if(!acl) return 0;
return sizeof(*acl) + regional_get_mem(acl->region);
}
+
+const char* acl_access_to_str(enum acl_access acl)
+{
+ switch(acl) {
+ case acl_deny: return "deny";
+ case acl_refuse: return "refuse";
+ case acl_deny_non_local: return "deny_non_local";
+ case acl_refuse_non_local: return "refuse_non_local";
+ case acl_allow: return "allow";
+ case acl_allow_snoop: return "allow_snoop";
+ case acl_allow_setrd: return "allow_setrd";
+ default: break;
+ }
+ return "unknown";
+}
+
+void
+log_acl_action(const char* action, struct sockaddr_storage* addr,
+ socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr)
+{
+ char a[128], n[128];
+ uint16_t port;
+ addr_to_str(addr, addrlen, a, sizeof(a));
+ port = ntohs(((struct sockaddr_in*)addr)->sin_port);
+ if(acladdr) {
+ addr_to_str(&acladdr->node.addr, acladdr->node.addrlen,
+ n, sizeof(n));
+ verbose(VERB_ALGO, "%s query from %s port %d because of "
+ "%s/%d %s", action, a, (int)port, n, acladdr->node.net,
+ acl_access_to_str(acl));
+ } else {
+ verbose(VERB_ALGO, "%s query from %s port %d", action, a,
+ (int)port);
+ }
+}
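Review bot: The port read in log_acl_action (line 27) goes through a `struct sockaddr_in` cast for every address family, which is only correct because `sin_port` and `sin6_port` sit at the same offset in both structures; this appears to follow the existing convention in this codebase's log_addr, but the new helper should state it: `/* sin_port and sin6_port share an offset, so this works for IPv4 and IPv6 */`. Neither new function carries a header comment in the .c file; a short one on log_acl_action should say that acladdr may be NULL (the else branch handles that) and that the acl value is rendered via acl_access_to_str, and addr could be `const`-qualified since it is only read. In acl_access_to_str the `default: break;` path returns "unknown", which avoids a warning when a new enum value is added but also hides a missing case; a comment noting that this is deliberate would help the next maintainer.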
static int
deny_refuse(struct comm_point* c, enum acl_access acl,
enum acl_access deny, enum acl_access refuse,
- struct worker* worker, struct comm_reply* repinfo)
+ struct worker* worker, struct comm_reply* repinfo,
+ struct acl_addr* acladdr)
{
if(acl == deny) {
+ if(verbosity >= VERB_ALGO) {
+ log_acl_action("dropped", &repinfo->addr,
+ repinfo->addrlen, acl, acladdr);
+ log_buf(VERB_ALGO, "dropped", c->buffer);
+ }
comm_point_drop_reply(repinfo);
if(worker->stats.extended)
worker->stats.unwanted_queries++;
return 0;
} else if(acl == refuse) {
- log_addr(VERB_ALGO, "refused query from",
- &repinfo->addr, repinfo->addrlen);
- log_buf(VERB_ALGO, "refuse", c->buffer);
+ if(verbosity >= VERB_ALGO) {
+ log_acl_action("refused", &repinfo->addr,
+ repinfo->addrlen, acl, acladdr);
+ log_buf(VERB_ALGO, "refuse", c->buffer);
+ }
if(worker->stats.extended)
worker->stats.unwanted_queries++;
if(worker_check_request(c->buffer, worker) == -1) {
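Review bot: The `verbosity >= VERB_ALGO` guards added around the two log_acl_action calls duplicate the level check that verbose() and log_buf() perform internally, so a reader may mistake them for a behaviour change; a one-line comment would make the intent clear, e.g. `/* skip the address formatting done by log_acl_action at lower verbosity */`. The deny and refuse branches now carry the same four-line logging block differing only in the action string, which could be folded into a single call keyed on the branch to keep the two paths from drifting apart. deny_refuse's body continues past the end of the hunk.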
static int
deny_refuse_all(struct comm_point* c, enum acl_access acl,
- struct worker* worker, struct comm_reply* repinfo)
+ struct worker* worker, struct comm_reply* repinfo,
+ struct acl_addr* acladdr)
{
- return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo);
+ return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo,
+ acladdr);
}
static int
deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
- struct worker* worker, struct comm_reply* repinfo)
+ struct worker* worker, struct comm_reply* repinfo,
+ struct acl_addr* acladdr)
{
- return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo);
+ return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local,
+ worker, repinfo, acladdr);
}
int
acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr,
repinfo->addrlen);
acl = acl_get_control(acladdr);
- if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
+ if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr)) != -1)
{
if(ret == 1)
goto send_reply;
/* We've looked in our local zones. If the answer isn't there, we
* might need to bail out based on ACLs now. */
- if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
+ if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr)) != -1)
{
regional_free_all(worker->scratchpad);
if(ret == 1)