upstream/unbound
1
0
Fork 0
mirror of https://github.com/NLnetLabs/unbound.git synced 2025-12-20 23:00:56 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

- Fixed contrib/fastrpz.patch, even though this already applied

Browse source 
cleanly for me, now also for others.


git-svn-id: file:///svn/unbound/trunk@4565 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards 2018-03-07 08:32:14 +00:00
parent 5c8819f1ac
commit 3a69cf5c69
2 changed files with 141 additions and 179 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

312
contrib/fastrpz.patch
View file

@ -1,10 +1,15 @@
Description: based on the included patch contrib/fastrpz.patch
Author: fastrpz@farsightsecurity.com
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
===================================================================
RCS file: ./RCS/Makefile.in,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./Makefile.in
--- ./Makefile.in
+++ ./Makefile.in
@@ -23,6 +23,8 @@
Index: unbound-1.7.0~rc1/Makefile.in
===================================================================
--- unbound-1.7.0~rc1.orig/Makefile.in
+++ unbound-1.7.0~rc1/Makefile.in
@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
DNSTAP_SRC=@DNSTAP_SRC@
DNSTAP_OBJ=@DNSTAP_OBJ@
@ -13,7 +18,7 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
DNSCRYPT_SRC=@DNSCRYPT_SRC@
DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
@@ -125,7 +127,7 @@
@@ -125,7 +127,7 @@ validator/val_sigcrypt.c validator/val_u
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
@ -22,7 +27,7 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
@@ -137,7 +139,7 @@
@@ -137,7 +139,7 @@ slabhash.lo timehist.lo tube.lo winsock_
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
@ -31,7 +36,7 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
@@ -398,6 +401,11 @@
@@ -400,6 +402,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscry
$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h
@ -43,13 +48,11 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
# Python Module
pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
pythonmod/interface.h \
Index: unbound-1.7.0~rc1/config.h.in
===================================================================
RCS file: ./RCS/config.h.in,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./config.h.in
--- ./config.h.in
+++ ./config.h.in
@@ -1199,4 +1199,11 @@
--- unbound-1.7.0~rc1.orig/config.h.in
+++ unbound-1.7.0~rc1/config.h.in
@@ -1228,4 +1228,11 @@ void *unbound_stat_realloc_log(void *ptr
/** the version of unbound-control that this software implements */
#define UNBOUND_CONTROL_VERSION 1
@ -62,13 +65,11 @@ diff -u --unidirectional-new-file -r1.1 ./config.h.in
+#undef FASTRPZ_LIB_OPEN
+/** turn on fastrpz response policy zones */
+#undef ENABLE_FASTRPZ
Index: unbound-1.7.0~rc1/configure.ac
===================================================================
RCS file: ./RCS/configure.ac,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./configure.ac
--- ./configure.ac
+++ ./configure.ac
@@ -6,6 +6,7 @@
--- unbound-1.7.0~rc1.orig/configure.ac
+++ unbound-1.7.0~rc1/configure.ac
@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
sinclude(acx_python.m4)
sinclude(ac_pkg_swig.m4)
sinclude(dnstap/dnstap.m4)
@ -76,7 +77,7 @@ diff -u --unidirectional-new-file -r1.1 ./configure.ac
sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
@@ -1352,6 +1353,9 @@
@@ -1453,6 +1454,9 @@ case "$enable_ipsecmod" in
;;
esac
@ -86,13 +87,11 @@ diff -u --unidirectional-new-file -r1.1 ./configure.ac
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
Index: unbound-1.7.0~rc1/daemon/daemon.c
===================================================================
RCS file: ./daemon/RCS/daemon.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
--- ./daemon/daemon.c
+++ ./daemon/daemon.c
@@ -89,6 +89,9 @@
--- unbound-1.7.0~rc1.orig/daemon/daemon.c
+++ unbound-1.7.0~rc1/daemon/daemon.c
@@ -90,6 +90,9 @@
#include "sldns/keyraw.h"
#include "respip/respip.h"
#include <signal.h>
@ -102,7 +101,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
@@ -451,6 +454,14 @@
@@ -461,6 +464,14 @@ daemon_create_workers(struct daemon* dae
fatal_exit("dnstap enabled in config but not built with dnstap support");
#endif
}
@ -117,9 +116,9 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
for(i=0; i<daemon->num; i++) {
if(!(daemon->workers[i] = worker_create(daemon, i,
shufport+numport*i/daemon->num,
@@ -691,6 +702,9 @@
#ifdef USE_DNSTAP
dt_delete(daemon->dtenv);
@@ -710,6 +721,9 @@ daemon_cleanup(struct daemon* daemon)
#ifdef USE_DNSCRYPT
dnsc_delete(daemon->dnscenv);
#endif
+#ifdef ENABLE_FASTRPZ
+ rpz_delete(&daemon->rpz_clist, &daemon->rpz_client);
@ -127,13 +126,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
daemon->cfg = NULL;
}
Index: unbound-1.7.0~rc1/daemon/daemon.h
===================================================================
RCS file: ./daemon/RCS/daemon.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h
--- ./daemon/daemon.h
+++ ./daemon/daemon.h
@@ -134,6 +134,11 @@
--- unbound-1.7.0~rc1.orig/daemon/daemon.h
+++ unbound-1.7.0~rc1/daemon/daemon.h
@@ -134,6 +134,11 @@ struct daemon {
/** the dnscrypt environment */
struct dnsc_env* dnscenv;
#endif
@ -145,13 +142,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h
};
/**
Index: unbound-1.7.0~rc1/daemon/worker.c
===================================================================
RCS file: ./daemon/RCS/worker.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
--- ./daemon/worker.c
+++ ./daemon/worker.c
@@ -73,6 +73,9 @@
--- unbound-1.7.0~rc1.orig/daemon/worker.c
+++ unbound-1.7.0~rc1/daemon/worker.c
@@ -74,6 +74,9 @@
#include "libunbound/context.h"
#include "libunbound/libworker.h"
#include "sldns/sbuffer.h"
@ -161,7 +156,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
#include "sldns/wire2str.h"
#include "util/shm_side/shm_main.h"
#include "dnscrypt/dnscrypt.h"
@@ -526,8 +529,27 @@
@@ -527,8 +530,27 @@ answer_norec_from_cache(struct worker* w
/* not secure */
secure = 0;
break;
@ -189,7 +184,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
/* return this delegation from the cache */
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -688,6 +710,23 @@
@@ -689,6 +711,23 @@ answer_from_cache(struct worker* worker,
secure = 0;
}
} else secure = 0;
@ -213,7 +208,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
@@ -1267,6 +1306,15 @@
@@ -1291,6 +1330,15 @@ worker_handle_request(struct comm_point*
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
&repinfo->addr, repinfo->addrlen);
goto send_reply;
@ -229,7 +224,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
}
/* If we've found a local alias, replace the qname with the alias
@@ -1315,12 +1363,21 @@
@@ -1339,12 +1387,21 @@ lookup_cache:
h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
/* answer from cache - we have acquired a readlock on it */
@ -253,7 +248,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
/* prefetch it if the prefetch TTL expired.
* Note that if there is more than one pass
* its qname must be that used for cache
@@ -1371,11 +1428,19 @@
@@ -1398,11 +1455,19 @@ lookup_cache:
lock_rw_unlock(&e->lock);
}
if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
@ -275,13 +270,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
goto send_reply;
}
verbose(VERB_ALGO, "answer norec from cache -- "
Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in
===================================================================
RCS file: ./doc/RCS/unbound.conf.5.in,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in
--- ./doc/unbound.conf.5.in
+++ ./doc/unbound.conf.5.in
@@ -1446,6 +1446,81 @@
--- unbound-1.7.0~rc1.orig/doc/unbound.conf.5.in
+++ unbound-1.7.0~rc1/doc/unbound.conf.5.in
@@ -1581,6 +1581,81 @@ It must be /96 or shorter. The default
.B dns64\-synthall: \fI<yes or no>\fR
Debug option, default no. If enabled, synthesize all AAAA records
despite the presence of actual AAAA records.
@ -363,12 +356,10 @@ diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in
.SS "DNSCrypt Options"
.LP
The
Index: unbound-1.7.0~rc1/fastrpz/librpz.h
===================================================================
RCS file: ./fastrpz/RCS/librpz.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h
--- ./fastrpz/librpz.h
+++ ./fastrpz/librpz.h
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/librpz.h
@@ -0,0 +1,957 @@
+/*
+ * Define the interface from a DNS resolver to the Response Policy Zone
@ -1327,12 +1318,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h
+#endif /* LIBRPZ_LIB_OPEN */
+
+#endif /* LIBRPZ_H */
Index: unbound-1.7.0~rc1/fastrpz/rpz.c
===================================================================
RCS file: ./fastrpz/RCS/rpz.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c
--- ./fastrpz/rpz.c
+++ ./fastrpz/rpz.c
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/rpz.c
@@ -0,0 +1,1357 @@
+/*
+ * fastrpz/rpz.c - interface to the fastrpz response policy zone library
@ -2691,12 +2680,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c
+}
+
+#endif /* ENABLE_FASTRPZ */
Index: unbound-1.7.0~rc1/fastrpz/rpz.h
===================================================================
RCS file: ./fastrpz/RCS/rpz.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h
--- ./fastrpz/rpz.h
+++ ./fastrpz/rpz.h
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/rpz.h
@@ -0,0 +1,138 @@
+/*
+ * fastrpz/rpz.h - interface to the fastrpz response policy zone library
@ -2836,12 +2823,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h
+
+#endif /* ENABLE_FASTRPZ */
+#endif /* UNBOUND_FASTRPZ_RPZ_H */
Index: unbound-1.7.0~rc1/fastrpz/rpz.m4
===================================================================
RCS file: ./fastrpz/RCS/rpz.m4,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4
--- ./fastrpz/rpz.m4
+++ ./fastrpz/rpz.m4
--- /dev/null
+++ unbound-1.7.0~rc1/fastrpz/rpz.m4
@@ -0,0 +1,64 @@
+# fastrpz/rpz.m4
+
@ -2907,13 +2892,11 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4
+ AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])
+ fi
+])
Index: unbound-1.7.0~rc1/iterator/iterator.c
===================================================================
RCS file: ./iterator/RCS/iterator.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
--- ./iterator/iterator.c
+++ ./iterator/iterator.c
@@ -67,6 +67,9 @@
--- unbound-1.7.0~rc1.orig/iterator/iterator.c
+++ unbound-1.7.0~rc1/iterator/iterator.c
@@ -68,6 +68,9 @@
#include "sldns/str2wire.h"
#include "sldns/parseutil.h"
#include "sldns/sbuffer.h"
@ -2923,7 +2906,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
int
iter_init(struct module_env* env, int id)
@@ -487,6 +490,23 @@
@@ -511,6 +514,23 @@ handle_cname_response(struct module_qsta
if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
query_dname_compare(*mname, r->rk.dname) == 0 &&
!iter_find_rrset_in_prepend_answer(iq, r)) {
@ -2947,7 +2930,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
/* Add this relevant CNAME rrset to the prepend list.*/
if(!iter_add_prepend_answer(qstate, iq, r))
return 0;
@@ -495,6 +515,9 @@
@@ -519,6 +539,9 @@ handle_cname_response(struct module_qsta
/* Other rrsets in the section are ignored. */
}
@ -2957,7 +2940,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
msg->rep->ns_numrrsets; i++) {
@@ -996,6 +1019,7 @@
@@ -1148,6 +1171,7 @@ processInitRequest(struct module_qstate*
uint8_t* delname;
size_t delnamelen;
struct dns_msg* msg = NULL;
@ -2965,7 +2948,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
/* check effort */
@@ -1056,8 +1080,7 @@
@@ -1223,8 +1247,7 @@ processInitRequest(struct module_qstate*
}
if(msg) {
/* handle positive cache response */
@ -2975,7 +2958,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
if(verbosity >= VERB_ALGO) {
log_dns_msg("msg from cache lookup", &msg->qinfo,
msg->rep);
@@ -1065,7 +1088,22 @@
@@ -1232,7 +1255,22 @@ processInitRequest(struct module_qstate*
(int)msg->rep->ttl,
(int)msg->rep->prefetch_ttl);
}
@ -2998,7 +2981,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
if(type == RESPONSE_TYPE_CNAME) {
uint8_t* sname = 0;
size_t slen = 0;
@@ -2321,6 +2359,62 @@
@@ -2552,6 +2590,62 @@ processQueryResponse(struct module_qstat
sock_list_insert(&qstate->reply_origin,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
@ -3061,7 +3044,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
LDNS_RCODE_NOERROR) {
@@ -3022,12 +3116,44 @@
@@ -3273,12 +3367,44 @@ processFinished(struct module_qstate* qs
* but only if we did recursion. The nonrecursion referral
* from cache does not need to be stored in the msg cache. */
if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@ -3106,13 +3089,11 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = iq->response;
return 0;
Index: unbound-1.7.0~rc1/iterator/iterator.h
===================================================================
RCS file: ./iterator/RCS/iterator.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h
--- ./iterator/iterator.h
+++ ./iterator/iterator.h
@@ -381,6 +381,16 @@
--- unbound-1.7.0~rc1.orig/iterator/iterator.h
+++ unbound-1.7.0~rc1/iterator/iterator.h
@@ -383,6 +383,16 @@ struct iter_qstate {
*/
int minimise_count;
@ -3129,14 +3110,12 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h
/**
* Count number of time-outs. Used to prevent resolving failures when
* the QNAME minimisation QTYPE is blocked. */
Index: unbound-1.7.0~rc1/services/cache/dns.c
===================================================================
RCS file: ./services/cache/RCS/dns.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c
--- ./services/cache/dns.c
+++ ./services/cache/dns.c
@@ -838,6 +838,14 @@
struct regional* region, uint16_t flags)
--- unbound-1.7.0~rc1.orig/services/cache/dns.c
+++ unbound-1.7.0~rc1/services/cache/dns.c
@@ -876,6 +876,14 @@ dns_cache_store(struct module_env* env,
struct regional* region, uint32_t flags)
{
struct reply_info* rep = NULL;
+
@ -3150,12 +3129,10 @@ diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c
/* alloc, malloc properly (not in region, like msg is) */
rep = reply_info_copy(msgrep, env->alloc, NULL);
if(!rep)
Index: unbound-1.7.0~rc1/services/mesh.c
===================================================================
RCS file: ./services/RCS/mesh.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
--- ./services/mesh.c
+++ ./services/mesh.c
--- unbound-1.7.0~rc1.orig/services/mesh.c
+++ unbound-1.7.0~rc1/services/mesh.c
@@ -59,6 +59,9 @@
#include "sldns/wire2str.h"
#include "services/localzone.h"
@ -3166,7 +3143,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
#include "respip/respip.h"
/** subtract timers and the values do not overflow or become negative */
@@ -1011,6 +1014,13 @@
@@ -1050,6 +1053,13 @@ mesh_send_reply(struct mesh_state* m, in
else secure = 0;
if(!rep && rcode == LDNS_RCODE_NOERROR)
rcode = LDNS_RCODE_SERVFAIL;
@ -3180,7 +3157,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
/* send the reply */
/* We don't reuse the encoded answer if either the previous or current
* response has a local alias. We could compare the alias records
@@ -1160,6 +1170,7 @@
@@ -1199,6 +1209,7 @@ struct mesh_state* mesh_area_find(struct
key.s.is_valrec = valrec;
key.s.qinfo = *qinfo;
key.s.query_flags = qflags;
@ -3188,7 +3165,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
/* We are searching for a similar mesh state when we DO want to
* aggregate the state. Thus unique is set to NULL. (default when we
* desire aggregation).*/
@@ -1206,6 +1217,10 @@
@@ -1245,6 +1256,10 @@ int mesh_state_add_reply(struct mesh_sta
if(!r)
return 0;
r->query_reply = *rep;
@ -3199,13 +3176,11 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
r->edns = *edns;
if(edns->opt_list) {
r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
Index: unbound-1.7.0~rc1/util/config_file.c
===================================================================
RCS file: ./util/RCS/config_file.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/config_file.c
--- ./util/config_file.c
+++ ./util/config_file.c
@@ -1167,6 +1167,8 @@
--- unbound-1.7.0~rc1.orig/util/config_file.c
+++ unbound-1.7.0~rc1/util/config_file.c
@@ -1323,6 +1323,8 @@ config_delete(struct config_file* cfg)
free(cfg->dnstap_socket_path);
free(cfg->dnstap_identity);
free(cfg->dnstap_version);
@ -3213,14 +3188,12 @@ diff -u --unidirectional-new-file -r1.1 ./util/config_file.c
+ free(cfg->rpz_cstr);
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
free(cfg);
#ifdef USE_IPSECMOD
Index: unbound-1.7.0~rc1/util/config_file.h
===================================================================
RCS file: ./util/RCS/config_file.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/config_file.h
--- ./util/config_file.h
+++ ./util/config_file.h
@@ -416,6 +416,11 @@
--- unbound-1.7.0~rc1.orig/util/config_file.h
+++ unbound-1.7.0~rc1/util/config_file.h
@@ -431,6 +431,11 @@ struct config_file {
/** true to disable DNSSEC lameness check in iterator */
int disable_dnssec_lame_check;
@ -3232,13 +3205,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/config_file.h
/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
int ip_ratelimit;
/** number of slabs for ip_ratelimit cache */
Index: unbound-1.7.0~rc1/util/configlexer.lex
===================================================================
RCS file: ./util/RCS/configlexer.lex,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex
--- ./util/configlexer.lex
+++ ./util/configlexer.lex
@@ -395,6 +395,10 @@
--- unbound-1.7.0~rc1.orig/util/configlexer.lex
+++ unbound-1.7.0~rc1/util/configlexer.lex
@@ -412,6 +412,10 @@ dnstap-log-forwarder-query-messages{COLO
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
dnstap-log-forwarder-response-messages{COLON} {
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@ -3249,13 +3220,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex
disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
Index: unbound-1.7.0~rc1/util/configparser.y
===================================================================
RCS file: ./util/RCS/configparser.y,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
--- ./util/configparser.y
+++ ./util/configparser.y
@@ -124,6 +124,7 @@
--- unbound-1.7.0~rc1.orig/util/configparser.y
+++ unbound-1.7.0~rc1/util/configparser.y
@@ -124,6 +124,7 @@ extern struct config_parser_state* cfg_p
%token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
%token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
%token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
@ -3263,7 +3232,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
%token VAR_DISABLE_DNSSEC_LAME_CHECK
@@ -158,7 +159,7 @@
@@ -158,7 +159,7 @@ extern struct config_parser_state* cfg_p
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -3272,7 +3241,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
forwardstart contents_forward | pythonstart contents_py |
rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
dnscstart contents_dnsc | cachedbstart contents_cachedb |
@@ -2160,6 +2161,50 @@
@@ -2384,6 +2385,50 @@ dt_dnstap_log_forwarder_response_message
(strcmp($2, "yes")==0);
}
;
@ -3323,13 +3292,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
pythonstart: VAR_PYTHON
{
OUTYY(("\nP(python:)\n"));
Index: unbound-1.7.0~rc1/util/data/msgencode.c
===================================================================
RCS file: ./util/data/RCS/msgencode.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
--- ./util/data/msgencode.c
+++ ./util/data/msgencode.c
@@ -585,6 +585,35 @@
--- unbound-1.7.0~rc1.orig/util/data/msgencode.c
+++ unbound-1.7.0~rc1/util/data/msgencode.c
@@ -585,6 +585,35 @@ insert_section(struct reply_info* rep, s
return RETVAL_OK;
}
@ -3365,7 +3332,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
/** store query section in wireformat buffer, return RETVAL */
static int
insert_query(struct query_info* qinfo, struct compress_tree_node** tree,
@@ -748,6 +777,19 @@
@@ -750,6 +779,19 @@ reply_info_encode(struct query_info* qin
return 0;
}
sldns_buffer_write_u16_at(buffer, 10, arcount);
@ -3385,13 +3352,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
}
sldns_buffer_flip(buffer);
return 1;
Index: unbound-1.7.0~rc1/util/data/packed_rrset.c
===================================================================
RCS file: ./util/data/RCS/packed_rrset.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c
--- ./util/data/packed_rrset.c
+++ ./util/data/packed_rrset.c
@@ -254,6 +254,10 @@
--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.c
+++ unbound-1.7.0~rc1/util/data/packed_rrset.c
@@ -254,6 +254,10 @@ sec_status_to_string(enum sec_status s)
case sec_status_indeterminate: return "sec_status_indeterminate";
case sec_status_insecure: return "sec_status_insecure";
case sec_status_secure: return "sec_status_secure";
@ -3402,13 +3367,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c
}
return "unknown_sec_status_value";
}
Index: unbound-1.7.0~rc1/util/data/packed_rrset.h
===================================================================
RCS file: ./util/data/RCS/packed_rrset.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h
--- ./util/data/packed_rrset.h
+++ ./util/data/packed_rrset.h
@@ -189,7 +189,15 @@
--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.h
+++ unbound-1.7.0~rc1/util/data/packed_rrset.h
@@ -189,7 +189,15 @@ enum sec_status {
sec_status_insecure,
/** SECURE means that the object (RRset or message) validated
* according to local policy. */
@ -3425,12 +3388,10 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h
};
/**
Index: unbound-1.7.0~rc1/util/netevent.c
===================================================================
RCS file: ./util/RCS/netevent.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
--- ./util/netevent.c
+++ ./util/netevent.c
--- unbound-1.7.0~rc1.orig/util/netevent.c
+++ unbound-1.7.0~rc1/util/netevent.c
@@ -54,6 +54,9 @@
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
@ -3441,7 +3402,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
/* -------- Start of local definitions -------- */
/** if CMSG_ALIGN is not defined on this platform, a workaround */
@@ -579,6 +582,9 @@
@@ -585,6 +588,9 @@ comm_point_udp_ancil_callback(int fd, sh
struct cmsghdr* cmsg;
#endif /* S_SPLINT_S */
@ -3451,7 +3412,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
@@ -668,6 +674,9 @@
@@ -674,6 +680,9 @@ comm_point_udp_callback(int fd, short ev
int i;
struct sldns_buffer *buffer;
@ -3461,7 +3422,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
@@ -711,6 +720,9 @@
@@ -717,6 +726,9 @@ comm_point_udp_callback(int fd, short ev
(void)comm_point_send_udp_msg(rep.c, buffer,
(struct sockaddr*)&rep.addr, rep.addrlen);
}
@ -3471,7 +3432,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
another UDP port. Note rep.c cannot be reused with TCP fd. */
break;
@@ -2145,6 +2157,9 @@
@@ -2956,6 +2968,9 @@ comm_point_send_reply(struct comm_reply
comm_point_start_listening(repinfo->c, -1,
repinfo->c->tcp_timeout_msec);
}
@ -3481,7 +3442,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
}
void
@@ -2154,6 +2169,9 @@
@@ -2965,6 +2980,9 @@ comm_point_drop_reply(struct comm_reply*
return;
log_assert(repinfo && repinfo->c);
log_assert(repinfo->c->type != comm_tcp_accept);
@ -3491,7 +3452,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
if(repinfo->c->type == comm_udp)
return;
reclaim_tcp_handler(repinfo->c);
@@ -2173,6 +2191,9 @@
@@ -2984,6 +3002,9 @@ comm_point_start_listening(struct comm_p
{
verbose(VERB_ALGO, "comm point start listening %d",
c->fd==-1?newfd:c->fd);
@ -3501,13 +3462,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
if(c->type == comm_tcp_accept && !c->tcp_free) {
/* no use to start listening no free slots. */
return;
Index: unbound-1.7.0~rc1/util/netevent.h
===================================================================
RCS file: ./util/RCS/netevent.h,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./util/netevent.h
--- ./util/netevent.h
+++ ./util/netevent.h
@@ -117,6 +117,10 @@
--- unbound-1.7.0~rc1.orig/util/netevent.h
+++ unbound-1.7.0~rc1/util/netevent.h
@@ -119,6 +119,10 @@ struct comm_reply {
/** return type 0 (none), 4(IP4), 6(IP6) */
int srctype;
/* DnsCrypt context */
@ -3518,13 +3477,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.h
#ifdef USE_DNSCRYPT
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
uint8_t nmkey[crypto_box_BEFORENMBYTES];
Index: unbound-1.7.0~rc1/validator/validator.c
===================================================================
RCS file: ./validator/RCS/validator.c,v
retrieving revision 1.1
diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
--- ./validator/validator.c
+++ ./validator/validator.c
@@ -2552,6 +2552,12 @@
--- unbound-1.7.0~rc1.orig/validator/validator.c
+++ unbound-1.7.0~rc1/validator/validator.c
@@ -2688,6 +2688,12 @@ ds_response_to_ke(struct module_qstate*
default:
/* NSEC proof did not work, try next */
break;
@ -3537,7 +3494,7 @@ diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
}
sec = nsec3_prove_nods(qstate->env, ve,
@@ -2584,6 +2590,12 @@
@@ -2721,6 +2727,12 @@ ds_response_to_ke(struct module_qstate*
default:
/* NSEC3 proof did not work */
break;
@ -3550,3 +3507,4 @@ diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
}
/* Apparently, no available NSEC/NSEC3 proved NODATA, so

4
doc/Changelog
View file

@ -1,3 +1,7 @@
7 March 2018: Wouter
- Fixed contrib/fastrpz.patch, even though this already applied
cleanly for me, now also for others.
6 March 2018: Wouter
- Reverted fix for #3512, this may not be the best way forward;
although it could be changed at a later time, to stay similar to