2
* Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
3
* Copyright (C) 1999-2002 Internet Software Consortium.
5
* Permission to use, copy, modify, and distribute this software for any
6
* purpose with or without fee is hereby granted, provided that the above
7
* copyright notice and this permission notice appear in all copies.
9
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15
* PERFORMANCE OF THIS SOFTWARE.
18
/* $Id: aclconf.c,v 1.27.12.5 2005/03/17 03:58:25 marka Exp $ */
23
#include <isc/string.h> /* Required for HP/UX (and others?) */
26
#include <isccfg/namedconf.h>
29
#include <dns/fixedname.h>
32
#include <named/aclconf.h>
34
#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
37
ns_aclconfctx_init(ns_aclconfctx_t *ctx) {
38
ISC_LIST_INIT(ctx->named_acl_cache);
42
ns_aclconfctx_destroy(ns_aclconfctx_t *ctx) {
43
dns_acl_t *dacl, *next;
44
for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
48
next = ISC_LIST_NEXT(dacl, nextincache);
49
dns_acl_detach(&dacl);
54
* Find the definition of the named acl whose name is "name".
57
get_acl_def(cfg_obj_t *cctx, char *name, cfg_obj_t **ret) {
59
cfg_obj_t *acls = NULL;
62
result = cfg_map_get(cctx, "acl", &acls);
63
if (result != ISC_R_SUCCESS)
65
for (elt = cfg_list_first(acls);
67
elt = cfg_list_next(elt)) {
68
cfg_obj_t *acl = cfg_listelt_value(elt);
69
const char *aclname = cfg_obj_asstring(cfg_tuple_get(acl, "name"));
70
if (strcasecmp(aclname, name) == 0) {
71
*ret = cfg_tuple_get(acl, "value");
72
return (ISC_R_SUCCESS);
75
return (ISC_R_NOTFOUND);
79
convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
80
ns_aclconfctx_t *ctx, isc_mem_t *mctx,
84
cfg_obj_t *cacl = NULL;
87
char *aclname = cfg_obj_asstring(nameobj);
89
/* Look for an already-converted version. */
90
for (dacl = ISC_LIST_HEAD(ctx->named_acl_cache);
92
dacl = ISC_LIST_NEXT(dacl, nextincache))
94
if (strcasecmp(aclname, dacl->name) == 0) {
95
if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
96
cfg_obj_log(nameobj, dns_lctx, ISC_LOG_ERROR,
97
"acl loop detected: %s", aclname);
98
return (ISC_R_FAILURE);
100
dns_acl_attach(dacl, target);
101
return (ISC_R_SUCCESS);
104
/* Not yet converted. Convert now. */
105
result = get_acl_def(cctx, aclname, &cacl);
106
if (result != ISC_R_SUCCESS) {
107
cfg_obj_log(nameobj, dns_lctx, ISC_LOG_WARNING,
108
"undefined ACL '%s'", aclname);
112
* Add a loop detection element.
114
memset(&loop, 0, sizeof(loop));
115
ISC_LINK_INIT(&loop, nextincache);
117
loop.magic = LOOP_MAGIC;
118
ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
119
result = ns_acl_fromconfig(cacl, cctx, ctx, mctx, &dacl);
120
ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
123
if (result != ISC_R_SUCCESS)
125
dacl->name = isc_mem_strdup(dacl->mctx, aclname);
126
if (dacl->name == NULL)
127
return (ISC_R_NOMEMORY);
128
ISC_LIST_APPEND(ctx->named_acl_cache, dacl, nextincache);
129
dns_acl_attach(dacl, target);
130
return (ISC_R_SUCCESS);
134
convert_keyname(cfg_obj_t *keyobj, isc_mem_t *mctx, dns_name_t *dnsname) {
137
dns_fixedname_t fixname;
139
const char *txtname = cfg_obj_asstring(keyobj);
141
keylen = strlen(txtname);
142
isc_buffer_init(&buf, txtname, keylen);
143
isc_buffer_add(&buf, keylen);
144
dns_fixedname_init(&fixname);
145
result = dns_name_fromtext(dns_fixedname_name(&fixname), &buf,
146
dns_rootname, ISC_FALSE, NULL);
147
if (result != ISC_R_SUCCESS) {
148
cfg_obj_log(keyobj, dns_lctx, ISC_LOG_WARNING,
149
"key name '%s' is not a valid domain name",
153
return (dns_name_dup(dns_fixedname_name(&fixname), mctx, dnsname));
157
ns_acl_fromconfig(cfg_obj_t *caml,
159
ns_aclconfctx_t *ctx,
165
dns_acl_t *dacl = NULL;
166
dns_aclelement_t *de;
169
REQUIRE(target != NULL && *target == NULL);
172
for (elt = cfg_list_first(caml);
174
elt = cfg_list_next(elt))
177
result = dns_acl_create(mctx, count, &dacl);
178
if (result != ISC_R_SUCCESS)
182
for (elt = cfg_list_first(caml);
184
elt = cfg_list_next(elt))
186
cfg_obj_t *ce = cfg_listelt_value(elt);
187
if (cfg_obj_istuple(ce)) {
188
/* This must be a negated element. */
189
ce = cfg_tuple_get(ce, "value");
190
de->negative = ISC_TRUE;
192
de->negative = ISC_FALSE;
195
if (cfg_obj_isnetprefix(ce)) {
197
de->type = dns_aclelementtype_ipprefix;
199
cfg_obj_asnetprefix(ce,
200
&de->u.ip_prefix.address,
201
&de->u.ip_prefix.prefixlen);
202
} else if (cfg_obj_istype(ce, &cfg_type_keyref)) {
204
de->type = dns_aclelementtype_keyname;
205
dns_name_init(&de->u.keyname, NULL);
206
result = convert_keyname(ce, mctx, &de->u.keyname);
207
if (result != ISC_R_SUCCESS)
209
} else if (cfg_obj_islist(ce)) {
211
de->type = dns_aclelementtype_nestedacl;
212
result = ns_acl_fromconfig(ce, cctx, ctx, mctx,
214
if (result != ISC_R_SUCCESS)
216
} else if (cfg_obj_isstring(ce)) {
218
char *name = cfg_obj_asstring(ce);
219
if (strcasecmp(name, "localhost") == 0) {
220
de->type = dns_aclelementtype_localhost;
221
} else if (strcasecmp(name, "localnets") == 0) {
222
de->type = dns_aclelementtype_localnets;
223
} else if (strcasecmp(name, "any") == 0) {
224
de->type = dns_aclelementtype_any;
225
} else if (strcasecmp(name, "none") == 0) {
226
de->type = dns_aclelementtype_any;
227
de->negative = ISC_TF(! de->negative);
229
de->type = dns_aclelementtype_nestedacl;
230
result = convert_named_acl(ce, cctx, ctx, mctx,
232
if (result != ISC_R_SUCCESS)
236
cfg_obj_log(ce, dns_lctx, ISC_LOG_WARNING,
237
"address match list contains "
238
"unsupported element type");
239
result = ISC_R_FAILURE;
247
return (ISC_R_SUCCESS);
250
dns_acl_detach(&dacl);