head 1.3; access; symbols netbsd-11-0-RC4:1.2 netbsd-11-0-RC3:1.2 netbsd-11-0-RC2:1.2 netbsd-11-0-RC1:1.2 perseant-exfatfs-base-20250801:1.2 netbsd-11:1.2.0.10 netbsd-11-base:1.2 netbsd-10-1-RELEASE:1.2 perseant-exfatfs-base-20240630:1.2 perseant-exfatfs:1.2.0.8 perseant-exfatfs-base:1.2 netbsd-10-0-RELEASE:1.2 netbsd-10-0-RC6:1.2 netbsd-10-0-RC5:1.2 netbsd-10-0-RC4:1.2 netbsd-10-0-RC3:1.2 netbsd-10-0-RC2:1.2 netbsd-10-0-RC1:1.2 netbsd-10:1.2.0.6 netbsd-10-base:1.2 cjep_sun2x-base1:1.2 cjep_sun2x:1.2.0.4 cjep_sun2x-base:1.2 cjep_staticlib_x-base1:1.2 cjep_staticlib_x:1.2.0.2 cjep_staticlib_x-base:1.2 blocklist-20200614:1.1.1.1 CHRISTOS:1.1.1; locks; strict; comment @# @; 1.3 date 2026.04.09.15.58.11; author christos; state Exp; branches; next 1.2; commitid USmnYareVrQAGiBG; 1.2 date 2020.06.15.02.29.45; author christos; state Exp; branches; next 1.1; commitid Hmw5T0TEena9ugcC; 1.1 date 2020.06.15.01.52.53; author christos; state Exp; branches 1.1.1.1; next ; commitid 178yOO8MwJTTggcC; 1.1.1.1 date 2020.06.15.01.52.53; author christos; state Exp; branches; next ; commitid 178yOO8MwJTTggcC; desc @@ 1.3 log @updare for bind-9.20.22 @ text @Index: bin/named/Makefile =================================================================== RCS file: /cvsroot/src/external/mpl/bind/bin/named/Makefile,v retrieving revision 1.6 diff -u -p -u -r1.6 Makefile --- bin/named/Makefile 21 Feb 2024 22:50:56 -0000 1.6 +++ bin/named/Makefile 9 Apr 2026 15:53:58 -0000 @@@@ -47,5 +47,7 @@@@ CLEANFILES+= xsl.c main.o: ${VERSIONFILE} +LDADD+=-lblocklist +DPADD+=${LIBBLOCKLIST} .include Index: dist/bin/named/main.c =================================================================== RCS file: /cvsroot/src/external/mpl/bind/dist/bin/named/main.c,v retrieving revision 1.22 diff -u -p -u -r1.22 main.c --- dist/bin/named/main.c 8 Apr 2026 00:15:44 -0000 1.22 +++ dist/bin/named/main.c 9 Apr 2026 15:53:59 -0000 @@@@ -54,6 +54,8 @@@@ #include +#include "ns/pfilter.h" + #ifdef HAVE_GPERFTOOLS_PROFILER 
#include #endif /* ifdef HAVE_GPERFTOOLS_PROFILER */ @@@@ -1554,6 +1556,9 @@@@ main(int argc, char *argv[]) { parse_command_line(argc, argv); + // Should we have a command line flag? + pfilter_enable(); + #ifdef ENABLE_AFL if (named_g_fuzz_type != isc_fuzz_none) { named_fuzz_setup(); Index: dist/lib/ns/client.c =================================================================== RCS file: /cvsroot/src/external/mpl/bind/dist/lib/ns/client.c,v retrieving revision 1.27 diff -u -p -u -r1.27 client.c --- dist/lib/ns/client.c 8 Apr 2026 00:16:16 -0000 1.27 +++ dist/lib/ns/client.c 9 Apr 2026 15:54:00 -0000 @@@@ -66,6 +66,8 @@@@ #include #include +#include "pfilter.h" + /*** *** Client ***/ @@@@ -2703,6 +2705,7 @@@@ ns_client_checkacl(ns_client_t *client, ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, log_level, "%s denied", opname); + pfilter_notify(result, client, opname); } return result; } Index: dist/lib/ns/xfrout.c =================================================================== RCS file: /cvsroot/src/external/mpl/bind/dist/lib/ns/xfrout.c,v retrieving revision 1.16 diff -u -p -u -r1.16 xfrout.c --- dist/lib/ns/xfrout.c 29 Jan 2026 18:37:56 -0000 1.16 +++ dist/lib/ns/xfrout.c 9 Apr 2026 15:54:00 -0000 @@@@ -48,6 +48,8 @@@@ #include #include +#include "pfilter.h" + /*! \file * \brief * Outgoing AXFR and IXFR. 
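Review bot: `pfilter_enable()` runs unconditionally right after `parse_command_line()`, so every named built from this tree reports ACL denials to the blocklist daemon and the operator has no switch to turn that off. The `// Should we have a command line flag?` comment leaves that question open in the code. Either settle it with an option handled in `parse_command_line()`, or replace the comment with one that states the decision, for example `/* Always report ACL denials to blocklistd(8); blocking policy is configured there. */`. main() starts and ends outside the hunk.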
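Review bot: `pfilter_notify(result, client, opname)` in the denied branch of ns_client_checkacl reports every ACL denial, including those for UDP clients, whose source address is not confirmed by any handshake. A blocklist entry built from such a denial can name an address that never sent the query, so a resulting block rule may cut off a legitimate resolver. Consider reporting only TCP clients from this path, or add a comment such as `/* UDP peers are unauthenticated; blocklistd policy for this service must tolerate false attributions. */` so the limitation is visible to whoever writes the blocklistd rule. The function body starts outside the hunk.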
@@@@ -826,6 +828,7 @@@@ ns_xfr_start(ns_client_t *client, dns_rd ISC_LOG_ERROR, "zone transfer '%s/%s' denied", _buf1, _buf2); + pfilter_notify(result, client, "zonexfr"); goto cleanup; } if (result != ISC_R_SUCCESS) { Index: include/ns/pfilter.h =================================================================== RCS file: /cvsroot/src/external/mpl/bind/include/ns/pfilter.h,v retrieving revision 1.1 diff -u -p -u -r1.1 pfilter.h --- include/ns/pfilter.h 26 Jan 2025 16:30:19 -0000 1.1 +++ include/ns/pfilter.h 9 Apr 2026 15:54:00 -0000 @@@@ -1,2 +1,3 @@@@ void pfilter_enable(void); -void pfilter_notify(isc_result_t, ns_client_t *, const char *); +struct ns_client; +void pfilter_notify(isc_result_t, struct ns_client *, const char *); Index: include/ns/pfilter.h =================================================================== RCS file: include/ns/pfilter.h diff -N include/ns/pfilter.h --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ include/ns/pfilter.h 9 Apr 2026 15:54:52 -0000 1.2 @@@@ -0,0 +1,3 @@@@ +void pfilter_enable(void); +struct ns_client; +void pfilter_notify(isc_result_t, struct ns_client *, const char *); Index: lib/libns/pfilter.c =================================================================== RCS file: lib/libns/pfilter.c diff -N lib/libns/pfilter.c 
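Review bot: `include/ns/pfilter.h` appears twice in this patch, once as a diff against revision 1.1 and once as a new file from `/dev/null`, and both produce the same three lines. Only one of the two sections can apply to a given tree, so the stale one should be dropped. The header also uses `isc_result_t` without including the header that declares it (presumably `<isc/result.h>`) and has no include guard, so it compiles only when every includer has already pulled in the ISC result type. Adding a guard and that include would make it self-contained, and a one-line comment on `pfilter_notify` saying that a non-success result is reported as a failure would document the contract.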
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ lib/libns/pfilter.c 26 Jan 2025 16:30:19 -0000 1.1
@@@@ -0,0 +1,43 @@@@
+
+#include
+#include
+#include
+
+#include
+
+#include
+
+static struct blocklist *blstate;
+static int blenable;
+
+void
+pfilter_enable(void) {
+ blenable = 1;
+}
+
+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+void
+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
+{
+ int fd;
+
+ if (!blenable)
+ return;
+
+ if (blstate == NULL)
+ blstate = blocklist_open();
+
+ if (blstate == NULL)
+ return;
+
+ if (!TCP_CLIENT(client) && !client->peeraddr_valid)
+ return;
+
+ if ((fd = isc_nmhandle_getfd(client->handle)) == -1)
+ return;
+
+ blocklist_sa_r(blstate,
+ res != ISC_R_SUCCESS, fd,
+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
+}
@ 1.2 log @missed the capitalized ones. @ text @a0 50
--- /dev/null 2015-01-22 01:48:00.000000000 -0500
+++ dist/bin/named/pfilter.c 2015-01-22 01:35:16.000000000 -0500
@@@@ -0,0 +1,42 @@@@
+#include
+
+#include
+#include
+#include
+#include
+
+#include
+
+#include "pfilter.h"
+
+static struct blocklist *blstate;
+
+void
+pfilter_open(void)
+{
+ if (blstate == NULL)
+ blstate = blocklist_open();
+}
+
+#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
+
+void
+pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
+{
+ isc_socket_t *socket;
+
+ pfilter_open();
+
+ if (TCP_CLIENT(client))
+ socket = client->tcpsocket;
+ else {
+ socket = client->udpsocket;
+ if (!client->peeraddr_valid)
+ return;
+ }
+ if (socket == NULL)
+ return;
+ blocklist_sa_r(blstate,
+ res != ISC_R_SUCCESS, isc_socket_getfd(socket),
+ &client->peeraddr.type.sa, client->peeraddr.length, msg);
+}
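Review bot: The lazy `blstate = blocklist_open()` inside `pfilter_notify()` in lib/libns/pfilter.c is an unsynchronized check-then-set on a file-scope static, and `blenable` is likewise a plain `int`. If the callers in client.c and xfrout.c can run on more than one thread (likely for named, though not visible in this patch), two denials arriving together can both see `NULL` and each open a handle, leaking one of them. Opening the handle once from `pfilter_enable()`, which main.c calls during startup, would remove the race; if startup ordering rules that out, guard the open with a once-primitive such as `pthread_once`. The peer-address check also skips `client->peeraddr_valid` for TCP clients before `client->peeraddr` is passed to `blocklist_sa_r`, which deserves a short comment explaining why that is safe.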
--- /dev/null 2015-01-22 01:48:00.000000000 -0500 +++ dist/bin/named/pfilter.h 2015-01-22 01:16:56.000000000 -0500 @@@@ -0,0 +1,2 @@@@ +void pfilter_open(void); +void pfilter_notify(isc_result_t, ns_client_t *, const char *); d3 8 a10 12 RCS file: /cvsroot/src/external/bsd/bind/bin/named/Makefile,v retrieving revision 1.8 diff -u -u -r1.8 Makefile --- bin/named/Makefile 31 Dec 2013 20:23:12 -0000 1.8 +++ bin/named/Makefile 23 Jan 2015 21:37:09 -0000 @@@@ -33,7 +33,9 @@@@ lwaddr.c lwdclient.c lwderror.c \ lwdgabn.c lwdgnba.c lwdgrbn.c lwdnoop.c lwresd.c lwsearch.c \ main.c notify.c query.c server.c sortlist.c statschannel.c \ - tkeyconf.c tsigconf.c \ + pfilter.c tkeyconf.c tsigconf.c \ update.c xfrout.c zoneconf.c ${SRCS_UNIX} d14 1 d16 1 a16 1 Index: dist/bin/named/client.c d18 6 a23 8 RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/client.c,v retrieving revision 1.11 diff -u -u -r1.11 client.c --- dist/bin/named/client.c 10 Dec 2014 04:37:51 -0000 1.11 +++ dist/bin/named/client.c 23 Jan 2015 21:37:09 -0000 @@@@ -65,6 +65,8 @@@@ #include #include d25 1 a25 8 +#include "pfilter.h" + /*** *** Client ***/ @@@@ -3101,6 +3103,7 @@@@ result = ns_client_checkaclsilent(client, sockaddr ? &netaddr : NULL, acl, default_allow); d27 1 a27 17 + pfilter_notify(result, client, opname); if (result == ISC_R_SUCCESS) ns_client_log(client, DNS_LOGCATEGORY_SECURITY, NS_LOGMODULE_CLIENT, ISC_LOG_DEBUG(3), Index: dist/bin/named/main.c =================================================================== RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/main.c,v retrieving revision 1.15 diff -u -u -r1.15 main.c --- dist/bin/named/main.c 10 Dec 2014 04:37:51 -0000 1.15 +++ dist/bin/named/main.c 23 Jan 2015 21:37:09 -0000 @@@@ -83,6 +83,9 @@@@ #ifdef HAVE_LIBXML2 #include #endif + +#include "pfilter.h" d29 4 a32 4 /* * Include header files for database drivers here. 
*/ @@@@ -1206,6 +1209,8 @@@@ d36 2 a37 1 + pfilter_open(); d39 13 a51 13 /* * Warn about common configuration error. */ Index: dist/bin/named/query.c =================================================================== RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/query.c,v retrieving revision 1.17 diff -u -u -r1.17 query.c --- dist/bin/named/query.c 10 Dec 2014 04:37:52 -0000 1.17 +++ dist/bin/named/query.c 23 Jan 2015 21:37:09 -0000 @@@@ -65,6 +65,8 @@@@ #include #include d55 8 a62 4 #if 0 /* * It has been recommended that DNS64 be changed to return excluded @@@@ -762,6 +764,8 @@@@ d64 12 a75 26 result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); + if (result != ISC_R_SUCCESS) + pfilter_notify(result, client, "validatezonedb"); if ((options & DNS_GETDB_NOLOG) == 0) { char msg[NS_CLIENT_ACLMSGSIZE("query")]; if (result == ISC_R_SUCCESS) { @@@@ -1026,6 +1030,8 @@@@ result = ns_client_checkaclsilent(client, NULL, client->view->cacheacl, ISC_TRUE); + if (result == ISC_R_SUCCESS) + pfilter_notify(result, client, "cachedb"); if (result == ISC_R_SUCCESS) { /* * We were allowed by the "allow-query-cache" ACL. Index: dist/bin/named/update.c =================================================================== RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/update.c,v retrieving revision 1.9 diff -u -u -r1.9 update.c --- dist/bin/named/update.c 10 Dec 2014 04:37:52 -0000 1.9 +++ dist/bin/named/update.c 23 Jan 2015 21:37:09 -0000 @@@@ -59,6 +59,8 @@@@ #include #include d81 76 a156 37 * This module implements dynamic update as in RFC2136. 
@@@@ -307,6 +309,7 @@@@ result = ns_client_checkaclsilent(client, NULL, queryacl, ISC_TRUE); if (result != ISC_R_SUCCESS) { + pfilter_notify(result, client, "queryacl"); dns_name_format(zonename, namebuf, sizeof(namebuf)); dns_rdataclass_format(client->view->rdclass, classbuf, sizeof(classbuf)); @@@@ -324,6 +327,7 @@@@ sizeof(classbuf)); result = DNS_R_REFUSED; + pfilter_notify(result, client, "updateacl"); ns_client_log(client, NS_LOGCATEGORY_UPDATE_SECURITY, NS_LOGMODULE_UPDATE, ISC_LOG_INFO, "update '%s/%s' denied", namebuf, classbuf); @@@@ -362,6 +366,7 @@@@ msg = "disabled"; } else { result = ns_client_checkaclsilent(client, NULL, acl, ISC_FALSE); + pfilter_notify(result, client, "updateacl"); if (result == ISC_R_SUCCESS) { level = ISC_LOG_DEBUG(3); msg = "approved"; Index: dist/bin/named/xfrout.c =================================================================== RCS file: /cvsroot/src/external/bsd/bind/dist/bin/named/xfrout.c,v retrieving revision 1.7 diff -u -u -r1.7 xfrout.c --- dist/bin/named/xfrout.c 10 Dec 2014 04:37:52 -0000 1.7 +++ dist/bin/named/xfrout.c 23 Jan 2015 21:37:09 -0000 @@@@ -54,6 +54,8 @@@@ #include #include +#include "pfilter.h" d158 4 a161 11 /*! \file * \brief * Outgoing AXFR and IXFR. @@@@ -822,6 +824,7 @@@@ &client->peeraddr, &db); + pfilter_notify(result, client, "zonexfr"); if (result == ISC_R_NOPERM) { char _buf1[DNS_NAME_FORMATSIZE]; char _buf2[DNS_RDATACLASS_FORMATSIZE]; @ 1.1 log @Initial revision @ text @d67 1 a67 1 +DPADD+=${LIBBLACKLIST} @ 1.1.1.1 log @Import blocklist from https://github.com/zoulasc/blocklist. This is the same code as blacklist from the HEAD of the NetBSD tree. @ text @@