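/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server. Entries are keyed by address netblock and carry
 * the access decision (enum acl_access) plus optional tag and view
 * information; a second list of the same type holds per-interface
 * access control (see acl_interface_insert).
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
#include "services/view.h"
struct config_file;
struct config_strlist;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 * Append new values at the end so that the existing numeric values stay
 * stable for any code that stores or compares them.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it (no reply is sent) */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping
	 * (non-recursive queries are answered from the cache, so the client
	 * can inspect what the server has cached) */
	acl_allow_snoop,
	/** allow full access for recursion queries and set RD flag regardless
	 * of request */
	acl_allow_setrd,
	/** allow full access for recursion (+RD) queries if valid cookie
	 * present or stateful transport; a client on a stateless transport
	 * that has not completed the cookie exchange does not get this
	 * access */
	acl_allow_cookie
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation of the tree entries */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_type tree;
};

/**
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
	/** tag bitlist */
	uint8_t* taglist;
	/** length of the taglist (in bytes) */
	size_t taglen;
	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
	uint8_t* tag_actions;
	/** size of the tag_actions_array */
	size_t tag_actions_size;
	/** array per tagnumber, with per tag a list of rdata strings.
	 * NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1' */
	struct config_strlist** tag_datas;
	/** size of the tag_datas array */
	size_t tag_datas_size;
	/** nonzero if the acl node is for an interface; presumably set for
	 * entries created by acl_interface_insert rather than from netblock
	 * config -- confirm in acl_list.c */
	int is_interface;
	/** view element, NULL if none */
	struct view* view;
};

/**
 * Create acl structure
 * @return new structure or NULL on error.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Insert interface in the acl_list. This should happen when the listening
 * interface is setup.
 * @param acl_interface: acl_list to insert to.
 * @param addr: interface IP.
 * @param addrlen: length of the interface IP.
 * @param control: acl_access.
 * @return new structure or NULL on error.
 */
struct acl_addr*
acl_interface_insert(struct acl_list* acl_interface,
	struct sockaddr_storage* addr, socklen_t addrlen,
	enum acl_access control);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @param v: views structure
 * @return 0 on error.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
	struct views* v);

/**
 * Initialise (also clean) the acl_interface struct.
 * @param acl_interface: where to store.
 */
void acl_interface_init(struct acl_list* acl_interface);

/**
 * Process interface control config.
 * @param acl_interface: where to store.
 * @param cfg: config options.
 * @param v: views structure
 * @return 0 on error.
 */
int acl_interface_apply_cfg(struct acl_list* acl_interface,
	struct config_file* cfg, struct views* v);

/**
 * Lookup access control status for acl structure.
 * @param acl: structure for acl storage, normally the result of
 *	acl_addr_lookup. NOTE(review): confirm in acl_list.c what is
 *	returned for a NULL acl; the header does not state it.
 * @return what to do with message from this address.
 */
enum acl_access acl_get_control(struct acl_addr* acl);

/**
 * Lookup address to see its acl structure
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return acl structure from this address; presumably NULL when no
 *	netblock matches -- confirm in acl_list.c.
 */
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
	socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

/**
 * Get string for acl access specification
 * @param acl: access type value
 * @return string describing the access type; returned as const, do not
 *	free it.
 */
const char* acl_access_to_str(enum acl_access acl);

/**
 * Log the access control decision taken for a client address.
 * @param action: short description of the action taken, for the log line.
 * @param addr: client address.
 * @param addrlen: length of addr.
 * @param acl: the access control value that was applied.
 * @param acladdr: the matching acl entry. NOTE(review): confirm whether a
 *	NULL acladdr is accepted; the header does not state it.
 */
void log_acl_action(const char* action, struct sockaddr_storage* addr,
	socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr);

/**
 * Swap internal tree with preallocated entries.
 * @param acl: the acl structure.
 * @param data: the data structure used to take elements from. This contains
 *	the old elements on return.
 */
void acl_list_swap_tree(struct acl_list* acl, struct acl_list* data);

#endif /* DAEMON_ACL_LIST_H */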