
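--- a/daemon/acl_list.c
+++ b/daemon/acl_list.c
@@ -103,6 +103,10 @@
 		control = acl_deny;
 	else if(strcmp(s2, "refuse") == 0)
 		control = acl_refuse;
+	else if(strcmp(s2, "deny_non_local") == 0)
+		control = acl_deny_non_local;
+	else if(strcmp(s2, "refuse_non_local") == 0)
+		control = acl_refuse_non_local;
 	else if(strcmp(s2, "allow_snoop") == 0)
 		control = acl_allow_snoop;
 	else {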
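Review bot: The keyword-to-enum chain here must now agree with the keyword validation in util/configparser.y, and the commit extends both lists by hand; a single shared table of (string, enum value) consulted from both places would make it harder to add a future action on one side and forget the other. The enclosing function starts and ends outside this hunk, so I cannot see what the final `else` does with an unknown string, but with a shared table that branch would be the only place an unrecognised action is rejected. As a minimum, a comment on the chain such as `/* keep in sync with the access_control check in util/configparser.y */` would record the coupling.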
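--- a/daemon/acl_list.h
+++ b/daemon/acl_list.h
@@ -55,6 +55,10 @@
 	acl_deny = 0,
 	/** disallow access, send a polite 'REFUSED' reply */
 	acl_refuse,
+	/** disallow any access to zones that aren't local, drop it */
+	acl_deny_non_local,
+	/** disallow access to zones that aren't local, 'REFUSED' reply */
+	acl_refuse_non_local,
 	/** allow full access for recursion (+RD) queries */
 	acl_allow,
 	/** allow full access for all queries, recursion and cache snooping */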
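Review bot: Inserting acl_deny_non_local and acl_refuse_non_local before acl_allow renumbers acl_allow and acl_allow_snoop, since only acl_deny carries an explicit value. That is harmless as long as nothing compares acl_access values by order or stores them outside the process; I cannot see such a use from this page, but if the ordering is meant to carry no meaning a comment on the enum, `/* values are not ordered; compare only for equality */`, would make that explicit. If some caller does rely on the order (a `>= acl_allow` style test, for example), the new values would have to be appended at the end instead.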
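--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -718,31 +718,17 @@
 	return 0;
 }
 
 int
-worker_handle_request(struct comm_point* c, void* arg, int error,
-	struct comm_reply* repinfo)
-{
-	struct worker* worker = (struct worker*)arg;
-	int ret;
-	hashvalue_t h;
-	struct lruhash_entry* e;
-	struct query_info qinfo;
-	struct edns_data edns;
-	enum acl_access acl;
-
-	if(error != NETEVENT_NOERROR) {
-		/* some bad tcp query DNS formats give these error calls */
-		verbose(VERB_ALGO, "handle request called with err=%d", error);
-		return 0;
-	}
-	acl = acl_list_lookup(worker->daemon->acl, &repinfo->addr, 
-		repinfo->addrlen);
-	if(acl == acl_deny) {
+deny_refuse(struct comm_point* c, enum acl_access acl,
+	enum acl_access deny, enum acl_access refuse,
+	struct worker* worker, struct comm_reply* repinfo)
+{
+	if(acl == deny) {
 		comm_point_drop_reply(repinfo);
 		if(worker->stats.extended)
 			worker->stats.unwanted_queries++;
 		return 0;
-	} else if(acl == acl_refuse) {
+	} else if(acl == refuse) {
 		log_addr(VERB_ALGO, "refused query from",
 			&repinfo->addr, repinfo->addrlen);
 		log_buf(VERB_ALGO, "refuse", c->buffer);
@@ -760,6 +746,47 @@
 			LDNS_RCODE_REFUSED);
 		return 1;
 	}
+
+	return -1;
+}
+
+int
+deny_refuse_all(struct comm_point* c, enum acl_access acl,
+	struct worker* worker, struct comm_reply* repinfo)
+{
+	return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo);
+}
+
+int
+deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
+	struct worker* worker, struct comm_reply* repinfo)
+{
+	return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo);
+}
+
+int 
+worker_handle_request(struct comm_point* c, void* arg, int error,
+	struct comm_reply* repinfo)
+{
+	struct worker* worker = (struct worker*)arg;
+	int ret;
+	hashvalue_t h;
+	struct lruhash_entry* e;
+	struct query_info qinfo;
+	struct edns_data edns;
+	enum acl_access acl;
+
+	if(error != NETEVENT_NOERROR) {
+		/* some bad tcp query DNS formats give these error calls */
+		verbose(VERB_ALGO, "handle request called with err=%d", error);
+		return 0;
+	}
+	acl = acl_list_lookup(worker->daemon->acl, &repinfo->addr, 
+		repinfo->addrlen);
+	if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
+	{
+		return ret;
+	}
 	if((ret=worker_check_request(c->buffer, worker)) != 0) {
 		verbose(VERB_ALGO, "worker check request: bad query.");
 		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
@@ -872,6 +899,16 @@
 		server_stats_insrcode(&worker->stats, c->buffer);
 		return 1;
 	}
+
+	/* We've looked in our local zones. If the answer isn't there, we
+	 * might need to bail out based on ACLs now. */
+	if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
+	{
+		return ret;
+	}
+
+	/* If this request does not have the recursion bit set, verify
+	 * ACLs allow the snooping. */
 	if(!(LDNS_RD_WIRE(ldns_buffer_begin(c->buffer))) &&
 		acl != acl_allow_snoop ) {
 		ldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);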
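Review bot: deny_refuse, deny_refuse_all and deny_refuse_non_local are new file-local helpers but are defined without `static`, so they get external linkage; `static int` on the three definitions (new lines 721, 753 and 760) keeps them out of the global namespace, which is how other worker.c internals should be treated. The -1 / 0 / 1 return contract that worker_handle_request tests at new lines 786 and 905 is also undocumented; a comment above deny_refuse along the lines of `/* Apply the deny/refuse ACL actions; returns -1 if acl is neither, else the value worker_handle_request should return (0 = dropped, 1 = reply prepared). */` would tie the sentinel to both callers. The middle of deny_refuse, between the log_buf call and the REFUSED reply, lies outside the first hunk, so I cannot check whether the refuse path updates statistics the way the deny path does. Finally, `!= -1)` followed by `{` on its own line at 787 and 906 departs from the `if(...) {` layout used in the rest of the function.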
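--- a/util/configparser.y
+++ b/util/configparser.y
@@ -865,9 +865,12 @@
 	{
 		OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
 		if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
+			strcmp($3, "deny_non_local")!=0 &&
+			strcmp($3, "refuse_non_local")!=0 &&
 			strcmp($3, "allow")!=0 && 
 			strcmp($3, "allow_snoop")!=0) {
-			yyerror("expected deny, refuse, allow or allow_snoop "
+			yyerror("expected deny, refuse, deny_non_local, "
+				"refuse_non_local, allow or allow_snoop "
 				"in access control action");
 		} else {
 			if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))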
