1*0a6a1f1dSLionel Sambuc--- /dev/null 2015-01-22 01:48:00.000000000 -0500
2*0a6a1f1dSLionel Sambuc+++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
3*0a6a1f1dSLionel Sambuc@@ -0,0 +1,42 @@
4*0a6a1f1dSLionel Sambuc+#include <config.h>
5*0a6a1f1dSLionel Sambuc+
6*0a6a1f1dSLionel Sambuc+#include <isc/platform.h>
7*0a6a1f1dSLionel Sambuc+#include <isc/util.h>
8*0a6a1f1dSLionel Sambuc+#include <named/types.h>
9*0a6a1f1dSLionel Sambuc+#include <named/client.h>
10*0a6a1f1dSLionel Sambuc+
11*0a6a1f1dSLionel Sambuc+#include <blacklist.h>
12*0a6a1f1dSLionel Sambuc+
13*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
14*0a6a1f1dSLionel Sambuc+
15*0a6a1f1dSLionel Sambuc+static struct blacklist *blstate;
16*0a6a1f1dSLionel Sambuc+
17*0a6a1f1dSLionel Sambuc+void
18*0a6a1f1dSLionel Sambuc+pfilter_open(void)
19*0a6a1f1dSLionel Sambuc+{
20*0a6a1f1dSLionel Sambuc+ if (blstate == NULL)
21*0a6a1f1dSLionel Sambuc+ blstate = blacklist_open();
22*0a6a1f1dSLionel Sambuc+}
23*0a6a1f1dSLionel Sambuc+
24*0a6a1f1dSLionel Sambuc+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
25*0a6a1f1dSLionel Sambuc+
26*0a6a1f1dSLionel Sambuc+void
27*0a6a1f1dSLionel Sambuc+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
28*0a6a1f1dSLionel Sambuc+{
29*0a6a1f1dSLionel Sambuc+ isc_socket_t *socket;
30*0a6a1f1dSLionel Sambuc+
31*0a6a1f1dSLionel Sambuc+ pfilter_open();
32*0a6a1f1dSLionel Sambuc+
33*0a6a1f1dSLionel Sambuc+ if (TCP_CLIENT(client))
34*0a6a1f1dSLionel Sambuc+ socket = client->tcpsocket;
35*0a6a1f1dSLionel Sambuc+ else {
36*0a6a1f1dSLionel Sambuc+ socket = client->udpsocket;
37*0a6a1f1dSLionel Sambuc+ if (!client->peeraddr_valid)
38*0a6a1f1dSLionel Sambuc+ return;
39*0a6a1f1dSLionel Sambuc+ }
40*0a6a1f1dSLionel Sambuc+ if (socket == NULL)
41*0a6a1f1dSLionel Sambuc+ return;
42*0a6a1f1dSLionel Sambuc+ blacklist_sa_r(blstate,
43*0a6a1f1dSLionel Sambuc+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
44*0a6a1f1dSLionel Sambuc+ &client->peeraddr.type.sa,
client->peeraddr.length, msg);
45*0a6a1f1dSLionel Sambuc+}
46*0a6a1f1dSLionel Sambuc--- /dev/null 2015-01-22 01:48:00.000000000 -0500
47*0a6a1f1dSLionel Sambuc+++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
48*0a6a1f1dSLionel Sambuc@@ -0,0 +1,2 @@
49*0a6a1f1dSLionel Sambuc+void pfilter_open(void);
50*0a6a1f1dSLionel Sambuc+void pfilter_notify(isc_result_t, ns_client_t *, const char *);
51*0a6a1f1dSLionel SambucIndex: bin/named/Makefile
52*0a6a1f1dSLionel Sambuc===================================================================
53*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
54*0a6a1f1dSLionel Sambucretrieving revision 1.8
55*0a6a1f1dSLionel Sambucdiff -u -u -r1.8 Makefile
56*0a6a1f1dSLionel Sambuc--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
57*0a6a1f1dSLionel Sambuc+++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000
58*0a6a1f1dSLionel Sambuc@@ -33,7 +33,9 @@
59*0a6a1f1dSLionel Sambuc lwaddr.c lwdclient.c lwderror.c \
60*0a6a1f1dSLionel Sambuc lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
61*0a6a1f1dSLionel Sambuc main.c notify.c query.c server.c sortlist.c statschannel.c \
62*0a6a1f1dSLionel Sambuc- tkeyconf.c tsigconf.c \
63*0a6a1f1dSLionel Sambuc+ pfilter.c tkeyconf.c tsigconf.c \
64*0a6a1f1dSLionel Sambuc update.c xfrout.c zoneconf.c ${SRCS_UNIX}
65*0a6a1f1dSLionel Sambuc 
66*0a6a1f1dSLionel Sambuc+LDADD+=-lblacklist
67*0a6a1f1dSLionel Sambuc+DPADD+=${LIBBLACKLIST}
68*0a6a1f1dSLionel Sambuc .include <bsd.prog.mk>
69*0a6a1f1dSLionel SambucIndex: dist/bin/named/client.c
70*0a6a1f1dSLionel Sambuc===================================================================
71*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
72*0a6a1f1dSLionel Sambucretrieving revision 1.11
73*0a6a1f1dSLionel Sambucdiff -u -u -r1.11 client.c
74*0a6a1f1dSLionel Sambuc--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
75*0a6a1f1dSLionel Sambuc+++ dist/bin/named/client.c
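Review bot: `pfilter_notify` hands `blstate` to `blacklist_sa_r` even when `blacklist_open()` failed, because `pfilter_open` leaves `blstate` NULL on failure and the call at line 42 never re-checks it; unless libblacklist documents a NULL state as accepted, add `if (blstate == NULL) return;` right after the `pfilter_open();` call. That open failure is also silent and is retried on every notification, so a single debug-level log line in `pfilter_open` would let an operator see that blacklistd is unreachable. The discarded return value of `blacklist_sa_r` looks deliberate and deserves a comment, e.g. `/* best effort: a failed report to blacklistd must never affect the query */`. A header comment on `pfilter_notify` should state the contract its callers rely on: `res != ISC_R_SUCCESS` is reported as a failed attempt by the peer, success as a reset, and UDP clients without a valid peer address are skipped while TCP clients are assumed to always carry one.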
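Review bot: `pfilter.h` has no include guard and names `isc_result_t` and `ns_client_t` without including the headers that define them, so it compiles only when the includer has already pulled in the ISC and `<named/types.h>` headers; every hunk below happens to, but the header should stand alone with a guard plus `#include <isc/types.h>` and `#include <named/types.h>`. The third parameter is the operation name blacklistd will see (`"cachedb"`, `"updateacl"`, `"zonexfr"`, ...); a Doxygen comment on the prototype naming that role, and noting that the strings are an external identifier expected to stay stable, would keep future callers consistent.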
23 Jan 2015 21:37:09 -0000
76*0a6a1f1dSLionel Sambuc@@ -65,6 +65,8 @@
77*0a6a1f1dSLionel Sambuc #include <named/server.h>
78*0a6a1f1dSLionel Sambuc #include <named/update.h>
79*0a6a1f1dSLionel Sambuc 
80*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
81*0a6a1f1dSLionel Sambuc+
82*0a6a1f1dSLionel Sambuc /***
83*0a6a1f1dSLionel Sambuc *** Client
84*0a6a1f1dSLionel Sambuc ***/
85*0a6a1f1dSLionel Sambuc@@ -3101,6 +3103,7 @@
86*0a6a1f1dSLionel Sambuc result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
87*0a6a1f1dSLionel Sambuc acl, default_allow);
88*0a6a1f1dSLionel Sambuc 
89*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, opname);
90*0a6a1f1dSLionel Sambuc if (result == ISC_R_SUCCESS)
91*0a6a1f1dSLionel Sambuc ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
92*0a6a1f1dSLionel Sambuc NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
93*0a6a1f1dSLionel SambucIndex: dist/bin/named/main.c
94*0a6a1f1dSLionel Sambuc===================================================================
95*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
96*0a6a1f1dSLionel Sambucretrieving revision 1.15
97*0a6a1f1dSLionel Sambucdiff -u -u -r1.15 main.c
98*0a6a1f1dSLionel Sambuc--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
99*0a6a1f1dSLionel Sambuc+++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000
100*0a6a1f1dSLionel Sambuc@@ -83,6 +83,9 @@
101*0a6a1f1dSLionel Sambuc #ifdef HAVE_LIBXML2
102*0a6a1f1dSLionel Sambuc #include <libxml/xmlversion.h>
103*0a6a1f1dSLionel Sambuc #endif
104*0a6a1f1dSLionel Sambuc+
105*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
106*0a6a1f1dSLionel Sambuc+
107*0a6a1f1dSLionel Sambuc /*
108*0a6a1f1dSLionel Sambuc * Include header files for database drivers here.
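Review bot: `pfilter_notify(result, client, opname)` at line 89 attributes the verdict to `client->peeraddr`, while the check two lines above was made against `sockaddr ? &netaddr : NULL`; for any caller that passes an explicit `sockaddr` other than the peer, a denial would be charged to the wrong address. If every caller passes NULL or the peer address, a comment saying so is enough; otherwise report only the peer-based checks with `if (sockaddr == NULL) pfilter_notify(result, client, opname);`. The enclosing function starts and ends outside the hunk, so its callers cannot be checked from here.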
109*0a6a1f1dSLionel Sambuc */
110*0a6a1f1dSLionel Sambuc@@ -1206,6 +1209,8 @@
111*0a6a1f1dSLionel Sambuc 
112*0a6a1f1dSLionel Sambuc parse_command_line(argc, argv);
113*0a6a1f1dSLionel Sambuc 
114*0a6a1f1dSLionel Sambuc+ pfilter_open();
115*0a6a1f1dSLionel Sambuc+
116*0a6a1f1dSLionel Sambuc /*
117*0a6a1f1dSLionel Sambuc * Warn about common configuration error.
118*0a6a1f1dSLionel Sambuc */
119*0a6a1f1dSLionel SambucIndex: dist/bin/named/query.c
120*0a6a1f1dSLionel Sambuc===================================================================
121*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
122*0a6a1f1dSLionel Sambucretrieving revision 1.17
123*0a6a1f1dSLionel Sambucdiff -u -u -r1.17 query.c
124*0a6a1f1dSLionel Sambuc--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
125*0a6a1f1dSLionel Sambuc+++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000
126*0a6a1f1dSLionel Sambuc@@ -65,6 +65,8 @@
127*0a6a1f1dSLionel Sambuc #include <named/sortlist.h>
128*0a6a1f1dSLionel Sambuc #include <named/xfrout.h>
129*0a6a1f1dSLionel Sambuc 
130*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
131*0a6a1f1dSLionel Sambuc+
132*0a6a1f1dSLionel Sambuc #if 0
133*0a6a1f1dSLionel Sambuc /*
134*0a6a1f1dSLionel Sambuc * It has been recommended that DNS64 be changed to return excluded
135*0a6a1f1dSLionel Sambuc@@ -762,6 +764,8 @@
136*0a6a1f1dSLionel Sambuc }
137*0a6a1f1dSLionel Sambuc 
138*0a6a1f1dSLionel Sambuc result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
139*0a6a1f1dSLionel Sambuc+ if (result != ISC_R_SUCCESS)
140*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, "validatezonedb");
141*0a6a1f1dSLionel Sambuc if ((options & DNS_GETDB_NOLOG) == 0) {
142*0a6a1f1dSLionel Sambuc char msg[NS_CLIENT_ACLMSGSIZE("query")];
143*0a6a1f1dSLionel Sambuc if (result == ISC_R_SUCCESS) {
144*0a6a1f1dSLionel Sambuc@@ -1026,6 +1030,8 @@
145*0a6a1f1dSLionel Sambuc result = ns_client_checkaclsilent(client, NULL,
146*0a6a1f1dSLionel Sambuc 
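Review bot: `pfilter_open()` at line 114 runs immediately after `parse_command_line()`, which is presumably before named's chroot and privilege drop (not visible in the hunk); that placement decides under which uid and in which filesystem view the blacklistd socket path is resolved, and nothing records that the ordering was chosen on purpose. A comment such as `/* Open the blacklistd connection here, before any chroot/privilege drop, so its socket stays reachable. */` would stop a later reordering from silently disabling the feature. The enclosing function starts and ends outside the hunk.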
client->view->cacheacl,
147*0a6a1f1dSLionel Sambuc ISC_TRUE);
148*0a6a1f1dSLionel Sambuc+ if (result == ISC_R_SUCCESS)
149*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, "cachedb");
150*0a6a1f1dSLionel Sambuc if (result == ISC_R_SUCCESS) {
151*0a6a1f1dSLionel Sambuc /*
152*0a6a1f1dSLionel Sambuc * We were allowed by the "allow-query-cache" ACL.
153*0a6a1f1dSLionel SambucIndex: dist/bin/named/update.c
154*0a6a1f1dSLionel Sambuc===================================================================
155*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
156*0a6a1f1dSLionel Sambucretrieving revision 1.9
157*0a6a1f1dSLionel Sambucdiff -u -u -r1.9 update.c
158*0a6a1f1dSLionel Sambuc--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
159*0a6a1f1dSLionel Sambuc+++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000
160*0a6a1f1dSLionel Sambuc@@ -59,6 +59,8 @@
161*0a6a1f1dSLionel Sambuc #include <named/server.h>
162*0a6a1f1dSLionel Sambuc #include <named/update.h>
163*0a6a1f1dSLionel Sambuc 
164*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
165*0a6a1f1dSLionel Sambuc+
166*0a6a1f1dSLionel Sambuc /*! \file
167*0a6a1f1dSLionel Sambuc * \brief
168*0a6a1f1dSLionel Sambuc * This module implements dynamic update as in RFC2136.
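Review bot: the condition at line 148 reports the `"cachedb"` check to blacklistd only when `result == ISC_R_SUCCESS`, so a client denied by allow-query-cache is never reported and each attempt merely resets its counter; this is the opposite of the `"validatezonedb"` hunk at line 139, which reports only failures. One of the two is presumably a typo, and for the cache check the intended line is most likely `if (result != ISC_R_SUCCESS)`; alternatively make both calls unconditional as client.c and xfrout.c do, so successes also clear the peer's count. The enclosing functions start and end outside both hunks.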
169*0a6a1f1dSLionel Sambuc@@ -307,6 +309,7 @@
170*0a6a1f1dSLionel Sambuc 
171*0a6a1f1dSLionel Sambuc result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
172*0a6a1f1dSLionel Sambuc if (result != ISC_R_SUCCESS) {
173*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, "queryacl");
174*0a6a1f1dSLionel Sambuc dns_name_format(zonename, namebuf, sizeof(namebuf));
175*0a6a1f1dSLionel Sambuc dns_rdataclass_format(client->view->rdclass, classbuf,
176*0a6a1f1dSLionel Sambuc sizeof(classbuf));
177*0a6a1f1dSLionel Sambuc@@ -324,6 +327,7 @@
178*0a6a1f1dSLionel Sambuc sizeof(classbuf));
179*0a6a1f1dSLionel Sambuc 
180*0a6a1f1dSLionel Sambuc result = DNS_R_REFUSED;
181*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, "updateacl");
182*0a6a1f1dSLionel Sambuc ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
183*0a6a1f1dSLionel Sambuc NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
184*0a6a1f1dSLionel Sambuc "update '%s/%s' denied", namebuf, classbuf);
185*0a6a1f1dSLionel Sambuc@@ -362,6 +366,7 @@
186*0a6a1f1dSLionel Sambuc msg = "disabled";
187*0a6a1f1dSLionel Sambuc } else {
188*0a6a1f1dSLionel Sambuc result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
189*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, "updateacl");
190*0a6a1f1dSLionel Sambuc if (result == ISC_R_SUCCESS) {
191*0a6a1f1dSLionel Sambuc level = ISC_LOG_DEBUG(3);
192*0a6a1f1dSLionel Sambuc msg = "approved";
193*0a6a1f1dSLionel SambucIndex: dist/bin/named/xfrout.c
194*0a6a1f1dSLionel Sambuc===================================================================
195*0a6a1f1dSLionel SambucRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
196*0a6a1f1dSLionel Sambucretrieving revision 1.7
197*0a6a1f1dSLionel Sambucdiff -u -u -r1.7 xfrout.c
198*0a6a1f1dSLionel Sambuc--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
199*0a6a1f1dSLionel Sambuc+++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000
200*0a6a1f1dSLionel Sambuc@@ -54,6 +54,8 @@
201*0a6a1f1dSLionel Sambuc 
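Review bot: the `pfilter_notify(result, client, "updateacl")` added at line 181 sits in a branch that assigns `result = DNS_R_REFUSED` itself rather than receiving it from `ns_client_checkaclsilent`, which suggests a configuration-level refusal (a zone that accepts no updates) rather than an ACL the client failed; repeated updates from a legitimately misconfigured client, such as automatic dynamic-DNS registrations, would then accumulate as failures and could get that client firewalled off the resolver entirely. If that is the intended policy a comment should say so; if not, drop this call and keep the one at line 189, which follows a real ACL check. The enclosing function starts and ends outside the hunks.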
#include <named/server.h>
202*0a6a1f1dSLionel Sambuc #include <named/xfrout.h>
203*0a6a1f1dSLionel Sambuc 
204*0a6a1f1dSLionel Sambuc+#include "pfilter.h"
205*0a6a1f1dSLionel Sambuc+
206*0a6a1f1dSLionel Sambuc /*! \file
207*0a6a1f1dSLionel Sambuc * \brief
208*0a6a1f1dSLionel Sambuc * Outgoing AXFR and IXFR.
209*0a6a1f1dSLionel Sambuc@@ -822,6 +824,7 @@
210*0a6a1f1dSLionel Sambuc &client->peeraddr,
211*0a6a1f1dSLionel Sambuc &db);
212*0a6a1f1dSLionel Sambuc 
213*0a6a1f1dSLionel Sambuc+ pfilter_notify(result, client, "zonexfr");
214*0a6a1f1dSLionel Sambuc if (result == ISC_R_NOPERM) {
215*0a6a1f1dSLionel Sambuc char _buf1[DNS_NAME_FORMATSIZE];
216*0a6a1f1dSLionel Sambuc char _buf2[DNS_RDATACLASS_FORMATSIZE];
217
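Review bot: `pfilter_notify(result, client, "zonexfr")` at line 213 reports every non-success `result` as a failed attempt, yet the next line treats only `ISC_R_NOPERM` as a denial, so whatever the call above returns for other outcomes (its name is outside the hunk; a not-found or not-implemented result seems likely given the `&db` out-parameter) is counted against the peer as well. Unless those other results are meant to be penalised, report only the permission outcome, `if (result == ISC_R_NOPERM) pfilter_notify(result, client, "zonexfr");`, or map non-NOPERM results to `ISC_R_SUCCESS` before the call if the success reset is wanted. The enclosing function starts and ends outside the hunk.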