ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Add per rule logging of dns_ssutable_checkrules processing

Browse Source 
These are logged to the update category at debug level 99 and
have the following form.

    update-policy: using: signer=ddns-key.example.nil, name=updated.example.nil, addr=10.53.0.1, tcp=0, type=A, target=
    update-policy: trying: grant zonesub-key.example.nil zonesub TXT
    update-policy: next rule: signer does not match identity
    update-policy: trying: grant ddns-key.example.nil zonesub ANY
    update-policy: matched: grant ddns-key.example.nil zonesub ANY

or

    update-policy: using: signer=restricted.example.nil, name=example.nil, addr=10.53.0.1, tcp=0, type=TXT, target=
    update-policy: trying: grant zonesub-key.example.nil zonesub TXT
    update-policy: next rule: signer does not match identity
    update-policy: trying: grant ddns-key.example.nil zonesub ANY
    update-policy: next rule: signer does not match identity
    update-policy: trying: grant restricted.example.nil zonesub ANY
    update-policy: next rule: name/subdomain mismatch
    update-policy: no match found

where 'using:' is the calling parameters of dns_ssutable_checkrules,
'trying:' in the rule bing evaluated, "next rule:" is the reason
the rule does not match, "matched:" repeats the matched rule, and
no match found is reported when te set of rules is exhausted.
This commit is contained in:
Mark Andrews
2024-05-29 15:04:37 +10:00
parent d282e5a66e
commit b7a13cf2c1
3 changed files with 478 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
bin/named/zoneconf.c
View File

@@ -203,6 +203,11 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
isc_mem_t *mctx = dns_zone_getmctx(zone);
bool autoddns = false;
isc_result_t result = ISC_R_SUCCESS;
char debug[1024];
isc_buffer_t dbuf;
isc_buffer_init(&dbuf, debug, sizeof(debug));
isc_buffer_setmctx(&dbuf, mctx);
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
@@ -237,7 +242,9 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
isc_buffer_t b;
dns_ssuruletype_t *types;
unsigned int i, n;
char namebuf[DNS_NAME_FORMATSIZE];
isc_buffer_clear(&dbuf);
str = cfg_obj_asstring(mode);
if (strcasecmp(str, "grant") == 0) {
grant = true;
@@ -246,14 +253,7 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
} else {
UNREACHABLE();
}
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
if (mtype == dns_ssumatchtype_subdomain &&
strcasecmp(str, "zonesub") == 0)
{
usezone = true;
}
isc_buffer_putstr(&dbuf, str);
dns_fixedname_init(&fident);
str = cfg_obj_asstring(identity);
@@ -266,6 +266,20 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
"'%s' is not a valid name", str);
goto cleanup;
}
dns_name_format(dns_fixedname_name(&fident), namebuf,
sizeof(namebuf));
isc_buffer_putstr(&dbuf, " ");
isc_buffer_putstr(&dbuf, namebuf);
str = cfg_obj_asstring(matchtype);
CHECK(dns_ssu_mtypefromstring(str, &mtype));
if (mtype == dns_ssumatchtype_subdomain &&
strcasecmp(str, "zonesub") == 0)
{
usezone = true;
}
isc_buffer_putstr(&dbuf, " ");
isc_buffer_putstr(&dbuf, str);
dns_fixedname_init(&fname);
if (usezone) {
@@ -282,6 +296,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
"'%s' is not a valid name", str);
goto cleanup;
}
dns_name_format(dns_fixedname_name(&fname), namebuf,
sizeof(namebuf));
isc_buffer_putstr(&dbuf, " ");
isc_buffer_putstr(&dbuf, namebuf);
}
n = named_config_listcount(typelist);
@@ -305,6 +323,8 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
typeobj = cfg_listelt_value(element2);
str = cfg_obj_asstring(typeobj);
r.base = UNCONST(str);
isc_buffer_putstr(&dbuf, " ");
isc_buffer_putstr(&dbuf, str);
bracket = strchr(str, '(' /*)*/);
if (bracket != NULL) {
@@ -337,9 +357,10 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
}
INSIST(i == n);
isc_buffer_putuint8(&dbuf, '\0');
dns_ssutable_addrule(table, grant, dns_fixedname_name(&fident),
mtype, dns_fixedname_name(&fname), n,
types);
types, isc_buffer_base(&dbuf));
if (types != NULL) {
isc_mem_cput(mctx, types, n, sizeof(*types));
}
@@ -363,15 +384,16 @@ configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
goto cleanup;
}
dns_ssutable_addrule(table, true,
named_g_server->session_keyname,
dns_ssumatchtype_local,
dns_zone_getorigin(zone), 1, &any);
dns_ssutable_addrule(
table, true, named_g_server->session_keyname,
dns_ssumatchtype_local, dns_zone_getorigin(zone), 1,
&any, "local");
}
dns_zone_setssutable(zone, table);
cleanup:
isc_buffer_clearmctx(&dbuf);
dns_ssutable_detach(&table);
return (result);
}

3
lib/dns/include/dns/ssu.h
View File

@@ -111,7 +111,7 @@ void
dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
const dns_name_t *identity, dns_ssumatchtype_t matchtype,
const dns_name_t *name, unsigned int ntypes,
dns_ssuruletype_t *types);
dns_ssuruletype_t *types, const char *debug);
/*%<
* Adds a new rule to a simple-secure-update rule table. The rule
* either grants or denies update privileges of an identity (or set of
@@ -134,6 +134,7 @@ dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
*\li 'matchtype' must be one of the defined constants.
*\li 'name' is a valid absolute name
*\li If 'ntypes' > 0, 'types' must not be NULL
*\li 'debug' must not be NULL
*
* Returns:
*\li ISC_R_SUCCESS

465
lib/dns/ssu.c
View File

@@ -47,6 +47,7 @@ struct dns_ssurule {
dns_ssuruletype_t *types; /*%< the data types. Can include */
/* ANY. if NULL, defaults to all */
/* types except SIG, SOA, and NS */
char *debug; /*%< text version for debugging */
ISC_LINK(dns_ssurule_t) link;
};
@@ -96,6 +97,9 @@ destroy(dns_ssutable_t *table) {
isc_mem_cput(mctx, rule->types, rule->ntypes,
sizeof(*rule->types));
}
if (rule->debug != NULL) {
isc_mem_free(mctx, rule->debug);
}
ISC_LIST_UNLINK(table->rules, rule, link);
rule->magic = 0;
isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
@@ -129,11 +133,56 @@ dns_ssutable_detach(dns_ssutable_t **tablep) {
}
}
static const char *
mtypetostring(dns_ssumatchtype_t matchtype) {
switch (matchtype) {
case dns_ssumatchtype_name:
return ("name");
case dns_ssumatchtype_wildcard:
return ("wildcard");
case dns_ssumatchtype_self:
return ("self");
case dns_ssumatchtype_selfsub:
return ("selfsub");
case dns_ssumatchtype_selfwild:
return ("selfwild");
case dns_ssumatchtype_selfms:
return ("ms-self");
case dns_ssumatchtype_selfsubms:
return ("ms-selfsub");
case dns_ssumatchtype_selfkrb5:
return ("krb5-self");
case dns_ssumatchtype_selfsubkrb5:
return ("krb5-selfsub");
case dns_ssumatchtype_subdomainms:
return ("ms-subdomain");
case dns_ssumatchtype_subdomainselfmsrhs:
return ("ms-subdomain-self-rhs");
case dns_ssumatchtype_subdomainkrb5:
return ("krb5-subdomain");
case dns_ssumatchtype_subdomainselfkrb5rhs:
return ("krb5-subdomain-self-rhs");
case dns_ssumatchtype_tcpself:
return ("tcp-self");
case dns_ssumatchtype_6to4self:
return ("6to4-self");
case dns_ssumatchtype_subdomain:
return ("subdomain");
case dns_ssumatchtype_external:
return ("external");
case dns_ssumatchtype_local:
return ("local");
case dns_ssumatchtype_dlz:
return ("dlz");
}
return ("UnknownMatchType");
}
void
dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
const dns_name_t *identity, dns_ssumatchtype_t matchtype,
const dns_name_t *name, unsigned int ntypes,
dns_ssuruletype_t *types) {
dns_ssuruletype_t *types, const char *debug) {
dns_ssurule_t *rule;
isc_mem_t *mctx;
@@ -147,35 +196,34 @@ dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
if (ntypes > 0) {
REQUIRE(types != NULL);
}
REQUIRE(debug != NULL);
mctx = table->mctx;
rule = isc_mem_get(mctx, sizeof(*rule));
*rule = (dns_ssurule_t){
.grant = grant,
.matchtype = matchtype,
.identity = isc_mem_get(mctx, sizeof(*rule->identity)),
.name = isc_mem_get(mctx, sizeof(*rule->name)),
.ntypes = ntypes,
.types = ntypes == 0 ? NULL
: isc_mem_cget(mctx, ntypes,
sizeof(*rule->types)),
.link = ISC_LINK_INITIALIZER,
.magic = SSURULEMAGIC,
};
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = grant;
rule->identity = isc_mem_get(mctx, sizeof(*rule->identity));
dns_name_init(rule->identity, NULL);
dns_name_dup(identity, mctx, rule->identity);
rule->name = isc_mem_get(mctx, sizeof(*rule->name));
dns_name_init(rule->name, NULL);
dns_name_dup(name, mctx, rule->name);
rule->matchtype = matchtype;
rule->ntypes = ntypes;
if (ntypes > 0) {
rule->types = isc_mem_cget(mctx, ntypes, sizeof(*rule->types));
memmove(rule->types, types, ntypes * sizeof(*rule->types));
} else {
rule->types = NULL;
}
rule->magic = SSURULEMAGIC;
rule->debug = isc_mem_strdup(mctx, debug);
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
}
@@ -289,12 +337,40 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
int match;
isc_result_t result;
unsigned int i;
bool logit = isc_log_wouldlog(99);
REQUIRE(VALID_SSUTABLE(table));
REQUIRE(signer == NULL || dns_name_isabsolute(signer));
REQUIRE(dns_name_isabsolute(name));
REQUIRE(addr == NULL || env != NULL);
if (logit) {
char signerbuf[DNS_NAME_FORMATSIZE] = { 0 };
char namebuf[DNS_NAME_FORMATSIZE] = { 0 };
char targetbuf[DNS_NAME_FORMATSIZE] = { 0 };
char addrbuf[ISC_NETADDR_FORMATSIZE] = { 0 };
char typebuf[DNS_RDATATYPE_FORMATSIZE] = { 0 };
if (signer != NULL) {
dns_name_format(signer, signerbuf, sizeof(signerbuf));
}
dns_name_format(name, namebuf, sizeof(namebuf));
if (target != NULL) {
dns_name_format(target, targetbuf, sizeof(targetbuf));
}
dns_rdatatype_format(type, typebuf, sizeof(typebuf));
if (addr != NULL) {
isc_netaddr_format(addr, addrbuf, sizeof(addrbuf));
}
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: using: signer=%s name=%s addr=%s "
"tcp=%u type=%s target=%s",
signerbuf, namebuf, addrbuf, tcp, typebuf,
targetbuf);
}
if (signer == NULL && addr == NULL) {
return (false);
}
@@ -302,6 +378,49 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
for (rule = ISC_LIST_HEAD(table->rules); rule != NULL;
rule = ISC_LIST_NEXT(rule, link))
{
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
"update-policy: trying: %s",
rule->debug != NULL ? rule->debug
: "not available");
if (tcp && addr != NULL) {
char namebuf[DNS_NAME_FORMATSIZE] = { 0 };
switch (rule->matchtype) {
case dns_ssumatchtype_tcpself:
tcpself =
dns_fixedname_initname(&fixed);
reverse_from_address(tcpself, addr);
dns_name_format(tcpself, namebuf,
sizeof(namebuf));
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: %s=%s",
mtypetostring(rule->matchtype),
namebuf);
break;
case dns_ssumatchtype_6to4self:
stfself =
dns_fixedname_initname(&fixed);
stf_from_address(stfself, addr);
dns_name_format(stfself, namebuf,
sizeof(namebuf));
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: %s=%s",
mtypetostring(rule->matchtype),
namebuf);
break;
default:
break;
}
}
}
switch (rule->matchtype) {
case dns_ssumatchtype_local:
case dns_ssumatchtype_name:
@@ -311,16 +430,43 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
case dns_ssumatchtype_subdomain:
case dns_ssumatchtype_wildcard:
if (signer == NULL) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: no signer");
}
continue;
}
if (dns_name_iswildcard(rule->identity)) {
if (!dns_name_matcheswildcard(signer,
rule->identity))
{
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: signer does not "
"match wildcard "
"identity");
}
continue;
}
} else {
if (!dns_name_equal(signer, rule->identity)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: signer does not "
"match identity");
}
continue;
}
}
@@ -334,12 +480,28 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
case dns_ssumatchtype_subdomainselfkrb5rhs:
case dns_ssumatchtype_subdomainselfmsrhs:
if (signer == NULL) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: no signer");
}
continue;
}
break;
case dns_ssumatchtype_tcpself:
case dns_ssumatchtype_6to4self:
if (!tcp || addr == NULL) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: %s",
tcp ? "no address" : "not TCP");
}
continue;
}
break;
@@ -351,19 +513,51 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
switch (rule->matchtype) {
case dns_ssumatchtype_name:
if (!dns_name_equal(name, rule->name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: name mismatch");
}
continue;
}
break;
case dns_ssumatchtype_subdomain:
if (!dns_name_issubdomain(name, rule->name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"name/subdomain mismatch");
}
continue;
}
break;
case dns_ssumatchtype_local:
if (addr == NULL) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: no address");
}
continue;
}
if (!dns_name_issubdomain(name, rule->name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"name/subdomain mismatch");
}
continue;
}
rcu_read_lock();
@@ -381,21 +575,56 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
"key not from "
"localhost");
}
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"address not local");
}
continue;
}
break;
case dns_ssumatchtype_wildcard:
if (!dns_name_matcheswildcard(name, rule->name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: record name does "
"not match wilcard name");
}
continue;
}
break;
case dns_ssumatchtype_self:
if (!dns_name_equal(signer, name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: record named not "
"equal signer");
}
continue;
}
break;
case dns_ssumatchtype_selfsub:
if (!dns_name_issubdomain(name, signer)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: record name not "
"subdomain of signer");
}
continue;
}
break;
@@ -404,9 +633,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
result = dns_name_concatenate(dns_wildcardname, signer,
wildcard, NULL);
if (result != ISC_R_SUCCESS) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: wilcard, signer "
"concatenation failed");
}
continue;
}
if (!dns_name_matcheswildcard(name, wildcard)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"record name does not match "
"wildcarded signer");
}
continue;
}
break;
@@ -416,6 +663,13 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
{
break;
}
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
"update-policy: next rule: krb5 signer "
"doesn't map to record name");
}
continue;
case dns_ssumatchtype_selfms:
if (dst_gssapi_identitymatchesrealmms(
@@ -423,6 +677,13 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
{
break;
}
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
"update-policy: next rule: MS Windows "
"signer doesn't map to record name");
}
continue;
case dns_ssumatchtype_selfsubkrb5:
if (dst_gssapi_identitymatchesrealmkrb5(
@@ -430,6 +691,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
{
break;
}
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"record name not a subdomain of "
"krb5 signer mapped name");
}
continue;
case dns_ssumatchtype_selfsubms:
if (dst_gssapi_identitymatchesrealmms(
@@ -437,10 +706,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
{
break;
}
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"record name not a subdomain of "
"MS Windows signer mapped name");
}
continue;
case dns_ssumatchtype_subdomainkrb5:
case dns_ssumatchtype_subdomainselfkrb5rhs:
if (!dns_name_issubdomain(name, rule->name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: record name not a "
"subdomain of rule name");
}
continue;
}
tname = NULL;
@@ -461,10 +747,27 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
{
break;
}
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: rdata "
"name does not match krb5 signer "
"mapped name");
}
continue;
case dns_ssumatchtype_subdomainms:
case dns_ssumatchtype_subdomainselfmsrhs:
if (!dns_name_issubdomain(name, rule->name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: record name not a "
"subdomain of rule name");
}
continue;
}
tname = NULL;
@@ -485,6 +788,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
{
break;
}
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: rdata "
"name does not match MS Windows "
"signer mapped name");
}
continue;
case dns_ssumatchtype_tcpself:
tcpself = dns_fixedname_initname(&fixed);
@@ -493,14 +804,43 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
if (!dns_name_matcheswildcard(tcpself,
rule->identity))
{
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: tcp-self name "
"does not match "
"wildcard identity");
}
continue;
}
} else {
if (!dns_name_equal(tcpself, rule->identity)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: tcp-self name "
"does not match "
"identity");
}
continue;
}
}
if (!dns_name_equal(tcpself, name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"tcp-self name does not match "
"record name");
}
continue;
}
break;
@@ -511,14 +851,47 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
if (!dns_name_matcheswildcard(stfself,
rule->identity))
{
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: %s name "
"does not match "
"wildcard identity",
mtypetostring(
rule->matchtype));
}
continue;
}
} else {
if (!dns_name_equal(stfself, rule->identity)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: %s name does "
"not match identity",
mtypetostring(
rule->matchtype));
}
continue;
}
}
if (!dns_name_equal(stfself, name)) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: %s name does not "
"match record name",
mtypetostring(rule->matchtype));
}
continue;
}
break;
@@ -527,6 +900,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
name, addr, type, key,
table->mctx))
{
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"external match failed");
}
continue;
}
break;
@@ -534,6 +915,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
if (!dns_dlz_ssumatch(table->dlzdatabase, signer, name,
addr, type, key))
{
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: dlz match failed");
}
continue;
}
break;
@@ -547,6 +936,14 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
if (rule->matchtype != dns_ssumatchtype_dlz &&
!isusertype(type))
{
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next "
"rule: not user type");
}
continue;
}
} else {
@@ -558,14 +955,34 @@ dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
}
}
if (i == rule->ntypes) {
if (logit) {
isc_log_write(
DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: next rule: "
"type not in type list");
}
continue;
}
}
if (rule->grant && rulep != NULL) {
*rulep = rule;
}
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY,
DNS_LOGMODULE_SSU, ISC_LOG_DEBUG(99),
"update-policy: matched: %s",
rule->debug != NULL ? rule->debug
: "not available");
}
return (rule->grant);
}
if (logit) {
isc_log_write(DNS_LOGCATEGORY_UPDATE_POLICY, DNS_LOGMODULE_SSU,
ISC_LOG_DEBUG(99),
"update-policy: no match found");
}
return (false);
}
@@ -653,13 +1070,13 @@ dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
rule->identity = NULL;
rule->name = NULL;
rule->grant = true;
rule->matchtype = dns_ssumatchtype_dlz;
rule->ntypes = 0;
rule->types = NULL;
rule->magic = SSURULEMAGIC;
*rule = (dns_ssurule_t){
.grant = true,
.matchtype = dns_ssumatchtype_dlz,
.magic = SSURULEMAGIC,
};
rule->debug = isc_mem_strdup(mctx, "grant dlz");
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
*tablep = table;