- Add mem.http.query_buffer and mem.http.response_buffer stats

- Add configurable limits for http-query-buffer-size and
  http-response-buffer-size
- Make http endpoint, max_streams, and TCP_NODELAY for HTTP sockets
  configurable.
This commit is contained in:
Ralph Dolmans 2020-05-12 18:12:19 +02:00
parent 6cc761f6b2
commit 8fc2320b5c
19 changed files with 4869 additions and 4404 deletions


@ -904,7 +904,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/services/outside_network.h $(srcdir)/services/cache/infra.h \
$(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
@ -915,7 +915,15 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
$(srcdir)/libunbound/worker.h
locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h
mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
$(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
$(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
$(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
$(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
$(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
@ -987,7 +995,7 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u
$(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h
ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/tube.h
$(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
$(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
$(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
@ -997,7 +1005,7 @@ ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c
$(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
$(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
$(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
$(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
$(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@ -1160,7 +1168,8 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
$(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
$(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
$(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
$(srcdir)/sldns/parseutil.h
unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
$(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \


@ -853,6 +853,12 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
if(!print_longnum(ssl, "mem.streamwait"SQ,
(size_t)s->svr.mem_stream_wait))
return 0;
if(!print_longnum(ssl, "mem.http.query_buffer"SQ,
(size_t)s->svr.mem_http2_query_buffer))
return 0;
if(!print_longnum(ssl, "mem.http.response_buffer"SQ,
(size_t)s->svr.mem_http2_response_buffer))
return 0;
return 1;
}


@ -335,6 +335,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
}
s->svr.mem_stream_wait =
(long long)tcp_req_info_get_stream_buffer_size();
s->svr.mem_http2_query_buffer =
(long long)http2_get_query_buffer_size();
s->svr.mem_http2_response_buffer =
(long long)http2_get_response_buffer_size();
/* Set neg cache usage numbers */
set_neg_cache_stats(worker, &s->svr, reset);


@ -1797,8 +1797,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
cfg->do_tcp_keepalive
? cfg->tcp_keepalive_timeout
: cfg->tcp_idle_timeout,
cfg->harden_large_queries,
worker->daemon->tcl,
cfg->harden_large_queries, cfg->http_max_streams,
cfg->http_endpoint, worker->daemon->tcl,
worker->daemon->listen_sslctx,
dtenv, worker_handle_request, worker);
if(!worker->front) {


@ -506,6 +506,14 @@ negative cache.
Memory in bytes in used by the TCP and TLS stream wait buffers. These are
answers waiting to be written back to the clients.
.TP
.I mem.http.query_buffer
Memory in bytes used by the HTTP/2 query buffers. Containing (partial) DNS
queries waiting for request stream completion.
.TP
.I mem.http.response_buffer
Memory in bytes used by the HTTP/2 response buffers. Containing DNS responses
waiting to be written back to the clients.
.TP
.I histogram.<sec>.<usec>.to.<sec>.<usec>
Shows a histogram, summed over all threads. Every element counts the
recursive queries whose reply time fit between the lower and upper bound.


@ -788,6 +788,10 @@ struct ub_server_stats {
long long num_query_subnet_cache;
/** number of bytes in the stream wait buffers */
long long mem_stream_wait;
/** number of bytes in the HTTP2 query buffers */
long long mem_http2_query_buffer;
/** number of bytes in the HTTP2 response buffers */
long long mem_http2_response_buffer;
/** number of TLS connection resume */
long long qtls_resume;
/** RPZ action stats */


@ -80,11 +80,23 @@
#ifndef THREADS_DISABLED
/** lock on the counter of stream buffer memory */
static lock_basic_type stream_wait_count_lock;
/** lock on the counter of HTTP2 query buffer memory */
static lock_basic_type http2_query_buffer_count_lock;
/** lock on the counter of HTTP2 response buffer memory */
static lock_basic_type http2_response_buffer_count_lock;
#endif
/** size (in bytes) of stream wait buffers */
static size_t stream_wait_count = 0;
/** is the lock initialised for stream wait buffers */
static int stream_wait_lock_inited = 0;
/** size (in bytes) of HTTP2 query buffers */
static size_t http2_query_buffer_count = 0;
/** is the lock initialised for HTTP2 query buffers */
static int http2_query_buffer_lock_inited = 0;
/** size (in bytes) of HTTP2 response buffers */
static size_t http2_response_buffer_count = 0;
/** is the lock initialised for HTTP2 response buffers */
static int http2_response_buffer_lock_inited = 0;
/**
* Debug print of the getaddrinfo returned address.
@ -707,20 +719,6 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
#else
log_warn(" setsockopt(TCP_NODELAY) unsupported");
#endif /* defined(IPPROTO_TCP) && defined(TCP_NODELAY) */
#if defined(IPPROTO_TCP) && defined(TCP_QUICKACK)
if(setsockopt(s, IPPROTO_TCP, TCP_QUICKACK, (void*)&on,
(socklen_t)sizeof(on)) < 0) {
#ifndef USE_WINSOCK
log_err(" setsockopt(.. TCP_QUICKACK ..) failed: %s",
strerror(errno));
#else
log_err(" setsockopt(.. TCP_QUICKACK ..) failed: %s",
wsa_strerror(WSAGetLastError()));
#endif
}
#else
log_warn(" setsockopt(TCP_QUICKACK) unsupported");
#endif /* defined(IPPROTO_TCP) && defined(TCP_QUICKACK) */
}
if (mss > 0) {
#if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
@ -1251,6 +1249,7 @@ if_is_https(const char* ifname, const char* port, int https_port)
* @param transparent: set IP_TRANSPARENT socket option.
* @param tcp_mss: maximum segment size of tcp socket. default if zero.
* @param freebind: set IP_FREEBIND socket option.
* @param http2_nodelay: set TCP_NODELAY on HTTP/2 connection
* @param use_systemd: if true, fetch sockets from systemd.
* @param dnscrypt_port: dnscrypt service port number
* @param dscp: DSCP to use.
@ -1262,11 +1261,11 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
size_t rcv, size_t snd, int ssl_port,
struct config_strlist* tls_additional_port, int https_port,
int* reuseport, int transparent, int tcp_mss, int freebind,
int use_systemd, int dnscrypt_port, int dscp)
int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp)
{
int s, noip6=0;
int is_https = if_is_https(ifname, port, https_port);
int nodelay = is_https; /* TODO make config option */
int nodelay = is_https && http2_nodelay;
#ifdef USE_DNSCRYPT
int is_dnscrypt = ((strchr(ifname, '@') &&
atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
@ -1384,7 +1383,8 @@ listen_cp_insert(struct comm_point* c, struct listen_dnsport* front)
struct listen_dnsport*
listen_create(struct comm_base* base, struct listen_port* ports,
size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
int harden_large_queries, struct tcl_list* tcp_conn_limit, void* sslctx,
int harden_large_queries, uint32_t http_max_streams,
char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg)
{
struct listen_dnsport* front = (struct listen_dnsport*)
@ -1404,6 +1404,14 @@ listen_create(struct comm_base* base, struct listen_port* ports,
lock_basic_init(&stream_wait_count_lock);
stream_wait_lock_inited = 1;
}
if(!http2_query_buffer_lock_inited) {
lock_basic_init(&http2_query_buffer_count_lock);
http2_query_buffer_lock_inited = 1;
}
if(!http2_response_buffer_lock_inited) {
lock_basic_init(&http2_response_buffer_count_lock);
http2_response_buffer_lock_inited = 1;
}
/* create comm points as needed */
while(ports) {
@ -1416,7 +1424,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
ports->ftype == listen_type_tcp_dnscrypt)
cp = comm_point_create_tcp(base, ports->fd,
tcp_accept_count, tcp_idle_timeout,
harden_large_queries,
harden_large_queries, 0, NULL,
tcp_conn_limit, bufsize, front->udp_buff,
ports->ftype, cb, cb_arg);
else if(ports->ftype == listen_type_ssl ||
@ -1424,6 +1432,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
cp = comm_point_create_tcp(base, ports->fd,
tcp_accept_count, tcp_idle_timeout,
harden_large_queries,
http_max_streams, http_endpoint,
tcp_conn_limit, bufsize, front->udp_buff,
ports->ftype, cb, cb_arg);
cp->ssl = sslctx;
@ -1518,6 +1527,14 @@ listen_delete(struct listen_dnsport* front)
stream_wait_lock_inited = 0;
lock_basic_destroy(&stream_wait_count_lock);
}
if(http2_query_buffer_lock_inited) {
http2_query_buffer_lock_inited = 0;
lock_basic_destroy(&http2_query_buffer_count_lock);
}
if(http2_response_buffer_lock_inited) {
http2_response_buffer_lock_inited = 0;
lock_basic_destroy(&http2_response_buffer_count_lock);
}
}
struct listen_port*
@ -1558,9 +1575,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
&hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port, cfg->tls_additional_port,
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->https_port, reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind,
cfg->http_nodelay, cfg->use_systemd,
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
@ -1573,9 +1590,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
&hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port, cfg->tls_additional_port,
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->https_port, reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind,
cfg->http_nodelay, cfg->use_systemd,
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
@ -1590,9 +1607,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
do_tcp, &hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port, cfg->tls_additional_port,
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->https_port, reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind,
cfg->http_nodelay, cfg->use_systemd,
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
@ -1605,9 +1622,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
do_tcp, &hints, portbuf, &list,
cfg->so_rcvbuf, cfg->so_sndbuf,
cfg->ssl_port, cfg->tls_additional_port,
cfg->https_port,
reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
cfg->https_port, reuseport, cfg->ip_transparent,
cfg->tcp_mss, cfg->ip_freebind,
cfg->http_nodelay, cfg->use_systemd,
cfg->dnscrypt_port, cfg->ip_dscp)) {
listening_ports_free(list);
return NULL;
@ -2050,6 +2067,28 @@ size_t tcp_req_info_get_stream_buffer_size(void)
return s;
}
size_t http2_get_query_buffer_size(void)
{
size_t s;
if(!http2_query_buffer_lock_inited)
return http2_query_buffer_count;
lock_basic_lock(&http2_query_buffer_count_lock);
s = http2_query_buffer_count;
lock_basic_unlock(&http2_query_buffer_count_lock);
return s;
}
size_t http2_get_response_buffer_size(void)
{
size_t s;
if(!http2_response_buffer_lock_inited)
return http2_response_buffer_count;
lock_basic_lock(&http2_response_buffer_count_lock);
s = http2_response_buffer_count;
lock_basic_unlock(&http2_response_buffer_count_lock);
return s;
}
#ifdef HAVE_NGHTTP2
/** nghttp2 callback. Used to copy response from rbuffer to nghttp2 session */
static ssize_t http2_submit_response_read_callback(
@ -2070,8 +2109,7 @@ static ssize_t http2_submit_response_read_callback(
sldns_buffer_remaining(h2_stream->rbuffer) == 0) {
verbose(VERB_QUERY, "http2: cannot submit buffer. No data "
"available in rbuffer");
sldns_buffer_free(h2_stream->rbuffer);
h2_stream->rbuffer = NULL;
/* rbuffer will be free'd in frame close cb */
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
}
@ -2085,6 +2123,10 @@ static ssize_t http2_submit_response_read_callback(
if(sldns_buffer_remaining(h2_stream->rbuffer) == 0) {
*data_flags |= NGHTTP2_DATA_FLAG_EOF;
lock_basic_lock(&http2_response_buffer_count_lock);
http2_response_buffer_count -=
sldns_buffer_capacity(h2_stream->rbuffer);
lock_basic_unlock(&http2_response_buffer_count_lock);
sldns_buffer_free(h2_stream->rbuffer);
h2_stream->rbuffer = NULL;
}
@ -2092,6 +2134,26 @@ static ssize_t http2_submit_response_read_callback(
return copylen;
}
/**
* Send RST_STREAM frame for stream.
* @param h2_session: http2 session to submit frame to
* @param h2_stream: http2 stream containing frame ID to use in RST_STREAM
* @return 0 on error, 1 otherwise
*/
static int http2_submit_rst_stream(struct http2_session* h2_session,
struct http2_stream* h2_stream)
{
int ret = nghttp2_submit_rst_stream(h2_session->session,
NGHTTP2_FLAG_NONE, h2_stream->stream_id,
NGHTTP2_INTERNAL_ERROR);
if(ret) {
verbose(VERB_QUERY, "http2: nghttp2_submit_rst_stream failed, "
"error: %s", nghttp2_strerror(ret));
return 0;
}
return 1;
}
/**
* DNS response ready to be submitted to nghttp2, to be prepared for sending
* out. Response is stored in c->buffer. Copy to rbuffer because the c->buffer
@ -2106,6 +2168,7 @@ int http2_submit_dns_response(struct http2_session* h2_session)
char status[4];
nghttp2_nv headers[2];
struct http2_stream* h2_stream = h2_session->c->h2_stream;
size_t rlen;
if(h2_stream->rbuffer) {
log_err("http2 submit response error: rbuffer already "
@ -2117,17 +2180,28 @@ int http2_submit_dns_response(struct http2_session* h2_session)
return 0;
}
if(!(h2_stream->rbuffer = sldns_buffer_new(
sldns_buffer_remaining(h2_session->c->buffer)))) {
log_err("http2 submit response error: malloc failure");
return 0;
}
if(snprintf(status, 4, "%d", h2_stream->status) != 3) {
verbose(VERB_QUERY, "http2: submit response error: "
"invalid status");
return 0;
}
rlen = sldns_buffer_remaining(h2_session->c->buffer);
lock_basic_lock(&http2_response_buffer_count_lock);
if(http2_response_buffer_count + rlen > http2_response_buffer_max) {
lock_basic_unlock(&http2_response_buffer_count_lock);
verbose(VERB_ALGO, "reset HTTP2 stream, no space left, "
"in https-response-buffer-size");
return http2_submit_rst_stream(h2_session, h2_stream);
}
if(!(h2_stream->rbuffer = sldns_buffer_new(rlen))) {
lock_basic_unlock(&http2_response_buffer_count_lock);
log_err("http2 submit response error: malloc failure");
return 0;
}
http2_response_buffer_count += rlen;
lock_basic_unlock(&http2_response_buffer_count_lock);
headers[0].name = (uint8_t*)":status";
headers[0].namelen = 7;
headers[0].value = (uint8_t*)status;
@ -2275,8 +2349,7 @@ static int http2_query_read_done(struct http2_session* h2_session,
}
if(sldns_buffer_remaining(h2_session->c->buffer) <
sldns_buffer_remaining(h2_stream->qbuffer)) {
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
/* qbuffer will be free'd in frame close cb */
sldns_buffer_clear(h2_session->c->buffer);
verbose(VERB_ALGO, "http2_query_read_done failure: can't fit "
"qbuffer in c->buffer");
@ -2287,6 +2360,9 @@ static int http2_query_read_done(struct http2_session* h2_session,
sldns_buffer_current(h2_stream->qbuffer),
sldns_buffer_remaining(h2_stream->qbuffer));
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -= sldns_buffer_capacity(h2_stream->qbuffer);
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
@ -2449,21 +2525,34 @@ static int http2_buffer_uri_query(struct http2_session* h2_session,
expectb64len = sldns_b64_pton_calculate_size(length);
log_assert(expectb64len > 0);
if(expectb64len >
h2_session->c->http2_max_qbuffer_size) {
h2_session->c->http2_stream_max_qbuffer_size) {
h2_stream->query_too_large = 1;
return 1;
}
lock_basic_lock(&http2_query_buffer_count_lock);
if(http2_query_buffer_count + expectb64len > http2_query_buffer_max) {
lock_basic_unlock(&http2_query_buffer_count_lock);
verbose(VERB_ALGO, "reset HTTP2 stream, no space left, "
"in http2-query-buffer-size");
return http2_submit_rst_stream(h2_session, h2_stream);
}
if(!(h2_stream->qbuffer = sldns_buffer_new(expectb64len))) {
lock_basic_unlock(&http2_query_buffer_count_lock);
log_err("http2_req_header fail, qbuffer "
"malloc failure");
return 0;
}
http2_query_buffer_count += expectb64len;
lock_basic_unlock(&http2_query_buffer_count_lock);
if(!(b64len = sldns_b64url_pton(
(char const *)start, length,
sldns_buffer_current(h2_stream->qbuffer),
expectb64len)) || b64len < 0) {
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -= expectb64len;
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
/* return without error, method can be an
@ -2518,6 +2607,10 @@ static int http2_req_header_cb(nghttp2_session* session,
h2_stream->http_method = HTTP_METHOD_POST;
if(h2_stream->qbuffer) {
/* POST method uses query from DATA frames */
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -=
sldns_buffer_capacity(h2_stream->qbuffer);
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
}
@ -2526,17 +2619,15 @@ static int http2_req_header_cb(nghttp2_session* session,
return 0;
}
if(namelen == 5 && memcmp(":path", name, namelen) == 0) {
/* Hard coded /dns-query endpoint, might be nice to make
* configurable.
* :path may contain DNS query, depending on method. Method might
/* :path may contain DNS query, depending on method. Method might
* not be known yet here, so check after finishing receiving
* stream. */
#define HTTP_ENDPOINT "/dns-query"
#define HTTP_QUERY_PARAM "?dns="
size_t el = sizeof(HTTP_ENDPOINT) - 1;
size_t el = strlen(h2_session->c->http_endpoint);
size_t qpl = sizeof(HTTP_QUERY_PARAM) - 1;
if(valuelen < el || memcmp(HTTP_ENDPOINT, value, el) != 0) {
if(valuelen < el || memcmp(h2_session->c->http_endpoint,
value, el) != 0) {
h2_stream->invalid_endpoint = 1;
return 0;
}
@ -2583,7 +2674,7 @@ static int http2_req_header_cb(nghttp2_session* session,
/* guaranteed to only contian digits and be null terminated */
h2_stream->content_length = atoi((const char*)value);
if(h2_stream->content_length >
h2_session->c->http2_max_qbuffer_size) {
h2_session->c->http2_stream_max_qbuffer_size) {
h2_stream->query_too_large = 1;
return 0;
}
@ -2599,6 +2690,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
{
struct http2_session* h2_session = (struct http2_session*)cb_arg;
struct http2_stream* h2_stream;
size_t qlen = 0;
if(!(h2_stream = nghttp2_session_get_stream_user_data(
h2_session->session, stream_id))) {
@ -2614,17 +2706,28 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
/* getting more data in DATA frame than
* advertised in content-length header. */
return NGHTTP2_ERR_CALLBACK_FAILURE;
h2_stream->qbuffer = sldns_buffer_new(
h2_stream->content_length);
} else if(len <= h2_session->c->http2_max_qbuffer_size) {
qlen = h2_stream->content_length;
} else if(len <= h2_session->c->http2_stream_max_qbuffer_size) {
/* setting this to msg-buffer-size can result in a lot
* of memory consuption. Most queries should fit in a
* single DATA frame, and most POST queries will
* containt content-length which does not impose this
* limit. */
h2_stream->qbuffer = sldns_buffer_new(len);
qlen = len;
}
}
if(!h2_stream->qbuffer && qlen) {
lock_basic_lock(&http2_query_buffer_count_lock);
if(http2_query_buffer_count + qlen > http2_query_buffer_max) {
lock_basic_unlock(&http2_query_buffer_count_lock);
verbose(VERB_ALGO, "reset HTTP2 stream, no space left, "
"in http2-query-buffer-size");
return http2_submit_rst_stream(h2_session, h2_stream);
}
if((h2_stream->qbuffer = sldns_buffer_new(qlen)))
http2_query_buffer_count += qlen;
lock_basic_unlock(&http2_query_buffer_count_lock);
}
if(!h2_stream->qbuffer ||
sldns_buffer_remaining(h2_stream->qbuffer) < len) {
@ -2640,6 +2743,26 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
return 0;
}
void http2_req_stream_clear(struct http2_stream* h2_stream)
{
if(h2_stream->qbuffer) {
lock_basic_lock(&http2_query_buffer_count_lock);
http2_query_buffer_count -=
sldns_buffer_capacity(h2_stream->qbuffer);
lock_basic_unlock(&http2_query_buffer_count_lock);
sldns_buffer_free(h2_stream->qbuffer);
h2_stream->qbuffer = NULL;
}
if(h2_stream->rbuffer) {
lock_basic_lock(&http2_response_buffer_count_lock);
http2_response_buffer_count -=
sldns_buffer_capacity(h2_stream->rbuffer);
lock_basic_unlock(&http2_response_buffer_count_lock);
sldns_buffer_free(h2_stream->rbuffer);
h2_stream->rbuffer = NULL;
}
}
nghttp2_session_callbacks* http2_req_callbacks_create()
{
nghttp2_session_callbacks *callbacks;
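Review bot: The verbose messages written when a shared buffer budget is exhausted name options that do not exist: `"in https-response-buffer-size"` in http2_submit_dns_response and `"in http2-query-buffer-size"` in both http2_buffer_uri_query and http2_req_data_chunk_recv_cb, whereas the options this commit adds in config_file.c are http-response-buffer-size and http-query-buffer-size, so an operator grepping the log for the knob to tune will not find it. Change the literals to `"in http-response-buffer-size"` and `"in http-query-buffer-size"` respectively. Since http2_response_buffer_max and http2_query_buffer_max are process-wide, exceeding them resets streams for every HTTP/2 client and not only the one that consumed the budget; a comment above each check such as `/* global budget shared by all HTTP/2 connections; exceeding it resets this stream */` would make that explicit for whoever tunes the limits. The event is logged at VERB_ALGO only, so it is invisible at default verbosity; it may be worth considering whether a counter belongs in the stats alongside the new mem.http.* values. The enclosing functions start and end outside the visible hunks.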


@ -144,6 +144,8 @@ void listening_ports_free(struct listen_port* list);
* from clients.
* @param tcp_idle_timeout: idle timeout for TCP connections in msec.
* @param harden_large_queries: whether query size should be limited.
* @param http_max_streams: maximum number of HTTP/2 streams per connection.
* @param http_endpoint: HTTP endpoint to service queries on
* @param tcp_conn_limit: TCP connection limit info.
* @param sslctx: nonNULL if ssl context.
* @param dtenv: nonNULL if dnstap enabled.
@ -152,10 +154,11 @@ void listening_ports_free(struct listen_port* list);
* @param cb_arg: user data argument for callback function.
* @return: the malloced listening structure, ready for use. NULL on error.
*/
struct listen_dnsport* listen_create(struct comm_base* base,
struct listen_port* ports, size_t bufsize,
int tcp_accept_count, int tcp_idle_timeout, int harden_large_queries,
struct tcl_list* tcp_conn_limit, void* sslctx,
struct listen_dnsport*
listen_create(struct comm_base* base, struct listen_port* ports,
size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
int harden_large_queries, uint32_t http_max_streams,
char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg);
/**
@ -376,6 +379,11 @@ int tcp_req_info_handle_read_close(struct tcp_req_info* req);
/** get the size of currently used tcp stream wait buffers (in bytes) */
size_t tcp_req_info_get_stream_buffer_size(void);
/** get the size of currently used HTTP2 query buffers (in bytes) */
size_t http2_get_query_buffer_size(void);
/** get the size of currently used HTTP2 response buffers (in bytes) */
size_t http2_get_response_buffer_size(void);
#ifdef HAVE_NGHTTP2
/**
* Create nghttp2 callbacks to handle HTTP2 requests.
@ -383,6 +391,9 @@ size_t tcp_req_info_get_stream_buffer_size(void);
*/
nghttp2_session_callbacks* http2_req_callbacks_create();
/** Free http2 stream buffers and decrease buffer counters */
void http2_req_stream_clear(struct http2_stream* h2_stream);
/**
* DNS response ready to be submitted to nghttp2, to be prepared for sending
* out. Response is stored in c->buffer. Copy to rbuffer because the c->buffer
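Review bot: The new `@param http_endpoint` line does not state who owns the string or how long it must remain valid, and the parameter is declared `char*` although nothing in listen_create visible here modifies it. Suggest `* @param http_endpoint: HTTP endpoint to service queries on; the pointer is retained by the created comm points and must outlive the listening structure` — the retention clause needs confirming against comm_point_create_tcp, which is not in this diff — and `const char* http_endpoint` in the prototype if the callees can accept it. The libworker.c stub and the listen_dnsport.c definition would then carry the same qualifier.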


@ -275,6 +275,8 @@ static void print_mem(struct ub_shm_stat_info* shm_stat,
shm_stat->mem.dnscrypt_nonce);
#endif
PR_LL("mem.streamwait", s->svr.mem_stream_wait);
PR_LL("mem.http.query_buffer", s->svr.mem_http2_query_buffer);
PR_LL("mem.http.response_buffer", s->svr.mem_http2_response_buffer);
}
/** print histogram */


@ -869,6 +869,8 @@ listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
size_t bufsize, int ATTR_UNUSED(tcp_accept_count),
int ATTR_UNUSED(tcp_idle_timeout),
int ATTR_UNUSED(harden_large_queries),
uint32_t ATTR_UNUSED(http_max_streams),
char* ATTR_UNUSED(http_endpoint),
struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
comm_point_callback_type* cb, void *cb_arg)
@ -1826,6 +1828,18 @@ tcp_req_info_get_stream_buffer_size(void)
return 0;
}
size_t
http2_get_query_buffer_size(void)
{
return 0;
}
size_t
http2_get_response_buffer_size(void)
{
return 0;
}
void http2_stream_add_meshstate(struct http2_stream* ATTR_UNUSED(h2_stream),
struct mesh_area* ATTR_UNUSED(mesh), struct mesh_state* ATTR_UNUSED(m))
{


@ -78,6 +78,8 @@ gid_t cfg_gid = (gid_t)-1;
int autr_permit_small_holddown = 0;
/** size (in bytes) of stream wait buffers max */
size_t stream_wait_max = 4 * 1024 * 1024;
size_t http2_query_buffer_max = 4 * 1024 * 1024;
size_t http2_response_buffer_max = 4 * 1024 * 1024;
/** global config during parsing */
struct config_parser_state* cfg_parser = 0;
@ -116,8 +118,13 @@ config_create(void)
cfg->ssl_upstream = 0;
cfg->tls_cert_bundle = NULL;
cfg->tls_win_cert = 0;
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
cfg->tls_use_sni = 1;
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
cfg->http_max_streams = 100;
cfg->http_query_buffer_size = 4*1024*1024;
cfg->http_response_buffer_size = 4*1024*1024;
cfg->http_nodelay = 1;
cfg->use_syslog = 1;
cfg->log_identity = NULL; /* changed later with argv[0] */
cfg->log_time_ascii = 0;
@ -509,8 +516,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys)
else S_STR("tls-ciphers:", tls_ciphers)
else S_STR("tls-ciphersuites:", tls_ciphersuites)
else S_NUMBER_NONZERO("https-port:", https_port)
else S_YNO("tls-use-sni:", tls_use_sni)
else S_NUMBER_NONZERO("https-port:", https_port)
else S_STR("http-endpoint", http_endpoint)
else S_NUMBER_NONZERO("http-max-streams", http_max_streams)
else S_MEMSIZE("http-query-buffer-size", http_query_buffer_size)
else S_MEMSIZE("http-response-buffer-size", http_response_buffer_size)
else S_YNO("http-nodelay", http_nodelay)
else S_YNO("interface-automatic:", if_automatic)
else S_YNO("use-systemd:", use_systemd)
else S_YNO("do-daemonize:", do_daemonize)
@ -965,8 +977,13 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first)
else O_STR(opt, "tls-ciphers", tls_ciphers)
else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
else O_DEC(opt, "https-port", https_port)
else O_YNO(opt, "tls-use-sni", tls_use_sni)
else O_DEC(opt, "https-port", https_port)
else O_STR(opt, "http-endpoint", http_endpoint)
else O_UNS(opt, "http-max-streams", http_max_streams)
else O_MEM(opt, "http-query-buffer-size", http_query_buffer_size)
else O_MEM(opt, "http-response-buffer-size", http_response_buffer_size)
else O_YNO(opt, "http-nodelay", http_nodelay)
else O_YNO(opt, "use-systemd", use_systemd)
else O_YNO(opt, "do-daemonize", do_daemonize)
else O_STR(opt, "chroot", chrootdir)
@ -1431,6 +1448,7 @@ config_delete(struct config_file* cfg)
config_delstrlist(cfg->tls_session_ticket_keys.first);
free(cfg->tls_ciphers);
free(cfg->tls_ciphersuites);
free(cfg->http_endpoint);
if(cfg->log_identity) {
log_ident_revert_to_default();
free(cfg->log_identity);
@ -2039,6 +2057,8 @@ config_apply(struct config_file* config)
log_set_time_asc(config->log_time_ascii);
autr_permit_small_holddown = config->permit_small_holddown;
stream_wait_max = config->stream_wait_size;
http2_query_buffer_max = config->http_query_buffer_size;
http2_response_buffer_max = config->http_response_buffer_size;
}
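Review bot: The five new entries in config_set_option, from `S_STR("http-endpoint", http_endpoint)` through `S_YNO("http-nodelay", http_nodelay)`, lack the trailing colon that every neighbouring entry carries (`"https-port:"`, `"tls-use-sni:"`, `"use-systemd:"`); the macros presumably compare opt against the literal, so these options would fall through to the not-found path and could not be changed at runtime via set_option even though configlexer.lex accepts them in the config file. Change them to `S_STR("http-endpoint:", http_endpoint)`, `S_NUMBER_NONZERO("http-max-streams:", http_max_streams)`, and add the colon on the three remaining lines the same way. The new globals `http2_query_buffer_max` and `http2_response_buffer_max` also lack the doxygen comment that `stream_wait_max` directly above them has; reusing the wording from config_file.h, `/** size (in bytes) of all total HTTP2 query buffers max */`, keeps the two files consistent. config_set_option's body continues outside the hunk.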
void config_lookup_uid(struct config_file* cfg)


@ -128,11 +128,22 @@ struct config_file {
char* tls_ciphers;
/** TLS chiphersuites (TLSv1.3) */
char* tls_ciphersuites;
/** port on which to provide DNS over HTTPS service */
int https_port;
/** if SNI is to be used */
int tls_use_sni;
/** port on which to provide DNS over HTTPS service */
int https_port;
/** endpoint for HTTP service */
char* http_endpoint;
/** MAX_CONCURRENT_STREAMS HTTP/2 setting */
uint32_t http_max_streams;
/** maximum size of all HTTP2 query buffers combined. */
size_t http_query_buffer_size;
/** maximum size of all HTTP2 response buffers combined. */
size_t http_response_buffer_size;
/** set TCP_NODELAY option for http sockets */
int http_nodelay;
/** outgoing port range number of ports (per thread) */
int outgoing_num_ports;
/** number of outgoing tcp buffers per (per thread) */
@ -622,6 +633,10 @@ extern gid_t cfg_gid;
extern int autr_permit_small_holddown;
/** size (in bytes) of stream wait buffers max */
extern size_t stream_wait_max;
/** size (in bytes) of all total HTTP2 query buffers max */
extern size_t http2_query_buffer_max;
/** size (in bytes) of all total HTTP2 response buffers max */
extern size_t http2_response_buffer_max;
/**
* Stub config options
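Review bot: The new `char* http_endpoint;` field is documented only as `endpoint for HTTP service`, which leaves out two facts the rest of this commit establishes: config_delete frees it, and the parser prefixes a '/' when the configured value lacks one. Suggest `/** HTTP endpoint path queries are served on; always begins with '/', heap-allocated and freed by config_delete */`. The two `size_t` buffer limits would also benefit from stating whether 0 means "no limit", if that is the semantics their consumer in netevent.c gives them (not visible in this section).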



@ -248,8 +248,13 @@ tls-additional-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
tls-session-ticket-keys{COLON} { YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) }
tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) }
https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) }
http-endpoint{COLON} { YDVAR(1, VAR_HTTP_ENDPOINT) }
http-max-streams{COLON} { YDVAR(1, VAR_HTTP_MAX_STREAMS) }
http-query-buffer-size{COLON} { YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
http-response-buffer-size{COLON} { YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
http-nodelay{COLON} { YDVAR(1, VAR_HTTP_NODELAY) }
use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
interface{COLON} { YDVAR(1, VAR_INTERFACE) }



@ -184,153 +184,158 @@ extern int yydebug;
VAR_FORWARD_SSL_UPSTREAM = 394,
VAR_TLS_CERT_BUNDLE = 395,
VAR_HTTPS_PORT = 396,
VAR_STUB_FIRST = 397,
VAR_MINIMAL_RESPONSES = 398,
VAR_RRSET_ROUNDROBIN = 399,
VAR_MAX_UDP_SIZE = 400,
VAR_DELAY_CLOSE = 401,
VAR_UNBLOCK_LAN_ZONES = 402,
VAR_INSECURE_LAN_ZONES = 403,
VAR_INFRA_CACHE_MIN_RTT = 404,
VAR_DNS64_PREFIX = 405,
VAR_DNS64_SYNTHALL = 406,
VAR_DNS64_IGNORE_AAAA = 407,
VAR_DNSTAP = 408,
VAR_DNSTAP_ENABLE = 409,
VAR_DNSTAP_SOCKET_PATH = 410,
VAR_DNSTAP_IP = 411,
VAR_DNSTAP_TLS = 412,
VAR_DNSTAP_TLS_SERVER_NAME = 413,
VAR_DNSTAP_TLS_CERT_BUNDLE = 414,
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 415,
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 416,
VAR_DNSTAP_SEND_IDENTITY = 417,
VAR_DNSTAP_SEND_VERSION = 418,
VAR_DNSTAP_IDENTITY = 419,
VAR_DNSTAP_VERSION = 420,
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 421,
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 422,
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 423,
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 424,
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 425,
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 426,
VAR_RESPONSE_IP_TAG = 427,
VAR_RESPONSE_IP = 428,
VAR_RESPONSE_IP_DATA = 429,
VAR_HARDEN_ALGO_DOWNGRADE = 430,
VAR_IP_TRANSPARENT = 431,
VAR_IP_DSCP = 432,
VAR_DISABLE_DNSSEC_LAME_CHECK = 433,
VAR_IP_RATELIMIT = 434,
VAR_IP_RATELIMIT_SLABS = 435,
VAR_IP_RATELIMIT_SIZE = 436,
VAR_RATELIMIT = 437,
VAR_RATELIMIT_SLABS = 438,
VAR_RATELIMIT_SIZE = 439,
VAR_RATELIMIT_FOR_DOMAIN = 440,
VAR_RATELIMIT_BELOW_DOMAIN = 441,
VAR_IP_RATELIMIT_FACTOR = 442,
VAR_RATELIMIT_FACTOR = 443,
VAR_SEND_CLIENT_SUBNET = 444,
VAR_CLIENT_SUBNET_ZONE = 445,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 446,
VAR_CLIENT_SUBNET_OPCODE = 447,
VAR_MAX_CLIENT_SUBNET_IPV4 = 448,
VAR_MAX_CLIENT_SUBNET_IPV6 = 449,
VAR_MIN_CLIENT_SUBNET_IPV4 = 450,
VAR_MIN_CLIENT_SUBNET_IPV6 = 451,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 452,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 453,
VAR_CAPS_WHITELIST = 454,
VAR_CACHE_MAX_NEGATIVE_TTL = 455,
VAR_PERMIT_SMALL_HOLDDOWN = 456,
VAR_QNAME_MINIMISATION = 457,
VAR_QNAME_MINIMISATION_STRICT = 458,
VAR_IP_FREEBIND = 459,
VAR_DEFINE_TAG = 460,
VAR_LOCAL_ZONE_TAG = 461,
VAR_ACCESS_CONTROL_TAG = 462,
VAR_LOCAL_ZONE_OVERRIDE = 463,
VAR_ACCESS_CONTROL_TAG_ACTION = 464,
VAR_ACCESS_CONTROL_TAG_DATA = 465,
VAR_VIEW = 466,
VAR_ACCESS_CONTROL_VIEW = 467,
VAR_VIEW_FIRST = 468,
VAR_SERVE_EXPIRED = 469,
VAR_SERVE_EXPIRED_TTL = 470,
VAR_SERVE_EXPIRED_TTL_RESET = 471,
VAR_SERVE_EXPIRED_REPLY_TTL = 472,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 473,
VAR_FAKE_DSA = 474,
VAR_FAKE_SHA1 = 475,
VAR_LOG_IDENTITY = 476,
VAR_HIDE_TRUSTANCHOR = 477,
VAR_TRUST_ANCHOR_SIGNALING = 478,
VAR_AGGRESSIVE_NSEC = 479,
VAR_USE_SYSTEMD = 480,
VAR_SHM_ENABLE = 481,
VAR_SHM_KEY = 482,
VAR_ROOT_KEY_SENTINEL = 483,
VAR_DNSCRYPT = 484,
VAR_DNSCRYPT_ENABLE = 485,
VAR_DNSCRYPT_PORT = 486,
VAR_DNSCRYPT_PROVIDER = 487,
VAR_DNSCRYPT_SECRET_KEY = 488,
VAR_DNSCRYPT_PROVIDER_CERT = 489,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 490,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 491,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 492,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 493,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 494,
VAR_IPSECMOD_ENABLED = 495,
VAR_IPSECMOD_HOOK = 496,
VAR_IPSECMOD_IGNORE_BOGUS = 497,
VAR_IPSECMOD_MAX_TTL = 498,
VAR_IPSECMOD_WHITELIST = 499,
VAR_IPSECMOD_STRICT = 500,
VAR_CACHEDB = 501,
VAR_CACHEDB_BACKEND = 502,
VAR_CACHEDB_SECRETSEED = 503,
VAR_CACHEDB_REDISHOST = 504,
VAR_CACHEDB_REDISPORT = 505,
VAR_CACHEDB_REDISTIMEOUT = 506,
VAR_CACHEDB_REDISEXPIRERECORDS = 507,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 508,
VAR_FOR_UPSTREAM = 509,
VAR_AUTH_ZONE = 510,
VAR_ZONEFILE = 511,
VAR_MASTER = 512,
VAR_URL = 513,
VAR_FOR_DOWNSTREAM = 514,
VAR_FALLBACK_ENABLED = 515,
VAR_TLS_ADDITIONAL_PORT = 516,
VAR_LOW_RTT = 517,
VAR_LOW_RTT_PERMIL = 518,
VAR_FAST_SERVER_PERMIL = 519,
VAR_FAST_SERVER_NUM = 520,
VAR_ALLOW_NOTIFY = 521,
VAR_TLS_WIN_CERT = 522,
VAR_TCP_CONNECTION_LIMIT = 523,
VAR_FORWARD_NO_CACHE = 524,
VAR_STUB_NO_CACHE = 525,
VAR_LOG_SERVFAIL = 526,
VAR_DENY_ANY = 527,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 528,
VAR_LOG_TAG_QUERYREPLY = 529,
VAR_STREAM_WAIT_SIZE = 530,
VAR_TLS_CIPHERS = 531,
VAR_TLS_CIPHERSUITES = 532,
VAR_TLS_USE_SNI = 533,
VAR_IPSET = 534,
VAR_IPSET_NAME_V4 = 535,
VAR_IPSET_NAME_V6 = 536,
VAR_TLS_SESSION_TICKET_KEYS = 537,
VAR_RPZ = 538,
VAR_TAGS = 539,
VAR_RPZ_ACTION_OVERRIDE = 540,
VAR_RPZ_CNAME_OVERRIDE = 541,
VAR_RPZ_LOG = 542,
VAR_RPZ_LOG_NAME = 543
VAR_HTTP_ENDPOINT = 397,
VAR_HTTP_MAX_STREAMS = 398,
VAR_HTTP_QUERY_BUFFER_SIZE = 399,
VAR_HTTP_RESPONSE_BUFFER_SIZE = 400,
VAR_HTTP_NODELAY = 401,
VAR_STUB_FIRST = 402,
VAR_MINIMAL_RESPONSES = 403,
VAR_RRSET_ROUNDROBIN = 404,
VAR_MAX_UDP_SIZE = 405,
VAR_DELAY_CLOSE = 406,
VAR_UNBLOCK_LAN_ZONES = 407,
VAR_INSECURE_LAN_ZONES = 408,
VAR_INFRA_CACHE_MIN_RTT = 409,
VAR_DNS64_PREFIX = 410,
VAR_DNS64_SYNTHALL = 411,
VAR_DNS64_IGNORE_AAAA = 412,
VAR_DNSTAP = 413,
VAR_DNSTAP_ENABLE = 414,
VAR_DNSTAP_SOCKET_PATH = 415,
VAR_DNSTAP_IP = 416,
VAR_DNSTAP_TLS = 417,
VAR_DNSTAP_TLS_SERVER_NAME = 418,
VAR_DNSTAP_TLS_CERT_BUNDLE = 419,
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 420,
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 421,
VAR_DNSTAP_SEND_IDENTITY = 422,
VAR_DNSTAP_SEND_VERSION = 423,
VAR_DNSTAP_IDENTITY = 424,
VAR_DNSTAP_VERSION = 425,
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 426,
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 427,
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 428,
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 429,
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 430,
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 431,
VAR_RESPONSE_IP_TAG = 432,
VAR_RESPONSE_IP = 433,
VAR_RESPONSE_IP_DATA = 434,
VAR_HARDEN_ALGO_DOWNGRADE = 435,
VAR_IP_TRANSPARENT = 436,
VAR_IP_DSCP = 437,
VAR_DISABLE_DNSSEC_LAME_CHECK = 438,
VAR_IP_RATELIMIT = 439,
VAR_IP_RATELIMIT_SLABS = 440,
VAR_IP_RATELIMIT_SIZE = 441,
VAR_RATELIMIT = 442,
VAR_RATELIMIT_SLABS = 443,
VAR_RATELIMIT_SIZE = 444,
VAR_RATELIMIT_FOR_DOMAIN = 445,
VAR_RATELIMIT_BELOW_DOMAIN = 446,
VAR_IP_RATELIMIT_FACTOR = 447,
VAR_RATELIMIT_FACTOR = 448,
VAR_SEND_CLIENT_SUBNET = 449,
VAR_CLIENT_SUBNET_ZONE = 450,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 451,
VAR_CLIENT_SUBNET_OPCODE = 452,
VAR_MAX_CLIENT_SUBNET_IPV4 = 453,
VAR_MAX_CLIENT_SUBNET_IPV6 = 454,
VAR_MIN_CLIENT_SUBNET_IPV4 = 455,
VAR_MIN_CLIENT_SUBNET_IPV6 = 456,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 457,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 458,
VAR_CAPS_WHITELIST = 459,
VAR_CACHE_MAX_NEGATIVE_TTL = 460,
VAR_PERMIT_SMALL_HOLDDOWN = 461,
VAR_QNAME_MINIMISATION = 462,
VAR_QNAME_MINIMISATION_STRICT = 463,
VAR_IP_FREEBIND = 464,
VAR_DEFINE_TAG = 465,
VAR_LOCAL_ZONE_TAG = 466,
VAR_ACCESS_CONTROL_TAG = 467,
VAR_LOCAL_ZONE_OVERRIDE = 468,
VAR_ACCESS_CONTROL_TAG_ACTION = 469,
VAR_ACCESS_CONTROL_TAG_DATA = 470,
VAR_VIEW = 471,
VAR_ACCESS_CONTROL_VIEW = 472,
VAR_VIEW_FIRST = 473,
VAR_SERVE_EXPIRED = 474,
VAR_SERVE_EXPIRED_TTL = 475,
VAR_SERVE_EXPIRED_TTL_RESET = 476,
VAR_SERVE_EXPIRED_REPLY_TTL = 477,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 478,
VAR_FAKE_DSA = 479,
VAR_FAKE_SHA1 = 480,
VAR_LOG_IDENTITY = 481,
VAR_HIDE_TRUSTANCHOR = 482,
VAR_TRUST_ANCHOR_SIGNALING = 483,
VAR_AGGRESSIVE_NSEC = 484,
VAR_USE_SYSTEMD = 485,
VAR_SHM_ENABLE = 486,
VAR_SHM_KEY = 487,
VAR_ROOT_KEY_SENTINEL = 488,
VAR_DNSCRYPT = 489,
VAR_DNSCRYPT_ENABLE = 490,
VAR_DNSCRYPT_PORT = 491,
VAR_DNSCRYPT_PROVIDER = 492,
VAR_DNSCRYPT_SECRET_KEY = 493,
VAR_DNSCRYPT_PROVIDER_CERT = 494,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 495,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 496,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 497,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 498,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 499,
VAR_IPSECMOD_ENABLED = 500,
VAR_IPSECMOD_HOOK = 501,
VAR_IPSECMOD_IGNORE_BOGUS = 502,
VAR_IPSECMOD_MAX_TTL = 503,
VAR_IPSECMOD_WHITELIST = 504,
VAR_IPSECMOD_STRICT = 505,
VAR_CACHEDB = 506,
VAR_CACHEDB_BACKEND = 507,
VAR_CACHEDB_SECRETSEED = 508,
VAR_CACHEDB_REDISHOST = 509,
VAR_CACHEDB_REDISPORT = 510,
VAR_CACHEDB_REDISTIMEOUT = 511,
VAR_CACHEDB_REDISEXPIRERECORDS = 512,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 513,
VAR_FOR_UPSTREAM = 514,
VAR_AUTH_ZONE = 515,
VAR_ZONEFILE = 516,
VAR_MASTER = 517,
VAR_URL = 518,
VAR_FOR_DOWNSTREAM = 519,
VAR_FALLBACK_ENABLED = 520,
VAR_TLS_ADDITIONAL_PORT = 521,
VAR_LOW_RTT = 522,
VAR_LOW_RTT_PERMIL = 523,
VAR_FAST_SERVER_PERMIL = 524,
VAR_FAST_SERVER_NUM = 525,
VAR_ALLOW_NOTIFY = 526,
VAR_TLS_WIN_CERT = 527,
VAR_TCP_CONNECTION_LIMIT = 528,
VAR_FORWARD_NO_CACHE = 529,
VAR_STUB_NO_CACHE = 530,
VAR_LOG_SERVFAIL = 531,
VAR_DENY_ANY = 532,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 533,
VAR_LOG_TAG_QUERYREPLY = 534,
VAR_STREAM_WAIT_SIZE = 535,
VAR_TLS_CIPHERS = 536,
VAR_TLS_CIPHERSUITES = 537,
VAR_TLS_USE_SNI = 538,
VAR_IPSET = 539,
VAR_IPSET_NAME_V4 = 540,
VAR_IPSET_NAME_V6 = 541,
VAR_TLS_SESSION_TICKET_KEYS = 542,
VAR_RPZ = 543,
VAR_TAGS = 544,
VAR_RPZ_ACTION_OVERRIDE = 545,
VAR_RPZ_CNAME_OVERRIDE = 546,
VAR_RPZ_LOG = 547,
VAR_RPZ_LOG_NAME = 548
};
#endif
/* Tokens. */
@ -473,153 +478,158 @@ extern int yydebug;
#define VAR_FORWARD_SSL_UPSTREAM 394
#define VAR_TLS_CERT_BUNDLE 395
#define VAR_HTTPS_PORT 396
#define VAR_STUB_FIRST 397
#define VAR_MINIMAL_RESPONSES 398
#define VAR_RRSET_ROUNDROBIN 399
#define VAR_MAX_UDP_SIZE 400
#define VAR_DELAY_CLOSE 401
#define VAR_UNBLOCK_LAN_ZONES 402
#define VAR_INSECURE_LAN_ZONES 403
#define VAR_INFRA_CACHE_MIN_RTT 404
#define VAR_DNS64_PREFIX 405
#define VAR_DNS64_SYNTHALL 406
#define VAR_DNS64_IGNORE_AAAA 407
#define VAR_DNSTAP 408
#define VAR_DNSTAP_ENABLE 409
#define VAR_DNSTAP_SOCKET_PATH 410
#define VAR_DNSTAP_IP 411
#define VAR_DNSTAP_TLS 412
#define VAR_DNSTAP_TLS_SERVER_NAME 413
#define VAR_DNSTAP_TLS_CERT_BUNDLE 414
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 415
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 416
#define VAR_DNSTAP_SEND_IDENTITY 417
#define VAR_DNSTAP_SEND_VERSION 418
#define VAR_DNSTAP_IDENTITY 419
#define VAR_DNSTAP_VERSION 420
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 421
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 422
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 423
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 424
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 425
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 426
#define VAR_RESPONSE_IP_TAG 427
#define VAR_RESPONSE_IP 428
#define VAR_RESPONSE_IP_DATA 429
#define VAR_HARDEN_ALGO_DOWNGRADE 430
#define VAR_IP_TRANSPARENT 431
#define VAR_IP_DSCP 432
#define VAR_DISABLE_DNSSEC_LAME_CHECK 433
#define VAR_IP_RATELIMIT 434
#define VAR_IP_RATELIMIT_SLABS 435
#define VAR_IP_RATELIMIT_SIZE 436
#define VAR_RATELIMIT 437
#define VAR_RATELIMIT_SLABS 438
#define VAR_RATELIMIT_SIZE 439
#define VAR_RATELIMIT_FOR_DOMAIN 440
#define VAR_RATELIMIT_BELOW_DOMAIN 441
#define VAR_IP_RATELIMIT_FACTOR 442
#define VAR_RATELIMIT_FACTOR 443
#define VAR_SEND_CLIENT_SUBNET 444
#define VAR_CLIENT_SUBNET_ZONE 445
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 446
#define VAR_CLIENT_SUBNET_OPCODE 447
#define VAR_MAX_CLIENT_SUBNET_IPV4 448
#define VAR_MAX_CLIENT_SUBNET_IPV6 449
#define VAR_MIN_CLIENT_SUBNET_IPV4 450
#define VAR_MIN_CLIENT_SUBNET_IPV6 451
#define VAR_MAX_ECS_TREE_SIZE_IPV4 452
#define VAR_MAX_ECS_TREE_SIZE_IPV6 453
#define VAR_CAPS_WHITELIST 454
#define VAR_CACHE_MAX_NEGATIVE_TTL 455
#define VAR_PERMIT_SMALL_HOLDDOWN 456
#define VAR_QNAME_MINIMISATION 457
#define VAR_QNAME_MINIMISATION_STRICT 458
#define VAR_IP_FREEBIND 459
#define VAR_DEFINE_TAG 460
#define VAR_LOCAL_ZONE_TAG 461
#define VAR_ACCESS_CONTROL_TAG 462
#define VAR_LOCAL_ZONE_OVERRIDE 463
#define VAR_ACCESS_CONTROL_TAG_ACTION 464
#define VAR_ACCESS_CONTROL_TAG_DATA 465
#define VAR_VIEW 466
#define VAR_ACCESS_CONTROL_VIEW 467
#define VAR_VIEW_FIRST 468
#define VAR_SERVE_EXPIRED 469
#define VAR_SERVE_EXPIRED_TTL 470
#define VAR_SERVE_EXPIRED_TTL_RESET 471
#define VAR_SERVE_EXPIRED_REPLY_TTL 472
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 473
#define VAR_FAKE_DSA 474
#define VAR_FAKE_SHA1 475
#define VAR_LOG_IDENTITY 476
#define VAR_HIDE_TRUSTANCHOR 477
#define VAR_TRUST_ANCHOR_SIGNALING 478
#define VAR_AGGRESSIVE_NSEC 479
#define VAR_USE_SYSTEMD 480
#define VAR_SHM_ENABLE 481
#define VAR_SHM_KEY 482
#define VAR_ROOT_KEY_SENTINEL 483
#define VAR_DNSCRYPT 484
#define VAR_DNSCRYPT_ENABLE 485
#define VAR_DNSCRYPT_PORT 486
#define VAR_DNSCRYPT_PROVIDER 487
#define VAR_DNSCRYPT_SECRET_KEY 488
#define VAR_DNSCRYPT_PROVIDER_CERT 489
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 490
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 491
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 492
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 493
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 494
#define VAR_IPSECMOD_ENABLED 495
#define VAR_IPSECMOD_HOOK 496
#define VAR_IPSECMOD_IGNORE_BOGUS 497
#define VAR_IPSECMOD_MAX_TTL 498
#define VAR_IPSECMOD_WHITELIST 499
#define VAR_IPSECMOD_STRICT 500
#define VAR_CACHEDB 501
#define VAR_CACHEDB_BACKEND 502
#define VAR_CACHEDB_SECRETSEED 503
#define VAR_CACHEDB_REDISHOST 504
#define VAR_CACHEDB_REDISPORT 505
#define VAR_CACHEDB_REDISTIMEOUT 506
#define VAR_CACHEDB_REDISEXPIRERECORDS 507
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 508
#define VAR_FOR_UPSTREAM 509
#define VAR_AUTH_ZONE 510
#define VAR_ZONEFILE 511
#define VAR_MASTER 512
#define VAR_URL 513
#define VAR_FOR_DOWNSTREAM 514
#define VAR_FALLBACK_ENABLED 515
#define VAR_TLS_ADDITIONAL_PORT 516
#define VAR_LOW_RTT 517
#define VAR_LOW_RTT_PERMIL 518
#define VAR_FAST_SERVER_PERMIL 519
#define VAR_FAST_SERVER_NUM 520
#define VAR_ALLOW_NOTIFY 521
#define VAR_TLS_WIN_CERT 522
#define VAR_TCP_CONNECTION_LIMIT 523
#define VAR_FORWARD_NO_CACHE 524
#define VAR_STUB_NO_CACHE 525
#define VAR_LOG_SERVFAIL 526
#define VAR_DENY_ANY 527
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 528
#define VAR_LOG_TAG_QUERYREPLY 529
#define VAR_STREAM_WAIT_SIZE 530
#define VAR_TLS_CIPHERS 531
#define VAR_TLS_CIPHERSUITES 532
#define VAR_TLS_USE_SNI 533
#define VAR_IPSET 534
#define VAR_IPSET_NAME_V4 535
#define VAR_IPSET_NAME_V6 536
#define VAR_TLS_SESSION_TICKET_KEYS 537
#define VAR_RPZ 538
#define VAR_TAGS 539
#define VAR_RPZ_ACTION_OVERRIDE 540
#define VAR_RPZ_CNAME_OVERRIDE 541
#define VAR_RPZ_LOG 542
#define VAR_RPZ_LOG_NAME 543
#define VAR_HTTP_ENDPOINT 397
#define VAR_HTTP_MAX_STREAMS 398
#define VAR_HTTP_QUERY_BUFFER_SIZE 399
#define VAR_HTTP_RESPONSE_BUFFER_SIZE 400
#define VAR_HTTP_NODELAY 401
#define VAR_STUB_FIRST 402
#define VAR_MINIMAL_RESPONSES 403
#define VAR_RRSET_ROUNDROBIN 404
#define VAR_MAX_UDP_SIZE 405
#define VAR_DELAY_CLOSE 406
#define VAR_UNBLOCK_LAN_ZONES 407
#define VAR_INSECURE_LAN_ZONES 408
#define VAR_INFRA_CACHE_MIN_RTT 409
#define VAR_DNS64_PREFIX 410
#define VAR_DNS64_SYNTHALL 411
#define VAR_DNS64_IGNORE_AAAA 412
#define VAR_DNSTAP 413
#define VAR_DNSTAP_ENABLE 414
#define VAR_DNSTAP_SOCKET_PATH 415
#define VAR_DNSTAP_IP 416
#define VAR_DNSTAP_TLS 417
#define VAR_DNSTAP_TLS_SERVER_NAME 418
#define VAR_DNSTAP_TLS_CERT_BUNDLE 419
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 420
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 421
#define VAR_DNSTAP_SEND_IDENTITY 422
#define VAR_DNSTAP_SEND_VERSION 423
#define VAR_DNSTAP_IDENTITY 424
#define VAR_DNSTAP_VERSION 425
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 426
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 427
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 428
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 429
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 430
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 431
#define VAR_RESPONSE_IP_TAG 432
#define VAR_RESPONSE_IP 433
#define VAR_RESPONSE_IP_DATA 434
#define VAR_HARDEN_ALGO_DOWNGRADE 435
#define VAR_IP_TRANSPARENT 436
#define VAR_IP_DSCP 437
#define VAR_DISABLE_DNSSEC_LAME_CHECK 438
#define VAR_IP_RATELIMIT 439
#define VAR_IP_RATELIMIT_SLABS 440
#define VAR_IP_RATELIMIT_SIZE 441
#define VAR_RATELIMIT 442
#define VAR_RATELIMIT_SLABS 443
#define VAR_RATELIMIT_SIZE 444
#define VAR_RATELIMIT_FOR_DOMAIN 445
#define VAR_RATELIMIT_BELOW_DOMAIN 446
#define VAR_IP_RATELIMIT_FACTOR 447
#define VAR_RATELIMIT_FACTOR 448
#define VAR_SEND_CLIENT_SUBNET 449
#define VAR_CLIENT_SUBNET_ZONE 450
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 451
#define VAR_CLIENT_SUBNET_OPCODE 452
#define VAR_MAX_CLIENT_SUBNET_IPV4 453
#define VAR_MAX_CLIENT_SUBNET_IPV6 454
#define VAR_MIN_CLIENT_SUBNET_IPV4 455
#define VAR_MIN_CLIENT_SUBNET_IPV6 456
#define VAR_MAX_ECS_TREE_SIZE_IPV4 457
#define VAR_MAX_ECS_TREE_SIZE_IPV6 458
#define VAR_CAPS_WHITELIST 459
#define VAR_CACHE_MAX_NEGATIVE_TTL 460
#define VAR_PERMIT_SMALL_HOLDDOWN 461
#define VAR_QNAME_MINIMISATION 462
#define VAR_QNAME_MINIMISATION_STRICT 463
#define VAR_IP_FREEBIND 464
#define VAR_DEFINE_TAG 465
#define VAR_LOCAL_ZONE_TAG 466
#define VAR_ACCESS_CONTROL_TAG 467
#define VAR_LOCAL_ZONE_OVERRIDE 468
#define VAR_ACCESS_CONTROL_TAG_ACTION 469
#define VAR_ACCESS_CONTROL_TAG_DATA 470
#define VAR_VIEW 471
#define VAR_ACCESS_CONTROL_VIEW 472
#define VAR_VIEW_FIRST 473
#define VAR_SERVE_EXPIRED 474
#define VAR_SERVE_EXPIRED_TTL 475
#define VAR_SERVE_EXPIRED_TTL_RESET 476
#define VAR_SERVE_EXPIRED_REPLY_TTL 477
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 478
#define VAR_FAKE_DSA 479
#define VAR_FAKE_SHA1 480
#define VAR_LOG_IDENTITY 481
#define VAR_HIDE_TRUSTANCHOR 482
#define VAR_TRUST_ANCHOR_SIGNALING 483
#define VAR_AGGRESSIVE_NSEC 484
#define VAR_USE_SYSTEMD 485
#define VAR_SHM_ENABLE 486
#define VAR_SHM_KEY 487
#define VAR_ROOT_KEY_SENTINEL 488
#define VAR_DNSCRYPT 489
#define VAR_DNSCRYPT_ENABLE 490
#define VAR_DNSCRYPT_PORT 491
#define VAR_DNSCRYPT_PROVIDER 492
#define VAR_DNSCRYPT_SECRET_KEY 493
#define VAR_DNSCRYPT_PROVIDER_CERT 494
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 495
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 496
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 497
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 498
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 499
#define VAR_IPSECMOD_ENABLED 500
#define VAR_IPSECMOD_HOOK 501
#define VAR_IPSECMOD_IGNORE_BOGUS 502
#define VAR_IPSECMOD_MAX_TTL 503
#define VAR_IPSECMOD_WHITELIST 504
#define VAR_IPSECMOD_STRICT 505
#define VAR_CACHEDB 506
#define VAR_CACHEDB_BACKEND 507
#define VAR_CACHEDB_SECRETSEED 508
#define VAR_CACHEDB_REDISHOST 509
#define VAR_CACHEDB_REDISPORT 510
#define VAR_CACHEDB_REDISTIMEOUT 511
#define VAR_CACHEDB_REDISEXPIRERECORDS 512
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 513
#define VAR_FOR_UPSTREAM 514
#define VAR_AUTH_ZONE 515
#define VAR_ZONEFILE 516
#define VAR_MASTER 517
#define VAR_URL 518
#define VAR_FOR_DOWNSTREAM 519
#define VAR_FALLBACK_ENABLED 520
#define VAR_TLS_ADDITIONAL_PORT 521
#define VAR_LOW_RTT 522
#define VAR_LOW_RTT_PERMIL 523
#define VAR_FAST_SERVER_PERMIL 524
#define VAR_FAST_SERVER_NUM 525
#define VAR_ALLOW_NOTIFY 526
#define VAR_TLS_WIN_CERT 527
#define VAR_TCP_CONNECTION_LIMIT 528
#define VAR_FORWARD_NO_CACHE 529
#define VAR_STUB_NO_CACHE 530
#define VAR_LOG_SERVFAIL 531
#define VAR_DENY_ANY 532
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 533
#define VAR_LOG_TAG_QUERYREPLY 534
#define VAR_STREAM_WAIT_SIZE 535
#define VAR_TLS_CIPHERS 536
#define VAR_TLS_CIPHERSUITES 537
#define VAR_TLS_USE_SNI 538
#define VAR_IPSET 539
#define VAR_IPSET_NAME_V4 540
#define VAR_IPSET_NAME_V6 541
#define VAR_TLS_SESSION_TICKET_KEYS 542
#define VAR_RPZ 543
#define VAR_TAGS 544
#define VAR_RPZ_ACTION_OVERRIDE 545
#define VAR_RPZ_CNAME_OVERRIDE 546
#define VAR_RPZ_LOG 547
#define VAR_RPZ_LOG_NAME 548
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -630,7 +640,7 @@ union YYSTYPE
char* str;
#line 634 "util/configparser.h" /* yacc.c:1909 */
#line 644 "util/configparser.h" /* yacc.c:1909 */
};
typedef union YYSTYPE YYSTYPE;


@ -111,7 +111,9 @@ extern struct config_parser_state* cfg_parser;
%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
%token VAR_HTTPS_PORT
%token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
%token VAR_HTTP_NODELAY
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@ -238,7 +240,9 @@ content_server: server_num_threads | server_verbosity | server_port |
server_log_queries | server_log_replies | server_tcp_upstream | server_ssl_upstream |
server_log_local_actions |
server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
server_https_port |
server_https_port | server_http_endpoint | server_http_max_streams |
server_http_query_buffer_size | server_http_response_buffer_size |
server_http_nodelay |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
server_so_reuseport | server_delay_close |
server_unblock_lan_zones | server_insecure_lan_zones |
@ -955,13 +959,6 @@ server_tls_session_ticket_keys: VAR_TLS_SESSION_TICKET_KEYS STRING_ARG
yyerror("out of memory");
}
;
server_https_port: VAR_HTTPS_PORT STRING_ARG
{
OUTYY(("P(server_https_port:%s)\n", $2));
if(atoi($2) == 0)
yyerror("port number expected");
else cfg_parser->cfg->https_port = atoi($2);
};
server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
{
OUTYY(("P(server_tls_use_sni:%s)\n", $2));
@ -971,6 +968,59 @@ server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
free($2);
}
;
server_https_port: VAR_HTTPS_PORT STRING_ARG
{
OUTYY(("P(server_https_port:%s)\n", $2));
if(atoi($2) == 0)
yyerror("port number expected");
else cfg_parser->cfg->https_port = atoi($2);
};
server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG
{
OUTYY(("P(server_http_endpoint:%s)\n", $2));
free(cfg_parser->cfg->http_endpoint);
if($2 && $2[0] != '/') {
cfg_parser->cfg->http_endpoint = malloc(strlen($2)+2);
cfg_parser->cfg->http_endpoint[0] = '/';
memcpy(cfg_parser->cfg->http_endpoint+1, $2,
strlen($2)+1);
free($2);
} else {
cfg_parser->cfg->http_endpoint = $2;
}
};
server_http_max_streams: VAR_HTTP_MAX_STREAMS STRING_ARG
{
OUTYY(("P(server_http_max_streams:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("number expected");
else cfg_parser->cfg->http_max_streams = atoi($2);
free($2);
};
server_http_query_buffer_size: VAR_HTTP_QUERY_BUFFER_SIZE STRING_ARG
{
OUTYY(("P(server_http_query_buffer_size:%s)\n", $2));
if(!cfg_parse_memsize($2,
&cfg_parser->cfg->http_query_buffer_size))
yyerror("memory size expected");
free($2);
};
server_http_response_buffer_size: VAR_HTTP_RESPONSE_BUFFER_SIZE STRING_ARG
{
OUTYY(("P(server_http_response_buffer_size:%s)\n", $2));
if(!cfg_parse_memsize($2,
&cfg_parser->cfg->http_response_buffer_size))
yyerror("memory size expected");
free($2);
};
server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG
{
OUTYY(("P(server_http_nodelay:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
free($2);
};
server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
{
OUTYY(("P(server_use_systemd:%s)\n", $2));
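Review bot: The `malloc(strlen($2)+2)` in server_http_endpoint (hunk `@ -971,6 +968,59`) is dereferenced on the very next line without a NULL check, unlike the neighbouring actions that report `yyerror("out of memory")`, so an allocation failure crashes the parser instead of failing the config load. The rewrite below keeps the leading-'/' normalisation and only adds that check; the other actions in the hunk are unchanged. Separately, server_http_max_streams stores `atoi($2)` into a `uint32_t` without rejecting negative input, so a negative value wraps to a very large MAX_CONCURRENT_STREAMS setting; adding `|| atoi($2) < 0` to the existing `yyerror("number expected")` condition would close that.
```yacc
server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG
	{
		OUTYY(("P(server_http_endpoint:%s)\n", $2));
		free(cfg_parser->cfg->http_endpoint);
		if($2 && $2[0] != '/') {
			/* prefix a '/' so the stored endpoint is always an absolute path */
			cfg_parser->cfg->http_endpoint = malloc(strlen($2)+2);
			if(!cfg_parser->cfg->http_endpoint) {
				yyerror("out of memory");
			} else {
				cfg_parser->cfg->http_endpoint[0] = '/';
				memcpy(cfg_parser->cfg->http_endpoint+1, $2,
					strlen($2)+1);
			}
			free($2);
		} else {
			cfg_parser->cfg->http_endpoint = $2;
		}
	};
	/* … unchanged: server_http_max_streams and the following actions … */
```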


@ -929,7 +929,8 @@ static int http2_submit_settings(struct http2_session* h2_session)
{
int ret;
nghttp2_settings_entry settings[1] = {
{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100}};
{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS,
h2_session->c->http2_max_streams}};
ret = nghttp2_submit_settings(h2_session->session, NGHTTP2_FLAG_NONE,
settings, 1);
@ -965,27 +966,27 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
* correct event base for the event structure for libevent */
ub_event_free(c_hdl->ev->ev);
if(c_hdl->type == comm_http) {
#ifdef HAVE_NGHTTP2
if(c_hdl->type == comm_http && c_hdl->h2_session) {
if(!http2_session_server_create(c_hdl->h2_session)) {
if(!c_hdl->h2_session ||
!http2_session_server_create(c_hdl->h2_session)) {
log_warn("failed to create nghttp2");
return;
}
if(!http2_submit_settings(c_hdl->h2_session)) {
if(!c_hdl->h2_session ||
!http2_submit_settings(c_hdl->h2_session)) {
log_warn("failed to submit http2 settings");
return;
}
#endif
c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
comm_point_http_handle_callback, c_hdl);
} else {
#endif
c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
comm_point_tcp_handle_callback, c_hdl);
#ifdef HAVE_NGHTTP2
}
#endif
if(!c_hdl->ev->ev) {
log_warn("could not ub_event_new, dropped tcp");
return;
@ -2295,10 +2296,7 @@ void http2_stream_delete(struct http2_session* h2_session,
mesh_state_remove_reply(h2_stream->mesh, h2_stream->mesh_state,
h2_session->c);
}
if(h2_stream->qbuffer)
sldns_buffer_free(h2_stream->qbuffer);
if(h2_stream->rbuffer)
sldns_buffer_free(h2_stream->rbuffer);
http2_req_stream_clear(h2_stream);
free(h2_stream);
}
#endif
@ -3091,6 +3089,7 @@ comm_point_create_tcp_handler(struct comm_base *base,
static struct comm_point*
comm_point_create_http_handler(struct comm_base *base,
struct comm_point* parent, size_t bufsize, int harden_large_queries,
uint32_t http_max_streams, char* http_endpoint,
comm_point_callback_type* callback, void* callback_arg)
{
struct comm_point* c = (struct comm_point*)calloc(1,
@ -3147,9 +3146,11 @@ comm_point_create_http_handler(struct comm_base *base,
c->cb_arg = callback_arg;
c->http_min_version = http_version_2;
c->http2_max_qbuffer_size = bufsize;
c->http2_stream_max_qbuffer_size = bufsize;
if(harden_large_queries && bufsize > 512)
c->http2_max_qbuffer_size = 512;
c->http2_stream_max_qbuffer_size = 512;
c->http2_max_streams = http_max_streams;
c->http_endpoint = strdup(http_endpoint);
c->alpn_h2 = 0;
#ifdef HAVE_NGHTTP2
if(!(c->h2_session = http2_session_create(c))) {
@ -3195,6 +3196,7 @@ comm_point_create_http_handler(struct comm_base *base,
struct comm_point*
comm_point_create_tcp(struct comm_base *base, int fd, int num,
int idle_timeout, int harden_large_queries,
uint32_t http_max_streams, char* http_endpoint,
struct tcl_list* tcp_conn_limit, size_t bufsize,
struct sldns_buffer* spoolbuf, enum listen_type port_type,
comm_point_callback_type* callback, void* callback_arg)
@ -3271,6 +3273,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num,
} else if(port_type == listen_type_http) {
c->tcp_handlers[i] = comm_point_create_http_handler(
base, c, bufsize, harden_large_queries,
http_max_streams, http_endpoint,
callback, callback_arg);
}
else {
@ -3592,6 +3595,10 @@ comm_point_delete(struct comm_point* c)
SSL_free(c->ssl);
#endif
}
if(c->type == comm_http && c->http_endpoint) {
free(c->http_endpoint);
c->http_endpoint = NULL;
}
comm_point_close(c);
if(c->tcp_handlers) {
int i;
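Review bot: `c->http_endpoint = strdup(http_endpoint);` in comm_point_create_http_handler (hunk `@ -3147,9 +3146,11`) is neither NULL-guarded nor result-checked, so a NULL `http_endpoint` argument is undefined behaviour and an allocation failure yields a handler with no endpoint that creation still reports as success, unlike the `http2_session_create` failure handled right below it. Replace it with `if(!(c->http_endpoint = strdup(http_endpoint))) { log_err("could not strdup http endpoint"); /* same cleanup as the h2_session failure branch */ return NULL; }`, with the cleanup mirroring whatever that branch does (its body lies outside the hunk). Since the new block in comm_point_delete frees the string only when `c->type == comm_http`, any cleanup that goes through comm_point_delete must run after the type has been set.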


@ -219,6 +219,8 @@ struct comm_point {
http_version_none = 0,
http_version_2 = 2
} http_min_version;
/** http endpoint */
char* http_endpoint;
/* -------- HTTP/1.1 ------- */
/** Currently reading in http headers */
int http_in_headers;
@ -236,10 +238,13 @@ struct comm_point {
struct http2_session* h2_session;
/** set to 1 if h2 is negatiated using alpn */
int alpn_h2;
/** maximum allowed query buffer size */
size_t http2_max_qbuffer_size;
/** stream currently being handled */
struct http2_stream* h2_stream;
/** maximum allowed query buffer size, per stream */
size_t http2_stream_max_qbuffer_size;
/** maximum number of HTTP/2 streams per connection. Send in HTTP/2
* SETTINGS frame. */
uint32_t http2_max_streams;
/* -------- dnstap ------- */
/** the dnstap environment */
@ -481,6 +486,8 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
* many tcp handler commpoints.
* @param idle_timeout: TCP idle timeout in ms.
* @param harden_large_queries: whether query size should be limited.
* @param http_max_streams: maximum number of HTTP/2 streams per connection.
* @param http_endpoint: HTTP endpoint to service queries on
* @param tcp_conn_limit: TCP connection limit info.
* @param bufsize: size of buffer to create for handlers.
* @param spoolbuf: shared spool buffer for tcp_req_info structures.
@ -496,6 +503,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
*/
struct comm_point* comm_point_create_tcp(struct comm_base* base,
int fd, int num, int idle_timeout, int harden_large_queries,
uint32_t http_max_streams, char* http_endpoint,
struct tcl_list* tcp_conn_limit,
size_t bufsize, struct sldns_buffer* spoolbuf,
enum listen_type port_type,
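Review bot: The new `char* http_endpoint;` member is documented only as `http endpoint`, although netevent.c in this same commit stores a strdup'd copy in comm_point_create_http_handler and frees it in comm_point_delete; suggest `/** HTTP endpoint path queries are served on; owned copy, freed by comm_point_delete */`. The `@param http_endpoint` line on comm_point_create_tcp could likewise note that the string is copied, so the caller keeps ownership of what it passes in.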