1--- /dev/null 2015-01-22 01:48:00.000000000 -0500
2+++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
3@@ -0,0 +1,42 @@
4+#include <config.h>
5+
6+#include <isc/platform.h>
7+#include <isc/util.h>
8+#include <named/types.h>
9+#include <named/client.h>
10+
11+#include <blacklist.h>
12+
13+#include "pfilter.h"
14+
15+static struct blacklist *blstate;
16+
17+void
18+pfilter_open(void)
19+{
20+ if (blstate == NULL)
21+ blstate = blacklist_open();
22+}
23+
24+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
25+
26+void
27+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
28+{
29+ isc_socket_t *socket;
30+
31+ pfilter_open();
32+
33+ if (TCP_CLIENT(client))
34+ socket = client->tcpsocket;
35+ else {
36+ socket = client->udpsocket;
37+ if (!client->peeraddr_valid)
38+ return;
39+ }
40+ if (socket == NULL)
41+ return;
42+ blacklist_sa_r(blstate,
43+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
44+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
45+}
46--- /dev/null 2015-01-22 01:48:00.000000000 -0500
47+++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500
48@@ -0,0 +1,2 @@
49+void pfilter_open(void);
50+void pfilter_notify(isc_result_t, ns_client_t *, const char *);
51Index: bin/named/Makefile
52===================================================================
53RCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v
54retrieving revision 1.8
55diff -u -u -r1.8 Makefile
56--- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8
57+++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000
58@@ -33,7 +33,9 @@
59 lwaddr.c lwdclient.c lwderror.c \
60 lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
61 main.c notify.c query.c server.c sortlist.c statschannel.c \
62- tkeyconf.c tsigconf.c \
63+ pfilter.c tkeyconf.c tsigconf.c \
64 update.c xfrout.c zoneconf.c ${SRCS_UNIX}
65 
66+LDADD+=-lblacklist
67+DPADD+=${LIBBLACKLIST}
68 .include <bsd.prog.mk>
69Index: dist/bin/named/client.c
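Review bot: In pfilter_notify's UDP branch (`socket = client->udpsocket`), the datagram's source address is reported to blacklistd with the failure flag for any non-success result, yet nothing in this path has verified that the address belongs to the sender, so a blocklist fed from unauthenticated UDP sources can end up blocking an address that never sent anything. Either restrict reports to TCP clients (`if (!TCP_CLIENT(client)) return;` in place of the else branch) or, if UDP reporting is wanted, document at that branch that the address is unverified so the blacklistd thresholds for named's ports are chosen with that in mind. Separately, blacklist_open() can return NULL and blstate is then handed to blacklist_sa_r unchecked; unless that library call is known to tolerate a NULL handle, add `if (blstate == NULL) return;` right after the pfilter_open() call. The function also has no header comment saying what msg is — presumably the event label passed through to blacklistd — and one line stating that would help the call sites in the other files.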
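Review bot: The new pfilter.h declares its functions in terms of isc_result_t and ns_client_t but includes nothing, so it compiles only when every includer has already pulled those types in (pfilter.c does so via <named/types.h> immediately before it), and it carries no include guard. Adding an `#ifndef PFILTER_H` / `#define PFILTER_H` … `#endif` guard and `#include <named/types.h>` at the top would make the header self-contained. Keeping the parameter names in the prototype, `void pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg);`, would also document the call sites in client.c, query.c, update.c and xfrout.c.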
70===================================================================
71RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v
72retrieving revision 1.11
73diff -u -u -r1.11 client.c
74--- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11
75+++ dist/bin/named/client.c 23 Jan 2015 21:37:09 -0000
76@@ -65,6 +65,8 @@
77 #include <named/server.h>
78 #include <named/update.h>
79 
80+#include "pfilter.h"
81+
82 /***
83 *** Client
84 ***/
85@@ -3101,6 +3103,7 @@
86 result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
87 acl, default_allow);
88 
89+ pfilter_notify(result, client, opname);
90 if (result == ISC_R_SUCCESS)
91 ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
92 NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
93Index: dist/bin/named/main.c
94===================================================================
95RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v
96retrieving revision 1.15
97diff -u -u -r1.15 main.c
98--- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15
99+++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000
100@@ -83,6 +83,9 @@
101 #ifdef HAVE_LIBXML2
102 #include <libxml/xmlversion.h>
103 #endif
104+
105+#include "pfilter.h"
106+
107 /*
108 * Include header files for database drivers here.
109 */
110@@ -1206,6 +1209,8 @@
111 
112 parse_command_line(argc, argv);
113 
114+ pfilter_open();
115+
116 /*
117 * Warn about common configuration error.
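Review bot: `pfilter_notify(result, client, opname);` runs on every result of this ACL check, successes included, and as far as the hunk shows this is a generic per-client ACL helper, so each request that passes through it now also carries a report to blacklistd — a per-request cost the commit does not discuss. If success reports are intended (they would let the library clear a peer's failure count), a comment on the line saying so would help; otherwise `if (result != ISC_R_SUCCESS) pfilter_notify(result, client, opname);` matches the validatezonedb hunk in query.c, which reports only denials. The same unconditional pattern appears in update.c's third hunk (the `"updateacl"` report after ns_client_checkaclsilent) and in the xfrout.c hunk. The enclosing function starts and ends outside the hunk.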
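Review bot: The `pfilter_open();` added after parse_command_line() has no comment, and a reader cannot tell from this hunk whether its position in the function matters or whether the early open is only an optimisation, given that pfilter_notify() calls pfilter_open() itself. A one-line comment such as `/* Open the blacklistd handle once at startup; pfilter_notify() retries the open if this one fails. */` would settle that, and since pfilter_open() returns nothing and logs nothing, the comment is the only record of the intent. The enclosing function starts and ends outside the hunk.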
118 */
119Index: dist/bin/named/query.c
120===================================================================
121RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v
122retrieving revision 1.17
123diff -u -u -r1.17 query.c
124--- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17
125+++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000
126@@ -65,6 +65,8 @@
127 #include <named/sortlist.h>
128 #include <named/xfrout.h>
129 
130+#include "pfilter.h"
131+
132 #if 0
133 /*
134 * It has been recommended that DNS64 be changed to return excluded
135@@ -762,6 +764,8 @@
136 }
137 
138 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
139+ if (result != ISC_R_SUCCESS)
140+ pfilter_notify(result, client, "validatezonedb");
141 if ((options & DNS_GETDB_NOLOG) == 0) {
142 char msg[NS_CLIENT_ACLMSGSIZE("query")];
143 if (result == ISC_R_SUCCESS) {
144@@ -1026,6 +1030,8 @@
145 result = ns_client_checkaclsilent(client, NULL,
146 client->view->cacheacl,
147 ISC_TRUE);
148+ if (result == ISC_R_SUCCESS)
149+ pfilter_notify(result, client, "cachedb");
150 if (result == ISC_R_SUCCESS) {
151 /*
152 * We were allowed by the "allow-query-cache" ACL.
153Index: dist/bin/named/update.c
154===================================================================
155RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v
156retrieving revision 1.9
157diff -u -u -r1.9 update.c
158--- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9
159+++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000
160@@ -59,6 +59,8 @@
161 #include <named/server.h>
162 #include <named/update.h>
163 
164+#include "pfilter.h"
165+
166 /*! \file
167 * \brief
168 * This module implements dynamic update as in RFC2136.
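Review bot: The added `if (result == ISC_R_SUCCESS)` guarding `pfilter_notify(result, client, "cachedb")` repeats the condition on the very next line, so only successful allow-query-cache checks are reported and denials never are — the opposite of the validatezonedb hunk above, which reports only failures. If this is a typo the guard should read `if (result != ISC_R_SUCCESS)`; if reporting successes here is deliberate, the call belongs inside the following block with a comment explaining why cache-ACL successes are worth a report. The enclosing function starts and ends outside the hunk.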
169@@ -307,6 +309,7 @@
170 
171 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
172 if (result != ISC_R_SUCCESS) {
173+ pfilter_notify(result, client, "queryacl");
174 dns_name_format(zonename, namebuf, sizeof(namebuf));
175 dns_rdataclass_format(client->view->rdclass, classbuf,
176 sizeof(classbuf));
177@@ -324,6 +327,7 @@
178 sizeof(classbuf));
179 
180 result = DNS_R_REFUSED;
181+ pfilter_notify(result, client, "updateacl");
182 ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
183 NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
184 "update '%s/%s' denied", namebuf, classbuf);
185@@ -362,6 +366,7 @@
186 msg = "disabled";
187 } else {
188 result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
189+ pfilter_notify(result, client, "updateacl");
190 if (result == ISC_R_SUCCESS) {
191 level = ISC_LOG_DEBUG(3);
192 msg = "approved";
193Index: dist/bin/named/xfrout.c
194===================================================================
195RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v
196retrieving revision 1.7
197diff -u -u -r1.7 xfrout.c
198--- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7
199+++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000
200@@ -54,6 +54,8 @@
201 #include <named/server.h>
202 #include <named/xfrout.h>
203 
204+#include "pfilter.h"
205+
206 /*! \file
207 * \brief
208 * Outgoing AXFR and IXFR.
209@@ -822,6 +824,7 @@
210 &client->peeraddr,
211 &db);
212 
213+ pfilter_notify(result, client, "zonexfr");
214 if (result == ISC_R_NOPERM) {
215 char _buf1[DNS_NAME_FORMATSIZE];
216 char _buf2[DNS_RDATACLASS_FORMATSIZE];
217
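Review bot: The `pfilter_notify(result, client, "updateacl")` added after `result = DNS_R_REFUSED;` in the second update.c hunk counts this refusal against the peer, but nothing in the visible lines ties the refusal to an ACL result for this client — the value is assigned by hand, and the branch it sits in begins above the hunk. If that path is reached because the zone permits no updates at all rather than because the peer failed a check, one update sent to such a zone should not earn a strike; either skip the report there or give it its own label so blacklistd policy can treat it separately. As written it shares the `"updateacl"` label with the real ACL check in the third hunk, so the two cases cannot be told apart downstream.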
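Review bot: In the xfrout.c hunk, `pfilter_notify(result, client, "zonexfr")` reports every non-success result of the call that ends on the `&db);` line, yet only ISC_R_NOPERM is treated as a permission failure on the following line; that call begins above the hunk, so if it can also return other non-success codes (a not-found outcome, for instance), those would be counted against the peer too. Guarding it as `if (result == ISC_R_NOPERM) pfilter_notify(result, client, "zonexfr");`, or moving the call into the ISC_R_NOPERM branch, limits reports to actual denials. The enclosing function starts and ends outside the hunk.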