#include <isc/lang.h>
#include <isc/magic.h>
#include <isc/netaddr.h>
#include <isc/refcount.h>
#include <dns/name.h>
#include <dns/types.h>
#include <dns/iptable.h>
Data Structures | |
struct | dns_aclipprefix |
struct | dns_aclelement |
struct | dns_acl |
struct | dns_aclenv |
Defines | |
#define | DNS_ACL_H 1 |
#define | node_count iptable->radix->num_added_node |
#define | DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l') |
#define | DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) |
Typedefs | |
typedef struct dns_aclipprefix | dns_aclipprefix_t |
Enumerations | |
enum | dns_aclelementtype_t { dns_aclelementtype_ipprefix, dns_aclelementtype_keyname, dns_aclelementtype_nestedacl, dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_any } |
Functions | |
ISC_LANG_BEGINDECLS isc_result_t | dns_acl_create (isc_mem_t *mctx, int n, dns_acl_t **target) |
Create a new ACL, including an IP table and an element array with room for 'n' ACL elements. The elements are left uninitialized and the element count ('length') starts at 0: callers must fully initialize each element before incrementing the count, since matching walks only the first 'length' entries. | |
isc_result_t | dns_acl_any (isc_mem_t *mctx, dns_acl_t **target) |
Create a new ACL that matches everything. | |
isc_result_t | dns_acl_none (isc_mem_t *mctx, dns_acl_t **target) |
Create a new ACL that matches nothing. | |
isc_boolean_t | dns_acl_isany (dns_acl_t *acl) |
Test whether ACL is set to "{ any; }". | |
isc_boolean_t | dns_acl_isnone (dns_acl_t *acl) |
Test whether ACL is set to "{ none; }". | |
isc_result_t | dns_acl_merge (dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos) |
Merge the contents of one ACL into another: call dns_iptable_merge() for the IP tables, then append the source element array to the destination's. Whether the merged entries keep or reverse their sense is controlled by 'pos' (see the full description below). | |
void | dns_acl_attach (dns_acl_t *source, dns_acl_t **target) |
Attach to acl 'source'. | |
void | dns_acl_detach (dns_acl_t **aclp) |
Detach the ACL. The final detach destroys it, so at that point the ACL must not still be linked on any list. | |
isc_boolean_t | dns_acl_isinsecure (const dns_acl_t *a) |
Return ISC_TRUE iff the ACL 'a' is considered insecure, that is, if it contains IP addresses other than those of the local host. This is a heuristic intended for applications such as printing warning messages about suspect (overly permissive) ACLs; it is NOT intended for making access-control decisions. There is no guarantee that an ACL for which this function returns ISC_FALSE is safe. | |
isc_result_t | dns_aclenv_init (isc_mem_t *mctx, dns_aclenv_t *env) |
Initialize ACL environment, setting up localhost and localnets ACLs. | |
void | dns_aclenv_copy (dns_aclenv_t *t, dns_aclenv_t *s) |
void | dns_aclenv_destroy (dns_aclenv_t *env) |
isc_result_t | dns_acl_match (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const dns_acl_t *acl, const dns_aclenv_t *env, int *match, const dns_aclelement_t **matchelt) |
isc_result_t | dns_acl_match2 (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_acl_t *acl, const dns_aclenv_t *env, int *match, const dns_aclelement_t **matchelt) |
General, low-level ACL matching. This is expected to be useful even for non-access-control uses such as the topology and sortlist statements. | |
isc_boolean_t | dns_aclelement_match (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt) |
isc_boolean_t | dns_aclelement_match2 (const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner, const isc_netaddr_t *ecs, isc_uint8_t ecslen, isc_uint8_t *scope, const dns_aclelement_t *e, const dns_aclenv_t *env, const dns_aclelement_t **matchelt) |
Like dns_acl_match, but matches against the single ACL element 'e' rather than a complete ACL, and returns ISC_TRUE iff it matched. The return value says only that 'e' matched; whether that match is positive or negative must be read from e->negative. |
Definition in file acl.h.
#define DNS_ACL_MAGIC ISC_MAGIC('D','a','c','l') |
#define DNS_ACL_VALID | ( | a | ) | ISC_MAGIC_VALID(a, DNS_ACL_MAGIC) |
Definition at line 111 of file acl.h.
Referenced by cfg_acl_fromconfig2(), dns_acl_attach(), and dns_acl_detach().
typedef struct dns_aclipprefix dns_aclipprefix_t |
enum dns_aclelementtype_t |
ISC_LANG_BEGINDECLS isc_result_t dns_acl_create | ( | isc_mem_t * | mctx, | |
int | n, | |||
dns_acl_t ** | target | |||
) |
Create a new ACL, including an IP table and an element array with room for 'n' ACL elements. The elements are left uninitialized and the element count ('length') starts at 0: callers must fully initialize each element before incrementing the count, since matching walks only the first 'length' entries.
Definition at line 37 of file acl.c.
References dns_acl::alloc, cleanup(), dns_acl_detach(), DNS_ACL_MAGIC, dns_iptable_create(), dns_acl::elements, dns_acl::has_negatives, dns_acl::iptable, ISC_FALSE, ISC_LINK_INIT, isc_mem_attach(), isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, isc_refcount_init(), dns_acl::length, dns_acl::magic, dns_acl::mctx, dns_acl::name, and dns_acl::refcount.
Referenced by add_listenelt(), cfg_acl_fromconfig2(), clearacl(), dns_acl_anyornone(), and dns_aclenv_init().
isc_result_t dns_acl_any | ( | isc_mem_t * | mctx, | |
dns_acl_t ** | target | |||
) |
Create a new ACL that matches everything.
Definition at line 123 of file acl.c.
References dns_acl_anyornone(), and ISC_FALSE.
Referenced by add_listener(), ns_listenlist_default(), and update_listener().
isc_result_t dns_acl_none | ( | isc_mem_t * | mctx, | |
dns_acl_t ** | target | |||
) |
Create a new ACL that matches nothing.
Definition at line 131 of file acl.c.
References dns_acl_anyornone(), and ISC_TRUE.
Referenced by add_keydata_zone(), configure_view(), and ns_listenlist_default().
isc_boolean_t dns_acl_isany | ( | dns_acl_t * | acl | ) |
Test whether ACL is set to "{ any; }".
Definition at line 167 of file acl.c.
References dns_acl_isanyornone(), and ISC_TRUE.
Referenced by listenon_is_ip6_any().
isc_boolean_t dns_acl_isnone | ( | dns_acl_t * | acl | ) |
Test whether ACL is set to "{ none; }".
Definition at line 176 of file acl.c.
References dns_acl_isanyornone(), and ISC_FALSE.
Referenced by check_filteraaaa(), check_recursionacls(), check_zoneconf(), dns_zone_isdynamic(), and set_resigntime().
isc_result_t dns_acl_merge | ( | dns_acl_t * | dest, | |
dns_acl_t * | source, | |||
isc_boolean_t | pos | |||
) |
Merge the contents of one ACL into another. Call dns_iptable_merge() for the IP tables, then concatenate the element arrays.
If 'pos' is ISC_FALSE, the nested ACL is being merged in negated form. This reverses the sense of each *positive* element and IP-table node from the source, but leaves elements that are already negative alone, so that a double negative cannot turn into an unexpected positive match in the parent ACL (i.e., a negated nested ACL can only ever exclude, never admit, addresses).
Definition at line 325 of file acl.c.
References dns_acl::alloc, dns_acl_attach(), dns_aclelementtype_keyname, dns_aclelementtype_nestedacl, dns_iptable_merge(), dns_name_dup(), dns_name_init(), dns_acl::elements, dns_acl::iptable, isc_mem_get, isc_mem_put, ISC_R_NOMEMORY, ISC_R_SUCCESS, ISC_TRUE, dns_aclelement::keyname, dns_acl::length, dns_acl::mctx, dns_aclelement::negative, dns_aclelement::nestedacl, dns_aclelement::node_num, and dns_aclelement::type.
Referenced by cfg_acl_fromconfig2().
void dns_acl_attach(dns_acl_t *source, dns_acl_t **target): attach to ACL 'source', incrementing its reference count and storing the pointer in '*target'.
Requires: 'source' to satisfy DNS_ACL_VALID (enforced with REQUIRE, per the references below); any further preconditions were not recovered from the extracted page.
Definition at line 529 of file acl.c.
References DNS_ACL_VALID, isc_refcount_increment, dns_acl::refcount, and REQUIRE.
Referenced by add_listener(), cfg_acl_fromconfig2(), clearacl(), configure_view(), configure_zone_acl(), convert_named_acl(), dns_acl_merge(), dns_aclenv_copy(), dns_dispatchmgr_setblackhole(), dns_dns64_create(), dns_zone_setforwardacl(), dns_zone_setnotifyacl(), dns_zone_setqueryacl(), dns_zone_setqueryonacl(), dns_zone_setupdateacl(), dns_zone_setxfracl(), and update_listener().
void dns_acl_detach | ( | dns_acl_t ** | aclp | ) |
Detach the ACL. The final detach destroys it, so at that point the ACL must not still be linked on any list.
Requires: '*aclp' to satisfy DNS_ACL_VALID (enforced with REQUIRE, per the references below); any further preconditions were not recovered from the extracted page.
Definition at line 563 of file acl.c.
References destroy(), DNS_ACL_VALID, isc_refcount_decrement, dns_acl::refcount, and REQUIRE.
Referenced by add_keydata_zone(), add_listenelt(), add_listener(), bind9_check_controls(), cfg_acl_fromconfig2(), cfg_aclconfctx_detach(), check_dns64(), check_filteraaaa(), check_recursionacls(), check_zoneconf(), checkacl(), clearacl(), configure_view(), configure_view_acl(), configure_view_sortlist(), configure_zone_acl(), count_acl_elements(), destroy(), destroy_listener(), destroy_mgr(), dns_acl_anyornone(), dns_acl_create(), dns_aclenv_copy(), dns_aclenv_destroy(), dns_aclenv_init(), dns_dispatchmgr_setblackhole(), dns_dns64_destroy(), dns_rrl_view_destroy(), dns_zone_clearforwardacl(), dns_zone_clearnotifyacl(), dns_zone_clearqueryacl(), dns_zone_clearqueryonacl(), dns_zone_clearupdateacl(), dns_zone_clearxfracl(), dns_zone_setforwardacl(), dns_zone_setnotifyacl(), dns_zone_setqueryacl(), dns_zone_setqueryonacl(), dns_zone_setupdateacl(), dns_zone_setxfracl(), free_listener(), ns_listenelt_destroy(), ns_listenlist_default(), shutdown_server(), update_listener(), and zone_free().
isc_boolean_t dns_acl_isinsecure | ( | const dns_acl_t * | a | ) |
Return ISC_TRUE iff the ACL 'a' is considered insecure, that is, if it contains IP addresses other than those of the local host. This is a heuristic intended for applications such as printing warning messages about suspect (overly permissive) ACLs; it is NOT intended for making access-control decisions. There is no guarantee that an ACL for which this function returns ISC_FALSE is safe.
Definition at line 630 of file acl.c.
References dns_acl_isinsecure(), dns_aclelementtype_keyname, dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_nestedacl, dns_acl::elements, initialize_action(), insecure_prefix_found, insecure_prefix_lock, insecure_prefix_once, INSIST, dns_acl::iptable, is_insecure(), ISC_FALSE, isc_once_do, ISC_R_SUCCESS, isc_radix_process(), ISC_TRUE, dns_acl::length, LOCK, dns_aclelement::negative, dns_aclelement::nestedacl, dns_iptable::radix, RUNTIME_CHECK, dns_aclelement::type, and UNLOCK.
Referenced by dns_acl_isinsecure(), and ns_zone_configure().
isc_result_t dns_aclenv_init | ( | isc_mem_t * | mctx, | |
dns_aclenv_t * | env | |||
) |
Initialize ACL environment, setting up localhost and localnets ACLs.
Definition at line 684 of file acl.c.
References dns_acl_create(), dns_acl_detach(), ISC_FALSE, ISC_R_SUCCESS, dns_aclenv::localhost, dns_aclenv::localnets, and dns_aclenv::match_mapped.
Referenced by dns_view_create(), ns_interfacemgr_create(), and ns_server_create().
void dns_aclenv_copy | ( | dns_aclenv_t * | t, | |
dns_aclenv_t * | s | |||
) |
Definition at line 709 of file acl.c.
References dns_acl_attach(), dns_acl_detach(), dns_aclenv::localhost, dns_aclenv::localnets, and dns_aclenv::match_mapped.
Referenced by configure_view(), and scan_interfaces().
void dns_aclenv_destroy | ( | dns_aclenv_t * | env | ) |
Definition at line 721 of file acl.c.
References dns_acl_detach(), dns_aclenv::localhost, and dns_aclenv::localnets.
Referenced by destroy(), ns_interfacemgr_create(), ns_interfacemgr_destroy(), and ns_server_destroy().
isc_result_t dns_acl_match | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const dns_acl_t * | acl, | |||
const dns_aclenv_t * | env, | |||
int * | match, | |||
const dns_aclelement_t ** | matchelt | |||
) |
Definition at line 188 of file acl.c.
References dns_acl_match2().
Referenced by address_ok(), client_newconn(), client_ok(), client_request(), client_sendpkg(), dns_dns64_aaaafroma(), dns_dns64_aaaaok(), dns_rrl(), dns_zone_notifyreceive(), do_scan(), is_answeraddress_allowed(), isblackholed(), ns_sortlist_addrorder2(), possibly_mark(), and udp_recv().
isc_result_t dns_acl_match2 | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const isc_netaddr_t * | ecs, | |||
isc_uint8_t | ecslen, | |||
isc_uint8_t * | scope, | |||
const dns_acl_t * | acl, | |||
const dns_aclenv_t * | env, | |||
int * | match, | |||
const dns_aclelement_t ** | matchelt | |||
) |
General, low-level ACL matching. This is expected to be useful even for non-access-control uses such as the topology and sortlist statements.
Match the address 'reqaddr', optionally the TSIG key name 'reqsigner', and optionally the client prefix 'ecs' of length 'ecslen' (as reported in the query's EDNS Client Subnet option) against 'acl'.
'reqsigner' and 'ecs' may be NULL. If an ACL entry matches against 'ecs' and 'ecslen', then '*scope' is set to indicate the netmask that matched. Note that the ECS prefix is supplied by the querying client and is not authenticated; an ACL decision based on it reflects what the client claimed, not the verified source of the request.
If there is a match, '*match' is set to a non-zero integer whose absolute value corresponds to the order in which the matching entry was inserted into the ACL. For a positive match the value is positive; for a negated entry it is negative.
If there is no match, '*match' is set to zero.
If the match came from the element list (either positive or negative) and 'matchelt' is non-NULL, '*matchelt' is pointed at the matching element.
'env' points to the current ACL environment, including the current values of localhost and localnets and (if applicable) the GeoIP context.
Returns:
Definition at line 200 of file acl.c.
References AF_INET6, isc_radix_node::bit, isc_radix_node::data, dns_aclelement_match2(), dns_acl::elements, isc_netaddr::family, isc_netaddr::in6, IN6_IS_ADDR_V4MAPPED, dns_acl::iptable, ISC_FALSE, isc_netaddr_fromv4mapped(), ISC_R_SUCCESS, ISC_RADIX_OFF, isc_radix_search(), isc_refcount_destroy, ISC_TRUE, dns_acl::length, dns_aclenv::match_mapped, dns_aclelement::negative, NETADDR_TO_PREFIX_T, dns_aclelement::node_num, isc_radix_node::node_num, dns_iptable::radix, isc_prefix::refcount, REQUIRE, and isc_netaddr::type.
Referenced by allowed(), dns_acl_match(), dns_aclelement_match2(), and ns_client_checkaclsilent().
isc_boolean_t dns_aclelement_match | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const dns_aclelement_t * | e, | |||
const dns_aclenv_t * | env, | |||
const dns_aclelement_t ** | matchelt | |||
) |
Definition at line 434 of file acl.c.
References dns_aclelement_match2().
Referenced by ns_sortlist_addrorder1(), and ns_sortlist_setup().
isc_boolean_t dns_aclelement_match2 | ( | const isc_netaddr_t * | reqaddr, | |
const dns_name_t * | reqsigner, | |||
const isc_netaddr_t * | ecs, | |||
isc_uint8_t | ecslen, | |||
isc_uint8_t * | scope, | |||
const dns_aclelement_t * | e, | |||
const dns_aclenv_t * | env, | |||
const dns_aclelement_t ** | matchelt | |||
) |
Like dns_acl_match, but matches against the single ACL element 'e' rather than a complete ACL, and returns ISC_TRUE iff it matched.
The return value says only that 'e' matched; to determine whether the match was positive or negative, the caller must examine e->negative. Since 'e' may be a reference to a named ACL or a nested ACL, the matching element returned through 'matchelt' is not necessarily 'e' itself.
Definition at line 445 of file acl.c.
References dns_acl_match2(), dns_aclelementtype_keyname, dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_nestedacl, dns_geoip_match(), dns_name_equal(), INSIST, ISC_FALSE, ISC_R_SUCCESS, ISC_TRUE, dns_aclelement::keyname, dns_aclenv::localhost, dns_aclenv::localnets, dns_aclelement::nestedacl, REQUIRE, and dns_aclelement::type.
Referenced by dns_acl_match2(), and dns_aclelement_match().