Negation in view match-clients ACL doesn't work?
Cathy Almond
cathya at isc.org
Thu Aug 6 12:56:54 UTC 2015
On 04/08/2015 21:29, Darcy Kevin (FCA) wrote:
> The short answer is that that is how address-match-lists work: a non-negated match allows access, a negated match denies access, and if there is *no* match, access is denied. The only real reason to use a negated match, therefore, is when what you're negating is a subset of something later in the address-match-list.
>
> You do realize, I hope, that you could just change the order of the views and then you wouldn't need any form of negation (earlier one matches 127.0.0.1, later one matches "any").
>
> - Kevin
>
> -----Original Message-----
> From: bind-users-bounces at lists.isc.org [mailto:bind-users-bounces at lists.isc.org] On Behalf Of MURTARI, JOHN
> Sent: Tuesday, August 04, 2015 4:19 PM
> To: bind-users at lists.isc.org
> Subject: Negation in view match-clients ACL doesn't work?
>
> Folks,
>
> This has been a real mystery and I haven't been able to find a good explanation for the behavior. For a simple example, I have two views set up and I want to differentiate access based on queries originating from 127.0.0.1.
>
> In my FIRST ATTEMPT I just negated the IP address, but that didn't work. The first view never matched. In the SECOND ATTEMPT I simply added "any" AFTER the negation and that worked?
>
> I read the ARM, can someone explain? Many Thanks!!!!!
>
> FIRST ATTEMPT: Fails - no clients can see external_zones.
>
> view "default-test" {
>     match-clients { ! 127.0.0.1; }; // thought this would match anyone but 127.0.0.1
>
>     zone "." {
>         type hint;
>         file "db.cache";
>     };
>     zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0.0";
>     };
>
>     include "external_zones.txt";
> };
>
> view "default" {
>     match-clients { any; };
>
>     zone "." {
>         type hint;
>         file "db.cache";
>     };
>     zone "0.0.127.in-addr.arpa" {
>         type master;
>         file "db.127.0.0.0";
>     };
>
>     include "internal_zones.txt";
> };
>
> SECOND ATTEMPT: Succeeds, only external clients can see external_zones.
>
> view "default-test" {
>     match-clients { ! 127.0.0.1; any; }; // Why must I add any?
> ......
>
Although it's dealing with a different question, this KB article might
help a bit with understanding ACLs:
https://kb.isc.org/article/AA-00723
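As an added illustration (not part of the thread, and not BIND's own code), the following Python models the first-match-wins rule Kevin describes and runs the original poster's two match-clients lists, plus Kevin's suggested reordering, against a loopback client and a constructed external client address (192.0.2.10):

```python
"""Model of BIND address-match-list evaluation: first match wins,
a negated match denies, a plain match allows, and no match denies."""
import ipaddress


def acl_matches(acl, client_ip):
    """Evaluate a match-clients list (elements as written in named.conf,
    e.g. ["!127.0.0.1", "any"]) for one client. Returns True = allow."""
    client = ipaddress.ip_address(client_ip)
    for element in acl:
        element = element.strip()
        negated = element.startswith("!")
        if negated:
            element = element[1:].strip()
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        else:
            # Bare address or CIDR prefix; a v4/v6 version mismatch is no match.
            hit = client in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negated      # first matching element decides
    return False                    # nothing matched: denied (the FIRST ATTEMPT trap)


def select_view(views, client_ip):
    """Return the name of the first view whose match-clients accepts client_ip."""
    for name, acl in views:
        if acl_matches(acl, client_ip):
            return name
    return None


# The poster's two configurations, and Kevin's reordering that needs no negation.
FIRST_ATTEMPT = [("default-test", ["!127.0.0.1"]), ("default", ["any"])]
SECOND_ATTEMPT = [("default-test", ["!127.0.0.1", "any"]), ("default", ["any"])]
REORDERED = [("default", ["127.0.0.1"]), ("default-test", ["any"])]

if __name__ == "__main__":
    for label, views in (("FIRST", FIRST_ATTEMPT), ("SECOND", SECOND_ATTEMPT),
                         ("REORDERED", REORDERED)):
        for ip in ("127.0.0.1", "192.0.2.10"):   # 192.0.2.10 is a constructed example client
            print(f"{label}: client {ip} -> view {select_view(views, ip)}")
```

In the FIRST attempt every client falls through to "default" because `{ !127.0.0.1; }` never produces a positive match; in the SECOND attempt "any" supplies that positive match for everyone the negation did not already deny.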