Commit 21b3a186 authored by Libor Peltan, committed by Daniel Salzman

doc: acl behaviour description improved

parent f38e7f55
...@@ -88,32 +88,51 @@ Access control list (ACL) ...@@ -88,32 +88,51 @@ Access control list (ACL)
An ACL list specifies which remotes are allowed to send the server a specific An ACL list specifies which remotes are allowed to send the server a specific
request. A remote can be a single IP address or a network subnet. Also a TSIG request. A remote can be a single IP address or a network subnet. Also a TSIG
key can be assigned (see :doc:`keymgr <man_keymgr>` how to generate a TSIG key):: key can be assigned (see :doc:`keymgr <man_keymgr>` how to generate a TSIG key).
key: With no ACL rule, all the actions are denied for the zone. Each ACL rule
- id: key1 can allow one or more actions for given address/subnet/TSIG, or deny them.
algorithm: hmac-md5
secret: Wg== The rule precendence, if multiple rules match (e.g. overlapping address ranges),
is not for stricter or more specific rules. In any case, just the first -- in the
order of rules in zone or template acl configuration item, not in the order of
declarations in acl section -- matching rule applies and the rest is ignored.
See following examples and :ref:`ACL section`.::
acl: acl:
- id: address_rule - id: address_rule
address: [2001:db8::1, 192.168.2.0/24] # Allowed IP address list address: [2001:db8::1, 192.168.2.0/24]
action: [transfer, update] # Allow zone transfers and updates action: transfer
- id: deny_rule # Negative match rule - id: deny_rule
address: 192.168.2.100 address: 192.168.2.100
action: transfer action: transfer
deny: on # The request is denied deny: on
zone:
- domain: acl1.example.com.
acl: [deny_rule, address_rule] # deny_rule first here to take precendence
::
key:
- id: key1
algorithm: hmac-md5
secret: Wg==
acl:
- id: deny_all
address: 192.168.3.0/24
deny: on # no action specified and deny on implies denial of all actions
- id: key_rule - id: key_rule
key: key1 # Access based just on TSIG key key: key1 # Access based just on TSIG key
action: transfer action: [transfer, notify]
These rules can then be referenced from a zone :ref:`zone_acl`::
zone: zone:
- domain: example.com - domain: acl2.example.com
acl: [address_rule, deny_rule, key_rule] acl: [deny_all, key_rule]
Slave zone Slave zone
========== ==========
...@@ -328,8 +328,7 @@ match one of them. Empty value means that TSIG key is not required. ...@@ -328,8 +328,7 @@ match one of them. Empty value means that TSIG key is not required.
\fIDefault:\fP not set \fIDefault:\fP not set
.SS action .SS action
.sp .sp
An ordered list of allowed actions. Empty action list is only allowed if An ordered list of allowed (or denied) actions.
\fI\%deny\fP is set.
.sp .sp
Possible values: Possible values:
.INDENT 0.0 .INDENT 0.0
...@@ -344,8 +343,9 @@ Possible values: ...@@ -344,8 +343,9 @@ Possible values:
\fIDefault:\fP not set \fIDefault:\fP not set
.SS deny .SS deny
.sp .sp
Deny if \fI\%address\fP, \fI\%key\fP and If enabled, instead of allowing, deny the specified \fI\%action\fP,
\fI\%action\fP match. \fI\%address\fP, \fI\%key\fP, or combination if these
items. If no action is specified, deny all actions.
.sp .sp
\fIDefault:\fP off \fIDefault:\fP off
.SH CONTROL SECTION .SH CONTROL SECTION
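Review bot: the new `action` text drops the constraint "Empty action list is only allowed if deny is set" without stating what an empty action list means when deny is off; if such a rule is rejected at load time or simply never matches, say so here, otherwise a reader may write an allow rule with no action and expect it to permit every action by analogy with the new `deny` wording. In the `deny` paragraph, "combination if these items" should be "combination of these items", and the sentence reads as though the address and key were the things being denied, whereas they are the match conditions and the action is what is refused. Suggested wording: "If enabled, a request matching the address, key and action of this rule is denied instead of allowed. If no action is specified, all actions are denied for the matching address and key."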
...@@ -373,8 +373,7 @@ match one of them. Empty value means that TSIG key is not required. ...@@ -373,8 +373,7 @@ match one of them. Empty value means that TSIG key is not required.
action action
------ ------
An ordered list of allowed actions. Empty action list is only allowed if An ordered list of allowed (or denied) actions.
:ref:`deny<acl_deny>` is set.
Possible values: Possible values:
...@@ -389,8 +388,9 @@ Possible values: ...@@ -389,8 +388,9 @@ Possible values:
deny deny
---- ----
Deny if :ref:`address<acl_address>`, :ref:`key<acl_key>` and If enabled, instead of allowing, deny the specified :ref:`action<acl_action>`,
:ref:`action<acl_action>` match. :ref:`address<acl_address>`, :ref:`key<acl_key>`, or combination if these
items. If no action is specified, deny all actions.
*Default:* off *Default:* off
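Review bot: the reStructuredText source carries the same wording problems as the man page hunk and should be fixed in step with it: "combination if these items" should be "combination of these items"; the `deny` sentence should make clear that address and key are match criteria and the action is what is refused (e.g. "If enabled, a request matching the address, key and action of this rule is denied instead of allowed. If no action is specified, all actions are denied for the matching address and key."); and removing "Empty action list is only allowed if :ref:`deny<acl_deny>` is set" leaves the meaning of an empty action list with deny off undocumented, which this paragraph should state explicitly.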