unbound: Vendor import 1.17.0
Added ACL per interface, proxy protocol and bug fixes. Announcement: https://nlnetlabs.nl/news/2022/Oct/13/unbound-1.17.0-released/ Merge commit '643f9a0581e8aac7eb790ced1164748939829826' into new_merge
This commit is contained in:
commit
64d318ea98
@ -130,7 +130,7 @@ util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
|
||||
util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
|
||||
util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
|
||||
util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
|
||||
util/timehist.c util/tube.c \
|
||||
util/timehist.c util/tube.c util/proxy_protocol.c \
|
||||
util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
|
||||
validator/autotrust.c validator/val_anchor.c validator/validator.c \
|
||||
validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
|
||||
@ -148,7 +148,7 @@ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
|
||||
fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
|
||||
random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
|
||||
slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
|
||||
autotrust.lo val_anchor.lo rpz.lo \
|
||||
autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
|
||||
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
|
||||
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
|
||||
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
|
||||
@ -984,6 +984,8 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
|
||||
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
|
||||
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
|
||||
$(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h
|
||||
proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \
|
||||
$(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h
|
||||
net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
|
||||
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
|
||||
@ -1512,7 +1514,7 @@ asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libu
|
||||
$(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
|
||||
streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
|
||||
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
|
||||
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
|
||||
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
|
||||
|
@ -2,7 +2,8 @@
|
||||
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
|
||||
# BSD licensed.
|
||||
#
|
||||
# Version 43
|
||||
# Version 44
|
||||
# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
|
||||
# 2021-08-17 fix sed script in ssldir split handling.
|
||||
# 2021-08-17 fix for openssl to detect split version, with ssldir_include
|
||||
# and ssldir_lib output directories.
|
||||
@ -963,6 +964,9 @@ AC_LANG_SOURCE([[
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
#include <sys/types.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_SELECT_H
|
||||
#include <sys/select.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_SOCKET_H
|
||||
#include <sys/socket.h>
|
||||
#endif
|
||||
|
@ -57,6 +57,8 @@
|
||||
#define BLOCKSZ 64
|
||||
#define RSBUFSZ (16*BLOCKSZ)
|
||||
|
||||
#define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */
|
||||
|
||||
/* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
|
||||
static struct {
|
||||
size_t rs_have; /* valid bytes at end of rs_buf */
|
||||
@ -179,6 +181,7 @@ static void
|
||||
_rs_stir(void)
|
||||
{
|
||||
u_char rnd[KEYSZ + IVSZ];
|
||||
uint32_t rekey_fuzz = 0;
|
||||
|
||||
if (getentropy(rnd, sizeof rnd) == -1) {
|
||||
if(errno != ENOSYS ||
|
||||
@ -201,7 +204,10 @@ _rs_stir(void)
|
||||
rs->rs_have = 0;
|
||||
memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
|
||||
|
||||
rs->rs_count = 1600000;
|
||||
/* rekey interval should not be predictable */
|
||||
chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
|
||||
(uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
|
||||
rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
|
||||
}
|
||||
|
||||
static inline void
|
||||
|
8
contrib/unbound/config.guess
vendored
8
contrib/unbound/config.guess
vendored
@ -4,7 +4,7 @@
|
||||
|
||||
# shellcheck disable=SC2006,SC2268 # see below for rationale
|
||||
|
||||
timestamp='2022-08-01'
|
||||
timestamp='2022-09-17'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
@ -966,6 +966,12 @@ EOF
|
||||
GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
|
||||
GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC
|
||||
;;
|
||||
x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*)
|
||||
GUESS="$UNAME_MACHINE-pc-managarm-mlibc"
|
||||
;;
|
||||
*:[Mm]anagarm:*:*)
|
||||
GUESS="$UNAME_MACHINE-unknown-managarm-mlibc"
|
||||
;;
|
||||
*:Minix:*:*)
|
||||
GUESS=$UNAME_MACHINE-unknown-minix
|
||||
;;
|
||||
|
@ -298,6 +298,9 @@
|
||||
/* Define to 1 if you have the `getrlimit' function. */
|
||||
#undef HAVE_GETRLIMIT
|
||||
|
||||
/* Define to 1 if you have the `gettid' function. */
|
||||
#undef HAVE_GETTID
|
||||
|
||||
/* Define to 1 if you have the `glob' function. */
|
||||
#undef HAVE_GLOB
|
||||
|
||||
@ -457,6 +460,12 @@
|
||||
/* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
|
||||
#undef HAVE_OSSL_PARAM_BLD_NEW
|
||||
|
||||
/* Define to 1 if you have the `poll' function. */
|
||||
#undef HAVE_POLL
|
||||
|
||||
/* Define to 1 if you have the <poll.h> header file. */
|
||||
#undef HAVE_POLL_H
|
||||
|
||||
/* Define if you have POSIX threads libraries and header files. */
|
||||
#undef HAVE_PTHREAD
|
||||
|
||||
@ -800,12 +809,18 @@
|
||||
/* Shared data */
|
||||
#undef SHARE_DIR
|
||||
|
||||
/* The size of `pthread_t', as computed by sizeof. */
|
||||
#undef SIZEOF_PTHREAD_T
|
||||
|
||||
/* The size of `size_t', as computed by sizeof. */
|
||||
#undef SIZEOF_SIZE_T
|
||||
|
||||
/* The size of `time_t', as computed by sizeof. */
|
||||
#undef SIZEOF_TIME_T
|
||||
|
||||
/* The size of `unsigned long', as computed by sizeof. */
|
||||
#undef SIZEOF_UNSIGNED_LONG
|
||||
|
||||
/* define if (v)snprintf does not return length needed, (but length used) */
|
||||
#undef SNPRINTF_RET_BROKEN
|
||||
|
||||
|
27
contrib/unbound/config.sub
vendored
27
contrib/unbound/config.sub
vendored
@ -4,7 +4,7 @@
|
||||
|
||||
# shellcheck disable=SC2006,SC2268 # see below for rationale
|
||||
|
||||
timestamp='2022-08-01'
|
||||
timestamp='2022-09-17'
|
||||
|
||||
# This file is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU General Public License as published by
|
||||
@ -145,7 +145,7 @@ case $1 in
|
||||
nto-qnx* | linux-* | uclinux-uclibc* \
|
||||
| uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \
|
||||
| netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \
|
||||
| storm-chaos* | os2-emx* | rtmk-nova*)
|
||||
| storm-chaos* | os2-emx* | rtmk-nova* | managarm-*)
|
||||
basic_machine=$field1
|
||||
basic_os=$maybe_os
|
||||
;;
|
||||
@ -1341,6 +1341,10 @@ EOF
|
||||
kernel=linux
|
||||
os=`echo "$basic_os" | sed -e 's|linux|gnu|'`
|
||||
;;
|
||||
managarm*)
|
||||
kernel=managarm
|
||||
os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'`
|
||||
;;
|
||||
*)
|
||||
kernel=
|
||||
os=$basic_os
|
||||
@ -1754,7 +1758,7 @@ case $os in
|
||||
| onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
|
||||
| midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
|
||||
| nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
|
||||
| fiwix* )
|
||||
| fiwix* | mlibc* )
|
||||
;;
|
||||
# This one is extra strict with allowed versions
|
||||
sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
|
||||
@ -1762,6 +1766,9 @@ case $os in
|
||||
;;
|
||||
none)
|
||||
;;
|
||||
kernel* )
|
||||
# Restricted further below
|
||||
;;
|
||||
*)
|
||||
echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2
|
||||
exit 1
|
||||
@ -1772,16 +1779,26 @@ esac
|
||||
# (given a valid OS), if there is a kernel.
|
||||
case $kernel-$os in
|
||||
linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \
|
||||
| linux-musl* | linux-relibc* | linux-uclibc* )
|
||||
| linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* )
|
||||
;;
|
||||
uclinux-uclibc* )
|
||||
;;
|
||||
-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* )
|
||||
managarm-mlibc* | managarm-kernel* )
|
||||
;;
|
||||
-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* )
|
||||
# These are just libc implementations, not actual OSes, and thus
|
||||
# require a kernel.
|
||||
echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
-kernel* )
|
||||
echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
*-kernel* )
|
||||
echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2
|
||||
exit 1
|
||||
;;
|
||||
kfreebsd*-gnu* | kopensolaris*-gnu*)
|
||||
;;
|
||||
vxworks-simlinux | vxworks-simwindows | vxworks-spe)
|
||||
|
100
contrib/unbound/configure
vendored
100
contrib/unbound/configure
vendored
@ -1,6 +1,6 @@
|
||||
#! /bin/sh
|
||||
# Guess values for system-dependent variables and create Makefiles.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.16.3.
|
||||
# Generated by GNU Autoconf 2.69 for unbound 1.17.0.
|
||||
#
|
||||
# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
|
||||
#
|
||||
@ -591,8 +591,8 @@ MAKEFLAGS=
|
||||
# Identity of this package.
|
||||
PACKAGE_NAME='unbound'
|
||||
PACKAGE_TARNAME='unbound'
|
||||
PACKAGE_VERSION='1.16.3'
|
||||
PACKAGE_STRING='unbound 1.16.3'
|
||||
PACKAGE_VERSION='1.17.0'
|
||||
PACKAGE_STRING='unbound 1.17.0'
|
||||
PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
|
||||
PACKAGE_URL=''
|
||||
|
||||
@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
|
||||
# Omit some internal or obsolete options to make the list less imposing.
|
||||
# This message is too long to be a string in the A/UX 3.1 sh.
|
||||
cat <<_ACEOF
|
||||
\`configure' configures unbound 1.16.3 to adapt to many kinds of systems.
|
||||
\`configure' configures unbound 1.17.0 to adapt to many kinds of systems.
|
||||
|
||||
Usage: $0 [OPTION]... [VAR=VALUE]...
|
||||
|
||||
@ -1543,7 +1543,7 @@ fi
|
||||
|
||||
if test -n "$ac_init_help"; then
|
||||
case $ac_init_help in
|
||||
short | recursive ) echo "Configuration of unbound 1.16.3:";;
|
||||
short | recursive ) echo "Configuration of unbound 1.17.0:";;
|
||||
esac
|
||||
cat <<\_ACEOF
|
||||
|
||||
@ -1785,7 +1785,7 @@ fi
|
||||
test -n "$ac_init_help" && exit $ac_status
|
||||
if $ac_init_version; then
|
||||
cat <<\_ACEOF
|
||||
unbound configure 1.16.3
|
||||
unbound configure 1.17.0
|
||||
generated by GNU Autoconf 2.69
|
||||
|
||||
Copyright (C) 2012 Free Software Foundation, Inc.
|
||||
@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
|
||||
This file contains any messages produced by compilers while
|
||||
running configure, to aid debugging if configure makes a mistake.
|
||||
|
||||
It was created by unbound $as_me 1.16.3, which was
|
||||
It was created by unbound $as_me 1.17.0, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
$ $0 $@
|
||||
@ -2844,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
|
||||
|
||||
UNBOUND_VERSION_MAJOR=1
|
||||
|
||||
UNBOUND_VERSION_MINOR=16
|
||||
UNBOUND_VERSION_MINOR=17
|
||||
|
||||
UNBOUND_VERSION_MICRO=3
|
||||
UNBOUND_VERSION_MICRO=0
|
||||
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=19
|
||||
LIBUNBOUND_REVISION=20
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -2937,6 +2937,7 @@ LIBUNBOUND_AGE=1
|
||||
# 1.16.1 had 9:17:1
|
||||
# 1.16.2 had 9:18:1
|
||||
# 1.16.3 had 9:19:1
|
||||
# 1.17.0 had 9:20:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -14772,7 +14773,7 @@ fi
|
||||
fi
|
||||
|
||||
# Checks for header files.
|
||||
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
|
||||
for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h
|
||||
do :
|
||||
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
|
||||
ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
|
||||
@ -16031,6 +16032,9 @@ else
|
||||
#ifdef HAVE_SYS_TYPES_H
|
||||
#include <sys/types.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_SELECT_H
|
||||
#include <sys/select.h>
|
||||
#endif
|
||||
#ifdef HAVE_SYS_SOCKET_H
|
||||
#include <sys/socket.h>
|
||||
#endif
|
||||
@ -17101,6 +17105,72 @@ _ACEOF
|
||||
|
||||
fi
|
||||
|
||||
# The cast to long int works around a bug in the HP C Compiler
|
||||
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
||||
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
||||
# This bug is HP SR number 8606223364.
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5
|
||||
$as_echo_n "checking size of unsigned long... " >&6; }
|
||||
if ${ac_cv_sizeof_unsigned_long+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long" "$ac_includes_default"; then :
|
||||
|
||||
else
|
||||
if test "$ac_cv_type_unsigned_long" = yes; then
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
|
||||
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
|
||||
as_fn_error 77 "cannot compute sizeof (unsigned long)
|
||||
See \`config.log' for more details" "$LINENO" 5; }
|
||||
else
|
||||
ac_cv_sizeof_unsigned_long=0
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5
|
||||
$as_echo "$ac_cv_sizeof_unsigned_long" >&6; }
|
||||
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long
|
||||
_ACEOF
|
||||
|
||||
|
||||
# The cast to long int works around a bug in the HP C Compiler
|
||||
# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
|
||||
# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
|
||||
# This bug is HP SR number 8606223364.
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of pthread_t" >&5
|
||||
$as_echo_n "checking size of pthread_t... " >&6; }
|
||||
if ${ac_cv_sizeof_pthread_t+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (pthread_t))" "ac_cv_sizeof_pthread_t" "$ac_includes_default"; then :
|
||||
|
||||
else
|
||||
if test "$ac_cv_type_pthread_t" = yes; then
|
||||
{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
|
||||
$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
|
||||
as_fn_error 77 "cannot compute sizeof (pthread_t)
|
||||
See \`config.log' for more details" "$LINENO" 5; }
|
||||
else
|
||||
ac_cv_sizeof_pthread_t=0
|
||||
fi
|
||||
fi
|
||||
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_pthread_t" >&5
|
||||
$as_echo "$ac_cv_sizeof_pthread_t" >&6; }
|
||||
|
||||
|
||||
|
||||
cat >>confdefs.h <<_ACEOF
|
||||
#define SIZEOF_PTHREAD_T $ac_cv_sizeof_pthread_t
|
||||
_ACEOF
|
||||
|
||||
|
||||
|
||||
if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5
|
||||
@ -20591,7 +20661,7 @@ if test "$ac_res" != no; then :
|
||||
|
||||
fi
|
||||
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex
|
||||
for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid
|
||||
do :
|
||||
as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
|
||||
ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
|
||||
@ -22015,7 +22085,7 @@ _ACEOF
|
||||
|
||||
|
||||
|
||||
version=1.16.3
|
||||
version=1.17.0
|
||||
|
||||
date=`date +'%b %e, %Y'`
|
||||
|
||||
@ -22534,7 +22604,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
|
||||
# report actual input values of CONFIG_FILES etc. instead of their
|
||||
# values after options handling.
|
||||
ac_log="
|
||||
This file was extended by unbound $as_me 1.16.3, which was
|
||||
This file was extended by unbound $as_me 1.17.0, which was
|
||||
generated by GNU Autoconf 2.69. Invocation command line was
|
||||
|
||||
CONFIG_FILES = $CONFIG_FILES
|
||||
@ -22600,7 +22670,7 @@ _ACEOF
|
||||
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
|
||||
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
|
||||
ac_cs_version="\\
|
||||
unbound config.status 1.16.3
|
||||
unbound config.status 1.17.0
|
||||
configured by $0, generated by GNU Autoconf 2.69,
|
||||
with options \\"\$ac_cs_config\\"
|
||||
|
||||
|
@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
|
||||
|
||||
# must be numbers. ac_defun because of later processing
|
||||
m4_define([VERSION_MAJOR],[1])
|
||||
m4_define([VERSION_MINOR],[16])
|
||||
m4_define([VERSION_MICRO],[3])
|
||||
m4_define([VERSION_MINOR],[17])
|
||||
m4_define([VERSION_MICRO],[0])
|
||||
AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
|
||||
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
|
||||
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
|
||||
|
||||
LIBUNBOUND_CURRENT=9
|
||||
LIBUNBOUND_REVISION=19
|
||||
LIBUNBOUND_REVISION=20
|
||||
LIBUNBOUND_AGE=1
|
||||
# 1.0.0 had 0:12:0
|
||||
# 1.0.1 had 0:13:0
|
||||
@ -105,6 +105,7 @@ LIBUNBOUND_AGE=1
|
||||
# 1.16.1 had 9:17:1
|
||||
# 1.16.2 had 9:18:1
|
||||
# 1.16.3 had 9:19:1
|
||||
# 1.17.0 had 9:20:1
|
||||
|
||||
# Current -- the number of the binary API that we're implementing
|
||||
# Revision -- which iteration of the implementation of the binary
|
||||
@ -397,7 +398,7 @@ PKG_PROG_PKG_CONFIG
|
||||
fi
|
||||
|
||||
# Checks for header files.
|
||||
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
|
||||
AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h],,, [AC_INCLUDES_DEFAULT])
|
||||
# net/if.h portability for Darwin see:
|
||||
# https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
|
||||
AC_CHECK_HEADERS([net/if.h],,, [
|
||||
@ -607,6 +608,8 @@ if test x_$withval != x_no; then
|
||||
CC="$PTHREAD_CC"
|
||||
ub_have_pthreads=yes
|
||||
AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include <pthread.h>])
|
||||
AC_CHECK_SIZEOF([unsigned long])
|
||||
AC_CHECK_SIZEOF(pthread_t)
|
||||
|
||||
if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
|
||||
AC_MSG_CHECKING([if -pthread unused during linking])
|
||||
@ -1644,7 +1647,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
|
||||
AC_MSG_RESULT(no))
|
||||
|
||||
AC_SEARCH_LIBS([setusercontext], [util])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex])
|
||||
AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid])
|
||||
AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
|
||||
AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
|
||||
|
||||
|
@ -46,6 +46,7 @@
|
||||
#include "util/config_file.h"
|
||||
#include "util/net_help.h"
|
||||
#include "services/localzone.h"
|
||||
#include "services/listen_dnsport.h"
|
||||
#include "sldns/str2wire.h"
|
||||
|
||||
struct acl_list*
|
||||
@ -90,6 +91,31 @@ acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
|
||||
return node;
|
||||
}
|
||||
|
||||
/** parse str to acl_access enum */
|
||||
static int
|
||||
parse_acl_access(const char* str, enum acl_access* control)
|
||||
{
|
||||
if(strcmp(str, "allow") == 0)
|
||||
*control = acl_allow;
|
||||
else if(strcmp(str, "deny") == 0)
|
||||
*control = acl_deny;
|
||||
else if(strcmp(str, "refuse") == 0)
|
||||
*control = acl_refuse;
|
||||
else if(strcmp(str, "deny_non_local") == 0)
|
||||
*control = acl_deny_non_local;
|
||||
else if(strcmp(str, "refuse_non_local") == 0)
|
||||
*control = acl_refuse_non_local;
|
||||
else if(strcmp(str, "allow_snoop") == 0)
|
||||
*control = acl_allow_snoop;
|
||||
else if(strcmp(str, "allow_setrd") == 0)
|
||||
*control = acl_allow_setrd;
|
||||
else {
|
||||
log_err("access control type %s unknown", str);
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** apply acl_list string */
|
||||
static int
|
||||
acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
|
||||
@ -99,22 +125,7 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
|
||||
int net;
|
||||
socklen_t addrlen;
|
||||
enum acl_access control;
|
||||
if(strcmp(s2, "allow") == 0)
|
||||
control = acl_allow;
|
||||
else if(strcmp(s2, "deny") == 0)
|
||||
control = acl_deny;
|
||||
else if(strcmp(s2, "refuse") == 0)
|
||||
control = acl_refuse;
|
||||
else if(strcmp(s2, "deny_non_local") == 0)
|
||||
control = acl_deny_non_local;
|
||||
else if(strcmp(s2, "refuse_non_local") == 0)
|
||||
control = acl_refuse_non_local;
|
||||
else if(strcmp(s2, "allow_snoop") == 0)
|
||||
control = acl_allow_snoop;
|
||||
else if(strcmp(s2, "allow_setrd") == 0)
|
||||
control = acl_allow_setrd;
|
||||
else {
|
||||
log_err("access control type %s unknown", str);
|
||||
if(!parse_acl_access(s2, &control)) {
|
||||
return 0;
|
||||
}
|
||||
if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
|
||||
@ -131,19 +142,27 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
|
||||
|
||||
/** find or create node (NULL on parse or error) */
|
||||
static struct acl_addr*
|
||||
acl_find_or_create(struct acl_list* acl, const char* str)
|
||||
acl_find_or_create_str2addr(struct acl_list* acl, const char* str,
|
||||
int is_interface, int port)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
struct sockaddr_storage addr;
|
||||
int net;
|
||||
socklen_t addrlen;
|
||||
int net = (str_is_ip6(str)?128:32);
|
||||
if(is_interface) {
|
||||
if(!extstrtoaddr(str, &addr, &addrlen, port)) {
|
||||
log_err("cannot parse interface: %s", str);
|
||||
return NULL;
|
||||
}
|
||||
} else {
|
||||
if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
|
||||
log_err("cannot parse netblock: %s", str);
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
/* find or create node */
|
||||
if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr,
|
||||
addrlen, net))) {
|
||||
addrlen, net)) && !is_interface) {
|
||||
/* create node, type 'allow' since otherwise tags are
|
||||
* pointless, can override with specific access-control: cfg */
|
||||
if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr,
|
||||
@ -155,14 +174,65 @@ acl_find_or_create(struct acl_list* acl, const char* str)
|
||||
return node;
|
||||
}
|
||||
|
||||
/** find or create node (NULL on error) */
|
||||
static struct acl_addr*
|
||||
acl_find_or_create(struct acl_list* acl, struct sockaddr_storage* addr,
|
||||
socklen_t addrlen, enum acl_access control)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
int net = (addr_is_ip6(addr, addrlen)?128:32);
|
||||
/* find or create node */
|
||||
if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, addr,
|
||||
addrlen, net))) {
|
||||
/* create node;
|
||||
* can override with specific access-control: cfg */
|
||||
if(!(node=(struct acl_addr*)acl_list_insert(acl, addr,
|
||||
addrlen, net, control, 1))) {
|
||||
log_err("out of memory");
|
||||
return NULL;
|
||||
}
|
||||
}
|
||||
return node;
|
||||
}
|
||||
|
||||
/** apply acl_interface string */
|
||||
static int
|
||||
acl_interface_str_cfg(struct acl_list* acl_interface, const char* iface,
|
||||
const char* s2, int port)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
enum acl_access control;
|
||||
if(!parse_acl_access(s2, &control)) {
|
||||
return 0;
|
||||
}
|
||||
if(!(node=acl_find_or_create_str2addr(acl_interface, iface, 1, port))) {
|
||||
log_err("cannot update ACL on non-configured interface: %s %d",
|
||||
iface, port);
|
||||
return 0;
|
||||
}
|
||||
node->control = control;
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct acl_addr*
|
||||
acl_interface_insert(struct acl_list* acl_interface,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
enum acl_access control)
|
||||
{
|
||||
return acl_find_or_create(acl_interface, addr, addrlen, control);
|
||||
}
|
||||
|
||||
/** apply acl_tag string */
|
||||
static int
|
||||
acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
|
||||
size_t bitmaplen)
|
||||
size_t bitmaplen, int is_interface, int port)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
if(!(node=acl_find_or_create(acl, str)))
|
||||
if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
|
||||
if(is_interface)
|
||||
log_err("non-configured interface: %s", str);
|
||||
return 0;
|
||||
}
|
||||
node->taglen = bitmaplen;
|
||||
node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen);
|
||||
if(!node->taglist) {
|
||||
@ -175,11 +245,14 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
|
||||
/** apply acl_view string */
|
||||
static int
|
||||
acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
|
||||
struct views* vs)
|
||||
struct views* vs, int is_interface, int port)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
if(!(node=acl_find_or_create(acl, str)))
|
||||
if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
|
||||
if(is_interface)
|
||||
log_err("non-configured interface: %s", str);
|
||||
return 0;
|
||||
}
|
||||
node->view = views_find_view(vs, str2, 0 /* get read lock*/);
|
||||
if(!node->view) {
|
||||
log_err("no view with name: %s", str2);
|
||||
@ -192,13 +265,17 @@ acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
|
||||
/** apply acl_tag_action string */
|
||||
static int
|
||||
acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
|
||||
const char* str, const char* tag, const char* action)
|
||||
const char* str, const char* tag, const char* action,
|
||||
int is_interface, int port)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
int tagid;
|
||||
enum localzone_type t;
|
||||
if(!(node=acl_find_or_create(acl, str)))
|
||||
if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
|
||||
if(is_interface)
|
||||
log_err("non-configured interface: %s", str);
|
||||
return 0;
|
||||
}
|
||||
/* allocate array if not yet */
|
||||
if(!node->tag_actions) {
|
||||
node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region,
|
||||
@ -281,13 +358,17 @@ check_data(const char* data, const struct config_strlist* head)
|
||||
/** apply acl_tag_data string */
|
||||
static int
|
||||
acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
|
||||
const char* str, const char* tag, const char* data)
|
||||
const char* str, const char* tag, const char* data,
|
||||
int is_interface, int port)
|
||||
{
|
||||
struct acl_addr* node;
|
||||
int tagid;
|
||||
char* dupdata;
|
||||
if(!(node=acl_find_or_create(acl, str)))
|
||||
if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
|
||||
if(is_interface)
|
||||
log_err("non-configured interface: %s", str);
|
||||
return 0;
|
||||
}
|
||||
/* allocate array if not yet */
|
||||
if(!node->tag_datas) {
|
||||
node->tag_datas = (struct config_strlist**)regional_alloc_zero(
|
||||
@ -330,10 +411,10 @@ acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
|
||||
|
||||
/** read acl_list config */
|
||||
static int
|
||||
read_acl_list(struct acl_list* acl, struct config_file* cfg)
|
||||
read_acl_list(struct acl_list* acl, struct config_str2list* acls)
|
||||
{
|
||||
struct config_str2list* p;
|
||||
for(p = cfg->acls; p; p = p->next) {
|
||||
for(p = acls; p; p = p->next) {
|
||||
log_assert(p->str && p->str2);
|
||||
if(!acl_list_str_cfg(acl, p->str, p->str2, 1))
|
||||
return 0;
|
||||
@ -341,16 +422,17 @@ read_acl_list(struct acl_list* acl, struct config_file* cfg)
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read acl tags config */
|
||||
/** read acl view config */
|
||||
static int
|
||||
read_acl_tags(struct acl_list* acl, struct config_file* cfg)
|
||||
read_acl_view(struct acl_list* acl, struct config_str2list** acl_view,
|
||||
struct views* v)
|
||||
{
|
||||
struct config_strbytelist* np, *p = cfg->acl_tags;
|
||||
cfg->acl_tags = NULL;
|
||||
struct config_str2list* np, *p = *acl_view;
|
||||
*acl_view = NULL;
|
||||
while(p) {
|
||||
log_assert(p->str && p->str2);
|
||||
if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) {
|
||||
config_del_strbytelist(p);
|
||||
if(!acl_list_view_cfg(acl, p->str, p->str2, v, 0, 0)) {
|
||||
config_deldblstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
/* free the items as we go to free up memory */
|
||||
@ -363,15 +445,16 @@ read_acl_tags(struct acl_list* acl, struct config_file* cfg)
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read acl view config */
|
||||
/** read acl tags config */
|
||||
static int
|
||||
read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
|
||||
read_acl_tags(struct acl_list* acl, struct config_strbytelist** acl_tags)
|
||||
{
|
||||
struct config_str2list* np, *p = cfg->acl_view;
|
||||
cfg->acl_view = NULL;
|
||||
struct config_strbytelist* np, *p = *acl_tags;
|
||||
*acl_tags = NULL;
|
||||
while(p) {
|
||||
log_assert(p->str && p->str2);
|
||||
if(!acl_list_view_cfg(acl, p->str, p->str2, v)) {
|
||||
if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len, 0, 0)) {
|
||||
config_del_strbytelist(p);
|
||||
return 0;
|
||||
}
|
||||
/* free the items as we go to free up memory */
|
||||
@ -386,15 +469,16 @@ read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
|
||||
|
||||
/** read acl tag actions config */
|
||||
static int
|
||||
read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
|
||||
read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg,
|
||||
struct config_str3list** acl_tag_actions)
|
||||
{
|
||||
struct config_str3list* p, *np;
|
||||
p = cfg->acl_tag_actions;
|
||||
cfg->acl_tag_actions = NULL;
|
||||
p = *acl_tag_actions;
|
||||
*acl_tag_actions = NULL;
|
||||
while(p) {
|
||||
log_assert(p->str && p->str2 && p->str3);
|
||||
if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2,
|
||||
p->str3)) {
|
||||
p->str3, 0, 0)) {
|
||||
config_deltrplstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
@ -411,14 +495,16 @@ read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
|
||||
|
||||
/** read acl tag datas config */
|
||||
static int
|
||||
read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
|
||||
read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg,
|
||||
struct config_str3list** acl_tag_datas)
|
||||
{
|
||||
struct config_str3list* p, *np;
|
||||
p = cfg->acl_tag_datas;
|
||||
cfg->acl_tag_datas = NULL;
|
||||
p = *acl_tag_datas;
|
||||
*acl_tag_datas = NULL;
|
||||
while(p) {
|
||||
log_assert(p->str && p->str2 && p->str3);
|
||||
if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) {
|
||||
if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3,
|
||||
0, 0)) {
|
||||
config_deltrplstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
@ -439,24 +525,21 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
|
||||
{
|
||||
regional_free_all(acl->region);
|
||||
addr_tree_init(&acl->tree);
|
||||
if(!read_acl_list(acl, cfg))
|
||||
if(!read_acl_list(acl, cfg->acls))
|
||||
return 0;
|
||||
if(!read_acl_view(acl, cfg, v))
|
||||
if(!read_acl_view(acl, &cfg->acl_view, v))
|
||||
return 0;
|
||||
if(!read_acl_tags(acl, cfg))
|
||||
if(!read_acl_tags(acl, &cfg->acl_tags))
|
||||
return 0;
|
||||
if(!read_acl_tag_actions(acl, cfg))
|
||||
if(!read_acl_tag_actions(acl, cfg, &cfg->acl_tag_actions))
|
||||
return 0;
|
||||
if(!read_acl_tag_datas(acl, cfg))
|
||||
if(!read_acl_tag_datas(acl, cfg, &cfg->acl_tag_datas))
|
||||
return 0;
|
||||
/* insert defaults, with '0' to ignore them if they are duplicates */
|
||||
if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
|
||||
return 0;
|
||||
/* the 'refuse' defaults for /0 are now done per interface instead */
|
||||
if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0))
|
||||
return 0;
|
||||
if(cfg->do_ip6) {
|
||||
if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0))
|
||||
return 0;
|
||||
if(!acl_list_str_cfg(acl, "::1", "allow", 0))
|
||||
return 0;
|
||||
if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0))
|
||||
@ -466,6 +549,222 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
acl_interface_compare(const void* k1, const void* k2)
|
||||
{
|
||||
struct addr_tree_node* n1 = (struct addr_tree_node*)k1;
|
||||
struct addr_tree_node* n2 = (struct addr_tree_node*)k2;
|
||||
return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr,
|
||||
n2->addrlen);
|
||||
/* We don't care about comparing node->net. All addresses in the
|
||||
* acl_interface tree have either 32 (ipv4) or 128 (ipv6). */
|
||||
}
|
||||
|
||||
void
|
||||
acl_interface_init(struct acl_list* acl_interface)
|
||||
{
|
||||
regional_free_all(acl_interface->region);
|
||||
/* We want comparison in the tree to include only address and port.
|
||||
* We don't care about comparing node->net. All addresses in the
|
||||
* acl_interface->tree should have either 32 (ipv4) or 128 (ipv6).
|
||||
* Initialise with the appropriate compare function but keep treating
|
||||
* it as an addr_tree. */
|
||||
addr_tree_addrport_init(&acl_interface->tree);
|
||||
}
|
||||
|
||||
static int
|
||||
read_acl_interface_action(struct acl_list* acl_interface,
|
||||
struct config_str2list* acls, int port)
|
||||
{
|
||||
struct config_str2list* p;
|
||||
for(p = acls; p; p = p->next) {
|
||||
char** resif = NULL;
|
||||
int num_resif = 0;
|
||||
int i;
|
||||
log_assert(p->str && p->str2);
|
||||
if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif))
|
||||
return 0;
|
||||
for(i = 0; i<num_resif; i++) {
|
||||
if(!acl_interface_str_cfg(acl_interface, resif[i], p->str2, port)){
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
config_del_strarray(resif, num_resif);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read acl view config for interface */
|
||||
static int
|
||||
read_acl_interface_view(struct acl_list* acl_interface,
|
||||
struct config_str2list** acl_view,
|
||||
struct views* v, int port)
|
||||
{
|
||||
struct config_str2list* np, *p = *acl_view;
|
||||
*acl_view = NULL;
|
||||
while(p) {
|
||||
char** resif = NULL;
|
||||
int num_resif = 0;
|
||||
int i;
|
||||
log_assert(p->str && p->str2);
|
||||
if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
|
||||
config_deldblstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
for(i = 0; i<num_resif; i++) {
|
||||
if(!acl_list_view_cfg(acl_interface, resif[i], p->str2,
|
||||
v, 1, port)) {
|
||||
config_del_strarray(resif, num_resif);
|
||||
config_deldblstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
config_del_strarray(resif, num_resif);
|
||||
/* free the items as we go to free up memory */
|
||||
np = p->next;
|
||||
free(p->str);
|
||||
free(p->str2);
|
||||
free(p);
|
||||
p = np;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read acl tags config for interface */
|
||||
static int
|
||||
read_acl_interface_tags(struct acl_list* acl_interface,
|
||||
struct config_strbytelist** acl_tags, int port)
|
||||
{
|
||||
struct config_strbytelist* np, *p = *acl_tags;
|
||||
*acl_tags = NULL;
|
||||
while(p) {
|
||||
char** resif = NULL;
|
||||
int num_resif = 0;
|
||||
int i;
|
||||
log_assert(p->str && p->str2);
|
||||
if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
|
||||
config_del_strbytelist(p);
|
||||
return 0;
|
||||
}
|
||||
for(i = 0; i<num_resif; i++) {
|
||||
if(!acl_list_tags_cfg(acl_interface, resif[i], p->str2,
|
||||
p->str2len, 1, port)) {
|
||||
config_del_strbytelist(p);
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
config_del_strarray(resif, num_resif);
|
||||
/* free the items as we go to free up memory */
|
||||
np = p->next;
|
||||
free(p->str);
|
||||
free(p->str2);
|
||||
free(p);
|
||||
p = np;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read acl tag actions config for interface*/
|
||||
static int
|
||||
read_acl_interface_tag_actions(struct acl_list* acl_interface,
|
||||
struct config_file* cfg,
|
||||
struct config_str3list** acl_tag_actions, int port)
|
||||
{
|
||||
struct config_str3list* p, *np;
|
||||
p = *acl_tag_actions;
|
||||
*acl_tag_actions = NULL;
|
||||
while(p) {
|
||||
char** resif = NULL;
|
||||
int num_resif = 0;
|
||||
int i;
|
||||
log_assert(p->str && p->str2 && p->str3);
|
||||
if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
|
||||
config_deltrplstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
for(i = 0; i<num_resif; i++) {
|
||||
if(!acl_list_tag_action_cfg(acl_interface, cfg,
|
||||
resif[i], p->str2, p->str3, 1, port)) {
|
||||
config_deltrplstrlist(p);
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
config_del_strarray(resif, num_resif);
|
||||
/* free the items as we go to free up memory */
|
||||
np = p->next;
|
||||
free(p->str);
|
||||
free(p->str2);
|
||||
free(p->str3);
|
||||
free(p);
|
||||
p = np;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** read acl tag datas config for interface */
|
||||
static int
|
||||
read_acl_interface_tag_datas(struct acl_list* acl_interface,
|
||||
struct config_file* cfg,
|
||||
struct config_str3list** acl_tag_datas, int port)
|
||||
{
|
||||
struct config_str3list* p, *np;
|
||||
p = *acl_tag_datas;
|
||||
*acl_tag_datas = NULL;
|
||||
while(p) {
|
||||
char** resif = NULL;
|
||||
int num_resif = 0;
|
||||
int i;
|
||||
log_assert(p->str && p->str2 && p->str3);
|
||||
if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) {
|
||||
config_deltrplstrlist(p);
|
||||
return 0;
|
||||
}
|
||||
for(i = 0; i<num_resif; i++) {
|
||||
if(!acl_list_tag_data_cfg(acl_interface, cfg,
|
||||
resif[i], p->str2, p->str3, 1, port)) {
|
||||
config_deltrplstrlist(p);
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
config_del_strarray(resif, num_resif);
|
||||
/* free the items as we go to free up memory */
|
||||
np = p->next;
|
||||
free(p->str);
|
||||
free(p->str2);
|
||||
free(p->str3);
|
||||
free(p);
|
||||
p = np;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg,
|
||||
struct views* v)
|
||||
{
|
||||
if(!read_acl_interface_action(acl_interface, cfg->interface_actions,
|
||||
cfg->port))
|
||||
return 0;
|
||||
if(!read_acl_interface_view(acl_interface, &cfg->interface_view, v,
|
||||
cfg->port))
|
||||
return 0;
|
||||
if(!read_acl_interface_tags(acl_interface, &cfg->interface_tags,
|
||||
cfg->port))
|
||||
return 0;
|
||||
if(!read_acl_interface_tag_actions(acl_interface, cfg,
|
||||
&cfg->interface_tag_actions, cfg->port))
|
||||
return 0;
|
||||
if(!read_acl_interface_tag_datas(acl_interface, cfg,
|
||||
&cfg->interface_tag_datas, cfg->port))
|
||||
return 0;
|
||||
addr_tree_init_parents(&acl_interface->tree);
|
||||
return 1;
|
||||
}
|
||||
|
||||
enum acl_access
|
||||
acl_get_control(struct acl_addr* acl)
|
||||
{
|
||||
|
@ -119,6 +119,20 @@ struct acl_list* acl_list_create(void);
|
||||
*/
|
||||
void acl_list_delete(struct acl_list* acl);
|
||||
|
||||
/**
|
||||
* Insert interface in the acl_list. This should happen when the listening
|
||||
* interface is setup.
|
||||
* @param acl_interface: acl_list to insert to.
|
||||
* @param addr: interface IP.
|
||||
* @param addrlen: length of the interface IP.
|
||||
* @param control: acl_access.
|
||||
* @return new structure or NULL on error.
|
||||
*/
|
||||
struct acl_addr*
|
||||
acl_interface_insert(struct acl_list* acl_interface,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
enum acl_access control);
|
||||
|
||||
/**
|
||||
* Process access control config.
|
||||
* @param acl: where to store.
|
||||
@ -129,6 +143,25 @@ void acl_list_delete(struct acl_list* acl);
|
||||
int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg,
|
||||
struct views* v);
|
||||
|
||||
/** compare ACL interface "addr_tree" nodes (+port) */
|
||||
int acl_interface_compare(const void* k1, const void* k2);
|
||||
|
||||
/**
|
||||
* Initialise (also clean) the acl_interface struct.
|
||||
* @param acl_interface: where to store.
|
||||
*/
|
||||
void acl_interface_init(struct acl_list* acl_interface);
|
||||
|
||||
/**
|
||||
* Process interface control config.
|
||||
* @param acl_interface: where to store.
|
||||
* @param cfg: config options.
|
||||
* @param v: views structure
|
||||
* @return 0 on error.
|
||||
*/
|
||||
int acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg,
|
||||
struct views* v);
|
||||
|
||||
/**
|
||||
* Lookup access control status for acl structure.
|
||||
* @param acl: structure for acl storage.
|
||||
|
@ -96,6 +96,9 @@
|
||||
#ifdef HAVE_SYSTEMD
|
||||
#include <systemd/sd-daemon.h>
|
||||
#endif
|
||||
#ifdef HAVE_NETDB_H
|
||||
#include <netdb.h>
|
||||
#endif
|
||||
|
||||
/** How many quit requests happened. */
|
||||
static int sig_record_quit = 0;
|
||||
@ -271,8 +274,17 @@ daemon_init(void)
|
||||
free(daemon);
|
||||
return NULL;
|
||||
}
|
||||
daemon->acl_interface = acl_list_create();
|
||||
if(!daemon->acl_interface) {
|
||||
acl_list_delete(daemon->acl);
|
||||
edns_known_options_delete(daemon->env);
|
||||
free(daemon->env);
|
||||
free(daemon);
|
||||
return NULL;
|
||||
}
|
||||
daemon->tcl = tcl_list_create();
|
||||
if(!daemon->tcl) {
|
||||
acl_list_delete(daemon->acl_interface);
|
||||
acl_list_delete(daemon->acl);
|
||||
edns_known_options_delete(daemon->env);
|
||||
free(daemon->env);
|
||||
@ -284,6 +296,7 @@ daemon_init(void)
|
||||
log_err("gettimeofday: %s", strerror(errno));
|
||||
daemon->time_last_stat = daemon->time_boot;
|
||||
if((daemon->env->auth_zones = auth_zones_create()) == 0) {
|
||||
acl_list_delete(daemon->acl_interface);
|
||||
acl_list_delete(daemon->acl);
|
||||
tcl_list_delete(daemon->tcl);
|
||||
edns_known_options_delete(daemon->env);
|
||||
@ -293,6 +306,7 @@ daemon_init(void)
|
||||
}
|
||||
if(!(daemon->env->edns_strings = edns_strings_create())) {
|
||||
auth_zones_delete(daemon->env->auth_zones);
|
||||
acl_list_delete(daemon->acl_interface);
|
||||
acl_list_delete(daemon->acl);
|
||||
tcl_list_delete(daemon->tcl);
|
||||
edns_known_options_delete(daemon->env);
|
||||
@ -303,6 +317,29 @@ daemon_init(void)
|
||||
return daemon;
|
||||
}
|
||||
|
||||
static int setup_acl_for_ports(struct acl_list* list,
|
||||
struct listen_port* port_list)
|
||||
{
|
||||
struct acl_addr* acl_node;
|
||||
struct addrinfo* addr;
|
||||
for(; port_list; port_list=port_list->next) {
|
||||
if(!port_list->socket) {
|
||||
/* This is mainly for testbound where port_list is
|
||||
* empty. */
|
||||
continue;
|
||||
}
|
||||
addr = port_list->socket->addr;
|
||||
if(!(acl_node = acl_interface_insert(list,
|
||||
(struct sockaddr_storage*)addr->ai_addr,
|
||||
(socklen_t)addr->ai_addrlen,
|
||||
acl_refuse))) {
|
||||
return 0;
|
||||
}
|
||||
port_list->socket->acl = acl_node;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int
|
||||
daemon_open_shared_ports(struct daemon* daemon)
|
||||
{
|
||||
@ -320,6 +357,8 @@ daemon_open_shared_ports(struct daemon* daemon)
|
||||
free(daemon->ports);
|
||||
daemon->ports = NULL;
|
||||
}
|
||||
/* clean acl_interface */
|
||||
acl_interface_init(daemon->acl_interface);
|
||||
if(!resolve_interface_names(daemon->cfg->ifs,
|
||||
daemon->cfg->num_ifs, NULL, &resif, &num_resif))
|
||||
return 0;
|
||||
@ -329,7 +368,8 @@ daemon_open_shared_ports(struct daemon* daemon)
|
||||
daemon->reuseport = 1;
|
||||
#endif
|
||||
/* try to use reuseport */
|
||||
p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport);
|
||||
p0 = listening_ports_open(daemon->cfg, resif, num_resif,
|
||||
&daemon->reuseport);
|
||||
if(!p0) {
|
||||
listening_ports_free(p0);
|
||||
config_del_strarray(resif, num_resif);
|
||||
@ -350,6 +390,12 @@ daemon_open_shared_ports(struct daemon* daemon)
|
||||
return 0;
|
||||
}
|
||||
daemon->ports[0] = p0;
|
||||
if(!setup_acl_for_ports(daemon->acl_interface,
|
||||
daemon->ports[0])) {
|
||||
listening_ports_free(p0);
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
if(daemon->reuseport) {
|
||||
/* continue to use reuseport */
|
||||
for(i=1; i<daemon->num_ports; i++) {
|
||||
@ -365,6 +411,15 @@ daemon_open_shared_ports(struct daemon* daemon)
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
if(!setup_acl_for_ports(daemon->acl_interface,
|
||||
daemon->ports[i])) {
|
||||
for(i=0; i<daemon->num_ports; i++)
|
||||
listening_ports_free(daemon->ports[i]);
|
||||
free(daemon->ports);
|
||||
daemon->ports = NULL;
|
||||
config_del_strarray(resif, num_resif);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
config_del_strarray(resif, num_resif);
|
||||
@ -604,6 +659,9 @@ daemon_fork(struct daemon* daemon)
|
||||
|
||||
if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views))
|
||||
fatal_exit("Could not setup access control list");
|
||||
if(!acl_interface_apply_cfg(daemon->acl_interface, daemon->cfg,
|
||||
daemon->views))
|
||||
fatal_exit("Could not setup interface control list");
|
||||
if(!tcl_list_apply_cfg(daemon->tcl, daemon->cfg))
|
||||
fatal_exit("Could not setup TCP connection limits");
|
||||
if(daemon->cfg->dnscrypt) {
|
||||
@ -780,6 +838,7 @@ daemon_delete(struct daemon* daemon)
|
||||
ub_randfree(daemon->rand);
|
||||
alloc_clear(&daemon->superalloc);
|
||||
acl_list_delete(daemon->acl);
|
||||
acl_list_delete(daemon->acl_interface);
|
||||
tcl_list_delete(daemon->tcl);
|
||||
listen_desetup_locks();
|
||||
free(daemon->chroot);
|
||||
|
@ -113,6 +113,8 @@ struct daemon {
|
||||
struct module_stack mods;
|
||||
/** access control, which client IPs are allowed to connect */
|
||||
struct acl_list* acl;
|
||||
/** access control, which interfaces are allowed to connect */
|
||||
struct acl_list* acl_interface;
|
||||
/** TCP connection limit, limit connections from client IPs */
|
||||
struct tcl_list* tcl;
|
||||
/** local authority zones */
|
||||
|
@ -494,8 +494,8 @@ int remote_accept_callback(struct comm_point* c, void* arg, int err,
|
||||
n->c->do_not_close = 0;
|
||||
comm_point_stop_listening(n->c);
|
||||
comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT);
|
||||
memcpy(&n->c->repinfo.addr, &addr, addrlen);
|
||||
n->c->repinfo.addrlen = addrlen;
|
||||
memcpy(&n->c->repinfo.remote_addr, &addr, addrlen);
|
||||
n->c->repinfo.remote_addrlen = addrlen;
|
||||
if(rc->use_cert) {
|
||||
n->shake_state = rc_hs_read;
|
||||
n->ssl = SSL_new(rc->ctx);
|
||||
@ -3304,7 +3304,7 @@ remote_handshake_later(struct daemon_remote* rc, struct rc_state* s,
|
||||
if(r == 0)
|
||||
log_err("remote control connection closed prematurely");
|
||||
log_addr(VERB_OPS, "failed connection from",
|
||||
&s->c->repinfo.addr, s->c->repinfo.addrlen);
|
||||
&s->c->repinfo.remote_addr, s->c->repinfo.remote_addrlen);
|
||||
log_crypto_err("remote control failed ssl");
|
||||
clean_point(rc, s);
|
||||
}
|
||||
|
@ -70,6 +70,9 @@
|
||||
#include <openssl/ssl.h>
|
||||
#endif
|
||||
|
||||
/** How long to wait for threads to transmit statistics, in msec. */
|
||||
#define STATS_THREAD_WAIT 60000
|
||||
|
||||
/** add timers and the values do not overflow or become negative */
|
||||
static void
|
||||
stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec)
|
||||
@ -380,6 +383,28 @@ void server_stats_obtain(struct worker* worker, struct worker* who,
|
||||
worker_send_cmd(who, worker_cmd_stats);
|
||||
else worker_send_cmd(who, worker_cmd_stats_noreset);
|
||||
verbose(VERB_ALGO, "wait for stats reply");
|
||||
if(tube_wait_timeout(worker->cmd, STATS_THREAD_WAIT) == 0) {
|
||||
verbose(VERB_OPS, "no response from thread %d"
|
||||
#ifdef HAVE_GETTID
|
||||
" LWP %u"
|
||||
#endif
|
||||
#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG)
|
||||
# if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG
|
||||
" pthread 0x%lx"
|
||||
# endif
|
||||
#endif
|
||||
,
|
||||
who->thread_num
|
||||
#ifdef HAVE_GETTID
|
||||
, (unsigned)who->thread_tid
|
||||
#endif
|
||||
#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG)
|
||||
# if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG
|
||||
, (unsigned long)*((unsigned long*)&who->thr_id)
|
||||
# endif
|
||||
#endif
|
||||
);
|
||||
}
|
||||
if(!tube_read_msg(worker->cmd, &reply, &len, 0))
|
||||
fatal_exit("failed to read stats over cmd channel");
|
||||
if(len != (uint32_t)sizeof(*s))
|
||||
@ -496,7 +521,7 @@ void server_stats_insquery(struct ub_server_stats* stats, struct comm_point* c,
|
||||
stats->qhttps++;
|
||||
}
|
||||
}
|
||||
if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen))
|
||||
if(repinfo && addr_is_ip6(&repinfo->remote_addr, repinfo->remote_addrlen))
|
||||
stats->qipv6++;
|
||||
if( (flags&BIT_QR) )
|
||||
stats->qbit_QR++;
|
||||
|
@ -547,7 +547,8 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
static int
|
||||
apply_respip_action(struct worker* worker, const struct query_info* qinfo,
|
||||
struct respip_client_info* cinfo, struct reply_info* rep,
|
||||
struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
struct ub_packed_rrset_key** alias_rrset,
|
||||
struct reply_info** encode_repp, struct auth_zones* az)
|
||||
{
|
||||
struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL};
|
||||
@ -574,7 +575,7 @@ apply_respip_action(struct worker* worker, const struct query_info* qinfo,
|
||||
if(actinfo.addrinfo) {
|
||||
respip_inform_print(&actinfo, qinfo->qname,
|
||||
qinfo->qtype, qinfo->qclass, qinfo->local_alias,
|
||||
repinfo);
|
||||
addr, addrlen);
|
||||
|
||||
if(worker->stats.extended && actinfo.rpz_used) {
|
||||
if(actinfo.rpz_disabled)
|
||||
@ -703,7 +704,7 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
|
||||
*alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */
|
||||
if((worker->daemon->use_response_ip || worker->daemon->use_rpz) &&
|
||||
!partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep,
|
||||
repinfo, alias_rrset,
|
||||
&repinfo->client_addr, repinfo->client_addrlen, alias_rrset,
|
||||
&encode_rep, worker->env.auth_zones)) {
|
||||
goto bail_out;
|
||||
} else if(partial_rep &&
|
||||
@ -991,12 +992,14 @@ answer_chaos(struct worker* w, struct query_info* qinfo,
|
||||
* @param w: worker
|
||||
* @param qinfo: query info. Pointer into packet buffer.
|
||||
* @param edns: edns info from query.
|
||||
* @param repinfo: reply info with source address.
|
||||
* @param addr: client address.
|
||||
* @param addrlen: client address length.
|
||||
* @param pkt: packet buffer.
|
||||
*/
|
||||
static void
|
||||
answer_notify(struct worker* w, struct query_info* qinfo,
|
||||
struct edns_data* edns, sldns_buffer* pkt, struct comm_reply* repinfo)
|
||||
struct edns_data* edns, sldns_buffer* pkt,
|
||||
struct sockaddr_storage* addr, socklen_t addrlen)
|
||||
{
|
||||
int refused = 0;
|
||||
int rcode = LDNS_RCODE_NOERROR;
|
||||
@ -1005,8 +1008,8 @@ answer_notify(struct worker* w, struct query_info* qinfo,
|
||||
if(!w->env.auth_zones) return;
|
||||
has_serial = auth_zone_parse_notify_serial(pkt, &serial);
|
||||
if(auth_zones_notify(w->env.auth_zones, &w->env, qinfo->qname,
|
||||
qinfo->qname_len, qinfo->qclass, &repinfo->addr,
|
||||
repinfo->addrlen, has_serial, serial, &refused)) {
|
||||
qinfo->qname_len, qinfo->qclass, addr,
|
||||
addrlen, has_serial, serial, &refused)) {
|
||||
rcode = LDNS_RCODE_NOERROR;
|
||||
} else {
|
||||
if(refused)
|
||||
@ -1031,7 +1034,7 @@ answer_notify(struct worker* w, struct query_info* qinfo,
|
||||
"servfail for NOTIFY %sfor %s from", sr, zname);
|
||||
else snprintf(buf, sizeof(buf),
|
||||
"received NOTIFY %sfor %s from", sr, zname);
|
||||
log_addr(VERB_DETAIL, buf, &repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_DETAIL, buf, addr, addrlen);
|
||||
}
|
||||
edns->edns_version = EDNS_ADVERTISED_VERSION;
|
||||
edns->udp_size = EDNS_ADVERTISED_SIZE;
|
||||
@ -1051,8 +1054,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
|
||||
{
|
||||
if(acl == deny) {
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
log_acl_action("dropped", &repinfo->addr,
|
||||
repinfo->addrlen, acl, acladdr);
|
||||
log_acl_action("dropped", &repinfo->client_addr,
|
||||
repinfo->client_addrlen, acl, acladdr);
|
||||
log_buf(VERB_ALGO, "dropped", c->buffer);
|
||||
}
|
||||
comm_point_drop_reply(repinfo);
|
||||
@ -1063,8 +1066,8 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
|
||||
size_t opt_rr_mark;
|
||||
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
log_acl_action("refused", &repinfo->addr,
|
||||
repinfo->addrlen, acl, acladdr);
|
||||
log_acl_action("refused", &repinfo->client_addr,
|
||||
repinfo->client_addrlen, acl, acladdr);
|
||||
log_buf(VERB_ALGO, "refuse", c->buffer);
|
||||
}
|
||||
|
||||
@ -1224,12 +1227,24 @@ deny_refuse(struct comm_point* c, enum acl_access acl,
|
||||
}
|
||||
|
||||
static int
|
||||
deny_refuse_all(struct comm_point* c, enum acl_access acl,
|
||||
deny_refuse_all(struct comm_point* c, enum acl_access* acl,
|
||||
struct worker* worker, struct comm_reply* repinfo,
|
||||
struct acl_addr* acladdr, int ede)
|
||||
struct acl_addr** acladdr, int ede, int check_proxy)
|
||||
{
|
||||
return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo,
|
||||
acladdr, ede);
|
||||
if(check_proxy) {
|
||||
*acladdr = acl_addr_lookup(worker->daemon->acl,
|
||||
&repinfo->remote_addr, repinfo->remote_addrlen);
|
||||
} else {
|
||||
*acladdr = acl_addr_lookup(worker->daemon->acl,
|
||||
&repinfo->client_addr, repinfo->client_addrlen);
|
||||
}
|
||||
/* If there is no ACL based on client IP use the interface ACL. */
|
||||
if(!(*acladdr) && c->socket) {
|
||||
*acladdr = c->socket->acl;
|
||||
}
|
||||
*acl = acl_get_control(*acladdr);
|
||||
return deny_refuse(c, *acl, acl_deny, acl_refuse, worker, repinfo,
|
||||
*acladdr, ede);
|
||||
}
|
||||
|
||||
static int
|
||||
@ -1286,16 +1301,16 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
if(worker_check_request(c->buffer, worker) != 0) {
|
||||
verbose(VERB_ALGO,
|
||||
"dnscrypt: worker check request: bad query.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr,
|
||||
repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
comm_point_drop_reply(repinfo);
|
||||
return 0;
|
||||
}
|
||||
if(!query_info_parse(&qinfo, c->buffer)) {
|
||||
verbose(VERB_ALGO,
|
||||
"dnscrypt: worker parse request: formerror.");
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->addr,
|
||||
repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
comm_point_drop_reply(repinfo);
|
||||
return 0;
|
||||
}
|
||||
@ -1323,25 +1338,30 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
* sending src (client)/dst (local service) addresses over DNSTAP from incoming request handler
|
||||
*/
|
||||
if(worker->dtenv.log_client_query_messages) {
|
||||
log_addr(VERB_ALGO, "request from client", &repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_ALGO, "request from client", &repinfo->client_addr, repinfo->client_addrlen);
|
||||
log_addr(VERB_ALGO, "to local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
|
||||
dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
|
||||
dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
|
||||
}
|
||||
#endif
|
||||
acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr,
|
||||
repinfo->addrlen);
|
||||
acl = acl_get_control(acladdr);
|
||||
|
||||
if((ret=deny_refuse_all(c, acl, worker, repinfo, acladdr,
|
||||
worker->env.cfg->ede)) != -1)
|
||||
{
|
||||
/* Check deny/refuse ACLs */
|
||||
if(repinfo->is_proxied) {
|
||||
if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr,
|
||||
worker->env.cfg->ede, 1)) != -1) {
|
||||
if(ret == 1)
|
||||
goto send_reply;
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr,
|
||||
worker->env.cfg->ede, 0)) != -1) {
|
||||
if(ret == 1)
|
||||
goto send_reply;
|
||||
return ret;
|
||||
}
|
||||
|
||||
if((ret=worker_check_request(c->buffer, worker)) != 0) {
|
||||
verbose(VERB_ALGO, "worker check request: bad query.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->client_addr, repinfo->client_addrlen);
|
||||
if(ret != -1) {
|
||||
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
|
||||
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret);
|
||||
@ -1353,20 +1373,24 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
|
||||
worker->stats.num_queries++;
|
||||
|
||||
/* check if this query should be dropped based on source ip rate limiting */
|
||||
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
|
||||
/* check if this query should be dropped based on source ip rate limiting
|
||||
* NOTE: we always check the repinfo->client_address. IP ratelimiting is
|
||||
* implicitly disabled for proxies. */
|
||||
if(!infra_ip_ratelimit_inc(worker->env.infra_cache,
|
||||
&repinfo->client_addr, repinfo->client_addrlen,
|
||||
*worker->env.now,
|
||||
worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
|
||||
/* See if we are passed through with slip factor */
|
||||
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
|
||||
ub_random_max(worker->env.rnd,
|
||||
worker->env.cfg->ip_ratelimit_factor) == 0) {
|
||||
|
||||
char addrbuf[128];
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen,
|
||||
addrbuf, sizeof(addrbuf));
|
||||
verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor",
|
||||
addrbuf);
|
||||
addr_to_str(&repinfo->client_addr,
|
||||
repinfo->client_addrlen, addrbuf,
|
||||
sizeof(addrbuf));
|
||||
verbose(VERB_QUERY, "ip_ratelimit allowed through for "
|
||||
"ip address %s because of slip in "
|
||||
"ip_ratelimit_factor", addrbuf);
|
||||
} else {
|
||||
worker->stats.num_queries_ip_ratelimited++;
|
||||
comm_point_drop_reply(repinfo);
|
||||
@ -1377,7 +1401,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
/* see if query is in the cache */
|
||||
if(!query_info_parse(&qinfo, c->buffer)) {
|
||||
verbose(VERB_ALGO, "worker parse request: formerror.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
memset(&qinfo, 0, sizeof(qinfo)); /* zero qinfo.qname */
|
||||
if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) {
|
||||
comm_point_drop_reply(repinfo);
|
||||
@ -1391,13 +1416,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
}
|
||||
if(worker->env.cfg->log_queries) {
|
||||
char ip[128];
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
|
||||
addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip));
|
||||
log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass);
|
||||
}
|
||||
if(qinfo.qtype == LDNS_RR_TYPE_AXFR ||
|
||||
qinfo.qtype == LDNS_RR_TYPE_IXFR) {
|
||||
verbose(VERB_ALGO, "worker request: refused zone transfer.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
sldns_buffer_rewind(c->buffer);
|
||||
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
|
||||
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
|
||||
@ -1414,7 +1440,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
qinfo.qtype == LDNS_RR_TYPE_MAILB ||
|
||||
(qinfo.qtype >= 128 && qinfo.qtype <= 248)) {
|
||||
verbose(VERB_ALGO, "worker request: formerror for meta-type.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) {
|
||||
comm_point_drop_reply(repinfo);
|
||||
return 0;
|
||||
@ -1432,7 +1459,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
worker->scratchpad)) != 0) {
|
||||
struct edns_data reply_edns;
|
||||
verbose(VERB_ALGO, "worker parse edns: formerror.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
memset(&reply_edns, 0, sizeof(reply_edns));
|
||||
reply_edns.edns_present = 1;
|
||||
reply_edns.udp_size = EDNS_ADVERTISED_SIZE;
|
||||
@ -1454,7 +1482,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
edns.opt_list_inplace_cb_out = NULL;
|
||||
edns.padding_block_size = 0;
|
||||
verbose(VERB_ALGO, "query with bad edns version.");
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo,
|
||||
*(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
|
||||
sldns_buffer_read_u16_at(c->buffer, 2), NULL);
|
||||
@ -1468,7 +1497,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
worker->daemon->cfg->harden_short_bufsize) {
|
||||
verbose(VERB_QUERY, "worker request: EDNS bufsize %d ignored",
|
||||
(int)edns.udp_size);
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
edns.udp_size = NORMAL_UDP_SIZE;
|
||||
}
|
||||
}
|
||||
@ -1477,12 +1507,14 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
verbose(VERB_QUERY,
|
||||
"worker request: max UDP reply size modified"
|
||||
" (%d to max-udp-size)", (int)edns.udp_size);
|
||||
log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
edns.udp_size = worker->daemon->cfg->max_udp_size;
|
||||
}
|
||||
if(edns.udp_size < LDNS_HEADER_SIZE) {
|
||||
verbose(VERB_ALGO, "worker request: edns is too small.");
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->addr, repinfo->addrlen);
|
||||
log_addr(VERB_CLIENT, "from", &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
LDNS_QR_SET(sldns_buffer_begin(c->buffer));
|
||||
LDNS_TC_SET(sldns_buffer_begin(c->buffer));
|
||||
LDNS_RCODE_SET(sldns_buffer_begin(c->buffer),
|
||||
@ -1506,7 +1538,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
}
|
||||
if(LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) ==
|
||||
LDNS_PACKET_NOTIFY) {
|
||||
answer_notify(worker, &qinfo, &edns, c->buffer, repinfo);
|
||||
answer_notify(worker, &qinfo, &edns, c->buffer,
|
||||
&repinfo->client_addr, repinfo->client_addrlen);
|
||||
regional_free_all(worker->scratchpad);
|
||||
goto send_reply;
|
||||
}
|
||||
@ -1582,7 +1615,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
sldns_buffer_read_u16_at(c->buffer, 2), &edns);
|
||||
regional_free_all(worker->scratchpad);
|
||||
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
|
||||
&repinfo->addr, repinfo->addrlen);
|
||||
&repinfo->client_addr, repinfo->client_addrlen);
|
||||
|
||||
goto send_reply;
|
||||
}
|
||||
@ -1722,9 +1755,9 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
if(verbosity >= VERB_CLIENT) {
|
||||
if(c->type == comm_udp)
|
||||
log_addr(VERB_CLIENT, "udp request from",
|
||||
&repinfo->addr, repinfo->addrlen);
|
||||
&repinfo->client_addr, repinfo->client_addrlen);
|
||||
else log_addr(VERB_CLIENT, "tcp request from",
|
||||
&repinfo->addr, repinfo->addrlen);
|
||||
&repinfo->client_addr, repinfo->client_addrlen);
|
||||
}
|
||||
|
||||
/* grab a work request structure for this new request */
|
||||
@ -1756,8 +1789,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
*/
|
||||
if(worker->dtenv.log_client_response_messages) {
|
||||
log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen);
|
||||
log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen);
|
||||
dt_msg_send_client_response(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
|
||||
log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen);
|
||||
dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer);
|
||||
}
|
||||
#endif
|
||||
if(worker->env.cfg->log_replies)
|
||||
@ -1769,10 +1802,12 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
/* log original qname, before the local alias was
|
||||
* used to resolve that CNAME to something else */
|
||||
qinfo.qname = qinfo.local_alias->rrset->rk.dname;
|
||||
log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen,
|
||||
log_reply_info(NO_VERBOSE, &qinfo,
|
||||
&repinfo->client_addr, repinfo->client_addrlen,
|
||||
tv, 1, c->buffer);
|
||||
} else {
|
||||
log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen,
|
||||
log_reply_info(NO_VERBOSE, &qinfo,
|
||||
&repinfo->client_addr, repinfo->client_addrlen,
|
||||
tv, 1, c->buffer);
|
||||
}
|
||||
}
|
||||
@ -1903,6 +1938,9 @@ worker_init(struct worker* worker, struct config_file *cfg,
|
||||
struct dt_env* dtenv = &worker->dtenv;
|
||||
#else
|
||||
void* dtenv = NULL;
|
||||
#endif
|
||||
#ifdef HAVE_GETTID
|
||||
worker->thread_tid = gettid();
|
||||
#endif
|
||||
worker->need_to_exit = 0;
|
||||
worker->base = comm_base_create(do_sigs);
|
||||
|
@ -86,6 +86,10 @@ struct worker {
|
||||
struct daemon* daemon;
|
||||
/** thread id */
|
||||
ub_thread_type thr_id;
|
||||
#ifdef HAVE_GETTID
|
||||
/** thread tid, the LWP id. */
|
||||
pid_t thread_tid;
|
||||
#endif
|
||||
/** pipe, for commands for this worker */
|
||||
struct tube* cmd;
|
||||
/** the event base this worker works with */
|
||||
|
@ -954,7 +954,7 @@ static int dtio_write_more(struct dt_io_thread* dtio)
|
||||
* -1: continue, >0: number of bytes read into buffer */
|
||||
static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) {
|
||||
ssize_t r;
|
||||
r = recv(dtio->fd, (void*)buf, len, 0);
|
||||
r = recv(dtio->fd, (void*)buf, len, MSG_DONTWAIT);
|
||||
if(r == -1) {
|
||||
char* to = dtio->socket_path;
|
||||
if(!to) to = dtio->ip_str;
|
||||
@ -1960,7 +1960,7 @@ static int dtio_open_output_tcp(struct dt_io_thread* dtio)
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
addrlen = (socklen_t)sizeof(addr);
|
||||
|
||||
if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen)) {
|
||||
if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen, UNBOUND_DNS_PORT)) {
|
||||
log_err("could not parse IP '%s'", dtio->ip_str);
|
||||
return 0;
|
||||
}
|
||||
|
@ -272,7 +272,7 @@ static int make_tcp_accept(char* ip)
|
||||
|
||||
memset(&addr, 0, sizeof(addr));
|
||||
len = (socklen_t)sizeof(addr);
|
||||
if(!extstrtoaddr(ip, &addr, &len)) {
|
||||
if(!extstrtoaddr(ip, &addr, &len, UNBOUND_DNS_PORT)) {
|
||||
log_err("could not parse IP '%s'", ip);
|
||||
return -1;
|
||||
}
|
||||
@ -617,7 +617,7 @@ static void log_data_frame(uint8_t* pkt, size_t len)
|
||||
static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf,
|
||||
size_t len)
|
||||
{
|
||||
ssize_t ret = recv(fd, buf, len, 0);
|
||||
ssize_t ret = recv(fd, buf, len, MSG_DONTWAIT);
|
||||
if(ret == 0) {
|
||||
/* closed */
|
||||
if(verbosity) log_info("dnstap client stream closed from %s",
|
||||
|
@ -1,9 +1,116 @@
|
||||
11 October 2022: George
|
||||
- Fix PROXYv2 header read for TCP connections when no proxied addresses
|
||||
are provided.
|
||||
|
||||
7 October 2022: George
|
||||
- Fix to stop possible loops in the tcp reuse code (write_wait list
|
||||
and tcp_wait list). Based on analysis and patch from Prad Seniappan
|
||||
and Karthik Umashankar.
|
||||
- Fix unit test to properly test the reuse_write_wait_pop function.
|
||||
|
||||
6 October 2022: Wouter
|
||||
- Fix to stop responses with TC flag from resulting in partial
|
||||
responses. It retries to fetch the data elsewhere, or fails the
|
||||
query and in depth fix removes the TC flag from the cached item.
|
||||
- Fix proxy length debug output printout typecasts.
|
||||
|
||||
5 October 2022: Wouter
|
||||
- Fix dnscrypt compile for proxy protocol code changes.
|
||||
|
||||
5 October 2022: George
|
||||
- Use DEBUG_TDIR from environment in mini_tdir.sh for debugging.
|
||||
- Fix string comparison in mini_tdir.sh.
|
||||
- Make ede.tdir test more predictable by using static data.
|
||||
- Fix checkconf test for dnscrypt and proxy port.
|
||||
|
||||
4 October 2022: George
|
||||
- Merge #764: Leniency for target discovery when under load (for
|
||||
NRDelegation changes).
|
||||
|
||||
4 October 2022: Wouter
|
||||
- Fix static analysis report to remove dead code from the
|
||||
rpz_callback_from_iterator_module function.
|
||||
- Fix to clean up after the acl_interface unit test.
|
||||
|
||||
3 October 2022: George
|
||||
- Merge #760: PROXYv2 downstream support. (New proxy-protocol-port
|
||||
configuration option).
|
||||
|
||||
3 October 2022: Wouter
|
||||
- Fix to remove erroneous TC flag from TCP upstream.
|
||||
- Fix test tdir skip report printout.
|
||||
- Fix windows compile, the identifier interface is defined in headers.
|
||||
- Fix to close errno block in comm_point_tcp_handle_read outside of
|
||||
ifdef.
|
||||
|
||||
26 September 2022: George
|
||||
- Better output for skipped tdir tests.
|
||||
|
||||
21 September 2022: Wouter
|
||||
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack.
|
||||
- This patch was released in 1.16.3, the code repository continues
|
||||
with the previous features and fixes for 1.17.0.
|
||||
- Fix doxygen warning in respip.h.
|
||||
|
||||
20 September 2022: George
|
||||
- Convert tdir tests to use the new skip_test functionality.
|
||||
- Remove unused testcode/mini_tpkg.sh file.
|
||||
|
||||
16 September 2022: George
|
||||
- Merge #753: ACL per interface. (New interface-* configuration
|
||||
options).
|
||||
|
||||
2 September 2022: Wouter
|
||||
- Remove include that was there for debug purposes.
|
||||
- Fix to check pthread_t size after pthread has been detected.
|
||||
|
||||
1 September 2022: Wouter
|
||||
- Fix to update config tests to fix checking if nonblocking sockets
|
||||
work on OpenBSD.
|
||||
- Slow down log frequency of write wait failures.
|
||||
- Fix to set out of file descriptor warning to operational verbosity.
|
||||
- Fix to log a verbose message at operational notice level if a
|
||||
thread is not responding, to stats requests. It is logged with
|
||||
thread identifiers.
|
||||
|
||||
31 August 2022: Wouter
|
||||
- Fix to avoid process wide fcntl calls mixed with nonblocking
|
||||
operations after a blocked write.
|
||||
- Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive
|
||||
operations, so that instruction reordering does not cause mistakenly
|
||||
blocking socket operations.
|
||||
- Fix to wait for blocked write on UDP sockets, with a timeout if it
|
||||
takes too long the packet is dropped.
|
||||
- Fix for wait for udp send to stop when packet is successfully sent.
|
||||
|
||||
22 August 2022: Wouter
|
||||
- Fix #741: systemd socket activation fails on IPv6.
|
||||
|
||||
12 August 2022: Wouter
|
||||
- Fix to log accept error ENFILE and EMFILE errno, but slowly, once
|
||||
per 10 seconds. Also log accept failures when no slow down is used.
|
||||
|
||||
5 August 2022: Wouter
|
||||
- Fix #734 [FR] enable unbound-checkconf to detect more (basic)
|
||||
errors.
|
||||
|
||||
4 August 2022: Wouter
|
||||
- Fix ratelimit inconsistency, for ip-ratelimits the value is the
|
||||
amount allowed, like for ratelimits.
|
||||
|
||||
2 August 2022: Wouter
|
||||
- Fix edns subnet so that scope 0 answers only match sourcemask 0
|
||||
queries for answers from cache if from a query with sourcemask 0.
|
||||
- Fix unittest for edns subnet change.
|
||||
- Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due
|
||||
to unsupported IPV6_USER_MTU socket option being set.
|
||||
|
||||
1 August 2022: Wouter
|
||||
- Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
|
||||
- Tests for ghost domain fixes.
|
||||
- Tag for 1.16.2 release. The code repo continues with 1.16.3.
|
||||
- Fix #728: alloc_reg_obtain() core dump. Stop double
|
||||
alloc_reg_release when serviced_create fails.
|
||||
|
||||
19 July 2022: George
|
||||
- Update documentation for 'outbound-msg-retry:'.
|
||||
|
@ -1,4 +1,4 @@
|
||||
README for Unbound 1.16.3
|
||||
README for Unbound 1.17.0
|
||||
Copyright 2007 NLnet Labs
|
||||
http://unbound.net
|
||||
|
||||
|
@ -1,7 +1,7 @@
|
||||
#
|
||||
# Example configuration file.
|
||||
#
|
||||
# See unbound.conf(5) man page, version 1.16.3.
|
||||
# See unbound.conf(5) man page, version 1.17.0.
|
||||
#
|
||||
# this is a comment.
|
||||
|
||||
@ -17,7 +17,7 @@ server:
|
||||
# whitespace is not necessary, but looks cleaner.
|
||||
|
||||
# verbosity number, 0 is least verbose. 1 is default.
|
||||
verbosity: 1
|
||||
# verbosity: 1
|
||||
|
||||
# print statistics to the log (for every thread) every N seconds.
|
||||
# Set to "" or 0 to disable. Default is disabled.
|
||||
@ -50,6 +50,7 @@ server:
|
||||
# interface: 192.0.2.154
|
||||
# interface: 192.0.2.154@5003
|
||||
# interface: 2001:DB8::5
|
||||
# interface: eth0@5003
|
||||
|
||||
# enable this feature to copy the source address of queries to reply.
|
||||
# Socket options are not supported on all platforms. experimental.
|
||||
@ -217,7 +218,8 @@ server:
|
||||
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
|
||||
# infra-cache-numhosts: 10000
|
||||
|
||||
# define a number of tags here, use with local-zone, access-control.
|
||||
# define a number of tags here, use with local-zone, access-control,
|
||||
# interface-*.
|
||||
# repeat the define-tag statement to add additional tags.
|
||||
# define-tag: "tag1 tag2 tag3"
|
||||
|
||||
@ -273,9 +275,7 @@ server:
|
||||
# allow_snoop (recursive and nonrecursive ok)
|
||||
# deny_non_local (drop queries unless can be answered from local-data)
|
||||
# refuse_non_local (like deny_non_local but polite error reply).
|
||||
# access-control: 0.0.0.0/0 refuse
|
||||
# access-control: 127.0.0.0/8 allow
|
||||
# access-control: ::0/0 refuse
|
||||
# access-control: ::1 allow
|
||||
# access-control: ::ffff:127.0.0.1 allow
|
||||
|
||||
@ -284,7 +284,7 @@ server:
|
||||
# are tagged with one of these tags.
|
||||
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
|
||||
|
||||
# set action for particular tag for given access control element
|
||||
# set action for particular tag for given access control element.
|
||||
# if you have multiple tag values, the tag used to lookup the action
|
||||
# is the first tag match between access-control-tag and local-zone-tag
|
||||
# where "first" comes from the order of the define-tag values.
|
||||
@ -296,6 +296,58 @@ server:
|
||||
# Set view for access control element
|
||||
# access-control-view: 192.0.2.0/24 viewname
|
||||
|
||||
# Similar to 'access-control:' but for interfaces.
|
||||
# Control which listening interfaces are allowed to accept (recursive)
|
||||
# queries for this server.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the action.
|
||||
# The actions are the same as 'access-control:' above.
|
||||
# By default all the interfaces configured are refused.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-action: 192.0.2.153 allow
|
||||
# interface-action: 192.0.2.154 allow
|
||||
# interface-action: 192.0.2.154@5003 allow
|
||||
# interface-action: 2001:DB8::5 allow
|
||||
# interface-action: eth0@5003 allow
|
||||
|
||||
# Similar to 'access-control-tag:' but for interfaces.
|
||||
# Tag interfaces with a list of tags (in "" with spaces between).
|
||||
# Interfaces using these tags use localzones that are tagged with one
|
||||
# of these tags.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the list of tags.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-tag: eth0@5003 "tag2 tag3"
|
||||
|
||||
# Similar to 'access-control-tag-action:' but for interfaces.
|
||||
# Set action for particular tag for a given interface element.
|
||||
# If you have multiple tag values, the tag used to lookup the action
|
||||
# is the first tag match between interface-tag and local-zone-tag
|
||||
# where "first" comes from the order of the define-tag values.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the tag and action.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-tag-action: eth0@5003 tag3 refuse
|
||||
|
||||
# Similar to 'access-control-tag-data:' but for interfaces.
|
||||
# Set redirect data for a particular tag for an interface element.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the tag and the redirect data.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
|
||||
|
||||
# Similar to 'access-control-view:' but for interfaces.
|
||||
# Set view for an interface element.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the view name.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-view: eth0@5003 viewname
|
||||
|
||||
# if given, a chroot(2) is done to the given directory.
|
||||
# i.e. you can chroot to the working directory, for example,
|
||||
# for extra security, but make sure all files are in that directory.
|
||||
@ -850,6 +902,10 @@ server:
|
||||
# Disable TLS for DNS-over-HTTP downstream service.
|
||||
# http-notls-downstream: no
|
||||
|
||||
# The interfaces that use these listed port numbers will support and
|
||||
# expect PROXYv2. For UDP and TCP/TLS interfaces.
|
||||
# proxy-protocol-port: portno for each of the port numbers.
|
||||
|
||||
# DNS64 prefix. Must be specified when DNS64 is use.
|
||||
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
|
||||
# dns64-prefix: 64:ff9b::0/96
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "libunbound" "3" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "libunbound" "3" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" libunbound.3 -- unbound library functions manual
|
||||
.\"
|
||||
@ -44,7 +44,7 @@
|
||||
.B ub_ctx_zone_remove,
|
||||
.B ub_ctx_data_add,
|
||||
.B ub_ctx_data_remove
|
||||
\- Unbound DNS validating resolver 1.16.3 functions.
|
||||
\- Unbound DNS validating resolver 1.17.0 functions.
|
||||
.SH "SYNOPSIS"
|
||||
.B #include <unbound.h>
|
||||
.LP
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-anchor" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "unbound-anchor" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-checkconf" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "unbound-checkconf" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" unbound-checkconf.8 -- unbound configuration checker manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound-control" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "unbound-control" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" unbound-control.8 -- unbound remote control manual
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound\-host" "1" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "unbound\-host" "1" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" unbound-host.1 -- unbound DNS lookup utility
|
||||
.\"
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound" "8" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "unbound" "8" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" unbound.8 -- unbound manual
|
||||
.\"
|
||||
@ -9,7 +9,7 @@
|
||||
.\"
|
||||
.SH "NAME"
|
||||
.B unbound
|
||||
\- Unbound DNS validating resolver 1.16.3.
|
||||
\- Unbound DNS validating resolver 1.17.0.
|
||||
.SH "SYNOPSIS"
|
||||
.B unbound
|
||||
.RB [ \-h ]
|
||||
|
@ -1,4 +1,4 @@
|
||||
.TH "unbound.conf" "5" "Sep 21, 2022" "NLnet Labs" "unbound 1.16.3"
|
||||
.TH "unbound.conf" "5" "Oct 13, 2022" "NLnet Labs" "unbound 1.17.0"
|
||||
.\"
|
||||
.\" unbound.conf.5 -- unbound.conf manual
|
||||
.\"
|
||||
@ -118,7 +118,7 @@ The number of threads to create to serve clients. Use 1 for no threading.
|
||||
.B port: \fI<port number>
|
||||
The port number, default 53, on which the server responds to queries.
|
||||
.TP
|
||||
.B interface: \fI<ip address[@port]>
|
||||
.B interface: \fI<ip address or interface name [@port]>
|
||||
Interface to use to connect to the network. This interface is listened to
|
||||
for queries from clients, and answers to clients are given from it.
|
||||
Can be given multiple times to work on several interfaces. If none are
|
||||
@ -129,7 +129,7 @@ A port number can be specified with @port (without spaces between
|
||||
interface and port number), if not specified the default port (from
|
||||
\fBport\fR) is used.
|
||||
.TP
|
||||
.B ip\-address: \fI<ip address[@port]>
|
||||
.B ip\-address: \fI<ip address or interface name [@port]>
|
||||
Same as interface: (for ease of compatibility with nsd.conf).
|
||||
.TP
|
||||
.B interface\-automatic: \fI<yes or no>
|
||||
@ -656,6 +656,17 @@ Ignored if the option is not available. Default is yes.
|
||||
Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for
|
||||
local back end servers. Default is no.
|
||||
.TP
|
||||
.B proxy\-protocol\-port: \fI<portnr>
|
||||
List port numbers as proxy\-protocol\-port, and when interfaces are defined,
|
||||
eg. with the @port suffix, as this port number, they support and expect PROXYv2.
|
||||
In this case the proxy address will only be used for the network communication
|
||||
and initial ACL (check if the proxy itself is denied/refused by configuration).
|
||||
The proxied address (if any) will then be used as the true client address and
|
||||
will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting.
|
||||
PROXYv2 is supported for UDP and TCP/TLS listening interfaces.
|
||||
There is no support for PROXYv2 on a DoH or DNSCrypt listening interface.
|
||||
Can list multiple, each on a new statement.
|
||||
.TP
|
||||
.B use\-systemd: \fI<yes or no>
|
||||
Enable or disable systemd socket activation.
|
||||
Default is no.
|
||||
@ -675,7 +686,7 @@ The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
The most specific netblock match is used, if none match \fIrefuse\fR is used.
|
||||
The order of the access\-control statements therefore does not matter.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
@ -741,6 +752,46 @@ Set redirect data for particular tag for given access control element.
|
||||
.B access\-control\-view: \fI<IP netblock> <view name>
|
||||
Set view for given access control element.
|
||||
.TP
|
||||
.B interface\-action: \fI<ip address or interface name [@port]> <action>
|
||||
Similar to \fBaccess\-control:\fR but for interfaces.
|
||||
.IP
|
||||
The action is the same as the ones defined under \fBaccess\-control:\fR.
|
||||
Interfaces are \fIrefuse\fRd by default.
|
||||
By default only localhost (the IP netblock, not the loopback interface) is
|
||||
\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
|
||||
Similar to \fBaccess\-control-tag:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
|
||||
Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
|
||||
Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-view: \fI<ip address or interface name [@port]> <view name>
|
||||
Similar to \fBaccess\-control-view:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B chroot: \fI<directory>
|
||||
If chroot is enabled, you should pass the configfile (from the
|
||||
commandline) as a full path from the original root. After the
|
||||
@ -1823,9 +1874,11 @@ section for options. To setup the correct self\-signed certificates use the
|
||||
The option is used to enable remote control, default is "no".
|
||||
If turned off, the server does not listen for control commands.
|
||||
.TP 5
|
||||
.B control\-interface: \fI<ip address or path>
|
||||
.B control\-interface: \fI<ip address or interface name or path>
|
||||
Give IPv4 or IPv6 addresses or local socket path to listen on for
|
||||
control commands.
|
||||
If an interface name is used instead of an ip address, the list of ip addresses
|
||||
on that interface are used.
|
||||
By default localhost (127.0.0.1 and ::1) is listened to.
|
||||
Use 0.0.0.0 and ::0 to listen to all interfaces.
|
||||
If you change this and permissions have been dropped, you must restart
|
||||
|
@ -97,6 +97,7 @@ node_create(struct addrtree *tree, void *elem, addrlen_t scope,
|
||||
tree->node_count++;
|
||||
node->scope = scope;
|
||||
node->ttl = ttl;
|
||||
node->only_match_scope_zero = 0;
|
||||
node->edge[0] = NULL;
|
||||
node->edge[1] = NULL;
|
||||
node->parent_edge = NULL;
|
||||
@ -155,6 +156,7 @@ clean_node(struct addrtree *tree, struct addrnode *node)
|
||||
if (!node->elem) return;
|
||||
tree->size_bytes -= tree->sizefunc(node->elem);
|
||||
tree->delfunc(tree->env, node->elem);
|
||||
node->only_match_scope_zero = 0;
|
||||
node->elem = NULL;
|
||||
}
|
||||
|
||||
@ -358,7 +360,7 @@ issub(const addrkey_t *s1, addrlen_t l1,
|
||||
void
|
||||
addrtree_insert(struct addrtree *tree, const addrkey_t *addr,
|
||||
addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl,
|
||||
time_t now)
|
||||
time_t now, int only_match_scope_zero)
|
||||
{
|
||||
struct addrnode *newnode, *node;
|
||||
struct addredge *edge;
|
||||
@ -381,6 +383,7 @@ addrtree_insert(struct addrtree *tree, const addrkey_t *addr,
|
||||
/* update this node's scope and data */
|
||||
clean_node(tree, node);
|
||||
node->ttl = ttl;
|
||||
node->only_match_scope_zero = only_match_scope_zero;
|
||||
node->elem = elem;
|
||||
node->scope = scope;
|
||||
tree->size_bytes += tree->sizefunc(elem);
|
||||
@ -447,6 +450,7 @@ addrtree_insert(struct addrtree *tree, const addrkey_t *addr,
|
||||
newnode->elem = elem;
|
||||
newnode->scope = scope;
|
||||
newnode->ttl = ttl;
|
||||
newnode->only_match_scope_zero = only_match_scope_zero;
|
||||
}
|
||||
|
||||
tree->size_bytes += node_size(tree, newnode);
|
||||
@ -483,7 +487,8 @@ addrtree_find(struct addrtree *tree, const addrkey_t *addr,
|
||||
/* Current node more specific then question. */
|
||||
log_assert(depth <= sourcemask);
|
||||
/* does this node have data? if yes, see if we have a match */
|
||||
if (node->elem && node->ttl >= now) {
|
||||
if (node->elem && node->ttl >= now &&
|
||||
!(sourcemask != 0 && node->only_match_scope_zero)) {
|
||||
/* saved at wrong depth */;
|
||||
log_assert(node->scope >= depth);
|
||||
if (depth == node->scope ||
|
||||
|
@ -95,6 +95,10 @@ struct addrnode {
|
||||
time_t ttl;
|
||||
/** Number of significant bits in address. */
|
||||
addrlen_t scope;
|
||||
/** Only use the element for queries for subnet/0. Set if the query
|
||||
* for /0 was answered with scope 0. For query /x answer scope 0,
|
||||
* they can match anything and this is false. */
|
||||
int only_match_scope_zero;
|
||||
/** A node can have 0-2 edges, set to NULL for unused */
|
||||
struct addredge *edge[2];
|
||||
/** edge between this node and parent */
|
||||
@ -157,11 +161,12 @@ void addrtree_delete(struct addrtree *tree);
|
||||
* @param scope: Number of significant bits in addr.
|
||||
* @param elem: data to store in the tree.
|
||||
* @param ttl: elem is valid up to this time, seconds.
|
||||
* @param only_match_scope_zero: set for when query /0 has scope /0 answer.
|
||||
* @param now: Current time in seconds.
|
||||
*/
|
||||
void addrtree_insert(struct addrtree *tree, const addrkey_t *addr,
|
||||
addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl,
|
||||
time_t now);
|
||||
time_t now, int only_match_scope_zero);
|
||||
|
||||
/**
|
||||
* Find a node containing an element in the tree.
|
||||
|
@ -55,6 +55,7 @@
|
||||
#include "util/config_file.h"
|
||||
#include "util/data/msgreply.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "sldns/wire2str.h"
|
||||
#include "iterator/iter_utils.h"
|
||||
|
||||
/** externally called */
|
||||
@ -331,6 +332,7 @@ update_cache(struct module_qstate *qstate, int id)
|
||||
struct slabhash *subnet_msg_cache = sne->subnet_msg_cache;
|
||||
struct ecs_data *edns = &sq->ecs_client_in;
|
||||
size_t i;
|
||||
int only_match_scope_zero;
|
||||
|
||||
/* We already calculated hash upon lookup (lookup_and_reply) if we were
|
||||
* allowed to look in the ECS cache */
|
||||
@ -392,9 +394,12 @@ update_cache(struct module_qstate *qstate, int id)
|
||||
reply_info_set_ttls(rep, *qstate->env->now);
|
||||
rep->flags |= (BIT_RA | BIT_QR); /* fix flags to be sensible for */
|
||||
rep->flags &= ~(BIT_AA | BIT_CD);/* a reply based on the cache */
|
||||
if(edns->subnet_source_mask == 0 && edns->subnet_scope_mask == 0)
|
||||
only_match_scope_zero = 1;
|
||||
else only_match_scope_zero = 0;
|
||||
addrtree_insert(tree, (addrkey_t*)edns->subnet_addr,
|
||||
edns->subnet_source_mask, sq->max_scope, rep,
|
||||
rep->ttl, *qstate->env->now);
|
||||
rep->ttl, *qstate->env->now, only_match_scope_zero);
|
||||
|
||||
lock_rw_unlock(&lru_entry->lock);
|
||||
if (need_to_insert) {
|
||||
@ -674,6 +679,24 @@ ecs_query_response(struct module_qstate* qstate, struct dns_msg* response,
|
||||
return 1;
|
||||
}
|
||||
|
||||
/** verbose print edns subnet option in pretty print */
|
||||
static void
|
||||
subnet_log_print(const char* s, struct edns_option* ecs_opt)
|
||||
{
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
char buf[256];
|
||||
char* str = buf;
|
||||
size_t str_len = sizeof(buf);
|
||||
if(!ecs_opt) {
|
||||
verbose(VERB_ALGO, "%s (null)", s);
|
||||
return;
|
||||
}
|
||||
(void)sldns_wire2str_edns_subnet_print(&str, &str_len,
|
||||
ecs_opt->opt_data, ecs_opt->opt_len);
|
||||
verbose(VERB_ALGO, "%s %s", s, buf);
|
||||
}
|
||||
}
|
||||
|
||||
int
|
||||
ecs_edns_back_parsed(struct module_qstate* qstate, int id,
|
||||
void* ATTR_UNUSED(cbargs))
|
||||
@ -688,6 +711,7 @@ ecs_edns_back_parsed(struct module_qstate* qstate, int id,
|
||||
qstate->env->cfg->client_subnet_opcode)) &&
|
||||
parse_subnet_option(ecs_opt, &sq->ecs_server_in) &&
|
||||
sq->subnet_sent && sq->ecs_server_in.subnet_validdata) {
|
||||
subnet_log_print("answer has edns subnet", ecs_opt);
|
||||
/* Only skip global cache store if we sent an ECS option
|
||||
* and received one back. Answers from non-whitelisted
|
||||
* servers will end up in global cache. Answers for
|
||||
@ -736,11 +760,12 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
qstate->ext_state[id] = module_finished;
|
||||
return;
|
||||
}
|
||||
subnet_log_print("query has edns subnet", ecs_opt);
|
||||
sq->subnet_downstream = 1;
|
||||
}
|
||||
else if(qstate->mesh_info->reply_list) {
|
||||
subnet_option_from_ss(
|
||||
&qstate->mesh_info->reply_list->query_reply.addr,
|
||||
&qstate->mesh_info->reply_list->query_reply.client_addr,
|
||||
&sq->ecs_client_in, qstate->env->cfg);
|
||||
}
|
||||
|
||||
@ -775,6 +800,13 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
subnet_ecs_opt_list_append(&sq->ecs_client_out,
|
||||
&qstate->edns_opts_front_out, qstate,
|
||||
qstate->region);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
subnet_log_print("reply has edns subnet",
|
||||
edns_opt_list_find(
|
||||
qstate->edns_opts_front_out,
|
||||
qstate->env->cfg->
|
||||
client_subnet_opcode));
|
||||
}
|
||||
return;
|
||||
}
|
||||
lock_rw_unlock(&sne->biglock);
|
||||
@ -823,6 +855,13 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
|
||||
subnet_ecs_opt_list_append(&sq->ecs_client_out,
|
||||
&qstate->edns_opts_front_out, qstate,
|
||||
qstate->region);
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
subnet_log_print("reply has edns subnet",
|
||||
edns_opt_list_find(
|
||||
qstate->edns_opts_front_out,
|
||||
qstate->env->cfg->
|
||||
client_subnet_opcode));
|
||||
}
|
||||
}
|
||||
qstate->no_cache_store = sq->started_no_cache_store;
|
||||
qstate->no_cache_lookup = sq->started_no_cache_lookup;
|
||||
|
@ -100,7 +100,7 @@ ah(struct delegpt* dp, const char* sv, const char* ip)
|
||||
return 0;
|
||||
}
|
||||
if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) ||
|
||||
!extstrtoaddr(ip, &addr, &addrlen) ||
|
||||
!extstrtoaddr(ip, &addr, &addrlen, UNBOUND_DNS_PORT) ||
|
||||
!delegpt_add_target_mlc(dp, dname, dname_len,
|
||||
&addr, addrlen, 0, 0)) {
|
||||
free(dname);
|
||||
|
@ -113,6 +113,10 @@ response_type_from_server(int rdset,
|
||||
|
||||
if(!msg || !request)
|
||||
return RESPONSE_TYPE_THROWAWAY;
|
||||
/* If the TC flag is set, the response is incomplete. Too large to
|
||||
* fit even in TCP or so. Discard it, it cannot be retrieved here. */
|
||||
if((msg->rep->flags & BIT_TC))
|
||||
return RESPONSE_TYPE_THROWAWAY;
|
||||
|
||||
/* If the message is NXDOMAIN, then it answers the question. */
|
||||
if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) {
|
||||
|
@ -255,9 +255,9 @@ error_supers(struct module_qstate* qstate, int id, struct module_qstate* super)
|
||||
log_err("out of memory adding missing");
|
||||
}
|
||||
delegpt_mark_neg(dpns, qstate->qinfo.qtype);
|
||||
dpns->resolved = 1; /* mark as failed */
|
||||
if((dpns->got4 == 2 || !ie->supports_ipv4) &&
|
||||
(dpns->got6 == 2 || !ie->supports_ipv6)) {
|
||||
dpns->resolved = 1; /* mark as failed */
|
||||
target_count_increase_nx(super_iq, 1);
|
||||
}
|
||||
}
|
||||
@ -596,15 +596,17 @@ errinf_reply(struct module_qstate* qstate, struct iter_qstate* iq)
|
||||
{
|
||||
if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail)
|
||||
return;
|
||||
if((qstate->reply && qstate->reply->addrlen != 0) ||
|
||||
(iq->fail_reply && iq->fail_reply->addrlen != 0)) {
|
||||
if((qstate->reply && qstate->reply->remote_addrlen != 0) ||
|
||||
(iq->fail_reply && iq->fail_reply->remote_addrlen != 0)) {
|
||||
char from[256], frm[512];
|
||||
if(qstate->reply && qstate->reply->addrlen != 0)
|
||||
addr_to_str(&qstate->reply->addr, qstate->reply->addrlen,
|
||||
from, sizeof(from));
|
||||
if(qstate->reply && qstate->reply->remote_addrlen != 0)
|
||||
addr_to_str(&qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen, from,
|
||||
sizeof(from));
|
||||
else
|
||||
addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen,
|
||||
from, sizeof(from));
|
||||
addr_to_str(&iq->fail_reply->remote_addr,
|
||||
iq->fail_reply->remote_addrlen, from,
|
||||
sizeof(from));
|
||||
snprintf(frm, sizeof(frm), "from %s", from);
|
||||
errinf(qstate, frm);
|
||||
}
|
||||
@ -2262,6 +2264,7 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
size_t qout_orig_len = 0;
|
||||
int sq_check_ratelimit = 1;
|
||||
int sq_was_ratelimited = 0;
|
||||
int can_do_promisc = 0;
|
||||
|
||||
/* NOTE: a request will encounter this state for each target it
|
||||
* needs to send a query to. That is, at least one per referral,
|
||||
@ -2589,12 +2592,12 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
if(iq->depth < ie->max_dependency_depth
|
||||
&& iq->num_target_queries == 0
|
||||
&& (!iq->target_count || iq->target_count[TARGET_COUNT_NX]==0)
|
||||
&& iq->sent_count < TARGET_FETCH_STOP
|
||||
/* if the mesh query list is full, then do not waste cpu
|
||||
* and sockets to fetch promiscuous targets. They can be
|
||||
* looked up when needed. */
|
||||
&& !mesh_jostle_exceeded(qstate->env->mesh)
|
||||
) {
|
||||
&& iq->sent_count < TARGET_FETCH_STOP) {
|
||||
can_do_promisc = 1;
|
||||
}
|
||||
/* if the mesh query list is full, then do not waste cpu and sockets to
|
||||
* fetch promiscuous targets. They can be looked up when needed. */
|
||||
if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) {
|
||||
tf_policy = ie->target_fetch_policy[iq->depth];
|
||||
}
|
||||
|
||||
@ -2766,6 +2769,37 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* We have a target. We could have created promiscuous target
|
||||
* queries but we are currently under pressure (mesh_jostle_exceeded).
|
||||
* If we are configured to allow promiscuous target queries and haven't
|
||||
* gone out to the network for a target query for this delegation, then
|
||||
* it is possible to slip in a promiscuous one with a 1/10 chance. */
|
||||
if(can_do_promisc && tf_policy == 0 && iq->depth == 0
|
||||
&& iq->depth < ie->max_dependency_depth
|
||||
&& ie->target_fetch_policy[iq->depth] != 0
|
||||
&& iq->dp_target_count == 0
|
||||
&& !ub_random_max(qstate->env->rnd, 10)) {
|
||||
int extra = 0;
|
||||
verbose(VERB_ALGO, "available target exists in cache but "
|
||||
"attempt to get extra 1 target");
|
||||
(void)query_for_targets(qstate, iq, ie, id, 1, &extra);
|
||||
/* errors ignored, these targets are not strictly necessary for
|
||||
* this result, we do not have to reply with SERVFAIL */
|
||||
if(extra > 0) {
|
||||
iq->num_target_queries += extra;
|
||||
target_count_increase(iq, extra);
|
||||
check_waiting_queries(iq, qstate, id);
|
||||
/* undo qname minimise step because we'll get back here
|
||||
* to do it again */
|
||||
if(qout_orig && iq->minimise_count > 0) {
|
||||
iq->minimise_count--;
|
||||
iq->qinfo_out.qname = qout_orig;
|
||||
iq->qinfo_out.qname_len = qout_orig_len;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
/* Do not check ratelimit for forwarding queries or if we already got a
|
||||
* pass. */
|
||||
sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok);
|
||||
@ -2873,6 +2907,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
(int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd),
|
||||
iq->response, &iq->qinfo_out, iq->dp);
|
||||
iq->chase_to_rd = 0;
|
||||
/* remove TC flag, if this is erroneously set by TCP upstream */
|
||||
iq->response->rep->flags &= ~BIT_TC;
|
||||
if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) &&
|
||||
!iq->auth_zone_response) {
|
||||
/* When forwarding (RD bit is set), we handle referrals
|
||||
@ -2896,8 +2932,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* use dnssec-lame-bypass if it needs to query there.*/
|
||||
if(qstate->reply) {
|
||||
struct delegpt_addr* a = delegpt_find_addr(
|
||||
iq->dp, &qstate->reply->addr,
|
||||
qstate->reply->addrlen);
|
||||
iq->dp, &qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen);
|
||||
if(a) a->dnsseclame = 1;
|
||||
}
|
||||
/* test the answer is from the zone we expected,
|
||||
@ -2994,8 +3030,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->num_target_queries = 0;
|
||||
if(qstate->reply)
|
||||
sock_list_insert(&qstate->reply_origin,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
qstate->region);
|
||||
&qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen, qstate->region);
|
||||
if(iq->minimisation_state != DONOT_MINIMISE_STATE
|
||||
&& !(iq->chase_flags & BIT_RD)) {
|
||||
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
|
||||
@ -3251,8 +3287,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
iq->num_target_queries = 0;
|
||||
if(qstate->reply)
|
||||
sock_list_insert(&qstate->reply_origin,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
qstate->region);
|
||||
&qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen, qstate->region);
|
||||
verbose(VERB_ALGO, "cleared outbound list for query restart");
|
||||
/* go to INIT_REQUEST_STATE for new qname. */
|
||||
return next_state(iq, INIT_REQUEST_STATE);
|
||||
@ -3267,7 +3303,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
/* need addr for lameness cache, but we may have
|
||||
* gotten this from cache, so test to be sure */
|
||||
if(!infra_set_lame(qstate->env->infra_cache,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
&qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen,
|
||||
iq->dp->name, iq->dp->namelen,
|
||||
*qstate->env->now, dnsseclame, 0,
|
||||
iq->qchase.qtype))
|
||||
@ -3285,7 +3322,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
* gotten this from cache, so test to be sure */
|
||||
verbose(VERB_DETAIL, "mark as REC_LAME");
|
||||
if(!infra_set_lame(qstate->env->infra_cache,
|
||||
&qstate->reply->addr, qstate->reply->addrlen,
|
||||
&qstate->reply->remote_addr,
|
||||
qstate->reply->remote_addrlen,
|
||||
iq->dp->name, iq->dp->namelen,
|
||||
*qstate->env->now, 0, 1, iq->qchase.qtype))
|
||||
log_err("mark host lame: out of memory");
|
||||
@ -3527,15 +3565,16 @@ processTargetResponse(struct module_qstate* qstate, int id,
|
||||
} else {
|
||||
verbose(VERB_ALGO, "iterator TargetResponse failed");
|
||||
delegpt_mark_neg(dpns, qstate->qinfo.qtype);
|
||||
dpns->resolved = 1; /* fail the target */
|
||||
if((dpns->got4 == 2 || !ie->supports_ipv4) &&
|
||||
(dpns->got6 == 2 || !ie->supports_ipv6) &&
|
||||
(dpns->got6 == 2 || !ie->supports_ipv6)) {
|
||||
dpns->resolved = 1; /* fail the target */
|
||||
/* do not count cached answers */
|
||||
(qstate->reply_origin && qstate->reply_origin->len != 0)) {
|
||||
if(qstate->reply_origin && qstate->reply_origin->len != 0) {
|
||||
target_count_increase_nx(foriq, 1);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Process response for DS NS Find queries, that attempt to find the delegation
|
||||
@ -4015,7 +4054,7 @@ process_response(struct module_qstate* qstate, struct iter_qstate* iq,
|
||||
goto handle_it;
|
||||
log_query_info(VERB_DETAIL, "response for", &qstate->qinfo);
|
||||
log_name_addr(VERB_DETAIL, "reply from", iq->dp->name,
|
||||
&qstate->reply->addr, qstate->reply->addrlen);
|
||||
&qstate->reply->remote_addr, qstate->reply->remote_addrlen);
|
||||
if(verbosity >= VERB_ALGO)
|
||||
log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo,
|
||||
iq->response->rep);
|
||||
|
@ -324,7 +324,7 @@ struct iter_qstate {
|
||||
/** the number of times this query has been restarted. */
|
||||
int query_restart_count;
|
||||
|
||||
/** the number of times this query as followed a referral. */
|
||||
/** the number of times this query has followed a referral. */
|
||||
int referral_count;
|
||||
|
||||
/** number of queries fired off */
|
||||
|
@ -951,7 +951,7 @@ ub_ctx_set_fwd(struct ub_ctx* ctx, const char* addr)
|
||||
lock_basic_unlock(&ctx->cfglock);
|
||||
|
||||
/* check syntax for addr */
|
||||
if(!extstrtoaddr(addr, &storage, &stlen)) {
|
||||
if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) {
|
||||
errno=EINVAL;
|
||||
return UB_SYNTAX;
|
||||
}
|
||||
@ -1031,7 +1031,7 @@ int ub_ctx_set_stub(struct ub_ctx* ctx, const char* zone, const char* addr,
|
||||
if(addr) {
|
||||
struct sockaddr_storage storage;
|
||||
socklen_t stlen;
|
||||
if(!extstrtoaddr(addr, &storage, &stlen)) {
|
||||
if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) {
|
||||
errno=EINVAL;
|
||||
return UB_SYNTAX;
|
||||
}
|
||||
|
@ -1290,7 +1290,7 @@ respip_set_is_empty(const struct respip_set* set)
|
||||
void
|
||||
respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname,
|
||||
uint16_t qtype, uint16_t qclass, struct local_rrset* local_alias,
|
||||
struct comm_reply* repinfo)
|
||||
struct sockaddr_storage* addr, socklen_t addrlen)
|
||||
{
|
||||
char srcip[128], respip[128], txt[512];
|
||||
unsigned port;
|
||||
@ -1300,10 +1300,10 @@ respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname,
|
||||
|
||||
if(local_alias)
|
||||
qname = local_alias->rrset->rk.dname;
|
||||
port = (unsigned)((repinfo->addr.ss_family == AF_INET) ?
|
||||
ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port) :
|
||||
ntohs(((struct sockaddr_in6*)&repinfo->addr)->sin6_port));
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen, srcip, sizeof(srcip));
|
||||
port = (unsigned)((addr->ss_family == AF_INET) ?
|
||||
ntohs(((struct sockaddr_in*)addr)->sin_port) :
|
||||
ntohs(((struct sockaddr_in6*)addr)->sin6_port));
|
||||
addr_to_str(addr, addrlen, srcip, sizeof(srcip));
|
||||
addr_to_str(&respip_addr->addr, respip_addr->addrlen,
|
||||
respip, sizeof(respip));
|
||||
if(respip_actinfo->rpz_log) {
|
||||
|
@ -251,11 +251,13 @@ int respip_set_is_empty(const struct respip_set* set);
|
||||
* @param local_alias: set to a local alias if the query matches an alias in
|
||||
* a local zone. In this case its owner name will be considered the actual
|
||||
* query name.
|
||||
* @param repinfo: reply info containing the client's source address and port.
|
||||
* @param addr: the client's source address and port.
|
||||
* @param addrlen: the client's source address length.
|
||||
*/
|
||||
void respip_inform_print(struct respip_action_info* respip_actinfo,
|
||||
uint8_t* qname, uint16_t qtype, uint16_t qclass,
|
||||
struct local_rrset* local_alias, struct comm_reply* repinfo);
|
||||
struct local_rrset* local_alias, struct sockaddr_storage* addr,
|
||||
socklen_t addrlen);
|
||||
|
||||
/**
|
||||
* Find resp_addr in tree, create and add to tree if it does not exist.
|
||||
|
@ -3699,7 +3699,7 @@ addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr,
|
||||
/* compare address (but not port number, that is the destination
|
||||
* port of the master, the port number of the received notify is
|
||||
* allowed to by any port on that master) */
|
||||
if(extstrtoaddr(master->host, &a, &alen) &&
|
||||
if(extstrtoaddr(master->host, &a, &alen, UNBOUND_DNS_PORT) &&
|
||||
sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) {
|
||||
*fromhost = master;
|
||||
return 1;
|
||||
@ -5381,7 +5381,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
|
||||
struct edns_data edns;
|
||||
sldns_buffer* buf = env->scratch_buffer;
|
||||
if(!master) return 0;
|
||||
if(extstrtoaddr(master->host, &addr, &addrlen)) {
|
||||
if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) {
|
||||
/* not needed, host is in IP addr format */
|
||||
return 0;
|
||||
}
|
||||
@ -6572,7 +6572,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
|
||||
struct edns_data edns;
|
||||
sldns_buffer* buf = env->scratch_buffer;
|
||||
if(!master) return 0;
|
||||
if(extstrtoaddr(master->host, &addr, &addrlen)) {
|
||||
if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) {
|
||||
/* not needed, host is in IP addr format */
|
||||
return 0;
|
||||
}
|
||||
|
37
contrib/unbound/services/cache/infra.c
vendored
37
contrib/unbound/services/cache/infra.c
vendored
@ -834,14 +834,13 @@ static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra,
|
||||
|
||||
/** find data item in array for ip addresses */
|
||||
static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra,
|
||||
struct comm_reply* repinfo, int wr)
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, int wr)
|
||||
{
|
||||
struct ip_rate_key key;
|
||||
hashvalue_type h = hash_addr(&(repinfo->addr),
|
||||
repinfo->addrlen, 0);
|
||||
hashvalue_type h = hash_addr(addr, addrlen, 0);
|
||||
memset(&key, 0, sizeof(key));
|
||||
key.addr = repinfo->addr;
|
||||
key.addrlen = repinfo->addrlen;
|
||||
key.addr = *addr;
|
||||
key.addrlen = addrlen;
|
||||
key.entry.hash = h;
|
||||
return slabhash_lookup(infra->client_ip_rates, h, &key, wr);
|
||||
}
|
||||
@ -876,10 +875,9 @@ static void infra_create_ratedata(struct infra_cache* infra,
|
||||
|
||||
/** create rate data item for ip address */
|
||||
static void infra_ip_create_ratedata(struct infra_cache* infra,
|
||||
struct comm_reply* repinfo, time_t timenow)
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow)
|
||||
{
|
||||
hashvalue_type h = hash_addr(&(repinfo->addr),
|
||||
repinfo->addrlen, 0);
|
||||
hashvalue_type h = hash_addr(addr, addrlen, 0);
|
||||
struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k));
|
||||
struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d));
|
||||
if(!k || !d) {
|
||||
@ -887,8 +885,8 @@ static void infra_ip_create_ratedata(struct infra_cache* infra,
|
||||
free(d);
|
||||
return; /* alloc failure */
|
||||
}
|
||||
k->addr = repinfo->addr;
|
||||
k->addrlen = repinfo->addrlen;
|
||||
k->addr = *addr;
|
||||
k->addrlen = addrlen;
|
||||
lock_rw_init(&k->entry.lock);
|
||||
k->entry.hash = h;
|
||||
k->entry.key = k;
|
||||
@ -985,8 +983,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
|
||||
sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs));
|
||||
ip[0]=0;
|
||||
if(replylist) {
|
||||
addr_to_str((struct sockaddr_storage *)&replylist->addr,
|
||||
replylist->addrlen, ip, sizeof(ip));
|
||||
addr_to_str((struct sockaddr_storage *)&replylist->remote_addr,
|
||||
replylist->remote_addrlen, ip, sizeof(ip));
|
||||
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip);
|
||||
} else {
|
||||
verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts);
|
||||
@ -1040,7 +1038,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
|
||||
max = infra_rate_max(entry->data, timenow, backoff);
|
||||
lock_rw_unlock(&entry->lock);
|
||||
|
||||
return (max >= lim);
|
||||
return (max > lim);
|
||||
}
|
||||
|
||||
size_t
|
||||
@ -1054,8 +1052,8 @@ infra_get_mem(struct infra_cache* infra)
|
||||
}
|
||||
|
||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
struct comm_reply* repinfo, time_t timenow, int backoff,
|
||||
struct sldns_buffer* buffer)
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
||||
int backoff, struct sldns_buffer* buffer)
|
||||
{
|
||||
int max;
|
||||
struct lruhash_entry* entry;
|
||||
@ -1065,7 +1063,7 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
return 1;
|
||||
}
|
||||
/* find or insert ratedata */
|
||||
entry = infra_find_ip_ratedata(infra, repinfo, 1);
|
||||
entry = infra_find_ip_ratedata(infra, addr, addrlen, 1);
|
||||
if(entry) {
|
||||
int premax = infra_rate_max(entry->data, timenow, backoff);
|
||||
int* cur = infra_rate_give_second(entry->data, timenow);
|
||||
@ -1073,10 +1071,9 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
max = infra_rate_max(entry->data, timenow, backoff);
|
||||
lock_rw_unlock(&entry->lock);
|
||||
|
||||
if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {
|
||||
if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) {
|
||||
char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12];
|
||||
addr_to_str((struct sockaddr_storage *)&repinfo->addr,
|
||||
repinfo->addrlen, client_ip, sizeof(client_ip));
|
||||
addr_to_str(addr, addrlen, client_ip, sizeof(client_ip));
|
||||
qnm[0]=0;
|
||||
if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE &&
|
||||
LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) {
|
||||
@ -1101,6 +1098,6 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
}
|
||||
|
||||
/* create */
|
||||
infra_ip_create_ratedata(infra, repinfo, timenow);
|
||||
infra_ip_create_ratedata(infra, addr, addrlen, timenow);
|
||||
return 1;
|
||||
}
|
||||
|
7
contrib/unbound/services/cache/infra.h
vendored
7
contrib/unbound/services/cache/infra.h
vendored
@ -416,15 +416,16 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
|
||||
/** Update query ratelimit hash and decide
|
||||
* whether or not a query should be dropped.
|
||||
* @param infra: infra cache
|
||||
* @param repinfo: information about client
|
||||
* @param addr: client address
|
||||
* @param addrlen: client address length
|
||||
* @param timenow: what time it is now.
|
||||
* @param backoff: if backoff is enabled.
|
||||
* @param buffer: with query for logging.
|
||||
* @return 1 if it could be incremented. 0 if the increment overshot the
|
||||
* ratelimit and the query should be dropped. */
|
||||
int infra_ip_ratelimit_inc(struct infra_cache* infra,
|
||||
struct comm_reply* repinfo, time_t timenow, int backoff,
|
||||
struct sldns_buffer* buffer);
|
||||
struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow,
|
||||
int backoff, struct sldns_buffer* buffer);
|
||||
|
||||
/**
|
||||
* Get memory used by the infra cache.
|
||||
|
@ -140,7 +140,9 @@ verbose_print_unbound_socket(struct unbound_socket* ub_sock)
|
||||
if(verbosity >= VERB_ALGO) {
|
||||
log_info("listing of unbound_socket structure:");
|
||||
verbose_print_addr(ub_sock->addr);
|
||||
log_info("s is: %d, fam is: %s", ub_sock->s, ub_sock->fam == AF_INET?"AF_INET":"AF_INET6");
|
||||
log_info("s is: %d, fam is: %s, acl: %s", ub_sock->s,
|
||||
ub_sock->fam == AF_INET?"AF_INET":"AF_INET6",
|
||||
ub_sock->acl?"yes":"no");
|
||||
}
|
||||
}
|
||||
|
||||
@ -458,7 +460,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
int action;
|
||||
# endif
|
||||
# if defined(IPV6_V6ONLY)
|
||||
if(v6only) {
|
||||
if(v6only
|
||||
# ifdef HAVE_SYSTEMD
|
||||
/* Systemd wants to control if the socket is v6 only
|
||||
* or both, with BindIPv6Only=default, ipv6-only or
|
||||
* both in systemd.socket, so it is not set here. */
|
||||
&& !got_fd_from_systemd
|
||||
# endif
|
||||
) {
|
||||
int val=(v6only==2)?0:1;
|
||||
if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
(void*)&val, (socklen_t)sizeof(val)) < 0) {
|
||||
@ -511,6 +520,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
* instead which is writable; IPV6_MTU is readonly there. */
|
||||
if (setsockopt(s, IPPROTO_IPV6, IPV6_USER_MTU,
|
||||
(void*)&mtu, (socklen_t)sizeof(mtu)) < 0) {
|
||||
if (WSAGetLastError() != WSAENOPROTOOPT) {
|
||||
log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s",
|
||||
wsa_strerror(WSAGetLastError()));
|
||||
sock_close(s);
|
||||
@ -518,6 +528,7 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
|
||||
*inuse = 0;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
# endif /* USE_WINSOCK */
|
||||
# endif /* IPv6 MTU */
|
||||
# if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
|
||||
@ -774,7 +785,14 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
|
||||
(void)reuseport;
|
||||
#endif /* defined(SO_REUSEPORT) */
|
||||
#if defined(IPV6_V6ONLY)
|
||||
if(addr->ai_family == AF_INET6 && v6only) {
|
||||
if(addr->ai_family == AF_INET6 && v6only
|
||||
# ifdef HAVE_SYSTEMD
|
||||
/* Systemd wants to control if the socket is v6 only
|
||||
* or both, with BindIPv6Only=default, ipv6-only or
|
||||
* both in systemd.socket, so it is not set here. */
|
||||
&& !got_fd_from_systemd
|
||||
# endif
|
||||
) {
|
||||
if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY,
|
||||
(void*)&on, (socklen_t)sizeof(on)) < 0) {
|
||||
log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s",
|
||||
@ -1030,6 +1048,7 @@ make_sock(int stype, const char* ifname, const char* port,
|
||||
ub_sock->addr = res;
|
||||
ub_sock->s = s;
|
||||
ub_sock->fam = hints->ai_family;
|
||||
ub_sock->acl = NULL;
|
||||
|
||||
return s;
|
||||
}
|
||||
@ -1074,11 +1093,13 @@ make_sock_port(int stype, const char* ifname, const char* port,
|
||||
* @param list: list head. changed.
|
||||
* @param s: fd.
|
||||
* @param ftype: if fd is UDP.
|
||||
* @param pp2_enabled: if PROXYv2 is enabled for this port.
|
||||
* @param ub_sock: socket with address.
|
||||
* @return false on failure. list in unchanged then.
|
||||
*/
|
||||
static int
|
||||
port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unbound_socket* ub_sock)
|
||||
port_insert(struct listen_port** list, int s, enum listen_type ftype,
|
||||
int pp2_enabled, struct unbound_socket* ub_sock)
|
||||
{
|
||||
struct listen_port* item = (struct listen_port*)malloc(
|
||||
sizeof(struct listen_port));
|
||||
@ -1087,6 +1108,7 @@ port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unb
|
||||
item->next = *list;
|
||||
item->fd = s;
|
||||
item->ftype = ftype;
|
||||
item->pp2_enabled = pp2_enabled;
|
||||
item->socket = ub_sock;
|
||||
*list = item;
|
||||
return 1;
|
||||
@ -1182,6 +1204,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port,
|
||||
* @param ssl_port: ssl service port number
|
||||
* @param tls_additional_port: list of additional ssl service port numbers.
|
||||
* @param https_port: DoH service port number
|
||||
* @param proxy_protocol_port: list of PROXYv2 port numbers.
|
||||
* @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
|
||||
* set to false on exit if reuseport failed due to no kernel support.
|
||||
* @param transparent: set IP_TRANSPARENT socket option.
|
||||
@ -1198,25 +1221,30 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
struct addrinfo *hints, const char* port, struct listen_port** list,
|
||||
size_t rcv, size_t snd, int ssl_port,
|
||||
struct config_strlist* tls_additional_port, int https_port,
|
||||
struct config_strlist* proxy_protocol_port,
|
||||
int* reuseport, int transparent, int tcp_mss, int freebind,
|
||||
int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp)
|
||||
{
|
||||
int s, noip6=0;
|
||||
int is_https = if_is_https(ifname, port, https_port);
|
||||
int is_dnscrypt = if_is_dnscrypt(ifname, port, dnscrypt_port);
|
||||
int is_pp2 = if_is_pp2(ifname, port, proxy_protocol_port);
|
||||
int nodelay = is_https && http2_nodelay;
|
||||
struct unbound_socket* ub_sock;
|
||||
#ifdef USE_DNSCRYPT
|
||||
int is_dnscrypt = ((strchr(ifname, '@') &&
|
||||
atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
|
||||
(!strchr(ifname, '@') && atoi(port) == dnscrypt_port));
|
||||
#else
|
||||
int is_dnscrypt = 0;
|
||||
(void)dnscrypt_port;
|
||||
#endif
|
||||
|
||||
if(!do_udp && !do_tcp)
|
||||
return 0;
|
||||
|
||||
if(is_pp2) {
|
||||
if(is_dnscrypt) {
|
||||
fatal_exit("PROXYv2 and DNSCrypt combination not "
|
||||
"supported!");
|
||||
} else if(is_https) {
|
||||
fatal_exit("PROXYv2 and DoH combination not "
|
||||
"supported!");
|
||||
}
|
||||
}
|
||||
|
||||
if(do_auto) {
|
||||
ub_sock = calloc(1, sizeof(struct unbound_socket));
|
||||
if(!ub_sock)
|
||||
@ -1239,8 +1267,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
free(ub_sock);
|
||||
return 0;
|
||||
}
|
||||
if(!port_insert(list, s,
|
||||
is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil, ub_sock)) {
|
||||
if(!port_insert(list, s, is_dnscrypt
|
||||
?listen_type_udpancil_dnscrypt:listen_type_udpancil,
|
||||
is_pp2, ub_sock)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
@ -1262,8 +1291,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
if(!port_insert(list, s,
|
||||
is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp, ub_sock)) {
|
||||
if(!port_insert(list, s, is_dnscrypt
|
||||
?listen_type_udp_dnscrypt:listen_type_udp,
|
||||
is_pp2, ub_sock)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
@ -1298,7 +1328,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
}
|
||||
if(is_ssl)
|
||||
verbose(VERB_ALGO, "setup TCP for SSL service");
|
||||
if(!port_insert(list, s, port_type, ub_sock)) {
|
||||
if(!port_insert(list, s, port_type, is_pp2, ub_sock)) {
|
||||
sock_close(s);
|
||||
freeaddrinfo(ub_sock->addr);
|
||||
free(ub_sock);
|
||||
@ -1387,14 +1417,16 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
if(ports->ftype == listen_type_udp ||
|
||||
ports->ftype == listen_type_udp_dnscrypt) {
|
||||
cp = comm_point_create_udp(base, ports->fd,
|
||||
front->udp_buff, cb, cb_arg, ports->socket);
|
||||
front->udp_buff, ports->pp2_enabled, cb,
|
||||
cb_arg, ports->socket);
|
||||
} else if(ports->ftype == listen_type_tcp ||
|
||||
ports->ftype == listen_type_tcp_dnscrypt) {
|
||||
cp = comm_point_create_tcp(base, ports->fd,
|
||||
tcp_accept_count, tcp_idle_timeout,
|
||||
harden_large_queries, 0, NULL,
|
||||
tcp_conn_limit, bufsize, front->udp_buff,
|
||||
ports->ftype, cb, cb_arg, ports->socket);
|
||||
ports->ftype, ports->pp2_enabled, cb, cb_arg,
|
||||
ports->socket);
|
||||
} else if(ports->ftype == listen_type_ssl ||
|
||||
ports->ftype == listen_type_http) {
|
||||
cp = comm_point_create_tcp(base, ports->fd,
|
||||
@ -1402,7 +1434,8 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
harden_large_queries,
|
||||
http_max_streams, http_endpoint,
|
||||
tcp_conn_limit, bufsize, front->udp_buff,
|
||||
ports->ftype, cb, cb_arg, ports->socket);
|
||||
ports->ftype, ports->pp2_enabled, cb, cb_arg,
|
||||
ports->socket);
|
||||
if(ports->ftype == listen_type_http) {
|
||||
if(!sslctx && !http_notls) {
|
||||
log_warn("HTTPS port configured, but "
|
||||
@ -1428,7 +1461,8 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
} else if(ports->ftype == listen_type_udpancil ||
|
||||
ports->ftype == listen_type_udpancil_dnscrypt) {
|
||||
cp = comm_point_create_udp_ancil(base, ports->fd,
|
||||
front->udp_buff, cb, cb_arg, ports->socket);
|
||||
front->udp_buff, ports->pp2_enabled, cb,
|
||||
cb_arg, ports->socket);
|
||||
}
|
||||
if(!cp) {
|
||||
log_err("can't create commpoint");
|
||||
@ -1763,7 +1797,9 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->tls_additional_port,
|
||||
cfg->https_port, reuseport, cfg->ip_transparent,
|
||||
cfg->https_port,
|
||||
cfg->proxy_protocol_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
@ -1778,7 +1814,9 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->tls_additional_port,
|
||||
cfg->https_port, reuseport, cfg->ip_transparent,
|
||||
cfg->https_port,
|
||||
cfg->proxy_protocol_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
@ -1796,7 +1834,8 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->tls_additional_port,
|
||||
cfg->https_port, reuseport, cfg->ip_transparent,
|
||||
cfg->https_port, cfg->proxy_protocol_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
@ -1811,7 +1850,8 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->tls_additional_port,
|
||||
cfg->https_port, reuseport, cfg->ip_transparent,
|
||||
cfg->https_port, cfg->proxy_protocol_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
@ -1828,7 +1868,8 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->tls_additional_port,
|
||||
cfg->https_port, reuseport, cfg->ip_transparent,
|
||||
cfg->https_port, cfg->proxy_protocol_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
@ -1843,7 +1884,8 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, cfg->tls_additional_port,
|
||||
cfg->https_port, reuseport, cfg->ip_transparent,
|
||||
cfg->https_port, cfg->proxy_protocol_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind,
|
||||
cfg->http_nodelay, cfg->use_systemd,
|
||||
cfg->dnscrypt_port, cfg->ip_dscp)) {
|
||||
|
@ -43,6 +43,7 @@
|
||||
#define LISTEN_DNSPORT_H
|
||||
|
||||
#include "util/netevent.h"
|
||||
#include "daemon/acl_list.h"
|
||||
#ifdef HAVE_NGHTTP2_NGHTTP2_H
|
||||
#include <nghttp2/nghttp2.h>
|
||||
#endif
|
||||
@ -112,6 +113,8 @@ struct unbound_socket {
|
||||
int s;
|
||||
/** address family (AF_INET/IF_INET6) */
|
||||
int fam;
|
||||
/** ACL on the socket (listening interface) */
|
||||
struct acl_addr* acl;
|
||||
};
|
||||
|
||||
/**
|
||||
@ -125,7 +128,10 @@ struct listen_port {
|
||||
int fd;
|
||||
/** type of file descriptor, udp or tcp */
|
||||
enum listen_type ftype;
|
||||
/** fill in unbpound_socket structure for every opened socket at Unbound startup */
|
||||
/** if the port should support PROXYv2 */
|
||||
int pp2_enabled;
|
||||
/** fill in unbound_socket structure for every opened socket at
|
||||
* Unbound startup */
|
||||
struct unbound_socket* socket;
|
||||
};
|
||||
|
||||
|
@ -1744,13 +1744,13 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env,
|
||||
/** print log information for an inform zone query */
|
||||
static void
|
||||
lz_inform_print(struct local_zone* z, struct query_info* qinfo,
|
||||
struct comm_reply* repinfo)
|
||||
struct sockaddr_storage* addr, socklen_t addrlen)
|
||||
{
|
||||
char ip[128], txt[512];
|
||||
char zname[LDNS_MAX_DOMAINLEN+1];
|
||||
uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
|
||||
uint16_t port = ntohs(((struct sockaddr_in*)addr)->sin_port);
|
||||
dname_str(z->name, zname);
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
|
||||
addr_to_str(addr, addrlen, ip, sizeof(ip));
|
||||
snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip,
|
||||
(unsigned)port);
|
||||
log_nametypeclass(NO_VERBOSE, txt, qinfo->qname, qinfo->qtype, qinfo->qclass);
|
||||
@ -1765,7 +1765,8 @@ lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2,
|
||||
struct local_zone_override* lzo;
|
||||
if(repinfo && override_tree) {
|
||||
lzo = (struct local_zone_override*)addr_tree_lookup(
|
||||
override_tree, &repinfo->addr, repinfo->addrlen);
|
||||
override_tree, &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
if(lzo && lzo->type) {
|
||||
verbose(VERB_ALGO, "local zone override to type %s",
|
||||
local_zone_type2str(lzo->type));
|
||||
@ -1888,7 +1889,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env,
|
||||
lzt == local_zone_inform_deny ||
|
||||
lzt == local_zone_inform_redirect)
|
||||
&& repinfo)
|
||||
lz_inform_print(z, qinfo, repinfo);
|
||||
lz_inform_print(z, qinfo, &repinfo->client_addr,
|
||||
repinfo->client_addrlen);
|
||||
|
||||
if(lzt != local_zone_always_refuse
|
||||
&& lzt != local_zone_always_transparent
|
||||
|
@ -806,7 +806,7 @@ static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh,
|
||||
/* Fake the ECS data from the client's IP */
|
||||
struct ecs_data ecs;
|
||||
memset(&ecs, 0, sizeof(ecs));
|
||||
subnet_option_from_ss(&rep->addr, &ecs, mesh->env->cfg);
|
||||
subnet_option_from_ss(&rep->client_addr, &ecs, mesh->env->cfg);
|
||||
if(ecs.subnet_validdata == 0) {
|
||||
log_err("prefetch_subnet subnet_option_from_ss: invalid data");
|
||||
return;
|
||||
@ -1488,8 +1488,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
|
||||
}
|
||||
/* Log reply sent */
|
||||
if(m->s.env->cfg->log_replies) {
|
||||
log_reply_info(NO_VERBOSE, &m->s.qinfo, &r->query_reply.addr,
|
||||
r->query_reply.addrlen, duration, 0, r_buffer);
|
||||
log_reply_info(NO_VERBOSE, &m->s.qinfo,
|
||||
&r->query_reply.client_addr,
|
||||
r->query_reply.client_addrlen, duration, 0, r_buffer);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1530,7 +1531,8 @@ void mesh_query_done(struct mesh_state* mstate)
|
||||
respip_inform_print(mstate->s.respip_action_info,
|
||||
r->qname, mstate->s.qinfo.qtype,
|
||||
mstate->s.qinfo.qclass, r->local_alias,
|
||||
&r->query_reply);
|
||||
&r->query_reply.client_addr,
|
||||
r->query_reply.client_addrlen);
|
||||
if(mstate->s.env->cfg->stat_extended &&
|
||||
mstate->s.respip_action_info->rpz_used) {
|
||||
if(mstate->s.respip_action_info->rpz_disabled)
|
||||
@ -2180,7 +2182,8 @@ mesh_serve_expired_callback(void* arg)
|
||||
if(actinfo.addrinfo) {
|
||||
respip_inform_print(&actinfo, r->qname,
|
||||
qstate->qinfo.qtype, qstate->qinfo.qclass,
|
||||
r->local_alias, &r->query_reply);
|
||||
r->local_alias, &r->query_reply.client_addr,
|
||||
r->query_reply.client_addrlen);
|
||||
|
||||
if(qstate->env->cfg->stat_extended && actinfo.rpz_used) {
|
||||
if(actinfo.rpz_disabled)
|
||||
|
@ -86,10 +86,6 @@ static void serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff)
|
||||
static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet,
|
||||
int timeout);
|
||||
|
||||
/** remove waiting tcp from the outnet waiting list */
|
||||
static void waiting_list_remove(struct outside_network* outnet,
|
||||
struct waiting_tcp* w);
|
||||
|
||||
/** select a DNS ID for a TCP stream */
|
||||
static uint16_t tcp_select_id(struct outside_network* outnet,
|
||||
struct reuse_tcp* reuse);
|
||||
@ -372,7 +368,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse)
|
||||
}
|
||||
|
||||
/** pop the first element from the writewait list */
|
||||
static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse)
|
||||
struct waiting_tcp*
|
||||
reuse_write_wait_pop(struct reuse_tcp* reuse)
|
||||
{
|
||||
struct waiting_tcp* w = reuse->write_wait_first;
|
||||
if(!w)
|
||||
@ -390,8 +387,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse)
|
||||
}
|
||||
|
||||
/** remove the element from the writewait list */
|
||||
static void reuse_write_wait_remove(struct reuse_tcp* reuse,
|
||||
struct waiting_tcp* w)
|
||||
void
|
||||
reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w)
|
||||
{
|
||||
log_assert(w);
|
||||
log_assert(w->write_wait_queued);
|
||||
@ -415,8 +412,8 @@ static void reuse_write_wait_remove(struct reuse_tcp* reuse,
|
||||
}
|
||||
|
||||
/** push the element after the last on the writewait list */
|
||||
static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
|
||||
struct waiting_tcp* w)
|
||||
void
|
||||
reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w)
|
||||
{
|
||||
if(!w) return;
|
||||
log_assert(!w->write_wait_queued);
|
||||
@ -427,7 +424,9 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse,
|
||||
w->write_wait_prev = reuse->write_wait_last;
|
||||
} else {
|
||||
reuse->write_wait_first = w;
|
||||
w->write_wait_prev = NULL;
|
||||
}
|
||||
w->write_wait_next = NULL;
|
||||
reuse->write_wait_last = w;
|
||||
w->write_wait_queued = 1;
|
||||
}
|
||||
@ -721,12 +720,12 @@ outnet_tcp_take_into_use(struct waiting_tcp* w)
|
||||
pend->next_free = NULL;
|
||||
pend->query = w;
|
||||
pend->reuse.outnet = w->outnet;
|
||||
pend->c->repinfo.addrlen = w->addrlen;
|
||||
pend->c->repinfo.remote_addrlen = w->addrlen;
|
||||
pend->c->tcp_more_read_again = &pend->reuse.cp_more_read_again;
|
||||
pend->c->tcp_more_write_again = &pend->reuse.cp_more_write_again;
|
||||
pend->reuse.cp_more_read_again = 0;
|
||||
pend->reuse.cp_more_write_again = 0;
|
||||
memcpy(&pend->c->repinfo.addr, &w->addr, w->addrlen);
|
||||
memcpy(&pend->c->repinfo.remote_addr, &w->addr, w->addrlen);
|
||||
pend->reuse.pending = pend;
|
||||
|
||||
/* Remove from tree in case the is_ssl will be different and causes the
|
||||
@ -810,20 +809,50 @@ reuse_tcp_lru_snip(struct outside_network* outnet)
|
||||
return reuse;
|
||||
}
|
||||
|
||||
/** call callback on waiting_tcp, if not NULL */
|
||||
static void
|
||||
waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error,
|
||||
struct comm_reply* reply_info)
|
||||
/** remove waiting tcp from the outnet waiting list */
|
||||
void
|
||||
outnet_waiting_tcp_list_remove(struct outside_network* outnet, struct waiting_tcp* w)
|
||||
{
|
||||
if(w && w->cb) {
|
||||
fptr_ok(fptr_whitelist_pending_tcp(w->cb));
|
||||
(void)(*w->cb)(c, w->cb_arg, error, reply_info);
|
||||
struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL;
|
||||
w->on_tcp_waiting_list = 0;
|
||||
while(p) {
|
||||
if(p == w) {
|
||||
/* remove w */
|
||||
if(prev)
|
||||
prev->next_waiting = w->next_waiting;
|
||||
else outnet->tcp_wait_first = w->next_waiting;
|
||||
if(outnet->tcp_wait_last == w)
|
||||
outnet->tcp_wait_last = prev;
|
||||
w->next_waiting = NULL;
|
||||
return;
|
||||
}
|
||||
prev = p;
|
||||
p = p->next_waiting;
|
||||
}
|
||||
/* outnet_waiting_tcp_list_remove is currently called only with items
|
||||
* that are already in the waiting list. */
|
||||
log_assert(0);
|
||||
}
|
||||
|
||||
/** pop the first waiting tcp from the outnet waiting list */
|
||||
struct waiting_tcp*
|
||||
outnet_waiting_tcp_list_pop(struct outside_network* outnet)
|
||||
{
|
||||
struct waiting_tcp* w = outnet->tcp_wait_first;
|
||||
if(!outnet->tcp_wait_first) return NULL;
|
||||
log_assert(w->on_tcp_waiting_list);
|
||||
outnet->tcp_wait_first = w->next_waiting;
|
||||
if(outnet->tcp_wait_last == w)
|
||||
outnet->tcp_wait_last = NULL;
|
||||
w->on_tcp_waiting_list = 0;
|
||||
w->next_waiting = NULL;
|
||||
return w;
|
||||
}
|
||||
|
||||
/** add waiting_tcp element to the outnet tcp waiting list */
|
||||
static void
|
||||
outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
|
||||
void
|
||||
outnet_waiting_tcp_list_add(struct outside_network* outnet,
|
||||
struct waiting_tcp* w, int set_timer)
|
||||
{
|
||||
struct timeval tv;
|
||||
log_assert(!w->on_tcp_waiting_list);
|
||||
@ -835,16 +864,18 @@ outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w)
|
||||
else outnet->tcp_wait_first = w;
|
||||
outnet->tcp_wait_last = w;
|
||||
w->on_tcp_waiting_list = 1;
|
||||
if(set_timer) {
|
||||
#ifndef S_SPLINT_S
|
||||
tv.tv_sec = w->timeout/1000;
|
||||
tv.tv_usec = (w->timeout%1000)*1000;
|
||||
#endif
|
||||
comm_timer_set(w->timer, &tv);
|
||||
}
|
||||
}
|
||||
|
||||
/** add waiting_tcp element as first to the outnet tcp waiting list */
|
||||
static void
|
||||
outnet_add_tcp_waiting_first(struct outside_network* outnet,
|
||||
void
|
||||
outnet_waiting_tcp_list_add_first(struct outside_network* outnet,
|
||||
struct waiting_tcp* w, int reset_timer)
|
||||
{
|
||||
struct timeval tv;
|
||||
@ -869,6 +900,17 @@ outnet_add_tcp_waiting_first(struct outside_network* outnet,
|
||||
(outnet->tcp_reuse_first && outnet->tcp_reuse_last));
|
||||
}
|
||||
|
||||
/** call callback on waiting_tcp, if not NULL */
|
||||
static void
|
||||
waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error,
|
||||
struct comm_reply* reply_info)
|
||||
{
|
||||
if(w && w->cb) {
|
||||
fptr_ok(fptr_whitelist_pending_tcp(w->cb));
|
||||
(void)(*w->cb)(c, w->cb_arg, error, reply_info);
|
||||
}
|
||||
}
|
||||
|
||||
/** see if buffers can be used to service TCP queries */
|
||||
static void
|
||||
use_free_buffer(struct outside_network* outnet)
|
||||
@ -879,15 +921,10 @@ use_free_buffer(struct outside_network* outnet)
|
||||
struct pending_tcp* pend_tcp = NULL;
|
||||
#endif
|
||||
struct reuse_tcp* reuse = NULL;
|
||||
w = outnet->tcp_wait_first;
|
||||
log_assert(w->on_tcp_waiting_list);
|
||||
outnet->tcp_wait_first = w->next_waiting;
|
||||
if(outnet->tcp_wait_last == w)
|
||||
outnet->tcp_wait_last = NULL;
|
||||
w = outnet_waiting_tcp_list_pop(outnet);
|
||||
log_assert(
|
||||
(!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) ||
|
||||
(outnet->tcp_reuse_first && outnet->tcp_reuse_last));
|
||||
w->on_tcp_waiting_list = 0;
|
||||
reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen,
|
||||
w->ssl_upstream);
|
||||
/* re-select an ID when moving to a new TCP buffer */
|
||||
@ -934,7 +971,7 @@ use_free_buffer(struct outside_network* outnet)
|
||||
#endif
|
||||
} else {
|
||||
/* no reuse and no free buffer, put back at the start */
|
||||
outnet_add_tcp_waiting_first(outnet, w, 0);
|
||||
outnet_waiting_tcp_list_add_first(outnet, w, 0);
|
||||
break;
|
||||
}
|
||||
#ifdef USE_DNSTAP
|
||||
@ -1008,7 +1045,7 @@ reuse_move_writewait_away(struct outside_network* outnet,
|
||||
* fail the query */
|
||||
w->error_count ++;
|
||||
reuse_tree_by_id_delete(&pend->reuse, w);
|
||||
outnet_add_tcp_waiting(outnet, w);
|
||||
outnet_waiting_tcp_list_add(outnet, w, 1);
|
||||
}
|
||||
while((w = reuse_write_wait_pop(&pend->reuse)) != NULL) {
|
||||
if(verbosity >= VERB_CLIENT && w->pkt_len > 12+2+2 &&
|
||||
@ -1019,7 +1056,7 @@ reuse_move_writewait_away(struct outside_network* outnet,
|
||||
verbose(VERB_CLIENT, "reuse_move_writewait_away item %s", buf);
|
||||
}
|
||||
reuse_tree_by_id_delete(&pend->reuse, w);
|
||||
outnet_add_tcp_waiting(outnet, w);
|
||||
outnet_waiting_tcp_list_add(outnet, w, 1);
|
||||
}
|
||||
}
|
||||
|
||||
@ -1417,11 +1454,11 @@ outnet_udp_cb(struct comm_point* c, void* arg, int error,
|
||||
|
||||
/* setup lookup key */
|
||||
key.id = (unsigned)LDNS_ID_WIRE(sldns_buffer_begin(c->buffer));
|
||||
memcpy(&key.addr, &reply_info->addr, reply_info->addrlen);
|
||||
key.addrlen = reply_info->addrlen;
|
||||
memcpy(&key.addr, &reply_info->remote_addr, reply_info->remote_addrlen);
|
||||
key.addrlen = reply_info->remote_addrlen;
|
||||
verbose(VERB_ALGO, "Incoming reply id = %4.4x", key.id);
|
||||
log_addr(VERB_ALGO, "Incoming reply addr =",
|
||||
&reply_info->addr, reply_info->addrlen);
|
||||
&reply_info->remote_addr, reply_info->remote_addrlen);
|
||||
|
||||
/* find it, see if this thing is a valid query response */
|
||||
verbose(VERB_ALGO, "lookup size is %d entries", (int)outnet->pending->count);
|
||||
@ -1690,7 +1727,7 @@ outside_network_create(struct comm_base *base, size_t bufsize,
|
||||
return NULL;
|
||||
}
|
||||
pc->cp = comm_point_create_udp(outnet->base, -1,
|
||||
outnet->udp_buff, outnet_udp_cb, outnet, NULL);
|
||||
outnet->udp_buff, 0, outnet_udp_cb, outnet, NULL);
|
||||
if(!pc->cp) {
|
||||
log_err("malloc failed");
|
||||
free(pc);
|
||||
@ -2237,7 +2274,7 @@ outnet_tcptimer(void* arg)
|
||||
verbose(VERB_CLIENT, "outnet_tcptimer");
|
||||
if(w->on_tcp_waiting_list) {
|
||||
/* it is on the waiting list */
|
||||
waiting_list_remove(outnet, w);
|
||||
outnet_waiting_tcp_list_remove(outnet, w);
|
||||
waiting_tcp_callback(w, NULL, NETEVENT_TIMEOUT, NULL);
|
||||
waiting_tcp_delete(w);
|
||||
} else {
|
||||
@ -2464,7 +2501,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
|
||||
#ifdef USE_DNSTAP
|
||||
w->sq = sq;
|
||||
#endif
|
||||
outnet_add_tcp_waiting(sq->outnet, w);
|
||||
outnet_waiting_tcp_list_add(sq->outnet, w, 1);
|
||||
}
|
||||
return w;
|
||||
}
|
||||
@ -2545,8 +2582,10 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
|
||||
#ifdef UNBOUND_DEBUG
|
||||
rbnode_type* ins;
|
||||
#endif
|
||||
if(!sq)
|
||||
if(!sq) {
|
||||
alloc_reg_release(alloc, region);
|
||||
return NULL;
|
||||
}
|
||||
sq->node.key = sq;
|
||||
sq->alloc = alloc;
|
||||
sq->region = region;
|
||||
@ -2610,30 +2649,6 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
|
||||
return sq;
|
||||
}
|
||||
|
||||
/** remove waiting tcp from the outnet waiting list */
|
||||
static void
|
||||
waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w)
|
||||
{
|
||||
struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL;
|
||||
w->on_tcp_waiting_list = 0;
|
||||
while(p) {
|
||||
if(p == w) {
|
||||
/* remove w */
|
||||
if(prev)
|
||||
prev->next_waiting = w->next_waiting;
|
||||
else outnet->tcp_wait_first = w->next_waiting;
|
||||
if(outnet->tcp_wait_last == w)
|
||||
outnet->tcp_wait_last = prev;
|
||||
return;
|
||||
}
|
||||
prev = p;
|
||||
p = p->next_waiting;
|
||||
}
|
||||
/* waiting_list_remove is currently called only with items that are
|
||||
* already in the waiting list. */
|
||||
log_assert(0);
|
||||
}
|
||||
|
||||
/** reuse tcp stream, remove serviced query from stream,
|
||||
* return true if the stream is kept, false if it is to be closed */
|
||||
static int
|
||||
@ -2728,7 +2743,7 @@ serviced_delete(struct serviced_query* sq)
|
||||
sq->pending = NULL;
|
||||
} else {
|
||||
verbose(VERB_CLIENT, "serviced_delete: tcpwait");
|
||||
waiting_list_remove(sq->outnet, w);
|
||||
outnet_waiting_tcp_list_remove(sq->outnet, w);
|
||||
if(!w->in_cb_and_decommission)
|
||||
waiting_tcp_delete(w);
|
||||
}
|
||||
@ -3101,8 +3116,8 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
|
||||
rep = &r2;
|
||||
r2.c = c;
|
||||
}
|
||||
memcpy(&rep->addr, &sq->addr, sq->addrlen);
|
||||
rep->addrlen = sq->addrlen;
|
||||
memcpy(&rep->remote_addr, &sq->addr, sq->addrlen);
|
||||
rep->remote_addrlen = sq->addrlen;
|
||||
serviced_callbacks(sq, error, c, rep);
|
||||
return 0;
|
||||
}
|
||||
@ -3432,7 +3447,6 @@ outnet_serviced_query(struct outside_network* outnet,
|
||||
infra_ratelimit_dec(env->infra_cache,
|
||||
zone, zonelen, timenow);
|
||||
}
|
||||
alloc_reg_release(env->alloc, region);
|
||||
return NULL;
|
||||
}
|
||||
if(!(cb = (struct service_callback*)regional_alloc(
|
||||
@ -3581,7 +3595,7 @@ outnet_comm_point_for_udp(struct outside_network* outnet,
|
||||
if(fd == -1) {
|
||||
return NULL;
|
||||
}
|
||||
cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff,
|
||||
cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, 0,
|
||||
cb, cb_arg, NULL);
|
||||
if(!cp) {
|
||||
log_err("malloc failure");
|
||||
@ -3669,8 +3683,8 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
cp->repinfo.addrlen = to_addrlen;
|
||||
memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
|
||||
cp->repinfo.remote_addrlen = to_addrlen;
|
||||
memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);
|
||||
|
||||
/* setup for SSL (if needed) */
|
||||
if(ssl) {
|
||||
@ -3745,8 +3759,8 @@ outnet_comm_point_for_http(struct outside_network* outnet,
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
cp->repinfo.addrlen = to_addrlen;
|
||||
memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
|
||||
cp->repinfo.remote_addrlen = to_addrlen;
|
||||
memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);
|
||||
|
||||
/* setup for SSL (if needed) */
|
||||
if(ssl) {
|
||||
|
@ -718,6 +718,30 @@ struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet);
|
||||
/** delete readwait waiting_tcp elements, deletes the elements in the list */
|
||||
void reuse_del_readwait(rbtree_type* tree_by_id);
|
||||
|
||||
/** remove waiting tcp from the outnet waiting list */
|
||||
void outnet_waiting_tcp_list_remove(struct outside_network* outnet,
|
||||
struct waiting_tcp* w);
|
||||
|
||||
/** pop the first waiting tcp from the outnet waiting list */
|
||||
struct waiting_tcp* outnet_waiting_tcp_list_pop(struct outside_network* outnet);
|
||||
|
||||
/** add waiting_tcp element to the outnet tcp waiting list */
|
||||
void outnet_waiting_tcp_list_add(struct outside_network* outnet,
|
||||
struct waiting_tcp* w, int set_timer);
|
||||
|
||||
/** add waiting_tcp element as first to the outnet tcp waiting list */
|
||||
void outnet_waiting_tcp_list_add_first(struct outside_network* outnet,
|
||||
struct waiting_tcp* w, int reset_timer);
|
||||
|
||||
/** pop the first element from the writewait list */
|
||||
struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse);
|
||||
|
||||
/** remove the element from the writewait list */
|
||||
void reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w);
|
||||
|
||||
/** push the element after the last on the writewait list */
|
||||
void reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w);
|
||||
|
||||
/** get TCP file descriptor for address, returns -1 on failure,
|
||||
* tcp_mss is 0 or maxseg size to set for TCP packets. */
|
||||
int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen,
|
||||
|
@ -1392,11 +1392,13 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode,
|
||||
dnamestr[0]=0;
|
||||
}
|
||||
if(repinfo) {
|
||||
addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
|
||||
port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
|
||||
addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip));
|
||||
port = ntohs(((struct sockaddr_in*)&repinfo->client_addr)->sin_port);
|
||||
} else if(ms && ms->mesh_info && ms->mesh_info->reply_list) {
|
||||
addr_to_str(&ms->mesh_info->reply_list->query_reply.addr, ms->mesh_info->reply_list->query_reply.addrlen, ip, sizeof(ip));
|
||||
port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.addr)->sin_port);
|
||||
addr_to_str(&ms->mesh_info->reply_list->query_reply.client_addr,
|
||||
ms->mesh_info->reply_list->query_reply.client_addrlen,
|
||||
ip, sizeof(ip));
|
||||
port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.client_addr)->sin_port);
|
||||
} else {
|
||||
ip[0]=0;
|
||||
port = 0;
|
||||
@ -1468,7 +1470,9 @@ rpz_resolve_client_action_and_zone(struct auth_zones* az, struct query_info* qin
|
||||
}
|
||||
z = rpz_find_zone(r->local_zones, qinfo->qname, qinfo->qname_len,
|
||||
qinfo->qclass, 0, 0, 0);
|
||||
node = rpz_ipbased_trigger_lookup(r->client_set, &repinfo->addr, repinfo->addrlen, "clientip");
|
||||
node = rpz_ipbased_trigger_lookup(r->client_set,
|
||||
&repinfo->client_addr, repinfo->client_addrlen,
|
||||
"clientip");
|
||||
if((z || node) && r->action_override == RPZ_DISABLED_ACTION) {
|
||||
if(r->log)
|
||||
log_rpz_apply((node?"clientip":"qname"),
|
||||
@ -2164,18 +2168,16 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
|
||||
|
||||
lock_rw_unlock(&az->rpz_lock);
|
||||
|
||||
if(raddr == NULL && z == NULL) { return NULL; }
|
||||
else if(raddr != NULL) {
|
||||
if(raddr == NULL && z == NULL)
|
||||
return NULL;
|
||||
|
||||
if(raddr != NULL) {
|
||||
if(z) {
|
||||
lock_rw_unlock(&z->lock);
|
||||
}
|
||||
return rpz_apply_nsip_trigger(ms, r, raddr, a);
|
||||
} else if(z != NULL) {
|
||||
if(raddr) {
|
||||
lock_rw_unlock(&raddr->lock);
|
||||
}
|
||||
return rpz_apply_nsdname_trigger(ms, r, z, &match, a);
|
||||
} else { return NULL; }
|
||||
}
|
||||
|
||||
struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
|
||||
|
@ -66,7 +66,8 @@ views_create(void)
|
||||
return v;
|
||||
}
|
||||
|
||||
/** This prototype is defined in in respip.h, but we want to avoid
|
||||
/* \noop (ignore this comment for doxygen)
|
||||
* This prototype is defined in in respip.h, but we want to avoid
|
||||
* unnecessary dependencies */
|
||||
void respip_set_delete(struct respip_set *set);
|
||||
|
||||
|
@ -316,7 +316,7 @@ warn_hosts(const char* typ, struct config_stub* list)
|
||||
struct config_strlist* h;
|
||||
for(s=list; s; s=s->next) {
|
||||
for(h=s->hosts; h; h=h->next) {
|
||||
if(extstrtoaddr(h->str, &a, &alen)) {
|
||||
if(extstrtoaddr(h->str, &a, &alen, UNBOUND_DNS_PORT)) {
|
||||
fprintf(stderr, "unbound-checkconf: warning:"
|
||||
" %s %s: \"%s\" is an IP%s address, "
|
||||
"and when looked up as a host name "
|
||||
@ -338,6 +338,8 @@ interfacechecks(struct config_file* cfg)
|
||||
int i, j, i2, j2;
|
||||
char*** resif = NULL;
|
||||
int* num_resif = NULL;
|
||||
char portbuf[32];
|
||||
snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
|
||||
|
||||
if(cfg->num_ifs != 0) {
|
||||
resif = (char***)calloc(cfg->num_ifs, sizeof(char**));
|
||||
@ -359,9 +361,21 @@ interfacechecks(struct config_file* cfg)
|
||||
fatal_exit("could not resolve interface names, for %s",
|
||||
cfg->ifs[i]);
|
||||
}
|
||||
/* check for port combinations that are not supported */
|
||||
if(if_is_pp2(resif[i][0], portbuf, cfg->proxy_protocol_port)) {
|
||||
if(if_is_dnscrypt(resif[i][0], portbuf,
|
||||
cfg->dnscrypt_port)) {
|
||||
fatal_exit("PROXYv2 and DNSCrypt combination not "
|
||||
"supported!");
|
||||
} else if(if_is_https(resif[i][0], portbuf,
|
||||
cfg->https_port)) {
|
||||
fatal_exit("PROXYv2 and DoH combination not "
|
||||
"supported!");
|
||||
}
|
||||
}
|
||||
/* search for duplicates in the returned addresses */
|
||||
for(j=0; j<num_resif[i]; j++) {
|
||||
if(!extstrtoaddr(resif[i][j], &a, &alen)) {
|
||||
if(!extstrtoaddr(resif[i][j], &a, &alen, cfg->port)) {
|
||||
if(strcmp(cfg->ifs[i], resif[i][j]) != 0)
|
||||
fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'",
|
||||
resif[i][j], cfg->ifs[i]);
|
||||
|
@ -601,7 +601,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
|
||||
struct sockaddr_storage addr2;
|
||||
socklen_t addrlen2;
|
||||
if(extstrtoaddr(cfg->control_ifs.first->str, &addr2,
|
||||
&addrlen2)) {
|
||||
&addrlen2, UNBOUND_DNS_PORT)) {
|
||||
svr = cfg->control_ifs.first->str;
|
||||
} else {
|
||||
if(!resolve_interface_names(NULL, 0,
|
||||
@ -629,7 +629,7 @@ contact_server(const char* svr, struct config_file* cfg, int statuscmd)
|
||||
svr = "::1";
|
||||
}
|
||||
if(strchr(svr, '@')) {
|
||||
if(!extstrtoaddr(svr, &addr, &addrlen))
|
||||
if(!extstrtoaddr(svr, &addr, &addrlen, UNBOUND_DNS_PORT))
|
||||
fatal_exit("could not parse IP@port: %s", svr);
|
||||
#ifdef HAVE_SYS_UN_H
|
||||
} else if(svr[0] == '/') {
|
||||
|
309
contrib/unbound/testdata/iter_ghost_sub.rpl
vendored
309
contrib/unbound/testdata/iter_ghost_sub.rpl
vendored
@ -1,309 +0,0 @@
|
||||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test ghost subdomain of another subdomain.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
. 86400 IN NS
|
||||
SECTION ANSWER
|
||||
. 86400 IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. 86400 IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
; this is the one where example.com is delegated.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. 86400 IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. 86400 IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
; this is the one where example.com is no longer delegated.
|
||||
RANGE_BEGIN 100 200
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. 86400 IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. 86400 IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NXDOMAIN
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
s.example.com. IN A
|
||||
SECTION ANSWER
|
||||
s.example.com. IN A 1.2.3.4
|
||||
SECTION AUTHORITY
|
||||
s.example.com. IN NS s.example.com.
|
||||
SECTION ADDITIONAL
|
||||
s.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
s.s.example.com. IN A
|
||||
SECTION ANSWER
|
||||
s.s.example.com. IN A 1.2.3.4
|
||||
SECTION AUTHORITY
|
||||
s.s.example.com. IN NS s.s.example.com.
|
||||
SECTION ADDITIONAL
|
||||
s.s.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; get the delegation in cache
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; time passes
|
||||
STEP 25 TIME_PASSES ELAPSE 1800
|
||||
|
||||
; get another delegation in cache
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
s.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 40 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
s.example.com. IN A
|
||||
SECTION ANSWER
|
||||
s.example.com. IN A 1.2.3.4
|
||||
SECTION AUTHORITY
|
||||
s.example.com. IN NS s.example.com.
|
||||
ENTRY_END
|
||||
|
||||
; time passes, 1800 + 1000 = 2800 of 3600 TTL on NS of s.example.com. and
|
||||
; example.com.
|
||||
STEP 45 TIME_PASSES ELAPSE 1000
|
||||
|
||||
; get another delegation in cache
|
||||
STEP 50 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
s.s.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 60 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
s.s.example.com. IN A
|
||||
SECTION ANSWER
|
||||
s.s.example.com. IN A 1.2.3.4
|
||||
SECTION AUTHORITY
|
||||
s.s.example.com. IN NS s.s.example.com.
|
||||
ENTRY_END
|
||||
|
||||
|
||||
; time passes, 1800 + 2000 = 3800 of 3600 TTL on NS of s.example.com. and
|
||||
; example.com.
|
||||
STEP 75 TIME_PASSES ELAPSE 1000
|
||||
|
||||
; domain no longer delegated
|
||||
; is the domain still up?
|
||||
|
||||
STEP 100 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.s.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 110 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.s.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
|
||||
STEP 120 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.s.s.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 130 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.s.s.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
|
||||
STEP 140 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 150 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
391
contrib/unbound/testdata/iter_ghost_timewindow.rpl
vendored
391
contrib/unbound/testdata/iter_ghost_timewindow.rpl
vendored
@ -1,391 +0,0 @@
|
||||
; config options
|
||||
server:
|
||||
target-fetch-policy: "0 0 0 0 0"
|
||||
qname-minimisation: "no"
|
||||
minimal-responses: no
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
|
||||
CONFIG_END
|
||||
|
||||
SCENARIO_BEGIN Test ghost subdomain with extension reply in timewindow.
|
||||
|
||||
; K.ROOT-SERVERS.NET.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 193.0.14.129
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
. 86400 IN NS
|
||||
SECTION ANSWER
|
||||
. 86400 IN NS K.ROOT-SERVERS.NET.
|
||||
SECTION ADDITIONAL
|
||||
K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. 86400 IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
; this is the one where example.com is delegated.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. 86400 IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. 86400 IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NOERROR
|
||||
SECTION QUESTION
|
||||
example2.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
example2.com. 3610 IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example2.com. 3610 IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; a.gtld-servers.net.
|
||||
; this is the one where example.com is no longer delegated.
|
||||
RANGE_BEGIN 100 300
|
||||
ADDRESS 192.5.6.30
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
com. IN NS
|
||||
SECTION ANSWER
|
||||
com. 86400 IN NS a.gtld-servers.net.
|
||||
SECTION ADDITIONAL
|
||||
a.gtld-servers.net. 86400 IN A 192.5.6.30
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NXDOMAIN
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode subdomain
|
||||
ADJUST copy_id copy_query
|
||||
REPLY QR NXDOMAIN
|
||||
SECTION QUESTION
|
||||
example2.com. IN NS
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.4
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example.com. IN NS
|
||||
SECTION ANSWER
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
; ns.example2.com.
|
||||
RANGE_BEGIN 0 100
|
||||
ADDRESS 1.2.3.5
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
example2.com. IN NS
|
||||
SECTION ANSWER
|
||||
example2.com. 3610 IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example2.com. 3610 IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example2.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example2.com. 3610 IN A 1.2.3.5
|
||||
SECTION AUTHORITY
|
||||
example2.com. 3610 IN NS ns.example2.com.
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example2.com. IN AAAA
|
||||
SECTION AUTHORITY
|
||||
example2.com. 3610 IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example2.com. 3610 IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example2.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example2.com. 3610 IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example2.com. 3610 IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example2.com 3610 IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; get the delegation in cache
|
||||
STEP 20 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; get example2 in cache too to check other response type
|
||||
STEP 30 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example2.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 40 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
www.example2.com. IN A
|
||||
SECTION ANSWER
|
||||
www.example2.com. IN A 10.20.30.40
|
||||
SECTION AUTHORITY
|
||||
example2.com. IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example2.com IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
; time passes
|
||||
STEP 95 TIME_PASSES ELAPSE 3595
|
||||
|
||||
STEP 100 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; ns.example.com RANGE does not answer, only until step 100,
|
||||
; so we provide an answer, but first, let time pass beyond the TTL.
|
||||
; it is going to time 3605, just passed the 3600 expire TTL, but the
|
||||
; query started at 3595 before the TTL expired.
|
||||
STEP 110 TIME_PASSES ELAPSE 10
|
||||
|
||||
; provide the answer to the query sent.
|
||||
STEP 120 CHECK_OUT_QUERY
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
SECTION ANSWER
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
STEP 130 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
example.com. IN NS ns.example.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example.com. IN A 1.2.3.4
|
||||
ENTRY_END
|
||||
|
||||
; check if the domain is still live.
|
||||
STEP 140 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www2.example.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 150 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www2.example.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
|
||||
; example2 is valid with TTL of 3610, it is time 3605
|
||||
STEP 160 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
ns.example2.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
; move to time 3615
|
||||
STEP 170 TIME_PASSES ELAPSE 10
|
||||
|
||||
STEP 180 CHECK_OUT_QUERY
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qtype qname
|
||||
ADJUST copy_id
|
||||
REPLY QR AA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example2.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example2.com. IN A 1.2.3.5
|
||||
SECTION AUTHORITY
|
||||
example2.com. IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ns.example2.com. IN A 1.2.3.5
|
||||
ENTRY_END
|
||||
|
||||
STEP 190 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NOERROR
|
||||
SECTION QUESTION
|
||||
ns.example2.com. IN A
|
||||
SECTION ANSWER
|
||||
ns.example2.com IN A 1.2.3.5
|
||||
SECTION AUTHORITY
|
||||
example2.com. IN NS ns.example2.com.
|
||||
SECTION ADDITIONAL
|
||||
ENTRY_END
|
||||
|
||||
; check if the domain is still live.
|
||||
STEP 200 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www2.example2.com. IN A
|
||||
ENTRY_END
|
||||
|
||||
STEP 210 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RD RA NXDOMAIN
|
||||
SECTION QUESTION
|
||||
www2.example2.com. IN A
|
||||
SECTION AUTHORITY
|
||||
com. 86400 IN SOA a. b. 1 2 3 4 5
|
||||
ENTRY_END
|
||||
|
||||
SCENARIO_END
|
@ -786,6 +786,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size)
|
||||
else S_YNO("pad-queries:", pad_queries)
|
||||
else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size)
|
||||
else S_STRLIST("proxy-protocol-port:", proxy_protocol_port)
|
||||
#ifdef USE_IPSECMOD
|
||||
else S_YNO("ipsecmod-enabled:", ipsecmod_enabled)
|
||||
else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus)
|
||||
@ -822,7 +823,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
* stub-ssl-upstream, forward-zone, auth-zone
|
||||
* name, forward-addr, forward-host,
|
||||
* ratelimit-for-domain, ratelimit-below-domain,
|
||||
* local-zone-tag, access-control-view,
|
||||
* local-zone-tag, access-control-view, interface-*,
|
||||
* send-client-subnet, client-subnet-always-forward,
|
||||
* max-client-subnet-ipv4, max-client-subnet-ipv6,
|
||||
* min-client-subnet-ipv4, min-client-subnet-ipv6,
|
||||
@ -1252,11 +1253,17 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
|
||||
else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
|
||||
else O_LS2(opt, "access-control-view", acl_view)
|
||||
else O_LS2(opt, "interface-action", interface_actions)
|
||||
else O_LTG(opt, "interface-tag", interface_tags)
|
||||
else O_LS3(opt, "interface-tag-action", interface_tag_actions)
|
||||
else O_LS3(opt, "interface-tag-data", interface_tag_datas)
|
||||
else O_LS2(opt, "interface-view", interface_view)
|
||||
else O_YNO(opt, "pad-responses", pad_responses)
|
||||
else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size)
|
||||
else O_YNO(opt, "pad-queries", pad_queries)
|
||||
else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size)
|
||||
else O_LS2(opt, "edns-client-strings", edns_client_strings)
|
||||
else O_LST(opt, "proxy-protocol-port", proxy_protocol_port)
|
||||
#ifdef USE_IPSECMOD
|
||||
else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
|
||||
else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
|
||||
@ -1302,6 +1309,7 @@ create_cfg_parser(struct config_file* cfg, char* filename, const char* chroot)
|
||||
cfg_parser->errors = 0;
|
||||
cfg_parser->cfg = cfg;
|
||||
cfg_parser->chroot = chroot;
|
||||
cfg_parser->started_toplevel = 0;
|
||||
init_cfg_parse();
|
||||
}
|
||||
|
||||
@ -1606,10 +1614,16 @@ config_delete(struct config_file* cfg)
|
||||
config_deltrplstrlist(cfg->local_zone_overrides);
|
||||
config_del_strarray(cfg->tagname, cfg->num_tags);
|
||||
config_del_strbytelist(cfg->local_zone_tags);
|
||||
config_del_strbytelist(cfg->acl_tags);
|
||||
config_del_strbytelist(cfg->respip_tags);
|
||||
config_deldblstrlist(cfg->acl_view);
|
||||
config_del_strbytelist(cfg->acl_tags);
|
||||
config_deltrplstrlist(cfg->acl_tag_actions);
|
||||
config_deltrplstrlist(cfg->acl_tag_datas);
|
||||
config_deldblstrlist(cfg->interface_actions);
|
||||
config_deldblstrlist(cfg->interface_view);
|
||||
config_del_strbytelist(cfg->interface_tags);
|
||||
config_deltrplstrlist(cfg->interface_tag_actions);
|
||||
config_deltrplstrlist(cfg->interface_tag_datas);
|
||||
config_delstrlist(cfg->control_ifs.first);
|
||||
free(cfg->server_key_file);
|
||||
free(cfg->server_cert_file);
|
||||
@ -1630,6 +1644,7 @@ config_delete(struct config_file* cfg)
|
||||
config_delstrlist(cfg->python_script);
|
||||
config_delstrlist(cfg->dynlib_file);
|
||||
config_deldblstrlist(cfg->edns_client_strings);
|
||||
config_delstrlist(cfg->proxy_protocol_port);
|
||||
#ifdef USE_IPSECMOD
|
||||
free(cfg->ipsecmod_hook);
|
||||
config_delstrlist(cfg->ipsecmod_whitelist);
|
||||
@ -1800,6 +1815,9 @@ void ub_c_error_msg(const char* fmt, ...)
|
||||
void ub_c_error(const char *str)
|
||||
{
|
||||
cfg_parser->errors++;
|
||||
if(strcmp(str, "syntax error")==0 && cfg_parser->started_toplevel ==0)
|
||||
str = "syntax error, is there no section start after an "
|
||||
"include-toplevel directive perhaps.";
|
||||
fprintf(stderr, "%s:%d: error: %s\n", cfg_parser->filename,
|
||||
cfg_parser->line, str);
|
||||
}
|
||||
@ -2609,3 +2627,35 @@ int cfg_has_https(struct config_file* cfg)
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** see if interface is PROXYv2, its port number == the proxy port number */
|
||||
int
|
||||
if_is_pp2(const char* ifname, const char* port,
|
||||
struct config_strlist* proxy_protocol_port)
|
||||
{
|
||||
struct config_strlist* s;
|
||||
char* p = strchr(ifname, '@');
|
||||
for(s = proxy_protocol_port; s; s = s->next) {
|
||||
if(p && atoi(p+1) == atoi(s->str))
|
||||
return 1;
|
||||
if(!p && atoi(port) == atoi(s->str))
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */
|
||||
int
|
||||
if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port)
|
||||
{
|
||||
#ifdef USE_DNSCRYPT
|
||||
return ((strchr(ifname, '@') &&
|
||||
atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
|
||||
(!strchr(ifname, '@') && atoi(port) == dnscrypt_port));
|
||||
#else
|
||||
(void)ifname;
|
||||
(void)port;
|
||||
(void)dnscrypt_port;
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
@ -114,6 +114,8 @@ struct config_file {
|
||||
int do_tcp_keepalive;
|
||||
/** tcp keepalive timeout, in msec */
|
||||
int tcp_keepalive_timeout;
|
||||
/** proxy protocol ports */
|
||||
struct config_strlist* proxy_protocol_port;
|
||||
|
||||
/** private key file for dnstcp-ssl service (enabled if not NULL) */
|
||||
char* ssl_service_key;
|
||||
@ -461,6 +463,16 @@ struct config_file {
|
||||
struct config_str3list* acl_tag_datas;
|
||||
/** list of aclname, view*/
|
||||
struct config_str2list* acl_view;
|
||||
/** list of interface action entries, linked list */
|
||||
struct config_str2list* interface_actions;
|
||||
/** list of interface, tagbitlist */
|
||||
struct config_strbytelist* interface_tags;
|
||||
/** list of interface, tagname, localzonetype */
|
||||
struct config_str3list* interface_tag_actions;
|
||||
/** list of interface, tagname, redirectdata */
|
||||
struct config_str3list* interface_tag_datas;
|
||||
/** list of interface, view*/
|
||||
struct config_str2list* interface_view;
|
||||
/** list of IP-netblock, tagbitlist */
|
||||
struct config_strbytelist* respip_tags;
|
||||
/** list of response-driven access control entries, linked list */
|
||||
@ -1262,6 +1274,8 @@ struct config_parser_state {
|
||||
struct config_file* cfg;
|
||||
/** the current chroot dir (or NULL if none) */
|
||||
const char* chroot;
|
||||
/** if we are started in a toplevel, or not, after a force_toplevel */
|
||||
int started_toplevel;
|
||||
};
|
||||
|
||||
/** global config parser object used during config parsing */
|
||||
@ -1310,6 +1324,12 @@ int if_is_https(const char* ifname, const char* port, int https_port);
|
||||
*/
|
||||
int cfg_has_https(struct config_file* cfg);
|
||||
|
||||
/** see if interface is PROXYv2, its port number == the proxy port number */
|
||||
int if_is_pp2(const char* ifname, const char* port,
|
||||
struct config_strlist* proxy_protocol_port);
|
||||
|
||||
/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */
|
||||
int if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port);
|
||||
#ifdef USE_LINUX_IP_LOCAL_PORT_RANGE
|
||||
#define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range"
|
||||
#endif
|
||||
|
@ -365,6 +365,7 @@ view-first{COLON} { YDVAR(1, VAR_VIEW_FIRST) }
|
||||
do-not-query-address{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
|
||||
do-not-query-localhost{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
|
||||
access-control{COLON} { YDVAR(2, VAR_ACCESS_CONTROL) }
|
||||
interface-action{COLON} { YDVAR(2, VAR_INTERFACE_ACTION) }
|
||||
send-client-subnet{COLON} { YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
|
||||
client-subnet-zone{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
|
||||
client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
|
||||
@ -467,6 +468,10 @@ access-control-tag{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
|
||||
access-control-tag-action{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
|
||||
access-control-tag-data{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
|
||||
access-control-view{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
|
||||
interface-tag{COLON} { YDVAR(2, VAR_INTERFACE_TAG) }
|
||||
interface-tag-action{COLON} { YDVAR(3, VAR_INTERFACE_TAG_ACTION) }
|
||||
interface-tag-data{COLON} { YDVAR(3, VAR_INTERFACE_TAG_DATA) }
|
||||
interface-view{COLON} { YDVAR(2, VAR_INTERFACE_VIEW) }
|
||||
local-zone-override{COLON} { YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
|
||||
dnstap{COLON} { YDVAR(0, VAR_DNSTAP) }
|
||||
dnstap-enable{COLON} { YDVAR(1, VAR_DNSTAP_ENABLE) }
|
||||
@ -558,6 +563,7 @@ edns-client-string{COLON} { YDVAR(2, VAR_EDNS_CLIENT_STRING) }
|
||||
edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
|
||||
nsid{COLON} { YDVAR(1, VAR_NSID ) }
|
||||
ede{COLON} { YDVAR(1, VAR_EDE ) }
|
||||
proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) }
|
||||
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
|
||||
|
||||
/* Quoted strings. Strip leading and ending quotes */
|
||||
|
@ -52,6 +52,7 @@ int ub_c_lex(void);
|
||||
void ub_c_error(const char *message);
|
||||
|
||||
static void validate_respip_action(const char* action);
|
||||
static void validate_acl_action(const char* action);
|
||||
|
||||
/* these need to be global, otherwise they cannot be used inside yacc */
|
||||
extern struct config_parser_state* cfg_parser;
|
||||
@ -190,6 +191,9 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID
|
||||
%token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE
|
||||
%token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS VAR_EDE
|
||||
%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG
|
||||
%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA
|
||||
%token VAR_PROXY_PROTOCOL_PORT
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -204,12 +208,14 @@ toplevelvar: serverstart contents_server | stubstart contents_stub |
|
||||
force_toplevel: VAR_FORCE_TOPLEVEL
|
||||
{
|
||||
OUTYY(("\nP(force-toplevel)\n"));
|
||||
cfg_parser->started_toplevel = 0;
|
||||
}
|
||||
;
|
||||
/* server: declaration */
|
||||
serverstart: VAR_SERVER
|
||||
{
|
||||
OUTYY(("\nP(server:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_server: contents_server content_server
|
||||
@ -287,6 +293,8 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_disable_dnssec_lame_check | server_access_control_tag |
|
||||
server_local_zone_override | server_access_control_tag_action |
|
||||
server_access_control_tag_data | server_access_control_view |
|
||||
server_interface_action | server_interface_view | server_interface_tag |
|
||||
server_interface_tag_action | server_interface_tag_data |
|
||||
server_qname_minimisation_strict |
|
||||
server_pad_responses | server_pad_responses_block_size |
|
||||
server_pad_queries | server_pad_queries_block_size |
|
||||
@ -313,13 +321,14 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_edns_client_string_opcode | server_nsid |
|
||||
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
|
||||
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
|
||||
server_interface_automatic_ports | server_ede
|
||||
|
||||
server_interface_automatic_ports | server_ede |
|
||||
server_proxy_protocol_port
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
struct config_stub* s;
|
||||
OUTYY(("\nP(stub_zone:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
s = (struct config_stub*)calloc(1, sizeof(struct config_stub));
|
||||
if(s) {
|
||||
s->next = cfg_parser->cfg->stubs;
|
||||
@ -338,6 +347,7 @@ forwardstart: VAR_FORWARD_ZONE
|
||||
{
|
||||
struct config_stub* s;
|
||||
OUTYY(("\nP(forward_zone:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
s = (struct config_stub*)calloc(1, sizeof(struct config_stub));
|
||||
if(s) {
|
||||
s->next = cfg_parser->cfg->forwards;
|
||||
@ -356,6 +366,7 @@ viewstart: VAR_VIEW
|
||||
{
|
||||
struct config_view* s;
|
||||
OUTYY(("\nP(view:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
s = (struct config_view*)calloc(1, sizeof(struct config_view));
|
||||
if(s) {
|
||||
s->next = cfg_parser->cfg->views;
|
||||
@ -376,6 +387,7 @@ authstart: VAR_AUTH_ZONE
|
||||
{
|
||||
struct config_auth* s;
|
||||
OUTYY(("\nP(auth_zone:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
s = (struct config_auth*)calloc(1, sizeof(struct config_auth));
|
||||
if(s) {
|
||||
s->next = cfg_parser->cfg->auths;
|
||||
@ -474,6 +486,7 @@ rpzstart: VAR_RPZ
|
||||
{
|
||||
struct config_auth* s;
|
||||
OUTYY(("\nP(rpz:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
s = (struct config_auth*)calloc(1, sizeof(struct config_auth));
|
||||
if(s) {
|
||||
s->next = cfg_parser->cfg->auths;
|
||||
@ -1842,21 +1855,18 @@ server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG
|
||||
server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
|
||||
if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
|
||||
strcmp($3, "deny_non_local")!=0 &&
|
||||
strcmp($3, "refuse_non_local")!=0 &&
|
||||
strcmp($3, "allow_setrd")!=0 &&
|
||||
strcmp($3, "allow")!=0 &&
|
||||
strcmp($3, "allow_snoop")!=0) {
|
||||
yyerror("expected deny, refuse, deny_non_local, "
|
||||
"refuse_non_local, allow, allow_setrd or "
|
||||
"allow_snoop in access control action");
|
||||
free($2);
|
||||
free($3);
|
||||
} else {
|
||||
validate_acl_action($3);
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
|
||||
fatal_exit("out of memory adding acl");
|
||||
}
|
||||
;
|
||||
server_interface_action: VAR_INTERFACE_ACTION STRING_ARG STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_interface_action:%s %s)\n", $2, $3));
|
||||
validate_acl_action($3);
|
||||
if(!cfg_str2list_insert(
|
||||
&cfg_parser->cfg->interface_actions, $2, $3))
|
||||
fatal_exit("out of memory adding acl");
|
||||
}
|
||||
;
|
||||
server_module_conf: VAR_MODULE_CONF STRING_ARG
|
||||
@ -2414,6 +2424,60 @@ server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG
|
||||
}
|
||||
}
|
||||
;
|
||||
server_interface_tag: VAR_INTERFACE_TAG STRING_ARG STRING_ARG
|
||||
{
|
||||
size_t len = 0;
|
||||
uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, $3,
|
||||
&len);
|
||||
free($3);
|
||||
OUTYY(("P(server_interface_tag:%s)\n", $2));
|
||||
if(!bitlist) {
|
||||
yyerror("could not parse tags, (define-tag them first)");
|
||||
free($2);
|
||||
}
|
||||
if(bitlist) {
|
||||
if(!cfg_strbytelist_insert(
|
||||
&cfg_parser->cfg->interface_tags,
|
||||
$2, bitlist, len)) {
|
||||
yyerror("out of memory");
|
||||
free($2);
|
||||
}
|
||||
}
|
||||
}
|
||||
;
|
||||
server_interface_tag_action: VAR_INTERFACE_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_interface_tag_action:%s %s %s)\n", $2, $3, $4));
|
||||
if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_actions,
|
||||
$2, $3, $4)) {
|
||||
yyerror("out of memory");
|
||||
free($2);
|
||||
free($3);
|
||||
free($4);
|
||||
}
|
||||
}
|
||||
;
|
||||
server_interface_tag_data: VAR_INTERFACE_TAG_DATA STRING_ARG STRING_ARG STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_interface_tag_data:%s %s %s)\n", $2, $3, $4));
|
||||
if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_datas,
|
||||
$2, $3, $4)) {
|
||||
yyerror("out of memory");
|
||||
free($2);
|
||||
free($3);
|
||||
free($4);
|
||||
}
|
||||
}
|
||||
;
|
||||
server_interface_view: VAR_INTERFACE_VIEW STRING_ARG STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_interface_view:%s %s)\n", $2, $3));
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->interface_view,
|
||||
$2, $3)) {
|
||||
yyerror("out of memory");
|
||||
}
|
||||
}
|
||||
;
|
||||
server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG
|
||||
{
|
||||
size_t len = 0;
|
||||
@ -2761,6 +2825,13 @@ server_ede: VAR_EDE STRING_ARG
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_proxy_protocol_port: VAR_PROXY_PROTOCOL_PORT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_proxy_protocol_port:%s)\n", $2));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->proxy_protocol_port, $2))
|
||||
yyerror("out of memory");
|
||||
}
|
||||
;
|
||||
stub_name: VAR_NAME STRING_ARG
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", $2));
|
||||
@ -3103,6 +3174,7 @@ view_first: VAR_VIEW_FIRST STRING_ARG
|
||||
rcstart: VAR_REMOTE_CONTROL
|
||||
{
|
||||
OUTYY(("\nP(remote-control:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_rc: contents_rc content_rc
|
||||
@ -3175,6 +3247,7 @@ rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING_ARG
|
||||
dtstart: VAR_DNSTAP
|
||||
{
|
||||
OUTYY(("\nP(dnstap:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_dt: contents_dt content_dt
|
||||
@ -3357,6 +3430,7 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
|
||||
pythonstart: VAR_PYTHON
|
||||
{
|
||||
OUTYY(("\nP(python:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_py: contents_py content_py
|
||||
@ -3372,6 +3446,7 @@ py_script: VAR_PYTHON_SCRIPT STRING_ARG
|
||||
dynlibstart: VAR_DYNLIB
|
||||
{
|
||||
OUTYY(("\nP(dynlib:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_dl: contents_dl content_dl
|
||||
@ -3421,6 +3496,7 @@ server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG
|
||||
dnscstart: VAR_DNSCRYPT
|
||||
{
|
||||
OUTYY(("\nP(dnscrypt:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_dnsc: contents_dnsc content_dnsc
|
||||
@ -3530,6 +3606,7 @@ dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG
|
||||
cachedbstart: VAR_CACHEDB
|
||||
{
|
||||
OUTYY(("\nP(cachedb:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_cachedb: contents_cachedb content_cachedb
|
||||
@ -3629,6 +3706,7 @@ server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
|
||||
ipsetstart: VAR_IPSET
|
||||
{
|
||||
OUTYY(("\nP(ipset:)\n"));
|
||||
cfg_parser->started_toplevel = 1;
|
||||
}
|
||||
;
|
||||
contents_ipset: contents_ipset content_ipset
|
||||
@ -3685,4 +3763,19 @@ validate_respip_action(const char* action)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
validate_acl_action(const char* action)
|
||||
{
|
||||
if(strcmp(action, "deny")!=0 &&
|
||||
strcmp(action, "refuse")!=0 &&
|
||||
strcmp(action, "deny_non_local")!=0 &&
|
||||
strcmp(action, "refuse_non_local")!=0 &&
|
||||
strcmp(action, "allow_setrd")!=0 &&
|
||||
strcmp(action, "allow")!=0 &&
|
||||
strcmp(action, "allow_snoop")!=0)
|
||||
{
|
||||
yyerror("expected deny, refuse, deny_non_local, "
|
||||
"refuse_non_local, allow, allow_setrd or "
|
||||
"allow_snoop as access control action");
|
||||
}
|
||||
}
|
||||
|
@ -221,6 +221,7 @@ fptr_whitelist_rbtree_cmp(int (*fptr) (const void *, const void *))
|
||||
if(fptr == &mesh_state_compare) return 1;
|
||||
else if(fptr == &mesh_state_ref_compare) return 1;
|
||||
else if(fptr == &addr_tree_compare) return 1;
|
||||
else if(fptr == &addr_tree_addrport_compare) return 1;
|
||||
else if(fptr == &local_zone_cmp) return 1;
|
||||
else if(fptr == &local_data_cmp) return 1;
|
||||
else if(fptr == &fwd_cmp) return 1;
|
||||
|
@ -235,10 +235,9 @@ log_addr(enum verbosity_value v, const char* str,
|
||||
|
||||
int
|
||||
extstrtoaddr(const char* str, struct sockaddr_storage* addr,
|
||||
socklen_t* addrlen)
|
||||
socklen_t* addrlen, int port)
|
||||
{
|
||||
char* s;
|
||||
int port = UNBOUND_DNS_PORT;
|
||||
if((s=strchr(str, '@'))) {
|
||||
char buf[MAX_ADDR_STRLEN];
|
||||
if(s-str >= MAX_ADDR_STRLEN) {
|
||||
@ -255,7 +254,6 @@ extstrtoaddr(const char* str, struct sockaddr_storage* addr,
|
||||
return ipstrtoaddr(str, port, addr, addrlen);
|
||||
}
|
||||
|
||||
|
||||
int
|
||||
ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr,
|
||||
socklen_t* addrlen)
|
||||
|
@ -96,6 +96,11 @@ extern uint16_t EDNS_ADVERTISED_SIZE;
|
||||
/** return a random 16-bit number given a random source */
|
||||
#define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff)
|
||||
|
||||
/** define MSG_DONTWAIT for unsupported platforms */
|
||||
#ifndef MSG_DONTWAIT
|
||||
#define MSG_DONTWAIT 0
|
||||
#endif
|
||||
|
||||
/** minimal responses when positive answer */
|
||||
extern int MINIMAL_RESPONSES;
|
||||
|
||||
@ -178,10 +183,11 @@ void log_err_addr(const char* str, const char* err,
|
||||
* @param str: the string
|
||||
* @param addr: where to store sockaddr.
|
||||
* @param addrlen: length of stored sockaddr is returned.
|
||||
* @param port: default port.
|
||||
* @return 0 on error.
|
||||
*/
|
||||
int extstrtoaddr(const char* str, struct sockaddr_storage* addr,
|
||||
socklen_t* addrlen);
|
||||
socklen_t* addrlen, int port);
|
||||
|
||||
/**
|
||||
* Convert ip address string and port to sockaddr.
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -102,6 +102,8 @@ typedef int comm_point_callback_type(struct comm_point*, void*, int,
|
||||
|
||||
/** timeout to slow accept calls when not possible, in msec. */
|
||||
#define NETEVENT_SLOW_ACCEPT_TIME 2000
|
||||
/** timeout to slow down log print, so it does not spam the logs, in sec */
|
||||
#define SLOW_LOG_TIME 10
|
||||
|
||||
/**
|
||||
* A communication point dispatcher. Thread specific.
|
||||
@ -126,10 +128,11 @@ struct comm_reply {
|
||||
/** the comm_point with fd to send reply on to. */
|
||||
struct comm_point* c;
|
||||
/** the address (for UDP based communication) */
|
||||
struct sockaddr_storage addr;
|
||||
struct sockaddr_storage remote_addr;
|
||||
/** length of address */
|
||||
socklen_t addrlen;
|
||||
/** return type 0 (none), 4(IP4), 6(IP6) */
|
||||
socklen_t remote_addrlen;
|
||||
/** return type 0 (none), 4(IP4), 6(IP6)
|
||||
* used only with listen_type_udp_ancil* */
|
||||
int srctype;
|
||||
/* DnsCrypt context */
|
||||
#ifdef USE_DNSCRYPT
|
||||
@ -153,6 +156,13 @@ struct comm_reply {
|
||||
pktinfo;
|
||||
/** max udp size for udp packets */
|
||||
size_t max_udp_size;
|
||||
/* if set, the request came through a proxy */
|
||||
int is_proxied;
|
||||
/** the client address
|
||||
* the same as remote_addr if not proxied */
|
||||
struct sockaddr_storage client_addr;
|
||||
/** the original address length */
|
||||
socklen_t client_addrlen;
|
||||
};
|
||||
|
||||
/**
|
||||
@ -276,6 +286,19 @@ struct comm_point {
|
||||
/** variable with type of socket, UDP,TCP-accept,TCP,pipe */
|
||||
type;
|
||||
|
||||
/* -------- PROXYv2 ------- */
|
||||
/** if set, PROXYv2 is expected on this connection */
|
||||
int pp2_enabled;
|
||||
/** header state for the PROXYv2 header (for TCP) */
|
||||
enum {
|
||||
/** no header encounter yet */
|
||||
pp2_header_none = 0,
|
||||
/** read the static part of the header */
|
||||
pp2_header_init,
|
||||
/** read the full header */
|
||||
pp2_header_done
|
||||
} pp2_header_state;
|
||||
|
||||
/* ---------- Behaviour ----------- */
|
||||
/** if set the connection is NOT closed on delete. */
|
||||
int do_not_close;
|
||||
@ -496,6 +519,7 @@ struct ub_event_base* comm_base_internal(struct comm_base* b);
|
||||
* @param base: in which base to alloc the commpoint.
|
||||
* @param fd: file descriptor of open UDP socket.
|
||||
* @param buffer: shared buffer by UDP sockets from this thread.
|
||||
* @param pp2_enabled: if the comm point will support PROXYv2.
|
||||
* @param callback: callback function pointer.
|
||||
* @param callback_arg: will be passed to your callback function.
|
||||
* @param socket: and opened socket properties will be passed to your callback function.
|
||||
@ -503,7 +527,7 @@ struct ub_event_base* comm_base_internal(struct comm_base* b);
|
||||
* Sets timeout to NULL. Turns off TCP options.
|
||||
*/
|
||||
struct comm_point* comm_point_create_udp(struct comm_base* base,
|
||||
int fd, struct sldns_buffer* buffer,
|
||||
int fd, struct sldns_buffer* buffer, int pp2_enabled,
|
||||
comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
|
||||
|
||||
/**
|
||||
@ -513,6 +537,7 @@ struct comm_point* comm_point_create_udp(struct comm_base* base,
|
||||
* @param base: in which base to alloc the commpoint.
|
||||
* @param fd: file descriptor of open UDP socket.
|
||||
* @param buffer: shared buffer by UDP sockets from this thread.
|
||||
* @param pp2_enabled: if the comm point will support PROXYv2.
|
||||
* @param callback: callback function pointer.
|
||||
* @param callback_arg: will be passed to your callback function.
|
||||
* @param socket: and opened socket properties will be passed to your callback function.
|
||||
@ -520,7 +545,7 @@ struct comm_point* comm_point_create_udp(struct comm_base* base,
|
||||
* Sets timeout to NULL. Turns off TCP options.
|
||||
*/
|
||||
struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
|
||||
int fd, struct sldns_buffer* buffer,
|
||||
int fd, struct sldns_buffer* buffer, int pp2_enabled,
|
||||
comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
|
||||
|
||||
/**
|
||||
@ -542,6 +567,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
|
||||
* or NULL to not create those structures in the tcp handlers.
|
||||
* @param port_type: the type of port we are creating a TCP listener for. Used
|
||||
* to select handler type to use.
|
||||
* @param pp2_enabled: if the comm point will support PROXYv2.
|
||||
* @param callback: callback function pointer for TCP handlers.
|
||||
* @param callback_arg: will be passed to your callback function.
|
||||
* @param socket: and opened socket properties will be passed to your callback function.
|
||||
@ -555,7 +581,7 @@ struct comm_point* comm_point_create_tcp(struct comm_base* base,
|
||||
uint32_t http_max_streams, char* http_endpoint,
|
||||
struct tcl_list* tcp_conn_limit,
|
||||
size_t bufsize, struct sldns_buffer* spoolbuf,
|
||||
enum listen_type port_type,
|
||||
enum listen_type port_type, int pp2_enabled,
|
||||
comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket);
|
||||
|
||||
/**
|
||||
|
139
contrib/unbound/util/proxy_protocol.c
Normal file
139
contrib/unbound/util/proxy_protocol.c
Normal file
@ -0,0 +1,139 @@
|
||||
/*
|
||||
* util/proxy_protocol.c - event notification
|
||||
*
|
||||
* Copyright (c) 2022, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* This file contains PROXY protocol functions.
|
||||
*/
|
||||
#include "config.h"
|
||||
#include "util/log.h"
|
||||
#include "util/proxy_protocol.h"
|
||||
|
||||
int
|
||||
pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
|
||||
int stream)
|
||||
{
|
||||
int af;
|
||||
if(!src) return 0;
|
||||
af = (int)((struct sockaddr_in*)src)->sin_family;
|
||||
if(sldns_buffer_remaining(buf) <
|
||||
PP2_HEADER_SIZE + (af==AF_INET?12:36)) {
|
||||
return 0;
|
||||
}
|
||||
/* sig */
|
||||
sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN);
|
||||
/* version and command */
|
||||
sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY);
|
||||
if(af==AF_INET) {
|
||||
/* family and protocol */
|
||||
sldns_buffer_write_u8(buf,
|
||||
(PP2_AF_INET<<4) |
|
||||
(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
|
||||
/* length */
|
||||
sldns_buffer_write_u16(buf, 12);
|
||||
/* src addr */
|
||||
sldns_buffer_write(buf,
|
||||
&((struct sockaddr_in*)src)->sin_addr.s_addr, 4);
|
||||
/* dst addr */
|
||||
sldns_buffer_write_u32(buf, 0);
|
||||
/* src port */
|
||||
sldns_buffer_write(buf,
|
||||
&((struct sockaddr_in*)src)->sin_port, 2);
|
||||
/* dst port */
|
||||
sldns_buffer_write_u16(buf, 0);
|
||||
} else {
|
||||
/* family and protocol */
|
||||
sldns_buffer_write_u8(buf,
|
||||
(PP2_AF_INET6<<4) |
|
||||
(stream?PP2_PROT_STREAM:PP2_PROT_DGRAM));
|
||||
/* length */
|
||||
sldns_buffer_write_u16(buf, 36);
|
||||
/* src addr */
|
||||
sldns_buffer_write(buf,
|
||||
&((struct sockaddr_in6*)src)->sin6_addr, 16);
|
||||
/* dst addr */
|
||||
sldns_buffer_set_at(buf,
|
||||
sldns_buffer_position(buf), 0, 16);
|
||||
sldns_buffer_skip(buf, 16);
|
||||
/* src port */
|
||||
sldns_buffer_write(buf,
|
||||
&((struct sockaddr_in6*)src)->sin6_port, 2);
|
||||
/* dst port */
|
||||
sldns_buffer_write_u16(buf, 0);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
struct pp2_header*
|
||||
pp2_read_header(struct sldns_buffer* buf)
|
||||
{
|
||||
size_t size;
|
||||
struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf);
|
||||
/* Try to fail all the unsupported cases first. */
|
||||
if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) {
|
||||
log_err("proxy_protocol: not enough space for header");
|
||||
return NULL;
|
||||
}
|
||||
/* Check for PROXYv2 header */
|
||||
if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 ||
|
||||
((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) {
|
||||
log_err("proxy_protocol: could not match PROXYv2 header");
|
||||
return NULL;
|
||||
}
|
||||
/* Check the length */
|
||||
size = PP2_HEADER_SIZE + ntohs(header->len);
|
||||
if(sldns_buffer_remaining(buf) < size) {
|
||||
log_err("proxy_protocol: not enough space for header");
|
||||
return NULL;
|
||||
}
|
||||
/* Check for supported commands */
|
||||
if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL &&
|
||||
(header->ver_cmd & 0xF) != PP2_CMD_PROXY) {
|
||||
log_err("proxy_protocol: unsupported command");
|
||||
return NULL;
|
||||
}
|
||||
/* Check for supported family and protocol */
|
||||
if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ &&
|
||||
header->fam_prot != 0x11 /* AF_INET|STREAM */ &&
|
||||
header->fam_prot != 0x12 /* AF_INET|DGRAM */ &&
|
||||
header->fam_prot != 0x21 /* AF_INET6|STREAM */ &&
|
||||
header->fam_prot != 0x22 /* AF_INET6|DGRAM */) {
|
||||
log_err("proxy_protocol: unsupported family and protocol");
|
||||
return NULL;
|
||||
}
|
||||
/* We have a correct header */
|
||||
return header;
|
||||
}
|
131
contrib/unbound/util/proxy_protocol.h
Normal file
131
contrib/unbound/util/proxy_protocol.h
Normal file
@ -0,0 +1,131 @@
|
||||
/*
|
||||
* util/proxy_protocol.h - PROXY protocol
|
||||
*
|
||||
* Copyright (c) 2022, NLnet Labs. All rights reserved.
|
||||
*
|
||||
* This software is open source.
|
||||
*
|
||||
* Redistribution and use in source and binary forms, with or without
|
||||
* modification, are permitted provided that the following conditions
|
||||
* are met:
|
||||
*
|
||||
* Redistributions of source code must retain the above copyright notice,
|
||||
* this list of conditions and the following disclaimer.
|
||||
*
|
||||
* Redistributions in binary form must reproduce the above copyright notice,
|
||||
* this list of conditions and the following disclaimer in the documentation
|
||||
* and/or other materials provided with the distribution.
|
||||
*
|
||||
* Neither the name of the NLNET LABS nor the names of its contributors may
|
||||
* be used to endorse or promote products derived from this software without
|
||||
* specific prior written permission.
|
||||
*
|
||||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
|
||||
* TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
|
||||
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
|
||||
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
|
||||
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
|
||||
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/**
|
||||
* \file
|
||||
*
|
||||
* This file contains PROXY protocol structs and functions.
|
||||
* Only v2 is supported. TLVs are not currently supported.
|
||||
*/
|
||||
#ifndef PROXY_PROTOCOL_H
|
||||
#define PROXY_PROTOCOL_H
|
||||
|
||||
#include "sldns/sbuffer.h"
|
||||
|
||||
/** PROXYv2 minimum header size */
|
||||
#define PP2_HEADER_SIZE 16
|
||||
|
||||
/** PROXYv2 header signature */
|
||||
#define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"
|
||||
#define PP2_SIG_LEN 12
|
||||
|
||||
/** PROXYv2 version */
|
||||
#define PP2_VERSION 0x2
|
||||
|
||||
/**
|
||||
* PROXYv2 command.
|
||||
*/
|
||||
enum pp2_command {
|
||||
PP2_CMD_LOCAL = 0x0,
|
||||
PP2_CMD_PROXY = 0x1
|
||||
};
|
||||
|
||||
/**
|
||||
* PROXYv2 address family.
|
||||
*/
|
||||
enum pp2_af {
|
||||
PP2_AF_UNSPEC = 0x0,
|
||||
PP2_AF_INET = 0x1,
|
||||
PP2_AF_INET6 = 0x2,
|
||||
PP2_AF_UNIX = 0x3
|
||||
};
|
||||
|
||||
/**
|
||||
* PROXYv2 protocol.
|
||||
*/
|
||||
enum pp2_protocol {
|
||||
PP2_PROT_UNSPEC = 0x0,
|
||||
PP2_PROT_STREAM = 0x1,
|
||||
PP2_PROT_DGRAM = 0x2
|
||||
};
|
||||
|
||||
/**
|
||||
* PROXYv2 header.
|
||||
*/
|
||||
struct pp2_header {
|
||||
uint8_t sig[PP2_SIG_LEN];
|
||||
uint8_t ver_cmd;
|
||||
uint8_t fam_prot;
|
||||
uint16_t len;
|
||||
union {
|
||||
struct { /* for TCP/UDP over IPv4, len = 12 */
|
||||
uint32_t src_addr;
|
||||
uint32_t dst_addr;
|
||||
uint16_t src_port;
|
||||
uint16_t dst_port;
|
||||
} addr4;
|
||||
struct { /* for TCP/UDP over IPv6, len = 36 */
|
||||
uint8_t src_addr[16];
|
||||
uint8_t dst_addr[16];
|
||||
uint16_t src_port;
|
||||
uint16_t dst_port;
|
||||
} addr6;
|
||||
struct { /* for AF_UNIX sockets, len = 216 */
|
||||
uint8_t src_addr[108];
|
||||
uint8_t dst_addr[108];
|
||||
} addru;
|
||||
} addr;
|
||||
};
|
||||
|
||||
/**
|
||||
* Write a PROXYv2 header at the current position of the buffer.
|
||||
* @param buf: the buffer to write to.
|
||||
* @param src: the source address.
|
||||
* @param stream: if the protocol is stream or datagram.
|
||||
* @return 1 on success, 0 on failure.
|
||||
*/
|
||||
int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src,
|
||||
int stream);
|
||||
|
||||
/**
|
||||
* Read a PROXYv2 header from the current position of the buffer.
|
||||
* It does initial validation and returns a pointer to the buffer position on
|
||||
* success.
|
||||
* @param buf: the buffer to read from.
|
||||
* @return the pointer to the buffer position on success, NULL on error.
|
||||
*/
|
||||
struct pp2_header* pp2_read_header(struct sldns_buffer* buf);
|
||||
|
||||
#endif /* PROXY_PROTOCOL_H */
|
@ -71,6 +71,14 @@ int addr_tree_compare(const void* k1, const void* k2)
|
||||
return 0;
|
||||
}
|
||||
|
||||
int addr_tree_addrport_compare(const void* k1, const void* k2)
|
||||
{
|
||||
struct addr_tree_node* n1 = (struct addr_tree_node*)k1;
|
||||
struct addr_tree_node* n2 = (struct addr_tree_node*)k2;
|
||||
return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr,
|
||||
n2->addrlen);
|
||||
}
|
||||
|
||||
void name_tree_init(rbtree_type* tree)
|
||||
{
|
||||
rbtree_init(tree, &name_tree_compare);
|
||||
@ -81,6 +89,11 @@ void addr_tree_init(rbtree_type* tree)
|
||||
rbtree_init(tree, &addr_tree_compare);
|
||||
}
|
||||
|
||||
void addr_tree_addrport_init(rbtree_type* tree)
|
||||
{
|
||||
rbtree_init(tree, &addr_tree_addrport_compare);
|
||||
}
|
||||
|
||||
int name_tree_insert(rbtree_type* tree, struct name_tree_node* node,
|
||||
uint8_t* name, size_t len, int labs, uint16_t dclass)
|
||||
{
|
||||
|
@ -153,6 +153,13 @@ int name_tree_next_root(rbtree_type* tree, uint16_t* dclass);
|
||||
*/
|
||||
void addr_tree_init(rbtree_type* tree);
|
||||
|
||||
/**
|
||||
* Init addr tree to be empty.
|
||||
* The comparison function to be used is addr_tree_addrport_compare.
|
||||
* @param tree: to init.
|
||||
*/
|
||||
void addr_tree_addrport_init(rbtree_type* tree);
|
||||
|
||||
/**
|
||||
* insert element into addr tree.
|
||||
* @param tree: addr tree
|
||||
@ -207,4 +214,7 @@ int name_tree_compare(const void* k1, const void* k2);
|
||||
/** compare addr tree nodes */
|
||||
int addr_tree_compare(const void* k1, const void* k2);
|
||||
|
||||
/** compare addr tree nodes (address and port only) */
|
||||
int addr_tree_addrport_compare(const void* k1, const void* k2);
|
||||
|
||||
#endif /* UTIL_STORAGE_DNSTREE_H */
|
||||
|
@ -424,6 +424,28 @@ int tube_wait(struct tube* tube)
|
||||
return pollit(tube->sr, NULL);
|
||||
}
|
||||
|
||||
int tube_wait_timeout(struct tube* tube, int msec)
|
||||
{
|
||||
struct timeval t;
|
||||
int fd = tube->sr;
|
||||
fd_set r;
|
||||
t.tv_sec = msec/1000;
|
||||
t.tv_usec = (msec%1000)*1000;
|
||||
#ifndef S_SPLINT_S
|
||||
FD_ZERO(&r);
|
||||
FD_SET(FD_SET_T fd, &r);
|
||||
#endif
|
||||
while(1) {
|
||||
if(select(fd+1, &r, NULL, NULL, &t) == -1) {
|
||||
if(errno == EAGAIN || errno == EINTR)
|
||||
continue;
|
||||
return -1;
|
||||
}
|
||||
break;
|
||||
}
|
||||
return (int)(FD_ISSET(fd, &r));
|
||||
}
|
||||
|
||||
int tube_read_fd(struct tube* tube)
|
||||
{
|
||||
return tube->sr;
|
||||
@ -649,6 +671,26 @@ int tube_wait(struct tube* tube)
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tube_wait_timeout(struct tube* tube, int msec)
|
||||
{
|
||||
/* block on eventhandle */
|
||||
DWORD res = WSAWaitForMultipleEvents(
|
||||
1 /* one event in array */,
|
||||
&tube->event /* the event to wait for, our pipe signal */,
|
||||
0 /* wait for all events is false */,
|
||||
msec /* wait for timeout */,
|
||||
0 /* we are not alertable for IO completion routines */
|
||||
);
|
||||
if(res == WSA_WAIT_TIMEOUT) {
|
||||
return 0;
|
||||
}
|
||||
if(res == WSA_WAIT_IO_COMPLETION) {
|
||||
/* a bit unexpected, since we were not alertable */
|
||||
return -1;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
int tube_read_fd(struct tube* ATTR_UNUSED(tube))
|
||||
{
|
||||
/* nothing sensible on Windows */
|
||||
|
@ -204,6 +204,14 @@ int tube_poll(struct tube* tube);
|
||||
*/
|
||||
int tube_wait(struct tube* tube);
|
||||
|
||||
/**
|
||||
* Wait for data to be ready with a timeout.
|
||||
* @param tube: the tube to wait on.
|
||||
* @param msec: timeout in milliseconds.
|
||||
* @return 1 if there is something to read within timeout, readability.
|
||||
* 0 on a timeout. On failures -1, like errors. */
|
||||
int tube_wait_timeout(struct tube* tube, int msec);
|
||||
|
||||
/**
|
||||
* Get FD that is readable when new information arrives.
|
||||
* @param tube
|
||||
|
@ -23,7 +23,8 @@ SRCS= alloc.c as112.c authzone.c autotrust.c cachedb.c config_file.c \
|
||||
listen_dnsport.c localzone.c locks.c log.c lookup3.c lruhash.c \
|
||||
mesh.c mini_event.c modstack.c module.c msgencode.c msgparse.c \
|
||||
msgreply.c net_help.c netevent.c outbound_list.c outside_network.c \
|
||||
packed_rrset.c parse.c parseutil.c random.c rbtree.c redis.c \
|
||||
packed_rrset.c parse.c parseutil.c proxy_protocol.c \
|
||||
random.c rbtree.c redis.c \
|
||||
regional.c respip.c rpz.c rrdef.c rrset.c rtt.c sbuffer.c slabhash.c \
|
||||
str2wire.c tcp_conn_limit.c timehist.c tube.c ub_event_pluggable.c \
|
||||
val_anchor.c val_kcache.c val_kentry.c val_neg.c val_nsec.c \
|
||||
|
@ -6776,8 +6776,6 @@ nfsvno_setxattr(struct vnode *vp, char *name, int len, struct mbuf *m,
|
||||
if (error == 0) {
|
||||
error = VOP_SETEXTATTR(vp, EXTATTR_NAMESPACE_USER, name, uiop,
|
||||
cred, p);
|
||||
if (error == 0)
|
||||
error = VOP_FSYNC(vp, MNT_WAIT, p);
|
||||
free(iv, M_TEMP);
|
||||
}
|
||||
|
||||
@ -6813,8 +6811,6 @@ nfsvno_rmxattr(struct nfsrv_descript *nd, struct vnode *vp, char *name,
|
||||
if (error == EOPNOTSUPP)
|
||||
error = VOP_SETEXTATTR(vp, EXTATTR_NAMESPACE_USER, name, NULL,
|
||||
cred, p);
|
||||
if (error == 0)
|
||||
error = VOP_FSYNC(vp, MNT_WAIT, p);
|
||||
out:
|
||||
NFSEXITCODE(error);
|
||||
return (error);
|
||||
|
@ -731,7 +731,7 @@
|
||||
#define PACKAGE_NAME "unbound"
|
||||
|
||||
/* Define to the full name and version of this package. */
|
||||
#define PACKAGE_STRING "unbound 1.16.3"
|
||||
#define PACKAGE_STRING "unbound 1.17.0"
|
||||
|
||||
/* Define to the one symbol short name of this package. */
|
||||
#define PACKAGE_TARNAME "unbound"
|
||||
@ -740,7 +740,7 @@
|
||||
#define PACKAGE_URL ""
|
||||
|
||||
/* Define to the version of this package. */
|
||||
#define PACKAGE_VERSION "1.16.3"
|
||||
#define PACKAGE_VERSION "1.17.0"
|
||||
|
||||
/* default pidfile location */
|
||||
#define PIDFILE "/var/unbound/unbound.pid"
|
||||
@ -762,7 +762,7 @@
|
||||
#define ROOT_CERT_FILE "/var/unbound/icannbundle.pem"
|
||||
|
||||
/* version number for resource files */
|
||||
#define RSRC_PACKAGE_VERSION 1,16,3,0
|
||||
#define RSRC_PACKAGE_VERSION 1,17,0,0
|
||||
|
||||
/* Directory to chdir to */
|
||||
#define RUN_DIR "/var/unbound"
|
||||
|
Loading…
Reference in New Issue
Block a user