On 04/08/2015 21:29, Darcy Kevin (FCA) wrote:
> The short answer is that that is how address-match-lists work: a non-negated
> match allows access, a negated match denies access, and if there is *no*
> match, access is denied. The only real reason to use a negated match,
> therefore, is when what you're negating is a subset of something later in the
> address-match-list.
>
> You do realize, I hope, that you could just change the order of the views and
> then you wouldn't need any form of negation (earlier one matches 127.0.0.1,
> later one matches "any").
>
> - Kevin
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org
> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN
> Sent: Tuesday, August 04, 2015 4:19 PM
> To: bind-users@lists.isc.org
> Subject: Negation in view match-clients ACL doesn't work?
>
> Folks,
>
> This has been a real mystery and I haven't been able to find a good
> explanation for the behavior. For a simple example I have two views set up and
> I want to differentiate access based on queries originating from 127.0.0.1.
>
> In my FIRST ATTEMPT I just negated the IP address, but that didn't
> work. The first view never matched. In the SECOND ATTEMPT I simply added
> "any" AFTER the negation and that worked?
>
> I read the ARM, can someone explain? Many Thanks!!!!!
>
> FIRST ATTEMPT: Fails - no clients can see external_zones.
>
> view "default-test" {
>     match-clients { ! 127.0.0.1; }; // thought this would match anyone but 127.0.0.1
>
>     zone "." {
>         type hint;
>         file "db.cache";
>     };
>     zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0.0";
>     };
>
>     include "external_zones.txt";
> };
>
> view "default" {
>     match-clients { any; };
>
>     zone "." {
>         type hint;
>         file "db.cache";
>     };
>     zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0.0";
>     };
>
>     include "internal_zones.txt";
> };
>
> SECOND ATTEMPT: Succeeds, only external clients can see external_zones.
>
> view "default-test" {
>     match-clients { ! 127.0.0.1; any; }; // Why must I add any?
> ......
>

Although it's dealing with a different question, this KB article might help a bit with understanding ACLs:
https://kb.isc.org/article/AA-00723
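The address-match-list rules Kevin describes (elements tried in order, first match wins, a negated match denies, no match at all denies) modelled in Python, as an added example that is not from the thread or from BIND itself; the `parse_acl`, `acl_allows` and `select_view` helpers, the IPv4-only simplification and the 192.0.2.10 client address are constructed for illustration.

```python
"""Model of BIND address-match-list evaluation (added example, not BIND code).

Rules modelled: elements are tested in order; the first element whose network
contains the client decides; a negated element denies, a plain one allows; a
list with no matching element denies.  Views are tried in configuration order
and the first view whose match-clients allows the client is used.
"""
import ipaddress


def parse_acl(text):
    """Parse an address-match-list body such as '! 127.0.0.1; any;' into
    (negated, network) pairs.  Assumptions: IPv4 literals and 'any' only
    ('any' is modelled as 0.0.0.0/0); no named ACLs, keys or 'none'."""
    elements = []
    for raw in text.split(";"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("! ").strip()
        net = "0.0.0.0/0" if item == "any" else item
        elements.append((negated, ipaddress.ip_network(net, strict=False)))
    return elements


def acl_allows(elements, client):
    """True if the address-match-list permits the client (first match wins)."""
    addr = ipaddress.ip_address(client)
    for negated, net in elements:
        if addr in net:
            return not negated  # negated match denies, plain match allows
    return False  # no element matched: denied


def select_view(views, client):
    """views: ordered (name, match_clients_text) pairs.  Return the name of the
    first view that accepts the client, or None if no view does."""
    for name, acl_text in views:
        if acl_allows(parse_acl(acl_text), client):
            return name
    return None


# Constructed view lists mirroring the thread's two attempts and Kevin's
# suggestion of reordering the views instead of negating.
FIRST_ATTEMPT = [("default-test", "! 127.0.0.1;"), ("default", "any;")]
SECOND_ATTEMPT = [("default-test", "! 127.0.0.1; any;"), ("default", "any;")]
REORDERED = [("default", "127.0.0.1;"), ("default-test", "any;")]

if __name__ == "__main__":
    for label, views in (("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT),
                         ("reordered", REORDERED)):
        for client in ("127.0.0.1", "192.0.2.10"):  # 192.0.2.10: constructed external client
            print(f"{label:9} {client:11} -> {select_view(views, client)}")
```

In the first attempt the external client never reaches "default-test" because `{ ! 127.0.0.1; }` has no element that matches it, so every client falls through to "default".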