Has a few fixes. The new "IPSet" code is linux only. Diff below is in order:
changelog, code changes, build scaffolding.
Any comments/concerns/OKs?
Index: doc/Changelog
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/Changelog,v
retrieving revision 1.33
diff -u -p -r1.33 Changelog
--- doc/Changelog 28 Jun 2019 15:17:16 -0000 1.33
+++ doc/Changelog 30 Aug 2019 13:58:03 -0000
@@ -1,6 +1,117 @@
+22 August 2019: Wouter
+ - Fix that pkg-config is setup before --enable-systemd needs it.
+ - 1.9.3rc2 release candidate tag.
+
+21 August 2019: Wouter
+ - Fix log_dns_msg to log irrespective of minimal responses config.
+
+19 August 2019: Ralph
+ - Document limitation of pidfile removal outside of chroot directory.
+
+16 August 2019: Wouter
+ - Fix unittest valgrind false positive uninitialised value report,
+ where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0
+ issues an uninitialised value for the token buffer at the str2wire.c
+ rrinternal_get_owner() strcmp with the '@' value. Rewritten to use
+ straight character comparisons removes the false positive. Also
+ valgrinds --expensive-definedness-checks=yes can stop this false
+ positive.
+ - Please doxygen's parser for "@" occurrence in doxygen comment.
+ - Fixup contrib/fastrpz.patch
+ - Remove warning about unknown cast-function-type warning pragma.
+
+15 August 2019: Wouter
+ - iana portlist updated.
+ - Fix autotrust temp file uniqueness windows compile.
+ - avoid warning about upcast on 32bit systems for autotrust.
+ - escape commandline contents for -V.
+ - Fix character buffer size in ub_ctx_hosts.
+ - 1.9.3rc1 release candidate tag.
+ - Option -V prints if TCP fastopen is available.
+
+14 August 2019: George
+ - Fix #59, when compiled with systemd support check that we can properly
+ communicate with systemd through the `NOTIFY_SOCKET`.
+
+14 August 2019: Wouter
+ - Generate configlexer with newer flex.
+ - Fix warning for unused variable for compilation without systemd.
+
+12 August 2019: George
+ - Introduce `-V` option to print the version number and build options.
+ Previously reported build options like linked libs and linked modules
+ are now moved from `-h` to `-V` as well for consistency.
+ - PACKAGE_BUGREPORT now also includes link to GitHub issues.
+
+1 August 2019: Wouter
+ - For #52 #53, second context does not close logfile override.
+ - Fix #52 #53, fix for example fail program.
+ - Fix to return after failed auth zone http chunk write.
+ - Fix to remove unused test for task_probe existance.
+ - Fix to timeval_add for remaining second in microseconds.
+ - Check repinfo in worker_handle_request, if null, drop it.
+
+29 July 2019: Wouter
+ - Add verbose log message when auth zone file is written, at level 4.
+ - Add hex print of trust anchor pointer to trust anchor file temp
+ name to make it unique, for libunbound created multiple contexts.
+
+23 July 2019: Wouter
+ - Fix question section mismatch in local zone redirect.
+
+19 July 2019: Wouter
+ - Fix #49: Set no renegotiation on the SSL context to stop client
+ session renegotiation.
+
+12 July 2019: Wouter
+ - Fix #48: Unbound returns additional records on NODATA response,
+ if minimal-responses is enabled, also the additional for negative
+ responses is removed.
+
+9 July 2019: Ralph
+ - Fix in respip addrtree selection. Absence of addr_tree_init_parents()
+ call made it impossible to go up the tree when the matching netmask is
+ too specific.
+
+5 July 2019: Ralph
+ - Fix for possible assertion failure when answering respip CNAME from
+ cache.
+
+25 June 2019: Wouter
+ - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
+ when do-not-query-localhost is turned on, or at default on,
+ unbound-checkconf prints a warning if it is found in forward-addr or
+ stub-addr statements.
+
+24 June 2019: Wouter
+ - Fix memleak in unit test, reported from the clang 8.0 static analyzer.
+
+18 June 2019: Wouter
+ - PR #28: IPSet module, by Kevin Chou. Created a module to support
+ the ipset that could add the domain's ip to a list easily.
+ Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
+ - Fix to omit RRSIGs from addition to the ipset.
+ - Fix to make unbound-control with ipset, remove unused variable,
+ use unsigned type because of comparison, and assign null instead
+ of compare with it. Remade lex and yacc output.
+ - make depend
+ - Added documentation to the ipset files (for doxygen output).
+ - Merge PR #6: Python module: support multiple instances
+ - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
+ - Merge PR #4: Python module: assign something useful to the
+ per-query data store 'qdata'
+ - Fix python dict reference and double free in config.
+
+17 June 2019: Wouter
+ - Master contains version 1.9.3 in development.
+ - Fix #39: In libunbound, leftover logfile is close()d unpredictably.
+ - Fix for #24: Fix abort due to scan of auth zone masters using old
+ address from previous scan.
+
12 June 2019: Wouter
- Fix another spoolbuf storage code point, in prefetch.
- - 1.9.2rc3 release candidate tag.
+ - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release
+ on 17 June 2019.
11 June 2019: Wouter
- Fix that fixes the Fix that spoolbuf is not used to store tcp
Index: daemon/daemon.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/daemon.c,v
retrieving revision 1.12
diff -u -p -r1.12 daemon.c
--- daemon/daemon.c 27 Mar 2019 12:06:17 -0000 1.12
+++ daemon/daemon.c 30 Aug 2019 13:58:03 -0000
@@ -575,6 +575,9 @@ void
daemon_fork(struct daemon* daemon)
{
int have_view_respip_cfg = 0;
+#ifdef HAVE_SYSTEMD
+ int ret;
+#endif
log_assert(daemon);
if(!(daemon->views = views_create()))
@@ -660,7 +663,12 @@ daemon_fork(struct daemon* daemon)
/* Start resolver service on main thread. */
#ifdef HAVE_SYSTEMD
- sd_notify(0, "READY=1");
+ ret = sd_notify(0, "READY=1");
+ if(ret <= 0 && getenv("NOTIFY_SOCKET"))
+ fatal_exit("sd_notify failed %s: %s. Make sure that unbound has
"
+ "access/permission to use the socket presented
by systemd.",
+ getenv("NOTIFY_SOCKET"),
+ (ret==0?"no $NOTIFY_SOCKET": strerror(-ret)));
#endif
log_info("start of service (%s).", PACKAGE_STRING);
worker_work(daemon->workers[0]);
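Review bot: the `ret==0` arm of the message is effectively unreachable: sd_notify returns 0 exactly when $NOTIFY_SOCKET is not set, but the condition `ret <= 0 && getenv("NOTIFY_SOCKET")` only reaches fatal_exit when the variable is present, so a user will never see "no $NOTIFY_SOCKET". Either drop that arm or word it for the case that can actually occur (a socket that is set but unusable). Note also that this fatal_exit runs at the point where the other workers are already started and the service is about to begin, so a permission problem on the notify socket takes down an otherwise working resolver; that matches the intent of fix #59 but deserves a line in the changelog entry.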
Index: daemon/stats.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/stats.c,v
retrieving revision 1.8
diff -u -p -r1.8 stats.c
--- daemon/stats.c 8 Feb 2019 10:29:08 -0000 1.8
+++ daemon/stats.c 30 Aug 2019 13:58:03 -0000
@@ -77,7 +77,7 @@ stats_timeval_add(long long* d_sec, long
#ifndef S_SPLINT_S
(*d_sec) += add_sec;
(*d_usec) += add_usec;
- if((*d_usec) > 1000000) {
+ if((*d_usec) >= 1000000) {
(*d_usec) -= 1000000;
(*d_sec)++;
}
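Review bot: `>=` is the right boundary (a microsecond field of exactly 1000000 must carry into the seconds), but the single subtraction only normalizes by one second, so the function still assumes both operands arrive with usec below 1000000; if that is not guaranteed by every caller, a `while` loop or a divmod is the safer form. The same change is made to timeval_add in services/mesh.c, so the two copies stay consistent.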
Index: daemon/unbound.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/unbound.c,v
retrieving revision 1.23
diff -u -p -r1.23 unbound.c
--- daemon/unbound.c 28 Jun 2019 15:17:16 -0000 1.23
+++ daemon/unbound.c 30 Aug 2019 13:58:03 -0000
@@ -88,31 +88,20 @@
# include "nss.h"
#endif
-/** print usage. */
-static void usage(void)
+/** print build options. */
+static void
+print_build_options(void)
{
const char** m;
const char *evnm="event", *evsys="", *evmethod="";
time_t t;
struct timeval now;
struct ub_event_base* base;
- printf("usage: unbound [options]\n");
- printf(" start unbound daemon DNS resolver.\n");
- printf("-h this help\n");
- printf("-c file config file to read instead of %s\n", CONFIGFILE);
- printf(" file format is described in unbound.conf(5).\n");
- printf("-d do not fork into the background.\n");
- printf("-p do not create a pidfile.\n");
- printf("-v verbose (more times to increase verbosity)\n");
-#ifdef UB_ON_WINDOWS
- printf("-w opt windows option: \n");
- printf(" install, remove - manage the services entry\n");
- printf(" service - used to start from services control panel\n");
-#endif
- printf("Version %s\n", PACKAGE_VERSION);
+ printf("Version %s\n\n", PACKAGE_VERSION);
+ printf("Configure line: %s\n", CONFCMDLINE);
base = ub_default_event_base(0,&t,&now);
ub_get_event_sys(base, &evnm, &evsys, &evmethod);
- printf("linked libs: %s %s (it uses %s), %s\n",
+ printf("Linked libs: %s %s (it uses %s), %s\n",
evnm, evsys, evmethod,
#ifdef HAVE_SSL
# ifdef SSLEAY_VERSION
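Review bot: CONFCMDLINE is used in print_build_options but nothing in this part of the diff defines it; make sure the build scaffolding adds it to config.h for the OpenBSD build, otherwise daemon/unbound.c no longer compiles. While this code is being moved, `base = ub_default_event_base(0,&t,&now);` is still handed to ub_get_event_sys without a NULL check; that was also true of the old usage(), but the path now runs for `-V` as well as `-h`, so a guard (or skipping the "Linked libs" line when base is NULL) would be cheap.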
@@ -126,16 +115,42 @@ static void usage(void)
"nettle"
#endif
);
- printf("linked modules:");
+ printf("Linked modules:");
for(m = module_list_avail(); *m; m++)
printf(" %s", *m);
printf("\n");
#ifdef USE_DNSCRYPT
printf("DNSCrypt feature available\n");
#endif
+#ifdef USE_TCP_FASTOPEN
+ printf("TCP Fastopen feature available\n");
+#endif
+ ub_event_base_free(base);
+ printf("\nBSD licensed, see LICENSE in source package for details.\n");
+ printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
+}
+
+/** print usage. */
+static void
+usage(void)
+{
+ printf("usage: unbound [options]\n");
+ printf(" start unbound daemon DNS resolver.\n");
+ printf("-h this help.\n");
+ printf("-c file config file to read instead of %s\n", CONFIGFILE);
+ printf(" file format is described in unbound.conf(5).\n");
+ printf("-d do not fork into the background.\n");
+ printf("-p do not create a pidfile.\n");
+ printf("-v verbose (more times to increase verbosity).\n");
+ printf("-V show version number and build options.\n");
+#ifdef UB_ON_WINDOWS
+ printf("-w opt windows option: \n");
+ printf(" install, remove - manage the services entry\n");
+ printf(" service - used to start from services control panel\n");
+#endif
+ printf("\nVersion %s\n", PACKAGE_VERSION);
printf("BSD licensed, see LICENSE in source package for details.\n");
printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
- ub_event_base_free(base);
}
#ifndef unbound_testbound
@@ -720,7 +735,7 @@ main(int argc, char* argv[])
log_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0];
log_ident_set(log_ident_default);
/* parse the options */
- while( (c=getopt(argc, argv, "c:dhpvw:")) != -1) {
+ while( (c=getopt(argc, argv, "c:dhpvw:V")) != -1) {
switch(c) {
case 'c':
cfgfile = optarg;
@@ -741,6 +756,9 @@ main(int argc, char* argv[])
case 'w':
winopt = optarg;
break;
+ case 'V':
+ print_build_options();
+ return 0;
case '?':
case 'h':
default:
Index: daemon/worker.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/daemon/worker.c,v
retrieving revision 1.24
diff -u -p -r1.24 worker.c
--- daemon/worker.c 28 Jun 2019 15:17:16 -0000 1.24
+++ daemon/worker.c 30 Aug 2019 13:58:03 -0000
@@ -721,8 +721,6 @@ answer_from_cache(struct worker* worker,
if(encode_rep != rep)
secure = 0; /* if rewritten, it can't be considered "secure" */
if(!encode_rep || *alias_rrset) {
- sldns_buffer_clear(repinfo->c->buffer);
- sldns_buffer_flip(repinfo->c->buffer);
if(!encode_rep)
*need_drop = 1;
else {
@@ -762,17 +760,14 @@ bail_out:
return 0;
}
-/** Reply to client and perform prefetch to keep cache up to date.
- * If the buffer for the reply is empty, it indicates that only prefetch is
- * necessary and the reply should be suppressed (because it's dropped or
- * being deferred). */
+/** Reply to client and perform prefetch to keep cache up to date. */
static void
reply_and_prefetch(struct worker* worker, struct query_info* qinfo,
- uint16_t flags, struct comm_reply* repinfo, time_t leeway)
+ uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply)
{
/* first send answer to client to keep its latency
* as small as a cachereply */
- if(sldns_buffer_limit(repinfo->c->buffer) != 0) {
+ if(!noreply) {
if(repinfo->c->tcp_req_info) {
sldns_buffer_copy(
repinfo->c->tcp_req_info->spool_buffer,
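Review bot: the new `noreply` parameter is undocumented: the old comment explaining the empty-buffer convention was dropped, but nothing now says what `noreply` means. Add a `@param noreply:` line to the doxygen comment stating that the reply to the client is suppressed (dropped or deferred) and only the prefetch is performed, so the contract is visible without reading the caller in worker_handle_request.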
@@ -1100,7 +1095,7 @@ worker_handle_request(struct comm_point*
struct respip_client_info* cinfo = NULL, cinfo_tmp;
memset(&qinfo, 0, sizeof(qinfo));
- if(error != NETEVENT_NOERROR) {
+ if(error != NETEVENT_NOERROR || !repinfo) {
/* some bad tcp query DNS formats give these error calls */
verbose(VERB_ALGO, "handle request called with err=%d", error);
return 0;
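Review bot: with `|| !repinfo` added, the verbose message "handle request called with err=%d" will print err=0 when repinfo is NULL, which hides the actual reason for the drop. Log the two cases distinctly (a separate verbose line for the NULL repinfo case is enough) so the event is diagnosable from the log.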
@@ -1484,7 +1479,8 @@ lookup_cache:
lock_rw_unlock(&e->lock);
reply_and_prefetch(worker, lookup_qinfo,
sldns_buffer_read_u16_at(c->buffer, 2),
- repinfo, leeway);
+ repinfo, leeway,
+ (partial_rep || need_drop));
if(!partial_rep) {
rc = 0;
regional_free_all(worker->scratchpad);
Index: ipset/ipset.c
===================================================================
RCS file: ipset/ipset.c
diff -N ipset/ipset.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ipset/ipset.c 30 Aug 2019 13:58:04 -0000
@@ -0,0 +1,353 @@
+/**
+ * \file
+ * This file implements the ipset module. It can handle packets by putting
+ * the A and AAAA addresses that are configured in unbound.conf as type
+ * ipset (local-zone statements) into a firewall rule IPSet. For firewall
+ * blacklist and whitelist usage.
+ */
+#include "config.h"
+#include "ipset/ipset.h"
+#include "util/regional.h"
+#include "util/config_file.h"
+
+#include "services/cache/dns.h"
+
+#include "sldns/sbuffer.h"
+#include "sldns/wire2str.h"
+#include "sldns/parseutil.h"
+
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/ipset/ip_set.h>
+
+#define BUFF_LEN 256
+
+/**
+ * Return an error
+ * @param qstate: our query state
+ * @param id: module id
+ * @param rcode: error code (DNS errcode).
+ * @return: 0 for use by caller, to make notation easy, like:
+ * return error_response(..).
+ */
+static int error_response(struct module_qstate* qstate, int id, int rcode) {
+ verbose(VERB_QUERY, "return error response %s",
+ sldns_lookup_by_id(sldns_rcodes, rcode)?
+ sldns_lookup_by_id(sldns_rcodes, rcode)->name:"??");
+ qstate->return_rcode = rcode;
+ qstate->return_msg = NULL;
+ qstate->ext_state[id] = module_finished;
+ return 0;
+}
+
+static struct mnl_socket * open_mnl_socket() {
+ struct mnl_socket *mnl;
+
+ mnl = mnl_socket_open(NETLINK_NETFILTER);
+ if (!mnl) {
+ log_err("ipset: could not open netfilter.");
+ return NULL;
+ }
+
+ if (mnl_socket_bind(mnl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ mnl_socket_close(mnl);
+ log_err("ipset: could not bind netfilter.");
+ return NULL;
+ }
+ return mnl;
+}
+
+static int add_to_ipset(struct mnl_socket *mnl, const char *setname, const
void *ipaddr, int af) {
+ struct nlmsghdr *nlh;
+ struct nfgenmsg *nfg;
+ struct nlattr *nested[2];
+ static char buffer[BUFF_LEN];
+
+ if (strlen(setname) >= IPSET_MAXNAMELEN) {
+ errno = ENAMETOOLONG;
+ return -1;
+ }
+ if (af != AF_INET && af != AF_INET6) {
+ errno = EAFNOSUPPORT;
+ return -1;
+ }
+
+ nlh = mnl_nlmsg_put_header(buffer);
+ nlh->nlmsg_type = IPSET_CMD_ADD | (NFNL_SUBSYS_IPSET << 8);
+ nlh->nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL;
+
+ nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(struct nfgenmsg));
+ nfg->nfgen_family = af;
+ nfg->version = NFNETLINK_V0;
+ nfg->res_id = htons(0);
+
+ mnl_attr_put_u8(nlh, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+ mnl_attr_put(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
+ nested[0] = mnl_attr_nest_start(nlh, IPSET_ATTR_DATA);
+ nested[1] = mnl_attr_nest_start(nlh, IPSET_ATTR_IP);
+ mnl_attr_put(nlh, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 :
IPSET_ATTR_IPADDR_IPV6)
+ | NLA_F_NET_BYTEORDER, (af == AF_INET ? sizeof(struct
in_addr) : sizeof(struct in6_addr)), ipaddr);
+ mnl_attr_nest_end(nlh, nested[1]);
+ mnl_attr_nest_end(nlh, nested[0]);
+
+ if (mnl_socket_sendto(mnl, nlh, nlh->nlmsg_len) < 0) {
+ return -1;
+ }
+ return 0;
+}
+
+static int ipset_update(struct module_env *env, struct dns_msg *return_msg,
struct ipset_env *ie) {
+ int ret;
+
+ struct mnl_socket *mnl;
+
+ size_t i, j;
+
+ const char *setname;
+
+ struct ub_packed_rrset_key *rrset;
+ struct packed_rrset_data *d;
+
+ int af;
+
+ static char dname[BUFF_LEN];
+ const char *s;
+ int dlen, plen;
+
+ struct config_strlist *p;
+
+ size_t rr_len, rd_len;
+
+ uint8_t *rr_data;
+
+ mnl = (struct mnl_socket *)ie->mnl;
+ if (!mnl) {
+ // retry to create mnl socket
+ mnl = open_mnl_socket();
+ if (!mnl) {
+ return -1;
+ }
+
+ ie->mnl = mnl;
+ }
+
+ for (i = 0; i < return_msg->rep->rrset_count; ++i) {
+ setname = NULL;
+
+ rrset = return_msg->rep->rrsets[i];
+
+ if (rrset->rk.type == htons(LDNS_RR_TYPE_A)) {
+ af = AF_INET;
+ if ((ie->v4_enabled == 1)) {
+ setname = ie->name_v4;
+ }
+ } else {
+ af = AF_INET6;
+ if ((ie->v6_enabled == 1)) {
+ setname = ie->name_v6;
+ }
+ }
+
+ if (setname) {
+ dlen = sldns_wire2str_dname_buf(rrset->rk.dname,
rrset->rk.dname_len, dname, BUFF_LEN);
+ if (dlen == 0) {
+ log_err("bad domain name");
+ return -1;
+ }
+ if (dname[dlen - 1] == '.') {
+ dlen--;
+ }
+
+ for (p = env->cfg->local_zones_ipset; p; p = p->next) {
+ plen = strlen(p->str);
+
+ if (dlen >= plen) {
+ s = dname + (dlen - plen);
+
+ if (strncasecmp(p->str, s, plen) == 0) {
+ d = (struct
packed_rrset_data*)rrset->entry.data;
+ /* to d->count, not
d->rrsig_count, because we do not want to add the RRSIGs, only the addresses */
+ for (j = 0; j < d->count; j++) {
+ rr_len = d->rr_len[j];
+ rr_data = d->rr_data[j];
+
+ rd_len =
sldns_read_uint16(rr_data);
+ if (rr_len - 2 >=
rd_len) {
+ ret =
add_to_ipset(mnl, setname, rr_data + 2, af);
+ if (ret < 0) {
+
log_err("ipset: could not add %s into %s", dname, setname);
+
+
mnl_socket_close(mnl);
+ ie->mnl
= NULL;
+ break;
+ }
+ }
+ }
+ break;
+ }
+ }
+ }
+ }
+ }
+
+ return 0;
+}
+
+int ipset_init(struct module_env* env, int id) {
+ struct ipset_env *ipset_env;
+
+ ipset_env = (struct ipset_env *)calloc(1, sizeof(struct ipset_env));
+ if (!ipset_env) {
+ log_err("malloc failure");
+ return 0;
+ }
+
+ env->modinfo[id] = (void *)ipset_env;
+
+ ipset_env->mnl = NULL;
+
+ ipset_env->name_v4 = env->cfg->ipset_name_v4;
+ ipset_env->name_v6 = env->cfg->ipset_name_v6;
+
+ ipset_env->v4_enabled = !ipset_env->name_v4 ||
(strlen(ipset_env->name_v4) == 0) ? 0 : 1;
+ ipset_env->v6_enabled = !ipset_env->name_v6 ||
(strlen(ipset_env->name_v6) == 0) ? 0 : 1;
+
+ if ((ipset_env->v4_enabled < 1) && (ipset_env->v6_enabled < 1)) {
+ log_err("ipset: set name no configuration?");
+ return 0;
+ }
+
+ return 1;
+}
+
+void ipset_deinit(struct module_env *env, int id) {
+ struct mnl_socket *mnl;
+ struct ipset_env *ipset_env;
+
+ if (!env || !env->modinfo[id]) {
+ return;
+ }
+
+ ipset_env = (struct ipset_env *)env->modinfo[id];
+
+ mnl = (struct mnl_socket *)ipset_env->mnl;
+ if (mnl) {
+ mnl_socket_close(mnl);
+ ipset_env->mnl = NULL;
+ }
+
+ free(ipset_env);
+ env->modinfo[id] = NULL;
+}
+
+static int ipset_new(struct module_qstate* qstate, int id) {
+ struct ipset_qstate *iq = (struct ipset_qstate *)regional_alloc(
+ qstate->region, sizeof(struct ipset_qstate));
+ qstate->minfo[id] = iq;
+ if (!iq) {
+ return 0;
+ }
+
+ memset(iq, 0, sizeof(*iq));
+ /* initialise it */
+ /* TODO */
+
+ return 1;
+}
+
+void ipset_operate(struct module_qstate *qstate, enum module_ev event, int id,
+ struct outbound_entry *outbound) {
+ struct ipset_env *ie = (struct ipset_env *)qstate->env->modinfo[id];
+ struct ipset_qstate *iq = (struct ipset_qstate *)qstate->minfo[id];
+ verbose(VERB_QUERY, "ipset[module %d] operate: extstate:%s event:%s",
+ id, strextstate(qstate->ext_state[id]), strmodulevent(event));
+ if (iq) {
+ log_query_info(VERB_QUERY, "ipset operate: query",
&qstate->qinfo);
+ }
+
+ /* perform ipset state machine */
+ if ((event == module_event_new || event == module_event_pass) && !iq) {
+ if (!ipset_new(qstate, id)) {
+ (void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ return;
+ }
+ iq = (struct ipset_qstate*)qstate->minfo[id];
+ }
+
+ if (iq && (event == module_event_pass || event == module_event_new)) {
+ qstate->ext_state[id] = module_wait_module;
+ return;
+ }
+
+ if (iq && (event == module_event_moddone)) {
+ if (qstate->return_msg && qstate->return_msg->rep) {
+ ipset_update(qstate->env, qstate->return_msg, ie);
+ }
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
+
+ if (iq && outbound) {
+ /* ipset does not need to process responses at this time
+ * ignore it.
+ ipset_process_response(qstate, iq, ie, id, outbound, event);
+ */
+ return;
+ }
+
+ if (event == module_event_error) {
+ verbose(VERB_ALGO, "got called with event error, giving up");
+ (void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+ return;
+ }
+
+ if (!iq && (event == module_event_moddone)) {
+ /* during priming, module done but we never started */
+ qstate->ext_state[id] = module_finished;
+ return;
+ }
+
+ log_err("bad event for ipset");
+ (void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+}
+
+void ipset_inform_super(struct module_qstate *ATTR_UNUSED(qstate),
+ int ATTR_UNUSED(id), struct module_qstate *ATTR_UNUSED(super)) {
+ /* ipset does not use subordinate requests at this time */
+ verbose(VERB_ALGO, "ipset inform_super was called");
+}
+
+void ipset_clear(struct module_qstate *qstate, int id) {
+ struct cachedb_qstate *iq;
+ if (!qstate) {
+ return;
+ }
+ iq = (struct cachedb_qstate *)qstate->minfo[id];
+ if (iq) {
+ /* free contents of iq */
+ /* TODO */
+ }
+ qstate->minfo[id] = NULL;
+}
+
+size_t ipset_get_mem(struct module_env *env, int id) {
+ struct ipset_env *ie = (struct ipset_env *)env->modinfo[id];
+ if (!ie) {
+ return 0;
+ }
+ return sizeof(*ie);
+}
+
+/**
+ * The ipset function block
+ */
+static struct module_func_block ipset_block = {
+ "ipset",
+ &ipset_init, &ipset_deinit, &ipset_operate,
+ &ipset_inform_super, &ipset_clear, &ipset_get_mem
+};
+
+struct module_func_block * ipset_get_funcblock(void) {
+ return &ipset_block;
+}
+
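Review bot: every rrset that is not type A is treated as AAAA in ipset_update: the `else` branch sets af = AF_INET6 for any other type (CNAME, NS, SOA, and so on), and add_to_ipset then copies the first sizeof(struct in6_addr) bytes of that rdata into the v6 set whenever `rr_len - 2 >= rd_len` holds. Make the second branch `else if (rrset->rk.type == htons(LDNS_RR_TYPE_AAAA))`, skip all other types, and require rd_len to equal the address length (4 or 16) before calling add_to_ipset. Further points in this file: add_to_ipset sets NLM_F_ACK but never reads the acknowledgement, so kernel errors (for instance a set that does not exist) are never reported and the unread replies accumulate in the socket's receive queue; the suffix match `strncasecmp(p->str, s, plen)` does not check a label boundary, so a zone "example.com" also matches "notexample.com" (require `dlen == plen || s[-1] == '.'`); `static char buffer[BUFF_LEN]` in add_to_ipset, `static char dname[BUFF_LEN]` in ipset_update and the single `ie->mnl` socket are shared state with no lock, which is not safe if more than one worker thread runs this module; and ipset_clear casts minfo[id] to `struct cachedb_qstate` where it should be `struct ipset_qstate`.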
Index: ipset/ipset.h
===================================================================
RCS file: ipset/ipset.h
diff -N ipset/ipset.h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ ipset/ipset.h 30 Aug 2019 13:58:04 -0000
@@ -0,0 +1,79 @@
+/**
+ * ipset.h
+ *
+ * Author: Kevin Chou
+ * Email: [email protected]
+ */
+#ifndef IPSET_H
+#define IPSET_H
+/** \file
+ *
+ * This file implements the ipset module. It can handle packets by putting
+ * the A and AAAA addresses that are configured in unbound.conf as type
+ * ipset (local-zone statements) into a firewall rule IPSet. For firewall
+ * blacklist and whitelist usage.
+ *
+ * To use the IPset module, install the libmnl-dev (or libmnl-devel) package
+ * and configure with --enable-ipset. And compile. Then enable the ipset
+ * module in unbound.conf with module-config: "ipset validator iterator"
+ * then create it with ipset -N blacklist iphash and then add
+ * local-zone: "example.com." ipset
+ * statements for the zones where you want the addresses of the names
+ * looked up added to the set.
+ *
+ * Set the name of the set with
+ * ipset:
+ * name-v4: "blacklist"
+ * name-v6: "blacklist6"
+ * in unbound.conf. The set can be used in this way:
+ * iptables -A INPUT -m set --set blacklist src -j DROP
+ * ip6tables -A INPUT -m set --set blacklist6 src -j DROP
+ */
+
+#include "util/module.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct ipset_env {
+ void* mnl;
+
+ int v4_enabled;
+ int v6_enabled;
+
+ const char *name_v4;
+ const char *name_v6;
+};
+
+struct ipset_qstate {
+ int dummy;
+};
+
+/** Init the ipset module */
+int ipset_init(struct module_env* env, int id);
+/** Deinit the ipset module */
+void ipset_deinit(struct module_env* env, int id);
+/** Operate on an event on a query (in qstate). */
+void ipset_operate(struct module_qstate* qstate, enum module_ev event,
+ int id, struct outbound_entry* outbound);
+/** Subordinate query done, inform this super request of its conclusion */
+void ipset_inform_super(struct module_qstate* qstate, int id,
+ struct module_qstate* super);
+/** clear the ipset query-specific contents out of qstate */
+void ipset_clear(struct module_qstate* qstate, int id);
+/** return memory estimate for ipset module */
+size_t ipset_get_mem(struct module_env* env, int id);
+
+/**
+ * Get the function block with pointers to the ipset functions
+ * @return the function block for "ipset".
+ */
+struct module_func_block* ipset_get_funcblock(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* IPSET_H */
+
Index: libunbound/context.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/libunbound/context.c,v
retrieving revision 1.6
diff -u -p -r1.6 context.c
--- libunbound/context.c 8 Oct 2018 16:03:53 -0000 1.6
+++ libunbound/context.c 30 Aug 2019 13:58:04 -0000
@@ -57,9 +57,16 @@ context_finalize(struct ub_ctx* ctx)
{
struct config_file* cfg = ctx->env->cfg;
verbosity = cfg->verbosity;
- if(ctx->logfile_override)
+ if(ctx_logfile_overridden && !ctx->logfile_override) {
+ log_file(NULL); /* clear that override */
+ ctx_logfile_overridden = 0;
+ }
+ if(ctx->logfile_override) {
+ ctx_logfile_overridden = 1;
log_file(ctx->log_out);
- else log_init(cfg->logfile, cfg->use_syslog, NULL);
+ } else {
+ log_init(cfg->logfile, cfg->use_syslog, NULL);
+ }
config_apply(cfg);
if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env))
return UB_INITFAIL;
Index: libunbound/context.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/libunbound/context.h,v
retrieving revision 1.5
diff -u -p -r1.5 context.h
--- libunbound/context.h 17 Sep 2018 09:46:12 -0000 1.5
+++ libunbound/context.h 30 Aug 2019 13:58:04 -0000
@@ -52,6 +52,9 @@ struct tube;
struct sldns_buffer;
struct ub_event_base;
+/** store that the logfile has a debug override */
+extern int ctx_logfile_overridden;
+
/**
* The context structure
*
Index: libunbound/libunbound.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/libunbound/libunbound.c,v
retrieving revision 1.13
diff -u -p -r1.13 libunbound.c
--- libunbound/libunbound.c 8 Feb 2019 10:29:08 -0000 1.13
+++ libunbound/libunbound.c 30 Aug 2019 13:58:04 -0000
@@ -79,6 +79,9 @@
#include <iphlpapi.h>
#endif /* UB_ON_WINDOWS */
+/** store that the logfile has a debug override */
+int ctx_logfile_overridden = 0;
+
/** create context functionality, but no pipes */
static struct ub_ctx* ub_ctx_create_nopipe(void)
{
@@ -90,7 +93,8 @@ static struct ub_ctx* ub_ctx_create_nopi
#endif
checklock_start();
- log_init(NULL, 0, NULL); /* logs to stderr */
+ if(!ctx_logfile_overridden)
+ log_init(NULL, 0, NULL); /* logs to stderr */
log_ident_set("libunbound");
#ifdef USE_WINSOCK
if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) {
@@ -328,6 +332,10 @@ ub_ctx_delete(struct ub_ctx* ctx)
ub_randfree(ctx->seed_rnd);
alloc_clear(&ctx->superalloc);
traverse_postorder(&ctx->queries, delq, NULL);
+ if(ctx_logfile_overridden) {
+ log_file(NULL);
+ ctx_logfile_overridden = 0;
+ }
free(ctx);
#ifdef USE_WINSOCK
WSACleanup();
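Review bot: ctx_logfile_overridden is process-global, so this block in ub_ctx_delete clears the log file override for every context, not just the one being deleted: deleting a context that never called ub_ctx_debugout while another context still holds an override will call log_file(NULL) and reset the flag underneath it. Guard on `ctx->logfile_override` as well (or keep a count of contexts holding an override) so that only the owning context tears it down. The flag is also read and written without a lock across ub_ctx_create_nopipe, context_finalize and ub_ctx_debugout; that is probably acceptable for a debug facility, but say so in the comment at the declaration.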
@@ -469,6 +477,7 @@ int ub_ctx_debugout(struct ub_ctx* ctx,
{
lock_basic_lock(&ctx->cfglock);
log_file((FILE*)out);
+ ctx_logfile_overridden = 1;
ctx->logfile_override = 1;
ctx->log_out = out;
lock_basic_unlock(&ctx->cfglock);
@@ -1150,7 +1159,7 @@ int
ub_ctx_hosts(struct ub_ctx* ctx, const char* fname)
{
FILE* in;
- char buf[1024], ldata[1024];
+ char buf[1024], ldata[2048];
char* parse, *addr, *name, *ins;
lock_basic_lock(&ctx->cfglock);
if(ctx->finalized) {
Index: respip/respip.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/respip/respip.c,v
retrieving revision 1.5
diff -u -p -r1.5 respip.c
--- respip/respip.c 27 Mar 2019 12:06:18 -0000 1.5
+++ respip/respip.c 30 Aug 2019 13:58:04 -0000
@@ -361,6 +361,7 @@ respip_set_apply_cfg(struct respip_set*
free(pd);
pd = np;
}
+ addr_tree_init_parents(&set->ip_tree);
return 1;
}
Index: services/authzone.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/authzone.c,v
retrieving revision 1.11
diff -u -p -r1.11 authzone.c
--- services/authzone.c 28 Jun 2019 15:17:16 -0000 1.11
+++ services/authzone.c 30 Aug 2019 13:58:04 -0000
@@ -3698,6 +3698,7 @@ static void
xfr_transfer_start_lookups(struct auth_xfer* xfr)
{
/* delete all the looked up addresses in the list */
+ xfr->task_transfer->scan_addr = NULL;
xfr_masterlist_free_addrs(xfr->task_transfer->masters);
/* start lookup at the first master */
@@ -3728,6 +3729,7 @@ static void
xfr_probe_start_lookups(struct auth_xfer* xfr)
{
/* delete all the looked up addresses in the list */
+ xfr->task_probe->scan_addr = NULL;
xfr_masterlist_free_addrs(xfr->task_probe->masters);
/* start lookup at the first master */
@@ -4865,6 +4867,11 @@ xfr_write_after_update(struct auth_xfer*
if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
zfilename += strlen(cfg->chrootdir);
+ if(verbosity >= VERB_ALGO) {
+ char nm[255+1];
+ dname_str(z->name, nm);
+ verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm);
+ }
/* write to tempfile first */
if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) {
@@ -4880,6 +4887,7 @@ xfr_write_after_update(struct auth_xfer*
if(!auth_zone_write_chunks(xfr, tmpfile)) {
unlink(tmpfile);
lock_rw_unlock(&z->lock);
+ return;
}
} else if(!auth_zone_write_file(z, tmpfile)) {
unlink(tmpfile);
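Review bot: the added `return;` is required, since without it execution fell through past the unlock into the rest of the function with z->lock already released; with it the chunk-write failure now leaves the zone file untouched. The unlink/unlock/return triple now appears in both the chunk branch and the `auth_zone_write_file` branch, so a shared failure label would keep the two from drifting apart again.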
@@ -6561,7 +6569,7 @@ xfr_set_timeout(struct auth_xfer* xfr, s
/* don't lookup_only, if lookup timeout is 0 anyway,
* or if we don't have masters to lookup */
tv.tv_sec = 0;
- if(xfr->task_probe && xfr->task_probe->worker == NULL)
+ if(xfr->task_probe->worker == NULL)
xfr->task_probe->only_lookup = 1;
}
if(verbosity >= VERB_ALGO) {
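Review bot: dropping the `xfr->task_probe &&` guard is consistent with the earlier hunk in this file, which already dereferences `xfr->task_probe->scan_addr` in xfr_probe_start_lookups without a check, so task_probe is evidently always allocated for an auth_xfer; fine to remove, but the changelog entry should state that invariant rather than only calling the test unused.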
Index: services/mesh.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/mesh.c,v
retrieving revision 1.12
diff -u -p -r1.12 mesh.c
--- services/mesh.c 28 Jun 2019 15:17:16 -0000 1.12
+++ services/mesh.c 30 Aug 2019 13:58:04 -0000
@@ -85,7 +85,7 @@ timeval_add(struct timeval* d, const str
#ifndef S_SPLINT_S
d->tv_sec += add->tv_sec;
d->tv_usec += add->tv_usec;
- if(d->tv_usec > 1000000 ) {
+ if(d->tv_usec >= 1000000 ) {
d->tv_usec -= 1000000;
d->tv_sec++;
}
@@ -1340,14 +1340,15 @@ int mesh_state_add_reply(struct mesh_sta
log_assert(!qinfo->local_alias->next && dsrc->count == 1 &&
qinfo->local_alias->rrset->rk.type ==
htons(LDNS_RR_TYPE_CNAME));
- /* Technically, we should make a local copy for the owner
- * name of the RRset, but in the case of the first (and
- * currently only) local alias RRset, the owner name should
- * point to the qname of the corresponding query, which should
- * be valid throughout the lifetime of this mesh_reply. So
- * we can skip copying. */
- log_assert(qinfo->local_alias->rrset->rk.dname ==
- sldns_buffer_at(rep->c->buffer, LDNS_HEADER_SIZE));
+ /* we should make a local copy for the owner name of
+ * the RRset */
+ r->local_alias->rrset->rk.dname_len =
+ qinfo->local_alias->rrset->rk.dname_len;
+ r->local_alias->rrset->rk.dname = regional_alloc_init(
+ s->s.region, qinfo->local_alias->rrset->rk.dname,
+ qinfo->local_alias->rrset->rk.dname_len);
+ if(!r->local_alias->rrset->rk.dname)
+ return 0;
/* the rrset is not packed, like in the cache, but it is
* individualy allocated with an allocator from localzone. */
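Review bot: the `return 0` on allocation failure happens after r's other fields are already filled in; that is fine only if the callers of mesh_state_add_reply treat 0 as failure and discard r (r being region-allocated, nothing leaks), so confirm that at the call sites. Replacing the old log_assert with a real copy is the right fix: the assertion tied the alias owner name to the query buffer, which is exactly what produced the question section mismatch the changelog entry for 23 July describes.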
Index: services/modstack.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/services/modstack.c,v
retrieving revision 1.4
diff -u -p -r1.4 modstack.c
--- services/modstack.c 27 Mar 2019 12:06:18 -0000 1.4
+++ services/modstack.c 30 Aug 2019 13:58:04 -0000
@@ -60,6 +60,9 @@
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
+#ifdef USE_IPSET
+#include "ipset/ipset.h"
+#endif
/** count number of modules (words) in the string */
static int
@@ -146,6 +149,9 @@ module_list_avail(void)
#ifdef CLIENT_SUBNET
"subnetcache",
#endif
+#ifdef USE_IPSET
+ "ipset",
+#endif
"respip",
"validator",
"iterator",
@@ -173,6 +179,9 @@ module_funcs_avail(void)
#endif
#ifdef CLIENT_SUBNET
&subnetmod_get_funcblock,
+#endif
+#ifdef USE_IPSET
+ &ipset_get_funcblock,
#endif
&respip_get_funcblock,
&val_get_funcblock,
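Review bot: the entry order in module_list_avail and module_funcs_avail must match, since the two arrays are indexed together when a module name is resolved to its function block; both insert "ipset" immediately before "respip", so they are consistent, but a comment next to one of the lists saying the two must be kept in sync would prevent the next addition from going wrong. Also confirm USE_IPSET is never defined on OpenBSD, since ipset/ipset.c includes the linux/netfilter headers (the cover note says the module is Linux-only), so the build scaffolding should not expose --enable-ipset there.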
Index: sldns/str2wire.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/sldns/str2wire.c,v
retrieving revision 1.9
diff -u -p -r1.9 str2wire.c
--- sldns/str2wire.c 17 Sep 2018 09:46:12 -0000 1.9
+++ sldns/str2wire.c 30 Aug 2019 13:58:04 -0000
@@ -187,7 +187,7 @@ rrinternal_get_owner(sldns_buffer* strbu
sldns_buffer_position(strbuf));
}
- if(strcmp(token, "@") == 0) {
+ if(token[0]=='@' && token[1]=='\0') {
uint8_t* tocopy;
if (origin) {
*dname_len = origin_len;
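Review bot: `token[0]=='@' && token[1]=='\0'` is semantically identical to `strcmp(token, "@") == 0`, so without a comment this looks like a gratuitous rewrite that someone will revert; add a one-line comment that the open-coded compare avoids the valgrind uninitialised-value false positive with gcc 9 at -O2 (the Changelog entry gives the details).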
Index: smallapp/unbound-checkconf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-checkconf.c,v
retrieving revision 1.12
diff -u -p -r1.12 unbound-checkconf.c
--- smallapp/unbound-checkconf.c 23 May 2019 13:11:37 -0000 1.12
+++ smallapp/unbound-checkconf.c 30 Aug 2019 13:58:04 -0000
@@ -146,6 +146,42 @@ check_mod(struct config_file* cfg, struc
edns_known_options_delete(&env);
}
+/** true if addr is a localhost address, 127.0.0.1 or ::1 (with maybe "@port"
+ * after it) */
+static int
+str_addr_is_localhost(const char* a)
+{
+ if(strncmp(a, "127.", 4) == 0) return 1;
+ if(strncmp(a, "::1", 3) == 0) return 1;
+ return 0;
+}
+
+/** check do-not-query-localhost */
+static void
+donotquerylocalhostcheck(struct config_file* cfg)
+{
+ if(cfg->donotquery_localhost) {
+ struct config_stub* p;
+ struct config_strlist* s;
+ for(p=cfg->forwards; p; p=p->next) {
+ for(s=p->addrs; s; s=s->next) {
+ if(str_addr_is_localhost(s->str)) {
+ fprintf(stderr, "unbound-checkconf:
warning: forward-addr: '%s' is specified for forward-zone: '%s', but
do-not-query-localhost: yes means that the address will not be used for
lookups.\n",
+ s->str, p->name);
+ }
+ }
+ }
+ for(p=cfg->stubs; p; p=p->next) {
+ for(s=p->addrs; s; s=s->next) {
+ if(str_addr_is_localhost(s->str)) {
+ fprintf(stderr, "unbound-checkconf:
warning: stub-addr: '%s' is specified for stub-zone: '%s', but
do-not-query-localhost: yes means that the address will not be used for
lookups.\n",
+ s->str, p->name);
+ }
+ }
+ }
+ }
+}
+
/** check localzones */
static void
localzonechecks(struct config_file* cfg)
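Review bot: `strncmp(a, "::1", 3) == 0` in str_addr_is_localhost is a prefix test, so any IPv6 literal beginning with "::1" (for example "::10" or "::1:...") is classified as localhost and triggers a spurious warning; check that the character after "::1" is '\0' or '@' (the "@port" suffix the comment mentions). The "127." prefix is fine since the whole 127/8 block is loopback. The warning is advisory only (fprintf, no exit), which is the right severity for a configuration that is legal but ineffective.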
@@ -574,6 +610,10 @@ morechecks(struct config_file* cfg)
&& strcmp(cfg->module_conf, "ipsecmod python validator
iterator") != 0
&& strcmp(cfg->module_conf, "ipsecmod validator python
iterator") != 0
#endif
+#ifdef USE_IPSET
+ && strcmp(cfg->module_conf, "validator ipset iterator") != 0
+ && strcmp(cfg->module_conf, "ipset iterator") != 0
+#endif
) {
fatal_exit("module conf '%s' is not known to work",
cfg->module_conf);
@@ -606,6 +646,7 @@ morechecks(struct config_file* cfg)
cfg->control_cert_file);
}
+ donotquerylocalhostcheck(cfg);
localzonechecks(cfg);
view_and_respipchecks(cfg);
#ifdef CLIENT_SUBNET
Index: smallapp/unbound-control.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/smallapp/unbound-control.c,v
retrieving revision 1.14
diff -u -p -r1.14 unbound-control.c
--- smallapp/unbound-control.c 8 Feb 2019 10:29:08 -0000 1.14
+++ smallapp/unbound-control.c 30 Aug 2019 13:58:04 -0000
@@ -499,6 +499,12 @@ setup_ctx(struct config_file* cfg)
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
!= SSL_OP_NO_SSLv3)
ssl_err("could not set SSL_OP_NO_SSLv3");
+#if defined(SSL_OP_NO_RENEGOTIATION)
+ /* disable client renegotiation */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+ SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION)
+ ssl_err("could not set SSL_OP_NO_RENEGOTIATION");
+#endif
if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert))
ssl_path_err("Error setting up SSL_CTX client cert", c_cert);
if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM))
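Review bot: setup_ctx here builds the control client's context (it loads c_cert/c_key right below), so the copied comment "disable client renegotiation" is misleading; on a client SSL_CTX this option refuses renegotiation requested by the server. Reword it to "disable renegotiation". The `#if defined(SSL_OP_NO_RENEGOTIATION)` guard also makes this a silent no-op on TLS libraries that do not define the macro, which deserves a note in the comment.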
Index: testcode/delayer.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/delayer.c,v
retrieving revision 1.1.1.2
diff -u -p -r1.1.1.2 delayer.c
--- testcode/delayer.c 8 Oct 2018 16:02:24 -0000 1.1.1.2
+++ testcode/delayer.c 30 Aug 2019 13:58:04 -0000
@@ -174,7 +174,7 @@ dl_tv_add(struct timeval* t1, const stru
#ifndef S_SPLINT_S
t1->tv_sec += t2->tv_sec;
t1->tv_usec += t2->tv_usec;
- while(t1->tv_usec > 1000000) {
+ while(t1->tv_usec >= 1000000) {
t1->tv_usec -= 1000000;
t1->tv_sec++;
}
Index: testcode/fake_event.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/fake_event.c,v
retrieving revision 1.1.1.4
diff -u -p -r1.1.1.4 fake_event.c
--- testcode/fake_event.c 28 Jun 2019 15:15:41 -0000 1.1.1.4
+++ testcode/fake_event.c 30 Aug 2019 13:58:04 -0000
@@ -100,7 +100,7 @@ timeval_add(struct timeval* d, const str
#ifndef S_SPLINT_S
d->tv_sec += add->tv_sec;
d->tv_usec += add->tv_usec;
- if(d->tv_usec > 1000000) {
+ if(d->tv_usec >= 1000000) {
d->tv_usec -= 1000000;
d->tv_sec++;
}
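Review bot: `>=` is the right bound since tv_usec must stay in [0, 1000000), but this is an `if` while the four sibling fixes (delayer.c, perf.c, mini_event.c, winsock_event.c) use `while`; a single subtraction is sufficient only when both operands are already normalized (each tv_usec below 1000000), which holds for the sum of two normalized timevals but is worth a comment, or just make it `while` for consistency.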
Index: testcode/memstats.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/memstats.c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 memstats.c
--- testcode/memstats.c 17 Sep 2018 09:43:46 -0000 1.1.1.1
+++ testcode/memstats.c 30 Aug 2019 13:58:04 -0000
@@ -106,9 +106,16 @@ get_codeline(rbtree_type* tree, char* ke
cl = calloc(1, sizeof(*cl));
if(!cl) return 0;
cl->codeline = strdup(key);
- if(!cl->codeline) return 0;
+ if(!cl->codeline) {
+ free(cl);
+ return 0;
+ }
cl->func = strdup(func);
- if(!cl->func) return 0;
+ if(!cl->func) {
+ free(cl->codeline);
+ free(cl);
+ return 0;
+ }
cl->alloc = 0;
cl->node.key = cl->codeline;
(void)rbtree_insert(tree, &cl->node);
Index: testcode/perf.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/perf.c,v
retrieving revision 1.1.1.3
diff -u -p -r1.1.1.3 perf.c
--- testcode/perf.c 8 Feb 2019 10:26:32 -0000 1.1.1.3
+++ testcode/perf.c 30 Aug 2019 13:58:04 -0000
@@ -177,7 +177,7 @@ perf_tv_add(struct timeval* t1, struct t
#ifndef S_SPLINT_S
t1->tv_sec += t2->tv_sec;
t1->tv_usec += t2->tv_usec;
- while(t1->tv_usec > 1000000) {
+ while(t1->tv_usec >= 1000000) {
t1->tv_usec -= 1000000;
t1->tv_sec++;
}
Index: testcode/unitmsgparse.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/testcode/unitmsgparse.c,v
retrieving revision 1.1.1.2
diff -u -p -r1.1.1.2 unitmsgparse.c
--- testcode/unitmsgparse.c 20 Sep 2018 23:14:39 -0000 1.1.1.2
+++ testcode/unitmsgparse.c 30 Aug 2019 13:58:04 -0000
@@ -179,7 +179,7 @@ perf_encode(struct query_info* qi, struc
/* encode a couple times */
for(i=0; i<max; i++) {
ret = reply_info_encode(qi, rep, id, flags, out, timenow,
- r2, 65535, (int)(edns->bits & EDNS_DO) );
+ r2, 65535, (int)(edns->bits & EDNS_DO), 0);
unit_assert(ret != 0); /* udp packets should fit */
attach_edns_record(out, edns);
regional_free_all(r2);
@@ -342,7 +342,7 @@ testpkt(sldns_buffer* pkt, struct alloc_
} else if(!check_formerr_gone) {
const size_t lim = 512;
ret = reply_info_encode(&qi, rep, id, flags, out, timenow,
- region, 65535, (int)(edns.bits & EDNS_DO) );
+ region, 65535, (int)(edns.bits & EDNS_DO), 0);
unit_assert(ret != 0); /* udp packets should fit */
attach_edns_record(out, &edns);
if(vbmp) printf("inlen %u outlen %u\n",
@@ -357,7 +357,7 @@ testpkt(sldns_buffer* pkt, struct alloc_
ret = reply_info_encode(&qi, rep, id, flags, out,
timenow, region,
lim - calc_edns_field_size(&edns),
- (int)(edns.bits & EDNS_DO));
+ (int)(edns.bits & EDNS_DO), 0);
unit_assert(ret != 0); /* should fit, but with TC */
attach_edns_record(out, &edns);
if( LDNS_QDCOUNT(sldns_buffer_begin(out)) !=
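Review bot: passing a literal 0 for the new minimise argument in all three call sites means the unit tests never exercise the minimal-response path (negative_answer and the additional-section stripping in msgencode.c); if that is intended because these tests compare an encode/decode round trip, say so in a comment, otherwise add a pass with minimise set for the negative-answer packets.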
Index: util/config_file.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/config_file.c,v
retrieving revision 1.20
diff -u -p -r1.20 config_file.c
--- util/config_file.c 8 Feb 2019 10:29:08 -0000 1.20
+++ util/config_file.c 30 Aug 2019 13:58:04 -0000
@@ -255,6 +255,9 @@ config_create(void)
cfg->neg_cache_size = 1 * 1024 * 1024;
cfg->local_zones = NULL;
cfg->local_zones_nodefault = NULL;
+#ifdef USE_IPSET
+ cfg->local_zones_ipset = NULL;
+#endif
cfg->local_zones_disable_default = 0;
cfg->local_data = NULL;
cfg->local_zone_overrides = NULL;
@@ -327,9 +330,13 @@ config_create(void)
cfg->cachedb_backend = NULL;
cfg->cachedb_secret = NULL;
#endif
+#ifdef USE_IPSET
+ cfg->ipset_name_v4 = NULL;
+ cfg->ipset_name_v6 = NULL;
+#endif
return cfg;
error_exit:
- config_delete(cfg);
+ config_delete(cfg);
return NULL;
}
@@ -602,7 +609,7 @@ int config_set_option(struct config_file
else S_STR("control-key-file:", control_key_file)
else S_STR("control-cert-file:", control_cert_file)
else S_STR("module-config:", module_conf)
- else S_STR("python-script:", python_script)
+ else S_STRLIST("python-script:", python_script)
else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check)
#ifdef CLIENT_SUBNET
/* Can't set max subnet prefix here, since that value is used when
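Review bot: switching python-script to S_STRLIST changes set_option semantics from replace to append, so repeated `set_option python-script:` calls over the control channel accumulate entries instead of overwriting one; that is consistent with the new list type, but the behaviour change should be mentioned in the python-script documentation.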
@@ -1054,7 +1061,7 @@ config_get_option(struct config_file* cf
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
else O_DEC(opt, "max-udp-size", max_udp_size)
- else O_STR(opt, "python-script", python_script)
+ else O_LST(opt, "python-script", python_script)
else O_YNO(opt, "disable-dnssec-lame-check", disable_dnssec_lame_check)
else O_DEC(opt, "ip-ratelimit", ip_ratelimit)
else O_DEC(opt, "ratelimit", ratelimit)
@@ -1092,6 +1099,10 @@ config_get_option(struct config_file* cf
else O_STR(opt, "backend", cachedb_backend)
else O_STR(opt, "secret-seed", cachedb_secret)
#endif
+#ifdef USE_IPSET
+ else O_STR(opt, "name-v4", ipset_name_v4)
+ else O_STR(opt, "name-v6", ipset_name_v6)
+#endif
/* not here:
* outgoing-permit, outgoing-avoid - have list of ports
* local-zone - zones and nodefault variables
@@ -1310,6 +1321,9 @@ config_delview(struct config_view* p)
free(p->name);
config_deldblstrlist(p->local_zones);
config_delstrlist(p->local_zones_nodefault);
+#ifdef USE_IPSET
+ config_delstrlist(p->local_zones_ipset);
+#endif
config_delstrlist(p->local_data);
free(p);
}
@@ -1384,7 +1398,6 @@ config_delete(struct config_file* cfg)
free(cfg->version);
free(cfg->module_conf);
free(cfg->outgoing_avail_ports);
- free(cfg->python_script);
config_delstrlist(cfg->caps_whitelist);
config_delstrlist(cfg->private_address);
config_delstrlist(cfg->private_domain);
@@ -1400,6 +1413,9 @@ config_delete(struct config_file* cfg)
free(cfg->val_nsec3_key_iterations);
config_deldblstrlist(cfg->local_zones);
config_delstrlist(cfg->local_zones_nodefault);
+#ifdef USE_IPSET
+ config_delstrlist(cfg->local_zones_ipset);
+#endif
config_delstrlist(cfg->local_data);
config_deltrplstrlist(cfg->local_zone_overrides);
config_del_strarray(cfg->tagname, cfg->num_tags);
@@ -1420,6 +1436,7 @@ config_delete(struct config_file* cfg)
free(cfg->dnstap_version);
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
+ config_delstrlist(cfg->python_script);
#ifdef USE_IPSECMOD
free(cfg->ipsecmod_hook);
config_delstrlist(cfg->ipsecmod_whitelist);
@@ -1428,6 +1445,10 @@ config_delete(struct config_file* cfg)
free(cfg->cachedb_backend);
free(cfg->cachedb_secret);
#endif
+#ifdef USE_IPSET
+ free(cfg->ipset_name_v4);
+ free(cfg->ipset_name_v6);
+#endif
free(cfg);
}
@@ -1630,6 +1651,31 @@ cfg_strlist_insert(struct config_strlist
return 1;
}
+int
+cfg_strlist_append_ex(struct config_strlist** head, char* item)
+{
+ struct config_strlist *s;
+ if(!item || !head)
+ return 0;
+ s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist));
+ if(!s)
+ return 0;
+ s->str = item;
+ s->next = NULL;
+
+ if (*head==NULL) {
+ *head = s;
+ } else {
+ struct config_strlist *last = *head;
+ while (last->next!=NULL) {
+ last = last->next;
+ }
+ last->next = s;
+ }
+
+ return 1;
+}
+
int
cfg_str2list_insert(struct config_str2list** head, char* item, char* i2)
{
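Review bot: cfg_strlist_append_ex returns 0 on a calloc failure without storing or freeing `item`, and the header comment only says "malloced by caller", so ownership on failure is ambiguous; either free(item) on that path and document it, or document that the caller must free it. The append also walks the whole list on every call, which is O(n^2) for n entries; fine for a handful of python-script lines, but worth a comment if the helper is reused for longer lists.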
@@ -2107,6 +2153,11 @@ cfg_parse_local_zone(struct config_file*
if(strcmp(type, "nodefault")==0) {
return cfg_strlist_insert(&cfg->local_zones_nodefault,
strdup(name));
+#ifdef USE_IPSET
+ } else if(strcmp(type, "ipset")==0) {
+ return cfg_strlist_insert(&cfg->local_zones_ipset,
+ strdup(name));
+#endif
} else {
return cfg_str2list_insert(&cfg->local_zones, strdup(buf),
strdup(type));
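Review bot: when USE_IPSET is not defined the "ipset" type is not matched here and falls through to cfg_str2list_insert, storing a local zone of type "ipset" that the local zone code does not understand; since this path serves unbound-control local_zone additions, consider an `#else` branch that rejects the type with a clear error instead of silently storing it.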
@@ -2381,3 +2432,4 @@ int options_remote_is_address(struct con
if(cfg->control_ifs.first->str[0] == 0) return 1;
return (cfg->control_ifs.first->str[0] != '/');
}
+
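Review bot: this hunk only adds a blank line at end of file, and the same happens in config_file.h, configparser.y and fptr_wlist.c below; these are diff noise and some style checkers flag trailing blank lines, so drop them.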
Index: util/config_file.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/config_file.h,v
retrieving revision 1.18
diff -u -p -r1.18 config_file.h
--- util/config_file.h 8 Feb 2019 10:29:08 -0000 1.18
+++ util/config_file.h 30 Aug 2019 13:58:04 -0000
@@ -384,6 +384,10 @@ struct config_file {
struct config_str2list* local_zones;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
+#ifdef USE_IPSET
+ /** local zones ipset list */
+ struct config_strlist* local_zones_ipset;
+#endif
/** do not add any default local zone */
int local_zones_disable_default;
/** local data RRs configured */
@@ -433,7 +437,7 @@ struct config_file {
char* control_cert_file;
/** Python script file */
- char* python_script;
+ struct config_strlist* python_script;
/** Use systemd socket activation. */
int use_systemd;
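Review bot: the doc comment above python_script still says "Python script file" (singular) although the field is now a config_strlist; update it to say it is the list of script files, kept in configuration order (cfg_strlist_append_ex appends at the tail).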
@@ -575,6 +579,12 @@ struct config_file {
int redis_timeout;
#endif
#endif
+
+ /* ipset module */
+#ifdef USE_IPSET
+ char* ipset_name_v4;
+ char* ipset_name_v6;
+#endif
};
/** from cfg username, after daemonize setup performed */
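Review bot: the new ipset_name_v4 and ipset_name_v6 fields carry only a plain `/* ipset module */` block comment, while every other field in struct config_file has a `/** ... */` doxygen comment (see local_zones_ipset above); add per-field comments saying these are the names of the kernel IP sets that receive IPv4 and IPv6 addresses, so the header documents the option like the rest.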
@@ -647,6 +657,10 @@ struct config_view {
struct config_strlist* local_data;
/** local zones nodefault list */
struct config_strlist* local_zones_nodefault;
+#ifdef USE_IPSET
+ /** local zones ipset list */
+ struct config_strlist* local_zones_ipset;
+#endif
/** Fallback to global local_zones when there is no match in the view
* view specific tree. 1 for yes, 0 for no */
int isfirst;
@@ -821,6 +835,14 @@ char* config_collate_cat(struct config_s
int cfg_strlist_append(struct config_strlist_head* list, char* item);
/**
+ * Searches the end of a string list and appends the given text.
+ * @param head: pointer to strlist head variable.
+ * @param item: new item. malloced by caller. if NULL the insertion fails.
+ * @return true on success.
+ */
+int cfg_strlist_append_ex(struct config_strlist** head, char* item);
+
+/**
* Find string in strlist.
* @param head: pointer to strlist head variable.
* @param item: the item to search for.
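Review bot: the cfg_strlist_append_ex doc should say what happens to `item` when the function returns false (the implementation in config_file.c leaves it unfreed) and that the item goes at the tail, preserving order; "Searches the end of a string list and appends the given text" could simply read "Appends the given item at the end of a string list".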
@@ -1181,3 +1203,4 @@ void w_config_adjust_directory(struct co
extern int fake_dsa, fake_sha1;
#endif /* UTIL_CONFIG_FILE_H */
+
Index: util/configlexer.lex
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/configlexer.lex,v
retrieving revision 1.14
diff -u -p -r1.14 configlexer.lex
--- util/configlexer.lex 8 Feb 2019 10:29:08 -0000 1.14
+++ util/configlexer.lex 30 Aug 2019 13:58:04 -0000
@@ -483,6 +483,9 @@ secret-seed{COLON} { YDVAR(1, VAR_CACHE
redis-server-host{COLON} { YDVAR(1, VAR_CACHEDB_REDISHOST) }
redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) }
redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
+ipset{COLON} { YDVAR(0, VAR_IPSET) }
+name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) }
+name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) }
udp-upstream-without-downstream{COLON} { YDVAR(1,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
Index: util/configparser.y
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/configparser.y,v
retrieving revision 1.15
diff -u -p -r1.15 configparser.y
--- util/configparser.y 27 Mar 2019 12:06:18 -0000 1.15
+++ util/configparser.y 30 Aug 2019 13:58:04 -0000
@@ -167,6 +167,7 @@ extern struct config_parser_state* cfg_p
%token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
%token VAR_TLS_SESSION_TICKET_KEYS
+%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -174,7 +175,7 @@ toplevelvar: serverstart contents_server
forwardstart contents_forward | pythonstart contents_py |
rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
dnscstart contents_dnsc | cachedbstart contents_cachedb |
- authstart contents_auth
+ ipsetstart contents_ipset | authstart contents_auth
;
/* server: declaration */
@@ -1784,13 +1785,14 @@ server_local_zone: VAR_LOCAL_ZONE STRING
&& strcmp($3, "always_nxdomain")!=0
&& strcmp($3, "noview")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
- && strcmp($3, "inform_redirect") != 0) {
+ && strcmp($3, "inform_redirect") != 0
+ && strcmp($3, "ipset") != 0) {
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny, "
"inform_redirect, always_transparent, "
"always_refuse, always_nxdomain, noview "
- "or nodefault");
+ ", nodefault or ipset");
free($2);
free($3);
} else if(strcmp($3, "nodefault")==0) {
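Review bot: the error message now concatenates `"... always_nxdomain, noview "` with `", nodefault or ipset"`, which renders as "noview , nodefault or ipset" with a space before the comma; either drop the trailing space from the first literal or start the second with "nodefault". Note also that "ipset" is accepted as a valid type here unconditionally, with no USE_IPSET guard (see the next hunk).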
@@ -1798,6 +1800,13 @@ server_local_zone: VAR_LOCAL_ZONE STRING
local_zones_nodefault, $2))
fatal_exit("out of memory adding local-zone");
free($3);
+#ifdef USE_IPSET
+ } else if(strcmp($3, "ipset")==0) {
+ if(!cfg_strlist_insert(&cfg_parser->cfg->
+ local_zones_ipset, $2))
+ fatal_exit("out of memory adding local-zone");
+ free($3);
+#endif
} else {
if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones,
$2, $3))
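Review bot: when USE_IPSET is not defined, the "ipset" type passes the validation in the previous hunk but this `#ifdef USE_IPSET` branch is compiled out, so the zone drops into the else branch and is stored in local_zones with type "ipset", which the local zone code does not know; add an `#else` that reports "compiled without ipset" and frees $2 and $3 (the way ipset_name_v4 below handles it with OUTYY and free), or rejects it outright. The same applies to view_local_zone in the next hunk.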
@@ -2455,6 +2464,13 @@ view_local_zone: VAR_LOCAL_ZONE STRING_A
local_zones_nodefault, $2))
fatal_exit("out of memory adding local-zone");
free($3);
+#ifdef USE_IPSET
+ } else if(strcmp($3, "ipset")==0) {
+ if(!cfg_strlist_insert(&cfg_parser->cfg->views->
+ local_zones_ipset, $2))
+ fatal_exit("out of memory adding local-zone");
+ free($3);
+#endif
} else {
if(!cfg_str2list_insert(
&cfg_parser->cfg->views->local_zones,
@@ -2722,8 +2738,8 @@ content_py: py_script
py_script: VAR_PYTHON_SCRIPT STRING_ARG
{
OUTYY(("P(python-script:%s)\n", $2));
- free(cfg_parser->cfg->python_script);
- cfg_parser->cfg->python_script = $2;
+ if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2))
+ yyerror("out of memory");
}
server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG
{
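Review bot: when cfg_strlist_append_ex fails, $2 is leaked here (neither stored nor freed) and the error goes through yyerror, while the other out-of-memory cases in this grammar use fatal_exit("out of memory adding local-zone"); pick one convention, and if the parser continues after yyerror, free($2) on that path.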
@@ -2959,6 +2975,45 @@ server_tcp_connection_limit: VAR_TCP_CON
}
}
;
+ ipsetstart: VAR_IPSET
+ {
+ OUTYY(("\nP(ipset:)\n"));
+ }
+ ;
+ contents_ipset: contents_ipset content_ipset
+ | ;
+ content_ipset: ipset_name_v4 | ipset_name_v6
+ ;
+ ipset_name_v4: VAR_IPSET_NAME_V4 STRING_ARG
+ {
+ #ifdef USE_IPSET
+ OUTYY(("P(name-v4:%s)\n", $2));
+ if(cfg_parser->cfg->ipset_name_v4)
+ yyerror("ipset name v4 override, there must be
one "
+ "name for ip v4");
+ free(cfg_parser->cfg->ipset_name_v4);
+ cfg_parser->cfg->ipset_name_v4 = $2;
+ #else
+ OUTYY(("P(Compiled without ipset, ignoring)\n"));
+ free($2);
+ #endif
+ }
+ ;
+ ipset_name_v6: VAR_IPSET_NAME_V6 STRING_ARG
+ {
+ #ifdef USE_IPSET
+ OUTYY(("P(name-v6:%s)\n", $2));
+ if(cfg_parser->cfg->ipset_name_v6)
+ yyerror("ipset name v6 override, there must be
one "
+ "name for ip v6");
+ free(cfg_parser->cfg->ipset_name_v6);
+ cfg_parser->cfg->ipset_name_v6 = $2;
+ #else
+ OUTYY(("P(Compiled without ipset, ignoring)\n"));
+ free($2);
+ #endif
+ }
+ ;
%%
/* parse helper routines could be here */
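Review bot: the duplicate-name check calls yyerror("ipset name v4 override, there must be one name for ip v4") and then frees and overwrites anyway, which is acceptable, but the wording is awkward; "name-v4 specified more than once" (and likewise for v6) reads clearer and names the option the user typed. The new rules (ipsetstart, contents_ipset, ipset_name_v4, ipset_name_v6) also appear indented one level deeper than the surrounding grammar rules; align them with the rest.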
@@ -2978,3 +3033,5 @@ validate_respip_action(const char* actio
"always_refuse or always_nxdomain");
}
}
+
+
Index: util/fptr_wlist.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/fptr_wlist.c,v
retrieving revision 1.15
diff -u -p -r1.15 fptr_wlist.c
--- util/fptr_wlist.c 28 Jun 2019 15:17:17 -0000 1.15
+++ util/fptr_wlist.c 30 Aug 2019 13:58:04 -0000
@@ -90,6 +90,9 @@
#ifdef CLIENT_SUBNET
#include "edns-subnet/subnetmod.h"
#endif
+#ifdef USE_IPSET
+#include "ipset/ipset.h"
+#endif
int
fptr_whitelist_comm_point(comm_point_callback_type *fptr)
@@ -358,8 +361,8 @@ fptr_whitelist_modenv_kill_sub(void (*fp
}
int
-fptr_whitelist_modenv_detect_cycle(int (*fptr)(
- struct module_qstate* qstate, struct query_info* qinfo,
+fptr_whitelist_modenv_detect_cycle(int (*fptr)(
+ struct module_qstate* qstate, struct query_info* qinfo,
uint16_t flags, int prime, int valrec))
{
if(fptr == &mesh_detect_cycle) return 1;
@@ -385,6 +388,9 @@ fptr_whitelist_mod_init(int (*fptr)(stru
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_init) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_init) return 1;
+#endif
return 0;
}
@@ -407,6 +413,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(s
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_deinit) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_deinit) return 1;
+#endif
return 0;
}
@@ -430,6 +439,9 @@ fptr_whitelist_mod_operate(void (*fptr)(
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_operate) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_operate) return 1;
+#endif
return 0;
}
@@ -453,6 +465,9 @@ fptr_whitelist_mod_inform_super(void (*f
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_inform_super) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_inform_super) return 1;
+#endif
return 0;
}
@@ -476,6 +491,9 @@ fptr_whitelist_mod_clear(void (*fptr)(st
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_clear) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_clear) return 1;
+#endif
return 0;
}
@@ -498,6 +516,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr
#ifdef CLIENT_SUBNET
else if(fptr == &subnetmod_get_mem) return 1;
#endif
+#ifdef USE_IPSET
+ else if(fptr == &ipset_get_mem) return 1;
+#endif
return 0;
}
@@ -597,3 +618,4 @@ int fptr_whitelist_inplace_cb_query_resp
#endif
return 0;
}
+
Index: util/iana_ports.inc
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/iana_ports.inc,v
retrieving revision 1.16
diff -u -p -r1.16 iana_ports.inc
--- util/iana_ports.inc 28 Jun 2019 15:17:17 -0000 1.16
+++ util/iana_ports.inc 30 Aug 2019 13:58:04 -0000
@@ -1848,7 +1848,6 @@
2197,
2198,
2199,
-2200,
2201,
2202,
2203,
Index: util/mini_event.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/mini_event.c,v
retrieving revision 1.4
diff -u -p -r1.4 mini_event.c
--- util/mini_event.c 8 Feb 2019 10:29:08 -0000 1.4
+++ util/mini_event.c 30 Aug 2019 13:58:04 -0000
@@ -313,7 +313,7 @@ int event_add(struct event* ev, struct t
struct timeval *now = ev->ev_base->time_tv;
ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec;
ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec;
- while(ev->ev_timeout.tv_usec > 1000000) {
+ while(ev->ev_timeout.tv_usec >= 1000000) {
ev->ev_timeout.tv_usec -= 1000000;
ev->ev_timeout.tv_sec++;
}
Index: util/net_help.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/net_help.c,v
retrieving revision 1.16
diff -u -p -r1.16 net_help.c
--- util/net_help.c 28 Jun 2019 15:17:17 -0000 1.16
+++ util/net_help.c 30 Aug 2019 13:58:04 -0000
@@ -744,6 +744,14 @@ listen_sslctx_setup(void* ctxt)
return 0;
}
#endif
+#if defined(SSL_OP_NO_RENEGOTIATION)
+ /* disable client renegotiation */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+ SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ return 0;
+ }
+#endif
#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
/* if we have sha256, set the cipher list to have no known vulns */
if(!SSL_CTX_set_cipher_list(ctx,
"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
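Review bot: refusing client-initiated renegotiation on the listening context is the right default for the TLS-protected ports, and the failure path (log_crypto_err then return 0) matches the other failure return just above in this function. As in unbound-control.c, the `#if defined(SSL_OP_NO_RENEGOTIATION)` guard silently compiles this out on libraries without the macro; a comment noting that would help anyone auditing the hardening on such a build.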
@@ -962,6 +970,14 @@ void* connect_sslctx_create(char* key, c
SSL_CTX_free(ctx);
return NULL;
}
+#if defined(SSL_OP_NO_RENEGOTIATION)
+ /* disable client renegotiation */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
+ SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) {
+ log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION");
+ return 0;
+ }
+#endif
if(key && key[0]) {
if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
log_err("error in client certificate %s", pem);
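Review bot: this failure path does `return 0;` without releasing ctx, whereas the error path immediately above it (SSL_CTX_free(ctx); return NULL;) frees the context; connect_sslctx_create returns a void*, so use `SSL_CTX_free(ctx); return NULL;` here too, otherwise the context leaks and the return style differs from the rest of the function.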
Index: util/winsock_event.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/winsock_event.c,v
retrieving revision 1.3
diff -u -p -r1.3 winsock_event.c
--- util/winsock_event.c 17 Feb 2017 18:53:32 -0000 1.3
+++ util/winsock_event.c 30 Aug 2019 13:58:04 -0000
@@ -558,7 +558,7 @@ int event_add(struct event *ev, struct t
struct timeval *now = ev->ev_base->time_tv;
ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec;
ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec;
- while(ev->ev_timeout.tv_usec > 1000000) {
+ while(ev->ev_timeout.tv_usec >= 1000000) {
ev->ev_timeout.tv_usec -= 1000000;
ev->ev_timeout.tv_sec++;
}
Index: util/data/msgencode.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgencode.c,v
retrieving revision 1.7
diff -u -p -r1.7 msgencode.c
--- util/data/msgencode.c 4 Dec 2018 12:05:07 -0000 1.7
+++ util/data/msgencode.c 30 Aug 2019 13:58:04 -0000
@@ -639,15 +639,37 @@ positive_answer(struct reply_info* rep,
return 0;
}
-int
-reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
- uint16_t id, uint16_t flags, sldns_buffer* buffer, time_t timenow,
- struct regional* region, uint16_t udpsize, int dnssec)
+static int
+negative_answer(struct reply_info* rep) {
+ size_t i;
+ int ns_seen = 0;
+ if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN)
+ return 1;
+ if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR &&
+ rep->an_numrrsets != 0)
+ return 0; /* positive */
+ if(FLAGS_GET_RCODE(rep->flags) != LDNS_RCODE_NOERROR &&
+ FLAGS_GET_RCODE(rep->flags) != LDNS_RCODE_NXDOMAIN)
+ return 0;
+ for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++){
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA)
+ return 1;
+ if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS)
+ ns_seen = 1;
+ }
+ if(ns_seen) return 0; /* could be referral, NS, but no SOA */
+ return 1;
+}
+
+int
+reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
+ uint16_t id, uint16_t flags, sldns_buffer* buffer, time_t timenow,
+ struct regional* region, uint16_t udpsize, int dnssec, int minimise)
{
uint16_t ancount=0, nscount=0, arcount=0;
struct compress_tree_node* tree = 0;
int r;
- size_t rr_offset;
+ size_t rr_offset;
sldns_buffer_clear(buffer);
if(udpsize < sldns_buffer_limit(buffer))
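Review bot: negative_answer's final `return 1` classifies a NOERROR response with an empty answer and an authority section containing neither SOA nor NS as negative, so its additional section will be dropped when minimising; that is reasonable for NODATA but the comment should say so explicitly, since the current comments only describe the NS-without-SOA referral case. Separately, this hunk mixes whitespace-only edits (`size_t rr_offset;`) into a functional change, as do the insert_query, insert_section and calc_edns_field_size hunks below; keeping those out makes the behavioural diff easier to review.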
@@ -663,7 +685,7 @@ reply_info_encode(struct query_info* qin
/* insert query section */
if(rep->qdcount) {
- if((r=insert_query(qinfo, &tree, buffer, region)) !=
+ if((r=insert_query(qinfo, &tree, buffer, region)) !=
RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
@@ -707,8 +729,8 @@ reply_info_encode(struct query_info* qin
}
/* insert answer section */
- if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
- 0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
+ if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer,
+ 0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype,
dnssec, rr_offset)) != RETVAL_OK) {
if(r == RETVAL_TRUNC) {
/* create truncated message */
@@ -722,9 +744,9 @@ reply_info_encode(struct query_info* qin
sldns_buffer_write_u16_at(buffer, 6, ancount);
/* if response is positive answer, auth/add sections are not required */
- if( ! (MINIMAL_RESPONSES && positive_answer(rep, qinfo->qtype)) ) {
+ if( ! (minimise && positive_answer(rep, qinfo->qtype)) ) {
/* insert auth section */
- if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
+ if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer,
rep->an_numrrsets, timenow, region, &tree,
LDNS_SECTION_AUTHORITY, qinfo->qtype,
dnssec, rr_offset)) != RETVAL_OK) {
@@ -739,20 +761,22 @@ reply_info_encode(struct query_info* qin
}
sldns_buffer_write_u16_at(buffer, 8, nscount);
- /* insert add section */
- if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer,
- rep->an_numrrsets + rep->ns_numrrsets, timenow, region,
- &tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
- dnssec, rr_offset)) != RETVAL_OK) {
- if(r == RETVAL_TRUNC) {
- /* no need to set TC bit, this is the
additional */
- sldns_buffer_write_u16_at(buffer, 10, arcount);
- sldns_buffer_flip(buffer);
- return 1;
+ if(! (minimise && negative_answer(rep))) {
+ /* insert add section */
+ if((r=insert_section(rep, rep->ar_numrrsets, &arcount,
buffer,
+ rep->an_numrrsets + rep->ns_numrrsets, timenow,
region,
+ &tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype,
+ dnssec, rr_offset)) != RETVAL_OK) {
+ if(r == RETVAL_TRUNC) {
+ /* no need to set TC bit, this is the
additional */
+ sldns_buffer_write_u16_at(buffer, 10,
arcount);
+ sldns_buffer_flip(buffer);
+ return 1;
+ }
+ return 0;
}
- return 0;
+ sldns_buffer_write_u16_at(buffer, 10, arcount);
}
- sldns_buffer_write_u16_at(buffer, 10, arcount);
}
sldns_buffer_flip(buffer);
return 1;
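Review bot: when `minimise && negative_answer(rep)` holds, the additional section is skipped and the arcount field at offset 10 is no longer written by this function; that is correct only if the header counts were already zeroed when the header was written earlier in reply_info_encode (not visible in this hunk), so confirm that or write 0 explicitly here. The caller still appends the EDNS OPT record afterwards (attach_edns_record in the test hunks), so a stripped additional section will still carry OPT, which is the intended behaviour.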
@@ -763,7 +787,7 @@ calc_edns_field_size(struct edns_data* e
{
size_t rdatalen = 0;
struct edns_option* opt;
- if(!edns || !edns->edns_present)
+ if(!edns || !edns->edns_present)
return 0;
for(opt = edns->opt_list; opt; opt = opt->next) {
rdatalen += 4 + opt->opt_len;
@@ -850,7 +874,7 @@ reply_info_answer_encode(struct query_in
}
if(!reply_info_encode(qinf, rep, id, flags, pkt, timenow, region,
- udpsize, dnssec)) {
+ udpsize, dnssec, MINIMAL_RESPONSES)) {
log_err("reply encode: out of memory");
return 0;
}
Index: util/data/msgencode.h
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgencode.h,v
retrieving revision 1.1.1.3
diff -u -p -r1.1.1.3 msgencode.h
--- util/data/msgencode.h 16 Mar 2014 11:38:24 -0000 1.1.1.3
+++ util/data/msgencode.h 30 Aug 2019 13:58:04 -0000
@@ -85,12 +85,14 @@ int reply_info_answer_encode(struct quer
* @param region: to store temporary data in.
* @param udpsize: size of the answer, 512, from EDNS, or 64k for TCP.
* @param dnssec: if 0 DNSSEC records are omitted from the answer.
+ * @param minimise: if true, the answer is a minimal response, with
+ * authority and additional removed if possible.
* @return: nonzero is success, or
* 0 on error: malloc failure (no log_err has been done).
*/
int reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
uint16_t id, uint16_t flags, struct sldns_buffer* buffer, time_t
timenow,
- struct regional* region, uint16_t udpsize, int dnssec);
+ struct regional* region, uint16_t udpsize, int dnssec, int minimise);
/**
* Encode query packet. Assumes the buffer is large enough.
Index: util/data/msgreply.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/util/data/msgreply.c,v
retrieving revision 1.14
diff -u -p -r1.14 msgreply.c
--- util/data/msgreply.c 8 Feb 2019 10:29:08 -0000 1.14
+++ util/data/msgreply.c 30 Aug 2019 13:58:04 -0000
@@ -819,7 +819,7 @@ log_dns_msg(const char* str, struct quer
sldns_buffer* buf = sldns_buffer_new(65535);
struct regional* region = regional_create();
if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0,
- region, 65535, 1)) {
+ region, 65535, 1, 0)) {
log_info("%s: log_dns_msg: out of memory", str);
} else {
char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf),
Index: validator/autotrust.c
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/validator/autotrust.c,v
retrieving revision 1.10
diff -u -p -r1.10 autotrust.c
--- validator/autotrust.c 8 Oct 2018 16:03:53 -0000 1.10
+++ validator/autotrust.c 30 Aug 2019 13:58:04 -0000
@@ -1175,15 +1175,28 @@ void autr_write_file(struct module_env*
{
FILE* out;
char* fname = tp->autr->file;
+ long long llvalue;
char tempf[2048];
log_assert(tp->autr);
if(!env) {
log_err("autr_write_file: Module environment is NULL.");
return;
}
- /* unique name with pid number and thread number */
- snprintf(tempf, sizeof(tempf), "%s.%d-%d", fname, (int)getpid(),
- env->worker?*(int*)env->worker:0);
+ /* unique name with pid number, thread number, and struct pointer
+ * (the pointer uniquifies for multiple libunbound contexts) */
+#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX ||
INT32_MAX == SIZE_MAX)
+ /* avoid warning about upcast on 32bit systems */
+ llvalue = (unsigned long)tp;
+#else
+ llvalue = (unsigned long long)tp;
+#endif
+#ifndef USE_WINSOCK
+ snprintf(tempf, sizeof(tempf), "%s.%d-%d-%llx", fname, (int)getpid(),
+ env->worker?*(int*)env->worker:0, llvalue);
+#else
+ snprintf(tempf, sizeof(tempf), "%s.%d-%d-%I64x", fname, (int)getpid(),
+ env->worker?*(int*)env->worker:0, llvalue);
+#endif
verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf);
out = fopen(tempf, "w");
if(!out) {
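Review bot: uniqueness of the temporary file name is still assumed rather than enforced. The name built by `snprintf(tempf, sizeof(tempf), "%s.%d-%d-%llx", ...)` combines pid, thread number and the `tp` pointer value, all predictable, and the `out = fopen(tempf, "w")` that follows will truncate, or follow, whatever already exists under that name, so correctness rests entirely on the anchor file's directory being writable by unbound alone. Creating the temp file with `open()` using `O_WRONLY|O_CREAT|O_EXCL` and wrapping it with `fdopen()` would turn a name collision into a reported error instead of a silent overwrite, which is what the comment's "uniquifies" goal actually needs. Two smaller points: embedding the pointer value in the filename publishes a heap address to anyone who can list the directory, and `llvalue = (unsigned long long)(uintptr_t)tp;` avoids the 32-bit upcast warning without the SIZE_MAX/UINT32_MAX #if, leaving only the USE_WINSOCK `%I64x` split.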
Index: Makefile.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/Makefile.in,v
retrieving revision 1.30
diff -u -p -r1.30 Makefile.in
--- Makefile.in 27 Mar 2019 12:06:17 -0000 1.30
+++ Makefile.in 30 Aug 2019 13:58:03 -0000
@@ -126,7 +126,7 @@ validator/val_sigcrypt.c validator/val_u
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \
-$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC)
+$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC) $(IPSET_SRC)
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -139,7 +139,7 @@ autotrust.lo val_anchor.lo \
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo
authzone.lo \
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
-$(IPSECMOD_OBJ) respip.lo
+$(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo
listen_dnsport.lo \
outside_network.lo
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
@@ -229,6 +229,8 @@ DELAYER_SRC=testcode/delayer.c
DELAYER_OBJ=delayer.lo
DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
$(SLDNS_OBJ)
+IPSET_SRC=@IPSET_SRC@
+IPSET_OBJ=@IPSET_OBJ@
LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \
libunbound/libworker.c
LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo
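Review bot: IPSET_SRC and IPSET_OBJ are defined here, well after the source and object lists in the two hunks above already reference them; that only works because those lists are recursively expanded `=` assignments (COMMON_OBJ_WITHOUT_NETCALL visibly is), so it is correct but fragile, and moving the two `@IPSET_SRC@`/`@IPSET_OBJ@` lines up beside the other optional-module substitutions would make the ordering obvious. Given the cover note that the ipset code is Linux-only, the OpenBSD build also depends on configure substituting both as empty unless --enable-ipset is given; `make -V COMMON_OBJ` after configure is a quick check that `$(IPSET_OBJ)` expands to nothing.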
@@ -256,8 +258,9 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(
$(MEMSTATS_SRC) $(CHECKCONF_SRC) $(LIBUNBOUND_SRC) $(HOST_SRC) \
$(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \
$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) \
- $(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC)\
+ $(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \
$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC)
+
ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
$(MEMSTATS_OBJ) $(CHECKCONF_OBJ) $(LIBUNBOUND_OBJ) $(HOST_OBJ) \
@@ -636,17 +639,19 @@ depend:
# Dependencies
dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h
$(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \
- $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h
$(srcdir)/util/storage/lruhash.h \
- $(srcdir)/util/locks.h $(srcdir)/validator/val_utils.h
$(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h
$(srcdir)/validator/val_nsec.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h
$(srcdir)/util/locks.h \
+ $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/services/cache/dns.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h
$(srcdir)/util/storage/slabhash.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/module.h
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h
infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h
$(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h
$(srcdir)/util/netevent.h \
- $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h
$(srcdir)/util/storage/lookup3.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h
$(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
$(srcdir)/services/cache/infra.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
$(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h
$(srcdir)/dnscrypt/dnscrypt.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h
$(srcdir)/util/data/dname.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h
$(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/util/module.h
$(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h
rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h
$(srcdir)/services/cache/rrset.h \
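Review bot: this and the following `# Dependencies` hunks are output of the `depend:` target (the reordering of val_nsec.h and packed_rrset.h and the added iter_utils.h/iter_resptype.h prerequisites are regeneration churn, not hand edits), so they should be taken verbatim; if the import later runs `make depend` on OpenBSD, keep that regenerated output rather than trying to preserve upstream's ordering by hand.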
@@ -776,7 +781,10 @@ modstack.lo modstack.o: $(srcdir)/servic
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h
$(srcdir)/iterator/iterator.h \
$(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h
$(srcdir)/validator/val_utils.h \
$(srcdir)/respip/respip.h $(srcdir)/services/localzone.h
$(srcdir)/util/storage/dnstree.h \
- $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h
+ $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h \
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h
$(srcdir)/util/net_help.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h
$(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/ipset/ipset.h
view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h
$(srcdir)/util/rbtree.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h
$(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h
$(srcdir)/util/data/msgreply.h \
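Review bot: modstack.o now depends unconditionally on `$(srcdir)/ipset/ipset.h` (fptr_wlist.o gains the same prerequisite further down), so that header must exist in the tree even on builds where ipset is disabled, and `ipset/ipset.c` is likewise named by the new ipset.lo rule; the portion of the diff shown here has no `Index: ipset/...` entry, so if the new files are not elsewhere in the diff, `make` will stop with "No rule to make target ipset/ipset.h" even though `$(IPSET_OBJ)` is empty. The same check applies to `edns-subnet/subnetmod.h` and `edns-subnet/addrtree.h`, which modstack.o now lists as well.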
@@ -812,7 +820,8 @@ config_file.lo config_file.o: $(srcdir)/
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h
$(srcdir)/services/modstack.h \
$(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h
$(srcdir)/services/cache/infra.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h
$(srcdir)/sldns/parseutil.h \
- $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h
$(srcdir)/util/iana_ports.inc
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h
$(srcdir)/edns-subnet/edns-subnet.h \
+ $(srcdir)/util/iana_ports.inc
configlexer.lo configlexer.o: util/configlexer.c config.h
$(srcdir)/util/configyyrename.h \
$(srcdir)/util/config_file.h util/configparser.h
configparser.lo configparser.o: util/configparser.c config.h
$(srcdir)/util/configyyrename.h \
@@ -845,26 +854,22 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/ut
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
$(srcdir)/util/module.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h
$(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h
$(srcdir)/util/rbtree.h \
- $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h
$(srcdir)/services/authzone.h \
- $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h
$(srcdir)/services/cache/rrset.h \
- $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h
$(srcdir)/iterator/iterator.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h
$(srcdir)/validator/validator.h \
- $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h
$(srcdir)/validator/val_nsec3.h \
- $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h
$(srcdir)/validator/val_neg.h \
- $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h
$(srcdir)/libunbound/context.h \
- $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h
$(srcdir)/libunbound/unbound-event.h \
- $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h
$(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \
- $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h
+ $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h
$(srcdir)/services/outside_network.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/view.h $(srcdir)/services/authzone.h
$(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \
+ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h
$(srcdir)/dns64/dns64.h \
+ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h
$(srcdir)/iterator/iter_fwd.h \
+ $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h
$(srcdir)/validator/val_anchor.h \
+ $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h
$(srcdir)/validator/val_kentry.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h
$(srcdir)/libunbound/libworker.h \
+ $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h
$(srcdir)/libunbound/unbound.h \
+ $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h
$(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h $(PYTHONMOD_HEADER) \
+ $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h
$(srcdir)/util/net_help.h \
+ $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h
$(srcdir)/ipset/ipset.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h
$(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h
$(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h
$(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
- $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h
$(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
- $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h
$(srcdir)/util/data/packed_rrset.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
- $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h
$(srcdir)/services/modstack.h
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h
$(srcdir)/util/mini_event.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h
$(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h
$(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
@@ -927,14 +932,16 @@ tube.lo tube.o: $(srcdir)/util/tube.c co
$(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h
$(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
- $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
+ $(srcdir)/util/tube.h \
+
ub_event_pluggable.lo ub_event_pluggable.o:
$(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h
$(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h
$(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h
$(srcdir)/util/rbtree.h \
- $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h
$(srcdir)/util/rbtree.h
+ $(srcdir)/services/modstack.h \
+
winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h
$(srcdir)/validator/autotrust.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h
$(srcdir)/util/storage/lruhash.h \
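Review bot: both rules in this hunk now end in a continuation backslash followed by an empty `+` line (`$(srcdir)/util/tube.h \` and `$(srcdir)/services/modstack.h \`), which make tolerates, but the dangling continuation means a later edit that appends a rule directly beneath would silently merge it into the prerequisite list; since these lines come from the `depend:` generator, teaching the generator to drop the trailing backslash when a wrapped list ends is cleaner than patching its output.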
@@ -1026,13 +1033,27 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.
$(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h
$(srcdir)/services/modstack.h \
$(srcdir)/util/net_help.h $(srcdir)/util/regional.h
$(srcdir)/util/storage/dnstree.h $(srcdir)/util/data/dname.h \
$(srcdir)/sldns/str2wire.h
-edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h
-subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h
+edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h
$(srcdir)/util/log.h
+subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h
$(srcdir)/edns-subnet/subnetmod.h \
+ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h
$(srcdir)/util/locks.h $(srcdir)/util/log.h \
+ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h
$(srcdir)/util/data/msgparse.h \
+ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
$(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h
$(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
+ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \
+ $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h
$(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \
+ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h
addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h
$(srcdir)/util/log.h \
$(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h
$(srcdir)/util/locks.h \
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h
$(srcdir)/util/data/msgparse.h \
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h
$(srcdir)/edns-subnet/addrtree.h
-subnet-whitelist.lo subnet-whitelist.o:
$(srcdir)/edns-subnet/subnet-whitelist.c config.h
+subnet-whitelist.lo subnet-whitelist.o:
$(srcdir)/edns-subnet/subnet-whitelist.c config.h \
+ $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h
$(srcdir)/util/log.h \
+ $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h
$(srcdir)/util/rbtree.h \
+ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
+ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h
$(srcdir)/util/locks.h
cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h
redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h
respip.lo respip.o: $(srcdir)/respip/respip.c config.h
$(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \
@@ -1066,6 +1087,11 @@ ipsecmod-whitelist.lo ipsecmod-whitelist
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h
$(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \
$(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h
$(srcdir)/util/regional.h \
$(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h
$(srcdir)/sldns/str2wire.h
+ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h
$(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
$(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h
$(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h
$(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h
$(srcdir)/sldns/parseutil.h
unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h
$(srcdir)/util/log.h $(srcdir)/util/data/dname.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
$(srcdir)/testcode/unitmain.h \
$(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h
@@ -1114,7 +1140,12 @@ testpkts.lo testpkts.o: $(srcdir)/testco
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h
$(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
$(srcdir)/sldns/wire2str.h
-unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
+unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
$(srcdir)/util/log.h $(srcdir)/util/module.h \
+ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h
$(srcdir)/util/data/msgreply.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h
$(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h
$(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h
$(srcdir)/util/alloc.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h
$(srcdir)/edns-subnet/edns-subnet.h
unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h
$(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \
@@ -1186,7 +1217,8 @@ stats.lo stats.o: $(srcdir)/daemon/stats
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h
$(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h
$(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/services/authzone.h
$(srcdir)/validator/val_kcache.h \
- $(srcdir)/validator/val_neg.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h
$(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h \
unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h
$(srcdir)/daemon/daemon.h \
$(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \
@@ -1281,7 +1313,8 @@ stats.lo stats.o: $(srcdir)/daemon/stats
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h
$(srcdir)/services/cache/rrset.h \
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h
$(srcdir)/util/storage/dnstree.h \
$(srcdir)/util/rtt.h $(srcdir)/services/authzone.h
$(srcdir)/validator/val_kcache.h \
- $(srcdir)/validator/val_neg.h \
+ $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h
$(srcdir)/edns-subnet/addrtree.h \
+ $(srcdir)/edns-subnet/edns-subnet.h \
replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h
$(srcdir)/util/net_help.h \
$(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
@@ -1324,7 +1357,8 @@ unbound-checkconf.lo unbound-checkconf.o
$(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h
$(srcdir)/services/localzone.h \
$(srcdir)/services/view.h $(srcdir)/services/authzone.h
$(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \
- $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER)
+ $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER) \
+ $(srcdir)/edns-subnet/subnet-whitelist.h
worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h
$(srcdir)/libunbound/context.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h
$(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h
$(srcdir)/util/data/packed_rrset.h \
Index: config.h.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/config.h.in,v
retrieving revision 1.16
diff -u -p -r1.16 config.h.in
--- config.h.in 28 Jun 2019 15:17:16 -0000 1.16
+++ config.h.in 30 Aug 2019 13:58:03 -0000
@@ -15,6 +15,9 @@
/* Do sha512 definitions in config.h */
#undef COMPAT_SHA512
+/* Command line arguments used with configure */
+#undef CONFCMDLINE
+
/* Pathname to the Unbound configuration file */
#undef CONFIGFILE
@@ -774,6 +777,9 @@
/* Define to 1 to use ipsecmod support. */
#undef USE_IPSECMOD
+
+/* Define to 1 to use ipset support */
+#undef USE_IPSET
/* Define if you want to use internal select based events */
#undef USE_MINI_EVENT
Index: configure
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/configure,v
retrieving revision 1.33
diff -u -p -r1.33 configure
--- configure 28 Jun 2019 15:17:16 -0000 1.33
+++ configure 30 Aug 2019 13:58:03 -0000
@@ -1,8 +1,8 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.9.2.
+# Generated by GNU Autoconf 2.69 for unbound 1.9.3.
#
-# Report bugs to <[email protected]>.
+# Report bugs to <[email protected] or
https://github.com/NLnetLabs/unbound/issues>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -275,10 +275,11 @@ fi
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell [email protected] and
-$0: [email protected] about your system, including
-$0: any error possibly output before this message. Then
-$0: install a modern shell, or manually run the script
-$0: under such a shell if you do have one."
+$0: [email protected] or
+$0: https://github.com/NLnetLabs/unbound/issues about your
+$0: system, including any error possibly output before this
+$0: message. Then install a modern shell, or manually run
+$0: the script under such a shell if you do have one."
fi
exit 1
fi
@@ -590,9 +591,9 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='unbound'
PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.9.2'
-PACKAGE_STRING='unbound 1.9.2'
-PACKAGE_BUGREPORT='[email protected]'
+PACKAGE_VERSION='1.9.3'
+PACKAGE_STRING='unbound 1.9.3'
+PACKAGE_BUGREPORT='[email protected] or
https://github.com/NLnetLabs/unbound/issues'
PACKAGE_URL=''
# Factoring default headers for most tests.
@@ -638,6 +639,8 @@ INSTALLTARGET
ALLTARGET
SOURCEFILE
SOURCEDETERMINE
+IPSET_OBJ
+IPSET_SRC
IPSECMOD_HEADER
IPSECMOD_OBJ
DNSCRYPT_OBJ
@@ -664,12 +667,6 @@ WIN_DAEMON_SRC
WINAPPS
WINDRES
CHECKLOCK_OBJ
-USE_SYSTEMD_FALSE
-USE_SYSTEMD_TRUE
-SYSTEMD_DAEMON_LIBS
-SYSTEMD_DAEMON_CFLAGS
-SYSTEMD_LIBS
-SYSTEMD_CFLAGS
staticexe
PC_LIBEVENT_DEPENDENCY
UNBOUND_EVENT_UNINSTALL
@@ -705,6 +702,12 @@ PTHREAD_CFLAGS
PTHREAD_LIBS
PTHREAD_CC
ax_pthread_config
+USE_SYSTEMD_FALSE
+USE_SYSTEMD_TRUE
+SYSTEMD_DAEMON_LIBS
+SYSTEMD_DAEMON_CFLAGS
+SYSTEMD_LIBS
+SYSTEMD_CFLAGS
RUNTIME_PATH
LIBOBJS
PKG_CONFIG_LIBDIR
@@ -841,6 +844,7 @@ with_sysroot
enable_libtool_lock
enable_rpath
enable_largefile
+enable_systemd
enable_alloc_checks
enable_alloc_lite
enable_alloc_nonregional
@@ -867,7 +871,6 @@ with_libevent
with_libexpat
with_libhiredis
enable_static_exe
-enable_systemd
enable_lock_checks
enable_allsymbols
enable_dnstap
@@ -878,6 +881,8 @@ enable_dnscrypt
with_libsodium
enable_cachedb
enable_ipsecmod
+enable_ipset
+with_libmnl
with_libunbound_only
'
ac_precious_vars='build_alias
@@ -895,11 +900,11 @@ LT_SYS_LIBRARY_PATH
PKG_CONFIG
PKG_CONFIG_PATH
PKG_CONFIG_LIBDIR
-PYTHON_VERSION
SYSTEMD_CFLAGS
SYSTEMD_LIBS
SYSTEMD_DAEMON_CFLAGS
-SYSTEMD_DAEMON_LIBS'
+SYSTEMD_DAEMON_LIBS
+PYTHON_VERSION'
# Initialize some variables set by options.
@@ -1440,7 +1445,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures unbound 1.9.2 to adapt to many kinds of systems.
+\`configure' configures unbound 1.9.3 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1505,7 +1510,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of unbound 1.9.2:";;
+ short | recursive ) echo "Configuration of unbound 1.9.3:";;
esac
cat <<\_ACEOF
@@ -1527,6 +1532,7 @@ Optional Features:
--disable-libtool-lock avoid locking (might break parallel builds)
--disable-rpath disable hardcoded rpath (default=enabled)
--disable-largefile omit support for large files
+ --enable-systemd compile with systemd support
--enable-alloc-checks enable to memory allocation statistics, for debug
purposes
--enable-alloc-lite enable for lightweight alloc assertions, for debug
@@ -1553,7 +1559,6 @@ Optional Features:
--enable-tfo-server Enable TCP Fast Open for server mode
--enable-static-exe enable to compile executables statically against
(event) libs, for debug purposes
- --enable-systemd compile with systemd support
--enable-lock-checks enable to check lock and unlock calls, for debug
purposes
--enable-allsymbols export all symbols from libunbound and link binaries
@@ -1565,6 +1570,7 @@ Optional Features:
storage
--enable-ipsecmod Enable ipsecmod module that facilitates
opportunistic IPsec
+ --enable-ipset enable ipset module
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
@@ -1619,6 +1625,7 @@ Optional Packages:
--with-protobuf-c=path Path where protobuf-c is installed, for dnstap
--with-libfstrm=path Path where libfstrm is installed, for dnstap
--with-libsodium=path Path where libsodium is installed, for dnscrypt
+ --with-libmnl=path specify explicit path for libmnl.
--with-libunbound-only do not build daemon and tool programs
Some influential environment variables:
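Review bot: `--with-libmnl=path specify explicit path for libmnl.` breaks the style of the neighbouring `--with-*=path` entries, which are capitalised and carry no trailing period (`Path where libsodium is installed, for dnscrypt`), and the `--enable-ipset enable ipset module` line in the previous hunk is lowercase beside `Enable ipsecmod module ...`; more usefully, neither mentions that the module is Linux-only and needs libmnl, which the cover note states, so a user on another platform gets no hint that the option does not apply. Suggest `--enable-ipset Enable ipset module (Linux only, requires libmnl)` and `--with-libmnl=path Path where libmnl is installed, for ipset`.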
@@ -1643,10 +1650,6 @@ Some influential environment variables:
directories to add to pkg-config's search path
PKG_CONFIG_LIBDIR
path overriding pkg-config's built-in search path
- PYTHON_VERSION
- The installed Python version to use, for example '2.3'. This
- string will be appended to the Python interpreter canonical
- name.
SYSTEMD_CFLAGS
C compiler flags for SYSTEMD, overriding pkg-config
SYSTEMD_LIBS
@@ -1655,11 +1658,15 @@ Some influential environment variables:
C compiler flags for SYSTEMD_DAEMON, overriding pkg-config
SYSTEMD_DAEMON_LIBS
linker flags for SYSTEMD_DAEMON, overriding pkg-config
+ PYTHON_VERSION
+ The installed Python version to use, for example '2.3'. This
+ string will be appended to the Python interpreter canonical
+ name.
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
-Report bugs to <[email protected]>.
+Report bugs to <[email protected] or
https://github.com/NLnetLabs/unbound/issues>.
_ACEOF
ac_status=$?
fi
@@ -1722,7 +1729,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-unbound configure 1.9.2
+unbound configure 1.9.3
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1881,9 +1888,9 @@ $as_echo "$as_me: WARNING: $2: see the A
$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\""
>&2;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the
compiler's result" >&5
$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
-( $as_echo "## ---------------------------------------- ##
-## Report this to [email protected] ##
-## ---------------------------------------- ##"
+( $as_echo "##
---------------------------------------------------------------------------------------
##
+## Report this to [email protected] or
https://github.com/NLnetLabs/unbound/issues ##
+##
---------------------------------------------------------------------------------------
##"
) | sed "s/^/$as_me: WARNING: /" >&2
;;
esac
@@ -2431,7 +2438,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by unbound $as_me 1.9.2, which was
+It was created by unbound $as_me 1.9.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -2783,11 +2790,11 @@ UNBOUND_VERSION_MAJOR=1
UNBOUND_VERSION_MINOR=9
-UNBOUND_VERSION_MICRO=2
+UNBOUND_VERSION_MICRO=3
LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -2857,6 +2864,7 @@ LIBUNBOUND_AGE=1
# 1.9.0 had 9:0:1 # add ub_ctx_set_tls
# 1.9.1 had 9:1:1
# 1.9.2 had 9:2:1
+# 1.9.3 had 9:3:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -2880,6 +2888,14 @@ LIBUNBOUND_AGE=1
+
+cmdln="`echo $@ | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/"/\\\\"/'g`"
+
+cat >>confdefs.h <<_ACEOF
+#define CONFCMDLINE "$cmdln"
+_ACEOF
+
+
CFLAGS="$CFLAGS"
ac_ext=c
ac_cpp='$CPP $CPPFLAGS'
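Review bot: `cmdln="`echo $@ | sed ...`"` only escapes backslashes and double quotes before the value is written into a C string literal as `#define CONFCMDLINE "$cmdln"`, so an argument containing a newline yields an unterminated literal in confdefs.h and a compile error, the unquoted `$@` is re-split and glob-expanded by the shell, and some `echo` implementations interpret a leading `-n`/`-e` or backslash escapes in the arguments. Since configure already keeps the shell-quoted `$ac_configure_args`, building the define from that (or from `printf '%s ' "$@"`) and additionally escaping newlines would make the `-V` output faithful for any invocation. This is a robustness point rather than a security one, as whoever runs configure controls its arguments either way.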
@@ -16103,6 +16119,197 @@ $as_echo "#define REUSEPORT_DEFAULT 0" >
fi
+# Include systemd.m4 - begin
+# macros for configuring systemd
+# Copyright 2015, Sami Kerola, CloudFlare.
+# BSD licensed.
+# Check whether --enable-systemd was given.
+if test "${enable_systemd+set}" = set; then :
+ enableval=$enable_systemd;
+else
+ enable_systemd=no
+fi
+
+have_systemd=no
+if test "x$enable_systemd" != xno; then :
+
+
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD" >&5
+$as_echo_n "checking for SYSTEMD... " >&6; }
+
+if test -n "$SYSTEMD_CFLAGS"; then
+ pkg_cv_SYSTEMD_CFLAGS="$SYSTEMD_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SYSTEMD_CFLAGS=`$PKG_CONFIG --cflags "libsystemd" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+if test -n "$SYSTEMD_LIBS"; then
+ pkg_cv_SYSTEMD_LIBS="$SYSTEMD_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SYSTEMD_LIBS=`$PKG_CONFIG --libs "libsystemd" 2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors
--cflags --libs "libsystemd" 2>&1`
+ else
+ SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs
"libsystemd" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$SYSTEMD_PKG_ERRORS" >&5
+
+ have_systemd=no
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ have_systemd=no
+else
+ SYSTEMD_CFLAGS=$pkg_cv_SYSTEMD_CFLAGS
+ SYSTEMD_LIBS=$pkg_cv_SYSTEMD_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_systemd=yes
+fi
+ if test "x$have_systemd" != "xyes"; then :
+
+
+pkg_failed=no
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5
+$as_echo_n "checking for SYSTEMD_DAEMON... " >&6; }
+
+if test -n "$SYSTEMD_DAEMON_CFLAGS"; then
+ pkg_cv_SYSTEMD_DAEMON_CFLAGS="$SYSTEMD_DAEMON_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd-daemon\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SYSTEMD_DAEMON_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon"
2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+if test -n "$SYSTEMD_DAEMON_LIBS"; then
+ pkg_cv_SYSTEMD_DAEMON_LIBS="$SYSTEMD_DAEMON_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd-daemon\""; } >&5
+ ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+ pkg_cv_SYSTEMD_DAEMON_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon"
2>/dev/null`
+ test "x$?" != "x0" && pkg_failed=yes
+else
+ pkg_failed=yes
+fi
+ else
+ pkg_failed=untried
+fi
+
+
+
+if test $pkg_failed = yes; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
+ _pkg_short_errors_supported=yes
+else
+ _pkg_short_errors_supported=no
+fi
+ if test $_pkg_short_errors_supported = yes; then
+ SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --short-errors
--print-errors --cflags --libs "libsystemd-daemon" 2>&1`
+ else
+ SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags
--libs "libsystemd-daemon" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$SYSTEMD_DAEMON_PKG_ERRORS" >&5
+
+ have_systemd_daemon=no
+elif test $pkg_failed = untried; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ have_systemd_daemon=no
+else
+ SYSTEMD_DAEMON_CFLAGS=$pkg_cv_SYSTEMD_DAEMON_CFLAGS
+ SYSTEMD_DAEMON_LIBS=$pkg_cv_SYSTEMD_DAEMON_LIBS
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ have_systemd_daemon=yes
+fi
+ if test "x$have_systemd_daemon" = "xyes"; then :
+ have_systemd=yes
+fi
+
+fi
+ case $enable_systemd:$have_systemd in #(
+ yes:no) :
+ as_fn_error $? "systemd enabled but libsystemd not found" "$LINENO" 5 ;; #(
+ *:yes) :
+
+$as_echo "#define HAVE_SYSTEMD 1" >>confdefs.h
+
+ LIBS="$LIBS $SYSTEMD_LIBS"
+
+ ;; #(
+ *) :
+ ;;
+esac
+
+
+fi
+ if test "x$have_systemd" = xyes; then
+ USE_SYSTEMD_TRUE=
+ USE_SYSTEMD_FALSE='#'
+else
+ USE_SYSTEMD_TRUE='#'
+ USE_SYSTEMD_FALSE=
+fi
+
+
+# Include systemd.m4 - end
+
# set memory allocation checking if requested
# Check whether --enable-alloc-checks was given.
if test "${enable_alloc_checks+set}" = set; then :
@@ -19194,197 +19401,6 @@ if test x_$enable_static_exe = x_yes; th
fi
fi
-# Include systemd.m4 - begin
-# macros for configuring systemd
-# Copyright 2015, Sami Kerola, CloudFlare.
-# BSD licensed.
-# Check whether --enable-systemd was given.
-if test "${enable_systemd+set}" = set; then :
- enableval=$enable_systemd;
-else
- enable_systemd=no
-fi
-
-have_systemd=no
-if test "x$enable_systemd" != xno; then :
-
-
-
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD" >&5
-$as_echo_n "checking for SYSTEMD... " >&6; }
-
-if test -n "$SYSTEMD_CFLAGS"; then
- pkg_cv_SYSTEMD_CFLAGS="$SYSTEMD_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd\""; } >&5
- ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_SYSTEMD_CFLAGS=`$PKG_CONFIG --cflags "libsystemd" 2>/dev/null`
- test "x$?" != "x0" && pkg_failed=yes
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-if test -n "$SYSTEMD_LIBS"; then
- pkg_cv_SYSTEMD_LIBS="$SYSTEMD_LIBS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd\""; } >&5
- ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_SYSTEMD_LIBS=`$PKG_CONFIG --libs "libsystemd" 2>/dev/null`
- test "x$?" != "x0" && pkg_failed=yes
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
- _pkg_short_errors_supported=yes
-else
- _pkg_short_errors_supported=no
-fi
- if test $_pkg_short_errors_supported = yes; then
- SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors
--cflags --libs "libsystemd" 2>&1`
- else
- SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs
"libsystemd" 2>&1`
- fi
- # Put the nasty error message in config.log where it belongs
- echo "$SYSTEMD_PKG_ERRORS" >&5
-
- have_systemd=no
-elif test $pkg_failed = untried; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_systemd=no
-else
- SYSTEMD_CFLAGS=$pkg_cv_SYSTEMD_CFLAGS
- SYSTEMD_LIBS=$pkg_cv_SYSTEMD_LIBS
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_systemd=yes
-fi
- if test "x$have_systemd" != "xyes"; then :
-
-
-pkg_failed=no
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5
-$as_echo_n "checking for SYSTEMD_DAEMON... " >&6; }
-
-if test -n "$SYSTEMD_DAEMON_CFLAGS"; then
- pkg_cv_SYSTEMD_DAEMON_CFLAGS="$SYSTEMD_DAEMON_CFLAGS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd-daemon\""; } >&5
- ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_SYSTEMD_DAEMON_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon"
2>/dev/null`
- test "x$?" != "x0" && pkg_failed=yes
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-if test -n "$SYSTEMD_DAEMON_LIBS"; then
- pkg_cv_SYSTEMD_DAEMON_LIBS="$SYSTEMD_DAEMON_LIBS"
- elif test -n "$PKG_CONFIG"; then
- if test -n "$PKG_CONFIG" && \
- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists
--print-errors \"libsystemd-daemon\""; } >&5
- ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5
- ac_status=$?
- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
- test $ac_status = 0; }; then
- pkg_cv_SYSTEMD_DAEMON_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon"
2>/dev/null`
- test "x$?" != "x0" && pkg_failed=yes
-else
- pkg_failed=yes
-fi
- else
- pkg_failed=untried
-fi
-
-
-
-if test $pkg_failed = yes; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
-
-if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then
- _pkg_short_errors_supported=yes
-else
- _pkg_short_errors_supported=no
-fi
- if test $_pkg_short_errors_supported = yes; then
- SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --short-errors
--print-errors --cflags --libs "libsystemd-daemon" 2>&1`
- else
- SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags
--libs "libsystemd-daemon" 2>&1`
- fi
- # Put the nasty error message in config.log where it belongs
- echo "$SYSTEMD_DAEMON_PKG_ERRORS" >&5
-
- have_systemd_daemon=no
-elif test $pkg_failed = untried; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }
- have_systemd_daemon=no
-else
- SYSTEMD_DAEMON_CFLAGS=$pkg_cv_SYSTEMD_DAEMON_CFLAGS
- SYSTEMD_DAEMON_LIBS=$pkg_cv_SYSTEMD_DAEMON_LIBS
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
- have_systemd_daemon=yes
-fi
- if test "x$have_systemd_daemon" = "xyes"; then :
- have_systemd=yes
-fi
-
-fi
- case $enable_systemd:$have_systemd in #(
- yes:no) :
- as_fn_error $? "systemd enabled but libsystemd not found" "$LINENO" 5 ;; #(
- *:yes) :
-
-$as_echo "#define HAVE_SYSTEMD 1" >>confdefs.h
-
- LIBS="$LIBS $SYSTEMD_LIBS"
-
- ;; #(
- *) :
- ;;
-esac
-
-
-fi
- if test "x$have_systemd" = xyes; then
- USE_SYSTEMD_TRUE=
- USE_SYSTEMD_FALSE='#'
-else
- USE_SYSTEMD_TRUE='#'
- USE_SYSTEMD_FALSE=
-fi
-
-
-# Include systemd.m4 - end
-
# set lock checking if requested
# Check whether --enable-lock_checks was given.
if test "${enable_lock_checks+set}" = set; then :
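Review bot: the visible part of the block removed here matches the block inserted above line for line (from the `checking for SYSTEMD` probe through `# Include systemd.m4 - end`), so this hunk pair is a pure relocation and the only behavioural change is that the `$PKG_CONFIG` probes now run earlier in configure. Since this file is generated, please confirm it was regenerated from configure.ac with the same autoconf 2.69 named in the config.status hunk rather than moved by hand, so the two stay in sync on the next regeneration.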
@@ -21049,6 +21065,59 @@ $as_echo "#define USE_IPSECMOD 1" >>conf
;;
esac
+# check for ipset if requested
+# Check whether --enable-ipset was given.
+if test "${enable_ipset+set}" = set; then :
+ enableval=$enable_ipset;
+fi
+
+case "$enable_ipset" in
+ yes)
+
+$as_echo "#define USE_IPSET 1" >>confdefs.h
+
+ IPSET_SRC="ipset/ipset.c"
+
+ IPSET_OBJ="ipset.lo"
+
+
+ # mnl
+
+# Check whether --with-libmnl was given.
+if test "${with_libmnl+set}" = set; then :
+ withval=$with_libmnl;
+else
+ withval="yes"
+fi
+
+ found_libmnl="no"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl"
>&5
+$as_echo_n "checking for libmnl... " >&6; }
+ if test x_$withval = x_ -o x_$withval = x_yes; then
+ withval="/usr/local /opt/local /usr/lib /usr/pkg
/usr/sfw /usr"
+ fi
+ for dir in $withval ; do
+ if test -f "$dir/include/libmnl/libmnl.h"; then
+ found_libmnl="yes"
+ if test "$dir"
!= "/usr"; then
+ CPPFLAGS="$CPPFLAGS -I$dir/include"
+ LDFLAGS="$LDFLAGS -L$dir/lib"
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}:
result: found in $dir" >&5
+$as_echo "found in $dir" >&6; }
+ LIBS="$LIBS -lmnl"
+ break;
+ fi
+ done
+ if test x_$found_libmnl != x_yes; then
+ as_fn_error $? "Could not find libmnl, libmnl.h"
"$LINENO" 5
+ fi
+ ;;
+ no|*)
+ # nothing
+ ;;
+esac
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $<
with implicit rule in scope" >&5
$as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in
scope... " >&6; }
# on openBSD, the implicit rule make $< work.
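Review bot: `--enable-ipset` has no host-OS check, so on any system without libmnl.h the search loop falls through to `as_fn_error $? "Could not find libmnl, libmnl.h"`. The option is opt-in, so failing is acceptable, but libmnl is the Netfilter netlink library and ipset is a Linux netfilter feature; the `--enable-ipset` help text (`enable ipset module`) should say so, otherwise an OpenBSD user will read the libmnl error as a missing package rather than an unsupported platform.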
@@ -21204,7 +21273,7 @@ _ACEOF
-version=1.9.2
+version=1.9.3
date=`date +'%b %e, %Y'`
@@ -21723,7 +21792,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_wri
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by unbound $as_me 1.9.2, which was
+This file was extended by unbound $as_me 1.9.3, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -21783,13 +21852,13 @@ $config_headers
Configuration commands:
$config_commands
-Report bugs to <[email protected]>."
+Report bugs to <[email protected] or
https://github.com/NLnetLabs/unbound/issues>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //;
s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-unbound config.status 1.9.2
+unbound config.status 1.9.3
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
Index: configure.ac
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/configure.ac,v
retrieving revision 1.33
diff -u -p -r1.33 configure.ac
--- configure.ac 28 Jun 2019 15:17:16 -0000 1.33
+++ configure.ac 30 Aug 2019 13:58:03 -0000
@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
m4_define([VERSION_MAJOR],[1])
m4_define([VERSION_MINOR],[9])
-m4_define([VERSION_MICRO],[2])
-AC_INIT(unbound,
m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),
[email protected], unbound)
+m4_define([VERSION_MICRO],[3])
+AC_INIT(unbound,
m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),
[email protected] or https://github.com/NLnetLabs/unbound/issues,
unbound)
AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
LIBUNBOUND_AGE=1
# 1.0.0 had 0:12:0
# 1.0.1 had 0:13:0
@@ -88,6 +88,7 @@ LIBUNBOUND_AGE=1
# 1.9.0 had 9:0:1 # add ub_ctx_set_tls
# 1.9.1 had 9:1:1
# 1.9.2 had 9:2:1
+# 1.9.3 had 9:3:1
# Current -- the number of the binary API that we're implementing
# Revision -- which iteration of the implementation of the binary
@@ -111,6 +112,10 @@ AC_SUBST(LIBUNBOUND_CURRENT)
AC_SUBST(LIBUNBOUND_REVISION)
AC_SUBST(LIBUNBOUND_AGE)
+
+cmdln="`echo $@ | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/"/\\\\"/'g`"
+AC_DEFINE_UNQUOTED(CONFCMDLINE, ["$cmdln"], [Command line arguments used with
configure])
+
CFLAGS="$CFLAGS"
AC_AIX
if test "$ac_cv_header_minix_config_h" = "yes"; then
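Review bot: `echo $@` is unquoted, so the configure arguments are word-split and glob-expanded before being recorded; use `"$@"`. The two sed passes only escape backslash and double quote, which is enough for the C string literal but not for an argument containing a newline, and the stray `'g` after the closing quote of the second expression works only because the shell concatenates it; write `'s/"/\\\\"/g'`. One line for the commit message: CONFCMDLINE is compiled into the binary and printed by `unbound -V` (see the unbound.8 hunk below), so any local path passed to configure, e.g. `--with-libmnl=/home/...`, becomes readable by anyone who can run the binary. Harmless for a base-system build, but packagers should know.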
@@ -475,6 +480,10 @@ else
AC_DEFINE(REUSEPORT_DEFAULT, 0, [if REUSEPORT is enabled by default])
fi
+# Include systemd.m4 - begin
+sinclude(systemd.m4)
+# Include systemd.m4 - end
+
# set memory allocation checking if requested
AC_ARG_ENABLE(alloc-checks, AC_HELP_STRING([--enable-alloc-checks],
[ enable to memory allocation statistics, for debug purposes ]),
@@ -1296,10 +1305,6 @@ if test x_$enable_static_exe = x_yes; th
fi
fi
-# Include systemd.m4 - begin
-sinclude(systemd.m4)
-# Include systemd.m4 - end
-
# set lock checking if requested
AC_ARG_ENABLE(lock_checks, AC_HELP_STRING([--enable-lock-checks],
[ enable to check lock and unlock calls, for debug purposes ]),
@@ -1600,6 +1605,47 @@ case "$enable_ipsecmod" in
;;
no|*)
# nothing
+ ;;
+esac
+
+# check for ipset if requested
+AC_ARG_ENABLE(ipset, AC_HELP_STRING([--enable-ipset], [enable ipset module]))
+case "$enable_ipset" in
+ yes)
+ AC_DEFINE([USE_IPSET], [1], [Define to 1 to use ipset support])
+ IPSET_SRC="ipset/ipset.c"
+ AC_SUBST(IPSET_SRC)
+ IPSET_OBJ="ipset.lo"
+ AC_SUBST(IPSET_OBJ)
+
+ # mnl
+ AC_ARG_WITH(libmnl, AC_HELP_STRING([--with-libmnl=path],
+ [specify explicit path for libmnl.]),
+ [ ],[ withval="yes" ])
+ found_libmnl="no"
+ AC_MSG_CHECKING(for libmnl)
+ if test x_$withval = x_ -o x_$withval = x_yes; then
+ withval="/usr/local /opt/local /usr/lib /usr/pkg
/usr/sfw /usr"
+ fi
+ for dir in $withval ; do
+ if test -f "$dir/include/libmnl/libmnl.h"; then
+ found_libmnl="yes"
+ dnl assume /usr is in default path.
+ if test "$dir" != "/usr"; then
+ CPPFLAGS="$CPPFLAGS -I$dir/include"
+ LDFLAGS="$LDFLAGS -L$dir/lib"
+ fi
+ AC_MSG_RESULT(found in $dir)
+ LIBS="$LIBS -lmnl"
+ break;
+ fi
+ done
+ if test x_$found_libmnl != x_yes; then
+ AC_ERROR([Could not find libmnl, libmnl.h])
+ fi
+ ;;
+ no|*)
+ # nothing
;;
esac
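Review bot: `AC_ERROR` is an obsolete macro; use `AC_MSG_ERROR([Could not find libmnl, libmnl.h])`. In the default search list `/usr/lib` is used as a prefix, so the test looks for `/usr/lib/include/libmnl/libmnl.h`, which can never exist; drop it. Also `LIBS="$LIBS -lmnl"` links libmnl into every program built from this tree, not only into `ipset.lo`; if that is the convention for the other optional modules it is fine, but it deserves a comment, as does the `-L$dir/lib` added to `LDFLAGS` without a corresponding rpath for non-default prefixes.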
Index: doc/README
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/README,v
retrieving revision 1.20
diff -u -p -r1.20 README
--- doc/README 28 Jun 2019 15:17:16 -0000 1.20
+++ doc/README 30 Aug 2019 13:58:03 -0000
@@ -1,4 +1,4 @@
-README for Unbound 1.9.2
+README for Unbound 1.9.3
Copyright 2007 NLnet Labs
http://unbound.net
Index: doc/README.ipset.md
===================================================================
RCS file: doc/README.ipset.md
diff -N doc/README.ipset.md
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ doc/README.ipset.md 30 Aug 2019 13:58:03 -0000
@@ -0,0 +1,65 @@
+## Created a module to support the ipset that could add the domain's ip to a
list easily.
+
+### Purposes:
+* In my case, I can't access the facebook, twitter, youtube and thousands web
site for some reason. VPN is a solution. But the internet too slow whether all
traffics pass through the vpn.
+So, I set up a transparent proxy to proxy the traffic which has been blocked
only.
+At the final step, I need to install a dns service which would work with ipset
well to launch the system.
+I did some research for this. Unfortunately, Unbound, My favorite dns service
doesn't support ipset yet. So, I decided to implement it by my self and
contribute the patch. It's good for me and the community.
+```
+# unbound.conf
+server:
+ ...
+ local-zone: "facebook.com" ipset
+ local-zone: "twitter.com" ipset
+ local-zone: "instagram.com" ipset
+ more social website
+
+ipset:
+ name-v4: "gfwlist"
+```
+```
+# iptables
+iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT
--to-ports 10800
+iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT
--to-ports 10800
+```
+
+* This patch could work with iptables rules to batch block the IPs.
+```
+# unbound.conf
+server:
+ ...
+ local-zone: "facebook.com" ipset
+ local-zone: "twitter.com" ipset
+ local-zone: "instagram.com" ipset
+ more social website
+
+ipset:
+ name-v4: "blacklist"
+ name-v6: "blacklist6"
+```
+```
+# iptables
+iptables -A INPUT -m set --set blacklist src -j DROP
+ip6tables -A INPUT -m set --set blacklist6 src -j DROP
+```
+
+### Notes:
+* To enable this module the root privileges is required.
+* Please create a set with ipset command first. eg. **ipset -N blacklist
iphash**
+
+### How to use:
+```
+./configure --enable-ipset
+make && make install
+```
+
+### Configuration:
+```
+# unbound.conf
+server:
+ ...
+ local-zone: "example.com" ipset
+
+ipset:
+ name-v4: "blacklist"
+```
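Review bot: the first iptables example will not load as written: `REDIRECT` is a nat-table target and the filter table has no `PREROUTING` chain, so both rules need `-t nat` (`iptables -t nat -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800`). The second example uses `--set`, the deprecated spelling of the `--match-set` used in the first; pick one. The Notes section should say two things more plainly: "root privileges is required" means the resolver keeps full privileges for its whole lifetime instead of dropping them, which is a bigger trade-off than the sentence suggests; and the set contents are whatever addresses the listed zones resolve to, so whoever controls the DNS data for those names decides which IPs land in a `DROP` or `REDIRECT` rule (a blocklist set fed this way can be made to drop traffic from an arbitrary address). Minor: `-N` and `iphash` are the ipset 4.x spellings; ipset 6 documents `ipset create blacklist hash:ip`.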
Index: doc/example.conf.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/example.conf.in,v
retrieving revision 1.24
diff -u -p -r1.24 example.conf.in
--- doc/example.conf.in 28 Jun 2019 15:17:16 -0000 1.24
+++ doc/example.conf.in 30 Aug 2019 13:58:03 -0000
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.9.2.
+# See unbound.conf(5) man page, version 1.9.3.
#
# this is a comment.
@@ -654,6 +654,9 @@ server:
# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
+ # Add example.com into ipset
+ # local-zone: "example.com" ipset
+
# If unbound is running service for the local host then it is useful
# to perform lan-wide lookups to the upstream, and unblock the
# long list of local-zones above. If this unbound is a dns server
@@ -992,3 +995,14 @@ remote-control:
# redis-server-port: 6379
# # timeout (in ms) for communication with the redis server
# redis-timeout: 100
+
+# IPSet
+# Add specify domain into set via ipset.
+# Note: To enable ipset needs run unbound as root user.
+# ipset:
+# # set name for ip v4 addresses
+# name-v4: "list-v4"
+# # set name for ip v6 addresses
+# name-v6: "list-v6"
+#
+
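Review bot: the comment text needs an English pass before it ships in the example config: `Add specify domain into set via ipset` reads better as `Add the addresses of domains marked "local-zone: ... ipset" to the named sets`, and `To enable ipset needs run unbound as root user` as `The ipset module requires unbound to run as root`. That second sentence should also say what it means for the privilege drop and chroot described in the unbound.conf.5 hunk below, since running as root and dropping to an unprivileged user pull in opposite directions and a reader of this file cannot tell which one wins.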
Index: doc/libunbound.3.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/libunbound.3.in,v
retrieving revision 1.22
diff -u -p -r1.22 libunbound.3.in
--- doc/libunbound.3.in 28 Jun 2019 15:17:16 -0000 1.22
+++ doc/libunbound.3.in 30 Aug 2019 13:58:03 -0000
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "libunbound" "3" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.9.2 functions.
+\- Unbound DNS validating resolver 1.9.3 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
Index: doc/unbound-anchor.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-anchor.8.in,v
retrieving revision 1.21
diff -u -p -r1.21 unbound-anchor.8.in
--- doc/unbound-anchor.8.in 28 Jun 2019 15:17:16 -0000 1.21
+++ doc/unbound-anchor.8.in 30 Aug 2019 13:58:04 -0000
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "unbound-anchor" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
Index: doc/unbound-checkconf.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-checkconf.8.in,v
retrieving revision 1.21
diff -u -p -r1.21 unbound-checkconf.8.in
--- doc/unbound-checkconf.8.in 28 Jun 2019 15:17:16 -0000 1.21
+++ doc/unbound-checkconf.8.in 30 Aug 2019 13:58:04 -0000
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "unbound-checkconf" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
Index: doc/unbound-control.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-control.8.in,v
retrieving revision 1.23
diff -u -p -r1.23 unbound-control.8.in
--- doc/unbound-control.8.in 28 Jun 2019 15:17:16 -0000 1.23
+++ doc/unbound-control.8.in 30 Aug 2019 13:58:04 -0000
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "unbound-control" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
Index: doc/unbound-host.1.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound-host.1.in,v
retrieving revision 1.23
diff -u -p -r1.23 unbound-host.1.in
--- doc/unbound-host.1.in 28 Jun 2019 15:17:16 -0000 1.23
+++ doc/unbound-host.1.in 30 Aug 2019 13:58:04 -0000
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "unbound\-host" "1" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
Index: doc/unbound.8.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.8.in,v
retrieving revision 1.24
diff -u -p -r1.24 unbound.8.in
--- doc/unbound.8.in 28 Jun 2019 15:17:16 -0000 1.24
+++ doc/unbound.8.in 30 Aug 2019 13:58:04 -0000
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "unbound" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.9.2.
+\- Unbound DNS validating resolver 1.9.3.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
@@ -54,7 +54,7 @@ resolvers are using the same port number
The available options are:
.TP
.B \-h
-Show the version and commandline option help.
+Show the version number and commandline option help, and exit.
.TP
.B \-c\fI cfgfile
Set the config file with settings for unbound to read instead of reading the
@@ -76,6 +76,9 @@ concurrently.
.B \-v
Increase verbosity. If given multiple times, more information is logged.
This is in addition to the verbosity (if any) from the config file.
+.TP
+.B \-V
+Show the version number and build options, and exit.
.SH "SEE ALSO"
\fIunbound.conf\fR(5),
\fIunbound\-checkconf\fR(8),
Index: doc/unbound.conf.5.in
===================================================================
RCS file: /cvs/src/usr.sbin/unbound/doc/unbound.conf.5.in,v
retrieving revision 1.27
diff -u -p -r1.27 unbound.conf.5.in
--- doc/unbound.conf.5.in 28 Jun 2019 15:17:16 -0000 1.27
+++ doc/unbound.conf.5.in 30 Aug 2019 13:58:04 -0000
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2"
+.TH "unbound.conf" "5" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -593,7 +593,9 @@ In the last case the path is adjusted to
The pidfile can be either a relative path to the working directory, or
an absolute path relative to the original root. It is written just prior
to chroot and dropping permissions. This allows the pidfile to be
-/var/run/unbound.pid and the chroot to be /var/unbound, for example.
+/var/run/unbound.pid and the chroot to be /var/unbound, for example. Note that
+Unbound is not able to remove the pidfile after termination when it is located
+outside of the chroot directory.
.IP
Additionally, unbound may need to access /dev/random (for entropy)
from inside the chroot.
@@ -1723,7 +1725,8 @@ clause gives the settings for the \fIpyt
acts like the iterator and validator modules do, on queries and answers.
To enable the script module it has to be compiled into the daemon,
and the word "python" has to be put in the \fBmodule\-config:\fR option
-(usually first, or between the validator and iterator).
+(usually first, or between the validator and iterator). Multiple instances of
+the python module are supported by adding the word "python" more than once.
.LP
If the \fBchroot:\fR option is enabled, you should make sure Python's
library directory structure is bind mounted in the new root environment, see
@@ -1732,7 +1735,8 @@ absolute path relative to the new root,
directory.
.TP
.B python\-script: \fI<python file>\fR
-The script file to load.
+The script file to load. Repeat this option for every python module instance
+added to the \fBmodule\-config:\fR option.
.SS "DNS64 Module Options"
.LP
The dns64 module must be configured in the \fBmodule\-config:\fR "dns64