git: 1838dec31895 - main - unbound: Vendor import 1.17.1
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 15 Jan 2023 05:42:49 UTC
The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=1838dec31895fd4752fa8631322ab93be0705a66 commit 1838dec31895fd4752fa8631322ab93be0705a66 Merge: 249526dace5d 7699e1386a16 Author: Cy Schubert <cy@FreeBSD.org> AuthorDate: 2023-01-15 05:39:31 +0000 Commit: Cy Schubert <cy@FreeBSD.org> CommitDate: 2023-01-15 05:39:31 +0000 unbound: Vendor import 1.17.1 Release notes at https://www.nlnetlabs.nl/news/2023/Jan/12/unbound-1.17.1-released/. MFC after: 1 month Merge commit '7699e1386a16236002b26107ffd2dcbde375e197' into main contrib/unbound/Makefile.in | 4 +- contrib/unbound/README.md | 1 + contrib/unbound/cachedb/cachedb.c | 21 ++- contrib/unbound/configure | 25 +-- contrib/unbound/configure.ac | 5 +- contrib/unbound/contrib/unbound.service.in | 5 +- contrib/unbound/daemon/cachedump.c | 9 +- contrib/unbound/daemon/daemon.c | 91 ++++++++- contrib/unbound/daemon/daemon.h | 6 + contrib/unbound/daemon/remote.c | 16 +- contrib/unbound/daemon/worker.c | 21 ++- contrib/unbound/daemon/worker.h | 4 +- contrib/unbound/doc/Changelog | 86 +++++++++ contrib/unbound/doc/README | 2 +- contrib/unbound/doc/example.conf.in | 18 +- contrib/unbound/doc/libunbound.3.in | 4 +- contrib/unbound/doc/unbound-anchor.8.in | 2 +- contrib/unbound/doc/unbound-checkconf.8.in | 2 +- contrib/unbound/doc/unbound-control.8.in | 10 +- contrib/unbound/doc/unbound-host.1.in | 2 +- contrib/unbound/doc/unbound.8.in | 4 +- contrib/unbound/doc/unbound.conf.5.in | 36 +++- contrib/unbound/edns-subnet/subnetmod.c | 11 ++ contrib/unbound/iterator/iter_utils.c | 2 + contrib/unbound/iterator/iterator.c | 7 +- contrib/unbound/iterator/iterator.h | 10 +- contrib/unbound/libunbound/context.c | 1 + contrib/unbound/libunbound/context.h | 6 + contrib/unbound/libunbound/libunbound.c | 39 +++- contrib/unbound/libunbound/libworker.c | 1 + contrib/unbound/libunbound/unbound-event.h | 3 +- contrib/unbound/services/authzone.c | 1 + contrib/unbound/services/cache/dns.c | 8 + contrib/unbound/sldns/rrdef.h | 4 +- contrib/unbound/smallapp/unbound-control.c | 12 +- .../09-unbound-control.tdir/conf.bad_credentials | 5 + .../conf.spoofed_credentials | 5 + .../unbound/testdata/cachedb_servfail_cname.crpl | 181 ++++++++++++++++++ .../testdata/serve_expired_cached_servfail.rpl | 130 +++++++++++++ .../unbound/testdata/subnet_cached_servfail.crpl | 167 +++++++++++++++++ contrib/unbound/util/config_file.c | 9 + contrib/unbound/util/config_file.h | 7 + contrib/unbound/util/configlexer.lex | 3 + contrib/unbound/util/configparser.y | 34 +++- contrib/unbound/util/iana_ports.inc | 1 + contrib/unbound/util/netevent.c | 30 ++- contrib/unbound/util/tube.c | 53 ++++-- usr.sbin/unbound/config.h | 204 +++++++++++++++++---- 48 files changed, 1169 insertions(+), 139 deletions(-) diff --cc contrib/unbound/README.md index d1bbcf2b7797,000000000000..c3d9bc2492ef mode 100644,000000..100644 --- a/contrib/unbound/README.md +++ b/contrib/unbound/README.md @@@ -1,39 -1,0 +1,40 @@@ +# Unbound + +[![Travis Build Status](https://travis-ci.org/NLnetLabs/unbound.svg?branch=master)](https://travis-ci.org/NLnetLabs/unbound) +[![Packaging status](https://repology.org/badge/tiny-repos/unbound.svg)](https://repology.org/project/unbound/versions) +[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound) +[![Documentation Status](https://readthedocs.org/projects/unbound/badge/?version=latest)](https://unbound.readthedocs.io/en/latest/?badge=latest) ++[![Mastodon Follow](https://img.shields.io/mastodon/follow/109262826617293067?domain=https%3A%2F%2Ffosstodon.org&style=social)](https://fosstodon.org/@nlnetlabs) + +Unbound is a validating, recursive, caching DNS resolver. It is designed to be +fast and lean and incorporates modern features based on open standards. If you +have any feedback, we would love to hear from you. Don’t hesitate to +[create an issue on Github](https://github.com/NLnetLabs/unbound/issues/new) +or post a message on the [Unbound mailing list](https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users). +You can learn more about Unbound by reading our +[documentation](https://unbound.docs.nlnetlabs.nl/). + +## Compiling + +Make sure you have the C toolchain, OpenSSL and its include files, and libexpat +installed. Unbound can be compiled and installed using: + +``` +./configure && make && make install +``` + +You can use libevent if you want. libevent is useful when using many (10000) +outgoing ports. By default max 256 ports are opened at the same time and the +builtin alternative is equally capable and a little faster. + +Use the `--with-libevent=dir` configure option to compile Unbound with libevent +support. + +## Unbound configuration + +All of Unbound's configuration options are described in the man pages, which +will be installed and are available on the Unbound +[documentation page](https://unbound.docs.nlnetlabs.nl/). + +An example configuration file is located in +[doc/example.conf](https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in). diff --cc contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials index 000000000000,11a131130000..11a131130000 mode 000000,100644..100644 --- a/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials +++ b/contrib/unbound/testdata/09-unbound-control.tdir/conf.bad_credentials diff --cc contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials index 000000000000,25cb830dca4e..25cb830dca4e mode 000000,100644..100644 --- a/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials +++ b/contrib/unbound/testdata/09-unbound-control.tdir/conf.spoofed_credentials diff --cc contrib/unbound/testdata/cachedb_servfail_cname.crpl index 000000000000,221f00d4df54..221f00d4df54 mode 000000,100644..100644 --- a/contrib/unbound/testdata/cachedb_servfail_cname.crpl +++ b/contrib/unbound/testdata/cachedb_servfail_cname.crpl diff --cc contrib/unbound/testdata/serve_expired_cached_servfail.rpl index 000000000000,286de708b9c5..286de708b9c5 mode 000000,100644..100644 --- a/contrib/unbound/testdata/serve_expired_cached_servfail.rpl +++ b/contrib/unbound/testdata/serve_expired_cached_servfail.rpl diff --cc contrib/unbound/testdata/subnet_cached_servfail.crpl index 000000000000,9c746d579124..9c746d579124 mode 000000,100644..100644 --- a/contrib/unbound/testdata/subnet_cached_servfail.crpl +++ b/contrib/unbound/testdata/subnet_cached_servfail.crpl diff --cc contrib/unbound/util/config_file.c index 00422617dad7,000000000000..d0b9904e133d mode 100644,000000..100644 --- a/contrib/unbound/util/config_file.c +++ b/contrib/unbound/util/config_file.c @@@ -1,2661 -1,0 +1,2670 @@@ +/* + * util/config_file.c - reads and stores the config file for unbound. + * + * Copyright (c) 2007, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains functions for the config file. + */ + +#include "config.h" +#include <ctype.h> +#include <stdarg.h> +#ifdef HAVE_TIME_H +#include <time.h> +#endif +#include "util/log.h" +#include "util/configyyrename.h" +#include "util/config_file.h" +#include "configparser.h" +#include "util/net_help.h" +#include "util/data/msgparse.h" +#include "util/module.h" +#include "util/regional.h" +#include "util/fptr_wlist.h" +#include "util/data/dname.h" +#include "util/rtt.h" +#include "services/cache/infra.h" +#include "sldns/wire2str.h" +#include "sldns/parseutil.h" +#include "iterator/iterator.h" +#ifdef HAVE_GLOB_H +# include <glob.h> +#endif +#ifdef CLIENT_SUBNET +#include "edns-subnet/edns-subnet.h" +#endif +#ifdef HAVE_PWD_H +#include <pwd.h> +#endif + +/** from cfg username, after daemonize setup performed */ +uid_t cfg_uid = (uid_t)-1; +/** from cfg username, after daemonize setup performed */ +gid_t cfg_gid = (gid_t)-1; +/** for debug allow small timeout values for fast rollovers */ +int autr_permit_small_holddown = 0; +/** size (in bytes) of stream wait buffers max */ +size_t stream_wait_max = 4 * 1024 * 1024; +size_t http2_query_buffer_max = 4 * 1024 * 1024; +size_t http2_response_buffer_max = 4 * 1024 * 1024; + +/** global config during parsing */ +struct config_parser_state* cfg_parser = 0; + +/** init ports possible for use */ +static void init_outgoing_availports(int* array, int num); + +struct config_file* +config_create(void) +{ + struct config_file* cfg; + cfg = (struct config_file*)calloc(1, sizeof(struct config_file)); + if(!cfg) + return NULL; + /* the defaults if no config is present */ + cfg->verbosity = 1; + cfg->stat_interval = 0; + cfg->stat_cumulative = 0; + cfg->stat_extended = 0; ++ cfg->stat_inhibit_zero = 1; + cfg->num_threads = 1; + cfg->port = UNBOUND_DNS_PORT; + cfg->do_ip4 = 1; + cfg->do_ip6 = 1; + cfg->do_udp = 1; + cfg->do_tcp = 1; + cfg->tcp_reuse_timeout = 60 * 1000; /* 60s in milisecs */ + cfg->max_reuse_tcp_queries = 200; + cfg->tcp_upstream = 0; + cfg->udp_upstream_without_downstream = 0; + cfg->tcp_mss = 0; + cfg->outgoing_tcp_mss = 0; + cfg->tcp_idle_timeout = 30 * 1000; /* 30s in millisecs */ + cfg->tcp_auth_query_timeout = 3 * 1000; /* 3s in millisecs */ + cfg->do_tcp_keepalive = 0; + cfg->tcp_keepalive_timeout = 120 * 1000; /* 120s in millisecs */ + cfg->ssl_service_key = NULL; + cfg->ssl_service_pem = NULL; + cfg->ssl_port = UNBOUND_DNS_OVER_TLS_PORT; + cfg->ssl_upstream = 0; + cfg->tls_cert_bundle = NULL; + cfg->tls_win_cert = 0; + cfg->tls_use_sni = 1; + cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT; + if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit; + cfg->http_max_streams = 100; + cfg->http_query_buffer_size = 4*1024*1024; + cfg->http_response_buffer_size = 4*1024*1024; + cfg->http_nodelay = 1; + cfg->use_syslog = 1; + cfg->log_identity = NULL; /* changed later with argv[0] */ + cfg->log_time_ascii = 0; + cfg->log_queries = 0; + cfg->log_replies = 0; + cfg->log_tag_queryreply = 0; + cfg->log_local_actions = 0; + cfg->log_servfail = 0; +#ifndef USE_WINSOCK +# ifdef USE_MINI_EVENT + /* select max 1024 sockets */ + cfg->outgoing_num_ports = 960; + cfg->num_queries_per_thread = 512; +# else + /* libevent can use many sockets */ + cfg->outgoing_num_ports = 4096; + cfg->num_queries_per_thread = 1024; +# endif + cfg->outgoing_num_tcp = 10; + cfg->incoming_num_tcp = 10; +#else + cfg->outgoing_num_ports = 48; /* windows is limited in num fds */ + cfg->num_queries_per_thread = 24; + cfg->outgoing_num_tcp = 2; /* leaves 64-52=12 for: 4if,1stop,thread4 */ + cfg->incoming_num_tcp = 2; +#endif + cfg->stream_wait_size = 4 * 1024 * 1024; + cfg->edns_buffer_size = 1232; /* from DNS flagday recommendation */ + cfg->msg_buffer_size = 65552; /* 64 k + a small margin */ + cfg->msg_cache_size = 4 * 1024 * 1024; + cfg->msg_cache_slabs = 4; + cfg->jostle_time = 200; + cfg->rrset_cache_size = 4 * 1024 * 1024; + cfg->rrset_cache_slabs = 4; + cfg->host_ttl = 900; + cfg->bogus_ttl = 60; + cfg->min_ttl = 0; + cfg->max_ttl = 3600 * 24; + cfg->max_negative_ttl = 3600; + cfg->prefetch = 0; + cfg->prefetch_key = 0; + cfg->deny_any = 0; + cfg->infra_cache_slabs = 4; + cfg->infra_cache_numhosts = 10000; + cfg->infra_cache_min_rtt = 50; + cfg->infra_cache_max_rtt = 120000; + cfg->infra_keep_probing = 0; + cfg->delay_close = 0; + cfg->udp_connect = 1; + if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int)))) + goto error_exit; + init_outgoing_availports(cfg->outgoing_avail_ports, 65536); + if(!(cfg->username = strdup(UB_USERNAME))) goto error_exit; +#ifdef HAVE_CHROOT + if(!(cfg->chrootdir = strdup(CHROOT_DIR))) goto error_exit; +#endif + if(!(cfg->directory = strdup(RUN_DIR))) goto error_exit; + if(!(cfg->logfile = strdup(""))) goto error_exit; + if(!(cfg->pidfile = strdup(PIDFILE))) goto error_exit; + if(!(cfg->target_fetch_policy = strdup("3 2 1 0 0"))) goto error_exit; + cfg->fast_server_permil = 0; + cfg->fast_server_num = 3; + cfg->donotqueryaddrs = NULL; + cfg->donotquery_localhost = 1; + cfg->root_hints = NULL; + cfg->use_systemd = 0; + cfg->do_daemonize = 1; + cfg->if_automatic = 0; + cfg->if_automatic_ports = NULL; + cfg->so_rcvbuf = 0; + cfg->so_sndbuf = 0; + cfg->so_reuseport = REUSEPORT_DEFAULT; + cfg->ip_transparent = 0; + cfg->ip_freebind = 0; + cfg->ip_dscp = 0; + cfg->num_ifs = 0; + cfg->ifs = NULL; + cfg->num_out_ifs = 0; + cfg->out_ifs = NULL; + cfg->stubs = NULL; + cfg->forwards = NULL; + cfg->auths = NULL; +#ifdef CLIENT_SUBNET + cfg->client_subnet = NULL; + cfg->client_subnet_zone = NULL; + cfg->client_subnet_opcode = LDNS_EDNS_CLIENT_SUBNET; + cfg->client_subnet_always_forward = 0; + cfg->max_client_subnet_ipv4 = 24; + cfg->max_client_subnet_ipv6 = 56; + cfg->min_client_subnet_ipv4 = 0; + cfg->min_client_subnet_ipv6 = 0; + cfg->max_ecs_tree_size_ipv4 = 100; + cfg->max_ecs_tree_size_ipv6 = 100; +#endif + cfg->views = NULL; + cfg->acls = NULL; + cfg->tcp_connection_limits = NULL; + cfg->harden_short_bufsize = 1; + cfg->harden_large_queries = 0; + cfg->harden_glue = 1; + cfg->harden_dnssec_stripped = 1; + cfg->harden_below_nxdomain = 1; + cfg->harden_referral_path = 0; + cfg->harden_algo_downgrade = 0; + cfg->use_caps_bits_for_id = 0; + cfg->caps_whitelist = NULL; + cfg->private_address = NULL; + cfg->private_domain = NULL; + cfg->unwanted_threshold = 0; + cfg->hide_identity = 0; + cfg->hide_version = 0; + cfg->hide_trustanchor = 0; + cfg->hide_http_user_agent = 0; + cfg->identity = NULL; + cfg->version = NULL; + cfg->http_user_agent = NULL; + cfg->nsid_cfg_str = NULL; + cfg->nsid = NULL; + cfg->nsid_len = 0; + cfg->auto_trust_anchor_file_list = NULL; + cfg->trust_anchor_file_list = NULL; + cfg->trust_anchor_list = NULL; + cfg->trusted_keys_file_list = NULL; + cfg->trust_anchor_signaling = 1; + cfg->root_key_sentinel = 1; + cfg->domain_insecure = NULL; + cfg->val_date_override = 0; + cfg->val_sig_skew_min = 3600; /* at least daylight savings trouble */ + cfg->val_sig_skew_max = 86400; /* at most timezone settings trouble */ + cfg->val_max_restart = 5; + cfg->val_clean_additional = 1; + cfg->val_log_level = 0; + cfg->val_log_squelch = 0; + cfg->val_permissive_mode = 0; + cfg->aggressive_nsec = 1; + cfg->ignore_cd = 0; + cfg->serve_expired = 0; + cfg->serve_expired_ttl = 0; + cfg->serve_expired_ttl_reset = 0; + cfg->serve_expired_reply_ttl = 30; + cfg->serve_expired_client_timeout = 0; + cfg->ede_serve_expired = 0; + cfg->serve_original_ttl = 0; + cfg->zonemd_permissive_mode = 0; + cfg->add_holddown = 30*24*3600; + cfg->del_holddown = 30*24*3600; + cfg->keep_missing = 366*24*3600; /* one year plus a little leeway */ + cfg->permit_small_holddown = 0; + cfg->key_cache_size = 4 * 1024 * 1024; + cfg->key_cache_slabs = 4; + cfg->neg_cache_size = 1 * 1024 * 1024; + cfg->local_zones = NULL; + cfg->local_zones_nodefault = NULL; +#ifdef USE_IPSET + cfg->local_zones_ipset = NULL; +#endif + cfg->local_zones_disable_default = 0; + cfg->local_data = NULL; + cfg->local_zone_overrides = NULL; + cfg->unblock_lan_zones = 0; + cfg->insecure_lan_zones = 0; + cfg->python_script = NULL; + cfg->dynlib_file = NULL; + cfg->remote_control_enable = 0; + cfg->control_ifs.first = NULL; + cfg->control_ifs.last = NULL; + cfg->control_port = UNBOUND_CONTROL_PORT; + cfg->control_use_cert = 1; + cfg->minimal_responses = 1; + cfg->rrset_roundrobin = 1; + cfg->unknown_server_time_limit = 376; + cfg->max_udp_size = 4096; + if(!(cfg->server_key_file = strdup(RUN_DIR"/unbound_server.key"))) + goto error_exit; + if(!(cfg->server_cert_file = strdup(RUN_DIR"/unbound_server.pem"))) + goto error_exit; + if(!(cfg->control_key_file = strdup(RUN_DIR"/unbound_control.key"))) + goto error_exit; + if(!(cfg->control_cert_file = strdup(RUN_DIR"/unbound_control.pem"))) + goto error_exit; + +#ifdef CLIENT_SUBNET + if(!(cfg->module_conf = strdup("subnetcache validator iterator"))) goto error_exit; +#else + if(!(cfg->module_conf = strdup("validator iterator"))) goto error_exit; +#endif + if(!(cfg->val_nsec3_key_iterations = + strdup("1024 150 2048 150 4096 150"))) goto error_exit; +#if defined(DNSTAP_SOCKET_PATH) + if(!(cfg->dnstap_socket_path = strdup(DNSTAP_SOCKET_PATH))) + goto error_exit; +#endif + cfg->dnstap_bidirectional = 1; + cfg->dnstap_tls = 1; + cfg->disable_dnssec_lame_check = 0; + cfg->ip_ratelimit = 0; + cfg->ratelimit = 0; + cfg->ip_ratelimit_slabs = 4; + cfg->ratelimit_slabs = 4; + cfg->ip_ratelimit_size = 4*1024*1024; + cfg->ratelimit_size = 4*1024*1024; + cfg->ratelimit_for_domain = NULL; + cfg->ratelimit_below_domain = NULL; + cfg->ip_ratelimit_factor = 10; + cfg->ratelimit_factor = 10; + cfg->ip_ratelimit_backoff = 0; + cfg->ratelimit_backoff = 0; + cfg->outbound_msg_retry = 5; ++ cfg->max_sent_count = 32; ++ cfg->max_query_restarts = 11; + cfg->qname_minimisation = 1; + cfg->qname_minimisation_strict = 0; + cfg->shm_enable = 0; + cfg->shm_key = 11777; + cfg->edns_client_strings = NULL; + cfg->edns_client_string_opcode = 65001; + cfg->dnscrypt = 0; + cfg->dnscrypt_port = 0; + cfg->dnscrypt_provider = NULL; + cfg->dnscrypt_provider_cert = NULL; + cfg->dnscrypt_provider_cert_rotated = NULL; + cfg->dnscrypt_secret_key = NULL; + cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024; + cfg->dnscrypt_shared_secret_cache_slabs = 4; + cfg->dnscrypt_nonce_cache_size = 4*1024*1024; + cfg->dnscrypt_nonce_cache_slabs = 4; + cfg->pad_responses = 1; + cfg->pad_responses_block_size = 468; /* from RFC8467 */ + cfg->pad_queries = 1; + cfg->pad_queries_block_size = 128; /* from RFC8467 */ +#ifdef USE_IPSECMOD + cfg->ipsecmod_enabled = 1; + cfg->ipsecmod_ignore_bogus = 0; + cfg->ipsecmod_hook = NULL; + cfg->ipsecmod_max_ttl = 3600; + cfg->ipsecmod_whitelist = NULL; + cfg->ipsecmod_strict = 0; +#endif +#ifdef USE_CACHEDB + if(!(cfg->cachedb_backend = strdup("testframe"))) goto error_exit; + if(!(cfg->cachedb_secret = strdup("default"))) goto error_exit; +#ifdef USE_REDIS + if(!(cfg->redis_server_host = strdup("127.0.0.1"))) goto error_exit; + cfg->redis_timeout = 100; + cfg->redis_server_port = 6379; + cfg->redis_expire_records = 0; +#endif /* USE_REDIS */ +#endif /* USE_CACHEDB */ +#ifdef USE_IPSET + cfg->ipset_name_v4 = NULL; + cfg->ipset_name_v6 = NULL; +#endif + cfg->ede = 0; + return cfg; +error_exit: + config_delete(cfg); + return NULL; +} + +struct config_file* config_create_forlib(void) +{ + struct config_file* cfg = config_create(); + if(!cfg) return NULL; + /* modifications for library use, less verbose, less memory */ + free(cfg->chrootdir); + cfg->chrootdir = NULL; + cfg->verbosity = 0; + cfg->outgoing_num_ports = 16; /* in library use, this is 'reasonable' + and probably within the ulimit(maxfds) of the user */ + cfg->outgoing_num_tcp = 2; + cfg->msg_cache_size = 1024*1024; + cfg->msg_cache_slabs = 1; + cfg->rrset_cache_size = 1024*1024; + cfg->rrset_cache_slabs = 1; + cfg->infra_cache_slabs = 1; + cfg->use_syslog = 0; + cfg->key_cache_size = 1024*1024; + cfg->key_cache_slabs = 1; + cfg->neg_cache_size = 100 * 1024; + cfg->donotquery_localhost = 0; /* allow, so that you can ask a + forward nameserver running on localhost */ + cfg->val_log_level = 2; /* to fill why_bogus with */ + cfg->val_log_squelch = 1; + cfg->minimal_responses = 0; + cfg->harden_short_bufsize = 1; + return cfg; +} + +/** check that the value passed is >= 0 */ +#define IS_NUMBER_OR_ZERO \ + if(atoi(val) == 0 && strcmp(val, "0") != 0) return 0 +/** check that the value passed is > 0 */ +#define IS_NONZERO_NUMBER \ + if(atoi(val) == 0) return 0 +/** check that the value passed is not 0 and a power of 2 */ +#define IS_POW2_NUMBER \ + if(atoi(val) == 0 || !is_pow2((size_t)atoi(val))) return 0 +/** check that the value passed is yes or no */ +#define IS_YES_OR_NO \ + if(strcmp(val, "yes") != 0 && strcmp(val, "no") != 0) return 0 +/** put integer_or_zero into variable */ +#define S_NUMBER_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NUMBER_OR_ZERO; cfg->var = atoi(val); } +/** put integer_nonzero into variable */ +#define S_NUMBER_NONZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NONZERO_NUMBER; cfg->var = atoi(val); } +/** put integer_or_zero into unsigned */ +#define S_UNSIGNED_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NUMBER_OR_ZERO; cfg->var = (unsigned)atoi(val); } +/** put integer_or_zero into size_t */ +#define S_SIZET_OR_ZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NUMBER_OR_ZERO; cfg->var = (size_t)atoi(val); } +/** put integer_nonzero into size_t */ +#define S_SIZET_NONZERO(str, var) if(strcmp(opt, str) == 0) \ + { IS_NONZERO_NUMBER; cfg->var = (size_t)atoi(val); } +/** put yesno into variable */ +#define S_YNO(str, var) if(strcmp(opt, str) == 0) \ + { IS_YES_OR_NO; cfg->var = (strcmp(val, "yes") == 0); } +/** put memsize into variable */ +#define S_MEMSIZE(str, var) if(strcmp(opt, str)==0) \ + { return cfg_parse_memsize(val, &cfg->var); } +/** put pow2 number into variable */ +#define S_POW2(str, var) if(strcmp(opt, str)==0) \ + { IS_POW2_NUMBER; cfg->var = (size_t)atoi(val); } +/** put string into variable */ +#define S_STR(str, var) if(strcmp(opt, str)==0) \ + { free(cfg->var); return (cfg->var = strdup(val)) != NULL; } +/** put string into strlist */ +#define S_STRLIST(str, var) if(strcmp(opt, str)==0) \ + { return cfg_strlist_insert(&cfg->var, strdup(val)); } +/** put string into strlist if not present yet*/ +#define S_STRLIST_UNIQ(str, var) if(strcmp(opt, str)==0) \ + { if(cfg_strlist_find(cfg->var, val)) { return 0;} \ + return cfg_strlist_insert(&cfg->var, strdup(val)); } +/** append string to strlist */ +#define S_STRLIST_APPEND(str, var) if(strcmp(opt, str)==0) \ + { return cfg_strlist_append(&cfg->var, strdup(val)); } + +int config_set_option(struct config_file* cfg, const char* opt, + const char* val) +{ + char buf[64]; + if(!opt) return 0; + if(opt[strlen(opt)-1] != ':' && strlen(opt)+2<sizeof(buf)) { + snprintf(buf, sizeof(buf), "%s:", opt); + opt = buf; + } + S_NUMBER_OR_ZERO("verbosity:", verbosity) + else if(strcmp(opt, "statistics-interval:") == 0) { + if(strcmp(val, "0") == 0 || strcmp(val, "") == 0) + cfg->stat_interval = 0; + else if(atoi(val) == 0) + return 0; + else cfg->stat_interval = atoi(val); + } else if(strcmp(opt, "num-threads:") == 0) { + /* not supported, library must have 1 thread in bgworker */ + return 0; + } else if(strcmp(opt, "outgoing-port-permit:") == 0) { + return cfg_mark_ports(val, 1, + cfg->outgoing_avail_ports, 65536); + } else if(strcmp(opt, "outgoing-port-avoid:") == 0) { + return cfg_mark_ports(val, 0, + cfg->outgoing_avail_ports, 65536); + } else if(strcmp(opt, "local-zone:") == 0) { + return cfg_parse_local_zone(cfg, val); + } else if(strcmp(opt, "val-override-date:") == 0) { + if(strcmp(val, "") == 0 || strcmp(val, "0") == 0) { + cfg->val_date_override = 0; + } else if(strlen(val) == 14) { + cfg->val_date_override = cfg_convert_timeval(val); + return cfg->val_date_override != 0; + } else { + if(atoi(val) == 0) return 0; + cfg->val_date_override = (uint32_t)atoi(val); + } + } else if(strcmp(opt, "local-data-ptr:") == 0) { + char* ptr = cfg_ptr_reverse((char*)opt); + return cfg_strlist_insert(&cfg->local_data, ptr); + } else if(strcmp(opt, "logfile:") == 0) { + cfg->use_syslog = 0; + free(cfg->logfile); + return (cfg->logfile = strdup(val)) != NULL; + } + else if(strcmp(opt, "log-time-ascii:") == 0) + { IS_YES_OR_NO; cfg->log_time_ascii = (strcmp(val, "yes") == 0); + log_set_time_asc(cfg->log_time_ascii); } + else S_SIZET_NONZERO("max-udp-size:", max_udp_size) + else S_YNO("use-syslog:", use_syslog) + else S_STR("log-identity:", log_identity) + else S_YNO("extended-statistics:", stat_extended) ++ else S_YNO("statistics-inhibit-zero:", stat_inhibit_zero) + else S_YNO("statistics-cumulative:", stat_cumulative) + else S_YNO("shm-enable:", shm_enable) + else S_NUMBER_OR_ZERO("shm-key:", shm_key) + else S_YNO("do-ip4:", do_ip4) + else S_YNO("do-ip6:", do_ip6) + else S_YNO("do-udp:", do_udp) + else S_YNO("do-tcp:", do_tcp) + else S_YNO("prefer-ip4:", prefer_ip4) + else S_YNO("prefer-ip6:", prefer_ip6) + else S_YNO("tcp-upstream:", tcp_upstream) + else S_YNO("udp-upstream-without-downstream:", + udp_upstream_without_downstream) + else S_NUMBER_NONZERO("tcp-mss:", tcp_mss) + else S_NUMBER_NONZERO("outgoing-tcp-mss:", outgoing_tcp_mss) + else S_NUMBER_NONZERO("tcp-auth-query-timeout:", tcp_auth_query_timeout) + else S_NUMBER_NONZERO("tcp-idle-timeout:", tcp_idle_timeout) + else S_NUMBER_NONZERO("max-reuse-tcp-queries:", max_reuse_tcp_queries) + else S_NUMBER_NONZERO("tcp-reuse-timeout:", tcp_reuse_timeout) + else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive) + else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout) + else S_YNO("ssl-upstream:", ssl_upstream) + else S_YNO("tls-upstream:", ssl_upstream) + else S_STR("ssl-service-key:", ssl_service_key) + else S_STR("tls-service-key:", ssl_service_key) + else S_STR("ssl-service-pem:", ssl_service_pem) + else S_STR("tls-service-pem:", ssl_service_pem) + else S_NUMBER_NONZERO("ssl-port:", ssl_port) + else S_NUMBER_NONZERO("tls-port:", ssl_port) + else S_STR("ssl-cert-bundle:", tls_cert_bundle) + else S_STR("tls-cert-bundle:", tls_cert_bundle) + else S_YNO("tls-win-cert:", tls_win_cert) + else S_YNO("tls-system-cert:", tls_win_cert) + else S_STRLIST("additional-ssl-port:", tls_additional_port) + else S_STRLIST("additional-tls-port:", tls_additional_port) + else S_STRLIST("tls-additional-ports:", tls_additional_port) + else S_STRLIST("tls-additional-port:", tls_additional_port) + else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys) + else S_STR("tls-ciphers:", tls_ciphers) + else S_STR("tls-ciphersuites:", tls_ciphersuites) + else S_YNO("tls-use-sni:", tls_use_sni) + else S_NUMBER_NONZERO("https-port:", https_port) + else S_STR("http-endpoint:", http_endpoint) + else S_NUMBER_NONZERO("http-max-streams:", http_max_streams) + else S_MEMSIZE("http-query-buffer-size:", http_query_buffer_size) + else S_MEMSIZE("http-response-buffer-size:", http_response_buffer_size) + else S_YNO("http-nodelay:", http_nodelay) + else S_YNO("http-notls-downstream:", http_notls_downstream) + else S_YNO("interface-automatic:", if_automatic) + else S_STR("interface-automatic-ports:", if_automatic_ports) + else S_YNO("use-systemd:", use_systemd) + else S_YNO("do-daemonize:", do_daemonize) + else S_NUMBER_NONZERO("port:", port) + else S_NUMBER_NONZERO("outgoing-range:", outgoing_num_ports) + else S_SIZET_OR_ZERO("outgoing-num-tcp:", outgoing_num_tcp) + else S_SIZET_OR_ZERO("incoming-num-tcp:", incoming_num_tcp) + else S_MEMSIZE("stream-wait-size:", stream_wait_size) + else S_SIZET_NONZERO("edns-buffer-size:", edns_buffer_size) + else S_SIZET_NONZERO("msg-buffer-size:", msg_buffer_size) + else S_MEMSIZE("msg-cache-size:", msg_cache_size) + else S_POW2("msg-cache-slabs:", msg_cache_slabs) + else S_SIZET_NONZERO("num-queries-per-thread:",num_queries_per_thread) + else S_SIZET_OR_ZERO("jostle-timeout:", jostle_time) + else S_MEMSIZE("so-rcvbuf:", so_rcvbuf) + else S_MEMSIZE("so-sndbuf:", so_sndbuf) + else S_YNO("so-reuseport:", so_reuseport) + else S_YNO("ip-transparent:", ip_transparent) + else S_YNO("ip-freebind:", ip_freebind) + else S_NUMBER_OR_ZERO("ip-dscp:", ip_dscp) + else S_MEMSIZE("rrset-cache-size:", rrset_cache_size) + else S_POW2("rrset-cache-slabs:", rrset_cache_slabs) + else S_YNO("prefetch:", prefetch) + else S_YNO("prefetch-key:", prefetch_key) + else S_YNO("deny-any:", deny_any) + else if(strcmp(opt, "cache-max-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->max_ttl = atoi(val); MAX_TTL=(time_t)cfg->max_ttl;} + else if(strcmp(opt, "cache-max-negative-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->max_negative_ttl = atoi(val); MAX_NEG_TTL=(time_t)cfg->max_negative_ttl;} + else if(strcmp(opt, "cache-min-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;} + else if(strcmp(opt, "infra-cache-min-rtt:") == 0) { + IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val); + RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt; + } + else if(strcmp(opt, "infra-cache-max-rtt:") == 0) { + IS_NUMBER_OR_ZERO; cfg->infra_cache_max_rtt = atoi(val); + RTT_MAX_TIMEOUT=cfg->infra_cache_max_rtt; + USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT; + BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4; + } + else S_YNO("infra-keep-probing:", infra_keep_probing) + else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl) + else S_POW2("infra-cache-slabs:", infra_cache_slabs) + else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts) + else S_NUMBER_OR_ZERO("delay-close:", delay_close) + else S_YNO("udp-connect:", udp_connect) + else S_STR("chroot:", chrootdir) + else S_STR("username:", username) + else S_STR("directory:", directory) + else S_STR("pidfile:", pidfile) + else S_YNO("hide-identity:", hide_identity) + else S_YNO("hide-version:", hide_version) + else S_YNO("hide-trustanchor:", hide_trustanchor) + else S_YNO("hide-http-user-agent:", hide_http_user_agent) + else S_STR("identity:", identity) + else S_STR("version:", version) + else S_STR("http-user-agent:", http_user_agent) + else if(strcmp(opt, "nsid:") == 0) { + free(cfg->nsid_cfg_str); + if (!(cfg->nsid_cfg_str = strdup(val))) + return 0; + /* Empty string is just validly unsetting nsid */ + if (*val == 0) { + free(cfg->nsid); + cfg->nsid = NULL; + cfg->nsid_len = 0; + return 1; + } + cfg->nsid = cfg_parse_nsid(val, &cfg->nsid_len); + return cfg->nsid != NULL; + } + else S_STRLIST("root-hints:", root_hints) + else S_STR("target-fetch-policy:", target_fetch_policy) + else S_YNO("harden-glue:", harden_glue) + else S_YNO("harden-short-bufsize:", harden_short_bufsize) + else S_YNO("harden-large-queries:", harden_large_queries) + else S_YNO("harden-dnssec-stripped:", harden_dnssec_stripped) + else S_YNO("harden-below-nxdomain:", harden_below_nxdomain) + else S_YNO("harden-referral-path:", harden_referral_path) + else S_YNO("harden-algo-downgrade:", harden_algo_downgrade) + else S_YNO("use-caps-for-id:", use_caps_bits_for_id) + else S_STRLIST("caps-whitelist:", caps_whitelist) + else S_SIZET_OR_ZERO("unwanted-reply-threshold:", unwanted_threshold) + else S_STRLIST("private-address:", private_address) + else S_STRLIST("private-domain:", private_domain) + else S_YNO("do-not-query-localhost:", donotquery_localhost) + else S_STRLIST("do-not-query-address:", donotqueryaddrs) + else S_STRLIST("auto-trust-anchor-file:", auto_trust_anchor_file_list) + else S_STRLIST("trust-anchor-file:", trust_anchor_file_list) + else S_STRLIST("trust-anchor:", trust_anchor_list) + else S_STRLIST("trusted-keys-file:", trusted_keys_file_list) + else S_YNO("trust-anchor-signaling:", trust_anchor_signaling) + else S_YNO("root-key-sentinel:", root_key_sentinel) + else S_STRLIST("domain-insecure:", domain_insecure) + else S_NUMBER_OR_ZERO("val-bogus-ttl:", bogus_ttl) + else S_YNO("val-clean-additional:", val_clean_additional) + else S_NUMBER_OR_ZERO("val-log-level:", val_log_level) + else S_YNO("val-log-squelch:", val_log_squelch) + else S_YNO("log-queries:", log_queries) + else S_YNO("log-replies:", log_replies) + else S_YNO("log-tag-queryreply:", log_tag_queryreply) + else S_YNO("log-local-actions:", log_local_actions) + else S_YNO("log-servfail:", log_servfail) + else S_YNO("val-permissive-mode:", val_permissive_mode) + else S_YNO("aggressive-nsec:", aggressive_nsec) + else S_YNO("ignore-cd-flag:", ignore_cd) + else if(strcmp(opt, "serve-expired:") == 0) + { IS_YES_OR_NO; cfg->serve_expired = (strcmp(val, "yes") == 0); + SERVE_EXPIRED = cfg->serve_expired; } + else if(strcmp(opt, "serve-expired-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->serve_expired_ttl = atoi(val); SERVE_EXPIRED_TTL=(time_t)cfg->serve_expired_ttl;} + else S_YNO("serve-expired-ttl-reset:", serve_expired_ttl_reset) + else if(strcmp(opt, "serve-expired-reply-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;} + else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) + else S_YNO("ede:", ede) + else S_YNO("ede-serve-expired:", ede_serve_expired) + else S_YNO("serve-original-ttl:", serve_original_ttl) + else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) + else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) + else S_UNSIGNED_OR_ZERO("add-holddown:", add_holddown) + else S_UNSIGNED_OR_ZERO("del-holddown:", del_holddown) + else S_UNSIGNED_OR_ZERO("keep-missing:", keep_missing) + else if(strcmp(opt, "permit-small-holddown:") == 0) + { IS_YES_OR_NO; cfg->permit_small_holddown = (strcmp(val, "yes") == 0); + autr_permit_small_holddown = cfg->permit_small_holddown; } + else S_MEMSIZE("key-cache-size:", key_cache_size) + else S_POW2("key-cache-slabs:", key_cache_slabs) + else S_MEMSIZE("neg-cache-size:", neg_cache_size) + else S_YNO("minimal-responses:", minimal_responses) + else S_YNO("rrset-roundrobin:", rrset_roundrobin) + else S_NUMBER_OR_ZERO("unknown-server-time-limit:", unknown_server_time_limit) + else S_STRLIST("local-data:", local_data) + else S_YNO("unblock-lan-zones:", unblock_lan_zones) + else S_YNO("insecure-lan-zones:", insecure_lan_zones) + else S_YNO("control-enable:", remote_control_enable) + else S_STRLIST_APPEND("control-interface:", control_ifs) + else S_NUMBER_NONZERO("control-port:", control_port) + else S_STR("server-key-file:", server_key_file) + else S_STR("server-cert-file:", server_cert_file) + else S_STR("control-key-file:", control_key_file) + else S_STR("control-cert-file:", control_cert_file) + else S_STR("module-config:", module_conf) + else S_STRLIST("python-script:", python_script) + else S_STRLIST("dynlib-file:", dynlib_file) + else S_YNO("disable-dnssec-lame-check:", disable_dnssec_lame_check) +#ifdef CLIENT_SUBNET + /* Can't set max subnet prefix here, since that value is used when + * generating the address tree. */ + /* No client-subnet-always-forward here, module registration depends on + * this option. */ +#endif +#ifdef USE_DNSTAP + else S_YNO("dnstap-enable:", dnstap) + else S_YNO("dnstap-bidirectional:", dnstap_bidirectional) + else S_STR("dnstap-socket-path:", dnstap_socket_path) + else S_STR("dnstap-ip:", dnstap_ip) + else S_YNO("dnstap-tls:", dnstap_tls) + else S_STR("dnstap-tls-server-name:", dnstap_tls_server_name) + else S_STR("dnstap-tls-cert-bundle:", dnstap_tls_cert_bundle) + else S_STR("dnstap-tls-client-key-file:", dnstap_tls_client_key_file) + else S_STR("dnstap-tls-client-cert-file:", + dnstap_tls_client_cert_file) + else S_YNO("dnstap-send-identity:", dnstap_send_identity) + else S_YNO("dnstap-send-version:", dnstap_send_version) + else S_STR("dnstap-identity:", dnstap_identity) + else S_STR("dnstap-version:", dnstap_version) + else S_YNO("dnstap-log-resolver-query-messages:", + dnstap_log_resolver_query_messages) + else S_YNO("dnstap-log-resolver-response-messages:", + dnstap_log_resolver_response_messages) + else S_YNO("dnstap-log-client-query-messages:", + dnstap_log_client_query_messages) + else S_YNO("dnstap-log-client-response-messages:", + dnstap_log_client_response_messages) + else S_YNO("dnstap-log-forwarder-query-messages:", + dnstap_log_forwarder_query_messages) + else S_YNO("dnstap-log-forwarder-response-messages:", + dnstap_log_forwarder_response_messages) +#endif +#ifdef USE_DNSCRYPT + else S_YNO("dnscrypt-enable:", dnscrypt) + else S_NUMBER_NONZERO("dnscrypt-port:", dnscrypt_port) + else S_STR("dnscrypt-provider:", dnscrypt_provider) + else S_STRLIST_UNIQ("dnscrypt-provider-cert:", dnscrypt_provider_cert) + else S_STRLIST("dnscrypt-provider-cert-rotated:", dnscrypt_provider_cert_rotated) + else S_STRLIST_UNIQ("dnscrypt-secret-key:", dnscrypt_secret_key) + else S_MEMSIZE("dnscrypt-shared-secret-cache-size:", + dnscrypt_shared_secret_cache_size) + else S_POW2("dnscrypt-shared-secret-cache-slabs:", + dnscrypt_shared_secret_cache_slabs) + else S_MEMSIZE("dnscrypt-nonce-cache-size:", + dnscrypt_nonce_cache_size) + else S_POW2("dnscrypt-nonce-cache-slabs:", + dnscrypt_nonce_cache_slabs) +#endif + else if(strcmp(opt, "ip-ratelimit:") == 0) { + IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val); + infra_ip_ratelimit=cfg->ip_ratelimit; + } + else if(strcmp(opt, "ratelimit:") == 0) { + IS_NUMBER_OR_ZERO; cfg->ratelimit = atoi(val); + infra_dp_ratelimit=cfg->ratelimit; + } + else S_MEMSIZE("ip-ratelimit-size:", ip_ratelimit_size) + else S_MEMSIZE("ratelimit-size:", ratelimit_size) + else S_POW2("ip-ratelimit-slabs:", ip_ratelimit_slabs) + else S_POW2("ratelimit-slabs:", ratelimit_slabs) + else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor) + else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) + else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff) + else S_YNO("ratelimit-backoff:", ratelimit_backoff) + else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry) ++ else S_NUMBER_NONZERO("max-sent-count:", max_sent_count) ++ else S_NUMBER_NONZERO("max-query-restarts:", max_query_restarts) + else S_SIZET_NONZERO("fast-server-num:", fast_server_num) + else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) + else S_YNO("qname-minimisation:", qname_minimisation) + else S_YNO("qname-minimisation-strict:", qname_minimisation_strict) + else S_YNO("pad-responses:", pad_responses) + else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size) + else S_YNO("pad-queries:", pad_queries) + else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size) + else S_STRLIST("proxy-protocol-port:", proxy_protocol_port) +#ifdef USE_IPSECMOD + else S_YNO("ipsecmod-enabled:", ipsecmod_enabled) + else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus) + else if(strcmp(opt, "ipsecmod-max-ttl:") == 0) + { IS_NUMBER_OR_ZERO; cfg->ipsecmod_max_ttl = atoi(val); } + else S_YNO("ipsecmod-strict:", ipsecmod_strict) +#endif + else if(strcmp(opt, "define-tag:") ==0) { + return config_add_tag(cfg, val); + /* val_sig_skew_min, max and val_max_restart are copied into val_env + * during init so this does not update val_env with set_option */ + } else if(strcmp(opt, "val-sig-skew-min:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_min = (int32_t)atoi(val); } + else if(strcmp(opt, "val-sig-skew-max:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_sig_skew_max = (int32_t)atoi(val); } + else if(strcmp(opt, "val-max-restart:") == 0) + { IS_NUMBER_OR_ZERO; cfg->val_max_restart = (int32_t)atoi(val); } + else if (strcmp(opt, "outgoing-interface:") == 0) { + char* d = strdup(val); + char** oi = + (char**)reallocarray(NULL, (size_t)cfg->num_out_ifs+1, sizeof(char*)); + if(!d || !oi) { free(d); free(oi); return -1; } + if(cfg->out_ifs && cfg->num_out_ifs) { + memmove(oi, cfg->out_ifs, cfg->num_out_ifs*sizeof(char*)); + free(cfg->out_ifs); + } + oi[cfg->num_out_ifs++] = d; + cfg->out_ifs = oi; + } else { + /* unknown or unsupported (from the set_option interface): + * interface, outgoing-interface, access-control, + * stub-zone, name, stub-addr, stub-host, stub-prime + * forward-first, stub-first, forward-ssl-upstream, + * stub-ssl-upstream, forward-zone, auth-zone + * name, forward-addr, forward-host, + * ratelimit-for-domain, ratelimit-below-domain, + * local-zone-tag, access-control-view, interface-*, + * send-client-subnet, client-subnet-always-forward, + * max-client-subnet-ipv4, max-client-subnet-ipv6, + * min-client-subnet-ipv4, min-client-subnet-ipv6, + * max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook, + * ipsecmod_whitelist. */ + return 0; + } + return 1; *** 3413 LINES SKIPPED ***