Commit ee3ab606 authored by Brian Wellington's avatar Brian Wellington

945. [func] Add the new view-specific options

			"match-destinations" and "match-recursive-only".
parent e5b18854
945. [func] Add the new view-specific options
"match-destinations" and "match-recursive-only".
944. [func] Check for expired signatures on load.
943. [bug] The server could crash when receiving a command
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: client.c,v 1.174 2001/06/28 02:39:46 marka Exp $ */
/* $Id: client.c,v 1.175 2001/07/26 20:42:38 bwelling Exp $ */
#include <config.h>
......@@ -1189,6 +1189,19 @@ client_getoptattrs(ns_client_t *client, dns_rdataset_t *opt) {
}
#endif /* DNS_OPT_NEWCODES */
static inline isc_boolean_t
allowed(isc_netaddr_t *addr, dns_acl_t *acl) {
int match;
isc_result_t result;
if (acl == NULL)
return (ISC_TRUE);
result = dns_acl_match(addr, NULL, acl, &ns_g_server->aclenv,
&match, NULL);
if (result == ISC_R_SUCCESS && match > 0)
return (ISC_TRUE);
return (ISC_FALSE);
}
/*
* Handle an incoming request event from the socket (UDP case)
......@@ -1438,11 +1451,14 @@ client_request(isc_task_t *task, isc_event_t *event) {
if (client->message->rdclass == view->rdclass ||
client->message->rdclass == dns_rdataclass_any)
{
if (view->matchclients == NULL ||
(dns_acl_match(&netaddr, NULL, view->matchclients,
&ns_g_server->aclenv,
&match, NULL) == ISC_R_SUCCESS &&
match > 0))
isc_netaddr_t destaddr;
isc_netaddr_fromsockaddr(&destaddr,
&client->interface->addr);
if (allowed(&netaddr, view->matchclients) &&
allowed(&destaddr, view->matchdestinations) &&
!((flags & DNS_MESSAGEFLAG_RD) == 0 &&
view->matchrecursiveonly))
{
dns_view_attach(view, &client->view);
break;
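Review bot: `destaddr` is derived from `client->interface->addr`, the address the listening interface is bound to, rather than from the received datagram, so match-destinations presumably compares against the bound address; if a listener can be bound to a wildcard address that value would not identify the real destination, which deserves a comment at the `isc_netaddr_fromsockaddr` call such as `/* destination = bound interface address; assumes per-address listeners, not a wildcard bind */`. The conversion also runs once per view inside the matching loop although it does not depend on the view, so it could be hoisted above the loop; the loop and client_request itself begin outside the hunk. The new helper `allowed()` in the earlier hunk has no comment; a one-liner such as `/* NULL acl matches everything; an explicit deny or a lookup failure counts as no match. */` would record the defaults the matching code now relies on.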
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.335 2001/07/23 17:31:33 gson Exp $ */
/* $Id: server.c,v 1.336 2001/07/26 20:42:40 bwelling Exp $ */
#include <config.h>
......@@ -728,10 +728,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
/*
* Configure the "match-clients" ACL.
* Configure the "match-clients" and "match-destinations" ACL.
*/
CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
ns_g_mctx, &view->matchclients));
CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
ns_g_mctx, &view->matchdestinations));
/*
* Configure the "match-recursive-only" option.
*/
obj = NULL;
(void) ns_config_get(maps, "match-recursive-only", &obj);
if (obj != NULL && cfg_obj_asboolean(obj))
view->matchrecursiveonly = ISC_TRUE;
else
view->matchrecursiveonly = ISC_FALSE;
/*
* Configure other configurable data.
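Review bot: The updated comment `Configure the "match-clients" and "match-destinations" ACL.` should read `ACLs`, and it would help to state the default here: when either option is absent the ACL pointer presumably stays NULL, which client.c's `allowed()` treats as matching every address, in line with the ARM text added in this commit. The `(void)` on `ns_config_get` silently discards the lookup result; that is presumably intentional because the option is optional, but a short comment such as `/* optional; absent means "no" */` spares the next reader the question. configure_view continues outside the hunk.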
......
......@@ -2,7 +2,7 @@
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
"http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
<!-- File: $Id: Bv9ARM-book.xml,v 1.148 2001/07/06 20:39:43 gson Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.149 2001/07/26 20:42:42 bwelling Exp $ -->
<book>
<title>BIND 9 Administrator Reference Manual</title>
......@@ -4054,6 +4054,8 @@ key data.</para></sect2>
<sect2><title><command>view</command> Statement Grammar</title>
<programlisting>view <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> {
match-clients { <replaceable>address_match_list</replaceable> } ;
match-destinations { <replaceable>address_match_list</replaceable> } ;
match-recursive-only { <replaceable>yes_or_no</replaceable> } ;
<optional> <replaceable>view_option</replaceable>; ...</optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> <replaceable>zone_statement</replaceable>; ...</optional>
......@@ -4065,11 +4067,19 @@ of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differen
depending on who is asking. It is particularly useful for implementing
split DNS setups without having to run multiple servers.</para>
<para>Each <command>view</command> statement defines a view of the
DNS namespace that will be seen by those clients whose IP addresses
match the <varname>address_match_list</varname> of the view's <command>match-clients</command> clause.
The order of the <command>view</command> statements is significant-a
client query will be resolved in the context of the first <command>view</command> whose <command>match-clients</command> list
matches the client's IP address.</para>
DNS namespace that will be seen by a subset of clients. A client matches
a view if its source IP address matches the
<varname>address_match_list</varname> of the view's
<command>match-clients</command> clause and its destination IP address matches
the <varname>address_match_list</varname> of the view's
<command>match-destinations</command> clause. If not specified, both
<command>match-clients</command> and <command>match-destinations</command>
default to matching all addresses. A view can also be specified
as <command>match-recursive-only</command>, which means that only recursive
queries from matching clients will match that view.
The order of the <command>view</command> statements is significant - a
client query will be resolved in the context of the first
<command>view</command> that it matches.
<para>Zones defined within a <command>view</command> statement will
be only be accessible to clients that match the <command>view</command>.
By defining a zone of the same name in multiple views, different
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.h,v 1.71 2001/05/07 23:34:09 gson Exp $ */
/* $Id: view.h,v 1.72 2001/07/26 20:42:45 bwelling Exp $ */
#ifndef DNS_VIEW_H
#define DNS_VIEW_H 1
......@@ -123,6 +123,8 @@ struct dns_view {
* locked by server configuration lock.
*/
dns_acl_t * matchclients;
dns_acl_t * matchdestinations;
isc_boolean_t matchrecursiveonly;
/* Locked by themselves. */
isc_refcount_t references;
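Review bot: The two new fields carry no comment explaining their defaults; a short note of what NULL and ISC_FALSE mean would help, e.g. `dns_acl_t * matchdestinations; /* NULL: match all destinations */` and `isc_boolean_t matchrecursiveonly; /* ISC_TRUE: only RD queries match */`, since client.c treats a NULL ACL as unrestricted. Both fields sit under the existing "locked by server configuration lock" comment, so that locking statement now covers them too and is worth confirming. struct dns_view begins outside the hunk.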
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: view.c,v 1.100 2001/05/07 23:34:04 gson Exp $ */
/* $Id: view.c,v 1.101 2001/07/26 20:42:44 bwelling Exp $ */
#include <config.h>
......@@ -133,6 +133,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->statickeys = NULL;
view->dynamickeys = NULL;
view->matchclients = NULL;
view->matchdestinations = NULL;
view->matchrecursiveonly = ISC_FALSE;
result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
if (result != ISC_R_SUCCESS)
goto cleanup_fwdtable;
......@@ -242,6 +244,8 @@ destroy(dns_view_t *view) {
dns_cache_detach(&view->cache);
if (view->matchclients != NULL)
dns_acl_detach(&view->matchclients);
if (view->matchdestinations != NULL)
dns_acl_detach(&view->matchdestinations);
if (view->queryacl != NULL)
dns_acl_detach(&view->queryacl);
if (view->recursionacl != NULL)
......
......@@ -15,7 +15,7 @@
* WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: parser.c,v 1.64 2001/07/23 05:00:43 mayer Exp $ */
/* $Id: parser.c,v 1.65 2001/07/26 20:42:46 bwelling Exp $ */
#include <config.h>
......@@ -902,6 +902,8 @@ view_clauses[] = {
static cfg_clausedef_t
view_only_clauses[] = {
{ "match-clients", &cfg_type_bracketed_aml, 0 },
{ "match-destinations", &cfg_type_bracketed_aml, 0 },
{ "match-recursive-only", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
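Review bot: `match-recursive-only` is declared here with `cfg_type_boolean`, not a bracketed type like the `cfg_type_bracketed_aml` used for the two ACL clauses, yet the view grammar added to Bv9ARM-book.xml in this commit writes `match-recursive-only { yes_or_no } ;` with braces; the documented syntax presumably would not parse. The ARM line should read `match-recursive-only yes_or_no ;` to agree with this table.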
......