
Member "bind-9.17.5/lib/dns/include/dns/acl.h" (4 Sep 2020, 6476 Bytes) of package /linux/misc/dns/bind9/9.17.5/bind-9.17.5.tar.xz:



    1 /*
    2  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
    3  *
    4  * This Source Code Form is subject to the terms of the Mozilla Public
    5  * License, v. 2.0. If a copy of the MPL was not distributed with this
    6  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
    7  *
    8  * See the COPYRIGHT file distributed with this work for additional
    9  * information regarding copyright ownership.
   10  */
   11 
   12 #ifndef DNS_ACL_H
   13 #define DNS_ACL_H 1
   14 
   15 /*****
   16 ***** Module Info
   17 *****/
   18 
   19 /*! \file dns/acl.h
   20  * \brief
   21  * Address match list handling.
   22  */
   23 
   24 /***
   25  *** Imports
   26  ***/
   27 
   28 #include <stdbool.h>
   29 
   30 #include <isc/lang.h>
   31 #include <isc/magic.h>
   32 #include <isc/netaddr.h>
   33 #include <isc/refcount.h>
   34 
   35 #include <dns/geoip.h>
   36 #include <dns/iptable.h>
   37 #include <dns/name.h>
   38 #include <dns/types.h>
   39 
   40 /***
   41  *** Types
   42  ***/
   43 
/*%
 * Kinds of entry an address match list element can hold.  Whether an
 * entry is negated is carried separately by dns_aclelement.negative.
 *
 * NOTE(review): enumerators are position-valued, so when HAVE_GEOIP2 is
 * defined every value from dns_aclelementtype_geoip onward shifts by
 * one (dns_aclelementtype_any in particular).  Do not persist or
 * exchange these raw integers across differently configured builds.
 */
typedef enum {
    dns_aclelementtype_ipprefix,  /*%< address/prefix; presumably kept in the ACL's iptable */
    dns_aclelementtype_keyname,   /*%< key name, matched against 'reqsigner' */
    dns_aclelementtype_nestedacl, /*%< reference to another dns_acl_t */
    dns_aclelementtype_localhost, /*%< the environment's 'localhost' ACL */
    dns_aclelementtype_localnets, /*%< the environment's 'localnets' ACL */
#if defined(HAVE_GEOIP2)
    dns_aclelementtype_geoip,     /*%< GeoIP lookup; only with HAVE_GEOIP2 */
#endif /* HAVE_GEOIP2 */
    dns_aclelementtype_any        /*%< matches everything */
} dns_aclelementtype_t;
   55 
typedef struct dns_aclipprefix dns_aclipprefix_t;

/*%
 * A single address/prefix entry.
 */
struct dns_aclipprefix {
    isc_netaddr_t address; /* IP4/IP6 */
    unsigned int  prefixlen; /*%< prefix length; presumably a bit count, so
                              *   must not exceed the address family's width
                              *   -- range checking is the creator's job,
                              *   nothing here enforces it */
};
   62 
/*%
 * One entry of an ACL's element array (see dns_acl.elements).  Only the
 * member selected by 'type' is meaningful for a given element.
 */
struct dns_aclelement {
    dns_aclelementtype_t type;     /*%< which of the members below applies */
    bool             negative;     /*%< true if this entry is negated; see
                                    *   dns_aclelement_match() */
    dns_name_t       keyname;      /*%< for dns_aclelementtype_keyname */
#if defined(HAVE_GEOIP2)
    dns_geoip_elem_t geoip_elem;   /*%< for dns_aclelementtype_geoip */
#endif /* HAVE_GEOIP2 */
    dns_acl_t *nestedacl;          /*%< for dns_aclelementtype_nestedacl;
                                    *   presumably a held reference --
                                    *   confirm in acl.c */
    int    node_num;               /*%< presumably the insertion-order index
                                    *   reported through dns_acl_match()'s
                                    *   '*match' -- confirm in acl.c */
};
   73 
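/*%
 * Number of nodes currently held in 'acl's IP table radix tree.
 *
 * 'acl' must be a non-NULL dns_acl_t * whose 'iptable' (and its
 * 'radix') are set; nothing here validates that.  The argument is
 * expanded exactly once and is parenthesized so that a non-trivial
 * argument expression (e.g. '&a' or 'x ? y : z') binds correctly.
 */
#define dns_acl_node_count(acl) ((acl)->iptable->radix->num_added_node)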
   75 
/*%
 * An address match list: an IP table for address/prefix matching plus
 * an array of non-address elements (keys, nested ACLs, localhost, ...).
 * Reference counted; use dns_acl_attach()/dns_acl_detach().
 */
struct dns_acl {
    unsigned int      magic;     /*%< DNS_ACL_MAGIC; checked by DNS_ACL_VALID() */
    isc_mem_t *   mctx;          /*%< memory context the ACL was created in */
    isc_refcount_t    refcount;  /*%< see dns_acl_attach()/dns_acl_detach() */
    dns_iptable_t *   iptable;   /*%< address/prefix entries */
    dns_aclelement_t *elements;  /*%< array of 'alloc' entries, 'length' in use */
    bool          has_negatives; /*%< presumably true once any negated entry
                                  *   exists -- confirm in acl.c */
    unsigned int      alloc;     /*%< Elements allocated */
    unsigned int      length;    /*%< Elements initialized */
    char *        name;      /*%< Temporary use only */
    ISC_LINK(dns_acl_t) nextincache; /*%< Ditto; must be unlinked before the
                                      *   final dns_acl_detach() */
};
   88 
/*%
 * Environment an ACL is evaluated in: the values that the 'localhost'
 * and 'localnets' elements resolve to, and (with HAVE_GEOIP2) the GeoIP
 * databases.  Set up by dns_aclenv_init(), torn down by
 * dns_aclenv_destroy().
 */
struct dns_aclenv {
    dns_acl_t *localhost;        /*%< ACL used for dns_aclelementtype_localhost */
    dns_acl_t *localnets;        /*%< ACL used for dns_aclelementtype_localnets */
    bool       match_mapped;     /*%< presumably whether IPv4-mapped IPv6
                                  *   addresses match IPv4 entries --
                                  *   confirm in acl.c */
#if defined(HAVE_GEOIP2)
    dns_geoip_databases_t *geoip; /*%< GeoIP databases for geoip elements */
#endif /* HAVE_GEOIP2 */
};
   97 
/*%
 * Magic number stored in dns_acl.magic and the test for it.  This is a
 * debugging/sanity check against freed, uninitialized or mistyped
 * objects, not a security boundary.
 */
#define DNS_ACL_MAGIC    ISC_MAGIC('D', 'a', 'c', 'l')
#define DNS_ACL_VALID(a) ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)
  100 
  101 /***
  102  *** Functions
  103  ***/
  104 
  105 ISC_LANG_BEGINDECLS
  106 
isc_result_t
dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
/*%<
 * Create a new ACL, including an IP table and an array with room
 * for 'n' ACL elements.  The elements are uninitialized and the
 * length is 0.
 *
 * The caller is responsible for initializing each element before it
 * is counted in 'length' (or for populating the ACL via
 * dns_acl_merge()).
 *
 * NOTE(review): 'n' is an int while dns_acl.alloc is unsigned; whether
 * a negative 'n' is rejected is not visible here -- confirm in acl.c.
 *
 * Returns:
 *\li   #ISC_R_SUCCESS on success; other results (presumably allocation
 *      failures) leave no ACL in '*target'.
 */
  114 
isc_result_t
dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches everything, i.e. "{ any; }".
 * Returns a result code like dns_acl_create(); the caller owns the
 * reference placed in '*target' and releases it with dns_acl_detach().
 */
  120 
isc_result_t
dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches nothing, i.e. "{ none; }".
 * Returns a result code like dns_acl_create(); the caller owns the
 * reference placed in '*target' and releases it with dns_acl_detach().
 */
  126 
bool
dns_acl_isany(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ any; }".
 *
 * Whether a structurally equivalent ACL (e.g. one built from other
 * elements that happens to match everything) is recognized is not
 * specified here; treat a false result as "not literally any".
 */
  132 
bool
dns_acl_isnone(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ none; }".
 *
 * As with dns_acl_isany(), a false result only means the ACL is not
 * literally "{ none; }"; it does not mean the ACL can match anything.
 */
  138 
isc_result_t
dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, bool pos);
/*%<
 * Merge the contents of one ACL into another.  Call dns_iptable_merge()
 * for the IP tables, then concatenate the element arrays.
 *
 * If pos is set to false, then the nested ACL is to be negated.  This
 * means reverse the sense of each *positive* element or IP table node,
 * but leave negatives alone, so as to prevent a double-negative causing
 * an unexpected positive match in the parent ACL.
 *
 * Note the asymmetry: negation is applied only to 'source' as it is
 * copied in; 'dest' entries are untouched.  A non-success result
 * (presumably on allocation failure) may leave 'dest' partially
 * merged -- confirm in acl.c before relying on atomicity.
 */
  150 
void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
/*%<
 * Attach to acl 'source': increment its reference count and store
 * 'source' in '*target'.  Every attach must be balanced by a
 * dns_acl_detach().
 *
 * Requires:
 *\li   'source' to be a valid acl.
 *\li   'target' to be non NULL and '*target' to be NULL.
 */
  160 
void
dns_acl_detach(dns_acl_t **aclp);
/*%<
 * Detach the acl. On final detach the acl must not be linked on any
 * list.
 *
 * The final detach releases the ACL (and presumably its iptable, any
 * nested ACL references and its elements).  '*aclp' is reset so the
 * caller does not keep a dangling pointer -- confirm in acl.c.
 *
 * Requires:
 *\li   '*aclp' to be a valid acl.
 *
 * Insists:
 *\li   '*aclp' is not linked on final detach.
 */
  173 
bool
dns_acl_isinsecure(const dns_acl_t *a);
/*%<
 * Return #true iff the acl 'a' is considered insecure, that is,
 * if it contains IP addresses other than those of the local host.
 * This is intended for applications such as printing warning
 * messages for suspect ACLs; it is not intended for making access
 * control decisions.  We make no guarantee that an ACL for which
 * this function returns #false is safe.
 *
 * Security: this is a heuristic only.  Never gate a privileged
 * operation on it; use dns_acl_match()/dns_acl_allowed() against the
 * actual request for access control.
 */
  184 
bool
dns_acl_allowed(isc_netaddr_t *addr, const dns_name_t *signer, dns_acl_t *acl,
        dns_aclenv_t *aclenv);
/*%<
 * Return #true iff the 'addr' and 'signer' values are permitted by
 * 'acl' in environment 'aclenv'.
 *
 * Note that this signature takes no ECS (client subnet) argument;
 * earlier comments mentioning ECS values do not apply to this version.
 * Presumably a thin wrapper over dns_acl_match() that treats a
 * positive match as allowed and anything else as denied -- confirm in
 * acl.c.
 */
  192 
isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
/*%<
 * Initialize ACL environment, setting up localhost and localnets ACLs.
 * 'env' must point to caller-provided storage; pair with
 * dns_aclenv_destroy().  A non-success result means 'env' is not
 * usable.
 */
  198 
void
dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
/*%<
 * Copy ACL environment 's' into 't' (argument names suggest
 * target/source).
 *
 * NOTE(review): whether this attaches new references to the localhost
 * and localnets ACLs or merely copies the pointers is not visible here;
 * confirm in acl.c before destroying 's' while 't' is still in use.
 */
  201 
void
dns_aclenv_destroy(dns_aclenv_t *env);
/*%<
 * Release everything set up by dns_aclenv_init(); presumably detaches
 * the localhost and localnets ACLs (and the GeoIP handle, if any).
 * 'env' itself is caller storage and is not freed.
 */
  204 
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
          const dns_acl_t *acl, const dns_aclenv_t *env, int *match,
          const dns_aclelement_t **matchelt);
/*%<
 * General, low-level ACL matching.  This is expected to
 * be useful even for weird stuff like the topology and sortlist statements.
 *
 * Match the address 'reqaddr', and optionally the key name 'reqsigner',
 * against 'acl'.  'reqsigner' may be NULL (in which case key-name
 * elements presumably cannot match).
 *
 * If there is a match, '*match' will be set to an integer whose absolute
 * value corresponds to the order in which the matching value was inserted
 * into the ACL.  For a positive match, this value will be positive; for a
 * negative match, it will be negative.
 *
 * If there is no match, *match will be set to zero.
 *
 * Callers making an access decision must treat both "no match" (0) and
 * a negative match (< 0) as denied; only '*match > 0' grants access.
 * Because the first matching entry wins by insertion order, the order
 * in which elements were added is semantically significant.
 *
 * If there is a match in the element list (either positive or negative)
 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
 * element.  Matches from the IP table do not set '*matchelt'.
 *
 * 'env' points to the current ACL environment, including the
 * current values of localhost and localnets and (if applicable)
 * the GeoIP context.
 *
 * Returns:
 *\li   #ISC_R_SUCCESS      Always succeeds.
 */
  234 
bool
dns_aclelement_match(const isc_netaddr_t *reqaddr, const dns_name_t *reqsigner,
             const dns_aclelement_t *e, const dns_aclenv_t *env,
             const dns_aclelement_t **matchelt);
/*%<
 * Like dns_acl_match, but matches against the single ACL element 'e'
 * rather than a complete ACL, and returns true iff it matched.
 *
 * To determine whether the match was positive or negative, the
 * caller should examine e->negative.  Since the element 'e' may be
 * a reference to a named ACL or a nested ACL, a matching element
 * returned through 'matchelt' is not necessarily 'e' itself.
 *
 * The return value alone therefore does not say whether access is
 * granted: a true result on an element with e->negative set is a
 * denial.  'matchelt' may be NULL if the matching element is not
 * needed.
 */
  248 
  249 ISC_LANG_ENDDECLS
  250 
  251 #endif /* DNS_ACL_H */