summaryrefslogtreecommitdiffstats
path: root/lib/dns/ssu.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 15:59:48 +0000
commit3b9b6d0b8e7f798023c9d109c490449d528fde80 (patch)
tree2e1c188dd7b8d7475cd163de9ae02c428343669b /lib/dns/ssu.c
parentInitial commit. (diff)
downloadbind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.tar.xz
bind9-3b9b6d0b8e7f798023c9d109c490449d528fde80.zip
Adding upstream version 1:9.18.19.upstream/1%9.18.19upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'lib/dns/ssu.c')
-rw-r--r--lib/dns/ssu.c715
1 files changed, 715 insertions, 0 deletions
diff --git a/lib/dns/ssu.c b/lib/dns/ssu.c
new file mode 100644
index 0000000..581cdcd
--- /dev/null
+++ b/lib/dns/ssu.c
@@ -0,0 +1,715 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*! \file */
+
+#include <stdbool.h>
+
+#include <isc/magic.h>
+#include <isc/mem.h>
+#include <isc/netaddr.h>
+#include <isc/print.h>
+#include <isc/refcount.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/dlz.h>
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/ssu.h>
+
+#include <dst/dst.h>
+#include <dst/gssapi.h>
+
+#define SSUTABLEMAGIC ISC_MAGIC('S', 'S', 'U', 'T')
+#define VALID_SSUTABLE(table) ISC_MAGIC_VALID(table, SSUTABLEMAGIC)
+
+#define SSURULEMAGIC ISC_MAGIC('S', 'S', 'U', 'R')
+#define VALID_SSURULE(table) ISC_MAGIC_VALID(table, SSURULEMAGIC)
+
+struct dns_ssurule {
+ unsigned int magic;
+ bool grant; /*%< is this a grant or a deny? */
+ dns_ssumatchtype_t matchtype; /*%< which type of pattern match? */
+ dns_name_t *identity; /*%< the identity to match */
+ dns_name_t *name; /*%< the name being updated */
+ unsigned int ntypes; /*%< number of data types covered */
+ dns_ssuruletype_t *types; /*%< the data types. Can include */
+ /* ANY. if NULL, defaults to all */
+ /* types except SIG, SOA, and NS */
+ ISC_LINK(dns_ssurule_t) link;
+};
+
+struct dns_ssutable {
+ unsigned int magic;
+ isc_mem_t *mctx;
+ isc_refcount_t references;
+ dns_dlzdb_t *dlzdatabase;
+ ISC_LIST(dns_ssurule_t) rules;
+};
+
+void
+dns_ssutable_create(isc_mem_t *mctx, dns_ssutable_t **tablep) {
+ dns_ssutable_t *table;
+
+ REQUIRE(tablep != NULL && *tablep == NULL);
+ REQUIRE(mctx != NULL);
+
+ table = isc_mem_get(mctx, sizeof(dns_ssutable_t));
+ isc_refcount_init(&table->references, 1);
+ table->mctx = NULL;
+ isc_mem_attach(mctx, &table->mctx);
+ ISC_LIST_INIT(table->rules);
+ table->magic = SSUTABLEMAGIC;
+ *tablep = table;
+}
+
+static void
+destroy(dns_ssutable_t *table) {
+ isc_mem_t *mctx;
+
+ REQUIRE(VALID_SSUTABLE(table));
+
+ mctx = table->mctx;
+ while (!ISC_LIST_EMPTY(table->rules)) {
+ dns_ssurule_t *rule = ISC_LIST_HEAD(table->rules);
+ if (rule->identity != NULL) {
+ dns_name_free(rule->identity, mctx);
+ isc_mem_put(mctx, rule->identity,
+ sizeof(*rule->identity));
+ }
+ if (rule->name != NULL) {
+ dns_name_free(rule->name, mctx);
+ isc_mem_put(mctx, rule->name, sizeof(*rule->name));
+ }
+ if (rule->types != NULL) {
+ isc_mem_put(mctx, rule->types,
+ rule->ntypes * sizeof(*rule->types));
+ }
+ ISC_LIST_UNLINK(table->rules, rule, link);
+ rule->magic = 0;
+ isc_mem_put(mctx, rule, sizeof(dns_ssurule_t));
+ }
+ isc_refcount_destroy(&table->references);
+ table->magic = 0;
+ isc_mem_putanddetach(&table->mctx, table, sizeof(dns_ssutable_t));
+}
+
+void
+dns_ssutable_attach(dns_ssutable_t *source, dns_ssutable_t **targetp) {
+ REQUIRE(VALID_SSUTABLE(source));
+ REQUIRE(targetp != NULL && *targetp == NULL);
+
+ isc_refcount_increment(&source->references);
+
+ *targetp = source;
+}
+
+void
+dns_ssutable_detach(dns_ssutable_t **tablep) {
+ dns_ssutable_t *table;
+
+ REQUIRE(tablep != NULL);
+ table = *tablep;
+ *tablep = NULL;
+ REQUIRE(VALID_SSUTABLE(table));
+
+ if (isc_refcount_decrement(&table->references) == 1) {
+ destroy(table);
+ }
+}
+
+void
+dns_ssutable_addrule(dns_ssutable_t *table, bool grant,
+ const dns_name_t *identity, dns_ssumatchtype_t matchtype,
+ const dns_name_t *name, unsigned int ntypes,
+ dns_ssuruletype_t *types) {
+ dns_ssurule_t *rule;
+ isc_mem_t *mctx;
+
+ REQUIRE(VALID_SSUTABLE(table));
+ REQUIRE(dns_name_isabsolute(identity));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(matchtype <= dns_ssumatchtype_max);
+ if (matchtype == dns_ssumatchtype_wildcard) {
+ REQUIRE(dns_name_iswildcard(name));
+ }
+ if (ntypes > 0) {
+ REQUIRE(types != NULL);
+ }
+
+ mctx = table->mctx;
+ rule = isc_mem_get(mctx, sizeof(*rule));
+
+ rule->identity = NULL;
+ rule->name = NULL;
+ rule->types = NULL;
+
+ rule->grant = grant;
+
+ rule->identity = isc_mem_get(mctx, sizeof(*rule->identity));
+ dns_name_init(rule->identity, NULL);
+ dns_name_dup(identity, mctx, rule->identity);
+
+ rule->name = isc_mem_get(mctx, sizeof(*rule->name));
+ dns_name_init(rule->name, NULL);
+ dns_name_dup(name, mctx, rule->name);
+
+ rule->matchtype = matchtype;
+
+ rule->ntypes = ntypes;
+ if (ntypes > 0) {
+ rule->types = isc_mem_get(mctx, ntypes * sizeof(*rule->types));
+ memmove(rule->types, types, ntypes * sizeof(*rule->types));
+ } else {
+ rule->types = NULL;
+ }
+
+ rule->magic = SSURULEMAGIC;
+ ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+}
+
+static bool
+isusertype(dns_rdatatype_t type) {
+ return (type != dns_rdatatype_ns && type != dns_rdatatype_soa &&
+ type != dns_rdatatype_rrsig);
+}
+
+static void
+reverse_from_address(dns_name_t *tcpself, const isc_netaddr_t *tcpaddr) {
+ char buf[16 * 4 + sizeof("IP6.ARPA.")];
+ isc_result_t result;
+ const unsigned char *ap;
+ isc_buffer_t b;
+ unsigned long l;
+
+ switch (tcpaddr->family) {
+ case AF_INET:
+ l = ntohl(tcpaddr->type.in.s_addr);
+ result = snprintf(buf, sizeof(buf),
+ "%lu.%lu.%lu.%lu.IN-ADDR.ARPA.",
+ (l >> 0) & 0xff, (l >> 8) & 0xff,
+ (l >> 16) & 0xff, (l >> 24) & 0xff);
+ RUNTIME_CHECK(result < sizeof(buf));
+ break;
+ case AF_INET6:
+ ap = tcpaddr->type.in6.s6_addr;
+ result = snprintf(
+ buf, sizeof(buf),
+ "%x.%x.%x.%x.%x.%x.%x.%x."
+ "%x.%x.%x.%x.%x.%x.%x.%x."
+ "%x.%x.%x.%x.%x.%x.%x.%x."
+ "%x.%x.%x.%x.%x.%x.%x.%x."
+ "IP6.ARPA.",
+ ap[15] & 0x0f, (ap[15] >> 4) & 0x0f, ap[14] & 0x0f,
+ (ap[14] >> 4) & 0x0f, ap[13] & 0x0f,
+ (ap[13] >> 4) & 0x0f, ap[12] & 0x0f,
+ (ap[12] >> 4) & 0x0f, ap[11] & 0x0f,
+ (ap[11] >> 4) & 0x0f, ap[10] & 0x0f,
+ (ap[10] >> 4) & 0x0f, ap[9] & 0x0f, (ap[9] >> 4) & 0x0f,
+ ap[8] & 0x0f, (ap[8] >> 4) & 0x0f, ap[7] & 0x0f,
+ (ap[7] >> 4) & 0x0f, ap[6] & 0x0f, (ap[6] >> 4) & 0x0f,
+ ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, ap[4] & 0x0f,
+ (ap[4] >> 4) & 0x0f, ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+ ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, ap[1] & 0x0f,
+ (ap[1] >> 4) & 0x0f, ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+ RUNTIME_CHECK(result < sizeof(buf));
+ break;
+ default:
+ UNREACHABLE();
+ }
+ isc_buffer_init(&b, buf, strlen(buf));
+ isc_buffer_add(&b, strlen(buf));
+ result = dns_name_fromtext(tcpself, &b, dns_rootname, 0, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+static void
+stf_from_address(dns_name_t *stfself, const isc_netaddr_t *tcpaddr) {
+ char buf[sizeof("X.X.X.X.Y.Y.Y.Y.2.0.0.2.IP6.ARPA.")];
+ isc_result_t result;
+ const unsigned char *ap;
+ isc_buffer_t b;
+ unsigned long l;
+
+ switch (tcpaddr->family) {
+ case AF_INET:
+ l = ntohl(tcpaddr->type.in.s_addr);
+ result = snprintf(buf, sizeof(buf),
+ "%lx.%lx.%lx.%lx.%lx.%lx.%lx.%lx"
+ "2.0.0.2.IP6.ARPA.",
+ l & 0xf, (l >> 4) & 0xf, (l >> 8) & 0xf,
+ (l >> 12) & 0xf, (l >> 16) & 0xf,
+ (l >> 20) & 0xf, (l >> 24) & 0xf,
+ (l >> 28) & 0xf);
+ RUNTIME_CHECK(result < sizeof(buf));
+ break;
+ case AF_INET6:
+ ap = tcpaddr->type.in6.s6_addr;
+ result = snprintf(
+ buf, sizeof(buf),
+ "%x.%x.%x.%x.%x.%x.%x.%x."
+ "%x.%x.%x.%x.IP6.ARPA.",
+ ap[5] & 0x0f, (ap[5] >> 4) & 0x0f, ap[4] & 0x0f,
+ (ap[4] >> 4) & 0x0f, ap[3] & 0x0f, (ap[3] >> 4) & 0x0f,
+ ap[2] & 0x0f, (ap[2] >> 4) & 0x0f, ap[1] & 0x0f,
+ (ap[1] >> 4) & 0x0f, ap[0] & 0x0f, (ap[0] >> 4) & 0x0f);
+ RUNTIME_CHECK(result < sizeof(buf));
+ break;
+ default:
+ UNREACHABLE();
+ }
+ isc_buffer_init(&b, buf, strlen(buf));
+ isc_buffer_add(&b, strlen(buf));
+ result = dns_name_fromtext(stfself, &b, dns_rootname, 0, NULL);
+ RUNTIME_CHECK(result == ISC_R_SUCCESS);
+}
+
+bool
+dns_ssutable_checkrules(dns_ssutable_t *table, const dns_name_t *signer,
+ const dns_name_t *name, const isc_netaddr_t *addr,
+ bool tcp, dns_aclenv_t *env, dns_rdatatype_t type,
+ const dns_name_t *target, const dst_key_t *key,
+ const dns_ssurule_t **rulep) {
+ dns_fixedname_t fixed;
+ dns_name_t *stfself;
+ dns_name_t *tcpself;
+ dns_name_t *wildcard;
+ dns_ssurule_t *rule;
+ const dns_name_t *tname;
+ int match;
+ isc_result_t result;
+ unsigned int i;
+
+ REQUIRE(VALID_SSUTABLE(table));
+ REQUIRE(signer == NULL || dns_name_isabsolute(signer));
+ REQUIRE(dns_name_isabsolute(name));
+ REQUIRE(addr == NULL || env != NULL);
+
+ if (signer == NULL && addr == NULL) {
+ return (false);
+ }
+
+ for (rule = ISC_LIST_HEAD(table->rules); rule != NULL;
+ rule = ISC_LIST_NEXT(rule, link))
+ {
+ switch (rule->matchtype) {
+ case dns_ssumatchtype_local:
+ case dns_ssumatchtype_name:
+ case dns_ssumatchtype_self:
+ case dns_ssumatchtype_selfsub:
+ case dns_ssumatchtype_selfwild:
+ case dns_ssumatchtype_subdomain:
+ case dns_ssumatchtype_wildcard:
+ if (signer == NULL) {
+ continue;
+ }
+ if (dns_name_iswildcard(rule->identity)) {
+ if (!dns_name_matcheswildcard(signer,
+ rule->identity))
+ {
+ continue;
+ }
+ } else {
+ if (!dns_name_equal(signer, rule->identity)) {
+ continue;
+ }
+ }
+ break;
+ case dns_ssumatchtype_selfkrb5:
+ case dns_ssumatchtype_selfms:
+ case dns_ssumatchtype_selfsubkrb5:
+ case dns_ssumatchtype_selfsubms:
+ case dns_ssumatchtype_subdomainkrb5:
+ case dns_ssumatchtype_subdomainms:
+ case dns_ssumatchtype_subdomainselfkrb5rhs:
+ case dns_ssumatchtype_subdomainselfmsrhs:
+ if (signer == NULL) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_tcpself:
+ case dns_ssumatchtype_6to4self:
+ if (!tcp || addr == NULL) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_external:
+ case dns_ssumatchtype_dlz:
+ break;
+ }
+
+ switch (rule->matchtype) {
+ case dns_ssumatchtype_name:
+ if (!dns_name_equal(name, rule->name)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_subdomain:
+ if (!dns_name_issubdomain(name, rule->name)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_local:
+ if (addr == NULL) {
+ continue;
+ }
+ if (!dns_name_issubdomain(name, rule->name)) {
+ continue;
+ }
+ RWLOCK(&env->rwlock, isc_rwlocktype_read);
+ dns_acl_match(addr, NULL, env->localhost, NULL, &match,
+ NULL);
+ RWUNLOCK(&env->rwlock, isc_rwlocktype_read);
+ if (match == 0) {
+ if (signer != NULL) {
+ isc_log_write(dns_lctx,
+ DNS_LOGCATEGORY_GENERAL,
+ DNS_LOGMODULE_SSU,
+ ISC_LOG_WARNING,
+ "update-policy local: "
+ "match on session "
+ "key not from "
+ "localhost");
+ }
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_wildcard:
+ if (!dns_name_matcheswildcard(name, rule->name)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_self:
+ if (!dns_name_equal(signer, name)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_selfsub:
+ if (!dns_name_issubdomain(name, signer)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_selfwild:
+ wildcard = dns_fixedname_initname(&fixed);
+ result = dns_name_concatenate(dns_wildcardname, signer,
+ wildcard, NULL);
+ if (result != ISC_R_SUCCESS) {
+ continue;
+ }
+ if (!dns_name_matcheswildcard(name, wildcard)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_selfkrb5:
+ if (dst_gssapi_identitymatchesrealmkrb5(
+ signer, name, rule->identity, false))
+ {
+ break;
+ }
+ continue;
+ case dns_ssumatchtype_selfms:
+ if (dst_gssapi_identitymatchesrealmms(
+ signer, name, rule->identity, false))
+ {
+ break;
+ }
+ continue;
+ case dns_ssumatchtype_selfsubkrb5:
+ if (dst_gssapi_identitymatchesrealmkrb5(
+ signer, name, rule->identity, true))
+ {
+ break;
+ }
+ continue;
+ case dns_ssumatchtype_selfsubms:
+ if (dst_gssapi_identitymatchesrealmms(
+ signer, name, rule->identity, true))
+ {
+ break;
+ }
+ continue;
+ case dns_ssumatchtype_subdomainkrb5:
+ case dns_ssumatchtype_subdomainselfkrb5rhs:
+ if (!dns_name_issubdomain(name, rule->name)) {
+ continue;
+ }
+ tname = NULL;
+ switch (rule->matchtype) {
+ case dns_ssumatchtype_subdomainselfkrb5rhs:
+ if (type == dns_rdatatype_ptr) {
+ tname = target;
+ }
+ if (type == dns_rdatatype_srv) {
+ tname = target;
+ }
+ break;
+ default:
+ break;
+ }
+ if (dst_gssapi_identitymatchesrealmkrb5(
+ signer, tname, rule->identity, false))
+ {
+ break;
+ }
+ continue;
+ case dns_ssumatchtype_subdomainms:
+ case dns_ssumatchtype_subdomainselfmsrhs:
+ if (!dns_name_issubdomain(name, rule->name)) {
+ continue;
+ }
+ tname = NULL;
+ switch (rule->matchtype) {
+ case dns_ssumatchtype_subdomainselfmsrhs:
+ if (type == dns_rdatatype_ptr) {
+ tname = target;
+ }
+ if (type == dns_rdatatype_srv) {
+ tname = target;
+ }
+ break;
+ default:
+ break;
+ }
+ if (dst_gssapi_identitymatchesrealmms(
+ signer, tname, rule->identity, false))
+ {
+ break;
+ }
+ continue;
+ case dns_ssumatchtype_tcpself:
+ tcpself = dns_fixedname_initname(&fixed);
+ reverse_from_address(tcpself, addr);
+ if (dns_name_iswildcard(rule->identity)) {
+ if (!dns_name_matcheswildcard(tcpself,
+ rule->identity))
+ {
+ continue;
+ }
+ } else {
+ if (!dns_name_equal(tcpself, rule->identity)) {
+ continue;
+ }
+ }
+ if (!dns_name_equal(tcpself, name)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_6to4self:
+ stfself = dns_fixedname_initname(&fixed);
+ stf_from_address(stfself, addr);
+ if (dns_name_iswildcard(rule->identity)) {
+ if (!dns_name_matcheswildcard(stfself,
+ rule->identity))
+ {
+ continue;
+ }
+ } else {
+ if (!dns_name_equal(stfself, rule->identity)) {
+ continue;
+ }
+ }
+ if (!dns_name_equal(stfself, name)) {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_external:
+ if (!dns_ssu_external_match(rule->identity, signer,
+ name, addr, type, key,
+ table->mctx))
+ {
+ continue;
+ }
+ break;
+ case dns_ssumatchtype_dlz:
+ if (!dns_dlz_ssumatch(table->dlzdatabase, signer, name,
+ addr, type, key))
+ {
+ continue;
+ }
+ break;
+ }
+
+ if (rule->ntypes == 0) {
+ /*
+ * If this is a DLZ rule, then the DLZ ssu
+ * checks will have already checked the type.
+ */
+ if (rule->matchtype != dns_ssumatchtype_dlz &&
+ !isusertype(type))
+ {
+ continue;
+ }
+ } else {
+ for (i = 0; i < rule->ntypes; i++) {
+ if (rule->types[i].type == dns_rdatatype_any ||
+ rule->types[i].type == type)
+ {
+ break;
+ }
+ }
+ if (i == rule->ntypes) {
+ continue;
+ }
+ }
+ if (rule->grant && rulep != NULL) {
+ *rulep = rule;
+ }
+ return (rule->grant);
+ }
+
+ return (false);
+}
+
+bool
+dns_ssurule_isgrant(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->grant);
+}
+
+dns_name_t *
+dns_ssurule_identity(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->identity);
+}
+
+unsigned int
+dns_ssurule_matchtype(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->matchtype);
+}
+
+dns_name_t *
+dns_ssurule_name(const dns_ssurule_t *rule) {
+ REQUIRE(VALID_SSURULE(rule));
+ return (rule->name);
+}
+
+unsigned int
+dns_ssurule_types(const dns_ssurule_t *rule, dns_ssuruletype_t **types) {
+ REQUIRE(VALID_SSURULE(rule));
+ REQUIRE(types != NULL && *types != NULL);
+ *types = rule->types;
+ return (rule->ntypes);
+}
+
+unsigned int
+dns_ssurule_max(const dns_ssurule_t *rule, dns_rdatatype_t type) {
+ unsigned int i;
+ unsigned int max = 0;
+
+ REQUIRE(VALID_SSURULE(rule));
+
+ for (i = 0; i < rule->ntypes; i++) {
+ if (rule->types[i].type == dns_rdatatype_any) {
+ max = rule->types[i].max;
+ }
+ if (rule->types[i].type == type) {
+ return (rule->types[i].max);
+ }
+ }
+ return (max);
+}
+
+isc_result_t
+dns_ssutable_firstrule(const dns_ssutable_t *table, dns_ssurule_t **rule) {
+ REQUIRE(VALID_SSUTABLE(table));
+ REQUIRE(rule != NULL && *rule == NULL);
+ *rule = ISC_LIST_HEAD(table->rules);
+ return (*rule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+isc_result_t
+dns_ssutable_nextrule(dns_ssurule_t *rule, dns_ssurule_t **nextrule) {
+ REQUIRE(VALID_SSURULE(rule));
+ REQUIRE(nextrule != NULL && *nextrule == NULL);
+ *nextrule = ISC_LIST_NEXT(rule, link);
+ return (*nextrule != NULL ? ISC_R_SUCCESS : ISC_R_NOMORE);
+}
+
+/*
+ * Create a specialised SSU table that points at an external DLZ database
+ */
+void
+dns_ssutable_createdlz(isc_mem_t *mctx, dns_ssutable_t **tablep,
+ dns_dlzdb_t *dlzdatabase) {
+ dns_ssurule_t *rule;
+ dns_ssutable_t *table = NULL;
+
+ REQUIRE(tablep != NULL && *tablep == NULL);
+
+ dns_ssutable_create(mctx, &table);
+
+ table->dlzdatabase = dlzdatabase;
+
+ rule = isc_mem_get(table->mctx, sizeof(dns_ssurule_t));
+
+ rule->identity = NULL;
+ rule->name = NULL;
+ rule->grant = true;
+ rule->matchtype = dns_ssumatchtype_dlz;
+ rule->ntypes = 0;
+ rule->types = NULL;
+ rule->magic = SSURULEMAGIC;
+
+ ISC_LIST_INITANDAPPEND(table->rules, rule, link);
+ *tablep = table;
+}
+
+isc_result_t
+dns_ssu_mtypefromstring(const char *str, dns_ssumatchtype_t *mtype) {
+ REQUIRE(str != NULL);
+ REQUIRE(mtype != NULL);
+
+ if (strcasecmp(str, "name") == 0) {
+ *mtype = dns_ssumatchtype_name;
+ } else if (strcasecmp(str, "subdomain") == 0) {
+ *mtype = dns_ssumatchtype_subdomain;
+ } else if (strcasecmp(str, "wildcard") == 0) {
+ *mtype = dns_ssumatchtype_wildcard;
+ } else if (strcasecmp(str, "self") == 0) {
+ *mtype = dns_ssumatchtype_self;
+ } else if (strcasecmp(str, "selfsub") == 0) {
+ *mtype = dns_ssumatchtype_selfsub;
+ } else if (strcasecmp(str, "selfwild") == 0) {
+ *mtype = dns_ssumatchtype_selfwild;
+ } else if (strcasecmp(str, "ms-self") == 0) {
+ *mtype = dns_ssumatchtype_selfms;
+ } else if (strcasecmp(str, "ms-selfsub") == 0) {
+ *mtype = dns_ssumatchtype_selfsubms;
+ } else if (strcasecmp(str, "krb5-self") == 0) {
+ *mtype = dns_ssumatchtype_selfkrb5;
+ } else if (strcasecmp(str, "krb5-selfsub") == 0) {
+ *mtype = dns_ssumatchtype_selfsubkrb5;
+ } else if (strcasecmp(str, "ms-subdomain") == 0) {
+ *mtype = dns_ssumatchtype_subdomainms;
+ } else if (strcasecmp(str, "ms-subdomain-self-rhs") == 0) {
+ *mtype = dns_ssumatchtype_subdomainselfmsrhs;
+ } else if (strcasecmp(str, "krb5-subdomain") == 0) {
+ *mtype = dns_ssumatchtype_subdomainkrb5;
+ } else if (strcasecmp(str, "krb5-subdomain-self-rhs") == 0) {
+ *mtype = dns_ssumatchtype_subdomainselfkrb5rhs;
+ } else if (strcasecmp(str, "tcp-self") == 0) {
+ *mtype = dns_ssumatchtype_tcpself;
+ } else if (strcasecmp(str, "6to4-self") == 0) {
+ *mtype = dns_ssumatchtype_6to4self;
+ } else if (strcasecmp(str, "zonesub") == 0) {
+ *mtype = dns_ssumatchtype_subdomain;
+ } else if (strcasecmp(str, "external") == 0) {
+ *mtype = dns_ssumatchtype_external;
+ } else {
+ return (ISC_R_NOTFOUND);
+ }
+ return (ISC_R_SUCCESS);
+}