xref: /freebsd/contrib/unbound/daemon/acl_list.c (revision 5b9c547c) 
1 /*
2  * daemon/acl_list.h - client access control storage for the server.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file helps the server keep out queries from outside sources, that
40  * should not be answered.
41  */
42 #include "config.h"
43 #include "daemon/acl_list.h"
44 #include "util/regional.h"
45 #include "util/log.h"
46 #include "util/config_file.h"
47 #include "util/net_help.h"
48 
49 struct acl_list*
50 acl_list_create(void)
51 {
52 	struct acl_list* acl = (struct acl_list*)calloc(1,
53 		sizeof(struct acl_list));
54 	if(!acl)
55 		return NULL;
56 	acl->region = regional_create();
57 	if(!acl->region) {
58 		acl_list_delete(acl);
59 		return NULL;
60 	}
61 	return acl;
62 }
63 
64 void
65 acl_list_delete(struct acl_list* acl)
66 {
67 	if(!acl)
68 		return;
69 	regional_destroy(acl->region);
70 	free(acl);
71 }
72 
73 /** insert new address into acl_list structure */
74 static int
75 acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
76 	socklen_t addrlen, int net, enum acl_access control,
77 	int complain_duplicates)
78 {
79 	struct acl_addr* node = regional_alloc(acl->region,
80 		sizeof(struct acl_addr));
81 	if(!node)
82 		return 0;
83 	node->control = control;
84 	if(!addr_tree_insert(&acl->tree, &node->node, addr, addrlen, net)) {
85 		if(complain_duplicates)
86 			verbose(VERB_QUERY, "duplicate acl address ignored.");
87 	}
88 	return 1;
89 }
90 
91 /** apply acl_list string */
92 static int
93 acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
94 	int complain_duplicates)
95 {
96 	struct sockaddr_storage addr;
97 	int net;
98 	socklen_t addrlen;
99 	enum acl_access control;
100 	if(strcmp(s2, "allow") == 0)
101 		control = acl_allow;
102 	else if(strcmp(s2, "deny") == 0)
103 		control = acl_deny;
104 	else if(strcmp(s2, "refuse") == 0)
105 		control = acl_refuse;
106 	else if(strcmp(s2, "deny_non_local") == 0)
107 		control = acl_deny_non_local;
108 	else if(strcmp(s2, "refuse_non_local") == 0)
109 		control = acl_refuse_non_local;
110 	else if(strcmp(s2, "allow_snoop") == 0)
111 		control = acl_allow_snoop;
112 	else {
113 		log_err("access control type %s unknown", str);
114 		return 0;
115 	}
116 	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
117 		log_err("cannot parse access control: %s %s", str, s2);
118 		return 0;
119 	}
120 	if(!acl_list_insert(acl, &addr, addrlen, net, control,
121 		complain_duplicates)) {
122 		log_err("out of memory");
123 		return 0;
124 	}
125 	return 1;
126 }
127 
128 /** read acl_list config */
129 static int
130 read_acl_list(struct acl_list* acl, struct config_file* cfg)
131 {
132 	struct config_str2list* p;
133 	for(p = cfg->acls; p; p = p->next) {
134 		log_assert(p->str && p->str2);
135 		if(!acl_list_str_cfg(acl, p->str, p->str2, 1))
136 			return 0;
137 	}
138 	return 1;
139 }
140 
141 int
142 acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
143 {
144 	regional_free_all(acl->region);
145 	addr_tree_init(&acl->tree);
146 	if(!read_acl_list(acl, cfg))
147 		return 0;
148 	/* insert defaults, with '0' to ignore them if they are duplicates */
149 	if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
150 		return 0;
151 	if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0))
152 		return 0;
153 	if(cfg->do_ip6) {
154 		if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0))
155 			return 0;
156 		if(!acl_list_str_cfg(acl, "::1", "allow", 0))
157 			return 0;
158 		if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0))
159 			return 0;
160 	}
161 	addr_tree_init_parents(&acl->tree);
162 	return 1;
163 }
164 
165 enum acl_access
166 acl_list_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
167         socklen_t addrlen)
168 {
169 	struct acl_addr* r = (struct acl_addr*)addr_tree_lookup(&acl->tree,
170 		addr, addrlen);
171 	if(r) return r->control;
172 	return acl_deny;
173 }
174 
175 size_t
176 acl_list_get_mem(struct acl_list* acl)
177 {
178 	if(!acl) return 0;
179 	return sizeof(*acl) + regional_get_mem(acl->region);
180 }
181