From 4ab9bb2b27038ef5383153f57edc44036ea52bd5 Mon Sep 17 00:00:00 2001 From: Evan Hunt Date: Thu, 28 Aug 2014 21:39:43 -0700 Subject: [PATCH] [v9_10] fix geoip asnum matching 3935. [bug] "geoip asnum" ACL elements would not match unless the full organization name was specified. They can now match against the AS number alone (e.g., AS1234). [RT #36945] --- CHANGES | 5 ++ bin/tests/system/geoip/ns2/named10.conf | 14 +-- bin/tests/system/geoip/ns2/named11.conf | 32 ++++++- bin/tests/system/geoip/ns2/named12.conf | 47 ++++++++-- bin/tests/system/geoip/ns2/named13.conf | 77 ++-------------- bin/tests/system/geoip/ns2/named14.conf | 112 ++++++++++++++++++++++++ bin/tests/system/geoip/tests.sh | 27 +++++- doc/arm/Bv9ARM-book.xml | 29 +++--- lib/dns/geoip.c | 17 +++- lib/isccfg/aclconf.c | 66 ++++++++++---- util/copyrights | 5 +- 11 files changed, 302 insertions(+), 129 deletions(-) create mode 100644 bin/tests/system/geoip/ns2/named14.conf diff --git a/CHANGES b/CHANGES index 6d36018b4e..b13501cd71 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +3935. [bug] "geoip asnum" ACL elements would not match unless + the full organization name was specified. They + can now match against the AS number alone (e.g., + AS1234). [RT #36945] + 3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve sit-secret documentation. [RT #36980] diff --git a/bin/tests/system/geoip/ns2/named10.conf b/bin/tests/system/geoip/ns2/named10.conf index 1ceece41cf..29d9d43459 100644 --- a/bin/tests/system/geoip/ns2/named10.conf +++ b/bin/tests/system/geoip/ns2/named10.conf @@ -40,7 +40,7 @@ controls { }; view one { - match-clients { geoip domain one.de; }; + match-clients { geoip asnum "AS100001"; }; zone "example" { type master; file "example1.db"; @@ -48,7 +48,7 @@ view one { }; view two { - match-clients { geoip domain two.com; }; + match-clients { geoip asnum "AS100002"; }; zone "example" { type master; file "example2.db"; 
@@ -56,7 +56,7 @@ view two { }; view three { - match-clients { geoip domain three.com; }; + match-clients { geoip asnum "AS100003"; }; zone "example" { type master; file "example3.db"; @@ -64,7 +64,7 @@ view three { }; view four { - match-clients { geoip domain four.com; }; + match-clients { geoip asnum "AS100004"; }; zone "example" { type master; file "example4.db"; @@ -72,7 +72,7 @@ view four { }; view five { - match-clients { geoip domain five.es; }; + match-clients { geoip asnum "AS100005"; }; zone "example" { type master; file "example5.db"; @@ -80,7 +80,7 @@ view five { }; view six { - match-clients { geoip domain six.it; }; + match-clients { geoip asnum "AS100006"; }; zone "example" { type master; file "example6.db"; @@ -88,7 +88,7 @@ view six { }; view seven { - match-clients { geoip domain seven.org; }; + match-clients { geoip asnum "AS100007"; }; zone "example" { type master; file "example7.db"; diff --git a/bin/tests/system/geoip/ns2/named11.conf b/bin/tests/system/geoip/ns2/named11.conf index 85c0d32c34..1ceece41cf 100644 --- a/bin/tests/system/geoip/ns2/named11.conf +++ b/bin/tests/system/geoip/ns2/named11.conf @@ -40,7 +40,7 @@ controls { }; view one { - match-clients { geoip netspeed 0; }; + match-clients { geoip domain one.de; }; zone "example" { type master; file "example1.db"; @@ -48,7 +48,7 @@ view one { }; view two { - match-clients { geoip netspeed 1; }; + match-clients { geoip domain two.com; }; zone "example" { type master; file "example2.db"; @@ -56,7 +56,7 @@ view two { }; view three { - match-clients { geoip netspeed 2; }; + match-clients { geoip domain three.com; }; zone "example" { type master; file "example3.db"; 
@@ -64,13 +64,37 @@ view three { }; view four { - match-clients { geoip netspeed 3; }; + match-clients { geoip domain four.com; }; zone "example" { type master; file "example4.db"; }; }; +view five { + match-clients { geoip domain five.es; }; + zone "example" { + type master; + file "example5.db"; + }; +}; + +view six { + match-clients { geoip domain six.it; }; + zone "example" { + type master; + file "example6.db"; + }; +}; + +view seven { + match-clients { geoip domain seven.org; }; + zone "example" { + type master; + file "example7.db"; + }; +}; + view none { match-clients { any; }; zone "example" { diff --git a/bin/tests/system/geoip/ns2/named12.conf b/bin/tests/system/geoip/ns2/named12.conf index a650a635d2..85c0d32c34 100644 --- a/bin/tests/system/geoip/ns2/named12.conf +++ b/bin/tests/system/geoip/ns2/named12.conf @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -18,10 +18,6 @@ controls { /* empty */ }; -acl blocking { - geoip db country country AU; -}; - options { query-source address 10.53.0.2; notify-source 10.53.0.2; @@ -32,7 +28,6 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; - blackhole { blocking; }; }; key rndc_key { 
@@ -43,3 +38,43 @@ key rndc_key { controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; + +view one { + match-clients { geoip netspeed 0; }; + zone "example" { + type master; + file "example1.db"; + }; +}; + +view two { + match-clients { geoip netspeed 1; }; + zone "example" { + type master; + file "example2.db"; + }; +}; + +view three { + match-clients { geoip netspeed 2; }; + zone "example" { + type master; + file "example3.db"; + }; +}; + +view four { + match-clients { geoip netspeed 3; }; + zone "example" { + type master; + file "example4.db"; + }; +}; + +view none { + match-clients { any; }; + zone "example" { + type master; + file "example.db.in"; + }; +}; diff --git a/bin/tests/system/geoip/ns2/named13.conf b/bin/tests/system/geoip/ns2/named13.conf index f92d25216c..a650a635d2 100644 --- a/bin/tests/system/geoip/ns2/named13.conf +++ b/bin/tests/system/geoip/ns2/named13.conf @@ -18,6 +18,10 @@ controls { /* empty */ }; +acl blocking { + geoip db country country AU; +}; + options { query-source address 10.53.0.2; notify-source 10.53.0.2; @@ -28,6 +32,7 @@ options { listen-on-v6 { none; }; recursion no; geoip-directory "../data"; + blackhole { blocking; }; }; key rndc_key { 
@@ -38,75 +43,3 @@ key rndc_key { controls { inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; }; - -acl gAU { geoip db country country AU; }; -acl gUS { geoip db country country US; }; -acl gGB { geoip db country country GB; }; -acl gCA { geoip db country country CA; }; -acl gCL { geoip db country country CL; }; -acl gDE { geoip db country country DE; }; -acl gEH { geoip db country country EH; }; - -view one { - match-clients { gAU; }; - zone "example" { - type master; - file "example1.db"; - }; -}; - -view two { - match-clients { gUS; }; - zone "example" { - type master; - file "example2.db"; - }; -}; - -view three { - match-clients { gGB; }; - zone "example" { - type master; - file "example3.db"; - }; -}; - -view four { - match-clients { gCA; }; - zone "example" { - type master; - file "example4.db"; - }; -}; - -view five { - match-clients { gCL; }; - zone "example" { - type master; - file "example5.db"; - }; -}; - -view six { - match-clients { gDE; }; - zone "example" { - type master; - file "example6.db"; - }; -}; - -view seven { - match-clients { gEH; }; - zone "example" { - type master; - file "example7.db"; - }; -}; - -view none { - match-clients { any; }; - zone "example" { - type master; - file "example.db.in"; - }; -}; diff --git a/bin/tests/system/geoip/ns2/named14.conf b/bin/tests/system/geoip/ns2/named14.conf new file mode 100644 index 0000000000..f92d25216c --- /dev/null +++ b/bin/tests/system/geoip/ns2/named14.conf 
@@ -0,0 +1,112 @@ +/* + * Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +// NS2 + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + recursion no; + geoip-directory "../data"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +acl gAU { geoip db country country AU; }; +acl gUS { geoip db country country US; }; +acl gGB { geoip db country country GB; }; +acl gCA { geoip db country country CA; }; +acl gCL { geoip db country country CL; }; +acl gDE { geoip db country country DE; }; +acl gEH { geoip db country country EH; }; + +view one { + match-clients { gAU; }; + zone "example" { + type master; + file "example1.db"; + }; +}; + +view two { + match-clients { gUS; }; + zone "example" { + type master; + file "example2.db"; + }; +}; + +view three { + match-clients { gGB; }; + zone "example" { + type master; + file "example3.db"; + }; +}; + +view four { + match-clients { gCA; }; + zone "example" { + type master; + file "example4.db"; + }; +}; + +view five { + 
match-clients { gCL; };
+	zone "example" {
+		type master;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { gDE; };
+	zone "example" {
+		type master;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { gEH; };
+	zone "example" {
+		type master;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type master;
+		file "example.db.in";
+	};
+};
diff --git a/bin/tests/system/geoip/tests.sh b/bin/tests/system/geoip/tests.sh
index e7ab56a57b..3e916aed31 100644
--- a/bin/tests/system/geoip/tests.sh
+++ b/bin/tests/system/geoip/tests.sh
@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
 sleep 3
 
 n=`expr $n + 1`
-echo "I:checking GeoIP domain database ($n)"
+echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
@@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
 sleep 3
 
 n=`expr $n + 1`
-echo "I:checking GeoIP netspeed database ($n)"
+echo "I:checking GeoIP domain database ($n)"
 ret=0
 lret=0
-for i in 1 2 3 4; do
+for i in 1 2 3 4 5 6 7; do
 	$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
 	j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
 	[ "$i" = "$j" ] || lret=1
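Review bot: The relabelled check `I:checking GeoIP asnum database - ASNNNN only` exercises only the new short form, so after this change nothing in the system test confirms that the full `ASNNNN Organization` form still matches through the exact strcasecmp path, and nothing confirms that a shorter token such as `AS10000` does not match an `AS100001` entry. Since the loop body compares the TXT answer with the view number, both gaps could be closed with one more named*.conf run through the same loop: views using the full description strings (assuming the strings in the `../data` test database are known), plus a view keyed on a strict prefix of a real AS number whose query is expected to fall through to view `none`. The loop that these checks share begins in this hunk, but its `done` and the status accounting are outside it.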
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
 sleep 3
 
+n=`expr $n + 1`
+echo "I:checking GeoIP netspeed database ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4; do
+	$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+	j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+	[ "$i" = "$j" ] || lret=1
+	[ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:reloading server"
+cp -f ns2/named13.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 3
+
 n=`expr $n + 1`
 echo "I:checking GeoIP blackhole ACL ($n)"
 ret=0
@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
 status=`expr $status + $ret`
 
 echo "I:reloading server"
-cp -f ns2/named13.conf ns2/named.conf
+cp -f ns2/named14.conf ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
 sleep 3
 
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index 8551db6030..b5f54c0e8e 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2563,7 +2563,6 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 be configured to act as a lightweight resolver daemon using the lwres statement in named.conf.
-
@@ -3454,17 +3453,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. "isp", "org", "asnum", "domain" and "netspeed". - value is the value to searched for - within the database. A string may be quoted if it contains - spaces or other special characters. If this is a "country" - search and the string is two characters long, then it must be a - standard ISO-3166-1 two-letter country code, and if it is three - characters long then it must be an ISO-3166-1 three-letter - country code; otherwise it is the full name of the country. - Similarly, if this is a "region" search and the string is - two characters long, then it must be a standard two-letter state - or province abbreviation; otherwise it is the full name of the - state or province. + value is the value to search + for within the database. A string may be quoted if it + contains spaces or other special characters. If this is + an "asnum" search, then the leading "ASNNNN" string can be + used, otherwise the full description must be used (e.g. + "ASNNNN Example Company Name"). If this is a "country" + search and the string is two characters long, then it must + be a standard ISO-3166-1 two-letter country code, and if it + is three characters long then it must be an ISO-3166-1 + three-letter country code; otherwise it is the full name + of the country. Similarly, if this is a "region" search + and the string is two characters long, then it must be a + standard two-letter state or province abbreviation; + otherwise it is the full name of the state or province. The database field indicates which @@ -8911,7 +8913,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; }; initial value (minimum) and maximum number of recursive simultaneous clients for any given query (<qname,qtype,qclass>) that the server will accept - before dropping additional clients. named will attempt to + before dropping additional clients. + named will attempt to self tune this value and changes will be logged. The default values are 10 and 100. 
diff --git a/lib/dns/geoip.c b/lib/dns/geoip.c
index 291b0d05e9..ec6beb7acb 100644
--- a/lib/dns/geoip.c
+++ b/lib/dns/geoip.c
@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
 			return (ISC_FALSE);
 
 		s = name_lookup(db, subtype, ipnum);
-		if (s != NULL && strcasecmp(elt->as_string, s) == 0)
-			return (ISC_TRUE);
+		if (s != NULL) {
+			size_t l;
+			if (strcasecmp(elt->as_string, s) == 0)
+				return (ISC_TRUE);
+			if (subtype != dns_geoip_as_asnum)
+				break;
+			/*
+			 * Just check if the ASNNNN value matches.
+			 */
+			l = strlen(elt->as_string);
+			if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
+			    strncasecmp(elt->as_string, s, l) == 0 &&
+			    s[l] == ' ')
+				return (ISC_TRUE);
+		}
 		break;
 
 	case dns_geoip_netspeed_id:
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 76f6ad4a9a..83d5ae6509 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 	const char *stype, *search;
 	dns_geoip_subtype_t subtype;
 	dns_aclelement_t de;
+	size_t len;
 
 	REQUIRE(dep != NULL);
 
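Review bot: The prefix branch added to dns_geoip_match reads `s[l]` with no explanation of why that index is in bounds, and the only shape check on the configured string is that it contains no space, not that it looks like an AS number. The read is safe only because `strncasecmp(elt->as_string, s, l) == 0` with `l == strlen(elt->as_string)` means `s` holds at least `l` non-NUL bytes, so `s[l]` is either the terminator or a later character; the comment should say that instead of `Just check if the ASNNNN value matches.`, e.g. `Match on the leading "ASNNNN" token alone; a full-length strncasecmp match guarantees s has at least l bytes, so s[l] is readable.` As written, any space-free search term equal to the first word of the database string matches, so `geoip asnum "foo"` would match a database value `foo bar`; if the asnum field is always `ASNNNN` followed by a description (not verifiable from here) it would be cleaner to reject search strings that do not start with `AS` at parse time in aclconf.c rather than rely on the database's format. The enclosing switch and the rest of dns_geoip_match lie outside the hunk.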
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 	stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
 	search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
+	len = strlen(search);
 
-	if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) {
+	if (len == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "zero-length geoip search field");
+		return (ISC_R_FAILURE);
+	}
+
+	if (strcasecmp(stype, "country") == 0 && len == 2) {
 		/* Two-letter country code */
 		subtype = dns_geoip_countrycode;
-		strncpy(de.geoip_elem.as_string, search, 2);
-	} else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) {
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "country") == 0 && len == 3) {
 		/* Three-letter country code */
 		subtype = dns_geoip_countrycode3;
-		strncpy(de.geoip_elem.as_string, search, 3);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "country") == 0) {
 		/* Country name */
 		subtype = dns_geoip_countryname;
-		strncpy(de.geoip_elem.as_string, search, 255);
-	} else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) {
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "region") == 0 && len == 2) {
 		/* Two-letter region code */
 		subtype = dns_geoip_region;
-		strncpy(de.geoip_elem.as_string, search, 2);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "region") == 0) {
 		/* Region name */
 		subtype = dns_geoip_regionname;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "city") == 0) {
 		/* City name */
 		subtype = dns_geoip_city_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
-	} else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) {
+		strlcpy(de.geoip_elem.as_string,
search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "postal") == 0 && len < 7) {
 		subtype = dns_geoip_city_postalcode;
-		strncpy(de.geoip_elem.as_string, search, 6);
-		de.geoip_elem.as_string[6] = '\0';
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "postal") == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "geoiop postal code (%s) too long", search);
+		return (ISC_R_FAILURE);
 	} else if (strcasecmp(stype, "metro") == 0) {
 		subtype = dns_geoip_city_metrocode;
 		de.geoip_elem.as_int = atoi(search);
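Review bot: Every `strlcpy(de.geoip_elem.as_string, search, sizeof(de.geoip_elem.as_string))` introduced in this hunk discards the return value, so a country, region or city name longer than the buffer is silently truncated and the ACL element then compares a truncated string against the database; it can never match what the operator configured, and named-checkconf will not report it. The new `len == 0` rejection shows the intent to validate the search string at parse time, and overlength input deserves the same treatment: since `len` is already computed, one check beside the zero-length one, `if (len >= sizeof(de.geoip_elem.as_string)) { cfg_obj_log(obj, lctx, ISC_LOG_ERROR, "geoip search field (%s) too long", search); return (ISC_R_FAILURE); }`, covers every string branch below it. The message `"geoiop postal code (%s) too long"` also misspells geoip, which matters for anyone grepping logs. parse_geoip_element begins and ends outside the hunk.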
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 		de.geoip_elem.as_int = atoi(search);
 	} else if (strcasecmp(stype, "tz") == 0) {
 		subtype = dns_geoip_city_timezonecode;
-		strncpy(de.geoip_elem.as_string, search, 255);
-	} else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) {
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0 && len == 2) {
 		/* Two-letter continent code */
 		subtype = dns_geoip_city_continentcode;
-		strncpy(de.geoip_elem.as_string, search, 2);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "geoiop continent code (%s) too long", search);
+		return (ISC_R_FAILURE);
 	} else if (strcasecmp(stype, "isp") == 0) {
 		subtype = dns_geoip_isp_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "asnum") == 0) {
 		subtype = dns_geoip_as_asnum;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "org") == 0) {
 		subtype = dns_geoip_org_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "domain") == 0) {
 		subtype = dns_geoip_domain_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "netspeed") == 0) {
 		subtype = dns_geoip_netspeed_id;
 		de.geoip_elem.as_int = atoi(search);
diff --git a/util/copyrights b/util/copyrights
index 350efbf9e7..87ff5ed109 100644
--- a/util/copyrights
+++ b/util/copyrights
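Review bot: The new error message `"geoiop continent code (%s) too long"` misspells geoip; it should read `"geoip continent code (%s) too long"` so it is found by the same log searches as every other geoip diagnostic. The continent branch now rejects any value that is not exactly two characters, but the tz, isp, asnum, org and domain branches in the same hunk copy with `strlcpy` and ignore its return value, so an overlong search string is silently truncated rather than rejected, which is inconsistent with the validation this hunk adds and leaves the operator with an ACL element that can never match; guarding each of those copies with `if (len >= sizeof(de.geoip_elem.as_string))` and the same cfg_obj_log/return pattern would make the branches uniform. The exact limit to document depends on the declared size of `as_string`, which is not visible here. The remaining branches of parse_geoip_element and its return are outside the hunk.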
@@ -1321,10 +1321,11 @@
 ./bin/tests/system/geoip/geoip.c C 2013
 ./bin/tests/system/geoip/ns2/example.db.in ZONE 2013
 ./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013
-./bin/tests/system/geoip/ns2/named10.conf CONF-C 2013
+./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014
 ./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013
-./bin/tests/system/geoip/ns2/named12.conf CONF-C 2014
+./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013
 ./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014
+./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014
 ./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013
 ./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013
 ./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013