1/* $NetBSD$ */ 2 3/* 4 * Copyright (C) 2004-2007, 2009, 2011 Internet Systems Consortium, Inc. ("ISC") 5 * Copyright (C) 1999-2002 Internet Software Consortium. 6 * 7 * Permission to use, copy, modify, and/or distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17 * PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20/* Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp */ 21 22#ifndef DNS_ACL_H 23#define DNS_ACL_H 1 24 25/***** 26 ***** Module Info 27 *****/ 28 29/*! \file dns/acl.h 30 * \brief 31 * Address match list handling. 32 */ 33 34/*** 35 *** Imports 36 ***/ 37 38#include <isc/lang.h> 39#include <isc/magic.h> 40#include <isc/netaddr.h> 41#include <isc/refcount.h> 42 43#include <dns/name.h> 44#include <dns/types.h> 45#include <dns/iptable.h> 46 47/*** 48 *** Types 49 ***/ 50 51typedef enum { 52 dns_aclelementtype_ipprefix, 53 dns_aclelementtype_keyname, 54 dns_aclelementtype_nestedacl, 55 dns_aclelementtype_localhost, 56 dns_aclelementtype_localnets, 57 dns_aclelementtype_any 58} dns_aclelemettype_t; 59 60typedef struct dns_aclipprefix dns_aclipprefix_t; 61 62struct dns_aclipprefix { 63 isc_netaddr_t address; /* IP4/IP6 */ 64 unsigned int prefixlen; 65}; 66 67struct dns_aclelement { 68 dns_aclelemettype_t type; 69 isc_boolean_t negative; 70 dns_name_t keyname; 71 dns_acl_t *nestedacl; 72 int node_num; 73}; 74 75struct dns_acl { 76 unsigned int magic; 77 isc_mem_t *mctx; 78 isc_refcount_t refcount; 79 dns_iptable_t *iptable; 80#define node_count iptable->radix->num_added_node 81 dns_aclelement_t *elements; 82 isc_boolean_t has_negatives; 83 unsigned int alloc; /*%< Elements allocated */ 84 unsigned int length; /*%< Elements initialized */ 85 char *name; /*%< Temporary use only */ 86 ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */ 87}; 88 89struct dns_aclenv { 90 dns_acl_t *localhost; 91 dns_acl_t *localnets; 92 isc_boolean_t match_mapped; 93}; 94 95#define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l') 96#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) 97 98/*** 99 *** Functions 100 ***/ 101 102ISC_LANG_BEGINDECLS 103 104isc_result_t 105dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target); 106/*%< 107 * Create a new ACL, including an IP table and an array with room 108 * for 'n' ACL elements. The elements are uninitialized and the 109 * length is 0. 110 */ 111 112isc_result_t 113dns_acl_any(isc_mem_t *mctx, dns_acl_t **target); 114/*%< 115 * Create a new ACL that matches everything. 116 */ 117 118isc_result_t 119dns_acl_none(isc_mem_t *mctx, dns_acl_t **target); 120/*%< 121 * Create a new ACL that matches nothing. 122 */ 123 124isc_boolean_t 125dns_acl_isany(dns_acl_t *acl); 126/*%< 127 * Test whether ACL is set to "{ any; }" 128 */ 129 130isc_boolean_t 131dns_acl_isnone(dns_acl_t *acl); 132/*%< 133 * Test whether ACL is set to "{ none; }" 134 */ 135 136isc_result_t 137dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos); 138/*%< 139 * Merge the contents of one ACL into another. Call dns_iptable_merge() 140 * for the IP tables, then concatenate the element arrays. 141 * 142 * If pos is set to false, then the nested ACL is to be negated. This 143 * means reverse the sense of each *positive* element or IP table node, 144 * but leave negatives alone, so as to prevent a double-negative causing 145 * an unexpected positive match in the parent ACL. 146 */ 147 148void 149dns_acl_attach(dns_acl_t *source, dns_acl_t **target); 150/*%< 151 * Attach to acl 'source'. 152 * 153 * Requires: 154 *\li 'source' to be a valid acl. 155 *\li 'target' to be non NULL and '*target' to be NULL. 156 */ 157 158void 159dns_acl_detach(dns_acl_t **aclp); 160/*%< 161 * Detach the acl. On final detach the acl must not be linked on any 162 * list. 163 * 164 * Requires: 165 *\li '*aclp' to be a valid acl. 166 * 167 * Insists: 168 *\li '*aclp' is not linked on final detach. 169 */ 170 171isc_boolean_t 172dns_acl_isinsecure(const dns_acl_t *a); 173/*%< 174 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is, 175 * if it contains IP addresses other than those of the local host. 176 * This is intended for applications such as printing warning 177 * messages for suspect ACLs; it is not intended for making access 178 * control decisions. We make no guarantee that an ACL for which 179 * this function returns #ISC_FALSE is safe. 180 */ 181 182isc_result_t 183dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env); 184/*%< 185 * Initialize ACL environment, setting up localhost and localnets ACLs 186 */ 187 188void 189dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s); 190 191void 192dns_aclenv_destroy(dns_aclenv_t *env); 193 194isc_result_t 195dns_acl_match(const isc_netaddr_t *reqaddr, 196 const dns_name_t *reqsigner, 197 const dns_acl_t *acl, 198 const dns_aclenv_t *env, 199 int *match, 200 const dns_aclelement_t **matchelt); 201/*%< 202 * General, low-level ACL matching. This is expected to 203 * be useful even for weird stuff like the topology and sortlist statements. 204 * 205 * Match the address 'reqaddr', and optionally the key name 'reqsigner', 206 * against 'acl'. 'reqsigner' may be NULL. 207 * 208 * If there is a match, '*match' will be set to an integer whose absolute 209 * value corresponds to the order in which the matching value was inserted 210 * into the ACL. For a positive match, this value will be positive; for a 211 * negative match, it will be negative. 212 * 213 * If there is no match, *match will be set to zero. 214 * 215 * If there is a match in the element list (either positive or negative) 216 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching 217 * element. 218 * 219 * Returns: 220 *\li #ISC_R_SUCCESS Always succeeds. 221 */ 222 223isc_boolean_t 224dns_aclelement_match(const isc_netaddr_t *reqaddr, 225 const dns_name_t *reqsigner, 226 const dns_aclelement_t *e, 227 const dns_aclenv_t *env, 228 const dns_aclelement_t **matchelt); 229/*%< 230 * Like dns_acl_match, but matches against the single ACL element 'e' 231 * rather than a complete ACL, and returns ISC_TRUE iff it matched. 232 * 233 * To determine whether the match was positive or negative, the 234 * caller should examine e->negative. Since the element 'e' may be 235 * a reference to a named ACL or a nested ACL, a matching element 236 * returned through 'matchelt' is not necessarily 'e' itself. 237 */ 238 239ISC_LANG_ENDDECLS 240 241#endif /* DNS_ACL_H */ 242