mirror of
https://github.com/NLnetLabs/unbound.git
synced 2026-02-03 20:29:28 -05:00
Documentation for interface-* options.
parent
7e9fd2114b
commit
aec33b3d63
2 changed files with 96 additions and 5 deletions
|
|
@ -218,7 +218,8 @@ server:
|
|||
# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
|
||||
# infra-cache-numhosts: 10000
|
||||
|
||||
# define a number of tags here, use with local-zone, access-control.
|
||||
# define a number of tags here, use with local-zone, access-control,
|
||||
# interface-*.
|
||||
# repeat the define-tag statement to add additional tags.
|
||||
# define-tag: "tag1 tag2 tag3"
|
||||
|
||||
|
|
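Review bot: the reworded define-tag comment lists "interface-*" as a consumer of tags, but per the later hunk only interface-tag, interface-tag-action and interface-tag-data take a tag; interface-action takes an action and interface-view a view name. Naming the tag-taking options keeps the hint accurate and avoids the dangling second line that holds only "# interface-*.".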
@ -274,9 +275,7 @@ server:
|
|||
# allow_snoop (recursive and nonrecursive ok)
|
||||
# deny_non_local (drop queries unless can be answered from local-data)
|
||||
# refuse_non_local (like deny_non_local but polite error reply).
|
||||
# access-control: 0.0.0.0/0 refuse
|
||||
# access-control: 127.0.0.0/8 allow
|
||||
# access-control: ::0/0 refuse
|
||||
# access-control: ::1 allow
|
||||
# access-control: ::ffff:127.0.0.1 allow
|
||||
|
||||
|
|
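Review bot: the access-control example list shrinks by two lines here (header -274,9 +275,7), and no comment in the visible context says which action a client gets when it matches none of the listed netblocks. The man page part of this commit states that default as refuse, with only the localhost netblock allowed, so a one-line comment above the examples saying the same would keep the sample config self-explanatory.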
@ -285,7 +284,7 @@ server:
|
|||
# are tagged with one of these tags.
|
||||
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
|
||||
|
||||
# set action for particular tag for given access control element
|
||||
# set action for particular tag for given access control element.
|
||||
# if you have multiple tag values, the tag used to lookup the action
|
||||
# is the first tag match between access-control-tag and local-zone-tag
|
||||
# where "first" comes from the order of the define-tag values.
|
||||
|
|
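Review bot: style point on the line that gains a full stop, "# set action for particular tag for given access control element.": it and the following "# if you have multiple tag values" stay lowercase, while the interface-tag-action copy of the same text added in the next hunk is capitalised ("# Set action ...", "# If you have ..."). Pick one form for both blocks.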
@ -297,6 +296,58 @@ server:
|
|||
# Set view for access control element
|
||||
# access-control-view: 192.0.2.0/24 viewname
|
||||
|
||||
# Similar to 'access-control:' but for interfaces.
|
||||
# Control which listening interfaces are allowed to accept (recursive)
|
||||
# queries for this server.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the action.
|
||||
# The actions are the same as 'access-control:' above.
|
||||
# By default all the interfaces configured are refused.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-action: 192.0.2.153 allow
|
||||
# interface-action: 192.0.2.154 allow
|
||||
# interface-action: 192.0.2.154@5003 allow
|
||||
# interface-action: 2001:DB8::5 allow
|
||||
# interface-action: eth0@5003 allow
|
||||
|
||||
# Similar to 'access-control-tag:' but for interfaces.
|
||||
# Tag interfaces with a list of tags (in "" with spaces between).
|
||||
# Interfaces using these tags use localzones that are tagged with one
|
||||
# of these tags.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the list of tags.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-tag: eth0@5003 "tag2 tag3"
|
||||
|
||||
# Similar to 'access-control-tag-action:' but for interfaces.
|
||||
# Set action for particular tag for a given interface element.
|
||||
# If you have multiple tag values, the tag used to lookup the action
|
||||
# is the first tag match between interface-tag and local-zone-tag
|
||||
# where "first" comes from the order of the define-tag values.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the tag and action.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-tag-action: eth0@5003 tag3 refuse
|
||||
|
||||
# Similar to 'access-control-tag-data:' but for interfaces.
|
||||
# Set redirect data for a particular tag for an interface element.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the tag and the redirect data.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
|
||||
|
||||
# Similar to 'access-control-view:' but for interfaces.
|
||||
# Set view for an interface element.
|
||||
# The specified interfaces should be the same as the ones specified in
|
||||
# 'interface:' followed by the view name.
|
||||
# Note: any 'access-control*:' setting overrides all 'interface-*:'
|
||||
# settings for targeted clients.
|
||||
# interface-view: eth0@5003 viewname
|
||||
|
||||
# if given, a chroot(2) is done to the given directory.
|
||||
# i.e. you can chroot to the working directory, for example,
|
||||
# for extra security, but make sure all files are in that directory.
|
||||
|
|
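Review bot: the note repeated under each new option, "any 'access-control*:' setting overrides all 'interface-*:' settings for targeted clients", never says what makes a client targeted, and "By default all the interfaces configured are refused" sits beside it without the man page's qualification that the localhost netblock is still allowed through access-control. Suggest stating the precedence once, before interface-action, in concrete terms (which clients fall under access-control and which fall through to the interface settings), and adding that "interface-action: ... allow" admits every client arriving on that interface that no access-control netblock matches. Separately, "should be the same as the ones specified in 'interface:' followed by the action" reads as if the action belongs to 'interface:', and does not say whether "eth0@5003" needs an identical "interface: eth0@5003" line; rewording to "give the interface exactly as written in 'interface:', then the action" would settle both.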
|
|||
|
|
@ -675,7 +675,7 @@ The netblock is given as an IP4 or IP6 address with /size appended for a
|
|||
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
|
||||
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
|
||||
\fIrefuse_non_local\fR.
|
||||
The most specific netblock match is used, if none match \fIdeny\fR is used.
|
||||
The most specific netblock match is used, if none match \fIrefuse\fR is used.
|
||||
The order of the access\-control statements therefore does not matter.
|
||||
.IP
|
||||
The action \fIdeny\fR stops queries from hosts from that netblock.
|
||||
|
|
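Review bot: the change from deny to refuse in "if none match ... is used" alters the documented default for unmatched clients, which the commit subject "Documentation for interface-* options." does not cover. Please confirm the new wording matches what the server does and mention it in the commit message or split it into its own commit, since operators rely on this sentence to know whether unmatched clients receive an error reply or nothing. The sentence is also a comma splice; "The most specific netblock match is used; if none match, refuse is used." reads cleanly.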
@ -741,6 +741,46 @@ Set redirect data for particular tag for given access control element.
|
|||
.B access\-control\-view: \fI<IP netblock> <view name>
|
||||
Set view for given access control element.
|
||||
.TP
|
||||
.B interface\-action: \fI<ip address or interface name [@port]> <action>
|
||||
Similar to \fBaccess\-control:\fR but for interfaces.
|
||||
.IP
|
||||
The action is the same as the ones defined under \fBaccess\-control:\fR.
|
||||
Interfaces are \fIrefuse\fRd by default.
|
||||
By default only localhost (the IP netblock, not the loopback interface) is
|
||||
\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
|
||||
Similar to \fBaccess\-control-tag:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
|
||||
Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
|
||||
Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B interface\-view: \fI<ip address or interface name [@port]> <view name>
|
||||
Similar to \fBaccess\-control-view:\fR but for interfaces.
|
||||
.IP
|
||||
Note that the interface needs to be already specified with \fBinterface:\fR
|
||||
and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
|
||||
settings for targeted clients.
|
||||
.TP
|
||||
.B chroot: \fI<directory>
|
||||
If chroot is enabled, you should pass the configfile (from the
|
||||
commandline) as a full path from the original root. After the
|
||||
|
|
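Review bot: hyphen escaping is inconsistent in the added entries: "\fBaccess-control*:\fR", "\fBinterface-*:\fR" and the tails of "access\-control-tag:", "access\-control-tag-action:", "access\-control-tag-data:" and "access\-control-view:" use a bare "-", while the .B lines and "access\-control:" use "\-". Escape all of them so the option names render the same way throughout. The interface-tag, interface-tag-action, interface-tag-data and interface-view entries also say only "Similar to ..." plus the shared note; the example config in this same commit carries a one-line description for each ("Tag interfaces with a list of tags", "Set view for an interface element"), and the man page should carry at least that much.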
|
|||