Commit 3483f241 authored by Michal 'vorner' Vaner

[2066] ACL Docs: More tweaks by review

* Note that TSIG key is DNS specific.
* Language fix.
* Returned an example to the resolver.
parent f533afad
......@@ -1352,8 +1352,10 @@ TODO
RULE := { "action": "ACCEPT"|"REJECT"|"DROP", MATCH, MATCH, ... }
RULE_RAW := { MATCH, MATCH, ... }
MATCH := FROM_MATCH|KEY_MATCH|NOT_MATCH|OR_MATCH|AND_MATCH|...
FROM_MATCH := "from": "<ip range>
KEY_MATCH := "key": "<key name>
FROM_MATCH := "from": [RANGE, RANGE, RANGE, ...] | RANGE
RANGE := "<ip range>
KEY_MATCH := "key": [KEY, KEY, KEY, ...] | KEY
KEY := "<key name>
NOT_MATCH := "NOT": RULE_RAW
OR_MATCH := "ANY": [ RULE_RAW, RULE_RAW, ... ]
AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
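Review bot: the quoted terminals in the grammar are missing their closing quote: `RANGE := "<ip range>` and `KEY := "<key name>` open a string literal that never closes (the replaced `FROM_MATCH`/`KEY_MATCH` lines had the same defect). Suggest `RANGE := "<ip range>"` and `KEY := "<key name>"` so the notation matches the other quoted tokens such as `"from":` and `"NOT":`. It would also help to state, next to the new list forms `[RANGE, RANGE, RANGE, ...] | RANGE` and `[KEY, KEY, KEY, ...] | KEY`, whether a list matches when any element matches or only when all do, since `OR_MATCH` ("ANY") and `AND_MATCH` ("ALL") make that distinction explicit elsewhere in the grammar and a reader of an ACL needs to know which one a bare list means.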
......@@ -1373,8 +1375,9 @@ AND_MATCH := "ALL": [ RULE_RAW, RULE_RAW, ... ]
<para>
The other is TSIG key by which the message was signed. The ACL
contains only the name (under the name "key"), the key itself
must be stored in the global keyring. <!-- TODO: Section for
the keyring and link to it.-->
must be stored in the global keyring. This property is applicable only
to the DNS context. <!-- TODO: Section for the keyring and link to
it.-->
</para>
<para>
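Review bot: the new sentence "This property is applicable only to the DNS context" leaves unspecified what happens when a `"key"` match appears in an ACL used outside the DNS context (a configuration error, or a match that never succeeds); say which, since the difference decides whether a misplaced rule fails closed or is silently ignored. Minor language points in the unchanged opening of the paragraph: "The other is TSIG key" should read "The other is the TSIG key", and "contains only the name (under the name "key"), the key itself must be stored" is a comma splice that should be split into two sentences, as the rewrite keeps it.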
......@@ -2101,7 +2104,7 @@ http://bind10.isc.org/wiki/ScalableZoneLoadDesign#a7.2UpdatingaZone
Xfrout/transfer_acl[0] {"action": "ACCEPT"} any (default)</screen>
<para>
You can configure it the same as any ACL
You can configure it in the same way as any ACL
(<xref linkend="common-acl" />).
</para>
......@@ -2483,6 +2486,27 @@ what is XfroutClient xfr_client??
See <xref linkend="common-acl" />.
</para>
<para>
To allow queries on the "192.168.1.1" interface, these commands could be
issued. Note that we don't set the value of the third rule -- in the case
of resolver, rejecting all queries is the default value of new rule. And
that last final rule is not needed too, as the default, when a query falls
off the list, is rejection.
<screen>
> <userinput>config show Resolver/query_acl</userinput>
Resolver/query_acl[0] {"action": "ACCEPT", "from": "127.0.0.1"} any (default)
Resolver/query_acl[1] {"action": "ACCEPT", "from": "::1"} any (default)
> <userinput>config add Resolver/query_acl</userinput>
> <userinput>config set Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.168.1.1/24"}</userinput>
> <userinput>config add Resolver/query_acl</userinput>
> <userinput>config show Resolver/query_acl</userinput>
Resolver/query_acl[0] {"action": "ACCEPT", "from": "127.0.0.1"} any (modified)
Resolver/query_acl[1] {"action": "ACCEPT", "from": "::1"} any (modified)
Resolver/query_acl[2] {"action": "ACCEPT", "from": "192.168.1.1/24"} any (modified)
Resolver/query_acl[3] {"action": "REJECT"} any (modified)
> <userinput>config commit</userinput></screen>
</para>
</section>
<section>
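Review bot: the prose and the configuration in this example disagree: the text says "To allow queries on the "192.168.1.1" interface", but the rule `{"action": "ACCEPT", "from": "192.168.1.1/24"}` matches on the source address of the query (the `"from"` match takes an IP range), not on an interface, and `192.168.1.1/24` is a /24 written with host bits set. Suggest wording it as "To allow queries from the 192.168.1.0/24 network" and using `"from": "192.168.1.0/24"` in the `config set` line, so the reader sees exactly which clients the ACL admits. Two smaller points in the same paragraph: "in the case of resolver" should be "in the case of the resolver", and "that last final rule is not needed too" should be "that last rule is not needed either"; the statement that a new rule defaults to rejection and that a query falling off the end of the list is rejected is the security-relevant part of the paragraph and is worth keeping as one clear sentence.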