1/*
2 * Copyright (C) 2004-2007, 2009, 2011, 2012  Internet Systems Consortium, Inc. ("ISC")
3 * Copyright (C) 1999-2002  Internet Software Consortium.
4 *
5 * Permission to use, copy, modify, and/or distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 * PERFORMANCE OF THIS SOFTWARE.
16 */
17
18/* $Id$ */
19
20#ifndef DNS_ACL_H
21#define DNS_ACL_H 1
22
23/*****
24 ***** Module Info
25 *****/
26
27/*! \file dns/acl.h
28 * \brief
29 * Address match list handling.
30 */
31
32/***
33 *** Imports
34 ***/
35
36#include <isc/lang.h>
37#include <isc/magic.h>
38#include <isc/netaddr.h>
39#include <isc/refcount.h>
40
41#include <dns/name.h>
42#include <dns/types.h>
43#include <dns/iptable.h>
44
45/***
46 *** Types
47 ***/
48
49typedef enum {
50	dns_aclelementtype_ipprefix,
51	dns_aclelementtype_keyname,
52	dns_aclelementtype_nestedacl,
53	dns_aclelementtype_localhost,
54	dns_aclelementtype_localnets,
55	dns_aclelementtype_any
56} dns_aclelemettype_t;
57
58typedef struct dns_aclipprefix dns_aclipprefix_t;
59
60struct dns_aclipprefix {
61	isc_netaddr_t address; /* IP4/IP6 */
62	unsigned int prefixlen;
63};
64
65struct dns_aclelement {
66	dns_aclelemettype_t	type;
67	isc_boolean_t		negative;
68	dns_name_t		keyname;
69	dns_acl_t		*nestedacl;
70	int			node_num;
71};
72
73struct dns_acl {
74	unsigned int		magic;
75	isc_mem_t		*mctx;
76	isc_refcount_t		refcount;
77	dns_iptable_t		*iptable;
78#define node_count		iptable->radix->num_added_node
79	dns_aclelement_t	*elements;
80	isc_boolean_t 		has_negatives;
81	unsigned int 		alloc;		/*%< Elements allocated */
82	unsigned int 		length;		/*%< Elements initialized */
83	char 			*name;		/*%< Temporary use only */
84	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
85};
86
87struct dns_aclenv {
88	dns_acl_t *localhost;
89	dns_acl_t *localnets;
90	isc_boolean_t match_mapped;
91};
92
93#define DNS_ACL_MAGIC		ISC_MAGIC('D','a','c','l')
94#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
95
96/***
97 *** Functions
98 ***/
99
100ISC_LANG_BEGINDECLS
101
102isc_result_t
103dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
104/*%<
105 * Create a new ACL, including an IP table and an array with room
106 * for 'n' ACL elements.  The elements are uninitialized and the
107 * length is 0.
108 */
109
110isc_result_t
111dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
112/*%<
113 * Create a new ACL that matches everything.
114 */
115
116isc_result_t
117dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
118/*%<
119 * Create a new ACL that matches nothing.
120 */
121
122isc_boolean_t
123dns_acl_isany(dns_acl_t *acl);
124/*%<
125 * Test whether ACL is set to "{ any; }"
126 */
127
128isc_boolean_t
129dns_acl_isnone(dns_acl_t *acl);
130/*%<
131 * Test whether ACL is set to "{ none; }"
132 */
133
134isc_result_t
135dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
136/*%<
137 * Merge the contents of one ACL into another.  Call dns_iptable_merge()
138 * for the IP tables, then concatenate the element arrays.
139 *
140 * If pos is set to false, then the nested ACL is to be negated.  This
141 * means reverse the sense of each *positive* element or IP table node,
142 * but leave negatives alone, so as to prevent a double-negative causing
143 * an unexpected positive match in the parent ACL.
144 */
145
146void
147dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
148/*%<
149 * Attach to acl 'source'.
150 *
151 * Requires:
152 *\li	'source' to be a valid acl.
153 *\li	'target' to be non NULL and '*target' to be NULL.
154 */
155
156void
157dns_acl_detach(dns_acl_t **aclp);
158/*%<
159 * Detach the acl. On final detach the acl must not be linked on any
160 * list.
161 *
162 * Requires:
163 *\li	'*aclp' to be a valid acl.
164 *
165 * Insists:
166 *\li	'*aclp' is not linked on final detach.
167 */
168
169isc_boolean_t
170dns_acl_isinsecure(const dns_acl_t *a);
171/*%<
172 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
173 * if it contains IP addresses other than those of the local host.
174 * This is intended for applications such as printing warning
175 * messages for suspect ACLs; it is not intended for making access
176 * control decisions.  We make no guarantee that an ACL for which
177 * this function returns #ISC_FALSE is safe.
178 */
179
180isc_result_t
181dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
182/*%<
183 * Initialize ACL environment, setting up localhost and localnets ACLs
184 */
185
186void
187dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
188
189void
190dns_aclenv_destroy(dns_aclenv_t *env);
191
192isc_result_t
193dns_acl_match(const isc_netaddr_t *reqaddr,
194	      const dns_name_t *reqsigner,
195	      const dns_acl_t *acl,
196	      const dns_aclenv_t *env,
197	      int *match,
198	      const dns_aclelement_t **matchelt);
199/*%<
200 * General, low-level ACL matching.  This is expected to
201 * be useful even for weird stuff like the topology and sortlist statements.
202 *
203 * Match the address 'reqaddr', and optionally the key name 'reqsigner',
204 * against 'acl'.  'reqsigner' may be NULL.
205 *
206 * If there is a match, '*match' will be set to an integer whose absolute
207 * value corresponds to the order in which the matching value was inserted
208 * into the ACL.  For a positive match, this value will be positive; for a
209 * negative match, it will be negative.
210 *
211 * If there is no match, *match will be set to zero.
212 *
213 * If there is a match in the element list (either positive or negative)
214 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
215 * element.
216 *
217 * Returns:
218 *\li	#ISC_R_SUCCESS		Always succeeds.
219 */
220
221isc_boolean_t
222dns_aclelement_match(const isc_netaddr_t *reqaddr,
223		     const dns_name_t *reqsigner,
224		     const dns_aclelement_t *e,
225		     const dns_aclenv_t *env,
226		     const dns_aclelement_t **matchelt);
227/*%<
228 * Like dns_acl_match, but matches against the single ACL element 'e'
229 * rather than a complete ACL, and returns ISC_TRUE iff it matched.
230 *
231 * To determine whether the match was positive or negative, the
232 * caller should examine e->negative.  Since the element 'e' may be
233 * a reference to a named ACL or a nested ACL, a matching element
234 * returned through 'matchelt' is not necessarily 'e' itself.
235 */
236
237ISC_LANG_ENDDECLS
238
239#endif /* DNS_ACL_H */
240