1012 | 1012 |
static int
|
1013 | 1013 |
deny_refuse(struct comm_point* c, enum acl_access acl,
|
1014 | 1014 |
enum acl_access deny, enum acl_access refuse,
|
1015 | |
struct worker* worker, struct comm_reply* repinfo)
|
|
1015 |
struct worker* worker, struct comm_reply* repinfo,
|
|
1016 |
struct acl_addr* acladdr)
|
1016 | 1017 |
{
|
1017 | 1018 |
if(acl == deny) {
|
|
1019 |
if(verbosity >= VERB_ALGO) {
|
|
1020 |
log_acl_action("dropped", &repinfo->addr,
|
|
1021 |
repinfo->addrlen, acl, acladdr);
|
|
1022 |
log_buf(VERB_ALGO, "dropped", c->buffer);
|
|
1023 |
}
|
1018 | 1024 |
comm_point_drop_reply(repinfo);
|
1019 | 1025 |
if(worker->stats.extended)
|
1020 | 1026 |
worker->stats.unwanted_queries++;
|
1021 | 1027 |
return 0;
|
1022 | 1028 |
} else if(acl == refuse) {
|
1023 | |
log_addr(VERB_ALGO, "refused query from",
|
1024 | |
&repinfo->addr, repinfo->addrlen);
|
1025 | |
log_buf(VERB_ALGO, "refuse", c->buffer);
|
|
1029 |
if(verbosity >= VERB_ALGO) {
|
|
1030 |
log_acl_action("refused", &repinfo->addr,
|
|
1031 |
repinfo->addrlen, acl, acladdr);
|
|
1032 |
log_buf(VERB_ALGO, "refuse", c->buffer);
|
|
1033 |
}
|
1026 | 1034 |
if(worker->stats.extended)
|
1027 | 1035 |
worker->stats.unwanted_queries++;
|
1028 | 1036 |
if(worker_check_request(c->buffer, worker) == -1) {
|
|
1045 | 1053 |
|
1046 | 1054 |
static int
|
1047 | 1055 |
deny_refuse_all(struct comm_point* c, enum acl_access acl,
|
1048 | |
struct worker* worker, struct comm_reply* repinfo)
|
1049 | |
{
|
1050 | |
return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo);
|
|
1056 |
struct worker* worker, struct comm_reply* repinfo,
|
|
1057 |
struct acl_addr* acladdr)
|
|
1058 |
{
|
|
1059 |
return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo,
|
|
1060 |
acladdr);
|
1051 | 1061 |
}
|
1052 | 1062 |
|
1053 | 1063 |
static int
|
1054 | 1064 |
deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
|
1055 | |
struct worker* worker, struct comm_reply* repinfo)
|
1056 | |
{
|
1057 | |
return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo);
|
|
1065 |
struct worker* worker, struct comm_reply* repinfo,
|
|
1066 |
struct acl_addr* acladdr)
|
|
1067 |
{
|
|
1068 |
return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local,
|
|
1069 |
worker, repinfo, acladdr);
|
1058 | 1070 |
}
|
1059 | 1071 |
|
1060 | 1072 |
int
|
|
1146 | 1158 |
acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr,
|
1147 | 1159 |
repinfo->addrlen);
|
1148 | 1160 |
acl = acl_get_control(acladdr);
|
1149 | |
if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1)
|
|
1161 |
if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr)) != -1)
|
1150 | 1162 |
{
|
1151 | 1163 |
if(ret == 1)
|
1152 | 1164 |
goto send_reply;
|
|
1366 | 1378 |
|
1367 | 1379 |
/* We've looked in our local zones. If the answer isn't there, we
|
1368 | 1380 |
* might need to bail out based on ACLs now. */
|
1369 | |
if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1)
|
|
1381 |
if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr)) != -1)
|
1370 | 1382 |
{
|
1371 | 1383 |
regional_free_all(worker->scratchpad);
|
1372 | 1384 |
if(ret == 1)
|
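Review bot: In deny_refuse, the new `log_acl_action("dropped", ...)` and `log_acl_action("refused", ...)` calls receive `acladdr` straight from the caller's `acl_addr_lookup` result, and nothing visible here guarantees that pointer is non-NULL on the deny path, which is presumably the path taken when no ACL entry matches the client. log_acl_action is not shown on this page, so confirm it tolerates a NULL entry, and document the contract on the new parameter, for example `/* acladdr: ACL entry that matched the client, NULL if none matched; only used for logging. */`. The drop branch also gains a `log_buf` of the packet, so at VERB_ALGO every dropped query from a denied source now writes two records, which matters for log volume when that verbosity is enabled during a flood. The refuse branch of deny_refuse continues past the end of the hunk shown.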