authorsthen <sthen@openbsd.org>2015-11-05 21:21:03 +0000
committersthen <sthen@openbsd.org>2015-11-05 21:21:03 +0000
commita65f413bde3dff3df314a3d44b7f74bd439def16 (patch)
tree8345d8aecc39d98d73f1b6aa537083c4cf5b931e /usr.sbin/nsd
parentnewfs the ext2fs partition containing the boot blocks with -O 1 when running (diff)
update to NSD 4.1.6, ok millert@ florian@
Diffstat (limited to 'usr.sbin/nsd')
-rw-r--r--usr.sbin/nsd/acx_nlnetlabs.m447
-rw-r--r--usr.sbin/nsd/configlexer.lex1
-rw-r--r--usr.sbin/nsd/nsd-checkzone.8.in2
-rw-r--r--usr.sbin/nsd/nsd.conf.sample.in7
-rw-r--r--usr.sbin/nsd/nsd.h16
-rw-r--r--usr.sbin/nsd/options.h1
-rw-r--r--usr.sbin/nsd/query.h7
-rw-r--r--usr.sbin/nsd/xfrd-notify.c8
-rw-r--r--usr.sbin/nsd/xfrd-notify.h2
9 files changed, 75 insertions, 16 deletions
diff --git a/usr.sbin/nsd/acx_nlnetlabs.m4 b/usr.sbin/nsd/acx_nlnetlabs.m4
index decf0f58600..c9ca7558da5 100644
--- a/usr.sbin/nsd/acx_nlnetlabs.m4
+++ b/usr.sbin/nsd/acx_nlnetlabs.m4
@@ -2,7 +2,8 @@
# Copyright 2009, Wouter Wijngaards, NLnet Labs.
# BSD licensed.
#
-# Version 27
+# Version 28
+# 2015-08-28 ACX_CHECK_PIE and ACX_CHECK_RELRO_NOW added.
# 2015-03-17 AHX_CONFIG_REALLOCARRAY added
# 2013-09-19 FLTO help text improved.
# 2013-07-18 Enable ACX_CHECK_COMPILER_FLAG to test for -Wstrict-prototypes
@@ -94,6 +95,8 @@
# ACX_CHECK_MEMCMP_SIGNED - check if memcmp uses signed characters.
# AHX_MEMCMP_BROKEN - replace memcmp func for CHECK_MEMCMP_SIGNED.
# ACX_CHECK_SS_FAMILY - check for sockaddr_storage.ss_family
+# ACX_CHECK_PIE - add --enable-pie option and check if works
+# ACX_CHECK_RELRO_NOW - add --enable-relro-now option and check it
#
dnl Escape backslashes as \\, for C:\ paths, for the C preprocessor defines.
@@ -1386,4 +1389,46 @@ AC_DEFUN([ACX_CHECK_SS_FAMILY],
#endif
]) ])
+dnl Check if CC and linker support -fPIE and -pie.
+dnl If so, sets them in CFLAGS / LDFLAGS.
+AC_DEFUN([ACX_CHECK_PIE], [
+ AC_ARG_ENABLE([pie], AS_HELP_STRING([--enable-pie], [Enable Position-Independent Executable (eg. to fully benefit from ASLR, small performance penalty)]))
+ AS_IF([test "x$enable_pie" = "xyes"], [
+ AC_MSG_CHECKING([if $CC supports PIE])
+ BAKLDFLAGS="$LDFLAGS"
+ BAKCFLAGS="$CFLAGS"
+ LDFLAGS="$LDFLAGS -pie"
+ CFLAGS="$CFLAGS -fPIE"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+ if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+ LDFLAGS="$BAKLDFLAGS"
+ AC_MSG_RESULT(no)
+ else
+ AC_MSG_RESULT(yes)
+ fi
+ rm -f conftest conftest.c conftest.o
+ ], [LDFLAGS="$BAKLDFLAGS" ; CFLAGS="$BAKCFLAGS" ; AC_MSG_RESULT(no)])
+ ])
+])
+
+dnl Check if linker supports -Wl,-z,relro,-z,now.
+dnl If so, adds it to LDFLAGS.
+AC_DEFUN([ACX_CHECK_RELRO_NOW], [
+ AC_ARG_ENABLE([relro_now], AS_HELP_STRING([--enable-relro-now], [Enable full relocation binding at load-time (RELRO NOW, to protect GOT and .dtor areas)]))
+ AS_IF([test "x$enable_relro_now" = "xyes"], [
+ AC_MSG_CHECKING([if $CC supports -Wl,-z,relro,-z,now])
+ BAKLDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS -Wl,-z,relro,-z,now"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([], [])], [
+ if $CC $CFLAGS $LDFLAGS -o conftest conftest.c 2>&1 | grep "warning: no debug symbols in executable" >/dev/null; then
+ LDFLAGS="$BAKLDFLAGS"
+ AC_MSG_RESULT(no)
+ else
+ AC_MSG_RESULT(yes)
+ fi
+ rm -f conftest conftest.c conftest.o
+ ], [LDFLAGS="$BAKLDFLAGS" ; AC_MSG_RESULT(no)])
+ ])
+])
+
dnl End of file
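Review bot: In ACX_CHECK_PIE the branch that detects the "no debug symbols in executable" warning restores only LDFLAGS, so `-fPIE` stays in CFLAGS while `-pie` is dropped, whereas the link-failure branch restores both; adding `CFLAGS="$BAKCFLAGS"` next to `LDFLAGS="$BAKLDFLAGS"` in that branch would make the two paths agree. Both macros also report only `no` when an explicitly requested hardening flag turns out to be unsupported, so a build configured with --enable-pie or --enable-relro-now continues without the protection. An `AC_MSG_WARN` (or `AC_MSG_ERROR`) in the failure branches would make that downgrade visible to whoever builds the package. The inner `$CC ... | grep` check has no comment saying which toolchain emits that warning, and a `dnl` line explaining it would help the next maintainer.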
diff --git a/usr.sbin/nsd/configlexer.lex b/usr.sbin/nsd/configlexer.lex
index 44cabe8ca57..e38e952a3f1 100644
--- a/usr.sbin/nsd/configlexer.lex
+++ b/usr.sbin/nsd/configlexer.lex
@@ -217,6 +217,7 @@ ipv4-edns-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IPV4_EDNS_SIZE;}
ipv6-edns-size{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_IPV6_EDNS_SIZE;}
pidfile{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PIDFILE;}
port{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_PORT;}
+reuseport{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_REUSEPORT;}
statistics{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_STATISTICS;}
chroot{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_CHROOT;}
username{COLON} { LEXOUT(("v(%s) ", yytext)); return VAR_USERNAME;}
diff --git a/usr.sbin/nsd/nsd-checkzone.8.in b/usr.sbin/nsd/nsd-checkzone.8.in
index 648eb8784e5..3216c8c9ba0 100644
--- a/usr.sbin/nsd/nsd-checkzone.8.in
+++ b/usr.sbin/nsd/nsd-checkzone.8.in
@@ -1,4 +1,4 @@
-.TH "nsd\-checkzone" "8" "Jun 23, 2015" "NLnet Labs" "nsd 4.1.3"
+.TH "nsd\-checkzone" "8" "Oct 22, 2015" "NLnet Labs" "nsd 4.1.6"
.\" Copyright (c) 2014, NLnet Labs. All rights reserved.
.\" See LICENSE for the license.
.SH "NAME"
diff --git a/usr.sbin/nsd/nsd.conf.sample.in b/usr.sbin/nsd/nsd.conf.sample.in
index a401db69219..e3d1ff70fd8 100644
--- a/usr.sbin/nsd/nsd.conf.sample.in
+++ b/usr.sbin/nsd/nsd.conf.sample.in
@@ -17,6 +17,9 @@ server:
# uncomment to specify specific interfaces to bind (default are the
# wildcard interfaces 0.0.0.0 and ::0).
+ # For servers with multiple IP addresses, list them one by one,
+ # or the source address of replies could be wrong.
+ # Use ip-transparent to be able to list addresses that turn on later.
# ip-address: 1.2.3.4
# ip-address: 1.2.3.4@5678
# ip-address: 12fe::8ef0
@@ -24,6 +27,10 @@ server:
# Allow binding to non local addresses. Default no.
# ip-transparent: no
+ # use the reuseport socket option for performance.
+ # The default is yes on linux, no for others.
+ # reuseport: no
+
# enable debug mode, does not fork daemon process into the background.
# debug-mode: no
diff --git a/usr.sbin/nsd/nsd.h b/usr.sbin/nsd/nsd.h
index 7fd805e3746..8ebf1a2bae8 100644
--- a/usr.sbin/nsd/nsd.h
+++ b/usr.sbin/nsd/nsd.h
@@ -108,6 +108,7 @@ struct nsd_socket
{
struct addrinfo * addr;
int s;
+ int fam;
};
struct nsd_child
@@ -118,6 +119,9 @@ struct nsd_child
/* The child's process id. */
pid_t pid;
+ /* child number in child array */
+ int child_num;
+
/*
* Socket used by the parent process to send commands and
* receive responses to/from this child process.
@@ -198,15 +202,17 @@ struct nsd
unsigned char *nsid;
uint8_t file_rotation_ok;
- /* number of interfaces, ifs < MAX_INTERFACES */
+ /* number of interfaces */
size_t ifs;
uint8_t grab_ip6_optional;
+ /* non0 if so_reuseport is in use, if so, tcp, udp array increased */
+ int reuseport;
- /* TCP specific configuration */
- struct nsd_socket tcp[MAX_INTERFACES];
+ /* TCP specific configuration (array size ifs) */
+ struct nsd_socket* tcp;
- /* UDP specific configuration */
- struct nsd_socket udp[MAX_INTERFACES];
+ /* UDP specific configuration (array size ifs) */
+ struct nsd_socket* udp;
edns_data_type edns_ipv4;
#if defined(INET6)
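Review bot: The new comments on `tcp` and `udp` say "(array size ifs)", but the comment on `reuseport` says the arrays are increased when so_reuseport is in use, so the header no longer states the real element count now that the fixed `MAX_INTERFACES` bound is gone. These are pointers whose bounds do not come from the type, so every index into them depends on that count; I would spell it out, for example `/* TCP sockets, allocated array; element count is <expression>, see <allocation site> */`, and say who frees the arrays. Code elsewhere that still bounds a loop by `MAX_INTERFACES` or takes `sizeof` of these members would change meaning with this edit, though none is visible in this hunk. The definition of struct nsd starts and ends outside the hunk.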
diff --git a/usr.sbin/nsd/options.h b/usr.sbin/nsd/options.h
index da3d0979175..accf470a368 100644
--- a/usr.sbin/nsd/options.h
+++ b/usr.sbin/nsd/options.h
@@ -89,6 +89,7 @@ struct nsd_options {
int zonefiles_write;
int log_time_ascii;
int round_robin;
+ int reuseport;
/** remote control section. enable toggle. */
int control_enable;
diff --git a/usr.sbin/nsd/query.h b/usr.sbin/nsd/query.h
index 4ff21f770c5..a950de3e002 100644
--- a/usr.sbin/nsd/query.h
+++ b/usr.sbin/nsd/query.h
@@ -191,7 +191,7 @@ query_state_type query_process(query_type *q, nsd_type *nsd);
* includes the packet header and question section. Space is reserved
* for the optional EDNS record, if required.
*/
-void query_prepare_response(query_type *q);
+void query_prepare_response(query_type *q, nsd_type* nsd);
/*
* Add EDNS0 information to the response if required.
@@ -209,9 +209,4 @@ query_overflow(query_type *q)
{
return buffer_position(q->packet) > (q->maxlen - q->reserved_space);
}
-static inline int
-query_overflow_nsid(query_type *q, uint16_t nsid_len)
-{
- return buffer_position(q->packet) > (q->maxlen - q->reserved_space - nsid_len);
-}
#endif /* _QUERY_H_ */
diff --git a/usr.sbin/nsd/xfrd-notify.c b/usr.sbin/nsd/xfrd-notify.c
index 6fb8e00e1e8..eb55c507d7d 100644
--- a/usr.sbin/nsd/xfrd-notify.c
+++ b/usr.sbin/nsd/xfrd-notify.c
@@ -325,11 +325,15 @@ notify_enable(struct notify_zone_t* zone, struct xfrd_soa* new_soa)
}
void
-xfrd_notify_start(struct notify_zone_t* zone)
+xfrd_notify_start(struct notify_zone_t* zone, struct xfrd_state* xfrd)
{
+ xfrd_zone_t* xz;
if(zone->is_waiting || zone->notify_send_enable)
return;
- notify_enable(zone, NULL);
+ xz = (xfrd_zone_t*)rbtree_search(xfrd->zones, zone->apex);
+ if(xz && xz->soa_nsd_acquired)
+ notify_enable(zone, &xz->soa_nsd);
+ else notify_enable(zone, NULL);
}
void
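Review bot: The lookup added to xfrd_notify_start dereferences `xfrd` and casts the rbtree_search() result directly to `xfrd_zone_t*`, and neither assumption is documented; the cast is only valid if the tree node sits at the start of xfrd_zone_t, which this hunk does not show. A comment above the search such as `/* xfrd->zones holds xfrd_zone_t nodes keyed by apex; notify with the SOA nsd has acquired, if any */` would record the intent. The prototype comment in xfrd-notify.h ("does not clobber SOA") should also mention the new `xfrd` parameter and that a SOA may now be passed to notify_enable. As a style point, `else notify_enable(zone, NULL);` would read better with the call on its own line, matching the `if` branch.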
diff --git a/usr.sbin/nsd/xfrd-notify.h b/usr.sbin/nsd/xfrd-notify.h
index a4b7e088dbd..acda34308f3 100644
--- a/usr.sbin/nsd/xfrd-notify.h
+++ b/usr.sbin/nsd/xfrd-notify.h
@@ -73,7 +73,7 @@ void xfrd_del_notify(struct xfrd_state* xfrd, const dname_type* dname);
void xfrd_send_notify(rbtree_t* tree, const struct dname* apex,
struct xfrd_soa* new_soa);
/* start notifications, if not started already (does not clobber SOA) */
-void xfrd_notify_start(struct notify_zone_t* zone);
+void xfrd_notify_start(struct notify_zone_t* zone, struct xfrd_state* xfrd);
/* handle soa update notify for a master zone. newsoa can be NULL.
Makes sure that the soa (serial) has changed. Or drops notify. */