- contrib/fastrpz.patch updated for code changes, and with git diff.

2025-12-20 23:00:56 -05:00 · 2019-05-02 11:17:41 +02:00 · 2019-05-02 11:17:41 +02:00 · f46c238552
commit f46c238552
parent 7e300939c0
2 changed files with 165 additions and 159 deletions
--- a/contrib/fastrpz.patch
+++ b/contrib/fastrpz.patch
@ -1,11 +1,11 @@
 Description: based on the included patch contrib/fastrpz.patch
 Author: fastrpz@farsightsecurity.com
 ---
-Index: unboundfastrpz/Makefile.in
+diff --git a/Makefile.in b/Makefile.in
-===================================================================
+index 03a6347..6758bea 100644
--- unboundfastrpz/Makefile.in	(revision 5073)
+--- a/Makefile.in
-+++ unboundfastrpz/Makefile.in	(working copy)
+++ b/Makefile.in
-@@ -23,6 +23,8 @@
+@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
 CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
 DNSTAP_SRC=@DNSTAP_SRC@
 DNSTAP_OBJ=@DNSTAP_OBJ@
@ -14,7 +14,7 @@ Index: unboundfastrpz/Makefile.in
 DNSCRYPT_SRC=@DNSCRYPT_SRC@
 DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
 WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
-@@ -126,7 +128,7 @@
+@@ -126,7 +128,7 @@ validator/val_sigcrypt.c validator/val_utils.c dns64/dns64.c \
 edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
 edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
 cachedb/cachedb.c cachedb/redis.c respip/respip.c $(CHECKLOCK_SRC) \
@ -23,7 +23,7 @@ Index: unboundfastrpz/Makefile.in
 COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
 as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
 iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
-@@ -139,7 +141,7 @@
+@@ -139,7 +141,7 @@ autotrust.lo val_anchor.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo redis.lo authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
@ -32,7 +32,7 @@ Index: unboundfastrpz/Makefile.in
 COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
 outside_network.lo
 COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
-@@ -405,6 +407,11 @@
+@@ -405,6 +407,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h \
 	$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
 	$(srcdir)/util/netevent.h
@ -44,11 +44,11 @@ Index: unboundfastrpz/Makefile.in
 # Python Module
 pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
 	pythonmod/interface.h \
-Index: unboundfastrpz/config.h.in
+diff --git a/config.h.in b/config.h.in
-===================================================================
+index 74c14d1..a18f4ff 100644
--- unboundfastrpz/config.h.in	(revision 5073)
+--- a/config.h.in
-+++ unboundfastrpz/config.h.in	(working copy)
+++ b/config.h.in
-@@ -1293,4 +1293,11 @@
+@@ -1305,4 +1305,11 @@ void *unbound_stat_realloc_log(void *ptr, size_t size, const char* file,
 /** the version of unbound-control that this software implements */
 #define UNBOUND_CONTROL_VERSION 1
@ -61,11 +61,11 @@ Index: unboundfastrpz/config.h.in
 +#undef FASTRPZ_LIB_OPEN
 +/** turn on fastrpz response policy zones */
 +#undef ENABLE_FASTRPZ
-Index: unboundfastrpz/configure.ac
+diff --git a/configure.ac b/configure.ac
-===================================================================
+index abbecf0..6454274 100644
--- unboundfastrpz/configure.ac	(revision 5073)
+--- a/configure.ac
-+++ unboundfastrpz/configure.ac	(working copy)
+++ b/configure.ac
-@@ -6,6 +6,7 @@
+@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
 sinclude(acx_python.m4)
 sinclude(ac_pkg_swig.m4)
 sinclude(dnstap/dnstap.m4)
@ -73,7 +73,7 @@ Index: unboundfastrpz/configure.ac
 sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
-@@ -1575,6 +1576,9 @@
+@@ -1586,6 +1587,9 @@ case "$enable_ipsecmod" in
 		;;
 esac
@ -83,10 +83,10 @@ Index: unboundfastrpz/configure.ac
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
-Index: unboundfastrpz/daemon/daemon.c
+diff --git a/daemon/daemon.c b/daemon/daemon.c
-===================================================================
+index 7461a26..706f8f6 100644
--- unboundfastrpz/daemon/daemon.c	(revision 5073)
+--- a/daemon/daemon.c
-+++ unboundfastrpz/daemon/daemon.c	(working copy)
+++ b/daemon/daemon.c
@@ -91,6 +91,9 @@
 #include "sldns/keyraw.h"
 #include "respip/respip.h"
@ -97,36 +97,36 @@ Index: unboundfastrpz/daemon/daemon.c
 #ifdef HAVE_SYSTEMD
 #include <systemd/sd-daemon.h>
-@@ -462,6 +465,14 @@
+@@ -460,6 +463,14 @@ daemon_create_workers(struct daemon* daemon)
 		dt_apply_cfg(daemon->dtenv, daemon->cfg);
 #else
 		fatal_exit("dnstap enabled in config but not built with dnstap support");
- #endif
+#endif
- 	}
+	}
 +	if(daemon->cfg->rpz_enable) {
 +#ifdef ENABLE_FASTRPZ
 +		rpz_init(&daemon->rpz_clist, &daemon->rpz_client, daemon->cfg);
 +#else
 +		fatal_exit("fastrpz enabled in config"
 +			   " but not built with fastrpz");
-+#endif
+ #endif
-+	}
+ 	}
 	for(i=0; i<daemon->num; i++) {
- 		if(!(daemon->workers[i] = worker_create(daemon, i,
+@@ -718,6 +729,9 @@ daemon_cleanup(struct daemon* daemon)
- 			shufport+numport*i/daemon->num, 
+ #ifdef USE_DNSCRYPT
@@ -719,6 +730,9 @@
 	dnsc_delete(daemon->dnscenv);
 	daemon->dnscenv = NULL;
- #endif
+#endif
 +#ifdef ENABLE_FASTRPZ
 +	rpz_delete(&daemon->rpz_clist, &daemon->rpz_client);
-+#endif
+ #endif
 	daemon->cfg = NULL;
 }
- 
+diff --git a/daemon/daemon.h b/daemon/daemon.h
-Index: unboundfastrpz/daemon/daemon.h
+index 5749dbe..64ce230 100644
-===================================================================
+--- a/daemon/daemon.h
--- unboundfastrpz/daemon/daemon.h	(revision 5073)
+++ b/daemon/daemon.h
-+++ unboundfastrpz/daemon/daemon.h	(working copy)
+@@ -136,6 +136,11 @@ struct daemon {
@@ -136,6 +136,11 @@
 	/** the dnscrypt environment */
 	struct dnsc_env* dnscenv;
 #endif
@ -138,10 +138,10 @@ Index: unboundfastrpz/daemon/daemon.h
 };
 /**
-Index: unboundfastrpz/daemon/worker.c
+diff --git a/daemon/worker.c b/daemon/worker.c
-===================================================================
+index fc93817..e435226 100644
--- unboundfastrpz/daemon/worker.c	(revision 5073)
+--- a/daemon/worker.c
-+++ unboundfastrpz/daemon/worker.c	(working copy)
+++ b/daemon/worker.c
@@ -75,6 +75,9 @@
 #include "libunbound/context.h"
 #include "libunbound/libworker.h"
@ -152,7 +152,7 @@ Index: unboundfastrpz/daemon/worker.c
 #include "sldns/wire2str.h"
 #include "util/shm_side/shm_main.h"
 #include "dnscrypt/dnscrypt.h"
-@@ -533,8 +536,27 @@
+@@ -533,8 +536,27 @@ answer_norec_from_cache(struct worker* worker, struct query_info* qinfo,
 			/* not secure */
 			secure = 0;
 			break;
@ -180,7 +180,7 @@ Index: unboundfastrpz/daemon/worker.c
 	/* return this delegation from the cache */
 	edns_bak = *edns;
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
-@@ -702,6 +724,23 @@
+@@ -699,6 +721,23 @@ answer_from_cache(struct worker* worker, struct query_info* qinfo,
 			secure = 0;
 		}
 	} else	secure = 0;
@ -204,7 +204,7 @@ Index: unboundfastrpz/daemon/worker.c
 	edns_bak = *edns;
 	edns->edns_version = EDNS_ADVERTISED_VERSION;
-@@ -1407,6 +1446,15 @@
+@@ -1409,6 +1448,15 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 		log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
 			&repinfo->addr, repinfo->addrlen);
 		goto send_reply;
@ -220,7 +220,7 @@ Index: unboundfastrpz/daemon/worker.c
 	}
 	/* If we've found a local alias, replace the qname with the alias
-@@ -1455,12 +1503,21 @@
+@@ -1457,12 +1505,21 @@ lookup_cache:
 		h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
 		if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
 			/* answer from cache - we have acquired a readlock on it */
@ -244,7 +244,7 @@ Index: unboundfastrpz/daemon/worker.c
 				/* prefetch it if the prefetch TTL expired.
 				 * Note that if there is more than one pass
 				 * its qname must be that used for cache
-@@ -1514,11 +1571,19 @@
+@@ -1516,11 +1573,19 @@ lookup_cache:
 			lock_rw_unlock(&e->lock);
 		}
 		if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
@ -266,11 +266,11 @@ Index: unboundfastrpz/daemon/worker.c
 				goto send_reply;
 			}
 			verbose(VERB_ALGO, "answer norec from cache -- "
-Index: unboundfastrpz/doc/unbound.conf.5.in
+diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
-===================================================================
+index c14ee27..0b71eaf 100644
--- unboundfastrpz/doc/unbound.conf.5.in	(revision 5073)
+--- a/doc/unbound.conf.5.in
-+++ unboundfastrpz/doc/unbound.conf.5.in	(working copy)
+++ b/doc/unbound.conf.5.in
-@@ -1781,6 +1781,81 @@
+@@ -1795,6 +1795,81 @@ List domain for which the AAAA records are ignored and the A record is
 used by dns64 processing instead.  Can be entered multiple times, list a
 new domain for which it applies, one per line.  Applies also to names
 underneath the name given.
@ -352,10 +352,11 @@ Index: unboundfastrpz/doc/unbound.conf.5.in
 .SS "DNSCrypt Options"
 .LP
 The
-Index: unboundfastrpz/fastrpz/librpz.h
+diff --git a/fastrpz/librpz.h b/fastrpz/librpz.h
-===================================================================
+new file mode 100644
--- unboundfastrpz/fastrpz/librpz.h	(nonexistent)
+index 0000000..645279d
-+++ unboundfastrpz/fastrpz/librpz.h	(working copy)
+--- /dev/null
 +++ b/fastrpz/librpz.h
@@ -0,0 +1,957 @@
 +/*
 + * Define the interface from a DNS resolver to the Response Policy Zone
@ -1314,10 +1315,11 @@ Index: unboundfastrpz/fastrpz/librpz.h
 +#endif /* LIBRPZ_LIB_OPEN */
 +
 +#endif /* LIBRPZ_H */
-Index: unboundfastrpz/fastrpz/rpz.c
+diff --git a/fastrpz/rpz.c b/fastrpz/rpz.c
-===================================================================
+new file mode 100644
--- unboundfastrpz/fastrpz/rpz.c	(nonexistent)
+index 0000000..c5ab780
-+++ unboundfastrpz/fastrpz/rpz.c	(working copy)
+--- /dev/null
 +++ b/fastrpz/rpz.c
@@ -0,0 +1,1352 @@
 +/*
 + * fastrpz/rpz.c - interface to the fastrpz response policy zone library
@ -2671,10 +2673,11 @@ Index: unboundfastrpz/fastrpz/rpz.c
 +}
 +
 +#endif /* ENABLE_FASTRPZ */
-Index: unboundfastrpz/fastrpz/rpz.h
+diff --git a/fastrpz/rpz.h b/fastrpz/rpz.h
-===================================================================
+new file mode 100644
--- unboundfastrpz/fastrpz/rpz.h	(nonexistent)
+index 0000000..5d7e31c
-+++ unboundfastrpz/fastrpz/rpz.h	(working copy)
+--- /dev/null
 +++ b/fastrpz/rpz.h
@@ -0,0 +1,138 @@
 +/*
 + * fastrpz/rpz.h - interface to the fastrpz response policy zone library
@ -2814,10 +2817,11 @@ Index: unboundfastrpz/fastrpz/rpz.h
 +
 +#endif /* ENABLE_FASTRPZ */
 +#endif /* UNBOUND_FASTRPZ_RPZ_H */
-Index: unboundfastrpz/fastrpz/rpz.m4
+diff --git a/fastrpz/rpz.m4 b/fastrpz/rpz.m4
-===================================================================
+new file mode 100644
--- unboundfastrpz/fastrpz/rpz.m4	(nonexistent)
+index 0000000..2123535
-+++ unboundfastrpz/fastrpz/rpz.m4	(working copy)
+--- /dev/null
 +++ b/fastrpz/rpz.m4
@@ -0,0 +1,64 @@
 +# fastrpz/rpz.m4
 +
@ -2883,10 +2887,10 @@ Index: unboundfastrpz/fastrpz/rpz.m4
 +    AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])
 +  fi
 +])
-Index: unboundfastrpz/iterator/iterator.c
+diff --git a/iterator/iterator.c b/iterator/iterator.c
-===================================================================
+index c906c27..55bf218 100644
--- unboundfastrpz/iterator/iterator.c	(revision 5073)
+--- a/iterator/iterator.c
-+++ unboundfastrpz/iterator/iterator.c	(working copy)
+++ b/iterator/iterator.c
@@ -68,6 +68,9 @@
 #include "sldns/str2wire.h"
 #include "sldns/parseutil.h"
@ -2897,7 +2901,7 @@ Index: unboundfastrpz/iterator/iterator.c
 /* in msec */
 int UNKNOWN_SERVER_NICENESS = 376;
-@@ -551,6 +554,23 @@
+@@ -551,6 +554,23 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 		if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
 			query_dname_compare(*mname, r->rk.dname) == 0 &&
 			!iter_find_rrset_in_prepend_answer(iq, r)) {
@ -2921,7 +2925,7 @@ Index: unboundfastrpz/iterator/iterator.c
 			/* Add this relevant CNAME rrset to the prepend list.*/
 			if(!iter_add_prepend_answer(qstate, iq, r))
 				return 0;
-@@ -559,6 +579,9 @@
+@@ -559,6 +579,9 @@ handle_cname_response(struct module_qstate* qstate, struct iter_qstate* iq,
 		/* Other rrsets in the section are ignored. */
 	}
@ -2931,7 +2935,7 @@ Index: unboundfastrpz/iterator/iterator.c
 	/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
 	for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
 		msg->rep->ns_numrrsets; i++) {
-@@ -1195,6 +1218,7 @@
+@@ -1195,6 +1218,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	uint8_t* delname;
 	size_t delnamelen;
 	struct dns_msg* msg = NULL;
@ -2939,7 +2943,7 @@ Index: unboundfastrpz/iterator/iterator.c
 	log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
 	/* check effort */
-@@ -1281,8 +1305,7 @@
+@@ -1281,8 +1305,7 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 	}
 	if(msg) {
 		/* handle positive cache response */
@ -2949,7 +2953,7 @@ Index: unboundfastrpz/iterator/iterator.c
 		if(verbosity >= VERB_ALGO) {
 			log_dns_msg("msg from cache lookup", &msg->qinfo, 
 				msg->rep);
-@@ -1290,7 +1313,22 @@
+@@ -1290,7 +1313,22 @@ processInitRequest(struct module_qstate* qstate, struct iter_qstate* iq,
 				(int)msg->rep->ttl, 
 				(int)msg->rep->prefetch_ttl);
 		}
@ -2972,7 +2976,7 @@ Index: unboundfastrpz/iterator/iterator.c
 		if(type == RESPONSE_TYPE_CNAME) {
 			uint8_t* sname = 0;
 			size_t slen = 0;
-@@ -2694,6 +2732,62 @@
+@@ -2714,6 +2752,62 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
 			sock_list_insert(&qstate->reply_origin, 
 				&qstate->reply->addr, qstate->reply->addrlen, 
 				qstate->region);
@ -3035,7 +3039,7 @@ Index: unboundfastrpz/iterator/iterator.c
 		if(iq->minimisation_state != DONOT_MINIMISE_STATE
 			&& !(iq->chase_flags & BIT_RD)) {
 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
-@@ -3440,6 +3534,10 @@
+@@ -3467,12 +3561,44 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq,
 		 * but only if we did recursion. The nonrecursion referral
 		 * from cache does not need to be stored in the msg cache. */
 		if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@ -3046,7 +3050,6 @@ Index: unboundfastrpz/iterator/iterator.c
 			iter_dns_store(qstate->env, &qstate->qinfo, 
 				iq->response->rep, 0, qstate->prefetch_leeway,
 				iq->dp&&iq->dp->has_parent_side_NS,
@@ -3446,6 +3544,34 @@
 				qstate->region, qstate->query_flags);
 		}
 	}
@ -3081,11 +3084,11 @@ Index: unboundfastrpz/iterator/iterator.c
 	qstate->return_rcode = LDNS_RCODE_NOERROR;
 	qstate->return_msg = iq->response;
 	return 0;
-Index: unboundfastrpz/iterator/iterator.h
+diff --git a/iterator/iterator.h b/iterator/iterator.h
-===================================================================
+index a2f1b57..e1e4a73 100644
--- unboundfastrpz/iterator/iterator.h	(revision 5073)
+--- a/iterator/iterator.h
-+++ unboundfastrpz/iterator/iterator.h	(working copy)
+++ b/iterator/iterator.h
-@@ -386,6 +386,16 @@
+@@ -386,6 +386,16 @@ struct iter_qstate {
 	 */
 	int minimise_count;
@ -3102,11 +3105,11 @@ Index: unboundfastrpz/iterator/iterator.h
 	/**
 	 * Count number of time-outs. Used to prevent resolving failures when
 	 * the QNAME minimisation QTYPE is blocked. */
-Index: unboundfastrpz/services/cache/dns.c
+diff --git a/services/cache/dns.c b/services/cache/dns.c
-===================================================================
+index aa4efec..5dd3412 100644
--- unboundfastrpz/services/cache/dns.c	(revision 5073)
+--- a/services/cache/dns.c
-+++ unboundfastrpz/services/cache/dns.c	(working copy)
+++ b/services/cache/dns.c
-@@ -939,6 +939,14 @@
+@@ -945,6 +945,14 @@ dns_cache_store(struct module_env* env, struct query_info* msgqinf,
 	struct regional* region, uint32_t flags)
 {
 	struct reply_info* rep = NULL;
@ -3121,10 +3124,10 @@ Index: unboundfastrpz/services/cache/dns.c
 	/* alloc, malloc properly (not in region, like msg is) */
 	rep = reply_info_copy(msgrep, env->alloc, NULL);
 	if(!rep)
-Index: unboundfastrpz/services/mesh.c
+diff --git a/services/mesh.c b/services/mesh.c
-===================================================================
+index d96289e..2e9f267 100644
--- unboundfastrpz/services/mesh.c	(revision 5073)
+--- a/services/mesh.c
-+++ unboundfastrpz/services/mesh.c	(working copy)
+++ b/services/mesh.c
@@ -60,6 +60,9 @@
 #include "sldns/wire2str.h"
 #include "services/localzone.h"
@ -3135,7 +3138,7 @@ Index: unboundfastrpz/services/mesh.c
 #include "respip/respip.h"
 #include "services/listen_dnsport.h"
-@@ -1072,6 +1075,13 @@
+@@ -1072,6 +1075,13 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep,
 	else	secure = 0;
 	if(!rep && rcode == LDNS_RCODE_NOERROR)
 		rcode = LDNS_RCODE_SERVFAIL;
@ -3149,7 +3152,7 @@ Index: unboundfastrpz/services/mesh.c
 	/* send the reply */
 	/* We don't reuse the encoded answer if either the previous or current
 	 * response has a local alias.  We could compare the alias records
-@@ -1247,6 +1257,7 @@
+@@ -1247,6 +1257,7 @@ struct mesh_state* mesh_area_find(struct mesh_area* mesh,
 	key.s.is_valrec = valrec;
 	key.s.qinfo = *qinfo;
 	key.s.query_flags = qflags;
@ -3157,7 +3160,7 @@ Index: unboundfastrpz/services/mesh.c
 	/* We are searching for a similar mesh state when we DO want to
 	 * aggregate the state. Thus unique is set to NULL. (default when we
 	 * desire aggregation).*/
-@@ -1293,6 +1304,10 @@
+@@ -1293,6 +1304,10 @@ int mesh_state_add_reply(struct mesh_state* s, struct edns_data* edns,
 	if(!r)
 		return 0;
 	r->query_reply = *rep;
@ -3168,11 +3171,11 @@ Index: unboundfastrpz/services/mesh.c
 	r->edns = *edns;
 	if(edns->opt_list) {
 		r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
-Index: unboundfastrpz/util/config_file.c
+diff --git a/util/config_file.c b/util/config_file.c
-===================================================================
+index 9b60254..d791f8f 100644
--- unboundfastrpz/util/config_file.c	(revision 5073)
+--- a/util/config_file.c
-+++ unboundfastrpz/util/config_file.c	(working copy)
+++ b/util/config_file.c
-@@ -1418,6 +1418,8 @@
+@@ -1418,6 +1418,8 @@ config_delete(struct config_file* cfg)
 	free(cfg->dnstap_socket_path);
 	free(cfg->dnstap_identity);
 	free(cfg->dnstap_version);
@ -3181,11 +3184,11 @@ Index: unboundfastrpz/util/config_file.c
 	config_deldblstrlist(cfg->ratelimit_for_domain);
 	config_deldblstrlist(cfg->ratelimit_below_domain);
 #ifdef USE_IPSECMOD
-Index: unboundfastrpz/util/config_file.h
+diff --git a/util/config_file.h b/util/config_file.h
-===================================================================
+index 3cffdbf..e0fa1c8 100644
--- unboundfastrpz/util/config_file.h	(revision 5073)
+--- a/util/config_file.h
-+++ unboundfastrpz/util/config_file.h	(working copy)
+++ b/util/config_file.h
-@@ -490,6 +490,11 @@
+@@ -490,6 +490,11 @@ struct config_file {
 	/** true to disable DNSSEC lameness check in iterator */
 	int disable_dnssec_lame_check;
@ -3197,11 +3200,11 @@ Index: unboundfastrpz/util/config_file.h
 	/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
 	int ip_ratelimit;
 	/** number of slabs for ip_ratelimit cache */
-Index: unboundfastrpz/util/configlexer.lex
+diff --git a/util/configlexer.lex b/util/configlexer.lex
-===================================================================
+index 16b5bc5..038045d 100644
--- unboundfastrpz/util/configlexer.lex	(revision 5073)
+--- a/util/configlexer.lex
-+++ unboundfastrpz/util/configlexer.lex	(working copy)
+++ b/util/configlexer.lex
-@@ -439,6 +439,10 @@
+@@ -439,6 +439,10 @@ dnstap-log-forwarder-query-messages{COLON}	{
 		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
 dnstap-log-forwarder-response-messages{COLON}	{
 		YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@ -3212,11 +3215,11 @@ Index: unboundfastrpz/util/configlexer.lex
 disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
 ip-ratelimit{COLON}		{ YDVAR(1, VAR_IP_RATELIMIT) }
 ratelimit{COLON}		{ YDVAR(1, VAR_RATELIMIT) }
-Index: unboundfastrpz/util/configparser.y
+diff --git a/util/configparser.y b/util/configparser.y
-===================================================================
+index c7b9169..bef15b5 100644
--- unboundfastrpz/util/configparser.y	(revision 5073)
+--- a/util/configparser.y
-+++ unboundfastrpz/util/configparser.y	(working copy)
+++ b/util/configparser.y
-@@ -125,6 +125,7 @@
+@@ -125,6 +125,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
 %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
@ -3224,7 +3227,7 @@ Index: unboundfastrpz/util/configparser.y
 %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
 %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
-@@ -170,7 +171,7 @@
+@@ -170,7 +171,7 @@ extern struct config_parser_state* cfg_parser;
 %%
 toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -3233,7 +3236,7 @@ Index: unboundfastrpz/util/configparser.y
 	forwardstart contents_forward | pythonstart contents_py | 
 	rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
 	dnscstart contents_dnsc | cachedbstart contents_cachedb |
-@@ -2708,6 +2709,50 @@
+@@ -2710,6 +2711,50 @@ dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MES
 		free($2);
 	}
 	;
@ -3284,11 +3287,11 @@ Index: unboundfastrpz/util/configparser.y
 pythonstart: VAR_PYTHON
 	{ 
 		OUTYY(("\nP(python:)\n")); 
-Index: unboundfastrpz/util/data/msgencode.c
+diff --git a/util/data/msgencode.c b/util/data/msgencode.c
-===================================================================
+index 4c0a555..e51e9b8 100644
--- unboundfastrpz/util/data/msgencode.c	(revision 5073)
+--- a/util/data/msgencode.c
-+++ unboundfastrpz/util/data/msgencode.c	(working copy)
+++ b/util/data/msgencode.c
-@@ -590,6 +590,35 @@
+@@ -590,6 +590,35 @@ insert_section(struct reply_info* rep, size_t num_rrsets, uint16_t* num_rrs,
 	return RETVAL_OK;
 }
@ -3324,7 +3327,7 @@ Index: unboundfastrpz/util/data/msgencode.c
 /** store query section in wireformat buffer, return RETVAL */
 static int
 insert_query(struct query_info* qinfo, struct compress_tree_node** tree, 
-@@ -753,6 +782,19 @@
+@@ -753,6 +782,19 @@ reply_info_encode(struct query_info* qinfo, struct reply_info* rep,
 			return 0;
 		}
 		sldns_buffer_write_u16_at(buffer, 10, arcount);
@ -3344,11 +3347,11 @@ Index: unboundfastrpz/util/data/msgencode.c
 	}
 	sldns_buffer_flip(buffer);
 	return 1;
-Index: unboundfastrpz/util/data/packed_rrset.c
+diff --git a/util/data/packed_rrset.c b/util/data/packed_rrset.c
-===================================================================
+index 7b9d549..e44b2ce 100644
--- unboundfastrpz/util/data/packed_rrset.c	(revision 5073)
+--- a/util/data/packed_rrset.c
-+++ unboundfastrpz/util/data/packed_rrset.c	(working copy)
+++ b/util/data/packed_rrset.c
-@@ -255,6 +255,10 @@
+@@ -255,6 +255,10 @@ sec_status_to_string(enum sec_status s)
 	case sec_status_insecure: 	return "sec_status_insecure";
 	case sec_status_secure_sentinel_fail: 	return "sec_status_secure_sentinel_fail";
 	case sec_status_secure: 	return "sec_status_secure";
@ -3359,11 +3362,11 @@ Index: unboundfastrpz/util/data/packed_rrset.c
 	}
 	return "unknown_sec_status_value";
 }
-Index: unboundfastrpz/util/data/packed_rrset.h
+diff --git a/util/data/packed_rrset.h b/util/data/packed_rrset.h
-===================================================================
+index 3a5335d..2011321 100644
--- unboundfastrpz/util/data/packed_rrset.h	(revision 5073)
+--- a/util/data/packed_rrset.h
-+++ unboundfastrpz/util/data/packed_rrset.h	(working copy)
+++ b/util/data/packed_rrset.h
-@@ -193,7 +193,15 @@
+@@ -193,7 +193,15 @@ enum sec_status {
 	sec_status_secure_sentinel_fail,
 	/** SECURE means that the object (RRset or message) validated 
 	 * according to local policy. */
@ -3380,10 +3383,10 @@ Index: unboundfastrpz/util/data/packed_rrset.h
 };
 /**
-Index: unboundfastrpz/util/netevent.c
+diff --git a/util/netevent.c b/util/netevent.c
-===================================================================
+index b8b2a09..5ccc29a 100644
--- unboundfastrpz/util/netevent.c	(revision 5073)
+--- a/util/netevent.c
-+++ unboundfastrpz/util/netevent.c	(working copy)
+++ b/util/netevent.c
@@ -57,6 +57,9 @@
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>
@ -3394,7 +3397,7 @@ Index: unboundfastrpz/util/netevent.c
 /* -------- Start of local definitions -------- */
 /** if CMSG_ALIGN is not defined on this platform, a workaround */
-@@ -590,6 +593,9 @@
+@@ -590,6 +593,9 @@ comm_point_udp_ancil_callback(int fd, short event, void* arg)
 	struct cmsghdr* cmsg;
 #endif /* S_SPLINT_S */
@ -3404,7 +3407,7 @@ Index: unboundfastrpz/util/netevent.c
 	rep.c = (struct comm_point*)arg;
 	log_assert(rep.c->type == comm_udp);
-@@ -679,6 +685,9 @@
+@@ -679,6 +685,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
 	int i;
 	struct sldns_buffer *buffer;
@ -3414,7 +3417,7 @@ Index: unboundfastrpz/util/netevent.c
 	rep.c = (struct comm_point*)arg;
 	log_assert(rep.c->type == comm_udp);
-@@ -722,6 +731,9 @@
+@@ -722,6 +731,9 @@ comm_point_udp_callback(int fd, short event, void* arg)
 			(void)comm_point_send_udp_msg(rep.c, buffer,
 				(struct sockaddr*)&rep.addr, rep.addrlen);
 		}
@ -3424,7 +3427,7 @@ Index: unboundfastrpz/util/netevent.c
 		if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
 		another UDP port. Note rep.c cannot be reused with TCP fd. */
 			break;
-@@ -3108,6 +3120,9 @@
+@@ -3142,6 +3154,9 @@ comm_point_send_reply(struct comm_reply *repinfo)
 				repinfo->c->tcp_timeout_msec);
 		}
 	}
@ -3434,7 +3437,7 @@ Index: unboundfastrpz/util/netevent.c
 }
 void 
-@@ -3117,6 +3132,9 @@
+@@ -3151,6 +3166,9 @@ comm_point_drop_reply(struct comm_reply* repinfo)
 		return;
 	log_assert(repinfo && repinfo->c);
 	log_assert(repinfo->c->type != comm_tcp_accept);
@ -3444,21 +3447,21 @@ Index: unboundfastrpz/util/netevent.c
 	if(repinfo->c->type == comm_udp)
 		return;
 	if(repinfo->c->tcp_req_info)
-@@ -3138,6 +3156,9 @@
+@@ -3172,6 +3190,9 @@ comm_point_start_listening(struct comm_point* c, int newfd, int msec)
 {
- 	verbose(VERB_ALGO, "comm point start listening %d", 
+ 	verbose(VERB_ALGO, "comm point start listening %d (%d msec)", 
- 		c->fd==-1?newfd:c->fd);
+ 		c->fd==-1?newfd:c->fd, msec);
 +#ifdef ENABLE_FASTRPZ
 +	rpz_end(&c->repinfo);
 +#endif
 	if(c->type == comm_tcp_accept && !c->tcp_free) {
 		/* no use to start listening no free slots. */
 		return;
-Index: unboundfastrpz/util/netevent.h
+diff --git a/util/netevent.h b/util/netevent.h
-===================================================================
+index d80c72b..0233292 100644
--- unboundfastrpz/util/netevent.h	(revision 5073)
+--- a/util/netevent.h
-+++ unboundfastrpz/util/netevent.h	(working copy)
+++ b/util/netevent.h
-@@ -120,6 +120,10 @@
+@@ -120,6 +120,10 @@ struct comm_reply {
 	/** return type 0 (none), 4(IP4), 6(IP6) */
 	int srctype;
 	/* DnsCrypt context */
@ -3469,11 +3472,11 @@ Index: unboundfastrpz/util/netevent.h
 #ifdef USE_DNSCRYPT
 	uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
 	uint8_t nmkey[crypto_box_BEFORENMBYTES];
-Index: unboundfastrpz/validator/validator.c
+diff --git a/validator/validator.c b/validator/validator.c
-===================================================================
+index fa8d541..5628ef0 100644
--- unboundfastrpz/validator/validator.c	(revision 5073)
+--- a/validator/validator.c
-+++ unboundfastrpz/validator/validator.c	(working copy)
+++ b/validator/validator.c
-@@ -2755,6 +2755,12 @@
+@@ -2755,6 +2755,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 			default:
 				/* NSEC proof did not work, try next */
 				break;
@ -3486,7 +3489,7 @@ Index: unboundfastrpz/validator/validator.c
 		}
 		sec = nsec3_prove_nods(qstate->env, ve, 
-@@ -2788,6 +2794,12 @@
+@@ -2788,6 +2794,12 @@ ds_response_to_ke(struct module_qstate* qstate, struct val_qstate* vq,
 			default:
 				/* NSEC3 proof did not work */
 				break;
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,6 @@
 2 May 2019: Wouter
 	- contrib/fastrpz.patch updated for code changes, and with git diff.
 1 May 2019: Wouter
 	- Update makedist for git.
 	- Nicer travis output for clang analysis.