1*00b67f09SDavid van Moolenbroek /* $NetBSD: rpz.c,v 1.9 2015/07/08 17:28:59 christos Exp $ */
2*00b67f09SDavid van Moolenbroek
3*00b67f09SDavid van Moolenbroek /*
4*00b67f09SDavid van Moolenbroek * Copyright (C) 2011-2015 Internet Systems Consortium, Inc. ("ISC")
5*00b67f09SDavid van Moolenbroek *
6*00b67f09SDavid van Moolenbroek * Permission to use, copy, modify, and/or distribute this software for any
7*00b67f09SDavid van Moolenbroek * purpose with or without fee is hereby granted, provided that the above
8*00b67f09SDavid van Moolenbroek * copyright notice and this permission notice appear in all copies.
9*00b67f09SDavid van Moolenbroek *
10*00b67f09SDavid van Moolenbroek * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
11*00b67f09SDavid van Moolenbroek * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
12*00b67f09SDavid van Moolenbroek * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
13*00b67f09SDavid van Moolenbroek * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14*00b67f09SDavid van Moolenbroek * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
15*00b67f09SDavid van Moolenbroek * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
16*00b67f09SDavid van Moolenbroek * PERFORMANCE OF THIS SOFTWARE.
17*00b67f09SDavid van Moolenbroek */
18*00b67f09SDavid van Moolenbroek
19*00b67f09SDavid van Moolenbroek /*! \file */
20*00b67f09SDavid van Moolenbroek
21*00b67f09SDavid van Moolenbroek #include <config.h>
22*00b67f09SDavid van Moolenbroek
23*00b67f09SDavid van Moolenbroek #include <isc/buffer.h>
24*00b67f09SDavid van Moolenbroek #include <isc/mem.h>
25*00b67f09SDavid van Moolenbroek #include <isc/net.h>
26*00b67f09SDavid van Moolenbroek #include <isc/netaddr.h>
27*00b67f09SDavid van Moolenbroek #include <isc/print.h>
28*00b67f09SDavid van Moolenbroek #include <isc/rwlock.h>
29*00b67f09SDavid van Moolenbroek #include <isc/stdlib.h>
30*00b67f09SDavid van Moolenbroek #include <isc/string.h>
31*00b67f09SDavid van Moolenbroek #include <isc/util.h>
32*00b67f09SDavid van Moolenbroek
33*00b67f09SDavid van Moolenbroek #include <dns/db.h>
34*00b67f09SDavid van Moolenbroek #include <dns/fixedname.h>
35*00b67f09SDavid van Moolenbroek #include <dns/log.h>
36*00b67f09SDavid van Moolenbroek #include <dns/rdata.h>
37*00b67f09SDavid van Moolenbroek #include <dns/rdataset.h>
38*00b67f09SDavid van Moolenbroek #include <dns/rdatastruct.h>
39*00b67f09SDavid van Moolenbroek #include <dns/result.h>
40*00b67f09SDavid van Moolenbroek #include <dns/rbt.h>
41*00b67f09SDavid van Moolenbroek #include <dns/rpz.h>
42*00b67f09SDavid van Moolenbroek #include <dns/view.h>
43*00b67f09SDavid van Moolenbroek
44*00b67f09SDavid van Moolenbroek
45*00b67f09SDavid van Moolenbroek /*
46*00b67f09SDavid van Moolenbroek * Parallel radix trees for databases of response policy IP addresses
47*00b67f09SDavid van Moolenbroek *
48*00b67f09SDavid van Moolenbroek * The radix or patricia trees are somewhat specialized to handle response
49*00b67f09SDavid van Moolenbroek * policy addresses by representing the two sets of IP addresses and name
50*00b67f09SDavid van Moolenbroek * server IP addresses in a single tree. One set of IP addresses is
51*00b67f09SDavid van Moolenbroek * for rpz-ip policies or policies triggered by addresses in A or
52*00b67f09SDavid van Moolenbroek * AAAA records in responses.
53*00b67f09SDavid van Moolenbroek * The second set is for rpz-nsip policies or policies triggered by addresses
54*00b67f09SDavid van Moolenbroek * in A or AAAA records for NS records that are authorities for responses.
55*00b67f09SDavid van Moolenbroek *
56*00b67f09SDavid van Moolenbroek * Each leaf indicates that an IP address is listed in the IP address or the
57*00b67f09SDavid van Moolenbroek * name server IP address policy sub-zone (or both) of the corresponding
58*00b67f09SDavid van Moolenbroek * response policy zone. The policy data such as a CNAME or an A record
59*00b67f09SDavid van Moolenbroek * is kept in the policy zone. After an IP address has been found in a radix
60*00b67f09SDavid van Moolenbroek * tree, the node in the policy zone's database is found by converting
61*00b67f09SDavid van Moolenbroek * the IP address to a domain name in a canonical form.
62*00b67f09SDavid van Moolenbroek *
63*00b67f09SDavid van Moolenbroek *
64*00b67f09SDavid van Moolenbroek * The response policy zone canonical form of an IPv6 address is one of:
65*00b67f09SDavid van Moolenbroek * prefix.W.W.W.W.W.W.W.W
66*00b67f09SDavid van Moolenbroek * prefix.WORDS.zz
67*00b67f09SDavid van Moolenbroek * prefix.WORDS.zz.WORDS
68*00b67f09SDavid van Moolenbroek * prefix.zz.WORDS
69*00b67f09SDavid van Moolenbroek * where
70*00b67f09SDavid van Moolenbroek * prefix is the prefix length of the IPv6 address between 1 and 128
71*00b67f09SDavid van Moolenbroek * W is a number between 0 and 65535
72*00b67f09SDavid van Moolenbroek * WORDS is one or more numbers W separated with "."
73*00b67f09SDavid van Moolenbroek * zz corresponds to :: in the standard IPv6 text representation
74*00b67f09SDavid van Moolenbroek *
75*00b67f09SDavid van Moolenbroek * The canonical form of IPv4 addresses is:
76*00b67f09SDavid van Moolenbroek * prefix.B.B.B.B
77*00b67f09SDavid van Moolenbroek * where
78*00b67f09SDavid van Moolenbroek * prefix is the prefix length of the address between 1 and 32
79*00b67f09SDavid van Moolenbroek * B is a number between 0 and 255
80*00b67f09SDavid van Moolenbroek *
81*00b67f09SDavid van Moolenbroek * Names for IPv4 addresses are distinguished from IPv6 addresses by having
82*00b67f09SDavid van Moolenbroek * 5 labels all of which are numbers, and a prefix between 1 and 32.
83*00b67f09SDavid van Moolenbroek */
84*00b67f09SDavid van Moolenbroek
85*00b67f09SDavid van Moolenbroek
86*00b67f09SDavid van Moolenbroek /*
87*00b67f09SDavid van Moolenbroek * Use a private definition of IPv6 addresses because s6_addr32 is not
88*00b67f09SDavid van Moolenbroek * always defined and our IPv6 addresses are in non-standard byte order
89*00b67f09SDavid van Moolenbroek */
90*00b67f09SDavid van Moolenbroek typedef isc_uint32_t dns_rpz_cidr_word_t;
91*00b67f09SDavid van Moolenbroek #define DNS_RPZ_CIDR_WORD_BITS ((int)sizeof(dns_rpz_cidr_word_t)*8)
92*00b67f09SDavid van Moolenbroek #define DNS_RPZ_CIDR_KEY_BITS ((int)sizeof(dns_rpz_cidr_key_t)*8)
93*00b67f09SDavid van Moolenbroek #define DNS_RPZ_CIDR_WORDS (128/DNS_RPZ_CIDR_WORD_BITS)
94*00b67f09SDavid van Moolenbroek typedef struct {
95*00b67f09SDavid van Moolenbroek dns_rpz_cidr_word_t w[DNS_RPZ_CIDR_WORDS];
96*00b67f09SDavid van Moolenbroek } dns_rpz_cidr_key_t;
97*00b67f09SDavid van Moolenbroek
98*00b67f09SDavid van Moolenbroek #define ADDR_V4MAPPED 0xffff
99*00b67f09SDavid van Moolenbroek #define KEY_IS_IPV4(prefix,ip) ((prefix) >= 96 && (ip)->w[0] == 0 && \
100*00b67f09SDavid van Moolenbroek (ip)->w[1] == 0 && (ip)->w[2] == ADDR_V4MAPPED)
101*00b67f09SDavid van Moolenbroek
102*00b67f09SDavid van Moolenbroek #define DNS_RPZ_WORD_MASK(b) ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \
103*00b67f09SDavid van Moolenbroek : ((dns_rpz_cidr_word_t)(-1) \
104*00b67f09SDavid van Moolenbroek << (DNS_RPZ_CIDR_WORD_BITS - (b))))
105*00b67f09SDavid van Moolenbroek
106*00b67f09SDavid van Moolenbroek /*
107*00b67f09SDavid van Moolenbroek * Get bit #n from the array of words of an IP address.
108*00b67f09SDavid van Moolenbroek */
109*00b67f09SDavid van Moolenbroek #define DNS_RPZ_IP_BIT(ip, n) (1 & ((ip)->w[(n)/DNS_RPZ_CIDR_WORD_BITS] >> \
110*00b67f09SDavid van Moolenbroek (DNS_RPZ_CIDR_WORD_BITS \
111*00b67f09SDavid van Moolenbroek - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS))))
112*00b67f09SDavid van Moolenbroek
113*00b67f09SDavid van Moolenbroek /*
114*00b67f09SDavid van Moolenbroek * A triplet of arrays of bits flagging the existence of
115*00b67f09SDavid van Moolenbroek * client-IP, IP, and NSIP policy triggers.
116*00b67f09SDavid van Moolenbroek */
117*00b67f09SDavid van Moolenbroek typedef struct dns_rpz_addr_zbits dns_rpz_addr_zbits_t;
118*00b67f09SDavid van Moolenbroek struct dns_rpz_addr_zbits {
119*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t client_ip;
120*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t ip;
121*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t nsip;
122*00b67f09SDavid van Moolenbroek };
123*00b67f09SDavid van Moolenbroek
124*00b67f09SDavid van Moolenbroek /*
125*00b67f09SDavid van Moolenbroek * A CIDR or radix tree node.
126*00b67f09SDavid van Moolenbroek */
127*00b67f09SDavid van Moolenbroek struct dns_rpz_cidr_node {
128*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *parent;
129*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *child[2];
130*00b67f09SDavid van Moolenbroek dns_rpz_cidr_key_t ip;
131*00b67f09SDavid van Moolenbroek dns_rpz_prefix_t prefix;
132*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t set;
133*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t sum;
134*00b67f09SDavid van Moolenbroek };
135*00b67f09SDavid van Moolenbroek
136*00b67f09SDavid van Moolenbroek /*
137*00b67f09SDavid van Moolenbroek * A pair of arrays of bits flagging the existence of
138*00b67f09SDavid van Moolenbroek * QNAME and NSDNAME policy triggers.
139*00b67f09SDavid van Moolenbroek */
140*00b67f09SDavid van Moolenbroek typedef struct dns_rpz_nm_zbits dns_rpz_nm_zbits_t;
141*00b67f09SDavid van Moolenbroek struct dns_rpz_nm_zbits {
142*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t qname;
143*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t ns;
144*00b67f09SDavid van Moolenbroek };
145*00b67f09SDavid van Moolenbroek
146*00b67f09SDavid van Moolenbroek /*
147*00b67f09SDavid van Moolenbroek * The data in a RBT node has two pairs of bits for policy zones.
148*00b67f09SDavid van Moolenbroek * One pair is for the corresponding name of the node such as example.com
149*00b67f09SDavid van Moolenbroek * and the other pair is for a wildcard child such as *.example.com.
150*00b67f09SDavid van Moolenbroek */
151*00b67f09SDavid van Moolenbroek typedef struct dns_rpz_nm_data dns_rpz_nm_data_t;
152*00b67f09SDavid van Moolenbroek struct dns_rpz_nm_data {
153*00b67f09SDavid van Moolenbroek dns_rpz_nm_zbits_t set;
154*00b67f09SDavid van Moolenbroek dns_rpz_nm_zbits_t wild;
155*00b67f09SDavid van Moolenbroek };
156*00b67f09SDavid van Moolenbroek
157*00b67f09SDavid van Moolenbroek #if 0
158*00b67f09SDavid van Moolenbroek /*
159*00b67f09SDavid van Moolenbroek * Catch a name while debugging.
160*00b67f09SDavid van Moolenbroek */
161*00b67f09SDavid van Moolenbroek static void
162*00b67f09SDavid van Moolenbroek catch_name(const dns_name_t *src_name, const char *tgt, const char *str) {
163*00b67f09SDavid van Moolenbroek dns_fixedname_t tgt_namef;
164*00b67f09SDavid van Moolenbroek dns_name_t *tgt_name;
165*00b67f09SDavid van Moolenbroek
166*00b67f09SDavid van Moolenbroek dns_fixedname_init(&tgt_namef);
167*00b67f09SDavid van Moolenbroek tgt_name = dns_fixedname_name(&tgt_namef);
168*00b67f09SDavid van Moolenbroek dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL);
169*00b67f09SDavid van Moolenbroek if (dns_name_equal(src_name, tgt_name)) {
170*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
171*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
172*00b67f09SDavid van Moolenbroek "rpz hit failed: %s %s", str, tgt);
173*00b67f09SDavid van Moolenbroek }
174*00b67f09SDavid van Moolenbroek }
175*00b67f09SDavid van Moolenbroek #endif
176*00b67f09SDavid van Moolenbroek
177*00b67f09SDavid van Moolenbroek const char *
dns_rpz_type2str(dns_rpz_type_t type)178*00b67f09SDavid van Moolenbroek dns_rpz_type2str(dns_rpz_type_t type) {
179*00b67f09SDavid van Moolenbroek switch (type) {
180*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
181*00b67f09SDavid van Moolenbroek return ("CLIENT-IP");
182*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_QNAME:
183*00b67f09SDavid van Moolenbroek return ("QNAME");
184*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
185*00b67f09SDavid van Moolenbroek return ("IP");
186*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
187*00b67f09SDavid van Moolenbroek return ("NSIP");
188*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSDNAME:
189*00b67f09SDavid van Moolenbroek return ("NSDNAME");
190*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_BAD:
191*00b67f09SDavid van Moolenbroek break;
192*00b67f09SDavid van Moolenbroek }
193*00b67f09SDavid van Moolenbroek FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type);
194*00b67f09SDavid van Moolenbroek return ("impossible");
195*00b67f09SDavid van Moolenbroek }
196*00b67f09SDavid van Moolenbroek
197*00b67f09SDavid van Moolenbroek dns_rpz_policy_t
dns_rpz_str2policy(const char * str)198*00b67f09SDavid van Moolenbroek dns_rpz_str2policy(const char *str) {
199*00b67f09SDavid van Moolenbroek static struct {
200*00b67f09SDavid van Moolenbroek const char *str;
201*00b67f09SDavid van Moolenbroek dns_rpz_policy_t policy;
202*00b67f09SDavid van Moolenbroek } tbl[] = {
203*00b67f09SDavid van Moolenbroek {"given", DNS_RPZ_POLICY_GIVEN},
204*00b67f09SDavid van Moolenbroek {"disabled", DNS_RPZ_POLICY_DISABLED},
205*00b67f09SDavid van Moolenbroek {"passthru", DNS_RPZ_POLICY_PASSTHRU},
206*00b67f09SDavid van Moolenbroek {"drop", DNS_RPZ_POLICY_DROP},
207*00b67f09SDavid van Moolenbroek {"tcp-only", DNS_RPZ_POLICY_TCP_ONLY},
208*00b67f09SDavid van Moolenbroek {"nxdomain", DNS_RPZ_POLICY_NXDOMAIN},
209*00b67f09SDavid van Moolenbroek {"nodata", DNS_RPZ_POLICY_NODATA},
210*00b67f09SDavid van Moolenbroek {"cname", DNS_RPZ_POLICY_CNAME},
211*00b67f09SDavid van Moolenbroek {"no-op", DNS_RPZ_POLICY_PASSTHRU}, /* old passthru */
212*00b67f09SDavid van Moolenbroek };
213*00b67f09SDavid van Moolenbroek unsigned int n;
214*00b67f09SDavid van Moolenbroek
215*00b67f09SDavid van Moolenbroek if (str == NULL)
216*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_ERROR);
217*00b67f09SDavid van Moolenbroek for (n = 0; n < sizeof(tbl)/sizeof(tbl[0]); ++n) {
218*00b67f09SDavid van Moolenbroek if (!strcasecmp(tbl[n].str, str))
219*00b67f09SDavid van Moolenbroek return (tbl[n].policy);
220*00b67f09SDavid van Moolenbroek }
221*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_ERROR);
222*00b67f09SDavid van Moolenbroek }
223*00b67f09SDavid van Moolenbroek
224*00b67f09SDavid van Moolenbroek const char *
dns_rpz_policy2str(dns_rpz_policy_t policy)225*00b67f09SDavid van Moolenbroek dns_rpz_policy2str(dns_rpz_policy_t policy) {
226*00b67f09SDavid van Moolenbroek const char *str;
227*00b67f09SDavid van Moolenbroek
228*00b67f09SDavid van Moolenbroek switch (policy) {
229*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_PASSTHRU:
230*00b67f09SDavid van Moolenbroek str = "PASSTHRU";
231*00b67f09SDavid van Moolenbroek break;
232*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_DROP:
233*00b67f09SDavid van Moolenbroek str = "DROP";
234*00b67f09SDavid van Moolenbroek break;
235*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_TCP_ONLY:
236*00b67f09SDavid van Moolenbroek str = "TCP-ONLY";
237*00b67f09SDavid van Moolenbroek break;
238*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_NXDOMAIN:
239*00b67f09SDavid van Moolenbroek str = "NXDOMAIN";
240*00b67f09SDavid van Moolenbroek break;
241*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_NODATA:
242*00b67f09SDavid van Moolenbroek str = "NODATA";
243*00b67f09SDavid van Moolenbroek break;
244*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_RECORD:
245*00b67f09SDavid van Moolenbroek str = "Local-Data";
246*00b67f09SDavid van Moolenbroek break;
247*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_CNAME:
248*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_WILDCNAME:
249*00b67f09SDavid van Moolenbroek str = "CNAME";
250*00b67f09SDavid van Moolenbroek break;
251*00b67f09SDavid van Moolenbroek case DNS_RPZ_POLICY_MISS:
252*00b67f09SDavid van Moolenbroek str = "MISS";
253*00b67f09SDavid van Moolenbroek break;
254*00b67f09SDavid van Moolenbroek default:
255*00b67f09SDavid van Moolenbroek str = "";
256*00b67f09SDavid van Moolenbroek POST(str);
257*00b67f09SDavid van Moolenbroek INSIST(0);
258*00b67f09SDavid van Moolenbroek }
259*00b67f09SDavid van Moolenbroek return (str);
260*00b67f09SDavid van Moolenbroek }
261*00b67f09SDavid van Moolenbroek
262*00b67f09SDavid van Moolenbroek /*
263*00b67f09SDavid van Moolenbroek * Return the bit number of the highest set bit in 'zbit'.
264*00b67f09SDavid van Moolenbroek * (for example, 0x01 returns 0, 0xFF returns 7, etc.)
265*00b67f09SDavid van Moolenbroek */
266*00b67f09SDavid van Moolenbroek static int
zbit_to_num(dns_rpz_zbits_t zbit)267*00b67f09SDavid van Moolenbroek zbit_to_num(dns_rpz_zbits_t zbit) {
268*00b67f09SDavid van Moolenbroek dns_rpz_num_t rpz_num;
269*00b67f09SDavid van Moolenbroek
270*00b67f09SDavid van Moolenbroek REQUIRE(zbit != 0);
271*00b67f09SDavid van Moolenbroek rpz_num = 0;
272*00b67f09SDavid van Moolenbroek #if DNS_RPZ_MAX_ZONES > 32
273*00b67f09SDavid van Moolenbroek if ((zbit & 0xffffffff00000000L) != 0) {
274*00b67f09SDavid van Moolenbroek zbit >>= 32;
275*00b67f09SDavid van Moolenbroek rpz_num += 32;
276*00b67f09SDavid van Moolenbroek }
277*00b67f09SDavid van Moolenbroek #endif
278*00b67f09SDavid van Moolenbroek if ((zbit & 0xffff0000) != 0) {
279*00b67f09SDavid van Moolenbroek zbit >>= 16;
280*00b67f09SDavid van Moolenbroek rpz_num += 16;
281*00b67f09SDavid van Moolenbroek }
282*00b67f09SDavid van Moolenbroek if ((zbit & 0xff00) != 0) {
283*00b67f09SDavid van Moolenbroek zbit >>= 8;
284*00b67f09SDavid van Moolenbroek rpz_num += 8;
285*00b67f09SDavid van Moolenbroek }
286*00b67f09SDavid van Moolenbroek if ((zbit & 0xf0) != 0) {
287*00b67f09SDavid van Moolenbroek zbit >>= 4;
288*00b67f09SDavid van Moolenbroek rpz_num += 4;
289*00b67f09SDavid van Moolenbroek }
290*00b67f09SDavid van Moolenbroek if ((zbit & 0xc) != 0) {
291*00b67f09SDavid van Moolenbroek zbit >>= 2;
292*00b67f09SDavid van Moolenbroek rpz_num += 2;
293*00b67f09SDavid van Moolenbroek }
294*00b67f09SDavid van Moolenbroek if ((zbit & 2) != 0)
295*00b67f09SDavid van Moolenbroek ++rpz_num;
296*00b67f09SDavid van Moolenbroek return (rpz_num);
297*00b67f09SDavid van Moolenbroek }
298*00b67f09SDavid van Moolenbroek
299*00b67f09SDavid van Moolenbroek /*
300*00b67f09SDavid van Moolenbroek * Make a set of bit masks given one or more bits and their type.
301*00b67f09SDavid van Moolenbroek */
302*00b67f09SDavid van Moolenbroek static void
make_addr_set(dns_rpz_addr_zbits_t * tgt_set,dns_rpz_zbits_t zbits,dns_rpz_type_t type)303*00b67f09SDavid van Moolenbroek make_addr_set(dns_rpz_addr_zbits_t *tgt_set, dns_rpz_zbits_t zbits,
304*00b67f09SDavid van Moolenbroek dns_rpz_type_t type)
305*00b67f09SDavid van Moolenbroek {
306*00b67f09SDavid van Moolenbroek switch (type) {
307*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
308*00b67f09SDavid van Moolenbroek tgt_set->client_ip = zbits;
309*00b67f09SDavid van Moolenbroek tgt_set->ip = 0;
310*00b67f09SDavid van Moolenbroek tgt_set->nsip = 0;
311*00b67f09SDavid van Moolenbroek break;
312*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
313*00b67f09SDavid van Moolenbroek tgt_set->client_ip = 0;
314*00b67f09SDavid van Moolenbroek tgt_set->ip = zbits;
315*00b67f09SDavid van Moolenbroek tgt_set->nsip = 0;
316*00b67f09SDavid van Moolenbroek break;
317*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
318*00b67f09SDavid van Moolenbroek tgt_set->client_ip = 0;
319*00b67f09SDavid van Moolenbroek tgt_set->ip = 0;
320*00b67f09SDavid van Moolenbroek tgt_set->nsip = zbits;
321*00b67f09SDavid van Moolenbroek break;
322*00b67f09SDavid van Moolenbroek default:
323*00b67f09SDavid van Moolenbroek INSIST(0);
324*00b67f09SDavid van Moolenbroek break;
325*00b67f09SDavid van Moolenbroek }
326*00b67f09SDavid van Moolenbroek }
327*00b67f09SDavid van Moolenbroek
328*00b67f09SDavid van Moolenbroek static void
make_nm_set(dns_rpz_nm_zbits_t * tgt_set,dns_rpz_num_t rpz_num,dns_rpz_type_t type)329*00b67f09SDavid van Moolenbroek make_nm_set(dns_rpz_nm_zbits_t *tgt_set,
330*00b67f09SDavid van Moolenbroek dns_rpz_num_t rpz_num, dns_rpz_type_t type)
331*00b67f09SDavid van Moolenbroek {
332*00b67f09SDavid van Moolenbroek switch (type) {
333*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_QNAME:
334*00b67f09SDavid van Moolenbroek tgt_set->qname = DNS_RPZ_ZBIT(rpz_num);
335*00b67f09SDavid van Moolenbroek tgt_set->ns = 0;
336*00b67f09SDavid van Moolenbroek break;
337*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSDNAME:
338*00b67f09SDavid van Moolenbroek tgt_set->qname = 0;
339*00b67f09SDavid van Moolenbroek tgt_set->ns = DNS_RPZ_ZBIT(rpz_num);
340*00b67f09SDavid van Moolenbroek break;
341*00b67f09SDavid van Moolenbroek default:
342*00b67f09SDavid van Moolenbroek INSIST(0);
343*00b67f09SDavid van Moolenbroek break;
344*00b67f09SDavid van Moolenbroek }
345*00b67f09SDavid van Moolenbroek }
346*00b67f09SDavid van Moolenbroek
347*00b67f09SDavid van Moolenbroek /*
348*00b67f09SDavid van Moolenbroek * Mark a node and all of its parents as having client-IP, IP, or NSIP data
349*00b67f09SDavid van Moolenbroek */
350*00b67f09SDavid van Moolenbroek static void
set_sum_pair(dns_rpz_cidr_node_t * cnode)351*00b67f09SDavid van Moolenbroek set_sum_pair(dns_rpz_cidr_node_t *cnode) {
352*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *child;
353*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t sum;
354*00b67f09SDavid van Moolenbroek
355*00b67f09SDavid van Moolenbroek do {
356*00b67f09SDavid van Moolenbroek sum = cnode->set;
357*00b67f09SDavid van Moolenbroek
358*00b67f09SDavid van Moolenbroek child = cnode->child[0];
359*00b67f09SDavid van Moolenbroek if (child != NULL) {
360*00b67f09SDavid van Moolenbroek sum.client_ip |= child->sum.client_ip;
361*00b67f09SDavid van Moolenbroek sum.ip |= child->sum.ip;
362*00b67f09SDavid van Moolenbroek sum.nsip |= child->sum.nsip;
363*00b67f09SDavid van Moolenbroek }
364*00b67f09SDavid van Moolenbroek
365*00b67f09SDavid van Moolenbroek child = cnode->child[1];
366*00b67f09SDavid van Moolenbroek if (child != NULL) {
367*00b67f09SDavid van Moolenbroek sum.client_ip |= child->sum.client_ip;
368*00b67f09SDavid van Moolenbroek sum.ip |= child->sum.ip;
369*00b67f09SDavid van Moolenbroek sum.nsip |= child->sum.nsip;
370*00b67f09SDavid van Moolenbroek }
371*00b67f09SDavid van Moolenbroek
372*00b67f09SDavid van Moolenbroek if (cnode->sum.client_ip == sum.client_ip &&
373*00b67f09SDavid van Moolenbroek cnode->sum.ip == sum.ip &&
374*00b67f09SDavid van Moolenbroek cnode->sum.nsip == sum.nsip)
375*00b67f09SDavid van Moolenbroek break;
376*00b67f09SDavid van Moolenbroek cnode->sum = sum;
377*00b67f09SDavid van Moolenbroek cnode = cnode->parent;
378*00b67f09SDavid van Moolenbroek } while (cnode != NULL);
379*00b67f09SDavid van Moolenbroek }
380*00b67f09SDavid van Moolenbroek
381*00b67f09SDavid van Moolenbroek /* Caller must hold rpzs->maint_lock */
382*00b67f09SDavid van Moolenbroek static void
fix_qname_skip_recurse(dns_rpz_zones_t * rpzs)383*00b67f09SDavid van Moolenbroek fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) {
384*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t mask;
385*00b67f09SDavid van Moolenbroek
386*00b67f09SDavid van Moolenbroek /*
387*00b67f09SDavid van Moolenbroek * qname_wait_recurse and qname_skip_recurse are used to
388*00b67f09SDavid van Moolenbroek * implement the "qname-wait-recurse" config option.
389*00b67f09SDavid van Moolenbroek *
390*00b67f09SDavid van Moolenbroek * By default, "qname-wait-recurse" is yes, so no
391*00b67f09SDavid van Moolenbroek * processing happens without recursion. In this case,
392*00b67f09SDavid van Moolenbroek * qname_wait_recurse is true, and qname_skip_recurse
393*00b67f09SDavid van Moolenbroek * (a bit field indicating which policy zones can be
394*00b67f09SDavid van Moolenbroek * processed without recursion) is set to all 0's by
395*00b67f09SDavid van Moolenbroek * fix_qname_skip_recurse().
396*00b67f09SDavid van Moolenbroek *
397*00b67f09SDavid van Moolenbroek * When "qname-wait-recurse" is no, qname_skip_recurse may be
398*00b67f09SDavid van Moolenbroek * set to a non-zero value by fix_qname_skip_recurse(). The mask
399*00b67f09SDavid van Moolenbroek * has to have bits set for the policy zones for which
400*00b67f09SDavid van Moolenbroek * processing may continue without recursion, and bits cleared
401*00b67f09SDavid van Moolenbroek * for the rest.
402*00b67f09SDavid van Moolenbroek *
403*00b67f09SDavid van Moolenbroek * (1) The ARM says:
404*00b67f09SDavid van Moolenbroek *
405*00b67f09SDavid van Moolenbroek * The "qname-wait-recurse no" option overrides that default
406*00b67f09SDavid van Moolenbroek * behavior when recursion cannot change a non-error
407*00b67f09SDavid van Moolenbroek * response. The option does not affect QNAME or client-IP
408*00b67f09SDavid van Moolenbroek * triggers in policy zones listed after other zones
409*00b67f09SDavid van Moolenbroek * containing IP, NSIP and NSDNAME triggers, because those may
410*00b67f09SDavid van Moolenbroek * depend on the A, AAAA, and NS records that would be found
411*00b67f09SDavid van Moolenbroek * during recursive resolution.
412*00b67f09SDavid van Moolenbroek *
413*00b67f09SDavid van Moolenbroek * Let's consider the following:
414*00b67f09SDavid van Moolenbroek *
415*00b67f09SDavid van Moolenbroek * zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
416*00b67f09SDavid van Moolenbroek * rpzs->have.nsdname |
417*00b67f09SDavid van Moolenbroek * rpzs->have.nsipv4 | rpzs->have.nsipv6);
418*00b67f09SDavid van Moolenbroek *
419*00b67f09SDavid van Moolenbroek * zbits_req now contains bits set for zones which require
420*00b67f09SDavid van Moolenbroek * recursion.
421*00b67f09SDavid van Moolenbroek *
422*00b67f09SDavid van Moolenbroek * But going by the description in the ARM, if the first policy
423*00b67f09SDavid van Moolenbroek * zone requires recursion, then all zones after that (higher
424*00b67f09SDavid van Moolenbroek * order bits) have to wait as well. If the Nth zone requires
425*00b67f09SDavid van Moolenbroek * recursion, then (N+1)th zone onwards all need to wait.
426*00b67f09SDavid van Moolenbroek *
427*00b67f09SDavid van Moolenbroek * So mapping this, examples:
428*00b67f09SDavid van Moolenbroek *
429*00b67f09SDavid van Moolenbroek * zbits_req = 0b000 mask = 0xffffffff (no zones have to wait for
430*00b67f09SDavid van Moolenbroek * recursion)
431*00b67f09SDavid van Moolenbroek * zbits_req = 0b001 mask = 0x00000000 (all zones have to wait)
432*00b67f09SDavid van Moolenbroek * zbits_req = 0b010 mask = 0x00000001 (the first zone doesn't have to
433*00b67f09SDavid van Moolenbroek * wait, second zone onwards need
434*00b67f09SDavid van Moolenbroek * to wait)
435*00b67f09SDavid van Moolenbroek * zbits_req = 0b011 mask = 0x00000000 (all zones have to wait)
436*00b67f09SDavid van Moolenbroek * zbits_req = 0b100 mask = 0x00000011 (the 1st and 2nd zones don't
437*00b67f09SDavid van Moolenbroek * have to wait, third zone
438*00b67f09SDavid van Moolenbroek * onwards need to wait)
439*00b67f09SDavid van Moolenbroek *
440*00b67f09SDavid van Moolenbroek * More generally, we have to count the number of trailing 0
441*00b67f09SDavid van Moolenbroek * bits in zbits_req and only these can be processed without
442*00b67f09SDavid van Moolenbroek * recursion. All the rest need to wait.
443*00b67f09SDavid van Moolenbroek *
444*00b67f09SDavid van Moolenbroek * (2) The ARM says that "qname-wait-recurse no" option
445*00b67f09SDavid van Moolenbroek * overrides the default behavior when recursion cannot change a
446*00b67f09SDavid van Moolenbroek * non-error response. So, in the order of listing of policy
447*00b67f09SDavid van Moolenbroek * zones, within the first policy zone where recursion may be
448*00b67f09SDavid van Moolenbroek * required, we should first allow CLIENT-IP and QNAME policy
449*00b67f09SDavid van Moolenbroek * records to be attempted without recursion.
450*00b67f09SDavid van Moolenbroek */
451*00b67f09SDavid van Moolenbroek
452*00b67f09SDavid van Moolenbroek /*
453*00b67f09SDavid van Moolenbroek * Get a mask covering all policy zones that are not subordinate to
454*00b67f09SDavid van Moolenbroek * other policy zones containing triggers that require that the
455*00b67f09SDavid van Moolenbroek * qname be resolved before they can be checked.
456*00b67f09SDavid van Moolenbroek */
457*00b67f09SDavid van Moolenbroek rpzs->have.client_ip = rpzs->have.client_ipv4 | rpzs->have.client_ipv6;
458*00b67f09SDavid van Moolenbroek rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6;
459*00b67f09SDavid van Moolenbroek rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6;
460*00b67f09SDavid van Moolenbroek
461*00b67f09SDavid van Moolenbroek if (rpzs->p.qname_wait_recurse) {
462*00b67f09SDavid van Moolenbroek mask = 0;
463*00b67f09SDavid van Moolenbroek } else {
464*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t zbits_req;
465*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t zbits_notreq;
466*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t mask2;
467*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t req_mask;
468*00b67f09SDavid van Moolenbroek
469*00b67f09SDavid van Moolenbroek /*
470*00b67f09SDavid van Moolenbroek * Get the masks of zones with policies that
471*00b67f09SDavid van Moolenbroek * do/don't require recursion
472*00b67f09SDavid van Moolenbroek */
473*00b67f09SDavid van Moolenbroek
474*00b67f09SDavid van Moolenbroek zbits_req = (rpzs->have.ipv4 | rpzs->have.ipv6 |
475*00b67f09SDavid van Moolenbroek rpzs->have.nsdname |
476*00b67f09SDavid van Moolenbroek rpzs->have.nsipv4 | rpzs->have.nsipv6);
477*00b67f09SDavid van Moolenbroek zbits_notreq = (rpzs->have.client_ip | rpzs->have.qname);
478*00b67f09SDavid van Moolenbroek
479*00b67f09SDavid van Moolenbroek if (zbits_req == 0) {
480*00b67f09SDavid van Moolenbroek mask = DNS_RPZ_ALL_ZBITS;
481*00b67f09SDavid van Moolenbroek goto set;
482*00b67f09SDavid van Moolenbroek }
483*00b67f09SDavid van Moolenbroek
484*00b67f09SDavid van Moolenbroek /*
485*00b67f09SDavid van Moolenbroek * req_mask is a mask covering used bits in
486*00b67f09SDavid van Moolenbroek * zbits_req. (For instance, 0b1 => 0b1, 0b101 => 0b111,
487*00b67f09SDavid van Moolenbroek * 0b11010101 => 0b11111111).
488*00b67f09SDavid van Moolenbroek */
489*00b67f09SDavid van Moolenbroek req_mask = zbits_req;
490*00b67f09SDavid van Moolenbroek req_mask |= req_mask >> 1;
491*00b67f09SDavid van Moolenbroek req_mask |= req_mask >> 2;
492*00b67f09SDavid van Moolenbroek req_mask |= req_mask >> 4;
493*00b67f09SDavid van Moolenbroek req_mask |= req_mask >> 8;
494*00b67f09SDavid van Moolenbroek req_mask |= req_mask >> 16;
495*00b67f09SDavid van Moolenbroek #if DNS_RPZ_MAX_ZONES > 32
496*00b67f09SDavid van Moolenbroek req_mask |= req_mask >> 32;
497*00b67f09SDavid van Moolenbroek #endif
498*00b67f09SDavid van Moolenbroek
499*00b67f09SDavid van Moolenbroek /*
500*00b67f09SDavid van Moolenbroek * There's no point in skipping recursion for a later
501*00b67f09SDavid van Moolenbroek * zone if it is required in a previous zone.
502*00b67f09SDavid van Moolenbroek */
503*00b67f09SDavid van Moolenbroek if ((zbits_notreq & req_mask) == 0) {
504*00b67f09SDavid van Moolenbroek mask = 0;
505*00b67f09SDavid van Moolenbroek goto set;
506*00b67f09SDavid van Moolenbroek }
507*00b67f09SDavid van Moolenbroek
508*00b67f09SDavid van Moolenbroek /*
509*00b67f09SDavid van Moolenbroek * This bit arithmetic creates a mask of zones in which
510*00b67f09SDavid van Moolenbroek * it is okay to skip recursion. After the first zone
511*00b67f09SDavid van Moolenbroek * that has to wait for recursion, all the others have
512*00b67f09SDavid van Moolenbroek * to wait as well, so we want to create a mask in which
513*00b67f09SDavid van Moolenbroek * all the trailing zeroes in zbits_req are are 1, and
514*00b67f09SDavid van Moolenbroek * more significant bits are 0. (For instance,
515*00b67f09SDavid van Moolenbroek * 0x0700 => 0x00ff, 0x0007 => 0x0000)
516*00b67f09SDavid van Moolenbroek */
517*00b67f09SDavid van Moolenbroek mask = ~(zbits_req | -zbits_req);
518*00b67f09SDavid van Moolenbroek
519*00b67f09SDavid van Moolenbroek /*
520*00b67f09SDavid van Moolenbroek * As mentioned in (2) above, the zone corresponding to
521*00b67f09SDavid van Moolenbroek * the least significant zero could have its CLIENT-IP
522*00b67f09SDavid van Moolenbroek * and QNAME policies checked before recursion, if it
523*00b67f09SDavid van Moolenbroek * has any of those policies. So if it does, we
524*00b67f09SDavid van Moolenbroek * can set its 0 to 1.
525*00b67f09SDavid van Moolenbroek *
526*00b67f09SDavid van Moolenbroek * Locate the least significant 0 bit in the mask (for
527*00b67f09SDavid van Moolenbroek * instance, 0xff => 0x100)...
528*00b67f09SDavid van Moolenbroek */
529*00b67f09SDavid van Moolenbroek mask2 = (mask << 1) & ~mask;
530*00b67f09SDavid van Moolenbroek
531*00b67f09SDavid van Moolenbroek /*
532*00b67f09SDavid van Moolenbroek * Also set the bit for zone 0, because if it's in
533*00b67f09SDavid van Moolenbroek * zbits_notreq then it's definitely okay to attempt to
534*00b67f09SDavid van Moolenbroek * skip recursion for zone 0...
535*00b67f09SDavid van Moolenbroek */
536*00b67f09SDavid van Moolenbroek mask2 |= 1;
537*00b67f09SDavid van Moolenbroek
538*00b67f09SDavid van Moolenbroek /* Clear any bits *not* in zbits_notreq... */
539*00b67f09SDavid van Moolenbroek mask2 &= zbits_notreq;
540*00b67f09SDavid van Moolenbroek
541*00b67f09SDavid van Moolenbroek /* And merge the result into the skip-recursion mask */
542*00b67f09SDavid van Moolenbroek mask |= mask2;
543*00b67f09SDavid van Moolenbroek }
544*00b67f09SDavid van Moolenbroek
545*00b67f09SDavid van Moolenbroek set:
546*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB,
547*00b67f09SDavid van Moolenbroek DNS_RPZ_DEBUG_QUIET,
548*00b67f09SDavid van Moolenbroek "computed RPZ qname_skip_recurse mask=0x%llx",
549*00b67f09SDavid van Moolenbroek (isc_uint64_t) mask);
550*00b67f09SDavid van Moolenbroek rpzs->have.qname_skip_recurse = mask;
551*00b67f09SDavid van Moolenbroek }
552*00b67f09SDavid van Moolenbroek
553*00b67f09SDavid van Moolenbroek static void
adj_trigger_cnt(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,const dns_rpz_cidr_key_t * tgt_ip,dns_rpz_prefix_t tgt_prefix,isc_boolean_t inc)554*00b67f09SDavid van Moolenbroek adj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
555*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type,
556*00b67f09SDavid van Moolenbroek const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
557*00b67f09SDavid van Moolenbroek isc_boolean_t inc)
558*00b67f09SDavid van Moolenbroek {
559*00b67f09SDavid van Moolenbroek dns_rpz_trigger_counter_t *cnt;
560*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t *have;
561*00b67f09SDavid van Moolenbroek
562*00b67f09SDavid van Moolenbroek switch (rpz_type) {
563*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
564*00b67f09SDavid van Moolenbroek REQUIRE(tgt_ip != NULL);
565*00b67f09SDavid van Moolenbroek if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
566*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].client_ipv4;
567*00b67f09SDavid van Moolenbroek have = &rpzs->have.client_ipv4;
568*00b67f09SDavid van Moolenbroek } else {
569*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].client_ipv6;
570*00b67f09SDavid van Moolenbroek have = &rpzs->have.client_ipv6;
571*00b67f09SDavid van Moolenbroek }
572*00b67f09SDavid van Moolenbroek break;
573*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_QNAME:
574*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].qname;
575*00b67f09SDavid van Moolenbroek have = &rpzs->have.qname;
576*00b67f09SDavid van Moolenbroek break;
577*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
578*00b67f09SDavid van Moolenbroek REQUIRE(tgt_ip != NULL);
579*00b67f09SDavid van Moolenbroek if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
580*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].ipv4;
581*00b67f09SDavid van Moolenbroek have = &rpzs->have.ipv4;
582*00b67f09SDavid van Moolenbroek } else {
583*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].ipv6;
584*00b67f09SDavid van Moolenbroek have = &rpzs->have.ipv6;
585*00b67f09SDavid van Moolenbroek }
586*00b67f09SDavid van Moolenbroek break;
587*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSDNAME:
588*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].nsdname;
589*00b67f09SDavid van Moolenbroek have = &rpzs->have.nsdname;
590*00b67f09SDavid van Moolenbroek break;
591*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
592*00b67f09SDavid van Moolenbroek REQUIRE(tgt_ip != NULL);
593*00b67f09SDavid van Moolenbroek if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
594*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].nsipv4;
595*00b67f09SDavid van Moolenbroek have = &rpzs->have.nsipv4;
596*00b67f09SDavid van Moolenbroek } else {
597*00b67f09SDavid van Moolenbroek cnt = &rpzs->triggers[rpz_num].nsipv6;
598*00b67f09SDavid van Moolenbroek have = &rpzs->have.nsipv6;
599*00b67f09SDavid van Moolenbroek }
600*00b67f09SDavid van Moolenbroek break;
601*00b67f09SDavid van Moolenbroek default:
602*00b67f09SDavid van Moolenbroek INSIST(0);
603*00b67f09SDavid van Moolenbroek }
604*00b67f09SDavid van Moolenbroek
605*00b67f09SDavid van Moolenbroek if (inc) {
606*00b67f09SDavid van Moolenbroek if (++*cnt == 1) {
607*00b67f09SDavid van Moolenbroek *have |= DNS_RPZ_ZBIT(rpz_num);
608*00b67f09SDavid van Moolenbroek fix_qname_skip_recurse(rpzs);
609*00b67f09SDavid van Moolenbroek }
610*00b67f09SDavid van Moolenbroek } else {
611*00b67f09SDavid van Moolenbroek REQUIRE(*cnt != 0);
612*00b67f09SDavid van Moolenbroek if (--*cnt == 0) {
613*00b67f09SDavid van Moolenbroek *have &= ~DNS_RPZ_ZBIT(rpz_num);
614*00b67f09SDavid van Moolenbroek fix_qname_skip_recurse(rpzs);
615*00b67f09SDavid van Moolenbroek }
616*00b67f09SDavid van Moolenbroek }
617*00b67f09SDavid van Moolenbroek }
618*00b67f09SDavid van Moolenbroek
619*00b67f09SDavid van Moolenbroek static dns_rpz_cidr_node_t *
new_node(dns_rpz_zones_t * rpzs,const dns_rpz_cidr_key_t * ip,dns_rpz_prefix_t prefix,const dns_rpz_cidr_node_t * child)620*00b67f09SDavid van Moolenbroek new_node(dns_rpz_zones_t *rpzs,
621*00b67f09SDavid van Moolenbroek const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix,
622*00b67f09SDavid van Moolenbroek const dns_rpz_cidr_node_t *child)
623*00b67f09SDavid van Moolenbroek {
624*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *new;
625*00b67f09SDavid van Moolenbroek int i, words, wlen;
626*00b67f09SDavid van Moolenbroek
627*00b67f09SDavid van Moolenbroek new = isc_mem_get(rpzs->mctx, sizeof(*new));
628*00b67f09SDavid van Moolenbroek if (new == NULL)
629*00b67f09SDavid van Moolenbroek return (NULL);
630*00b67f09SDavid van Moolenbroek memset(new, 0, sizeof(*new));
631*00b67f09SDavid van Moolenbroek
632*00b67f09SDavid van Moolenbroek if (child != NULL)
633*00b67f09SDavid van Moolenbroek new->sum = child->sum;
634*00b67f09SDavid van Moolenbroek
635*00b67f09SDavid van Moolenbroek new->prefix = prefix;
636*00b67f09SDavid van Moolenbroek words = prefix / DNS_RPZ_CIDR_WORD_BITS;
637*00b67f09SDavid van Moolenbroek wlen = prefix % DNS_RPZ_CIDR_WORD_BITS;
638*00b67f09SDavid van Moolenbroek i = 0;
639*00b67f09SDavid van Moolenbroek while (i < words) {
640*00b67f09SDavid van Moolenbroek new->ip.w[i] = ip->w[i];
641*00b67f09SDavid van Moolenbroek ++i;
642*00b67f09SDavid van Moolenbroek }
643*00b67f09SDavid van Moolenbroek if (wlen != 0) {
644*00b67f09SDavid van Moolenbroek new->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen);
645*00b67f09SDavid van Moolenbroek ++i;
646*00b67f09SDavid van Moolenbroek }
647*00b67f09SDavid van Moolenbroek while (i < DNS_RPZ_CIDR_WORDS)
648*00b67f09SDavid van Moolenbroek new->ip.w[i++] = 0;
649*00b67f09SDavid van Moolenbroek
650*00b67f09SDavid van Moolenbroek return (new);
651*00b67f09SDavid van Moolenbroek }
652*00b67f09SDavid van Moolenbroek
653*00b67f09SDavid van Moolenbroek static void
badname(int level,dns_name_t * name,const char * str1,const char * str2)654*00b67f09SDavid van Moolenbroek badname(int level, dns_name_t *name, const char *str1, const char *str2) {
655*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
656*00b67f09SDavid van Moolenbroek
657*00b67f09SDavid van Moolenbroek /*
658*00b67f09SDavid van Moolenbroek * bin/tests/system/rpz/tests.sh looks for "invalid rpz".
659*00b67f09SDavid van Moolenbroek */
660*00b67f09SDavid van Moolenbroek if (level < DNS_RPZ_DEBUG_QUIET &&
661*00b67f09SDavid van Moolenbroek isc_log_wouldlog(dns_lctx, level)) {
662*00b67f09SDavid van Moolenbroek dns_name_format(name, namebuf, sizeof(namebuf));
663*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
664*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, level,
665*00b67f09SDavid van Moolenbroek "invalid rpz IP address \"%s\"%s%s",
666*00b67f09SDavid van Moolenbroek namebuf, str1, str2);
667*00b67f09SDavid van Moolenbroek }
668*00b67f09SDavid van Moolenbroek }
669*00b67f09SDavid van Moolenbroek
670*00b67f09SDavid van Moolenbroek /*
671*00b67f09SDavid van Moolenbroek * Convert an IP address from radix tree binary (host byte order) to
672*00b67f09SDavid van Moolenbroek * to its canonical response policy domain name without the origin of the
673*00b67f09SDavid van Moolenbroek * policy zone.
674*00b67f09SDavid van Moolenbroek */
675*00b67f09SDavid van Moolenbroek static isc_result_t
ip2name(const dns_rpz_cidr_key_t * tgt_ip,dns_rpz_prefix_t tgt_prefix,dns_name_t * base_name,dns_name_t * ip_name)676*00b67f09SDavid van Moolenbroek ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
677*00b67f09SDavid van Moolenbroek dns_name_t *base_name, dns_name_t *ip_name)
678*00b67f09SDavid van Moolenbroek {
679*00b67f09SDavid van Moolenbroek #ifndef INET6_ADDRSTRLEN
680*00b67f09SDavid van Moolenbroek #define INET6_ADDRSTRLEN 46
681*00b67f09SDavid van Moolenbroek #endif
682*00b67f09SDavid van Moolenbroek int w[DNS_RPZ_CIDR_WORDS*2];
683*00b67f09SDavid van Moolenbroek char str[1+8+1+INET6_ADDRSTRLEN+1];
684*00b67f09SDavid van Moolenbroek isc_buffer_t buffer;
685*00b67f09SDavid van Moolenbroek isc_result_t result;
686*00b67f09SDavid van Moolenbroek isc_boolean_t zeros;
687*00b67f09SDavid van Moolenbroek int i, n, len;
688*00b67f09SDavid van Moolenbroek
689*00b67f09SDavid van Moolenbroek if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) {
690*00b67f09SDavid van Moolenbroek len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d",
691*00b67f09SDavid van Moolenbroek tgt_prefix - 96,
692*00b67f09SDavid van Moolenbroek tgt_ip->w[3] & 0xff,
693*00b67f09SDavid van Moolenbroek (tgt_ip->w[3]>>8) & 0xff,
694*00b67f09SDavid van Moolenbroek (tgt_ip->w[3]>>16) & 0xff,
695*00b67f09SDavid van Moolenbroek (tgt_ip->w[3]>>24) & 0xff);
696*00b67f09SDavid van Moolenbroek if (len < 0 || len > (int)sizeof(str))
697*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
698*00b67f09SDavid van Moolenbroek } else {
699*00b67f09SDavid van Moolenbroek for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) {
700*00b67f09SDavid van Moolenbroek w[i*2+1] = ((tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] >> 16)
701*00b67f09SDavid van Moolenbroek & 0xffff);
702*00b67f09SDavid van Moolenbroek w[i*2] = tgt_ip->w[DNS_RPZ_CIDR_WORDS-1-i] & 0xffff;
703*00b67f09SDavid van Moolenbroek }
704*00b67f09SDavid van Moolenbroek zeros = ISC_FALSE;
705*00b67f09SDavid van Moolenbroek len = snprintf(str, sizeof(str), "%d", tgt_prefix);
706*00b67f09SDavid van Moolenbroek if (len == -1)
707*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
708*00b67f09SDavid van Moolenbroek i = 0;
709*00b67f09SDavid van Moolenbroek while (i < DNS_RPZ_CIDR_WORDS * 2) {
710*00b67f09SDavid van Moolenbroek if (w[i] != 0 || zeros ||
711*00b67f09SDavid van Moolenbroek i >= DNS_RPZ_CIDR_WORDS * 2 - 1 ||
712*00b67f09SDavid van Moolenbroek w[i+1] != 0) {
713*00b67f09SDavid van Moolenbroek INSIST((size_t)len <= sizeof(str));
714*00b67f09SDavid van Moolenbroek n = snprintf(&str[len], sizeof(str) - len,
715*00b67f09SDavid van Moolenbroek ".%x", w[i++]);
716*00b67f09SDavid van Moolenbroek if (n < 0)
717*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
718*00b67f09SDavid van Moolenbroek len += n;
719*00b67f09SDavid van Moolenbroek } else {
720*00b67f09SDavid van Moolenbroek zeros = ISC_TRUE;
721*00b67f09SDavid van Moolenbroek INSIST((size_t)len <= sizeof(str));
722*00b67f09SDavid van Moolenbroek n = snprintf(&str[len], sizeof(str) - len,
723*00b67f09SDavid van Moolenbroek ".zz");
724*00b67f09SDavid van Moolenbroek if (n < 0)
725*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
726*00b67f09SDavid van Moolenbroek len += n;
727*00b67f09SDavid van Moolenbroek i += 2;
728*00b67f09SDavid van Moolenbroek while (i < DNS_RPZ_CIDR_WORDS * 2 && w[i] == 0)
729*00b67f09SDavid van Moolenbroek ++i;
730*00b67f09SDavid van Moolenbroek }
731*00b67f09SDavid van Moolenbroek if (len >= (int)sizeof(str))
732*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
733*00b67f09SDavid van Moolenbroek }
734*00b67f09SDavid van Moolenbroek }
735*00b67f09SDavid van Moolenbroek
736*00b67f09SDavid van Moolenbroek isc_buffer_init(&buffer, str, sizeof(str));
737*00b67f09SDavid van Moolenbroek isc_buffer_add(&buffer, len);
738*00b67f09SDavid van Moolenbroek result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL);
739*00b67f09SDavid van Moolenbroek return (result);
740*00b67f09SDavid van Moolenbroek }
741*00b67f09SDavid van Moolenbroek
742*00b67f09SDavid van Moolenbroek /*
743*00b67f09SDavid van Moolenbroek * Determine the type a of a name in a response policy zone.
744*00b67f09SDavid van Moolenbroek */
745*00b67f09SDavid van Moolenbroek static dns_rpz_type_t
type_from_name(dns_rpz_zone_t * rpz,dns_name_t * name)746*00b67f09SDavid van Moolenbroek type_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) {
747*00b67f09SDavid van Moolenbroek
748*00b67f09SDavid van Moolenbroek if (dns_name_issubdomain(name, &rpz->ip))
749*00b67f09SDavid van Moolenbroek return (DNS_RPZ_TYPE_IP);
750*00b67f09SDavid van Moolenbroek
751*00b67f09SDavid van Moolenbroek if (dns_name_issubdomain(name, &rpz->client_ip))
752*00b67f09SDavid van Moolenbroek return (DNS_RPZ_TYPE_CLIENT_IP);
753*00b67f09SDavid van Moolenbroek
754*00b67f09SDavid van Moolenbroek #ifdef ENABLE_RPZ_NSIP
755*00b67f09SDavid van Moolenbroek if (dns_name_issubdomain(name, &rpz->nsip))
756*00b67f09SDavid van Moolenbroek return (DNS_RPZ_TYPE_NSIP);
757*00b67f09SDavid van Moolenbroek #endif
758*00b67f09SDavid van Moolenbroek
759*00b67f09SDavid van Moolenbroek #ifdef ENABLE_RPZ_NSDNAME
760*00b67f09SDavid van Moolenbroek if (dns_name_issubdomain(name, &rpz->nsdname))
761*00b67f09SDavid van Moolenbroek return (DNS_RPZ_TYPE_NSDNAME);
762*00b67f09SDavid van Moolenbroek #endif
763*00b67f09SDavid van Moolenbroek
764*00b67f09SDavid van Moolenbroek return (DNS_RPZ_TYPE_QNAME);
765*00b67f09SDavid van Moolenbroek }
766*00b67f09SDavid van Moolenbroek
767*00b67f09SDavid van Moolenbroek /*
768*00b67f09SDavid van Moolenbroek * Convert an IP address from canonical response policy domain name form
769*00b67f09SDavid van Moolenbroek * to radix tree binary (host byte order) for adding or deleting IP or NSIP
770*00b67f09SDavid van Moolenbroek * data.
771*00b67f09SDavid van Moolenbroek */
772*00b67f09SDavid van Moolenbroek static isc_result_t
name2ipkey(int log_level,const dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,dns_name_t * src_name,dns_rpz_cidr_key_t * tgt_ip,dns_rpz_prefix_t * tgt_prefix,dns_rpz_addr_zbits_t * new_set)773*00b67f09SDavid van Moolenbroek name2ipkey(int log_level,
774*00b67f09SDavid van Moolenbroek const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
775*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type, dns_name_t *src_name,
776*00b67f09SDavid van Moolenbroek dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix,
777*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t *new_set)
778*00b67f09SDavid van Moolenbroek {
779*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
780*00b67f09SDavid van Moolenbroek char ip_str[DNS_NAME_FORMATSIZE];
781*00b67f09SDavid van Moolenbroek dns_offsets_t ip_name_offsets;
782*00b67f09SDavid van Moolenbroek dns_fixedname_t ip_name2f;
783*00b67f09SDavid van Moolenbroek dns_name_t ip_name, *ip_name2;
784*00b67f09SDavid van Moolenbroek const char *prefix_str, *cp, *end;
785*00b67f09SDavid van Moolenbroek char *cp2;
786*00b67f09SDavid van Moolenbroek int ip_labels;
787*00b67f09SDavid van Moolenbroek dns_rpz_prefix_t prefix;
788*00b67f09SDavid van Moolenbroek unsigned long prefix_num, l;
789*00b67f09SDavid van Moolenbroek isc_result_t result;
790*00b67f09SDavid van Moolenbroek int i;
791*00b67f09SDavid van Moolenbroek
792*00b67f09SDavid van Moolenbroek REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
793*00b67f09SDavid van Moolenbroek rpz = rpzs->zones[rpz_num];
794*00b67f09SDavid van Moolenbroek REQUIRE(rpz != NULL);
795*00b67f09SDavid van Moolenbroek
796*00b67f09SDavid van Moolenbroek make_addr_set(new_set, DNS_RPZ_ZBIT(rpz_num), rpz_type);
797*00b67f09SDavid van Moolenbroek
798*00b67f09SDavid van Moolenbroek ip_labels = dns_name_countlabels(src_name);
799*00b67f09SDavid van Moolenbroek if (rpz_type == DNS_RPZ_TYPE_QNAME)
800*00b67f09SDavid van Moolenbroek ip_labels -= dns_name_countlabels(&rpz->origin);
801*00b67f09SDavid van Moolenbroek else
802*00b67f09SDavid van Moolenbroek ip_labels -= dns_name_countlabels(&rpz->nsdname);
803*00b67f09SDavid van Moolenbroek if (ip_labels < 2) {
804*00b67f09SDavid van Moolenbroek badname(log_level, src_name, "; too short", "");
805*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
806*00b67f09SDavid van Moolenbroek }
807*00b67f09SDavid van Moolenbroek dns_name_init(&ip_name, ip_name_offsets);
808*00b67f09SDavid van Moolenbroek dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name);
809*00b67f09SDavid van Moolenbroek
810*00b67f09SDavid van Moolenbroek /*
811*00b67f09SDavid van Moolenbroek * Get text for the IP address
812*00b67f09SDavid van Moolenbroek */
813*00b67f09SDavid van Moolenbroek dns_name_format(&ip_name, ip_str, sizeof(ip_str));
814*00b67f09SDavid van Moolenbroek end = &ip_str[strlen(ip_str)+1];
815*00b67f09SDavid van Moolenbroek prefix_str = ip_str;
816*00b67f09SDavid van Moolenbroek
817*00b67f09SDavid van Moolenbroek prefix_num = strtoul(prefix_str, &cp2, 10);
818*00b67f09SDavid van Moolenbroek if (*cp2 != '.') {
819*00b67f09SDavid van Moolenbroek badname(log_level, src_name,
820*00b67f09SDavid van Moolenbroek "; invalid leading prefix length", "");
821*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
822*00b67f09SDavid van Moolenbroek }
823*00b67f09SDavid van Moolenbroek *cp2 = '\0';
824*00b67f09SDavid van Moolenbroek if (prefix_num < 1U || prefix_num > 128U) {
825*00b67f09SDavid van Moolenbroek badname(log_level, src_name,
826*00b67f09SDavid van Moolenbroek "; invalid prefix length of ", prefix_str);
827*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
828*00b67f09SDavid van Moolenbroek }
829*00b67f09SDavid van Moolenbroek cp = cp2+1;
830*00b67f09SDavid van Moolenbroek
831*00b67f09SDavid van Moolenbroek if (--ip_labels == 4 && !strchr(cp, 'z')) {
832*00b67f09SDavid van Moolenbroek /*
833*00b67f09SDavid van Moolenbroek * Convert an IPv4 address
834*00b67f09SDavid van Moolenbroek * from the form "prefix.z.y.x.w"
835*00b67f09SDavid van Moolenbroek */
836*00b67f09SDavid van Moolenbroek if (prefix_num > 32U) {
837*00b67f09SDavid van Moolenbroek badname(log_level, src_name,
838*00b67f09SDavid van Moolenbroek "; invalid IPv4 prefix length of ", prefix_str);
839*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
840*00b67f09SDavid van Moolenbroek }
841*00b67f09SDavid van Moolenbroek prefix_num += 96;
842*00b67f09SDavid van Moolenbroek *tgt_prefix = (dns_rpz_prefix_t)prefix_num;
843*00b67f09SDavid van Moolenbroek tgt_ip->w[0] = 0;
844*00b67f09SDavid van Moolenbroek tgt_ip->w[1] = 0;
845*00b67f09SDavid van Moolenbroek tgt_ip->w[2] = ADDR_V4MAPPED;
846*00b67f09SDavid van Moolenbroek tgt_ip->w[3] = 0;
847*00b67f09SDavid van Moolenbroek for (i = 0; i < 32; i += 8) {
848*00b67f09SDavid van Moolenbroek l = strtoul(cp, &cp2, 10);
849*00b67f09SDavid van Moolenbroek if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) {
850*00b67f09SDavid van Moolenbroek if (*cp2 == '.')
851*00b67f09SDavid van Moolenbroek *cp2 = '\0';
852*00b67f09SDavid van Moolenbroek badname(log_level, src_name,
853*00b67f09SDavid van Moolenbroek "; invalid IPv4 octet ", cp);
854*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
855*00b67f09SDavid van Moolenbroek }
856*00b67f09SDavid van Moolenbroek tgt_ip->w[3] |= l << i;
857*00b67f09SDavid van Moolenbroek cp = cp2 + 1;
858*00b67f09SDavid van Moolenbroek }
859*00b67f09SDavid van Moolenbroek } else {
860*00b67f09SDavid van Moolenbroek /*
861*00b67f09SDavid van Moolenbroek * Convert a text IPv6 address.
862*00b67f09SDavid van Moolenbroek */
863*00b67f09SDavid van Moolenbroek *tgt_prefix = (dns_rpz_prefix_t)prefix_num;
864*00b67f09SDavid van Moolenbroek for (i = 0;
865*00b67f09SDavid van Moolenbroek ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2;
866*00b67f09SDavid van Moolenbroek ip_labels--) {
867*00b67f09SDavid van Moolenbroek if (cp[0] == 'z' && cp[1] == 'z' &&
868*00b67f09SDavid van Moolenbroek (cp[2] == '.' || cp[2] == '\0') &&
869*00b67f09SDavid van Moolenbroek i <= 6) {
870*00b67f09SDavid van Moolenbroek do {
871*00b67f09SDavid van Moolenbroek if ((i & 1) == 0)
872*00b67f09SDavid van Moolenbroek tgt_ip->w[3-i/2] = 0;
873*00b67f09SDavid van Moolenbroek ++i;
874*00b67f09SDavid van Moolenbroek } while (ip_labels + i <= 8);
875*00b67f09SDavid van Moolenbroek cp += 3;
876*00b67f09SDavid van Moolenbroek } else {
877*00b67f09SDavid van Moolenbroek l = strtoul(cp, &cp2, 16);
878*00b67f09SDavid van Moolenbroek if (l > 0xffffu ||
879*00b67f09SDavid van Moolenbroek (*cp2 != '.' && *cp2 != '\0')) {
880*00b67f09SDavid van Moolenbroek if (*cp2 == '.')
881*00b67f09SDavid van Moolenbroek *cp2 = '\0';
882*00b67f09SDavid van Moolenbroek badname(log_level, src_name,
883*00b67f09SDavid van Moolenbroek "; invalid IPv6 word ", cp);
884*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
885*00b67f09SDavid van Moolenbroek }
886*00b67f09SDavid van Moolenbroek if ((i & 1) == 0)
887*00b67f09SDavid van Moolenbroek tgt_ip->w[3-i/2] = l;
888*00b67f09SDavid van Moolenbroek else
889*00b67f09SDavid van Moolenbroek tgt_ip->w[3-i/2] |= l << 16;
890*00b67f09SDavid van Moolenbroek i++;
891*00b67f09SDavid van Moolenbroek cp = cp2 + 1;
892*00b67f09SDavid van Moolenbroek }
893*00b67f09SDavid van Moolenbroek }
894*00b67f09SDavid van Moolenbroek }
895*00b67f09SDavid van Moolenbroek if (cp != end) {
896*00b67f09SDavid van Moolenbroek badname(log_level, src_name, "", "");
897*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
898*00b67f09SDavid van Moolenbroek }
899*00b67f09SDavid van Moolenbroek
900*00b67f09SDavid van Moolenbroek /*
901*00b67f09SDavid van Moolenbroek * Check for 1s after the prefix length.
902*00b67f09SDavid van Moolenbroek */
903*00b67f09SDavid van Moolenbroek prefix = (dns_rpz_prefix_t)prefix_num;
904*00b67f09SDavid van Moolenbroek while (prefix < DNS_RPZ_CIDR_KEY_BITS) {
905*00b67f09SDavid van Moolenbroek dns_rpz_cidr_word_t aword;
906*00b67f09SDavid van Moolenbroek
907*00b67f09SDavid van Moolenbroek i = prefix % DNS_RPZ_CIDR_WORD_BITS;
908*00b67f09SDavid van Moolenbroek aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS];
909*00b67f09SDavid van Moolenbroek if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) {
910*00b67f09SDavid van Moolenbroek badname(log_level, src_name,
911*00b67f09SDavid van Moolenbroek "; too small prefix length of ", prefix_str);
912*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
913*00b67f09SDavid van Moolenbroek }
914*00b67f09SDavid van Moolenbroek prefix -= i;
915*00b67f09SDavid van Moolenbroek prefix += DNS_RPZ_CIDR_WORD_BITS;
916*00b67f09SDavid van Moolenbroek }
917*00b67f09SDavid van Moolenbroek
918*00b67f09SDavid van Moolenbroek /*
919*00b67f09SDavid van Moolenbroek * XXXMUKS: Should the following check be enabled in a
920*00b67f09SDavid van Moolenbroek * production build? It can be expensive for large IP zones
921*00b67f09SDavid van Moolenbroek * from 3rd parties.
922*00b67f09SDavid van Moolenbroek */
923*00b67f09SDavid van Moolenbroek
924*00b67f09SDavid van Moolenbroek /*
925*00b67f09SDavid van Moolenbroek * Convert the address back to a canonical domain name
926*00b67f09SDavid van Moolenbroek * to ensure that the original name is in canonical form.
927*00b67f09SDavid van Moolenbroek */
928*00b67f09SDavid van Moolenbroek dns_fixedname_init(&ip_name2f);
929*00b67f09SDavid van Moolenbroek ip_name2 = dns_fixedname_name(&ip_name2f);
930*00b67f09SDavid van Moolenbroek result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL, ip_name2);
931*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS || !dns_name_equal(&ip_name, ip_name2)) {
932*00b67f09SDavid van Moolenbroek badname(log_level, src_name, "; not canonical", "");
933*00b67f09SDavid van Moolenbroek return (ISC_R_FAILURE);
934*00b67f09SDavid van Moolenbroek }
935*00b67f09SDavid van Moolenbroek
936*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
937*00b67f09SDavid van Moolenbroek }
938*00b67f09SDavid van Moolenbroek
939*00b67f09SDavid van Moolenbroek /*
940*00b67f09SDavid van Moolenbroek * Get trigger name and data bits for adding or deleting summary NSDNAME
941*00b67f09SDavid van Moolenbroek * or QNAME data.
942*00b67f09SDavid van Moolenbroek */
943*00b67f09SDavid van Moolenbroek static void
name2data(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,const dns_name_t * src_name,dns_name_t * trig_name,dns_rpz_nm_data_t * new_data)944*00b67f09SDavid van Moolenbroek name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
945*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type, const dns_name_t *src_name,
946*00b67f09SDavid van Moolenbroek dns_name_t *trig_name, dns_rpz_nm_data_t *new_data)
947*00b67f09SDavid van Moolenbroek {
948*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
949*00b67f09SDavid van Moolenbroek dns_offsets_t tmp_name_offsets;
950*00b67f09SDavid van Moolenbroek dns_name_t tmp_name;
951*00b67f09SDavid van Moolenbroek unsigned int prefix_len, n;
952*00b67f09SDavid van Moolenbroek
953*00b67f09SDavid van Moolenbroek REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
954*00b67f09SDavid van Moolenbroek rpz = rpzs->zones[rpz_num];
955*00b67f09SDavid van Moolenbroek REQUIRE(rpz != NULL);
956*00b67f09SDavid van Moolenbroek
957*00b67f09SDavid van Moolenbroek /*
958*00b67f09SDavid van Moolenbroek * Handle wildcards by putting only the parent into the
959*00b67f09SDavid van Moolenbroek * summary RBT. The summary database only causes a check of the
960*00b67f09SDavid van Moolenbroek * real policy zone where wildcards will be handled.
961*00b67f09SDavid van Moolenbroek */
962*00b67f09SDavid van Moolenbroek if (dns_name_iswildcard(src_name)) {
963*00b67f09SDavid van Moolenbroek prefix_len = 1;
964*00b67f09SDavid van Moolenbroek memset(&new_data->set, 0, sizeof(new_data->set));
965*00b67f09SDavid van Moolenbroek make_nm_set(&new_data->wild, rpz_num, rpz_type);
966*00b67f09SDavid van Moolenbroek } else {
967*00b67f09SDavid van Moolenbroek prefix_len = 0;
968*00b67f09SDavid van Moolenbroek make_nm_set(&new_data->set, rpz_num, rpz_type);
969*00b67f09SDavid van Moolenbroek memset(&new_data->wild, 0, sizeof(new_data->wild));
970*00b67f09SDavid van Moolenbroek }
971*00b67f09SDavid van Moolenbroek
972*00b67f09SDavid van Moolenbroek dns_name_init(&tmp_name, tmp_name_offsets);
973*00b67f09SDavid van Moolenbroek n = dns_name_countlabels(src_name);
974*00b67f09SDavid van Moolenbroek n -= prefix_len;
975*00b67f09SDavid van Moolenbroek if (rpz_type == DNS_RPZ_TYPE_QNAME)
976*00b67f09SDavid van Moolenbroek n -= dns_name_countlabels(&rpz->origin);
977*00b67f09SDavid van Moolenbroek else
978*00b67f09SDavid van Moolenbroek n -= dns_name_countlabels(&rpz->nsdname);
979*00b67f09SDavid van Moolenbroek dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name);
980*00b67f09SDavid van Moolenbroek (void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL);
981*00b67f09SDavid van Moolenbroek }
982*00b67f09SDavid van Moolenbroek
983*00b67f09SDavid van Moolenbroek /*
984*00b67f09SDavid van Moolenbroek * Find the first differing bit in a key (IP address) word.
985*00b67f09SDavid van Moolenbroek */
986*00b67f09SDavid van Moolenbroek static inline int
ffs_keybit(dns_rpz_cidr_word_t w)987*00b67f09SDavid van Moolenbroek ffs_keybit(dns_rpz_cidr_word_t w) {
988*00b67f09SDavid van Moolenbroek int bit;
989*00b67f09SDavid van Moolenbroek
990*00b67f09SDavid van Moolenbroek bit = DNS_RPZ_CIDR_WORD_BITS-1;
991*00b67f09SDavid van Moolenbroek if ((w & 0xffff0000) != 0) {
992*00b67f09SDavid van Moolenbroek w >>= 16;
993*00b67f09SDavid van Moolenbroek bit -= 16;
994*00b67f09SDavid van Moolenbroek }
995*00b67f09SDavid van Moolenbroek if ((w & 0xff00) != 0) {
996*00b67f09SDavid van Moolenbroek w >>= 8;
997*00b67f09SDavid van Moolenbroek bit -= 8;
998*00b67f09SDavid van Moolenbroek }
999*00b67f09SDavid van Moolenbroek if ((w & 0xf0) != 0) {
1000*00b67f09SDavid van Moolenbroek w >>= 4;
1001*00b67f09SDavid van Moolenbroek bit -= 4;
1002*00b67f09SDavid van Moolenbroek }
1003*00b67f09SDavid van Moolenbroek if ((w & 0xc) != 0) {
1004*00b67f09SDavid van Moolenbroek w >>= 2;
1005*00b67f09SDavid van Moolenbroek bit -= 2;
1006*00b67f09SDavid van Moolenbroek }
1007*00b67f09SDavid van Moolenbroek if ((w & 2) != 0)
1008*00b67f09SDavid van Moolenbroek --bit;
1009*00b67f09SDavid van Moolenbroek return (bit);
1010*00b67f09SDavid van Moolenbroek }
1011*00b67f09SDavid van Moolenbroek
1012*00b67f09SDavid van Moolenbroek /*
1013*00b67f09SDavid van Moolenbroek * Find the first differing bit in two keys (IP addresses).
1014*00b67f09SDavid van Moolenbroek */
1015*00b67f09SDavid van Moolenbroek static int
diff_keys(const dns_rpz_cidr_key_t * key1,dns_rpz_prefix_t prefix1,const dns_rpz_cidr_key_t * key2,dns_rpz_prefix_t prefix2)1016*00b67f09SDavid van Moolenbroek diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1,
1017*00b67f09SDavid van Moolenbroek const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2)
1018*00b67f09SDavid van Moolenbroek {
1019*00b67f09SDavid van Moolenbroek dns_rpz_cidr_word_t delta;
1020*00b67f09SDavid van Moolenbroek dns_rpz_prefix_t maxbit, bit;
1021*00b67f09SDavid van Moolenbroek int i;
1022*00b67f09SDavid van Moolenbroek
1023*00b67f09SDavid van Moolenbroek bit = 0;
1024*00b67f09SDavid van Moolenbroek maxbit = ISC_MIN(prefix1, prefix2);
1025*00b67f09SDavid van Moolenbroek
1026*00b67f09SDavid van Moolenbroek /*
1027*00b67f09SDavid van Moolenbroek * find the first differing words
1028*00b67f09SDavid van Moolenbroek */
1029*00b67f09SDavid van Moolenbroek for (i = 0;
1030*00b67f09SDavid van Moolenbroek bit < maxbit;
1031*00b67f09SDavid van Moolenbroek i++, bit += DNS_RPZ_CIDR_WORD_BITS) {
1032*00b67f09SDavid van Moolenbroek delta = key1->w[i] ^ key2->w[i];
1033*00b67f09SDavid van Moolenbroek if (delta != 0) {
1034*00b67f09SDavid van Moolenbroek bit += ffs_keybit(delta);
1035*00b67f09SDavid van Moolenbroek break;
1036*00b67f09SDavid van Moolenbroek }
1037*00b67f09SDavid van Moolenbroek }
1038*00b67f09SDavid van Moolenbroek return (ISC_MIN(bit, maxbit));
1039*00b67f09SDavid van Moolenbroek }
1040*00b67f09SDavid van Moolenbroek
1041*00b67f09SDavid van Moolenbroek /*
1042*00b67f09SDavid van Moolenbroek * Given a hit while searching the radix trees,
1043*00b67f09SDavid van Moolenbroek * clear all bits for higher numbered zones.
1044*00b67f09SDavid van Moolenbroek */
1045*00b67f09SDavid van Moolenbroek static inline dns_rpz_zbits_t
trim_zbits(dns_rpz_zbits_t zbits,dns_rpz_zbits_t found)1046*00b67f09SDavid van Moolenbroek trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) {
1047*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t x;
1048*00b67f09SDavid van Moolenbroek
1049*00b67f09SDavid van Moolenbroek /*
1050*00b67f09SDavid van Moolenbroek * Isolate the first or smallest numbered hit bit.
1051*00b67f09SDavid van Moolenbroek * Make a mask of that bit and all smaller numbered bits.
1052*00b67f09SDavid van Moolenbroek */
1053*00b67f09SDavid van Moolenbroek x = zbits & found;
1054*00b67f09SDavid van Moolenbroek x &= (~x + 1);
1055*00b67f09SDavid van Moolenbroek x = (x << 1) - 1;
1056*00b67f09SDavid van Moolenbroek return (zbits &= x);
1057*00b67f09SDavid van Moolenbroek }
1058*00b67f09SDavid van Moolenbroek
1059*00b67f09SDavid van Moolenbroek /*
1060*00b67f09SDavid van Moolenbroek * Search a radix tree for an IP address for ordinary lookup
1061*00b67f09SDavid van Moolenbroek * or for a CIDR block adding or deleting an entry
1062*00b67f09SDavid van Moolenbroek *
1063*00b67f09SDavid van Moolenbroek * Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND,
1064*00b67f09SDavid van Moolenbroek * and *found=longest match node
1065*00b67f09SDavid van Moolenbroek * or with create==ISC_TRUE, ISC_R_EXISTS or ISC_R_NOMEMORY
1066*00b67f09SDavid van Moolenbroek */
1067*00b67f09SDavid van Moolenbroek static isc_result_t
search(dns_rpz_zones_t * rpzs,const dns_rpz_cidr_key_t * tgt_ip,dns_rpz_prefix_t tgt_prefix,const dns_rpz_addr_zbits_t * tgt_set,isc_boolean_t create,dns_rpz_cidr_node_t ** found)1068*00b67f09SDavid van Moolenbroek search(dns_rpz_zones_t *rpzs,
1069*00b67f09SDavid van Moolenbroek const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix,
1070*00b67f09SDavid van Moolenbroek const dns_rpz_addr_zbits_t *tgt_set, isc_boolean_t create,
1071*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t **found)
1072*00b67f09SDavid van Moolenbroek {
1073*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling;
1074*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t set;
1075*00b67f09SDavid van Moolenbroek int cur_num, child_num;
1076*00b67f09SDavid van Moolenbroek dns_rpz_prefix_t dbit;
1077*00b67f09SDavid van Moolenbroek isc_result_t find_result;
1078*00b67f09SDavid van Moolenbroek
1079*00b67f09SDavid van Moolenbroek set = *tgt_set;
1080*00b67f09SDavid van Moolenbroek find_result = ISC_R_NOTFOUND;
1081*00b67f09SDavid van Moolenbroek *found = NULL;
1082*00b67f09SDavid van Moolenbroek cur = rpzs->cidr;
1083*00b67f09SDavid van Moolenbroek parent = NULL;
1084*00b67f09SDavid van Moolenbroek cur_num = 0;
1085*00b67f09SDavid van Moolenbroek for (;;) {
1086*00b67f09SDavid van Moolenbroek if (cur == NULL) {
1087*00b67f09SDavid van Moolenbroek /*
1088*00b67f09SDavid van Moolenbroek * No child so we cannot go down.
1089*00b67f09SDavid van Moolenbroek * Quit with whatever we already found
1090*00b67f09SDavid van Moolenbroek * or add the target as a child of the current parent.
1091*00b67f09SDavid van Moolenbroek */
1092*00b67f09SDavid van Moolenbroek if (!create)
1093*00b67f09SDavid van Moolenbroek return (find_result);
1094*00b67f09SDavid van Moolenbroek child = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
1095*00b67f09SDavid van Moolenbroek if (child == NULL)
1096*00b67f09SDavid van Moolenbroek return (ISC_R_NOMEMORY);
1097*00b67f09SDavid van Moolenbroek if (parent == NULL)
1098*00b67f09SDavid van Moolenbroek rpzs->cidr = child;
1099*00b67f09SDavid van Moolenbroek else
1100*00b67f09SDavid van Moolenbroek parent->child[cur_num] = child;
1101*00b67f09SDavid van Moolenbroek child->parent = parent;
1102*00b67f09SDavid van Moolenbroek child->set.client_ip |= tgt_set->client_ip;
1103*00b67f09SDavid van Moolenbroek child->set.ip |= tgt_set->ip;
1104*00b67f09SDavid van Moolenbroek child->set.nsip |= tgt_set->nsip;
1105*00b67f09SDavid van Moolenbroek set_sum_pair(child);
1106*00b67f09SDavid van Moolenbroek *found = child;
1107*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1108*00b67f09SDavid van Moolenbroek }
1109*00b67f09SDavid van Moolenbroek
1110*00b67f09SDavid van Moolenbroek if ((cur->sum.client_ip & set.client_ip) == 0 &&
1111*00b67f09SDavid van Moolenbroek (cur->sum.ip & set.ip) == 0 &&
1112*00b67f09SDavid van Moolenbroek (cur->sum.nsip & set.nsip) == 0) {
1113*00b67f09SDavid van Moolenbroek /*
1114*00b67f09SDavid van Moolenbroek * This node has no relevant data
1115*00b67f09SDavid van Moolenbroek * and is in none of the target trees.
1116*00b67f09SDavid van Moolenbroek * Pretend it does not exist if we are not adding.
1117*00b67f09SDavid van Moolenbroek *
1118*00b67f09SDavid van Moolenbroek * If we are adding, continue down to eventually add
1119*00b67f09SDavid van Moolenbroek * a node and mark/put this node in the correct tree.
1120*00b67f09SDavid van Moolenbroek */
1121*00b67f09SDavid van Moolenbroek if (!create)
1122*00b67f09SDavid van Moolenbroek return (find_result);
1123*00b67f09SDavid van Moolenbroek }
1124*00b67f09SDavid van Moolenbroek
1125*00b67f09SDavid van Moolenbroek dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix);
1126*00b67f09SDavid van Moolenbroek /*
1127*00b67f09SDavid van Moolenbroek * dbit <= tgt_prefix and dbit <= cur->prefix always.
1128*00b67f09SDavid van Moolenbroek * We are finished searching if we matched all of the target.
1129*00b67f09SDavid van Moolenbroek */
1130*00b67f09SDavid van Moolenbroek if (dbit == tgt_prefix) {
1131*00b67f09SDavid van Moolenbroek if (tgt_prefix == cur->prefix) {
1132*00b67f09SDavid van Moolenbroek /*
1133*00b67f09SDavid van Moolenbroek * The node's key matches the target exactly.
1134*00b67f09SDavid van Moolenbroek */
1135*00b67f09SDavid van Moolenbroek if ((cur->set.client_ip & set.client_ip) != 0 ||
1136*00b67f09SDavid van Moolenbroek (cur->set.ip & set.ip) != 0 ||
1137*00b67f09SDavid van Moolenbroek (cur->set.nsip & set.nsip) != 0) {
1138*00b67f09SDavid van Moolenbroek /*
1139*00b67f09SDavid van Moolenbroek * It is the answer if it has data.
1140*00b67f09SDavid van Moolenbroek */
1141*00b67f09SDavid van Moolenbroek *found = cur;
1142*00b67f09SDavid van Moolenbroek if (create) {
1143*00b67f09SDavid van Moolenbroek find_result = ISC_R_EXISTS;
1144*00b67f09SDavid van Moolenbroek } else {
1145*00b67f09SDavid van Moolenbroek find_result = ISC_R_SUCCESS;
1146*00b67f09SDavid van Moolenbroek }
1147*00b67f09SDavid van Moolenbroek } else if (create) {
1148*00b67f09SDavid van Moolenbroek /*
1149*00b67f09SDavid van Moolenbroek * The node lacked relevant data,
1150*00b67f09SDavid van Moolenbroek * but will have it now.
1151*00b67f09SDavid van Moolenbroek */
1152*00b67f09SDavid van Moolenbroek cur->set.client_ip |= tgt_set->client_ip;
1153*00b67f09SDavid van Moolenbroek cur->set.ip |= tgt_set->ip;
1154*00b67f09SDavid van Moolenbroek cur->set.nsip |= tgt_set->nsip;
1155*00b67f09SDavid van Moolenbroek set_sum_pair(cur);
1156*00b67f09SDavid van Moolenbroek *found = cur;
1157*00b67f09SDavid van Moolenbroek find_result = ISC_R_SUCCESS;
1158*00b67f09SDavid van Moolenbroek }
1159*00b67f09SDavid van Moolenbroek return (find_result);
1160*00b67f09SDavid van Moolenbroek }
1161*00b67f09SDavid van Moolenbroek
1162*00b67f09SDavid van Moolenbroek /*
1163*00b67f09SDavid van Moolenbroek * We know tgt_prefix < cur->prefix which means that
1164*00b67f09SDavid van Moolenbroek * the target is shorter than the current node.
1165*00b67f09SDavid van Moolenbroek * Add the target as the current node's parent.
1166*00b67f09SDavid van Moolenbroek */
1167*00b67f09SDavid van Moolenbroek if (!create)
1168*00b67f09SDavid van Moolenbroek return (find_result);
1169*00b67f09SDavid van Moolenbroek
1170*00b67f09SDavid van Moolenbroek new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur);
1171*00b67f09SDavid van Moolenbroek if (new_parent == NULL)
1172*00b67f09SDavid van Moolenbroek return (ISC_R_NOMEMORY);
1173*00b67f09SDavid van Moolenbroek new_parent->parent = parent;
1174*00b67f09SDavid van Moolenbroek if (parent == NULL)
1175*00b67f09SDavid van Moolenbroek rpzs->cidr = new_parent;
1176*00b67f09SDavid van Moolenbroek else
1177*00b67f09SDavid van Moolenbroek parent->child[cur_num] = new_parent;
1178*00b67f09SDavid van Moolenbroek child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1);
1179*00b67f09SDavid van Moolenbroek new_parent->child[child_num] = cur;
1180*00b67f09SDavid van Moolenbroek cur->parent = new_parent;
1181*00b67f09SDavid van Moolenbroek new_parent->set = *tgt_set;
1182*00b67f09SDavid van Moolenbroek set_sum_pair(new_parent);
1183*00b67f09SDavid van Moolenbroek *found = new_parent;
1184*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1185*00b67f09SDavid van Moolenbroek }
1186*00b67f09SDavid van Moolenbroek
1187*00b67f09SDavid van Moolenbroek if (dbit == cur->prefix) {
1188*00b67f09SDavid van Moolenbroek if ((cur->set.client_ip & set.client_ip) != 0 ||
1189*00b67f09SDavid van Moolenbroek (cur->set.ip & set.ip) != 0 ||
1190*00b67f09SDavid van Moolenbroek (cur->set.nsip & set.nsip) != 0) {
1191*00b67f09SDavid van Moolenbroek /*
1192*00b67f09SDavid van Moolenbroek * We have a partial match between of all of the
1193*00b67f09SDavid van Moolenbroek * current node but only part of the target.
1194*00b67f09SDavid van Moolenbroek * Continue searching for other hits in the
1195*00b67f09SDavid van Moolenbroek * same or lower numbered trees.
1196*00b67f09SDavid van Moolenbroek */
1197*00b67f09SDavid van Moolenbroek find_result = DNS_R_PARTIALMATCH;
1198*00b67f09SDavid van Moolenbroek *found = cur;
1199*00b67f09SDavid van Moolenbroek set.client_ip = trim_zbits(set.client_ip,
1200*00b67f09SDavid van Moolenbroek cur->set.client_ip);
1201*00b67f09SDavid van Moolenbroek set.ip = trim_zbits(set.ip,
1202*00b67f09SDavid van Moolenbroek cur->set.ip);
1203*00b67f09SDavid van Moolenbroek set.nsip = trim_zbits(set.nsip,
1204*00b67f09SDavid van Moolenbroek cur->set.nsip);
1205*00b67f09SDavid van Moolenbroek }
1206*00b67f09SDavid van Moolenbroek parent = cur;
1207*00b67f09SDavid van Moolenbroek cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
1208*00b67f09SDavid van Moolenbroek cur = cur->child[cur_num];
1209*00b67f09SDavid van Moolenbroek continue;
1210*00b67f09SDavid van Moolenbroek }
1211*00b67f09SDavid van Moolenbroek
1212*00b67f09SDavid van Moolenbroek
1213*00b67f09SDavid van Moolenbroek /*
1214*00b67f09SDavid van Moolenbroek * dbit < tgt_prefix and dbit < cur->prefix,
1215*00b67f09SDavid van Moolenbroek * so we failed to match both the target and the current node.
1216*00b67f09SDavid van Moolenbroek * Insert a fork of a parent above the current node and
1217*00b67f09SDavid van Moolenbroek * add the target as a sibling of the current node
1218*00b67f09SDavid van Moolenbroek */
1219*00b67f09SDavid van Moolenbroek if (!create)
1220*00b67f09SDavid van Moolenbroek return (find_result);
1221*00b67f09SDavid van Moolenbroek
1222*00b67f09SDavid van Moolenbroek sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL);
1223*00b67f09SDavid van Moolenbroek if (sibling == NULL)
1224*00b67f09SDavid van Moolenbroek return (ISC_R_NOMEMORY);
1225*00b67f09SDavid van Moolenbroek new_parent = new_node(rpzs, tgt_ip, dbit, cur);
1226*00b67f09SDavid van Moolenbroek if (new_parent == NULL) {
1227*00b67f09SDavid van Moolenbroek isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling));
1228*00b67f09SDavid van Moolenbroek return (ISC_R_NOMEMORY);
1229*00b67f09SDavid van Moolenbroek }
1230*00b67f09SDavid van Moolenbroek new_parent->parent = parent;
1231*00b67f09SDavid van Moolenbroek if (parent == NULL)
1232*00b67f09SDavid van Moolenbroek rpzs->cidr = new_parent;
1233*00b67f09SDavid van Moolenbroek else
1234*00b67f09SDavid van Moolenbroek parent->child[cur_num] = new_parent;
1235*00b67f09SDavid van Moolenbroek child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit);
1236*00b67f09SDavid van Moolenbroek new_parent->child[child_num] = sibling;
1237*00b67f09SDavid van Moolenbroek new_parent->child[1-child_num] = cur;
1238*00b67f09SDavid van Moolenbroek cur->parent = new_parent;
1239*00b67f09SDavid van Moolenbroek sibling->parent = new_parent;
1240*00b67f09SDavid van Moolenbroek sibling->set = *tgt_set;
1241*00b67f09SDavid van Moolenbroek set_sum_pair(sibling);
1242*00b67f09SDavid van Moolenbroek *found = sibling;
1243*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1244*00b67f09SDavid van Moolenbroek }
1245*00b67f09SDavid van Moolenbroek }
1246*00b67f09SDavid van Moolenbroek
1247*00b67f09SDavid van Moolenbroek /*
1248*00b67f09SDavid van Moolenbroek * Add an IP address to the radix tree.
1249*00b67f09SDavid van Moolenbroek */
1250*00b67f09SDavid van Moolenbroek static isc_result_t
add_cidr(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,dns_name_t * src_name)1251*00b67f09SDavid van Moolenbroek add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
1252*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type, dns_name_t *src_name)
1253*00b67f09SDavid van Moolenbroek {
1254*00b67f09SDavid van Moolenbroek dns_rpz_cidr_key_t tgt_ip;
1255*00b67f09SDavid van Moolenbroek dns_rpz_prefix_t tgt_prefix;
1256*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t set;
1257*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *found;
1258*00b67f09SDavid van Moolenbroek isc_result_t result;
1259*00b67f09SDavid van Moolenbroek
1260*00b67f09SDavid van Moolenbroek result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type,
1261*00b67f09SDavid van Moolenbroek src_name, &tgt_ip, &tgt_prefix, &set);
1262*00b67f09SDavid van Moolenbroek /*
1263*00b67f09SDavid van Moolenbroek * Log complaints about bad owner names but let the zone load.
1264*00b67f09SDavid van Moolenbroek */
1265*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1266*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1267*00b67f09SDavid van Moolenbroek
1268*00b67f09SDavid van Moolenbroek result = search(rpzs, &tgt_ip, tgt_prefix, &set, ISC_TRUE, &found);
1269*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1270*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
1271*00b67f09SDavid van Moolenbroek
1272*00b67f09SDavid van Moolenbroek /*
1273*00b67f09SDavid van Moolenbroek * Do not worry if the radix tree already exists,
1274*00b67f09SDavid van Moolenbroek * because diff_apply() likes to add nodes before deleting.
1275*00b67f09SDavid van Moolenbroek */
1276*00b67f09SDavid van Moolenbroek if (result == ISC_R_EXISTS)
1277*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1278*00b67f09SDavid van Moolenbroek
1279*00b67f09SDavid van Moolenbroek /*
1280*00b67f09SDavid van Moolenbroek * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
1281*00b67f09SDavid van Moolenbroek */
1282*00b67f09SDavid van Moolenbroek dns_name_format(src_name, namebuf, sizeof(namebuf));
1283*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
1284*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
1285*00b67f09SDavid van Moolenbroek "rpz add_cidr(%s) failed: %s",
1286*00b67f09SDavid van Moolenbroek namebuf, isc_result_totext(result));
1287*00b67f09SDavid van Moolenbroek return (result);
1288*00b67f09SDavid van Moolenbroek }
1289*00b67f09SDavid van Moolenbroek
1290*00b67f09SDavid van Moolenbroek adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_TRUE);
1291*00b67f09SDavid van Moolenbroek return (result);
1292*00b67f09SDavid van Moolenbroek }
1293*00b67f09SDavid van Moolenbroek
1294*00b67f09SDavid van Moolenbroek static isc_result_t
add_nm(dns_rpz_zones_t * rpzs,dns_name_t * trig_name,const dns_rpz_nm_data_t * new_data)1295*00b67f09SDavid van Moolenbroek add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name,
1296*00b67f09SDavid van Moolenbroek const dns_rpz_nm_data_t *new_data)
1297*00b67f09SDavid van Moolenbroek {
1298*00b67f09SDavid van Moolenbroek dns_rbtnode_t *nmnode;
1299*00b67f09SDavid van Moolenbroek dns_rpz_nm_data_t *nm_data;
1300*00b67f09SDavid van Moolenbroek isc_result_t result;
1301*00b67f09SDavid van Moolenbroek
1302*00b67f09SDavid van Moolenbroek nmnode = NULL;
1303*00b67f09SDavid van Moolenbroek result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode);
1304*00b67f09SDavid van Moolenbroek switch (result) {
1305*00b67f09SDavid van Moolenbroek case ISC_R_SUCCESS:
1306*00b67f09SDavid van Moolenbroek case ISC_R_EXISTS:
1307*00b67f09SDavid van Moolenbroek nm_data = nmnode->data;
1308*00b67f09SDavid van Moolenbroek if (nm_data == NULL) {
1309*00b67f09SDavid van Moolenbroek nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data));
1310*00b67f09SDavid van Moolenbroek if (nm_data == NULL)
1311*00b67f09SDavid van Moolenbroek return (ISC_R_NOMEMORY);
1312*00b67f09SDavid van Moolenbroek *nm_data = *new_data;
1313*00b67f09SDavid van Moolenbroek nmnode->data = nm_data;
1314*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1315*00b67f09SDavid van Moolenbroek }
1316*00b67f09SDavid van Moolenbroek break;
1317*00b67f09SDavid van Moolenbroek default:
1318*00b67f09SDavid van Moolenbroek return (result);
1319*00b67f09SDavid van Moolenbroek }
1320*00b67f09SDavid van Moolenbroek
1321*00b67f09SDavid van Moolenbroek /*
1322*00b67f09SDavid van Moolenbroek * Do not count bits that are already present
1323*00b67f09SDavid van Moolenbroek */
1324*00b67f09SDavid van Moolenbroek if ((nm_data->set.qname & new_data->set.qname) != 0 ||
1325*00b67f09SDavid van Moolenbroek (nm_data->set.ns & new_data->set.ns) != 0 ||
1326*00b67f09SDavid van Moolenbroek (nm_data->wild.qname & new_data->wild.qname) != 0 ||
1327*00b67f09SDavid van Moolenbroek (nm_data->wild.ns & new_data->wild.ns) != 0)
1328*00b67f09SDavid van Moolenbroek return (ISC_R_EXISTS);
1329*00b67f09SDavid van Moolenbroek
1330*00b67f09SDavid van Moolenbroek nm_data->set.qname |= new_data->set.qname;
1331*00b67f09SDavid van Moolenbroek nm_data->set.ns |= new_data->set.ns;
1332*00b67f09SDavid van Moolenbroek nm_data->wild.qname |= new_data->wild.qname;
1333*00b67f09SDavid van Moolenbroek nm_data->wild.ns |= new_data->wild.ns;
1334*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1335*00b67f09SDavid van Moolenbroek }
1336*00b67f09SDavid van Moolenbroek
1337*00b67f09SDavid van Moolenbroek static isc_result_t
add_name(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,dns_name_t * src_name)1338*00b67f09SDavid van Moolenbroek add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
1339*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type, dns_name_t *src_name)
1340*00b67f09SDavid van Moolenbroek {
1341*00b67f09SDavid van Moolenbroek dns_rpz_nm_data_t new_data;
1342*00b67f09SDavid van Moolenbroek dns_fixedname_t trig_namef;
1343*00b67f09SDavid van Moolenbroek dns_name_t *trig_name;
1344*00b67f09SDavid van Moolenbroek isc_result_t result;
1345*00b67f09SDavid van Moolenbroek
1346*00b67f09SDavid van Moolenbroek /*
1347*00b67f09SDavid van Moolenbroek * No need for a summary database of names with only 1 policy zone.
1348*00b67f09SDavid van Moolenbroek */
1349*00b67f09SDavid van Moolenbroek if (rpzs->p.num_zones <= 1) {
1350*00b67f09SDavid van Moolenbroek adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
1351*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1352*00b67f09SDavid van Moolenbroek }
1353*00b67f09SDavid van Moolenbroek
1354*00b67f09SDavid van Moolenbroek dns_fixedname_init(&trig_namef);
1355*00b67f09SDavid van Moolenbroek trig_name = dns_fixedname_name(&trig_namef);
1356*00b67f09SDavid van Moolenbroek name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data);
1357*00b67f09SDavid van Moolenbroek
1358*00b67f09SDavid van Moolenbroek result = add_nm(rpzs, trig_name, &new_data);
1359*00b67f09SDavid van Moolenbroek
1360*00b67f09SDavid van Moolenbroek /*
1361*00b67f09SDavid van Moolenbroek * Do not worry if the node already exists,
1362*00b67f09SDavid van Moolenbroek * because diff_apply() likes to add nodes before deleting.
1363*00b67f09SDavid van Moolenbroek */
1364*00b67f09SDavid van Moolenbroek if (result == ISC_R_EXISTS)
1365*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1366*00b67f09SDavid van Moolenbroek if (result == ISC_R_SUCCESS)
1367*00b67f09SDavid van Moolenbroek adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE);
1368*00b67f09SDavid van Moolenbroek return (result);
1369*00b67f09SDavid van Moolenbroek }
1370*00b67f09SDavid van Moolenbroek
1371*00b67f09SDavid van Moolenbroek /*
1372*00b67f09SDavid van Moolenbroek * Callback to free the data for a node in the summary RBT database.
1373*00b67f09SDavid van Moolenbroek */
1374*00b67f09SDavid van Moolenbroek static void
rpz_node_deleter(void * nm_data,void * mctx)1375*00b67f09SDavid van Moolenbroek rpz_node_deleter(void *nm_data, void *mctx) {
1376*00b67f09SDavid van Moolenbroek isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t));
1377*00b67f09SDavid van Moolenbroek }
1378*00b67f09SDavid van Moolenbroek
1379*00b67f09SDavid van Moolenbroek /*
1380*00b67f09SDavid van Moolenbroek * Get ready for a new set of policy zones.
1381*00b67f09SDavid van Moolenbroek */
1382*00b67f09SDavid van Moolenbroek isc_result_t
dns_rpz_new_zones(dns_rpz_zones_t ** rpzsp,isc_mem_t * mctx)1383*00b67f09SDavid van Moolenbroek dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) {
1384*00b67f09SDavid van Moolenbroek dns_rpz_zones_t *new;
1385*00b67f09SDavid van Moolenbroek isc_result_t result;
1386*00b67f09SDavid van Moolenbroek
1387*00b67f09SDavid van Moolenbroek REQUIRE(rpzsp != NULL && *rpzsp == NULL);
1388*00b67f09SDavid van Moolenbroek
1389*00b67f09SDavid van Moolenbroek *rpzsp = NULL;
1390*00b67f09SDavid van Moolenbroek
1391*00b67f09SDavid van Moolenbroek new = isc_mem_get(mctx, sizeof(*new));
1392*00b67f09SDavid van Moolenbroek if (new == NULL)
1393*00b67f09SDavid van Moolenbroek return (ISC_R_NOMEMORY);
1394*00b67f09SDavid van Moolenbroek memset(new, 0, sizeof(*new));
1395*00b67f09SDavid van Moolenbroek
1396*00b67f09SDavid van Moolenbroek result = isc_rwlock_init(&new->search_lock, 0, 0);
1397*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1398*00b67f09SDavid van Moolenbroek isc_mem_put(mctx, new, sizeof(*new));
1399*00b67f09SDavid van Moolenbroek return (result);
1400*00b67f09SDavid van Moolenbroek }
1401*00b67f09SDavid van Moolenbroek
1402*00b67f09SDavid van Moolenbroek result = isc_mutex_init(&new->maint_lock);
1403*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1404*00b67f09SDavid van Moolenbroek isc_rwlock_destroy(&new->search_lock);
1405*00b67f09SDavid van Moolenbroek isc_mem_put(mctx, new, sizeof(*new));
1406*00b67f09SDavid van Moolenbroek return (result);
1407*00b67f09SDavid van Moolenbroek }
1408*00b67f09SDavid van Moolenbroek
1409*00b67f09SDavid van Moolenbroek result = isc_refcount_init(&new->refs, 1);
1410*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1411*00b67f09SDavid van Moolenbroek DESTROYLOCK(&new->maint_lock);
1412*00b67f09SDavid van Moolenbroek isc_rwlock_destroy(&new->search_lock);
1413*00b67f09SDavid van Moolenbroek isc_mem_put(mctx, new, sizeof(*new));
1414*00b67f09SDavid van Moolenbroek return (result);
1415*00b67f09SDavid van Moolenbroek }
1416*00b67f09SDavid van Moolenbroek
1417*00b67f09SDavid van Moolenbroek result = dns_rbt_create(mctx, rpz_node_deleter, mctx, &new->rbt);
1418*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1419*00b67f09SDavid van Moolenbroek isc_refcount_decrement(&new->refs, NULL);
1420*00b67f09SDavid van Moolenbroek isc_refcount_destroy(&new->refs);
1421*00b67f09SDavid van Moolenbroek DESTROYLOCK(&new->maint_lock);
1422*00b67f09SDavid van Moolenbroek isc_rwlock_destroy(&new->search_lock);
1423*00b67f09SDavid van Moolenbroek isc_mem_put(mctx, new, sizeof(*new));
1424*00b67f09SDavid van Moolenbroek return (result);
1425*00b67f09SDavid van Moolenbroek }
1426*00b67f09SDavid van Moolenbroek
1427*00b67f09SDavid van Moolenbroek isc_mem_attach(mctx, &new->mctx);
1428*00b67f09SDavid van Moolenbroek
1429*00b67f09SDavid van Moolenbroek *rpzsp = new;
1430*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1431*00b67f09SDavid van Moolenbroek }
1432*00b67f09SDavid van Moolenbroek
1433*00b67f09SDavid van Moolenbroek /*
1434*00b67f09SDavid van Moolenbroek * Free the radix tree of a response policy database.
1435*00b67f09SDavid van Moolenbroek */
1436*00b67f09SDavid van Moolenbroek static void
cidr_free(dns_rpz_zones_t * rpzs)1437*00b67f09SDavid van Moolenbroek cidr_free(dns_rpz_zones_t *rpzs) {
1438*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *cur, *child, *parent;
1439*00b67f09SDavid van Moolenbroek
1440*00b67f09SDavid van Moolenbroek cur = rpzs->cidr;
1441*00b67f09SDavid van Moolenbroek while (cur != NULL) {
1442*00b67f09SDavid van Moolenbroek /* Depth first. */
1443*00b67f09SDavid van Moolenbroek child = cur->child[0];
1444*00b67f09SDavid van Moolenbroek if (child != NULL) {
1445*00b67f09SDavid van Moolenbroek cur = child;
1446*00b67f09SDavid van Moolenbroek continue;
1447*00b67f09SDavid van Moolenbroek }
1448*00b67f09SDavid van Moolenbroek child = cur->child[1];
1449*00b67f09SDavid van Moolenbroek if (child != NULL) {
1450*00b67f09SDavid van Moolenbroek cur = child;
1451*00b67f09SDavid van Moolenbroek continue;
1452*00b67f09SDavid van Moolenbroek }
1453*00b67f09SDavid van Moolenbroek
1454*00b67f09SDavid van Moolenbroek /* Delete this leaf and go up. */
1455*00b67f09SDavid van Moolenbroek parent = cur->parent;
1456*00b67f09SDavid van Moolenbroek if (parent == NULL)
1457*00b67f09SDavid van Moolenbroek rpzs->cidr = NULL;
1458*00b67f09SDavid van Moolenbroek else
1459*00b67f09SDavid van Moolenbroek parent->child[parent->child[1] == cur] = NULL;
1460*00b67f09SDavid van Moolenbroek isc_mem_put(rpzs->mctx, cur, sizeof(*cur));
1461*00b67f09SDavid van Moolenbroek cur = parent;
1462*00b67f09SDavid van Moolenbroek }
1463*00b67f09SDavid van Moolenbroek }
1464*00b67f09SDavid van Moolenbroek
1465*00b67f09SDavid van Moolenbroek /*
1466*00b67f09SDavid van Moolenbroek * Discard a response policy zone blob
1467*00b67f09SDavid van Moolenbroek * before discarding the overall rpz structure.
1468*00b67f09SDavid van Moolenbroek */
1469*00b67f09SDavid van Moolenbroek static void
rpz_detach(dns_rpz_zone_t ** rpzp,dns_rpz_zones_t * rpzs)1470*00b67f09SDavid van Moolenbroek rpz_detach(dns_rpz_zone_t **rpzp, dns_rpz_zones_t *rpzs) {
1471*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
1472*00b67f09SDavid van Moolenbroek unsigned int refs;
1473*00b67f09SDavid van Moolenbroek
1474*00b67f09SDavid van Moolenbroek rpz = *rpzp;
1475*00b67f09SDavid van Moolenbroek *rpzp = NULL;
1476*00b67f09SDavid van Moolenbroek isc_refcount_decrement(&rpz->refs, &refs);
1477*00b67f09SDavid van Moolenbroek if (refs != 0)
1478*00b67f09SDavid van Moolenbroek return;
1479*00b67f09SDavid van Moolenbroek isc_refcount_destroy(&rpz->refs);
1480*00b67f09SDavid van Moolenbroek
1481*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->origin))
1482*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->origin, rpzs->mctx);
1483*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->client_ip))
1484*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->client_ip, rpzs->mctx);
1485*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->ip))
1486*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->ip, rpzs->mctx);
1487*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->nsdname))
1488*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->nsdname, rpzs->mctx);
1489*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->nsip))
1490*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->nsip, rpzs->mctx);
1491*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->passthru))
1492*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->passthru, rpzs->mctx);
1493*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->drop))
1494*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->drop, rpzs->mctx);
1495*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->tcp_only))
1496*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->tcp_only, rpzs->mctx);
1497*00b67f09SDavid van Moolenbroek if (dns_name_dynamic(&rpz->cname))
1498*00b67f09SDavid van Moolenbroek dns_name_free(&rpz->cname, rpzs->mctx);
1499*00b67f09SDavid van Moolenbroek
1500*00b67f09SDavid van Moolenbroek isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz));
1501*00b67f09SDavid van Moolenbroek }
1502*00b67f09SDavid van Moolenbroek
1503*00b67f09SDavid van Moolenbroek void
dns_rpz_attach_rpzs(dns_rpz_zones_t * rpzs,dns_rpz_zones_t ** rpzsp)1504*00b67f09SDavid van Moolenbroek dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) {
1505*00b67f09SDavid van Moolenbroek REQUIRE(rpzsp != NULL && *rpzsp == NULL);
1506*00b67f09SDavid van Moolenbroek isc_refcount_increment(&rpzs->refs, NULL);
1507*00b67f09SDavid van Moolenbroek *rpzsp = rpzs;
1508*00b67f09SDavid van Moolenbroek }
1509*00b67f09SDavid van Moolenbroek
1510*00b67f09SDavid van Moolenbroek /*
1511*00b67f09SDavid van Moolenbroek * Forget a view's policy zones.
1512*00b67f09SDavid van Moolenbroek */
1513*00b67f09SDavid van Moolenbroek void
dns_rpz_detach_rpzs(dns_rpz_zones_t ** rpzsp)1514*00b67f09SDavid van Moolenbroek dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) {
1515*00b67f09SDavid van Moolenbroek dns_rpz_zones_t *rpzs;
1516*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
1517*00b67f09SDavid van Moolenbroek dns_rpz_num_t rpz_num;
1518*00b67f09SDavid van Moolenbroek unsigned int refs;
1519*00b67f09SDavid van Moolenbroek
1520*00b67f09SDavid van Moolenbroek REQUIRE(rpzsp != NULL);
1521*00b67f09SDavid van Moolenbroek rpzs = *rpzsp;
1522*00b67f09SDavid van Moolenbroek REQUIRE(rpzs != NULL);
1523*00b67f09SDavid van Moolenbroek
1524*00b67f09SDavid van Moolenbroek *rpzsp = NULL;
1525*00b67f09SDavid van Moolenbroek isc_refcount_decrement(&rpzs->refs, &refs);
1526*00b67f09SDavid van Moolenbroek
1527*00b67f09SDavid van Moolenbroek /*
1528*00b67f09SDavid van Moolenbroek * Forget the last of view's rpz machinery after the last reference.
1529*00b67f09SDavid van Moolenbroek */
1530*00b67f09SDavid van Moolenbroek if (refs == 0) {
1531*00b67f09SDavid van Moolenbroek for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) {
1532*00b67f09SDavid van Moolenbroek rpz = rpzs->zones[rpz_num];
1533*00b67f09SDavid van Moolenbroek rpzs->zones[rpz_num] = NULL;
1534*00b67f09SDavid van Moolenbroek if (rpz != NULL)
1535*00b67f09SDavid van Moolenbroek rpz_detach(&rpz, rpzs);
1536*00b67f09SDavid van Moolenbroek }
1537*00b67f09SDavid van Moolenbroek
1538*00b67f09SDavid van Moolenbroek cidr_free(rpzs);
1539*00b67f09SDavid van Moolenbroek dns_rbt_destroy(&rpzs->rbt);
1540*00b67f09SDavid van Moolenbroek DESTROYLOCK(&rpzs->maint_lock);
1541*00b67f09SDavid van Moolenbroek isc_rwlock_destroy(&rpzs->search_lock);
1542*00b67f09SDavid van Moolenbroek isc_refcount_destroy(&rpzs->refs);
1543*00b67f09SDavid van Moolenbroek isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs));
1544*00b67f09SDavid van Moolenbroek }
1545*00b67f09SDavid van Moolenbroek }
1546*00b67f09SDavid van Moolenbroek
1547*00b67f09SDavid van Moolenbroek /*
1548*00b67f09SDavid van Moolenbroek * Create empty summary database to load one zone.
1549*00b67f09SDavid van Moolenbroek * The RBTDB write tree lock must be held.
1550*00b67f09SDavid van Moolenbroek */
1551*00b67f09SDavid van Moolenbroek isc_result_t
dns_rpz_beginload(dns_rpz_zones_t ** load_rpzsp,dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num)1552*00b67f09SDavid van Moolenbroek dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp,
1553*00b67f09SDavid van Moolenbroek dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num)
1554*00b67f09SDavid van Moolenbroek {
1555*00b67f09SDavid van Moolenbroek dns_rpz_zones_t *load_rpzs;
1556*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
1557*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t tgt;
1558*00b67f09SDavid van Moolenbroek isc_result_t result;
1559*00b67f09SDavid van Moolenbroek
1560*00b67f09SDavid van Moolenbroek REQUIRE(rpz_num < rpzs->p.num_zones);
1561*00b67f09SDavid van Moolenbroek rpz = rpzs->zones[rpz_num];
1562*00b67f09SDavid van Moolenbroek REQUIRE(rpz != NULL);
1563*00b67f09SDavid van Moolenbroek
1564*00b67f09SDavid van Moolenbroek /*
1565*00b67f09SDavid van Moolenbroek * When reloading a zone, there are usually records among the summary
1566*00b67f09SDavid van Moolenbroek * data for the zone. Some of those records might be deleted by the
1567*00b67f09SDavid van Moolenbroek * reloaded zone data. To deal with that case:
1568*00b67f09SDavid van Moolenbroek * reload the new zone data into a new blank summary database
1569*00b67f09SDavid van Moolenbroek * if the reload fails, discard the new summary database
1570*00b67f09SDavid van Moolenbroek * if the new zone data is acceptable, copy the records for the
1571*00b67f09SDavid van Moolenbroek * other zones into the new summary CIDR and RBT databases
1572*00b67f09SDavid van Moolenbroek * and replace the old summary databases with the new, and
1573*00b67f09SDavid van Moolenbroek * correct the triggers and have values for the updated
1574*00b67f09SDavid van Moolenbroek * zone.
1575*00b67f09SDavid van Moolenbroek *
1576*00b67f09SDavid van Moolenbroek * At the first attempt to load a zone, there is no summary data
1577*00b67f09SDavid van Moolenbroek * for the zone and so no records that need to be deleted.
1578*00b67f09SDavid van Moolenbroek * This is also the most common case of policy zone loading.
1579*00b67f09SDavid van Moolenbroek * Most policy zone maintenance should be by incremental changes
1580*00b67f09SDavid van Moolenbroek * and so by the addition and deletion of individual records.
1581*00b67f09SDavid van Moolenbroek * Detect that case and load records the first time into the
1582*00b67f09SDavid van Moolenbroek * operational summary database
1583*00b67f09SDavid van Moolenbroek */
1584*00b67f09SDavid van Moolenbroek tgt = DNS_RPZ_ZBIT(rpz_num);
1585*00b67f09SDavid van Moolenbroek LOCK(&rpzs->maint_lock);
1586*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1587*00b67f09SDavid van Moolenbroek if ((rpzs->load_begun & tgt) == 0) {
1588*00b67f09SDavid van Moolenbroek /*
1589*00b67f09SDavid van Moolenbroek * There is no existing version of the target zone.
1590*00b67f09SDavid van Moolenbroek */
1591*00b67f09SDavid van Moolenbroek rpzs->load_begun |= tgt;
1592*00b67f09SDavid van Moolenbroek dns_rpz_attach_rpzs(rpzs, load_rpzsp);
1593*00b67f09SDavid van Moolenbroek } else {
1594*00b67f09SDavid van Moolenbroek /*
1595*00b67f09SDavid van Moolenbroek * Setup the new RPZ struct with empty summary trees.
1596*00b67f09SDavid van Moolenbroek */
1597*00b67f09SDavid van Moolenbroek result = dns_rpz_new_zones(load_rpzsp, rpzs->mctx);
1598*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1599*00b67f09SDavid van Moolenbroek return (result);
1600*00b67f09SDavid van Moolenbroek load_rpzs = *load_rpzsp;
1601*00b67f09SDavid van Moolenbroek /*
1602*00b67f09SDavid van Moolenbroek * Initialize some members so that dns_rpz_add() works.
1603*00b67f09SDavid van Moolenbroek */
1604*00b67f09SDavid van Moolenbroek load_rpzs->p.num_zones = rpzs->p.num_zones;
1605*00b67f09SDavid van Moolenbroek memset(&load_rpzs->triggers, 0, sizeof(load_rpzs->triggers));
1606*00b67f09SDavid van Moolenbroek load_rpzs->zones[rpz_num] = rpz;
1607*00b67f09SDavid van Moolenbroek isc_refcount_increment(&rpz->refs, NULL);
1608*00b67f09SDavid van Moolenbroek }
1609*00b67f09SDavid van Moolenbroek
1610*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1611*00b67f09SDavid van Moolenbroek UNLOCK(&rpzs->maint_lock);
1612*00b67f09SDavid van Moolenbroek
1613*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1614*00b67f09SDavid van Moolenbroek }
1615*00b67f09SDavid van Moolenbroek
1616*00b67f09SDavid van Moolenbroek /*
1617*00b67f09SDavid van Moolenbroek * This function updates "have" bits and also the qname_skip_recurse
1618*00b67f09SDavid van Moolenbroek * mask. It must be called when holding a write lock on rpzs->search_lock.
1619*00b67f09SDavid van Moolenbroek */
1620*00b67f09SDavid van Moolenbroek static void
fix_triggers(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num)1621*00b67f09SDavid van Moolenbroek fix_triggers(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) {
1622*00b67f09SDavid van Moolenbroek dns_rpz_num_t n;
1623*00b67f09SDavid van Moolenbroek dns_rpz_triggers_t old_totals;
1624*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t zbit;
1625*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
1626*00b67f09SDavid van Moolenbroek
1627*00b67f09SDavid van Moolenbroek /*
1628*00b67f09SDavid van Moolenbroek * rpzs->total_triggers is only used to log a message below.
1629*00b67f09SDavid van Moolenbroek */
1630*00b67f09SDavid van Moolenbroek
1631*00b67f09SDavid van Moolenbroek memmove(&old_totals, &rpzs->total_triggers, sizeof(old_totals));
1632*00b67f09SDavid van Moolenbroek memset(&rpzs->total_triggers, 0, sizeof(rpzs->total_triggers));
1633*00b67f09SDavid van Moolenbroek
1634*00b67f09SDavid van Moolenbroek #define SET_TRIG(n, zbit, type) \
1635*00b67f09SDavid van Moolenbroek if (rpzs->triggers[n].type == 0) { \
1636*00b67f09SDavid van Moolenbroek rpzs->have.type &= ~zbit; \
1637*00b67f09SDavid van Moolenbroek } else { \
1638*00b67f09SDavid van Moolenbroek rpzs->total_triggers.type += rpzs->triggers[n].type; \
1639*00b67f09SDavid van Moolenbroek rpzs->have.type |= zbit; \
1640*00b67f09SDavid van Moolenbroek }
1641*00b67f09SDavid van Moolenbroek
1642*00b67f09SDavid van Moolenbroek for (n = 0; n < rpzs->p.num_zones; ++n) {
1643*00b67f09SDavid van Moolenbroek zbit = DNS_RPZ_ZBIT(n);
1644*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, client_ipv4);
1645*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, client_ipv6);
1646*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, qname);
1647*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, ipv4);
1648*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, ipv6);
1649*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, nsdname);
1650*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, nsipv4);
1651*00b67f09SDavid van Moolenbroek SET_TRIG(n, zbit, nsipv6);
1652*00b67f09SDavid van Moolenbroek }
1653*00b67f09SDavid van Moolenbroek
1654*00b67f09SDavid van Moolenbroek #undef SET_TRIG
1655*00b67f09SDavid van Moolenbroek
1656*00b67f09SDavid van Moolenbroek fix_qname_skip_recurse(rpzs);
1657*00b67f09SDavid van Moolenbroek
1658*00b67f09SDavid van Moolenbroek dns_name_format(&rpzs->zones[rpz_num]->origin,
1659*00b67f09SDavid van Moolenbroek namebuf, sizeof(namebuf));
1660*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
1661*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL,
1662*00b67f09SDavid van Moolenbroek "(re)loading policy zone '%s' changed from"
1663*00b67f09SDavid van Moolenbroek " %lu to %lu qname, %lu to %lu nsdname,"
1664*00b67f09SDavid van Moolenbroek " %lu to %lu IP, %lu to %lu NSIP,"
1665*00b67f09SDavid van Moolenbroek " %lu to %lu CLIENTIP entries",
1666*00b67f09SDavid van Moolenbroek namebuf,
1667*00b67f09SDavid van Moolenbroek (unsigned long) old_totals.qname,
1668*00b67f09SDavid van Moolenbroek (unsigned long) rpzs->total_triggers.qname,
1669*00b67f09SDavid van Moolenbroek (unsigned long) old_totals.nsdname,
1670*00b67f09SDavid van Moolenbroek (unsigned long) rpzs->total_triggers.nsdname,
1671*00b67f09SDavid van Moolenbroek (unsigned long) old_totals.ipv4 + old_totals.ipv6,
1672*00b67f09SDavid van Moolenbroek (unsigned long) (rpzs->total_triggers.ipv4 +
1673*00b67f09SDavid van Moolenbroek rpzs->total_triggers.ipv6),
1674*00b67f09SDavid van Moolenbroek (unsigned long) old_totals.nsipv4 + old_totals.nsipv6,
1675*00b67f09SDavid van Moolenbroek (unsigned long) (rpzs->total_triggers.nsipv4 +
1676*00b67f09SDavid van Moolenbroek rpzs->total_triggers.nsipv6),
1677*00b67f09SDavid van Moolenbroek (unsigned long) old_totals.client_ipv4 +
1678*00b67f09SDavid van Moolenbroek old_totals.client_ipv6,
1679*00b67f09SDavid van Moolenbroek (unsigned long) (rpzs->total_triggers.client_ipv4 +
1680*00b67f09SDavid van Moolenbroek rpzs->total_triggers.client_ipv6));
1681*00b67f09SDavid van Moolenbroek }
1682*00b67f09SDavid van Moolenbroek
1683*00b67f09SDavid van Moolenbroek /*
1684*00b67f09SDavid van Moolenbroek * Finish loading one zone. This function is called during a commit when
1685*00b67f09SDavid van Moolenbroek * a RPZ zone loading is complete. The RBTDB write tree lock must be
1686*00b67f09SDavid van Moolenbroek * held.
1687*00b67f09SDavid van Moolenbroek *
1688*00b67f09SDavid van Moolenbroek * Here, rpzs is a pointer to the view's common rpzs
1689*00b67f09SDavid van Moolenbroek * structure. *load_rpzsp is a rpzs structure that is local to the
1690*00b67f09SDavid van Moolenbroek * RBTDB, which is used during a single zone's load.
1691*00b67f09SDavid van Moolenbroek *
1692*00b67f09SDavid van Moolenbroek * During the zone load, i.e., between dns_rpz_beginload() and
1693*00b67f09SDavid van Moolenbroek * dns_rpz_ready(), only the zone that is being loaded updates
1694*00b67f09SDavid van Moolenbroek * *load_rpzsp. These updates in the summary databases inside load_rpzsp
1695*00b67f09SDavid van Moolenbroek * are made only for the rpz_num (and corresponding bit) of that
1696*00b67f09SDavid van Moolenbroek * zone. Nothing else reads or writes *load_rpzsp. The view's common
1697*00b67f09SDavid van Moolenbroek * rpzs is used during this time for queries.
1698*00b67f09SDavid van Moolenbroek *
1699*00b67f09SDavid van Moolenbroek * When zone loading is complete and we arrive here, the parts of the
1700*00b67f09SDavid van Moolenbroek * summary databases (CIDR and nsdname+qname RBT trees) from the view's
1701*00b67f09SDavid van Moolenbroek * common rpzs struct have to be merged into the summary databases of
1702*00b67f09SDavid van Moolenbroek * *load_rpzsp, as the summary databases of the view's common rpzs
1703*00b67f09SDavid van Moolenbroek * struct may have changed during the time the zone was being loaded.
1704*00b67f09SDavid van Moolenbroek *
1705*00b67f09SDavid van Moolenbroek * The function below carries out the merge. During the merge, it holds
1706*00b67f09SDavid van Moolenbroek * the maint_lock of the view's common rpzs struct so that it is not
1707*00b67f09SDavid van Moolenbroek * updated while the merging is taking place.
1708*00b67f09SDavid van Moolenbroek *
1709*00b67f09SDavid van Moolenbroek * After the merging is carried out, *load_rpzsp contains the most
1710*00b67f09SDavid van Moolenbroek * current state of the rpzs structure, i.e., the summary trees contain
1711*00b67f09SDavid van Moolenbroek * data for the new zone that was just loaded, as well as all other
1712*00b67f09SDavid van Moolenbroek * zones.
1713*00b67f09SDavid van Moolenbroek *
1714*00b67f09SDavid van Moolenbroek * Pointers to the summary databases of *load_rpzsp (CIDR and
1715*00b67f09SDavid van Moolenbroek * nsdname+qname RBT trees) are then swapped into the view's common rpz
1716*00b67f09SDavid van Moolenbroek * struct, so that the query path can continue using it. During the
1717*00b67f09SDavid van Moolenbroek * swap, the search_lock of the view's common rpz struct is acquired so
1718*00b67f09SDavid van Moolenbroek * that queries are paused while this swap occurs.
1719*00b67f09SDavid van Moolenbroek *
1720*00b67f09SDavid van Moolenbroek * The trigger counts for the new zone are also copied into the view's
1721*00b67f09SDavid van Moolenbroek * common rpz struct, and some other summary counts and masks are
1722*00b67f09SDavid van Moolenbroek * updated.
1723*00b67f09SDavid van Moolenbroek */
1724*00b67f09SDavid van Moolenbroek isc_result_t
dns_rpz_ready(dns_rpz_zones_t * rpzs,dns_rpz_zones_t ** load_rpzsp,dns_rpz_num_t rpz_num)1725*00b67f09SDavid van Moolenbroek dns_rpz_ready(dns_rpz_zones_t *rpzs,
1726*00b67f09SDavid van Moolenbroek dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num)
1727*00b67f09SDavid van Moolenbroek {
1728*00b67f09SDavid van Moolenbroek dns_rpz_zones_t *load_rpzs;
1729*00b67f09SDavid van Moolenbroek const dns_rpz_cidr_node_t *cnode, *next_cnode, *parent_cnode;
1730*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *found;
1731*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t new_bit;
1732*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t new_ip;
1733*00b67f09SDavid van Moolenbroek dns_rbt_t *rbt;
1734*00b67f09SDavid van Moolenbroek dns_rbtnodechain_t chain;
1735*00b67f09SDavid van Moolenbroek dns_rbtnode_t *nmnode;
1736*00b67f09SDavid van Moolenbroek dns_rpz_nm_data_t *nm_data, new_data;
1737*00b67f09SDavid van Moolenbroek dns_fixedname_t labelf, originf, namef;
1738*00b67f09SDavid van Moolenbroek dns_name_t *label, *origin, *name;
1739*00b67f09SDavid van Moolenbroek isc_result_t result;
1740*00b67f09SDavid van Moolenbroek
1741*00b67f09SDavid van Moolenbroek INSIST(rpzs != NULL);
1742*00b67f09SDavid van Moolenbroek LOCK(&rpzs->maint_lock);
1743*00b67f09SDavid van Moolenbroek load_rpzs = *load_rpzsp;
1744*00b67f09SDavid van Moolenbroek INSIST(load_rpzs != NULL);
1745*00b67f09SDavid van Moolenbroek
1746*00b67f09SDavid van Moolenbroek if (load_rpzs == rpzs) {
1747*00b67f09SDavid van Moolenbroek /*
1748*00b67f09SDavid van Moolenbroek * This is a successful initial zone loading, perhaps
1749*00b67f09SDavid van Moolenbroek * for a new instance of a view.
1750*00b67f09SDavid van Moolenbroek */
1751*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1752*00b67f09SDavid van Moolenbroek fix_triggers(rpzs, rpz_num);
1753*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1754*00b67f09SDavid van Moolenbroek UNLOCK(&rpzs->maint_lock);
1755*00b67f09SDavid van Moolenbroek dns_rpz_detach_rpzs(load_rpzsp);
1756*00b67f09SDavid van Moolenbroek return (ISC_R_SUCCESS);
1757*00b67f09SDavid van Moolenbroek }
1758*00b67f09SDavid van Moolenbroek
1759*00b67f09SDavid van Moolenbroek LOCK(&load_rpzs->maint_lock);
1760*00b67f09SDavid van Moolenbroek RWLOCK(&load_rpzs->search_lock, isc_rwlocktype_write);
1761*00b67f09SDavid van Moolenbroek
1762*00b67f09SDavid van Moolenbroek /*
1763*00b67f09SDavid van Moolenbroek * Unless there is only one policy zone, copy the other policy zones
1764*00b67f09SDavid van Moolenbroek * from the old policy structure to the new summary databases.
1765*00b67f09SDavid van Moolenbroek */
1766*00b67f09SDavid van Moolenbroek if (rpzs->p.num_zones > 1) {
1767*00b67f09SDavid van Moolenbroek new_bit = ~DNS_RPZ_ZBIT(rpz_num);
1768*00b67f09SDavid van Moolenbroek
1769*00b67f09SDavid van Moolenbroek /*
1770*00b67f09SDavid van Moolenbroek * Copy to the radix tree.
1771*00b67f09SDavid van Moolenbroek */
1772*00b67f09SDavid van Moolenbroek for (cnode = rpzs->cidr; cnode != NULL; cnode = next_cnode) {
1773*00b67f09SDavid van Moolenbroek new_ip.ip = cnode->set.ip & new_bit;
1774*00b67f09SDavid van Moolenbroek new_ip.client_ip = cnode->set.client_ip & new_bit;
1775*00b67f09SDavid van Moolenbroek new_ip.nsip = cnode->set.nsip & new_bit;
1776*00b67f09SDavid van Moolenbroek if (new_ip.client_ip != 0 ||
1777*00b67f09SDavid van Moolenbroek new_ip.ip != 0 ||
1778*00b67f09SDavid van Moolenbroek new_ip.nsip != 0) {
1779*00b67f09SDavid van Moolenbroek result = search(load_rpzs,
1780*00b67f09SDavid van Moolenbroek &cnode->ip, cnode->prefix,
1781*00b67f09SDavid van Moolenbroek &new_ip, ISC_TRUE, &found);
1782*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOMEMORY)
1783*00b67f09SDavid van Moolenbroek goto unlock_and_detach;
1784*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_SUCCESS);
1785*00b67f09SDavid van Moolenbroek }
1786*00b67f09SDavid van Moolenbroek /*
1787*00b67f09SDavid van Moolenbroek * Do down and to the left as far as possible.
1788*00b67f09SDavid van Moolenbroek */
1789*00b67f09SDavid van Moolenbroek next_cnode = cnode->child[0];
1790*00b67f09SDavid van Moolenbroek if (next_cnode != NULL)
1791*00b67f09SDavid van Moolenbroek continue;
1792*00b67f09SDavid van Moolenbroek /*
1793*00b67f09SDavid van Moolenbroek * Go up until we find a branch to the right where
1794*00b67f09SDavid van Moolenbroek * we previously took the branch to the left.
1795*00b67f09SDavid van Moolenbroek */
1796*00b67f09SDavid van Moolenbroek for (;;) {
1797*00b67f09SDavid van Moolenbroek parent_cnode = cnode->parent;
1798*00b67f09SDavid van Moolenbroek if (parent_cnode == NULL)
1799*00b67f09SDavid van Moolenbroek break;
1800*00b67f09SDavid van Moolenbroek if (parent_cnode->child[0] == cnode) {
1801*00b67f09SDavid van Moolenbroek next_cnode = parent_cnode->child[1];
1802*00b67f09SDavid van Moolenbroek if (next_cnode != NULL)
1803*00b67f09SDavid van Moolenbroek break;
1804*00b67f09SDavid van Moolenbroek }
1805*00b67f09SDavid van Moolenbroek cnode = parent_cnode;
1806*00b67f09SDavid van Moolenbroek }
1807*00b67f09SDavid van Moolenbroek }
1808*00b67f09SDavid van Moolenbroek
1809*00b67f09SDavid van Moolenbroek /*
1810*00b67f09SDavid van Moolenbroek * Copy to the summary RBT.
1811*00b67f09SDavid van Moolenbroek */
1812*00b67f09SDavid van Moolenbroek dns_fixedname_init(&namef);
1813*00b67f09SDavid van Moolenbroek name = dns_fixedname_name(&namef);
1814*00b67f09SDavid van Moolenbroek dns_fixedname_init(&labelf);
1815*00b67f09SDavid van Moolenbroek label = dns_fixedname_name(&labelf);
1816*00b67f09SDavid van Moolenbroek dns_fixedname_init(&originf);
1817*00b67f09SDavid van Moolenbroek origin = dns_fixedname_name(&originf);
1818*00b67f09SDavid van Moolenbroek dns_rbtnodechain_init(&chain, NULL);
1819*00b67f09SDavid van Moolenbroek result = dns_rbtnodechain_first(&chain, rpzs->rbt, NULL, NULL);
1820*00b67f09SDavid van Moolenbroek while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) {
1821*00b67f09SDavid van Moolenbroek result = dns_rbtnodechain_current(&chain, label, origin,
1822*00b67f09SDavid van Moolenbroek &nmnode);
1823*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_SUCCESS);
1824*00b67f09SDavid van Moolenbroek nm_data = nmnode->data;
1825*00b67f09SDavid van Moolenbroek if (nm_data != NULL) {
1826*00b67f09SDavid van Moolenbroek new_data.set.qname = (nm_data->set.qname &
1827*00b67f09SDavid van Moolenbroek new_bit);
1828*00b67f09SDavid van Moolenbroek new_data.set.ns = nm_data->set.ns & new_bit;
1829*00b67f09SDavid van Moolenbroek new_data.wild.qname = (nm_data->wild.qname &
1830*00b67f09SDavid van Moolenbroek new_bit);
1831*00b67f09SDavid van Moolenbroek new_data.wild.ns = nm_data->wild.ns & new_bit;
1832*00b67f09SDavid van Moolenbroek if (new_data.set.qname != 0 ||
1833*00b67f09SDavid van Moolenbroek new_data.set.ns != 0 ||
1834*00b67f09SDavid van Moolenbroek new_data.wild.qname != 0 ||
1835*00b67f09SDavid van Moolenbroek new_data.wild.ns != 0) {
1836*00b67f09SDavid van Moolenbroek result = dns_name_concatenate(label,
1837*00b67f09SDavid van Moolenbroek origin, name, NULL);
1838*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_SUCCESS);
1839*00b67f09SDavid van Moolenbroek result = add_nm(load_rpzs, name,
1840*00b67f09SDavid van Moolenbroek &new_data);
1841*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1842*00b67f09SDavid van Moolenbroek goto unlock_and_detach;
1843*00b67f09SDavid van Moolenbroek }
1844*00b67f09SDavid van Moolenbroek }
1845*00b67f09SDavid van Moolenbroek result = dns_rbtnodechain_next(&chain, NULL, NULL);
1846*00b67f09SDavid van Moolenbroek }
1847*00b67f09SDavid van Moolenbroek if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) {
1848*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
1849*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
1850*00b67f09SDavid van Moolenbroek "dns_rpz_ready(): unexpected %s",
1851*00b67f09SDavid van Moolenbroek isc_result_totext(result));
1852*00b67f09SDavid van Moolenbroek goto unlock_and_detach;
1853*00b67f09SDavid van Moolenbroek }
1854*00b67f09SDavid van Moolenbroek }
1855*00b67f09SDavid van Moolenbroek
1856*00b67f09SDavid van Moolenbroek /*
1857*00b67f09SDavid van Moolenbroek * Exchange the summary databases.
1858*00b67f09SDavid van Moolenbroek */
1859*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1860*00b67f09SDavid van Moolenbroek
1861*00b67f09SDavid van Moolenbroek rpzs->triggers[rpz_num] = load_rpzs->triggers[rpz_num];
1862*00b67f09SDavid van Moolenbroek fix_triggers(rpzs, rpz_num);
1863*00b67f09SDavid van Moolenbroek
1864*00b67f09SDavid van Moolenbroek found = rpzs->cidr;
1865*00b67f09SDavid van Moolenbroek rpzs->cidr = load_rpzs->cidr;
1866*00b67f09SDavid van Moolenbroek load_rpzs->cidr = found;
1867*00b67f09SDavid van Moolenbroek
1868*00b67f09SDavid van Moolenbroek rbt = rpzs->rbt;
1869*00b67f09SDavid van Moolenbroek rpzs->rbt = load_rpzs->rbt;
1870*00b67f09SDavid van Moolenbroek load_rpzs->rbt = rbt;
1871*00b67f09SDavid van Moolenbroek
1872*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1873*00b67f09SDavid van Moolenbroek
1874*00b67f09SDavid van Moolenbroek result = ISC_R_SUCCESS;
1875*00b67f09SDavid van Moolenbroek
1876*00b67f09SDavid van Moolenbroek unlock_and_detach:
1877*00b67f09SDavid van Moolenbroek UNLOCK(&rpzs->maint_lock);
1878*00b67f09SDavid van Moolenbroek RWUNLOCK(&load_rpzs->search_lock, isc_rwlocktype_write);
1879*00b67f09SDavid van Moolenbroek UNLOCK(&load_rpzs->maint_lock);
1880*00b67f09SDavid van Moolenbroek dns_rpz_detach_rpzs(load_rpzsp);
1881*00b67f09SDavid van Moolenbroek return (result);
1882*00b67f09SDavid van Moolenbroek }
1883*00b67f09SDavid van Moolenbroek
1884*00b67f09SDavid van Moolenbroek /*
1885*00b67f09SDavid van Moolenbroek * Add an IP address to the radix tree or a name to the summary database.
1886*00b67f09SDavid van Moolenbroek */
1887*00b67f09SDavid van Moolenbroek isc_result_t
dns_rpz_add(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_name_t * src_name)1888*00b67f09SDavid van Moolenbroek dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *src_name)
1889*00b67f09SDavid van Moolenbroek {
1890*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
1891*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type;
1892*00b67f09SDavid van Moolenbroek isc_result_t result = ISC_R_FAILURE;
1893*00b67f09SDavid van Moolenbroek
1894*00b67f09SDavid van Moolenbroek REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
1895*00b67f09SDavid van Moolenbroek rpz = rpzs->zones[rpz_num];
1896*00b67f09SDavid van Moolenbroek REQUIRE(rpz != NULL);
1897*00b67f09SDavid van Moolenbroek
1898*00b67f09SDavid van Moolenbroek rpz_type = type_from_name(rpz, src_name);
1899*00b67f09SDavid van Moolenbroek
1900*00b67f09SDavid van Moolenbroek LOCK(&rpzs->maint_lock);
1901*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1902*00b67f09SDavid van Moolenbroek
1903*00b67f09SDavid van Moolenbroek switch (rpz_type) {
1904*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_QNAME:
1905*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSDNAME:
1906*00b67f09SDavid van Moolenbroek result = add_name(rpzs, rpz_num, rpz_type, src_name);
1907*00b67f09SDavid van Moolenbroek break;
1908*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
1909*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
1910*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
1911*00b67f09SDavid van Moolenbroek result = add_cidr(rpzs, rpz_num, rpz_type, src_name);
1912*00b67f09SDavid van Moolenbroek break;
1913*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_BAD:
1914*00b67f09SDavid van Moolenbroek break;
1915*00b67f09SDavid van Moolenbroek }
1916*00b67f09SDavid van Moolenbroek
1917*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
1918*00b67f09SDavid van Moolenbroek UNLOCK(&rpzs->maint_lock);
1919*00b67f09SDavid van Moolenbroek return (result);
1920*00b67f09SDavid van Moolenbroek }
1921*00b67f09SDavid van Moolenbroek
1922*00b67f09SDavid van Moolenbroek /*
1923*00b67f09SDavid van Moolenbroek * Remove an IP address from the radix tree.
1924*00b67f09SDavid van Moolenbroek */
1925*00b67f09SDavid van Moolenbroek static void
del_cidr(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,dns_name_t * src_name)1926*00b67f09SDavid van Moolenbroek del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
1927*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type, dns_name_t *src_name)
1928*00b67f09SDavid van Moolenbroek {
1929*00b67f09SDavid van Moolenbroek isc_result_t result;
1930*00b67f09SDavid van Moolenbroek dns_rpz_cidr_key_t tgt_ip;
1931*00b67f09SDavid van Moolenbroek dns_rpz_prefix_t tgt_prefix;
1932*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t tgt_set;
1933*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *tgt, *parent, *child;
1934*00b67f09SDavid van Moolenbroek
1935*00b67f09SDavid van Moolenbroek /*
1936*00b67f09SDavid van Moolenbroek * Do not worry about invalid rpz IP address names. If we
1937*00b67f09SDavid van Moolenbroek * are here, then something relevant was added and so was
1938*00b67f09SDavid van Moolenbroek * valid. Invalid names here are usually internal RBTDB nodes.
1939*00b67f09SDavid van Moolenbroek */
1940*00b67f09SDavid van Moolenbroek result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type,
1941*00b67f09SDavid van Moolenbroek src_name, &tgt_ip, &tgt_prefix, &tgt_set);
1942*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS)
1943*00b67f09SDavid van Moolenbroek return;
1944*00b67f09SDavid van Moolenbroek
1945*00b67f09SDavid van Moolenbroek result = search(rpzs, &tgt_ip, tgt_prefix, &tgt_set, ISC_FALSE, &tgt);
1946*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
1947*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_NOTFOUND ||
1948*00b67f09SDavid van Moolenbroek result == DNS_R_PARTIALMATCH);
1949*00b67f09SDavid van Moolenbroek /*
1950*00b67f09SDavid van Moolenbroek * Do not worry about missing summary RBT nodes that probably
1951*00b67f09SDavid van Moolenbroek * correspond to RBTDB nodes that were implicit RBT nodes
1952*00b67f09SDavid van Moolenbroek * that were later added for (often empty) wildcards
1953*00b67f09SDavid van Moolenbroek * and then to the RBTDB deferred cleanup list.
1954*00b67f09SDavid van Moolenbroek */
1955*00b67f09SDavid van Moolenbroek return;
1956*00b67f09SDavid van Moolenbroek }
1957*00b67f09SDavid van Moolenbroek
1958*00b67f09SDavid van Moolenbroek /*
1959*00b67f09SDavid van Moolenbroek * Mark the node and its parents to reflect the deleted IP address.
1960*00b67f09SDavid van Moolenbroek * Do not count bits that are already clear for internal RBTDB nodes.
1961*00b67f09SDavid van Moolenbroek */
1962*00b67f09SDavid van Moolenbroek tgt_set.client_ip &= tgt->set.client_ip;
1963*00b67f09SDavid van Moolenbroek tgt_set.ip &= tgt->set.ip;
1964*00b67f09SDavid van Moolenbroek tgt_set.nsip &= tgt->set.nsip;
1965*00b67f09SDavid van Moolenbroek tgt->set.client_ip &= ~tgt_set.client_ip;
1966*00b67f09SDavid van Moolenbroek tgt->set.ip &= ~tgt_set.ip;
1967*00b67f09SDavid van Moolenbroek tgt->set.nsip &= ~tgt_set.nsip;
1968*00b67f09SDavid van Moolenbroek set_sum_pair(tgt);
1969*00b67f09SDavid van Moolenbroek
1970*00b67f09SDavid van Moolenbroek adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_FALSE);
1971*00b67f09SDavid van Moolenbroek
1972*00b67f09SDavid van Moolenbroek /*
1973*00b67f09SDavid van Moolenbroek * We might need to delete 2 nodes.
1974*00b67f09SDavid van Moolenbroek */
1975*00b67f09SDavid van Moolenbroek do {
1976*00b67f09SDavid van Moolenbroek /*
1977*00b67f09SDavid van Moolenbroek * The node is now useless if it has no data of its own
1978*00b67f09SDavid van Moolenbroek * and 0 or 1 children. We are finished if it is not useless.
1979*00b67f09SDavid van Moolenbroek */
1980*00b67f09SDavid van Moolenbroek if ((child = tgt->child[0]) != NULL) {
1981*00b67f09SDavid van Moolenbroek if (tgt->child[1] != NULL)
1982*00b67f09SDavid van Moolenbroek break;
1983*00b67f09SDavid van Moolenbroek } else {
1984*00b67f09SDavid van Moolenbroek child = tgt->child[1];
1985*00b67f09SDavid van Moolenbroek }
1986*00b67f09SDavid van Moolenbroek if (tgt->set.client_ip != 0 ||
1987*00b67f09SDavid van Moolenbroek tgt->set.ip != 0 ||
1988*00b67f09SDavid van Moolenbroek tgt->set.nsip != 0)
1989*00b67f09SDavid van Moolenbroek break;
1990*00b67f09SDavid van Moolenbroek
1991*00b67f09SDavid van Moolenbroek /*
1992*00b67f09SDavid van Moolenbroek * Replace the pointer to this node in the parent with
1993*00b67f09SDavid van Moolenbroek * the remaining child or NULL.
1994*00b67f09SDavid van Moolenbroek */
1995*00b67f09SDavid van Moolenbroek parent = tgt->parent;
1996*00b67f09SDavid van Moolenbroek if (parent == NULL) {
1997*00b67f09SDavid van Moolenbroek rpzs->cidr = child;
1998*00b67f09SDavid van Moolenbroek } else {
1999*00b67f09SDavid van Moolenbroek parent->child[parent->child[1] == tgt] = child;
2000*00b67f09SDavid van Moolenbroek }
2001*00b67f09SDavid van Moolenbroek /*
2002*00b67f09SDavid van Moolenbroek * If the child exists fix up its parent pointer.
2003*00b67f09SDavid van Moolenbroek */
2004*00b67f09SDavid van Moolenbroek if (child != NULL)
2005*00b67f09SDavid van Moolenbroek child->parent = parent;
2006*00b67f09SDavid van Moolenbroek isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt));
2007*00b67f09SDavid van Moolenbroek
2008*00b67f09SDavid van Moolenbroek tgt = parent;
2009*00b67f09SDavid van Moolenbroek } while (tgt != NULL);
2010*00b67f09SDavid van Moolenbroek }
2011*00b67f09SDavid van Moolenbroek
2012*00b67f09SDavid van Moolenbroek static void
del_name(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_rpz_type_t rpz_type,dns_name_t * src_name)2013*00b67f09SDavid van Moolenbroek del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
2014*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type, dns_name_t *src_name)
2015*00b67f09SDavid van Moolenbroek {
2016*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
2017*00b67f09SDavid van Moolenbroek dns_fixedname_t trig_namef;
2018*00b67f09SDavid van Moolenbroek dns_name_t *trig_name;
2019*00b67f09SDavid van Moolenbroek dns_rbtnode_t *nmnode;
2020*00b67f09SDavid van Moolenbroek dns_rpz_nm_data_t *nm_data, del_data;
2021*00b67f09SDavid van Moolenbroek isc_result_t result;
2022*00b67f09SDavid van Moolenbroek
2023*00b67f09SDavid van Moolenbroek /*
2024*00b67f09SDavid van Moolenbroek * No need for a summary database of names with only 1 policy zone.
2025*00b67f09SDavid van Moolenbroek */
2026*00b67f09SDavid van Moolenbroek if (rpzs->p.num_zones <= 1) {
2027*00b67f09SDavid van Moolenbroek adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
2028*00b67f09SDavid van Moolenbroek return;
2029*00b67f09SDavid van Moolenbroek }
2030*00b67f09SDavid van Moolenbroek
2031*00b67f09SDavid van Moolenbroek dns_fixedname_init(&trig_namef);
2032*00b67f09SDavid van Moolenbroek trig_name = dns_fixedname_name(&trig_namef);
2033*00b67f09SDavid van Moolenbroek name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data);
2034*00b67f09SDavid van Moolenbroek
2035*00b67f09SDavid van Moolenbroek nmnode = NULL;
2036*00b67f09SDavid van Moolenbroek result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0,
2037*00b67f09SDavid van Moolenbroek NULL, NULL);
2038*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
2039*00b67f09SDavid van Moolenbroek /*
2040*00b67f09SDavid van Moolenbroek * Do not worry about missing summary RBT nodes that probably
2041*00b67f09SDavid van Moolenbroek * correspond to RBTDB nodes that were implicit RBT nodes
2042*00b67f09SDavid van Moolenbroek * that were later added for (often empty) wildcards
2043*00b67f09SDavid van Moolenbroek * and then to the RBTDB deferred cleanup list.
2044*00b67f09SDavid van Moolenbroek */
2045*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND ||
2046*00b67f09SDavid van Moolenbroek result == DNS_R_PARTIALMATCH)
2047*00b67f09SDavid van Moolenbroek return;
2048*00b67f09SDavid van Moolenbroek dns_name_format(src_name, namebuf, sizeof(namebuf));
2049*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
2050*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
2051*00b67f09SDavid van Moolenbroek "rpz del_name(%s) node search failed: %s",
2052*00b67f09SDavid van Moolenbroek namebuf, isc_result_totext(result));
2053*00b67f09SDavid van Moolenbroek return;
2054*00b67f09SDavid van Moolenbroek }
2055*00b67f09SDavid van Moolenbroek
2056*00b67f09SDavid van Moolenbroek nm_data = nmnode->data;
2057*00b67f09SDavid van Moolenbroek INSIST(nm_data != NULL);
2058*00b67f09SDavid van Moolenbroek
2059*00b67f09SDavid van Moolenbroek /*
2060*00b67f09SDavid van Moolenbroek * Do not count bits that next existed for RBT nodes that would we
2061*00b67f09SDavid van Moolenbroek * would not have found in a summary for a single RBTDB tree.
2062*00b67f09SDavid van Moolenbroek */
2063*00b67f09SDavid van Moolenbroek del_data.set.qname &= nm_data->set.qname;
2064*00b67f09SDavid van Moolenbroek del_data.set.ns &= nm_data->set.ns;
2065*00b67f09SDavid van Moolenbroek del_data.wild.qname &= nm_data->wild.qname;
2066*00b67f09SDavid van Moolenbroek del_data.wild.ns &= nm_data->wild.ns;
2067*00b67f09SDavid van Moolenbroek
2068*00b67f09SDavid van Moolenbroek nm_data->set.qname &= ~del_data.set.qname;
2069*00b67f09SDavid van Moolenbroek nm_data->set.ns &= ~del_data.set.ns;
2070*00b67f09SDavid van Moolenbroek nm_data->wild.qname &= ~del_data.wild.qname;
2071*00b67f09SDavid van Moolenbroek nm_data->wild.ns &= ~del_data.wild.ns;
2072*00b67f09SDavid van Moolenbroek
2073*00b67f09SDavid van Moolenbroek if (nm_data->set.qname == 0 && nm_data->set.ns == 0 &&
2074*00b67f09SDavid van Moolenbroek nm_data->wild.qname == 0 && nm_data->wild.ns == 0) {
2075*00b67f09SDavid van Moolenbroek result = dns_rbt_deletenode(rpzs->rbt, nmnode, ISC_FALSE);
2076*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
2077*00b67f09SDavid van Moolenbroek /*
2078*00b67f09SDavid van Moolenbroek * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
2079*00b67f09SDavid van Moolenbroek */
2080*00b67f09SDavid van Moolenbroek dns_name_format(src_name, namebuf, sizeof(namebuf));
2081*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
2082*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
2083*00b67f09SDavid van Moolenbroek "rpz del_name(%s) node delete failed: %s",
2084*00b67f09SDavid van Moolenbroek namebuf, isc_result_totext(result));
2085*00b67f09SDavid van Moolenbroek }
2086*00b67f09SDavid van Moolenbroek }
2087*00b67f09SDavid van Moolenbroek
2088*00b67f09SDavid van Moolenbroek adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
2089*00b67f09SDavid van Moolenbroek }
2090*00b67f09SDavid van Moolenbroek
2091*00b67f09SDavid van Moolenbroek /*
2092*00b67f09SDavid van Moolenbroek * Remove an IP address from the radix tree or a name from the summary database.
2093*00b67f09SDavid van Moolenbroek */
2094*00b67f09SDavid van Moolenbroek void
dns_rpz_delete(dns_rpz_zones_t * rpzs,dns_rpz_num_t rpz_num,dns_name_t * src_name)2095*00b67f09SDavid van Moolenbroek dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
2096*00b67f09SDavid van Moolenbroek dns_name_t *src_name) {
2097*00b67f09SDavid van Moolenbroek dns_rpz_zone_t *rpz;
2098*00b67f09SDavid van Moolenbroek dns_rpz_type_t rpz_type;
2099*00b67f09SDavid van Moolenbroek
2100*00b67f09SDavid van Moolenbroek REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones);
2101*00b67f09SDavid van Moolenbroek rpz = rpzs->zones[rpz_num];
2102*00b67f09SDavid van Moolenbroek REQUIRE(rpz != NULL);
2103*00b67f09SDavid van Moolenbroek
2104*00b67f09SDavid van Moolenbroek rpz_type = type_from_name(rpz, src_name);
2105*00b67f09SDavid van Moolenbroek
2106*00b67f09SDavid van Moolenbroek LOCK(&rpzs->maint_lock);
2107*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_write);
2108*00b67f09SDavid van Moolenbroek
2109*00b67f09SDavid van Moolenbroek switch (rpz_type) {
2110*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_QNAME:
2111*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSDNAME:
2112*00b67f09SDavid van Moolenbroek del_name(rpzs, rpz_num, rpz_type, src_name);
2113*00b67f09SDavid van Moolenbroek break;
2114*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
2115*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
2116*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
2117*00b67f09SDavid van Moolenbroek del_cidr(rpzs, rpz_num, rpz_type, src_name);
2118*00b67f09SDavid van Moolenbroek break;
2119*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_BAD:
2120*00b67f09SDavid van Moolenbroek break;
2121*00b67f09SDavid van Moolenbroek }
2122*00b67f09SDavid van Moolenbroek
2123*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_write);
2124*00b67f09SDavid van Moolenbroek UNLOCK(&rpzs->maint_lock);
2125*00b67f09SDavid van Moolenbroek }
2126*00b67f09SDavid van Moolenbroek
2127*00b67f09SDavid van Moolenbroek /*
2128*00b67f09SDavid van Moolenbroek * Search the summary radix tree to get a relative owner name in a
2129*00b67f09SDavid van Moolenbroek * policy zone relevant to a triggering IP address.
2130*00b67f09SDavid van Moolenbroek * rpz_type and zbits limit the search for IP address netaddr
2131*00b67f09SDavid van Moolenbroek * return the policy zone's number or DNS_RPZ_INVALID_NUM
2132*00b67f09SDavid van Moolenbroek * ip_name is the relative owner name found and
2133*00b67f09SDavid van Moolenbroek * *prefixp is its prefix length.
2134*00b67f09SDavid van Moolenbroek */
2135*00b67f09SDavid van Moolenbroek dns_rpz_num_t
dns_rpz_find_ip(dns_rpz_zones_t * rpzs,dns_rpz_type_t rpz_type,dns_rpz_zbits_t zbits,const isc_netaddr_t * netaddr,dns_name_t * ip_name,dns_rpz_prefix_t * prefixp)2136*00b67f09SDavid van Moolenbroek dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
2137*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr,
2138*00b67f09SDavid van Moolenbroek dns_name_t *ip_name, dns_rpz_prefix_t *prefixp)
2139*00b67f09SDavid van Moolenbroek {
2140*00b67f09SDavid van Moolenbroek dns_rpz_cidr_key_t tgt_ip;
2141*00b67f09SDavid van Moolenbroek dns_rpz_addr_zbits_t tgt_set;
2142*00b67f09SDavid van Moolenbroek dns_rpz_cidr_node_t *found;
2143*00b67f09SDavid van Moolenbroek isc_result_t result;
2144*00b67f09SDavid van Moolenbroek dns_rpz_num_t rpz_num;
2145*00b67f09SDavid van Moolenbroek dns_rpz_have_t have;
2146*00b67f09SDavid van Moolenbroek int i;
2147*00b67f09SDavid van Moolenbroek
2148*00b67f09SDavid van Moolenbroek LOCK(&rpzs->maint_lock);
2149*00b67f09SDavid van Moolenbroek have = rpzs->have;
2150*00b67f09SDavid van Moolenbroek UNLOCK(&rpzs->maint_lock);
2151*00b67f09SDavid van Moolenbroek
2152*00b67f09SDavid van Moolenbroek /*
2153*00b67f09SDavid van Moolenbroek * Convert IP address to CIDR tree key.
2154*00b67f09SDavid van Moolenbroek */
2155*00b67f09SDavid van Moolenbroek if (netaddr->family == AF_INET) {
2156*00b67f09SDavid van Moolenbroek tgt_ip.w[0] = 0;
2157*00b67f09SDavid van Moolenbroek tgt_ip.w[1] = 0;
2158*00b67f09SDavid van Moolenbroek tgt_ip.w[2] = ADDR_V4MAPPED;
2159*00b67f09SDavid van Moolenbroek tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr);
2160*00b67f09SDavid van Moolenbroek switch (rpz_type) {
2161*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
2162*00b67f09SDavid van Moolenbroek zbits &= have.client_ipv4;
2163*00b67f09SDavid van Moolenbroek break;
2164*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
2165*00b67f09SDavid van Moolenbroek zbits &= have.ipv4;
2166*00b67f09SDavid van Moolenbroek break;
2167*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
2168*00b67f09SDavid van Moolenbroek zbits &= have.nsipv4;
2169*00b67f09SDavid van Moolenbroek break;
2170*00b67f09SDavid van Moolenbroek default:
2171*00b67f09SDavid van Moolenbroek INSIST(0);
2172*00b67f09SDavid van Moolenbroek break;
2173*00b67f09SDavid van Moolenbroek }
2174*00b67f09SDavid van Moolenbroek } else if (netaddr->family == AF_INET6) {
2175*00b67f09SDavid van Moolenbroek dns_rpz_cidr_key_t src_ip6;
2176*00b67f09SDavid van Moolenbroek
2177*00b67f09SDavid van Moolenbroek /*
2178*00b67f09SDavid van Moolenbroek * Given the int aligned struct in_addr member of netaddr->type
2179*00b67f09SDavid van Moolenbroek * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *,
2180*00b67f09SDavid van Moolenbroek * but some people object.
2181*00b67f09SDavid van Moolenbroek */
2182*00b67f09SDavid van Moolenbroek memmove(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w));
2183*00b67f09SDavid van Moolenbroek for (i = 0; i < 4; i++) {
2184*00b67f09SDavid van Moolenbroek tgt_ip.w[i] = ntohl(src_ip6.w[i]);
2185*00b67f09SDavid van Moolenbroek }
2186*00b67f09SDavid van Moolenbroek switch (rpz_type) {
2187*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
2188*00b67f09SDavid van Moolenbroek zbits &= have.client_ipv6;
2189*00b67f09SDavid van Moolenbroek break;
2190*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
2191*00b67f09SDavid van Moolenbroek zbits &= have.ipv6;
2192*00b67f09SDavid van Moolenbroek break;
2193*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
2194*00b67f09SDavid van Moolenbroek zbits &= have.nsipv6;
2195*00b67f09SDavid van Moolenbroek break;
2196*00b67f09SDavid van Moolenbroek default:
2197*00b67f09SDavid van Moolenbroek INSIST(0);
2198*00b67f09SDavid van Moolenbroek break;
2199*00b67f09SDavid van Moolenbroek }
2200*00b67f09SDavid van Moolenbroek } else {
2201*00b67f09SDavid van Moolenbroek return (DNS_RPZ_INVALID_NUM);
2202*00b67f09SDavid van Moolenbroek }
2203*00b67f09SDavid van Moolenbroek
2204*00b67f09SDavid van Moolenbroek if (zbits == 0)
2205*00b67f09SDavid van Moolenbroek return (DNS_RPZ_INVALID_NUM);
2206*00b67f09SDavid van Moolenbroek make_addr_set(&tgt_set, zbits, rpz_type);
2207*00b67f09SDavid van Moolenbroek
2208*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
2209*00b67f09SDavid van Moolenbroek result = search(rpzs, &tgt_ip, 128, &tgt_set, ISC_FALSE, &found);
2210*00b67f09SDavid van Moolenbroek if (result == ISC_R_NOTFOUND) {
2211*00b67f09SDavid van Moolenbroek /*
2212*00b67f09SDavid van Moolenbroek * There are no eligible zones for this IP address.
2213*00b67f09SDavid van Moolenbroek */
2214*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
2215*00b67f09SDavid van Moolenbroek return (DNS_RPZ_INVALID_NUM);
2216*00b67f09SDavid van Moolenbroek }
2217*00b67f09SDavid van Moolenbroek
2218*00b67f09SDavid van Moolenbroek /*
2219*00b67f09SDavid van Moolenbroek * Construct the trigger name for the longest matching trigger
2220*00b67f09SDavid van Moolenbroek * in the first eligible zone with a match.
2221*00b67f09SDavid van Moolenbroek */
2222*00b67f09SDavid van Moolenbroek *prefixp = found->prefix;
2223*00b67f09SDavid van Moolenbroek switch (rpz_type) {
2224*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_CLIENT_IP:
2225*00b67f09SDavid van Moolenbroek rpz_num = zbit_to_num(found->set.client_ip & tgt_set.client_ip);
2226*00b67f09SDavid van Moolenbroek break;
2227*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_IP:
2228*00b67f09SDavid van Moolenbroek rpz_num = zbit_to_num(found->set.ip & tgt_set.ip);
2229*00b67f09SDavid van Moolenbroek break;
2230*00b67f09SDavid van Moolenbroek case DNS_RPZ_TYPE_NSIP:
2231*00b67f09SDavid van Moolenbroek rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip);
2232*00b67f09SDavid van Moolenbroek break;
2233*00b67f09SDavid van Moolenbroek default:
2234*00b67f09SDavid van Moolenbroek INSIST(0);
2235*00b67f09SDavid van Moolenbroek break;
2236*00b67f09SDavid van Moolenbroek }
2237*00b67f09SDavid van Moolenbroek result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name);
2238*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
2239*00b67f09SDavid van Moolenbroek if (result != ISC_R_SUCCESS) {
2240*00b67f09SDavid van Moolenbroek /*
2241*00b67f09SDavid van Moolenbroek * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
2242*00b67f09SDavid van Moolenbroek */
2243*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
2244*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
2245*00b67f09SDavid van Moolenbroek "rpz ip2name() failed: %s",
2246*00b67f09SDavid van Moolenbroek isc_result_totext(result));
2247*00b67f09SDavid van Moolenbroek return (DNS_RPZ_INVALID_NUM);
2248*00b67f09SDavid van Moolenbroek }
2249*00b67f09SDavid van Moolenbroek return (rpz_num);
2250*00b67f09SDavid van Moolenbroek }
2251*00b67f09SDavid van Moolenbroek
2252*00b67f09SDavid van Moolenbroek /*
2253*00b67f09SDavid van Moolenbroek * Search the summary radix tree for policy zones with triggers matching
2254*00b67f09SDavid van Moolenbroek * a name.
2255*00b67f09SDavid van Moolenbroek */
2256*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t
dns_rpz_find_name(dns_rpz_zones_t * rpzs,dns_rpz_type_t rpz_type,dns_rpz_zbits_t zbits,dns_name_t * trig_name)2257*00b67f09SDavid van Moolenbroek dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type,
2258*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t zbits, dns_name_t *trig_name)
2259*00b67f09SDavid van Moolenbroek {
2260*00b67f09SDavid van Moolenbroek char namebuf[DNS_NAME_FORMATSIZE];
2261*00b67f09SDavid van Moolenbroek dns_rbtnode_t *nmnode;
2262*00b67f09SDavid van Moolenbroek const dns_rpz_nm_data_t *nm_data;
2263*00b67f09SDavid van Moolenbroek dns_rpz_zbits_t found_zbits;
2264*00b67f09SDavid van Moolenbroek isc_result_t result;
2265*00b67f09SDavid van Moolenbroek
2266*00b67f09SDavid van Moolenbroek if (zbits == 0)
2267*00b67f09SDavid van Moolenbroek return (0);
2268*00b67f09SDavid van Moolenbroek
2269*00b67f09SDavid van Moolenbroek found_zbits = 0;
2270*00b67f09SDavid van Moolenbroek
2271*00b67f09SDavid van Moolenbroek RWLOCK(&rpzs->search_lock, isc_rwlocktype_read);
2272*00b67f09SDavid van Moolenbroek
2273*00b67f09SDavid van Moolenbroek nmnode = NULL;
2274*00b67f09SDavid van Moolenbroek result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL,
2275*00b67f09SDavid van Moolenbroek DNS_RBTFIND_EMPTYDATA, NULL, NULL);
2276*00b67f09SDavid van Moolenbroek switch (result) {
2277*00b67f09SDavid van Moolenbroek case ISC_R_SUCCESS:
2278*00b67f09SDavid van Moolenbroek nm_data = nmnode->data;
2279*00b67f09SDavid van Moolenbroek if (nm_data != NULL) {
2280*00b67f09SDavid van Moolenbroek if (rpz_type == DNS_RPZ_TYPE_QNAME)
2281*00b67f09SDavid van Moolenbroek found_zbits = nm_data->set.qname;
2282*00b67f09SDavid van Moolenbroek else
2283*00b67f09SDavid van Moolenbroek found_zbits = nm_data->set.ns;
2284*00b67f09SDavid van Moolenbroek }
2285*00b67f09SDavid van Moolenbroek nmnode = nmnode->parent;
2286*00b67f09SDavid van Moolenbroek /* fall thru */
2287*00b67f09SDavid van Moolenbroek case DNS_R_PARTIALMATCH:
2288*00b67f09SDavid van Moolenbroek while (nmnode != NULL) {
2289*00b67f09SDavid van Moolenbroek nm_data = nmnode->data;
2290*00b67f09SDavid van Moolenbroek if (nm_data != NULL) {
2291*00b67f09SDavid van Moolenbroek if (rpz_type == DNS_RPZ_TYPE_QNAME)
2292*00b67f09SDavid van Moolenbroek found_zbits |= nm_data->wild.qname;
2293*00b67f09SDavid van Moolenbroek else
2294*00b67f09SDavid van Moolenbroek found_zbits |= nm_data->wild.ns;
2295*00b67f09SDavid van Moolenbroek }
2296*00b67f09SDavid van Moolenbroek nmnode = nmnode->parent;
2297*00b67f09SDavid van Moolenbroek }
2298*00b67f09SDavid van Moolenbroek break;
2299*00b67f09SDavid van Moolenbroek
2300*00b67f09SDavid van Moolenbroek case ISC_R_NOTFOUND:
2301*00b67f09SDavid van Moolenbroek break;
2302*00b67f09SDavid van Moolenbroek
2303*00b67f09SDavid van Moolenbroek default:
2304*00b67f09SDavid van Moolenbroek /*
2305*00b67f09SDavid van Moolenbroek * bin/tests/system/rpz/tests.sh looks for "rpz.*failed".
2306*00b67f09SDavid van Moolenbroek */
2307*00b67f09SDavid van Moolenbroek dns_name_format(trig_name, namebuf, sizeof(namebuf));
2308*00b67f09SDavid van Moolenbroek isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ,
2309*00b67f09SDavid van Moolenbroek DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL,
2310*00b67f09SDavid van Moolenbroek "dns_rpz_find_name(%s) failed: %s",
2311*00b67f09SDavid van Moolenbroek namebuf, isc_result_totext(result));
2312*00b67f09SDavid van Moolenbroek break;
2313*00b67f09SDavid van Moolenbroek }
2314*00b67f09SDavid van Moolenbroek
2315*00b67f09SDavid van Moolenbroek RWUNLOCK(&rpzs->search_lock, isc_rwlocktype_read);
2316*00b67f09SDavid van Moolenbroek return (zbits & found_zbits);
2317*00b67f09SDavid van Moolenbroek }
2318*00b67f09SDavid van Moolenbroek
2319*00b67f09SDavid van Moolenbroek /*
2320*00b67f09SDavid van Moolenbroek * Translate CNAME rdata to a QNAME response policy action.
2321*00b67f09SDavid van Moolenbroek */
2322*00b67f09SDavid van Moolenbroek dns_rpz_policy_t
dns_rpz_decode_cname(dns_rpz_zone_t * rpz,dns_rdataset_t * rdataset,dns_name_t * selfname)2323*00b67f09SDavid van Moolenbroek dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset,
2324*00b67f09SDavid van Moolenbroek dns_name_t *selfname)
2325*00b67f09SDavid van Moolenbroek {
2326*00b67f09SDavid van Moolenbroek dns_rdata_t rdata = DNS_RDATA_INIT;
2327*00b67f09SDavid van Moolenbroek dns_rdata_cname_t cname;
2328*00b67f09SDavid van Moolenbroek isc_result_t result;
2329*00b67f09SDavid van Moolenbroek
2330*00b67f09SDavid van Moolenbroek result = dns_rdataset_first(rdataset);
2331*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_SUCCESS);
2332*00b67f09SDavid van Moolenbroek dns_rdataset_current(rdataset, &rdata);
2333*00b67f09SDavid van Moolenbroek result = dns_rdata_tostruct(&rdata, &cname, NULL);
2334*00b67f09SDavid van Moolenbroek INSIST(result == ISC_R_SUCCESS);
2335*00b67f09SDavid van Moolenbroek dns_rdata_reset(&rdata);
2336*00b67f09SDavid van Moolenbroek
2337*00b67f09SDavid van Moolenbroek /*
2338*00b67f09SDavid van Moolenbroek * CNAME . means NXDOMAIN
2339*00b67f09SDavid van Moolenbroek */
2340*00b67f09SDavid van Moolenbroek if (dns_name_equal(&cname.cname, dns_rootname))
2341*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_NXDOMAIN);
2342*00b67f09SDavid van Moolenbroek
2343*00b67f09SDavid van Moolenbroek if (dns_name_iswildcard(&cname.cname)) {
2344*00b67f09SDavid van Moolenbroek /*
2345*00b67f09SDavid van Moolenbroek * CNAME *. means NODATA
2346*00b67f09SDavid van Moolenbroek */
2347*00b67f09SDavid van Moolenbroek if (dns_name_countlabels(&cname.cname) == 2)
2348*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_NODATA);
2349*00b67f09SDavid van Moolenbroek
2350*00b67f09SDavid van Moolenbroek /*
2351*00b67f09SDavid van Moolenbroek * A qname of www.evil.com and a policy of
2352*00b67f09SDavid van Moolenbroek * *.evil.com CNAME *.garden.net
2353*00b67f09SDavid van Moolenbroek * gives a result of
2354*00b67f09SDavid van Moolenbroek * evil.com CNAME evil.com.garden.net
2355*00b67f09SDavid van Moolenbroek */
2356*00b67f09SDavid van Moolenbroek if (dns_name_countlabels(&cname.cname) > 2)
2357*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_WILDCNAME);
2358*00b67f09SDavid van Moolenbroek }
2359*00b67f09SDavid van Moolenbroek
2360*00b67f09SDavid van Moolenbroek /*
2361*00b67f09SDavid van Moolenbroek * CNAME rpz-tcp-only. means "send truncated UDP responses."
2362*00b67f09SDavid van Moolenbroek */
2363*00b67f09SDavid van Moolenbroek if (dns_name_equal(&cname.cname, &rpz->tcp_only))
2364*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_TCP_ONLY);
2365*00b67f09SDavid van Moolenbroek
2366*00b67f09SDavid van Moolenbroek /*
2367*00b67f09SDavid van Moolenbroek * CNAME rpz-drop. means "do not respond."
2368*00b67f09SDavid van Moolenbroek */
2369*00b67f09SDavid van Moolenbroek if (dns_name_equal(&cname.cname, &rpz->drop))
2370*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_DROP);
2371*00b67f09SDavid van Moolenbroek
2372*00b67f09SDavid van Moolenbroek /*
2373*00b67f09SDavid van Moolenbroek * CNAME rpz-passthru. means "do not rewrite."
2374*00b67f09SDavid van Moolenbroek */
2375*00b67f09SDavid van Moolenbroek if (dns_name_equal(&cname.cname, &rpz->passthru))
2376*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_PASSTHRU);
2377*00b67f09SDavid van Moolenbroek
2378*00b67f09SDavid van Moolenbroek /*
2379*00b67f09SDavid van Moolenbroek * 128.1.0.127.rpz-ip CNAME 128.1.0.0.127. is obsolete PASSTHRU
2380*00b67f09SDavid van Moolenbroek */
2381*00b67f09SDavid van Moolenbroek if (selfname != NULL && dns_name_equal(&cname.cname, selfname))
2382*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_PASSTHRU);
2383*00b67f09SDavid van Moolenbroek
2384*00b67f09SDavid van Moolenbroek /*
2385*00b67f09SDavid van Moolenbroek * Any other rdata gives a response consisting of the rdata.
2386*00b67f09SDavid van Moolenbroek */
2387*00b67f09SDavid van Moolenbroek return (DNS_RPZ_POLICY_RECORD);
2388*00b67f09SDavid van Moolenbroek }
2389