1 /* $NetBSD: acl.h,v 1.6 2014/12/10 04:37:58 christos Exp $ */ 2 3 /* 4 * Copyright (C) 2004-2007, 2009, 2011, 2013, 2014 Internet Systems Consortium, Inc. ("ISC") 5 * Copyright (C) 1999-2002 Internet Software Consortium. 6 * 7 * Permission to use, copy, modify, and/or distribute this software for any 8 * purpose with or without fee is hereby granted, provided that the above 9 * copyright notice and this permission notice appear in all copies. 10 * 11 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12 * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13 * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15 * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16 * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17 * PERFORMANCE OF THIS SOFTWARE. 18 */ 19 20 /* Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp */ 21 22 #ifndef DNS_ACL_H 23 #define DNS_ACL_H 1 24 25 /***** 26 ***** Module Info 27 *****/ 28 29 /*! \file dns/acl.h 30 * \brief 31 * Address match list handling. 32 */ 33 34 /*** 35 *** Imports 36 ***/ 37 38 #include <isc/lang.h> 39 #include <isc/magic.h> 40 #include <isc/netaddr.h> 41 #include <isc/refcount.h> 42 43 #ifdef HAVE_GEOIP 44 #include <dns/geoip.h> 45 #endif 46 #include <dns/name.h> 47 #include <dns/types.h> 48 #include <dns/iptable.h> 49 50 #ifdef HAVE_GEOIP 51 #include <GeoIP.h> 52 #endif 53 54 /*** 55 *** Types 56 ***/ 57 58 typedef enum { 59 dns_aclelementtype_ipprefix, 60 dns_aclelementtype_keyname, 61 dns_aclelementtype_nestedacl, 62 dns_aclelementtype_localhost, 63 dns_aclelementtype_localnets, 64 #ifdef HAVE_GEOIP 65 dns_aclelementtype_geoip, 66 #endif /* HAVE_GEOIP */ 67 dns_aclelementtype_any 68 } dns_aclelementtype_t; 69 70 typedef struct dns_aclipprefix dns_aclipprefix_t; 71 72 struct dns_aclipprefix { 73 isc_netaddr_t address; /* IP4/IP6 */ 74 unsigned int prefixlen; 75 }; 76 77 struct dns_aclelement { 78 dns_aclelementtype_t type; 79 isc_boolean_t negative; 80 dns_name_t keyname; 81 #ifdef HAVE_GEOIP 82 dns_geoip_elem_t geoip_elem; 83 #endif /* HAVE_GEOIP */ 84 dns_acl_t *nestedacl; 85 int node_num; 86 }; 87 88 struct dns_acl { 89 unsigned int magic; 90 isc_mem_t *mctx; 91 isc_refcount_t refcount; 92 dns_iptable_t *iptable; 93 #define node_count iptable->radix->num_added_node 94 dns_aclelement_t *elements; 95 isc_boolean_t has_negatives; 96 unsigned int alloc; /*%< Elements allocated */ 97 unsigned int length; /*%< Elements initialized */ 98 char *name; /*%< Temporary use only */ 99 ISC_LINK(dns_acl_t) nextincache; /*%< Ditto */ 100 }; 101 102 struct dns_aclenv { 103 dns_acl_t *localhost; 104 dns_acl_t *localnets; 105 isc_boolean_t match_mapped; 106 #ifdef HAVE_GEOIP 107 dns_geoip_databases_t *geoip; 108 #endif 109 }; 110 111 #define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l') 112 #define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) 113 114 /*** 115 *** Functions 116 ***/ 117 118 ISC_LANG_BEGINDECLS 119 120 isc_result_t 121 dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target); 122 /*%< 123 * Create a new ACL, including an IP table and an array with room 124 * for 'n' ACL elements. The elements are uninitialized and the 125 * length is 0. 126 */ 127 128 isc_result_t 129 dns_acl_any(isc_mem_t *mctx, dns_acl_t **target); 130 /*%< 131 * Create a new ACL that matches everything. 132 */ 133 134 isc_result_t 135 dns_acl_none(isc_mem_t *mctx, dns_acl_t **target); 136 /*%< 137 * Create a new ACL that matches nothing. 138 */ 139 140 isc_boolean_t 141 dns_acl_isany(dns_acl_t *acl); 142 /*%< 143 * Test whether ACL is set to "{ any; }" 144 */ 145 146 isc_boolean_t 147 dns_acl_isnone(dns_acl_t *acl); 148 /*%< 149 * Test whether ACL is set to "{ none; }" 150 */ 151 152 isc_result_t 153 dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos); 154 /*%< 155 * Merge the contents of one ACL into another. Call dns_iptable_merge() 156 * for the IP tables, then concatenate the element arrays. 157 * 158 * If pos is set to false, then the nested ACL is to be negated. This 159 * means reverse the sense of each *positive* element or IP table node, 160 * but leave negatives alone, so as to prevent a double-negative causing 161 * an unexpected positive match in the parent ACL. 162 */ 163 164 void 165 dns_acl_attach(dns_acl_t *source, dns_acl_t **target); 166 /*%< 167 * Attach to acl 'source'. 168 * 169 * Requires: 170 *\li 'source' to be a valid acl. 171 *\li 'target' to be non NULL and '*target' to be NULL. 172 */ 173 174 void 175 dns_acl_detach(dns_acl_t **aclp); 176 /*%< 177 * Detach the acl. On final detach the acl must not be linked on any 178 * list. 179 * 180 * Requires: 181 *\li '*aclp' to be a valid acl. 182 * 183 * Insists: 184 *\li '*aclp' is not linked on final detach. 185 */ 186 187 isc_boolean_t 188 dns_acl_isinsecure(const dns_acl_t *a); 189 /*%< 190 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is, 191 * if it contains IP addresses other than those of the local host. 192 * This is intended for applications such as printing warning 193 * messages for suspect ACLs; it is not intended for making access 194 * control decisions. We make no guarantee that an ACL for which 195 * this function returns #ISC_FALSE is safe. 196 */ 197 198 isc_result_t 199 dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env); 200 /*%< 201 * Initialize ACL environment, setting up localhost and localnets ACLs 202 */ 203 204 void 205 dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s); 206 207 void 208 dns_aclenv_destroy(dns_aclenv_t *env); 209 210 isc_result_t 211 dns_acl_match(const isc_netaddr_t *reqaddr, 212 const dns_name_t *reqsigner, 213 const dns_acl_t *acl, 214 const dns_aclenv_t *env, 215 int *match, 216 const dns_aclelement_t **matchelt); 217 /*%< 218 * General, low-level ACL matching. This is expected to 219 * be useful even for weird stuff like the topology and sortlist statements. 220 * 221 * Match the address 'reqaddr', and optionally the key name 'reqsigner', 222 * against 'acl'. 'reqsigner' may be NULL. 223 * 224 * If there is a match, '*match' will be set to an integer whose absolute 225 * value corresponds to the order in which the matching value was inserted 226 * into the ACL. For a positive match, this value will be positive; for a 227 * negative match, it will be negative. 228 * 229 * If there is no match, *match will be set to zero. 230 * 231 * If there is a match in the element list (either positive or negative) 232 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching 233 * element. 234 * 235 * 'env' points to the current ACL environment, including the 236 * current values of localhost and localnets and (if applicable) 237 * the GeoIP context. 238 * 239 * Returns: 240 *\li #ISC_R_SUCCESS Always succeeds. 241 */ 242 243 isc_boolean_t 244 dns_aclelement_match(const isc_netaddr_t *reqaddr, 245 const dns_name_t *reqsigner, 246 const dns_aclelement_t *e, 247 const dns_aclenv_t *env, 248 const dns_aclelement_t **matchelt); 249 /*%< 250 * Like dns_acl_match, but matches against the single ACL element 'e' 251 * rather than a complete ACL, and returns ISC_TRUE iff it matched. 252 * 253 * To determine whether the match was positive or negative, the 254 * caller should examine e->negative. Since the element 'e' may be 255 * a reference to a named ACL or a nested ACL, a matching element 256 * returned through 'matchelt' is not necessarily 'e' itself. 257 */ 258 259 ISC_LANG_ENDDECLS 260 261 #endif /* DNS_ACL_H */ 262