1 /* 2 * options.c -- options functions. 3 * 4 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved. 5 * 6 * See LICENSE for the license. 7 * 8 */ 9 #include "config.h" 10 #include <string.h> 11 #include <stdio.h> 12 #include <sys/stat.h> 13 #include <errno.h> 14 #ifdef HAVE_IFADDRS_H 15 #include <ifaddrs.h> 16 #endif 17 #include "options.h" 18 #include "query.h" 19 #include "tsig.h" 20 #include "difffile.h" 21 #include "rrl.h" 22 #include "bitset.h" 23 24 #include "configparser.h" 25 config_parser_state_type* cfg_parser = 0; 26 extern FILE* c_in, *c_out; 27 int c_parse(void); 28 int c_lex(void); 29 int c_wrap(void); 30 int c_lex_destroy(void); 31 extern char* c_text; 32 33 static int 34 rbtree_strcmp(const void* p1, const void* p2) 35 { 36 if(p1 == NULL && p2 == NULL) return 0; 37 if(p1 == NULL) return -1; 38 if(p2 == NULL) return 1; 39 return strcmp((const char*)p1, (const char*)p2); 40 } 41 42 struct nsd_options* 43 nsd_options_create(region_type* region) 44 { 45 struct nsd_options* opt; 46 opt = (struct nsd_options*)region_alloc(region, sizeof( 47 struct nsd_options)); 48 opt->region = region; 49 opt->zone_options = rbtree_create(region, 50 (int (*)(const void *, const void *)) dname_compare); 51 opt->configfile = NULL; 52 opt->zonestatnames = rbtree_create(opt->region, rbtree_strcmp); 53 opt->patterns = rbtree_create(region, rbtree_strcmp); 54 opt->keys = rbtree_create(region, rbtree_strcmp); 55 opt->tls_auths = rbtree_create(region, rbtree_strcmp); 56 opt->ip_addresses = NULL; 57 opt->ip_transparent = 0; 58 opt->ip_freebind = 0; 59 opt->send_buffer_size = 0; 60 opt->receive_buffer_size = 0; 61 opt->debug_mode = 0; 62 opt->verbosity = 0; 63 opt->hide_version = 0; 64 opt->hide_identity = 0; 65 opt->drop_updates = 0; 66 opt->do_ip4 = 1; 67 opt->do_ip6 = 1; 68 opt->database = DBFILE; 69 opt->identity = 0; 70 opt->version = 0; 71 opt->nsid = 0; 72 opt->logfile = 0; 73 opt->log_only_syslog = 0; 74 opt->log_time_ascii = 1; 75 opt->round_robin = 0; /* also packet.h::round_robin */ 76 opt->minimal_responses = 1; /* also packet.h::minimal_responses */ 77 opt->confine_to_zone = 0; 78 opt->refuse_any = 1; 79 opt->server_count = 1; 80 opt->cpu_affinity = NULL; 81 opt->service_cpu_affinity = NULL; 82 opt->tcp_count = 100; 83 opt->tcp_reject_overflow = 0; 84 opt->tcp_query_count = 0; 85 opt->tcp_timeout = TCP_TIMEOUT; 86 opt->tcp_mss = 0; 87 opt->outgoing_tcp_mss = 0; 88 opt->ipv4_edns_size = EDNS_MAX_MESSAGE_LEN; 89 opt->ipv6_edns_size = EDNS_MAX_MESSAGE_LEN; 90 opt->pidfile = PIDFILE; 91 opt->port = UDP_PORT; 92 /* deprecated? opt->port = TCP_PORT; */ 93 opt->reuseport = 0; 94 opt->xfrd_tcp_max = 128; 95 opt->xfrd_tcp_pipeline = 128; 96 opt->statistics = 0; 97 opt->chroot = 0; 98 opt->username = USER; 99 opt->zonesdir = ZONESDIR; 100 opt->xfrdfile = XFRDFILE; 101 opt->xfrdir = XFRDIR; 102 opt->zonelistfile = ZONELISTFILE; 103 #ifdef RATELIMIT 104 opt->rrl_size = RRL_BUCKETS; 105 opt->rrl_slip = RRL_SLIP; 106 opt->rrl_ipv4_prefix_length = RRL_IPV4_PREFIX_LENGTH; 107 opt->rrl_ipv6_prefix_length = RRL_IPV6_PREFIX_LENGTH; 108 # ifdef RATELIMIT_DEFAULT_OFF 109 opt->rrl_ratelimit = 0; 110 opt->rrl_whitelist_ratelimit = 0; 111 # else 112 opt->rrl_ratelimit = RRL_LIMIT/2; 113 opt->rrl_whitelist_ratelimit = RRL_WLIST_LIMIT/2; 114 # endif 115 #endif 116 #ifdef USE_DNSTAP 117 opt->dnstap_enable = 0; 118 opt->dnstap_socket_path = DNSTAP_SOCKET_PATH; 119 opt->dnstap_send_identity = 0; 120 opt->dnstap_send_version = 0; 121 opt->dnstap_identity = NULL; 122 opt->dnstap_version = NULL; 123 opt->dnstap_log_auth_query_messages = 0; 124 opt->dnstap_log_auth_response_messages = 0; 125 #endif 126 opt->zonefiles_check = 1; 127 if(opt->database == NULL || opt->database[0] == 0) 128 opt->zonefiles_write = ZONEFILES_WRITE_INTERVAL; 129 else opt->zonefiles_write = 0; 130 opt->xfrd_reload_timeout = 1; 131 opt->tls_service_key = NULL; 132 opt->tls_service_ocsp = NULL; 133 opt->tls_service_pem = NULL; 134 opt->tls_port = TLS_PORT; 135 opt->tls_cert_bundle = NULL; 136 opt->answer_cookie = 1; 137 opt->cookie_secret = NULL; 138 opt->cookie_secret_file = CONFIGDIR"/nsd_cookiesecrets.txt"; 139 opt->control_enable = 0; 140 opt->control_interface = NULL; 141 opt->control_port = NSD_CONTROL_PORT; 142 opt->server_key_file = CONFIGDIR"/nsd_server.key"; 143 opt->server_cert_file = CONFIGDIR"/nsd_server.pem"; 144 opt->control_key_file = CONFIGDIR"/nsd_control.key"; 145 opt->control_cert_file = CONFIGDIR"/nsd_control.pem"; 146 return opt; 147 } 148 149 int 150 nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone) 151 { 152 /* create dname for lookup */ 153 const dname_type* dname = dname_parse(opt->region, zone->name); 154 if(!dname) 155 return 0; 156 zone->node.key = dname; 157 if(!rbtree_insert(opt->zone_options, (rbnode_type*)zone)) 158 return 0; 159 return 1; 160 } 161 162 int 163 nsd_options_insert_pattern(struct nsd_options* opt, 164 struct pattern_options* pat) 165 { 166 if(!pat->pname) 167 return 0; 168 pat->node.key = pat->pname; 169 if(!rbtree_insert(opt->patterns, (rbnode_type*)pat)) 170 return 0; 171 return 1; 172 } 173 174 void 175 warn_if_directory(const char* filetype, FILE* f, const char* fname) 176 { 177 if(fileno(f) != -1) { 178 struct stat st; 179 memset(&st, 0, sizeof(st)); 180 if(fstat(fileno(f), &st) != -1) { 181 if(S_ISDIR(st.st_mode)) { 182 log_msg(LOG_WARNING, "trying to read %s but it is a directory: %s", filetype, fname); 183 } 184 } 185 } 186 } 187 188 int 189 parse_options_file(struct nsd_options* opt, const char* file, 190 void (*err)(void*,const char*), void* err_arg) 191 { 192 FILE *in = 0; 193 struct pattern_options* pat; 194 struct acl_options* acl; 195 196 if(!cfg_parser) { 197 cfg_parser = (config_parser_state_type*)region_alloc( 198 opt->region, sizeof(config_parser_state_type)); 199 cfg_parser->chroot = 0; 200 } 201 cfg_parser->err = err; 202 cfg_parser->err_arg = err_arg; 203 cfg_parser->filename = (char*)file; 204 cfg_parser->line = 1; 205 cfg_parser->errors = 0; 206 cfg_parser->opt = opt; 207 cfg_parser->pattern = NULL; 208 cfg_parser->zone = NULL; 209 cfg_parser->key = NULL; 210 cfg_parser->tls_auth = NULL; 211 212 in = fopen(cfg_parser->filename, "r"); 213 if(!in) { 214 if(err) { 215 char m[MAXSYSLOGMSGLEN]; 216 snprintf(m, sizeof(m), "Could not open %s: %s\n", 217 file, strerror(errno)); 218 err(err_arg, m); 219 } else { 220 fprintf(stderr, "Could not open %s: %s\n", 221 file, strerror(errno)); 222 } 223 return 0; 224 } 225 warn_if_directory("configfile", in, file); 226 c_in = in; 227 c_parse(); 228 fclose(in); 229 230 opt->configfile = region_strdup(opt->region, file); 231 232 RBTREE_FOR(pat, struct pattern_options*, opt->patterns) 233 { 234 /* lookup keys for acls */ 235 for(acl=pat->allow_notify; acl; acl=acl->next) 236 { 237 if(acl->nokey || acl->blocked) 238 continue; 239 acl->key_options = key_options_find(opt, acl->key_name); 240 if(!acl->key_options) 241 c_error("key %s in pattern %s could not be found", 242 acl->key_name, pat->pname); 243 } 244 for(acl=pat->notify; acl; acl=acl->next) 245 { 246 if(acl->nokey || acl->blocked) 247 continue; 248 acl->key_options = key_options_find(opt, acl->key_name); 249 if(!acl->key_options) 250 c_error("key %s in pattern %s could not be found", 251 acl->key_name, pat->pname); 252 } 253 for(acl=pat->request_xfr; acl; acl=acl->next) 254 { 255 /* Find tls_auth */ 256 if (!acl->tls_auth_name) 257 ; /* pass */ 258 else if (!(acl->tls_auth_options = 259 tls_auth_options_find(opt, acl->tls_auth_name))) 260 c_error("tls_auth %s in pattern %s could not be found", 261 acl->tls_auth_name, pat->pname); 262 /* Find key */ 263 if(acl->nokey || acl->blocked) 264 continue; 265 acl->key_options = key_options_find(opt, acl->key_name); 266 if(!acl->key_options) 267 c_error("key %s in pattern %s could not be found", 268 acl->key_name, pat->pname); 269 } 270 for(acl=pat->provide_xfr; acl; acl=acl->next) 271 { 272 if(acl->nokey || acl->blocked) 273 continue; 274 acl->key_options = key_options_find(opt, acl->key_name); 275 if(!acl->key_options) 276 c_error("key %s in pattern %s could not be found", 277 acl->key_name, pat->pname); 278 } 279 for(acl=pat->allow_query; acl; acl=acl->next) 280 { 281 if(acl->nokey || acl->blocked) 282 continue; 283 acl->key_options = key_options_find(opt, acl->key_name); 284 if(!acl->key_options) 285 c_error("key %s in pattern %s could not be found", 286 acl->key_name, pat->pname); 287 } 288 } 289 290 if(cfg_parser->errors > 0) 291 { 292 if(err) { 293 char m[MAXSYSLOGMSGLEN]; 294 snprintf(m, sizeof(m), "read %s failed: %d errors in " 295 "configuration file\n", file, 296 cfg_parser->errors); 297 err(err_arg, m); 298 } else { 299 fprintf(stderr, "read %s failed: %d errors in " 300 "configuration file\n", file, 301 cfg_parser->errors); 302 } 303 return 0; 304 } 305 return 1; 306 } 307 308 void options_zonestatnames_create(struct nsd_options* opt) 309 { 310 struct zone_options* zopt; 311 /* allocate "" as zonestat 0, for zones without a zonestat */ 312 if(!rbtree_search(opt->zonestatnames, "")) { 313 struct zonestatname* n; 314 n = (struct zonestatname*)region_alloc_zero(opt->region, 315 sizeof(*n)); 316 n->node.key = region_strdup(opt->region, ""); 317 if(!n->node.key) { 318 log_msg(LOG_ERR, "malloc failed: %s", strerror(errno)); 319 exit(1); 320 } 321 n->id = (unsigned)(opt->zonestatnames->count); 322 rbtree_insert(opt->zonestatnames, (rbnode_type*)n); 323 } 324 RBTREE_FOR(zopt, struct zone_options*, opt->zone_options) { 325 /* insert into tree, so that when read in later id exists */ 326 (void)getzonestatid(opt, zopt); 327 } 328 } 329 330 #define ZONELIST_HEADER "# NSD zone list\n# name pattern\n" 331 static int 332 comp_zonebucket(const void* a, const void* b) 333 { 334 /* the line size is much smaller than max-int, and positive, 335 * so the subtraction works */ 336 return *(const int*)b - *(const int*)a; 337 } 338 339 /* insert free entry into zonelist free buckets */ 340 static void 341 zone_list_free_insert(struct nsd_options* opt, int linesize, off_t off) 342 { 343 struct zonelist_free* e; 344 struct zonelist_bucket* b = (struct zonelist_bucket*)rbtree_search( 345 opt->zonefree, &linesize); 346 if(!b) { 347 b = region_alloc_zero(opt->region, sizeof(*b)); 348 b->linesize = linesize; 349 b->node = *RBTREE_NULL; 350 b->node.key = &b->linesize; 351 rbtree_insert(opt->zonefree, &b->node); 352 } 353 e = (struct zonelist_free*)region_alloc_zero(opt->region, sizeof(*e)); 354 e->next = b->list; 355 b->list = e; 356 e->off = off; 357 opt->zonefree_number++; 358 } 359 360 struct zone_options* 361 zone_list_zone_insert(struct nsd_options* opt, const char* nm, 362 const char* patnm, int linesize, off_t off) 363 { 364 struct pattern_options* pat = pattern_options_find(opt, patnm); 365 struct zone_options* zone; 366 if(!pat) { 367 log_msg(LOG_ERR, "pattern does not exist for zone %s " 368 "pattern %s", nm, patnm); 369 return NULL; 370 } 371 zone = zone_options_create(opt->region); 372 zone->part_of_config = 0; 373 zone->name = region_strdup(opt->region, nm); 374 zone->linesize = linesize; 375 zone->off = off; 376 zone->pattern = pat; 377 if(!nsd_options_insert_zone(opt, zone)) { 378 log_msg(LOG_ERR, "bad domain name or duplicate zone '%s' " 379 "pattern %s", nm, patnm); 380 region_recycle(opt->region, (void*)zone->name, strlen(nm)+1); 381 region_recycle(opt->region, zone, sizeof(*zone)); 382 return NULL; 383 } 384 return zone; 385 } 386 387 int 388 parse_zone_list_file(struct nsd_options* opt) 389 { 390 /* zonelist looks like this: 391 # name pattern 392 add example.com master 393 del example.net slave 394 add foo.bar.nl slave 395 add rutabaga.uk config 396 */ 397 char hdr[64]; 398 char buf[1024]; 399 400 /* create empty data structures */ 401 opt->zonefree = rbtree_create(opt->region, comp_zonebucket); 402 opt->zonelist = NULL; 403 opt->zonefree_number = 0; 404 opt->zonelist_off = 0; 405 406 /* try to open the zonelist file, an empty or nonexist file is OK */ 407 opt->zonelist = fopen(opt->zonelistfile, "r+"); 408 if(!opt->zonelist) { 409 if(errno == ENOENT) 410 return 1; /* file does not exist, it is created later */ 411 log_msg(LOG_ERR, "could not open zone list %s: %s", opt->zonelistfile, 412 strerror(errno)); 413 return 0; 414 } 415 /* read header */ 416 hdr[strlen(ZONELIST_HEADER)] = 0; 417 if(fread(hdr, 1, strlen(ZONELIST_HEADER), opt->zonelist) != 418 strlen(ZONELIST_HEADER) || strncmp(hdr, ZONELIST_HEADER, 419 strlen(ZONELIST_HEADER)) != 0) { 420 log_msg(LOG_ERR, "zone list %s contains bad header\n", opt->zonelistfile); 421 fclose(opt->zonelist); 422 opt->zonelist = NULL; 423 return 0; 424 } 425 buf[sizeof(buf)-1]=0; 426 427 /* read entries in file */ 428 while(fgets(buf, sizeof(buf), opt->zonelist)) { 429 /* skip comments and empty lines */ 430 if(buf[0] == 0 || buf[0] == '\n' || buf[0] == '#') 431 continue; 432 if(strncmp(buf, "add ", 4) == 0) { 433 int linesize = strlen(buf); 434 /* parse the 'add' line */ 435 /* pick last space on the line, so that the domain 436 * name can have a space in it (but not the pattern)*/ 437 char* space = strrchr(buf+4, ' '); 438 char* nm, *patnm; 439 if(!space) { 440 /* parse error */ 441 log_msg(LOG_ERR, "parse error in %s: '%s'", 442 opt->zonelistfile, buf); 443 continue; 444 } 445 nm = buf+4; 446 *space = 0; 447 patnm = space+1; 448 if(linesize && buf[linesize-1] == '\n') 449 buf[linesize-1] = 0; 450 451 /* store offset and line size for zone entry */ 452 /* and create zone entry in zonetree */ 453 (void)zone_list_zone_insert(opt, nm, patnm, linesize, 454 ftello(opt->zonelist)-linesize); 455 } else if(strncmp(buf, "del ", 4) == 0) { 456 /* store offset and line size for deleted entry */ 457 int linesize = strlen(buf); 458 zone_list_free_insert(opt, linesize, 459 ftello(opt->zonelist)-linesize); 460 } else { 461 log_msg(LOG_WARNING, "bad data in %s, '%s'", opt->zonelistfile, 462 buf); 463 } 464 } 465 /* store EOF offset */ 466 opt->zonelist_off = ftello(opt->zonelist); 467 return 1; 468 } 469 470 void 471 zone_options_delete(struct nsd_options* opt, struct zone_options* zone) 472 { 473 rbtree_delete(opt->zone_options, zone->node.key); 474 region_recycle(opt->region, (void*)zone->node.key, dname_total_size( 475 (dname_type*)zone->node.key)); 476 region_recycle(opt->region, zone, sizeof(*zone)); 477 } 478 479 /* add a new zone to the zonelist */ 480 struct zone_options* 481 zone_list_add(struct nsd_options* opt, const char* zname, const char* pname) 482 { 483 int r; 484 struct zonelist_free* e; 485 struct zonelist_bucket* b; 486 int linesize = 6 + strlen(zname) + strlen(pname); 487 /* create zone entry */ 488 struct zone_options* zone = zone_list_zone_insert(opt, zname, pname, 489 linesize, 0); 490 if(!zone) 491 return NULL; 492 493 /* use free entry or append to file or create new file */ 494 if(!opt->zonelist || opt->zonelist_off == 0) { 495 /* create new file */ 496 if(opt->zonelist) fclose(opt->zonelist); 497 opt->zonelist = fopen(opt->zonelistfile, "w+"); 498 if(!opt->zonelist) { 499 log_msg(LOG_ERR, "could not create zone list %s: %s", 500 opt->zonelistfile, strerror(errno)); 501 log_msg(LOG_ERR, "zone %s could not be added", zname); 502 zone_options_delete(opt, zone); 503 return NULL; 504 } 505 r = fprintf(opt->zonelist, ZONELIST_HEADER); 506 if(r != strlen(ZONELIST_HEADER)) { 507 if(r == -1) 508 log_msg(LOG_ERR, "could not write to %s: %s", 509 opt->zonelistfile, strerror(errno)); 510 else log_msg(LOG_ERR, "partial write to %s: disk full", 511 opt->zonelistfile); 512 log_msg(LOG_ERR, "zone %s could not be added", zname); 513 zone_options_delete(opt, zone); 514 return NULL; 515 } 516 zone->off = ftello(opt->zonelist); 517 if(zone->off == -1) 518 log_msg(LOG_ERR, "ftello(%s): %s", opt->zonelistfile, strerror(errno)); 519 r = fprintf(opt->zonelist, "add %s %s\n", zname, pname); 520 if(r != zone->linesize) { 521 if(r == -1) 522 log_msg(LOG_ERR, "could not write to %s: %s", 523 opt->zonelistfile, strerror(errno)); 524 else log_msg(LOG_ERR, "partial write to %s: disk full", 525 opt->zonelistfile); 526 log_msg(LOG_ERR, "zone %s could not be added", zname); 527 zone_options_delete(opt, zone); 528 return NULL; 529 } 530 opt->zonelist_off = ftello(opt->zonelist); 531 if(opt->zonelist_off == -1) 532 log_msg(LOG_ERR, "ftello(%s): %s", opt->zonelistfile, strerror(errno)); 533 if(fflush(opt->zonelist) != 0) { 534 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 535 } 536 return zone; 537 } 538 b = (struct zonelist_bucket*)rbtree_search(opt->zonefree, 539 &zone->linesize); 540 if(!b || b->list == NULL) { 541 /* no empty place, append to file */ 542 zone->off = opt->zonelist_off; 543 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 544 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 545 log_msg(LOG_ERR, "zone %s could not be added", zname); 546 zone_options_delete(opt, zone); 547 return NULL; 548 } 549 r = fprintf(opt->zonelist, "add %s %s\n", zname, pname); 550 if(r != zone->linesize) { 551 if(r == -1) 552 log_msg(LOG_ERR, "could not write to %s: %s", 553 opt->zonelistfile, strerror(errno)); 554 else log_msg(LOG_ERR, "partial write to %s: disk full", 555 opt->zonelistfile); 556 log_msg(LOG_ERR, "zone %s could not be added", zname); 557 zone_options_delete(opt, zone); 558 return NULL; 559 } 560 opt->zonelist_off += linesize; 561 if(fflush(opt->zonelist) != 0) { 562 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 563 } 564 return zone; 565 } 566 /* reuse empty spot */ 567 e = b->list; 568 zone->off = e->off; 569 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 570 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 571 log_msg(LOG_ERR, "zone %s could not be added", zname); 572 zone_options_delete(opt, zone); 573 return NULL; 574 } 575 r = fprintf(opt->zonelist, "add %s %s\n", zname, pname); 576 if(r != zone->linesize) { 577 if(r == -1) 578 log_msg(LOG_ERR, "could not write to %s: %s", 579 opt->zonelistfile, strerror(errno)); 580 else log_msg(LOG_ERR, "partial write to %s: disk full", 581 opt->zonelistfile); 582 log_msg(LOG_ERR, "zone %s could not be added", zname); 583 zone_options_delete(opt, zone); 584 return NULL; 585 } 586 if(fflush(opt->zonelist) != 0) { 587 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 588 } 589 590 /* snip off and recycle element */ 591 b->list = e->next; 592 region_recycle(opt->region, e, sizeof(*e)); 593 if(b->list == NULL) { 594 rbtree_delete(opt->zonefree, &b->linesize); 595 region_recycle(opt->region, b, sizeof(*b)); 596 } 597 opt->zonefree_number--; 598 return zone; 599 } 600 601 /* remove a zone on the zonelist */ 602 void 603 zone_list_del(struct nsd_options* opt, struct zone_options* zone) 604 { 605 /* put its space onto the free entry */ 606 if(fseeko(opt->zonelist, zone->off, SEEK_SET) == -1) { 607 log_msg(LOG_ERR, "fseeko(%s): %s", opt->zonelistfile, strerror(errno)); 608 return; 609 } 610 fprintf(opt->zonelist, "del"); 611 zone_list_free_insert(opt, zone->linesize, zone->off); 612 613 /* remove zone_options */ 614 zone_options_delete(opt, zone); 615 616 /* see if we need to compact: it is going to halve the zonelist */ 617 if(opt->zonefree_number > opt->zone_options->count) { 618 zone_list_compact(opt); 619 } else { 620 if(fflush(opt->zonelist) != 0) { 621 log_msg(LOG_ERR, "fflush %s: %s", opt->zonelistfile, strerror(errno)); 622 } 623 } 624 } 625 /* postorder delete of zonelist free space tree */ 626 static void 627 delbucket(region_type* region, struct zonelist_bucket* b) 628 { 629 struct zonelist_free* e, *f; 630 if(!b || (rbnode_type*)b==RBTREE_NULL) 631 return; 632 delbucket(region, (struct zonelist_bucket*)b->node.left); 633 delbucket(region, (struct zonelist_bucket*)b->node.right); 634 e = b->list; 635 while(e) { 636 f = e->next; 637 region_recycle(region, e, sizeof(*e)); 638 e = f; 639 } 640 region_recycle(region, b, sizeof(*b)); 641 } 642 643 /* compact zonelist file */ 644 void 645 zone_list_compact(struct nsd_options* opt) 646 { 647 char outname[1024]; 648 FILE* out; 649 struct zone_options* zone; 650 off_t off; 651 int r; 652 snprintf(outname, sizeof(outname), "%s~", opt->zonelistfile); 653 /* useful, when : count-of-free > count-of-used */ 654 /* write zonelist to zonelist~ */ 655 out = fopen(outname, "w+"); 656 if(!out) { 657 log_msg(LOG_ERR, "could not open %s: %s", outname, strerror(errno)); 658 return; 659 } 660 r = fprintf(out, ZONELIST_HEADER); 661 if(r == -1) { 662 log_msg(LOG_ERR, "write %s failed: %s", outname, 663 strerror(errno)); 664 fclose(out); 665 return; 666 } else if(r != strlen(ZONELIST_HEADER)) { 667 log_msg(LOG_ERR, "write %s was partial: disk full", 668 outname); 669 fclose(out); 670 return; 671 } 672 off = ftello(out); 673 if(off == -1) { 674 log_msg(LOG_ERR, "ftello(%s): %s", outname, strerror(errno)); 675 fclose(out); 676 return; 677 } 678 RBTREE_FOR(zone, struct zone_options*, opt->zone_options) { 679 if(zone->part_of_config) 680 continue; 681 r = fprintf(out, "add %s %s\n", zone->name, 682 zone->pattern->pname); 683 if(r < 0) { 684 log_msg(LOG_ERR, "write %s failed: %s", outname, 685 strerror(errno)); 686 fclose(out); 687 return; 688 } else if(r != zone->linesize) { 689 log_msg(LOG_ERR, "write %s was partial: disk full", 690 outname); 691 fclose(out); 692 return; 693 } 694 } 695 if(fflush(out) != 0) { 696 log_msg(LOG_ERR, "fflush %s: %s", outname, strerror(errno)); 697 } 698 699 /* rename zonelist~ onto zonelist */ 700 if(rename(outname, opt->zonelistfile) == -1) { 701 log_msg(LOG_ERR, "rename(%s to %s) failed: %s", 702 outname, opt->zonelistfile, strerror(errno)); 703 fclose(out); 704 return; 705 } 706 fclose(opt->zonelist); 707 /* set offsets */ 708 RBTREE_FOR(zone, struct zone_options*, opt->zone_options) { 709 if(zone->part_of_config) 710 continue; 711 zone->off = off; 712 off += zone->linesize; 713 } 714 /* empty the free tree */ 715 delbucket(opt->region, (struct zonelist_bucket*)opt->zonefree->root); 716 opt->zonefree->root = RBTREE_NULL; 717 opt->zonefree->count = 0; 718 opt->zonefree_number = 0; 719 /* finish */ 720 opt->zonelist = out; 721 opt->zonelist_off = off; 722 } 723 724 /* close zonelist file */ 725 void 726 zone_list_close(struct nsd_options* opt) 727 { 728 if(opt->zonelist) { 729 fclose(opt->zonelist); 730 opt->zonelist = NULL; 731 } 732 } 733 734 static void 735 c_error_va_list_pos(int showpos, const char* fmt, va_list args) 736 { 737 char* at = NULL; 738 cfg_parser->errors++; 739 if(showpos && c_text && c_text[0]!=0) { 740 at = c_text; 741 } 742 if(cfg_parser->err) { 743 char m[MAXSYSLOGMSGLEN]; 744 snprintf(m, sizeof(m), "%s:%d: ", cfg_parser->filename, 745 cfg_parser->line); 746 (*cfg_parser->err)(cfg_parser->err_arg, m); 747 if(at) { 748 snprintf(m, sizeof(m), "at '%s': ", at); 749 (*cfg_parser->err)(cfg_parser->err_arg, m); 750 } 751 (*cfg_parser->err)(cfg_parser->err_arg, "error: "); 752 vsnprintf(m, sizeof(m), fmt, args); 753 (*cfg_parser->err)(cfg_parser->err_arg, m); 754 (*cfg_parser->err)(cfg_parser->err_arg, "\n"); 755 return; 756 } 757 fprintf(stderr, "%s:%d: ", cfg_parser->filename, cfg_parser->line); 758 if(at) fprintf(stderr, "at '%s': ", at); 759 fprintf(stderr, "error: "); 760 vfprintf(stderr, fmt, args); 761 fprintf(stderr, "\n"); 762 } 763 764 void 765 c_error(const char *fmt, ...) 766 { 767 va_list ap; 768 int showpos = 0; 769 770 if (strcmp(fmt, "syntax error") == 0 || strcmp(fmt, "parse error") == 0) { 771 showpos = 1; 772 } 773 774 va_start(ap, fmt); 775 c_error_va_list_pos(showpos, fmt, ap); 776 va_end(ap); 777 } 778 779 int 780 c_wrap(void) 781 { 782 return 1; 783 } 784 785 struct zone_options* 786 zone_options_create(region_type* region) 787 { 788 struct zone_options* zone; 789 zone = (struct zone_options*)region_alloc(region, sizeof( 790 struct zone_options)); 791 zone->node = *RBTREE_NULL; 792 zone->name = 0; 793 zone->pattern = 0; 794 zone->part_of_config = 0; 795 return zone; 796 } 797 798 /* true is booleans are the same truth value */ 799 #define booleq(x,y) ( ((x) && (y)) || (!(x) && !(y)) ) 800 801 /* true is min_expire_time_expr has either an equal known value 802 * or none of these known values but booleanally equal 803 */ 804 #define expire_expr_eq(x,y) ( ( (x) == REFRESHPLUSRETRYPLUS1 \ 805 && (y) == REFRESHPLUSRETRYPLUS1 ) \ 806 || ( (x) != REFRESHPLUSRETRYPLUS1 \ 807 && (y) != REFRESHPLUSRETRYPLUS1 \ 808 && booleq((x), (y)))) 809 810 811 int 812 acl_equal(struct acl_options* p, struct acl_options* q) 813 { 814 if(!booleq(p->use_axfr_only, q->use_axfr_only)) return 0; 815 if(!booleq(p->allow_udp, q->allow_udp)) return 0; 816 if(strcmp(p->ip_address_spec, q->ip_address_spec)!=0) return 0; 817 /* the ip6, port, addr, mask, type: are derived from the ip_address_spec */ 818 if(!booleq(p->nokey, q->nokey)) return 0; 819 if(!booleq(p->blocked, q->blocked)) return 0; 820 if(p->key_name && q->key_name) { 821 if(strcmp(p->key_name, q->key_name)!=0) return 0; 822 } else if(p->key_name && !q->key_name) return 0; 823 else if(!p->key_name && q->key_name) return 0; 824 /* key_options is derived from key_name */ 825 if(p->tls_auth_name && q->tls_auth_name) { 826 if(strcmp(p->tls_auth_name, q->tls_auth_name)!=0) return 0; 827 } else if(p->tls_auth_name && !q->tls_auth_name) return 0; 828 else if(!p->tls_auth_name && q->tls_auth_name) return 0; 829 /* tls_auth_options is derived from tls_auth_name */ 830 return 1; 831 } 832 833 int 834 acl_list_equal(struct acl_options* p, struct acl_options* q) 835 { 836 /* must be same and in same order */ 837 while(p && q) { 838 if(!acl_equal(p, q)) 839 return 0; 840 p = p->next; 841 q = q->next; 842 } 843 if(!p && !q) return 1; 844 /* different lengths */ 845 return 0; 846 } 847 848 struct pattern_options* 849 pattern_options_create(region_type* region) 850 { 851 struct pattern_options* p; 852 p = (struct pattern_options*)region_alloc(region, sizeof( 853 struct pattern_options)); 854 p->node = *RBTREE_NULL; 855 p->pname = 0; 856 p->zonefile = 0; 857 p->zonestats = 0; 858 p->allow_notify = 0; 859 p->request_xfr = 0; 860 p->size_limit_xfr = 0; 861 p->notify = 0; 862 p->provide_xfr = 0; 863 p->allow_query = 0; 864 p->outgoing_interface = 0; 865 p->notify_retry = 5; 866 p->notify_retry_is_default = 1; 867 p->allow_axfr_fallback = 1; 868 p->allow_axfr_fallback_is_default = 1; 869 p->implicit = 0; 870 p->xfrd_flags = 0; 871 p->max_refresh_time = 2419200; /* 4 weeks */ 872 p->max_refresh_time_is_default = 1; 873 p->min_refresh_time = 0; 874 p->min_refresh_time_is_default = 1; 875 p->max_retry_time = 1209600; /* 2 weeks */ 876 p->max_retry_time_is_default = 1; 877 p->min_retry_time = 0; 878 p->min_retry_time_is_default = 1; 879 p->min_expire_time = 0; 880 p->min_expire_time_expr = EXPIRE_TIME_IS_DEFAULT; 881 #ifdef RATELIMIT 882 p->rrl_whitelist = 0; 883 #endif 884 p->multi_master_check = 0; 885 return p; 886 } 887 888 static void 889 acl_delete(region_type* region, struct acl_options* acl) 890 { 891 if(acl->ip_address_spec) 892 region_recycle(region, (void*)acl->ip_address_spec, 893 strlen(acl->ip_address_spec)+1); 894 if(acl->key_name) 895 region_recycle(region, (void*)acl->key_name, 896 strlen(acl->key_name)+1); 897 if(acl->tls_auth_name) 898 region_recycle(region, (void*)acl->tls_auth_name, 899 strlen(acl->tls_auth_name)+1); 900 /* key_options is a convenience pointer, not owned by the acl */ 901 region_recycle(region, acl, sizeof(*acl)); 902 } 903 904 static void 905 acl_list_delete(region_type* region, struct acl_options* list) 906 { 907 struct acl_options* n; 908 while(list) { 909 n = list->next; 910 acl_delete(region, list); 911 list = n; 912 } 913 } 914 915 void 916 pattern_options_remove(struct nsd_options* opt, const char* name) 917 { 918 struct pattern_options* p = (struct pattern_options*)rbtree_delete( 919 opt->patterns, name); 920 /* delete p and its contents */ 921 if (!p) 922 return; 923 if(p->pname) 924 region_recycle(opt->region, (void*)p->pname, 925 strlen(p->pname)+1); 926 if(p->zonefile) 927 region_recycle(opt->region, (void*)p->zonefile, 928 strlen(p->zonefile)+1); 929 if(p->zonestats) 930 region_recycle(opt->region, (void*)p->zonestats, 931 strlen(p->zonestats)+1); 932 acl_list_delete(opt->region, p->allow_notify); 933 acl_list_delete(opt->region, p->request_xfr); 934 acl_list_delete(opt->region, p->notify); 935 acl_list_delete(opt->region, p->provide_xfr); 936 acl_list_delete(opt->region, p->allow_query); 937 acl_list_delete(opt->region, p->outgoing_interface); 938 939 region_recycle(opt->region, p, sizeof(struct pattern_options)); 940 } 941 942 static struct acl_options* 943 copy_acl(region_type* region, struct acl_options* a) 944 { 945 struct acl_options* b; 946 if(!a) return NULL; 947 b = (struct acl_options*)region_alloc(region, sizeof(*b)); 948 /* copy the whole lot */ 949 *b = *a; 950 /* fix the pointers */ 951 if(a->ip_address_spec) 952 b->ip_address_spec = region_strdup(region, a->ip_address_spec); 953 if(a->key_name) 954 b->key_name = region_strdup(region, a->key_name); 955 if(a->tls_auth_name) 956 b->tls_auth_name = region_strdup(region, a->tls_auth_name); 957 b->next = NULL; 958 b->key_options = NULL; 959 b->tls_auth_options = NULL; 960 return b; 961 } 962 963 static struct acl_options* 964 copy_acl_list(struct nsd_options* opt, struct acl_options* a) 965 { 966 struct acl_options* b, *blast = NULL, *blist = NULL; 967 while(a) { 968 b = copy_acl(opt->region, a); 969 /* fixup key_options */ 970 if(b->key_name) 971 b->key_options = key_options_find(opt, b->key_name); 972 else b->key_options = NULL; 973 /* fixup tls_auth_options */ 974 if(b->tls_auth_name) 975 b->tls_auth_options = tls_auth_options_find(opt, b->tls_auth_name); 976 else b->tls_auth_options = NULL; 977 978 /* link as last into list */ 979 b->next = NULL; 980 if(!blist) blist = b; 981 else blast->next = b; 982 blast = b; 983 984 a = a->next; 985 } 986 return blist; 987 } 988 989 static void 990 copy_changed_acl(struct nsd_options* opt, struct acl_options** orig, 991 struct acl_options* anew) 992 { 993 if(!acl_list_equal(*orig, anew)) { 994 acl_list_delete(opt->region, *orig); 995 *orig = copy_acl_list(opt, anew); 996 } 997 } 998 999 static void 1000 copy_pat_fixed(region_type* region, struct pattern_options* orig, 1001 struct pattern_options* p) 1002 { 1003 orig->allow_axfr_fallback = p->allow_axfr_fallback; 1004 orig->allow_axfr_fallback_is_default = 1005 p->allow_axfr_fallback_is_default; 1006 orig->notify_retry = p->notify_retry; 1007 orig->notify_retry_is_default = p->notify_retry_is_default; 1008 orig->implicit = p->implicit; 1009 if(p->zonefile) 1010 orig->zonefile = region_strdup(region, p->zonefile); 1011 else orig->zonefile = NULL; 1012 if(p->zonestats) 1013 orig->zonestats = region_strdup(region, p->zonestats); 1014 else orig->zonestats = NULL; 1015 orig->max_refresh_time = p->max_refresh_time; 1016 orig->max_refresh_time_is_default = p->max_refresh_time_is_default; 1017 orig->min_refresh_time = p->min_refresh_time; 1018 orig->min_refresh_time_is_default = p->min_refresh_time_is_default; 1019 orig->max_retry_time = p->max_retry_time; 1020 orig->max_retry_time_is_default = p->max_retry_time_is_default; 1021 orig->min_retry_time = p->min_retry_time; 1022 orig->min_retry_time_is_default = p->min_retry_time_is_default; 1023 orig->min_expire_time = p->min_expire_time; 1024 orig->min_expire_time_expr = p->min_expire_time_expr; 1025 #ifdef RATELIMIT 1026 orig->rrl_whitelist = p->rrl_whitelist; 1027 #endif 1028 orig->multi_master_check = p->multi_master_check; 1029 } 1030 1031 void 1032 pattern_options_add_modify(struct nsd_options* opt, struct pattern_options* p) 1033 { 1034 struct pattern_options* orig = pattern_options_find(opt, p->pname); 1035 if(!orig) { 1036 /* needs to be copied to opt region */ 1037 orig = pattern_options_create(opt->region); 1038 orig->pname = region_strdup(opt->region, p->pname); 1039 copy_pat_fixed(opt->region, orig, p); 1040 orig->allow_notify = copy_acl_list(opt, p->allow_notify); 1041 orig->request_xfr = copy_acl_list(opt, p->request_xfr); 1042 orig->notify = copy_acl_list(opt, p->notify); 1043 orig->provide_xfr = copy_acl_list(opt, p->provide_xfr); 1044 orig->allow_query = copy_acl_list(opt, p->allow_query); 1045 orig->outgoing_interface = copy_acl_list(opt, 1046 p->outgoing_interface); 1047 nsd_options_insert_pattern(opt, orig); 1048 } else { 1049 /* modify in place so pointers stay valid (and copy 1050 into region). Do not touch unchanged acls. */ 1051 if(orig->zonefile) 1052 region_recycle(opt->region, (char*)orig->zonefile, 1053 strlen(orig->zonefile)+1); 1054 if(orig->zonestats) 1055 region_recycle(opt->region, (char*)orig->zonestats, 1056 strlen(orig->zonestats)+1); 1057 copy_pat_fixed(opt->region, orig, p); 1058 copy_changed_acl(opt, &orig->allow_notify, p->allow_notify); 1059 copy_changed_acl(opt, &orig->request_xfr, p->request_xfr); 1060 copy_changed_acl(opt, &orig->notify, p->notify); 1061 copy_changed_acl(opt, &orig->provide_xfr, p->provide_xfr); 1062 copy_changed_acl(opt, &orig->allow_query, p->allow_query); 1063 copy_changed_acl(opt, &orig->outgoing_interface, 1064 p->outgoing_interface); 1065 } 1066 } 1067 1068 struct pattern_options* 1069 pattern_options_find(struct nsd_options* opt, const char* name) 1070 { 1071 return (struct pattern_options*)rbtree_search(opt->patterns, name); 1072 } 1073 1074 int 1075 pattern_options_equal(struct pattern_options* p, struct pattern_options* q) 1076 { 1077 if(strcmp(p->pname, q->pname) != 0) return 0; 1078 if(!p->zonefile && q->zonefile) return 0; 1079 else if(p->zonefile && !q->zonefile) return 0; 1080 else if(p->zonefile && q->zonefile) { 1081 if(strcmp(p->zonefile, q->zonefile) != 0) return 0; 1082 } 1083 if(!p->zonestats && q->zonestats) return 0; 1084 else if(p->zonestats && !q->zonestats) return 0; 1085 else if(p->zonestats && q->zonestats) { 1086 if(strcmp(p->zonestats, q->zonestats) != 0) return 0; 1087 } 1088 if(!booleq(p->allow_axfr_fallback, q->allow_axfr_fallback)) return 0; 1089 if(!booleq(p->allow_axfr_fallback_is_default, 1090 q->allow_axfr_fallback_is_default)) return 0; 1091 if(p->notify_retry != q->notify_retry) return 0; 1092 if(!booleq(p->notify_retry_is_default, 1093 q->notify_retry_is_default)) return 0; 1094 if(!booleq(p->implicit, q->implicit)) return 0; 1095 if(!acl_list_equal(p->allow_notify, q->allow_notify)) return 0; 1096 if(!acl_list_equal(p->request_xfr, q->request_xfr)) return 0; 1097 if(!acl_list_equal(p->notify, q->notify)) return 0; 1098 if(!acl_list_equal(p->provide_xfr, q->provide_xfr)) return 0; 1099 if(!acl_list_equal(p->allow_query, q->allow_query)) return 0; 1100 if(!acl_list_equal(p->outgoing_interface, q->outgoing_interface)) 1101 return 0; 1102 if(p->max_refresh_time != q->max_refresh_time) return 0; 1103 if(!booleq(p->max_refresh_time_is_default, 1104 q->max_refresh_time_is_default)) return 0; 1105 if(p->min_refresh_time != q->min_refresh_time) return 0; 1106 if(!booleq(p->min_refresh_time_is_default, 1107 q->min_refresh_time_is_default)) return 0; 1108 if(p->max_retry_time != q->max_retry_time) return 0; 1109 if(!booleq(p->max_retry_time_is_default, 1110 q->max_retry_time_is_default)) return 0; 1111 if(p->min_retry_time != q->min_retry_time) return 0; 1112 if(!booleq(p->min_retry_time_is_default, 1113 q->min_retry_time_is_default)) return 0; 1114 if(p->min_expire_time != q->min_expire_time) return 0; 1115 if(!expire_expr_eq(p->min_expire_time_expr, 1116 q->min_expire_time_expr)) return 0; 1117 #ifdef RATELIMIT 1118 if(p->rrl_whitelist != q->rrl_whitelist) return 0; 1119 #endif 1120 if(!booleq(p->multi_master_check,q->multi_master_check)) return 0; 1121 if(p->size_limit_xfr != q->size_limit_xfr) return 0; 1122 return 1; 1123 } 1124 1125 static void 1126 marshal_u8(struct buffer* b, uint8_t v) 1127 { 1128 buffer_reserve(b, 1); 1129 buffer_write_u8(b, v); 1130 } 1131 1132 static uint8_t 1133 unmarshal_u8(struct buffer* b) 1134 { 1135 return buffer_read_u8(b); 1136 } 1137 1138 static void 1139 marshal_u64(struct buffer* b, uint64_t v) 1140 { 1141 buffer_reserve(b, 8); 1142 buffer_write_u64(b, v); 1143 } 1144 1145 static uint64_t 1146 unmarshal_u64(struct buffer* b) 1147 { 1148 return buffer_read_u64(b); 1149 } 1150 1151 #ifdef RATELIMIT 1152 static void 1153 marshal_u16(struct buffer* b, uint16_t v) 1154 { 1155 buffer_reserve(b, 2); 1156 buffer_write_u16(b, v); 1157 } 1158 #endif 1159 1160 #ifdef RATELIMIT 1161 static uint16_t 1162 unmarshal_u16(struct buffer* b) 1163 { 1164 return buffer_read_u16(b); 1165 } 1166 #endif 1167 1168 static void 1169 marshal_u32(struct buffer* b, uint32_t v) 1170 { 1171 buffer_reserve(b, 4); 1172 buffer_write_u32(b, v); 1173 } 1174 1175 static uint32_t 1176 unmarshal_u32(struct buffer* b) 1177 { 1178 return buffer_read_u32(b); 1179 } 1180 1181 static void 1182 marshal_str(struct buffer* b, const char* s) 1183 { 1184 if(!s) marshal_u8(b, 0); 1185 else { 1186 size_t len = strlen(s); 1187 marshal_u8(b, 1); 1188 buffer_reserve(b, len+1); 1189 buffer_write(b, s, len+1); 1190 } 1191 } 1192 1193 static char* 1194 unmarshal_str(region_type* r, struct buffer* b) 1195 { 1196 uint8_t nonnull = unmarshal_u8(b); 1197 if(nonnull) { 1198 char* result = region_strdup(r, (char*)buffer_current(b)); 1199 size_t len = strlen((char*)buffer_current(b)); 1200 buffer_skip(b, len+1); 1201 return result; 1202 } else return NULL; 1203 } 1204 1205 static void 1206 marshal_acl(struct buffer* b, struct acl_options* acl) 1207 { 1208 buffer_reserve(b, sizeof(*acl)); 1209 buffer_write(b, acl, sizeof(*acl)); 1210 marshal_str(b, acl->ip_address_spec); 1211 marshal_str(b, acl->key_name); 1212 marshal_str(b, acl->tls_auth_name); 1213 } 1214 1215 static struct acl_options* 1216 unmarshal_acl(region_type* r, struct buffer* b) 1217 { 1218 struct acl_options* acl = (struct acl_options*)region_alloc(r, 1219 sizeof(*acl)); 1220 buffer_read(b, acl, sizeof(*acl)); 1221 acl->next = NULL; 1222 acl->key_options = NULL; 1223 acl->tls_auth_options = NULL; 1224 acl->ip_address_spec = unmarshal_str(r, b); 1225 acl->key_name = unmarshal_str(r, b); 1226 acl->tls_auth_name = unmarshal_str(r, b); 1227 return acl; 1228 } 1229 1230 static void 1231 marshal_acl_list(struct buffer* b, struct acl_options* list) 1232 { 1233 while(list) { 1234 marshal_u8(b, 1); /* is there a next one marker */ 1235 marshal_acl(b, list); 1236 list = list->next; 1237 } 1238 marshal_u8(b, 0); /* end of list marker */ 1239 } 1240 1241 static struct acl_options* 1242 unmarshal_acl_list(region_type* r, struct buffer* b) 1243 { 1244 struct acl_options* a, *last=NULL, *list=NULL; 1245 while(unmarshal_u8(b)) { 1246 a = unmarshal_acl(r, b); 1247 /* link in */ 1248 a->next = NULL; 1249 if(!list) list = a; 1250 else last->next = a; 1251 last = a; 1252 } 1253 return list; 1254 } 1255 1256 void 1257 pattern_options_marshal(struct buffer* b, struct pattern_options* p) 1258 { 1259 marshal_str(b, p->pname); 1260 marshal_str(b, p->zonefile); 1261 marshal_str(b, p->zonestats); 1262 #ifdef RATELIMIT 1263 marshal_u16(b, p->rrl_whitelist); 1264 #endif 1265 marshal_u8(b, p->allow_axfr_fallback); 1266 marshal_u8(b, p->allow_axfr_fallback_is_default); 1267 marshal_u8(b, p->notify_retry); 1268 marshal_u8(b, p->notify_retry_is_default); 1269 marshal_u8(b, p->implicit); 1270 marshal_u64(b, p->size_limit_xfr); 1271 marshal_acl_list(b, p->allow_notify); 1272 marshal_acl_list(b, p->request_xfr); 1273 marshal_acl_list(b, p->notify); 1274 marshal_acl_list(b, p->provide_xfr); 1275 marshal_acl_list(b, p->allow_query); 1276 marshal_acl_list(b, p->outgoing_interface); 1277 marshal_u32(b, p->max_refresh_time); 1278 marshal_u8(b, p->max_refresh_time_is_default); 1279 marshal_u32(b, p->min_refresh_time); 1280 marshal_u8(b, p->min_refresh_time_is_default); 1281 marshal_u32(b, p->max_retry_time); 1282 marshal_u8(b, p->max_retry_time_is_default); 1283 marshal_u32(b, p->min_retry_time); 1284 marshal_u8(b, p->min_retry_time_is_default); 1285 marshal_u32(b, p->min_expire_time); 1286 marshal_u8(b, p->min_expire_time_expr); 1287 marshal_u8(b, p->multi_master_check); 1288 } 1289 1290 struct pattern_options* 1291 pattern_options_unmarshal(region_type* r, struct buffer* b) 1292 { 1293 struct pattern_options* p = pattern_options_create(r); 1294 p->pname = unmarshal_str(r, b); 1295 p->zonefile = unmarshal_str(r, b); 1296 p->zonestats = unmarshal_str(r, b); 1297 #ifdef RATELIMIT 1298 p->rrl_whitelist = unmarshal_u16(b); 1299 #endif 1300 p->allow_axfr_fallback = unmarshal_u8(b); 1301 p->allow_axfr_fallback_is_default = unmarshal_u8(b); 1302 p->notify_retry = unmarshal_u8(b); 1303 p->notify_retry_is_default = unmarshal_u8(b); 1304 p->implicit = unmarshal_u8(b); 1305 p->size_limit_xfr = unmarshal_u64(b); 1306 p->allow_notify = unmarshal_acl_list(r, b); 1307 p->request_xfr = unmarshal_acl_list(r, b); 1308 p->notify = unmarshal_acl_list(r, b); 1309 p->provide_xfr = unmarshal_acl_list(r, b); 1310 p->allow_query = unmarshal_acl_list(r, b); 1311 p->outgoing_interface = unmarshal_acl_list(r, b); 1312 p->max_refresh_time = unmarshal_u32(b); 1313 p->max_refresh_time_is_default = unmarshal_u8(b); 1314 p->min_refresh_time = unmarshal_u32(b); 1315 p->min_refresh_time_is_default = unmarshal_u8(b); 1316 p->max_retry_time = unmarshal_u32(b); 1317 p->max_retry_time_is_default = unmarshal_u8(b); 1318 p->min_retry_time = unmarshal_u32(b); 1319 p->min_retry_time_is_default = unmarshal_u8(b); 1320 p->min_expire_time = unmarshal_u32(b); 1321 p->min_expire_time_expr = unmarshal_u8(b); 1322 p->multi_master_check = unmarshal_u8(b); 1323 return p; 1324 } 1325 1326 struct key_options* 1327 key_options_create(region_type* region) 1328 { 1329 struct key_options* key; 1330 key = (struct key_options*)region_alloc_zero(region, 1331 sizeof(struct key_options)); 1332 return key; 1333 } 1334 1335 struct tls_auth_options* 1336 tls_auth_options_create(region_type* region) 1337 { 1338 struct tls_auth_options* tls_auth_options; 1339 tls_auth_options = (struct tls_auth_options*)region_alloc_zero(region, sizeof(struct tls_auth_options)); 1340 return tls_auth_options; 1341 } 1342 1343 void 1344 key_options_insert(struct nsd_options* opt, struct key_options* key) 1345 { 1346 if(!key->name) return; 1347 key->node.key = key->name; 1348 (void)rbtree_insert(opt->keys, &key->node); 1349 } 1350 1351 struct key_options* 1352 key_options_find(struct nsd_options* opt, const char* name) 1353 { 1354 return (struct key_options*)rbtree_search(opt->keys, name); 1355 } 1356 1357 void 1358 tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth) 1359 { 1360 if(!auth->name) return; 1361 auth->node.key = auth->name; 1362 (void)rbtree_insert(opt->tls_auths, &auth->node); 1363 } 1364 1365 struct tls_auth_options* 1366 tls_auth_options_find(struct nsd_options* opt, const char* name) 1367 { 1368 return (struct tls_auth_options*)rbtree_search(opt->tls_auths, name); 1369 } 1370 1371 /** remove tsig_key contents */ 1372 void 1373 key_options_desetup(region_type* region, struct key_options* key) 1374 { 1375 /* keep tsig_key pointer so that existing references keep valid */ 1376 if(!key->tsig_key) 1377 return; 1378 /* name stays the same */ 1379 if(key->tsig_key->data) { 1380 /* wipe secret! */ 1381 memset(key->tsig_key->data, 0xdd, key->tsig_key->size); 1382 region_recycle(region, key->tsig_key->data, 1383 key->tsig_key->size); 1384 key->tsig_key->data = NULL; 1385 key->tsig_key->size = 0; 1386 } 1387 } 1388 1389 /** add tsig_key contents */ 1390 void 1391 key_options_setup(region_type* region, struct key_options* key) 1392 { 1393 uint8_t data[16384]; /* 16KB */ 1394 int size; 1395 if(!key->tsig_key) { 1396 /* create it */ 1397 key->tsig_key = (tsig_key_type *) region_alloc(region, 1398 sizeof(tsig_key_type)); 1399 /* create name */ 1400 key->tsig_key->name = dname_parse(region, key->name); 1401 if(!key->tsig_key->name) { 1402 log_msg(LOG_ERR, "Failed to parse tsig key name %s", 1403 key->name); 1404 /* key and base64 were checked during syntax parse */ 1405 exit(1); 1406 } 1407 key->tsig_key->size = 0; 1408 key->tsig_key->data = NULL; 1409 } 1410 size = __b64_pton(key->secret, data, sizeof(data)); 1411 if(size == -1) { 1412 log_msg(LOG_ERR, "Failed to parse tsig key data %s", 1413 key->name); 1414 /* key and base64 were checked during syntax parse */ 1415 exit(1); 1416 } 1417 key->tsig_key->size = size; 1418 key->tsig_key->data = (uint8_t *)region_alloc_init(region, data, size); 1419 } 1420 1421 void 1422 key_options_remove(struct nsd_options* opt, const char* name) 1423 { 1424 struct key_options* k = key_options_find(opt, name); 1425 if(!k) return; 1426 (void)rbtree_delete(opt->keys, name); 1427 if(k->name) 1428 region_recycle(opt->region, k->name, strlen(k->name)+1); 1429 if(k->algorithm) 1430 region_recycle(opt->region, k->algorithm, strlen(k->algorithm)+1); 1431 if(k->secret) { 1432 memset(k->secret, 0xdd, strlen(k->secret)); /* wipe secret! */ 1433 region_recycle(opt->region, k->secret, strlen(k->secret)+1); 1434 } 1435 if(k->tsig_key) { 1436 tsig_del_key(k->tsig_key); 1437 if(k->tsig_key->name) 1438 region_recycle(opt->region, (void*)k->tsig_key->name, 1439 dname_total_size(k->tsig_key->name)); 1440 key_options_desetup(opt->region, k); 1441 region_recycle(opt->region, k->tsig_key, sizeof(tsig_key_type)); 1442 } 1443 region_recycle(opt->region, k, sizeof(struct key_options)); 1444 } 1445 1446 int 1447 key_options_equal(struct key_options* p, struct key_options* q) 1448 { 1449 return strcmp(p->name, q->name)==0 && strcmp(p->algorithm, 1450 q->algorithm)==0 && strcmp(p->secret, q->secret)==0; 1451 } 1452 1453 void 1454 key_options_add_modify(struct nsd_options* opt, struct key_options* key) 1455 { 1456 struct key_options* orig = key_options_find(opt, key->name); 1457 if(!orig) { 1458 /* needs to be copied to opt region */ 1459 orig = key_options_create(opt->region); 1460 orig->name = region_strdup(opt->region, key->name); 1461 orig->algorithm = region_strdup(opt->region, key->algorithm); 1462 orig->secret = region_strdup(opt->region, key->secret); 1463 key_options_setup(opt->region, orig); 1464 tsig_add_key(orig->tsig_key); 1465 key_options_insert(opt, orig); 1466 } else { 1467 /* modify entries in existing key, and copy to opt region */ 1468 key_options_desetup(opt->region, orig); 1469 region_recycle(opt->region, orig->algorithm, 1470 strlen(orig->algorithm)+1); 1471 orig->algorithm = region_strdup(opt->region, key->algorithm); 1472 region_recycle(opt->region, orig->secret, 1473 strlen(orig->secret)+1); 1474 orig->secret = region_strdup(opt->region, key->secret); 1475 key_options_setup(opt->region, orig); 1476 } 1477 } 1478 1479 int 1480 acl_check_incoming(struct acl_options* acl, struct query* q, 1481 struct acl_options** reason) 1482 { 1483 /* check each acl element. 1484 if 1 blocked element matches - return -1. 1485 if any element matches - return number. 1486 else return -1. */ 1487 int found_match = -1; 1488 int number = 0; 1489 struct acl_options* match = 0; 1490 1491 if(reason) 1492 *reason = NULL; 1493 1494 while(acl) 1495 { 1496 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "testing acl %s %s", 1497 acl->ip_address_spec, acl->nokey?"NOKEY": 1498 (acl->blocked?"BLOCKED":acl->key_name))); 1499 if(acl_addr_matches(acl, q) && acl_key_matches(acl, q)) { 1500 if(!match) 1501 { 1502 match = acl; /* remember first match */ 1503 found_match=number; 1504 } 1505 if(acl->blocked) { 1506 if(reason) 1507 *reason = acl; 1508 return -1; 1509 } 1510 } 1511 number++; 1512 acl = acl->next; 1513 } 1514 1515 if(reason) 1516 *reason = match; 1517 return found_match; 1518 } 1519 1520 #ifdef INET6 1521 int 1522 acl_addr_matches_ipv6host(struct acl_options* acl, struct sockaddr_storage* addr_storage, unsigned int port) 1523 { 1524 struct sockaddr_in6* addr = (struct sockaddr_in6*)addr_storage; 1525 if(acl->port != 0 && acl->port != port) 1526 return 0; 1527 switch(acl->rangetype) { 1528 case acl_range_mask: 1529 case acl_range_subnet: 1530 if(!acl_addr_match_mask((uint32_t*)&acl->addr.addr6, (uint32_t*)&addr->sin6_addr, 1531 (uint32_t*)&acl->range_mask.addr6, sizeof(struct in6_addr))) 1532 return 0; 1533 break; 1534 case acl_range_minmax: 1535 if(!acl_addr_match_range_v6((uint32_t*)&acl->addr.addr6, (uint32_t*)&addr->sin6_addr, 1536 (uint32_t*)&acl->range_mask.addr6, sizeof(struct in6_addr))) 1537 return 0; 1538 break; 1539 case acl_range_single: 1540 default: 1541 if(memcmp(&addr->sin6_addr, &acl->addr.addr6, 1542 sizeof(struct in6_addr)) != 0) 1543 return 0; 1544 break; 1545 } 1546 return 1; 1547 } 1548 #endif 1549 1550 int 1551 acl_addr_matches_ipv4host(struct acl_options* acl, struct sockaddr_in* addr, unsigned int port) 1552 { 1553 if(acl->port != 0 && acl->port != port) 1554 return 0; 1555 switch(acl->rangetype) { 1556 case acl_range_mask: 1557 case acl_range_subnet: 1558 if(!acl_addr_match_mask((uint32_t*)&acl->addr.addr, (uint32_t*)&addr->sin_addr, 1559 (uint32_t*)&acl->range_mask.addr, sizeof(struct in_addr))) 1560 return 0; 1561 break; 1562 case acl_range_minmax: 1563 if(!acl_addr_match_range_v4((uint32_t*)&acl->addr.addr, (uint32_t*)&addr->sin_addr, 1564 (uint32_t*)&acl->range_mask.addr, sizeof(struct in_addr))) 1565 return 0; 1566 break; 1567 case acl_range_single: 1568 default: 1569 if(memcmp(&addr->sin_addr, &acl->addr.addr, 1570 sizeof(struct in_addr)) != 0) 1571 return 0; 1572 break; 1573 } 1574 return 1; 1575 } 1576 1577 int 1578 acl_addr_matches_host(struct acl_options* acl, struct acl_options* host) 1579 { 1580 if(acl->is_ipv6) 1581 { 1582 #ifdef INET6 1583 struct sockaddr_storage* addr = (struct sockaddr_storage*)&host->addr; 1584 if(!host->is_ipv6) return 0; 1585 return acl_addr_matches_ipv6host(acl, addr, host->port); 1586 #else 1587 return 0; /* no inet6, no match */ 1588 #endif 1589 } 1590 else 1591 { 1592 struct sockaddr_in* addr = (struct sockaddr_in*)&host->addr; 1593 if(host->is_ipv6) return 0; 1594 return acl_addr_matches_ipv4host(acl, addr, host->port); 1595 } 1596 /* ENOTREACH */ 1597 return 0; 1598 } 1599 1600 int 1601 acl_addr_matches(struct acl_options* acl, struct query* q) 1602 { 1603 if(acl->is_ipv6) 1604 { 1605 #ifdef INET6 1606 struct sockaddr_storage* addr = (struct sockaddr_storage*)&q->addr; 1607 if(addr->ss_family != AF_INET6) 1608 return 0; 1609 return acl_addr_matches_ipv6host(acl, addr, ntohs(((struct sockaddr_in6*)addr)->sin6_port)); 1610 #else 1611 return 0; /* no inet6, no match */ 1612 #endif 1613 } 1614 else 1615 { 1616 struct sockaddr_in* addr = (struct sockaddr_in*)&q->addr; 1617 if(addr->sin_family != AF_INET) 1618 return 0; 1619 return acl_addr_matches_ipv4host(acl, addr, ntohs(addr->sin_port)); 1620 } 1621 /* ENOTREACH */ 1622 return 0; 1623 } 1624 1625 int 1626 acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz) 1627 { 1628 size_t i; 1629 #ifndef NDEBUG 1630 assert(sz % 4 == 0); 1631 #endif 1632 sz /= 4; 1633 for(i=0; i<sz; ++i) 1634 { 1635 if(((*a++)&*mask) != ((*b++)&*mask)) 1636 return 0; 1637 ++mask; 1638 } 1639 return 1; 1640 } 1641 1642 int 1643 acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz) 1644 { 1645 assert(sz == 4); (void)sz; 1646 /* check treats x as one huge number */ 1647 1648 /* if outside bounds, we are done */ 1649 if(*minval > *x) 1650 return 0; 1651 if(*maxval < *x) 1652 return 0; 1653 1654 return 1; 1655 } 1656 1657 #ifdef INET6 1658 int 1659 acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz) 1660 { 1661 size_t i; 1662 uint8_t checkmin = 1, checkmax = 1; 1663 #ifndef NDEBUG 1664 assert(sz % 4 == 0); 1665 #endif 1666 /* check treats x as one huge number */ 1667 sz /= 4; 1668 for(i=0; i<sz; ++i) 1669 { 1670 /* if outside bounds, we are done */ 1671 if(checkmin) 1672 if(minval[i] > x[i]) 1673 return 0; 1674 if(checkmax) 1675 if(maxval[i] < x[i]) 1676 return 0; 1677 /* if x is equal to a bound, that bound needs further checks */ 1678 if(checkmin && minval[i]!=x[i]) 1679 checkmin = 0; 1680 if(checkmax && maxval[i]!=x[i]) 1681 checkmax = 0; 1682 if(!checkmin && !checkmax) 1683 return 1; /* will always match */ 1684 } 1685 return 1; 1686 } 1687 #endif /* INET6 */ 1688 1689 int 1690 acl_key_matches(struct acl_options* acl, struct query* q) 1691 { 1692 if(acl->blocked) 1693 return 1; 1694 if(acl->nokey) { 1695 if(q->tsig.status == TSIG_NOT_PRESENT) 1696 return 1; 1697 return 0; 1698 } 1699 /* check name of tsig key */ 1700 if(q->tsig.status != TSIG_OK) { 1701 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail query has no TSIG")); 1702 return 0; /* query has no TSIG */ 1703 } 1704 if(q->tsig.error_code != TSIG_ERROR_NOERROR) { 1705 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail, tsig has error")); 1706 return 0; /* some tsig error */ 1707 } 1708 if(!acl->key_options->tsig_key) { 1709 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail no config")); 1710 return 0; /* key not properly configured */ 1711 } 1712 if(dname_compare(q->tsig.key_name, 1713 acl->key_options->tsig_key->name) != 0) { 1714 DEBUG(DEBUG_XFRD,2, (LOG_INFO, "keymatch fail wrong key name")); 1715 return 0; /* wrong key name */ 1716 } 1717 if(tsig_strlowercmp(q->tsig.algorithm->short_name, 1718 acl->key_options->algorithm) != 0 && ( 1719 strncmp("hmac-", q->tsig.algorithm->short_name, 5) != 0 || 1720 tsig_strlowercmp(q->tsig.algorithm->short_name+5, 1721 acl->key_options->algorithm) != 0) ) { 1722 DEBUG(DEBUG_XFRD,2, (LOG_ERR, "query tsig wrong algorithm")); 1723 return 0; /* no such algo */ 1724 } 1725 return 1; 1726 } 1727 1728 int 1729 acl_same_host(struct acl_options* a, struct acl_options* b) 1730 { 1731 if(a->is_ipv6 && !b->is_ipv6) 1732 return 0; 1733 if(!a->is_ipv6 && b->is_ipv6) 1734 return 0; 1735 if(a->port != b->port) 1736 return 0; 1737 if(a->rangetype != b->rangetype) 1738 return 0; 1739 if(!a->is_ipv6) { 1740 if(memcmp(&a->addr.addr, &b->addr.addr, 1741 sizeof(struct in_addr)) != 0) 1742 return 0; 1743 if(a->rangetype != acl_range_single && 1744 memcmp(&a->range_mask.addr, &b->range_mask.addr, 1745 sizeof(struct in_addr)) != 0) 1746 return 0; 1747 } else { 1748 #ifdef INET6 1749 if(memcmp(&a->addr.addr6, &b->addr.addr6, 1750 sizeof(struct in6_addr)) != 0) 1751 return 0; 1752 if(a->rangetype != acl_range_single && 1753 memcmp(&a->range_mask.addr6, &b->range_mask.addr6, 1754 sizeof(struct in6_addr)) != 0) 1755 return 0; 1756 #else 1757 return 0; 1758 #endif 1759 } 1760 return 1; 1761 } 1762 1763 #if defined(HAVE_SSL) 1764 void 1765 key_options_tsig_add(struct nsd_options* opt) 1766 { 1767 struct key_options* optkey; 1768 RBTREE_FOR(optkey, struct key_options*, opt->keys) { 1769 key_options_setup(opt->region, optkey); 1770 tsig_add_key(optkey->tsig_key); 1771 } 1772 } 1773 #endif 1774 1775 int 1776 zone_is_slave(struct zone_options* opt) 1777 { 1778 return opt && opt->pattern && opt->pattern->request_xfr != 0; 1779 } 1780 1781 /* get a character in string (or replacement char if not long enough) */ 1782 static const char* 1783 get_char(const char* str, size_t i) 1784 { 1785 static char res[2]; 1786 if(i >= strlen(str)) 1787 return "."; 1788 res[0] = str[i]; 1789 res[1] = 0; 1790 return res; 1791 } 1792 /* get end label of the zone name (or .) */ 1793 static const char* 1794 get_end_label(struct zone_options* zone, int i) 1795 { 1796 const dname_type* d = (const dname_type*)zone->node.key; 1797 if(i >= d->label_count) { 1798 return "."; 1799 } 1800 return wirelabel2str(dname_label(d, i)); 1801 } 1802 /* replace occurrences of one with two */ 1803 void 1804 replace_str(char* str, size_t len, const char* one, const char* two) 1805 { 1806 char* pos; 1807 char* at = str; 1808 while( (pos=strstr(at, one)) ) { 1809 if(strlen(str)+strlen(two)-strlen(one) >= len) 1810 return; /* no more space to replace */ 1811 /* stuff before pos is fine */ 1812 /* move the stuff after pos to make space for two, add 1813 * one to length of remainder to also copy the 0 byte end */ 1814 memmove(pos+strlen(two), pos+strlen(one), 1815 strlen(pos+strlen(one))+1); 1816 /* copy in two */ 1817 memmove(pos, two, strlen(two)); 1818 /* at is end of the newly inserted two (avoids recursion if 1819 * two contains one) */ 1820 at = pos+strlen(two); 1821 } 1822 } 1823 1824 const char* 1825 config_cook_string(struct zone_options* zone, const char* input) 1826 { 1827 static char f[1024]; 1828 /* if not a template, return as-is */ 1829 if(!strchr(input, '%')) { 1830 return input; 1831 } 1832 strlcpy(f, input, sizeof(f)); 1833 if(strstr(f, "%1")) 1834 replace_str(f, sizeof(f), "%1", get_char(zone->name, 0)); 1835 if(strstr(f, "%2")) 1836 replace_str(f, sizeof(f), "%2", get_char(zone->name, 1)); 1837 if(strstr(f, "%3")) 1838 replace_str(f, sizeof(f), "%3", get_char(zone->name, 2)); 1839 if(strstr(f, "%z")) 1840 replace_str(f, sizeof(f), "%z", get_end_label(zone, 1)); 1841 if(strstr(f, "%y")) 1842 replace_str(f, sizeof(f), "%y", get_end_label(zone, 2)); 1843 if(strstr(f, "%x")) 1844 replace_str(f, sizeof(f), "%x", get_end_label(zone, 3)); 1845 if(strstr(f, "%s")) 1846 replace_str(f, sizeof(f), "%s", zone->name); 1847 return f; 1848 } 1849 1850 const char* 1851 config_make_zonefile(struct zone_options* zone, struct nsd* nsd) 1852 { 1853 static char f[1024]; 1854 /* if not a template, return as-is */ 1855 if(!strchr(zone->pattern->zonefile, '%')) { 1856 if (nsd->chrootdir && nsd->chrootdir[0] && 1857 zone->pattern->zonefile && 1858 zone->pattern->zonefile[0] == '/' && 1859 strncmp(zone->pattern->zonefile, nsd->chrootdir, 1860 strlen(nsd->chrootdir)) == 0) 1861 /* -1 because chrootdir ends in trailing slash */ 1862 return zone->pattern->zonefile + strlen(nsd->chrootdir) - 1; 1863 return zone->pattern->zonefile; 1864 } 1865 strlcpy(f, zone->pattern->zonefile, sizeof(f)); 1866 if(strstr(f, "%1")) 1867 replace_str(f, sizeof(f), "%1", get_char(zone->name, 0)); 1868 if(strstr(f, "%2")) 1869 replace_str(f, sizeof(f), "%2", get_char(zone->name, 1)); 1870 if(strstr(f, "%3")) 1871 replace_str(f, sizeof(f), "%3", get_char(zone->name, 2)); 1872 if(strstr(f, "%z")) 1873 replace_str(f, sizeof(f), "%z", get_end_label(zone, 1)); 1874 if(strstr(f, "%y")) 1875 replace_str(f, sizeof(f), "%y", get_end_label(zone, 2)); 1876 if(strstr(f, "%x")) 1877 replace_str(f, sizeof(f), "%x", get_end_label(zone, 3)); 1878 if(strstr(f, "%s")) 1879 replace_str(f, sizeof(f), "%s", zone->name); 1880 if (nsd->chrootdir && nsd->chrootdir[0] && f[0] == '/' && 1881 strncmp(f, nsd->chrootdir, strlen(nsd->chrootdir)) == 0) 1882 /* -1 because chrootdir ends in trailing slash */ 1883 return f + strlen(nsd->chrootdir) - 1; 1884 return f; 1885 } 1886 1887 struct zone_options* 1888 zone_options_find(struct nsd_options* opt, const struct dname* apex) 1889 { 1890 return (struct zone_options*) rbtree_search(opt->zone_options, apex); 1891 } 1892 1893 struct acl_options* 1894 acl_find_num(struct acl_options* acl, int num) 1895 { 1896 int count = num; 1897 if(num < 0) 1898 return 0; 1899 while(acl && count > 0) { 1900 acl = acl->next; 1901 count--; 1902 } 1903 if(count == 0) 1904 return acl; 1905 return 0; 1906 } 1907 1908 /* true if ipv6 address, false if ipv4 */ 1909 int 1910 parse_acl_is_ipv6(const char* p) 1911 { 1912 /* see if addr is ipv6 or ipv4 -- by : and . */ 1913 while(*p) { 1914 if(*p == '.') return 0; 1915 if(*p == ':') return 1; 1916 ++p; 1917 } 1918 return 0; 1919 } 1920 1921 /* returns range type. mask is the 2nd part of the range */ 1922 int 1923 parse_acl_range_type(char* ip, char** mask) 1924 { 1925 char *p; 1926 if((p=strchr(ip, '&'))!=0) { 1927 *p = 0; 1928 *mask = p+1; 1929 return acl_range_mask; 1930 } 1931 if((p=strchr(ip, '/'))!=0) { 1932 *p = 0; 1933 *mask = p+1; 1934 return acl_range_subnet; 1935 } 1936 if((p=strchr(ip, '-'))!=0) { 1937 *p = 0; 1938 *mask = p+1; 1939 return acl_range_minmax; 1940 } 1941 *mask = 0; 1942 return acl_range_single; 1943 } 1944 1945 /* parses subnet mask, fills 0 mask as well */ 1946 void 1947 parse_acl_range_subnet(char* p, void* addr, int maxbits) 1948 { 1949 int subnet_bits = atoi(p); 1950 uint8_t* addr_bytes = (uint8_t*)addr; 1951 if(subnet_bits == 0 && strcmp(p, "0")!=0) { 1952 c_error("bad subnet range '%s'", p); 1953 return; 1954 } 1955 if(subnet_bits < 0 || subnet_bits > maxbits) { 1956 c_error("subnet of %d bits out of range [0..%d]", subnet_bits, maxbits); 1957 return; 1958 } 1959 /* fill addr with n bits of 1s (struct has been zeroed) */ 1960 while(subnet_bits >= 8) { 1961 *addr_bytes++ = 0xff; 1962 subnet_bits -= 8; 1963 } 1964 if(subnet_bits > 0) { 1965 uint8_t shifts[] = {0x0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff}; 1966 *addr_bytes = shifts[subnet_bits]; 1967 } 1968 } 1969 1970 struct acl_options* 1971 parse_acl_info(region_type* region, char* ip, const char* key) 1972 { 1973 char* p; 1974 struct acl_options* acl = (struct acl_options*)region_alloc(region, 1975 sizeof(struct acl_options)); 1976 acl->next = 0; 1977 /* ip */ 1978 acl->ip_address_spec = region_strdup(region, ip); 1979 acl->use_axfr_only = 0; 1980 acl->allow_udp = 0; 1981 acl->ixfr_disabled = 0; 1982 acl->bad_xfr_count = 0; 1983 acl->key_options = 0; 1984 acl->tls_auth_options = 0; 1985 acl->tls_auth_name = 0; 1986 acl->is_ipv6 = 0; 1987 acl->port = 0; 1988 memset(&acl->addr, 0, sizeof(union acl_addr_storage)); 1989 memset(&acl->range_mask, 0, sizeof(union acl_addr_storage)); 1990 if((p=strrchr(ip, '@'))!=0) { 1991 if(atoi(p+1) == 0) c_error("expected port number after '@'"); 1992 else acl->port = atoi(p+1); 1993 *p=0; 1994 } 1995 acl->rangetype = parse_acl_range_type(ip, &p); 1996 if(parse_acl_is_ipv6(ip)) { 1997 acl->is_ipv6 = 1; 1998 #ifdef INET6 1999 if(inet_pton(AF_INET6, ip, &acl->addr.addr6) != 1) 2000 c_error("Bad ip6 address '%s'", ip); 2001 if(acl->rangetype==acl_range_mask || acl->rangetype==acl_range_minmax) { 2002 assert(p); 2003 if(inet_pton(AF_INET6, p, &acl->range_mask.addr6) != 1) 2004 c_error("Bad ip6 address mask '%s'", p); 2005 } 2006 if(acl->rangetype==acl_range_subnet) { 2007 assert(p); 2008 parse_acl_range_subnet(p, &acl->range_mask.addr6, 128); 2009 } 2010 #else 2011 c_error("encountered IPv6 address '%s'.", ip); 2012 #endif /* INET6 */ 2013 } else { 2014 acl->is_ipv6 = 0; 2015 if(inet_pton(AF_INET, ip, &acl->addr.addr) != 1) 2016 c_error("Bad ip4 address '%s'", ip); 2017 if(acl->rangetype==acl_range_mask || acl->rangetype==acl_range_minmax) { 2018 assert(p); 2019 if(inet_pton(AF_INET, p, &acl->range_mask.addr) != 1) 2020 c_error("Bad ip4 address mask '%s'", p); 2021 } 2022 if(acl->rangetype==acl_range_subnet) { 2023 assert(p); 2024 parse_acl_range_subnet(p, &acl->range_mask.addr, 32); 2025 } 2026 } 2027 2028 /* key */ 2029 if(strcmp(key, "NOKEY")==0) { 2030 acl->nokey = 1; 2031 acl->blocked = 0; 2032 acl->key_name = 0; 2033 } else if(strcmp(key, "BLOCKED")==0) { 2034 acl->nokey = 0; 2035 acl->blocked = 1; 2036 acl->key_name = 0; 2037 } else { 2038 acl->nokey = 0; 2039 acl->blocked = 0; 2040 acl->key_name = region_strdup(region, key); 2041 } 2042 return acl; 2043 } 2044 2045 /* copy acl list at end of parser start, update current */ 2046 static 2047 void copy_and_append_acls(struct acl_options** start, struct acl_options* list) 2048 { 2049 struct acl_options *tail = NULL; 2050 2051 assert(start != NULL); 2052 2053 tail = *start; 2054 if(tail) { 2055 while(tail->next) { 2056 tail = tail->next; 2057 } 2058 } 2059 2060 while(list) { 2061 struct acl_options* acl = copy_acl(cfg_parser->opt->region, 2062 list); 2063 acl->next = NULL; 2064 if(tail) { 2065 tail->next = acl; 2066 } else { 2067 *start = acl; 2068 } 2069 tail = acl; 2070 list = list->next; 2071 } 2072 } 2073 2074 void 2075 config_apply_pattern(struct pattern_options *dest, const char* name) 2076 { 2077 /* find the pattern */ 2078 struct pattern_options* pat = pattern_options_find(cfg_parser->opt, 2079 name); 2080 if(!pat) { 2081 c_error("could not find pattern %s", name); 2082 return; 2083 } 2084 2085 /* apply settings */ 2086 if(pat->zonefile) 2087 dest->zonefile = region_strdup(cfg_parser->opt->region, 2088 pat->zonefile); 2089 if(pat->zonestats) 2090 dest->zonestats = region_strdup(cfg_parser->opt->region, 2091 pat->zonestats); 2092 if(!pat->allow_axfr_fallback_is_default) { 2093 dest->allow_axfr_fallback = pat->allow_axfr_fallback; 2094 dest->allow_axfr_fallback_is_default = 0; 2095 } 2096 if(!pat->notify_retry_is_default) { 2097 dest->notify_retry = pat->notify_retry; 2098 dest->notify_retry_is_default = 0; 2099 } 2100 if(!pat->max_refresh_time_is_default) { 2101 dest->max_refresh_time = pat->max_refresh_time; 2102 dest->max_refresh_time_is_default = 0; 2103 } 2104 if(!pat->min_refresh_time_is_default) { 2105 dest->min_refresh_time = pat->min_refresh_time; 2106 dest->min_refresh_time_is_default = 0; 2107 } 2108 if(!pat->max_retry_time_is_default) { 2109 dest->max_retry_time = pat->max_retry_time; 2110 dest->max_retry_time_is_default = 0; 2111 } 2112 if(!pat->min_retry_time_is_default) { 2113 dest->min_retry_time = pat->min_retry_time; 2114 dest->min_retry_time_is_default = 0; 2115 } 2116 if(!expire_time_is_default(pat->min_expire_time_expr)) { 2117 dest->min_expire_time = pat->min_expire_time; 2118 dest->min_expire_time_expr = pat->min_expire_time_expr; 2119 } 2120 dest->size_limit_xfr = pat->size_limit_xfr; 2121 #ifdef RATELIMIT 2122 dest->rrl_whitelist |= pat->rrl_whitelist; 2123 #endif 2124 /* append acl items */ 2125 copy_and_append_acls(&dest->allow_notify, pat->allow_notify); 2126 copy_and_append_acls(&dest->request_xfr, pat->request_xfr); 2127 copy_and_append_acls(&dest->notify, pat->notify); 2128 copy_and_append_acls(&dest->provide_xfr, pat->provide_xfr); 2129 copy_and_append_acls(&dest->allow_query, pat->allow_query); 2130 copy_and_append_acls(&dest->outgoing_interface, pat->outgoing_interface); 2131 if(pat->multi_master_check) 2132 dest->multi_master_check = pat->multi_master_check; 2133 } 2134 2135 void 2136 nsd_options_destroy(struct nsd_options* opt) 2137 { 2138 region_destroy(opt->region); 2139 #ifdef MEMCLEAN /* OS collects memory pages */ 2140 c_lex_destroy(); 2141 #endif 2142 } 2143 2144 unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt) 2145 { 2146 #ifdef USE_ZONE_STATS 2147 const char* statname; 2148 struct zonestatname* n; 2149 rbnode_type* res; 2150 /* try to find the instantiated zonestat name */ 2151 if(!zopt->pattern->zonestats || zopt->pattern->zonestats[0]==0) 2152 return 0; /* no zone stats */ 2153 statname = config_cook_string(zopt, zopt->pattern->zonestats); 2154 res = rbtree_search(opt->zonestatnames, statname); 2155 if(res) 2156 return ((struct zonestatname*)res)->id; 2157 /* create it */ 2158 n = (struct zonestatname*)region_alloc_zero(opt->region, sizeof(*n)); 2159 n->node.key = region_strdup(opt->region, statname); 2160 if(!n->node.key) { 2161 log_msg(LOG_ERR, "malloc failed: %s", strerror(errno)); 2162 exit(1); 2163 } 2164 n->id = (unsigned)(opt->zonestatnames->count); 2165 rbtree_insert(opt->zonestatnames, (rbnode_type*)n); 2166 return n->id; 2167 #else /* USE_ZONE_STATS */ 2168 (void)opt; (void)zopt; 2169 return 0; 2170 #endif /* USE_ZONE_STATS */ 2171 } 2172 2173 /** check if config turns on IP-address interface with certificates or a 2174 * named pipe without certificates. */ 2175 int 2176 options_remote_is_address(struct nsd_options* cfg) 2177 { 2178 if(!cfg->control_enable) return 0; 2179 if(!cfg->control_interface) return 1; 2180 if(!cfg->control_interface->address) return 1; 2181 if(cfg->control_interface->address[0] == 0) return 1; 2182 return (cfg->control_interface->address[0] != '/'); 2183 } 2184 2185 #ifdef HAVE_GETIFADDRS 2186 static void 2187 resolve_ifa_name(struct ifaddrs *ifas, const char *search_ifa, char ***ip_addresses, size_t *ip_addresses_size) 2188 { 2189 struct ifaddrs *ifa; 2190 size_t last_ip_addresses_size = *ip_addresses_size; 2191 2192 for(ifa = ifas; ifa != NULL; ifa = ifa->ifa_next) { 2193 sa_family_t family; 2194 const char* atsign; 2195 #ifdef INET6 /* | address ip | % | ifa name | @ | port | nul */ 2196 char addr_buf[INET6_ADDRSTRLEN + 1 + IF_NAMESIZE + 1 + 16 + 1]; 2197 #else 2198 char addr_buf[INET_ADDRSTRLEN + 1 + 16 + 1]; 2199 #endif 2200 2201 if((atsign=strrchr(search_ifa, '@')) != NULL) { 2202 if(strlen(ifa->ifa_name) != (size_t)(atsign-search_ifa) 2203 || strncmp(ifa->ifa_name, search_ifa, 2204 atsign-search_ifa) != 0) 2205 continue; 2206 } else { 2207 if(strcmp(ifa->ifa_name, search_ifa) != 0) 2208 continue; 2209 atsign = ""; 2210 } 2211 2212 if(ifa->ifa_addr == NULL) 2213 continue; 2214 2215 family = ifa->ifa_addr->sa_family; 2216 if(family == AF_INET) { 2217 char a4[INET_ADDRSTRLEN + 1]; 2218 struct sockaddr_in *in4 = (struct sockaddr_in *) 2219 ifa->ifa_addr; 2220 if(!inet_ntop(family, &in4->sin_addr, a4, sizeof(a4))) 2221 error("inet_ntop"); 2222 snprintf(addr_buf, sizeof(addr_buf), "%s%s", 2223 a4, atsign); 2224 } 2225 #ifdef INET6 2226 else if(family == AF_INET6) { 2227 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) 2228 ifa->ifa_addr; 2229 char a6[INET6_ADDRSTRLEN + 1]; 2230 char if_index_name[IF_NAMESIZE + 1]; 2231 if_index_name[0] = 0; 2232 if(!inet_ntop(family, &in6->sin6_addr, a6, sizeof(a6))) 2233 error("inet_ntop"); 2234 if_indextoname(in6->sin6_scope_id, 2235 (char *)if_index_name); 2236 if (strlen(if_index_name) != 0) { 2237 snprintf(addr_buf, sizeof(addr_buf), 2238 "%s%%%s%s", a6, if_index_name, atsign); 2239 } else { 2240 snprintf(addr_buf, sizeof(addr_buf), "%s%s", 2241 a6, atsign); 2242 } 2243 } 2244 #endif 2245 else { 2246 continue; 2247 } 2248 VERBOSITY(4, (LOG_INFO, "interface %s has address %s", 2249 search_ifa, addr_buf)); 2250 2251 *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); 2252 (*ip_addresses)[*ip_addresses_size] = xstrdup(addr_buf); 2253 (*ip_addresses_size)++; 2254 } 2255 2256 if (*ip_addresses_size == last_ip_addresses_size) { 2257 *ip_addresses = xrealloc(*ip_addresses, sizeof(char *) * (*ip_addresses_size + 1)); 2258 (*ip_addresses)[*ip_addresses_size] = xstrdup(search_ifa); 2259 (*ip_addresses_size)++; 2260 } 2261 } 2262 2263 static void 2264 resolve_interface_names_for_ref(struct ip_address_option** ip_addresses_ref, 2265 struct ifaddrs *addrs, region_type* region) 2266 { 2267 struct ip_address_option *ip_addr; 2268 struct ip_address_option *last = NULL; 2269 struct ip_address_option *first = NULL; 2270 2271 /* replace the list of ip_adresses with a new list where the 2272 * interface names are replaced with their ip-address strings 2273 * from getifaddrs. An interface can have several addresses. */ 2274 for(ip_addr = *ip_addresses_ref; ip_addr; ip_addr = ip_addr->next) { 2275 char **ip_addresses = NULL; 2276 size_t ip_addresses_size = 0, i; 2277 resolve_ifa_name(addrs, ip_addr->address, &ip_addresses, 2278 &ip_addresses_size); 2279 2280 for (i = 0; i < ip_addresses_size; i++) { 2281 struct ip_address_option *current; 2282 /* this copies the range_option, dev, and fib from 2283 * the original ip_address option to the new ones 2284 * with the addresses spelled out by resolve_ifa_name*/ 2285 current = region_alloc_init(region, ip_addr, 2286 sizeof(*ip_addr)); 2287 current->address = region_strdup(region, 2288 ip_addresses[i]); 2289 current->next = NULL; 2290 free(ip_addresses[i]); 2291 2292 if(first == NULL) { 2293 first = current; 2294 } else { 2295 last->next = current; 2296 } 2297 last = current; 2298 } 2299 free(ip_addresses); 2300 } 2301 *ip_addresses_ref = first; 2302 2303 } 2304 #endif /* HAVE_GETIFADDRS */ 2305 2306 void 2307 resolve_interface_names(struct nsd_options* options) 2308 { 2309 #ifdef HAVE_GETIFADDRS 2310 struct ifaddrs *addrs; 2311 2312 if(getifaddrs(&addrs) == -1) 2313 error("failed to list interfaces"); 2314 2315 resolve_interface_names_for_ref(&options->ip_addresses, 2316 addrs, options->region); 2317 resolve_interface_names_for_ref(&options->control_interface, 2318 addrs, options->region); 2319 2320 freeifaddrs(addrs); 2321 #else 2322 (void)options; 2323 #endif /* HAVE_GETIFADDRS */ 2324 } 2325