diff options
| author |   sthen <sthen@openbsd.org> | 2019-09-11 14:13:27 +0000 |
|---|---|---|
| committer | sthen <sthen@openbsd.org> | 2019-09-11 14:13:27 +0000 |
| commit | 8240c1b9bc693c75af22f55f7dde8c82fcc364d1 (patch) | |
| tree | 64394e5228f8ef29a4a83e025d487d53a5412d97 | |
| parent | import unbound 1.9.3, thanks gonzalo@ dtucker@ for tests. (diff) | |
| download | wireguard-openbsd-8240c1b9bc693c75af22f55f7dde8c82fcc364d1.tar.xz wireguard-openbsd-8240c1b9bc693c75af22f55f7dde8c82fcc364d1.zip | |
merge unbound 1.9.3
40 files changed, 983 insertions, 380 deletions
diff --git a/usr.sbin/unbound/Makefile.in b/usr.sbin/unbound/Makefile.in index 017a330f05c..8768a8ae668 100644 --- a/usr.sbin/unbound/Makefile.in +++ b/usr.sbin/unbound/Makefile.in @@ -126,7 +126,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \ edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \ edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \ cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \ -$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC) +$(DNSTAP_SRC) $(DNSCRYPT_SRC) $(IPSECMOD_SRC) $(IPSET_SRC) COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ @@ -139,7 +139,7 @@ autotrust.lo val_anchor.lo \ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ -$(IPSECMOD_OBJ) respip.lo +$(IPSECMOD_OBJ) $(IPSET_OBJ) respip.lo COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo @@ -229,6 +229,8 @@ DELAYER_SRC=testcode/delayer.c DELAYER_OBJ=delayer.lo DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \ $(SLDNS_OBJ) +IPSET_SRC=@IPSET_SRC@ +IPSET_OBJ=@IPSET_OBJ@ LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \ libunbound/libworker.c LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo @@ -256,8 +258,9 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \ $(MEMSTATS_SRC) $(CHECKCONF_SRC) $(LIBUNBOUND_SRC) $(HOST_SRC) \ $(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \ $(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) \ - $(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC)\ + $(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \ $(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) + ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \ $(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \ $(MEMSTATS_OBJ) $(CHECKCONF_OBJ) $(LIBUNBOUND_OBJ) $(HOST_OBJ) \ @@ -636,17 +639,19 @@ depend: # Dependencies dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ - $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/val_nsec.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \ @@ -776,7 +781,10 @@ modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/service $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ $(srcdir)/respip/respip.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h + $(srcdir)/services/view.h $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/ipset/ipset.h view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ @@ -812,7 +820,8 @@ config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/ut $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/util/iana_ports.inc configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \ $(srcdir)/util/config_file.h util/configparser.h configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \ @@ -845,26 +854,22 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec3.h \ - $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \ - $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \ - $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h \ - $(PYTHONMOD_HEADER) $(srcdir)/ipsecmod/ipsecmod.h + $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/services/outside_network.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/services/authzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \ + $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h $(PYTHONMOD_HEADER) \ + $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \ + $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h -mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h +mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h @@ -927,14 +932,16 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u $(srcdir)/services/modstack.h $(srcdir)/util/ub_event.h ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/util/tube.h \ + ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \ $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/services/modstack.h \ + winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ @@ -1026,13 +1033,27 @@ dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(src $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/data/dname.h \ $(srcdir)/sldns/str2wire.h -edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h -subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h +edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h +subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/edns-subnet/subnet-whitelist.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/edns-subnet/addrtree.h -subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h +subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ @@ -1066,6 +1087,11 @@ ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelis $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/rbtree.h \ $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h +ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h @@ -1114,7 +1140,12 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h -unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h +unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/storage/slabhash.h $(srcdir)/edns-subnet/edns-subnet.h unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ @@ -1186,7 +1217,8 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rtt.h $(srcdir)/services/authzone.h $(srcdir)/validator/val_kcache.h \ - $(srcdir)/validator/val_neg.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h \ unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \ $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ @@ -1281,7 +1313,8 @@ stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(s $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rtt.h $(srcdir)/services/authzone.h $(srcdir)/validator/val_kcache.h \ - $(srcdir)/validator/val_neg.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h \ replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ @@ -1324,7 +1357,8 @@ unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \ $(srcdir)/services/view.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \ - $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER) + $(srcdir)/respip/respip.h $(srcdir)/sldns/sbuffer.h $(PYTHONMOD_HEADER) \ + $(srcdir)/edns-subnet/subnet-whitelist.h worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ diff --git a/usr.sbin/unbound/config.h.in b/usr.sbin/unbound/config.h.in index e2d3116cccf..1bfe4426d1d 100644 --- a/usr.sbin/unbound/config.h.in +++ b/usr.sbin/unbound/config.h.in @@ -15,6 +15,9 @@ /* Do sha512 definitions in config.h */ #undef COMPAT_SHA512 +/* Command line arguments used with configure */ +#undef CONFCMDLINE + /* Pathname to the Unbound configuration file */ #undef CONFIGFILE @@ -775,6 +778,9 @@ /* Define to 1 to use ipsecmod support. */ #undef USE_IPSECMOD +/* Define to 1 to use ipset support */ +#undef USE_IPSET + /* Define if you want to use internal select based events */ #undef USE_MINI_EVENT diff --git a/usr.sbin/unbound/configure b/usr.sbin/unbound/configure index 4dd464a241a..dfcc5043c63 100644 --- a/usr.sbin/unbound/configure +++ b/usr.sbin/unbound/configure @@ -1,8 +1,8 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.9.2. +# Generated by GNU Autoconf 2.69 for unbound 1.9.3. # -# Report bugs to <unbound-bugs@nlnetlabs.nl>. +# Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>. # # # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. @@ -275,10 +275,11 @@ fi $as_echo "$0: be upgraded to zsh 4.3.4 or later." else $as_echo "$0: Please tell bug-autoconf@gnu.org and -$0: unbound-bugs@nlnetlabs.nl about your system, including -$0: any error possibly output before this message. Then -$0: install a modern shell, or manually run the script -$0: under such a shell if you do have one." +$0: unbound-bugs@nlnetlabs.nl or +$0: https://github.com/NLnetLabs/unbound/issues about your +$0: system, including any error possibly output before this +$0: message. Then install a modern shell, or manually run +$0: the script under such a shell if you do have one." fi exit 1 fi @@ -590,9 +591,9 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.9.2' -PACKAGE_STRING='unbound 1.9.2' -PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl' +PACKAGE_VERSION='1.9.3' +PACKAGE_STRING='unbound 1.9.3' +PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' # Factoring default headers for most tests. @@ -638,6 +639,8 @@ INSTALLTARGET ALLTARGET SOURCEFILE SOURCEDETERMINE +IPSET_OBJ +IPSET_SRC IPSECMOD_HEADER IPSECMOD_OBJ DNSCRYPT_OBJ @@ -664,12 +667,6 @@ WIN_DAEMON_SRC WINAPPS WINDRES CHECKLOCK_OBJ -USE_SYSTEMD_FALSE -USE_SYSTEMD_TRUE -SYSTEMD_DAEMON_LIBS -SYSTEMD_DAEMON_CFLAGS -SYSTEMD_LIBS -SYSTEMD_CFLAGS staticexe PC_LIBEVENT_DEPENDENCY UNBOUND_EVENT_UNINSTALL @@ -705,6 +702,12 @@ PTHREAD_CFLAGS PTHREAD_LIBS PTHREAD_CC ax_pthread_config +USE_SYSTEMD_FALSE +USE_SYSTEMD_TRUE +SYSTEMD_DAEMON_LIBS +SYSTEMD_DAEMON_CFLAGS +SYSTEMD_LIBS +SYSTEMD_CFLAGS RUNTIME_PATH LIBOBJS PKG_CONFIG_LIBDIR @@ -841,6 +844,7 @@ with_sysroot enable_libtool_lock enable_rpath enable_largefile +enable_systemd enable_alloc_checks enable_alloc_lite enable_alloc_nonregional @@ -867,7 +871,6 @@ with_libevent with_libexpat with_libhiredis enable_static_exe -enable_systemd enable_lock_checks enable_allsymbols enable_dnstap @@ -878,6 +881,8 @@ enable_dnscrypt with_libsodium enable_cachedb enable_ipsecmod +enable_ipset +with_libmnl with_libunbound_only ' ac_precious_vars='build_alias @@ -895,11 +900,11 @@ LT_SYS_LIBRARY_PATH PKG_CONFIG PKG_CONFIG_PATH PKG_CONFIG_LIBDIR -PYTHON_VERSION SYSTEMD_CFLAGS SYSTEMD_LIBS SYSTEMD_DAEMON_CFLAGS -SYSTEMD_DAEMON_LIBS' +SYSTEMD_DAEMON_LIBS +PYTHON_VERSION' # Initialize some variables set by options. @@ -1440,7 +1445,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.9.2 to adapt to many kinds of systems. +\`configure' configures unbound 1.9.3 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1505,7 +1510,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.9.2:";; + short | recursive ) echo "Configuration of unbound 1.9.3:";; esac cat <<\_ACEOF @@ -1527,6 +1532,7 @@ Optional Features: --disable-libtool-lock avoid locking (might break parallel builds) --disable-rpath disable hardcoded rpath (default=enabled) --disable-largefile omit support for large files + --enable-systemd compile with systemd support --enable-alloc-checks enable to memory allocation statistics, for debug purposes --enable-alloc-lite enable for lightweight alloc assertions, for debug @@ -1553,7 +1559,6 @@ Optional Features: --enable-tfo-server Enable TCP Fast Open for server mode --enable-static-exe enable to compile executables statically against (event) libs, for debug purposes - --enable-systemd compile with systemd support --enable-lock-checks enable to check lock and unlock calls, for debug purposes --enable-allsymbols export all symbols from libunbound and link binaries @@ -1565,6 +1570,7 @@ Optional Features: storage --enable-ipsecmod Enable ipsecmod module that facilitates opportunistic IPsec + --enable-ipset enable ipset module Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] @@ -1619,6 +1625,7 @@ Optional Packages: --with-protobuf-c=path Path where protobuf-c is installed, for dnstap --with-libfstrm=path Path where libfstrm is installed, for dnstap --with-libsodium=path Path where libsodium is installed, for dnscrypt + --with-libmnl=path specify explicit path for libmnl. --with-libunbound-only do not build daemon and tool programs Some influential environment variables: @@ -1643,10 +1650,6 @@ Some influential environment variables: directories to add to pkg-config's search path PKG_CONFIG_LIBDIR path overriding pkg-config's built-in search path - PYTHON_VERSION - The installed Python version to use, for example '2.3'. This - string will be appended to the Python interpreter canonical - name. SYSTEMD_CFLAGS C compiler flags for SYSTEMD, overriding pkg-config SYSTEMD_LIBS @@ -1655,11 +1658,15 @@ Some influential environment variables: C compiler flags for SYSTEMD_DAEMON, overriding pkg-config SYSTEMD_DAEMON_LIBS linker flags for SYSTEMD_DAEMON, overriding pkg-config + PYTHON_VERSION + The installed Python version to use, for example '2.3'. This + string will be appended to the Python interpreter canonical + name. Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. -Report bugs to <unbound-bugs@nlnetlabs.nl>. +Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>. _ACEOF ac_status=$? fi @@ -1722,7 +1729,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.9.2 +unbound configure 1.9.3 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1881,9 +1888,9 @@ $as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 $as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -( $as_echo "## ---------------------------------------- ## -## Report this to unbound-bugs@nlnetlabs.nl ## -## ---------------------------------------- ##" +( $as_echo "## --------------------------------------------------------------------------------------- ## +## Report this to unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues ## +## --------------------------------------------------------------------------------------- ##" ) | sed "s/^/$as_me: WARNING: /" >&2 ;; esac @@ -2431,7 +2438,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.9.2, which was +It was created by unbound $as_me 1.9.3, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2783,11 +2790,11 @@ UNBOUND_VERSION_MAJOR=1 UNBOUND_VERSION_MINOR=9 -UNBOUND_VERSION_MICRO=2 +UNBOUND_VERSION_MICRO=3 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=2 +LIBUNBOUND_REVISION=3 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2857,6 +2864,7 @@ LIBUNBOUND_AGE=1 # 1.9.0 had 9:0:1 # add ub_ctx_set_tls # 1.9.1 had 9:1:1 # 1.9.2 had 9:2:1 +# 1.9.3 had 9:3:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -2880,6 +2888,14 @@ LIBUNBOUND_AGE=1 + +cmdln="`echo $@ | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/"/\\\\"/'g`" + +cat >>confdefs.h <<_ACEOF +#define CONFCMDLINE "$cmdln" +_ACEOF + + CFLAGS="$CFLAGS" ac_ext=c ac_cpp='$CPP $CPPFLAGS' @@ -16103,6 +16119,197 @@ $as_echo "#define REUSEPORT_DEFAULT 0" >>confdefs.h fi +# Include systemd.m4 - begin +# macros for configuring systemd +# Copyright 2015, Sami Kerola, CloudFlare. +# BSD licensed. +# Check whether --enable-systemd was given. +if test "${enable_systemd+set}" = set; then : + enableval=$enable_systemd; +else + enable_systemd=no +fi + +have_systemd=no +if test "x$enable_systemd" != xno; then : + + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD" >&5 +$as_echo_n "checking for SYSTEMD... " >&6; } + +if test -n "$SYSTEMD_CFLAGS"; then + pkg_cv_SYSTEMD_CFLAGS="$SYSTEMD_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_CFLAGS=`$PKG_CONFIG --cflags "libsystemd" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$SYSTEMD_LIBS"; then + pkg_cv_SYSTEMD_LIBS="$SYSTEMD_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_LIBS=`$PKG_CONFIG --libs "libsystemd" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd" 2>&1` + else + SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$SYSTEMD_PKG_ERRORS" >&5 + + have_systemd=no +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + have_systemd=no +else + SYSTEMD_CFLAGS=$pkg_cv_SYSTEMD_CFLAGS + SYSTEMD_LIBS=$pkg_cv_SYSTEMD_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + have_systemd=yes +fi + if test "x$have_systemd" != "xyes"; then : + + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5 +$as_echo_n "checking for SYSTEMD_DAEMON... " >&6; } + +if test -n "$SYSTEMD_DAEMON_CFLAGS"; then + pkg_cv_SYSTEMD_DAEMON_CFLAGS="$SYSTEMD_DAEMON_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_DAEMON_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$SYSTEMD_DAEMON_LIBS"; then + pkg_cv_SYSTEMD_DAEMON_LIBS="$SYSTEMD_DAEMON_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_SYSTEMD_DAEMON_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1` + else + SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$SYSTEMD_DAEMON_PKG_ERRORS" >&5 + + have_systemd_daemon=no +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + have_systemd_daemon=no +else + SYSTEMD_DAEMON_CFLAGS=$pkg_cv_SYSTEMD_DAEMON_CFLAGS + SYSTEMD_DAEMON_LIBS=$pkg_cv_SYSTEMD_DAEMON_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + have_systemd_daemon=yes +fi + if test "x$have_systemd_daemon" = "xyes"; then : + have_systemd=yes +fi + +fi + case $enable_systemd:$have_systemd in #( + yes:no) : + as_fn_error $? "systemd enabled but libsystemd not found" "$LINENO" 5 ;; #( + *:yes) : + +$as_echo "#define HAVE_SYSTEMD 1" >>confdefs.h + + LIBS="$LIBS $SYSTEMD_LIBS" + + ;; #( + *) : + ;; +esac + + +fi + if test "x$have_systemd" = xyes; then + USE_SYSTEMD_TRUE= + USE_SYSTEMD_FALSE='#' +else + USE_SYSTEMD_TRUE='#' + USE_SYSTEMD_FALSE= +fi + + +# Include systemd.m4 - end + # set memory allocation checking if requested # Check whether --enable-alloc-checks was given. if test "${enable_alloc_checks+set}" = set; then : @@ -19194,197 +19401,6 @@ if test x_$enable_static_exe = x_yes; then fi fi -# Include systemd.m4 - begin -# macros for configuring systemd -# Copyright 2015, Sami Kerola, CloudFlare. -# BSD licensed. -# Check whether --enable-systemd was given. -if test "${enable_systemd+set}" = set; then : - enableval=$enable_systemd; -else - enable_systemd=no -fi - -have_systemd=no -if test "x$enable_systemd" != xno; then : - - - -pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD" >&5 -$as_echo_n "checking for SYSTEMD... " >&6; } - -if test -n "$SYSTEMD_CFLAGS"; then - pkg_cv_SYSTEMD_CFLAGS="$SYSTEMD_CFLAGS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_SYSTEMD_CFLAGS=`$PKG_CONFIG --cflags "libsystemd" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi -if test -n "$SYSTEMD_LIBS"; then - pkg_cv_SYSTEMD_LIBS="$SYSTEMD_LIBS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libsystemd") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_SYSTEMD_LIBS=`$PKG_CONFIG --libs "libsystemd" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi - - - -if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - -if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then - _pkg_short_errors_supported=yes -else - _pkg_short_errors_supported=no -fi - if test $_pkg_short_errors_supported = yes; then - SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd" 2>&1` - else - SYSTEMD_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd" 2>&1` - fi - # Put the nasty error message in config.log where it belongs - echo "$SYSTEMD_PKG_ERRORS" >&5 - - have_systemd=no -elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - have_systemd=no -else - SYSTEMD_CFLAGS=$pkg_cv_SYSTEMD_CFLAGS - SYSTEMD_LIBS=$pkg_cv_SYSTEMD_LIBS - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_systemd=yes -fi - if test "x$have_systemd" != "xyes"; then : - - -pkg_failed=no -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SYSTEMD_DAEMON" >&5 -$as_echo_n "checking for SYSTEMD_DAEMON... " >&6; } - -if test -n "$SYSTEMD_DAEMON_CFLAGS"; then - pkg_cv_SYSTEMD_DAEMON_CFLAGS="$SYSTEMD_DAEMON_CFLAGS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_SYSTEMD_DAEMON_CFLAGS=`$PKG_CONFIG --cflags "libsystemd-daemon" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi -if test -n "$SYSTEMD_DAEMON_LIBS"; then - pkg_cv_SYSTEMD_DAEMON_LIBS="$SYSTEMD_DAEMON_LIBS" - elif test -n "$PKG_CONFIG"; then - if test -n "$PKG_CONFIG" && \ - { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsystemd-daemon\""; } >&5 - ($PKG_CONFIG --exists --print-errors "libsystemd-daemon") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then - pkg_cv_SYSTEMD_DAEMON_LIBS=`$PKG_CONFIG --libs "libsystemd-daemon" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes -else - pkg_failed=yes -fi - else - pkg_failed=untried -fi - - - -if test $pkg_failed = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - -if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then - _pkg_short_errors_supported=yes -else - _pkg_short_errors_supported=no -fi - if test $_pkg_short_errors_supported = yes; then - SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "libsystemd-daemon" 2>&1` - else - SYSTEMD_DAEMON_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "libsystemd-daemon" 2>&1` - fi - # Put the nasty error message in config.log where it belongs - echo "$SYSTEMD_DAEMON_PKG_ERRORS" >&5 - - have_systemd_daemon=no -elif test $pkg_failed = untried; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - have_systemd_daemon=no -else - SYSTEMD_DAEMON_CFLAGS=$pkg_cv_SYSTEMD_DAEMON_CFLAGS - SYSTEMD_DAEMON_LIBS=$pkg_cv_SYSTEMD_DAEMON_LIBS - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - have_systemd_daemon=yes -fi - if test "x$have_systemd_daemon" = "xyes"; then : - have_systemd=yes -fi - -fi - case $enable_systemd:$have_systemd in #( - yes:no) : - as_fn_error $? "systemd enabled but libsystemd not found" "$LINENO" 5 ;; #( - *:yes) : - -$as_echo "#define HAVE_SYSTEMD 1" >>confdefs.h - - LIBS="$LIBS $SYSTEMD_LIBS" - - ;; #( - *) : - ;; -esac - - -fi - if test "x$have_systemd" = xyes; then - USE_SYSTEMD_TRUE= - USE_SYSTEMD_FALSE='#' -else - USE_SYSTEMD_TRUE='#' - USE_SYSTEMD_FALSE= -fi - - -# Include systemd.m4 - end - # set lock checking if requested # Check whether --enable-lock_checks was given. if test "${enable_lock_checks+set}" = set; then : @@ -21049,6 +21065,59 @@ $as_echo "#define USE_IPSECMOD 1" >>confdefs.h ;; esac +# check for ipset if requested +# Check whether --enable-ipset was given. +if test "${enable_ipset+set}" = set; then : + enableval=$enable_ipset; +fi + +case "$enable_ipset" in + yes) + +$as_echo "#define USE_IPSET 1" >>confdefs.h + + IPSET_SRC="ipset/ipset.c" + + IPSET_OBJ="ipset.lo" + + + # mnl + +# Check whether --with-libmnl was given. +if test "${with_libmnl+set}" = set; then : + withval=$with_libmnl; +else + withval="yes" +fi + + found_libmnl="no" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5 +$as_echo_n "checking for libmnl... " >&6; } + if test x_$withval = x_ -o x_$withval = x_yes; then + withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" + fi + for dir in $withval ; do + if test -f "$dir/include/libmnl/libmnl.h"; then + found_libmnl="yes" + if test "$dir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$dir/include" + LDFLAGS="$LDFLAGS -L$dir/lib" + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $dir" >&5 +$as_echo "found in $dir" >&6; } + LIBS="$LIBS -lmnl" + break; + fi + done + if test x_$found_libmnl != x_yes; then + as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5 + fi + ;; + no|*) + # nothing + ;; +esac + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; } # on openBSD, the implicit rule make $< work. @@ -21204,7 +21273,7 @@ _ACEOF -version=1.9.2 +version=1.9.3 date=`date +'%b %e, %Y'` @@ -21723,7 +21792,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.9.2, which was +This file was extended by unbound $as_me 1.9.3, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -21783,13 +21852,13 @@ $config_headers Configuration commands: $config_commands -Report bugs to <unbound-bugs@nlnetlabs.nl>." +Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.9.2 +unbound config.status 1.9.3 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/usr.sbin/unbound/configure.ac b/usr.sbin/unbound/configure.ac index 0ee53a3a566..7c67f8ed739 100644 --- a/usr.sbin/unbound/configure.ac +++ b/usr.sbin/unbound/configure.ac @@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) m4_define([VERSION_MINOR],[9]) -m4_define([VERSION_MICRO],[2]) -AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound) +m4_define([VERSION_MICRO],[3]) +AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues, unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=2 +LIBUNBOUND_REVISION=3 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -88,6 +88,7 @@ LIBUNBOUND_AGE=1 # 1.9.0 had 9:0:1 # add ub_ctx_set_tls # 1.9.1 had 9:1:1 # 1.9.2 had 9:2:1 +# 1.9.3 had 9:3:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -111,6 +112,10 @@ AC_SUBST(LIBUNBOUND_CURRENT) AC_SUBST(LIBUNBOUND_REVISION) AC_SUBST(LIBUNBOUND_AGE) + +cmdln="`echo $@ | sed -e 's/\\\\/\\\\\\\\/g' | sed -e 's/"/\\\\"/'g`" +AC_DEFINE_UNQUOTED(CONFCMDLINE, ["$cmdln"], [Command line arguments used with configure]) + CFLAGS="$CFLAGS" AC_AIX if test "$ac_cv_header_minix_config_h" = "yes"; then @@ -475,6 +480,10 @@ else AC_DEFINE(REUSEPORT_DEFAULT, 0, [if REUSEPORT is enabled by default]) fi +# Include systemd.m4 - begin +sinclude(systemd.m4) +# Include systemd.m4 - end + # set memory allocation checking if requested AC_ARG_ENABLE(alloc-checks, AC_HELP_STRING([--enable-alloc-checks], [ enable to memory allocation statistics, for debug purposes ]), @@ -1296,10 +1305,6 @@ if test x_$enable_static_exe = x_yes; then fi fi -# Include systemd.m4 - begin -sinclude(systemd.m4) -# Include systemd.m4 - end - # set lock checking if requested AC_ARG_ENABLE(lock_checks, AC_HELP_STRING([--enable-lock-checks], [ enable to check lock and unlock calls, for debug purposes ]), @@ -1603,6 +1608,47 @@ case "$enable_ipsecmod" in ;; esac +# check for ipset if requested +AC_ARG_ENABLE(ipset, AC_HELP_STRING([--enable-ipset], [enable ipset module])) +case "$enable_ipset" in + yes) + AC_DEFINE([USE_IPSET], [1], [Define to 1 to use ipset support]) + IPSET_SRC="ipset/ipset.c" + AC_SUBST(IPSET_SRC) + IPSET_OBJ="ipset.lo" + AC_SUBST(IPSET_OBJ) + + # mnl + AC_ARG_WITH(libmnl, AC_HELP_STRING([--with-libmnl=path], + [specify explicit path for libmnl.]), + [ ],[ withval="yes" ]) + found_libmnl="no" + AC_MSG_CHECKING(for libmnl) + if test x_$withval = x_ -o x_$withval = x_yes; then + withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" + fi + for dir in $withval ; do + if test -f "$dir/include/libmnl/libmnl.h"; then + found_libmnl="yes" + dnl assume /usr is in default path. + if test "$dir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$dir/include" + LDFLAGS="$LDFLAGS -L$dir/lib" + fi + AC_MSG_RESULT(found in $dir) + LIBS="$LIBS -lmnl" + break; + fi + done + if test x_$found_libmnl != x_yes; then + AC_ERROR([Could not find libmnl, libmnl.h]) + fi + ;; + no|*) + # nothing + ;; +esac + AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. # on Solaris, it does not work ($? is changed sources, $^ lists dependencies). diff --git a/usr.sbin/unbound/daemon/daemon.c b/usr.sbin/unbound/daemon/daemon.c index 7461a26e210..96cc443ea3b 100644 --- a/usr.sbin/unbound/daemon/daemon.c +++ b/usr.sbin/unbound/daemon/daemon.c @@ -575,6 +575,9 @@ void daemon_fork(struct daemon* daemon) { int have_view_respip_cfg = 0; +#ifdef HAVE_SYSTEMD + int ret; +#endif log_assert(daemon); if(!(daemon->views = views_create())) @@ -660,7 +663,12 @@ daemon_fork(struct daemon* daemon) /* Start resolver service on main thread. */ #ifdef HAVE_SYSTEMD - sd_notify(0, "READY=1"); + ret = sd_notify(0, "READY=1"); + if(ret <= 0 && getenv("NOTIFY_SOCKET")) + fatal_exit("sd_notify failed %s: %s. Make sure that unbound has " + "access/permission to use the socket presented by systemd.", + getenv("NOTIFY_SOCKET"), + (ret==0?"no $NOTIFY_SOCKET": strerror(-ret))); #endif log_info("start of service (%s).", PACKAGE_STRING); worker_work(daemon->workers[0]); diff --git a/usr.sbin/unbound/daemon/stats.c b/usr.sbin/unbound/daemon/stats.c index 504b0efccc4..a01fb6d342c 100644 --- a/usr.sbin/unbound/daemon/stats.c +++ b/usr.sbin/unbound/daemon/stats.c @@ -77,7 +77,7 @@ stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long l #ifndef S_SPLINT_S (*d_sec) += add_sec; (*d_usec) += add_usec; - if((*d_usec) > 1000000) { + if((*d_usec) >= 1000000) { (*d_usec) -= 1000000; (*d_sec)++; } diff --git a/usr.sbin/unbound/daemon/unbound.c b/usr.sbin/unbound/daemon/unbound.c index 6cc8225f5d1..f696b19d39e 100644 --- a/usr.sbin/unbound/daemon/unbound.c +++ b/usr.sbin/unbound/daemon/unbound.c @@ -88,31 +88,20 @@ # include "nss.h" #endif -/** print usage. */ -static void usage(void) +/** print build options. */ +static void +print_build_options(void) { const char** m; const char *evnm="event", *evsys="", *evmethod=""; time_t t; struct timeval now; struct ub_event_base* base; - printf("usage: unbound [options]\n"); - printf(" start unbound daemon DNS resolver.\n"); - printf("-h this help\n"); - printf("-c file config file to read instead of %s\n", CONFIGFILE); - printf(" file format is described in unbound.conf(5).\n"); - printf("-d do not fork into the background.\n"); - printf("-p do not create a pidfile.\n"); - printf("-v verbose (more times to increase verbosity)\n"); -#ifdef UB_ON_WINDOWS - printf("-w opt windows option: \n"); - printf(" install, remove - manage the services entry\n"); - printf(" service - used to start from services control panel\n"); -#endif - printf("Version %s\n", PACKAGE_VERSION); + printf("Version %s\n\n", PACKAGE_VERSION); + printf("Configure line: %s\n", CONFCMDLINE); base = ub_default_event_base(0,&t,&now); ub_get_event_sys(base, &evnm, &evsys, &evmethod); - printf("linked libs: %s %s (it uses %s), %s\n", + printf("Linked libs: %s %s (it uses %s), %s\n", evnm, evsys, evmethod, #ifdef HAVE_SSL # ifdef SSLEAY_VERSION @@ -126,16 +115,42 @@ static void usage(void) "nettle" #endif ); - printf("linked modules:"); + printf("Linked modules:"); for(m = module_list_avail(); *m; m++) printf(" %s", *m); printf("\n"); #ifdef USE_DNSCRYPT printf("DNSCrypt feature available\n"); #endif +#ifdef USE_TCP_FASTOPEN + printf("TCP Fastopen feature available\n"); +#endif + ub_event_base_free(base); + printf("\nBSD licensed, see LICENSE in source package for details.\n"); + printf("Report bugs to %s\n", PACKAGE_BUGREPORT); +} + +/** print usage. */ +static void +usage(void) +{ + printf("usage: unbound [options]\n"); + printf(" start unbound daemon DNS resolver.\n"); + printf("-h this help.\n"); + printf("-c file config file to read instead of %s\n", CONFIGFILE); + printf(" file format is described in unbound.conf(5).\n"); + printf("-d do not fork into the background.\n"); + printf("-p do not create a pidfile.\n"); + printf("-v verbose (more times to increase verbosity).\n"); + printf("-V show version number and build options.\n"); +#ifdef UB_ON_WINDOWS + printf("-w opt windows option: \n"); + printf(" install, remove - manage the services entry\n"); + printf(" service - used to start from services control panel\n"); +#endif + printf("\nVersion %s\n", PACKAGE_VERSION); printf("BSD licensed, see LICENSE in source package for details.\n"); printf("Report bugs to %s\n", PACKAGE_BUGREPORT); - ub_event_base_free(base); } #ifndef unbound_testbound @@ -720,7 +735,7 @@ main(int argc, char* argv[]) log_ident_default = strrchr(argv[0],'/')?strrchr(argv[0],'/')+1:argv[0]; log_ident_set(log_ident_default); /* parse the options */ - while( (c=getopt(argc, argv, "c:dhpvw:")) != -1) { + while( (c=getopt(argc, argv, "c:dhpvw:V")) != -1) { switch(c) { case 'c': cfgfile = optarg; @@ -741,6 +756,9 @@ main(int argc, char* argv[]) case 'w': winopt = optarg; break; + case 'V': + print_build_options(); + return 0; case '?': case 'h': default: diff --git a/usr.sbin/unbound/daemon/worker.c b/usr.sbin/unbound/daemon/worker.c index 661f6967d41..263fcddfe9b 100644 --- a/usr.sbin/unbound/daemon/worker.c +++ b/usr.sbin/unbound/daemon/worker.c @@ -721,8 +721,6 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo, if(encode_rep != rep) secure = 0; /* if rewritten, it can't be considered "secure" */ if(!encode_rep || *alias_rrset) { - sldns_buffer_clear(repinfo->c->buffer); - sldns_buffer_flip(repinfo->c->buffer); if(!encode_rep) *need_drop = 1; else { @@ -762,17 +760,14 @@ bail_out: return 0; } -/** Reply to client and perform prefetch to keep cache up to date. - * If the buffer for the reply is empty, it indicates that only prefetch is - * necessary and the reply should be suppressed (because it's dropped or - * being deferred). */ +/** Reply to client and perform prefetch to keep cache up to date. */ static void reply_and_prefetch(struct worker* worker, struct query_info* qinfo, - uint16_t flags, struct comm_reply* repinfo, time_t leeway) + uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply) { /* first send answer to client to keep its latency * as small as a cachereply */ - if(sldns_buffer_limit(repinfo->c->buffer) != 0) { + if(!noreply) { if(repinfo->c->tcp_req_info) { sldns_buffer_copy( repinfo->c->tcp_req_info->spool_buffer, @@ -1100,7 +1095,7 @@ worker_handle_request(struct comm_point* c, void* arg, int error, struct respip_client_info* cinfo = NULL, cinfo_tmp; memset(&qinfo, 0, sizeof(qinfo)); - if(error != NETEVENT_NOERROR) { + if(error != NETEVENT_NOERROR || !repinfo) { /* some bad tcp query DNS formats give these error calls */ verbose(VERB_ALGO, "handle request called with err=%d", error); return 0; @@ -1484,7 +1479,8 @@ lookup_cache: lock_rw_unlock(&e->lock); reply_and_prefetch(worker, lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2), - repinfo, leeway); + repinfo, leeway, + (partial_rep || need_drop)); if(!partial_rep) { rc = 0; regional_free_all(worker->scratchpad); diff --git a/usr.sbin/unbound/doc/Changelog b/usr.sbin/unbound/doc/Changelog index 420f6ab7c18..e4bb719233f 100644 --- a/usr.sbin/unbound/doc/Changelog +++ b/usr.sbin/unbound/doc/Changelog @@ -1,6 +1,117 @@ +22 August 2019: Wouter + - Fix that pkg-config is setup before --enable-systemd needs it. + - 1.9.3rc2 release candidate tag. + +21 August 2019: Wouter + - Fix log_dns_msg to log irrespective of minimal responses config. + +19 August 2019: Ralph + - Document limitation of pidfile removal outside of chroot directory. + +16 August 2019: Wouter + - Fix unittest valgrind false positive uninitialised value report, + where if gcc 9.1.1 uses -O2 (but not -O1) then valgrind 3.15.0 + issues an uninitialised value for the token buffer at the str2wire.c + rrinternal_get_owner() strcmp with the '@' value. Rewritten to use + straight character comparisons removes the false positive. Also + valgrinds --expensive-definedness-checks=yes can stop this false + positive. + - Please doxygen's parser for "@" occurrence in doxygen comment. + - Fixup contrib/fastrpz.patch + - Remove warning about unknown cast-function-type warning pragma. + +15 August 2019: Wouter + - iana portlist updated. + - Fix autotrust temp file uniqueness windows compile. + - avoid warning about upcast on 32bit systems for autotrust. + - escape commandline contents for -V. + - Fix character buffer size in ub_ctx_hosts. + - 1.9.3rc1 release candidate tag. + - Option -V prints if TCP fastopen is available. + +14 August 2019: George + - Fix #59, when compiled with systemd support check that we can properly + communicate with systemd through the `NOTIFY_SOCKET`. + +14 August 2019: Wouter + - Generate configlexer with newer flex. + - Fix warning for unused variable for compilation without systemd. + +12 August 2019: George + - Introduce `-V` option to print the version number and build options. + Previously reported build options like linked libs and linked modules + are now moved from `-h` to `-V` as well for consistency. + - PACKAGE_BUGREPORT now also includes link to GitHub issues. + +1 August 2019: Wouter + - For #52 #53, second context does not close logfile override. + - Fix #52 #53, fix for example fail program. + - Fix to return after failed auth zone http chunk write. + - Fix to remove unused test for task_probe existance. + - Fix to timeval_add for remaining second in microseconds. + - Check repinfo in worker_handle_request, if null, drop it. + +29 July 2019: Wouter + - Add verbose log message when auth zone file is written, at level 4. + - Add hex print of trust anchor pointer to trust anchor file temp + name to make it unique, for libunbound created multiple contexts. + +23 July 2019: Wouter + - Fix question section mismatch in local zone redirect. + +19 July 2019: Wouter + - Fix #49: Set no renegotiation on the SSL context to stop client + session renegotiation. + +12 July 2019: Wouter + - Fix #48: Unbound returns additional records on NODATA response, + if minimal-responses is enabled, also the additional for negative + responses is removed. + +9 July 2019: Ralph + - Fix in respip addrtree selection. Absence of addr_tree_init_parents() + call made it impossible to go up the tree when the matching netmask is + too specific. + +5 July 2019: Ralph + - Fix for possible assertion failure when answering respip CNAME from + cache. + +25 June 2019: Wouter + - For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf + when do-not-query-localhost is turned on, or at default on, + unbound-checkconf prints a warning if it is found in forward-addr or + stub-addr statements. + +24 June 2019: Wouter + - Fix memleak in unit test, reported from the clang 8.0 static analyzer. + +18 June 2019: Wouter + - PR #28: IPSet module, by Kevin Chou. Created a module to support + the ipset that could add the domain's ip to a list easily. + Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. + - Fix to omit RRSIGs from addition to the ipset. + - Fix to make unbound-control with ipset, remove unused variable, + use unsigned type because of comparison, and assign null instead + of compare with it. Remade lex and yacc output. + - make depend + - Added documentation to the ipset files (for doxygen output). + - Merge PR #6: Python module: support multiple instances + - Merge PR #5: Python module: define constant MODULE_RESTART_NEXT + - Merge PR #4: Python module: assign something useful to the + per-query data store 'qdata' + - Fix python dict reference and double free in config. + +17 June 2019: Wouter + - Master contains version 1.9.3 in development. + - Fix #39: In libunbound, leftover logfile is close()d unpredictably. + - Fix for #24: Fix abort due to scan of auth zone masters using old + address from previous scan. + 12 June 2019: Wouter - Fix another spoolbuf storage code point, in prefetch. - - 1.9.2rc3 release candidate tag. + - 1.9.2rc3 release candidate tag. Which became the 1.9.2 release + on 17 June 2019. 11 June 2019: Wouter - Fix that fixes the Fix that spoolbuf is not used to store tcp diff --git a/usr.sbin/unbound/doc/README b/usr.sbin/unbound/doc/README index d468688b9b2..ea3fa0b94d9 100644 --- a/usr.sbin/unbound/doc/README +++ b/usr.sbin/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.9.2 +README for Unbound 1.9.3 Copyright 2007 NLnet Labs http://unbound.net diff --git a/usr.sbin/unbound/doc/example.conf.in b/usr.sbin/unbound/doc/example.conf.in index 72bed13f135..c8cce5e81d3 100644 --- a/usr.sbin/unbound/doc/example.conf.in +++ b/usr.sbin/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.9.2. +# See unbound.conf(5) man page, version 1.9.3. # # this is a comment. @@ -654,6 +654,9 @@ server: # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. + # Add example.com into ipset + # local-zone: "example.com" ipset + # If unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the # long list of local-zones above. If this unbound is a dns server @@ -992,3 +995,14 @@ remote-control: # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 + +# IPSet +# Add specify domain into set via ipset. +# Note: To enable ipset needs run unbound as root user. +# ipset: +# # set name for ip v4 addresses +# name-v4: "list-v4" +# # set name for ip v6 addresses +# name-v6: "list-v6" +# + diff --git a/usr.sbin/unbound/doc/libunbound.3.in b/usr.sbin/unbound/doc/libunbound.3.in index fd5c336e090..de50eba7221 100644 --- a/usr.sbin/unbound/doc/libunbound.3.in +++ b/usr.sbin/unbound/doc/libunbound.3.in @@ -1,4 +1,4 @@ -.TH "libunbound" "3" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "libunbound" "3" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" libunbound.3 -- unbound library functions manual .\" @@ -44,7 +44,7 @@ .B ub_ctx_zone_remove, .B ub_ctx_data_add, .B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.9.2 functions. +\- Unbound DNS validating resolver 1.9.3 functions. .SH "SYNOPSIS" .B #include <unbound.h> .LP diff --git a/usr.sbin/unbound/doc/unbound-anchor.8.in b/usr.sbin/unbound/doc/unbound-anchor.8.in index 76f4ea21f0c..875fbcc2001 100644 --- a/usr.sbin/unbound/doc/unbound-anchor.8.in +++ b/usr.sbin/unbound/doc/unbound-anchor.8.in @@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound-anchor" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" diff --git a/usr.sbin/unbound/doc/unbound-checkconf.8.in b/usr.sbin/unbound/doc/unbound-checkconf.8.in index b3e6ff3c54b..b3e13db967d 100644 --- a/usr.sbin/unbound/doc/unbound-checkconf.8.in +++ b/usr.sbin/unbound/doc/unbound-checkconf.8.in @@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound-checkconf" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" diff --git a/usr.sbin/unbound/doc/unbound-control.8.in b/usr.sbin/unbound/doc/unbound-control.8.in index 2e16ac97a7b..57363f92b3e 100644 --- a/usr.sbin/unbound/doc/unbound-control.8.in +++ b/usr.sbin/unbound/doc/unbound-control.8.in @@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound-control" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" unbound-control.8 -- unbound remote control manual .\" diff --git a/usr.sbin/unbound/doc/unbound-host.1.in b/usr.sbin/unbound/doc/unbound-host.1.in index 58505d2370e..beccf54fbd3 100644 --- a/usr.sbin/unbound/doc/unbound-host.1.in +++ b/usr.sbin/unbound/doc/unbound-host.1.in @@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound\-host" "1" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" diff --git a/usr.sbin/unbound/doc/unbound.8.in b/usr.sbin/unbound/doc/unbound.8.in index 4d408dba6f0..5a76a0e4e4e 100644 --- a/usr.sbin/unbound/doc/unbound.8.in +++ b/usr.sbin/unbound/doc/unbound.8.in @@ -1,4 +1,4 @@ -.TH "unbound" "8" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound" "8" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.9.2. +\- Unbound DNS validating resolver 1.9.3. .SH "SYNOPSIS" .B unbound .RB [ \-h ] @@ -54,7 +54,7 @@ resolvers are using the same port number (53). The available options are: .TP .B \-h -Show the version and commandline option help. +Show the version number and commandline option help, and exit. .TP .B \-c\fI cfgfile Set the config file with settings for unbound to read instead of reading the @@ -76,6 +76,9 @@ concurrently. .B \-v Increase verbosity. If given multiple times, more information is logged. This is in addition to the verbosity (if any) from the config file. +.TP +.B \-V +Show the version number and build options, and exit. .SH "SEE ALSO" \fIunbound.conf\fR(5), \fIunbound\-checkconf\fR(8), diff --git a/usr.sbin/unbound/doc/unbound.conf.5.in b/usr.sbin/unbound/doc/unbound.conf.5.in index f683fd80e17..674f20e1693 100644 --- a/usr.sbin/unbound/doc/unbound.conf.5.in +++ b/usr.sbin/unbound/doc/unbound.conf.5.in @@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Jun 17, 2019" "NLnet Labs" "unbound 1.9.2" +.TH "unbound.conf" "5" "Aug 27, 2019" "NLnet Labs" "unbound 1.9.3" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -593,7 +593,9 @@ In the last case the path is adjusted to remove the unused portion. The pidfile can be either a relative path to the working directory, or an absolute path relative to the original root. It is written just prior to chroot and dropping permissions. This allows the pidfile to be -/var/run/unbound.pid and the chroot to be /var/unbound, for example. +/var/run/unbound.pid and the chroot to be /var/unbound, for example. Note that +Unbound is not able to remove the pidfile after termination when it is located +outside of the chroot directory. .IP Additionally, unbound may need to access /dev/random (for entropy) from inside the chroot. @@ -1723,7 +1725,8 @@ clause gives the settings for the \fIpython\fR(1) script module. This module acts like the iterator and validator modules do, on queries and answers. To enable the script module it has to be compiled into the daemon, and the word "python" has to be put in the \fBmodule\-config:\fR option -(usually first, or between the validator and iterator). +(usually first, or between the validator and iterator). Multiple instances of +the python module are supported by adding the word "python" more than once. .LP If the \fBchroot:\fR option is enabled, you should make sure Python's library directory structure is bind mounted in the new root environment, see @@ -1732,7 +1735,8 @@ absolute path relative to the new root, or as a relative path to the working directory. .TP .B python\-script: \fI<python file>\fR -The script file to load. +The script file to load. Repeat this option for every python module instance +added to the \fBmodule\-config:\fR option. .SS "DNS64 Module Options" .LP The dns64 module must be configured in the \fBmodule\-config:\fR "dns64 diff --git a/usr.sbin/unbound/libunbound/context.c b/usr.sbin/unbound/libunbound/context.c index 20e3680ec3b..b8fe87d2e58 100644 --- a/usr.sbin/unbound/libunbound/context.c +++ b/usr.sbin/unbound/libunbound/context.c @@ -57,9 +57,16 @@ context_finalize(struct ub_ctx* ctx) { struct config_file* cfg = ctx->env->cfg; verbosity = cfg->verbosity; - if(ctx->logfile_override) + if(ctx_logfile_overridden && !ctx->logfile_override) { + log_file(NULL); /* clear that override */ + ctx_logfile_overridden = 0; + } + if(ctx->logfile_override) { + ctx_logfile_overridden = 1; log_file(ctx->log_out); - else log_init(cfg->logfile, cfg->use_syslog, NULL); + } else { + log_init(cfg->logfile, cfg->use_syslog, NULL); + } config_apply(cfg); if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) return UB_INITFAIL; diff --git a/usr.sbin/unbound/libunbound/context.h b/usr.sbin/unbound/libunbound/context.h index 11147226a8c..c3900154f8b 100644 --- a/usr.sbin/unbound/libunbound/context.h +++ b/usr.sbin/unbound/libunbound/context.h @@ -52,6 +52,9 @@ struct tube; struct sldns_buffer; struct ub_event_base; +/** store that the logfile has a debug override */ +extern int ctx_logfile_overridden; + /** * The context structure * diff --git a/usr.sbin/unbound/libunbound/libunbound.c b/usr.sbin/unbound/libunbound/libunbound.c index 5f5a8a10265..63770cc025d 100644 --- a/usr.sbin/unbound/libunbound/libunbound.c +++ b/usr.sbin/unbound/libunbound/libunbound.c @@ -79,6 +79,9 @@ #include <iphlpapi.h> #endif /* UB_ON_WINDOWS */ +/** store that the logfile has a debug override */ +int ctx_logfile_overridden = 0; + /** create context functionality, but no pipes */ static struct ub_ctx* ub_ctx_create_nopipe(void) { @@ -90,7 +93,8 @@ static struct ub_ctx* ub_ctx_create_nopipe(void) #endif checklock_start(); - log_init(NULL, 0, NULL); /* logs to stderr */ + if(!ctx_logfile_overridden) + log_init(NULL, 0, NULL); /* logs to stderr */ log_ident_set("libunbound"); #ifdef USE_WINSOCK if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) { @@ -328,6 +332,10 @@ ub_ctx_delete(struct ub_ctx* ctx) ub_randfree(ctx->seed_rnd); alloc_clear(&ctx->superalloc); traverse_postorder(&ctx->queries, delq, NULL); + if(ctx_logfile_overridden) { + log_file(NULL); + ctx_logfile_overridden = 0; + } free(ctx); #ifdef USE_WINSOCK WSACleanup(); @@ -469,6 +477,7 @@ int ub_ctx_debugout(struct ub_ctx* ctx, void* out) { lock_basic_lock(&ctx->cfglock); log_file((FILE*)out); + ctx_logfile_overridden = 1; ctx->logfile_override = 1; ctx->log_out = out; lock_basic_unlock(&ctx->cfglock); @@ -1150,7 +1159,7 @@ int ub_ctx_hosts(struct ub_ctx* ctx, const char* fname) { FILE* in; - char buf[1024], ldata[1024]; + char buf[1024], ldata[2048]; char* parse, *addr, *name, *ins; lock_basic_lock(&ctx->cfglock); if(ctx->finalized) { diff --git a/usr.sbin/unbound/respip/respip.c b/usr.sbin/unbound/respip/respip.c index d61877b556c..36a1c9726bd 100644 --- a/usr.sbin/unbound/respip/respip.c +++ b/usr.sbin/unbound/respip/respip.c @@ -361,6 +361,7 @@ respip_set_apply_cfg(struct respip_set* set, char* const* tagname, int num_tags, free(pd); pd = np; } + addr_tree_init_parents(&set->ip_tree); return 1; } diff --git a/usr.sbin/unbound/services/authzone.c b/usr.sbin/unbound/services/authzone.c index 1426f423a1b..792dc204967 100644 --- a/usr.sbin/unbound/services/authzone.c +++ b/usr.sbin/unbound/services/authzone.c @@ -3698,6 +3698,7 @@ static void xfr_transfer_start_lookups(struct auth_xfer* xfr) { /* delete all the looked up addresses in the list */ + xfr->task_transfer->scan_addr = NULL; xfr_masterlist_free_addrs(xfr->task_transfer->masters); /* start lookup at the first master */ @@ -3728,6 +3729,7 @@ static void xfr_probe_start_lookups(struct auth_xfer* xfr) { /* delete all the looked up addresses in the list */ + xfr->task_probe->scan_addr = NULL; xfr_masterlist_free_addrs(xfr->task_probe->masters); /* start lookup at the first master */ @@ -4865,6 +4867,11 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename, cfg->chrootdir, strlen(cfg->chrootdir)) == 0) zfilename += strlen(cfg->chrootdir); + if(verbosity >= VERB_ALGO) { + char nm[255+1]; + dname_str(z->name, nm); + verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm); + } /* write to tempfile first */ if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) { @@ -4880,6 +4887,7 @@ xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env) if(!auth_zone_write_chunks(xfr, tmpfile)) { unlink(tmpfile); lock_rw_unlock(&z->lock); + return; } } else if(!auth_zone_write_file(z, tmpfile)) { unlink(tmpfile); @@ -6561,7 +6569,7 @@ xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env, /* don't lookup_only, if lookup timeout is 0 anyway, * or if we don't have masters to lookup */ tv.tv_sec = 0; - if(xfr->task_probe && xfr->task_probe->worker == NULL) + if(xfr->task_probe->worker == NULL) xfr->task_probe->only_lookup = 1; } if(verbosity >= VERB_ALGO) { diff --git a/usr.sbin/unbound/services/mesh.c b/usr.sbin/unbound/services/mesh.c index 59ee9a08ec0..27f919401bb 100644 --- a/usr.sbin/unbound/services/mesh.c +++ b/usr.sbin/unbound/services/mesh.c @@ -85,7 +85,7 @@ timeval_add(struct timeval* d, const struct timeval* add) #ifndef S_SPLINT_S d->tv_sec += add->tv_sec; d->tv_usec += add->tv_usec; - if(d->tv_usec > 1000000 ) { + if(d->tv_usec >= 1000000 ) { d->tv_usec -= 1000000; d->tv_sec++; } @@ -1340,14 +1340,15 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns, log_assert(!qinfo->local_alias->next && dsrc->count == 1 && qinfo->local_alias->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)); - /* Technically, we should make a local copy for the owner - * name of the RRset, but in the case of the first (and - * currently only) local alias RRset, the owner name should - * point to the qname of the corresponding query, which should - * be valid throughout the lifetime of this mesh_reply. So - * we can skip copying. */ - log_assert(qinfo->local_alias->rrset->rk.dname == - sldns_buffer_at(rep->c->buffer, LDNS_HEADER_SIZE)); + /* we should make a local copy for the owner name of + * the RRset */ + r->local_alias->rrset->rk.dname_len = + qinfo->local_alias->rrset->rk.dname_len; + r->local_alias->rrset->rk.dname = regional_alloc_init( + s->s.region, qinfo->local_alias->rrset->rk.dname, + qinfo->local_alias->rrset->rk.dname_len); + if(!r->local_alias->rrset->rk.dname) + return 0; /* the rrset is not packed, like in the cache, but it is * individualy allocated with an allocator from localzone. */ diff --git a/usr.sbin/unbound/services/modstack.c b/usr.sbin/unbound/services/modstack.c index 05b949d1e33..68e5928146d 100644 --- a/usr.sbin/unbound/services/modstack.c +++ b/usr.sbin/unbound/services/modstack.c @@ -60,6 +60,9 @@ #ifdef CLIENT_SUBNET #include "edns-subnet/subnetmod.h" #endif +#ifdef USE_IPSET +#include "ipset/ipset.h" +#endif /** count number of modules (words) in the string */ static int @@ -146,6 +149,9 @@ module_list_avail(void) #ifdef CLIENT_SUBNET "subnetcache", #endif +#ifdef USE_IPSET + "ipset", +#endif "respip", "validator", "iterator", @@ -174,6 +180,9 @@ module_funcs_avail(void) #ifdef CLIENT_SUBNET &subnetmod_get_funcblock, #endif +#ifdef USE_IPSET + &ipset_get_funcblock, +#endif &respip_get_funcblock, &val_get_funcblock, &iter_get_funcblock, diff --git a/usr.sbin/unbound/sldns/str2wire.c b/usr.sbin/unbound/sldns/str2wire.c index 1a51bb69560..097f621017f 100644 --- a/usr.sbin/unbound/sldns/str2wire.c +++ b/usr.sbin/unbound/sldns/str2wire.c @@ -187,7 +187,7 @@ rrinternal_get_owner(sldns_buffer* strbuf, uint8_t* rr, size_t* len, sldns_buffer_position(strbuf)); } - if(strcmp(token, "@") == 0) { + if(token[0]=='@' && token[1]=='\0') { uint8_t* tocopy; if (origin) { *dname_len = origin_len; diff --git a/usr.sbin/unbound/smallapp/unbound-checkconf.c b/usr.sbin/unbound/smallapp/unbound-checkconf.c index a8656e685f1..9dc6be0c346 100644 --- a/usr.sbin/unbound/smallapp/unbound-checkconf.c +++ b/usr.sbin/unbound/smallapp/unbound-checkconf.c @@ -146,6 +146,42 @@ check_mod(struct config_file* cfg, struct module_func_block* fb) edns_known_options_delete(&env); } +/** true if addr is a localhost address, 127.0.0.1 or ::1 (with maybe "@port" + * after it) */ +static int +str_addr_is_localhost(const char* a) +{ + if(strncmp(a, "127.", 4) == 0) return 1; + if(strncmp(a, "::1", 3) == 0) return 1; + return 0; +} + +/** check do-not-query-localhost */ +static void +donotquerylocalhostcheck(struct config_file* cfg) +{ + if(cfg->donotquery_localhost) { + struct config_stub* p; + struct config_strlist* s; + for(p=cfg->forwards; p; p=p->next) { + for(s=p->addrs; s; s=s->next) { + if(str_addr_is_localhost(s->str)) { + fprintf(stderr, "unbound-checkconf: warning: forward-addr: '%s' is specified for forward-zone: '%s', but do-not-query-localhost: yes means that the address will not be used for lookups.\n", + s->str, p->name); + } + } + } + for(p=cfg->stubs; p; p=p->next) { + for(s=p->addrs; s; s=s->next) { + if(str_addr_is_localhost(s->str)) { + fprintf(stderr, "unbound-checkconf: warning: stub-addr: '%s' is specified for stub-zone: '%s', but do-not-query-localhost: yes means that the address will not be used for lookups.\n", + s->str, p->name); + } + } + } + } +} + /** check localzones */ static void localzonechecks(struct config_file* cfg) @@ -574,6 +610,10 @@ morechecks(struct config_file* cfg) && strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0 && strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0 #endif +#ifdef USE_IPSET + && strcmp(cfg->module_conf, "validator ipset iterator") != 0 + && strcmp(cfg->module_conf, "ipset iterator") != 0 +#endif ) { fatal_exit("module conf '%s' is not known to work", cfg->module_conf); @@ -606,6 +646,7 @@ morechecks(struct config_file* cfg) cfg->control_cert_file); } + donotquerylocalhostcheck(cfg); localzonechecks(cfg); view_and_respipchecks(cfg); #ifdef CLIENT_SUBNET diff --git a/usr.sbin/unbound/smallapp/unbound-control.c b/usr.sbin/unbound/smallapp/unbound-control.c index 3ea6aa033c0..01e2385faab 100644 --- a/usr.sbin/unbound/smallapp/unbound-control.c +++ b/usr.sbin/unbound/smallapp/unbound-control.c @@ -499,6 +499,12 @@ setup_ctx(struct config_file* cfg) if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3) != SSL_OP_NO_SSLv3) ssl_err("could not set SSL_OP_NO_SSLv3"); +#if defined(SSL_OP_NO_RENEGOTIATION) + /* disable client renegotiation */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & + SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) + ssl_err("could not set SSL_OP_NO_RENEGOTIATION"); +#endif if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert)) ssl_path_err("Error setting up SSL_CTX client cert", c_cert); if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) diff --git a/usr.sbin/unbound/util/config_file.c b/usr.sbin/unbound/util/config_file.c index d97ad998990..676b7af5492 100644 --- a/usr.sbin/unbound/util/config_file.c +++ b/usr.sbin/unbound/util/config_file.c @@ -255,6 +255,9 @@ config_create(void) cfg->neg_cache_size = 1 * 1024 * 1024; cfg->local_zones = NULL; cfg->local_zones_nodefault = NULL; +#ifdef USE_IPSET + cfg->local_zones_ipset = NULL; +#endif cfg->local_zones_disable_default = 0; cfg->local_data = NULL; cfg->local_zone_overrides = NULL; @@ -327,9 +330,13 @@ config_create(void) cfg->cachedb_backend = NULL; cfg->cachedb_secret = NULL; #endif +#ifdef USE_IPSET + cfg->ipset_name_v4 = NULL; + cfg->ipset_name_v6 = NULL; +#endif return cfg; error_exit: - config_delete(cfg); + config_delete(cfg); return NULL; } @@ -602,7 +609,7 @@ int config_set_option(struct config_file* cfg, const char* opt, else S_STR("control-key-file:", control_key_file) else S_STR("control-cert-file:", control_cert_file) else S_STR("module-config:", module_conf) - else S_STR("python-script:", python_script) + else S_STRLIST("python-script:", python_script) else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check) #ifdef CLIENT_SUBNET /* Can't set max subnet prefix here, since that value is used when @@ -1054,7 +1061,7 @@ config_get_option(struct config_file* cfg, const char* opt, else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones) else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones) else O_DEC(opt, "max-udp-size", max_udp_size) - else O_STR(opt, "python-script", python_script) + else O_LST(opt, "python-script", python_script) else O_YNO(opt, "disable-dnssec-lame-check", disable_dnssec_lame_check) else O_DEC(opt, "ip-ratelimit", ip_ratelimit) else O_DEC(opt, "ratelimit", ratelimit) @@ -1092,6 +1099,10 @@ config_get_option(struct config_file* cfg, const char* opt, else O_STR(opt, "backend", cachedb_backend) else O_STR(opt, "secret-seed", cachedb_secret) #endif +#ifdef USE_IPSET + else O_STR(opt, "name-v4", ipset_name_v4) + else O_STR(opt, "name-v6", ipset_name_v6) +#endif /* not here: * outgoing-permit, outgoing-avoid - have list of ports * local-zone - zones and nodefault variables @@ -1310,6 +1321,9 @@ config_delview(struct config_view* p) free(p->name); config_deldblstrlist(p->local_zones); config_delstrlist(p->local_zones_nodefault); +#ifdef USE_IPSET + config_delstrlist(p->local_zones_ipset); +#endif config_delstrlist(p->local_data); free(p); } @@ -1384,7 +1398,6 @@ config_delete(struct config_file* cfg) free(cfg->version); free(cfg->module_conf); free(cfg->outgoing_avail_ports); - free(cfg->python_script); config_delstrlist(cfg->caps_whitelist); config_delstrlist(cfg->private_address); config_delstrlist(cfg->private_domain); @@ -1400,6 +1413,9 @@ config_delete(struct config_file* cfg) free(cfg->val_nsec3_key_iterations); config_deldblstrlist(cfg->local_zones); config_delstrlist(cfg->local_zones_nodefault); +#ifdef USE_IPSET + config_delstrlist(cfg->local_zones_ipset); +#endif config_delstrlist(cfg->local_data); config_deltrplstrlist(cfg->local_zone_overrides); config_del_strarray(cfg->tagname, cfg->num_tags); @@ -1420,6 +1436,7 @@ config_delete(struct config_file* cfg) free(cfg->dnstap_version); config_deldblstrlist(cfg->ratelimit_for_domain); config_deldblstrlist(cfg->ratelimit_below_domain); + config_delstrlist(cfg->python_script); #ifdef USE_IPSECMOD free(cfg->ipsecmod_hook); config_delstrlist(cfg->ipsecmod_whitelist); @@ -1428,6 +1445,10 @@ config_delete(struct config_file* cfg) free(cfg->cachedb_backend); free(cfg->cachedb_secret); #endif +#ifdef USE_IPSET + free(cfg->ipset_name_v4); + free(cfg->ipset_name_v6); +#endif free(cfg); } @@ -1630,6 +1651,31 @@ cfg_strlist_insert(struct config_strlist** head, char* item) return 1; } +int +cfg_strlist_append_ex(struct config_strlist** head, char* item) +{ + struct config_strlist *s; + if(!item || !head) + return 0; + s = (struct config_strlist*)calloc(1, sizeof(struct config_strlist)); + if(!s) + return 0; + s->str = item; + s->next = NULL; + + if (*head==NULL) { + *head = s; + } else { + struct config_strlist *last = *head; + while (last->next!=NULL) { + last = last->next; + } + last->next = s; + } + + return 1; +} + int cfg_str2list_insert(struct config_str2list** head, char* item, char* i2) { @@ -2107,6 +2153,11 @@ cfg_parse_local_zone(struct config_file* cfg, const char* val) if(strcmp(type, "nodefault")==0) { return cfg_strlist_insert(&cfg->local_zones_nodefault, strdup(name)); +#ifdef USE_IPSET + } else if(strcmp(type, "ipset")==0) { + return cfg_strlist_insert(&cfg->local_zones_ipset, + strdup(name)); +#endif } else { return cfg_str2list_insert(&cfg->local_zones, strdup(buf), strdup(type)); @@ -2381,3 +2432,4 @@ int options_remote_is_address(struct config_file* cfg) if(cfg->control_ifs.first->str[0] == 0) return 1; return (cfg->control_ifs.first->str[0] != '/'); } + diff --git a/usr.sbin/unbound/util/config_file.h b/usr.sbin/unbound/util/config_file.h index 3cffdbff938..b3ef930a0f1 100644 --- a/usr.sbin/unbound/util/config_file.h +++ b/usr.sbin/unbound/util/config_file.h @@ -384,6 +384,10 @@ struct config_file { struct config_str2list* local_zones; /** local zones nodefault list */ struct config_strlist* local_zones_nodefault; +#ifdef USE_IPSET + /** local zones ipset list */ + struct config_strlist* local_zones_ipset; +#endif /** do not add any default local zone */ int local_zones_disable_default; /** local data RRs configured */ @@ -433,7 +437,7 @@ struct config_file { char* control_cert_file; /** Python script file */ - char* python_script; + struct config_strlist* python_script; /** Use systemd socket activation. */ int use_systemd; @@ -575,6 +579,12 @@ struct config_file { int redis_timeout; #endif #endif + + /* ipset module */ +#ifdef USE_IPSET + char* ipset_name_v4; + char* ipset_name_v6; +#endif }; /** from cfg username, after daemonize setup performed */ @@ -647,6 +657,10 @@ struct config_view { struct config_strlist* local_data; /** local zones nodefault list */ struct config_strlist* local_zones_nodefault; +#ifdef USE_IPSET + /** local zones ipset list */ + struct config_strlist* local_zones_ipset; +#endif /** Fallback to global local_zones when there is no match in the view * view specific tree. 1 for yes, 0 for no */ int isfirst; @@ -821,6 +835,14 @@ char* config_collate_cat(struct config_strlist* list); int cfg_strlist_append(struct config_strlist_head* list, char* item); /** + * Searches the end of a string list and appends the given text. + * @param head: pointer to strlist head variable. + * @param item: new item. malloced by caller. if NULL the insertion fails. + * @return true on success. + */ +int cfg_strlist_append_ex(struct config_strlist** head, char* item); + +/** * Find string in strlist. * @param head: pointer to strlist head variable. * @param item: the item to search for. @@ -1181,3 +1203,4 @@ void w_config_adjust_directory(struct config_file* cfg); extern int fake_dsa, fake_sha1; #endif /* UTIL_CONFIG_FILE_H */ + diff --git a/usr.sbin/unbound/util/configlexer.lex b/usr.sbin/unbound/util/configlexer.lex index 16b5bc5471b..7a9729086af 100644 --- a/usr.sbin/unbound/util/configlexer.lex +++ b/usr.sbin/unbound/util/configlexer.lex @@ -483,6 +483,9 @@ secret-seed{COLON} { YDVAR(1, VAR_CACHEDB_SECRETSEED) } redis-server-host{COLON} { YDVAR(1, VAR_CACHEDB_REDISHOST) } redis-server-port{COLON} { YDVAR(1, VAR_CACHEDB_REDISPORT) } redis-timeout{COLON} { YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) } +ipset{COLON} { YDVAR(0, VAR_IPSET) } +name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) } +name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) } udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) } tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } <INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } diff --git a/usr.sbin/unbound/util/configparser.y b/usr.sbin/unbound/util/configparser.y index c7b916966e2..10227a2ff7f 100644 --- a/usr.sbin/unbound/util/configparser.y +++ b/usr.sbin/unbound/util/configparser.y @@ -167,6 +167,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES %token VAR_TLS_SESSION_TICKET_KEYS +%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6 %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; @@ -174,7 +175,7 @@ toplevelvar: serverstart contents_server | stubstart contents_stub | forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | - authstart contents_auth + ipsetstart contents_ipset | authstart contents_auth ; /* server: declaration */ @@ -1784,13 +1785,14 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG && strcmp($3, "always_nxdomain")!=0 && strcmp($3, "noview")!=0 && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0 - && strcmp($3, "inform_redirect") != 0) { + && strcmp($3, "inform_redirect") != 0 + && strcmp($3, "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " "inform_redirect, always_transparent, " "always_refuse, always_nxdomain, noview " - "or nodefault"); + ", nodefault or ipset"); free($2); free($3); } else if(strcmp($3, "nodefault")==0) { @@ -1798,6 +1800,13 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG local_zones_nodefault, $2)) fatal_exit("out of memory adding local-zone"); free($3); +#ifdef USE_IPSET + } else if(strcmp($3, "ipset")==0) { + if(!cfg_strlist_insert(&cfg_parser->cfg-> + local_zones_ipset, $2)) + fatal_exit("out of memory adding local-zone"); + free($3); +#endif } else { if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, $2, $3)) @@ -2455,6 +2464,13 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG local_zones_nodefault, $2)) fatal_exit("out of memory adding local-zone"); free($3); +#ifdef USE_IPSET + } else if(strcmp($3, "ipset")==0) { + if(!cfg_strlist_insert(&cfg_parser->cfg->views-> + local_zones_ipset, $2)) + fatal_exit("out of memory adding local-zone"); + free($3); +#endif } else { if(!cfg_str2list_insert( &cfg_parser->cfg->views->local_zones, @@ -2722,8 +2738,8 @@ content_py: py_script py_script: VAR_PYTHON_SCRIPT STRING_ARG { OUTYY(("P(python-script:%s)\n", $2)); - free(cfg_parser->cfg->python_script); - cfg_parser->cfg->python_script = $2; + if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, $2)) + yyerror("out of memory"); } server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG { @@ -2959,6 +2975,45 @@ server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG } } ; + ipsetstart: VAR_IPSET + { + OUTYY(("\nP(ipset:)\n")); + } + ; + contents_ipset: contents_ipset content_ipset + | ; + content_ipset: ipset_name_v4 | ipset_name_v6 + ; + ipset_name_v4: VAR_IPSET_NAME_V4 STRING_ARG + { + #ifdef USE_IPSET + OUTYY(("P(name-v4:%s)\n", $2)); + if(cfg_parser->cfg->ipset_name_v4) + yyerror("ipset name v4 override, there must be one " + "name for ip v4"); + free(cfg_parser->cfg->ipset_name_v4); + cfg_parser->cfg->ipset_name_v4 = $2; + #else + OUTYY(("P(Compiled without ipset, ignoring)\n")); + free($2); + #endif + } + ; + ipset_name_v6: VAR_IPSET_NAME_V6 STRING_ARG + { + #ifdef USE_IPSET + OUTYY(("P(name-v6:%s)\n", $2)); + if(cfg_parser->cfg->ipset_name_v6) + yyerror("ipset name v6 override, there must be one " + "name for ip v6"); + free(cfg_parser->cfg->ipset_name_v6); + cfg_parser->cfg->ipset_name_v6 = $2; + #else + OUTYY(("P(Compiled without ipset, ignoring)\n")); + free($2); + #endif + } + ; %% /* parse helper routines could be here */ @@ -2978,3 +3033,5 @@ validate_respip_action(const char* action) "always_refuse or always_nxdomain"); } } + + diff --git a/usr.sbin/unbound/util/data/msgencode.c b/usr.sbin/unbound/util/data/msgencode.c index 4c0a5550be1..a51a4b9b85d 100644 --- a/usr.sbin/unbound/util/data/msgencode.c +++ b/usr.sbin/unbound/util/data/msgencode.c @@ -639,15 +639,37 @@ positive_answer(struct reply_info* rep, uint16_t qtype) { return 0; } -int -reply_info_encode(struct query_info* qinfo, struct reply_info* rep, - uint16_t id, uint16_t flags, sldns_buffer* buffer, time_t timenow, - struct regional* region, uint16_t udpsize, int dnssec) +static int +negative_answer(struct reply_info* rep) { + size_t i; + int ns_seen = 0; + if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN) + return 1; + if(FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR && + rep->an_numrrsets != 0) + return 0; /* positive */ + if(FLAGS_GET_RCODE(rep->flags) != LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(rep->flags) != LDNS_RCODE_NXDOMAIN) + return 0; + for(i=rep->an_numrrsets; i<rep->an_numrrsets+rep->ns_numrrsets; i++){ + if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_SOA) + return 1; + if(ntohs(rep->rrsets[i]->rk.type) == LDNS_RR_TYPE_NS) + ns_seen = 1; + } + if(ns_seen) return 0; /* could be referral, NS, but no SOA */ + return 1; +} + +int +reply_info_encode(struct query_info* qinfo, struct reply_info* rep, + uint16_t id, uint16_t flags, sldns_buffer* buffer, time_t timenow, + struct regional* region, uint16_t udpsize, int dnssec, int minimise) { uint16_t ancount=0, nscount=0, arcount=0; struct compress_tree_node* tree = 0; int r; - size_t rr_offset; + size_t rr_offset; sldns_buffer_clear(buffer); if(udpsize < sldns_buffer_limit(buffer)) @@ -663,7 +685,7 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, /* insert query section */ if(rep->qdcount) { - if((r=insert_query(qinfo, &tree, buffer, region)) != + if((r=insert_query(qinfo, &tree, buffer, region)) != RETVAL_OK) { if(r == RETVAL_TRUNC) { /* create truncated message */ @@ -707,8 +729,8 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, } /* insert answer section */ - if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer, - 0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype, + if((r=insert_section(rep, rep->an_numrrsets, &ancount, buffer, + 0, timenow, region, &tree, LDNS_SECTION_ANSWER, qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) { if(r == RETVAL_TRUNC) { /* create truncated message */ @@ -722,9 +744,9 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, sldns_buffer_write_u16_at(buffer, 6, ancount); /* if response is positive answer, auth/add sections are not required */ - if( ! (MINIMAL_RESPONSES && positive_answer(rep, qinfo->qtype)) ) { + if( ! (minimise && positive_answer(rep, qinfo->qtype)) ) { /* insert auth section */ - if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer, + if((r=insert_section(rep, rep->ns_numrrsets, &nscount, buffer, rep->an_numrrsets, timenow, region, &tree, LDNS_SECTION_AUTHORITY, qinfo->qtype, dnssec, rr_offset)) != RETVAL_OK) { @@ -739,20 +761,22 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep, } sldns_buffer_write_u16_at(buffer, 8, nscount); - /* insert add section */ - if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer, - rep->an_numrrsets + rep->ns_numrrsets, timenow, region, - &tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype, - dnssec, rr_offset)) != RETVAL_OK) { - if(r == RETVAL_TRUNC) { - /* no need to set TC bit, this is the additional */ - sldns_buffer_write_u16_at(buffer, 10, arcount); - sldns_buffer_flip(buffer); - return 1; + if(! (minimise && negative_answer(rep))) { + /* insert add section */ + if((r=insert_section(rep, rep->ar_numrrsets, &arcount, buffer, + rep->an_numrrsets + rep->ns_numrrsets, timenow, region, + &tree, LDNS_SECTION_ADDITIONAL, qinfo->qtype, + dnssec, rr_offset)) != RETVAL_OK) { + if(r == RETVAL_TRUNC) { + /* no need to set TC bit, this is the additional */ + sldns_buffer_write_u16_at(buffer, 10, arcount); + sldns_buffer_flip(buffer); + return 1; + } + return 0; } - return 0; + sldns_buffer_write_u16_at(buffer, 10, arcount); } - sldns_buffer_write_u16_at(buffer, 10, arcount); } sldns_buffer_flip(buffer); return 1; @@ -763,7 +787,7 @@ calc_edns_field_size(struct edns_data* edns) { size_t rdatalen = 0; struct edns_option* opt; - if(!edns || !edns->edns_present) + if(!edns || !edns->edns_present) return 0; for(opt = edns->opt_list; opt; opt = opt->next) { rdatalen += 4 + opt->opt_len; @@ -850,7 +874,7 @@ reply_info_answer_encode(struct query_info* qinf, struct reply_info* rep, } if(!reply_info_encode(qinf, rep, id, flags, pkt, timenow, region, - udpsize, dnssec)) { + udpsize, dnssec, MINIMAL_RESPONSES)) { log_err("reply encode: out of memory"); return 0; } diff --git a/usr.sbin/unbound/util/data/msgreply.c b/usr.sbin/unbound/util/data/msgreply.c index 32aec4bf4c9..a2c09ac2016 100644 --- a/usr.sbin/unbound/util/data/msgreply.c +++ b/usr.sbin/unbound/util/data/msgreply.c @@ -819,7 +819,7 @@ log_dns_msg(const char* str, struct query_info* qinfo, struct reply_info* rep) sldns_buffer* buf = sldns_buffer_new(65535); struct regional* region = regional_create(); if(!reply_info_encode(qinfo, rep, 0, rep->flags, buf, 0, - region, 65535, 1)) { + region, 65535, 1, 0)) { log_info("%s: log_dns_msg: out of memory", str); } else { char* s = sldns_wire2str_pkt(sldns_buffer_begin(buf), diff --git a/usr.sbin/unbound/util/fptr_wlist.c b/usr.sbin/unbound/util/fptr_wlist.c index 94d23fa3a32..f5da501de19 100644 --- a/usr.sbin/unbound/util/fptr_wlist.c +++ b/usr.sbin/unbound/util/fptr_wlist.c @@ -90,6 +90,9 @@ #ifdef CLIENT_SUBNET #include "edns-subnet/subnetmod.h" #endif +#ifdef USE_IPSET +#include "ipset/ipset.h" +#endif int fptr_whitelist_comm_point(comm_point_callback_type *fptr) @@ -358,8 +361,8 @@ fptr_whitelist_modenv_kill_sub(void (*fptr)(struct module_qstate* newq)) } int -fptr_whitelist_modenv_detect_cycle(int (*fptr)( - struct module_qstate* qstate, struct query_info* qinfo, +fptr_whitelist_modenv_detect_cycle(int (*fptr)( + struct module_qstate* qstate, struct query_info* qinfo, uint16_t flags, int prime, int valrec)) { if(fptr == &mesh_detect_cycle) return 1; @@ -385,6 +388,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id)) #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_init) return 1; #endif +#ifdef USE_IPSET + else if(fptr == &ipset_init) return 1; +#endif return 0; } @@ -407,6 +413,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id)) #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_deinit) return 1; #endif +#ifdef USE_IPSET + else if(fptr == &ipset_deinit) return 1; +#endif return 0; } @@ -430,6 +439,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate, #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_operate) return 1; #endif +#ifdef USE_IPSET + else if(fptr == &ipset_operate) return 1; +#endif return 0; } @@ -453,6 +465,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)( #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_inform_super) return 1; #endif +#ifdef USE_IPSET + else if(fptr == &ipset_inform_super) return 1; +#endif return 0; } @@ -476,6 +491,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate, #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_clear) return 1; #endif +#ifdef USE_IPSET + else if(fptr == &ipset_clear) return 1; +#endif return 0; } @@ -498,6 +516,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id)) #ifdef CLIENT_SUBNET else if(fptr == &subnetmod_get_mem) return 1; #endif +#ifdef USE_IPSET + else if(fptr == &ipset_get_mem) return 1; +#endif return 0; } @@ -597,3 +618,4 @@ int fptr_whitelist_inplace_cb_query_response( #endif return 0; } + diff --git a/usr.sbin/unbound/util/iana_ports.inc b/usr.sbin/unbound/util/iana_ports.inc index aa972a67bd5..8577073c868 100644 --- a/usr.sbin/unbound/util/iana_ports.inc +++ b/usr.sbin/unbound/util/iana_ports.inc @@ -1848,7 +1848,6 @@ 2197, 2198, 2199, -2200, 2201, 2202, 2203, diff --git a/usr.sbin/unbound/util/mini_event.c b/usr.sbin/unbound/util/mini_event.c index faadf1a23c8..661d88d2e6f 100644 --- a/usr.sbin/unbound/util/mini_event.c +++ b/usr.sbin/unbound/util/mini_event.c @@ -313,7 +313,7 @@ int event_add(struct event* ev, struct timeval* tv) struct timeval *now = ev->ev_base->time_tv; ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec; ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec; - while(ev->ev_timeout.tv_usec > 1000000) { + while(ev->ev_timeout.tv_usec >= 1000000) { ev->ev_timeout.tv_usec -= 1000000; ev->ev_timeout.tv_sec++; } diff --git a/usr.sbin/unbound/util/net_help.c b/usr.sbin/unbound/util/net_help.c index 13bcdf8085b..88bfc225a8e 100644 --- a/usr.sbin/unbound/util/net_help.c +++ b/usr.sbin/unbound/util/net_help.c @@ -744,6 +744,14 @@ listen_sslctx_setup(void* ctxt) return 0; } #endif +#if defined(SSL_OP_NO_RENEGOTIATION) + /* disable client renegotiation */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & + SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { + log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); + return 0; + } +#endif #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) /* if we have sha256, set the cipher list to have no known vulns */ if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) @@ -962,6 +970,14 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) SSL_CTX_free(ctx); return NULL; } +#if defined(SSL_OP_NO_RENEGOTIATION) + /* disable client renegotiation */ + if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & + SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { + log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); + return 0; + } +#endif if(key && key[0]) { if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) { log_err("error in client certificate %s", pem); diff --git a/usr.sbin/unbound/util/winsock_event.c b/usr.sbin/unbound/util/winsock_event.c index 63d98796d19..de6c28ecb08 100644 --- a/usr.sbin/unbound/util/winsock_event.c +++ b/usr.sbin/unbound/util/winsock_event.c @@ -558,7 +558,7 @@ int event_add(struct event *ev, struct timeval *tv) struct timeval *now = ev->ev_base->time_tv; ev->ev_timeout.tv_sec = tv->tv_sec + now->tv_sec; ev->ev_timeout.tv_usec = tv->tv_usec + now->tv_usec; - while(ev->ev_timeout.tv_usec > 1000000) { + while(ev->ev_timeout.tv_usec >= 1000000) { ev->ev_timeout.tv_usec -= 1000000; ev->ev_timeout.tv_sec++; } diff --git a/usr.sbin/unbound/validator/autotrust.c b/usr.sbin/unbound/validator/autotrust.c index a72967302df..fba14ff7c3c 100644 --- a/usr.sbin/unbound/validator/autotrust.c +++ b/usr.sbin/unbound/validator/autotrust.c @@ -1175,15 +1175,28 @@ void autr_write_file(struct module_env* env, struct trust_anchor* tp) { FILE* out; char* fname = tp->autr->file; + long long llvalue; char tempf[2048]; log_assert(tp->autr); if(!env) { log_err("autr_write_file: Module environment is NULL."); return; } - /* unique name with pid number and thread number */ - snprintf(tempf, sizeof(tempf), "%s.%d-%d", fname, (int)getpid(), - env->worker?*(int*)env->worker:0); + /* unique name with pid number, thread number, and struct pointer + * (the pointer uniquifies for multiple libunbound contexts) */ +#if defined(SIZE_MAX) && defined(UINT32_MAX) && (UINT32_MAX == SIZE_MAX || INT32_MAX == SIZE_MAX) + /* avoid warning about upcast on 32bit systems */ + llvalue = (unsigned long)tp; +#else + llvalue = (unsigned long long)tp; +#endif +#ifndef USE_WINSOCK + snprintf(tempf, sizeof(tempf), "%s.%d-%d-%llx", fname, (int)getpid(), + env->worker?*(int*)env->worker:0, llvalue); +#else + snprintf(tempf, sizeof(tempf), "%s.%d-%d-%I64x", fname, (int)getpid(), + env->worker?*(int*)env->worker:0, llvalue); +#endif verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf); out = fopen(tempf, "w"); if(!out) { |