blasklist hooks trunk
authorchristos <christos@NetBSD.org>
Sun, 25 Jan 2015 15:51:53 +0000
branchtrunk
changeset 233063 ee4118fc07c4
parent 233062 a024360120ca
child 233064 bfdc4fab854c
blasklist hooks
external/bsd/bind/bin/named/Makefile
external/bsd/bind/dist/bin/named/client.c
external/bsd/bind/dist/bin/named/main.c
external/bsd/bind/dist/bin/named/query.c
external/bsd/bind/dist/bin/named/update.c
external/bsd/bind/dist/bin/named/xfrout.c
--- a/external/bsd/bind/bin/named/Makefile	Sun Jan 25 15:51:17 2015 +0000
+++ b/external/bsd/bind/bin/named/Makefile	Sun Jan 25 15:51:53 2015 +0000
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.8 2013/12/31 20:23:12 christos Exp $
+#	$NetBSD: Makefile,v 1.9 2015/01/25 15:51:53 christos Exp $
 
 .include <bsd.own.mk>
 
@@ -33,7 +33,9 @@
 	lwaddr.c lwdclient.c lwderror.c \
 	lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \
 	main.c notify.c query.c server.c sortlist.c statschannel.c \
-	tkeyconf.c tsigconf.c \
+	pfilter.c tkeyconf.c tsigconf.c \
 	update.c xfrout.c zoneconf.c ${SRCS_UNIX}
 
+LDADD+=-lblacklist
+DPADD+=${LIBBLACKLIST}
 .include <bsd.prog.mk>
--- a/external/bsd/bind/dist/bin/named/client.c	Sun Jan 25 15:51:17 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/client.c	Sun Jan 25 15:51:53 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: client.c,v 1.11 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: client.c,v 1.12 2015/01/25 15:51:53 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -65,6 +65,8 @@
 #include <named/server.h>
 #include <named/update.h>
 
+#include "pfilter.h"
+
 /***
  *** Client
  ***/
@@ -3101,6 +3103,7 @@
 	result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL,
 					  acl, default_allow);
 
+	pfilter_notify(result, client, opname);
 	if (result == ISC_R_SUCCESS)
 		ns_client_log(client, DNS_LOGCATEGORY_SECURITY,
 			      NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3),
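Review bot: The added `pfilter_notify(result, client, opname);` runs on every pass through this ACL check, for allowed and refused clients alike, and nothing at the call site distinguishes TCP from UDP peers. pfilter.c is not part of this diff, so it cannot be confirmed here, but if UDP refusals are forwarded to blacklistd, the peer address of a refused UDP query is unauthenticated and a block could land on a host that never sent the query. Restricting failure reports to TCP clients, or stating that restriction in a comment at this call such as `/* report ACL result to blacklistd; UDP peers are handled in pfilter.c */`, would make the behaviour reviewable. The enclosing function starts and ends outside the hunk.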
--- a/external/bsd/bind/dist/bin/named/main.c	Sun Jan 25 15:51:17 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/main.c	Sun Jan 25 15:51:53 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.15 2014/12/10 04:37:51 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.16 2015/01/25 15:51:53 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -83,6 +83,9 @@
 #ifdef HAVE_LIBXML2
 #include <libxml/xmlversion.h>
 #endif
+
+#include "pfilter.h"
+
 /*
  * Include header files for database drivers here.
  */
@@ -1206,6 +1209,8 @@
 
 	parse_command_line(argc, argv);
 
+	pfilter_open();
+
 	/*
 	 * Warn about common configuration error.
 	 */
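Review bot: `pfilter_open()` is added with no comment on why it sits directly after `parse_command_line()`, and the rest of the setup sequence is outside this hunk. If named later chroots or drops privileges, the blacklistd connection presumably has to exist before that point; if that is the intent, the ordering constraint should be recorded, e.g. `/* connect to blacklistd early, before chroot and privilege drop */`. Whether a failed open is reported or silently ignored cannot be seen here, because pfilter.c is not shown in this diff.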
--- a/external/bsd/bind/dist/bin/named/query.c	Sun Jan 25 15:51:17 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/query.c	Sun Jan 25 15:51:53 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: query.c,v 1.17 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: query.c,v 1.18 2015/01/25 15:51:53 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -65,6 +65,8 @@
 #include <named/sortlist.h>
 #include <named/xfrout.h>
 
+#include "pfilter.h"
+
 #if 0
 /*
  * It has been recommended that DNS64 be changed to return excluded
@@ -762,6 +764,8 @@
 	}
 
 	result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
+	if (result != ISC_R_SUCCESS)
+		pfilter_notify(result, client, "validatezonedb");
 	if ((options & DNS_GETDB_NOLOG) == 0) {
 		char msg[NS_CLIENT_ACLMSGSIZE("query")];
 		if (result == ISC_R_SUCCESS) {
@@ -1026,6 +1030,8 @@
 		result = ns_client_checkaclsilent(client, NULL,
 						  client->view->cacheacl,
 						  ISC_TRUE);
+		if (result == ISC_R_SUCCESS)
+			pfilter_notify(result, client, "cachedb");
 		if (result == ISC_R_SUCCESS) {
 			/*
 			 * We were allowed by the "allow-query-cache" ACL.
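Review bot: The cache ACL hook reports only when `result == ISC_R_SUCCESS`, so a client refused by the "allow-query-cache" check is never reported, while the "validatezonedb" hunk earlier in this file reports only when `result != ISC_R_SUCCESS`. If denials are what should reach blacklistd, the condition should read `if (result != ISC_R_SUCCESS)`; if successes are reported on purpose, a comment should say why this site differs. As written the test is also repeated by the `if (result == ISC_R_SUCCESS)` on the following line, so the call could move inside that branch. The enclosing function extends beyond the hunk.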
--- a/external/bsd/bind/dist/bin/named/update.c	Sun Jan 25 15:51:17 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/update.c	Sun Jan 25 15:51:53 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: update.c,v 1.9 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: update.c,v 1.10 2015/01/25 15:51:53 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -59,6 +59,8 @@
 #include <named/server.h>
 #include <named/update.h>
 
+#include "pfilter.h"
+
 /*! \file
  * \brief
  * This module implements dynamic update as in RFC2136.
@@ -307,6 +309,7 @@
 
 	result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE);
 	if (result != ISC_R_SUCCESS) {
+		pfilter_notify(result, client, "queryacl");
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
@@ -324,6 +327,7 @@
 				      sizeof(classbuf));
 
 		result = DNS_R_REFUSED;
+		pfilter_notify(result, client, "updateacl");
 		ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY,
 			      NS_LOGMODULE_UPDATE, ISC_LOG_INFO,
 			      "update '%s/%s' denied", namebuf, classbuf);
@@ -362,6 +366,7 @@
 		msg = "disabled";
 	} else {
 		result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE);
+		pfilter_notify(result, client, "updateacl");
 		if (result == ISC_R_SUCCESS) {
 			level = ISC_LOG_DEBUG(3);
 			msg = "approved";
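Review bot: The tag `"updateacl"` passed here is the same string used by the hunk above, where `pfilter_notify(result, client, "updateacl");` follows the hard-coded `result = DNS_R_REFUSED;`, so the two call sites cannot be told apart by tag. Assuming the third argument ends up in what blacklistd records, a distinct string at the other site, e.g. `pfilter_notify(result, client, "update-refused");`, would let an operator see which check fired. This call also reports both approved and denied results, whereas the first hook in this file reports only failures; a one-line comment stating which convention is intended would help. The enclosing function starts and ends outside the hunk.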
--- a/external/bsd/bind/dist/bin/named/xfrout.c	Sun Jan 25 15:51:17 2015 +0000
+++ b/external/bsd/bind/dist/bin/named/xfrout.c	Sun Jan 25 15:51:53 2015 +0000
@@ -1,4 +1,4 @@
-/*	$NetBSD: xfrout.c,v 1.7 2014/12/10 04:37:52 christos Exp $	*/
+/*	$NetBSD: xfrout.c,v 1.8 2015/01/25 15:51:53 christos Exp $	*/
 
 /*
  * Copyright (C) 2004-2014  Internet Systems Consortium, Inc. ("ISC")
@@ -54,6 +54,8 @@
 #include <named/server.h>
 #include <named/xfrout.h>
 
+#include "pfilter.h"
+
 /*! \file
  * \brief
  * Outgoing AXFR and IXFR.
@@ -822,6 +824,7 @@
 						     &client->peeraddr,
 						     &db);
 
+			pfilter_notify(result, client, "zonexfr");
 			if (result == ISC_R_NOPERM) {
 				char _buf1[DNS_NAME_FORMATSIZE];
 				char _buf2[DNS_RDATACLASS_FORMATSIZE];
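Review bot: `pfilter_notify(result, client, "zonexfr");` is called for every value of `result`, but the code that follows treats only `ISC_R_NOPERM` as a permission denial. If pfilter_notify counts any non-success result as a failure (pfilter.c is not in this diff), a lookup that fails for another reason would be reported against the client. Limiting the call, e.g. `if (result == ISC_R_SUCCESS || result == ISC_R_NOPERM) pfilter_notify(result, client, "zonexfr");`, keeps the reporting aligned with the denial check. The call that sets `result` and the enclosing function begin above the hunk.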