/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
struct config_file;
struct regional;
/* NOTE(review): rbtree_t, struct addr_tree_node, uint8_t, socklen_t and
 * struct sockaddr_storage are used below but not declared in this header;
 * presumably they arrive via dnstree.h or a config header included before
 * it — confirm before including this header stand-alone. */

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 * The numeric values are part of the interface: acl_deny is 0, so a
 * zero-initialised acl_addr entry denies by default (fails closed).
 */
enum acl_access {
	/** disallow any access whatsoever, drop it */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping
	 * (non-recursive queries that reveal what the cache currently holds);
	 * broader than acl_allow, usually reserved for trusted clients */
	acl_allow_snoop
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation (presumably backs the tree's acl_addr
	 * entries and is released by acl_list_delete — confirm in acl_list.c) */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_t tree;
};

/**
 *
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree.
	 * NOTE(review): presumably has to remain the first member so that a
	 * tree node pointer can be converted back to the acl_addr — confirm
	 * in acl_list.c before reordering fields. */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
	/** tag bitlist */
	uint8_t* taglist;
	/** length of the taglist (in bytes) */
	size_t taglen;
	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
	uint8_t* tag_actions;
	/** size of the tag_actions_array; index with the tag number only
	 * after checking it is below this size */
	size_t tag_actions_size;
	/** array per tagnumber, with per tag a list of rdata strings.
	 * NULL if none. strings are like 'A 127.0.0.1' 'AAAA ::1' */
	struct config_strlist** tag_datas;
	/** size of the tag_datas array; bounds the tag number index as for
	 * tag_actions_size */
	size_t tag_datas_size;
};

/**
 * Create acl structure
 * @return new structure or NULL on error. Release with acl_list_delete.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @return 0 on error, nonzero on success.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);

/**
 * Lookup access control status for acl structure.
 * @param acl: the acl_addr entry for a netblock (as returned by
 *	acl_addr_lookup), not the acl_list itself.
 * @return: what to do with message from this address.
 */
enum acl_access acl_get_control(struct acl_addr* acl);

/**
 * Lookup address to see its acl structure
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: acl structure from this address.
 *	NOTE(review): presumably NULL when no configured netblock covers
 *	the address; callers should handle that case — confirm in acl_list.c.
 */
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
	socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

#endif /* DAEMON_ACL_LIST_H */