acl_list.h revision 356345 
1/*
2 * daemon/acl_list.h - client access control storage for the server.
3 *
4 * Copyright (c) 2007, NLnet Labs. All rights reserved.
5 *
6 * This software is open source.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * Redistributions of source code must retain the above copyright notice,
13 * this list of conditions and the following disclaimer.
14 *
15 * Redistributions in binary form must reproduce the above copyright notice,
16 * this list of conditions and the following disclaimer in the documentation
17 * and/or other materials provided with the distribution.
18 *
19 * Neither the name of the NLNET LABS nor the names of its contributors may
20 * be used to endorse or promote products derived from this software without
21 * specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36/**
37 * \file
38 *
39 * This file keeps track of the list of clients that are allowed to
40 * access the server.
41 */
42
43#ifndef DAEMON_ACL_LIST_H
44#define DAEMON_ACL_LIST_H
45#include "util/storage/dnstree.h"
46#include "services/view.h"
47struct config_file;
48struct regional;
49
50/**
51 * Enumeration of access control options for an address range.
52 * Allow or deny access.
53 */
54enum acl_access {
55	/** disallow any access whatsoever, drop it */
56	acl_deny = 0,
57	/** disallow access, send a polite 'REFUSED' reply */
58	acl_refuse,
59	/** disallow any access to zones that aren't local, drop it */
60	acl_deny_non_local,
61	/** disallow access to zones that aren't local, 'REFUSED' reply */
62	acl_refuse_non_local,
63	/** allow full access for recursion (+RD) queries */
64	acl_allow,
65	/** allow full access for all queries, recursion and cache snooping */
66	acl_allow_snoop,
67	/** allow full access for recursion queries and set RD flag regardless of request */
68	acl_allow_setrd
69};
70
71/**
72 * Access control storage structure
73 */
74struct acl_list {
75	/** regional for allocation */
76	struct regional* region;
77	/**
78	 * Tree of the addresses that are allowed/blocked.
79	 * contents of type acl_addr.
80	 */
81	rbtree_type tree;
82};
83
84/**
85 *
86 * An address span with access control information
87 */
88struct acl_addr {
89	/** node in address tree */
90	struct addr_tree_node node;
91	/** access control on this netblock */
92	enum acl_access control;
93	/** tag bitlist */
94	uint8_t* taglist;
95	/** length of the taglist (in bytes) */
96	size_t taglen;
97	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
98	uint8_t* tag_actions;
99	/** size of the tag_actions_array */
100	size_t tag_actions_size;
101	/** array per tagnumber, with per tag a list of rdata strings.
102	 * NULL if none.  strings are like 'A 127.0.0.1' 'AAAA ::1' */
103	struct config_strlist** tag_datas;
104	/** size of the tag_datas array */
105	size_t tag_datas_size;
106	/* view element, NULL if none */
107	struct view* view;
108};
109
110/**
111 * Create acl structure
112 * @return new structure or NULL on error.
113 */
114struct acl_list* acl_list_create(void);
115
116/**
117 * Delete acl structure.
118 * @param acl: to delete.
119 */
120void acl_list_delete(struct acl_list* acl);
121
122/**
123 * Process access control config.
124 * @param acl: where to store.
125 * @param cfg: config options.
126 * @param v: views structure
127 * @return 0 on error.
128 */
129int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
130	struct views* v);
131
132/**
133 * Lookup access control status for acl structure.
134 * @param acl: structure for acl storage.
135 * @return: what to do with message from this address.
136 */
137enum acl_access acl_get_control(struct acl_addr* acl);
138
139/**
140 * Lookup address to see its acl structure
141 * @param acl: structure for address storage.
142 * @param addr: address to check
143 * @param addrlen: length of addr.
144 * @return: acl structure from this address.
145 */
146struct acl_addr*
147acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
148        socklen_t addrlen);
149
150/**
151 * Get memory used by acl structure.
152 * @param acl: structure for address storage.
153 * @return bytes in use.
154 */
155size_t acl_list_get_mem(struct acl_list* acl);
156
157#endif /* DAEMON_ACL_LIST_H */
158