1 /*
2 * options.h -- nsd.conf options definitions and prototypes
3 *
4 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
5 *
6 * See LICENSE for the license.
7 *
8 */
9
10 #ifndef OPTIONS_H
11 #define OPTIONS_H
12
13 #include <stdarg.h>
14 #include "region-allocator.h"
15 #include "rbtree.h"
/* Opaque types that the declarations below only ever use through a
 * pointer. Their definitions live in other headers, so including this
 * file does not pull in the query/zone/TSIG machinery. */
struct query;
struct dname;
struct tsig_key;
struct buffer;
struct nsd;
21
/* _type aliases for the option structures defined further down; the
 * struct tags and the aliases are interchangeable. */
typedef struct nsd_options nsd_options_type;
typedef struct pattern_options pattern_options_type;
typedef struct zone_options zone_options_type;
typedef struct range_option range_option_type;
typedef struct ip_address_option ip_address_option_type;
typedef struct cpu_option cpu_option_type;
typedef struct cpu_map_option cpu_map_option_type;
typedef struct acl_options acl_options_type;
typedef struct key_options key_options_type;
typedef struct tls_auth_options tls_auth_options_type;
typedef struct config_parser_state config_parser_state_type;
33
34 /*
35 * Options global for nsd.
36 */
/*
 * Global (non-zone) configuration of the server, filled in by
 * parse_options_file() and allocated from `region` (last member).
 *
 * NOTE(review): the scalar fields appear to mirror nsd.conf option names
 * with '-' replaced by '_'; their semantics are implemented in the server
 * and parser, not here -- consult nsd.conf(5) / options.c before relying
 * on a particular meaning. Several members hold secret material or paths
 * to private keys (marked below); a dump of this struct is sensitive.
 */
struct nsd_options {
	/* config file name */
	char* configfile;
	/* options for zones, by apex, contains zone_options */
	rbtree_type* zone_options;
	/* patterns, by name, contains pattern_options */
	rbtree_type* patterns;

	/* free space in zonelist file, contains zonelist_bucket */
	rbtree_type* zonefree;
	/* number of free space lines in zonelist file */
	size_t zonefree_number;
	/* zonelist file if open */
	FILE* zonelist;
	/* last offset in file (or 0 if none) */
	off_t zonelist_off;

	/* tree of zonestat names and their id values, entries are struct
	 * zonestatname with malloced key=stringname. The number of items
	 * is the max statnameid, no items are freed from this.
	 * kept correct in the xfrd process, and on startup. */
	rbtree_type* zonestatnames;

	/* rbtree of keys defined, by name (struct key_options; each one
	 * carries a TSIG shared secret) */
	rbtree_type* keys;

	/* rbtree of tls_auth defined, by name (struct tls_auth_options) */
	rbtree_type* tls_auths;

	/* list of ip addresses to bind to (or NULL for all) */
	struct ip_address_option* ip_addresses;

	/* socket-level listen options */
	int ip_transparent;
	int ip_freebind;
	int send_buffer_size;
	int receive_buffer_size;
	int debug_mode;
	int verbosity;
	/* information-disclosure toggles; what they suppress is decided by
	 * the query code, not here */
	int hide_version;
	int hide_identity;
	int drop_updates;
	int do_ip4;
	int do_ip6;
	const char* database;
	const char* identity;
	const char* version;
	const char* logfile;
	int log_only_syslog;
	int server_count;
	struct cpu_option* cpu_affinity;
	struct cpu_map_option* service_cpu_affinity;
	/* TCP connection limits / behaviour under load */
	int tcp_count;
	int tcp_reject_overflow;
	int confine_to_zone;
	int tcp_query_count;
	int tcp_timeout;
	int tcp_mss;
	int outgoing_tcp_mss;
	/* advertised EDNS buffer sizes per address family */
	size_t ipv4_edns_size;
	size_t ipv6_edns_size;
	const char* pidfile;
	const char* port;
	int statistics;
	/* privilege reduction after startup: chroot directory and unprivileged
	 * user name. The parser keeps its own copy of chroot (see
	 * config_parser_state), presumably to rewrite file paths -- verify
	 * in the parser before depending on that. */
	const char* chroot;
	const char* username;
	const char* zonesdir;
	const char* xfrdfile;
	const char* xfrdir;
	const char* zonelistfile;
	const char* nsid;
	int xfrd_reload_timeout;
	int zonefiles_check;
	int zonefiles_write;
	int log_time_ascii;
	int round_robin;
	int minimal_responses;
	int refuse_any;
	int reuseport;

	/* private key file for TLS (path; the key itself is loaded elsewhere) */
	char* tls_service_key;
	/* ocsp stapling file for TLS */
	char* tls_service_ocsp;
	/* certificate file for TLS */
	char* tls_service_pem;
	/* TLS dedicated port */
	const char* tls_port;
	/* TLS certificate bundle */
	const char* tls_cert_bundle;

	/** remote control section. enable toggle. Whether the control
	 * channel is an IP address (certificates) or a named pipe (no
	 * certificates) is answered by options_remote_is_address(). */
	int control_enable;
	/** the interfaces the remote control should listen on */
	struct ip_address_option* control_interface;
	/** port number for the control port */
	int control_port;
	/** private key file for server (path) */
	char* server_key_file;
	/** certificate file for server */
	char* server_cert_file;
	/** private key file for nsd-control (path) */
	char* control_key_file;
	/** certificate file for nsd-control */
	char* control_cert_file;

#ifdef RATELIMIT
	/** number of buckets in rrl hashtable */
	size_t rrl_size;
	/** max qps for queries, 0 is nolimit */
	size_t rrl_ratelimit;
	/** ratio of slipped responses, 0 is noslip */
	size_t rrl_slip;
	/** ip prefix length */
	size_t rrl_ipv4_prefix_length;
	size_t rrl_ipv6_prefix_length;
	/** max qps for whitelisted queries, 0 is nolimit */
	size_t rrl_whitelist_ratelimit;
#endif
	/** if dnstap is enabled */
	int dnstap_enable;
	/** dnstap socket path */
	char* dnstap_socket_path;
	/** true to send "identity" via dnstap */
	int dnstap_send_identity;
	/** true to send "version" via dnstap */
	int dnstap_send_version;
	/** dnstap "identity", hostname is used if "". */
	char* dnstap_identity;
	/** dnstap "version", package version is used if "". */
	char* dnstap_version;
	/** true to log dnstap AUTH_QUERY message events */
	int dnstap_log_auth_query_messages;
	/** true to log dnstap AUTH_RESPONSE message events */
	int dnstap_log_auth_response_messages;

	/** do answer with server cookie when request contained cookie option */
	int answer_cookie;
	/** cookie secret -- secret material kept in cleartext in memory for as
	 * long as the options live; NOTE(review): whether it is zeroized on
	 * nsd_options_destroy() is not visible from this header */
	char *cookie_secret;
	/** path to cookie secret store */
	char const* cookie_secret_file;

	/* allocator that owns every string and sub-structure above */
	region_type* region;
};
181
/*
 * One inclusive [first, last] integer range in a singly linked list;
 * used by ip_address_option to name the server processes an address
 * is bound in.
 */
struct range_option {
	struct range_option* next;
	int first;
	int last;
};
187
/*
 * One address (or interface name before resolve_interface_names() runs)
 * to listen on, in a singly linked list.
 */
struct ip_address_option {
	struct ip_address_option* next;
	/* address text as configured */
	char* address;
	/* server process ranges this address applies to (NULL: all) */
	struct range_option* servers;
	/* device / routing-table binding; NOTE(review): exact semantics
	 * (e.g. SO_BINDTODEVICE, SO_SETFIB) are set up in the server code */
	int dev;
	int fib;
};
195
/* Linked list of CPU numbers (cpu-affinity). */
struct cpu_option {
	struct cpu_option* next;
	int cpu;
};
200
/* Linked list mapping one service/server number to one CPU. */
struct cpu_map_option {
	struct cpu_map_option* next;
	int service;
	int cpu;
};
206
207 /*
208 * Defines for min_expire_time_expr value
209 */
/* Encodings stored in pattern_options.min_expire_time_expr.
 * HAS_VALUE: min_expire_time holds an explicit number.
 * REFRESHPLUSRETRYPLUS1: the value is the "refresh+retry+1" rule.
 * Anything else (normally EXPIRE_TIME_IS_DEFAULT) means the default. */
#define EXPIRE_TIME_HAS_VALUE 0
#define EXPIRE_TIME_IS_DEFAULT 1
#define REFRESHPLUSRETRYPLUS1 2
#define REFRESHPLUSRETRYPLUS1_STR "refresh+retry+1"
/* True (1) when x selects neither the explicit value nor the
 * refresh+retry+1 rule. Beware: x is evaluated twice. */
#define expire_time_is_default(x) ((x) != REFRESHPLUSRETRYPLUS1 \
	&& (x) != EXPIRE_TIME_HAS_VALUE)
216
217
218 /*
219 * Pattern of zone options, used to contain options for zone(s).
220 */
/*
 * Pattern of zone options, used to contain options for zone(s).
 * Keyed by pname in nsd_options.patterns. The struct is ATTR_PACKED and
 * has marshal/unmarshal helpers (pattern_options_marshal/_unmarshal), so
 * treat field order and widths as part of a wire/file layout and do not
 * reorder casually.
 */
struct pattern_options {
	rbnode_type node;
	const char* pname; /* name of the pattern, key of rbtree */
	const char* zonefile;
	/* access control lists; each is a linked list of acl_options, checked
	 * with acl_check_incoming() and friends */
	struct acl_options* allow_notify;
	struct acl_options* request_xfr;
	struct acl_options* notify;
	struct acl_options* provide_xfr;
	struct acl_options* allow_query;
	struct acl_options* outgoing_interface;
	const char* zonestats;
#ifdef RATELIMIT
	uint16_t rrl_whitelist; /* bitmap with rrl types */
#endif
	uint8_t allow_axfr_fallback;
	uint8_t allow_axfr_fallback_is_default;
	uint8_t notify_retry;
	uint8_t notify_retry_is_default;
	uint8_t implicit; /* pattern is implicit, part_of_config zone used */
	uint8_t xfrd_flags;
	/* SOA timer clamps; each value has an _is_default companion so that
	 * "not configured" can be told apart from "configured to this value" */
	uint32_t max_refresh_time;
	uint8_t max_refresh_time_is_default;
	uint32_t min_refresh_time;
	uint8_t min_refresh_time_is_default;
	uint32_t max_retry_time;
	uint8_t max_retry_time_is_default;
	uint32_t min_retry_time;
	uint8_t min_retry_time_is_default;
	uint32_t min_expire_time;
	/* min_expire_time_expr is either a known value (REFRESHPLUSRETRYPLUS1
	 * or EXPIRE_TIME_HAS_VALUE) or else min_expire_time is the default.
	 * This can be tested with expire_time_is_default(x) define.
	 */
	uint8_t min_expire_time_expr;
	/* upper bound on transfer size; a defence against a master pushing an
	 * unbounded zone */
	uint64_t size_limit_xfr;
	uint8_t multi_master_check;
} ATTR_PACKED;
258
259 #define PATTERN_IMPLICIT_MARKER "_implicit_"
260
261 /*
262 * Options for a zone
263 */
/*
 * Options for a zone. Kept in nsd_options.zone_options keyed by apex
 * dname; the actual settings live in `pattern`.
 */
struct zone_options {
	/* key is dname of apex */
	rbnode_type node;

	/* is apex of the zone */
	const char* name;
	/* if not part of config, the offset and linesize of zonelist entry */
	off_t off;
	int linesize;
	/* pattern for the zone options, if zone is part_of_config, this is
	 * a anonymous pattern created in-place */
	struct pattern_options* pattern;
	/* zone is fixed into the main config, not in zonelist, cannot delete */
	uint8_t part_of_config;
} ATTR_PACKED;
279
/*
 * Address storage large enough for either family. Which member is valid
 * is recorded by acl_options.is_ipv6; without INET6 only IPv4 exists.
 */
union acl_addr_storage {
#ifdef INET6
	struct in_addr addr;
	struct in6_addr addr6;
#else
	struct in_addr addr;
#endif
};
288
289 /*
290 * Access control list element
291 */
/*
 * Access control list element: one address spec plus an optional TSIG key
 * and optional TLS auth, in a singly linked list. Evaluated by
 * acl_check_incoming() (address and key) and the acl_*_matches helpers.
 */
struct acl_options {
	struct acl_options* next;

	/* options */
	/* per-master transfer state kept on the acl: when IXFR was disabled
	 * and how many bad transfers were seen (used by the xfr code) */
	time_t ixfr_disabled;
	int bad_xfr_count;
	uint8_t use_axfr_only;
	uint8_t allow_udp;

	/* ip address range */
	const char* ip_address_spec;
	uint8_t is_ipv6;
	unsigned int port; /* is 0(no port) or suffix @port value */
	/* addr is the address (or range minimum); range_mask is the netmask
	 * or, for minmax, the range maximum -- see rangetype */
	union acl_addr_storage addr;
	union acl_addr_storage range_mask;
	enum {
		acl_range_single = 0, /* single address */
		acl_range_mask = 1, /* 10.20.30.40&255.255.255.0 */
		acl_range_subnet = 2, /* 10.20.30.40/28 */
		acl_range_minmax = 3 /* 10.20.30.40-10.20.30.60 (mask=max) */
	} rangetype;

	/* key */
	/* nokey: entry matches without a TSIG key; blocked: entry denies
	 * the address rather than allowing it. NOTE(review): the exact
	 * precedence between address match, key match and `blocked` is in
	 * acl_check_incoming(), not visible here. */
	uint8_t nokey;
	uint8_t blocked;
	/* key name as configured and, once resolved, the key definition */
	const char* key_name;
	struct key_options* key_options;

	/* tls_auth for XoT */
	const char* tls_auth_name;
	struct tls_auth_options* tls_auth_options;
} ATTR_PACKED;
324
325 /*
326 * Key definition
327 */
/*
 * Key definition (TSIG). Kept in nsd_options.keys keyed by name.
 * `secret` is the configured shared secret string held in cleartext in
 * memory; `tsig_key` is the parsed form installed by key_options_setup()
 * and removed by key_options_desetup(). NOTE(review): whether either copy
 * is zeroized on removal is not visible from this header.
 */
struct key_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* algorithm;
	char* secret;
	struct tsig_key* tsig_key;
} ATTR_PACKED;
335
336 /*
337 * TLS Auth definition for XoT
338 */
/*
 * TLS Auth definition for XoT (XFR over TLS). Kept in nsd_options.tls_auths
 * keyed by name. auth_domain_name is the name the peer certificate is
 * checked against; client_cert/client_key are file paths and
 * client_key_pw is the key passphrase, stored in cleartext in memory.
 */
struct tls_auth_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* auth_domain_name;
	char* client_cert;
	char* client_key;
	char* client_key_pw;
};
347
348 /** zone list free space */
/** zone list free space: one reusable line at file offset `off` */
struct zonelist_free {
	struct zonelist_free* next;
	off_t off;
};
353 /** zonelist free bucket for a particular line length */
/** zonelist free bucket for a particular line length; lives in
 * nsd_options.zonefree and chains the free lines of that size */
struct zonelist_bucket {
	rbnode_type node; /* key is ptr to linesize */
	int linesize;
	struct zonelist_free* list;
};
359
/* default zonefile write interval if database is "", in seconds
 * (applies to nsd_options.zonefiles_write) */
#define ZONEFILES_WRITE_INTERVAL 3600
362
/* Entry of nsd_options.zonestatnames: maps a zonestat name to its slot
 * index; see getzonestatid(). */
struct zonestatname {
	rbnode_type node; /* key is malloced string with cooked zonestat name */
	unsigned id; /* index in nsd.zonestat array */
};
367
368 /*
369 * Used during options parsing
370 */
/*
 * Used during options parsing. Holds the file/line position for error
 * messages, the options being filled, and the object currently being
 * parsed (pattern, zone, key, tls_auth, ip) so grammar actions can attach
 * values to it. Errors are reported through `err(err_arg, msg)` and
 * counted in `errors`; parse_options_file() decides pass/fail from that.
 */
struct config_parser_state {
	char* filename;
	/* chroot prefix known while parsing (see nsd_options.chroot) */
	const char* chroot;
	int line;
	int errors;
	struct nsd_options* opt;
	struct pattern_options *pattern;
	struct zone_options *zone;
	struct key_options *key;
	struct tls_auth_options *tls_auth;
	struct ip_address_option *ip;
	void (*err)(void*,const char*);
	void* err_arg;
};
385
386 extern config_parser_state_type* cfg_parser;
387
/* region will be put in nsd_options struct. Returns empty options struct.
 * All later strings/sub-structures are allocated from that region. */
struct nsd_options* nsd_options_create(region_type* region);
/* Number of zones currently configured, i.e. the size of the
 * zone_options tree. opt and opt->zone_options must be non-NULL. */
static inline size_t
nsd_options_num_zones(struct nsd_options* opt)
{
	size_t zone_total = opt->zone_options->count;
	return zone_total;
}
/* insert a zone into the main options tree, returns 0 on error */
int nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone);
/* insert a pattern into the main options tree, returns 0 on error */
int nsd_options_insert_pattern(struct nsd_options* opt,
	struct pattern_options* pat);

/* parses options file. Returns false on failure. callback, if nonNULL,
 * gets called with error strings, default prints.
 * The config file is trusted input (it names key secrets, chroot and
 * privilege-drop settings); callers should not feed it untrusted text. */
int parse_options_file(struct nsd_options* opt, const char* file,
	void (*err)(void*,const char*), void* err_arg);
/* allocate an empty zone_options from region */
struct zone_options* zone_options_create(region_type* region);
/* remove a zone from the options tree */
void zone_options_delete(struct nsd_options* opt, struct zone_options* zone);
/* find a zone by apex domain name, or NULL if not found. */
struct zone_options* zone_options_find(struct nsd_options* opt,
	const struct dname* apex);
/* allocate an empty pattern from region */
struct pattern_options* pattern_options_create(region_type* region);
/* find a pattern by name, or NULL if not found */
struct pattern_options* pattern_options_find(struct nsd_options* opt, const char* name);
/* nonzero if the two patterns have equal contents */
int pattern_options_equal(struct pattern_options* p, struct pattern_options* q);
/* remove the pattern with this name from the options tree */
void pattern_options_remove(struct nsd_options* opt, const char* name);
/* insert p, or replace the pattern of the same name with p's contents */
void pattern_options_add_modify(struct nsd_options* opt,
	struct pattern_options* p);
/* serialize a pattern into buffer / rebuild one from buffer (allocating
 * from r). NOTE(review): the encoding is defined in options.c; treat the
 * unmarshal side as parsing of possibly-malformed data there. */
void pattern_options_marshal(struct buffer* buffer, struct pattern_options* p);
struct pattern_options* pattern_options_unmarshal(region_type* r,
	struct buffer* b);
/* TSIG key management in the options tree (secret material, see
 * struct key_options) */
struct key_options* key_options_create(region_type* region);
void key_options_insert(struct nsd_options* opt, struct key_options* key);
struct key_options* key_options_find(struct nsd_options* opt, const char* name);
void key_options_remove(struct nsd_options* opt, const char* name);
int key_options_equal(struct key_options* p, struct key_options* q);
void key_options_add_modify(struct nsd_options* opt, struct key_options* key);
/* setup/desetup build and tear down key->tsig_key from the configured
 * secret, allocating from region */
void key_options_setup(region_type* region, struct key_options* key);
void key_options_desetup(region_type* region, struct key_options* key);
/* TLS auth */
struct tls_auth_options* tls_auth_options_create(region_type* region);
void tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth);
struct tls_auth_options* tls_auth_options_find(struct nsd_options* opt, const char* name);
/* read in zone list file. Returns false on failure */
int parse_zone_list_file(struct nsd_options* opt);
/* create zone entry and add to the zonelist file */
struct zone_options* zone_list_add(struct nsd_options* opt, const char* zname,
	const char* pname);
/* create zonelist entry, do not insert in file (called by _add) */
struct zone_options* zone_list_zone_insert(struct nsd_options* opt,
	const char* nm, const char* patnm, int linesize, off_t off);
/* remove a zone from the zonelist file (its line becomes free space) */
void zone_list_del(struct nsd_options* opt, struct zone_options* zone);
/* rewrite the zonelist file without free-space lines */
void zone_list_compact(struct nsd_options* opt);
/* close the zonelist file if open */
void zone_list_close(struct nsd_options* opt);

/* create zonestat name tree , for initially created zones */
void options_zonestatnames_create(struct nsd_options* opt);
/* Get zonestat id for zone options, add new entry if necessary.
 * instantiates the pattern's zonestat string */
unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt);
/* create string, same options as zonefile but no chroot changes */
const char* config_cook_string(struct zone_options* zone, const char* input);
448
/** check if config for remote control turns on IP-address interface
 * with certificates or a named pipe without certificates.
 * Returns nonzero for the IP-address (certificate-protected) case. */
int options_remote_is_address(struct nsd_options* cfg);

#if defined(HAVE_SSL)
/* tsig must be inited, adds all keys in options to tsig. */
void key_options_tsig_add(struct nsd_options* opt);
#endif
457
/* check acl list, acl number that matches if passed(0..),
 * or failure (-1) if dropped */
/* the reason why (the acl) is returned too (or NULL) */
/* Callers must treat only a return >= 0 as an allow; the matching
 * acl_options (e.g. a `blocked` entry) is placed in *reason when given. */
int acl_check_incoming(struct acl_options* acl, struct query* q,
	struct acl_options** reason);
/* address-only and key-only matching halves of the check above */
int acl_addr_matches_host(struct acl_options* acl, struct acl_options* host);
int acl_addr_matches(struct acl_options* acl, struct query* q);
int acl_key_matches(struct acl_options* acl, struct query* q);
/* raw address comparisons on uint32_t words. NOTE(review): whether `sz`
 * counts bytes or 32-bit words is not visible in this header -- check
 * the definitions in options.c before calling with a new size. */
int acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz);
int acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);
int acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);

/* returns true if acls are both from the same host */
int acl_same_host(struct acl_options* a, struct acl_options* b);
/* find acl by number in the list */
struct acl_options* acl_find_num(struct acl_options* acl, int num);

/* see if two acl lists are the same (same elements in same order, or empty) */
int acl_list_equal(struct acl_options* p, struct acl_options* q);
/* see if two acl are the same */
int acl_equal(struct acl_options* p, struct acl_options* q);

/* see if a zone is a slave or a master zone */
int zone_is_slave(struct zone_options* opt);
/* create zonefile name, returns static pointer (perhaps to options data).
 * The result is not owned by the caller: do not free it, and do not hold
 * it across another call since static storage may be reused. */
const char* config_make_zonefile(struct zone_options* zone, struct nsd* nsd);
484
/* zone compiler progress reporting thresholds */
#define ZONEC_PCT_TIME 5 /* seconds, then it starts to print pcts */
#define ZONEC_PCT_COUNT 100000 /* elements before pct check is done */
487
/* parsing helpers */
/* report a parse error at the current cfg_parser position. msg is a
 * printf format (checked by ATTR_FORMAT): never pass config/user text as
 * msg directly, use "%s". */
void c_error(const char* msg, ...) ATTR_FORMAT(printf, 1,2);
/* lexer end-of-input hook */
int c_wrap(void);
/* build an acl entry from an address spec and optional key name,
 * allocating from region. NOTE(review): ip is taken as char* (non-const),
 * which suggests it may be modified in place during parsing -- verify. */
struct acl_options* parse_acl_info(region_type* region, char* ip,
	const char* key);
/* true if ipv6 address, false if ipv4 */
int parse_acl_is_ipv6(const char* p);
/* returns range type. mask is the 2nd part of the range */
int parse_acl_range_type(char* ip, char** mask);
/* parses subnet mask, fills 0 mask as well. maxbits bounds the prefix
 * length written into addr (the address size in bits for the family);
 * values above it must be rejected by the implementation. */
void parse_acl_range_subnet(char* p, void* addr, int maxbits);
/* clean up options */
void nsd_options_destroy(struct nsd_options* opt);
/* replace occurrences of one with two in buf, pass length of buffer
 * (len is the total size of buf, bounding the rewritten result) */
void replace_str(char* buf, size_t len, const char* one, const char* two);
/* apply pattern to the existing pattern in the parser */
void config_apply_pattern(struct pattern_options *dest, const char* name);
/* if the file is a directory, print a warning, because flex just exit()s
 * when a fileread fails because it is a directory, helps the user figure
 * out what just happened */
void warn_if_directory(const char* filetype, FILE* f, const char* fname);
/* resolve interface names in the options "ip-address:" (or "interface:")
 * and "control-interface:" into the ip-addresses associated with those
 * names. */
void resolve_interface_names(struct nsd_options* options);
513
514 #endif /* OPTIONS_H */
515