On Wed, Apr 30, 2014 at 11:33:06PM +0200, Ali Jawad wrote:
> Any hints ?

So, yeah, that's embarrassing. It never crossed my mind to test geoip
ACL elements by referencing them indirectly in named ACLs, as you did;
I only referenced them directly. Apparently none of the folks who've
been using the code in production ever tried that either. Kudos for
your QA skills. :)

Thanks to you, I am now aware of the fact that, while the following
configuration does work:

    match-clients { geoip country US; };

...this one doesn't:

    acl geoipUS { geoip country US; };
    ...
    match-clients { geoipUS; };

The problem is that when the "geoipUS" ACL is merged into match-clients
for the view, the geoip information doesn't get copied correctly.

The attached patch should fix it.

--
Evan Hunt -- [email protected]
Internet Systems Consortium, Inc.
diff --git a/lib/dns/acl.c b/lib/dns/acl.c
index a2d0347..1064bce 100644
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -337,6 +337,12 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos)
return result;
}
+ /* copy the GeoIP data */
+ if (source->elements[i].type == dns_aclelementtype_geoip) {
+ dest->elements[nelem + i].geoip_elem =
+ source->elements[i].geoip_elem;
+ }
+
/* reverse sense of positives if this is a negative acl */
if (!pos && source->elements[i].negative == ISC_FALSE) {
dest->elements[nelem + i].negative = ISC_TRUE;
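
Review bot: The new geoip branch in dns_acl_merge() comes with no test for the case the message says was never exercised: a geoip element inside a named acl that match-clients references by name. A system test using that configuration alongside the direct `match-clients { geoip country US; };` form would keep this merge path covered, since a view that silently fails to match its intended clients is an access-control failure. Separately, if geoip_elem and dns_aclelementtype_geoip are only defined in builds with GeoIP support, the added block needs the same conditional-compilation guard; the visible context shows none.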