/*
 * options.h -- nsd.conf options definitions and prototypes
 *
 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 *
 */

#ifndef OPTIONS_H
#define OPTIONS_H

#include <stdarg.h>
#include "region-allocator.h"
#include "rbtree.h"
/* referenced by pointer only; defined elsewhere in nsd */
struct query;
struct dname;
struct tsig_key;
struct buffer;
struct nsd;
struct proxy_protocol_port_list;

typedef struct nsd_options nsd_options_type;
typedef struct pattern_options pattern_options_type;
typedef struct zone_options zone_options_type;
typedef struct range_option range_option_type;
typedef struct ip_address_option ip_address_option_type;
typedef struct cpu_option cpu_option_type;
typedef struct cpu_map_option cpu_map_option_type;
typedef struct acl_options acl_options_type;
typedef struct key_options key_options_type;
typedef struct tls_auth_options tls_auth_options_type;
typedef struct config_parser_state config_parser_state_type;

/* Sentinel values for the verifier settings in pattern_options below.
 * By their names they mean "not set at this level, inherit it"; the
 * timeout sentinel is negative, which is why pattern_options keeps
 * verifier_timeout as a signed int32_t (nsd_options keeps it unsigned). */
#define VERIFY_ZONE_INHERIT (2)
#define VERIFIER_FEED_ZONE_INHERIT (2)
#define VERIFIER_TIMEOUT_INHERIT (-1)

/*
 * Options global for nsd.
 * Filled in by parse_options_file(); the fields generally correspond to
 * the nsd.conf option of the same name (with dashes instead of
 * underscores). Created by nsd_options_create(), which stores the
 * region the struct lives in into 'region' at the end.
 */
struct nsd_options {
	/* config file name */
	char* configfile;
	/* options for zones, by apex, contains zone_options */
	rbtree_type* zone_options;
	/* patterns, by name, contains pattern_options */
	rbtree_type* patterns;

	/* free space in zonelist file, contains zonelist_bucket */
	rbtree_type* zonefree;
	/* number of free space lines in zonelist file */
	size_t zonefree_number;
	/* zonelist file if open */
	FILE* zonelist;
	/* last offset in file (or 0 if none) */
	off_t zonelist_off;

	/* tree of zonestat names and their id values, entries are struct
	 * zonestatname with malloced key=stringname. The number of items
	 * is the max statnameid, no items are freed from this.
	 * kept correct in the xfrd process, and on startup. */
	rbtree_type* zonestatnames;

	/* rbtree of keys defined, by name */
	rbtree_type* keys;

	/* rbtree of tls_auth defined, by name */
	rbtree_type* tls_auths;

	/* list of ip addresses to bind to (or NULL for all) */
	struct ip_address_option* ip_addresses;

	/* socket binding toggles and buffer sizes */
	int ip_transparent;
	int ip_freebind;
	int send_buffer_size;
	int receive_buffer_size;
	int debug_mode;
	int verbosity;
	/* toggles that presumably suppress the 'version' and 'identity'
	 * strings below from being served; confirm in the query code */
	int hide_version;
	int hide_identity;
	int drop_updates;
	int do_ip4;
	int do_ip6;
	const char* identity;
	const char* version;
	const char* logfile;
	int log_only_syslog;
	/* number of server processes and their cpu pinning */
	int server_count;
	struct cpu_option* cpu_affinity;
	struct cpu_map_option* service_cpu_affinity;
	/* TCP connection limits and EDNS buffer sizes */
	int tcp_count;
	int tcp_reject_overflow;
	int confine_to_zone;
	int tcp_query_count;
	int tcp_timeout;
	int tcp_mss;
	int outgoing_tcp_mss;
	size_t ipv4_edns_size;
	size_t ipv6_edns_size;
	/* file locations and process settings; 'chroot' and 'username'
	 * are applied at startup (see config_cook_string for the chroot
	 * handling of paths) */
	const char* pidfile;
	const char* port;
	int statistics;
	const char* chroot;
	const char* username;
	const char* zonesdir;
	const char* xfrdfile;
	const char* xfrdir;
	const char* zonelistfile;
	const char* nsid;
	int xfrd_reload_timeout;
	int zonefiles_check;
	int zonefiles_write;
	int log_time_ascii;
	int round_robin;
	int minimal_responses;
	int refuse_any;
	int reuseport;
	/* max number of xfrd tcp sockets */
	int xfrd_tcp_max;
	/* max number of simultaneous requests on xfrd tcp socket */
	int xfrd_tcp_pipeline;

	/* private key file for TLS (path to sensitive material) */
	char* tls_service_key;
	/* ocsp stapling file for TLS */
	char* tls_service_ocsp;
	/* certificate file for TLS */
	char* tls_service_pem;
	/* TLS dedicated port */
	const char* tls_port;
	/* TLS certificate bundle */
	const char* tls_cert_bundle;

	/* proxy protocol port list */
	struct proxy_protocol_port_list* proxy_protocol_port;

	/** remote control section. enable toggle. */
	int control_enable;
	/** the interfaces the remote control should listen on */
	struct ip_address_option* control_interface;
	/** port number for the control port */
	int control_port;
	/** private key file for server */
	char* server_key_file;
	/** certificate file for server */
	char* server_cert_file;
	/** private key file for nsd-control */
	char* control_key_file;
	/** certificate file for nsd-control */
	char* control_cert_file;

#ifdef RATELIMIT
	/** number of buckets in rrl hashtable */
	size_t rrl_size;
	/** max qps for queries, 0 is nolimit */
	size_t rrl_ratelimit;
	/** ratio of slipped responses, 0 is noslip */
	size_t rrl_slip;
	/** ip prefix length */
	size_t rrl_ipv4_prefix_length;
	size_t rrl_ipv6_prefix_length;
	/** max qps for whitelisted queries, 0 is nolimit */
	size_t rrl_whitelist_ratelimit;
#endif
	/** if dnstap is enabled */
	int dnstap_enable;
	/** dnstap socket path */
	char* dnstap_socket_path;
	/** dnstap IP, if "", it uses socket path. */
	char* dnstap_ip;
	/** dnstap TLS enable */
	int dnstap_tls;
	/** dnstap tls server authentication name */
	char* dnstap_tls_server_name;
	/** dnstap server cert bundle */
	char* dnstap_tls_cert_bundle;
	/** dnstap client key for client authentication */
	char* dnstap_tls_client_key_file;
	/** dnstap client cert for client authentication */
	char* dnstap_tls_client_cert_file;
	/** true to send "identity" via dnstap */
	int dnstap_send_identity;
	/** true to send "version" via dnstap */
	int dnstap_send_version;
	/** dnstap "identity", hostname is used if "". */
	char* dnstap_identity;
	/** dnstap "version", package version is used if "". */
	char* dnstap_version;
	/** true to log dnstap AUTH_QUERY message events */
	int dnstap_log_auth_query_messages;
	/** true to log dnstap AUTH_RESPONSE message events */
	int dnstap_log_auth_response_messages;

	/** do answer with server cookie when request contained cookie option */
	int answer_cookie;
	/** cookie secret (sensitive key material; keep out of logs and
	 * debug output) */
	char *cookie_secret;
	/** path to cookie secret store */
	char const* cookie_secret_file;
	/** enable verify */
	int verify_enable;
	/** list of ip addresses used to serve zones for verification */
	struct ip_address_option* verify_ip_addresses;
	/** default port 5347 */
	char *verify_port;
	/** verify zones by default */
	int verify_zones;
	/** default command to verify zones with; an argv-style vector
	 * (presumably NULL-terminated). It is executed by nsd, so it is
	 * trusted exactly as far as the config file is. */
	char **verifier;
	/** maximum number of verifiers that may run simultaneously */
	int verifier_count;
	/** whether or not to feed the zone to the verifier over stdin */
	uint8_t verifier_feed_zone;
	/** maximum number of seconds that a verifier may take
	 * (unsigned here; the VERIFIER_TIMEOUT_INHERIT sentinel applies to
	 * the signed pattern_options field only) */
	uint32_t verifier_timeout;

	/* region that this struct and its allocations live in,
	 * set by nsd_options_create() */
	region_type* region;
};

/* inclusive range of server numbers, e.g. for per-server ip binding */
struct range_option {
	struct range_option* next;
	int first;
	int last;
};

/* one "ip-address:" entry; 'servers' restricts it to a set of server
 * processes, 'dev' and 'fib' are platform specific binding hints */
struct ip_address_option {
	struct ip_address_option* next;
	char* address;
	struct range_option* servers;
	int dev;
	int fib;
};

/* one cpu number in a cpu-affinity list */
struct cpu_option {
	struct cpu_option* next;
	int cpu;
};

/* maps a service (server number) to a cpu */
struct cpu_map_option {
	struct cpu_map_option* next;
	int service;
	int cpu;
};

/*
 * Defines for min_expire_time_expr value
 */
#define EXPIRE_TIME_HAS_VALUE 0
#define EXPIRE_TIME_IS_DEFAULT 1
#define REFRESHPLUSRETRYPLUS1 2
#define REFRESHPLUSRETRYPLUS1_STR "refresh+retry+1"
/* true unless x is one of the two explicit settings; note that
 * EXPIRE_TIME_IS_DEFAULT is therefore not the only value that counts
 * as "default" */
#define expire_time_is_default(x) (!( (x) == REFRESHPLUSRETRYPLUS1 \
	|| (x) == EXPIRE_TIME_HAS_VALUE ))


/*
 * Pattern of zone options, used to contain options for zone(s).
 * Each *_is_default flag records that the paired value was not set
 * explicitly, presumably so that config_apply_pattern() can tell a
 * configured value apart from a default when patterns are layered.
 * ATTR_PACKED: the layout is part of the marshal/unmarshal contract
 * (see pattern_options_marshal), so add new fields at the end.
 */
struct pattern_options {
	rbnode_type node;
	const char* pname; /* name of the pattern, key of rbtree */
	const char* zonefile;
	/* access control lists for the zone(s) */
	struct acl_options* allow_notify;
	struct acl_options* request_xfr;
	struct acl_options* notify;
	struct acl_options* provide_xfr;
	struct acl_options* allow_query;
	struct acl_options* outgoing_interface;
	const char* zonestats;
#ifdef RATELIMIT
	uint16_t rrl_whitelist; /* bitmap with rrl types */
#endif
	uint8_t allow_axfr_fallback;
	uint8_t allow_axfr_fallback_is_default;
	uint8_t notify_retry;
	uint8_t notify_retry_is_default;
	uint8_t implicit; /* pattern is implicit, part_of_config zone used */
	uint8_t xfrd_flags;
	/* bounds applied to the SOA timers of the zone(s) */
	uint32_t max_refresh_time;
	uint8_t max_refresh_time_is_default;
	uint32_t min_refresh_time;
	uint8_t min_refresh_time_is_default;
	uint32_t max_retry_time;
	uint8_t max_retry_time_is_default;
	uint32_t min_retry_time;
	uint8_t min_retry_time_is_default;
	uint32_t min_expire_time;
	/* min_expire_time_expr is either a known value (REFRESHPLUSRETRYPLUS1
	 * or EXPIRE_TIME_HAS_VALUE) or else min_expire_time is the default.
	 * This can be tested with expire_time_is_default(x) define. */
	uint8_t min_expire_time_expr;
	uint64_t size_limit_xfr;
	uint8_t multi_master_check;
	/* IXFR storage and creation settings */
	uint8_t store_ixfr;
	uint8_t store_ixfr_is_default;
	uint64_t ixfr_size;
	uint8_t ixfr_size_is_default;
	uint32_t ixfr_number;
	uint8_t ixfr_number_is_default;
	uint8_t create_ixfr;
	uint8_t create_ixfr_is_default;
	/* zone verification; values may be the *_INHERIT sentinels above */
	uint8_t verify_zone;
	uint8_t verify_zone_is_default;
	char **verifier;
	uint8_t verifier_feed_zone;
	uint8_t verifier_feed_zone_is_default;
	int32_t verifier_timeout;
	uint8_t verifier_timeout_is_default;
} ATTR_PACKED;

#define PATTERN_IMPLICIT_MARKER "_implicit_"

/*
 * Options for a zone
 */
struct zone_options {
	/* key is dname of apex */
	rbnode_type node;

	/* is apex of the zone */
	const char* name;
	/* if not part of config, the offset and linesize of zonelist entry */
	off_t off;
	int linesize;
	/* pattern for the zone options, if zone is part_of_config, this is
	 * an anonymous pattern created in-place */
	struct pattern_options* pattern;
	/* zone is fixed into the main config, not in zonelist, cannot delete */
	uint8_t part_of_config;
} ATTR_PACKED;

/* holds an IPv4 or (with INET6) an IPv6 address; acl_options.is_ipv6
 * says which member is valid */
union acl_addr_storage {
#ifdef INET6
	struct in_addr addr;
	struct in6_addr addr6;
#else
	struct in_addr addr;
#endif
};

/*
 * Access control list element
 */
struct acl_options {
	struct acl_options* next;

	/* options */
	time_t ixfr_disabled;
	int bad_xfr_count;
	uint8_t use_axfr_only;
	uint8_t allow_udp;

	/* ip address range */
	const char* ip_address_spec;
	uint8_t is_ipv6;
	unsigned int port; /* is 0(no port) or suffix @port value */
	union acl_addr_storage addr;
	/* second half of the range; its meaning depends on rangetype */
	union acl_addr_storage range_mask;
	enum {
		acl_range_single = 0, /* single address */
		acl_range_mask = 1, /* 10.20.30.40&255.255.255.0 */
		acl_range_subnet = 2, /* 10.20.30.40/28 */
		acl_range_minmax = 3 /* 10.20.30.40-10.20.30.60 (mask=max) */
	} rangetype;

	/* key: NOKEY means no TSIG is required, BLOCKED means the entry
	 * denies access; otherwise key_name/key_options give the TSIG key
	 * (resolved lookups presumably done by key_options_tsig_add) */
	uint8_t nokey;
	uint8_t blocked;
	const char* key_name;
	struct key_options* key_options;

	/* tls_auth for XoT */
	const char* tls_auth_name;
	struct tls_auth_options* tls_auth_options;
} ATTR_PACKED;

/*
 * Key definition
 */
struct key_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* algorithm;
	/* TSIG secret as configured (sensitive; keep out of logs) */
	char* secret;
	struct tsig_key* tsig_key;
} ATTR_PACKED;

/*
 * TLS Auth definition for XoT
 */
struct tls_auth_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* auth_domain_name;
	char* client_cert;
	char* client_key;
	/* passphrase for client_key, held as a plain string (sensitive) */
	char* client_key_pw;
};

/* proxy protocol port option list */
struct proxy_protocol_port_list {
	struct proxy_protocol_port_list* next;
	int port;
};

/** zone list free space */
struct zonelist_free {
	struct zonelist_free* next;
	off_t off;
};
/** zonelist free bucket for a particular line length */
struct zonelist_bucket {
	rbnode_type node; /* key is ptr to linesize */
	int linesize;
	struct zonelist_free* list;
};

/* default zonefile write interval if database is "", in seconds */
#define ZONEFILES_WRITE_INTERVAL 3600

struct zonestatname {
	rbnode_type node; /* key is malloced string with cooked zonestat name */
	unsigned id; /* index in nsd.zonestat array */
};

/*
 * Used during options parsing
 */
struct config_parser_state {
	char* filename;
	const char* chroot;
	int line;
	/* count of errors seen so far; the parser keeps going after one */
	int errors;
	struct nsd_options* opt;
	/* the pattern/zone/key/tls_auth/ip entry currently being filled in */
	struct pattern_options *pattern;
	struct zone_options *zone;
	struct key_options *key;
	struct tls_auth_options *tls_auth;
	struct ip_address_option *ip;
	/* error callback and its argument, see parse_options_file() */
	void (*err)(void*,const char*);
	void* err_arg;
};

/* global parser state used by the generated lexer/parser */
extern config_parser_state_type* cfg_parser;
/* region will be put in nsd_options struct. Returns empty options struct. */
struct nsd_options* nsd_options_create(region_type* region);
/* the number of zones that are configured.
 * opt and opt->zone_options must be non-NULL; neither is checked here. */
static inline size_t nsd_options_num_zones(struct nsd_options* opt)
{ return opt->zone_options->count; }
/* insert a zone into the main options tree, returns 0 on error */
int nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone);
/* insert a pattern into the main options tree, returns 0 on error */
int nsd_options_insert_pattern(struct nsd_options* opt,
	struct pattern_options* pat);

/* parses options file. Returns false on failure. callback, if nonNULL,
 * gets called with error strings, default prints. */
int parse_options_file(struct nsd_options* opt, const char* file,
	void (*err)(void*,const char*), void* err_arg);
struct zone_options* zone_options_create(region_type* region);
void zone_options_delete(struct nsd_options* opt, struct zone_options* zone);
/* find a zone by apex domain name, or NULL if not found. */
struct zone_options* zone_options_find(struct nsd_options* opt,
	const struct dname* apex);
struct pattern_options* pattern_options_create(region_type* region);
/* find a pattern by name, or NULL if not found */
struct pattern_options* pattern_options_find(struct nsd_options* opt, const char* name);
/* true if both patterns have the same settings */
int pattern_options_equal(struct pattern_options* p, struct pattern_options* q);
void pattern_options_remove(struct nsd_options* opt, const char* name);
/* add the pattern, or modify the existing pattern of the same name */
void pattern_options_add_modify(struct nsd_options* opt,
	struct pattern_options* p);
/* serialize a pattern into buffer / read it back from b; the two must
 * agree on the field layout, so keep them in sync when pattern_options
 * changes */
void pattern_options_marshal(struct buffer* buffer, struct pattern_options* p);
struct pattern_options* pattern_options_unmarshal(region_type* r,
	struct buffer* b);
struct key_options* key_options_create(region_type* region);
void key_options_insert(struct nsd_options* opt, struct key_options* key);
/* find a key by name, or NULL if not found */
struct key_options* key_options_find(struct nsd_options* opt, const char* name);
void key_options_remove(struct nsd_options* opt, const char* name);
int key_options_equal(struct key_options* p, struct key_options* q);
void key_options_add_modify(struct nsd_options* opt, struct key_options* key);
/* set up / tear down the tsig_key member of a key (key->tsig_key) */
void key_options_setup(region_type* region, struct key_options* key);
void key_options_desetup(region_type* region, struct key_options* key);
/* TLS auth */
struct tls_auth_options* tls_auth_options_create(region_type* region);
void tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth);
struct tls_auth_options* tls_auth_options_find(struct nsd_options* opt, const char* name);
/* read in zone list file. Returns false on failure */
int parse_zone_list_file(struct nsd_options* opt);
/* create zone entry and add to the zonelist file */
struct zone_options* zone_list_add(struct nsd_options* opt, const char* zname,
	const char* pname);
/* create zonelist entry, do not insert in file (called by _add) */
struct zone_options* zone_list_zone_insert(struct nsd_options* opt,
	const char* nm, const char* patnm, int linesize, off_t off);
void zone_list_del(struct nsd_options* opt, struct zone_options* zone);
/* rewrite the zonelist file without its free-space lines */
void zone_list_compact(struct nsd_options* opt);
void zone_list_close(struct nsd_options* opt);

/* create zonestat name tree , for initially created zones */
void options_zonestatnames_create(struct nsd_options* opt);
/* Get zonestat id for zone options, add new entry if necessary.
 * instantiates the pattern's zonestat string */
unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt);
/* create string, same options as zonefile but no chroot changes */
const char* config_cook_string(struct zone_options* zone, const char* input);

/** check if config for remote control turns on IP-address interface
 * with certificates or a named pipe without certificates. */
int options_remote_is_address(struct nsd_options* cfg);

#if defined(HAVE_SSL)
/* tsig must be inited, adds all keys in options to tsig. */
void key_options_tsig_add(struct nsd_options* opt);
#endif

/* check acl list, acl number that matches if passed(0..),
 * or failure (-1) if dropped */
/* the reason why (the acl) is returned too (or NULL) */
int acl_check_incoming(struct acl_options* acl, struct query* q,
	struct acl_options** reason);
/* address-only matches: does the acl's address range contain the
 * address of host / of the query source (or, for _proxy, the address
 * carried in the proxy protocol header, presumably) */
int acl_addr_matches_host(struct acl_options* acl, struct acl_options* host);
int acl_addr_matches(struct acl_options* acl, struct query* q);
int acl_addr_matches_proxy(struct acl_options* acl, struct query* q);
/* key-only match: does the query's TSIG satisfy the acl's key setting */
int acl_key_matches(struct acl_options* acl, struct query* q);
/* raw range helpers; sz is the length of the uint32_t arrays (unit,
 * bytes or words, is not visible here -- check options.c before use) */
int acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz);
int acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);
int acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);

/* check acl list for blocks on address, return 0 if none, -1 if blocked. */
int acl_check_incoming_block_proxy(struct acl_options* acl, struct query* q,
	struct acl_options** reason);

/* returns true if acls are both from the same host */
int acl_same_host(struct acl_options* a, struct acl_options* b);
/* find acl by number in the list */
struct acl_options* acl_find_num(struct acl_options* acl, int num);

/* see if two acl lists are the same (same elements in same order, or empty) */
int acl_list_equal(struct acl_options* p, struct acl_options* q);
/* see if two acl are the same */
int acl_equal(struct acl_options* p, struct acl_options* q);

/* see if a zone is a slave or a master zone */
int zone_is_slave(struct zone_options* opt);
/* create zonefile name, returns static pointer (perhaps to options data).
 * Not re-entrant: the result may be overwritten by a later call and
 * must not be freed by the caller. */
const char* config_make_zonefile(struct zone_options* zone, struct nsd* nsd);

#define ZONEC_PCT_TIME 5 /* seconds, then it starts to print pcts */
#define ZONEC_PCT_COUNT 100000 /* elements before pct check is done */

/* parsing helpers */
/* report a parse error; msg is a printf format, never pass user text
 * as msg itself (use "%s") */
void c_error(const char* msg, ...) ATTR_FORMAT(printf, 1,2);
int c_wrap(void);
/* parse an acl entry from the config; 'ip' is not const and is
 * presumably split in place (see parse_acl_range_type) */
struct acl_options* parse_acl_info(region_type* region, char* ip,
	const char* key);
/* true if ipv6 address, false if ipv4 */
int parse_acl_is_ipv6(const char* p);
/* returns range type. mask is the 2nd part of the range */
int parse_acl_range_type(char* ip, char** mask);
/* parses subnet mask, fills 0 mask as well; maxbits is 32 or 128
 * for v4 / v6 presumably, addr points at the address storage */
void parse_acl_range_subnet(char* p, void* addr, int maxbits);
/* clean up options */
void nsd_options_destroy(struct nsd_options* opt);
/* replace occurrences of one with two in buf, pass length of buffer
 * (len is the capacity of buf, bounding the rewritten result) */
void replace_str(char* buf, size_t len, const char* one, const char* two);
/* apply pattern to the existing pattern in the parser */
void config_apply_pattern(struct pattern_options *dest, const char* name);
/* if the file is a directory, print a warning, because flex just exit()s
 * when a fileread fails because it is a directory, helps the user figure
 * out what just happened */
void warn_if_directory(const char* filetype, FILE* f, const char* fname);
/* resolve interface names in the options "ip-address:" (or "interface:")
 * and "control-interface:" into the ip-addresses associated with those
 * names. */
void resolve_interface_names(struct nsd_options* options);

/* See if the sockaddr port number is listed in the proxy protocol ports. */
int sockaddr_uses_proxy_protocol_port(struct nsd_options* options,
	struct sockaddr* addr);

#endif /* OPTIONS_H */