From 8cee2ebac54a1c4a6b9cc1ee877ead57e529b7c2 Mon Sep 17 00:00:00 2001 From: Cy Schubert Date: Sun, 16 Oct 2022 13:42:15 -0700 Subject: [PATCH] Revert "unbound: Vendor import 1.17.0" This reverts commit 64d318ea98b7c59f5567d47a9a8474887d8b5cb8, reversing changes made to 8063dc03202fad7d6bdf34976bc8556fa3f23fa1. Revert a mismerge which reversed 8063dc03202fad7d6bdf34976bc8556fa3f23fa1. --- contrib/unbound/Makefile.in | 8 +- contrib/unbound/acx_nlnetlabs.m4 | 6 +- contrib/unbound/compat/arc4random.c | 8 +- contrib/unbound/config.guess | 8 +- contrib/unbound/config.h.in | 15 - contrib/unbound/config.sub | 27 +- contrib/unbound/configure | 100 +-- contrib/unbound/configure.ac | 13 +- contrib/unbound/daemon/acl_list.c | 473 ++-------- contrib/unbound/daemon/acl_list.h | 39 +- contrib/unbound/daemon/daemon.c | 61 +- contrib/unbound/daemon/daemon.h | 2 - contrib/unbound/daemon/remote.c | 6 +- contrib/unbound/daemon/stats.c | 27 +- contrib/unbound/daemon/worker.c | 152 ++-- contrib/unbound/daemon/worker.h | 4 - contrib/unbound/dnstap/dtstream.c | 4 +- .../unbound/dnstap/unbound-dnstap-socket.c | 4 +- contrib/unbound/doc/Changelog | 107 --- contrib/unbound/doc/README | 2 +- contrib/unbound/doc/example.conf.in | 68 +- contrib/unbound/doc/libunbound.3.in | 4 +- contrib/unbound/doc/unbound-anchor.8.in | 2 +- contrib/unbound/doc/unbound-checkconf.8.in | 2 +- contrib/unbound/doc/unbound-control.8.in | 2 +- contrib/unbound/doc/unbound-host.1.in | 2 +- contrib/unbound/doc/unbound.8.in | 4 +- contrib/unbound/doc/unbound.conf.5.in | 63 +- contrib/unbound/edns-subnet/addrtree.c | 9 +- contrib/unbound/edns-subnet/addrtree.h | 7 +- contrib/unbound/edns-subnet/subnetmod.c | 43 +- contrib/unbound/iterator/iter_hints.c | 2 +- contrib/unbound/iterator/iter_resptype.c | 6 +- contrib/unbound/iterator/iterator.c | 105 +-- contrib/unbound/iterator/iterator.h | 2 +- contrib/unbound/libunbound/libunbound.c | 4 +- contrib/unbound/respip/respip.c | 10 +- contrib/unbound/respip/respip.h | 6 +- contrib/unbound/services/authzone.c | 6 +- contrib/unbound/services/cache/infra.c | 37 +- contrib/unbound/services/cache/infra.h | 7 +- contrib/unbound/services/listen_dnsport.c | 134 +-- contrib/unbound/services/listen_dnsport.h | 14 +- contrib/unbound/services/localzone.c | 12 +- contrib/unbound/services/mesh.c | 13 +- contrib/unbound/services/outside_network.c | 162 ++-- contrib/unbound/services/outside_network.h | 24 - contrib/unbound/services/rpz.c | 28 +- contrib/unbound/services/view.c | 5 +- contrib/unbound/smallapp/unbound-checkconf.c | 18 +- contrib/unbound/smallapp/unbound-control.c | 4 +- contrib/unbound/testdata/iter_ghost_sub.rpl | 309 +++++++ .../testdata/iter_ghost_timewindow.rpl | 391 ++++++++ contrib/unbound/util/config_file.c | 54 +- contrib/unbound/util/config_file.h | 20 - contrib/unbound/util/configlexer.lex | 6 - contrib/unbound/util/configparser.y | 129 +-- contrib/unbound/util/fptr_wlist.c | 1 - contrib/unbound/util/net_help.c | 6 +- contrib/unbound/util/net_help.h | 8 +- contrib/unbound/util/netevent.c | 836 ++++-------------- contrib/unbound/util/netevent.h | 42 +- contrib/unbound/util/proxy_protocol.c | 139 --- contrib/unbound/util/proxy_protocol.h | 131 --- contrib/unbound/util/storage/dnstree.c | 13 - contrib/unbound/util/storage/dnstree.h | 10 - contrib/unbound/util/tube.c | 42 - contrib/unbound/util/tube.h | 8 - lib/libunbound/Makefile | 3 +- sys/fs/nfsserver/nfs_nfsdport.c | 4 + usr.sbin/unbound/config.h | 6 +- 71 files changed, 1348 insertions(+), 2681 deletions(-) create mode 100644 contrib/unbound/testdata/iter_ghost_sub.rpl create mode 100644 contrib/unbound/testdata/iter_ghost_timewindow.rpl delete mode 100644 contrib/unbound/util/proxy_protocol.c delete mode 100644 contrib/unbound/util/proxy_protocol.h diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in index e7c76c2588aa..3189731ad52f 100644 --- a/contrib/unbound/Makefile.in +++ b/contrib/unbound/Makefile.in @@ -130,7 +130,7 @@ util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \ util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \ util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \ util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \ -util/timehist.c util/tube.c util/proxy_protocol.c \ +util/timehist.c util/tube.c \ util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \ validator/autotrust.c validator/val_anchor.c validator/validator.c \ validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \ @@ -148,7 +148,7 @@ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \ fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \ random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \ slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \ -autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \ +autotrust.lo val_anchor.lo rpz.lo \ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ @@ -984,8 +984,6 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h -proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \ - $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ @@ -1514,7 +1512,7 @@ asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libu $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h diff --git a/contrib/unbound/acx_nlnetlabs.m4 b/contrib/unbound/acx_nlnetlabs.m4 index cf436ec54bb6..1574f97bfe02 100644 --- a/contrib/unbound/acx_nlnetlabs.m4 +++ b/contrib/unbound/acx_nlnetlabs.m4 @@ -2,8 +2,7 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 44 -# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD. +# Version 43 # 2021-08-17 fix sed script in ssldir split handling. # 2021-08-17 fix for openssl to detect split version, with ssldir_include # and ssldir_lib output directories. @@ -964,9 +963,6 @@ AC_LANG_SOURCE([[ #ifdef HAVE_SYS_TYPES_H #include #endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif #ifdef HAVE_SYS_SOCKET_H #include #endif diff --git a/contrib/unbound/compat/arc4random.c b/contrib/unbound/compat/arc4random.c index 486ab89c68d8..b536d3143d42 100644 --- a/contrib/unbound/compat/arc4random.c +++ b/contrib/unbound/compat/arc4random.c @@ -57,8 +57,6 @@ #define BLOCKSZ 64 #define RSBUFSZ (16*BLOCKSZ) -#define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */ - /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */ static struct { size_t rs_have; /* valid bytes at end of rs_buf */ @@ -181,7 +179,6 @@ static void _rs_stir(void) { u_char rnd[KEYSZ + IVSZ]; - uint32_t rekey_fuzz = 0; if (getentropy(rnd, sizeof rnd) == -1) { if(errno != ENOSYS || @@ -204,10 +201,7 @@ _rs_stir(void) rs->rs_have = 0; memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf)); - /* rekey interval should not be predictable */ - chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz, - (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz)); - rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE); + rs->rs_count = 1600000; } static inline void diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess index 980b02083815..a419d8643b62 100755 --- a/contrib/unbound/config.guess +++ b/contrib/unbound/config.guess @@ -4,7 +4,7 @@ # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2022-09-17' +timestamp='2022-08-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -966,12 +966,6 @@ EOF GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC ;; - x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*) - GUESS="$UNAME_MACHINE-pc-managarm-mlibc" - ;; - *:[Mm]anagarm:*:*) - GUESS="$UNAME_MACHINE-unknown-managarm-mlibc" - ;; *:Minix:*:*) GUESS=$UNAME_MACHINE-unknown-minix ;; diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in index 2caecf30d040..cc1fbe864818 100644 --- a/contrib/unbound/config.h.in +++ b/contrib/unbound/config.h.in @@ -298,9 +298,6 @@ /* Define to 1 if you have the `getrlimit' function. */ #undef HAVE_GETRLIMIT -/* Define to 1 if you have the `gettid' function. */ -#undef HAVE_GETTID - /* Define to 1 if you have the `glob' function. */ #undef HAVE_GLOB @@ -460,12 +457,6 @@ /* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */ #undef HAVE_OSSL_PARAM_BLD_NEW -/* Define to 1 if you have the `poll' function. */ -#undef HAVE_POLL - -/* Define to 1 if you have the header file. */ -#undef HAVE_POLL_H - /* Define if you have POSIX threads libraries and header files. */ #undef HAVE_PTHREAD @@ -809,18 +800,12 @@ /* Shared data */ #undef SHARE_DIR -/* The size of `pthread_t', as computed by sizeof. */ -#undef SIZEOF_PTHREAD_T - /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* The size of `time_t', as computed by sizeof. */ #undef SIZEOF_TIME_T -/* The size of `unsigned long', as computed by sizeof. */ -#undef SIZEOF_UNSIGNED_LONG - /* define if (v)snprintf does not return length needed, (but length used) */ #undef SNPRINTF_RET_BROKEN diff --git a/contrib/unbound/config.sub b/contrib/unbound/config.sub index baf1512b3c03..fbaa37f2352d 100755 --- a/contrib/unbound/config.sub +++ b/contrib/unbound/config.sub @@ -4,7 +4,7 @@ # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2022-09-17' +timestamp='2022-08-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -145,7 +145,7 @@ case $1 in nto-qnx* | linux-* | uclinux-uclibc* \ | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ - | storm-chaos* | os2-emx* | rtmk-nova* | managarm-*) + | storm-chaos* | os2-emx* | rtmk-nova*) basic_machine=$field1 basic_os=$maybe_os ;; @@ -1341,10 +1341,6 @@ EOF kernel=linux os=`echo "$basic_os" | sed -e 's|linux|gnu|'` ;; - managarm*) - kernel=managarm - os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'` - ;; *) kernel= os=$basic_os @@ -1758,7 +1754,7 @@ case $os in | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \ - | fiwix* | mlibc* ) + | fiwix* ) ;; # This one is extra strict with allowed versions sco3.2v2 | sco3.2v[4-9]* | sco5v6*) @@ -1766,9 +1762,6 @@ case $os in ;; none) ;; - kernel* ) - # Restricted further below - ;; *) echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2 exit 1 @@ -1779,26 +1772,16 @@ esac # (given a valid OS), if there is a kernel. case $kernel-$os in linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \ - | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* ) + | linux-musl* | linux-relibc* | linux-uclibc* ) ;; uclinux-uclibc* ) ;; - managarm-mlibc* | managarm-kernel* ) - ;; - -dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* ) + -dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* ) # These are just libc implementations, not actual OSes, and thus # require a kernel. echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2 exit 1 ;; - -kernel* ) - echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2 - exit 1 - ;; - *-kernel* ) - echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2 - exit 1 - ;; kfreebsd*-gnu* | kopensolaris*-gnu*) ;; vxworks-simlinux | vxworks-simwindows | vxworks-spe) diff --git a/contrib/unbound/configure b/contrib/unbound/configure index a2837d18553b..f40187910ecc 100755 --- a/contrib/unbound/configure +++ b/contrib/unbound/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.17.0. +# Generated by GNU Autoconf 2.69 for unbound 1.16.3. # # Report bugs to . # @@ -591,8 +591,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.17.0' -PACKAGE_STRING='unbound 1.17.0' +PACKAGE_VERSION='1.16.3' +PACKAGE_STRING='unbound 1.16.3' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.17.0 to adapt to many kinds of systems. +\`configure' configures unbound 1.16.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1543,7 +1543,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.17.0:";; + short | recursive ) echo "Configuration of unbound 1.16.3:";; esac cat <<\_ACEOF @@ -1785,7 +1785,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.17.0 +unbound configure 1.16.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.17.0, which was +It was created by unbound $as_me 1.16.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2844,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=17 +UNBOUND_VERSION_MINOR=16 -UNBOUND_VERSION_MICRO=0 +UNBOUND_VERSION_MICRO=3 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=20 +LIBUNBOUND_REVISION=19 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2937,7 +2937,6 @@ LIBUNBOUND_AGE=1 # 1.16.1 had 9:17:1 # 1.16.2 had 9:18:1 # 1.16.3 had 9:19:1 -# 1.17.0 had 9:20:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -14773,7 +14772,7 @@ fi fi # Checks for header files. -for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h +for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default @@ -16032,9 +16031,6 @@ else #ifdef HAVE_SYS_TYPES_H #include #endif -#ifdef HAVE_SYS_SELECT_H -#include -#endif #ifdef HAVE_SYS_SOCKET_H #include #endif @@ -17105,72 +17101,6 @@ _ACEOF fi - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5 -$as_echo_n "checking size of unsigned long... " >&6; } -if ${ac_cv_sizeof_unsigned_long+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_unsigned_long" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (unsigned long) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_unsigned_long=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5 -$as_echo "$ac_cv_sizeof_unsigned_long" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long -_ACEOF - - - # The cast to long int works around a bug in the HP C Compiler -# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects -# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. -# This bug is HP SR number 8606223364. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of pthread_t" >&5 -$as_echo_n "checking size of pthread_t... " >&6; } -if ${ac_cv_sizeof_pthread_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (pthread_t))" "ac_cv_sizeof_pthread_t" "$ac_includes_default"; then : - -else - if test "$ac_cv_type_pthread_t" = yes; then - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "cannot compute sizeof (pthread_t) -See \`config.log' for more details" "$LINENO" 5; } - else - ac_cv_sizeof_pthread_t=0 - fi -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_pthread_t" >&5 -$as_echo "$ac_cv_sizeof_pthread_t" >&6; } - - - -cat >>confdefs.h <<_ACEOF -#define SIZEOF_PTHREAD_T $ac_cv_sizeof_pthread_t -_ACEOF - - if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5 @@ -20661,7 +20591,7 @@ if test "$ac_res" != no; then : fi -for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid +for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -22085,7 +22015,7 @@ _ACEOF -version=1.17.0 +version=1.16.3 date=`date +'%b %e, %Y'` @@ -22604,7 +22534,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.17.0, which was +This file was extended by unbound $as_me 1.16.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -22670,7 +22600,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.17.0 +unbound config.status 1.16.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac index 57cc7e604b1e..bf8aa9d8cdb0 100644 --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[17]) -m4_define([VERSION_MICRO],[0]) +m4_define([VERSION_MINOR],[16]) +m4_define([VERSION_MICRO],[3]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=20 +LIBUNBOUND_REVISION=19 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -105,7 +105,6 @@ LIBUNBOUND_AGE=1 # 1.16.1 had 9:17:1 # 1.16.2 had 9:18:1 # 1.16.3 had 9:19:1 -# 1.17.0 had 9:20:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -398,7 +397,7 @@ PKG_PROG_PKG_CONFIG fi # Checks for header files. -AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h],,, [AC_INCLUDES_DEFAULT]) +AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT]) # net/if.h portability for Darwin see: # https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html AC_CHECK_HEADERS([net/if.h],,, [ @@ -608,8 +607,6 @@ if test x_$withval != x_no; then CC="$PTHREAD_CC" ub_have_pthreads=yes AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include ]) - AC_CHECK_SIZEOF([unsigned long]) - AC_CHECK_SIZEOF(pthread_t) if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then AC_MSG_CHECKING([if -pthread unused during linking]) @@ -1647,7 +1644,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([ AC_MSG_RESULT(no)) AC_SEARCH_LIBS([setusercontext], [util]) -AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid]) +AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex]) AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])]) AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])]) diff --git a/contrib/unbound/daemon/acl_list.c b/contrib/unbound/daemon/acl_list.c index f3961dbbb7ad..aecb3e0c6437 100644 --- a/contrib/unbound/daemon/acl_list.c +++ b/contrib/unbound/daemon/acl_list.c @@ -46,10 +46,9 @@ #include "util/config_file.h" #include "util/net_help.h" #include "services/localzone.h" -#include "services/listen_dnsport.h" #include "sldns/str2wire.h" -struct acl_list* +struct acl_list* acl_list_create(void) { struct acl_list* acl = (struct acl_list*)calloc(1, @@ -64,10 +63,10 @@ acl_list_create(void) return acl; } -void +void acl_list_delete(struct acl_list* acl) { - if(!acl) + if(!acl) return; regional_destroy(acl->region); free(acl); @@ -75,8 +74,8 @@ acl_list_delete(struct acl_list* acl) /** insert new address into acl_list structure */ static struct acl_addr* -acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, - socklen_t addrlen, int net, enum acl_access control, +acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, + socklen_t addrlen, int net, enum acl_access control, int complain_duplicates) { struct acl_addr* node = regional_alloc_zero(acl->region, @@ -91,31 +90,6 @@ acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, return node; } -/** parse str to acl_access enum */ -static int -parse_acl_access(const char* str, enum acl_access* control) -{ - if(strcmp(str, "allow") == 0) - *control = acl_allow; - else if(strcmp(str, "deny") == 0) - *control = acl_deny; - else if(strcmp(str, "refuse") == 0) - *control = acl_refuse; - else if(strcmp(str, "deny_non_local") == 0) - *control = acl_deny_non_local; - else if(strcmp(str, "refuse_non_local") == 0) - *control = acl_refuse_non_local; - else if(strcmp(str, "allow_snoop") == 0) - *control = acl_allow_snoop; - else if(strcmp(str, "allow_setrd") == 0) - *control = acl_allow_setrd; - else { - log_err("access control type %s unknown", str); - return 0; - } - return 1; -} - /** apply acl_list string */ static int acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2, @@ -125,14 +99,29 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2, int net; socklen_t addrlen; enum acl_access control; - if(!parse_acl_access(s2, &control)) { + if(strcmp(s2, "allow") == 0) + control = acl_allow; + else if(strcmp(s2, "deny") == 0) + control = acl_deny; + else if(strcmp(s2, "refuse") == 0) + control = acl_refuse; + else if(strcmp(s2, "deny_non_local") == 0) + control = acl_deny_non_local; + else if(strcmp(s2, "refuse_non_local") == 0) + control = acl_refuse_non_local; + else if(strcmp(s2, "allow_snoop") == 0) + control = acl_allow_snoop; + else if(strcmp(s2, "allow_setrd") == 0) + control = acl_allow_setrd; + else { + log_err("access control type %s unknown", str); return 0; } if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) { log_err("cannot parse access control: %s %s", str, s2); return 0; } - if(!acl_list_insert(acl, &addr, addrlen, net, control, + if(!acl_list_insert(acl, &addr, addrlen, net, control, complain_duplicates)) { log_err("out of memory"); return 0; @@ -142,27 +131,19 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2, /** find or create node (NULL on parse or error) */ static struct acl_addr* -acl_find_or_create_str2addr(struct acl_list* acl, const char* str, - int is_interface, int port) +acl_find_or_create(struct acl_list* acl, const char* str) { struct acl_addr* node; struct sockaddr_storage addr; + int net; socklen_t addrlen; - int net = (str_is_ip6(str)?128:32); - if(is_interface) { - if(!extstrtoaddr(str, &addr, &addrlen, port)) { - log_err("cannot parse interface: %s", str); - return NULL; - } - } else { - if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) { - log_err("cannot parse netblock: %s", str); - return NULL; - } + if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) { + log_err("cannot parse netblock: %s", str); + return NULL; } /* find or create node */ if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr, - addrlen, net)) && !is_interface) { + addrlen, net))) { /* create node, type 'allow' since otherwise tags are * pointless, can override with specific access-control: cfg */ if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr, @@ -174,65 +155,14 @@ acl_find_or_create_str2addr(struct acl_list* acl, const char* str, return node; } -/** find or create node (NULL on error) */ -static struct acl_addr* -acl_find_or_create(struct acl_list* acl, struct sockaddr_storage* addr, - socklen_t addrlen, enum acl_access control) -{ - struct acl_addr* node; - int net = (addr_is_ip6(addr, addrlen)?128:32); - /* find or create node */ - if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, addr, - addrlen, net))) { - /* create node; - * can override with specific access-control: cfg */ - if(!(node=(struct acl_addr*)acl_list_insert(acl, addr, - addrlen, net, control, 1))) { - log_err("out of memory"); - return NULL; - } - } - return node; -} - -/** apply acl_interface string */ -static int -acl_interface_str_cfg(struct acl_list* acl_interface, const char* iface, - const char* s2, int port) -{ - struct acl_addr* node; - enum acl_access control; - if(!parse_acl_access(s2, &control)) { - return 0; - } - if(!(node=acl_find_or_create_str2addr(acl_interface, iface, 1, port))) { - log_err("cannot update ACL on non-configured interface: %s %d", - iface, port); - return 0; - } - node->control = control; - return 1; -} - -struct acl_addr* -acl_interface_insert(struct acl_list* acl_interface, - struct sockaddr_storage* addr, socklen_t addrlen, - enum acl_access control) -{ - return acl_find_or_create(acl_interface, addr, addrlen, control); -} - /** apply acl_tag string */ static int acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap, - size_t bitmaplen, int is_interface, int port) + size_t bitmaplen) { struct acl_addr* node; - if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { - if(is_interface) - log_err("non-configured interface: %s", str); + if(!(node=acl_find_or_create(acl, str))) return 0; - } node->taglen = bitmaplen; node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen); if(!node->taglist) { @@ -245,14 +175,11 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap, /** apply acl_view string */ static int acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2, - struct views* vs, int is_interface, int port) + struct views* vs) { struct acl_addr* node; - if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { - if(is_interface) - log_err("non-configured interface: %s", str); + if(!(node=acl_find_or_create(acl, str))) return 0; - } node->view = views_find_view(vs, str2, 0 /* get read lock*/); if(!node->view) { log_err("no view with name: %s", str2); @@ -265,17 +192,13 @@ acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2, /** apply acl_tag_action string */ static int acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg, - const char* str, const char* tag, const char* action, - int is_interface, int port) + const char* str, const char* tag, const char* action) { struct acl_addr* node; int tagid; enum localzone_type t; - if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { - if(is_interface) - log_err("non-configured interface: %s", str); + if(!(node=acl_find_or_create(acl, str))) return 0; - } /* allocate array if not yet */ if(!node->tag_actions) { node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region, @@ -358,17 +281,13 @@ check_data(const char* data, const struct config_strlist* head) /** apply acl_tag_data string */ static int acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg, - const char* str, const char* tag, const char* data, - int is_interface, int port) + const char* str, const char* tag, const char* data) { struct acl_addr* node; int tagid; char* dupdata; - if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { - if(is_interface) - log_err("non-configured interface: %s", str); + if(!(node=acl_find_or_create(acl, str))) return 0; - } /* allocate array if not yet */ if(!node->tag_datas) { node->tag_datas = (struct config_strlist**)regional_alloc_zero( @@ -410,11 +329,11 @@ acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg, } /** read acl_list config */ -static int -read_acl_list(struct acl_list* acl, struct config_str2list* acls) +static int +read_acl_list(struct acl_list* acl, struct config_file* cfg) { struct config_str2list* p; - for(p = acls; p; p = p->next) { + for(p = cfg->acls; p; p = p->next) { log_assert(p->str && p->str2); if(!acl_list_str_cfg(acl, p->str, p->str2, 1)) return 0; @@ -422,38 +341,15 @@ read_acl_list(struct acl_list* acl, struct config_str2list* acls) return 1; } -/** read acl view config */ -static int -read_acl_view(struct acl_list* acl, struct config_str2list** acl_view, - struct views* v) -{ - struct config_str2list* np, *p = *acl_view; - *acl_view = NULL; - while(p) { - log_assert(p->str && p->str2); - if(!acl_list_view_cfg(acl, p->str, p->str2, v, 0, 0)) { - config_deldblstrlist(p); - return 0; - } - /* free the items as we go to free up memory */ - np = p->next; - free(p->str); - free(p->str2); - free(p); - p = np; - } - return 1; -} - /** read acl tags config */ -static int -read_acl_tags(struct acl_list* acl, struct config_strbytelist** acl_tags) +static int +read_acl_tags(struct acl_list* acl, struct config_file* cfg) { - struct config_strbytelist* np, *p = *acl_tags; - *acl_tags = NULL; + struct config_strbytelist* np, *p = cfg->acl_tags; + cfg->acl_tags = NULL; while(p) { log_assert(p->str && p->str2); - if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len, 0, 0)) { + if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) { config_del_strbytelist(p); return 0; } @@ -467,18 +363,38 @@ read_acl_tags(struct acl_list* acl, struct config_strbytelist** acl_tags) return 1; } +/** read acl view config */ +static int +read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v) +{ + struct config_str2list* np, *p = cfg->acl_view; + cfg->acl_view = NULL; + while(p) { + log_assert(p->str && p->str2); + if(!acl_list_view_cfg(acl, p->str, p->str2, v)) { + return 0; + } + /* free the items as we go to free up memory */ + np = p->next; + free(p->str); + free(p->str2); + free(p); + p = np; + } + return 1; +} + /** read acl tag actions config */ -static int -read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg, - struct config_str3list** acl_tag_actions) +static int +read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg) { struct config_str3list* p, *np; - p = *acl_tag_actions; - *acl_tag_actions = NULL; + p = cfg->acl_tag_actions; + cfg->acl_tag_actions = NULL; while(p) { log_assert(p->str && p->str2 && p->str3); if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2, - p->str3, 0, 0)) { + p->str3)) { config_deltrplstrlist(p); return 0; } @@ -494,17 +410,15 @@ read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg, } /** read acl tag datas config */ -static int -read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg, - struct config_str3list** acl_tag_datas) +static int +read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg) { struct config_str3list* p, *np; - p = *acl_tag_datas; - *acl_tag_datas = NULL; + p = cfg->acl_tag_datas; + cfg->acl_tag_datas = NULL; while(p) { log_assert(p->str && p->str2 && p->str3); - if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3, - 0, 0)) { + if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) { config_deltrplstrlist(p); return 0; } @@ -519,27 +433,30 @@ read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg, return 1; } -int +int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg, struct views* v) { regional_free_all(acl->region); addr_tree_init(&acl->tree); - if(!read_acl_list(acl, cfg->acls)) + if(!read_acl_list(acl, cfg)) return 0; - if(!read_acl_view(acl, &cfg->acl_view, v)) + if(!read_acl_view(acl, cfg, v)) return 0; - if(!read_acl_tags(acl, &cfg->acl_tags)) + if(!read_acl_tags(acl, cfg)) return 0; - if(!read_acl_tag_actions(acl, cfg, &cfg->acl_tag_actions)) + if(!read_acl_tag_actions(acl, cfg)) return 0; - if(!read_acl_tag_datas(acl, cfg, &cfg->acl_tag_datas)) + if(!read_acl_tag_datas(acl, cfg)) return 0; /* insert defaults, with '0' to ignore them if they are duplicates */ - /* the 'refuse' defaults for /0 are now done per interface instead */ + if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0)) + return 0; if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0)) return 0; if(cfg->do_ip6) { + if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0)) + return 0; if(!acl_list_str_cfg(acl, "::1", "allow", 0)) return 0; if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0)) @@ -549,223 +466,7 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg, return 1; } -int -acl_interface_compare(const void* k1, const void* k2) -{ - struct addr_tree_node* n1 = (struct addr_tree_node*)k1; - struct addr_tree_node* n2 = (struct addr_tree_node*)k2; - return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr, - n2->addrlen); - /* We don't care about comparing node->net. All addresses in the - * acl_interface tree have either 32 (ipv4) or 128 (ipv6). */ -} - -void -acl_interface_init(struct acl_list* acl_interface) -{ - regional_free_all(acl_interface->region); - /* We want comparison in the tree to include only address and port. - * We don't care about comparing node->net. All addresses in the - * acl_interface->tree should have either 32 (ipv4) or 128 (ipv6). - * Initialise with the appropriate compare function but keep treating - * it as an addr_tree. */ - addr_tree_addrport_init(&acl_interface->tree); -} - -static int -read_acl_interface_action(struct acl_list* acl_interface, - struct config_str2list* acls, int port) -{ - struct config_str2list* p; - for(p = acls; p; p = p->next) { - char** resif = NULL; - int num_resif = 0; - int i; - log_assert(p->str && p->str2); - if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) - return 0; - for(i = 0; istr2, port)){ - config_del_strarray(resif, num_resif); - return 0; - } - } - config_del_strarray(resif, num_resif); - } - return 1; -} - -/** read acl view config for interface */ -static int -read_acl_interface_view(struct acl_list* acl_interface, - struct config_str2list** acl_view, - struct views* v, int port) -{ - struct config_str2list* np, *p = *acl_view; - *acl_view = NULL; - while(p) { - char** resif = NULL; - int num_resif = 0; - int i; - log_assert(p->str && p->str2); - if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { - config_deldblstrlist(p); - return 0; - } - for(i = 0; istr2, - v, 1, port)) { - config_del_strarray(resif, num_resif); - config_deldblstrlist(p); - return 0; - } - } - config_del_strarray(resif, num_resif); - /* free the items as we go to free up memory */ - np = p->next; - free(p->str); - free(p->str2); - free(p); - p = np; - } - return 1; -} - -/** read acl tags config for interface */ -static int -read_acl_interface_tags(struct acl_list* acl_interface, - struct config_strbytelist** acl_tags, int port) -{ - struct config_strbytelist* np, *p = *acl_tags; - *acl_tags = NULL; - while(p) { - char** resif = NULL; - int num_resif = 0; - int i; - log_assert(p->str && p->str2); - if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { - config_del_strbytelist(p); - return 0; - } - for(i = 0; istr2, - p->str2len, 1, port)) { - config_del_strbytelist(p); - config_del_strarray(resif, num_resif); - return 0; - } - } - config_del_strarray(resif, num_resif); - /* free the items as we go to free up memory */ - np = p->next; - free(p->str); - free(p->str2); - free(p); - p = np; - } - return 1; -} - -/** read acl tag actions config for interface*/ -static int -read_acl_interface_tag_actions(struct acl_list* acl_interface, - struct config_file* cfg, - struct config_str3list** acl_tag_actions, int port) -{ - struct config_str3list* p, *np; - p = *acl_tag_actions; - *acl_tag_actions = NULL; - while(p) { - char** resif = NULL; - int num_resif = 0; - int i; - log_assert(p->str && p->str2 && p->str3); - if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { - config_deltrplstrlist(p); - return 0; - } - for(i = 0; istr2, p->str3, 1, port)) { - config_deltrplstrlist(p); - config_del_strarray(resif, num_resif); - return 0; - } - } - config_del_strarray(resif, num_resif); - /* free the items as we go to free up memory */ - np = p->next; - free(p->str); - free(p->str2); - free(p->str3); - free(p); - p = np; - } - return 1; -} - -/** read acl tag datas config for interface */ -static int -read_acl_interface_tag_datas(struct acl_list* acl_interface, - struct config_file* cfg, - struct config_str3list** acl_tag_datas, int port) -{ - struct config_str3list* p, *np; - p = *acl_tag_datas; - *acl_tag_datas = NULL; - while(p) { - char** resif = NULL; - int num_resif = 0; - int i; - log_assert(p->str && p->str2 && p->str3); - if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { - config_deltrplstrlist(p); - return 0; - } - for(i = 0; istr2, p->str3, 1, port)) { - config_deltrplstrlist(p); - config_del_strarray(resif, num_resif); - return 0; - } - } - config_del_strarray(resif, num_resif); - /* free the items as we go to free up memory */ - np = p->next; - free(p->str); - free(p->str2); - free(p->str3); - free(p); - p = np; - } - return 1; -} - -int -acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg, - struct views* v) -{ - if(!read_acl_interface_action(acl_interface, cfg->interface_actions, - cfg->port)) - return 0; - if(!read_acl_interface_view(acl_interface, &cfg->interface_view, v, - cfg->port)) - return 0; - if(!read_acl_interface_tags(acl_interface, &cfg->interface_tags, - cfg->port)) - return 0; - if(!read_acl_interface_tag_actions(acl_interface, cfg, - &cfg->interface_tag_actions, cfg->port)) - return 0; - if(!read_acl_interface_tag_datas(acl_interface, cfg, - &cfg->interface_tag_datas, cfg->port)) - return 0; - addr_tree_init_parents(&acl_interface->tree); - return 1; -} - -enum acl_access +enum acl_access acl_get_control(struct acl_addr* acl) { if(acl) return acl->control; @@ -780,7 +481,7 @@ acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr, addr, addrlen); } -size_t +size_t acl_list_get_mem(struct acl_list* acl) { if(!acl) return 0; diff --git a/contrib/unbound/daemon/acl_list.h b/contrib/unbound/daemon/acl_list.h index c717179baf5e..c09e832a1def 100644 --- a/contrib/unbound/daemon/acl_list.h +++ b/contrib/unbound/daemon/acl_list.h @@ -36,7 +36,7 @@ /** * \file * - * This file keeps track of the list of clients that are allowed to + * This file keeps track of the list of clients that are allowed to * access the server. */ @@ -74,7 +74,7 @@ enum acl_access { struct acl_list { /** regional for allocation */ struct regional* region; - /** + /** * Tree of the addresses that are allowed/blocked. * contents of type acl_addr. */ @@ -108,7 +108,7 @@ struct acl_addr { }; /** - * Create acl structure + * Create acl structure * @return new structure or NULL on error. */ struct acl_list* acl_list_create(void); @@ -119,20 +119,6 @@ struct acl_list* acl_list_create(void); */ void acl_list_delete(struct acl_list* acl); -/** - * Insert interface in the acl_list. This should happen when the listening - * interface is setup. - * @param acl_interface: acl_list to insert to. - * @param addr: interface IP. - * @param addrlen: length of the interface IP. - * @param control: acl_access. - * @return new structure or NULL on error. - */ -struct acl_addr* -acl_interface_insert(struct acl_list* acl_interface, - struct sockaddr_storage* addr, socklen_t addrlen, - enum acl_access control); - /** * Process access control config. * @param acl: where to store. @@ -143,25 +129,6 @@ acl_interface_insert(struct acl_list* acl_interface, int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg, struct views* v); -/** compare ACL interface "addr_tree" nodes (+port) */ -int acl_interface_compare(const void* k1, const void* k2); - -/** - * Initialise (also clean) the acl_interface struct. - * @param acl_interface: where to store. - */ -void acl_interface_init(struct acl_list* acl_interface); - -/** - * Process interface control config. - * @param acl_interface: where to store. - * @param cfg: config options. - * @param v: views structure - * @return 0 on error. - */ -int acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg, - struct views* v); - /** * Lookup access control status for acl structure. * @param acl: structure for acl storage. diff --git a/contrib/unbound/daemon/daemon.c b/contrib/unbound/daemon/daemon.c index 71091133a487..4ed531855ee6 100644 --- a/contrib/unbound/daemon/daemon.c +++ b/contrib/unbound/daemon/daemon.c @@ -96,9 +96,6 @@ #ifdef HAVE_SYSTEMD #include #endif -#ifdef HAVE_NETDB_H -#include -#endif /** How many quit requests happened. */ static int sig_record_quit = 0; @@ -274,17 +271,8 @@ daemon_init(void) free(daemon); return NULL; } - daemon->acl_interface = acl_list_create(); - if(!daemon->acl_interface) { - acl_list_delete(daemon->acl); - edns_known_options_delete(daemon->env); - free(daemon->env); - free(daemon); - return NULL; - } daemon->tcl = tcl_list_create(); if(!daemon->tcl) { - acl_list_delete(daemon->acl_interface); acl_list_delete(daemon->acl); edns_known_options_delete(daemon->env); free(daemon->env); @@ -296,7 +284,6 @@ daemon_init(void) log_err("gettimeofday: %s", strerror(errno)); daemon->time_last_stat = daemon->time_boot; if((daemon->env->auth_zones = auth_zones_create()) == 0) { - acl_list_delete(daemon->acl_interface); acl_list_delete(daemon->acl); tcl_list_delete(daemon->tcl); edns_known_options_delete(daemon->env); @@ -306,7 +293,6 @@ daemon_init(void) } if(!(daemon->env->edns_strings = edns_strings_create())) { auth_zones_delete(daemon->env->auth_zones); - acl_list_delete(daemon->acl_interface); acl_list_delete(daemon->acl); tcl_list_delete(daemon->tcl); edns_known_options_delete(daemon->env); @@ -317,29 +303,6 @@ daemon_init(void) return daemon; } -static int setup_acl_for_ports(struct acl_list* list, - struct listen_port* port_list) -{ - struct acl_addr* acl_node; - struct addrinfo* addr; - for(; port_list; port_list=port_list->next) { - if(!port_list->socket) { - /* This is mainly for testbound where port_list is - * empty. */ - continue; - } - addr = port_list->socket->addr; - if(!(acl_node = acl_interface_insert(list, - (struct sockaddr_storage*)addr->ai_addr, - (socklen_t)addr->ai_addrlen, - acl_refuse))) { - return 0; - } - port_list->socket->acl = acl_node; - } - return 1; -} - int daemon_open_shared_ports(struct daemon* daemon) { @@ -357,8 +320,6 @@ daemon_open_shared_ports(struct daemon* daemon) free(daemon->ports); daemon->ports = NULL; } - /* clean acl_interface */ - acl_interface_init(daemon->acl_interface); if(!resolve_interface_names(daemon->cfg->ifs, daemon->cfg->num_ifs, NULL, &resif, &num_resif)) return 0; @@ -368,8 +329,7 @@ daemon_open_shared_ports(struct daemon* daemon) daemon->reuseport = 1; #endif /* try to use reuseport */ - p0 = listening_ports_open(daemon->cfg, resif, num_resif, - &daemon->reuseport); + p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport); if(!p0) { listening_ports_free(p0); config_del_strarray(resif, num_resif); @@ -390,12 +350,6 @@ daemon_open_shared_ports(struct daemon* daemon) return 0; } daemon->ports[0] = p0; - if(!setup_acl_for_ports(daemon->acl_interface, - daemon->ports[0])) { - listening_ports_free(p0); - config_del_strarray(resif, num_resif); - return 0; - } if(daemon->reuseport) { /* continue to use reuseport */ for(i=1; inum_ports; i++) { @@ -411,15 +365,6 @@ daemon_open_shared_ports(struct daemon* daemon) config_del_strarray(resif, num_resif); return 0; } - if(!setup_acl_for_ports(daemon->acl_interface, - daemon->ports[i])) { - for(i=0; inum_ports; i++) - listening_ports_free(daemon->ports[i]); - free(daemon->ports); - daemon->ports = NULL; - config_del_strarray(resif, num_resif); - return 0; - } } } config_del_strarray(resif, num_resif); @@ -659,9 +604,6 @@ daemon_fork(struct daemon* daemon) if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views)) fatal_exit("Could not setup access control list"); - if(!acl_interface_apply_cfg(daemon->acl_interface, daemon->cfg, - daemon->views)) - fatal_exit("Could not setup interface control list"); if(!tcl_list_apply_cfg(daemon->tcl, daemon->cfg)) fatal_exit("Could not setup TCP connection limits"); if(daemon->cfg->dnscrypt) { @@ -838,7 +780,6 @@ daemon_delete(struct daemon* daemon) ub_randfree(daemon->rand); alloc_clear(&daemon->superalloc); acl_list_delete(daemon->acl); - acl_list_delete(daemon->acl_interface); tcl_list_delete(daemon->tcl); listen_desetup_locks(); free(daemon->chroot); diff --git a/contrib/unbound/daemon/daemon.h b/contrib/unbound/daemon/daemon.h index 58713e9ce466..3effbafb7918 100644 --- a/contrib/unbound/daemon/daemon.h +++ b/contrib/unbound/daemon/daemon.h @@ -113,8 +113,6 @@ struct daemon { struct module_stack mods; /** access control, which client IPs are allowed to connect */ struct acl_list* acl; - /** access control, which interfaces are allowed to connect */ - struct acl_list* acl_interface; /** TCP connection limit, limit connections from client IPs */ struct tcl_list* tcl; /** local authority zones */ diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c index 7d4a414002ac..ec7a4d5d93f4 100644 --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -494,8 +494,8 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err, n->c->do_not_close = 0; comm_point_stop_listening(n->c); comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT); - memcpy(&n->c->repinfo.remote_addr, &addr, addrlen); - n->c->repinfo.remote_addrlen = addrlen; + memcpy(&n->c->repinfo.addr, &addr, addrlen); + n->c->repinfo.addrlen = addrlen; if(rc->use_cert) { n->shake_state = rc_hs_read; n->ssl = SSL_new(rc->ctx); @@ -3304,7 +3304,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s, if(r == 0) log_err("remote control connection closed prematurely"); log_addr(VERB_OPS, "failed connection from", - &s->c->repinfo.remote_addr, s->c->repinfo.remote_addrlen); + &s->c->repinfo.addr, s->c->repinfo.addrlen); log_crypto_err("remote control failed ssl"); clean_point(rc, s); } diff --git a/contrib/unbound/daemon/stats.c b/contrib/unbound/daemon/stats.c index 6b3834977844..57c42827161c 100644 --- a/contrib/unbound/daemon/stats.c +++ b/contrib/unbound/daemon/stats.c @@ -70,9 +70,6 @@ #include #endif -/** How long to wait for threads to transmit statistics, in msec. */ -#define STATS_THREAD_WAIT 60000 - /** add timers and the values do not overflow or become negative */ static void stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec) @@ -383,28 +380,6 @@ void server_stats_obtain(struct worker* worker, struct worker* who, worker_send_cmd(who, worker_cmd_stats); else worker_send_cmd(who, worker_cmd_stats_noreset); verbose(VERB_ALGO, "wait for stats reply"); - if(tube_wait_timeout(worker->cmd, STATS_THREAD_WAIT) == 0) { - verbose(VERB_OPS, "no response from thread %d" -#ifdef HAVE_GETTID - " LWP %u" -#endif -#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG) -# if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG - " pthread 0x%lx" -# endif -#endif - , - who->thread_num -#ifdef HAVE_GETTID - , (unsigned)who->thread_tid -#endif -#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG) -# if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG - , (unsigned long)*((unsigned long*)&who->thr_id) -# endif -#endif - ); - } if(!tube_read_msg(worker->cmd, &reply, &len, 0)) fatal_exit("failed to read stats over cmd channel"); if(len != (uint32_t)sizeof(*s)) @@ -521,7 +496,7 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c, stats->qhttps++; } } - if(repinfo && addr_is_ip6(&repinfo->remote_addr, repinfo->remote_addrlen)) + if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen)) stats->qipv6++; if( (flags&BIT_QR) ) stats->qbit_QR++; diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c index caefad621409..010c4dc0a281 100644 --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -547,8 +547,7 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo, static int apply_respip_action(struct worker* worker, const struct query_info* qinfo, struct respip_client_info* cinfo, struct reply_info* rep, - struct sockaddr_storage* addr, socklen_t addrlen, - struct ub_packed_rrset_key** alias_rrset, + struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset, struct reply_info** encode_repp, struct auth_zones* az) { struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL}; @@ -575,7 +574,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo, if(actinfo.addrinfo) { respip_inform_print(&actinfo, qinfo->qname, qinfo->qtype, qinfo->qclass, qinfo->local_alias, - addr, addrlen); + repinfo); if(worker->stats.extended && actinfo.rpz_used) { if(actinfo.rpz_disabled) @@ -704,7 +703,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, *alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */ if((worker->daemon->use_response_ip || worker->daemon->use_rpz) && !partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep, - &repinfo->client_addr, repinfo->client_addrlen, alias_rrset, + repinfo, alias_rrset, &encode_rep, worker->env.auth_zones)) { goto bail_out; } else if(partial_rep && @@ -992,14 +991,12 @@ answer_chaos(struct worker* w, struct query_info* qinfo, * @param w: worker * @param qinfo: query info. Pointer into packet buffer. * @param edns: edns info from query. - * @param addr: client address. - * @param addrlen: client address length. + * @param repinfo: reply info with source address. * @param pkt: packet buffer. */ static void -answer_notify(struct worker* w, struct query_info* qinfo, - struct edns_data* edns, sldns_buffer* pkt, - struct sockaddr_storage* addr, socklen_t addrlen) +answer_notify(struct worker* w, struct query_info* qinfo, + struct edns_data* edns, sldns_buffer* pkt, struct comm_reply* repinfo) { int refused = 0; int rcode = LDNS_RCODE_NOERROR; @@ -1008,8 +1005,8 @@ answer_notify(struct worker* w, struct query_info* qinfo, if(!w->env.auth_zones) return; has_serial = auth_zone_parse_notify_serial(pkt, &serial); if(auth_zones_notify(w->env.auth_zones, &w->env, qinfo->qname, - qinfo->qname_len, qinfo->qclass, addr, - addrlen, has_serial, serial, &refused)) { + qinfo->qname_len, qinfo->qclass, &repinfo->addr, + repinfo->addrlen, has_serial, serial, &refused)) { rcode = LDNS_RCODE_NOERROR; } else { if(refused) @@ -1034,7 +1031,7 @@ answer_notify(struct worker* w, struct query_info* qinfo, "servfail for NOTIFY %sfor %s from", sr, zname); else snprintf(buf, sizeof(buf), "received NOTIFY %sfor %s from", sr, zname); - log_addr(VERB_DETAIL, buf, addr, addrlen); + log_addr(VERB_DETAIL, buf, &repinfo->addr, repinfo->addrlen); } edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; @@ -1054,8 +1051,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl, { if(acl == deny) { if(verbosity >= VERB_ALGO) { - log_acl_action("dropped", &repinfo->client_addr, - repinfo->client_addrlen, acl, acladdr); + log_acl_action("dropped", &repinfo->addr, + repinfo->addrlen, acl, acladdr); log_buf(VERB_ALGO, "dropped", c->buffer); } comm_point_drop_reply(repinfo); @@ -1066,8 +1063,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl, size_t opt_rr_mark; if(verbosity >= VERB_ALGO) { - log_acl_action("refused", &repinfo->client_addr, - repinfo->client_addrlen, acl, acladdr); + log_acl_action("refused", &repinfo->addr, + repinfo->addrlen, acl, acladdr); log_buf(VERB_ALGO, "refuse", c->buffer); } @@ -1227,24 +1224,12 @@ deny_refuse(struct comm_point* c, enum acl_access acl, } static int -deny_refuse_all(struct comm_point* c, enum acl_access* acl, +deny_refuse_all(struct comm_point* c, enum acl_access acl, struct worker* worker, struct comm_reply* repinfo, - struct acl_addr** acladdr, int ede, int check_proxy) + struct acl_addr* acladdr, int ede) { - if(check_proxy) { - *acladdr = acl_addr_lookup(worker->daemon->acl, - &repinfo->remote_addr, repinfo->remote_addrlen); - } else { - *acladdr = acl_addr_lookup(worker->daemon->acl, - &repinfo->client_addr, repinfo->client_addrlen); - } - /* If there is no ACL based on client IP use the interface ACL. */ - if(!(*acladdr) && c->socket) { - *acladdr = c->socket->acl; - } - *acl = acl_get_control(*acladdr); - return deny_refuse(c, *acl, acl_deny, acl_refuse, worker, repinfo, - *acladdr, ede); + return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo, + acladdr, ede); } static int @@ -1256,7 +1241,7 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl, worker, repinfo, acladdr, ede); } -int +int worker_handle_request(struct comm_point* c, void* arg, int error, struct comm_reply* repinfo) { @@ -1301,16 +1286,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error, if(worker_check_request(c->buffer, worker) != 0) { verbose(VERB_ALGO, "dnscrypt: worker check request: bad query."); - log_addr(VERB_CLIENT,"from",&repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, + repinfo->addrlen); comm_point_drop_reply(repinfo); return 0; } if(!query_info_parse(&qinfo, c->buffer)) { verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->addr, + repinfo->addrlen); comm_point_drop_reply(repinfo); return 0; } @@ -1338,30 +1323,25 @@ worker_handle_request(struct comm_point* c, void* arg, int error, * sending src (client)/dst (local service) addresses over DNSTAP from incoming request handler */ if(worker->dtenv.log_client_query_messages) { - log_addr(VERB_ALGO, "request from client", &repinfo->client_addr, repinfo->client_addrlen); + log_addr(VERB_ALGO, "request from client", &repinfo->addr, repinfo->addrlen); log_addr(VERB_ALGO, "to local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); + dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); } #endif - /* Check deny/refuse ACLs */ - if(repinfo->is_proxied) { - if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr, - worker->env.cfg->ede, 1)) != -1) { - if(ret == 1) - goto send_reply; - return ret; - } - } - if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr, - worker->env.cfg->ede, 0)) != -1) { + acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr, + repinfo->addrlen); + acl = acl_get_control(acladdr); + + if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr, + worker->env.cfg->ede)) != -1) + { if(ret == 1) goto send_reply; return ret; } - if((ret=worker_check_request(c->buffer, worker)) != 0) { verbose(VERB_ALGO, "worker check request: bad query."); - log_addr(VERB_CLIENT,"from",&repinfo->client_addr, repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); if(ret != -1) { LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret); @@ -1373,24 +1353,20 @@ worker_handle_request(struct comm_point* c, void* arg, int error, worker->stats.num_queries++; - /* check if this query should be dropped based on source ip rate limiting - * NOTE: we always check the repinfo->client_address. IP ratelimiting is - * implicitly disabled for proxies. */ - if(!infra_ip_ratelimit_inc(worker->env.infra_cache, - &repinfo->client_addr, repinfo->client_addrlen, + /* check if this query should be dropped based on source ip rate limiting */ + if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, *worker->env.now, worker->env.cfg->ip_ratelimit_backoff, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, - worker->env.cfg->ip_ratelimit_factor) == 0) { + worker->env.cfg->ip_ratelimit_factor) == 0) { + char addrbuf[128]; - addr_to_str(&repinfo->client_addr, - repinfo->client_addrlen, addrbuf, - sizeof(addrbuf)); - verbose(VERB_QUERY, "ip_ratelimit allowed through for " - "ip address %s because of slip in " - "ip_ratelimit_factor", addrbuf); + addr_to_str(&repinfo->addr, repinfo->addrlen, + addrbuf, sizeof(addrbuf)); + verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor", + addrbuf); } else { worker->stats.num_queries_ip_ratelimited++; comm_point_drop_reply(repinfo); @@ -1401,8 +1377,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* see if query is in the cache */ if(!query_info_parse(&qinfo, c->buffer)) { verbose(VERB_ALGO, "worker parse request: formerror."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); memset(&qinfo, 0, sizeof(qinfo)); /* zero qinfo.qname */ if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) { comm_point_drop_reply(repinfo); @@ -1416,14 +1391,13 @@ worker_handle_request(struct comm_point* c, void* arg, int error, } if(worker->env.cfg->log_queries) { char ip[128]; - addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip)); + addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass); } if(qinfo.qtype == LDNS_RR_TYPE_AXFR || qinfo.qtype == LDNS_RR_TYPE_IXFR) { verbose(VERB_ALGO, "worker request: refused zone transfer."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); sldns_buffer_rewind(c->buffer); LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), @@ -1440,8 +1414,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, qinfo.qtype == LDNS_RR_TYPE_MAILB || (qinfo.qtype >= 128 && qinfo.qtype <= 248)) { verbose(VERB_ALGO, "worker request: formerror for meta-type."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) { comm_point_drop_reply(repinfo); return 0; @@ -1459,8 +1432,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, worker->scratchpad)) != 0) { struct edns_data reply_edns; verbose(VERB_ALGO, "worker parse edns: formerror."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); memset(&reply_edns, 0, sizeof(reply_edns)); reply_edns.edns_present = 1; reply_edns.udp_size = EDNS_ADVERTISED_SIZE; @@ -1482,8 +1454,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; verbose(VERB_ALGO, "query with bad edns version."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), sldns_buffer_read_u16_at(c->buffer, 2), NULL); @@ -1497,8 +1468,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, worker->daemon->cfg->harden_short_bufsize) { verbose(VERB_QUERY, "worker request: EDNS bufsize %d ignored", (int)edns.udp_size); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); edns.udp_size = NORMAL_UDP_SIZE; } } @@ -1507,14 +1477,12 @@ worker_handle_request(struct comm_point* c, void* arg, int error, verbose(VERB_QUERY, "worker request: max UDP reply size modified" " (%d to max-udp-size)", (int)edns.udp_size); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); edns.udp_size = worker->daemon->cfg->max_udp_size; } if(edns.udp_size < LDNS_HEADER_SIZE) { verbose(VERB_ALGO, "worker request: edns is too small."); - log_addr(VERB_CLIENT, "from", &repinfo->client_addr, - repinfo->client_addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->addr, repinfo->addrlen); LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_TC_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), @@ -1538,8 +1506,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, } if(LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) == LDNS_PACKET_NOTIFY) { - answer_notify(worker, &qinfo, &edns, c->buffer, - &repinfo->client_addr, repinfo->client_addrlen); + answer_notify(worker, &qinfo, &edns, c->buffer, repinfo); regional_free_all(worker->scratchpad); goto send_reply; } @@ -1615,7 +1582,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, sldns_buffer_read_u16_at(c->buffer, 2), &edns); regional_free_all(worker->scratchpad); log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from", - &repinfo->client_addr, repinfo->client_addrlen); + &repinfo->addr, repinfo->addrlen); goto send_reply; } @@ -1755,9 +1722,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error, if(verbosity >= VERB_CLIENT) { if(c->type == comm_udp) log_addr(VERB_CLIENT, "udp request from", - &repinfo->client_addr, repinfo->client_addrlen); + &repinfo->addr, repinfo->addrlen); else log_addr(VERB_CLIENT, "tcp request from", - &repinfo->client_addr, repinfo->client_addrlen); + &repinfo->addr, repinfo->addrlen); } /* grab a work request structure for this new request */ @@ -1789,8 +1756,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error, */ if(worker->dtenv.log_client_response_messages) { log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen); - dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); + log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); + dt_msg_send_client_response(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); } #endif if(worker->env.cfg->log_replies) @@ -1802,12 +1769,10 @@ worker_handle_request(struct comm_point* c, void* arg, int error, /* log original qname, before the local alias was * used to resolve that CNAME to something else */ qinfo.qname = qinfo.local_alias->rrset->rk.dname; - log_reply_info(NO_VERBOSE, &qinfo, - &repinfo->client_addr, repinfo->client_addrlen, + log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen, tv, 1, c->buffer); } else { - log_reply_info(NO_VERBOSE, &qinfo, - &repinfo->client_addr, repinfo->client_addrlen, + log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen, tv, 1, c->buffer); } } @@ -1938,9 +1903,6 @@ worker_init(struct worker* worker, struct config_file *cfg, struct dt_env* dtenv = &worker->dtenv; #else void* dtenv = NULL; -#endif -#ifdef HAVE_GETTID - worker->thread_tid = gettid(); #endif worker->need_to_exit = 0; worker->base = comm_base_create(do_sigs); diff --git a/contrib/unbound/daemon/worker.h b/contrib/unbound/daemon/worker.h index 3fb52abd9d87..3887d0405ae6 100644 --- a/contrib/unbound/daemon/worker.h +++ b/contrib/unbound/daemon/worker.h @@ -86,10 +86,6 @@ struct worker { struct daemon* daemon; /** thread id */ ub_thread_type thr_id; -#ifdef HAVE_GETTID - /** thread tid, the LWP id. */ - pid_t thread_tid; -#endif /** pipe, for commands for this worker */ struct tube* cmd; /** the event base this worker works with */ diff --git a/contrib/unbound/dnstap/dtstream.c b/contrib/unbound/dnstap/dtstream.c index 9153f040472d..a1dd9703ea95 100644 --- a/contrib/unbound/dnstap/dtstream.c +++ b/contrib/unbound/dnstap/dtstream.c @@ -954,7 +954,7 @@ static int dtio_write_more(struct dt_io_thread* dtio) * -1: continue, >0: number of bytes read into buffer */ static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) { ssize_t r; - r = recv(dtio->fd, (void*)buf, len, MSG_DONTWAIT); + r = recv(dtio->fd, (void*)buf, len, 0); if(r == -1) { char* to = dtio->socket_path; if(!to) to = dtio->ip_str; @@ -1960,7 +1960,7 @@ static int dtio_open_output_tcp(struct dt_io_thread* dtio) memset(&addr, 0, sizeof(addr)); addrlen = (socklen_t)sizeof(addr); - if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen, UNBOUND_DNS_PORT)) { + if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen)) { log_err("could not parse IP '%s'", dtio->ip_str); return 0; } diff --git a/contrib/unbound/dnstap/unbound-dnstap-socket.c b/contrib/unbound/dnstap/unbound-dnstap-socket.c index 3bf889463eac..63292fbca36e 100644 --- a/contrib/unbound/dnstap/unbound-dnstap-socket.c +++ b/contrib/unbound/dnstap/unbound-dnstap-socket.c @@ -272,7 +272,7 @@ static int make_tcp_accept(char* ip) memset(&addr, 0, sizeof(addr)); len = (socklen_t)sizeof(addr); - if(!extstrtoaddr(ip, &addr, &len, UNBOUND_DNS_PORT)) { + if(!extstrtoaddr(ip, &addr, &len)) { log_err("could not parse IP '%s'", ip); return -1; } @@ -617,7 +617,7 @@ static void log_data_frame(uint8_t* pkt, size_t len) static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf, size_t len) { - ssize_t ret = recv(fd, buf, len, MSG_DONTWAIT); + ssize_t ret = recv(fd, buf, len, 0); if(ret == 0) { /* closed */ if(verbosity) log_info("dnstap client stream closed from %s", diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog index 727d1543ea4e..78f6c7afcb27 100644 --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog @@ -1,116 +1,9 @@ -11 October 2022: George - - Fix PROXYv2 header read for TCP connections when no proxied addresses - are provided. - -7 October 2022: George - - Fix to stop possible loops in the tcp reuse code (write_wait list - and tcp_wait list). Based on analysis and patch from Prad Seniappan - and Karthik Umashankar. - - Fix unit test to properly test the reuse_write_wait_pop function. - -6 October 2022: Wouter - - Fix to stop responses with TC flag from resulting in partial - responses. It retries to fetch the data elsewhere, or fails the - query and in depth fix removes the TC flag from the cached item. - - Fix proxy length debug output printout typecasts. - -5 October 2022: Wouter - - Fix dnscrypt compile for proxy protocol code changes. - -5 October 2022: George - - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging. - - Fix string comparison in mini_tdir.sh. - - Make ede.tdir test more predictable by using static data. - - Fix checkconf test for dnscrypt and proxy port. - -4 October 2022: George - - Merge #764: Leniency for target discovery when under load (for - NRDelegation changes). - -4 October 2022: Wouter - - Fix static analysis report to remove dead code from the - rpz_callback_from_iterator_module function. - - Fix to clean up after the acl_interface unit test. - -3 October 2022: George - - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port - configuration option). - -3 October 2022: Wouter - - Fix to remove erroneous TC flag from TCP upstream. - - Fix test tdir skip report printout. - - Fix windows compile, the identifier interface is defined in headers. - - Fix to close errno block in comm_point_tcp_handle_read outside of - ifdef. - -26 September 2022: George - - Better output for skipped tdir tests. - 21 September 2022: Wouter - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. - - This patch was released in 1.16.3, the code repository continues - with the previous features and fixes for 1.17.0. - - Fix doxygen warning in respip.h. - -20 September 2022: George - - Convert tdir tests to use the new skip_test functionality. - - Remove unused testcode/mini_tpkg.sh file. - -16 September 2022: George - - Merge #753: ACL per interface. (New interface-* configuration - options). - -2 September 2022: Wouter - - Remove include that was there for debug purposes. - - Fix to check pthread_t size after pthread has been detected. - -1 September 2022: Wouter - - Fix to update config tests to fix checking if nonblocking sockets - work on OpenBSD. - - Slow down log frequency of write wait failures. - - Fix to set out of file descriptor warning to operational verbosity. - - Fix to log a verbose message at operational notice level if a - thread is not responding, to stats requests. It is logged with - thread identifiers. - -31 August 2022: Wouter - - Fix to avoid process wide fcntl calls mixed with nonblocking - operations after a blocked write. - - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive - operations, so that instruction reordering does not cause mistakenly - blocking socket operations. - - Fix to wait for blocked write on UDP sockets, with a timeout if it - takes too long the packet is dropped. - - Fix for wait for udp send to stop when packet is successfully sent. - -22 August 2022: Wouter - - Fix #741: systemd socket activation fails on IPv6. - -12 August 2022: Wouter - - Fix to log accept error ENFILE and EMFILE errno, but slowly, once - per 10 seconds. Also log accept failures when no slow down is used. - -5 August 2022: Wouter - - Fix #734 [FR] enable unbound-checkconf to detect more (basic) - errors. - -4 August 2022: Wouter - - Fix ratelimit inconsistency, for ip-ratelimits the value is the - amount allowed, like for ratelimits. - -2 August 2022: Wouter - - Fix edns subnet so that scope 0 answers only match sourcemask 0 - queries for answers from cache if from a query with sourcemask 0. - - Fix unittest for edns subnet change. - - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due - to unsupported IPV6_USER_MTU socket option being set. 1 August 2022: Wouter - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. - Tests for ghost domain fixes. - - Tag for 1.16.2 release. The code repo continues with 1.16.3. - - Fix #728: alloc_reg_obtain() core dump. Stop double - alloc_reg_release when serviced_create fails. 19 July 2022: George - Update documentation for 'outbound-msg-retry:'. diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README index 88444a5e3c99..92a6e88f6624 100644 --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.17.0 +README for Unbound 1.16.3 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in index df0b2a1fb2c0..601165f753b7 100644 --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.17.0. +# See unbound.conf(5) man page, version 1.16.3. # # this is a comment. @@ -17,7 +17,7 @@ server: # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. - # verbosity: 1 + verbosity: 1 # print statistics to the log (for every thread) every N seconds. # Set to "" or 0 to disable. Default is disabled. @@ -50,7 +50,6 @@ server: # interface: 192.0.2.154 # interface: 192.0.2.154@5003 # interface: 2001:DB8::5 - # interface: eth0@5003 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. @@ -218,8 +217,7 @@ server: # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 - # define a number of tags here, use with local-zone, access-control, - # interface-*. + # define a number of tags here, use with local-zone, access-control. # repeat the define-tag statement to add additional tags. # define-tag: "tag1 tag2 tag3" @@ -275,7 +273,9 @@ server: # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). + # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow + # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow @@ -284,7 +284,7 @@ server: # are tagged with one of these tags. # access-control-tag: 192.0.2.0/24 "tag2 tag3" - # set action for particular tag for given access control element. + # set action for particular tag for given access control element # if you have multiple tag values, the tag used to lookup the action # is the first tag match between access-control-tag and local-zone-tag # where "first" comes from the order of the define-tag values. @@ -296,58 +296,6 @@ server: # Set view for access control element # access-control-view: 192.0.2.0/24 viewname - # Similar to 'access-control:' but for interfaces. - # Control which listening interfaces are allowed to accept (recursive) - # queries for this server. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the action. - # The actions are the same as 'access-control:' above. - # By default all the interfaces configured are refused. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-action: 192.0.2.153 allow - # interface-action: 192.0.2.154 allow - # interface-action: 192.0.2.154@5003 allow - # interface-action: 2001:DB8::5 allow - # interface-action: eth0@5003 allow - - # Similar to 'access-control-tag:' but for interfaces. - # Tag interfaces with a list of tags (in "" with spaces between). - # Interfaces using these tags use localzones that are tagged with one - # of these tags. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the list of tags. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag: eth0@5003 "tag2 tag3" - - # Similar to 'access-control-tag-action:' but for interfaces. - # Set action for particular tag for a given interface element. - # If you have multiple tag values, the tag used to lookup the action - # is the first tag match between interface-tag and local-zone-tag - # where "first" comes from the order of the define-tag values. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the tag and action. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag-action: eth0@5003 tag3 refuse - - # Similar to 'access-control-tag-data:' but for interfaces. - # Set redirect data for a particular tag for an interface element. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the tag and the redirect data. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" - - # Similar to 'access-control-view:' but for interfaces. - # Set view for an interface element. - # The specified interfaces should be the same as the ones specified in - # 'interface:' followed by the view name. - # Note: any 'access-control*:' setting overrides all 'interface-*:' - # settings for targeted clients. - # interface-view: eth0@5003 viewname - # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -902,10 +850,6 @@ server: # Disable TLS for DNS-over-HTTP downstream service. # http-notls-downstream: no - # The interfaces that use these listed port numbers will support and - # expect PROXYv2. For UDP and TCP/TLS interfaces. - # proxy-protocol-port: portno for each of the port numbers. - # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in index b87289e0d764..baf29219495f 100644 --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "libunbound" "3" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.17.0 functions. +\- Unbound DNS validating resolver 1.16.3 functions. .SH "SYNOPSIS" .B #include .LP diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in index dc61b72dadb4..922c105177f3 100644 --- a/contrib/unbound/doc/unbound-anchor.8.in +++ b/contrib/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound-anchor" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in index ba6c334c7c78..9b56c79252e4 100644 --- a/contrib/unbound/doc/unbound-checkconf.8.in +++ b/contrib/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound-checkconf" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/contrib/unbound/doc/unbound-control.8.in b/contrib/unbound/doc/unbound-control.8.in index 3841b9737f4e..e42e0cd544e7 100644 --- a/contrib/unbound/doc/unbound-control.8.in +++ b/contrib/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound-control" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/contrib/unbound/doc/unbound-host.1.in b/contrib/unbound/doc/unbound-host.1.in index 8371084c575b..aae95827d92c 100644 --- a/contrib/unbound/doc/unbound-host.1.in +++ b/contrib/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound\-host" "1" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/contrib/unbound/doc/unbound.8.in b/contrib/unbound/doc/unbound.8.in index ac61b0f7a10c..81a8f4f63f5e 100644 --- a/contrib/unbound/doc/unbound.8.in +++ b/contrib/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.17.0. +\- Unbound DNS validating resolver 1.16.3. .SH "SYNOPSIS" .B unbound .RB [ \-h ] diff --git a/contrib/unbound/doc/unbound.conf.5.in b/contrib/unbound/doc/unbound.conf.5.in index 6c021b900d89..4f542eb4757e 100644 --- a/contrib/unbound/doc/unbound.conf.5.in +++ b/contrib/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0" +.TH "unbound.conf" "5" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -118,7 +118,7 @@ The number of threads to create to serve clients. Use 1 for no threading. .B port: \fI The port number, default 53, on which the server responds to queries. .TP -.B interface: \fI +.B interface: \fI Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are @@ -129,7 +129,7 @@ A port number can be specified with @port (without spaces between interface and port number), if not specified the default port (from \fBport\fR) is used. .TP -.B ip\-address: \fI +.B ip\-address: \fI Same as interface: (for ease of compatibility with nsd.conf). .TP .B interface\-automatic: \fI @@ -656,17 +656,6 @@ Ignored if the option is not available. Default is yes. Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for local back end servers. Default is no. .TP -.B proxy\-protocol\-port: \fI -List port numbers as proxy\-protocol\-port, and when interfaces are defined, -eg. with the @port suffix, as this port number, they support and expect PROXYv2. -In this case the proxy address will only be used for the network communication -and initial ACL (check if the proxy itself is denied/refused by configuration). -The proxied address (if any) will then be used as the true client address and -will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting. -PROXYv2 is supported for UDP and TCP/TLS listening interfaces. -There is no support for PROXYv2 on a DoH or DNSCrypt listening interface. -Can list multiple, each on a new statement. -.TP .B use\-systemd: \fI Enable or disable systemd socket activation. Default is no. @@ -686,7 +675,7 @@ The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. -The most specific netblock match is used, if none match \fIrefuse\fR is used. +The most specific netblock match is used, if none match \fIdeny\fR is used. The order of the access\-control statements therefore does not matter. .IP The action \fIdeny\fR stops queries from hosts from that netblock. @@ -752,46 +741,6 @@ Set redirect data for particular tag for given access control element. .B access\-control\-view: \fI Set view for given access control element. .TP -.B interface\-action: \fI -Similar to \fBaccess\-control:\fR but for interfaces. -.IP -The action is the same as the ones defined under \fBaccess\-control:\fR. -Interfaces are \fIrefuse\fRd by default. -By default only localhost (the IP netblock, not the loopback interface) is -\fIallow\fRed through the default \fBaccess\-control:\fR behavior. -.IP -Note that the interface needs to be already specified with \fBinterface:\fR -and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR -settings for targeted clients. -.TP -.B interface\-tag: \fI <"list of tags"> -Similar to \fBaccess\-control-tag:\fR but for interfaces. -.IP -Note that the interface needs to be already specified with \fBinterface:\fR -and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR -settings for targeted clients. -.TP -.B interface\-tag\-action: \fI -Similar to \fBaccess\-control-tag-action:\fR but for interfaces. -.IP -Note that the interface needs to be already specified with \fBinterface:\fR -and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR -settings for targeted clients. -.TP -.B interface\-tag\-data: \fI <"resource record string"> -Similar to \fBaccess\-control-tag-data:\fR but for interfaces. -.IP -Note that the interface needs to be already specified with \fBinterface:\fR -and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR -settings for targeted clients. -.TP -.B interface\-view: \fI -Similar to \fBaccess\-control-view:\fR but for interfaces. -.IP -Note that the interface needs to be already specified with \fBinterface:\fR -and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR -settings for targeted clients. -.TP .B chroot: \fI If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the @@ -1874,11 +1823,9 @@ section for options. To setup the correct self\-signed certificates use the The option is used to enable remote control, default is "no". If turned off, the server does not listen for control commands. .TP 5 -.B control\-interface: \fI +.B control\-interface: \fI Give IPv4 or IPv6 addresses or local socket path to listen on for control commands. -If an interface name is used instead of an ip address, the list of ip addresses -on that interface are used. By default localhost (127.0.0.1 and ::1) is listened to. Use 0.0.0.0 and ::0 to listen to all interfaces. If you change this and permissions have been dropped, you must restart diff --git a/contrib/unbound/edns-subnet/addrtree.c b/contrib/unbound/edns-subnet/addrtree.c index ebe71b9706e4..180a0227917c 100644 --- a/contrib/unbound/edns-subnet/addrtree.c +++ b/contrib/unbound/edns-subnet/addrtree.c @@ -97,7 +97,6 @@ node_create(struct addrtree *tree, void *elem, addrlen_t scope, tree->node_count++; node->scope = scope; node->ttl = ttl; - node->only_match_scope_zero = 0; node->edge[0] = NULL; node->edge[1] = NULL; node->parent_edge = NULL; @@ -156,7 +155,6 @@ clean_node(struct addrtree *tree, struct addrnode *node) if (!node->elem) return; tree->size_bytes -= tree->sizefunc(node->elem); tree->delfunc(tree->env, node->elem); - node->only_match_scope_zero = 0; node->elem = NULL; } @@ -360,7 +358,7 @@ issub(const addrkey_t *s1, addrlen_t l1, void addrtree_insert(struct addrtree *tree, const addrkey_t *addr, addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, - time_t now, int only_match_scope_zero) + time_t now) { struct addrnode *newnode, *node; struct addredge *edge; @@ -383,7 +381,6 @@ addrtree_insert(struct addrtree *tree, const addrkey_t *addr, /* update this node's scope and data */ clean_node(tree, node); node->ttl = ttl; - node->only_match_scope_zero = only_match_scope_zero; node->elem = elem; node->scope = scope; tree->size_bytes += tree->sizefunc(elem); @@ -450,7 +447,6 @@ addrtree_insert(struct addrtree *tree, const addrkey_t *addr, newnode->elem = elem; newnode->scope = scope; newnode->ttl = ttl; - newnode->only_match_scope_zero = only_match_scope_zero; } tree->size_bytes += node_size(tree, newnode); @@ -487,8 +483,7 @@ addrtree_find(struct addrtree *tree, const addrkey_t *addr, /* Current node more specific then question. */ log_assert(depth <= sourcemask); /* does this node have data? if yes, see if we have a match */ - if (node->elem && node->ttl >= now && - !(sourcemask != 0 && node->only_match_scope_zero)) { + if (node->elem && node->ttl >= now) { /* saved at wrong depth */; log_assert(node->scope >= depth); if (depth == node->scope || diff --git a/contrib/unbound/edns-subnet/addrtree.h b/contrib/unbound/edns-subnet/addrtree.h index 0bc1837cdb80..1aea54e01f79 100644 --- a/contrib/unbound/edns-subnet/addrtree.h +++ b/contrib/unbound/edns-subnet/addrtree.h @@ -95,10 +95,6 @@ struct addrnode { time_t ttl; /** Number of significant bits in address. */ addrlen_t scope; - /** Only use the element for queries for subnet/0. Set if the query - * for /0 was answered with scope 0. For query /x answer scope 0, - * they can match anything and this is false. */ - int only_match_scope_zero; /** A node can have 0-2 edges, set to NULL for unused */ struct addredge *edge[2]; /** edge between this node and parent */ @@ -161,12 +157,11 @@ void addrtree_delete(struct addrtree *tree); * @param scope: Number of significant bits in addr. * @param elem: data to store in the tree. * @param ttl: elem is valid up to this time, seconds. - * @param only_match_scope_zero: set for when query /0 has scope /0 answer. * @param now: Current time in seconds. */ void addrtree_insert(struct addrtree *tree, const addrkey_t *addr, addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, - time_t now, int only_match_scope_zero); + time_t now); /** * Find a node containing an element in the tree. diff --git a/contrib/unbound/edns-subnet/subnetmod.c b/contrib/unbound/edns-subnet/subnetmod.c index 0f1df417f6b5..75446113b742 100644 --- a/contrib/unbound/edns-subnet/subnetmod.c +++ b/contrib/unbound/edns-subnet/subnetmod.c @@ -55,7 +55,6 @@ #include "util/config_file.h" #include "util/data/msgreply.h" #include "sldns/sbuffer.h" -#include "sldns/wire2str.h" #include "iterator/iter_utils.h" /** externally called */ @@ -332,7 +331,6 @@ update_cache(struct module_qstate *qstate, int id) struct slabhash *subnet_msg_cache = sne->subnet_msg_cache; struct ecs_data *edns = &sq->ecs_client_in; size_t i; - int only_match_scope_zero; /* We already calculated hash upon lookup (lookup_and_reply) if we were * allowed to look in the ECS cache */ @@ -394,12 +392,9 @@ update_cache(struct module_qstate *qstate, int id) reply_info_set_ttls(rep, *qstate->env->now); rep->flags |= (BIT_RA | BIT_QR); /* fix flags to be sensible for */ rep->flags &= ~(BIT_AA | BIT_CD);/* a reply based on the cache */ - if(edns->subnet_source_mask == 0 && edns->subnet_scope_mask == 0) - only_match_scope_zero = 1; - else only_match_scope_zero = 0; addrtree_insert(tree, (addrkey_t*)edns->subnet_addr, edns->subnet_source_mask, sq->max_scope, rep, - rep->ttl, *qstate->env->now, only_match_scope_zero); + rep->ttl, *qstate->env->now); lock_rw_unlock(&lru_entry->lock); if (need_to_insert) { @@ -679,24 +674,6 @@ ecs_query_response(struct module_qstate* qstate, struct dns_msg* response, return 1; } -/** verbose print edns subnet option in pretty print */ -static void -subnet_log_print(const char* s, struct edns_option* ecs_opt) -{ - if(verbosity >= VERB_ALGO) { - char buf[256]; - char* str = buf; - size_t str_len = sizeof(buf); - if(!ecs_opt) { - verbose(VERB_ALGO, "%s (null)", s); - return; - } - (void)sldns_wire2str_edns_subnet_print(&str, &str_len, - ecs_opt->opt_data, ecs_opt->opt_len); - verbose(VERB_ALGO, "%s %s", s, buf); - } -} - int ecs_edns_back_parsed(struct module_qstate* qstate, int id, void* ATTR_UNUSED(cbargs)) @@ -711,7 +688,6 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id, qstate->env->cfg->client_subnet_opcode)) && parse_subnet_option(ecs_opt, &sq->ecs_server_in) && sq->subnet_sent && sq->ecs_server_in.subnet_validdata) { - subnet_log_print("answer has edns subnet", ecs_opt); /* Only skip global cache store if we sent an ECS option * and received one back. Answers from non-whitelisted * servers will end up in global cache. Answers for @@ -760,12 +736,11 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, qstate->ext_state[id] = module_finished; return; } - subnet_log_print("query has edns subnet", ecs_opt); sq->subnet_downstream = 1; } else if(qstate->mesh_info->reply_list) { subnet_option_from_ss( - &qstate->mesh_info->reply_list->query_reply.client_addr, + &qstate->mesh_info->reply_list->query_reply.addr, &sq->ecs_client_in, qstate->env->cfg); } @@ -800,13 +775,6 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, subnet_ecs_opt_list_append(&sq->ecs_client_out, &qstate->edns_opts_front_out, qstate, qstate->region); - if(verbosity >= VERB_ALGO) { - subnet_log_print("reply has edns subnet", - edns_opt_list_find( - qstate->edns_opts_front_out, - qstate->env->cfg-> - client_subnet_opcode)); - } return; } lock_rw_unlock(&sne->biglock); @@ -855,13 +823,6 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event, subnet_ecs_opt_list_append(&sq->ecs_client_out, &qstate->edns_opts_front_out, qstate, qstate->region); - if(verbosity >= VERB_ALGO) { - subnet_log_print("reply has edns subnet", - edns_opt_list_find( - qstate->edns_opts_front_out, - qstate->env->cfg-> - client_subnet_opcode)); - } } qstate->no_cache_store = sq->started_no_cache_store; qstate->no_cache_lookup = sq->started_no_cache_lookup; diff --git a/contrib/unbound/iterator/iter_hints.c b/contrib/unbound/iterator/iter_hints.c index a60d9a6b1cf2..9b1a200bbb17 100644 --- a/contrib/unbound/iterator/iter_hints.c +++ b/contrib/unbound/iterator/iter_hints.c @@ -100,7 +100,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip) return 0; } if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) || - !extstrtoaddr(ip, &addr, &addrlen, UNBOUND_DNS_PORT) || + !extstrtoaddr(ip, &addr, &addrlen) || !delegpt_add_target_mlc(dp, dname, dname_len, &addr, addrlen, 0, 0)) { free(dname); diff --git a/contrib/unbound/iterator/iter_resptype.c b/contrib/unbound/iterator/iter_resptype.c index c2b824a0f9b8..f146a2b6bfe8 100644 --- a/contrib/unbound/iterator/iter_resptype.c +++ b/contrib/unbound/iterator/iter_resptype.c @@ -113,11 +113,7 @@ response_type_from_server(int rdset, if(!msg || !request) return RESPONSE_TYPE_THROWAWAY; - /* If the TC flag is set, the response is incomplete. Too large to - * fit even in TCP or so. Discard it, it cannot be retrieved here. */ - if((msg->rep->flags & BIT_TC)) - return RESPONSE_TYPE_THROWAWAY; - + /* If the message is NXDOMAIN, then it answers the question. */ if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) { /* make sure its not recursive when we don't want it to */ diff --git a/contrib/unbound/iterator/iterator.c b/contrib/unbound/iterator/iterator.c index 2f3ad06fe6ea..da9b7990c506 100644 --- a/contrib/unbound/iterator/iterator.c +++ b/contrib/unbound/iterator/iterator.c @@ -255,9 +255,9 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super) log_err("out of memory adding missing"); } delegpt_mark_neg(dpns, qstate->qinfo.qtype); + dpns->resolved = 1; /* mark as failed */ if((dpns->got4 == 2 || !ie->supports_ipv4) && (dpns->got6 == 2 || !ie->supports_ipv6)) { - dpns->resolved = 1; /* mark as failed */ target_count_increase_nx(super_iq, 1); } } @@ -596,17 +596,15 @@ errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq) { if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) return; - if((qstate->reply && qstate->reply->remote_addrlen != 0) || - (iq->fail_reply && iq->fail_reply->remote_addrlen != 0)) { + if((qstate->reply && qstate->reply->addrlen != 0) || + (iq->fail_reply && iq->fail_reply->addrlen != 0)) { char from[256], frm[512]; - if(qstate->reply && qstate->reply->remote_addrlen != 0) - addr_to_str(&qstate->reply->remote_addr, - qstate->reply->remote_addrlen, from, - sizeof(from)); + if(qstate->reply && qstate->reply->addrlen != 0) + addr_to_str(&qstate->reply->addr, qstate->reply->addrlen, + from, sizeof(from)); else - addr_to_str(&iq->fail_reply->remote_addr, - iq->fail_reply->remote_addrlen, from, - sizeof(from)); + addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen, + from, sizeof(from)); snprintf(frm, sizeof(frm), "from %s", from); errinf(qstate, frm); } @@ -2264,7 +2262,6 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, size_t qout_orig_len = 0; int sq_check_ratelimit = 1; int sq_was_ratelimited = 0; - int can_do_promisc = 0; /* NOTE: a request will encounter this state for each target it * needs to send a query to. That is, at least one per referral, @@ -2592,12 +2589,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, if(iq->depth < ie->max_dependency_depth && iq->num_target_queries == 0 && (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0) - && iq->sent_count < TARGET_FETCH_STOP) { - can_do_promisc = 1; - } - /* if the mesh query list is full, then do not waste cpu and sockets to - * fetch promiscuous targets. They can be looked up when needed. */ - if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) { + && iq->sent_count < TARGET_FETCH_STOP + /* if the mesh query list is full, then do not waste cpu + * and sockets to fetch promiscuous targets. They can be + * looked up when needed. */ + && !mesh_jostle_exceeded(qstate->env->mesh) + ) { tf_policy = ie->target_fetch_policy[iq->depth]; } @@ -2769,37 +2766,6 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } - /* We have a target. We could have created promiscuous target - * queries but we are currently under pressure (mesh_jostle_exceeded). - * If we are configured to allow promiscuous target queries and haven't - * gone out to the network for a target query for this delegation, then - * it is possible to slip in a promiscuous one with a 1/10 chance. */ - if(can_do_promisc && tf_policy == 0 && iq->depth == 0 - && iq->depth < ie->max_dependency_depth - && ie->target_fetch_policy[iq->depth] != 0 - && iq->dp_target_count == 0 - && !ub_random_max(qstate->env->rnd, 10)) { - int extra = 0; - verbose(VERB_ALGO, "available target exists in cache but " - "attempt to get extra 1 target"); - (void)query_for_targets(qstate, iq, ie, id, 1, &extra); - /* errors ignored, these targets are not strictly necessary for - * this result, we do not have to reply with SERVFAIL */ - if(extra > 0) { - iq->num_target_queries += extra; - target_count_increase(iq, extra); - check_waiting_queries(iq, qstate, id); - /* undo qname minimise step because we'll get back here - * to do it again */ - if(qout_orig && iq->minimise_count > 0) { - iq->minimise_count--; - iq->qinfo_out.qname = qout_orig; - iq->qinfo_out.qname_len = qout_orig_len; - } - return 0; - } - } - /* Do not check ratelimit for forwarding queries or if we already got a * pass. */ sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok); @@ -2907,8 +2873,6 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), iq->response, &iq->qinfo_out, iq->dp); iq->chase_to_rd = 0; - /* remove TC flag, if this is erroneously set by TCP upstream */ - iq->response->rep->flags &= ~BIT_TC; if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && !iq->auth_zone_response) { /* When forwarding (RD bit is set), we handle referrals @@ -2932,8 +2896,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, * use dnssec-lame-bypass if it needs to query there.*/ if(qstate->reply) { struct delegpt_addr* a = delegpt_find_addr( - iq->dp, &qstate->reply->remote_addr, - qstate->reply->remote_addrlen); + iq->dp, &qstate->reply->addr, + qstate->reply->addrlen); if(a) a->dnsseclame = 1; } /* test the answer is from the zone we expected, @@ -3029,9 +2993,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; if(qstate->reply) - sock_list_insert(&qstate->reply_origin, - &qstate->reply->remote_addr, - qstate->reply->remote_addrlen, qstate->region); + sock_list_insert(&qstate->reply_origin, + &qstate->reply->addr, qstate->reply->addrlen, + qstate->region); if(iq->minimisation_state != DONOT_MINIMISE_STATE && !(iq->chase_flags & BIT_RD)) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != @@ -3286,9 +3250,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; if(qstate->reply) - sock_list_insert(&qstate->reply_origin, - &qstate->reply->remote_addr, - qstate->reply->remote_addrlen, qstate->region); + sock_list_insert(&qstate->reply_origin, + &qstate->reply->addr, qstate->reply->addrlen, + qstate->region); verbose(VERB_ALGO, "cleared outbound list for query restart"); /* go to INIT_REQUEST_STATE for new qname. */ return next_state(iq, INIT_REQUEST_STATE); @@ -3302,10 +3266,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, } else if(qstate->reply) { /* need addr for lameness cache, but we may have * gotten this from cache, so test to be sure */ - if(!infra_set_lame(qstate->env->infra_cache, - &qstate->reply->remote_addr, - qstate->reply->remote_addrlen, - iq->dp->name, iq->dp->namelen, + if(!infra_set_lame(qstate->env->infra_cache, + &qstate->reply->addr, qstate->reply->addrlen, + iq->dp->name, iq->dp->namelen, *qstate->env->now, dnsseclame, 0, iq->qchase.qtype)) log_err("mark host lame: out of memory"); @@ -3322,9 +3285,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, * gotten this from cache, so test to be sure */ verbose(VERB_DETAIL, "mark as REC_LAME"); if(!infra_set_lame(qstate->env->infra_cache, - &qstate->reply->remote_addr, - qstate->reply->remote_addrlen, - iq->dp->name, iq->dp->namelen, + &qstate->reply->addr, qstate->reply->addrlen, + iq->dp->name, iq->dp->namelen, *qstate->env->now, 0, 1, iq->qchase.qtype)) log_err("mark host lame: out of memory"); } @@ -3565,13 +3527,12 @@ processTargetResponse(struct module_qstate* qstate, int id, } else { verbose(VERB_ALGO, "iterator TargetResponse failed"); delegpt_mark_neg(dpns, qstate->qinfo.qtype); + dpns->resolved = 1; /* fail the target */ if((dpns->got4 == 2 || !ie->supports_ipv4) && - (dpns->got6 == 2 || !ie->supports_ipv6)) { - dpns->resolved = 1; /* fail the target */ + (dpns->got6 == 2 || !ie->supports_ipv6) && /* do not count cached answers */ - if(qstate->reply_origin && qstate->reply_origin->len != 0) { - target_count_increase_nx(foriq, 1); - } + (qstate->reply_origin && qstate->reply_origin->len != 0)) { + target_count_increase_nx(foriq, 1); } } } @@ -4053,8 +4014,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq, if(!iq->response) goto handle_it; log_query_info(VERB_DETAIL, "response for", &qstate->qinfo); - log_name_addr(VERB_DETAIL, "reply from", iq->dp->name, - &qstate->reply->remote_addr, qstate->reply->remote_addrlen); + log_name_addr(VERB_DETAIL, "reply from", iq->dp->name, + &qstate->reply->addr, qstate->reply->addrlen); if(verbosity >= VERB_ALGO) log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo, iq->response->rep); diff --git a/contrib/unbound/iterator/iterator.h b/contrib/unbound/iterator/iterator.h index e35718cf33bd..b71b7fe9945f 100644 --- a/contrib/unbound/iterator/iterator.h +++ b/contrib/unbound/iterator/iterator.h @@ -324,7 +324,7 @@ struct iter_qstate { /** the number of times this query has been restarted. */ int query_restart_count; - /** the number of times this query has followed a referral. */ + /** the number of times this query as followed a referral. */ int referral_count; /** number of queries fired off */ diff --git a/contrib/unbound/libunbound/libunbound.c b/contrib/unbound/libunbound/libunbound.c index ea5ef24bb01c..038b7b927a74 100644 --- a/contrib/unbound/libunbound/libunbound.c +++ b/contrib/unbound/libunbound/libunbound.c @@ -951,7 +951,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr) lock_basic_unlock(&ctx->cfglock); /* check syntax for addr */ - if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) { + if(!extstrtoaddr(addr, &storage, &stlen)) { errno=EINVAL; return UB_SYNTAX; } @@ -1031,7 +1031,7 @@ int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr, if(addr) { struct sockaddr_storage storage; socklen_t stlen; - if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) { + if(!extstrtoaddr(addr, &storage, &stlen)) { errno=EINVAL; return UB_SYNTAX; } diff --git a/contrib/unbound/respip/respip.c b/contrib/unbound/respip/respip.c index 942e082b9577..deff663170aa 100644 --- a/contrib/unbound/respip/respip.c +++ b/contrib/unbound/respip/respip.c @@ -1290,7 +1290,7 @@ respip_set_is_empty(const struct respip_set* set) void respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname, uint16_t qtype, uint16_t qclass, struct local_rrset* local_alias, - struct sockaddr_storage* addr, socklen_t addrlen) + struct comm_reply* repinfo) { char srcip[128], respip[128], txt[512]; unsigned port; @@ -1300,10 +1300,10 @@ respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname, if(local_alias) qname = local_alias->rrset->rk.dname; - port = (unsigned)((addr->ss_family == AF_INET) ? - ntohs(((struct sockaddr_in*)addr)->sin_port) : - ntohs(((struct sockaddr_in6*)addr)->sin6_port)); - addr_to_str(addr, addrlen, srcip, sizeof(srcip)); + port = (unsigned)((repinfo->addr.ss_family == AF_INET) ? + ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port) : + ntohs(((struct sockaddr_in6*)&repinfo->addr)->sin6_port)); + addr_to_str(&repinfo->addr, repinfo->addrlen, srcip, sizeof(srcip)); addr_to_str(&respip_addr->addr, respip_addr->addrlen, respip, sizeof(respip)); if(respip_actinfo->rpz_log) { diff --git a/contrib/unbound/respip/respip.h b/contrib/unbound/respip/respip.h index e4ab5cc9cce3..988a72263390 100644 --- a/contrib/unbound/respip/respip.h +++ b/contrib/unbound/respip/respip.h @@ -251,13 +251,11 @@ int respip_set_is_empty(const struct respip_set* set); * @param local_alias: set to a local alias if the query matches an alias in * a local zone. In this case its owner name will be considered the actual * query name. - * @param addr: the client's source address and port. - * @param addrlen: the client's source address length. + * @param repinfo: reply info containing the client's source address and port. */ void respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname, uint16_t qtype, uint16_t qclass, - struct local_rrset* local_alias, struct sockaddr_storage* addr, - socklen_t addrlen); + struct local_rrset* local_alias, struct comm_reply* repinfo); /** * Find resp_addr in tree, create and add to tree if it does not exist. diff --git a/contrib/unbound/services/authzone.c b/contrib/unbound/services/authzone.c index ec502f11dd29..137c45b726b5 100644 --- a/contrib/unbound/services/authzone.c +++ b/contrib/unbound/services/authzone.c @@ -3699,7 +3699,7 @@ addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, /* compare address (but not port number, that is the destination * port of the master, the port number of the received notify is * allowed to by any port on that master) */ - if(extstrtoaddr(master->host, &a, &alen, UNBOUND_DNS_PORT) && + if(extstrtoaddr(master->host, &a, &alen) && sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { *fromhost = master; return 1; @@ -5381,7 +5381,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; if(!master) return 0; - if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) { + if(extstrtoaddr(master->host, &addr, &addrlen)) { /* not needed, host is in IP addr format */ return 0; } @@ -6572,7 +6572,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; if(!master) return 0; - if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) { + if(extstrtoaddr(master->host, &addr, &addrlen)) { /* not needed, host is in IP addr format */ return 0; } diff --git a/contrib/unbound/services/cache/infra.c b/contrib/unbound/services/cache/infra.c index 537cb949cf88..0461c815b86b 100644 --- a/contrib/unbound/services/cache/infra.c +++ b/contrib/unbound/services/cache/infra.c @@ -834,13 +834,14 @@ static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra, /** find data item in array for ip addresses */ static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra, - struct sockaddr_storage* addr, socklen_t addrlen, int wr) + struct comm_reply* repinfo, int wr) { struct ip_rate_key key; - hashvalue_type h = hash_addr(addr, addrlen, 0); + hashvalue_type h = hash_addr(&(repinfo->addr), + repinfo->addrlen, 0); memset(&key, 0, sizeof(key)); - key.addr = *addr; - key.addrlen = addrlen; + key.addr = repinfo->addr; + key.addrlen = repinfo->addrlen; key.entry.hash = h; return slabhash_lookup(infra->client_ip_rates, h, &key, wr); } @@ -875,9 +876,10 @@ static void infra_create_ratedata(struct infra_cache* infra, /** create rate data item for ip address */ static void infra_ip_create_ratedata(struct infra_cache* infra, - struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow) + struct comm_reply* repinfo, time_t timenow) { - hashvalue_type h = hash_addr(addr, addrlen, 0); + hashvalue_type h = hash_addr(&(repinfo->addr), + repinfo->addrlen, 0); struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k)); struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d)); if(!k || !d) { @@ -885,8 +887,8 @@ static void infra_ip_create_ratedata(struct infra_cache* infra, free(d); return; /* alloc failure */ } - k->addr = *addr; - k->addrlen = addrlen; + k->addr = repinfo->addr; + k->addrlen = repinfo->addrlen; lock_rw_init(&k->entry.lock); k->entry.hash = h; k->entry.key = k; @@ -983,8 +985,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs)); ip[0]=0; if(replylist) { - addr_to_str((struct sockaddr_storage *)&replylist->remote_addr, - replylist->remote_addrlen, ip, sizeof(ip)); + addr_to_str((struct sockaddr_storage *)&replylist->addr, + replylist->addrlen, ip, sizeof(ip)); verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip); } else { verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts); @@ -1038,7 +1040,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - return (max > lim); + return (max >= lim); } size_t @@ -1052,8 +1054,8 @@ infra_get_mem(struct infra_cache* infra) } int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow, - int backoff, struct sldns_buffer* buffer) + struct comm_reply* repinfo, time_t timenow, int backoff, + struct sldns_buffer* buffer) { int max; struct lruhash_entry* entry; @@ -1063,7 +1065,7 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, return 1; } /* find or insert ratedata */ - entry = infra_find_ip_ratedata(infra, addr, addrlen, 1); + entry = infra_find_ip_ratedata(infra, repinfo, 1); if(entry) { int premax = infra_rate_max(entry->data, timenow, backoff); int* cur = infra_rate_give_second(entry->data, timenow); @@ -1071,9 +1073,10 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) { + if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) { char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12]; - addr_to_str(addr, addrlen, client_ip, sizeof(client_ip)); + addr_to_str((struct sockaddr_storage *)&repinfo->addr, + repinfo->addrlen, client_ip, sizeof(client_ip)); qnm[0]=0; if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE && LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) { @@ -1098,6 +1101,6 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, } /* create */ - infra_ip_create_ratedata(infra, addr, addrlen, timenow); + infra_ip_create_ratedata(infra, repinfo, timenow); return 1; } diff --git a/contrib/unbound/services/cache/infra.h b/contrib/unbound/services/cache/infra.h index faf7fd2f30e1..6a2371aca477 100644 --- a/contrib/unbound/services/cache/infra.h +++ b/contrib/unbound/services/cache/infra.h @@ -416,16 +416,15 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, /** Update query ratelimit hash and decide * whether or not a query should be dropped. * @param infra: infra cache - * @param addr: client address - * @param addrlen: client address length + * @param repinfo: information about client * @param timenow: what time it is now. * @param backoff: if backoff is enabled. * @param buffer: with query for logging. * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit and the query should be dropped. */ int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow, - int backoff, struct sldns_buffer* buffer); + struct comm_reply* repinfo, time_t timenow, int backoff, + struct sldns_buffer* buffer); /** * Get memory used by the infra cache. diff --git a/contrib/unbound/services/listen_dnsport.c b/contrib/unbound/services/listen_dnsport.c index 95606aff5d4e..1c7c177a007e 100644 --- a/contrib/unbound/services/listen_dnsport.c +++ b/contrib/unbound/services/listen_dnsport.c @@ -124,12 +124,12 @@ verbose_print_addr(struct addrinfo *addr) (void)strlcpy(buf, "(null)", sizeof(buf)); } buf[sizeof(buf)-1] = 0; - verbose(VERB_ALGO, "creating %s%s socket %s %d", + verbose(VERB_ALGO, "creating %s%s socket %s %d", addr->ai_socktype==SOCK_DGRAM?"udp": addr->ai_socktype==SOCK_STREAM?"tcp":"otherproto", addr->ai_family==AF_INET?"4": addr->ai_family==AF_INET6?"6": - "_otherfam", buf, + "_otherfam", buf, ntohs(((struct sockaddr_in*)addr->ai_addr)->sin_port)); } } @@ -140,9 +140,7 @@ verbose_print_unbound_socket(struct unbound_socket* ub_sock) if(verbosity >= VERB_ALGO) { log_info("listing of unbound_socket structure:"); verbose_print_addr(ub_sock->addr); - log_info("s is: %d, fam is: %s, acl: %s", ub_sock->s, - ub_sock->fam == AF_INET?"AF_INET":"AF_INET6", - ub_sock->acl?"yes":"no"); + log_info("s is: %d, fam is: %s", ub_sock->s, ub_sock->fam == AF_INET?"AF_INET":"AF_INET6"); } } @@ -460,14 +458,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, int action; # endif # if defined(IPV6_V6ONLY) - if(v6only -# ifdef HAVE_SYSTEMD - /* Systemd wants to control if the socket is v6 only - * or both, with BindIPv6Only=default, ipv6-only or - * both in systemd.socket, so it is not set here. */ - && !got_fd_from_systemd -# endif - ) { + if(v6only) { int val=(v6only==2)?0:1; if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&val, (socklen_t)sizeof(val)) < 0) { @@ -520,14 +511,12 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, * instead which is writable; IPV6_MTU is readonly there. */ if (setsockopt(s, IPPROTO_IPV6, IPV6_USER_MTU, (void*)&mtu, (socklen_t)sizeof(mtu)) < 0) { - if (WSAGetLastError() != WSAENOPROTOOPT) { - log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s", - wsa_strerror(WSAGetLastError())); - sock_close(s); - *noproto = 0; - *inuse = 0; - return -1; - } + log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s", + wsa_strerror(WSAGetLastError())); + sock_close(s); + *noproto = 0; + *inuse = 0; + return -1; } # endif /* USE_WINSOCK */ # endif /* IPv6 MTU */ @@ -785,14 +774,7 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, (void)reuseport; #endif /* defined(SO_REUSEPORT) */ #if defined(IPV6_V6ONLY) - if(addr->ai_family == AF_INET6 && v6only -# ifdef HAVE_SYSTEMD - /* Systemd wants to control if the socket is v6 only - * or both, with BindIPv6Only=default, ipv6-only or - * both in systemd.socket, so it is not set here. */ - && !got_fd_from_systemd -# endif - ) { + if(addr->ai_family == AF_INET6 && v6only) { if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", @@ -1048,7 +1030,6 @@ make_sock(int stype, const char* ifname, const char* port, ub_sock->addr = res; ub_sock->s = s; ub_sock->fam = hints->ai_family; - ub_sock->acl = NULL; return s; } @@ -1093,13 +1074,11 @@ make_sock_port(int stype, const char* ifname, const char* port, * @param list: list head. changed. * @param s: fd. * @param ftype: if fd is UDP. - * @param pp2_enabled: if PROXYv2 is enabled for this port. * @param ub_sock: socket with address. * @return false on failure. list in unchanged then. */ static int -port_insert(struct listen_port** list, int s, enum listen_type ftype, - int pp2_enabled, struct unbound_socket* ub_sock) +port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unbound_socket* ub_sock) { struct listen_port* item = (struct listen_port*)malloc( sizeof(struct listen_port)); @@ -1108,7 +1087,6 @@ port_insert(struct listen_port** list, int s, enum listen_type ftype, item->next = *list; item->fd = s; item->ftype = ftype; - item->pp2_enabled = pp2_enabled; item->socket = ub_sock; *list = item; return 1; @@ -1204,7 +1182,6 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port, * @param ssl_port: ssl service port number * @param tls_additional_port: list of additional ssl service port numbers. * @param https_port: DoH service port number - * @param proxy_protocol_port: list of PROXYv2 port numbers. * @param reuseport: try to set SO_REUSEPORT if nonNULL and true. * set to false on exit if reuseport failed due to no kernel support. * @param transparent: set IP_TRANSPARENT socket option. @@ -1217,39 +1194,34 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port, * @return: returns false on error. */ static int -ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, +ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, struct addrinfo *hints, const char* port, struct listen_port** list, size_t rcv, size_t snd, int ssl_port, struct config_strlist* tls_additional_port, int https_port, - struct config_strlist* proxy_protocol_port, int* reuseport, int transparent, int tcp_mss, int freebind, int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp) { int s, noip6=0; int is_https = if_is_https(ifname, port, https_port); - int is_dnscrypt = if_is_dnscrypt(ifname, port, dnscrypt_port); - int is_pp2 = if_is_pp2(ifname, port, proxy_protocol_port); int nodelay = is_https && http2_nodelay; struct unbound_socket* ub_sock; +#ifdef USE_DNSCRYPT + int is_dnscrypt = ((strchr(ifname, '@') && + atoi(strchr(ifname, '@')+1) == dnscrypt_port) || + (!strchr(ifname, '@') && atoi(port) == dnscrypt_port)); +#else + int is_dnscrypt = 0; + (void)dnscrypt_port; +#endif if(!do_udp && !do_tcp) return 0; - if(is_pp2) { - if(is_dnscrypt) { - fatal_exit("PROXYv2 and DNSCrypt combination not " - "supported!"); - } else if(is_https) { - fatal_exit("PROXYv2 and DoH combination not " - "supported!"); - } - } - if(do_auto) { ub_sock = calloc(1, sizeof(struct unbound_socket)); if(!ub_sock) return 0; - if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1267,9 +1239,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, free(ub_sock); return 0; } - if(!port_insert(list, s, is_dnscrypt - ?listen_type_udpancil_dnscrypt:listen_type_udpancil, - is_pp2, ub_sock)) { + if(!port_insert(list, s, + is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); @@ -1280,7 +1251,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, if(!ub_sock) return 0; /* regular udp socket */ - if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1291,9 +1262,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, } return 0; } - if(!port_insert(list, s, is_dnscrypt - ?listen_type_udp_dnscrypt:listen_type_udp, - is_pp2, ub_sock)) { + if(!port_insert(list, s, + is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); @@ -1315,7 +1285,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, port_type = listen_type_tcp_dnscrypt; else port_type = listen_type_tcp; - if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1328,7 +1298,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, } if(is_ssl) verbose(VERB_ALGO, "setup TCP for SSL service"); - if(!port_insert(list, s, port_type, is_pp2, ub_sock)) { + if(!port_insert(list, s, port_type, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); @@ -1417,16 +1387,14 @@ listen_create(struct comm_base* base, struct listen_port* ports, if(ports->ftype == listen_type_udp || ports->ftype == listen_type_udp_dnscrypt) { cp = comm_point_create_udp(base, ports->fd, - front->udp_buff, ports->pp2_enabled, cb, - cb_arg, ports->socket); + front->udp_buff, cb, cb_arg, ports->socket); } else if(ports->ftype == listen_type_tcp || ports->ftype == listen_type_tcp_dnscrypt) { cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, 0, NULL, tcp_conn_limit, bufsize, front->udp_buff, - ports->ftype, ports->pp2_enabled, cb, cb_arg, - ports->socket); + ports->ftype, cb, cb_arg, ports->socket); } else if(ports->ftype == listen_type_ssl || ports->ftype == listen_type_http) { cp = comm_point_create_tcp(base, ports->fd, @@ -1434,8 +1402,7 @@ listen_create(struct comm_base* base, struct listen_port* ports, harden_large_queries, http_max_streams, http_endpoint, tcp_conn_limit, bufsize, front->udp_buff, - ports->ftype, ports->pp2_enabled, cb, cb_arg, - ports->socket); + ports->ftype, cb, cb_arg, ports->socket); if(ports->ftype == listen_type_http) { if(!sslctx && !http_notls) { log_warn("HTTPS port configured, but " @@ -1461,8 +1428,7 @@ listen_create(struct comm_base* base, struct listen_port* ports, } else if(ports->ftype == listen_type_udpancil || ports->ftype == listen_type_udpancil_dnscrypt) { cp = comm_point_create_udp_ancil(base, ports->fd, - front->udp_buff, ports->pp2_enabled, cb, - cb_arg, ports->socket); + front->udp_buff, cb, cb_arg, ports->socket); } if(!cp) { log_err("can't create commpoint"); @@ -1734,7 +1700,7 @@ int resolve_interface_names(char** ifs, int num_ifs, #endif /* HAVE_GETIFADDRS */ } -struct listen_port* +struct listen_port* listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, int* reuseport) { @@ -1797,9 +1763,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, - cfg->proxy_protocol_port, - reuseport, cfg->ip_transparent, + cfg->https_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1814,9 +1778,7 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, - cfg->proxy_protocol_port, - reuseport, cfg->ip_transparent, + cfg->https_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1829,13 +1791,12 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, } if(do_ip6) { hints.ai_family = AF_INET6; - if(!ports_create_if(do_auto?"::0":"::1", - do_auto, cfg->do_udp, do_tcp, + if(!ports_create_if(do_auto?"::0":"::1", + do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, cfg->proxy_protocol_port, - reuseport, cfg->ip_transparent, + cfg->https_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1845,13 +1806,12 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, } if(do_ip4) { hints.ai_family = AF_INET; - if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", - do_auto, cfg->do_udp, do_tcp, + if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", + do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, cfg->proxy_protocol_port, - reuseport, cfg->ip_transparent, + cfg->https_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1865,11 +1825,10 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, continue; hints.ai_family = AF_INET6; if(!ports_create_if(ifs[i], 0, cfg->do_udp, - do_tcp, &hints, portbuf, &list, + do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, cfg->proxy_protocol_port, - reuseport, cfg->ip_transparent, + cfg->https_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1881,11 +1840,10 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, continue; hints.ai_family = AF_INET; if(!ports_create_if(ifs[i], 0, cfg->do_udp, - do_tcp, &hints, portbuf, &list, + do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, cfg->proxy_protocol_port, - reuseport, cfg->ip_transparent, + cfg->https_port, reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { diff --git a/contrib/unbound/services/listen_dnsport.h b/contrib/unbound/services/listen_dnsport.h index 816d79aea61b..0e63236bcbce 100644 --- a/contrib/unbound/services/listen_dnsport.h +++ b/contrib/unbound/services/listen_dnsport.h @@ -43,7 +43,6 @@ #define LISTEN_DNSPORT_H #include "util/netevent.h" -#include "daemon/acl_list.h" #ifdef HAVE_NGHTTP2_NGHTTP2_H #include #endif @@ -108,13 +107,11 @@ enum listen_type { */ struct unbound_socket { /** socket-address structure */ - struct addrinfo* addr; + struct addrinfo * addr; /** socket descriptor returned by socket() syscall */ - int s; + int s; /** address family (AF_INET/IF_INET6) */ - int fam; - /** ACL on the socket (listening interface) */ - struct acl_addr* acl; + int fam; }; /** @@ -128,10 +125,7 @@ struct listen_port { int fd; /** type of file descriptor, udp or tcp */ enum listen_type ftype; - /** if the port should support PROXYv2 */ - int pp2_enabled; - /** fill in unbound_socket structure for every opened socket at - * Unbound startup */ + /** fill in unbpound_socket structure for every opened socket at Unbound startup */ struct unbound_socket* socket; }; diff --git a/contrib/unbound/services/localzone.c b/contrib/unbound/services/localzone.c index 3536b7aaa91b..3ed7d835d33e 100644 --- a/contrib/unbound/services/localzone.c +++ b/contrib/unbound/services/localzone.c @@ -1744,13 +1744,13 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env, /** print log information for an inform zone query */ static void lz_inform_print(struct local_zone* z, struct query_info* qinfo, - struct sockaddr_storage* addr, socklen_t addrlen) + struct comm_reply* repinfo) { char ip[128], txt[512]; char zname[LDNS_MAX_DOMAINLEN+1]; - uint16_t port = ntohs(((struct sockaddr_in*)addr)->sin_port); + uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); dname_str(z->name, zname); - addr_to_str(addr, addrlen, ip, sizeof(ip)); + addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip, (unsigned)port); log_nametypeclass(NO_VERBOSE, txt, qinfo->qname, qinfo->qtype, qinfo->qclass); @@ -1765,8 +1765,7 @@ lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2, struct local_zone_override* lzo; if(repinfo && override_tree) { lzo = (struct local_zone_override*)addr_tree_lookup( - override_tree, &repinfo->client_addr, - repinfo->client_addrlen); + override_tree, &repinfo->addr, repinfo->addrlen); if(lzo && lzo->type) { verbose(VERB_ALGO, "local zone override to type %s", local_zone_type2str(lzo->type)); @@ -1889,8 +1888,7 @@ local_zones_answer(struct local_zones* zones, struct module_env* env, lzt == local_zone_inform_deny || lzt == local_zone_inform_redirect) && repinfo) - lz_inform_print(z, qinfo, &repinfo->client_addr, - repinfo->client_addrlen); + lz_inform_print(z, qinfo, repinfo); if(lzt != local_zone_always_refuse && lzt != local_zone_always_transparent diff --git a/contrib/unbound/services/mesh.c b/contrib/unbound/services/mesh.c index 9007b6e08c32..2a411942663d 100644 --- a/contrib/unbound/services/mesh.c +++ b/contrib/unbound/services/mesh.c @@ -806,7 +806,7 @@ static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh, /* Fake the ECS data from the client's IP */ struct ecs_data ecs; memset(&ecs, 0, sizeof(ecs)); - subnet_option_from_ss(&rep->client_addr, &ecs, mesh->env->cfg); + subnet_option_from_ss(&rep->addr, &ecs, mesh->env->cfg); if(ecs.subnet_validdata == 0) { log_err("prefetch_subnet subnet_option_from_ss: invalid data"); return; @@ -1488,9 +1488,8 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, } /* Log reply sent */ if(m->s.env->cfg->log_replies) { - log_reply_info(NO_VERBOSE, &m->s.qinfo, - &r->query_reply.client_addr, - r->query_reply.client_addrlen, duration, 0, r_buffer); + log_reply_info(NO_VERBOSE, &m->s.qinfo, &r->query_reply.addr, + r->query_reply.addrlen, duration, 0, r_buffer); } } @@ -1531,8 +1530,7 @@ void mesh_query_done(struct mesh_state* mstate) respip_inform_print(mstate->s.respip_action_info, r->qname, mstate->s.qinfo.qtype, mstate->s.qinfo.qclass, r->local_alias, - &r->query_reply.client_addr, - r->query_reply.client_addrlen); + &r->query_reply); if(mstate->s.env->cfg->stat_extended && mstate->s.respip_action_info->rpz_used) { if(mstate->s.respip_action_info->rpz_disabled) @@ -2182,8 +2180,7 @@ mesh_serve_expired_callback(void* arg) if(actinfo.addrinfo) { respip_inform_print(&actinfo, r->qname, qstate->qinfo.qtype, qstate->qinfo.qclass, - r->local_alias, &r->query_reply.client_addr, - r->query_reply.client_addrlen); + r->local_alias, &r->query_reply); if(qstate->env->cfg->stat_extended && actinfo.rpz_used) { if(actinfo.rpz_disabled) diff --git a/contrib/unbound/services/outside_network.c b/contrib/unbound/services/outside_network.c index a4529ade52e0..3f479a3a36fe 100644 --- a/contrib/unbound/services/outside_network.c +++ b/contrib/unbound/services/outside_network.c @@ -86,6 +86,10 @@ static void serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff) static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout); +/** remove waiting tcp from the outnet waiting list */ +static void waiting_list_remove(struct outside_network* outnet, + struct waiting_tcp* w); + /** select a DNS ID for a TCP stream */ static uint16_t tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse); @@ -368,8 +372,7 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse) } /** pop the first element from the writewait list */ -struct waiting_tcp* -reuse_write_wait_pop(struct reuse_tcp* reuse) +static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse) { struct waiting_tcp* w = reuse->write_wait_first; if(!w) @@ -387,8 +390,8 @@ reuse_write_wait_pop(struct reuse_tcp* reuse) } /** remove the element from the writewait list */ -void -reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w) +static void reuse_write_wait_remove(struct reuse_tcp* reuse, + struct waiting_tcp* w) { log_assert(w); log_assert(w->write_wait_queued); @@ -412,8 +415,8 @@ reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w) } /** push the element after the last on the writewait list */ -void -reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w) +static void reuse_write_wait_push_back(struct reuse_tcp* reuse, + struct waiting_tcp* w) { if(!w) return; log_assert(!w->write_wait_queued); @@ -424,9 +427,7 @@ reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w) w->write_wait_prev = reuse->write_wait_last; } else { reuse->write_wait_first = w; - w->write_wait_prev = NULL; } - w->write_wait_next = NULL; reuse->write_wait_last = w; w->write_wait_queued = 1; } @@ -720,12 +721,12 @@ outnet_tcp_take_into_use(struct waiting_tcp* w) pend->next_free = NULL; pend->query = w; pend->reuse.outnet = w->outnet; - pend->c->repinfo.remote_addrlen = w->addrlen; + pend->c->repinfo.addrlen = w->addrlen; pend->c->tcp_more_read_again = &pend->reuse.cp_more_read_again; pend->c->tcp_more_write_again = &pend->reuse.cp_more_write_again; pend->reuse.cp_more_read_again = 0; pend->reuse.cp_more_write_again = 0; - memcpy(&pend->c->repinfo.remote_addr, &w->addr, w->addrlen); + memcpy(&pend->c->repinfo.addr, &w->addr, w->addrlen); pend->reuse.pending = pend; /* Remove from tree in case the is_ssl will be different and causes the @@ -809,50 +810,20 @@ reuse_tcp_lru_snip(struct outside_network* outnet) return reuse; } -/** remove waiting tcp from the outnet waiting list */ -void -outnet_waiting_tcp_list_remove(struct outside_network* outnet, struct waiting_tcp* w) +/** call callback on waiting_tcp, if not NULL */ +static void +waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, + struct comm_reply* reply_info) { - struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL; - w->on_tcp_waiting_list = 0; - while(p) { - if(p == w) { - /* remove w */ - if(prev) - prev->next_waiting = w->next_waiting; - else outnet->tcp_wait_first = w->next_waiting; - if(outnet->tcp_wait_last == w) - outnet->tcp_wait_last = prev; - w->next_waiting = NULL; - return; - } - prev = p; - p = p->next_waiting; + if(w && w->cb) { + fptr_ok(fptr_whitelist_pending_tcp(w->cb)); + (void)(*w->cb)(c, w->cb_arg, error, reply_info); } - /* outnet_waiting_tcp_list_remove is currently called only with items - * that are already in the waiting list. */ - log_assert(0); -} - -/** pop the first waiting tcp from the outnet waiting list */ -struct waiting_tcp* -outnet_waiting_tcp_list_pop(struct outside_network* outnet) -{ - struct waiting_tcp* w = outnet->tcp_wait_first; - if(!outnet->tcp_wait_first) return NULL; - log_assert(w->on_tcp_waiting_list); - outnet->tcp_wait_first = w->next_waiting; - if(outnet->tcp_wait_last == w) - outnet->tcp_wait_last = NULL; - w->on_tcp_waiting_list = 0; - w->next_waiting = NULL; - return w; } /** add waiting_tcp element to the outnet tcp waiting list */ -void -outnet_waiting_tcp_list_add(struct outside_network* outnet, - struct waiting_tcp* w, int set_timer) +static void +outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w) { struct timeval tv; log_assert(!w->on_tcp_waiting_list); @@ -864,18 +835,16 @@ outnet_waiting_tcp_list_add(struct outside_network* outnet, else outnet->tcp_wait_first = w; outnet->tcp_wait_last = w; w->on_tcp_waiting_list = 1; - if(set_timer) { #ifndef S_SPLINT_S - tv.tv_sec = w->timeout/1000; - tv.tv_usec = (w->timeout%1000)*1000; + tv.tv_sec = w->timeout/1000; + tv.tv_usec = (w->timeout%1000)*1000; #endif - comm_timer_set(w->timer, &tv); - } + comm_timer_set(w->timer, &tv); } /** add waiting_tcp element as first to the outnet tcp waiting list */ -void -outnet_waiting_tcp_list_add_first(struct outside_network* outnet, +static void +outnet_add_tcp_waiting_first(struct outside_network* outnet, struct waiting_tcp* w, int reset_timer) { struct timeval tv; @@ -900,17 +869,6 @@ outnet_waiting_tcp_list_add_first(struct outside_network* outnet, (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); } -/** call callback on waiting_tcp, if not NULL */ -static void -waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, - struct comm_reply* reply_info) -{ - if(w && w->cb) { - fptr_ok(fptr_whitelist_pending_tcp(w->cb)); - (void)(*w->cb)(c, w->cb_arg, error, reply_info); - } -} - /** see if buffers can be used to service TCP queries */ static void use_free_buffer(struct outside_network* outnet) @@ -921,10 +879,15 @@ use_free_buffer(struct outside_network* outnet) struct pending_tcp* pend_tcp = NULL; #endif struct reuse_tcp* reuse = NULL; - w = outnet_waiting_tcp_list_pop(outnet); + w = outnet->tcp_wait_first; + log_assert(w->on_tcp_waiting_list); + outnet->tcp_wait_first = w->next_waiting; + if(outnet->tcp_wait_last == w) + outnet->tcp_wait_last = NULL; log_assert( (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); + w->on_tcp_waiting_list = 0; reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen, w->ssl_upstream); /* re-select an ID when moving to a new TCP buffer */ @@ -971,7 +934,7 @@ use_free_buffer(struct outside_network* outnet) #endif } else { /* no reuse and no free buffer, put back at the start */ - outnet_waiting_tcp_list_add_first(outnet, w, 0); + outnet_add_tcp_waiting_first(outnet, w, 0); break; } #ifdef USE_DNSTAP @@ -1045,7 +1008,7 @@ reuse_move_writewait_away(struct outside_network* outnet, * fail the query */ w->error_count ++; reuse_tree_by_id_delete(&pend->reuse, w); - outnet_waiting_tcp_list_add(outnet, w, 1); + outnet_add_tcp_waiting(outnet, w); } while((w = reuse_write_wait_pop(&pend->reuse)) != NULL) { if(verbosity >= VERB_CLIENT && w->pkt_len > 12+2+2 && @@ -1056,7 +1019,7 @@ reuse_move_writewait_away(struct outside_network* outnet, verbose(VERB_CLIENT, "reuse_move_writewait_away item %s", buf); } reuse_tree_by_id_delete(&pend->reuse, w); - outnet_waiting_tcp_list_add(outnet, w, 1); + outnet_add_tcp_waiting(outnet, w); } } @@ -1454,11 +1417,11 @@ outnet_udp_cb(struct comm_point* c, void* arg, int error, /* setup lookup key */ key.id = (unsigned)LDNS_ID_WIRE(sldns_buffer_begin(c->buffer)); - memcpy(&key.addr, &reply_info->remote_addr, reply_info->remote_addrlen); - key.addrlen = reply_info->remote_addrlen; + memcpy(&key.addr, &reply_info->addr, reply_info->addrlen); + key.addrlen = reply_info->addrlen; verbose(VERB_ALGO, "Incoming reply id = %4.4x", key.id); log_addr(VERB_ALGO, "Incoming reply addr =", - &reply_info->remote_addr, reply_info->remote_addrlen); + &reply_info->addr, reply_info->addrlen); /* find it, see if this thing is a valid query response */ verbose(VERB_ALGO, "lookup size is %d entries", (int)outnet->pending->count); @@ -1727,7 +1690,7 @@ outside_network_create(struct comm_base *base, size_t bufsize, return NULL; } pc->cp = comm_point_create_udp(outnet->base, -1, - outnet->udp_buff, 0, outnet_udp_cb, outnet, NULL); + outnet->udp_buff, outnet_udp_cb, outnet, NULL); if(!pc->cp) { log_err("malloc failed"); free(pc); @@ -2274,7 +2237,7 @@ outnet_tcptimer(void* arg) verbose(VERB_CLIENT, "outnet_tcptimer"); if(w->on_tcp_waiting_list) { /* it is on the waiting list */ - outnet_waiting_tcp_list_remove(outnet, w); + waiting_list_remove(outnet, w); waiting_tcp_callback(w, NULL, NETEVENT_TIMEOUT, NULL); waiting_tcp_delete(w); } else { @@ -2501,7 +2464,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, #ifdef USE_DNSTAP w->sq = sq; #endif - outnet_waiting_tcp_list_add(sq->outnet, w, 1); + outnet_add_tcp_waiting(sq->outnet, w); } return w; } @@ -2582,10 +2545,8 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, #ifdef UNBOUND_DEBUG rbnode_type* ins; #endif - if(!sq) { - alloc_reg_release(alloc, region); + if(!sq) return NULL; - } sq->node.key = sq; sq->alloc = alloc; sq->region = region; @@ -2649,6 +2610,30 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, return sq; } +/** remove waiting tcp from the outnet waiting list */ +static void +waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w) +{ + struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL; + w->on_tcp_waiting_list = 0; + while(p) { + if(p == w) { + /* remove w */ + if(prev) + prev->next_waiting = w->next_waiting; + else outnet->tcp_wait_first = w->next_waiting; + if(outnet->tcp_wait_last == w) + outnet->tcp_wait_last = prev; + return; + } + prev = p; + p = p->next_waiting; + } + /* waiting_list_remove is currently called only with items that are + * already in the waiting list. */ + log_assert(0); +} + /** reuse tcp stream, remove serviced query from stream, * return true if the stream is kept, false if it is to be closed */ static int @@ -2743,7 +2728,7 @@ serviced_delete(struct serviced_query* sq) sq->pending = NULL; } else { verbose(VERB_CLIENT, "serviced_delete: tcpwait"); - outnet_waiting_tcp_list_remove(sq->outnet, w); + waiting_list_remove(sq->outnet, w); if(!w->in_cb_and_decommission) waiting_tcp_delete(w); } @@ -3116,8 +3101,8 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error, rep = &r2; r2.c = c; } - memcpy(&rep->remote_addr, &sq->addr, sq->addrlen); - rep->remote_addrlen = sq->addrlen; + memcpy(&rep->addr, &sq->addr, sq->addrlen); + rep->addrlen = sq->addrlen; serviced_callbacks(sq, error, c, rep); return 0; } @@ -3447,6 +3432,7 @@ outnet_serviced_query(struct outside_network* outnet, infra_ratelimit_dec(env->infra_cache, zone, zonelen, timenow); } + alloc_reg_release(env->alloc, region); return NULL; } if(!(cb = (struct service_callback*)regional_alloc( @@ -3595,7 +3581,7 @@ outnet_comm_point_for_udp(struct outside_network* outnet, if(fd == -1) { return NULL; } - cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, 0, + cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, cb, cb_arg, NULL); if(!cp) { log_err("malloc failure"); @@ -3683,8 +3669,8 @@ outnet_comm_point_for_tcp(struct outside_network* outnet, close(fd); return 0; } - cp->repinfo.remote_addrlen = to_addrlen; - memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen); + cp->repinfo.addrlen = to_addrlen; + memcpy(&cp->repinfo.addr, to_addr, to_addrlen); /* setup for SSL (if needed) */ if(ssl) { @@ -3759,8 +3745,8 @@ outnet_comm_point_for_http(struct outside_network* outnet, close(fd); return 0; } - cp->repinfo.remote_addrlen = to_addrlen; - memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen); + cp->repinfo.addrlen = to_addrlen; + memcpy(&cp->repinfo.addr, to_addr, to_addrlen); /* setup for SSL (if needed) */ if(ssl) { diff --git a/contrib/unbound/services/outside_network.h b/contrib/unbound/services/outside_network.h index 467c81f60ca2..c383b8f09e24 100644 --- a/contrib/unbound/services/outside_network.h +++ b/contrib/unbound/services/outside_network.h @@ -718,30 +718,6 @@ struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet); /** delete readwait waiting_tcp elements, deletes the elements in the list */ void reuse_del_readwait(rbtree_type* tree_by_id); -/** remove waiting tcp from the outnet waiting list */ -void outnet_waiting_tcp_list_remove(struct outside_network* outnet, - struct waiting_tcp* w); - -/** pop the first waiting tcp from the outnet waiting list */ -struct waiting_tcp* outnet_waiting_tcp_list_pop(struct outside_network* outnet); - -/** add waiting_tcp element to the outnet tcp waiting list */ -void outnet_waiting_tcp_list_add(struct outside_network* outnet, - struct waiting_tcp* w, int set_timer); - -/** add waiting_tcp element as first to the outnet tcp waiting list */ -void outnet_waiting_tcp_list_add_first(struct outside_network* outnet, - struct waiting_tcp* w, int reset_timer); - -/** pop the first element from the writewait list */ -struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse); - -/** remove the element from the writewait list */ -void reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w); - -/** push the element after the last on the writewait list */ -void reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w); - /** get TCP file descriptor for address, returns -1 on failure, * tcp_mss is 0 or maxseg size to set for TCP packets. */ int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, diff --git a/contrib/unbound/services/rpz.c b/contrib/unbound/services/rpz.c index e876f3f94834..77b6266fecb9 100644 --- a/contrib/unbound/services/rpz.c +++ b/contrib/unbound/services/rpz.c @@ -1392,13 +1392,11 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode, dnamestr[0]=0; } if(repinfo) { - addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip)); - port = ntohs(((struct sockaddr_in*)&repinfo->client_addr)->sin_port); + addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); + port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); } else if(ms && ms->mesh_info && ms->mesh_info->reply_list) { - addr_to_str(&ms->mesh_info->reply_list->query_reply.client_addr, - ms->mesh_info->reply_list->query_reply.client_addrlen, - ip, sizeof(ip)); - port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.client_addr)->sin_port); + addr_to_str(&ms->mesh_info->reply_list->query_reply.addr, ms->mesh_info->reply_list->query_reply.addrlen, ip, sizeof(ip)); + port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.addr)->sin_port); } else { ip[0]=0; port = 0; @@ -1470,9 +1468,7 @@ rpz_resolve_client_action_and_zone(struct auth_zones* az, struct query_info* qin } z = rpz_find_zone(r->local_zones, qinfo->qname, qinfo->qname_len, qinfo->qclass, 0, 0, 0); - node = rpz_ipbased_trigger_lookup(r->client_set, - &repinfo->client_addr, repinfo->client_addrlen, - "clientip"); + node = rpz_ipbased_trigger_lookup(r->client_set, &repinfo->addr, repinfo->addrlen, "clientip"); if((z || node) && r->action_override == RPZ_DISABLED_ACTION) { if(r->log) log_rpz_apply((node?"clientip":"qname"), @@ -2168,16 +2164,18 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate* lock_rw_unlock(&az->rpz_lock); - if(raddr == NULL && z == NULL) - return NULL; - - if(raddr != NULL) { + if(raddr == NULL && z == NULL) { return NULL; } + else if(raddr != NULL) { if(z) { lock_rw_unlock(&z->lock); } return rpz_apply_nsip_trigger(ms, r, raddr, a); - } - return rpz_apply_nsdname_trigger(ms, r, z, &match, a); + } else if(z != NULL) { + if(raddr) { + lock_rw_unlock(&raddr->lock); + } + return rpz_apply_nsdname_trigger(ms, r, z, &match, a); + } else { return NULL; } } struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, diff --git a/contrib/unbound/services/view.c b/contrib/unbound/services/view.c index 72f3643184ee..db48ae9545f8 100644 --- a/contrib/unbound/services/view.c +++ b/contrib/unbound/services/view.c @@ -66,9 +66,8 @@ views_create(void) return v; } -/* \noop (ignore this comment for doxygen) - * This prototype is defined in in respip.h, but we want to avoid - * unnecessary dependencies */ +/** This prototype is defined in in respip.h, but we want to avoid + * unnecessary dependencies */ void respip_set_delete(struct respip_set *set); void diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c index f6e55367790e..2d17c6116c30 100644 --- a/contrib/unbound/smallapp/unbound-checkconf.c +++ b/contrib/unbound/smallapp/unbound-checkconf.c @@ -316,7 +316,7 @@ warn_hosts(const char* typ, struct config_stub* list) struct config_strlist* h; for(s=list; s; s=s->next) { for(h=s->hosts; h; h=h->next) { - if(extstrtoaddr(h->str, &a, &alen, UNBOUND_DNS_PORT)) { + if(extstrtoaddr(h->str, &a, &alen)) { fprintf(stderr, "unbound-checkconf: warning:" " %s %s: \"%s\" is an IP%s address, " "and when looked up as a host name " @@ -338,8 +338,6 @@ interfacechecks(struct config_file* cfg) int i, j, i2, j2; char*** resif = NULL; int* num_resif = NULL; - char portbuf[32]; - snprintf(portbuf, sizeof(portbuf), "%d", cfg->port); if(cfg->num_ifs != 0) { resif = (char***)calloc(cfg->num_ifs, sizeof(char**)); @@ -361,21 +359,9 @@ interfacechecks(struct config_file* cfg) fatal_exit("could not resolve interface names, for %s", cfg->ifs[i]); } - /* check for port combinations that are not supported */ - if(if_is_pp2(resif[i][0], portbuf, cfg->proxy_protocol_port)) { - if(if_is_dnscrypt(resif[i][0], portbuf, - cfg->dnscrypt_port)) { - fatal_exit("PROXYv2 and DNSCrypt combination not " - "supported!"); - } else if(if_is_https(resif[i][0], portbuf, - cfg->https_port)) { - fatal_exit("PROXYv2 and DoH combination not " - "supported!"); - } - } /* search for duplicates in the returned addresses */ for(j=0; jport)) { + if(!extstrtoaddr(resif[i][j], &a, &alen)) { if(strcmp(cfg->ifs[i], resif[i][j]) != 0) fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'", resif[i][j], cfg->ifs[i]); diff --git a/contrib/unbound/smallapp/unbound-control.c b/contrib/unbound/smallapp/unbound-control.c index d01ef284be89..bcb214ca3d43 100644 --- a/contrib/unbound/smallapp/unbound-control.c +++ b/contrib/unbound/smallapp/unbound-control.c @@ -601,7 +601,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd) struct sockaddr_storage addr2; socklen_t addrlen2; if(extstrtoaddr(cfg->control_ifs.first->str, &addr2, - &addrlen2, UNBOUND_DNS_PORT)) { + &addrlen2)) { svr = cfg->control_ifs.first->str; } else { if(!resolve_interface_names(NULL, 0, @@ -629,7 +629,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd) svr = "::1"; } if(strchr(svr, '@')) { - if(!extstrtoaddr(svr, &addr, &addrlen, UNBOUND_DNS_PORT)) + if(!extstrtoaddr(svr, &addr, &addrlen)) fatal_exit("could not parse IP@port: %s", svr); #ifdef HAVE_SYS_UN_H } else if(svr[0] == '/') { diff --git a/contrib/unbound/testdata/iter_ghost_sub.rpl b/contrib/unbound/testdata/iter_ghost_sub.rpl new file mode 100644 index 000000000000..ccd6b29842e4 --- /dev/null +++ b/contrib/unbound/testdata/iter_ghost_sub.rpl @@ -0,0 +1,309 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ghost subdomain of another subdomain. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. 86400 IN NS +SECTION ANSWER +. 86400 IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is delegated. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is no longer delegated. +RANGE_BEGIN 100 200 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +s.example.com. IN A +SECTION ANSWER +s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.example.com. IN NS s.example.com. +SECTION ADDITIONAL +s.example.com IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +s.s.example.com. IN A +SECTION ANSWER +s.s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.s.example.com. IN NS s.s.example.com. +SECTION ADDITIONAL +s.s.example.com IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the delegation in cache +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +; time passes +STEP 25 TIME_PASSES ELAPSE 1800 + +; get another delegation in cache +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +s.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +s.example.com. IN A +SECTION ANSWER +s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.example.com. IN NS s.example.com. +ENTRY_END + +; time passes, 1800 + 1000 = 2800 of 3600 TTL on NS of s.example.com. and +; example.com. +STEP 45 TIME_PASSES ELAPSE 1000 + +; get another delegation in cache +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +s.s.example.com. IN A +ENTRY_END + +STEP 60 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +s.s.example.com. IN A +SECTION ANSWER +s.s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.s.example.com. IN NS s.s.example.com. +ENTRY_END + + +; time passes, 1800 + 2000 = 3800 of 3600 TTL on NS of s.example.com. and +; example.com. +STEP 75 TIME_PASSES ELAPSE 1000 + +; domain no longer delegated +; is the domain still up? + +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.s.example.com. IN A +ENTRY_END + +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.s.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +STEP 120 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.s.s.example.com. IN A +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.s.s.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/testdata/iter_ghost_timewindow.rpl b/contrib/unbound/testdata/iter_ghost_timewindow.rpl new file mode 100644 index 000000000000..566be82a9cf8 --- /dev/null +++ b/contrib/unbound/testdata/iter_ghost_timewindow.rpl @@ -0,0 +1,391 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ghost subdomain with extension reply in timewindow. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +. 86400 IN NS +SECTION ANSWER +. 86400 IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is delegated. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example2.com. IN NS +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is no longer delegated. +RANGE_BEGIN 100 300 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example2.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example2.com. IN NS +SECTION ANSWER +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com. 3610 IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN AAAA +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example2.com. IN A +SECTION ANSWER +www.example2.com. 3610 IN A 10.20.30.40 +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com 3610 IN A 1.2.3.5 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the delegation in cache +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +; get example2 in cache too to check other response type +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example2.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example2.com. IN A +SECTION ANSWER +www.example2.com. IN A 10.20.30.40 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com IN A 1.2.3.5 +ENTRY_END + +; time passes +STEP 95 TIME_PASSES ELAPSE 3595 + +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +ns.example.com. IN A +ENTRY_END + +; ns.example.com RANGE does not answer, only until step 100, +; so we provide an answer, but first, let time pass beyond the TTL. +; it is going to time 3605, just passed the 3600 expire TTL, but the +; query started at 3595 before the TTL expired. +STEP 110 TIME_PASSES ELAPSE 10 + +; provide the answer to the query sent. +STEP 120 CHECK_OUT_QUERY +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; check if the domain is still live. +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www2.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +; example2 is valid with TTL of 3610, it is time 3605 +STEP 160 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +ns.example2.com. IN A +ENTRY_END + +; move to time 3615 +STEP 170 TIME_PASSES ELAPSE 10 + +STEP 180 CHECK_OUT_QUERY +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com. IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. IN A 1.2.3.5 +ENTRY_END + +STEP 190 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ENTRY_END + +; check if the domain is still live. +STEP 200 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.example2.com. IN A +ENTRY_END + +STEP 210 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www2.example2.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +SCENARIO_END diff --git a/contrib/unbound/util/config_file.c b/contrib/unbound/util/config_file.c index 00422617dad7..976cb976f48e 100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@ -786,7 +786,6 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size) else S_YNO("pad-queries:", pad_queries) else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size) - else S_STRLIST("proxy-protocol-port:", proxy_protocol_port) #ifdef USE_IPSECMOD else S_YNO("ipsecmod-enabled:", ipsecmod_enabled) else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus) @@ -823,7 +822,7 @@ int config_set_option(struct config_file* cfg, const char* opt, * stub-ssl-upstream, forward-zone, auth-zone * name, forward-addr, forward-host, * ratelimit-for-domain, ratelimit-below-domain, - * local-zone-tag, access-control-view, interface-*, + * local-zone-tag, access-control-view, * send-client-subnet, client-subnet-always-forward, * max-client-subnet-ipv4, max-client-subnet-ipv6, * min-client-subnet-ipv4, min-client-subnet-ipv6, @@ -1253,17 +1252,11 @@ config_get_option(struct config_file* cfg, const char* opt, else O_LS3(opt, "access-control-tag-action", acl_tag_actions) else O_LS3(opt, "access-control-tag-data", acl_tag_datas) else O_LS2(opt, "access-control-view", acl_view) - else O_LS2(opt, "interface-action", interface_actions) - else O_LTG(opt, "interface-tag", interface_tags) - else O_LS3(opt, "interface-tag-action", interface_tag_actions) - else O_LS3(opt, "interface-tag-data", interface_tag_datas) - else O_LS2(opt, "interface-view", interface_view) else O_YNO(opt, "pad-responses", pad_responses) else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size) else O_YNO(opt, "pad-queries", pad_queries) else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size) else O_LS2(opt, "edns-client-strings", edns_client_strings) - else O_LST(opt, "proxy-protocol-port", proxy_protocol_port) #ifdef USE_IPSECMOD else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled) else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus) @@ -1309,7 +1302,6 @@ create_cfg_parser(struct config_file* cfg, char* filename, const char* chroot) cfg_parser->errors = 0; cfg_parser->cfg = cfg; cfg_parser->chroot = chroot; - cfg_parser->started_toplevel = 0; init_cfg_parse(); } @@ -1614,16 +1606,10 @@ config_delete(struct config_file* cfg) config_deltrplstrlist(cfg->local_zone_overrides); config_del_strarray(cfg->tagname, cfg->num_tags); config_del_strbytelist(cfg->local_zone_tags); - config_del_strbytelist(cfg->respip_tags); - config_deldblstrlist(cfg->acl_view); config_del_strbytelist(cfg->acl_tags); + config_del_strbytelist(cfg->respip_tags); config_deltrplstrlist(cfg->acl_tag_actions); config_deltrplstrlist(cfg->acl_tag_datas); - config_deldblstrlist(cfg->interface_actions); - config_deldblstrlist(cfg->interface_view); - config_del_strbytelist(cfg->interface_tags); - config_deltrplstrlist(cfg->interface_tag_actions); - config_deltrplstrlist(cfg->interface_tag_datas); config_delstrlist(cfg->control_ifs.first); free(cfg->server_key_file); free(cfg->server_cert_file); @@ -1644,7 +1630,6 @@ config_delete(struct config_file* cfg) config_delstrlist(cfg->python_script); config_delstrlist(cfg->dynlib_file); config_deldblstrlist(cfg->edns_client_strings); - config_delstrlist(cfg->proxy_protocol_port); #ifdef USE_IPSECMOD free(cfg->ipsecmod_hook); config_delstrlist(cfg->ipsecmod_whitelist); @@ -1815,9 +1800,6 @@ void ub_c_error_msg(const char* fmt, ...) void ub_c_error(const char *str) { cfg_parser->errors++; - if(strcmp(str, "syntax error")==0 && cfg_parser->started_toplevel ==0) - str = "syntax error, is there no section start after an " - "include-toplevel directive perhaps."; fprintf(stderr, "%s:%d: error: %s\n", cfg_parser->filename, cfg_parser->line, str); } @@ -2627,35 +2609,3 @@ int cfg_has_https(struct config_file* cfg) } return 0; } - -/** see if interface is PROXYv2, its port number == the proxy port number */ -int -if_is_pp2(const char* ifname, const char* port, - struct config_strlist* proxy_protocol_port) -{ - struct config_strlist* s; - char* p = strchr(ifname, '@'); - for(s = proxy_protocol_port; s; s = s->next) { - if(p && atoi(p+1) == atoi(s->str)) - return 1; - if(!p && atoi(port) == atoi(s->str)) - return 1; - } - return 0; -} - -/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */ -int -if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port) -{ -#ifdef USE_DNSCRYPT - return ((strchr(ifname, '@') && - atoi(strchr(ifname, '@')+1) == dnscrypt_port) || - (!strchr(ifname, '@') && atoi(port) == dnscrypt_port)); -#else - (void)ifname; - (void)port; - (void)dnscrypt_port; - return 0; -#endif -} diff --git a/contrib/unbound/util/config_file.h b/contrib/unbound/util/config_file.h index b1406913a8c1..ed372522dfae 100644 --- a/contrib/unbound/util/config_file.h +++ b/contrib/unbound/util/config_file.h @@ -114,8 +114,6 @@ struct config_file { int do_tcp_keepalive; /** tcp keepalive timeout, in msec */ int tcp_keepalive_timeout; - /** proxy protocol ports */ - struct config_strlist* proxy_protocol_port; /** private key file for dnstcp-ssl service (enabled if not NULL) */ char* ssl_service_key; @@ -463,16 +461,6 @@ struct config_file { struct config_str3list* acl_tag_datas; /** list of aclname, view*/ struct config_str2list* acl_view; - /** list of interface action entries, linked list */ - struct config_str2list* interface_actions; - /** list of interface, tagbitlist */ - struct config_strbytelist* interface_tags; - /** list of interface, tagname, localzonetype */ - struct config_str3list* interface_tag_actions; - /** list of interface, tagname, redirectdata */ - struct config_str3list* interface_tag_datas; - /** list of interface, view*/ - struct config_str2list* interface_view; /** list of IP-netblock, tagbitlist */ struct config_strbytelist* respip_tags; /** list of response-driven access control entries, linked list */ @@ -1274,8 +1262,6 @@ struct config_parser_state { struct config_file* cfg; /** the current chroot dir (or NULL if none) */ const char* chroot; - /** if we are started in a toplevel, or not, after a force_toplevel */ - int started_toplevel; }; /** global config parser object used during config parsing */ @@ -1324,12 +1310,6 @@ int if_is_https(const char* ifname, const char* port, int https_port); */ int cfg_has_https(struct config_file* cfg); -/** see if interface is PROXYv2, its port number == the proxy port number */ -int if_is_pp2(const char* ifname, const char* port, - struct config_strlist* proxy_protocol_port); - -/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */ -int if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port); #ifdef USE_LINUX_IP_LOCAL_PORT_RANGE #define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" #endif diff --git a/contrib/unbound/util/configlexer.lex b/contrib/unbound/util/configlexer.lex index f614040b8605..7f7704b337ba 100644 --- a/contrib/unbound/util/configlexer.lex +++ b/contrib/unbound/util/configlexer.lex @@ -365,7 +365,6 @@ view-first{COLON} { YDVAR(1, VAR_VIEW_FIRST) } do-not-query-address{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) } do-not-query-localhost{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) } access-control{COLON} { YDVAR(2, VAR_ACCESS_CONTROL) } -interface-action{COLON} { YDVAR(2, VAR_INTERFACE_ACTION) } send-client-subnet{COLON} { YDVAR(1, VAR_SEND_CLIENT_SUBNET) } client-subnet-zone{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ZONE) } client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) } @@ -468,10 +467,6 @@ access-control-tag{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_TAG) } access-control-tag-action{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) } access-control-tag-data{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) } access-control-view{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_VIEW) } -interface-tag{COLON} { YDVAR(2, VAR_INTERFACE_TAG) } -interface-tag-action{COLON} { YDVAR(3, VAR_INTERFACE_TAG_ACTION) } -interface-tag-data{COLON} { YDVAR(3, VAR_INTERFACE_TAG_DATA) } -interface-view{COLON} { YDVAR(2, VAR_INTERFACE_VIEW) } local-zone-override{COLON} { YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) } dnstap{COLON} { YDVAR(0, VAR_DNSTAP) } dnstap-enable{COLON} { YDVAR(1, VAR_DNSTAP_ENABLE) } @@ -563,7 +558,6 @@ edns-client-string{COLON} { YDVAR(2, VAR_EDNS_CLIENT_STRING) } edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } nsid{COLON} { YDVAR(1, VAR_NSID ) } ede{COLON} { YDVAR(1, VAR_EDE ) } -proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) } {NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } /* Quoted strings. Strip leading and ending quotes */ diff --git a/contrib/unbound/util/configparser.y b/contrib/unbound/util/configparser.y index 3ecdad2ad254..c23534019e5e 100644 --- a/contrib/unbound/util/configparser.y +++ b/contrib/unbound/util/configparser.y @@ -52,7 +52,6 @@ int ub_c_lex(void); void ub_c_error(const char *message); static void validate_respip_action(const char* action); -static void validate_acl_action(const char* action); /* these need to be global, otherwise they cannot be used inside yacc */ extern struct config_parser_state* cfg_parser; @@ -191,9 +190,6 @@ extern struct config_parser_state* cfg_parser; %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE %token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS VAR_EDE -%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG -%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA -%token VAR_PROXY_PROTOCOL_PORT %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -208,14 +204,12 @@ toplevelvar: serverstart contents_server | stubstart contents_stub | force_toplevel: VAR_FORCE_TOPLEVEL { OUTYY(("\nP(force-toplevel)\n")); - cfg_parser->started_toplevel = 0; } ; /* server: declaration */ serverstart: VAR_SERVER { OUTYY(("\nP(server:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_server: contents_server content_server @@ -293,8 +287,6 @@ content_server: server_num_threads | server_verbosity | server_port | server_disable_dnssec_lame_check | server_access_control_tag | server_local_zone_override | server_access_control_tag_action | server_access_control_tag_data | server_access_control_view | - server_interface_action | server_interface_view | server_interface_tag | - server_interface_tag_action | server_interface_tag_data | server_qname_minimisation_strict | server_pad_responses | server_pad_responses_block_size | server_pad_queries | server_pad_queries_block_size | @@ -321,14 +313,13 @@ content_server: server_num_threads | server_verbosity | server_port | server_edns_client_string_opcode | server_nsid | server_zonemd_permissive_mode | server_max_reuse_tcp_queries | server_tcp_reuse_timeout | server_tcp_auth_query_timeout | - server_interface_automatic_ports | server_ede | - server_proxy_protocol_port + server_interface_automatic_ports | server_ede + ; stubstart: VAR_STUB_ZONE { struct config_stub* s; OUTYY(("\nP(stub_zone:)\n")); - cfg_parser->started_toplevel = 1; s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->stubs; @@ -347,7 +338,6 @@ forwardstart: VAR_FORWARD_ZONE { struct config_stub* s; OUTYY(("\nP(forward_zone:)\n")); - cfg_parser->started_toplevel = 1; s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->forwards; @@ -366,7 +356,6 @@ viewstart: VAR_VIEW { struct config_view* s; OUTYY(("\nP(view:)\n")); - cfg_parser->started_toplevel = 1; s = (struct config_view*)calloc(1, sizeof(struct config_view)); if(s) { s->next = cfg_parser->cfg->views; @@ -387,7 +376,6 @@ authstart: VAR_AUTH_ZONE { struct config_auth* s; OUTYY(("\nP(auth_zone:)\n")); - cfg_parser->started_toplevel = 1; s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; @@ -486,7 +474,6 @@ rpzstart: VAR_RPZ { struct config_auth* s; OUTYY(("\nP(rpz:)\n")); - cfg_parser->started_toplevel = 1; s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; @@ -1855,18 +1842,21 @@ server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG { OUTYY(("P(server_access_control:%s %s)\n", $2, $3)); - validate_acl_action($3); - if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3)) - fatal_exit("out of memory adding acl"); - } - ; -server_interface_action: VAR_INTERFACE_ACTION STRING_ARG STRING_ARG - { - OUTYY(("P(server_interface_action:%s %s)\n", $2, $3)); - validate_acl_action($3); - if(!cfg_str2list_insert( - &cfg_parser->cfg->interface_actions, $2, $3)) - fatal_exit("out of memory adding acl"); + if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 && + strcmp($3, "deny_non_local")!=0 && + strcmp($3, "refuse_non_local")!=0 && + strcmp($3, "allow_setrd")!=0 && + strcmp($3, "allow")!=0 && + strcmp($3, "allow_snoop")!=0) { + yyerror("expected deny, refuse, deny_non_local, " + "refuse_non_local, allow, allow_setrd or " + "allow_snoop in access control action"); + free($2); + free($3); + } else { + if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3)) + fatal_exit("out of memory adding acl"); + } } ; server_module_conf: VAR_MODULE_CONF STRING_ARG @@ -2424,60 +2414,6 @@ server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG } } ; -server_interface_tag: VAR_INTERFACE_TAG STRING_ARG STRING_ARG - { - size_t len = 0; - uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, $3, - &len); - free($3); - OUTYY(("P(server_interface_tag:%s)\n", $2)); - if(!bitlist) { - yyerror("could not parse tags, (define-tag them first)"); - free($2); - } - if(bitlist) { - if(!cfg_strbytelist_insert( - &cfg_parser->cfg->interface_tags, - $2, bitlist, len)) { - yyerror("out of memory"); - free($2); - } - } - } - ; -server_interface_tag_action: VAR_INTERFACE_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG - { - OUTYY(("P(server_interface_tag_action:%s %s %s)\n", $2, $3, $4)); - if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_actions, - $2, $3, $4)) { - yyerror("out of memory"); - free($2); - free($3); - free($4); - } - } - ; -server_interface_tag_data: VAR_INTERFACE_TAG_DATA STRING_ARG STRING_ARG STRING_ARG - { - OUTYY(("P(server_interface_tag_data:%s %s %s)\n", $2, $3, $4)); - if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_datas, - $2, $3, $4)) { - yyerror("out of memory"); - free($2); - free($3); - free($4); - } - } - ; -server_interface_view: VAR_INTERFACE_VIEW STRING_ARG STRING_ARG - { - OUTYY(("P(server_interface_view:%s %s)\n", $2, $3)); - if(!cfg_str2list_insert(&cfg_parser->cfg->interface_view, - $2, $3)) { - yyerror("out of memory"); - } - } - ; server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG { size_t len = 0; @@ -2825,13 +2761,6 @@ server_ede: VAR_EDE STRING_ARG free($2); } ; -server_proxy_protocol_port: VAR_PROXY_PROTOCOL_PORT STRING_ARG - { - OUTYY(("P(server_proxy_protocol_port:%s)\n", $2)); - if(!cfg_strlist_insert(&cfg_parser->cfg->proxy_protocol_port, $2)) - yyerror("out of memory"); - } - ; stub_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); @@ -3174,7 +3103,6 @@ view_first: VAR_VIEW_FIRST STRING_ARG rcstart: VAR_REMOTE_CONTROL { OUTYY(("\nP(remote-control:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_rc: contents_rc content_rc @@ -3247,7 +3175,6 @@ rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING_ARG dtstart: VAR_DNSTAP { OUTYY(("\nP(dnstap:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_dt: contents_dt content_dt @@ -3430,7 +3357,6 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES pythonstart: VAR_PYTHON { OUTYY(("\nP(python:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_py: contents_py content_py @@ -3446,7 +3372,6 @@ py_script: VAR_PYTHON_SCRIPT STRING_ARG dynlibstart: VAR_DYNLIB { OUTYY(("\nP(dynlib:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_dl: contents_dl content_dl @@ -3496,7 +3421,6 @@ server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG dnscstart: VAR_DNSCRYPT { OUTYY(("\nP(dnscrypt:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_dnsc: contents_dnsc content_dnsc @@ -3606,7 +3530,6 @@ dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG cachedbstart: VAR_CACHEDB { OUTYY(("\nP(cachedb:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_cachedb: contents_cachedb content_cachedb @@ -3706,7 +3629,6 @@ server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG ipsetstart: VAR_IPSET { OUTYY(("\nP(ipset:)\n")); - cfg_parser->started_toplevel = 1; } ; contents_ipset: contents_ipset content_ipset @@ -3763,19 +3685,4 @@ validate_respip_action(const char* action) } } -static void -validate_acl_action(const char* action) -{ - if(strcmp(action, "deny")!=0 && - strcmp(action, "refuse")!=0 && - strcmp(action, "deny_non_local")!=0 && - strcmp(action, "refuse_non_local")!=0 && - strcmp(action, "allow_setrd")!=0 && - strcmp(action, "allow")!=0 && - strcmp(action, "allow_snoop")!=0) - { - yyerror("expected deny, refuse, deny_non_local, " - "refuse_non_local, allow, allow_setrd or " - "allow_snoop as access control action"); - } -} + diff --git a/contrib/unbound/util/fptr_wlist.c b/contrib/unbound/util/fptr_wlist.c index dc8ab6693876..05a22d402ee1 100644 --- a/contrib/unbound/util/fptr_wlist.c +++ b/contrib/unbound/util/fptr_wlist.c @@ -221,7 +221,6 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *)) if(fptr == &mesh_state_compare) return 1; else if(fptr == &mesh_state_ref_compare) return 1; else if(fptr == &addr_tree_compare) return 1; - else if(fptr == &addr_tree_addrport_compare) return 1; else if(fptr == &local_zone_cmp) return 1; else if(fptr == &local_data_cmp) return 1; else if(fptr == &fwd_cmp) return 1; diff --git a/contrib/unbound/util/net_help.c b/contrib/unbound/util/net_help.c index 54fad6986f3c..8153dbdd1818 100644 --- a/contrib/unbound/util/net_help.c +++ b/contrib/unbound/util/net_help.c @@ -233,11 +233,12 @@ log_addr(enum verbosity_value v, const char* str, else verbose(v, "%s %s port %d", str, dest, (int)port); } -int +int extstrtoaddr(const char* str, struct sockaddr_storage* addr, - socklen_t* addrlen, int port) + socklen_t* addrlen) { char* s; + int port = UNBOUND_DNS_PORT; if((s=strchr(str, '@'))) { char buf[MAX_ADDR_STRLEN]; if(s-str >= MAX_ADDR_STRLEN) { @@ -254,6 +255,7 @@ extstrtoaddr(const char* str, struct sockaddr_storage* addr, return ipstrtoaddr(str, port, addr, addrlen); } + int ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, socklen_t* addrlen) diff --git a/contrib/unbound/util/net_help.h b/contrib/unbound/util/net_help.h index f1881b3ed0ca..4dd398460294 100644 --- a/contrib/unbound/util/net_help.h +++ b/contrib/unbound/util/net_help.h @@ -96,11 +96,6 @@ extern uint16_t EDNS_ADVERTISED_SIZE; /** return a random 16-bit number given a random source */ #define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff) -/** define MSG_DONTWAIT for unsupported platforms */ -#ifndef MSG_DONTWAIT -#define MSG_DONTWAIT 0 -#endif - /** minimal responses when positive answer */ extern int MINIMAL_RESPONSES; @@ -183,11 +178,10 @@ void log_err_addr(const char* str, const char* err, * @param str: the string * @param addr: where to store sockaddr. * @param addrlen: length of stored sockaddr is returned. - * @param port: default port. * @return 0 on error. */ int extstrtoaddr(const char* str, struct sockaddr_storage* addr, - socklen_t* addrlen, int port); + socklen_t* addrlen); /** * Convert ip address string and port to sockaddr. diff --git a/contrib/unbound/util/netevent.c b/contrib/unbound/util/netevent.c index da59a9d60bda..841e0978738f 100644 --- a/contrib/unbound/util/netevent.c +++ b/contrib/unbound/util/netevent.c @@ -45,7 +45,6 @@ #include "util/net_help.h" #include "util/tcp_conn_limit.h" #include "util/fptr_wlist.h" -#include "util/proxy_protocol.h" #include "sldns/pkthdr.h" #include "sldns/sbuffer.h" #include "sldns/str2wire.h" @@ -61,9 +60,6 @@ #ifdef HAVE_NETDB_H #include #endif -#ifdef HAVE_POLL_H -#include -#endif #ifdef HAVE_OPENSSL_SSL_H #include @@ -111,9 +107,6 @@ #define NUM_UDP_PER_SELECT 1 #endif -/** timeout in millisec to wait for write to unblock, packets dropped after.*/ -#define SEND_BLOCKED_WAIT_TIMEOUT 200 - /** * The internal event structure for keeping ub_event info for the event. * Possibly other structures (list, tree) this is part of. @@ -139,10 +132,6 @@ struct internal_base { struct ub_event* slow_accept; /** true if slow_accept is enabled */ int slow_accept_enabled; - /** last log time for slow logging of file descriptor errors */ - time_t last_slow_log; - /** last log time for slow logging of write wait failures */ - time_t last_writewait_log; }; /** @@ -378,83 +367,29 @@ comm_point_send_udp_msg(struct comm_point *c, sldns_buffer* packet, * we want to send the answer, and we will wait for * the ethernet interface buffer to have space. */ #ifndef USE_WINSOCK - if(errno == EAGAIN || errno == EINTR || + if(errno == EAGAIN || # ifdef EWOULDBLOCK errno == EWOULDBLOCK || # endif errno == ENOBUFS) { #else if(WSAGetLastError() == WSAEINPROGRESS || - WSAGetLastError() == WSAEINTR || WSAGetLastError() == WSAENOBUFS || WSAGetLastError() == WSAEWOULDBLOCK) { #endif - /* if we set the fd blocking, other threads suddenly - * have a blocking fd that they operate on */ - while(sent == -1 && ( -#ifndef USE_WINSOCK - errno == EAGAIN || errno == EINTR || -# ifdef EWOULDBLOCK - errno == EWOULDBLOCK || -# endif - errno == ENOBUFS -#else - WSAGetLastError() == WSAEINPROGRESS || - WSAGetLastError() == WSAEINTR || - WSAGetLastError() == WSAENOBUFS || - WSAGetLastError() == WSAEWOULDBLOCK -#endif - )) { -#if defined(HAVE_POLL) || defined(USE_WINSOCK) - struct pollfd p; - int pret; - memset(&p, 0, sizeof(p)); - p.fd = c->fd; - p.events = POLLOUT | POLLERR | POLLHUP; -# ifndef USE_WINSOCK - pret = poll(&p, 1, SEND_BLOCKED_WAIT_TIMEOUT); -# else - pret = WSAPoll(&p, 1, - SEND_BLOCKED_WAIT_TIMEOUT); -# endif - if(pret == 0) { - /* timer expired */ - struct comm_base* b = c->ev->base; - if(b->eb->last_writewait_log+SLOW_LOG_TIME <= - b->eb->secs) { - b->eb->last_writewait_log = b->eb->secs; - verbose(VERB_OPS, "send udp blocked " - "for long, dropping packet."); - } - return 0; - } else if(pret < 0 && -#ifndef USE_WINSOCK - errno != EAGAIN && errno != EINTR && -# ifdef EWOULDBLOCK - errno != EWOULDBLOCK && -# endif - errno != ENOBUFS -#else - WSAGetLastError() != WSAEINPROGRESS && - WSAGetLastError() != WSAEINTR && - WSAGetLastError() != WSAENOBUFS && - WSAGetLastError() != WSAEWOULDBLOCK -#endif - ) { - log_err("poll udp out failed: %s", - sock_strerror(errno)); - return 0; - } -#endif /* defined(HAVE_POLL) || defined(USE_WINSOCK) */ - if (!is_connected) { - sent = sendto(c->fd, (void*)sldns_buffer_begin(packet), - sldns_buffer_remaining(packet), 0, - addr, addrlen); - } else { - sent = send(c->fd, (void*)sldns_buffer_begin(packet), - sldns_buffer_remaining(packet), 0); - } + int e; + fd_set_block(c->fd); + if (!is_connected) { + sent = sendto(c->fd, (void*)sldns_buffer_begin(packet), + sldns_buffer_remaining(packet), 0, + addr, addrlen); + } else { + sent = send(c->fd, (void*)sldns_buffer_begin(packet), + sldns_buffer_remaining(packet), 0); } + e = errno; + fd_set_nonblock(c->fd); + errno = e; } } if(sent == -1) { @@ -621,74 +556,22 @@ comm_point_send_udp_msg_if(struct comm_point *c, sldns_buffer* packet, * we want to send the answer, and we will wait for * the ethernet interface buffer to have space. */ #ifndef USE_WINSOCK - if(errno == EAGAIN || errno == EINTR || + if(errno == EAGAIN || # ifdef EWOULDBLOCK errno == EWOULDBLOCK || # endif errno == ENOBUFS) { #else if(WSAGetLastError() == WSAEINPROGRESS || - WSAGetLastError() == WSAEINTR || WSAGetLastError() == WSAENOBUFS || WSAGetLastError() == WSAEWOULDBLOCK) { #endif - while(sent == -1 && ( -#ifndef USE_WINSOCK - errno == EAGAIN || errno == EINTR || -# ifdef EWOULDBLOCK - errno == EWOULDBLOCK || -# endif - errno == ENOBUFS -#else - WSAGetLastError() == WSAEINPROGRESS || - WSAGetLastError() == WSAEINTR || - WSAGetLastError() == WSAENOBUFS || - WSAGetLastError() == WSAEWOULDBLOCK -#endif - )) { -#if defined(HAVE_POLL) || defined(USE_WINSOCK) - struct pollfd p; - int pret; - memset(&p, 0, sizeof(p)); - p.fd = c->fd; - p.events = POLLOUT | POLLERR | POLLHUP; -# ifndef USE_WINSOCK - pret = poll(&p, 1, SEND_BLOCKED_WAIT_TIMEOUT); -# else - pret = WSAPoll(&p, 1, - SEND_BLOCKED_WAIT_TIMEOUT); -# endif - if(pret == 0) { - /* timer expired */ - struct comm_base* b = c->ev->base; - if(b->eb->last_writewait_log+SLOW_LOG_TIME <= - b->eb->secs) { - b->eb->last_writewait_log = b->eb->secs; - verbose(VERB_OPS, "send udp blocked " - "for long, dropping packet."); - } - return 0; - } else if(pret < 0 && -#ifndef USE_WINSOCK - errno != EAGAIN && errno != EINTR && -# ifdef EWOULDBLOCK - errno != EWOULDBLOCK && -# endif - errno != ENOBUFS -#else - WSAGetLastError() != WSAEINPROGRESS && - WSAGetLastError() != WSAEINTR && - WSAGetLastError() != WSAENOBUFS && - WSAGetLastError() != WSAEWOULDBLOCK -#endif - ) { - log_err("poll udp out failed: %s", - sock_strerror(errno)); - return 0; - } -#endif /* defined(HAVE_POLL) || defined(USE_WINSOCK) */ - sent = sendmsg(c->fd, &msg, 0); - } + int e; + fd_set_block(c->fd); + sent = sendmsg(c->fd, &msg, 0); + e = errno; + fd_set_nonblock(c->fd); + errno = e; } } if(sent == -1) { @@ -756,67 +639,6 @@ static int udp_recv_needs_log(int err) return 1; } -/** Parses the PROXYv2 header from buf and updates the comm_reply struct. - * Returns 1 on success, 0 on failure. */ -static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, - int stream) { - size_t size; - struct pp2_header *header = pp2_read_header(buf); - if(header == NULL) return 0; - size = PP2_HEADER_SIZE + ntohs(header->len); - if((header->ver_cmd & 0xF) == PP2_CMD_LOCAL) { - /* A connection from the proxy itself. - * No need to do anything with addresses. */ - goto done; - } - if(header->fam_prot == 0x00) { - /* Unspecified family and protocol. This could be used for - * health checks by proxies. - * No need to do anything with addresses. */ - goto done; - } - /* Read the proxied address */ - switch(header->fam_prot) { - case 0x11: /* AF_INET|STREAM */ - case 0x12: /* AF_INET|DGRAM */ - { - struct sockaddr_in* addr = - (struct sockaddr_in*)&rep->client_addr; - addr->sin_family = AF_INET; - addr->sin_addr.s_addr = header->addr.addr4.src_addr; - addr->sin_port = header->addr.addr4.src_port; - rep->client_addrlen = (socklen_t)sizeof(struct sockaddr_in); - } - /* Ignore the destination address; it should be us. */ - break; - case 0x21: /* AF_INET6|STREAM */ - case 0x22: /* AF_INET6|DGRAM */ - { - struct sockaddr_in6* addr = - (struct sockaddr_in6*)&rep->client_addr; - memset(addr, 0, sizeof(*addr)); - addr->sin6_family = AF_INET6; - memcpy(&addr->sin6_addr, - header->addr.addr6.src_addr, 16); - addr->sin6_port = header->addr.addr6.src_port; - rep->client_addrlen = (socklen_t)sizeof(struct sockaddr_in6); - } - /* Ignore the destination address; it should be us. */ - break; - } - rep->is_proxied = 1; -done: - if(!stream) { - /* We are reading a whole packet; - * Move the rest of the data to overwrite the PROXYv2 header */ - /* XXX can we do better to avoid memmove? */ - memmove(header, ((void*)header)+size, - sldns_buffer_limit(buf)-size); - sldns_buffer_set_limit(buf, sldns_buffer_limit(buf)-size); - } - return 1; -} - void comm_point_udp_ancil_callback(int fd, short event, void* arg) { @@ -843,11 +665,11 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg) ub_comm_base_now(rep.c->ev->base); for(i=0; ibuffer); - rep.remote_addrlen = (socklen_t)sizeof(rep.remote_addr); + rep.addrlen = (socklen_t)sizeof(rep.addr); log_assert(fd != -1); log_assert(sldns_buffer_remaining(rep.c->buffer) > 0); - msg.msg_name = &rep.remote_addr; - msg.msg_namelen = (socklen_t)sizeof(rep.remote_addr); + msg.msg_name = &rep.addr; + msg.msg_namelen = (socklen_t)sizeof(rep.addr); iov[0].iov_base = sldns_buffer_begin(rep.c->buffer); iov[0].iov_len = sldns_buffer_remaining(rep.c->buffer); msg.msg_iov = iov; @@ -857,7 +679,7 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg) msg.msg_controllen = sizeof(ancil.buf); #endif /* S_SPLINT_S */ msg.msg_flags = 0; - rcv = recvmsg(fd, &msg, MSG_DONTWAIT); + rcv = recvmsg(fd, &msg, 0); if(rcv == -1) { if(errno != EAGAIN && errno != EINTR && udp_recv_needs_log(errno)) { @@ -865,11 +687,10 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg) } return; } - rep.remote_addrlen = msg.msg_namelen; + rep.addrlen = msg.msg_namelen; sldns_buffer_skip(rep.c->buffer, rcv); sldns_buffer_flip(rep.c->buffer); rep.srctype = 0; - rep.is_proxied = 0; #ifndef S_SPLINT_S for(cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg)) { @@ -899,24 +720,11 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg) if(verbosity >= VERB_ALGO) p_ancil("receive_udp on interface", &rep); #endif /* S_SPLINT_S */ - - if(rep.c->pp2_enabled && !consume_pp2_header(rep.c->buffer, - &rep, 0)) { - log_err("proxy_protocol: could not consume PROXYv2 header"); - return; - } - if(!rep.is_proxied) { - rep.client_addrlen = rep.remote_addrlen; - memmove(&rep.client_addr, &rep.remote_addr, - rep.remote_addrlen); - } - fptr_ok(fptr_whitelist_comm_point(rep.c->callback)); if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) { /* send back immediate reply */ (void)comm_point_send_udp_msg_if(rep.c, rep.c->buffer, - (struct sockaddr*)&rep.remote_addr, - rep.remote_addrlen, &rep); + (struct sockaddr*)&rep.addr, rep.addrlen, &rep); } if(!rep.c || rep.c->fd == -1) /* commpoint closed */ break; @@ -947,12 +755,12 @@ comm_point_udp_callback(int fd, short event, void* arg) ub_comm_base_now(rep.c->ev->base); for(i=0; ibuffer); - rep.remote_addrlen = (socklen_t)sizeof(rep.remote_addr); + rep.addrlen = (socklen_t)sizeof(rep.addr); log_assert(fd != -1); log_assert(sldns_buffer_remaining(rep.c->buffer) > 0); rcv = recvfrom(fd, (void*)sldns_buffer_begin(rep.c->buffer), - sldns_buffer_remaining(rep.c->buffer), MSG_DONTWAIT, - (struct sockaddr*)&rep.remote_addr, &rep.remote_addrlen); + sldns_buffer_remaining(rep.c->buffer), 0, + (struct sockaddr*)&rep.addr, &rep.addrlen); if(rcv == -1) { #ifndef USE_WINSOCK if(errno != EAGAIN && errno != EINTR @@ -972,19 +780,6 @@ comm_point_udp_callback(int fd, short event, void* arg) sldns_buffer_skip(rep.c->buffer, rcv); sldns_buffer_flip(rep.c->buffer); rep.srctype = 0; - rep.is_proxied = 0; - - if(rep.c->pp2_enabled && !consume_pp2_header(rep.c->buffer, - &rep, 0)) { - log_err("proxy_protocol: could not consume PROXYv2 header"); - return; - } - if(!rep.is_proxied) { - rep.client_addrlen = rep.remote_addrlen; - memmove(&rep.client_addr, &rep.remote_addr, - rep.remote_addrlen); - } - fptr_ok(fptr_whitelist_comm_point(rep.c->callback)); if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) { /* send back immediate reply */ @@ -994,8 +789,7 @@ comm_point_udp_callback(int fd, short event, void* arg) buffer = rep.c->buffer; #endif (void)comm_point_send_udp_msg(rep.c, buffer, - (struct sockaddr*)&rep.remote_addr, - rep.remote_addrlen, 0); + (struct sockaddr*)&rep.addr, rep.addrlen, 0); } if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ @@ -1095,16 +889,6 @@ int comm_point_perform_accept(struct comm_point* c, struct timeval tv; verbose(VERB_ALGO, "out of file descriptors: " "slow accept"); - ub_comm_base_now(b); - if(b->eb->last_slow_log+SLOW_LOG_TIME <= - b->eb->secs) { - b->eb->last_slow_log = b->eb->secs; - verbose(VERB_OPS, "accept failed, " - "slow down accept for %d " - "msec: %s", - NETEVENT_SLOW_ACCEPT_TIME, - sock_strerror(errno)); - } b->eb->slow_accept_enabled = 1; fptr_ok(fptr_whitelist_stop_accept( b->stop_accept)); @@ -1125,9 +909,6 @@ int comm_point_perform_accept(struct comm_point* c, /* we do not want to log here, * error: "event_add failed." */ } - } else { - log_err("accept, with no slow down, " - "failed: %s", sock_strerror(errno)); } return -1; } @@ -1311,16 +1092,10 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg) } log_assert(fd != -1); (void)fd; - new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.remote_addr, - &c_hdl->repinfo.remote_addrlen); + new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.addr, + &c_hdl->repinfo.addrlen); if(new_fd == -1) return; - /* Copy remote_address to client_address. - * Simplest way/time for streams to do that. */ - c_hdl->repinfo.client_addrlen = c_hdl->repinfo.remote_addrlen; - memmove(&c_hdl->repinfo.client_addr, - &c_hdl->repinfo.remote_addr, - c_hdl->repinfo.remote_addrlen); if(c->ssl) { c_hdl->ssl = incoming_ssl_fd(c->ssl, new_fd); if(!c_hdl->ssl) { @@ -1372,7 +1147,6 @@ reclaim_tcp_handler(struct comm_point* c) c->tcp_more_read_again = NULL; c->tcp_more_write_again = NULL; c->tcp_byte_count = 0; - c->pp2_header_state = pp2_header_none; sldns_buffer_clear(c->buffer); } @@ -1504,8 +1278,8 @@ ssl_handshake(struct comm_point* c) return 0; /* silence reset by peer */ #endif if(!tcp_connect_errno_needs_log( - (struct sockaddr*)&c->repinfo.remote_addr, - c->repinfo.remote_addrlen)) + (struct sockaddr*)&c->repinfo.addr, + c->repinfo.addrlen)) return 0; /* silence connect failures that show up because after connect this is the first system call that accesses the socket */ @@ -1517,9 +1291,8 @@ ssl_handshake(struct comm_point* c) unsigned long err = ERR_get_error(); if(!squelch_err_ssl_handshake(err)) { log_crypto_err_code("ssl handshake failed", err); - log_addr(VERB_OPS, "ssl handshake failed", - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + log_addr(VERB_OPS, "ssl handshake failed", &c->repinfo.addr, + c->repinfo.addrlen); } return 0; } @@ -1536,8 +1309,7 @@ ssl_handshake(struct comm_point* c) if(!x) { log_addr(VERB_ALGO, "SSL connection failed: " "no certificate", - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); return 0; } log_cert(VERB_ALGO, "peer certificate", x); @@ -1547,13 +1319,13 @@ ssl_handshake(struct comm_point* c) snprintf(buf, sizeof(buf), "SSL connection " "to %s authenticated", SSL_get0_peername(c->ssl)); - log_addr(VERB_ALGO, buf, &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + log_addr(VERB_ALGO, buf, &c->repinfo.addr, + c->repinfo.addrlen); } else { #endif log_addr(VERB_ALGO, "SSL connection " - "authenticated", &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + "authenticated", &c->repinfo.addr, + c->repinfo.addrlen); #ifdef HAVE_SSL_GET0_PEERNAME } #endif @@ -1570,15 +1342,14 @@ ssl_handshake(struct comm_point* c) } log_addr(VERB_ALGO, "SSL connection failed: " "failed to authenticate", - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); return 0; } } else { /* unauthenticated, the verify peer flag was not set * in c->ssl when the ssl object was created from ssl_ctx */ - log_addr(VERB_ALGO, "SSL connection", &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + log_addr(VERB_ALGO, "SSL connection", &c->repinfo.addr, + c->repinfo.addrlen); } #ifdef HAVE_SSL_GET0_ALPN_SELECTED @@ -1619,142 +1390,6 @@ ssl_handle_read(struct comm_point* c) if(c->ssl_shake_state != comm_ssl_shake_none) return 1; } - if(c->pp2_enabled && c->pp2_header_state != pp2_header_done) { - struct pp2_header* header = NULL; - size_t want_read_size = 0; - size_t current_read_size = 0; - if(c->pp2_header_state == pp2_header_none) { - want_read_size = PP2_HEADER_SIZE; - if(sldns_buffer_remaining(c->buffer)repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - verbose(VERB_ALGO, "proxy_protocol: reading fixed " - "part of PROXYv2 header (len %lu)", - (unsigned long)want_read_size); - current_read_size = want_read_size; - if(c->tcp_byte_count < current_read_size) { - ERR_clear_error(); - if((r=SSL_read(c->ssl, (void*)sldns_buffer_at( - c->buffer, c->tcp_byte_count), - current_read_size - - c->tcp_byte_count)) <= 0) { - int want = SSL_get_error(c->ssl, r); - if(want == SSL_ERROR_ZERO_RETURN) { - if(c->tcp_req_info) - return tcp_req_info_handle_read_close(c->tcp_req_info); - return 0; /* shutdown, closed */ - } else if(want == SSL_ERROR_WANT_READ) { -#ifdef USE_WINSOCK - ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); -#endif - return 1; /* read more later */ - } else if(want == SSL_ERROR_WANT_WRITE) { - c->ssl_shake_state = comm_ssl_shake_hs_write; - comm_point_listen_for_rw(c, 0, 1); - return 1; - } else if(want == SSL_ERROR_SYSCALL) { -#ifdef ECONNRESET - if(errno == ECONNRESET && verbosity < 2) - return 0; /* silence reset by peer */ -#endif - if(errno != 0) - log_err("SSL_read syscall: %s", - strerror(errno)); - return 0; - } - log_crypto_err("could not SSL_read"); - return 0; - } - c->tcp_byte_count += r; - if(c->tcp_byte_count != current_read_size) return 1; - c->pp2_header_state = pp2_header_init; - } - } - if(c->pp2_header_state == pp2_header_init) { - header = pp2_read_header(c->buffer); - if(!header) { - log_err("proxy_protocol: could not parse " - "PROXYv2 header"); - return 0; - } - want_read_size = ntohs(header->len); - if(sldns_buffer_remaining(c->buffer) < - PP2_HEADER_SIZE + want_read_size) { - log_err_addr("proxy_protocol: not enough " - "buffer size to read PROXYv2 header", "", - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - verbose(VERB_ALGO, "proxy_protocol: reading variable " - "part of PROXYv2 header (len %lu)", - (unsigned long)want_read_size); - current_read_size = PP2_HEADER_SIZE + want_read_size; - if(want_read_size == 0) { - /* nothing more to read; header is complete */ - c->pp2_header_state = pp2_header_done; - } else if(c->tcp_byte_count < current_read_size) { - ERR_clear_error(); - if((r=SSL_read(c->ssl, (void*)sldns_buffer_at( - c->buffer, c->tcp_byte_count), - current_read_size - - c->tcp_byte_count)) <= 0) { - int want = SSL_get_error(c->ssl, r); - if(want == SSL_ERROR_ZERO_RETURN) { - if(c->tcp_req_info) - return tcp_req_info_handle_read_close(c->tcp_req_info); - return 0; /* shutdown, closed */ - } else if(want == SSL_ERROR_WANT_READ) { -#ifdef USE_WINSOCK - ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); -#endif - return 1; /* read more later */ - } else if(want == SSL_ERROR_WANT_WRITE) { - c->ssl_shake_state = comm_ssl_shake_hs_write; - comm_point_listen_for_rw(c, 0, 1); - return 1; - } else if(want == SSL_ERROR_SYSCALL) { -#ifdef ECONNRESET - if(errno == ECONNRESET && verbosity < 2) - return 0; /* silence reset by peer */ -#endif - if(errno != 0) - log_err("SSL_read syscall: %s", - strerror(errno)); - return 0; - } - log_crypto_err("could not SSL_read"); - return 0; - } - c->tcp_byte_count += r; - if(c->tcp_byte_count != current_read_size) return 1; - c->pp2_header_state = pp2_header_done; - } - } - if(c->pp2_header_state != pp2_header_done || !header) { - log_err_addr("proxy_protocol: wrong state for the " - "PROXYv2 header", "", &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) { - log_err_addr("proxy_protocol: could not consume " - "PROXYv2 header", "", &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - verbose(VERB_ALGO, "proxy_protocol: successful read of " - "PROXYv2 header"); - /* Clear and reset the buffer to read the following - * DNS packet(s). */ - sldns_buffer_clear(c->buffer); - c->tcp_byte_count = 0; - return 1; - } if(c->tcp_byte_count < sizeof(uint16_t)) { /* read length bytes */ ERR_clear_error(); @@ -2014,18 +1649,16 @@ ssl_handle_it(struct comm_point* c, int is_write) return ssl_handle_write(c); } -/** - * Handle tcp reading callback. +/** Handle tcp reading callback. * @param fd: file descriptor of socket. * @param c: comm point to read from into buffer. * @param short_ok: if true, very short packets are OK (for comm_local). - * @return: 0 on error + * @return: 0 on error */ static int comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) { ssize_t r; - int recv_initial = 0; log_assert(c->type == comm_tcp || c->type == comm_local); if(c->ssl) return ssl_handle_it(c, 0); @@ -2033,111 +1666,78 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) return 0; log_assert(fd != -1); - if(c->pp2_enabled && c->pp2_header_state != pp2_header_done) { - struct pp2_header* header = NULL; - size_t want_read_size = 0; - size_t current_read_size = 0; - if(c->pp2_header_state == pp2_header_none) { - want_read_size = PP2_HEADER_SIZE; - if(sldns_buffer_remaining(c->buffer)repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - verbose(VERB_ALGO, "proxy_protocol: reading fixed " - "part of PROXYv2 header (len %lu)", - (unsigned long)want_read_size); - current_read_size = want_read_size; - if(c->tcp_byte_count < current_read_size) { - r = recv(fd, (void*)sldns_buffer_at(c->buffer, - c->tcp_byte_count), - current_read_size-c->tcp_byte_count, MSG_DONTWAIT); - if(r == 0) { - if(c->tcp_req_info) - return tcp_req_info_handle_read_close(c->tcp_req_info); - return 0; - } else if(r == -1) { - goto recv_error_initial; - } - c->tcp_byte_count += r; - if(c->tcp_byte_count != current_read_size) return 1; - c->pp2_header_state = pp2_header_init; - } - } - if(c->pp2_header_state == pp2_header_init) { - header = pp2_read_header(c->buffer); - if(!header) { - log_err("proxy_protocol: could not parse " - "PROXYv2 header"); - return 0; - } - want_read_size = ntohs(header->len); - if(sldns_buffer_remaining(c->buffer) < - PP2_HEADER_SIZE + want_read_size) { - log_err_addr("proxy_protocol: not enough " - "buffer size to read PROXYv2 header", "", - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - verbose(VERB_ALGO, "proxy_protocol: reading variable " - "part of PROXYv2 header (len %lu)", - (unsigned long)want_read_size); - current_read_size = PP2_HEADER_SIZE + want_read_size; - if(want_read_size == 0) { - /* nothing more to read; header is complete */ - c->pp2_header_state = pp2_header_done; - } else if(c->tcp_byte_count < current_read_size) { - r = recv(fd, (void*)sldns_buffer_at(c->buffer, - c->tcp_byte_count), - current_read_size-c->tcp_byte_count, MSG_DONTWAIT); - if(r == 0) { - if(c->tcp_req_info) - return tcp_req_info_handle_read_close(c->tcp_req_info); - return 0; - } else if(r == -1) { - goto recv_error; - } - c->tcp_byte_count += r; - if(c->tcp_byte_count != current_read_size) return 1; - c->pp2_header_state = pp2_header_done; - } - } - if(c->pp2_header_state != pp2_header_done || !header) { - log_err_addr("proxy_protocol: wrong state for the " - "PROXYv2 header", "", &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) { - log_err_addr("proxy_protocol: could not consume " - "PROXYv2 header", "", &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } - verbose(VERB_ALGO, "proxy_protocol: successful read of " - "PROXYv2 header"); - /* Clear and reset the buffer to read the following - * DNS packet(s). */ - sldns_buffer_clear(c->buffer); - c->tcp_byte_count = 0; - return 1; - } - if(c->tcp_byte_count < sizeof(uint16_t)) { /* read length bytes */ r = recv(fd,(void*)sldns_buffer_at(c->buffer,c->tcp_byte_count), - sizeof(uint16_t)-c->tcp_byte_count, MSG_DONTWAIT); + sizeof(uint16_t)-c->tcp_byte_count, 0); if(r == 0) { if(c->tcp_req_info) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; } else if(r == -1) { - if(c->pp2_enabled) goto recv_error; - goto recv_error_initial; - } +#ifndef USE_WINSOCK + if(errno == EINTR || errno == EAGAIN) + return 1; +#ifdef ECONNRESET + if(errno == ECONNRESET && verbosity < 2) + return 0; /* silence reset by peer */ +#endif +#ifdef ECONNREFUSED + if(errno == ECONNREFUSED && verbosity < 2) + return 0; /* silence reset by peer */ +#endif +#ifdef ENETUNREACH + if(errno == ENETUNREACH && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef EHOSTDOWN + if(errno == EHOSTDOWN && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef EHOSTUNREACH + if(errno == EHOSTUNREACH && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef ENETDOWN + if(errno == ENETDOWN && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef EACCES + if(errno == EACCES && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef ENOTCONN + if(errno == ENOTCONN) { + log_err_addr("read (in tcp s) failed and this could be because TCP Fast Open is enabled [--disable-tfo-client --disable-tfo-server] but does not work", sock_strerror(errno), + &c->repinfo.addr, c->repinfo.addrlen); + return 0; + } +#endif +#else /* USE_WINSOCK */ + if(WSAGetLastError() == WSAECONNREFUSED && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAEHOSTDOWN && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAEHOSTUNREACH && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAENETDOWN && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAENETUNREACH && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAECONNRESET) + return 0; + if(WSAGetLastError() == WSAEINPROGRESS) + return 1; + if(WSAGetLastError() == WSAEWOULDBLOCK) { + ub_winsock_tcp_wouldblock(c->ev->ev, + UB_EV_READ); + return 1; + } +#endif + log_err_addr("read (in tcp s)", sock_strerror(errno), + &c->repinfo.addr, c->repinfo.addrlen); + return 0; + } c->tcp_byte_count += r; if(c->tcp_byte_count != sizeof(uint16_t)) return 1; @@ -2146,110 +1746,48 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) verbose(VERB_QUERY, "tcp: dropped larger than buffer"); return 0; } - sldns_buffer_set_limit(c->buffer, + sldns_buffer_set_limit(c->buffer, sldns_buffer_read_u16_at(c->buffer, 0)); - if(!short_ok && + if(!short_ok && sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE) { verbose(VERB_QUERY, "tcp: dropped bogus too short."); return 0; } - verbose(VERB_ALGO, "Reading tcp query of length %d", + verbose(VERB_ALGO, "Reading tcp query of length %d", (int)sldns_buffer_limit(c->buffer)); } if(sldns_buffer_remaining(c->buffer) == 0) - log_err("in comm_point_tcp_handle_read buffer_remaining is " - "not > 0 as expected, continuing with (harmless) 0 " - "length recv"); + log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv"); r = recv(fd, (void*)sldns_buffer_current(c->buffer), - sldns_buffer_remaining(c->buffer), MSG_DONTWAIT); + sldns_buffer_remaining(c->buffer), 0); if(r == 0) { if(c->tcp_req_info) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; } else if(r == -1) { - goto recv_error; +#ifndef USE_WINSOCK + if(errno == EINTR || errno == EAGAIN) + return 1; +#else /* USE_WINSOCK */ + if(WSAGetLastError() == WSAECONNRESET) + return 0; + if(WSAGetLastError() == WSAEINPROGRESS) + return 1; + if(WSAGetLastError() == WSAEWOULDBLOCK) { + ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); + return 1; + } +#endif + log_err_addr("read (in tcp r)", sock_strerror(errno), + &c->repinfo.addr, c->repinfo.addrlen); + return 0; } sldns_buffer_skip(c->buffer, r); if(sldns_buffer_remaining(c->buffer) <= 0) { tcp_callback_reader(c); } return 1; - -recv_error_initial: - recv_initial = 1; -recv_error: -#ifndef USE_WINSOCK - if(errno == EINTR || errno == EAGAIN) - return 1; - if(recv_initial) { -#ifdef ECONNRESET - if(errno == ECONNRESET && verbosity < 2) - return 0; /* silence reset by peer */ -#endif -#ifdef ECONNREFUSED - if(errno == ECONNREFUSED && verbosity < 2) - return 0; /* silence reset by peer */ -#endif -#ifdef ENETUNREACH - if(errno == ENETUNREACH && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef EHOSTDOWN - if(errno == EHOSTDOWN && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef EHOSTUNREACH - if(errno == EHOSTUNREACH && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef ENETDOWN - if(errno == ENETDOWN && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef EACCES - if(errno == EACCES && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef ENOTCONN - if(errno == ENOTCONN) { - log_err_addr("read (in tcp s) failed and this " - "could be because TCP Fast Open is " - "enabled [--disable-tfo-client " - "--disable-tfo-server] but does not " - "work", sock_strerror(errno), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); - return 0; - } -#endif - } -#else /* USE_WINSOCK */ - if(recv_initial) { - if(WSAGetLastError() == WSAECONNREFUSED && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAEHOSTDOWN && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAEHOSTUNREACH && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAENETDOWN && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAENETUNREACH && verbosity < 2) - return 0; - } - if(WSAGetLastError() == WSAECONNRESET) - return 0; - if(WSAGetLastError() == WSAEINPROGRESS) - return 1; - if(WSAGetLastError() == WSAEWOULDBLOCK) { - ub_winsock_tcp_wouldblock(c->ev->ev, - UB_EV_READ); - return 1; - } -#endif - log_err_addr("read (in tcp s)", sock_strerror(errno), - &c->repinfo.remote_addr, c->repinfo.remote_addrlen); - return 0; } /** @@ -2295,8 +1833,7 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) return 0; /* silence lots of chatter in the logs */ else if(error != 0) { log_err_addr("tcp connect", strerror(error), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); #else /* USE_WINSOCK */ /* examine error */ if(error == WSAEINPROGRESS) @@ -2308,8 +1845,7 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) return 0; else if(error != 0) { log_err_addr("tcp connect", wsa_strerror(error), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); #endif /* USE_WINSOCK */ return 0; } @@ -2341,8 +1877,8 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) iov[1].iov_len = sldns_buffer_limit(buffer); } log_assert(iov[0].iov_len > 0); - msg.msg_name = &c->repinfo.remote_addr; - msg.msg_namelen = c->repinfo.remote_addrlen; + msg.msg_name = &c->repinfo.addr; + msg.msg_namelen = c->repinfo.addrlen; msg.msg_iov = iov; msg.msg_iovlen = 2; r = sendmsg(fd, &msg, MSG_FASTOPEN); @@ -2368,16 +1904,14 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) if(verbosity < 2) return 0; /* silence lots of chatter in the logs */ log_err_addr("tcp sendmsg", strerror(errno), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); return 0; } verbose(VERB_ALGO, "tcp sendmsg for fastopen failed (with %s), try normal connect", strerror(errno)); /* fallthrough to nonFASTOPEN * (MSG_FASTOPEN on Linux 3 produces EPIPE) * we need to perform connect() */ - if(connect(fd, (struct sockaddr *)&c->repinfo.remote_addr, - c->repinfo.remote_addrlen) == -1) { + if(connect(fd, (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen) == -1) { #ifdef EINPROGRESS if(errno == EINPROGRESS) return 1; /* wait until connect done*/ @@ -2388,12 +1922,9 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) return 1; /* wait until connect done*/ #endif if(tcp_connect_errno_needs_log( - (struct sockaddr *)&c->repinfo.remote_addr, - c->repinfo.remote_addrlen)) { + (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen)) { log_err_addr("outgoing tcp: connect after EPIPE for fastopen", - strerror(errno), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + strerror(errno), &c->repinfo.addr, c->repinfo.addrlen); } return 0; } @@ -2458,12 +1989,10 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) #endif # ifdef HAVE_WRITEV log_err_addr("tcp writev", strerror(errno), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); # else /* HAVE_WRITEV */ log_err_addr("tcp send s", strerror(errno), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); # endif /* HAVE_WRITEV */ #else if(WSAGetLastError() == WSAENOTCONN) @@ -2479,8 +2008,7 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) return 0; /* silence reset by peer */ log_err_addr("tcp send s", wsa_strerror(WSAGetLastError()), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); #endif return 0; } @@ -2528,8 +2056,7 @@ comm_point_tcp_handle_write(int fd, struct comm_point* c) return 0; /* silence reset by peer */ #endif log_err_addr("tcp send r", sock_strerror(errno), - &c->repinfo.remote_addr, - c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); return 0; } if(c->tcp_write_and_read) { @@ -2775,7 +2302,7 @@ http_read_more(int fd, struct comm_point* c) ssize_t r; log_assert(sldns_buffer_remaining(c->buffer) > 0); r = recv(fd, (void*)sldns_buffer_current(c->buffer), - sldns_buffer_remaining(c->buffer), MSG_DONTWAIT); + sldns_buffer_remaining(c->buffer), 0); if(r == 0) { return 0; } else if(r == -1) { @@ -2793,7 +2320,7 @@ http_read_more(int fd, struct comm_point* c) } #endif log_err_addr("read (in http r)", sock_strerror(errno), - &c->repinfo.remote_addr, c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); return 0; } verbose(VERB_ALGO, "http read more skip to %d + %d", @@ -3213,7 +2740,7 @@ ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf, } #endif /* HAVE_SSL */ - ret = recv(h2_session->c->fd, buf, len, MSG_DONTWAIT); + ret = recv(h2_session->c->fd, buf, len, 0); if(ret == 0) { return NGHTTP2_ERR_EOF; } else if(ret < 0) { @@ -3225,8 +2752,8 @@ ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf, return NGHTTP2_ERR_CALLBACK_FAILURE; #endif log_err_addr("could not http2 recv: %s", strerror(errno), - &h2_session->c->repinfo.remote_addr, - h2_session->c->repinfo.remote_addrlen); + &h2_session->c->repinfo.addr, + h2_session->c->repinfo.addrlen); #else /* USE_WINSOCK */ if(WSAGetLastError() == WSAECONNRESET) return NGHTTP2_ERR_CALLBACK_FAILURE; @@ -3239,8 +2766,8 @@ ssize_t http2_recv_cb(nghttp2_session* ATTR_UNUSED(session), uint8_t* buf, } log_err_addr("could not http2 recv: %s", wsa_strerror(WSAGetLastError()), - &h2_session->c->repinfo.remote_addr, - h2_session->c->repinfo.remote_addrlen); + &h2_session->c->repinfo.addr, + h2_session->c->repinfo.addrlen); #endif return NGHTTP2_ERR_CALLBACK_FAILURE; } @@ -3262,8 +2789,8 @@ comm_point_http2_handle_read(int ATTR_UNUSED(fd), struct comm_point* c) if(ret != NGHTTP2_ERR_EOF && ret != NGHTTP2_ERR_CALLBACK_FAILURE) { char a[256]; - addr_to_str(&c->repinfo.remote_addr, - c->repinfo.remote_addrlen, a, sizeof(a)); + addr_to_str(&c->repinfo.addr, c->repinfo.addrlen, + a, sizeof(a)); verbose(VERB_QUERY, "http2: session_recv from %s failed, " "error: %s", a, nghttp2_strerror(ret)); } @@ -3411,7 +2938,7 @@ http_check_connect(int fd, struct comm_point* c) return 0; /* silence lots of chatter in the logs */ else if(error != 0) { log_err_addr("http connect", strerror(error), - &c->repinfo.remote_addr, c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); #else /* USE_WINSOCK */ /* examine error */ if(error == WSAEINPROGRESS) @@ -3423,7 +2950,7 @@ http_check_connect(int fd, struct comm_point* c) return 0; else if(error != 0) { log_err_addr("http connect", wsa_strerror(error), - &c->repinfo.remote_addr, c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); #endif /* USE_WINSOCK */ return 0; } @@ -3493,7 +3020,7 @@ http_write_more(int fd, struct comm_point* c) } #endif log_err_addr("http send r", sock_strerror(errno), - &c->repinfo.remote_addr, c->repinfo.remote_addrlen); + &c->repinfo.addr, c->repinfo.addrlen); return 0; } sldns_buffer_skip(c->buffer, r); @@ -3557,8 +3084,8 @@ ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf, return NGHTTP2_ERR_CALLBACK_FAILURE; #endif log_err_addr("could not http2 write: %s", strerror(errno), - &h2_session->c->repinfo.remote_addr, - h2_session->c->repinfo.remote_addrlen); + &h2_session->c->repinfo.addr, + h2_session->c->repinfo.addrlen); #else /* USE_WINSOCK */ if(WSAGetLastError() == WSAENOTCONN) return NGHTTP2_ERR_WOULDBLOCK; @@ -3573,8 +3100,8 @@ ssize_t http2_send_cb(nghttp2_session* ATTR_UNUSED(session), const uint8_t* buf, return NGHTTP2_ERR_CALLBACK_FAILURE; log_err_addr("could not http2 write: %s", wsa_strerror(WSAGetLastError()), - &h2_session->c->repinfo.remote_addr, - h2_session->c->repinfo.remote_addrlen); + &h2_session->c->repinfo.addr, + h2_session->c->repinfo.addrlen); #endif return NGHTTP2_ERR_CALLBACK_FAILURE; } @@ -3754,8 +3281,7 @@ void comm_point_raw_handle_callback(int ATTR_UNUSED(fd), struct comm_point* comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, - int pp2_enabled, comm_point_callback_type* callback, - void* callback_arg, struct unbound_socket* socket) + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3795,8 +3321,6 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; - c->pp2_enabled = pp2_enabled; - c->pp2_header_state = pp2_header_none; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3816,8 +3340,8 @@ comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, } struct comm_point* -comm_point_create_udp_ancil(struct comm_base *base, int fd, - sldns_buffer* buffer, int pp2_enabled, +comm_point_create_udp_ancil(struct comm_base *base, int fd, + sldns_buffer* buffer, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, @@ -3858,8 +3382,6 @@ comm_point_create_udp_ancil(struct comm_base *base, int fd, c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; - c->pp2_enabled = pp2_enabled; - c->pp2_header_state = pp2_header_none; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3939,8 +3461,6 @@ comm_point_create_tcp_handler(struct comm_base *base, c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; - c->pp2_enabled = parent->pp2_enabled; - c->pp2_header_state = pp2_header_none; if(spoolbuf) { c->tcp_req_info = tcp_req_info_create(spoolbuf); if(!c->tcp_req_info) { @@ -4036,8 +3556,6 @@ comm_point_create_http_handler(struct comm_base *base, c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; - c->pp2_enabled = 0; - c->pp2_header_state = pp2_header_none; c->http_min_version = http_version_2; c->http2_stream_max_qbuffer_size = bufsize; @@ -4102,8 +3620,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, uint32_t http_max_streams, char* http_endpoint, struct tcl_list* tcp_conn_limit, size_t bufsize, struct sldns_buffer* spoolbuf, enum listen_type port_type, - int pp2_enabled, comm_point_callback_type* callback, - void* callback_arg, struct unbound_socket* socket) + comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -4154,8 +3671,6 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num, c->callback = NULL; c->cb_arg = NULL; c->socket = socket; - c->pp2_enabled = (port_type==listen_type_http?0:pp2_enabled); - c->pp2_header_state = pp2_header_none; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -4248,8 +3763,6 @@ comm_point_create_tcp_out(struct comm_base *base, size_t bufsize, c->repinfo.c = c; c->callback = callback; c->cb_arg = callback_arg; - c->pp2_enabled = 0; - c->pp2_header_state = pp2_header_none; evbits = UB_EV_PERSIST | UB_EV_WRITE; c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, comm_point_tcp_handle_callback, c); @@ -4316,8 +3829,6 @@ comm_point_create_http_out(struct comm_base *base, size_t bufsize, c->repinfo.c = c; c->callback = callback; c->cb_arg = callback_arg; - c->pp2_enabled = 0; - c->pp2_header_state = pp2_header_none; evbits = UB_EV_PERSIST | UB_EV_WRITE; c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, comm_point_http_handle_callback, c); @@ -4381,8 +3892,6 @@ comm_point_create_local(struct comm_base *base, int fd, size_t bufsize, #endif c->callback = callback; c->cb_arg = callback_arg; - c->pp2_enabled = 0; - c->pp2_header_state = pp2_header_none; /* ub_event stuff */ evbits = UB_EV_PERSIST | UB_EV_READ; c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -4444,8 +3953,6 @@ comm_point_create_raw(struct comm_base* base, int fd, int writing, #endif c->callback = callback; c->cb_arg = callback_arg; - c->pp2_enabled = 0; - c->pp2_header_state = pp2_header_none; /* ub_event stuff */ if(writing) evbits = UB_EV_PERSIST | UB_EV_WRITE; @@ -4561,21 +4068,20 @@ comm_point_send_reply(struct comm_reply *repinfo) #endif if(repinfo->c->type == comm_udp) { if(repinfo->srctype) - comm_point_send_udp_msg_if(repinfo->c, buffer, - (struct sockaddr*)&repinfo->remote_addr, - repinfo->remote_addrlen, repinfo); + comm_point_send_udp_msg_if(repinfo->c, + buffer, (struct sockaddr*)&repinfo->addr, + repinfo->addrlen, repinfo); else comm_point_send_udp_msg(repinfo->c, buffer, - (struct sockaddr*)&repinfo->remote_addr, - repinfo->remote_addrlen, 0); + (struct sockaddr*)&repinfo->addr, repinfo->addrlen, 0); #ifdef USE_DNSTAP /* * sending src (client)/dst (local service) addresses over DNSTAP from udp callback */ if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) { log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen); - dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer); + log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); + dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer); } #endif } else { @@ -4585,8 +4091,8 @@ comm_point_send_reply(struct comm_reply *repinfo) */ if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) { log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen); - dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, + log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); + dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, ( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer )); } #endif diff --git a/contrib/unbound/util/netevent.h b/contrib/unbound/util/netevent.h index 3e7849c13949..9f4d28ba9f8f 100644 --- a/contrib/unbound/util/netevent.h +++ b/contrib/unbound/util/netevent.h @@ -102,8 +102,6 @@ typedef int comm_point_callback_type(struct comm_point*, void*, int, /** timeout to slow accept calls when not possible, in msec. */ #define NETEVENT_SLOW_ACCEPT_TIME 2000 -/** timeout to slow down log print, so it does not spam the logs, in sec */ -#define SLOW_LOG_TIME 10 /** * A communication point dispatcher. Thread specific. @@ -128,11 +126,10 @@ struct comm_reply { /** the comm_point with fd to send reply on to. */ struct comm_point* c; /** the address (for UDP based communication) */ - struct sockaddr_storage remote_addr; + struct sockaddr_storage addr; /** length of address */ - socklen_t remote_addrlen; - /** return type 0 (none), 4(IP4), 6(IP6) - * used only with listen_type_udp_ancil* */ + socklen_t addrlen; + /** return type 0 (none), 4(IP4), 6(IP6) */ int srctype; /* DnsCrypt context */ #ifdef USE_DNSCRYPT @@ -156,13 +153,6 @@ struct comm_reply { pktinfo; /** max udp size for udp packets */ size_t max_udp_size; - /* if set, the request came through a proxy */ - int is_proxied; - /** the client address - * the same as remote_addr if not proxied */ - struct sockaddr_storage client_addr; - /** the original address length */ - socklen_t client_addrlen; }; /** @@ -286,19 +276,6 @@ struct comm_point { /** variable with type of socket, UDP,TCP-accept,TCP,pipe */ type; - /* -------- PROXYv2 ------- */ - /** if set, PROXYv2 is expected on this connection */ - int pp2_enabled; - /** header state for the PROXYv2 header (for TCP) */ - enum { - /** no header encounter yet */ - pp2_header_none = 0, - /** read the static part of the header */ - pp2_header_init, - /** read the full header */ - pp2_header_done - } pp2_header_state; - /* ---------- Behaviour ----------- */ /** if set the connection is NOT closed on delete. */ int do_not_close; @@ -517,9 +494,8 @@ struct ub_event_base* comm_base_internal(struct comm_base* b); * Create an UDP comm point. Calls malloc. * setups the structure with the parameters you provide. * @param base: in which base to alloc the commpoint. - * @param fd: file descriptor of open UDP socket. + * @param fd : file descriptor of open UDP socket. * @param buffer: shared buffer by UDP sockets from this thread. - * @param pp2_enabled: if the comm point will support PROXYv2. * @param callback: callback function pointer. * @param callback_arg: will be passed to your callback function. * @param socket: and opened socket properties will be passed to your callback function. @@ -527,7 +503,7 @@ struct ub_event_base* comm_base_internal(struct comm_base* b); * Sets timeout to NULL. Turns off TCP options. */ struct comm_point* comm_point_create_udp(struct comm_base* base, - int fd, struct sldns_buffer* buffer, int pp2_enabled, + int fd, struct sldns_buffer* buffer, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** @@ -535,9 +511,8 @@ struct comm_point* comm_point_create_udp(struct comm_base* base, * Uses recvmsg instead of recv to get udp message. * setups the structure with the parameters you provide. * @param base: in which base to alloc the commpoint. - * @param fd: file descriptor of open UDP socket. + * @param fd : file descriptor of open UDP socket. * @param buffer: shared buffer by UDP sockets from this thread. - * @param pp2_enabled: if the comm point will support PROXYv2. * @param callback: callback function pointer. * @param callback_arg: will be passed to your callback function. * @param socket: and opened socket properties will be passed to your callback function. @@ -545,7 +520,7 @@ struct comm_point* comm_point_create_udp(struct comm_base* base, * Sets timeout to NULL. Turns off TCP options. */ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base, - int fd, struct sldns_buffer* buffer, int pp2_enabled, + int fd, struct sldns_buffer* buffer, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** @@ -567,7 +542,6 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base, * or NULL to not create those structures in the tcp handlers. * @param port_type: the type of port we are creating a TCP listener for. Used * to select handler type to use. - * @param pp2_enabled: if the comm point will support PROXYv2. * @param callback: callback function pointer for TCP handlers. * @param callback_arg: will be passed to your callback function. * @param socket: and opened socket properties will be passed to your callback function. @@ -581,7 +555,7 @@ struct comm_point* comm_point_create_tcp(struct comm_base* base, uint32_t http_max_streams, char* http_endpoint, struct tcl_list* tcp_conn_limit, size_t bufsize, struct sldns_buffer* spoolbuf, - enum listen_type port_type, int pp2_enabled, + enum listen_type port_type, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** diff --git a/contrib/unbound/util/proxy_protocol.c b/contrib/unbound/util/proxy_protocol.c deleted file mode 100644 index 757c5141db96..000000000000 --- a/contrib/unbound/util/proxy_protocol.c +++ /dev/null @@ -1,139 +0,0 @@ -/* - * util/proxy_protocol.c - event notification - * - * Copyright (c) 2022, NLnet Labs. All rights reserved. - * - * This software is open source. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of the NLNET LABS nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED - * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * \file - * - * This file contains PROXY protocol functions. - */ -#include "config.h" -#include "util/log.h" -#include "util/proxy_protocol.h" - -int -pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src, - int stream) -{ - int af; - if(!src) return 0; - af = (int)((struct sockaddr_in*)src)->sin_family; - if(sldns_buffer_remaining(buf) < - PP2_HEADER_SIZE + (af==AF_INET?12:36)) { - return 0; - } - /* sig */ - sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN); - /* version and command */ - sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY); - if(af==AF_INET) { - /* family and protocol */ - sldns_buffer_write_u8(buf, - (PP2_AF_INET<<4) | - (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM)); - /* length */ - sldns_buffer_write_u16(buf, 12); - /* src addr */ - sldns_buffer_write(buf, - &((struct sockaddr_in*)src)->sin_addr.s_addr, 4); - /* dst addr */ - sldns_buffer_write_u32(buf, 0); - /* src port */ - sldns_buffer_write(buf, - &((struct sockaddr_in*)src)->sin_port, 2); - /* dst port */ - sldns_buffer_write_u16(buf, 0); - } else { - /* family and protocol */ - sldns_buffer_write_u8(buf, - (PP2_AF_INET6<<4) | - (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM)); - /* length */ - sldns_buffer_write_u16(buf, 36); - /* src addr */ - sldns_buffer_write(buf, - &((struct sockaddr_in6*)src)->sin6_addr, 16); - /* dst addr */ - sldns_buffer_set_at(buf, - sldns_buffer_position(buf), 0, 16); - sldns_buffer_skip(buf, 16); - /* src port */ - sldns_buffer_write(buf, - &((struct sockaddr_in6*)src)->sin6_port, 2); - /* dst port */ - sldns_buffer_write_u16(buf, 0); - } - return 1; -} - -struct pp2_header* -pp2_read_header(struct sldns_buffer* buf) -{ - size_t size; - struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf); - /* Try to fail all the unsupported cases first. */ - if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) { - log_err("proxy_protocol: not enough space for header"); - return NULL; - } - /* Check for PROXYv2 header */ - if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 || - ((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) { - log_err("proxy_protocol: could not match PROXYv2 header"); - return NULL; - } - /* Check the length */ - size = PP2_HEADER_SIZE + ntohs(header->len); - if(sldns_buffer_remaining(buf) < size) { - log_err("proxy_protocol: not enough space for header"); - return NULL; - } - /* Check for supported commands */ - if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL && - (header->ver_cmd & 0xF) != PP2_CMD_PROXY) { - log_err("proxy_protocol: unsupported command"); - return NULL; - } - /* Check for supported family and protocol */ - if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ && - header->fam_prot != 0x11 /* AF_INET|STREAM */ && - header->fam_prot != 0x12 /* AF_INET|DGRAM */ && - header->fam_prot != 0x21 /* AF_INET6|STREAM */ && - header->fam_prot != 0x22 /* AF_INET6|DGRAM */) { - log_err("proxy_protocol: unsupported family and protocol"); - return NULL; - } - /* We have a correct header */ - return header; -} diff --git a/contrib/unbound/util/proxy_protocol.h b/contrib/unbound/util/proxy_protocol.h deleted file mode 100644 index 13cab9d7438e..000000000000 --- a/contrib/unbound/util/proxy_protocol.h +++ /dev/null @@ -1,131 +0,0 @@ -/* - * util/proxy_protocol.h - PROXY protocol - * - * Copyright (c) 2022, NLnet Labs. All rights reserved. - * - * This software is open source. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * - * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation - * and/or other materials provided with the distribution. - * - * Neither the name of the NLNET LABS nor the names of its contributors may - * be used to endorse or promote products derived from this software without - * specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS - * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT - * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR - * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT - * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED - * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -/** - * \file - * - * This file contains PROXY protocol structs and functions. - * Only v2 is supported. TLVs are not currently supported. - */ -#ifndef PROXY_PROTOCOL_H -#define PROXY_PROTOCOL_H - -#include "sldns/sbuffer.h" - -/** PROXYv2 minimum header size */ -#define PP2_HEADER_SIZE 16 - -/** PROXYv2 header signature */ -#define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" -#define PP2_SIG_LEN 12 - -/** PROXYv2 version */ -#define PP2_VERSION 0x2 - -/** - * PROXYv2 command. - */ -enum pp2_command { - PP2_CMD_LOCAL = 0x0, - PP2_CMD_PROXY = 0x1 -}; - -/** - * PROXYv2 address family. - */ -enum pp2_af { - PP2_AF_UNSPEC = 0x0, - PP2_AF_INET = 0x1, - PP2_AF_INET6 = 0x2, - PP2_AF_UNIX = 0x3 -}; - -/** - * PROXYv2 protocol. - */ -enum pp2_protocol { - PP2_PROT_UNSPEC = 0x0, - PP2_PROT_STREAM = 0x1, - PP2_PROT_DGRAM = 0x2 -}; - -/** - * PROXYv2 header. - */ -struct pp2_header { - uint8_t sig[PP2_SIG_LEN]; - uint8_t ver_cmd; - uint8_t fam_prot; - uint16_t len; - union { - struct { /* for TCP/UDP over IPv4, len = 12 */ - uint32_t src_addr; - uint32_t dst_addr; - uint16_t src_port; - uint16_t dst_port; - } addr4; - struct { /* for TCP/UDP over IPv6, len = 36 */ - uint8_t src_addr[16]; - uint8_t dst_addr[16]; - uint16_t src_port; - uint16_t dst_port; - } addr6; - struct { /* for AF_UNIX sockets, len = 216 */ - uint8_t src_addr[108]; - uint8_t dst_addr[108]; - } addru; - } addr; -}; - -/** - * Write a PROXYv2 header at the current position of the buffer. - * @param buf: the buffer to write to. - * @param src: the source address. - * @param stream: if the protocol is stream or datagram. - * @return 1 on success, 0 on failure. - */ -int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src, - int stream); - -/** - * Read a PROXYv2 header from the current position of the buffer. - * It does initial validation and returns a pointer to the buffer position on - * success. - * @param buf: the buffer to read from. - * @return the pointer to the buffer position on success, NULL on error. - */ -struct pp2_header* pp2_read_header(struct sldns_buffer* buf); - -#endif /* PROXY_PROTOCOL_H */ diff --git a/contrib/unbound/util/storage/dnstree.c b/contrib/unbound/util/storage/dnstree.c index eef393f91b69..f883044afa4b 100644 --- a/contrib/unbound/util/storage/dnstree.c +++ b/contrib/unbound/util/storage/dnstree.c @@ -71,14 +71,6 @@ int addr_tree_compare(const void* k1, const void* k2) return 0; } -int addr_tree_addrport_compare(const void* k1, const void* k2) -{ - struct addr_tree_node* n1 = (struct addr_tree_node*)k1; - struct addr_tree_node* n2 = (struct addr_tree_node*)k2; - return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr, - n2->addrlen); -} - void name_tree_init(rbtree_type* tree) { rbtree_init(tree, &name_tree_compare); @@ -89,11 +81,6 @@ void addr_tree_init(rbtree_type* tree) rbtree_init(tree, &addr_tree_compare); } -void addr_tree_addrport_init(rbtree_type* tree) -{ - rbtree_init(tree, &addr_tree_addrport_compare); -} - int name_tree_insert(rbtree_type* tree, struct name_tree_node* node, uint8_t* name, size_t len, int labs, uint16_t dclass) { diff --git a/contrib/unbound/util/storage/dnstree.h b/contrib/unbound/util/storage/dnstree.h index 8aaa94098bc7..d54602fd7ddf 100644 --- a/contrib/unbound/util/storage/dnstree.h +++ b/contrib/unbound/util/storage/dnstree.h @@ -153,13 +153,6 @@ int name_tree_next_root(rbtree_type* tree, uint16_t* dclass); */ void addr_tree_init(rbtree_type* tree); -/** - * Init addr tree to be empty. - * The comparison function to be used is addr_tree_addrport_compare. - * @param tree: to init. - */ -void addr_tree_addrport_init(rbtree_type* tree); - /** * insert element into addr tree. * @param tree: addr tree @@ -214,7 +207,4 @@ int name_tree_compare(const void* k1, const void* k2); /** compare addr tree nodes */ int addr_tree_compare(const void* k1, const void* k2); -/** compare addr tree nodes (address and port only) */ -int addr_tree_addrport_compare(const void* k1, const void* k2); - #endif /* UTIL_STORAGE_DNSTREE_H */ diff --git a/contrib/unbound/util/tube.c b/contrib/unbound/util/tube.c index 43455feefb7f..40556e72020b 100644 --- a/contrib/unbound/util/tube.c +++ b/contrib/unbound/util/tube.c @@ -424,28 +424,6 @@ int tube_wait(struct tube* tube) return pollit(tube->sr, NULL); } -int tube_wait_timeout(struct tube* tube, int msec) -{ - struct timeval t; - int fd = tube->sr; - fd_set r; - t.tv_sec = msec/1000; - t.tv_usec = (msec%1000)*1000; -#ifndef S_SPLINT_S - FD_ZERO(&r); - FD_SET(FD_SET_T fd, &r); -#endif - while(1) { - if(select(fd+1, &r, NULL, NULL, &t) == -1) { - if(errno == EAGAIN || errno == EINTR) - continue; - return -1; - } - break; - } - return (int)(FD_ISSET(fd, &r)); -} - int tube_read_fd(struct tube* tube) { return tube->sr; @@ -671,26 +649,6 @@ int tube_wait(struct tube* tube) return 1; } -int tube_wait_timeout(struct tube* tube, int msec) -{ - /* block on eventhandle */ - DWORD res = WSAWaitForMultipleEvents( - 1 /* one event in array */, - &tube->event /* the event to wait for, our pipe signal */, - 0 /* wait for all events is false */, - msec /* wait for timeout */, - 0 /* we are not alertable for IO completion routines */ - ); - if(res == WSA_WAIT_TIMEOUT) { - return 0; - } - if(res == WSA_WAIT_IO_COMPLETION) { - /* a bit unexpected, since we were not alertable */ - return -1; - } - return 1; -} - int tube_read_fd(struct tube* ATTR_UNUSED(tube)) { /* nothing sensible on Windows */ diff --git a/contrib/unbound/util/tube.h b/contrib/unbound/util/tube.h index 5e4fb86445c9..5b1fdb8e8f46 100644 --- a/contrib/unbound/util/tube.h +++ b/contrib/unbound/util/tube.h @@ -204,14 +204,6 @@ int tube_poll(struct tube* tube); */ int tube_wait(struct tube* tube); -/** - * Wait for data to be ready with a timeout. - * @param tube: the tube to wait on. - * @param msec: timeout in milliseconds. - * @return 1 if there is something to read within timeout, readability. - * 0 on a timeout. On failures -1, like errors. */ -int tube_wait_timeout(struct tube* tube, int msec); - /** * Get FD that is readable when new information arrives. * @param tube diff --git a/lib/libunbound/Makefile b/lib/libunbound/Makefile index 4ce8fcb4ab92..fff53feed15b 100644 --- a/lib/libunbound/Makefile +++ b/lib/libunbound/Makefile @@ -23,8 +23,7 @@ SRCS= alloc.c as112.c authzone.c autotrust.c cachedb.c config_file.c \ listen_dnsport.c localzone.c locks.c log.c lookup3.c lruhash.c \ mesh.c mini_event.c modstack.c module.c msgencode.c msgparse.c \ msgreply.c net_help.c netevent.c outbound_list.c outside_network.c \ - packed_rrset.c parse.c parseutil.c proxy_protocol.c \ - random.c rbtree.c redis.c \ + packed_rrset.c parse.c parseutil.c random.c rbtree.c redis.c \ regional.c respip.c rpz.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c \ str2wire.c tcp_conn_limit.c timehist.c tube.c ub_event_pluggable.c \ val_anchor.c val_kcache.c val_kentry.c val_neg.c val_nsec.c \ diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c index 8e15237bc10c..f7a97ef04018 100644 --- a/sys/fs/nfsserver/nfs_nfsdport.c +++ b/sys/fs/nfsserver/nfs_nfsdport.c @@ -6776,6 +6776,8 @@ nfsvno_setxattr(struct vnode *vp, char *name, int len, struct mbuf *m, if (error == 0) { error = VOP_SETEXTATTR(vp, EXTATTR_NAMESPACE_USER, name, uiop, cred, p); + if (error == 0) + error = VOP_FSYNC(vp, MNT_WAIT, p); free(iv, M_TEMP); } @@ -6811,6 +6813,8 @@ nfsvno_rmxattr(struct nfsrv_descript *nd, struct vnode *vp, char *name, if (error == EOPNOTSUPP) error = VOP_SETEXTATTR(vp, EXTATTR_NAMESPACE_USER, name, NULL, cred, p); + if (error == 0) + error = VOP_FSYNC(vp, MNT_WAIT, p); out: NFSEXITCODE(error); return (error); diff --git a/usr.sbin/unbound/config.h b/usr.sbin/unbound/config.h index 20822b930ab8..433fb57c5ee2 100644 --- a/usr.sbin/unbound/config.h +++ b/usr.sbin/unbound/config.h @@ -731,7 +731,7 @@ #define PACKAGE_NAME "unbound" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "unbound 1.17.0" +#define PACKAGE_STRING "unbound 1.16.3" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "unbound" @@ -740,7 +740,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.17.0" +#define PACKAGE_VERSION "1.16.3" /* default pidfile location */ #define PIDFILE "/var/unbound/unbound.pid" @@ -762,7 +762,7 @@ #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem" /* version number for resource files */ -#define RSRC_PACKAGE_VERSION 1,17,0,0 +#define RSRC_PACKAGE_VERSION 1,16,3,0 /* Directory to chdir to */ #define RUN_DIR "/var/unbound"