ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

[v9_10] fixed geoip elements in named ACLs

Browse Source 
3835.	[bug]		Geoip ACL elements didn't work correctly when
                        referenced via named or nested ACLs. [RT #35879]

(cherry picked from commit c0c4512020)
This commit is contained in:
Evan Hunt
2014-04-30 20:23:38 -07:00
parent d79492c45c
commit 4266ef751e
5 changed files with 179 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGES
View File

@@ -1,3 +1,6 @@
3835. [bug] Geoip ACL elements didn't work correctly when
referenced via named or nested ACLs. [RT #35879]
3834. [bug] The re-signing heaps were not being updated soon enough
leading to multiple re-generations of the same RRSIG
when a zone transfer was in progress. [RT #35273]

112
bin/tests/system/geoip/ns2/named13.conf Normal file
View File

@@ -0,0 +1,112 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};

43
bin/tests/system/geoip/tests.sh
View File

@@ -25,7 +25,7 @@ rm -f dig.out.*
DIGOPTS="+tcp +short -p 5300 @10.53.0.2"
n=`expr $n + 1`
echo "I:checking GeoIP country database by code"
echo "I:checking GeoIP country database by code ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -44,7 +44,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP country database by three-letter code"
echo "I:checking GeoIP country database by three-letter code ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -63,7 +63,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP country database by name"
echo "I:checking GeoIP country database by name ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -82,7 +82,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP region code, no specified database"
echo "I:checking GeoIP region code, no specified database ($n)"
ret=0
lret=0
# skipping 2 on purpose here; it has the same region code as 1
@@ -102,7 +102,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP region database by region name and country code"
echo "I:checking GeoIP region database by region name and country code ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -121,7 +121,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP city database by city name"
echo "I:checking GeoIP city database by city name ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -140,7 +140,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP isp database"
echo "I:checking GeoIP isp database ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -159,7 +159,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP org database"
echo "I:checking GeoIP org database ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -178,7 +178,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP asnum database"
echo "I:checking GeoIP asnum database ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP domain database"
echo "I:checking GeoIP domain database ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -216,7 +216,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database"
echo "I:checking GeoIP netspeed database ($n)"
ret=0
lret=0
for i in 1 2 3 4; do
@@ -235,12 +235,31 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP blackhole ACL"
echo "I:checking GeoIP blackhole ACL ($n)"
ret=0
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n || ret=1
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.test$n || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP country database by code (using nested ACLs) ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:exit status: $status"
exit $status

6
lib/dns/acl.c
View File

@@ -337,6 +337,12 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
return result;
}
/* Duplicate GeoIP data */
if (source->elements[i].type == dns_aclelementtype_geoip) {
dest->elements[nelem + i].geoip_elem =
source->elements[i].geoip_elem;
}
/* reverse sense of positives if this is a negative acl */
if (!pos && source->elements[i].negative == ISC_FALSE) {
dest->elements[nelem + i].negative = ISC_TRUE;

47
lib/isccfg/aclconf.c
View File

@@ -456,12 +456,17 @@ geoip_can_answer(dns_aclelement_t *elt, cfg_aclconfctx_t *ctx) {
static isc_result_t
parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
cfg_aclconfctx_t *ctx, dns_aclelement_t *de)
cfg_aclconfctx_t *ctx, dns_aclelement_t *dep)
{
const cfg_obj_t *ge;
const char *dbname = NULL;
const char *stype, *search;
dns_geoip_subtype_t subtype;
dns_aclelement_t de;
REQUIRE(dep != NULL);
de = *dep;
ge = cfg_tuple_get(obj, "db");
if (!cfg_obj_isvoid(ge))
@@ -473,71 +478,73 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) {
/* Two-letter country code */
subtype = dns_geoip_countrycode;
strncpy(de->geoip_elem.as_string, search, 2);
strncpy(de.geoip_elem.as_string, search, 2);
} else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) {
/* Three-letter country code */
subtype = dns_geoip_countrycode3;
strncpy(de->geoip_elem.as_string, search, 3);
strncpy(de.geoip_elem.as_string, search, 3);
} else if (strcasecmp(stype, "country") == 0) {
/* Country name */
subtype = dns_geoip_countryname;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) {
/* Two-letter region code */
subtype = dns_geoip_region;
strncpy(de->geoip_elem.as_string, search, 2);
strncpy(de.geoip_elem.as_string, search, 2);
} else if (strcasecmp(stype, "region") == 0) {
/* Region name */
subtype = dns_geoip_regionname;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "city") == 0) {
/* City name */
subtype = dns_geoip_city_name;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) {
subtype = dns_geoip_city_postalcode;
strncpy(de->geoip_elem.as_string, search, 6);
de->geoip_elem.as_string[6] = '\0';
strncpy(de.geoip_elem.as_string, search, 6);
de.geoip_elem.as_string[6] = '\0';
} else if (strcasecmp(stype, "metro") == 0) {
subtype = dns_geoip_city_metrocode;
de->geoip_elem.as_int = atoi(search);
de.geoip_elem.as_int = atoi(search);
} else if (strcasecmp(stype, "area") == 0) {
subtype = dns_geoip_city_areacode;
de->geoip_elem.as_int = atoi(search);
de.geoip_elem.as_int = atoi(search);
} else if (strcasecmp(stype, "tz") == 0) {
subtype = dns_geoip_city_timezonecode;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) {
/* Two-letter continent code */
subtype = dns_geoip_city_continentcode;
strncpy(de->geoip_elem.as_string, search, 2);
strncpy(de.geoip_elem.as_string, search, 2);
} else if (strcasecmp(stype, "isp") == 0) {
subtype = dns_geoip_isp_name;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "asnum") == 0) {
subtype = dns_geoip_as_asnum;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "org") == 0) {
subtype = dns_geoip_org_name;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "domain") == 0) {
subtype = dns_geoip_domain_name;
strncpy(de->geoip_elem.as_string, search, 255);
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "netspeed") == 0) {
subtype = dns_geoip_netspeed_id;
de->geoip_elem.as_int = atoi(search);
de.geoip_elem.as_int = atoi(search);
} else
INSIST(0);
de->geoip_elem.subtype = get_subtype(obj, lctx, subtype, dbname);
de.geoip_elem.subtype = get_subtype(obj, lctx, subtype, dbname);
if (! geoip_can_answer(de, ctx)) {
if (! geoip_can_answer(&de, ctx)) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"no GeoIP database installed which can answer "
"queries of type '%s'", stype);
return (ISC_R_FAILURE);
}
*dep = de;
return (ISC_R_SUCCESS);
}
#endif