1df83713dSchristos--- /dev/null 2015-01-22 01:48:00.000000000 -0500
2df83713dSchristos+++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
3df83713dSchristos@@ -0,0 +1,42 @@
4df83713dSchristos+#include <config.h>
5df83713dSchristos+
6df83713dSchristos+#include <isc/platform.h>
7df83713dSchristos+#include <isc/util.h>
8df83713dSchristos+#include <named/types.h>
9df83713dSchristos+#include <named/client.h>
10df83713dSchristos+
11df83713dSchristos+#include <blocklist.h>
12df83713dSchristos+
13df83713dSchristos+#include "pfilter.h"
14df83713dSchristos+
15df83713dSchristos+static struct blocklist *blstate;
16df83713dSchristos+
17df83713dSchristos+void
18df83713dSchristos+pfilter_open(void)
19df83713dSchristos+{
20df83713dSchristos+ if (blstate == NULL)
21df83713dSchristos+ blstate = blocklist_open();
22df83713dSchristos+}
23df83713dSchristos+
24df83713dSchristos+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
25df83713dSchristos+
26df83713dSchristos+void
27df83713dSchristos+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
28df83713dSchristos+{
29df83713dSchristos+ isc_socket_t *socket;
30df83713dSchristos+
31df83713dSchristos+ pfilter_open();
32df83713dSchristos+
33df83713dSchristos+ if (TCP_CLIENT(client))
34df83713dSchristos+ socket = client->tcpsocket;
35df83713dSchristos+ else {
36df83713dSchristos+ socket = client->udpsocket;
37df83713dSchristos+ if (!client->peeraddr_valid)
38df83713dSchristos+ return;
39df83713dSchristos+ }
40df83713dSchristos+ if (socket == NULL)
41df83713dSchristos+ return;
42df83713dSchristos+ blocklist_sa_r(blstate,
43df83713dSchristos+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
44df83713dSchristos+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
45df83713dSchristos+}
46df83713dSchristos--- /dev/null 2015-01-22 01:48:00.000000000 -0500
47df83713dSchristos+++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
48df83713dSchristos@@ -0,0 +1,2 @@
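Review bot: `blstate` is handed to `blocklist_sa_r` at line 42 even when `blocklist_open()` at line 21 returned NULL, and because `pfilter_notify` re-runs `pfilter_open()` on every call the NULL case is retried from whatever thread performs an ACL check; if the filter daemon was unreachable at startup and named's worker threads later reach `pfilter_notify` concurrently, two threads can both observe NULL and each call `blocklist_open()`, leaking one handle. Unless libblocklist is documented to accept a NULL handle, add `if (blstate == NULL) return;` right after the `pfilter_open();` call in `pfilter_notify`, and either serialise the open or perform it only once from `main` (where the commit already calls it) so the static is not written from several threads. A second, smaller point: the TCP branch uses `client->peeraddr` without the `peeraddr_valid` check the UDP branch has; if a TCP client can reach this with the peer address unset, hoisting the check above `if (TCP_CLIENT(client))` covers both paths at no cost.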
49df83713dSchristos+void pfilter_open(void);
50df83713dSchristos+void pfilter_notify(isc_result_t, ns_client_t *, const char *);
51df83713dSchristosIndex: bin/named/Makefile
52df83713dSchristos===================================================================
53df83713dSchristosRCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
54df83713dSchristosretrieving revision 1.8
55df83713dSchristosdiff -u -u -r1.8 Makefile
56df83713dSchristos--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
57df83713dSchristos+++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000
58df83713dSchristos@@ -33,7 +33,9 @@
59df83713dSchristos lwaddr.c lwdclient.c lwderror.c \
60df83713dSchristos lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
61df83713dSchristos main.c notify.c query.c server.c sortlist.c statschannel.c \
62df83713dSchristos- tkeyconf.c tsigconf.c \
63df83713dSchristos+ pfilter.c tkeyconf.c tsigconf.c \
64df83713dSchristos update.c xfrout.c zoneconf.c ${SRCS_UNIX}
65df83713dSchristos
66df83713dSchristos+LDADD+=-lblocklist
67*a51582d4Schristos+DPADD+=${LIBBLOCKLIST}
68df83713dSchristos .include <bsd.prog.mk>
69df83713dSchristosIndex: dist/bin/named/client.c
70df83713dSchristos===================================================================
71df83713dSchristosRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
72df83713dSchristosretrieving revision 1.11
73df83713dSchristosdiff -u -u -r1.11 client.c
74df83713dSchristos--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
75df83713dSchristos+++ dist/bin/named/client.c 23 Jan 2015 21:37:09 -0000
76df83713dSchristos@@ -65,6 +65,8 @@
77df83713dSchristos #include <named/server.h>
78df83713dSchristos #include <named/update.h>
79df83713dSchristos
80df83713dSchristos+#include "pfilter.h"
81df83713dSchristos+
82df83713dSchristos /***
83df83713dSchristos *** Client
84df83713dSchristos ***/
85df83713dSchristos@@ -3101,6 +3103,7 @@
86df83713dSchristos result = ns_client_checkaclsilent(client,
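Review bot: The new pfilter.h has no include guard and names `isc_result_t` and `ns_client_t` without including anything that defines them, so it compiles only when the includer has already pulled in the ISC and named type headers (every include site in this patch happens to, but the header is not self-contained). Wrap it in a guard such as `#ifndef NAMED_PFILTER_H` / `#define NAMED_PFILTER_H` … `#endif`, include `<isc/types.h>` and `<named/types.h>` (the latter is what pfilter.c itself relies on), and give the prototype its parameter names so it matches the definition: `void pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg);`.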
sockaddr ? &netaddr : NULL,
87df83713dSchristos acl, default_allow);
88df83713dSchristos
89df83713dSchristos+ pfilter_notify(result, client, opname);
90df83713dSchristos if (result == ISC_R_SUCCESS)
91df83713dSchristos ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
92df83713dSchristos NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
93df83713dSchristosIndex: dist/bin/named/main.c
94df83713dSchristos===================================================================
95df83713dSchristosRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
96df83713dSchristosretrieving revision 1.15
97df83713dSchristosdiff -u -u -r1.15 main.c
98df83713dSchristos--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
99df83713dSchristos+++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000
100df83713dSchristos@@ -83,6 +83,9 @@
101df83713dSchristos #ifdef HAVE_LIBXML2
102df83713dSchristos #include <libxml/xmlversion.h>
103df83713dSchristos #endif
104df83713dSchristos+
105df83713dSchristos+#include "pfilter.h"
106df83713dSchristos+
107df83713dSchristos /*
108df83713dSchristos * Include header files for database drivers here.
109df83713dSchristos */
110df83713dSchristos@@ -1206,6 +1209,8 @@
111df83713dSchristos
112df83713dSchristos parse_command_line(argc, argv);
113df83713dSchristos
114df83713dSchristos+ pfilter_open();
115df83713dSchristos+
116df83713dSchristos /*
117df83713dSchristos * Warn about common configuration error.
118df83713dSchristos */
119df83713dSchristosIndex: dist/bin/named/query.c
120df83713dSchristos===================================================================
121df83713dSchristosRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
122df83713dSchristosretrieving revision 1.17
123df83713dSchristosdiff -u -u -r1.17 query.c
124df83713dSchristos--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
125df83713dSchristos+++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000
126df83713dSchristos@@ -65,6 +65,8 @@
127df83713dSchristos #include <named/sortlist.h>
128df83713dSchristos #include <named/xfrout.h>
129df83713dSchristos
130df83713dSchristos+#include "pfilter.h"
131df83713dSchristos+
132df83713dSchristos #if 0
133df83713dSchristos /*
134df83713dSchristos * It has been recommended that DNS64 be changed to return excluded
135df83713dSchristos@@ -762,6 +764,8 @@
136df83713dSchristos }
137df83713dSchristos
138df83713dSchristos result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
139df83713dSchristos+ if (result != ISC_R_SUCCESS)
140df83713dSchristos+ pfilter_notify(result, client, "validatezonedb");
141df83713dSchristos if ((options & DNS_GETDB_NOLOG) == 0) {
142df83713dSchristos char msg[NS_CLIENT_ACLMSGSIZE("query")];
143df83713dSchristos if (result == ISC_R_SUCCESS) {
144df83713dSchristos@@ -1026,6 +1030,8 @@
145df83713dSchristos result = ns_client_checkaclsilent(client, NULL,
146df83713dSchristos client->view->cacheacl,
147df83713dSchristos ISC_TRUE);
148df83713dSchristos+ if (result == ISC_R_SUCCESS)
149df83713dSchristos+ pfilter_notify(result, client, "cachedb");
150df83713dSchristos if (result == ISC_R_SUCCESS) {
151df83713dSchristos /*
152df83713dSchristos * We were allowed by the "allow-query-cache" ACL.
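Review bot: The two query.c hunks report the ACL result under opposite conditions: the `@@ -762` hunk calls `pfilter_notify` only when `result != ISC_R_SUCCESS`, while the `@@ -1026` hunk calls it only when `result == ISC_R_SUCCESS`, so a denial by the cache ACL is never reported to the filter and every permitted cache query is. Since `pfilter_notify` derives the action from `res != ISC_R_SUCCESS`, the second guard makes the `"cachedb"` call report nothing but successes, which reads as an inverted condition rather than a deliberate asymmetry; change it to `if (result != ISC_R_SUCCESS) pfilter_notify(result, client, "cachedb");` to match the `@@ -762` hunk, or drop the guard altogether as the client.c, update.c and xfrout.c call sites in this patch do. Both enclosing functions start outside their hunks.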
153df83713dSchristosIndex: dist/bin/named/update.c
154df83713dSchristos===================================================================
155df83713dSchristosRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
156df83713dSchristosretrieving revision 1.9
157df83713dSchristosdiff -u -u -r1.9 update.c
158df83713dSchristos--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
159df83713dSchristos+++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000
160df83713dSchristos@@ -59,6 +59,8 @@
161df83713dSchristos #include <named/server.h>
162df83713dSchristos #include <named/update.h>
163df83713dSchristos
164df83713dSchristos+#include "pfilter.h"
165df83713dSchristos+
166df83713dSchristos /*! \file
167df83713dSchristos * \brief
168df83713dSchristos * This module implements dynamic update as in RFC2136.
169df83713dSchristos@@ -307,6 +309,7 @@
170df83713dSchristos
171df83713dSchristos result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
172df83713dSchristos if (result != ISC_R_SUCCESS) {
173df83713dSchristos+ pfilter_notify(result, client, "queryacl");
174df83713dSchristos dns_name_format(zonename, namebuf, sizeof(namebuf));
175df83713dSchristos dns_rdataclass_format(client->view->rdclass, classbuf,
176df83713dSchristos sizeof(classbuf));
177df83713dSchristos@@ -324,6 +327,7 @@
178df83713dSchristos sizeof(classbuf));
179df83713dSchristos
180df83713dSchristos result = DNS_R_REFUSED;
181df83713dSchristos+ pfilter_notify(result, client, "updateacl");
182df83713dSchristos ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
183df83713dSchristos NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
184df83713dSchristos "update '%s/%s' denied", namebuf, classbuf);
185df83713dSchristos@@ -362,6 +366,7 @@
186df83713dSchristos msg = "disabled";
187df83713dSchristos } else {
188df83713dSchristos result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
189df83713dSchristos+ pfilter_notify(result, client, "updateacl");
190df83713dSchristos if (result ==
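Review bot: The `@@ -324` hunk reports a branch where `result` is hard-set to `DNS_R_REFUSED` (line 180) under the same `"updateacl"` tag that the `@@ -362` hunk uses after an actual `ns_client_checkaclsilent` evaluation, so the filter daemon's logs cannot distinguish a zone that refuses every update from a client that failed a configured ACL. Because the constant makes the call an unconditional failure event for the peer, any otherwise legitimate updater that targets such a zone accumulates failures exactly like a hostile one; a distinct tag, e.g. `pfilter_notify(result, client, "updaterefused");`, keeps the two reasons apart, and a one-line comment stating that this is intended would help if it is. The enclosing blocks of both hunks start outside the hunks.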
ISC_R_SUCCESS) {
191df83713dSchristos level = ISC_LOG_DEBUG(3);
192df83713dSchristos msg = "approved";
193df83713dSchristosIndex: dist/bin/named/xfrout.c
194df83713dSchristos===================================================================
195df83713dSchristosRCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
196df83713dSchristosretrieving revision 1.7
197df83713dSchristosdiff -u -u -r1.7 xfrout.c
198df83713dSchristos--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
199df83713dSchristos+++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000
200df83713dSchristos@@ -54,6 +54,8 @@
201df83713dSchristos #include <named/server.h>
202df83713dSchristos #include <named/xfrout.h>
203df83713dSchristos
204df83713dSchristos+#include "pfilter.h"
205df83713dSchristos+
206df83713dSchristos /*! \file
207df83713dSchristos * \brief
208df83713dSchristos * Outgoing AXFR and IXFR.
209df83713dSchristos@@ -822,6 +824,7 @@
210df83713dSchristos &client->peeraddr,
211df83713dSchristos &db);
212df83713dSchristos
213df83713dSchristos+ pfilter_notify(result, client, "zonexfr");
214df83713dSchristos if (result == ISC_R_NOPERM) {
215df83713dSchristos char _buf1[DNS_NAME_FORMATSIZE];
216df83713dSchristos char _buf2[DNS_RDATACLASS_FORMATSIZE];
217
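Review bot: The `pfilter_notify(result, client, "zonexfr")` added at line 213 reports every non-success value of `result` from the call that ends at `&db);`, yet the very next context line singles out `ISC_R_NOPERM`, which suggests that call has other failure outcomes that are not an access denial by this peer; `pfilter_notify` maps any `res != ISC_R_SUCCESS` to a failure event, so such outcomes would be counted against the requester. If the call (which starts outside the hunk) can fail for reasons unrelated to the client, limit the report to the outcomes that reflect the client, `if (result == ISC_R_SUCCESS || result == ISC_R_NOPERM) pfilter_notify(result, client, "zonexfr");`, or move the notify into the `ISC_R_NOPERM` branch. The enclosing function starts and ends outside the hunk.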