From 6329cf4d0f5437e230668ae6ba849cbca3ace869 Mon Sep 17 00:00:00 2001
From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Tue, 30 Jan 2018 14:47:12 +0100
Subject: [PATCH] ixfrdist: Add an ACL option

---
 pdns/ixfrdist.cc | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/pdns/ixfrdist.cc b/pdns/ixfrdist.cc
index d5400fe7e..45c8a3e67 100644
--- a/pdns/ixfrdist.cc
+++ b/pdns/ixfrdist.cc
@@ -74,6 +74,8 @@ bool g_exiting = false;
 #define KEEP_DEFAULT 20
 uint16_t g_keep = KEEP_DEFAULT;
 
+NetmaskGroup g_acl;
+
 void handleSignal(int signum) {
   if (g_verbose) {
     cerr<<"[INFO] Got "<<strsignal(signum)<<" signal";
@@ -503,6 +505,10 @@ bool makeIXFRPackets(const MOADNSParser& mdp, const shared_ptr<SOARecordContent>
   return true;
 }
 
+bool allowedByACL(const ComboAddress& addr) {
+  return g_acl.match(addr);
+}
+
 void handleUDPRequest(int fd, boost::any&) {
   // TODO make the buffer-size configurable
   char buf[4096];
@@ -521,6 +527,11 @@ void handleUDPRequest(int fd, boost::any&) {
     return;
   }
 
+  if (!allowedByACL(saddr)) {
+    cerr<<"[WARNING] UDP query from "<<saddr.toString()<<" is not allowed, dropping"<<endl;
+    return;
+  }
+
   if (saddr == ComboAddress("0.0.0.0", 0)) {
     cerr<<"[WARNING] Could not determine source of message"<<endl;
     return;
@@ -563,6 +574,12 @@ void handleTCPRequest(int fd, boost::any&) {
     return;
   }
 
+  if (!allowedByACL(saddr)) {
+    cerr<<"[WARNING] TCP query from "<<saddr.toString()<<" is not allowed, dropping"<<endl;
+    close(cfd);
+    return;
+  }
+
   if (saddr == ComboAddress("0.0.0.0", 0)) {
     cerr<<"[WARNING] Could not determine source of message"<<endl;
     return;
@@ -682,6 +699,7 @@ int main(int argc, char** argv) {
       ("verbose", "Be verbose")
       ("debug", "Be even more verbose")
       ("listen-address", po::value< vector< string>>(), "IP Address(es) to listen on")
+      ("acl", po::value<vector<string>>(), "IP Address masks that are allowed access, by default only loopback addresses are allowed")
       ("server-address", po::value<string>()->default_value("127.0.0.1:5300"), "server address")
       ("work-dir", po::value<string>()->default_value("."), "Directory for storing AXFR and IXFR data")
       ("keep", po::value<uint16_t>()->default_value(KEEP_DEFAULT), "Number of old zone versions to retain")
@@ -767,6 +785,22 @@ int main(int argc, char** argv) {
     return EXIT_FAILURE;
   }
 
+  vector<string> acl = {"127.0.0.0/8", "::1/128"};
+  if (g_vm.count("acl") > 0) {
+    acl = g_vm["acl"].as<vector<string>>();
+  }
+  for (const auto &addr : acl) {
+    try {
+      g_acl.addMask(addr);
+    } catch (const NetmaskException &e) {
+      cerr<<"[ERROR] "<<e.reason<<endl;
+      had_error = true;
+    }
+  }
+  if (g_verbose) {
+    cerr<<"[INFO] ACL set to "<<g_acl.toString()<<"."<<endl;
+  }
+
   set<int> allSockets;
   for (const auto& addr : listen_addresses) {
     for (const auto& stype : {SOCK_DGRAM, SOCK_STREAM}) {
-- 
2.40.0