0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater * Copyright (C) 2011, 2012 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * Permission to use, copy, modify, and/or distribute this software for any
803b50652fd6ad81d04d18fc04332c8a94f8fe9aAndreas Gustafsson * purpose with or without fee is hereby granted, provided that the above
803b50652fd6ad81d04d18fc04332c8a94f8fe9aAndreas Gustafsson * copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews * PERFORMANCE OF THIS SOFTWARE.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater#define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX"nsdname"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#define DNS_RPZ_PASSTHRU_ZONE DNS_RPZ_PREFIX"passthru"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintypedef enum {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN <
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintypedef enum {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS_RPZ_POLICY_NXDOMAIN = 3, /* 'nxdomain': answer with NXDOMAIN */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS_RPZ_POLICY_NODATA = 4, /* 'nodata': answer with ANCOUNT=0 */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DNS_RPZ_POLICY_CNAME = 5, /* 'cname x': answer with x's rrsets */
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater# error "rpz zone bit masks must fit in a word"
/*
 * Bit for policy zone number n in a dns_rpz_zbits_t mask.
 * There is no range check here: a shift count at or beyond the width of
 * dns_rpz_zbits_t is undefined behaviour in C, so n must already be a
 * valid zone number (below DNS_RPZ_MAX_ZONES, which the "# error" test
 * above is meant to keep within one word).  DNS_RPZ_ZMASK() carries its
 * own bounds test; this macro relies on the caller.
 */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n))
 * Mask of the specified and all higher-numbered policy zones.
 * The bounds test on n below exists because shifting by a count at or
 * beyond the width of the type is undefined behaviour in C (the
 * (1<<33) and (1<<65) cases), not merely a portability nuisance.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#define DNS_RPZ_ZMASK(n) ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? \
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * A single response policy zone.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintypedef struct dns_rpz_triggers dns_rpz_triggers_t;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dns_rpz_num_t num; /* ordinal in list of policy zones */
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews dns_name_t passthru; /* DNS_RPZ_PASSTHRU_ZONE. */
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews dns_name_t cname; /* override value for ..._CNAME */
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */
7329012471d165cd3dc4180ad2a0a43de91e7f01Mark Andrews * Radix tree node for response policy IP addresses
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintypedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * Response policy zones known to a view.
 * The set of records for a policy zone is in one of these states:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * never loaded load_begun=0 have=0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * during initial loading load_begun=1 have=0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * and rbtdb->rpzsp == rbtdb->load_rpzsp
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * after good load load_begun=1 have!=0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * after failed initial load load_begun=1 have=0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * and rbtdb->load_rpzsp == NULL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * reloading after failure load_begun=1 have=0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * reloading after success
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews * main rpzs load_begun=1 have!=0
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * load rpzs load_begun=1 have=0
 * One lock, held only for short read-only searches, guarantees that the
 * pointers a searcher follows are consistent.
 * A second lock, held for maintenance, guarantees that no other thread
 * is adding or deleting nodes while it is held.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * context for finding the best policy
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeintypedef struct {
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein unsigned int state;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# define DNS_RPZ_DONE_QNAME 0x0002 /* qname checked */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# define DNS_RPZ_DONE_QNAME_IP 0x0004 /* IP addresses of qname checked */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein# define DNS_RPZ_DONE_NSDNAME 0x0008 /* NS name missed; checking addresses */
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * Best match so far.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * State for chasing IP addresses and NS names including recursion.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein unsigned int label;
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * State of real query while recursing for NSIP or NSDNAME.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * p_name: current policy owner name
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * r_name: recursing for this name to possible policy triggers
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein * f_name: saved found name from before recursion
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein#define DNS_RPZ_MAX_TTL_DEFAULT DNS_RPZ_TTL_DEFAULT
 * Debug levels so that the various response policy zone messages can be
 * turned up or down independently.
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrews#define DNS_RPZ_DEBUG_QUIET (DNS_RPZ_DEBUG_LEVEL3+1)
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updaterdns_rpz_policy2str(dns_rpz_policy_t policy);
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updaterdns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrewsdns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx);
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrewsdns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target);
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrews dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num);
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrewsdns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name);
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrewsdns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein dns_name_t *ip_name, dns_rpz_prefix_t *prefixp);
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeindns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
69f175fc57a578dd85c1548ed3f34284321f9d3aMark Andrews#endif /* DNS_RPZ_H */