/*
 * options.h -- nsd.conf options definitions and prototypes
 *
 * Copyright (c) 2001-2006, NLnet Labs. All rights reserved.
 *
 * See LICENSE for the license.
 *
 */

#ifndef OPTIONS_H
#define OPTIONS_H

#include <stdarg.h>
#include "region-allocator.h"
#include "rbtree.h"
/* NOTE(review): FILE, off_t, time_t, size_t, the <stdint.h> fixed-width
 * types and struct in_addr/in6_addr are used below but not included here;
 * this header presumably relies on config.h and the system headers being
 * included before it -- confirm before including it stand-alone. */
struct query;
struct dname;
struct tsig_key;
struct buffer;
struct nsd;

typedef struct nsd_options nsd_options_type;
typedef struct pattern_options pattern_options_type;
typedef struct zone_options zone_options_type;
typedef struct range_option range_option_type;
typedef struct ip_address_option ip_address_option_type;
typedef struct cpu_option cpu_option_type;
typedef struct cpu_map_option cpu_map_option_type;
typedef struct acl_options acl_options_type;
typedef struct key_options key_options_type;
typedef struct tls_auth_options tls_auth_options_type;
typedef struct config_parser_state config_parser_state_type;

/* Sentinels stored in the per-pattern verify_zone / verifier_feed_zone
 * (uint8_t) and verifier_timeout (int32_t) fields meaning "not set on this
 * pattern, inherit the global value". The timeout sentinel is negative,
 * which is why the pattern-level verifier_timeout is signed while the
 * global one in struct nsd_options is uint32_t. */
#define VERIFY_ZONE_INHERIT (2)
#define VERIFIER_FEED_ZONE_INHERIT (2)
#define VERIFIER_TIMEOUT_INHERIT (-1)

/*
 * Options global for nsd.
 */
struct nsd_options {
	/* config file name */
	char* configfile;
	/* options for zones, by apex, contains zone_options */
	rbtree_type* zone_options;
	/* patterns, by name, contains pattern_options */
	rbtree_type* patterns;

	/* free space in zonelist file, contains zonelist_bucket */
	rbtree_type* zonefree;
	/* number of free space lines in zonelist file */
	size_t zonefree_number;
	/* zonelist file if open */
	FILE* zonelist;
	/* last offset in file (or 0 if none) */
	off_t zonelist_off;

	/* tree of zonestat names and their id values, entries are struct
	 * zonestatname with malloced key=stringname. The number of items
	 * is the max statnameid, no items are freed from this.
	 * kept correct in the xfrd process, and on startup. */
	rbtree_type* zonestatnames;

	/* rbtree of keys defined, by name */
	rbtree_type* keys;

	/* rbtree of tls_auth defined, by name */
	rbtree_type* tls_auths;

	/* list of ip addresses to bind to (or NULL for all) */
	struct ip_address_option* ip_addresses;

	/* listener, logging and service tuning; one field per nsd.conf
	 * option of the same name (see nsd.conf(5) for each one's meaning) */
	int ip_transparent;
	int ip_freebind;
	int send_buffer_size;
	int receive_buffer_size;
	int debug_mode;
	int verbosity;
	int hide_version;
	int hide_identity;
	int drop_updates;
	int do_ip4;
	int do_ip6;
	const char* database;
	const char* identity;
	const char* version;
	const char* logfile;
	int log_only_syslog;
	int server_count;
	struct cpu_option* cpu_affinity;
	struct cpu_map_option* service_cpu_affinity;
	int tcp_count;
	int tcp_reject_overflow;
	int confine_to_zone;
	int tcp_query_count;
	int tcp_timeout;
	int tcp_mss;
	int outgoing_tcp_mss;
	size_t ipv4_edns_size;
	size_t ipv6_edns_size;
	const char* pidfile;
	const char* port;
	int statistics;
	const char* chroot;
	const char* username;
	const char* zonesdir;
	const char* xfrdfile;
	const char* xfrdir;
	const char* zonelistfile;
	const char* nsid;
	int xfrd_reload_timeout;
	int zonefiles_check;
	int zonefiles_write;
	int log_time_ascii;
	int round_robin;
	int minimal_responses;
	int refuse_any;
	int reuseport;
	/* max number of xfrd tcp sockets */
	int xfrd_tcp_max;
	/* max number of simultaneous requests on xfrd tcp socket */
	int xfrd_tcp_pipeline;

	/* private key file for TLS */
	char* tls_service_key;
	/* ocsp stapling file for TLS */
	char* tls_service_ocsp;
	/* certificate file for TLS */
	char* tls_service_pem;
	/* TLS dedicated port */
	const char* tls_port;
	/* TLS certificate bundle */
	const char* tls_cert_bundle;

	/** remote control section. enable toggle. */
	int control_enable;
	/** the interfaces the remote control should listen on */
	struct ip_address_option* control_interface;
	/** port number for the control port */
	int control_port;
	/** private key file for server */
	char* server_key_file;
	/** certificate file for server */
	char* server_cert_file;
	/** private key file for nsd-control */
	char* control_key_file;
	/** certificate file for nsd-control */
	char* control_cert_file;

#ifdef RATELIMIT
	/** number of buckets in rrl hashtable */
	size_t rrl_size;
	/** max qps for queries, 0 is nolimit */
	size_t rrl_ratelimit;
	/** ratio of slipped responses, 0 is noslip */
	size_t rrl_slip;
	/** ip prefix length */
	size_t rrl_ipv4_prefix_length;
	size_t rrl_ipv6_prefix_length;
	/** max qps for whitelisted queries, 0 is nolimit */
	size_t rrl_whitelist_ratelimit;
#endif
	/** if dnstap is enabled */
	int dnstap_enable;
	/** dnstap socket path */
	char* dnstap_socket_path;
	/** true to send "identity" via dnstap */
	int dnstap_send_identity;
	/** true to send "version" via dnstap */
	int dnstap_send_version;
	/** dnstap "identity", hostname is used if "". */
	char* dnstap_identity;
	/** dnstap "version", package version is used if "". */
	char* dnstap_version;
	/** true to log dnstap AUTH_QUERY message events */
	int dnstap_log_auth_query_messages;
	/** true to log dnstap AUTH_RESPONSE message events */
	int dnstap_log_auth_response_messages;

	/** do answer with server cookie when request contained cookie option */
	int answer_cookie;
	/** cookie secret. Secret material: NOTE(review) confirm that
	 * nsd_options_destroy wipes it rather than just releasing it. */
	char *cookie_secret;
	/** path to cookie secret store */
	char const* cookie_secret_file;
	/** enable verify */
	int verify_enable;
	/** list of ip addresses used to serve zones for verification */
	struct ip_address_option* verify_ip_addresses;
	/** default port 5347 */
	char *verify_port;
	/** verify zones by default */
	int verify_zones;
	/** default command to verify zones with */
	char **verifier;
	/** maximum number of verifiers that may run simultaneously */
	int verifier_count;
	/** whether or not to feed the zone to the verifier over stdin */
	uint8_t verifier_feed_zone;
	/** maximum number of seconds that a verifier may take
	 * (unsigned here; the pattern-level field is int32_t so it can hold
	 * VERIFIER_TIMEOUT_INHERIT) */
	uint32_t verifier_timeout;

	/* region all option memory is allocated from */
	region_type* region;
};

/* inclusive server-number range, singly linked */
struct range_option {
	struct range_option* next;
	int first;
	int last;
};

/* one ip-address: entry, singly linked */
struct ip_address_option {
	struct ip_address_option* next;
	char* address;
	/* servers this address is bound by (NULL presumably means all) */
	struct range_option* servers;
	int dev;
	int fib;
};

/* one cpu number in a cpu-affinity: list */
struct cpu_option {
	struct cpu_option* next;
	int cpu;
};

/* service (server number) to cpu mapping */
struct cpu_map_option {
	struct cpu_map_option* next;
	int service;
	int cpu;
};

/*
 * Defines for min_expire_time_expr value
 */
#define EXPIRE_TIME_HAS_VALUE 0
#define EXPIRE_TIME_IS_DEFAULT 1
#define REFRESHPLUSRETRYPLUS1 2
#define REFRESHPLUSRETRYPLUS1_STR "refresh+retry+1"
/* true unless x is one of the two explicit settings above */
#define expire_time_is_default(x) (!( (x) == REFRESHPLUSRETRYPLUS1 \
	|| (x) == EXPIRE_TIME_HAS_VALUE ))


/*
 * Pattern of zone options, used to contain options for zone(s).
 * The *_is_default flags record whether the matching value was set
 * explicitly or is still the default, so that a later pattern can
 * override it (see config_apply_pattern).
 */
struct pattern_options {
	rbnode_type node;
	const char* pname; /* name of the pattern, key of rbtree */
	const char* zonefile;
	struct acl_options* allow_notify;
	struct acl_options* request_xfr;
	struct acl_options* notify;
	struct acl_options* provide_xfr;
	struct acl_options* allow_query;
	struct acl_options* outgoing_interface;
	const char* zonestats;
#ifdef RATELIMIT
	uint16_t rrl_whitelist; /* bitmap with rrl types */
#endif
	uint8_t allow_axfr_fallback;
	uint8_t allow_axfr_fallback_is_default;
	uint8_t notify_retry;
	uint8_t notify_retry_is_default;
	uint8_t implicit; /* pattern is implicit, part_of_config zone used */
	uint8_t xfrd_flags;
	uint32_t max_refresh_time;
	uint8_t max_refresh_time_is_default;
	uint32_t min_refresh_time;
	uint8_t min_refresh_time_is_default;
	uint32_t max_retry_time;
	uint8_t max_retry_time_is_default;
	uint32_t min_retry_time;
	uint8_t min_retry_time_is_default;
	uint32_t min_expire_time;
	/* min_expire_time_expr is either a known value (REFRESHPLUSRETRYPLUS1
	 * or EXPIRE_TIME_HAS_VALUE) or else min_expire_time is the default.
	 * This can be tested with the expire_time_is_default(x) define. */
	uint8_t min_expire_time_expr;
	uint64_t size_limit_xfr;
	uint8_t multi_master_check;
	uint8_t store_ixfr;
	uint8_t store_ixfr_is_default;
	uint64_t ixfr_size;
	uint8_t ixfr_size_is_default;
	uint32_t ixfr_number;
	uint8_t ixfr_number_is_default;
	uint8_t create_ixfr;
	uint8_t create_ixfr_is_default;
	uint8_t verify_zone;
	uint8_t verify_zone_is_default;
	char **verifier;
	uint8_t verifier_feed_zone;
	uint8_t verifier_feed_zone_is_default;
	/* signed so that VERIFIER_TIMEOUT_INHERIT (-1) can be stored */
	int32_t verifier_timeout;
	uint8_t verifier_timeout_is_default;
} ATTR_PACKED;

#define PATTERN_IMPLICIT_MARKER "_implicit_"

/*
 * Options for a zone
 */
struct zone_options {
	/* key is dname of apex */
	rbnode_type node;

	/* is apex of the zone */
	const char* name;
	/* if not part of config, the offset and linesize of zonelist entry */
	off_t off;
	int linesize;
	/* pattern for the zone options, if zone is part_of_config, this is
	 * an anonymous pattern created in-place */
	struct pattern_options* pattern;
	/* zone is fixed into the main config, not in zonelist, cannot delete */
	uint8_t part_of_config;
} ATTR_PACKED;

/* storage large enough for either address family; which member is
 * valid is decided by acl_options.is_ipv6 */
union acl_addr_storage {
#ifdef INET6
	struct in_addr addr;
	struct in6_addr addr6;
#else
	struct in_addr addr;
#endif
};

/*
 * Access control list element
 */
struct acl_options {
	struct acl_options* next;

	/* options */
	time_t ixfr_disabled;
	int bad_xfr_count;
	uint8_t use_axfr_only;
	uint8_t allow_udp;

	/* ip address range */
	const char* ip_address_spec;
	uint8_t is_ipv6;
	unsigned int port; /* is 0(no port) or suffix @port value */
	union acl_addr_storage addr;
	/* meaning depends on rangetype: mask for acl_range_mask and
	 * acl_range_subnet, upper bound for acl_range_minmax */
	union acl_addr_storage range_mask;
	enum {
		acl_range_single = 0, /* single address */
		acl_range_mask = 1, /* 10.20.30.40&255.255.255.0 */
		acl_range_subnet = 2, /* 10.20.30.40/28 */
		acl_range_minmax = 3 /* 10.20.30.40-10.20.30.60 (mask=max) */
	} rangetype;

	/* key */
	uint8_t nokey;
	uint8_t blocked;
	const char* key_name;
	struct key_options* key_options;

	/* tls_auth for XoT */
	const char* tls_auth_name;
	struct tls_auth_options* tls_auth_options;
} ATTR_PACKED;

/*
 * Key definition
 */
struct key_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* algorithm;
	/* shared secret as configured; secret material, see key_options_desetup */
	char* secret;
	/* runtime key built from the fields above, see key_options_setup */
	struct tsig_key* tsig_key;
} ATTR_PACKED;

/*
 * TLS Auth definition for XoT
 */
struct tls_auth_options {
	rbnode_type node; /* key of tree is name */
	char* name;
	char* auth_domain_name;
	char* client_cert;
	char* client_key;
	/* presumably the passphrase for client_key; secret material */
	char* client_key_pw;
};

/** zone list free space */
struct zonelist_free {
	struct zonelist_free* next;
	off_t off;
};
/** zonelist free bucket for a particular line length */
struct zonelist_bucket {
	rbnode_type node; /* key is ptr to linesize */
	int linesize;
	struct zonelist_free* list;
};

/* default zonefile write interval if database is "", in seconds */
#define ZONEFILES_WRITE_INTERVAL 3600

struct zonestatname {
	rbnode_type node; /* key is malloced string with cooked zonestat name */
	unsigned id; /* index in nsd.zonestat array */
};

/*
 * Used during options parsing
 */
struct config_parser_state {
	char* filename;
	const char* chroot;
	int line;
	int errors;
	struct nsd_options* opt;
	/* the pattern / zone / key / tls_auth / ip currently being filled */
	struct pattern_options *pattern;
	struct zone_options *zone;
	struct key_options *key;
	struct tls_auth_options *tls_auth;
	struct ip_address_option *ip;
	/* error callback and its opaque argument, see parse_options_file */
	void (*err)(void*,const char*);
	void* err_arg;
};

extern config_parser_state_type* cfg_parser;

/* region will be put in nsd_options struct. Returns empty options struct. */
struct nsd_options* nsd_options_create(region_type* region);
/* the number of zones that are configured.
 * opt and opt->zone_options are dereferenced unchecked, so both must be
 * non-NULL (nsd_options_create is expected to have set up the tree). */
static inline size_t nsd_options_num_zones(struct nsd_options* opt)
{ return opt->zone_options->count; }
/* insert a zone into the main options tree, returns 0 on error */
int nsd_options_insert_zone(struct nsd_options* opt, struct zone_options* zone);
/* insert a pattern into the main options tree, returns 0 on error */
int nsd_options_insert_pattern(struct nsd_options* opt,
	struct pattern_options* pat);

/* parses options file. Returns false on failure. callback, if nonNULL,
 * gets called with error strings, default prints. */
int parse_options_file(struct nsd_options* opt, const char* file,
	void (*err)(void*,const char*), void* err_arg);
struct zone_options* zone_options_create(region_type* region);
void zone_options_delete(struct nsd_options* opt, struct zone_options* zone);
/* find a zone by apex domain name, or NULL if not found. */
struct zone_options* zone_options_find(struct nsd_options* opt,
	const struct dname* apex);
struct pattern_options* pattern_options_create(region_type* region);
struct pattern_options* pattern_options_find(struct nsd_options* opt, const char* name);
int pattern_options_equal(struct pattern_options* p, struct pattern_options* q);
void pattern_options_remove(struct nsd_options* opt, const char* name);
void pattern_options_add_modify(struct nsd_options* opt,
	struct pattern_options* p);
/* serialize / deserialize a pattern (used to pass patterns between
 * processes); the two must agree on the field order of struct
 * pattern_options, so keep them in sync when adding fields */
void pattern_options_marshal(struct buffer* buffer, struct pattern_options* p);
struct pattern_options* pattern_options_unmarshal(region_type* r,
	struct buffer* b);
struct key_options* key_options_create(region_type* region);
void key_options_insert(struct nsd_options* opt, struct key_options* key);
struct key_options* key_options_find(struct nsd_options* opt, const char* name);
void key_options_remove(struct nsd_options* opt, const char* name);
int key_options_equal(struct key_options* p, struct key_options* q);
void key_options_add_modify(struct nsd_options* opt, struct key_options* key);
/* build / tear down key->tsig_key from the configured fields */
void key_options_setup(region_type* region, struct key_options* key);
void key_options_desetup(region_type* region, struct key_options* key);
/* TLS auth */
struct tls_auth_options* tls_auth_options_create(region_type* region);
void tls_auth_options_insert(struct nsd_options* opt, struct tls_auth_options* auth);
struct tls_auth_options* tls_auth_options_find(struct nsd_options* opt, const char* name);
/* read in zone list file. Returns false on failure */
int parse_zone_list_file(struct nsd_options* opt);
/* create zone entry and add to the zonelist file */
struct zone_options* zone_list_add(struct nsd_options* opt, const char* zname,
	const char* pname);
/* create zonelist entry, do not insert in file (called by _add) */
struct zone_options* zone_list_zone_insert(struct nsd_options* opt,
	const char* nm, const char* patnm, int linesize, off_t off);
void zone_list_del(struct nsd_options* opt, struct zone_options* zone);
void zone_list_compact(struct nsd_options* opt);
void zone_list_close(struct nsd_options* opt);

/* create zonestat name tree, for initially created zones */
void options_zonestatnames_create(struct nsd_options* opt);
/* Get zonestat id for zone options, add new entry if necessary.
 * instantiates the pattern's zonestat string */
unsigned getzonestatid(struct nsd_options* opt, struct zone_options* zopt);
/* create string, same options as zonefile but no chroot changes */
const char* config_cook_string(struct zone_options* zone, const char* input);

/** check if config for remote control turns on IP-address interface
 * with certificates or a named pipe without certificates. */
int options_remote_is_address(struct nsd_options* cfg);

#if defined(HAVE_SSL)
/* tsig must be inited, adds all keys in options to tsig. */
void key_options_tsig_add(struct nsd_options* opt);
#endif

/* check acl list, acl number that matches if passed(0..),
 * or failure (-1) if dropped */
/* the reason why (the acl) is returned too (or NULL) */
int acl_check_incoming(struct acl_options* acl, struct query* q,
	struct acl_options** reason);
int acl_addr_matches_host(struct acl_options* acl, struct acl_options* host);
int acl_addr_matches(struct acl_options* acl, struct query* q);
int acl_key_matches(struct acl_options* acl, struct query* q);
/* word-wise address comparisons; sz is the number of uint32_t words
 * in each array, and all arrays must be at least that long */
int acl_addr_match_mask(uint32_t* a, uint32_t* b, uint32_t* mask, size_t sz);
int acl_addr_match_range_v6(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);
int acl_addr_match_range_v4(uint32_t* minval, uint32_t* x, uint32_t* maxval, size_t sz);

/* returns true if acls are both from the same host */
int acl_same_host(struct acl_options* a, struct acl_options* b);
/* find acl by number in the list */
struct acl_options* acl_find_num(struct acl_options* acl, int num);

/* see if two acl lists are the same (same elements in same order, or empty) */
int acl_list_equal(struct acl_options* p, struct acl_options* q);
/* see if two acl are the same */
int acl_equal(struct acl_options* p, struct acl_options* q);

/* see if a zone is a slave or a master zone */
int zone_is_slave(struct zone_options* opt);
/* create zonefile name, returns static pointer (perhaps to options data).
 * Presumably overwritten by the next call; copy it if it must outlive that. */
const char* config_make_zonefile(struct zone_options* zone, struct nsd* nsd);

#define ZONEC_PCT_TIME 5 /* seconds, then it starts to print pcts */
#define ZONEC_PCT_COUNT 100000 /* elements before pct check is done */

/* parsing helpers */
/* printf-style; the format attribute lets the compiler check the
 * arguments, so msg must be a literal format string, never the text
 * being reported (pass that as a "%s" argument instead) */
void c_error(const char* msg, ...) ATTR_FORMAT(printf, 1,2);
int c_wrap(void);
/* ip is not const and parse_acl_range_type below splits on it, so it
 * looks like it is modified in place -- confirm before passing a string
 * the caller still needs */
struct acl_options* parse_acl_info(region_type* region, char* ip,
	const char* key);
/* true if ipv6 address, false if ipv4 */
int parse_acl_is_ipv6(const char* p);
/* returns range type. mask is the 2nd part of the range */
int parse_acl_range_type(char* ip, char** mask);
/* parses subnet mask, fills 0 mask as well.
 * maxbits bounds the prefix length; addr must have room for maxbits bits */
void parse_acl_range_subnet(char* p, void* addr, int maxbits);
/* clean up options */
void nsd_options_destroy(struct nsd_options* opt);
/* replace occurrences of one with two in buf, pass length of buffer
 * (len is the capacity of buf and bounds the in-place edit) */
void replace_str(char* buf, size_t len, const char* one, const char* two);
/* apply pattern to the existing pattern in the parser */
void config_apply_pattern(struct pattern_options *dest, const char* name);
/* if the file is a directory, print a warning, because flex just exit()s
 * when a fileread fails because it is a directory, helps the user figure
 * out what just happened */
void warn_if_directory(const char* filetype, FILE* f, const char* fname);
/* resolve interface names in the options "ip-address:" (or "interface:")
 * and "control-interface:" into the ip-addresses associated with those
 * names. */
void resolve_interface_names(struct nsd_options* options);

#endif /* OPTIONS_H */