1/* 2 * Copyright (C) 2004-2007, 2009, 2011, 2012 Internet Systems Consortium, Inc. ("ISC") 3 * Copyright (C) 1999-2002 Internet Software Consortium. 4 * 5 * Permission to use, copy, modify, and/or distribute this software for any 6 * purpose with or without fee is hereby granted, provided that the above 7 * copyright notice and this permission notice appear in all copies. 8 * 9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15 * PERFORMANCE OF THIS SOFTWARE. 16 */ 17 18/* $Id$ */ 19 20#ifndef DNS_ACL_H 21#define DNS_ACL_H 1 22 23/***** 24 ***** Module Info 25 *****/ 26 27/*! \file dns/acl.h 28 * \brief 29 * Address match list handling. 30 */ 31 32/*** 33 *** Imports 34 ***/ 35 36#include <isc/lang.h> 37#include <isc/magic.h> 38#include <isc/netaddr.h> 39#include <isc/refcount.h> 40 41#include <dns/name.h> 42#include <dns/types.h> 43#include <dns/iptable.h> 44 45/*** 46 *** Types 47 ***/ 48 49typedef enum { 50 dns_aclelementtype_ipprefix, 51 dns_aclelementtype_keyname, 52 dns_aclelementtype_nestedacl, 53 dns_aclelementtype_localhost, 54 dns_aclelementtype_localnets, 55 dns_aclelementtype_any 56} dns_aclelemettype_t; 57 58typedef struct dns_aclipprefix dns_aclipprefix_t; 59 60struct dns_aclipprefix { 61 isc_netaddr_t address; /* IP4/IP6 */ 62 unsigned int prefixlen; 63}; 64 65struct dns_aclelement { 66 dns_aclelemettype_t type; 67 isc_boolean_t negative; 68 dns_name_t keyname; 69 dns_acl_t *nestedacl; 70 int node_num; 71}; 72 73struct dns_acl { 74 unsigned int magic; 75 isc_mem_t *mctx; 76 isc_refcount_t refcount; 77 dns_iptable_t *iptable; 78#define node_count iptable->radix->num_added_node 79 dns_aclelement_t *elements; 80 isc_boolean_t has_negatives; 81 unsigned int alloc; /*%< Elements allocated */ 82 unsigned int length; /*%< Elements initialized */ 83 char *name; /*%< Temporary use only */ 84 ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */ 85}; 86 87struct dns_aclenv { 88 dns_acl_t *localhost; 89 dns_acl_t *localnets; 90 isc_boolean_t match_mapped; 91}; 92 93#define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l') 94#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) 95 96/*** 97 *** Functions 98 ***/ 99 100ISC_LANG_BEGINDECLS 101 102isc_result_t 103dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target); 104/*%< 105 * Create a new ACL, including an IP table and an array with room 106 * for 'n' ACL elements. The elements are uninitialized and the 107 * length is 0. 108 */ 109 110isc_result_t 111dns_acl_any(isc_mem_t *mctx, dns_acl_t **target); 112/*%< 113 * Create a new ACL that matches everything. 114 */ 115 116isc_result_t 117dns_acl_none(isc_mem_t *mctx, dns_acl_t **target); 118/*%< 119 * Create a new ACL that matches nothing. 120 */ 121 122isc_boolean_t 123dns_acl_isany(dns_acl_t *acl); 124/*%< 125 * Test whether ACL is set to "{ any; }" 126 */ 127 128isc_boolean_t 129dns_acl_isnone(dns_acl_t *acl); 130/*%< 131 * Test whether ACL is set to "{ none; }" 132 */ 133 134isc_result_t 135dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos); 136/*%< 137 * Merge the contents of one ACL into another. Call dns_iptable_merge() 138 * for the IP tables, then concatenate the element arrays. 139 * 140 * If pos is set to false, then the nested ACL is to be negated. This 141 * means reverse the sense of each *positive* element or IP table node, 142 * but leave negatives alone, so as to prevent a double-negative causing 143 * an unexpected positive match in the parent ACL. 144 */ 145 146void 147dns_acl_attach(dns_acl_t *source, dns_acl_t **target); 148/*%< 149 * Attach to acl 'source'. 150 * 151 * Requires: 152 *\li 'source' to be a valid acl. 153 *\li 'target' to be non NULL and '*target' to be NULL. 154 */ 155 156void 157dns_acl_detach(dns_acl_t **aclp); 158/*%< 159 * Detach the acl. On final detach the acl must not be linked on any 160 * list. 161 * 162 * Requires: 163 *\li '*aclp' to be a valid acl. 164 * 165 * Insists: 166 *\li '*aclp' is not linked on final detach. 167 */ 168 169isc_boolean_t 170dns_acl_isinsecure(const dns_acl_t *a); 171/*%< 172 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is, 173 * if it contains IP addresses other than those of the local host. 174 * This is intended for applications such as printing warning 175 * messages for suspect ACLs; it is not intended for making access 176 * control decisions. We make no guarantee that an ACL for which 177 * this function returns #ISC_FALSE is safe. 178 */ 179 180isc_result_t 181dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env); 182/*%< 183 * Initialize ACL environment, setting up localhost and localnets ACLs 184 */ 185 186void 187dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s); 188 189void 190dns_aclenv_destroy(dns_aclenv_t *env); 191 192isc_result_t 193dns_acl_match(const isc_netaddr_t *reqaddr, 194 const dns_name_t *reqsigner, 195 const dns_acl_t *acl, 196 const dns_aclenv_t *env, 197 int *match, 198 const dns_aclelement_t **matchelt); 199/*%< 200 * General, low-level ACL matching. This is expected to 201 * be useful even for weird stuff like the topology and sortlist statements. 202 * 203 * Match the address 'reqaddr', and optionally the key name 'reqsigner', 204 * against 'acl'. 'reqsigner' may be NULL. 205 * 206 * If there is a match, '*match' will be set to an integer whose absolute 207 * value corresponds to the order in which the matching value was inserted 208 * into the ACL. For a positive match, this value will be positive; for a 209 * negative match, it will be negative. 210 * 211 * If there is no match, *match will be set to zero. 212 * 213 * If there is a match in the element list (either positive or negative) 214 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching 215 * element. 216 * 217 * Returns: 218 *\li #ISC_R_SUCCESS Always succeeds. 219 */ 220 221isc_boolean_t 222dns_aclelement_match(const isc_netaddr_t *reqaddr, 223 const dns_name_t *reqsigner, 224 const dns_aclelement_t *e, 225 const dns_aclenv_t *env, 226 const dns_aclelement_t **matchelt); 227/*%< 228 * Like dns_acl_match, but matches against the single ACL element 'e' 229 * rather than a complete ACL, and returns ISC_TRUE iff it matched. 230 * 231 * To determine whether the match was positive or negative, the 232 * caller should examine e->negative. Since the element 'e' may be 233 * a reference to a named ACL or a nested ACL, a matching element 234 * returned through 'matchelt' is not necessarily 'e' itself. 235 */ 236 237ISC_LANG_ENDDECLS 238 239#endif /* DNS_ACL_H */ 240