
/usr/include/dns/acl.h is in libbind-dev 1:9.11.3+dfsg-1ubuntu1.

This file is owned by root:root, with mode 0o644.

/*
 * Copyright (C) 1999-2002, 2004-2007, 2009, 2011, 2013, 2014, 2016  Internet Systems Consortium, Inc. ("ISC")
 *
 * This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */

/* $Id: acl.h,v 1.35 2011/06/17 23:47:49 tbox Exp $ */

#ifndef DNS_ACL_H
#define DNS_ACL_H 1

/*****
 ***** Module Info
 *****/

/*! \file dns/acl.h
 * \brief
 * Address match list handling.
 */

/***
 *** Imports
 ***/

#include <isc/lang.h>
#include <isc/magic.h>
#include <isc/netaddr.h>
#include <isc/refcount.h>

#ifdef HAVE_GEOIP
#include <dns/geoip.h>
#endif
#include <dns/name.h>
#include <dns/types.h>
#include <dns/iptable.h>

#ifdef HAVE_GEOIP
#include <GeoIP.h>
#endif

/***
 *** Types
 ***/

/*%
 * Kinds of element an address match list can hold.  An element's
 * 'type' selects which members of struct dns_aclelement are
 * meaningful for it.
 *
 * NOTE(review): dns_aclelementtype_geoip exists only when HAVE_GEOIP
 * is defined, so the numeric value of dns_aclelementtype_any differs
 * between GeoIP and non-GeoIP builds.  Code compiled against this
 * header must use the same HAVE_GEOIP setting as the library it links
 * with, or the two will disagree on element types.
 */
typedef enum {
	dns_aclelementtype_ipprefix,	/*%< Address plus prefix length */
	dns_aclelementtype_keyname,	/*%< Match on the request signer's key name */
	dns_aclelementtype_nestedacl,	/*%< Reference to another dns_acl_t */
	dns_aclelementtype_localhost,	/*%< Built-in "localhost" ACL from dns_aclenv */
	dns_aclelementtype_localnets,	/*%< Built-in "localnets" ACL from dns_aclenv */
#ifdef HAVE_GEOIP
	dns_aclelementtype_geoip,	/*%< GeoIP database match */
#endif /* HAVE_GEOIP */
	dns_aclelementtype_any		/*%< Matches everything */
} dns_aclelementtype_t;

typedef struct dns_aclipprefix dns_aclipprefix_t;

/*%
 * An IP address together with a prefix length.  'address' may be IPv4
 * or IPv6; 'prefixlen' is the number of leading address bits that are
 * significant for matching.
 *
 * NOTE(review): nothing in this type bounds 'prefixlen' to the address
 * family (presumably <= 32 for IPv4 and <= 128 for IPv6); whoever
 * fills one in from configuration is expected to validate it.
 */
struct dns_aclipprefix {
	isc_netaddr_t address; /* IP4/IP6 */
	unsigned int prefixlen;	/* Significant leading bits of 'address' */
};

/*%
 * A single entry in an ACL's element array.  'type' selects which of
 * the remaining members carry data.  When an element with 'negative'
 * set matches, the match is a negative one (see dns_aclelement_match2()
 * and the sign of '*match' in dns_acl_match2()).
 */
struct dns_aclelement {
	dns_aclelementtype_t	type;		/*%< Which member below is in use */
	isc_boolean_t		negative;	/*%< ISC_TRUE: a match on this element is a negative match */
	dns_name_t		keyname;	/*%< Key name for keyname elements (by name; confirm in acl.c) */
#ifdef HAVE_GEOIP
	dns_geoip_elem_t	geoip_elem;	/*%< GeoIP criteria for geoip elements */
#endif /* HAVE_GEOIP */
	/*
	 * For nestedacl elements.  NOTE(review): ownership is not
	 * visible here; presumably held via dns_acl_attach() and
	 * released with dns_acl_detach() -- confirm before freeing.
	 */
	dns_acl_t		*nestedacl;
	/*
	 * NOTE(review): this header does not establish what node_num
	 * indexes; it appears related to the owning ACL's iptable
	 * (cf. node_count in struct dns_acl) -- confirm in acl.c.
	 */
	int			node_num;
};

/*%
 * An address match list: a prefix table for IP lookups plus an array
 * of other elements (keys, nested ACLs, built-ins, geoip, any).
 * Reference counted -- take references with dns_acl_attach() and
 * release them with dns_acl_detach(); do not copy the pointer bare.
 */
struct dns_acl {
	unsigned int		magic;		/*%< DNS_ACL_MAGIC; test with DNS_ACL_VALID() */
	isc_mem_t		*mctx;		/*%< Memory context the ACL was created in */
	isc_refcount_t		refcount;	/*%< Reference count, see dns_acl_attach()/detach() */
	dns_iptable_t		*iptable;	/*%< Prefix-based entries */
/*
 * NOTE(review): node_count is an object-like macro, not a member.  It
 * expands to 'iptable->radix->num_added_node' in every translation
 * unit that includes this header, so any other identifier spelled
 * node_count (a local, a member of an unrelated struct) is silently
 * rewritten.  Use it only as acl->node_count and avoid the name
 * elsewhere.
 */
#define node_count		iptable->radix->num_added_node
	dns_aclelement_t	*elements;	/*%< Array of 'alloc' slots, 'length' in use */
	/*
	 * NOTE(review): presumably set when any element or IP table
	 * node is negated; see dns_acl_merge() for why negation matters.
	 * Confirm the exact rule in acl.c.
	 */
	isc_boolean_t 		has_negatives;
	unsigned int 		alloc;		/*%< Elements allocated */
	unsigned int 		length;		/*%< Elements initialized */
	char 			*name;		/*%< Temporary use only */
	ISC_LINK(dns_acl_t) 	nextincache;	/*%< Ditto */
};

/*%
 * ACL evaluation environment: the current expansions of the built-in
 * "localhost" and "localnets" ACLs plus matching options.  Set up by
 * dns_aclenv_init() and released by dns_aclenv_destroy(); passed to
 * every dns_acl_match*() / dns_aclelement_match*() call.
 */
struct dns_aclenv {
	dns_acl_t *localhost;		/*%< Expansion of the built-in "localhost" ACL */
	dns_acl_t *localnets;		/*%< Expansion of the built-in "localnets" ACL */
	/*
	 * NOTE(review): presumably whether IPv4-mapped IPv6 addresses
	 * are matched against IPv4 entries -- confirm in acl.c.
	 */
	isc_boolean_t match_mapped;
#ifdef HAVE_GEOIP
	dns_geoip_databases_t *geoip;	/*%< Databases consulted for geoip elements */
	/*
	 * NOTE(review): presumably whether geoip lookups use the client
	 * subnet ('ecs') prefix instead of the source address -- confirm.
	 */
	isc_boolean_t geoip_use_ecs;
#endif
};

/*% Magic number stored in dns_acl.magic; DNS_ACL_VALID(a) checks it. */
#define DNS_ACL_MAGIC		ISC_MAGIC('D','a','c','l')
#define DNS_ACL_VALID(a)	ISC_MAGIC_VALID(a, DNS_ACL_MAGIC)

/***
 *** Functions
 ***/

ISC_LANG_BEGINDECLS

isc_result_t
dns_acl_create(isc_mem_t *mctx, int n, dns_acl_t **target);
/*%<
 * Create a new ACL, including an IP table and an array with room
 * for 'n' ACL elements.  The elements are uninitialized and the
 * length is 0.
 *
 * NOTE(review): 'n' is a signed int and this header does not say how
 * a negative or very large value is treated; pass only a bounded,
 * non-negative count.  'target' presumably follows the same contract
 * as dns_acl_attach() (non-NULL, '*target' NULL) -- confirm in acl.c.
 */

isc_result_t
dns_acl_any(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches everything, i.e. the equivalent of
 * "{ any; }" (see dns_acl_isany()).
 */

isc_result_t
dns_acl_none(isc_mem_t *mctx, dns_acl_t **target);
/*%<
 * Create a new ACL that matches nothing, i.e. the equivalent of
 * "{ none; }" (see dns_acl_isnone()).
 */

isc_boolean_t
dns_acl_isany(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ any; }"
 *
 * NOTE(review): this presumably tests the structural form of the ACL,
 * not whether its contents happen to admit every address; an ACL
 * built from explicit prefixes that covers all of the address space
 * may still return ISC_FALSE.  Confirm in acl.c before using this as
 * an "is wide open" check.
 */

isc_boolean_t
dns_acl_isnone(dns_acl_t *acl);
/*%<
 * Test whether ACL is set to "{ none; }"
 *
 * NOTE(review): as with dns_acl_isany(), this presumably checks the
 * form of the ACL rather than proving that nothing can match it.
 */

isc_result_t
dns_acl_merge(dns_acl_t *dest, dns_acl_t *source, isc_boolean_t pos);
/*%<
 * Merge the contents of one ACL into another.  Call dns_iptable_merge()
 * for the IP tables, then concatenate the element arrays.
 *
 * If pos is set to false, then the nested ACL is to be negated.  This
 * means reverse the sense of each *positive* element or IP table node,
 * but leave negatives alone, so as to prevent a double-negative causing
 * an unexpected positive match in the parent ACL.
 *
 * Because the element arrays are concatenated, the insertion order --
 * and hence the '*match' ordinals reported by dns_acl_match2() --
 * reflects 'dest' first, then 'source'.
 *
 * NOTE(review): the result code is not documented here; presumably
 * growing 'dest' can fail with a non-success result, so callers must
 * check it rather than assume the merge happened.
 */

void
dns_acl_attach(dns_acl_t *source, dns_acl_t **target);
/*%<
 * Attach to acl 'source': take a new reference to it and store the
 * pointer in '*target'.  The caller now owns that reference and must
 * release it with dns_acl_detach().
 *
 * Requires:
 *\li	'source' to be a valid acl.
 *\li	'target' to be non NULL and '*target' to be NULL.
 */

void
dns_acl_detach(dns_acl_t **aclp);
/*%<
 * Detach the acl, dropping one reference.  On final detach the acl
 * must not be linked on any list (its 'nextincache' link is a
 * temporary-use field and must have been cleared by then).
 *
 * Requires:
 *\li	'*aclp' to be a valid acl.
 *
 * Insists:
 *\li	'*aclp' is not linked on final detach.
 *
 * NOTE(review): presumably '*aclp' is set to NULL on return, as is
 * usual for ISC detach functions -- confirm in acl.c before relying
 * on it to avoid a dangling pointer.
 */

isc_boolean_t
dns_acl_isinsecure(const dns_acl_t *a);
/*%<
 * Return #ISC_TRUE iff the acl 'a' is considered insecure, that is,
 * if it contains IP addresses other than those of the local host.
 * This is intended for applications such as printing warning
 * messages for suspect ACLs; it is not intended for making access
 * control decisions.  We make no guarantee that an ACL for which
 * this function returns #ISC_FALSE is safe.
 *
 * In other words this is a heuristic for diagnostics only: an
 * #ISC_FALSE result must never be used as an authorization, and
 * an #ISC_TRUE result is a prompt to warn, not a reason to reject.
 */

isc_result_t
dns_aclenv_init(isc_mem_t *mctx, dns_aclenv_t *env);
/*%<
 * Initialize ACL environment, setting up localhost and localnets ACLs.
 * An environment that was initialized successfully is released with
 * dns_aclenv_destroy().
 *
 * NOTE(review): the state of 'env' after a non-success result is not
 * documented here; do not call dns_aclenv_destroy() on it without
 * confirming that is safe in acl.c.
 */

void
dns_aclenv_copy(dns_aclenv_t *t, dns_aclenv_t *s);
/*%<
 * Copy ACL environment 's' into 't'.  Note the destination-first
 * argument order.
 *
 * NOTE(review): whether the localhost/localnets ACLs (and the GeoIP
 * context, if built in) are attached with a new reference or copied
 * as bare pointers is not visible from this header -- confirm in
 * acl.c before destroying 's' and 't' independently.
 */

void
dns_aclenv_destroy(dns_aclenv_t *env);
/*%<
 * Release the resources held by an environment set up with
 * dns_aclenv_init(), presumably detaching its localhost and
 * localnets ACLs -- confirm in acl.c.
 */

/*%
 * ACL matching without EDNS client subnet information.  Presumably
 * equivalent to dns_acl_match2() with 'ecs' NULL (confirm in acl.c);
 * see dns_acl_match2() below for the full contract, in particular
 * that the result code is always #ISC_R_SUCCESS and the decision is
 * carried in '*match'.
 */
isc_result_t
dns_acl_match(const isc_netaddr_t *reqaddr,
	      const dns_name_t *reqsigner,
	      const dns_acl_t *acl,
	      const dns_aclenv_t *env,
	      int *match,
	      const dns_aclelement_t **matchelt);

isc_result_t
dns_acl_match2(const isc_netaddr_t *reqaddr,
	       const dns_name_t *reqsigner,
	       const isc_netaddr_t *ecs,
	       isc_uint8_t ecslen,
	       isc_uint8_t *scope,
	       const dns_acl_t *acl,
	       const dns_aclenv_t *env,
	       int *match,
	       const dns_aclelement_t **matchelt);
/*%<
 * General, low-level ACL matching.  This is expected to
 * be useful even for weird stuff like the topology and sortlist statements.
 *
 * Match the address 'reqaddr', and optionally the key name 'reqsigner',
 * and optionally the client prefix 'ecs' of length 'ecslen'
 * (reported via EDNS client subnet option) against 'acl'.
 *
 * 'reqsigner' and 'ecs' may be NULL.  If an ACL matches against 'ecs'
 * and 'ecslen', then 'scope' will be set to indicate the netmask that
 * matched.
 *
 * Security note: 'ecs' is taken from the EDNS client subnet option in
 * the request, i.e. it is a value the querying party chose, whereas
 * 'reqaddr' is the transport source address.  An ACL that matches on
 * 'ecs' is therefore deciding on client-asserted data; callers using
 * this for access control (rather than topology/sortlist-style
 * steering) should keep that in mind.
 *
 * If there is a match, '*match' will be set to an integer whose absolute
 * value corresponds to the order in which the matching value was inserted
 * into the ACL.  For a positive match, this value will be positive; for a
 * negative match, it will be negative.
 *
 * If there is no match, *match will be set to zero.
 *
 * If there is a match in the element list (either positive or negative)
 * and 'matchelt' is non-NULL, *matchelt will be pointed to the matching
 * element.  A match found in the IP table rather than the element list
 * is not documented to set '*matchelt', so initialize it to NULL before
 * the call if you intend to inspect it afterwards.
 *
 * 'env' points to the current ACL environment, including the
 * current values of localhost and localnets and (if applicable)
 * the GeoIP context.
 *
 * Returns:
 *\li	#ISC_R_SUCCESS		Always succeeds.
 *
 * Because the result is always #ISC_R_SUCCESS, the allow/deny decision
 * must be taken from '*match' (and its sign), never from the result
 * code: '*match' > 0 is a positive match, < 0 an explicit negative
 * match, and 0 no match at all.
 *
 * NOTE(review): whether 'scope' may be NULL when 'ecs' is NULL is not
 * stated here; presumably it must be non-NULL whenever 'ecs' is --
 * confirm in acl.c.
 */

/*%
 * Single-element matching without EDNS client subnet information.
 * Presumably equivalent to dns_aclelement_match2() with 'ecs' NULL
 * (confirm in acl.c); see dns_aclelement_match2() below for the
 * contract.
 */
isc_boolean_t
dns_aclelement_match(const isc_netaddr_t *reqaddr,
		     const dns_name_t *reqsigner,
		     const dns_aclelement_t *e,
		     const dns_aclenv_t *env,
		     const dns_aclelement_t **matchelt);

isc_boolean_t
dns_aclelement_match2(const isc_netaddr_t *reqaddr,
		      const dns_name_t *reqsigner,
		      const isc_netaddr_t *ecs,
		      isc_uint8_t ecslen,
		      isc_uint8_t *scope,
		      const dns_aclelement_t *e,
		      const dns_aclenv_t *env,
		      const dns_aclelement_t **matchelt);
/*%<
 * Like dns_acl_match, but matches against the single ACL element 'e'
 * rather than a complete ACL, and returns ISC_TRUE iff it matched.
 *
 * To determine whether the match was positive or negative, the
 * caller should examine e->negative.  Since the element 'e' may be
 * a reference to a named ACL or a nested ACL, a matching element
 * returned through 'matchelt' is not necessarily 'e' itself.
 *
 * Note that the return value alone is ISC_TRUE for a negative match
 * as well as a positive one; treating ISC_TRUE as "allowed" without
 * consulting e->negative inverts the meaning of negated elements.
 * The caveats in dns_acl_match2() about 'ecs' being client-asserted
 * data apply here too.
 */

ISC_LANG_ENDDECLS

#endif /* DNS_ACL_H */