1 /* 2 * daemon/acl_list.h - client access control storage for the server. 3 * 4 * Copyright (c) 2007, NLnet Labs. All rights reserved. 5 * 6 * This software is open source. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * Redistributions of source code must retain the above copyright notice, 13 * this list of conditions and the following disclaimer. 14 * 15 * Redistributions in binary form must reproduce the above copyright notice, 16 * this list of conditions and the following disclaimer in the documentation 17 * and/or other materials provided with the distribution. 18 * 19 * Neither the name of the NLNET LABS nor the names of its contributors may 20 * be used to endorse or promote products derived from this software without 21 * specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 26 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 27 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 34 */ 35 36 /** 37 * \file 38 * 39 * This file keeps track of the list of clients that are allowed to 40 * access the server. 41 */ 42 43 #ifndef DAEMON_ACL_LIST_H 44 #define DAEMON_ACL_LIST_H 45 #include "util/storage/dnstree.h" 46 #include "services/view.h" 47 struct config_file; 48 struct regional; 49 50 /** 51 * Enumeration of access control options for an address range. 52 * Allow or deny access. 53 */ 54 enum acl_access { 55 /** disallow any access whatsoever, drop it */ 56 acl_deny = 0, 57 /** disallow access, send a polite 'REFUSED' reply */ 58 acl_refuse, 59 /** disallow any access to zones that aren't local, drop it */ 60 acl_deny_non_local, 61 /** disallow access to zones that aren't local, 'REFUSED' reply */ 62 acl_refuse_non_local, 63 /** allow full access for recursion (+RD) queries */ 64 acl_allow, 65 /** allow full access for all queries, recursion and cache snooping */ 66 acl_allow_snoop, 67 /** allow full access for recursion queries and set RD flag regardless of request */ 68 acl_allow_setrd 69 }; 70 71 /** 72 * Access control storage structure 73 */ 74 struct acl_list { 75 /** regional for allocation */ 76 struct regional* region; 77 /** 78 * Tree of the addresses that are allowed/blocked. 79 * contents of type acl_addr. 80 */ 81 rbtree_type tree; 82 }; 83 84 /** 85 * 86 * An address span with access control information 87 */ 88 struct acl_addr { 89 /** node in address tree */ 90 struct addr_tree_node node; 91 /** access control on this netblock */ 92 enum acl_access control; 93 /** tag bitlist */ 94 uint8_t* taglist; 95 /** length of the taglist (in bytes) */ 96 size_t taglen; 97 /** array per tagnumber of localzonetype(in one byte). NULL if none. */ 98 uint8_t* tag_actions; 99 /** size of the tag_actions_array */ 100 size_t tag_actions_size; 101 /** array per tagnumber, with per tag a list of rdata strings. 102 * NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1' */ 103 struct config_strlist** tag_datas; 104 /** size of the tag_datas array */ 105 size_t tag_datas_size; 106 /* view element, NULL if none */ 107 struct view* view; 108 }; 109 110 /** 111 * Create acl structure 112 * @return new structure or NULL on error. 113 */ 114 struct acl_list* acl_list_create(void); 115 116 /** 117 * Delete acl structure. 118 * @param acl: to delete. 119 */ 120 void acl_list_delete(struct acl_list* acl); 121 122 /** 123 * Process access control config. 124 * @param acl: where to store. 125 * @param cfg: config options. 126 * @param v: views structure 127 * @return 0 on error. 128 */ 129 int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg, 130 struct views* v); 131 132 /** 133 * Lookup access control status for acl structure. 134 * @param acl: structure for acl storage. 135 * @return: what to do with message from this address. 136 */ 137 enum acl_access acl_get_control(struct acl_addr* acl); 138 139 /** 140 * Lookup address to see its acl structure 141 * @param acl: structure for address storage. 142 * @param addr: address to check 143 * @param addrlen: length of addr. 144 * @return: acl structure from this address. 145 */ 146 struct acl_addr* 147 acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr, 148 socklen_t addrlen); 149 150 /** 151 * Get memory used by acl structure. 152 * @param acl: structure for address storage. 153 * @return bytes in use. 154 */ 155 size_t acl_list_get_mem(struct acl_list* acl); 156 157 /* 158 * Get string for acl access specification 159 * @param acl: access type value 160 * @return string 161 */ 162 const char* acl_access_to_str(enum acl_access acl); 163 164 /* log acl and addr for action */ 165 void log_acl_action(const char* action, struct sockaddr_storage* addr, 166 socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr); 167 168 #endif /* DAEMON_ACL_LIST_H */ 169