/* $NetBSD: rpz.h,v 1.4 2012/12/04 23:38:43 spz Exp $ */

/*
 * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 * PERFORMANCE OF THIS SOFTWARE.
 */

/* Id: rpz.h,v 1.5 2011/10/28 11:46:50 marka Exp */

/*
 * Response policy zone (RPZ) declarations: policy-zone and policy types,
 * the per-query search state, logging levels and the function interface.
 */

#ifndef DNS_RPZ_H
#define DNS_RPZ_H 1

#include <isc/lang.h>

#include <dns/fixedname.h>
#include <dns/rdata.h>
#include <dns/types.h>

ISC_LANG_BEGINDECLS

/*
 * Labels that are prefixed to a policy zone's origin to form its special
 * sub-zone names (see the nsdname and passthru members of struct
 * dns_rpz_zone below).
 */
#define DNS_RPZ_IP_ZONE		"rpz-ip"
#define DNS_RPZ_NSIP_ZONE	"rpz-nsip"
#define DNS_RPZ_NSDNAME_ZONE	"rpz-nsdname"
#define DNS_RPZ_PASSTHRU_ZONE	"rpz-passthru"

/*
 * Number of prefix bits of a CIDR (IP address) match; see the prefix
 * output of dns_rpz_cidr_find() and dns_rpz_st_t.m.prefix.
 */
typedef isc_uint8_t dns_rpz_cidr_bits_t;

/*
 * Kind of policy trigger.  DNS_RPZ_TYPE_BAD is the "no valid type" value.
 */
typedef enum {
	DNS_RPZ_TYPE_BAD,
	DNS_RPZ_TYPE_QNAME,	/* query name */
	DNS_RPZ_TYPE_IP,	/* IP address in the answer */
	DNS_RPZ_TYPE_NSDNAME,	/* name of a name server */
	DNS_RPZ_TYPE_NSIP	/* IP address of a name server */
} dns_rpz_type_t;

/*
 * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
 * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
 * policies.  The numeric values of these four are therefore given
 * explicitly and must not be reordered.
 */
typedef enum {
	DNS_RPZ_POLICY_GIVEN = 0,	/* 'given': what policy record says */
	DNS_RPZ_POLICY_DISABLED = 1,	/* 'disabled': do not apply the zone's
					 * policy.  NOTE(review): the original
					 * comment here duplicated the
					 * 'cname x' text; confirm meaning. */
	DNS_RPZ_POLICY_PASSTHRU = 2,	/* 'passthru': do not rewrite */
	DNS_RPZ_POLICY_NXDOMAIN = 3,	/* 'nxdomain': answer with NXDOMAIN */
	DNS_RPZ_POLICY_NODATA = 4,	/* 'nodata': answer with ANCOUNT=0 */
	DNS_RPZ_POLICY_CNAME = 5,	/* 'cname x': answer with x's rrsets */
	/*
	 * The remaining values carry no configuration keyword above; they
	 * appear to be internal outcomes of a policy lookup (confirm against
	 * the callers of dns_rpz_decode_cname()).
	 */
	DNS_RPZ_POLICY_RECORD,
	DNS_RPZ_POLICY_WILDCNAME,
	DNS_RPZ_POLICY_MISS,
	DNS_RPZ_POLICY_ERROR
} dns_rpz_policy_t;

/*
 * Specify a response policy zone.
 */
typedef struct dns_rpz_zone dns_rpz_zone_t;

struct dns_rpz_zone {
	ISC_LINK(dns_rpz_zone_t) link;
	int		 num;		/* ordinal in list of policy zones */
	dns_name_t	 origin;	/* Policy zone name */
	dns_name_t	 nsdname;	/* DNS_RPZ_NSDNAME_ZONE.origin */
	dns_name_t	 passthru;	/* DNS_RPZ_PASSTHRU_ZONE. */
	dns_name_t	 cname;		/* override value for ..._CNAME */
	dns_ttl_t	 max_policy_ttl; /* presumably caps the TTL of
					  * rewritten answers; see
					  * DNS_RPZ_MAX_TTL_DEFAULT */
	dns_rpz_policy_t policy;	/* DNS_RPZ_POLICY_GIVEN or override */
	isc_boolean_t	 recursive_only; /* NOTE(review): presumably restricts
					  * the zone to recursive queries --
					  * confirm in the query code */
};

/*
 * Radix trees for response policy IP addresses.
 */
typedef struct dns_rpz_cidr dns_rpz_cidr_t;

/*
 * context for finding the best policy
 */
typedef struct {
	unsigned int state;		/* bitwise OR of the DNS_RPZ_* flags */
# define DNS_RPZ_REWRITTEN	0x0001	/* response already rewritten */
# define DNS_RPZ_DONE_QNAME	0x0002	/* qname checked */
# define DNS_RPZ_DONE_QNAME_IP	0x0004	/* IP addresses of qname checked */
# define DNS_RPZ_DONE_NSDNAME	0x0008	/* NS name missed; checking addresses */
# define DNS_RPZ_DONE_IPv4	0x0010	/* IPv4 addresses checked (presumably
					 * IPv6 follows) */
# define DNS_RPZ_RECURSING	0x0020	/* recursing for NSIP or NSDNAME;
					 * see the q member below */
# define DNS_RPZ_HAVE_IP	0x0040	/* a policy zone has IP addresses */
# define DNS_RPZ_HAVE_NSIPv4	0x0080	/* IPv4 NSIP addresses */
# define DNS_RPZ_HAVE_NSIPv6	0x0100	/* IPv6 NSIP addresses */
# define DNS_RPZ_HAVE_NSDNAME	0x0200	/* NS names */
	/*
	 * Best match so far.
	 */
	struct {
		dns_rpz_type_t		type;	/* kind of trigger that matched */
		dns_rpz_zone_t		*rpz;	/* zone that supplied the match */
		dns_rpz_cidr_bits_t	prefix;	/* prefix length of an IP match */
		dns_rpz_policy_t	policy;
		dns_ttl_t		ttl;
		isc_result_t		result;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbversion_t		*version;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
	} m;
	/*
	 * State for chasing IP addresses and NS names including recursion.
	 */
	struct {
		unsigned int		label;
		dns_db_t		*db;
		dns_rdataset_t		*ns_rdataset;
		dns_rdatatype_t		r_type;
		isc_result_t		r_result;
		dns_rdataset_t		*r_rdataset;
	} r;
	/*
	 * State of real query while recursing for NSIP or NSDNAME.
	 */
	struct {
		isc_result_t		result;
		isc_boolean_t		is_zone;
		isc_boolean_t		authoritative;
		dns_zone_t		*zone;
		dns_db_t		*db;
		dns_dbnode_t		*node;
		dns_rdataset_t		*rdataset;
		dns_rdataset_t		*sigrdataset;
		dns_rdatatype_t		qtype;
	} q;
	/*
	 * qname, r_name and fname presumably point into the matching
	 * dns_fixedname_t members that follow, which supply their storage.
	 */
	dns_name_t		*qname;
	dns_name_t		*r_name;
	dns_name_t		*fname;
	dns_fixedname_t		_qnamef;
	dns_fixedname_t		_r_namef;
	dns_fixedname_t		_fnamef;
} dns_rpz_st_t;

/*
 * Default TTL of policy answers and the default value of
 * dns_rpz_zone.max_policy_ttl.
 */
#define DNS_RPZ_TTL_DEFAULT		5
#define DNS_RPZ_MAX_TTL_DEFAULT		DNS_RPZ_TTL_DEFAULT

/*
 * So various response policy zone messages can be turned up or down.
 * DNS_RPZ_DEBUG_QUIET is one level past the last debug level, i.e. a
 * level at which none of the above messages is emitted.
 */
#define DNS_RPZ_ERROR_LEVEL	ISC_LOG_WARNING
#define DNS_RPZ_INFO_LEVEL	ISC_LOG_INFO
#define DNS_RPZ_DEBUG_LEVEL1	ISC_LOG_DEBUG(1)
#define DNS_RPZ_DEBUG_LEVEL2	ISC_LOG_DEBUG(2)
#define DNS_RPZ_DEBUG_LEVEL3	ISC_LOG_DEBUG(3)
#define DNS_RPZ_DEBUG_QUIET	(DNS_RPZ_DEBUG_LEVEL3+1)

/*
 * Printable name of a trigger type.
 */
const char *
dns_rpz_type2str(dns_rpz_type_t type);

/*
 * Parse a policy keyword (the quoted names in dns_rpz_policy_t) into its
 * enum value.  NOTE(review): presumably yields DNS_RPZ_POLICY_ERROR for
 * an unrecognized string -- confirm.
 */
dns_rpz_policy_t
dns_rpz_str2policy(const char *str);

/*
 * Printable name of a policy.
 */
const char *
dns_rpz_policy2str(dns_rpz_policy_t policy);

/*
 * Record / query whether response policy processing is needed at all.
 * NOTE(review): looks like a process-wide flag; confirm how it is set.
 */
void
dns_rpz_set_need(isc_boolean_t need);

isc_boolean_t
dns_rpz_needed(void);

/*
 * Release a CIDR tree; the double pointer suggests *cidr is cleared,
 * confirm in the implementation.
 */
void
dns_rpz_cidr_free(dns_rpz_cidr_t **cidr);

/*
 * Release the response policy state attached to a view.
 */
void
dns_rpz_view_destroy(dns_view_t *view);

/*
 * Allocate a CIDR tree from mctx for the policy zone named origin and
 * return it via rbtdb_cidr.
 */
isc_result_t
dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin,
		 dns_rpz_cidr_t **rbtdb_cidr);

/*
 * Presumably sets the DNS_RPZ_HAVE_* bits of st->state according to the
 * contents of cidr -- confirm.
 */
void
dns_rpz_enabled(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st);

/*
 * Remove / add the IP address trigger encoded in name.
 */
void
dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name);

void
dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name);

/*
 * Search cidr for a trigger of kind type matching netaddr.  The remaining
 * parameters are outputs; prefix receives the length of the matching
 * prefix (canon_name and search_name semantics: confirm in the caller).
 */
isc_result_t
dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr,
		  dns_rpz_type_t type, dns_name_t *canon_name,
		  dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix);

/*
 * Map the CNAME target in rdataset to a dns_rpz_policy_t for zone rpz
 * (e.g. one of the special encodings of NXDOMAIN/NODATA/PASSTHRU).
 * NOTE(review): role of selfname not visible here -- confirm.
 */
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
		     dns_name_t *selfname);

ISC_LANG_ENDDECLS

#endif /* DNS_RPZ_H */