- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.

git-svn-id: file:///svn/unbound/trunk@4951 be551aaa-1e26-0410-a405-d3ace91eadb9
2026-02-18 10:09:27 -05:00 · 2018-10-25 08:53:50 +00:00 · 2018-10-25 08:53:50 +00:00 · 6021341118
commit 6021341118
parent d5922830d0
10 changed files with 3797 additions and 3654 deletions
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
+25 October 2018: Ralph
+	- Add min-client-subnet-ipv6 and min-client-subnet-ipv4 options.
+
 25 October 2018: Wouter
 	- Fix #4191: NXDOMAIN vs SERVFAIL during dns64 PTR query.
 	- Fix #4190: Please create a "ANY" deny option, adds the option
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@ -1848,6 +1848,14 @@ to expose to third parties for IPv6.  Defaults to 56.
 Specifies the maximum prefix length of the client source address we are willing
 to expose to third parties for IPv4. Defaults to 24.
 .TP
+.B min\-client\-subnet\-ipv6: \fI<number>\fR
+Specifies the minimum prefix length of the IPv6 source mask we are willing to
+accept in queries. Shorter source masks result in REFUSED answers.
+.TP
+.B min\-client\-subnet\-ipv4: \fI<number>\fR
+Specifies the minimum prefix length of the IPv4 source mask we are willing to
+accept in queries. Shorter source masks result in REFUSED answers.
+.TP
 .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR
 Specifies the maximum number of subnets ECS answers kept in the ECS radix tree.
 This number applies for each qname/qclass/qtype tuple. Defaults to 100.
--- a/edns-subnet/subnetmod.c
+++ b/edns-subnet/subnetmod.c
@ -717,6 +717,17 @@ subnetmod_operate(struct module_qstate *qstate, enum module_ev event,
 			return;
 		}

+		/* Limit to minimum allowed source mask */
+		if(sq->ecs_client_in.subnet_source_mask != 0 && (
+			(sq->ecs_client_in.subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP4 &&
+			 sq->ecs_client_in.subnet_source_mask < qstate->env->cfg->min_client_subnet_ipv4) ||
+			(sq->ecs_client_in.subnet_addr_fam == EDNSSUBNET_ADDRFAM_IP6 &&
+			 sq->ecs_client_in.subnet_source_mask < qstate->env->cfg->max_client_subnet_ipv6))) {
+				qstate->return_rcode = LDNS_RCODE_REFUSED;
+				qstate->ext_state[id] = module_finished;
+				return;
+		}
+
 		lock_rw_wrlock(&sne->biglock);
 		if (lookup_and_reply(qstate, id, sq)) {
 			sne->num_msg_cache++;
--- a/util/config_file.c
+++ b/util/config_file.c
@ -195,6 +195,8 @@ config_create(void)
 	cfg->client_subnet_always_forward = 0;
 	cfg->max_client_subnet_ipv4 = 24;
 	cfg->max_client_subnet_ipv6 = 56;
+	cfg->min_client_subnet_ipv4 = 0;
+	cfg->min_client_subnet_ipv6 = 0;
 	cfg->max_ecs_tree_size_ipv4 = 100;
 	cfg->max_ecs_tree_size_ipv6 = 100;
 #endif
@ -687,6 +689,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 		 * local-zone-tag, access-control-view,
 		 * send-client-subnet, client-subnet-always-forward,
 		 * max-client-subnet-ipv4, max-client-subnet-ipv6,
+		 * min-client-subnet-ipv4, min-client-subnet-ipv6,
 		 * max-ecs-tree-size-ipv4, max-ecs-tree-size-ipv6, ipsecmod_hook,
 		 * ipsecmod_whitelist. */
 		return 0;
@ -987,6 +990,8 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "client-subnet-zone", client_subnet_zone)
 	else O_DEC(opt, "max-client-subnet-ipv4", max_client_subnet_ipv4)
 	else O_DEC(opt, "max-client-subnet-ipv6", max_client_subnet_ipv6)
+	else O_DEC(opt, "min-client-subnet-ipv4", min_client_subnet_ipv4)
+	else O_DEC(opt, "min-client-subnet-ipv6", min_client_subnet_ipv6)
 	else O_DEC(opt, "max-ecs-tree-size-ipv4", max_ecs_tree_size_ipv4)
 	else O_DEC(opt, "max-ecs-tree-size-ipv6", max_ecs_tree_size_ipv6)
 	else O_YNO(opt, "client-subnet-always-forward:",
--- a/util/config_file.h
+++ b/util/config_file.h
@ -215,6 +215,9 @@ struct config_file {
 	/** Subnet length we are willing to give up privacy for */
 	uint8_t max_client_subnet_ipv4;
 	uint8_t max_client_subnet_ipv6;
+	/** Minimum subnet length we are willing to answer */
+	uint8_t min_client_subnet_ipv4;
+	uint8_t min_client_subnet_ipv6;
 	/** Max number of nodes in the ECS radix tree */
 	uint32_t max_ecs_tree_size_ipv4;
 	uint32_t max_ecs_tree_size_ipv6;
--- a/util/configlexer.c
+++ b/util/configlexer.c
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@ -332,6 +332,8 @@ client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD)
 client-subnet-opcode{COLON}	{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) }
 max-client-subnet-ipv4{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) }
 max-client-subnet-ipv6{COLON}	{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) }
+min-client-subnet-ipv4{COLON}	{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) }
+min-client-subnet-ipv6{COLON}	{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) }
 max-ecs-tree-size-ipv4{COLON}	{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) }
 max-ecs-tree-size-ipv6{COLON}	{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) }
 hide-identity{COLON}		{ YDVAR(1, VAR_HIDE_IDENTITY) }
--- a/util/configparser.c
+++ b/util/configparser.c
--- a/util/configparser.h
+++ b/util/configparser.h
@ -228,79 +228,81 @@ extern int yydebug;
    VAR_CLIENT_SUBNET_OPCODE = 438,
    VAR_MAX_CLIENT_SUBNET_IPV4 = 439,
    VAR_MAX_CLIENT_SUBNET_IPV6 = 440,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 441,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 442,
-    VAR_CAPS_WHITELIST = 443,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 444,
-    VAR_PERMIT_SMALL_HOLDDOWN = 445,
-    VAR_QNAME_MINIMISATION = 446,
-    VAR_QNAME_MINIMISATION_STRICT = 447,
-    VAR_IP_FREEBIND = 448,
-    VAR_DEFINE_TAG = 449,
-    VAR_LOCAL_ZONE_TAG = 450,
-    VAR_ACCESS_CONTROL_TAG = 451,
-    VAR_LOCAL_ZONE_OVERRIDE = 452,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 453,
-    VAR_ACCESS_CONTROL_TAG_DATA = 454,
-    VAR_VIEW = 455,
-    VAR_ACCESS_CONTROL_VIEW = 456,
-    VAR_VIEW_FIRST = 457,
-    VAR_SERVE_EXPIRED = 458,
-    VAR_SERVE_EXPIRED_TTL = 459,
-    VAR_SERVE_EXPIRED_TTL_RESET = 460,
-    VAR_FAKE_DSA = 461,
-    VAR_FAKE_SHA1 = 462,
-    VAR_LOG_IDENTITY = 463,
-    VAR_HIDE_TRUSTANCHOR = 464,
-    VAR_TRUST_ANCHOR_SIGNALING = 465,
-    VAR_AGGRESSIVE_NSEC = 466,
-    VAR_USE_SYSTEMD = 467,
-    VAR_SHM_ENABLE = 468,
-    VAR_SHM_KEY = 469,
-    VAR_ROOT_KEY_SENTINEL = 470,
-    VAR_DNSCRYPT = 471,
-    VAR_DNSCRYPT_ENABLE = 472,
-    VAR_DNSCRYPT_PORT = 473,
-    VAR_DNSCRYPT_PROVIDER = 474,
-    VAR_DNSCRYPT_SECRET_KEY = 475,
-    VAR_DNSCRYPT_PROVIDER_CERT = 476,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 477,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 478,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 479,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 480,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 481,
-    VAR_IPSECMOD_ENABLED = 482,
-    VAR_IPSECMOD_HOOK = 483,
-    VAR_IPSECMOD_IGNORE_BOGUS = 484,
-    VAR_IPSECMOD_MAX_TTL = 485,
-    VAR_IPSECMOD_WHITELIST = 486,
-    VAR_IPSECMOD_STRICT = 487,
-    VAR_CACHEDB = 488,
-    VAR_CACHEDB_BACKEND = 489,
-    VAR_CACHEDB_SECRETSEED = 490,
-    VAR_CACHEDB_REDISHOST = 491,
-    VAR_CACHEDB_REDISPORT = 492,
-    VAR_CACHEDB_REDISTIMEOUT = 493,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 494,
-    VAR_FOR_UPSTREAM = 495,
-    VAR_AUTH_ZONE = 496,
-    VAR_ZONEFILE = 497,
-    VAR_MASTER = 498,
-    VAR_URL = 499,
-    VAR_FOR_DOWNSTREAM = 500,
-    VAR_FALLBACK_ENABLED = 501,
-    VAR_TLS_ADDITIONAL_PORT = 502,
-    VAR_LOW_RTT = 503,
-    VAR_LOW_RTT_PERMIL = 504,
-    VAR_FAST_SERVER_PERMIL = 505,
-    VAR_FAST_SERVER_NUM = 506,
-    VAR_ALLOW_NOTIFY = 507,
-    VAR_TLS_WIN_CERT = 508,
-    VAR_TCP_CONNECTION_LIMIT = 509,
-    VAR_FORWARD_NO_CACHE = 510,
-    VAR_STUB_NO_CACHE = 511,
-    VAR_LOG_SERVFAIL = 512,
-    VAR_DENY_ANY = 513
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 441,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 442,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 443,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 444,
+    VAR_CAPS_WHITELIST = 445,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 446,
+    VAR_PERMIT_SMALL_HOLDDOWN = 447,
+    VAR_QNAME_MINIMISATION = 448,
+    VAR_QNAME_MINIMISATION_STRICT = 449,
+    VAR_IP_FREEBIND = 450,
+    VAR_DEFINE_TAG = 451,
+    VAR_LOCAL_ZONE_TAG = 452,
+    VAR_ACCESS_CONTROL_TAG = 453,
+    VAR_LOCAL_ZONE_OVERRIDE = 454,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 455,
+    VAR_ACCESS_CONTROL_TAG_DATA = 456,
+    VAR_VIEW = 457,
+    VAR_ACCESS_CONTROL_VIEW = 458,
+    VAR_VIEW_FIRST = 459,
+    VAR_SERVE_EXPIRED = 460,
+    VAR_SERVE_EXPIRED_TTL = 461,
+    VAR_SERVE_EXPIRED_TTL_RESET = 462,
+    VAR_FAKE_DSA = 463,
+    VAR_FAKE_SHA1 = 464,
+    VAR_LOG_IDENTITY = 465,
+    VAR_HIDE_TRUSTANCHOR = 466,
+    VAR_TRUST_ANCHOR_SIGNALING = 467,
+    VAR_AGGRESSIVE_NSEC = 468,
+    VAR_USE_SYSTEMD = 469,
+    VAR_SHM_ENABLE = 470,
+    VAR_SHM_KEY = 471,
+    VAR_ROOT_KEY_SENTINEL = 472,
+    VAR_DNSCRYPT = 473,
+    VAR_DNSCRYPT_ENABLE = 474,
+    VAR_DNSCRYPT_PORT = 475,
+    VAR_DNSCRYPT_PROVIDER = 476,
+    VAR_DNSCRYPT_SECRET_KEY = 477,
+    VAR_DNSCRYPT_PROVIDER_CERT = 478,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 479,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 480,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 481,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 482,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 483,
+    VAR_IPSECMOD_ENABLED = 484,
+    VAR_IPSECMOD_HOOK = 485,
+    VAR_IPSECMOD_IGNORE_BOGUS = 486,
+    VAR_IPSECMOD_MAX_TTL = 487,
+    VAR_IPSECMOD_WHITELIST = 488,
+    VAR_IPSECMOD_STRICT = 489,
+    VAR_CACHEDB = 490,
+    VAR_CACHEDB_BACKEND = 491,
+    VAR_CACHEDB_SECRETSEED = 492,
+    VAR_CACHEDB_REDISHOST = 493,
+    VAR_CACHEDB_REDISPORT = 494,
+    VAR_CACHEDB_REDISTIMEOUT = 495,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 496,
+    VAR_FOR_UPSTREAM = 497,
+    VAR_AUTH_ZONE = 498,
+    VAR_ZONEFILE = 499,
+    VAR_MASTER = 500,
+    VAR_URL = 501,
+    VAR_FOR_DOWNSTREAM = 502,
+    VAR_FALLBACK_ENABLED = 503,
+    VAR_TLS_ADDITIONAL_PORT = 504,
+    VAR_LOW_RTT = 505,
+    VAR_LOW_RTT_PERMIL = 506,
+    VAR_FAST_SERVER_PERMIL = 507,
+    VAR_FAST_SERVER_NUM = 508,
+    VAR_ALLOW_NOTIFY = 509,
+    VAR_TLS_WIN_CERT = 510,
+    VAR_TCP_CONNECTION_LIMIT = 511,
+    VAR_FORWARD_NO_CACHE = 512,
+    VAR_STUB_NO_CACHE = 513,
+    VAR_LOG_SERVFAIL = 514,
+    VAR_DENY_ANY = 515
  };
 #endif
 /* Tokens.  */
@ -487,79 +489,81 @@ extern int yydebug;
 #define VAR_CLIENT_SUBNET_OPCODE 438
 #define VAR_MAX_CLIENT_SUBNET_IPV4 439
 #define VAR_MAX_CLIENT_SUBNET_IPV6 440
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 441
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 442
-#define VAR_CAPS_WHITELIST 443
-#define VAR_CACHE_MAX_NEGATIVE_TTL 444
-#define VAR_PERMIT_SMALL_HOLDDOWN 445
-#define VAR_QNAME_MINIMISATION 446
-#define VAR_QNAME_MINIMISATION_STRICT 447
-#define VAR_IP_FREEBIND 448
-#define VAR_DEFINE_TAG 449
-#define VAR_LOCAL_ZONE_TAG 450
-#define VAR_ACCESS_CONTROL_TAG 451
-#define VAR_LOCAL_ZONE_OVERRIDE 452
-#define VAR_ACCESS_CONTROL_TAG_ACTION 453
-#define VAR_ACCESS_CONTROL_TAG_DATA 454
-#define VAR_VIEW 455
-#define VAR_ACCESS_CONTROL_VIEW 456
-#define VAR_VIEW_FIRST 457
-#define VAR_SERVE_EXPIRED 458
-#define VAR_SERVE_EXPIRED_TTL 459
-#define VAR_SERVE_EXPIRED_TTL_RESET 460
-#define VAR_FAKE_DSA 461
-#define VAR_FAKE_SHA1 462
-#define VAR_LOG_IDENTITY 463
-#define VAR_HIDE_TRUSTANCHOR 464
-#define VAR_TRUST_ANCHOR_SIGNALING 465
-#define VAR_AGGRESSIVE_NSEC 466
-#define VAR_USE_SYSTEMD 467
-#define VAR_SHM_ENABLE 468
-#define VAR_SHM_KEY 469
-#define VAR_ROOT_KEY_SENTINEL 470
-#define VAR_DNSCRYPT 471
-#define VAR_DNSCRYPT_ENABLE 472
-#define VAR_DNSCRYPT_PORT 473
-#define VAR_DNSCRYPT_PROVIDER 474
-#define VAR_DNSCRYPT_SECRET_KEY 475
-#define VAR_DNSCRYPT_PROVIDER_CERT 476
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 477
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 478
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 479
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 480
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 481
-#define VAR_IPSECMOD_ENABLED 482
-#define VAR_IPSECMOD_HOOK 483
-#define VAR_IPSECMOD_IGNORE_BOGUS 484
-#define VAR_IPSECMOD_MAX_TTL 485
-#define VAR_IPSECMOD_WHITELIST 486
-#define VAR_IPSECMOD_STRICT 487
-#define VAR_CACHEDB 488
-#define VAR_CACHEDB_BACKEND 489
-#define VAR_CACHEDB_SECRETSEED 490
-#define VAR_CACHEDB_REDISHOST 491
-#define VAR_CACHEDB_REDISPORT 492
-#define VAR_CACHEDB_REDISTIMEOUT 493
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 494
-#define VAR_FOR_UPSTREAM 495
-#define VAR_AUTH_ZONE 496
-#define VAR_ZONEFILE 497
-#define VAR_MASTER 498
-#define VAR_URL 499
-#define VAR_FOR_DOWNSTREAM 500
-#define VAR_FALLBACK_ENABLED 501
-#define VAR_TLS_ADDITIONAL_PORT 502
-#define VAR_LOW_RTT 503
-#define VAR_LOW_RTT_PERMIL 504
-#define VAR_FAST_SERVER_PERMIL 505
-#define VAR_FAST_SERVER_NUM 506
-#define VAR_ALLOW_NOTIFY 507
-#define VAR_TLS_WIN_CERT 508
-#define VAR_TCP_CONNECTION_LIMIT 509
-#define VAR_FORWARD_NO_CACHE 510
-#define VAR_STUB_NO_CACHE 511
-#define VAR_LOG_SERVFAIL 512
-#define VAR_DENY_ANY 513
+#define VAR_MIN_CLIENT_SUBNET_IPV4 441
+#define VAR_MIN_CLIENT_SUBNET_IPV6 442
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 443
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 444
+#define VAR_CAPS_WHITELIST 445
+#define VAR_CACHE_MAX_NEGATIVE_TTL 446
+#define VAR_PERMIT_SMALL_HOLDDOWN 447
+#define VAR_QNAME_MINIMISATION 448
+#define VAR_QNAME_MINIMISATION_STRICT 449
+#define VAR_IP_FREEBIND 450
+#define VAR_DEFINE_TAG 451
+#define VAR_LOCAL_ZONE_TAG 452
+#define VAR_ACCESS_CONTROL_TAG 453
+#define VAR_LOCAL_ZONE_OVERRIDE 454
+#define VAR_ACCESS_CONTROL_TAG_ACTION 455
+#define VAR_ACCESS_CONTROL_TAG_DATA 456
+#define VAR_VIEW 457
+#define VAR_ACCESS_CONTROL_VIEW 458
+#define VAR_VIEW_FIRST 459
+#define VAR_SERVE_EXPIRED 460
+#define VAR_SERVE_EXPIRED_TTL 461
+#define VAR_SERVE_EXPIRED_TTL_RESET 462
+#define VAR_FAKE_DSA 463
+#define VAR_FAKE_SHA1 464
+#define VAR_LOG_IDENTITY 465
+#define VAR_HIDE_TRUSTANCHOR 466
+#define VAR_TRUST_ANCHOR_SIGNALING 467
+#define VAR_AGGRESSIVE_NSEC 468
+#define VAR_USE_SYSTEMD 469
+#define VAR_SHM_ENABLE 470
+#define VAR_SHM_KEY 471
+#define VAR_ROOT_KEY_SENTINEL 472
+#define VAR_DNSCRYPT 473
+#define VAR_DNSCRYPT_ENABLE 474
+#define VAR_DNSCRYPT_PORT 475
+#define VAR_DNSCRYPT_PROVIDER 476
+#define VAR_DNSCRYPT_SECRET_KEY 477
+#define VAR_DNSCRYPT_PROVIDER_CERT 478
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 479
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 480
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 481
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 482
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 483
+#define VAR_IPSECMOD_ENABLED 484
+#define VAR_IPSECMOD_HOOK 485
+#define VAR_IPSECMOD_IGNORE_BOGUS 486
+#define VAR_IPSECMOD_MAX_TTL 487
+#define VAR_IPSECMOD_WHITELIST 488
+#define VAR_IPSECMOD_STRICT 489
+#define VAR_CACHEDB 490
+#define VAR_CACHEDB_BACKEND 491
+#define VAR_CACHEDB_SECRETSEED 492
+#define VAR_CACHEDB_REDISHOST 493
+#define VAR_CACHEDB_REDISPORT 494
+#define VAR_CACHEDB_REDISTIMEOUT 495
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 496
+#define VAR_FOR_UPSTREAM 497
+#define VAR_AUTH_ZONE 498
+#define VAR_ZONEFILE 499
+#define VAR_MASTER 500
+#define VAR_URL 501
+#define VAR_FOR_DOWNSTREAM 502
+#define VAR_FALLBACK_ENABLED 503
+#define VAR_TLS_ADDITIONAL_PORT 504
+#define VAR_LOW_RTT 505
+#define VAR_LOW_RTT_PERMIL 506
+#define VAR_FAST_SERVER_PERMIL 507
+#define VAR_FAST_SERVER_NUM 508
+#define VAR_ALLOW_NOTIFY 509
+#define VAR_TLS_WIN_CERT 510
+#define VAR_TCP_CONNECTION_LIMIT 511
+#define VAR_FORWARD_NO_CACHE 512
+#define VAR_STUB_NO_CACHE 513
+#define VAR_LOG_SERVFAIL 514
+#define VAR_DENY_ANY 515

 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -570,7 +574,7 @@ union YYSTYPE

 	char*	str;

-#line 574 "util/configparser.h" /* yacc.c:1909  */
+#line 578 "util/configparser.h" /* yacc.c:1909  */
 };

 typedef union YYSTYPE YYSTYPE;
--- a/util/configparser.y
+++ b/util/configparser.y
@ -135,6 +135,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
 %token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
 %token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
+%token VAR_MIN_CLIENT_SUBNET_IPV4 VAR_MIN_CLIENT_SUBNET_IPV6
 %token VAR_MAX_ECS_TREE_SIZE_IPV4 VAR_MAX_ECS_TREE_SIZE_IPV6
 %token VAR_CAPS_WHITELIST VAR_CACHE_MAX_NEGATIVE_TTL VAR_PERMIT_SMALL_HOLDDOWN
 %token VAR_QNAME_MINIMISATION VAR_QNAME_MINIMISATION_STRICT VAR_IP_FREEBIND
@ -239,6 +240,7 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_client_subnet_zone | server_client_subnet_always_forward |
 	server_client_subnet_opcode |
 	server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 |
+	server_min_client_subnet_ipv4 | server_min_client_subnet_ipv6 |
 	server_max_ecs_tree_size_ipv4 | server_max_ecs_tree_size_ipv6 |
 	server_caps_whitelist | server_cache_max_negative_ttl |
 	server_permit_small_holddown | server_qname_minimisation |
@ -496,6 +498,40 @@ server_max_client_subnet_ipv6: VAR_MAX_CLIENT_SUBNET_IPV6 STRING_ARG
 		free($2);
 	}
 	;
+server_min_client_subnet_ipv4: VAR_MIN_CLIENT_SUBNET_IPV4 STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(min_client_subnet_ipv4:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("IPv4 subnet length expected");
+		else if (atoi($2) > 32)
+			cfg_parser->cfg->min_client_subnet_ipv4 = 32;
+		else if (atoi($2) < 0)
+			cfg_parser->cfg->min_client_subnet_ipv4 = 0;
+		else cfg_parser->cfg->min_client_subnet_ipv4 = (uint8_t)atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
+server_min_client_subnet_ipv6: VAR_MIN_CLIENT_SUBNET_IPV6 STRING_ARG
+	{
+	#ifdef CLIENT_SUBNET
+		OUTYY(("P(min_client_subnet_ipv6:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("Ipv6 subnet length expected");
+		else if (atoi($2) > 128)
+			cfg_parser->cfg->min_client_subnet_ipv6 = 128;
+		else if (atoi($2) < 0)
+			cfg_parser->cfg->min_client_subnet_ipv6 = 0;
+		else cfg_parser->cfg->min_client_subnet_ipv6 = (uint8_t)atoi($2);
+	#else
+		OUTYY(("P(Compiled without edns subnet option, ignoring)\n"));
+	#endif
+		free($2);
+	}
+	;
 server_max_ecs_tree_size_ipv4: VAR_MAX_ECS_TREE_SIZE_IPV4 STRING_ARG
 	{
 	#ifdef CLIENT_SUBNET