upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2026-02-03 20:29:28 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Introduce ratelimit-backoff and ip-ratelimit-backoff options for more

Browse source 
aggressive rate limiting.
This commit is contained in:
George Thessalonikefs 2022-01-30 00:23:22 +01:00
parent f857af873e
commit 3086335724
13 changed files with 4153 additions and 4715 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
daemon/remote.c
View file

@ -2865,6 +2865,8 @@ struct ratelimit_list_arg {
int all;
/** current time */
time_t now;
/** if backoff is enabled */
int backoff;
};
#define ip_ratelimit_list_arg ratelimit_list_arg
@ -2878,7 +2880,7 @@ rate_list(struct lruhash_entry* e, void* arg)
struct rate_data* d = (struct rate_data*)e->data;
char buf[257];
int lim = infra_find_ratelimit(a->infra, k->name, k->namelen);
int max = infra_rate_max(d, a->now);
int max = infra_rate_max(d, a->now, a->backoff);
if(a->all == 0) {
if(max < lim)
return;
@ -2896,7 +2898,7 @@ ip_rate_list(struct lruhash_entry* e, void* arg)
struct ip_rate_key* k = (struct ip_rate_key*)e->key;
struct ip_rate_data* d = (struct ip_rate_data*)e->data;
int lim = infra_ip_ratelimit;
int max = infra_rate_max(d, a->now);
int max = infra_rate_max(d, a->now, a->backoff);
if(a->all == 0) {
if(max < lim)
return;
@ -2914,6 +2916,7 @@ do_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
a.infra = worker->env.infra_cache;
a.now = *worker->env.now;
a.ssl = ssl;
a.backoff = worker->env.cfg->ratelimit_backoff;
arg = skipwhite(arg);
if(strcmp(arg, "+a") == 0)
a.all = 1;
@ -2932,6 +2935,7 @@ do_ip_ratelimit_list(RES* ssl, struct worker* worker, char* arg)
a.infra = worker->env.infra_cache;
a.now = *worker->env.now;
a.ssl = ssl;
a.backoff = worker->env.cfg->ip_ratelimit_backoff;
arg = skipwhite(arg);
if(strcmp(arg, "+a") == 0)
a.all = 1;

3
daemon/worker.c
View file

@ -1167,7 +1167,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
/* check if this query should be dropped based on source ip rate limiting */
if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo,
*worker->env.now, c->buffer)) {
*worker->env.now,
worker->env.cfg->ip_ratelimit_backoff, c->buffer)) {
/* See if we are passed through with slip factor */
if(worker->env.cfg->ip_ratelimit_factor != 0 &&
ub_random_max(worker->env.rnd,

9
doc/unbound.conf.5.in
View file

@ -1671,6 +1671,15 @@ This can make ordinary queries complete (if repeatedly queried for),
and enter the cache, whilst also mitigating the traffic flow by the
factor given.
.TP 5
.B ratelimit\-backoff: \fI<yes or no>
If enabled, the ratelimit is treated as a hard failure instead of the default
maximum allowed constant rate. When the limit is reached, traffic is
ratelimited and demand continues to be kept track of for a 2 second rate
window. No traffic is allowed, except for ratelimit\-factor, until demand
decreases below the configured ratelimit for a 2 second rate window. Useful to
set ratelimit to a suspicious rate to aggressively limit unusually high
traffic. Default is off.
.TP 5
.B ratelimit\-for\-domain: \fI<domain> <number qps or 0>
Override the global ratelimit for an exact match domain name with the listed
number. You can give this for any number of names. For example, for

30
services/cache/infra.c vendored
View file

@ -934,20 +934,27 @@ static int* infra_rate_get_second(void* data, time_t t)
return infra_rate_find_second_or_none(data, t, 0);
}
int infra_rate_max(void* data, time_t now)
int infra_rate_max(void* data, time_t now, int backoff)
{
struct rate_data* d = (struct rate_data*)data;
int i, max = 0;
for(i=0; i<RATE_WINDOW; i++) {
if(now == d->timestamp[i]) {
return d->qps[i];
if(backoff) {
if(now-d->timestamp[i] <= RATE_WINDOW &&
d->qps[i] > max) {
max = d->qps[i];
}
} else {
if(now == d->timestamp[i]) {
return d->qps[i];
}
}
}
return max;
}
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow, struct query_info* qinfo,
size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
struct comm_reply* replylist)
{
int lim, max;
@ -964,10 +971,10 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
/* find or insert ratedata */
entry = infra_find_ratedata(infra, name, namelen, 1);
if(entry) {
int premax = infra_rate_max(entry->data, timenow);
int premax = infra_rate_max(entry->data, timenow, backoff);
int* cur = infra_rate_give_second(entry->data, timenow);
(*cur)++;
max = infra_rate_max(entry->data, timenow);
max = infra_rate_max(entry->data, timenow, backoff);
lock_rw_unlock(&entry->lock);
if(premax <= lim && max > lim) {
@ -1014,7 +1021,7 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
}
int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow)
size_t namelen, time_t timenow, int backoff)
{
struct lruhash_entry* entry;
int lim, max;
@ -1030,7 +1037,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
entry = infra_find_ratedata(infra, name, namelen, 0);
if(!entry)
return 0; /* not cached */
max = infra_rate_max(entry->data, timenow);
max = infra_rate_max(entry->data, timenow, backoff);
lock_rw_unlock(&entry->lock);
return (max >= lim);
@ -1047,7 +1054,8 @@ infra_get_mem(struct infra_cache* infra)
}
int infra_ip_ratelimit_inc(struct infra_cache* infra,
struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer)
struct comm_reply* repinfo, time_t timenow, int backoff,
struct sldns_buffer* buffer)
{
int max;
struct lruhash_entry* entry;
@ -1059,10 +1067,10 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra,
/* find or insert ratedata */
entry = infra_find_ip_ratedata(infra, repinfo, 1);
if(entry) {
int premax = infra_rate_max(entry->data, timenow);
int premax = infra_rate_max(entry->data, timenow, backoff);
int* cur = infra_rate_give_second(entry->data, timenow);
(*cur)++;
max = infra_rate_max(entry->data, timenow);
max = infra_rate_max(entry->data, timenow, backoff);
lock_rw_unlock(&entry->lock);
if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) {

14
services/cache/infra.h vendored
View file

@ -368,6 +368,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
* @param name: zone name
* @param namelen: zone name length
* @param timenow: what time it is now.
* @param backoff: if backoff is enabled.
* @param qinfo: for logging, query name.
* @param replylist: for logging, querier's address (if any).
* @return 1 if it could be incremented. 0 if the increment overshot the
@ -375,7 +376,7 @@ long long infra_get_host_rto(struct infra_cache* infra,
* Failures like alloc failures are not returned (probably as 1).
*/
int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow, struct query_info* qinfo,
size_t namelen, time_t timenow, int backoff, struct query_info* qinfo,
struct comm_reply* replylist);
/**
@ -398,13 +399,15 @@ void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name,
* @param name: zone name
* @param namelen: zone name length
* @param timenow: what time it is now.
* @param backoff: if backoff is enabled.
* @return true if exceeded.
*/
int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name,
size_t namelen, time_t timenow);
size_t namelen, time_t timenow, int backoff);
/** find the maximum rate stored. 0 if no information. */
int infra_rate_max(void* data, time_t now);
/** find the maximum rate stored. 0 if no information.
* When backoff is enabled look for the maximum in the whole RATE_WINDOW. */
int infra_rate_max(void* data, time_t now, int backoff);
/** find the ratelimit in qps for a domain. 0 if no limit for domain. */
int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
@ -415,11 +418,12 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name,
* @param infra: infra cache
* @param repinfo: information about client
* @param timenow: what time it is now.
* @param backoff: if backoff is enabled.
* @param buffer: with query for logging.
* @return 1 if it could be incremented. 0 if the increment overshot the
* ratelimit and the query should be dropped. */
int infra_ip_ratelimit_inc(struct infra_cache* infra,
struct comm_reply* repinfo, time_t timenow,
struct comm_reply* repinfo, time_t timenow, int backoff,
struct sldns_buffer* buffer);
/**

4
services/outside_network.c
View file

@ -3391,8 +3391,8 @@ outnet_serviced_query(struct outside_network* outnet,
if(check_ratelimit) {
timenow = *env->now;
if(!infra_ratelimit_inc(env->infra_cache, zone,
zonelen, timenow, &qstate->qinfo,
qstate->reply)) {
zonelen, timenow, env->cfg->ratelimit_backoff,
&qstate->qinfo, qstate->reply)) {
/* Can we pass through with slip factor? */
if(env->cfg->ratelimit_factor == 0 ||
ub_random_max(env->rnd,

8
util/config_file.c
View file

@ -328,9 +328,11 @@ config_create(void)
cfg->ratelimit_size = 4*1024*1024;
cfg->ratelimit_for_domain = NULL;
cfg->ratelimit_below_domain = NULL;
cfg->outbound_msg_retry = 5;
cfg->ip_ratelimit_factor = 10;
cfg->ratelimit_factor = 10;
cfg->ip_ratelimit_backoff = 0;
cfg->ratelimit_backoff = 0;
cfg->outbound_msg_retry = 5;
cfg->qname_minimisation = 1;
cfg->qname_minimisation_strict = 0;
cfg->shm_enable = 0;
@ -759,6 +761,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_POW2("ratelimit-slabs:", ratelimit_slabs)
else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor)
else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor)
else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff)
else S_YNO("ratelimit-backoff:", ratelimit_backoff)
else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry)
else S_SIZET_NONZERO("fast-server-num:", fast_server_num)
else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil)
@ -1211,6 +1215,8 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain)
else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor)
else O_DEC(opt, "ratelimit-factor", ratelimit_factor)
else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff)
else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff)
else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry)
else O_DEC(opt, "fast-server-num", fast_server_num)
else O_DEC(opt, "fast-server-permil", fast_server_permil)

9
util/config_file.h
View file

@ -565,6 +565,10 @@ struct config_file {
size_t ip_ratelimit_size;
/** ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ip_ratelimit_factor;
/** ratelimit backoff, when on, if the limit is reached it is
* considered an attack and it backs off until 'demand' decreases over
* the RATE_WINDOW. */
int ip_ratelimit_backoff;
/** ratelimit for domains. 0 is off, otherwise qps (unless overridden) */
int ratelimit;
@ -578,6 +582,11 @@ struct config_file {
struct config_str2list* ratelimit_below_domain;
/** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */
int ratelimit_factor;
/** ratelimit backoff, when on, if the limit is reached it is
* considered an attack and it backs off until 'demand' decreases over
* the RATE_WINDOW. */
int ratelimit_backoff;
/** number of retries on outgoing queries */
int outbound_msg_retry;
/** minimise outgoing QNAME and hide original QTYPE if possible */

3573
util/configlexer.c
View file

File diff suppressed because it is too large Load diff

2
util/configlexer.lex
View file

@ -502,6 +502,8 @@ ratelimit-for-domain{COLON} { YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) }
ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) }
ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) }
outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) }

4707
util/configparser.c
View file

File diff suppressed because it is too large Load diff

477
util/configparser.h
View file

@ -1,8 +1,8 @@
/* A Bison parser, made by GNU Bison 3.6.4. */
/* A Bison parser, made by GNU Bison 3.7.6. */
/* Bison interface for Yacc-like parsers in C
Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation,
Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation,
Inc.
This program is free software: you can redistribute it and/or modify
@ -16,7 +16,7 @@
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>. */
along with this program. If not, see <https://www.gnu.org/licenses/>. */
/* As a special exception, you may create a larger work that contains
part or all of the Bison parser skeleton and distribute that work
@ -257,126 +257,129 @@ extern int yydebug;
VAR_RATELIMIT_BELOW_DOMAIN = 458, /* VAR_RATELIMIT_BELOW_DOMAIN */
VAR_IP_RATELIMIT_FACTOR = 459, /* VAR_IP_RATELIMIT_FACTOR */
VAR_RATELIMIT_FACTOR = 460, /* VAR_RATELIMIT_FACTOR */
VAR_SEND_CLIENT_SUBNET = 461, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 462, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 463, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 464, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 465, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 466, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 467, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 468, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 469, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 470, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 471, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 472, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 473, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 474, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 475, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 476, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 477, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 478, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 479, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 480, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 481, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 482, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 483, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 484, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 485, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 486, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 487, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 488, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 489, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 490, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_SERVE_ORIGINAL_TTL = 491, /* VAR_SERVE_ORIGINAL_TTL */
VAR_FAKE_DSA = 492, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 493, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 494, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 495, /* VAR_HIDE_TRUSTANCHOR */
VAR_HIDE_HTTP_USER_AGENT = 496, /* VAR_HIDE_HTTP_USER_AGENT */
VAR_HTTP_USER_AGENT = 497, /* VAR_HTTP_USER_AGENT */
VAR_TRUST_ANCHOR_SIGNALING = 498, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 499, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 500, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 501, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 502, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 503, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 504, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 505, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 506, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 507, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 508, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 509, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 510, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 511, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 512, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 513, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 514, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_PAD_RESPONSES = 515, /* VAR_PAD_RESPONSES */
VAR_PAD_RESPONSES_BLOCK_SIZE = 516, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
VAR_PAD_QUERIES = 517, /* VAR_PAD_QUERIES */
VAR_PAD_QUERIES_BLOCK_SIZE = 518, /* VAR_PAD_QUERIES_BLOCK_SIZE */
VAR_IPSECMOD_ENABLED = 519, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 520, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 521, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 522, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 523, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 524, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 525, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 526, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 527, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 528, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 529, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 530, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 531, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 532, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 533, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 534, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 535, /* VAR_ZONEFILE */
VAR_MASTER = 536, /* VAR_MASTER */
VAR_URL = 537, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 538, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 539, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 540, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 541, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 542, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 543, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 544, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 545, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 546, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 547, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 548, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 549, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 550, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 551, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 552, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 553, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 554, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 555, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 556, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 557, /* VAR_TLS_USE_SNI */
VAR_IPSET = 558, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 559, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 560, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 561, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 562, /* VAR_RPZ */
VAR_TAGS = 563, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 564, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 565, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 566, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 567, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 568, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 569, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 570, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 571, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 572, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 573, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_CHECK = 574, /* VAR_ZONEMD_CHECK */
VAR_ZONEMD_REJECT_ABSENCE = 575, /* VAR_ZONEMD_REJECT_ABSENCE */
VAR_RPZ_SIGNAL_NXDOMAIN_RA = 576 /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */
VAR_IP_RATELIMIT_BACKOFF = 461, /* VAR_IP_RATELIMIT_BACKOFF */
VAR_RATELIMIT_BACKOFF = 462, /* VAR_RATELIMIT_BACKOFF */
VAR_SEND_CLIENT_SUBNET = 463, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 464, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 465, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 466, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 467, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 468, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 469, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 470, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 471, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 472, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 473, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 474, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 475, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 476, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 477, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 478, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 479, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 480, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 481, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 482, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 483, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 484, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 485, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 486, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 487, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 488, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 489, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 490, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 491, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 492, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_SERVE_ORIGINAL_TTL = 493, /* VAR_SERVE_ORIGINAL_TTL */
VAR_FAKE_DSA = 494, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 495, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 496, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 497, /* VAR_HIDE_TRUSTANCHOR */
VAR_HIDE_HTTP_USER_AGENT = 498, /* VAR_HIDE_HTTP_USER_AGENT */
VAR_HTTP_USER_AGENT = 499, /* VAR_HTTP_USER_AGENT */
VAR_TRUST_ANCHOR_SIGNALING = 500, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 501, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 502, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 503, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 504, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 505, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 506, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 507, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 508, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 509, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 510, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 511, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 512, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 513, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 514, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 515, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 516, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_PAD_RESPONSES = 517, /* VAR_PAD_RESPONSES */
VAR_PAD_RESPONSES_BLOCK_SIZE = 518, /* VAR_PAD_RESPONSES_BLOCK_SIZE */
VAR_PAD_QUERIES = 519, /* VAR_PAD_QUERIES */
VAR_PAD_QUERIES_BLOCK_SIZE = 520, /* VAR_PAD_QUERIES_BLOCK_SIZE */
VAR_IPSECMOD_ENABLED = 521, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 522, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 523, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 524, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 525, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 526, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 527, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 528, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 529, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 530, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 531, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 532, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 533, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 534, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 535, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 536, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 537, /* VAR_ZONEFILE */
VAR_MASTER = 538, /* VAR_MASTER */
VAR_URL = 539, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 540, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 541, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 542, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 543, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 544, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 545, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 546, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 547, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 548, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 549, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 550, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 551, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 552, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 553, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 554, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 555, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 556, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 557, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 558, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 559, /* VAR_TLS_USE_SNI */
VAR_IPSET = 560, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 561, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 562, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 563, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 564, /* VAR_RPZ */
VAR_TAGS = 565, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 566, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 567, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 568, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 569, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 570, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 571, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 572, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 573, /* VAR_EDNS_CLIENT_STRING_OPCODE */
VAR_NSID = 574, /* VAR_NSID */
VAR_ZONEMD_PERMISSIVE_MODE = 575, /* VAR_ZONEMD_PERMISSIVE_MODE */
VAR_ZONEMD_CHECK = 576, /* VAR_ZONEMD_CHECK */
VAR_ZONEMD_REJECT_ABSENCE = 577, /* VAR_ZONEMD_REJECT_ABSENCE */
VAR_RPZ_SIGNAL_NXDOMAIN_RA = 578 /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */
};
typedef enum yytokentype yytoken_kind_t;
#endif
/* Token kinds. */
#define YYEMPTY -2
#define YYEOF 0
#define YYerror 256
#define YYUNDEF 257
@ -583,122 +586,124 @@ extern int yydebug;
#define VAR_RATELIMIT_BELOW_DOMAIN 458
#define VAR_IP_RATELIMIT_FACTOR 459
#define VAR_RATELIMIT_FACTOR 460
#define VAR_SEND_CLIENT_SUBNET 461
#define VAR_CLIENT_SUBNET_ZONE 462
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 463
#define VAR_CLIENT_SUBNET_OPCODE 464
#define VAR_MAX_CLIENT_SUBNET_IPV4 465
#define VAR_MAX_CLIENT_SUBNET_IPV6 466
#define VAR_MIN_CLIENT_SUBNET_IPV4 467
#define VAR_MIN_CLIENT_SUBNET_IPV6 468
#define VAR_MAX_ECS_TREE_SIZE_IPV4 469
#define VAR_MAX_ECS_TREE_SIZE_IPV6 470
#define VAR_CAPS_WHITELIST 471
#define VAR_CACHE_MAX_NEGATIVE_TTL 472
#define VAR_PERMIT_SMALL_HOLDDOWN 473
#define VAR_QNAME_MINIMISATION 474
#define VAR_QNAME_MINIMISATION_STRICT 475
#define VAR_IP_FREEBIND 476
#define VAR_DEFINE_TAG 477
#define VAR_LOCAL_ZONE_TAG 478
#define VAR_ACCESS_CONTROL_TAG 479
#define VAR_LOCAL_ZONE_OVERRIDE 480
#define VAR_ACCESS_CONTROL_TAG_ACTION 481
#define VAR_ACCESS_CONTROL_TAG_DATA 482
#define VAR_VIEW 483
#define VAR_ACCESS_CONTROL_VIEW 484
#define VAR_VIEW_FIRST 485
#define VAR_SERVE_EXPIRED 486
#define VAR_SERVE_EXPIRED_TTL 487
#define VAR_SERVE_EXPIRED_TTL_RESET 488
#define VAR_SERVE_EXPIRED_REPLY_TTL 489
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 490
#define VAR_SERVE_ORIGINAL_TTL 491
#define VAR_FAKE_DSA 492
#define VAR_FAKE_SHA1 493
#define VAR_LOG_IDENTITY 494
#define VAR_HIDE_TRUSTANCHOR 495
#define VAR_HIDE_HTTP_USER_AGENT 496
#define VAR_HTTP_USER_AGENT 497
#define VAR_TRUST_ANCHOR_SIGNALING 498
#define VAR_AGGRESSIVE_NSEC 499
#define VAR_USE_SYSTEMD 500
#define VAR_SHM_ENABLE 501
#define VAR_SHM_KEY 502
#define VAR_ROOT_KEY_SENTINEL 503
#define VAR_DNSCRYPT 504
#define VAR_DNSCRYPT_ENABLE 505
#define VAR_DNSCRYPT_PORT 506
#define VAR_DNSCRYPT_PROVIDER 507
#define VAR_DNSCRYPT_SECRET_KEY 508
#define VAR_DNSCRYPT_PROVIDER_CERT 509
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 510
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 511
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 512
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 513
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 514
#define VAR_PAD_RESPONSES 515
#define VAR_PAD_RESPONSES_BLOCK_SIZE 516
#define VAR_PAD_QUERIES 517
#define VAR_PAD_QUERIES_BLOCK_SIZE 518
#define VAR_IPSECMOD_ENABLED 519
#define VAR_IPSECMOD_HOOK 520
#define VAR_IPSECMOD_IGNORE_BOGUS 521
#define VAR_IPSECMOD_MAX_TTL 522
#define VAR_IPSECMOD_WHITELIST 523
#define VAR_IPSECMOD_STRICT 524
#define VAR_CACHEDB 525
#define VAR_CACHEDB_BACKEND 526
#define VAR_CACHEDB_SECRETSEED 527
#define VAR_CACHEDB_REDISHOST 528
#define VAR_CACHEDB_REDISPORT 529
#define VAR_CACHEDB_REDISTIMEOUT 530
#define VAR_CACHEDB_REDISEXPIRERECORDS 531
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 532
#define VAR_FOR_UPSTREAM 533
#define VAR_AUTH_ZONE 534
#define VAR_ZONEFILE 535
#define VAR_MASTER 536
#define VAR_URL 537
#define VAR_FOR_DOWNSTREAM 538
#define VAR_FALLBACK_ENABLED 539
#define VAR_TLS_ADDITIONAL_PORT 540
#define VAR_LOW_RTT 541
#define VAR_LOW_RTT_PERMIL 542
#define VAR_FAST_SERVER_PERMIL 543
#define VAR_FAST_SERVER_NUM 544
#define VAR_ALLOW_NOTIFY 545
#define VAR_TLS_WIN_CERT 546
#define VAR_TCP_CONNECTION_LIMIT 547
#define VAR_FORWARD_NO_CACHE 548
#define VAR_STUB_NO_CACHE 549
#define VAR_LOG_SERVFAIL 550
#define VAR_DENY_ANY 551
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 552
#define VAR_LOG_TAG_QUERYREPLY 553
#define VAR_STREAM_WAIT_SIZE 554
#define VAR_TLS_CIPHERS 555
#define VAR_TLS_CIPHERSUITES 556
#define VAR_TLS_USE_SNI 557
#define VAR_IPSET 558
#define VAR_IPSET_NAME_V4 559
#define VAR_IPSET_NAME_V6 560
#define VAR_TLS_SESSION_TICKET_KEYS 561
#define VAR_RPZ 562
#define VAR_TAGS 563
#define VAR_RPZ_ACTION_OVERRIDE 564
#define VAR_RPZ_CNAME_OVERRIDE 565
#define VAR_RPZ_LOG 566
#define VAR_RPZ_LOG_NAME 567
#define VAR_DYNLIB 568
#define VAR_DYNLIB_FILE 569
#define VAR_EDNS_CLIENT_STRING 570
#define VAR_EDNS_CLIENT_STRING_OPCODE 571
#define VAR_NSID 572
#define VAR_ZONEMD_PERMISSIVE_MODE 573
#define VAR_ZONEMD_CHECK 574
#define VAR_ZONEMD_REJECT_ABSENCE 575
#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 576
#define VAR_IP_RATELIMIT_BACKOFF 461
#define VAR_RATELIMIT_BACKOFF 462
#define VAR_SEND_CLIENT_SUBNET 463
#define VAR_CLIENT_SUBNET_ZONE 464
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 465
#define VAR_CLIENT_SUBNET_OPCODE 466
#define VAR_MAX_CLIENT_SUBNET_IPV4 467
#define VAR_MAX_CLIENT_SUBNET_IPV6 468
#define VAR_MIN_CLIENT_SUBNET_IPV4 469
#define VAR_MIN_CLIENT_SUBNET_IPV6 470
#define VAR_MAX_ECS_TREE_SIZE_IPV4 471
#define VAR_MAX_ECS_TREE_SIZE_IPV6 472
#define VAR_CAPS_WHITELIST 473
#define VAR_CACHE_MAX_NEGATIVE_TTL 474
#define VAR_PERMIT_SMALL_HOLDDOWN 475
#define VAR_QNAME_MINIMISATION 476
#define VAR_QNAME_MINIMISATION_STRICT 477
#define VAR_IP_FREEBIND 478
#define VAR_DEFINE_TAG 479
#define VAR_LOCAL_ZONE_TAG 480
#define VAR_ACCESS_CONTROL_TAG 481
#define VAR_LOCAL_ZONE_OVERRIDE 482
#define VAR_ACCESS_CONTROL_TAG_ACTION 483
#define VAR_ACCESS_CONTROL_TAG_DATA 484
#define VAR_VIEW 485
#define VAR_ACCESS_CONTROL_VIEW 486
#define VAR_VIEW_FIRST 487
#define VAR_SERVE_EXPIRED 488
#define VAR_SERVE_EXPIRED_TTL 489
#define VAR_SERVE_EXPIRED_TTL_RESET 490
#define VAR_SERVE_EXPIRED_REPLY_TTL 491
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 492
#define VAR_SERVE_ORIGINAL_TTL 493
#define VAR_FAKE_DSA 494
#define VAR_FAKE_SHA1 495
#define VAR_LOG_IDENTITY 496
#define VAR_HIDE_TRUSTANCHOR 497
#define VAR_HIDE_HTTP_USER_AGENT 498
#define VAR_HTTP_USER_AGENT 499
#define VAR_TRUST_ANCHOR_SIGNALING 500
#define VAR_AGGRESSIVE_NSEC 501
#define VAR_USE_SYSTEMD 502
#define VAR_SHM_ENABLE 503
#define VAR_SHM_KEY 504
#define VAR_ROOT_KEY_SENTINEL 505
#define VAR_DNSCRYPT 506
#define VAR_DNSCRYPT_ENABLE 507
#define VAR_DNSCRYPT_PORT 508
#define VAR_DNSCRYPT_PROVIDER 509
#define VAR_DNSCRYPT_SECRET_KEY 510
#define VAR_DNSCRYPT_PROVIDER_CERT 511
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 512
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 513
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 514
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 515
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 516
#define VAR_PAD_RESPONSES 517
#define VAR_PAD_RESPONSES_BLOCK_SIZE 518
#define VAR_PAD_QUERIES 519
#define VAR_PAD_QUERIES_BLOCK_SIZE 520
#define VAR_IPSECMOD_ENABLED 521
#define VAR_IPSECMOD_HOOK 522
#define VAR_IPSECMOD_IGNORE_BOGUS 523
#define VAR_IPSECMOD_MAX_TTL 524
#define VAR_IPSECMOD_WHITELIST 525
#define VAR_IPSECMOD_STRICT 526
#define VAR_CACHEDB 527
#define VAR_CACHEDB_BACKEND 528
#define VAR_CACHEDB_SECRETSEED 529
#define VAR_CACHEDB_REDISHOST 530
#define VAR_CACHEDB_REDISPORT 531
#define VAR_CACHEDB_REDISTIMEOUT 532
#define VAR_CACHEDB_REDISEXPIRERECORDS 533
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 534
#define VAR_FOR_UPSTREAM 535
#define VAR_AUTH_ZONE 536
#define VAR_ZONEFILE 537
#define VAR_MASTER 538
#define VAR_URL 539
#define VAR_FOR_DOWNSTREAM 540
#define VAR_FALLBACK_ENABLED 541
#define VAR_TLS_ADDITIONAL_PORT 542
#define VAR_LOW_RTT 543
#define VAR_LOW_RTT_PERMIL 544
#define VAR_FAST_SERVER_PERMIL 545
#define VAR_FAST_SERVER_NUM 546
#define VAR_ALLOW_NOTIFY 547
#define VAR_TLS_WIN_CERT 548
#define VAR_TCP_CONNECTION_LIMIT 549
#define VAR_FORWARD_NO_CACHE 550
#define VAR_STUB_NO_CACHE 551
#define VAR_LOG_SERVFAIL 552
#define VAR_DENY_ANY 553
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 554
#define VAR_LOG_TAG_QUERYREPLY 555
#define VAR_STREAM_WAIT_SIZE 556
#define VAR_TLS_CIPHERS 557
#define VAR_TLS_CIPHERSUITES 558
#define VAR_TLS_USE_SNI 559
#define VAR_IPSET 560
#define VAR_IPSET_NAME_V4 561
#define VAR_IPSET_NAME_V6 562
#define VAR_TLS_SESSION_TICKET_KEYS 563
#define VAR_RPZ 564
#define VAR_TAGS 565
#define VAR_RPZ_ACTION_OVERRIDE 566
#define VAR_RPZ_CNAME_OVERRIDE 567
#define VAR_RPZ_LOG 568
#define VAR_RPZ_LOG_NAME 569
#define VAR_DYNLIB 570
#define VAR_DYNLIB_FILE 571
#define VAR_EDNS_CLIENT_STRING 572
#define VAR_EDNS_CLIENT_STRING_OPCODE 573
#define VAR_NSID 574
#define VAR_ZONEMD_PERMISSIVE_MODE 575
#define VAR_ZONEMD_CHECK 576
#define VAR_ZONEMD_REJECT_ABSENCE 577
#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 578
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -708,7 +713,7 @@ union YYSTYPE
char* str;
#line 712 "util/configparser.h"
#line 717 "util/configparser.h"
};
typedef union YYSTYPE YYSTYPE;

24
util/configparser.y
View file

@ -142,6 +142,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_OUTBOUND_MSG_RETRY
%token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
%token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
%token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF
%token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
%token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
%token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
@ -272,7 +273,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ip_ratelimit_size | server_ratelimit_size |
server_ratelimit_for_domain |
server_ratelimit_below_domain | server_ratelimit_factor |
server_ip_ratelimit_factor | server_outbound_msg_retry |
server_ip_ratelimit_factor | server_ratelimit_backoff |
server_ip_ratelimit_backoff | server_outbound_msg_retry |
server_send_client_subnet | server_client_subnet_zone |
server_client_subnet_always_forward | server_client_subnet_opcode |
server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
@ -2504,6 +2506,26 @@ server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG
free($2);
}
;
server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG
{
OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->ip_ratelimit_backoff =
(strcmp($2, "yes")==0);
free($2);
}
;
server_ratelimit_backoff: VAR_RATELIMIT_BACKOFF STRING_ARG
{
OUTYY(("P(server_ratelimit_backoff:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->ratelimit_backoff =
(strcmp($2, "yes")==0);
free($2);
}
;
server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG
{
OUTYY(("P(server_outbound_msg_retry:%s)\n", $2));