1/*	$NetBSD$	*/
2
3/*
4 * Copyright (C) 2004-2007, 2009, 2011  Internet Systems Consortium, Inc. ("ISC")
5 * Copyright (C) 1999-2002  Internet Software Consortium.
6 *
7 * Permission to use, copy, modify, and/or distribute this software for any
8 * purpose with or without fee is hereby granted, provided that the above
9 * copyright notice and this permission notice appear in all copies.
10 *
11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 * PERFORMANCE OF THIS SOFTWARE.
18 */
19
20/* Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp  */
21
22#ifndef DNS_ACL_H
23#define DNS_ACL_H 1
24
25/*****
26 ***** Module Info
27 *****/
28
29/*! \file dns/acl.h
30 * \brief
31 * Address match list handling.
32 */
33
34/***
35 *** Imports
36 ***/
37
38#include <isc/lang.h>
39#include <isc/magic.h>
40#include <isc/netaddr.h>
41#include <isc/refcount.h>
42
43#include <dns/name.h>
44#include <dns/types.h>
45#include <dns/iptable.h>
46
47/***
48 *** Types
49 ***/
50
51typedef enum {
52	dns_aclelementtype_ipprefix,
53	dns_aclelementtype_keyname,
54	dns_aclelementtype_nestedacl,
55	dns_aclelementtype_localhost,
56	dns_aclelementtype_localnets,
57	dns_aclelementtype_any
58} dns_aclelemettype_t;
59
60typedef struct dns_aclipprefix dns_aclipprefix_t;
61
62struct dns_aclipprefix {
63	isc_netaddr_t address; /* IP4/IP6 */
64	unsigned int prefixlen;
65};
66
67struct dns_aclelement {
68	dns_aclelemettype_t	type;
69	isc_boolean_t		negative;
70	dns_name_t		keyname;
71	dns_acl_t		*nestedacl;
72	int			node_num;
73};
74
75struct dns_acl {
76	unsigned int		magic;
77	isc_mem_t		*mctx;
78	isc_refcount_t		refcount;
79	dns_iptable_t		*iptable;
80#define node_count		iptable->radix->num_added_node
81	dns_aclelement_t	*elements;
82	isc_boolean_t 		has_negatives;
83	unsigned int 		alloc;		/*%< Elements allocated */
84	unsigned int 		length;		/*%< Elements initialized */
85	char 			*name;		/*%< Temporary use only */
86	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
87};
88
89struct dns_aclenv {
90	dns_acl_t *localhost;
91	dns_acl_t *localnets;
92	isc_boolean_t match_mapped;
93};
94
95#define DNS_ACL_MAGIC		ISC_MAGIC('D','a','c','l')
96#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
97
98/***
99 *** Functions
100 ***/
101
102ISC_LANG_BEGINDECLS
103
104isc_result_t
105dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
106/*%<
107 * Create a new ACL, including an IP table and an array with room
108 * for 'n' ACL elements.  The elements are uninitialized and the
109 * length is 0.
110 */
111
112isc_result_t
113dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
114/*%<
115 * Create a new ACL that matches everything.
116 */
117
118isc_result_t
119dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
120/*%<
121 * Create a new ACL that matches nothing.
122 */
123
124isc_boolean_t
125dns_acl_isany(dns_acl_t *acl);
126/*%<
127 * Test whether ACL is set to "{ any; }"
128 */
129
130isc_boolean_t
131dns_acl_isnone(dns_acl_t *acl);
132/*%<
133 * Test whether ACL is set to "{ none; }"
134 */
135
136isc_result_t
137dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
138/*%<
139 * Merge the contents of one ACL into another.  Call dns_iptable_merge()
140 * for the IP tables, then concatenate the element arrays.
141 *
142 * If pos is set to false, then the nested ACL is to be negated.  This
143 * means reverse the sense of each *positive* element or IP table node,
144 * but leave negatives alone, so as to prevent a double-negative causing
145 * an unexpected positive match in the parent ACL.
146 */
147
148void
149dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
150/*%<
151 * Attach to acl 'source'.
152 *
153 * Requires:
154 *\li	'source' to be a valid acl.
155 *\li	'target' to be non NULL and '*target' to be NULL.
156 */
157
158void
159dns_acl_detach(dns_acl_t **aclp);
160/*%<
161 * Detach the acl. On final detach the acl must not be linked on any
162 * list.
163 *
164 * Requires:
165 *\li	'*aclp' to be a valid acl.
166 *
167 * Insists:
168 *\li	'*aclp' is not linked on final detach.
169 */
170
171isc_boolean_t
172dns_acl_isinsecure(const dns_acl_t *a);
173/*%<
174 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
175 * if it contains IP addresses other than those of the local host.
176 * This is intended for applications such as printing warning
177 * messages for suspect ACLs; it is not intended for making access
178 * control decisions.  We make no guarantee that an ACL for which
179 * this function returns #ISC_FALSE is safe.
180 */
181
182isc_result_t
183dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
184/*%<
185 * Initialize ACL environment, setting up localhost and localnets ACLs
186 */
187
188void
189dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
190
191void
192dns_aclenv_destroy(dns_aclenv_t *env);
193
194isc_result_t
195dns_acl_match(const isc_netaddr_t *reqaddr,
196	      const dns_name_t *reqsigner,
197	      const dns_acl_t *acl,
198	      const dns_aclenv_t *env,
199	      int *match,
200	      const dns_aclelement_t **matchelt);
201/*%<
202 * General, low-level ACL matching.  This is expected to
203 * be useful even for weird stuff like the topology and sortlist statements.
204 *
205 * Match the address 'reqaddr', and optionally the key name 'reqsigner',
206 * against 'acl'.  'reqsigner' may be NULL.
207 *
208 * If there is a match, '*match' will be set to an integer whose absolute
209 * value corresponds to the order in which the matching value was inserted
210 * into the ACL.  For a positive match, this value will be positive; for a
211 * negative match, it will be negative.
212 *
213 * If there is no match, *match will be set to zero.
214 *
215 * If there is a match in the element list (either positive or negative)
216 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
217 * element.
218 *
219 * Returns:
220 *\li	#ISC_R_SUCCESS		Always succeeds.
221 */
222
223isc_boolean_t
224dns_aclelement_match(const isc_netaddr_t *reqaddr,
225		     const dns_name_t *reqsigner,
226		     const dns_aclelement_t *e,
227		     const dns_aclenv_t *env,
228		     const dns_aclelement_t **matchelt);
229/*%<
230 * Like dns_acl_match, but matches against the single ACL element 'e'
231 * rather than a complete ACL, and returns ISC_TRUE iff it matched.
232 *
233 * To determine whether the match was positive or negative, the
234 * caller should examine e->negative.  Since the element 'e' may be
235 * a reference to a named ACL or a nested ACL, a matching element
236 * returned through 'matchelt' is not necessarily 'e' itself.
237 */
238
239ISC_LANG_ENDDECLS
240
241#endif /* DNS_ACL_H */
242