mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 06:37:08 +00:00
do not allow cache snooping by default.
git-svn-id: file:///svn/unbound/trunk@1220 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
a66e16cb31
commit
01cabbebc1
@ -124,6 +124,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
|
|||||||
control = acl_deny;
|
control = acl_deny;
|
||||||
else if(strcmp(s2, "refuse") == 0)
|
else if(strcmp(s2, "refuse") == 0)
|
||||||
control = acl_refuse;
|
control = acl_refuse;
|
||||||
|
else if(strcmp(s2, "allow_snoop") == 0)
|
||||||
|
control = acl_allow_snoop;
|
||||||
else {
|
else {
|
||||||
log_err("access control type %s unknown", str);
|
log_err("access control type %s unknown", str);
|
||||||
return 0;
|
return 0;
|
||||||
|
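Review bot: The fall-through `log_err("access control type %s unknown", str);` reports `str`, while every comparison in this chain, including the new `allow_snoop` branch, tests `s2`. From the visible lines `str` looks like the netblock argument, so a misspelled action would be reported with the wrong token. Now that a mistyped `allow_snoop` is a plausible configuration error, logging the action would be more useful: `log_err("access control type %s unknown", s2);`. acl_list_str_cfg starts and ends outside the hunk, so the roles of `str` and `s2` should be confirmed against the full function.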
@ -55,8 +55,10 @@ enum acl_access {
|
|||||||
acl_deny = 0,
|
acl_deny = 0,
|
||||||
/** disallow access, send a polite 'REFUSED' reply */
|
/** disallow access, send a polite 'REFUSED' reply */
|
||||||
acl_refuse,
|
acl_refuse,
|
||||||
/** allow full access */
|
/** allow full access for recursion (+RD) queries */
|
||||||
acl_allow
|
acl_allow,
|
||||||
|
/** allow full access for all queries, recursion and cache snooping */
|
||||||
|
acl_allow_snoop
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
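Review bot: Narrowing `acl_allow` to recursion-only and adding `acl_allow_snoop` changes what existing equality tests against `acl_allow` mean: a caller written as `acl == acl_allow` now excludes `acl_allow_snoop` clients, and one written as `acl != acl_allow` would now reject them. No such caller is visible in this hunk, so this is something to confirm across the users of the ACL lookup result rather than a defect shown here. If the enum order is meant to be relied on, the header should say so, for example `/** values are ordered from least to most access; acl_allow_snoop includes everything acl_allow permits */`.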
@ -785,6 +785,19 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
|
|||||||
c->buffer, worker->scratchpad)) {
|
c->buffer, worker->scratchpad)) {
|
||||||
return (ldns_buffer_limit(c->buffer) != 0);
|
return (ldns_buffer_limit(c->buffer) != 0);
|
||||||
}
|
}
|
||||||
|
if(!(LDNS_RD_WIRE(ldns_buffer_begin(c->buffer))) &&
|
||||||
|
acl != acl_allow_snoop ) {
|
||||||
|
ldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
|
||||||
|
ldns_buffer_write_at(c->buffer, 4,
|
||||||
|
(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
|
||||||
|
LDNS_QR_SET(ldns_buffer_begin(c->buffer));
|
||||||
|
LDNS_RCODE_SET(ldns_buffer_begin(c->buffer),
|
||||||
|
LDNS_RCODE_REFUSED);
|
||||||
|
ldns_buffer_flip(c->buffer);
|
||||||
|
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
|
||||||
|
&repinfo->addr, repinfo->addrlen);
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
h = query_info_hash(&qinfo);
|
h = query_info_hash(&qinfo);
|
||||||
if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
|
if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
|
||||||
/* answer from cache - we have acquired a readlock on it */
|
/* answer from cache - we have acquired a readlock on it */
|
||||||
|
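Review bot: The refusal of a non-recursive query is only reported through `log_addr(VERB_ALGO, ...)`, so a server running at lower verbosity keeps no record of clients probing the cache; if the worker keeps query or rcode statistics (not visible here), this branch should feed them so that snooping attempts can be noticed. The reply length also depends on state set outside the hunk: `ldns_buffer_flip` takes the new limit from the current position, so the full 12-byte REFUSED header is sent only if the position was already at or past `LDNS_HEADER_SIZE` when `ldns_buffer_set_limit` clamped it. A short comment on the branch would record the intent, for example `/* nonrecursive query that reached the cache lookup: answering would reveal cache contents, so refuse unless the client is allow_snoop */`. worker_handle_request starts and ends outside the hunk.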
@ -1,3 +1,9 @@
|
|||||||
|
1 September 2008: Wouter
|
||||||
|
- disallow nonrecursive queries for cache snooping by default.
|
||||||
|
You can allow is using access-control: <subnet> allow_snoop.
|
||||||
|
The defaults do allow access no authoritative data without RD bit.
|
||||||
|
- two tests for it and fixups of tests for nonrec refused.
|
||||||
|
|
||||||
29 August 2008: Wouter
|
29 August 2008: Wouter
|
||||||
- version 1.1 number in trunk.
|
- version 1.1 number in trunk.
|
||||||
- harden-referral-path option for query for NS records.
|
- harden-referral-path option for query for NS records.
|
||||||
|
@ -134,7 +134,8 @@ server:
|
|||||||
# control which clients are allowed to make (recursive) queries
|
# control which clients are allowed to make (recursive) queries
|
||||||
# to this server. Specify classless netblocks with /size and action.
|
# to this server. Specify classless netblocks with /size and action.
|
||||||
# By default everything is refused, except for localhost.
|
# By default everything is refused, except for localhost.
|
||||||
# Choose deny (drop message), refuse (polite error reply), allow.
|
# Choose deny (drop message), refuse (polite error reply),
|
||||||
|
# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
|
||||||
# access-control: 0.0.0.0/0 refuse
|
# access-control: 0.0.0.0/0 refuse
|
||||||
# access-control: 127.0.0.0/8 allow
|
# access-control: 127.0.0.0/8 allow
|
||||||
# access-control: ::0/0 refuse
|
# access-control: ::0/0 refuse
|
||||||
|
5
doc/plan
5
doc/plan
@ -31,8 +31,6 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
|
|||||||
because of the added load to 3rd parties.
|
because of the added load to 3rd parties.
|
||||||
* block nonRD queries, acl like.
|
* block nonRD queries, acl like.
|
||||||
what about our authority features, those are allowed.
|
what about our authority features, those are allowed.
|
||||||
one option that controls on/off of all private space.
|
|
||||||
note in config/man that we may consider turning on by default.
|
|
||||||
* DoS vector, flush more.
|
* DoS vector, flush more.
|
||||||
50% of max is for run-to-completion
|
50% of max is for run-to-completion
|
||||||
50% rest is for lifo queue with 100 msec timeout.
|
50% rest is for lifo queue with 100 msec timeout.
|
||||||
@ -41,6 +39,8 @@ if they have no signer or a different signed. Validate if you can,
|
|||||||
otherwise leave unchecked.
|
otherwise leave unchecked.
|
||||||
* block DNS rebinding attacks, block all A records from 1918 IP blocks,
|
* block DNS rebinding attacks, block all A records from 1918 IP blocks,
|
||||||
like dnswall does. Allow certain subdomains to do it, config options.
|
like dnswall does. Allow certain subdomains to do it, config options.
|
||||||
|
one option that controls on/off of all private space.
|
||||||
|
note in config/man that we may consider turning on by default.
|
||||||
|
|
||||||
*** Remote control feature
|
*** Remote control feature
|
||||||
* remote control using a TCP unbound-control commandline app.
|
* remote control using a TCP unbound-control commandline app.
|
||||||
@ -64,6 +64,7 @@ like dnswall does. Allow certain subdomains to do it, config options.
|
|||||||
*** Requested
|
*** Requested
|
||||||
* fallback to noEDNS if all queries are dropped.
|
* fallback to noEDNS if all queries are dropped.
|
||||||
* dnssec lameness fixen. Check to make sure.
|
* dnssec lameness fixen. Check to make sure.
|
||||||
|
* negative caching to avoid DS queries, NSEC, NSEC3 (w params).
|
||||||
* SHA256 supported fully.
|
* SHA256 supported fully.
|
||||||
* Make stub to localhost on different port work.
|
* Make stub to localhost on different port work.
|
||||||
* IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
|
* IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
|
||||||
|
@ -238,14 +238,36 @@ a daemon. Default is yes.
|
|||||||
.TP
|
.TP
|
||||||
.B access\-control: \fI<IP netblock> <action>
|
.B access\-control: \fI<IP netblock> <action>
|
||||||
The netblock is given as an IP4 or IP6 address with /size appended for a
|
The netblock is given as an IP4 or IP6 address with /size appended for a
|
||||||
classless network block. The action can be deny, refuse or allow.
|
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||||
Deny stops queries from hosts from that netblock.
|
\fIallow\fR or \fIallow_snoop\fR.
|
||||||
Refuse stops queries too, but sends a DNS rcode REFUSED error message back.
|
.IP
|
||||||
Allow gives access to clients from that netblock.
|
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||||
By default only localhost is allowed, the rest is refused.
|
.IP
|
||||||
The default is refused, because that is protocol\-friendly. The DNS protocol
|
The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED
|
||||||
is not designed to handle dropped packets due to policy, and dropping may
|
error message back.
|
||||||
result in (possibly excessive) retried queries.
|
.IP
|
||||||
|
The action \fIallow\fR gives access to clients from that netblock.
|
||||||
|
It gives only access for recursion clients (which is
|
||||||
|
what almost all clients need). Nonrecursive queries are refused.
|
||||||
|
.IP
|
||||||
|
The \fIallow\fR action does allow nonrecursive queries to access the
|
||||||
|
local\-data that is configured. The reason is that this does not involve
|
||||||
|
the unbound server recursive lookup algorithm, and static data is served
|
||||||
|
in the reply. This supports normal operations where nonrecursive queries
|
||||||
|
are made for the authoritative data. For nonrecursive queries any replies
|
||||||
|
from the dynamic cache are refused.
|
||||||
|
.IP
|
||||||
|
The action \fIallow_snoop\fR gives nonrecursive access too. This give
|
||||||
|
both recursive and non recursive access. The name \fIallow_snoop\fR refers
|
||||||
|
to cache snooping, a technique to use nonrecursive queries to examine
|
||||||
|
the cache contents (for malicious acts). However, nonrecursive queries can
|
||||||
|
also be a valuable debugging tool (when you want to examine the cache
|
||||||
|
contents). In that case use \fIallow_snoop\fR for your administration host.
|
||||||
|
.IP
|
||||||
|
By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
|
||||||
|
The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS
|
||||||
|
protocol is not designed to handle dropped packets due to policy, and
|
||||||
|
dropping may result in (possibly excessive) retried queries.
|
||||||
.TP
|
.TP
|
||||||
.B chroot: \fI<directory>
|
.B chroot: \fI<directory>
|
||||||
If chroot is enabled, you should pass the configfile (from the
|
If chroot is enabled, you should pass the configfile (from the
|
||||||
|
@ -381,11 +381,13 @@ fake_pending_callback(struct replay_runtime* runtime,
|
|||||||
struct fake_pending* p = runtime->pending_list;
|
struct fake_pending* p = runtime->pending_list;
|
||||||
struct comm_reply repinfo;
|
struct comm_reply repinfo;
|
||||||
struct comm_point c;
|
struct comm_point c;
|
||||||
void* cb_arg = p->cb_arg;
|
void* cb_arg;
|
||||||
comm_point_callback_t* cb = p->callback;
|
comm_point_callback_t* cb;
|
||||||
|
|
||||||
memset(&c, 0, sizeof(c));
|
memset(&c, 0, sizeof(c));
|
||||||
if(!p) fatal_exit("No pending queries.");
|
if(!p) fatal_exit("No pending queries.");
|
||||||
|
cb_arg = p->cb_arg;
|
||||||
|
cb = p->callback;
|
||||||
log_assert(todo->qname == NULL); /* or find that one */
|
log_assert(todo->qname == NULL); /* or find that one */
|
||||||
c.buffer = ldns_buffer_new(runtime->bufsize);
|
c.buffer = ldns_buffer_new(runtime->bufsize);
|
||||||
c.type = comm_udp;
|
c.type = comm_udp;
|
||||||
|
1
testdata/fwd.rpl
vendored
1
testdata/fwd.rpl
vendored
@ -24,6 +24,7 @@ RANGE_END
|
|||||||
|
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
3
testdata/fwd_error.rpl
vendored
3
testdata/fwd_error.rpl
vendored
@ -4,6 +4,7 @@ CONFIG_END
|
|||||||
SCENARIO_BEGIN Forwarder and an error happens on server query.
|
SCENARIO_BEGIN Forwarder and an error happens on server query.
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
|
|||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
MATCH opcode qname qtype
|
MATCH opcode qname qtype
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
REPLY SERVFAIL QR RA
|
REPLY SERVFAIL QR RD RA
|
||||||
MATCH all
|
MATCH all
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
2
testdata/fwd_notcached.rpl
vendored
2
testdata/fwd_notcached.rpl
vendored
@ -14,6 +14,7 @@ SCENARIO_BEGIN Query receives answer not from the cache
|
|||||||
|
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -50,6 +51,7 @@ ENTRY_END
|
|||||||
; another query, different, so not from cache.
|
; another query, different, so not from cache.
|
||||||
STEP 5 QUERY
|
STEP 5 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.net. IN A
|
www.example.net. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
3
testdata/fwd_timeout.rpl
vendored
3
testdata/fwd_timeout.rpl
vendored
@ -4,6 +4,7 @@ CONFIG_END
|
|||||||
SCENARIO_BEGIN Forwarder and a timeout happens on server query.
|
SCENARIO_BEGIN Forwarder and a timeout happens on server query.
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
|
|||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
MATCH opcode qname qtype
|
MATCH opcode qname qtype
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
REPLY SERVFAIL QR RA
|
REPLY SERVFAIL QR RA RD
|
||||||
MATCH all
|
MATCH all
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
2
testdata/fwd_two.rpl
vendored
2
testdata/fwd_two.rpl
vendored
@ -26,6 +26,7 @@ RANGE_END
|
|||||||
|
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.com. IN A
|
www.example.com. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -43,6 +44,7 @@ STEP 3 NOTHING
|
|||||||
; another query
|
; another query
|
||||||
STEP 4 QUERY
|
STEP 4 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
www.example.net. IN A
|
www.example.net. IN A
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
BIN
testdata/local_norec.tpkg
vendored
Normal file
BIN
testdata/local_norec.tpkg
vendored
Normal file
Binary file not shown.
BIN
testdata/local_nosnoop.tpkg
vendored
Normal file
BIN
testdata/local_nosnoop.tpkg
vendored
Normal file
Binary file not shown.
1
testdata/val_refer_unsignadd.rpl
vendored
1
testdata/val_refer_unsignadd.rpl
vendored
@ -4,6 +4,7 @@ server:
|
|||||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||||
trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
|
trust-anchor: "example.net. 3600 IN DNSKEY 256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
|
||||||
val-override-date: "20070916134226"
|
val-override-date: "20070916134226"
|
||||||
|
access-control: 127.0.0.1 allow_snoop
|
||||||
|
|
||||||
stub-zone:
|
stub-zone:
|
||||||
name: "."
|
name: "."
|
||||||
|
1
testdata/val_referd.rpl
vendored
1
testdata/val_referd.rpl
vendored
@ -4,6 +4,7 @@ server:
|
|||||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||||
val-override-date: "20070916134226"
|
val-override-date: "20070916134226"
|
||||||
harden-referral-path: yes
|
harden-referral-path: yes
|
||||||
|
access-control: 127.0.0.1 allow_snoop
|
||||||
|
|
||||||
stub-zone:
|
stub-zone:
|
||||||
name: "."
|
name: "."
|
||||||
|
1
testdata/val_referglue.rpl
vendored
1
testdata/val_referglue.rpl
vendored
@ -4,6 +4,7 @@ server:
|
|||||||
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
|
||||||
val-override-date: "20070916134226"
|
val-override-date: "20070916134226"
|
||||||
directory: ""
|
directory: ""
|
||||||
|
access-control: 127.0.0.1 allow_snoop
|
||||||
|
|
||||||
stub-zone:
|
stub-zone:
|
||||||
name: "."
|
name: "."
|
||||||
|
12
testdata/version_bind_hide.rpl
vendored
12
testdata/version_bind_hide.rpl
vendored
@ -11,13 +11,14 @@ SCENARIO_BEGIN Test config hide options for identity and version queries
|
|||||||
; version.bind.
|
; version.bind.
|
||||||
STEP 1 QUERY
|
STEP 1 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
version.bind. CH TXT
|
version.bind. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
STEP 2 CHECK_ANSWER
|
STEP 2 CHECK_ANSWER
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
MATCH all
|
MATCH all
|
||||||
REPLY QR RA REFUSED
|
REPLY QR RD RA REFUSED
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
version.bind. CH TXT
|
version.bind. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -25,13 +26,14 @@ ENTRY_END
|
|||||||
; version.server.
|
; version.server.
|
||||||
STEP 3 QUERY
|
STEP 3 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
version.server. CH TXT
|
version.server. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
STEP 4 CHECK_ANSWER
|
STEP 4 CHECK_ANSWER
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
MATCH all
|
MATCH all
|
||||||
REPLY QR RA REFUSED
|
REPLY QR RD RA REFUSED
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
version.server. CH TXT
|
version.server. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -39,13 +41,14 @@ ENTRY_END
|
|||||||
; hostname.bind.
|
; hostname.bind.
|
||||||
STEP 5 QUERY
|
STEP 5 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
hostname.bind. CH TXT
|
hostname.bind. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
STEP 6 CHECK_ANSWER
|
STEP 6 CHECK_ANSWER
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
MATCH all
|
MATCH all
|
||||||
REPLY QR RA REFUSED
|
REPLY QR RD RA REFUSED
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
hostname.bind. CH TXT
|
hostname.bind. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
@ -53,13 +56,14 @@ ENTRY_END
|
|||||||
; id.server.
|
; id.server.
|
||||||
STEP 7 QUERY
|
STEP 7 QUERY
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
|
REPLY RD
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
id.server. CH TXT
|
id.server. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
STEP 8 CHECK_ANSWER
|
STEP 8 CHECK_ANSWER
|
||||||
ENTRY_BEGIN
|
ENTRY_BEGIN
|
||||||
MATCH all
|
MATCH all
|
||||||
REPLY QR RA REFUSED
|
REPLY QR RD RA REFUSED
|
||||||
SECTION QUESTION
|
SECTION QUESTION
|
||||||
id.server. CH TXT
|
id.server. CH TXT
|
||||||
ENTRY_END
|
ENTRY_END
|
||||||
|
@ -666,9 +666,9 @@ static const yytype_uint16 yyrline[] =
|
|||||||
374, 381, 389, 396, 403, 410, 417, 425, 433, 440,
|
374, 381, 389, 396, 403, 410, 417, 425, 433, 440,
|
||||||
449, 458, 465, 472, 483, 491, 504, 513, 521, 534,
|
449, 458, 465, 472, 483, 491, 504, 513, 521, 534,
|
||||||
543, 552, 561, 570, 583, 590, 600, 610, 620, 630,
|
543, 552, 561, 570, 583, 590, 600, 610, 620, 630,
|
||||||
640, 650, 657, 667, 680, 687, 705, 714, 723, 733,
|
640, 650, 657, 667, 681, 688, 706, 715, 724, 734,
|
||||||
743, 750, 758, 771, 779, 798, 805, 812, 819, 826,
|
744, 751, 759, 772, 780, 799, 806, 813, 820, 827,
|
||||||
833, 840
|
834, 841
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -2420,9 +2420,10 @@ yyreduce:
|
|||||||
{
|
{
|
||||||
OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
|
OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
|
||||||
if(strcmp((yyvsp[(3) - (3)].str), "deny")!=0 && strcmp((yyvsp[(3) - (3)].str), "refuse")!=0 &&
|
if(strcmp((yyvsp[(3) - (3)].str), "deny")!=0 && strcmp((yyvsp[(3) - (3)].str), "refuse")!=0 &&
|
||||||
strcmp((yyvsp[(3) - (3)].str), "allow")!=0) {
|
strcmp((yyvsp[(3) - (3)].str), "allow")!=0 &&
|
||||||
yyerror("expected deny, refuse or allow in "
|
strcmp((yyvsp[(3) - (3)].str), "allow_snoop")!=0) {
|
||||||
"access control action");
|
yyerror("expected deny, refuse, allow or allow_snoop "
|
||||||
|
"in access control action");
|
||||||
} else {
|
} else {
|
||||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)))
|
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)))
|
||||||
fatal_exit("out of memory adding acl");
|
fatal_exit("out of memory adding acl");
|
||||||
@ -2431,7 +2432,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 144:
|
case 144:
|
||||||
#line 681 "util/configparser.y"
|
#line 682 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
free(cfg_parser->cfg->module_conf);
|
free(cfg_parser->cfg->module_conf);
|
||||||
@ -2440,7 +2441,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 145:
|
case 145:
|
||||||
#line 688 "util/configparser.y"
|
#line 689 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(strlen((yyvsp[(2) - (2)].str)) == 0 || strcmp((yyvsp[(2) - (2)].str), "0") == 0) {
|
if(strlen((yyvsp[(2) - (2)].str)) == 0 || strcmp((yyvsp[(2) - (2)].str), "0") == 0) {
|
||||||
@ -2460,7 +2461,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 146:
|
case 146:
|
||||||
#line 706 "util/configparser.y"
|
#line 707 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
|
if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
|
||||||
@ -2471,7 +2472,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 147:
|
case 147:
|
||||||
#line 715 "util/configparser.y"
|
#line 716 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
|
if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
|
||||||
@ -2482,7 +2483,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 148:
|
case 148:
|
||||||
#line 724 "util/configparser.y"
|
#line 725 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
|
if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
|
||||||
@ -2494,7 +2495,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 149:
|
case 149:
|
||||||
#line 734 "util/configparser.y"
|
#line 735 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
|
if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
|
||||||
@ -2506,7 +2507,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 150:
|
case 150:
|
||||||
#line 744 "util/configparser.y"
|
#line 745 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
free(cfg_parser->cfg->val_nsec3_key_iterations);
|
free(cfg_parser->cfg->val_nsec3_key_iterations);
|
||||||
@ -2515,7 +2516,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 151:
|
case 151:
|
||||||
#line 751 "util/configparser.y"
|
#line 752 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->key_cache_size))
|
if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->key_cache_size))
|
||||||
@ -2525,7 +2526,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 152:
|
case 152:
|
||||||
#line 759 "util/configparser.y"
|
#line 760 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(atoi((yyvsp[(2) - (2)].str)) == 0)
|
if(atoi((yyvsp[(2) - (2)].str)) == 0)
|
||||||
@ -2540,7 +2541,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 153:
|
case 153:
|
||||||
#line 772 "util/configparser.y"
|
#line 773 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->neg_cache_size))
|
if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->neg_cache_size))
|
||||||
@ -2550,7 +2551,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 154:
|
case 154:
|
||||||
#line 780 "util/configparser.y"
|
#line 781 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
|
OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
|
||||||
if(strcmp((yyvsp[(3) - (3)].str), "static")!=0 && strcmp((yyvsp[(3) - (3)].str), "deny")!=0 &&
|
if(strcmp((yyvsp[(3) - (3)].str), "static")!=0 && strcmp((yyvsp[(3) - (3)].str), "deny")!=0 &&
|
||||||
@ -2571,7 +2572,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 155:
|
case 155:
|
||||||
#line 799 "util/configparser.y"
|
#line 800 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[(2) - (2)].str)))
|
if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[(2) - (2)].str)))
|
||||||
@ -2580,7 +2581,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 156:
|
case 156:
|
||||||
#line 806 "util/configparser.y"
|
#line 807 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
free(cfg_parser->cfg->stubs->name);
|
free(cfg_parser->cfg->stubs->name);
|
||||||
@ -2589,7 +2590,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 157:
|
case 157:
|
||||||
#line 813 "util/configparser.y"
|
#line 814 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[(2) - (2)].str)))
|
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[(2) - (2)].str)))
|
||||||
@ -2598,7 +2599,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 158:
|
case 158:
|
||||||
#line 820 "util/configparser.y"
|
#line 821 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[(2) - (2)].str)))
|
if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[(2) - (2)].str)))
|
||||||
@ -2607,7 +2608,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 159:
|
case 159:
|
||||||
#line 827 "util/configparser.y"
|
#line 828 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
free(cfg_parser->cfg->forwards->name);
|
free(cfg_parser->cfg->forwards->name);
|
||||||
@ -2616,7 +2617,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 160:
|
case 160:
|
||||||
#line 834 "util/configparser.y"
|
#line 835 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[(2) - (2)].str)))
|
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[(2) - (2)].str)))
|
||||||
@ -2625,7 +2626,7 @@ yyreduce:
|
|||||||
break;
|
break;
|
||||||
|
|
||||||
case 161:
|
case 161:
|
||||||
#line 841 "util/configparser.y"
|
#line 842 "util/configparser.y"
|
||||||
{
|
{
|
||||||
OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str)));
|
OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str)));
|
||||||
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[(2) - (2)].str)))
|
if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[(2) - (2)].str)))
|
||||||
@ -2635,7 +2636,7 @@ yyreduce:
|
|||||||
|
|
||||||
|
|
||||||
/* Line 1267 of yacc.c. */
|
/* Line 1267 of yacc.c. */
|
||||||
#line 2639 "util/configparser.c"
|
#line 2640 "util/configparser.c"
|
||||||
default: break;
|
default: break;
|
||||||
}
|
}
|
||||||
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
|
YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
|
||||||
@ -2849,7 +2850,7 @@ yyreturn:
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#line 847 "util/configparser.y"
|
#line 848 "util/configparser.y"
|
||||||
|
|
||||||
|
|
||||||
/* parse helper routines could be here */
|
/* parse helper routines could be here */
|
||||||
|
@ -668,9 +668,10 @@ server_access_control: VAR_ACCESS_CONTROL STRING STRING
|
|||||||
{
|
{
|
||||||
OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
|
OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
|
||||||
if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
|
if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
|
||||||
strcmp($3, "allow")!=0) {
|
strcmp($3, "allow")!=0 &&
|
||||||
yyerror("expected deny, refuse or allow in "
|
strcmp($3, "allow_snoop")!=0) {
|
||||||
"access control action");
|
yyerror("expected deny, refuse, allow or allow_snoop "
|
||||||
|
"in access control action");
|
||||||
} else {
|
} else {
|
||||||
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
|
if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
|
||||||
fatal_exit("out of memory adding acl");
|
fatal_exit("out of memory adding acl");
|
||||||
|
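Review bot: The set of accepted action strings is now spelled out in two places, this `strcmp` chain and the one in `acl_list_str_cfg`, and this commit had to extend both by hand. An action added to only one of them would either be rejected at parse time or pass the parser and fail later with the "unknown" error. Since `acl_list_str_cfg` already rejects unknown actions, the grammar action could pass the string through and leave that function as the single validator, or both could share one lookup helper. The rule body continues past the end of the hunk.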