NSD ACL Plugin
Colm MacCarthaigh
colm.maccarthaigh at heanet.ie
Thu Jul 10 13:37:16 UTC 2003
On Thu, Jul 10, 2003 at 03:10:16PM +0200, Erik Rozendaal wrote:
> Colm MacCarthaigh wrote:
> >After having enough time to put some finishing touches to an ACL plugin
> >for NSD I now have something suitable for looking at. It isn't entirely
> >functional just yet, but it does compile, load and work to a certain
> >extent.
> >
> >After untarring the source, it needs to be configured as follows:
>
> Is there a place I can get the source? :)
Gah! This has been happening to me the last few days; Mutt plus our
virus scanner hasn't been playing nicely. I've attached it now, from
a different machine. Please shout if it isn't attached :)
> >for example. The current implementation has two main limitations,
> >I'm hoping someone may be able to help me rectify these. The plugin
> >currently only honours "all" type ACLs, ie you can't block just
> >"NS", "MX" .. or whatever queries. This is because I can't find
> >an easy way to determine query_type from with the plugin. Is there
> >an easy way ?
>
> Not yet. Right now the class and type of the query are passed explicitly
> to functions that need it inside NSD. They should be stored in "struct
> query" after the query has been analyzed. Another problem is that
> currently the query is overwritten with the answer... so by the time your
> plugin is called the original class and type are no longer available :-(
>
> Finally, what do you plan to do when a client issues a query for type "ANY"
> but is not allowed to see MX records? Filter out the MX records from the
> answer? Reject the original ANY query?
I was planning on simply rejecting the ANY. I'm not sure how useful
denying specific record types is, but since it was so easy to add,
I did :)
> >Rules are currently not honoured for subzones. So, if you have
> >a rule that says:
> >
> > deny all for example.com from 0.0.0.0/0
> >
> >"host -t any example.com" will be refused by the plugin, but
> >"host -t any www.example.com" will not.
> >
> >Fixing this is a matter of finding out how to get a list of all the
> >records in a particular zone and registering data for each. Since the AXFR
> >code must have a method of finding out all this data, I'm assuming this
> >will be relatively doable. I just haven't figured out how yet. Though the
> >plugin has been written with this approach in mind. (see the top of
> >nsd_acl_plugin.c). I'd appreciate any insights anyone has to offer in
> >this regard.
>
> Probably the easiest way is to use the HEAP_WALK macro in heap.h (which
> redefines RBTREE_WALK in rbtree.h) on interface->nsd->db->heap. This will
> give you all the domains (not just the ones specific to a zone).
O.k., I'll give that a go.
> Obviously the internal plugin APIs aren't very well defined yet. That's
> one reason the plugin support is marked experimental :) But it will be a
> good thing to make more of the internal functionality of NSD available to
> plugins in a documented manner. But this will take some time.
Completely understandable!
--
Colm MacCárthaigh / HEAnet, Teach Brooklawn, / Innealtóir Ghréasáin
+353 1 6609040 / Bóthar Shelbourne, BÁC, IE / http://www.hea.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nsd_acl_plugin.tar.gz
Type: application/octet-stream
Size: 62873 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/nsd-users/attachments/20030710/af8edc46/attachment.obj>
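Added illustration, written for this page rather than taken from the attached nsd_acl_plugin.tar.gz or from NSD itself: a small rule matcher in C for rules of the form quoted in the thread, "deny all for example.com from 0.0.0.0/0". It shows the two behaviours discussed above, matching the owner name by suffix so that a rule for example.com also refuses "host -t any www.example.com", and treating a deny on a specific type as grounds to refuse a whole ANY query. The rule grammar beyond that one line, the first-match-wins and default-permit semantics, the IPv4-only client addresses and the function names (acl_add_rule, acl_check, acl_reset) are assumptions made for this example, not anything the plugin defines.

```c
/* Added example, not the attached plugin's or NSD's code: a minimal matcher for
 * rules like "deny all for example.com from 0.0.0.0/0". Names match by suffix
 * (example.com also covers www.example.com) and a type-specific deny refuses an
 * ANY outright. First match wins, default permit; those semantics, IPv4-only
 * clients and the function names are assumptions made for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <stdint.h>
#include <arpa/inet.h>

#define MAX_RULES 16
struct acl_rule {
    int      deny;       /* 1 = deny, 0 = allow */
    char     qtype[8];   /* "all" or one RR type such as "MX" */
    char     zone[256];  /* owner name the rule applies to */
    uint32_t net, mask;  /* network address and netmask, host byte order */
};

static struct acl_rule rules[MAX_RULES];
static int nrules;

void acl_reset(void) { nrules = 0; }

/* Parse "deny|allow TYPE for ZONE from A.B.C.D[/N]". Returns 0 on success. */
int acl_add_rule(const char *line)
{
    char action[8], qtype[8], zone[256], cidr[32], *slash;
    struct in_addr in;
    int prefix;
    struct acl_rule *r = &rules[nrules];
    if (nrules >= MAX_RULES ||
        sscanf(line, "%7s %7s for %255s from %31s", action, qtype, zone, cidr) != 4)
        return -1;
    if (strcasecmp(action, "deny") == 0)
        r->deny = 1;
    else if (strcasecmp(action, "allow") == 0)
        r->deny = 0;
    else
        return -1;
    if ((slash = strchr(cidr, '/')) != NULL)
        *slash = '\0';
    prefix = slash ? atoi(slash + 1) : 32;
    if (prefix < 0 || prefix > 32 || inet_pton(AF_INET, cidr, &in) != 1)
        return -1;
    /* a /0 needs an all-zero mask; shifting a 32-bit value by 32 is undefined */
    r->mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    r->net  = ntohl(in.s_addr) & r->mask;
    snprintf(r->qtype, sizeof r->qtype, "%s", qtype);
    snprintf(r->zone, sizeof r->zone, "%s", zone);
    nrules++;
    return 0;
}

/* Name length without a trailing dot, so "example.com." == "example.com". */
static size_t dns_len(const char *s)
{
    size_t n = strlen(s);
    return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/* qname equals zone or lies below it; "notexample.com" is not inside "example.com" */
static int name_in_zone(const char *qname, const char *zone)
{
    size_t ql = dns_len(qname), zl = dns_len(zone);
    if (ql < zl || strncasecmp(qname + (ql - zl), zone, zl) != 0)
        return 0;
    return ql == zl || qname[ql - zl - 1] == '.';
}

static int type_matches(const struct acl_rule *r, const char *qtype)
{
    if (strcasecmp(r->qtype, "all") == 0)
        return 1;
    /* ANY covers every type: a deny on one type refuses the whole ANY (the
     * approach chosen in the thread); an allow on one type does not permit it. */
    if (strcasecmp(qtype, "ANY") == 0)
        return r->deny;
    return strcasecmp(r->qtype, qtype) == 0;
}

/* Returns 1 if the query must be refused, 0 if it may be answered. */
int acl_check(const char *qname, const char *qtype, const char *client)
{
    struct in_addr in;
    uint32_t ip; int i;
    if (inet_pton(AF_INET, client, &in) != 1)
        return 1;                      /* unparsable source address: refuse */
    ip = ntohl(in.s_addr);
    for (i = 0; i < nrules; i++) {
        const struct acl_rule *r = &rules[i];
        if ((ip & r->mask) == r->net && name_in_zone(qname, r->zone) &&
            type_matches(r, qtype))
            return r->deny;
    }
    return 0;
}
```

With the single rule from the thread loaded, acl_check("example.com", "ANY", ...) and acl_check("www.example.com", "ANY", ...) both return 1, whereas a name that merely ends in the same characters, such as notexample.com, is not refused because the label boundary is checked. A real plugin would compare against the parsed query rather than strings, but the matching order (source address, then owner name, then type) is the part worth getting right.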