
    1 /*
    2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
    3  *
    4  * This Source Code Form is subject to the terms of the Mozilla Public
    5  * License, v. 2.0. If a copy of the MPL was not distributed with this
    6  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
    7  *
    8  * See the COPYRIGHT file distributed with this work for additional
    9  * information regarding copyright ownership.
   10  */
   11 
   12 #ifndef DNS_ACL_H
   13 #define DNS_ACL_H 1
   14 
   15 /*****
   16  ***** Module Info
   17  *****/
   18 
   19 /*! \file dns/acl.h
   20  * \brief
   21  * Address match list handling.
   22  */
   23 
   24 /***
   25  *** Imports
   26  ***/
   27 
   28 #include <stdbool.h>
   29 
   30 #include <isc/lang.h>
   31 #include <isc/magic.h>
   32 #include <isc/netaddr.h>
   33 #include <isc/refcount.h>
   34 
   35 #ifdef HAVE_GEOIP
   36 #include <dns/geoip.h>
   37 #endif
   38 #include <dns/name.h>
   39 #include <dns/types.h>
   40 #include <dns/iptable.h>
   41 
   42 #ifdef HAVE_GEOIP
   43 #include <GeoIP.h>
   44 #endif
   45 
   46 /***
   47  *** Types
   48  ***/
   49 
/*
 * Kinds of element an address match list can hold.  Each element also
 * carries a 'negative' flag (see struct dns_aclelement below), so one
 * type covers both the plain and the negated form of a match.
 *
 * NOTE(review): because the geoip enumerator is only present when
 * HAVE_GEOIP is defined, the numeric value of dns_aclelementtype_any
 * differs between GeoIP and non-GeoIP builds; nothing outside this
 * header should depend on the integer values.
 */
typedef enum {
    dns_aclelementtype_ipprefix,    /* address + prefix length (see dns_aclipprefix) */
    dns_aclelementtype_keyname,     /* key name, matched against the request signer */
    dns_aclelementtype_nestedacl,   /* reference to another dns_acl_t */
    dns_aclelementtype_localhost,   /* the environment's 'localhost' ACL */
    dns_aclelementtype_localnets,   /* the environment's 'localnets' ACL */
#ifdef HAVE_GEOIP
    dns_aclelementtype_geoip,       /* GeoIP database lookup (HAVE_GEOIP only) */
#endif /* HAVE_GEOIP */
    dns_aclelementtype_any          /* matches everything (cf. dns_acl_any()) */
} dns_aclelementtype_t;
   61 
typedef struct dns_aclipprefix dns_aclipprefix_t;

/*
 * An IP prefix: 'address' holds the network address (IPv4 or IPv6) and
 * 'prefixlen' the number of leading bits that must match.
 *
 * NOTE(review): 'prefixlen' is an unbounded unsigned int here; the valid
 * range depends on the address family and is presumably enforced by
 * whoever builds the prefix (the config parser / dns_iptable code) --
 * confirm before relying on it.  struct dns_aclelement has no field of
 * this type; prefixes appear to be stored in dns_acl.iptable instead
 * (see dns_acl_merge()) -- confirm in acl.c.
 */
struct dns_aclipprefix {
    isc_netaddr_t address; /* IP4/IP6 */
    unsigned int prefixlen; /* significant leading bits of 'address' */
};
   68 
/*
 * One entry of an ACL's element array.  'type' selects which of the
 * payload fields is meaningful.  A match on an element with 'negative'
 * set is a negative match (see dns_acl_match2(): '*match' < 0), which
 * callers must treat as "denied", not as "no match".
 */
struct dns_aclelement {
    dns_aclelementtype_t    type;        /* which payload field below applies */
    bool        negative;    /* true if this element is negated */
    dns_name_t      keyname;     /* dns_aclelementtype_keyname: compared with 'reqsigner' */
#ifdef HAVE_GEOIP
    dns_geoip_elem_t    geoip_elem;  /* dns_aclelementtype_geoip */
#endif /* HAVE_GEOIP */
    dns_acl_t       *nestedacl;  /* dns_aclelementtype_nestedacl: the referenced ACL */
    int         node_num;    /* presumably the insertion-order number reported
                              * as |*match| by dns_acl_match() -- confirm in acl.c */
};
   79 
/*
 * An address match list.  Per dns_acl_create() and dns_acl_merge(), an
 * ACL consists of an IP table ('iptable', a radix tree of prefixes) plus
 * an array of 'length' initialised elements out of 'alloc' allocated.
 * Instances are reference counted: obtain references with
 * dns_acl_attach() and release them with dns_acl_detach(); the object is
 * destroyed on the final detach and must never be freed directly.
 */
struct dns_acl {
    unsigned int        magic;          /* DNS_ACL_MAGIC; see DNS_ACL_VALID() */
    isc_mem_t       *mctx;          /* memory context the ACL was created from */
    isc_refcount_t      refcount;       /* attach/detach count */
    dns_iptable_t       *iptable;       /* prefix entries (radix tree) */
    /*
     * NOTE(review): the next line is an object-like macro, not a field.
     * After this header is included, every bare occurrence of the
     * identifier 'node_count' in the translation unit expands to
     * 'iptable->radix->num_added_node', so it is only usable as
     * 'acl->node_count' and the name must not be reused for anything
     * else.  Left unchanged here because callers may rely on that
     * spelling; a function-like macro taking the ACL would be safer.
     */
#define node_count      iptable->radix->num_added_node
    dns_aclelement_t    *elements;      /* 'alloc' slots, 'length' of them initialised */
    bool        has_negatives;  /* presumably true if any element or IP table
                                 * node is negated -- confirm in acl.c */
    unsigned int        alloc;      /*%< Elements allocated */
    unsigned int        length;     /*%< Elements initialized */
    char            *name;      /*%< Temporary use only */
    ISC_LINK(dns_acl_t)     nextincache;    /*%< Ditto */
};
   93 
/*
 * Matching environment handed to dns_acl_match()/dns_acl_allowed():
 * the current definitions of the built-in 'localhost' and 'localnets'
 * ACLs (what the corresponding element types match against) plus
 * global matching options.  Initialised by dns_aclenv_init() and
 * released by dns_aclenv_destroy().
 */
struct dns_aclenv {
    dns_acl_t *localhost;   /* matched by dns_aclelementtype_localhost */
    dns_acl_t *localnets;   /* matched by dns_aclelementtype_localnets */
    bool match_mapped;      /* NOTE(review): presumably controls whether IPv4-mapped
                             * IPv6 addresses are matched against IPv4 prefixes; if
                             * so it widens what an IPv4 rule admits -- confirm in acl.c */
#ifdef HAVE_GEOIP
    dns_geoip_databases_t *geoip;   /* databases consulted by geoip elements */
    bool geoip_use_ecs;             /* presumably: look up the ECS client prefix instead
                                     * of the source address -- confirm in acl.c */
#endif
};
  103 
/*
 * Magic number stored in dns_acl.magic, and the validity test that
 * functions in this module apply to their 'acl' arguments.
 */
#define DNS_ACL_MAGIC       ISC_MAGIC('D','a','c','l')
#define DNS_ACL_VALID(a)    ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
  106 
  107 /***
  108  *** Functions
  109  ***/
  110 
  111 ISC_LANG_BEGINDECLS
  112 
isc_result_t
dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
/*%<
 * Create a new ACL, including an IP table and an array with room
 * for 'n' ACL elements.  The elements are uninitialized and the
 * length is 0.
 *
 * The new ACL is reference counted; release it with dns_acl_detach().
 *
 * NOTE(review): 'n' is a signed int while dns_acl.alloc is unsigned;
 * presumably 'n' >= 0 is required and a non-success result is
 * returned on allocation failure -- confirm in acl.c.
 */
  120 
isc_result_t
dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches everything (the "{ any; }" ACL
 * recognised by dns_acl_isany()).  Release it with dns_acl_detach().
 */
  126 
isc_result_t
dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches nothing (the "{ none; }" ACL
 * recognised by dns_acl_isnone()).  Release it with dns_acl_detach().
 */
  132 
bool
dns_acl_isany(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ any; }"
 *
 * This inspects the ACL's structure; it is not a match test for a
 * particular address.  Presumably requires 'acl' to be a valid ACL.
 */
  138 
bool
dns_acl_isnone(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ none; }"
 *
 * This inspects the ACL's structure; it is not a match test for a
 * particular address.  Presumably requires 'acl' to be a valid ACL.
 */
  144 
isc_result_t
dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos);
/*%<
 * Merge the contents of one ACL into another.  Call dns_iptable_merge()
 * for the IP tables, then concatenate the element arrays.
 *
 * If pos is set to false, then the nested ACL is to be negated.  This
 * means reverse the sense of each *positive* element or IP table node,
 * but leave negatives alone, so as to prevent a double-negative causing
 * an unexpected positive match in the parent ACL.
 *
 * NOTE(review): 'source' is not const-qualified; whether it is modified
 * by the merge, and whether 'dest' may be left partially merged on a
 * non-success result (e.g. when growing its element array fails), is
 * not visible from this header -- confirm in acl.c before reusing
 * either ACL after a failure.
 */
  156 
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
/*%<
 * Attach to acl 'source': take an additional reference on it and
 * store the pointer in '*target'.  Every attach must be balanced by
 * a dns_acl_detach().
 *
 * Requires:
 *\li   'source' to be a valid acl.
 *\li   'target' to be non NULL and '*target' to be NULL.
 */
  166 
void
dns_acl_detach(dns_acl_t **aclp);
/*%<
 * Detach the acl. On final detach the acl must not be linked on any
 * list.
 *
 * Drops one reference; the ACL is destroyed when the count reaches
 * zero.  Presumably '*aclp' is set to NULL on return, as is usual for
 * ISC detach functions -- confirm in acl.c.
 *
 * Requires:
 *\li   '*aclp' to be a valid acl.
 *
 * Insists:
 *\li   '*aclp' is not linked on final detach.
 */
  179 
bool
dns_acl_isinsecure(const dns_acl_t *a);
/*%<
 * Return #true iff the acl 'a' is considered insecure, that is,
 * if it contains IP addresses other than those of the local host.
 * This is intended for applications such as printing warning
 * messages for suspect ACLs; it is not intended for making access
 * control decisions.  We make no guarantee that an ACL for which
 * this function returns #false is safe.
 *
 * In other words this is a heuristic for operator warnings only.
 * Never gate an operation on its result; use dns_acl_match() /
 * dns_acl_allowed() for the actual access-control decision.
 */
  190 
bool
dns_acl_allowed(isc_netaddr_t *addr, dns_name_t *signer,
        isc_netaddr_t *ecs_addr, uint8_t ecs_addrlen,
        uint8_t *ecs_scope, dns_acl_t *acl, dns_aclenv_t
        *aclenv);
/*%<
 * Return #true iff the 'addr', 'signer', or ECS values are
 * permitted by 'acl' in environment 'aclenv'.
 *
 * The arguments correspond to those of dns_acl_match2(): 'addr' is
 * the request source address, 'signer' the (optional) key name,
 * 'ecs_addr'/'ecs_addrlen' the optional EDNS client subnet prefix,
 * and 'ecs_scope' receives the matched netmask when the ECS prefix
 * is what matched.
 *
 * NOTE(review): presumably a convenience wrapper that returns true only
 * for a positive match ('*match' > 0 in dns_acl_match2() terms), so
 * both "no element matched" and "a negated element matched" yield
 * false -- confirm in acl.c.  Callers should rely on exactly that:
 * anything other than true is not permitted.
 */
  200 
isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
/*%<
 * Initialize ACL environment, setting up localhost and localnets ACLs
 *
 * On success the environment must later be released with
 * dns_aclenv_destroy().  What state 'env' is left in when a
 * non-success result is returned is not visible here -- confirm in
 * acl.c before calling dns_aclenv_destroy() on a failed init.
 */
  206 
void
dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
/*%<
 * Copy an ACL environment.  From the parameter names, 't' appears to
 * be the target and 's' the source (note this is the reverse of the
 * dns_acl_attach() argument order) -- confirm in acl.c.  Presumably
 * the contained ACLs are attached rather than duplicated, so 't' must
 * eventually be released with dns_aclenv_destroy().
 */
  209 
void
dns_aclenv_destroy(dns_aclenv_t *env);
/*%<
 * Release an ACL environment set up by dns_aclenv_init() (or filled
 * by dns_aclenv_copy()), detaching the ACLs it holds.  The 'env'
 * storage itself is owned by the caller.
 */
  212 
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
          const dns_name_t *reqsigner,
          const dns_acl_t *acl,
          const dns_aclenv_t *env,
          int *match,
          const dns_aclelement_t **matchelt);
/*%<
 * Match without EDNS client subnet information.  Presumably equivalent
 * to dns_acl_match2() with 'ecs' == NULL; see the description below.
 */

isc_result_t
dns_acl_match2(const isc_netaddr_t *reqaddr,
           const dns_name_t *reqsigner,
           const isc_netaddr_t *ecs,
           uint8_t ecslen,
           uint8_t *scope,
           const dns_acl_t *acl,
           const dns_aclenv_t *env,
           int *match,
           const dns_aclelement_t **matchelt);
/*%<
 * General, low-level ACL matching.  This is expected to
 * be useful even for weird stuff like the topology and sortlist statements.
 *
 * Match the address 'reqaddr', and optionally the key name 'reqsigner',
 * and optionally the client prefix 'ecs' of length 'ecslen'
 * (reported via EDNS client subnet option) against 'acl'.
 *
 * 'reqsigner' and 'ecs' may be NULL.  If an ACL matches against 'ecs'
 * and 'ecslen', then 'scope' will be set to indicate the netmask that
 * matched.
 *
 * If there is a match, '*match' will be set to an integer whose absolute
 * value corresponds to the order in which the matching value was inserted
 * into the ACL.  For a positive match, this value will be positive; for a
 * negative match, it will be negative.
 *
 * If there is no match, *match will be set to zero.
 *
 * If there is a match in the element list (either positive or negative)
 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
 * element.
 *
 * 'env' points to the current ACL environment, including the
 * current values of localhost and localnets and (if applicable)
 * the GeoIP context.
 *
 * Notes for callers making access-control decisions:
 *\li   Only '*match' > 0 is a positive match.  Both '*match' == 0
 *      (nothing matched) and '*match' < 0 (a negated entry matched)
 *      must be treated as "not allowed"; do not test '*match != 0'.
 *\li   Only a match from the element list sets '*matchelt'.  Do not
 *      assume '*matchelt' is valid merely because '*match' != 0; a
 *      match from the IP table need not set it.
 *\li   The ordering of '*match' values relies on insertion order, so
 *      first-match semantics across the IP table and element list are
 *      decided inside acl.c, not by this interface.
 *\li   Whether 'scope' may be NULL when 'ecs' is non-NULL is not stated
 *      here -- confirm in acl.c before passing NULL.
 *
 * Returns:
 *\li   #ISC_R_SUCCESS      Always succeeds.
 */
  261 
bool
dns_aclelement_match(const isc_netaddr_t *reqaddr,
             const dns_name_t *reqsigner,
             const dns_aclelement_t *e,
             const dns_aclenv_t *env,
             const dns_aclelement_t **matchelt);
/*%<
 * Element match without EDNS client subnet information.  Presumably
 * equivalent to dns_aclelement_match2() with 'ecs' == NULL; see below.
 */

bool
dns_aclelement_match2(const isc_netaddr_t *reqaddr,
              const dns_name_t *reqsigner,
              const isc_netaddr_t *ecs,
              uint8_t ecslen,
              uint8_t *scope,
              const dns_aclelement_t *e,
              const dns_aclenv_t *env,
              const dns_aclelement_t **matchelt);
/*%<
 * Like dns_acl_match, but matches against the single ACL element 'e'
 * rather than a complete ACL, and returns true iff it matched.
 *
 * To determine whether the match was positive or negative, the
 * caller should examine e->negative.  Since the element 'e' may be
 * a reference to a named ACL or a nested ACL, a matching element
 * returned through 'matchelt' is not necessarily 'e' itself.
 *
 * Note that the return value alone does not say whether access is
 * permitted: a true result on an element with e->negative set is a
 * negative match and must be treated as "denied".  'matchelt' may be
 * NULL if the caller does not need the matching element.
 */
  287 
  288 ISC_LANG_ENDDECLS
  289 
  290 #endif /* DNS_ACL_H */