xref: /freebsd/contrib/unbound/daemon/acl_list.h (revision e8d8bef961a50d4dc22501cde4fb9fb0be1b2532)
1 /*
2  * daemon/acl_list.h - client access control storage for the server.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file keeps track of the list of clients that are allowed to
40  * access the server.
41  */
42 
43 #ifndef DAEMON_ACL_LIST_H
44 #define DAEMON_ACL_LIST_H
45 #include "util/storage/dnstree.h"
46 #include "services/view.h"
47 struct config_file;
48 struct regional;
49 
50 /**
51  * Enumeration of access control options for an address range.
52  * Allow or deny access.
53  */
54 enum acl_access {
55 	/** disallow any access whatsoever, drop it */
56 	acl_deny = 0,
57 	/** disallow access, send a polite 'REFUSED' reply */
58 	acl_refuse,
59 	/** disallow any access to zones that aren't local, drop it */
60 	acl_deny_non_local,
61 	/** disallow access to zones that aren't local, 'REFUSED' reply */
62 	acl_refuse_non_local,
63 	/** allow full access for recursion (+RD) queries */
64 	acl_allow,
65 	/** allow full access for all queries, recursion and cache snooping */
66 	acl_allow_snoop,
67 	/** allow full access for recursion queries and set RD flag regardless of request */
68 	acl_allow_setrd
69 };
70 
71 /**
72  * Access control storage structure
73  */
74 struct acl_list {
75 	/** regional for allocation */
76 	struct regional* region;
77 	/**
78 	 * Tree of the addresses that are allowed/blocked.
79 	 * contents of type acl_addr.
80 	 */
81 	rbtree_type tree;
82 };
83 
84 /**
85  *
86  * An address span with access control information
87  */
88 struct acl_addr {
89 	/** node in address tree */
90 	struct addr_tree_node node;
91 	/** access control on this netblock */
92 	enum acl_access control;
93 	/** tag bitlist */
94 	uint8_t* taglist;
95 	/** length of the taglist (in bytes) */
96 	size_t taglen;
97 	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
98 	uint8_t* tag_actions;
99 	/** size of the tag_actions_array */
100 	size_t tag_actions_size;
101 	/** array per tagnumber, with per tag a list of rdata strings.
102 	 * NULL if none.  strings are like 'A 127.0.0.1' 'AAAA ::1' */
103 	struct config_strlist** tag_datas;
104 	/** size of the tag_datas array */
105 	size_t tag_datas_size;
106 	/* view element, NULL if none */
107 	struct view* view;
108 };
109 
110 /**
111  * Create acl structure
112  * @return new structure or NULL on error.
113  */
114 struct acl_list* acl_list_create(void);
115 
116 /**
117  * Delete acl structure.
118  * @param acl: to delete.
119  */
120 void acl_list_delete(struct acl_list* acl);
121 
122 /**
123  * Process access control config.
124  * @param acl: where to store.
125  * @param cfg: config options.
126  * @param v: views structure
127  * @return 0 on error.
128  */
129 int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
130 	struct views* v);
131 
132 /**
133  * Lookup access control status for acl structure.
134  * @param acl: structure for acl storage.
135  * @return: what to do with message from this address.
136  */
137 enum acl_access acl_get_control(struct acl_addr* acl);
138 
139 /**
140  * Lookup address to see its acl structure
141  * @param acl: structure for address storage.
142  * @param addr: address to check
143  * @param addrlen: length of addr.
144  * @return: acl structure from this address.
145  */
146 struct acl_addr*
147 acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
148         socklen_t addrlen);
149 
150 /**
151  * Get memory used by acl structure.
152  * @param acl: structure for address storage.
153  * @return bytes in use.
154  */
155 size_t acl_list_get_mem(struct acl_list* acl);
156 
157 #endif /* DAEMON_ACL_LIST_H */
158