From: bert hubert
Date: Fri, 30 Oct 2015 20:36:29 +0000 (+0100)
Subject: oooops did not check ACL for TCP/IP connections
X-Git-Tag: dnsdist-1.0.0-alpha1~267
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b719e46505c2612e4e04c285d44a10f7f4bdcf33;p=pdns
oooops did not check ACL for TCP/IP connections
---
diff --git a/pdns/dnsdist-tcp.cc b/pdns/dnsdist-tcp.cc
index 1fb6b2746..52538bae7 100644
--- a/pdns/dnsdist-tcp.cc
+++ b/pdns/dnsdist-tcp.cc
@@ -252,12 +252,21 @@ void* tcpAcceptorThread(void* p)
 g_tcpclientthreads.addTCPClientThread();
+ auto acl = g_ACL.getLocal();
 for(;;) {
 try {
- ConnectionInfo* ci = new ConnectionInfo;
+ ConnectionInfo* ci = new ConnectionInfo;
 ci->fd = SAccept(cs->tcpFD, remote);
+
+ if(!acl->match(remote)) {
+ g_stats.aclDrops++;
+ close(ci->fd);
+ delete ci;
+ vinfolog("Dropped TCP connection from %s because of ACL", remote.toStringWithPort());
+ continue;
+ }
- vinfolog("Got connection from %s", remote.toStringWithPort());
+ vinfolog("Got TCP connection from %s", remote.toStringWithPort());
 ci->remote = remote;
 writen2(g_tcpclientthreads.getThread(), &ci, sizeof(ci));
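Review bot: `new ConnectionInfo` still runs before `SAccept` and before the new ACL check, so every connection the ACL rejects costs a heap allocation plus a `delete`, and the raw pointer is leaked if `SAccept` throws (the enclosing `try` suggests it can; its handler is outside the hunk). Accepting into a local `int fd`, testing `acl->match(remote)`, and allocating only for clients that passed keeps the drop path to a counter bump, a `close` and a log line, which matters most when a denied source opens connections at a high rate. Since `acl` is fetched once above the loop, a short comment there would help, for example `// fetched once per thread; confirm the local handle follows runtime ACL updates`. tcpAcceptorThread starts and ends outside the hunk.

```cpp
      int fd = SAccept(cs->tcpFD, remote);

      if(!acl->match(remote)) {
        // … unchanged: g_stats.aclDrops++ …
        close(fd);
        // … unchanged: drop log line and continue …
      }
      // … unchanged: "Got TCP connection" log line …
      ConnectionInfo* ci = new ConnectionInfo;
      ci->fd = fd;
      // … unchanged: ci->remote assignment and writen2 hand-off …
```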