On Wed, Apr 30, 2014 at 11:33:06PM +0200, Ali Jawad wrote: > Any hints ?
So, yeah, that's embarrassing. It never crossed my mind to test geoip ACL elements by referencing them indirectly in named ACLs, as you did; I only referenced them directly. Apparently none of the folks who've been using the code in production ever tried that either. Kudos for your QA skills. :) Thanks to you, I am now aware of the fact that, while the following configuration does work: match-clients { geoip country US; }; ...this one doesn't: acl geoipUS { geoip country US; } ... match-clients { geoipUS; }; The problem is that when the "geoipUS" ACL is merged into match-clients for the view, the geoip information doesn't get copied correctly. The attached patch should fix it. -- Evan Hunt -- e...@isc.org Internet Systems Consortium, Inc.
diff --git a/lib/dns/acl.c b/lib/dns/acl.c index a2d0347..1064bce 100644 --- a/lib/dns/acl.c +++ b/lib/dns/acl.c @@ -337,6 +337,12 @@ dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos) return result; } + /* copy the GeoIP data */ + if (source->elements[i].type == dns_aclelementtype_geoip) { + dest->elements[nelem + i].geoip_elem = + source->elements[i].geoip_elem; + } + /* reverse sense of positives if this is a negative acl */ if (!pos && source->elements[i].negative == ISC_FALSE) { dest->elements[nelem + i].negative = ISC_TRUE;
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users