/*
* Copyright (C) 2011-2017 Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*/
/*! \file */
#include <config.h>
#include <dns/fixedname.h>
#include <dns/rdataset.h>
#include <dns/rdatastruct.h>
/*
* Parallel radix trees for databases of response policy IP addresses
*
* The radix or patricia trees are somewhat specialized to handle response
* policy addresses by representing the two sets of IP addresses and name
* server IP addresses in a single tree. One set of IP addresses is
* for rpz-ip policies or policies triggered by addresses in A or
* AAAA records in responses.
* The second set is for rpz-nsip policies or policies triggered by addresses
* in A or AAAA records for NS records that are authorities for responses.
*
* Each leaf indicates that an IP address is listed in the IP address or the
* name server IP address policy sub-zone (or both) of the corresponding
* response policy zone. The policy data such as a CNAME or an A record
* is kept in the policy zone. After an IP address has been found in a radix
* tree, the node in the policy zone's database is found by converting
* the IP address to a domain name in a canonical form.
*
*
* The response policy zone canonical form of an IPv6 address is one of:
* prefix.W.W.W.W.W.W.W.W
* prefix.WORDS.zz
* prefix.WORDS.zz.WORDS
* prefix.zz.WORDS
* where
* prefix is the prefix length of the IPv6 address between 1 and 128
* W is a number between 0 and 65535
* WORDS is one or more numbers W separated with "."
* zz corresponds to :: in the standard IPv6 text representation
*
* The canonical form of IPv4 addresses is:
* prefix.B.B.B.B
* where
* prefix is the prefix length of the address between 1 and 32
* B is a number between 0 and 255
*
* Names for IPv4 addresses are distinguished from IPv6 addresses by having
* 5 labels all of which are numbers, and a prefix between 1 and 32.
*/
/*
* Use a private definition of IPv6 addresses because s6_addr32 is not
* always defined and our IPv6 addresses are in non-standard byte order
*/
typedef struct {
: ((dns_rpz_cidr_word_t)(-1) \
<< (DNS_RPZ_CIDR_WORD_BITS - (b))))
/*
* Get bit #n from the array of words of an IP address.
*/
- 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS))))
/*
* A triplet of arrays of bits flagging the existence of
* client-IP, IP, and NSIP policy triggers.
*/
struct dns_rpz_addr_zbits {
};
/*
* A CIDR or radix tree node.
*/
struct dns_rpz_cidr_node {
};
/*
* A pair of arrays of bits flagging the existence of
* QNAME and NSDNAME policy triggers.
*/
struct dns_rpz_nm_zbits {
};
/*
* The data in a RBT node has two pairs of bits for policy zones.
* One pair is for the corresponding name of the node such as example.com
* and the other pair is for a wildcard child such as *.example.com.
*/
struct dns_rpz_nm_data {
};
#if 0
/*
* Catch a name while debugging.
*/
static void
}
}
#endif
const char *
switch (type) {
case DNS_RPZ_TYPE_CLIENT_IP:
return ("CLIENT-IP");
case DNS_RPZ_TYPE_QNAME:
return ("QNAME");
case DNS_RPZ_TYPE_IP:
return ("IP");
case DNS_RPZ_TYPE_NSIP:
return ("NSIP");
case DNS_RPZ_TYPE_NSDNAME:
return ("NSDNAME");
case DNS_RPZ_TYPE_BAD:
break;
}
return ("impossible");
}
static struct {
const char *str;
} tbl[] = {
{"given", DNS_RPZ_POLICY_GIVEN},
{"disabled", DNS_RPZ_POLICY_DISABLED},
{"passthru", DNS_RPZ_POLICY_PASSTHRU},
{"drop", DNS_RPZ_POLICY_DROP},
{"tcp-only", DNS_RPZ_POLICY_TCP_ONLY},
{"nxdomain", DNS_RPZ_POLICY_NXDOMAIN},
{"nodata", DNS_RPZ_POLICY_NODATA},
{"cname", DNS_RPZ_POLICY_CNAME},
};
unsigned int n;
return (DNS_RPZ_POLICY_ERROR);
}
return (DNS_RPZ_POLICY_ERROR);
}
const char *
const char *str;
switch (policy) {
case DNS_RPZ_POLICY_PASSTHRU:
str = "PASSTHRU";
break;
case DNS_RPZ_POLICY_DROP:
str = "DROP";
break;
case DNS_RPZ_POLICY_TCP_ONLY:
str = "TCP-ONLY";
break;
case DNS_RPZ_POLICY_NXDOMAIN:
str = "NXDOMAIN";
break;
case DNS_RPZ_POLICY_NODATA:
str = "NODATA";
break;
case DNS_RPZ_POLICY_RECORD:
str = "Local-Data";
break;
case DNS_RPZ_POLICY_CNAME:
case DNS_RPZ_POLICY_WILDCNAME:
str = "CNAME";
break;
case DNS_RPZ_POLICY_MISS:
str = "MISS";
break;
default:
str = "";
INSIST(0);
}
return (str);
}
/*
* Return the bit number of the highest set bit in 'zbit'.
* (for example, 0x01 returns 0, 0xFF returns 7, etc.)
*/
static int
rpz_num = 0;
#if DNS_RPZ_MAX_ZONES > 32
if ((zbit & 0xffffffff00000000L) != 0) {
zbit >>= 32;
rpz_num += 32;
}
#endif
if ((zbit & 0xffff0000) != 0) {
zbit >>= 16;
rpz_num += 16;
}
if ((zbit & 0xff00) != 0) {
zbit >>= 8;
rpz_num += 8;
}
if ((zbit & 0xf0) != 0) {
zbit >>= 4;
rpz_num += 4;
}
if ((zbit & 0xc) != 0) {
zbit >>= 2;
rpz_num += 2;
}
if ((zbit & 2) != 0)
++rpz_num;
return (rpz_num);
}
/*
* Make a set of bit masks given one or more bits and their type.
*/
static void
{
switch (type) {
case DNS_RPZ_TYPE_CLIENT_IP:
break;
case DNS_RPZ_TYPE_IP:
break;
case DNS_RPZ_TYPE_NSIP:
break;
default:
INSIST(0);
break;
}
}
static void
{
switch (type) {
case DNS_RPZ_TYPE_QNAME:
break;
case DNS_RPZ_TYPE_NSDNAME:
break;
default:
INSIST(0);
break;
}
}
/*
* Mark a node and all of its parents as having client-IP, IP, or NSIP data
*/
static void
do {
}
}
break;
}
/* Caller must hold rpzs->maint_lock */
static void
/*
* qname_wait_recurse and qname_skip_recurse are used to
* implement the "qname-wait-recurse" config option.
*
* When "qname-wait-recurse" is yes, no processing happens
* without recursion. In this case, qname_wait_recurse is true,
* and qname_skip_recurse (a bitfield indicating which policy
* zones can be processed without recursion) is set to all 0's
* by fix_qname_skip_recurse().
*
* When "qname-wait-recurse" is no, qname_skip_recurse may be
* set to a non-zero value by fix_qname_skip_recurse(). The mask
* has to have bits set for the policy zones for which
* processing may continue without recursion, and bits cleared
* for the rest.
*
* (1) The ARM says:
*
* The "qname-wait-recurse no" option overrides that default
* behavior when recursion cannot change a non-error
* response. The option does not affect QNAME or client-IP
* triggers in policy zones listed after other zones
* containing IP, NSIP and NSDNAME triggers, because those may
* depend on the A, AAAA, and NS records that would be found
* during recursive resolution.
*
* Let's consider the following:
*
* zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
* rpzs->have.nsdname |
* rpzs->have.nsipv4 | rpzs->have.nsipv6);
*
* zbits_req now contains bits set for zones which require
* recursion.
*
* But going by the description in the ARM, if the first policy
* zone requires recursion, then all zones after that (higher
* order bits) have to wait as well. If the Nth zone requires
* recursion, then (N+1)th zone onwards all need to wait.
*
* So mapping this, examples:
*
* zbits_req = 0b000 mask = 0xffffffff (no zones have to wait for
* recursion)
* zbits_req = 0b001 mask = 0x00000000 (all zones have to wait)
* zbits_req = 0b010 mask = 0x00000001 (the first zone doesn't have to
* wait, second zone onwards need
* to wait)
* zbits_req = 0b011 mask = 0x00000000 (all zones have to wait)
* zbits_req = 0b100 mask = 0x00000011 (the 1st and 2nd zones don't
* have to wait, third zone
* onwards need to wait)
*
* More generally, we have to count the number of trailing 0
* bits in zbits_req and only these can be processed without
* recursion. All the rest need to wait.
*
* (2) The ARM says that "qname-wait-recurse no" option
* overrides the default behavior when recursion cannot change a
* non-error response. So, in the order of listing of policy
* zones, within the first policy zone where recursion may be
* required, we should first allow CLIENT-IP and QNAME policy
* records to be attempted without recursion.
*/
/*
* Get a mask covering all policy zones that are not subordinate to
* other policy zones containing triggers that require that the
* qname be resolved before they can be checked.
*/
if (rpzs->p.qname_wait_recurse) {
mask = 0;
} else {
/*
* Get the masks of zones with policies that
*/
if (zbits_req == 0) {
goto set;
}
/*
* req_mask is a mask covering used bits in
* zbits_req. (For instance, 0b1 => 0b1, 0b101 => 0b111,
* 0b11010101 => 0b11111111).
*/
#if DNS_RPZ_MAX_ZONES > 32
#endif
/*
* There's no point in skipping recursion for a later
* zone if it is required in a previous zone.
*/
if ((zbits_notreq & req_mask) == 0) {
mask = 0;
goto set;
}
/*
* This bit arithmetic creates a mask of zones in which
* it is okay to skip recursion. After the first zone
* that has to wait for recursion, all the others have
* to wait as well, so we want to create a mask in which
* all the trailing zeroes in zbits_req are are 1, and
* more significant bits are 0. (For instance,
* 0x0700 => 0x00ff, 0x0007 => 0x0000)
*/
/*
* As mentioned in (2) above, the zone corresponding to
* the least significant zero could have its CLIENT-IP
* and QNAME policies checked before recursion, if it
* has any of those policies. So if it does, we
* can set its 0 to 1.
*
* Locate the least significant 0 bit in the mask (for
* instance, 0xff => 0x100)...
*/
/*
* Also set the bit for zone 0, because if it's in
* zbits_notreq then it's definitely okay to attempt to
* skip recursion for zone 0...
*/
mask2 |= 1;
/* Clear any bits *not* in zbits_notreq... */
mask2 &= zbits_notreq;
/* And merge the result into the skip-recursion mask */
}
set:
"computed RPZ qname_skip_recurse mask=0x%llx",
(isc_uint64_t) mask);
}
static void
{
switch (rpz_type) {
case DNS_RPZ_TYPE_CLIENT_IP:
} else {
}
break;
case DNS_RPZ_TYPE_QNAME:
break;
case DNS_RPZ_TYPE_IP:
} else {
}
break;
case DNS_RPZ_TYPE_NSDNAME:
break;
case DNS_RPZ_TYPE_NSIP:
} else {
}
break;
default:
INSIST(0);
}
if (inc) {
if (++*cnt == 1U) {
}
} else {
if (--*cnt == 0U) {
}
}
}
static dns_rpz_cidr_node_t *
const dns_rpz_cidr_node_t *child)
{
return (NULL);
i = 0;
while (i < words) {
++i;
}
if (wlen != 0) {
++i;
}
while (i < DNS_RPZ_CIDR_WORDS)
return (node);
}
static void
/*
*/
if (level < DNS_RPZ_DEBUG_QUIET &&
"invalid rpz IP address \"%s\"%s%s",
}
}
/*
* Convert an IP address from radix tree binary (host byte order) to
* to its canonical response policy domain name without the origin of the
* policy zone.
*
* Generate a name for an IPv6 address that fits RFC 5952, except that
* our reversed format requires that when the length of the consecutive
* 16-bit 0 fields are equal (e.g., 1.0.0.1.0.0.db8.2001 corresponding
* to 2001:db8:0:0:1:0:0:1), we shorted the last instead of the first
* (e.g., 1.0.0.1.zz.db8.2001 corresponding to 2001:db8::1:0:0:1).
*/
static isc_result_t
{
#ifndef INET6_ADDRSTRLEN
#endif
int w[DNS_RPZ_CIDR_WORDS*2];
int i, n, len;
tgt_prefix - 96,
return (ISC_R_FAILURE);
} else {
if (len == -1)
return (ISC_R_FAILURE);
for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
& 0xffff);
}
/*
* Find the start and length of the first longest sequence
* of zeros in the address.
*/
best_first = -1;
best_len = 0;
cur_first = -1;
cur_len = 0;
for (n = 0; n <=7; ++n) {
if (w[n] != 0) {
cur_len = 0;
cur_first = -1;
} else {
++cur_len;
if (cur_first < 0) {
cur_first = n;
}
}
}
for (n = 0; n <= 7; ++n) {
if (n == best_first) {
".zz");
n += best_len - 1;
} else {
".%x", w[n]);
}
}
}
return (result);
}
/*
* Determine the type of a name in a response policy zone.
*/
static dns_rpz_type_t
return (DNS_RPZ_TYPE_IP);
return (DNS_RPZ_TYPE_CLIENT_IP);
#ifdef ENABLE_RPZ_NSIP
return (DNS_RPZ_TYPE_NSIP);
#endif
#ifdef ENABLE_RPZ_NSDNAME
return (DNS_RPZ_TYPE_NSDNAME);
#endif
return (DNS_RPZ_TYPE_QNAME);
}
/*
* Convert an IP address from canonical response policy domain name form
* to radix tree binary (host byte order) for adding or deleting IP or NSIP
* data.
*/
static isc_result_t
{
char *cp2;
int ip_labels;
unsigned long prefix_num, l;
int i;
if (rpz_type == DNS_RPZ_TYPE_QNAME)
else
if (ip_labels < 2) {
return (ISC_R_FAILURE);
}
/*
* Get text for the IP address
*/
prefix_str = ip_str;
if (*cp2 != '.') {
"; invalid leading prefix length", "");
return (ISC_R_FAILURE);
}
"; invalid prefix length of ", prefix_str);
return (ISC_R_FAILURE);
}
/*
* Convert an IPv4 address
* from the form "prefix.z.y.x.w"
*/
if (prefix_num > 32U) {
"; invalid IPv4 prefix length of ", prefix_str);
return (ISC_R_FAILURE);
}
prefix_num += 96;
tgt_ip->w[0] = 0;
tgt_ip->w[1] = 0;
tgt_ip->w[3] = 0;
for (i = 0; i < 32; i += 8) {
if (*cp2 == '.')
*cp2 = '\0';
"; invalid IPv4 octet ", cp);
return (ISC_R_FAILURE);
}
tgt_ip->w[3] |= l << i;
}
} else {
/*
* Convert a text IPv6 address.
*/
for (i = 0;
ip_labels--) {
i <= 6) {
do {
if ((i & 1) == 0)
++i;
} while (ip_labels + i <= 8);
cp += 3;
} else {
if (l > 0xffffu ||
if (*cp2 == '.')
*cp2 = '\0';
"; invalid IPv6 word ", cp);
return (ISC_R_FAILURE);
}
if ((i & 1) == 0)
else
i++;
}
}
}
return (ISC_R_FAILURE);
}
/*
* Check for 1s after the prefix length.
*/
while (prefix < DNS_RPZ_CIDR_KEY_BITS) {
i = prefix % DNS_RPZ_CIDR_WORD_BITS;
if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
"; too small prefix length of ", prefix_str);
return (ISC_R_FAILURE);
}
prefix -= i;
}
/*
* Complain about bad names but be generous and accept them.
*/
if (log_level < DNS_RPZ_DEBUG_QUIET &&
/*
* Convert the address back to a canonical domain name
* to ensure that the original name is in canonical form.
*/
if (result != ISC_R_SUCCESS ||
"rpz IP address \"%s\""
" is not the canonical \"%s\"",
}
}
return (ISC_R_SUCCESS);
}
/*
* Get trigger name and data bits for adding or deleting summary NSDNAME
* or QNAME data.
*/
static void
{
unsigned int prefix_len, n;
/*
* Handle wildcards by putting only the parent into the
* summary RBT. The summary database only causes a check of the
* real policy zone where wildcards will be handled.
*/
if (dns_name_iswildcard(src_name)) {
prefix_len = 1;
} else {
prefix_len = 0;
}
n = dns_name_countlabels(src_name);
n -= prefix_len;
if (rpz_type == DNS_RPZ_TYPE_QNAME)
else
}
#ifndef HAVE_BUILTIN_CLZ
/**
* \brief Count Leading Zeros: Find the location of the left-most set
* bit.
*/
static inline unsigned int
unsigned int bit;
if ((w & 0xffff0000) != 0) {
w >>= 16;
bit -= 16;
}
if ((w & 0xff00) != 0) {
w >>= 8;
bit -= 8;
}
if ((w & 0xf0) != 0) {
w >>= 4;
bit -= 4;
}
if ((w & 0xc) != 0) {
w >>= 2;
bit -= 2;
}
if ((w & 2) != 0)
--bit;
return (bit);
}
#endif
/*
* Find the first differing bit in two keys (IP addresses).
*/
static int
{
int i;
bit = 0;
/*
* find the first differing words
*/
if (ISC_UNLIKELY(delta != 0)) {
#ifdef HAVE_BUILTIN_CLZ
#else
#endif
break;
}
}
}
/*
* Given a hit while searching the radix trees,
* clear all bits for higher numbered zones.
*/
static inline dns_rpz_zbits_t
/*
* Isolate the first or smallest numbered hit bit.
* Make a mask of that bit and all smaller numbered bits.
*/
x &= (~x + 1);
x = (x << 1) - 1;
return (zbits &= x);
}
/*
* Search a radix tree for an IP address for ordinary lookup
* or for a CIDR block adding or deleting an entry
*
* Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND,
* and *found=longest match node
* or with create==ISC_TRUE, ISC_R_EXISTS or ISC_R_NOMEMORY
*/
static isc_result_t
{
cur_num = 0;
for (;;) {
/*
* No child so we cannot go down.
* Quit with whatever we already found
* or add the target as a child of the current parent.
*/
if (!create)
return (find_result);
return (ISC_R_NOMEMORY);
else
return (ISC_R_SUCCESS);
}
/*
* This node has no relevant data
* and is in none of the target trees.
* Pretend it does not exist if we are not adding.
*
* If we are adding, continue down to eventually add
*/
if (!create)
return (find_result);
}
/*
* dbit <= tgt_prefix and dbit <= cur->prefix always.
* We are finished searching if we matched all of the target.
*/
if (dbit == tgt_prefix) {
/*
* The node's key matches the target exactly.
*/
/*
* It is the answer if it has data.
*/
if (create) {
} else {
}
} else if (create) {
/*
* The node lacked relevant data,
* but will have it now.
*/
}
return (find_result);
}
/*
* We know tgt_prefix < cur->prefix which means that
* the target is shorter than the current node.
* Add the target as the current node's parent.
*/
if (!create)
return (find_result);
if (new_parent == NULL)
return (ISC_R_NOMEMORY);
else
*found = new_parent;
return (ISC_R_SUCCESS);
}
/*
* We have a partial match between of all of the
* current node but only part of the target.
* Continue searching for other hits in the
* same or lower numbered trees.
*/
}
continue;
}
/*
* dbit < tgt_prefix and dbit < cur->prefix,
* so we failed to match both the target and the current node.
* Insert a fork of a parent above the current node and
* add the target as a sibling of the current node
*/
if (!create)
return (find_result);
return (ISC_R_NOMEMORY);
if (new_parent == NULL) {
return (ISC_R_NOMEMORY);
}
else
return (ISC_R_SUCCESS);
}
}
/*
* Add an IP address to the radix tree.
*/
static isc_result_t
{
/*
* Log complaints about bad owner names but let the zone load.
*/
if (result != ISC_R_SUCCESS)
return (ISC_R_SUCCESS);
if (result != ISC_R_SUCCESS) {
/*
* Do not worry if the radix tree already exists,
* because diff_apply() likes to add nodes before deleting.
*/
if (result == ISC_R_EXISTS)
return (ISC_R_SUCCESS);
/*
*/
"rpz add_cidr(%s) failed: %s",
return (result);
}
return (result);
}
static isc_result_t
const dns_rpz_nm_data_t *new_data)
{
switch (result) {
case ISC_R_SUCCESS:
case ISC_R_EXISTS:
return (ISC_R_NOMEMORY);
return (ISC_R_SUCCESS);
}
break;
default:
return (result);
}
/*
* Do not count bits that are already present
*/
return (ISC_R_EXISTS);
return (ISC_R_SUCCESS);
}
static isc_result_t
{
/*
* We need a summary database of names even with 1 policy zone,
* because wildcard triggers are handled differently.
*/
/*
* Do not worry if the node already exists,
* because diff_apply() likes to add nodes before deleting.
*/
if (result == ISC_R_EXISTS)
return (ISC_R_SUCCESS);
if (result == ISC_R_SUCCESS)
return (result);
}
/*
* Callback to free the data for a node in the summary RBT database.
*/
static void
}
/*
* Get ready for a new set of policy zones for a view.
*/
return (ISC_R_NOMEMORY);
if (result != ISC_R_SUCCESS) {
return (result);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
if (result != ISC_R_SUCCESS) {
return (result);
}
return (ISC_R_SUCCESS);
}
/*
* Free the radix tree of a response policy database.
*/
static void
/* Depth first. */
continue;
}
continue;
}
/* Delete this leaf and go up. */
else
}
}
/*
* Discard a response policy zone blob
* before discarding the overall rpz structure.
*/
static void
unsigned int refs;
if (refs != 0)
return;
}
void
}
/*
* Forget a view's policy zones.
*/
void
unsigned int refs;
if (refs > 0)
return;
/*
* Forget the last of view's rpz machinery after the last
* reference.
*/
}
}
/*
* Create empty summary database to load one zone.
* The RBTDB write tree lock must be held.
*/
{
/*
* When reloading a zone, there are usually records among the summary
* data for the zone. Some of those records might be deleted by the
* reloaded zone data. To deal with that case:
* reload the new zone data into a new blank summary database
* if the reload fails, discard the new summary database
* if the new zone data is acceptable, copy the records for the
* other zones into the new summary CIDR and RBT databases
* and replace the old summary databases with the new, and
* correct the triggers and have values for the updated
* zone.
*
* At the first attempt to load a zone, there is no summary data
* for the zone and so no records that need to be deleted.
* This is also the most common case of policy zone loading.
* Most policy zone maintenance should be by incremental changes
* and so by the addition and deletion of individual records.
* Detect that case and load records the first time into the
* operational summary database
*/
/*
* There is no existing version of the target zone.
*/
} else {
/*
* Setup the new RPZ struct with empty summary trees.
*/
if (result != ISC_R_SUCCESS)
return (result);
load_rpzs = *load_rpzsp;
/*
* Initialize some members so that dns_rpz_add() works.
*/
}
return (ISC_R_SUCCESS);
}
/*
* This function updates "have" bits and also the qname_skip_recurse
* mask. It must be called when holding a write lock on rpzs->search_lock.
*/
static void
/*
* rpzs->total_triggers is only used to log a message below.
*/
} else { \
}
zbit = DNS_RPZ_ZBIT(n);
}
"(re)loading policy zone '%s' changed from"
" %lu to %lu qname, %lu to %lu nsdname,"
" %lu to %lu IP, %lu to %lu NSIP,"
" %lu to %lu CLIENTIP entries",
(unsigned long) old_totals.qname,
(unsigned long) old_totals.nsdname,
(unsigned long) old_totals.client_ipv4 +
}
/*
* Finish loading one zone. This function is called during a commit when
* a RPZ zone loading is complete. The RBTDB write tree lock must be
* held.
*
* Here, rpzs is a pointer to the view's common rpzs
* structure. *load_rpzsp is a rpzs structure that is local to the
* RBTDB, which is used during a single zone's load.
*
* During the zone load, i.e., between dns_rpz_beginload() and
* dns_rpz_ready(), only the zone that is being loaded updates
* *load_rpzsp. These updates in the summary databases inside load_rpzsp
* are made only for the rpz_num (and corresponding bit) of that
* zone. Nothing else reads or writes *load_rpzsp. The view's common
* rpzs is used during this time for queries.
*
* When zone loading is complete and we arrive here, the parts of the
* summary databases (CIDR and nsdname+qname RBT trees) from the view's
* common rpzs struct have to be merged into the summary databases of
* *load_rpzsp, as the summary databases of the view's common rpzs
* struct may have changed during the time the zone was being loaded.
*
* The function below carries out the merge. During the merge, it holds
* the maint_lock of the view's common rpzs struct so that it is not
* updated while the merging is taking place.
*
* After the merging is carried out, *load_rpzsp contains the most
* current state of the rpzs structure, i.e., the summary trees contain
* data for the new zone that was just loaded, as well as all other
* zones.
*
* Pointers to the summary databases of *load_rpzsp (CIDR and
* nsdname+qname RBT trees) are then swapped into the view's common rpz
* struct, so that the query path can continue using it. During the
* swap, the search_lock of the view's common rpz struct is acquired so
* that queries are paused while this swap occurs.
*
* The trigger counts for the new zone are also copied into the view's
* common rpz struct, and some other summary counts and masks are
* updated.
*/
{
load_rpzs = *load_rpzsp;
/*
* This is a successful initial zone loading, perhaps
* for a new instance of a view.
*/
return (ISC_R_SUCCESS);
}
/*
* Unless there is only one policy zone, copy the other policy zones
* from the old policy structure to the new summary databases.
*/
/*
* Copy to the radix tree.
*/
if (result == ISC_R_NOMEMORY)
goto unlock_and_detach;
}
/*
* Do down and to the left as far as possible.
*/
if (next_cnode != NULL)
continue;
/*
* Go up until we find a branch to the right where
* we previously took the branch to the left.
*/
for (;;) {
if (parent_cnode == NULL)
break;
if (next_cnode != NULL)
break;
}
}
}
/*
* Copy to the summary RBT.
*/
&nmnode);
new_bit);
new_bit);
&new_data);
if (result != ISC_R_SUCCESS)
goto unlock_and_detach;
}
}
}
"dns_rpz_ready(): unexpected %s",
goto unlock_and_detach;
}
}
/*
* Exchange the summary databases.
*/
return (result);
}
/*
* Add an IP address to the radix tree or a name to the summary database.
*/
{
switch (rpz_type) {
case DNS_RPZ_TYPE_QNAME:
case DNS_RPZ_TYPE_NSDNAME:
break;
case DNS_RPZ_TYPE_CLIENT_IP:
case DNS_RPZ_TYPE_IP:
case DNS_RPZ_TYPE_NSIP:
break;
case DNS_RPZ_TYPE_BAD:
break;
}
return (result);
}
/*
* Remove an IP address from the radix tree.
*/
static void
{
/*
* Do not worry about invalid rpz IP address names. If we
* are here, then something relevant was added and so was
* valid. Invalid names here are usually internal RBTDB nodes.
*/
if (result != ISC_R_SUCCESS)
return;
if (result != ISC_R_SUCCESS) {
result == DNS_R_PARTIALMATCH);
/*
* Do not worry about missing summary RBT nodes that probably
* correspond to RBTDB nodes that were implicit RBT nodes
* that were later added for (often empty) wildcards
* and then to the RBTDB deferred cleanup list.
*/
return;
}
/*
* Mark the node and its parents to reflect the deleted IP address.
* Do not count bits that are already clear for internal RBTDB nodes.
*/
/*
* We might need to delete 2 nodes.
*/
do {
/*
* The node is now useless if it has no data of its own
* and 0 or 1 children. We are finished if it is not useless.
*/
break;
} else {
}
break;
/*
* Replace the pointer to this node in the parent with
* the remaining child or NULL.
*/
} else {
}
/*
* If the child exists fix up its parent pointer.
*/
}
static void
{
/*
* We need a summary database of names even with 1 policy zone,
* because wildcard triggers are handled differently.
*/
if (result != ISC_R_SUCCESS) {
/*
* Do not worry about missing summary RBT nodes that probably
* correspond to RBTDB nodes that were implicit RBT nodes
* that were later added for (often empty) wildcards
* and then to the RBTDB deferred cleanup list.
*/
if (result == ISC_R_NOTFOUND ||
return;
"rpz del_name(%s) node search failed: %s",
return;
}
/*
* Do not count bits that next existed for RBT nodes that would we
* would not have found in a summary for a single RBTDB tree.
*/
if (result != ISC_R_SUCCESS) {
/*
*/
"rpz del_name(%s) node delete failed: %s",
}
}
if (exists)
}
/*
* Remove an IP address from the radix tree or a name from the summary database.
*/
void
dns_name_t *src_name) {
switch (rpz_type) {
case DNS_RPZ_TYPE_QNAME:
case DNS_RPZ_TYPE_NSDNAME:
break;
case DNS_RPZ_TYPE_CLIENT_IP:
case DNS_RPZ_TYPE_IP:
case DNS_RPZ_TYPE_NSIP:
break;
case DNS_RPZ_TYPE_BAD:
break;
}
}
/*
* Search the summary radix tree to get a relative owner name in a
* policy zone relevant to a triggering IP address.
* rpz_type and zbits limit the search for IP address netaddr
* return the policy zone's number or DNS_RPZ_INVALID_NUM
* ip_name is the relative owner name found and
* *prefixp is its prefix length.
*/
{
int i;
/*
* Convert IP address to CIDR tree key.
*/
tgt_ip.w[0] = 0;
tgt_ip.w[1] = 0;
switch (rpz_type) {
case DNS_RPZ_TYPE_CLIENT_IP:
break;
case DNS_RPZ_TYPE_IP:
break;
case DNS_RPZ_TYPE_NSIP:
break;
default:
INSIST(0);
break;
}
/*
* Given the int aligned struct in_addr member of netaddr->type
* one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
* but some people object.
*/
for (i = 0; i < 4; i++) {
}
switch (rpz_type) {
case DNS_RPZ_TYPE_CLIENT_IP:
break;
case DNS_RPZ_TYPE_IP:
break;
case DNS_RPZ_TYPE_NSIP:
break;
default:
INSIST(0);
break;
}
} else {
return (DNS_RPZ_INVALID_NUM);
}
if (zbits == 0)
return (DNS_RPZ_INVALID_NUM);
if (result == ISC_R_NOTFOUND) {
/*
* There are no eligible zones for this IP address.
*/
return (DNS_RPZ_INVALID_NUM);
}
/*
* Construct the trigger name for the longest matching trigger
* in the first eligible zone with a match.
*/
switch (rpz_type) {
case DNS_RPZ_TYPE_CLIENT_IP:
break;
case DNS_RPZ_TYPE_IP:
break;
case DNS_RPZ_TYPE_NSIP:
break;
default:
INSIST(0);
break;
}
if (result != ISC_R_SUCCESS) {
/*
*/
"rpz ip2name() failed: %s",
return (DNS_RPZ_INVALID_NUM);
}
return (rpz_num);
}
/*
* Search the summary radix tree for policy zones with triggers matching
* a name.
*/
{
if (zbits == 0)
return (0);
found_zbits = 0;
switch (result) {
case ISC_R_SUCCESS:
if (rpz_type == DNS_RPZ_TYPE_QNAME)
else
}
/* fall thru */
case DNS_R_PARTIALMATCH:
if (rpz_type == DNS_RPZ_TYPE_QNAME)
else
}
}
break;
case ISC_R_NOTFOUND:
break;
default:
/*
*/
"dns_rpz_find_name(%s) failed: %s",
break;
}
return (zbits & found_zbits);
}
/*
* Translate CNAME rdata to a QNAME response policy action.
*/
{
/*
* CNAME . means NXDOMAIN
*/
return (DNS_RPZ_POLICY_NXDOMAIN);
/*
* CNAME *. means NODATA
*/
return (DNS_RPZ_POLICY_NODATA);
/*
* A qname of www.evil.com and a policy of
* *.evil.com CNAME *.garden.net
* gives a result of
*/
return (DNS_RPZ_POLICY_WILDCNAME);
}
/*
* CNAME rpz-tcp-only. means "send truncated UDP responses."
*/
return (DNS_RPZ_POLICY_TCP_ONLY);
/*
* CNAME rpz-drop. means "do not respond."
*/
return (DNS_RPZ_POLICY_DROP);
/*
* CNAME rpz-passthru. means "do not rewrite."
*/
return (DNS_RPZ_POLICY_PASSTHRU);
/*
* 128.1.0.127.rpz-ip CNAME 128.1.0.0.127. is obsolete PASSTHRU
*/
return (DNS_RPZ_POLICY_PASSTHRU);
/*
* Any other rdata gives a response consisting of the rdata.
*/
return (DNS_RPZ_POLICY_RECORD);
}