1 /*
2 * options.h -- nsd.conf options definitions and prototypes
3 *
4 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
5 *
6 * See LICENSE for the license.
7 *
8 */
9
10 #ifndef OPTIONS_H
11 #define OPTIONS_H
12
13 #include <stdarg.h>
14 #include "region-allocator.h"
15 #include "rbtree.h"
/* Types owned by other modules. Only pointers to them appear in this header,
 * so forward declarations suffice and the includers need not pull in the
 * query/dname/tsig/buffer/nsd headers. */
struct query;
struct dname;
struct tsig_key;
struct buffer;
struct nsd;
struct proxy_protocol_port_list;

/* *_type aliases for the option structures defined below; the struct tags
 * and the typedef names are used interchangeably throughout the code. */
typedef struct nsd_options nsd_options_type;
typedef struct pattern_options pattern_options_type;
typedef struct zone_options zone_options_type;
typedef struct range_option range_option_type;
typedef struct ip_address_option ip_address_option_type;
typedef struct cpu_option cpu_option_type;
typedef struct cpu_map_option cpu_map_option_type;
typedef struct acl_options acl_options_type;
typedef struct key_options key_options_type;
typedef struct tls_auth_options tls_auth_options_type;
typedef struct config_parser_state config_parser_state_type;
34
/* Sentinels for the per-pattern verifier settings (pattern_options.verify_zone,
 * .verifier_feed_zone, .verifier_timeout) meaning "not set in this pattern,
 * take the global nsd_options value" (by name; confirm in options.c).
 * The on/off settings use 2, outside the 0/1 range; the timeout uses -1,
 * which is why pattern_options.verifier_timeout is int32_t while the global
 * nsd_options.verifier_timeout is uint32_t (the sentinel is never stored
 * in the global). */
#define VERIFY_ZONE_INHERIT (2)
#define VERIFIER_FEED_ZONE_INHERIT (2)
#define VERIFIER_TIMEOUT_INHERIT (-1)
38
39 /*
40 * Options global for nsd.
41 */
/*
 * Options global for nsd. Populated by parse_options_file() from nsd.conf
 * and created with nsd_options_create(), which stores the allocation region
 * in the 'region' member (presumably everything here is allocated from it).
 *
 * Comments marked "by name" are documented from the identifier only and
 * should be confirmed against the code that consumes the option.
 */
struct nsd_options {
	/* config file name */
	char* configfile;
	/* options for zones, by apex, contains zone_options */
	rbtree_type* zone_options;
	/* patterns, by name, contains pattern_options */
	rbtree_type* patterns;

	/* free space in zonelist file, contains zonelist_bucket */
	rbtree_type* zonefree;
	/* number of free space lines in zonelist file */
	size_t zonefree_number;
	/* zonelist file if open */
	FILE* zonelist;
	/* last offset in file (or 0 if none) */
	off_t zonelist_off;

	/* tree of zonestat names and their id values, entries are struct
	 * zonestatname with malloced key=stringname. The number of items
	 * is the max statnameid, no items are freed from this.
	 * kept correct in the xfrd process, and on startup. */
	rbtree_type* zonestatnames;

	/* rbtree of keys defined, by name (struct key_options; TSIG) */
	rbtree_type* keys;

	/* rbtree of tls_auth defined, by name (struct tls_auth_options; XoT) */
	rbtree_type* tls_auths;

	/* list of ip addresses to bind to (or NULL for all) */
	struct ip_address_option* ip_addresses;

	/* by name: bind with IP_TRANSPARENT / IP_FREEBIND so addresses that
	 * are not (yet) configured locally can be bound; confirm in server.c */
	int ip_transparent;
	int ip_freebind;
	/* by name: socket send/receive buffer sizes, 0 presumably = OS default */
	int send_buffer_size;
	int receive_buffer_size;
	int debug_mode;
	int verbosity;
	/* by name: do not answer the version / identity CHAOS queries; hardening
	 * knobs that make 'version' and 'identity' below moot when set */
	int hide_version;
	int hide_identity;
	/* by name: silently drop DNS UPDATE messages instead of answering */
	int drop_updates;
	int do_ip4;
	int do_ip6;
	/* strings served for id.server / version.bind style queries (by name;
	 * a NULL 'version' presumably means the compiled-in version) */
	const char* identity;
	const char* version;
	const char* logfile;
	int log_only_syslog;
	/* number of server (child) processes */
	int server_count;
	struct cpu_option* cpu_affinity;
	struct cpu_map_option* service_cpu_affinity;
	/* max simultaneous tcp connections (by name) */
	int tcp_count;
	/* by name: when tcp_count is reached, actively refuse new connections
	 * rather than leaving them queued; confirm in server.c */
	int tcp_reject_overflow;
	/* by name: answer only from the zone that is authoritative for the
	 * query name; confirm */
	int confine_to_zone;
	/* queries per tcp connection and idle timeout (by name) */
	int tcp_query_count;
	int tcp_timeout;
	/* by name: TCP MSS clamping for incoming and outgoing connections */
	int tcp_mss;
	int outgoing_tcp_mss;
	/* by name: EDNS UDP payload size advertised for IPv4 / IPv6 */
	size_t ipv4_edns_size;
	size_t ipv6_edns_size;
	const char* pidfile;
	const char* port;
	int statistics;
	/* by name: directory to chroot into and user to drop privileges to
	 * after start-up. config_parser_state.chroot carries the same value
	 * so that configured paths can be made relative to the jail. */
	const char* chroot;
	const char* username;
	const char* zonesdir;
	const char* xfrdfile;
	const char* xfrdir;
	const char* zonelistfile;
	const char* nsid;
	int xfrd_reload_timeout;
	int zonefiles_check;
	/* zone file write interval; see ZONEFILES_WRITE_INTERVAL for the default */
	int zonefiles_write;
	int log_time_ascii;
	int round_robin;
	int minimal_responses;
	/* by name: refuse QTYPE=ANY (amplification mitigation); confirm whether
	 * this applies to UDP only */
	int refuse_any;
	int reuseport;
	/* max number of xfrd tcp sockets */
	int xfrd_tcp_max;
	/* max number of simultaneous requests on xfrd tcp socket */
	int xfrd_tcp_pipeline;

	/* private key file for TLS (file name only; the key itself is loaded
	 * by the server, not stored in options) */
	char* tls_service_key;
	/* ocsp stapling file for TLS */
	char* tls_service_ocsp;
	/* certificate file for TLS */
	char* tls_service_pem;
	/* TLS dedicated port */
	const char* tls_port;
	/* TLS certificate bundle (CA certificates; by name, presumably used to
	 * verify peers for XoT -- confirm) */
	const char* tls_cert_bundle;

	/* proxy protocol port list: ports on which connections are expected to
	 * start with a PROXY protocol header (see
	 * sockaddr_uses_proxy_protocol_port() and the acl_*_proxy functions).
	 * The header is supplied by whoever connects, so these ports should
	 * only be reachable from the trusted proxy. */
	struct proxy_protocol_port_list* proxy_protocol_port;

	/** remote control section. enable toggle. */
	int control_enable;
	/** the interfaces the remote control should listen on. An IP address
	 * implies the certificate files below are used; a named pipe implies
	 * no certificates (see options_remote_is_address()). */
	struct ip_address_option* control_interface;
	/** port number for the control port */
	int control_port;
	/** private key file for server */
	char* server_key_file;
	/** certificate file for server */
	char* server_cert_file;
	/** private key file for nsd-control */
	char* control_key_file;
	/** certificate file for nsd-control */
	char* control_cert_file;

#ifdef RATELIMIT
	/** number of buckets in rrl hashtable */
	size_t rrl_size;
	/** max qps for queries, 0 is nolimit */
	size_t rrl_ratelimit;
	/** ratio of slipped responses, 0 is noslip */
	size_t rrl_slip;
	/** ip prefix length used to aggregate clients into one bucket */
	size_t rrl_ipv4_prefix_length;
	size_t rrl_ipv6_prefix_length;
	/** max qps for whitelisted queries, 0 is nolimit */
	size_t rrl_whitelist_ratelimit;
#endif
	/** if dnstap is enabled */
	int dnstap_enable;
	/** dnstap socket path */
	char* dnstap_socket_path;
	/** dnstap IP, if "", it uses socket path. */
	char* dnstap_ip;
	/** dnstap TLS enable */
	int dnstap_tls;
	/** dnstap tls server authentication name */
	char* dnstap_tls_server_name;
	/** dnstap server cert bundle */
	char* dnstap_tls_cert_bundle;
	/** dnstap client key for client authentication */
	char* dnstap_tls_client_key_file;
	/** dnstap client cert for client authentication */
	char* dnstap_tls_client_cert_file;
	/** true to send "identity" via dnstap */
	int dnstap_send_identity;
	/** true to send "version" via dnstap */
	int dnstap_send_version;
	/** dnstap "identity", hostname is used if "". */
	char* dnstap_identity;
	/** dnstap "version", package version is used if "". */
	char* dnstap_version;
	/** true to log dnstap AUTH_QUERY message events */
	int dnstap_log_auth_query_messages;
	/** true to log dnstap AUTH_RESPONSE message events */
	int dnstap_log_auth_response_messages;

	/** do answer with server cookie when request contained cookie option */
	int answer_cookie;
	/** cookie secret. Secret material: keep it out of logs and debug dumps. */
	char *cookie_secret;
	/** path to cookie secret store */
	char const* cookie_secret_file;
	/** enable verify */
	int verify_enable;
	/** list of ip addresses used to serve zones for verification */
	struct ip_address_option* verify_ip_addresses;
	/** default port 5347 */
	char *verify_port;
	/** verify zones by default */
	int verify_zones;
	/** default command to verify zones with, as an argv-style array
	 * (presumably NULL-terminated -- confirm). nsd executes this, so the
	 * configured program path must be trusted. */
	char **verifier;
	/** maximum number of verifiers that may run simultaneously */
	int verifier_count;
	/** whether or not to feed the zone to the verifier over stdin */
	uint8_t verifier_feed_zone;
	/** maximum number of seconds that a verifier may take. Unsigned here;
	 * the per-pattern copy is int32_t so it can hold
	 * VERIFIER_TIMEOUT_INHERIT (-1). */
	uint32_t verifier_timeout;

	/* allocation region handed to nsd_options_create() */
	region_type* region;
};
220
/*
 * Range of server numbers, linked into a list. Used by ip_address_option
 * to restrict an address to particular server processes (by name; whether
 * 'last' is inclusive should be confirmed in the bind code).
 */
struct range_option {
	struct range_option* next;	/* next range, or NULL */
	int first;
	int last;
};
226
/*
 * One element of an address list (nsd_options.ip_addresses,
 * control_interface, verify_ip_addresses).
 */
struct ip_address_option {
	struct ip_address_option* next;	/* next address, or NULL */
	/* address as written in the config; interface names are rewritten to
	 * addresses by resolve_interface_names() */
	char* address;
	/* server numbers this address is bound by (by name; NULL presumably
	 * means all servers -- confirm) */
	struct range_option* servers;
	/* by name: network device and routing table (FIB) to bind to; confirm */
	int dev;
	int fib;
};
234
/* One CPU number in the nsd_options.cpu_affinity list. */
struct cpu_option {
	struct cpu_option* next;	/* next entry, or NULL */
	int cpu;
};
239
/* Maps one service (by name: a server/xfrd process number) to a CPU;
 * element of nsd_options.service_cpu_affinity. */
struct cpu_map_option {
	struct cpu_map_option* next;	/* next mapping, or NULL */
	int service;
	int cpu;
};
245
246 /*
247 * Defines for min_expire_time_expr value
248 */
249 #define EXPIRE_TIME_HAS_VALUE 0
250 #define EXPIRE_TIME_IS_DEFAULT 1
251 #define REFRESHPLUSRETRYPLUS1 2
252 #define REFRESHPLUSRETRYPLUS1_STR "refresh+retry+1"
253 #define expire_time_is_default(x) (!( (x) == REFRESHPLUSRETRYPLUS1 \
254 || (x) == EXPIRE_TIME_HAS_VALUE ))
255
256
257 /*
258 * Pattern of zone options, used to contain options for zone(s).
259 */
/*
 * Pattern of zone options, used to contain options for zone(s).
 *
 * Patterns are keyed by name in nsd_options.patterns and serialized with
 * pattern_options_marshal()/pattern_options_unmarshal(); a field added here
 * presumably needs to be added to both of those as well. Several settings
 * carry a *_is_default flag so that "not configured" can be told apart from
 * an explicit value when patterns are applied on top of each other
 * (config_apply_pattern()). The ACL comments below are by name; see
 * nsd.conf(5) for the authoritative meaning.
 */
struct pattern_options {
	rbnode_type node;
	const char* pname; /* name of the pattern, key of rbtree */
	const char* zonefile;
	/* ACL: who may send NOTIFY for this zone */
	struct acl_options* allow_notify;
	/* ACL: masters we request transfers from */
	struct acl_options* request_xfr;
	/* ACL: hosts we send NOTIFY to */
	struct acl_options* notify;
	/* ACL: who may transfer (AXFR/IXFR) this zone from us */
	struct acl_options* provide_xfr;
	/* ACL: who may query this zone at all */
	struct acl_options* allow_query;
	/* ACL-style list of source addresses for outgoing connections */
	struct acl_options* outgoing_interface;
	const char* zonestats;
#ifdef RATELIMIT
	uint16_t rrl_whitelist; /* bitmap with rrl types */
#endif
	/* fall back to AXFR when IXFR from a master fails (by name) */
	uint8_t allow_axfr_fallback;
	uint8_t allow_axfr_fallback_is_default;
	uint8_t notify_retry;
	uint8_t notify_retry_is_default;
	uint8_t implicit; /* pattern is implicit, part_of_config zone used */
	uint8_t xfrd_flags;
	/* clamps applied to the SOA refresh/retry timers (by name) */
	uint32_t max_refresh_time;
	uint8_t max_refresh_time_is_default;
	uint32_t min_refresh_time;
	uint8_t min_refresh_time_is_default;
	uint32_t max_retry_time;
	uint8_t max_retry_time_is_default;
	uint32_t min_retry_time;
	uint8_t min_retry_time_is_default;
	uint32_t min_expire_time;
	/* min_expire_time_expr is either a known value (REFRESHPLUSRETRYPLUS1
	 * or EXPIRE_TIME_HAS_VALUE) or else min_expire_time is the default.
	 * This can be tested with the expire_time_is_default(x) define.
	 */
	uint8_t min_expire_time_expr;
	/* upper bound on the size of an incoming zone transfer (by name) */
	uint64_t size_limit_xfr;
	uint8_t multi_master_check;
	/* IXFR storage settings */
	uint8_t store_ixfr;
	uint8_t store_ixfr_is_default;
	uint64_t ixfr_size;
	uint8_t ixfr_size_is_default;
	uint32_t ixfr_number;
	uint8_t ixfr_number_is_default;
	uint8_t create_ixfr;
	uint8_t create_ixfr_is_default;
	/* zone verification; VERIFY_ZONE_INHERIT and friends mark "use the
	 * global value". verifier is an argv-style command (see
	 * nsd_options.verifier). */
	uint8_t verify_zone;
	uint8_t verify_zone_is_default;
	char **verifier;
	uint8_t verifier_feed_zone;
	uint8_t verifier_feed_zone_is_default;
	/* signed so VERIFIER_TIMEOUT_INHERIT (-1) fits */
	int32_t verifier_timeout;
	uint8_t verifier_timeout_is_default;
} ATTR_PACKED;
312
/* Prefix/marker used in the names of implicit patterns, i.e. the anonymous
 * pattern created in place for a zone that is part of the main config (see
 * pattern_options.implicit and zone_options.part_of_config). */
#define PATTERN_IMPLICIT_MARKER "_implicit_"
314
315 /*
316 * Options for a zone
317 */
/*
 * Options for a zone. Kept in nsd_options.zone_options keyed by apex.
 * A zone either comes from nsd.conf (part_of_config) or from the zonelist
 * file, in which case off/linesize locate its line for later deletion or
 * compaction (zone_list_del(), zone_list_compact()).
 */
struct zone_options {
	/* key is dname of apex */
	rbnode_type node;

	/* is apex of the zone */
	const char* name;
	/* if not part of config, the offset and linesize of zonelist entry */
	off_t off;
	int linesize;
	/* pattern for the zone options, if zone is part_of_config, this is
	 * a anonymous pattern created in-place */
	struct pattern_options* pattern;
	/* zone is fixed into the main config, not in zonelist, cannot delete */
	uint8_t part_of_config;
} ATTR_PACKED;
333
/*
 * Storage for an IPv4 or IPv6 address in an ACL element. Which member is
 * live is recorded separately (acl_options.is_ipv6); without INET6 only the
 * IPv4 member exists.
 */
union acl_addr_storage {
#ifdef INET6
	struct in_addr addr;
	struct in6_addr addr6;
#else
	struct in_addr addr;
#endif
};
342
343 /*
344 * Access control list element
345 */
/*
 * Access control list element. ACLs are singly linked lists of these; the
 * acl_check_incoming()/acl_addr_matches()/acl_key_matches() functions walk
 * them. An element matches when both its address range and its key
 * requirement are satisfied.
 */
struct acl_options {
	struct acl_options* next;	/* next element, or NULL */

	/* options */
	/* by name: xfrd bookkeeping for IXFR failures from this host -- time
	 * until which IXFR is disabled and the count of bad transfers; confirm
	 * in xfrd */
	time_t ixfr_disabled;
	int bad_xfr_count;
	uint8_t use_axfr_only;
	uint8_t allow_udp;

	/* ip address range */
	/* the textual spec as written in the config */
	const char* ip_address_spec;
	uint8_t is_ipv6;	/* selects addr.addr6 vs addr.addr */
	unsigned int port; /* is 0(no port) or suffix @port value */
	/* meaning of addr / range_mask depends on rangetype:
	 *   single  - addr only, range_mask unused
	 *   mask    - addr and an explicit netmask in range_mask
	 *   subnet  - addr and a prefix-derived mask in range_mask
	 *   minmax  - addr is the minimum, range_mask holds the maximum */
	union acl_addr_storage addr;
	union acl_addr_storage range_mask;
	enum {
		acl_range_single = 0, /* single address */
		acl_range_mask = 1, /* 10.20.30.40&255.255.255.0 */
		acl_range_subnet = 2, /* 10.20.30.40/28 */
		acl_range_minmax = 3 /* 10.20.30.40-10.20.30.60 (mask=max) */
	} rangetype;

	/* key */
	/* by name: nokey = explicitly configured to require no TSIG key;
	 * blocked = entry denies the address (BLOCKED); confirm in options.c */
	uint8_t nokey;
	uint8_t blocked;
	/* TSIG key name and the resolved key from nsd_options.keys */
	const char* key_name;
	struct key_options* key_options;

	/* tls_auth for XoT */
	const char* tls_auth_name;
	struct tls_auth_options* tls_auth_options;
} ATTR_PACKED;
378
379 /*
380 * Key definition
381 */
/*
 * Key definition (a TSIG key from the nsd.conf key: section), stored in
 * nsd_options.keys by name.
 */
struct key_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* algorithm;
	/* shared secret as written in the config. Sensitive: never log it;
	 * the parsed form lives in tsig_key. */
	char* secret;
	/* derived key, set up / torn down by key_options_setup()/_desetup()
	 * (by name; confirm) */
	struct tsig_key* tsig_key;
} ATTR_PACKED;
389
390 /*
391 * TLS Auth definition for XoT
392 */
/*
 * TLS Auth definition for XoT (zone transfer over TLS), stored in
 * nsd_options.tls_auths by name and referenced from acl_options.
 */
struct tls_auth_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	/* name the peer's certificate must authenticate as */
	char* auth_domain_name;
	/* optional client certificate and key files for mutual TLS */
	char* client_cert;
	char* client_key;
	/* passphrase for client_key, kept in memory as plain text. Sensitive:
	 * never log it. */
	char* client_key_pw;
};
401
402 /* proxy protocol port option list */
/* proxy protocol port option list: one listening port per element; see
 * sockaddr_uses_proxy_protocol_port(). */
struct proxy_protocol_port_list {
	struct proxy_protocol_port_list* next;	/* next port, or NULL */
	int port;
};
407
408 /** zone list free space */
/** zone list free space: one reusable line in the zonelist file, identified
 * by its file offset. */
struct zonelist_free {
	struct zonelist_free* next;	/* next free line, or NULL */
	off_t off;
};
413 /** zonelist free bucket for a particular line length */
/** zonelist free bucket for a particular line length. Elements of
 * nsd_options.zonefree; a new zone entry whose line fits an existing
 * free line of the same length can reuse it. */
struct zonelist_bucket {
	rbnode_type node; /* key is ptr to linesize */
	int linesize;
	struct zonelist_free* list;	/* free lines of this length */
};
419
/* default zonefile write interval if database is "", in seconds
 * (used for nsd_options.zonefiles_write) */
#define ZONEFILES_WRITE_INTERVAL 3600
422
/* Element of nsd_options.zonestatnames: maps a zonestat name to its slot in
 * the statistics array; ids are handed out by getzonestatid() and never
 * reused. */
struct zonestatname {
	rbnode_type node; /* key is malloced string with cooked zonestat name */
	unsigned id; /* index in nsd.zonestat array */
};
427
428 /*
429 * Used during options parsing
430 */
/*
 * Used during options parsing. The global cfg_parser points at the active
 * instance; the lexer/parser fill in the "current" pattern/zone/key/tls_auth/
 * ip as the corresponding config sections are entered.
 */
struct config_parser_state {
	char* filename;		/* file being parsed, for error messages */
	const char* chroot;	/* chroot path, for rewriting configured paths */
	int line;		/* current line, for error messages */
	int errors;		/* number of errors reported so far */
	struct nsd_options* opt;	/* options being filled in */
	/* sections currently being parsed (NULL when not inside one) */
	struct pattern_options *pattern;
	struct zone_options *zone;
	struct key_options *key;
	struct tls_auth_options *tls_auth;
	struct ip_address_option *ip;
	/* error callback and its argument, as passed to parse_options_file() */
	void (*err)(void*,const char*);
	void* err_arg;
};
445
/* parser state shared with the generated lexer/parser; defined in options.c */
extern config_parser_state_type* cfg_parser;

/* region will be put in nsd_options struct. Returns empty options struct. */
struct nsd_options* nsd_options_create(region_type* region);
/* Number of configured zones, i.e. the size of the zone_options tree.
 * opt must come from nsd_options_create() so that the tree exists. */
static inline size_t nsd_options_num_zones(struct nsd_options* opt)
{
	const rbtree_type* zones = opt->zone_options;
	return zones->count;
}
/* insert a zone into the main options tree, returns 0 on error
 * (e.g. a zone with the same apex already exists) */
int nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone);
/* insert a pattern into the main options tree, returns 0 on error
 * (e.g. a pattern with the same name already exists) */
int nsd_options_insert_pattern(struct nsd_options* opt,
	struct pattern_options* pat);
458
/* parses options file. Returns false on failure. callback, if nonNULL,
 * gets called with error strings, default prints. */
int parse_options_file(struct nsd_options* opt, const char* file,
	void (*err)(void*,const char*), void* err_arg);
/* allocate an empty zone_options in region */
struct zone_options* zone_options_create(region_type* region);
/* remove zone from opt's zone tree (by name; confirm whether it also
 * touches the zonelist file -- zone_list_del() is the zonelist variant) */
void zone_options_delete(struct nsd_options* opt, struct zone_options* zone);
/* find a zone by apex domain name, or NULL if not found. */
struct zone_options* zone_options_find(struct nsd_options* opt,
	const struct dname* apex);
/* allocate an empty pattern_options in region */
struct pattern_options* pattern_options_create(region_type* region);
/* find a pattern by name in opt->patterns, or NULL if not found */
struct pattern_options* pattern_options_find(struct nsd_options* opt, const char* name);
/* true if the two patterns have the same contents */
int pattern_options_equal(struct pattern_options* p, struct pattern_options* q);
/* remove the named pattern from opt->patterns */
void pattern_options_remove(struct nsd_options* opt, const char* name);
/* add p to opt->patterns, or update the existing pattern of that name */
void pattern_options_add_modify(struct nsd_options* opt,
	struct pattern_options* p);
/* serialize p into buffer / rebuild a pattern from b (allocated in r).
 * Presumably used to hand patterns between nsd's processes; the two must
 * agree with each other and with the struct fields. Treat the buffer as
 * trusted internal data only. */
void pattern_options_marshal(struct buffer* buffer, struct pattern_options* p);
struct pattern_options* pattern_options_unmarshal(region_type* r,
	struct buffer* b);
/* TSIG keys: create, insert into/find in/remove from opt->keys, compare,
 * and add-or-update by name */
struct key_options* key_options_create(region_type* region);
void key_options_insert(struct nsd_options* opt, struct key_options* key);
struct key_options* key_options_find(struct nsd_options* opt, const char* name);
void key_options_remove(struct nsd_options* opt, const char* name);
int key_options_equal(struct key_options* p, struct key_options* q);
void key_options_add_modify(struct nsd_options* opt, struct key_options* key);
/* build / release key->tsig_key from the configured secret (by name;
 * confirm in options.c) */
void key_options_setup(region_type* region, struct key_options* key);
void key_options_desetup(region_type* region, struct key_options* key);
/* TLS auth */
struct tls_auth_options* tls_auth_options_create(region_type* region);
void tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth);
struct tls_auth_options* tls_auth_options_find(struct nsd_options* opt, const char* name);
/* read in zone list file. Returns false on failure */
int parse_zone_list_file(struct nsd_options* opt);
/* create zone entry and add to the zonelist file */
struct zone_options* zone_list_add(struct nsd_options* opt, const char* zname,
	const char* pname);
/* create zonelist entry, do not insert in file (called by _add) */
struct zone_options* zone_list_zone_insert(struct nsd_options* opt,
	const char* nm, const char* patnm, int linesize, off_t off);
/* remove a zone from the zonelist file (its line becomes free space) */
void zone_list_del(struct nsd_options* opt, struct zone_options* zone);
/* rewrite the zonelist file without free lines */
void zone_list_compact(struct nsd_options* opt);
/* close the zonelist file if open */
void zone_list_close(struct nsd_options* opt);

/* create zonestat name tree , for initially created zones */
void options_zonestatnames_create(struct nsd_options* opt);
/* Get zonestat id for zone options, add new entry if necessary.
 * instantiates the pattern's zonestat string */
unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt);
/* create string, same options as zonefile but no chroot changes */
const char* config_cook_string(struct zone_options* zone, const char* input);

/** check if config for remote control turns on IP-address interface
 * with certificates or a named pipe without certificates. */
int options_remote_is_address(struct nsd_options* cfg);
512
#if defined(HAVE_SSL)
/* tsig must be inited, adds all keys in options to tsig. Only available
 * when built with SSL, since TSIG needs the crypto library. */
void key_options_tsig_add(struct nsd_options* opt);
#endif
517
/* check acl list, acl number that matches if passed(0..),
 * or failure (-1) if dropped. Callers must treat a negative result as
 * deny; the index is only meaningful when >= 0. */
/* the reason why (the acl) is returned too (or NULL) */
int acl_check_incoming(struct acl_options* acl, struct query* q,
	struct acl_options** reason);
/* does host's address fall within acl's address range */
int acl_addr_matches_host(struct acl_options* acl, struct acl_options* host);
/* does the query's source address fall within acl's address range */
int acl_addr_matches(struct acl_options* acl, struct query* q);
/* by name: like acl_addr_matches but against the client address carried in
 * the PROXY protocol header rather than the socket peer; confirm */
int acl_addr_matches_proxy(struct acl_options* acl, struct query* q);
/* does the query's TSIG key (or absence of one) satisfy acl's key settings */
int acl_key_matches(struct acl_options* acl, struct query* q);
/* word-wise address comparisons used by the range checks. sz is the size
 * of the address; its unit (bytes vs uint32_t words) is not visible here,
 * check the definition before calling. */
int acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz);
int acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);
int acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);

/* check acl list for blocks on address, return 0 if none, -1 if blocked.
 * Proxy variant: presumably checks the PROXY-protocol client address. */
int acl_check_incoming_block_proxy(struct acl_options* acl, struct query* q,
	struct acl_options** reason);

/* returns true if acls are both from the same host */
int acl_same_host(struct acl_options* a, struct acl_options* b);
/* find acl by number in the list */
struct acl_options* acl_find_num(struct acl_options* acl, int num);

/* see if two acl lists are the same (same elements in same order, or empty) */
int acl_list_equal(struct acl_options* p, struct acl_options* q);
/* see if two acl are the same */
int acl_equal(struct acl_options* p, struct acl_options* q);

/* see if a zone is a slave or a master zone */
int zone_is_slave(struct zone_options* opt);
/* create zonefile name, returns static pointer (perhaps to options data).
 * The result is overwritten by the next call: copy it if it must persist. */
const char* config_make_zonefile(struct zone_options* zone, struct nsd* nsd);
549
/* zone compiler progress reporting thresholds */
#define ZONEC_PCT_TIME 5 /* seconds, then it starts to print pcts */
#define ZONEC_PCT_COUNT 100000 /* elements before pct check is done */
552
/* parsing helpers */
/* report a config error at the current cfg_parser position, printf-style
 * (the format attribute lets the compiler check the arguments) */
void c_error(const char* msg, ...) ATTR_FORMAT(printf, 1,2);
/* flex end-of-input hook */
int c_wrap(void);
/* parse an acl element "ip[&mask|/prefix|-max][@port]" with optional key
 * name into a new acl_options allocated in region. ip is non-const
 * because the range parser presumably splits it in place -- confirm. */
struct acl_options* parse_acl_info(region_type* region, char* ip,
	const char* key);
/* true if ipv6 address, false if ipv4 */
int parse_acl_is_ipv6(const char* p);
/* returns range type. mask is the 2nd part of the range */
int parse_acl_range_type(char* ip, char** mask);
/* parses subnet mask, fills 0 mask as well. maxbits is the address width
 * in bits (32 or 128) that the prefix length is checked against. */
void parse_acl_range_subnet(char* p, void* addr, int maxbits);
/* clean up options */
void nsd_options_destroy(struct nsd_options* opt);
/* replace occurrences of one with two in buf, pass length of buffer.
 * len bounds the writes; when the replacement grows the string the
 * result is presumably truncated to fit -- check the definition. */
void replace_str(char* buf, size_t len, const char* one, const char* two);
/* apply pattern to the existing pattern in the parser */
void config_apply_pattern(struct pattern_options *dest, const char* name);
/* if the file is a directory, print a warning, because flex just exit()s
 * when a fileread fails because it is a directory, helps the user figure
 * out what just happened */
void warn_if_directory(const char* filetype, FILE* f, const char* fname);
/* resolve interface names in the options "ip-address:" (or "interface:")
 * and "control-interface:" into the ip-addresses associated with those
 * names. */
void resolve_interface_names(struct nsd_options* options);

/* See if the sockaddr port number is listed in the proxy protocol ports.
 * Only connections arriving on such a port should have a PROXY header
 * parsed; the header is client-supplied and must not be trusted elsewhere. */
int sockaddr_uses_proxy_protocol_port(struct nsd_options* options,
	struct sockaddr* addr);
582
583 #endif /* OPTIONS_H */
584