/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server.
 *
 * Entries are stored per netblock (see struct acl_addr) and carry the
 * access decision plus optional tag, local-zone-action and view data
 * attached to that netblock by the configuration.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
#include "services/view.h"
struct config_file;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 * acl_deny is 0, so a zero-initialized control field denies by default.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it (no reply is sent) */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping.
	 * Cache snooping (non-recursive queries answered from the cache)
	 * exposes what the cache holds; restrict this to trusted netblocks. */
	acl_allow_snoop,
	/** allow full access for recursion queries and set RD flag regardless of request */
	acl_allow_setrd
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation; the acl_addr entries are allocated here */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr, keyed by their addr_tree_node.
	 */
	rbtree_type tree;
};

/**
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree; must stay the first member so the tree
	 * node pointer and the acl_addr pointer coincide */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
	/** tag bitlist */
	uint8_t* taglist;
	/** length of the taglist (in bytes) */
	size_t taglen;
	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
	uint8_t* tag_actions;
	/** size of the tag_actions_array */
	size_t tag_actions_size;
	/** array per tagnumber, with per tag a list of rdata strings.
	 * NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1' */
	struct config_strlist** tag_datas;
	/** size of the tag_datas array */
	size_t tag_datas_size;
	/** view element, NULL if none */
	struct view* view;
};

/**
 * Create acl structure
 * @return new structure or NULL on error.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @param v: views structure
 * @return 0 on error. A 0 return means the ACL may be only partially
 *	populated; callers should not serve with it.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
	struct views* v);

/**
 * Lookup access control status for acl structure.
 * @param acl: the acl_addr entry (as returned by acl_addr_lookup).
 *	NOTE(review): behaviour for a NULL entry (no matching netblock) is
 *	decided in acl_list.c; confirm the default there is deny.
 * @return: what to do with message from this address.
 */
enum acl_access acl_get_control(struct acl_addr* acl);

/**
 * Lookup address to see its acl structure
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: acl structure from this address; presumably NULL when no
 *	configured netblock covers the address (confirm in acl_list.c).
 */
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
	socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

/**
 * Get string for acl access specification
 * @param acl: access type value
 * @return string naming the access type (const; not owned by the caller)
 */
const char* acl_access_to_str(enum acl_access acl);

/**
 * Log acl and addr for action. Useful for auditing which access decision
 * was applied to a client address.
 * @param action: description of the action being taken.
 * @param addr: client address.
 * @param addrlen: length of addr.
 * @param acl: access control decision that applies.
 * @param acladdr: matched acl entry; NOTE(review): confirm in acl_list.c
 *	whether NULL is accepted here when no netblock matched.
 */
void log_acl_action(const char* action, struct sockaddr_storage* addr,
	socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr);

#endif /* DAEMON_ACL_LIST_H */