X-Git-Url: http://gitweb.michael.orlitzky.com/?p=valtz.git;a=blobdiff_plain;f=valtz;h=0ca0e6af003eacb7c5150c3dfb765488b84cb6ce;hp=eebda76f4b17beb77fce88c1d3b4f5ecb282428f;hb=288bef06cc018832685adaf9a7d48e4eeeb99df4;hpb=7c5df8ad5c18a9f8b9440dbd1ae4faacf55b452a diff --git a/valtz b/valtz old mode 100644 new mode 100755 index eebda76..0ca0e6a --- a/valtz +++ b/valtz @@ -62,7 +62,7 @@ my $perrs_total = 0; ## # global location registry # (reset for every zone file) -my %loreg; +my %loreg; # NOTE : DO NOT CHANGE the id numbers my %validation_msg = ( @@ -76,6 +76,7 @@ my %validation_msg = ( 1008 => 'integer out of bounds', 1009 => 'must have at least three labels to be valid as mail address', 1010 => 'must not be 2(NS), 5(CNAME), 6(SOA), 12(PTR), 15(MX) or 252(AXFR)', + 1011 => 'IP address found where hostname expected' ); # NOTE : ONLY translate the right-hand part @@ -100,6 +101,9 @@ my %token_name = ( 'min' => 'Minimum time', 'n' => 'Record type number', 'rdata' => 'Resource data', + 'port' => 'Port', + 'priority' => 'Priority', + 'weight' => 'Weight' ); my %record_type = ( @@ -114,6 +118,7 @@ my %record_type = ( "'" => 'TXT', '^' => 'PTR', 'C' => 'CNAME', + 'S' => 'SRV', 'Z' => 'SOA', ':' => 'GENERIC' ); @@ -131,6 +136,8 @@ my %line_type = ( "'" => [ 'TXT', 'fqdn:s:ttl:timestamp:lo', 'fqdn:s' ], '^' => [ 'PTR', 'fqdn:p:ttl:timestamp:lo', 'fqdn:p' ], 'C' => [ 'CNAME', 'fqdn:p:ttl:timestamp:lo', 'fqdn:p' ], + 'S' => [ 'SRV', 'fqdn:ip:x:port:weight:priority:ttl:timestamp:lo', + 'fqdn:x:port' ], 'Z' => [ 'SOA', 'fqdn:mname:rname:ser:ref:ret:exp:min:ttl:timestamp:lo', 'fqdn:mname:rname' ], ':' => [ 'GENERIC', 'fqdn:n:rdata:ttl:timestamp:lo', 'fqdn:n:rdata' ] @@ -146,7 +153,7 @@ sub validate_integer { my $i = $1; - $result = 1008 if $boundary && ($i >= $boundary); + $result = 1008 if $boundary && ($i >= $boundary); } else { @@ -179,11 +186,11 @@ my %token_validator = ( if ($s =~ /^(\d+)(\.(\d+)(\.(\d+)(\.(\d+))?)?)?$/) { my ($a, $b, $c, $d) = ($1, $3, $5, $7); - $a ||= 0; - $b ||= 0; - $c ||= 0; - $d ||= 0; - if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) + $a ||= 0; + $b ||= 0; + $c ||= 0; + $d ||= 0; + if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) { $result = 1003; } @@ -214,11 +221,11 @@ my %token_validator = ( if ($s =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)\.?$/) { my ($a, $b, $c, $d) = ($1, $3, $5, $7); - $a ||= 0; - $b ||= 0; - $c ||= 0; - $d ||= 0; - if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) + $a ||= 0; + $b ||= 0; + $c ||= 0; + $d ||= 0; + if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) { $result = 1003 } @@ -232,6 +239,13 @@ my %token_validator = ( 'x' => [ 5, sub { my ($type, $s) = @_; my $result = 0; + + # Check to see if someone put an IP address in a hostname + # field. The motivation for this was MX records where many + # people expect an IP address to be a valid response, but I + # see no harm in enforcing it elsewhere. + return 1011 if $s =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.?$/; + # check all parts for (split /\./, $s) { @@ -259,7 +273,7 @@ my %token_validator = ( 's' => [ 10, sub { my ($type, $s) = @_; my $result = 0; - # TODO : Validation needed? + # TODO : Validation needed? return $result; }], 'p' => [ 11, sub { @@ -274,7 +288,7 @@ my %token_validator = ( } return $result; }], - 'mname' => [ 12, sub { + 'mname' => [ 12, sub { my ($type, $s) = @_; my $result = 0; # check all parts @@ -289,7 +303,7 @@ my %token_validator = ( 'rname' => [ 13, sub { my ($type, $s) = @_; my $result = 0; - + # check all parts my @parts = split /\./, $s; return 1009 if @parts < 3; @@ -330,16 +344,31 @@ my %token_validator = ( 'n' => [ 19, sub { my ($type, $s) = @_; my $result = validate_integer($s, 65535); - + return 1010 if ($s==2)||($s==5)||($s==6)||($s==12)||($s==15)||($s==252); return $result; }], 'rdata' => [ 20, sub { my ($type, $s) = @_; - # TODO : Validation needed? + # TODO : Validation needed? my $result = 0; return $result; + }], + 'port' => [ 21, sub { + my ($type, $s) = @_; + my $result = validate_integer($s, 65536); + return $result; + }], + 'priority' => [ 22, sub { + my ($type, $s) = @_; + my $result = validate_integer($s, 65536); + return $result; + }], + 'weight' => [ 23, sub { + my ($type, $s) = @_; + my $result = validate_integer($s, 65536); + return $result; }], @@ -402,7 +431,7 @@ sub validate_line ($) { $ip = $token; } - + # if (length($ip) && ($mask[$c] eq 'x')) { @@ -410,14 +439,14 @@ sub validate_line ($) $tmp =~ s/\.$//; push @{$$result[3]}, $tmp; } - + # perform validation - + my $tv = &{$$validator[1]}($type, $token); if ($tv) { $$result[0] ^= (2 ** $$validator[0]); - $$result[1] .= + $$result[1] .= "\npos $c; $mask[$c]; $validation_msg{$tv}"; } } @@ -432,7 +461,7 @@ sub validate_line ($) if ($mand) { - $$result[0] ^= (2 ** $$validator[0]); + $$result[0] ^= (2 ** $$validator[0]); $$result[1] .= "\npos $c; $mask[$c]; ". $token_name{$mask[$c]}.' is mandatory'; } @@ -449,7 +478,7 @@ sub validate_line ($) $c++; } } - + if ($$result[0]) { $$result[1] = "expected: ".$line_type{$type}->[1]."\n". @@ -457,7 +486,7 @@ sub validate_line ($) } } - else + else { $result = [ 1, sprintf("unknown record type: #%02x", ord($type)) ]; @@ -467,7 +496,7 @@ sub validate_line ($) $$result[1] =~ s/^\n+//; $$result[1] =~ s/\n+/\n/g; - # result is now [ iErrno, sErrtxt, sRecordType, [ sFQDN ] ] + # result is now [ iErrno, sErrtxt, sRecordType, [ sFQDN ] ] return $result; } @@ -539,7 +568,7 @@ sub read_filter ($$) chomp; s/^\s+//; s/\s+$//; - + if (/^(\w+)\s+(.+)$/) { my ($key, $value) = ($1, $2); @@ -668,7 +697,7 @@ sub do_filterfile ($$) $$f{allowtype} = (keys %{$$f{allowtype}})[0]; $$f{allowtype} .= $opt{T}; - + my $allowtyperegex = make_char_regexp($$f{allowtype}); if ($$f{extralog}) @@ -701,7 +730,7 @@ sub do_filterfile ($$) { next if $zonefile =~ /$FILESUFFIXREGEXP/i; } - + my $info = 0; my $filehandle = \*STDIN; my $fopen = 1; @@ -713,7 +742,7 @@ sub do_filterfile ($$) { my $temp = ($zonefile eq '-') ? '' : $zonefile; p $output, "File $temp"; - + %loreg = (); my $errs = 0; my $lno = 0; @@ -759,12 +788,11 @@ sub do_filterfile ($$) # Check $$v[3] against allowed fqdn:s:wq! if (keys %{$$f{deny}}) { - # my $patterns = regexped_patterns($$f{deny}); # Default ALLOW ALL $ok = $fqdnok = 1; $reason = 'default allow ^.*$'; - + for my $pat (@{$patterns}) { for (@{$$v[3]}) @@ -796,9 +824,9 @@ sub do_filterfile ($$) } } } # if deny/allow - } # if fqdn + } # if fqdn } # if recordtype ok - } # + } if ($ok && length($line)) { @@ -810,13 +838,13 @@ sub do_filterfile ($$) { $errs++; $perrs_total++; - p $output, " line $lno; err -2; $line"; + p $output, " line $lno; err -2; $line"; p $output, " use of fqdn denied; $reason"; if ($opt{I}) { - print STDOUT "# line $lno; err -2; $line\n"; + print STDOUT "# line $lno; err -2; $line\n"; print STDOUT "# use of fqdn denied; $reason\n"; - } + } } } } @@ -832,8 +860,8 @@ sub do_filterfile ($$) } } - - # Close all extra logfiles + + # Close all extra logfiles for my $el (@extralogs) { if (close($$el[0])) @@ -868,7 +896,7 @@ my $files = funiq(@ARGV); if ($opt{h} || $opt{H} || $opt{'?'}) { print <<"--EOT"; -valtz $VERSION, $COPYRIGHT +valtz $VERSION, $COPYRIGHT validates tinydns-data zone files Usage: $0 [-hfFqrRiItTx] @@ -877,7 +905,7 @@ Usage: -f filter (don't just validate) file and output accepted lines to STDOUT. - + -F treat files as filter configuration files for more advanced filtering. These filterfiles one or several of the following filter directives: @@ -909,27 +937,27 @@ Usage: Multiple zonefile, allow- and deny-lines are allowed, but also the alternative file:-line that points to a textfile containing one value per line. - - + + -r allows fqdn to be empty thus denoting the root. This is also allowed per default when doing implict allow - see deny, or when specifying 'allow .', i.e. explictly allowing root as such. (cannot be combined with deny) - + -R relaxes the validation and allows empty mname and p-fields.xi This is probably not very useful. - + -i allows the ip-fields to be empty as well. These will then not generate any records. -I Include rejected lines as comments in output (valid when filtering). - + -q Do not echo valid lines to STDOUT. - + -s DO NOT ignore files ending with ,v ~ .bak .log .old .swp .tmp which is done per default. @@ -963,18 +991,18 @@ All errors in the zonefiles are sent to STDERR. >/etc/tinydns/data.otto \ 2>/var/log/tinydns/valtz.log - + Example filterfile for using as import from primary (as above): zonefile /var/zones/external/otto/zone-* deny bodin.org deny x42.com - extralog /var/log/tinydns/external-otto.log + extralog /var/log/tinydns/external-otto.log Example #2, strict filter for a certain user editing just A-records zonefile /home/felix/zones/zone-fl3x-net allow fl3x.net - allowtype + + allowtype + extralog /var/log/tinydns/fl3x-net.log Example #3, export filter to secondary @@ -992,7 +1020,7 @@ All errors in the zonefiles are sent to STDERR. elsif (@{$files} == 0) { print <<"--EOT"; -valtz $VERSION, $COPYRIGHT +valtz $VERSION, $COPYRIGHT validates tinydns-data zone files Usage: Simple validation: @@ -1031,7 +1059,7 @@ else { next if $zonefile =~ /$FILESUFFIXREGEXP/i; } - + my $filehandle = \*STDIN; my $fopen = 1; if ($zonefile ne '-') @@ -1063,7 +1091,7 @@ else { print STDOUT "# line $lno; err $$v[0] $line print STDOUT "# $$v[1]; \n"; - } + } } else {