mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
do not allow cache snooping by default.
git-svn-id: file:///svn/unbound/trunk@1220 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
a66e16cb31
commit
01cabbebc1
@ -124,6 +124,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
|
||||
control = acl_deny;
|
||||
else if(strcmp(s2, "refuse") == 0)
|
||||
control = acl_refuse;
|
||||
else if(strcmp(s2, "allow_snoop") == 0)
|
||||
control = acl_allow_snoop;
|
||||
else {
|
||||
log_err("access control type %s unknown", str);
|
||||
return 0;
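Review bot: The unknown-action branch at the end of this chain logs `str` rather than `s2`, although every comparison in the chain tests `s2`. If `str` is the netblock argument, as the signature suggests, a misspelt action (for example a typo in `allow_snoop`) would be reported with the address instead of the rejected word. `log_err("access control type %s unknown", s2);` would name the value that actually failed to match. The line predates this change, and the function body starts and ends outside the hunk.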
|
||||
|
@ -55,8 +55,10 @@ enum acl_access {
|
||||
acl_deny = 0,
|
||||
/** disallow access, send a polite 'REFUSED' reply */
|
||||
acl_refuse,
|
||||
/** allow full access */
|
||||
acl_allow
|
||||
/** allow full access for recursion (+RD) queries */
|
||||
acl_allow,
|
||||
/** allow full access for all queries, recursion and cache snooping */
|
||||
acl_allow_snoop
|
||||
};
|
||||
|
||||
/**
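Review bot: The new doc comment on `acl_allow` still reads "full access", but after this commit `acl_allow` clients are refused nonrecursive answers from the cache; per the man page text in this commit, only local-data is served to them without RD. A wording such as `/** allow recursive (+RD) queries; nonrecursive queries get local-data only, cache answers are refused */` would match the behaviour. It is also worth noting here that worker.c tests `acl != acl_allow_snoop` by equality, so any later enum value meant to permit nonrecursive cache access has to be added to that test explicitly.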
|
||||
|
@ -785,6 +785,19 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
||||
c->buffer, worker->scratchpad)) {
|
||||
return (ldns_buffer_limit(c->buffer) != 0);
|
||||
}
|
||||
if(!(LDNS_RD_WIRE(ldns_buffer_begin(c->buffer))) &&
|
||||
acl != acl_allow_snoop ) {
|
||||
ldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
|
||||
ldns_buffer_write_at(c->buffer, 4,
|
||||
(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
|
||||
LDNS_QR_SET(ldns_buffer_begin(c->buffer));
|
||||
LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
|
||||
LDNS_RCODE_REFUSED);
|
||||
ldns_buffer_flip(c->buffer);
|
||||
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
|
||||
&repinfo->addr, repinfo->addrlen);
|
||||
return 1;
|
||||
}
|
||||
h = query_info_hash(&qinfo);
|
||||
if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
|
||||
/* answer from cache - we have acquired a readlock on it */
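Review bot: The REFUSED reply in the new `if` block is built in place on the client's own header: bytes 4-11 (the four section counts) are zeroed and QR and the rcode are set, but the other flag bits stay as the client sent them, and the question is cut off by the new limit. Unless the flags are normalised earlier in worker_handle_request (not visible in this hunk), bits such as AA, TC or AD set in a crafted query would be reflected in the reply; resetting the flags word to a known value before setting QR and the rcode would avoid that. The block also lacks a comment, e.g. `/* nonrecursive query would be answered from cache only: refuse unless the ACL is allow_snoop */`, to record why it sits before the cache lookup. Refusals are logged only at VERB_ALGO, so operators who want to notice snooping attempts will not see them at default verbosity.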
|
||||
|
@ -1,3 +1,9 @@
|
||||
1 September 2008: Wouter
|
||||
- disallow nonrecursive queries for cache snooping by default.
|
||||
You can allow is using access-control: <subnet> allow_snoop.
|
||||
The defaults do allow access no authoritative data without RD bit.
|
||||
- two tests for it and fixups of tests for nonrec refused.
|
||||
|
||||
29 August 2008: Wouter
|
||||
- version 1.1 number in trunk.
|
||||
- harden-referral-path option for query for NS records.
|
||||
|
@ -134,7 +134,8 @@ server:
|
||||
# control which clients are allowed to make (recursive) queries
|
||||
# to this server. Specify classless netblocks with /size and action.
|
||||
# By default everything is refused, except for localhost.
|
||||
# Choose deny (drop message), refuse (polite error reply), allow.
|
||||
# Choose deny (drop message), refuse (polite error reply),
|
||||
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
|
||||
# access-control: 0.0.0.0/0 refuse
|
||||
# access-control: 127.0.0.0/8 allow
|
||||
# access-control: ::0/0 refuse
|
||||
|
5
doc/plan
5
doc/plan
@ -31,8 +31,6 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
|
||||
because of the added load to 3rd parties.
|
||||
* block nonRD queries, acl like.
|
||||
what about our authority features, those are allowed.
|
||||
one option that controls on/off of all private space.
|
||||
note in config/man that we may consider turning on by default.
|
||||
* DoS vector, flush more.
|
||||
50% of max is for run-to-completion
|
||||
50% rest is for lifo queue with 100 msec timeout.
|
||||
@ -41,6 +39,8 @@ if they have no signer or a different signed. Validate if you can,
|
||||
otherwise leave unchecked.
|
||||
* block DNS rebinding attacks, block all A records from 1918 IP blocks,
|
||||
like dnswall does. Allow certain subdomains to do it, config options.
|
||||
one option that controls on/off of all private space.
|
||||
note in config/man that we may consider turning on by default.
|
||||
|
||||
*** Remote control feature
|
||||
* remote control using a TCP unbound-control commandline app.
|
||||
@ -64,6 +64,7 @@ like dnswall does. Allow certain subdomains to do it, config options.
|
||||
*** Requested
|
||||
* fallback to noEDNS if all queries are dropped.
|
||||
* dnssec lameness fixen. Check to make sure.
|
||||
* negative caching to avoid DS queries, NSEC, NSEC3 (w params).
|
||||
* SHA256 supported fully.
|
||||
* Make stub to localhost on different port work.
|
||||
* IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
|
||||
|
@ -238,14 +238,36 @@ a daemon. Default is yes.
|
||||
.TP
|
||||
.B access\-control: \fI<IP netblock> <action>
|
||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||
classless network block. The action can be deny, refuse or allow.
|
||||
Deny stops queries from hosts from that netblock.
|
||||
Refuse stops queries too, but sends a DNS rcode REFUSED error message back.
|
||||
Allow gives access to clients from that netblock.
|
||||
By default only localhost is allowed, the rest is refused.
|
||||
The default is refused, because that is protocol\-friendly. The DNS protocol
|
||||
is not designed to handle dropped packets due to policy, and dropping may
|
||||
result in (possibly excessive) retried queries.
|
||||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR or \fIallow_snoop\fR.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
.IP
|
||||
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
|
||||
error message back.
|
||||
.IP
|
||||
The action \fIallow\fR gives access to clients from that netblock.
|
||||
It gives only access for recursion clients (which is
|
||||
what almost all clients need). Nonrecursive queries are refused.
|
||||
.IP
|
||||
The \fIallow\fR action does allow nonrecursive queries to access the
|
||||
local\-data that is configured. The reason is that this does not involve
|
||||
the unbound server recursive lookup algorithm, and static data is served
|
||||
in the reply. This supports normal operations where nonrecursive queries
|
||||
are made for the authoritative data. For nonrecursive queries any replies
|
||||
from the dynamic cache are refused.
|
||||
.IP
|
||||
The action \fIallow_snoop\fR gives nonrecursive access too. This give
|
||||
both recursive and non recursive access. The name \fIallow_snoop\fR refers
|
||||
to cache snooping, a technique to use nonrecursive queries to examine
|
||||
the cache contents (for malicious acts). However, nonrecursive queries can
|
||||
also be a valuable debugging tool (when you want to examine the cache
|
||||
contents). In that case use \fIallow_snoop\fR for your administration host.
|
||||
.IP
|
||||
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||
protocol is not designed to handle dropped packets due to policy, and
|
||||
dropping may result in (possibly excessive) retried queries.
|
||||
.TP
|
||||
.B chroot: \fI<directory>
|
||||
If chroot is enabled, you should pass the configfile (from the
|
||||
|
@ -381,11 +381,13 @@ fake_pending_callback(struct replay_runtime* runtime,
|
||||
struct fake_pending* p = runtime->pending_list;
|
||||
struct comm_reply repinfo;
|
||||
struct comm_point c;
|
||||
void* cb_arg = p->cb_arg;
|
||||
comm_point_callback_t* cb = p->callback;
|
||||
void* cb_arg;
|
||||
comm_point_callback_t* cb;
|
||||
|
||||
memset(&c, 0, sizeof(c));
|
||||
if(!p) fatal_exit("No pending queries.");
|
||||
cb_arg = p->cb_arg;
|
||||
cb = p->callback;
|
||||
log_assert(todo->qname == NULL); /* or find that one */
|
||||
c.buffer = ldns_buffer_new(runtime->bufsize);
|
||||
c.type = comm_udp;
|
||||
|
1
testdata/fwd.rpl
vendored
1
testdata/fwd.rpl
vendored
@ -24,6 +24,7 @@ RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
3
testdata/fwd_error.rpl
vendored
3
testdata/fwd_error.rpl
vendored
@ -4,6 +4,7 @@ CONFIG_END
|
||||
SCENARIO_BEGIN Forwarder and an error happens on server query.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
REPLY SERVFAIL QR RA
|
||||
REPLY SERVFAIL QR RD RA
|
||||
MATCH all
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
2
testdata/fwd_notcached.rpl
vendored
2
testdata/fwd_notcached.rpl
vendored
@ -14,6 +14,7 @@ SCENARIO_BEGIN Query receives answer not from the cache
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
@ -50,6 +51,7 @@ ENTRY_END
|
||||
; another query, different, so not from cache.
|
||||
STEP 5 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.net. IN A
|
||||
ENTRY_END
|
||||
|
3
testdata/fwd_timeout.rpl
vendored
3
testdata/fwd_timeout.rpl
vendored
@ -4,6 +4,7 @@ CONFIG_END
|
||||
SCENARIO_BEGIN Forwarder and a timeout happens on server query.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH opcode qname qtype
|
||||
SECTION QUESTION
|
||||
REPLY SERVFAIL QR RA
|
||||
REPLY SERVFAIL QR RA RD
|
||||
MATCH all
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
|
2
testdata/fwd_two.rpl
vendored
2
testdata/fwd_two.rpl
vendored
@ -26,6 +26,7 @@ RANGE_END
|
||||
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.com. IN A
|
||||
ENTRY_END
|
||||
@ -43,6 +44,7 @@ STEP 3 NOTHING
|
||||
; another query
|
||||
STEP 4 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
www.example.net. IN A
|
||||
ENTRY_END
|
||||
|
BIN
testdata/local_norec.tpkg
vendored
Normal file
BIN
testdata/local_norec.tpkg
vendored
Normal file
Binary file not shown.
BIN
testdata/local_nosnoop.tpkg
vendored
Normal file
BIN
testdata/local_nosnoop.tpkg
vendored
Normal file
Binary file not shown.
1
testdata/val_refer_unsignadd.rpl
vendored
1
testdata/val_refer_unsignadd.rpl
vendored
@ -4,6 +4,7 @@ server:
|
||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||
trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
|
||||
val-override-date: "20070916134226"
|
||||
access-control: 127.0.0.1 allow_snoop
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
|
1
testdata/val_referd.rpl
vendored
1
testdata/val_referd.rpl
vendored
@ -4,6 +4,7 @@ server:
|
||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||
val-override-date: "20070916134226"
|
||||
harden-referral-path: yes
|
||||
access-control: 127.0.0.1 allow_snoop
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
|
1
testdata/val_referglue.rpl
vendored
1
testdata/val_referglue.rpl
vendored
@ -4,6 +4,7 @@ server:
|
||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||
val-override-date: "20070916134226"
|
||||
directory: ""
|
||||
access-control: 127.0.0.1 allow_snoop
|
||||
|
||||
stub-zone:
|
||||
name: "."
|
||||
|
12
testdata/version_bind_hide.rpl
vendored
12
testdata/version_bind_hide.rpl
vendored
@ -11,13 +11,14 @@ SCENARIO_BEGIN Test config hide options for identity and version queries
|
||||
; version.bind.
|
||||
STEP 1 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
version.bind. CH TXT
|
||||
ENTRY_END
|
||||
STEP 2 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RA REFUSED
|
||||
REPLY QR RD RA REFUSED
|
||||
SECTION QUESTION
|
||||
version.bind. CH TXT
|
||||
ENTRY_END
|
||||
@ -25,13 +26,14 @@ ENTRY_END
|
||||
; version.server.
|
||||
STEP 3 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
version.server. CH TXT
|
||||
ENTRY_END
|
||||
STEP 4 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RA REFUSED
|
||||
REPLY QR RD RA REFUSED
|
||||
SECTION QUESTION
|
||||
version.server. CH TXT
|
||||
ENTRY_END
|
||||
@ -39,13 +41,14 @@ ENTRY_END
|
||||
; hostname.bind.
|
||||
STEP 5 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
hostname.bind. CH TXT
|
||||
ENTRY_END
|
||||
STEP 6 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RA REFUSED
|
||||
REPLY QR RD RA REFUSED
|
||||
SECTION QUESTION
|
||||
hostname.bind. CH TXT
|
||||
ENTRY_END
|
||||
@ -53,13 +56,14 @@ ENTRY_END
|
||||
; id.server.
|
||||
STEP 7 QUERY
|
||||
ENTRY_BEGIN
|
||||
REPLY RD
|
||||
SECTION QUESTION
|
||||
id.server. CH TXT
|
||||
ENTRY_END
|
||||
STEP 8 CHECK_ANSWER
|
||||
ENTRY_BEGIN
|
||||
MATCH all
|
||||
REPLY QR RA REFUSED
|
||||
REPLY QR RD RA REFUSED
|
||||
SECTION QUESTION
|
||||
id.server. CH TXT
|
||||
ENTRY_END
|
||||
|
@ -666,9 +666,9 @@ static const yytype_uint16 yyrline[] =
|
||||
374, 381, 389, 396, 403, 410, 417, 425, 433, 440,
|
||||
449, 458, 465, 472, 483, 491, 504, 513, 521, 534,
|
||||
543, 552, 561, 570, 583, 590, 600, 610, 620, 630,
|
||||
640, 650, 657, 667, 680, 687, 705, 714, 723, 733,
|
||||
743, 750, 758, 771, 779, 798, 805, 812, 819, 826,
|
||||
833, 840
|
||||
640, 650, 657, 667, 681, 688, 706, 715, 724, 734,
|
||||
744, 751, 759, 772, 780, 799, 806, 813, 820, 827,
|
||||
834, 841
|
||||
};
|
||||
#endif
|
||||
|
||||
@ -2420,9 +2420,10 @@ yyreduce:
|
||||
{
|
||||
OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
|
||||
if(strcmp((yyvsp[(3) - (3)].str), "deny")!=0 && strcmp((yyvsp[(3) - (3)].str), "refuse")!=0 &&
|
||||
strcmp((yyvsp[(3) - (3)].str), "allow")!=0) {
|
||||
yyerror("expected deny, refuse or allow in "
|
||||
"access control action");
|
||||
strcmp((yyvsp[(3) - (3)].str), "allow")!=0 &&
|
||||
strcmp((yyvsp[(3) - (3)].str), "allow_snoop")!=0) {
|
||||
yyerror("expected deny, refuse, allow or allow_snoop "
|
||||
"in access control action");
|
||||
} else {
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)))
|
||||
fatal_exit("out of memory adding acl");
|
||||
@ -2431,7 +2432,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 144:
|
||||
#line 681 "util/configparser.y"
|
||||
#line 682 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
free(cfg_parser->cfg->module_conf);
|
||||
@ -2440,7 +2441,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 145:
|
||||
#line 688 "util/configparser.y"
|
||||
#line 689 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(strlen((yyvsp[(2) - (2)].str)) == 0 || strcmp((yyvsp[(2) - (2)].str), "0") == 0) {
|
||||
@ -2460,7 +2461,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 146:
|
||||
#line 706 "util/configparser.y"
|
||||
#line 707 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
|
||||
@ -2471,7 +2472,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 147:
|
||||
#line 715 "util/configparser.y"
|
||||
#line 716 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
|
||||
@ -2482,7 +2483,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 148:
|
||||
#line 724 "util/configparser.y"
|
||||
#line 725 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
|
||||
@ -2494,7 +2495,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 149:
|
||||
#line 734 "util/configparser.y"
|
||||
#line 735 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
|
||||
@ -2506,7 +2507,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 150:
|
||||
#line 744 "util/configparser.y"
|
||||
#line 745 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
free(cfg_parser->cfg->val_nsec3_key_iterations);
|
||||
@ -2515,7 +2516,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 151:
|
||||
#line 751 "util/configparser.y"
|
||||
#line 752 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->key_cache_size))
|
||||
@ -2525,7 +2526,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 152:
|
||||
#line 759 "util/configparser.y"
|
||||
#line 760 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(atoi((yyvsp[(2) - (2)].str)) == 0)
|
||||
@ -2540,7 +2541,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 153:
|
||||
#line 772 "util/configparser.y"
|
||||
#line 773 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->neg_cache_size))
|
||||
@ -2550,7 +2551,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 154:
|
||||
#line 780 "util/configparser.y"
|
||||
#line 781 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
|
||||
if(strcmp((yyvsp[(3) - (3)].str), "static")!=0 && strcmp((yyvsp[(3) - (3)].str), "deny")!=0 &&
|
||||
@ -2571,7 +2572,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 155:
|
||||
#line 799 "util/configparser.y"
|
||||
#line 800 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[(2) - (2)].str)))
|
||||
@ -2580,7 +2581,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 156:
|
||||
#line 806 "util/configparser.y"
|
||||
#line 807 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
free(cfg_parser->cfg->stubs->name);
|
||||
@ -2589,7 +2590,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 157:
|
||||
#line 813 "util/configparser.y"
|
||||
#line 814 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[(2) - (2)].str)))
|
||||
@ -2598,7 +2599,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 158:
|
||||
#line 820 "util/configparser.y"
|
||||
#line 821 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[(2) - (2)].str)))
|
||||
@ -2607,7 +2608,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 159:
|
||||
#line 827 "util/configparser.y"
|
||||
#line 828 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
free(cfg_parser->cfg->forwards->name);
|
||||
@ -2616,7 +2617,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 160:
|
||||
#line 834 "util/configparser.y"
|
||||
#line 835 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[(2) - (2)].str)))
|
||||
@ -2625,7 +2626,7 @@ yyreduce:
|
||||
break;
|
||||
|
||||
case 161:
|
||||
#line 841 "util/configparser.y"
|
||||
#line 842 "util/configparser.y"
|
||||
{
|
||||
OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[(2) - (2)].str)))
|
||||
@ -2635,7 +2636,7 @@ yyreduce:
|
||||
|
||||
|
||||
/* Line 1267 of yacc.c. */
|
||||
#line 2639 "util/configparser.c"
|
||||
#line 2640 "util/configparser.c"
|
||||
default: break;
|
||||
}
|
||||
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
|
||||
@ -2849,7 +2850,7 @@ yyreturn:
|
||||
}
|
||||
|
||||
|
||||
#line 847 "util/configparser.y"
|
||||
#line 848 "util/configparser.y"
|
||||
|
||||
|
||||
/* parse helper routines could be here */
|
||||
|
@ -668,9 +668,10 @@ server_access_control: VAR_ACCESS_CONTROL STRING STRING
|
||||
{
|
||||
OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
|
||||
if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
|
||||
strcmp($3, "allow")!=0) {
|
||||
yyerror("expected deny, refuse or allow in "
|
||||
"access control action");
|
||||
strcmp($3, "allow")!=0 &&
|
||||
strcmp($3, "allow_snoop")!=0) {
|
||||
yyerror("expected deny, refuse, allow or allow_snoop "
|
||||
"in access control action");
|
||||
} else {
|
||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
|
||||
fatal_exit("out of memory adding acl");
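Review bot: The accepted action words are now spelled out in two places that must agree: this `strcmp` chain with its `yyerror` text, and the chain in acl_list_str_cfg shown in the first hunk of this commit. A comment above the condition, e.g. `/* keep in sync with acl_list_str_cfg() */`, would make it harder for a future action to be added to one list only, which would leave it either rejected by the parser or accepted and then failing at ACL setup. The rule's body ends outside the hunk.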
|
||||
|