Diffstat (limited to 'contrib/fastrpz.patch')
-rw-r--r-- | contrib/fastrpz.patch | 352 |
1 files changed, 155 insertions, 197 deletions
diff --git a/contrib/fastrpz.patch b/contrib/fastrpz.patch
index 362e07cc6a8dc..6e78bf1b7cf3c 100644
--- a/contrib/fastrpz.patch
+++ b/contrib/fastrpz.patch
@@ -1,10 +1,15 @@
+Description: based on the included patch contrib/fastrpz.patch
+Author: fastrpz@farsightsecurity.com
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
 ===================================================================
 RCS file: ./RCS/Makefile.in,v
 retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./Makefile.in
---- ./Makefile.in
-+++ ./Makefile.in
-@@ -23,6 +23,8 @@
+Index: unbound-1.7.0~rc1/Makefile.in
+===================================================================
+--- unbound-1.7.0~rc1.orig/Makefile.in
++++ unbound-1.7.0~rc1/Makefile.in
+@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
 CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
 DNSTAP_SRC=@DNSTAP_SRC@
 DNSTAP_OBJ=@DNSTAP_OBJ@
@@ -13,7 +18,7 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
 DNSCRYPT_SRC=@DNSCRYPT_SRC@
 DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
 WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
-@@ -125,7 +127,7 @@
+@@ -125,7 +127,7 @@ validator/val_sigcrypt.c validator/val_u
 edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
 edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
 cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
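Review bot: The new DEP-3 `Description:` is self-referential — `based on the included patch contrib/fastrpz.patch` names the file it lives in rather than saying what the patch does, so a packager reading the header learns nothing about the change or the security feature it enables. Suggest `Description: Add Farsight fastrpz response policy zone (RPZ) support to unbound; rebased onto unbound 1.7.0~rc1`, noting, if the rpz.m4 warning further down is accurate, that librpz.so is loaded through dlopen at run time. DEP-3 also expects `Origin:` and `Forwarded:` fields and an `Author:` in `Name <email>` form; the rebase target is currently only discoverable from the `Index: unbound-1.7.0~rc1/...` lines.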
@@ -22,16 +27,16 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \ as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \ iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \ -@@ -137,7 +139,7 @@ +@@ -137,7 +139,7 @@ slabhash.lo timehist.lo tube.lo winsock_ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ - val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \ + val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ --$(IPSECMOD_OBJ) -+$(FASTRPZ_OBJ) $(DNSCRYPT_OBJ) - COMMON_OBJ_WITHOUT_NETCALL+=respip.lo +-$(IPSECMOD_OBJ) respip.lo ++$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) respip.lo COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \ outside_network.lo -@@ -398,6 +401,11 @@ + COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo +@@ -400,6 +402,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscry $(srcdir)/util/config_file.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h @@ -43,13 +48,11 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in # Python Module pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \ pythonmod/interface.h \ +Index: unbound-1.7.0~rc1/config.h.in =================================================================== -RCS file: ./RCS/config.h.in,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./config.h.in ---- ./config.h.in -+++ ./config.h.in -@@ -1199,4 +1199,11 @@ +--- unbound-1.7.0~rc1.orig/config.h.in ++++ unbound-1.7.0~rc1/config.h.in +@@ -1228,4 +1228,11 @@ void *unbound_stat_realloc_log(void *ptr /** the version of unbound-control that this software implements */ #define UNBOUND_CONTROL_VERSION 1 
@@ -62,13 +65,11 @@ diff -u --unidirectional-new-file -r1.1 ./config.h.in +#undef FASTRPZ_LIB_OPEN +/** turn on fastrpz response policy zones */ +#undef ENABLE_FASTRPZ +Index: unbound-1.7.0~rc1/configure.ac =================================================================== -RCS file: ./RCS/configure.ac,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./configure.ac ---- ./configure.ac -+++ ./configure.ac -@@ -6,6 +6,7 @@ +--- unbound-1.7.0~rc1.orig/configure.ac ++++ unbound-1.7.0~rc1/configure.ac +@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4) sinclude(acx_python.m4) sinclude(ac_pkg_swig.m4) sinclude(dnstap/dnstap.m4) @@ -76,8 +77,8 @@ diff -u --unidirectional-new-file -r1.1 ./configure.ac sinclude(dnscrypt/dnscrypt.m4) # must be numbers. ac_defun because of later processing -@@ -1352,6 +1353,9 @@ - ;; +@@ -1453,6 +1454,9 @@ case "$enable_ipsecmod" in + ;; esac +# check for Fastrpz with fastrpz/rpz.m4 @@ -86,13 +87,11 @@ diff -u --unidirectional-new-file -r1.1 ./configure.ac AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope]) # on openBSD, the implicit rule make $< work. # on Solaris, it does not work ($? is changed sources, $^ lists dependencies). +Index: unbound-1.7.0~rc1/daemon/daemon.c =================================================================== -RCS file: ./daemon/RCS/daemon.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c ---- ./daemon/daemon.c -+++ ./daemon/daemon.c -@@ -89,6 +89,9 @@ +--- unbound-1.7.0~rc1.orig/daemon/daemon.c ++++ unbound-1.7.0~rc1/daemon/daemon.c +@@ -90,6 +90,9 @@ #include "sldns/keyraw.h" #include "respip/respip.h" #include <signal.h> @@ -102,7 +101,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c #ifdef HAVE_SYSTEMD #include <systemd/sd-daemon.h> -@@ -451,6 +454,14 @@ +@@ -461,6 +464,14 @@ daemon_create_workers(struct daemon* dae fatal_exit("dnstap enabled in config but not built with dnstap support"); #endif } 
@@ -117,9 +116,9 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c for(i=0; i<daemon->num; i++) { if(!(daemon->workers[i] = worker_create(daemon, i, shufport+numport*i/daemon->num, -@@ -691,6 +702,9 @@ - #ifdef USE_DNSTAP - dt_delete(daemon->dtenv); +@@ -710,6 +721,9 @@ daemon_cleanup(struct daemon* daemon) + #ifdef USE_DNSCRYPT + dnsc_delete(daemon->dnscenv); #endif +#ifdef ENABLE_FASTRPZ + rpz_delete(&daemon->rpz_clist, &daemon->rpz_client); @@ -127,13 +126,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c daemon->cfg = NULL; } +Index: unbound-1.7.0~rc1/daemon/daemon.h =================================================================== -RCS file: ./daemon/RCS/daemon.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h ---- ./daemon/daemon.h -+++ ./daemon/daemon.h -@@ -134,6 +134,11 @@ +--- unbound-1.7.0~rc1.orig/daemon/daemon.h ++++ unbound-1.7.0~rc1/daemon/daemon.h +@@ -134,6 +134,11 @@ struct daemon { /** the dnscrypt environment */ struct dnsc_env* dnscenv; #endif @@ -145,13 +142,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h }; /** +Index: unbound-1.7.0~rc1/daemon/worker.c =================================================================== -RCS file: ./daemon/RCS/worker.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c ---- ./daemon/worker.c -+++ ./daemon/worker.c -@@ -73,6 +73,9 @@ +--- unbound-1.7.0~rc1.orig/daemon/worker.c ++++ unbound-1.7.0~rc1/daemon/worker.c +@@ -74,6 +74,9 @@ #include "libunbound/context.h" #include "libunbound/libworker.h" #include "sldns/sbuffer.h" @@ -161,7 +156,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c #include "sldns/wire2str.h" #include "util/shm_side/shm_main.h" #include "dnscrypt/dnscrypt.h" -@@ -526,8 +529,27 @@ +@@ -527,8 +530,27 @@ answer_norec_from_cache(struct worker* w /* not secure */ secure = 0; break; 
@@ -189,7 +184,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c /* return this delegation from the cache */ edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; -@@ -688,6 +710,23 @@ +@@ -689,6 +711,23 @@ answer_from_cache(struct worker* worker, secure = 0; } } else secure = 0; @@ -213,7 +208,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; -@@ -1267,6 +1306,15 @@ +@@ -1291,6 +1330,15 @@ worker_handle_request(struct comm_point* log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from", &repinfo->addr, repinfo->addrlen); goto send_reply; @@ -229,16 +224,16 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c } /* If we've found a local alias, replace the qname with the alias -@@ -1315,12 +1363,21 @@ +@@ -1339,12 +1387,21 @@ lookup_cache: h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2)); if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) { /* answer from cache - we have acquired a readlock on it */ -- if(answer_from_cache(worker, &qinfo, -+ ret = answer_from_cache(worker, &qinfo, +- if(answer_from_cache(worker, &qinfo, ++ ret = answer_from_cache(worker, &qinfo, cinfo, &need_drop, &alias_rrset, &partial_rep, - (struct reply_info*)e->data, - *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), - sldns_buffer_read_u16_at(c->buffer, 2), repinfo, + (struct reply_info*)e->data, + *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), + sldns_buffer_read_u16_at(c->buffer, 2), repinfo, - &edns)) { + &edns); +#ifdef ENABLE_FASTRPZ @@ -253,7 +248,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c /* prefetch it if the prefetch TTL expired. * Note that if there is more than one pass * its qname must be that used for cache -@@ -1371,11 +1428,19 @@ +@@ -1398,11 +1455,19 @@ lookup_cache: lock_rw_unlock(&e->lock); } if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) { 
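Review bot: `ret = answer_from_cache(...)` is now followed by an `#ifdef ENABLE_FASTRPZ` branch whose body falls between this hunk and the next, so it cannot be checked here; it executes while the read lock noted in `/* answer from cache - we have acquired a readlock on it */` is still held, and the matching `lock_rw_unlock(&e->lock)` only appears in the following hunk. Any `goto send_reply` or early return the RPZ branch takes must release that lock first, and the non-fastrpz path must still test `ret` exactly as the replaced `if(answer_from_cache(...)) {` did. worker_handle_request begins and ends outside the hunk, so please confirm both against the full patch.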
@@ -275,13 +270,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c goto send_reply; } verbose(VERB_ALGO, "answer norec from cache -- " +Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in =================================================================== -RCS file: ./doc/RCS/unbound.conf.5.in,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in ---- ./doc/unbound.conf.5.in -+++ ./doc/unbound.conf.5.in -@@ -1446,6 +1446,81 @@ +--- unbound-1.7.0~rc1.orig/doc/unbound.conf.5.in ++++ unbound-1.7.0~rc1/doc/unbound.conf.5.in +@@ -1581,6 +1581,81 @@ It must be /96 or shorter. The default .B dns64\-synthall: \fI<yes or no>\fR Debug option, default no. If enabled, synthesize all AAAA records despite the presence of actual AAAA records. @@ -363,12 +356,10 @@ diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in .SS "DNSCrypt Options" .LP The +Index: unbound-1.7.0~rc1/fastrpz/librpz.h =================================================================== -RCS file: ./fastrpz/RCS/librpz.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h ---- ./fastrpz/librpz.h -+++ ./fastrpz/librpz.h +--- /dev/null ++++ unbound-1.7.0~rc1/fastrpz/librpz.h @@ -0,0 +1,957 @@ +/* + * Define the interface from a DNS resolver to the Response Policy Zone @@ -1327,12 +1318,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h +#endif /* LIBRPZ_LIB_OPEN */ + +#endif /* LIBRPZ_H */ +Index: unbound-1.7.0~rc1/fastrpz/rpz.c =================================================================== -RCS file: ./fastrpz/RCS/rpz.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c ---- ./fastrpz/rpz.c -+++ ./fastrpz/rpz.c +--- /dev/null ++++ unbound-1.7.0~rc1/fastrpz/rpz.c @@ -0,0 +1,1357 @@ +/* + * fastrpz/rpz.c - interface to the fastrpz response policy zone library 
@@ -2691,12 +2680,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c +} + +#endif /* ENABLE_FASTRPZ */ +Index: unbound-1.7.0~rc1/fastrpz/rpz.h =================================================================== -RCS file: ./fastrpz/RCS/rpz.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h ---- ./fastrpz/rpz.h -+++ ./fastrpz/rpz.h +--- /dev/null ++++ unbound-1.7.0~rc1/fastrpz/rpz.h @@ -0,0 +1,138 @@ +/* + * fastrpz/rpz.h - interface to the fastrpz response policy zone library @@ -2836,12 +2823,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h + +#endif /* ENABLE_FASTRPZ */ +#endif /* UNBOUND_FASTRPZ_RPZ_H */ +Index: unbound-1.7.0~rc1/fastrpz/rpz.m4 =================================================================== -RCS file: ./fastrpz/RCS/rpz.m4,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4 ---- ./fastrpz/rpz.m4 -+++ ./fastrpz/rpz.m4 +--- /dev/null ++++ unbound-1.7.0~rc1/fastrpz/rpz.m4 @@ -0,0 +1,64 @@ +# fastrpz/rpz.m4 + @@ -2907,13 +2892,11 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4 + AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]]) + fi +]) +Index: unbound-1.7.0~rc1/iterator/iterator.c =================================================================== -RCS file: ./iterator/RCS/iterator.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c ---- ./iterator/iterator.c -+++ ./iterator/iterator.c -@@ -67,6 +67,9 @@ +--- unbound-1.7.0~rc1.orig/iterator/iterator.c ++++ unbound-1.7.0~rc1/iterator/iterator.c +@@ -68,6 +68,9 @@ #include "sldns/str2wire.h" #include "sldns/parseutil.h" #include "sldns/sbuffer.h" 
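Review bot: `AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])` lets configure succeed with the feature silently disabled; if this branch is only reached after the operator explicitly asked for fastrpz (the macro head is outside the hunk), the result is a resolver built without the policy enforcement that was requested, and `AC_MSG_ERROR` would be the safer default. Since the warning and the `FASTRPZ_LIB_OPEN` define earlier in the patch indicate librpz.so is loaded with dlopen at run time, the macro should also document whether the name handed to dlopen is an absolute path: a bare soname is resolved through the dynamic loader's search path of a daemon that starts as root, and the dlopen has to happen before any chroot or privilege drop. The enclosing AC_DEFUN starts outside the hunk.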
@@ -2923,7 +2906,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c int iter_init(struct module_env* env, int id) -@@ -487,6 +490,23 @@ +@@ -511,6 +514,23 @@ handle_cname_response(struct module_qsta if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME && query_dname_compare(*mname, r->rk.dname) == 0 && !iter_find_rrset_in_prepend_answer(iq, r)) { @@ -2947,7 +2930,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c /* Add this relevant CNAME rrset to the prepend list.*/ if(!iter_add_prepend_answer(qstate, iq, r)) return 0; -@@ -495,6 +515,9 @@ +@@ -519,6 +539,9 @@ handle_cname_response(struct module_qsta /* Other rrsets in the section are ignored. */ } @@ -2957,7 +2940,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c /* add authority rrsets to authority prepend, for wildcarded CNAMEs */ for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets + msg->rep->ns_numrrsets; i++) { -@@ -996,6 +1019,7 @@ +@@ -1148,6 +1171,7 @@ processInitRequest(struct module_qstate* uint8_t* delname; size_t delnamelen; struct dns_msg* msg = NULL; @@ -2965,7 +2948,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo); /* check effort */ -@@ -1056,8 +1080,7 @@ +@@ -1223,8 +1247,7 @@ processInitRequest(struct module_qstate* } if(msg) { /* handle positive cache response */ @@ -2975,7 +2958,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c if(verbosity >= VERB_ALGO) { log_dns_msg("msg from cache lookup", &msg->qinfo, msg->rep); -@@ -1065,7 +1088,22 @@ +@@ -1232,7 +1255,22 @@ processInitRequest(struct module_qstate* (int)msg->rep->ttl, (int)msg->rep->prefetch_ttl); } 
@@ -2998,7 +2981,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c if(type == RESPONSE_TYPE_CNAME) { uint8_t* sname = 0; size_t slen = 0; -@@ -2321,6 +2359,62 @@ +@@ -2552,6 +2590,62 @@ processQueryResponse(struct module_qstat sock_list_insert(&qstate->reply_origin, &qstate->reply->addr, qstate->reply->addrlen, qstate->region); @@ -3061,7 +3044,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c if(iq->minimisation_state != DONOT_MINIMISE_STATE) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != LDNS_RCODE_NOERROR) { -@@ -3022,12 +3116,44 @@ +@@ -3273,12 +3367,44 @@ processFinished(struct module_qstate* qs * but only if we did recursion. The nonrecursion referral * from cache does not need to be stored in the msg cache. */ if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) { @@ -3106,13 +3089,11 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c qstate->return_rcode = LDNS_RCODE_NOERROR; qstate->return_msg = iq->response; return 0; +Index: unbound-1.7.0~rc1/iterator/iterator.h =================================================================== -RCS file: ./iterator/RCS/iterator.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h ---- ./iterator/iterator.h -+++ ./iterator/iterator.h -@@ -381,6 +381,16 @@ +--- unbound-1.7.0~rc1.orig/iterator/iterator.h ++++ unbound-1.7.0~rc1/iterator/iterator.h +@@ -383,6 +383,16 @@ struct iter_qstate { */ int minimise_count; 
@@ -3129,17 +3110,15 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h /** * Count number of time-outs. Used to prevent resolving failures when * the QNAME minimisation QTYPE is blocked. */ +Index: unbound-1.7.0~rc1/services/cache/dns.c =================================================================== -RCS file: ./services/cache/RCS/dns.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c ---- ./services/cache/dns.c -+++ ./services/cache/dns.c -@@ -838,6 +838,14 @@ - struct regional* region, uint16_t flags) +--- unbound-1.7.0~rc1.orig/services/cache/dns.c ++++ unbound-1.7.0~rc1/services/cache/dns.c +@@ -876,6 +876,14 @@ dns_cache_store(struct module_env* env, + struct regional* region, uint32_t flags) { struct reply_info* rep = NULL; -+ ++ +#ifdef ENABLE_FASTRPZ + /* Never save RPZ rewritten data. */ + if (msgrep->security == sec_status_rpz_drop || @@ -3150,12 +3129,10 @@ diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c /* alloc, malloc properly (not in region, like msg is) */ rep = reply_info_copy(msgrep, env->alloc, NULL); if(!rep) +Index: unbound-1.7.0~rc1/services/mesh.c =================================================================== -RCS file: ./services/RCS/mesh.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./services/mesh.c ---- ./services/mesh.c -+++ ./services/mesh.c +--- unbound-1.7.0~rc1.orig/services/mesh.c ++++ unbound-1.7.0~rc1/services/mesh.c @@ -59,6 +59,9 @@ #include "sldns/wire2str.h" #include "services/localzone.h" @@ -3166,7 +3143,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c #include "respip/respip.h" /** subtract timers and the values do not overflow or become negative */ -@@ -1011,6 +1014,13 @@ +@@ -1050,6 +1053,13 @@ mesh_send_reply(struct mesh_state* m, in else secure = 0; if(!rep && rcode == LDNS_RCODE_NOERROR) rcode = LDNS_RCODE_SERVFAIL; 
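Review bot: `/* Never save RPZ rewritten data. */` keys the cache-store decision on `msgrep->security == sec_status_rpz_drop || ...`, i.e. the RPZ outcome travels in the DNSSEC `security` field via the `sec_status_rpz_*` enumerators the patch adds to `enum sec_status`. The safeguard that keeps rewritten answers out of the shared message cache therefore depends on nothing between the rewrite and dns_cache_store overwriting `security`, and on every rewrite path setting one of these values; a dedicated flag on `struct reply_info`, or at least a comment in packed_rrset.h stating that invariant, would make the guarantee reviewable. The rest of the condition and the early return lie between this hunk and the next, so I can only note that the return must precede `reply_info_copy` (as the placement here suggests) so the RRsets are withheld along with the message.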
@@ -3180,7 +3157,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c /* send the reply */ /* We don't reuse the encoded answer if either the previous or current * response has a local alias. We could compare the alias records -@@ -1160,6 +1170,7 @@ +@@ -1199,6 +1209,7 @@ struct mesh_state* mesh_area_find(struct key.s.is_valrec = valrec; key.s.qinfo = *qinfo; key.s.query_flags = qflags; @@ -3188,7 +3165,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c /* We are searching for a similar mesh state when we DO want to * aggregate the state. Thus unique is set to NULL. (default when we * desire aggregation).*/ -@@ -1206,6 +1217,10 @@ +@@ -1245,6 +1256,10 @@ int mesh_state_add_reply(struct mesh_sta if(!r) return 0; r->query_reply = *rep; @@ -3199,13 +3176,11 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c r->edns = *edns; if(edns->opt_list) { r->edns.opt_list = edns_opt_copy_region(edns->opt_list, +Index: unbound-1.7.0~rc1/util/config_file.c =================================================================== -RCS file: ./util/RCS/config_file.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/config_file.c ---- ./util/config_file.c -+++ ./util/config_file.c -@@ -1167,6 +1167,8 @@ +--- unbound-1.7.0~rc1.orig/util/config_file.c ++++ unbound-1.7.0~rc1/util/config_file.c +@@ -1323,6 +1323,8 @@ config_delete(struct config_file* cfg) free(cfg->dnstap_socket_path); free(cfg->dnstap_identity); free(cfg->dnstap_version); 
@@ -3213,14 +3188,12 @@ diff -u --unidirectional-new-file -r1.1 ./util/config_file.c + free(cfg->rpz_cstr); config_deldblstrlist(cfg->ratelimit_for_domain); config_deldblstrlist(cfg->ratelimit_below_domain); - free(cfg); + #ifdef USE_IPSECMOD +Index: unbound-1.7.0~rc1/util/config_file.h =================================================================== -RCS file: ./util/RCS/config_file.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/config_file.h ---- ./util/config_file.h -+++ ./util/config_file.h -@@ -416,6 +416,11 @@ +--- unbound-1.7.0~rc1.orig/util/config_file.h ++++ unbound-1.7.0~rc1/util/config_file.h +@@ -431,6 +431,11 @@ struct config_file { /** true to disable DNSSEC lameness check in iterator */ int disable_dnssec_lame_check; @@ -3232,13 +3205,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/config_file.h /** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */ int ip_ratelimit; /** number of slabs for ip_ratelimit cache */ +Index: unbound-1.7.0~rc1/util/configlexer.lex =================================================================== -RCS file: ./util/RCS/configlexer.lex,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex ---- ./util/configlexer.lex -+++ ./util/configlexer.lex -@@ -395,6 +395,10 @@ +--- unbound-1.7.0~rc1.orig/util/configlexer.lex ++++ unbound-1.7.0~rc1/util/configlexer.lex +@@ -412,6 +412,10 @@ dnstap-log-forwarder-query-messages{COLO YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } dnstap-log-forwarder-response-messages{COLON} { YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } 
@@ -3249,13 +3220,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) } ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) } +Index: unbound-1.7.0~rc1/util/configparser.y =================================================================== -RCS file: ./util/RCS/configparser.y,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/configparser.y ---- ./util/configparser.y -+++ ./util/configparser.y -@@ -124,6 +124,7 @@ +--- unbound-1.7.0~rc1.orig/util/configparser.y ++++ unbound-1.7.0~rc1/util/configparser.y +@@ -124,6 +124,7 @@ extern struct config_parser_state* cfg_p %token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES %token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES @@ -3263,16 +3232,16 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y %token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA %token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT %token VAR_DISABLE_DNSSEC_LAME_CHECK -@@ -153,7 +154,7 @@ - toplevelvar: serverstart contents_server | stubstart contents_stub | +@@ -158,7 +159,7 @@ extern struct config_parser_state* cfg_p + + %% + toplevelvars: /* empty */ | toplevelvars toplevelvar ; +-toplevelvar: serverstart contents_server | stubstart contents_stub | ++toplevelvar: serverstart contents_server | stubstart contents_stub | rpzstart contents_rpz | forwardstart contents_forward | pythonstart contents_py | - rcstart contents_rc | dtstart contents_dt | viewstart -- contents_view | -+ contents_view | rpzstart contents_rpz | - dnscstart contents_dnsc | - cachedbstart contents_cachedb - ; -@@ -2160,6 +2161,50 @@ + rcstart contents_rc | dtstart contents_dt | viewstart contents_view | + dnscstart contents_dnsc | cachedbstart contents_cachedb | +@@ -2384,6 +2385,50 @@ dt_dnstap_log_forwarder_response_message (strcmp($2, "yes")==0); } ; 
@@ -3323,13 +3292,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y pythonstart: VAR_PYTHON { OUTYY(("\nP(python:)\n")); +Index: unbound-1.7.0~rc1/util/data/msgencode.c =================================================================== -RCS file: ./util/data/RCS/msgencode.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c ---- ./util/data/msgencode.c -+++ ./util/data/msgencode.c -@@ -585,6 +585,35 @@ +--- unbound-1.7.0~rc1.orig/util/data/msgencode.c ++++ unbound-1.7.0~rc1/util/data/msgencode.c +@@ -585,6 +585,35 @@ insert_section(struct reply_info* rep, s return RETVAL_OK; } @@ -3365,7 +3332,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c /** store query section in wireformat buffer, return RETVAL */ static int insert_query(struct query_info* qinfo, struct compress_tree_node** tree, -@@ -748,6 +777,19 @@ +@@ -750,6 +779,19 @@ reply_info_encode(struct query_info* qin return 0; } sldns_buffer_write_u16_at(buffer, 10, arcount); @@ -3385,13 +3352,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c } sldns_buffer_flip(buffer); return 1; +Index: unbound-1.7.0~rc1/util/data/packed_rrset.c =================================================================== -RCS file: ./util/data/RCS/packed_rrset.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c ---- ./util/data/packed_rrset.c -+++ ./util/data/packed_rrset.c -@@ -254,6 +254,10 @@ +--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.c ++++ unbound-1.7.0~rc1/util/data/packed_rrset.c +@@ -254,6 +254,10 @@ sec_status_to_string(enum sec_status s) case sec_status_indeterminate: return "sec_status_indeterminate"; case sec_status_insecure: return "sec_status_insecure"; case sec_status_secure: return "sec_status_secure"; 
@@ -3402,13 +3367,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c } return "unknown_sec_status_value"; } +Index: unbound-1.7.0~rc1/util/data/packed_rrset.h =================================================================== -RCS file: ./util/data/RCS/packed_rrset.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h ---- ./util/data/packed_rrset.h -+++ ./util/data/packed_rrset.h -@@ -189,7 +189,15 @@ +--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.h ++++ unbound-1.7.0~rc1/util/data/packed_rrset.h +@@ -189,7 +189,15 @@ enum sec_status { sec_status_insecure, /** SECURE means that the object (RRset or message) validated * according to local policy. */ @@ -3425,12 +3388,10 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h }; /** +Index: unbound-1.7.0~rc1/util/netevent.c =================================================================== -RCS file: ./util/RCS/netevent.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/netevent.c ---- ./util/netevent.c -+++ ./util/netevent.c +--- unbound-1.7.0~rc1.orig/util/netevent.c ++++ unbound-1.7.0~rc1/util/netevent.c @@ -54,6 +54,9 @@ #ifdef HAVE_OPENSSL_ERR_H #include <openssl/err.h> @@ -3441,7 +3402,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c /* -------- Start of local definitions -------- */ /** if CMSG_ALIGN is not defined on this platform, a workaround */ -@@ -579,6 +582,9 @@ +@@ -585,6 +588,9 @@ comm_point_udp_ancil_callback(int fd, sh struct cmsghdr* cmsg; #endif /* S_SPLINT_S */ @@ -3451,9 +3412,9 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c rep.c = (struct comm_point*)arg; log_assert(rep.c->type == comm_udp); -@@ -668,6 +674,9 @@ +@@ -674,6 +680,9 @@ comm_point_udp_callback(int fd, short ev int i; - struct sldns_buffer *buffer; + struct sldns_buffer *buffer; +#ifdef ENABLE_FASTRPZ + rep.rpz = NULL; 
@@ -3461,17 +3422,17 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c rep.c = (struct comm_point*)arg; log_assert(rep.c->type == comm_udp); -@@ -711,6 +720,9 @@ +@@ -717,6 +726,9 @@ comm_point_udp_callback(int fd, short ev (void)comm_point_send_udp_msg(rep.c, buffer, (struct sockaddr*)&rep.addr, rep.addrlen); } +#ifdef ENABLE_FASTRPZ + rpz_end(&rep); +#endif - if(rep.c->fd != fd) /* commpoint closed to -1 or reused for + if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ break; -@@ -2145,6 +2157,9 @@ +@@ -2956,6 +2968,9 @@ comm_point_send_reply(struct comm_reply comm_point_start_listening(repinfo->c, -1, repinfo->c->tcp_timeout_msec); } @@ -3481,7 +3442,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c } void -@@ -2154,6 +2169,9 @@ +@@ -2965,6 +2980,9 @@ comm_point_drop_reply(struct comm_reply* return; log_assert(repinfo && repinfo->c); log_assert(repinfo->c->type != comm_tcp_accept); @@ -3491,7 +3452,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c if(repinfo->c->type == comm_udp) return; reclaim_tcp_handler(repinfo->c); -@@ -2173,6 +2191,9 @@ +@@ -2984,6 +3002,9 @@ comm_point_start_listening(struct comm_p { verbose(VERB_ALGO, "comm point start listening %d", c->fd==-1?newfd:c->fd); 
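Review bot: `rpz_end(&rep)` runs immediately before the guard that upstream now spells `if(!rep.c || rep.c->fd != fd)`, which says the callback can leave `rep.c` NULL; if rpz_end touches `rep.c` (its body is in fastrpz/rpz.c, not in this hunk) it needs the same check, e.g. `if(rep.c) rpz_end(&rep);`, or a NULL test inside rpz_end. The three lines the patch adds to comm_point_drop_reply and comm_point_send_reply sit between the surrounding hunks and presumably end the same per-reply RPZ state, so a UDP reply dropped or sent from inside the callback would have rpz_end run twice on `rep`; please confirm it resets `rep.rpz` to NULL (the value the previous hunk initialises it to) and is safe to call again.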
@@ -3501,13 +3462,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c if(c->type == comm_tcp_accept && !c->tcp_free) { /* no use to start listening no free slots. */ return; +Index: unbound-1.7.0~rc1/util/netevent.h =================================================================== -RCS file: ./util/RCS/netevent.h,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./util/netevent.h ---- ./util/netevent.h -+++ ./util/netevent.h -@@ -117,6 +117,10 @@ +--- unbound-1.7.0~rc1.orig/util/netevent.h ++++ unbound-1.7.0~rc1/util/netevent.h +@@ -119,6 +119,10 @@ struct comm_reply { /** return type 0 (none), 4(IP4), 6(IP6) */ int srctype; /* DnsCrypt context */ @@ -3518,13 +3477,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.h #ifdef USE_DNSCRYPT uint8_t client_nonce[crypto_box_HALF_NONCEBYTES]; uint8_t nmkey[crypto_box_BEFORENMBYTES]; +Index: unbound-1.7.0~rc1/validator/validator.c =================================================================== -RCS file: ./validator/RCS/validator.c,v -retrieving revision 1.1 -diff -u --unidirectional-new-file -r1.1 ./validator/validator.c ---- ./validator/validator.c -+++ ./validator/validator.c -@@ -2552,6 +2552,12 @@ +--- unbound-1.7.0~rc1.orig/validator/validator.c ++++ unbound-1.7.0~rc1/validator/validator.c +@@ -2688,6 +2688,12 @@ ds_response_to_ke(struct module_qstate* default: /* NSEC proof did not work, try next */ break; @@ -3537,7 +3494,7 @@ diff -u --unidirectional-new-file -r1.1 ./validator/validator.c } sec = nsec3_prove_nods(qstate->env, ve, -@@ -2584,6 +2590,12 @@ +@@ -2721,6 +2727,12 @@ ds_response_to_ke(struct module_qstate* default: /* NSEC3 proof did not work */ break; @@ -3550,3 +3507,4 @@ diff -u --unidirectional-new-file -r1.1 ./validator/validator.c } /* Apparently, no available NSEC/NSEC3 proved NODATA, so + |
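Review bot: The inner hunk `@@ -119,6 +119,10 @@ struct comm_reply {` inserts its four new lines between the `/* DnsCrypt context */` comment and the `#ifdef USE_DNSCRYPT` block that comment introduces (the trailing context in the next hunk is `client_nonce`/`nmkey`), detaching the comment from its fields. Put the fastrpz member before that comment, under its own `#ifdef ENABLE_FASTRPZ`, with a one-line doc comment such as `/** fastrpz per-reply state; NULL unless an RPZ lookup is active (confirm against rpz.c) */`. The struct continues outside the hunk.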