diff --git a/CHANGES b/CHANGES index a8b79d299e..b3e649cc11 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ + 788. [feature] Add the "match-mapped-addresses" options, which + causes IPv6 v4mapped addresses to be treated as + IPv4 addresses for the purpose of acl matching. + 787. [bug] The DNSSEC tools failed to downcase domain names when mapping them into file names. diff --git a/bin/named/client.c b/bin/named/client.c index 943e55808b..427f5fe3e3 100644 --- a/bin/named/client.c +++ b/bin/named/client.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: client.c,v 1.160 2001/03/19 20:52:19 gson Exp $ */ +/* $Id: client.c,v 1.161 2001/03/26 21:32:52 bwelling Exp $ */ #include @@ -736,7 +736,8 @@ client_sendpkg(ns_client_t *client, isc_buffer_t *buffer) { if (ns_g_server->blackholeacl != NULL && dns_acl_match(&netaddr, NULL, ns_g_server->blackholeacl, - NULL, &match, NULL) == ISC_R_SUCCESS && + &ns_g_server->aclenv, + &match, NULL) == ISC_R_SUCCESS && match > 0) return (DNS_R_BLACKHOLED); sockflags |= ISC_SOCKFLAG_NORETRY; diff --git a/bin/named/config.c b/bin/named/config.c index dfba345de5..967bf7658d 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: config.c,v 1.7 2001/03/20 21:54:29 bwelling Exp $ */ +/* $Id: config.c,v 1.8 2001/03/26 21:32:53 bwelling Exp $ */ #include @@ -56,6 +56,7 @@ options {\n\ interface-interval 3600;\n\ listen-on {any;};\n\ listen-on-v6 {none;};\n\ + match-mapped-addresses no;\n\ memstatistics-file \"named.memstats\";\n\ multiple-cnames no;\n\ # named-xfer ;\n\ diff --git a/bin/named/server.c b/bin/named/server.c index 70011fd11e..cfa44c6439 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.308 2001/03/22 00:06:56 bwelling Exp $ */ +/* $Id: server.c,v 1.309 2001/03/26 21:32:54 bwelling Exp $ */ #include 
@@ -710,6 +710,11 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig, view->peers = newpeers; /* Transfer ownership. */ } + /* + * Copy the aclenv object. + */ + dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv); + /* * Configure the "match-clients" ACL. */ @@ -1404,6 +1409,8 @@ directory_callback(const char *clausename, cfg_obj_t *obj, void *arg) { static void scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { + isc_boolean_t match_mapped = server->aclenv.match_mapped; + ns_interfacemgr_scan(server->interfacemgr, verbose); /* * Update the "localhost" and "localnets" ACLs to match the @@ -1411,6 +1418,8 @@ scan_interfaces(ns_server_t *server, isc_boolean_t verbose) { */ dns_aclenv_copy(&server->aclenv, ns_interfacemgr_getaclenv(server->interfacemgr)); + + server->aclenv.match_mapped = match_mapped; } /* @@ -1635,6 +1644,10 @@ load_configuration(const char *filename, ns_server_t *server, dns_dispatchmgr_setblackhole(ns_g_dispatchmgr, server->blackholeacl); + result = ns_config_get(maps, "match-mapped-addresses", &obj); + INSIST(result == ISC_R_SUCCESS); + server->aclenv.match_mapped = cfg_obj_asboolean(obj); + /* * Configure the zone manager. */ diff --git a/doc/misc/options b/doc/misc/options index ff954198eb..344a6d99ec 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -1,7 +1,7 @@ Copyright (C) 2000, 2001 Internet Software Consortium. See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. -$Id: options,v 1.65 2001/03/19 22:34:08 bwelling Exp $ +$Id: options,v 1.66 2001/03/26 21:32:56 bwelling Exp $ This is a summary of the implementation status of the various named.conf options in BIND 9. @@ -123,6 +123,7 @@ options { [ additional-from-cache yes_or_no; ] Yes* [ random-device path_name; ] Yes* [ minimal-responses yes_or_no; ] Yes* + [ match-mapped-addresses yes_or_no; ] Yes* }; acl Yes@ diff --git a/lib/dns/acl.c b/lib/dns/acl.c index 6628f39a27..aa10f0a19f 100644 --- a/lib/dns/acl.c 
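Review bot: view->aclenv is filled once in configure_view by `dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);`, while scan_interfaces in the same file refreshes server->aclenv's localhost/localnets on every interface scan and nothing in this patch propagates that refresh to the views; the resolver.c and zone.c call sites that now pass `&view->aclenv` would then evaluate localnets against a configuration-time snapshot, unless views are reconfigured on rescan. Whether the copy runs after the `server->aclenv.match_mapped = cfg_obj_asboolean(obj);` assignment in load_configuration depends on where configure_view is invoked, which is outside this hunk, so that ordering should be confirmed too. At minimum a comment at the copy, `/* Snapshot of the server ACL environment; not refreshed by scan_interfaces(). */`, records the limitation. configure_view continues outside the hunk.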
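Review bot: The save and restore of match_mapped around dns_aclenv_copy() in scan_interfaces carries no comment explaining why it exists; since dns_aclenv_copy now also copies match_mapped (acl.c in this patch), the interface manager's environment, presumably still at the ISC_FALSE set by dns_aclenv_init, would otherwise overwrite the configured value on every scan. Suggest `/* dns_aclenv_copy() also copies match_mapped; keep the configured value, not the interfacemgr's default. */` above the restoring assignment, or a copy helper that transfers only the two ACLs so the round trip is unnecessary.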
+++ b/lib/dns/acl.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.c,v 1.21 2001/02/08 23:30:31 gson Exp $ */ +/* $Id: acl.c,v 1.22 2001/03/26 21:32:57 bwelling Exp $ */ #include @@ -157,12 +157,24 @@ dns_aclelement_match(isc_netaddr_t *reqaddr, dns_aclelement_t **matchelt) { dns_acl_t *inner = NULL; + isc_netaddr_t *addr; + isc_netaddr_t v4addr; int indirectmatch; isc_result_t result; switch (e->type) { case dns_aclelementtype_ipprefix: - if (isc_netaddr_eqprefix(reqaddr, + if (env == NULL || + env->match_mapped == ISC_FALSE || + reqaddr->family != AF_INET6 || + !IN6_IS_ADDR_V4MAPPED(&reqaddr->type.in6)) + addr = reqaddr; + else { + isc_netaddr_fromv4mapped(&v4addr, reqaddr); + addr = &v4addr; + } + + if (isc_netaddr_eqprefix(addr, &e->u.ip_prefix.address, e->u.ip_prefix.prefixlen)) goto matched; @@ -389,6 +401,7 @@ dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env) { result = dns_acl_create(mctx, 0, &env->localnets); if (result != ISC_R_SUCCESS) goto cleanup_localhost; + env->match_mapped = ISC_FALSE; return (ISC_R_SUCCESS); cleanup_localhost: @@ -403,6 +416,7 @@ dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s) { dns_acl_attach(s->localhost, &t->localhost); dns_acl_detach(&t->localnets); dns_acl_attach(s->localnets, &t->localnets); + t->match_mapped = s->match_mapped; } void diff --git a/lib/dns/include/dns/acl.h b/lib/dns/include/dns/acl.h index f40cf10c7a..5e46c7efca 100644 --- a/lib/dns/include/dns/acl.h +++ b/lib/dns/include/dns/acl.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: acl.h,v 1.18 2001/02/08 23:30:32 gson Exp $ */ +/* $Id: acl.h,v 1.19 2001/03/26 21:33:02 bwelling Exp $ */ #ifndef DNS_ACL_H #define DNS_ACL_H 1 @@ -84,6 +84,7 @@ struct dns_acl { struct dns_aclenv { dns_acl_t *localhost; dns_acl_t *localnets; + isc_boolean_t match_mapped; }; #define DNS_ACL_MAGIC 0x4461636c /* Dacl */ 
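Review bot: In the ipprefix case the request address is rewritten to IPv4 whenever match_mapped is on and reqaddr is v4-mapped, independent of the family of `e->u.ip_prefix.address`; if isc_netaddr_eqprefix() requires equal families, an IPv6 prefix element covering the mapped range (such as ::ffff:0:0/96) stops matching those clients once the option is enabled, which an operator carrying an existing ACL over would not expect. Either restrict the conversion to elements whose prefix family is AF_INET, or record the behaviour with `/* With match_mapped, a v4-mapped client matches only IPv4 prefixes. */` above the new condition. dns_aclelement_match starts before this hunk.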
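Review bot: The new `match_mapped` member of struct dns_aclenv is undocumented, and the option's meaning is otherwise only described in CHANGES; a comment beside the field such as `isc_boolean_t match_mapped; /* Treat IPv4-mapped IPv6 addresses as IPv4 when matching ipprefix elements; ISC_FALSE by default. */` keeps the contract next to the data. The default stated there is the value dns_aclenv_init assigns in this patch.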
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h index 6927429577..daadb60a9c 100644 --- a/lib/dns/include/dns/view.h +++ b/lib/dns/include/dns/view.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.h,v 1.68 2001/03/14 21:53:28 halley Exp $ */ +/* $Id: view.h,v 1.69 2001/03/26 21:33:04 bwelling Exp $ */ #ifndef DNS_VIEW_H #define DNS_VIEW_H 1 @@ -70,6 +70,7 @@ #include #include +#include #include ISC_LANG_BEGINDECLS @@ -115,6 +116,7 @@ struct dns_view { dns_ttl_t maxcachettl; dns_ttl_t maxncachettl; in_port_t dstport; + dns_aclenv_t aclenv; /* * Configurable data for server use only, diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c index 578fc35130..6ebe698690 100644 --- a/lib/dns/resolver.c +++ b/lib/dns/resolver.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: resolver.c,v 1.213 2001/03/20 22:13:00 gson Exp $ */ +/* $Id: resolver.c,v 1.214 2001/03/26 21:32:58 bwelling Exp $ */ #include @@ -1092,7 +1092,8 @@ resquery_send(resquery_t *query) { int match; if (dns_acl_match(&ipaddr, NULL, blackhole, - NULL, &match, NULL) == ISC_R_SUCCESS && + &fctx->res->view->aclenv, + &match, NULL) == ISC_R_SUCCESS && match > 0) aborted = ISC_TRUE; } diff --git a/lib/dns/view.c b/lib/dns/view.c index eb5e85a297..dc0117bec3 100644 --- a/lib/dns/view.c +++ b/lib/dns/view.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: view.c,v 1.97 2001/03/14 21:53:27 halley Exp $ */ +/* $Id: view.c,v 1.98 2001/03/26 21:33:00 bwelling Exp $ */ #include @@ -160,6 +160,11 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, result = dns_peerlist_new(view->mctx, &view->peers); if (result != ISC_R_SUCCESS) goto cleanup_dynkeys; + + result = dns_aclenv_init(view->mctx, &view->aclenv); + if (result != ISC_R_SUCCESS) + goto cleanup_peerlist; + ISC_LINK_INIT(view, link); ISC_EVENT_INIT(&view->resevent, sizeof view->resevent, 0, NULL, DNS_EVENT_VIEWRESSHUTDOWN, resolver_shutdown, 
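Review bot: The dns_aclenv_init() call added to dns_view_create gets a new cleanup_peerlist label for its own failure, but no cleanup_aclenv label is introduced; if any step between the init and `return (ISC_R_SUCCESS);` (not shown in this hunk) can fail and jump to the existing labels, the env's localhost and localnets ACLs would leak. Worth confirming that nothing fallible follows, or adding `cleanup_aclenv: dns_aclenv_destroy(&view->aclenv);` ahead of cleanup_peerlist so the unwind order mirrors construction.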
@@ -176,6 +181,9 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass, return (ISC_R_SUCCESS); + cleanup_peerlist: + dns_peerlist_detach(&view->peers); + cleanup_dynkeys: dns_tsigkeyring_destroy(&view->dynamickeys); @@ -245,6 +253,7 @@ destroy(dns_view_t *view) { dns_keytable_detach(&view->trustedkeys); dns_keytable_detach(&view->secroots); dns_fwdtable_destroy(&view->fwdtable); + dns_aclenv_destroy(&view->aclenv); DESTROYLOCK(&view->lock); isc_refcount_destroy(&view->references); isc_mem_free(view->mctx, view->name); diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 06c8804edf..2dfca0d71d 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: zone.c,v 1.314 2001/03/26 21:11:33 bwelling Exp $ */ +/* $Id: zone.c,v 1.315 2001/03/26 21:33:01 bwelling Exp $ */ #include @@ -3968,8 +3968,11 @@ dns_zone_notifyreceive(dns_zone_t *zone, isc_sockaddr_t *from, */ isc_netaddr_fromsockaddr(&netaddr, from); if (i >= zone->masterscnt && zone->notify_acl != NULL && - dns_acl_match(&netaddr, NULL, zone->notify_acl, NULL, &match, - NULL) == ISC_R_SUCCESS && match > 0) { + dns_acl_match(&netaddr, NULL, zone->notify_acl, + &zone->view->aclenv, + &match, NULL) == ISC_R_SUCCESS && + match > 0) + { /* Accept notify. */ } else if (i >= zone->masterscnt) { UNLOCK_ZONE(zone); diff --git a/lib/isc/include/isc/netaddr.h b/lib/isc/include/isc/netaddr.h index 85c371416d..719e23a91b 100644 --- a/lib/isc/include/isc/netaddr.h +++ b/lib/isc/include/isc/netaddr.h @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: netaddr.h,v 1.17 2001/02/02 02:48:47 gson Exp $ */ +/* $Id: netaddr.h,v 1.18 2001/03/26 21:33:06 bwelling Exp $ */ #ifndef ISC_NETADDR_H #define ISC_NETADDR_H 1 
@@ -112,6 +112,13 @@ isc_netaddr_ismulticast(isc_netaddr_t *na); * Returns ISC_TRUE if the address is a multicast address */ +void +isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s); +/* + * Convert an IPv6 v4mapped address into an IPv4 address. + */ + + ISC_LANG_ENDDECLS #endif /* ISC_NETADDR_H */ diff --git a/lib/isc/netaddr.c b/lib/isc/netaddr.c index aac9baffe4..8e324a67eb 100644 --- a/lib/isc/netaddr.c +++ b/lib/isc/netaddr.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: netaddr.c,v 1.15 2001/02/02 02:48:46 gson Exp $ */ +/* $Id: netaddr.c,v 1.16 2001/03/26 21:33:05 bwelling Exp $ */ #include @@ -257,3 +257,14 @@ isc_netaddr_ismulticast(isc_netaddr_t *na) { return (ISC_FALSE); /* XXXMLG ? */ } } + +void +isc_netaddr_fromv4mapped(isc_netaddr_t *t, const isc_netaddr_t *s) { + REQUIRE(s->family == AF_INET6); + REQUIRE(IN6_IS_ADDR_V4MAPPED(&s->type.in6)); + + memset(t, 0, sizeof *t); + t->family = AF_INET; + memcpy(&t->type.in, (const char *)&s->type.in6 + 12, 4); + return; +} diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index 2219a6eb6c..1e171cd10b 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -15,7 +15,7 @@ * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: parser.c,v 1.49 2001/03/21 19:01:36 gson Exp $ */ +/* $Id: parser.c,v 1.50 2001/03/26 21:33:07 bwelling Exp $ */ #include @@ -806,6 +806,7 @@ options_clauses[] = { { "interface-interval", &cfg_type_uint32, 0 }, { "listen-on", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI }, { "listen-on-v6", &cfg_type_listenon, CFG_CLAUSEFLAG_MULTI }, + { "match-mapped-addresses", &cfg_type_boolean, 0 }, { "memstatistics-file", &cfg_type_qstring, 0 }, { "multiple-cnames", &cfg_type_boolean, CFG_CLAUSEFLAG_OBSOLETE }, { "named-xfer", &cfg_type_qstring, CFG_CLAUSEFLAG_OBSOLETE },
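Review bot: The header comment for isc_netaddr_fromv4mapped() omits the preconditions its implementation enforces with REQUIRE (`s->family == AF_INET6` and `IN6_IS_ADDR_V4MAPPED(&s->type.in6)`), so callers such as the ipprefix case in acl.c have to discover from the source that they must check first. Suggest extending it to `Requires: s is an AF_INET6 address for which IN6_IS_ADDR_V4MAPPED() is true; t is overwritten with the embedded IPv4 address.`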
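Review bot: `memcpy(&t->type.in, (const char *)&s->type.in6 + 12, 4);` hard-codes both the offset and the length of the embedded IPv4 address and reaches it through a char cast; `memcpy(&t->type.in, s->type.in6.s6_addr + 12, sizeof t->type.in);` expresses the same copy through the standard s6_addr byte array and ties the length to the destination. The trailing `return;` in this void function is redundant and can go.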