#include <config.h>
#include <isc/mem.h>
#include <isc/once.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/acl.h>
#include <dns/iptable.h>
Functions
isc_result_t | dns_acl_create (isc_mem_t *mctx, int n, dns_acl_t **target) |
Create a new ACL, including an IP table and an array with room for 'n' ACL elements. The elements are uninitialized and the length is 0. | |
static isc_result_t | dns_acl_anyornone (isc_mem_t *mctx, isc_boolean_t neg, dns_acl_t **target) |
isc_result_t | dns_acl_any (isc_mem_t *mctx, dns_acl_t **target) |
Create a new ACL that matches everything. | |
isc_result_t | dns_acl_none (isc_mem_t *mctx, dns_acl_t **target) |
Create a new ACL that matches nothing. | |
static isc_boolean_t | dns_acl_isanyornone (dns_acl_t *acl, isc_boolean_t pos) |
isc_boolean_t | dns_acl_isany (dns_acl_t *acl) |
Test whether ACL is set to "{ any; }". | |
isc_boolean_t | dns_acl_isnone (dns_acl_t *acl) |
Test whether ACL is set to "{ none; }". | |
isc_result_t | dns_acl_match (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const dns_acl_t *acl, const dns_aclenv_t *env, int *match, const dns_aclelement_t **matchelt) |
isc_result_t | dns_acl_match2 (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_acl_t *acl, const dns_aclenv_t *env, int *match, const dns_aclelement_t **matchelt) |
General, low-level ACL matching. This is expected to be useful even for weird stuff like the topology and sortlist statements. | |
isc_result_t | dns_acl_merge (dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos) |
Merge the contents of one ACL into another. Call dns_iptable_merge() for the IP tables, then concatenate the element arrays. | |
isc_boolean_t | dns_aclelement_match (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt) |
isc_boolean_t | dns_aclelement_match2 (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt) |
Like dns_acl_match, but matches against the single ACL element 'e' rather than a complete ACL, and returns ISC_TRUE iff it matched. | |
void | dns_acl_attach (dns_acl_t *source, dns_acl_t **target) |
Attach to acl 'source'. | |
static void | destroy (dns_acl_t *dacl) |
void | dns_acl_detach (dns_acl_t **aclp) |
Detach the acl. On final detach the acl must not be linked on any list. | |
static void | initialize_action (void) |
static void | is_insecure (isc_prefix_t *prefix, void **data) |
isc_boolean_t | dns_acl_isinsecure (const dns_acl_t *a) |
Return ISC_TRUE iff the acl 'a' is considered insecure, that is, if it contains IP addresses other than those of the local host. This is intended for applications such as printing warning messages for suspect ACLs; it is not intended for making access control decisions. We make no guarantee that an ACL for which this function returns ISC_FALSE is safe. | |
isc_result_t | dns_aclenv_init (isc_mem_t *mctx, dns_aclenv_t *env) |
Initialize ACL environment, setting up localhost and localnets ACLs. | |
void | dns_aclenv_copy (dns_aclenv_t *t, dns_aclenv_t *s) |
void | dns_aclenv_destroy (dns_aclenv_t *env) |
Variables
static isc_once_t | insecure_prefix_once = ISC_ONCE_INIT |
static isc_mutex_t | insecure_prefix_lock |
static isc_boolean_t | insecure_prefix_found |
Definition in file acl.c.
isc_result_t dns_acl_create | ( | isc_mem_t * | mctx, | |
int | n, | |||
dns_acl_t ** | target | |||
) |
Create a new ACL, including an IP table and an array with room for 'n' ACL elements. The elements are uninitialized and the length is 0.
Definition at line 37 of file acl.c.
References dns_acl::alloc, cleanup(), dns_acl_detach(), DNS_ACL_MAGIC, dns_iptable_create(), dns_acl::elements, dns_acl::has_negatives, dns_acl::iptable, ISC_FALSE, ISC_LINK_INIT, isc_mem_attach(), isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_refcount_init(), dns_acl::length, dns_acl::magic, dns_acl::mctx, dns_acl::name, and dns_acl::refcount.
Referenced by add_listenelt(), cfg_acl_fromconfig2(), clearacl(), dns_acl_anyornone(), and dns_aclenv_init().
static isc_result_t dns_acl_anyornone | ( | isc_mem_t * | mctx, | |
isc_boolean_t | neg, | |||
dns_acl_t ** | target | |||
) | [static] |
Definition at line 101 of file acl.c.
References dns_acl_create(), dns_acl_detach(), dns_iptable_addprefix(), dns_acl::iptable, ISC_R_SUCCESS, and ISC_TF.
Referenced by dns_acl_any(), and dns_acl_none().
isc_result_t dns_acl_any | ( | isc_mem_t * | mctx, | |
dns_acl_t ** | target | |||
) |
Create a new ACL that matches everything.
Definition at line 123 of file acl.c.
References dns_acl_anyornone(), and ISC_FALSE.
Referenced by add_listener(), ns_listenlist_default(), and update_listener().
isc_result_t dns_acl_none | ( | isc_mem_t * | mctx, | |
dns_acl_t ** | target | |||
) |
Create a new ACL that matches nothing.
Definition at line 131 of file acl.c.
References dns_acl_anyornone(), and ISC_TRUE.
Referenced by add_keydata_zone(), configure_view(), and ns_listenlist_default().
static isc_boolean_t dns_acl_isanyornone | ( | dns_acl_t * | acl, | |
isc_boolean_t | pos | |||
) | [static] |
Definition at line 140 of file acl.c.
References isc_prefix::bitlen, isc_radix_node::data, isc_radix_tree::head, dns_acl::iptable, ISC_FALSE, ISC_TRUE, dns_acl::length, isc_radix_node::prefix, and dns_iptable::radix.
Referenced by dns_acl_isany(), and dns_acl_isnone().
isc_boolean_t dns_acl_isany | ( | dns_acl_t * | acl | ) |
Test whether ACL is set to "{ any; }".
Definition at line 167 of file acl.c.
References dns_acl_isanyornone(), and ISC_TRUE.
Referenced by listenon_is_ip6_any().
isc_boolean_t dns_acl_isnone | ( | dns_acl_t * | acl | ) |
Test whether ACL is set to "{ none; }".
Definition at line 176 of file acl.c.
References dns_acl_isanyornone(), and ISC_FALSE.
Referenced by check_filteraaaa(), check_recursionacls(), check_zoneconf(), dns_zone_isdynamic(), and set_resigntime().
isc_result_t dns_acl_match | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const dns_acl_t * | acl, | |||
const dns_aclenv_t * | env, | |||
int * | match, | |||
const dns_aclelement_t ** | matchelt | |||
) |
Definition at line 188 of file acl.c.
References dns_acl_match2().
Referenced by address_ok(), client_newconn(), client_ok(), client_request(), client_sendpkg(), dns_dns64_aaaafroma(), dns_dns64_aaaaok(), dns_rrl(), dns_zone_notifyreceive(), do_scan(), is_answeraddress_allowed(), isblackholed(), ns_sortlist_addrorder2(), possibly_mark(), and udp_recv().
isc_result_t dns_acl_match2 | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const isc_netaddr_t * | ecs, | |||
isc_uint8_t | ecslen, | |||
isc_uint8_t * | scope, | |||
const dns_acl_t * | acl, | |||
const dns_aclenv_t * | env, | |||
int * | match, | |||
const dns_aclelement_t ** | matchelt | |||
) |
General, low-level ACL matching. This is expected to be useful even for weird stuff like the topology and sortlist statements.
Match the address 'reqaddr', and optionally the key name 'reqsigner', and optionally the client prefix 'ecs' of length 'ecslen' (reported via EDNS client subnet option) against 'acl'.
'reqsigner' and 'ecs' may be NULL. If an ACL matches against 'ecs' and 'ecslen', then '*scope' will be set to indicate the netmask that matched.
If there is a match, '*match' will be set to an integer whose absolute value corresponds to the order in which the matching value was inserted into the ACL. For a positive match, this value will be positive; for a negative match, it will be negative.
If there is no match, *match will be set to zero.
If there is a match in the element list (either positive or negative) and 'matchelt' is non-NULL, *matchelt will be pointed to the matching element.
'env' points to the current ACL environment, including the current values of localhost and localnets and (if applicable) the GeoIP context.
Returns:
Definition at line 200 of file acl.c.
References AF_INET6, isc_radix_node::bit, isc_radix_node::data, dns_aclelement_match2(), dns_acl::elements, isc_netaddr::family, isc_netaddr::in6, IN6_IS_ADDR_V4MAPPED, dns_acl::iptable, ISC_FALSE, isc_netaddr_fromv4mapped(), ISC_R_SUCCESS, ISC_RADIX_OFF, isc_radix_search(), isc_refcount_destroy, ISC_TRUE, dns_acl::length, dns_aclenv::match_mapped, dns_aclelement::negative, NETADDR_TO_PREFIX_T, dns_aclelement::node_num, isc_radix_node::node_num, dns_iptable::radix, isc_prefix::refcount, REQUIRE, and isc_netaddr::type.
Referenced by allowed(), dns_acl_match(), dns_aclelement_match2(), and ns_client_checkaclsilent().
isc_result_t dns_acl_merge | ( | dns_acl_t * | dest, | |
dns_acl_t * | source, | |||
isc_boolean_t | pos | |||
) |
Merge the contents of one ACL into another. Call dns_iptable_merge() for the IP tables, then concatenate the element arrays.
If pos is set to false, then the nested ACL is to be negated. This means reverse the sense of each *positive* element or IP table node, but leave negatives alone, so as to prevent a double-negative causing an unexpected positive match in the parent ACL.
Definition at line 325 of file acl.c.
References dns_acl::alloc, dns_acl_attach(), dns_aclelementtype_keyname, dns_aclelementtype_nestedacl, dns_iptable_merge(), dns_name_dup(), dns_name_init(), dns_acl::elements, dns_acl::iptable, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TRUE, dns_aclelement::keyname, dns_acl::length, dns_acl::mctx, dns_aclelement::negative, dns_aclelement::nestedacl, dns_aclelement::node_num, and dns_aclelement::type.
Referenced by cfg_acl_fromconfig2().
isc_boolean_t dns_aclelement_match | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const dns_aclelement_t * | e, | |||
const dns_aclenv_t * | env, | |||
const dns_aclelement_t ** | matchelt | |||
) |
Definition at line 434 of file acl.c.
References dns_aclelement_match2().
Referenced by ns_sortlist_addrorder1(), and ns_sortlist_setup().
isc_boolean_t dns_aclelement_match2 | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const isc_netaddr_t * | ecs, | |||
isc_uint8_t | ecslen, | |||
isc_uint8_t * | scope, | |||
const dns_aclelement_t * | e, | |||
const dns_aclenv_t * | env, | |||
const dns_aclelement_t ** | matchelt | |||
) |
Like dns_acl_match, but matches against the single ACL element 'e' rather than a complete ACL, and returns ISC_TRUE iff it matched.
To determine whether the match was positive or negative, the caller should examine e->negative. Since the element 'e' may be a reference to a named ACL or a nested ACL, a matching element returned through 'matchelt' is not necessarily 'e' itself.
Definition at line 445 of file acl.c.
References dns_acl_match2(), dns_aclelementtype_keyname, dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_nestedacl, dns_geoip_match(), dns_name_equal(), INSIST, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, dns_aclelement::keyname, dns_aclenv::localhost, dns_aclenv::localnets, dns_aclelement::nestedacl, REQUIRE, and dns_aclelement::type.
Referenced by dns_acl_match2(), and dns_aclelement_match().
dns_acl_attach: Attach to acl 'source'.
Requires:
Definition at line 529 of file acl.c.
References DNS_ACL_VALID, isc_refcount_increment, dns_acl::refcount, and REQUIRE.
Referenced by add_listener(), cfg_acl_fromconfig2(), clearacl(), configure_view(), configure_zone_acl(), convert_named_acl(), dns_acl_merge(), dns_aclenv_copy(), dns_dispatchmgr_setblackhole(), dns_dns64_create(), dns_zone_setforwardacl(), dns_zone_setnotifyacl(), dns_zone_setqueryacl(), dns_zone_setqueryonacl(), dns_zone_setupdateacl(), dns_zone_setxfracl(), and update_listener().
static void destroy | ( | dns_acl_t * | dacl | ) | [static] |
Definition at line 537 of file acl.c.
References dns_acl::alloc, dns_acl_detach(), dns_aclelementtype_keyname, dns_aclelementtype_nestedacl, dns_iptable_detach(), dns_name_free(), dns_acl::elements, INSIST, dns_acl::iptable, ISC_LINK_LINKED, isc_mem_free, isc_mem_put, isc_mem_putanddetach, isc_refcount_destroy, dns_aclelement::keyname, dns_acl::length, dns_acl::magic, dns_acl::mctx, dns_acl::name, dns_aclelement::nestedacl, dns_acl::refcount, and dns_aclelement::type.
void dns_acl_detach | ( | dns_acl_t ** | aclp | ) |
Detach the acl. On final detach the acl must not be linked on any list.
Requires:
Definition at line 563 of file acl.c.
References destroy(), DNS_ACL_VALID, isc_refcount_decrement, dns_acl::refcount, and REQUIRE.
Referenced by add_keydata_zone(), add_listenelt(), add_listener(), bind9_check_controls(), cfg_acl_fromconfig2(), cfg_aclconfctx_detach(), check_dns64(), check_filteraaaa(), check_recursionacls(), check_zoneconf(), checkacl(), clearacl(), configure_view(), configure_view_acl(), configure_view_sortlist(), configure_zone_acl(), count_acl_elements(), destroy(), destroy_listener(), destroy_mgr(), dns_acl_anyornone(), dns_acl_create(), dns_aclenv_copy(), dns_aclenv_destroy(), dns_aclenv_init(), dns_dispatchmgr_setblackhole(), dns_dns64_destroy(), dns_rrl_view_destroy(), dns_zone_clearforwardacl(), dns_zone_clearnotifyacl(), dns_zone_clearqueryacl(), dns_zone_clearqueryonacl(), dns_zone_clearupdateacl(), dns_zone_clearxfracl(), dns_zone_setforwardacl(), dns_zone_setnotifyacl(), dns_zone_setqueryacl(), dns_zone_setqueryonacl(), dns_zone_setupdateacl(), dns_zone_setxfracl(), free_listener(), ns_listenelt_destroy(), ns_listenlist_default(), shutdown_server(), update_listener(), and zone_free().
static void initialize_action | ( | void | ) | [static] |
Definition at line 581 of file acl.c.
References insecure_prefix_lock, isc_mutex_init, ISC_R_SUCCESS, and RUNTIME_CHECK.
static void is_insecure | ( | isc_prefix_t * | prefix, | |
void ** | data | |||
) | [static] |
Definition at line 590 of file acl.c.
References isc_prefix::add, AF_INET6, isc_prefix::bitlen, isc_prefix::family, IN6_IS_ADDR_LOOPBACK, INADDR_LOOPBACK, insecure_prefix_found, ISC_RADIX_OFF, ISC_TRUE, isc_prefix::sin, and isc_prefix::sin6.
Referenced by dns_acl_isinsecure().
isc_boolean_t dns_acl_isinsecure | ( | const dns_acl_t * | a | ) |
Return ISC_TRUE iff the acl 'a' is considered insecure, that is, if it contains IP addresses other than those of the local host. This is intended for applications such as printing warning messages for suspect ACLs; it is not intended for making access control decisions. We make no guarantee that an ACL for which this function returns ISC_FALSE is safe.
Definition at line 630 of file acl.c.
References dns_acl_isinsecure(), dns_aclelementtype_keyname, dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_nestedacl, dns_acl::elements, initialize_action(), insecure_prefix_found, insecure_prefix_lock, insecure_prefix_once, INSIST, dns_acl::iptable, is_insecure(), ISC_FALSE, isc_once_do, ISC_R_SUCCESS, isc_radix_process(), ISC_TRUE, dns_acl::length, LOCK, dns_aclelement::negative, dns_aclelement::nestedacl, dns_iptable::radix, RUNTIME_CHECK, dns_aclelement::type, and UNLOCK.
Referenced by dns_acl_isinsecure(), and ns_zone_configure().
isc_result_t dns_aclenv_init | ( | isc_mem_t * | mctx, | |
dns_aclenv_t * | env | |||
) |
Initialize ACL environment, setting up localhost and localnets ACLs.
Definition at line 684 of file acl.c.
References dns_acl_create(), dns_acl_detach(), ISC_FALSE, ISC_R_SUCCESS, dns_aclenv::localhost, dns_aclenv::localnets, and dns_aclenv::match_mapped.
Referenced by dns_view_create(), ns_interfacemgr_create(), and ns_server_create().
void dns_aclenv_copy | ( | dns_aclenv_t * | t, | |
dns_aclenv_t * | s | |||
) |
Definition at line 709 of file acl.c.
References dns_acl_attach(), dns_acl_detach(), dns_aclenv::localhost, dns_aclenv::localnets, and dns_aclenv::match_mapped.
Referenced by configure_view(), and scan_interfaces().
void dns_aclenv_destroy | ( | dns_aclenv_t * | env | ) |
Definition at line 721 of file acl.c.
References dns_acl_detach(), dns_aclenv::localhost, and dns_aclenv::localnets.
Referenced by destroy(), ns_interfacemgr_create(), ns_interfacemgr_destroy(), and ns_server_destroy().
isc_once_t insecure_prefix_once = ISC_ONCE_INIT [static] |
isc_mutex_t insecure_prefix_lock [static] |
isc_boolean_t insecure_prefix_found [static] |