1135446Strhodes/* 2254897Serwin * Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC") 3135446Strhodes * Copyright (C) 1999-2002 Internet Software Consortium. 4135446Strhodes * 5193149Sdougb * Permission to use, copy, modify, and/or distribute this software for any 6135446Strhodes * purpose with or without fee is hereby granted, provided that the above 7135446Strhodes * copyright notice and this permission notice appear in all copies. 8135446Strhodes * 9135446Strhodes * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10135446Strhodes * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11135446Strhodes * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12135446Strhodes * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13135446Strhodes * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14135446Strhodes * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15135446Strhodes * PERFORMANCE OF THIS SOFTWARE. 16135446Strhodes */ 17135446Strhodes 18254897Serwin/* $Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp $ */ 19135446Strhodes 20135446Strhodes#ifndef DNS_ACL_H 21135446Strhodes#define DNS_ACL_H 1 22135446Strhodes 23135446Strhodes/***** 24135446Strhodes ***** Module Info 25135446Strhodes *****/ 26135446Strhodes 27193149Sdougb/*! \file dns/acl.h 28170222Sdougb * \brief 29135446Strhodes * Address match list handling. 30135446Strhodes */ 31135446Strhodes 32135446Strhodes/*** 33135446Strhodes *** Imports 34135446Strhodes ***/ 35135446Strhodes 36135446Strhodes#include <isc/lang.h> 37135446Strhodes#include <isc/magic.h> 38135446Strhodes#include <isc/netaddr.h> 39135446Strhodes#include <isc/refcount.h> 40135446Strhodes 41135446Strhodes#include <dns/name.h> 42135446Strhodes#include <dns/types.h> 43193149Sdougb#include <dns/iptable.h> 44135446Strhodes 45135446Strhodes/*** 46135446Strhodes *** Types 47135446Strhodes ***/ 48135446Strhodes 49135446Strhodestypedef enum { 50135446Strhodes dns_aclelementtype_ipprefix, 51135446Strhodes dns_aclelementtype_keyname, 52135446Strhodes dns_aclelementtype_nestedacl, 53135446Strhodes dns_aclelementtype_localhost, 54135446Strhodes dns_aclelementtype_localnets, 55135446Strhodes dns_aclelementtype_any 56135446Strhodes} dns_aclelemettype_t; 57135446Strhodes 58135446Strhodestypedef struct dns_aclipprefix dns_aclipprefix_t; 59135446Strhodes 60135446Strhodesstruct dns_aclipprefix { 61135446Strhodes isc_netaddr_t address; /* IP4/IP6 */ 62135446Strhodes unsigned int prefixlen; 63135446Strhodes}; 64135446Strhodes 65135446Strhodesstruct dns_aclelement { 66193149Sdougb dns_aclelemettype_t type; 67193149Sdougb isc_boolean_t negative; 68193149Sdougb dns_name_t keyname; 69193149Sdougb dns_acl_t *nestedacl; 70193149Sdougb int node_num; 71135446Strhodes}; 72135446Strhodes 73135446Strhodesstruct dns_acl { 74135446Strhodes unsigned int magic; 75135446Strhodes isc_mem_t *mctx; 76135446Strhodes isc_refcount_t refcount; 77193149Sdougb dns_iptable_t *iptable; 78193149Sdougb#define node_count iptable->radix->num_added_node 79135446Strhodes dns_aclelement_t *elements; 80193149Sdougb isc_boolean_t has_negatives; 81170222Sdougb unsigned int alloc; /*%< Elements allocated */ 82170222Sdougb unsigned int length; /*%< Elements initialized */ 83170222Sdougb char *name; /*%< Temporary use only */ 84170222Sdougb ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */ 85135446Strhodes}; 86135446Strhodes 87135446Strhodesstruct dns_aclenv { 88135446Strhodes dns_acl_t *localhost; 89135446Strhodes dns_acl_t *localnets; 90135446Strhodes isc_boolean_t match_mapped; 91135446Strhodes}; 92135446Strhodes 93135446Strhodes#define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l') 94135446Strhodes#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) 95135446Strhodes 96135446Strhodes/*** 97135446Strhodes *** Functions 98135446Strhodes ***/ 99135446Strhodes 100135446StrhodesISC_LANG_BEGINDECLS 101135446Strhodes 102135446Strhodesisc_result_t 103135446Strhodesdns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target); 104170222Sdougb/*%< 105193149Sdougb * Create a new ACL, including an IP table and an array with room 106193149Sdougb * for 'n' ACL elements. The elements are uninitialized and the 107193149Sdougb * length is 0. 108135446Strhodes */ 109135446Strhodes 110135446Strhodesisc_result_t 111135446Strhodesdns_acl_any(isc_mem_t *mctx, dns_acl_t **target); 112170222Sdougb/*%< 113135446Strhodes * Create a new ACL that matches everything. 114135446Strhodes */ 115135446Strhodes 116135446Strhodesisc_result_t 117135446Strhodesdns_acl_none(isc_mem_t *mctx, dns_acl_t **target); 118170222Sdougb/*%< 119135446Strhodes * Create a new ACL that matches nothing. 120135446Strhodes */ 121135446Strhodes 122193149Sdougbisc_boolean_t 123193149Sdougbdns_acl_isany(dns_acl_t *acl); 124193149Sdougb/*%< 125193149Sdougb * Test whether ACL is set to "{ any; }" 126193149Sdougb */ 127193149Sdougb 128193149Sdougbisc_boolean_t 129193149Sdougbdns_acl_isnone(dns_acl_t *acl); 130193149Sdougb/*%< 131193149Sdougb * Test whether ACL is set to "{ none; }" 132193149Sdougb */ 133193149Sdougb 134193149Sdougbisc_result_t 135193149Sdougbdns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos); 136193149Sdougb/*%< 137193149Sdougb * Merge the contents of one ACL into another. Call dns_iptable_merge() 138193149Sdougb * for the IP tables, then concatenate the element arrays. 139193149Sdougb * 140193149Sdougb * If pos is set to false, then the nested ACL is to be negated. This 141193149Sdougb * means reverse the sense of each *positive* element or IP table node, 142193149Sdougb * but leave negatives alone, so as to prevent a double-negative causing 143193149Sdougb * an unexpected positive match in the parent ACL. 144193149Sdougb */ 145193149Sdougb 146135446Strhodesvoid 147135446Strhodesdns_acl_attach(dns_acl_t *source, dns_acl_t **target); 148225361Sdougb/*%< 149225361Sdougb * Attach to acl 'source'. 150225361Sdougb * 151225361Sdougb * Requires: 152225361Sdougb *\li 'source' to be a valid acl. 153225361Sdougb *\li 'target' to be non NULL and '*target' to be NULL. 154225361Sdougb */ 155135446Strhodes 156135446Strhodesvoid 157135446Strhodesdns_acl_detach(dns_acl_t **aclp); 158225361Sdougb/*%< 159225361Sdougb * Detach the acl. On final detach the acl must not be linked on any 160225361Sdougb * list. 161225361Sdougb * 162225361Sdougb * Requires: 163225361Sdougb *\li '*aclp' to be a valid acl. 164225361Sdougb * 165225361Sdougb * Insists: 166225361Sdougb *\li '*aclp' is not linked on final detach. 167225361Sdougb */ 168135446Strhodes 169135446Strhodesisc_boolean_t 170165071Sdougbdns_acl_isinsecure(const dns_acl_t *a); 171170222Sdougb/*%< 172170222Sdougb * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is, 173135446Strhodes * if it contains IP addresses other than those of the local host. 174193149Sdougb * This is intended for applications such as printing warning 175135446Strhodes * messages for suspect ACLs; it is not intended for making access 176135446Strhodes * control decisions. We make no guarantee that an ACL for which 177170222Sdougb * this function returns #ISC_FALSE is safe. 178135446Strhodes */ 179135446Strhodes 180135446Strhodesisc_result_t 181135446Strhodesdns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env); 182193149Sdougb/*%< 183193149Sdougb * Initialize ACL environment, setting up localhost and localnets ACLs 184193149Sdougb */ 185135446Strhodes 186135446Strhodesvoid 187135446Strhodesdns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s); 188135446Strhodes 189135446Strhodesvoid 190135446Strhodesdns_aclenv_destroy(dns_aclenv_t *env); 191135446Strhodes 192135446Strhodesisc_result_t 193165071Sdougbdns_acl_match(const isc_netaddr_t *reqaddr, 194165071Sdougb const dns_name_t *reqsigner, 195165071Sdougb const dns_acl_t *acl, 196165071Sdougb const dns_aclenv_t *env, 197135446Strhodes int *match, 198165071Sdougb const dns_aclelement_t **matchelt); 199170222Sdougb/*%< 200135446Strhodes * General, low-level ACL matching. This is expected to 201135446Strhodes * be useful even for weird stuff like the topology and sortlist statements. 202135446Strhodes * 203135446Strhodes * Match the address 'reqaddr', and optionally the key name 'reqsigner', 204135446Strhodes * against 'acl'. 'reqsigner' may be NULL. 205135446Strhodes * 206193149Sdougb * If there is a match, '*match' will be set to an integer whose absolute 207193149Sdougb * value corresponds to the order in which the matching value was inserted 208193149Sdougb * into the ACL. For a positive match, this value will be positive; for a 209193149Sdougb * negative match, it will be negative. 210135446Strhodes * 211193149Sdougb * If there is no match, *match will be set to zero. 212135446Strhodes * 213193149Sdougb * If there is a match in the element list (either positive or negative) 214193149Sdougb * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching 215193149Sdougb * element. 216135446Strhodes * 217135446Strhodes * Returns: 218170222Sdougb *\li #ISC_R_SUCCESS Always succeeds. 219135446Strhodes */ 220135446Strhodes 221135446Strhodesisc_boolean_t 222165071Sdougbdns_aclelement_match(const isc_netaddr_t *reqaddr, 223165071Sdougb const dns_name_t *reqsigner, 224165071Sdougb const dns_aclelement_t *e, 225193149Sdougb const dns_aclenv_t *env, 226165071Sdougb const dns_aclelement_t **matchelt); 227170222Sdougb/*%< 228135446Strhodes * Like dns_acl_match, but matches against the single ACL element 'e' 229193149Sdougb * rather than a complete ACL, and returns ISC_TRUE iff it matched. 230193149Sdougb * 231193149Sdougb * To determine whether the match was positive or negative, the 232135446Strhodes * caller should examine e->negative. Since the element 'e' may be 233193149Sdougb * a reference to a named ACL or a nested ACL, a matching element 234135446Strhodes * returned through 'matchelt' is not necessarily 'e' itself. 235135446Strhodes */ 236135446Strhodes 237135446StrhodesISC_LANG_ENDDECLS 238135446Strhodes 239135446Strhodes#endif /* DNS_ACL_H */ 240