- Fix #1263: Exempt loopback addresses from wait-limit.

doc/Changelog

@@ -1,3 +1,6 @@
+3 April 2025: Wouter
+	- Fix #1263: Exempt loopback addresses from wait-limit.
+
 2 April 2025: Yorgos
 	- Merge #1262 from markyang92, fix build with
 	  'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.

doc/example.conf.in

@@ -215,6 +215,12 @@ server:
 	# Apart from the default, the wait limit with cookie can be adjusted.
 	# wait-limit-cookie-netblock: 192.0.2.0/24 50000
 
+	# Defaults for loopback, it has no wait limit.
+	# wait-limit-netblock: 127.0.0.0/8 -1
+	# wait-limit-netblock: ::1/128 -1
+	# wait-limit-cookie-netblock: 127.0.0.0/8 -1
+	# wait-limit-cookie-netblock: ::1/128 -1
+
 	# the amount of memory to use for the RRset cache.
 	# plain value in bytes or you can append k, m or G. default is "4Mb".
 	# rrset-cache-size: 4m

doc/unbound.conf.5.in

@@ -326,11 +326,15 @@ The wait limit for the netblock. If not given the wait\-limit value is
 used. The most specific netblock is used to determine the limit. Useful for
 overriding the default for a specific, group or individual, server.
 The value -1 disables wait limits for the netblock.
+By default the loopback has a wait limit netblock of -1, it is not limited,
+because it is separated from the rest of network for spoofed packets.
+The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
 .TP
 .B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
 The wait limit for the netblock, when the query has a DNS cookie.
 If not given, the wait\-limit\-cookie value is used.
 The value -1 disables wait limits for the netblock.
+The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
 .TP
 .B so\-rcvbuf: \fI<number>
 If not 0, then set the SO_RCVBUF socket option to get more buffer

services/cache/infra.c

@@ -297,12 +297,43 @@ infra_wait_limit_netblock_insert(rbtree_type* wait_limits_netblock,
 	return 1;
 }
 
+/** Add a default wait limit netblock */
+static int
+wait_limit_netblock_default(struct rbtree_type* tree, char* str, int limit)
+{
+	struct wait_limit_netblock_info* d;
+	d = wait_limit_netblock_findcreate(tree, str);
+	if(!d)
+		return 0;
+	d->limit = limit;
+	return 1;
+}
+
 int
 setup_wait_limits(rbtree_type* wait_limits_netblock,
 	rbtree_type* wait_limits_cookie_netblock, struct config_file* cfg)
 {
 	addr_tree_init(wait_limits_netblock);
 	addr_tree_init(wait_limits_cookie_netblock);
+
+	/* Insert defaults */
+	/* The loopback address is separated from the rest of the network. */
+	/* wait-limit-netblock: 127.0.0.0/8 -1 */
+	if(!wait_limit_netblock_default(wait_limits_netblock, "127.0.0.0/8",
+		-1))
+		return 0;
+	/* wait-limit-netblock: ::1/128 -1 */
+	if(!wait_limit_netblock_default(wait_limits_netblock, "::1/128", -1))
+		return 0;
+	/* wait-limit-cookie-netblock: 127.0.0.0/8 -1 */
+	if(!wait_limit_netblock_default(wait_limits_cookie_netblock,
+		"127.0.0.0/8", -1))
+		return 0;
+	/* wait-limit-cookie-netblock: ::1/128 -1 */
+	if(!wait_limit_netblock_default(wait_limits_cookie_netblock,
+		"::1/128", -1))
+		return 0;
+
 	if(!infra_wait_limit_netblock_insert(wait_limits_netblock,
 		wait_limits_cookie_netblock, cfg))
 		return 0;