From 83e0fb268518baeccd6ece9b1c252c01f6925aae Mon Sep 17 00:00:00 2001 From: Michal 'vorner' Vaner Date: Mon, 6 Aug 2012 12:01:11 +0200 Subject: [PATCH] [2066] docs/ACLs: Some examples and how to bindctl it --- doc/guide/bind10-guide.xml | 63 +++++++++++++++++++++++++++++++++++++- 1 file changed, 62 insertions(+), 1 deletion(-) diff --git a/doc/guide/bind10-guide.xml b/doc/guide/bind10-guide.xml index 0b97cc8180..65606c3d4b 100644 --- a/doc/guide/bind10-guide.xml +++ b/doc/guide/bind10-guide.xml @@ -1426,7 +1426,68 @@ TODO ] - + + Now we show two ways to accept only the queries from private ranges. + This is the same as rejecting anything that is outside. + + [ + { + "from": [ + "10.0.0.0/8", + "172.16.0.0/12", + "192.168.0.0/16", + "fc00::/7" + ], + "action": "ACCEPT" + }, + { + "action": "REJECT" + } +] + + [ + { + "NOT": { + "ANY": [ + {"from": "10.0.0.0/8"}, + {"from": "172.16.0.0/12"}, + {"from": "192.168.0.0/16"}, + {"from": "fc00::/7"} + ] + }, + "action": "REJECT" + }, + { + "action": "ACCEPT" + } +] + + + +
+ Interaction with <command>bindctl</command> + + + Currently, bindctl has hard time coping with + the variable nature of the ACL syntax. This technical limitation + makes it impossible to edit parts of the entries. You need to + set the whole entry at once, providing the whole JSON value. + + + + This limitation is planned to be solved soon at least partially. + + + + You'd do something like this to create the second example. + Note that the whole JSON must be on a single line. + + > config add somewhere/acl +> config set somewhere/acl[0] { "from": [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7" ], "action": "ACCEPT" } +> config add somewhere/acl +> config set somewhere/acl[1] { "action": "REJECT" } +> config commit +