X-Git-Url: http://gitweb.michael.orlitzky.com/?p=valtz.git;a=blobdiff_plain;f=valtz;h=26d516db4a8350b2b4ccb4173eb8cd6ce5196865;hp=c68c120e9a96b324a5de4619f3857b418d551e75;hb=097807e6b55527da495fa668a3c47fc938393743;hpb=422cc33cf0da52d10c271a75cda271d5963da4eb diff --git a/valtz b/valtz old mode 100644 new mode 100755 index c68c120..26d516d --- a/valtz +++ b/valtz @@ -62,7 +62,7 @@ my $perrs_total = 0; ## # global location registry # (reset for every zone file) -my %loreg; +my %loreg; # NOTE : DO NOT CHANGE the id numbers my %validation_msg = ( @@ -100,6 +100,9 @@ my %token_name = ( 'min' => 'Minimum time', 'n' => 'Record type number', 'rdata' => 'Resource data', + 'port' => 'Port', + 'priority' => 'Priority', + 'weight' => 'Weight' ); my %record_type = ( @@ -114,6 +117,7 @@ my %record_type = ( "'" => 'TXT', '^' => 'PTR', 'C' => 'CNAME', + 'S' => 'SRV', 'Z' => 'SOA', ':' => 'GENERIC' ); @@ -131,6 +135,8 @@ my %line_type = ( "'" => [ 'TXT', 'fqdn:s:ttl:timestamp:lo', 'fqdn:s' ], '^' => [ 'PTR', 'fqdn:p:ttl:timestamp:lo', 'fqdn:p' ], 'C' => [ 'CNAME', 'fqdn:p:ttl:timestamp:lo', 'fqdn:p' ], + 'S' => [ 'SRV', 'fqdn:ip:x:port:weight:priority:ttl:timestamp:lo', + 'fqdn:x:port' ], 'Z' => [ 'SOA', 'fqdn:mname:rname:ser:ref:ret:exp:min:ttl:timestamp:lo', 'fqdn:mname:rname' ], ':' => [ 'GENERIC', 'fqdn:n:rdata:ttl:timestamp:lo', 'fqdn:n:rdata' ] @@ -146,7 +152,7 @@ sub validate_integer { my $i = $1; - $result = 1008 if $boundary && ($i >= $boundary); + $result = 1008 if $boundary && ($i >= $boundary); } else { @@ -179,11 +185,11 @@ my %token_validator = ( if ($s =~ /^(\d+)(\.(\d+)(\.(\d+)(\.(\d+))?)?)?$/) { my ($a, $b, $c, $d) = ($1, $3, $5, $7); - $a ||= 0; - $b ||= 0; - $c ||= 0; - $d ||= 0; - if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) + $a ||= 0; + $b ||= 0; + $c ||= 0; + $d ||= 0; + if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) { $result = 1003; } @@ -202,7 +208,7 @@ my %token_validator = ( # check all parts for my $hostpart (split /\./, $s) { - return 1005 unless $hostpart =~ /^[-a-z0-9]+$/i; + return 1005 unless $hostpart =~ /^_?[-a-z0-9]+$/i; return 1006 if $hostpart =~ /^-/; return 1007 if $hostpart =~ /-$/; } @@ -214,11 +220,11 @@ my %token_validator = ( if ($s =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)\.?$/) { my ($a, $b, $c, $d) = ($1, $3, $5, $7); - $a ||= 0; - $b ||= 0; - $c ||= 0; - $d ||= 0; - if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) + $a ||= 0; + $b ||= 0; + $c ||= 0; + $d ||= 0; + if (($a > 255) || ($b > 255) || ($c > 255) || ($d > 255)) { $result = 1003 } @@ -259,7 +265,7 @@ my %token_validator = ( 's' => [ 10, sub { my ($type, $s) = @_; my $result = 0; - # TODO : Validation needed? + # TODO : Validation needed? return $result; }], 'p' => [ 11, sub { @@ -268,13 +274,13 @@ my %token_validator = ( # check all parts for (split /\./, $s) { - return 1005 unless /^[-[a-z0-9]+$/i; + return 1005 unless /^_?[-[a-z0-9]+$/i; return 1006 if /^-/; return 1007 if /-$/; } return $result; }], - 'mname' => [ 12, sub { + 'mname' => [ 12, sub { my ($type, $s) = @_; my $result = 0; # check all parts @@ -289,7 +295,7 @@ my %token_validator = ( 'rname' => [ 13, sub { my ($type, $s) = @_; my $result = 0; - + # check all parts my @parts = split /\./, $s; return 1009 if @parts < 3; @@ -330,16 +336,31 @@ my %token_validator = ( 'n' => [ 19, sub { my ($type, $s) = @_; my $result = validate_integer($s, 65535); - + return 1010 if ($s==2)||($s==5)||($s==6)||($s==12)||($s==15)||($s==252); return $result; }], 'rdata' => [ 20, sub { my ($type, $s) = @_; - # TODO : Validation needed? + # TODO : Validation needed? my $result = 0; return $result; + }], + 'port' => [ 21, sub { + my ($type, $s) = @_; + my $result = validate_integer($s, 65536); + return $result; + }], + 'priority' => [ 22, sub { + my ($type, $s) = @_; + my $result = validate_integer($s, 65536); + return $result; + }], + 'weight' => [ 23, sub { + my ($type, $s) = @_; + my $result = validate_integer($s, 65536); + return $result; }], @@ -402,7 +423,7 @@ sub validate_line ($) { $ip = $token; } - + # if (length($ip) && ($mask[$c] eq 'x')) { @@ -410,14 +431,14 @@ sub validate_line ($) $tmp =~ s/\.$//; push @{$$result[3]}, $tmp; } - + # perform validation - + my $tv = &{$$validator[1]}($type, $token); if ($tv) { $$result[0] ^= (2 ** $$validator[0]); - $$result[1] .= + $$result[1] .= "\npos $c; $mask[$c]; $validation_msg{$tv}"; } } @@ -432,7 +453,7 @@ sub validate_line ($) if ($mand) { - $$result[0] ^= (2 ** $$validator[0]); + $$result[0] ^= (2 ** $$validator[0]); $$result[1] .= "\npos $c; $mask[$c]; ". $token_name{$mask[$c]}.' is mandatory'; } @@ -449,7 +470,7 @@ sub validate_line ($) $c++; } } - + if ($$result[0]) { $$result[1] = "expected: ".$line_type{$type}->[1]."\n". @@ -457,7 +478,7 @@ sub validate_line ($) } } - else + else { $result = [ 1, sprintf("unknown record type: #%02x", ord($type)) ]; @@ -467,7 +488,7 @@ sub validate_line ($) $$result[1] =~ s/^\n+//; $$result[1] =~ s/\n+/\n/g; - # result is now [ iErrno, sErrtxt, sRecordType, [ sFQDN ] ] + # result is now [ iErrno, sErrtxt, sRecordType, [ sFQDN ] ] return $result; } @@ -539,7 +560,7 @@ sub read_filter ($$) chomp; s/^\s+//; s/\s+$//; - + if (/^(\w+)\s+(.+)$/) { my ($key, $value) = ($1, $2); @@ -668,7 +689,7 @@ sub do_filterfile ($$) $$f{allowtype} = (keys %{$$f{allowtype}})[0]; $$f{allowtype} .= $opt{T}; - + my $allowtyperegex = make_char_regexp($$f{allowtype}); if ($$f{extralog}) @@ -701,7 +722,7 @@ sub do_filterfile ($$) { next if $zonefile =~ /$FILESUFFIXREGEXP/i; } - + my $info = 0; my $filehandle = \*STDIN; my $fopen = 1; @@ -713,7 +734,7 @@ sub do_filterfile ($$) { my $temp = ($zonefile eq '-') ? '' : $zonefile; p $output, "File $temp"; - + %loreg = (); my $errs = 0; my $lno = 0; @@ -759,12 +780,11 @@ sub do_filterfile ($$) # Check $$v[3] against allowed fqdn:s:wq! if (keys %{$$f{deny}}) { - # my $patterns = regexped_patterns($$f{deny}); # Default ALLOW ALL $ok = $fqdnok = 1; $reason = 'default allow ^.*$'; - + for my $pat (@{$patterns}) { for (@{$$v[3]}) @@ -796,9 +816,9 @@ sub do_filterfile ($$) } } } # if deny/allow - } # if fqdn + } # if fqdn } # if recordtype ok - } # + } if ($ok && length($line)) { @@ -810,13 +830,13 @@ sub do_filterfile ($$) { $errs++; $perrs_total++; - p $output, " line $lno; err -2; $line"; + p $output, " line $lno; err -2; $line"; p $output, " use of fqdn denied; $reason"; if ($opt{I}) { - print STDOUT "# line $lno; err -2; $line\n"; + print STDOUT "# line $lno; err -2; $line\n"; print STDOUT "# use of fqdn denied; $reason\n"; - } + } } } } @@ -832,8 +852,8 @@ sub do_filterfile ($$) } } - - # Close all extra logfiles + + # Close all extra logfiles for my $el (@extralogs) { if (close($$el[0])) @@ -868,7 +888,7 @@ my $files = funiq(@ARGV); if ($opt{h} || $opt{H} || $opt{'?'}) { print <<"--EOT"; -valtz $VERSION, $COPYRIGHT +valtz $VERSION, $COPYRIGHT validates tinydns-data zone files Usage: $0 [-hfFqrRiItTx] @@ -877,7 +897,7 @@ Usage: -f filter (don't just validate) file and output accepted lines to STDOUT. - + -F treat files as filter configuration files for more advanced filtering. These filterfiles one or several of the following filter directives: @@ -909,27 +929,27 @@ Usage: Multiple zonefile, allow- and deny-lines are allowed, but also the alternative file:-line that points to a textfile containing one value per line. - - + + -r allows fqdn to be empty thus denoting the root. This is also allowed per default when doing implict allow - see deny, or when specifying 'allow .', i.e. explictly allowing root as such. (cannot be combined with deny) - + -R relaxes the validation and allows empty mname and p-fields.xi This is probably not very useful. - + -i allows the ip-fields to be empty as well. These will then not generate any records. -I Include rejected lines as comments in output (valid when filtering). - + -q Do not echo valid lines to STDOUT. - + -s DO NOT ignore files ending with ,v ~ .bak .log .old .swp .tmp which is done per default. @@ -963,18 +983,18 @@ All errors in the zonefiles are sent to STDERR. >/etc/tinydns/data.otto \ 2>/var/log/tinydns/valtz.log - + Example filterfile for using as import from primary (as above): zonefile /var/zones/external/otto/zone-* deny bodin.org deny x42.com - extralog /var/log/tinydns/external-otto.log + extralog /var/log/tinydns/external-otto.log Example #2, strict filter for a certain user editing just A-records zonefile /home/felix/zones/zone-fl3x-net allow fl3x.net - allowtype + + allowtype + extralog /var/log/tinydns/fl3x-net.log Example #3, export filter to secondary @@ -992,7 +1012,7 @@ All errors in the zonefiles are sent to STDERR. elsif (@{$files} == 0) { print <<"--EOT"; -valtz $VERSION, $COPYRIGHT +valtz $VERSION, $COPYRIGHT validates tinydns-data zone files Usage: Simple validation: @@ -1031,7 +1051,7 @@ else { next if $zonefile =~ /$FILESUFFIXREGEXP/i; } - + my $filehandle = \*STDIN; my $fopen = 1; if ($zonefile ne '-') @@ -1063,7 +1083,7 @@ else { print STDOUT "# line $lno; err $$v[0] $line print STDOUT "# $$v[1]; \n"; - } + } } else {