1 /* 2 * options.c -- options functions. 3 * 4 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved. 5 * 6 * See LICENSE for the license. 7 * 8 */ 9 #include "config.h" 10 #include <string.h> 11 #include <stdio.h> 12 #include <sys/stat.h> 13 #include <errno.h> 14 #ifdef HAVE_IFADDRS_H 15 #include <ifaddrs.h> 16 #endif 17 #include "options.h" 18 #include "query.h" 19 #include "tsig.h" 20 #include "difffile.h" 21 #include "rrl.h" 22 #include "bitset.h" 23 24 #include "configparser.h" 25 config_parser_state_type* cfg_parser = 0; 26 extern FILE* c_in, *c_out; 27 int c_parse(void); 28 int c_lex(void); 29 int c_wrap(void); 30 int c_lex_destroy(void); 31 extern char* c_text; 32 33 static int 34 rbtree_strcmp(const void* p1, const void* p2) 35 { 36 if(p1 == NULL && p2 == NULL) return 0; 37 if(p1 == NULL) return -1; 38 if(p2 == NULL) return 1; 39 return strcmp((const char*)p1, (const char*)p2); 40 } 41 42 struct nsd_options* 43 nsd_options_create(region_type* region) 44 { 45 struct nsd_options* opt; 46 opt = (struct nsd_options*)region_alloc(region, sizeof( 47 struct nsd_options)); 48 opt->region = region; 49 opt->zone_options = rbtree_create(region, 50 (int (*)(const void *, const void *)) dname_compare); 51 opt->configfile = NULL; 52 opt->zonestatnames = rbtree_create(opt->region, rbtree_strcmp); 53 opt->patterns = rbtree_create(region, rbtree_strcmp); 54 opt->keys = rbtree_create(region, rbtree_strcmp); 55 opt->tls_auths = rbtree_create(region, rbtree_strcmp); 56 opt->ip_addresses = NULL; 57 opt->ip_transparent = 0; 58 opt->ip_freebind = 0; 59 opt->send_buffer_size = 0; 60 opt->receive_buffer_size = 0; 61 opt->debug_mode = 0; 62 opt->verbosity = 0; 63 opt->hide_version = 0; 64 opt->hide_identity = 0; 65 opt->drop_updates = 0; 66 opt->do_ip4 = 1; 67 opt->do_ip6 = 1; 68 opt->database = DBFILE; 69 opt->identity = 0; 70 opt->version = 0; 71 opt->nsid = 0; 72 opt->logfile = 0; 73 opt->log_only_syslog = 0; 74 opt->log_time_ascii = 1; 75 opt->round_robin = 0; /* also packet.h::round_robin */ 76 opt->minimal_responses = 1; /* also packet.h::minimal_responses */ 77 opt->confine_to_zone = 0; 78 opt->refuse_any = 1; 79 opt->server_count = 1; 80 opt->cpu_affinity = NULL; 81 opt->service_cpu_affinity = NULL; 82 opt->tcp_count = 100; 83 opt->tcp_reject_overflow = 0; 84 opt->tcp_query_count = 0; 85 opt->tcp_timeout = TCP_TIMEOUT; 86 opt->tcp_mss = 0; 87 opt->outgoing_tcp_mss = 0; 88 opt->ipv4_edns_size = EDNS_MAX_MESSAGE_LEN; 89 opt->ipv6_edns_size = EDNS_MAX_MESSAGE_LEN; 90 opt->pidfile = PIDFILE; 91 opt->port = UDP_PORT; 92 /* deprecated? opt->port = TCP_PORT; */ 93 opt->reuseport = 0; 94 opt->statistics = 0; 95 opt->chroot = 0; 96 opt->username = USER; 97 opt->zonesdir = ZONESDIR; 98 opt->xfrdfile = XFRDFILE; 99 opt->xfrdir = XFRDIR; 100 opt->zonelistfile = ZONELISTFILE; 101 #ifdef RATELIMIT 102 opt->rrl_size = RRL_BUCKETS; 103 opt->rrl_slip = RRL_SLIP; 104 opt->rrl_ipv4_prefix_length = RRL_IPV4_PREFIX_LENGTH; 105 opt->rrl_ipv6_prefix_length = RRL_IPV6_PREFIX_LENGTH; 106 # ifdef RATELIMIT_DEFAULT_OFF 107 opt->rrl_ratelimit = 0; 108 opt->rrl_whitelist_ratelimit = 0; 109 # else 110 opt->rrl_ratelimit = RRL_LIMIT/2; 111 opt->rrl_whitelist_ratelimit = RRL_WLIST_LIMIT/2; 112 # endif 113 #endif 114 #ifdef USE_DNSTAP 115 opt->dnstap_enable = 0; 116 opt->dnstap_socket_path = DNSTAP_SOCKET_PATH; 117 opt->dnstap_send_identity = 0; 118 opt->dnstap_send_version = 0; 119 opt->dnstap_identity = NULL; 120 opt->dnstap_version = NULL; 121 opt->dnstap_log_auth_query_messages = 0; 122 opt->dnstap_log_auth_response_messages = 0; 123 #endif 124 opt->zonefiles_check = 1; 125 if(opt->database == NULL || opt->database[0] == 0) 126 opt->zonefiles_write = ZONEFILES_WRITE_INTERVAL; 127 else opt->zonefiles_write = 0; 128 opt->xfrd_reload_timeout = 1; 129 opt->tls_service_key = NULL; 130 opt->tls_service_ocsp = NULL; 131 opt->tls_service_pem = NULL; 132 opt->tls_port = TLS_PORT; 133 opt->tls_cert_bundle = NULL; 134 opt->answer_cookie = 1; 135 opt->cookie_secret = NULL; 136 opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt"; 137 opt->control_enable = 0; 138 opt->control_interface = NULL; 139 opt->control_port = NSD_CONTROL_PORT; 140 opt->server_key_file = CONFIGDIR"/nsd_server.key"; 141 opt->server_cert_file = CONFIGDIR"/nsd_server.pem"; 142 opt->control_key_file = CONFIGDIR"/nsd_control.key"; 143 opt->control_cert_file = CONFIGDIR"/nsd_control.pem"; 144 return opt; 145 } 146 147 int 148 nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone) 149 { 150 /* create dname for lookup */ 151 const dname_type* dname = dname_parse(opt->region, zone->name); 152 if(!dname) 153 return 0; 154 zone->node.key = dname; 155 if(!rbtree_insert(opt->zone_options, (rbnode_type*)zone)) 156 return 0; 157 return 1; 158 } 159 160 int 161 nsd_options_insert_pattern(struct nsd_options* opt, 162 struct pattern_options* pat) 163 { 164 if(!pat->pname) 165 return 0; 166 pat->node.key = pat->pname; 167 if(!rbtree_insert(opt->patterns, (rbnode_type*)pat)) 168 return 0; 169 return 1; 170 } 171 172 void 173 warn_if_directory(const char* filetype, FILE* f, const char* fname) 174 { 175 if(fileno(f) != -1) { 176 struct stat st; 177 memset(&st, 0, sizeof(st)); 178 if(fstat(fileno(f), &st) != -1) { 179 if(S_ISDIR(st.st_mode)) { 180 log_msg(LOG_WARNING, "trying to read %s but it is a directory: %s", filetype, fname); 181 } 182 } 183 } 184 } 185 186 int 187 parse_options_file(struct nsd_options* opt, const char* file, 188 void (*err)(void*,const char*), void* err_arg) 189 { 190 FILE *in = 0; 191 struct pattern_options* pat; 192 struct acl_options* acl; 193 194 if(!cfg_parser) { 195 cfg_parser = (config_parser_state_type*)region_alloc( 196 opt->region, sizeof(config_parser_state_type)); 197 cfg_parser->chroot = 0; 198 } 199 cfg_parser->err = err; 200 cfg_parser->err_arg = err_arg; 201 cfg_parser->filename = (char*)file; 202 cfg_parser->line = 1; 203 cfg_parser->errors = 0; 204 cfg_parser->opt = opt; 205 cfg_parser->pattern = NULL; 206 cfg_parser->zone = NULL; 207 cfg_parser->key = NULL; 208 cfg_parser->tls_auth = NULL; 209 210 in = fopen(cfg_parser->filename, "r"); 211 if(!in) { 212 if(err) { 213 char m[MAXSYSLOGMSGLEN]; 214 snprintf(m, sizeof(m), "Could not open %s: %s\n", 215 file, strerror(errno)); 216 err(err_arg, m); 217 } else { 218 fprintf(stderr, "Could not open %s: %s\n", 219 file, strerror(errno)); 220 } 221 return 0; 222 } 223 warn_if_directory("configfile", in, file); 224 c_in = in; 225 c_parse(); 226 fclose(in); 227 228 opt->configfile = region_strdup(opt->region, file); 229 230 RBTREE_FOR(pat, struct pattern_options*, opt->patterns) 231 { 232 /* lookup keys for acls */ 233 for(acl=pat->allow_notify; acl; acl=acl->next) 234 { 235 if(acl->nokey || acl->blocked) 236 continue; 237 acl->key_options = key_options_find(opt, acl->key_name); 238 if(!acl->key_options) 239 c_error("key %s in pattern %s could not be found", 240 acl->key_name, pat->pname); 241 } 242 for(acl=pat->notify; acl; acl=acl->next) 243 { 244 if(acl->nokey || acl->blocked) 245 continue; 246 acl->key_options = key_options_find(opt, acl->key_name); 247 if(!acl->key_options) 248 c_error("key %s in pattern %s could not be found", 249 acl->key_name, pat->pname); 250 } 251 for(acl=pat->request_xfr; acl; acl=acl->next) 252 { 253 /* Find tls_auth */ 254 if (!acl->tls_auth_name) 255 ; /* pass */ 256 else if (!(acl->tls_auth_options = 257 tls_auth_options_find(opt, acl->tls_auth_name))) 258 c_error("tls_auth %s in pattern %s could not be found", 259 acl->tls_auth_name, pat->pname); 260 /* Find key */ 261 if(acl->nokey || acl->blocked) 262 continue; 263 acl->key_options = key_options_find(opt, acl->key_name); 264 if(!acl->key_options) 265 c_error("key %s in pattern %s could not be found", 266 acl->key_name, pat->pname); 267 } 268 for(acl=pat->provide_xfr; acl; acl=acl->next) 269 { 270 if(acl->nokey || acl->blocked) 271 continue; 272 acl->key_options = key_options_find(opt, acl->key_name); 273 if(!acl->key_options) 274 c_error("key %s in pattern %s could not be found", 275 acl->key_name, pat->pname); 276 } 277 for(acl=pat->allow_query; acl; acl=acl->next) 278 { 279 if(acl->nokey || acl->blocked) 280 continue; 281 acl->key_options = key_options_find(opt, acl->key_name); 282 if(!acl->key_options) 283 c_error("key %s in pattern %s could not be found", 284 acl->key_name, pat->pname); 285 } 286 } 287 288 if(cfg_parser->errors > 0) 289 { 290 if(err) { 291 char m[MAXSYSLOGMSGLEN]; 292 snprintf(m, sizeof(m), "read %s failed: %d errors in " 293 "configuration file\n", file, 294 cfg_parser->errors); 295 err(err_arg, m); 296 } else { 297 fprintf(stderr, "read %s failed: %d errors in " 298 "configuration file\n", file, 299 cfg_parser->errors); 300 } 301 return 0; 302 } 303 return 1; 304 } 305 306 void options_zonestatnames_create(struct nsd_options* opt) 307 { 308 struct zone_options* zopt; 309 /* allocate "" as zonestat 0, for zones without a zonestat */ 310 if(!rbtree_search(opt->zonestatnames, "")) { 311 struct zonestatname* n; 312 n = (struct zonestatname*)region_alloc_zero(opt->region, 313 sizeof(*n)); 314 n->node.key = region_strdup(opt->region, ""); 315 if(!n->node.key) { 316 log_msg(LOG_ERR, "malloc failed: %s", strerror(errno)); 317 exit(1); 318 } 319 n->id = (unsigned)(opt->zonestatnames->count); 320 rbtree_insert(opt->zonestatnames, (rbnode_type*)n); 321 } 322 RBTREE_FOR(zopt, struct zone_options*, opt->zone_options) { 323 /* insert into tree, so that when read in later id exists */ 324 (void)getzonestatid(opt, zopt); 325 } 326 } 327 328 #define ZONELIST_HEADER "# NSD zone list\n# name pattern\n" 329 static int 330 comp_zonebucket(const void* a, const void* b) 331 { 332 /* the line size is much smaller than max-int, and positive, 333 * so the subtraction works */ 334 return *(const int*)b - *(const int*)a; 335 } 336 337 /* insert free entry into zonelist free buckets */ 338 static void 339 zone_list_free_insert(struct nsd_options* opt, int linesize, off_t off) 340 { 341 struct zonelist_free* e; 342 struct zonelist_bucket* b = (struct zonelist_bucket*)rbtree_search( 343 opt->zonefree, &linesize); 344 if(!b) { 345 b = region_alloc_zero(opt->region, sizeof(*b)); 346 b->linesize = linesize; 347 b->node = *RBTREE_NULL; 348 b->node.key = &b->linesize; 349 rbtree_insert(opt->zonefree, &b->node); 350 } 351 e = (struct zonelist_free*)region_alloc_zero(opt->region, sizeof(*e)); 352 e->next = b->list; 353 b->list = e; 354 e->off = off; 355 opt->zonefree_number++; 356 } 357 358 struct zone_options* 359 zone_list_zone_insert(struct nsd_options* opt, const char* nm, 360 const char* patnm, int linesize, off_t off) 361 { 362 struct pattern_options* pat = pattern_options_find(opt, patnm); 363 struct zone_options* zone; 364 if(!pat) { 365 log_msg(LOG_ERR, "pattern does not exist for zone %s " 366 "pattern %s", nm, patnm); 367 return NULL; 368 } 369 zone = zone_options_create(opt->region); 370 zone->part_of_config = 0; 371 zone->name = region_strdup(opt->region, nm); 372 zone->linesize = linesize; 373 zone->off = off; 374 zone->pattern = pat; 375 if(!nsd_options_insert_zone(opt, zone)) { 376 log_msg(LOG_ERR, "bad domain name or duplicate zone '%s' " 377 "pattern %s", nm, patnm); 378 region_recycle(opt->region, (void*)zone->name, strlen(nm)+1); 379 region_recycle(opt->region, zone, sizeof(*zone)); 380 return NULL; 381 } 382 return zone; 383 } 384 385 int 386 parse_zone_list_file(struct nsd_options* opt) 387 { 388 /* zonelist looks like this: 389 # name pattern 390 add example.com master 391 del example.net slave 392 add foo.bar.nl slave 393 add rutabaga.uk config 394 */ 395 char hdr[64]; 396 char buf[1024]; 397 398 /* create empty data structures */ 399 opt->zonefree = rbtree_create(opt->region, comp_zonebucket); 400 opt->zonelist = NULL; 401 opt->zonefree_number = 0; 402 opt->zonelist_off = 0; 403 404 /* try to open the zonelist file, an empty or nonexist file is OK */ 405 opt->zonelist = fopen(opt->zonelistfile, "r+"); 406 if(!opt->zonelist) { 407 if(errno == ENOENT) 408 return 1; /* file does not exist, it is created later */ 409 log_msg(LOG_ERR, "could not open zone list %s: %s", opt->zonelistfile, 410 strerror(errno)); 411 return 0; 412 } 413 /* read header */ 414 hdr[strlen(ZONELIST_HEADER)] = 0; 415 if(fread(hdr, 1, strlen(ZONELIST_HEADER), opt->zonelist) != 416 strlen(ZONELIST_HEADER) || strncmp(hdr, ZONELIST_HEADER, 417 strlen(ZONELIST_HEADER)) != 0) { 418 log_msg(LOG_ERR, "zone list %s contains bad header\n", opt->zonelistfile); 419 fclose(opt->zonelist); 420 opt->zonelist = NULL; 421 return 0; 422 } 423 buf[sizeof(buf)-1]=0; 424 425 /* read entries in file */ 426 while(fgets(buf, sizeof(buf), opt->zonelist)) { 427 /* skip comments and empty lines */ 428 if(buf[0] == 0 || buf[0] == '\n' || buf[0] == '#') 429 continue; 430 if(strncmp(buf, "add ", 4) == 0) { 431 int linesize = strlen(buf); 432 /* parse the 'add' line */ 433 /* pick last space on the line, so that the domain 434 * name can have a space in it (but not the pattern)*/ 435 char* space = strrchr(buf+4, ' '); 436 char* nm, *patnm; 437 if(!space) { 438 /* parse error */ 439 log_msg(LOG_ERR, "parse error in %s: '%s'", 440 opt->zonelistfile, buf); 441 continue; 442 } 443 nm = buf+4; 444 *space = 0; 445 patnm = space+1; 446 if(linesize && buf[linesize-1] == '\n') 447 buf[linesize-1] = 0; 448 449 /* store offset and line size for zone entry */ 450 /* and create zone entry in zonetree */ 451 (void)zone_list_zone_insert(opt, nm, patnm, linesize, 452 ftello(opt->zonelist)-linesize); 453 } else if(strncmp(buf, "del ", 4) == 0) { 454 /* store offset and line size for deleted entry */ 455 int linesize = strlen(buf); 456 zone_list_free_insert(opt, linesize, 457 ftello(opt->zonelist)-linesize); 458 } else { 459 log_msg(LOG_WARNING, "bad data in %s, '%s'", opt->zonelistfile, 460 buf); 461 } 462 } 463 /* store EOF offset */ 464 opt->zonelist_off = ftello(opt->zonelist); 465 return 1; 466 } 467 468 void 469 zone_options_delete(struct nsd_options* opt, struct zone_options* zone) 470 { 471 rbtree_delete(opt->zone_options, zone->node.key); 472 region_recycle(opt->region, (void*)zone->node.key, dname_total_size( 473 (dname_type*)zone->node.key)); 474 region_recycle(opt->region, zone, sizeof(*zone)); 475 } 476 477 /* add a new zone to the zonelist */ 478 struct zone_options* 479 zone_list_add(struct nsd_options* opt, const char* zname, const char* pname) 480 { 481 int r; 482 struct zonelist_free* e; 483 struct zonelist_bucket* b; 484 int linesize = 6 + strlen(zname) + strlen(pname); 485 /* create zone entry */ 486 struct zone_options* zone = zone_list_zone_insert(opt, zname, pname, 487 linesize, 0); 488 if(!zone) 489 return NULL; 490 491 /* use free entry or append to file or create new file */ 492 if(!opt->zonelist || opt->zonelist_off == 0) { 493 /* create new file */ 494 if(opt->zonelist) fclose(opt->zonelist); 495 opt->zonelist = fopen(opt->zonelistfile, "w+"); 496 if(!opt->zonelist) { 497 log_msg(LOG_ERR, "could not create zone list %s: %s", 498 opt->zonelistfile, strerror(errno)); 499 log_msg(LOG_ERR, "zone %s could not be added", zname); 500 zone_options_delete(opt, zone); 501 return NULL; 502 } 503 r = fprintf(opt->zonelist, ZONELIST_HEADER); 504 if(r != strlen(ZONELIST_HEADER)) { 505 if(r == -1) 506 log_msg(LOG_ERR, "could not write to %s: %s", 507 opt->zonelistfile, strerror(errno)); 508 else log_msg(LOG_ERR, "partial write to %s: disk full", 509 opt->zonelistfile); 510 log_msg(LOG_ERR, "zone %s could not be added", zname); 511 zone_options_delete(opt, zone); 512 return NULL; 513 } 514 zone->off = ftello(opt->zonelist); 515 if(zone->off == -1) 516 log_msg(LOG_ERR, "ftello(%s): %s", opt->zonelistfile, strerror(errno)); 517 r = fprintf(opt->zonelist, "add %s %s\n", zname, pname); 518 if(r != zone->linesize) { 519 if(r == -1) 520 log_msg(LOG_ERR, "could not write to %s: %s", 521 opt->zonelistfile, strerror(errno)); 522 else log_msg(LOG_ERR, "partial write to %s: disk full", 523 opt->zonelistfile); 524 log_msg(LOG_ERR, "zone %s could not be added", zname); 525 zone_options_delete(opt, zone); 526 return NULL; 527 } 528 opt->zonelist_off = ftello(opt->zonelist); 529 if(opt->zonelist_off == -1) 530 log_msg(LOG_ERR, "ftello(%s): %s", opt->zonelistfile, strerror(errno)); 531 if(fflush(opt->zonelist) != 0) { 532 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 533 } 534 return zone; 535 } 536 b = (struct zonelist_bucket*)rbtree_search(opt->zonefree, 537 &zone->linesize); 538 if(!b || b->list == NULL) { 539 /* no empty place, append to file */ 540 zone->off = opt->zonelist_off; 541 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 542 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 543 log_msg(LOG_ERR, "zone %s could not be added", zname); 544 zone_options_delete(opt, zone); 545 return NULL; 546 } 547 r = fprintf(opt->zonelist, "add %s %s\n", zname, pname); 548 if(r != zone->linesize) { 549 if(r == -1) 550 log_msg(LOG_ERR, "could not write to %s: %s", 551 opt->zonelistfile, strerror(errno)); 552 else log_msg(LOG_ERR, "partial write to %s: disk full", 553 opt->zonelistfile); 554 log_msg(LOG_ERR, "zone %s could not be added", zname); 555 zone_options_delete(opt, zone); 556 return NULL; 557 } 558 opt->zonelist_off += linesize; 559 if(fflush(opt->zonelist) != 0) { 560 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 561 } 562 return zone; 563 } 564 /* reuse empty spot */ 565 e = b->list; 566 zone->off = e->off; 567 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 568 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 569 log_msg(LOG_ERR, "zone %s could not be added", zname); 570 zone_options_delete(opt, zone); 571 return NULL; 572 } 573 r = fprintf(opt->zonelist, "add %s %s\n", zname, pname); 574 if(r != zone->linesize) { 575 if(r == -1) 576 log_msg(LOG_ERR, "could not write to %s: %s", 577 opt->zonelistfile, strerror(errno)); 578 else log_msg(LOG_ERR, "partial write to %s: disk full", 579 opt->zonelistfile); 580 log_msg(LOG_ERR, "zone %s could not be added", zname); 581 zone_options_delete(opt, zone); 582 return NULL; 583 } 584 if(fflush(opt->zonelist) != 0) { 585 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 586 } 587 588 /* snip off and recycle element */ 589 b->list = e->next; 590 region_recycle(opt->region, e, sizeof(*e)); 591 if(b->list == NULL) { 592 rbtree_delete(opt->zonefree, &b->linesize); 593 region_recycle(opt->region, b, sizeof(*b)); 594 } 595 opt->zonefree_number--; 596 return zone; 597 } 598 599 /* remove a zone on the zonelist */ 600 void 601 zone_list_del(struct nsd_options* opt, struct zone_options* zone) 602 { 603 /* put its space onto the free entry */ 604 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 605 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 606 return; 607 } 608 fprintf(opt->zonelist, "del"); 609 zone_list_free_insert(opt, zone->linesize, zone->off); 610 611 /* remove zone_options */ 612 zone_options_delete(opt, zone); 613 614 /* see if we need to compact: it is going to halve the zonelist */ 615 if(opt->zonefree_number > opt->zone_options->count) { 616 zone_list_compact(opt); 617 } else { 618 if(fflush(opt->zonelist) != 0) { 619 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 620 } 621 } 622 } 623 /* postorder delete of zonelist free space tree */ 624 static void 625 delbucket(region_type* region, struct zonelist_bucket* b) 626 { 627 struct zonelist_free* e, *f; 628 if(!b || (rbnode_type*)b==RBTREE_NULL) 629 return; 630 delbucket(region, (struct zonelist_bucket*)b->node.left); 631 delbucket(region, (struct zonelist_bucket*)b->node.right); 632 e = b->list; 633 while(e) { 634 f = e->next; 635 region_recycle(region, e, sizeof(*e)); 636 e = f; 637 } 638 region_recycle(region, b, sizeof(*b)); 639 } 640 641 /* compact zonelist file */ 642 void 643 zone_list_compact(struct nsd_options* opt) 644 { 645 char outname[1024]; 646 FILE* out; 647 struct zone_options* zone; 648 off_t off; 649 int r; 650 snprintf(outname, sizeof(outname), "%s~", opt->zonelistfile); 651 /* useful, when : count-of-free > count-of-used */ 652 /* write zonelist to zonelist~ */ 653 out = fopen(outname, "w+"); 654 if(!out) { 655 log_msg(LOG_ERR, "could not open %s: %s", outname, strerror(errno)); 656 return; 657 } 658 r = fprintf(out, ZONELIST_HEADER); 659 if(r == -1) { 660 log_msg(LOG_ERR, "write %s failed: %s", outname, 661 strerror(errno)); 662 fclose(out); 663 return; 664 } else if(r != strlen(ZONELIST_HEADER)) { 665 log_msg(LOG_ERR, "write %s was partial: disk full", 666 outname); 667 fclose(out); 668 return; 669 } 670 off = ftello(out); 671 if(off == -1) { 672 log_msg(LOG_ERR, "ftello(%s): %s", outname, strerror(errno)); 673 fclose(out); 674 return; 675 } 676 RBTREE_FOR(zone, struct zone_options*, opt->zone_options) { 677 if(zone->part_of_config) 678 continue; 679 r = fprintf(out, "add %s %s\n", zone->name, 680 zone->pattern->pname); 681 if(r < 0) { 682 log_msg(LOG_ERR, "write %s failed: %s", outname, 683 strerror(errno)); 684 fclose(out); 685 return; 686 } else if(r != zone->linesize) { 687 log_msg(LOG_ERR, "write %s was partial: disk full", 688 outname); 689 fclose(out); 690 return; 691 } 692 } 693 if(fflush(out) != 0) { 694 log_msg(LOG_ERR, "fflush %s: %s", outname, strerror(errno)); 695 } 696 697 /* rename zonelist~ onto zonelist */ 698 if(rename(outname, opt->zonelistfile) == -1) { 699 log_msg(LOG_ERR, "rename(%s to %s) failed: %s", 700 outname, opt->zonelistfile, strerror(errno)); 701 fclose(out); 702 return; 703 } 704 fclose(opt->zonelist); 705 /* set offsets */ 706 RBTREE_FOR(zone, struct zone_options*, opt->zone_options) { 707 if(zone->part_of_config) 708 continue; 709 zone->off = off; 710 off += zone->linesize; 711 } 712 /* empty the free tree */ 713 delbucket(opt->region, (struct zonelist_bucket*)opt->zonefree->root); 714 opt->zonefree->root = RBTREE_NULL; 715 opt->zonefree->count = 0; 716 opt->zonefree_number = 0; 717 /* finish */ 718 opt->zonelist = out; 719 opt->zonelist_off = off; 720 } 721 722 /* close zonelist file */ 723 void 724 zone_list_close(struct nsd_options* opt) 725 { 726 if(opt->zonelist) { 727 fclose(opt->zonelist); 728 opt->zonelist = NULL; 729 } 730 } 731 732 static void 733 c_error_va_list_pos(int showpos, const char* fmt, va_list args) 734 { 735 char* at = NULL; 736 cfg_parser->errors++; 737 if(showpos && c_text && c_text[0]!=0) { 738 at = c_text; 739 } 740 if(cfg_parser->err) { 741 char m[MAXSYSLOGMSGLEN]; 742 snprintf(m, sizeof(m), "%s:%d: ", cfg_parser->filename, 743 cfg_parser->line); 744 (*cfg_parser->err)(cfg_parser->err_arg, m); 745 if(at) { 746 snprintf(m, sizeof(m), "at '%s': ", at); 747 (*cfg_parser->err)(cfg_parser->err_arg, m); 748 } 749 (*cfg_parser->err)(cfg_parser->err_arg, "error: "); 750 vsnprintf(m, sizeof(m), fmt, args); 751 (*cfg_parser->err)(cfg_parser->err_arg, m); 752 (*cfg_parser->err)(cfg_parser->err_arg, "\n"); 753 return; 754 } 755 fprintf(stderr, "%s:%d: ", cfg_parser->filename, cfg_parser->line); 756 if(at) fprintf(stderr, "at '%s': ", at); 757 fprintf(stderr, "error: "); 758 vfprintf(stderr, fmt, args); 759 fprintf(stderr, "\n"); 760 } 761 762 void 763 c_error(const char *fmt, ...) 764 { 765 va_list ap; 766 int showpos = 0; 767 768 if (strcmp(fmt, "syntax error") == 0 || strcmp(fmt, "parse error") == 0) { 769 showpos = 1; 770 } 771 772 va_start(ap, fmt); 773 c_error_va_list_pos(showpos, fmt, ap); 774 va_end(ap); 775 } 776 777 int 778 c_wrap(void) 779 { 780 return 1; 781 } 782 783 struct zone_options* 784 zone_options_create(region_type* region) 785 { 786 struct zone_options* zone; 787 zone = (struct zone_options*)region_alloc(region, sizeof( 788 struct zone_options)); 789 zone->node = *RBTREE_NULL; 790 zone->name = 0; 791 zone->pattern = 0; 792 zone->part_of_config = 0; 793 return zone; 794 } 795 796 /* true is booleans are the same truth value */ 797 #define booleq(x,y) ( ((x) && (y)) || (!(x) && !(y)) ) 798 799 /* true is min_expire_time_expr has either an equal known value 800 * or none of these known values but booleanally equal 801 */ 802 #define expire_expr_eq(x,y) ( ( (x) == REFRESHPLUSRETRYPLUS1 \ 803 && (y) == REFRESHPLUSRETRYPLUS1 ) \ 804 || ( (x) != REFRESHPLUSRETRYPLUS1 \ 805 && (y) != REFRESHPLUSRETRYPLUS1 \ 806 && booleq((x), (y)))) 807 808 809 int 810 acl_equal(struct acl_options* p, struct acl_options* q) 811 { 812 if(!booleq(p->use_axfr_only, q->use_axfr_only)) return 0; 813 if(!booleq(p->allow_udp, q->allow_udp)) return 0; 814 if(strcmp(p->ip_address_spec, q->ip_address_spec)!=0) return 0; 815 /* the ip6, port, addr, mask, type: are derived from the ip_address_spec */ 816 if(!booleq(p->nokey, q->nokey)) return 0; 817 if(!booleq(p->blocked, q->blocked)) return 0; 818 if(p->key_name && q->key_name) { 819 if(strcmp(p->key_name, q->key_name)!=0) return 0; 820 } else if(p->key_name && !q->key_name) return 0; 821 else if(!p->key_name && q->key_name) return 0; 822 /* key_options is derived from key_name */ 823 if(p->tls_auth_name && q->tls_auth_name) { 824 if(strcmp(p->tls_auth_name, q->tls_auth_name)!=0) return 0; 825 } else if(p->tls_auth_name && !q->tls_auth_name) return 0; 826 else if(!p->tls_auth_name && q->tls_auth_name) return 0; 827 /* tls_auth_options is derived from tls_auth_name */ 828 return 1; 829 } 830 831 int 832 acl_list_equal(struct acl_options* p, struct acl_options* q) 833 { 834 /* must be same and in same order */ 835 while(p && q) { 836 if(!acl_equal(p, q)) 837 return 0; 838 p = p->next; 839 q = q->next; 840 } 841 if(!p && !q) return 1; 842 /* different lengths */ 843 return 0; 844 } 845 846 struct pattern_options* 847 pattern_options_create(region_type* region) 848 { 849 struct pattern_options* p; 850 p = (struct pattern_options*)region_alloc(region, sizeof( 851 struct pattern_options)); 852 p->node = *RBTREE_NULL; 853 p->pname = 0; 854 p->zonefile = 0; 855 p->zonestats = 0; 856 p->allow_notify = 0; 857 p->request_xfr = 0; 858 p->size_limit_xfr = 0; 859 p->notify = 0; 860 p->provide_xfr = 0; 861 p->allow_query = 0; 862 p->outgoing_interface = 0; 863 p->notify_retry = 5; 864 p->notify_retry_is_default = 1; 865 p->allow_axfr_fallback = 1; 866 p->allow_axfr_fallback_is_default = 1; 867 p->implicit = 0; 868 p->xfrd_flags = 0; 869 p->max_refresh_time = 2419200; /* 4 weeks */ 870 p->max_refresh_time_is_default = 1; 871 p->min_refresh_time = 0; 872 p->min_refresh_time_is_default = 1; 873 p->max_retry_time = 1209600; /* 2 weeks */ 874 p->max_retry_time_is_default = 1; 875 p->min_retry_time = 0; 876 p->min_retry_time_is_default = 1; 877 p->min_expire_time = 0; 878 p->min_expire_time_expr = EXPIRE_TIME_IS_DEFAULT; 879 #ifdef RATELIMIT 880 p->rrl_whitelist = 0; 881 #endif 882 p->multi_master_check = 0; 883 return p; 884 } 885 886 static void 887 acl_delete(region_type* region, struct acl_options* acl) 888 { 889 if(acl->ip_address_spec) 890 region_recycle(region, (void*)acl->ip_address_spec, 891 strlen(acl->ip_address_spec)+1); 892 if(acl->key_name) 893 region_recycle(region, (void*)acl->key_name, 894 strlen(acl->key_name)+1); 895 if(acl->tls_auth_name) 896 region_recycle(region, (void*)acl->tls_auth_name, 897 strlen(acl->tls_auth_name)+1); 898 /* key_options is a convenience pointer, not owned by the acl */ 899 region_recycle(region, acl, sizeof(*acl)); 900 } 901 902 static void 903 acl_list_delete(region_type* region, struct acl_options* list) 904 { 905 struct acl_options* n; 906 while(list) { 907 n = list->next; 908 acl_delete(region, list); 909 list = n; 910 } 911 } 912 913 void 914 pattern_options_remove(struct nsd_options* opt, const char* name) 915 { 916 struct pattern_options* p = (struct pattern_options*)rbtree_delete( 917 opt->patterns, name); 918 /* delete p and its contents */ 919 if (!p) 920 return; 921 if(p->pname) 922 region_recycle(opt->region, (void*)p->pname, 923 strlen(p->pname)+1); 924 if(p->zonefile) 925 region_recycle(opt->region, (void*)p->zonefile, 926 strlen(p->zonefile)+1); 927 if(p->zonestats) 928 region_recycle(opt->region, (void*)p->zonestats, 929 strlen(p->zonestats)+1); 930 acl_list_delete(opt->region, p->allow_notify); 931 acl_list_delete(opt->region, p->request_xfr); 932 acl_list_delete(opt->region, p->notify); 933 acl_list_delete(opt->region, p->provide_xfr); 934 acl_list_delete(opt->region, p->allow_query); 935 acl_list_delete(opt->region, p->outgoing_interface); 936 937 region_recycle(opt->region, p, sizeof(struct pattern_options)); 938 } 939 940 static struct acl_options* 941 copy_acl(region_type* region, struct acl_options* a) 942 { 943 struct acl_options* b; 944 if(!a) return NULL; 945 b = (struct acl_options*)region_alloc(region, sizeof(*b)); 946 /* copy the whole lot */ 947 *b = *a; 948 /* fix the pointers */ 949 if(a->ip_address_spec) 950 b->ip_address_spec = region_strdup(region, a->ip_address_spec); 951 if(a->key_name) 952 b->key_name = region_strdup(region, a->key_name); 953 if(a->tls_auth_name) 954 b->tls_auth_name = region_strdup(region, a->tls_auth_name); 955 b->next = NULL; 956 b->key_options = NULL; 957 b->tls_auth_options = NULL; 958 return b; 959 } 960 961 static struct acl_options* 962 copy_acl_list(struct nsd_options* opt, struct acl_options* a) 963 { 964 struct acl_options* b, *blast = NULL, *blist = NULL; 965 while(a) { 966 b = copy_acl(opt->region, a); 967 /* fixup key_options */ 968 if(b->key_name) 969 b->key_options = key_options_find(opt, b->key_name); 970 else b->key_options = NULL; 971 /* fixup tls_auth_options */ 972 if(b->tls_auth_name) 973 b->tls_auth_options = tls_auth_options_find(opt, b->tls_auth_name); 974 else b->tls_auth_options = NULL; 975 976 /* link as last into list */ 977 b->next = NULL; 978 if(!blist) blist = b; 979 else blast->next = b; 980 blast = b; 981 982 a = a->next; 983 } 984 return blist; 985 } 986 987 static void 988 copy_changed_acl(struct nsd_options* opt, struct acl_options** orig, 989 struct acl_options* anew) 990 { 991 if(!acl_list_equal(*orig, anew)) { 992 acl_list_delete(opt->region, *orig); 993 *orig = copy_acl_list(opt, anew); 994 } 995 } 996 997 static void 998 copy_pat_fixed(region_type* region, struct pattern_options* orig, 999 struct pattern_options* p) 1000 { 1001 orig->allow_axfr_fallback = p->allow_axfr_fallback; 1002 orig->allow_axfr_fallback_is_default = 1003 p->allow_axfr_fallback_is_default; 1004 orig->notify_retry = p->notify_retry; 1005 orig->notify_retry_is_default = p->notify_retry_is_default; 1006 orig->implicit = p->implicit; 1007 if(p->zonefile) 1008 orig->zonefile = region_strdup(region, p->zonefile); 1009 else orig->zonefile = NULL; 1010 if(p->zonestats) 1011 orig->zonestats = region_strdup(region, p->zonestats); 1012 else orig->zonestats = NULL; 1013 orig->max_refresh_time = p->max_refresh_time; 1014 orig->max_refresh_time_is_default = p->max_refresh_time_is_default; 1015 orig->min_refresh_time = p->min_refresh_time; 1016 orig->min_refresh_time_is_default = p->min_refresh_time_is_default; 1017 orig->max_retry_time = p->max_retry_time; 1018 orig->max_retry_time_is_default = p->max_retry_time_is_default; 1019 orig->min_retry_time = p->min_retry_time; 1020 orig->min_retry_time_is_default = p->min_retry_time_is_default; 1021 orig->min_expire_time = p->min_expire_time; 1022 orig->min_expire_time_expr = p->min_expire_time_expr; 1023 #ifdef RATELIMIT 1024 orig->rrl_whitelist = p->rrl_whitelist; 1025 #endif 1026 orig->multi_master_check = p->multi_master_check; 1027 } 1028 1029 void 1030 pattern_options_add_modify(struct nsd_options* opt, struct pattern_options* p) 1031 { 1032 struct pattern_options* orig = pattern_options_find(opt, p->pname); 1033 if(!orig) { 1034 /* needs to be copied to opt region */ 1035 orig = pattern_options_create(opt->region); 1036 orig->pname = region_strdup(opt->region, p->pname); 1037 copy_pat_fixed(opt->region, orig, p); 1038 orig->allow_notify = copy_acl_list(opt, p->allow_notify); 1039 orig->request_xfr = copy_acl_list(opt, p->request_xfr); 1040 orig->notify = copy_acl_list(opt, p->notify); 1041 orig->provide_xfr = copy_acl_list(opt, p->provide_xfr); 1042 orig->allow_query = copy_acl_list(opt, p->allow_query); 1043 orig->outgoing_interface = copy_acl_list(opt, 1044 p->outgoing_interface); 1045 nsd_options_insert_pattern(opt, orig); 1046 } else { 1047 /* modify in place so pointers stay valid (and copy 1048 into region). Do not touch unchanged acls. */ 1049 if(orig->zonefile) 1050 region_recycle(opt->region, (char*)orig->zonefile, 1051 strlen(orig->zonefile)+1); 1052 if(orig->zonestats) 1053 region_recycle(opt->region, (char*)orig->zonestats, 1054 strlen(orig->zonestats)+1); 1055 copy_pat_fixed(opt->region, orig, p); 1056 copy_changed_acl(opt, &orig->allow_notify, p->allow_notify); 1057 copy_changed_acl(opt, &orig->request_xfr, p->request_xfr); 1058 copy_changed_acl(opt, &orig->notify, p->notify); 1059 copy_changed_acl(opt, &orig->provide_xfr, p->provide_xfr); 1060 copy_changed_acl(opt, &orig->allow_query, p->allow_query); 1061 copy_changed_acl(opt, &orig->outgoing_interface, 1062 p->outgoing_interface); 1063 } 1064 } 1065 1066 struct pattern_options* 1067 pattern_options_find(struct nsd_options* opt, const char* name) 1068 { 1069 return (struct pattern_options*)rbtree_search(opt->patterns, name); 1070 } 1071 1072 int 1073 pattern_options_equal(struct pattern_options* p, struct pattern_options* q) 1074 { 1075 if(strcmp(p->pname, q->pname) != 0) return 0; 1076 if(!p->zonefile && q->zonefile) return 0; 1077 else if(p->zonefile && !q->zonefile) return 0; 1078 else if(p->zonefile && q->zonefile) { 1079 if(strcmp(p->zonefile, q->zonefile) != 0) return 0; 1080 } 1081 if(!p->zonestats && q->zonestats) return 0; 1082 else if(p->zonestats && !q->zonestats) return 0; 1083 else if(p->zonestats && q->zonestats) { 1084 if(strcmp(p->zonestats, q->zonestats) != 0) return 0; 1085 } 1086 if(!booleq(p->allow_axfr_fallback, q->allow_axfr_fallback)) return 0; 1087 if(!booleq(p->allow_axfr_fallback_is_default, 1088 q->allow_axfr_fallback_is_default)) return 0; 1089 if(p->notify_retry != q->notify_retry) return 0; 1090 if(!booleq(p->notify_retry_is_default, 1091 q->notify_retry_is_default)) return 0; 1092 if(!booleq(p->implicit, q->implicit)) return 0; 1093 if(!acl_list_equal(p->allow_notify, q->allow_notify)) return 0; 1094 if(!acl_list_equal(p->request_xfr, q->request_xfr)) return 0; 1095 if(!acl_list_equal(p->notify, q->notify)) return 0; 1096 if(!acl_list_equal(p->provide_xfr, q->provide_xfr)) return 0; 1097 if(!acl_list_equal(p->allow_query, q->allow_query)) return 0; 1098 if(!acl_list_equal(p->outgoing_interface, q->outgoing_interface)) 1099 return 0; 1100 if(p->max_refresh_time != q->max_refresh_time) return 0; 1101 if(!booleq(p->max_refresh_time_is_default, 1102 q->max_refresh_time_is_default)) return 0; 1103 if(p->min_refresh_time != q->min_refresh_time) return 0; 1104 if(!booleq(p->min_refresh_time_is_default, 1105 q->min_refresh_time_is_default)) return 0; 1106 if(p->max_retry_time != q->max_retry_time) return 0; 1107 if(!booleq(p->max_retry_time_is_default, 1108 q->max_retry_time_is_default)) return 0; 1109 if(p->min_retry_time != q->min_retry_time) return 0; 1110 if(!booleq(p->min_retry_time_is_default, 1111 q->min_retry_time_is_default)) return 0; 1112 if(p->min_expire_time != q->min_expire_time) return 0; 1113 if(!expire_expr_eq(p->min_expire_time_expr, 1114 q->min_expire_time_expr)) return 0; 1115 #ifdef RATELIMIT 1116 if(p->rrl_whitelist != q->rrl_whitelist) return 0; 1117 #endif 1118 if(!booleq(p->multi_master_check,q->multi_master_check)) return 0; 1119 if(p->size_limit_xfr != q->size_limit_xfr) return 0; 1120 return 1; 1121 } 1122 1123 static void 1124 marshal_u8(struct buffer* b, uint8_t v) 1125 { 1126 buffer_reserve(b, 1); 1127 buffer_write_u8(b, v); 1128 } 1129 1130 static uint8_t 1131 unmarshal_u8(struct buffer* b) 1132 { 1133 return buffer_read_u8(b); 1134 } 1135 1136 static void 1137 marshal_u64(struct buffer* b, uint64_t v) 1138 { 1139 buffer_reserve(b, 8); 1140 buffer_write_u64(b, v); 1141 } 1142 1143 static uint64_t 1144 unmarshal_u64(struct buffer* b) 1145 { 1146 return buffer_read_u64(b); 1147 } 1148 1149 #ifdef RATELIMIT 1150 static void 1151 marshal_u16(struct buffer* b, uint16_t v) 1152 { 1153 buffer_reserve(b, 2); 1154 buffer_write_u16(b, v); 1155 } 1156 #endif 1157 1158 #ifdef RATELIMIT 1159 static uint16_t 1160 unmarshal_u16(struct buffer* b) 1161 { 1162 return buffer_read_u16(b); 1163 } 1164 #endif 1165 1166 static void 1167 marshal_u32(struct buffer* b, uint32_t v) 1168 { 1169 buffer_reserve(b, 4); 1170 buffer_write_u32(b, v); 1171 } 1172 1173 static uint32_t 1174 unmarshal_u32(struct buffer* b) 1175 { 1176 return buffer_read_u32(b); 1177 } 1178 1179 static void 1180 marshal_str(struct buffer* b, const char* s) 1181 { 1182 if(!s) marshal_u8(b, 0); 1183 else { 1184 size_t len = strlen(s); 1185 marshal_u8(b, 1); 1186 buffer_reserve(b, len+1); 1187 buffer_write(b, s, len+1); 1188 } 1189 } 1190 1191 static char* 1192 unmarshal_str(region_type* r, struct buffer* b) 1193 { 1194 uint8_t nonnull = unmarshal_u8(b); 1195 if(nonnull) { 1196 char* result = region_strdup(r, (char*)buffer_current(b)); 1197 size_t len = strlen((char*)buffer_current(b)); 1198 buffer_skip(b, len+1); 1199 return result; 1200 } else return NULL; 1201 } 1202 1203 static void 1204 marshal_acl(struct buffer* b, struct acl_options* acl) 1205 { 1206 buffer_reserve(b, sizeof(*acl)); 1207 buffer_write(b, acl, sizeof(*acl)); 1208 marshal_str(b, acl->ip_address_spec); 1209 marshal_str(b, acl->key_name); 1210 marshal_str(b, acl->tls_auth_name); 1211 } 1212 1213 static struct acl_options* 1214 unmarshal_acl(region_type* r, struct buffer* b) 1215 { 1216 struct acl_options* acl = (struct acl_options*)region_alloc(r, 1217 sizeof(*acl)); 1218 buffer_read(b, acl, sizeof(*acl)); 1219 acl->next = NULL; 1220 acl->key_options = NULL; 1221 acl->tls_auth_options = NULL; 1222 acl->ip_address_spec = unmarshal_str(r, b); 1223 acl->key_name = unmarshal_str(r, b); 1224 acl->tls_auth_name = unmarshal_str(r, b); 1225 return acl; 1226 } 1227 1228 static void 1229 marshal_acl_list(struct buffer* b, struct acl_options* list) 1230 { 1231 while(list) { 1232 marshal_u8(b, 1); /* is there a next one marker */ 1233 marshal_acl(b, list); 1234 list = list->next; 1235 } 1236 marshal_u8(b, 0); /* end of list marker */ 1237 } 1238 1239 static struct acl_options* 1240 unmarshal_acl_list(region_type* r, struct buffer* b) 1241 { 1242 struct acl_options* a, *last=NULL, *list=NULL; 1243 while(unmarshal_u8(b)) { 1244 a = unmarshal_acl(r, b); 1245 /* link in */ 1246 a->next = NULL; 1247 if(!list) list = a; 1248 else last->next = a; 1249 last = a; 1250 } 1251 return list; 1252 } 1253 1254 void 1255 pattern_options_marshal(struct buffer* b, struct pattern_options* p) 1256 { 1257 marshal_str(b, p->pname); 1258 marshal_str(b, p->zonefile); 1259 marshal_str(b, p->zonestats); 1260 #ifdef RATELIMIT 1261 marshal_u16(b, p->rrl_whitelist); 1262 #endif 1263 marshal_u8(b, p->allow_axfr_fallback); 1264 marshal_u8(b, p->allow_axfr_fallback_is_default); 1265 marshal_u8(b, p->notify_retry); 1266 marshal_u8(b, p->notify_retry_is_default); 1267 marshal_u8(b, p->implicit); 1268 marshal_u64(b, p->size_limit_xfr); 1269 marshal_acl_list(b, p->allow_notify); 1270 marshal_acl_list(b, p->request_xfr); 1271 marshal_acl_list(b, p->notify); 1272 marshal_acl_list(b, p->provide_xfr); 1273 marshal_acl_list(b, p->allow_query); 1274 marshal_acl_list(b, p->outgoing_interface); 1275 marshal_u32(b, p->max_refresh_time); 1276 marshal_u8(b, p->max_refresh_time_is_default); 1277 marshal_u32(b, p->min_refresh_time); 1278 marshal_u8(b, p->min_refresh_time_is_default); 1279 marshal_u32(b, p->max_retry_time); 1280 marshal_u8(b, p->max_retry_time_is_default); 1281 marshal_u32(b, p->min_retry_time); 1282 marshal_u8(b, p->min_retry_time_is_default); 1283 marshal_u32(b, p->min_expire_time); 1284 marshal_u8(b, p->min_expire_time_expr); 1285 marshal_u8(b, p->multi_master_check); 1286 } 1287 1288 struct pattern_options* 1289 pattern_options_unmarshal(region_type* r, struct buffer* b) 1290 { 1291 struct pattern_options* p = pattern_options_create(r); 1292 p->pname = unmarshal_str(r, b); 1293 p->zonefile = unmarshal_str(r, b); 1294 p->zonestats = unmarshal_str(r, b); 1295 #ifdef RATELIMIT 1296 p->rrl_whitelist = unmarshal_u16(b); 1297 #endif 1298 p->allow_axfr_fallback = unmarshal_u8(b); 1299 p->allow_axfr_fallback_is_default = unmarshal_u8(b); 1300 p->notify_retry = unmarshal_u8(b); 1301 p->notify_retry_is_default = unmarshal_u8(b); 1302 p->implicit = unmarshal_u8(b); 1303 p->size_limit_xfr = unmarshal_u64(b); 1304 p->allow_notify = unmarshal_acl_list(r, b); 1305 p->request_xfr = unmarshal_acl_list(r, b); 1306 p->notify = unmarshal_acl_list(r, b); 1307 p->provide_xfr = unmarshal_acl_list(r, b); 1308 p->allow_query = unmarshal_acl_list(r, b); 1309 p->outgoing_interface = unmarshal_acl_list(r, b); 1310 p->max_refresh_time = unmarshal_u32(b); 1311 p->max_refresh_time_is_default = unmarshal_u8(b); 1312 p->min_refresh_time = unmarshal_u32(b); 1313 p->min_refresh_time_is_default = unmarshal_u8(b); 1314 p->max_retry_time = unmarshal_u32(b); 1315 p->max_retry_time_is_default = unmarshal_u8(b); 1316 p->min_retry_time = unmarshal_u32(b); 1317 p->min_retry_time_is_default = unmarshal_u8(b); 1318 p->min_expire_time = unmarshal_u32(b); 1319 p->min_expire_time_expr = unmarshal_u8(b); 1320 p->multi_master_check = unmarshal_u8(b); 1321 return p; 1322 } 1323 1324 struct key_options* 1325 key_options_create(region_type* region) 1326 { 1327 struct key_options* key; 1328 key = (struct key_options*)region_alloc_zero(region, 1329 sizeof(struct key_options)); 1330 return key; 1331 } 1332 1333 struct tls_auth_options* 1334 tls_auth_options_create(region_type* region) 1335 { 1336 struct tls_auth_options* tls_auth_options; 1337 tls_auth_options = (struct tls_auth_options*)region_alloc_zero(region, sizeof(struct tls_auth_options)); 1338 return tls_auth_options; 1339 } 1340 1341 void 1342 key_options_insert(struct nsd_options* opt, struct key_options* key) 1343 { 1344 if(!key->name) return; 1345 key->node.key = key->name; 1346 (void)rbtree_insert(opt->keys, &key->node); 1347 } 1348 1349 struct key_options* 1350 key_options_find(struct nsd_options* opt, const char* name) 1351 { 1352 return (struct key_options*)rbtree_search(opt->keys, name); 1353 } 1354 1355 void 1356 tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth) 1357 { 1358 if(!auth->name) return; 1359 auth->node.key = auth->name; 1360 (void)rbtree_insert(opt->tls_auths, &auth->node); 1361 } 1362 1363 struct tls_auth_options* 1364 tls_auth_options_find(struct nsd_options* opt, const char* name) 1365 { 1366 return (struct tls_auth_options*)rbtree_search(opt->tls_auths, name); 1367 } 1368 1369 /** remove tsig_key contents */ 1370 void 1371 key_options_desetup(region_type* region, struct key_options* key) 1372 { 1373 /* keep tsig_key pointer so that existing references keep valid */ 1374 if(!key->tsig_key) 1375 return; 1376 /* name stays the same */ 1377 if(key->tsig_key->data) { 1378 /* wipe secret! */ 1379 memset(key->tsig_key->data, 0xdd, key->tsig_key->size); 1380 region_recycle(region, key->tsig_key->data, 1381 key->tsig_key->size); 1382 key->tsig_key->data = NULL; 1383 key->tsig_key->size = 0; 1384 } 1385 } 1386 1387 /** add tsig_key contents */ 1388 void 1389 key_options_setup(region_type* region, struct key_options* key) 1390 { 1391 uint8_t data[16384]; /* 16KB */ 1392 int size; 1393 if(!key->tsig_key) { 1394 /* create it */ 1395 key->tsig_key = (tsig_key_type *) region_alloc(region, 1396 sizeof(tsig_key_type)); 1397 /* create name */ 1398 key->tsig_key->name = dname_parse(region, key->name); 1399 if(!key->tsig_key->name) { 1400 log_msg(LOG_ERR, "Failed to parse tsig key name %s", 1401 key->name); 1402 /* key and base64 were checked during syntax parse */ 1403 exit(1); 1404 } 1405 key->tsig_key->size = 0; 1406 key->tsig_key->data = NULL; 1407 } 1408 size = __b64_pton(key->secret, data, sizeof(data)); 1409 if(size == -1) { 1410 log_msg(LOG_ERR, "Failed to parse tsig key data %s", 1411 key->name); 1412 /* key and base64 were checked during syntax parse */ 1413 exit(1); 1414 } 1415 key->tsig_key->size = size; 1416 key->tsig_key->data = (uint8_t *)region_alloc_init(region, data, size); 1417 } 1418 1419 void 1420 key_options_remove(struct nsd_options* opt, const char* name) 1421 { 1422 struct key_options* k = key_options_find(opt, name); 1423 if(!k) return; 1424 (void)rbtree_delete(opt->keys, name); 1425 if(k->name) 1426 region_recycle(opt->region, k->name, strlen(k->name)+1); 1427 if(k->algorithm) 1428 region_recycle(opt->region, k->algorithm, strlen(k->algorithm)+1); 1429 if(k->secret) { 1430 memset(k->secret, 0xdd, strlen(k->secret)); /* wipe secret! */ 1431 region_recycle(opt->region, k->secret, strlen(k->secret)+1); 1432 } 1433 if(k->tsig_key) { 1434 tsig_del_key(k->tsig_key); 1435 if(k->tsig_key->name) 1436 region_recycle(opt->region, (void*)k->tsig_key->name, 1437 dname_total_size(k->tsig_key->name)); 1438 key_options_desetup(opt->region, k); 1439 region_recycle(opt->region, k->tsig_key, sizeof(tsig_key_type)); 1440 } 1441 region_recycle(opt->region, k, sizeof(struct key_options)); 1442 } 1443 1444 int 1445 key_options_equal(struct key_options* p, struct key_options* q) 1446 { 1447 return strcmp(p->name, q->name)==0 && strcmp(p->algorithm, 1448 q->algorithm)==0 && strcmp(p->secret, q->secret)==0; 1449 } 1450 1451 void 1452 key_options_add_modify(struct nsd_options* opt, struct key_options* key) 1453 { 1454 struct key_options* orig = key_options_find(opt, key->name); 1455 if(!orig) { 1456 /* needs to be copied to opt region */ 1457 orig = key_options_create(opt->region); 1458 orig->name = region_strdup(opt->region, key->name); 1459 orig->algorithm = region_strdup(opt->region, key->algorithm); 1460 orig->secret = region_strdup(opt->region, key->secret); 1461 key_options_setup(opt->region, orig); 1462 tsig_add_key(orig->tsig_key); 1463 key_options_insert(opt, orig); 1464 } else { 1465 /* modify entries in existing key, and copy to opt region */ 1466 key_options_desetup(opt->region, orig); 1467 region_recycle(opt->region, orig->algorithm, 1468 strlen(orig->algorithm)+1); 1469 orig->algorithm = region_strdup(opt->region, key->algorithm); 1470 region_recycle(opt->region, orig->secret, 1471 strlen(orig->secret)+1); 1472 orig->secret = region_strdup(opt->region, key->secret); 1473 key_options_setup(opt->region, orig); 1474 } 1475 } 1476 1477 int 1478 acl_check_incoming(struct acl_options* acl, struct query* q, 1479 struct acl_options** reason) 1480 { 1481 /* check each acl element. 1482 if 1 blocked element matches - return -1. 1483 if any element matches - return number. 1484 else return -1. */ 1485 int found_match = -1; 1486 int number = 0; 1487 struct acl_options* match = 0; 1488 1489 if(reason) 1490 *reason = NULL; 1491 1492 while(acl) 1493 { 1494 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "testing acl %s %s", 1495 acl->ip_address_spec, acl->nokey?"NOKEY": 1496 (acl->blocked?"BLOCKED":acl->key_name))); 1497 if(acl_addr_matches(acl, q) && acl_key_matches(acl, q)) { 1498 if(!match) 1499 { 1500 match = acl; /* remember first match */ 1501 found_match=number; 1502 } 1503 if(acl->blocked) { 1504 if(reason) 1505 *reason = acl; 1506 return -1; 1507 } 1508 } 1509 number++; 1510 acl = acl->next; 1511 } 1512 1513 if(reason) 1514 *reason = match; 1515 return found_match; 1516 } 1517 1518 #ifdef INET6 1519 int 1520 acl_addr_matches_ipv6host(struct acl_options* acl, struct sockaddr_storage* addr_storage, unsigned int port) 1521 { 1522 struct sockaddr_in6* addr = (struct sockaddr_in6*)addr_storage; 1523 if(acl->port != 0 && acl->port != port) 1524 return 0; 1525 switch(acl->rangetype) { 1526 case acl_range_mask: 1527 case acl_range_subnet: 1528 if(!acl_addr_match_mask((uint32_t*)&acl->addr.addr6, (uint32_t*)&addr->sin6_addr, 1529 (uint32_t*)&acl->range_mask.addr6, sizeof(struct in6_addr))) 1530 return 0; 1531 break; 1532 case acl_range_minmax: 1533 if(!acl_addr_match_range_v6((uint32_t*)&acl->addr.addr6, (uint32_t*)&addr->sin6_addr, 1534 (uint32_t*)&acl->range_mask.addr6, sizeof(struct in6_addr))) 1535 return 0; 1536 break; 1537 case acl_range_single: 1538 default: 1539 if(memcmp(&addr->sin6_addr, &acl->addr.addr6, 1540 sizeof(struct in6_addr)) != 0) 1541 return 0; 1542 break; 1543 } 1544 return 1; 1545 } 1546 #endif 1547 1548 int 1549 acl_addr_matches_ipv4host(struct acl_options* acl, struct sockaddr_in* addr, unsigned int port) 1550 { 1551 if(acl->port != 0 && acl->port != port) 1552 return 0; 1553 switch(acl->rangetype) { 1554 case acl_range_mask: 1555 case acl_range_subnet: 1556 if(!acl_addr_match_mask((uint32_t*)&acl->addr.addr, (uint32_t*)&addr->sin_addr, 1557 (uint32_t*)&acl->range_mask.addr, sizeof(struct in_addr))) 1558 return 0; 1559 break; 1560 case acl_range_minmax: 1561 if(!acl_addr_match_range_v4((uint32_t*)&acl->addr.addr, (uint32_t*)&addr->sin_addr, 1562 (uint32_t*)&acl->range_mask.addr, sizeof(struct in_addr))) 1563 return 0; 1564 break; 1565 case acl_range_single: 1566 default: 1567 if(memcmp(&addr->sin_addr, &acl->addr.addr, 1568 sizeof(struct in_addr)) != 0) 1569 return 0; 1570 break; 1571 } 1572 return 1; 1573 } 1574 1575 int 1576 acl_addr_matches_host(struct acl_options* acl, struct acl_options* host) 1577 { 1578 if(acl->is_ipv6) 1579 { 1580 #ifdef INET6 1581 struct sockaddr_storage* addr = (struct sockaddr_storage*)&host->addr; 1582 if(!host->is_ipv6) return 0; 1583 return acl_addr_matches_ipv6host(acl, addr, host->port); 1584 #else 1585 return 0; /* no inet6, no match */ 1586 #endif 1587 } 1588 else 1589 { 1590 struct sockaddr_in* addr = (struct sockaddr_in*)&host->addr; 1591 if(host->is_ipv6) return 0; 1592 return acl_addr_matches_ipv4host(acl, addr, host->port); 1593 } 1594 /* ENOTREACH */ 1595 return 0; 1596 } 1597 1598 int 1599 acl_addr_matches(struct acl_options* acl, struct query* q) 1600 { 1601 if(acl->is_ipv6) 1602 { 1603 #ifdef INET6 1604 struct sockaddr_storage* addr = (struct sockaddr_storage*)&q->addr; 1605 if(addr->ss_family != AF_INET6) 1606 return 0; 1607 return acl_addr_matches_ipv6host(acl, addr, ntohs(((struct sockaddr_in6*)addr)->sin6_port)); 1608 #else 1609 return 0; /* no inet6, no match */ 1610 #endif 1611 } 1612 else 1613 { 1614 struct sockaddr_in* addr = (struct sockaddr_in*)&q->addr; 1615 if(addr->sin_family != AF_INET) 1616 return 0; 1617 return acl_addr_matches_ipv4host(acl, addr, ntohs(addr->sin_port)); 1618 } 1619 /* ENOTREACH */ 1620 return 0; 1621 } 1622 1623 int 1624 acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz) 1625 { 1626 size_t i; 1627 #ifndef NDEBUG 1628 assert(sz % 4 == 0); 1629 #endif 1630 sz /= 4; 1631 for(i=0; i<sz; ++i) 1632 { 1633 if(((*a++)&*mask) != ((*b++)&*mask)) 1634 return 0; 1635 ++mask; 1636 } 1637 return 1; 1638 } 1639 1640 int 1641 acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz) 1642 { 1643 assert(sz == 4); (void)sz; 1644 /* check treats x as one huge number */ 1645 1646 /* if outside bounds, we are done */ 1647 if(*minval > *x) 1648 return 0; 1649 if(*maxval < *x) 1650 return 0; 1651 1652 return 1; 1653 } 1654 1655 #ifdef INET6 1656 int 1657 acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz) 1658 { 1659 size_t i; 1660 uint8_t checkmin = 1, checkmax = 1; 1661 #ifndef NDEBUG 1662 assert(sz % 4 == 0); 1663 #endif 1664 /* check treats x as one huge number */ 1665 sz /= 4; 1666 for(i=0; i<sz; ++i) 1667 { 1668 /* if outside bounds, we are done */ 1669 if(checkmin) 1670 if(minval[i] > x[i]) 1671 return 0; 1672 if(checkmax) 1673 if(maxval[i] < x[i]) 1674 return 0; 1675 /* if x is equal to a bound, that bound needs further checks */ 1676 if(checkmin && minval[i]!=x[i]) 1677 checkmin = 0; 1678 if(checkmax && maxval[i]!=x[i]) 1679 checkmax = 0; 1680 if(!checkmin && !checkmax) 1681 return 1; /* will always match */ 1682 } 1683 return 1; 1684 } 1685 #endif /* INET6 */ 1686 1687 int 1688 acl_key_matches(struct acl_options* acl, struct query* q) 1689 { 1690 if(acl->blocked) 1691 return 1; 1692 if(acl->nokey) { 1693 if(q->tsig.status == TSIG_NOT_PRESENT) 1694 return 1; 1695 return 0; 1696 } 1697 /* check name of tsig key */ 1698 if(q->tsig.status != TSIG_OK) { 1699 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail query has no TSIG")); 1700 return 0; /* query has no TSIG */ 1701 } 1702 if(q->tsig.error_code != TSIG_ERROR_NOERROR) { 1703 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail, tsig has error")); 1704 return 0; /* some tsig error */ 1705 } 1706 if(!acl->key_options->tsig_key) { 1707 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail no config")); 1708 return 0; /* key not properly configured */ 1709 } 1710 if(dname_compare(q->tsig.key_name, 1711 acl->key_options->tsig_key->name) != 0) { 1712 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail wrong key name")); 1713 return 0; /* wrong key name */ 1714 } 1715 if(tsig_strlowercmp(q->tsig.algorithm->short_name, 1716 acl->key_options->algorithm) != 0 && ( 1717 strncmp("hmac-", q->tsig.algorithm->short_name, 5) != 0 || 1718 tsig_strlowercmp(q->tsig.algorithm->short_name+5, 1719 acl->key_options->algorithm) != 0) ) { 1720 DEBUG(DEBUG_XFRD,2, (LOG_ERR, "query tsig wrong algorithm")); 1721 return 0; /* no such algo */ 1722 } 1723 return 1; 1724 } 1725 1726 int 1727 acl_same_host(struct acl_options* a, struct acl_options* b) 1728 { 1729 if(a->is_ipv6 && !b->is_ipv6) 1730 return 0; 1731 if(!a->is_ipv6 && b->is_ipv6) 1732 return 0; 1733 if(a->port != b->port) 1734 return 0; 1735 if(a->rangetype != b->rangetype) 1736 return 0; 1737 if(!a->is_ipv6) { 1738 if(memcmp(&a->addr.addr, &b->addr.addr, 1739 sizeof(struct in_addr)) != 0) 1740 return 0; 1741 if(a->rangetype != acl_range_single && 1742 memcmp(&a->range_mask.addr, &b->range_mask.addr, 1743 sizeof(struct in_addr)) != 0) 1744 return 0; 1745 } else { 1746 #ifdef INET6 1747 if(memcmp(&a->addr.addr6, &b->addr.addr6, 1748 sizeof(struct in6_addr)) != 0) 1749 return 0; 1750 if(a->rangetype != acl_range_single && 1751 memcmp(&a->range_mask.addr6, &b->range_mask.addr6, 1752 sizeof(struct in6_addr)) != 0) 1753 return 0; 1754 #else 1755 return 0; 1756 #endif 1757 } 1758 return 1; 1759 } 1760 1761 #if defined(HAVE_SSL) 1762 void 1763 key_options_tsig_add(struct nsd_options* opt) 1764 { 1765 struct key_options* optkey; 1766 RBTREE_FOR(optkey, struct key_options*, opt->keys) { 1767 key_options_setup(opt->region, optkey); 1768 tsig_add_key(optkey->tsig_key); 1769 } 1770 } 1771 #endif 1772 1773 int 1774 zone_is_slave(struct zone_options* opt) 1775 { 1776 return opt && opt->pattern && opt->pattern->request_xfr != 0; 1777 } 1778 1779 /* get a character in string (or replacement char if not long enough) */ 1780 static const char* 1781 get_char(const char* str, size_t i) 1782 { 1783 static char res[2]; 1784 if(i >= strlen(str)) 1785 return "."; 1786 res[0] = str[i]; 1787 res[1] = 0; 1788 return res; 1789 } 1790 /* get end label of the zone name (or .) */ 1791 static const char* 1792 get_end_label(struct zone_options* zone, int i) 1793 { 1794 const dname_type* d = (const dname_type*)zone->node.key; 1795 if(i >= d->label_count) { 1796 return "."; 1797 } 1798 return wirelabel2str(dname_label(d, i)); 1799 } 1800 /* replace occurrences of one with two */ 1801 void 1802 replace_str(char* str, size_t len, const char* one, const char* two) 1803 { 1804 char* pos; 1805 char* at = str; 1806 while( (pos=strstr(at, one)) ) { 1807 if(strlen(str)+strlen(two)-strlen(one) >= len) 1808 return; /* no more space to replace */ 1809 /* stuff before pos is fine */ 1810 /* move the stuff after pos to make space for two, add 1811 * one to length of remainder to also copy the 0 byte end */ 1812 memmove(pos+strlen(two), pos+strlen(one), 1813 strlen(pos+strlen(one))+1); 1814 /* copy in two */ 1815 memmove(pos, two, strlen(two)); 1816 /* at is end of the newly inserted two (avoids recursion if 1817 * two contains one) */ 1818 at = pos+strlen(two); 1819 } 1820 } 1821 1822 const char* 1823 config_cook_string(struct zone_options* zone, const char* input) 1824 { 1825 static char f[1024]; 1826 /* if not a template, return as-is */ 1827 if(!strchr(input, '%')) { 1828 return input; 1829 } 1830 strlcpy(f, input, sizeof(f)); 1831 if(strstr(f, "%1")) 1832 replace_str(f, sizeof(f), "%1", get_char(zone->name, 0)); 1833 if(strstr(f, "%2")) 1834 replace_str(f, sizeof(f), "%2", get_char(zone->name, 1)); 1835 if(strstr(f, "%3")) 1836 replace_str(f, sizeof(f), "%3", get_char(zone->name, 2)); 1837 if(strstr(f, "%z")) 1838 replace_str(f, sizeof(f), "%z", get_end_label(zone, 1)); 1839 if(strstr(f, "%y")) 1840 replace_str(f, sizeof(f), "%y", get_end_label(zone, 2)); 1841 if(strstr(f, "%x")) 1842 replace_str(f, sizeof(f), "%x", get_end_label(zone, 3)); 1843 if(strstr(f, "%s")) 1844 replace_str(f, sizeof(f), "%s", zone->name); 1845 return f; 1846 } 1847 1848 const char* 1849 config_make_zonefile(struct zone_options* zone, struct nsd* nsd) 1850 { 1851 static char f[1024]; 1852 /* if not a template, return as-is */ 1853 if(!strchr(zone->pattern->zonefile, '%')) { 1854 if (nsd->chrootdir && nsd->chrootdir[0] && 1855 zone->pattern->zonefile && 1856 zone->pattern->zonefile[0] == '/' && 1857 strncmp(zone->pattern->zonefile, nsd->chrootdir, 1858 strlen(nsd->chrootdir)) == 0) 1859 /* -1 because chrootdir ends in trailing slash */ 1860 return zone->pattern->zonefile + strlen(nsd->chrootdir) - 1; 1861 return zone->pattern->zonefile; 1862 } 1863 strlcpy(f, zone->pattern->zonefile, sizeof(f)); 1864 if(strstr(f, "%1")) 1865 replace_str(f, sizeof(f), "%1", get_char(zone->name, 0)); 1866 if(strstr(f, "%2")) 1867 replace_str(f, sizeof(f), "%2", get_char(zone->name, 1)); 1868 if(strstr(f, "%3")) 1869 replace_str(f, sizeof(f), "%3", get_char(zone->name, 2)); 1870 if(strstr(f, "%z")) 1871 replace_str(f, sizeof(f), "%z", get_end_label(zone, 1)); 1872 if(strstr(f, "%y")) 1873 replace_str(f, sizeof(f), "%y", get_end_label(zone, 2)); 1874 if(strstr(f, "%x")) 1875 replace_str(f, sizeof(f), "%x", get_end_label(zone, 3)); 1876 if(strstr(f, "%s")) 1877 replace_str(f, sizeof(f), "%s", zone->name); 1878 if (nsd->chrootdir && nsd->chrootdir[0] && f[0] == '/' && 1879 strncmp(f, nsd->chrootdir, strlen(nsd->chrootdir)) == 0) 1880 /* -1 because chrootdir ends in trailing slash */ 1881 return f + strlen(nsd->chrootdir) - 1; 1882 return f; 1883 } 1884 1885 struct zone_options* 1886 zone_options_find(struct nsd_options* opt, const struct dname* apex) 1887 { 1888 return (struct zone_options*) rbtree_search(opt->zone_options, apex); 1889 } 1890 1891 struct acl_options* 1892 acl_find_num(struct acl_options* acl, int num) 1893 { 1894 int count = num; 1895 if(num < 0) 1896 return 0; 1897 while(acl && count > 0) { 1898 acl = acl->next; 1899 count--; 1900 } 1901 if(count == 0) 1902 return acl; 1903 return 0; 1904 } 1905 1906 /* true if ipv6 address, false if ipv4 */ 1907 int 1908 parse_acl_is_ipv6(const char* p) 1909 { 1910 /* see if addr is ipv6 or ipv4 -- by : and . */ 1911 while(*p) { 1912 if(*p == '.') return 0; 1913 if(*p == ':') return 1; 1914 ++p; 1915 } 1916 return 0; 1917 } 1918 1919 /* returns range type. mask is the 2nd part of the range */ 1920 int 1921 parse_acl_range_type(char* ip, char** mask) 1922 { 1923 char *p; 1924 if((p=strchr(ip, '&'))!=0) { 1925 *p = 0; 1926 *mask = p+1; 1927 return acl_range_mask; 1928 } 1929 if((p=strchr(ip, '/'))!=0) { 1930 *p = 0; 1931 *mask = p+1; 1932 return acl_range_subnet; 1933 } 1934 if((p=strchr(ip, '-'))!=0) { 1935 *p = 0; 1936 *mask = p+1; 1937 return acl_range_minmax; 1938 } 1939 *mask = 0; 1940 return acl_range_single; 1941 } 1942 1943 /* parses subnet mask, fills 0 mask as well */ 1944 void 1945 parse_acl_range_subnet(char* p, void* addr, int maxbits) 1946 { 1947 int subnet_bits = atoi(p); 1948 uint8_t* addr_bytes = (uint8_t*)addr; 1949 if(subnet_bits == 0 && strcmp(p, "0")!=0) { 1950 c_error("bad subnet range '%s'", p); 1951 return; 1952 } 1953 if(subnet_bits < 0 || subnet_bits > maxbits) { 1954 c_error("subnet of %d bits out of range [0..%d]", subnet_bits, maxbits); 1955 return; 1956 } 1957 /* fill addr with n bits of 1s (struct has been zeroed) */ 1958 while(subnet_bits >= 8) { 1959 *addr_bytes++ = 0xff; 1960 subnet_bits -= 8; 1961 } 1962 if(subnet_bits > 0) { 1963 uint8_t shifts[] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff}; 1964 *addr_bytes = shifts[subnet_bits]; 1965 } 1966 } 1967 1968 struct acl_options* 1969 parse_acl_info(region_type* region, char* ip, const char* key) 1970 { 1971 char* p; 1972 struct acl_options* acl = (struct acl_options*)region_alloc(region, 1973 sizeof(struct acl_options)); 1974 acl->next = 0; 1975 /* ip */ 1976 acl->ip_address_spec = region_strdup(region, ip); 1977 acl->use_axfr_only = 0; 1978 acl->allow_udp = 0; 1979 acl->ixfr_disabled = 0; 1980 acl->bad_xfr_count = 0; 1981 acl->key_options = 0; 1982 acl->tls_auth_options = 0; 1983 acl->tls_auth_name = 0; 1984 acl->is_ipv6 = 0; 1985 acl->port = 0; 1986 memset(&acl->addr, 0, sizeof(union acl_addr_storage)); 1987 memset(&acl->range_mask, 0, sizeof(union acl_addr_storage)); 1988 if((p=strrchr(ip, '@'))!=0) { 1989 if(atoi(p+1) == 0) c_error("expected port number after '@'"); 1990 else acl->port = atoi(p+1); 1991 *p=0; 1992 } 1993 acl->rangetype = parse_acl_range_type(ip, &p); 1994 if(parse_acl_is_ipv6(ip)) { 1995 acl->is_ipv6 = 1; 1996 #ifdef INET6 1997 if(inet_pton(AF_INET6, ip, &acl->addr.addr6) != 1) 1998 c_error("Bad ip6 address '%s'", ip); 1999 if(acl->rangetype==acl_range_mask || acl->rangetype==acl_range_minmax) { 2000 assert(p); 2001 if(inet_pton(AF_INET6, p, &acl->range_mask.addr6) != 1) 2002 c_error("Bad ip6 address mask '%s'", p); 2003 } 2004 if(acl->rangetype==acl_range_subnet) { 2005 assert(p); 2006 parse_acl_range_subnet(p, &acl->range_mask.addr6, 128); 2007 } 2008 #else 2009 c_error("encountered IPv6 address '%s'.", ip); 2010 #endif /* INET6 */ 2011 } else { 2012 acl->is_ipv6 = 0; 2013 if(inet_pton(AF_INET, ip, &acl->addr.addr) != 1) 2014 c_error("Bad ip4 address '%s'", ip); 2015 if(acl->rangetype==acl_range_mask || acl->rangetype==acl_range_minmax) { 2016 assert(p); 2017 if(inet_pton(AF_INET, p, &acl->range_mask.addr) != 1) 2018 c_error("Bad ip4 address mask '%s'", p); 2019 } 2020 if(acl->rangetype==acl_range_subnet) { 2021 assert(p); 2022 parse_acl_range_subnet(p, &acl->range_mask.addr, 32); 2023 } 2024 } 2025 2026 /* key */ 2027 if(strcmp(key, "NOKEY")==0) { 2028 acl->nokey = 1; 2029 acl->blocked = 0; 2030 acl->key_name = 0; 2031 } else if(strcmp(key, "BLOCKED")==0) { 2032 acl->nokey = 0; 2033 acl->blocked = 1; 2034 acl->key_name = 0; 2035 } else { 2036 acl->nokey = 0; 2037 acl->blocked = 0; 2038 acl->key_name = region_strdup(region, key); 2039 } 2040 return acl; 2041 } 2042 2043 /* copy acl list at end of parser start, update current */ 2044 static 2045 void copy_and_append_acls(struct acl_options** start, struct acl_options* list) 2046 { 2047 struct acl_options *tail = NULL; 2048 2049 assert(start != NULL); 2050 2051 tail = *start; 2052 if(tail) { 2053 while(tail->next) { 2054 tail = tail->next; 2055 } 2056 } 2057 2058 while(list) { 2059 struct acl_options* acl = copy_acl(cfg_parser->opt->region, 2060 list); 2061 acl->next = NULL; 2062 if(tail) { 2063 tail->next = acl; 2064 } else { 2065 *start = acl; 2066 } 2067 tail = acl; 2068 list = list->next; 2069 } 2070 } 2071 2072 void 2073 config_apply_pattern(struct pattern_options *dest, const char* name) 2074 { 2075 /* find the pattern */ 2076 struct pattern_options* pat = pattern_options_find(cfg_parser->opt, 2077 name); 2078 if(!pat) { 2079 c_error("could not find pattern %s", name); 2080 return; 2081 } 2082 2083 /* apply settings */ 2084 if(pat->zonefile) 2085 dest->zonefile = region_strdup(cfg_parser->opt->region, 2086 pat->zonefile); 2087 if(pat->zonestats) 2088 dest->zonestats = region_strdup(cfg_parser->opt->region, 2089 pat->zonestats); 2090 if(!pat->allow_axfr_fallback_is_default) { 2091 dest->allow_axfr_fallback = pat->allow_axfr_fallback; 2092 dest->allow_axfr_fallback_is_default = 0; 2093 } 2094 if(!pat->notify_retry_is_default) { 2095 dest->notify_retry = pat->notify_retry; 2096 dest->notify_retry_is_default = 0; 2097 } 2098 if(!pat->max_refresh_time_is_default) { 2099 dest->max_refresh_time = pat->max_refresh_time; 2100 dest->max_refresh_time_is_default = 0; 2101 } 2102 if(!pat->min_refresh_time_is_default) { 2103 dest->min_refresh_time = pat->min_refresh_time; 2104 dest->min_refresh_time_is_default = 0; 2105 } 2106 if(!pat->max_retry_time_is_default) { 2107 dest->max_retry_time = pat->max_retry_time; 2108 dest->max_retry_time_is_default = 0; 2109 } 2110 if(!pat->min_retry_time_is_default) { 2111 dest->min_retry_time = pat->min_retry_time; 2112 dest->min_retry_time_is_default = 0; 2113 } 2114 if(!expire_time_is_default(pat->min_expire_time_expr)) { 2115 dest->min_expire_time = pat->min_expire_time; 2116 dest->min_expire_time_expr = pat->min_expire_time_expr; 2117 } 2118 dest->size_limit_xfr = pat->size_limit_xfr; 2119 #ifdef RATELIMIT 2120 dest->rrl_whitelist |= pat->rrl_whitelist; 2121 #endif 2122 /* append acl items */ 2123 copy_and_append_acls(&dest->allow_notify, pat->allow_notify); 2124 copy_and_append_acls(&dest->request_xfr, pat->request_xfr); 2125 copy_and_append_acls(&dest->notify, pat->notify); 2126 copy_and_append_acls(&dest->provide_xfr, pat->provide_xfr); 2127 copy_and_append_acls(&dest->allow_query, pat->allow_query); 2128 copy_and_append_acls(&dest->outgoing_interface, pat->outgoing_interface); 2129 if(pat->multi_master_check) 2130 dest->multi_master_check = pat->multi_master_check; 2131 } 2132 2133 void 2134 nsd_options_destroy(struct nsd_options* opt) 2135 { 2136 region_destroy(opt->region); 2137 #ifdef MEMCLEAN /* OS collects memory pages */ 2138 c_lex_destroy(); 2139 #endif 2140 } 2141 2142 unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt) 2143 { 2144 #ifdef USE_ZONE_STATS 2145 const char* statname; 2146 struct zonestatname* n; 2147 rbnode_type* res; 2148 /* try to find the instantiated zonestat name */ 2149 if(!zopt->pattern->zonestats || zopt->pattern->zonestats[0]==0) 2150 return 0; /* no zone stats */ 2151 statname = config_cook_string(zopt, zopt->pattern->zonestats); 2152 res = rbtree_search(opt->zonestatnames, statname); 2153 if(res) 2154 return ((struct zonestatname*)res)->id; 2155 /* create it */ 2156 n = (struct zonestatname*)region_alloc_zero(opt->region, sizeof(*n)); 2157 n->node.key = region_strdup(opt->region, statname); 2158 if(!n->node.key) { 2159 log_msg(LOG_ERR, "malloc failed: %s", strerror(errno)); 2160 exit(1); 2161 } 2162 n->id = (unsigned)(opt->zonestatnames->count); 2163 rbtree_insert(opt->zonestatnames, (rbnode_type*)n); 2164 return n->id; 2165 #else /* USE_ZONE_STATS */ 2166 (void)opt; (void)zopt; 2167 return 0; 2168 #endif /* USE_ZONE_STATS */ 2169 } 2170 2171 /** check if config turns on IP-address interface with certificates or a 2172 * named pipe without certificates. */ 2173 int 2174 options_remote_is_address(struct nsd_options* cfg) 2175 { 2176 if(!cfg->control_enable) return 0; 2177 if(!cfg->control_interface) return 1; 2178 if(!cfg->control_interface->address) return 1; 2179 if(cfg->control_interface->address[0] == 0) return 1; 2180 return (cfg->control_interface->address[0] != '/'); 2181 } 2182 2183 #ifdef HAVE_GETIFADDRS 2184 static void 2185 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, size_t *ip_addresses_size) 2186 { 2187 struct ifaddrs *ifa; 2188 size_t last_ip_addresses_size = *ip_addresses_size; 2189 2190 for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) { 2191 sa_family_t family; 2192 const char* atsign; 2193 #ifdef INET6 /* | address ip | % | ifa name | @ | port | nul */ 2194 char addr_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + 1 + 16 + 1]; 2195 #else 2196 char addr_buf[INET_ADDRSTRLEN + 1 + 16 + 1]; 2197 #endif 2198 2199 if((atsign=strrchr(search_ifa, '@')) != NULL) { 2200 if(strlen(ifa->ifa_name) != (size_t)(atsign-search_ifa) 2201 || strncmp(ifa->ifa_name, search_ifa, 2202 atsign-search_ifa) != 0) 2203 continue; 2204 } else { 2205 if(strcmp(ifa->ifa_name, search_ifa) != 0) 2206 continue; 2207 atsign = ""; 2208 } 2209 2210 if(ifa->ifa_addr == NULL) 2211 continue; 2212 2213 family = ifa->ifa_addr->sa_family; 2214 if(family == AF_INET) { 2215 char a4[INET_ADDRSTRLEN + 1]; 2216 struct sockaddr_in *in4 = (struct sockaddr_in *) 2217 ifa->ifa_addr; 2218 if(!inet_ntop(family, &in4->sin_addr, a4, sizeof(a4))) 2219 error("inet_ntop"); 2220 snprintf(addr_buf, sizeof(addr_buf), "%s%s", 2221 a4, atsign); 2222 } 2223 #ifdef INET6 2224 else if(family == AF_INET6) { 2225 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) 2226 ifa->ifa_addr; 2227 char a6[INET6_ADDRSTRLEN + 1]; 2228 char if_index_name[IF_NAMESIZE + 1]; 2229 if_index_name[0] = 0; 2230 if(!inet_ntop(family, &in6->sin6_addr, a6, sizeof(a6))) 2231 error("inet_ntop"); 2232 if_indextoname(in6->sin6_scope_id, 2233 (char *)if_index_name); 2234 if (strlen(if_index_name) != 0) { 2235 snprintf(addr_buf, sizeof(addr_buf), 2236 "%s%%%s%s", a6, if_index_name, atsign); 2237 } else { 2238 snprintf(addr_buf, sizeof(addr_buf), "%s%s", 2239 a6, atsign); 2240 } 2241 } 2242 #endif 2243 else { 2244 continue; 2245 } 2246 VERBOSITY(4, (LOG_INFO, "interface %s has address %s", 2247 search_ifa, addr_buf)); 2248 2249 *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); 2250 (*ip_addresses)[*ip_addresses_size] = xstrdup(addr_buf); 2251 (*ip_addresses_size)++; 2252 } 2253 2254 if (*ip_addresses_size == last_ip_addresses_size) { 2255 *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); 2256 (*ip_addresses)[*ip_addresses_size] = xstrdup(search_ifa); 2257 (*ip_addresses_size)++; 2258 } 2259 } 2260 2261 static void 2262 resolve_interface_names_for_ref(struct ip_address_option** ip_addresses_ref, 2263 struct ifaddrs *addrs, region_type* region) 2264 { 2265 struct ip_address_option *ip_addr; 2266 struct ip_address_option *last = NULL; 2267 struct ip_address_option *first = NULL; 2268 2269 /* replace the list of ip_adresses with a new list where the 2270 * interface names are replaced with their ip-address strings 2271 * from getifaddrs. An interface can have several addresses. */ 2272 for(ip_addr = *ip_addresses_ref; ip_addr; ip_addr = ip_addr->next) { 2273 char **ip_addresses = NULL; 2274 size_t ip_addresses_size = 0, i; 2275 resolve_ifa_name(addrs, ip_addr->address, &ip_addresses, 2276 &ip_addresses_size); 2277 2278 for (i = 0; i < ip_addresses_size; i++) { 2279 struct ip_address_option *current; 2280 /* this copies the range_option, dev, and fib from 2281 * the original ip_address option to the new ones 2282 * with the addresses spelled out by resolve_ifa_name*/ 2283 current = region_alloc_init(region, ip_addr, 2284 sizeof(*ip_addr)); 2285 current->address = region_strdup(region, 2286 ip_addresses[i]); 2287 current->next = NULL; 2288 free(ip_addresses[i]); 2289 2290 if(first == NULL) { 2291 first = current; 2292 } else { 2293 last->next = current; 2294 } 2295 last = current; 2296 } 2297 free(ip_addresses); 2298 } 2299 *ip_addresses_ref = first; 2300 2301 } 2302 #endif /* HAVE_GETIFADDRS */ 2303 2304 void 2305 resolve_interface_names(struct nsd_options* options) 2306 { 2307 #ifdef HAVE_GETIFADDRS 2308 struct ifaddrs *addrs; 2309 2310 if(getifaddrs(&addrs) == -1) 2311 error("failed to list interfaces"); 2312 2313 resolve_interface_names_for_ref(&options->ip_addresses, 2314 addrs, options->region); 2315 resolve_interface_names_for_ref(&options->control_interface, 2316 addrs, options->region); 2317 2318 freeifaddrs(addrs); 2319 #else 2320 (void)options; 2321 #endif /* HAVE_GETIFADDRS */ 2322 } 2323