/*
 * daemon/acl_list.h - client access control storage for the server.
 *
 * Copyright (c) 2007, NLnet Labs. All rights reserved.
 *
 * This software is open source.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * Neither the name of the NLNET LABS nor the names of its contributors may
 * be used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/**
 * \file
 *
 * This file keeps track of the list of clients that are allowed to
 * access the server. Netblocks are stored in an address tree and each
 * netblock carries one acl_access decision; the lookup result decides
 * how a query from a given source address is treated.
 *
 * NOTE(review): struct sockaddr_storage and socklen_t are used below but
 * not declared in this header; they are expected to arrive through
 * util/storage/dnstree.h (or the build's config header) - confirm.
 */

#ifndef DAEMON_ACL_LIST_H
#define DAEMON_ACL_LIST_H
#include "util/storage/dnstree.h"
struct config_file;
struct regional;

/**
 * Enumeration of access control options for an address range.
 * Allow or deny access. "drop" variants send no reply at all; "REFUSED"
 * variants answer with a DNS REFUSED rcode so the client learns it was
 * rejected.
 */
enum acl_access {
	/** disallow any access whatsoever, drop it */
	acl_deny = 0,
	/** disallow access, send a polite 'REFUSED' reply */
	acl_refuse,
	/** disallow any access to zones that aren't local, drop it */
	acl_deny_non_local,
	/** disallow access to zones that aren't local, 'REFUSED' reply */
	acl_refuse_non_local,
	/** allow full access for recursion (+RD) queries */
	acl_allow,
	/**
	 * allow full access for all queries, recursion and cache snooping.
	 * Non-recursive queries reveal what is in the cache, so this level
	 * is meant for netblocks that are trusted to see that information.
	 */
	acl_allow_snoop
};

/**
 * Access control storage structure
 */
struct acl_list {
	/** regional for allocation; acl_addr nodes are allocated from it */
	struct regional* region;
	/**
	 * Tree of the addresses that are allowed/blocked.
	 * contents of type acl_addr.
	 */
	rbtree_t tree;
};

/**
 *
 * An address span with access control information
 */
struct acl_addr {
	/** node in address tree; keyed by the netblock (address + prefix) */
	struct addr_tree_node node;
	/** access control on this netblock */
	enum acl_access control;
};

/**
 * Create acl structure
 * @return new structure or NULL on error.
 */
struct acl_list* acl_list_create(void);

/**
 * Delete acl structure.
 * Frees the regional and therefore every acl_addr node stored in it.
 * @param acl: to delete.
 */
void acl_list_delete(struct acl_list* acl);

/**
 * Process access control config.
 * @param acl: where to store.
 * @param cfg: config options.
 * @return 0 on error.
 * NOTE(review): the state of acl after a 0 return (partially applied or
 * untouched) is not specified here - confirm in the implementation before
 * reusing the structure after a failure.
 */
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg);

/**
 * Lookup address to see its access control status.
 * @param acl: structure for address storage.
 * @param addr: address to check
 * @param addrlen: length of addr.
 * @return: what to do with message from this address.
 * NOTE(review): the value returned for an address matched by no configured
 * netblock is decided by the implementation, not by this header - confirm
 * that the default is a deny/refuse value, since that is the fail-safe
 * behaviour an access list is expected to have.
 */
enum acl_access acl_list_lookup(struct acl_list* acl,
	struct sockaddr_storage* addr, socklen_t addrlen);

/**
 * Get memory used by acl structure.
 * @param acl: structure for address storage.
 * @return bytes in use.
 */
size_t acl_list_get_mem(struct acl_list* acl);

#endif /* DAEMON_ACL_LIST_H */