788. [feature] Add the "match-mapped-addresses" options, which

causes IPv6 v4mapped addresses to be treated as IPv4 addresses for the purpose of acl matching.

788. [feature] Add the "match-mapped-addresses" options, which
causes IPv6 v4mapped addresses to be treated as IPv4 addresses for the purpose of acl matching.
6eccf5bd · Brian Wellington · 0a10d772 · 6eccf5bd · 6eccf5bd · 6eccf5bd
Commit 6eccf5bd authored Mar 26, 2001 by Brian Wellington
--- a/CHANGES
+++ b/CHANGES

+ 788.	[feature]	Add the "match-mapped-addresses" options, which
+ 			causes IPv6 v4mapped addresses to be treated as
+			IPv4 addresses for the purpose of acl matching.
+
 787.	[bug]		The DNSSEC tools failed to downcase domain
 			names when mapping them into file names.


--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: client.c,v 1.160 2001/03/19 20:52:19 gson Exp $ */
+/* $Id: client.c,v 1.161 2001/03/26 21:32:52 bwelling Exp $ */

 #include <config.h>

@@ -736,7 +736,8 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) {
 		if (ns_g_server->blackholeacl != NULL &&
 		    dns_acl_match(&netaddr, NULL,
 			    	  ns_g_server->blackholeacl,
-				  NULL, &match, NULL) == ISC_R_SUCCESS &&
+				  &ns_g_server->aclenv,
+				  &match, NULL) == ISC_R_SUCCESS &&
 		    match > 0)
 			return (DNS_R_BLACKHOLED);
 		sockflags |= ISC_SOCKFLAG_NORETRY;

--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: config.c,v 1.7 2001/03/20 21:54:29 bwelling Exp $ */
+/* $Id: config.c,v 1.8 2001/03/26 21:32:53 bwelling Exp $ */

 #include <config.h>

@@ -56,6 +56,7 @@ options {\n\
 	interface-interval 3600;\n\
 	listen-on {any;};\n\
 	listen-on-v6 {none;};\n\
+	match-mapped-addresses no;\n\
 	memstatistics-file \"named.memstats\";\n\
 	multiple-cnames no;\n\
 #	named-xfer <obsolete>;\n\

--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.308 2001/03/22 00:06:56 bwelling Exp $ */
+/* $Id: server.c,v 1.309 2001/03/26 21:32:54 bwelling Exp $ */

 #include <config.h>

@@ -710,6 +710,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 		view->peers = newpeers; /* Transfer ownership. */
 	}

+	/*
+	 * Copy the aclenv object.
+	 */
+	dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
+
 	/*
 	 * Configure the "match-clients" ACL.
 	 */
@@ -1404,6 +1409,8 @@ directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) {

 static void
 scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
+	isc_boolean_t match_mapped = server->aclenv.match_mapped;
+
 	ns_interfacemgr_scan(server->interfacemgr, verbose);
 	/*
 	 * Update the "localhost" and "localnets" ACLs to match the
@@ -1411,6 +1418,8 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) {
 	 */
 	dns_aclenv_copy(&server->aclenv,
 			ns_interfacemgr_getaclenv(server->interfacemgr));
+
+	server->aclenv.match_mapped = match_mapped;
 }

 /*
@@ -1635,6 +1644,10 @@ load_configuration(const char *filename, ns_server_t *server,
 		dns_dispatchmgr_setblackhole(ns_g_dispatchmgr,
 					     server->blackholeacl);

+	result = ns_config_get(maps, "match-mapped-addresses", &obj);
+	INSIST(result == ISC_R_SUCCESS);
+	server->aclenv.match_mapped = cfg_obj_asboolean(obj);
+
 	/*
 	 * Configure the zone manager.
 	 */

--- a/doc/misc/options
+++ b/doc/misc/options
 Copyright (C) 2000, 2001  Internet Software Consortium.
 See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

-$Id: options,v 1.65 2001/03/19 22:34:08 bwelling Exp $
+$Id: options,v 1.66 2001/03/26 21:32:56 bwelling Exp $

 This is a summary of the implementation status of the various named.conf
 options in BIND 9.
@@ -123,6 +123,7 @@ options {
  [ additional-from-cache yes_or_no; ]			    Yes*
  [ random-device path_name; ]				    Yes*
  [ minimal-responses yes_or_no; ]			    Yes*
+  [ match-mapped-addresses yes_or_no; ]			    Yes*
 };

 acl							    Yes@

--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: acl.c,v 1.21 2001/02/08 23:30:31 gson Exp $ */
+/* $Id: acl.c,v 1.22 2001/03/26 21:32:57 bwelling Exp $ */

 #include <config.h>

@@ -157,12 +157,24 @@ dns_aclelement_match(isc_netaddr_t *reqaddr,
 		     dns_aclelement_t **matchelt)
 {
 	dns_acl_t *inner = NULL;
+	isc_netaddr_t *addr;
+	isc_netaddr_t v4addr;
 	int indirectmatch;
 	isc_result_t result;

 	switch (e->type) {
 	case dns_aclelementtype_ipprefix:
-		if (isc_netaddr_eqprefix(reqaddr,
+		if (env == NULL ||
+		    env->match_mapped == ISC_FALSE ||
+		    reqaddr->family != AF_INET6 ||
+		    !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6))
+			addr = reqaddr;
+		else {
+			isc_netaddr_fromv4mapped(&v4addr, reqaddr);
+			addr = &v4addr;
+		}
+
+		if (isc_netaddr_eqprefix(addr,
 					 &e->u.ip_prefix.address, 
 					 e->u.ip_prefix.prefixlen))
 			goto matched;
@@ -389,6 +401,7 @@ dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) {
 	result = dns_acl_create(mctx, 0, &env->localnets);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_localhost;
+	env->match_mapped = ISC_FALSE;
 	return (ISC_R_SUCCESS);

 cleanup_localhost:
@@ -403,6 +416,7 @@ dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) {
 	dns_acl_attach(s->localhost, &t->localhost);
 	dns_acl_detach(&t->localnets);
 	dns_acl_attach(s->localnets, &t->localnets);
+	t->match_mapped = s->match_mapped;
 }

 void

--- a/lib/dns/include/dns/acl.h
+++ b/lib/dns/include/dns/acl.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: acl.h,v 1.18 2001/02/08 23:30:32 gson Exp $ */
+/* $Id: acl.h,v 1.19 2001/03/26 21:33:02 bwelling Exp $ */

 #ifndef DNS_ACL_H
 #define DNS_ACL_H 1
@@ -84,6 +84,7 @@ struct dns_acl {
 struct dns_aclenv {
 	dns_acl_t *localhost;
 	dns_acl_t *localnets;
+	isc_boolean_t match_mapped;
 };

 #define DNS_ACL_MAGIC		0x4461636c	/* Dacl */

--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: view.h,v 1.68 2001/03/14 21:53:28 halley Exp $ */
+/* $Id: view.h,v 1.69 2001/03/26 21:33:04 bwelling Exp $ */

 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -70,6 +70,7 @@
 #include <isc/rwlock.h>
 #include <isc/stdtime.h>

+#include <dns/acl.h>
 #include <dns/types.h>

 ISC_LANG_BEGINDECLS
@@ -115,6 +116,7 @@ struct dns_view {
 	dns_ttl_t			maxcachettl;
 	dns_ttl_t			maxncachettl;
 	in_port_t			dstport;
+	dns_aclenv_t			aclenv;

 	/*
 	 * Configurable data for server use only,

--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: resolver.c,v 1.213 2001/03/20 22:13:00 gson Exp $ */
+/* $Id: resolver.c,v 1.214 2001/03/26 21:32:58 bwelling Exp $ */

 #include <config.h>

@@ -1092,7 +1092,8 @@ resquery_send(resquery_t *query) {
 		int match;

 		if (dns_acl_match(&ipaddr, NULL, blackhole,
-				  NULL, &match, NULL) == ISC_R_SUCCESS &&
+				  &fctx->res->view->aclenv,
+				  &match, NULL) == ISC_R_SUCCESS &&
 		    match > 0)
 			aborted = ISC_TRUE;
 	}

--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: view.c,v 1.97 2001/03/14 21:53:27 halley Exp $ */
+/* $Id: view.c,v 1.98 2001/03/26 21:33:00 bwelling Exp $ */

 #include <config.h>

@@ -160,6 +160,11 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	result = dns_peerlist_new(view->mctx, &view->peers);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_dynkeys;
+
+	result = dns_aclenv_init(view->mctx, &view->aclenv);
+	if (result != ISC_R_SUCCESS)
+		goto cleanup_peerlist;
+
 	ISC_LINK_INIT(view, link);
 	ISC_EVENT_INIT(&view->resevent, sizeof view->resevent, 0, NULL,
 		       DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown,
@@ -176,6 +181,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,

 	return (ISC_R_SUCCESS);

+ cleanup_peerlist:
+	dns_peerlist_detach(&view->peers);
+
 cleanup_dynkeys:
 	dns_tsigkeyring_destroy(&view->dynamickeys);

@@ -245,6 +253,7 @@ destroy(dns_view_t *view) {
 	dns_keytable_detach(&view->trustedkeys);
 	dns_keytable_detach(&view->secroots);
 	dns_fwdtable_destroy(&view->fwdtable);
+	dns_aclenv_destroy(&view->aclenv);
 	DESTROYLOCK(&view->lock);
 	isc_refcount_destroy(&view->references);
 	isc_mem_free(view->mctx, view->name);

--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: zone.c,v 1.314 2001/03/26 21:11:33 bwelling Exp $ */
+/* $Id: zone.c,v 1.315 2001/03/26 21:33:01 bwelling Exp $ */

 #include <config.h>

@@ -3968,8 +3968,11 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from,
 	 */
 	isc_netaddr_fromsockaddr(&netaddr, from);
 	if (i >= zone->masterscnt && zone->notify_acl != NULL &&
-	    dns_acl_match(&netaddr, NULL, zone->notify_acl, NULL, &match,
-			  NULL) == ISC_R_SUCCESS && match > 0) {
+	    dns_acl_match(&netaddr, NULL, zone->notify_acl,
+		    	  &zone->view->aclenv,
+			  &match, NULL) == ISC_R_SUCCESS &&
+	    match > 0)
+	{
 		/* Accept notify. */
 	} else if (i >= zone->masterscnt) {
 		UNLOCK_ZONE(zone);

--- a/lib/isc/include/isc/netaddr.h
+++ b/lib/isc/include/isc/netaddr.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: netaddr.h,v 1.17 2001/02/02 02:48:47 gson Exp $ */
+/* $Id: netaddr.h,v 1.18 2001/03/26 21:33:06 bwelling Exp $ */

 #ifndef ISC_NETADDR_H
 #define ISC_NETADDR_H 1
@@ -112,6 +112,13 @@ isc_netaddr_ismulticast(isc_netaddr_t *na);
 * Returns ISC_TRUE if the address is a multicast address
 */

+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s);
+/*
+ * Convert an IPv6 v4mapped address into an IPv4 address.
+ */
+
+
 ISC_LANG_ENDDECLS

 #endif /* ISC_NETADDR_H */
--- a/lib/isc/netaddr.c
+++ b/lib/isc/netaddr.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: netaddr.c,v 1.15 2001/02/02 02:48:46 gson Exp $ */
+/* $Id: netaddr.c,v 1.16 2001/03/26 21:33:05 bwelling Exp $ */

 #include <config.h>

@@ -257,3 +257,14 @@ isc_netaddr_ismulticast(isc_netaddr_t *na) {
 		return (ISC_FALSE);  /* XXXMLG ? */
 	}
 }
+
+void
+isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) {
+	REQUIRE(s->family == AF_INET6);
+	REQUIRE(IN6_IS_ADDR_V4MAPPED(&s->type.in6));
+
+	memset(t, 0, sizeof *t);
+	t->family = AF_INET;
+	memcpy(&t->type.in, (const char *)&s->type.in6 + 12, 4);
+	return;
+}
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: parser.c,v 1.49 2001/03/21 19:01:36 gson Exp $ */
+/* $Id: parser.c,v 1.50 2001/03/26 21:33:07 bwelling Exp $ */

 #include <config.h>

@@ -806,6 +806,7 @@ options_clauses[] = {
 	{ "interface-interval", &cfg_type_uint32, 0 },
 	{ "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
 	{ "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI },
+	{ "match-mapped-addresses", &cfg_type_boolean, 0 },
 	{ "memstatistics-file", &cfg_type_qstring, 0 },
 	{ "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
 	{ "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },