Problems with include in acl file

Robert Moskowitz rgm at htt-consult.com
Sun Oct 18 16:39:01 UTC 2009



Chris Thompson wrote:
> On Oct 18 2009, Joseph S D Yao wrote:
>
>> On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
>>> I am trying to build up an environment where the user can maintain 
>>> custom files and leave the basic files alone.
>>>
>>> So I have a named.acl that works, I add an include line:
>>>
>>> acl "hdanets" {
>>>         192.168.1.0/24; // hda network
>>>         include "custom.acl";
>>> };
>>>
>>>
>>> and get the error:
>>>
>>> Starting named:
>>> Error in named configuration:
>>> named.acl:3: missing ';' before '"'
>> ...
>>
>>
>> Glancing through the 9.6 ARM <https://www.isc.org/files/Bv9.6ARM.pdf>,
>> it seems to me that "include" is a statement, and needs to be parsed
>> outside of any other statements, not inside a statement.  
>
> That's what it *says* ... but it is being economical with the truth!
>
>>                                                          Inside the
>> "acl" statement the parser would expect to see IP addresses, networks in
>> the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
>> "key", and the names of other ACLs.  When it encounters the word
>> "include" in this context, it parses it as the name of an ACL - after
>> which, the '"' is out of place.
>
> As long ago as BIND 9.2, you'll find this in the CHANGES file:
>
> 764.   [func]          Configuration files now allow "include" directives
>                        in more places, such as inside the "view" statement.
>                        [RT #377, #728, #860]
>
> Roughly, "include" can occur instead of a keyword in any list where all
> list elements are introduced by keywords; e.g. "view", "options", "logging",
> "zone". But not "acl" because the elements there do not (in general) start
> with keywords.

Oh, fiddlesticks!!!!  ;)

This complicates matters.  It would have made it very easy to bootstrap 
into this process if this was supported.

>
> For the whole truth, you need to look at lib/isccfg/namedconf.c and
> lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
> in the latter gets called :-( 

I am not much into reading C code.  I never really programmed in C.  Did 
do some programming in B....

So reading someone else's script and recommending changes has been 
challenging enough!
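
A layout that stays within the rules described in the thread (include at statement level, names of other ACLs as acl elements), added here as an example and not taken from any poster's configuration. The ACL name "hdacustom" and the 10.1.0.0/24 network are constructed for illustration.

```conf
// named.acl: "include" sits at statement level, before the acl that uses it
include "custom.acl";

acl "hdanets" {
        192.168.1.0/24; // hda network
        "hdacustom";    // hypothetical ACL name, defined in custom.acl
};

// custom.acl: user-maintained file; it must hold a complete acl statement,
// not a bare list of addresses
acl "hdacustom" {
        10.1.0.0/24;    // constructed sample network
};
```

Running named-checkconf against the main configuration file after each change to custom.acl catches a syntax error in the user-maintained file before named tries to load it.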




