1135446Strhodes/*
2254897Serwin * Copyright (C) 2004-2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
3135446Strhodes * Copyright (C) 1999-2002  Internet Software Consortium.
4135446Strhodes *
5193149Sdougb * Permission to use, copy, modify, and/or distribute this software for any
6135446Strhodes * purpose with or without fee is hereby granted, provided that the above
7135446Strhodes * copyright notice and this permission notice appear in all copies.
8135446Strhodes *
9135446Strhodes * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10135446Strhodes * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11135446Strhodes * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12135446Strhodes * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13135446Strhodes * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14135446Strhodes * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15135446Strhodes * PERFORMANCE OF THIS SOFTWARE.
16135446Strhodes */
17135446Strhodes
18254897Serwin/* $Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp $ */
19135446Strhodes
20135446Strhodes#ifndef DNS_ACL_H
21135446Strhodes#define DNS_ACL_H 1
22135446Strhodes
23135446Strhodes/*****
24135446Strhodes ***** Module Info
25135446Strhodes *****/
26135446Strhodes
27193149Sdougb/*! \file dns/acl.h
28170222Sdougb * \brief
29135446Strhodes * Address match list handling.
30135446Strhodes */
31135446Strhodes
32135446Strhodes/***
33135446Strhodes *** Imports
34135446Strhodes ***/
35135446Strhodes
36135446Strhodes#include <isc/lang.h>
37135446Strhodes#include <isc/magic.h>
38135446Strhodes#include <isc/netaddr.h>
39135446Strhodes#include <isc/refcount.h>
40135446Strhodes
41135446Strhodes#include <dns/name.h>
42135446Strhodes#include <dns/types.h>
43193149Sdougb#include <dns/iptable.h>
44135446Strhodes
45135446Strhodes/***
46135446Strhodes *** Types
47135446Strhodes ***/
48135446Strhodes
49135446Strhodestypedef enum {
50135446Strhodes	dns_aclelementtype_ipprefix,
51135446Strhodes	dns_aclelementtype_keyname,
52135446Strhodes	dns_aclelementtype_nestedacl,
53135446Strhodes	dns_aclelementtype_localhost,
54135446Strhodes	dns_aclelementtype_localnets,
55135446Strhodes	dns_aclelementtype_any
56135446Strhodes} dns_aclelemettype_t;
57135446Strhodes
58135446Strhodestypedef struct dns_aclipprefix dns_aclipprefix_t;
59135446Strhodes
60135446Strhodesstruct dns_aclipprefix {
61135446Strhodes	isc_netaddr_t address; /* IP4/IP6 */
62135446Strhodes	unsigned int prefixlen;
63135446Strhodes};
64135446Strhodes
65135446Strhodesstruct dns_aclelement {
66193149Sdougb	dns_aclelemettype_t	type;
67193149Sdougb	isc_boolean_t		negative;
68193149Sdougb	dns_name_t		keyname;
69193149Sdougb	dns_acl_t		*nestedacl;
70193149Sdougb	int			node_num;
71135446Strhodes};
72135446Strhodes
73135446Strhodesstruct dns_acl {
74135446Strhodes	unsigned int		magic;
75135446Strhodes	isc_mem_t		*mctx;
76135446Strhodes	isc_refcount_t		refcount;
77193149Sdougb	dns_iptable_t		*iptable;
78193149Sdougb#define node_count		iptable->radix->num_added_node
79135446Strhodes	dns_aclelement_t	*elements;
80193149Sdougb	isc_boolean_t 		has_negatives;
81170222Sdougb	unsigned int 		alloc;		/*%< Elements allocated */
82170222Sdougb	unsigned int 		length;		/*%< Elements initialized */
83170222Sdougb	char 			*name;		/*%< Temporary use only */
84170222Sdougb	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
85135446Strhodes};
86135446Strhodes
87135446Strhodesstruct dns_aclenv {
88135446Strhodes	dns_acl_t *localhost;
89135446Strhodes	dns_acl_t *localnets;
90135446Strhodes	isc_boolean_t match_mapped;
91135446Strhodes};
92135446Strhodes
93135446Strhodes#define DNS_ACL_MAGIC		ISC_MAGIC('D','a','c','l')
94135446Strhodes#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
95135446Strhodes
96135446Strhodes/***
97135446Strhodes *** Functions
98135446Strhodes ***/
99135446Strhodes
100135446StrhodesISC_LANG_BEGINDECLS
101135446Strhodes
102135446Strhodesisc_result_t
103135446Strhodesdns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
104170222Sdougb/*%<
105193149Sdougb * Create a new ACL, including an IP table and an array with room
106193149Sdougb * for 'n' ACL elements.  The elements are uninitialized and the
107193149Sdougb * length is 0.
108135446Strhodes */
109135446Strhodes
110135446Strhodesisc_result_t
111135446Strhodesdns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
112170222Sdougb/*%<
113135446Strhodes * Create a new ACL that matches everything.
114135446Strhodes */
115135446Strhodes
116135446Strhodesisc_result_t
117135446Strhodesdns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
118170222Sdougb/*%<
119135446Strhodes * Create a new ACL that matches nothing.
120135446Strhodes */
121135446Strhodes
122193149Sdougbisc_boolean_t
123193149Sdougbdns_acl_isany(dns_acl_t *acl);
124193149Sdougb/*%<
125193149Sdougb * Test whether ACL is set to "{ any; }"
126193149Sdougb */
127193149Sdougb
128193149Sdougbisc_boolean_t
129193149Sdougbdns_acl_isnone(dns_acl_t *acl);
130193149Sdougb/*%<
131193149Sdougb * Test whether ACL is set to "{ none; }"
132193149Sdougb */
133193149Sdougb
134193149Sdougbisc_result_t
135193149Sdougbdns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
136193149Sdougb/*%<
137193149Sdougb * Merge the contents of one ACL into another.  Call dns_iptable_merge()
138193149Sdougb * for the IP tables, then concatenate the element arrays.
139193149Sdougb *
140193149Sdougb * If pos is set to false, then the nested ACL is to be negated.  This
141193149Sdougb * means reverse the sense of each *positive* element or IP table node,
142193149Sdougb * but leave negatives alone, so as to prevent a double-negative causing
143193149Sdougb * an unexpected positive match in the parent ACL.
144193149Sdougb */
145193149Sdougb
146135446Strhodesvoid
147135446Strhodesdns_acl_attach(dns_acl_t *source, dns_acl_t **target);
148225361Sdougb/*%<
149225361Sdougb * Attach to acl 'source'.
150225361Sdougb *
151225361Sdougb * Requires:
152225361Sdougb *\li	'source' to be a valid acl.
153225361Sdougb *\li	'target' to be non NULL and '*target' to be NULL.
154225361Sdougb */
155135446Strhodes
156135446Strhodesvoid
157135446Strhodesdns_acl_detach(dns_acl_t **aclp);
158225361Sdougb/*%<
159225361Sdougb * Detach the acl. On final detach the acl must not be linked on any
160225361Sdougb * list.
161225361Sdougb *
162225361Sdougb * Requires:
163225361Sdougb *\li	'*aclp' to be a valid acl.
164225361Sdougb *
165225361Sdougb * Insists:
166225361Sdougb *\li	'*aclp' is not linked on final detach.
167225361Sdougb */
168135446Strhodes
169135446Strhodesisc_boolean_t
170165071Sdougbdns_acl_isinsecure(const dns_acl_t *a);
171170222Sdougb/*%<
172170222Sdougb * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
173135446Strhodes * if it contains IP addresses other than those of the local host.
174193149Sdougb * This is intended for applications such as printing warning
175135446Strhodes * messages for suspect ACLs; it is not intended for making access
176135446Strhodes * control decisions.  We make no guarantee that an ACL for which
177170222Sdougb * this function returns #ISC_FALSE is safe.
178135446Strhodes */
179135446Strhodes
180135446Strhodesisc_result_t
181135446Strhodesdns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
182193149Sdougb/*%<
183193149Sdougb * Initialize ACL environment, setting up localhost and localnets ACLs
184193149Sdougb */
185135446Strhodes
186135446Strhodesvoid
187135446Strhodesdns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
188135446Strhodes
189135446Strhodesvoid
190135446Strhodesdns_aclenv_destroy(dns_aclenv_t *env);
191135446Strhodes
192135446Strhodesisc_result_t
193165071Sdougbdns_acl_match(const isc_netaddr_t *reqaddr,
194165071Sdougb	      const dns_name_t *reqsigner,
195165071Sdougb	      const dns_acl_t *acl,
196165071Sdougb	      const dns_aclenv_t *env,
197135446Strhodes	      int *match,
198165071Sdougb	      const dns_aclelement_t **matchelt);
199170222Sdougb/*%<
200135446Strhodes * General, low-level ACL matching.  This is expected to
201135446Strhodes * be useful even for weird stuff like the topology and sortlist statements.
202135446Strhodes *
203135446Strhodes * Match the address 'reqaddr', and optionally the key name 'reqsigner',
204135446Strhodes * against 'acl'.  'reqsigner' may be NULL.
205135446Strhodes *
206193149Sdougb * If there is a match, '*match' will be set to an integer whose absolute
207193149Sdougb * value corresponds to the order in which the matching value was inserted
208193149Sdougb * into the ACL.  For a positive match, this value will be positive; for a
209193149Sdougb * negative match, it will be negative.
210135446Strhodes *
211193149Sdougb * If there is no match, *match will be set to zero.
212135446Strhodes *
213193149Sdougb * If there is a match in the element list (either positive or negative)
214193149Sdougb * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
215193149Sdougb * element.
216135446Strhodes *
217135446Strhodes * Returns:
218170222Sdougb *\li	#ISC_R_SUCCESS		Always succeeds.
219135446Strhodes */
220135446Strhodes
221135446Strhodesisc_boolean_t
222165071Sdougbdns_aclelement_match(const isc_netaddr_t *reqaddr,
223165071Sdougb		     const dns_name_t *reqsigner,
224165071Sdougb		     const dns_aclelement_t *e,
225193149Sdougb		     const dns_aclenv_t *env,
226165071Sdougb		     const dns_aclelement_t **matchelt);
227170222Sdougb/*%<
228135446Strhodes * Like dns_acl_match, but matches against the single ACL element 'e'
229193149Sdougb * rather than a complete ACL, and returns ISC_TRUE iff it matched.
230193149Sdougb *
231193149Sdougb * To determine whether the match was positive or negative, the
232135446Strhodes * caller should examine e->negative.  Since the element 'e' may be
233193149Sdougb * a reference to a named ACL or a nested ACL, a matching element
234135446Strhodes * returned through 'matchelt' is not necessarily 'e' itself.
235135446Strhodes */
236135446Strhodes
237135446StrhodesISC_LANG_ENDDECLS
238135446Strhodes
239135446Strhodes#endif /* DNS_ACL_H */
240