ixfrdist: Add an ACL option

diff --git a/pdns/ixfrdist.cc b/pdns/ixfrdist.cc
index d5400fe7e9556c11ed6e55c7a46306805367c5b7..45c8a3e67c2c870e91c52a29b5d16b233c648736 100644 (file)
--- a/pdns/ixfrdist.cc
+++ b/pdns/ixfrdist.cc
@@ -74,6 +74,8 @@ bool g_exiting = false;
 #define KEEP_DEFAULT 20
 uint16_t g_keep = KEEP_DEFAULT;
 
+NetmaskGroup g_acl;
+
 void handleSignal(int signum) {
   if (g_verbose) {
     cerr<<"[INFO] Got "<<strsignal(signum)<<" signal";
@@ -503,6 +505,10 @@ bool makeIXFRPackets(const MOADNSParser& mdp, const shared_ptr<SOARecordContent>
   return true;
 }
 
+bool allowedByACL(const ComboAddress& addr) {
+  return g_acl.match(addr);
+}
+
 void handleUDPRequest(int fd, boost::any&) {
   // TODO make the buffer-size configurable
   char buf[4096];
@@ -521,6 +527,11 @@ void handleUDPRequest(int fd, boost::any&) {
     return;
   }
 
+  if (!allowedByACL(saddr)) {
+    cerr<<"[WARNING] UDP query from "<<saddr.toString()<<" is not allowed, dropping"<<endl;
+    return;
+  }
+
   if (saddr == ComboAddress("0.0.0.0", 0)) {
     cerr<<"[WARNING] Could not determine source of message"<<endl;
     return;
@@ -563,6 +574,12 @@ void handleTCPRequest(int fd, boost::any&) {
     return;
   }
 
+  if (!allowedByACL(saddr)) {
+    cerr<<"[WARNING] TCP query from "<<saddr.toString()<<" is not allowed, dropping"<<endl;
+    close(cfd);
+    return;
+  }
+
   if (saddr == ComboAddress("0.0.0.0", 0)) {
     cerr<<"[WARNING] Could not determine source of message"<<endl;
     return;
@@ -682,6 +699,7 @@ int main(int argc, char** argv) {
       ("verbose", "Be verbose")
       ("debug", "Be even more verbose")
       ("listen-address", po::value< vector< string>>(), "IP Address(es) to listen on")
+      ("acl", po::value<vector<string>>(), "IP Address masks that are allowed access, by default only loopback addresses are allowed")
       ("server-address", po::value<string>()->default_value("127.0.0.1:5300"), "server address")
       ("work-dir", po::value<string>()->default_value("."), "Directory for storing AXFR and IXFR data")
       ("keep", po::value<uint16_t>()->default_value(KEEP_DEFAULT), "Number of old zone versions to retain")
@@ -767,6 +785,22 @@ int main(int argc, char** argv) {
     return EXIT_FAILURE;
   }
 
+  vector<string> acl = {"127.0.0.0/8", "::1/128"};
+  if (g_vm.count("acl") > 0) {
+    acl = g_vm["acl"].as<vector<string>>();
+  }
+  for (const auto &addr : acl) {
+    try {
+      g_acl.addMask(addr);
+    } catch (const NetmaskException &e) {
+      cerr<<"[ERROR] "<<e.reason<<endl;
+      had_error = true;
+    }
+  }
+  if (g_verbose) {
+    cerr<<"[INFO] ACL set to "<<g_acl.toString()<<"."<<endl;
+  }
+
   set<int> allSockets;
   for (const auto& addr : listen_addresses) {
     for (const auto& stype : {SOCK_DGRAM, SOCK_STREAM}) {