Merge branch 'master' of git://github.com/k9982874/unbound into k9982874-master

Makefile.in

@@ -176,11 +176,11 @@ DAEMON_OBJ=acl_list.lo cachedump.lo daemon.lo \
 shm_main.lo remote.lo stats.lo unbound.lo \
 worker.lo @WIN_DAEMON_OBJ@
 DAEMON_OBJ_LINK=$(DAEMON_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
-$(COMPAT_OBJ) @WIN_DAEMON_OBJ_LINK@
+$(COMPAT_OBJ) $(IPSET_OBJ) @WIN_DAEMON_OBJ_LINK@
 CHECKCONF_SRC=smallapp/unbound-checkconf.c smallapp/worker_cb.c
 CHECKCONF_OBJ=unbound-checkconf.lo worker_cb.lo
 CHECKCONF_OBJ_LINK=$(CHECKCONF_OBJ) $(COMMON_OBJ_ALL_SYMBOLS) $(SLDNS_OBJ) \
-$(COMPAT_OBJ) @WIN_CHECKCONF_OBJ_LINK@
+$(COMPAT_OBJ) $(IPSET_OBJ) @WIN_CHECKCONF_OBJ_LINK@
 CONTROL_SRC=smallapp/unbound-control.c
 CONTROL_OBJ=unbound-control.lo 
 CONTROL_OBJ_LINK=$(CONTROL_OBJ) worker_cb.lo $(COMMON_OBJ_ALL_SYMBOLS) \
@@ -229,10 +229,12 @@ DELAYER_SRC=testcode/delayer.c
 DELAYER_OBJ=delayer.lo
 DELAYER_OBJ_LINK=$(DELAYER_OBJ) worker_cb.lo $(COMMON_OBJ) $(COMPAT_OBJ) \
 $(SLDNS_OBJ)
+IPSET_SRC=@IPSET_SRC@
+IPSET_OBJ=@IPSET_OBJ@
 LIBUNBOUND_SRC=libunbound/context.c libunbound/libunbound.c \
 libunbound/libworker.c
 LIBUNBOUND_OBJ=context.lo libunbound.lo libworker.lo ub_event_pluggable.lo
-LIBUNBOUND_OBJ_LINK=$(LIBUNBOUND_OBJ) $(COMMON_OBJ_WITHOUT_UB_EVENT) $(SLDNS_OBJ) $(COMPAT_OBJ)
+LIBUNBOUND_OBJ_LINK=$(LIBUNBOUND_OBJ) $(COMMON_OBJ_WITHOUT_UB_EVENT) $(SLDNS_OBJ) $(COMPAT_OBJ) $(IPSET_OBJ)
 
 # win apps or "" if not on windows
 WINAPPS=@WINAPPS@
@@ -256,15 +258,18 @@ ALL_SRC=$(COMMON_SRC) $(UNITTEST_SRC) $(DAEMON_SRC) \
 	$(MEMSTATS_SRC) $(CHECKCONF_SRC) $(LIBUNBOUND_SRC) $(HOST_SRC) \
 	$(ASYNCLOOK_SRC) $(STREAMTCP_SRC) $(PERF_SRC) $(DELAYER_SRC) \
 	$(CONTROL_SRC) $(UBANCHOR_SRC) $(PETAL_SRC) \
-	$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC)\
-	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC)
+	$(PYTHONMOD_SRC) $(PYUNBOUND_SRC) $(WIN_DAEMON_THE_SRC) \
+	$(SVCINST_SRC) $(SVCUNINST_SRC) $(ANCHORUPD_SRC) $(SLDNS_SRC) \
+	$(IPSET_SRC)
+
 ALL_OBJ=$(COMMON_OBJ) $(UNITTEST_OBJ) $(DAEMON_OBJ) \
 	$(TESTBOUND_OBJ) $(LOCKVERIFY_OBJ) $(PKTVIEW_OBJ) \
 	$(MEMSTATS_OBJ) $(CHECKCONF_OBJ) $(LIBUNBOUND_OBJ) $(HOST_OBJ) \
 	$(ASYNCLOOK_OBJ) $(STREAMTCP_OBJ) $(PERF_OBJ) $(DELAYER_OBJ) \
 	$(CONTROL_OBJ) $(UBANCHOR_OBJ) $(PETAL_OBJ) \
 	$(COMPAT_OBJ) $(PYUNBOUND_OBJ) \
-	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ)
+	$(SVCINST_OBJ) $(SVCUNINST_OBJ) $(ANCHORUPD_OBJ) $(SLDNS_OBJ) \
+	$(IPSET_OBJ)
 
 COMPILE=$(LIBTOOL) --tag=CC --mode=compile $(CC) $(CPPFLAGS) $(CFLAGS) @PTHREAD_CFLAGS_ONLY@
 LINK=$(LIBTOOL) --tag=CC --mode=link $(CC) $(staticexe) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS)
@@ -1462,3 +1467,6 @@ sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
 reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
 isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
 strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h
+
+ipset.lo ipset.o: $(srcdir)/ipset/ipset.c $(srcdir)/ipset/ipset.h config.h $(srcdir)/util/module.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/dns.h

config.h.in

@@ -775,6 +775,9 @@
 /* Define to 1 to use ipsecmod support. */
 #undef USE_IPSECMOD
 
+/* Define to 1 to use ipset support */
+#undef USE_IPSET
+
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 

configure

@@ -638,6 +638,8 @@ INSTALLTARGET
 ALLTARGET
 SOURCEFILE
 SOURCEDETERMINE
+IPSET_OBJ
+IPSET_SRC
 IPSECMOD_HEADER
 IPSECMOD_OBJ
 DNSCRYPT_OBJ
@@ -878,6 +880,8 @@ enable_dnscrypt
 with_libsodium
 enable_cachedb
 enable_ipsecmod
+enable_ipset
+with_libmnl
 with_libunbound_only
 '
       ac_precious_vars='build_alias
@@ -1565,6 +1569,7 @@ Optional Features:
                           storage
   --enable-ipsecmod       Enable ipsecmod module that facilitates
                           opportunistic IPsec
+  --enable-ipset          enable ipset module
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1619,6 +1624,7 @@ Optional Packages:
   --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
   --with-libfstrm=path    Path where libfstrm is installed, for dnstap
   --with-libsodium=path   Path where libsodium is installed, for dnscrypt
+  --with-libmnl=path      specify explicit path for libmnl.
   --with-libunbound-only  do not build daemon and tool programs
 
 Some influential environment variables:
@@ -21050,6 +21056,59 @@ $as_echo "#define USE_IPSECMOD 1" >>confdefs.h
 		;;
 esac
 
+# check for ipset if requested
+# Check whether --enable-ipset was given.
+if test "${enable_ipset+set}" = set; then :
+  enableval=$enable_ipset;
+fi
+
+case "$enable_ipset" in
+    yes)
+
+$as_echo "#define USE_IPSET 1" >>confdefs.h
+
+		IPSET_SRC="ipset/ipset.c"
+
+		IPSET_OBJ="ipset.lo"
+
+
+		# mnl
+
+# Check whether --with-libmnl was given.
+if test "${with_libmnl+set}" = set; then :
+  withval=$with_libmnl;
+else
+   withval="yes"
+fi
+
+		found_libmnl="no"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5
+$as_echo_n "checking for libmnl... " >&6; }
+		if test x_$withval = x_ -o x_$withval = x_yes; then
+			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+		fi
+		for dir in $withval ; do
+			if test -f "$dir/include/libmnl/libmnl.h"; then
+				found_libmnl="yes"
+								if test "$dir" != "/usr"; then
+					CPPFLAGS="$CPPFLAGS -I$dir/include"
+					LDFLAGS="$LDFLAGS -L$dir/lib"
+				fi
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $dir" >&5
+$as_echo "found in $dir" >&6; }
+				LIBS="$LIBS -lmnl"
+				break;
+			fi
+		done
+		if test x_$found_libmnl != x_yes; then
+			as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5
+		fi
+		;;
+    no|*)
+    	# nothing
+		;;
+esac
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
 # on openBSD, the implicit rule make $< work.

configure.ac

@@ -1604,6 +1604,47 @@ case "$enable_ipsecmod" in
 		;;
 esac
 
+# check for ipset if requested
+AC_ARG_ENABLE(ipset, AC_HELP_STRING([--enable-ipset], [enable ipset module]))
+case "$enable_ipset" in
+    yes)
+		AC_DEFINE([USE_IPSET], [1], [Define to 1 to use ipset support])
+		IPSET_SRC="ipset/ipset.c"
+		AC_SUBST(IPSET_SRC)
+		IPSET_OBJ="ipset.lo"
+		AC_SUBST(IPSET_OBJ)
+
+		# mnl
+		AC_ARG_WITH(libmnl, AC_HELP_STRING([--with-libmnl=path],
+			[specify explicit path for libmnl.]),
+			[ ],[ withval="yes" ])
+		found_libmnl="no"
+		AC_MSG_CHECKING(for libmnl)
+		if test x_$withval = x_ -o x_$withval = x_yes; then
+			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+		fi
+		for dir in $withval ; do
+			if test -f "$dir/include/libmnl/libmnl.h"; then
+				found_libmnl="yes"
+				dnl assume /usr is in default path.
+				if test "$dir" != "/usr"; then
+					CPPFLAGS="$CPPFLAGS -I$dir/include"
+					LDFLAGS="$LDFLAGS -L$dir/lib"
+				fi
+				AC_MSG_RESULT(found in $dir)
+				LIBS="$LIBS -lmnl"
+				break;
+			fi
+		done
+		if test x_$found_libmnl != x_yes; then
+			AC_ERROR([Could not find libmnl, libmnl.h])
+		fi
+		;;
+    no|*)
+    	# nothing
+		;;
+esac
+
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).

doc/example.conf.in

@@ -654,6 +654,9 @@ server:
 	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
 	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
 
+	# Add example.com into ipset
+	# local-zone: "example.com" ipset
+
 	# If unbound is running service for the local host then it is useful
 	# to perform lan-wide lookups to the upstream, and unblock the
 	# long list of local-zones above.  If this unbound is a dns server
@@ -992,3 +995,14 @@ remote-control:
 #     redis-server-port: 6379
 #     # timeout (in ms) for communication with the redis server
 #     redis-timeout: 100
+
+# IPSet
+# Add specify domain into set via ipset.
+# Note: To enable ipset needs run unbound as root user.
+# ipset:
+#     # set name for ip v4 addresses
+#     name-v4: "list-v4"
+#     # set name for ip v6 addresses
+#     name-v6: "list-v6"
+#
+

ipset/ipset.c

@@ -0,0 +1,346 @@
+#include "config.h"
+#include "ipset/ipset.h"
+#include "util/regional.h"
+#include "util/config_file.h"
+
+#include "services/cache/dns.h"
+
+#include "sldns/sbuffer.h"
+#include "sldns/wire2str.h"
+#include "sldns/parseutil.h"
+
+#include <libmnl/libmnl.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/ipset/ip_set.h>
+
+#define BUFF_LEN 256
+
+/**
+ * Return an error
+ * @param qstate: our query state
+ * @param id: module id
+ * @param rcode: error code (DNS errcode).
+ * @return: 0 for use by caller, to make notation easy, like:
+ * 	return error_response(..).
+ */
+static int error_response(struct module_qstate* qstate, int id, int rcode) {
+	verbose(VERB_QUERY, "return error response %s",
+		sldns_lookup_by_id(sldns_rcodes, rcode)?
+		sldns_lookup_by_id(sldns_rcodes, rcode)->name:"??");
+	qstate->return_rcode = rcode;
+	qstate->return_msg = NULL;
+	qstate->ext_state[id] = module_finished;
+	return 0;
+}
+
+static struct mnl_socket * open_mnl_socket() {
+	struct mnl_socket *mnl;
+
+	mnl = mnl_socket_open(NETLINK_NETFILTER);
+	if (!mnl) {
+		log_err("ipset: could not open netfilter.");
+		return NULL;
+	}
+
+	if (mnl_socket_bind(mnl, 0, MNL_SOCKET_AUTOPID) < 0) {
+		mnl_socket_close(mnl);
+		log_err("ipset: could not bind netfilter.");
+		return NULL;
+	}
+	return mnl;
+}
+
+static int add_to_ipset(struct mnl_socket *mnl, const char *setname, const void *ipaddr, int af) {
+	struct nlmsghdr *nlh;
+	struct nfgenmsg *nfg;
+	struct nlattr *nested[2];
+	static char buffer[BUFF_LEN];
+
+	if (strlen(setname) >= IPSET_MAXNAMELEN) {
+		errno = ENAMETOOLONG;
+		return -1;
+	}
+	if (af != AF_INET && af != AF_INET6) {
+		errno = EAFNOSUPPORT;
+		return -1;
+	}
+
+	nlh = mnl_nlmsg_put_header(buffer);
+	nlh->nlmsg_type = IPSET_CMD_ADD | (NFNL_SUBSYS_IPSET << 8);
+	nlh->nlmsg_flags = NLM_F_REQUEST|NLM_F_ACK|NLM_F_EXCL;
+
+	nfg = mnl_nlmsg_put_extra_header(nlh, sizeof(struct nfgenmsg));
+	nfg->nfgen_family = af;
+	nfg->version = NFNETLINK_V0;
+	nfg->res_id = htons(0);
+
+	mnl_attr_put_u8(nlh, IPSET_ATTR_PROTOCOL, IPSET_PROTOCOL);
+	mnl_attr_put(nlh, IPSET_ATTR_SETNAME, strlen(setname) + 1, setname);
+	nested[0] = mnl_attr_nest_start(nlh, IPSET_ATTR_DATA);
+	nested[1] = mnl_attr_nest_start(nlh, IPSET_ATTR_IP);
+	mnl_attr_put(nlh, (af == AF_INET ? IPSET_ATTR_IPADDR_IPV4 : IPSET_ATTR_IPADDR_IPV6)
+			| NLA_F_NET_BYTEORDER, (af == AF_INET ? sizeof(struct in_addr) : sizeof(struct in6_addr)), ipaddr);
+	mnl_attr_nest_end(nlh, nested[1]);
+	mnl_attr_nest_end(nlh, nested[0]);
+
+	if (mnl_socket_sendto(mnl, nlh, nlh->nlmsg_len) < 0) {
+		return -1;
+	}
+	return 0;
+}
+
+static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) {
+	int ret;
+
+	struct mnl_socket *mnl;
+
+	int i, j;
+
+	const char *setname;
+
+	struct ub_packed_rrset_key *rrset;
+	struct packed_rrset_data *d;
+
+	int af;
+
+	static char dname[BUFF_LEN];
+	const char *s;
+	int dlen, plen;
+
+	struct config_strlist *p;
+
+	uint16_t rrtype;
+	size_t rr_len, rd_len;
+
+	uint8_t *rr_data;
+
+	mnl = (struct mnl_socket *)ie->mnl;
+	if (!mnl) {
+		// retry to create mnl socket
+		mnl = open_mnl_socket();
+		if (!mnl) {
+			return -1;
+		}
+
+		ie->mnl = mnl;
+	}
+
+	for (i = 0; i < return_msg->rep->rrset_count; ++i) {
+		setname = NULL;
+
+		rrset = return_msg->rep->rrsets[i];
+
+		if (rrset->rk.type == htons(LDNS_RR_TYPE_A)) {
+			af = AF_INET;
+			if ((ie->v4_enabled == 1)) {
+				setname = ie->name_v4;
+			}
+		} else {
+			af = AF_INET6;
+			if ((ie->v6_enabled == 1)) {
+				setname = ie->name_v6;
+			}
+		}
+
+		if (setname) {
+			dlen = sldns_wire2str_dname_buf(rrset->rk.dname, rrset->rk.dname_len, dname, BUFF_LEN);
+			if (dlen == 0) {
+				log_err("bad domain name");
+				return -1;
+			}
+			if (dname[dlen - 1] == '.') {
+				dlen--;
+			}
+
+			for (p = env->cfg->local_zones_ipset; p; p = p->next) {
+				plen = strlen(p->str);
+
+				if (dlen >= plen) {
+					s = dname + (dlen - plen);
+
+					if (strncasecmp(p->str, s, plen) == 0) {
+						d = (struct packed_rrset_data*)rrset->entry.data;
+						for (j = 0; j < d->count + d->rrsig_count; j++) {
+							rr_len = d->rr_len[j];
+							rr_data = d->rr_data[j];
+
+							rd_len = sldns_read_uint16(rr_data);
+							if (rr_len - 2 >= rd_len) {
+								ret = add_to_ipset(mnl, setname, rr_data + 2, af);
+								if (ret < 0) {
+									log_err("ipset: could not add %s into %s", dname, setname);
+
+									mnl_socket_close(mnl);
+									ie->mnl = NULL;
+									break;
+								}
+							}
+						}
+						break;
+					}
+				}
+			}
+		}
+	}
+
+	return 0;
+}
+
+int ipset_init(struct module_env* env, int id) {
+	struct ipset_env *ipset_env;
+
+	ipset_env = (struct ipset_env *)calloc(1, sizeof(struct ipset_env));
+	if (!ipset_env) {
+		log_err("malloc failure");
+		return 0;
+	}
+
+	env->modinfo[id] = (void *)ipset_env;
+
+	ipset_env->mnl == NULL;
+
+	ipset_env->name_v4 = env->cfg->ipset_name_v4;
+	ipset_env->name_v6 = env->cfg->ipset_name_v6;
+
+	ipset_env->v4_enabled = !ipset_env->name_v4 || (strlen(ipset_env->name_v4) == 0) ? 0 : 1;
+	ipset_env->v6_enabled = !ipset_env->name_v6 || (strlen(ipset_env->name_v6) == 0) ? 0 : 1;
+
+	if ((ipset_env->v4_enabled < 1) && (ipset_env->v6_enabled < 1)) {
+		log_err("ipset: set name no configuration?");
+		return 0;
+	}
+
+	return 1;
+}
+
+void ipset_deinit(struct module_env *env, int id) {
+	struct mnl_socket *mnl;
+	struct ipset_env *ipset_env;
+
+	if (!env || !env->modinfo[id]) {
+		return;
+	}
+
+	ipset_env = (struct ipset_env *)env->modinfo[id];
+
+	mnl = (struct mnl_socket *)ipset_env->mnl;
+	if (mnl) {
+		mnl_socket_close(mnl);
+		ipset_env->mnl = NULL;
+	}
+
+	free(ipset_env);
+	env->modinfo[id] = NULL;
+}
+
+static int ipset_new(struct module_qstate* qstate, int id) {
+	struct ipset_qstate *iq = (struct ipset_qstate *)regional_alloc(
+		qstate->region, sizeof(struct ipset_qstate));
+	qstate->minfo[id] = iq;
+	if (!iq) {
+		return 0;
+	}
+
+	memset(iq, 0, sizeof(*iq));
+	/* initialise it */
+	/* TODO */
+
+	return 1;
+}
+
+void ipset_operate(struct module_qstate *qstate, enum module_ev event, int id,
+	struct outbound_entry *outbound) {
+	struct ipset_env *ie = (struct ipset_env *)qstate->env->modinfo[id];
+	struct ipset_qstate *iq = (struct ipset_qstate *)qstate->minfo[id];
+	verbose(VERB_QUERY, "ipset[module %d] operate: extstate:%s event:%s",
+		id, strextstate(qstate->ext_state[id]), strmodulevent(event));
+	if (iq) {
+		log_query_info(VERB_QUERY, "ipset operate: query", &qstate->qinfo);
+	}
+
+	/* perform ipset state machine */
+	if ((event == module_event_new || event == module_event_pass) && !iq) {
+		if (!ipset_new(qstate, id)) {
+			(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+			return;
+		}
+		iq = (struct ipset_qstate*)qstate->minfo[id];
+	}
+
+	if (iq && (event == module_event_pass || event == module_event_new)) {
+		qstate->ext_state[id] = module_wait_module;
+		return;
+	}
+
+	if (iq && (event == module_event_moddone)) {
+		if (qstate->return_msg && qstate->return_msg->rep) {
+			ipset_update(qstate->env, qstate->return_msg, ie);
+		}
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+
+	if (iq && outbound) {
+		/* ipset does not need to process responses at this time
+		 * ignore it.
+		ipset_process_response(qstate, iq, ie, id, outbound, event);
+		*/
+		return;
+	}
+
+	if (event == module_event_error) {
+		verbose(VERB_ALGO, "got called with event error, giving up");
+		(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+		return;
+	}
+
+	if (!iq && (event == module_event_moddone)) {
+		/* during priming, module done but we never started */
+		qstate->ext_state[id] = module_finished;
+		return;
+	}
+
+	log_err("bad event for ipset");
+	(void)error_response(qstate, id, LDNS_RCODE_SERVFAIL);
+}
+
+void ipset_inform_super(struct module_qstate *ATTR_UNUSED(qstate),
+	int ATTR_UNUSED(id), struct module_qstate *ATTR_UNUSED(super)) {
+	/* ipset does not use subordinate requests at this time */
+	verbose(VERB_ALGO, "ipset inform_super was called");
+}
+
+void ipset_clear(struct module_qstate *qstate, int id) {
+	struct cachedb_qstate *iq;
+	if (!qstate) {
+		return;
+	}
+	iq = (struct cachedb_qstate *)qstate->minfo[id];
+	if (iq) {
+		/* free contents of iq */
+		/* TODO */
+	}
+	qstate->minfo[id] = NULL;
+}
+
+size_t ipset_get_mem(struct module_env *env, int id) {
+	struct ipset_env *ie = (struct ipset_env *)env->modinfo[id];
+	if (!ie) {
+		return 0;
+	}
+	return sizeof(*ie);
+}
+
+/**
+ * The ipset function block 
+ */
+static struct module_func_block ipset_block = {
+	"ipset",
+	&ipset_init, &ipset_deinit, &ipset_operate,
+	&ipset_inform_super, &ipset_clear, &ipset_get_mem
+};
+
+struct module_func_block * ipset_get_funcblock(void) {
+	return &ipset_block;
+}
+

ipset/ipset.h

@@ -0,0 +1,56 @@
+/**
+ * ipset.h
+ *
+ * Author: Kevin Chou
+ * Email: k9982874@gmail.com
+ */
+#ifndef IPSET_H
+#define IPSET_H
+
+#include "util/module.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct ipset_env {
+    void* mnl;
+
+	int v4_enabled;
+	int v6_enabled;
+
+	const char *name_v4;
+	const char *name_v6;
+};
+
+struct ipset_qstate {
+	int dummy;
+};
+
+/** Init the ipset module */
+int ipset_init(struct module_env* env, int id);
+/** Deinit the ipset module */
+void ipset_deinit(struct module_env* env, int id);
+/** Operate on an event on a query (in qstate). */
+void ipset_operate(struct module_qstate* qstate, enum module_ev event,
+	int id, struct outbound_entry* outbound);
+/** Subordinate query done, inform this super request of its conclusion */
+void ipset_inform_super(struct module_qstate* qstate, int id,
+	struct module_qstate* super);
+/** clear the ipset query-specific contents out of qstate */
+void ipset_clear(struct module_qstate* qstate, int id);
+/** return memory estimate for ipset module */
+size_t ipset_get_mem(struct module_env* env, int id);
+
+/**
+ * Get the function block with pointers to the ipset functions
+ * @return the function block for "ipset".
+ */
+struct module_func_block* ipset_get_funcblock(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* IPSET_H */
+

services/modstack.c

@@ -60,6 +60,9 @@
 #ifdef CLIENT_SUBNET
 #include "edns-subnet/subnetmod.h"
 #endif
+#ifdef USE_IPSET
+#include "ipset/ipset.h"
+#endif
 
 /** count number of modules (words) in the string */
 static int
@@ -145,6 +148,9 @@ module_list_avail(void)
 #endif
 #ifdef CLIENT_SUBNET
 		"subnetcache",
+#endif
+#ifdef USE_IPSET
+                "ipset",
 #endif
 		"respip",
 		"validator",
@@ -173,6 +179,9 @@ module_funcs_avail(void)
 #endif
 #ifdef CLIENT_SUBNET
 		&subnetmod_get_funcblock,
+#endif
+#ifdef USE_IPSET
+		&ipset_get_funcblock,
 #endif
 		&respip_get_funcblock,
 		&val_get_funcblock,

smallapp/unbound-checkconf.c

@@ -573,6 +573,10 @@ morechecks(struct config_file* cfg)
 		&& strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
 		&& strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
 		&& strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
+#endif
+#ifdef USE_IPSET
+		&& strcmp(cfg->module_conf, "validator ipset iterator") != 0
+		&& strcmp(cfg->module_conf, "ipset iterator") != 0
 #endif
 		) {
 		fatal_exit("module conf '%s' is not known to work",

util/config_file.c

@@ -255,6 +255,9 @@ config_create(void)
 	cfg->neg_cache_size = 1 * 1024 * 1024;
 	cfg->local_zones = NULL;
 	cfg->local_zones_nodefault = NULL;
+#ifdef USE_IPSET
+	cfg->local_zones_ipset = NULL;
+#endif
 	cfg->local_zones_disable_default = 0;
 	cfg->local_data = NULL;
 	cfg->local_zone_overrides = NULL;
@@ -326,10 +329,14 @@ config_create(void)
 #ifdef USE_CACHEDB
 	cfg->cachedb_backend = NULL;
 	cfg->cachedb_secret = NULL;
+#endif
+#ifdef USE_IPSET
+	cfg->ipset_name_v4 = NULL;
+	cfg->ipset_name_v6 = NULL;
 #endif
 	return cfg;
 error_exit:
-	config_delete(cfg); 
+	config_delete(cfg);
 	return NULL;
 }
 
@@ -1091,6 +1098,10 @@ config_get_option(struct config_file* cfg, const char* opt,
 #ifdef USE_CACHEDB
 	else O_STR(opt, "backend", cachedb_backend)
 	else O_STR(opt, "secret-seed", cachedb_secret)
+#endif
+#ifdef USE_IPSET
+	else O_STR(opt, "name-v4", ipset_name_v4)
+	else O_STR(opt, "name-v6", ipset_name_v6)
 #endif
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports
@@ -1310,6 +1321,9 @@ config_delview(struct config_view* p)
 	free(p->name);
 	config_deldblstrlist(p->local_zones);
 	config_delstrlist(p->local_zones_nodefault);
+#ifdef USE_IPSET
+	config_delstrlist(p->local_zones_ipset);
+#endif
 	config_delstrlist(p->local_data);
 	free(p);
 }
@@ -1400,6 +1414,9 @@ config_delete(struct config_file* cfg)
 	free(cfg->val_nsec3_key_iterations);
 	config_deldblstrlist(cfg->local_zones);
 	config_delstrlist(cfg->local_zones_nodefault);
+#ifdef USE_IPSET
+	config_delstrlist(cfg->local_zones_ipset);
+#endif
 	config_delstrlist(cfg->local_data);
 	config_deltrplstrlist(cfg->local_zone_overrides);
 	config_del_strarray(cfg->tagname, cfg->num_tags);
@@ -1427,6 +1444,10 @@ config_delete(struct config_file* cfg)
 #ifdef USE_CACHEDB
 	free(cfg->cachedb_backend);
 	free(cfg->cachedb_secret);
+#endif
+#ifdef USE_IPSET
+	free(cfg->ipset_name_v4);
+	free(cfg->ipset_name_v6);
 #endif
 	free(cfg);
 }
@@ -2107,6 +2128,11 @@ cfg_parse_local_zone(struct config_file* cfg, const char* val)
 	if(strcmp(type, "nodefault")==0) {
 		return cfg_strlist_insert(&cfg->local_zones_nodefault, 
 			strdup(name));
+#ifdef USE_IPSET
+	} else if(strcmp(type, "ipset")==0) {
+		return cfg_strlist_insert(&cfg->local_zones_ipset, 
+			strdup(name));
+#endif
 	} else {
 		return cfg_str2list_insert(&cfg->local_zones, strdup(buf),
 			strdup(type));
@@ -2381,3 +2407,4 @@ int options_remote_is_address(struct config_file* cfg)
 	if(cfg->control_ifs.first->str[0] == 0) return 1;
 	return (cfg->control_ifs.first->str[0] != '/');
 }
+

util/config_file.h

@@ -384,6 +384,10 @@ struct config_file {
 	struct config_str2list* local_zones;
 	/** local zones nodefault list */
 	struct config_strlist* local_zones_nodefault;
+#ifdef USE_IPSET
+	/** local zones ipset list */
+	struct config_strlist* local_zones_ipset;
+#endif
 	/** do not add any default local zone */
 	int local_zones_disable_default;
 	/** local data RRs configured */
@@ -574,6 +578,12 @@ struct config_file {
 	/** timeout (in ms) for communication with the redis server */
 	int redis_timeout;
 #endif
+#endif
+
+	/* ipset module */
+#ifdef USE_IPSET
+	char* ipset_name_v4;
+	char* ipset_name_v6;
 #endif
 };
 
@@ -647,6 +657,10 @@ struct config_view {
 	struct config_strlist* local_data;
 	/** local zones nodefault list */
 	struct config_strlist* local_zones_nodefault;
+#ifdef USE_IPSET
+	/** local zones ipset list */
+	struct config_strlist* local_zones_ipset;
+#endif
 	/** Fallback to global local_zones when there is no match in the view
 	 * view specific tree. 1 for yes, 0 for no */	
 	int isfirst;
@@ -1181,3 +1195,4 @@ void w_config_adjust_directory(struct config_file* cfg);
 extern int fake_dsa, fake_sha1;
 
 #endif /* UTIL_CONFIG_FILE_H */
+

util/configlexer.lex

@@ -483,6 +483,9 @@ secret-seed{COLON}		{ YDVAR(1, VAR_CACHEDB_SECRETSEED) }
 redis-server-host{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISHOST) }
 redis-server-port{COLON}	{ YDVAR(1, VAR_CACHEDB_REDISPORT) }
 redis-timeout{COLON}		{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) }
+ipset{COLON}			{ YDVAR(0, VAR_IPSET) }
+name-v4{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V4) }
+name-v6{COLON}			{ YDVAR(1, VAR_IPSET_NAME_V6) }
 udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
 tcp-connection-limit{COLON}	{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
 <INITIAL,val>{NEWLINE}		{ LEXOUT(("NL\n")); cfg_parser->line++; }

util/configparser.h

@@ -1,8 +1,9 @@
-/* A Bison parser, made by GNU Bison 3.0.5.  */
+/* A Bison parser, made by GNU Bison 3.3.2.  */
 
 /* Bison interface for Yacc-like parsers in C
 
-   Copyright (C) 1984, 1989-1990, 2000-2015, 2018 Free Software Foundation, Inc.
+   Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
+   Inc.
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -30,6 +31,9 @@
    This special exception was added by the Free Software Foundation in
    version 2.2 of Bison.  */
 
+/* Undocumented macros, especially those whose name start with YY_,
+   are private implementation details.  Do not rely on them.  */
+
 #ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 # define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
 /* Debug traces.  */
@@ -308,7 +312,10 @@ extern int yydebug;
     VAR_STREAM_WAIT_SIZE = 518,
     VAR_TLS_CIPHERS = 519,
     VAR_TLS_CIPHERSUITES = 520,
-    VAR_TLS_SESSION_TICKET_KEYS = 521
+    VAR_TLS_SESSION_TICKET_KEYS = 521,
+    VAR_IPSET = 522,
+    VAR_IPSET_NAME_V4 = 523,
+    VAR_IPSET_NAME_V6 = 524
   };
 #endif
 /* Tokens.  */
@@ -576,17 +583,20 @@ extern int yydebug;
 #define VAR_TLS_CIPHERS 519
 #define VAR_TLS_CIPHERSUITES 520
 #define VAR_TLS_SESSION_TICKET_KEYS 521
+#define VAR_IPSET 522
+#define VAR_IPSET_NAME_V4 523
+#define VAR_IPSET_NAME_V6 524
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
 
 union YYSTYPE
 {
-#line 66 "./util/configparser.y" /* yacc.c:1910  */
+#line 66 "./util/configparser.y" /* yacc.c:1921  */
 
 	char*	str;
 
-#line 590 "util/configparser.h" /* yacc.c:1910  */
+#line 600 "util/configparser.h" /* yacc.c:1921  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -167,6 +167,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_UNKNOWN_SERVER_TIME_LIMIT VAR_LOG_TAG_QUERYREPLY
 %token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES
 %token VAR_TLS_SESSION_TICKET_KEYS
+%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -174,7 +175,7 @@ toplevelvar: serverstart contents_server | stubstart contents_stub |
 	forwardstart contents_forward | pythonstart contents_py | 
 	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
 	dnscstart contents_dnsc | cachedbstart contents_cachedb |
-	authstart contents_auth
+	ipsetstart contents_ipset | authstart contents_auth
 	;
 
 /* server: declaration */
@@ -1784,13 +1785,14 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 		   && strcmp($3, "always_nxdomain")!=0
 		   && strcmp($3, "noview")!=0
 		   && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0
-		   && strcmp($3, "inform_redirect") != 0) {
+		   && strcmp($3, "inform_redirect") != 0
+			 && strcmp($3, "ipset") != 0) {
 			yyerror("local-zone type: expected static, deny, "
 				"refuse, redirect, transparent, "
 				"typetransparent, inform, inform_deny, "
 				"inform_redirect, always_transparent, "
 				"always_refuse, always_nxdomain, noview "
-				"or nodefault");
+				", nodefault or ipset");
 			free($2);
 			free($3);
 		} else if(strcmp($3, "nodefault")==0) {
@@ -1798,6 +1800,13 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 				local_zones_nodefault, $2))
 				fatal_exit("out of memory adding local-zone");
 			free($3);
+#ifdef USE_IPSET
+		} else if(strcmp($3, "ipset")==0) {
+			if(!cfg_strlist_insert(&cfg_parser->cfg->
+				local_zones_ipset, $2))
+				fatal_exit("out of memory adding local-zone");
+			free($3);
+#endif
 		} else {
 			if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, 
 				$2, $3))
@@ -2455,6 +2464,13 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
 				local_zones_nodefault, $2))
 				fatal_exit("out of memory adding local-zone");
 			free($3);
+#ifdef USE_IPSET
+		} else if(strcmp($3, "ipset")==0) {
+			if(!cfg_strlist_insert(&cfg_parser->cfg->views->
+				local_zones_ipset, $2))
+				fatal_exit("out of memory adding local-zone");
+			free($3);
+#endif
 		} else {
 			if(!cfg_str2list_insert(
 				&cfg_parser->cfg->views->local_zones, 
@@ -2959,6 +2975,45 @@ server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG
 		}
 	}
 	;
+	ipsetstart: VAR_IPSET
+		{
+			OUTYY(("\nP(ipset:)\n"));
+		}
+		;
+	contents_ipset: contents_ipset content_ipset
+		| ;
+	content_ipset: ipset_name_v4 | ipset_name_v6
+		;
+	ipset_name_v4: VAR_IPSET_NAME_V4 STRING_ARG
+		{
+		#ifdef USE_IPSET
+			OUTYY(("P(name-v4:%s)\n", $2));
+			if(cfg_parser->cfg->ipset_name_v4)
+				yyerror("ipset name v4 override, there must be one "
+					"name for ip v4");
+			free(cfg_parser->cfg->ipset_name_v4);
+			cfg_parser->cfg->ipset_name_v4 = $2;
+		#else
+			OUTYY(("P(Compiled without ipset, ignoring)\n"));
+			free($2);
+		#endif
+		}
+	;
+	ipset_name_v6: VAR_IPSET_NAME_V6 STRING_ARG
+	{
+		#ifdef USE_IPSET
+			OUTYY(("P(name-v6:%s)\n", $2));
+			if(cfg_parser->cfg->ipset_name_v6)
+				yyerror("ipset name v6 override, there must be one "
+					"name for ip v6");
+			free(cfg_parser->cfg->ipset_name_v6);
+			cfg_parser->cfg->ipset_name_v6 = $2;
+		#else
+			OUTYY(("P(Compiled without ipset, ignoring)\n"));
+			free($2);
+		#endif
+		}
+	;
 %%
 
 /* parse helper routines could be here */
@@ -2978,3 +3033,5 @@ validate_respip_action(const char* action)
 			"always_refuse or always_nxdomain");
 	}
 }
+
+

util/fptr_wlist.c

@@ -90,6 +90,9 @@
 #ifdef CLIENT_SUBNET
 #include "edns-subnet/subnetmod.h"
 #endif
+#ifdef USE_IPSET
+#include "ipset/ipset.h"
+#endif
 
 int 
 fptr_whitelist_comm_point(comm_point_callback_type *fptr)
@@ -358,8 +361,8 @@ fptr_whitelist_modenv_kill_sub(void (*fptr)(struct module_qstate* newq))
 }
 
 int 
-fptr_whitelist_modenv_detect_cycle(int (*fptr)(        
-	struct module_qstate* qstate, struct query_info* qinfo,         
+fptr_whitelist_modenv_detect_cycle(int (*fptr)(
+	struct module_qstate* qstate, struct query_info* qinfo,
 	uint16_t flags, int prime, int valrec))
 {
 	if(fptr == &mesh_detect_cycle) return 1;
@@ -384,6 +387,9 @@ fptr_whitelist_mod_init(int (*fptr)(struct module_env* env, int id))
 #endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_init) return 1;
+#endif
+#ifdef USE_IPSET
+	else if(fptr == &ipset_init) return 1;
 #endif
 	return 0;
 }
@@ -406,6 +412,9 @@ fptr_whitelist_mod_deinit(void (*fptr)(struct module_env* env, int id))
 #endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_deinit) return 1;
+#endif
+#ifdef USE_IPSET
+	else if(fptr == &ipset_deinit) return 1;
 #endif
 	return 0;
 }
@@ -429,6 +438,9 @@ fptr_whitelist_mod_operate(void (*fptr)(struct module_qstate* qstate,
 #endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_operate) return 1;
+#endif
+#ifdef USE_IPSET
+	else if(fptr == &ipset_operate) return 1;
 #endif
 	return 0;
 }
@@ -452,6 +464,9 @@ fptr_whitelist_mod_inform_super(void (*fptr)(
 #endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_inform_super) return 1;
+#endif
+#ifdef USE_IPSET
+	else if(fptr == &ipset_inform_super) return 1;
 #endif
 	return 0;
 }
@@ -475,6 +490,9 @@ fptr_whitelist_mod_clear(void (*fptr)(struct module_qstate* qstate,
 #endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_clear) return 1;
+#endif
+#ifdef USE_IPSET
+	else if(fptr == &ipset_clear) return 1;
 #endif
 	return 0;
 }
@@ -497,6 +515,9 @@ fptr_whitelist_mod_get_mem(size_t (*fptr)(struct module_env* env, int id))
 #endif
 #ifdef CLIENT_SUBNET
 	else if(fptr == &subnetmod_get_mem) return 1;
+#endif
+#ifdef USE_IPSET
+	else if(fptr == &ipset_get_mem) return 1;
 #endif
 	return 0;
 }
@@ -597,3 +618,4 @@ int fptr_whitelist_inplace_cb_query_response(
 #endif
 	return 0;
 }
+