Commit e3244493 authored by Evan Hunt

remove the experimental authoritative ECS support from named

- mark the 'geoip-use-ecs' option obsolete; warn when it is used
  in named.conf
- prohibit 'ecs' ACL tags in named.conf; note that this is a fatal error
  since simply ignoring the tags could make ACLs behave unpredictably
- re-simplify the radix and iptable code
- clean up dns_acl_match(), dns_aclelement_match(), dns_acl_allowed()
  and dns_geoip_match() so they no longer take ecs options
- remove the ECS-specific unit and system test cases
- remove references to ECS from the ARM
parent 59d076ca
......@@ -230,13 +230,12 @@ address_ok(isc_sockaddr_t *sockaddr, dns_acl_t *acl) {
isc_netaddr_fromsockaddr(&netaddr, sockaddr);
result = dns_acl_match(&netaddr, NULL, NULL, 0, NULL, acl, env, &match,
NULL);
if (result != ISC_R_SUCCESS || match <= 0)
result = dns_acl_match(&netaddr, NULL, acl, env, &match, NULL);
if (result != ISC_R_SUCCESS || match <= 0) {
return (ISC_FALSE);
else
} else {
return (ISC_TRUE);
}
}
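Review bot: The rewritten tail of address_ok() still spells the boolean out as an if/else pair of returns, while the same commit's isself() hunk already uses the `ISC_TF()` idiom for exactly this shape; the six lines from the `if (result != ISC_R_SUCCESS || match <= 0) {` line down could be the single statement `return (ISC_TF(result == ISC_R_SUCCESS && match > 0));`. That also keeps the short-circuit that protects `match` from being read when dns_acl_match() fails, so behaviour is unchanged. The start of address_ok() is outside this hunk.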
static isc_result_t
......
......@@ -3613,8 +3613,7 @@ create_mapped_acl(void) {
if (result != ISC_R_SUCCESS)
return (result);
result = dns_iptable_addprefix(acl->iptable, &addr, 96,
ISC_TRUE, ISC_FALSE);
result = dns_iptable_addprefix(acl->iptable, &addr, 96, ISC_TRUE);
if (result == ISC_R_SUCCESS)
dns_acl_attach(acl, &named_g_mapped);
dns_acl_detach(&acl);
......@@ -6262,7 +6261,7 @@ add_listenelt(isc_mem_t *mctx, ns_listenlist_t *list, isc_sockaddr_t *addr,
return (result);
result = dns_iptable_addprefix(src_acl->iptable, &netaddr,
128, ISC_TRUE, ISC_FALSE);
128, ISC_TRUE);
if (result != ISC_R_SUCCESS)
goto clean;
......@@ -7910,11 +7909,6 @@ load_configuration(const char *filename, named_server_t *server,
named_geoip_load(NULL);
}
named_g_aclconfctx->geoip = named_g_geoip;
obj = NULL;
result = named_config_get(maps, "geoip-use-ecs", &obj);
INSIST(result == ISC_R_SUCCESS);
env->geoip_use_ecs = cfg_obj_asboolean(obj);
#endif /* HAVE_GEOIP */
/*
......@@ -9266,7 +9260,7 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
*/
static isc_result_t
get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
dns_message_t *message, dns_aclenv_t *env, dns_ecs_t *ecs,
dns_message_t *message, dns_aclenv_t *env,
isc_result_t *sigresult, dns_view_t **viewp)
{
dns_view_t *view;
......@@ -9283,9 +9277,6 @@ get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
message->rdclass == dns_rdataclass_any)
{
dns_name_t *tsig = NULL;
isc_netaddr_t *addr = NULL;
isc_uint8_t *scope = NULL;
isc_uint8_t source = 0;
*sigresult = dns_message_rechecksig(message, view);
if (*sigresult == ISC_R_SUCCESS) {
......@@ -9295,15 +9286,9 @@ get_matching_view(isc_netaddr_t *srcaddr, isc_netaddr_t *destaddr,
tsig = dns_tsigkey_identity(tsigkey);
}
if (ecs != NULL) {
addr = &ecs->addr;
source = ecs->source;
scope = &ecs->scope;
}
if (dns_acl_allowed(srcaddr, tsig, addr, source,
scope, view->matchclients, env) &&
dns_acl_allowed(destaddr, tsig, NULL, 0, NULL,
if (dns_acl_allowed(srcaddr, tsig,
view->matchclients, env) &&
dns_acl_allowed(destaddr, tsig,
view->matchdestinations, env) &&
!(view->matchrecursiveonly &&
(message->flags & DNS_MESSAGEFLAG_RD) == 0))
......@@ -14420,7 +14405,6 @@ mkey_destroy(named_server_t *server, dns_view_t *view, isc_buffer_t **text) {
return (result);
}
static isc_result_t
mkey_dumpzone(dns_view_t *view, isc_buffer_t **text) {
isc_result_t result;
......
......@@ -3196,8 +3196,8 @@ client_ok(const isc_sockaddr_t *fromaddr, void *arg) {
isc_netaddr_fromsockaddr(&netaddr, fromaddr);
LOCK(&listener->lock);
if (dns_acl_match(&netaddr, NULL, NULL, 0, NULL, listener->acl, env,
&match, NULL) == ISC_R_SUCCESS && match > 0)
if ((dns_acl_match(&netaddr, NULL, listener->acl, env,
&match, NULL) == ISC_R_SUCCESS) && match > 0)
{
UNLOCK(&listener->lock);
return (ISC_TRUE);
......
......@@ -815,11 +815,12 @@ isself(dns_view_t *myview, dns_tsigkey_t *mykey,
tsig = dns_tsigkey_identity(mykey);
}
if (dns_acl_allowed(&netsrc, tsig, NULL, 0, NULL,
view->matchclients, env) &&
dns_acl_allowed(&netdst, tsig, NULL, 0, NULL,
view->matchdestinations, env))
if (dns_acl_allowed(&netsrc, tsig, view->matchclients, env) &&
dns_acl_allowed(&netdst, tsig, view->matchdestinations,
env))
{
break;
}
}
return (ISC_TF(view == myview));
}
......
......@@ -144,36 +144,6 @@ $DIG -p ${PORT} +tcp soa example. \
@10.53.0.2 -b 10.53.0.3 > dig.out.${t}
grep "status: NOERROR" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
echo_i "testing EDNS client-subnet ACL processing"
copy_setports ns2/named6.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
sleep 5
# should fail
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 axfr > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 || { echo_i "test $t failed" ; status=1; }
# should succeed
t=`expr $t + 1`
$DIG $DIGOPTS tsigzone. \
@10.53.0.2 -b 10.53.0.2 +subnet="10.53.0/24" axfr > dig.out.${t}
grep "^;" dig.out.${t} > /dev/null 2>&1 && { echo_i "test $t failed" ; status=1; }
echo_i "testing EDNS client-subnet response scope"
copy_setports ns2/named7.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
sleep 5
t=`expr $t + 1`
$DIG -p ${PORT} example. soa @10.53.0.2 +subnet="10.53.0.1/32" > dig.out.${t}
grep "CLIENT-SUBNET.*10.53.0.1/32/0" dig.out.${t} > /dev/null || { echo_i "test $t failed" ; status=1; }
t=`expr $t + 1`
$DIG -p ${PORT} example. soa @10.53.0.2 +subnet="192.0.2.128/32" > dig.out.${t}
grep "CLIENT-SUBNET.*192.0.2.128/32/24" dig.out.${t} > /dev/null || { echo_i "test $t failed" ; status=1; }
# AXFR tests against ns3
echo_i "testing allow-transfer ACLs against ns3 (no existing zones)"
......
......@@ -9,42 +9,6 @@
* information regarding copyright ownership.
*/
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
ixfr-from-differences yes;
check-integrity no;
allow-query-on { 10.53.0.2; };
};
zone "." {
type hint;
file "../../common/root.hint";
};
zone "example" {
type master;
file "example.db";
};
zone "tsigzone" {
type master;
file "tsigzone.db";
allow-transfer { ecs 10.53/16; !10/8; };
geoip-use-ecs yes;
};
......@@ -396,5 +396,13 @@ grep "trusted-key for dlv.isc.org still present" checkconf.out$n > /dev/null ||
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"
ret=0
$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
grep "'geoip-use-ecs' is obsolete" checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
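Review bot: The new 'geoip-use-ecs no' check reuses the previous test's `$n` — none of the added lines increments it, and the context lines above them are the tail of the preceding test — so `checkconf.out$n` overwrites that test's output file and the "($n)" label in the log is duplicated; add `n=\`expr $n + 1\`` before the `echo_i "check that 'geoip-use-ecs no' generates a warning ($n)"` line, as I assume the other tests in this file do. A second gap is that only the warning path is exercised: the check.c hunk in this commit turns 'geoip-use-ecs yes' into an ISC_LOG_ERROR and a failed check, and nothing here asserts that a config with `yes` is rejected with the "ECS can no longer be used in geoip ACLs" message. The referenced `warn-geoip-use-ecs.conf` is not visible in this page, so I cannot confirm it contains an explicit `no`.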
......@@ -9,52 +9,6 @@
* information regarding copyright ownership.
*/
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
notify yes;
ixfr-from-differences yes;
check-integrity no;
allow-query-on { 10.53.0.2; };
};
view one {
match-clients { ecs 192.0.2/24; };
zone "." {
type hint;
file "../../common/root.hint";
};
zone "example" {
type master;
file "example.db";
};
};
view two {
zone "." {
type hint;
file "../../common/root.hint";
};
zone "example" {
type master;
file "example.db";
};
geoip-use-ecs no;
};
......@@ -21,7 +21,6 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
geoip-use-ecs no;
};
key rndc_key {
......
......@@ -35,30 +35,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP country database by code (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking response scope using client subnet ($n)"
ret=0
$DIG +tcp -p ${PORT} @10.53.0.2 txt example -b 127.0.0.1 +subnet="10.53.0.1/32" > dig.out.ns2.test$n.1 || ret=1
grep 'CLIENT-SUBNET.*10.53.0.1/32/32' dig.out.ns2.test$n.1 > /dev/null || ret=1
$DIG +tcp -p ${PORT} @10.53.0.2 txt example -b 127.0.0.1 +subnet="192.0.2.64/32" > dig.out.ns2.test$n.2 || ret=1
grep 'CLIENT-SUBNET.*192.0.2.64/32/24' dig.out.ns2.test$n.2 > /dev/null || ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named2.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -137,20 +113,6 @@ done
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP region database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named6.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -182,20 +144,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP city database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named7.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -215,20 +163,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP isp database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named8.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -248,20 +182,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP org database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named9.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -281,20 +201,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP asnum database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named10.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -314,20 +220,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP asnum database - ASNNNN only (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named11.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -347,20 +239,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP domain database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named12.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -380,20 +258,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking GeoIP netspeed database (using client subnet) ($n)"
ret=0
lret=0
for i in 1 2 3 4; do
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named13.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
......@@ -426,30 +290,6 @@ done
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
echo_i "reloading server"
copy_setports ns2/named14.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/ns2 /' | cat_i
sleep 3
n=`expr $n + 1`
echo_i "checking geoip-use-ecs ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
$DIG $DIGOPTS txt example -b 127.0.0.1 +subnet="10.53.0.$i/32" > dig.out.ns2.test$n.ecs.$i || lret=1
j=`cat dig.out.ns2.test$n.ecs.$i | tr -d '"'`
[ "$j" = "bogus" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo_i "failed"
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "reloading server with different geoip-directory ($n)"
copy_setports ns2/named15.conf.in ns2/named.conf
......
......@@ -5795,12 +5795,9 @@ options {
<term><command>geoip-use-ecs</command></term>
<listitem>
<para>
When BIND is compiled with GeoIP support and configured
with "geoip" ACL elements, this option indicates whether
the EDNS Client Subnet option, if present in a request,
should be used for matching against the GeoIP database.
The default is
<command>geoip-use-ecs</command> <userinput>yes</userinput>.
This option was part of an experimental implementation
of the EDNS CLIENT-SUBNET for authoritative servers,
but is now obsolete.
</para>
</listitem>
</varlistentry>
......@@ -16712,37 +16709,8 @@ zone "example.com" {
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <option>key</option> elements, which specify the
name of a TSIG or SIG(0) key, or <option>ecs</option>
elements, which specify a network prefix but are only matched
if that prefix matches an EDNS client subnet option included
in the request.
name of a TSIG or SIG(0) key.
</para>
<para>
The EDNS Client Subnet (ECS) option is used by a recursive
resolver to inform an authoritative name server of the network
address block from which the original query was received, enabling
authoritative servers to give different answers to the same
resolver for different resolver clients. An ACL containing
an element of the form
<command>ecs <replaceable>prefix</replaceable></command>
will match if a request arrives in containing an ECS option
encoding an address within that prefix. If the request has no
ECS option, then "ecs" elements are simply ignored. Addresses
in ACLs that are not prefixed with "ecs" are matched only
against the source address.
</para>
<note>
<simpara>
(Note: The authoritative ECS implementation in
<command>named</command> is based on an early version of the
specification, and is known to have incompatibilities with
other implementations. It is also inefficient, requiring
a separate view for each client subnet to be sent different
answers, and it is unable to correct for overlapping subnets in
the configuration. It can be used for testing purposes, but is
not recommended for production use.)
</simpara>
</note>
<para>
When <acronym>BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
......@@ -16787,14 +16755,6 @@ zone "example.com" {
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
</para>
<para>
By default, if a DNS query includes an EDNS Client Subnet (ECS)
option which encodes a non-zero address prefix, then GeoIP ACLs
will be matched against that address prefix. Otherwise, they
are matched against the source address of the query. To
prevent GeoIP ACLs from matching against ECS options, set
the <command>geoip-use-ecs</command> to <literal>no</literal>.
</para>
<para>
Some example GeoIP ACLs:
</para>
......
......@@ -1602,6 +1602,17 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
result = ISC_R_RANGE;
}
obj = NULL;
(void)cfg_map_get(options, "geoip-use-ecs", &obj);
if (obj != NULL && cfg_obj_asboolean(obj)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"'geoip-use-ecs yes': "
"ECS can no longer be used in geoip ACLs");
if (result == ISC_R_SUCCESS) {
result = ISC_R_FAILURE;
}
}
return (result);
}
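Review bot: The added block makes 'geoip-use-ecs yes' a hard failure (ISC_LOG_ERROR and ISC_R_FAILURE), while the commit description says the option is merely marked obsolete with a warning, and the checkconf test added in this commit only covers the 'no' case producing a "'geoip-use-ecs' is obsolete" warning; the asymmetry is defensible, since silently accepting `yes` would change which clients geoip ACLs match, but it should be stated in the code. Add a comment above the `(void)cfg_map_get(options, "geoip-use-ecs", &obj);` line such as `/* 'geoip-use-ecs' is obsolete. 'no' only warns (the option is presumably flagged obsolete in the parser); 'yes' is fatal because the behaviour it asks for no longer exists and ignoring it would silently alter geoip ACL matching. */`. It would also help operators grepping logs if the error text carried the same "is obsolete" phrase the warning uses, e.g. `"'geoip-use-ecs yes': option is obsolete; ECS can no longer be used in geoip ACLs"`. Note that `result` is only overwritten when it is still ISC_R_SUCCESS, so an earlier ISC_R_RANGE from the lines above is preserved — worth a short comment too if that precedence is intentional.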
......
......@@ -100,8 +100,7 @@ dns_acl_anyornone(isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) {
if (result != ISC_R_SUCCESS)
return (result);
result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg),
ISC_FALSE);
result = dns_iptable_addprefix(acl->iptable, NULL, 0, ISC_TF(!neg));
if (result != ISC_R_SUCCESS) {
dns_acl_detach(&acl);
return (result);
......@@ -183,9 +182,6 @@ dns_acl_isnone(dns_acl_t *acl)
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,