
[master] fix geoip asnum matching

3935.	[bug]		"geoip asnum" ACL elements would not match unless
			the full organization name was specified.  They
			can now match against the AS number alone (e.g.,
			AS1234). [RT #36945]
This commit is contained in:
Evan Hunt
2014-08-28 21:40:32 -07:00
parent 9ba4efa4ac
commit 180319f572
11 changed files with 383 additions and 210 deletions


@@ -1,3 +1,8 @@
3935. [bug] "geoip asnum" ACL elements would not match unless
the full organization name was specified. They
can now match against the AS number alone (e.g.,
AS1234). [RT #36945]
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve 3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secret documentation. [RT #36980] sit-secret documentation. [RT #36980]


@@ -40,7 +40,7 @@ controls {
}; };
view one { view one {
match-clients { geoip domain one.de; }; match-clients { geoip asnum "AS100001"; };
zone "example" { zone "example" {
type master; type master;
file "example1.db"; file "example1.db";
@@ -48,7 +48,7 @@ view one {
}; };
view two { view two {
match-clients { geoip domain two.com; }; match-clients { geoip asnum "AS100002"; };
zone "example" { zone "example" {
type master; type master;
file "example2.db"; file "example2.db";
@@ -56,7 +56,7 @@ view two {
}; };
view three { view three {
match-clients { geoip domain three.com; }; match-clients { geoip asnum "AS100003"; };
zone "example" { zone "example" {
type master; type master;
file "example3.db"; file "example3.db";
@@ -64,7 +64,7 @@ view three {
}; };
view four { view four {
match-clients { geoip domain four.com; }; match-clients { geoip asnum "AS100004"; };
zone "example" { zone "example" {
type master; type master;
file "example4.db"; file "example4.db";
@@ -72,7 +72,7 @@ view four {
}; };
view five { view five {
match-clients { geoip domain five.es; }; match-clients { geoip asnum "AS100005"; };
zone "example" { zone "example" {
type master; type master;
file "example5.db"; file "example5.db";
@@ -80,7 +80,7 @@ view five {
}; };
view six { view six {
match-clients { geoip domain six.it; }; match-clients { geoip asnum "AS100006"; };
zone "example" { zone "example" {
type master; type master;
file "example6.db"; file "example6.db";
@@ -88,7 +88,7 @@ view six {
}; };
view seven { view seven {
match-clients { geoip domain seven.org; }; match-clients { geoip asnum "AS100007"; };
zone "example" { zone "example" {
type master; type master;
file "example7.db"; file "example7.db";
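Review bot: All seven `geoip asnum` values in this fixture are the same length (`AS100001` through `AS100007`), so the matcher's guard against a shorter number matching as a prefix of a longer one (the `s[l] == ' '` test in dns_geoip_match, which keeps AS1000 from matching "AS100001 ...") is never exercised. I would add a view ahead of `view one` with `match-clients { geoip asnum "AS10000"; };` and assert in tests.sh that no client lands in it, or at least that clients 1-7 still reach their own views with that view listed first. Whether the test database's ASN strings carry an organization name after the number is not visible here; if they are bare `ASNNNN` strings the full-string strcasecmp handles them and the new prefix path is not covered by this test at all.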


@@ -40,7 +40,7 @@ controls {
}; };
view one { view one {
match-clients { geoip netspeed 0; }; match-clients { geoip domain one.de; };
zone "example" { zone "example" {
type master; type master;
file "example1.db"; file "example1.db";
@@ -48,7 +48,7 @@ view one {
}; };
view two { view two {
match-clients { geoip netspeed 1; }; match-clients { geoip domain two.com; };
zone "example" { zone "example" {
type master; type master;
file "example2.db"; file "example2.db";
@@ -56,7 +56,7 @@ view two {
}; };
view three { view three {
match-clients { geoip netspeed 2; }; match-clients { geoip domain three.com; };
zone "example" { zone "example" {
type master; type master;
file "example3.db"; file "example3.db";
@@ -64,13 +64,37 @@ view three {
}; };
view four { view four {
match-clients { geoip netspeed 3; }; match-clients { geoip domain four.com; };
zone "example" { zone "example" {
type master; type master;
file "example4.db"; file "example4.db";
}; };
}; };
view five {
match-clients { geoip domain five.es; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { geoip domain six.it; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { geoip domain seven.org; };
zone "example" {
type master;
file "example7.db";
};
};
view none { view none {
match-clients { any; }; match-clients { any; };
zone "example" { zone "example" {


@@ -1,5 +1,5 @@
/* /*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC") * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
* *
* Permission to use, copy, modify, and/or distribute this software for any * Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above * purpose with or without fee is hereby granted, provided that the above
@@ -18,10 +18,6 @@
controls { /* empty */ }; controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options { options {
query-source address 10.53.0.2; query-source address 10.53.0.2;
notify-source 10.53.0.2; notify-source 10.53.0.2;
@@ -32,7 +28,6 @@ options {
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion no; recursion no;
geoip-directory "../data"; geoip-directory "../data";
blackhole { blocking; };
}; };
key rndc_key { key rndc_key {
@@ -43,3 +38,43 @@ key rndc_key {
controls { controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
}; };
view one {
match-clients { geoip netspeed 0; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { geoip netspeed 1; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { geoip netspeed 2; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { geoip netspeed 3; };
zone "example" {
type master;
file "example4.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};


@@ -18,6 +18,10 @@
controls { /* empty */ }; controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options { options {
query-source address 10.53.0.2; query-source address 10.53.0.2;
notify-source 10.53.0.2; notify-source 10.53.0.2;
@@ -28,6 +32,7 @@ options {
listen-on-v6 { none; }; listen-on-v6 { none; };
recursion no; recursion no;
geoip-directory "../data"; geoip-directory "../data";
blackhole { blocking; };
}; };
key rndc_key { key rndc_key {
@@ -38,75 +43,3 @@ key rndc_key {
controls { controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
}; };
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};


@@ -0,0 +1,112 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};


@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3 sleep 3
n=`expr $n + 1` n=`expr $n + 1`
echo "I:checking GeoIP domain database ($n)" echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
ret=0 ret=0
lret=0 lret=0
for i in 1 2 3 4 5 6 7; do for i in 1 2 3 4 5 6 7; do
@@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3 sleep 3
n=`expr $n + 1` n=`expr $n + 1`
echo "I:checking GeoIP netspeed database ($n)" echo "I:checking GeoIP domain database ($n)"
ret=0 ret=0
lret=0 lret=0
for i in 1 2 3 4; do for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1 $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'` j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1 [ "$i" = "$j" ] || lret=1
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3 sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database ($n)"
ret=0
lret=0
for i in 1 2 3 4; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1` n=`expr $n + 1`
echo "I:checking GeoIP blackhole ACL ($n)" echo "I:checking GeoIP blackhole ACL ($n)"
ret=0 ret=0
@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
status=`expr $status + $ret` status=`expr $status + $ret`
echo "I:reloading server" echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /' $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3 sleep 3
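Review bot: The new netspeed check is a third verbatim copy of the reload-then-dig loop (counter bump, echo, `for i in ...`, dig, `tr -d '"'`, compare, `status` update), differing only in the label and the view count, so a fix to the loop has to be made three times; I would factor it into a function taking those two values and call it from each place. The fixed `sleep 3` after every `rndc reload` is also a guess at how long the reload takes; if the harness has a way to wait for the reload to complete, that would be less likely to fail on a slow builder, though I cannot see the rest of the script from here. The surrounding checks continue before and after this hunk.

```sh
# check_views LABEL COUNT: query 'example' from 10.53.0.1..COUNT and require
# that each source address is answered by the view whose TXT record echoes it.
check_views() {
	n=`expr $n + 1`
	echo "I:checking GeoIP $1 database ($n)"
	ret=0
	i=1
	while [ $i -le $2 ]; do
		$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || ret=1
		j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
		[ "$i" = "$j" ] || ret=1
		[ $ret -eq 1 ] && break
		i=`expr $i + 1`
	done
	[ $ret -eq 0 ] || echo "I:failed"
	status=`expr $status + $ret`
}

# … unchanged: reload of named11.conf …
check_views "domain" 7
# … unchanged: reload of named12.conf …
check_views "netspeed" 4
```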


@@ -2564,10 +2564,10 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
<command>lwres</command> statement in <filename>named.conf</filename>. <command>lwres</command> statement in <filename>named.conf</filename>.
</para> </para>
<para> <para>
The number of client queries that the <command>lwresd</command> The number of client queries that the <command>lwresd</command>
daemon is able to serve can be set using the daemon is able to serve can be set using the
<option>lwres-tasks</option> and <option>lwres-clients</option> <option>lwres-tasks</option> and <option>lwres-clients</option>
statements in the configuration. statements in the configuration.
</para> </para>
</sect1> </sect1>
</chapter> </chapter>
@@ -3459,17 +3459,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
"isp", "org", "asnum", "domain" and "netspeed". "isp", "org", "asnum", "domain" and "netspeed".
</para> </para>
<para> <para>
<replaceable>value</replaceable> is the value to searched for <replaceable>value</replaceable> is the value to search
within the database. A string may be quoted if it contains for within the database. A string may be quoted if it
spaces or other special characters. If this is a "country" contains spaces or other special characters. If this is
search and the string is two characters long, then it must be a an "asnum" search, then the leading "ASNNNN" string can be
standard ISO-3166-1 two-letter country code, and if it is three used, otherwise the full description must be used (e.g.
characters long then it must be an ISO-3166-1 three-letter "ASNNNN Example Company Name"). If this is a "country"
country code; otherwise it is the full name of the country. search and the string is two characters long, then it must
Similarly, if this is a "region" search and the string is be a standard ISO-3166-1 two-letter country code, and if it
two characters long, then it must be a standard two-letter state is three characters long then it must be an ISO-3166-1
or province abbreviation; otherwise it is the full name of the three-letter country code; otherwise it is the full name
state or province. of the country. Similarly, if this is a "region" search
and the string is two characters long, then it must be a
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.
</para> </para>
<para> <para>
The <replaceable>database</replaceable> field indicates which The <replaceable>database</replaceable> field indicates which
@@ -4718,32 +4721,32 @@ badresp:1,adberr:0,findfail:0,valfail:0]
minimum minimum
number of dots in a relative domain name that should result in an number of dots in a relative domain name that should result in an
exact match lookup before search path elements are appended. exact match lookup before search path elements are appended.
</para> </para>
<para> <para>
The <option>lwres-tasks</option> statement specifies the number The <option>lwres-tasks</option> statement specifies the number
of worker threads the lightweight resolver will dedicate to serving of worker threads the lightweight resolver will dedicate to serving
clients. By default the number is the same as the number of CPUs on clients. By default the number is the same as the number of CPUs on
the system; this can be overridden using the <option>-n</option> the system; this can be overridden using the <option>-n</option>
command line option when starting the server. command line option when starting the server.
</para> </para>
<para> <para>
The <option>lwres-clients</option> specifies The <option>lwres-clients</option> specifies
the number of client objects per thread the lightweight the number of client objects per thread the lightweight
resolver should create to serve client queries. resolver should create to serve client queries.
By default, if the lightweight resolver runs as a part By default, if the lightweight resolver runs as a part
of <command>named</command>, 256 client objects are of <command>named</command>, 256 client objects are
created for each task; if it runs as <command>lwresd</command>, created for each task; if it runs as <command>lwresd</command>,
1024 client objects are created for each thread. The maximum 1024 client objects are created for each thread. The maximum
value is 32768; higher values will be silently ignored and value is 32768; higher values will be silently ignored and
the maximum will be used instead. the maximum will be used instead.
Note that setting too high a value may overconsume Note that setting too high a value may overconsume
system resources. system resources.
</para> </para>
<para> <para>
The maximum number of client queries that the lightweight The maximum number of client queries that the lightweight
resolver can handle at any one time equals resolver can handle at any one time equals
<option>lwres-tasks</option> times <option>lwres-clients</option>. <option>lwres-tasks</option> times <option>lwres-clients</option>.
</para> </para>
</sect2> </sect2>
<sect2> <sect2>
<title><command>masters</command> Statement Grammar</title> <title><command>masters</command> Statement Grammar</title>
@@ -5793,7 +5796,7 @@ options {
For convenience, TTL-style time unit suffixes can be For convenience, TTL-style time unit suffixes can be
used to specify the NTA lifetime in seconds, minutes used to specify the NTA lifetime in seconds, minutes
or hours. <option>nta-lifetime</option> defaults to or hours. <option>nta-lifetime</option> defaults to
one hour. It cannot exceed one day. one hour. It cannot exceed one day.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -5802,31 +5805,31 @@ options {
<term><command>nta-recheck</command></term> <term><command>nta-recheck</command></term>
<listitem> <listitem>
<para> <para>
Species how often to check whether negative Species how often to check whether negative
trust anchors added via <command>rndc nta</command> trust anchors added via <command>rndc nta</command>
are still necessary. are still necessary.
</para> </para>
<para> <para>
A negative trust anchor is normally used when a A negative trust anchor is normally used when a
domain has stopped validating due to operator error; domain has stopped validating due to operator error;
it temporarily disables DNSSEC validation for that it temporarily disables DNSSEC validation for that
domain. In the interest of ensuring that DNSSEC domain. In the interest of ensuring that DNSSEC
validation is turned back on as soon as possible, validation is turned back on as soon as possible,
<command>named</command> will periodically send a <command>named</command> will periodically send a
query to the domain, ignoring negative trust anchors, query to the domain, ignoring negative trust anchors,
to find out whether it can now be validated. If so, to find out whether it can now be validated. If so,
the negative trust anchor is allowed to expire early. the negative trust anchor is allowed to expire early.
</para> </para>
<para> <para>
Validity checks can be disabled for an individual Validity checks can be disabled for an individual
NTA by using <command>rndc nta -f</command>, or NTA by using <command>rndc nta -f</command>, or
for all NTA's by setting <option>nta-recheck</option> for all NTA's by setting <option>nta-recheck</option>
to zero. to zero.
</para> </para>
<para> <para>
For convenience, TTL-style time unit suffixes can be For convenience, TTL-style time unit suffixes can be
used to specify the NTA recheck interval in seconds, used to specify the NTA recheck interval in seconds,
minutes or hours. The default is five minutes. minutes or hours. The default is five minutes.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -9020,24 +9023,24 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
<varlistentry> <varlistentry>
<term><command>masterfile-style</command></term> <term><command>masterfile-style</command></term>
<listitem> <listitem>
<para> <para>
Specifies the formatting of zone files during dump Specifies the formatting of zone files during dump
when the <option>masterfile-format</option> is when the <option>masterfile-format</option> is
<constant>text</constant>. (This option is ignored <constant>text</constant>. (This option is ignored
with any other <option>masterfile-format</option>.) with any other <option>masterfile-format</option>.)
</para> </para>
<para> <para>
When set to <constant>relative</constant>, When set to <constant>relative</constant>,
records are printed in a multi-line format with owner records are printed in a multi-line format with owner
names expressed relative to a shared origin. When set names expressed relative to a shared origin. When set
to <constant>full</constant>, records are printed in to <constant>full</constant>, records are printed in
a single-line format with absolute owner names. a single-line format with absolute owner names.
The <constant>full</constant> format is most suitable The <constant>full</constant> format is most suitable
when a zone file needs to be processed automatically when a zone file needs to be processed automatically
by a script. The <constant>relative</constant> format by a script. The <constant>relative</constant> format
is more human-readable, and is thus suitable when a is more human-readable, and is thus suitable when a
zone is to be edited by hand. The default is zone is to be edited by hand. The default is
<constant>relative</constant>. <constant>relative</constant>.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -9050,8 +9053,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
initial value (minimum) and maximum number of recursive initial value (minimum) and maximum number of recursive
simultaneous clients for any given query simultaneous clients for any given query
(&lt;qname,qtype,qclass&gt;) that the server will accept (&lt;qname,qtype,qclass&gt;) that the server will accept
before dropping additional clients. before dropping additional clients.
<command>named</command> will attempt to <command>named</command> will attempt to
self tune this value and changes will be logged. The self tune this value and changes will be logged. The
default values are 10 and 100. default values are 10 and 100.
</para> </para>
@@ -10564,15 +10567,15 @@ rate-limit {
<para> <para>
The <command>request-expire</command> clause determines The <command>request-expire</command> clause determines
whether the local server, when acting as a slave, will whether the local server, when acting as a slave, will
request the EDNS EXPIRE value. The EDNS EXPIRE value request the EDNS EXPIRE value. The EDNS EXPIRE value
indicates the remaining time before the zone data will indicates the remaining time before the zone data will
expire and need to be be refreshed. This is used expire and need to be be refreshed. This is used
when a secondary server transfers a zone from another when a secondary server transfers a zone from another
secondary server; when transferring from the primary, the secondary server; when transferring from the primary, the
expiration timer is set from the EXPIRE field of the SOA expiration timer is set from the EXPIRE field of the SOA
record instead. record instead.
The default is <command>yes</command>. The default is <command>yes</command>.
</para> </para>
<para> <para>
@@ -12459,11 +12462,11 @@ example.com. NS ns2.example.net.
<para> <para>
When set to When set to
<command>serial-update-method date;</command>, the <command>serial-update-method date;</command>, the
new SOA serial number will be the current date new SOA serial number will be the current date
in the form "YYYYMMDD", followed by two zeroes, in the form "YYYYMMDD", followed by two zeroes,
unless the existing serial number is already greater unless the existing serial number is already greater
than or equal to that value, in which case it is than or equal to that value, in which case it is
incremented by one. incremented by one.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
return (ISC_FALSE); return (ISC_FALSE);
s = name_lookup(db, subtype, ipnum); s = name_lookup(db, subtype, ipnum);
if (s != NULL && strcasecmp(elt->as_string, s) == 0) if (s != NULL) {
return (ISC_TRUE); size_t l;
if (strcasecmp(elt->as_string, s) == 0)
return (ISC_TRUE);
if (subtype != dns_geoip_as_asnum)
break;
/*
* Just check if the ASNNNN value matches.
*/
l = strlen(elt->as_string);
if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
strncasecmp(elt->as_string, s, l) == 0 &&
s[l] == ' ')
return (ISC_TRUE);
}
break; break;
case dns_geoip_netspeed_id: case dns_geoip_netspeed_id:
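Review bot: The prefix match that ends in the `s[l] == ' '` test depends on an assumption about how the ASN database formats its strings, and the comment `Just check if the ASNNNN value matches.` does not record it; I would replace that comment with `/* GeoIP ASN strings are "ASNNNN Organization Name". If the ACL value has no spaces, accept a match on the leading ASNNNN token alone; the s[l] == ' ' test keeps "AS1" from matching "AS1234 ...". */`. A database entry that is a bare `ASNNNN` with no organization is already handled by the strcasecmp above, so requiring the space here is correct and worth saying. The `break` under `if (subtype != dns_geoip_as_asnum)` leaves the enclosing switch rather than the if, which is the intent but easy to misread; a trailing `/* leave switch */` would help. dns_geoip_match begins before this hunk.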


@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
const char *stype, *search; const char *stype, *search;
dns_geoip_subtype_t subtype; dns_geoip_subtype_t subtype;
dns_aclelement_t de; dns_aclelement_t de;
size_t len;
REQUIRE(dep != NULL); REQUIRE(dep != NULL);
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype")); stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
search = cfg_obj_asstring(cfg_tuple_get(obj, "search")); search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
len = strlen(search);
if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) { if (len == 0) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"zero-length geoip search field");
return (ISC_R_FAILURE);
}
if (strcasecmp(stype, "country") == 0 && len == 2) {
/* Two-letter country code */ /* Two-letter country code */
subtype = dns_geoip_countrycode; subtype = dns_geoip_countrycode;
strncpy(de.geoip_elem.as_string, search, 2); strlcpy(de.geoip_elem.as_string, search,
} else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) { sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "country") == 0 && len == 3) {
/* Three-letter country code */ /* Three-letter country code */
subtype = dns_geoip_countrycode3; subtype = dns_geoip_countrycode3;
strncpy(de.geoip_elem.as_string, search, 3); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "country") == 0) { } else if (strcasecmp(stype, "country") == 0) {
/* Country name */ /* Country name */
subtype = dns_geoip_countryname; subtype = dns_geoip_countryname;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
} else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) { sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "region") == 0 && len == 2) {
/* Two-letter region code */ /* Two-letter region code */
subtype = dns_geoip_region; subtype = dns_geoip_region;
strncpy(de.geoip_elem.as_string, search, 2); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "region") == 0) { } else if (strcasecmp(stype, "region") == 0) {
/* Region name */ /* Region name */
subtype = dns_geoip_regionname; subtype = dns_geoip_regionname;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "city") == 0) { } else if (strcasecmp(stype, "city") == 0) {
/* City name */ /* City name */
subtype = dns_geoip_city_name; subtype = dns_geoip_city_name;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
} else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) { sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "postal") == 0 && len < 7) {
subtype = dns_geoip_city_postalcode; subtype = dns_geoip_city_postalcode;
strncpy(de.geoip_elem.as_string, search, 6); strlcpy(de.geoip_elem.as_string, search,
de.geoip_elem.as_string[6] = '\0'; sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "postal") == 0) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"geoiop postal code (%s) too long", search);
return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "metro") == 0) { } else if (strcasecmp(stype, "metro") == 0) {
subtype = dns_geoip_city_metrocode; subtype = dns_geoip_city_metrocode;
de.geoip_elem.as_int = atoi(search); de.geoip_elem.as_int = atoi(search);
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
de.geoip_elem.as_int = atoi(search); de.geoip_elem.as_int = atoi(search);
} else if (strcasecmp(stype, "tz") == 0) { } else if (strcasecmp(stype, "tz") == 0) {
subtype = dns_geoip_city_timezonecode; subtype = dns_geoip_city_timezonecode;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
} else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) { sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "continent") == 0 && len == 2) {
/* Two-letter continent code */ /* Two-letter continent code */
subtype = dns_geoip_city_continentcode; subtype = dns_geoip_city_continentcode;
strncpy(de.geoip_elem.as_string, search, 2); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "continent") == 0) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"geoiop continent code (%s) too long", search);
return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "isp") == 0) { } else if (strcasecmp(stype, "isp") == 0) {
subtype = dns_geoip_isp_name; subtype = dns_geoip_isp_name;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "asnum") == 0) { } else if (strcasecmp(stype, "asnum") == 0) {
subtype = dns_geoip_as_asnum; subtype = dns_geoip_as_asnum;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "org") == 0) { } else if (strcasecmp(stype, "org") == 0) {
subtype = dns_geoip_org_name; subtype = dns_geoip_org_name;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "domain") == 0) { } else if (strcasecmp(stype, "domain") == 0) {
subtype = dns_geoip_domain_name; subtype = dns_geoip_domain_name;
strncpy(de.geoip_elem.as_string, search, 255); strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "netspeed") == 0) { } else if (strcasecmp(stype, "netspeed") == 0) {
subtype = dns_geoip_netspeed_id; subtype = dns_geoip_netspeed_id;
de.geoip_elem.as_int = atoi(search); de.geoip_elem.as_int = atoi(search);
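Review bot: Each `strlcpy(de.geoip_elem.as_string, search, sizeof(de.geoip_elem.as_string))` in this hunk silently truncates a value longer than the buffer, so an over-long `country`, `region`, `city`, `tz`, `isp`, `asnum`, `org` or `domain` string becomes an ACL element that can never match the database; in a `blackhole` or other deny list that means the rule silently stops applying, which is worse than the hard error the new `postal` and `continent` branches raise. strlcpy returns the length it tried to copy, so compare it against the buffer size and fail like those branches do; since the copy is repeated in nine branches I would move it into a helper, as below. The two new error messages also misspell the keyword as `geoiop`; they should read `"geoip postal code (%s) too long"` and `"geoip continent code (%s) too long"`, since operators grep logs for the keyword. The buffer size itself is not visible here (the old code copied at most 255 bytes), so the threshold is presumably 256. parse_geoip_element begins before and continues after this hunk.

```c
/*
 * Copy 'search' into the element's string field, rejecting a value that
 * would be truncated: a truncated element could never match the database.
 */
static isc_result_t
copy_search(const cfg_obj_t *obj, isc_log_t *lctx, dns_aclelement_t *de,
	    const char *search)
{
	if (strlcpy(de->geoip_elem.as_string, search,
		    sizeof(de->geoip_elem.as_string)) >=
	    sizeof(de->geoip_elem.as_string))
	{
		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
			    "geoip search string (%s) too long", search);
		return (ISC_R_FAILURE);
	}
	return (ISC_R_SUCCESS);
}

	/* … in parse_geoip_element, each string-valued branch becomes: */
	} else if (strcasecmp(stype, "country") == 0) {
		/* Country name */
		subtype = dns_geoip_countryname;
		if (copy_search(obj, lctx, &de, search) != ISC_R_SUCCESS)
			return (ISC_R_FAILURE);
	/* … unchanged: remaining branches … */
```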


@@ -1313,10 +1313,11 @@
./bin/tests/system/geoip/geoip.c C 2013 ./bin/tests/system/geoip/geoip.c C 2013
./bin/tests/system/geoip/ns2/example.db.in ZONE 2013 ./bin/tests/system/geoip/ns2/example.db.in ZONE 2013
./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named10.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named12.conf CONF-C 2014 ./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014 ./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013 ./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013