/*
 * options.h -- nsd.conf options definitions and prototypes
 *
 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 *
 */

/*
 * This header declares the in-memory representation of nsd.conf (global
 * options, zone patterns, zone entries, ACLs, TSIG keys, TLS auth blocks)
 * and the parsing / lookup / ACL-matching API implemented in options.c.
 *
 * NOTE(review): several types used below (FILE, off_t, time_t, uint*_t,
 * struct in_addr / in6_addr, struct sockaddr) and the ATTR_PACKED /
 * ATTR_FORMAT macros are not included or defined here; the translation
 * unit is expected to have pulled in config.h and the system headers
 * before this file -- confirm against the including .c files.
 */

#ifndef OPTIONS_H
#define OPTIONS_H

#include <stdarg.h>
#include "region-allocator.h"
#include "rbtree.h"

/* Opaque types referenced only through pointers; defined elsewhere. */
struct query;
struct dname;
struct tsig_key;
struct buffer;
struct nsd;
struct proxy_protocol_port_list;


typedef struct nsd_options nsd_options_type;
typedef struct pattern_options pattern_options_type;
typedef struct zone_options zone_options_type;
typedef struct range_option range_option_type;
typedef struct ip_address_option ip_address_option_type;
typedef struct cpu_option cpu_option_type;
typedef struct cpu_map_option cpu_map_option_type;
typedef struct acl_options acl_options_type;
typedef struct key_options key_options_type;
typedef struct tls_auth_options tls_auth_options_type;
typedef struct config_parser_state config_parser_state_type;

/*
 * Sentinel values stored in a pattern to mean "not set here, inherit the
 * global (nsd_options) value".  They are chosen outside the range of the
 * real on/off values of the field they apply to (presumably 0/1 for the
 * verify settings), so a test against the sentinel is unambiguous.
 */
#define VERIFY_ZONE_INHERIT (2)
#define VERIFIER_FEED_ZONE_INHERIT (2)
#define VERIFIER_TIMEOUT_INHERIT (-1)
/* Catalog zone role of a pattern (pattern_options.catalog_role). */
#define CATALOG_ROLE_INHERIT (0)
#define CATALOG_ROLE_CONSUMER (1)
#define CATALOG_ROLE_PRODUCER (2)

/*
 * Options global for nsd.
 *
 * One instance is created by nsd_options_create() and filled by
 * parse_options_file().  All strings and sub-structures are allocated
 * from the `region` member; nsd_options_destroy() releases them.
 */
struct nsd_options {
	/* config file name */
	char* configfile;
	/* options for zones, by apex, contains zone_options */
	rbtree_type* zone_options;
	/* patterns, by name, contains pattern_options */
	rbtree_type* patterns;

	/* free space in zonelist file, contains zonelist_bucket */
	rbtree_type* zonefree;
	/* number of free space lines in zonelist file */
	size_t zonefree_number;
	/* zonelist file if open */
	FILE* zonelist;
	/* last offset in file (or 0 if none) */
	off_t zonelist_off;

	/* tree of zonestat names and their id values, entries are struct
	 * zonestatname with malloced key=stringname. The number of items
	 * is the max statnameid, no items are freed from this.
	 * kept correct in the xfrd process, and on startup. */
	rbtree_type* zonestatnames;

	/* rbtree of keys defined, by name (TSIG secrets, see key_options) */
	rbtree_type* keys;

	/* rbtree of tls_auth defined, by name */
	rbtree_type* tls_auths;

	/* list of ip addresses to bind to (or NULL for all) */
	struct ip_address_option* ip_addresses;

	/* socket options for the listening sockets */
	int ip_transparent;
	int ip_freebind;
	int send_buffer_size;
	int receive_buffer_size;
	int debug_mode;
	int verbosity;
	/* information-disclosure controls: when set, the server does not
	 * reveal its version / identity (name-based reading; the exact
	 * query types affected are decided in the query code). */
	int hide_version;
	int hide_identity;
	/* if set, dynamic UPDATE messages are dropped rather than refused
	 * -- presumably; confirm against the query handling code. */
	int drop_updates;
	int do_ip4;
	int do_ip6;
	/* values served for identity/version when not hidden */
	const char* identity;
	const char* version;
	const char* logfile;
	int log_only_syslog;
	int server_count;
	struct cpu_option* cpu_affinity;
	struct cpu_map_option* service_cpu_affinity;
	/* TCP resource limits; tcp_reject_overflow presumably controls what
	 * happens when tcp_count is exhausted (refuse vs. queue) */
	int tcp_count;
	int tcp_reject_overflow;
	int confine_to_zone;
	int tcp_query_count;
	int tcp_timeout;
	int tcp_mss;
	int outgoing_tcp_mss;
	/* EDNS buffer sizes advertised for UDP answers */
	size_t ipv4_edns_size;
	size_t ipv6_edns_size;
	const char* pidfile;
	const char* port;
	int statistics;
	/* privilege-separation settings applied at startup (name-based) */
	const char* chroot;
	const char* username;
	const char* zonesdir;
	const char* xfrdfile;
	const char* xfrdir;
	const char* zonelistfile;
	const char* nsid;
	int xfrd_reload_timeout;
	int zonefiles_check;
	int zonefiles_write;
	int log_time_ascii;
	int round_robin;
	int minimal_responses;
	/* if set, ANY queries are refused (name-based; see query code) */
	int refuse_any;
	int reuseport;
	/* max number of xfrd tcp sockets */
	int xfrd_tcp_max;
	/* max number of simultaneous requests on xfrd tcp socket */
	int xfrd_tcp_pipeline;

	/* private key file for TLS -- path to secret key material */
	char* tls_service_key;
	/* ocsp stapling file for TLS */
	char* tls_service_ocsp;
	/* certificate file for TLS */
	char* tls_service_pem;
	/* TLS dedicated port */
	const char* tls_port;
	/* TLS certificate bundle */
	const char* tls_cert_bundle;

	/* proxy protocol port list: listening ports on which a PROXY
	 * protocol header is expected (see sockaddr_uses_proxy_protocol_port) */
	struct proxy_protocol_port_list* proxy_protocol_port;

	/** remote control section. enable toggle. */
	int control_enable;
	/** the interfaces the remote control should listen on */
	struct ip_address_option* control_interface;
	/** port number for the control port */
	int control_port;
	/** private key file for server */
	char* server_key_file;
	/** certificate file for server */
	char* server_cert_file;
	/** private key file for nsd-control */
	char* control_key_file;
	/** certificate file for nsd-control */
	char* control_cert_file;

#ifdef RATELIMIT
	/** number of buckets in rrl hashtable */
	size_t rrl_size;
	/** max qps for queries, 0 is nolimit */
	size_t rrl_ratelimit;
	/** ratio of slipped responses, 0 is noslip */
	size_t rrl_slip;
	/** ip prefix length used to aggregate clients into one bucket */
	size_t rrl_ipv4_prefix_length;
	size_t rrl_ipv6_prefix_length;
	/** max qps for whitelisted queries, 0 is nolimit */
	size_t rrl_whitelist_ratelimit;
#endif
	/** if dnstap is enabled */
	int dnstap_enable;
	/** dnstap socket path */
	char* dnstap_socket_path;
	/** dnstap IP, if "", it uses socket path. */
	char* dnstap_ip;
	/** dnstap TLS enable */
	int dnstap_tls;
	/** dnstap tls server authentication name */
	char* dnstap_tls_server_name;
	/** dnstap server cert bundle */
	char* dnstap_tls_cert_bundle;
	/** dnstap client key for client authentication (path to private key) */
	char* dnstap_tls_client_key_file;
	/** dnstap client cert for client authentication */
	char* dnstap_tls_client_cert_file;
	/** true to send "identity" via dnstap */
	int dnstap_send_identity;
	/** true to send "version" via dnstap */
	int dnstap_send_version;
	/** dnstap "identity", hostname is used if "". */
	char* dnstap_identity;
	/** dnstap "version", package version is used if "". */
	char* dnstap_version;
	/** true to log dnstap AUTH_QUERY message events */
	int dnstap_log_auth_query_messages;
	/** true to log dnstap AUTH_RESPONSE message events */
	int dnstap_log_auth_response_messages;

	/** do answer with server cookie when request contained cookie option */
	int answer_cookie;
	/** cookie secret (DNS cookie server secret).  NOTE(review): this is
	 * secret material held in a plain region string; whether it is
	 * zeroized on destroy/reload is decided in options.c -- verify. */
	char *cookie_secret;
	/** path to cookie secret store */
	char const* cookie_secret_file;
	/** enable verify */
	int verify_enable;
	/** list of ip addresses used to serve zones for verification */
	struct ip_address_option* verify_ip_addresses;
	/** default port 5347 */
	char *verify_port;
	/** verify zones by default */
	int verify_zones;
	/** default command to verify zones with; argv-style NULL-terminated
	 * vector (presumably) of an external program that is executed, so
	 * this is a configuration-controlled command line */
	char **verifier;
	/** maximum number of verifiers that may run simultaneously */
	int verifier_count;
	/** whether or not to feed the zone to the verifier over stdin */
	uint8_t verifier_feed_zone;
	/** maximum number of seconds that a verifier may take */
	uint32_t verifier_timeout;

	/* allocator owning everything referenced from this struct */
	region_type* region;
};

/* Inclusive integer range (e.g. server numbers), singly linked. */
struct range_option {
	struct range_option* next;
	int first;
	int last;
};

/* One "ip-address:" (or "interface:") entry and its per-entry settings. */
struct ip_address_option {
	struct ip_address_option* next;
	/* textual address; interface names are turned into addresses by
	 * resolve_interface_names() */
	char* address;
	/* server numbers this address is served by, or NULL for all */
	struct range_option* servers;
	int dev;
	int fib;
};

/* Single CPU number in a cpu-affinity list. */
struct cpu_option {
	struct cpu_option* next;
	int cpu;
};

/* Mapping of a service (server number) to a CPU. */
struct cpu_map_option {
	struct cpu_map_option* next;
	int service;
	int cpu;
};

/*
 * Defines for min_expire_time_expr value
 */
#define EXPIRE_TIME_HAS_VALUE 0
#define EXPIRE_TIME_IS_DEFAULT 1
#define REFRESHPLUSRETRYPLUS1 2
#define REFRESHPLUSRETRYPLUS1_STR "refresh+retry+1"
/* true unless x is one of the two explicit settings (HAS_VALUE or
 * REFRESHPLUSRETRYPLUS1); any other value, including
 * EXPIRE_TIME_IS_DEFAULT, is treated as "default". */
#define expire_time_is_default(x) (!( (x) == REFRESHPLUSRETRYPLUS1 \
	|| (x) == EXPIRE_TIME_HAS_VALUE ))


/*
 * Pattern of zone options, used to contain options for zone(s).
 *
 * Patterns are keyed by pname in nsd_options.patterns.  The *_is_default
 * flags record whether a field was set explicitly or still carries the
 * default, which config_apply_pattern() needs when layering patterns.
 *
 * NOTE(review): this struct is serialized by pattern_options_marshal() /
 * pattern_options_unmarshal() and compared by pattern_options_equal();
 * when adding a field keep those three in sync.  It is also ATTR_PACKED
 * while holding pointer members, so on strict-alignment targets member
 * access may be misaligned -- existing behaviour, flagged only.
 */
struct pattern_options {
	rbnode_type node;
	const char* pname; /* name of the pattern, key of rbtree */
	const char* zonefile;
	/* ACLs: who may NOTIFY us, whom we request transfers from, whom we
	 * notify, who may transfer from us, who may query, and which local
	 * interface outgoing connections use */
	struct acl_options* allow_notify;
	struct acl_options* request_xfr;
	struct acl_options* notify;
	struct acl_options* provide_xfr;
	struct acl_options* allow_query;
	struct acl_options* outgoing_interface;
	const char* zonestats;
#ifdef RATELIMIT
	uint16_t rrl_whitelist; /* bitmap with rrl types */
#endif
	uint8_t allow_axfr_fallback;
	uint8_t allow_axfr_fallback_is_default;
	uint8_t notify_retry;
	uint8_t notify_retry_is_default;
	uint8_t implicit; /* pattern is implicit, part_of_config zone used */
	uint8_t xfrd_flags;
	uint32_t max_refresh_time;
	uint8_t max_refresh_time_is_default;
	uint32_t min_refresh_time;
	uint8_t min_refresh_time_is_default;
	uint32_t max_retry_time;
	uint8_t max_retry_time_is_default;
	uint32_t min_retry_time;
	uint8_t min_retry_time_is_default;
	uint32_t min_expire_time;
	/* min_expire_time_expr is either a known value (REFRESHPLUSRETRYPLUS1
	 * or EXPIRE_TIME_HAS_VALUE) or else min_expire_time is the default.
	 * This can be tested with expire_time_is_default(x) define.
	 */
	uint8_t min_expire_time_expr;
	/* upper bound on the size of an incoming zone transfer (0 presumably
	 * means unlimited; see the xfrd code) */
	uint64_t size_limit_xfr;
	uint8_t multi_primary_check;
	uint8_t store_ixfr;
	uint8_t store_ixfr_is_default;
	uint64_t ixfr_size;
	uint8_t ixfr_size_is_default;
	uint32_t ixfr_number;
	uint8_t ixfr_number_is_default;
	uint8_t create_ixfr;
	uint8_t create_ixfr_is_default;
	/* verify settings; VERIFY_ZONE_INHERIT etc. mean "use global" */
	uint8_t verify_zone;
	uint8_t verify_zone_is_default;
	char **verifier;
	uint8_t verifier_feed_zone;
	uint8_t verifier_feed_zone_is_default;
	int32_t verifier_timeout;
	uint8_t verifier_timeout_is_default;
	/* one of CATALOG_ROLE_* */
	uint8_t catalog_role;
	uint8_t catalog_role_is_default;
	/* pattern applied to member zones of a catalog consumer zone */
	const char* catalog_member_pattern;
	/* for a producer member zone: the catalog producer zone it belongs to */
	const char* catalog_producer_zone;
} ATTR_PACKED;

#define PATTERN_IMPLICIT_MARKER "_implicit_"

/*
 * Options for a zone
 *
 * Keyed by apex dname in nsd_options.zone_options.  A zone is either
 * fixed in nsd.conf (part_of_config) or lives in the zonelist file, in
 * which case off/linesize locate its line for deletion and compaction.
 */
struct zone_options {
	/* key is dname of apex */
	rbnode_type node;

	/* is apex of the zone */
	const char* name;
	/* if not part of config, the offset and linesize of zonelist entry */
	off_t off;
	int linesize;
	/* pattern for the zone options, if zone is part_of_config, this is
	 * an anonymous pattern created in-place */
	struct pattern_options* pattern;
	/* zone is fixed into the main config, not in zonelist, cannot delete */
	unsigned part_of_config : 1;
	/* set when this object is really a struct catalog_member_zone (see
	 * as_catalog_member_zone()); must only be set on objects allocated
	 * as that larger struct */
	unsigned is_catalog_member_zone: 1;
} ATTR_PACKED;

/*
 * Options for catalog member zones
 * assert(options->is_catalog_member_zone == 1)
 * when options->pattern->catalog_producer_zone is set, this is a
 * producer member zone, otherwise a consumer member zone.
 * A catalog member zone is either a member zone of a catalog producer zone
 * or a catalog consumer zone. They are mutually exclusive.
 *
 * `options` must remain the first member: as_catalog_member_zone() casts
 * a struct zone_options* back to this type relying on that layout.
 */
struct catalog_member_zone {
	struct zone_options options;
	const struct dname* member_id;
	/* node in the associated catalog consumer or producer zone */
	rbnode_type node;
} ATTR_PACKED;

/* Callback invoked when a new member id is assigned to a member zone. */
typedef void (*new_member_id_type)(struct catalog_member_zone* zone);

/* Storage for an IPv4 or IPv6 address; acl_options.is_ipv6 selects. */
union acl_addr_storage {
#ifdef INET6
	struct in_addr addr;
	struct in6_addr addr6;
#else
	struct in_addr addr;
#endif
};

/*
 * Access control list element
 *
 * One entry of an allow-notify / request-xfr / provide-xfr / notify /
 * allow-query list.  Matching is done by acl_addr_matches() (address
 * part) and acl_key_matches() (TSIG key part); acl_check_incoming()
 * walks the list.
 */
struct acl_options {
	struct acl_options* next;

	/* options */
	/* xfrd-side state for request-xfr: time until which IXFR is not
	 * attempted for this primary, and count of failed transfers */
	time_t ixfr_disabled;
	int bad_xfr_count;
	uint8_t use_axfr_only;
	uint8_t allow_udp;

	/* ip address range */
	const char* ip_address_spec;
	uint8_t is_ipv6;
	unsigned int port; /* is 0(no port) or suffix @port value */
	/* addr is the (first) address; the meaning of range_mask depends on
	 * rangetype: unused for single, the mask for mask/subnet, and the
	 * maximum address for minmax */
	union acl_addr_storage addr;
	union acl_addr_storage range_mask;
	enum {
		acl_range_single = 0, /* single address */
		acl_range_mask = 1, /* 10.20.30.40&255.255.255.0 */
		acl_range_subnet = 2, /* 10.20.30.40/28 */
		acl_range_minmax = 3 /* 10.20.30.40-10.20.30.60 (mask=max) */
	} rangetype;

	/* key */
	/* nokey: entry explicitly requires no TSIG; blocked: entry denies
	 * the matching address (BLOCKED keyword).  key_options is the
	 * resolved key for key_name, NULL if none/not found. */
	uint8_t nokey;
	uint8_t blocked;
	const char* key_name;
	struct key_options* key_options;

	/* tls_auth for XoT */
	const char* tls_auth_name;
	struct tls_auth_options* tls_auth_options;
} ATTR_PACKED;

/*
 * Key definition
 *
 * A TSIG key from nsd.conf.  `secret` is the configured shared secret
 * (text form); key_options_setup() derives `tsig_key` from it and
 * key_options_desetup() releases it.  NOTE(review): secret material in
 * region memory -- whether it is cleared when a key is removed or the
 * options are destroyed is decided in options.c; verify.
 */
struct key_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* algorithm;
	char* secret;
	struct tsig_key* tsig_key;
} ATTR_PACKED;

/*
 * TLS Auth definition for XoT
 *
 * Client certificate/key used when fetching zones over TLS, plus the
 * name the upstream server certificate is authenticated against.
 * client_key_pw is a password (secret material) kept in memory.
 */
struct tls_auth_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* auth_domain_name;
	char* client_cert;
	char* client_key;
	char* client_key_pw;
};

/* proxy protocol port option list */
struct proxy_protocol_port_list {
	struct proxy_protocol_port_list* next;
	int port;
};

/** zone list free space: one reusable line offset in the zonelist file */
struct zonelist_free {
	struct zonelist_free* next;
	off_t off;
};
/** zonelist free bucket for a particular line length */
struct zonelist_bucket {
	rbnode_type node; /* key is ptr to linesize */
	int linesize;
	struct zonelist_free* list;
};

/* default zonefile write interval if database is "", in seconds */
#define ZONEFILES_WRITE_INTERVAL 3600

/* Entry of nsd_options.zonestatnames: cooked name -> stat array index. */
struct zonestatname {
	rbnode_type node; /* key is malloced string with cooked zonestat name */
	unsigned id; /* index in nsd.zonestat array */
};

/*
 * Used during options parsing
 *
 * Shared state between the flex/bison parser and the option setters:
 * current file/line for diagnostics, error count, the options being
 * filled, and the pattern/zone/key/tls_auth/ip block currently open.
 * err/err_arg receive error strings (see parse_options_file()).
 */
struct config_parser_state {
	char* filename;
	const char* chroot;
	int line;
	int errors;
	struct nsd_options* opt;
	struct pattern_options *pattern;
	struct zone_options *zone;
	struct key_options *key;
	struct tls_auth_options *tls_auth;
	struct ip_address_option *ip;
	void (*err)(void*,const char*);
	void* err_arg;
};

/* The active parser state; only meaningful while a parse is running. */
extern config_parser_state_type* cfg_parser;

/* region will be put in nsd_options struct. Returns empty options struct. */
struct nsd_options* nsd_options_create(region_type* region);
/* the number of zones that are configured.
 * opt and opt->zone_options must be non-NULL; no check is made here. */
static inline size_t nsd_options_num_zones(struct nsd_options* opt)
{ return opt->zone_options->count; }
/* insert a zone into the main options tree, returns 0 on error */
int nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone);
/* insert a pattern into the main options tree, returns 0 on error */
int nsd_options_insert_pattern(struct nsd_options* opt,
	struct pattern_options* pat);

/* parses options file. Returns false on failure. callback, if nonNULL,
 * gets called with error strings, default prints.
 * old_opts, when given, is the previous configuration (used on reload;
 * how it is consulted is up to options.c). */
int parse_options_file(struct nsd_options* opt, const char* file,
	void (*err)(void*,const char*), void* err_arg,
	struct nsd_options* old_opts);
/* allocate an empty zone_options from region */
struct zone_options* zone_options_create(region_type* region);
/* remove a zone from opt and release it */
void zone_options_delete(struct nsd_options* opt, struct zone_options* zone);
/* allocate a catalog_member_zone; its embedded options carry
 * is_catalog_member_zone so as_catalog_member_zone() can recover it */
struct catalog_member_zone* catalog_member_zone_create(region_type* region);
/* downcast to catalog_member_zone, or NULL when zopt is NULL or not a
 * member zone.  Valid only because struct catalog_member_zone has its
 * zone_options as the first member and the flag is only set on objects
 * allocated as the larger struct. */
static inline struct catalog_member_zone* as_catalog_member_zone(struct zone_options* zopt)
{ return zopt && zopt->is_catalog_member_zone ? (struct catalog_member_zone*)zopt : NULL; }
/* find a zone by apex domain name, or NULL if not found. */
struct zone_options* zone_options_find(struct nsd_options* opt,
	const struct dname* apex);
/* allocate a pattern with default values from region */
struct pattern_options* pattern_options_create(region_type* region);
/* look up a pattern by name, NULL if not found */
struct pattern_options* pattern_options_find(struct nsd_options* opt, const char* name);
/* true if the two patterns are equal in all fields */
int pattern_options_equal(struct pattern_options* p, struct pattern_options* q);
/* remove the named pattern from opt */
void pattern_options_remove(struct nsd_options* opt, const char* name);
/* insert p, or replace the existing pattern of the same name */
void pattern_options_add_modify(struct nsd_options* opt,
	struct pattern_options* p);
/* serialize p into buffer (for transport between nsd processes) */
void pattern_options_marshal(struct buffer* buffer, struct pattern_options* p);
/* inverse of pattern_options_marshal; allocates from r.  The buffer
 * comes from a trusted local peer process, not from the network. */
struct pattern_options* pattern_options_unmarshal(region_type* r,
	struct buffer* b);
/* TSIG key options: create/insert/find/remove/compare, and
 * setup/desetup which create and release the derived tsig_key */
struct key_options* key_options_create(region_type* region);
void key_options_insert(struct nsd_options* opt, struct key_options* key);
struct key_options* key_options_find(struct nsd_options* opt, const char* name);
void key_options_remove(struct nsd_options* opt, const char* name);
int key_options_equal(struct key_options* p, struct key_options* q);
void key_options_add_modify(struct nsd_options* opt, struct key_options* key);
void key_options_setup(region_type* region, struct key_options* key);
void key_options_desetup(region_type* region, struct key_options* key);
/* TLS auth */
struct tls_auth_options* tls_auth_options_create(region_type* region);
void tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth);
struct tls_auth_options* tls_auth_options_find(struct nsd_options* opt, const char* name);
/* read in zone list file. Returns false on failure */
int parse_zone_list_file(struct nsd_options* opt);
/* create (potential) catalog producer member entry and add to the zonelist.
 * new_member_id, if non-NULL, is called for a newly created member zone. */
struct zone_options* zone_list_add_or_cat(struct nsd_options* opt,
	const char* zname, const char* pname, new_member_id_type new_member_id);
/* create zone entry and add to the zonelist file */
static inline struct zone_options* zone_list_add(struct nsd_options* opt,
	const char* zname, const char* pname)
{ return zone_list_add_or_cat(opt, zname, pname, NULL); }
/* create zonelist entry, do not insert in file (called by _add) */
struct zone_options* zone_list_zone_insert(struct nsd_options* opt,
	const char* nm, const char* patnm);
/* remove zone from the zonelist file (its line becomes free space) */
void zone_list_del(struct nsd_options* opt, struct zone_options* zone);
/* rewrite the zonelist file without free space */
void zone_list_compact(struct nsd_options* opt);
/* close the zonelist FILE if open */
void zone_list_close(struct nsd_options* opt);

/* create zonestat name tree , for initially created zones */
void options_zonestatnames_create(struct nsd_options* opt);
/* Get zonestat id for zone options, add new entry if necessary.
 * instantiates the pattern's zonestat string */
unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt);
/* create string, same options as zonefile but no chroot changes */
const char* config_cook_string(struct zone_options* zone, const char* input);

/** check if config for remote control turns on IP-address interface
 * with certificates or a named pipe without certificates. */
int options_remote_is_address(struct nsd_options* cfg);

#if defined(HAVE_SSL)
/* tsig must be inited, adds all keys in options to tsig. */
void key_options_tsig_add(struct nsd_options* opt);
#endif

/* check acl list, acl number that matches if passed(0..),
 * or failure (-1) if dropped */
/* the reason why (the acl) is returned too (or NULL) */
int acl_check_incoming(struct acl_options* acl, struct query* q,
	struct acl_options** reason);
/* true if host's address falls in acl's address range */
int acl_addr_matches_host(struct acl_options* acl, struct acl_options* host);
/* true if the query's client address matches acl's address range */
int acl_addr_matches(struct acl_options* acl, struct query* q);
/* as acl_addr_matches, but against the proxied (PROXY protocol) address
 * carried in the query -- hedged: see options.c for which address */
int acl_addr_matches_proxy(struct acl_options* acl, struct query* q);
/* true if the query's TSIG (or absence of it) satisfies acl's key part */
int acl_key_matches(struct acl_options* acl, struct query* q);
/* low-level address comparisons on uint32_t arrays; sz is the array
 * length in whatever unit options.c passes (confirm there before reuse) */
int acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz);
int acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);
int acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);

/* check acl list for blocks on address, return 0 if none, -1 if blocked. */
int acl_check_incoming_block_proxy(struct acl_options* acl, struct query* q,
	struct acl_options** reason);

/* returns true if acls are both from the same host */
int acl_same_host(struct acl_options* a, struct acl_options* b);
/* find acl by number in the list */
struct acl_options* acl_find_num(struct acl_options* acl, int num);

/* see if two acl lists are the same (same elements in same order, or empty) */
int acl_list_equal(struct acl_options* p, struct acl_options* q);
/* see if two acl are the same */
int acl_equal(struct acl_options* p, struct acl_options* q);

/* see if a zone is a slave or a master zone */
int zone_is_slave(struct zone_options* opt);
/* see if a zone is a catalog consumer (NULL-safe) */
static inline int zone_is_catalog_consumer(struct zone_options* opt)
{ return opt && opt->pattern
	&& opt->pattern->catalog_role == CATALOG_ROLE_CONSUMER; }
/* see if a zone is a catalog producer (NULL-safe) */
static inline int zone_is_catalog_producer(struct zone_options* opt)
{ return opt && opt->pattern
	&& opt->pattern->catalog_role == CATALOG_ROLE_PRODUCER; }
/* see if a zone is a catalog member zone of either kind (NULL-safe) */
static inline int zone_is_catalog_member(struct zone_options* opt)
{ return opt && opt->is_catalog_member_zone; }
/* returns the producer zone name if opt is a producer member, else NULL */
static inline const char* zone_is_catalog_producer_member(struct zone_options* opt)
{ return opt && opt->pattern && opt->pattern->catalog_producer_zone
	? opt->pattern->catalog_producer_zone : NULL; }
/* member zone that is not a producer member, i.e. a consumer member */
static inline int zone_is_catalog_consumer_member(struct zone_options* opt)
{ return zone_is_catalog_member(opt) && !zone_is_catalog_producer_member(opt); }
/* create zonefile name, returns static pointer (perhaps to options data).
 * Not reentrant: the result is overwritten by the next call. */
const char* config_make_zonefile(struct zone_options* zone, struct nsd* nsd);

#define ZONEC_PCT_TIME 5 /* seconds, then it starts to print pcts */
#define ZONEC_PCT_COUNT 100000 /* elements before pct check is done */

/* parsing helpers */
/* report a parse error (printf-style); counts in cfg_parser->errors */
void c_error(const char* msg, ...) ATTR_FORMAT(printf, 1,2);
int c_wrap(void);
/* parse an address spec (with optional range/@port) and key name into a
 * new acl allocated from region.  ip is non-const and may be modified
 * during parsing. */
struct acl_options* parse_acl_info(region_type* region, char* ip,
	const char* key);
/* true if ipv6 address, false if ipv4 */
int parse_acl_is_ipv6(const char* p);
/* returns range type. mask is the 2nd part of the range */
int parse_acl_range_type(char* ip, char** mask);
/* parses subnet mask, fills 0 mask as well.  maxbits is the address
 * width (32 or 128, presumably) bounding the accepted prefix length. */
void parse_acl_range_subnet(char* p, void* addr, int maxbits);
/* clean up options */
void nsd_options_destroy(struct nsd_options* opt);
/* replace occurrences of one with two in buf, pass length of buffer */
void replace_str(char* buf, size_t len, const char* one, const char* two);
/* apply pattern to the existing pattern in the parser */
void config_apply_pattern(struct pattern_options *dest, const char* name);
/* if the file is a directory, print a warning, because flex just exit()s
 * when a fileread fails because it is a directory, helps the user figure
 * out what just happened */
void warn_if_directory(const char* filetype, FILE* f, const char* fname);
/* resolve interface names in the options "ip-address:" (or "interface:")
 * and "control-interface:" into the ip-addresses associated with those
 * names. */
void resolve_interface_names(struct nsd_options* options);

/* See if the sockaddr port number is listed in the proxy protocol ports.
 * Callers use this to decide whether a connection on that local port is
 * expected to carry a PROXY protocol header; a header on any other port
 * should not be honoured. */
int sockaddr_uses_proxy_protocol_port(struct nsd_options* options,
	struct sockaddr* addr);

#endif /* OPTIONS_H */