upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-24 15:47:18 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

add a parser to filter-aaaa.so and pass in the parameters

Browse source 
- make some cfg-parsing functions global so they can be run
  from filter-aaaa.so
- add filter-aaaa options to the hook module's parser
- mark filter-aaaa options in named.conf as obsolete, remove
  from named and checkconf, and update the filter-aaaa test not to
  use checkconf anymore
- remove filter-aaaa-related struct members from dns_view
This commit is contained in:
Evan Hunt 2018-08-12 23:06:00 -07:00
parent d2f4644388
commit 9911c835d3
37 changed files with 386 additions and 662 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

150
bin/hooks/filter-aaaa.c
View file

@ -19,6 +19,10 @@
#include <isc/result.h>
#include <isc/util.h>
#include <isccfg/aclconf.h>
#include <isccfg/grammar.h>
#include <isccfg/namedconf.h>
#include <dns/result.h>
#include <dns/view.h>
@ -27,6 +31,13 @@
#include <ns/log.h>
#include <ns/query.h>
#define CHECK(r) \
do { \
result = (r); \
if (result != ISC_R_SUCCESS) \
goto cleanup; \
} while (0)
ns_hook_destroy_t hook_destroy;
ns_hook_register_t hook_register;
ns_hook_version_t hook_version;
@ -70,11 +81,120 @@ ns_hook_t filter_donesend = {
.callback = filter_query_done_send,
};
/*
* Configuration support.
*/
static dns_aaaa_t v4_aaaa;
static dns_aaaa_t v6_aaaa;
static dns_acl_t *aaaa_acl = NULL;
static const char *filter_aaaa_enums[] = { "break-dnssec", NULL };
static isc_result_t
parse_filter_aaaa(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_filter_aaaa(cfg_printer_t *pctx, const cfg_type_t *type) {
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_filter_aaaa = {
"filter_aaaa", parse_filter_aaaa, cfg_print_ustring,
doc_filter_aaaa, &cfg_rep_string, filter_aaaa_enums,
};
static cfg_clausedef_t param_clauses[] = {
{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
};
static cfg_clausedef_t *param_clausesets[] = {
param_clauses,
NULL
};
static cfg_type_t cfg_type_parameters = {
"filter-aaaa-params", cfg_parse_mapbody, cfg_print_mapbody,
cfg_doc_mapbody, &cfg_rep_map, param_clausesets
};
static isc_result_t
parse_filter_aaaa_on(const cfg_obj_t *param_obj, const char *param_name,
dns_aaaa_t *dstp)
{
const cfg_obj_t *obj = NULL;
isc_result_t result;
result = cfg_map_get(param_obj, param_name, &obj);
if (result != ISC_R_SUCCESS) {
return (ISC_R_SUCCESS);
}
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj)) {
*dstp = dns_aaaa_filter;
} else {
*dstp = dns_aaaa_ok;
}
} else if (strcasecmp(cfg_obj_asstring(obj), "break-dnssec") == 0) {
*dstp = dns_aaaa_break_dnssec;
} else {
result = ISC_R_UNEXPECTED;
}
return (result);
}
static isc_result_t
parse_parameters(const char *parameters, const void *cfg,
void *actx, ns_hookctx_t *hctx)
{
isc_result_t result = ISC_R_SUCCESS;
cfg_parser_t *parser = NULL;
cfg_obj_t *param_obj = NULL;
const cfg_obj_t *obj = NULL;
isc_buffer_t b;
CHECK(cfg_parser_create(hctx->mctx, hctx->lctx, &parser));
isc_buffer_constinit(&b, parameters, strlen(parameters));
isc_buffer_add(&b, strlen(parameters));
CHECK(cfg_parse_buffer(parser, &b, &cfg_type_parameters,
&param_obj));
CHECK(parse_filter_aaaa_on(param_obj, "filter-aaaa-on-v4", &v4_aaaa));
CHECK(parse_filter_aaaa_on(param_obj, "filter-aaaa-on-v6", &v6_aaaa));
obj = NULL;
result = cfg_map_get(param_obj, "filter-aaaa", &obj);
if (result == ISC_R_SUCCESS) {
CHECK(cfg_acl_fromconfig(obj, (const cfg_obj_t *) cfg,
hctx->lctx,
(cfg_aclconfctx_t *) actx,
hctx->mctx, 0, &aaaa_acl));
} else {
CHECK(dns_acl_any(hctx->mctx, &aaaa_acl));
}
cleanup:
if (param_obj != NULL) {
cfg_obj_destroy(parser, &param_obj);
}
if (parser != NULL) {
cfg_parser_destroy(&parser);
}
return (result);
}
/*
* Mandatory hook API functions.
*/
isc_result_t
hook_register(const char *parameters, const char *file, unsigned long line,
ns_hookctx_t *hctx, ns_hooktable_t *hooktable, void **instp)
const void *cfg, void *actx, ns_hookctx_t *hctx,
ns_hooktable_t *hooktable, void **instp)
{
UNUSED(parameters);
UNUSED(instp);
if (parameters != NULL) {
@ -83,6 +203,8 @@ hook_register(const char *parameters, const char *file, unsigned long line,
"loading params for 'filter-aaaa' "
"module from %s:%lu",
file, line);
parse_parameters(parameters, cfg, actx, hctx);
} else {
isc_log_write(hctx->lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_HOOKS, ISC_LOG_INFO,
@ -91,11 +213,6 @@ hook_register(const char *parameters, const char *file, unsigned long line,
file, line);
}
/*
* TODO:
* configure with parameters here
*/
ns_hook_add(hooktable, NS_QUERY_RESPOND_BEGIN,
&filter_respbegin);
ns_hook_add(hooktable, NS_QUERY_RESPOND_ANY_FOUND,
@ -118,6 +235,10 @@ void
hook_destroy(void **instp) {
UNUSED(instp);
if (aaaa_acl != NULL) {
dns_acl_detach(&aaaa_acl);
}
return;
}
@ -170,22 +291,19 @@ filter_prep_response_begin(void *hookdata, void *cbdata, isc_result_t *resp) {
UNUSED(cbdata);
qctx->filter_aaaa = dns_aaaa_ok;
if (qctx->client->view->v4_aaaa != dns_aaaa_ok ||
qctx->client->view->v6_aaaa != dns_aaaa_ok)
{
if (v4_aaaa != dns_aaaa_ok || v6_aaaa != dns_aaaa_ok) {
result = ns_client_checkaclsilent(qctx->client, NULL,
qctx->client->view->aaaa_acl,
true);
aaaa_acl, true);
if (result == ISC_R_SUCCESS &&
qctx->client->view->v4_aaaa != dns_aaaa_ok &&
v4_aaaa != dns_aaaa_ok &&
is_v4_client(qctx->client))
{
qctx->filter_aaaa = qctx->client->view->v4_aaaa;
qctx->filter_aaaa = v4_aaaa;
} else if (result == ISC_R_SUCCESS &&
qctx->client->view->v6_aaaa != dns_aaaa_ok &&
v6_aaaa != dns_aaaa_ok &&
is_v6_client(qctx->client))
{
qctx->filter_aaaa = qctx->client->view->v6_aaaa;
qctx->filter_aaaa = v6_aaaa;
}
}

5
bin/named/config.c
View file

@ -154,10 +154,7 @@ options {\n\
# fetch-glue <obsolete>;\n\
fetch-quota-params 100 0.1 0.3 0.7;\n\
fetches-per-server 0;\n\
fetches-per-zone 0;\n\
filter-aaaa-on-v4 no;\n\
filter-aaaa-on-v6 no;\n\
filter-aaaa { any; };\n"
fetches-per-zone 0;\n"
#ifdef HAVE_GEOIP
" geoip-use-ecs yes;\n"
#endif

48
bin/named/server.c
View file

@ -1538,7 +1538,7 @@ configure_dyndb(const cfg_obj_t *dyndb, isc_mem_t *mctx,
static isc_result_t
configure_hook(ns_hooktable_t *hooktable, const cfg_obj_t *hook,
ns_hookctx_t *hctx)
const cfg_obj_t *config, ns_hookctx_t *hctx)
{
isc_result_t result = ISC_R_SUCCESS;
const cfg_obj_t *obj;
@ -1563,11 +1563,15 @@ configure_hook(ns_hooktable_t *hooktable, const cfg_obj_t *hook,
cfg_obj_asstring(obj),
cfg_obj_file(obj),
cfg_obj_line(obj),
config,
named_g_aclconfctx,
hctx, hooktable);
} else {
result = ns_hookmodule_load(library, NULL,
cfg_obj_file(hook),
cfg_obj_line(hook),
config,
named_g_aclconfctx,
hctx, hooktable);
}
@ -5134,46 +5138,6 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
dns_quotatype_zone, r);
}
obj = NULL;
result = named_config_get(maps, "filter-aaaa-on-v4", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->v4_aaaa = dns_aaaa_filter;
else
view->v4_aaaa = dns_aaaa_ok;
} else {
const char *v4_aaaastr = cfg_obj_asstring(obj);
if (strcasecmp(v4_aaaastr, "break-dnssec") == 0) {
view->v4_aaaa = dns_aaaa_break_dnssec;
} else {
INSIST(0);
ISC_UNREACHABLE();
}
}
obj = NULL;
result = named_config_get(maps, "filter-aaaa-on-v6", &obj);
INSIST(result == ISC_R_SUCCESS);
if (cfg_obj_isboolean(obj)) {
if (cfg_obj_asboolean(obj))
view->v6_aaaa = dns_aaaa_filter;
else
view->v6_aaaa = dns_aaaa_ok;
} else {
const char *v6_aaaastr = cfg_obj_asstring(obj);
if (strcasecmp(v6_aaaastr, "break-dnssec") == 0) {
view->v6_aaaa = dns_aaaa_break_dnssec;
} else {
INSIST(0);
ISC_UNREACHABLE();
}
}
CHECK(configure_view_acl(vconfig, config, named_g_config,
"filter-aaaa", NULL, actx,
named_g_mctx, &view->aaaa_acl));
obj = NULL;
result = named_config_get(maps, "prefetch", &obj);
if (result == ISC_R_SUCCESS) {
@ -5368,7 +5332,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
CHECK(ns_hook_createctx(mctx, &hctx));
}
CHECK(configure_hook(view->hooktable, hook, hctx));
CHECK(configure_hook(view->hooktable, hook, config, hctx));
}
#endif

15
bin/tests/system/filter-aaaa/conf/bad1.conf
View file

@ -1,15 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
filter-aaaa { none; };
};

24
bin/tests/system/filter-aaaa/conf/bad2.conf
View file

@ -1,24 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
/*
* While this matches the defaults, it is not a good configuration
* to have in named.conf as the two options contradict each other
* indicating a error on behalf of the operator.
*
* The default is to have filter-aaaa-on-v4 off, but if it is turned
* on then it applies to all IPv4 queries. This results in
* contradictory defaults.
*/
filter-aaaa-on-v4 no;
filter-aaaa { any; };
};

18
bin/tests/system/filter-aaaa/conf/bad3.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 no;
};
view myview {
filter-aaaa { any; };
};

18
bin/tests/system/filter-aaaa/conf/bad4.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa { any; };
};
view myview {
filter-aaaa-on-v4 no;
};

18
bin/tests/system/filter-aaaa/conf/bad5.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa { none; };
};
view myview {
filter-aaaa-on-v4 yes;
};

18
bin/tests/system/filter-aaaa/conf/bad6.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
};
view myview {
filter-aaaa { none; };
};

14
bin/tests/system/filter-aaaa/conf/good1.conf
View file

@ -1,14 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
};

14
bin/tests/system/filter-aaaa/conf/good2.conf
View file

@ -1,14 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 break-dnssec;
};

15
bin/tests/system/filter-aaaa/conf/good3.conf
View file

@ -1,15 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 1.0.0.0/8; };
};

15
bin/tests/system/filter-aaaa/conf/good4.conf
View file

@ -1,15 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
filter-aaaa { 1.0.0.0/8; };
};

18
bin/tests/system/filter-aaaa/conf/good5.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 yes;
};
view myview {
filter-aaaa { 1.0.0.0/8; };
};

18
bin/tests/system/filter-aaaa/conf/good6.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa { 1.0.0.0/8; };
};
view myview {
filter-aaaa-on-v4 yes;
};

18
bin/tests/system/filter-aaaa/conf/good7.conf
View file

@ -1,18 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
};
view myview {
filter-aaaa { 1.0.0.0/8; };
filter-aaaa-on-v4 yes;
};

19
bin/tests/system/filter-aaaa/conf/good8.conf
View file

@ -1,19 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
filter-aaaa-on-v4 no;
};
view myview {
filter-aaaa { 1.0.0.0/8; };
filter-aaaa-on-v4 yes;
};

9
bin/tests/system/filter-aaaa/ns1/named1.conf.in
View file

@ -20,12 +20,15 @@ options {
recursion no;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.1; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
acl filterees { 10.53.0.1; };
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 yes;
filter-aaaa { filterees; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns1/named2.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion no;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::1; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns2/named1.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion yes;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.2; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 yes;
filter-aaaa { 10.53.0.2; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns2/named2.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion yes;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::2; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v6 yes;
filter-aaaa { fd92:7065:b8e:ffff::2; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns3/named1.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion yes;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 10.53.0.3; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 10.53.0.3; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns3/named2.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion yes;
dnssec-validation yes;
notify yes;
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::3; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::3; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns4/named1.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion no;
dnssec-validation no;
notify yes;
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 10.53.0.4; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { 10.53.0.4; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns4/named2.conf.in
View file

@ -20,12 +20,13 @@ options {
recursion no;
dnssec-validation no;
notify yes;
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::4; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v6 break-dnssec;
filter-aaaa { fd92:7065:b8e:ffff::4; };
};
key rndc_key {
secret "1234abcd8765";

7
bin/tests/system/filter-aaaa/ns5/named.conf.in
View file

@ -25,12 +25,13 @@ options {
exclude { any; };
mapped { any; };
};
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { any; };
minimal-responses no;
};
hook query "../../../../hooks/lib/filter-aaaa.so";
hook query "../../../../hooks/lib/filter-aaaa.so" {
filter-aaaa-on-v4 break-dnssec;
filter-aaaa { any; };
};
key rndc_key {
secret "1234abcd8765";

20
bin/tests/system/filter-aaaa/tests.sh
View file

@ -20,26 +20,6 @@ rm -f dig.out.*
DIGOPTS="+tcp +noadd +nosea +nostat +nocmd -p ${PORT}"
RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p ${CONTROLPORT} -s"
for conf in conf/good*.conf
do
n=`expr $n + 1`
echo_i "checking that $conf is accepted ($n)"
ret=0
$CHECKCONF "$conf" || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
done
for conf in conf/bad*.conf
do
n=`expr $n + 1`
echo_i "checking that $conf is rejected ($n)"
ret=0
$CHECKCONF "$conf" >/dev/null && ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
done
#
# Authoritative tests against:
# filter-aaaa-on-v4 yes;

103
lib/bind9/check.c
View file

@ -471,7 +471,7 @@ check_viewacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
static const char *acls[] = { "allow-query", "allow-query-on",
"allow-query-cache", "allow-query-cache-on",
"blackhole", "keep-response-order", "match-clients",
"match-destinations", "sortlist", "filter-aaaa", NULL };
"match-destinations", "sortlist", NULL };
while (acls[i] != NULL) {
tresult = checkacl(acls[i++], actx, NULL, voptions, config,
@ -789,102 +789,6 @@ check_recursionacls(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
return (result);
}
static isc_result_t
check_filteraaaa(cfg_aclconfctx_t *actx, const cfg_obj_t *voptions,
const char *viewname, const cfg_obj_t *config,
isc_log_t *logctx, isc_mem_t *mctx)
{
const cfg_obj_t *options, *aclobj, *obj;
dns_acl_t *acl = NULL;
isc_result_t result = ISC_R_SUCCESS;
dns_aaaa_t filter4, filter6;
const char *forview = " for view ";
if (viewname == NULL) {
viewname = "";
forview = "";
}
aclobj = options = NULL;
acl = NULL;
if (voptions != NULL)
cfg_map_get(voptions, "filter-aaaa", &aclobj);
if (config != NULL && aclobj == NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "filter-aaaa", &aclobj);
}
if (aclobj == NULL)
return (result);
result = cfg_acl_fromconfig(aclobj, config, logctx,
actx, mctx, 0, &acl);
if (result != ISC_R_SUCCESS)
goto failure;
obj = NULL;
if (voptions != NULL)
cfg_map_get(voptions, "filter-aaaa-on-v4", &obj);
if (obj == NULL && config != NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "filter-aaaa-on-v4", &obj);
}
if (obj == NULL)
filter4 = dns_aaaa_ok; /* default */
else if (cfg_obj_isboolean(obj))
filter4 = cfg_obj_asboolean(obj) ? dns_aaaa_filter :
dns_aaaa_ok;
else
filter4 = dns_aaaa_break_dnssec; /* break-dnssec */
obj = NULL;
if (voptions != NULL)
cfg_map_get(voptions, "filter-aaaa-on-v6", &obj);
if (obj == NULL && config != NULL) {
options = NULL;
cfg_map_get(config, "options", &options);
if (options != NULL)
cfg_map_get(options, "filter-aaaa-on-v6", &obj);
}
if (obj == NULL)
filter6 = dns_aaaa_ok; /* default */
else if (cfg_obj_isboolean(obj))
filter6 = cfg_obj_asboolean(obj) ? dns_aaaa_filter :
dns_aaaa_ok;
else
filter6 = dns_aaaa_break_dnssec; /* break-dnssec */
if ((filter4 != dns_aaaa_ok || filter6 != dns_aaaa_ok) &&
dns_acl_isnone(acl))
{
cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
"\"filter-aaaa\" is 'none;' but "
"either filter-aaaa-on-v4 or filter-aaaa-on-v6 "
"is enabled%s%s", forview, viewname);
result = ISC_R_FAILURE;
} else if (filter4 == dns_aaaa_ok && filter6 == dns_aaaa_ok &&
!dns_acl_isnone(acl))
{
cfg_obj_log(aclobj, logctx, ISC_LOG_WARNING,
"\"filter-aaaa\" is set but "
"neither filter-aaaa-on-v4 or filter-aaaa-on-v6 "
"is enabled%s%s", forview, viewname);
result = ISC_R_FAILURE;
}
failure:
if (acl != NULL)
dns_acl_detach(&acl);
return (result);
}
typedef struct {
const char *name;
unsigned int scale;
@ -3750,11 +3654,6 @@ check_viewconf(const cfg_obj_t *config, const cfg_obj_t *voptions,
if (tresult != ISC_R_SUCCESS)
result = tresult;
tresult = check_filteraaaa(actx, voptions, viewname, config,
logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;
tresult = check_dns64(actx, voptions, config, logctx, mctx);
if (tresult != ISC_R_SUCCESS)
result = tresult;

3
lib/dns/include/dns/view.h
View file

@ -179,9 +179,6 @@ struct dns_view {
uint16_t padding;
dns_acl_t * pad_acl;
unsigned int maxbits;
dns_aaaa_t v4_aaaa;
dns_aaaa_t v6_aaaa;
dns_acl_t * aaaa_acl;
dns_dns64list_t dns64;
unsigned int dns64cnt;
dns_rpz_zones_t *rpzs;

5
lib/dns/view.c
View file

@ -225,9 +225,6 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
view->padding = 0;
view->pad_acl = NULL;
view->maxbits = 0;
view->v4_aaaa = dns_aaaa_ok;
view->v6_aaaa = dns_aaaa_ok;
view->aaaa_acl = NULL;
view->rpzs = NULL;
view->catzs = NULL;
dns_fixedname_init(&view->dlv_fixed);
@ -457,8 +454,6 @@ destroy(dns_view_t *view) {
dns_acl_detach(&view->upfwdacl);
if (view->denyansweracl != NULL)
dns_acl_detach(&view->denyansweracl);
if (view->aaaa_acl != NULL)
dns_acl_detach(&view->aaaa_acl);
if (view->pad_acl != NULL)
dns_acl_detach(&view->pad_acl);
if (view->answeracl_exclude != NULL)

10
lib/isccfg/include/isccfg/grammar.h
View file

@ -301,8 +301,10 @@ LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_qstring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_astring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_ustring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sstring;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bracketed_aml;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_bracketed_text;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_optional_bracketed_text;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_keyref;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddr;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_sockaddrdscp;
LIBISCCFG_EXTERNAL_DATA extern cfg_type_t cfg_type_netaddr;
@ -433,6 +435,14 @@ cfg_parse_enum(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
void
cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type);
isc_result_t
cfg_parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype, cfg_obj_t **ret);
void
cfg_doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype);
void
cfg_print_chars(cfg_printer_t *pctx, const char *text, int len);
/*%< Print 'len' characters at 'text' */

226
lib/isccfg/namedconf.c
View file

@ -49,14 +49,6 @@
* Forward declarations of static functions.
*/
static isc_result_t
parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype, cfg_obj_t **ret);
static void
doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype);
static isc_result_t
parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret);
@ -94,8 +86,6 @@ doc_geoip(cfg_printer_t *pctx, const cfg_type_t *type);
#endif /* HAVE_GEOIP */
static cfg_type_t cfg_type_acl;
static cfg_type_t cfg_type_addrmatchelt;
static cfg_type_t cfg_type_bracketed_aml;
static cfg_type_t cfg_type_bracketed_dscpsockaddrlist;
static cfg_type_t cfg_type_bracketed_namesockaddrkeylist;
static cfg_type_t cfg_type_bracketed_netaddrlist;
@ -108,7 +98,6 @@ static cfg_type_t cfg_type_dlz;
static cfg_type_t cfg_type_dnstap;
static cfg_type_t cfg_type_dnstapoutput;
static cfg_type_t cfg_type_dyndb;
static cfg_type_t cfg_type_filter_aaaa;
static cfg_type_t cfg_type_hook;
static cfg_type_t cfg_type_ixfrdifftype;
static cfg_type_t cfg_type_key;
@ -121,7 +110,6 @@ static cfg_type_t cfg_type_masterselement;
static cfg_type_t cfg_type_maxttl;
static cfg_type_t cfg_type_minimal;
static cfg_type_t cfg_type_nameportiplist;
static cfg_type_t cfg_type_negated;
static cfg_type_t cfg_type_notifytype;
static cfg_type_t cfg_type_optional_allow;
static cfg_type_t cfg_type_optional_class;
@ -607,11 +595,11 @@ static cfg_type_t cfg_type_updatemethod = {
static const char *zonestat_enums[] = { "full", "terse", "none", NULL };
static isc_result_t
parse_zonestat(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_zonestat(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_zonestat = {
"zonestat", parse_zonestat, cfg_print_ustring, doc_zonestat,
@ -952,7 +940,7 @@ static isc_result_t
parse_optional_enum(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
return (parse_enum_or_other(pctx, type, &cfg_type_void, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_void, ret));
}
static void
@ -1909,9 +1897,9 @@ view_clauses[] = {
{ "fetch-quota-params", &cfg_type_fetchquota, 0 },
{ "fetches-per-server", &cfg_type_fetchesper, 0 },
{ "fetches-per-zone", &cfg_type_fetchesper, 0 },
{ "filter-aaaa", &cfg_type_bracketed_aml, 0 },
{ "filter-aaaa-on-v4", &cfg_type_filter_aaaa, 0 },
{ "filter-aaaa-on-v6", &cfg_type_filter_aaaa, 0 },
{ "filter-aaaa", &cfg_type_bracketed_aml, CFG_CLAUSEFLAG_OBSOLETE },
{ "filter-aaaa-on-v4", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "filter-aaaa-on-v6", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE },
{ "glue-cache", &cfg_type_boolean, 0 },
{ "ixfr-from-differences", &cfg_type_ixfrdifftype, 0 },
{ "lame-ttl", &cfg_type_ttlval, 0 },
@ -2495,11 +2483,11 @@ static const char *printtime_enums[] = {
};
static isc_result_t
parse_printtime(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_printtime(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_printtime = {
"printtime", parse_printtime, cfg_print_ustring, doc_printtime,
@ -2715,12 +2703,12 @@ static cfg_type_t cfg_type_sizeval = {
static isc_result_t
parse_size(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_sizeval, ret));
}
static void
doc_size(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_sizeval);
cfg_doc_enum_or_other(pctx, type, &cfg_type_sizeval);
}
static const char *size_enums[] = { "default", "unlimited", NULL };
@ -2754,13 +2742,18 @@ static isc_result_t
parse_size_or_percent(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
return (parse_enum_or_other(pctx, type, &cfg_type_sizeval_percent,
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_sizeval_percent,
ret));
}
static void
doc_parse_size_or_percent(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_sizeval_percent);
UNUSED(type);
cfg_print_cstr(pctx, "( default | unlimited | ");
cfg_doc_terminal(pctx, &cfg_type_sizeval);
cfg_print_cstr(pctx, " | ");
cfg_doc_terminal(pctx, &cfg_type_percentage);
cfg_print_cstr(pctx, " )");
}
static const char *sizeorpercent_enums[] = { "default", "unlimited", NULL };
@ -2801,59 +2794,6 @@ parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type,
return (result);
}
static isc_result_t
parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype, cfg_obj_t **ret)
{
isc_result_t result;
CHECK(cfg_peektoken(pctx, 0));
if (pctx->token.type == isc_tokentype_string &&
cfg_is_enum(TOKEN_STRING(pctx), enumtype->of)) {
CHECK(cfg_parse_enum(pctx, enumtype, ret));
} else {
CHECK(cfg_parse_obj(pctx, othertype, ret));
}
cleanup:
return (result);
}
static void
doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype)
{
const char * const *p;
bool first = true;
/*
* If othertype is cfg_type_void, it means that enumtype is
* optional.
*/
if (othertype == &cfg_type_void)
cfg_print_cstr(pctx, "[ ");
cfg_print_cstr(pctx, "( ");
for (p = enumtype->of; *p != NULL; p++) {
if (!first)
cfg_print_cstr(pctx, " | ");
first = false;
cfg_print_cstr(pctx, *p);
}
if (othertype == &cfg_type_sizeval_percent) {
if (!first)
cfg_print_cstr(pctx, " | ");
cfg_doc_terminal(pctx, &cfg_type_sizeval);
cfg_print_cstr(pctx, " | ");
cfg_doc_terminal(pctx, &cfg_type_percentage);
} else if (othertype != &cfg_type_void) {
if (!first)
cfg_print_cstr(pctx, " | ");
cfg_doc_terminal(pctx, othertype);
}
cfg_print_cstr(pctx, " )");
if (othertype == &cfg_type_void)
cfg_print_cstr(pctx, " ]");
}
static isc_result_t
parse_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_maybe_optional_keyvalue(pctx, type, false, ret));
@ -2899,11 +2839,11 @@ static isc_result_t
parse_dialup_type(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_dialup_type(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_dialuptype = {
"dialuptype", parse_dialup_type, cfg_print_ustring, doc_dialup_type,
@ -2915,11 +2855,11 @@ static isc_result_t
parse_notify_type(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_notify_type(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_notifytype = {
"notifytype", parse_notify_type, cfg_print_ustring, doc_notify_type,
@ -2929,11 +2869,11 @@ static cfg_type_t cfg_type_notifytype = {
static const char *minimal_enums[] = { "no-auth", "no-auth-recursive", NULL };
static isc_result_t
parse_minimal(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_minimal(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_minimal = {
"mimimal", parse_minimal, cfg_print_ustring, doc_minimal,
@ -2947,32 +2887,17 @@ static isc_result_t
parse_ixfrdiff_type(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_ixfrdiff_type(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
cfg_doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_ixfrdifftype = {
"ixfrdiff", parse_ixfrdiff_type, cfg_print_ustring, doc_ixfrdiff_type,
&cfg_rep_string, ixfrdiff_enums,
};
static const char *filter_aaaa_enums[] = { "break-dnssec", NULL };
static isc_result_t
parse_filter_aaaa(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_boolean, ret));
}
static void
doc_filter_aaaa(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_boolean);
}
static cfg_type_t cfg_type_filter_aaaa = {
"filter_aaaa", parse_filter_aaaa, cfg_print_ustring,
doc_filter_aaaa, &cfg_rep_string, filter_aaaa_enums,
};
static keyword_type_t key_kw = { "key", &cfg_type_astring };
LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_keyref = {
@ -3419,99 +3344,6 @@ static cfg_type_t cfg_type_querysource = {
"querysource", NULL, print_querysource, NULL, &cfg_rep_sockaddr, NULL
};
/*% addrmatchelt */
static isc_result_t
parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
UNUSED(type);
CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
if (pctx->token.type == isc_tokentype_string ||
pctx->token.type == isc_tokentype_qstring) {
if (pctx->token.type == isc_tokentype_string &&
(strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
} else if (pctx->token.type == isc_tokentype_string &&
(strcasecmp(TOKEN_STRING(pctx), "geoip") == 0)) {
#ifdef HAVE_GEOIP
CHECK(cfg_gettoken(pctx, 0));
CHECK(cfg_parse_obj(pctx, &cfg_type_geoip, ret));
#else
cfg_parser_error(pctx, CFG_LOG_NEAR, "'geoip' "
"not supported in this build");
return (ISC_R_UNEXPECTEDTOKEN);
#endif
} else {
if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
CFG_ADDR_V4PREFIXOK |
CFG_ADDR_V6OK))
{
CHECK(cfg_parse_netprefix(pctx, NULL, ret));
} else {
CHECK(cfg_parse_astring(pctx, NULL, ret));
}
}
} else if (pctx->token.type == isc_tokentype_special) {
if (pctx->token.value.as_char == '{') {
/* Nested match list. */
CHECK(cfg_parse_obj(pctx,
&cfg_type_bracketed_aml, ret));
} else if (pctx->token.value.as_char == '!') {
CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
} else {
goto bad;
}
} else {
bad:
cfg_parser_error(pctx, CFG_LOG_NEAR,
"expected IP match list element");
return (ISC_R_UNEXPECTEDTOKEN);
}
cleanup:
return (result);
}
/*%
* A negated address match list element (like "! 10.0.0.1").
* Somewhat sneakily, the caller is expected to parse the
* "!", but not to print it.
*/
static cfg_tuplefielddef_t negated_fields[] = {
{ "negated", &cfg_type_addrmatchelt, 0 },
{ NULL, NULL, 0 }
};
static void
print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
cfg_print_cstr(pctx, "!");
cfg_print_tuple(pctx, obj);
}
static cfg_type_t cfg_type_negated = {
"negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
&negated_fields
};
/*% An address match list element */
static cfg_type_t cfg_type_addrmatchelt = {
"address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
NULL, NULL
};
/*% A bracketed address match list */
static cfg_type_t cfg_type_bracketed_aml = {
"bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
};
/*%
* The socket address syntax in the "controls" statement is silly.
* It allows both socket address families, but also allows "*",
@ -3656,12 +3488,12 @@ static isc_result_t
parse_logversions(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
return (parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_uint32, ret));
}
static void
doc_logversions(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_uint32);
cfg_doc_enum_or_other(pctx, type, &cfg_type_uint32);
}
static cfg_type_t cfg_type_logversions = {
@ -4070,12 +3902,12 @@ static cfg_type_t cfg_type_ttlval = {
static isc_result_t
parse_maxttl(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) {
return (parse_enum_or_other(pctx, type, &cfg_type_ttlval, ret));
return (cfg_parse_enum_or_other(pctx, type, &cfg_type_ttlval, ret));
}
static void
doc_maxttl(cfg_printer_t *pctx, const cfg_type_t *type) {
doc_enum_or_other(pctx, type, &cfg_type_ttlval);
cfg_doc_enum_or_other(pctx, type, &cfg_type_ttlval);
}
/*%

148
lib/isccfg/parser.c
View file

@ -1192,6 +1192,58 @@ cfg_doc_enum(cfg_printer_t *pctx, const cfg_type_t *type) {
cfg_print_cstr(pctx, " )");
}
isc_result_t
cfg_parse_enum_or_other(cfg_parser_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype, cfg_obj_t **ret)
{
isc_result_t result;
CHECK(cfg_peektoken(pctx, 0));
if (pctx->token.type == isc_tokentype_string &&
cfg_is_enum(TOKEN_STRING(pctx), enumtype->of))
{
CHECK(cfg_parse_enum(pctx, enumtype, ret));
} else {
CHECK(cfg_parse_obj(pctx, othertype, ret));
}
cleanup:
return (result);
}
void
cfg_doc_enum_or_other(cfg_printer_t *pctx, const cfg_type_t *enumtype,
const cfg_type_t *othertype)
{
const char * const *p;
bool first = true;
/*
* If othertype is cfg_type_void, it means that enumtype is
* optional.
*/
if (othertype == &cfg_type_void) {
cfg_print_cstr(pctx, "[ ");
}
cfg_print_cstr(pctx, "( ");
for (p = enumtype->of; *p != NULL; p++) {
if (!first) {
cfg_print_cstr(pctx, " | ");
}
first = false;
cfg_print_cstr(pctx, *p);
}
if (othertype != &cfg_type_void) {
if (!first) {
cfg_print_cstr(pctx, " | ");
}
cfg_doc_terminal(pctx, othertype);
}
cfg_print_cstr(pctx, " )");
if (othertype == &cfg_type_void) {
cfg_print_cstr(pctx, " ]");
}
}
void
cfg_print_ustring(cfg_printer_t *pctx, const cfg_obj_t *obj) {
REQUIRE(pctx != NULL);
@ -1274,6 +1326,101 @@ LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bracketed_text = {
&cfg_rep_string, NULL
};
/*%
* A bracketed address match list
*/
static cfg_type_t cfg_type_addrmatchelt;
static cfg_type_t cfg_type_negated;
static isc_result_t
parse_addrmatchelt(cfg_parser_t *pctx, const cfg_type_t *type,
cfg_obj_t **ret)
{
isc_result_t result;
UNUSED(type);
CHECK(cfg_peektoken(pctx, CFG_LEXOPT_QSTRING));
if (pctx->token.type == isc_tokentype_string ||
pctx->token.type == isc_tokentype_qstring) {
if (pctx->token.type == isc_tokentype_string &&
(strcasecmp(TOKEN_STRING(pctx), "key") == 0)) {
CHECK(cfg_parse_obj(pctx, &cfg_type_keyref, ret));
} else if (pctx->token.type == isc_tokentype_string &&
(strcasecmp(TOKEN_STRING(pctx), "geoip") == 0)) {
#ifdef HAVE_GEOIP
CHECK(cfg_gettoken(pctx, 0));
CHECK(cfg_parse_obj(pctx, &cfg_type_geoip, ret));
#else
cfg_parser_error(pctx, CFG_LOG_NEAR, "'geoip' "
"not supported in this build");
return (ISC_R_UNEXPECTEDTOKEN);
#endif
} else {
if (cfg_lookingat_netaddr(pctx, CFG_ADDR_V4OK |
CFG_ADDR_V4PREFIXOK |
CFG_ADDR_V6OK))
{
CHECK(cfg_parse_netprefix(pctx, NULL, ret));
} else {
CHECK(cfg_parse_astring(pctx, NULL, ret));
}
}
} else if (pctx->token.type == isc_tokentype_special) {
if (pctx->token.value.as_char == '{') {
/* Nested match list. */
CHECK(cfg_parse_obj(pctx,
&cfg_type_bracketed_aml, ret));
} else if (pctx->token.value.as_char == '!') {
CHECK(cfg_gettoken(pctx, 0)); /* read "!" */
CHECK(cfg_parse_obj(pctx, &cfg_type_negated, ret));
} else {
goto bad;
}
} else {
bad:
cfg_parser_error(pctx, CFG_LOG_NEAR,
"expected IP match list element");
return (ISC_R_UNEXPECTEDTOKEN);
}
cleanup:
return (result);
}
/*%
* A negated address match list element (like "! 10.0.0.1").
* Somewhat sneakily, the caller is expected to parse the
* "!", but not to print it.
*/
static cfg_tuplefielddef_t negated_fields[] = {
{ "negated", &cfg_type_addrmatchelt, 0 },
{ NULL, NULL, 0 }
};
static void
print_negated(cfg_printer_t *pctx, const cfg_obj_t *obj) {
cfg_print_cstr(pctx, "!");
cfg_print_tuple(pctx, obj);
}
static cfg_type_t cfg_type_negated = {
"negated", cfg_parse_tuple, print_negated, NULL, &cfg_rep_tuple,
&negated_fields
};
/*% An address match list element */
static cfg_type_t cfg_type_addrmatchelt = {
"address_match_element", parse_addrmatchelt, NULL, cfg_doc_terminal,
NULL, NULL
};
LIBISCCFG_EXTERNAL_DATA cfg_type_t cfg_type_bracketed_aml = {
"bracketed_aml", cfg_parse_bracketed_list, cfg_print_bracketed_list,
cfg_doc_bracketed_list, &cfg_rep_list, &cfg_type_addrmatchelt
};
/*
* Optional bracketed text
*/
@ -2045,6 +2192,7 @@ static struct flagtext {
{ CFG_CLAUSEFLAG_MULTI, "may occur multiple times" },
{ CFG_CLAUSEFLAG_EXPERIMENTAL, "experimental" },
{ CFG_CLAUSEFLAG_NOOP, "non-operational" },
{ CFG_CLAUSEFLAG_DEPRECATED, "deprecated" },
{ 0, NULL }
};

2
lib/isccfg/win32/libisccfg.def
View file

@ -14,6 +14,7 @@ cfg_create_obj
cfg_create_tuple
cfg_doc_bracketed_list
cfg_doc_enum
cfg_doc_enum_or_other
cfg_doc_map
cfg_doc_mapbody
cfg_doc_obj
@ -71,6 +72,7 @@ cfg_parse_buffer3
cfg_parse_buffer4
cfg_parse_dscp
cfg_parse_enum
cfg_parse_enum_or_other
cfg_parse_file
cfg_parse_fixedpoint
cfg_parse_listelt

6
lib/ns/hooks.c
View file

@ -330,6 +330,7 @@ unload_library(ns_hook_module_t **hmodp) {
isc_result_t
ns_hookmodule_load(const char *libname, const char *parameters,
const char *file, unsigned long line,
const void *cfg, void *actx,
ns_hookctx_t *hctx, ns_hooktable_t *hooktable)
{
isc_result_t result;
@ -342,8 +343,9 @@ ns_hookmodule_load(const char *libname, const char *parameters,
"loading module '%s'", libname);
CHECK(load_library(hctx->mctx, libname, &module));
CHECK(module->register_func(parameters, file, line, hctx,
hooktable, &module->inst));
CHECK(module->register_func(parameters, file, line,
cfg, actx, hctx, hooktable,
&module->inst));
APPEND(hook_modules, module, link);
result = ISC_R_SUCCESS;

3
lib/ns/include/ns/hooks.h
View file

@ -238,6 +238,8 @@ typedef struct ns_hookctx {
typedef isc_result_t ns_hook_register_t(const char *parameters,
const char *file,
unsigned long line,
const void *cfg,
void *actx,
ns_hookctx_t *hctx,
ns_hooktable_t *hooktable,
void **instp);
@ -312,6 +314,7 @@ ns_hook_destroyctx(ns_hookctx_t **hctxp);
isc_result_t
ns_hookmodule_load(const char *libname, const char *parameters,
const char *file, unsigned long line,
const void *cfg, void *actx,
ns_hookctx_t *hctx, ns_hooktable_t *hooktable);
void
ns_hookmodule_cleanup(void);

12
lib/ns/query.c
View file

@ -6961,8 +6961,6 @@ query_respond(query_ctx_t *qctx) {
dns_rdataset_t **sigrdatasetp = NULL;
isc_result_t result;
PROCESS_HOOK(NS_QUERY_RESPOND_BEGIN, qctx);
/*
* If we have a zero ttl from the cache, refetch.
*/
@ -7016,6 +7014,16 @@ query_respond(query_ctx_t *qctx) {
return (query_lookup(qctx));
}
/*
* XXX: This hook is meant to be at the top of this function,
* but is postponed until after DNS64 in order to avoid an
* assertion if the hook causes recursion. (When DNS64 also
* becomes a hook module, it will be necessary to find some
* other way to prevent that assertion, since the order in
* which hook modules are configured can't be enforced.)
*/
PROCESS_HOOK(NS_QUERY_RESPOND_BEGIN, qctx);
if (WANTDNSSEC(qctx->client) && qctx->sigrdataset != NULL) {
sigrdatasetp = &qctx->sigrdataset;
}