put back the blacklistd integration that got lost in the bsd -> mpl move.

external/mpl/bind/Makefile.inc

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile.inc,v 1.4 2019/02/28 22:18:21 joerg Exp $
+#	$NetBSD: Makefile.inc,v 1.5 2019/09/09 14:40:39 christos Exp $
 
 .if !defined(BIND9_MAKEFILE_INC)
 BIND9_MAKEFILE_INC=yes
@@ -77,6 +77,9 @@ CPPFLAGS+= -DLIBINTERFACE=${LIBINTERFACE} \
 #CPPFLAGS+= -DUSE_MEMIMPREGISTER -DUSE_APPIMPREGISTER -DUSE_SOCKETIMPREGISTER \
 #    -DUSE_TIMERIMPREGISTER
 
+LDADD+=-lblacklist
+DPADD+=${LIBBLACKLIST}
+
 .if ${NAMED_USE_PTHREADS} == "yes"
 # XXX: Not ready yet
 # CPPFLAGS+=	-DISC_PLATFORM_USE_NATIVE_RWLOCKS

external/mpl/bind/bin/named/Makefile

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.2 2018/08/14 11:52:56 christos Exp $
+#	$NetBSD: Makefile,v 1.3 2019/09/09 14:40:39 christos Exp $
 
 LDADD+=-lns
 DPADD+=${LIBNS}
@@ -35,11 +35,9 @@ SRCS_UNIX=	os.c dlz_dlopen_driver.c
 SRCS=	builtin.c config.c control.c controlconf.c \
 	log.c logconf.c \
 	main.c server.c statschannel.c \
-	pfilter.c tkeyconf.c tsigconf.c \
+	tkeyconf.c tsigconf.c \
 	zoneconf.c ${SRCS_UNIX}
 
 main.o: ${VERSIONFILE}
 
-LDADD+=-lblacklist
-DPADD+=${LIBBLACKLIST}
 .include <bsd.prog.mk>

external/mpl/bind/dist/bin/named/main.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: main.c,v 1.4 2019/02/24 20:01:27 christos Exp $	*/
+/*	$NetBSD: main.c,v 1.5 2019/09/09 14:40:39 christos Exp $	*/
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -89,7 +89,7 @@
 #include <zlib.h>
 #endif
 
-#include "pfilter.h"
+#include <ns/pfilter.h>
 /*
  * Include header files for database drivers here.
  */
@@ -1404,7 +1404,7 @@ main(int argc, char *argv[]) {
 
 	parse_command_line(argc, argv);
 
-	pfilter_open();
+	pfilter_enable();
 
 #ifdef ENABLE_AFL
 	if (named_g_fuzz_type != isc_fuzz_none) {

external/mpl/bind/dist/lib/ns/Makefile.in

@@ -42,11 +42,11 @@ LIBS =		@LIBS@
 OBJS =		client.@O@ hooks.@O@ interfacemgr.@O@ lib.@O@ \
 		listenlist.@O@ log.@O@ notify.@O@ query.@O@ \
 		server.@O@ sortlist.@O@ stats.@O@ update.@O@ \
-		version.@O@ xfrout.@O@
+		version.@O@ xfrout.@O@ pfilter.@O@
 
 SRCS =		client.c hooks.c interfacemgr.c lib.c listenlist.c \
 		log.c notify.c query.c server.c sortlist.c stats.c \
-		update.c version.c xfrout.c
+		update.c version.c xfrout.c pfilter.c
 
 SUBDIRS =	include
 TESTDIRS =	@UNITTESTS@

external/mpl/bind/dist/lib/ns/include/ns/pfilter.h

@@ -1,2 +1,2 @@
-void pfilter_open(void);
+void pfilter_enable(void);
 void pfilter_notify(isc_result_t, ns_client_t *, const char *);

external/mpl/bind/dist/lib/ns/pfilter.c

@@ -2,20 +2,19 @@
 
 #include <isc/platform.h>
 #include <isc/util.h>
-#include <named/types.h>
+#include <ns/types.h>
 #include <ns/client.h>
 
 #include <blacklist.h>
 
-#include "pfilter.h"
+#include <ns/pfilter.h>
 
 static struct blacklist *blstate;
+static int blenable;
 
 void
-pfilter_open(void)
-{
-	if (blstate == NULL)
-		blstate = blacklist_open();
+pfilter_enable(void) {
+	blenable = 1;
 }
 
 #define TCP_CLIENT(c)  (((c)->attributes & NS_CLIENTATTR_TCP) != 0)
@@ -25,7 +24,14 @@ pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
 {
 	isc_socket_t *socket;
 
-	pfilter_open();
+	if (!blenable)
+		return;
+
+	if (blstate == NULL)
+		blstate = blacklist_open();
+
+	if (blstate == NULL)
+		return;
 
 	if (TCP_CLIENT(client))
 		socket = client->tcpsocket;
@@ -38,9 +44,6 @@ pfilter_notify(isc_result_t res, ns_client_t *client, const char *msg)
 	if (socket == NULL)
 		return;
 
-	if (blstate == NULL)
-		return;
-
 	blacklist_sa_r(blstate, 
 	    res != ISC_R_SUCCESS, isc_socket_getfd(socket),
 	    &client->peeraddr.type.sa, client->peeraddr.length, msg);

external/mpl/bind/dist/lib/ns/query.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: query.c,v 1.6 2019/09/05 19:33:00 christos Exp $	*/
+/*	$NetBSD: query.c,v 1.7 2019/09/09 14:40:40 christos Exp $	*/
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -71,6 +71,8 @@
 #include <ns/stats.h>
 #include <ns/xfrout.h>
 
+#include <ns/pfilter.h>
+
 #if 0
 /*
  * It has been recommended that DNS64 be changed to return excluded
@@ -868,6 +870,8 @@ query_checkcacheaccess(ns_client_t *client, const dns_name_t *name,
 					      msg);
 			}
 		} else if (log) {
+			pfilter_notify(result, client, "checkcacheaccess");
+
 			/*
 			 * We were denied by the "allow-query-cache" ACL.
 			 * There is no need to clear NS_QUERYATTR_CACHEACLOK
@@ -999,6 +1003,7 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name,
 					      "%s approved", msg);
 			}
 		} else {
+			pfilter_notify(result, client, "validatezonedb");
 			ns_client_aclmsg("query", name, qtype,
 					 client->view->rdclass,
 					 msg, sizeof(msg));
@@ -1032,6 +1037,8 @@ query_validatezonedb(ns_client_t *client, const dns_name_t *name,
 
 		result = ns_client_checkaclsilent(client, &client->destaddr,
 						  queryonacl, true);
+		if (result != ISC_R_SUCCESS)
+			pfilter_notify(result, client, "validatezonedb");
 		if ((options & DNS_GETDB_NOLOG) == 0 &&
 		    result != ISC_R_SUCCESS)
 			ns_client_log(client, DNS_LOGCATEGORY_SECURITY,

external/mpl/bind/dist/lib/ns/update.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: update.c,v 1.4 2019/02/24 20:01:32 christos Exp $	*/
+/*	$NetBSD: update.c,v 1.5 2019/09/09 14:40:40 christos Exp $	*/
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -56,6 +56,8 @@
 #include <ns/stats.h>
 #include <ns/update.h>
 
+#include <ns/pfilter.h>
+
 /*! \file
  * \brief
  * This module implements dynamic update as in RFC2136.
@@ -337,6 +339,7 @@ checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
 
 	result = ns_client_checkaclsilent(client, NULL, queryacl, true);
 	if (result != ISC_R_SUCCESS) {
+		pfilter_notify(result, client, "queryacl");
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
@@ -349,6 +352,7 @@ checkqueryacl(ns_client_t *client, dns_acl_t *queryacl, dns_name_t *zonename,
 			      "update '%s/%s' denied due to allow-query",
 			      namebuf, classbuf);
 	} else if (updateacl == NULL && ssutable == NULL) {
+		pfilter_notify(result, client, "updateacl");
 		dns_name_format(zonename, namebuf, sizeof(namebuf));
 		dns_rdataclass_format(client->view->rdclass, classbuf,
 				      sizeof(classbuf));
@@ -392,6 +396,7 @@ checkupdateacl(ns_client_t *client, dns_acl_t *acl, const char *message,
 		msg = "disabled";
 	} else {
 		result = ns_client_checkaclsilent(client, NULL, acl, false);
+		pfilter_notify(result, client, "updateacl");
 		if (result == ISC_R_SUCCESS) {
 			level = ISC_LOG_DEBUG(3);
 			msg = "approved";

external/mpl/bind/dist/lib/ns/xfrout.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: xfrout.c,v 1.5 2019/09/05 19:33:00 christos Exp $	*/
+/*	$NetBSD: xfrout.c,v 1.6 2019/09/09 14:40:40 christos Exp $	*/
 
 /*
  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
@@ -50,6 +50,8 @@
 #include <ns/stats.h>
 #include <ns/xfrout.h>
 
+#include <ns/pfilter.h>
+
 /*! \file
  * \brief
  * Outgoing AXFR and IXFR.
@@ -833,6 +835,7 @@ ns_xfr_start(ns_client_t *client, dns_rdatatype_t reqtype) {
 						     &client->peeraddr,
 						     &db);
 
+			pfilter_notify(result, client, "zonexfr");
 			if (result == ISC_R_NOPERM) {
 				char _buf1[DNS_NAME_FORMATSIZE];
 				char _buf2[DNS_RDATACLASS_FORMATSIZE];

external/mpl/bind/lib/libns/Makefile

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.3 2019/04/28 00:01:16 christos Exp $
+#	$NetBSD: Makefile,v 1.4 2019/09/09 14:40:40 christos Exp $
 
 LIB=ns
 #USE_SHLIBDIR=   yes
@@ -22,6 +22,6 @@ CWARNFLAGS.clang+=	-Wno-tautological-constant-out-of-range-compare
 
 SRCS=	client.c hooks.c interfacemgr.c lib.c listenlist.c \
 	log.c notify.c query.c server.c sortlist.c stats.c \
-	update.c version.c xfrout.c
+	update.c version.c xfrout.c pfilter.c
 
 .include <bsd.lib.mk>