
[master] fix geoip asnum matching

3935.	[bug]		"geoip asnum" ACL elements would not match unless
			the full organization name was specified.  They
			can now match against the AS number alone (e.g.,
			AS1234). [RT #36945]
This commit is contained in:
Evan Hunt
2014-08-28 21:40:32 -07:00
parent 9ba4efa4ac
commit 180319f572
11 changed files with 383 additions and 210 deletions


@@ -1,3 +1,8 @@
3935. [bug] "geoip asnum" ACL elements would not match unless
the full organization name was specified. They
can now match against the AS number alone (e.g.,
AS1234). [RT #36945]
3934. [bug] Catch bad 'sit-secret' in named-checkconf. Improve
sit-secret documentation. [RT #36980]


@@ -40,7 +40,7 @@ controls {
};
view one {
match-clients { geoip domain one.de; };
match-clients { geoip asnum "AS100001"; };
zone "example" {
type master;
file "example1.db";
@@ -48,7 +48,7 @@ view one {
};
view two {
match-clients { geoip domain two.com; };
match-clients { geoip asnum "AS100002"; };
zone "example" {
type master;
file "example2.db";
@@ -56,7 +56,7 @@ view two {
};
view three {
match-clients { geoip domain three.com; };
match-clients { geoip asnum "AS100003"; };
zone "example" {
type master;
file "example3.db";
@@ -64,7 +64,7 @@ view three {
};
view four {
match-clients { geoip domain four.com; };
match-clients { geoip asnum "AS100004"; };
zone "example" {
type master;
file "example4.db";
@@ -72,7 +72,7 @@ view four {
};
view five {
match-clients { geoip domain five.es; };
match-clients { geoip asnum "AS100005"; };
zone "example" {
type master;
file "example5.db";
@@ -80,7 +80,7 @@ view five {
};
view six {
match-clients { geoip domain six.it; };
match-clients { geoip asnum "AS100006"; };
zone "example" {
type master;
file "example6.db";
@@ -88,7 +88,7 @@ view six {
};
view seven {
match-clients { geoip domain seven.org; };
match-clients { geoip asnum "AS100007"; };
zone "example" {
type master;
file "example7.db";


@@ -40,7 +40,7 @@ controls {
};
view one {
match-clients { geoip netspeed 0; };
match-clients { geoip domain one.de; };
zone "example" {
type master;
file "example1.db";
@@ -48,7 +48,7 @@ view one {
};
view two {
match-clients { geoip netspeed 1; };
match-clients { geoip domain two.com; };
zone "example" {
type master;
file "example2.db";
@@ -56,7 +56,7 @@ view two {
};
view three {
match-clients { geoip netspeed 2; };
match-clients { geoip domain three.com; };
zone "example" {
type master;
file "example3.db";
@@ -64,13 +64,37 @@ view three {
};
view four {
match-clients { geoip netspeed 3; };
match-clients { geoip domain four.com; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { geoip domain five.es; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { geoip domain six.it; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { geoip domain seven.org; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {


@@ -1,5 +1,5 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
* Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,10 +18,6 @@
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@@ -32,7 +28,6 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
@@ -43,3 +38,43 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
view one {
match-clients { geoip netspeed 0; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { geoip netspeed 1; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { geoip netspeed 2; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { geoip netspeed 3; };
zone "example" {
type master;
file "example4.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};


@@ -18,6 +18,10 @@
controls { /* empty */ };
acl blocking {
geoip db country country AU;
};
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
@@ -28,6 +32,7 @@ options {
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
blackhole { blocking; };
};
key rndc_key {
@@ -38,75 +43,3 @@ key rndc_key {
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};


@@ -0,0 +1,112 @@
/*
* Copyright (C) 2014 Internet Systems Consortium, Inc. ("ISC")
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
* PERFORMANCE OF THIS SOFTWARE.
*/
// NS2
controls { /* empty */ };
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port 5300;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
recursion no;
geoip-directory "../data";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
};
acl gAU { geoip db country country AU; };
acl gUS { geoip db country country US; };
acl gGB { geoip db country country GB; };
acl gCA { geoip db country country CA; };
acl gCL { geoip db country country CL; };
acl gDE { geoip db country country DE; };
acl gEH { geoip db country country EH; };
view one {
match-clients { gAU; };
zone "example" {
type master;
file "example1.db";
};
};
view two {
match-clients { gUS; };
zone "example" {
type master;
file "example2.db";
};
};
view three {
match-clients { gGB; };
zone "example" {
type master;
file "example3.db";
};
};
view four {
match-clients { gCA; };
zone "example" {
type master;
file "example4.db";
};
};
view five {
match-clients { gCL; };
zone "example" {
type master;
file "example5.db";
};
};
view six {
match-clients { gDE; };
zone "example" {
type master;
file "example6.db";
};
};
view seven {
match-clients { gEH; };
zone "example" {
type master;
file "example7.db";
};
};
view none {
match-clients { any; };
zone "example" {
type master;
file "example.db.in";
};
};


@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP domain database ($n)"
echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
ret=0
lret=0
for i in 1 2 3 4 5 6 7; do
@@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database ($n)"
echo "I:checking GeoIP domain database ($n)"
ret=0
lret=0
for i in 1 2 3 4; do
for i in 1 2 3 4 5 6 7; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database ($n)"
ret=0
lret=0
for i in 1 2 3 4; do
$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
[ "$i" = "$j" ] || lret=1
[ $lret -eq 1 ] && break
done
[ $lret -eq 1 ] && ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
n=`expr $n + 1`
echo "I:checking GeoIP blackhole ACL ($n)"
ret=0
@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
status=`expr $status + $ret`
echo "I:reloading server"
cp -f ns2/named13.conf ns2/named.conf
cp -f ns2/named14.conf ns2/named.conf
$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
sleep 3
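Review bot: The new check introduced at `echo "I:checking GeoIP asnum database - ASNNNN only ($n)"` exercises only the positive case, each view's "AS10000N" value matching its own source address, so nothing pins the boundary the matcher depends on (the character after the number must be a space); a view configured with a value that is a strict prefix of a longer AS number, e.g. `AS10000`, and expected not to answer would catch a regression in that rule. The query-and-compare block after each "checking" line is copied a further time in the `@@ -234,6 +234,25 @@` hunk for the netspeed check; a small shell function taking `$n` and the view list would let each database check be a one-liner and keep the comparison logic in one place. The function would be defined before its first use, which is above the first hunk.
```shell
# check_views N VIEWS: query example/TXT from each view's source address and
# require the answer to echo that view's number; returns non-zero on mismatch.
check_views() {
	lret=0
	for i in $2; do
		$DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$1.$i || lret=1
		j=`cat dig.out.ns2.test$1.$i | tr -d '"'`
		[ "$i" = "$j" ] || lret=1
		[ $lret -eq 1 ] && break
	done
	return $lret
}
# … unchanged: reload of named12.conf and sleep …
n=`expr $n + 1`
echo "I:checking GeoIP netspeed database ($n)"
ret=0
check_views $n "1 2 3 4" || ret=1
[ $ret -eq 0 ] || echo "I:failed"
status=`expr $status + $ret`
```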


@@ -3459,17 +3459,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
"isp", "org", "asnum", "domain" and "netspeed".
</para>
<para>
<replaceable>value</replaceable> is the value to searched for
within the database. A string may be quoted if it contains
spaces or other special characters. If this is a "country"
search and the string is two characters long, then it must be a
standard ISO-3166-1 two-letter country code, and if it is three
characters long then it must be an ISO-3166-1 three-letter
country code; otherwise it is the full name of the country.
Similarly, if this is a "region" search and the string is
two characters long, then it must be a standard two-letter state
or province abbreviation; otherwise it is the full name of the
state or province.
<replaceable>value</replaceable> is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. If this is
an "asnum" search, then the leading "ASNNNN" string can be
used, otherwise the full description must be used (e.g.
"ASNNNN Example Company Name"). If this is a "country"
search and the string is two characters long, then it must
be a standard ISO-3166-1 two-letter country code, and if it
is three characters long then it must be an ISO-3166-1
three-letter country code; otherwise it is the full name
of the country. Similarly, if this is a "region" search
and the string is two characters long, then it must be a
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.
</para>
<para>
The <replaceable>database</replaceable> field indicates which


@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
return (ISC_FALSE);
s = name_lookup(db, subtype, ipnum);
if (s != NULL && strcasecmp(elt->as_string, s) == 0)
if (s != NULL) {
size_t l;
if (strcasecmp(elt->as_string, s) == 0)
return (ISC_TRUE);
if (subtype != dns_geoip_as_asnum)
break;
/*
* Just check if the ASNNNN value matches.
*/
l = strlen(elt->as_string);
if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
strncasecmp(elt->as_string, s, l) == 0 &&
s[l] == ' ')
return (ISC_TRUE);
}
break;
case dns_geoip_netspeed_id:
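Review bot: The short-form match added at `strncasecmp(elt->as_string, s, l) == 0 && s[l] == ' '` is wider than the "ASNNNN" form the comment above it and the docbook text describe: any space-free configured value equal to the first word of the database string matches, so an element like `geoip asnum "Example"` would match every AS whose description begins with "Example", which is a surprising widening for an ACL element. If only the bare AS number is meant to be accepted, add `if (l <= 2U || strncasecmp(elt->as_string, "AS", 2) != 0) break;` after computing `l`, so everything else still has to match the full description. The `s[l]` read itself is safe, since strncasecmp returning 0 over l bytes implies s has at least l bytes before its terminator. dns_geoip_match begins before this hunk.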


@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
const char *stype, *search;
dns_geoip_subtype_t subtype;
dns_aclelement_t de;
size_t len;
REQUIRE(dep != NULL);
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
len = strlen(search);
if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) {
if (len == 0) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"zero-length geoip search field");
return (ISC_R_FAILURE);
}
if (strcasecmp(stype, "country") == 0 && len == 2) {
/* Two-letter country code */
subtype = dns_geoip_countrycode;
strncpy(de.geoip_elem.as_string, search, 2);
} else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) {
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "country") == 0 && len == 3) {
/* Three-letter country code */
subtype = dns_geoip_countrycode3;
strncpy(de.geoip_elem.as_string, search, 3);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "country") == 0) {
/* Country name */
subtype = dns_geoip_countryname;
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) {
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "region") == 0 && len == 2) {
/* Two-letter region code */
subtype = dns_geoip_region;
strncpy(de.geoip_elem.as_string, search, 2);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "region") == 0) {
/* Region name */
subtype = dns_geoip_regionname;
strncpy(de.geoip_elem.as_string, search, 255);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "city") == 0) {
/* City name */
subtype = dns_geoip_city_name;
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) {
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "postal") == 0 && len < 7) {
subtype = dns_geoip_city_postalcode;
strncpy(de.geoip_elem.as_string, search, 6);
de.geoip_elem.as_string[6] = '\0';
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "postal") == 0) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"geoiop postal code (%s) too long", search);
return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "metro") == 0) {
subtype = dns_geoip_city_metrocode;
de.geoip_elem.as_int = atoi(search);
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
de.geoip_elem.as_int = atoi(search);
} else if (strcasecmp(stype, "tz") == 0) {
subtype = dns_geoip_city_timezonecode;
strncpy(de.geoip_elem.as_string, search, 255);
} else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) {
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "continent") == 0 && len == 2) {
/* Two-letter continent code */
subtype = dns_geoip_city_continentcode;
strncpy(de.geoip_elem.as_string, search, 2);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "continent") == 0) {
cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
"geoiop continent code (%s) too long", search);
return (ISC_R_FAILURE);
} else if (strcasecmp(stype, "isp") == 0) {
subtype = dns_geoip_isp_name;
strncpy(de.geoip_elem.as_string, search, 255);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "asnum") == 0) {
subtype = dns_geoip_as_asnum;
strncpy(de.geoip_elem.as_string, search, 255);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "org") == 0) {
subtype = dns_geoip_org_name;
strncpy(de.geoip_elem.as_string, search, 255);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "domain") == 0) {
subtype = dns_geoip_domain_name;
strncpy(de.geoip_elem.as_string, search, 255);
strlcpy(de.geoip_elem.as_string, search,
sizeof(de.geoip_elem.as_string));
} else if (strcasecmp(stype, "netspeed") == 0) {
subtype = dns_geoip_netspeed_id;
de.geoip_elem.as_int = atoi(search);
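Review bot: Every `strlcpy(de.geoip_elem.as_string, search, sizeof(de.geoip_elem.as_string))` in this section discards the return value, so a search string longer than the buffer is silently truncated and the element compares (in dns_geoip_match, elsewhere in this commit) against a value the database will most likely never produce; only the postal and continent branches report over-length input. Since `len` is now computed once before the chain, a single bound check next to the new `len == 0` test covers every string branch without touching the individual cases. The context lines `"geoiop postal code (%s) too long"` and `"geoiop continent code (%s) too long"` misspell "geoip" in the error text and could be corrected in the same pass. parse_geoip_element starts before the first hunk and continues past the last.
```c
	len = strlen(search);
	/* … unchanged: zero-length check … */
	/* Reject input that strlcpy() below would otherwise silently truncate. */
	if (len >= sizeof(de.geoip_elem.as_string)) {
		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
			    "geoip search field (%s) too long", search);
		return (ISC_R_FAILURE);
	}
	/* … unchanged: subtype dispatch chain … */
```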


@@ -1313,10 +1313,11 @@
./bin/tests/system/geoip/geoip.c C 2013
./bin/tests/system/geoip/ns2/example.db.in ZONE 2013
./bin/tests/system/geoip/ns2/named1.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named10.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named10.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named11.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named12.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named12.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named13.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named14.conf CONF-C 2014
./bin/tests/system/geoip/ns2/named2.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named3.conf CONF-C 2013
./bin/tests/system/geoip/ns2/named4.conf CONF-C 2013