From f20def5e795b1bf170f384f57701ebaaba195352 Mon Sep 17 00:00:00 2001
From: Marek Vavrusa <marek.vavrusa@nic.cz>
Date: Mon, 1 Aug 2011 18:31:57 +0200
Subject: [PATCH] Fixed ACL checking for XFR-IN.

---
 src/knot/server/name-server.c | 7 +++++++
 src/knot/server/zones.c       | 5 +++++
 src/knot/server/zones.h       | 1 +
 3 files changed, 13 insertions(+)

diff --git a/src/knot/server/name-server.c b/src/knot/server/name-server.c
index 2e4ab3a8b..443185ac0 100644
--- a/src/knot/server/name-server.c
+++ b/src/knot/server/name-server.c
@@ -3050,6 +3050,13 @@ int ns_process_response(ns_nameserver_t *nameserver, sockaddr_t *from,
 			return KNOT_EINVAL;
 		}
 
+		/* Match against ACL to verify. */
+		if (acl_match(zd->xfr_in.acl, from) == ACL_DENY) {
+			debug_ns("Unauthorized SOA response, will not start "
+				 "XFR.\n");
+			return KNOT_EINVAL;
+		}
+
 		/* Cancel EXPIRE timer. */
 		evsched_t *sched = nameserver->server->sched;
 		event_t *expire_ev = zd->xfr_in.expire;
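Review bot: The new guard denies only when acl_match() returns exactly ACL_DENY, so any other non-accept result (for example an error value if `zd->xfr_in.acl` is NULL because no xfr-in ACL was configured) falls through and the transfer is started; testing for the positive result, `if (acl_match(zd->xfr_in.acl, from) != ACL_ACCEPT) {`, fails closed instead. Whether acl_match() tolerates a NULL ACL is not visible here, so that case is worth confirming against the assignment added in zones.c. Note that the check keys on the source address `from` alone, which is a coarse filter on an unsolicited SOA response rather than authentication of the master. ns_process_response starts and ends outside the hunk.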
diff --git a/src/knot/server/zones.c b/src/knot/server/zones.c
index 6da0539ef..7db3cecec 100644
--- a/src/knot/server/zones.c
+++ b/src/knot/server/zones.c
@@ -763,6 +763,7 @@ static int zones_insert_zones(ns_nameserver_t *ns,
 
 			/* Update ACLs. */
 			debug_zones("Updating zone ACLs.\n");
+			zones_set_acl(&zd->xfr_in.acl, &z->acl.xfr_in);
 			zones_set_acl(&zd->xfr_out, &z->acl.xfr_out);
 			zones_set_acl(&zd->notify_in, &z->acl.notify_in);
 			zones_set_acl(&zd->notify_out, &z->acl.notify_out);
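Review bot: `zd->xfr_in.acl` is a newly added field and this line is its only assignment in the patch; if zones_set_acl() leaves it unset for a zone whose configuration has no xfr-in ACL, the check added in name-server.c operates on an uninitialised pointer. Either the field should be zeroed where the zonedata is allocated, or acl_match() must be known to treat NULL as deny; neither is visible in this hunk. It is also not shown whether a previously installed ACL is released before being replaced on reload, which the neighbouring xfr_out/notify calls presumably rely on zones_set_acl() to handle. zones_insert_zones continues outside the hunk.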
@@ -779,6 +780,10 @@ static int zones_insert_zones(ns_nameserver_t *ns,
 					     cfg_if->family,
 					     cfg_if->address,
 					     cfg_if->port);
+
+				debug_zones("Using %s:%d as zone XFR master.\n",
+					    cfg_if->address,
+					    cfg_if->port);
 			}
 
 			/* Update events scheduled for zone. */
diff --git a/src/knot/server/zones.h b/src/knot/server/zones.h
index ceb902f42..565003587 100644
--- a/src/knot/server/zones.h
+++ b/src/knot/server/zones.h
@@ -41,6 +41,7 @@ typedef struct zonedata_t
 	/*! \brief XFR-IN scheduler. */
 	struct {
 		list          **ifaces; /*!< List of availabel interfaces. */
+		acl_t         *acl;     /*!< ACL for xfr-in.*/
 		sockaddr_t     master;  /*!< Master server for xfr-in.*/
 		struct event_t *timer;  /*!< Timer for REFRESH/RETRY. */
 		struct event_t *expire; /*!< Timer for REFRESH. */
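Review bot: The new field's comment states only its purpose; since name-server.c now reads it on every SOA response, it should also record ownership and what NULL means, e.g. `acl_t *acl; /*!< ACL for xfr-in (not owned here; NULL = no ACL configured, treated as deny). */`, with the NULL wording adjusted to what acl_match() actually does. The missing space before `*/` also differs from the `master` line directly below. The zonedata_t definition continues outside the hunk.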
-- 
GitLab