/*
* Create a specialised SSU table that points at an external DLZ database
*/
isc_result_t
dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
dns_dlzdb_t *dlzdatabase)
{
isc_result_t result;
dns_ssurule_t *rule;
dns_ssutable_t *table = NULL;
REQUIRE(tablep != NULL && *tablep == NULL);
result = dns_ssutable_create(mctx, &table);
if (result != ISC_R_SUCCESS)
return (result);
table->dlzdatabase = dlzdatabase;
rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
if (rule == NULL) {
dns_ssutable_detach(&table);
return (ISC_R_NOMEMORY);
}
rule->identity = NULL;
rule->name = NULL;
rule->types = NULL;
rule->grant = ISC_TRUE;
rule->matchtype = DNS_SSUMATCHTYPE_DLZ;
rule->ntypes = 0;
rule->types = NULL;
rule->magic = SSURULEMAGIC;
ISC_LIST_INITANDAPPEND(table->rules, rule, link);
*tablep = table;
return (ISC_R_SUCCESS);
}
/*%
* Parse the zone update-policy statement.
*/
static isc_result_t
configure_zone_ssutable(const cfg_obj_t *zconfig, dns_zone_t *zone,
const char *zname)
{
const cfg_obj_t *updatepolicy = NULL;
const cfg_listelt_t *element, *element2;
dns_ssutable_t *table = NULL;
isc_mem_t *mctx = dns_zone_getmctx(zone);
isc_boolean_t autoddns = ISC_FALSE;
isc_result_t result;
(void)cfg_map_get(zconfig, "update-policy", &updatepolicy);
if (updatepolicy == NULL) {
dns_zone_setssutable(zone, NULL);
return (ISC_R_SUCCESS);
}
if (cfg_obj_isstring(updatepolicy) &&
strcmp("local", cfg_obj_asstring(updatepolicy)) == 0) {
autoddns = ISC_TRUE;
updatepolicy = NULL;
}
result = dns_ssutable_create(mctx, &table);
if (result != ISC_R_SUCCESS)
return (result);
for (element = cfg_list_first(updatepolicy);
element != NULL;
element = cfg_list_next(element))
{
const cfg_obj_t *stmt = cfg_listelt_value(element);
const cfg_obj_t *mode = cfg_tuple_get(stmt, "mode");
const cfg_obj_t *identity = cfg_tuple_get(stmt, "identity");
const cfg_obj_t *matchtype = cfg_tuple_get(stmt, "matchtype");
const cfg_obj_t *dname = cfg_tuple_get(stmt, "name");
const cfg_obj_t *typelist = cfg_tuple_get(stmt, "types");
const char *str;
isc_boolean_t grant = ISC_FALSE;
isc_boolean_t usezone = ISC_FALSE;
unsigned int mtype = DNS_SSUMATCHTYPE_NAME;
dns_fixedname_t fname, fident;
isc_buffer_t b;
dns_rdatatype_t *types;
unsigned int i, n;
str = cfg_obj_asstring(mode);
if (strcasecmp(str, "grant") == 0)
grant = ISC_TRUE;
else if (strcasecmp(str, "deny") == 0)
grant = ISC_FALSE;
else
INSIST(0);
str = cfg_obj_asstring(matchtype);
if (strcasecmp(str, "name") == 0)
mtype = DNS_SSUMATCHTYPE_NAME;
else if (strcasecmp(str, "subdomain") == 0)
mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
else if (strcasecmp(str, "wildcard") == 0)
mtype = DNS_SSUMATCHTYPE_WILDCARD;
else if (strcasecmp(str, "self") == 0)
mtype = DNS_SSUMATCHTYPE_SELF;
else if (strcasecmp(str, "selfsub") == 0)
mtype = DNS_SSUMATCHTYPE_SELFSUB;
else if (strcasecmp(str, "selfwild") == 0)
mtype = DNS_SSUMATCHTYPE_SELFWILD;
else if (strcasecmp(str, "ms-self") == 0)
mtype = DNS_SSUMATCHTYPE_SELFMS;
else if (strcasecmp(str, "krb5-self") == 0)
mtype = DNS_SSUMATCHTYPE_SELFKRB5;
else if (strcasecmp(str, "ms-subdomain") == 0)
mtype = DNS_SSUMATCHTYPE_SUBDOMAINMS;
else if (strcasecmp(str, "krb5-subdomain") == 0)
mtype = DNS_SSUMATCHTYPE_SUBDOMAINKRB5;
else if (strcasecmp(str, "tcp-self") == 0)
mtype = DNS_SSUMATCHTYPE_TCPSELF;
else if (strcasecmp(str, "6to4-self") == 0)
mtype = DNS_SSUMATCHTYPE_6TO4SELF;
else if (strcasecmp(str, "zonesub") == 0) {
mtype = DNS_SSUMATCHTYPE_SUBDOMAIN;
usezone = ISC_TRUE;
} else if (strcasecmp(str, "external") == 0)
mtype = DNS_SSUMATCHTYPE_EXTERNAL;
else
INSIST(0);
dns_fixedname_init(&fident);
str = cfg_obj_asstring(identity);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fident), &b,
dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
goto cleanup;
}
dns_fixedname_init(&fname);
if (usezone) {
result = dns_name_copy(dns_zone_getorigin(zone),
dns_fixedname_name(&fname),
NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"error copying origin: %s",
isc_result_totext(result));
goto cleanup;
}
} else {
str = cfg_obj_asstring(dname);
isc_buffer_init(&b, str, strlen(str));
isc_buffer_add(&b, strlen(str));
result = dns_name_fromtext(dns_fixedname_name(&fname),
&b, dns_rootname, 0, NULL);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"'%s' is not a valid name", str);
goto cleanup;
}
}
n = ns_config_listcount(typelist);
if (n == 0)
types = NULL;
else {
types = isc_mem_get(mctx, n * sizeof(dns_rdatatype_t));
if (types == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup;
}
}
i = 0;
for (element2 = cfg_list_first(typelist);
element2 != NULL;
element2 = cfg_list_next(element2))
{
const cfg_obj_t *typeobj;
isc_textregion_t r;
INSIST(i < n);
typeobj = cfg_listelt_value(element2);
str = cfg_obj_asstring(typeobj);
DE_CONST(str, r.base);
r.length = strlen(str);
result = dns_rdatatype_fromtext(&types[i++], &r);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(identity, ns_g_lctx, ISC_LOG_ERROR,
"'%s' is not a valid type", str);
isc_mem_put(mctx, types,
n * sizeof(dns_rdatatype_t));
goto cleanup;
}
}
INSIST(i == n);
result = dns_ssutable_addrule(table, grant,
dns_fixedname_name(&fident),
mtype,
dns_fixedname_name(&fname),
n, types);
if (types != NULL)
isc_mem_put(mctx, types, n * sizeof(dns_rdatatype_t));
if (result != ISC_R_SUCCESS) {
goto cleanup;
}
}
/*
* If "update-policy local;" and a session key exists,
* then use the default policy, which is equivalent to:
* update-policy { grant <session-keyname> zonesub any; };
*/
if (autoddns) {
dns_rdatatype_t any = dns_rdatatype_any;
if (ns_g_server->session_keyname == NULL) {
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
NS_LOGMODULE_SERVER, ISC_LOG_ERROR,
"failed to enable auto DDNS policy "
"for zone %s: session key not found",
zname);
result = ISC_R_NOTFOUND;
goto cleanup;
}
result = dns_ssutable_addrule(table, ISC_TRUE,
ns_g_server->session_keyname,
DNS_SSUMATCHTYPE_SUBDOMAIN,
dns_zone_getorigin(zone),
1, &any);
if (result != ISC_R_SUCCESS)
goto cleanup;
}
result = ISC_R_SUCCESS;
dns_zone_setssutable(zone, table);
cleanup:
dns_ssutable_detach(&table);
return (result);
}
isc_result_t
acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone)
{
isc_result_t result = ISC_R_SUCCESS;
cfg_parser_t *parser = NULL;
const cfg_listelt_t *el;
cfg_obj_t *policy = NULL;
dns_ssutable_t *table = NULL;
ld_string_t *new_policy_str = NULL;
isc_mem_t *mctx;
REQUIRE(zone != NULL);
mctx = dns_zone_getmctx(zone);
if (policy_str == NULL)
goto cleanup;
CHECK(bracket_str(mctx, policy_str, &new_policy_str));
CHECK(cfg_parser_create(mctx, dns_lctx, &parser));
result = cfg_parse_strbuf(parser, str_buf(new_policy_str), &cfg_type_update_policy, &policy);
if (result != ISC_R_SUCCESS) {
dns_zone_log(zone, ISC_LOG_ERROR,
"failed to parse policy string");
goto cleanup;
}
CHECK(dns_ssutable_create(mctx, &table));
for (el = cfg_list_first(policy); el != NULL; el = cfg_list_next(el)) {
const cfg_obj_t *stmt;
isc_boolean_t grant;
unsigned int match_type;
dns_fixedname_t fname, fident;
dns_rdatatype_t *types;
unsigned int n;
types = NULL;
stmt = cfg_listelt_value(el);
CHECK(get_mode(stmt, &grant));
CHECK(get_match_type(stmt, &match_type));
CHECK(get_fixed_name(stmt, "identity", &fident));
/* Use zone name for 'zonesub' match type */
result = get_fixed_name(stmt, "name", &fname);
if (result == ISC_R_NOTFOUND &&
match_type == DNS_SSUMATCHTYPE_SUBDOMAIN) {
dns_fixedname_init(&fname);
CHECK(dns_name_copy(dns_zone_getorigin(zone),
dns_fixedname_name(&fname),
&fname.buffer));
}
else if (result != ISC_R_SUCCESS)
goto cleanup;
CHECK(get_types(mctx, stmt, &types, &n));
if (match_type == DNS_SSUMATCHTYPE_WILDCARD &&
!dns_name_iswildcard(dns_fixedname_name(&fname))) {
char name[DNS_NAME_FORMATSIZE];
dns_name_format(dns_fixedname_name(&fname), name,
DNS_NAME_FORMATSIZE);
dns_zone_log(zone, ISC_LOG_ERROR,
"invalid update policy: "
"name '%s' is expected to be a wildcard",
name);
CLEANUP_WITH(DNS_R_BADNAME);
}
result = dns_ssutable_addrule(table, grant,
dns_fixedname_name(&fident),
match_type,
dns_fixedname_name(&fname),
n, types);
SAFE_MEM_PUT(mctx, types, n * sizeof(dns_rdatatype_t));
if (result != ISC_R_SUCCESS)
goto cleanup;
}
cleanup:
if (result == ISC_R_SUCCESS)
dns_zone_setssutable(zone, table);
str_destroy(&new_policy_str);
if (policy != NULL)
cfg_obj_destroy(parser, &policy);
if (parser != NULL)
cfg_parser_destroy(&parser);
if (table != NULL)
dns_ssutable_detach(&table);
return result;
}
