From nobody Sun Mar 17 07:59:07 2024 X-Original-To: dev-commits-src-all@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Ty9Nr212Vz4qJ82; Sun, 17 Mar 2024 07:59:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Ty9Nr1gjKz43c0; Sun, 17 Mar 2024 07:59:08 +0000 (UTC) (envelope-from git@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1710662348; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sH2GJlvaHx7lqKgof9pNkaCvEC0DE23APKk9HJuZSGk=; b=GUNZztiVli/VO6GM+q4rTSU+JuCTmO2lzjfkhw8iqz6Q9Z8rsge39O5E4TKEwVfc6qbRrF 1E4ZW0nSBQcogtz+QYsqRKPY5IFUsWgqN8h5C7T68BFecCZnL6fDyIwePNOx0A66tnkNVs I3n9qBAEmdFqeLTz1haTmyGh3+aoihskcUSlBOMAwBFKeRzR5rhTvNlsDua0KjpDMEqDJ7 GfFzJc0YTMRyCG0iNwr69HBrBnlENi6769VwgFWYidbKvwAj++IfyJWMA0t92EldUJKNmu UblffMSt6NCQQdE5TipX9Gs2Ie2eEpIyjg/yGPO4qNomBhxhEZWFfa4KweAnUQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1710662348; a=rsa-sha256; cv=none; b=H9mIrfoBPamMuDZfBzVZJskbaFFSPoqi7F+vWm3WynGBWzSVB8j+G3s2n4khFb2MLUHlvN OdFNORSdOIY/Yy+R+0mziq0GfF0f0ybXskJ+4vrrk3JMtjySnghLF4mi2BbFdOhaYgWDdM ukr1PczI8BDYgRRIZzt+Ib7lAl3EEZL3zAq1f7ntysi7Ix0iVmrnq07Xs+b93PGWPyfmX+ aqepnnwyr7REPt+EMrXsRpLIaPBMDJttUGFA/o2BE8q8q6vJANSmIMDDoObynSC2IRlLms 9FTX+G2VfBaYicZbGMzSdMHq/dpE5V7ocQsJZJ+we9GkcJPif9Q0N2y7NGlclA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1710662348; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=sH2GJlvaHx7lqKgof9pNkaCvEC0DE23APKk9HJuZSGk=; b=B94dlOgid3Mr1iEy/rPPyXPOS05ytScnPHfjTk9Bmh4CR5f0vn4V4OGYV7/szgrLz05a4G o5vZebYxtbPFi0FSjeWcV59FfHp2/3IFVMbH9rXbooIuAFPHqrrbAedOuc0VfXYyS0gQRW PqWhkpP8OCouPCmKDhMj0eHy6AZJRPGri7iijWAt6Rl9EHoawrwVzWMcVpEzH1UVr+bx7R hDztDJH+YbTaxijNwnjrGl89oQttuVdo/c11w9riK6wYi98Nj0IAbGEzLVw3CboVPpIEtH S5SpTdyHhwh38RcsdfZ49AAwa+v8/QaEoSiezFrbtMjAGkheBtqhppTFtjLv6A== Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 4Ty9Nr1GYmzWcc; Sun, 17 Mar 2024 07:59:08 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.17.1/8.17.1) with ESMTP id 42H7x840050485; Sun, 17 Mar 2024 07:59:08 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.17.1/8.17.1/Submit) id 42H7x7EZ050470; Sun, 17 Mar 2024 07:59:07 GMT (envelope-from git) Date: Sun, 17 Mar 2024 07:59:07 GMT Message-Id: <202403170759.42H7x7EZ050470@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Cy Schubert Subject: git: b7c0c8c18e0f - main - unbound: Vendor import 1.19.3 List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-all@freebsd.org X-BeenThere: dev-commits-src-all@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: cy X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: b7c0c8c18e0f12bc22e251fbcabad719b364a38a Auto-Submitted: auto-generated The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=b7c0c8c18e0f12bc22e251fbcabad719b364a38a commit b7c0c8c18e0f12bc22e251fbcabad719b364a38a Merge: d50685b303e3 5a33598e88ad Author: Cy Schubert AuthorDate: 2024-03-17 00:13:09 +0000 Commit: Cy Schubert CommitDate: 2024-03-17 07:57:42 +0000 unbound: Vendor import 1.19.3 Release notes at https://www.nlnetlabs.nl/news/2024/Mar/14/unbound-1.19.3-released/ MFC after: 1 week Merge commit '5a33598e88ad8fbc0affa74dee0a2d8cc4010fbc' into main contrib/unbound/acx_nlnetlabs.m4 | 121 +- contrib/unbound/configure | 350 +- contrib/unbound/configure.ac | 28 +- contrib/unbound/daemon/remote.c | 10 +- contrib/unbound/daemon/worker.c | 28 +- contrib/unbound/dnstap/dnstap.c | 32 +- contrib/unbound/dnstap/dnstap.h | 4 + contrib/unbound/dnstap/dnstap.m4 | 107 +- contrib/unbound/dnstap/dnstap.proto | 82 +- contrib/unbound/doc/Changelog | 140 +- contrib/unbound/doc/README | 11 +- contrib/unbound/doc/example.conf.in | 25 +- contrib/unbound/doc/libunbound.3.in | 4 +- contrib/unbound/doc/unbound-anchor.8.in | 2 +- contrib/unbound/doc/unbound-checkconf.8.in | 2 +- contrib/unbound/doc/unbound-control.8.in | 2 +- contrib/unbound/doc/unbound-host.1.in | 2 +- contrib/unbound/doc/unbound.8.in | 4 +- contrib/unbound/doc/unbound.conf.5.in | 24 +- contrib/unbound/iterator/iter_fwd.c | 1 - contrib/unbound/iterator/iter_hints.c | 5 +- contrib/unbound/iterator/iter_scrub.c | 3 +- contrib/unbound/iterator/iterator.c | 8 +- contrib/unbound/services/authzone.c | 2 +- contrib/unbound/services/cache/dns.c | 12 +- contrib/unbound/services/localzone.c | 6 +- contrib/unbound/services/mesh.c | 10 +- contrib/unbound/services/outside_network.c | 46 +- .../cachedb_no_store.tdir/cachedb_no_store.post | 2 +- .../cachedb_no_store.tdir/cachedb_no_store.test | 14 +- .../unbound/testdata/iter_cname_minimise_nx.rpl | 1 - contrib/unbound/testdata/iter_dname_ttl.rpl | 310 + .../testdata/root_zonemd.tdir/root_zonemd.test | 32 +- contrib/unbound/testdata/rrset_use_cached.rpl | 151 + .../unbound/testdata/serve_expired_0ttl_nodata.rpl | 2 +- .../testdata/serve_expired_0ttl_nxdomain.rpl | 2 +- .../testdata/serve_expired_0ttl_servfail.rpl | 2 +- .../testdata/serve_expired_cached_servfail.rpl | 2 +- .../serve_expired_cached_servfail_refresh.rpl | 2 +- .../unbound/testdata/subnet_scopezero_noedns.crpl | 441 ++ contrib/unbound/util/config_file.c | 3 + contrib/unbound/util/config_file.h | 2 + contrib/unbound/util/configlexer.c | 7627 +++++++++++++++++++ contrib/unbound/util/configlexer.lex | 1 + contrib/unbound/util/configparser.c | 7713 ++++++++++++++++++++ contrib/unbound/util/configparser.h | 781 ++ contrib/unbound/util/configparser.y | 13 +- contrib/unbound/util/data/msgencode.c | 3 + contrib/unbound/util/data/msgreply.c | 53 +- contrib/unbound/util/data/msgreply.h | 6 +- contrib/unbound/util/data/packed_rrset.c | 5 +- contrib/unbound/util/iana_ports.inc | 1 - contrib/unbound/util/netevent.c | 12 +- contrib/unbound/validator/autotrust.c | 8 +- contrib/unbound/validator/val_sigcrypt.c | 2 +- contrib/unbound/validator/val_utils.c | 55 +- contrib/unbound/validator/validator.c | 2 + lib/libunbound/config.h | 6 +- 58 files changed, 18038 insertions(+), 287 deletions(-) diff --cc contrib/unbound/testdata/iter_dname_ttl.rpl index 000000000000,115947af3ab3..115947af3ab3 mode 000000,100644..100644 --- a/contrib/unbound/testdata/iter_dname_ttl.rpl +++ b/contrib/unbound/testdata/iter_dname_ttl.rpl diff --cc contrib/unbound/testdata/rrset_use_cached.rpl index 000000000000,8420ae02afe6..8420ae02afe6 mode 000000,100644..100644 --- a/contrib/unbound/testdata/rrset_use_cached.rpl +++ b/contrib/unbound/testdata/rrset_use_cached.rpl diff --cc contrib/unbound/testdata/subnet_scopezero_noedns.crpl index 000000000000,25df0dd71cf2..25df0dd71cf2 mode 000000,100644..100644 --- a/contrib/unbound/testdata/subnet_scopezero_noedns.crpl +++ b/contrib/unbound/testdata/subnet_scopezero_noedns.crpl diff --cc contrib/unbound/util/config_file.c index 5d3cdfb669af,000000000000..e8de5119ba68 mode 100644,000000..100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@@ -1,2721 -1,0 +1,2724 @@@ +/* + * util/config_file.c - reads and stores the config file for unbound. + * + * Copyright (c) 2007, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains functions for the config file. + */ + +#include "config.h" +#include +#include +#ifdef HAVE_TIME_H +#include +#endif +#include "util/log.h" +#include "util/configyyrename.h" +#include "util/config_file.h" +#include "configparser.h" +#include "util/net_help.h" +#include "util/data/msgparse.h" +#include "util/module.h" +#include "util/regional.h" +#include "util/fptr_wlist.h" +#include "util/data/dname.h" +#include "util/random.h" +#include "util/rtt.h" +#include "services/cache/infra.h" +#include "sldns/wire2str.h" +#include "sldns/parseutil.h" +#include "iterator/iterator.h" +#ifdef HAVE_GLOB_H +# include +#endif +#ifdef CLIENT_SUBNET +#include "edns-subnet/edns-subnet.h" +#endif +#ifdef HAVE_PWD_H +#include +#endif + +/** from cfg username, after daemonize setup performed */ +uid_t cfg_uid = (uid_t)-1; +/** from cfg username, after daemonize setup performed */ +gid_t cfg_gid = (gid_t)-1; +/** for debug allow small timeout values for fast rollovers */ +int autr_permit_small_holddown = 0; +/** size (in bytes) of stream wait buffers max */ +size_t stream_wait_max = 4 * 1024 * 1024; +size_t http2_query_buffer_max = 4 * 1024 * 1024; +size_t http2_response_buffer_max = 4 * 1024 * 1024; + +/** global config during parsing */ +struct config_parser_state* cfg_parser = 0; + +/** init ports possible for use */ +static void init_outgoing_availports(int* array, int num); + +/** init cookie with random data */ +static void init_cookie_secret(uint8_t* cookie_secret, size_t cookie_secret_len); + +struct config_file* +config_create(void) +{ + struct config_file* cfg; + cfg = (struct config_file*)calloc(1, sizeof(struct config_file)); + if(!cfg) + return NULL; + /* the defaults if no config is present */ + cfg->verbosity = 1; + cfg->stat_interval = 0; + cfg->stat_cumulative = 0; + cfg->stat_extended = 0; + cfg->stat_inhibit_zero = 1; + cfg->num_threads = 1; + cfg->port = UNBOUND_DNS_PORT; + cfg->do_ip4 = 1; + cfg->do_ip6 = 1; + cfg->do_udp = 1; + cfg->do_tcp = 1; + cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */ + cfg->max_reuse_tcp_queries = 200; + cfg->tcp_upstream = 0; + cfg->udp_upstream_without_downstream = 0; + cfg->tcp_mss = 0; + cfg->outgoing_tcp_mss = 0; + cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */ + cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */ + cfg->do_tcp_keepalive = 0; + cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */ + cfg->sock_queue_timeout = 0; /* do not check timeout */ + cfg->ssl_service_key = NULL; + cfg->ssl_service_pem = NULL; + cfg->ssl_port = UNBOUND_DNS_OVER_TLS_PORT; + cfg->ssl_upstream = 0; + cfg->tls_cert_bundle = NULL; + cfg->tls_win_cert = 0; + cfg->tls_use_sni = 1; + cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT; + if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit; + cfg->http_max_streams = 100; + cfg->http_query_buffer_size = 4*1024*1024; + cfg->http_response_buffer_size = 4*1024*1024; + cfg->http_nodelay = 1; + cfg->use_syslog = 1; + cfg->log_identity = NULL; /* changed later with argv[0] */ + cfg->log_time_ascii = 0; + cfg->log_queries = 0; + cfg->log_replies = 0; + cfg->log_tag_queryreply = 0; + cfg->log_local_actions = 0; + cfg->log_servfail = 0; ++ cfg->log_destaddr = 0; +#ifndef USE_WINSOCK +# ifdef USE_MINI_EVENT + /* select max 1024 sockets */ + cfg->outgoing_num_ports = 960; + cfg->num_queries_per_thread = 512; +# else + /* libevent can use many sockets */ + cfg->outgoing_num_ports = 4096; + cfg->num_queries_per_thread = 1024; +# endif + cfg->outgoing_num_tcp = 10; + cfg->incoming_num_tcp = 10; +#else + cfg->outgoing_num_ports = 48; /* windows is limited in num fds */ + cfg->num_queries_per_thread = 24; + cfg->outgoing_num_tcp = 2; /* leaves 64-52=12 for: 4if,1stop,thread4 */ + cfg->incoming_num_tcp = 2; +#endif + cfg->stream_wait_size = 4 * 1024 * 1024; + cfg->edns_buffer_size = 1232; /* from DNS flagday recommendation */ + cfg->msg_buffer_size = 65552; /* 64 k + a small margin */ + cfg->msg_cache_size = 4 * 1024 * 1024; + cfg->msg_cache_slabs = 4; + cfg->jostle_time = 200; + cfg->rrset_cache_size = 4 * 1024 * 1024; + cfg->rrset_cache_slabs = 4; + cfg->host_ttl = 900; + cfg->bogus_ttl = 60; + cfg->min_ttl = 0; + cfg->max_ttl = 3600 * 24; + cfg->max_negative_ttl = 3600; + cfg->prefetch = 0; + cfg->prefetch_key = 0; + cfg->deny_any = 0; + cfg->infra_cache_slabs = 4; + cfg->infra_cache_numhosts = 10000; + cfg->infra_cache_min_rtt = 50; + cfg->infra_cache_max_rtt = 120000; + cfg->infra_keep_probing = 0; + cfg->delay_close = 0; + cfg->udp_connect = 1; + if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int)))) + goto error_exit; + init_outgoing_availports(cfg->outgoing_avail_ports, 65536); + if(!(cfg->username = strdup(UB_USERNAME))) goto error_exit; +#ifdef HAVE_CHROOT + if(!(cfg->chrootdir = strdup(CHROOT_DIR))) goto error_exit; +#endif + if(!(cfg->directory = strdup(RUN_DIR))) goto error_exit; + if(!(cfg->logfile = strdup(""))) goto error_exit; + if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit; + if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit; + cfg->fast_server_permil = 0; + cfg->fast_server_num = 3; + cfg->donotqueryaddrs = NULL; + cfg->donotquery_localhost = 1; + cfg->root_hints = NULL; + cfg->use_systemd = 0; + cfg->do_daemonize = 1; + cfg->if_automatic = 0; + cfg->if_automatic_ports = NULL; + cfg->so_rcvbuf = 0; + cfg->so_sndbuf = 0; + cfg->so_reuseport = REUSEPORT_DEFAULT; + cfg->ip_transparent = 0; + cfg->ip_freebind = 0; + cfg->ip_dscp = 0; + cfg->num_ifs = 0; + cfg->ifs = NULL; + cfg->num_out_ifs = 0; + cfg->out_ifs = NULL; + cfg->stubs = NULL; + cfg->forwards = NULL; + cfg->auths = NULL; +#ifdef CLIENT_SUBNET + cfg->client_subnet = NULL; + cfg->client_subnet_zone = NULL; + cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET; + cfg->client_subnet_always_forward = 0; + cfg->max_client_subnet_ipv4 = 24; + cfg->max_client_subnet_ipv6 = 56; + cfg->min_client_subnet_ipv4 = 0; + cfg->min_client_subnet_ipv6 = 0; + cfg->max_ecs_tree_size_ipv4 = 100; + cfg->max_ecs_tree_size_ipv6 = 100; +#endif + cfg->views = NULL; + cfg->acls = NULL; + cfg->tcp_connection_limits = NULL; + cfg->harden_short_bufsize = 1; + cfg->harden_large_queries = 0; + cfg->harden_glue = 1; + cfg->harden_dnssec_stripped = 1; + cfg->harden_below_nxdomain = 1; + cfg->harden_referral_path = 0; + cfg->harden_algo_downgrade = 0; + cfg->harden_unknown_additional = 0; + cfg->use_caps_bits_for_id = 0; + cfg->caps_whitelist = NULL; + cfg->private_address = NULL; + cfg->private_domain = NULL; + cfg->unwanted_threshold = 0; + cfg->hide_identity = 0; + cfg->hide_version = 0; + cfg->hide_trustanchor = 0; + cfg->hide_http_user_agent = 0; + cfg->identity = NULL; + cfg->version = NULL; + cfg->http_user_agent = NULL; + cfg->nsid_cfg_str = NULL; + cfg->nsid = NULL; + cfg->nsid_len = 0; + cfg->auto_trust_anchor_file_list = NULL; + cfg->trust_anchor_file_list = NULL; + cfg->trust_anchor_list = NULL; + cfg->trusted_keys_file_list = NULL; + cfg->trust_anchor_signaling = 1; + cfg->root_key_sentinel = 1; + cfg->domain_insecure = NULL; + cfg->val_date_override = 0; + cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */ + cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */ + cfg->val_max_restart = 5; + cfg->val_clean_additional = 1; + cfg->val_log_level = 0; + cfg->val_log_squelch = 0; + cfg->val_permissive_mode = 0; + cfg->aggressive_nsec = 1; + cfg->ignore_cd = 0; + cfg->disable_edns_do = 0; + cfg->serve_expired = 0; + cfg->serve_expired_ttl = 0; + cfg->serve_expired_ttl_reset = 0; + cfg->serve_expired_reply_ttl = 30; + cfg->serve_expired_client_timeout = 0; + cfg->ede_serve_expired = 0; + cfg->serve_original_ttl = 0; + cfg->zonemd_permissive_mode = 0; + cfg->add_holddown = 30*24*3600; + cfg->del_holddown = 30*24*3600; + cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */ + cfg->permit_small_holddown = 0; + cfg->key_cache_size = 4 * 1024 * 1024; + cfg->key_cache_slabs = 4; + cfg->neg_cache_size = 1 * 1024 * 1024; + cfg->local_zones = NULL; + cfg->local_zones_nodefault = NULL; +#ifdef USE_IPSET + cfg->local_zones_ipset = NULL; +#endif + cfg->local_zones_disable_default = 0; + cfg->local_data = NULL; + cfg->local_zone_overrides = NULL; + cfg->unblock_lan_zones = 0; + cfg->insecure_lan_zones = 0; + cfg->python_script = NULL; + cfg->dynlib_file = NULL; + cfg->remote_control_enable = 0; + cfg->control_ifs.first = NULL; + cfg->control_ifs.last = NULL; + cfg->control_port = UNBOUND_CONTROL_PORT; + cfg->control_use_cert = 1; + cfg->minimal_responses = 1; + cfg->rrset_roundrobin = 1; + cfg->unknown_server_time_limit = 376; + cfg->max_udp_size = 1232; /* value taken from edns_buffer_size */ + if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) + goto error_exit; + if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem"))) + goto error_exit; + if(!(cfg->control_key_file = strdup(RUN_DIR"/unbound_control.key"))) + goto error_exit; + if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem"))) + goto error_exit; + +#ifdef CLIENT_SUBNET + if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit; +#else + if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; +#endif + if(!(cfg->val_nsec3_key_iterations = + strdup("1024 150 2048 150 4096 150"))) goto error_exit; +#if defined(DNSTAP_SOCKET_PATH) + if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) + goto error_exit; +#endif + cfg->dnstap_bidirectional = 1; + cfg->dnstap_tls = 1; + cfg->disable_dnssec_lame_check = 0; + cfg->ip_ratelimit_cookie = 0; + cfg->ip_ratelimit = 0; + cfg->ratelimit = 0; + cfg->ip_ratelimit_slabs = 4; + cfg->ratelimit_slabs = 4; + cfg->ip_ratelimit_size = 4*1024*1024; + cfg->ratelimit_size = 4*1024*1024; + cfg->ratelimit_for_domain = NULL; + cfg->ratelimit_below_domain = NULL; + cfg->ip_ratelimit_factor = 10; + cfg->ratelimit_factor = 10; + cfg->ip_ratelimit_backoff = 0; + cfg->ratelimit_backoff = 0; + cfg->outbound_msg_retry = 5; + cfg->max_sent_count = 32; + cfg->max_query_restarts = 11; + cfg->qname_minimisation = 1; + cfg->qname_minimisation_strict = 0; + cfg->shm_enable = 0; + cfg->shm_key = 11777; + cfg->edns_client_strings = NULL; + cfg->edns_client_string_opcode = 65001; + cfg->dnscrypt = 0; + cfg->dnscrypt_port = 0; + cfg->dnscrypt_provider = NULL; + cfg->dnscrypt_provider_cert = NULL; + cfg->dnscrypt_provider_cert_rotated = NULL; + cfg->dnscrypt_secret_key = NULL; + cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024; + cfg->dnscrypt_shared_secret_cache_slabs = 4; + cfg->dnscrypt_nonce_cache_size = 4*1024*1024; + cfg->dnscrypt_nonce_cache_slabs = 4; + cfg->pad_responses = 1; + cfg->pad_responses_block_size = 468; /* from RFC8467 */ + cfg->pad_queries = 1; + cfg->pad_queries_block_size = 128; /* from RFC8467 */ +#ifdef USE_IPSECMOD + cfg->ipsecmod_enabled = 1; + cfg->ipsecmod_ignore_bogus = 0; + cfg->ipsecmod_hook = NULL; + cfg->ipsecmod_max_ttl = 3600; + cfg->ipsecmod_whitelist = NULL; + cfg->ipsecmod_strict = 0; +#endif + cfg->do_answer_cookie = 0; + memset(cfg->cookie_secret, 0, sizeof(cfg->cookie_secret)); + cfg->cookie_secret_len = 16; + init_cookie_secret(cfg->cookie_secret, cfg->cookie_secret_len); +#ifdef USE_CACHEDB + if(!(cfg->cachedb_backend = strdup("testframe"))) goto error_exit; + if(!(cfg->cachedb_secret = strdup("default"))) goto error_exit; + cfg->cachedb_no_store = 0; +#ifdef USE_REDIS + if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit; + cfg->redis_server_path = NULL; + cfg->redis_server_password = NULL; + cfg->redis_timeout = 100; + cfg->redis_server_port = 6379; + cfg->redis_expire_records = 0; + cfg->redis_logical_db = 0; +#endif /* USE_REDIS */ +#endif /* USE_CACHEDB */ +#ifdef USE_IPSET + cfg->ipset_name_v4 = NULL; + cfg->ipset_name_v6 = NULL; +#endif + cfg->ede = 0; + return cfg; +error_exit: + config_delete(cfg); + return NULL; +} + +struct config_file* config_create_forlib(void) +{ + struct config_file* cfg = config_create(); + if(!cfg) return NULL; + /* modifications for library use, less verbose, less memory */ + free(cfg->chrootdir); + cfg->chrootdir = NULL; + cfg->verbosity = 0; + cfg->outgoing_num_ports = 16; /* in library use, this is 'reasonable' + and probably within the ulimit(maxfds) of the user */ + cfg->outgoing_num_tcp = 2; + cfg->msg_cache_size = 1024*1024; + cfg->msg_cache_slabs = 1; + cfg->rrset_cache_size = 1024*1024; + cfg->rrset_cache_slabs = 1; + cfg->infra_cache_slabs = 1; + cfg->use_syslog = 0; + cfg->key_cache_size = 1024*1024; + cfg->key_cache_slabs = 1; + cfg->neg_cache_size = 100 * 1024; + cfg->donotquery_localhost = 0; /* allow, so that you can ask a + forward nameserver running on localhost */ + cfg->val_log_level = 2; /* to fill why_bogus with */ + cfg->val_log_squelch = 1; + cfg->minimal_responses = 0; + cfg->harden_short_bufsize = 1; + return cfg; +} + +/** check that the value passed is >= 0 */ +#define IS_NUMBER_OR_ZERO \ + if(atoi(val) == 0 && strcmp(val, "0") != 0) return 0 +/** check that the value passed is > 0 */ +#define IS_NONZERO_NUMBER \ + if(atoi(val) == 0) return 0 +/** check that the value passed is not 0 and a power of 2 */ +#define IS_POW2_NUMBER \ + if(atoi(val) == 0 || !is_pow2((size_t)atoi(val))) return 0 +/** check that the value passed is yes or no */ +#define IS_YES_OR_NO \ + if(strcmp(val, "yes") != 0 && strcmp(val, "no") != 0) return 0 +/** put integer_or_zero into variable */ +#define S_NUMBER_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NUMBER_OR_ZERO; cfg->var = atoi(val); } +/** put integer_nonzero into variable */ +#define S_NUMBER_NONZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NONZERO_NUMBER; cfg->var = atoi(val); } +/** put integer_or_zero into unsigned */ +#define S_UNSIGNED_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NUMBER_OR_ZERO; cfg->var = (unsigned)atoi(val); } +/** put integer_or_zero into size_t */ +#define S_SIZET_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NUMBER_OR_ZERO; cfg->var = (size_t)atoi(val); } +/** put integer_nonzero into size_t */ +#define S_SIZET_NONZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NONZERO_NUMBER; cfg->var = (size_t)atoi(val); } +/** put yesno into variable */ +#define S_YNO(str, var) if(strcmp(opt, str) == 0) \ + { IS_YES_OR_NO; cfg->var = (strcmp(val, "yes") == 0); } +/** put memsize into variable */ +#define S_MEMSIZE(str, var) if(strcmp(opt, str)==0) \ + { return cfg_parse_memsize(val, &cfg->var); } +/** put pow2 number into variable */ +#define S_POW2(str, var) if(strcmp(opt, str)==0) \ + { IS_POW2_NUMBER; cfg->var = (size_t)atoi(val); } +/** put string into variable */ +#define S_STR(str, var) if(strcmp(opt, str)==0) \ + { free(cfg->var); return (cfg->var = strdup(val)) != NULL; } +/** put string into strlist */ +#define S_STRLIST(str, var) if(strcmp(opt, str)==0) \ + { return cfg_strlist_insert(&cfg->var, strdup(val)); } +/** put string into strlist if not present yet*/ +#define S_STRLIST_UNIQ(str, var) if(strcmp(opt, str)==0) \ + { if(cfg_strlist_find(cfg->var, val)) { return 0;} \ + return cfg_strlist_insert(&cfg->var, strdup(val)); } +/** append string to strlist */ +#define S_STRLIST_APPEND(str, var) if(strcmp(opt, str)==0) \ + { return cfg_strlist_append(&cfg->var, strdup(val)); } + +int config_set_option(struct config_file* cfg, const char* opt, + const char* val) +{ + char buf[64]; + if(!opt) return 0; + if(opt[strlen(opt)-1] != ':' && strlen(opt)+2stat_interval = 0; + else if(atoi(val) == 0) + return 0; + else cfg->stat_interval = atoi(val); + } else if(strcmp(opt, "num-threads:") == 0) { + /* not supported, library must have 1 thread in bgworker */ + return 0; + } else if(strcmp(opt, "outgoing-port-permit:") == 0) { + return cfg_mark_ports(val, 1, + cfg->outgoing_avail_ports, 65536); + } else if(strcmp(opt, "outgoing-port-avoid:") == 0) { + return cfg_mark_ports(val, 0, + cfg->outgoing_avail_ports, 65536); + } else if(strcmp(opt, "local-zone:") == 0) { + return cfg_parse_local_zone(cfg, val); + } else if(strcmp(opt, "val-override-date:") == 0) { + if(strcmp(val, "") == 0 || strcmp(val, "0") == 0) { + cfg->val_date_override = 0; + } else if(strlen(val) == 14) { + cfg->val_date_override = cfg_convert_timeval(val); + return cfg->val_date_override != 0; + } else { + if(atoi(val) == 0) return 0; + cfg->val_date_override = (uint32_t)atoi(val); + } + } else if(strcmp(opt, "local-data-ptr:") == 0) { + char* ptr = cfg_ptr_reverse((char*)opt); + return cfg_strlist_insert(&cfg->local_data, ptr); + } else if(strcmp(opt, "logfile:") == 0) { + cfg->use_syslog = 0; + free(cfg->logfile); + return (cfg->logfile = strdup(val)) != NULL; + } + else if(strcmp(opt, "log-time-ascii:") == 0) + { IS_YES_OR_NO; cfg->log_time_ascii = (strcmp(val, "yes") == 0); + log_set_time_asc(cfg->log_time_ascii); } + else S_SIZET_NONZERO("max-udp-size:", max_udp_size) + else S_YNO("use-syslog:", use_syslog) + else S_STR("log-identity:", log_identity) + else S_YNO("extended-statistics:", stat_extended) + else S_YNO("statistics-inhibit-zero:", stat_inhibit_zero) + else S_YNO("statistics-cumulative:", stat_cumulative) + else S_YNO("shm-enable:", shm_enable) + else S_NUMBER_OR_ZERO("shm-key:", shm_key) + else S_YNO("do-ip4:", do_ip4) + else S_YNO("do-ip6:", do_ip6) + else S_YNO("do-udp:", do_udp) + else S_YNO("do-tcp:", do_tcp) + else S_YNO("prefer-ip4:", prefer_ip4) + else S_YNO("prefer-ip6:", prefer_ip6) + else S_YNO("tcp-upstream:", tcp_upstream) + else S_YNO("udp-upstream-without-downstream:", + udp_upstream_without_downstream) + else S_NUMBER_NONZERO("tcp-mss:", tcp_mss) + else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss) + else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout) + else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout) + else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries) + else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout) + else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive) + else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout) + else S_NUMBER_OR_ZERO("sock-queue-timeout:", sock_queue_timeout) + else S_YNO("ssl-upstream:", ssl_upstream) + else S_YNO("tls-upstream:", ssl_upstream) + else S_STR("ssl-service-key:", ssl_service_key) + else S_STR("tls-service-key:", ssl_service_key) + else S_STR("ssl-service-pem:", ssl_service_pem) + else S_STR("tls-service-pem:", ssl_service_pem) + else S_NUMBER_NONZERO("ssl-port:", ssl_port) + else S_NUMBER_NONZERO("tls-port:", ssl_port) + else S_STR("ssl-cert-bundle:", tls_cert_bundle) + else S_STR("tls-cert-bundle:", tls_cert_bundle) + else S_YNO("tls-win-cert:", tls_win_cert) + else S_YNO("tls-system-cert:", tls_win_cert) + else S_STRLIST("additional-ssl-port:", tls_additional_port) + else S_STRLIST("additional-tls-port:", tls_additional_port) + else S_STRLIST("tls-additional-ports:", tls_additional_port) + else S_STRLIST("tls-additional-port:", tls_additional_port) + else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys) + else S_STR("tls-ciphers:", tls_ciphers) + else S_STR("tls-ciphersuites:", tls_ciphersuites) + else S_YNO("tls-use-sni:", tls_use_sni) + else S_NUMBER_NONZERO("https-port:", https_port) + else S_STR("http-endpoint:", http_endpoint) + else S_NUMBER_NONZERO("http-max-streams:", http_max_streams) + else S_MEMSIZE("http-query-buffer-size:", http_query_buffer_size) + else S_MEMSIZE("http-response-buffer-size:", http_response_buffer_size) + else S_YNO("http-nodelay:", http_nodelay) + else S_YNO("http-notls-downstream:", http_notls_downstream) + else S_YNO("interface-automatic:", if_automatic) + else S_STR("interface-automatic-ports:", if_automatic_ports) + else S_YNO("use-systemd:", use_systemd) + else S_YNO("do-daemonize:", do_daemonize) + else S_NUMBER_NONZERO("port:", port) + else S_NUMBER_NONZERO("outgoing-range:", outgoing_num_ports) + else S_SIZET_OR_ZERO("outgoing-num-tcp:", outgoing_num_tcp) + else S_SIZET_OR_ZERO("incoming-num-tcp:", incoming_num_tcp) + else S_MEMSIZE("stream-wait-size:", stream_wait_size) + else S_SIZET_NONZERO("edns-buffer-size:", edns_buffer_size) + else S_SIZET_NONZERO("msg-buffer-size:", msg_buffer_size) + else S_MEMSIZE("msg-cache-size:", msg_cache_size) + else S_POW2("msg-cache-slabs:", msg_cache_slabs) + else S_SIZET_NONZERO("num-queries-per-thread:",num_queries_per_thread) + else S_SIZET_OR_ZERO("jostle-timeout:", jostle_time) + else S_MEMSIZE("so-rcvbuf:", so_rcvbuf) + else S_MEMSIZE("so-sndbuf:", so_sndbuf) + else S_YNO("so-reuseport:", so_reuseport) + else S_YNO("ip-transparent:", ip_transparent) + else S_YNO("ip-freebind:", ip_freebind) + else S_NUMBER_OR_ZERO("ip-dscp:", ip_dscp) + else S_MEMSIZE("rrset-cache-size:", rrset_cache_size) + else S_POW2("rrset-cache-slabs:", rrset_cache_slabs) + else S_YNO("prefetch:", prefetch) + else S_YNO("prefetch-key:", prefetch_key) + else S_YNO("deny-any:", deny_any) + else if(strcmp(opt, "cache-max-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;} + else if(strcmp(opt, "cache-max-negative-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=(time_t)cfg->max_negative_ttl;} + else if(strcmp(opt, "cache-min-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;} + else if(strcmp(opt, "infra-cache-min-rtt:") == 0) { + IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val); + RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt; + } + else if(strcmp(opt, "infra-cache-max-rtt:") == 0) { + IS_NUMBER_OR_ZERO; cfg->infra_cache_max_rtt = atoi(val); + RTT_MAX_TIMEOUT=cfg->infra_cache_max_rtt; + USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT; + BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4; + } + else S_YNO("infra-keep-probing:", infra_keep_probing) + else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl) + else S_POW2("infra-cache-slabs:", infra_cache_slabs) + else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts) + else S_NUMBER_OR_ZERO("delay-close:", delay_close) + else S_YNO("udp-connect:", udp_connect) + else S_STR("chroot:", chrootdir) + else S_STR("username:", username) + else S_STR("directory:", directory) + else S_STR("pidfile:", pidfile) + else S_YNO("hide-identity:", hide_identity) + else S_YNO("hide-version:", hide_version) + else S_YNO("hide-trustanchor:", hide_trustanchor) + else S_YNO("hide-http-user-agent:", hide_http_user_agent) + else S_STR("identity:", identity) + else S_STR("version:", version) + else S_STR("http-user-agent:", http_user_agent) + else if(strcmp(opt, "nsid:") == 0) { + free(cfg->nsid_cfg_str); + if (!(cfg->nsid_cfg_str = strdup(val))) + return 0; + /* Empty string is just validly unsetting nsid */ + if (*val == 0) { + free(cfg->nsid); + cfg->nsid = NULL; + cfg->nsid_len = 0; + return 1; + } + cfg->nsid = cfg_parse_nsid(val, &cfg->nsid_len); + return cfg->nsid != NULL; + } + else S_STRLIST("root-hints:", root_hints) + else S_STR("target-fetch-policy:", target_fetch_policy) + else S_YNO("harden-glue:", harden_glue) + else S_YNO("harden-short-bufsize:", harden_short_bufsize) + else S_YNO("harden-large-queries:", harden_large_queries) + else S_YNO("harden-dnssec-stripped:", harden_dnssec_stripped) + else S_YNO("harden-below-nxdomain:", harden_below_nxdomain) + else S_YNO("harden-referral-path:", harden_referral_path) + else S_YNO("harden-algo-downgrade:", harden_algo_downgrade) + else S_YNO("harden-unknown-additional:", harden_unknown_additional) + else S_YNO("use-caps-for-id:", use_caps_bits_for_id) + else S_STRLIST("caps-whitelist:", caps_whitelist) + else S_SIZET_OR_ZERO("unwanted-reply-threshold:", unwanted_threshold) + else S_STRLIST("private-address:", private_address) + else S_STRLIST("private-domain:", private_domain) + else S_YNO("do-not-query-localhost:", donotquery_localhost) + else S_STRLIST("do-not-query-address:", donotqueryaddrs) + else S_STRLIST("auto-trust-anchor-file:", auto_trust_anchor_file_list) + else S_STRLIST("trust-anchor-file:", trust_anchor_file_list) + else S_STRLIST("trust-anchor:", trust_anchor_list) + else S_STRLIST("trusted-keys-file:", trusted_keys_file_list) + else S_YNO("trust-anchor-signaling:", trust_anchor_signaling) + else S_YNO("root-key-sentinel:", root_key_sentinel) + else S_STRLIST("domain-insecure:", domain_insecure) + else S_NUMBER_OR_ZERO("val-bogus-ttl:", bogus_ttl) + else S_YNO("val-clean-additional:", val_clean_additional) + else S_NUMBER_OR_ZERO("val-log-level:", val_log_level) + else S_YNO("val-log-squelch:", val_log_squelch) + else S_YNO("log-queries:", log_queries) + else S_YNO("log-replies:", log_replies) + else S_YNO("log-tag-queryreply:", log_tag_queryreply) + else S_YNO("log-local-actions:", log_local_actions) + else S_YNO("log-servfail:", log_servfail) ++ else S_YNO("log-destaddr:", log_destaddr) + else S_YNO("val-permissive-mode:", val_permissive_mode) + else S_YNO("aggressive-nsec:", aggressive_nsec) + else S_YNO("ignore-cd-flag:", ignore_cd) + else S_YNO("disable-edns-do:", disable_edns_do) + else if(strcmp(opt, "serve-expired:") == 0) + { IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0); + SERVE_EXPIRED = cfg->serve_expired; } + else if(strcmp(opt, "serve-expired-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->serve_expired_ttl = atoi(val); SERVE_EXPIRED_TTL=(time_t)cfg->serve_expired_ttl;} + else S_YNO("serve-expired-ttl-reset:", serve_expired_ttl_reset) + else if(strcmp(opt, "serve-expired-reply-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;} + else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) + else S_YNO("ede:", ede) + else S_YNO("ede-serve-expired:", ede_serve_expired) + else S_YNO("serve-original-ttl:", serve_original_ttl) + else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) + else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) + else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown) + else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown) + else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing) + else if(strcmp(opt, "permit-small-holddown:") == 0) + { IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0); + autr_permit_small_holddown = cfg->permit_small_holddown; } + else S_MEMSIZE("key-cache-size:", key_cache_size) + else S_POW2("key-cache-slabs:", key_cache_slabs) + else S_MEMSIZE("neg-cache-size:", neg_cache_size) + else S_YNO("minimal-responses:", minimal_responses) + else S_YNO("rrset-roundrobin:", rrset_roundrobin) + else S_NUMBER_OR_ZERO("unknown-server-time-limit:", unknown_server_time_limit) + else S_STRLIST("local-data:", local_data) + else S_YNO("unblock-lan-zones:", unblock_lan_zones) + else S_YNO("insecure-lan-zones:", insecure_lan_zones) + else S_YNO("control-enable:", remote_control_enable) + else S_STRLIST_APPEND("control-interface:", control_ifs) + else S_NUMBER_NONZERO("control-port:", control_port) + else S_STR("server-key-file:", server_key_file) + else S_STR("server-cert-file:", server_cert_file) + else S_STR("control-key-file:", control_key_file) + else S_STR("control-cert-file:", control_cert_file) + else S_STR("module-config:", module_conf) + else S_STRLIST("python-script:", python_script) + else S_STRLIST("dynlib-file:", dynlib_file) + else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check) +#ifdef CLIENT_SUBNET + /* Can't set max subnet prefix here, since that value is used when + * generating the address tree. */ + /* No client-subnet-always-forward here, module registration depends on + * this option. */ +#endif +#ifdef USE_DNSTAP + else S_YNO("dnstap-enable:", dnstap) + else S_YNO("dnstap-bidirectional:", dnstap_bidirectional) + else S_STR("dnstap-socket-path:", dnstap_socket_path) + else S_STR("dnstap-ip:", dnstap_ip) + else S_YNO("dnstap-tls:", dnstap_tls) + else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name) + else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle) + else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file) + else S_STR("dnstap-tls-client-cert-file:", + dnstap_tls_client_cert_file) + else S_YNO("dnstap-send-identity:", dnstap_send_identity) + else S_YNO("dnstap-send-version:", dnstap_send_version) + else S_STR("dnstap-identity:", dnstap_identity) + else S_STR("dnstap-version:", dnstap_version) + else S_YNO("dnstap-log-resolver-query-messages:", + dnstap_log_resolver_query_messages) + else S_YNO("dnstap-log-resolver-response-messages:", + dnstap_log_resolver_response_messages) + else S_YNO("dnstap-log-client-query-messages:", + dnstap_log_client_query_messages) + else S_YNO("dnstap-log-client-response-messages:", + dnstap_log_client_response_messages) + else S_YNO("dnstap-log-forwarder-query-messages:", + dnstap_log_forwarder_query_messages) + else S_YNO("dnstap-log-forwarder-response-messages:", + dnstap_log_forwarder_response_messages) +#endif +#ifdef USE_DNSCRYPT + else S_YNO("dnscrypt-enable:", dnscrypt) + else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port) + else S_STR("dnscrypt-provider:", dnscrypt_provider) + else S_STRLIST_UNIQ("dnscrypt-provider-cert:", dnscrypt_provider_cert) + else S_STRLIST("dnscrypt-provider-cert-rotated:", dnscrypt_provider_cert_rotated) + else S_STRLIST_UNIQ("dnscrypt-secret-key:", dnscrypt_secret_key) + else S_MEMSIZE("dnscrypt-shared-secret-cache-size:", + dnscrypt_shared_secret_cache_size) + else S_POW2("dnscrypt-shared-secret-cache-slabs:", + dnscrypt_shared_secret_cache_slabs) + else S_MEMSIZE("dnscrypt-nonce-cache-size:", + dnscrypt_nonce_cache_size) + else S_POW2("dnscrypt-nonce-cache-slabs:", + dnscrypt_nonce_cache_slabs) +#endif + else if(strcmp(opt, "ip-ratelimit-cookie:") == 0) { + IS_NUMBER_OR_ZERO; cfg->ip_ratelimit_cookie = atoi(val); + infra_ip_ratelimit_cookie=cfg->ip_ratelimit_cookie; + } + else if(strcmp(opt, "ip-ratelimit:") == 0) { + IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val); + infra_ip_ratelimit=cfg->ip_ratelimit; + } + else if(strcmp(opt, "ratelimit:") == 0) { + IS_NUMBER_OR_ZERO; cfg->ratelimit = atoi(val); + infra_dp_ratelimit=cfg->ratelimit; + } + else S_MEMSIZE("ip-ratelimit-size:", ip_ratelimit_size) + else S_MEMSIZE("ratelimit-size:", ratelimit_size) + else S_POW2("ip-ratelimit-slabs:", ip_ratelimit_slabs) + else S_POW2("ratelimit-slabs:", ratelimit_slabs) + else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor) + else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) + else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff) + else S_YNO("ratelimit-backoff:", ratelimit_backoff) + else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry) + else S_NUMBER_NONZERO("max-sent-count:", max_sent_count) + else S_NUMBER_NONZERO("max-query-restarts:", max_query_restarts) + else S_SIZET_NONZERO("fast-server-num:", fast_server_num) + else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) + else S_YNO("qname-minimisation:", qname_minimisation) + else S_YNO("qname-minimisation-strict:", qname_minimisation_strict) + else S_YNO("pad-responses:", pad_responses) + else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size) + else S_YNO("pad-queries:", pad_queries) + else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size) + else S_STRLIST("proxy-protocol-port:", proxy_protocol_port) +#ifdef USE_IPSECMOD + else S_YNO("ipsecmod-enabled:", ipsecmod_enabled) + else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus) + else if(strcmp(opt, "ipsecmod-max-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); } + else S_YNO("ipsecmod-strict:", ipsecmod_strict) +#endif +#ifdef USE_CACHEDB + else S_YNO("cachedb-no-store:", cachedb_no_store) +#endif /* USE_CACHEDB */ + else if(strcmp(opt, "define-tag:") ==0) { + return config_add_tag(cfg, val); + /* val_sig_skew_min, max and val_max_restart are copied into val_env + * during init so this does not update val_env with set_option */ + } else if(strcmp(opt, "val-sig-skew-min:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); } + else if(strcmp(opt, "val-sig-skew-max:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); } + else if(strcmp(opt, "val-max-restart:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); } + else if (strcmp(opt, "outgoing-interface:") == 0) { + char* d = strdup(val); + char** oi = + (char**)reallocarray(NULL, (size_t)cfg->num_out_ifs+1, sizeof(char*)); + if(!d || !oi) { free(d); free(oi); return -1; } + if(cfg->out_ifs && cfg->num_out_ifs) { + memmove(oi, cfg->out_ifs, cfg->num_out_ifs*sizeof(char*)); + free(cfg->out_ifs); + } + oi[cfg->num_out_ifs++] = d; + cfg->out_ifs = oi; + } else { + /* unknown or unsupported (from the set_option interface): + * interface, outgoing-interface, access-control, + * stub-zone, name, stub-addr, stub-host, stub-prime + * forward-first, stub-first, forward-ssl-upstream, + * stub-ssl-upstream, forward-zone, auth-zone + * name, forward-addr, forward-host, + * ratelimit-for-domain, ratelimit-below-domain, + * local-zone-tag, access-control-view, interface-*, + * send-client-subnet, client-subnet-always-forward, + * max-client-subnet-ipv4, max-client-subnet-ipv6, + * min-client-subnet-ipv4, min-client-subnet-ipv6, + * max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook, + * ipsecmod_whitelist. */ + return 0; + } + return 1; +} + +void config_print_func(char* line, void* arg) +{ + FILE* f = (FILE*)arg; + (void)fprintf(f, "%s\n", line); +} + +/** collate func arg */ +struct config_collate_arg { + /** list of result items */ + struct config_strlist_head list; + /** if a malloc error occurred, 0 is OK */ + int status; +}; + +void config_collate_func(char* line, void* arg) +{ *** 3407 LINES SKIPPED ***