2
* Copyright (C) 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
4
* Permission to use, copy, modify, and/or distribute this software for any
5
* purpose with or without fee is hereby granted, provided that the above
6
* copyright notice and this permission notice appear in all copies.
8
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9
* REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10
* AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12
* LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13
* OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14
* PERFORMANCE OF THIS SOFTWARE.
17
/* $Id: iptable.c,v 1.5.46.3 2008/01/21 21:02:24 each Exp $ */
20
#include <isc/radix.h>
24
static void destroy_iptable(dns_iptable_t *dtab);
27
* Create a new IP table and the underlying radix structure
30
dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target) {
34
tab = isc_mem_get(mctx, sizeof(*tab));
36
return (ISC_R_NOMEMORY);
38
isc_refcount_init(&tab->refcount, 1);
39
tab->magic = DNS_IPTABLE_MAGIC;
41
result = isc_radix_create(mctx, &tab->radix, RADIX_MAXBITS);
42
if (result != ISC_R_SUCCESS)
46
return (ISC_R_SUCCESS);
49
dns_iptable_detach(&tab);
53
isc_boolean_t dns_iptable_neg = ISC_FALSE;
54
isc_boolean_t dns_iptable_pos = ISC_TRUE;
57
* Add an IP prefix to an existing IP table
60
dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
61
isc_uint16_t bitlen, isc_boolean_t pos)
65
isc_radix_node_t *node;
68
INSIST(DNS_IPTABLE_VALID(tab));
71
NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
73
/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
74
family = bitlen ? pfx.family : AF_INET;
76
result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
78
if (result != ISC_R_SUCCESS)
81
/* If the node already contains data, don't overwrite it */
82
if (node->data[ISC_IS6(family)] == NULL) {
84
node->data[ISC_IS6(family)] = &dns_iptable_pos;
86
node->data[ISC_IS6(family)] = &dns_iptable_neg;
89
return (ISC_R_SUCCESS);
93
* Merge one IP table into another one.
96
dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos)
99
isc_radix_node_t *node, *new_node;
102
RADIX_WALK (source->radix->head, node) {
103
result = isc_radix_insert (tab->radix, &new_node, node, NULL);
105
if (result != ISC_R_SUCCESS)
109
* If we're negating a nested ACL, then we should
110
* reverse the sense of every node. However, this
111
* could lead to a negative node in a nested ACL
112
* becoming a positive match in the parent, which
113
* could be a security risk. To prevent this, we
114
* just leave the negative nodes negative.
118
*(isc_boolean_t *) node->data[0] == ISC_TRUE)
119
new_node->data[0] = &dns_iptable_neg;
121
new_node->data[0] = node->data[0];
124
*(isc_boolean_t *) node->data[1] == ISC_TRUE)
125
new_node->data[1] = &dns_iptable_neg;
127
new_node->data[1] = node->data[0];
130
if (node->node_num[0] > max_node)
131
max_node = node->node_num[0];
132
if (node->node_num[1] > max_node)
133
max_node = node->node_num[1];
136
tab->radix->num_added_node += max_node;
137
return (ISC_R_SUCCESS);
141
dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target) {
142
REQUIRE(DNS_IPTABLE_VALID(source));
143
isc_refcount_increment(&source->refcount, NULL);
148
dns_iptable_detach(dns_iptable_t **tabp) {
149
dns_iptable_t *tab = *tabp;
151
REQUIRE(DNS_IPTABLE_VALID(tab));
152
isc_refcount_decrement(&tab->refcount, &refs);
154
destroy_iptable(tab);
159
destroy_iptable(dns_iptable_t *dtab) {
161
REQUIRE(DNS_IPTABLE_VALID(dtab));
163
if (dtab->radix != NULL) {
164
isc_radix_destroy(dtab->radix, NULL);
168
isc_refcount_destroy(&dtab->refcount);
170
isc_mem_put(dtab->mctx, dtab, sizeof(*dtab));