summaryrefslogtreecommitdiff
path: root/contrib/fastrpz.patch
diff options
context:
space:
mode:
Diffstat (limited to 'contrib/fastrpz.patch')
-rw-r--r--contrib/fastrpz.patch352
1 files changed, 155 insertions, 197 deletions
diff --git a/contrib/fastrpz.patch b/contrib/fastrpz.patch
index 362e07cc6a8dc..6e78bf1b7cf3c 100644
--- a/contrib/fastrpz.patch
+++ b/contrib/fastrpz.patch
@@ -1,10 +1,15 @@
+Description: based on the included patch contrib/fastrpz.patch
+Author: fastrpz@farsightsecurity.com
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
===================================================================
RCS file: ./RCS/Makefile.in,v
retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./Makefile.in
---- ./Makefile.in
-+++ ./Makefile.in
-@@ -23,6 +23,8 @@
+Index: unbound-1.7.0~rc1/Makefile.in
+===================================================================
+--- unbound-1.7.0~rc1.orig/Makefile.in
++++ unbound-1.7.0~rc1/Makefile.in
+@@ -23,6 +23,8 @@ CHECKLOCK_SRC=testcode/checklocks.c
CHECKLOCK_OBJ=@CHECKLOCK_OBJ@
DNSTAP_SRC=@DNSTAP_SRC@
DNSTAP_OBJ=@DNSTAP_OBJ@
@@ -13,7 +18,7 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
DNSCRYPT_SRC=@DNSCRYPT_SRC@
DNSCRYPT_OBJ=@DNSCRYPT_OBJ@
WITH_PYTHONMODULE=@WITH_PYTHONMODULE@
-@@ -125,7 +127,7 @@
+@@ -125,7 +127,7 @@ validator/val_sigcrypt.c validator/val_u
edns-subnet/edns-subnet.c edns-subnet/subnetmod.c \
edns-subnet/addrtree.c edns-subnet/subnet-whitelist.c \
cachedb/cachedb.c respip/respip.c $(CHECKLOCK_SRC) \
@@ -22,16 +27,16 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
COMMON_OBJ_WITHOUT_NETCALL=dns.lo infra.lo rrset.lo dname.lo msgencode.lo \
as112.lo msgparse.lo msgreply.lo packed_rrset.lo iterator.lo iter_delegpt.lo \
iter_donotq.lo iter_fwd.lo iter_hints.lo iter_priv.lo iter_resptype.lo \
-@@ -137,7 +139,7 @@
+@@ -137,7 +139,7 @@ slabhash.lo timehist.lo tube.lo winsock_
validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
- val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo \
+ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo cachedb.lo authzone.lo\
$(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
--$(IPSECMOD_OBJ)
-+$(FASTRPZ_OBJ) $(DNSCRYPT_OBJ)
- COMMON_OBJ_WITHOUT_NETCALL+=respip.lo
+-$(IPSECMOD_OBJ) respip.lo
++$(FASTRPZ_OBJ) $(IPSECMOD_OBJ) respip.lo
COMMON_OBJ_WITHOUT_UB_EVENT=$(COMMON_OBJ_WITHOUT_NETCALL) netevent.lo listen_dnsport.lo \
outside_network.lo
-@@ -398,6 +401,11 @@
+ COMMON_OBJ=$(COMMON_OBJ_WITHOUT_UB_EVENT) ub_event.lo
+@@ -400,6 +402,11 @@ dnscrypt.lo dnscrypt.o: $(srcdir)/dnscry
$(srcdir)/util/config_file.h $(srcdir)/util/log.h \
$(srcdir)/util/netevent.h
@@ -43,13 +48,11 @@ diff -u --unidirectional-new-file -r1.1 ./Makefile.in
# Python Module
pythonmod.lo pythonmod.o: $(srcdir)/pythonmod/pythonmod.c config.h \
pythonmod/interface.h \
+Index: unbound-1.7.0~rc1/config.h.in
===================================================================
-RCS file: ./RCS/config.h.in,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./config.h.in
---- ./config.h.in
-+++ ./config.h.in
-@@ -1199,4 +1199,11 @@
+--- unbound-1.7.0~rc1.orig/config.h.in
++++ unbound-1.7.0~rc1/config.h.in
+@@ -1228,4 +1228,11 @@ void *unbound_stat_realloc_log(void *ptr
/** the version of unbound-control that this software implements */
#define UNBOUND_CONTROL_VERSION 1
@@ -62,13 +65,11 @@ diff -u --unidirectional-new-file -r1.1 ./config.h.in
+#undef FASTRPZ_LIB_OPEN
+/** turn on fastrpz response policy zones */
+#undef ENABLE_FASTRPZ
+Index: unbound-1.7.0~rc1/configure.ac
===================================================================
-RCS file: ./RCS/configure.ac,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./configure.ac
---- ./configure.ac
-+++ ./configure.ac
-@@ -6,6 +6,7 @@
+--- unbound-1.7.0~rc1.orig/configure.ac
++++ unbound-1.7.0~rc1/configure.ac
+@@ -6,6 +6,7 @@ sinclude(ax_pthread.m4)
sinclude(acx_python.m4)
sinclude(ac_pkg_swig.m4)
sinclude(dnstap/dnstap.m4)
@@ -76,8 +77,8 @@ diff -u --unidirectional-new-file -r1.1 ./configure.ac
sinclude(dnscrypt/dnscrypt.m4)
# must be numbers. ac_defun because of later processing
-@@ -1352,6 +1353,9 @@
- ;;
+@@ -1453,6 +1454,9 @@ case "$enable_ipsecmod" in
+ ;;
esac
+# check for Fastrpz with fastrpz/rpz.m4
@@ -86,13 +87,11 @@ diff -u --unidirectional-new-file -r1.1 ./configure.ac
AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
# on openBSD, the implicit rule make $< work.
# on Solaris, it does not work ($? is changed sources, $^ lists dependencies).
+Index: unbound-1.7.0~rc1/daemon/daemon.c
===================================================================
-RCS file: ./daemon/RCS/daemon.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
---- ./daemon/daemon.c
-+++ ./daemon/daemon.c
-@@ -89,6 +89,9 @@
+--- unbound-1.7.0~rc1.orig/daemon/daemon.c
++++ unbound-1.7.0~rc1/daemon/daemon.c
+@@ -90,6 +90,9 @@
#include "sldns/keyraw.h"
#include "respip/respip.h"
#include <signal.h>
@@ -102,7 +101,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
-@@ -451,6 +454,14 @@
+@@ -461,6 +464,14 @@ daemon_create_workers(struct daemon* dae
fatal_exit("dnstap enabled in config but not built with dnstap support");
#endif
}
@@ -117,9 +116,9 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
for(i=0; i<daemon->num; i++) {
if(!(daemon->workers[i] = worker_create(daemon, i,
shufport+numport*i/daemon->num,
-@@ -691,6 +702,9 @@
- #ifdef USE_DNSTAP
- dt_delete(daemon->dtenv);
+@@ -710,6 +721,9 @@ daemon_cleanup(struct daemon* daemon)
+ #ifdef USE_DNSCRYPT
+ dnsc_delete(daemon->dnscenv);
#endif
+#ifdef ENABLE_FASTRPZ
+ rpz_delete(&daemon->rpz_clist, &daemon->rpz_client);
@@ -127,13 +126,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.c
daemon->cfg = NULL;
}
+Index: unbound-1.7.0~rc1/daemon/daemon.h
===================================================================
-RCS file: ./daemon/RCS/daemon.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h
---- ./daemon/daemon.h
-+++ ./daemon/daemon.h
-@@ -134,6 +134,11 @@
+--- unbound-1.7.0~rc1.orig/daemon/daemon.h
++++ unbound-1.7.0~rc1/daemon/daemon.h
+@@ -134,6 +134,11 @@ struct daemon {
/** the dnscrypt environment */
struct dnsc_env* dnscenv;
#endif
@@ -145,13 +142,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/daemon.h
};
/**
+Index: unbound-1.7.0~rc1/daemon/worker.c
===================================================================
-RCS file: ./daemon/RCS/worker.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
---- ./daemon/worker.c
-+++ ./daemon/worker.c
-@@ -73,6 +73,9 @@
+--- unbound-1.7.0~rc1.orig/daemon/worker.c
++++ unbound-1.7.0~rc1/daemon/worker.c
+@@ -74,6 +74,9 @@
#include "libunbound/context.h"
#include "libunbound/libworker.h"
#include "sldns/sbuffer.h"
@@ -161,7 +156,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
#include "sldns/wire2str.h"
#include "util/shm_side/shm_main.h"
#include "dnscrypt/dnscrypt.h"
-@@ -526,8 +529,27 @@
+@@ -527,8 +530,27 @@ answer_norec_from_cache(struct worker* w
/* not secure */
secure = 0;
break;
@@ -189,7 +184,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
/* return this delegation from the cache */
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
-@@ -688,6 +710,23 @@
+@@ -689,6 +711,23 @@ answer_from_cache(struct worker* worker,
secure = 0;
}
} else secure = 0;
@@ -213,7 +208,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
edns->edns_version = EDNS_ADVERTISED_VERSION;
edns->udp_size = EDNS_ADVERTISED_SIZE;
-@@ -1267,6 +1306,15 @@
+@@ -1291,6 +1330,15 @@ worker_handle_request(struct comm_point*
log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
&repinfo->addr, repinfo->addrlen);
goto send_reply;
@@ -229,16 +224,16 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
}
/* If we've found a local alias, replace the qname with the alias
-@@ -1315,12 +1363,21 @@
+@@ -1339,12 +1387,21 @@ lookup_cache:
h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2));
if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) {
/* answer from cache - we have acquired a readlock on it */
-- if(answer_from_cache(worker, &qinfo,
-+ ret = answer_from_cache(worker, &qinfo,
+- if(answer_from_cache(worker, &qinfo,
++ ret = answer_from_cache(worker, &qinfo,
cinfo, &need_drop, &alias_rrset, &partial_rep,
- (struct reply_info*)e->data,
- *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
- sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
+ (struct reply_info*)e->data,
+ *(uint16_t*)(void *)sldns_buffer_begin(c->buffer),
+ sldns_buffer_read_u16_at(c->buffer, 2), repinfo,
- &edns)) {
+ &edns);
+#ifdef ENABLE_FASTRPZ
@@ -253,7 +248,7 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
/* prefetch it if the prefetch TTL expired.
* Note that if there is more than one pass
* its qname must be that used for cache
-@@ -1371,11 +1428,19 @@
+@@ -1398,11 +1455,19 @@ lookup_cache:
lock_rw_unlock(&e->lock);
}
if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) {
@@ -275,13 +270,11 @@ diff -u --unidirectional-new-file -r1.1 ./daemon/worker.c
goto send_reply;
}
verbose(VERB_ALGO, "answer norec from cache -- "
+Index: unbound-1.7.0~rc1/doc/unbound.conf.5.in
===================================================================
-RCS file: ./doc/RCS/unbound.conf.5.in,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in
---- ./doc/unbound.conf.5.in
-+++ ./doc/unbound.conf.5.in
-@@ -1446,6 +1446,81 @@
+--- unbound-1.7.0~rc1.orig/doc/unbound.conf.5.in
++++ unbound-1.7.0~rc1/doc/unbound.conf.5.in
+@@ -1581,6 +1581,81 @@ It must be /96 or shorter. The default
.B dns64\-synthall: \fI<yes or no>\fR
Debug option, default no. If enabled, synthesize all AAAA records
despite the presence of actual AAAA records.
@@ -363,12 +356,10 @@ diff -u --unidirectional-new-file -r1.1 ./doc/unbound.conf.5.in
.SS "DNSCrypt Options"
.LP
The
+Index: unbound-1.7.0~rc1/fastrpz/librpz.h
===================================================================
-RCS file: ./fastrpz/RCS/librpz.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h
---- ./fastrpz/librpz.h
-+++ ./fastrpz/librpz.h
+--- /dev/null
++++ unbound-1.7.0~rc1/fastrpz/librpz.h
@@ -0,0 +1,957 @@
+/*
+ * Define the interface from a DNS resolver to the Response Policy Zone
@@ -1327,12 +1318,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/librpz.h
+#endif /* LIBRPZ_LIB_OPEN */
+
+#endif /* LIBRPZ_H */
+Index: unbound-1.7.0~rc1/fastrpz/rpz.c
===================================================================
-RCS file: ./fastrpz/RCS/rpz.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c
---- ./fastrpz/rpz.c
-+++ ./fastrpz/rpz.c
+--- /dev/null
++++ unbound-1.7.0~rc1/fastrpz/rpz.c
@@ -0,0 +1,1357 @@
+/*
+ * fastrpz/rpz.c - interface to the fastrpz response policy zone library
@@ -2691,12 +2680,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.c
+}
+
+#endif /* ENABLE_FASTRPZ */
+Index: unbound-1.7.0~rc1/fastrpz/rpz.h
===================================================================
-RCS file: ./fastrpz/RCS/rpz.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h
---- ./fastrpz/rpz.h
-+++ ./fastrpz/rpz.h
+--- /dev/null
++++ unbound-1.7.0~rc1/fastrpz/rpz.h
@@ -0,0 +1,138 @@
+/*
+ * fastrpz/rpz.h - interface to the fastrpz response policy zone library
@@ -2836,12 +2823,10 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.h
+
+#endif /* ENABLE_FASTRPZ */
+#endif /* UNBOUND_FASTRPZ_RPZ_H */
+Index: unbound-1.7.0~rc1/fastrpz/rpz.m4
===================================================================
-RCS file: ./fastrpz/RCS/rpz.m4,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4
---- ./fastrpz/rpz.m4
-+++ ./fastrpz/rpz.m4
+--- /dev/null
++++ unbound-1.7.0~rc1/fastrpz/rpz.m4
@@ -0,0 +1,64 @@
+# fastrpz/rpz.m4
+
@@ -2907,13 +2892,11 @@ diff -u --unidirectional-new-file -r1.1 ./fastrpz/rpz.m4
+ AC_MSG_WARN([[dlopen and librpz.so needed for fastrpz]])
+ fi
+])
+Index: unbound-1.7.0~rc1/iterator/iterator.c
===================================================================
-RCS file: ./iterator/RCS/iterator.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
---- ./iterator/iterator.c
-+++ ./iterator/iterator.c
-@@ -67,6 +67,9 @@
+--- unbound-1.7.0~rc1.orig/iterator/iterator.c
++++ unbound-1.7.0~rc1/iterator/iterator.c
+@@ -68,6 +68,9 @@
#include "sldns/str2wire.h"
#include "sldns/parseutil.h"
#include "sldns/sbuffer.h"
@@ -2923,7 +2906,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
int
iter_init(struct module_env* env, int id)
-@@ -487,6 +490,23 @@
+@@ -511,6 +514,23 @@ handle_cname_response(struct module_qsta
if(ntohs(r->rk.type) == LDNS_RR_TYPE_CNAME &&
query_dname_compare(*mname, r->rk.dname) == 0 &&
!iter_find_rrset_in_prepend_answer(iq, r)) {
@@ -2947,7 +2930,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
/* Add this relevant CNAME rrset to the prepend list.*/
if(!iter_add_prepend_answer(qstate, iq, r))
return 0;
-@@ -495,6 +515,9 @@
+@@ -519,6 +539,9 @@ handle_cname_response(struct module_qsta
/* Other rrsets in the section are ignored. */
}
@@ -2957,7 +2940,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
/* add authority rrsets to authority prepend, for wildcarded CNAMEs */
for(i=msg->rep->an_numrrsets; i<msg->rep->an_numrrsets +
msg->rep->ns_numrrsets; i++) {
-@@ -996,6 +1019,7 @@
+@@ -1148,6 +1171,7 @@ processInitRequest(struct module_qstate*
uint8_t* delname;
size_t delnamelen;
struct dns_msg* msg = NULL;
@@ -2965,7 +2948,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
log_query_info(VERB_DETAIL, "resolving", &qstate->qinfo);
/* check effort */
-@@ -1056,8 +1080,7 @@
+@@ -1223,8 +1247,7 @@ processInitRequest(struct module_qstate*
}
if(msg) {
/* handle positive cache response */
@@ -2975,7 +2958,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
if(verbosity >= VERB_ALGO) {
log_dns_msg("msg from cache lookup", &msg->qinfo,
msg->rep);
-@@ -1065,7 +1088,22 @@
+@@ -1232,7 +1255,22 @@ processInitRequest(struct module_qstate*
(int)msg->rep->ttl,
(int)msg->rep->prefetch_ttl);
}
@@ -2998,7 +2981,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
if(type == RESPONSE_TYPE_CNAME) {
uint8_t* sname = 0;
size_t slen = 0;
-@@ -2321,6 +2359,62 @@
+@@ -2552,6 +2590,62 @@ processQueryResponse(struct module_qstat
sock_list_insert(&qstate->reply_origin,
&qstate->reply->addr, qstate->reply->addrlen,
qstate->region);
@@ -3061,7 +3044,7 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
if(FLAGS_GET_RCODE(iq->response->rep->flags) !=
LDNS_RCODE_NOERROR) {
-@@ -3022,12 +3116,44 @@
+@@ -3273,12 +3367,44 @@ processFinished(struct module_qstate* qs
* but only if we did recursion. The nonrecursion referral
* from cache does not need to be stored in the msg cache. */
if(!qstate->no_cache_store && qstate->query_flags&BIT_RD) {
@@ -3106,13 +3089,11 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.c
qstate->return_rcode = LDNS_RCODE_NOERROR;
qstate->return_msg = iq->response;
return 0;
+Index: unbound-1.7.0~rc1/iterator/iterator.h
===================================================================
-RCS file: ./iterator/RCS/iterator.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h
---- ./iterator/iterator.h
-+++ ./iterator/iterator.h
-@@ -381,6 +381,16 @@
+--- unbound-1.7.0~rc1.orig/iterator/iterator.h
++++ unbound-1.7.0~rc1/iterator/iterator.h
+@@ -383,6 +383,16 @@ struct iter_qstate {
*/
int minimise_count;
@@ -3129,17 +3110,15 @@ diff -u --unidirectional-new-file -r1.1 ./iterator/iterator.h
/**
* Count number of time-outs. Used to prevent resolving failures when
* the QNAME minimisation QTYPE is blocked. */
+Index: unbound-1.7.0~rc1/services/cache/dns.c
===================================================================
-RCS file: ./services/cache/RCS/dns.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c
---- ./services/cache/dns.c
-+++ ./services/cache/dns.c
-@@ -838,6 +838,14 @@
- struct regional* region, uint16_t flags)
+--- unbound-1.7.0~rc1.orig/services/cache/dns.c
++++ unbound-1.7.0~rc1/services/cache/dns.c
+@@ -876,6 +876,14 @@ dns_cache_store(struct module_env* env,
+ struct regional* region, uint32_t flags)
{
struct reply_info* rep = NULL;
-+
++
+#ifdef ENABLE_FASTRPZ
+ /* Never save RPZ rewritten data. */
+ if (msgrep->security == sec_status_rpz_drop ||
@@ -3150,12 +3129,10 @@ diff -u --unidirectional-new-file -r1.1 ./services/cache/dns.c
/* alloc, malloc properly (not in region, like msg is) */
rep = reply_info_copy(msgrep, env->alloc, NULL);
if(!rep)
+Index: unbound-1.7.0~rc1/services/mesh.c
===================================================================
-RCS file: ./services/RCS/mesh.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
---- ./services/mesh.c
-+++ ./services/mesh.c
+--- unbound-1.7.0~rc1.orig/services/mesh.c
++++ unbound-1.7.0~rc1/services/mesh.c
@@ -59,6 +59,9 @@
#include "sldns/wire2str.h"
#include "services/localzone.h"
@@ -3166,7 +3143,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
#include "respip/respip.h"
/** subtract timers and the values do not overflow or become negative */
-@@ -1011,6 +1014,13 @@
+@@ -1050,6 +1053,13 @@ mesh_send_reply(struct mesh_state* m, in
else secure = 0;
if(!rep && rcode == LDNS_RCODE_NOERROR)
rcode = LDNS_RCODE_SERVFAIL;
@@ -3180,7 +3157,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
/* send the reply */
/* We don't reuse the encoded answer if either the previous or current
* response has a local alias. We could compare the alias records
-@@ -1160,6 +1170,7 @@
+@@ -1199,6 +1209,7 @@ struct mesh_state* mesh_area_find(struct
key.s.is_valrec = valrec;
key.s.qinfo = *qinfo;
key.s.query_flags = qflags;
@@ -3188,7 +3165,7 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
/* We are searching for a similar mesh state when we DO want to
* aggregate the state. Thus unique is set to NULL. (default when we
* desire aggregation).*/
-@@ -1206,6 +1217,10 @@
+@@ -1245,6 +1256,10 @@ int mesh_state_add_reply(struct mesh_sta
if(!r)
return 0;
r->query_reply = *rep;
@@ -3199,13 +3176,11 @@ diff -u --unidirectional-new-file -r1.1 ./services/mesh.c
r->edns = *edns;
if(edns->opt_list) {
r->edns.opt_list = edns_opt_copy_region(edns->opt_list,
+Index: unbound-1.7.0~rc1/util/config_file.c
===================================================================
-RCS file: ./util/RCS/config_file.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/config_file.c
---- ./util/config_file.c
-+++ ./util/config_file.c
-@@ -1167,6 +1167,8 @@
+--- unbound-1.7.0~rc1.orig/util/config_file.c
++++ unbound-1.7.0~rc1/util/config_file.c
+@@ -1323,6 +1323,8 @@ config_delete(struct config_file* cfg)
free(cfg->dnstap_socket_path);
free(cfg->dnstap_identity);
free(cfg->dnstap_version);
@@ -3213,14 +3188,12 @@ diff -u --unidirectional-new-file -r1.1 ./util/config_file.c
+ free(cfg->rpz_cstr);
config_deldblstrlist(cfg->ratelimit_for_domain);
config_deldblstrlist(cfg->ratelimit_below_domain);
- free(cfg);
+ #ifdef USE_IPSECMOD
+Index: unbound-1.7.0~rc1/util/config_file.h
===================================================================
-RCS file: ./util/RCS/config_file.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/config_file.h
---- ./util/config_file.h
-+++ ./util/config_file.h
-@@ -416,6 +416,11 @@
+--- unbound-1.7.0~rc1.orig/util/config_file.h
++++ unbound-1.7.0~rc1/util/config_file.h
+@@ -431,6 +431,11 @@ struct config_file {
/** true to disable DNSSEC lameness check in iterator */
int disable_dnssec_lame_check;
@@ -3232,13 +3205,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/config_file.h
/** ratelimit for ip addresses. 0 is off, otherwise qps (unless overridden) */
int ip_ratelimit;
/** number of slabs for ip_ratelimit cache */
+Index: unbound-1.7.0~rc1/util/configlexer.lex
===================================================================
-RCS file: ./util/RCS/configlexer.lex,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex
---- ./util/configlexer.lex
-+++ ./util/configlexer.lex
-@@ -395,6 +395,10 @@
+--- unbound-1.7.0~rc1.orig/util/configlexer.lex
++++ unbound-1.7.0~rc1/util/configlexer.lex
+@@ -412,6 +412,10 @@ dnstap-log-forwarder-query-messages{COLO
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) }
dnstap-log-forwarder-response-messages{COLON} {
YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) }
@@ -3249,13 +3220,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/configlexer.lex
disable-dnssec-lame-check{COLON} { YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) }
ip-ratelimit{COLON} { YDVAR(1, VAR_IP_RATELIMIT) }
ratelimit{COLON} { YDVAR(1, VAR_RATELIMIT) }
+Index: unbound-1.7.0~rc1/util/configparser.y
===================================================================
-RCS file: ./util/RCS/configparser.y,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
---- ./util/configparser.y
-+++ ./util/configparser.y
-@@ -124,6 +124,7 @@
+--- unbound-1.7.0~rc1.orig/util/configparser.y
++++ unbound-1.7.0~rc1/util/configparser.y
+@@ -124,6 +124,7 @@ extern struct config_parser_state* cfg_p
%token VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES
%token VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES
%token VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES
@@ -3263,16 +3232,16 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
%token VAR_RESPONSE_IP_TAG VAR_RESPONSE_IP VAR_RESPONSE_IP_DATA
%token VAR_HARDEN_ALGO_DOWNGRADE VAR_IP_TRANSPARENT
%token VAR_DISABLE_DNSSEC_LAME_CHECK
-@@ -153,7 +154,7 @@
- toplevelvar: serverstart contents_server | stubstart contents_stub |
+@@ -158,7 +159,7 @@ extern struct config_parser_state* cfg_p
+
+ %%
+ toplevelvars: /* empty */ | toplevelvars toplevelvar ;
+-toplevelvar: serverstart contents_server | stubstart contents_stub |
++toplevelvar: serverstart contents_server | stubstart contents_stub | rpzstart contents_rpz |
forwardstart contents_forward | pythonstart contents_py |
- rcstart contents_rc | dtstart contents_dt | viewstart
-- contents_view |
-+ contents_view | rpzstart contents_rpz |
- dnscstart contents_dnsc |
- cachedbstart contents_cachedb
- ;
-@@ -2160,6 +2161,50 @@
+ rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
+ dnscstart contents_dnsc | cachedbstart contents_cachedb |
+@@ -2384,6 +2385,50 @@ dt_dnstap_log_forwarder_response_message
(strcmp($2, "yes")==0);
}
;
@@ -3323,13 +3292,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/configparser.y
pythonstart: VAR_PYTHON
{
OUTYY(("\nP(python:)\n"));
+Index: unbound-1.7.0~rc1/util/data/msgencode.c
===================================================================
-RCS file: ./util/data/RCS/msgencode.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
---- ./util/data/msgencode.c
-+++ ./util/data/msgencode.c
-@@ -585,6 +585,35 @@
+--- unbound-1.7.0~rc1.orig/util/data/msgencode.c
++++ unbound-1.7.0~rc1/util/data/msgencode.c
+@@ -585,6 +585,35 @@ insert_section(struct reply_info* rep, s
return RETVAL_OK;
}
@@ -3365,7 +3332,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
/** store query section in wireformat buffer, return RETVAL */
static int
insert_query(struct query_info* qinfo, struct compress_tree_node** tree,
-@@ -748,6 +777,19 @@
+@@ -750,6 +779,19 @@ reply_info_encode(struct query_info* qin
return 0;
}
sldns_buffer_write_u16_at(buffer, 10, arcount);
@@ -3385,13 +3352,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/msgencode.c
}
sldns_buffer_flip(buffer);
return 1;
+Index: unbound-1.7.0~rc1/util/data/packed_rrset.c
===================================================================
-RCS file: ./util/data/RCS/packed_rrset.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c
---- ./util/data/packed_rrset.c
-+++ ./util/data/packed_rrset.c
-@@ -254,6 +254,10 @@
+--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.c
++++ unbound-1.7.0~rc1/util/data/packed_rrset.c
+@@ -254,6 +254,10 @@ sec_status_to_string(enum sec_status s)
case sec_status_indeterminate: return "sec_status_indeterminate";
case sec_status_insecure: return "sec_status_insecure";
case sec_status_secure: return "sec_status_secure";
@@ -3402,13 +3367,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.c
}
return "unknown_sec_status_value";
}
+Index: unbound-1.7.0~rc1/util/data/packed_rrset.h
===================================================================
-RCS file: ./util/data/RCS/packed_rrset.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h
---- ./util/data/packed_rrset.h
-+++ ./util/data/packed_rrset.h
-@@ -189,7 +189,15 @@
+--- unbound-1.7.0~rc1.orig/util/data/packed_rrset.h
++++ unbound-1.7.0~rc1/util/data/packed_rrset.h
+@@ -189,7 +189,15 @@ enum sec_status {
sec_status_insecure,
/** SECURE means that the object (RRset or message) validated
* according to local policy. */
@@ -3425,12 +3388,10 @@ diff -u --unidirectional-new-file -r1.1 ./util/data/packed_rrset.h
};
/**
+Index: unbound-1.7.0~rc1/util/netevent.c
===================================================================
-RCS file: ./util/RCS/netevent.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
---- ./util/netevent.c
-+++ ./util/netevent.c
+--- unbound-1.7.0~rc1.orig/util/netevent.c
++++ unbound-1.7.0~rc1/util/netevent.c
@@ -54,6 +54,9 @@
#ifdef HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
@@ -3441,7 +3402,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
/* -------- Start of local definitions -------- */
/** if CMSG_ALIGN is not defined on this platform, a workaround */
-@@ -579,6 +582,9 @@
+@@ -585,6 +588,9 @@ comm_point_udp_ancil_callback(int fd, sh
struct cmsghdr* cmsg;
#endif /* S_SPLINT_S */
@@ -3451,9 +3412,9 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
-@@ -668,6 +674,9 @@
+@@ -674,6 +680,9 @@ comm_point_udp_callback(int fd, short ev
int i;
- struct sldns_buffer *buffer;
+ struct sldns_buffer *buffer;
+#ifdef ENABLE_FASTRPZ
+ rep.rpz = NULL;
@@ -3461,17 +3422,17 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
rep.c = (struct comm_point*)arg;
log_assert(rep.c->type == comm_udp);
-@@ -711,6 +720,9 @@
+@@ -717,6 +726,9 @@ comm_point_udp_callback(int fd, short ev
(void)comm_point_send_udp_msg(rep.c, buffer,
(struct sockaddr*)&rep.addr, rep.addrlen);
}
+#ifdef ENABLE_FASTRPZ
+ rpz_end(&rep);
+#endif
- if(rep.c->fd != fd) /* commpoint closed to -1 or reused for
+ if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for
another UDP port. Note rep.c cannot be reused with TCP fd. */
break;
-@@ -2145,6 +2157,9 @@
+@@ -2956,6 +2968,9 @@ comm_point_send_reply(struct comm_reply
comm_point_start_listening(repinfo->c, -1,
repinfo->c->tcp_timeout_msec);
}
@@ -3481,7 +3442,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
}
void
-@@ -2154,6 +2169,9 @@
+@@ -2965,6 +2980,9 @@ comm_point_drop_reply(struct comm_reply*
return;
log_assert(repinfo && repinfo->c);
log_assert(repinfo->c->type != comm_tcp_accept);
@@ -3491,7 +3452,7 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
if(repinfo->c->type == comm_udp)
return;
reclaim_tcp_handler(repinfo->c);
-@@ -2173,6 +2191,9 @@
+@@ -2984,6 +3002,9 @@ comm_point_start_listening(struct comm_p
{
verbose(VERB_ALGO, "comm point start listening %d",
c->fd==-1?newfd:c->fd);
@@ -3501,13 +3462,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.c
if(c->type == comm_tcp_accept && !c->tcp_free) {
/* no use to start listening no free slots. */
return;
+Index: unbound-1.7.0~rc1/util/netevent.h
===================================================================
-RCS file: ./util/RCS/netevent.h,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./util/netevent.h
---- ./util/netevent.h
-+++ ./util/netevent.h
-@@ -117,6 +117,10 @@
+--- unbound-1.7.0~rc1.orig/util/netevent.h
++++ unbound-1.7.0~rc1/util/netevent.h
+@@ -119,6 +119,10 @@ struct comm_reply {
/** return type 0 (none), 4(IP4), 6(IP6) */
int srctype;
/* DnsCrypt context */
@@ -3518,13 +3477,11 @@ diff -u --unidirectional-new-file -r1.1 ./util/netevent.h
#ifdef USE_DNSCRYPT
uint8_t client_nonce[crypto_box_HALF_NONCEBYTES];
uint8_t nmkey[crypto_box_BEFORENMBYTES];
+Index: unbound-1.7.0~rc1/validator/validator.c
===================================================================
-RCS file: ./validator/RCS/validator.c,v
-retrieving revision 1.1
-diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
---- ./validator/validator.c
-+++ ./validator/validator.c
-@@ -2552,6 +2552,12 @@
+--- unbound-1.7.0~rc1.orig/validator/validator.c
++++ unbound-1.7.0~rc1/validator/validator.c
+@@ -2688,6 +2688,12 @@ ds_response_to_ke(struct module_qstate*
default:
/* NSEC proof did not work, try next */
break;
@@ -3537,7 +3494,7 @@ diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
}
sec = nsec3_prove_nods(qstate->env, ve,
-@@ -2584,6 +2590,12 @@
+@@ -2721,6 +2727,12 @@ ds_response_to_ke(struct module_qstate*
default:
/* NSEC3 proof did not work */
break;
@@ -3550,3 +3507,4 @@ diff -u --unidirectional-new-file -r1.1 ./validator/validator.c
}
/* Apparently, no available NSEC/NSEC3 proved NODATA, so
+