daemon/acl_list.h


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150

/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 * 
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 * 
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to 
 * access the server.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
struct config_file;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping */
	acl_allow_snoop
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation */
	struct regional* region;
	/** 
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_t tree;
};

/**
 *
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
	/** tag bitlist */
	uint8_t* taglist;
	/** length of the taglist (in bytes) */
	size_t taglen;
	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
	uint8_t* tag_actions;
	/** size of the tag_actions_array */
	size_t tag_actions_size;
	/** array per tagnumber, with per tag a list of rdata strings.
	 * NULL if none.  strings are like 'A 127.0.0.1' 'AAAA ::1' */
	struct config_strlist** tag_datas;
	/** size of the tag_datas array */
	size_t tag_datas_size;
};

/**
 * Create acl structure 
 * @return new structure or NULL on error.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @return 0 on error.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);

/**
 * Lookup access control status for acl structure.
 * @param acl: structure for acl storage.
 * @return: what to do with message from this address.
 */
enum acl_access acl_get_control(struct acl_addr* acl);

/**
 * Lookup address to see its acl structure
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: acl structure from this address.
 */
struct acl_addr*
acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
        socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

#endif /* DAEMON_ACL_LIST_H */