Merge branch 'master' into stream-reuse

Wouter Wijngaards 2020-11-24 08:20:07 +01:00
commit ead06af086
25 changed files with 6382 additions and 5636 deletions


@ -291,7 +291,7 @@ daemon_init(void)
free(daemon);
return NULL;
}
if(!(daemon->env->edns_tags = edns_tags_create())) {
if(!(daemon->env->edns_strings = edns_strings_create())) {
auth_zones_delete(daemon->env->auth_zones);
acl_list_delete(daemon->acl);
tcl_list_delete(daemon->tcl);
@ -638,9 +638,9 @@ daemon_fork(struct daemon* daemon)
&daemon->use_rpz))
fatal_exit("auth_zones could not be setup");
/* Set-up EDNS tags */
if(!edns_tags_apply_cfg(daemon->env->edns_tags, daemon->cfg))
fatal_exit("Could not set up EDNS tags");
/* Set-up EDNS strings */
if(!edns_strings_apply_cfg(daemon->env->edns_strings, daemon->cfg))
fatal_exit("Could not set up EDNS strings");
/* setup modules */
daemon_setup_modules(daemon);
@ -773,7 +773,7 @@ daemon_delete(struct daemon* daemon)
rrset_cache_delete(daemon->env->rrset_cache);
infra_delete(daemon->env->infra_cache);
edns_known_options_delete(daemon->env);
edns_tags_delete(daemon->env->edns_tags);
edns_strings_delete(daemon->env->edns_strings);
auth_zones_delete(daemon->env->auth_zones);
}
ub_randfree(daemon->rand);


@ -337,22 +337,44 @@ readpid (const char* file)
/** write pid to file.
* @param pidfile: file name of pid file.
* @param pid: pid to write to file.
* @return false on failure
*/
static void
static int
writepid (const char* pidfile, pid_t pid)
{
FILE* f;
int fd;
char pidbuf[32];
size_t count = 0;
snprintf(pidbuf, sizeof(pidbuf), "%lu\n", (unsigned long)pid);
if ((f = fopen(pidfile, "w")) == NULL ) {
if((fd = open(pidfile, O_WRONLY | O_CREAT | O_TRUNC
#ifdef O_NOFOLLOW
| O_NOFOLLOW
#endif
, 0644)) == -1) {
log_err("cannot open pidfile %s: %s",
pidfile, strerror(errno));
return;
return 0;
}
if(fprintf(f, "%lu\n", (unsigned long)pid) < 0) {
log_err("cannot write to pidfile %s: %s",
pidfile, strerror(errno));
while(count < strlen(pidbuf)) {
ssize_t r = write(fd, pidbuf+count, strlen(pidbuf)-count);
if(r == -1) {
if(errno == EAGAIN || errno == EINTR)
continue;
log_err("cannot write to pidfile %s: %s",
pidfile, strerror(errno));
close(fd);
return 0;
} else if(r == 0) {
log_err("cannot write any bytes to pidfile %s: "
"write returns 0 bytes written", pidfile);
close(fd);
return 0;
}
count += r;
}
fclose(f);
close(fd);
return 1;
}
/**
@ -506,16 +528,17 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* write new pidfile (while still root, so can be outside chroot) */
#ifdef HAVE_KILL
if(cfg->pidfile && cfg->pidfile[0] && need_pidfile) {
writepid(daemon->pidfile, getpid());
if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
pidinchroot) {
if(writepid(daemon->pidfile, getpid())) {
if(cfg->username && cfg->username[0] && cfg_uid != (uid_t)-1 &&
pidinchroot) {
# ifdef HAVE_CHOWN
if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
(unsigned)cfg_uid, (unsigned)cfg_gid,
daemon->pidfile, strerror(errno));
}
if(chown(daemon->pidfile, cfg_uid, cfg_gid) == -1) {
verbose(VERB_QUERY, "cannot chown %u.%u %s: %s",
(unsigned)cfg_uid, (unsigned)cfg_gid,
daemon->pidfile, strerror(errno));
}
# endif /* HAVE_CHOWN */
}
}
}
#else
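Review bot: The `chown(daemon->pidfile, cfg_uid, cfg_gid)` in perform_setup still acts on the path after writepid() has already closed its descriptor, so the O_NOFOLLOW check made by open() does not cover the object whose ownership is changed; chown() follows a symlink, and the name can change between the two calls if the pidfile directory is writable by another account. Changing ownership through the open descriptor, `fchown(fd, cfg_uid, cfg_gid)` before `close(fd)`, or using `lchown(daemon->pidfile, cfg_uid, cfg_gid)`, would bind the ownership change to the file that was just written. On platforms without O_NOFOLLOW the open() silently follows links, which deserves a comment at the `#ifdef O_NOFOLLOW` such as `/* without O_NOFOLLOW a symlink at the pidfile path is still followed */`. perform_setup's body starts and ends outside the hunk.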


@ -1807,7 +1807,7 @@ worker_init(struct worker* worker, struct config_file *cfg,
&worker_alloc_cleanup, worker,
cfg->do_udp || cfg->udp_upstream_without_downstream,
worker->daemon->connect_sslctx, cfg->delay_close,
cfg->tls_use_sni, dtenv);
cfg->tls_use_sni, dtenv, cfg->udp_connect);
if(!worker->back) {
log_err("could not create outgoing sockets");
worker_delete(worker);


@ -1,9 +1,18 @@
23 November 2020: George
- Merge PR #313 from Ralph Dolmans: Replace edns-client-tag with
edns-client-string option.
23 November 2020: Wouter
- Merge #351 from dvzrv: Add AF_NETLINK to set of allowed socket
address families.
- Fix #350: with the AF_NETLINK permission, to fix 1.12.0 error:
failed to list interfaces: getifaddrs: Address family not
supported by protocol.
- Fix #347: IP_DONTFRAG broken on Apple xcode 12.2.
- Option to toggle udp-connect, default is enabled.
- Fix for #303 CVE-2020-28935 : Fix that symlink does not interfere
with chown of pidfile.
- Further fix for it and retvalue 0 fix for it.
12 November 2020: Wouter
- Fix to connect() to UDP destinations, default turned on,


@ -161,6 +161,9 @@ server:
# msec to wait before close of port on timeout UDP. 0 disables.
# delay-close: 0
# perform connect for UDP sockets to mitigate ICMP side channel.
# udp-connect: yes
# msec for waiting for an unknown server to reply. Increase if you
# are behind a slow satellite link, to eg. 1128.
# unknown-server-time-limit: 376


@ -274,6 +274,10 @@ eg. 1500 msec. When timeouts happen you need extra sockets, it checks
the ID and remote IP of packets, and unwanted packets are added to the
unwanted packet counter.
.TP
.B udp\-connect: \fI<yes or no>
Perform connect for UDP sockets that mitigates ICMP side channel leakage.
Default is yes.
.TP
.B unknown\-server\-time\-limit: \fI<msec>
The wait time in msec for waiting for an unknown server to reply.
Increase this if you are behind a slow satellite link, to eg. 1128.
@ -1546,15 +1550,15 @@ Set the number of servers that should be used for fast server selection. Only
use the fastest specified number of servers with the fast\-server\-permil
option, that turns this on or off. The default is to use the fastest 3 servers.
.TP 5
.B edns\-client\-tag: \fI<IP netblock> <tag data>
Include an edns-client-tag option in queries with destination address matching
the configured IP netblock. This configuration option can be used multiple
times. The most specific match will be used. The tag data is configured in
decimal format, from 0 to 65535.
.B edns\-client\-string: \fI<IP netblock> <string>
Include an EDNS0 option containing configured ascii string in queries with
destination address matching the configured IP netblock. This configuration
option can be used multiple times. The most specific match will be used.
.TP 5
.B edns\-client\-tag\-opcode: \fI<opcode>
EDNS0 option code for the edns-client-tag option, from 0 to 65535. Default is
16, as assigned by IANA.
.B edns\-client\-string\-opcode: \fI<opcode>
EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535.
A value from the `Reserved for Local/Experimental` range (65001-65534) should
be used. Default is 65001.
.SS "Remote Control Options"
In the
.B remote\-control:


@ -80,7 +80,7 @@ context_finalize(struct ub_ctx* ctx)
return UB_INITFAIL;
if(!auth_zones_apply_cfg(ctx->env->auth_zones, cfg, 1, &is_rpz))
return UB_INITFAIL;
if(!edns_tags_apply_cfg(ctx->env->edns_tags, cfg))
if(!edns_strings_apply_cfg(ctx->env->edns_strings, cfg))
return UB_INITFAIL;
if(!slabhash_is_size(ctx->env->msg_cache, cfg->msg_cache_size,
cfg->msg_cache_slabs)) {


@ -154,8 +154,8 @@ static struct ub_ctx* ub_ctx_create_nopipe(void)
errno = ENOMEM;
return NULL;
}
ctx->env->edns_tags = edns_tags_create();
if(!ctx->env->edns_tags) {
ctx->env->edns_strings = edns_strings_create();
if(!ctx->env->edns_strings) {
auth_zones_delete(ctx->env->auth_zones);
edns_known_options_delete(ctx->env);
config_delete(ctx->env->cfg);
@ -186,7 +186,7 @@ ub_ctx_create(void)
config_delete(ctx->env->cfg);
modstack_desetup(&ctx->mods, ctx->env);
edns_known_options_delete(ctx->env);
edns_tags_delete(ctx->env->edns_tags);
edns_strings_delete(ctx->env->edns_strings);
free(ctx->env);
free(ctx);
errno = e;
@ -199,7 +199,7 @@ ub_ctx_create(void)
config_delete(ctx->env->cfg);
modstack_desetup(&ctx->mods, ctx->env);
edns_known_options_delete(ctx->env);
edns_tags_delete(ctx->env->edns_tags);
edns_strings_delete(ctx->env->edns_strings);
free(ctx->env);
free(ctx);
errno = e;
@ -338,7 +338,7 @@ ub_ctx_delete(struct ub_ctx* ctx)
infra_delete(ctx->env->infra_cache);
config_delete(ctx->env->cfg);
edns_known_options_delete(ctx->env);
edns_tags_delete(ctx->env->edns_tags);
edns_strings_delete(ctx->env->edns_strings);
auth_zones_delete(ctx->env->auth_zones);
free(ctx->env);
}


@ -238,7 +238,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
ports, numports, cfg->unwanted_threshold,
cfg->outgoing_tcp_mss, &libworker_alloc_cleanup, w,
cfg->do_udp || cfg->udp_upstream_without_downstream, w->sslctx,
cfg->delay_close, cfg->tls_use_sni, NULL);
cfg->delay_close, cfg->tls_use_sni, NULL, cfg->udp_connect);
w->env->outnet = w->back;
if(!w->is_bg || w->is_bg_thread) {
lock_basic_unlock(&ctx->cfglock);


@ -531,7 +531,9 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr,
return -1;
}
}
# elif defined(IP_DONTFRAG)
# elif defined(IP_DONTFRAG) && !defined(__APPLE__)
/* the IP_DONTFRAG option if defined in the 11.0 OSX headers,
* but does not work on that version, so we exclude it */
int off = 0;
if (setsockopt(s, IPPROTO_IP, IP_DONTFRAG,
&off, (socklen_t)sizeof(off)) < 0) {
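Review bot: The new comment reads `the IP_DONTFRAG option if defined in the 11.0 OSX headers`, where `is defined` appears to be meant, and the guard `!defined(__APPLE__)` excludes every Apple target rather than only the SDK version the comment names. The comment should also say what happens on macOS after the exclusion, for example `/* on Apple no don't-fragment socket option is set here; the system default applies */`, assuming no later `#elif` branch covers that platform. create_udp_sock's body starts and ends outside the hunk.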


@ -1333,7 +1333,8 @@ outside_network_create(struct comm_base *base, size_t bufsize,
struct ub_randstate* rnd, int use_caps_for_id, int* availports,
int numavailports, size_t unwanted_threshold, int tcp_mss,
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv)
void* sslctx, int delayclose, int tls_use_sni, struct dt_env* dtenv,
int udp_connect)
{
struct outside_network* outnet = (struct outside_network*)
calloc(1, sizeof(struct outside_network));
@ -1371,6 +1372,9 @@ outside_network_create(struct comm_base *base, size_t bufsize,
outnet->delay_tv.tv_usec = (delayclose%1000)*1000;
}
#endif
if(udp_connect) {
outnet->udp_connect = 1;
}
if(numavailports == 0 || num_ports == 0) {
log_err("no outgoing ports available");
outside_network_delete(outnet);
@ -1742,7 +1746,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
my_if = ub_random_max(outnet->rnd, num_if);
pif = &ifs[my_if];
#ifndef DISABLE_EXPLICIT_PORT_RANDOMISATION
if(1) {
if(outnet->udp_connect) {
/* if we connect() we cannot reuse fds for a port */
if(pif->inuse >= pif->avail_total) {
tries++;
@ -1778,7 +1782,7 @@ select_ifport(struct outside_network* outnet, struct pending* pend,
if(fd != -1) {
verbose(VERB_ALGO, "opened UDP if=%d port=%d",
my_if, portno);
if(1) {
if(outnet->udp_connect) {
/* connect() to the destination */
if(connect(fd, (struct sockaddr*)&pend->addr,
pend->addrlen) < 0) {
@ -2949,18 +2953,18 @@ outnet_serviced_query(struct outside_network* outnet,
{
struct serviced_query* sq;
struct service_callback* cb;
struct edns_tag_addr* client_tag_addr;
struct edns_string_addr* client_string_addr;
if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen,
qstate, qstate->region))
return NULL;
if((client_tag_addr = edns_tag_addr_lookup(&env->edns_tags->client_tags,
addr, addrlen))) {
uint16_t client_tag = htons(client_tag_addr->tag_data);
if((client_string_addr = edns_string_addr_lookup(
&env->edns_strings->client_strings, addr, addrlen))) {
edns_opt_list_append(&qstate->edns_opts_back_out,
env->edns_tags->client_tag_opcode, 2,
(uint8_t*)&client_tag, qstate->region);
env->edns_strings->client_string_opcode,
client_string_addr->string_len,
client_string_addr->string, qstate->region);
}
serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype,
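Review bot: The return value of `edns_opt_list_append(...)` in outnet_serviced_query is discarded, so if the append fails (presumably on region allocation failure) the query goes out without the configured client string and nothing is logged. Now that the fixed length 2 is replaced by a variable `client_string_addr->string_len`, a check such as `if(!edns_opt_list_append(...)) log_err("out of memory adding EDNS client string");` would make that visible. I cannot see from the hunk whether `string_len` is bounded to the 16-bit EDNS option length when the config is read, so a comment stating where that limit is enforced would help. The same call in the test stub's outnet_serviced_query has the same pattern, and the function's body continues outside the hunk.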


@ -107,6 +107,9 @@ struct outside_network {
int delayclose;
/** timeout for delayclose */
struct timeval delay_tv;
/** if we perform udp-connect, connect() for UDP socket to mitigate
* ICMP side channel leakage */
int udp_connect;
/** array of outgoing IP4 interfaces */
struct port_if* ip4_ifs;
@ -514,6 +517,7 @@ struct serviced_query {
* msec to wait on timeouted udp sockets.
* @param tls_use_sni: if SNI is used for TLS connections.
* @param dtenv: environment to send dnstap events with (if enabled).
* @param udp_connect: if the udp_connect option is enabled.
* @return: the new structure (with no pending answers) or NULL on error.
*/
struct outside_network* outside_network_create(struct comm_base* base,
@ -522,7 +526,8 @@ struct outside_network* outside_network_create(struct comm_base* base,
struct ub_randstate* rnd, int use_caps_for_id, int* availports,
int numavailports, size_t unwanted_threshold, int tcp_mss,
void (*unwanted_action)(void*), void* unwanted_param, int do_udp,
void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv);
void* sslctx, int delayclose, int tls_use_sni, struct dt_env *dtenv,
int udp_connect);
/**
* Delete outside_network structure.


@ -1045,7 +1045,7 @@ outside_network_create(struct comm_base* base, size_t bufsize,
void (*unwanted_action)(void*), void* ATTR_UNUSED(unwanted_param),
int ATTR_UNUSED(do_udp), void* ATTR_UNUSED(sslctx),
int ATTR_UNUSED(delayclose), int ATTR_UNUSED(tls_use_sni),
struct dt_env* ATTR_UNUSED(dtenv))
struct dt_env* ATTR_UNUSED(dtenv), int ATTR_UNUSED(udp_connect))
{
struct replay_runtime* runtime = (struct replay_runtime*)base;
struct outside_network* outnet = calloc(1,
@ -1214,7 +1214,7 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
sldns_buffer_flip(pend->buffer);
if(1) {
struct edns_data edns;
struct edns_tag_addr* client_tag_addr;
struct edns_string_addr* client_string_addr;
if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen,
zone, zonelen, qstate, qstate->region)) {
free(pend);
@ -1228,13 +1228,13 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet,
edns.bits = 0;
if(dnssec)
edns.bits = EDNS_DO;
if((client_tag_addr = edns_tag_addr_lookup(
&env->edns_tags->client_tags,
if((client_string_addr = edns_string_addr_lookup(
&env->edns_strings->client_strings,
addr, addrlen))) {
uint16_t client_tag = htons(client_tag_addr->tag_data);
edns_opt_list_append(&qstate->edns_opts_back_out,
env->edns_tags->client_tag_opcode, 2,
(uint8_t*)&client_tag, qstate->region);
env->edns_strings->client_string_opcode,
client_string_addr->string_len,
client_string_addr->string, qstate->region);
}
edns.opt_list = qstate->edns_opts_back_out;
attach_edns_record(pend->buffer, &edns);


@ -1,14 +1,14 @@
; config options
server:
edns-client-tag: 10.0.0.0/24 1234
edns-client-tag: 10.0.0.10/32 5678
edns-client-string: 10.0.0.0/24 "abc d"
edns-client-string: 10.0.0.10/32 "123AbC!"
stub-zone:
name: "tag1234."
name: "edns-string-abc."
stub-addr: 10.0.0.1
stub-zone:
name: "tag5678."
name: "edns-string-123."
stub-addr: 10.0.0.10
stub-zone:
@ -17,7 +17,7 @@ stub-zone:
CONFIG_END
SCENARIO_BEGIN Test EDNS client tag option
SCENARIO_BEGIN Test EDNS string tag option
RANGE_BEGIN 0 1000
ADDRESS 10.0.0.1
@ -26,9 +26,9 @@ MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
tag1234. IN A
edns-string-abc. IN A
SECTION ANSWER
tag1234. IN A 10.20.30.40
edns-string-abc. IN A 10.20.30.40
SECTION ADDITIONAL
ENTRY_END
RANGE_END
@ -40,9 +40,9 @@ MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
tag5678. IN A
edns-string-123. IN A
SECTION ANSWER
tag5678. IN A 10.20.30.40
edns-string-123. IN A 10.20.30.40
SECTION ADDITIONAL
ENTRY_END
RANGE_END
@ -65,19 +65,19 @@ STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
tag1234. IN A
edns-string-abc. IN A
ENTRY_END
STEP 20 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
tag1234. IN A
edns-string-abc. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 10 ; Opcode 16
00 02 ; Length 2
04 d2 ; 1234
fd e9 ; Opcode 65001
00 05 ; Length 5
61 62 63 20 64 ; "abc d"
HEX_EDNSDATA_END
ENTRY_END
@ -86,28 +86,29 @@ ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
tag1234. IN A
edns-string-abc. IN A
SECTION ANSWER
tag1234. IN A 10.20.30.40
edns-string-abc. IN A 10.20.30.40
ENTRY_END
STEP 110 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
tag5678. IN A
edns-string-123. IN A
ENTRY_END
STEP 120 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
tag5678. IN A
edns-string-123. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
00 10 ; Opcode 16
00 02 ; Length 2
16 2e ; 5678
fd e9 ; Opcode 65001
00 07 ; Length 7
31 32 33 41 62 ; "123Ab"
43 21 ; "C!"
HEX_EDNSDATA_END
ENTRY_END
@ -116,9 +117,9 @@ ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
tag5678. IN A
edns-string-123. IN A
SECTION ANSWER
tag5678. IN A 10.20.30.40
edns-string-123. IN A 10.20.30.40
ENTRY_END
STEP 210 QUERY

153
testdata/edns_client_string_opcode.rpl vendored Normal file

@ -0,0 +1,153 @@
; config options
server:
edns-client-string: 10.0.0.0/24 "abc d"
edns-client-string: 10.0.0.10/32 "123AbC!"
edns-client-string-opcode: 65432
stub-zone:
name: "edns-string-abc."
stub-addr: 10.0.0.1
stub-zone:
name: "edns-string-123."
stub-addr: 10.0.0.10
stub-zone:
name: "notag."
stub-addr: 10.10.0.1
CONFIG_END
SCENARIO_BEGIN Test EDNS string tag option
RANGE_BEGIN 0 1000
ADDRESS 10.0.0.1
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
edns-string-abc. IN A
SECTION ANSWER
edns-string-abc. IN A 10.20.30.40
SECTION ADDITIONAL
ENTRY_END
RANGE_END
RANGE_BEGIN 0 1000
ADDRESS 10.0.0.10
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
edns-string-123. IN A
SECTION ANSWER
edns-string-123. IN A 10.20.30.40
SECTION ADDITIONAL
ENTRY_END
RANGE_END
RANGE_BEGIN 0 1000
ADDRESS 10.10.0.1
ENTRY_BEGIN
MATCH opcode qtype qname
ADJUST copy_id
REPLY QR NOERROR
SECTION QUESTION
notag. IN A
SECTION ANSWER
notag. IN A 10.20.30.40
SECTION ADDITIONAL
ENTRY_END
RANGE_END
STEP 10 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
edns-string-abc. IN A
ENTRY_END
STEP 20 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
edns-string-abc. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
ff 98 ; Opcode 65432
00 05 ; Length 5
61 62 63 20 64 ; "abc d"
HEX_EDNSDATA_END
ENTRY_END
STEP 30 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
edns-string-abc. IN A
SECTION ANSWER
edns-string-abc. IN A 10.20.30.40
ENTRY_END
STEP 110 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
edns-string-123. IN A
ENTRY_END
STEP 120 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
edns-string-123. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
ff 98 ; Opcode 65432
00 07 ; Length 7
31 32 33 41 62 ; "123Ab"
43 21 ; "C!"
HEX_EDNSDATA_END
ENTRY_END
STEP 130 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
edns-string-123. IN A
SECTION ANSWER
edns-string-123. IN A 10.20.30.40
ENTRY_END
STEP 210 QUERY
ENTRY_BEGIN
REPLY RD
SECTION QUESTION
notag. IN A
ENTRY_END
STEP 220 CHECK_OUT_QUERY
ENTRY_BEGIN
MATCH qname qtype opcode ednsdata
SECTION QUESTION
notag. IN A
SECTION ADDITIONAL
HEX_EDNSDATA_BEGIN
HEX_EDNSDATA_END
ENTRY_END
STEP 230 CHECK_ANSWER
ENTRY_BEGIN
MATCH all
REPLY QR RD RA NOERROR
SECTION QUESTION
notag. IN A
SECTION ANSWER
notag. IN A 10.20.30.40
ENTRY_END
SCENARIO_END


@ -172,6 +172,7 @@ config_create(void)
cfg->infra_cache_min_rtt = 50;
cfg->infra_keep_probing = 0;
cfg->delay_close = 0;
cfg->udp_connect = 1;
if(!(cfg->outgoing_avail_ports = (int*)calloc(65536, sizeof(int))))
goto error_exit;
init_outgoing_availports(cfg->outgoing_avail_ports, 65536);
@ -322,8 +323,8 @@ config_create(void)
cfg->qname_minimisation_strict = 0;
cfg->shm_enable = 0;
cfg->shm_key = 11777;
cfg->edns_client_tags = NULL;
cfg->edns_client_tag_opcode = LDNS_EDNS_CLIENT_TAG;
cfg->edns_client_strings = NULL;
cfg->edns_client_string_opcode = 65001;
cfg->dnscrypt = 0;
cfg->dnscrypt_port = 0;
cfg->dnscrypt_provider = NULL;
@ -569,6 +570,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_POW2("infra-cache-slabs:", infra_cache_slabs)
else S_SIZET_NONZERO("infra-cache-numhosts:", infra_cache_numhosts)
else S_NUMBER_OR_ZERO("delay-close:", delay_close)
else S_YNO("udp-connect:", udp_connect)
else S_STR("chroot:", chrootdir)
else S_STR("username:", username)
else S_STR("directory:", directory)
@ -964,6 +966,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_YNO(opt, "infra-keep-probing", infra_keep_probing)
else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts)
else O_UNS(opt, "delay-close", delay_close)
else O_YNO(opt, "udp-connect", udp_connect)
else O_YNO(opt, "do-ip4", do_ip4)
else O_YNO(opt, "do-ip6", do_ip6)
else O_YNO(opt, "do-udp", do_udp)
@ -1155,7 +1158,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_LS3(opt, "access-control-tag-action", acl_tag_actions)
else O_LS3(opt, "access-control-tag-data", acl_tag_datas)
else O_LS2(opt, "access-control-view", acl_view)
else O_LS2(opt, "edns-client-tags", edns_client_tags)
else O_LS2(opt, "edns-client-strings", edns_client_strings)
#ifdef USE_IPSECMOD
else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled)
else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus)
@ -1524,7 +1527,7 @@ config_delete(struct config_file* cfg)
config_deldblstrlist(cfg->ratelimit_below_domain);
config_delstrlist(cfg->python_script);
config_delstrlist(cfg->dynlib_file);
config_deldblstrlist(cfg->edns_client_tags);
config_deldblstrlist(cfg->edns_client_strings);
#ifdef USE_IPSECMOD
free(cfg->ipsecmod_hook);
config_delstrlist(cfg->ipsecmod_whitelist);
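Review bot: `cfg->edns_client_string_opcode = 65001;` in config_create replaces the named constant `LDNS_EDNS_CLIENT_TAG` with a bare number. A named constant or a short comment, e.g. `/* 65001: first code in the Local/Experimental EDNS option range */`, would keep the default and the documented range in one place. config_create's body continues outside the hunk.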


@ -185,6 +185,8 @@ struct config_file {
int infra_keep_probing;
/** delay close of udp-timeouted ports, if 0 no delayclose. in msec */
int delay_close;
/** udp_connect enable uses UDP connect to mitigate ICMP side channel */
int udp_connect;
/** the target fetch policy for the iterator */
char* target_fetch_policy;
@ -566,10 +568,10 @@ struct config_file {
/** SHM data - key for the shm */
int shm_key;
/** list of EDNS client tag entries, linked list */
struct config_str2list* edns_client_tags;
/** EDNS opcode to use for EDNS client tags */
uint16_t edns_client_tag_opcode;
/** list of EDNS client string entries, linked list */
struct config_str2list* edns_client_strings;
/** EDNS opcode to use for EDNS client strings */
uint16_t edns_client_string_opcode;
/** DNSCrypt */
/** true to enable dnscrypt */

File diff suppressed because it is too large Load diff


@ -301,6 +301,7 @@ infra-keep-probing{COLON} { YDVAR(1, VAR_INFRA_KEEP_PROBING) }
num-queries-per-thread{COLON} { YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
jostle-timeout{COLON} { YDVAR(1, VAR_JOSTLE_TIMEOUT) }
delay-close{COLON} { YDVAR(1, VAR_DELAY_CLOSE) }
udp-connect{COLON} { YDVAR(1, VAR_UDP_CONNECT) }
target-fetch-policy{COLON} { YDVAR(1, VAR_TARGET_FETCH_POLICY) }
harden-short-bufsize{COLON} { YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) }
harden-large-queries{COLON} { YDVAR(1, VAR_HARDEN_LARGE_QUERIES) }
@ -528,8 +529,8 @@ name-v4{COLON} { YDVAR(1, VAR_IPSET_NAME_V4) }
name-v6{COLON} { YDVAR(1, VAR_IPSET_NAME_V6) }
udp-upstream-without-downstream{COLON} { YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) }
tcp-connection-limit{COLON} { YDVAR(2, VAR_TCP_CONNECTION_LIMIT) }
edns-client-tag{COLON} { YDVAR(2, VAR_EDNS_CLIENT_TAG) }
edns-client-tag-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_TAG_OPCODE) }
edns-client-string{COLON} { YDVAR(2, VAR_EDNS_CLIENT_STRING) }
edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) }
<INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; }
/* Quoted strings. Strip leading and ending quotes */
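Review bot: The `edns-client-tag{COLON}` and `edns-client-tag-opcode{COLON}` rules are replaced rather than kept alongside the new ones, so a configuration file written with the previous option names will presumably fail to parse after an upgrade. If that break is intended, a comment here, or an explicit rule that reports the renamed option, would give operators a clearer message than a generic syntax error.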

File diff suppressed because it is too large Load diff


@ -1,8 +1,8 @@
/* A Bison parser, made by GNU Bison 3.4.1. */
/* A Bison parser, made by GNU Bison 3.6.4. */
/* Bison interface for Yacc-like parsers in C
Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2019 Free Software Foundation,
Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation,
Inc.
This program is free software: you can redistribute it and/or modify
@ -31,8 +31,9 @@
This special exception was added by the Free Software Foundation in
version 2.2 of Bison. */
/* Undocumented macros, especially those whose name start with YY_,
are private implementation details. Do not rely on them. */
/* DO NOT RELY ON FEATURES THAT ARE NOT DOCUMENTED in the manual,
especially those whose name start with YY_ or yy_. They are
private implementation details that can be changed or removed. */
#ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
# define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED
@ -44,313 +45,322 @@
extern int yydebug;
#endif
/* Token type. */
/* Token kinds. */
#ifndef YYTOKENTYPE
# define YYTOKENTYPE
enum yytokentype
{
SPACE = 258,
LETTER = 259,
NEWLINE = 260,
COMMENT = 261,
COLON = 262,
ANY = 263,
ZONESTR = 264,
STRING_ARG = 265,
VAR_FORCE_TOPLEVEL = 266,
VAR_SERVER = 267,
VAR_VERBOSITY = 268,
VAR_NUM_THREADS = 269,
VAR_PORT = 270,
VAR_OUTGOING_RANGE = 271,
VAR_INTERFACE = 272,
VAR_PREFER_IP4 = 273,
VAR_DO_IP4 = 274,
VAR_DO_IP6 = 275,
VAR_PREFER_IP6 = 276,
VAR_DO_UDP = 277,
VAR_DO_TCP = 278,
VAR_TCP_MSS = 279,
VAR_OUTGOING_TCP_MSS = 280,
VAR_TCP_IDLE_TIMEOUT = 281,
VAR_EDNS_TCP_KEEPALIVE = 282,
VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 283,
VAR_CHROOT = 284,
VAR_USERNAME = 285,
VAR_DIRECTORY = 286,
VAR_LOGFILE = 287,
VAR_PIDFILE = 288,
VAR_MSG_CACHE_SIZE = 289,
VAR_MSG_CACHE_SLABS = 290,
VAR_NUM_QUERIES_PER_THREAD = 291,
VAR_RRSET_CACHE_SIZE = 292,
VAR_RRSET_CACHE_SLABS = 293,
VAR_OUTGOING_NUM_TCP = 294,
VAR_INFRA_HOST_TTL = 295,
VAR_INFRA_LAME_TTL = 296,
VAR_INFRA_CACHE_SLABS = 297,
VAR_INFRA_CACHE_NUMHOSTS = 298,
VAR_INFRA_CACHE_LAME_SIZE = 299,
VAR_NAME = 300,
VAR_STUB_ZONE = 301,
VAR_STUB_HOST = 302,
VAR_STUB_ADDR = 303,
VAR_TARGET_FETCH_POLICY = 304,
VAR_HARDEN_SHORT_BUFSIZE = 305,
VAR_HARDEN_LARGE_QUERIES = 306,
VAR_FORWARD_ZONE = 307,
VAR_FORWARD_HOST = 308,
VAR_FORWARD_ADDR = 309,
VAR_DO_NOT_QUERY_ADDRESS = 310,
VAR_HIDE_IDENTITY = 311,
VAR_HIDE_VERSION = 312,
VAR_IDENTITY = 313,
VAR_VERSION = 314,
VAR_HARDEN_GLUE = 315,
VAR_MODULE_CONF = 316,
VAR_TRUST_ANCHOR_FILE = 317,
VAR_TRUST_ANCHOR = 318,
VAR_VAL_OVERRIDE_DATE = 319,
VAR_BOGUS_TTL = 320,
VAR_VAL_CLEAN_ADDITIONAL = 321,
VAR_VAL_PERMISSIVE_MODE = 322,
VAR_INCOMING_NUM_TCP = 323,
VAR_MSG_BUFFER_SIZE = 324,
VAR_KEY_CACHE_SIZE = 325,
VAR_KEY_CACHE_SLABS = 326,
VAR_TRUSTED_KEYS_FILE = 327,
VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 328,
VAR_USE_SYSLOG = 329,
VAR_OUTGOING_INTERFACE = 330,
VAR_ROOT_HINTS = 331,
VAR_DO_NOT_QUERY_LOCALHOST = 332,
VAR_CACHE_MAX_TTL = 333,
VAR_HARDEN_DNSSEC_STRIPPED = 334,
VAR_ACCESS_CONTROL = 335,
VAR_LOCAL_ZONE = 336,
VAR_LOCAL_DATA = 337,
VAR_INTERFACE_AUTOMATIC = 338,
VAR_STATISTICS_INTERVAL = 339,
VAR_DO_DAEMONIZE = 340,
VAR_USE_CAPS_FOR_ID = 341,
VAR_STATISTICS_CUMULATIVE = 342,
VAR_OUTGOING_PORT_PERMIT = 343,
VAR_OUTGOING_PORT_AVOID = 344,
VAR_DLV_ANCHOR_FILE = 345,
VAR_DLV_ANCHOR = 346,
VAR_NEG_CACHE_SIZE = 347,
VAR_HARDEN_REFERRAL_PATH = 348,
VAR_PRIVATE_ADDRESS = 349,
VAR_PRIVATE_DOMAIN = 350,
VAR_REMOTE_CONTROL = 351,
VAR_CONTROL_ENABLE = 352,
VAR_CONTROL_INTERFACE = 353,
VAR_CONTROL_PORT = 354,
VAR_SERVER_KEY_FILE = 355,
VAR_SERVER_CERT_FILE = 356,
VAR_CONTROL_KEY_FILE = 357,
VAR_CONTROL_CERT_FILE = 358,
VAR_CONTROL_USE_CERT = 359,
VAR_EXTENDED_STATISTICS = 360,
VAR_LOCAL_DATA_PTR = 361,
VAR_JOSTLE_TIMEOUT = 362,
VAR_STUB_PRIME = 363,
VAR_UNWANTED_REPLY_THRESHOLD = 364,
VAR_LOG_TIME_ASCII = 365,
VAR_DOMAIN_INSECURE = 366,
VAR_PYTHON = 367,
VAR_PYTHON_SCRIPT = 368,
VAR_VAL_SIG_SKEW_MIN = 369,
VAR_VAL_SIG_SKEW_MAX = 370,
VAR_CACHE_MIN_TTL = 371,
VAR_VAL_LOG_LEVEL = 372,
VAR_AUTO_TRUST_ANCHOR_FILE = 373,
VAR_KEEP_MISSING = 374,
VAR_ADD_HOLDDOWN = 375,
VAR_DEL_HOLDDOWN = 376,
VAR_SO_RCVBUF = 377,
VAR_EDNS_BUFFER_SIZE = 378,
VAR_PREFETCH = 379,
VAR_PREFETCH_KEY = 380,
VAR_SO_SNDBUF = 381,
VAR_SO_REUSEPORT = 382,
VAR_HARDEN_BELOW_NXDOMAIN = 383,
VAR_IGNORE_CD_FLAG = 384,
VAR_LOG_QUERIES = 385,
VAR_LOG_REPLIES = 386,
VAR_LOG_LOCAL_ACTIONS = 387,
VAR_TCP_UPSTREAM = 388,
VAR_SSL_UPSTREAM = 389,
VAR_SSL_SERVICE_KEY = 390,
VAR_SSL_SERVICE_PEM = 391,
VAR_SSL_PORT = 392,
VAR_FORWARD_FIRST = 393,
VAR_STUB_SSL_UPSTREAM = 394,
VAR_FORWARD_SSL_UPSTREAM = 395,
VAR_TLS_CERT_BUNDLE = 396,
VAR_HTTPS_PORT = 397,
VAR_HTTP_ENDPOINT = 398,
VAR_HTTP_MAX_STREAMS = 399,
VAR_HTTP_QUERY_BUFFER_SIZE = 400,
VAR_HTTP_RESPONSE_BUFFER_SIZE = 401,
VAR_HTTP_NODELAY = 402,
VAR_HTTP_NOTLS_DOWNSTREAM = 403,
VAR_STUB_FIRST = 404,
VAR_MINIMAL_RESPONSES = 405,
VAR_RRSET_ROUNDROBIN = 406,
VAR_MAX_UDP_SIZE = 407,
VAR_DELAY_CLOSE = 408,
VAR_UNBLOCK_LAN_ZONES = 409,
VAR_INSECURE_LAN_ZONES = 410,
VAR_INFRA_CACHE_MIN_RTT = 411,
VAR_INFRA_KEEP_PROBING = 412,
VAR_DNS64_PREFIX = 413,
VAR_DNS64_SYNTHALL = 414,
VAR_DNS64_IGNORE_AAAA = 415,
VAR_DNSTAP = 416,
VAR_DNSTAP_ENABLE = 417,
VAR_DNSTAP_SOCKET_PATH = 418,
VAR_DNSTAP_IP = 419,
VAR_DNSTAP_TLS = 420,
VAR_DNSTAP_TLS_SERVER_NAME = 421,
VAR_DNSTAP_TLS_CERT_BUNDLE = 422,
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 423,
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 424,
VAR_DNSTAP_SEND_IDENTITY = 425,
VAR_DNSTAP_SEND_VERSION = 426,
VAR_DNSTAP_BIDIRECTIONAL = 427,
VAR_DNSTAP_IDENTITY = 428,
VAR_DNSTAP_VERSION = 429,
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 430,
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 431,
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 432,
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 433,
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 434,
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 435,
VAR_RESPONSE_IP_TAG = 436,
VAR_RESPONSE_IP = 437,
VAR_RESPONSE_IP_DATA = 438,
VAR_HARDEN_ALGO_DOWNGRADE = 439,
VAR_IP_TRANSPARENT = 440,
VAR_IP_DSCP = 441,
VAR_DISABLE_DNSSEC_LAME_CHECK = 442,
VAR_IP_RATELIMIT = 443,
VAR_IP_RATELIMIT_SLABS = 444,
VAR_IP_RATELIMIT_SIZE = 445,
VAR_RATELIMIT = 446,
VAR_RATELIMIT_SLABS = 447,
VAR_RATELIMIT_SIZE = 448,
VAR_RATELIMIT_FOR_DOMAIN = 449,
VAR_RATELIMIT_BELOW_DOMAIN = 450,
VAR_IP_RATELIMIT_FACTOR = 451,
VAR_RATELIMIT_FACTOR = 452,
VAR_SEND_CLIENT_SUBNET = 453,
VAR_CLIENT_SUBNET_ZONE = 454,
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 455,
VAR_CLIENT_SUBNET_OPCODE = 456,
VAR_MAX_CLIENT_SUBNET_IPV4 = 457,
VAR_MAX_CLIENT_SUBNET_IPV6 = 458,
VAR_MIN_CLIENT_SUBNET_IPV4 = 459,
VAR_MIN_CLIENT_SUBNET_IPV6 = 460,
VAR_MAX_ECS_TREE_SIZE_IPV4 = 461,
VAR_MAX_ECS_TREE_SIZE_IPV6 = 462,
VAR_CAPS_WHITELIST = 463,
VAR_CACHE_MAX_NEGATIVE_TTL = 464,
VAR_PERMIT_SMALL_HOLDDOWN = 465,
VAR_QNAME_MINIMISATION = 466,
VAR_QNAME_MINIMISATION_STRICT = 467,
VAR_IP_FREEBIND = 468,
VAR_DEFINE_TAG = 469,
VAR_LOCAL_ZONE_TAG = 470,
VAR_ACCESS_CONTROL_TAG = 471,
VAR_LOCAL_ZONE_OVERRIDE = 472,
VAR_ACCESS_CONTROL_TAG_ACTION = 473,
VAR_ACCESS_CONTROL_TAG_DATA = 474,
VAR_VIEW = 475,
VAR_ACCESS_CONTROL_VIEW = 476,
VAR_VIEW_FIRST = 477,
VAR_SERVE_EXPIRED = 478,
VAR_SERVE_EXPIRED_TTL = 479,
VAR_SERVE_EXPIRED_TTL_RESET = 480,
VAR_SERVE_EXPIRED_REPLY_TTL = 481,
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 482,
VAR_FAKE_DSA = 483,
VAR_FAKE_SHA1 = 484,
VAR_LOG_IDENTITY = 485,
VAR_HIDE_TRUSTANCHOR = 486,
VAR_TRUST_ANCHOR_SIGNALING = 487,
VAR_AGGRESSIVE_NSEC = 488,
VAR_USE_SYSTEMD = 489,
VAR_SHM_ENABLE = 490,
VAR_SHM_KEY = 491,
VAR_ROOT_KEY_SENTINEL = 492,
VAR_DNSCRYPT = 493,
VAR_DNSCRYPT_ENABLE = 494,
VAR_DNSCRYPT_PORT = 495,
VAR_DNSCRYPT_PROVIDER = 496,
VAR_DNSCRYPT_SECRET_KEY = 497,
VAR_DNSCRYPT_PROVIDER_CERT = 498,
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 499,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 500,
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 501,
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 502,
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 503,
VAR_IPSECMOD_ENABLED = 504,
VAR_IPSECMOD_HOOK = 505,
VAR_IPSECMOD_IGNORE_BOGUS = 506,
VAR_IPSECMOD_MAX_TTL = 507,
VAR_IPSECMOD_WHITELIST = 508,
VAR_IPSECMOD_STRICT = 509,
VAR_CACHEDB = 510,
VAR_CACHEDB_BACKEND = 511,
VAR_CACHEDB_SECRETSEED = 512,
VAR_CACHEDB_REDISHOST = 513,
VAR_CACHEDB_REDISPORT = 514,
VAR_CACHEDB_REDISTIMEOUT = 515,
VAR_CACHEDB_REDISEXPIRERECORDS = 516,
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 517,
VAR_FOR_UPSTREAM = 518,
VAR_AUTH_ZONE = 519,
VAR_ZONEFILE = 520,
VAR_MASTER = 521,
VAR_URL = 522,
VAR_FOR_DOWNSTREAM = 523,
VAR_FALLBACK_ENABLED = 524,
VAR_TLS_ADDITIONAL_PORT = 525,
VAR_LOW_RTT = 526,
VAR_LOW_RTT_PERMIL = 527,
VAR_FAST_SERVER_PERMIL = 528,
VAR_FAST_SERVER_NUM = 529,
VAR_ALLOW_NOTIFY = 530,
VAR_TLS_WIN_CERT = 531,
VAR_TCP_CONNECTION_LIMIT = 532,
VAR_FORWARD_NO_CACHE = 533,
VAR_STUB_NO_CACHE = 534,
VAR_LOG_SERVFAIL = 535,
VAR_DENY_ANY = 536,
VAR_UNKNOWN_SERVER_TIME_LIMIT = 537,
VAR_LOG_TAG_QUERYREPLY = 538,
VAR_STREAM_WAIT_SIZE = 539,
VAR_TLS_CIPHERS = 540,
VAR_TLS_CIPHERSUITES = 541,
VAR_TLS_USE_SNI = 542,
VAR_IPSET = 543,
VAR_IPSET_NAME_V4 = 544,
VAR_IPSET_NAME_V6 = 545,
VAR_TLS_SESSION_TICKET_KEYS = 546,
VAR_RPZ = 547,
VAR_TAGS = 548,
VAR_RPZ_ACTION_OVERRIDE = 549,
VAR_RPZ_CNAME_OVERRIDE = 550,
VAR_RPZ_LOG = 551,
VAR_RPZ_LOG_NAME = 552,
VAR_DYNLIB = 553,
VAR_DYNLIB_FILE = 554,
VAR_EDNS_CLIENT_TAG = 555,
VAR_EDNS_CLIENT_TAG_OPCODE = 556
YYEMPTY = -2,
YYEOF = 0, /* "end of file" */
YYerror = 256, /* error */
YYUNDEF = 257, /* "invalid token" */
SPACE = 258, /* SPACE */
LETTER = 259, /* LETTER */
NEWLINE = 260, /* NEWLINE */
COMMENT = 261, /* COMMENT */
COLON = 262, /* COLON */
ANY = 263, /* ANY */
ZONESTR = 264, /* ZONESTR */
STRING_ARG = 265, /* STRING_ARG */
VAR_FORCE_TOPLEVEL = 266, /* VAR_FORCE_TOPLEVEL */
VAR_SERVER = 267, /* VAR_SERVER */
VAR_VERBOSITY = 268, /* VAR_VERBOSITY */
VAR_NUM_THREADS = 269, /* VAR_NUM_THREADS */
VAR_PORT = 270, /* VAR_PORT */
VAR_OUTGOING_RANGE = 271, /* VAR_OUTGOING_RANGE */
VAR_INTERFACE = 272, /* VAR_INTERFACE */
VAR_PREFER_IP4 = 273, /* VAR_PREFER_IP4 */
VAR_DO_IP4 = 274, /* VAR_DO_IP4 */
VAR_DO_IP6 = 275, /* VAR_DO_IP6 */
VAR_PREFER_IP6 = 276, /* VAR_PREFER_IP6 */
VAR_DO_UDP = 277, /* VAR_DO_UDP */
VAR_DO_TCP = 278, /* VAR_DO_TCP */
VAR_TCP_MSS = 279, /* VAR_TCP_MSS */
VAR_OUTGOING_TCP_MSS = 280, /* VAR_OUTGOING_TCP_MSS */
VAR_TCP_IDLE_TIMEOUT = 281, /* VAR_TCP_IDLE_TIMEOUT */
VAR_EDNS_TCP_KEEPALIVE = 282, /* VAR_EDNS_TCP_KEEPALIVE */
VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 283, /* VAR_EDNS_TCP_KEEPALIVE_TIMEOUT */
VAR_CHROOT = 284, /* VAR_CHROOT */
VAR_USERNAME = 285, /* VAR_USERNAME */
VAR_DIRECTORY = 286, /* VAR_DIRECTORY */
VAR_LOGFILE = 287, /* VAR_LOGFILE */
VAR_PIDFILE = 288, /* VAR_PIDFILE */
VAR_MSG_CACHE_SIZE = 289, /* VAR_MSG_CACHE_SIZE */
VAR_MSG_CACHE_SLABS = 290, /* VAR_MSG_CACHE_SLABS */
VAR_NUM_QUERIES_PER_THREAD = 291, /* VAR_NUM_QUERIES_PER_THREAD */
VAR_RRSET_CACHE_SIZE = 292, /* VAR_RRSET_CACHE_SIZE */
VAR_RRSET_CACHE_SLABS = 293, /* VAR_RRSET_CACHE_SLABS */
VAR_OUTGOING_NUM_TCP = 294, /* VAR_OUTGOING_NUM_TCP */
VAR_INFRA_HOST_TTL = 295, /* VAR_INFRA_HOST_TTL */
VAR_INFRA_LAME_TTL = 296, /* VAR_INFRA_LAME_TTL */
VAR_INFRA_CACHE_SLABS = 297, /* VAR_INFRA_CACHE_SLABS */
VAR_INFRA_CACHE_NUMHOSTS = 298, /* VAR_INFRA_CACHE_NUMHOSTS */
VAR_INFRA_CACHE_LAME_SIZE = 299, /* VAR_INFRA_CACHE_LAME_SIZE */
VAR_NAME = 300, /* VAR_NAME */
VAR_STUB_ZONE = 301, /* VAR_STUB_ZONE */
VAR_STUB_HOST = 302, /* VAR_STUB_HOST */
VAR_STUB_ADDR = 303, /* VAR_STUB_ADDR */
VAR_TARGET_FETCH_POLICY = 304, /* VAR_TARGET_FETCH_POLICY */
VAR_HARDEN_SHORT_BUFSIZE = 305, /* VAR_HARDEN_SHORT_BUFSIZE */
VAR_HARDEN_LARGE_QUERIES = 306, /* VAR_HARDEN_LARGE_QUERIES */
VAR_FORWARD_ZONE = 307, /* VAR_FORWARD_ZONE */
VAR_FORWARD_HOST = 308, /* VAR_FORWARD_HOST */
VAR_FORWARD_ADDR = 309, /* VAR_FORWARD_ADDR */
VAR_DO_NOT_QUERY_ADDRESS = 310, /* VAR_DO_NOT_QUERY_ADDRESS */
VAR_HIDE_IDENTITY = 311, /* VAR_HIDE_IDENTITY */
VAR_HIDE_VERSION = 312, /* VAR_HIDE_VERSION */
VAR_IDENTITY = 313, /* VAR_IDENTITY */
VAR_VERSION = 314, /* VAR_VERSION */
VAR_HARDEN_GLUE = 315, /* VAR_HARDEN_GLUE */
VAR_MODULE_CONF = 316, /* VAR_MODULE_CONF */
VAR_TRUST_ANCHOR_FILE = 317, /* VAR_TRUST_ANCHOR_FILE */
VAR_TRUST_ANCHOR = 318, /* VAR_TRUST_ANCHOR */
VAR_VAL_OVERRIDE_DATE = 319, /* VAR_VAL_OVERRIDE_DATE */
VAR_BOGUS_TTL = 320, /* VAR_BOGUS_TTL */
VAR_VAL_CLEAN_ADDITIONAL = 321, /* VAR_VAL_CLEAN_ADDITIONAL */
VAR_VAL_PERMISSIVE_MODE = 322, /* VAR_VAL_PERMISSIVE_MODE */
VAR_INCOMING_NUM_TCP = 323, /* VAR_INCOMING_NUM_TCP */
VAR_MSG_BUFFER_SIZE = 324, /* VAR_MSG_BUFFER_SIZE */
VAR_KEY_CACHE_SIZE = 325, /* VAR_KEY_CACHE_SIZE */
VAR_KEY_CACHE_SLABS = 326, /* VAR_KEY_CACHE_SLABS */
VAR_TRUSTED_KEYS_FILE = 327, /* VAR_TRUSTED_KEYS_FILE */
VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 328, /* VAR_VAL_NSEC3_KEYSIZE_ITERATIONS */
VAR_USE_SYSLOG = 329, /* VAR_USE_SYSLOG */
VAR_OUTGOING_INTERFACE = 330, /* VAR_OUTGOING_INTERFACE */
VAR_ROOT_HINTS = 331, /* VAR_ROOT_HINTS */
VAR_DO_NOT_QUERY_LOCALHOST = 332, /* VAR_DO_NOT_QUERY_LOCALHOST */
VAR_CACHE_MAX_TTL = 333, /* VAR_CACHE_MAX_TTL */
VAR_HARDEN_DNSSEC_STRIPPED = 334, /* VAR_HARDEN_DNSSEC_STRIPPED */
VAR_ACCESS_CONTROL = 335, /* VAR_ACCESS_CONTROL */
VAR_LOCAL_ZONE = 336, /* VAR_LOCAL_ZONE */
VAR_LOCAL_DATA = 337, /* VAR_LOCAL_DATA */
VAR_INTERFACE_AUTOMATIC = 338, /* VAR_INTERFACE_AUTOMATIC */
VAR_STATISTICS_INTERVAL = 339, /* VAR_STATISTICS_INTERVAL */
VAR_DO_DAEMONIZE = 340, /* VAR_DO_DAEMONIZE */
VAR_USE_CAPS_FOR_ID = 341, /* VAR_USE_CAPS_FOR_ID */
VAR_STATISTICS_CUMULATIVE = 342, /* VAR_STATISTICS_CUMULATIVE */
VAR_OUTGOING_PORT_PERMIT = 343, /* VAR_OUTGOING_PORT_PERMIT */
VAR_OUTGOING_PORT_AVOID = 344, /* VAR_OUTGOING_PORT_AVOID */
VAR_DLV_ANCHOR_FILE = 345, /* VAR_DLV_ANCHOR_FILE */
VAR_DLV_ANCHOR = 346, /* VAR_DLV_ANCHOR */
VAR_NEG_CACHE_SIZE = 347, /* VAR_NEG_CACHE_SIZE */
VAR_HARDEN_REFERRAL_PATH = 348, /* VAR_HARDEN_REFERRAL_PATH */
VAR_PRIVATE_ADDRESS = 349, /* VAR_PRIVATE_ADDRESS */
VAR_PRIVATE_DOMAIN = 350, /* VAR_PRIVATE_DOMAIN */
VAR_REMOTE_CONTROL = 351, /* VAR_REMOTE_CONTROL */
VAR_CONTROL_ENABLE = 352, /* VAR_CONTROL_ENABLE */
VAR_CONTROL_INTERFACE = 353, /* VAR_CONTROL_INTERFACE */
VAR_CONTROL_PORT = 354, /* VAR_CONTROL_PORT */
VAR_SERVER_KEY_FILE = 355, /* VAR_SERVER_KEY_FILE */
VAR_SERVER_CERT_FILE = 356, /* VAR_SERVER_CERT_FILE */
VAR_CONTROL_KEY_FILE = 357, /* VAR_CONTROL_KEY_FILE */
VAR_CONTROL_CERT_FILE = 358, /* VAR_CONTROL_CERT_FILE */
VAR_CONTROL_USE_CERT = 359, /* VAR_CONTROL_USE_CERT */
VAR_EXTENDED_STATISTICS = 360, /* VAR_EXTENDED_STATISTICS */
VAR_LOCAL_DATA_PTR = 361, /* VAR_LOCAL_DATA_PTR */
VAR_JOSTLE_TIMEOUT = 362, /* VAR_JOSTLE_TIMEOUT */
VAR_STUB_PRIME = 363, /* VAR_STUB_PRIME */
VAR_UNWANTED_REPLY_THRESHOLD = 364, /* VAR_UNWANTED_REPLY_THRESHOLD */
VAR_LOG_TIME_ASCII = 365, /* VAR_LOG_TIME_ASCII */
VAR_DOMAIN_INSECURE = 366, /* VAR_DOMAIN_INSECURE */
VAR_PYTHON = 367, /* VAR_PYTHON */
VAR_PYTHON_SCRIPT = 368, /* VAR_PYTHON_SCRIPT */
VAR_VAL_SIG_SKEW_MIN = 369, /* VAR_VAL_SIG_SKEW_MIN */
VAR_VAL_SIG_SKEW_MAX = 370, /* VAR_VAL_SIG_SKEW_MAX */
VAR_CACHE_MIN_TTL = 371, /* VAR_CACHE_MIN_TTL */
VAR_VAL_LOG_LEVEL = 372, /* VAR_VAL_LOG_LEVEL */
VAR_AUTO_TRUST_ANCHOR_FILE = 373, /* VAR_AUTO_TRUST_ANCHOR_FILE */
VAR_KEEP_MISSING = 374, /* VAR_KEEP_MISSING */
VAR_ADD_HOLDDOWN = 375, /* VAR_ADD_HOLDDOWN */
VAR_DEL_HOLDDOWN = 376, /* VAR_DEL_HOLDDOWN */
VAR_SO_RCVBUF = 377, /* VAR_SO_RCVBUF */
VAR_EDNS_BUFFER_SIZE = 378, /* VAR_EDNS_BUFFER_SIZE */
VAR_PREFETCH = 379, /* VAR_PREFETCH */
VAR_PREFETCH_KEY = 380, /* VAR_PREFETCH_KEY */
VAR_SO_SNDBUF = 381, /* VAR_SO_SNDBUF */
VAR_SO_REUSEPORT = 382, /* VAR_SO_REUSEPORT */
VAR_HARDEN_BELOW_NXDOMAIN = 383, /* VAR_HARDEN_BELOW_NXDOMAIN */
VAR_IGNORE_CD_FLAG = 384, /* VAR_IGNORE_CD_FLAG */
VAR_LOG_QUERIES = 385, /* VAR_LOG_QUERIES */
VAR_LOG_REPLIES = 386, /* VAR_LOG_REPLIES */
VAR_LOG_LOCAL_ACTIONS = 387, /* VAR_LOG_LOCAL_ACTIONS */
VAR_TCP_UPSTREAM = 388, /* VAR_TCP_UPSTREAM */
VAR_SSL_UPSTREAM = 389, /* VAR_SSL_UPSTREAM */
VAR_SSL_SERVICE_KEY = 390, /* VAR_SSL_SERVICE_KEY */
VAR_SSL_SERVICE_PEM = 391, /* VAR_SSL_SERVICE_PEM */
VAR_SSL_PORT = 392, /* VAR_SSL_PORT */
VAR_FORWARD_FIRST = 393, /* VAR_FORWARD_FIRST */
VAR_STUB_SSL_UPSTREAM = 394, /* VAR_STUB_SSL_UPSTREAM */
VAR_FORWARD_SSL_UPSTREAM = 395, /* VAR_FORWARD_SSL_UPSTREAM */
VAR_TLS_CERT_BUNDLE = 396, /* VAR_TLS_CERT_BUNDLE */
VAR_HTTPS_PORT = 397, /* VAR_HTTPS_PORT */
VAR_HTTP_ENDPOINT = 398, /* VAR_HTTP_ENDPOINT */
VAR_HTTP_MAX_STREAMS = 399, /* VAR_HTTP_MAX_STREAMS */
VAR_HTTP_QUERY_BUFFER_SIZE = 400, /* VAR_HTTP_QUERY_BUFFER_SIZE */
VAR_HTTP_RESPONSE_BUFFER_SIZE = 401, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */
VAR_HTTP_NODELAY = 402, /* VAR_HTTP_NODELAY */
VAR_HTTP_NOTLS_DOWNSTREAM = 403, /* VAR_HTTP_NOTLS_DOWNSTREAM */
VAR_STUB_FIRST = 404, /* VAR_STUB_FIRST */
VAR_MINIMAL_RESPONSES = 405, /* VAR_MINIMAL_RESPONSES */
VAR_RRSET_ROUNDROBIN = 406, /* VAR_RRSET_ROUNDROBIN */
VAR_MAX_UDP_SIZE = 407, /* VAR_MAX_UDP_SIZE */
VAR_DELAY_CLOSE = 408, /* VAR_DELAY_CLOSE */
VAR_UDP_CONNECT = 409, /* VAR_UDP_CONNECT */
VAR_UNBLOCK_LAN_ZONES = 410, /* VAR_UNBLOCK_LAN_ZONES */
VAR_INSECURE_LAN_ZONES = 411, /* VAR_INSECURE_LAN_ZONES */
VAR_INFRA_CACHE_MIN_RTT = 412, /* VAR_INFRA_CACHE_MIN_RTT */
VAR_INFRA_KEEP_PROBING = 413, /* VAR_INFRA_KEEP_PROBING */
VAR_DNS64_PREFIX = 414, /* VAR_DNS64_PREFIX */
VAR_DNS64_SYNTHALL = 415, /* VAR_DNS64_SYNTHALL */
VAR_DNS64_IGNORE_AAAA = 416, /* VAR_DNS64_IGNORE_AAAA */
VAR_DNSTAP = 417, /* VAR_DNSTAP */
VAR_DNSTAP_ENABLE = 418, /* VAR_DNSTAP_ENABLE */
VAR_DNSTAP_SOCKET_PATH = 419, /* VAR_DNSTAP_SOCKET_PATH */
VAR_DNSTAP_IP = 420, /* VAR_DNSTAP_IP */
VAR_DNSTAP_TLS = 421, /* VAR_DNSTAP_TLS */
VAR_DNSTAP_TLS_SERVER_NAME = 422, /* VAR_DNSTAP_TLS_SERVER_NAME */
VAR_DNSTAP_TLS_CERT_BUNDLE = 423, /* VAR_DNSTAP_TLS_CERT_BUNDLE */
VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 424, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */
VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 425, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */
VAR_DNSTAP_SEND_IDENTITY = 426, /* VAR_DNSTAP_SEND_IDENTITY */
VAR_DNSTAP_SEND_VERSION = 427, /* VAR_DNSTAP_SEND_VERSION */
VAR_DNSTAP_BIDIRECTIONAL = 428, /* VAR_DNSTAP_BIDIRECTIONAL */
VAR_DNSTAP_IDENTITY = 429, /* VAR_DNSTAP_IDENTITY */
VAR_DNSTAP_VERSION = 430, /* VAR_DNSTAP_VERSION */
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 431, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 432, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 433, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */
VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 434, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */
VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */
VAR_RESPONSE_IP_TAG = 437, /* VAR_RESPONSE_IP_TAG */
VAR_RESPONSE_IP = 438, /* VAR_RESPONSE_IP */
VAR_RESPONSE_IP_DATA = 439, /* VAR_RESPONSE_IP_DATA */
VAR_HARDEN_ALGO_DOWNGRADE = 440, /* VAR_HARDEN_ALGO_DOWNGRADE */
VAR_IP_TRANSPARENT = 441, /* VAR_IP_TRANSPARENT */
VAR_IP_DSCP = 442, /* VAR_IP_DSCP */
VAR_DISABLE_DNSSEC_LAME_CHECK = 443, /* VAR_DISABLE_DNSSEC_LAME_CHECK */
VAR_IP_RATELIMIT = 444, /* VAR_IP_RATELIMIT */
VAR_IP_RATELIMIT_SLABS = 445, /* VAR_IP_RATELIMIT_SLABS */
VAR_IP_RATELIMIT_SIZE = 446, /* VAR_IP_RATELIMIT_SIZE */
VAR_RATELIMIT = 447, /* VAR_RATELIMIT */
VAR_RATELIMIT_SLABS = 448, /* VAR_RATELIMIT_SLABS */
VAR_RATELIMIT_SIZE = 449, /* VAR_RATELIMIT_SIZE */
VAR_RATELIMIT_FOR_DOMAIN = 450, /* VAR_RATELIMIT_FOR_DOMAIN */
VAR_RATELIMIT_BELOW_DOMAIN = 451, /* VAR_RATELIMIT_BELOW_DOMAIN */
VAR_IP_RATELIMIT_FACTOR = 452, /* VAR_IP_RATELIMIT_FACTOR */
VAR_RATELIMIT_FACTOR = 453, /* VAR_RATELIMIT_FACTOR */
VAR_SEND_CLIENT_SUBNET = 454, /* VAR_SEND_CLIENT_SUBNET */
VAR_CLIENT_SUBNET_ZONE = 455, /* VAR_CLIENT_SUBNET_ZONE */
VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 456, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */
VAR_CLIENT_SUBNET_OPCODE = 457, /* VAR_CLIENT_SUBNET_OPCODE */
VAR_MAX_CLIENT_SUBNET_IPV4 = 458, /* VAR_MAX_CLIENT_SUBNET_IPV4 */
VAR_MAX_CLIENT_SUBNET_IPV6 = 459, /* VAR_MAX_CLIENT_SUBNET_IPV6 */
VAR_MIN_CLIENT_SUBNET_IPV4 = 460, /* VAR_MIN_CLIENT_SUBNET_IPV4 */
VAR_MIN_CLIENT_SUBNET_IPV6 = 461, /* VAR_MIN_CLIENT_SUBNET_IPV6 */
VAR_MAX_ECS_TREE_SIZE_IPV4 = 462, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */
VAR_MAX_ECS_TREE_SIZE_IPV6 = 463, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */
VAR_CAPS_WHITELIST = 464, /* VAR_CAPS_WHITELIST */
VAR_CACHE_MAX_NEGATIVE_TTL = 465, /* VAR_CACHE_MAX_NEGATIVE_TTL */
VAR_PERMIT_SMALL_HOLDDOWN = 466, /* VAR_PERMIT_SMALL_HOLDDOWN */
VAR_QNAME_MINIMISATION = 467, /* VAR_QNAME_MINIMISATION */
VAR_QNAME_MINIMISATION_STRICT = 468, /* VAR_QNAME_MINIMISATION_STRICT */
VAR_IP_FREEBIND = 469, /* VAR_IP_FREEBIND */
VAR_DEFINE_TAG = 470, /* VAR_DEFINE_TAG */
VAR_LOCAL_ZONE_TAG = 471, /* VAR_LOCAL_ZONE_TAG */
VAR_ACCESS_CONTROL_TAG = 472, /* VAR_ACCESS_CONTROL_TAG */
VAR_LOCAL_ZONE_OVERRIDE = 473, /* VAR_LOCAL_ZONE_OVERRIDE */
VAR_ACCESS_CONTROL_TAG_ACTION = 474, /* VAR_ACCESS_CONTROL_TAG_ACTION */
VAR_ACCESS_CONTROL_TAG_DATA = 475, /* VAR_ACCESS_CONTROL_TAG_DATA */
VAR_VIEW = 476, /* VAR_VIEW */
VAR_ACCESS_CONTROL_VIEW = 477, /* VAR_ACCESS_CONTROL_VIEW */
VAR_VIEW_FIRST = 478, /* VAR_VIEW_FIRST */
VAR_SERVE_EXPIRED = 479, /* VAR_SERVE_EXPIRED */
VAR_SERVE_EXPIRED_TTL = 480, /* VAR_SERVE_EXPIRED_TTL */
VAR_SERVE_EXPIRED_TTL_RESET = 481, /* VAR_SERVE_EXPIRED_TTL_RESET */
VAR_SERVE_EXPIRED_REPLY_TTL = 482, /* VAR_SERVE_EXPIRED_REPLY_TTL */
VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 483, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */
VAR_FAKE_DSA = 484, /* VAR_FAKE_DSA */
VAR_FAKE_SHA1 = 485, /* VAR_FAKE_SHA1 */
VAR_LOG_IDENTITY = 486, /* VAR_LOG_IDENTITY */
VAR_HIDE_TRUSTANCHOR = 487, /* VAR_HIDE_TRUSTANCHOR */
VAR_TRUST_ANCHOR_SIGNALING = 488, /* VAR_TRUST_ANCHOR_SIGNALING */
VAR_AGGRESSIVE_NSEC = 489, /* VAR_AGGRESSIVE_NSEC */
VAR_USE_SYSTEMD = 490, /* VAR_USE_SYSTEMD */
VAR_SHM_ENABLE = 491, /* VAR_SHM_ENABLE */
VAR_SHM_KEY = 492, /* VAR_SHM_KEY */
VAR_ROOT_KEY_SENTINEL = 493, /* VAR_ROOT_KEY_SENTINEL */
VAR_DNSCRYPT = 494, /* VAR_DNSCRYPT */
VAR_DNSCRYPT_ENABLE = 495, /* VAR_DNSCRYPT_ENABLE */
VAR_DNSCRYPT_PORT = 496, /* VAR_DNSCRYPT_PORT */
VAR_DNSCRYPT_PROVIDER = 497, /* VAR_DNSCRYPT_PROVIDER */
VAR_DNSCRYPT_SECRET_KEY = 498, /* VAR_DNSCRYPT_SECRET_KEY */
VAR_DNSCRYPT_PROVIDER_CERT = 499, /* VAR_DNSCRYPT_PROVIDER_CERT */
VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 500, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 501, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 502, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */
VAR_DNSCRYPT_NONCE_CACHE_SIZE = 503, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */
VAR_DNSCRYPT_NONCE_CACHE_SLABS = 504, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */
VAR_IPSECMOD_ENABLED = 505, /* VAR_IPSECMOD_ENABLED */
VAR_IPSECMOD_HOOK = 506, /* VAR_IPSECMOD_HOOK */
VAR_IPSECMOD_IGNORE_BOGUS = 507, /* VAR_IPSECMOD_IGNORE_BOGUS */
VAR_IPSECMOD_MAX_TTL = 508, /* VAR_IPSECMOD_MAX_TTL */
VAR_IPSECMOD_WHITELIST = 509, /* VAR_IPSECMOD_WHITELIST */
VAR_IPSECMOD_STRICT = 510, /* VAR_IPSECMOD_STRICT */
VAR_CACHEDB = 511, /* VAR_CACHEDB */
VAR_CACHEDB_BACKEND = 512, /* VAR_CACHEDB_BACKEND */
VAR_CACHEDB_SECRETSEED = 513, /* VAR_CACHEDB_SECRETSEED */
VAR_CACHEDB_REDISHOST = 514, /* VAR_CACHEDB_REDISHOST */
VAR_CACHEDB_REDISPORT = 515, /* VAR_CACHEDB_REDISPORT */
VAR_CACHEDB_REDISTIMEOUT = 516, /* VAR_CACHEDB_REDISTIMEOUT */
VAR_CACHEDB_REDISEXPIRERECORDS = 517, /* VAR_CACHEDB_REDISEXPIRERECORDS */
VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 518, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */
VAR_FOR_UPSTREAM = 519, /* VAR_FOR_UPSTREAM */
VAR_AUTH_ZONE = 520, /* VAR_AUTH_ZONE */
VAR_ZONEFILE = 521, /* VAR_ZONEFILE */
VAR_MASTER = 522, /* VAR_MASTER */
VAR_URL = 523, /* VAR_URL */
VAR_FOR_DOWNSTREAM = 524, /* VAR_FOR_DOWNSTREAM */
VAR_FALLBACK_ENABLED = 525, /* VAR_FALLBACK_ENABLED */
VAR_TLS_ADDITIONAL_PORT = 526, /* VAR_TLS_ADDITIONAL_PORT */
VAR_LOW_RTT = 527, /* VAR_LOW_RTT */
VAR_LOW_RTT_PERMIL = 528, /* VAR_LOW_RTT_PERMIL */
VAR_FAST_SERVER_PERMIL = 529, /* VAR_FAST_SERVER_PERMIL */
VAR_FAST_SERVER_NUM = 530, /* VAR_FAST_SERVER_NUM */
VAR_ALLOW_NOTIFY = 531, /* VAR_ALLOW_NOTIFY */
VAR_TLS_WIN_CERT = 532, /* VAR_TLS_WIN_CERT */
VAR_TCP_CONNECTION_LIMIT = 533, /* VAR_TCP_CONNECTION_LIMIT */
VAR_FORWARD_NO_CACHE = 534, /* VAR_FORWARD_NO_CACHE */
VAR_STUB_NO_CACHE = 535, /* VAR_STUB_NO_CACHE */
VAR_LOG_SERVFAIL = 536, /* VAR_LOG_SERVFAIL */
VAR_DENY_ANY = 537, /* VAR_DENY_ANY */
VAR_UNKNOWN_SERVER_TIME_LIMIT = 538, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */
VAR_LOG_TAG_QUERYREPLY = 539, /* VAR_LOG_TAG_QUERYREPLY */
VAR_STREAM_WAIT_SIZE = 540, /* VAR_STREAM_WAIT_SIZE */
VAR_TLS_CIPHERS = 541, /* VAR_TLS_CIPHERS */
VAR_TLS_CIPHERSUITES = 542, /* VAR_TLS_CIPHERSUITES */
VAR_TLS_USE_SNI = 543, /* VAR_TLS_USE_SNI */
VAR_IPSET = 544, /* VAR_IPSET */
VAR_IPSET_NAME_V4 = 545, /* VAR_IPSET_NAME_V4 */
VAR_IPSET_NAME_V6 = 546, /* VAR_IPSET_NAME_V6 */
VAR_TLS_SESSION_TICKET_KEYS = 547, /* VAR_TLS_SESSION_TICKET_KEYS */
VAR_RPZ = 548, /* VAR_RPZ */
VAR_TAGS = 549, /* VAR_TAGS */
VAR_RPZ_ACTION_OVERRIDE = 550, /* VAR_RPZ_ACTION_OVERRIDE */
VAR_RPZ_CNAME_OVERRIDE = 551, /* VAR_RPZ_CNAME_OVERRIDE */
VAR_RPZ_LOG = 552, /* VAR_RPZ_LOG */
VAR_RPZ_LOG_NAME = 553, /* VAR_RPZ_LOG_NAME */
VAR_DYNLIB = 554, /* VAR_DYNLIB */
VAR_DYNLIB_FILE = 555, /* VAR_DYNLIB_FILE */
VAR_EDNS_CLIENT_STRING = 556, /* VAR_EDNS_CLIENT_STRING */
VAR_EDNS_CLIENT_STRING_OPCODE = 557 /* VAR_EDNS_CLIENT_STRING_OPCODE */
};
typedef enum yytokentype yytoken_kind_t;
#endif
/* Tokens. */
/* Token kinds. */
#define YYEOF 0
#define YYerror 256
#define YYUNDEF 257
#define SPACE 258
#define LETTER 259
#define NEWLINE 260
@ -502,154 +512,155 @@ extern int yydebug;
#define VAR_RRSET_ROUNDROBIN 406
#define VAR_MAX_UDP_SIZE 407
#define VAR_DELAY_CLOSE 408
#define VAR_UNBLOCK_LAN_ZONES 409
#define VAR_INSECURE_LAN_ZONES 410
#define VAR_INFRA_CACHE_MIN_RTT 411
#define VAR_INFRA_KEEP_PROBING 412
#define VAR_DNS64_PREFIX 413
#define VAR_DNS64_SYNTHALL 414
#define VAR_DNS64_IGNORE_AAAA 415
#define VAR_DNSTAP 416
#define VAR_DNSTAP_ENABLE 417
#define VAR_DNSTAP_SOCKET_PATH 418
#define VAR_DNSTAP_IP 419
#define VAR_DNSTAP_TLS 420
#define VAR_DNSTAP_TLS_SERVER_NAME 421
#define VAR_DNSTAP_TLS_CERT_BUNDLE 422
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 423
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 424
#define VAR_DNSTAP_SEND_IDENTITY 425
#define VAR_DNSTAP_SEND_VERSION 426
#define VAR_DNSTAP_BIDIRECTIONAL 427
#define VAR_DNSTAP_IDENTITY 428
#define VAR_DNSTAP_VERSION 429
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 430
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 431
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 432
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 433
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 434
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 435
#define VAR_RESPONSE_IP_TAG 436
#define VAR_RESPONSE_IP 437
#define VAR_RESPONSE_IP_DATA 438
#define VAR_HARDEN_ALGO_DOWNGRADE 439
#define VAR_IP_TRANSPARENT 440
#define VAR_IP_DSCP 441
#define VAR_DISABLE_DNSSEC_LAME_CHECK 442
#define VAR_IP_RATELIMIT 443
#define VAR_IP_RATELIMIT_SLABS 444
#define VAR_IP_RATELIMIT_SIZE 445
#define VAR_RATELIMIT 446
#define VAR_RATELIMIT_SLABS 447
#define VAR_RATELIMIT_SIZE 448
#define VAR_RATELIMIT_FOR_DOMAIN 449
#define VAR_RATELIMIT_BELOW_DOMAIN 450
#define VAR_IP_RATELIMIT_FACTOR 451
#define VAR_RATELIMIT_FACTOR 452
#define VAR_SEND_CLIENT_SUBNET 453
#define VAR_CLIENT_SUBNET_ZONE 454
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 455
#define VAR_CLIENT_SUBNET_OPCODE 456
#define VAR_MAX_CLIENT_SUBNET_IPV4 457
#define VAR_MAX_CLIENT_SUBNET_IPV6 458
#define VAR_MIN_CLIENT_SUBNET_IPV4 459
#define VAR_MIN_CLIENT_SUBNET_IPV6 460
#define VAR_MAX_ECS_TREE_SIZE_IPV4 461
#define VAR_MAX_ECS_TREE_SIZE_IPV6 462
#define VAR_CAPS_WHITELIST 463
#define VAR_CACHE_MAX_NEGATIVE_TTL 464
#define VAR_PERMIT_SMALL_HOLDDOWN 465
#define VAR_QNAME_MINIMISATION 466
#define VAR_QNAME_MINIMISATION_STRICT 467
#define VAR_IP_FREEBIND 468
#define VAR_DEFINE_TAG 469
#define VAR_LOCAL_ZONE_TAG 470
#define VAR_ACCESS_CONTROL_TAG 471
#define VAR_LOCAL_ZONE_OVERRIDE 472
#define VAR_ACCESS_CONTROL_TAG_ACTION 473
#define VAR_ACCESS_CONTROL_TAG_DATA 474
#define VAR_VIEW 475
#define VAR_ACCESS_CONTROL_VIEW 476
#define VAR_VIEW_FIRST 477
#define VAR_SERVE_EXPIRED 478
#define VAR_SERVE_EXPIRED_TTL 479
#define VAR_SERVE_EXPIRED_TTL_RESET 480
#define VAR_SERVE_EXPIRED_REPLY_TTL 481
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 482
#define VAR_FAKE_DSA 483
#define VAR_FAKE_SHA1 484
#define VAR_LOG_IDENTITY 485
#define VAR_HIDE_TRUSTANCHOR 486
#define VAR_TRUST_ANCHOR_SIGNALING 487
#define VAR_AGGRESSIVE_NSEC 488
#define VAR_USE_SYSTEMD 489
#define VAR_SHM_ENABLE 490
#define VAR_SHM_KEY 491
#define VAR_ROOT_KEY_SENTINEL 492
#define VAR_DNSCRYPT 493
#define VAR_DNSCRYPT_ENABLE 494
#define VAR_DNSCRYPT_PORT 495
#define VAR_DNSCRYPT_PROVIDER 496
#define VAR_DNSCRYPT_SECRET_KEY 497
#define VAR_DNSCRYPT_PROVIDER_CERT 498
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 499
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 500
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 501
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 502
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 503
#define VAR_IPSECMOD_ENABLED 504
#define VAR_IPSECMOD_HOOK 505
#define VAR_IPSECMOD_IGNORE_BOGUS 506
#define VAR_IPSECMOD_MAX_TTL 507
#define VAR_IPSECMOD_WHITELIST 508
#define VAR_IPSECMOD_STRICT 509
#define VAR_CACHEDB 510
#define VAR_CACHEDB_BACKEND 511
#define VAR_CACHEDB_SECRETSEED 512
#define VAR_CACHEDB_REDISHOST 513
#define VAR_CACHEDB_REDISPORT 514
#define VAR_CACHEDB_REDISTIMEOUT 515
#define VAR_CACHEDB_REDISEXPIRERECORDS 516
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 517
#define VAR_FOR_UPSTREAM 518
#define VAR_AUTH_ZONE 519
#define VAR_ZONEFILE 520
#define VAR_MASTER 521
#define VAR_URL 522
#define VAR_FOR_DOWNSTREAM 523
#define VAR_FALLBACK_ENABLED 524
#define VAR_TLS_ADDITIONAL_PORT 525
#define VAR_LOW_RTT 526
#define VAR_LOW_RTT_PERMIL 527
#define VAR_FAST_SERVER_PERMIL 528
#define VAR_FAST_SERVER_NUM 529
#define VAR_ALLOW_NOTIFY 530
#define VAR_TLS_WIN_CERT 531
#define VAR_TCP_CONNECTION_LIMIT 532
#define VAR_FORWARD_NO_CACHE 533
#define VAR_STUB_NO_CACHE 534
#define VAR_LOG_SERVFAIL 535
#define VAR_DENY_ANY 536
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 537
#define VAR_LOG_TAG_QUERYREPLY 538
#define VAR_STREAM_WAIT_SIZE 539
#define VAR_TLS_CIPHERS 540
#define VAR_TLS_CIPHERSUITES 541
#define VAR_TLS_USE_SNI 542
#define VAR_IPSET 543
#define VAR_IPSET_NAME_V4 544
#define VAR_IPSET_NAME_V6 545
#define VAR_TLS_SESSION_TICKET_KEYS 546
#define VAR_RPZ 547
#define VAR_TAGS 548
#define VAR_RPZ_ACTION_OVERRIDE 549
#define VAR_RPZ_CNAME_OVERRIDE 550
#define VAR_RPZ_LOG 551
#define VAR_RPZ_LOG_NAME 552
#define VAR_DYNLIB 553
#define VAR_DYNLIB_FILE 554
#define VAR_EDNS_CLIENT_TAG 555
#define VAR_EDNS_CLIENT_TAG_OPCODE 556
#define VAR_UDP_CONNECT 409
#define VAR_UNBLOCK_LAN_ZONES 410
#define VAR_INSECURE_LAN_ZONES 411
#define VAR_INFRA_CACHE_MIN_RTT 412
#define VAR_INFRA_KEEP_PROBING 413
#define VAR_DNS64_PREFIX 414
#define VAR_DNS64_SYNTHALL 415
#define VAR_DNS64_IGNORE_AAAA 416
#define VAR_DNSTAP 417
#define VAR_DNSTAP_ENABLE 418
#define VAR_DNSTAP_SOCKET_PATH 419
#define VAR_DNSTAP_IP 420
#define VAR_DNSTAP_TLS 421
#define VAR_DNSTAP_TLS_SERVER_NAME 422
#define VAR_DNSTAP_TLS_CERT_BUNDLE 423
#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 424
#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 425
#define VAR_DNSTAP_SEND_IDENTITY 426
#define VAR_DNSTAP_SEND_VERSION 427
#define VAR_DNSTAP_BIDIRECTIONAL 428
#define VAR_DNSTAP_IDENTITY 429
#define VAR_DNSTAP_VERSION 430
#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 431
#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 432
#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 433
#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 434
#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 435
#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 436
#define VAR_RESPONSE_IP_TAG 437
#define VAR_RESPONSE_IP 438
#define VAR_RESPONSE_IP_DATA 439
#define VAR_HARDEN_ALGO_DOWNGRADE 440
#define VAR_IP_TRANSPARENT 441
#define VAR_IP_DSCP 442
#define VAR_DISABLE_DNSSEC_LAME_CHECK 443
#define VAR_IP_RATELIMIT 444
#define VAR_IP_RATELIMIT_SLABS 445
#define VAR_IP_RATELIMIT_SIZE 446
#define VAR_RATELIMIT 447
#define VAR_RATELIMIT_SLABS 448
#define VAR_RATELIMIT_SIZE 449
#define VAR_RATELIMIT_FOR_DOMAIN 450
#define VAR_RATELIMIT_BELOW_DOMAIN 451
#define VAR_IP_RATELIMIT_FACTOR 452
#define VAR_RATELIMIT_FACTOR 453
#define VAR_SEND_CLIENT_SUBNET 454
#define VAR_CLIENT_SUBNET_ZONE 455
#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 456
#define VAR_CLIENT_SUBNET_OPCODE 457
#define VAR_MAX_CLIENT_SUBNET_IPV4 458
#define VAR_MAX_CLIENT_SUBNET_IPV6 459
#define VAR_MIN_CLIENT_SUBNET_IPV4 460
#define VAR_MIN_CLIENT_SUBNET_IPV6 461
#define VAR_MAX_ECS_TREE_SIZE_IPV4 462
#define VAR_MAX_ECS_TREE_SIZE_IPV6 463
#define VAR_CAPS_WHITELIST 464
#define VAR_CACHE_MAX_NEGATIVE_TTL 465
#define VAR_PERMIT_SMALL_HOLDDOWN 466
#define VAR_QNAME_MINIMISATION 467
#define VAR_QNAME_MINIMISATION_STRICT 468
#define VAR_IP_FREEBIND 469
#define VAR_DEFINE_TAG 470
#define VAR_LOCAL_ZONE_TAG 471
#define VAR_ACCESS_CONTROL_TAG 472
#define VAR_LOCAL_ZONE_OVERRIDE 473
#define VAR_ACCESS_CONTROL_TAG_ACTION 474
#define VAR_ACCESS_CONTROL_TAG_DATA 475
#define VAR_VIEW 476
#define VAR_ACCESS_CONTROL_VIEW 477
#define VAR_VIEW_FIRST 478
#define VAR_SERVE_EXPIRED 479
#define VAR_SERVE_EXPIRED_TTL 480
#define VAR_SERVE_EXPIRED_TTL_RESET 481
#define VAR_SERVE_EXPIRED_REPLY_TTL 482
#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 483
#define VAR_FAKE_DSA 484
#define VAR_FAKE_SHA1 485
#define VAR_LOG_IDENTITY 486
#define VAR_HIDE_TRUSTANCHOR 487
#define VAR_TRUST_ANCHOR_SIGNALING 488
#define VAR_AGGRESSIVE_NSEC 489
#define VAR_USE_SYSTEMD 490
#define VAR_SHM_ENABLE 491
#define VAR_SHM_KEY 492
#define VAR_ROOT_KEY_SENTINEL 493
#define VAR_DNSCRYPT 494
#define VAR_DNSCRYPT_ENABLE 495
#define VAR_DNSCRYPT_PORT 496
#define VAR_DNSCRYPT_PROVIDER 497
#define VAR_DNSCRYPT_SECRET_KEY 498
#define VAR_DNSCRYPT_PROVIDER_CERT 499
#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 500
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 501
#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 502
#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 503
#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 504
#define VAR_IPSECMOD_ENABLED 505
#define VAR_IPSECMOD_HOOK 506
#define VAR_IPSECMOD_IGNORE_BOGUS 507
#define VAR_IPSECMOD_MAX_TTL 508
#define VAR_IPSECMOD_WHITELIST 509
#define VAR_IPSECMOD_STRICT 510
#define VAR_CACHEDB 511
#define VAR_CACHEDB_BACKEND 512
#define VAR_CACHEDB_SECRETSEED 513
#define VAR_CACHEDB_REDISHOST 514
#define VAR_CACHEDB_REDISPORT 515
#define VAR_CACHEDB_REDISTIMEOUT 516
#define VAR_CACHEDB_REDISEXPIRERECORDS 517
#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 518
#define VAR_FOR_UPSTREAM 519
#define VAR_AUTH_ZONE 520
#define VAR_ZONEFILE 521
#define VAR_MASTER 522
#define VAR_URL 523
#define VAR_FOR_DOWNSTREAM 524
#define VAR_FALLBACK_ENABLED 525
#define VAR_TLS_ADDITIONAL_PORT 526
#define VAR_LOW_RTT 527
#define VAR_LOW_RTT_PERMIL 528
#define VAR_FAST_SERVER_PERMIL 529
#define VAR_FAST_SERVER_NUM 530
#define VAR_ALLOW_NOTIFY 531
#define VAR_TLS_WIN_CERT 532
#define VAR_TCP_CONNECTION_LIMIT 533
#define VAR_FORWARD_NO_CACHE 534
#define VAR_STUB_NO_CACHE 535
#define VAR_LOG_SERVFAIL 536
#define VAR_DENY_ANY 537
#define VAR_UNKNOWN_SERVER_TIME_LIMIT 538
#define VAR_LOG_TAG_QUERYREPLY 539
#define VAR_STREAM_WAIT_SIZE 540
#define VAR_TLS_CIPHERS 541
#define VAR_TLS_CIPHERSUITES 542
#define VAR_TLS_USE_SNI 543
#define VAR_IPSET 544
#define VAR_IPSET_NAME_V4 545
#define VAR_IPSET_NAME_V6 546
#define VAR_TLS_SESSION_TICKET_KEYS 547
#define VAR_RPZ 548
#define VAR_TAGS 549
#define VAR_RPZ_ACTION_OVERRIDE 550
#define VAR_RPZ_CNAME_OVERRIDE 551
#define VAR_RPZ_LOG 552
#define VAR_RPZ_LOG_NAME 553
#define VAR_DYNLIB 554
#define VAR_DYNLIB_FILE 555
#define VAR_EDNS_CLIENT_STRING 556
#define VAR_EDNS_CLIENT_STRING_OPCODE 557
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -659,7 +670,7 @@ union YYSTYPE
char* str;
#line 663 "util/configparser.h"
#line 674 "util/configparser.h"
};
typedef union YYSTYPE YYSTYPE;


@ -116,7 +116,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
%token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UDP_CONNECT
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
%token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_KEEP_PROBING
%token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
@ -178,7 +178,8 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
%token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_TAG VAR_EDNS_CLIENT_TAG_OPCODE
%token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING
%token VAR_EDNS_CLIENT_STRING_OPCODE
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -251,7 +252,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_http_query_buffer_size | server_http_response_buffer_size |
server_http_nodelay | server_http_notls_downstream |
server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
server_so_reuseport | server_delay_close |
server_so_reuseport | server_delay_close | server_udp_connect |
server_unblock_lan_zones | server_insecure_lan_zones |
server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa |
server_infra_cache_min_rtt | server_harden_algo_downgrade |
@ -291,8 +292,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_unknown_server_time_limit | server_log_tag_queryreply |
server_stream_wait_size | server_tls_ciphers |
server_tls_ciphersuites | server_tls_session_ticket_keys |
server_tls_use_sni | server_edns_client_tag |
server_edns_client_tag_opcode
server_tls_use_sni | server_edns_client_string |
server_edns_client_string_opcode
;
stubstart: VAR_STUB_ZONE
{
@ -1443,6 +1444,15 @@ server_delay_close: VAR_DELAY_CLOSE STRING_ARG
free($2);
}
;
server_udp_connect: VAR_UDP_CONNECT STRING_ARG
{
OUTYY(("P(server_udp_connect:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->udp_connect = (strcmp($2, "yes")==0);
free($2);
}
;
server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG
{
OUTYY(("P(server_unblock_lan_zones:%s)\n", $2));
@ -2484,29 +2494,23 @@ server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG
#endif
}
;
server_edns_client_tag: VAR_EDNS_CLIENT_TAG STRING_ARG STRING_ARG
server_edns_client_string: VAR_EDNS_CLIENT_STRING STRING_ARG STRING_ARG
{
int tag_data;
OUTYY(("P(server_edns_client_tag:%s %s)\n", $2, $3));
tag_data = atoi($3);
if(tag_data > 65535 || tag_data < 0 ||
(tag_data == 0 && (strlen($3) != 1 || $3[0] != '0')))
yyerror("edns-client-tag data invalid, needs to be a "
"number from 0 to 65535");
OUTYY(("P(server_edns_client_string:%s %s)\n", $2, $3));
if(!cfg_str2list_insert(
&cfg_parser->cfg->edns_client_tags, $2, $3))
&cfg_parser->cfg->edns_client_strings, $2, $3))
fatal_exit("out of memory adding "
"edns-client-tag");
"edns-client-string");
}
;
server_edns_client_tag_opcode: VAR_EDNS_CLIENT_TAG_OPCODE STRING_ARG
server_edns_client_string_opcode: VAR_EDNS_CLIENT_STRING_OPCODE STRING_ARG
{
OUTYY(("P(edns_client_tag_opcode:%s)\n", $2));
OUTYY(("P(edns_client_string_opcode:%s)\n", $2));
if(atoi($2) == 0 && strcmp($2, "0") != 0)
yyerror("option code expected");
else if(atoi($2) > 65535 || atoi($2) < 0)
yyerror("option code must be in interval [0, 65535]");
else cfg_parser->cfg->edns_client_tag_opcode = atoi($2);
else cfg_parser->cfg->edns_client_string_opcode = atoi($2);
}
;
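Review bot: The new `server_edns_client_string` rule hands `$3` to `cfg_str2list_insert` with no validation, where the removed code limited the value to 0..65535, so nothing here bounds the length of the string that becomes the EDNS option payload. An EDNS option has a 16-bit length field, and the consumer shown later on this page, `edns_strings_client_insert`, stores `strlen(string)` bytes unchanged, so an over-long value is only caught if an encoder outside this page checks it. I would reject it at parse time before the insert, for example `if(strlen($3) > 65535) yyerror("edns-client-string too long");` (message text is my own), and preferably with a much lower cap, since the option has to fit in a DNS message alongside everything else. Separately, `server_edns_client_string_opcode` still validates with `atoi`, which accepts a number followed by trailing characters, and it never calls `free($2)` the way `server_udp_connect` does in the same file.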


@ -48,81 +48,84 @@
#include "util/data/msgparse.h"
#include "util/data/msgreply.h"
struct edns_tags* edns_tags_create(void)
struct edns_strings* edns_strings_create(void)
{
struct edns_tags* edns_tags = calloc(1, sizeof(struct edns_tags));
if(!edns_tags)
struct edns_strings* edns_strings = calloc(1,
sizeof(struct edns_strings));
if(!edns_strings)
return NULL;
if(!(edns_tags->region = regional_create())) {
edns_tags_delete(edns_tags);
if(!(edns_strings->region = regional_create())) {
edns_strings_delete(edns_strings);
return NULL;
}
return edns_tags;
return edns_strings;
}
void edns_tags_delete(struct edns_tags* edns_tags)
void edns_strings_delete(struct edns_strings* edns_strings)
{
if(!edns_tags)
if(!edns_strings)
return;
regional_destroy(edns_tags->region);
free(edns_tags);
regional_destroy(edns_strings->region);
free(edns_strings);
}
static int
edns_tags_client_insert(struct edns_tags* edns_tags,
edns_strings_client_insert(struct edns_strings* edns_strings,
struct sockaddr_storage* addr, socklen_t addrlen, int net,
uint16_t tag_data)
const char* string)
{
struct edns_tag_addr* eta = regional_alloc_zero(edns_tags->region,
sizeof(struct edns_tag_addr));
if(!eta)
struct edns_string_addr* esa = regional_alloc_zero(edns_strings->region,
sizeof(struct edns_string_addr));
if(!esa)
return 0;
eta->tag_data = tag_data;
if(!addr_tree_insert(&edns_tags->client_tags, &eta->node, addr, addrlen,
net)) {
verbose(VERB_QUERY, "duplicate EDNS client tag ignored.");
esa->string_len = strlen(string);
esa->string = regional_alloc_init(edns_strings->region, string,
esa->string_len);
if(!esa->string)
return 0;
if(!addr_tree_insert(&edns_strings->client_strings, &esa->node, addr,
addrlen, net)) {
verbose(VERB_QUERY, "duplicate EDNS client string ignored.");
}
return 1;
}
int edns_tags_apply_cfg(struct edns_tags* edns_tags,
int edns_strings_apply_cfg(struct edns_strings* edns_strings,
struct config_file* config)
{
struct config_str2list* c;
regional_free_all(edns_tags->region);
addr_tree_init(&edns_tags->client_tags);
regional_free_all(edns_strings->region);
addr_tree_init(&edns_strings->client_strings);
for(c=config->edns_client_tags; c; c=c->next) {
for(c=config->edns_client_strings; c; c=c->next) {
struct sockaddr_storage addr;
socklen_t addrlen;
int net;
uint16_t tag_data;
log_assert(c->str && c->str2);
if(!netblockstrtoaddr(c->str, UNBOUND_DNS_PORT, &addr, &addrlen,
&net)) {
log_err("cannot parse EDNS client tag IP netblock: %s",
c->str);
log_err("cannot parse EDNS client string IP netblock: "
"%s", c->str);
return 0;
}
tag_data = atoi(c->str2); /* validated in config parser */
if(!edns_tags_client_insert(edns_tags, &addr, addrlen, net,
tag_data)) {
log_err("out of memory while adding EDNS tags");
if(!edns_strings_client_insert(edns_strings, &addr, addrlen,
net, c->str2)) {
log_err("out of memory while adding EDNS strings");
return 0;
}
}
edns_tags->client_tag_opcode = config->edns_client_tag_opcode;
edns_strings->client_string_opcode = config->edns_client_string_opcode;
addr_tree_init_parents(&edns_tags->client_tags);
addr_tree_init_parents(&edns_strings->client_strings);
return 1;
}
struct edns_tag_addr*
edns_tag_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
struct edns_string_addr*
edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
socklen_t addrlen)
{
return (struct edns_tag_addr*)addr_tree_lookup(tree, addr, addrlen);
return (struct edns_string_addr*)addr_tree_lookup(tree, addr, addrlen);
}
static int edns_keepalive(struct edns_data* edns_out, struct edns_data* edns_in,
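Review bot: edns_strings_client_insert stores `strlen(string)` in `string_len` with no upper bound, and the `edns-client-string` parser action in this commit no longer validates the value at all, whereas the old tag path enforced 0 to 65535. An EDNS option carries a 16-bit length, so an over-long configured string would presumably be truncated or yield a malformed option when it is written out; the code that emits it is not visible here, so this needs confirming. Rejecting it at configuration time in edns_strings_apply_cfg, before the insert call, keeps the stored length within what the wire format can express: `if(strlen(c->str2) > 65535) { log_err("EDNS client string too long for netblock %s", c->str); return 0; }`.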


@ -50,58 +50,60 @@ struct comm_point;
struct regional;
/**
* Structure containing all EDNS tags.
* Structure containing all EDNS strings.
*/
struct edns_tags {
/** Tree of EDNS client tags to use in upstream queries, per address
* prefix. Contains nodes of type edns_tag_addr. */
rbtree_type client_tags;
/** EDNS opcode to use for client tags */
uint16_t client_tag_opcode;
struct edns_strings {
/** Tree of EDNS client strings to use in upstream queries, per address
* prefix. Contains nodes of type edns_string_addr. */
rbtree_type client_strings;
/** EDNS opcode to use for client strings */
uint16_t client_string_opcode;
/** region to allocate tree nodes in */
struct regional* region;
};
/**
* EDNS tag. Node of rbtree, containing tag and prefix.
* EDNS string. Node of rbtree, containing string and prefix.
*/
struct edns_tag_addr {
struct edns_string_addr {
/** node in address tree, used for tree lookups. Need to be the first
* member of this struct. */
struct addr_tree_node node;
/** tag data, in host byte ordering */
uint16_t tag_data;
/** string, ascii format */
uint8_t* string;
/** length of string */
size_t string_len;
};
/**
* Create structure to hold EDNS tags
* @return: newly created edns_tags, NULL on alloc failure.
* Create structure to hold EDNS strings
* @return: newly created edns_strings, NULL on alloc failure.
*/
struct edns_tags* edns_tags_create(void);
struct edns_strings* edns_strings_create(void);
/** Delete EDNS tags structure
* @param edns_tags: struct to delete
/** Delete EDNS strings structure
* @param edns_strings: struct to delete
*/
void edns_tags_delete(struct edns_tags* edns_tags);
void edns_strings_delete(struct edns_strings* edns_strings);
/**
* Add configured EDNS tags
* @param edns_tags: edns tags to apply config to
* @param config: struct containing EDNS tags configuration
* Add configured EDNS strings
* @param edns_strings: edns strings to apply config to
* @param config: struct containing EDNS strings configuration
* @return 0 on error
*/
int edns_tags_apply_cfg(struct edns_tags* edns_tags,
int edns_strings_apply_cfg(struct edns_strings* edns_strings,
struct config_file* config);
/**
* Find tag for address.
* @param tree: tree containing EDNS tags per address prefix.
* Find string for address.
* @param tree: tree containing EDNS strings per address prefix.
* @param addr: address to use for tree lookup
* @param addrlen: length of address
* @return: matching tree node, NULL otherwise
*/
struct edns_tag_addr*
edns_tag_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
struct edns_string_addr*
edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr,
socklen_t addrlen);
/**
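Review bot: The field comment on `string` in struct edns_string_addr does not say that the buffer lacks a terminating NUL, although edns_strings_client_insert in this commit passes exactly `strlen(string)` as the size to regional_alloc_init. A caller that treats the field as a C string (`strlen`, `%s`) would read past the end of the region allocation. I would change the comment to `/** string, ascii format, not NUL-terminated; length is in string_len */` so the contract is stated where users of the struct will look.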


@ -520,8 +520,8 @@ struct module_env {
struct edns_known_option* edns_known_options;
/* Number of known edns options */
size_t edns_known_options_num;
/** EDNS client tag information */
struct edns_tags* edns_tags;
/** EDNS client string information */
struct edns_strings* edns_strings;
/* Make every mesh state unique, do not aggregate mesh states. */
int unique_mesh;