mirror of
https://github.com/NLnetLabs/unbound.git
synced 2024-09-21 14:47:09 +00:00
- Fix #259: Fix unbound-checkconf does not check view existence.
unbound-checkconf checks access-control-view, access-control-tags, access-control-tag-actions and access-control-tag-datas.
- Fix offset of error printout for access-control-tag-datas.
parent
233c14a476
commit
4d009e19fc
@ -273,7 +273,7 @@ check_data(const char* data, const struct config_strlist* head)
|
||||
if(res == 0)
|
||||
return 1;
|
||||
log_err("rr data [char %d] parse error %s",
|
||||
(int)LDNS_WIREPARSE_OFFSET(res)-13,
|
||||
(int)LDNS_WIREPARSE_OFFSET(res)-2,
|
||||
sldns_get_errorstr_parse(res));
|
||||
return 0;
|
||||
}
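Review bot: The `-2` subtracted from `LDNS_WIREPARSE_OFFSET(res)` in the `log_err` call is an unexplained constant whose correctness depends on the prefix prepended to `data` before parsing, and that code sits outside this hunk (check_data starts above it). The page does not mark which of the two offset lines is the new one; going by the commit message and the matching `-2` in acl_view_checks in the checkconf section, `-2` is presumably the new value and corresponds to a two-character `". "` prefix. A comment such as `/* subtract the ". " owner prefix added before parsing */` on that line would keep the constant from drifting away from the prefix again, as the `-13` apparently did. If the reported offset can be smaller than the prefix length, the printed position goes negative, so clamping it at 0 is worth considering here and in acl_view_checks.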
|
||||
|
@ -1,3 +1,9 @@
|
||||
7 July 2020: Wouter
|
||||
- Fix #259: Fix unbound-checkconf does not check view existence.
|
||||
unbound-checkconf checks access-control-view, access-control-tags,
|
||||
access-control-tag-actions and access-control-tag-datas.
|
||||
- Fix offset of error printout for access-control-tag-datas.
|
||||
|
||||
6 July 2020: Wouter
|
||||
- run_vm cleanup better and removes trailing slash on single argument.
|
||||
|
||||
|
@ -58,6 +58,7 @@
|
||||
#include "services/authzone.h"
|
||||
#include "respip/respip.h"
|
||||
#include "sldns/sbuffer.h"
|
||||
#include "sldns/str2wire.h"
|
||||
#ifdef HAVE_GETOPT_H
|
||||
#include <getopt.h>
|
||||
#endif
|
||||
@ -194,6 +195,94 @@ localzonechecks(struct config_file* cfg)
|
||||
local_zones_delete(zs);
|
||||
}
|
||||
|
||||
/** checks for acl and views */
|
||||
static void
|
||||
acl_view_checks(struct config_file* cfg, struct views* views)
|
||||
{
|
||||
int d;
|
||||
struct sockaddr_storage a;
|
||||
socklen_t alen;
|
||||
struct config_str2list* acl;
|
||||
struct config_str3list* s3;
|
||||
struct config_strbytelist* sb;
|
||||
struct view* v;
|
||||
|
||||
/* acl_view */
|
||||
for(acl=cfg->acl_view; acl; acl = acl->next) {
|
||||
if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
|
||||
&d)) {
|
||||
fatal_exit("cannot parse access-control-view "
|
||||
"address %s %s", acl->str, acl->str2);
|
||||
}
|
||||
v = views_find_view(views, acl->str2, 0);
|
||||
if(!v) {
|
||||
fatal_exit("cannot find view for "
|
||||
"access-control-view: %s %s",
|
||||
acl->str, acl->str2);
|
||||
}
|
||||
lock_rw_unlock(&v->lock);
|
||||
}
|
||||
|
||||
/* acl_tags */
|
||||
for(sb=cfg->acl_tags; sb; sb = sb->next) {
|
||||
if(!netblockstrtoaddr(sb->str, UNBOUND_DNS_PORT, &a, &alen,
|
||||
&d)) {
|
||||
fatal_exit("cannot parse access-control-tags "
|
||||
"address %s", sb->str);
|
||||
}
|
||||
}
|
||||
|
||||
/* acl_tag_actions */
|
||||
for(s3=cfg->acl_tag_actions; s3; s3 = s3->next) {
|
||||
enum localzone_type t;
|
||||
if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
|
||||
&d)) {
|
||||
fatal_exit("cannot parse access-control-tag-actions "
|
||||
"address %s %s %s",
|
||||
s3->str, s3->str2, s3->str3);
|
||||
}
|
||||
if(find_tag_id(cfg, s3->str2) == -1) {
|
||||
fatal_exit("cannot parse tag %s (define-tag it), "
|
||||
"for access-control-tag-actions: %s %s %s",
|
||||
s3->str2, s3->str, s3->str2, s3->str3);
|
||||
}
|
||||
if(!local_zone_str2type(s3->str3, &t)) {
|
||||
fatal_exit("cannot parse access control action type %s"
|
||||
" for access-control-tag-actions: %s %s %s",
|
||||
s3->str3, s3->str, s3->str2, s3->str3);
|
||||
}
|
||||
}
|
||||
|
||||
/* acl_tag_datas */
|
||||
for(s3=cfg->acl_tag_datas; s3; s3 = s3->next) {
|
||||
char buf[65536];
|
||||
uint8_t rr[LDNS_RR_BUF_SIZE];
|
||||
size_t len = sizeof(rr);
|
||||
int res;
|
||||
if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
|
||||
&d)) {
|
||||
fatal_exit("cannot parse access-control-tag-datas address %s %s '%s'",
|
||||
s3->str, s3->str2, s3->str3);
|
||||
}
|
||||
if(find_tag_id(cfg, s3->str2) == -1) {
|
||||
fatal_exit("cannot parse tag %s (define-tag it), "
|
||||
"for access-control-tag-datas: %s %s '%s'",
|
||||
s3->str2, s3->str, s3->str2, s3->str3);
|
||||
}
|
||||
/* '.' is sufficient for validation, and it makes the call to
|
||||
* sldns_wirerr_get_type() simpler below. */
|
||||
snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3);
|
||||
res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL,
|
||||
0, NULL, 0);
|
||||
if(res != 0) {
|
||||
fatal_exit("cannot parse rr data [char %d] parse error %s, for access-control-tag-datas: %s %s '%s'",
|
||||
(int)LDNS_WIREPARSE_OFFSET(res)-2,
|
||||
sldns_get_errorstr_parse(res),
|
||||
s3->str, s3->str2, s3->str3);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/** check view and response-ip configuration */
|
||||
static void
|
||||
view_and_respipchecks(struct config_file* cfg)
|
||||
@ -211,6 +300,7 @@ view_and_respipchecks(struct config_file* cfg)
|
||||
fatal_exit("Could not setup respip set");
|
||||
if(!respip_views_apply_cfg(views, cfg, &ignored))
|
||||
fatal_exit("Could not setup per-view respip sets");
|
||||
acl_view_checks(cfg, views);
|
||||
views_delete(views);
|
||||
respip_set_delete(respip);
|
||||
}
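Review bot: In the acl_tag_datas loop of acl_view_checks, the return value of `snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3)` is ignored, so a data string that does not fit in `buf` would be truncated silently and the truncated text is what gets validated. Whether the config parser already bounds the length of `s3->str3` is not visible on this page, so the case may be unreachable, but an explicit check keeps the tool from approving a value it did not fully parse: `int n = snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3);` followed by `if(n < 0 || (size_t)n >= sizeof(buf)) fatal_exit("access-control-tag-datas data too long: %s %s", s3->str, s3->str2);`. The same loop declares both `buf[65536]` and `rr[LDNS_RR_BUF_SIZE]` as locals, which is probably acceptable for a one-shot checker but deserves a short comment on the stack footprint.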
|
||||
|