These are chat archives for CZ-NIC/knot-resolver

15th Mar 2017
lanconnected
@lanconnected
Mar 15 2017 13:23
Hello, how can I fill in a bug report? We would like to set up knot resolver in a way that only a certain amount of fixed IPs are allowed to ask queries and the rest of the internet will get dropped. The ACL filter seems straightforward:
Vladimír Čunát
@vcunat
Mar 15 2017 13:24
@lanconnected: and what's wrong?
lanconnected
@lanconnected
Mar 15 2017 13:25
view:addr('0.0.0.0/0', function (req, qry) return policy.DROP end) to drop everything as a last rule. The problem is this does not work because of the function kr_bitcmp() which does not allow 0 bitlen. The proposed change should look like:
int kr_bitcmp(const char *a, const char *b, int bits)
{
-	if (!a || !b || bits == 0) {
+	if (!a || !b) {
		return kr_error(ENOMEM);
	}
	/* Compare part byte-divisible part. */
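Review bot: removing the `bits == 0` rejection is the right shape for the catch-all case, since a zero-length prefix has no bits to compare and the byte-wise comparison that follows should then report a match; the remaining `kr_error(ENOMEM)` for a NULL `a` or `b` is misleading, though, because that is an invalid-argument condition rather than an allocation failure, so `kr_error(EINVAL)` would describe it better and is worth changing in the same edit.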
After this change, the ACL ruleset works correctly.
Vladimír Čunát
@vcunat
Mar 15 2017 13:31
I see. I'll have a look. It's not clear immediately if the condition was there for a purpose.
lanconnected
@lanconnected
Mar 15 2017 13:36
Thanks. As I understand it, the function should end on memcmp() which should always succeed.
Anyway, the kr_bitcmp() should allow bitlen==0. It's a valid input value which makes sense.
Vladimír Čunát
@vcunat
Mar 15 2017 13:37
Yes, I checked all call sites now. I'll fix it.
lanconnected
@lanconnected
Mar 15 2017 13:40
It would also be nice to add this special case to the documentation, so others know how to specify a catch-all scenario.
Vladimír Čunát
@vcunat
Mar 15 2017 13:41
You mean the view module?
Vladimír Čunát
@vcunat
Mar 15 2017 14:08
I would take the following approach, but for the current use cases it should make no difference.
https://gitlab.labs.nic.cz/knot/resolver/merge_requests/234