upstream/knot-dns
1
0
Fork 0
mirror of https://gitlab.nic.cz/knot/knot-dns.git synced 2026-05-28 04:02:31 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

acl: add auto full prefix

Browse source
This commit is contained in:
Daniel Salzman 2015-06-11 16:06:47 +02:00
parent 5e1e83ce1e
commit 6a2c8ff032
6 changed files with 22 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
src/knot/conf/conf.c
View file

@ -474,7 +474,7 @@ struct sockaddr_storage conf_addr(
struct sockaddr_storage conf_net(
conf_val_t *val,
unsigned *prefix_length)
int *prefix_length)
{
assert(val != NULL && val->item != NULL && prefix_length != NULL);
assert(val->item->type == YP_TNET ||
@ -484,18 +484,8 @@ struct sockaddr_storage conf_net(
struct sockaddr_storage out = { AF_UNSPEC };
if (val->code == KNOT_EOK) {
int prefix;
conf_db_val(val);
out = yp_addr(val->data, val->len, &prefix);
if (prefix != -1) {
*prefix_length = prefix;
} else {
if (out.ss_family == AF_INET) {
*prefix_length = IPV4_PREFIXLEN;
} else if (out.ss_family == AF_INET6) {
*prefix_length = IPV6_PREFIXLEN;
}
}
out = yp_addr(val->data, val->len, prefix_length);
} else {
*prefix_length = 0;
}

2
src/knot/conf/conf.h
View file

@ -228,7 +228,7 @@ struct sockaddr_storage conf_addr(
struct sockaddr_storage conf_net(
conf_val_t *val,
unsigned *prefix_length
int *prefix_length
);
char* conf_abs_path(

2
src/knot/modules/synth_record.c
View file

@ -86,7 +86,7 @@ typedef struct synth_template {
char *zone;
uint32_t ttl;
struct sockaddr_storage addr;
unsigned mask;
int mask;
} synth_template_t;
/*! \brief Substitute all occurences of given character. */

16
src/knot/updates/acl.c
View file

@ -40,7 +40,7 @@ static const uint8_t* ipv6_addr(const struct sockaddr_storage *ss) {
bool netblock_match(const struct sockaddr_storage *ss1,
const struct sockaddr_storage *ss2,
unsigned prefix)
int prefix)
{
if (ss1 == NULL || ss2 == NULL) {
return false;
@ -55,12 +55,20 @@ bool netblock_match(const struct sockaddr_storage *ss1,
case AF_INET:
addr1 = ipv4_addr(ss1);
addr2 = ipv4_addr(ss2);
prefix = prefix > IPV4_PREFIXLEN ? IPV4_PREFIXLEN : prefix;
if (prefix < 0) {
prefix = IPV4_PREFIXLEN;
} else if (prefix > IPV4_PREFIXLEN) {
prefix = IPV4_PREFIXLEN;
}
break;
case AF_INET6:
addr1 = ipv6_addr(ss1);
addr2 = ipv6_addr(ss2);
prefix = prefix > IPV6_PREFIXLEN ? IPV6_PREFIXLEN : prefix;
if (prefix < 0) {
prefix = IPV6_PREFIXLEN;
} else if (prefix > IPV6_PREFIXLEN) {
prefix = IPV6_PREFIXLEN;
}
break;
default:
return false;
@ -101,7 +109,7 @@ bool acl_allowed(conf_val_t *acl, acl_action_t action,
/* Check if the address matches the current acl address list. */
val = conf_id_get(conf(), C_ACL, C_ADDR, acl);
while (val.code == KNOT_EOK) {
unsigned prefix;
int prefix;
struct sockaddr_storage ss;
ss = conf_net(&val, &prefix);
if (!netblock_match(addr, &ss, prefix)) {

4
src/knot/updates/acl.h
View file

@ -44,11 +44,11 @@ typedef enum {
*
* \param ss1 First address storage.
* \param ss2 Second address storage.
* \param prefix Netblock length.
* \param prefix Netblock length (negative value for maximum prefix length).
*/
bool netblock_match(const struct sockaddr_storage *ss1,
const struct sockaddr_storage *ss2,
unsigned prefix);
int prefix);
/*!
* \brief Checks if the address and/or tsig key matches given ACL list.

4
tests/acl.c
View file

@ -53,6 +53,8 @@ static void test_netblock_match(void)
ret = netblock_match(&ref4, NULL, 32);
ok(ret == false, "match: NULL second parameter");
ret = netblock_match(&ref4, &ref4, -1);
ok(ret == true, "match: ipv4 - identity, auto full prefix");
ret = netblock_match(&ref4, &ref4, 31);
ok(ret == true, "match: ipv4 - identity, subnet");
ret = netblock_match(&ref4, &ref4, 32);
@ -60,6 +62,8 @@ static void test_netblock_match(void)
ret = netblock_match(&ref4, &ref4, 33);
ok(ret == true, "match: ipv4 - identity, prefix overflow");
ret = netblock_match(&ref6, &ref6, -1);
ok(ret == true, "match: ipv6 - identity, auto full prefix");
ret = netblock_match(&ref6, &ref6, 127);
ok(ret == true, "match: ipv6 - identity, subnet");
ret = netblock_match(&ref6, &ref6, 128);