945. [func] Add the new view-specific options

"match-destinations" and "match-recursive-only".

CHANGES

@@ -1,4 +1,7 @@
 
+ 945.	[func]		Add the new view-specific options
+ 			"match-destinations" and "match-recursive-only".
+
  944.	[func]		Check for expired signatures on load.
 
  943.	[bug]		The server could crash when receiving a command

bin/named/client.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: client.c,v 1.174 2001/06/28 02:39:46 marka Exp $ */
+/* $Id: client.c,v 1.175 2001/07/26 20:42:38 bwelling Exp $ */
 
 #include <config.h>
 
@@ -1189,6 +1189,19 @@ client_getoptattrs(ns_client_t *client, dns_rdataset_t *opt) {
 }
 #endif /* DNS_OPT_NEWCODES */
 
+static inline isc_boolean_t
+allowed(isc_netaddr_t *addr, dns_acl_t *acl) {
+	int match;
+	isc_result_t result;
+
+	if (acl == NULL)
+		return (ISC_TRUE);
+	result = dns_acl_match(addr, NULL, acl, &ns_g_server->aclenv,
+			       &match, NULL);
+	if (result == ISC_R_SUCCESS && match > 0)
+		return (ISC_TRUE);
+	return (ISC_FALSE);
+}
 
 /*
  * Handle an incoming request event from the socket (UDP case)
@@ -1438,11 +1451,14 @@ client_request(isc_task_t *task, isc_event_t *event) {
 		if (client->message->rdclass == view->rdclass ||
 		    client->message->rdclass == dns_rdataclass_any)
 		{
-			if (view->matchclients == NULL ||
-			    (dns_acl_match(&netaddr, NULL, view->matchclients,
-					   &ns_g_server->aclenv,
-					   &match, NULL) == ISC_R_SUCCESS &&
-			     match > 0))
+			isc_netaddr_t destaddr;
+
+			isc_netaddr_fromsockaddr(&destaddr,
+						 &client->interface->addr); 
+			if (allowed(&netaddr, view->matchclients) &&
+			    allowed(&destaddr, view->matchdestinations) &&
+			    !((flags & DNS_MESSAGEFLAG_RD) == 0 &&
+			      view->matchrecursiveonly))
 			{
 				dns_view_attach(view, &client->view);
 				break;

bin/named/server.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.335 2001/07/23 17:31:33 gson Exp $ */
+/* $Id: server.c,v 1.336 2001/07/26 20:42:40 bwelling Exp $ */
 
 #include <config.h>
 
@@ -728,10 +728,22 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
 	dns_aclenv_copy(&view->aclenv, &ns_g_server->aclenv);
 
 	/*
-	 * Configure the "match-clients" ACL.
+	 * Configure the "match-clients" and "match-destinations" ACL.
 	 */
 	CHECK(configure_view_acl(vconfig, config, "match-clients", actx,
 				 ns_g_mctx, &view->matchclients));
+	CHECK(configure_view_acl(vconfig, config, "match-destinations", actx,
+				 ns_g_mctx, &view->matchdestinations));
+
+	/*
+	 * Configure the "match-recursive-only" option.
+	 */
+	obj = NULL;
+	(void) ns_config_get(maps, "match-recursive-only", &obj);
+	if (obj != NULL && cfg_obj_asboolean(obj))
+		view->matchrecursiveonly = ISC_TRUE;
+	else
+		view->matchrecursiveonly = ISC_FALSE;
 
 	/*
 	 * Configure other configurable data.

doc/arm/Bv9ARM-book.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
                "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd">
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.148 2001/07/06 20:39:43 gson Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.149 2001/07/26 20:42:42 bwelling Exp $ -->
 
 <book>
 <title>BIND 9 Administrator Reference Manual</title>
@@ -4054,6 +4054,8 @@ key data.</para></sect2>
 <sect2><title><command>view</command> Statement Grammar</title>
 <programlisting>view <replaceable>view_name</replaceable> <optional><replaceable>class</replaceable></optional> {
       match-clients { <replaceable>address_match_list</replaceable> } ;
+      match-destinations { <replaceable>address_match_list</replaceable> } ;
+      match-recursive-only { <replaceable>yes_or_no</replaceable> } ;
       <optional> <replaceable>view_option</replaceable>; ...</optional>
       <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
       <optional> <replaceable>zone_statement</replaceable>; ...</optional>
@@ -4065,11 +4067,19 @@ of <acronym>BIND</acronym> 9 that lets a name server answer a DNS query differen
 depending on who is asking. It is particularly useful for implementing
 split DNS setups without having to run multiple servers.</para>
 <para>Each <command>view</command> statement defines a view of the
-DNS namespace that will be seen by those clients whose IP addresses
-match the <varname>address_match_list</varname> of the view's <command>match-clients</command> clause.
- The order of the <command>view</command> statements is significant-a
-client query will be resolved in the context of the first <command>view</command> whose <command>match-clients</command> list
-matches the client's IP address.</para>
+DNS namespace that will be seen by a subset of clients.  A client matches
+a view if its source IP address matches the 
+<varname>address_match_list</varname> of the view's
+<command>match-clients</command> clause and its destination IP address matches
+the <varname>address_match_list</varname> of the view's
+<command>match-destinations</command> clause.  If not specified, both
+<command>match-clients</command> and <command>match-destinations</command>
+default to matching all addresses.  A view can also be specified
+as <command>match-recursive-only</command>, which means that only recursive
+queries from matching clients will match that view.
+ The order of the <command>view</command> statements is significant - a
+client query will be resolved in the context of the first
+<command>view</command> that it matches.
 <para>Zones defined within a <command>view</command> statement will
 be only be accessible to clients that match the <command>view</command>.
  By defining a zone of the same name in multiple views, different

lib/dns/include/dns/view.h

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.h,v 1.71 2001/05/07 23:34:09 gson Exp $ */
+/* $Id: view.h,v 1.72 2001/07/26 20:42:45 bwelling Exp $ */
 
 #ifndef DNS_VIEW_H
 #define DNS_VIEW_H 1
@@ -123,6 +123,8 @@ struct dns_view {
 	 * locked by server configuration lock.
 	 */
 	dns_acl_t *			matchclients;
+	dns_acl_t *			matchdestinations;
+	isc_boolean_t			matchrecursiveonly;
 
 	/* Locked by themselves. */
 	isc_refcount_t			references;

lib/dns/view.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: view.c,v 1.100 2001/05/07 23:34:04 gson Exp $ */
+/* $Id: view.c,v 1.101 2001/07/26 20:42:44 bwelling Exp $ */
 
 #include <config.h>
 
@@ -133,6 +133,8 @@ dns_view_create(isc_mem_t *mctx, dns_rdataclass_t rdclass,
 	view->statickeys = NULL;
 	view->dynamickeys = NULL;
 	view->matchclients = NULL;
+	view->matchdestinations = NULL;
+	view->matchrecursiveonly = ISC_FALSE;
 	result = dns_tsigkeyring_create(view->mctx, &view->dynamickeys);
 	if (result != ISC_R_SUCCESS)
 		goto cleanup_fwdtable;
@@ -242,6 +244,8 @@ destroy(dns_view_t *view) {
 		dns_cache_detach(&view->cache);
 	if (view->matchclients != NULL)
 		dns_acl_detach(&view->matchclients);
+	if (view->matchdestinations != NULL)
+		dns_acl_detach(&view->matchdestinations);
 	if (view->queryacl != NULL)
 		dns_acl_detach(&view->queryacl);
 	if (view->recursionacl != NULL)

lib/isccfg/parser.c

@@ -15,7 +15,7 @@
  * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: parser.c,v 1.64 2001/07/23 05:00:43 mayer Exp $ */
+/* $Id: parser.c,v 1.65 2001/07/26 20:42:46 bwelling Exp $ */
 
 #include <config.h>
 
@@ -902,6 +902,8 @@ view_clauses[] = {
 static cfg_clausedef_t
 view_only_clauses[] = {
 	{ "match-clients", &cfg_type_bracketed_aml, 0 },
+	{ "match-destinations", &cfg_type_bracketed_aml, 0 },
+	{ "match-recursive-only", &cfg_type_boolean, 0 },
 	{ NULL, NULL, 0 }
 };