Commit a672bfbe authored by Andreas Gustafsson's avatar Andreas Gustafsson

wired up view options: allow-query, allow-recursion, allow-transfer

parent 2e097e67
......@@ -1023,7 +1023,7 @@ client_request(isc_task_t *task, isc_event_t *event) {
client->view->recursion == ISC_TRUE &&
/* XXX this will log too much too early */
ns_client_checkacl(client, "recursion",
ns_g_server->recursionacl,
client->view->recursionacl,
ISC_TRUE) == ISC_R_SUCCESS)
ra = ISC_TRUE;
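Review bot: With the global `ns_g_server->recursionacl` gone, the ACL handed to ns_client_checkacl here is NULL for every view that sets no allow-recursion (dns_view_create initialises `recursionacl` to NULL in this same commit), and nothing in the hunk says whether ns_client_checkacl treats a NULL ACL as allow-all or deny-all. That default decides whether an unconfigured view becomes an open recursive resolver, so pin it at the call site, e.g. `/* view->recursionacl is NULL when no allow-recursion was configured; ns_client_checkacl treats NULL as <state the policy> */`, or substitute an explicit default ACL before the call. The `XXX this will log too much too early` note above the call is still open. client_request starts and ends outside the hunk.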
......
......@@ -42,8 +42,6 @@ struct ns_server {
isc_rwlock_t conflock;
/* Configurable data. */
dns_acl_t * queryacl;
dns_acl_t * recursionacl;
isc_quota_t xfroutquota;
isc_quota_t tcpquota;
isc_quota_t recursionquota;
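Review bot: `queryacl` stays in struct ns_server while `recursionacl` is removed, yet the only reader visible in this commit (query_find) now takes `client->view->queryacl` instead of `ns_g_server->queryacl`. If nothing else references the server-level field it is now dead configuration state that can silently diverge from what is enforced; if it is still filled from the global allow-query, the cache-query path no longer honours it. Either drop `dns_acl_t * queryacl;` alongside `recursionacl`, or add a comment stating what still reads it. The struct continues outside the hunk.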
......
......@@ -28,8 +28,9 @@
#include <dns/confip.h>
#include <dns/confzone.h>
isc_result_t dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
dns_c_zone_t *czone, dns_zone_t *zone);
isc_result_t dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview,
dns_c_zone_t *czone, dns_aclconfctx_t *ac,
dns_zone_t *zone);
/*
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
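Review bot: The prototype gains a `cview` parameter but the comment below still says the zone is configured from 'cctx' and 'czone' only. configure_zone_acl in this commit resolves a zone ACL from the zone, then the view, then the global context, and callers need to know whether `cview` may be NULL, so I'd extend it to `* data in 'cctx', 'cview' and 'czone'. A zone ACL not set on the zone falls back to the view's setting, then to the global one.` and state the NULL rule for 'cview' once decided. The comment block continues outside the hunk.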
......
......@@ -1928,7 +1928,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event) {
if (is_zone)
queryacl = dns_zone_getqueryacl(zone);
if (queryacl == NULL)
queryacl = ns_g_server->queryacl;
queryacl = client->view->queryacl;
/*
* Check the query against the "allow-query" AMLs.
* XXX there should also be a per-view one.
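Review bot: The `XXX there should also be a per-view one.` comment is now stale, because the line two above it is exactly the per-view fallback it asks for. Replace it with the chain as it now stands, e.g. `* Check the query against the "allow-query" AMLs: the zone's ACL if it has one, else the view's.` Unlike zone ACLs, which configure_zone_acl fills from zone, view and then global, this non-zone path stops at the view and can leave `queryacl` NULL; the check that consumes it is outside the hunk, so confirm its NULL handling matches the intended default. query_find continues outside the hunk.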
......
......@@ -37,10 +37,11 @@
* Convenience function for configuring a single zone ACL.
*/
static isc_result_t
configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx, dns_c_view_t *cview,
dns_aclconfctx_t *aclconfctx, dns_zone_t *zone,
isc_result_t (*getcacl)(dns_c_zone_t *, dns_c_ipmatchlist_t **),
isc_result_t (*getdefaultcacl)(dns_c_ctx_t *, dns_c_ipmatchlist_t **),
isc_result_t (*getviewcacl)(dns_c_view_t *, dns_c_ipmatchlist_t **),
isc_result_t (*getglobalcacl)(dns_c_ctx_t *, dns_c_ipmatchlist_t **),
void (*setzacl)(dns_zone_t *, dns_acl_t *),
void (*clearzacl)(dns_zone_t *))
{
......@@ -48,8 +49,11 @@ configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
dns_c_ipmatchlist_t *cacl;
dns_acl_t *dacl = NULL;
result = (*getcacl)(czone, &cacl);
if (result == ISC_R_NOTFOUND && getdefaultcacl != NULL) {
result = (*getdefaultcacl)(cctx, &cacl);
if (result == ISC_R_NOTFOUND && getviewcacl != NULL) {
result = (*getviewcacl)(cview, &cacl);
}
if (result == ISC_R_NOTFOUND && getglobalcacl != NULL) {
result = (*getglobalcacl)(cctx, &cacl);
}
if (result == ISC_R_SUCCESS) {
result = dns_acl_fromconfig(cacl, cctx, aclconfctx,
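Review bot: `(*getviewcacl)(cview, &cacl)` is reached with whatever `cview` the caller passed, and the only thing keeping the NULL-view allow-update call from dereferencing NULL is that it also passes `getviewcacl == NULL`; the two arguments are paired by convention only. Make the guard self-contained with `if (result == ISC_R_NOTFOUND && cview != NULL && getviewcacl != NULL) {` (or a REQUIRE that the two arrive together) so a future caller supplying a view getter for a view-less zone cannot crash. configure_zone_acl's signature is in the preceding hunk and its tail is outside this one.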
......@@ -88,8 +92,9 @@ dns_zonetype_fromconf(dns_c_zonetype_t cztype) {
}
isc_result_t
dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
dns_c_zone_t *czone, dns_zone_t *zone)
dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview,
dns_c_zone_t *czone, dns_aclconfctx_t *ac,
dns_zone_t *zone)
{
isc_result_t result;
isc_boolean_t boolean;
......@@ -134,24 +139,26 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
else
dns_zone_setchecknames(zone, dns_c_severity_fail);
#endif
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, NULL, ac, zone,
dns_c_zone_getallowupd,
NULL,
NULL, NULL,
dns_zone_setupdateacl,
dns_zone_clearupdateacl);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowquery,
dns_c_view_getallowquery,
dns_c_ctx_getallowquery,
dns_zone_setqueryacl,
dns_zone_clearqueryacl);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowtransfer,
dns_c_view_gettransferacl,
dns_c_ctx_getallowtransfer,
dns_zone_setxfracl,
dns_zone_clearxfracl);
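Review bot: The allow-update ACL is configured with NULL for both the view and global getters, so unlike allow-query and allow-transfer it gets no fallback when the zone does not set it; if that is intentional, say so at the call with `/* allow-update is zone-only: no view or global default. */` so the asymmetry is not read as an omission. The transfer getter is named `dns_c_view_gettransferacl` while the query one is `dns_c_view_getallowquery`; if the config API has a consistently named accessor, using it would make the three calls read alike. dns_zone_configure continues outside the hunk.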
......@@ -234,8 +241,9 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
else
dns_zone_setchecknames(zone, dns_c_severity_warn);
#endif
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowquery,
dns_c_view_getallowquery,
dns_c_ctx_getallowquery,
dns_zone_setqueryacl,
dns_zone_clearqueryacl);
......@@ -326,8 +334,9 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
else
dns_zone_setchecknames(zone, dns_c_severity_warn);
#endif
result = configure_zone_acl(czone, cctx, ac, zone,
dns_c_zone_getallowquery,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowquery,
dns_c_view_getallowquery,
dns_c_ctx_getallowquery,
dns_zone_setqueryacl,
dns_zone_clearqueryacl);
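Review bot: This is the third identical six-line allow-query configuration in dns_zone_configure (the others sit in the two earlier hunks), so the zone/view/global fallback chain for queries is now spelled out in three places that must be kept in step. A small static helper next to configure_zone_acl would reduce each site to `result = configure_query_acl(czone, cctx, cview, ac, zone);` and keep the getter/setter pairing in one spot. dns_zone_configure continues outside the hunk.
```c
/* Configure a zone's allow-query ACL: zone setting, else view, else global. */
static isc_result_t
configure_query_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
		    dns_c_view_t *cview, dns_aclconfctx_t *ac,
		    dns_zone_t *zone)
{
	return (configure_zone_acl(czone, cctx, cview, ac, zone,
				   dns_c_zone_getallowquery,
				   dns_c_view_getallowquery,
				   dns_c_ctx_getallowquery,
				   dns_zone_setqueryacl,
				   dns_zone_clearqueryacl));
}
/* … unchanged: each call site becomes result = configure_query_acl(czone, cctx, cview, ac, zone); … */
```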
......
......@@ -98,7 +98,9 @@ struct dns_view {
isc_boolean_t recursion;
isc_boolean_t auth_nxdomain;
dns_transfer_format_t transfer_format;
dns_acl_t * queryacl;
dns_acl_t * recursionacl;
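Review bot: The two new members say nothing about what NULL means, although dns_view_create initialises both to NULL and client_request and query_find read them directly, so NULL is the state of every view without an allow-query or allow-recursion option. Add `/* NULL if no allow-query / allow-recursion was configured; readers apply the default policy. */` above them, and state which lock, if any, covers them, since the section that follows is documented as protected by the server configuration lock and this one is not. struct dns_view continues outside the hunk.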
/*
* Configurable data for server use only,
* locked by server configuration lock.
......
......@@ -28,8 +28,9 @@
#include <dns/confip.h>
#include <dns/confzone.h>
isc_result_t dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
dns_c_zone_t *czone, dns_zone_t *zone);
isc_result_t dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview,
dns_c_zone_t *czone, dns_aclconfctx_t *ac,
dns_zone_t *zone);
/*
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
......
......@@ -139,6 +139,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->recursion = ISC_TRUE;
view->auth_nxdomain = ISC_FALSE; /* Was true in BIND 8 */
view->transfer_format = dns_one_answer;
view->queryacl = NULL;
view->recursionacl = NULL;
result = dns_peerlist_new(view->mctx, &view->peers);
if (result != ISC_R_SUCCESS)
......@@ -231,6 +233,10 @@ destroy(dns_view_t *view) {
dns_cache_detach(&view->cache);
if (view->matchclients != NULL)
dns_acl_detach(&view->matchclients);
if (view->queryacl != NULL)
dns_acl_detach(&view->queryacl);
if (view->recursionacl != NULL)
dns_acl_detach(&view->recursionacl);
dns_zt_detach(&view->zonetable);
dns_keytable_detach(&view->trustedkeys);
dns_keytable_detach(&view->secroots);
......
......@@ -37,10 +37,11 @@
* Convenience function for configuring a single zone ACL.
*/
static isc_result_t
configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx, dns_c_view_t *cview,
dns_aclconfctx_t *aclconfctx, dns_zone_t *zone,
isc_result_t (*getcacl)(dns_c_zone_t *, dns_c_ipmatchlist_t **),
isc_result_t (*getdefaultcacl)(dns_c_ctx_t *, dns_c_ipmatchlist_t **),
isc_result_t (*getviewcacl)(dns_c_view_t *, dns_c_ipmatchlist_t **),
isc_result_t (*getglobalcacl)(dns_c_ctx_t *, dns_c_ipmatchlist_t **),
void (*setzacl)(dns_zone_t *, dns_acl_t *),
void (*clearzacl)(dns_zone_t *))
{
......@@ -48,8 +49,11 @@ configure_zone_acl(dns_c_zone_t *czone, dns_c_ctx_t *cctx,
dns_c_ipmatchlist_t *cacl;
dns_acl_t *dacl = NULL;
result = (*getcacl)(czone, &cacl);
if (result == ISC_R_NOTFOUND && getdefaultcacl != NULL) {
result = (*getdefaultcacl)(cctx, &cacl);
if (result == ISC_R_NOTFOUND && getviewcacl != NULL) {
result = (*getviewcacl)(cview, &cacl);
}
if (result == ISC_R_NOTFOUND && getglobalcacl != NULL) {
result = (*getglobalcacl)(cctx, &cacl);
}
if (result == ISC_R_SUCCESS) {
result = dns_acl_fromconfig(cacl, cctx, aclconfctx,
......@@ -88,8 +92,9 @@ dns_zonetype_fromconf(dns_c_zonetype_t cztype) {
}
isc_result_t
dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
dns_c_zone_t *czone, dns_zone_t *zone)
dns_zone_configure(dns_c_ctx_t *cctx, dns_c_view_t *cview,
dns_c_zone_t *czone, dns_aclconfctx_t *ac,
dns_zone_t *zone)
{
isc_result_t result;
isc_boolean_t boolean;
......@@ -134,24 +139,26 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
else
dns_zone_setchecknames(zone, dns_c_severity_fail);
#endif
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, NULL, ac, zone,
dns_c_zone_getallowupd,
NULL,
NULL, NULL,
dns_zone_setupdateacl,
dns_zone_clearupdateacl);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowquery,
dns_c_view_getallowquery,
dns_c_ctx_getallowquery,
dns_zone_setqueryacl,
dns_zone_clearqueryacl);
if (result != ISC_R_SUCCESS)
return (result);
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowtransfer,
dns_c_view_gettransferacl,
dns_c_ctx_getallowtransfer,
dns_zone_setxfracl,
dns_zone_clearxfracl);
......@@ -234,8 +241,9 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
else
dns_zone_setchecknames(zone, dns_c_severity_warn);
#endif
result = configure_zone_acl(czone, cctx, ac, zone,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowquery,
dns_c_view_getallowquery,
dns_c_ctx_getallowquery,
dns_zone_setqueryacl,
dns_zone_clearqueryacl);
......@@ -326,8 +334,9 @@ dns_zone_configure(dns_c_ctx_t *cctx, dns_aclconfctx_t *ac,
else
dns_zone_setchecknames(zone, dns_c_severity_warn);
#endif
result = configure_zone_acl(czone, cctx, ac, zone,
dns_c_zone_getallowquery,
result = configure_zone_acl(czone, cctx, cview, ac, zone,
dns_c_zone_getallowquery,
dns_c_view_getallowquery,
dns_c_ctx_getallowquery,
dns_zone_setqueryacl,
dns_zone_clearqueryacl);
......