nsupdate ACL based on a key AND ip-subnet
Evan Hunt
Evan_Hunt at isc.org
Mon Nov 17 19:28:41 UTC 2008
> > allow-update { !{!10/8;any;}; key update-key; };
>
> Wouldn't this still permit any client on the 10/8 subnet to update the
> zones?
It's very confusing syntax, but no.
You're probably thinking in boolean algebra (I did too, when I first
encountered this). If it were boolean algebra, you could redistribute
the negatives: "!{!10/8; any;}" becomes "{!!10/8; !any;}" and then
simplifies to "{10/8; none;}".
But ACLs aren't boolean, so you can't do that. Each element has three
possible results not two: match and accept, match and reject, or "no
match", which means continue processing.
When an ordinary ACL element matches and is negated (for example, the
element is "!10/8;" and the address is 10.0.0.1) that means "match and
reject". But if the match is inside of a *nested* ACL, then it's treated
differently: A negative result means "the nested ACL didn't match"--and
so you continue processing.
So if you're checking address A against an ACL of one of the following
forms, these will be the results:
{ A; B; } == A is allowed, accept immediately
{ { A; }; B; } == A is allowed, accept immediately
{ !A; B; } == A is forbidden, reject immediately
{ !{ A; }; B; } == A is forbidden, reject immediately
{ { !A; }; B; } == A matched but was negated, try element B
{ !{ !A; }; B; } == A matched but was negated, try element B
Those last two lines there are confusingly similar (and, as written,
useless). The difference is what happens if you're checking an address
*other* than A, and something else in the nested ACL matches it.
{ { !A; any; }; B; } == any address other than A is accepted at once,
but A is only accepted if B matches too.
boolean translation: ((not A) or (A and B))
{ !{ !A; any; }; B; } == any address other than A is *rejected* at once,
but A is accepted as long as B matches too.
boolean translation: (A and B)
Hope that's helpful. (*I* find it hard to keep this syntax straight, and I
wrote a big chunk of the code that implements it in BIND 9.5...)
--
Evan Hunt -- evan_hunt at isc.org
Internet Systems Consortium, Inc.
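The three-state matching described in the post above, as an added worked example (this is not part of the original message and not BIND's own code): a small Python model of address-match-list evaluation in which each element yields ACCEPT, REJECT or NOMATCH, and a nested list's negative result is downgraded to NOMATCH before the enclosing "!" is applied. The parser only handles the subset of the syntax the post uses (any, none, key NAME, prefixes such as 10/8, "!" and nesting); the `signer` argument is an assumed stand-in for the name of the TSIG key a request was signed with, and the addresses fed to it are constructed.

```python
"""Model of BIND 9 address-match-list (ACL) evaluation, added to illustrate the
post above; it is not BIND's code. Each element yields ACCEPT, REJECT or
NOMATCH, and a nested list's negative result is downgraded to NOMATCH."""
import ipaddress
import re
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NOMATCH = "nomatch"


def parse_prefix(tok):
    """Accept BIND's abbreviated IPv4 prefixes ("10/8") as well as full CIDR."""
    if ":" in tok:
        return ipaddress.ip_network(tok, strict=False)
    addr, _, plen = tok.partition("/")
    addr = ".".join((addr.split(".") + ["0"] * 4)[:4])
    return ipaddress.ip_network(f"{addr}/{plen}" if plen else addr, strict=False)


def parse_acl(text):
    """Parse e.g. '{ !{ !10/8; any; }; key update-key; }' into a list of
    (negated, term) pairs, where term is "any", "none", ("key", name), an
    ip_network, or a nested list. Only the subset used in the post is handled."""
    tokens = re.findall(r"[{};!]|[^\s{};!]+", text)
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"expected {expected or 'a token'} at position {pos}")
        pos += 1
        return tokens[pos - 1]

    def parse_list():
        take("{")
        elements = []
        while pos < len(tokens) and tokens[pos] != "}":
            negated = tokens[pos] == "!"
            if negated:
                take("!")
            if tokens[pos] == "{":
                term = parse_list()
            elif tokens[pos] in ("any", "none"):
                term = take()
            elif tokens[pos] == "key":
                take("key")
                term = ("key", take())
            else:
                term = parse_prefix(take())
            take(";")
            elements.append((negated, term))
        take("}")
        return elements

    acl = parse_list()
    if pos != len(tokens):
        raise ValueError("trailing tokens after closing brace")
    return acl


def match_acl(acl, addr, signer=None):
    """The first element that matches, positively or negatively, decides.
    Falling off the end is NOMATCH, which a top-level allow-* clause denies."""
    for negated, term in acl:
        if isinstance(term, list):
            # Nested list: only a positive inner result counts as a match, so
            # "!{ !A; }" cannot double-negate into an accept.
            matched = match_acl(term, addr, signer) is Result.ACCEPT
        elif term == "any":
            matched = True
        elif term == "none":
            matched = False
        elif isinstance(term, tuple):  # ("key", name): request signed with that key (assumed)
            matched = signer == term[1]
        else:
            matched = addr in term
        if matched:
            return Result.REJECT if negated else Result.ACCEPT
    return Result.NOMATCH


def evaluate(acl_text, addr, signer=None):
    return match_acl(parse_acl(acl_text), ipaddress.ip_address(addr), signer)


def allowed(acl_text, addr, signer=None):
    """allow-update decision: only ACCEPT grants; REJECT and NOMATCH both deny."""
    return evaluate(acl_text, addr, signer) is Result.ACCEPT


if __name__ == "__main__":
    # Constructed requests against the ACL from the original question.
    acl = "{ !{ !10/8; any; }; key update-key; }"
    for addr, signer in [("10.0.0.1", "update-key"), ("10.0.0.1", None),
                         ("192.0.2.1", "update-key")]:
        print(f"{addr:<10} signer={signer!s:<11} -> {evaluate(acl, addr, signer).value}")
```

Running it against the ACL from the question shows the behaviour the post lays out: a 10/8 client presenting update-key is accepted, the same client without the key falls off the end of the list (NOMATCH, so denied), and a client outside 10/8 is rejected at once by the negated nested list even when it has the key. Swapping the outer "!" off, as in the post's `{ { !A; any; }; B; }` form, turns the outside-client case into an immediate accept.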