/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
#include "services/view.h"
struct config_file;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 *
 * The 'deny' variants drop the query without answering; the 'refuse'
 * variants send back a REFUSED reply. The '_non_local' variants keep the
 * restriction for non-local zones only.
 *
 * NOTE(review): code in acl_list.c (not visible here) may compare these
 * values numerically to decide "is this an allow-type action"; confirm
 * before inserting or reordering entries.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping.
	 * Snooping exposes cache contents to the querier, so this is the
	 * most permissive setting; it is normally limited to trusted
	 * netblocks. */
	acl_allow_snoop,
	/** allow full access for recursion queries and set RD flag regardless
	 * of request */
	acl_allow_setrd,
	/** allow full access for recursion (+RD) queries if valid cookie
	 * present or stateful transport */
	acl_allow_cookie
};

/**
 * Access control storage structure.
 * Holds the netblock tree together with the regional that the tree
 * entries are allocated from.
 */
struct acl_list {
	/** regional for allocation */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_type tree;
};

/**
 * An address span with access control information.
 * One entry per configured netblock (or per listening interface, see
 * is_interface).
 */
struct acl_addr {
	/** node in address tree.
	 * NOTE(review): kept as the first member, presumably so tree code can
	 * treat an acl_addr* as an addr_tree_node* — confirm before moving. */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
	/** tag bitlist */
	uint8_t* taglist;
	/** length of the taglist (in bytes) */
	size_t taglen;
	/** array per tagnumber of localzonetype (in one byte). NULL if none.
	 * Indexed by tag number; readers must check the index against
	 * tag_actions_size before dereferencing. */
	uint8_t* tag_actions;
	/** size of the tag_actions array */
	size_t tag_actions_size;
	/** array per tagnumber, with per tag a list of rdata strings.
	 * NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1'.
	 * Indexed by tag number; readers must check the index against
	 * tag_datas_size before dereferencing. */
	struct config_strlist** tag_datas;
	/** size of the tag_datas array */
	size_t tag_datas_size;
	/** If the acl node is for an interface */
	int is_interface;
	/** view element, NULL if none */
	struct view* view;
};

/**
 * Create acl structure
 * @return new structure or NULL on error.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Insert interface in the acl_list. This should happen when the listening
 * interface is setup.
 * @param acl_interface: acl_list to insert to.
 * @param addr: interface IP.
 * @param addrlen: length of the interface IP.
 * @param control: acl_access.
 * @return new structure or NULL on error.
 */
struct acl_addr*
acl_interface_insert(struct acl_list* acl_interface,
	struct sockaddr_storage* addr, socklen_t addrlen,
	enum acl_access control);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @param v: views structure
 * @return 0 on error, nonzero on success.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
	struct views* v);

/**
 * Initialise (also clean) the acl_interface struct.
 * @param acl_interface: where to store.
 */
void acl_interface_init(struct acl_list* acl_interface);

/**
 * Process interface control config.
 * @param acl_interface: where to store.
 * @param cfg: config options.
 * @param v: views structure
 * @return 0 on error, nonzero on success.
 */
int acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg,
	struct views* v);

/**
 * Lookup access control status for acl structure.
 * @param acl: structure for acl storage.
 * @return: what to do with message from this address.
 *	NOTE(review): behaviour for a NULL acl is defined in acl_list.c,
 *	not here — check it before passing the result of a failed lookup.
 */
enum acl_access acl_get_control(struct acl_addr* acl);

/**
 * Lookup address to see its acl structure
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: acl structure from this address.
 *	NOTE(review): presumably NULL when no configured netblock covers
 *	the address, and the most specific netblock otherwise — confirm
 *	against the addr_tree lookup in acl_list.c.
 */
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
	socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

/**
 * Get string for acl access specification
 * @param acl: access type value
 * @return string
 */
const char* acl_access_to_str(enum acl_access acl);

/**
 * Log acl and addr for action.
 * @param action: text describing the action taken, logged with the address.
 * @param addr: client address.
 * @param addrlen: length of addr.
 * @param acl: access control value that was applied.
 * @param acladdr: the matched acl entry.
 */
void log_acl_action(const char* action, struct sockaddr_storage* addr,
	socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr);

/**
 * Swap internal tree with preallocated entries.
 * @param acl: the acl structure.
 * @param data: the data structure used to take elements from. This contains
 *	the old elements on return.
 *	NOTE(review): whether the regional backing the entries is swapped
 *	along with the tree is decided in acl_list.c — confirm before freeing
 *	either side.
 */
void acl_list_swap_tree(struct acl_list* acl, struct acl_list* data);

#endif /* DAEMON_ACL_LIST_H */