1 --- /dev/null 2015-01-22 01:48:00.000000000 -0500
2 +++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
6 +#include <isc/platform.h>
8 +#include <named/types.h>
9 +#include <named/client.h>
11 +#include <blacklist.h>
15 +static struct blacklist *blstate;
20 + if (blstate == NULL)
21 + blstate = blacklist_open();
24 +#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
27 +pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
29 + isc_socket_t *socket;
33 + if (TCP_CLIENT(client))
34 + socket = client->tcpsocket;
36 + socket = client->udpsocket;
37 + if (!client->peeraddr_valid)
42 + blacklist_sa_r(blstate,
43 + res != ISC_R_SUCCESS, isc_socket_getfd(socket),
44 + &client->peeraddr.type.sa, client->peeraddr.length, msg);
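Review bot: pfilter_notify passes `blstate` straight to blacklist_sa_r, yet the lazy `if (blstate == NULL) blstate = blacklist_open();` in pfilter_open can leave it NULL when the open fails, and nothing in this hunk shows that pfilter_open ran before the first ACL check; unless libblacklist tolerates a NULL handle, that is a NULL dereference on the first notification. A guard such as `if (blstate == NULL) return;` ahead of the call keeps the hook best-effort, which is the failure mode an auxiliary reporting path should have (an absent or broken blacklistd must not affect query handling), and the selected `socket` deserves the same treatment before `isc_socket_getfd(socket)`. The function also has no header comment; a line like `/* Report an ACL outcome for this client to blacklistd: a non-success result counts against the peer address, success clears it; no-op without a valid peer address. */` would record the `res != ISC_R_SUCCESS` convention every caller relies on. Several lines of this hunk are elided on this page, so the early return after the peeraddr_valid test is inferred rather than visible.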
46 --- /dev/null 2015-01-22 01:48:00.000000000 -0500
47 +++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
49 +void pfilter_open(void);
50 +void pfilter_notify(isc_result_t, ns_client_t *, const char *);
51 Index: bin/named/Makefile
52 ===================================================================
53 RCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
54 retrieving revision 1.8
55 diff -u -u -r1.8 Makefile
56 --- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
57 +++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000
59 lwaddr.c lwdclient.c lwderror.c \
60 lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
61 main.c notify.c query.c server.c sortlist.c statschannel.c \
62 - tkeyconf.c tsigconf.c \
63 + pfilter.c tkeyconf.c tsigconf.c \
64 update.c xfrout.c zoneconf.c ${SRCS_UNIX}
67 +DPADD+=${LIBBLACKLIST}
68 .include <bsd.prog.mk>
69 Index: dist/bin/named/client.c
70 ===================================================================
71 RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
72 retrieving revision 1.11
73 diff -u -u -r1.11 client.c
74 --- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
75 +++ dist/bin/named/client.c 23 Jan 2015 21:37:09 -0000
77 #include <named/server.h>
78 #include <named/update.h>
86 result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
89 + pfilter_notify(result, client, opname);
90 if (result == ISC_R_SUCCESS)
91 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
92 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
93 Index: dist/bin/named/main.c
94 ===================================================================
95 RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
96 retrieving revision 1.15
97 diff -u -u -r1.15 main.c
98 --- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
99 +++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000
102 #include <libxml/xmlversion.h>
105 +#include "pfilter.h"
108 * Include header files for database drivers here.
110 @@ -1206,6 +1209,8 @@
112 parse_command_line(argc, argv);
117 * Warn about common configuration error.
119 Index: dist/bin/named/query.c
120 ===================================================================
121 RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
122 retrieving revision 1.17
123 diff -u -u -r1.17 query.c
124 --- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
125 +++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000
127 #include <named/sortlist.h>
128 #include <named/xfrout.h>
130 +#include "pfilter.h"
134 * It has been recommended that DNS64 be changed to return excluded
138 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
139 + if (result != ISC_R_SUCCESS)
140 + pfilter_notify(result, client, "validatezonedb");
141 if ((options & DNS_GETDB_NOLOG) == 0) {
142 char msg[NS_CLIENT_ACLMSGSIZE("query")];
143 if (result == ISC_R_SUCCESS) {
144 @@ -1026,6 +1030,8 @@
145 result = ns_client_checkaclsilent(client, NULL,
146 client->view->cacheacl,
148 + if (result == ISC_R_SUCCESS)
149 + pfilter_notify(result, client, "cachedb");
150 if (result == ISC_R_SUCCESS) {
152 * We were allowed by the "allow-query-cache" ACL.
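Review bot: The two new calls report opposite outcomes: the validatezonedb hunk notifies only when `result != ISC_R_SUCCESS`, while the cachedb hunk notifies only when `result == ISC_R_SUCCESS`, so a denied allow-query-cache check is never reported and a permitted zone query never clears the peer's failure count. Since pfilter_notify derives the blacklist action from `res != ISC_R_SUCCESS`, the unconditional form used in client.c and update.c, `pfilter_notify(result, client, "cachedb");` with no surrounding if, looks like the intended shape for both sites. If the asymmetry is deliberate, for instance to avoid counting refused recursion from ordinary clients as abuse, a one-line comment stating that would stop the next reader from "fixing" it. Both enclosing functions extend beyond the hunks shown here.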
153 Index: dist/bin/named/update.c
154 ===================================================================
155 RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
156 retrieving revision 1.9
157 diff -u -u -r1.9 update.c
158 --- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
159 +++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000
161 #include <named/server.h>
162 #include <named/update.h>
164 +#include "pfilter.h"
168 * This module implements dynamic update as in RFC2136.
171 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
172 if (result != ISC_R_SUCCESS) {
173 + pfilter_notify(result, client, "queryacl");
174 dns_name_format(zonename, namebuf, sizeof(namebuf));
175 dns_rdataclass_format(client->view->rdclass, classbuf,
180 result = DNS_R_REFUSED;
181 + pfilter_notify(result, client, "updateacl");
182 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
183 NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
184 "update '%s/%s' denied", namebuf, classbuf);
188 result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
189 + pfilter_notify(result, client, "updateacl");
190 if (result == ISC_R_SUCCESS) {
191 level = ISC_LOG_DEBUG(3);
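Review bot: The notification placed after `result = DNS_R_REFUSED;` fires on a path where the refusal is assigned directly rather than returned by ns_client_checkaclsilent, so if this is the case where the zone has no update ACL or policy at all, every update sent to a non-dynamic zone is reported as a failed attempt against the sender; confirm that is intended, because a misconfigured but legitimate client would then be firewalled by blacklistd. The tag `"updateacl"` is also reused for that refusal and for the later ns_client_checkaclsilent result, which makes the two indistinguishable in blacklistd's log; a distinct label for the first, e.g. `pfilter_notify(result, client, "updatedenied");`, would keep them apart. The enclosing function continues outside the hunks shown.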
193 Index: dist/bin/named/xfrout.c
194 ===================================================================
195 RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
196 retrieving revision 1.7
197 diff -u -u -r1.7 xfrout.c
198 --- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
199 +++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000
201 #include <named/server.h>
202 #include <named/xfrout.h>
204 +#include "pfilter.h"
208 * Outgoing AXFR and IXFR.
213 + pfilter_notify(result, client, "zonexfr");
214 if (result == ISC_R_NOPERM) {
215 char _buf1[DNS_NAME_FORMATSIZE];
216 char _buf2[DNS_RDATACLASS_FORMATSIZE];