[ratelimits] exempt-clients and ACLs
Vernon Schryver
vjs at rhyolite.com
Mon Aug 6 15:24:49 UTC 2012
On 08/06/12 14:14, Tony Finch wrote:
> I don't actually have any acl statements in my configuration. I was
> expecting the built-in localhost acl to work. This seems to require an
> acl environment to work, and the call to dns_acl_match in rrl.c doesn't
> provide one.
That is a good point.
The attached patch, applied with `patch -s -p1 <aclenv.patch`
in a source tree with the current version, seems to fix that problem.
People who do not care about exempt-clients{local*;} would probably
do best by waiting for the next version of the complete patch from the
web site.
Vernon Schryver vjs at rhyolite.com
-------------- next part --------------
diff --git a/bin/named/client.c b/bin/named/client.c
index cee21b5..592c134 100644
--- a/bin/named/client.c
+++ b/bin/named/client.c
@@ -1147,7 +1147,7 @@ ns_client_error(ns_client_t *client, isc_result_t result) {
dns_rrl_result_t rrl_result;
wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP);
- rrl_result = dns_rrl(client->view->rrl, &client->peeraddr,
+ rrl_result = dns_rrl(client->view, &client->peeraddr,
dns_rdataclass_in, dns_rdatatype_none,
NULL, rcode, client->now, wouldlog,
TCP_CLIENT(client),
diff --git a/bin/named/query.c b/bin/named/query.c
index 7cc9ee9..99e96d5 100644
--- a/bin/named/query.c
+++ b/bin/named/query.c
@@ -5854,7 +5854,7 @@ query_find(ns_client_t *client, dns_fetchevent_t *event, dns_rdatatype_t qtype)
rcode = dns_rcode_noerror;
err_str = "";
}
- rrl_result = dns_rrl(client->view->rrl, &client->peeraddr,
+ rrl_result = dns_rrl(client->view, &client->peeraddr,
client->message->rdclass, qtype, tname,
rcode, client->now, wouldlog,
ISC_TF((client->attributes
diff --git a/lib/dns/include/dns/rrl.h b/lib/dns/include/dns/rrl.h
index a5b13b0..f22d868 100644
--- a/lib/dns/include/dns/rrl.h
+++ b/lib/dns/include/dns/rrl.h
@@ -155,7 +155,7 @@ typedef enum {
} dns_rrl_result_t;
dns_rrl_result_t
-dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
+dns_rrl(dns_view_t *view, const isc_sockaddr_t *client_addr,
dns_rdataclass_t rdclass, dns_rdatatype_t qtype,
dns_name_t *fname, dns_rcode_t rcode, isc_stdtime_t now,
isc_boolean_t wouldlog, isc_boolean_t is_tcp,
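Review bot: The prototype now names `dns_view_t`, so that type must already be declared where rrl.h is included; the hunk shows no include change, and unless rrl.h already pulls in the header that forward-declares dns_view_t (dns/types.h in BIND, presumably) this header will not compile on its own. The change also makes the rate limiter reach into the view for both `view->rrl` and `view->aclenv`, which is worth stating in the function's doc comment so callers know why a view rather than a `dns_rrl_t` is required, e.g. `/* view supplies view->rrl and the ACL environment (view->aclenv) needed to match built-in ACLs such as localhost/localnets in exempt-clients */`. The parameter list continues past the end of the hunk.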
diff --git a/lib/dns/rrl.c b/lib/dns/rrl.c
index d842cc1..e19a3d6 100644
--- a/lib/dns/rrl.c
+++ b/lib/dns/rrl.c
@@ -717,7 +717,7 @@ log_sub(int level, dns_rcode_t rcode, const char *log_ws_buf,
* Main rate limit interface.
*/
dns_rrl_result_t
-dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
+dns_rrl(dns_view_t *view, const isc_sockaddr_t *client_addr,
dns_rdataclass_t rdclass, dns_rdatatype_t qtype,
dns_name_t *tgt_name, dns_rcode_t rcode, isc_stdtime_t now,
isc_boolean_t wouldlog, isc_boolean_t is_tcp,
@@ -725,6 +725,7 @@ dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
char *log_client_buf, int log_client_buf_len,
char *tgt_name_buf, int tgt_name_buf_len)
{
+ dns_rrl_t *rrl;
dns_rrl_kflags_t kflags;
dns_rrl_entry_t *e;
isc_netaddr_t netclient;
@@ -739,10 +740,11 @@ dns_rrl(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr,
INSIST(log_client_buf != NULL && log_client_buf_len > 0);
INSIST(tgt_name_buf != NULL && tgt_name_buf_len > 0);
+ rrl = view->rrl;
if (rrl->exempt != NULL) {
isc_netaddr_fromsockaddr(&netclient, client_addr);
result = dns_acl_match(&netclient, NULL, rrl->exempt,
- NULL, &exempt_match, NULL);
+ &view->aclenv, &exempt_match, NULL);
if (result == ISC_R_SUCCESS && exempt_match > 0)
return DNS_RRL_RESULT_OK;
}
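Review bot: The added `rrl = view->rrl;` is dereferenced immediately by `rrl->exempt` with no check that rate limiting is actually configured for this view; before the change callers passed `client->view->rrl` themselves and any NULL guard presumably lived at the call site, which is no longer visible from the callee. An explicit precondition makes the contract obvious, either `REQUIRE(view != NULL && view->rrl != NULL);` before the assignment, or `if (rrl == NULL) return DNS_RRL_RESULT_OK;` if callers are meant to be able to invoke this unconditionally. Separately, the exempt match returns DNS_RRL_RESULT_OK before `is_tcp` is consulted, so the exemption also applies to UDP queries whose source address can be forged; anyone who can spoof an address inside an exempt-clients range such as localnets bypasses rate limiting entirely, which deserves a comment on this branch and a caveat in the exempt-clients documentation. The function body continues beyond the hunk.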