rpz.c revision dcf426e9b546d4bcc0681904551752af43c1bcd6
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC")
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd *
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd * Permission to use, copy, modify, and/or distribute this software for any
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd * purpose with or without fee is hereby granted, provided that the above
0782f6cf216295b70cd608451422f5db560f2cf0kess * copyright notice and this permission notice appear in all copies.
0782f6cf216295b70cd608451422f5db560f2cf0kess *
0782f6cf216295b70cd608451422f5db560f2cf0kess * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0782f6cf216295b70cd608451422f5db560f2cf0kess * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
96ad5d81ee4a2cc66a4ae19893efc8aa6d06fae7jailletc * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0782f6cf216295b70cd608451422f5db560f2cf0kess * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0782f6cf216295b70cd608451422f5db560f2cf0kess * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2e545ce2450a9953665f701bb05350f0d3f26275nd * PERFORMANCE OF THIS SOFTWARE.
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen */
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*! \file */
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen
3f08db06526d6901aa08c110b5bc7dde6bc39905nd#include <config.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <isc/buffer.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <isc/mem.h>
3f08db06526d6901aa08c110b5bc7dde6bc39905nd#include <isc/net.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <isc/netaddr.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <isc/print.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <isc/stdlib.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <isc/string.h>
af84459fbf938e508fd10b01cb8d699c79083813takashi#include <isc/util.h>
4b3a8afbfcea8b265d179a122bf40dfedd1ce280takashi
fac8c35bfb158112226ab43ddf84d59daca5dc30nd#include <dns/db.h>
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung#include <dns/fixedname.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <dns/log.h>
4b575a6b6704b516f22d65a3ad35696d7b9ba372rpluem#include <dns/rdata.h>
4b575a6b6704b516f22d65a3ad35696d7b9ba372rpluem#include <dns/rdataset.h>
4b575a6b6704b516f22d65a3ad35696d7b9ba372rpluem#include <dns/rdatastruct.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <dns/result.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <dns/rbt.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <dns/rpz.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess#include <dns/view.h>
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Parallel radix trees for databases of response policy IP addresses
0782f6cf216295b70cd608451422f5db560f2cf0kess *
0782f6cf216295b70cd608451422f5db560f2cf0kess * The radix or patricia trees are somewhat specialized to handle response
0782f6cf216295b70cd608451422f5db560f2cf0kess * policy addresses by representing the two sets of IP addresses and name
0782f6cf216295b70cd608451422f5db560f2cf0kess * server IP addresses in a single tree. One set of IP addresses is
0782f6cf216295b70cd608451422f5db560f2cf0kess * for rpz-ip policies or policies triggered by addresses in A or
0782f6cf216295b70cd608451422f5db560f2cf0kess * AAAA records in responses.
d1348237b33bc1755b9f1165eea52317465a7671nd * The second set is for rpz-nsip policies or policies triggered by addresses
0782f6cf216295b70cd608451422f5db560f2cf0kess * in A or AAAA records for NS records that are authorities for responses.
0782f6cf216295b70cd608451422f5db560f2cf0kess *
0782f6cf216295b70cd608451422f5db560f2cf0kess * Each leaf indicates that an IP address is listed in the IP address or the
0782f6cf216295b70cd608451422f5db560f2cf0kess * name server IP address policy sub-zone (or both) of the corresponding
0782f6cf216295b70cd608451422f5db560f2cf0kess * response response zone. The policy data such as a CNAME or an A record
d1348237b33bc1755b9f1165eea52317465a7671nd * is kept in the policy zone. After an IP address has been found in a radix
0782f6cf216295b70cd608451422f5db560f2cf0kess * tree, the node in the policy zone's database is found by converting
b21197dc8e6b8c764fdcc24d4bae8b0eebb6bc4end * the IP address to a domain name in a canonical form.
0782f6cf216295b70cd608451422f5db560f2cf0kess *
0782f6cf216295b70cd608451422f5db560f2cf0kess *
20189240503ef2c8f5dc6e2248b57faab4b23b5and * The response policy zone canonical form of an IPv6 address is one of:
20189240503ef2c8f5dc6e2248b57faab4b23b5and * prefix.W.W.W.W.W.W.W.W
20189240503ef2c8f5dc6e2248b57faab4b23b5and * prefix.WORDS.zz
20189240503ef2c8f5dc6e2248b57faab4b23b5and * prefix.WORDS.zz.WORDS
20189240503ef2c8f5dc6e2248b57faab4b23b5and * prefix.zz.WORDS
20189240503ef2c8f5dc6e2248b57faab4b23b5and * where
20189240503ef2c8f5dc6e2248b57faab4b23b5and * prefix is the prefix length of the IPv6 address between 1 and 128
20189240503ef2c8f5dc6e2248b57faab4b23b5and * W is a number between 0 and 65535
20189240503ef2c8f5dc6e2248b57faab4b23b5and * WORDS is one or more numbers W separated with "."
0782f6cf216295b70cd608451422f5db560f2cf0kess * zz corresponds to :: in the standard IPv6 text representation
0782f6cf216295b70cd608451422f5db560f2cf0kess *
0782f6cf216295b70cd608451422f5db560f2cf0kess * The canonical form of IPv4 addresses is:
0782f6cf216295b70cd608451422f5db560f2cf0kess * prefix.B.B.B.B
0782f6cf216295b70cd608451422f5db560f2cf0kess * where
0782f6cf216295b70cd608451422f5db560f2cf0kess * prefix is the prefix length of the address between 1 and 32
0782f6cf216295b70cd608451422f5db560f2cf0kess * B is a number between 0 and 255
0782f6cf216295b70cd608451422f5db560f2cf0kess *
0782f6cf216295b70cd608451422f5db560f2cf0kess * Names for IPv4 addresses are distinguished from IPv6 addresses by having
0782f6cf216295b70cd608451422f5db560f2cf0kess * 5 labels all of which are numbers, and a prefix between 1 and 32.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Use a private definition of IPv6 addresses because s6_addr32 is not
0782f6cf216295b70cd608451422f5db560f2cf0kess * always defined and our IPv6 addresses are in non-standard byte order
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kesstypedef isc_uint32_t dns_rpz_cidr_word_t;
0782f6cf216295b70cd608451422f5db560f2cf0kess#define DNS_RPZ_CIDR_WORD_BITS ((int)sizeof(dns_rpz_cidr_word_t)*8)
0782f6cf216295b70cd608451422f5db560f2cf0kess#define DNS_RPZ_CIDR_KEY_BITS ((int)sizeof(dns_rpz_cidr_key_t)*8)
0782f6cf216295b70cd608451422f5db560f2cf0kess#define DNS_RPZ_CIDR_WORDS (128/DNS_RPZ_CIDR_WORD_BITS)
0782f6cf216295b70cd608451422f5db560f2cf0kesstypedef struct {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_cidr_word_t w[DNS_RPZ_CIDR_WORDS];
0782f6cf216295b70cd608451422f5db560f2cf0kess} dns_rpz_cidr_key_t;
d1348237b33bc1755b9f1165eea52317465a7671nd
d1348237b33bc1755b9f1165eea52317465a7671nd#define ADDR_V4MAPPED 0xffff
d1348237b33bc1755b9f1165eea52317465a7671nd#define KEY_IS_IPV4(prefix,ip) ((prefix) >= 96 && (ip)->w[0] == 0 && \
0782f6cf216295b70cd608451422f5db560f2cf0kess (ip)->w[1] == 0 && (ip)->w[2] == ADDR_V4MAPPED)
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess#define DNS_RPZ_WORD_MASK(b) ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \
0782f6cf216295b70cd608451422f5db560f2cf0kess : ((dns_rpz_cidr_word_t)(-1) \
0782f6cf216295b70cd608451422f5db560f2cf0kess << (DNS_RPZ_CIDR_WORD_BITS - (b))))
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Get bit #n from the array of words of an IP address.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kess#define DNS_RPZ_IP_BIT(ip, n) (1 & ((ip)->w[(n)/DNS_RPZ_CIDR_WORD_BITS] >> \
0782f6cf216295b70cd608451422f5db560f2cf0kess (DNS_RPZ_CIDR_WORD_BITS \
0782f6cf216295b70cd608451422f5db560f2cf0kess - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS))))
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
d1348237b33bc1755b9f1165eea52317465a7671nd * A pair of arrays of bits flagging the existence of
d1348237b33bc1755b9f1165eea52317465a7671nd * IP or QNAME (d) and NSIP or NSDNAME (ns) policy triggers.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kesstypedef struct dns_rpz_pair_zbits dns_rpz_pair_zbits_t;
0782f6cf216295b70cd608451422f5db560f2cf0kessstruct dns_rpz_pair_zbits {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_zbits_t d;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_zbits_t ns;
0782f6cf216295b70cd608451422f5db560f2cf0kess};
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * A CIDR or radix tree node.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kessstruct dns_rpz_cidr_node {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_cidr_node_t *parent;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_cidr_node_t *child[2];
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_cidr_key_t ip;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_prefix_t prefix;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_pair_zbits_t pair;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_pair_zbits_t sum;
d1348237b33bc1755b9f1165eea52317465a7671nd};
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * The data in a RBT node has two pairs of bits for policy zones.
0782f6cf216295b70cd608451422f5db560f2cf0kess * One pair is for the corresponding name of the node such as example.com
0782f6cf216295b70cd608451422f5db560f2cf0kess * and the other pair is for a wildcard child such as *.example.com.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kesstypedef struct dns_rpz_nm_data dns_rpz_nm_data_t;
d1348237b33bc1755b9f1165eea52317465a7671ndstruct dns_rpz_nm_data {
d1348237b33bc1755b9f1165eea52317465a7671nd dns_rpz_pair_zbits_t pair;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_pair_zbits_t wild;
0782f6cf216295b70cd608451422f5db560f2cf0kess};
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess#if 0
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Catch a name while debugging.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic void
0782f6cf216295b70cd608451422f5db560f2cf0kesscatch_name(const dns_name_t *src_name, const char *tgt, const char *str) {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_fixedname_t tgt_namef;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_name_t *tgt_name;
d1348237b33bc1755b9f1165eea52317465a7671nd
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_fixedname_init(&tgt_namef);
0782f6cf216295b70cd608451422f5db560f2cf0kess tgt_name = dns_fixedname_name(&tgt_namef);
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (dns_name_equal(src_name, tgt_name)) {
0782f6cf216295b70cd608451422f5db560f2cf0kess isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
0782f6cf216295b70cd608451422f5db560f2cf0kess DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
0782f6cf216295b70cd608451422f5db560f2cf0kess "rpz hit failed: %s %s", str, tgt);
b21197dc8e6b8c764fdcc24d4bae8b0eebb6bc4end }
d1348237b33bc1755b9f1165eea52317465a7671nd}
b21197dc8e6b8c764fdcc24d4bae8b0eebb6bc4end#endif
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessconst char *
0782f6cf216295b70cd608451422f5db560f2cf0kessdns_rpz_type2str(dns_rpz_type_t type) {
0782f6cf216295b70cd608451422f5db560f2cf0kess switch (type) {
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_QNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess return ("QNAME");
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_IP:
0782f6cf216295b70cd608451422f5db560f2cf0kess return ("IP");
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_NSIP:
0782f6cf216295b70cd608451422f5db560f2cf0kess return ("NSIP");
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_NSDNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess return ("NSDNAME");
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_BAD:
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type);
0782f6cf216295b70cd608451422f5db560f2cf0kess return ("impossible");
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessdns_rpz_policy_t
d1348237b33bc1755b9f1165eea52317465a7671nddns_rpz_str2policy(const char *str) {
0782f6cf216295b70cd608451422f5db560f2cf0kess if (str == NULL)
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_ERROR);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "given"))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_GIVEN);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "disabled"))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_DISABLED);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "passthru"))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_PASSTHRU);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "nxdomain"))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_NXDOMAIN);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "nodata"))
d1348237b33bc1755b9f1165eea52317465a7671nd return (DNS_RPZ_POLICY_NODATA);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "cname"))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_CNAME);
0782f6cf216295b70cd608451422f5db560f2cf0kess /*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Obsolete
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kess if (!strcasecmp(str, "no-op"))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_PASSTHRU);
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_POLICY_ERROR);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessconst char *
0782f6cf216295b70cd608451422f5db560f2cf0kessdns_rpz_policy2str(dns_rpz_policy_t policy) {
0782f6cf216295b70cd608451422f5db560f2cf0kess const char *str;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess switch (policy) {
d1348237b33bc1755b9f1165eea52317465a7671nd case DNS_RPZ_POLICY_PASSTHRU:
0782f6cf216295b70cd608451422f5db560f2cf0kess str = "PASSTHRU";
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_POLICY_NXDOMAIN:
0782f6cf216295b70cd608451422f5db560f2cf0kess str = "NXDOMAIN";
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
d1348237b33bc1755b9f1165eea52317465a7671nd case DNS_RPZ_POLICY_NODATA:
0782f6cf216295b70cd608451422f5db560f2cf0kess str = "NODATA";
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
d1348237b33bc1755b9f1165eea52317465a7671nd case DNS_RPZ_POLICY_RECORD:
0782f6cf216295b70cd608451422f5db560f2cf0kess str = "Local-Data";
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_POLICY_CNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_POLICY_WILDCNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess str = "CNAME";
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
d1348237b33bc1755b9f1165eea52317465a7671nd default:
0782f6cf216295b70cd608451422f5db560f2cf0kess str = "";
0782f6cf216295b70cd608451422f5db560f2cf0kess POST(str);
0782f6cf216295b70cd608451422f5db560f2cf0kess INSIST(0);
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess return (str);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic int
d1348237b33bc1755b9f1165eea52317465a7671ndzbit_to_num(dns_rpz_zbits_t zbit) {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_num_t rpz_num;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess INSIST(zbit != 0);
0782f6cf216295b70cd608451422f5db560f2cf0kess rpz_num = 0;
0782f6cf216295b70cd608451422f5db560f2cf0kess#if DNS_RPZ_MAX_ZONES > 32
0782f6cf216295b70cd608451422f5db560f2cf0kess if ((zbit & 0xffffffff00000000L) != 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbit >>= 32;
0782f6cf216295b70cd608451422f5db560f2cf0kess rpz_num += 32;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess#endif
0782f6cf216295b70cd608451422f5db560f2cf0kess if ((zbit & 0xffff0000) != 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbit >>= 16;
0782f6cf216295b70cd608451422f5db560f2cf0kess rpz_num += 16;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
d1348237b33bc1755b9f1165eea52317465a7671nd if ((zbit & 0xff00) != 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbit >>= 8;
0782f6cf216295b70cd608451422f5db560f2cf0kess rpz_num += 8;
d1348237b33bc1755b9f1165eea52317465a7671nd }
0782f6cf216295b70cd608451422f5db560f2cf0kess if ((zbit & 0xf0) != 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbit >>= 4;
0782f6cf216295b70cd608451422f5db560f2cf0kess rpz_num += 4;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess if ((zbit & 0xc) != 0) {
d1348237b33bc1755b9f1165eea52317465a7671nd zbit >>= 2;
d1348237b33bc1755b9f1165eea52317465a7671nd rpz_num += 2;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess if ((zbit & 2) != 0)
0782f6cf216295b70cd608451422f5db560f2cf0kess ++rpz_num;
0782f6cf216295b70cd608451422f5db560f2cf0kess return (rpz_num);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic inline void
0782f6cf216295b70cd608451422f5db560f2cf0kessmake_pair(dns_rpz_pair_zbits_t *pair, dns_rpz_zbits_t zbits,
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_type_t type)
0782f6cf216295b70cd608451422f5db560f2cf0kess{
0782f6cf216295b70cd608451422f5db560f2cf0kess switch (type) {
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_QNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_IP:
0782f6cf216295b70cd608451422f5db560f2cf0kess pair->d = zbits;
0782f6cf216295b70cd608451422f5db560f2cf0kess pair->ns = 0;
d1348237b33bc1755b9f1165eea52317465a7671nd break;
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_NSDNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_NSIP:
0782f6cf216295b70cd608451422f5db560f2cf0kess pair->d = 0;
0782f6cf216295b70cd608451422f5db560f2cf0kess pair->ns = zbits;
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess default:
0782f6cf216295b70cd608451422f5db560f2cf0kess INSIST(0);
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Mark a node and all of its parents as having IP or NSIP data
d1348237b33bc1755b9f1165eea52317465a7671nd */
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic void
0782f6cf216295b70cd608451422f5db560f2cf0kessset_sum_pair(dns_rpz_cidr_node_t *cnode) {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_cidr_node_t *child;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_pair_zbits_t sum;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess do {
0782f6cf216295b70cd608451422f5db560f2cf0kess sum = cnode->pair;
b21197dc8e6b8c764fdcc24d4bae8b0eebb6bc4end
b21197dc8e6b8c764fdcc24d4bae8b0eebb6bc4end child = cnode->child[0];
b21197dc8e6b8c764fdcc24d4bae8b0eebb6bc4end if (child != NULL) {
d1348237b33bc1755b9f1165eea52317465a7671nd sum.d |= child->sum.d;
0782f6cf216295b70cd608451422f5db560f2cf0kess sum.ns |= child->sum.ns;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
d1348237b33bc1755b9f1165eea52317465a7671nd
0782f6cf216295b70cd608451422f5db560f2cf0kess child = cnode->child[1];
0782f6cf216295b70cd608451422f5db560f2cf0kess if (child != NULL) {
0782f6cf216295b70cd608451422f5db560f2cf0kess sum.d |= child->sum.d;
0782f6cf216295b70cd608451422f5db560f2cf0kess sum.ns |= child->sum.ns;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess if (cnode->sum.d == sum.d &&
0782f6cf216295b70cd608451422f5db560f2cf0kess cnode->sum.ns == sum.ns)
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess cnode->sum = sum;
0782f6cf216295b70cd608451422f5db560f2cf0kess cnode = cnode->parent;
0782f6cf216295b70cd608451422f5db560f2cf0kess } while (cnode != NULL);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic void
0782f6cf216295b70cd608451422f5db560f2cf0kessfix_qname_skip_recurse(dns_rpz_zones_t *rpzs) {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_zbits_t zbits;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess /*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Get a mask covering all policy zones that are not subordinate to
0782f6cf216295b70cd608451422f5db560f2cf0kess * other policy zones containing triggers that require that the
d1348237b33bc1755b9f1165eea52317465a7671nd * qname be resolved before they can be checked.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kess if (rpzs->p.qname_wait_recurse) {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbits = 0;
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbits = (rpzs->have.ipv4 || rpzs->have.ipv6 ||
0782f6cf216295b70cd608451422f5db560f2cf0kess rpzs->have.nsdname ||
0782f6cf216295b70cd608451422f5db560f2cf0kess rpzs->have.nsipv4 || rpzs->have.nsipv6);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (zbits == 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbits = DNS_RPZ_ALL_ZBITS;
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess zbits = DNS_RPZ_ZMASK(zbit_to_num(zbits));
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess rpzs->have.qname_skip_recurse = zbits;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6;
0782f6cf216295b70cd608451422f5db560f2cf0kess rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6;
0782f6cf216295b70cd608451422f5db560f2cf0kess}
d1348237b33bc1755b9f1165eea52317465a7671nd
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic void
0782f6cf216295b70cd608451422f5db560f2cf0kessadj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_type_t rpz_type,
0782f6cf216295b70cd608451422f5db560f2cf0kess const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
d1348237b33bc1755b9f1165eea52317465a7671nd isc_boolean_t inc)
0782f6cf216295b70cd608451422f5db560f2cf0kess{
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_zone_t *rpz;
0782f6cf216295b70cd608451422f5db560f2cf0kess int *cnt;
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_zbits_t *have;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess rpz = rpzs->zones[rpz_num];
0782f6cf216295b70cd608451422f5db560f2cf0kess switch (rpz_type) {
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_QNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess cnt = &rpz->triggers.qname;
0782f6cf216295b70cd608451422f5db560f2cf0kess have = &rpzs->have.qname;
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_IP:
0782f6cf216295b70cd608451422f5db560f2cf0kess REQUIRE(tgt_ip != NULL);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
0782f6cf216295b70cd608451422f5db560f2cf0kess cnt = &rpz->triggers.ipv4;
0782f6cf216295b70cd608451422f5db560f2cf0kess have = &rpzs->have.ipv4;
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess cnt = &rpz->triggers.ipv6;
0782f6cf216295b70cd608451422f5db560f2cf0kess have = &rpzs->have.ipv6;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_NSDNAME:
0782f6cf216295b70cd608451422f5db560f2cf0kess cnt = &rpz->triggers.nsdname;
0782f6cf216295b70cd608451422f5db560f2cf0kess have = &rpzs->have.nsdname;
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess case DNS_RPZ_TYPE_NSIP:
0782f6cf216295b70cd608451422f5db560f2cf0kess REQUIRE(tgt_ip != NULL);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
0782f6cf216295b70cd608451422f5db560f2cf0kess cnt = &rpz->triggers.nsipv4;
0782f6cf216295b70cd608451422f5db560f2cf0kess have = &rpzs->have.nsipv4;
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess cnt = &rpz->triggers.nsipv6;
0782f6cf216295b70cd608451422f5db560f2cf0kess have = &rpzs->have.nsipv6;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess break;
0782f6cf216295b70cd608451422f5db560f2cf0kess default:
0782f6cf216295b70cd608451422f5db560f2cf0kess INSIST(0);
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess if (inc) {
0782f6cf216295b70cd608451422f5db560f2cf0kess if (++*cnt == 1) {
0782f6cf216295b70cd608451422f5db560f2cf0kess *have |= DNS_RPZ_ZBIT(rpz_num);
0782f6cf216295b70cd608451422f5db560f2cf0kess fix_qname_skip_recurse(rpzs);
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess REQUIRE(*cnt > 0);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (--*cnt == 0) {
d1348237b33bc1755b9f1165eea52317465a7671nd *have &= ~DNS_RPZ_ZBIT(rpz_num);
0782f6cf216295b70cd608451422f5db560f2cf0kess fix_qname_skip_recurse(rpzs);
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic dns_rpz_cidr_node_t *
0782f6cf216295b70cd608451422f5db560f2cf0kessnew_node(dns_rpz_zones_t *rpzs,
0782f6cf216295b70cd608451422f5db560f2cf0kess const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix,
0782f6cf216295b70cd608451422f5db560f2cf0kess const dns_rpz_cidr_node_t *child)
0782f6cf216295b70cd608451422f5db560f2cf0kess{
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_rpz_cidr_node_t *new;
0782f6cf216295b70cd608451422f5db560f2cf0kess int i, words, wlen;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess new = isc_mem_get(rpzs->mctx, sizeof(*new));
0782f6cf216295b70cd608451422f5db560f2cf0kess if (new == NULL)
0782f6cf216295b70cd608451422f5db560f2cf0kess return (NULL);
0782f6cf216295b70cd608451422f5db560f2cf0kess memset(new, 0, sizeof(*new));
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess if (child != NULL)
0782f6cf216295b70cd608451422f5db560f2cf0kess new->sum = child->sum;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess new->prefix = prefix;
0782f6cf216295b70cd608451422f5db560f2cf0kess words = prefix / DNS_RPZ_CIDR_WORD_BITS;
0782f6cf216295b70cd608451422f5db560f2cf0kess wlen = prefix % DNS_RPZ_CIDR_WORD_BITS;
0782f6cf216295b70cd608451422f5db560f2cf0kess i = 0;
0782f6cf216295b70cd608451422f5db560f2cf0kess while (i < words) {
0782f6cf216295b70cd608451422f5db560f2cf0kess new->ip.w[i] = ip->w[i];
0782f6cf216295b70cd608451422f5db560f2cf0kess ++i;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess if (wlen != 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess new->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
0782f6cf216295b70cd608451422f5db560f2cf0kess ++i;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess while (i < DNS_RPZ_CIDR_WORDS)
0782f6cf216295b70cd608451422f5db560f2cf0kess new->ip.w[i++] = 0;
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess return (new);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic void
0782f6cf216295b70cd608451422f5db560f2cf0kessbadname(int level, dns_name_t *name, const char *str1, const char *str2) {
0782f6cf216295b70cd608451422f5db560f2cf0kess char namebuf[DNS_NAME_FORMATSIZE];
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess /*
0782f6cf216295b70cd608451422f5db560f2cf0kess * bin/tests/system/rpz/tests.sh looks for "invalid rpz".
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kess if (level < DNS_RPZ_DEBUG_QUIET
0782f6cf216295b70cd608451422f5db560f2cf0kess && isc_log_wouldlog(dns_lctx, level)) {
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_name_format(name, namebuf, sizeof(namebuf));
0782f6cf216295b70cd608451422f5db560f2cf0kess isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
0782f6cf216295b70cd608451422f5db560f2cf0kess DNS_LOGMODULE_RBTDB, level,
0782f6cf216295b70cd608451422f5db560f2cf0kess "invalid rpz IP address \"%s\"%s%s",
0782f6cf216295b70cd608451422f5db560f2cf0kess namebuf, str1, str2);
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Convert an IP address from radix tree binary (host byte order) to
0782f6cf216295b70cd608451422f5db560f2cf0kess * to its canonical response policy domain name without the origin of the
0782f6cf216295b70cd608451422f5db560f2cf0kess * policy zone.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kessstatic isc_result_t
0782f6cf216295b70cd608451422f5db560f2cf0kessip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
0782f6cf216295b70cd608451422f5db560f2cf0kess dns_name_t *base_name, dns_name_t *ip_name)
0782f6cf216295b70cd608451422f5db560f2cf0kess{
0782f6cf216295b70cd608451422f5db560f2cf0kess#ifndef INET6_ADDRSTRLEN
0782f6cf216295b70cd608451422f5db560f2cf0kess#define INET6_ADDRSTRLEN 46
0782f6cf216295b70cd608451422f5db560f2cf0kess#endif
0782f6cf216295b70cd608451422f5db560f2cf0kess int w[DNS_RPZ_CIDR_WORDS*2];
0782f6cf216295b70cd608451422f5db560f2cf0kess char str[1+8+1+INET6_ADDRSTRLEN+1];
0782f6cf216295b70cd608451422f5db560f2cf0kess isc_buffer_t buffer;
0782f6cf216295b70cd608451422f5db560f2cf0kess isc_result_t result;
0782f6cf216295b70cd608451422f5db560f2cf0kess isc_boolean_t zeros;
0782f6cf216295b70cd608451422f5db560f2cf0kess int i, n, len;
d1348237b33bc1755b9f1165eea52317465a7671nd
0782f6cf216295b70cd608451422f5db560f2cf0kess if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
0782f6cf216295b70cd608451422f5db560f2cf0kess len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d",
0782f6cf216295b70cd608451422f5db560f2cf0kess tgt_prefix - 96,
6df89e6e4adeb986b41b7ec6b7593a887e031ce7nd tgt_ip->w[3] & 0xff,
0782f6cf216295b70cd608451422f5db560f2cf0kess (tgt_ip->w[3]>>8) & 0xff,
0782f6cf216295b70cd608451422f5db560f2cf0kess (tgt_ip->w[3]>>16) & 0xff,
0782f6cf216295b70cd608451422f5db560f2cf0kess (tgt_ip->w[3]>>24) & 0xff);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (len < 0 || len > (int)sizeof(str))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (ISC_R_FAILURE);
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
0782f6cf216295b70cd608451422f5db560f2cf0kess w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
0782f6cf216295b70cd608451422f5db560f2cf0kess & 0xffff);
d1348237b33bc1755b9f1165eea52317465a7671nd w[i*2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] & 0xffff;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess zeros = ISC_FALSE;
0782f6cf216295b70cd608451422f5db560f2cf0kess len = snprintf(str, sizeof(str), "%d", tgt_prefix);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (len == -1)
0782f6cf216295b70cd608451422f5db560f2cf0kess return (ISC_R_FAILURE);
0782f6cf216295b70cd608451422f5db560f2cf0kess i = 0;
0782f6cf216295b70cd608451422f5db560f2cf0kess while (i < DNS_RPZ_CIDR_WORDS * 2) {
0782f6cf216295b70cd608451422f5db560f2cf0kess if (w[i] != 0 || zeros
0782f6cf216295b70cd608451422f5db560f2cf0kess || i >= DNS_RPZ_CIDR_WORDS * 2 - 1
0782f6cf216295b70cd608451422f5db560f2cf0kess || w[i+1] != 0) {
0782f6cf216295b70cd608451422f5db560f2cf0kess INSIST((size_t)len <= sizeof(str));
0782f6cf216295b70cd608451422f5db560f2cf0kess n = snprintf(&str[len], sizeof(str) - len,
0782f6cf216295b70cd608451422f5db560f2cf0kess ".%x", w[i++]);
0782f6cf216295b70cd608451422f5db560f2cf0kess if (n < 0)
0782f6cf216295b70cd608451422f5db560f2cf0kess return (ISC_R_FAILURE);
0782f6cf216295b70cd608451422f5db560f2cf0kess len += n;
0782f6cf216295b70cd608451422f5db560f2cf0kess } else {
0782f6cf216295b70cd608451422f5db560f2cf0kess zeros = ISC_TRUE;
0782f6cf216295b70cd608451422f5db560f2cf0kess INSIST((size_t)len <= sizeof(str));
0782f6cf216295b70cd608451422f5db560f2cf0kess n = snprintf(&str[len], sizeof(str) - len,
0782f6cf216295b70cd608451422f5db560f2cf0kess ".zz");
0782f6cf216295b70cd608451422f5db560f2cf0kess if (n < 0)
0782f6cf216295b70cd608451422f5db560f2cf0kess return (ISC_R_FAILURE);
0782f6cf216295b70cd608451422f5db560f2cf0kess len += n;
0782f6cf216295b70cd608451422f5db560f2cf0kess i += 2;
0782f6cf216295b70cd608451422f5db560f2cf0kess while (i < DNS_RPZ_CIDR_WORDS * 2 && w[i] == 0)
0782f6cf216295b70cd608451422f5db560f2cf0kess ++i;
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess if (len >= (int)sizeof(str))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (ISC_R_FAILURE);
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess }
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess isc__buffer_init(&buffer, str, sizeof(str));
0782f6cf216295b70cd608451422f5db560f2cf0kess isc__buffer_add(&buffer, len);
0782f6cf216295b70cd608451422f5db560f2cf0kess result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL);
0782f6cf216295b70cd608451422f5db560f2cf0kess return (result);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
d1348237b33bc1755b9f1165eea52317465a7671nd * Determine the type a of a name in a response policy zone.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
d1348237b33bc1755b9f1165eea52317465a7671ndstatic dns_rpz_type_t
0782f6cf216295b70cd608451422f5db560f2cf0kesstype_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) {
0782f6cf216295b70cd608451422f5db560f2cf0kess
d1348237b33bc1755b9f1165eea52317465a7671nd if (dns_name_issubdomain(name, &rpz->ip))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_TYPE_IP);
d1348237b33bc1755b9f1165eea52317465a7671nd
0782f6cf216295b70cd608451422f5db560f2cf0kess /*
0782f6cf216295b70cd608451422f5db560f2cf0kess * Require `./configure --enable-rpz-nsip` and nsdname
0782f6cf216295b70cd608451422f5db560f2cf0kess * until consistency problems are resolved.
0782f6cf216295b70cd608451422f5db560f2cf0kess */
0782f6cf216295b70cd608451422f5db560f2cf0kess#ifdef ENABLE_RPZ_NSIP
0782f6cf216295b70cd608451422f5db560f2cf0kess if (dns_name_issubdomain(name, &rpz->nsip))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_TYPE_NSIP);
0782f6cf216295b70cd608451422f5db560f2cf0kess#endif
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess#ifdef ENABLE_RPZ_NSDNAME
0782f6cf216295b70cd608451422f5db560f2cf0kess if (dns_name_issubdomain(name, &rpz->nsdname))
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_TYPE_NSDNAME);
0782f6cf216295b70cd608451422f5db560f2cf0kess#endif
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess return (DNS_RPZ_TYPE_QNAME);
0782f6cf216295b70cd608451422f5db560f2cf0kess}
0782f6cf216295b70cd608451422f5db560f2cf0kess
0782f6cf216295b70cd608451422f5db560f2cf0kess/*
af84459fbf938e508fd10b01cb8d699c79083813takashi * Convert an IP address from canonical response policy domain name form
4b3a8afbfcea8b265d179a122bf40dfedd1ce280takashi * to radix tree binary (host byte order) for adding or deleting IP or NSIP
fac8c35bfb158112226ab43ddf84d59daca5dc30nd * data.
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung */
727872d18412fc021f03969b8641810d8896820bhumbedoohstatic isc_result_t
0d0ba3a410038e179b695446bb149cce6264e0abndname2ipkey(int log_level,
727872d18412fc021f03969b8641810d8896820bhumbedooh const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh dns_rpz_type_t rpz_type, dns_name_t *src_name,
0d0ba3a410038e179b695446bb149cce6264e0abnd dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix,
cc7e1025de9ac63bd4db6fe7f71c158b2cf09fe4humbedooh dns_rpz_pair_zbits_t *new_pair)
727872d18412fc021f03969b8641810d8896820bhumbedooh{
0d0ba3a410038e179b695446bb149cce6264e0abnd dns_rpz_zone_t *rpz;
0d0ba3a410038e179b695446bb149cce6264e0abnd char ip_str[DNS_NAME_FORMATSIZE];
0d0ba3a410038e179b695446bb149cce6264e0abnd dns_offsets_t ip_name_offsets;
ac082aefa89416cbdc9a1836eaf3bed9698201c8humbedooh dns_fixedname_t ip_name2f;
0d0ba3a410038e179b695446bb149cce6264e0abnd dns_name_t ip_name, *ip_name2;
0d0ba3a410038e179b695446bb149cce6264e0abnd const char *prefix_str, *cp, *end;
0d0ba3a410038e179b695446bb149cce6264e0abnd char *cp2;
727872d18412fc021f03969b8641810d8896820bhumbedooh int ip_labels;
0d0ba3a410038e179b695446bb149cce6264e0abnd dns_rpz_prefix_t prefix;
0d0ba3a410038e179b695446bb149cce6264e0abnd unsigned long prefix_num, l;
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh isc_result_t result;
205f749042ed530040a4f0080dbcb47ceae8a374rjung int i;
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen
0d0ba3a410038e179b695446bb149cce6264e0abnd REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd rpz = rpzs->zones[rpz_num];
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd REQUIRE(rpz != NULL);
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd
0782f6cf216295b70cd608451422f5db560f2cf0kess make_pair(new_pair, DNS_RPZ_ZBIT(rpz_num), rpz_type);
ip_labels = dns_name_countlabels(src_name);
if (rpz_type == DNS_RPZ_TYPE_QNAME)
ip_labels -= dns_name_countlabels(&rpz->origin);
else
ip_labels -= dns_name_countlabels(&rpz->nsdname);
if (ip_labels < 2) {
badname(log_level, src_name, "; too short", "");
return (ISC_R_FAILURE);
}
dns_name_init(&ip_name, ip_name_offsets);
dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name);
/*
* Get text for the IP address
*/
dns_name_format(&ip_name, ip_str, sizeof(ip_str));
end = &ip_str[strlen(ip_str)+1];
prefix_str = ip_str;
prefix_num = strtoul(prefix_str, &cp2, 10);
if (*cp2 != '.') {
badname(log_level, src_name,
"; invalid leading prefix length", "");
return (ISC_R_FAILURE);
}
*cp2 = '\0';
if (prefix_num < 1U || prefix_num > 128U) {
badname(log_level, src_name,
"; invalid prefix length of ", prefix_str);
return (ISC_R_FAILURE);
}
cp = cp2+1;
if (--ip_labels == 4 && !strchr(cp, 'z')) {
/*
* Convert an IPv4 address
* from the form "prefix.w.z.y.x"
*/
if (prefix_num > 32U) {
badname(log_level, src_name,
"; invalid IPv4 prefix length of ", prefix_str);
return (ISC_R_FAILURE);
}
prefix_num += 96;
*tgt_prefix = (dns_rpz_prefix_t)prefix_num;
tgt_ip->w[0] = 0;
tgt_ip->w[1] = 0;
tgt_ip->w[2] = ADDR_V4MAPPED;
tgt_ip->w[3] = 0;
for (i = 0; i < 32; i += 8) {
l = strtoul(cp, &cp2, 10);
if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) {
if (*cp2 == '.')
*cp2 = '\0';
badname(log_level, src_name,
"; invalid IPv4 octet ", cp);
return (ISC_R_FAILURE);
}
tgt_ip->w[3] |= l << i;
cp = cp2 + 1;
}
} else {
/*
* Convert a text IPv6 address.
*/
*tgt_prefix = (dns_rpz_prefix_t)prefix_num;
for (i = 0;
ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2;
ip_labels--) {
if (cp[0] == 'z' && cp[1] == 'z' &&
(cp[2] == '.' || cp[2] == '\0') &&
i <= 6) {
do {
if ((i & 1) == 0)
tgt_ip->w[3-i/2] = 0;
++i;
} while (ip_labels + i <= 8);
cp += 3;
} else {
l = strtoul(cp, &cp2, 16);
if (l > 0xffffu ||
(*cp2 != '.' && *cp2 != '\0')) {
if (*cp2 == '.')
*cp2 = '\0';
badname(log_level, src_name,
"; invalid IPv6 word ", cp);
return (ISC_R_FAILURE);
}
if ((i & 1) == 0)
tgt_ip->w[3-i/2] = l;
else
tgt_ip->w[3-i/2] |= l << 16;
i++;
cp = cp2 + 1;
}
}
}
if (cp != end) {
badname(log_level, src_name, "", "");
return (ISC_R_FAILURE);
}
/*
* Check for 1s after the prefix length.
*/
prefix = (dns_rpz_prefix_t)prefix_num;
while (prefix < DNS_RPZ_CIDR_KEY_BITS) {
dns_rpz_cidr_word_t aword;
i = prefix % DNS_RPZ_CIDR_WORD_BITS;
aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS];
if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
badname(log_level, src_name,
"; too small prefix length of ", prefix_str);
return (ISC_R_FAILURE);
}
prefix -= i;
prefix += DNS_RPZ_CIDR_WORD_BITS;
}
/*
* Convert the address back to a canonical domain name
* to ensure that the original name is in canonical form.
*/
dns_fixedname_init(&ip_name2f);
ip_name2 = dns_fixedname_name(&ip_name2f);
result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL, ip_name2);
if (result != ISC_R_SUCCESS || !dns_name_equal(&ip_name, ip_name2)) {
badname(log_level, src_name, "; not canonical", "");
return (ISC_R_FAILURE);
}
return (ISC_R_SUCCESS);
}
/*
* Get trigger name and data bits for adding or deleting summary NSDNAME
* or QNAME data.
*/
static void
name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
dns_rpz_type_t rpz_type, const dns_name_t *src_name,
dns_name_t *trig_name, dns_rpz_nm_data_t *new_data)
{
static dns_rpz_pair_zbits_t zero = {0, 0};
dns_rpz_zone_t *rpz;
dns_offsets_t tmp_name_offsets;
dns_name_t tmp_name;
unsigned int prefix_len, n;
REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
rpz = rpzs->zones[rpz_num];
REQUIRE(rpz != NULL);
/*
* Handle wildcards by putting only the parent into the
* summary RBT. The summary database only causes a check of the
* real policy zone where wildcards will be handled.
*/
if (dns_name_iswildcard(src_name)) {
prefix_len = 1;
new_data->pair = zero;
make_pair(&new_data->wild, DNS_RPZ_ZBIT(rpz_num), rpz_type);
} else {
prefix_len = 0;
make_pair(&new_data->pair, DNS_RPZ_ZBIT(rpz_num), rpz_type);
new_data->wild = zero;
}
dns_name_init(&tmp_name, tmp_name_offsets);
n = dns_name_countlabels(src_name);
n -= prefix_len;
if (rpz_type == DNS_RPZ_TYPE_QNAME)
n -= dns_name_countlabels(&rpz->origin);
else
n -= dns_name_countlabels(&rpz->nsdname);
dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name);
(void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL);
}
/*
* Find the first differing bit in a key (IP address) word.
*/
static inline int
ffs_keybit(dns_rpz_cidr_word_t w) {
int bit;
bit = DNS_RPZ_CIDR_WORD_BITS-1;
if ((w & 0xffff0000) != 0) {
w >>= 16;
bit -= 16;
}
if ((w & 0xff00) != 0) {
w >>= 8;
bit -= 8;
}
if ((w & 0xf0) != 0) {
w >>= 4;
bit -= 4;
}
if ((w & 0xc) != 0) {
w >>= 2;
bit -= 2;
}
if ((w & 2) != 0)
--bit;
return (bit);
}
/*
* Find the first differing bit in two keys (IP addresses).
*/
static int
diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1,
const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2)
{
dns_rpz_cidr_word_t delta;
dns_rpz_prefix_t maxbit, bit;
int i;
maxbit = ISC_MIN(prefix1, prefix2);
/*
* find the first differing words
*/
for (i = 0, bit = 0;
bit <= maxbit;
i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
delta = key1->w[i] ^ key2->w[i];
if (delta != 0) {
bit += ffs_keybit(delta);
break;
}
}
return (ISC_MIN(bit, maxbit));
}
/*
* Given a hit while searching the radix trees,
* clear all bits for higher numbered zones.
*/
static inline dns_rpz_zbits_t
trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) {
dns_rpz_zbits_t x;
/*
* Isolate the first or smallest numbered hit bit.
* Make a mask of that bit and all smaller numbered bits.
*/
x = zbits & found;
x &= -x;
x = (x << 1) - 1;
return (zbits &= x);
}
/*
* Search a radix tree for an IP address for ordinary lookup
* or for a CIDR block adding or deleting an entry
*
* Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND,
* and *found=longest match node
* or with create==ISC_TRUE, ISC_R_EXISTS or ISC_R_NOMEMORY
*/
static isc_result_t
search(dns_rpz_zones_t *rpzs,
const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
const dns_rpz_pair_zbits_t *tgt_pair, isc_boolean_t create,
dns_rpz_cidr_node_t **found)
{
dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling;
dns_rpz_pair_zbits_t pair;
int cur_num, child_num;
dns_rpz_prefix_t dbit;
isc_result_t find_result;
pair = *tgt_pair;
find_result = ISC_R_NOTFOUND;
*found = NULL;
cur = rpzs->cidr;
parent = NULL;
cur_num = 0;
for (;;) {
if (cur == NULL) {
/*
* No child so we cannot go down.
* Quit with whatever we already found
* or add the target as a child of the current parent.
*/
if (!create)
return (find_result);
child = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
if (child == NULL)
return (ISC_R_NOMEMORY);
if (parent == NULL)
rpzs->cidr = child;
else
parent->child[cur_num] = child;
child->parent = parent;
child->pair.d |= tgt_pair->d;
child->pair.ns |= tgt_pair->ns;
set_sum_pair(child);
*found = cur;
return (ISC_R_SUCCESS);
}
if ((cur->sum.d & pair.d) == 0 &&
(cur->sum.ns & pair.ns) == 0) {
/*
* This node has no relevant data
* and is in none of the target trees.
* Pretend it does not exist if we are not adding.
*
* If we are adding, continue down to eventually add
* a node and mark/put this node in the correct tree.
*/
if (!create)
return (find_result);
}
dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix);
/*
* dbit <= tgt_prefix and dbit <= cur->prefix always.
* We are finished searching if we matched all of the target.
*/
if (dbit == tgt_prefix) {
if (tgt_prefix == cur->prefix) {
/*
* The node's key matches the target exactly.
*/
if ((cur->pair.d & pair.d) != 0 ||
(cur->pair.ns & pair.ns) != 0) {
/*
* It is the answer if it has data.
*/
*found = cur;
if (create) {
find_result = ISC_R_EXISTS;
} else {
find_result = ISC_R_SUCCESS;
}
} else if (create) {
/*
* The node lacked relevant data,
* but will have it now.
*/
cur->pair.d |= tgt_pair->d;
cur->pair.ns |= tgt_pair->ns;
set_sum_pair(cur);
*found = cur;
find_result = ISC_R_SUCCESS;
}
return (find_result);
}
/*
* We know tgt_prefix < cur->prefix which means that
* the target is shorter than the current node.
* Add the target as the current node's parent.
*/
if (!create)
return (find_result);
new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur);
if (new_parent == NULL)
return (ISC_R_NOMEMORY);
new_parent->parent = parent;
if (parent == NULL)
rpzs->cidr = new_parent;
else
parent->child[cur_num] = new_parent;
child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1);
new_parent->child[child_num] = cur;
cur->parent = new_parent;
new_parent->pair = *tgt_pair;
set_sum_pair(new_parent);
*found = new_parent;
return (ISC_R_SUCCESS);
}
if (dbit == cur->prefix) {
if ((cur->pair.d & pair.d) != 0 ||
(cur->pair.ns & pair.ns) != 0) {
/*
* We have a partial match between of all of the
* current node but only part of the target.
* Continue searching for other hits in the
* same or lower numbered trees.
*/
find_result = DNS_R_PARTIALMATCH;
*found = cur;
pair.d = trim_zbits(pair.d, cur->pair.d);
pair.ns = trim_zbits(pair.ns, cur->pair.ns);
}
parent = cur;
cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
cur = cur->child[cur_num];
continue;
}
/*
* dbit < tgt_prefix and dbit < cur->prefix,
* so we failed to match both the target and the current node.
* Insert a fork of a parent above the current node and
* add the target as a sibling of the current node
*/
if (!create)
return (find_result);
sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
if (sibling == NULL)
return (ISC_R_NOMEMORY);
new_parent = new_node(rpzs, tgt_ip, dbit, cur);
if (new_parent == NULL) {
isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling));
return (ISC_R_NOMEMORY);
}
new_parent->parent = parent;
if (parent == NULL)
rpzs->cidr = new_parent;
else
parent->child[cur_num] = new_parent;
child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
new_parent->child[child_num] = sibling;
new_parent->child[1-child_num] = cur;
cur->parent = new_parent;
sibling->parent = new_parent;
sibling->pair = *tgt_pair;
set_sum_pair(sibling);
*found = sibling;
return (ISC_R_SUCCESS);
}
}
/*
* Add an IP address to the radix tree.
*/
static isc_result_t
add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
dns_rpz_type_t rpz_type, dns_name_t *src_name)
{
dns_rpz_cidr_key_t tgt_ip;
dns_rpz_prefix_t tgt_prefix;
dns_rpz_pair_zbits_t pair;
dns_rpz_cidr_node_t *found;
isc_result_t result;
result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type,
src_name, &tgt_ip, &tgt_prefix, &pair);
/*
* Log complaints about bad owner names but let the zone load.
*/
if (result != ISC_R_SUCCESS)
return (ISC_R_SUCCESS);
result = search(rpzs, &tgt_ip, tgt_prefix, &pair, ISC_TRUE, &found);
if (result != ISC_R_SUCCESS) {
char namebuf[DNS_NAME_FORMATSIZE];
/*
* bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
*/
dns_name_format(src_name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"rpz add_cidr(%s) failed: %s",
namebuf, isc_result_totext(result));
return (result);
}
adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_TRUE);
return (result);
}
static isc_result_t
add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name,
const dns_rpz_nm_data_t *new_data)
{
dns_rbtnode_t *nmnode;
dns_rpz_nm_data_t *nm_data;
isc_result_t result;
nmnode = NULL;
result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode);
switch (result) {
case ISC_R_SUCCESS:
case ISC_R_EXISTS:
nm_data = nmnode->data;
if (nm_data == NULL) {
nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data));
if (nm_data == NULL)
return (ISC_R_NOMEMORY);
*nm_data = *new_data;
nmnode->data = nm_data;
return (ISC_R_SUCCESS);
}
break;
default:
return (result);
}
/*
* Do not count bits that are already present
*/
if ((nm_data->pair.d & new_data->pair.d) != 0 ||
(nm_data->pair.ns & new_data->pair.ns) != 0 ||
(nm_data->wild.d & new_data->wild.d) != 0 ||
(nm_data->wild.ns & new_data->wild.ns) != 0) {
char namebuf[DNS_NAME_FORMATSIZE];
/*
* bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
*/
dns_name_format(trig_name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"rpz add_nm(%s): bits already set", namebuf);
return (ISC_R_EXISTS);
}
nm_data->pair.d |= new_data->pair.d;
nm_data->pair.ns |= new_data->pair.ns;
nm_data->wild.d |= new_data->wild.d;
nm_data->wild.ns |= new_data->wild.ns;
return (ISC_R_SUCCESS);
}
static isc_result_t
add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
dns_rpz_type_t rpz_type, dns_name_t *src_name)
{
dns_rpz_nm_data_t new_data;
dns_fixedname_t trig_namef;
dns_name_t *trig_name;
isc_result_t result;
dns_fixedname_init(&trig_namef);
trig_name = dns_fixedname_name(&trig_namef);
name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data);
result = add_nm(rpzs, trig_name, &new_data);
if (result == ISC_R_SUCCESS)
adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
return (result);
}
/*
* Callback to free the data for a node in the summary RBT database.
*/
static void
rpz_node_deleter(void *nm_data, void *mctx) {
isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t));
}
/*
* Get ready for a new set of policy zones.
*/
isc_result_t
dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) {
dns_rpz_zones_t *new;
isc_result_t result;
REQUIRE(rpzsp != NULL && *rpzsp == NULL);
*rpzsp = NULL;
new = isc_mem_get(mctx, sizeof(*new));
if (new == NULL)
return (ISC_R_NOMEMORY);
memset(new, 0, sizeof(*new));
result = isc_mutex_init(&new->search_lock);
if (result != ISC_R_SUCCESS) {
isc_mem_put(mctx, new, sizeof(*new));
return (result);
}
result = isc_mutex_init(&new->maint_lock);
if (result != ISC_R_SUCCESS) {
DESTROYLOCK(&new->search_lock);
isc_mem_put(mctx, new, sizeof(*new));
return (result);
}
result = isc_refcount_init(&new->refs, 1);
if (result != ISC_R_SUCCESS) {
DESTROYLOCK(&new->maint_lock);
DESTROYLOCK(&new->search_lock);
isc_mem_put(mctx, new, sizeof(*new));
return (result);
}
result = dns_rbt_create(mctx, rpz_node_deleter, mctx, &new->rbt);
if (result != ISC_R_SUCCESS) {
isc_refcount_decrement(&new->refs, NULL);
isc_refcount_destroy(&new->refs);
DESTROYLOCK(&new->maint_lock);
DESTROYLOCK(&new->search_lock);
isc_mem_put(mctx, new, sizeof(*new));
return (result);
}
isc_mem_attach(mctx, &new->mctx);
*rpzsp = new;
return (ISC_R_SUCCESS);
}
/*
* Free the radix tree of a response policy database.
*/
static void
cidr_free(dns_rpz_zones_t *rpzs) {
dns_rpz_cidr_node_t *cur, *child, *parent;
cur = rpzs->cidr;
while (cur != NULL) {
/* Depth first. */
child = cur->child[0];
if (child != NULL) {
cur = child;
continue;
}
child = cur->child[1];
if (child != NULL) {
cur = child;
continue;
}
/* Delete this leaf and go up. */
parent = cur->parent;
if (parent == NULL)
rpzs->cidr = NULL;
else
parent->child[parent->child[1] == cur] = NULL;
isc_mem_put(rpzs->mctx, cur, sizeof(*cur));
cur = parent;
}
}
/*
* Discard a response policy zone blob
* before discarding the overall rpz structure.
*/
static void
rpz_detach(dns_rpz_zone_t **rpzp, dns_rpz_zones_t *rpzs) {
dns_rpz_zone_t *rpz;
unsigned int refs;
rpz = *rpzp;
*rpzp = NULL;
isc_refcount_decrement(&rpz->refs, &refs);
if (refs != 0)
return;
isc_refcount_destroy(&rpz->refs);
if (dns_name_dynamic(&rpz->origin))
dns_name_free(&rpz->origin, rpzs->mctx);
if (dns_name_dynamic(&rpz->ip))
dns_name_free(&rpz->ip, rpzs->mctx);
if (dns_name_dynamic(&rpz->nsdname))
dns_name_free(&rpz->nsdname, rpzs->mctx);
if (dns_name_dynamic(&rpz->nsip))
dns_name_free(&rpz->nsip, rpzs->mctx);
if (dns_name_dynamic(&rpz->passthru))
dns_name_free(&rpz->passthru, rpzs->mctx);
if (dns_name_dynamic(&rpz->cname))
dns_name_free(&rpz->cname, rpzs->mctx);
isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz));
}
void
dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) {
REQUIRE(rpzsp != NULL && *rpzsp == NULL);
isc_refcount_increment(&rpzs->refs, NULL);
*rpzsp = rpzs;
}
/*
* Forget a view's policy zones.
*/
void
dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) {
dns_rpz_zones_t *rpzs;
dns_rpz_zone_t *rpz;
dns_rpz_num_t rpz_num;
unsigned int refs;
REQUIRE(rpzsp != NULL);
rpzs = *rpzsp;
REQUIRE(rpzs != NULL);
*rpzsp = NULL;
isc_refcount_decrement(&rpzs->refs, &refs);
/*
* Forget the last of view's rpz machinery after the last reference.
*/
if (refs == 0) {
for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) {
rpz = rpzs->zones[rpz_num];
rpzs->zones[rpz_num] = NULL;
if (rpz != NULL)
rpz_detach(&rpz, rpzs);
}
cidr_free(rpzs);
dns_rbt_destroy(&rpzs->rbt);
DESTROYLOCK(&rpzs->maint_lock);
DESTROYLOCK(&rpzs->search_lock);
isc_refcount_destroy(&rpzs->refs);
isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs));
}
}
/*
* Create empty summary database to load one zone.
* The RBTDB write tree lock must be held.
*/
isc_result_t
dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
{
dns_rpz_zones_t *load_rpzs;
dns_rpz_zone_t *rpz;
dns_rpz_zbits_t tgt;
isc_result_t result;
REQUIRE(rpz_num < rpzs->p.num_zones);
rpz = rpzs->zones[rpz_num];
REQUIRE(rpz != NULL);
/*
* When reloading a zone, there are usually records among the summary
* data for the zone. Some of those records might be deleted by the
* reloaded zone data. To deal with that case:
* reload the new zone data into a new blank summary database
* if the reload fails, discard the new summary database
* if the new zone data is acceptable, copy the records for the
* other zones into the new summary database and replace the
* old summary database with the new.
*
* At the first attempt to load a zone, there is no summary data
* for the zone and so no records that need to be deleted.
* This is also the most common case of policy zone loading.
* Most policy zone maintenance should be by incremental changes
* and so by the addition and deletion of individual records.
* Detect that case and load records the first time into the
* operational summary database
*/
tgt = DNS_RPZ_ZBIT(rpz_num);
LOCK(&rpzs->maint_lock);
LOCK(&rpzs->search_lock);
if ((rpzs->load_begun & tgt) == 0) {
rpzs->load_begun |= tgt;
dns_rpz_attach_rpzs(rpzs, load_rpzsp);
UNLOCK(&rpzs->search_lock);
UNLOCK(&rpzs->maint_lock);
} else {
UNLOCK(&rpzs->search_lock);
UNLOCK(&rpzs->maint_lock);
result = dns_rpz_new_zones(load_rpzsp, rpzs->mctx);
if (result != ISC_R_SUCCESS)
return (result);
load_rpzs = *load_rpzsp;
load_rpzs->p.num_zones = rpzs->p.num_zones;
load_rpzs->zones[rpz_num] = rpz;
isc_refcount_increment(&rpz->refs, NULL);
}
return (ISC_R_SUCCESS);
}
static void
fix_triggers(dns_rpz_zones_t *rpzs, dns_rpz_triggers_t *totals) {
dns_rpz_num_t rpz_num;
const dns_rpz_zone_t *rpz;
dns_rpz_zbits_t zbit;
# define SET_TRIG(type) \
if (rpz == NULL || rpz->triggers.type == 0) { \
rpzs->have.type &= ~zbit; \
} else { \
totals->type += rpz->triggers.type; \
rpzs->have.type |= zbit; \
}
memset(totals, 0, sizeof(*totals));
for (rpz_num = 0; rpz_num < rpzs->p.num_zones; ++rpz_num) {
rpz = rpzs->zones[rpz_num];
zbit = DNS_RPZ_ZBIT(rpz_num);
SET_TRIG(nsdname);
SET_TRIG(qname);
SET_TRIG(ipv4);
SET_TRIG(ipv6);
SET_TRIG(nsipv4);
SET_TRIG(nsipv6);
}
fix_qname_skip_recurse(rpzs);
# undef SET_TRIG
}
static void
load_unlock(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **load_rpzsp) {
UNLOCK(&rpzs->maint_lock);
UNLOCK(&(*load_rpzsp)->search_lock);
UNLOCK(&(*load_rpzsp)->maint_lock);
dns_rpz_detach_rpzs(load_rpzsp);
}
/*
* Finish loading one zone.
* The RBTDB write tree lock must be held.
*/
isc_result_t
dns_rpz_ready(dns_rpz_zones_t *rpzs,
dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num)
{
char namebuf[DNS_NAME_FORMATSIZE];
dns_rpz_zones_t *load_rpzs;
const dns_rpz_cidr_node_t *cnode, *next_cnode, *parent_cnode;
dns_rpz_cidr_node_t *found;
dns_rpz_pair_zbits_t load_pair, new_pair;
dns_rbt_t *rbt;
dns_rbtnodechain_t chain;
dns_rbtnode_t *nmnode;
dns_rpz_nm_data_t *nm_data, new_data;
dns_rpz_triggers_t old_totals, new_totals;
dns_fixedname_t labelf, originf, namef;
dns_name_t *label, *origin, *name;
isc_result_t result;
INSIST(rpzs != NULL);
LOCK(&rpzs->maint_lock);
load_rpzs = *load_rpzsp;
INSIST(load_rpzs != NULL);
if (load_rpzs == rpzs) {
/*
* This is a successful initial zone loading,
* perhaps for a new instance of a view.
*/
fix_triggers(rpzs, &new_totals);
UNLOCK(&rpzs->maint_lock);
dns_rpz_detach_rpzs(load_rpzsp);
if (rpz_num == rpzs->p.num_zones-1)
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL,
"loaded policy %d zones with"
" %d qname %d nsdname"
" % d IP %d NSIP entries",
rpzs->p.num_zones,
new_totals.qname,
new_totals.nsdname,
new_totals.ipv4 + new_totals.ipv6,
new_totals.nsipv4 +
new_totals.nsipv6);
return (ISC_R_SUCCESS);
}
LOCK(&load_rpzs->maint_lock);
LOCK(&load_rpzs->search_lock);
/*
* Copy the other policy zones to the new summary databases
* unless there is only one policy zone.
*/
if (rpzs->p.num_zones > 1) {
/*
* Copy to the radix tree.
*/
load_pair.d = ~DNS_RPZ_ZBIT(rpz_num);
load_pair.ns = load_pair.d;
for (cnode = rpzs->cidr; cnode != NULL; cnode = next_cnode) {
new_pair.d = cnode->pair.d & load_pair.d;
new_pair.ns = cnode->pair.ns & load_pair.ns;
if (new_pair.d != 0 || new_pair.ns != 0) {
result = search(load_rpzs,
&cnode->ip, cnode->prefix,
&new_pair, ISC_TRUE,
&found);
if (result == ISC_R_NOMEMORY) {
load_unlock(rpzs, load_rpzsp);
return (result);
}
INSIST(result == ISC_R_SUCCESS);
}
/*
* Do down and to the left as far as possible.
*/
next_cnode = cnode->child[0];
if (next_cnode != NULL)
continue;
/*
* Go up until we find a branch to the right where
* we previously took the branck to the left.
*/
for (;;) {
parent_cnode = cnode->parent;
if (parent_cnode == NULL)
break;
if (parent_cnode->child[0] == cnode) {
next_cnode = parent_cnode->child[1];
if (next_cnode != NULL)
break;
}
cnode = parent_cnode;
}
}
/*
* Copy to the summary rbt.
*/
dns_fixedname_init(&namef);
name = dns_fixedname_name(&namef);
dns_fixedname_init(&labelf);
label = dns_fixedname_name(&labelf);
dns_fixedname_init(&originf);
origin = dns_fixedname_name(&originf);
dns_rbtnodechain_init(&chain, NULL);
result = dns_rbtnodechain_first(&chain, rpzs->rbt, NULL, NULL);
while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
result = dns_rbtnodechain_current(&chain, label, origin,
&nmnode);
INSIST(result == ISC_R_SUCCESS);
nm_data = nmnode->data;
if (nm_data != NULL) {
new_data.pair.d = (nm_data->pair.d &
load_pair.d);
new_data.pair.ns = (nm_data->pair.ns &
load_pair.ns);
new_data.wild.d = (nm_data->wild.d &
load_pair.d);
new_data.wild.ns = (nm_data->wild.ns &
load_pair.ns);
if (new_data.pair.d != 0 ||
new_data.pair.ns != 0 ||
new_data.wild.d != 0 ||
new_data.wild.ns != 0) {
result = dns_name_concatenate(label,
origin, name, NULL);
INSIST(result == ISC_R_SUCCESS);
result = add_nm(load_rpzs, name,
&new_data);
if (result != ISC_R_SUCCESS) {
load_unlock(rpzs, load_rpzsp);
return (result);
}
}
}
result = dns_rbtnodechain_next(&chain, NULL, NULL);
}
if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) {
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"dns_rpz_ready(): unexpected %s",
isc_result_totext(result));
load_unlock(rpzs, load_rpzsp);
return (result);
}
}
fix_triggers(rpzs, &old_totals);
fix_triggers(load_rpzs, &new_totals);
dns_name_format(&load_rpzs->zones[rpz_num]->origin,
namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL,
"reloading policy zone '%s' changed from"
" %d to %d qname, %d to %d nsdname,"
" %d to %d IP, %d to %d NSIP entries",
namebuf,
old_totals.qname, new_totals.qname,
old_totals.nsdname, new_totals.nsdname,
old_totals.ipv4 + old_totals.ipv6,
new_totals.ipv4 + new_totals.ipv6,
old_totals.nsipv4 + old_totals.nsipv6,
new_totals.nsipv4 + new_totals.nsipv6);
/*
* Exchange the summary databases.
*/
LOCK(&rpzs->search_lock);
found = rpzs->cidr;
rpzs->cidr = load_rpzs->cidr;
load_rpzs->cidr = found;
rbt = rpzs->rbt;
rpzs->rbt = load_rpzs->rbt;
load_rpzs->rbt = rbt;
UNLOCK(&rpzs->search_lock);
load_unlock(rpzs, load_rpzsp);
return (ISC_R_SUCCESS);
}
/*
* Add an IP address to the radix tree or a name to the summary database.
*/
isc_result_t
dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *src_name)
{
dns_rpz_zone_t *rpz;
dns_rpz_type_t rpz_type;
isc_result_t result = ISC_R_FAILURE;
REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
rpz = rpzs->zones[rpz_num];
REQUIRE(rpz != NULL);
rpz_type = type_from_name(rpz, src_name);
LOCK(&rpzs->maint_lock);
LOCK(&rpzs->search_lock);
switch (rpz_type) {
case DNS_RPZ_TYPE_QNAME:
case DNS_RPZ_TYPE_NSDNAME:
result = add_name(rpzs, rpz_num, rpz_type, src_name);
break;
case DNS_RPZ_TYPE_IP:
case DNS_RPZ_TYPE_NSIP:
result = add_cidr(rpzs, rpz_num, rpz_type, src_name);
break;
case DNS_RPZ_TYPE_BAD:
break;
}
UNLOCK(&rpzs->search_lock);
UNLOCK(&rpzs->maint_lock);
return (result);
}
/*
* Remove an IP address from the radix tree.
*/
static void
del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
dns_rpz_type_t rpz_type, dns_name_t *src_name)
{
isc_result_t result;
dns_rpz_cidr_key_t tgt_ip;
dns_rpz_prefix_t tgt_prefix;
dns_rpz_pair_zbits_t pair;
dns_rpz_cidr_node_t *tgt, *parent, *child;
/*
* Do not worry about invalid rpz IP address names. If we
* are here, then something relevant was added and so was
* valid. Invalid names here are usually internal RBTDB nodes.
*/
result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type,
src_name, &tgt_ip, &tgt_prefix, &pair);
if (result != ISC_R_SUCCESS)
return;
result = search(rpzs, &tgt_ip, tgt_prefix, &pair, ISC_FALSE, &tgt);
if (result != ISC_R_SUCCESS) {
INSIST(result == ISC_R_NOTFOUND ||
result == DNS_R_PARTIALMATCH);
/*
* Do not worry about missing summary RBT nodes that probably
* correspond to RBTDB nodes that were implicit RBT nodes
* that were later added for (often empty) wildcards
* and then to the RBTDB deferred cleanup list.
*/
return;
}
/*
* Mark the node and its parents to reflect the deleted IP address.
* Do not count bits that are already clear for internal RBTDB nodes.
*/
pair.d &= tgt->pair.d;
pair.ns &= tgt->pair.ns;
tgt->pair.d &= ~pair.d;
tgt->pair.ns &= ~pair.ns;
set_sum_pair(tgt);
adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_FALSE);
/*
* We might need to delete 2 nodes.
*/
do {
/*
* The node is now useless if it has no data of its own
* and 0 or 1 children. We are finished if it is not useless.
*/
if ((child = tgt->child[0]) != NULL) {
if (tgt->child[1] != NULL)
break;
} else {
child = tgt->child[1];
}
if (tgt->pair.d + tgt->pair.ns != 0)
break;
/*
* Replace the pointer to this node in the parent with
* the remaining child or NULL.
*/
parent = tgt->parent;
if (parent == NULL) {
rpzs->cidr = child;
} else {
parent->child[parent->child[1] == tgt] = child;
}
/*
* If the child exists fix up its parent pointer.
*/
if (child != NULL)
child->parent = parent;
isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt));
tgt = parent;
} while (tgt != NULL);
}
static void
del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
dns_rpz_type_t rpz_type, dns_name_t *src_name)
{
char namebuf[DNS_NAME_FORMATSIZE];
dns_fixedname_t trig_namef;
dns_name_t *trig_name;
dns_rbtnode_t *nmnode;
dns_rpz_nm_data_t *nm_data, del_data;
isc_result_t result;
dns_fixedname_init(&trig_namef);
trig_name = dns_fixedname_name(&trig_namef);
name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data);
/*
* No need for a summary database of names with only 1 policy zone.
*/
if (rpzs->p.num_zones <= 1) {
adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
return;
}
nmnode = NULL;
result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0,
NULL, NULL);
if (result != ISC_R_SUCCESS) {
/*
* Do not worry about missing summary RBT nodes that probably
* correspond to RBTDB nodes that were implicit RBT nodes
* that were later added for (often empty) wildcards
* and then to the RBTDB deferred cleanup list.
*/
if (result == ISC_R_NOTFOUND)
return;
dns_name_format(src_name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"rpz del_name(%s) node search failed: %s",
namebuf, isc_result_totext(result));
return;
}
nm_data = nmnode->data;
INSIST(nm_data != NULL);
/*
* Do not count bits that next existed for RBT nodes that would we
* would not have found in a summary for a single RBTDB tree.
*/
del_data.pair.d &= nm_data->pair.d;
del_data.pair.ns &= nm_data->pair.ns;
del_data.wild.d &= nm_data->wild.d;
del_data.wild.ns &= nm_data->wild.ns;
nm_data->pair.d &= ~del_data.pair.d;
nm_data->pair.ns &= ~del_data.pair.ns;
nm_data->wild.d &= ~del_data.wild.d;
nm_data->wild.ns &= ~del_data.wild.ns;
if (nm_data->pair.d == 0 && nm_data->pair.ns == 0 &&
nm_data->wild.d == 0 && nm_data->wild.ns == 0) {
result = dns_rbt_deletenode(rpzs->rbt, nmnode, ISC_FALSE);
if (result != ISC_R_SUCCESS) {
/*
* bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
*/
dns_name_format(src_name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"rpz del_name(%s) node delete failed: %s",
namebuf, isc_result_totext(result));
}
}
adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
}
/*
* Remove an IP address from the radix tree or a name from the summary database.
*/
void
dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
dns_name_t *src_name) {
dns_rpz_zone_t *rpz;
dns_rpz_type_t rpz_type;
REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
rpz = rpzs->zones[rpz_num];
REQUIRE(rpz != NULL);
rpz_type = type_from_name(rpz, src_name);
LOCK(&rpzs->maint_lock);
LOCK(&rpzs->search_lock);
switch (rpz_type) {
case DNS_RPZ_TYPE_QNAME:
case DNS_RPZ_TYPE_NSDNAME:
del_name(rpzs, rpz_num, rpz_type, src_name);
break;
case DNS_RPZ_TYPE_IP:
case DNS_RPZ_TYPE_NSIP:
del_cidr(rpzs, rpz_num, rpz_type, src_name);
break;
case DNS_RPZ_TYPE_BAD:
break;
}
UNLOCK(&rpzs->search_lock);
UNLOCK(&rpzs->maint_lock);
}
/*
* Search the summary radix tree to get a relative owner name in a
* policy zone relevant to a triggering IP address.
* rpz_type and zbits limit the search for IP address netaddr
* return the policy zone's number or DNS_RPZ_INVALID_NUM
* ip_name is the relative owner name found and
* *prefixp is its prefix length.
*/
dns_rpz_num_t
dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
dns_name_t *ip_name, dns_rpz_prefix_t *prefixp)
{
dns_rpz_cidr_key_t tgt_ip;
dns_rpz_pair_zbits_t pair;
dns_rpz_cidr_node_t *found;
isc_result_t result;
dns_rpz_num_t rpz_num;
int i;
/*
* Convert IP address to CIDR tree key.
*/
if (netaddr->family == AF_INET) {
tgt_ip.w[0] = 0;
tgt_ip.w[1] = 0;
tgt_ip.w[2] = ADDR_V4MAPPED;
tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr);
if (rpz_type == DNS_RPZ_TYPE_IP)
zbits &= rpzs->have.ipv4;
else
zbits &= rpzs->have.nsipv4;
} else if (netaddr->family == AF_INET6) {
dns_rpz_cidr_key_t src_ip6;
/*
* Given the int aligned struct in_addr member of netaddr->type
* one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
* but some people object.
*/
memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
for (i = 0; i < 4; i++) {
tgt_ip.w[i] = ntohl(src_ip6.w[i]);
}
if (rpz_type == DNS_RPZ_TYPE_IP)
zbits &= rpzs->have.ipv6;
else
zbits &= rpzs->have.nsipv6;
} else {
return (DNS_RPZ_INVALID_NUM);
}
if (zbits == 0)
return (DNS_RPZ_INVALID_NUM);
make_pair(&pair, zbits, rpz_type);
LOCK(&rpzs->search_lock);
result = search(rpzs, &tgt_ip, 128, &pair, ISC_FALSE, &found);
if (result == ISC_R_NOTFOUND) {
/*
* There are no eligible zones for this IP address.
*/
UNLOCK(&rpzs->search_lock);
return (DNS_RPZ_INVALID_NUM);
}
/*
* Construct the trigger name for the longest matching trigger
* in the first eligible zone with a match.
*/
*prefixp = found->prefix;
if (rpz_type == DNS_RPZ_TYPE_IP) {
INSIST((found->pair.d & pair.d) != 0);
rpz_num = zbit_to_num(found->pair.d & pair.d);
} else {
INSIST((found->pair.ns & pair.ns) != 0);
rpz_num = zbit_to_num(found->pair.ns & pair.ns);
}
result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name);
UNLOCK(&rpzs->search_lock);
if (result != ISC_R_SUCCESS) {
/*
* bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
*/
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"rpz ip2name() failed: %s",
isc_result_totext(result));
return (DNS_RPZ_INVALID_NUM);
}
return (rpz_num);
}
/*
* Search the summary radix tree for policy zones with triggers matching
* a name.
*/
dns_rpz_zbits_t
dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
dns_rpz_zbits_t zbits, dns_name_t *trig_name)
{
char namebuf[DNS_NAME_FORMATSIZE];
dns_rbtnode_t *nmnode;
const dns_rpz_nm_data_t *nm_data;
dns_rpz_zbits_t found_zbits;
isc_result_t result;
if (zbits == 0)
return (0);
found_zbits = 0;
LOCK(&rpzs->search_lock);
nmnode = NULL;
result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL,
DNS_RBTFIND_EMPTYDATA, NULL, NULL);
switch (result) {
case ISC_R_SUCCESS:
nm_data = nmnode->data;
if (nm_data != NULL) {
if (rpz_type == DNS_RPZ_TYPE_QNAME)
found_zbits = nm_data->pair.d;
else
found_zbits = nm_data->pair.ns;
}
nmnode = nmnode->parent;
/* fall thru */
case DNS_R_PARTIALMATCH:
while (nmnode != NULL) {
nm_data = nmnode->data;
if (nm_data != NULL) {
if (rpz_type == DNS_RPZ_TYPE_QNAME)
found_zbits |= nm_data->wild.d;
else
found_zbits |= nm_data->wild.ns;
}
nmnode = nmnode->parent;
}
break;
case ISC_R_NOTFOUND:
break;
default:
/*
* bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
*/
dns_name_format(trig_name, namebuf, sizeof(namebuf));
isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
"dns_rpz_find_name(%s) failed: %s",
namebuf, isc_result_totext(result));
break;
}
UNLOCK(&rpzs->search_lock);
return (zbits & found_zbits);
}
/*
* Translate CNAME rdata to a QNAME response policy action.
*/
dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
dns_name_t *selfname)
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdata_cname_t cname;
isc_result_t result;
result = dns_rdataset_first(rdataset);
INSIST(result == ISC_R_SUCCESS);
dns_rdataset_current(rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &cname, NULL);
INSIST(result == ISC_R_SUCCESS);
dns_rdata_reset(&rdata);
/*
* CNAME . means NXDOMAIN
*/
if (dns_name_equal(&cname.cname, dns_rootname))
return (DNS_RPZ_POLICY_NXDOMAIN);
if (dns_name_iswildcard(&cname.cname)) {
/*
* CNAME *. means NODATA
*/
if (dns_name_countlabels(&cname.cname) == 2)
return (DNS_RPZ_POLICY_NODATA);
/*
* A qname of www.evil.com and a policy of
* *.evil.com CNAME *.garden.net
* gives a result of
* evil.com CNAME evil.com.garden.net
*/
if (dns_name_countlabels(&cname.cname) > 2)
return (DNS_RPZ_POLICY_WILDCNAME);
}
/*
* CNAME PASSTHRU. means "do not rewrite.
*/
if (dns_name_equal(&cname.cname, &rpz->passthru))
return (DNS_RPZ_POLICY_PASSTHRU);
/*
* 128.1.0.127.rpz-ip CNAME 128.1.0.0.127. is obsolete PASSTHRU
*/
if (selfname != NULL && dns_name_equal(&cname.cname, selfname))
return (DNS_RPZ_POLICY_PASSTHRU);
/*
* Any other rdata gives a response consisting of the rdata.
*/
return (DNS_RPZ_POLICY_RECORD);
}