xref: /freebsd-10.1-release/contrib/unbound/daemon/acl_list.h

/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
struct config_file;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/** allow full access for all queries, recursion and cache snooping */
	acl_allow_snoop
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_t tree;
};

/**
 *
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
};

/**
 * Create acl structure
 * @return new structure or NULL on error.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @return 0 on error.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);

/**
 * Lookup address to see its access control status.
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: what to do with message from this address.
 */
enum acl_access acl_list_lookup(struct acl_list* acl,
	struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

#endif /* DAEMON_ACL_LIST_H */