From ad5bc22a819190839bdcc4d102d023782dc23660 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 11 Jan 2005 03:46:11 +0000 Subject: [PATCH] 1797. [func] named-checkconf now check acls to verify that they only refer to existing acls. [RT #13101] --- CHANGES | 3 + bin/named/Makefile.in | 6 +- bin/named/controlconf.c | 17 +-- bin/named/include/named/control.h | 7 +- bin/named/include/named/zoneconf.h | 7 +- bin/named/server.c | 31 ++--- bin/named/zoneconf.c | 10 +- doc/arm/Bv9ARM-book.xml | 4 +- lib/bind9/check.c | 120 ++++++++++++++---- lib/isccfg/Makefile.in | 6 +- {bin/named => lib/isccfg}/aclconf.c | 45 ++++--- lib/isccfg/include/isccfg/Makefile.in | 4 +- .../isccfg/include/isccfg}/aclconf.h | 27 ++-- 13 files changed, 184 insertions(+), 103 deletions(-) rename {bin/named => lib/isccfg}/aclconf.c (85%) rename {bin/named/include/named => lib/isccfg/include/isccfg}/aclconf.h (79%) diff --git a/CHANGES b/CHANGES index d115593bec..b0dd6f8852 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +1797. [func] named-checkconf now check acls to verify that they + only refer to existing acls. [RT #13101] + 1796. [placeholder] rt12498 1795. [placeholder] rt13396 diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index 8d38e14137..3244c50c70 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.84 2004/09/06 21:53:34 marka Exp $ +# $Id: Makefile.in,v 1.85 2005/01/11 03:46:07 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -63,7 +63,7 @@ SUBDIRS = unix TARGETS = named@EXEEXT@ lwresd@EXEEXT@ -OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \ +OBJS = builtin.@O@ client.@O@ config.@O@ control.@O@ \ controlconf.@O@ interfacemgr.@O@ \ listenlist.@O@ log.@O@ logconf.@O@ main.@O@ notify.@O@ \ query.@O@ server.@O@ sortlist.@O@ \ @@ -75,7 +75,7 @@ OBJS = aclconf.@O@ builtin.@O@ client.@O@ config.@O@ control.@O@ \ UOBJS = unix/os.@O@ -SRCS = aclconf.c builtin.c client.c config.c control.c \ +SRCS = builtin.c client.c config.c control.c \ controlconf.c interfacemgr.c \ listenlist.c log.c logconf.c main.c notify.c \ query.c server.c sortlist.c \ diff --git a/bin/named/controlconf.c b/bin/named/controlconf.c index ce541e0201..a120a5aac9 100644 --- a/bin/named/controlconf.c +++ b/bin/named/controlconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: controlconf.c,v 1.40 2004/03/05 04:57:46 marka Exp $ */ +/* $Id: controlconf.c,v 1.41 2005/01/11 03:46:08 marka Exp $ */ #include @@ -915,7 +915,7 @@ static void update_listener(ns_controls_t *cp, controllistener_t **listenerp, cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr, - ns_aclconfctx_t *aclconfctx, const char *socktext) + cfg_aclconfctx_t *aclconfctx, const char *socktext) { controllistener_t *listener; cfg_obj_t *allow; @@ -995,8 +995,9 @@ update_listener(ns_controls_t *cp, */ if (control != NULL) { allow = cfg_tuple_get(control, "allow"); - result = ns_acl_fromconfig(allow, config, aclconfctx, - listener->mctx, &new_acl); + result = cfg_acl_fromconfig(allow, config, ns_g_lctx, + aclconfctx, listener->mctx, + &new_acl); } else { result = dns_acl_any(listener->mctx, &new_acl); } @@ -1018,7 +1019,7 @@ update_listener(ns_controls_t *cp, static void add_listener(ns_controls_t *cp, controllistener_t **listenerp, cfg_obj_t *control, cfg_obj_t *config, isc_sockaddr_t *addr, - ns_aclconfctx_t *aclconfctx, const char *socktext) + cfg_aclconfctx_t *aclconfctx, const char *socktext) { isc_mem_t *mctx = cp->server->mctx; controllistener_t *listener; @@ -1050,8 +1051,8 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, */ if (control != NULL) { allow = cfg_tuple_get(control, "allow"); - result = ns_acl_fromconfig(allow, config, aclconfctx, - mctx, &new_acl); + result = cfg_acl_fromconfig(allow, config, ns_g_lctx, + aclconfctx, mctx, &new_acl); } else { result = dns_acl_any(mctx, &new_acl); } @@ -1136,7 +1137,7 @@ add_listener(ns_controls_t *cp, controllistener_t **listenerp, isc_result_t ns_controls_configure(ns_controls_t *cp, cfg_obj_t *config, - ns_aclconfctx_t *aclconfctx) + cfg_aclconfctx_t *aclconfctx) { controllistener_t *listener; controllistenerlist_t new_listeners; diff --git a/bin/named/include/named/control.h b/bin/named/include/named/control.h index 8e2b2cdaf7..7d86365d7e 100644 --- a/bin/named/include/named/control.h +++ b/bin/named/include/named/control.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: control.h,v 1.16 2004/10/11 05:30:19 marka Exp $ */ +/* $Id: control.h,v 1.17 2005/01/11 03:46:09 marka Exp $ */ #ifndef NAMED_CONTROL_H #define NAMED_CONTROL_H 1 @@ -26,7 +26,8 @@ #include -#include +#include + #include #define NS_CONTROL_PORT 953 @@ -70,7 +71,7 @@ ns_controls_destroy(ns_controls_t **ctrlsp); isc_result_t ns_controls_configure(ns_controls_t *controls, cfg_obj_t *config, - ns_aclconfctx_t *aclconfctx); + cfg_aclconfctx_t *aclconfctx); /* * Configure zero or more command channels into 'controls' * as defined in the configuration parse tree 'config'. diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h index b2f9092e06..186f1d1532 100644 --- a/bin/named/include/named/zoneconf.h +++ b/bin/named/include/named/zoneconf.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.h,v 1.19 2004/03/05 04:57:57 marka Exp $ */ +/* $Id: zoneconf.h,v 1.20 2005/01/11 03:46:09 marka Exp $ */ #ifndef NS_ZONECONF_H #define NS_ZONECONF_H 1 @@ -23,15 +23,14 @@ #include #include +#include #include -#include - ISC_LANG_BEGINDECLS isc_result_t ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig, - ns_aclconfctx_t *ac, dns_zone_t *zone); + cfg_aclconfctx_t *ac, dns_zone_t *zone); /* * Configure or reconfigure a zone according to the named.conf * data in 'cctx' and 'czone'. diff --git a/bin/named/server.c b/bin/named/server.c index 4b22013393..f4c06d61e4 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.434 2004/12/21 10:45:15 jinmei Exp $ */ +/* $Id: server.c,v 1.435 2005/01/11 03:46:08 marka Exp $ */ #include @@ -165,11 +165,11 @@ ns_server_reload(isc_task_t *task, isc_event_t *event); static isc_result_t ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target); static isc_result_t ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target); static isc_result_t @@ -183,7 +183,7 @@ configure_alternates(cfg_obj_t *config, dns_view_t *view, static isc_result_t configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - ns_aclconfctx_t *aclconf); + cfg_aclconfctx_t *aclconf); static void end_reserved_dispatches(ns_server_t *server, isc_boolean_t all); @@ -195,7 +195,7 @@ end_reserved_dispatches(ns_server_t *server, isc_boolean_t all); */ static isc_result_t configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config, - const char *aclname, ns_aclconfctx_t *actx, + const char *aclname, cfg_aclconfctx_t *actx, isc_mem_t *mctx, dns_acl_t **aclp) { isc_result_t result; @@ -222,7 +222,8 @@ configure_view_acl(cfg_obj_t *vconfig, cfg_obj_t *config, */ return (ISC_R_SUCCESS); - result = ns_acl_fromconfig(aclobj, config, actx, mctx, aclp); + result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, + actx, mctx, aclp); return (result); } @@ -715,7 +716,7 @@ disable_algorithms(cfg_obj_t *disabled, dns_resolver_t *resolver) { */ static isc_result_t configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, - isc_mem_t *mctx, ns_aclconfctx_t *actx, + isc_mem_t *mctx, cfg_aclconfctx_t *actx, isc_boolean_t need_hints) { cfg_obj_t *maps[4]; @@ -1608,7 +1609,7 @@ create_view(cfg_obj_t *vconfig, dns_viewlist_t *viewlist, dns_view_t **viewp) { static isc_result_t configure_zone(cfg_obj_t *config, cfg_obj_t *zconfig, cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - ns_aclconfctx_t *aclconf) + cfg_aclconfctx_t *aclconf) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ @@ -2183,14 +2184,14 @@ load_configuration(const char *filename, ns_server_t *server, dns_view_t *view_next; dns_viewlist_t viewlist; dns_viewlist_t tmpviewlist; - ns_aclconfctx_t aclconfctx; + cfg_aclconfctx_t aclconfctx; isc_uint32_t interface_interval; isc_uint32_t heartbeat_interval; isc_uint32_t udpsize; in_port_t listen_port; int i; - ns_aclconfctx_init(&aclconfctx); + cfg_aclconfctx_init(&aclconfctx); ISC_LIST_INIT(viewlist); /* Ensure exclusive access to configuration data. */ @@ -2770,7 +2771,7 @@ load_configuration(const char *filename, ns_server_t *server, result = ISC_R_SUCCESS; cleanup: - ns_aclconfctx_destroy(&aclconfctx); + cfg_aclconfctx_destroy(&aclconfctx); if (parser != NULL) { if (config != NULL) @@ -3552,7 +3553,7 @@ ns_server_togglequerylog(ns_server_t *server) { static isc_result_t ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenlist_t **target) { isc_result_t result; @@ -3591,7 +3592,7 @@ ns_listenlist_fromconfig(cfg_obj_t *listenlist, cfg_obj_t *config, */ static isc_result_t ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config, - ns_aclconfctx_t *actx, + cfg_aclconfctx_t *actx, isc_mem_t *mctx, ns_listenelt_t **target) { isc_result_t result; @@ -3623,8 +3624,8 @@ ns_listenelt_fromconfig(cfg_obj_t *listener, cfg_obj_t *config, if (result != ISC_R_SUCCESS) return (result); - result = ns_acl_fromconfig(cfg_tuple_get(listener, "acl"), - config, actx, mctx, &delt->acl); + result = cfg_acl_fromconfig(cfg_tuple_get(listener, "acl"), + config, ns_g_lctx, actx, mctx, &delt->acl); if (result != ISC_R_SUCCESS) { ns_listenelt_destroy(delt); return (result); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 5d01470d3c..c9924c87b0 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zoneconf.c,v 1.116 2005/01/10 23:43:17 marka Exp $ */ +/* $Id: zoneconf.c,v 1.117 2005/01/11 03:46:08 marka Exp $ */ #include @@ -56,7 +56,7 @@ */ static isc_result_t configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config, - const char *aclname, ns_aclconfctx_t *actx, + const char *aclname, cfg_aclconfctx_t *actx, dns_zone_t *zone, void (*setzacl)(dns_zone_t *, dns_acl_t *), void (*clearzacl)(dns_zone_t *)) @@ -85,8 +85,8 @@ configure_zone_acl(cfg_obj_t *zconfig, cfg_obj_t *vconfig, cfg_obj_t *config, return (ISC_R_SUCCESS); } - result = ns_acl_fromconfig(aclobj, config, actx, - dns_zone_getmctx(zone), &dacl); + result = cfg_acl_fromconfig(aclobj, config, ns_g_lctx, actx, + dns_zone_getmctx(zone), &dacl); if (result != ISC_R_SUCCESS) return (result); (*setzacl)(zone, dacl); @@ -309,7 +309,7 @@ checknames(dns_zonetype_t ztype, cfg_obj_t **maps, cfg_obj_t **objp) { isc_result_t ns_zone_configure(cfg_obj_t *config, cfg_obj_t *vconfig, cfg_obj_t *zconfig, - ns_aclconfctx_t *ac, dns_zone_t *zone) + cfg_aclconfctx_t *ac, dns_zone_t *zone) { isc_result_t result; char *zname; diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 3658577441..45194af34c 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -2,7 +2,7 @@ - + BIND 9 Administrator Reference Manual @@ -1836,7 +1836,7 @@ which constitute an address match list can be any of the following: a key ID, as defined by the key statement - the name of an address match list previously defined with + the name of an address match list defined with the acl statement a nested address match list enclosed in braces diff --git a/lib/bind9/check.c b/lib/bind9/check.c index 545fbbf439..aa2af9021e 100644 --- a/lib/bind9/check.c +++ b/lib/bind9/check.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: check.c,v 1.53 2005/01/10 23:43:20 marka Exp $ */ +/* $Id: check.c,v 1.54 2005/01/11 03:46:10 marka Exp $ */ #include @@ -33,11 +33,13 @@ #include #include +#include #include #include #include #include +#include #include #include @@ -344,6 +346,57 @@ mustbesecure(cfg_obj_t *secure, isc_symtab_t *symtab, isc_log_t *logctx, return (result); } +static isc_result_t +checkacl(const char *aclname, cfg_obj_t *zconfig, cfg_obj_t *voptions, + cfg_obj_t *config, isc_log_t *logctx, isc_mem_t *mctx) +{ + isc_result_t result; + cfg_obj_t *aclobj = NULL; + cfg_obj_t *options; + dns_acl_t *acl = NULL; + cfg_aclconfctx_t actx; + + if (zconfig != NULL) { + options = cfg_tuple_get(zconfig, "options"); + cfg_map_get(options, aclname, &aclobj); + } + if (voptions != NULL && aclobj == NULL) + cfg_map_get(voptions, aclname, &aclobj); + if (config != NULL && aclobj == NULL) { + options = NULL; + cfg_map_get(config, "options", &options); + if (options != NULL) + cfg_map_get(options, aclname, &aclobj); + } + if (aclobj == NULL) + return (ISC_R_SUCCESS); + cfg_aclconfctx_init(&actx); + result = cfg_acl_fromconfig(aclobj, config, logctx, &actx, mctx, &acl); + if (acl != NULL) + dns_acl_detach(&acl); + return (result); +} + +static isc_result_t +check_viewacls(cfg_obj_t *voptions, cfg_obj_t *config, + isc_log_t *logctx, isc_mem_t *mctx) +{ + isc_result_t result = ISC_R_SUCCESS, tresult; + int i = 0; + + static const char *acls[] = { "allow-query", "allow-query-cache", + "allow-recursion", "blackhole", "match-clients", + "match-destinations", "sortlist", NULL }; + + while (acls[i] != NULL) { + tresult = checkacl(acls[i++], NULL, voptions, config, + logctx, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + return (result); +} + typedef struct { const char *name; unsigned int scale; @@ -682,6 +735,7 @@ validate_masters(cfg_obj_t *obj, cfg_obj_t *config, isc_uint32_t *countp, #define HINTZONE 8 #define FORWARDZONE 16 #define DELEGATIONZONE 32 +#define CHECKACL 64 typedef struct { const char *name; @@ -689,8 +743,9 @@ typedef struct { } optionstable; static isc_result_t -check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, - dns_rdataclass_t defclass, isc_log_t *logctx, isc_mem_t *mctx) +check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *voptions, cfg_obj_t *config, + isc_symtab_t *symtab, dns_rdataclass_t defclass, + isc_log_t *logctx, isc_mem_t *mctx) { const char *zname; const char *typestr; @@ -705,9 +760,9 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, isc_buffer_t b; static optionstable options[] = { - { "allow-query", MASTERZONE | SLAVEZONE | STUBZONE }, - { "allow-notify", SLAVEZONE }, - { "allow-transfer", MASTERZONE | SLAVEZONE }, + { "allow-query", MASTERZONE | SLAVEZONE | STUBZONE | CHECKACL }, + { "allow-notify", SLAVEZONE | CHECKACL }, + { "allow-transfer", MASTERZONE | SLAVEZONE | CHECKACL }, { "notify", MASTERZONE | SLAVEZONE }, { "also-notify", MASTERZONE | SLAVEZONE }, { "dialup", MASTERZONE | SLAVEZONE | STUBZONE }, @@ -730,8 +785,8 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, { "min-refresh-time", SLAVEZONE | STUBZONE }, { "sig-validity-interval", MASTERZONE }, { "zone-statistics", MASTERZONE | SLAVEZONE | STUBZONE }, - { "allow-update", MASTERZONE }, - { "allow-update-forwarding", SLAVEZONE }, + { "allow-update", MASTERZONE | CHECKACL }, + { "allow-update-forwarding", SLAVEZONE | CHECKACL }, { "file", MASTERZONE | SLAVEZONE | STUBZONE | HINTZONE }, { "journal", MASTERZONE | SLAVEZONE }, { "ixfr-base", MASTERZONE | SLAVEZONE }, @@ -833,6 +888,7 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, /* * Look for inappropriate options for the given zone type. + * Check that ACLs expand correctly. */ for (i = 0; i < sizeof(options) / sizeof(options[0]); i++) { obj = NULL; @@ -853,6 +909,16 @@ check_zoneconf(cfg_obj_t *zconfig, cfg_obj_t *config, isc_symtab_t *symtab, "in '%s' zone '%s'", options[i].name, typestr, zname); } + obj = NULL; + if ((options[i].allowed & ztype) != 0 && + (options[i].allowed & CHECKACL) != 0) { + + tresult = checkacl(options[i].name, zconfig, + voptions, config, logctx, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + } + } /* @@ -1090,7 +1156,7 @@ check_servers(cfg_obj_t *servers, isc_log_t *logctx) { } static isc_result_t -check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, +check_viewconf(cfg_obj_t *config, cfg_obj_t *voptions, dns_rdataclass_t vclass, isc_log_t *logctx, isc_mem_t *mctx) { cfg_obj_t *servers = NULL; @@ -1110,8 +1176,8 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, if (tresult != ISC_R_SUCCESS) return (ISC_R_NOMEMORY); - if (vconfig != NULL) - (void)cfg_map_get(vconfig, "zone", &zones); + if (voptions != NULL) + (void)cfg_map_get(voptions, "zone", &zones); else (void)cfg_map_get(config, "zone", &zones); @@ -1122,8 +1188,8 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, isc_result_t tresult; cfg_obj_t *zone = cfg_listelt_value(element); - tresult = check_zoneconf(zone, config, symtab, vclass, - logctx, mctx); + tresult = check_zoneconf(zone, voptions, config, symtab, + vclass, logctx, mctx); if (tresult != ISC_R_SUCCESS) result = ISC_R_FAILURE; } @@ -1147,9 +1213,9 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, return (tresult); } - if (vconfig != NULL) { + if (voptions != NULL) { keys = NULL; - (void)cfg_map_get(vconfig, "key", &keys); + (void)cfg_map_get(voptions, "key", &keys); tresult = check_keylist(keys, symtab, logctx); if (tresult == ISC_R_EXISTS) result = ISC_R_FAILURE; @@ -1164,52 +1230,56 @@ check_viewconf(cfg_obj_t *config, cfg_obj_t *vconfig, dns_rdataclass_t vclass, /* * Check that forwarding is reasonable. */ - if (vconfig == NULL) { + if (voptions == NULL) { cfg_obj_t *options = NULL; (void)cfg_map_get(config, "options", &options); if (options != NULL) if (check_forward(options, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; } else { - if (check_forward(vconfig, logctx) != ISC_R_SUCCESS) + if (check_forward(voptions, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; } /* * Check that dual-stack-servers is reasonable. */ - if (vconfig == NULL) { + if (voptions == NULL) { cfg_obj_t *options = NULL; (void)cfg_map_get(config, "options", &options); if (options != NULL) if (check_dual_stack(options, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; } else { - if (check_dual_stack(vconfig, logctx) != ISC_R_SUCCESS) + if (check_dual_stack(voptions, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; } /* * Check that rrset-order is reasonable. */ - if (vconfig != NULL) { - if (check_order(vconfig, logctx) != ISC_R_SUCCESS) + if (voptions != NULL) { + if (check_order(voptions, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; } - if (vconfig != NULL) { - (void)cfg_map_get(vconfig, "server", &servers); + if (voptions != NULL) { + (void)cfg_map_get(voptions, "server", &servers); if (servers != NULL && check_servers(servers, logctx) != ISC_R_SUCCESS) result = ISC_R_FAILURE; } - if (vconfig != NULL) - tresult = check_options(vconfig, logctx, mctx); + if (voptions != NULL) + tresult = check_options(voptions, logctx, mctx); else tresult = check_options(config, logctx, mctx); if (tresult != ISC_R_SUCCESS) result = tresult; + tresult = check_viewacls(voptions, config, logctx, mctx); + if (tresult != ISC_R_SUCCESS) + result = tresult; + return (result); } diff --git a/lib/isccfg/Makefile.in b/lib/isccfg/Makefile.in index 72e1199edb..3759d07c30 100644 --- a/lib/isccfg/Makefile.in +++ b/lib/isccfg/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.13 2004/07/20 07:13:42 marka Exp $ +# $Id: Makefile.in,v 1.14 2005/01/11 03:46:10 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -43,10 +43,10 @@ LIBS = @LIBS@ SUBDIRS = include # Alphabetically -OBJS = log.@O@ namedconf.@O@ parser.@O@ version.@O@ +OBJS = aclconf.@O@ log.@O@ namedconf.@O@ parser.@O@ version.@O@ # Alphabetically -SRCS = log.c namedconf.c parser.c version.c +SRCS = aclconf.c log.c namedconf.c parser.c version.c TARGETS = timestamp diff --git a/bin/named/aclconf.c b/lib/isccfg/aclconf.c similarity index 85% rename from bin/named/aclconf.c rename to lib/isccfg/aclconf.c index 9258ff33ae..ed2d583548 100644 --- a/bin/named/aclconf.c +++ b/lib/isccfg/aclconf.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aclconf.c,v 1.30 2004/03/05 04:57:46 marka Exp $ */ +/* $Id: aclconf.c,v 1.2 2005/01/11 03:46:11 marka Exp $ */ #include @@ -24,20 +24,20 @@ #include #include +#include #include #include #include -#include void -ns_aclconfctx_init(ns_aclconfctx_t *ctx) { +cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) { ISC_LIST_INIT(ctx->named_acl_cache); } void -ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) { +cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx) { dns_acl_t *dacl, *next; for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache); dacl != NULL; @@ -75,8 +75,8 @@ get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) { static isc_result_t convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx, - ns_aclconfctx_t *ctx, isc_mem_t *mctx, - dns_acl_t **target) + isc_log_t *lctx, cfg_aclconfctx_t *ctx, + isc_mem_t *mctx, dns_acl_t **target) { isc_result_t result; cfg_obj_t *cacl = NULL; @@ -96,11 +96,11 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx, /* Not yet converted. Convert now. */ result = get_acl_def(cctx, aclname, &cacl); if (result != ISC_R_SUCCESS) { - cfg_obj_log(nameobj, dns_lctx, ISC_LOG_WARNING, + cfg_obj_log(nameobj, lctx, ISC_LOG_WARNING, "undefined ACL '%s'", aclname); return (result); } - result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl); + result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, &dacl); if (result != ISC_R_SUCCESS) return (result); dacl->name = isc_mem_strdup(dacl->mctx, aclname); @@ -112,7 +112,9 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx, } static isc_result_t -convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) { +convert_keyname(cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx, + dns_name_t *dnsname) +{ isc_result_t result; isc_buffer_t buf; dns_fixedname_t fixname; @@ -126,7 +128,7 @@ convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) { result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf, dns_rootname, ISC_FALSE, NULL); if (result != ISC_R_SUCCESS) { - cfg_obj_log(keyobj, dns_lctx, ISC_LOG_WARNING, + cfg_obj_log(keyobj, lctx, ISC_LOG_WARNING, "key name '%s' is not a valid domain name", txtname); return (result); @@ -135,11 +137,12 @@ convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) { } isc_result_t -ns_acl_fromconfig(cfg_obj_t *caml, - cfg_obj_t *cctx, - ns_aclconfctx_t *ctx, - isc_mem_t *mctx, - dns_acl_t **target) +cfg_acl_fromconfig(cfg_obj_t *caml, + cfg_obj_t *cctx, + isc_log_t *lctx, + cfg_aclconfctx_t *ctx, + isc_mem_t *mctx, + dns_acl_t **target) { isc_result_t result; unsigned int count; @@ -184,14 +187,15 @@ ns_acl_fromconfig(cfg_obj_t *caml, /* Key name */ de->type = dns_aclelementtype_keyname; dns_name_init(&de->u.keyname, NULL); - result = convert_keyname(ce, mctx, &de->u.keyname); + result = convert_keyname(ce, lctx, mctx, + &de->u.keyname); if (result != ISC_R_SUCCESS) goto cleanup; } else if (cfg_obj_islist(ce)) { /* Nested ACL */ de->type = dns_aclelementtype_nestedacl; - result = ns_acl_fromconfig(ce, cctx, ctx, mctx, - &de->u.nestedacl); + result = cfg_acl_fromconfig(ce, cctx, lctx, ctx, + mctx, &de->u.nestedacl); if (result != ISC_R_SUCCESS) goto cleanup; } else if (cfg_obj_isstring(ce)) { @@ -208,13 +212,14 @@ ns_acl_fromconfig(cfg_obj_t *caml, de->negative = ISC_TF(! de->negative); } else { de->type = dns_aclelementtype_nestedacl; - result = convert_named_acl(ce, cctx, ctx, mctx, + result = convert_named_acl(ce, cctx, lctx, + ctx, mctx, &de->u.nestedacl); if (result != ISC_R_SUCCESS) goto cleanup; } } else { - cfg_obj_log(ce, dns_lctx, ISC_LOG_WARNING, + cfg_obj_log(ce, lctx, ISC_LOG_WARNING, "address match list contains " "unsupported element type"); result = ISC_R_FAILURE; diff --git a/lib/isccfg/include/isccfg/Makefile.in b/lib/isccfg/include/isccfg/Makefile.in index a250c5d47f..7f1a588d55 100644 --- a/lib/isccfg/include/isccfg/Makefile.in +++ b/lib/isccfg/include/isccfg/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.8 2004/03/05 05:12:26 marka Exp $ +# $Id: Makefile.in,v 1.9 2005/01/11 03:46:11 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -26,7 +26,7 @@ top_srcdir = @top_srcdir@ # machine generated. The latter are handled specially in the # install target below. # -HEADERS = cfg.h grammar.h log.h namedconf.h version.h +HEADERS = aclconf.h cfg.h grammar.h log.h namedconf.h version.h SUBDIRS = TARGETS = diff --git a/bin/named/include/named/aclconf.h b/lib/isccfg/include/isccfg/aclconf.h similarity index 79% rename from bin/named/include/named/aclconf.h rename to lib/isccfg/include/isccfg/aclconf.h index 56b6647d41..4452503b9c 100644 --- a/bin/named/include/named/aclconf.h +++ b/lib/isccfg/include/isccfg/aclconf.h @@ -15,10 +15,10 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: aclconf.h,v 1.13 2004/03/05 04:57:55 marka Exp $ */ +/* $Id: aclconf.h,v 1.2 2005/01/11 03:46:11 marka Exp $ */ -#ifndef NS_ACLCONF_H -#define NS_ACLCONF_H 1 +#ifndef ISCCFG_ACLCONF_H +#define ISCCFG_ACLCONF_H 1 #include @@ -26,9 +26,9 @@ #include -typedef struct ns_aclconfctx { +typedef struct cfg_aclconfctx { ISC_LIST(dns_acl_t) named_acl_cache; -} ns_aclconfctx_t; +} cfg_aclconfctx_t; /*** *** Functions @@ -37,23 +37,24 @@ typedef struct ns_aclconfctx { ISC_LANG_BEGINDECLS void -ns_aclconfctx_init(ns_aclconfctx_t *ctx); +cfg_aclconfctx_init(cfg_aclconfctx_t *ctx); /* * Initialize an ACL configuration context. */ void -ns_aclconfctx_destroy(ns_aclconfctx_t *ctx); +cfg_aclconfctx_destroy(cfg_aclconfctx_t *ctx); /* * Destroy an ACL configuration context. */ isc_result_t -ns_acl_fromconfig(cfg_obj_t *caml, - cfg_obj_t *cctx, - ns_aclconfctx_t *ctx, - isc_mem_t *mctx, - dns_acl_t **target); +cfg_acl_fromconfig(cfg_obj_t *caml, + cfg_obj_t *cctx, + isc_log_t *lctx, + cfg_aclconfctx_t *ctx, + isc_mem_t *mctx, + dns_acl_t **target); /* * Construct a new dns_acl_t from configuration data in 'caml' and * 'cctx'. Memory is allocated through 'mctx'. @@ -69,4 +70,4 @@ ns_acl_fromconfig(cfg_obj_t *caml, ISC_LANG_ENDDECLS -#endif /* NS_ACLCONF_H */ +#endif /* ISCCFG_ACLCONF_H */