This MR extends ACL syntax with port and transport options.
zone "example" {
...
allow-transfer port 853 transport tls { any; };
};The runtime representation and ACL loading code are extended to allow
the syntax to be used beyond the allow-transfer option (e.g. in
acl definitions and other allow-* options) and can be used to
ultimately extend the ACL support with transport-only
ACLs. For example, it could look like follows:
transport-acl do53 transport udp-tcp;
transport-acl allow-tls port 853 transport tls;
transport-acl allow-http port 443 transport http;
acl https-tls { !do53; allow-tls; allow-http; any;};
options {
allow-query { https-tls; };
};But, due to fundamental nature of such a change, it has not been completed as a
part of 9.17.X release series due to it being close to 9.18 stable
release status. That means that we do not have enough time to fully
test it. so, for now, the transport options are allowed only in allow-transfer options, as required by #2776 (closed) .
The complete integration is planned as a part of 9.19.X release series in a separate issue.
The code was manually verified to work as expected by temporarily
enabling the extended syntax for acl statements and allow-query
options, including ACL merging, negated ACLs (this can be trivially enabled):
acl tls port 853 transport tls {};
acl https-tls port 443 transport http { tls; };
zone "example" {
type primary;
file "example.db";
allow-query {https-tls; any; };
};
Closes #2776 (closed)