- access-control-tag-action and access-control-tag-data config

directives.
- make depend


git-svn-id: file:///svn/unbound/trunk@3759 be551aaa-1e26-0410-a405-d3ace91eadb9

Makefile.in

@@ -704,11 +704,12 @@ listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h
  $(srcdir)/util/rbtree.h  $(srcdir)/util/log.h $(srcdir)/util/config_file.h \
  $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h
 localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \
- $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \
- $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/as112.h
+ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h \
+ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h \
+ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h \
+ $(srcdir)/util/netevent.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
+ $(srcdir)/util/as112.h
 mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \
  $(srcdir)/util/netevent.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \
@@ -759,7 +760,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
  $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/util/mini_event.h \
  $(srcdir)/util/rbtree.h $(srcdir)/services/outside_network.h  \
- $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
  $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \
@@ -956,7 +957,8 @@ unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/lo
  $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/locks.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \
  $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
@@ -1063,7 +1065,8 @@ worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(sr
  $(srcdir)/libunbound/libworker.h
 acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \
- $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h
+ $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/locks.h \
+ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h
 daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h  \
  $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \
@@ -1134,8 +1137,8 @@ context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbou
  $(srcdir)/libunbound/unbound.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h \
- $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \
- $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h $(srcdir)/sldns/sbuffer.h
+ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
+ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/sldns/sbuffer.h
 libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \
  $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \
  $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \
@@ -1143,7 +1146,7 @@ libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbou
  $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \
  $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
  $(srcdir)/sldns/sbuffer.h
 libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \
@@ -1153,11 +1156,12 @@ libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/li
  $(srcdir)/libunbound/unbound-event.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \
   $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \
- $(srcdir)/services/localzone.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \
- $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h \
- $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h \
- $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h \
- $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/cache/rrset.h \
+ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \
+ $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \
+ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \
+ $(srcdir)/util/data/msgencode.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \
+ $(srcdir)/sldns/str2wire.h
 unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \
  $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
 asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \
@@ -1225,7 +1229,6 @@ snprintf.lo snprintf.o: $(srcdir)/compat/snprintf.c config.h
 strlcat.lo strlcat.o: $(srcdir)/compat/strlcat.c config.h
 strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h
 strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h
-strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h
 getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h
 getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c config.h
 getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h
@@ -1237,3 +1240,4 @@ arc4_lock.lo arc4_lock.o: $(srcdir)/compat/arc4_lock.c config.h $(srcdir)/util/l
 sha512.lo sha512.o: $(srcdir)/compat/sha512.c config.h
 reallocarray.lo reallocarray.o: $(srcdir)/compat/reallocarray.c config.h
 isblank.lo isblank.o: $(srcdir)/compat/isblank.c config.h
+strsep.lo strsep.o: $(srcdir)/compat/strsep.c config.h

daemon/acl_list.c

@@ -45,6 +45,8 @@
 #include "util/log.h"
 #include "util/config_file.h"
 #include "util/net_help.h"
+#include "services/localzone.h"
+#include "sldns/str2wire.h"
 
 struct acl_list* 
 acl_list_create(void)
@@ -76,13 +78,11 @@ acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
 	socklen_t addrlen, int net, enum acl_access control, 
 	int complain_duplicates)
 {
-	struct acl_addr* node = regional_alloc(acl->region,
+	struct acl_addr* node = regional_alloc_zero(acl->region,
 		sizeof(struct acl_addr));
 	if(!node)
 		return NULL;
 	node->control = control;
-	node->taglist = NULL;
-	node->taglen = 0;
 	if(!addr_tree_insert(&acl->tree, &node->node, addr, addrlen, net)) {
 		if(complain_duplicates)
 			verbose(VERB_QUERY, "duplicate acl address ignored.");
@@ -127,18 +127,17 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 	return 1;
 }
 
-/** apply acl_tag string */
-static int
-acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
-	size_t bitmaplen)
+/** find or create node (NULL on parse or error) */
+static struct acl_addr*
+acl_find_or_create(struct acl_list* acl, const char* str)
 {
+	struct acl_addr* node;
 	struct sockaddr_storage addr;
 	int net;
 	socklen_t addrlen;
-	struct acl_addr* node;
 	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
-		log_err("cannot parse netblock in access-control-tag: %s", str);
-		return 0;
+		log_err("cannot parse netblock: %s", str);
+		return NULL;
 	}
 	/* find or create node */
 	if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr,
@@ -148,10 +147,20 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
 		if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr,
 			addrlen, net, acl_allow, 1))) {
 			log_err("out of memory");
-			return 0;
+			return NULL;
 		}
 	}
-	log_assert(node);
+	return node;
+}
+
+/** apply acl_tag string */
+static int
+acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
+	size_t bitmaplen)
+{
+	struct acl_addr* node;
+	if(!(node=acl_find_or_create(acl, str)))
+		return 0;
 	node->taglen = bitmaplen;
 	node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen);
 	if(!node->taglist) {
@@ -161,6 +170,113 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
 	return 1;
 }
 
+/** apply acl_tag_action string */
+static int
+acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
+	const char* str, const char* tag, const char* action)
+{
+	struct acl_addr* node;
+	int tagid;
+	enum localzone_type t;
+	if(!(node=acl_find_or_create(acl, str)))
+		return 0;
+	/* allocate array if not yet */
+	if(!node->tag_actions) {
+		node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region,
+			sizeof(*node->tag_actions)*cfg->num_tags);
+		if(!node->tag_actions) {
+			log_err("out of memory");
+			return 0;
+		}
+		node->tag_actions_size = cfg->num_tags;
+	}
+	/* parse tag */
+	if((tagid=find_tag_id(cfg, tag)) == -1) {
+		log_err("cannot parse tag (define-tag it): %s %s", str, tag);
+		return 0;
+	}
+	if((size_t)tagid >= node->tag_actions_size) {
+		log_err("tagid too large for array %s %s", str, tag);
+		return 0;
+	}
+	if(!local_zone_str2type(action, &t)) {
+		log_err("cannot parse access control action type: %s %s %s",
+			str, tag, action);
+		return 0;
+	}
+	node->tag_actions[tagid] = (uint8_t)t;
+	return 1;
+}
+
+/** check wire data parse */
+static int
+check_data(const char* data)
+{
+	char buf[65536];
+	uint8_t rr[LDNS_RR_BUF_SIZE];
+	size_t len = sizeof(rr);
+	int res;
+	snprintf(buf, sizeof(buf), "%s %s", "example.com.", data);
+	res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL, 0,
+		NULL, 0);
+	if(res == 0)
+		return 1;
+	log_err("rr data [char %d] parse error %s",
+		(int)LDNS_WIREPARSE_OFFSET(res)-13,
+		sldns_get_errorstr_parse(res));
+	return 0;
+}
+
+/** apply acl_tag_data string */
+static int
+acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
+	const char* str, const char* tag, const char* data)
+{
+	struct acl_addr* node;
+	int tagid;
+	char* dupdata;
+	if(!(node=acl_find_or_create(acl, str)))
+		return 0;
+	/* allocate array if not yet */
+	if(!node->tag_datas) {
+		node->tag_datas = (struct config_strlist**)regional_alloc_zero(
+			acl->region, sizeof(*node->tag_datas)*cfg->num_tags);
+		if(!node->tag_datas) {
+			log_err("out of memory");
+			return 0;
+		}
+		node->tag_datas_size = cfg->num_tags;
+	}
+	/* parse tag */
+	if((tagid=find_tag_id(cfg, tag)) == -1) {
+		log_err("cannot parse tag (define-tag it): %s %s", str, tag);
+		return 0;
+	}
+	if((size_t)tagid >= node->tag_datas_size) {
+		log_err("tagid too large for array %s %s", str, tag);
+		return 0;
+	}
+
+	/* check data? */
+	if(!check_data(data)) {
+		log_err("cannot parse access-control-tag data: %s %s '%s'",
+			str, tag, data);
+		return 0;
+	}
+
+	dupdata = regional_strdup(acl->region, data);
+	if(!dupdata) {
+		log_err("out of memory");
+		return 0;
+	}
+	if(!cfg_region_strlist_insert(acl->region,
+		&(node->tag_datas[tagid]), dupdata)) {
+		log_err("out of memory");
+		return 0;
+	}
+	return 1;
+}
+
 /** read acl_list config */
 static int 
 read_acl_list(struct acl_list* acl, struct config_file* cfg)
@@ -187,6 +303,33 @@ read_acl_tags(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
+/** read acl tag actions config */
+static int 
+read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
+{
+	struct config_str3list* p;
+	for(p = cfg->acl_tag_actions; p; p = p->next) {
+		log_assert(p->str && p->str2 && p->str3);
+		if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2,
+			p->str3))
+			return 0;
+	}
+	return 1;
+}
+
+/** read acl tag datas config */
+static int 
+read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
+{
+	struct config_str3list* p;
+	for(p = cfg->acl_tag_datas; p; p = p->next) {
+		log_assert(p->str && p->str2 && p->str3);
+		if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3))
+			return 0;
+	}
+	return 1;
+}
+
 int 
 acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
 {
@@ -196,6 +339,10 @@ acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg)
 		return 0;
 	if(!read_acl_tags(acl, cfg))
 		return 0;
+	if(!read_acl_tag_actions(acl, cfg))
+		return 0;
+	if(!read_acl_tag_datas(acl, cfg))
+		return 0;
 	/* insert defaults, with '0' to ignore them if they are duplicates */
 	if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0))
 		return 0;

daemon/acl_list.h

@@ -91,6 +91,15 @@ struct acl_addr {
 	uint8_t* taglist;
 	/** length of the taglist (in bytes) */
 	size_t taglen;
+	/** array per tagnumber of localzonetype(in one byte). NULL if none. */
+	uint8_t* tag_actions;
+	/** size of the tag_actions_array */
+	size_t tag_actions_size;
+	/** array per tagnumber, with per tag a list of rdata strings.
+	 * NULL if none.  strings are like 'A 127.0.0.1' 'AAAA ::1' */
+	struct config_strlist** tag_datas;
+	/** size of the tag_datas array */
+	size_t tag_datas_size;
 };
 
 /**

doc/Changelog

@@ -2,6 +2,8 @@
 	- Better help text from -h (from Ray Griffith).
 	- access-control-tag config directive.
 	- local-zone-override config directive.
+	- access-control-tag-action and access-control-tag-data config
+	  directives.
 
 3 June 2016: Wouter
 	- Fix to not ignore return value of chown() in daemon startup.

doc/example.conf.in

@@ -212,6 +212,12 @@ server:
 	# are tagged with one of these tags.
 	# access-control-tag: 192.0.2.0/24 "tag2 tag3"
 
+	# set action for particular tag for given access control element
+	# access-control-tag-action: 192.0.2.0/24 tag3 refuse
+
+	# set redirect data for particular tag for access control element
+	# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
+
 	# if given, a chroot(2) is done to the given directory.
 	# i.e. you can chroot to the working directory, for example,
 	# for extra security, but make sure all files are in that directory.

util/config_file.c

@@ -795,6 +795,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LTG(opt, "local-zone-tag", local_zone_tags)
 	else O_LTG(opt, "access-control-tag", acl_tags)
 	else O_LS3(opt, "local-zone-override", local_zone_overrides)
+	else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
+	else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
 	/* not here:
 	 * outgoing-permit, outgoing-avoid - have list of ports
 	 * local-zone - zones and nodefault variables
@@ -1049,6 +1051,8 @@ config_delete(struct config_file* cfg)
 	config_del_strarray(cfg->tagname, cfg->num_tags);
 	config_del_strbytelist(cfg->local_zone_tags);
 	config_del_strbytelist(cfg->acl_tags);
+	config_deltrplstrlist(cfg->acl_tag_actions);
+	config_deltrplstrlist(cfg->acl_tag_datas);
 	config_delstrlist(cfg->control_ifs);
 	free(cfg->server_key_file);
 	free(cfg->server_cert_file);
@@ -1206,6 +1210,23 @@ int cfg_strlist_append(struct config_strlist_head* list, char* item)
 	return 1;
 }
 
+int 
+cfg_region_strlist_insert(struct regional* region,
+	struct config_strlist** head, char* item)
+{
+	struct config_strlist *s;
+	if(!item || !head)
+		return 0;
+	s = (struct config_strlist*)regional_alloc_zero(region,
+		sizeof(struct config_strlist));
+	if(!s)
+		return 0;
+	s->str = item;
+	s->next = *head;
+	*head = s;
+	return 1;
+}
+
 int 
 cfg_strlist_insert(struct config_strlist** head, char* item)
 {

util/config_file.h

@@ -49,6 +49,7 @@ struct config_strbytelist;
 struct module_qstate;
 struct sock_list;
 struct ub_packed_rrset_key;
+struct regional;
 
 /**
  * The configuration options.
@@ -303,6 +304,10 @@ struct config_file {
 	struct config_strbytelist* local_zone_tags;
 	/** list of aclname, tagbitlist */
 	struct config_strbytelist* acl_tags;
+	/** list of aclname, tagname, localzonetype */
+	struct config_str3list* acl_tag_actions;
+	/** list of aclname, tagname, redirectdata */
+	struct config_str3list* acl_tag_datas;
 	/** tag list, array with tagname[i] is malloced string */
 	char** tagname;
 	/** number of items in the taglist */
@@ -595,6 +600,10 @@ int cfg_strlist_append(struct config_strlist_head* list, char* item);
  */
 int cfg_strlist_insert(struct config_strlist** head, char* item);
 
+/** insert with region for allocation. */
+int cfg_region_strlist_insert(struct regional* region,
+	struct config_strlist** head, char* item);
+
 /**
  * Insert string into str2list.
  * @param head: pointer to str2list head variable.

util/configlexer.lex

@@ -346,6 +346,8 @@ dns64-synthall{COLON}		{ YDVAR(1, VAR_DNS64_SYNTHALL) }
 define-tag{COLON}		{ YDVAR(1, VAR_DEFINE_TAG) }
 local-zone-tag{COLON}		{ YDVAR(2, VAR_LOCAL_ZONE_TAG) }
 access-control-tag{COLON}	{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) }
+access-control-tag-action{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
+access-control-tag-data{COLON}	{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
 local-zone-override{COLON}	{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
 dnstap{COLON}			{ YDVAR(0, VAR_DNSTAP) }
 dnstap-enable{COLON}		{ YDVAR(1, VAR_DNSTAP_ENABLE) }

util/configparser.h

@@ -213,7 +213,9 @@ extern int yydebug;
     VAR_DEFINE_TAG = 423,
     VAR_LOCAL_ZONE_TAG = 424,
     VAR_ACCESS_CONTROL_TAG = 425,
-    VAR_LOCAL_ZONE_OVERRIDE = 426
+    VAR_LOCAL_ZONE_OVERRIDE = 426,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 427,
+    VAR_ACCESS_CONTROL_TAG_DATA = 428
   };
 #endif
 /* Tokens.  */
@@ -386,6 +388,8 @@ extern int yydebug;
 #define VAR_LOCAL_ZONE_TAG 424
 #define VAR_ACCESS_CONTROL_TAG 425
 #define VAR_LOCAL_ZONE_OVERRIDE 426
+#define VAR_ACCESS_CONTROL_TAG_ACTION 427
+#define VAR_ACCESS_CONTROL_TAG_DATA 428
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -396,7 +400,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 400 "util/configparser.h" /* yacc.c:1909  */
+#line 404 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -127,6 +127,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 %token VAR_QNAME_MINIMISATION VAR_IP_FREEBIND VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG
 %token VAR_ACCESS_CONTROL_TAG VAR_LOCAL_ZONE_OVERRIDE
+%token VAR_ACCESS_CONTROL_TAG_ACTION VAR_ACCESS_CONTROL_TAG_DATA
 
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@@ -196,7 +197,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_permit_small_holddown | server_qname_minimisation |
 	server_ip_freebind | server_define_tag | server_local_zone_tag |
 	server_disable_dnssec_lame_check | server_access_control_tag |
-	server_local_zone_override
+	server_local_zone_override | server_access_control_tag_action |
+	server_access_control_tag_data
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -1353,6 +1355,30 @@ server_access_control_tag: VAR_ACCESS_CONTROL_TAG STRING_ARG STRING_ARG
 		}
 	}
 	;
+server_access_control_tag_action: VAR_ACCESS_CONTROL_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_access_control_tag_action:%s %s %s)\n", $2, $3, $4));
+		if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_actions,
+			$2, $3, $4)) {
+			yyerror("out of memory");
+			free($2);
+			free($3);
+			free($4);
+		}
+	}
+	;
+server_access_control_tag_data: VAR_ACCESS_CONTROL_TAG_DATA STRING_ARG STRING_ARG STRING_ARG
+	{
+		OUTYY(("P(server_access_control_tag_data:%s %s %s)\n", $2, $3, $4));
+		if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_datas,
+			$2, $3, $4)) {
+			yyerror("out of memory");
+			free($2);
+			free($3);
+			free($4);
+		}
+	}
+	;
 server_local_zone_override: VAR_LOCAL_ZONE_OVERRIDE STRING_ARG STRING_ARG STRING_ARG
 	{
 		OUTYY(("P(server_local_zone_override:%s %s %s)\n", $2, $3, $4));