Problems with include in acl file

Mark Andrews marka at isc.org
Sun Oct 18 22:49:24 UTC 2009


In message <4ADB44A5.2060602 at htt-consult.com>, Robert Moskowitz writes:
> 
> 
> Chris Thompson wrote:
> > On Oct 18 2009, Joseph S D Yao wrote:
> >
> >> On Sat, Oct 17, 2009 at 10:33:37PM -0400, Robert Moskowitz wrote:
> >>> I am trying to build up an environment where the user can maintain 
> >>> custom files and leave the basic files alone.
> >>>
> >>> So I have a named.acl that works, I add an include line:
> >>>
> >>> acl "hdanets" {
> >>>         192.168.1.0/24; // hda network
> >>>         include "custom.acl";
> >>> };
> >>>
> >>>
> >>> and get the error:
> >>>
> >>> Starting named:
> >>> Error in named configuration:
> >>> named.acl:3: missing ';' before '"'
> >> ...
> >>
> >>
> >> Glancing through the 9.6 ARM <https://www.isc.org/files/Bv9.6ARM.pdf>,
> >> it seems to me that "include" is a statement, and needs to be parsed
> >> outside of any other statements, not inside a statement.  
> >
> > That's what it *says* ... but it is being economical with the truth!
> >
> >>                                                          Inside the
> >> "acl" statement the parser would expect to see IP addresses, networks in
> >> the ip.ad.dr.ess/xx format, keys with the name prepended by the keyword
> >> "key", and the names of other ACLs.  When it encounters the word
> >> "include" in this context, it parses it as the name of an ACL - after
> >> which, the '"' is out of place.
> >
> > As long ago as BIND 9.2, you'll find this in the CHANGES file:
> >
> > 764.   [func]          Configuration files now allow "include" directives
> >                        in more places, such as inside the "view" statement.
> >                        [RT #377, #728, #860]
> >
> > Roughly, "include" can occur instead of a keyword in any list where all
> > list elements are introduced by keywords; e.g. "view", "options", "logging",
> > "zone". But not "acl" because the elements there do not (in general) start
> > with keywords.
> 
> Oh, fiddlesticks!!!!  ;)
> 
> This complicates matters.  It would have made it very easy to bootstrap 
> into this process if this was supported.

acl's can include other acls.
I'm having a hard time seeing why you need to include a file here.

include "custom.acl";	// defines acl "customacl"

acl "hdanets" {
	192.168.1.0/24; // hda network
	customacl;
};

> > For the whole truth, you need to look at lib/isccfg/namedconf.c and
> > lib/isccfg/parser.c and work out in exactly which cases cfg_parse_mapbody
> > in the latter gets called :-( 
> 
> I am not much into reading c code.  I never really programmed in c.  Did 
> do some programming in b....
> 
> So reading someone else's script and recommending changes has been 
> challenging enough!
> 
> 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
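
The following is an added example, not part of the original message and not BIND code: a small Python pre-flight scan that flags an `include "file";` placed inside an `acl` body, the construct the parser rejects in this thread, while leaving an ACL reference or a top-level include alone. The function name `find_includes_in_acl` is hypothetical, and the two sample configurations are constructed from the snippets quoted above.

```python
import re

# Tokens: comments (dropped), quoted strings, braces/semicolons, bare words.
_TOKEN = re.compile(r'''
    (?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>"[^"\n]*")
  | (?P<punct>[{};])
  | (?P<word>[^\s{};"]+)
''', re.VERBOSE | re.DOTALL)


def find_includes_in_acl(text):
    """Return [(line, acl_name, file)] for each include found inside an acl body."""
    tokens = [(m.lastgroup, m.group(), text.count("\n", 0, m.start()) + 1)
              for m in _TOKEN.finditer(text) if m.lastgroup != "comment"]
    hits = []
    i = 0
    while i < len(tokens):
        # Simplification: any 'acl <name> {' sequence opens an address match list.
        opens_acl = (tokens[i][:2] == ("word", "acl") and i + 2 < len(tokens)
                     and tokens[i + 2][:2] == ("punct", "{"))
        if not opens_acl:
            i += 1
            continue
        name = tokens[i + 1][1].strip('"')
        depth = 1
        i += 3
        while i < len(tokens) and depth > 0:  # walk the body, nested lists included
            kind, value, line = tokens[i]
            if (kind, value) == ("punct", "{"):
                depth += 1
            elif (kind, value) == ("punct", "}"):
                depth -= 1
            elif ((kind, value) == ("word", "include") and i + 1 < len(tokens)
                  and tokens[i + 1][0] == "string"):
                # A bare 'include;' would be an ACL name; a quoted file after it is the error.
                hits.append((line, name, tokens[i + 1][1].strip('"')))
            i += 1
    return hits


# Constructed samples: the failing named.acl and the layout suggested in the reply.
BROKEN = ('acl "hdanets" {\n        192.168.1.0/24; // hda network\n'
          '        include "custom.acl";\n};\n')
FIXED = ('include "custom.acl";\t// defines acl "customacl"\n\n'
         'acl "hdanets" {\n\t192.168.1.0/24; // hda network\n\tcustomacl;\n};\n')

if __name__ == "__main__":
    print(find_includes_in_acl(BROKEN), find_includes_in_acl(FIXED))
```

named-checkconf, shipped with BIND, remains the authoritative syntax check; this scan only looks for the one construct discussed in this thread.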


