1df0cfa3bSKurt Lidl--- /dev/null 2015-01-22 01:48:00.000000000 -0500
2df0cfa3bSKurt Lidl+++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
3df0cfa3bSKurt Lidl@@ -0,0 +1,42 @@
4df0cfa3bSKurt Lidl+#include <config.h>
5df0cfa3bSKurt Lidl+
6df0cfa3bSKurt Lidl+#include <isc/platform.h>
7df0cfa3bSKurt Lidl+#include <isc/util.h>
8df0cfa3bSKurt Lidl+#include <named/types.h>
9df0cfa3bSKurt Lidl+#include <named/client.h>
10df0cfa3bSKurt Lidl+
11e6a066acSEd Maste+#include <blocklist.h>
12df0cfa3bSKurt Lidl+
13df0cfa3bSKurt Lidl+#include "pfilter.h"
14df0cfa3bSKurt Lidl+
15e6a066acSEd Maste+static struct blocklist *blstate;
16df0cfa3bSKurt Lidl+
17df0cfa3bSKurt Lidl+void
18df0cfa3bSKurt Lidl+pfilter_open(void)
19df0cfa3bSKurt Lidl+{
20df0cfa3bSKurt Lidl+ if (blstate == NULL)
21e6a066acSEd Maste+ blstate = blocklist_open();
22df0cfa3bSKurt Lidl+}
23df0cfa3bSKurt Lidl+
24df0cfa3bSKurt Lidl+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
25df0cfa3bSKurt Lidl+
26df0cfa3bSKurt Lidl+void
27df0cfa3bSKurt Lidl+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
28df0cfa3bSKurt Lidl+{
29df0cfa3bSKurt Lidl+ isc_socket_t *socket;
30df0cfa3bSKurt Lidl+
31df0cfa3bSKurt Lidl+ pfilter_open();
32df0cfa3bSKurt Lidl+
33df0cfa3bSKurt Lidl+ if (TCP_CLIENT(client))
34df0cfa3bSKurt Lidl+ socket = client->tcpsocket;
35df0cfa3bSKurt Lidl+ else {
36df0cfa3bSKurt Lidl+ socket = client->udpsocket;
37df0cfa3bSKurt Lidl+ if (!client->peeraddr_valid)
38df0cfa3bSKurt Lidl+ return;
39df0cfa3bSKurt Lidl+ }
40df0cfa3bSKurt Lidl+ if (socket == NULL)
41df0cfa3bSKurt Lidl+ return;
42e6a066acSEd Maste+ blocklist_sa_r(blstate,
43df0cfa3bSKurt Lidl+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
44df0cfa3bSKurt Lidl+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
45df0cfa3bSKurt Lidl+}
46df0cfa3bSKurt Lidl--- /dev/null 2015-01-22 01:48:00.000000000 -0500
47df0cfa3bSKurt Lidl+++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
48df0cfa3bSKurt Lidl@@ -0,0 +1,2 @@
49df0cfa3bSKurt Lidl+void pfilter_open(void);
50df0cfa3bSKurt Lidl+void pfilter_notify(isc_result_t, ns_client_t *, const char *);
51df0cfa3bSKurt LidlIndex: bin/named/Makefile
52df0cfa3bSKurt Lidl===================================================================
53df0cfa3bSKurt LidlRCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
54df0cfa3bSKurt Lidlretrieving revision 1.8
55df0cfa3bSKurt Lidldiff -u -u -r1.8 Makefile
56df0cfa3bSKurt Lidl--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
57df0cfa3bSKurt Lidl+++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000
58df0cfa3bSKurt Lidl@@ -33,7 +33,9 @@
59df0cfa3bSKurt Lidl lwaddr.c lwdclient.c lwderror.c \
60df0cfa3bSKurt Lidl lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
61df0cfa3bSKurt Lidl main.c notify.c query.c server.c sortlist.c statschannel.c \
62df0cfa3bSKurt Lidl- tkeyconf.c tsigconf.c \
63df0cfa3bSKurt Lidl+ pfilter.c tkeyconf.c tsigconf.c \
64df0cfa3bSKurt Lidl update.c xfrout.c zoneconf.c ${SRCS_UNIX}
65df0cfa3bSKurt Lidl
66e6a066acSEd Maste+LDADD+=-lblocklist
67e6a066acSEd Maste+DPADD+=${LIBBLOCKLIST}
68df0cfa3bSKurt Lidl .include <bsd.prog.mk>
69df0cfa3bSKurt LidlIndex: dist/bin/named/client.c
70df0cfa3bSKurt Lidl===================================================================
71df0cfa3bSKurt LidlRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
72df0cfa3bSKurt Lidlretrieving revision 1.11
73df0cfa3bSKurt Lidldiff -u -u -r1.11 client.c
74df0cfa3bSKurt Lidl--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
75df0cfa3bSKurt Lidl+++ dist/bin/named/client.c 23 Jan 2015 21:37:09 -0000
76df0cfa3bSKurt Lidl@@ -65,6 +65,8 @@
77df0cfa3bSKurt Lidl #include <named/server.h>
78df0cfa3bSKurt Lidl #include <named/update.h>
79df0cfa3bSKurt Lidl
80df0cfa3bSKurt Lidl+#include "pfilter.h"
81df0cfa3bSKurt Lidl+
82df0cfa3bSKurt Lidl /***
83df0cfa3bSKurt Lidl *** Client
84df0cfa3bSKurt Lidl ***/
85df0cfa3bSKurt Lidl@@ -3101,6 +3103,7 @@
86df0cfa3bSKurt Lidl result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
87df0cfa3bSKurt Lidl acl, default_allow);
88df0cfa3bSKurt Lidl
89df0cfa3bSKurt Lidl+ pfilter_notify(result, client, opname);
90df0cfa3bSKurt Lidl if (result == ISC_R_SUCCESS)
91df0cfa3bSKurt Lidl ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
92df0cfa3bSKurt Lidl NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
93df0cfa3bSKurt LidlIndex: dist/bin/named/main.c
94df0cfa3bSKurt Lidl===================================================================
95df0cfa3bSKurt LidlRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
96df0cfa3bSKurt Lidlretrieving revision 1.15
97df0cfa3bSKurt Lidldiff -u -u -r1.15 main.c
98df0cfa3bSKurt Lidl--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
99df0cfa3bSKurt Lidl+++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000
100df0cfa3bSKurt Lidl@@ -83,6 +83,9 @@
101df0cfa3bSKurt Lidl #ifdef HAVE_LIBXML2
102df0cfa3bSKurt Lidl #include <libxml/xmlversion.h>
103df0cfa3bSKurt Lidl #endif
104df0cfa3bSKurt Lidl+
105df0cfa3bSKurt Lidl+#include "pfilter.h"
106df0cfa3bSKurt Lidl+
107df0cfa3bSKurt Lidl /*
108df0cfa3bSKurt Lidl * Include header files for database drivers here.
109df0cfa3bSKurt Lidl */
110df0cfa3bSKurt Lidl@@ -1206,6 +1209,8 @@
111df0cfa3bSKurt Lidl
112df0cfa3bSKurt Lidl parse_command_line(argc, argv);
113df0cfa3bSKurt Lidl
114df0cfa3bSKurt Lidl+ pfilter_open();
115df0cfa3bSKurt Lidl+
116df0cfa3bSKurt Lidl /*
117df0cfa3bSKurt Lidl * Warn about common configuration error.
118df0cfa3bSKurt Lidl */
119df0cfa3bSKurt LidlIndex: dist/bin/named/query.c
120df0cfa3bSKurt Lidl===================================================================
121df0cfa3bSKurt LidlRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
122df0cfa3bSKurt Lidlretrieving revision 1.17
123df0cfa3bSKurt Lidldiff -u -u -r1.17 query.c
124df0cfa3bSKurt Lidl--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
125df0cfa3bSKurt Lidl+++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000
126df0cfa3bSKurt Lidl@@ -65,6 +65,8 @@
127df0cfa3bSKurt Lidl #include <named/sortlist.h>
128df0cfa3bSKurt Lidl #include <named/xfrout.h>
129df0cfa3bSKurt Lidl
130df0cfa3bSKurt Lidl+#include "pfilter.h"
131df0cfa3bSKurt Lidl+
132df0cfa3bSKurt Lidl #if 0
133df0cfa3bSKurt Lidl /*
134df0cfa3bSKurt Lidl * It has been recommended that DNS64 be changed to return excluded
135df0cfa3bSKurt Lidl@@ -762,6 +764,8 @@
136df0cfa3bSKurt Lidl }
137df0cfa3bSKurt Lidl
138df0cfa3bSKurt Lidl result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
139df0cfa3bSKurt Lidl+ if (result != ISC_R_SUCCESS)
140df0cfa3bSKurt Lidl+ pfilter_notify(result, client, "validatezonedb");
141df0cfa3bSKurt Lidl if ((options & DNS_GETDB_NOLOG) == 0) {
142df0cfa3bSKurt Lidl char msg[NS_CLIENT_ACLMSGSIZE("query")];
143df0cfa3bSKurt Lidl if (result == ISC_R_SUCCESS) {
144df0cfa3bSKurt Lidl@@ -1026,6 +1030,8 @@
145df0cfa3bSKurt Lidl result = ns_client_checkaclsilent(client, NULL,
146df0cfa3bSKurt Lidl client->view->cacheacl,
147df0cfa3bSKurt Lidl ISC_TRUE);
148df0cfa3bSKurt Lidl+ if (result == ISC_R_SUCCESS)
149df0cfa3bSKurt Lidl+ pfilter_notify(result, client, "cachedb");
150df0cfa3bSKurt Lidl if (result == ISC_R_SUCCESS) {
151df0cfa3bSKurt Lidl /*
152df0cfa3bSKurt Lidl * We were allowed by the "allow-query-cache" ACL.
153df0cfa3bSKurt LidlIndex: dist/bin/named/update.c
154df0cfa3bSKurt Lidl===================================================================
155df0cfa3bSKurt LidlRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
156df0cfa3bSKurt Lidlretrieving revision 1.9
157df0cfa3bSKurt Lidldiff -u -u -r1.9 update.c
158df0cfa3bSKurt Lidl--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
159df0cfa3bSKurt Lidl+++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000
160df0cfa3bSKurt Lidl@@ -59,6 +59,8 @@
161df0cfa3bSKurt Lidl #include <named/server.h>
162df0cfa3bSKurt Lidl #include <named/update.h>
163df0cfa3bSKurt Lidl
164df0cfa3bSKurt Lidl+#include "pfilter.h"
165df0cfa3bSKurt Lidl+
166df0cfa3bSKurt Lidl /*! \file
167df0cfa3bSKurt Lidl * \brief
168df0cfa3bSKurt Lidl * This module implements dynamic update as in RFC2136.
169df0cfa3bSKurt Lidl@@ -307,6 +309,7 @@
170df0cfa3bSKurt Lidl
171df0cfa3bSKurt Lidl result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
172df0cfa3bSKurt Lidl if (result != ISC_R_SUCCESS) {
173df0cfa3bSKurt Lidl+ pfilter_notify(result, client, "queryacl");
174df0cfa3bSKurt Lidl dns_name_format(zonename, namebuf, sizeof(namebuf));
175df0cfa3bSKurt Lidl dns_rdataclass_format(client->view->rdclass, classbuf,
176df0cfa3bSKurt Lidl sizeof(classbuf));
177df0cfa3bSKurt Lidl@@ -324,6 +327,7 @@
178df0cfa3bSKurt Lidl sizeof(classbuf));
179df0cfa3bSKurt Lidl
180df0cfa3bSKurt Lidl result = DNS_R_REFUSED;
181df0cfa3bSKurt Lidl+ pfilter_notify(result, client, "updateacl");
182df0cfa3bSKurt Lidl ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
183df0cfa3bSKurt Lidl NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
184df0cfa3bSKurt Lidl "update '%s/%s' denied", namebuf, classbuf);
185df0cfa3bSKurt Lidl@@ -362,6 +366,7 @@
186df0cfa3bSKurt Lidl msg = "disabled";
187df0cfa3bSKurt Lidl } else {
188df0cfa3bSKurt Lidl result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
189df0cfa3bSKurt Lidl+ pfilter_notify(result, client, "updateacl");
190df0cfa3bSKurt Lidl if (result == ISC_R_SUCCESS) {
191df0cfa3bSKurt Lidl level = ISC_LOG_DEBUG(3);
192df0cfa3bSKurt Lidl msg = "approved";
193df0cfa3bSKurt LidlIndex: dist/bin/named/xfrout.c
194df0cfa3bSKurt Lidl===================================================================
195df0cfa3bSKurt LidlRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
196df0cfa3bSKurt Lidlretrieving revision 1.7
197df0cfa3bSKurt Lidldiff -u -u -r1.7 xfrout.c
198df0cfa3bSKurt Lidl--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
199df0cfa3bSKurt Lidl+++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000
200df0cfa3bSKurt Lidl@@ -54,6 +54,8 @@
201df0cfa3bSKurt Lidl #include <named/server.h>
202df0cfa3bSKurt Lidl #include <named/xfrout.h>
203df0cfa3bSKurt Lidl
204df0cfa3bSKurt Lidl+#include "pfilter.h"
205df0cfa3bSKurt Lidl+
206df0cfa3bSKurt Lidl /*! \file
207df0cfa3bSKurt Lidl * \brief
208df0cfa3bSKurt Lidl * Outgoing AXFR and IXFR.
209df0cfa3bSKurt Lidl@@ -822,6 +824,7 @@
210df0cfa3bSKurt Lidl &client->peeraddr,
211df0cfa3bSKurt Lidl &db);
212df0cfa3bSKurt Lidl
213df0cfa3bSKurt Lidl+ pfilter_notify(result, client, "zonexfr");
214df0cfa3bSKurt Lidl if (result == ISC_R_NOPERM) {
215df0cfa3bSKurt Lidl char _buf1[DNS_NAME_FORMATSIZE];
216df0cfa3bSKurt Lidl char _buf2[DNS_RDATACLASS_FORMATSIZE];
217
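Review bot: `pfilter_notify` hands `blstate` to `blocklist_sa_r` without checking that `pfilter_open()` actually produced a handle, so whenever `blocklist_open()` returns NULL (e.g. the daemon's socket is unavailable) every ACL decision in the server passes a NULL handle into the library; unless libblocklist is documented to tolerate that, add `if (blstate == NULL) return;` directly after the `pfilter_open();` call. The TCP branch also reads `client->peeraddr` without the `peeraddr_valid` test that the UDP branch performs; if TCP peers are always valid by construction, a comment saying so would help, otherwise hoist the test above the branch. Neither function carries a contract comment; suggest on `pfilter_notify` something like `/* Report an ACL decision for client's peer to blocklistd: res != ISC_R_SUCCESS counts as a failure, success is reported as well (presumably a clearing event on the library side); msg is the context string the daemon logs. */`, and the same documentation on the two prototypes in the pfilter.h hunk that follows.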
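Review bot: The new `pfilter_notify(result, client, opname)` reports `client->peeraddr` even when the ACL two lines above was evaluated against a different address (`sockaddr ? &netaddr : NULL`), so a denial of an address-specific ACL is attributed to the peer that sent the packet; if blocking the sender is the intent, say so next to the call: `/* Always report the peer: blocklistd acts on source addresses, whatever address the ACL matched. */`. Because `pfilter_notify` derives the action from `res != ISC_R_SUCCESS`, this unconditional call also emits an event for every successful check, i.e. one message to the daemon per ACL evaluation on a busy server; a comment stating that successes are deliberately reported here (while the query.c validatezonedb site reports only failures) would stop a later reader from "harmonising" one of them. The enclosing function starts and ends outside the hunk.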
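Review bot: In the `@@ -1026` hunk the guard `if (result == ISC_R_SUCCESS) pfilter_notify(result, client, "cachedb");` reports only allowed cache queries and never a denial, the opposite of the `validatezonedb` call in the `@@ -762` hunk, which reports only failures; since `pfilter_notify` computes the action as `res != ISC_R_SUCCESS`, the cachedb path can only ever send success events, so an allow-query-cache denial never counts against the peer. If denials are meant to count, the guard should read `if (result != ISC_R_SUCCESS)`, or be dropped so both outcomes are reported as the update.c and xfrout.c hunks do; if the asymmetry is intentional, a one-line comment explaining why would help. Both hunks sit inside functions that start and end outside the hunk.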
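Review bot: The context string `"updateacl"` is used for two different decisions — the unconditional `result = DNS_R_REFUSED;` path in the `@@ -324` hunk and the real `ns_client_checkaclsilent` result in the `@@ -362` hunk — so the daemon's log cannot tell a refused-by-policy update from an ACL denial; a distinct label for the first, e.g. `pfilter_notify(result, client, "updateacl-refused");`, keeps the audit trail useful. The `@@ -307` hunk uses the local variable name `queryacl` as its label, while the other call sites in this patch name the decision point (`validatezonedb`, `cachedb`, `zonexfr`); worth aligning on one convention. All three hunks are inside functions that start and end outside the hunk.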
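Review bot: `pfilter_notify(result, client, "zonexfr");` is placed before the `if (result == ISC_R_NOPERM)` test, so every non-success result of the call above — not only the permission denial the next line singles out — is reported as a failure, because `pfilter_notify` counts anything other than `ISC_R_SUCCESS` against the peer. If that call can return other non-success codes for non-permission reasons (the explicit `ISC_R_NOPERM` comparison suggests it does), a client that merely asks for a zone the server does not serve accumulates failures and may eventually be blocked for an ordinary lookup. Moving the call inside the branch, `if (result == ISC_R_NOPERM) { pfilter_notify(result, client, "zonexfr");`, limits the reporting to real ACL denials; the enclosing function starts and ends outside the hunk.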