xref: /freebsd/contrib/unbound/daemon/acl_list.c (revision ab0b9f6b3073e6c4d1dfbf07444d7db67a189a96) 
1 /*
2  * daemon/acl_list.h - client access control storage for the server.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
25  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
26  * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE
27  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
28  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
29  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
30  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
31  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
32  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
33  * POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file helps the server keep out queries from outside sources, that
40  * should not be answered.
41  */
42 #include "config.h"
43 #include "daemon/acl_list.h"
44 #include "util/regional.h"
45 #include "util/log.h"
46 #include "util/config_file.h"
47 #include "util/net_help.h"
48 
49 struct acl_list*
50 acl_list_create(void)
51 {
52 	struct acl_list* acl = (struct acl_list*)calloc(1,
53 		sizeof(struct acl_list));
54 	if(!acl)
55 		return NULL;
56 	acl->region = regional_create();
57 	if(!acl->region) {
58 		acl_list_delete(acl);
59 		return NULL;
60 	}
61 	return acl;
62 }
63 
64 void
65 acl_list_delete(struct acl_list* acl)
66 {
67 	if(!acl)
68 		return;
69 	regional_destroy(acl->region);
70 	free(acl);
71 }
72 
73 /** insert new address into acl_list structure */
74 static int
75 acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
76 	socklen_t addrlen, int net, enum acl_access control,
77 	int complain_duplicates)
78 {
79 	struct acl_addr* node = regional_alloc(acl->region,
80 		sizeof(struct acl_addr));
81 	if(!node)
82 		return 0;
83 	node->control = control;
84 	if(!addr_tree_insert(&acl->tree, &node->node, addr, addrlen, net)) {
85 		if(complain_duplicates)
86 			verbose(VERB_QUERY, "duplicate acl address ignored.");
87 	}
88 	return 1;
89 }
90 
91 /** apply acl_list string */
92 static int
93 acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
94 	int complain_duplicates)
95 {
96 	struct sockaddr_storage addr;
97 	int net;
98 	socklen_t addrlen;
99 	enum acl_access control;
100 	if(strcmp(s2, "allow") == 0)
101 		control = acl_allow;
102 	else if(strcmp(s2, "deny") == 0)
103 		control = acl_deny;
104 	else if(strcmp(s2, "refuse") == 0)
105 		control = acl_refuse;
106 	else if(strcmp(s2, "allow_snoop") == 0)
107 		control = acl_allow_snoop;
108 	else {
109 		log_err("access control type %s unknown", str);
110 		return 0;
111 	}
112 	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
113 		log_err("cannot parse access control: %s %s", str, s2);
114 		return 0;
115 	}
116 	if(!acl_list_insert(acl, &addr, addrlen, net, control,
117 		complain_duplicates)) {
118 		log_err("out of memory");
119 		return 0;
120 	}
121 	return 1;
122 }
123 
124 /** read acl_list config */
125 static int
126 read_acl_list(struct acl_list* acl, struct config_file* cfg)
127 {
128 	struct config_str2list* p;
129 	for(p = cfg->acls; p; p = p->next) {
130 		log_assert(p->str && p->str2);
131 		if(!acl_list_str_cfg(acl, p->str, p->str2, 1))
132 			return 0;
133 	}
134 	return 1;
135 }
136 
137 int
138 acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
139 {
140 	regional_free_all(acl->region);
141 	addr_tree_init(&acl->tree);
142 	if(!read_acl_list(acl, cfg))
143 		return 0;
144 	/* insert defaults, with '0' to ignore them if they are duplicates */
145 	if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
146 		return 0;
147 	if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0))
148 		return 0;
149 	if(cfg->do_ip6) {
150 		if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0))
151 			return 0;
152 		if(!acl_list_str_cfg(acl, "::1", "allow", 0))
153 			return 0;
154 		if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0))
155 			return 0;
156 	}
157 	addr_tree_init_parents(&acl->tree);
158 	return 1;
159 }
160 
161 enum acl_access
162 acl_list_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
163         socklen_t addrlen)
164 {
165 	struct acl_addr* r = (struct acl_addr*)addr_tree_lookup(&acl->tree,
166 		addr, addrlen);
167 	if(r) return r->control;
168 	return acl_deny;
169 }
170 
171 size_t
172 acl_list_get_mem(struct acl_list* acl)
173 {
174 	if(!acl) return 0;
175 	return sizeof(*acl) + regional_get_mem(acl->region);
176 }
177