mirror of
https://github.com/NLnetLabs/unbound.git
synced 2026-06-11 09:31:28 -04:00
b935e83cee
Adds an nftset module alongside the existing ipset module. A new nftset: configuration section selects the nftables backend and is configured with family:, table:, name-v4:, name-v6:. Additionally both nftset and ipset have been given support for per-zone sets (configured with set: "zone" "name-v4" "name-v6"). Previously only a single global set name was supported. The nftset and ipset sections are mutually exclusive within a single config. Both backends share the majority of their code in ipset.c and use netlink via libmnl on Linux. The ipset path is unchanged on BSD. New support for checking netlink errors and best-effort error logging voa NETLINK_EXT_ACK string where available has been added for both nft and the original ipset support (which previously lacked reporting). Addditionally CAP_NET_ADMIN is now preserved across the privilege drop on Linux when the ipset or nftset module is configured, so the netlink socket can be opened after dropping root. |
||
|---|---|---|
| .. | ||
| cache | ||
| authzone.c | ||
| authzone.h | ||
| listen_dnsport.c | ||
| listen_dnsport.h | ||
| localzone.c | ||
| localzone.h | ||
| mesh.c | ||
| mesh.h | ||
| modstack.c | ||
| modstack.h | ||
| outbound_list.c | ||
| outbound_list.h | ||
| outside_network.c | ||
| outside_network.h | ||
| rpz.c | ||
| rpz.h | ||
| view.c | ||
| view.h | ||