1 /*
2  * options.h -- nsd.conf options definitions and prototypes
3  *
4  * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
5  *
6  * See LICENSE for the license.
7  *
8  */
9 
10 #ifndef OPTIONS_H
11 #define OPTIONS_H
12 
13 #include <stdarg.h>
14 #include "region-allocator.h"
15 #include "rbtree.h"
/* Opaque types from other modules; this header only ever uses pointers
 * to them, so no definition is needed here. */
struct query;
struct dname;
struct tsig_key;
struct buffer;
struct nsd;

/* Typedef aliases for the option structures defined further down. */
typedef struct nsd_options nsd_options_type;
typedef struct pattern_options pattern_options_type;
typedef struct zone_options zone_options_type;
typedef struct range_option range_option_type;
typedef struct ip_address_option ip_address_option_type;
typedef struct cpu_option cpu_option_type;
typedef struct cpu_map_option cpu_map_option_type;
typedef struct acl_options acl_options_type;
typedef struct key_options key_options_type;
typedef struct tls_auth_options tls_auth_options_type;
typedef struct config_parser_state config_parser_state_type;

/* Sentinel values for the per-pattern verifier settings in
 * pattern_options (verify_zone, verifier_feed_zone, verifier_timeout).
 * Presumably they mean "not set in this pattern, take the server-wide
 * value from nsd_options": 2 is outside the 0/1 range of the two flags,
 * and verifier_timeout is signed (int32_t) in the pattern precisely so
 * that -1 is free to mark inheritance. */
#define VERIFY_ZONE_INHERIT (2)
#define VERIFIER_FEED_ZONE_INHERIT (2)
#define VERIFIER_TIMEOUT_INHERIT (-1)
37 
/*
 * Options global for nsd.
 *
 * One instance holds everything parsed from nsd.conf plus the runtime
 * bookkeeping for the zonelist file.  The region handed to
 * nsd_options_create() is stored in the last member; note that the
 * zonestatnames keys are malloced separately (see that field).
 */
struct nsd_options {
	/* config file name */
	char* configfile;
	/* options for zones, by apex, contains zone_options */
	rbtree_type* zone_options;
	/* patterns, by name, contains pattern_options */
	rbtree_type* patterns;

	/* free space in zonelist file, contains zonelist_bucket */
	rbtree_type* zonefree;
	/* number of free space lines in zonelist file */
	size_t zonefree_number;
	/* zonelist file if open */
	FILE* zonelist;
	/* last offset in file (or 0 if none) */
	off_t zonelist_off;

	/* tree of zonestat names and their id values, entries are struct
	 * zonestatname with malloced key=stringname. The number of items
	 * is the max statnameid, no items are freed from this.
	 * kept correct in the xfrd process, and on startup. */
	rbtree_type* zonestatnames;

	/* rbtree of keys defined, by name (key_options: TSIG secrets) */
	rbtree_type* keys;

	/* rbtree of tls_auth defined, by name (tls_auth_options, for XoT) */
	rbtree_type* tls_auths;

	/* list of ip addresses to bind to (or NULL for all) */
	struct ip_address_option* ip_addresses;

	/* socket-level binding flags; presumably map to the IP_TRANSPARENT
	 * and IP_FREEBIND socket options (bind to non-local addresses) */
	int ip_transparent;
	int ip_freebind;
	/* socket buffer sizes (presumably SO_SNDBUF / SO_RCVBUF) */
	int send_buffer_size;
	int receive_buffer_size;
	int debug_mode;
	int verbosity;
	/* when set, the version / identity strings below are withheld from
	 * clients (presumably for the CH TXT version/id queries); reduces
	 * fingerprinting of the server */
	int hide_version;
	int hide_identity;
	/* presumably: silently drop DNS UPDATE requests instead of answering */
	int drop_updates;
	int do_ip4;
	int do_ip6;
	const char* database;
	/* server identity and version strings reported to clients */
	const char* identity;
	const char* version;
	const char* logfile;
	int log_only_syslog;
	/* number of server (child) processes, presumably; see
	 * range_option / cpu_map_option which address servers by number */
	int server_count;
	struct cpu_option* cpu_affinity;
	struct cpu_map_option* service_cpu_affinity;
	/* TCP resource limits: number of simultaneous connections, and
	 * whether connections beyond that are refused outright
	 * (tcp_reject_overflow) rather than left waiting */
	int tcp_count;
	int tcp_reject_overflow;
	int confine_to_zone;
	/* per-connection limits: queries allowed on one TCP connection,
	 * idle timeout, and the MSS for listening / outgoing sockets */
	int tcp_query_count;
	int tcp_timeout;
	int tcp_mss;
	int outgoing_tcp_mss;
	/* EDNS UDP payload sizes, per address family */
	size_t ipv4_edns_size;
	size_t ipv6_edns_size;
	const char* pidfile;
	/* listening port, kept as a string */
	const char* port;
	int statistics;
	/* privilege drop: directory to chroot into and user to switch to.
	 * Paths elsewhere in the config are presumably cooked relative to
	 * chroot (see config_cook_string() and config_parser_state.chroot). */
	const char* chroot;
	const char* username;
	const char* zonesdir;
	const char* xfrdfile;
	const char* xfrdir;
	const char* zonelistfile;
	/* presumably the EDNS NSID payload (RFC 5001) to return */
	const char* nsid;
	int xfrd_reload_timeout;
	int zonefiles_check;
	int zonefiles_write;
	int log_time_ascii;
	int round_robin;
	int minimal_responses;
	/* presumably: refuse QTYPE=ANY (minimal answers blunt ANY-based
	 * amplification) */
	int refuse_any;
	/* SO_REUSEPORT on listening sockets, presumably */
	int reuseport;
	/* max number of xfrd tcp sockets */
	int xfrd_tcp_max;
	/* max number of simultaneous requests on xfrd tcp socket */
	int xfrd_tcp_pipeline;

	/* DNS-over-TLS service.  The key file is secret material: it should
	 * be readable by the nsd user only. */
	/* private key file for TLS */
	char* tls_service_key;
	/* ocsp stapling file for TLS */
	char* tls_service_ocsp;
	/* certificate file for TLS */
	char* tls_service_pem;
	/* TLS dedicated port */
	const char* tls_port;
	/* TLS certificate bundle */
	const char* tls_cert_bundle;

	/** remote control section. enable toggle.
	 * The control channel is either an IP address, protected by the
	 * server / nsd-control key and certificate pairs below, or a named
	 * pipe without certificates (see options_remote_is_address()); in
	 * the named-pipe case access rests on the pipe's file permissions. */
	int control_enable;
	/** the interfaces the remote control should listen on */
	struct ip_address_option* control_interface;
	/** port number for the control port */
	int control_port;
	/** private key file for server */
	char* server_key_file;
	/** certificate file for server */
	char* server_cert_file;
	/** private key file for nsd-control */
	char* control_key_file;
	/** certificate file for nsd-control */
	char* control_cert_file;

#ifdef RATELIMIT
	/** Response rate limiting (only when built with RATELIMIT): caps
	 * the answer rate per client prefix, presumably to limit the
	 * server's usefulness as a reflector. */
	/** number of buckets in rrl hashtable */
	size_t rrl_size;
	/** max qps for queries, 0 is nolimit */
	size_t rrl_ratelimit;
	/** ratio of slipped responses, 0 is noslip (a slipped response is
	 * presumably a truncated reply that makes a genuine client retry
	 * over TCP) */
	size_t rrl_slip;
	/** ip prefix length: clients are aggregated per prefix of this
	 * many bits, presumably */
	size_t rrl_ipv4_prefix_length;
	size_t rrl_ipv6_prefix_length;
	/** max qps for whitelisted queries, 0 is nolimit */
	size_t rrl_whitelist_ratelimit;
#endif
	/** if dnstap is enabled */
	int dnstap_enable;
	/** dnstap socket path */
	char* dnstap_socket_path;
	/** true to send "identity" via dnstap */
	int dnstap_send_identity;
	/** true to send "version" via dnstap */
	int dnstap_send_version;
	/** dnstap "identity", hostname is used if "". */
	char* dnstap_identity;
	/** dnstap "version", package version is used if "". */
	char* dnstap_version;
	/** true to log dnstap AUTH_QUERY message events */
	int dnstap_log_auth_query_messages;
	/** true to log dnstap AUTH_RESPONSE message events */
	int dnstap_log_auth_response_messages;

	/** do answer with server cookie when request contained cookie option */
	int answer_cookie;
	/** cookie secret.  Sensitive keying material: keep it out of logs
	 * and debug dumps. */
	char *cookie_secret;
	/** path to cookie secret store; its file permissions protect the
	 * secret as much as anything else does */
	char const* cookie_secret_file;
	/** enable verify */
	int verify_enable;
	/** list of ip addresses used to serve zones for verification */
	struct ip_address_option* verify_ip_addresses;
	/** default port 5347 */
	char *verify_port;
	/** verify zones by default */
	int verify_zones;
	/** default command to verify zones with: an argv-style vector
	 * (presumably NULL-terminated) of an external program that nsd
	 * executes.  Whoever can write nsd.conf or a pattern can therefore
	 * run commands as nsd; treat the config as trusted input. */
	char **verifier;
	/** maximum number of verifiers that may run simultaneously */
	int verifier_count;
	/** whether or not to feed the zone to the verifier over stdin */
	uint8_t verifier_feed_zone;
	/** maximum number of seconds that a verifier may take.  Unsigned
	 * here; the per-pattern override is int32_t so that
	 * VERIFIER_TIMEOUT_INHERIT (-1) can mark "use this value". */
	uint32_t verifier_timeout;

	/* allocation region given to nsd_options_create() */
	region_type* region;
};
205 
/* Integer interval first..last (presumably inclusive), chained by next
 * with NULL ending the list.  Used by ip_address_option.servers to say
 * which server processes an address belongs to. */
struct range_option {
	struct range_option* next;
	int first;
	int last;
};
211 
/* One "ip-address:" / "interface:" (or "control-interface:") entry.
 * address is the text from the config; interface names are rewritten
 * to addresses by resolve_interface_names().  servers optionally limits
 * which server processes bind this address.  dev and fib presumably
 * select a network device and routing table (platform-specific socket
 * options) — confirm against the socket setup code. */
struct ip_address_option {
	struct ip_address_option* next;
	char* address;
	struct range_option* servers;
	int dev;
	int fib;
};
219 
/* One CPU number of the cpu-affinity list; NULL-terminated linked list
 * hanging off nsd_options.cpu_affinity. */
struct cpu_option {
	struct cpu_option* next;
	int cpu;
};
224 
/* Pins one service (presumably a server process number) to one CPU;
 * NULL-terminated list at nsd_options.service_cpu_affinity. */
struct cpu_map_option {
	struct cpu_map_option* next;
	int service;
	int cpu;
};
230 
/*
 * Encodings of pattern_options.min_expire_time_expr.  The expression
 * field says how min_expire_time is to be read: an explicit value,
 * the built-in default, or "refresh+retry+1" (presumably computed from
 * the zone's SOA refresh and retry fields at run time).
 */
#define EXPIRE_TIME_HAS_VALUE     0
#define EXPIRE_TIME_IS_DEFAULT    1
#define REFRESHPLUSRETRYPLUS1     2
#define REFRESHPLUSRETRYPLUS1_STR "refresh+retry+1"
/* True unless x selects an explicit value or refresh+retry+1: every
 * other code, EXPIRE_TIME_IS_DEFAULT included, means "use the default".
 * x is evaluated more than once; pass a plain variable or field. */
#define expire_time_is_default(x) \
	((x) != REFRESHPLUSRETRYPLUS1 && (x) != EXPIRE_TIME_HAS_VALUE)
240 
241 
/*
 * Pattern of zone options, used to contain options for zone(s).
 *
 * Zones point at a pattern through zone_options.pattern; a zone written
 * directly in nsd.conf gets an anonymous, implicit pattern of its own.
 * Many values carry a *_is_default companion flag which presumably
 * records that the value was never set explicitly, so that
 * config_apply_pattern() can override it.  The struct is ATTR_PACKED and
 * is serialized with pattern_options_marshal()/unmarshal(); being
 * packed, its multi-byte members may be misaligned — do not take their
 * address.
 */
struct pattern_options {
	rbnode_type node;
	const char* pname; /* name of the pattern, key of rbtree */
	const char* zonefile;
	/* access control lists (see acl_options).  Going by the option
	 * names: allow_notify, provide_xfr and allow_query say which peers
	 * may NOTIFY, transfer or query this zone; request_xfr lists the
	 * masters to pull from and notify the secondaries to inform;
	 * outgoing_interface selects the local address for outgoing
	 * traffic.  Check the consumers before relying on details. */
	struct acl_options* allow_notify;
	struct acl_options* request_xfr;
	struct acl_options* notify;
	struct acl_options* provide_xfr;
	struct acl_options* allow_query;
	struct acl_options* outgoing_interface;
	const char* zonestats;
#ifdef RATELIMIT
	uint16_t rrl_whitelist; /* bitmap with rrl types */
#endif
	uint8_t allow_axfr_fallback;
	uint8_t allow_axfr_fallback_is_default;
	uint8_t notify_retry;
	uint8_t notify_retry_is_default;
	uint8_t implicit; /* pattern is implicit, part_of_config zone used */
	uint8_t xfrd_flags; /* bit flags for xfrd; values defined elsewhere */
	/* clamps (seconds) on the SOA refresh/retry timers, presumably
	 * applied to the values learnt from a master */
	uint32_t max_refresh_time;
	uint8_t max_refresh_time_is_default;
	uint32_t min_refresh_time;
	uint8_t min_refresh_time_is_default;
	uint32_t max_retry_time;
	uint8_t max_retry_time_is_default;
	uint32_t min_retry_time;
	uint8_t min_retry_time_is_default;
	uint32_t min_expire_time;
	/* min_expire_time_expr is either a known value (REFRESHPLUSRETRYPLUS1
	 * or EXPIRE_TIME_HAS_VALUE) or else min_expire_time is the default.
	 * This can be tested with the expire_time_is_default(x) define.
	 */
	uint8_t min_expire_time_expr;
	/* upper bound on the size of an incoming zone transfer; presumably
	 * keeps a master from exhausting memory or disk with a huge zone */
	uint64_t size_limit_xfr;
	uint8_t multi_master_check;
	/* IXFR storage / generation settings and their default flags */
	uint8_t store_ixfr;
	uint8_t store_ixfr_is_default;
	uint64_t ixfr_size;
	uint8_t ixfr_size_is_default;
	uint32_t ixfr_number;
	uint8_t ixfr_number_is_default;
	uint8_t create_ixfr;
	uint8_t create_ixfr_is_default;
	/* per-pattern verifier settings.  VERIFY_ZONE_INHERIT,
	 * VERIFIER_FEED_ZONE_INHERIT and VERIFIER_TIMEOUT_INHERIT (-1)
	 * presumably mean "take the value from nsd_options".  verifier is
	 * an external command that nsd runs, like nsd_options.verifier. */
	uint8_t verify_zone;
	uint8_t verify_zone_is_default;
	char **verifier;
	uint8_t verifier_feed_zone;
	uint8_t verifier_feed_zone_is_default;
	int32_t verifier_timeout;
	uint8_t verifier_timeout_is_default;
} ATTR_PACKED;
297 
/* Marker string for the anonymous pattern created in place for a zone
 * configured directly in nsd.conf (see pattern_options.implicit and
 * zone_options.part_of_config); presumably used in or as its pname. */
#define PATTERN_IMPLICIT_MARKER "_implicit_"
299 
/*
 * Options for a zone
 *
 * Either fixed in nsd.conf (part_of_config set; pattern is then an
 * anonymous pattern created in place and the zone cannot be deleted)
 * or added through the zonelist file (off and linesize locate its line
 * there, presumably so zone_list_del() can free it).  Packed, like
 * pattern_options: avoid taking the address of off or linesize.
 */
struct zone_options {
	/* key is dname of apex */
	rbnode_type node;

	/* apex of the zone, as text */
	const char* name;
	/* if not part of config, the offset and linesize of zonelist entry */
	off_t off;
	int linesize;
	/* pattern for the zone options, if zone is part_of_config, this is
	 * an anonymous pattern created in-place */
	struct pattern_options* pattern;
	/* zone is fixed into the main config, not in zonelist, cannot delete */
	uint8_t part_of_config;
} ATTR_PACKED;
318 
/* Address storage for an ACL entry; the IPv6 member exists only when
 * INET6 is defined.  struct in_addr / in6_addr are not declared by the
 * includes in this header, so <netinet/in.h> (or an equivalent) must
 * already be in scope where this header is included. */
union acl_addr_storage {
#ifdef INET6
	struct in_addr addr;
	struct in6_addr addr6;
#else
	struct in_addr addr;
#endif
};
327 
/*
 * Access control list element
 *
 * One entry of an ACL from nsd.conf: an address or address range,
 * optionally a port, and a TSIG key name / tls_auth name, or the nokey
 * or blocked marker (built by parse_acl_info()).  A list is evaluated
 * by acl_check_incoming(), presumably in list order.
 *
 * NOTE(review): an entry that matches on address alone (nokey set)
 * authenticates the peer by source IP only, which is trivially spoofed
 * over UDP.  For provide_xfr, request_xfr and allow_notify prefer a
 * TSIG key or, for XoT, a tls_auth entry.
 */
struct acl_options {
	struct acl_options* next;

	/* options */
	/* transfer state kept for a master: since when IXFR is disabled
	 * for it (0 presumably meaning enabled) and how many transfers
	 * from it have gone bad */
	time_t ixfr_disabled;
	int bad_xfr_count;
	uint8_t use_axfr_only;
	uint8_t allow_udp;

	/* ip address range */
	const char* ip_address_spec;
	uint8_t is_ipv6;
	unsigned int port;	/* is 0(no port) or suffix @port value */
	union acl_addr_storage addr;
	/* second half of the range: the mask for acl_range_mask and
	 * acl_range_subnet, the upper bound for acl_range_minmax */
	union acl_addr_storage range_mask;
	enum {
		acl_range_single = 0,	/* single address */
		acl_range_mask = 1,	/* 10.20.30.40&255.255.255.0 */
		acl_range_subnet = 2,	/* 10.20.30.40/28 */
		acl_range_minmax = 3	/* 10.20.30.40-10.20.30.60 (mask=max) */
	} rangetype;

	/* key */
	/* nokey: no TSIG key is required for this entry; blocked: the entry
	 * denies rather than permits (presumably the NOKEY / BLOCKED config
	 * keywords).  key_name is looked up in nsd_options.keys to fill
	 * key_options. */
	uint8_t nokey;
	uint8_t blocked;
	const char* key_name;
	struct key_options* key_options;

	/* tls_auth for XoT: name of a tls_auth section and its resolved
	 * options (from nsd_options.tls_auths) */
	const char* tls_auth_name;
	struct tls_auth_options* tls_auth_options;
} ATTR_PACKED;
363 
/*
 * Key definition
 *
 * A TSIG key from a "key:" section: its name, algorithm and the shared
 * secret exactly as configured.  The secret is sensitive material —
 * never log or dump it.  tsig_key is the derived key object;
 * key_options_setup()/key_options_desetup() presumably build and tear
 * it down.
 */
struct key_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* algorithm;
	char* secret;
	struct tsig_key* tsig_key;
} ATTR_PACKED;
374 
/*
 * TLS Auth definition for XoT
 *
 * Parameters for authenticating a master over DNS-over-TLS:
 * auth_domain_name is presumably the name the master's certificate must
 * present; client_cert / client_key (plus its passphrase client_key_pw,
 * which is sensitive) are offered for mutual authentication.  Unlike the
 * other option structs this one is not ATTR_PACKED.
 */
struct tls_auth_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* auth_domain_name;
	char* client_cert;
	char* client_key;
	char* client_key_pw;
};
386 
/** zone list free space: one reusable line in the zonelist file,
 * identified by its offset; lines of one length are chained together
 * from a zonelist_bucket */
struct zonelist_free {
	struct zonelist_free* next;
	off_t off;
};
/** zonelist free bucket for a particular line length; lives in
 * nsd_options.zonefree keyed by linesize, presumably so that a new
 * entry can take over a freed line of exactly its own size */
struct zonelist_bucket {
	rbnode_type node; /* key is ptr to linesize */
	int linesize;
	struct zonelist_free* list;
};
398 
/* default zonefile write interval if database is "", in seconds
 * (one hour; see nsd_options.zonefiles_write) */
#define ZONEFILES_WRITE_INTERVAL 3600
401 
/* Entry of nsd_options.zonestatnames: maps a (cooked) zonestat name to
 * its slot in the statistics array.  Keys are malloced and never freed
 * (see the zonestatnames field comment in nsd_options). */
struct zonestatname {
	rbnode_type node; /* key is malloced string with cooked zonestat name */
	unsigned id; /* index in nsd.zonestat array */
};
406 
/*
 * Used during options parsing
 *
 * Global parser state (see cfg_parser): the file and line being
 * parsed, the running error count, the options being filled, and the
 * pattern / zone / key / tls_auth / ip entry currently under
 * construction.  err and err_arg are the callback handed to
 * parse_options_file(); c_error() presumably reports through it.
 */
struct config_parser_state {
	char* filename;
	/* chroot from the config, presumably used to cook paths while parsing */
	const char* chroot;
	int line;
	int errors;
	struct nsd_options* opt;
	struct pattern_options *pattern;
	struct zone_options *zone;
	struct key_options *key;
	struct tls_auth_options *tls_auth;
	struct ip_address_option *ip;
	void (*err)(void*,const char*);
	void* err_arg;
};
424 
/* Global parser state, presumably shared with the generated lexer and
 * parser (see c_error(), c_wrap()). */
extern config_parser_state_type* cfg_parser;

/* region will be put in nsd_options struct. Returns empty options struct. */
struct nsd_options* nsd_options_create(region_type* region);
/* Number of zones that are configured: the entry count of
 * opt->zone_options, the tree keyed by zone apex.  opt and its tree
 * must be valid (no NULL check is made). */
static inline size_t nsd_options_num_zones(struct nsd_options* opt)
{
	size_t configured = opt->zone_options->count;
	return configured;
}
/* insert a zone into the main options tree, returns 0 on error
 * (presumably a duplicate apex); callers must check the result */
int nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone);
/* insert a pattern into the main options tree, returns 0 on error
 * (presumably a duplicate pname); callers must check the result */
int nsd_options_insert_pattern(struct nsd_options* opt,
	struct pattern_options* pat);
437 
/* parses options file. Returns false on failure. callback, if nonNULL,
 * gets called with error strings, default prints.  Check the result
 * before using opt: a failed parse can leave it partially filled. */
int parse_options_file(struct nsd_options* opt, const char* file,
	void (*err)(void*,const char*), void* err_arg);
/* allocate an empty zone_options from region */
struct zone_options* zone_options_create(region_type* region);
/* remove zone from opt->zone_options; presumably not meant for
 * part_of_config zones (see zone_options.part_of_config) */
void zone_options_delete(struct nsd_options* opt, struct zone_options* zone);
/* find a zone by apex domain name, or NULL if not found. */
struct zone_options* zone_options_find(struct nsd_options* opt,
	const struct dname* apex);
/* allocate an empty pattern from region */
struct pattern_options* pattern_options_create(region_type* region);
/* look up a pattern by pname; NULL if absent (presumably) */
struct pattern_options* pattern_options_find(struct nsd_options* opt, const char* name);
/* compare two patterns, presumably field by field; nonzero when equal */
int pattern_options_equal(struct pattern_options* p, struct pattern_options* q);
/* remove the named pattern from opt->patterns */
void pattern_options_remove(struct nsd_options* opt, const char* name);
/* insert p, or update the existing pattern of the same pname */
void pattern_options_add_modify(struct nsd_options* opt,
	struct pattern_options* p);
/* serialize p into buffer, and rebuild a pattern from b allocating in r.
 * The format is private to nsd (presumably for passing patterns between
 * its own processes); never unmarshal data from an untrusted source. */
void pattern_options_marshal(struct buffer* buffer, struct pattern_options* p);
struct pattern_options* pattern_options_unmarshal(region_type* r,
	struct buffer* b);
/* key_options lifecycle: create/insert/find/remove/compare/modify
 * mirror the pattern_options functions above, on opt->keys */
struct key_options* key_options_create(region_type* region);
void key_options_insert(struct nsd_options* opt, struct key_options* key);
struct key_options* key_options_find(struct nsd_options* opt, const char* name);
void key_options_remove(struct nsd_options* opt, const char* name);
int key_options_equal(struct key_options* p, struct key_options* q);
void key_options_add_modify(struct nsd_options* opt, struct key_options* key);
/* presumably build and tear down key->tsig_key from the configured
 * secret; desetup would be the place where decoded key material is
 * released — confirm in the implementation */
void key_options_setup(region_type* region, struct key_options* key);
void key_options_desetup(region_type* region, struct key_options* key);
/* TLS auth: create / insert into opt->tls_auths / look up by name */
struct tls_auth_options* tls_auth_options_create(region_type* region);
void tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth);
struct tls_auth_options* tls_auth_options_find(struct nsd_options* opt, const char* name);
/* read in zone list file. Returns false on failure */
int parse_zone_list_file(struct nsd_options* opt);
/* create zone entry and add to the zonelist file; the zonelist file is
 * thus modified at run time, so its location and permissions matter.
 * Check the result for NULL. */
struct zone_options* zone_list_add(struct nsd_options* opt, const char* zname,
	const char* pname);
/* create zonelist entry, do not insert in file (called by _add) */
struct zone_options* zone_list_zone_insert(struct nsd_options* opt,
	const char* nm, const char* patnm, int linesize, off_t off);
/* remove a zonelist zone; its file line presumably goes to opt->zonefree */
void zone_list_del(struct nsd_options* opt, struct zone_options* zone);
/* rewrite the zonelist file, presumably dropping the free lines */
void zone_list_compact(struct nsd_options* opt);
/* close opt->zonelist if open */
void zone_list_close(struct nsd_options* opt);
479 
/* create zonestat name tree , for initially created zones */
void options_zonestatnames_create(struct nsd_options* opt);
/* Get zonestat id for zone options, add new entry if necessary.
 * instantiates the pattern's zonestat string */
unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt);
/* create string, same options as zonefile but no chroot changes.
 * Lifetime of the returned string is not stated here; compare
 * config_make_zonefile(), which returns a static pointer. */
const char* config_cook_string(struct zone_options* zone, const char* input);

/** check if config for remote control turns on IP-address interface
 * with certificates or a named pipe without certificates. */
int options_remote_is_address(struct nsd_options* cfg);
491 
#if defined(HAVE_SSL)
/* tsig must be inited, adds all keys in options to tsig.  Only present
 * in SSL-enabled builds. */
void key_options_tsig_add(struct nsd_options* opt);
#endif
496 
/* check acl list, acl number that matches if passed(0..),
 * or failure (-1) if dropped */
/* the reason why (the acl) is returned too (or NULL) */
/* NOTE(review): 0 is a PASS (the first entry matched); callers must test
 * for -1, not for zero, or every match on the first entry is dropped. */
int acl_check_incoming(struct acl_options* acl, struct query* q,
	struct acl_options** reason);
/* address-only matching, no key check: does the host (another acl
 * entry) or the query's source fall in acl's address range */
int acl_addr_matches_host(struct acl_options* acl, struct acl_options* host);
int acl_addr_matches(struct acl_options* acl, struct query* q);
/* does the query's key (if any) satisfy what acl requires */
int acl_key_matches(struct acl_options* acl, struct query* q);
/* word-wise helpers over raw address bytes.  sz is presumably a byte
 * count, but confirm against the implementation before reusing them. */
int acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz);
int acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);
int acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);

/* returns true if acls are both from the same host */
int acl_same_host(struct acl_options* a, struct acl_options* b);
/* find acl by number in the list */
struct acl_options* acl_find_num(struct acl_options* acl, int num);

/* see if two acl lists are the same (same elements in same order, or empty) */
int acl_list_equal(struct acl_options* p, struct acl_options* q);
/* see if two acl are the same */
int acl_equal(struct acl_options* p, struct acl_options* q);
518 
/* see if a zone is a slave or a master zone */
int zone_is_slave(struct zone_options* opt);
/* create zonefile name, returns static pointer (perhaps to options data).
 * Not reentrant: the result may be overwritten by the next call, so copy
 * it before calling again, and never free it. */
const char* config_make_zonefile(struct zone_options* zone, struct nsd* nsd);
523 
/* progress reporting while compiling a zone: after ZONEC_PCT_TIME
 * seconds percentages are printed, checked every ZONEC_PCT_COUNT elements */
#define ZONEC_PCT_TIME 5 /* seconds, then it starts to print pcts */
#define ZONEC_PCT_COUNT 100000 /* elements before pct check is done */
526 
/* parsing helpers */
/* report a parse error (location presumably taken from cfg_parser).
 * Declared printf-like: msg must be a literal format string — pass
 * config text as a "%s" argument, never as msg. */
void c_error(const char* msg, ...) ATTR_FORMAT(printf, 1,2);
/* presumably flex's yywrap: end of input */
int c_wrap(void);
/* build an acl entry from an address spec and a key name (or NULL);
 * ip is non-const and is presumably split in place by the range parsing */
struct acl_options* parse_acl_info(region_type* region, char* ip,
	const char* key);
/* true if ipv6 address, false if ipv4 */
int parse_acl_is_ipv6(const char* p);
/* returns range type. mask is the 2nd part of the range */
int parse_acl_range_type(char* ip, char** mask);
/* parses subnet mask, fills 0 mask as well.  maxbits is the address
 * width (presumably 32 or 128) and bounds the prefix length read from
 * p; addr must have room for maxbits/8 bytes. */
void parse_acl_range_subnet(char* p, void* addr, int maxbits);
/* clean up options */
void nsd_options_destroy(struct nsd_options* opt);
/* replace occurrences of one with two in buf, pass length of buffer.
 * len is the capacity of buf; when two is longer than one the result
 * is presumably truncated to fit — verify before using it that way. */
void replace_str(char* buf, size_t len, const char* one, const char* two);
/* apply pattern to the existing pattern in the parser */
void config_apply_pattern(struct pattern_options *dest, const char* name);
/* if the file is a directory, print a warning, because flex just exit()s
 * when a fileread fails because it is a directory, helps the user figure
 * out what just happened */
void warn_if_directory(const char* filetype, FILE* f, const char* fname);
/* resolve interface names in the options "ip-address:" (or "interface:")
 * and "control-interface:" into the ip-addresses associated with those
 * names. */
void resolve_interface_names(struct nsd_options* options);
552 
553 #endif /* OPTIONS_H */
554