do not allow cache snooping by default.

git-svn-id: file:///svn/unbound/trunk@1220 be551aaa-1e26-0410-a405-d3ace91eadb9
2024-09-21 06:37:08 +00:00 · 2008-09-01 13:48:24 +00:00 · 2008-09-01 13:48:24 +00:00 · 01cabbebc1
commit 01cabbebc1
parent a66e16cb31
21 changed files with 115 additions and 50 deletions
--- a/daemon/acl_list.c
+++ b/daemon/acl_list.c
@ -124,6 +124,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 		control = acl_deny;
 	else if(strcmp(s2, "refuse") == 0)
 		control = acl_refuse;
 	else if(strcmp(s2, "allow_snoop") == 0)
 		control = acl_allow_snoop;
 	else {
 		log_err("access control type %s unknown", str);
 		return 0;
--- a/daemon/acl_list.h
+++ b/daemon/acl_list.h
@ -55,8 +55,10 @@ enum acl_access {
 	acl_deny = 0,
 	/** disallow access, send a polite 'REFUSED' reply */
 	acl_refuse,
-	/** allow full access */
+	/** allow full access for recursion (+RD) queries */
-	acl_allow
+	acl_allow,
 	/** allow full access for all queries, recursion and cache snooping */
 	acl_allow_snoop
 };
 /**
--- a/daemon/worker.c
+++ b/daemon/worker.c
@ -785,6 +785,19 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		c->buffer, worker->scratchpad)) {
 		return (ldns_buffer_limit(c->buffer) != 0);
 	}
 	if(!(LDNS_RD_WIRE(ldns_buffer_begin(c->buffer))) &&
 		acl != acl_allow_snoop ) {
 		ldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
 		ldns_buffer_write_at(c->buffer, 4, 
 			(uint8_t*)"\0\0\0\0\0\0\0\0", 8);
 		LDNS_QR_SET(ldns_buffer_begin(c->buffer));
 		LDNS_RCODE_SET(ldns_buffer_begin(c->buffer), 
 			LDNS_RCODE_REFUSED);
 		ldns_buffer_flip(c->buffer);
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
 		return 1;
 	}
 	h = query_info_hash(&qinfo);
 	if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
 		/* answer from cache - we have acquired a readlock on it */
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,9 @@
 1 September 2008: Wouter
 	- disallow nonrecursive queries for cache snooping by default.
 	  You can allow is using access-control: <subnet> allow_snoop.
 	  The defaults do allow access no authoritative data without RD bit.
 	- two tests for it and fixups of tests for nonrec refused.
 29 August 2008: Wouter
 	- version 1.1 number in trunk.
 	- harden-referral-path option for query for NS records.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@ -134,7 +134,8 @@ server:
 	# control which clients are allowed to make (recursive) queries
 	# to this server. Specify classless netblocks with /size and action.
 	# By default everything is refused, except for localhost.
-	# Choose deny (drop message), refuse (polite error reply), allow.
+	# Choose deny (drop message), refuse (polite error reply),
 	# allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
 	# access-control: 0.0.0.0/0 refuse
 	# access-control: 127.0.0.0/8 allow
 	# access-control: ::0/0 refuse
--- a/doc/plan
+++ b/doc/plan
@ -31,8 +31,6 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
  because of the added load to 3rd parties.
 * block nonRD queries, acl like.
 	what about our authority features, those are allowed.
 	one option that controls on/off of all private space.
 	note in config/man that we may consider turning on by default.
 * DoS vector, flush more.
 	50% of max is for run-to-completion
 	50% rest is for lifo queue with 100 msec timeout.
@ -41,6 +39,8 @@ if they have no signer or a different signed. Validate if you can,
 otherwise leave unchecked.
 * block DNS rebinding attacks, block all A records from 1918 IP blocks,
 like dnswall does.  Allow certain subdomains to do it, config options.
 	one option that controls on/off of all private space.
 	note in config/man that we may consider turning on by default.
 *** Remote control feature
 * remote control using a TCP unbound-control commandline app.  
@ -64,6 +64,7 @@ like dnswall does.  Allow certain subdomains to do it, config options.
 *** Requested
 * fallback to noEDNS if all queries are dropped.
 * dnssec lameness fixen. Check to make sure.
 * negative caching to avoid DS queries, NSEC, NSEC3 (w params).
 * SHA256 supported fully.
 * Make stub to localhost on different port work.
 * IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -238,14 +238,36 @@ a daemon. Default is yes.
 .TP
 .B access\-control: \fI<IP netblock> <action>
 The netblock is given as an IP4 or IP6 address with /size appended for a 
-classless network block. The action can be deny, refuse or allow.
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, 
-Deny stops queries from hosts from that netblock.
+\fIallow\fR or \fIallow_snoop\fR.
-Refuse stops queries too, but sends a DNS rcode REFUSED error message back.
+.IP
-Allow gives access to clients from that netblock.
+The action \fIdeny\fR stops queries from hosts from that netblock.
-By default only localhost is allowed, the rest is refused.
+.IP
-The default is refused, because that is protocol\-friendly. The DNS protocol
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED 
-is not designed to handle dropped packets due to policy, and dropping may 
+error message back.
-result in (possibly excessive) retried queries.
+.IP
 The action \fIallow\fR gives access to clients from that netblock.  
 It gives only access for recursion clients (which is 
 what almost all clients need).  Nonrecursive queries are refused.
 .IP
 The \fIallow\fR action does allow nonrecursive queries to access the 
 local\-data that is configured.  The reason is that this does not involve
 the unbound server recursive lookup algorithm, and static data is served 
 in the reply.  This supports normal operations where nonrecursive queries 
 are made for the authoritative data.  For nonrecursive queries any replies 
 from the dynamic cache are refused.
 .IP
 The action \fIallow_snoop\fR gives nonrecursive access too.  This give 
 both recursive and non recursive access.  The name \fIallow_snoop\fR refers 
 to cache snooping, a technique to use nonrecursive queries to examine
 the cache contents (for malicious acts).  However, nonrecursive queries can 
 also be a valuable debugging tool (when you want to examine the cache 
 contents). In that case use \fIallow_snoop\fR for your administration host.
 .IP
 By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
 The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS 
 protocol is not designed to handle dropped packets due to policy, and 
 dropping may result in (possibly excessive) retried queries.
 .TP
 .B chroot: \fI<directory>
 If chroot is enabled, you should pass the configfile (from the
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@ -381,11 +381,13 @@ fake_pending_callback(struct replay_runtime* runtime,
 	struct fake_pending* p = runtime->pending_list;
 	struct comm_reply repinfo;
 	struct comm_point c;
-	void* cb_arg = p->cb_arg;
+	void* cb_arg;
-	comm_point_callback_t* cb = p->callback;
+	comm_point_callback_t* cb;
 	memset(&c, 0, sizeof(c));
 	if(!p) fatal_exit("No pending queries.");
 	cb_arg = p->cb_arg;
 	cb = p->callback;
 	log_assert(todo->qname == NULL); /* or find that one */
 	c.buffer = ldns_buffer_new(runtime->bufsize);
 	c.type = comm_udp;
--- a/testdata/fwd.rpl
+++ b/testdata/fwd.rpl
@ -24,6 +24,7 @@ RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
--- a/testdata/fwd_error.rpl
+++ b/testdata/fwd_error.rpl
@ -4,6 +4,7 @@ CONFIG_END
 SCENARIO_BEGIN Forwarder and an error happens on server query.
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode qname qtype
 SECTION QUESTION
-REPLY SERVFAIL QR RA
+REPLY SERVFAIL QR RD RA
 MATCH all
 www.example.com. IN A
 ENTRY_END
--- a/testdata/fwd_notcached.rpl
+++ b/testdata/fwd_notcached.rpl
@ -14,6 +14,7 @@ SCENARIO_BEGIN Query receives answer not from the cache
 STEP 1 QUERY
 ENTRY_BEGIN
 	REPLY RD
 	SECTION QUESTION
 	www.example.com. IN A
 ENTRY_END
@ -50,6 +51,7 @@ ENTRY_END
 ; another query, different, so not from cache.
 STEP 5 QUERY
 ENTRY_BEGIN
 	REPLY RD
 	SECTION QUESTION
 	www.example.net. IN A
 ENTRY_END
--- a/testdata/fwd_timeout.rpl
+++ b/testdata/fwd_timeout.rpl
@ -4,6 +4,7 @@ CONFIG_END
 SCENARIO_BEGIN Forwarder and a timeout happens on server query.
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode qname qtype
 SECTION QUESTION
-REPLY SERVFAIL QR RA
+REPLY SERVFAIL QR RA RD
 MATCH all
 www.example.com. IN A
 ENTRY_END
--- a/testdata/fwd_two.rpl
+++ b/testdata/fwd_two.rpl
@ -26,6 +26,7 @@ RANGE_END
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@ -43,6 +44,7 @@ STEP 3 NOTHING
 ; another query
 STEP 4 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END
--- a/testdata/local_norec.tpkg
+++ b/testdata/local_norec.tpkg
--- a/testdata/local_nosnoop.tpkg
+++ b/testdata/local_nosnoop.tpkg
--- a/testdata/val_refer_unsignadd.rpl
+++ b/testdata/val_refer_unsignadd.rpl
@ -4,6 +4,7 @@ server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	trust-anchor: "example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
 	val-override-date: "20070916134226"
 	access-control: 127.0.0.1 allow_snoop
 stub-zone:
 	name: "."
--- a/testdata/val_referd.rpl
+++ b/testdata/val_referd.rpl
@ -4,6 +4,7 @@ server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	harden-referral-path: yes
 	access-control: 127.0.0.1 allow_snoop
 stub-zone:
 	name: "."
--- a/testdata/val_referglue.rpl
+++ b/testdata/val_referglue.rpl
@ -4,6 +4,7 @@ server:
 	trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
 	val-override-date: "20070916134226"
 	directory: ""
 	access-control: 127.0.0.1 allow_snoop
 stub-zone:
 	name: "."
--- a/testdata/version_bind_hide.rpl
+++ b/testdata/version_bind_hide.rpl
@ -11,13 +11,14 @@ SCENARIO_BEGIN Test config hide options for identity and version queries
 ; version.bind.
 STEP 1 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 version.bind. CH TXT
 ENTRY_END
 STEP 2 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 version.bind. CH TXT
 ENTRY_END
@ -25,13 +26,14 @@ ENTRY_END
 ; version.server.
 STEP 3 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 version.server. CH TXT
 ENTRY_END
 STEP 4 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 version.server. CH TXT
 ENTRY_END
@ -39,13 +41,14 @@ ENTRY_END
 ; hostname.bind.
 STEP 5 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 hostname.bind. CH TXT
 ENTRY_END
 STEP 6 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 hostname.bind. CH TXT
 ENTRY_END
@ -53,13 +56,14 @@ ENTRY_END
 ; id.server.
 STEP 7 QUERY
 ENTRY_BEGIN
 REPLY RD
 SECTION QUESTION
 id.server. CH TXT
 ENTRY_END
 STEP 8 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 id.server. CH TXT
 ENTRY_END
--- a/util/configparser.c
+++ b/util/configparser.c
@ -666,9 +666,9 @@ static const yytype_uint16 yyrline[] =
     374,   381,   389,   396,   403,   410,   417,   425,   433,   440,
     449,   458,   465,   472,   483,   491,   504,   513,   521,   534,
     543,   552,   561,   570,   583,   590,   600,   610,   620,   630,
-     640,   650,   657,   667,   680,   687,   705,   714,   723,   733,
+     640,   650,   657,   667,   681,   688,   706,   715,   724,   734,
-     743,   750,   758,   771,   779,   798,   805,   812,   819,   826,
+     744,   751,   759,   772,   780,   799,   806,   813,   820,   827,
-     833,   840
+     834,   841
 };
 #endif
@ -2420,9 +2420,10 @@ yyreduce:
    {
 		OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
 		if(strcmp((yyvsp[(3) - (3)].str), "deny")!=0 && strcmp((yyvsp[(3) - (3)].str), "refuse")!=0 &&
-			strcmp((yyvsp[(3) - (3)].str), "allow")!=0) {
+			strcmp((yyvsp[(3) - (3)].str), "allow")!=0 && 
-			yyerror("expected deny, refuse or allow in "
+			strcmp((yyvsp[(3) - (3)].str), "allow_snoop")!=0) {
-				"access control action");
+			yyerror("expected deny, refuse, allow or allow_snoop "
 				"in access control action");
 		} else {
 			if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)))
 				fatal_exit("out of memory adding acl");
@ -2431,7 +2432,7 @@ yyreduce:
    break;
  case 144:
-#line 681 "util/configparser.y"
+#line 682 "util/configparser.y"
    {
 		OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str)));
 		free(cfg_parser->cfg->module_conf);
@ -2440,7 +2441,7 @@ yyreduce:
    break;
  case 145:
-#line 688 "util/configparser.y"
+#line 689 "util/configparser.y"
    {
 		OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(strlen((yyvsp[(2) - (2)].str)) == 0 || strcmp((yyvsp[(2) - (2)].str), "0") == 0) {
@ -2460,7 +2461,7 @@ yyreduce:
    break;
  case 146:
-#line 706 "util/configparser.y"
+#line 707 "util/configparser.y"
    {
 		OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
@ -2471,7 +2472,7 @@ yyreduce:
    break;
  case 147:
-#line 715 "util/configparser.y"
+#line 716 "util/configparser.y"
    {
 		OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
@ -2482,7 +2483,7 @@ yyreduce:
    break;
  case 148:
-#line 724 "util/configparser.y"
+#line 725 "util/configparser.y"
    {
 		OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
@ -2494,7 +2495,7 @@ yyreduce:
    break;
  case 149:
-#line 734 "util/configparser.y"
+#line 735 "util/configparser.y"
    {
 		OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
@ -2506,7 +2507,7 @@ yyreduce:
    break;
  case 150:
-#line 744 "util/configparser.y"
+#line 745 "util/configparser.y"
    {
 		OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str)));
 		free(cfg_parser->cfg->val_nsec3_key_iterations);
@ -2515,7 +2516,7 @@ yyreduce:
    break;
  case 151:
-#line 751 "util/configparser.y"
+#line 752 "util/configparser.y"
    {
 		OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->key_cache_size))
@ -2525,7 +2526,7 @@ yyreduce:
    break;
  case 152:
-#line 759 "util/configparser.y"
+#line 760 "util/configparser.y"
    {
 		OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(atoi((yyvsp[(2) - (2)].str)) == 0)
@ -2540,7 +2541,7 @@ yyreduce:
    break;
  case 153:
-#line 772 "util/configparser.y"
+#line 773 "util/configparser.y"
    {
 		OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->neg_cache_size))
@ -2550,7 +2551,7 @@ yyreduce:
    break;
  case 154:
-#line 780 "util/configparser.y"
+#line 781 "util/configparser.y"
    {
 		OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
 		if(strcmp((yyvsp[(3) - (3)].str), "static")!=0 && strcmp((yyvsp[(3) - (3)].str), "deny")!=0 &&
@ -2571,7 +2572,7 @@ yyreduce:
    break;
  case 155:
-#line 799 "util/configparser.y"
+#line 800 "util/configparser.y"
    {
 		OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[(2) - (2)].str)))
@ -2580,7 +2581,7 @@ yyreduce:
    break;
  case 156:
-#line 806 "util/configparser.y"
+#line 807 "util/configparser.y"
    {
 		OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
 		free(cfg_parser->cfg->stubs->name);
@ -2589,7 +2590,7 @@ yyreduce:
    break;
  case 157:
-#line 813 "util/configparser.y"
+#line 814 "util/configparser.y"
    {
 		OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[(2) - (2)].str)))
@ -2598,7 +2599,7 @@ yyreduce:
    break;
  case 158:
-#line 820 "util/configparser.y"
+#line 821 "util/configparser.y"
    {
 		OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[(2) - (2)].str)))
@ -2607,7 +2608,7 @@ yyreduce:
    break;
  case 159:
-#line 827 "util/configparser.y"
+#line 828 "util/configparser.y"
    {
 		OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
 		free(cfg_parser->cfg->forwards->name);
@ -2616,7 +2617,7 @@ yyreduce:
    break;
  case 160:
-#line 834 "util/configparser.y"
+#line 835 "util/configparser.y"
    {
 		OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[(2) - (2)].str)))
@ -2625,7 +2626,7 @@ yyreduce:
    break;
  case 161:
-#line 841 "util/configparser.y"
+#line 842 "util/configparser.y"
    {
 		OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str)));
 		if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[(2) - (2)].str)))
@ -2635,7 +2636,7 @@ yyreduce:
 /* Line 1267 of yacc.c.  */
-#line 2639 "util/configparser.c"
+#line 2640 "util/configparser.c"
      default: break;
    }
  YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@ -2849,7 +2850,7 @@ yyreturn:
 }
-#line 847 "util/configparser.y"
+#line 848 "util/configparser.y"
 /* parse helper routines could be here */
--- a/util/configparser.y
+++ b/util/configparser.y
@ -668,9 +668,10 @@ server_access_control: VAR_ACCESS_CONTROL STRING STRING
 	{
 		OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
 		if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
-			strcmp($3, "allow")!=0) {
+			strcmp($3, "allow")!=0 && 
-			yyerror("expected deny, refuse or allow in "
+			strcmp($3, "allow_snoop")!=0) {
-				"access control action");
+			yyerror("expected deny, refuse, allow or allow_snoop "
 				"in access control action");
 		} else {
 			if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
 				fatal_exit("out of memory adding acl");