query_getzonedb() formatted the domain name and class being queried

for at least once for every query to authoritative data, whether or not a log message was actually printed, which adversely affected query performance
2026-05-28 04:34:54 -04:00 · 2001-06-15 23:28:29 +00:00 · 2001-06-15 23:28:29 +00:00 · 5465e5f7dd
commit 5465e5f7dd
parent 0eace215bd
3 changed files with 71 additions and 27 deletions
--- a/bin/named/client.c
+++ b/bin/named/client.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: client.c,v 1.172 2001/06/15 22:35:42 gson Exp $ */
+/* $Id: client.c,v 1.173 2001/06/15 23:28:26 gson Exp $ */

 #include <config.h>

@ -2172,9 +2172,8 @@ ns_client_getsockaddr(ns_client_t *client) {
 }

 isc_result_t
-ns_client_checkacl(ns_client_t  *client,
-		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow, int log_level)
+ns_client_checkaclsilent(ns_client_t *client, dns_acl_t *acl,
+			 isc_boolean_t default_allow)
 {
 	isc_result_t result;
 	int match;
@ -2199,18 +2198,31 @@ ns_client_checkacl(ns_client_t  *client,
 	goto deny; /* Negative match or no match. */

 allow:
-	ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-		      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
-		      "%s approved", opname);
 	return (ISC_R_SUCCESS);

 deny:
-	ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
-		      NS_LOGMODULE_CLIENT,
-		      log_level, "%s denied", opname);
 	return (DNS_R_REFUSED);
 }

+isc_result_t
+ns_client_checkacl(ns_client_t *client,
+		   const char *opname, dns_acl_t *acl,
+		   isc_boolean_t default_allow, int log_level)
+{
+	isc_result_t result =
+		ns_client_checkaclsilent(client, acl, default_allow);
+
+	if (result == ISC_R_SUCCESS) 
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
+			      "%s approved", opname);
+	else
+		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+			      NS_LOGMODULE_CLIENT,
+			      log_level, "%s denied", opname);
+	return (result);
+}
+
 static void
 ns_client_name(ns_client_t *client, char *peerbuf, size_t len) {
 	if (client->peeraddr_valid)
--- a/bin/named/include/named/client.h
+++ b/bin/named/include/named/client.h
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: client.h,v 1.57 2001/03/19 20:52:21 gson Exp $ */
+/* $Id: client.h,v 1.58 2001/06/15 23:28:29 gson Exp $ */

 #ifndef NAMED_CLIENT_H
 #define NAMED_CLIENT_H 1
@ -268,17 +268,14 @@ ns_client_getsockaddr(ns_client_t *client);
 */

 isc_result_t
-ns_client_checkacl(ns_client_t  *client,
-		   const char *opname, dns_acl_t *acl,
-		   isc_boolean_t default_allow,
-		   int log_level);
+ns_client_checkaclsilent(ns_client_t  *client,dns_acl_t *acl,
+			 isc_boolean_t default_allow);
+
 /*
 * Convenience function for client request ACL checking.
 *
 * Check the current client request against 'acl'.  If 'acl'
 * is NULL, allow the request iff 'default_allow' is ISC_TRUE.
- * Log the outcome of the check if deemed appropriate.
- * Log messages will refer to the request as an 'opname' request.
 *
 * Notes:
 *	This is appropriate for checking allow-update,
@ -289,7 +286,6 @@ ns_client_checkacl(ns_client_t  *client,
 *
 * Requires:
 *	'client' points to a valid client.
- *	'opname' points to a null-terminated string.
 *	'acl' points to a valid ACL, or is NULL.
 *
 * Returns:
@ -298,6 +294,23 @@ ns_client_checkacl(ns_client_t  *client,
 *	No other return values are possible.
 */

+isc_result_t
+ns_client_checkacl(ns_client_t  *client,
+		   const char *opname, dns_acl_t *acl,
+		   isc_boolean_t default_allow,
+		   int log_level);
+/*
+ * Like ns_client_checkacl, but also logs the outcome of the
+ * check at log level 'log_level' if denied, and at debug 3
+ * if approved.  Log messages will refer to the request as
+ * an 'opname' request.
+ *
+ * Requires:
+ *	Those of ns_client_checkaclsilent(), and:
+ *
+ *	'opname' points to a null-terminated string.
+ */
+
 void
 ns_client_log(ns_client_t *client, isc_logcategory_t *category,
 	      isc_logmodule_t *module, int level,
--- a/bin/named/query.c
+++ b/bin/named/query.c
@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: query.c,v 1.195 2001/05/19 00:08:21 gson Exp $ */
+/* $Id: query.c,v 1.196 2001/06/15 23:28:27 gson Exp $ */

 #include <config.h>

@ -625,14 +625,33 @@ query_getzonedb(ns_client_t *client, dns_name_t *name, unsigned int options,

 	if (check_acl) {
 		isc_boolean_t log = ISC_TF((options & DNS_GETDB_NOLOG) == 0);
-		char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE
-			 + sizeof "query '/'"];
-		
-		ns_client_aclmsg("query", name, client->view->rdclass,
-				 msg, sizeof(msg));
-		result = ns_client_checkacl(client, msg, queryacl,
-					    ISC_TRUE,
-					    log ? ISC_LOG_INFO : ISC_LOG_DEBUG(3));
+
+		result = ns_client_checkaclsilent(client, queryacl, ISC_TRUE);
+		if (log) {
+			char msg[DNS_NAME_FORMATSIZE + DNS_RDATACLASS_FORMATSIZE
+				+ sizeof "query '/'"];
+			if (result == ISC_R_SUCCESS) {
+				if (isc_log_wouldlog(ns_g_lctx,
+						     ISC_LOG_DEBUG(3)))
+				{
+					ns_client_aclmsg("query", name,
+							 client->view->rdclass,
+							 msg, sizeof(msg));
+					ns_client_log(client,
+						      DNS_LOGCATEGORY_SECURITY,
+						      NS_LOGMODULE_QUERY,
+						      ISC_LOG_DEBUG(3),
+						      "%s approved", msg);
+				}
+		    	} else {
+				ns_client_aclmsg("query", name,
+						 client->view->rdclass,
+						 msg, sizeof(msg));
+				ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
+					      NS_LOGMODULE_QUERY, ISC_LOG_INFO,
+					      "%s denied", msg);
+			}
+		}

 		if (queryacl == client->view->queryacl) {
 			if (result == ISC_R_SUCCESS) {