
00001 /*
00002  * Copyright (C) 2004-2007, 2009, 2011, 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
00003  * Copyright (C) 1999-2002  Internet Software Consortium.
00004  *
00005  * Permission to use, copy, modify, and/or distribute this software for any
00006  * purpose with or without fee is hereby granted, provided that the above
00007  * copyright notice and this permission notice appear in all copies.
00008  *
00009  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
00010  * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
00011  * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
00012  * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
00013  * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
00014  * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
00015  * PERFORMANCE OF THIS SOFTWARE.
00016  */
00017 
00018 /* $Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp $ */
00019 
00020 #ifndef DNS_ACL_H
00021 #define DNS_ACL_H 1
00022 
00023 /*****
00024  ***** Module Info
00025  *****/
00026 
00027 /*! \file dns/acl.h
00028  * \brief
00029  * Address match list handling.
00030  */
00031 
00032 /***
00033  *** Imports
00034  ***/
00035 
00036 #include <isc/lang.h>
00037 #include <isc/magic.h>
00038 #include <isc/netaddr.h>
00039 #include <isc/refcount.h>
00040 
00041 #ifdef HAVE_GEOIP
00042 #include <dns/geoip.h>
00043 #endif
00044 #include <dns/name.h>
00045 #include <dns/types.h>
00046 #include <dns/iptable.h>
00047 
00048 #ifdef HAVE_GEOIP
00049 #include <GeoIP.h>
00050 #endif
00051 
00052 /***
00053  *** Types
00054  ***/
00055 
/*
 * Kinds of element an address match list can contain.  Each entry of a
 * dns_acl_t is one of these, optionally negated (see dns_aclelement).
 *
 * NOTE(review): dns_aclelementtype_geoip exists only when HAVE_GEOIP is
 * defined, so the numeric value of dns_aclelementtype_any differs between
 * GeoIP and non-GeoIP builds.  Never persist or exchange these values
 * between differently configured binaries.
 */
typedef enum {
        dns_aclelementtype_ipprefix,    /* address + prefix length (dns_aclipprefix);
                                           appears to live in dns_acl.iptable rather
                                           than the element array -- confirm in acl.c */
        dns_aclelementtype_keyname,     /* match on the signing key name
                                           (dns_aclelement.keyname vs. 'reqsigner') */
        dns_aclelementtype_nestedacl,   /* reference to another ACL
                                           (dns_aclelement.nestedacl) */
        dns_aclelementtype_localhost,   /* expands to dns_aclenv.localhost */
        dns_aclelementtype_localnets,   /* expands to dns_aclenv.localnets */
#ifdef HAVE_GEOIP
        dns_aclelementtype_geoip,       /* GeoIP lookup (dns_aclelement.geoip_elem) */
#endif /* HAVE_GEOIP */
        dns_aclelementtype_any          /* matches everything; see dns_acl_any() */
} dns_aclelementtype_t;
00067 
typedef struct dns_aclipprefix dns_aclipprefix_t;

/*
 * One address/prefix-length entry of an address match list, i.e. a
 * single "a.b.c.d/n" or "x::y/n" term.
 */
struct dns_aclipprefix {
        isc_netaddr_t address; /* IP4/IP6 */
        unsigned int prefixlen; /* leading bits of 'address' that must match.
                                   NOTE(review): nothing here bounds this to
                                   32 (IPv4) / 128 (IPv6); whoever fills it
                                   in from configuration must validate it. */
};
00074 
/*
 * One element of an ACL's element array.  Which of the payload fields
 * is meaningful depends on 'type'.  (There is no address/prefix field
 * here; prefix entries appear to be kept in dns_acl.iptable instead --
 * confirm in acl.c.)
 */
struct dns_aclelement {
        dns_aclelementtype_t    type;
        isc_boolean_t           negative;   /* ISC_TRUE for a "!" element: a
                                               match means deny, not permit;
                                               see dns_aclelement_match() */
        dns_name_t              keyname;    /* for dns_aclelementtype_keyname:
                                               compared by name against the
                                               'reqsigner' given to
                                               dns_acl_match().  NOTE(review):
                                               nothing declared in this header
                                               verifies a signature; the caller
                                               must only pass a signer name it
                                               has already authenticated. */
#ifdef HAVE_GEOIP
        dns_geoip_elem_t        geoip_elem; /* for dns_aclelementtype_geoip */
#endif /* HAVE_GEOIP */
        dns_acl_t               *nestedacl; /* for dns_aclelementtype_nestedacl;
                                               presumably a counted reference
                                               (dns_acl_attach) -- confirm */
        int                     node_num;   /* NOTE(review): presumably the
                                               insertion-order number that
                                               dns_acl_match() reports through
                                               '*match' -- confirm in acl.c */
};
00085 
/*
 * An address match list.  ACLs are reference counted: take a reference
 * with dns_acl_attach() and release it with dns_acl_detach().  Address/
 * prefix entries appear to be kept in 'iptable', every other element
 * kind in the 'elements' array (see dns_acl_merge()).
 */
struct dns_acl {
        unsigned int            magic;          /*%< DNS_ACL_MAGIC while live; checked by DNS_ACL_VALID() */
        isc_mem_t               *mctx;          /*%< Memory context the ACL was created from */
        isc_refcount_t          refcount;       /*%< Outstanding references */
        dns_iptable_t           *iptable;       /*%< Radix tree of address/prefix entries */
        /*
         * NOTE(review): 'node_count' is an ordinary preprocessor macro,
         * not a struct member.  Nothing in this header #undef's it, so
         * it silently rewrites every later use of the identifier
         * 'node_count' in any translation unit that includes dns/acl.h.
         * It is only meaningful as acl->node_count.
         */
#define node_count              iptable->radix->num_added_node
        dns_aclelement_t        *elements;      /*%< Non-address elements */
        isc_boolean_t           has_negatives;  /*%< Presumably set when any element or node is negated -- confirm */
        unsigned int            alloc;          /*%< Elements allocated */
        unsigned int            length;         /*%< Elements initialized (expected <= alloc) */
        char                    *name;          /*%< Temporary use only */
        ISC_LINK(dns_acl_t)     nextincache;    /*%< Ditto */
};
00099 
/*
 * ACL matching environment: the ACLs that the "localhost" and "localnets"
 * element types expand to, plus matching options.  Passed as 'env' to
 * dns_acl_match() and dns_aclelement_match(); set up with
 * dns_aclenv_init() and torn down with dns_aclenv_destroy().
 */
struct dns_aclenv {
        dns_acl_t *localhost;           /* matched by dns_aclelementtype_localhost */
        dns_acl_t *localnets;           /* matched by dns_aclelementtype_localnets */
        isc_boolean_t match_mapped;     /* NOTE(review): presumably whether
                                           IPv4-mapped IPv6 addresses
                                           (::ffff:a.b.c.d) are matched as
                                           IPv4 -- confirm in acl.c */
#ifdef HAVE_GEOIP
        dns_geoip_databases_t *geoip;   /* GeoIP databases used by geoip elements */
        isc_boolean_t geoip_use_ecs;    /* presumably: look up the EDNS
                                           client-subnet prefix instead of
                                           the source address.  NOTE(review):
                                           the ECS prefix is supplied by the
                                           querier and is not authenticated,
                                           so an ACL decision based on it is
                                           not a trustworthy access-control
                                           boundary. */
#endif
};
00109 
/*
 * Magic number stored in dns_acl.magic.  DNS_ACL_VALID(a) is a cheap
 * sanity check on a pointer (use it in preconditions); it does not prove
 * the caller holds a reference to the ACL.
 */
#define DNS_ACL_MAGIC           ISC_MAGIC('D','a','c','l')
#define DNS_ACL_VALID(a)        ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
00112 
00113 /***
00114  *** Functions
00115  ***/
00116 
00117 ISC_LANG_BEGINDECLS
00118 
isc_result_t
dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
/*%<
 * Create a new ACL, including an IP table and an array with room
 * for 'n' ACL elements.  The elements are uninitialized and the
 * length is 0.
 *
 * The reference returned in '*target' is owned by the caller and is
 * expected to be released with dns_acl_detach().
 *
 * NOTE(review): 'n' is a signed int and no bound is documented here.
 * Confirm in acl.c how a negative or very large value is handled before
 * passing a count derived from untrusted configuration.
 */
00126 
isc_result_t
dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches everything, i.e. "{ any; }"
 * (see dns_acl_isany()).  The reference in '*target' is released with
 * dns_acl_detach().
 *
 * This is the most permissive ACL possible; use it as a default only
 * where open access is actually intended, and prefer dns_acl_none()
 * as the starting point for anything that grants a privilege.
 */
00132 
isc_result_t
dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches nothing, i.e. "{ none; }"
 * (see dns_acl_isnone()).  The reference in '*target' is released with
 * dns_acl_detach().  This is the safe default for any option that
 * grants a privilege.
 */
00138 
isc_boolean_t
dns_acl_isany(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ any; }"
 *
 * NOTE(review): this is described as a test of how the ACL is *set*,
 * not of what it matches; whether a semantically equivalent list
 * (e.g. 0.0.0.0/0 plus ::/0) is recognised is not stated here.  Do not
 * make an access-control decision on this result -- use dns_acl_match().
 */
00144 
isc_boolean_t
dns_acl_isnone(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ none; }"
 *
 * NOTE(review): as with dns_acl_isany(), this tests how the ACL is set,
 * not what it matches; an ACL for which this returns ISC_FALSE may still
 * match nothing.  Use dns_acl_match() for actual access decisions.
 */
00150 
isc_result_t
dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
/*%<
 * Merge the contents of one ACL into another.  Call dns_iptable_merge()
 * for the IP tables, then concatenate the element arrays.
 *
 * If pos is set to false, then the nested ACL is to be negated.  This
 * means reverse the sense of each *positive* element or IP table node,
 * but leave negatives alone, so as to prevent a double-negative causing
 * an unexpected positive match in the parent ACL.
 *
 * Consequently an element that is already negated in 'source' is still
 * a deny after being merged under a negation; "!{ !x; }" never turns
 * into a permit for x.
 *
 * NOTE(review): whether 'dest' takes its own references to the nested
 * ACLs of 'source', and what happens to 'dest' if the merge fails part
 * way through, is not stated here -- confirm in acl.c.
 */
00162 
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
/*%<
 * Attach to acl 'source': take an additional reference on it and
 * store the ACL in '*target'.  Every attach must be balanced by a
 * dns_acl_detach().
 *
 * Requires:
 *\li   'source' to be a valid acl.
 *\li   'target' to be non NULL and '*target' to be NULL.
 */
00172 
void
dns_acl_detach(dns_acl_t **aclp);
/*%<
 * Detach the acl. On final detach the acl must not be linked on any
 * list (presumably this refers to the 'nextincache' link).  Presumably
 * '*aclp' is set to NULL on return, as with other ISC detach functions
 * -- confirm in acl.c.
 *
 * Requires:
 *\li   '*aclp' to be a valid acl.
 *
 * Insists:
 *\li   '*aclp' is not linked on final detach.
 */
00185 
isc_boolean_t
dns_acl_isinsecure(const dns_acl_t *a);
/*%<
 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
 * if it contains IP addresses other than those of the local host.
 * This is intended for applications such as printing warning
 * messages for suspect ACLs; it is not intended for making access
 * control decisions.  We make no guarantee that an ACL for which
 * this function returns #ISC_FALSE is safe.
 *
 * NOTE(review): the description covers IP addresses only; how keyname,
 * nested, geoip and "any" elements are classified is not stated here.
 * Treat the result as a heuristic for diagnostics and nothing more.
 */
00196 
isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
/*%<
 * Initialize ACL environment, setting up localhost and localnets ACLs.
 * The matching teardown is dns_aclenv_destroy().
 *
 * NOTE(review): what the localhost/localnets ACLs initially contain
 * (e.g. whether they are empty until interfaces are scanned) is not
 * stated here -- confirm in acl.c before relying on them immediately
 * after init.
 */
00202 
void
dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
/*%<
 * Copy ACL environment 's' into 't' (parameter names suggest
 * target/source -- confirm in acl.c).
 *
 * NOTE(review): whether the localhost/localnets ACLs are attached into
 * 't' (reference counted) or merely pointer-copied is not visible here;
 * confirm before destroying either environment while the other is in
 * use.
 */
00205 
void
dns_aclenv_destroy(dns_aclenv_t *env);
/*%<
 * Tear down an ACL environment set up by dns_aclenv_init(), presumably
 * releasing its localhost and localnets ACLs (and, with HAVE_GEOIP,
 * any GeoIP state) -- confirm in acl.c.
 */
00208 
00209 isc_result_t
00210 dns_acl_match(const isc_netaddr_t *reqaddr,
00211               const dns_name_t *reqsigner,
00212               const dns_acl_t *acl,
00213               const dns_aclenv_t *env,
00214               int *match,
00215               const dns_aclelement_t **matchelt);
00216 
00217 isc_result_t
00218 dns_acl_match2(const isc_netaddr_t *reqaddr,
00219                const dns_name_t *reqsigner,
00220                const isc_netaddr_t *ecs,
00221                isc_uint8_t ecslen,
00222                isc_uint8_t *scope,
00223                const dns_acl_t *acl,
00224                const dns_aclenv_t *env,
00225                int *match,
00226                const dns_aclelement_t **matchelt);
00227 /*%<
00228  * General, low-level ACL matching.  This is expected to
00229  * be useful even for weird stuff like the topology and sortlist statements.
00230  *
00231  * Match the address 'reqaddr', and optionally the key name 'reqsigner',
00232  * and optionally the client prefix 'ecs' of length 'ecslen'
00233  * (reported via EDNS client subnet option) against 'acl'.
00234  *
00235  * 'reqsigner' and 'ecs' may be NULL.  If an ACL matches against 'ecs'
00236  * and 'ecslen', then 'scope' will be set to indicate the netmask that
00237  * matched.
00238  *
00239  * If there is a match, '*match' will be set to an integer whose absolute
00240  * value corresponds to the order in which the matching value was inserted
00241  * into the ACL.  For a positive match, this value will be positive; for a
00242  * negative match, it will be negative.
00243  *
00244  * If there is no match, *match will be set to zero.
00245  *
00246  * If there is a match in the element list (either positive or negative)
00247  * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
00248  * element.
00249  *
00250  * 'env' points to the current ACL environment, including the
00251  * current values of localhost and localnets and (if applicable)
00252  * the GeoIP context.
00253  *
00254  * Returns:
00255  *\li   #ISC_R_SUCCESS          Always succeeds.
00256  */
00257 
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
                     const dns_name_t *reqsigner,
                     const dns_aclelement_t *e,
                     const dns_aclenv_t *env,
                     const dns_aclelement_t **matchelt);

isc_boolean_t
dns_aclelement_match2(const isc_netaddr_t *reqaddr,
                      const dns_name_t *reqsigner,
                      const isc_netaddr_t *ecs,
                      isc_uint8_t ecslen,
                      isc_uint8_t *scope,
                      const dns_aclelement_t *e,
                      const dns_aclenv_t *env,
                      const dns_aclelement_t **matchelt);
/*%<
 * Like dns_acl_match, but matches against the single ACL element 'e'
 * rather than a complete ACL, and returns ISC_TRUE iff it matched.
 *
 * To determine whether the match was positive or negative, the
 * caller should examine e->negative.  Since the element 'e' may be
 * a reference to a named ACL or a nested ACL, a matching element
 * returned through 'matchelt' is not necessarily 'e' itself.
 *
 * In other words, ISC_TRUE by itself does not mean "permitted": for an
 * element with e->negative set, ISC_TRUE means the element denies.
 * The caveats given for dns_acl_match2() apply here as well --
 * 'reqsigner' is a name comparison with no signature verification in
 * this module, and 'ecs' is client-supplied and unauthenticated.
 *
 * dns_aclelement_match() is presumably dns_aclelement_match2() with
 * 'ecs' NULL -- confirm in acl.c.
 */
00283 
00284 ISC_LANG_ENDDECLS
00285 
00286 #endif /* DNS_ACL_H */
