/contrib/bind9/lib/dns/iptable.c

https://bitbucket.org/freebsd/freebsd-head/ · C · 188 lines · 122 code · 30 blank · 36 comment · 36 complexity · 8bfaefb2b6940670dfbc7151c8fe1f82 MD5 · raw file

  1. /*
  2. * Copyright (C) 2007-2009 Internet Systems Consortium, Inc. ("ISC")
  3. *
  4. * Permission to use, copy, modify, and/or distribute this software for any
  5. * purpose with or without fee is hereby granted, provided that the above
  6. * copyright notice and this permission notice appear in all copies.
  7. *
  8. * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  9. * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  10. * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  11. * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  12. * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  13. * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  14. * PERFORMANCE OF THIS SOFTWARE.
  15. */
  16. /* $Id: iptable.c,v 1.15 2009/02/18 23:47:48 tbox Exp $ */
  17. #include <config.h>
  18. #include <isc/mem.h>
  19. #include <isc/radix.h>
  20. #include <dns/acl.h>
  21. static void destroy_iptable(dns_iptable_t *dtab);
  22. /*
  23. * Create a new IP table and the underlying radix structure
  24. */
  25. isc_result_t
  26. dns_iptable_create(isc_mem_t *mctx, dns_iptable_t **target) {
  27. isc_result_t result;
  28. dns_iptable_t *tab;
  29. tab = isc_mem_get(mctx, sizeof(*tab));
  30. if (tab == NULL)
  31. return (ISC_R_NOMEMORY);
  32. tab->mctx = mctx;
  33. isc_refcount_init(&tab->refcount, 1);
  34. tab->radix = NULL;
  35. tab->magic = DNS_IPTABLE_MAGIC;
  36. result = isc_radix_create(mctx, &tab->radix, RADIX_MAXBITS);
  37. if (result != ISC_R_SUCCESS)
  38. goto cleanup;
  39. *target = tab;
  40. return (ISC_R_SUCCESS);
  41. cleanup:
  42. dns_iptable_detach(&tab);
  43. return (result);
  44. }
  45. isc_boolean_t dns_iptable_neg = ISC_FALSE;
  46. isc_boolean_t dns_iptable_pos = ISC_TRUE;
  47. /*
  48. * Add an IP prefix to an existing IP table
  49. */
  50. isc_result_t
  51. dns_iptable_addprefix(dns_iptable_t *tab, isc_netaddr_t *addr,
  52. isc_uint16_t bitlen, isc_boolean_t pos)
  53. {
  54. isc_result_t result;
  55. isc_prefix_t pfx;
  56. isc_radix_node_t *node = NULL;
  57. int family;
  58. INSIST(DNS_IPTABLE_VALID(tab));
  59. INSIST(tab->radix);
  60. NETADDR_TO_PREFIX_T(addr, pfx, bitlen);
  61. result = isc_radix_insert(tab->radix, &node, NULL, &pfx);
  62. if (result != ISC_R_SUCCESS) {
  63. isc_refcount_destroy(&pfx.refcount);
  64. return(result);
  65. }
  66. /* If a node already contains data, don't overwrite it */
  67. family = pfx.family;
  68. if (family == AF_UNSPEC) {
  69. /* "any" or "none" */
  70. INSIST(pfx.bitlen == 0);
  71. if (pos) {
  72. if (node->data[0] == NULL)
  73. node->data[0] = &dns_iptable_pos;
  74. if (node->data[1] == NULL)
  75. node->data[1] = &dns_iptable_pos;
  76. } else {
  77. if (node->data[0] == NULL)
  78. node->data[0] = &dns_iptable_neg;
  79. if (node->data[1] == NULL)
  80. node->data[1] = &dns_iptable_neg;
  81. }
  82. } else {
  83. /* any other prefix */
  84. if (node->data[ISC_IS6(family)] == NULL) {
  85. if (pos)
  86. node->data[ISC_IS6(family)] = &dns_iptable_pos;
  87. else
  88. node->data[ISC_IS6(family)] = &dns_iptable_neg;
  89. }
  90. }
  91. isc_refcount_destroy(&pfx.refcount);
  92. return (ISC_R_SUCCESS);
  93. }
  94. /*
  95. * Merge one IP table into another one.
  96. */
  97. isc_result_t
  98. dns_iptable_merge(dns_iptable_t *tab, dns_iptable_t *source, isc_boolean_t pos)
  99. {
  100. isc_result_t result;
  101. isc_radix_node_t *node, *new_node;
  102. int max_node = 0;
  103. RADIX_WALK (source->radix->head, node) {
  104. new_node = NULL;
  105. result = isc_radix_insert (tab->radix, &new_node, node, NULL);
  106. if (result != ISC_R_SUCCESS)
  107. return(result);
  108. /*
  109. * If we're negating a nested ACL, then we should
  110. * reverse the sense of every node. However, this
  111. * could lead to a negative node in a nested ACL
  112. * becoming a positive match in the parent, which
  113. * could be a security risk. To prevent this, we
  114. * just leave the negative nodes negative.
  115. */
  116. if (!pos) {
  117. if (node->data[0] &&
  118. *(isc_boolean_t *) node->data[0] == ISC_TRUE)
  119. new_node->data[0] = &dns_iptable_neg;
  120. if (node->data[1] &&
  121. *(isc_boolean_t *) node->data[1] == ISC_TRUE)
  122. new_node->data[1] = &dns_iptable_neg;
  123. }
  124. if (node->node_num[0] > max_node)
  125. max_node = node->node_num[0];
  126. if (node->node_num[1] > max_node)
  127. max_node = node->node_num[1];
  128. } RADIX_WALK_END;
  129. tab->radix->num_added_node += max_node;
  130. return (ISC_R_SUCCESS);
  131. }
  132. void
  133. dns_iptable_attach(dns_iptable_t *source, dns_iptable_t **target) {
  134. REQUIRE(DNS_IPTABLE_VALID(source));
  135. isc_refcount_increment(&source->refcount, NULL);
  136. *target = source;
  137. }
  138. void
  139. dns_iptable_detach(dns_iptable_t **tabp) {
  140. dns_iptable_t *tab = *tabp;
  141. unsigned int refs;
  142. REQUIRE(DNS_IPTABLE_VALID(tab));
  143. isc_refcount_decrement(&tab->refcount, &refs);
  144. if (refs == 0)
  145. destroy_iptable(tab);
  146. *tabp = NULL;
  147. }
  148. static void
  149. destroy_iptable(dns_iptable_t *dtab) {
  150. REQUIRE(DNS_IPTABLE_VALID(dtab));
  151. if (dtab->radix != NULL) {
  152. isc_radix_destroy(dtab->radix, NULL);
  153. dtab->radix = NULL;
  154. }
  155. isc_refcount_destroy(&dtab->refcount);
  156. dtab->magic = 0;
  157. isc_mem_put(dtab->mctx, dtab, sizeof(*dtab));
  158. }