diff --git a/CHANGES b/CHANGES
index 7cd2e2f3aa..fb49e88fed 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
+ 945. [func] Add the new view-specific options
+ "match-destinations" and "match-recursive-only".
+
 944. [func] Check for expired signatures on load.
 943. [bug] The server could crash when receiving a command
diff --git a/bin/named/client.c b/bin/named/client.c
index b37a3744fa..8ba607d1c8 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: client.c,v 1.174 2001/06/28 02:39:46 marka Exp $ */
+/* $Id: client.c,v 1.175 2001/07/26 20:42:38 bwelling Exp $ */
 #include
@@ -1189,6 +1189,19 @@ client_getoptattrs(ns_client_t *client, dns_rdataset_t *opt) {
 }
 #endif /* DNS_OPT_NEWCODES */
+static inline isc_boolean_t
+allowed(isc_netaddr_t *addr, dns_acl_t *acl) {
+ int match;
+ isc_result_t result;
+
+ if (acl == NULL)
+ return (ISC_TRUE);
+ result = dns_acl_match(addr, NULL, acl, &ns_g_server->aclenv,
+ &match, NULL);
+ if (result == ISC_R_SUCCESS && match > 0)
+ return (ISC_TRUE);
+ return (ISC_FALSE);
+}
 /*
 * Handle an incoming request event from the socket (UDP case)
@@ -1438,11 +1451,14 @@ client_request(isc_task_t *task, isc_event_t *event) {
 if (client->message->rdclass == view->rdclass ||
 client->message->rdclass == dns_rdataclass_any) {
- if (view->matchclients == NULL ||
- (dns_acl_match(&netaddr, NULL, view->matchclients,
- &ns_g_server->aclenv,
- &match, NULL) == ISC_R_SUCCESS &&
- match > 0))
+ isc_netaddr_t destaddr;
+
+ isc_netaddr_fromsockaddr(&destaddr,
+ &client->interface->addr);
+ if (allowed(&netaddr, view->matchclients) &&
+ allowed(&destaddr, view->matchdestinations) &&
+ !((flags & DNS_MESSAGEFLAG_RD) == 0 &&
+ view->matchrecursiveonly))
 {
 dns_view_attach(view, &client->view);
 break;
diff --git a/bin/named/server.c b/bin/named/server.c
index cc39e6eb04..01353cd641 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
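Review bot: The new `allowed()` helper carries no comment, and its treatment of a failed `dns_acl_match()` is a policy decision worth stating: any `result != ISC_R_SUCCESS`, not only a non-match, yields ISC_FALSE, so an ACL evaluation error makes the view silently not match instead of being reported to the caller. Failing closed is the right default here, but a reader of the call site cannot distinguish an error from a deny. I would put above the function `/* Return ISC_TRUE if 'addr' is permitted by 'acl'. A NULL acl matches everything; an ACL lookup error is treated as a non-match (fail closed). */`.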
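Review bot: `destaddr` is converted from `client->interface->addr` inside what appears to be the per-view loop (the `break` after `dns_view_attach` suggests it), so the same conversion is repeated for every candidate view although the interface address cannot change between iterations; moving `isc_netaddr_t destaddr;` and the `isc_netaddr_fromsockaddr()` call out of the loop, next to wherever `netaddr` is built, would do it once. The recursive-only condition reads more directly in positive form, `(!view->matchrecursiveonly || (flags & DNS_MESSAGEFLAG_RD) != 0)`, which also makes it plain that the decision rests on the client-supplied RD bit, i.e. it selects by query type rather than by who is asking. client_request() begins and ends outside the hunk, so I cannot see where `netaddr` and `flags` are set or what happens when no view matches.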
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: server.c,v 1.335 2001/07/23 17:31:33 gson Exp $ */
+/* $Id: server.c,v 1.336 2001/07/26 20:42:40 bwelling Exp $ */
 #include
@@ -728,10 +728,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
 /*
- * Configure the "match-clients" ACL.
+ * Configure the "match-clients" and "match-destinations" ACL.
 */
 CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
 ns_g_mctx, &view->matchclients));
+ CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
+ ns_g_mctx, &view->matchdestinations));
+
+ /*
+ * Configure the "match-recursive-only" option.
+ */
+ obj = NULL;
+ (void) ns_config_get(maps, "match-recursive-only", &obj);
+ if (obj != NULL && cfg_obj_asboolean(obj))
+ view->matchrecursiveonly = ISC_TRUE;
+ else
+ view->matchrecursiveonly = ISC_FALSE;
 /*
 * Configure other configurable data.
diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml
index fc0fe6ec77..a1eadcf0e6 100644
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -2,7 +2,7 @@
- + BIND 9 Administrator Reference Manual
@@ -4054,6 +4054,8 @@ key data.
 <command>view</command> Statement Grammar view view_name class { match-clients { address_match_list } ;
+ match-destinations { address_match_list } ;
+ match-recursive-only { yes_or_no } ;
 view_option; ... zone-statistics yes_or_no ; zone_statement; ...
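Review bot: The rewritten comment `Configure the "match-clients" and "match-destinations" ACL.` now describes two ACLs, so it should say `ACLs`. The `match-recursive-only` block discards the `ns_config_get()` result with a `(void)` cast and relies on `obj` remaining NULL when the option is absent; a line such as `/* An absent option defaults to ISC_FALSE. */` above the `if` would make that intent explicit rather than implied by the `else`. `obj` and `maps` are declared outside the hunk, so I am assuming `obj` is a `cfg_obj_t *` that is free to reuse at this point; configure_view() begins and ends outside the hunk.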
@@ -4065,11 +4067,19 @@ of BIND 9 that lets a name server answer a DNS query differen
 depending on who is asking. It is particularly useful for implementing split DNS setups without having to run multiple servers. Each view statement defines a view of the
-DNS namespace that will be seen by those clients whose IP addresses
-match the address_match_list of the view's match-clients clause.
- The order of the view statements is significant-a
-client query will be resolved in the context of the first view whose match-clients list
-matches the client's IP address.
+DNS namespace that will be seen by a subset of clients. A client matches
+a view if its source IP address matches the
+address_match_list of the view's
+match-clients clause and its destination IP address matches
+the address_match_list of the view's
+match-destinations clause. If not specified, both
+match-clients and match-destinations
+default to matching all addresses. A view can also be specified
+as match-recursive-only, which means that only recursive
+queries from matching clients will match that view.
+ The order of the view statements is significant - a
+client query will be resolved in the context of the first
+view that it matches.
 Zones defined within a view statement will be only be accessible to clients that match the view. By defining a zone of the same name in multiple views, different
diff --git a/lib/dns/include/dns/view.h b/lib/dns/include/dns/view.h
index 307881df9c..897f42717d 100644
--- a/lib/dns/include/dns/view.h
+++ b/lib/dns/include/dns/view.h
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: view.h,v 1.71 2001/05/07 23:34:09 gson Exp $ */
+/* $Id: view.h,v 1.72 2001/07/26 20:42:45 bwelling Exp $ */
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -123,6 +123,8 @@ struct dns_view {
 * locked by server configuration lock.
 */
 dns_acl_t * matchclients;
+ dns_acl_t * matchdestinations;
+ isc_boolean_t matchrecursiveonly;
 /* Locked by themselves. */
 isc_refcount_t references;
diff --git a/lib/dns/view.c b/lib/dns/view.c
index 5a30406d6e..5931225a35 100644
--- a/lib/dns/view.c
+++ b/lib/dns/view.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: view.c,v 1.100 2001/05/07 23:34:04 gson Exp $ */
+/* $Id: view.c,v 1.101 2001/07/26 20:42:44 bwelling Exp $ */
 #include
@@ -133,6 +133,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 view->statickeys = NULL;
 view->dynamickeys = NULL;
 view->matchclients = NULL;
+ view->matchdestinations = NULL;
+ view->matchrecursiveonly = ISC_FALSE;
 result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
 if (result != ISC_R_SUCCESS)
 goto cleanup_fwdtable;
@@ -242,6 +244,8 @@ destroy(dns_view_t *view) {
 dns_cache_detach(&view->cache);
 if (view->matchclients != NULL)
 dns_acl_detach(&view->matchclients);
+ if (view->matchdestinations != NULL)
+ dns_acl_detach(&view->matchdestinations);
 if (view->queryacl != NULL)
 dns_acl_detach(&view->queryacl);
 if (view->recursionacl != NULL)
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index be2d548eb3..34ac895f55 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -15,7 +15,7 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-/* $Id: parser.c,v 1.64 2001/07/23 05:00:43 mayer Exp $ */
+/* $Id: parser.c,v 1.65 2001/07/26 20:42:46 bwelling Exp $ */
 #include
@@ -902,6 +902,8 @@ view_clauses[] = {
 static cfg_clausedef_t
 view_only_clauses[] = {
 { "match-clients", &cfg_type_bracketed_aml, 0 },
+ { "match-destinations", &cfg_type_bracketed_aml, 0 },
+ { "match-recursive-only", &cfg_type_boolean, 0 },
 { NULL, NULL, 0 }
 };
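Review bot: The two new `struct dns_view` members have no per-field comment, so a reader of the header cannot tell what a NULL `matchdestinations` means or which flag `matchrecursiveonly` keys on. Given how bin/named/client.c consumes them in this same commit, I would document them inline: `dns_acl_t * matchdestinations; /* destination-address ACL; NULL matches all */` and `isc_boolean_t matchrecursiveonly; /* view matches only queries with RD set */`. Spelling out that RD comes from the request makes it clear to maintainers that match-recursive-only selects by query type and is not an access control on the client.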