Fixed ACL checking for XFR-IN.

f20def5e · Marek Vavrusa · 2dfbf205 · f20def5e · f20def5e · f20def5e
Commit f20def5e authored 13 years ago by Marek Vavrusa
--- a/src/knot/server/name-server.c
+++ b/src/knot/server/name-server.c
@@ -3050,6 +3050,13 @@ int ns_process_response(ns_nameserver_t *nameserver, sockaddr_t *from,
 			return KNOT_EINVAL;
 		}

+		/* Match against ACL to verify. */
+		if (acl_match(zd->xfr_in.acl, from) == ACL_DENY) {
+			debug_ns("Unauthorized SOA response, will not start "
+				 "XFR.\n");
+			return KNOT_EINVAL;
+		}
+
 		/* Cancel EXPIRE timer. */
 		evsched_t *sched = nameserver->server->sched;
 		event_t *expire_ev = zd->xfr_in.expire;

--- a/src/knot/server/zones.c
+++ b/src/knot/server/zones.c
@@ -763,6 +763,7 @@ static int zones_insert_zones(ns_nameserver_t *ns,

 			/* Update ACLs. */
 			debug_zones("Updating zone ACLs.\n");
+			zones_set_acl(&zd->xfr_in.acl, &z->acl.xfr_in);
 			zones_set_acl(&zd->xfr_out, &z->acl.xfr_out);
 			zones_set_acl(&zd->notify_in, &z->acl.notify_in);
 			zones_set_acl(&zd->notify_out, &z->acl.notify_out);
@@ -779,6 +780,10 @@ static int zones_insert_zones(ns_nameserver_t *ns,
 					     cfg_if->family,
 					     cfg_if->address,
 					     cfg_if->port);
+
+				debug_zones("Using %s:%d as zone XFR master.\n",
+					    cfg_if->address,
+					    cfg_if->port);
 			}

 			/* Update events scheduled for zone. */

--- a/src/knot/server/zones.h
+++ b/src/knot/server/zones.h
@@ -41,6 +41,7 @@ typedef struct zonedata_t
 	/*! \brief XFR-IN scheduler. */
 	struct {
 		list          **ifaces; /*!< List of availabel interfaces. */
+		acl_t         *acl;     /*!< ACL for xfr-in.*/
 		sockaddr_t     master;  /*!< Master server for xfr-in.*/
 		struct event_t *timer;  /*!< Timer for REFRESH/RETRY. */
 		struct event_t *expire; /*!< Timer for REFRESH. */