BIND 10 #998: IP based ACL check

BIND 10 Development do-not-reply at isc.org
Fri Jun 17 22:45:56 UTC 2011


#998: IP based ACL check
  Reporter: vorner
  Owner: jinmei
  Type: task
  Status: reviewing
  Priority: major
  Milestone: Sprint-20110628
  Component: Unclassified
  Resolution:
  Sensitive: 0
  Keywords:
  Sub-Project: DNS
  Defect Severity: N/A
  Estimated Difficulty: 5.0
  Feature Depending on Ticket:
  Total Hours: 0
  Add Hours to Ticket: 0
  Internal?: 0

Comment (by jinmei):

 Replying to [comment:14 vorner]:

 > > > And, looking into the file, I didn't find the body of the match
 > > > function. Do I look bad?
 > >
 > > My understanding is that it's expected to be very Context dependent,
 > > and no generic template is provided (it's the Context class author's
 > > responsibility to give the implementation).
 >
 > Won't that be confusing, to have methods of a single class scattered over
 > multiple files? Anyway, the thing as a whole looks complicated,
 > considering it's only a simple IP address match.

 I can't speak for Stephen (this is not my design), but, again, my
 understanding of his design is that it's a tradeoff between
 flexibility and implementation overhead of specialization.

 The problem is that it wouldn't be so obvious how to extract the IP
 address to match from the Context.  The "Context" may be of some type
 representing an IP packet, or it may represent an A/AAAA RR (for some
 filtering on the A/AAAA RDATA), or it may mean something else.  Also,
 when the "Context" means an IP packet, what we may want to test is
 either the source or destination address.

 One possibility is to introduce some requirement on the Context type,
 e.g., that it must have a method named "getAddress()" that returns a
 struct sockaddr or something, and to provide a templated implementation
 of match() based on that requirement.  This will save the
 specialization cost, but it also reduces the flexibility of the
 "Context" type.  Personally, I can see both points, and don't have a
 strong opinion either way; I'd happily leave the dispute on this point
 to you and Stephen :-)

-- 
Ticket URL: <http://bind10.isc.org/ticket/998#comment:15>
BIND 10 Development <http://bind10.isc.org>
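The alternative sketched in the comment above, as an added illustration that is not part of the ticket thread and not BIND 10 code: a single templated match() that only requires the Context to expose getAddress() returning a const sockaddr&. The names IPCheck and SourceAddrContext are hypothetical; the check handles both IPv4 and IPv6 prefixes, going a little beyond the comment's "struct sockaddr or something".

```cpp
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
// Hypothetical ACL check (not BIND 10 code): the only requirement on a
// Context is a getAddress() method returning const sockaddr&.
class IPCheck {
public:
    IPCheck(const std::string& prefix, int len) : prefixlen_(len) {
        std::memset(addr_, 0, sizeof(addr_));
        if (inet_pton(AF_INET, prefix.c_str(), addr_) == 1) family_ = AF_INET;
        else if (inet_pton(AF_INET6, prefix.c_str(), addr_) == 1) family_ = AF_INET6;
        else throw std::invalid_argument("bad prefix: " + prefix);
        if (len < 0 || len > (family_ == AF_INET ? 32 : 128)) throw std::invalid_argument("bad length");
    }
    // One generic match() for every conforming Context: no per-Context specialization.
    template <typename Context>
    bool match(const Context& ctx) const { return matchAddr(ctx.getAddress()); }
private:
    bool matchAddr(const sockaddr& sa) const {
        if (sa.sa_family != family_) return false;  // never cross-match v4 and v6
        const uint8_t* a = (family_ == AF_INET)
            ? reinterpret_cast<const uint8_t*>(&reinterpret_cast<const sockaddr_in&>(sa).sin_addr)
            : reinterpret_cast<const uint8_t*>(&reinterpret_cast<const sockaddr_in6&>(sa).sin6_addr);
        const int full = prefixlen_ / 8, rem = prefixlen_ % 8;
        if (std::memcmp(a, addr_, full) != 0) return false;  // whole prefix bytes
        if (rem == 0) return true;
        const uint8_t mask = static_cast<uint8_t>(0xffu << (8 - rem));
        return (a[full] & mask) == (addr_[full] & mask);     // remaining bits
    }
    int family_, prefixlen_; uint8_t addr_[16];
};
// Hypothetical Context: the source address of a received packet.
struct SourceAddrContext {
    sockaddr_storage src;
    const sockaddr& getAddress() const { return reinterpret_cast<const sockaddr&>(src); }
};
// Builds a context from text; used only to construct sample input.
SourceAddrContext makeContext(const std::string& text) {
    SourceAddrContext ctx;
    std::memset(&ctx.src, 0, sizeof(ctx.src));
    if (inet_pton(AF_INET, text.c_str(), &reinterpret_cast<sockaddr_in&>(ctx.src).sin_addr) == 1) ctx.src.ss_family = AF_INET;
    else if (inet_pton(AF_INET6, text.c_str(), &reinterpret_cast<sockaddr_in6&>(ctx.src).sin6_addr) == 1) ctx.src.ss_family = AF_INET6;
    else throw std::invalid_argument("bad address: " + text);
    return ctx;
}
```

A second Context type (say one wrapping the address in an A/AAAA RDATA) needs only its own getAddress(); the same IPCheck::match() then applies unchanged.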