NSD ACL Plugin
colm.maccarthaigh at heanet.ie
Thu Jul 10 13:37:16 UTC 2003
On Thu, Jul 10, 2003 at 03:10:16PM +0200, Erik Rozendaal wrote:
> Colm MacCarthaigh wrote:
> >After having enough time to put some finishing touches to an ACL plugin
> >for NSD I know have something suitable for looking at. It isnt entirely
> >functionaly just yet, but it does compile, load and work to certain
> >After untarring the source, it needs to be configured as follows:
> Is there a place I can get the source? :)
Gah! This has been happening me the least few days, Mutt plus our
virus scanner hasnt been playing nicely. I've attached it now, from
a different machine. Please shout if it isnt attached :)
> >for example. The current implementation has two main limitations,
> >I'm hoping someone may be able to help me rectify these. The plugin
> >currently only honours "all" type ACLs, ie you can't block just
> >"NS", "MX" .. or whatever queries. This is because I can't find
> >an easy way to determine query_type from with the plugin. Is there
> >an easy way ?
> Not yet. Right now the class and type of the query are passed explicitly
> to functions that need it inside NSD. They should be stored in "struct
> query" after the query has been analyzed. Another problem is that
> currently the query is overwritten with the answer... so by the time your
> plugin is called the original class and type are no longer available :-(
> Finally, what do you plan to do when a client issues a query for type "ANY"
> but is not allowed to see MX records? Filter out the MX records from the
> answer? Reject the original ANY query?
I was planning on simply rejecting the ANY. I'm not sure how useful
denying specific record types is, but since it was so easy to add
, I did :)
> >Rules are currently not honoured for subzones. So, if you have
> >a rule that says:
> > deny all for example.com from 0.0.0.0/0
> >"host -t any example.com" will be refused by the plugin, but
> >"host -t any www.example.com" will not.
> >Fixing this is a matter of finding out how to get a list of all the
> >records in a particular zone and registering data for each. Since the AXFR
> >must have method of finding out all this data, I'm assuming this will
> >be relatively doable. I just havnt figured out how yet. Though the
> >plugin has been written with this approach in mind. (see the top of
> >nsd_acl_plugin.c). I'd appreciate any insights anyone has to offer in
> >this regard.
> Probably the easiest way is to use the HEAP_WALK macro in heap.h (which
> redefines RBTREE_WALK in rbtree.h) on interface->nsd->db->heap. This will
> give you all the domains (not just the ones specific to a zone).
O.k., I'll give that a go.
> Obviously the internal plugin APIs aren't very well defined yet. That's
> one reason the plugin support is marked experimental :) But it will be a
> good thing to make more of the internal functionality of NSD available to
> plugins in a documented manner. But this will take some time.
Colm MacCárthaigh / HEAnet, Teach Brooklawn, / Innealtóir Ghréasáin
+353 1 6609040 / Bóthar Shelbourne, BÁC, IE / http://www.hea.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 62873 bytes
Desc: not available
More information about the nsd-users