unbound: Vendor import 1.17.0

Added ACL per interface, proxy protocol and bug fixes.

Announcement:   https://nlnetlabs.nl/news/2022/Oct/13/unbound-1.17.0-released/

Merge commit '643f9a0581e8aac7eb790ced1164748939829826' into new_merge

contrib/unbound/Makefile.in

@@ -130,7 +130,7 @@ util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
 util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
 util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
-util/timehist.c util/tube.c \
+util/timehist.c util/tube.c util/proxy_protocol.c \
 util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
 validator/autotrust.c validator/val_anchor.c validator/validator.c \
 validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
@@ -148,7 +148,7 @@ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
 fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
-autotrust.lo val_anchor.lo rpz.lo \
+autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
@@ -984,6 +984,8 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h
+proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \
+ $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@@ -1512,7 +1514,7 @@ asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libu
  $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
 streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h

contrib/unbound/acx_nlnetlabs.m4

@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 43
+# Version 44
+# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
 # 2021-08-17 fix sed script in ssldir split handling.
 # 2021-08-17 fix for openssl to detect split version, with ssldir_include
 # 	     and ssldir_lib output directories.
@@ -963,6 +964,9 @@ AC_LANG_SOURCE([[
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif

contrib/unbound/compat/arc4random.c

@@ -57,6 +57,8 @@
 #define BLOCKSZ	64
 #define RSBUFSZ	(16*BLOCKSZ)
 
+#define REKEY_BASE	(1024*1024) /* NB. should be a power of 2 */
+
 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
 static struct {
 	size_t		rs_have;	/* valid bytes at end of rs_buf */
@@ -179,6 +181,7 @@ static void
 _rs_stir(void)
 {
 	u_char rnd[KEYSZ + IVSZ];
+	uint32_t rekey_fuzz = 0;
 
 	if (getentropy(rnd, sizeof rnd) == -1) {
 		if(errno != ENOSYS ||
@@ -201,7 +204,10 @@ _rs_stir(void)
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
-	rs->rs_count = 1600000;
+	/* rekey interval should not be predictable */
+	chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+	    (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+	rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 
 static inline void

contrib/unbound/config.guess

@@ -4,7 +4,7 @@
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2022-08-01'
+timestamp='2022-09-17'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -966,6 +966,12 @@ EOF
 	GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
 	GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC
 	;;
+    x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*)
+	GUESS="$UNAME_MACHINE-pc-managarm-mlibc"
+	;;
+    *:[Mm]anagarm:*:*)
+	GUESS="$UNAME_MACHINE-unknown-managarm-mlibc"
+	;;
     *:Minix:*:*)
 	GUESS=$UNAME_MACHINE-unknown-minix
 	;;

contrib/unbound/config.h.in

@@ -298,6 +298,9 @@
 /* Define to 1 if you have the `getrlimit' function. */
 #undef HAVE_GETRLIMIT
 
+/* Define to 1 if you have the `gettid' function. */
+#undef HAVE_GETTID
+
 /* Define to 1 if you have the `glob' function. */
 #undef HAVE_GLOB
 
@@ -457,6 +460,12 @@
 /* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
 #undef HAVE_OSSL_PARAM_BLD_NEW
 
+/* Define to 1 if you have the `poll' function. */
+#undef HAVE_POLL
+
+/* Define to 1 if you have the <poll.h> header file. */
+#undef HAVE_POLL_H
+
 /* Define if you have POSIX threads libraries and header files. */
 #undef HAVE_PTHREAD
 
@@ -800,12 +809,18 @@
 /* Shared data */
 #undef SHARE_DIR
 
+/* The size of `pthread_t', as computed by sizeof. */
+#undef SIZEOF_PTHREAD_T
+
 /* The size of `size_t', as computed by sizeof. */
 #undef SIZEOF_SIZE_T
 
 /* The size of `time_t', as computed by sizeof. */
 #undef SIZEOF_TIME_T
 
+/* The size of `unsigned long', as computed by sizeof. */
+#undef SIZEOF_UNSIGNED_LONG
+
 /* define if (v)snprintf does not return length needed, (but length used) */
 #undef SNPRINTF_RET_BROKEN
 

contrib/unbound/config.sub

@@ -4,7 +4,7 @@
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2022-08-01'
+timestamp='2022-09-17'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -145,7 +145,7 @@ case $1 in
 			nto-qnx* | linux-* | uclinux-uclibc* \
 			| uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \
 			| netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \
-			| storm-chaos* | os2-emx* | rtmk-nova*)
+			| storm-chaos* | os2-emx* | rtmk-nova* | managarm-*)
 				basic_machine=$field1
 				basic_os=$maybe_os
 				;;
@@ -1341,6 +1341,10 @@ EOF
 		kernel=linux
 		os=`echo "$basic_os" | sed -e 's|linux|gnu|'`
 		;;
+	managarm*)
+		kernel=managarm
+		os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'`
+		;;
 	*)
 		kernel=
 		os=$basic_os
@@ -1754,7 +1758,7 @@ case $os in
 	     | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
 	     | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
 	     | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
-	     | fiwix* )
+	     | fiwix* | mlibc* )
 		;;
 	# This one is extra strict with allowed versions
 	sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
@@ -1762,6 +1766,9 @@ case $os in
 		;;
 	none)
 		;;
+	kernel* )
+		# Restricted further below
+		;;
 	*)
 		echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2
 		exit 1
@@ -1772,16 +1779,26 @@ esac
 # (given a valid OS), if there is a kernel.
 case $kernel-$os in
 	linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \
-		   | linux-musl* | linux-relibc* | linux-uclibc* )
+		   | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* )
 		;;
 	uclinux-uclibc* )
 		;;
-	-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* )
+	managarm-mlibc* | managarm-kernel* )
+		;;
+	-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* )
 		# These are just libc implementations, not actual OSes, and thus
 		# require a kernel.
 		echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2
 		exit 1
 		;;
+	-kernel* )
+		echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2
+		exit 1
+		;;
+	*-kernel* )
+		echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2
+		exit 1
+		;;
 	kfreebsd*-gnu* | kopensolaris*-gnu*)
 		;;
 	vxworks-simlinux | vxworks-simwindows | vxworks-spe)

contrib/unbound/configure

@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.16.3.
+# Generated by GNU Autoconf 2.69 for unbound 1.17.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.16.3'
-PACKAGE_STRING='unbound 1.16.3'
+PACKAGE_VERSION='1.17.0'
+PACKAGE_STRING='unbound 1.17.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.16.3 to adapt to many kinds of systems.
+\`configure' configures unbound 1.17.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1543,7 +1543,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.16.3:";;
+     short | recursive ) echo "Configuration of unbound 1.17.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1785,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.16.3
+unbound configure 1.17.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.16.3, which was
+It was created by unbound $as_me 1.17.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2844,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=16
+UNBOUND_VERSION_MINOR=17
 
-UNBOUND_VERSION_MICRO=3
+UNBOUND_VERSION_MICRO=0
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=19
+LIBUNBOUND_REVISION=20
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2937,6 +2937,7 @@ LIBUNBOUND_AGE=1
 # 1.16.1 had 9:17:1
 # 1.16.2 had 9:18:1
 # 1.16.3 had 9:19:1
+# 1.17.0 had 9:20:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -14772,7 +14773,7 @@ fi
 fi
 
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@@ -16031,6 +16032,9 @@ else
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
@@ -17101,6 +17105,72 @@ _ACEOF
 
 fi
 
+		# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5
+$as_echo_n "checking size of unsigned long... " >&6; }
+if ${ac_cv_sizeof_unsigned_long+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_unsigned_long" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (unsigned long)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_unsigned_long=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5
+$as_echo "$ac_cv_sizeof_unsigned_long" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long
+_ACEOF
+
+
+		# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of pthread_t" >&5
+$as_echo_n "checking size of pthread_t... " >&6; }
+if ${ac_cv_sizeof_pthread_t+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (pthread_t))" "ac_cv_sizeof_pthread_t"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_pthread_t" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (pthread_t)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_pthread_t=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_pthread_t" >&5
+$as_echo "$ac_cv_sizeof_pthread_t" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_PTHREAD_T $ac_cv_sizeof_pthread_t
+_ACEOF
+
+
 
 		if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5
@@ -20591,7 +20661,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -22015,7 +22085,7 @@ _ACEOF
 
 
 
-version=1.16.3
+version=1.17.0
 
 date=`date +'%b %e, %Y'`
 
@@ -22534,7 +22604,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.16.3, which was
+This file was extended by unbound $as_me 1.17.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22600,7 +22670,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.16.3
+unbound config.status 1.17.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

contrib/unbound/configure.ac

@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[16])
-m4_define([VERSION_MICRO],[3])
+m4_define([VERSION_MINOR],[17])
+m4_define([VERSION_MICRO],[0])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=19
+LIBUNBOUND_REVISION=20
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -105,6 +105,7 @@ LIBUNBOUND_AGE=1
 # 1.16.1 had 9:17:1
 # 1.16.2 had 9:18:1
 # 1.16.3 had 9:19:1
+# 1.17.0 had 9:20:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -397,7 +398,7 @@ PKG_PROG_PKG_CONFIG
 fi
 
 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h],,, [AC_INCLUDES_DEFAULT])
 # net/if.h portability for Darwin see:
 # https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
 AC_CHECK_HEADERS([net/if.h],,, [
@@ -607,6 +608,8 @@ if test x_$withval != x_no; then
 		CC="$PTHREAD_CC"
 		ub_have_pthreads=yes
 		AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include <pthread.h>])
+		AC_CHECK_SIZEOF([unsigned long])
+		AC_CHECK_SIZEOF(pthread_t)
 
 		if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
 		AC_MSG_CHECKING([if -pthread unused during linking])
@@ -1644,7 +1647,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
   AC_MSG_RESULT(no))
 
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 

contrib/unbound/daemon/acl_list.c

@@ -46,9 +46,10 @@
 #include "util/config_file.h"
 #include "util/net_help.h"
 #include "services/localzone.h"
+#include "services/listen_dnsport.h"
 #include "sldns/str2wire.h"
 
-struct acl_list* 
+struct acl_list*
 acl_list_create(void)
 {
 	struct acl_list* acl = (struct acl_list*)calloc(1,
@@ -63,10 +64,10 @@ acl_list_create(void)
 	return acl;
 }
 
-void 
+void
 acl_list_delete(struct acl_list* acl)
 {
-	if(!acl) 
+	if(!acl)
 		return;
 	regional_destroy(acl->region);
 	free(acl);
@@ -74,8 +75,8 @@ acl_list_delete(struct acl_list* acl)
 
 /** insert new address into acl_list structure */
 static struct acl_addr*
-acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, 
-	socklen_t addrlen, int net, enum acl_access control, 
+acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
+	socklen_t addrlen, int net, enum acl_access control,
 	int complain_duplicates)
 {
 	struct acl_addr* node = regional_alloc_zero(acl->region,
@@ -90,6 +91,31 @@ acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
 	return node;
 }
 
+/** parse str to acl_access enum */
+static int
+parse_acl_access(const char* str, enum acl_access* control)
+{
+	if(strcmp(str, "allow") == 0)
+		*control = acl_allow;
+	else if(strcmp(str, "deny") == 0)
+		*control = acl_deny;
+	else if(strcmp(str, "refuse") == 0)
+		*control = acl_refuse;
+	else if(strcmp(str, "deny_non_local") == 0)
+		*control = acl_deny_non_local;
+	else if(strcmp(str, "refuse_non_local") == 0)
+		*control = acl_refuse_non_local;
+	else if(strcmp(str, "allow_snoop") == 0)
+		*control = acl_allow_snoop;
+	else if(strcmp(str, "allow_setrd") == 0)
+		*control = acl_allow_setrd;
+	else {
+		log_err("access control type %s unknown", str);
+		return 0;
+	}
+	return 1;
+}
+
 /** apply acl_list string */
 static int
 acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
@@ -99,29 +125,14 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 	int net;
 	socklen_t addrlen;
 	enum acl_access control;
-	if(strcmp(s2, "allow") == 0)
-		control = acl_allow;
-	else if(strcmp(s2, "deny") == 0)
-		control = acl_deny;
-	else if(strcmp(s2, "refuse") == 0)
-		control = acl_refuse;
-	else if(strcmp(s2, "deny_non_local") == 0)
-		control = acl_deny_non_local;
-	else if(strcmp(s2, "refuse_non_local") == 0)
-		control = acl_refuse_non_local;
-	else if(strcmp(s2, "allow_snoop") == 0)
-		control = acl_allow_snoop;
-	else if(strcmp(s2, "allow_setrd") == 0)
-		control = acl_allow_setrd;
-	else {
-		log_err("access control type %s unknown", str);
+	if(!parse_acl_access(s2, &control)) {
 		return 0;
 	}
 	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
 		log_err("cannot parse access control: %s %s", str, s2);
 		return 0;
 	}
-	if(!acl_list_insert(acl, &addr, addrlen, net, control, 
+	if(!acl_list_insert(acl, &addr, addrlen, net, control,
 		complain_duplicates)) {
 		log_err("out of memory");
 		return 0;
@@ -131,19 +142,27 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 
 /** find or create node (NULL on parse or error) */
 static struct acl_addr*
-acl_find_or_create(struct acl_list* acl, const char* str)
+acl_find_or_create_str2addr(struct acl_list* acl, const char* str,
+	int is_interface, int port)
 {
 	struct acl_addr* node;
 	struct sockaddr_storage addr;
-	int net;
 	socklen_t addrlen;
-	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
-		log_err("cannot parse netblock: %s", str);
-		return NULL;
+	int net = (str_is_ip6(str)?128:32);
+	if(is_interface) {
+		if(!extstrtoaddr(str, &addr, &addrlen, port)) {
+			log_err("cannot parse interface: %s", str);
+			return NULL;
+		}
+	} else {
+		if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
+			log_err("cannot parse netblock: %s", str);
+			return NULL;
+		}
 	}
 	/* find or create node */
 	if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr,
-		addrlen, net))) {
+		addrlen, net)) && !is_interface) {
 		/* create node, type 'allow' since otherwise tags are
 		 * pointless, can override with specific access-control: cfg */
 		if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr,
@@ -155,14 +174,65 @@ acl_find_or_create(struct acl_list* acl, const char* str)
 	return node;
 }
 
+/** find or create node (NULL on error) */
+static struct acl_addr*
+acl_find_or_create(struct acl_list* acl, struct sockaddr_storage* addr,
+	socklen_t addrlen, enum acl_access control)
+{
+	struct acl_addr* node;
+	int net = (addr_is_ip6(addr, addrlen)?128:32);
+	/* find or create node */
+	if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, addr,
+		addrlen, net))) {
+		/* create node;
+		 * can override with specific access-control: cfg */
+		if(!(node=(struct acl_addr*)acl_list_insert(acl, addr,
+			addrlen, net, control, 1))) {
+			log_err("out of memory");
+			return NULL;
+		}
+	}
+	return node;
+}
+
+/** apply acl_interface string */
+static int
+acl_interface_str_cfg(struct acl_list* acl_interface, const char* iface,
+	const char* s2, int port)
+{
+	struct acl_addr* node;
+	enum acl_access control;
+	if(!parse_acl_access(s2, &control)) {
+		return 0;
+	}
+	if(!(node=acl_find_or_create_str2addr(acl_interface, iface, 1, port))) {
+		log_err("cannot update ACL on non-configured interface: %s %d",
+			iface, port);
+		return 0;
+	}
+	node->control = control;
+	return 1;
+}
+
+struct acl_addr*
+acl_interface_insert(struct acl_list* acl_interface,
+	struct sockaddr_storage* addr, socklen_t addrlen,
+	enum acl_access control)
+{
+	return acl_find_or_create(acl_interface, addr, addrlen, control);
+}
+
 /** apply acl_tag string */
 static int
 acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
-	size_t bitmaplen)
+	size_t bitmaplen, int is_interface, int port)
 {
 	struct acl_addr* node;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	node->taglen = bitmaplen;
 	node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen);
 	if(!node->taglist) {
@@ -175,11 +245,14 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
 /** apply acl_view string */
 static int
 acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
-	struct views* vs)
+	struct views* vs, int is_interface, int port)
 {
 	struct acl_addr* node;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	node->view = views_find_view(vs, str2, 0 /* get read lock*/);
 	if(!node->view) {
 		log_err("no view with name: %s", str2);
@@ -192,13 +265,17 @@ acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
 /** apply acl_tag_action string */
 static int
 acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
-	const char* str, const char* tag, const char* action)
+	const char* str, const char* tag, const char* action,
+	int is_interface, int port)
 {
 	struct acl_addr* node;
 	int tagid;
 	enum localzone_type t;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	/* allocate array if not yet */
 	if(!node->tag_actions) {
 		node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region,
@@ -281,13 +358,17 @@ check_data(const char* data, const struct config_strlist* head)
 /** apply acl_tag_data string */
 static int
 acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
-	const char* str, const char* tag, const char* data)
+	const char* str, const char* tag, const char* data,
+	int is_interface, int port)
 {
 	struct acl_addr* node;
 	int tagid;
 	char* dupdata;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	/* allocate array if not yet */
 	if(!node->tag_datas) {
 		node->tag_datas = (struct config_strlist**)regional_alloc_zero(
@@ -329,11 +410,11 @@ acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
 }
 
 /** read acl_list config */
-static int 
-read_acl_list(struct acl_list* acl, struct config_file* cfg)
+static int
+read_acl_list(struct acl_list* acl, struct config_str2list* acls)
 {
 	struct config_str2list* p;
-	for(p = cfg->acls; p; p = p->next) {
+	for(p = acls; p; p = p->next) {
 		log_assert(p->str && p->str2);
 		if(!acl_list_str_cfg(acl, p->str, p->str2, 1))
 			return 0;
@@ -341,15 +422,38 @@ read_acl_list(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
-/** read acl tags config */
-static int 
-read_acl_tags(struct acl_list* acl, struct config_file* cfg)
+/** read acl view config */
+static int
+read_acl_view(struct acl_list* acl, struct config_str2list** acl_view,
+	struct views* v)
 {
-	struct config_strbytelist* np, *p = cfg->acl_tags;
-	cfg->acl_tags = NULL;
+	struct config_str2list* np, *p = *acl_view;
+	*acl_view = NULL;
 	while(p) {
 		log_assert(p->str && p->str2);
-		if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) {
+		if(!acl_list_view_cfg(acl, p->str, p->str2, v, 0, 0)) {
+			config_deldblstrlist(p);
+			return 0;
+		}
+		/* free the items as we go to free up memory */
+		np = p->next;
+		free(p->str);
+		free(p->str2);
+		free(p);
+		p = np;
+	}
+	return 1;
+}
+
+/** read acl tags config */
+static int
+read_acl_tags(struct acl_list* acl, struct config_strbytelist** acl_tags)
+{
+	struct config_strbytelist* np, *p = *acl_tags;
+	*acl_tags = NULL;
+	while(p) {
+		log_assert(p->str && p->str2);
+		if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len, 0, 0)) {
 			config_del_strbytelist(p);
 			return 0;
 		}
@@ -363,38 +467,18 @@ read_acl_tags(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
-/** read acl view config */
-static int 
-read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
-{
-	struct config_str2list* np, *p = cfg->acl_view;
-	cfg->acl_view = NULL;
-	while(p) {
-		log_assert(p->str && p->str2);
-		if(!acl_list_view_cfg(acl, p->str, p->str2, v)) {
-			return 0;
-		}
-		/* free the items as we go to free up memory */
-		np = p->next;
-		free(p->str);
-		free(p->str2);
-		free(p);
-		p = np;
-	}
-	return 1;
-}
-
 /** read acl tag actions config */
-static int 
-read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
+static int
+read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg,
+	struct config_str3list** acl_tag_actions)
 {
 	struct config_str3list* p, *np;
-	p = cfg->acl_tag_actions;
-	cfg->acl_tag_actions = NULL;
+	p = *acl_tag_actions;
+	*acl_tag_actions = NULL;
 	while(p) {
 		log_assert(p->str && p->str2 && p->str3);
 		if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2,
-			p->str3)) {
+			p->str3, 0, 0)) {
 			config_deltrplstrlist(p);
 			return 0;
 		}
@@ -410,15 +494,17 @@ read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
 }
 
 /** read acl tag datas config */
-static int 
-read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
+static int
+read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg,
+	struct config_str3list** acl_tag_datas)
 {
 	struct config_str3list* p, *np;
-	p = cfg->acl_tag_datas;
-	cfg->acl_tag_datas = NULL;
+	p = *acl_tag_datas;
+	*acl_tag_datas = NULL;
 	while(p) {
 		log_assert(p->str && p->str2 && p->str3);
-		if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) {
+		if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3,
+			0, 0)) {
 			config_deltrplstrlist(p);
 			return 0;
 		}
@@ -433,30 +519,27 @@ read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
-int 
+int
 acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
 	struct views* v)
 {
 	regional_free_all(acl->region);
 	addr_tree_init(&acl->tree);
-	if(!read_acl_list(acl, cfg))
+	if(!read_acl_list(acl, cfg->acls))
 		return 0;
-	if(!read_acl_view(acl, cfg, v))
+	if(!read_acl_view(acl, &cfg->acl_view, v))
 		return 0;
-	if(!read_acl_tags(acl, cfg))
+	if(!read_acl_tags(acl, &cfg->acl_tags))
 		return 0;
-	if(!read_acl_tag_actions(acl, cfg))
+	if(!read_acl_tag_actions(acl, cfg, &cfg->acl_tag_actions))
 		return 0;
-	if(!read_acl_tag_datas(acl, cfg))
+	if(!read_acl_tag_datas(acl, cfg, &cfg->acl_tag_datas))
 		return 0;
 	/* insert defaults, with '0' to ignore them if they are duplicates */
-	if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
-		return 0;
+	/* the 'refuse' defaults for /0 are now done per interface instead */
 	if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0))
 		return 0;
 	if(cfg->do_ip6) {
-		if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0))
-			return 0;
 		if(!acl_list_str_cfg(acl, "::1", "allow", 0))
 			return 0;
 		if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0))
@@ -466,7 +549,223 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
 	return 1;
 }
 
-enum acl_access 
+int
+acl_interface_compare(const void* k1, const void* k2)
+{
+	struct addr_tree_node* n1 = (struct addr_tree_node*)k1;
+	struct addr_tree_node* n2 = (struct addr_tree_node*)k2;
+	return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr,
+		n2->addrlen);
+	/* We don't care about comparing node->net. All addresses in the
+	 * acl_interface tree have either 32 (ipv4) or 128 (ipv6). */
+}
+
+void
+acl_interface_init(struct acl_list* acl_interface)
+{
+	regional_free_all(acl_interface->region);
+	/* We want comparison in the tree to include only address and port.
+	 * We don't care about comparing node->net. All addresses in the
+	 * acl_interface->tree should have either 32 (ipv4) or 128 (ipv6).
+	 * Initialise with the appropriate compare function but keep treating
+	 * it as an addr_tree. */
+	addr_tree_addrport_init(&acl_interface->tree);
+}
+
+static int
+read_acl_interface_action(struct acl_list* acl_interface,
+	struct config_str2list* acls, int port)
+{
+	struct config_str2list* p;
+	for(p = acls; p; p = p->next) {
+		char** resif = NULL;
+		int num_resif = 0;
+		int i;
+		log_assert(p->str && p->str2);
+		if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif))
+			return 0;
+		for(i = 0; i<num_resif; i++) {
+			if(!acl_interface_str_cfg(acl_interface, resif[i], p->str2, port)){
+				config_del_strarray(resif, num_resif);
+				return 0;
+			}
+		}
+		config_del_strarray(resif, num_resif);
+	}
+	return 1;
+}
+
+/** read acl view config for interface */
+static int
+read_acl_interface_view(struct acl_list* acl_interface,
+	struct config_str2list** acl_view,
+	struct views* v, int port)
+{
+	struct config_str2list* np, *p = *acl_view;
+	*acl_view = NULL;
+	while(p) {
+		char** resif = NULL;
+		int num_resif = 0;
+		int i;
+		log_assert(p->str && p->str2);
+		if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
+			config_deldblstrlist(p);
+			return 0;
+		}
+		for(i = 0; i<num_resif; i++) {
+			if(!acl_list_view_cfg(acl_interface, resif[i], p->str2,
+				v, 1, port)) {
+				config_del_strarray(resif, num_resif);
+				config_deldblstrlist(p);
+				return 0;
+			}
+		}
+		config_del_strarray(resif, num_resif);
+		/* free the items as we go to free up memory */
+		np = p->next;
+		free(p->str);
+		free(p->str2);
+		free(p);
+		p = np;
+	}
+	return 1;
+}
+
+/** read acl tags config for interface */
+static int
+read_acl_interface_tags(struct acl_list* acl_interface,
+	struct config_strbytelist** acl_tags, int port)
+{
+	struct config_strbytelist* np, *p = *acl_tags;
+	*acl_tags = NULL;
+	while(p) {
+		char** resif = NULL;
+		int num_resif = 0;
+		int i;
+		log_assert(p->str && p->str2);
+		if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
+			config_del_strbytelist(p);
+			return 0;
+		}
+		for(i = 0; i<num_resif; i++) {
+			if(!acl_list_tags_cfg(acl_interface, resif[i], p->str2,
+				p->str2len, 1, port)) {
+				config_del_strbytelist(p);
+				config_del_strarray(resif, num_resif);
+				return 0;
+			}
+		}
+		config_del_strarray(resif, num_resif);
+		/* free the items as we go to free up memory */
+		np = p->next;
+		free(p->str);
+		free(p->str2);
+		free(p);
+		p = np;
+	}
+	return 1;
+}
+
+/** read acl tag actions config for interface*/
+static int
+read_acl_interface_tag_actions(struct acl_list* acl_interface,
+	struct config_file* cfg,
+	struct config_str3list** acl_tag_actions, int port)
+{
+	struct config_str3list* p, *np;
+	p = *acl_tag_actions;
+	*acl_tag_actions = NULL;
+	while(p) {
+		char** resif = NULL;
+		int num_resif = 0;
+		int i;
+		log_assert(p->str && p->str2 && p->str3);
+		if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
+			config_deltrplstrlist(p);
+			return 0;
+		}
+		for(i = 0; i<num_resif; i++) {
+			if(!acl_list_tag_action_cfg(acl_interface, cfg,
+				resif[i], p->str2, p->str3, 1, port)) {
+				config_deltrplstrlist(p);
+				config_del_strarray(resif, num_resif);
+				return 0;
+			}
+		}
+		config_del_strarray(resif, num_resif);
+		/* free the items as we go to free up memory */
+		np = p->next;
+		free(p->str);
+		free(p->str2);
+		free(p->str3);
+		free(p);
+		p = np;
+	}
+	return 1;
+}
+
+/** read acl tag datas config for interface */
+static int
+read_acl_interface_tag_datas(struct acl_list* acl_interface,
+	struct config_file* cfg,
+	struct config_str3list** acl_tag_datas, int port)
+{
+	struct config_str3list* p, *np;
+	p = *acl_tag_datas;
+	*acl_tag_datas = NULL;
+	while(p) {
+		char** resif = NULL;
+		int num_resif = 0;
+		int i;
+		log_assert(p->str && p->str2 && p->str3);
+		if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
+			config_deltrplstrlist(p);
+			return 0;
+		}
+		for(i = 0; i<num_resif; i++) {
+			if(!acl_list_tag_data_cfg(acl_interface, cfg,
+				resif[i], p->str2, p->str3, 1, port)) {
+				config_deltrplstrlist(p);
+				config_del_strarray(resif, num_resif);
+				return 0;
+			}
+		}
+		config_del_strarray(resif, num_resif);
+		/* free the items as we go to free up memory */
+		np = p->next;
+		free(p->str);
+		free(p->str2);
+		free(p->str3);
+		free(p);
+		p = np;
+	}
+	return 1;
+}
+
+int
+acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg,
+	struct views* v)
+{
+	if(!read_acl_interface_action(acl_interface, cfg->interface_actions,
+		cfg->port))
+		return 0;
+	if(!read_acl_interface_view(acl_interface, &cfg->interface_view, v,
+		cfg->port))
+		return 0;
+	if(!read_acl_interface_tags(acl_interface, &cfg->interface_tags,
+		cfg->port))
+		return 0;
+	if(!read_acl_interface_tag_actions(acl_interface, cfg,
+		&cfg->interface_tag_actions, cfg->port))
+		return 0;
+	if(!read_acl_interface_tag_datas(acl_interface, cfg,
+		&cfg->interface_tag_datas, cfg->port))
+		return 0;
+	addr_tree_init_parents(&acl_interface->tree);
+	return 1;
+}
+
+enum acl_access
 acl_get_control(struct acl_addr* acl)
 {
 	if(acl) return acl->control;
@@ -481,7 +780,7 @@ acl_addr_lookup(struct acl_list* acl, struct sockaddr_storage* addr,
 		addr, addrlen);
 }
 
-size_t 
+size_t
 acl_list_get_mem(struct acl_list* acl)
 {
 	if(!acl) return 0;

contrib/unbound/daemon/acl_list.h

@@ -36,7 +36,7 @@
 /**
  * \file
  *
- * This file keeps track of the list of clients that are allowed to 
+ * This file keeps track of the list of clients that are allowed to
  * access the server.
  */
 
@@ -74,7 +74,7 @@ enum acl_access {
 struct acl_list {
 	/** regional for allocation */
 	struct regional* region;
-	/** 
+	/**
 	 * Tree of the addresses that are allowed/blocked.
 	 * contents of type acl_addr.
 	 */
@@ -108,7 +108,7 @@ struct acl_addr {
 };
 
 /**
- * Create acl structure 
+ * Create acl structure
  * @return new structure or NULL on error.
  */
 struct acl_list* acl_list_create(void);
@@ -119,6 +119,20 @@ struct acl_list* acl_list_create(void);
  */
 void acl_list_delete(struct acl_list* acl);
 
+/**
+ * Insert interface in the acl_list. This should happen when the listening
+ * interface is setup.
+ * @param acl_interface: acl_list to insert to.
+ * @param addr: interface IP.
+ * @param addrlen: length of the interface IP.
+ * @param control: acl_access.
+ * @return new structure or NULL on error.
+ */
+struct acl_addr*
+acl_interface_insert(struct acl_list* acl_interface,
+	struct sockaddr_storage* addr, socklen_t addrlen,
+	enum acl_access control);
+
 /**
  * Process access control config.
  * @param acl: where to store.
@@ -129,6 +143,25 @@ void acl_list_delete(struct acl_list* acl);
 int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
 	struct views* v);
 
+/** compare ACL interface "addr_tree" nodes (+port) */
+int acl_interface_compare(const void* k1, const void* k2);
+
+/**
+ * Initialise (also clean) the acl_interface struct.
+ * @param acl_interface: where to store.
+ */
+void acl_interface_init(struct acl_list* acl_interface);
+
+/**
+ * Process interface control config.
+ * @param acl_interface: where to store.
+ * @param cfg: config options.
+ * @param v: views structure
+ * @return 0 on error.
+ */
+int acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg,
+	struct views* v);
+
 /**
  * Lookup access control status for acl structure.
  * @param acl: structure for acl storage.

contrib/unbound/daemon/daemon.c

@@ -96,6 +96,9 @@
 #ifdef HAVE_SYSTEMD
 #include <systemd/sd-daemon.h>
 #endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
 
 /** How many quit requests happened. */
 static int sig_record_quit = 0;
@@ -271,8 +274,17 @@ daemon_init(void)
 		free(daemon);
 		return NULL;
 	}
+	daemon->acl_interface = acl_list_create();
+	if(!daemon->acl_interface) {
+		acl_list_delete(daemon->acl);
+		edns_known_options_delete(daemon->env);
+		free(daemon->env);
+		free(daemon);
+		return NULL;
+	}
 	daemon->tcl = tcl_list_create();
 	if(!daemon->tcl) {
+		acl_list_delete(daemon->acl_interface);
 		acl_list_delete(daemon->acl);
 		edns_known_options_delete(daemon->env);
 		free(daemon->env);
@@ -284,6 +296,7 @@ daemon_init(void)
 		log_err("gettimeofday: %s", strerror(errno));
 	daemon->time_last_stat = daemon->time_boot;
 	if((daemon->env->auth_zones = auth_zones_create()) == 0) {
+		acl_list_delete(daemon->acl_interface);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
 		edns_known_options_delete(daemon->env);
@@ -293,6 +306,7 @@ daemon_init(void)
 	}
 	if(!(daemon->env->edns_strings = edns_strings_create())) {
 		auth_zones_delete(daemon->env->auth_zones);
+		acl_list_delete(daemon->acl_interface);
 		acl_list_delete(daemon->acl);
 		tcl_list_delete(daemon->tcl);
 		edns_known_options_delete(daemon->env);
@@ -303,6 +317,29 @@ daemon_init(void)
 	return daemon;	
 }
 
+static int setup_acl_for_ports(struct acl_list* list,
+	struct listen_port* port_list)
+{
+	struct acl_addr* acl_node;
+	struct addrinfo* addr;
+	for(; port_list; port_list=port_list->next) {
+		if(!port_list->socket) {
+			/* This is mainly for testbound where port_list is
+			 * empty. */
+			continue;
+		}
+		addr = port_list->socket->addr;
+		if(!(acl_node = acl_interface_insert(list,
+			(struct sockaddr_storage*)addr->ai_addr,
+			(socklen_t)addr->ai_addrlen,
+			acl_refuse))) {
+			return 0;
+		}
+		port_list->socket->acl = acl_node;
+	}
+	return 1;
+}
+
 int 
 daemon_open_shared_ports(struct daemon* daemon)
 {
@@ -320,6 +357,8 @@ daemon_open_shared_ports(struct daemon* daemon)
 			free(daemon->ports);
 			daemon->ports = NULL;
 		}
+		/* clean acl_interface */
+		acl_interface_init(daemon->acl_interface);
 		if(!resolve_interface_names(daemon->cfg->ifs,
 			daemon->cfg->num_ifs, NULL, &resif, &num_resif))
 			return 0;
@@ -329,7 +368,8 @@ daemon_open_shared_ports(struct daemon* daemon)
 			daemon->reuseport = 1;
 #endif
 		/* try to use reuseport */
-		p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport);
+		p0 = listening_ports_open(daemon->cfg, resif, num_resif,
+			&daemon->reuseport);
 		if(!p0) {
 			listening_ports_free(p0);
 			config_del_strarray(resif, num_resif);
@@ -350,6 +390,12 @@ daemon_open_shared_ports(struct daemon* daemon)
 			return 0;
 		}
 		daemon->ports[0] = p0;
+		if(!setup_acl_for_ports(daemon->acl_interface,
+		    daemon->ports[0])) {
+			listening_ports_free(p0);
+			config_del_strarray(resif, num_resif);
+			return 0;
+		}
 		if(daemon->reuseport) {
 			/* continue to use reuseport */
 			for(i=1; i<daemon->num_ports; i++) {
@@ -365,6 +411,15 @@ daemon_open_shared_ports(struct daemon* daemon)
 					config_del_strarray(resif, num_resif);
 					return 0;
 				}
+				if(!setup_acl_for_ports(daemon->acl_interface,
+					daemon->ports[i])) {
+					for(i=0; i<daemon->num_ports; i++)
+						listening_ports_free(daemon->ports[i]);
+					free(daemon->ports);
+					daemon->ports = NULL;
+					config_del_strarray(resif, num_resif);
+					return 0;
+				}
 			}
 		}
 		config_del_strarray(resif, num_resif);
@@ -604,6 +659,9 @@ daemon_fork(struct daemon* daemon)
 
 	if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views))
 		fatal_exit("Could not setup access control list");
+	if(!acl_interface_apply_cfg(daemon->acl_interface, daemon->cfg,
+		daemon->views))
+		fatal_exit("Could not setup interface control list");
 	if(!tcl_list_apply_cfg(daemon->tcl, daemon->cfg))
 		fatal_exit("Could not setup TCP connection limits");
 	if(daemon->cfg->dnscrypt) {
@@ -780,6 +838,7 @@ daemon_delete(struct daemon* daemon)
 	ub_randfree(daemon->rand);
 	alloc_clear(&daemon->superalloc);
 	acl_list_delete(daemon->acl);
+	acl_list_delete(daemon->acl_interface);
 	tcl_list_delete(daemon->tcl);
 	listen_desetup_locks();
 	free(daemon->chroot);

contrib/unbound/daemon/daemon.h

@@ -113,6 +113,8 @@ struct daemon {
 	struct module_stack mods;
 	/** access control, which client IPs are allowed to connect */
 	struct acl_list* acl;
+	/** access control, which interfaces are allowed to connect */
+	struct acl_list* acl_interface;
 	/** TCP connection limit, limit connections from client IPs */
 	struct tcl_list* tcl;
 	/** local authority zones */

contrib/unbound/daemon/remote.c

@@ -494,8 +494,8 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
 	n->c->do_not_close = 0;
 	comm_point_stop_listening(n->c);
 	comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
-	memcpy(&n->c->repinfo.addr, &addr, addrlen);
-	n->c->repinfo.addrlen = addrlen;
+	memcpy(&n->c->repinfo.remote_addr, &addr, addrlen);
+	n->c->repinfo.remote_addrlen = addrlen;
 	if(rc->use_cert) {
 		n->shake_state = rc_hs_read;
 		n->ssl = SSL_new(rc->ctx);
@@ -3304,7 +3304,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
 		if(r == 0)
 			log_err("remote control connection closed prematurely");
 		log_addr(VERB_OPS, "failed connection from",
-			&s->c->repinfo.addr, s->c->repinfo.addrlen);
+			&s->c->repinfo.remote_addr, s->c->repinfo.remote_addrlen);
 		log_crypto_err("remote control failed ssl");
 		clean_point(rc, s);
 	}

contrib/unbound/daemon/stats.c

@@ -70,6 +70,9 @@
 #include <openssl/ssl.h>
 #endif
 
+/** How long to wait for threads to transmit statistics, in msec. */
+#define STATS_THREAD_WAIT 60000
+
 /** add timers and the values do not overflow or become negative */
 static void
 stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec)
@@ -380,6 +383,28 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
 		worker_send_cmd(who, worker_cmd_stats);
 	else 	worker_send_cmd(who, worker_cmd_stats_noreset);
 	verbose(VERB_ALGO, "wait for stats reply");
+	if(tube_wait_timeout(worker->cmd, STATS_THREAD_WAIT) == 0) {
+		verbose(VERB_OPS, "no response from thread %d"
+#ifdef HAVE_GETTID
+			" LWP %u"
+#endif
+#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG)
+#  if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG
+			" pthread 0x%lx"
+#  endif
+#endif
+			,
+			who->thread_num
+#ifdef HAVE_GETTID
+			, (unsigned)who->thread_tid
+#endif
+#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG)
+#  if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG
+			, (unsigned long)*((unsigned long*)&who->thr_id)
+#  endif
+#endif
+			);
+	}
 	if(!tube_read_msg(worker->cmd, &reply, &len, 0))
 		fatal_exit("failed to read stats over cmd channel");
 	if(len != (uint32_t)sizeof(*s))
@@ -496,7 +521,7 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
 				stats->qhttps++;
 		}
 	}
-	if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen))
+	if(repinfo && addr_is_ip6(&repinfo->remote_addr, repinfo->remote_addrlen))
 		stats->qipv6++;
 	if( (flags&BIT_QR) )
 		stats->qbit_QR++;

contrib/unbound/daemon/worker.c

@@ -547,7 +547,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 static int
 apply_respip_action(struct worker* worker, const struct query_info* qinfo,
 	struct respip_client_info* cinfo, struct reply_info* rep,
-	struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset,
+	struct sockaddr_storage* addr, socklen_t addrlen,
+	struct ub_packed_rrset_key** alias_rrset,
 	struct reply_info** encode_repp, struct auth_zones* az)
 {
 	struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
@@ -574,7 +575,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo,
 	if(actinfo.addrinfo) {
 		respip_inform_print(&actinfo, qinfo->qname,
 			qinfo->qtype, qinfo->qclass, qinfo->local_alias,
-			repinfo);
+			addr, addrlen);
 
 		if(worker->stats.extended && actinfo.rpz_used) {
 			if(actinfo.rpz_disabled)
@@ -703,7 +704,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 	*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
 	if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
 		!partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep,
-		repinfo, alias_rrset,
+		&repinfo->client_addr, repinfo->client_addrlen, alias_rrset,
 		&encode_rep, worker->env.auth_zones)) {
 		goto bail_out;
 	} else if(partial_rep &&
@@ -991,12 +992,14 @@ answer_chaos(struct worker* w, struct query_info* qinfo,
  * @param w: worker
  * @param qinfo: query info. Pointer into packet buffer.
  * @param edns: edns info from query.
- * @param repinfo: reply info with source address.
+ * @param addr: client address.
+ * @param addrlen: client address length.
  * @param pkt: packet buffer.
  */
 static void
-answer_notify(struct worker* w, struct query_info* qinfo, 
-	struct edns_data* edns, sldns_buffer* pkt, struct comm_reply* repinfo)
+answer_notify(struct worker* w, struct query_info* qinfo,
+	struct edns_data* edns, sldns_buffer* pkt,
+	struct sockaddr_storage* addr, socklen_t addrlen)
 {
 	int refused = 0;
 	int rcode = LDNS_RCODE_NOERROR;
@@ -1005,8 +1008,8 @@ answer_notify(struct worker* w, struct query_info* qinfo,
 	if(!w->env.auth_zones) return;
 	has_serial = auth_zone_parse_notify_serial(pkt, &serial);
 	if(auth_zones_notify(w->env.auth_zones, &w->env, qinfo->qname,
-		qinfo->qname_len, qinfo->qclass, &repinfo->addr,
-		repinfo->addrlen, has_serial, serial, &refused)) {
+		qinfo->qname_len, qinfo->qclass, addr,
+		addrlen, has_serial, serial, &refused)) {
 		rcode = LDNS_RCODE_NOERROR;
 	} else {
 		if(refused)
@@ -1031,7 +1034,7 @@ answer_notify(struct worker* w, struct query_info* qinfo,
 				"servfail for NOTIFY %sfor %s from", sr, zname);
 		else	snprintf(buf, sizeof(buf),
 				"received NOTIFY %sfor %s from", sr, zname);
-		log_addr(VERB_DETAIL, buf, &repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_DETAIL, buf, addr, addrlen);
 	}
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
 	edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -1051,8 +1054,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 {
 	if(acl == deny) {
 		if(verbosity >= VERB_ALGO) {
-			log_acl_action("dropped", &repinfo->addr,
-				repinfo->addrlen, acl, acladdr);
+			log_acl_action("dropped", &repinfo->client_addr,
+				repinfo->client_addrlen, acl, acladdr);
 			log_buf(VERB_ALGO, "dropped", c->buffer);
 		}
 		comm_point_drop_reply(repinfo);
@@ -1063,8 +1066,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 		size_t opt_rr_mark;
 
 		if(verbosity >= VERB_ALGO) {
-			log_acl_action("refused", &repinfo->addr,
-				repinfo->addrlen, acl, acladdr);
+			log_acl_action("refused", &repinfo->client_addr,
+				repinfo->client_addrlen, acl, acladdr);
 			log_buf(VERB_ALGO, "refuse", c->buffer);
 		}
 
@@ -1224,12 +1227,24 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
 }
 
 static int
-deny_refuse_all(struct comm_point* c, enum acl_access acl,
+deny_refuse_all(struct comm_point* c, enum acl_access* acl,
 	struct worker* worker, struct comm_reply* repinfo,
-	struct acl_addr* acladdr, int ede)
+	struct acl_addr** acladdr, int ede, int check_proxy)
 {
-	return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo,
-		acladdr, ede);
+	if(check_proxy) {
+		*acladdr = acl_addr_lookup(worker->daemon->acl,
+			&repinfo->remote_addr, repinfo->remote_addrlen);
+	} else {
+		*acladdr = acl_addr_lookup(worker->daemon->acl,
+			&repinfo->client_addr, repinfo->client_addrlen);
+	}
+	/* If there is no ACL based on client IP use the interface ACL. */
+	if(!(*acladdr) && c->socket) {
+		*acladdr = c->socket->acl;
+	}
+	*acl = acl_get_control(*acladdr);
+	return deny_refuse(c, *acl, acl_deny, acl_refuse, worker, repinfo,
+		*acladdr, ede);
 }
 
 static int
@@ -1241,7 +1256,7 @@ deny_refuse_non_local(struct comm_point* c, enum acl_access acl,
 		worker, repinfo, acladdr, ede);
 }
 
-int 
+int
 worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct comm_reply* repinfo)
 {
@@ -1286,16 +1301,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		if(worker_check_request(c->buffer, worker) != 0) {
 			verbose(VERB_ALGO,
 				"dnscrypt: worker check request: bad query.");
-			log_addr(VERB_CLIENT,"from",&repinfo->addr,
-				repinfo->addrlen);
+			log_addr(VERB_CLIENT,"from",&repinfo->client_addr,
+				repinfo->client_addrlen);
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
 		if(!query_info_parse(&qinfo, c->buffer)) {
 			verbose(VERB_ALGO,
 				"dnscrypt: worker parse request: formerror.");
-			log_addr(VERB_CLIENT, "from", &repinfo->addr,
-				repinfo->addrlen);
+			log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+				repinfo->client_addrlen);
 			comm_point_drop_reply(repinfo);
 			return 0;
 		}
@@ -1323,25 +1338,30 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	 * sending src (client)/dst (local service) addresses over DNSTAP from incoming request handler
 	 */
 	if(worker->dtenv.log_client_query_messages) {
-		log_addr(VERB_ALGO, "request from client", &repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_ALGO, "request from client", &repinfo->client_addr, repinfo->client_addrlen);
 		log_addr(VERB_ALGO, "to local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
-		dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
+		dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
 	}
 #endif
-	acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr, 
-		repinfo->addrlen);
-	acl = acl_get_control(acladdr);
-
-	if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr,
-		worker->env.cfg->ede)) != -1)
-	{
+	/* Check deny/refuse ACLs */
+	if(repinfo->is_proxied) {
+		if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr,
+			worker->env.cfg->ede, 1)) != -1) {
+			if(ret == 1)
+				goto send_reply;
+			return ret;
+		}
+	}
+	if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr,
+		worker->env.cfg->ede, 0)) != -1) {
 		if(ret == 1)
 			goto send_reply;
 		return ret;
 	}
+
 	if((ret=worker_check_request(c->buffer, worker)) != 0) {
 		verbose(VERB_ALGO, "worker check request: bad query.");
-		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT,"from",&repinfo->client_addr, repinfo->client_addrlen);
 		if(ret != -1) {
 			LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 			LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
@@ -1353,20 +1373,24 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 
 	worker->stats.num_queries++;
 
-	/* check if this query should be dropped based on source ip rate limiting */
-	if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
+	/* check if this query should be dropped based on source ip rate limiting
+	 * NOTE: we always check the repinfo->client_address. IP ratelimiting is
+	 *       implicitly disabled for proxies. */
+	if(!infra_ip_ratelimit_inc(worker->env.infra_cache,
+			&repinfo->client_addr, repinfo->client_addrlen,
 			*worker->env.now,
 			worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
 		/* See if we are passed through with slip factor */
 		if(worker->env.cfg->ip_ratelimit_factor != 0 &&
 			ub_random_max(worker->env.rnd,
-						  worker->env.cfg->ip_ratelimit_factor) == 0) {
-
+			worker->env.cfg->ip_ratelimit_factor) == 0) {
 			char addrbuf[128];
-			addr_to_str(&repinfo->addr, repinfo->addrlen,
-						addrbuf, sizeof(addrbuf));
-		  verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor",
-				  addrbuf);
+			addr_to_str(&repinfo->client_addr,
+				repinfo->client_addrlen, addrbuf,
+				sizeof(addrbuf));
+			verbose(VERB_QUERY, "ip_ratelimit allowed through for "
+				"ip address %s because of slip in "
+				"ip_ratelimit_factor", addrbuf);
 		} else {
 			worker->stats.num_queries_ip_ratelimited++;
 			comm_point_drop_reply(repinfo);
@@ -1377,7 +1401,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	/* see if query is in the cache */
 	if(!query_info_parse(&qinfo, c->buffer)) {
 		verbose(VERB_ALGO, "worker parse request: formerror.");
-		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+			repinfo->client_addrlen);
 		memset(&qinfo, 0, sizeof(qinfo)); /* zero qinfo.qname */
 		if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) {
 			comm_point_drop_reply(repinfo);
@@ -1391,13 +1416,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}
 	if(worker->env.cfg->log_queries) {
 		char ip[128];
-		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
+		addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip));
 		log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
 	}
 	if(qinfo.qtype == LDNS_RR_TYPE_AXFR || 
 		qinfo.qtype == LDNS_RR_TYPE_IXFR) {
 		verbose(VERB_ALGO, "worker request: refused zone transfer.");
-		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+			repinfo->client_addrlen);
 		sldns_buffer_rewind(c->buffer);
 		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
@@ -1414,7 +1440,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		qinfo.qtype == LDNS_RR_TYPE_MAILB ||
 		(qinfo.qtype >= 128 && qinfo.qtype <= 248)) {
 		verbose(VERB_ALGO, "worker request: formerror for meta-type.");
-		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+			repinfo->client_addrlen);
 		if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) {
 			comm_point_drop_reply(repinfo);
 			return 0;
@@ -1432,7 +1459,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 					worker->scratchpad)) != 0) {
 		struct edns_data reply_edns;
 		verbose(VERB_ALGO, "worker parse edns: formerror.");
-		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+			repinfo->client_addrlen);
 		memset(&reply_edns, 0, sizeof(reply_edns));
 		reply_edns.edns_present = 1;
 		reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
@@ -1454,7 +1482,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			edns.opt_list_inplace_cb_out = NULL;
 			edns.padding_block_size = 0;
 			verbose(VERB_ALGO, "query with bad edns version.");
-			log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+			log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+				repinfo->client_addrlen);
 			error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
 				*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
 				sldns_buffer_read_u16_at(c->buffer, 2), NULL);
@@ -1468,7 +1497,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		   worker->daemon->cfg->harden_short_bufsize) {
 			verbose(VERB_QUERY, "worker request: EDNS bufsize %d ignored",
 				(int)edns.udp_size);
-			log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+			log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+				repinfo->client_addrlen);
 			edns.udp_size = NORMAL_UDP_SIZE;
 		}
 	}
@@ -1477,12 +1507,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		verbose(VERB_QUERY,
 			"worker request: max UDP reply size modified"
 			" (%d to max-udp-size)", (int)edns.udp_size);
-		log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+			repinfo->client_addrlen);
 		edns.udp_size = worker->daemon->cfg->max_udp_size;
 	}
 	if(edns.udp_size < LDNS_HEADER_SIZE) {
 		verbose(VERB_ALGO, "worker request: edns is too small.");
-		log_addr(VERB_CLIENT, "from", &repinfo->addr, repinfo->addrlen);
+		log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
+			repinfo->client_addrlen);
 		LDNS_QR_SET(sldns_buffer_begin(c->buffer));
 		LDNS_TC_SET(sldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
@@ -1506,7 +1538,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	}
 	if(LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ==
 		LDNS_PACKET_NOTIFY) {
-		answer_notify(worker, &qinfo, &edns, c->buffer, repinfo);
+		answer_notify(worker, &qinfo, &edns, c->buffer,
+			&repinfo->client_addr, repinfo->client_addrlen);
 		regional_free_all(worker->scratchpad);
 		goto send_reply;
 	}
@@ -1582,7 +1615,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			sldns_buffer_read_u16_at(c->buffer, 2), &edns);
 		regional_free_all(worker->scratchpad);
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
-			&repinfo->addr, repinfo->addrlen);
+			&repinfo->client_addr, repinfo->client_addrlen);
 
 		goto send_reply;
 	}
@@ -1722,9 +1755,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	if(verbosity >= VERB_CLIENT) {
 		if(c->type == comm_udp)
 			log_addr(VERB_CLIENT, "udp request from",
-				&repinfo->addr, repinfo->addrlen);
+				&repinfo->client_addr, repinfo->client_addrlen);
 		else	log_addr(VERB_CLIENT, "tcp request from",
-				&repinfo->addr, repinfo->addrlen);
+				&repinfo->client_addr, repinfo->client_addrlen);
 	}
 
 	/* grab a work request structure for this new request */
@@ -1756,8 +1789,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	 */
 	if(worker->dtenv.log_client_response_messages) {
 		log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
-                log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen);
-		dt_msg_send_client_response(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
+		log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
+		dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
 	}
 #endif
 	if(worker->env.cfg->log_replies)
@@ -1769,10 +1802,12 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 			/* log original qname, before the local alias was
 			 * used to resolve that CNAME to something else */
 			qinfo.qname = qinfo.local_alias->rrset->rk.dname;
-			log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen,
+			log_reply_info(NO_VERBOSE, &qinfo,
+				&repinfo->client_addr, repinfo->client_addrlen,
 				tv, 1, c->buffer);
 		} else {
-			log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen,
+			log_reply_info(NO_VERBOSE, &qinfo,
+				&repinfo->client_addr, repinfo->client_addrlen,
 				tv, 1, c->buffer);
 		}
 	}
@@ -1903,6 +1938,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
 	struct dt_env* dtenv = &worker->dtenv;
 #else
 	void* dtenv = NULL;
+#endif
+#ifdef HAVE_GETTID
+	worker->thread_tid = gettid();
 #endif
 	worker->need_to_exit = 0;
 	worker->base = comm_base_create(do_sigs);

contrib/unbound/daemon/worker.h

@@ -86,6 +86,10 @@ struct worker {
 	struct daemon* daemon;
 	/** thread id */
 	ub_thread_type thr_id;
+#ifdef HAVE_GETTID
+	/** thread tid, the LWP id. */
+	pid_t thread_tid;
+#endif
 	/** pipe, for commands for this worker */
 	struct tube* cmd;
 	/** the event base this worker works with */

contrib/unbound/dnstap/dtstream.c

@@ -954,7 +954,7 @@ static int dtio_write_more(struct dt_io_thread* dtio)
  * -1: continue, >0: number of bytes read into buffer */
 static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) {
 	ssize_t r;
-	r = recv(dtio->fd, (void*)buf, len, 0);
+	r = recv(dtio->fd, (void*)buf, len, MSG_DONTWAIT);
 	if(r == -1) {
 		char* to = dtio->socket_path;
 		if(!to) to = dtio->ip_str;
@@ -1960,7 +1960,7 @@ static int dtio_open_output_tcp(struct dt_io_thread* dtio)
 	memset(&addr, 0, sizeof(addr));
 	addrlen = (socklen_t)sizeof(addr);
 
-	if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen)) {
+	if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen, UNBOUND_DNS_PORT)) {
 		log_err("could not parse IP '%s'", dtio->ip_str);
 		return 0;
 	}

contrib/unbound/dnstap/unbound-dnstap-socket.c

@@ -272,7 +272,7 @@ static int make_tcp_accept(char* ip)
 
 	memset(&addr, 0, sizeof(addr));
 	len = (socklen_t)sizeof(addr);
-	if(!extstrtoaddr(ip, &addr, &len)) {
+	if(!extstrtoaddr(ip, &addr, &len, UNBOUND_DNS_PORT)) {
 		log_err("could not parse IP '%s'", ip);
 		return -1;
 	}
@@ -617,7 +617,7 @@ static void log_data_frame(uint8_t* pkt, size_t len)
 static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
 	size_t len)
 {
-	ssize_t ret = recv(fd, buf, len, 0);
+	ssize_t ret = recv(fd, buf, len, MSG_DONTWAIT);
 	if(ret == 0) {
 		/* closed */
 		if(verbosity) log_info("dnstap client stream closed from %s",

contrib/unbound/doc/Changelog

@@ -1,9 +1,116 @@
+11 October 2022: George
+	- Fix PROXYv2 header read for TCP connections when no proxied addresses
+	  are provided.
+
+7 October 2022: George
+	- Fix to stop possible loops in the tcp reuse code (write_wait list
+	  and tcp_wait list). Based on analysis and patch from Prad Seniappan
+	  and Karthik Umashankar.
+	- Fix unit test to properly test the reuse_write_wait_pop function.
+
+6 October 2022: Wouter
+	- Fix to stop responses with TC flag from resulting in partial
+	  responses. It retries to fetch the data elsewhere, or fails the
+	  query and in depth fix removes the TC flag from the cached item.
+	- Fix proxy length debug output printout typecasts.
+
+5 October 2022: Wouter
+	- Fix dnscrypt compile for proxy protocol code changes.
+
+5 October 2022: George
+	- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
+	- Fix string comparison in mini_tdir.sh.
+	- Make ede.tdir test more predictable by using static data.
+	- Fix checkconf test for dnscrypt and proxy port.
+
+4 October 2022: George
+	- Merge #764: Leniency for target discovery when under load (for
+	  NRDelegation changes).
+
+4 October 2022: Wouter
+	- Fix static analysis report to remove dead code from the
+	  rpz_callback_from_iterator_module function.
+	- Fix to clean up after the acl_interface unit test.
+
+3 October 2022: George
+	- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
+	  configuration option).
+
+3 October 2022: Wouter
+	- Fix to remove erroneous TC flag from TCP upstream.
+	- Fix test tdir skip report printout.
+	- Fix windows compile, the identifier interface is defined in headers.
+	- Fix to close errno block in comm_point_tcp_handle_read outside of
+	  ifdef.
+
+26 September 2022: George
+	- Better output for skipped tdir tests.
+
 21 September 2022: Wouter
 	- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
+	- This patch was released in 1.16.3, the code repository continues
+	  with the previous features and fixes for 1.17.0.
+	- Fix doxygen warning in respip.h.
+
+20 September 2022: George
+	- Convert tdir tests to use the new skip_test functionality.
+	- Remove unused testcode/mini_tpkg.sh file.
+
+16 September 2022: George
+	- Merge #753: ACL per interface. (New interface-* configuration
+	  options).
+
+2 September 2022: Wouter
+	- Remove include that was there for debug purposes.
+	- Fix to check pthread_t size after pthread has been detected.
+
+1 September 2022: Wouter
+	- Fix to update config tests to fix checking if nonblocking sockets
+	  work on OpenBSD.
+	- Slow down log frequency of write wait failures.
+	- Fix to set out of file descriptor warning to operational verbosity.
+	- Fix to log a verbose message at operational notice level if a
+	  thread is not responding, to stats requests. It is logged with
+	  thread identifiers.
+
+31 August 2022: Wouter
+	- Fix to avoid process wide fcntl calls mixed with nonblocking
+	  operations after a blocked write.
+	- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
+	  operations, so that instruction reordering does not cause mistakenly
+	  blocking socket operations.
+	- Fix to wait for blocked write on UDP sockets, with a timeout if it
+	  takes too long the packet is dropped.
+	- Fix for wait for udp send to stop when packet is successfully sent.
+
+22 August 2022: Wouter
+	- Fix #741: systemd socket activation fails on IPv6.
+
+12 August 2022: Wouter
+	- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
+	  per 10 seconds. Also log accept failures when no slow down is used.
+
+5 August 2022: Wouter
+	- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
+	  errors.
+
+4 August 2022: Wouter
+	- Fix ratelimit inconsistency, for ip-ratelimits the value is the
+	  amount allowed, like for ratelimits.
+
+2 August 2022: Wouter
+	- Fix edns subnet so that scope 0 answers only match sourcemask 0
+	  queries for answers from cache if from a query with sourcemask 0.
+	- Fix unittest for edns subnet change.
+	- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
+	  to unsupported IPV6_USER_MTU socket option being set.
 
 1 August 2022: Wouter
 	- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
 	- Tests for ghost domain fixes.
+	- Tag for 1.16.2 release. The code repo continues with 1.16.3.
+	- Fix #728: alloc_reg_obtain() core dump. Stop double
+	  alloc_reg_release when serviced_create fails.
 
 19 July 2022: George
 	- Update documentation for 'outbound-msg-retry:'.

contrib/unbound/doc/README

@@ -1,4 +1,4 @@
-README for Unbound 1.16.3
+README for Unbound 1.17.0
 Copyright 2007 NLnet Labs
 http://unbound.net
 

contrib/unbound/doc/example.conf.in

@@ -1,7 +1,7 @@
 #
 # Example configuration file.
 #
-# See unbound.conf(5) man page, version 1.16.3.
+# See unbound.conf(5) man page, version 1.17.0.
 #
 # this is a comment.
 
@@ -17,7 +17,7 @@ server:
 	# whitespace is not necessary, but looks cleaner.
 
 	# verbosity number, 0 is least verbose. 1 is default.
-	verbosity: 1
+	# verbosity: 1
 
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
@@ -50,6 +50,7 @@ server:
 	# interface: 192.0.2.154
 	# interface: 192.0.2.154@5003
 	# interface: 2001:DB8::5
+	# interface: eth0@5003
 
 	# enable this feature to copy the source address of queries to reply.
 	# Socket options are not supported on all platforms. experimental.
@@ -217,7 +218,8 @@ server:
 	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 	# infra-cache-numhosts: 10000
 
-	# define a number of tags here, use with local-zone, access-control.
+	# define a number of tags here, use with local-zone, access-control,
+	# interface-*.
 	# repeat the define-tag statement to add additional tags.
 	# define-tag: "tag1 tag2 tag3"
 
@@ -273,9 +275,7 @@ server:
 	# allow_snoop (recursive and nonrecursive ok)
 	# deny_non_local (drop queries unless can be answered from local-data)
 	# refuse_non_local (like deny_non_local but polite error reply).
-	# access-control: 0.0.0.0/0 refuse
 	# access-control: 127.0.0.0/8 allow
-	# access-control: ::0/0 refuse
 	# access-control: ::1 allow
 	# access-control: ::ffff:127.0.0.1 allow
 
@@ -284,7 +284,7 @@ server:
 	# are tagged with one of these tags.
 	# access-control-tag: 192.0.2.0/24 "tag2 tag3"
 
-	# set action for particular tag for given access control element
+	# set action for particular tag for given access control element.
 	# if you have multiple tag values, the tag used to lookup the action
 	# is the first tag match between access-control-tag and local-zone-tag
 	# where "first" comes from the order of the define-tag values.
@@ -296,6 +296,58 @@ server:
 	# Set view for access control element
 	# access-control-view: 192.0.2.0/24 viewname
 
+	# Similar to 'access-control:' but for interfaces.
+	# Control which listening interfaces are allowed to accept (recursive)
+	# queries for this server.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the action.
+	# The actions are the same as 'access-control:' above.
+	# By default all the interfaces configured are refused.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-action: 192.0.2.153 allow
+	# interface-action: 192.0.2.154 allow
+	# interface-action: 192.0.2.154@5003 allow
+	# interface-action: 2001:DB8::5 allow
+	# interface-action: eth0@5003 allow
+
+	# Similar to 'access-control-tag:' but for interfaces.
+	# Tag interfaces with a list of tags (in "" with spaces between).
+	# Interfaces using these tags use localzones that are tagged with one
+	# of these tags.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the list of tags.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-tag: eth0@5003 "tag2 tag3"
+
+	# Similar to 'access-control-tag-action:' but for interfaces.
+	# Set action for particular tag for a given interface element.
+	# If you have multiple tag values, the tag used to lookup the action
+	# is the first tag match between interface-tag and local-zone-tag
+	# where "first" comes from the order of the define-tag values.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the tag and action.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-tag-action: eth0@5003 tag3 refuse
+
+	# Similar to 'access-control-tag-data:' but for interfaces.
+	# Set redirect data for a particular tag for an interface element.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the tag and the redirect data.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
+
+	# Similar to 'access-control-view:' but for interfaces.
+	# Set view for an interface element.
+	# The specified interfaces should be the same as the ones specified in
+	# 'interface:' followed by the view name.
+	# Note: any 'access-control*:' setting overrides all 'interface-*:'
+	# settings for targeted clients.
+	# interface-view: eth0@5003 viewname
+
 	# if given, a chroot(2) is done to the given directory.
 	# i.e. you can chroot to the working directory, for example,
 	# for extra security, but make sure all files are in that directory.
@@ -850,6 +902,10 @@ server:
 	# Disable TLS for DNS-over-HTTP downstream service.
 	# http-notls-downstream: no
 
+	# The interfaces that use these listed port numbers will support and
+	# expect PROXYv2. For UDP and TCP/TLS interfaces.
+	# proxy-protocol-port: portno for each of the port numbers.
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96

contrib/unbound/doc/libunbound.3.in

@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "libunbound" "3" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.16.3 functions.
+\- Unbound DNS validating resolver 1.17.0 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP

contrib/unbound/doc/unbound-anchor.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound-anchor" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-anchor.8 -- unbound anchor maintenance utility manual
 .\"

contrib/unbound/doc/unbound-checkconf.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound-checkconf" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-checkconf.8 -- unbound configuration checker manual
 .\"

contrib/unbound/doc/unbound-control.8.in

@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound-control" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-control.8 -- unbound remote control manual
 .\"

contrib/unbound/doc/unbound-host.1.in

@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound\-host" "1" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound-host.1 -- unbound DNS lookup utility
 .\"

contrib/unbound/doc/unbound.8.in

@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound.8 -- unbound manual
 .\"
@@ -9,7 +9,7 @@
 .\"
 .SH "NAME"
 .B unbound
-\- Unbound DNS validating resolver 1.16.3.
+\- Unbound DNS validating resolver 1.17.0.
 .SH "SYNOPSIS"
 .B unbound
 .RB [ \-h ]

contrib/unbound/doc/unbound.conf.5.in

@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
+.TH "unbound.conf" "5" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
 .\"
 .\" unbound.conf.5 -- unbound.conf manual
 .\"
@@ -118,7 +118,7 @@ The number of threads to create to serve clients. Use 1 for no threading.
 .B port: \fI<port number>
 The port number, default 53, on which the server responds to queries.
 .TP
-.B interface: \fI<ip address[@port]>
+.B interface: \fI<ip address or interface name [@port]>
 Interface to use to connect to the network. This interface is listened to
 for queries from clients, and answers to clients are given from it.
 Can be given multiple times to work on several interfaces. If none are
@@ -129,7 +129,7 @@ A port number can be specified with @port (without spaces between
 interface and port number), if not specified the default port (from
 \fBport\fR) is used.
 .TP
-.B ip\-address: \fI<ip address[@port]>
+.B ip\-address: \fI<ip address or interface name [@port]>
 Same as interface: (for ease of compatibility with nsd.conf).
 .TP
 .B interface\-automatic: \fI<yes or no>
@@ -656,6 +656,17 @@ Ignored if the option is not available. Default is yes.
 Disable use of TLS for the downstream DNS-over-HTTP connections.  Useful for
 local back end servers.  Default is no.
 .TP
+.B proxy\-protocol\-port: \fI<portnr>
+List port numbers as proxy\-protocol\-port, and when interfaces are defined,
+eg. with the @port suffix, as this port number, they support and expect PROXYv2.
+In this case the proxy address will only be used for the network communication
+and initial ACL (check if the proxy itself is denied/refused by configuration).
+The proxied address (if any) will then be used as the true client address and
+will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting.
+PROXYv2 is supported for UDP and TCP/TLS listening interfaces.
+There is no support for PROXYv2 on a DoH or DNSCrypt listening interface.
+Can list multiple, each on a new statement.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.
@@ -675,7 +686,7 @@ The netblock is given as an IP4 or IP6 address with /size appended for a
 classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
 \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
 \fIrefuse_non_local\fR.
-The most specific netblock match is used, if none match \fIdeny\fR is used.
+The most specific netblock match is used, if none match \fIrefuse\fR is used.
 The order of the access\-control statements therefore does not matter.
 .IP
 The action \fIdeny\fR stops queries from hosts from that netblock.
@@ -741,6 +752,46 @@ Set redirect data for particular tag for given access control element.
 .B access\-control\-view: \fI<IP netblock> <view name>
 Set view for given access control element.
 .TP
+.B interface\-action: \fI<ip address or interface name [@port]> <action>
+Similar to \fBaccess\-control:\fR but for interfaces.
+.IP
+The action is the same as the ones defined under \fBaccess\-control:\fR.
+Interfaces are \fIrefuse\fRd by default.
+By default only localhost (the IP netblock, not the loopback interface) is
+\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
+Similar to \fBaccess\-control-tag:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
+Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
+Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-view: \fI<ip address or interface name [@port]> <view name>
+Similar to \fBaccess\-control-view:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
 .B chroot: \fI<directory>
 If chroot is enabled, you should pass the configfile (from the
 commandline) as a full path from the original root. After the
@@ -1823,9 +1874,11 @@ section for options.  To setup the correct self\-signed certificates use the
 The option is used to enable remote control, default is "no".
 If turned off, the server does not listen for control commands.
 .TP 5
-.B control\-interface: \fI<ip address or path>
+.B control\-interface: \fI<ip address or interface name or path>
 Give IPv4 or IPv6 addresses or local socket path to listen on for
 control commands.
+If an interface name is used instead of an ip address, the list of ip addresses
+on that interface are used.
 By default localhost (127.0.0.1 and ::1) is listened to.
 Use 0.0.0.0 and ::0 to listen to all interfaces.
 If you change this and permissions have been dropped, you must restart

contrib/unbound/edns-subnet/addrtree.c

@@ -97,6 +97,7 @@ node_create(struct addrtree *tree, void *elem, addrlen_t scope,
 	tree->node_count++;
 	node->scope = scope;
 	node->ttl = ttl;
+	node->only_match_scope_zero = 0;
 	node->edge[0] = NULL;
 	node->edge[1] = NULL;
 	node->parent_edge = NULL;
@@ -155,6 +156,7 @@ clean_node(struct addrtree *tree, struct addrnode *node)
 	if (!node->elem) return;
 	tree->size_bytes -= tree->sizefunc(node->elem);
 	tree->delfunc(tree->env, node->elem);
+	node->only_match_scope_zero = 0;
 	node->elem = NULL;
 }
 
@@ -358,7 +360,7 @@ issub(const addrkey_t *s1, addrlen_t l1,
 void
 addrtree_insert(struct addrtree *tree, const addrkey_t *addr, 
 	addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, 
-	time_t now)
+	time_t now, int only_match_scope_zero)
 {
 	struct addrnode *newnode, *node;
 	struct addredge *edge;
@@ -381,6 +383,7 @@ addrtree_insert(struct addrtree *tree, const addrkey_t *addr,
 			/* update this node's scope and data */
 			clean_node(tree, node);
 			node->ttl = ttl;
+			node->only_match_scope_zero = only_match_scope_zero;
 			node->elem = elem;
 			node->scope = scope;
 			tree->size_bytes += tree->sizefunc(elem);
@@ -447,6 +450,7 @@ addrtree_insert(struct addrtree *tree, const addrkey_t *addr,
 			newnode->elem = elem;
 			newnode->scope = scope;
 			newnode->ttl = ttl;
+			newnode->only_match_scope_zero = only_match_scope_zero;
 		} 
 		
 		tree->size_bytes += node_size(tree, newnode);
@@ -483,7 +487,8 @@ addrtree_find(struct addrtree *tree, const addrkey_t *addr,
 		/* Current node more specific then question. */
 		log_assert(depth <= sourcemask);
 		/* does this node have data? if yes, see if we have a match */
-		if (node->elem && node->ttl >= now) {
+		if (node->elem && node->ttl >= now &&
+			!(sourcemask != 0 && node->only_match_scope_zero)) {
 			/* saved at wrong depth */;
 			log_assert(node->scope >= depth);
 			if (depth == node->scope ||

contrib/unbound/edns-subnet/addrtree.h

@@ -95,6 +95,10 @@ struct addrnode {
 	time_t ttl;
 	/** Number of significant bits in address. */
 	addrlen_t scope;
+	/** Only use the element for queries for subnet/0. Set if the query
+	 * for /0 was answered with scope 0. For query /x answer scope 0,
+	 * they can match anything and this is false. */
+	int only_match_scope_zero;
 	/** A node can have 0-2 edges, set to NULL for unused */
 	struct addredge *edge[2];
 	/** edge between this node and parent */
@@ -157,11 +161,12 @@ void addrtree_delete(struct addrtree *tree);
  * @param scope: Number of significant bits in addr.
  * @param elem: data to store in the tree.
  * @param ttl: elem is valid up to this time, seconds.
+ * @param only_match_scope_zero: set for when query /0 has scope /0 answer.
  * @param now: Current time in seconds.
  */
 void addrtree_insert(struct addrtree *tree, const addrkey_t *addr, 
 	addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, 
-	time_t now);
+	time_t now, int only_match_scope_zero);
 
 /**
  * Find a node containing an element in the tree.

contrib/unbound/edns-subnet/subnetmod.c

@@ -55,6 +55,7 @@
 #include "util/config_file.h"
 #include "util/data/msgreply.h"
 #include "sldns/sbuffer.h"
+#include "sldns/wire2str.h"
 #include "iterator/iter_utils.h"
 
 /** externally called */
@@ -331,6 +332,7 @@ update_cache(struct module_qstate *qstate, int id)
 	struct slabhash *subnet_msg_cache = sne->subnet_msg_cache;
 	struct ecs_data *edns = &sq->ecs_client_in;
 	size_t i;
+	int only_match_scope_zero;
 
 	/* We already calculated hash upon lookup (lookup_and_reply) if we were
 	 * allowed to look in the ECS cache */
@@ -392,9 +394,12 @@ update_cache(struct module_qstate *qstate, int id)
 	reply_info_set_ttls(rep, *qstate->env->now);
 	rep->flags |= (BIT_RA | BIT_QR); /* fix flags to be sensible for */
 	rep->flags &= ~(BIT_AA | BIT_CD);/* a reply based on the cache   */
+	if(edns->subnet_source_mask == 0 && edns->subnet_scope_mask == 0)
+		only_match_scope_zero = 1;
+	else only_match_scope_zero = 0;
 	addrtree_insert(tree, (addrkey_t*)edns->subnet_addr, 
 		edns->subnet_source_mask, sq->max_scope, rep,
-		rep->ttl, *qstate->env->now);
+		rep->ttl, *qstate->env->now, only_match_scope_zero);
 
 	lock_rw_unlock(&lru_entry->lock);
 	if (need_to_insert) {
@@ -674,6 +679,24 @@ ecs_query_response(struct module_qstate* qstate, struct dns_msg* response,
 	return 1;
 }
 
+/** verbose print edns subnet option in pretty print */
+static void
+subnet_log_print(const char* s, struct edns_option* ecs_opt)
+{
+	if(verbosity >= VERB_ALGO) {
+		char buf[256];
+		char* str = buf;
+		size_t str_len = sizeof(buf);
+		if(!ecs_opt) {
+			verbose(VERB_ALGO, "%s (null)", s);
+			return;
+		}
+		(void)sldns_wire2str_edns_subnet_print(&str, &str_len,
+			ecs_opt->opt_data, ecs_opt->opt_len);
+		verbose(VERB_ALGO, "%s %s", s, buf);
+	}
+}
+
 int
 ecs_edns_back_parsed(struct module_qstate* qstate, int id,
 	void* ATTR_UNUSED(cbargs))
@@ -688,6 +711,7 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id,
 		qstate->env->cfg->client_subnet_opcode)) &&
 		parse_subnet_option(ecs_opt, &sq->ecs_server_in) &&
 		sq->subnet_sent && sq->ecs_server_in.subnet_validdata) {
+			subnet_log_print("answer has edns subnet", ecs_opt);
 			/* Only skip global cache store if we sent an ECS option
 			 * and received one back. Answers from non-whitelisted
 			 * servers will end up in global cache. Answers for
@@ -736,11 +760,12 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
 				qstate->ext_state[id] = module_finished;
 				return;
 			}
+			subnet_log_print("query has edns subnet", ecs_opt);
 			sq->subnet_downstream = 1;
 		}
 		else if(qstate->mesh_info->reply_list) {
 			subnet_option_from_ss(
-				&qstate->mesh_info->reply_list->query_reply.addr,
+				&qstate->mesh_info->reply_list->query_reply.client_addr,
 				&sq->ecs_client_in, qstate->env->cfg);
 		}
 		
@@ -775,6 +800,13 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
 				subnet_ecs_opt_list_append(&sq->ecs_client_out,
 					&qstate->edns_opts_front_out, qstate,
 					qstate->region);
+				if(verbosity >= VERB_ALGO) {
+					subnet_log_print("reply has edns subnet",
+						edns_opt_list_find(
+						qstate->edns_opts_front_out,
+						qstate->env->cfg->
+						client_subnet_opcode));
+				}
 				return;
 			}
 			lock_rw_unlock(&sne->biglock);
@@ -823,6 +855,13 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
 			subnet_ecs_opt_list_append(&sq->ecs_client_out,
 				&qstate->edns_opts_front_out, qstate,
 				qstate->region);
+			if(verbosity >= VERB_ALGO) {
+				subnet_log_print("reply has edns subnet",
+					edns_opt_list_find(
+					qstate->edns_opts_front_out,
+					qstate->env->cfg->
+					client_subnet_opcode));
+			}
 		}
 		qstate->no_cache_store = sq->started_no_cache_store;
 		qstate->no_cache_lookup = sq->started_no_cache_lookup;

contrib/unbound/iterator/iter_hints.c

@@ -100,7 +100,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip)
 		return 0;
 	}
 	if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) ||
-	   !extstrtoaddr(ip, &addr, &addrlen) ||
+	   !extstrtoaddr(ip, &addr, &addrlen, UNBOUND_DNS_PORT) ||
 	   !delegpt_add_target_mlc(dp, dname, dname_len,
 		&addr, addrlen, 0, 0)) {
 		free(dname);

contrib/unbound/iterator/iter_resptype.c

@@ -113,7 +113,11 @@ response_type_from_server(int rdset,
 
 	if(!msg || !request)
 		return RESPONSE_TYPE_THROWAWAY;
-	
+	/* If the TC flag is set, the response is incomplete. Too large to
+	 * fit even in TCP or so. Discard it, it cannot be retrieved here. */
+	if((msg->rep->flags & BIT_TC))
+		return RESPONSE_TYPE_THROWAWAY;
+
 	/* If the message is NXDOMAIN, then it answers the question. */
 	if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) {
 		/* make sure its not recursive when we don't want it to */

contrib/unbound/iterator/iterator.c

@@ -255,9 +255,9 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
 				log_err("out of memory adding missing");
 		}
 		delegpt_mark_neg(dpns, qstate->qinfo.qtype);
-		dpns->resolved = 1; /* mark as failed */
 		if((dpns->got4 == 2 || !ie->supports_ipv4) &&
 			(dpns->got6 == 2 || !ie->supports_ipv6)) {
+			dpns->resolved = 1; /* mark as failed */
 			target_count_increase_nx(super_iq, 1);
 		}
 	}
@@ -596,15 +596,17 @@ errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
 {
 	if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
 		return;
-	if((qstate->reply && qstate->reply->addrlen != 0) ||
-		(iq->fail_reply && iq->fail_reply->addrlen != 0)) {
+	if((qstate->reply && qstate->reply->remote_addrlen != 0) ||
+		(iq->fail_reply && iq->fail_reply->remote_addrlen != 0)) {
 		char from[256], frm[512];
-		if(qstate->reply && qstate->reply->addrlen != 0)
-			addr_to_str(&qstate->reply->addr, qstate->reply->addrlen,
-				from, sizeof(from));
+		if(qstate->reply && qstate->reply->remote_addrlen != 0)
+			addr_to_str(&qstate->reply->remote_addr,
+				qstate->reply->remote_addrlen, from,
+				sizeof(from));
 		else
-			addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen,
-				from, sizeof(from));
+			addr_to_str(&iq->fail_reply->remote_addr,
+				iq->fail_reply->remote_addrlen, from,
+				sizeof(from));
 		snprintf(frm, sizeof(frm), "from %s", from);
 		errinf(qstate, frm);
 	}
@@ -2262,6 +2264,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	size_t qout_orig_len = 0;
 	int sq_check_ratelimit = 1;
 	int sq_was_ratelimited = 0;
+	int can_do_promisc = 0;
 
 	/* NOTE: a request will encounter this state for each target it
 	 * needs to send a query to. That is, at least one per referral,
@@ -2589,12 +2592,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 	if(iq->depth < ie->max_dependency_depth
 		&& iq->num_target_queries == 0
 		&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
-		&& iq->sent_count < TARGET_FETCH_STOP
-		/* if the mesh query list is full, then do not waste cpu
-		 * and sockets to fetch promiscuous targets. They can be
-		 * looked up when needed. */
-		&& !mesh_jostle_exceeded(qstate->env->mesh)
-		) {
+		&& iq->sent_count < TARGET_FETCH_STOP) {
+		can_do_promisc = 1;
+	}
+	/* if the mesh query list is full, then do not waste cpu and sockets to
+	 * fetch promiscuous targets. They can be looked up when needed. */
+	if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
 		tf_policy = ie->target_fetch_policy[iq->depth];
 	}
 
@@ -2766,6 +2769,37 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
 		return 0;
 	}
 
+	/* We have a target. We could have created promiscuous target
+	 * queries but we are currently under pressure (mesh_jostle_exceeded).
+	 * If we are configured to allow promiscuous target queries and haven't
+	 * gone out to the network for a target query for this delegation, then
+	 * it is possible to slip in a promiscuous one with a 1/10 chance. */
+	if(can_do_promisc && tf_policy == 0 && iq->depth == 0
+		&& iq->depth < ie->max_dependency_depth
+		&& ie->target_fetch_policy[iq->depth] != 0
+		&& iq->dp_target_count == 0
+		&& !ub_random_max(qstate->env->rnd, 10)) {
+		int extra = 0;
+		verbose(VERB_ALGO, "available target exists in cache but "
+			"attempt to get extra 1 target");
+		(void)query_for_targets(qstate, iq, ie, id, 1, &extra);
+		/* errors ignored, these targets are not strictly necessary for
+		* this result, we do not have to reply with SERVFAIL */
+		if(extra > 0) {
+			iq->num_target_queries += extra;
+			target_count_increase(iq, extra);
+			check_waiting_queries(iq, qstate, id);
+			/* undo qname minimise step because we'll get back here
+			 * to do it again */
+			if(qout_orig && iq->minimise_count > 0) {
+				iq->minimise_count--;
+				iq->qinfo_out.qname = qout_orig;
+				iq->qinfo_out.qname_len = qout_orig_len;
+			}
+			return 0;
+		}
+	}
+
 	/* Do not check ratelimit for forwarding queries or if we already got a
 	 * pass. */
 	sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok);
@@ -2873,6 +2907,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
 		iq->response, &iq->qinfo_out, iq->dp);
 	iq->chase_to_rd = 0;
+	/* remove TC flag, if this is erroneously set by TCP upstream */
+	iq->response->rep->flags &= ~BIT_TC;
 	if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
 		!iq->auth_zone_response) {
 		/* When forwarding (RD bit is set), we handle referrals 
@@ -2896,8 +2932,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			 * use dnssec-lame-bypass if it needs to query there.*/
 			if(qstate->reply) {
 				struct delegpt_addr* a = delegpt_find_addr(
-					iq->dp, &qstate->reply->addr,
-					qstate->reply->addrlen);
+					iq->dp, &qstate->reply->remote_addr,
+					qstate->reply->remote_addrlen);
 				if(a) a->dnsseclame = 1;
 			}
 			/* test the answer is from the zone we expected,
@@ -2993,9 +3029,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		(*qstate->env->detach_subs)(qstate);
 		iq->num_target_queries = 0;
 		if(qstate->reply)
-			sock_list_insert(&qstate->reply_origin, 
-				&qstate->reply->addr, qstate->reply->addrlen, 
-				qstate->region);
+			sock_list_insert(&qstate->reply_origin,
+				&qstate->reply->remote_addr,
+				qstate->reply->remote_addrlen, qstate->region);
 		if(iq->minimisation_state != DONOT_MINIMISE_STATE
 			&& !(iq->chase_flags & BIT_RD)) {
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
@@ -3250,9 +3286,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		(*qstate->env->detach_subs)(qstate);
 		iq->num_target_queries = 0;
 		if(qstate->reply)
-			sock_list_insert(&qstate->reply_origin, 
-				&qstate->reply->addr, qstate->reply->addrlen, 
-				qstate->region);
+			sock_list_insert(&qstate->reply_origin,
+				&qstate->reply->remote_addr,
+				qstate->reply->remote_addrlen, qstate->region);
 		verbose(VERB_ALGO, "cleared outbound list for query restart");
 		/* go to INIT_REQUEST_STATE for new qname. */
 		return next_state(iq, INIT_REQUEST_STATE);
@@ -3266,9 +3302,10 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 		} else if(qstate->reply) {
 			/* need addr for lameness cache, but we may have
 			 * gotten this from cache, so test to be sure */
-			if(!infra_set_lame(qstate->env->infra_cache, 
-				&qstate->reply->addr, qstate->reply->addrlen, 
-				iq->dp->name, iq->dp->namelen, 
+			if(!infra_set_lame(qstate->env->infra_cache,
+				&qstate->reply->remote_addr,
+				qstate->reply->remote_addrlen,
+				iq->dp->name, iq->dp->namelen,
 				*qstate->env->now, dnsseclame, 0,
 				iq->qchase.qtype))
 				log_err("mark host lame: out of memory");
@@ -3285,8 +3322,9 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			 * gotten this from cache, so test to be sure */
 			verbose(VERB_DETAIL, "mark as REC_LAME");
 			if(!infra_set_lame(qstate->env->infra_cache, 
-				&qstate->reply->addr, qstate->reply->addrlen, 
-				iq->dp->name, iq->dp->namelen, 
+				&qstate->reply->remote_addr,
+				qstate->reply->remote_addrlen,
+				iq->dp->name, iq->dp->namelen,
 				*qstate->env->now, 0, 1, iq->qchase.qtype))
 				log_err("mark host lame: out of memory");
 		} 
@@ -3527,12 +3565,13 @@ processTargetResponse(struct module_qstate* qstate, int id,
 	} else {
 		verbose(VERB_ALGO, "iterator TargetResponse failed");
 		delegpt_mark_neg(dpns, qstate->qinfo.qtype);
-		dpns->resolved = 1; /* fail the target */
 		if((dpns->got4 == 2 || !ie->supports_ipv4) &&
-			(dpns->got6 == 2 || !ie->supports_ipv6) &&
+			(dpns->got6 == 2 || !ie->supports_ipv6)) {
+			dpns->resolved = 1; /* fail the target */
 			/* do not count cached answers */
-			(qstate->reply_origin && qstate->reply_origin->len != 0)) {
-			target_count_increase_nx(foriq, 1);
+			if(qstate->reply_origin && qstate->reply_origin->len != 0) {
+				target_count_increase_nx(foriq, 1);
+			}
 		}
 	}
 }
@@ -4014,8 +4053,8 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
 	if(!iq->response)
 		goto handle_it;
 	log_query_info(VERB_DETAIL, "response for", &qstate->qinfo);
-	log_name_addr(VERB_DETAIL, "reply from", iq->dp->name, 
-		&qstate->reply->addr, qstate->reply->addrlen);
+	log_name_addr(VERB_DETAIL, "reply from", iq->dp->name,
+		&qstate->reply->remote_addr, qstate->reply->remote_addrlen);
 	if(verbosity >= VERB_ALGO)
 		log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo, 
 			iq->response->rep);

contrib/unbound/iterator/iterator.h

@@ -324,7 +324,7 @@ struct iter_qstate {
 	/** the number of times this query has been restarted. */
 	int query_restart_count;
 
-	/** the number of times this query as followed a referral. */
+	/** the number of times this query has followed a referral. */
 	int referral_count;
 
 	/** number of queries fired off */

contrib/unbound/libunbound/libunbound.c

@@ -951,7 +951,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
 	lock_basic_unlock(&ctx->cfglock);
 
 	/* check syntax for addr */
-	if(!extstrtoaddr(addr, &storage, &stlen)) {
+	if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) {
 		errno=EINVAL;
 		return UB_SYNTAX;
 	}
@@ -1031,7 +1031,7 @@ int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
 	if(addr) {
 		struct sockaddr_storage storage;
 		socklen_t stlen;
-		if(!extstrtoaddr(addr, &storage, &stlen)) {
+		if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) {
 			errno=EINVAL;
 			return UB_SYNTAX;
 		}

contrib/unbound/respip/respip.c

@@ -1290,7 +1290,7 @@ respip_set_is_empty(const struct respip_set* set)
 void
 respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname,
 	uint16_t qtype, uint16_t qclass, struct local_rrset* local_alias,
-	struct comm_reply* repinfo)
+	struct sockaddr_storage* addr, socklen_t addrlen)
 {
 	char srcip[128], respip[128], txt[512];
 	unsigned port;
@@ -1300,10 +1300,10 @@ respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname,
 
 	if(local_alias)
 		qname = local_alias->rrset->rk.dname;
-	port = (unsigned)((repinfo->addr.ss_family == AF_INET) ?
-		ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port) :
-		ntohs(((struct sockaddr_in6*)&repinfo->addr)->sin6_port));
-	addr_to_str(&repinfo->addr, repinfo->addrlen, srcip, sizeof(srcip));
+	port = (unsigned)((addr->ss_family == AF_INET) ?
+		ntohs(((struct sockaddr_in*)addr)->sin_port) :
+		ntohs(((struct sockaddr_in6*)addr)->sin6_port));
+	addr_to_str(addr, addrlen, srcip, sizeof(srcip));
 	addr_to_str(&respip_addr->addr, respip_addr->addrlen,
 		respip, sizeof(respip));
 	if(respip_actinfo->rpz_log) {

contrib/unbound/respip/respip.h

@@ -251,11 +251,13 @@ int respip_set_is_empty(const struct respip_set* set);
  * @param local_alias: set to a local alias if the query matches an alias in
  *  a local zone.  In this case its owner name will be considered the actual
  *  query name.
- * @param repinfo: reply info containing the client's source address and port.
+ * @param addr: the client's source address and port.
+ * @param addrlen: the client's source address length.
  */
 void respip_inform_print(struct respip_action_info* respip_actinfo,
 	uint8_t* qname, uint16_t qtype, uint16_t qclass,
-	struct local_rrset* local_alias, struct comm_reply* repinfo);
+	struct local_rrset* local_alias, struct sockaddr_storage* addr,
+	socklen_t addrlen);
 
 /**
  * Find resp_addr in tree, create and add to tree if it does not exist.

contrib/unbound/services/authzone.c

@@ -3699,7 +3699,7 @@ addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr,
 	/* compare address (but not port number, that is the destination
 	 * port of the master, the port number of the received notify is
 	 * allowed to by any port on that master) */
-	if(extstrtoaddr(master->host, &a, &alen) &&
+	if(extstrtoaddr(master->host, &a, &alen, UNBOUND_DNS_PORT) &&
 		sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) {
 		*fromhost = master;
 		return 1;
@@ -5381,7 +5381,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	struct edns_data edns;
 	sldns_buffer* buf = env->scratch_buffer;
 	if(!master) return 0;
-	if(extstrtoaddr(master->host, &addr, &addrlen)) {
+	if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) {
 		/* not needed, host is in IP addr format */
 		return 0;
 	}
@@ -6572,7 +6572,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
 	struct edns_data edns;
 	sldns_buffer* buf = env->scratch_buffer;
 	if(!master) return 0;
-	if(extstrtoaddr(master->host, &addr, &addrlen)) {
+	if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) {
 		/* not needed, host is in IP addr format */
 		return 0;
 	}

contrib/unbound/services/cache/infra.c

@@ -834,14 +834,13 @@ static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra,
 
 /** find data item in array for ip addresses */
 static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra,
-	struct comm_reply* repinfo, int wr)
+	struct sockaddr_storage* addr, socklen_t addrlen, int wr)
 {
 	struct ip_rate_key key;
-	hashvalue_type h = hash_addr(&(repinfo->addr),
-		repinfo->addrlen, 0);
+	hashvalue_type h = hash_addr(addr, addrlen, 0);
 	memset(&key, 0, sizeof(key));
-	key.addr = repinfo->addr;
-	key.addrlen = repinfo->addrlen;
+	key.addr = *addr;
+	key.addrlen = addrlen;
 	key.entry.hash = h;
 	return slabhash_lookup(infra->client_ip_rates, h, &key, wr);
 }
@@ -876,10 +875,9 @@ static void infra_create_ratedata(struct infra_cache* infra,
 
 /** create rate data item for ip address */
 static void infra_ip_create_ratedata(struct infra_cache* infra,
-	struct comm_reply* repinfo, time_t timenow)
+	struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow)
 {
-	hashvalue_type h = hash_addr(&(repinfo->addr),
-	repinfo->addrlen, 0);
+	hashvalue_type h = hash_addr(addr, addrlen, 0);
 	struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k));
 	struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d));
 	if(!k || !d) {
@@ -887,8 +885,8 @@ static void infra_ip_create_ratedata(struct infra_cache* infra,
 		free(d);
 		return; /* alloc failure */
 	}
-	k->addr = repinfo->addr;
-	k->addrlen = repinfo->addrlen;
+	k->addr = *addr;
+	k->addrlen = addrlen;
 	lock_rw_init(&k->entry.lock);
 	k->entry.hash = h;
 	k->entry.key = k;
@@ -985,8 +983,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
 			sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
 			ip[0]=0;
 			if(replylist) {
-				addr_to_str((struct sockaddr_storage *)&replylist->addr,
-					replylist->addrlen, ip, sizeof(ip));
+				addr_to_str((struct sockaddr_storage *)&replylist->remote_addr,
+					replylist->remote_addrlen, ip, sizeof(ip));
 				verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
 			} else {
 				verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
@@ -1040,7 +1038,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
 	max = infra_rate_max(entry->data, timenow, backoff);
 	lock_rw_unlock(&entry->lock);
 
-	return (max >= lim);
+	return (max > lim);
 }
 
 size_t 
@@ -1054,8 +1052,8 @@ infra_get_mem(struct infra_cache* infra)
 }
 
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-	struct comm_reply* repinfo, time_t timenow, int backoff,
-	struct sldns_buffer* buffer)
+	struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
+	int backoff, struct sldns_buffer* buffer)
 {
 	int max;
 	struct lruhash_entry* entry;
@@ -1065,7 +1063,7 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
 		return 1;
 	}
 	/* find or insert ratedata */
-	entry = infra_find_ip_ratedata(infra, repinfo, 1);
+	entry = infra_find_ip_ratedata(infra, addr, addrlen, 1);
 	if(entry) {
 		int premax = infra_rate_max(entry->data, timenow, backoff);
 		int* cur = infra_rate_give_second(entry->data, timenow);
@@ -1073,10 +1071,9 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
 		max = infra_rate_max(entry->data, timenow, backoff);
 		lock_rw_unlock(&entry->lock);
 
-		if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
+		if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) {
 			char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
-			addr_to_str((struct sockaddr_storage *)&repinfo->addr,
-				repinfo->addrlen, client_ip, sizeof(client_ip));
+			addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
 			qnm[0]=0;
 			if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
 				LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
@@ -1101,6 +1098,6 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
 	}
 
 	/* create */
-	infra_ip_create_ratedata(infra, repinfo, timenow);
+	infra_ip_create_ratedata(infra, addr, addrlen, timenow);
 	return 1;
 }

contrib/unbound/services/cache/infra.h

@@ -416,15 +416,16 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
 /** Update query ratelimit hash and decide
  *  whether or not a query should be dropped.
  *  @param infra: infra cache
- *  @param repinfo: information about client
+ *  @param addr: client address
+ *  @param addrlen: client address length
  *  @param timenow: what time it is now.
  *  @param backoff: if backoff is enabled.
  *  @param buffer: with query for logging.
  *  @return 1 if it could be incremented. 0 if the increment overshot the
  *  ratelimit and the query should be dropped. */
 int infra_ip_ratelimit_inc(struct infra_cache* infra,
-	struct comm_reply* repinfo, time_t timenow, int backoff,
-	struct sldns_buffer* buffer);
+	struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
+	int backoff, struct sldns_buffer* buffer);
 
 /**
  * Get memory used by the infra cache.

contrib/unbound/services/listen_dnsport.c

@@ -124,12 +124,12 @@ verbose_print_addr(struct addrinfo *addr)
 			(void)strlcpy(buf, "(null)", sizeof(buf));
 		}
 		buf[sizeof(buf)-1] = 0;
-		verbose(VERB_ALGO, "creating %s%s socket %s %d", 
+		verbose(VERB_ALGO, "creating %s%s socket %s %d",
 			addr->ai_socktype==SOCK_DGRAM?"udp":
 			addr->ai_socktype==SOCK_STREAM?"tcp":"otherproto",
 			addr->ai_family==AF_INET?"4":
 			addr->ai_family==AF_INET6?"6":
-			"_otherfam", buf, 
+			"_otherfam", buf,
 			ntohs(((struct sockaddr_in*)addr->ai_addr)->sin_port));
 	}
 }
@@ -140,7 +140,9 @@ verbose_print_unbound_socket(struct unbound_socket* ub_sock)
 	if(verbosity >= VERB_ALGO) {
 		log_info("listing of unbound_socket structure:");
 		verbose_print_addr(ub_sock->addr);
-		log_info("s is: %d, fam is: %s", ub_sock->s, ub_sock->fam == AF_INET?"AF_INET":"AF_INET6");
+		log_info("s is: %d, fam is: %s, acl: %s", ub_sock->s,
+			ub_sock->fam == AF_INET?"AF_INET":"AF_INET6",
+			ub_sock->acl?"yes":"no");
 	}
 }
 
@@ -458,7 +460,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 		int action;
 # endif
 # if defined(IPV6_V6ONLY)
-		if(v6only) {
+		if(v6only
+#   ifdef HAVE_SYSTEMD
+			/* Systemd wants to control if the socket is v6 only
+			 * or both, with BindIPv6Only=default, ipv6-only or
+			 * both in systemd.socket, so it is not set here. */
+			&& !got_fd_from_systemd
+#   endif
+			) {
 			int val=(v6only==2)?0:1;
 			if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, 
 				(void*)&val, (socklen_t)sizeof(val)) < 0) {
@@ -511,12 +520,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
 		 * instead which is writable; IPV6_MTU is readonly there. */
 		if (setsockopt(s, IPPROTO_IPV6, IPV6_USER_MTU,
 			(void*)&mtu, (socklen_t)sizeof(mtu)) < 0) {
-			log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s",
-				wsa_strerror(WSAGetLastError()));
-			sock_close(s);
-			*noproto = 0;
-			*inuse = 0;
-			return -1;
+			if (WSAGetLastError() != WSAENOPROTOOPT) {
+				log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s",
+					wsa_strerror(WSAGetLastError()));
+				sock_close(s);
+				*noproto = 0;
+				*inuse = 0;
+				return -1;
+			}
 		}
 #   endif /* USE_WINSOCK */
 # endif /* IPv6 MTU */
@@ -774,7 +785,14 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 	(void)reuseport;
 #endif /* defined(SO_REUSEPORT) */
 #if defined(IPV6_V6ONLY)
-	if(addr->ai_family == AF_INET6 && v6only) {
+	if(addr->ai_family == AF_INET6 && v6only
+#  ifdef HAVE_SYSTEMD
+		/* Systemd wants to control if the socket is v6 only
+		 * or both, with BindIPv6Only=default, ipv6-only or
+		 * both in systemd.socket, so it is not set here. */
+		&& !got_fd_from_systemd
+#  endif
+		) {
 		if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, 
 			(void*)&on, (socklen_t)sizeof(on)) < 0) {
 			log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
@@ -1030,6 +1048,7 @@ make_sock(int stype, const char* ifname, const char* port,
 	ub_sock->addr = res;
 	ub_sock->s = s;
 	ub_sock->fam = hints->ai_family;
+	ub_sock->acl = NULL;
 
 	return s;
 }
@@ -1074,11 +1093,13 @@ make_sock_port(int stype, const char* ifname, const char* port,
  * @param list: list head. changed.
  * @param s: fd.
  * @param ftype: if fd is UDP.
+ * @param pp2_enabled: if PROXYv2 is enabled for this port.
  * @param ub_sock: socket with address.
  * @return false on failure. list in unchanged then.
  */
 static int
-port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unbound_socket* ub_sock)
+port_insert(struct listen_port** list, int s, enum listen_type ftype,
+	int pp2_enabled, struct unbound_socket* ub_sock)
 {
 	struct listen_port* item = (struct listen_port*)malloc(
 		sizeof(struct listen_port));
@@ -1087,6 +1108,7 @@ port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unb
 	item->next = *list;
 	item->fd = s;
 	item->ftype = ftype;
+	item->pp2_enabled = pp2_enabled;
 	item->socket = ub_sock;
 	*list = item;
 	return 1;
@@ -1182,6 +1204,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
  * @param ssl_port: ssl service port number
  * @param tls_additional_port: list of additional ssl service port numbers.
  * @param https_port: DoH service port number
+ * @param proxy_protocol_port: list of PROXYv2 port numbers.
  * @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
  * 	set to false on exit if reuseport failed due to no kernel support.
  * @param transparent: set IP_TRANSPARENT socket option.
@@ -1194,34 +1217,39 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
  * @return: returns false on error.
  */
 static int
-ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, 
+ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 	struct addrinfo *hints, const char* port, struct listen_port** list,
 	size_t rcv, size_t snd, int ssl_port,
 	struct config_strlist* tls_additional_port, int https_port,
+	struct config_strlist* proxy_protocol_port,
 	int* reuseport, int transparent, int tcp_mss, int freebind,
 	int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp)
 {
 	int s, noip6=0;
 	int is_https = if_is_https(ifname, port, https_port);
+	int is_dnscrypt = if_is_dnscrypt(ifname, port, dnscrypt_port);
+	int is_pp2 = if_is_pp2(ifname, port, proxy_protocol_port);
 	int nodelay = is_https && http2_nodelay;
 	struct unbound_socket* ub_sock;
-#ifdef USE_DNSCRYPT
-	int is_dnscrypt = ((strchr(ifname, '@') && 
-			atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
-			(!strchr(ifname, '@') && atoi(port) == dnscrypt_port));
-#else
-	int is_dnscrypt = 0;
-	(void)dnscrypt_port;
-#endif
 
 	if(!do_udp && !do_tcp)
 		return 0;
 
+	if(is_pp2) {
+		if(is_dnscrypt) {
+			fatal_exit("PROXYv2 and DNSCrypt combination not "
+				"supported!");
+		} else if(is_https) {
+			fatal_exit("PROXYv2 and DoH combination not "
+				"supported!");
+		}
+	}
+
 	if(do_auto) {
 		ub_sock = calloc(1, sizeof(struct unbound_socket));
 		if(!ub_sock)
 			return 0;
-		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
+		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
 			&noip6, rcv, snd, reuseport, transparent,
 			tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) {
 			freeaddrinfo(ub_sock->addr);
@@ -1239,8 +1267,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			free(ub_sock);
 			return 0;
 		}
-		if(!port_insert(list, s,
-		   is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil, ub_sock)) {
+		if(!port_insert(list, s, is_dnscrypt
+			?listen_type_udpancil_dnscrypt:listen_type_udpancil,
+			is_pp2, ub_sock)) {
 			sock_close(s);
 			freeaddrinfo(ub_sock->addr);
 			free(ub_sock);
@@ -1251,7 +1280,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		if(!ub_sock)
 			return 0;
 		/* regular udp socket */
-		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, 
+		if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1,
 			&noip6, rcv, snd, reuseport, transparent,
 			tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) {
 			freeaddrinfo(ub_sock->addr);
@@ -1262,8 +1291,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			}
 			return 0;
 		}
-		if(!port_insert(list, s,
-		   is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp, ub_sock)) {
+		if(!port_insert(list, s, is_dnscrypt
+			?listen_type_udp_dnscrypt:listen_type_udp,
+			is_pp2, ub_sock)) {
 			sock_close(s);
 			freeaddrinfo(ub_sock->addr);
 			free(ub_sock);
@@ -1285,7 +1315,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 			port_type = listen_type_tcp_dnscrypt;
 		else
 			port_type = listen_type_tcp;
-		if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, 
+		if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
 			&noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay,
 			freebind, use_systemd, dscp, ub_sock)) == -1) {
 			freeaddrinfo(ub_sock->addr);
@@ -1298,7 +1328,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		}
 		if(is_ssl)
 			verbose(VERB_ALGO, "setup TCP for SSL service");
-		if(!port_insert(list, s, port_type, ub_sock)) {
+		if(!port_insert(list, s, port_type, is_pp2, ub_sock)) {
 			sock_close(s);
 			freeaddrinfo(ub_sock->addr);
 			free(ub_sock);
@@ -1387,14 +1417,16 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 		if(ports->ftype == listen_type_udp ||
 		   ports->ftype == listen_type_udp_dnscrypt) {
 			cp = comm_point_create_udp(base, ports->fd,
-				front->udp_buff, cb, cb_arg, ports->socket);
+				front->udp_buff, ports->pp2_enabled, cb,
+				cb_arg, ports->socket);
 		} else if(ports->ftype == listen_type_tcp ||
 				ports->ftype == listen_type_tcp_dnscrypt) {
 			cp = comm_point_create_tcp(base, ports->fd,
 				tcp_accept_count, tcp_idle_timeout,
 				harden_large_queries, 0, NULL,
 				tcp_conn_limit, bufsize, front->udp_buff,
-				ports->ftype, cb, cb_arg, ports->socket);
+				ports->ftype, ports->pp2_enabled, cb, cb_arg,
+				ports->socket);
 		} else if(ports->ftype == listen_type_ssl ||
 			ports->ftype == listen_type_http) {
 			cp = comm_point_create_tcp(base, ports->fd,
@@ -1402,7 +1434,8 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 				harden_large_queries,
 				http_max_streams, http_endpoint,
 				tcp_conn_limit, bufsize, front->udp_buff,
-				ports->ftype, cb, cb_arg, ports->socket);
+				ports->ftype, ports->pp2_enabled, cb, cb_arg,
+				ports->socket);
 			if(ports->ftype == listen_type_http) {
 				if(!sslctx && !http_notls) {
 					log_warn("HTTPS port configured, but "
@@ -1428,7 +1461,8 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 		} else if(ports->ftype == listen_type_udpancil ||
 				  ports->ftype == listen_type_udpancil_dnscrypt) {
 			cp = comm_point_create_udp_ancil(base, ports->fd,
-				front->udp_buff, cb, cb_arg, ports->socket);
+				front->udp_buff, ports->pp2_enabled, cb,
+				cb_arg, ports->socket);
 		}
 		if(!cp) {
 			log_err("can't create commpoint");
@@ -1700,7 +1734,7 @@ int resolve_interface_names(char** ifs, int num_ifs,
 #endif /* HAVE_GETIFADDRS */
 }
 
-struct listen_port* 
+struct listen_port*
 listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 	int* reuseport)
 {
@@ -1763,7 +1797,9 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 						&hints, portbuf, &list,
 						cfg->so_rcvbuf, cfg->so_sndbuf,
 						cfg->ssl_port, cfg->tls_additional_port,
-						cfg->https_port, reuseport, cfg->ip_transparent,
+						cfg->https_port,
+						cfg->proxy_protocol_port,
+						reuseport, cfg->ip_transparent,
 						cfg->tcp_mss, cfg->ip_freebind,
 						cfg->http_nodelay, cfg->use_systemd,
 						cfg->dnscrypt_port, cfg->ip_dscp)) {
@@ -1778,7 +1814,9 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 						&hints, portbuf, &list,
 						cfg->so_rcvbuf, cfg->so_sndbuf,
 						cfg->ssl_port, cfg->tls_additional_port,
-						cfg->https_port, reuseport, cfg->ip_transparent,
+						cfg->https_port,
+						cfg->proxy_protocol_port,
+						reuseport, cfg->ip_transparent,
 						cfg->tcp_mss, cfg->ip_freebind,
 						cfg->http_nodelay, cfg->use_systemd,
 						cfg->dnscrypt_port, cfg->ip_dscp)) {
@@ -1791,12 +1829,13 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 		}
 		if(do_ip6) {
 			hints.ai_family = AF_INET6;
-			if(!ports_create_if(do_auto?"::0":"::1", 
-				do_auto, cfg->do_udp, do_tcp, 
+			if(!ports_create_if(do_auto?"::0":"::1",
+				do_auto, cfg->do_udp, do_tcp,
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port, reuseport, cfg->ip_transparent,
+				cfg->https_port, cfg->proxy_protocol_port,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind,
 				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
@@ -1806,12 +1845,13 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 		}
 		if(do_ip4) {
 			hints.ai_family = AF_INET;
-			if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", 
-				do_auto, cfg->do_udp, do_tcp, 
+			if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1",
+				do_auto, cfg->do_udp, do_tcp,
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port, reuseport, cfg->ip_transparent,
+				cfg->https_port, cfg->proxy_protocol_port,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind,
 				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
@@ -1825,10 +1865,11 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 				continue;
 			hints.ai_family = AF_INET6;
 			if(!ports_create_if(ifs[i], 0, cfg->do_udp,
-				do_tcp, &hints, portbuf, &list, 
+				do_tcp, &hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port, reuseport, cfg->ip_transparent,
+				cfg->https_port, cfg->proxy_protocol_port,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind,
 				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
@@ -1840,10 +1881,11 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
 				continue;
 			hints.ai_family = AF_INET;
 			if(!ports_create_if(ifs[i], 0, cfg->do_udp,
-				do_tcp, &hints, portbuf, &list, 
+				do_tcp, &hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port, reuseport, cfg->ip_transparent,
+				cfg->https_port, cfg->proxy_protocol_port,
+				reuseport, cfg->ip_transparent,
 				cfg->tcp_mss, cfg->ip_freebind,
 				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {

contrib/unbound/services/listen_dnsport.h

@@ -43,6 +43,7 @@
 #define LISTEN_DNSPORT_H
 
 #include "util/netevent.h"
+#include "daemon/acl_list.h"
 #ifdef HAVE_NGHTTP2_NGHTTP2_H
 #include <nghttp2/nghttp2.h>
 #endif
@@ -107,11 +108,13 @@ enum listen_type {
  */
 struct unbound_socket {
 	/** socket-address structure */
-        struct addrinfo *       addr;
+	struct addrinfo* addr;
 	/** socket descriptor returned by socket() syscall */
-        int                     s;
+	int s;
 	/** address family (AF_INET/IF_INET6) */
-        int                     fam;
+	int fam;
+	/** ACL on the socket (listening interface) */
+	struct acl_addr* acl;
 };
 
 /**
@@ -125,7 +128,10 @@ struct listen_port {
 	int fd;
 	/** type of file descriptor, udp or tcp */
 	enum listen_type ftype;
-	/** fill in unbpound_socket structure for every opened socket at Unbound startup */
+	/** if the port should support PROXYv2 */
+	int pp2_enabled;
+	/** fill in unbound_socket structure for every opened socket at
+	 * Unbound startup */
 	struct unbound_socket* socket;
 };
 

contrib/unbound/services/localzone.c

@@ -1744,13 +1744,13 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
 /** print log information for an inform zone query */
 static void
 lz_inform_print(struct local_zone* z, struct query_info* qinfo,
-	struct comm_reply* repinfo)
+	struct sockaddr_storage* addr, socklen_t addrlen)
 {
 	char ip[128], txt[512];
 	char zname[LDNS_MAX_DOMAINLEN+1];
-	uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
+	uint16_t port = ntohs(((struct sockaddr_in*)addr)->sin_port);
 	dname_str(z->name, zname);
-	addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
+	addr_to_str(addr, addrlen, ip, sizeof(ip));
 	snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip,
 		(unsigned)port);
 	log_nametypeclass(NO_VERBOSE, txt, qinfo->qname, qinfo->qtype, qinfo->qclass);
@@ -1765,7 +1765,8 @@ lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2,
 	struct local_zone_override* lzo;	
 	if(repinfo && override_tree) {
 		lzo = (struct local_zone_override*)addr_tree_lookup(
-			override_tree, &repinfo->addr, repinfo->addrlen);
+			override_tree, &repinfo->client_addr,
+			repinfo->client_addrlen);
 		if(lzo && lzo->type) {
 			verbose(VERB_ALGO, "local zone override to type %s",
 				local_zone_type2str(lzo->type));
@@ -1888,7 +1889,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
 			lzt == local_zone_inform_deny ||
 			lzt == local_zone_inform_redirect)
 			&& repinfo)
-		lz_inform_print(z, qinfo, repinfo);
+		lz_inform_print(z, qinfo, &repinfo->client_addr,
+			repinfo->client_addrlen);
 
 	if(lzt != local_zone_always_refuse
 		&& lzt != local_zone_always_transparent

contrib/unbound/services/mesh.c

@@ -806,7 +806,7 @@ static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh,
 		/* Fake the ECS data from the client's IP */
 		struct ecs_data ecs;
 		memset(&ecs, 0, sizeof(ecs));
-		subnet_option_from_ss(&rep->addr, &ecs, mesh->env->cfg);
+		subnet_option_from_ss(&rep->client_addr, &ecs, mesh->env->cfg);
 		if(ecs.subnet_validdata == 0) {
 			log_err("prefetch_subnet subnet_option_from_ss: invalid data");
 			return;
@@ -1488,8 +1488,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	}
 	/* Log reply sent */
 	if(m->s.env->cfg->log_replies) {
-		log_reply_info(NO_VERBOSE, &m->s.qinfo, &r->query_reply.addr,
-			r->query_reply.addrlen, duration, 0, r_buffer);
+		log_reply_info(NO_VERBOSE, &m->s.qinfo,
+			&r->query_reply.client_addr,
+			r->query_reply.client_addrlen, duration, 0, r_buffer);
 	}
 }
 
@@ -1530,7 +1531,8 @@ void mesh_query_done(struct mesh_state* mstate)
 			respip_inform_print(mstate->s.respip_action_info,
 				r->qname, mstate->s.qinfo.qtype,
 				mstate->s.qinfo.qclass, r->local_alias,
-				&r->query_reply);
+				&r->query_reply.client_addr,
+				r->query_reply.client_addrlen);
 			if(mstate->s.env->cfg->stat_extended &&
 				mstate->s.respip_action_info->rpz_used) {
 				if(mstate->s.respip_action_info->rpz_disabled)
@@ -2180,7 +2182,8 @@ mesh_serve_expired_callback(void* arg)
 		if(actinfo.addrinfo) {
 			respip_inform_print(&actinfo, r->qname,
 				qstate->qinfo.qtype, qstate->qinfo.qclass,
-				r->local_alias, &r->query_reply);
+				r->local_alias, &r->query_reply.client_addr,
+				r->query_reply.client_addrlen);
 
 			if(qstate->env->cfg->stat_extended && actinfo.rpz_used) {
 				if(actinfo.rpz_disabled)

contrib/unbound/services/outside_network.c

@@ -86,10 +86,6 @@ static void serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
 static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet,
 	int timeout);
 
-/** remove waiting tcp from the outnet waiting list */
-static void waiting_list_remove(struct outside_network* outnet,
-	struct waiting_tcp* w);
-
 /** select a DNS ID for a TCP stream */
 static uint16_t tcp_select_id(struct outside_network* outnet,
 	struct reuse_tcp* reuse);
@@ -372,7 +368,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse)
 }
 
 /** pop the first element from the writewait list */
-static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse)
+struct waiting_tcp*
+reuse_write_wait_pop(struct reuse_tcp* reuse)
 {
 	struct waiting_tcp* w = reuse->write_wait_first;
 	if(!w)
@@ -390,8 +387,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse)
 }
 
 /** remove the element from the writewait list */
-static void reuse_write_wait_remove(struct reuse_tcp* reuse,
-	struct waiting_tcp* w)
+void
+reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w)
 {
 	log_assert(w);
 	log_assert(w->write_wait_queued);
@@ -415,8 +412,8 @@ static void reuse_write_wait_remove(struct reuse_tcp* reuse,
 }
 
 /** push the element after the last on the writewait list */
-static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
-	struct waiting_tcp* w)
+void
+reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w)
 {
 	if(!w) return;
 	log_assert(!w->write_wait_queued);
@@ -427,7 +424,9 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
 		w->write_wait_prev = reuse->write_wait_last;
 	} else {
 		reuse->write_wait_first = w;
+		w->write_wait_prev = NULL;
 	}
+	w->write_wait_next = NULL;
 	reuse->write_wait_last = w;
 	w->write_wait_queued = 1;
 }
@@ -721,12 +720,12 @@ outnet_tcp_take_into_use(struct waiting_tcp* w)
 	pend->next_free = NULL;
 	pend->query = w;
 	pend->reuse.outnet = w->outnet;
-	pend->c->repinfo.addrlen = w->addrlen;
+	pend->c->repinfo.remote_addrlen = w->addrlen;
 	pend->c->tcp_more_read_again = &pend->reuse.cp_more_read_again;
 	pend->c->tcp_more_write_again = &pend->reuse.cp_more_write_again;
 	pend->reuse.cp_more_read_again = 0;
 	pend->reuse.cp_more_write_again = 0;
-	memcpy(&pend->c->repinfo.addr, &w->addr, w->addrlen);
+	memcpy(&pend->c->repinfo.remote_addr, &w->addr, w->addrlen);
 	pend->reuse.pending = pend;
 
 	/* Remove from tree in case the is_ssl will be different and causes the
@@ -810,20 +809,50 @@ reuse_tcp_lru_snip(struct outside_network* outnet)
 	return reuse;
 }
 
-/** call callback on waiting_tcp, if not NULL */
-static void
-waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error,
-	struct comm_reply* reply_info)
+/** remove waiting tcp from the outnet waiting list */
+void
+outnet_waiting_tcp_list_remove(struct outside_network* outnet, struct waiting_tcp* w)
 {
-	if(w && w->cb) {
-		fptr_ok(fptr_whitelist_pending_tcp(w->cb));
-		(void)(*w->cb)(c, w->cb_arg, error, reply_info);
+	struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL;
+	w->on_tcp_waiting_list = 0;
+	while(p) {
+		if(p == w) {
+			/* remove w */
+			if(prev)
+				prev->next_waiting = w->next_waiting;
+			else	outnet->tcp_wait_first = w->next_waiting;
+			if(outnet->tcp_wait_last == w)
+				outnet->tcp_wait_last = prev;
+			w->next_waiting = NULL;
+			return;
+		}
+		prev = p;
+		p = p->next_waiting;
 	}
+	/* outnet_waiting_tcp_list_remove is currently called only with items
+	 * that are already in the waiting list. */
+	log_assert(0);
+}
+
+/** pop the first waiting tcp from the outnet waiting list */
+struct waiting_tcp*
+outnet_waiting_tcp_list_pop(struct outside_network* outnet)
+{
+	struct waiting_tcp* w = outnet->tcp_wait_first;
+	if(!outnet->tcp_wait_first) return NULL;
+	log_assert(w->on_tcp_waiting_list);
+	outnet->tcp_wait_first = w->next_waiting;
+	if(outnet->tcp_wait_last == w)
+		outnet->tcp_wait_last = NULL;
+	w->on_tcp_waiting_list = 0;
+	w->next_waiting = NULL;
+	return w;
 }
 
 /** add waiting_tcp element to the outnet tcp waiting list */
-static void
-outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
+void
+outnet_waiting_tcp_list_add(struct outside_network* outnet,
+	struct waiting_tcp* w, int set_timer)
 {
 	struct timeval tv;
 	log_assert(!w->on_tcp_waiting_list);
@@ -835,16 +864,18 @@ outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
 	else	outnet->tcp_wait_first = w;
 	outnet->tcp_wait_last = w;
 	w->on_tcp_waiting_list = 1;
+	if(set_timer) {
 #ifndef S_SPLINT_S
-	tv.tv_sec = w->timeout/1000;
-	tv.tv_usec = (w->timeout%1000)*1000;
+		tv.tv_sec = w->timeout/1000;
+		tv.tv_usec = (w->timeout%1000)*1000;
 #endif
-	comm_timer_set(w->timer, &tv);
+		comm_timer_set(w->timer, &tv);
+	}
 }
 
 /** add waiting_tcp element as first to the outnet tcp waiting list */
-static void
-outnet_add_tcp_waiting_first(struct outside_network* outnet,
+void
+outnet_waiting_tcp_list_add_first(struct outside_network* outnet,
 	struct waiting_tcp* w, int reset_timer)
 {
 	struct timeval tv;
@@ -869,6 +900,17 @@ outnet_add_tcp_waiting_first(struct outside_network* outnet,
 		(outnet->tcp_reuse_first && outnet->tcp_reuse_last));
 }
 
+/** call callback on waiting_tcp, if not NULL */
+static void
+waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error,
+	struct comm_reply* reply_info)
+{
+	if(w && w->cb) {
+		fptr_ok(fptr_whitelist_pending_tcp(w->cb));
+		(void)(*w->cb)(c, w->cb_arg, error, reply_info);
+	}
+}
+
 /** see if buffers can be used to service TCP queries */
 static void
 use_free_buffer(struct outside_network* outnet)
@@ -879,15 +921,10 @@ use_free_buffer(struct outside_network* outnet)
 		struct pending_tcp* pend_tcp = NULL;
 #endif
 		struct reuse_tcp* reuse = NULL;
-		w = outnet->tcp_wait_first;
-		log_assert(w->on_tcp_waiting_list);
-		outnet->tcp_wait_first = w->next_waiting;
-		if(outnet->tcp_wait_last == w)
-			outnet->tcp_wait_last = NULL;
+		w = outnet_waiting_tcp_list_pop(outnet);
 		log_assert(
 			(!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
 			(outnet->tcp_reuse_first && outnet->tcp_reuse_last));
-		w->on_tcp_waiting_list = 0;
 		reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen,
 			w->ssl_upstream);
 		/* re-select an ID when moving to a new TCP buffer */
@@ -934,7 +971,7 @@ use_free_buffer(struct outside_network* outnet)
 #endif
 		} else {
 			/* no reuse and no free buffer, put back at the start */
-			outnet_add_tcp_waiting_first(outnet, w, 0);
+			outnet_waiting_tcp_list_add_first(outnet, w, 0);
 			break;
 		}
 #ifdef USE_DNSTAP
@@ -1008,7 +1045,7 @@ reuse_move_writewait_away(struct outside_network* outnet,
 		 * fail the query */
 		w->error_count ++;
 		reuse_tree_by_id_delete(&pend->reuse, w);
-		outnet_add_tcp_waiting(outnet, w);
+		outnet_waiting_tcp_list_add(outnet, w, 1);
 	}
 	while((w = reuse_write_wait_pop(&pend->reuse)) != NULL) {
 		if(verbosity >= VERB_CLIENT && w->pkt_len > 12+2+2 &&
@@ -1019,7 +1056,7 @@ reuse_move_writewait_away(struct outside_network* outnet,
 			verbose(VERB_CLIENT, "reuse_move_writewait_away item %s", buf);
 		}
 		reuse_tree_by_id_delete(&pend->reuse, w);
-		outnet_add_tcp_waiting(outnet, w);
+		outnet_waiting_tcp_list_add(outnet, w, 1);
 	}
 }
 
@@ -1417,11 +1454,11 @@ outnet_udp_cb(struct comm_point* c, void* arg, int error,
 
 	/* setup lookup key */
 	key.id = (unsigned)LDNS_ID_WIRE(sldns_buffer_begin(c->buffer));
-	memcpy(&key.addr, &reply_info->addr, reply_info->addrlen);
-	key.addrlen = reply_info->addrlen;
+	memcpy(&key.addr, &reply_info->remote_addr, reply_info->remote_addrlen);
+	key.addrlen = reply_info->remote_addrlen;
 	verbose(VERB_ALGO, "Incoming reply id = %4.4x", key.id);
 	log_addr(VERB_ALGO, "Incoming reply addr =", 
-		&reply_info->addr, reply_info->addrlen);
+		&reply_info->remote_addr, reply_info->remote_addrlen);
 
 	/* find it, see if this thing is a valid query response */
 	verbose(VERB_ALGO, "lookup size is %d entries", (int)outnet->pending->count);
@@ -1690,7 +1727,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
 			return NULL;
 		}
 		pc->cp = comm_point_create_udp(outnet->base, -1, 
-			outnet->udp_buff, outnet_udp_cb, outnet, NULL);
+			outnet->udp_buff, 0, outnet_udp_cb, outnet, NULL);
 		if(!pc->cp) {
 			log_err("malloc failed");
 			free(pc);
@@ -2237,7 +2274,7 @@ outnet_tcptimer(void* arg)
 	verbose(VERB_CLIENT, "outnet_tcptimer");
 	if(w->on_tcp_waiting_list) {
 		/* it is on the waiting list */
-		waiting_list_remove(outnet, w);
+		outnet_waiting_tcp_list_remove(outnet, w);
 		waiting_tcp_callback(w, NULL, NETEVENT_TIMEOUT, NULL);
 		waiting_tcp_delete(w);
 	} else {
@@ -2464,7 +2501,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
 #ifdef USE_DNSTAP
 		w->sq = sq;
 #endif
-		outnet_add_tcp_waiting(sq->outnet, w);
+		outnet_waiting_tcp_list_add(sq->outnet, w, 1);
 	}
 	return w;
 }
@@ -2545,8 +2582,10 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
 #ifdef UNBOUND_DEBUG
 	rbnode_type* ins;
 #endif
-	if(!sq) 
+	if(!sq) {
+		alloc_reg_release(alloc, region);
 		return NULL;
+	}
 	sq->node.key = sq;
 	sq->alloc = alloc;
 	sq->region = region;
@@ -2610,30 +2649,6 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
 	return sq;
 }
 
-/** remove waiting tcp from the outnet waiting list */
-static void
-waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w)
-{
-	struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL;
-	w->on_tcp_waiting_list = 0;
-	while(p) {
-		if(p == w) {
-			/* remove w */
-			if(prev)
-				prev->next_waiting = w->next_waiting;
-			else	outnet->tcp_wait_first = w->next_waiting;
-			if(outnet->tcp_wait_last == w)
-				outnet->tcp_wait_last = prev;
-			return;
-		}
-		prev = p;
-		p = p->next_waiting;
-	}
-	/* waiting_list_remove is currently called only with items that are
-	 * already in the waiting list. */
-	log_assert(0);
-}
-
 /** reuse tcp stream, remove serviced query from stream,
  * return true if the stream is kept, false if it is to be closed */
 static int
@@ -2728,7 +2743,7 @@ serviced_delete(struct serviced_query* sq)
 				sq->pending = NULL;
 			} else {
 				verbose(VERB_CLIENT, "serviced_delete: tcpwait");
-				waiting_list_remove(sq->outnet, w);
+				outnet_waiting_tcp_list_remove(sq->outnet, w);
 				if(!w->in_cb_and_decommission)
 					waiting_tcp_delete(w);
 			}
@@ -3101,8 +3116,8 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 		rep = &r2;
 		r2.c = c;
 	}
-	memcpy(&rep->addr, &sq->addr, sq->addrlen);
-	rep->addrlen = sq->addrlen;
+	memcpy(&rep->remote_addr, &sq->addr, sq->addrlen);
+	rep->remote_addrlen = sq->addrlen;
 	serviced_callbacks(sq, error, c, rep);
 	return 0;
 }
@@ -3432,7 +3447,6 @@ outnet_serviced_query(struct outside_network* outnet,
 				infra_ratelimit_dec(env->infra_cache,
 					zone, zonelen, timenow);
 			}
-			alloc_reg_release(env->alloc, region);
 			return NULL;
 		}
 		if(!(cb = (struct service_callback*)regional_alloc(
@@ -3581,7 +3595,7 @@ outnet_comm_point_for_udp(struct outside_network* outnet,
 	if(fd == -1) {
 		return NULL;
 	}
-	cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff,
+	cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, 0,
 		cb, cb_arg, NULL);
 	if(!cp) {
 		log_err("malloc failure");
@@ -3669,8 +3683,8 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
 		close(fd);
 		return 0;
 	}
-	cp->repinfo.addrlen = to_addrlen;
-	memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
+	cp->repinfo.remote_addrlen = to_addrlen;
+	memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);
 
 	/* setup for SSL (if needed) */
 	if(ssl) {
@@ -3745,8 +3759,8 @@ outnet_comm_point_for_http(struct outside_network* outnet,
 		close(fd);
 		return 0;
 	}
-	cp->repinfo.addrlen = to_addrlen;
-	memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
+	cp->repinfo.remote_addrlen = to_addrlen;
+	memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);
 
 	/* setup for SSL (if needed) */
 	if(ssl) {

contrib/unbound/services/outside_network.h

@@ -718,6 +718,30 @@ struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet);
 /** delete readwait waiting_tcp elements, deletes the elements in the list */
 void reuse_del_readwait(rbtree_type* tree_by_id);
 
+/** remove waiting tcp from the outnet waiting list */
+void outnet_waiting_tcp_list_remove(struct outside_network* outnet,
+	struct waiting_tcp* w);
+
+/** pop the first waiting tcp from the outnet waiting list */
+struct waiting_tcp* outnet_waiting_tcp_list_pop(struct outside_network* outnet);
+
+/** add waiting_tcp element to the outnet tcp waiting list */
+void outnet_waiting_tcp_list_add(struct outside_network* outnet,
+	struct waiting_tcp* w, int set_timer);
+
+/** add waiting_tcp element as first to the outnet tcp waiting list */
+void outnet_waiting_tcp_list_add_first(struct outside_network* outnet,
+	struct waiting_tcp* w, int reset_timer);
+
+/** pop the first element from the writewait list */
+struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse);
+
+/** remove the element from the writewait list */
+void reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w);
+
+/** push the element after the last on the writewait list */
+void reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w);
+
 /** get TCP file descriptor for address, returns -1 on failure,
  * tcp_mss is 0 or maxseg size to set for TCP packets. */
 int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen,

contrib/unbound/services/rpz.c

@@ -1392,11 +1392,13 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode,
 		dnamestr[0]=0;
 	}
 	if(repinfo) {
-		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
-		port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
+		addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip));
+		port = ntohs(((struct sockaddr_in*)&repinfo->client_addr)->sin_port);
 	} else if(ms && ms->mesh_info && ms->mesh_info->reply_list) {
-		addr_to_str(&ms->mesh_info->reply_list->query_reply.addr, ms->mesh_info->reply_list->query_reply.addrlen, ip, sizeof(ip));
-		port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.addr)->sin_port);
+		addr_to_str(&ms->mesh_info->reply_list->query_reply.client_addr,
+			ms->mesh_info->reply_list->query_reply.client_addrlen,
+			ip, sizeof(ip));
+		port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.client_addr)->sin_port);
 	} else {
 		ip[0]=0;
 		port = 0;
@@ -1468,7 +1470,9 @@ rpz_resolve_client_action_and_zone(struct auth_zones* az, struct query_info* qin
 		}
 		z = rpz_find_zone(r->local_zones, qinfo->qname, qinfo->qname_len,
 			qinfo->qclass, 0, 0, 0);
-		node = rpz_ipbased_trigger_lookup(r->client_set, &repinfo->addr, repinfo->addrlen, "clientip");
+		node = rpz_ipbased_trigger_lookup(r->client_set,
+			&repinfo->client_addr, repinfo->client_addrlen,
+			"clientip");
 		if((z || node) && r->action_override == RPZ_DISABLED_ACTION) {
 			if(r->log)
 				log_rpz_apply((node?"clientip":"qname"),
@@ -2164,18 +2168,16 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 
 	lock_rw_unlock(&az->rpz_lock);
 
-	if(raddr == NULL && z == NULL) { return NULL; }
-	else if(raddr != NULL) {
+	if(raddr == NULL && z == NULL)
+		return NULL;
+
+	if(raddr != NULL) {
 		if(z) {
 			lock_rw_unlock(&z->lock);
 		}
 		return rpz_apply_nsip_trigger(ms, r, raddr, a);
-	} else if(z != NULL) {
-		if(raddr) {
-			lock_rw_unlock(&raddr->lock);
-		}
-		return rpz_apply_nsdname_trigger(ms, r, z, &match, a);
-	} else { return NULL; }
+	}
+	return rpz_apply_nsdname_trigger(ms, r, z, &match, a);
 }
 
 struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,

contrib/unbound/services/view.c

@@ -66,8 +66,9 @@ views_create(void)
 	return v;
 }
 
-/** This prototype is defined in in respip.h, but we want to avoid
-  * unnecessary dependencies */
+/* \noop (ignore this comment for doxygen)
+ * This prototype is defined in in respip.h, but we want to avoid
+ * unnecessary dependencies */
 void respip_set_delete(struct respip_set *set);
 
 void 

contrib/unbound/smallapp/unbound-checkconf.c

@@ -316,7 +316,7 @@ warn_hosts(const char* typ, struct config_stub* list)
 	struct config_strlist* h;
 	for(s=list; s; s=s->next) {
 		for(h=s->hosts; h; h=h->next) {
-			if(extstrtoaddr(h->str, &a, &alen)) {
+			if(extstrtoaddr(h->str, &a, &alen, UNBOUND_DNS_PORT)) {
 				fprintf(stderr, "unbound-checkconf: warning:"
 				  " %s %s: \"%s\" is an IP%s address, "
 				  "and when looked up as a host name "
@@ -338,6 +338,8 @@ interfacechecks(struct config_file* cfg)
 	int i, j, i2, j2;
 	char*** resif = NULL;
 	int* num_resif = NULL;
+	char portbuf[32];
+	snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
 
 	if(cfg->num_ifs != 0) {
 		resif = (char***)calloc(cfg->num_ifs, sizeof(char**));
@@ -359,9 +361,21 @@ interfacechecks(struct config_file* cfg)
 			fatal_exit("could not resolve interface names, for %s",
 				cfg->ifs[i]);
 		}
+		/* check for port combinations that are not supported */
+		if(if_is_pp2(resif[i][0], portbuf, cfg->proxy_protocol_port)) {
+			if(if_is_dnscrypt(resif[i][0], portbuf,
+				cfg->dnscrypt_port)) {
+				fatal_exit("PROXYv2 and DNSCrypt combination not "
+					"supported!");
+			} else if(if_is_https(resif[i][0], portbuf,
+				cfg->https_port)) {
+				fatal_exit("PROXYv2 and DoH combination not "
+					"supported!");
+			}
+		}
 		/* search for duplicates in the returned addresses */
 		for(j=0; j<num_resif[i]; j++) {
-			if(!extstrtoaddr(resif[i][j], &a, &alen)) {
+			if(!extstrtoaddr(resif[i][j], &a, &alen, cfg->port)) {
 				if(strcmp(cfg->ifs[i], resif[i][j]) != 0)
 					fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'",
 						resif[i][j], cfg->ifs[i]);

contrib/unbound/smallapp/unbound-control.c

@@ -601,7 +601,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 			struct sockaddr_storage addr2;
 			socklen_t addrlen2;
 			if(extstrtoaddr(cfg->control_ifs.first->str, &addr2,
-				&addrlen2)) {
+				&addrlen2, UNBOUND_DNS_PORT)) {
 				svr = cfg->control_ifs.first->str;
 			} else {
 				if(!resolve_interface_names(NULL, 0,
@@ -629,7 +629,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
 			svr = "::1";
 	}
 	if(strchr(svr, '@')) {
-		if(!extstrtoaddr(svr, &addr, &addrlen))
+		if(!extstrtoaddr(svr, &addr, &addrlen, UNBOUND_DNS_PORT))
 			fatal_exit("could not parse IP@port: %s", svr);
 #ifdef HAVE_SYS_UN_H
 	} else if(svr[0] == '/') {

contrib/unbound/testdata/iter_ghost_sub.rpl

@@ -1,309 +0,0 @@
-; config options
-server:
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test ghost subdomain of another subdomain.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-. 86400 IN NS
-SECTION ANSWER
-. 86400 IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	86400 IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com.	86400 IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	86400 IN 	A	192.5.6.30
-ENTRY_END
-
-RANGE_END
-
-; a.gtld-servers.net.
-; this is the one where example.com is delegated.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.	86400 IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	86400 IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.4
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-; this is the one where example.com is no longer delegated.
-RANGE_BEGIN 100 200
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.	86400 IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	86400 IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NXDOMAIN
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.com. IN A
-SECTION ANSWER
-ns.example.com. IN A	1.2.3.4
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-ns.example.com. IN AAAA
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A	10.20.30.40
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com 	IN A 	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-s.example.com. IN A
-SECTION ANSWER
-s.example.com. IN A	1.2.3.4
-SECTION AUTHORITY
-s.example.com.	IN NS	s.example.com.
-SECTION ADDITIONAL
-s.example.com 	IN A 	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR NOERROR
-SECTION QUESTION
-s.s.example.com. IN A
-SECTION ANSWER
-s.s.example.com. IN A	1.2.3.4
-SECTION AUTHORITY
-s.s.example.com.	IN NS	s.s.example.com.
-SECTION ADDITIONAL
-s.s.example.com 	IN A 	1.2.3.4
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; get the delegation in cache
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A	10.20.30.40
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com 	IN A 	1.2.3.4
-ENTRY_END
-
-; time passes
-STEP 25 TIME_PASSES ELAPSE 1800
-
-; get another delegation in cache
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-s.example.com. IN A
-ENTRY_END
-
-STEP 40 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-s.example.com. IN A
-SECTION ANSWER
-s.example.com. IN A	1.2.3.4
-SECTION AUTHORITY
-s.example.com.	IN NS	s.example.com.
-ENTRY_END
-
-; time passes, 1800 + 1000 = 2800 of 3600 TTL on NS of s.example.com. and
-; example.com.
-STEP 45 TIME_PASSES ELAPSE 1000
-
-; get another delegation in cache
-STEP 50 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-s.s.example.com. IN A
-ENTRY_END
-
-STEP 60 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-s.s.example.com. IN A
-SECTION ANSWER
-s.s.example.com. IN A	1.2.3.4
-SECTION AUTHORITY
-s.s.example.com.	IN NS	s.s.example.com.
-ENTRY_END
-
-
-; time passes, 1800 + 2000 = 3800 of 3600 TTL on NS of s.example.com. and
-; example.com.
-STEP 75 TIME_PASSES ELAPSE 1000
-
-; domain no longer delegated
-; is the domain still up?
-
-STEP 100 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.s.example.com. IN A
-ENTRY_END
-
-STEP 110 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NXDOMAIN
-SECTION QUESTION
-www.s.example.com. IN A
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-
-STEP 120 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.s.s.example.com. IN A
-ENTRY_END
-
-STEP 130 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NXDOMAIN
-SECTION QUESTION
-www.s.s.example.com. IN A
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-
-STEP 140 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-STEP 150 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NXDOMAIN
-SECTION QUESTION
-www.example.com. IN A
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-
-SCENARIO_END

contrib/unbound/testdata/iter_ghost_timewindow.rpl

@@ -1,391 +0,0 @@
-; config options
-server:
-	target-fetch-policy: "0 0 0 0 0"
-	qname-minimisation: "no"
-	minimal-responses: no
-
-stub-zone:
-	name: "."
-	stub-addr: 193.0.14.129 	# K.ROOT-SERVERS.NET.
-CONFIG_END
-
-SCENARIO_BEGIN Test ghost subdomain with extension reply in timewindow.
-
-; K.ROOT-SERVERS.NET.
-RANGE_BEGIN 0 100
-	ADDRESS 193.0.14.129 
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-. 86400 IN NS
-SECTION ANSWER
-. 86400 IN NS	K.ROOT-SERVERS.NET.
-SECTION ADDITIONAL
-K.ROOT-SERVERS.NET.	86400 IN	A	193.0.14.129
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION AUTHORITY
-com.	86400 IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	86400 IN 	A	192.5.6.30
-ENTRY_END
-
-RANGE_END
-
-; a.gtld-servers.net.
-; this is the one where example.com is delegated.
-RANGE_BEGIN 0 100
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.	86400 IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	86400 IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NOERROR
-SECTION QUESTION
-example2.com. IN NS
-SECTION AUTHORITY
-example2.com.	3610 IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ns.example2.com. 3610 IN A 1.2.3.5
-ENTRY_END
-RANGE_END
-
-; a.gtld-servers.net.
-; this is the one where example.com is no longer delegated.
-RANGE_BEGIN 100 300
-	ADDRESS 192.5.6.30
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-com. IN NS
-SECTION ANSWER
-com.	86400 IN NS	a.gtld-servers.net.
-SECTION ADDITIONAL
-a.gtld-servers.net.	86400 IN 	A	192.5.6.30
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NXDOMAIN
-SECTION QUESTION
-example.com. IN NS
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode subdomain
-ADJUST copy_id copy_query
-REPLY QR NXDOMAIN
-SECTION QUESTION
-example2.com. IN NS
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-RANGE_END
-
-; ns.example.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.4
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example.com. IN NS
-SECTION ANSWER
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com.		IN 	A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example.com. IN A
-SECTION ANSWER
-ns.example.com. IN A	1.2.3.4
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example.com. IN AAAA
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A	1.2.3.4
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A	10.20.30.40
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com 	IN A 	1.2.3.4
-ENTRY_END
-RANGE_END
-
-; ns.example2.com.
-RANGE_BEGIN 0 100
-	ADDRESS 1.2.3.5
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-example2.com. IN NS
-SECTION ANSWER
-example2.com.	3610 IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ns.example2.com.		3610 IN 	A	1.2.3.5
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example2.com. IN A
-SECTION ANSWER
-ns.example2.com. 3610 IN A	1.2.3.5
-SECTION AUTHORITY
-example2.com.	3610 IN NS	ns.example2.com.
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example2.com. IN AAAA
-SECTION AUTHORITY
-example2.com.	3610 IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ns.example2.com. 3610 IN A	1.2.3.5
-ENTRY_END
-
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-www.example2.com. IN A
-SECTION ANSWER
-www.example2.com. 3610 IN A	10.20.30.40
-SECTION AUTHORITY
-example2.com.	3610 IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ns.example2.com 	3610 IN A 	1.2.3.5
-ENTRY_END
-RANGE_END
-
-STEP 1 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example.com. IN A
-ENTRY_END
-
-; get the delegation in cache
-STEP 20 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example.com. IN A
-SECTION ANSWER
-www.example.com. IN A	10.20.30.40
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com 	IN A 	1.2.3.4
-ENTRY_END
-
-; get example2 in cache too to check other response type
-STEP 30 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www.example2.com. IN A
-ENTRY_END
-
-STEP 40 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-www.example2.com. IN A
-SECTION ANSWER
-www.example2.com. IN A	10.20.30.40
-SECTION AUTHORITY
-example2.com.	IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ns.example2.com 	IN A 	1.2.3.5
-ENTRY_END
-
-; time passes
-STEP 95 TIME_PASSES ELAPSE 3595
-
-STEP 100 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-ns.example.com. IN A
-ENTRY_END
-
-; ns.example.com RANGE does not answer, only until step 100,
-; so we provide an answer, but first, let time pass beyond the TTL.
-; it is going to time 3605, just passed the 3600 expire TTL, but the
-; query started at 3595 before the TTL expired.
-STEP 110 TIME_PASSES ELAPSE 10 
-
-; provide the answer to the query sent.
-STEP 120 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example.com. IN A
-SECTION ANSWER
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com 	IN A 	1.2.3.4
-ENTRY_END
-
-STEP 130 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-ns.example.com. IN A
-SECTION AUTHORITY
-example.com.	IN NS	ns.example.com.
-SECTION ADDITIONAL
-ns.example.com. IN A 	1.2.3.4
-ENTRY_END
-
-; check if the domain is still live.
-STEP 140 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www2.example.com. IN A
-ENTRY_END
-
-STEP 150 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NXDOMAIN
-SECTION QUESTION
-www2.example.com. IN A
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-
-; example2 is valid with TTL of 3610, it is time 3605
-STEP 160 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-ns.example2.com. IN A
-ENTRY_END
-
-; move to time 3615
-STEP 170 TIME_PASSES ELAPSE 10 
-
-STEP 180 CHECK_OUT_QUERY
-ENTRY_BEGIN
-MATCH opcode qtype qname
-ADJUST copy_id
-REPLY QR AA NOERROR
-SECTION QUESTION
-ns.example2.com. IN A
-SECTION ANSWER
-ns.example2.com. 	IN A 	1.2.3.5
-SECTION AUTHORITY
-example2.com.	IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ns.example2.com. 	IN A 	1.2.3.5
-ENTRY_END
-
-STEP 190 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NOERROR
-SECTION QUESTION
-ns.example2.com. IN A
-SECTION ANSWER
-ns.example2.com 	IN A 	1.2.3.5
-SECTION AUTHORITY
-example2.com.	IN NS	ns.example2.com.
-SECTION ADDITIONAL
-ENTRY_END
-
-; check if the domain is still live.
-STEP 200 QUERY
-ENTRY_BEGIN
-REPLY RD
-SECTION QUESTION
-www2.example2.com. IN A
-ENTRY_END
-
-STEP 210 CHECK_ANSWER
-ENTRY_BEGIN
-MATCH all
-REPLY QR RD RA NXDOMAIN
-SECTION QUESTION
-www2.example2.com. IN A
-SECTION AUTHORITY
-com.	86400 IN SOA a. b. 1 2 3 4 5
-ENTRY_END
-
-SCENARIO_END

contrib/unbound/util/config_file.c

@@ -786,6 +786,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size)
 	else S_YNO("pad-queries:", pad_queries)
 	else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size)
+	else S_STRLIST("proxy-protocol-port:", proxy_protocol_port)
 #ifdef USE_IPSECMOD
 	else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
 	else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
@@ -822,7 +823,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		 * stub-ssl-upstream, forward-zone, auth-zone
 		 * name, forward-addr, forward-host,
 		 * ratelimit-for-domain, ratelimit-below-domain,
-		 * local-zone-tag, access-control-view,
+		 * local-zone-tag, access-control-view, interface-*,
 		 * send-client-subnet, client-subnet-always-forward,
 		 * max-client-subnet-ipv4, max-client-subnet-ipv6,
 		 * min-client-subnet-ipv4, min-client-subnet-ipv6,
@@ -1252,11 +1253,17 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
 	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	else O_LS2(opt, "access-control-view", acl_view)
+	else O_LS2(opt, "interface-action", interface_actions)
+	else O_LTG(opt, "interface-tag", interface_tags)
+	else O_LS3(opt, "interface-tag-action", interface_tag_actions)
+	else O_LS3(opt, "interface-tag-data", interface_tag_datas)
+	else O_LS2(opt, "interface-view", interface_view)
 	else O_YNO(opt, "pad-responses", pad_responses)
 	else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size)
 	else O_YNO(opt, "pad-queries", pad_queries)
 	else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size)
 	else O_LS2(opt, "edns-client-strings", edns_client_strings)
+	else O_LST(opt, "proxy-protocol-port", proxy_protocol_port)
 #ifdef USE_IPSECMOD
 	else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
 	else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
@@ -1302,6 +1309,7 @@ create_cfg_parser(struct config_file* cfg, char* filename, const char* chroot)
 	cfg_parser->errors = 0;
 	cfg_parser->cfg = cfg;
 	cfg_parser->chroot = chroot;
+	cfg_parser->started_toplevel = 0;
 	init_cfg_parse();
 }
 
@@ -1606,10 +1614,16 @@ config_delete(struct config_file* cfg)
 	config_deltrplstrlist(cfg->local_zone_overrides);
 	config_del_strarray(cfg->tagname, cfg->num_tags);
 	config_del_strbytelist(cfg->local_zone_tags);
-	config_del_strbytelist(cfg->acl_tags);
 	config_del_strbytelist(cfg->respip_tags);
+	config_deldblstrlist(cfg->acl_view);
+	config_del_strbytelist(cfg->acl_tags);
 	config_deltrplstrlist(cfg->acl_tag_actions);
 	config_deltrplstrlist(cfg->acl_tag_datas);
+	config_deldblstrlist(cfg->interface_actions);
+	config_deldblstrlist(cfg->interface_view);
+	config_del_strbytelist(cfg->interface_tags);
+	config_deltrplstrlist(cfg->interface_tag_actions);
+	config_deltrplstrlist(cfg->interface_tag_datas);
 	config_delstrlist(cfg->control_ifs.first);
 	free(cfg->server_key_file);
 	free(cfg->server_cert_file);
@@ -1630,6 +1644,7 @@ config_delete(struct config_file* cfg)
 	config_delstrlist(cfg->python_script);
 	config_delstrlist(cfg->dynlib_file);
 	config_deldblstrlist(cfg->edns_client_strings);
+	config_delstrlist(cfg->proxy_protocol_port);
 #ifdef USE_IPSECMOD
 	free(cfg->ipsecmod_hook);
 	config_delstrlist(cfg->ipsecmod_whitelist);
@@ -1800,6 +1815,9 @@ void ub_c_error_msg(const char* fmt, ...)
 void ub_c_error(const char *str)
 {
 	cfg_parser->errors++;
+	if(strcmp(str, "syntax error")==0 && cfg_parser->started_toplevel ==0)
+		str = "syntax error, is there no section start after an "
+			"include-toplevel directive perhaps.";
 	fprintf(stderr, "%s:%d: error: %s\n", cfg_parser->filename,
 		cfg_parser->line, str);
 }
@@ -2609,3 +2627,35 @@ int cfg_has_https(struct config_file* cfg)
 	}
 	return 0;
 }
+
+/** see if interface is PROXYv2, its port number == the proxy port number */
+int
+if_is_pp2(const char* ifname, const char* port,
+	struct config_strlist* proxy_protocol_port)
+{
+	struct config_strlist* s;
+	char* p = strchr(ifname, '@');
+	for(s = proxy_protocol_port; s; s = s->next) {
+		if(p && atoi(p+1) == atoi(s->str))
+			return 1;
+		if(!p && atoi(port) == atoi(s->str))
+			return 1;
+	}
+	return 0;
+}
+
+/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */
+int
+if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port)
+{
+#ifdef USE_DNSCRYPT
+	return ((strchr(ifname, '@') &&
+		atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
+		(!strchr(ifname, '@') && atoi(port) == dnscrypt_port));
+#else
+	(void)ifname;
+	(void)port;
+	(void)dnscrypt_port;
+	return 0;
+#endif
+}

contrib/unbound/util/config_file.h

@@ -114,6 +114,8 @@ struct config_file {
 	int do_tcp_keepalive;
 	/** tcp keepalive timeout, in msec */
 	int tcp_keepalive_timeout;
+	/** proxy protocol ports */
+	struct config_strlist* proxy_protocol_port;
 
 	/** private key file for dnstcp-ssl service (enabled if not NULL) */
 	char* ssl_service_key;
@@ -461,6 +463,16 @@ struct config_file {
 	struct config_str3list* acl_tag_datas;
 	/** list of aclname, view*/
 	struct config_str2list* acl_view;
+	/** list of interface action entries, linked list */
+	struct config_str2list* interface_actions;
+	/** list of interface, tagbitlist */
+	struct config_strbytelist* interface_tags;
+	/** list of interface, tagname, localzonetype */
+	struct config_str3list* interface_tag_actions;
+	/** list of interface, tagname, redirectdata */
+	struct config_str3list* interface_tag_datas;
+	/** list of interface, view*/
+	struct config_str2list* interface_view;
 	/** list of IP-netblock, tagbitlist */
 	struct config_strbytelist* respip_tags;
 	/** list of response-driven access control entries, linked list */
@@ -1262,6 +1274,8 @@ struct config_parser_state {
 	struct config_file* cfg;
 	/** the current chroot dir (or NULL if none) */
 	const char* chroot;
+	/** if we are started in a toplevel, or not, after a force_toplevel */
+	int started_toplevel;
 };
 
 /** global config parser object used during config parsing */
@@ -1310,6 +1324,12 @@ int if_is_https(const char* ifname, const char* port, int https_port);
  */
 int cfg_has_https(struct config_file* cfg);
 
+/** see if interface is PROXYv2, its port number == the proxy port number */
+int if_is_pp2(const char* ifname, const char* port,
+	struct config_strlist* proxy_protocol_port);
+
+/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */
+int if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port);
 #ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
 #define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
 #endif

contrib/unbound/util/configlexer.lex

@@ -365,6 +365,7 @@ view-first{COLON}		{ YDVAR(1, VAR_VIEW_FIRST) }
 do-not-query-address{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
 do-not-query-localhost{COLON}	{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
 access-control{COLON}		{ YDVAR(2, VAR_ACCESS_CONTROL) }
+interface-action{COLON}		{ YDVAR(2, VAR_INTERFACE_ACTION) }
 send-client-subnet{COLON}	{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
 client-subnet-zone{COLON}	{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
 client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
@@ -467,6 +468,10 @@ access-control-tag{COLON}	{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
 access-control-tag-action{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
 access-control-tag-data{COLON}	{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
 access-control-view{COLON}	{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
+interface-tag{COLON}		{ YDVAR(2, VAR_INTERFACE_TAG) }
+interface-tag-action{COLON}	{ YDVAR(3, VAR_INTERFACE_TAG_ACTION) }
+interface-tag-data{COLON}	{ YDVAR(3, VAR_INTERFACE_TAG_DATA) }
+interface-view{COLON}		{ YDVAR(2, VAR_INTERFACE_VIEW) }
 local-zone-override{COLON}	{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
 dnstap{COLON}			{ YDVAR(0, VAR_DNSTAP) }
 dnstap-enable{COLON}		{ YDVAR(1, VAR_DNSTAP_ENABLE) }
@@ -558,6 +563,7 @@ edns-client-string{COLON}	{ YDVAR(2, VAR_EDNS_CLIENT_STRING) }
 edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
 nsid{COLON}			{ YDVAR(1, VAR_NSID ) }
 ede{COLON}			{ YDVAR(1, VAR_EDE ) }
+proxy-protocol-port{COLON}	{ YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
 <INITIAL,val>{NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++; }
 
 	/* Quoted strings. Strip leading and ending quotes */

contrib/unbound/util/configparser.y

@@ -52,6 +52,7 @@ int ub_c_lex(void);
 void ub_c_error(const char *message);
 
 static void validate_respip_action(const char* action);
+static void validate_acl_action(const char* action);
 
 /* these need to be global, otherwise they cannot be used inside yacc */
 extern struct config_parser_state* cfg_parser;
@@ -190,6 +191,9 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
 %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
 %token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS VAR_EDE
+%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
+%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
+%token VAR_PROXY_PROTOCOL_PORT
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -204,12 +208,14 @@ toplevelvar: serverstart contents_server | stubstart contents_stub |
 force_toplevel: VAR_FORCE_TOPLEVEL
 	{
 		OUTYY(("\nP(force-toplevel)\n"));
+		cfg_parser->started_toplevel = 0;
 	}
 	;
 /* server: declaration */
 serverstart: VAR_SERVER
 	{
 		OUTYY(("\nP(server:)\n"));
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_server: contents_server content_server
@@ -287,6 +293,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_disable_dnssec_lame_check | server_access_control_tag |
 	server_local_zone_override | server_access_control_tag_action |
 	server_access_control_tag_data | server_access_control_view |
+	server_interface_action | server_interface_view | server_interface_tag |
+	server_interface_tag_action | server_interface_tag_data |
 	server_qname_minimisation_strict |
 	server_pad_responses | server_pad_responses_block_size |
 	server_pad_queries | server_pad_queries_block_size |
@@ -313,13 +321,14 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_edns_client_string_opcode | server_nsid |
 	server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
 	server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
-	server_interface_automatic_ports | server_ede
-
+	server_interface_automatic_ports | server_ede |
+	server_proxy_protocol_port
 	;
 stubstart: VAR_STUB_ZONE
 	{
 		struct config_stub* s;
 		OUTYY(("\nP(stub_zone:)\n"));
+		cfg_parser->started_toplevel = 1;
 		s = (struct config_stub*)calloc(1, sizeof(struct config_stub));
 		if(s) {
 			s->next = cfg_parser->cfg->stubs;
@@ -338,6 +347,7 @@ forwardstart: VAR_FORWARD_ZONE
 	{
 		struct config_stub* s;
 		OUTYY(("\nP(forward_zone:)\n"));
+		cfg_parser->started_toplevel = 1;
 		s = (struct config_stub*)calloc(1, sizeof(struct config_stub));
 		if(s) {
 			s->next = cfg_parser->cfg->forwards;
@@ -356,6 +366,7 @@ viewstart: VAR_VIEW
 	{
 		struct config_view* s;
 		OUTYY(("\nP(view:)\n"));
+		cfg_parser->started_toplevel = 1;
 		s = (struct config_view*)calloc(1, sizeof(struct config_view));
 		if(s) {
 			s->next = cfg_parser->cfg->views;
@@ -376,6 +387,7 @@ authstart: VAR_AUTH_ZONE
 	{
 		struct config_auth* s;
 		OUTYY(("\nP(auth_zone:)\n"));
+		cfg_parser->started_toplevel = 1;
 		s = (struct config_auth*)calloc(1, sizeof(struct config_auth));
 		if(s) {
 			s->next = cfg_parser->cfg->auths;
@@ -474,6 +486,7 @@ rpzstart: VAR_RPZ
 	{
 		struct config_auth* s;
 		OUTYY(("\nP(rpz:)\n")); 
+		cfg_parser->started_toplevel = 1;
 		s = (struct config_auth*)calloc(1, sizeof(struct config_auth));
 		if(s) {
 			s->next = cfg_parser->cfg->auths;
@@ -1842,21 +1855,18 @@ server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG
 server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG
 	{
 		OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
-		if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
-			strcmp($3, "deny_non_local")!=0 &&
-			strcmp($3, "refuse_non_local")!=0 &&
-			strcmp($3, "allow_setrd")!=0 &&
-			strcmp($3, "allow")!=0 &&
-			strcmp($3, "allow_snoop")!=0) {
-			yyerror("expected deny, refuse, deny_non_local, "
-				"refuse_non_local, allow, allow_setrd or "
-				"allow_snoop in access control action");
-			free($2);
-			free($3);
-		} else {
-			if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
-				fatal_exit("out of memory adding acl");
-		}
+		validate_acl_action($3);
+		if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
+			fatal_exit("out of memory adding acl");
+	}
+	;
+server_interface_action: VAR_INTERFACE_ACTION STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_interface_action:%s %s)\n", $2, $3));
+		validate_acl_action($3);
+		if(!cfg_str2list_insert(
+			&cfg_parser->cfg->interface_actions, $2, $3))
+			fatal_exit("out of memory adding acl");
 	}
 	;
 server_module_conf: VAR_MODULE_CONF STRING_ARG
@@ -2414,6 +2424,60 @@ server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG
 		}
 	}
 	;
+server_interface_tag: VAR_INTERFACE_TAG STRING_ARG STRING_ARG
+	{
+		size_t len = 0;
+		uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, $3,
+			&len);
+		free($3);
+		OUTYY(("P(server_interface_tag:%s)\n", $2));
+		if(!bitlist) {
+			yyerror("could not parse tags, (define-tag them first)");
+			free($2);
+		}
+		if(bitlist) {
+			if(!cfg_strbytelist_insert(
+				&cfg_parser->cfg->interface_tags,
+				$2, bitlist, len)) {
+				yyerror("out of memory");
+				free($2);
+			}
+		}
+	}
+	;
+server_interface_tag_action: VAR_INTERFACE_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_interface_tag_action:%s %s %s)\n", $2, $3, $4));
+		if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_actions,
+			$2, $3, $4)) {
+			yyerror("out of memory");
+			free($2);
+			free($3);
+			free($4);
+		}
+	}
+	;
+server_interface_tag_data: VAR_INTERFACE_TAG_DATA STRING_ARG STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_interface_tag_data:%s %s %s)\n", $2, $3, $4));
+		if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_datas,
+			$2, $3, $4)) {
+			yyerror("out of memory");
+			free($2);
+			free($3);
+			free($4);
+		}
+	}
+	;
+server_interface_view: VAR_INTERFACE_VIEW STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_interface_view:%s %s)\n", $2, $3));
+		if(!cfg_str2list_insert(&cfg_parser->cfg->interface_view,
+			$2, $3)) {
+			yyerror("out of memory");
+		}
+	}
+	;
 server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG
 	{
 		size_t len = 0;
@@ -2761,6 +2825,13 @@ server_ede: VAR_EDE STRING_ARG
 		free($2);
 	}
 	;
+server_proxy_protocol_port: VAR_PROXY_PROTOCOL_PORT STRING_ARG
+	{
+		OUTYY(("P(server_proxy_protocol_port:%s)\n", $2));
+		if(!cfg_strlist_insert(&cfg_parser->cfg->proxy_protocol_port, $2))
+			yyerror("out of memory");
+	}
+	;
 stub_name: VAR_NAME STRING_ARG
 	{
 		OUTYY(("P(name:%s)\n", $2));
@@ -3103,6 +3174,7 @@ view_first: VAR_VIEW_FIRST STRING_ARG
 rcstart: VAR_REMOTE_CONTROL
 	{
 		OUTYY(("\nP(remote-control:)\n"));
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_rc: contents_rc content_rc
@@ -3175,6 +3247,7 @@ rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING_ARG
 dtstart: VAR_DNSTAP
 	{
 		OUTYY(("\nP(dnstap:)\n"));
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_dt: contents_dt content_dt
@@ -3357,6 +3430,7 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
 pythonstart: VAR_PYTHON
 	{
 		OUTYY(("\nP(python:)\n"));
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_py: contents_py content_py
@@ -3372,6 +3446,7 @@ py_script: VAR_PYTHON_SCRIPT STRING_ARG
 dynlibstart: VAR_DYNLIB
 	{ 
 		OUTYY(("\nP(dynlib:)\n")); 
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_dl: contents_dl content_dl
@@ -3421,6 +3496,7 @@ server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG
 dnscstart: VAR_DNSCRYPT
 	{
 		OUTYY(("\nP(dnscrypt:)\n"));
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_dnsc: contents_dnsc content_dnsc
@@ -3530,6 +3606,7 @@ dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG
 cachedbstart: VAR_CACHEDB
 	{
 		OUTYY(("\nP(cachedb:)\n"));
+		cfg_parser->started_toplevel = 1;
 	}
 	;
 contents_cachedb: contents_cachedb content_cachedb
@@ -3629,6 +3706,7 @@ server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
 	ipsetstart: VAR_IPSET
 		{
 			OUTYY(("\nP(ipset:)\n"));
+			cfg_parser->started_toplevel = 1;
 		}
 		;
 	contents_ipset: contents_ipset content_ipset
@@ -3685,4 +3763,19 @@ validate_respip_action(const char* action)
 	}
 }
 
-
+static void
+validate_acl_action(const char* action)
+{
+	if(strcmp(action, "deny")!=0 &&
+		strcmp(action, "refuse")!=0 &&
+		strcmp(action, "deny_non_local")!=0 &&
+		strcmp(action, "refuse_non_local")!=0 &&
+		strcmp(action, "allow_setrd")!=0 &&
+		strcmp(action, "allow")!=0 &&
+		strcmp(action, "allow_snoop")!=0)
+	{
+		yyerror("expected deny, refuse, deny_non_local, "
+			"refuse_non_local, allow, allow_setrd or "
+			"allow_snoop as access control action");
+	}
+}

contrib/unbound/util/fptr_wlist.c

@@ -221,6 +221,7 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *))
 	if(fptr == &mesh_state_compare) return 1;
 	else if(fptr == &mesh_state_ref_compare) return 1;
 	else if(fptr == &addr_tree_compare) return 1;
+	else if(fptr == &addr_tree_addrport_compare) return 1;
 	else if(fptr == &local_zone_cmp) return 1;
 	else if(fptr == &local_data_cmp) return 1;
 	else if(fptr == &fwd_cmp) return 1;

contrib/unbound/util/net_help.c

@@ -233,12 +233,11 @@ log_addr(enum verbosity_value v, const char* str,
 	else	verbose(v, "%s %s port %d", str, dest, (int)port);
 }
 
-int 
+int
 extstrtoaddr(const char* str, struct sockaddr_storage* addr,
-	socklen_t* addrlen)
+	socklen_t* addrlen, int port)
 {
 	char* s;
-	int port = UNBOUND_DNS_PORT;
 	if((s=strchr(str, '@'))) {
 		char buf[MAX_ADDR_STRLEN];
 		if(s-str >= MAX_ADDR_STRLEN) {
@@ -255,7 +254,6 @@ extstrtoaddr(const char* str, struct sockaddr_storage* addr,
 	return ipstrtoaddr(str, port, addr, addrlen);
 }
 
-
 int 
 ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
 	socklen_t* addrlen)

contrib/unbound/util/net_help.h

@@ -96,6 +96,11 @@ extern uint16_t EDNS_ADVERTISED_SIZE;
 /** return a random 16-bit number given a random source */
 #define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)
 
+/** define MSG_DONTWAIT for unsupported platforms */
+#ifndef MSG_DONTWAIT
+#define MSG_DONTWAIT 0
+#endif
+
 /** minimal responses when positive answer */
 extern int MINIMAL_RESPONSES;
 
@@ -178,10 +183,11 @@ void log_err_addr(const char* str, const char* err,
  * @param str: the string
  * @param addr: where to store sockaddr.
  * @param addrlen: length of stored sockaddr is returned.
+ * @param port: default port.
  * @return 0 on error.
  */
 int extstrtoaddr(const char* str, struct sockaddr_storage* addr, 
-	socklen_t* addrlen);
+	socklen_t* addrlen, int port);
 
 /**
  * Convert ip address string and port to sockaddr.

contrib/unbound/util/netevent.h

@@ -102,6 +102,8 @@ typedef int comm_point_callback_type(struct comm_point*, void*, int,
 
 /** timeout to slow accept calls when not possible, in msec. */
 #define NETEVENT_SLOW_ACCEPT_TIME 2000
+/** timeout to slow down log print, so it does not spam the logs, in sec */
+#define SLOW_LOG_TIME 10
 
 /**
  * A communication point dispatcher. Thread specific.
@@ -126,10 +128,11 @@ struct comm_reply {
 	/** the comm_point with fd to send reply on to. */
 	struct comm_point* c;
 	/** the address (for UDP based communication) */
-	struct sockaddr_storage addr;
+	struct sockaddr_storage remote_addr;
 	/** length of address */
-	socklen_t addrlen;
-	/** return type 0 (none), 4(IP4), 6(IP6) */
+	socklen_t remote_addrlen;
+	/** return type 0 (none), 4(IP4), 6(IP6)
+	 *  used only with listen_type_udp_ancil* */
 	int srctype;
 	/* DnsCrypt context */
 #ifdef USE_DNSCRYPT
@@ -153,6 +156,13 @@ struct comm_reply {
 		pktinfo;
 	/** max udp size for udp packets */
 	size_t max_udp_size;
+	/* if set, the request came through a proxy */
+	int is_proxied;
+	/** the client address
+	 *  the same as remote_addr if not proxied */
+	struct sockaddr_storage client_addr;
+	/** the original address length */
+	socklen_t client_addrlen;
 };
 
 /** 
@@ -276,6 +286,19 @@ struct comm_point {
 		/** variable with type of socket, UDP,TCP-accept,TCP,pipe */
 		type;
 
+	/* -------- PROXYv2 ------- */
+	/** if set, PROXYv2 is expected on this connection */
+	int pp2_enabled;
+	/** header state for the PROXYv2 header (for TCP) */
+	enum {
+		/** no header encounter yet */
+		pp2_header_none = 0,
+		/** read the static part of the header */
+		pp2_header_init,
+		/** read the full header */
+		pp2_header_done
+	} pp2_header_state;
+
 	/* ---------- Behaviour ----------- */
 	/** if set the connection is NOT closed on delete. */
 	int do_not_close;
@@ -494,8 +517,9 @@ struct ub_event_base* comm_base_internal(struct comm_base* b);
  * Create an UDP comm point. Calls malloc.
  * setups the structure with the parameters you provide.
  * @param base: in which base to alloc the commpoint.
- * @param fd : file descriptor of open UDP socket.
+ * @param fd: file descriptor of open UDP socket.
  * @param buffer: shared buffer by UDP sockets from this thread.
+ * @param pp2_enabled: if the comm point will support PROXYv2.
  * @param callback: callback function pointer.
  * @param callback_arg: will be passed to your callback function.
  * @param socket: and opened socket properties will be passed to your callback function.
@@ -503,7 +527,7 @@ struct ub_event_base* comm_base_internal(struct comm_base* b);
  * Sets timeout to NULL. Turns off TCP options.
  */
 struct comm_point* comm_point_create_udp(struct comm_base* base,
-	int fd, struct sldns_buffer* buffer, 
+	int fd, struct sldns_buffer* buffer, int pp2_enabled,
 	comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
 
 /**
@@ -511,8 +535,9 @@ struct comm_point* comm_point_create_udp(struct comm_base* base,
  * Uses recvmsg instead of recv to get udp message.
  * setups the structure with the parameters you provide.
  * @param base: in which base to alloc the commpoint.
- * @param fd : file descriptor of open UDP socket.
+ * @param fd: file descriptor of open UDP socket.
  * @param buffer: shared buffer by UDP sockets from this thread.
+ * @param pp2_enabled: if the comm point will support PROXYv2.
  * @param callback: callback function pointer.
  * @param callback_arg: will be passed to your callback function.
  * @param socket: and opened socket properties will be passed to your callback function.
@@ -520,7 +545,7 @@ struct comm_point* comm_point_create_udp(struct comm_base* base,
  * Sets timeout to NULL. Turns off TCP options.
  */
 struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
-	int fd, struct sldns_buffer* buffer, 
+	int fd, struct sldns_buffer* buffer, int pp2_enabled,
 	comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
 
 /**
@@ -542,6 +567,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
  * 	or NULL to not create those structures in the tcp handlers.
  * @param port_type: the type of port we are creating a TCP listener for. Used
  * 	to select handler type to use.
+ * @param pp2_enabled: if the comm point will support PROXYv2.
  * @param callback: callback function pointer for TCP handlers.
  * @param callback_arg: will be passed to your callback function.
  * @param socket: and opened socket properties will be passed to your callback function.
@@ -555,7 +581,7 @@ struct comm_point* comm_point_create_tcp(struct comm_base* base,
 	uint32_t http_max_streams, char* http_endpoint,
 	struct tcl_list* tcp_conn_limit,
 	size_t bufsize, struct sldns_buffer* spoolbuf,
-	enum listen_type port_type,
+	enum listen_type port_type, int pp2_enabled,
 	comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
 
 /**

contrib/unbound/util/proxy_protocol.c

@@ -0,0 +1,139 @@
+/*
+ * util/proxy_protocol.c - event notification
+ *
+ * Copyright (c) 2022, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains PROXY protocol functions.
+ */
+#include "config.h"
+#include "util/log.h"
+#include "util/proxy_protocol.h"
+
+int
+pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
+	int stream)
+{
+	int af;
+	if(!src) return 0;
+	af = (int)((struct sockaddr_in*)src)->sin_family;
+	if(sldns_buffer_remaining(buf) <
+		PP2_HEADER_SIZE + (af==AF_INET?12:36)) {
+		return 0;
+	}
+	/* sig */
+	sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN);
+	/* version and command */
+	sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY);
+	if(af==AF_INET) {
+		/* family and protocol */
+		sldns_buffer_write_u8(buf,
+			(PP2_AF_INET<<4) |
+			(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
+		/* length */
+		sldns_buffer_write_u16(buf, 12);
+		/* src addr */
+		sldns_buffer_write(buf,
+			&((struct sockaddr_in*)src)->sin_addr.s_addr, 4);
+		/* dst addr */
+		sldns_buffer_write_u32(buf, 0);
+		/* src port */
+		sldns_buffer_write(buf,
+			&((struct sockaddr_in*)src)->sin_port, 2);
+		/* dst port */
+		sldns_buffer_write_u16(buf, 0);
+	} else {
+		/* family and protocol */
+		sldns_buffer_write_u8(buf,
+			(PP2_AF_INET6<<4) |
+			(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
+		/* length */
+		sldns_buffer_write_u16(buf, 36);
+		/* src addr */
+		sldns_buffer_write(buf,
+			&((struct sockaddr_in6*)src)->sin6_addr, 16);
+		/* dst addr */
+		sldns_buffer_set_at(buf,
+			sldns_buffer_position(buf), 0, 16);
+		sldns_buffer_skip(buf, 16);
+		/* src port */
+		sldns_buffer_write(buf,
+			&((struct sockaddr_in6*)src)->sin6_port, 2);
+		/* dst port */
+		sldns_buffer_write_u16(buf, 0);
+	}
+	return 1;
+}
+
+struct pp2_header*
+pp2_read_header(struct sldns_buffer* buf)
+{
+	size_t size;
+	struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf);
+	/* Try to fail all the unsupported cases first. */
+	if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) {
+		log_err("proxy_protocol: not enough space for header");
+		return NULL;
+	}
+	/* Check for PROXYv2 header */
+	if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 ||
+		((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) {
+		log_err("proxy_protocol: could not match PROXYv2 header");
+		return NULL;
+	}
+	/* Check the length */
+	size = PP2_HEADER_SIZE + ntohs(header->len);
+	if(sldns_buffer_remaining(buf) < size) {
+		log_err("proxy_protocol: not enough space for header");
+		return NULL;
+	}
+	/* Check for supported commands */
+	if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL &&
+		(header->ver_cmd & 0xF) != PP2_CMD_PROXY) {
+		log_err("proxy_protocol: unsupported command");
+		return NULL;
+	}
+	/* Check for supported family and protocol */
+	if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ &&
+		header->fam_prot != 0x11 /* AF_INET|STREAM */ &&
+		header->fam_prot != 0x12 /* AF_INET|DGRAM */ &&
+		header->fam_prot != 0x21 /* AF_INET6|STREAM */ &&
+		header->fam_prot != 0x22 /* AF_INET6|DGRAM */) {
+		log_err("proxy_protocol: unsupported family and protocol");
+		return NULL;
+	}
+	/* We have a correct header */
+	return header;
+}

contrib/unbound/util/proxy_protocol.h

@@ -0,0 +1,131 @@
+/*
+ * util/proxy_protocol.h - PROXY protocol
+ *
+ * Copyright (c) 2022, NLnet Labs. All rights reserved.
+ *
+ * This software is open source.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ * Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ * 
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ * 
+ * Neither the name of the NLNET LABS nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/**
+ * \file
+ *
+ * This file contains PROXY protocol structs and functions.
+ * Only v2 is supported. TLVs are not currently supported.
+ */
+#ifndef PROXY_PROTOCOL_H
+#define PROXY_PROTOCOL_H
+
+#include "sldns/sbuffer.h"
+
+/** PROXYv2 minimum header size */
+#define PP2_HEADER_SIZE 16
+
+/** PROXYv2 header signature */
+#define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
+#define PP2_SIG_LEN 12
+
+/** PROXYv2 version */
+#define PP2_VERSION 0x2
+
+/**
+ * PROXYv2 command.
+ */
+enum pp2_command {
+	PP2_CMD_LOCAL = 0x0,
+	PP2_CMD_PROXY = 0x1
+};
+
+/**
+ * PROXYv2 address family.
+ */
+enum pp2_af {
+	PP2_AF_UNSPEC = 0x0,
+	PP2_AF_INET = 0x1,
+	PP2_AF_INET6 = 0x2,
+	PP2_AF_UNIX = 0x3
+};
+
+/**
+ * PROXYv2 protocol.
+ */
+enum pp2_protocol {
+	PP2_PROT_UNSPEC = 0x0,
+	PP2_PROT_STREAM = 0x1,
+	PP2_PROT_DGRAM = 0x2
+};
+
+/**
+ * PROXYv2 header.
+ */
+struct pp2_header {
+	uint8_t sig[PP2_SIG_LEN];
+	uint8_t ver_cmd;
+	uint8_t fam_prot;
+	uint16_t len;
+	union {
+		struct {  /* for TCP/UDP over IPv4, len = 12 */
+			uint32_t src_addr;
+			uint32_t dst_addr;
+			uint16_t src_port;
+			uint16_t dst_port;
+		} addr4;
+		struct {  /* for TCP/UDP over IPv6, len = 36 */
+			uint8_t  src_addr[16];
+			uint8_t  dst_addr[16];
+			uint16_t src_port;
+			uint16_t dst_port;
+		} addr6;
+		struct {  /* for AF_UNIX sockets, len = 216 */
+			uint8_t src_addr[108];
+			uint8_t dst_addr[108];
+		} addru;
+	} addr;
+};
+
+/**
+ * Write a PROXYv2 header at the current position of the buffer.
+ * @param buf: the buffer to write to.
+ * @param src: the source address.
+ * @param stream: if the protocol is stream or datagram.
+ * @return 1 on success, 0 on failure.
+ */
+int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
+	int stream);
+
+/**
+ * Read a PROXYv2 header from the current position of the buffer.
+ * It does initial validation and returns a pointer to the buffer position on
+ * success.
+ * @param buf: the buffer to read from.
+ * @return the pointer to the buffer position on success, NULL on error.
+ */
+struct pp2_header* pp2_read_header(struct sldns_buffer* buf);
+
+#endif /* PROXY_PROTOCOL_H */

contrib/unbound/util/storage/dnstree.c

@@ -71,6 +71,14 @@ int addr_tree_compare(const void* k1, const void* k2)
         return 0;
 }
 
+int addr_tree_addrport_compare(const void* k1, const void* k2)
+{
+	struct addr_tree_node* n1 = (struct addr_tree_node*)k1;
+	struct addr_tree_node* n2 = (struct addr_tree_node*)k2;
+	return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr,
+		n2->addrlen);
+}
+
 void name_tree_init(rbtree_type* tree)
 {
 	rbtree_init(tree, &name_tree_compare);
@@ -81,6 +89,11 @@ void addr_tree_init(rbtree_type* tree)
 	rbtree_init(tree, &addr_tree_compare);
 }
 
+void addr_tree_addrport_init(rbtree_type* tree)
+{
+	rbtree_init(tree, &addr_tree_addrport_compare);
+}
+
 int name_tree_insert(rbtree_type* tree, struct name_tree_node* node, 
         uint8_t* name, size_t len, int labs, uint16_t dclass)
 {

contrib/unbound/util/storage/dnstree.h

@@ -153,6 +153,13 @@ int name_tree_next_root(rbtree_type* tree, uint16_t* dclass);
  */
 void addr_tree_init(rbtree_type* tree);
 
+/**
+ * Init addr tree to be empty.
+ * The comparison function to be used is addr_tree_addrport_compare.
+ * @param tree: to init.
+ */
+void addr_tree_addrport_init(rbtree_type* tree);
+
 /**
  * insert element into addr tree.
  * @param tree: addr tree
@@ -207,4 +214,7 @@ int name_tree_compare(const void* k1, const void* k2);
 /** compare addr tree nodes */
 int addr_tree_compare(const void* k1, const void* k2);
 
+/** compare addr tree nodes (address and port only) */
+int addr_tree_addrport_compare(const void* k1, const void* k2);
+
 #endif /* UTIL_STORAGE_DNSTREE_H */

contrib/unbound/util/tube.c

@@ -424,6 +424,28 @@ int tube_wait(struct tube* tube)
 	return pollit(tube->sr, NULL);
 }
 
+int tube_wait_timeout(struct tube* tube, int msec)
+{
+	struct timeval t;
+	int fd = tube->sr;
+	fd_set r;
+	t.tv_sec = msec/1000;
+	t.tv_usec = (msec%1000)*1000;
+#ifndef S_SPLINT_S
+	FD_ZERO(&r);
+	FD_SET(FD_SET_T fd, &r);
+#endif
+	while(1) {
+		if(select(fd+1, &r, NULL, NULL, &t) == -1) {
+			if(errno == EAGAIN || errno == EINTR)
+				continue;
+			return -1;
+		}
+		break;
+	}
+	return (int)(FD_ISSET(fd, &r));
+}
+
 int tube_read_fd(struct tube* tube)
 {
 	return tube->sr;
@@ -649,6 +671,26 @@ int tube_wait(struct tube* tube)
 	return 1;
 }
 
+int tube_wait_timeout(struct tube* tube, int msec)
+{
+	/* block on eventhandle */
+	DWORD res = WSAWaitForMultipleEvents(
+		1 /* one event in array */,
+		&tube->event /* the event to wait for, our pipe signal */,
+		0 /* wait for all events is false */,
+		msec /* wait for timeout */,
+		0 /* we are not alertable for IO completion routines */
+		);
+	if(res == WSA_WAIT_TIMEOUT) {
+		return 0;
+	}
+	if(res == WSA_WAIT_IO_COMPLETION) {
+		/* a bit unexpected, since we were not alertable */
+		return -1;
+	}
+	return 1;
+}
+
 int tube_read_fd(struct tube* ATTR_UNUSED(tube))
 {
 	/* nothing sensible on Windows */

contrib/unbound/util/tube.h

@@ -204,6 +204,14 @@ int tube_poll(struct tube* tube);
  */
 int tube_wait(struct tube* tube);
 
+/**
+ * Wait for data to be ready with a timeout.
+ * @param tube: the tube to wait on.
+ * @param msec: timeout in milliseconds.
+ * @return 1 if there is something to read within timeout, readability.
+ * 	0 on a timeout. On failures -1, like errors. */
+int tube_wait_timeout(struct tube* tube, int msec);
+
 /**
  * Get FD that is readable when new information arrives.
  * @param tube

lib/libunbound/Makefile

@@ -23,7 +23,8 @@ SRCS=	alloc.c as112.c authzone.c autotrust.c cachedb.c config_file.c \
 	listen_dnsport.c localzone.c locks.c log.c lookup3.c lruhash.c \
 	mesh.c mini_event.c modstack.c module.c msgencode.c msgparse.c \
 	msgreply.c net_help.c netevent.c outbound_list.c outside_network.c \
-	packed_rrset.c parse.c parseutil.c random.c rbtree.c redis.c \
+	packed_rrset.c parse.c parseutil.c proxy_protocol.c \
+	random.c rbtree.c redis.c \
 	regional.c respip.c rpz.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c \
 	str2wire.c tcp_conn_limit.c timehist.c tube.c ub_event_pluggable.c \
 	val_anchor.c val_kcache.c val_kentry.c val_neg.c val_nsec.c \

sys/fs/nfsserver/nfs_nfsdport.c

@@ -6776,8 +6776,6 @@ nfsvno_setxattr(struct vnode *vp, char *name, int len, struct mbuf *m,
 	if (error == 0) {
 		error = VOP_SETEXTATTR(vp, EXTATTR_NAMESPACE_USER, name, uiop,
 		    cred, p);
-		if (error == 0)
-			error = VOP_FSYNC(vp, MNT_WAIT, p);
 		free(iv, M_TEMP);
 	}
 
@@ -6813,8 +6811,6 @@ nfsvno_rmxattr(struct nfsrv_descript *nd, struct vnode *vp, char *name,
 	if (error == EOPNOTSUPP)
 		error = VOP_SETEXTATTR(vp, EXTATTR_NAMESPACE_USER, name, NULL,
 		    cred, p);
-	if (error == 0)
-		error = VOP_FSYNC(vp, MNT_WAIT, p);
 out:
 	NFSEXITCODE(error);
 	return (error);

usr.sbin/unbound/config.h

@@ -731,7 +731,7 @@
 #define PACKAGE_NAME "unbound"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING "unbound 1.16.3"
+#define PACKAGE_STRING "unbound 1.17.0"
 
 /* Define to the one symbol short name of this package. */
 #define PACKAGE_TARNAME "unbound"
@@ -740,7 +740,7 @@
 #define PACKAGE_URL ""
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "1.16.3"
+#define PACKAGE_VERSION "1.17.0"
 
 /* default pidfile location */
 #define PIDFILE "/var/unbound/unbound.pid"
@@ -762,7 +762,7 @@
 #define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
 
 /* version number for resource files */
-#define RSRC_PACKAGE_VERSION 1,16,3,0
+#define RSRC_PACKAGE_VERSION 1,17,0,0
 
 /* Directory to chdir to */
 #define RUN_DIR "/var/unbound"