acl.h revision 7d32c065c7bb56f281651ae3dd2888f32ce4f1d9
/*
* Copyright (C) 1999, 2000 Internet Software Consortium.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
* CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
*/
#ifndef DNS_ACL_H
#define DNS_ACL_H 1
/*****
***** Module Info
*****/
/*
* Address match list handling.
*/
/***
*** Imports
***/
#include <isc/sockaddr.h>
/***
*** Types
***/
typedef enum {
struct dns_aclelement {
union {
struct {
unsigned int prefixlen;
} ip_prefix;
} u;
};
struct dns_acl {
unsigned int refcount;
unsigned int alloc; /* Elements allocated */
unsigned int length; /* Elements initialized */
char *name; /* Temporary use only */
};
#define DNS_ACL_VALID(a) ((a) != NULL && \
(a)->magic == DNS_ACL_MAGIC)
/***
*** Functions
***/
/*
* Create a new ACL with place for 'n' elements.
* The elements are uninitialized and the length is 0.
*/
/*
* Create a new ACL that matches everything.
*/
/*
* Create a new ACL that matches nothing.
*/
const char *opname,
/*
* Convenience function for "typical" DNS request permission checking.
*
* Check the DNS request signed by the key whose name is 'signer',
* from IP address 'reqaddr', against 'main_acl'. If main_acl is NULL,
* check against 'fallback_acl' instead. If fallback_acl
* is also NULL, allow the request iff 'default_allow' is ISC_TRUE.
* Log the outcome of the check if deemed appropriate.
* Log messages will refer to the request as an 'opname' request.
*
* Notes:
* This is appropriate for checking allow-update,
* allow-query, allow-transfer, etc. It is not appropriate
* for checking the blackhole list because we treat positive
* matches as "allow" and negative matches as "deny"; in
* the case of the blackhole list this would be backwards.
*
* Requires:
* 'signer' points to a valid name or is NULL.
* 'reqaddr' points to a valid socket address.
* 'opname' points to a null-terminated string.
* 'main_acl' points to a valid address match list, or is NULL.
* 'fallback_acl' points to a valid address match list, or is NULL.
*
* Returns:
* ISC_R_SUCCESS if the request should be allowed
* ISC_R_REFUSED if the request should be denied
* No other return values are possible.
*/
int *match,
/*
* General, low-level ACL matching. This is expected to
* be useful even for weird stuff like the topology and sortlist statements.
*
* Match the address 'reqaddr', and optionally the key name 'reqsigner',
* against 'acl'. 'reqsigner' may be NULL.
*
* If there is a positive match, '*match' will be set to a positive value
* indicating the distance from the beginning of the list.
*
* If there is a negative match, '*match' will be set to a negative value
* whose absoluate value indicates the distance from the beginning of
* the list.
*
* If there is a match (either positive or negative) and 'matchelt' is
* non-NULL, *matchelt will be attached to the primitive
* (non-indirect) address match list element that matched.
*
* If there is no match, *match will be set to zero.
*
* Returns:
* DNS_R_SUCCESS Always succeeds.
*/
#endif /* DNS_ACL_H */