From b5cc8b6c59c0a43c837234a904fb41326cdd2e04 Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Mon, 24 Apr 2023 16:15:56 +0200 Subject: [PATCH 1/9] - Generalise the proxy protocol code --- daemon/worker.c | 2 + libunbound/libworker.c | 2 + testcode/streamtcp.c | 7 ++- util/netevent.c | 33 +++++++--- util/proxy_protocol.c | 136 +++++++++++++++++++++++++++-------------- util/proxy_protocol.h | 42 ++++++++++--- 6 files changed, 161 insertions(+), 61 deletions(-) diff --git a/daemon/worker.c b/daemon/worker.c index 99dcf9940..46331376d 100644 --- a/daemon/worker.c +++ b/daemon/worker.c @@ -66,6 +66,7 @@ #include "util/data/msgencode.h" #include "util/data/dname.h" #include "util/fptr_wlist.h" +#include "util/proxy_protocol.h" #include "util/tube.h" #include "util/edns.h" #include "iterator/iter_fwd.h" @@ -2168,6 +2169,7 @@ worker_init(struct worker* worker, struct config_file *cfg, worker->env.cfg->stat_interval); worker_restart_timer(worker); } + pp_init(&sldns_write_uint16, &sldns_write_uint32); return 1; } diff --git a/libunbound/libworker.c b/libunbound/libworker.c index ebc1df2e5..7d08b488a 100644 --- a/libunbound/libworker.c +++ b/libunbound/libworker.c @@ -62,6 +62,7 @@ #include "util/random.h" #include "util/config_file.h" #include "util/netevent.h" +#include "util/proxy_protocol.h" #include "util/storage/lookup3.h" #include "util/storage/slabhash.h" #include "util/net_help.h" @@ -263,6 +264,7 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb) w->env->kill_sub = &mesh_state_delete; w->env->detect_cycle = &mesh_detect_cycle; comm_base_timept(w->base, &w->env->now, &w->env->now_tv); + pp_init(&sldns_write_uint16, &sldns_write_uint32); return w; } diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c index b2c0d5328..53b29852f 100644 --- a/testcode/streamtcp.c +++ b/testcode/streamtcp.c @@ -353,6 +353,7 @@ static int parse_pp2_client(const char* pp2_client, int udp, sldns_buffer* proxy_buf) { struct sockaddr_storage pp2_addr; + size_t bytes_written; socklen_t pp2_addrlen = 0; memset(&pp2_addr, 0, sizeof(pp2_addr)); if(*pp2_client == 0) return 0; @@ -361,7 +362,9 @@ static int parse_pp2_client(const char* pp2_client, int udp, exit(1); } sldns_buffer_clear(proxy_buf); - pp2_write_to_buf(proxy_buf, &pp2_addr, !udp); + bytes_written = pp2_write_to_buf(sldns_buffer_begin(proxy_buf), + sldns_buffer_remaining(proxy_buf), &pp2_addr, !udp); + sldns_buffer_set_position(proxy_buf, bytes_written); sldns_buffer_flip(proxy_buf); return 1; } @@ -529,6 +532,8 @@ int main(int argc, char** argv) break; case 'p': pp2_client = optarg; + pp_init(&sldns_write_uint16, + &sldns_write_uint32); break; case 'a': onarrival = 1; diff --git a/util/netevent.c b/util/netevent.c index fe3d51164..c0fe1e6a6 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -761,8 +761,11 @@ static int udp_recv_needs_log(int err) static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, int stream) { size_t size; - struct pp2_header *header = pp2_read_header(buf); - if(header == NULL) return 0; + struct pp2_header *header; + int err = pp2_read_header(sldns_buffer_begin(buf), + sldns_buffer_remaining(buf)); + if(err) return 0; + header = (struct pp2_header*)sldns_buffer_begin(buf); size = PP2_HEADER_SIZE + ntohs(header->len); if((header->ver_cmd & 0xF) == PP2_CMD_LOCAL) { /* A connection from the proxy itself. @@ -803,6 +806,10 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, } /* Ignore the destination address; it should be us. */ break; + default: + log_err("proxy_protocol: unsupported family and " + "protocol"); + return 0; } rep->is_proxied = 1; done: @@ -1675,12 +1682,17 @@ ssl_handle_read(struct comm_point* c) } } if(c->pp2_header_state == pp2_header_init) { - header = pp2_read_header(c->buffer); - if(!header) { + int err; + err = pp2_read_header( + sldns_buffer_begin(c->buffer), + sldns_buffer_remaining(c->buffer)); + if(err) { log_err("proxy_protocol: could not parse " - "PROXYv2 header"); + "PROXYv2 header (%s)", + pp_lookup_error(err)); return 0; } + header = (struct pp2_header*)sldns_buffer_begin(c->buffer); want_read_size = ntohs(header->len); if(sldns_buffer_remaining(c->buffer) < PP2_HEADER_SIZE + want_read_size) { @@ -2067,12 +2079,17 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) } } if(c->pp2_header_state == pp2_header_init) { - header = pp2_read_header(c->buffer); - if(!header) { + int err; + err = pp2_read_header( + sldns_buffer_begin(c->buffer), + sldns_buffer_remaining(c->buffer)); + if(err) { log_err("proxy_protocol: could not parse " - "PROXYv2 header"); + "PROXYv2 header (%s)", + pp_lookup_error(err)); return 0; } + header = (struct pp2_header*)sldns_buffer_begin(c->buffer); want_read_size = ntohs(header->len); if(sldns_buffer_remaining(c->buffer) < PP2_HEADER_SIZE + want_read_size) { diff --git a/util/proxy_protocol.c b/util/proxy_protocol.c index 757c5141d..fd253372f 100644 --- a/util/proxy_protocol.c +++ b/util/proxy_protocol.c @@ -38,102 +38,148 @@ * * This file contains PROXY protocol functions. */ -#include "config.h" -#include "util/log.h" #include "util/proxy_protocol.h" -int -pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src, +/** + * Internal struct initialized with function pointers for writing uint16 and + * uint32. + */ +struct proxy_protocol_data { + void (*write_uint16)(void* buf, uint16_t data); + void (*write_uint32)(void* buf, uint32_t data); +}; +struct proxy_protocol_data pp_data; + +/** + * Internal lookup table; could be further generic like sldns_lookup_table + * for all the future generic stuff. + */ +struct proxy_protocol_lookup_table { + int id; + const char *text; +}; + +/** + * Internal parsing error text; could be exposed with pp_lookup_error. + */ +static struct proxy_protocol_lookup_table pp_parse_errors_data[] = { + { PP_PARSE_NOERROR, "no parse error" }, + { PP_PARSE_SIZE, "not enough space for header" }, + { PP_PARSE_WRONG_HEADERv2, "could not match PROXYv2 header" }, + { PP_PARSE_UNKNOWN_CMD, "unknown command" }, + { PP_PARSE_UNKNOWN_FAM_PROT, "unknown family and protocol" }, +}; + +void +pp_init(void (*write_uint16)(void* buf, uint16_t data), + void (*write_uint32)(void* buf, uint32_t data)) { + pp_data.write_uint16 = write_uint16; + pp_data.write_uint32 = write_uint32; +} + +const char* +pp_lookup_error(enum pp_parse_errors error) { + return pp_parse_errors_data[error].text; +} + +size_t +pp2_write_to_buf(uint8_t* buf, size_t buflen, struct sockaddr_storage* src, int stream) { int af; + size_t expected_size; if(!src) return 0; af = (int)((struct sockaddr_in*)src)->sin_family; - if(sldns_buffer_remaining(buf) < - PP2_HEADER_SIZE + (af==AF_INET?12:36)) { + expected_size = PP2_HEADER_SIZE + (af==AF_INET?12:36); + if(buflen < expected_size) { return 0; } /* sig */ - sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN); + memcpy(buf, PP2_SIG, PP2_SIG_LEN); + buf += PP2_SIG_LEN; /* version and command */ - sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY); + *buf = (PP2_VERSION << 4) | PP2_CMD_PROXY; + buf++; if(af==AF_INET) { /* family and protocol */ - sldns_buffer_write_u8(buf, - (PP2_AF_INET<<4) | - (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM)); + *buf = (PP2_AF_INET<<4) | + (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM); + buf++; /* length */ - sldns_buffer_write_u16(buf, 12); + (*pp_data.write_uint16)(buf, 12); + buf += 2; /* src addr */ - sldns_buffer_write(buf, + memcpy(buf, &((struct sockaddr_in*)src)->sin_addr.s_addr, 4); + buf += 4; /* dst addr */ - sldns_buffer_write_u32(buf, 0); + (*pp_data.write_uint32)(buf, 0); + buf += 4; /* src port */ - sldns_buffer_write(buf, + memcpy(buf, &((struct sockaddr_in*)src)->sin_port, 2); + buf += 2; + /* dst addr */ /* dst port */ - sldns_buffer_write_u16(buf, 0); + (*pp_data.write_uint16)(buf, 12); } else { /* family and protocol */ - sldns_buffer_write_u8(buf, - (PP2_AF_INET6<<4) | - (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM)); + *buf = (PP2_AF_INET6<<4) | + (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM); + buf++; /* length */ - sldns_buffer_write_u16(buf, 36); + (*pp_data.write_uint16)(buf, 36); + buf += 2; /* src addr */ - sldns_buffer_write(buf, + memcpy(buf, &((struct sockaddr_in6*)src)->sin6_addr, 16); + buf += 16; /* dst addr */ - sldns_buffer_set_at(buf, - sldns_buffer_position(buf), 0, 16); - sldns_buffer_skip(buf, 16); + memset(buf, 0, 16); + buf += 16; /* src port */ - sldns_buffer_write(buf, - &((struct sockaddr_in6*)src)->sin6_port, 2); + memcpy(buf, &((struct sockaddr_in6*)src)->sin6_port, 2); + buf += 2; /* dst port */ - sldns_buffer_write_u16(buf, 0); + (*pp_data.write_uint16)(buf, 0); } - return 1; + return expected_size; } -struct pp2_header* -pp2_read_header(struct sldns_buffer* buf) +int +pp2_read_header(uint8_t* buf, size_t buflen) { size_t size; - struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf); + struct pp2_header* header = (struct pp2_header*)buf; /* Try to fail all the unsupported cases first. */ - if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) { - log_err("proxy_protocol: not enough space for header"); - return NULL; + if(buflen < PP2_HEADER_SIZE) { + return PP_PARSE_SIZE; } /* Check for PROXYv2 header */ if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 || ((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) { - log_err("proxy_protocol: could not match PROXYv2 header"); - return NULL; + return PP_PARSE_WRONG_HEADERv2; } /* Check the length */ size = PP2_HEADER_SIZE + ntohs(header->len); - if(sldns_buffer_remaining(buf) < size) { - log_err("proxy_protocol: not enough space for header"); - return NULL; + if(buflen < size) { + return PP_PARSE_SIZE; } /* Check for supported commands */ if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL && (header->ver_cmd & 0xF) != PP2_CMD_PROXY) { - log_err("proxy_protocol: unsupported command"); - return NULL; + return PP_PARSE_UNKNOWN_CMD; } /* Check for supported family and protocol */ if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ && header->fam_prot != 0x11 /* AF_INET|STREAM */ && header->fam_prot != 0x12 /* AF_INET|DGRAM */ && header->fam_prot != 0x21 /* AF_INET6|STREAM */ && - header->fam_prot != 0x22 /* AF_INET6|DGRAM */) { - log_err("proxy_protocol: unsupported family and protocol"); - return NULL; + header->fam_prot != 0x22 /* AF_INET6|DGRAM */ && + header->fam_prot != 0x31 /* AF_UNIX|STREAM */ && + header->fam_prot != 0x32 /* AF_UNIX|DGRAM */) { + return PP_PARSE_UNKNOWN_FAM_PROT; } /* We have a correct header */ - return header; + return PP_PARSE_NOERROR; } diff --git a/util/proxy_protocol.h b/util/proxy_protocol.h index 13cab9d74..f4867ad6c 100644 --- a/util/proxy_protocol.h +++ b/util/proxy_protocol.h @@ -42,7 +42,7 @@ #ifndef PROXY_PROTOCOL_H #define PROXY_PROTOCOL_H -#include "sldns/sbuffer.h" +#include "config.h" /** PROXYv2 minimum header size */ #define PP2_HEADER_SIZE 16 @@ -109,23 +109,51 @@ struct pp2_header { } addr; }; +/** + * PROXY parse errors. + */ +enum pp_parse_errors { + PP_PARSE_NOERROR = 0, + PP_PARSE_SIZE, + PP_PARSE_WRONG_HEADERv2, + PP_PARSE_UNKNOWN_CMD, + PP_PARSE_UNKNOWN_FAM_PROT, +}; + +/** + * Initialize the internal proxy structure. + * @param write_uint16: pointer to a function that can write uint16. + * @param write_uint32: pointer to a function that can write uint32. + */ +void pp_init(void (*write_uint16)(void* buf, uint16_t data), + void (*write_uint32)(void* buf, uint32_t data)); + +/** + * Lookup the parsing error description. + * @param error: parsing error from pp2_read_header. + * @return the description. + */ +const char* pp_lookup_error(enum pp_parse_errors error); + /** * Write a PROXYv2 header at the current position of the buffer. - * @param buf: the buffer to write to. + * @param buf: pointer to the buffer to write data to. + * @param buflen: available size on the buffer. * @param src: the source address. * @param stream: if the protocol is stream or datagram. * @return 1 on success, 0 on failure. */ -int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src, - int stream); +size_t pp2_write_to_buf(uint8_t* buf, size_t buflen, + struct sockaddr_storage* src, int stream); /** * Read a PROXYv2 header from the current position of the buffer. * It does initial validation and returns a pointer to the buffer position on * success. - * @param buf: the buffer to read from. - * @return the pointer to the buffer position on success, NULL on error. + * @param buf: pointer to the buffer data to read from. + * @param buflen: available size on the buffer. + * @return parsing error, 0 on success. */ -struct pp2_header* pp2_read_header(struct sldns_buffer* buf); +int pp2_read_header(uint8_t* buf, size_t buflen); #endif /* PROXY_PROTOCOL_H */ From 542f717bf9a01c5a84e357f23a17fd403be4b237 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 25 Apr 2023 08:16:19 +0200 Subject: [PATCH 2/9] - adjust generic proxy-protocol header for IPv6 support with ifdef. --- util/proxy_protocol.c | 11 ++++++++++- util/proxy_protocol.h | 7 ++++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/util/proxy_protocol.c b/util/proxy_protocol.c index fd253372f..03db06037 100644 --- a/util/proxy_protocol.c +++ b/util/proxy_protocol.c @@ -83,7 +83,12 @@ pp_lookup_error(enum pp_parse_errors error) { } size_t -pp2_write_to_buf(uint8_t* buf, size_t buflen, struct sockaddr_storage* src, +pp2_write_to_buf(uint8_t* buf, size_t buflen, +#ifdef INET6 + struct sockaddr_storage* src, +#else + struct sockaddr_in* src, +#endif int stream) { int af; @@ -123,6 +128,7 @@ pp2_write_to_buf(uint8_t* buf, size_t buflen, struct sockaddr_storage* src, /* dst port */ (*pp_data.write_uint16)(buf, 12); } else { +#ifdef INET6 /* family and protocol */ *buf = (PP2_AF_INET6<<4) | (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM); @@ -142,6 +148,9 @@ pp2_write_to_buf(uint8_t* buf, size_t buflen, struct sockaddr_storage* src, buf += 2; /* dst port */ (*pp_data.write_uint16)(buf, 0); +#else + return 0; +#endif /* INET6 */ } return expected_size; } diff --git a/util/proxy_protocol.h b/util/proxy_protocol.h index f4867ad6c..58d3f8d57 100644 --- a/util/proxy_protocol.h +++ b/util/proxy_protocol.h @@ -144,7 +144,12 @@ const char* pp_lookup_error(enum pp_parse_errors error); * @return 1 on success, 0 on failure. */ size_t pp2_write_to_buf(uint8_t* buf, size_t buflen, - struct sockaddr_storage* src, int stream); +#ifdef INET6 + struct sockaddr_storage* src, +#else + struct sockaddr_in* src, +#endif + int stream); /** * Read a PROXYv2 header from the current position of the buffer. From 4bcc0a0a7aadec12e51cedb2ffbd617e4122f37c Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 25 Apr 2023 16:44:58 +0200 Subject: [PATCH 3/9] streamtcp, implement IXFR=N queries, add documentation for proxy option. --- testcode/streamtcp.1 | 7 +++++++ testcode/streamtcp.c | 32 +++++++++++++++++++++++++++++++- 2 files changed, 38 insertions(+), 1 deletion(-) diff --git a/testcode/streamtcp.1 b/testcode/streamtcp.1 index f02b168d2..629e69570 100644 --- a/testcode/streamtcp.1 +++ b/testcode/streamtcp.1 @@ -61,6 +61,13 @@ Specify the server to send the queries to. If not specified localhost (127.0.0.1 .B \-d \fIsecs Delay after the connection before sending query. This tests the timeout on the other side, eg. if shorter the connection is closed. +.TP +.B \-p \fIclient +Use proxy protocol to send the query. Specify the ipaddr@portnr of the client +to include in PROXYv2. +.TP +.B IXFR=serial +Pass the type of the query as IXFR=N to send an IXFR query with serial N. .SH "EXAMPLES" .LP Some examples of use. diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c index 53b29852f..ea9b3cf49 100644 --- a/testcode/streamtcp.c +++ b/testcode/streamtcp.c @@ -79,6 +79,7 @@ static void usage(char* argv[]) printf("-d secs delay after connection before sending query\n"); printf("-s use ssl\n"); printf("-h this help text\n"); + printf("IXFR=N for the type, sends ixfr query with serial N.\n"); exit(1); } @@ -123,6 +124,8 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, { struct query_info qinfo; size_t proxy_buf_limit = sldns_buffer_limit(proxy_buf); + int have_serial = 0; + uint32_t serial = 0; /* qname */ qinfo.qname = sldns_str2wire_dname(strname, &qinfo.qname_len); if(!qinfo.qname) { @@ -131,7 +134,13 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, } /* qtype and qclass */ - qinfo.qtype = sldns_get_rr_type_by_name(strtype); + if(strncasecmp(strtype, "IXFR=", 5) == 0) { + serial = (uint32_t)atoi(strtype+5); + have_serial = 1; + qinfo.qtype = LDNS_RR_TYPE_IXFR; + } else { + qinfo.qtype = sldns_get_rr_type_by_name(strtype); + } qinfo.qclass = sldns_get_rr_class_by_name(strclass); /* clear local alias */ @@ -142,6 +151,27 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, sldns_buffer_write_u16_at(buf, 0, id); sldns_buffer_write_u16_at(buf, 2, BIT_RD); + if(have_serial && qinfo.qtype == LDNS_RR_TYPE_IXFR) { + /* Attach serial to SOA record in the authority section. */ + sldns_buffer_set_position(buf, sldns_buffer_limit(buf)); + sldns_buffer_set_limit(buf, sldns_buffer_capacity(buf)); + /* Write compressed reference to the query */ + sldns_buffer_write_u16(buf, PTR_CREATE(LDNS_HEADER_SIZE)); + sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); + sldns_buffer_write_u16(buf, qinfo.qclass); + sldns_buffer_write_u32(buf, 3600); /* TTL */ + sldns_buffer_write_u16(buf, 1+1+4*5); /* rdatalen */ + sldns_buffer_write_u8(buf, 0); /* primary "." */ + sldns_buffer_write_u8(buf, 0); /* email "." */ + sldns_buffer_write_u32(buf, serial); /* serial */ + sldns_buffer_write_u32(buf, 0); /* refresh */ + sldns_buffer_write_u32(buf, 0); /* retry */ + sldns_buffer_write_u32(buf, 0); /* expire */ + sldns_buffer_write_u32(buf, 0); /* minimum */ + LDNS_NSCOUNT_SET(sldns_buffer_begin(buf), 1); + sldns_buffer_flip(buf); + } + if(1) { /* add EDNS DO */ struct edns_data edns; From 15a2add0f85f6807ed8db67982e1689cb11c4a27 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Wed, 26 Apr 2023 11:57:10 +0200 Subject: [PATCH 4/9] streamtcp, implement NOTIFY[=N] that sends a notify packet. --- testcode/streamtcp.1 | 4 +++ testcode/streamtcp.c | 60 +++++++++++++++++++++++++++++++------------- 2 files changed, 47 insertions(+), 17 deletions(-) diff --git a/testcode/streamtcp.1 b/testcode/streamtcp.1 index 629e69570..55ed4a279 100644 --- a/testcode/streamtcp.1 +++ b/testcode/streamtcp.1 @@ -68,6 +68,10 @@ to include in PROXYv2. .TP .B IXFR=serial Pass the type of the query as IXFR=N to send an IXFR query with serial N. +.TP +.B NOTIFY[=serial] +Pass the type of the query as NOTIFY[=N] to send a notify packet. The serial N +of the new zone can be included. .SH "EXAMPLES" .LP Some examples of use. diff --git a/testcode/streamtcp.c b/testcode/streamtcp.c index ea9b3cf49..0cd9f185f 100644 --- a/testcode/streamtcp.c +++ b/testcode/streamtcp.c @@ -80,6 +80,7 @@ static void usage(char* argv[]) printf("-s use ssl\n"); printf("-h this help text\n"); printf("IXFR=N for the type, sends ixfr query with serial N.\n"); + printf("NOTIFY[=N] for the type, sends notify. Can set new zone serial N.\n"); exit(1); } @@ -116,6 +117,29 @@ open_svr(const char* svr, int udp, struct sockaddr_storage* addr, return fd; } +/** Append a SOA record with serial number */ +static void +write_soa_serial_to_buf(sldns_buffer* buf, struct query_info* qinfo, + uint32_t serial) +{ + sldns_buffer_set_position(buf, sldns_buffer_limit(buf)); + sldns_buffer_set_limit(buf, sldns_buffer_capacity(buf)); + /* Write compressed reference to the query */ + sldns_buffer_write_u16(buf, PTR_CREATE(LDNS_HEADER_SIZE)); + sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); + sldns_buffer_write_u16(buf, qinfo->qclass); + sldns_buffer_write_u32(buf, 3600); /* TTL */ + sldns_buffer_write_u16(buf, 1+1+4*5); /* rdatalen */ + sldns_buffer_write_u8(buf, 0); /* primary "." */ + sldns_buffer_write_u8(buf, 0); /* email "." */ + sldns_buffer_write_u32(buf, serial); /* serial */ + sldns_buffer_write_u32(buf, 0); /* refresh */ + sldns_buffer_write_u32(buf, 0); /* retry */ + sldns_buffer_write_u32(buf, 0); /* expire */ + sldns_buffer_write_u32(buf, 0); /* minimum */ + sldns_buffer_flip(buf); +} + /** write a query over the TCP fd */ static void write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, @@ -124,7 +148,7 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, { struct query_info qinfo; size_t proxy_buf_limit = sldns_buffer_limit(proxy_buf); - int have_serial = 0; + int have_serial = 0, is_notify = 0; uint32_t serial = 0; /* qname */ qinfo.qname = sldns_str2wire_dname(strname, &qinfo.qname_len); @@ -138,6 +162,14 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, serial = (uint32_t)atoi(strtype+5); have_serial = 1; qinfo.qtype = LDNS_RR_TYPE_IXFR; + } else if(strcasecmp(strtype, "NOTIFY") == 0) { + is_notify = 1; + qinfo.qtype = LDNS_RR_TYPE_SOA; + } else if(strncasecmp(strtype, "NOTIFY=", 7) == 0) { + serial = (uint32_t)atoi(strtype+7); + have_serial = 1; + is_notify = 1; + qinfo.qtype = LDNS_RR_TYPE_SOA; } else { qinfo.qtype = sldns_get_rr_type_by_name(strtype); } @@ -153,23 +185,17 @@ write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, if(have_serial && qinfo.qtype == LDNS_RR_TYPE_IXFR) { /* Attach serial to SOA record in the authority section. */ - sldns_buffer_set_position(buf, sldns_buffer_limit(buf)); - sldns_buffer_set_limit(buf, sldns_buffer_capacity(buf)); - /* Write compressed reference to the query */ - sldns_buffer_write_u16(buf, PTR_CREATE(LDNS_HEADER_SIZE)); - sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA); - sldns_buffer_write_u16(buf, qinfo.qclass); - sldns_buffer_write_u32(buf, 3600); /* TTL */ - sldns_buffer_write_u16(buf, 1+1+4*5); /* rdatalen */ - sldns_buffer_write_u8(buf, 0); /* primary "." */ - sldns_buffer_write_u8(buf, 0); /* email "." */ - sldns_buffer_write_u32(buf, serial); /* serial */ - sldns_buffer_write_u32(buf, 0); /* refresh */ - sldns_buffer_write_u32(buf, 0); /* retry */ - sldns_buffer_write_u32(buf, 0); /* expire */ - sldns_buffer_write_u32(buf, 0); /* minimum */ + write_soa_serial_to_buf(buf, &qinfo, serial); LDNS_NSCOUNT_SET(sldns_buffer_begin(buf), 1); - sldns_buffer_flip(buf); + } + if(is_notify) { + LDNS_OPCODE_SET(sldns_buffer_begin(buf), LDNS_PACKET_NOTIFY); + LDNS_RD_CLR(sldns_buffer_begin(buf)); + LDNS_AA_SET(sldns_buffer_begin(buf)); + if(have_serial) { + write_soa_serial_to_buf(buf, &qinfo, serial); + LDNS_ANCOUNT_SET(sldns_buffer_begin(buf), 1); + } } if(1) { From 80153decd1a2dd66e97f81f305711094629303c0 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 2 May 2023 14:36:29 +0200 Subject: [PATCH 5/9] - Fix proxy-protocol buffer checks when writing and read from buffer. --- util/netevent.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/util/netevent.c b/util/netevent.c index c0fe1e6a6..4bbed6364 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -1685,7 +1685,7 @@ ssl_handle_read(struct comm_point* c) int err; err = pp2_read_header( sldns_buffer_begin(c->buffer), - sldns_buffer_remaining(c->buffer)); + sldns_buffer_position(c->buffer)); if(err) { log_err("proxy_protocol: could not parse " "PROXYv2 header (%s)", @@ -1694,7 +1694,7 @@ ssl_handle_read(struct comm_point* c) } header = (struct pp2_header*)sldns_buffer_begin(c->buffer); want_read_size = ntohs(header->len); - if(sldns_buffer_remaining(c->buffer) < + if(sldns_buffer_limit(c->buffer) < PP2_HEADER_SIZE + want_read_size) { log_err_addr("proxy_protocol: not enough " "buffer size to read PROXYv2 header", "", @@ -1753,6 +1753,7 @@ ssl_handle_read(struct comm_point* c) c->repinfo.remote_addrlen); return 0; } + sldns_buffer_flip(c->buffer); if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) { log_err_addr("proxy_protocol: could not consume " "PROXYv2 header", "", &c->repinfo.remote_addr, @@ -2082,7 +2083,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) int err; err = pp2_read_header( sldns_buffer_begin(c->buffer), - sldns_buffer_remaining(c->buffer)); + sldns_buffer_position(c->buffer)); if(err) { log_err("proxy_protocol: could not parse " "PROXYv2 header (%s)", @@ -2091,7 +2092,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) } header = (struct pp2_header*)sldns_buffer_begin(c->buffer); want_read_size = ntohs(header->len); - if(sldns_buffer_remaining(c->buffer) < + if(sldns_buffer_limit(c->buffer) < PP2_HEADER_SIZE + want_read_size) { log_err_addr("proxy_protocol: not enough " "buffer size to read PROXYv2 header", "", @@ -2128,6 +2129,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) c->repinfo.remote_addrlen); return 0; } + sldns_buffer_flip(c->buffer); if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) { log_err_addr("proxy_protocol: could not consume " "PROXYv2 header", "", &c->repinfo.remote_addr, From cac1d13fda1072521031fa1779a161dc8203a774 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Tue, 2 May 2023 14:54:51 +0200 Subject: [PATCH 6/9] - Fix proxy-protocol to read header in multiple reads and check buffer size. --- util/netevent.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/util/netevent.c b/util/netevent.c index 4bbed6364..edb9da8b5 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -1677,6 +1677,7 @@ ssl_handle_read(struct comm_point* c) return 0; } c->tcp_byte_count += r; + sldns_buffer_skip(c->buffer, r); if(c->tcp_byte_count != current_read_size) return 1; c->pp2_header_state = pp2_header_init; } @@ -1685,7 +1686,7 @@ ssl_handle_read(struct comm_point* c) int err; err = pp2_read_header( sldns_buffer_begin(c->buffer), - sldns_buffer_position(c->buffer)); + sldns_buffer_limit(c->buffer)); if(err) { log_err("proxy_protocol: could not parse " "PROXYv2 header (%s)", @@ -1743,6 +1744,7 @@ ssl_handle_read(struct comm_point* c) return 0; } c->tcp_byte_count += r; + sldns_buffer_skip(c->buffer, r); if(c->tcp_byte_count != current_read_size) return 1; c->pp2_header_state = pp2_header_done; } @@ -2075,6 +2077,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) goto recv_error_initial; } c->tcp_byte_count += r; + sldns_buffer_skip(c->buffer, r); if(c->tcp_byte_count != current_read_size) return 1; c->pp2_header_state = pp2_header_init; } @@ -2083,7 +2086,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) int err; err = pp2_read_header( sldns_buffer_begin(c->buffer), - sldns_buffer_position(c->buffer)); + sldns_buffer_limit(c->buffer)); if(err) { log_err("proxy_protocol: could not parse " "PROXYv2 header (%s)", @@ -2119,6 +2122,7 @@ comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) goto recv_error; } c->tcp_byte_count += r; + sldns_buffer_skip(c->buffer, r); if(c->tcp_byte_count != current_read_size) return 1; c->pp2_header_state = pp2_header_done; } From 0102360e920d1b26fde0120f2ac1d7eb770fa3c4 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Fri, 29 Sep 2023 16:03:08 +0200 Subject: [PATCH 7/9] root-zonemd-test, add test for ZONEMD usage from the root zone, currently with the unsupported algorithm. --- testdata/root_zonemd.tdir/root_zonemd.conf | 34 +++++++++++++ testdata/root_zonemd.tdir/root_zonemd.dsc | 16 ++++++ testdata/root_zonemd.tdir/root_zonemd.post | 14 ++++++ testdata/root_zonemd.tdir/root_zonemd.pre | 50 +++++++++++++++++++ testdata/root_zonemd.tdir/root_zonemd.test | 51 ++++++++++++++++++++ testdata/root_zonemd.tdir/root_zonemd.testns | 9 ++++ 6 files changed, 174 insertions(+) create mode 100644 testdata/root_zonemd.tdir/root_zonemd.conf create mode 100644 testdata/root_zonemd.tdir/root_zonemd.dsc create mode 100644 testdata/root_zonemd.tdir/root_zonemd.post create mode 100644 testdata/root_zonemd.tdir/root_zonemd.pre create mode 100644 testdata/root_zonemd.tdir/root_zonemd.test create mode 100644 testdata/root_zonemd.tdir/root_zonemd.testns diff --git a/testdata/root_zonemd.tdir/root_zonemd.conf b/testdata/root_zonemd.tdir/root_zonemd.conf new file mode 100644 index 000000000..befb4fbe9 --- /dev/null +++ b/testdata/root_zonemd.tdir/root_zonemd.conf @@ -0,0 +1,34 @@ +server: + verbosity: 7 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: "" + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + # for the test, so that DNSSEC verification works. + #val-override-date: 20230929090000 + trust-anchor: ". DS 20326 8 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D" + +remote-control: + control-enable: yes + control-interface: @CONTROL_PATH@/controlpipe.@CONTROL_PID@ + control-use-cert: no + +# for the test, an upstream server in the test setup. +stub-zone: + name: "." + stub-addr: 127.0.0.1@@TOPORT@ + +# hyperlocal root zone +auth-zone: + name: "." + fallback-enabled: yes + for-downstream: no + for-upstream: yes + zonefile: "root.zone" + zonemd-check: yes + zonemd-reject-absence: yes diff --git a/testdata/root_zonemd.tdir/root_zonemd.dsc b/testdata/root_zonemd.tdir/root_zonemd.dsc new file mode 100644 index 000000000..8015ac2d1 --- /dev/null +++ b/testdata/root_zonemd.tdir/root_zonemd.dsc @@ -0,0 +1,16 @@ +BaseName: root_zonemd +Version: 1.0 +Description: ZONEMD check for root zone +CreationDate: Fri 29 Sep 09:00:00 CEST 2023 +Maintainer: dr. W.C.A. Wijngaards +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: root_zonemd.pre +Post: root_zonemd.post +Test: root_zonemd.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/root_zonemd.tdir/root_zonemd.post b/testdata/root_zonemd.tdir/root_zonemd.post new file mode 100644 index 000000000..a28599faf --- /dev/null +++ b/testdata/root_zonemd.tdir/root_zonemd.post @@ -0,0 +1,14 @@ +# #-- root_zonemd.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +echo "> cat logfiles" +cat fwd.log +cat unbound.log +kill_pid $FWD_PID +kill_pid $UNBOUND_PID +rm -f $CONTROL_PATH/controlpipe.$CONTROL_PID diff --git a/testdata/root_zonemd.tdir/root_zonemd.pre b/testdata/root_zonemd.tdir/root_zonemd.pre new file mode 100644 index 000000000..fe369bb20 --- /dev/null +++ b/testdata/root_zonemd.tdir/root_zonemd.pre @@ -0,0 +1,50 @@ +# #-- root_zonemd.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +. ../common.sh + +# attempt to download the root zone +from=k.root-servers.net +dig @$from . AXFR > root.txt +if test $? -ne 0; then + echo "could not fetch root zone" + skip_test "could not fetch root zone" +fi +grep " SOA " root.txt | head -1 > root.soa +cat root.soa >> root.zone +grep -v " SOA " root.txt >> root.zone +echo "fetched root.zone" +ls -l root.zone +cat root.soa + +get_random_port 2 +UNBOUND_PORT=$RND_PORT +FWD_PORT=$(($RND_PORT + 1)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test + +# start forwarder +get_ldns_testns +$LDNS_TESTNS -p $FWD_PORT root_zonemd.testns >fwd.log 2>&1 & +FWD_PID=$! +echo "FWD_PID=$FWD_PID" >> .tpkg.var.test + +# make config file +CONTROL_PATH=/tmp +CONTROL_PID=$$ +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' -e 's?@CONTROL_PATH\@?'$CONTROL_PATH'?' -e 's/@CONTROL_PID@/'$CONTROL_PID'/' < root_zonemd.conf > ub.conf +# start unbound in the background +PRE="../.." +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test +echo "CONTROL_PATH=$CONTROL_PATH" >> .tpkg.var.test +echo "CONTROL_PID=$CONTROL_PID" >> .tpkg.var.test + +cat .tpkg.var.test +wait_ldns_testns_up fwd.log +wait_unbound_up unbound.log + diff --git a/testdata/root_zonemd.tdir/root_zonemd.test b/testdata/root_zonemd.tdir/root_zonemd.test new file mode 100644 index 000000000..da64ab6e9 --- /dev/null +++ b/testdata/root_zonemd.tdir/root_zonemd.test @@ -0,0 +1,51 @@ +# #-- root_zonemd.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +# do the test +echo "> dig www.example.com." +dig @localhost -p $UNBOUND_PORT . SOA | tee outfile +echo "> check answer" +if grep root-servers outfile | grep "nstld.verisign-grs.com"; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +echo "> unbound-control status" +$PRE/unbound-control -c ub.conf status +if test $? -ne 0; then + echo "wrong exit value." + exit 1 +else + echo "exit value: OK" +fi + +# This is the output when an unsupported algorithm is used. +if grep "auth zone . ZONEMD unsupported algorithm" unbound.log; then + echo "OK" +else + echo "ZONEMD verification not OK" + exit 1 +fi + +echo "> unbound-control auth_zone_reload ." +$PRE/unbound-control -c ub.conf auth_zone_reload . 2>&1 | tee outfile +if test $? -ne 0; then + echo "wrong exit value." + exit 1 +fi +# The output of the reload can be checked. +#echo "> check unbound-control output" +#if grep "example.com: ZONEMD verification successful" outfile; then + #echo "OK" +#else + #echo "Not OK" + #exit 1 +#fi + +exit 0 diff --git a/testdata/root_zonemd.tdir/root_zonemd.testns b/testdata/root_zonemd.tdir/root_zonemd.testns new file mode 100644 index 000000000..d538f2215 --- /dev/null +++ b/testdata/root_zonemd.tdir/root_zonemd.testns @@ -0,0 +1,9 @@ +# reply to everything +ENTRY_BEGIN +MATCH opcode +ADJUST copy_id copy_query +REPLY QR SERVFAIL +SECTION QUESTION +example.com. IN SOA +SECTION ANSWER +ENTRY_END From f804c087e41d47aad0999984d35e52672f4dccaa Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Fri, 29 Sep 2023 17:31:52 +0200 Subject: [PATCH 8/9] proxy-protocol, review comments: - more generic switch statement for address families; - comment the protocol values as such in their definitions; - less hardcoded values for address family and protocol combinations. --- util/netevent.c | 12 ++++++------ util/proxy_protocol.c | 27 ++++++++++++++++----------- util/proxy_protocol.h | 21 +++++++++++++++++---- 3 files changed, 39 insertions(+), 21 deletions(-) diff --git a/util/netevent.c b/util/netevent.c index edb9da8b5..6a455e858 100644 --- a/util/netevent.c +++ b/util/netevent.c @@ -772,7 +772,7 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, * No need to do anything with addresses. */ goto done; } - if(header->fam_prot == 0x00) { + if(header->fam_prot == PP2_UNSPEC_UNSPEC) { /* Unspecified family and protocol. This could be used for * health checks by proxies. * No need to do anything with addresses. */ @@ -780,8 +780,8 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, } /* Read the proxied address */ switch(header->fam_prot) { - case 0x11: /* AF_INET|STREAM */ - case 0x12: /* AF_INET|DGRAM */ + case PP2_INET_STREAM: + case PP2_INET_DGRAM: { struct sockaddr_in* addr = (struct sockaddr_in*)&rep->client_addr; @@ -792,8 +792,8 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, } /* Ignore the destination address; it should be us. */ break; - case 0x21: /* AF_INET6|STREAM */ - case 0x22: /* AF_INET6|DGRAM */ + case PP2_INET6_STREAM: + case PP2_INET6_DGRAM: { struct sockaddr_in6* addr = (struct sockaddr_in6*)&rep->client_addr; @@ -808,7 +808,7 @@ static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, break; default: log_err("proxy_protocol: unsupported family and " - "protocol"); + "protocol 0x%x", (int)header->fam_prot); return 0; } rep->is_proxied = 1; diff --git a/util/proxy_protocol.c b/util/proxy_protocol.c index 03db06037..a18804974 100644 --- a/util/proxy_protocol.c +++ b/util/proxy_protocol.c @@ -105,7 +105,8 @@ pp2_write_to_buf(uint8_t* buf, size_t buflen, /* version and command */ *buf = (PP2_VERSION << 4) | PP2_CMD_PROXY; buf++; - if(af==AF_INET) { + switch(af) { + case AF_INET: /* family and protocol */ *buf = (PP2_AF_INET<<4) | (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM); @@ -127,8 +128,9 @@ pp2_write_to_buf(uint8_t* buf, size_t buflen, /* dst addr */ /* dst port */ (*pp_data.write_uint16)(buf, 12); - } else { + break; #ifdef INET6 + case AF_INET6: /* family and protocol */ *buf = (PP2_AF_INET6<<4) | (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM); @@ -148,9 +150,12 @@ pp2_write_to_buf(uint8_t* buf, size_t buflen, buf += 2; /* dst port */ (*pp_data.write_uint16)(buf, 0); -#else - return 0; + break; #endif /* INET6 */ + case AF_UNIX: + /* fallthrough */ + default: + return 0; } return expected_size; } @@ -180,13 +185,13 @@ pp2_read_header(uint8_t* buf, size_t buflen) return PP_PARSE_UNKNOWN_CMD; } /* Check for supported family and protocol */ - if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ && - header->fam_prot != 0x11 /* AF_INET|STREAM */ && - header->fam_prot != 0x12 /* AF_INET|DGRAM */ && - header->fam_prot != 0x21 /* AF_INET6|STREAM */ && - header->fam_prot != 0x22 /* AF_INET6|DGRAM */ && - header->fam_prot != 0x31 /* AF_UNIX|STREAM */ && - header->fam_prot != 0x32 /* AF_UNIX|DGRAM */) { + if(header->fam_prot != PP2_UNSPEC_UNSPEC && + header->fam_prot != PP2_INET_STREAM && + header->fam_prot != PP2_INET_DGRAM && + header->fam_prot != PP2_INET6_STREAM && + header->fam_prot != PP2_INET6_DGRAM && + header->fam_prot != PP2_UNIX_STREAM && + header->fam_prot != PP2_UNIX_DGRAM) { return PP_PARSE_UNKNOWN_FAM_PROT; } /* We have a correct header */ diff --git a/util/proxy_protocol.h b/util/proxy_protocol.h index 58d3f8d57..ca81065bf 100644 --- a/util/proxy_protocol.h +++ b/util/proxy_protocol.h @@ -51,11 +51,11 @@ #define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" #define PP2_SIG_LEN 12 -/** PROXYv2 version */ +/** PROXYv2 version (protocol value) */ #define PP2_VERSION 0x2 /** - * PROXYv2 command. + * PROXYv2 command (protocol value). */ enum pp2_command { PP2_CMD_LOCAL = 0x0, @@ -63,7 +63,7 @@ enum pp2_command { }; /** - * PROXYv2 address family. + * PROXYv2 address family (protocol value). */ enum pp2_af { PP2_AF_UNSPEC = 0x0, @@ -73,7 +73,7 @@ enum pp2_af { }; /** - * PROXYv2 protocol. + * PROXYv2 protocol (protocol value). */ enum pp2_protocol { PP2_PROT_UNSPEC = 0x0, @@ -81,6 +81,19 @@ enum pp2_protocol { PP2_PROT_DGRAM = 0x2 }; +/** + * Expected combinations of address family and protocol values used in checks. + */ +enum pp2_af_protocol_combination { + PP2_UNSPEC_UNSPEC = (PP2_AF_UNSPEC<<4)|PP2_PROT_UNSPEC, + PP2_INET_STREAM = (PP2_AF_INET<<4)|PP2_PROT_STREAM, + PP2_INET_DGRAM = (PP2_AF_INET<<4)|PP2_PROT_DGRAM, + PP2_INET6_STREAM = (PP2_AF_INET6<<4)|PP2_PROT_STREAM, + PP2_INET6_DGRAM = (PP2_AF_INET6<<4)|PP2_PROT_DGRAM, + PP2_UNIX_STREAM = (PP2_AF_UNIX<<4)|PP2_PROT_STREAM, + PP2_UNIX_DGRAM = (PP2_AF_UNIX<<4)|PP2_PROT_DGRAM +}; + /** * PROXYv2 header. */ From 9342bf685e0742e1147bfee81b2985affc0b60bc Mon Sep 17 00:00:00 2001 From: George Thessalonikefs Date: Mon, 2 Oct 2023 16:13:23 +0200 Subject: [PATCH 9/9] - Fix misplaced comment. --- doc/Changelog | 3 +++ services/outside_network.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/doc/Changelog b/doc/Changelog index 9b3ccf8ea..cc79cc3c8 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +2 October 2023: George + - Fix misplaced comment. + 22 September 2023: Wouter - Fix #942: 1.18.0 libunbound DNS regression when built without OpenSSL. diff --git a/services/outside_network.c b/services/outside_network.c index 2a219cbc6..12923f07d 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -550,7 +550,6 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr, log_assert(&key_p.reuse != (struct reuse_tcp*)result); log_assert(&key_p != ((struct reuse_tcp*)result)->pending); } - /* not found, return null */ /* It is possible that we search for something before the first element * in the tree. Replace a null pointer with the first element. @@ -560,6 +559,7 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr, result = rbtree_first(&outnet->tcp_reuse); } + /* not found, return null */ if(!result || result == RBTREE_NULL) return NULL;