1/* $NetBSD: acl.h,v 1.1 2024/02/18 20:57:35 christos Exp $ */ 2 3/* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16#ifndef DNS_ACL_H 17#define DNS_ACL_H 1 18 19/***** 20***** Module Info 21*****/ 22 23/*! \file dns/acl.h 24 * \brief 25 * Address match list handling. 26 */ 27 28/*** 29 *** Imports 30 ***/ 31 32#include <stdbool.h> 33 34#include <isc/lang.h> 35#include <isc/magic.h> 36#include <isc/netaddr.h> 37#include <isc/refcount.h> 38 39#include <dns/geoip.h> 40#include <dns/iptable.h> 41#include <dns/name.h> 42#include <dns/types.h> 43 44/*** 45 *** Types 46 ***/ 47 48typedef enum { 49 dns_aclelementtype_ipprefix, 50 dns_aclelementtype_keyname, 51 dns_aclelementtype_nestedacl, 52 dns_aclelementtype_localhost, 53 dns_aclelementtype_localnets, 54#if defined(HAVE_GEOIP2) 55 dns_aclelementtype_geoip, 56#endif /* HAVE_GEOIP2 */ 57 dns_aclelementtype_any 58} dns_aclelementtype_t; 59 60typedef struct dns_aclipprefix dns_aclipprefix_t; 61 62struct dns_aclipprefix { 63 isc_netaddr_t address; /* IP4/IP6 */ 64 unsigned int prefixlen; 65}; 66 67struct dns_aclelement { 68 dns_aclelementtype_t type; 69 bool negative; 70 dns_name_t keyname; 71#if defined(HAVE_GEOIP2) 72 dns_geoip_elem_t geoip_elem; 73#endif /* HAVE_GEOIP2 */ 74 dns_acl_t *nestedacl; 75 int node_num; 76}; 77 78#define dns_acl_node_count(acl) acl->iptable->radix->num_added_node 79 80struct dns_acl { 81 unsigned int magic; 82 isc_mem_t *mctx; 83 isc_refcount_t refcount; 84 dns_iptable_t *iptable; 85 dns_aclelement_t *elements; 86 bool has_negatives; 87 unsigned int alloc; /*%< Elements allocated */ 88 unsigned int length; /*%< Elements initialized */ 89 char *name; /*%< Temporary use only */ 90 ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */ 91}; 92 93struct dns_aclenv { 94 dns_acl_t *localhost; 95 dns_acl_t *localnets; 96 bool match_mapped; 97#if defined(HAVE_GEOIP2) 98 dns_geoip_databases_t *geoip; 99#endif /* HAVE_GEOIP2 */ 100}; 101 102#define DNS_ACL_MAGIC ISC_MAGIC('D', 'a', 'c', 'l') 103#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) 104 105/*** 106 *** Functions 107 ***/ 108 109ISC_LANG_BEGINDECLS 110 111isc_result_t 112dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target); 113/*%< 114 * Create a new ACL, including an IP table and an array with room 115 * for 'n' ACL elements. The elements are uninitialized and the 116 * length is 0. 117 */ 118 119isc_result_t 120dns_acl_any(isc_mem_t *mctx, dns_acl_t **target); 121/*%< 122 * Create a new ACL that matches everything. 123 */ 124 125isc_result_t 126dns_acl_none(isc_mem_t *mctx, dns_acl_t **target); 127/*%< 128 * Create a new ACL that matches nothing. 129 */ 130 131bool 132dns_acl_isany(dns_acl_t *acl); 133/*%< 134 * Test whether ACL is set to "{ any; }" 135 */ 136 137bool 138dns_acl_isnone(dns_acl_t *acl); 139/*%< 140 * Test whether ACL is set to "{ none; }" 141 */ 142 143isc_result_t 144dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos); 145/*%< 146 * Merge the contents of one ACL into another. Call dns_iptable_merge() 147 * for the IP tables, then concatenate the element arrays. 148 * 149 * If pos is set to false, then the nested ACL is to be negated. This 150 * means reverse the sense of each *positive* element or IP table node, 151 * but leave negatives alone, so as to prevent a double-negative causing 152 * an unexpected positive match in the parent ACL. 153 */ 154 155void 156dns_acl_attach(dns_acl_t *source, dns_acl_t **target); 157/*%< 158 * Attach to acl 'source'. 159 * 160 * Requires: 161 *\li 'source' to be a valid acl. 162 *\li 'target' to be non NULL and '*target' to be NULL. 163 */ 164 165void 166dns_acl_detach(dns_acl_t **aclp); 167/*%< 168 * Detach the acl. On final detach the acl must not be linked on any 169 * list. 170 * 171 * Requires: 172 *\li '*aclp' to be a valid acl. 173 * 174 * Insists: 175 *\li '*aclp' is not linked on final detach. 176 */ 177 178bool 179dns_acl_isinsecure(const dns_acl_t *a); 180/*%< 181 * Return #true iff the acl 'a' is considered insecure, that is, 182 * if it contains IP addresses other than those of the local host. 183 * This is intended for applications such as printing warning 184 * messages for suspect ACLs; it is not intended for making access 185 * control decisions. We make no guarantee that an ACL for which 186 * this function returns #false is safe. 187 */ 188 189bool 190dns_acl_allowed(isc_netaddr_t *addr, const dns_name_t *signer, dns_acl_t *acl, 191 dns_aclenv_t *aclenv); 192/*%< 193 * Return #true iff the 'addr', 'signer', or ECS values are 194 * permitted by 'acl' in environment 'aclenv'. 195 */ 196 197isc_result_t 198dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env); 199/*%< 200 * Initialize ACL environment, setting up localhost and localnets ACLs 201 */ 202 203void 204dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s); 205 206void 207dns_aclenv_destroy(dns_aclenv_t *env); 208 209isc_result_t 210dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, 211 const dns_acl_t *acl, const dns_aclenv_t *env, int *match, 212 const dns_aclelement_t **matchelt); 213/*%< 214 * General, low-level ACL matching. This is expected to 215 * be useful even for weird stuff like the topology and sortlist statements. 216 * 217 * Match the address 'reqaddr', and optionally the key name 'reqsigner', 218 * against 'acl'. 'reqsigner' may be NULL. 219 * 220 * If there is a match, '*match' will be set to an integer whose absolute 221 * value corresponds to the order in which the matching value was inserted 222 * into the ACL. For a positive match, this value will be positive; for a 223 * negative match, it will be negative. 224 * 225 * If there is no match, *match will be set to zero. 226 * 227 * If there is a match in the element list (either positive or negative) 228 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching 229 * element. 230 * 231 * 'env' points to the current ACL environment, including the 232 * current values of localhost and localnets and (if applicable) 233 * the GeoIP context. 234 * 235 * Returns: 236 *\li #ISC_R_SUCCESS Always succeeds. 237 */ 238 239bool 240dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, 241 const dns_aclelement_t *e, const dns_aclenv_t *env, 242 const dns_aclelement_t **matchelt); 243/*%< 244 * Like dns_acl_match, but matches against the single ACL element 'e' 245 * rather than a complete ACL, and returns true iff it matched. 246 * 247 * To determine whether the match was positive or negative, the 248 * caller should examine e->negative. Since the element 'e' may be 249 * a reference to a named ACL or a nested ACL, a matching element 250 * returned through 'matchelt' is not necessarily 'e' itself. 251 */ 252 253ISC_LANG_ENDDECLS 254 255#endif /* DNS_ACL_H */ 256