dnscrypt cache size configuration option.
git-svn-id: file:///svn/unbound/trunk@4328 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
a1153ba1f7
commit
a17400b45e
@ -791,9 +791,9 @@ dnsc_apply_cfg(struct dnsc_env *env, struct config_file *cfg)
|
||||
fatal_exit("dnsc_apply_cfg: could not load local data");
|
||||
}
|
||||
env->shared_secrets_cache = slabhash_create(
|
||||
cfg->msg_cache_slabs,
|
||||
cfg->dnscrypt_shared_secret_cache_slabs,
|
||||
HASH_DEFAULT_STARTARRAY,
|
||||
4000000,
|
||||
cfg->dnscrypt_shared_secret_cache_size,
|
||||
dnsc_shared_secrets_sizefunc,
|
||||
dnsc_shared_secrets_compfunc,
|
||||
dnsc_shared_secrets_delkeyfunc,
|
||||
|
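Review bot: The `slabhash_create` call in dnsc_apply_cfg now takes its memory bound from `cfg->dnscrypt_shared_secret_cache_size`, but nothing at the call site says why that bound matters. The man page text in this commit says the cache is used when a client repeats queries with the same public key, so entries are presumably created from client-supplied input and this size caps what that traffic can occupy. A comment above the call would record that, for example `/* max memory for cached shared secrets; entries are added per client public key, so keep this bounded */`. The hunk ends inside the argument list, so the rest of the call and any check of its result are not visible here.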
@ -3,7 +3,7 @@
|
||||
- For #1417: escape ; in dnscrypt tests.
|
||||
- but reverted that, tests fails with that escape.
|
||||
- Fix #1417: [dnscrypt] shared secret cache counters, and works when
|
||||
dnscrypt is not enabled.
|
||||
dnscrypt is not enabled. And cache size configuration option.
|
||||
- make depend
|
||||
|
||||
30 August 2017: Wouter
|
||||
|
@ -1507,6 +1507,17 @@ times.
|
||||
.B dnscrypt\-provider\-cert: \fI<path to cert file>\fR
|
||||
Path to the certificate related to the \fBdnscrypt\-secret\-key\fRs.
|
||||
This option may be specified multiple times.
|
||||
.TP
|
||||
.B dnscrypt\-shared\-secret\-cache\-size: \fI<memory size>
|
||||
Give the size of the data structure in which the shared secret keys are kept
|
||||
in. Default 4m. In bytes or use m(mega), k(kilo), g(giga).
|
||||
The shared secret cache is used when a same client is making multiple queries
|
||||
using the same public key. It saves a substantial amount of CPU.
|
||||
.TP
|
||||
.B dnscrypt\-shared\-secret\-cache\-slabs: \fI<number>
|
||||
Give power of 2 number of slabs, this is used to reduce lock contention
|
||||
in the dnscrypt shared secrets cache. Close to the number of cpus is
|
||||
a fairly good setting.
|
||||
.SS "EDNS Client Subnet Module Options"
|
||||
.LP
|
||||
The ECS module must be configured in the \fBmodule\-config:\fR "subnetcache
|
||||
|
@ -282,6 +282,8 @@ config_create(void)
|
||||
cfg->dnscrypt_provider = NULL;
|
||||
cfg->dnscrypt_provider_cert = NULL;
|
||||
cfg->dnscrypt_secret_key = NULL;
|
||||
cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;
|
||||
cfg->dnscrypt_shared_secret_cache_slabs = 4;
|
||||
#ifdef USE_IPSECMOD
|
||||
cfg->ipsecmod_enabled = 1;
|
||||
cfg->ipsecmod_ignore_bogus = 0;
|
||||
@ -565,6 +567,10 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_STR("dnscrypt-provider:", dnscrypt_provider)
|
||||
else S_STRLIST("dnscrypt-provider-cert:", dnscrypt_provider_cert)
|
||||
else S_STRLIST("dnscrypt-secret-key:", dnscrypt_secret_key)
|
||||
else S_MEMSIZE("dnscrypt-shared-secret-cache-size:",
|
||||
dnscrypt_shared_secret_cache_size)
|
||||
else S_POW2("dnscrypt-shared-secret-cache-slabs:",
|
||||
dnscrypt_shared_secret_cache_slabs)
|
||||
#endif
|
||||
else if(strcmp(opt, "ip-ratelimit:") == 0) {
|
||||
IS_NUMBER_OR_ZERO; cfg->ip_ratelimit = atoi(val);
|
||||
@ -926,6 +932,10 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_STR(opt, "dnscrypt-provider", dnscrypt_provider)
|
||||
else O_LST(opt, "dnscrypt-provider-cert", dnscrypt_provider_cert)
|
||||
else O_LST(opt, "dnscrypt-secret-key", dnscrypt_secret_key)
|
||||
else O_MEM(opt, "dnscrypt-shared-secret-cache-size",
|
||||
dnscrypt_shared_secret_cache_size)
|
||||
else O_DEC(opt, "dnscrypt-shared-secret-cache-slabs",
|
||||
dnscrypt_shared_secret_cache_slabs)
|
||||
#endif
|
||||
else O_YNO(opt, "unblock-lan-zones", unblock_lan_zones)
|
||||
else O_YNO(opt, "insecure-lan-zones", insecure_lan_zones)
|
||||
|
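Review bot: The default set in config_create, `cfg->dnscrypt_shared_secret_cache_size = 4*1024*1024;`, is not the same value as the `4000000` literal shown in the dnsc_apply_cfg hunk, which this option appears to replace. The effective cache size therefore changes slightly for installations that do not set the option. That matches the "Default 4m" wording in the man page hunk, but a short comment on the line, for example `/* 4m, same as documented in unbound.conf(5) */`, would make the intent explicit. The config_create body starts and ends outside the hunk.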
@ -464,6 +464,10 @@ struct config_file {
|
||||
struct config_strlist* dnscrypt_secret_key;
|
||||
/** dnscrypt provider certs 1.cert */
|
||||
struct config_strlist* dnscrypt_provider_cert;
|
||||
/** memory size in bytes for dnscrypt shared secrets cache */
|
||||
size_t dnscrypt_shared_secret_cache_size;
|
||||
/** number of slabs for dnscrypt shared secrets cache */
|
||||
size_t dnscrypt_shared_secret_cache_slabs;
|
||||
|
||||
/** IPsec module */
|
||||
#ifdef USE_IPSECMOD
|
||||
|
@ -417,6 +417,10 @@ dnscrypt-port{COLON} { YDVAR(1, VAR_DNSCRYPT_PORT) }
|
||||
dnscrypt-provider{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER) }
|
||||
dnscrypt-secret-key{COLON} { YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) }
|
||||
dnscrypt-provider-cert{COLON} { YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) }
|
||||
dnscrypt-shared-secret-cache-size{COLON} {
|
||||
YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) }
|
||||
dnscrypt-shared-secret-cache-slabs{COLON} {
|
||||
YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) }
|
||||
ipsecmod-enabled{COLON} { YDVAR(1, VAR_IPSECMOD_ENABLED) }
|
||||
ipsecmod-ignore-bogus{COLON} { YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) }
|
||||
ipsecmod-hook{COLON} { YDVAR(1, VAR_IPSECMOD_HOOK) }
|
||||
|
@ -144,6 +144,8 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
|
||||
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
|
||||
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
|
||||
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
|
||||
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
|
||||
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
|
||||
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
|
||||
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
|
||||
@ -2323,7 +2325,9 @@ contents_dnsc: contents_dnsc content_dnsc
|
||||
| ;
|
||||
content_dnsc:
|
||||
dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
|
||||
dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert
|
||||
dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
|
||||
dnsc_dnscrypt_shared_secret_cache_size |
|
||||
dnsc_dnscrypt_shared_secret_cache_slabs
|
||||
;
|
||||
dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG
|
||||
{
|
||||
@ -2366,7 +2370,27 @@ dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG
|
||||
fatal_exit("out of memory adding dnscrypt-secret-key");
|
||||
}
|
||||
;
|
||||
|
||||
dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2));
|
||||
if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size))
|
||||
yyerror("memory size expected");
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG
|
||||
{
|
||||
OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2));
|
||||
if(atoi($2) == 0)
|
||||
yyerror("number expected");
|
||||
else {
|
||||
cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2);
|
||||
if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs))
|
||||
yyerror("must be a power of 2");
|
||||
}
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
cachedbstart: VAR_CACHEDB
|
||||
{
|
||||
OUTYY(("\nP(cachedb:)\n"));
|
||||
|
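Review bot: In the dnsc_dnscrypt_shared_secret_cache_slabs action, `atoi($2)` is called twice and accepts trailing garbage (a constructed value such as `4x` parses as 4). Its int result is stored into a field declared `size_t` in the struct config_file hunk, so a negative value is rejected, if at all, only by the later power-of-2 check and with a misleading message. Parsing once and checking the end pointer and sign before the assignment would make the rejection explicit: `char* e; long n = strtol($2, &e, 10);` followed by `if(e == $2 || *e != 0 || n <= 0) yyerror("number expected");`. The value is also written to the config before `is_pow2` runs, so correctness relies on yyerror making the load fail, which is not visible in this hunk.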