

1 /*	$NetBSD: acl.c,v 1.11 2026/01/29 18:37:48 christos Exp $	*/
27 #include <dns/acl.h>
34 * Create a new ACL, including an IP table and an array with room
35 * for 'n' ACL elements. The elements are uninitialized and the
42 dns_acl_t *acl = isc_mem_get(mctx, sizeof(*acl));
43 *acl = (dns_acl_t){
46 .elements = isc_mem_cget(mctx, n, sizeof(acl->elements[0])),
52 isc_mem_attach(mctx, &acl->mctx);
53 dns_iptable_create(acl->mctx, &acl->iptable);
55 *target = acl;
59 * Create a new ACL and initialize it with the value "any" or "none",
67 dns_acl_t *acl = NULL;
69 dns_acl_create(mctx, 0, &acl);
71 result = dns_iptable_addprefix(acl->iptable, NULL, 0, !neg);
73 dns_acl_detach(&acl);
77 *target = acl;
82 * Create a new ACL that matches everything.
90 * Create a new ACL that matches nothing.
98 * If pos is true, test whether acl is set to "{ any; }"
99 * If pos is false, test whether acl is set to "{ none; }"
102 dns_acl_isanyornone(dns_acl_t *acl, bool pos) {
104 if (acl == NULL || acl->iptable == NULL ||
105 acl->iptable->radix == NULL || acl->iptable->radix->head == NULL ||
106 acl->iptable->radix->head->prefix == NULL)
111 if (acl->length != 0 || dns_acl_node_count(acl) != 1) {
115 if (acl->iptable->radix->head->prefix->bitlen == 0 &&
116 acl->iptable->radix->head->data[0] != NULL &&
117 acl->iptable->radix->head->data[0] ==
118 acl->iptable->radix->head->data[1] &&
119 *(bool *)(acl->iptable->radix->head->data[0]) == pos)
128 * Test whether acl is set to "{ any; }"
131 dns_acl_isany(dns_acl_t *acl) {
132 return dns_acl_isanyornone(acl, true);
136 * Test whether acl is set to "{ none; }"
139 dns_acl_isnone(dns_acl_t *acl) {
140 return dns_acl_isanyornone(acl, false);
144 * Determine whether a given address or signer matches a given ACL.
145 * For a match with a positive ACL element or iptable radix entry,
146 * return with a positive value in match; for a match with a negated ACL
152 const dns_acl_t *acl, dns_aclenv_t *env, int *match,
181 result = isc_radix_search(acl->iptable->radix, &node, &pfx);
197 for (i = 0; i < acl->length; i++) {
198 dns_aclelement_t *e = &acl->elements[i];
226 const dns_acl_t *acl, dns_aclenv_t *env,
232 REQUIRE(DNS_ACL_VALID(acl));
234 if (!ISC_LIST_EMPTY(acl->ports_and_transports)) {
236 for (next = ISC_LIST_HEAD(acl->ports_and_transports);
266 return dns_acl_match(reqaddr, reqsigner, acl, env, match, matchelt);
270 * Merge the contents of one ACL into another. Call dns_iptable_merge()
273 * If pos is set to false, then the nested ACL is to be negated. This
276 * an unexpected positive match in the parent ACL.
299 * values so as to keep the new ACL consistent. If we're
317 /* Duplicate nested acl. */
340 /* reverse sense of positives if this is a negative acl */
350 * Merge the iptables. Make sure the destination ACL's
371 * Like dns_acl_match, but matches against the single ACL element 'e'
372 * rather than a complete ACL, and returns true iff it matched.
376 * a reference to a named ACL or a nested ACL, a matching element
441 * That way, a negated indirect ACL will never become a
464 dns__acl_destroy_port_transports(dns_acl_t *acl) {
467 ISC_LIST_FOREACH_SAFE(acl->ports_and_transports, port_proto, link, next)
469 ISC_LIST_DEQUEUE(acl->ports_and_transports, port_proto, link);
470 isc_mem_put(acl->mctx, port_proto, sizeof(*port_proto));
558 * Return true iff the acl 'a' is considered insecure, that is,
562 * control decisions. We make no guarantee that an ACL for which
621 * Check whether an address/signer is allowed by a given acl/aclenv.
624 dns_acl_allowed(isc_netaddr_t *addr, const dns_name_t *signer, dns_acl_t *acl,
629 if (acl == NULL) {
632 result = dns_acl_match(addr, signer, acl, aclenv, &match, NULL);
640 * Initialize ACL environment, setting up localhost and localnets ACLs
677 * possibly destroy the acl objects.
749 dns_acl_add_port_transports(dns_acl_t *acl, const in_port_t port,
753 REQUIRE(DNS_ACL_VALID(acl));
756 port_proto = isc_mem_get(acl->mctx, sizeof(*port_proto));
764 ISC_LIST_APPEND(acl->ports_and_transports, port_proto, link);
765 acl->port_proto_entries++;
787 * Reverse sense of positives if this is a negative acl. The