[ratelimits] exempt-clients and ACLs

Vernon Schryver vjs at rhyolite.com
Mon Aug 6 15:24:49 UTC 2012


On 08/06/12 14:14, Tony Finch wrote:

> I don't actually have any acl statements in my configuration. I was
> expecting the built-in localhost acl to work. This seems to require an
> acl environment to work, and the call to dns_acl_match in rrl.c doesn't
> provide one.

That is a good point.
The attached patch, applied with `patch -s -p1 <aclenv.patch`
in a source tree with the current version, seems to fix that problem.

People who do not care about exempt-clients{local*;} would probably
do best by waiting for the next version of the complete patch from the
web site.


Vernon Schryver   vjs at rhyolite.com
-------------- next part --------------
diff --git a/bin/named/client.c b/bin/named/client.c
index cee21b5..592c134 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1147,7 +1147,7 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
 		dns_rrl_result_t rrl_result;
 
 		wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);
-		rrl_result = dns_rrl(client->view->rrl, &client->peeraddr,
+		rrl_result = dns_rrl(client->view, &client->peeraddr,
 				     dns_rdataclass_in, dns_rdatatype_none,
 				     NULL, rcode, client->now, wouldlog,
 				     TCP_CLIENT(client),
diff --git a/bin/named/query.c b/bin/named/query.c
index 7cc9ee9..99e96d5 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -5854,7 +5854,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
 			rcode = dns_rcode_noerror;
 			err_str = "";
 		}
-		rrl_result = dns_rrl(client->view->rrl, &client->peeraddr,
+		rrl_result = dns_rrl(client->view, &client->peeraddr,
 				     client->message->rdclass, qtype, tname,
 				     rcode, client->now, wouldlog,
 				     ISC_TF((client->attributes
diff --git a/lib/dns/include/dns/rrl.h b/lib/dns/include/dns/rrl.h
index a5b13b0..f22d868 100644
--- a/lib/dns/include/dns/rrl.h
+++ b/lib/dns/include/dns/rrl.h
@@ -155,7 +155,7 @@ typedef enum {
 } dns_rrl_result_t;
 
 dns_rrl_result_t
-dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
+dns_rrl(dns_view_t *view, const isc_sockaddr_t *client_addr,
 	dns_rdataclass_t rdclass, dns_rdatatype_t qtype,
 	dns_name_t *fname, dns_rcode_t rcode, isc_stdtime_t now,
 	isc_boolean_t wouldlog, isc_boolean_t is_tcp,
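Review bot: The prototype now names `dns_view_t`, but nothing in this hunk brings that type into scope for rrl.h; unless the header already includes `<dns/types.h>` (not visible here), a translation unit that includes only rrl.h will stop compiling, so a `#include <dns/types.h>` should accompany the signature change. The new contract should also be stated on the declaration, since the caller-visible requirement changed from a non-NULL `rrl` to a view carrying both the limiter and its ACL environment: `/* view->rrl must be non-NULL; view->aclenv is used to evaluate exempt-clients */`. Any existing comment on this declaration is outside the hunk.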
diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c
index d842cc1..e19a3d6 100644
--- a/lib/dns/rrl.c
+++ b/lib/dns/rrl.c
@@ -717,7 +717,7 @@ log_sub(int level, dns_rcode_t rcode, const char *log_ws_buf,
  * Main rate limit interface.
  */
 dns_rrl_result_t
-dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
+dns_rrl(dns_view_t *view, const isc_sockaddr_t *client_addr,
 	dns_rdataclass_t rdclass, dns_rdatatype_t qtype,
 	dns_name_t *tgt_name, dns_rcode_t rcode, isc_stdtime_t now,
 	isc_boolean_t wouldlog, isc_boolean_t is_tcp,
@@ -725,6 +725,7 @@ dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
 	char *log_client_buf, int log_client_buf_len,
 	char *tgt_name_buf, int tgt_name_buf_len)
 {
+	dns_rrl_t *rrl;
 	dns_rrl_kflags_t kflags;
 	dns_rrl_entry_t *e;
 	isc_netaddr_t netclient;
@@ -739,10 +740,11 @@ dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
 	INSIST(log_client_buf != NULL && log_client_buf_len > 0);
 	INSIST(tgt_name_buf != NULL && tgt_name_buf_len > 0);
 
+	rrl = view->rrl;
 	if (rrl->exempt != NULL) {
 		isc_netaddr_fromsockaddr(&netclient, client_addr);
 		result = dns_acl_match(&netclient, NULL, rrl->exempt,
-				       NULL, &exempt_match, NULL);
+				       &view->aclenv, &exempt_match, NULL);
 		if (result == ISC_R_SUCCESS && exempt_match > 0)
 			return DNS_RRL_RESULT_OK;
 	}
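Review bot: `rrl = view->rrl;` at the top of this hunk is dereferenced on the very next line (`rrl->exempt`) with no check, while the function's other preconditions are asserted with INSIST two lines above; the new argument should be checked the same way, `INSIST(view != NULL && view->rrl != NULL);` before the assignment, so a view without rate limiting configured fails loudly instead of with a null dereference. Whether every caller already guards on `view->rrl != NULL` is not visible in this patch. The exemption decision also deserves a comment, because any result other than `ISC_R_SUCCESS` from dns_acl_match falls through to normal rate limiting, which is the right direction for an exemption: `/* A failed or negative ACL match is treated as not exempt (fail closed). */`. dns_rrl's body continues past the end of this hunk.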

