path: root/doc
Diffstat (limited to 'doc')
-rw-r--r--doc/Changelog169
-rw-r--r--doc/README2
-rw-r--r--doc/example.conf.in33
-rw-r--r--doc/libunbound.3.in11
-rw-r--r--doc/unbound-anchor.8.in2
-rw-r--r--doc/unbound-checkconf.8.in2
-rw-r--r--doc/unbound-control.8.in16
-rw-r--r--doc/unbound-host.1.in2
-rw-r--r--doc/unbound.8.in4
-rw-r--r--doc/unbound.conf.5.in120
10 files changed, 332 insertions, 29 deletions
diff --git a/doc/Changelog b/doc/Changelog
index 1fca26b643fd..725b82ac64b4 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,175 @@
+20 February 2020: Wouter
+ - Updated contrib/unbound_smf23.tar.gz with Solaris SMF service for
+ Unbound from Yuri Voinov.
+
+17 February 2020: Ralph
+ - Add respip to supported module-config options in unbound-checkconf.
+
+17 February 2020: George
+ - Remove unused variable.
+
+17 February 2020: Wouter
+ - contrib/drop2rpz: perl script that converts the Spamhaus DROP-List
+ in RPZ-Format, contributed by Andreas Schulze.
+
+14 February 2020: Wouter
+ - Fix spelling in unbound.conf.5.in.
+ - Stop unbound-checkconf from insisting that auth-zone and rpz
+ zonefiles have to exist. They can not exist, and download later.
+
+13 February 2020: Wouter
+ - tag for 1.10.0rc1 release.
+
+12 February 2020: Wouter
+ - Fix with libnettle make test with dsa disabled.
+ - Fix contrib/fastrpz.patch to apply cleanly. Fix for serve-stale
+ fixes, but it does not compile, conflicts with new rpz code.
+ - Fix to clean memory leak of respip_addr.lock when ip_tree deleted.
+ - Fix compile warning when threads disabled.
+ - updated version number to 1.10.0.
+
+10 February 2020: George
+ - Document 'ub_result.was_ratelimited' in libunbound.
+ - Fix use after free on log-identity after a reload; Fixes #163.
+
+6 February 2020: George
+ - Fix num_reply_states and num_detached_states counting with
+ serve_expired_callback.
+ - Cleaner code in mesh_serve_expired_lookup.
+ - Document in unbound.conf manpage that configuration clauses can be
+ repeated in the configuration file.
+
+6 February 2020: Wouter
+ - Fix num_reply_addr counting in mesh and tcp drop due to size
+ after serve_stale commit.
+ - Fix to create and destroy rpz_lock in auth_zones structure.
+ - Fix to lock zone before adding rpz qname trigger.
+ - Fix to lock and release once in mesh_serve_expired_lookup.
+ - Fix to put braces around empty if body when threading is disabled.
+
+5 February 2020: George
+ - Added serve-stale functionality as described in
+ draft-ietf-dnsop-serve-stale-10. `serve-expired-*` options can be used
+ to configure the behavior.
+ - Updated cachedb to honor `serve-expired-ttl`; Fixes #107.
+ - Renamed statistic `num.zero_ttl` to `num.expired` as expired replies
+ come with a configurable TTL value (`serve-expired-reply-ttl`).
+ - Fixed stats when replying with cached, cname-aliased records.
+ - Added missing default values for redis cachedb backend.
+
+3 February 2020: Ralph
+ - Add assertion to please static analyzer
+
+31 January 2020: Wouter
+ - Fix fclose on error in TLS session ticket code.
+
+30 January 2020: Ralph
+ - Fix memory leak in error condition remote.c
+ - Fix double free in error condition view.c
+ - Fix memory leak in do_auth_zone_transfer on success
+ - Merge RPZ support into master. Only QNAME and Response IP triggers are
+ supported.
+ - Stop working on socket when socket() call returns an error.
+ - Check malloc return values in TLS session ticket code
+
+30 January 2020: Wouter
+ - Fix subnet tests for disabled DSA algorithm by default.
+ - Update contrib/fastrpz.patch for clean diff with current code.
+ - Merge PR#151: Fixes for systemd units, by Maryse47, Edmonds
+ and Frzk. Updates the unbound.service systemd file and adds
+ a portable systemd service file.
+ - updated .gitignore for added contrib file.
+ - Add build rule for ipset to Makefile
+ - Add getentropy_freebsd.o to Makefile dependencies.
+
+29 January 2020: Ralph
+ - Merge PR#156 from Alexander Berkes; Added unbound-control
+ view_local_datas_remove command.
+
+29 January 2020: Wouter
+ - Fix #157: undefined reference to `htobe64'.
+
+28 January 2020: Ralph
+ - Merge PR#147; change rfc reference for reserved top level dns names.
+
+28 January 2020: Wouter
+ - iana portlist updated.
+ - Fix to silence the tls handshake errors for broken pipe and reset
+ by peer, unless verbosity is set to 2 or higher.
+
+27 January 2020: Ralph
+ - Merge PR#154; Allow use of libbsd functions with configure option
+ --with-libbsd. By Robert Edmonds and Steven Chamberlain.
+ - Merge PR#148; Add some TLS stats to unbound_munin_. By Fredrik Pettai.
+
+27 January 2020: Wouter
+ - Merge PR#155 from Robert Edmonds: contrib/libunbound.pc.in: Fixes
+ to Libs/Requires for crypto library dependencies.
+ - Fix #153: Disable validation for DSA algorithms. RFC 8624
+ compliance.
+
+23 January 2020: Wouter
+ - Merge PR#150 from Frzk: Systemd unit without chroot. It add
+ contrib/unbound_nochroot.service.in, a systemd file for use with
+ chroot: "", see comments in the file, it uses systemd protections
+ instead.
+
+14 January 2020: Wouter
+ - Removed the dnscrypt_queries and dnscrypt_queries_chacha tests,
+ because dnscrypt-proxy (2.0.36) does not support the test setup
+ any more, and also the config file format does not seem to have
+ the appropriate keys to recreate that setup.
+ - Fix crash after reload where a stats lookup could reference old key
+ cache and neg cache structures.
+ - Fix for memory leak when edns subnet config options are read when
+ compiled without edns subnet support.
+ - Fix auth zone support for NSEC3 records without salt.
+
+10 January 2020: Wouter
+ - Fix the relationship between serve-expired and prefetch options,
+ patch from Saksham Manchanda from Secure64.
+ - Fix unreachable code in ssl set options code.
+
+8 January 2020: Ralph
+ - Fix #138: stop binding pidfile inside chroot dir in systemd service
+ file.
+
+8 January 2020: Wouter
+ - Fix 'make test' to work for --disable-sha1 configure option.
+ - Fix out-of-bounds null-byte write in sldns_bget_token_par while
+ parsing type WKS, reported by Luis Merino from X41 D-Sec.
+ - Updated sldns_bget_token_par fix for also space for the zero
+ delimiter after the character. And update for more spare space.
+
+6 January 2020: George
+ - Downgrade compat/getentropy_solaris.c to version 1.4 from OpenBSD.
+ The dl_iterate_phdr() function introduced in newer versions raises
+ compilation errors on solaris 10.
+ - Changes to compat/getentropy_solaris.c for,
+ ifdef stdint.h inclusion for older systems.
+ ifdef sha2.h inclusion for older systems.
+
+6 January 2020: Wouter
+ - Merge #135 from Florian Obser: Use passed in neg and key cache
+ if non-NULL.
+ - Fix #140: Document slave not downloading new zonefile upon update.
+
+16 December 2019: George
+ - Update mailing list URL.
+
+12 December 2019: Ralph
+ - Master is 1.9.7 in development.
+ - Fix typo to let serve-expired-ttl work with ub_ctx_set_option(), by
+ Florian Obser
+
+10 December 2019: Wouter
+ - Fix to make auth zone IXFR to fallback to AXFR if a single
+ response RR is received over TCP with the SOA in it.
+
6 December 2019: Wouter
- Fix ipsecmod compile.
- Fix Makefile.in for ipset module compile, from Adi Prasaja.
+ - release-1.9.6 tag, which became the 1.9.6 release
5 December 2019: Wouter
- unbound-fuzzers.tar.bz2: three programs for fuzzing, that are 1:1
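Review bot: the Changelog ends at the 20 February 2020 entry, with the last release-related lines being "tag for 1.10.0rc1 release" and "updated version number to 1.10.0", yet every other file in this patch is bumped to "unbound 1.10.1" dated May 19, 2020; add the entries covering the 1.10.0 release and the 1.10.1 changes so the Changelog describes the version the docs claim. Two smaller points: the 8 January 2020 entry records an out-of-bounds null-byte write in sldns_bget_token_par (WKS parsing, reported by Luis Merino of X41 D-Sec) without any advisory or CVE reference; if one was assigned, cite it here so packagers can trace the fix. And in the 14 February entry "They can not exist, and download later." should read "They may not exist yet and be downloaded later."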
diff --git a/doc/README b/doc/README
index 334624575491..6bd34bbed956 100644
--- a/doc/README
+++ b/doc/README
@@ -1,4 +1,4 @@
-README for Unbound 1.9.6
+README for Unbound 1.10.1
Copyright 2007 NLnet Labs
http://unbound.net
diff --git a/doc/example.conf.in b/doc/example.conf.in
index 0a8c179f971d..d9fe9c60b3d0 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -1,7 +1,7 @@
#
# Example configuration file.
#
-# See unbound.conf(5) man page, version 1.9.6.
+# See unbound.conf(5) man page, version 1.10.1.
#
# this is a comment.
@@ -558,8 +558,8 @@ server:
# that set CD but cannot validate themselves.
# ignore-cd-flag: no
- # Serve expired responses from cache, with TTL 0 in the response,
- # and then attempt to fetch the data afresh.
+ # Serve expired responses from cache, with serve-expired-reply-ttl in
+ # the response, and then attempt to fetch the data afresh.
# serve-expired: no
#
# Limit serving of expired responses to configured seconds after
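Review bot: the reworded comment "Serve expired responses from cache, with serve-expired-reply-ttl in the response, and then attempt to fetch the data afresh" still describes only the ordering without a client timeout (stale answer first, refresh afterwards); with serve-expired-client-timeout set, the option text added further down in this same file says resolution is tried first and the expired answer is sent only when the timer fires. Suggest: "Serve expired responses from cache, with serve-expired-reply-ttl in the response. Without serve-expired-client-timeout the expired answer is sent immediately and the data is fetched afresh afterwards."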
@@ -571,6 +571,16 @@ server:
# that the expired records will be served as long as there are queries
# for it.
# serve-expired-ttl-reset: no
+ #
+ # TTL value to use when replying with expired data.
+ # serve-expired-reply-ttl: 30
+ #
+ # Time in milliseconds before replying to the client with expired data.
+ # This essentially enables the serve-stale behavior as specified in
+ # draft-ietf-dnsop-serve-stale-10 that first tries to resolve before
+ # immediately responding with expired data. 0 disables this behavior.
+ # A recommended value is 1800.
+ # serve-expired-client-timeout: 0
# Have the validator log failed validations for your diagnosis.
# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
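Review bot: "0 disables this behavior" in the serve-expired-client-timeout comment is ambiguous: 0 disables only the try-to-resolve-first wait, while serve-expired: yes still answers with expired data immediately. An operator reading "0 disables" could conclude that stale answers are off, so say explicitly that serve-expired itself is unaffected. It is also worth noting next to "A recommended value is 1800" that the two options are meant to be set together with serve-expired-reply-ttl: 30, as the unbound.conf.5 text in this patch states, since the example block here shows each in isolation.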
@@ -1006,3 +1016,20 @@ remote-control:
# name-v6: "list-v6"
#
+# Response Policy Zones
+# RPZ policies. Applied in order of configuration. QNAME and Response IP
+# Address trigger are the only supported triggers. Supported actions are:
+# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
+# file, using zone transfer, or using HTTP. The respip module needs to be added
+# to the module-config, e.g.: module-config: "respip validator iterator".
+# rpz:
+# name: "rpz.example.com"
+# zonefile: "rpz.example.com"
+# master: 192.0.2.0
+# allow-notify: 192.0.2.0/32
+# url: http://www.example.com/rpz.example.org.zone
+# rpz-action-override: cname
+# rpz-cname-override: www.example.org
+# rpz-log: yes
+# rpz-log-name: "example policy"
+# tags: "example"
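Review bot: the example rpz: clause is internally inconsistent and contradicts guidance added to unbound.conf.5 in this same patch. The zone is named rpz.example.com, but url: fetches rpz.example.org.zone and rpz-cname-override points at www.example.org; pick one domain. The url: uses a hostname (www.example.com) where the new auth-zone text tells operators to use an explicit IP address to avoid a lookup dependency, and it uses plain http, so the policy file that rewrites answers for every client would be fetched with no authentication at all; show https (so tls-cert-bundle applies) or a master: using the ip#name TLS notation. Also, master: 192.0.2.0 is the network address of TEST-NET-1; 192.0.2.1 reads as a host. Finally, the comment says "Applied in order of configuration" but only one zone is shown; a second clause would demonstrate the ordering.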
diff --git a/doc/libunbound.3.in b/doc/libunbound.3.in
index 19ef40236897..69c201116246 100644
--- a/doc/libunbound.3.in
+++ b/doc/libunbound.3.in
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "libunbound" "3" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" libunbound.3 -- unbound library functions manual
.\"
@@ -44,7 +44,7 @@
.B ub_ctx_zone_remove,
.B ub_ctx_data_add,
.B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.9.6 functions.
+\- Unbound DNS validating resolver 1.10.1 functions.
.SH "SYNOPSIS"
.B #include <unbound.h>
.LP
@@ -396,12 +396,13 @@ The result of the DNS resolution and validation is returned as
char* canonname; /* canonical name of result */
int rcode; /* additional error code in case of no data */
void* answer_packet; /* full network format answer packet */
- int answer_len; /* length of packet in octets */
+ int answer_len; /* length of packet in octets */
int havedata; /* true if there is data */
int nxdomain; /* true if nodata because name does not exist */
- int secure; /* true if result is secure */
- int bogus; /* true if a security failure happened */
+ int secure; /* true if result is secure */
+ int bogus; /* true if a security failure happened */
char* why_bogus; /* string with error if bogus */
+ int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
int ttl; /* number of seconds the result is valid */
};
.fi
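Review bot: was_ratelimited is inserted into struct ub_result before ttl rather than appended after it, which shifts the offset of ttl for any application compiled against the 1.9.x header. If the layout in unbound.h matches this manpage, that is an ABI break for libunbound consumers and needs a library version bump or an explicit note here; if the header actually appends the field, move it after ttl in the manpage to match. The other changes in this hunk (answer_len, secure, bogus) are whitespace-only and add noise to the diff.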
diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in
index dc1c10cf5034..680066a75072 100644
--- a/doc/unbound-anchor.8.in
+++ b/doc/unbound-anchor.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-anchor" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "unbound-anchor" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" unbound-anchor.8 -- unbound anchor maintenance utility manual
.\"
diff --git a/doc/unbound-checkconf.8.in b/doc/unbound-checkconf.8.in
index 30d53f4bec13..8fb18410dfdd 100644
--- a/doc/unbound-checkconf.8.in
+++ b/doc/unbound-checkconf.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-checkconf" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "unbound-checkconf" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" unbound-checkconf.8 -- unbound configuration checker manual
.\"
diff --git a/doc/unbound-control.8.in b/doc/unbound-control.8.in
index 754fdf987aac..3747b1fa670e 100644
--- a/doc/unbound-control.8.in
+++ b/doc/unbound-control.8.in
@@ -1,4 +1,4 @@
-.TH "unbound-control" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "unbound-control" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" unbound-control.8 -- unbound remote control manual
.\"
@@ -323,6 +323,9 @@ serial check). And then the zone is transferred for a newer zone version.
.B view_local_data_remove \fIview\fR \fIname
\fIlocal_data_remove\fR for given view.
.TP
+.B view_local_datas_remove \fIview\fR
+Remove a list of \fIlocal_data\fR for given view from stdin. Like local_datas_remove.
+.TP
.B view_local_datas \fIview\fR
Add a list of \fIlocal_data\fR for given view from stdin. Like local_datas.
.SH "EXIT CODE"
@@ -379,8 +382,8 @@ and resulted in recursive processing, taking a slot in the requestlist.
Not part of the recursivereplies (or the histogram thereof) or cachemiss,
as a cache response was sent.
.TP
-.I threadX.num.zero_ttl
-number of replies with ttl zero, because they served an expired cache entry.
+.I threadX.num.expired
+number of replies that served an expired cache entry.
.TP
.I threadX.num.recursivereplies
The number of replies sent to queries that needed recursive processing. Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
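Review bot: renaming threadX.num.zero_ttl to threadX.num.expired silently breaks any monitoring that parses unbound-control stats output (the Changelog in this patch mentions contrib/unbound_munin_, and external dashboards alerting on stale answers are common). Keep a one-line note that num.expired replaces num.zero_ttl as of this version, and state the semantic change: the counter now counts replies served from an expired cache entry regardless of the TTL in the reply, because serve-expired-reply-ttl makes that TTL nonzero.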
@@ -443,7 +446,7 @@ summed over threads.
.I total.num.prefetch
summed over threads.
.TP
-.I total.num.zero_ttl
+.I total.num.expired
summed over threads.
.TP
.I total.num.recursivereplies
@@ -660,6 +663,11 @@ Number of queries that got an answer that contained EDNS client subnet data.
Number of queries answered from the edns client subnet cache. These are
counted as cachemiss by the main counters, but hit the client subnet
specific cache, after getting processed by the edns client subnet module.
+.TP
+.I num.rpz.action.<rpz_action>
+Number of queries answered using configured RPZ policy, per RPZ action type.
+Possible actions are: nxdomain, nodata, passthru, drop, local_data, disabled,
+and cname_override.
.SH "FILES"
.TP
.I @ub_conf_file@
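Review bot: the action names listed for num.rpz.action.<rpz_action> do not line up with the configuration vocabulary: the stat uses cname_override while rpz-action-override in unbound.conf.5 takes the value cname, and the list includes disabled, which is an override setting rather than an action a policy zone can express. Either align the names or spell out the mapping. It would also help to say that the counter is per action, not per zone, so attributing a hit to a specific policy requires rpz-log: yes on that zone.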
diff --git a/doc/unbound-host.1.in b/doc/unbound-host.1.in
index ac8be5bff5f5..e2dcc4a9b0ee 100644
--- a/doc/unbound-host.1.in
+++ b/doc/unbound-host.1.in
@@ -1,4 +1,4 @@
-.TH "unbound\-host" "1" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "unbound\-host" "1" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" unbound-host.1 -- unbound DNS lookup utility
.\"
diff --git a/doc/unbound.8.in b/doc/unbound.8.in
index 145620b73c9d..74c900ebcc0d 100644
--- a/doc/unbound.8.in
+++ b/doc/unbound.8.in
@@ -1,4 +1,4 @@
-.TH "unbound" "8" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "unbound" "8" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" unbound.8 -- unbound manual
.\"
@@ -9,7 +9,7 @@
.\"
.SH "NAME"
.B unbound
-\- Unbound DNS validating resolver 1.9.6.
+\- Unbound DNS validating resolver 1.10.1.
.SH "SYNOPSIS"
.B unbound
.RB [ \-h ]
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index d6352bcd983a..ffdbf8caa65b 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -1,4 +1,4 @@
-.TH "unbound.conf" "5" "dec 12, 2019" "NLnet Labs" "unbound 1.9.6"
+.TH "unbound.conf" "5" "May 19, 2020" "NLnet Labs" "unbound 1.10.1"
.\"
.\" unbound.conf.5 -- unbound.conf manual
.\"
@@ -63,8 +63,10 @@ server:
access\-control: 2001:DB8::/64 allow
.fi
.SH "FILE FORMAT"
-There must be whitespace between keywords. Attribute keywords end with a colon ':'.
-An attribute is followed by its containing attributes, or a value.
+There must be whitespace between keywords. Attribute keywords end with a
+colon ':'. An attribute is followed by a value, or its containing attributes
+in which case it is referred to as a clause. Clauses can be repeated throughout
+the file (or included files) to group attributes under the same clause.
.P
Files can be included using the
.B include:
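Review bot: the new sentence "Clauses can be repeated throughout the file (or included files) to group attributes under the same clause" does not say what happens for clauses that carry an identity: a second server: block merges, but does a second rpz: or auth-zone: block with the same name: merge into the first, create a second zone, or fail in unbound-checkconf? That distinction matters when include: pulls clauses from separate files, so state it here or in the clause-specific sections.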
@@ -1070,20 +1072,35 @@ The default value is "no".
.TP
.B serve\-expired: \fI<yes or no>
If enabled, unbound attempts to serve old responses from cache with a
-TTL of 0 in the response without waiting for the actual resolution to finish.
-The actual resolution answer ends up in the cache later on. Default is "no".
+TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the
+actual resolution to finish. The actual resolution answer ends up in the cache
+later on. Default is "no".
.TP
.B serve\-expired\-ttl: \fI<seconds>
Limit serving of expired responses to configured seconds after expiration. 0
-disables the limit. This option only applies when \fBserve\-expired\fR is
-enabled. The default is 0.
+disables the limit. This option only applies when \fBserve\-expired\fR is
+enabled. A suggested value per draft-ietf-dnsop-serve-stale-10 is between
+86400 (1 day) and 259200 (3 days). The default is 0.
.TP
.B serve\-expired\-ttl\-reset: \fI<yes or no>
Set the TTL of expired records to the \fBserve\-expired\-ttl\fR value after a
-failed attempt to retrieve the record from upstream. This makes sure that the
-expired records will be served as long as there are queries for it. Default is
+failed attempt to retrieve the record from upstream. This makes sure that the
+expired records will be served as long as there are queries for it. Default is
"no".
.TP
+.B serve\-expired\-reply\-ttl: \fI<seconds>
+TTL value to use when replying with expired data. If
+\fBserve\-expired\-client\-timeout\fR is also used then it is RECOMMENDED to
+use 30 as the value (draft-ietf-dnsop-serve-stale-10). The default is 30.
+.TP
+.B serve\-expired\-client\-timeout: \fI<msec>
+Time in milliseconds before replying to the client with expired data. This
+essentially enables the serve-stale behavior as specified in
+draft-ietf-dnsop-serve-stale-10 that first tries to resolve before immediately
+responding with expired data. A recommended value per
+draft-ietf-dnsop-serve-stale-10 is 1800. Setting this to 0 will disable this
+behavior. Default is 0.
+.TP
.B val\-nsec3\-keysize\-iterations: \fI<"list of values">
List of keysize and iteration count values, separated by spaces, surrounded
by quotes. Default is "1024 150 2048 500 4096 2500". This determines the
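Review bot: serve-expired-ttl keeps its default of 0, documented as "disables the limit", so with serve-expired: yes a record that upstream has stopped answering for is served indefinitely; the suggested 86400 to 259200 range is good, but say plainly that 0 means unbounded staleness, including for records that were withdrawn precisely because they were wrong. Also, draft-ietf-dnsop-serve-stale-10 was published as RFC 8767 in March 2020, before this manpage's May 19, 2020 date, so replace the three draft references with the RFC. Minor: "This option only applies when serve-expired is enabled" and "Setting this to 0 will disable this behavior" under serve-expired-client-timeout should make clear that 0 disables only the wait-for-resolution step, not serve-expired itself.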
@@ -1296,7 +1313,7 @@ local\-data: "onion. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
-\h'5'\fItest (RFC 2606)\fR
+\h'5'\fItest (RFC 6761)\fR
Default content:
.nf
local\-zone: "test." static
@@ -1305,7 +1322,7 @@ local\-data: "test. 10800 IN
SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
.fi
.TP 10
-\h'5'\fIinvalid (RFC 2606)\fR
+\h'5'\fIinvalid (RFC 6761)\fR
Default content:
.nf
local\-zone: "invalid." static
@@ -1680,6 +1697,12 @@ Name of the authority zone.
Where to download a copy of the zone from, with AXFR and IXFR. Multiple
masters can be specified. They are all tried if one fails.
With the "ip#name" notation a AXFR over TLS can be used.
+If you point it at another Unbound instance, it would not work because
+that does not support AXFR/IXFR for the zone, but if you used \fBurl:\fR to download
+the zonefile as a text file from a webserver that would work.
+If you specify the hostname, you cannot use the domain from the zonefile,
+because it may not have that when retrieving that data, instead use a plain
+IP address to avoid a circular dependency on retrieving that IP address.
.TP
.B url: \fI<url to zonefile>
Where to download a zonefile for the zone. With http or https. An example
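Review bot: "If you specify the hostname, you cannot use the domain from the zonefile, because it may not have that when retrieving that data" is hard to parse; the point is that a master: hostname inside the zone being transferred cannot be resolved until the zone has been fetched. Suggest: "Do not use a hostname that lies inside this zone: Unbound cannot resolve it before it has the zone. Use an IP address (or a name outside the zone) instead." The first added sentence has the same problem ("it would not work because that does not support AXFR/IXFR"); say "Another Unbound instance cannot serve as master, because Unbound does not serve AXFR/IXFR for auth-zones; use url: to fetch the zonefile it publishes over HTTP instead." Worth adding in the same breath that an IP master without the ip#name TLS notation means the transfer itself is unauthenticated TCP.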
@@ -1691,6 +1714,10 @@ see if the SOA serial number has changed, reducing the number of downloads.
If none of the urls work, the masters are tried with IXFR and AXFR.
For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
to authenticate the connection.
+If you specify a hostname in the URL, you cannot use the domain from the
+zonefile, because it may not have that when retrieving that data, instead
+use a plain IP address to avoid a circular dependency on retrieving that IP
+address. Avoid dependencies on name lookups by using a notation like "http://192.0.2.1/unbound-master/example.com.zone", with an explicit IP address.
.TP
.B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
With allow\-notify you can specify additional sources of notifies.
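Review bot: the circular-dependency paragraph is duplicated nearly verbatim from the master: entry in the previous hunk; a single sentence here referring to it would do. More importantly, the recommended notation "http://192.0.2.1/unbound-master/example.com.zone" trades away authentication: the sentence just above it says https uses tls-cert-bundle and the URL hostname to authenticate the connection, so an http URL with an IP literal is an unverified download of zone data that Unbound will then answer from as if authoritative. State that trade-off and prefer https with a hostname outside the zone, which avoids the lookup dependency while keeping certificate verification. The last added line also far exceeds the manpage's wrapping convention.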
@@ -2014,6 +2041,13 @@ to the query without performing iterative DNS resolution.
If Unbound cannot even find an answer in the backend, it resolves the
query as usual, and stores the answer in the backend.
.P
+This module interacts with the \fBserve\-expired\-*\fR options and will reply
+with expired data if unbound is configured for that. Currently the use
+of \fBserve\-expired\-client\-timeout:\fR and
+\fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from
+the external cache as these will result in a reply with 0 TTL without trying to
+update the data first, ignoring the configured values.
+.P
If Unbound was built with
\fB\-\-with\-libhiredis\fR
on a system that has installed the hiredis C client library of Redis,
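Review bot: the new paragraph documents a known inconsistency without telling the operator what is and is not honoured for entries from the external cache: the Changelog in this patch says cachedb was updated to honour serve-expired-ttl, while serve-expired-client-timeout and serve-expired-reply-ttl are ignored and such entries come back with TTL 0 and no refresh attempt. Restate it as a concrete list (honoured: serve-expired, serve-expired-ttl; ignored: serve-expired-client-timeout, serve-expired-reply-ttl) and say whether a fix is planned; as written, an operator who configured the 1800 ms timeout gets stale answers from the backend with no resolution attempt, which is the reverse of what that option promises.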
@@ -2080,6 +2114,70 @@ If this timeout expires Unbound closes the connection, treats it as
if the Redis server does not have the requested data, and will try to
re-establish a new connection later.
This option defaults to 100 milliseconds.
+.SS Response Policy Zone Options
+.LP
+Response Policy Zones are configured with \fBrpz:\fR, and each one must have a
+\fBname:\fR. There can be multiple ones, by listing multiple rpz clauses, each
+with a different name. RPZ clauses are applied in order of configuration. The
+\fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.:
+\fBmodule-config: "respip validator iterator"\fR.
+.P
+Only the QNAME and Response IP Address triggers are supported. The supported RPZ
+actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. RPZ QNAME triggers
+are applied after
+\fBlocal-zones\fR and before \fBauth-zones\fR.
+.TP
+.B name: \fI<zone name>
+Name of the authority zone.
+.TP
+.B master: \fI<IP address or host name>
+Where to download a copy of the zone from, with AXFR and IXFR. Multiple
+masters can be specified. They are all tried if one fails.
+.TP
+.B url: \fI<url to zonefile>
+Where to download a zonefile for the zone. With http or https. An example
+for the url is "http://www.example.com/example.org.zone". Multiple url
+statements can be given, they are tried in turn. If only urls are given
+the SOA refresh timer is used to wait for making new downloads. If also
+masters are listed, the masters are first probed with UDP SOA queries to
+see if the SOA serial number has changed, reducing the number of downloads.
+If none of the urls work, the masters are tried with IXFR and AXFR.
+For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
+to authenticate the connection.
+.TP
+.B allow\-notify: \fI<IP address or host name or netblockIP/prefix>
+With allow\-notify you can specify additional sources of notifies.
+When notified, the server attempts to first probe and then zone transfer.
+If the notify is from a master, it first attempts that master. Otherwise
+other masters are attempted. If there are no masters, but only urls, the
+file is downloaded when notified. The masters from master: statements are
+allowed notify by default.
+.TP
+.B zonefile: \fI<filename>
+The filename where the zone is stored. If not given then no zonefile is used.
+If the file does not exist or is empty, unbound will attempt to fetch zone
+data (eg. from the master servers).
+.TP
+.B rpz\-action\-override: \fI<action>
+Always use this RPZ action for matching triggers from this zone. Possible action
+are: nxdomain, nodata, passthru, drop, disabled and cname.
+.TP
+.B rpz\-cname\-override: \fI<domain>
+The CNAME target domain to use if the cname action is configured for
+\fBrpz\-action\-override\fR.
+.TP
+.B rpz\-log: \fI<yes or no>
+Log all applied RPZ actions for this RPZ zone. Default is no.
+.TP
+.B rpz\-log\-name: \fI<name>
+Specify a string to be part of the log line, for easy referencing.
+.TP
+.B tags: \fI<list of tags>
+Limit the policies from this RPZ clause to clients with a matching tag. Tags
+need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses
+using \fBaccess\-control\-tag\fR. Enclose list of tags in quotes ("") and put
+spaces between tags. If no tags are specified the policies from this clause will
+be applied for all clients.
.SH "MEMORY CONTROL EXAMPLE"
In the example config settings below memory usage is reduced. Some service
levels are lower, notable very large data and a high TCP load are no longer
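Review bot: "name: Name of the authority zone." is copied from the auth-zone section; this is the RPZ zone name, and since master:, url:, allow-notify: and zonefile: are also lifted verbatim from auth-zone, consider one cross-reference rather than four duplicated entries that will drift. Three additions the section needs: (1) where Response IP triggers are applied; the ordering given ("after local-zones and before auth-zones") covers only QNAME triggers, and an operator needs to know at which point in the response path the respip module rewrites by address. (2) "Possible action are" should be "Possible actions are", and the cname value here should match the cname_override name used for num.rpz.action in unbound-control.8. (3) A policy zone fetched over plain http, or transferred from an IP master without the ip#name TLS notation, is unauthenticated data that rewrites answers for every tagged client; recommend https or TLS AXFR, and recommend rpz-log: yes, since the default of no hides policy hits from incident responders.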