BIND 10 #998: IP based ACL check
BIND 10 Development
do-not-reply at isc.org
Fri Jun 17 11:34:52 UTC 2011
#998: IP based ACL check
-------------------------------------+-------------------------------------
Reporter: | Owner: jinmei
vorner | Status: reviewing
Type: task | Milestone:
Priority: major | Sprint-20110628
Component: | Resolution:
Unclassified | Sensitive: 0
Keywords: | Sub-Project: DNS
Defect Severity: N/A | Estimated Difficulty: 5.0
Feature Depending on Ticket: | Total Hours: 0
Add Hours to Ticket: 0 |
Internal?: 0 |
-------------------------------------+-------------------------------------
Comment (by vorner):
Hello
The notification caught my eye, so I had a short look.
Replying to [comment:9 stephen]:
> The class as implemented here is only a single ACL match (or non-match -
the capability to check for a non-match was trivial, which is why I added
it to this class). The ACL you are suggesting in the example is really a
combined ACL:
The non-match, I guess, will not be used, for consistency. We probably
will have a general not, so having a different syntax for not on IP seems
strange.
> {{{
> allow (source matches 2001:db8:1::/64) AND (dest matches
2001:db8:2::/64)
> }}}
> I would see then implementation as being a class containing two IPCheck
classes, one for source and one for destination. It would be the container
class that knows the structure of the packet and distinguishes between
source and destination address.
But I don't see a way to say „use this context and extract the source
address“ for one version and „use the same context, but extract the
destination address“. Maybe it's there, but I didn't notice it.
And, looking into the file, I didn't find the body of the match function.
Do I look bad?
On the other side, is there any reason to have all the assignment and copy
constructors and so on?
With regards
--
Ticket URL: <http://bind10.isc.org/ticket/998#comment:10>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development
More information about the bind10-tickets
mailing list