/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server.
 *
 * Client addresses are matched by netblock against a tree of acl_addr
 * entries; each entry carries an acl_access decision plus optional
 * tag/view data that refine how the query is answered.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
#include "services/view.h"
/* Only pointers to these are used here, so incomplete types suffice.
 * struct views (prototype below) is presumably provided by services/view.h,
 * and struct config_strlist by the config headers the .c file includes. */
struct config_file;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 *
 * acl_deny is 0, so a zero-initialised control field fails closed
 * (the client is dropped) rather than granting access by accident.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it (no reply is sent) */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it;
	 * queries for local zones are still answered */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply;
	 * queries for local zones are still answered */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping.
	 * Unlike acl_allow this also serves queries without RD set, which
	 * lets a client learn what the cache currently holds; restrict it
	 * to trusted netblocks. */
	acl_allow_snoop
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation; presumably the acl_addr entries and
	 * their tag arrays live in it and are released by acl_list_delete()
	 * -- confirm against acl_list.c */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_type tree;
};

/**
 *
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
	/** tag bitlist; presumably bit i set means tag number i applies
	 * -- verify against the tag helpers in config code */
	uint8_t* taglist;
	/** length of the taglist (in bytes) */
	size_t taglen;
	/** array per tagnumber of localzonetype(in one byte). NULL if none.
	 * Index by tag number; check the index against tag_actions_size
	 * before dereferencing. */
	uint8_t* tag_actions;
	/** size of the tag_actions_array */
	size_t tag_actions_size;
	/** array per tagnumber, with per tag a list of rdata strings.
	 * NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1'
	 * Index by tag number; check the index against tag_datas_size
	 * before dereferencing. */
	struct config_strlist** tag_datas;
	/** size of the tag_datas array */
	size_t tag_datas_size;
	/** view element, NULL if none */
	struct view* view;
};

/**
 * Create acl structure
 * @return new structure or NULL on error.
 *	The caller owns the result and releases it with acl_list_delete().
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @param v: views structure
 * @return 0 on error, non-zero on success.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
	struct views* v);

/**
 * Lookup access control status for acl structure.
 * @param acl: structure for acl storage.
 *	NOTE(review): presumably expected to be a non-NULL entry returned by
 *	acl_addr_lookup(); how an address with no matching netblock is
 *	handled is decided in acl_list.c -- confirm there.
 * @return: what to do with message from this address.
 */
enum acl_access acl_get_control(struct acl_addr* acl);

/**
 * Lookup address to see its acl structure
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: acl structure from this address.
 *	Presumably NULL when no configured netblock covers addr -- confirm;
 *	callers must handle that case before reading the result.
 */
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
	socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

#endif /* DAEMON_ACL_LIST_H */