- Fix #4154: make ECS_MAX_TREESIZE configurable, with

the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.


git-svn-id: file:///svn/unbound/trunk@4945 be551aaa-1e26-0410-a405-d3ace91eadb9

doc/Changelog

@@ -3,6 +3,8 @@
 	  group.
 	- check that the dnstap socket file can be opened and exists, print
 	  error if not.
+	- Fix #4154: make ECS_MAX_TREESIZE configurable, with
+	  the max-ecs-tree-size-ipv4 and max-ecs-tree-size-ipv6 options.
 
 22 October 2018: Ralph
 	- Change fast-server-num default to 3.

doc/unbound.conf.5.in

@@ -1841,6 +1841,14 @@ to expose to third parties for IPv6.  Defaults to 56.
 .B max\-client\-subnet\-ipv4: \fI<number>\fR
 Specifies the maximum prefix length of the client source address we are willing
 to expose to third parties for IPv4. Defaults to 24.
+.TP
+.B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
+Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
+This number applies for each qname/qclass/qtype tuple. Defaults to 100.
+.TP
+.B max\-ecs\-tree\-size\-ipv6: \fI<number>\fR
+Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
+This number applies for each qname/qclass/qtype tuple. Defaults to 100.
 .SS "Opportunistic IPsec Support Module Options"
 .LP
 The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod

edns-subnet/subnetmod.c

@@ -56,8 +56,6 @@
 #include "util/data/msgreply.h"
 #include "sldns/sbuffer.h"
 
-#define ECS_MAX_TREESIZE 100
-
 /** externally called */
 void 
 subnet_data_delete(void *d, void *ATTR_UNUSED(arg))
@@ -291,13 +289,13 @@ get_tree(struct subnet_msg_cache_data *data, struct ecs_data *edns,
 		if (!data->tree4)
 			data->tree4 = addrtree_create(
 				cfg->max_client_subnet_ipv4, &delfunc,
-				&sizefunc, env, ECS_MAX_TREESIZE);
+				&sizefunc, env, cfg->max_ecs_tree_size_ipv4);
 		tree = data->tree4;
 	} else {
 		if (!data->tree6)
 			data->tree6 = addrtree_create(
 				cfg->max_client_subnet_ipv6, &delfunc,
-				&sizefunc, env, ECS_MAX_TREESIZE);
+				&sizefunc, env, cfg->max_ecs_tree_size_ipv6);
 		tree = data->tree6;
 	}
 	return tree;

util/config_file.c

@@ -194,6 +194,8 @@ config_create(void)
 	cfg->client_subnet_always_forward = 0;
 	cfg->max_client_subnet_ipv4 = 24;
 	cfg->max_client_subnet_ipv6 = 56;
+	cfg->max_ecs_tree_size_ipv4 = 100;
+	cfg->max_ecs_tree_size_ipv6 = 100;
 #endif
 	cfg->views = NULL;
 	cfg->acls = NULL;
@@ -682,7 +684,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		 * ratelimit-for-domain, ratelimit-below-domain,
 		 * local-zone-tag, access-control-view,
 		 * send-client-subnet, client-subnet-always-forward,
-		 * max-client-subnet-ipv4, max-client-subnet-ipv6, ipsecmod_hook,
+		 * max-client-subnet-ipv4, max-client-subnet-ipv6,
+		 * max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook,
 		 * ipsecmod_whitelist. */
 		return 0;
 	}
@@ -981,6 +984,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "client-subnet-zone", client_subnet_zone)
 	else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
 	else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
+	else O_DEC(opt, "max-ecs-tree-size-ipv4", max_ecs_tree_size_ipv4)
+	else O_DEC(opt, "max-ecs-tree-size-ipv6", max_ecs_tree_size_ipv6)
 	else O_YNO(opt, "client-subnet-always-forward:",
 		client_subnet_always_forward)
 #endif

util/config_file.h

@@ -215,6 +215,9 @@ struct config_file {
 	/** Subnet length we are willing to give up privacy for */
 	uint8_t max_client_subnet_ipv4;
 	uint8_t max_client_subnet_ipv6;
+	/** Max number of nodes in the ECS radix tree */
+	uint32_t max_ecs_tree_size_ipv4;
+	uint32_t max_ecs_tree_size_ipv6;
 #endif
 	/** list of access control entries, linked list */
 	struct config_str2list* acls;

util/configlexer.lex

@@ -331,6 +331,8 @@ client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD)
 client-subnet-opcode{COLON}	{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
 max-client-subnet-ipv4{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
 max-client-subnet-ipv6{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
+max-ecs-tree-size-ipv4{COLON}	{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) }
+max-ecs-tree-size-ipv6{COLON}	{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
 hide-identity{COLON}		{ YDVAR(1, VAR_HIDE_IDENTITY) }
 hide-version{COLON}		{ YDVAR(1, VAR_HIDE_VERSION) }
 hide-trustanchor{COLON}		{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) }

util/configparser.h

@@ -228,76 +228,78 @@ extern int yydebug;
     VAR_CLIENT_SUBNET_OPCODE = 438,
     VAR_MAX_CLIENT_SUBNET_IPV4 = 439,
     VAR_MAX_CLIENT_SUBNET_IPV6 = 440,
-    VAR_CAPS_WHITELIST = 441,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 442,
-    VAR_PERMIT_SMALL_HOLDDOWN = 443,
-    VAR_QNAME_MINIMISATION = 444,
-    VAR_QNAME_MINIMISATION_STRICT = 445,
-    VAR_IP_FREEBIND = 446,
-    VAR_DEFINE_TAG = 447,
-    VAR_LOCAL_ZONE_TAG = 448,
-    VAR_ACCESS_CONTROL_TAG = 449,
-    VAR_LOCAL_ZONE_OVERRIDE = 450,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 451,
-    VAR_ACCESS_CONTROL_TAG_DATA = 452,
-    VAR_VIEW = 453,
-    VAR_ACCESS_CONTROL_VIEW = 454,
-    VAR_VIEW_FIRST = 455,
-    VAR_SERVE_EXPIRED = 456,
-    VAR_SERVE_EXPIRED_TTL = 457,
-    VAR_SERVE_EXPIRED_TTL_RESET = 458,
-    VAR_FAKE_DSA = 459,
-    VAR_FAKE_SHA1 = 460,
-    VAR_LOG_IDENTITY = 461,
-    VAR_HIDE_TRUSTANCHOR = 462,
-    VAR_TRUST_ANCHOR_SIGNALING = 463,
-    VAR_AGGRESSIVE_NSEC = 464,
-    VAR_USE_SYSTEMD = 465,
-    VAR_SHM_ENABLE = 466,
-    VAR_SHM_KEY = 467,
-    VAR_ROOT_KEY_SENTINEL = 468,
-    VAR_DNSCRYPT = 469,
-    VAR_DNSCRYPT_ENABLE = 470,
-    VAR_DNSCRYPT_PORT = 471,
-    VAR_DNSCRYPT_PROVIDER = 472,
-    VAR_DNSCRYPT_SECRET_KEY = 473,
-    VAR_DNSCRYPT_PROVIDER_CERT = 474,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 475,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 476,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 477,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 478,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 479,
-    VAR_IPSECMOD_ENABLED = 480,
-    VAR_IPSECMOD_HOOK = 481,
-    VAR_IPSECMOD_IGNORE_BOGUS = 482,
-    VAR_IPSECMOD_MAX_TTL = 483,
-    VAR_IPSECMOD_WHITELIST = 484,
-    VAR_IPSECMOD_STRICT = 485,
-    VAR_CACHEDB = 486,
-    VAR_CACHEDB_BACKEND = 487,
-    VAR_CACHEDB_SECRETSEED = 488,
-    VAR_CACHEDB_REDISHOST = 489,
-    VAR_CACHEDB_REDISPORT = 490,
-    VAR_CACHEDB_REDISTIMEOUT = 491,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 492,
-    VAR_FOR_UPSTREAM = 493,
-    VAR_AUTH_ZONE = 494,
-    VAR_ZONEFILE = 495,
-    VAR_MASTER = 496,
-    VAR_URL = 497,
-    VAR_FOR_DOWNSTREAM = 498,
-    VAR_FALLBACK_ENABLED = 499,
-    VAR_TLS_ADDITIONAL_PORT = 500,
-    VAR_LOW_RTT = 501,
-    VAR_LOW_RTT_PERMIL = 502,
-    VAR_FAST_SERVER_PERMIL = 503,
-    VAR_FAST_SERVER_NUM = 504,
-    VAR_ALLOW_NOTIFY = 505,
-    VAR_TLS_WIN_CERT = 506,
-    VAR_TCP_CONNECTION_LIMIT = 507,
-    VAR_FORWARD_NO_CACHE = 508,
-    VAR_STUB_NO_CACHE = 509,
-    VAR_LOG_SERVFAIL = 510
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 441,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 442,
+    VAR_CAPS_WHITELIST = 443,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 444,
+    VAR_PERMIT_SMALL_HOLDDOWN = 445,
+    VAR_QNAME_MINIMISATION = 446,
+    VAR_QNAME_MINIMISATION_STRICT = 447,
+    VAR_IP_FREEBIND = 448,
+    VAR_DEFINE_TAG = 449,
+    VAR_LOCAL_ZONE_TAG = 450,
+    VAR_ACCESS_CONTROL_TAG = 451,
+    VAR_LOCAL_ZONE_OVERRIDE = 452,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 453,
+    VAR_ACCESS_CONTROL_TAG_DATA = 454,
+    VAR_VIEW = 455,
+    VAR_ACCESS_CONTROL_VIEW = 456,
+    VAR_VIEW_FIRST = 457,
+    VAR_SERVE_EXPIRED = 458,
+    VAR_SERVE_EXPIRED_TTL = 459,
+    VAR_SERVE_EXPIRED_TTL_RESET = 460,
+    VAR_FAKE_DSA = 461,
+    VAR_FAKE_SHA1 = 462,
+    VAR_LOG_IDENTITY = 463,
+    VAR_HIDE_TRUSTANCHOR = 464,
+    VAR_TRUST_ANCHOR_SIGNALING = 465,
+    VAR_AGGRESSIVE_NSEC = 466,
+    VAR_USE_SYSTEMD = 467,
+    VAR_SHM_ENABLE = 468,
+    VAR_SHM_KEY = 469,
+    VAR_ROOT_KEY_SENTINEL = 470,
+    VAR_DNSCRYPT = 471,
+    VAR_DNSCRYPT_ENABLE = 472,
+    VAR_DNSCRYPT_PORT = 473,
+    VAR_DNSCRYPT_PROVIDER = 474,
+    VAR_DNSCRYPT_SECRET_KEY = 475,
+    VAR_DNSCRYPT_PROVIDER_CERT = 476,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 477,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 478,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 479,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 480,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 481,
+    VAR_IPSECMOD_ENABLED = 482,
+    VAR_IPSECMOD_HOOK = 483,
+    VAR_IPSECMOD_IGNORE_BOGUS = 484,
+    VAR_IPSECMOD_MAX_TTL = 485,
+    VAR_IPSECMOD_WHITELIST = 486,
+    VAR_IPSECMOD_STRICT = 487,
+    VAR_CACHEDB = 488,
+    VAR_CACHEDB_BACKEND = 489,
+    VAR_CACHEDB_SECRETSEED = 490,
+    VAR_CACHEDB_REDISHOST = 491,
+    VAR_CACHEDB_REDISPORT = 492,
+    VAR_CACHEDB_REDISTIMEOUT = 493,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 494,
+    VAR_FOR_UPSTREAM = 495,
+    VAR_AUTH_ZONE = 496,
+    VAR_ZONEFILE = 497,
+    VAR_MASTER = 498,
+    VAR_URL = 499,
+    VAR_FOR_DOWNSTREAM = 500,
+    VAR_FALLBACK_ENABLED = 501,
+    VAR_TLS_ADDITIONAL_PORT = 502,
+    VAR_LOW_RTT = 503,
+    VAR_LOW_RTT_PERMIL = 504,
+    VAR_FAST_SERVER_PERMIL = 505,
+    VAR_FAST_SERVER_NUM = 506,
+    VAR_ALLOW_NOTIFY = 507,
+    VAR_TLS_WIN_CERT = 508,
+    VAR_TCP_CONNECTION_LIMIT = 509,
+    VAR_FORWARD_NO_CACHE = 510,
+    VAR_STUB_NO_CACHE = 511,
+    VAR_LOG_SERVFAIL = 512
   };
 #endif
 /* Tokens.  */
@@ -484,76 +486,78 @@ extern int yydebug;
 #define VAR_CLIENT_SUBNET_OPCODE 438
 #define VAR_MAX_CLIENT_SUBNET_IPV4 439
 #define VAR_MAX_CLIENT_SUBNET_IPV6 440
-#define VAR_CAPS_WHITELIST 441
-#define VAR_CACHE_MAX_NEGATIVE_TTL 442
-#define VAR_PERMIT_SMALL_HOLDDOWN 443
-#define VAR_QNAME_MINIMISATION 444
-#define VAR_QNAME_MINIMISATION_STRICT 445
-#define VAR_IP_FREEBIND 446
-#define VAR_DEFINE_TAG 447
-#define VAR_LOCAL_ZONE_TAG 448
-#define VAR_ACCESS_CONTROL_TAG 449
-#define VAR_LOCAL_ZONE_OVERRIDE 450
-#define VAR_ACCESS_CONTROL_TAG_ACTION 451
-#define VAR_ACCESS_CONTROL_TAG_DATA 452
-#define VAR_VIEW 453
-#define VAR_ACCESS_CONTROL_VIEW 454
-#define VAR_VIEW_FIRST 455
-#define VAR_SERVE_EXPIRED 456
-#define VAR_SERVE_EXPIRED_TTL 457
-#define VAR_SERVE_EXPIRED_TTL_RESET 458
-#define VAR_FAKE_DSA 459
-#define VAR_FAKE_SHA1 460
-#define VAR_LOG_IDENTITY 461
-#define VAR_HIDE_TRUSTANCHOR 462
-#define VAR_TRUST_ANCHOR_SIGNALING 463
-#define VAR_AGGRESSIVE_NSEC 464
-#define VAR_USE_SYSTEMD 465
-#define VAR_SHM_ENABLE 466
-#define VAR_SHM_KEY 467
-#define VAR_ROOT_KEY_SENTINEL 468
-#define VAR_DNSCRYPT 469
-#define VAR_DNSCRYPT_ENABLE 470
-#define VAR_DNSCRYPT_PORT 471
-#define VAR_DNSCRYPT_PROVIDER 472
-#define VAR_DNSCRYPT_SECRET_KEY 473
-#define VAR_DNSCRYPT_PROVIDER_CERT 474
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 475
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 476
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 477
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 478
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 479
-#define VAR_IPSECMOD_ENABLED 480
-#define VAR_IPSECMOD_HOOK 481
-#define VAR_IPSECMOD_IGNORE_BOGUS 482
-#define VAR_IPSECMOD_MAX_TTL 483
-#define VAR_IPSECMOD_WHITELIST 484
-#define VAR_IPSECMOD_STRICT 485
-#define VAR_CACHEDB 486
-#define VAR_CACHEDB_BACKEND 487
-#define VAR_CACHEDB_SECRETSEED 488
-#define VAR_CACHEDB_REDISHOST 489
-#define VAR_CACHEDB_REDISPORT 490
-#define VAR_CACHEDB_REDISTIMEOUT 491
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 492
-#define VAR_FOR_UPSTREAM 493
-#define VAR_AUTH_ZONE 494
-#define VAR_ZONEFILE 495
-#define VAR_MASTER 496
-#define VAR_URL 497
-#define VAR_FOR_DOWNSTREAM 498
-#define VAR_FALLBACK_ENABLED 499
-#define VAR_TLS_ADDITIONAL_PORT 500
-#define VAR_LOW_RTT 501
-#define VAR_LOW_RTT_PERMIL 502
-#define VAR_FAST_SERVER_PERMIL 503
-#define VAR_FAST_SERVER_NUM 504
-#define VAR_ALLOW_NOTIFY 505
-#define VAR_TLS_WIN_CERT 506
-#define VAR_TCP_CONNECTION_LIMIT 507
-#define VAR_FORWARD_NO_CACHE 508
-#define VAR_STUB_NO_CACHE 509
-#define VAR_LOG_SERVFAIL 510
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 441
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 442
+#define VAR_CAPS_WHITELIST 443
+#define VAR_CACHE_MAX_NEGATIVE_TTL 444
+#define VAR_PERMIT_SMALL_HOLDDOWN 445
+#define VAR_QNAME_MINIMISATION 446
+#define VAR_QNAME_MINIMISATION_STRICT 447
+#define VAR_IP_FREEBIND 448
+#define VAR_DEFINE_TAG 449
+#define VAR_LOCAL_ZONE_TAG 450
+#define VAR_ACCESS_CONTROL_TAG 451
+#define VAR_LOCAL_ZONE_OVERRIDE 452
+#define VAR_ACCESS_CONTROL_TAG_ACTION 453
+#define VAR_ACCESS_CONTROL_TAG_DATA 454
+#define VAR_VIEW 455
+#define VAR_ACCESS_CONTROL_VIEW 456
+#define VAR_VIEW_FIRST 457
+#define VAR_SERVE_EXPIRED 458
+#define VAR_SERVE_EXPIRED_TTL 459
+#define VAR_SERVE_EXPIRED_TTL_RESET 460
+#define VAR_FAKE_DSA 461
+#define VAR_FAKE_SHA1 462
+#define VAR_LOG_IDENTITY 463
+#define VAR_HIDE_TRUSTANCHOR 464
+#define VAR_TRUST_ANCHOR_SIGNALING 465
+#define VAR_AGGRESSIVE_NSEC 466
+#define VAR_USE_SYSTEMD 467
+#define VAR_SHM_ENABLE 468
+#define VAR_SHM_KEY 469
+#define VAR_ROOT_KEY_SENTINEL 470
+#define VAR_DNSCRYPT 471
+#define VAR_DNSCRYPT_ENABLE 472
+#define VAR_DNSCRYPT_PORT 473
+#define VAR_DNSCRYPT_PROVIDER 474
+#define VAR_DNSCRYPT_SECRET_KEY 475
+#define VAR_DNSCRYPT_PROVIDER_CERT 476
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 477
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 478
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 479
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 480
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 481
+#define VAR_IPSECMOD_ENABLED 482
+#define VAR_IPSECMOD_HOOK 483
+#define VAR_IPSECMOD_IGNORE_BOGUS 484
+#define VAR_IPSECMOD_MAX_TTL 485
+#define VAR_IPSECMOD_WHITELIST 486
+#define VAR_IPSECMOD_STRICT 487
+#define VAR_CACHEDB 488
+#define VAR_CACHEDB_BACKEND 489
+#define VAR_CACHEDB_SECRETSEED 490
+#define VAR_CACHEDB_REDISHOST 491
+#define VAR_CACHEDB_REDISPORT 492
+#define VAR_CACHEDB_REDISTIMEOUT 493
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 494
+#define VAR_FOR_UPSTREAM 495
+#define VAR_AUTH_ZONE 496
+#define VAR_ZONEFILE 497
+#define VAR_MASTER 498
+#define VAR_URL 499
+#define VAR_FOR_DOWNSTREAM 500
+#define VAR_FALLBACK_ENABLED 501
+#define VAR_TLS_ADDITIONAL_PORT 502
+#define VAR_LOW_RTT 503
+#define VAR_LOW_RTT_PERMIL 504
+#define VAR_FAST_SERVER_PERMIL 505
+#define VAR_FAST_SERVER_NUM 506
+#define VAR_ALLOW_NOTIFY 507
+#define VAR_TLS_WIN_CERT 508
+#define VAR_TCP_CONNECTION_LIMIT 509
+#define VAR_FORWARD_NO_CACHE 510
+#define VAR_STUB_NO_CACHE 511
+#define VAR_LOG_SERVFAIL 512
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -564,7 +568,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 568 "util/configparser.h" /* yacc.c:1909  */
+#line 572 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -135,6 +135,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
 %token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
 %token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
+%token VAR_MAX_ECS_TREE_SIZE_IPV4 VAR_MAX_ECS_TREE_SIZE_IPV6
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 %token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
 %token VAR_DEFINE_TAG VAR_LOCAL_ZONE_TAG VAR_ACCESS_CONTROL_TAG
@@ -238,6 +239,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_client_subnet_zone | server_client_subnet_always_forward |
 	server_client_subnet_opcode |
 	server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
+	server_max_ecs_tree_size_ipv4 | server_max_ecs_tree_size_ipv6 |
 	server_caps_whitelist | server_cache_max_negative_ttl |
 	server_permit_small_holddown | server_qname_minimisation |
 	server_ip_freebind | server_define_tag | server_local_zone_tag |
@@ -494,6 +496,36 @@ server_max_client_subnet_ipv6: VAR_MAX_CLIENT_SUBNET_IPV6 STRING_ARG
 		free($2);
 	}
 	;
+server_max_ecs_tree_size_ipv4: VAR_MAX_ECS_TREE_SIZE_IPV4 STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(max_ecs_tree_size_ipv4:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("IPv4 ECS tree size expected");
+		else if (atoi($2) < 0)
+			cfg_parser->cfg->max_ecs_tree_size_ipv4 = 0;
+		else cfg_parser->cfg->max_ecs_tree_size_ipv4 = (uint32_t)atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
+server_max_ecs_tree_size_ipv6: VAR_MAX_ECS_TREE_SIZE_IPV6 STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(max_ecs_tree_size_ipv6:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("IPv6 ECS tree size expected");
+		else if (atoi($2) < 0)
+			cfg_parser->cfg->max_ecs_tree_size_ipv6 = 0;
+		else cfg_parser->cfg->max_ecs_tree_size_ipv6 = (uint32_t)atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
 server_interface: VAR_INTERFACE STRING_ARG
 	{
 		OUTYY(("P(server_interface:%s)\n", $2));