author | Cy Schubert <cy@FreeBSD.org> | 2022-10-16 19:24:20 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2022-10-16 19:24:20 +0000 |
commit | 643f9a0581e8aac7eb790ced1164748939829826 (patch) | |
tree | 426d366252d838c8c61b439342ab32eccd181425 /services | |
parent | 0dde6f4f8e604df8c6fbdab8b4aadb5ddf80c76f (diff) | |
unbound: Vendor import 1.16.3 (tag: vendor/unbound/1.17.0)
Adds per-interface ACLs, PROXY protocol support, and bug fixes.
Announcement: https://nlnetlabs.nl/news/2022/Oct/13/unbound-1.17.0-released/
Diffstat (limited to 'services')
-rw-r--r-- | services/authzone.c | 6 | ||||
-rw-r--r-- | services/cache/infra.c | 37 | ||||
-rw-r--r-- | services/cache/infra.h | 7 | ||||
-rw-r--r-- | services/listen_dnsport.c | 134 | ||||
-rw-r--r-- | services/listen_dnsport.h | 14 | ||||
-rw-r--r-- | services/localzone.c | 12 | ||||
-rw-r--r-- | services/mesh.c | 13 | ||||
-rw-r--r-- | services/outside_network.c | 162 | ||||
-rw-r--r-- | services/outside_network.h | 24 | ||||
-rw-r--r-- | services/rpz.c | 28 | ||||
-rw-r--r-- | services/view.c | 5 |
11 files changed, 267 insertions, 175 deletions
diff --git a/services/authzone.c b/services/authzone.c index b9e0b11ef3bb..6de1e4319095 100644 --- a/services/authzone.c +++ b/services/authzone.c @@ -3699,7 +3699,7 @@ addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr, /* compare address (but not port number, that is the destination * port of the master, the port number of the received notify is * allowed to by any port on that master) */ - if(extstrtoaddr(master->host, &a, &alen) && + if(extstrtoaddr(master->host, &a, &alen, UNBOUND_DNS_PORT) && sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { *fromhost = master; return 1; @@ -5381,7 +5381,7 @@ xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env) struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; if(!master) return 0; - if(extstrtoaddr(master->host, &addr, &addrlen)) { + if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) { /* not needed, host is in IP addr format */ return 0; } @@ -6572,7 +6572,7 @@ xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env) struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; if(!master) return 0; - if(extstrtoaddr(master->host, &addr, &addrlen)) { + if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) { /* not needed, host is in IP addr format */ return 0; } diff --git a/services/cache/infra.c b/services/cache/infra.c index 0461c815b86b..537cb949cf88 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c 
@@ -834,14 +834,13 @@ static struct lruhash_entry* infra_find_ratedata(struct infra_cache* infra, /** find data item in array for ip addresses */ static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra, - struct comm_reply* repinfo, int wr) + struct sockaddr_storage* addr, socklen_t addrlen, int wr) { struct ip_rate_key key; - hashvalue_type h = hash_addr(&(repinfo->addr), - repinfo->addrlen, 0); + hashvalue_type h = hash_addr(addr, addrlen, 0); memset(&key, 0, sizeof(key)); - key.addr = repinfo->addr; - key.addrlen = repinfo->addrlen; + key.addr = *addr; + key.addrlen = addrlen; key.entry.hash = h; return slabhash_lookup(infra->client_ip_rates, h, &key, wr); } @@ -876,10 +875,9 @@ static void infra_create_ratedata(struct infra_cache* infra, /** create rate data item for ip address */ static void infra_ip_create_ratedata(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow) + struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow) { - hashvalue_type h = hash_addr(&(repinfo->addr), - repinfo->addrlen, 0); + hashvalue_type h = hash_addr(addr, addrlen, 0); struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k)); struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d)); if(!k || !d) { @@ -887,8 +885,8 @@ static void infra_ip_create_ratedata(struct infra_cache* infra, free(d); return; /* alloc failure */ } - k->addr = repinfo->addr; - k->addrlen = repinfo->addrlen; + k->addr = *addr; + k->addrlen = addrlen; lock_rw_init(&k->entry.lock); k->entry.hash = h; k->entry.key = k; 
@@ -985,8 +983,8 @@ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs)); ip[0]=0; if(replylist) { - addr_to_str((struct sockaddr_storage *)&replylist->addr, - replylist->addrlen, ip, sizeof(ip)); + addr_to_str((struct sockaddr_storage *)&replylist->remote_addr, + replylist->remote_addrlen, ip, sizeof(ip)); verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip); } else { verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts); @@ -1040,7 +1038,7 @@ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - return (max >= lim); + return (max > lim); } size_t @@ -1054,8 +1052,8 @@ infra_get_mem(struct infra_cache* infra) } int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, int backoff, - struct sldns_buffer* buffer) + struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow, + int backoff, struct sldns_buffer* buffer) { int max; struct lruhash_entry* entry; @@ -1065,7 +1063,7 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, return 1; } /* find or insert ratedata */ - entry = infra_find_ip_ratedata(infra, repinfo, 1); + entry = infra_find_ip_ratedata(infra, addr, addrlen, 1); if(entry) { int premax = infra_rate_max(entry->data, timenow, backoff); int* cur = infra_rate_give_second(entry->data, timenow); 
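Review bot: The comparison in infra_ratelimit_exceeded changes from `max >= lim` to `max > lim`, so `ratelimit: N` now admits N queries per second and drops from N+1; nothing in the hunk records that intent, and the matching condition in infra_ip_ratelimit_inc (`@@ -1073`, next line) uses `premax <= ... && max > ...` in the same spirit. A one-line comment keeps the next reader from "fixing" it back: `/* exceeded only when strictly over lim: lim queries per second are allowed */`. The per-zone increment in infra_ratelimit_inc (`@@ -985`) makes its own drop decision outside this hunk; if it still tests `>=`, its "ratelimit exceeded" log and the drop decision would disagree with this function, so it is worth checking. The configuration documentation for ratelimit and ip-ratelimit should describe the inclusive limit too.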
@@ -1073,10 +1071,9 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) { + if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) { char client_ip[128], qnm[LDNS_MAX_DOMAINLEN+1+12+12]; - addr_to_str((struct sockaddr_storage *)&repinfo->addr, - repinfo->addrlen, client_ip, sizeof(client_ip)); + addr_to_str(addr, addrlen, client_ip, sizeof(client_ip)); qnm[0]=0; if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE && LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) { @@ -1101,6 +1098,6 @@ int infra_ip_ratelimit_inc(struct infra_cache* infra, } /* create */ - infra_ip_create_ratedata(infra, repinfo, timenow); + infra_ip_create_ratedata(infra, addr, addrlen, timenow); return 1; } diff --git a/services/cache/infra.h b/services/cache/infra.h index 6a2371aca477..faf7fd2f30e1 100644 --- a/services/cache/infra.h +++ b/services/cache/infra.h @@ -416,15 +416,16 @@ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, /** Update query ratelimit hash and decide * whether or not a query should be dropped. * @param infra: infra cache - * @param repinfo: information about client + * @param addr: client address + * @param addrlen: client address length * @param timenow: what time it is now. * @param backoff: if backoff is enabled. * @param buffer: with query for logging. * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit and the query should be dropped. */ int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, int backoff, - struct sldns_buffer* buffer); + struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow, + int backoff, struct sldns_buffer* buffer); /** * Get memory used by the infra cache. diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index 1c7c177a007e..95606aff5d4e 100644 --- a/services/listen_dnsport.c 
+++ b/services/listen_dnsport.c @@ -124,12 +124,12 @@ verbose_print_addr(struct addrinfo *addr) (void)strlcpy(buf, "(null)", sizeof(buf)); } buf[sizeof(buf)-1] = 0; - verbose(VERB_ALGO, "creating %s%s socket %s %d", + verbose(VERB_ALGO, "creating %s%s socket %s %d", addr->ai_socktype==SOCK_DGRAM?"udp": addr->ai_socktype==SOCK_STREAM?"tcp":"otherproto", addr->ai_family==AF_INET?"4": addr->ai_family==AF_INET6?"6": - "_otherfam", buf, + "_otherfam", buf, ntohs(((struct sockaddr_in*)addr->ai_addr)->sin_port)); } } @@ -140,7 +140,9 @@ verbose_print_unbound_socket(struct unbound_socket* ub_sock) if(verbosity >= VERB_ALGO) { log_info("listing of unbound_socket structure:"); verbose_print_addr(ub_sock->addr); - log_info("s is: %d, fam is: %s", ub_sock->s, ub_sock->fam == AF_INET?"AF_INET":"AF_INET6"); + log_info("s is: %d, fam is: %s, acl: %s", ub_sock->s, + ub_sock->fam == AF_INET?"AF_INET":"AF_INET6", + ub_sock->acl?"yes":"no"); } } @@ -458,7 +460,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, int action; # endif # if defined(IPV6_V6ONLY) - if(v6only) { + if(v6only +# ifdef HAVE_SYSTEMD + /* Systemd wants to control if the socket is v6 only + * or both, with BindIPv6Only=default, ipv6-only or + * both in systemd.socket, so it is not set here. */ + && !got_fd_from_systemd +# endif + ) { int val=(v6only==2)?0:1; if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&val, (socklen_t)sizeof(val)) < 0) { 
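Review bot: When the socket comes from systemd, the IPV6_V6ONLY branch in create_udp_sock is now skipped without any trace, so an operator whose dual-stack expectations are not met has nothing in the log to tie it to BindIPv6Only= in the unit; an `#ifdef HAVE_SYSTEMD` else branch such as `verbose(VERB_ALGO, "IPV6_V6ONLY left to systemd for socket from systemd");` would make the fallback visible at debug verbosity. The same applies to the create_tcp_accept_sock hunk (`@@ -774`) on the next line. `got_fd_from_systemd` is set outside this hunk; the reference sits inside the HAVE_SYSTEMD ifdef, so confirm the variable is declared under the same guard in both functions.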
@@ -511,12 +520,14 @@ create_udp_sock(int family, int socktype, struct sockaddr* addr, * instead which is writable; IPV6_MTU is readonly there. */ if (setsockopt(s, IPPROTO_IPV6, IPV6_USER_MTU, (void*)&mtu, (socklen_t)sizeof(mtu)) < 0) { - log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s", - wsa_strerror(WSAGetLastError())); - sock_close(s); - *noproto = 0; - *inuse = 0; - return -1; + if (WSAGetLastError() != WSAENOPROTOOPT) { + log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s", + wsa_strerror(WSAGetLastError())); + sock_close(s); + *noproto = 0; + *inuse = 0; + return -1; + } } # endif /* USE_WINSOCK */ # endif /* IPv6 MTU */ @@ -774,7 +785,14 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto, (void)reuseport; #endif /* defined(SO_REUSEPORT) */ #if defined(IPV6_V6ONLY) - if(addr->ai_family == AF_INET6 && v6only) { + if(addr->ai_family == AF_INET6 && v6only +# ifdef HAVE_SYSTEMD + /* Systemd wants to control if the socket is v6 only + * or both, with BindIPv6Only=default, ipv6-only or + * both in systemd.socket, so it is not set here. */ + && !got_fd_from_systemd +# endif + ) { if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", @@ -1030,6 +1048,7 @@ make_sock(int stype, const char* ifname, const char* port, ub_sock->addr = res; ub_sock->s = s; ub_sock->fam = hints->ai_family; + ub_sock->acl = NULL; return s; } 
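Review bot: In create_udp_sock the IPV6_USER_MTU failure is now ignored when WSAGetLastError() returns WSAENOPROTOOPT, but the skip leaves no trace, so the socket silently runs without the reduced IPv6 MTU this option is meant to set. An else branch such as `else verbose(VERB_ALGO, "setsockopt(..., IPV6_USER_MTU, ...) not supported, skipped");` keeps the fallback visible at debug verbosity. WSAGetLastError() is also read twice on the error path; copying it once into a local before the test is the usual precaution, since the value can change between the two calls.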
@@ -1074,11 +1093,13 @@ make_sock_port(int stype, const char* ifname, const char* port, * @param list: list head. changed. * @param s: fd. * @param ftype: if fd is UDP. + * @param pp2_enabled: if PROXYv2 is enabled for this port. * @param ub_sock: socket with address. * @return false on failure. list in unchanged then. */ static int -port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unbound_socket* ub_sock) +port_insert(struct listen_port** list, int s, enum listen_type ftype, + int pp2_enabled, struct unbound_socket* ub_sock) { struct listen_port* item = (struct listen_port*)malloc( sizeof(struct listen_port)); @@ -1087,6 +1108,7 @@ port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unb item->next = *list; item->fd = s; item->ftype = ftype; + item->pp2_enabled = pp2_enabled; item->socket = ub_sock; *list = item; return 1; @@ -1182,6 +1204,7 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port, * @param ssl_port: ssl service port number * @param tls_additional_port: list of additional ssl service port numbers. * @param https_port: DoH service port number + * @param proxy_protocol_port: list of PROXYv2 port numbers. * @param reuseport: try to set SO_REUSEPORT if nonNULL and true. * set to false on exit if reuseport failed due to no kernel support. * @param transparent: set IP_TRANSPARENT socket option. 
@@ -1194,34 +1217,39 @@ if_is_ssl(const char* ifname, const char* port, int ssl_port, * @return: returns false on error. */ static int -ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, +ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, struct addrinfo *hints, const char* port, struct listen_port** list, size_t rcv, size_t snd, int ssl_port, struct config_strlist* tls_additional_port, int https_port, + struct config_strlist* proxy_protocol_port, int* reuseport, int transparent, int tcp_mss, int freebind, int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp) { int s, noip6=0; int is_https = if_is_https(ifname, port, https_port); + int is_dnscrypt = if_is_dnscrypt(ifname, port, dnscrypt_port); + int is_pp2 = if_is_pp2(ifname, port, proxy_protocol_port); int nodelay = is_https && http2_nodelay; struct unbound_socket* ub_sock; -#ifdef USE_DNSCRYPT - int is_dnscrypt = ((strchr(ifname, '@') && - atoi(strchr(ifname, '@')+1) == dnscrypt_port) || - (!strchr(ifname, '@') && atoi(port) == dnscrypt_port)); -#else - int is_dnscrypt = 0; - (void)dnscrypt_port; -#endif if(!do_udp && !do_tcp) return 0; + if(is_pp2) { + if(is_dnscrypt) { + fatal_exit("PROXYv2 and DNSCrypt combination not " + "supported!"); + } else if(is_https) { + fatal_exit("PROXYv2 and DoH combination not " + "supported!"); + } + } + if(do_auto) { ub_sock = calloc(1, sizeof(struct unbound_socket)); if(!ub_sock) return 0; - if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); 
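Review bot: The two fatal_exit() calls in ports_create_if do not say which listener tripped them, so with several interface: lines the operator has to bisect the config; `ifname` and `port` are both in scope, e.g. `fatal_exit("PROXYv2 and DNSCrypt combination not supported on interface %s port %s", ifname, port);` and likewise for the DoH message. Since a PROXYv2 port takes the client address from the proxy's header rather than from the socket, a short comment at `is_pp2` saying that such a port is meant to be reachable only from the proxy would help the next reader. if_is_pp2 and if_is_dnscrypt are defined outside this hunk; the old `(void)dnscrypt_port` is gone, so if_is_dnscrypt presumably consumes dnscrypt_port even without USE_DNSCRYPT — confirm there is no unused-parameter warning in that build.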
@@ -1239,8 +1267,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, free(ub_sock); return 0; } - if(!port_insert(list, s, - is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil, ub_sock)) { + if(!port_insert(list, s, is_dnscrypt + ?listen_type_udpancil_dnscrypt:listen_type_udpancil, + is_pp2, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); @@ -1251,7 +1280,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, if(!ub_sock) return 0; /* regular udp socket */ - if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1262,8 +1291,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, } return 0; } - if(!port_insert(list, s, - is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp, ub_sock)) { + if(!port_insert(list, s, is_dnscrypt + ?listen_type_udp_dnscrypt:listen_type_udp, + is_pp2, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); @@ -1285,7 +1315,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, port_type = listen_type_tcp_dnscrypt; else port_type = listen_type_tcp; - if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1298,7 +1328,7 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, } if(is_ssl) verbose(VERB_ALGO, "setup TCP for SSL service"); - if(!port_insert(list, s, port_type, ub_sock)) { + if(!port_insert(list, s, port_type, is_pp2, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); 
@@ -1387,14 +1417,16 @@ listen_create(struct comm_base* base, struct listen_port* ports, if(ports->ftype == listen_type_udp || ports->ftype == listen_type_udp_dnscrypt) { cp = comm_point_create_udp(base, ports->fd, - front->udp_buff, cb, cb_arg, ports->socket); + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); } else if(ports->ftype == listen_type_tcp || ports->ftype == listen_type_tcp_dnscrypt) { cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, 0, NULL, tcp_conn_limit, bufsize, front->udp_buff, - ports->ftype, cb, cb_arg, ports->socket); + ports->ftype, ports->pp2_enabled, cb, cb_arg, + ports->socket); } else if(ports->ftype == listen_type_ssl || ports->ftype == listen_type_http) { cp = comm_point_create_tcp(base, ports->fd, @@ -1402,7 +1434,8 @@ listen_create(struct comm_base* base, struct listen_port* ports, harden_large_queries, http_max_streams, http_endpoint, tcp_conn_limit, bufsize, front->udp_buff, - ports->ftype, cb, cb_arg, ports->socket); + ports->ftype, ports->pp2_enabled, cb, cb_arg, + ports->socket); if(ports->ftype == listen_type_http) { if(!sslctx && !http_notls) { log_warn("HTTPS port configured, but " @@ -1428,7 +1461,8 @@ listen_create(struct comm_base* base, struct listen_port* ports, } else if(ports->ftype == listen_type_udpancil || ports->ftype == listen_type_udpancil_dnscrypt) { cp = comm_point_create_udp_ancil(base, ports->fd, - front->udp_buff, cb, cb_arg, ports->socket); + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); } if(!cp) { log_err("can't create commpoint"); @@ -1700,7 +1734,7 @@ int resolve_interface_names(char** ifs, int num_ifs, #endif /* HAVE_GETIFADDRS */ } -struct listen_port* +struct listen_port* listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, int* reuseport) { 
@@ -1763,7 +1797,9 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, + cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1778,7 +1814,9 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, + cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1791,12 +1829,13 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, } if(do_ip6) { hints.ai_family = AF_INET6; - if(!ports_create_if(do_auto?"::0":"::1", - do_auto, cfg->do_udp, do_tcp, + if(!ports_create_if(do_auto?"::0":"::1", + do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { 
@@ -1806,12 +1845,13 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, } if(do_ip4) { hints.ai_family = AF_INET; - if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", - do_auto, cfg->do_udp, do_tcp, + if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", + do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1825,10 +1865,11 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, continue; hints.ai_family = AF_INET6; if(!ports_create_if(ifs[i], 0, cfg->do_udp, - do_tcp, &hints, portbuf, &list, + do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1840,10 +1881,11 @@ listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, continue; hints.ai_family = AF_INET; if(!ports_create_if(ifs[i], 0, cfg->do_udp, - do_tcp, &hints, portbuf, &list, + do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { diff --git a/services/listen_dnsport.h b/services/listen_dnsport.h index 0e63236bcbce..816d79aea61b 100644 --- a/services/listen_dnsport.h +++ b/services/listen_dnsport.h 
@@ -43,6 +43,7 @@ #define LISTEN_DNSPORT_H #include "util/netevent.h" +#include "daemon/acl_list.h" #ifdef HAVE_NGHTTP2_NGHTTP2_H #include <nghttp2/nghttp2.h> #endif @@ -107,11 +108,13 @@ enum listen_type { */ struct unbound_socket { /** socket-address structure */ - struct addrinfo * addr; + struct addrinfo* addr; /** socket descriptor returned by socket() syscall */ - int s; + int s; /** address family (AF_INET/IF_INET6) */ - int fam; + int fam; + /** ACL on the socket (listening interface) */ + struct acl_addr* acl; }; /** @@ -125,7 +128,10 @@ struct listen_port { int fd; /** type of file descriptor, udp or tcp */ enum listen_type ftype; - /** fill in unbpound_socket structure for every opened socket at Unbound startup */ + /** if the port should support PROXYv2 */ + int pp2_enabled; + /** fill in unbound_socket structure for every opened socket at + * Unbound startup */ struct unbound_socket* socket; }; diff --git a/services/localzone.c b/services/localzone.c index 3ed7d835d33e..3536b7aaa91b 100644 --- a/services/localzone.c +++ b/services/localzone.c @@ -1744,13 +1744,13 @@ local_zones_zone_answer(struct local_zone* z, struct module_env* env, /** print log information for an inform zone query */ static void lz_inform_print(struct local_zone* z, struct query_info* qinfo, - struct comm_reply* repinfo) + struct sockaddr_storage* addr, socklen_t addrlen) { char ip[128], txt[512]; char zname[LDNS_MAX_DOMAINLEN+1]; - uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); + uint16_t port = ntohs(((struct sockaddr_in*)addr)->sin_port); dname_str(z->name, zname); - addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); + addr_to_str(addr, addrlen, ip, sizeof(ip)); snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip, (unsigned)port); log_nametypeclass(NO_VERBOSE, txt, qinfo->qname, qinfo->qtype, qinfo->qclass); 
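Review bot: The header now pulls `daemon/acl_list.h` into `services/listen_dnsport.h` only to declare the `struct acl_addr* acl` member, which makes the services layer depend on a daemon header and drags its includes into every file that includes listen_dnsport.h; a forward declaration suffices for a pointer member: `struct acl_addr;` in place of the `#include`. The `addr`/`s`/`fam` lines in struct unbound_socket are whitespace-only changes mixed into the same hunk. The new member is set to NULL in make_sock (`@@ -1030`) and the struct is calloc'd in ports_create_if, so the construction paths visible in this diff are covered; any other allocation site of struct unbound_socket outside it should be checked for the same.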
@@ -1765,7 +1765,8 @@ lz_type(uint8_t *taglist, size_t taglen, uint8_t *taglist2, size_t taglen2, struct local_zone_override* lzo; if(repinfo && override_tree) { lzo = (struct local_zone_override*)addr_tree_lookup( - override_tree, &repinfo->addr, repinfo->addrlen); + override_tree, &repinfo->client_addr, + repinfo->client_addrlen); if(lzo && lzo->type) { verbose(VERB_ALGO, "local zone override to type %s", local_zone_type2str(lzo->type)); @@ -1888,7 +1889,8 @@ local_zones_answer(struct local_zones* zones, struct module_env* env, lzt == local_zone_inform_deny || lzt == local_zone_inform_redirect) && repinfo) - lz_inform_print(z, qinfo, repinfo); + lz_inform_print(z, qinfo, &repinfo->client_addr, + repinfo->client_addrlen); if(lzt != local_zone_always_refuse && lzt != local_zone_always_transparent diff --git a/services/mesh.c b/services/mesh.c index 2a411942663d..9007b6e08c32 100644 --- a/services/mesh.c +++ b/services/mesh.c @@ -806,7 +806,7 @@ static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh, /* Fake the ECS data from the client's IP */ struct ecs_data ecs; memset(&ecs, 0, sizeof(ecs)); - subnet_option_from_ss(&rep->addr, &ecs, mesh->env->cfg); + subnet_option_from_ss(&rep->client_addr, &ecs, mesh->env->cfg); if(ecs.subnet_validdata == 0) { log_err("prefetch_subnet subnet_option_from_ss: invalid data"); return; @@ -1488,8 +1488,9 @@ mesh_send_reply(struct mesh_state* m, int rcode, struct reply_info* rep, } /* Log reply sent */ if(m->s.env->cfg->log_replies) { - log_reply_info(NO_VERBOSE, &m->s.qinfo, &r->query_reply.addr, - r->query_reply.addrlen, duration, 0, r_buffer); + log_reply_info(NO_VERBOSE, &m->s.qinfo, + &r->query_reply.client_addr, + r->query_reply.client_addrlen, duration, 0, r_buffer); } } 
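Review bot: The override lookup in lz_type now keys on `repinfo->client_addr`, and the same choice is made for the inform log, the ECS prefetch in mesh_schedule_prefetch_subnet and the reply log in mesh_send_reply, but none of the sites says why client_addr rather than remote_addr is the right field; on a PROXYv2 listener the two differ, and the policy decision (local-zone override) follows the address the proxy asserted. A comment at the lookup, e.g. `/* policy keys on client_addr: the proxied client on PROXYv2 ports, the socket peer otherwise */`, records that and stops a later change from swapping in remote_addr. The split between the two fields is defined in comm_reply (util/netevent.h), outside this diff, so confirm the wording against it.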
@@ -1530,7 +1531,8 @@ void mesh_query_done(struct mesh_state* mstate) respip_inform_print(mstate->s.respip_action_info, r->qname, mstate->s.qinfo.qtype, mstate->s.qinfo.qclass, r->local_alias, - &r->query_reply); + &r->query_reply.client_addr, + r->query_reply.client_addrlen); if(mstate->s.env->cfg->stat_extended && mstate->s.respip_action_info->rpz_used) { if(mstate->s.respip_action_info->rpz_disabled) @@ -2180,7 +2182,8 @@ mesh_serve_expired_callback(void* arg) if(actinfo.addrinfo) { respip_inform_print(&actinfo, r->qname, qstate->qinfo.qtype, qstate->qinfo.qclass, - r->local_alias, &r->query_reply); + r->local_alias, &r->query_reply.client_addr, + r->query_reply.client_addrlen); if(qstate->env->cfg->stat_extended && actinfo.rpz_used) { if(actinfo.rpz_disabled) diff --git a/services/outside_network.c b/services/outside_network.c index 3f479a3a36fe..a4529ade52e0 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -86,10 +86,6 @@ static void serviced_tcp_initiate(struct serviced_query* sq, sldns_buffer* buff) static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout); -/** remove waiting tcp from the outnet waiting list */ -static void waiting_list_remove(struct outside_network* outnet, - struct waiting_tcp* w); - /** select a DNS ID for a TCP stream */ static uint16_t tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse); @@ -372,7 +368,8 @@ log_reuse_tcp(enum verbosity_value v, const char* msg, struct reuse_tcp* reuse) } /** pop the first element from the writewait list */ -static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse) +struct waiting_tcp* +reuse_write_wait_pop(struct reuse_tcp* reuse) { struct waiting_tcp* w = reuse->write_wait_first; if(!w) 
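Review bot: reuse_write_wait_pop, reuse_write_wait_remove and reuse_write_wait_push_back lose their `static` here, as do the waiting-list helpers on the following lines, but their Doxygen comments stay as one-liners in the .c file; for external functions the project documents the contract in the header, and outside_network.h is cut off at the end of this page, so the prototypes and their `@param`/`@return` text could not be checked. If the header only gains bare prototypes, carry the descriptions over, including that reuse_write_wait_pop returns NULL on an empty list (visible in the `if(!w)` guard). The removed forward declaration of waiting_list_remove at `@@ -86` matches the rename to outnet_waiting_tcp_list_remove further down.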
@@ -390,8 +387,8 @@ static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse) } /** remove the element from the writewait list */ -static void reuse_write_wait_remove(struct reuse_tcp* reuse, - struct waiting_tcp* w) +void +reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w) { log_assert(w); log_assert(w->write_wait_queued); @@ -415,8 +412,8 @@ static void reuse_write_wait_remove(struct reuse_tcp* reuse, } /** push the element after the last on the writewait list */ -static void reuse_write_wait_push_back(struct reuse_tcp* reuse, - struct waiting_tcp* w) +void +reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w) { if(!w) return; log_assert(!w->write_wait_queued); @@ -427,7 +424,9 @@ static void reuse_write_wait_push_back(struct reuse_tcp* reuse, w->write_wait_prev = reuse->write_wait_last; } else { reuse->write_wait_first = w; + w->write_wait_prev = NULL; } + w->write_wait_next = NULL; reuse->write_wait_last = w; w->write_wait_queued = 1; } @@ -721,12 +720,12 @@ outnet_tcp_take_into_use(struct waiting_tcp* w) pend->next_free = NULL; pend->query = w; pend->reuse.outnet = w->outnet; - pend->c->repinfo.addrlen = w->addrlen; + pend->c->repinfo.remote_addrlen = w->addrlen; pend->c->tcp_more_read_again = &pend->reuse.cp_more_read_again; pend->c->tcp_more_write_again = &pend->reuse.cp_more_write_again; pend->reuse.cp_more_read_again = 0; pend->reuse.cp_more_write_again = 0; - memcpy(&pend->c->repinfo.addr, &w->addr, w->addrlen); + memcpy(&pend->c->repinfo.remote_addr, &w->addr, w->addrlen); pend->reuse.pending = pend; /* Remove from tree in case the is_ssl will be different and causes the 
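Review bot: Clearing `w->write_wait_next` (and `write_wait_prev` on the empty-list branch) in reuse_write_wait_push_back is the right fix, since a waiting_tcp re-queued after being moved between lists could otherwise carry a stale link that the list walkers would follow; a one-line comment would preserve the reason, e.g. `/* clear stale links: w may have been on another writewait list before */`. The counterpart reuse_write_wait_remove at `@@ -390` has its body outside the hunk; if it does not already NULL both link pointers when unlinking, the same stale-pointer hazard remains on that path.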
@@ -810,20 +809,50 @@ reuse_tcp_lru_snip(struct outside_network* outnet) return reuse; } -/** call callback on waiting_tcp, if not NULL */ -static void -waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, - struct comm_reply* reply_info) +/** remove waiting tcp from the outnet waiting list */ +void +outnet_waiting_tcp_list_remove(struct outside_network* outnet, struct waiting_tcp* w) { - if(w && w->cb) { - fptr_ok(fptr_whitelist_pending_tcp(w->cb)); - (void)(*w->cb)(c, w->cb_arg, error, reply_info); + struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL; + w->on_tcp_waiting_list = 0; + while(p) { + if(p == w) { + /* remove w */ + if(prev) + prev->next_waiting = w->next_waiting; + else outnet->tcp_wait_first = w->next_waiting; + if(outnet->tcp_wait_last == w) + outnet->tcp_wait_last = prev; + w->next_waiting = NULL; + return; + } + prev = p; + p = p->next_waiting; } + /* outnet_waiting_tcp_list_remove is currently called only with items + * that are already in the waiting list. */ + log_assert(0); +} + +/** pop the first waiting tcp from the outnet waiting list */ +struct waiting_tcp* +outnet_waiting_tcp_list_pop(struct outside_network* outnet) +{ + struct waiting_tcp* w = outnet->tcp_wait_first; + if(!outnet->tcp_wait_first) return NULL; + log_assert(w->on_tcp_waiting_list); + outnet->tcp_wait_first = w->next_waiting; + if(outnet->tcp_wait_last == w) + outnet->tcp_wait_last = NULL; + w->on_tcp_waiting_list = 0; + w->next_waiting = NULL; + return w; } /** add waiting_tcp element to the outnet tcp waiting list */ -static void -outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w) +void +outnet_waiting_tcp_list_add(struct outside_network* outnet, + struct waiting_tcp* w, int set_timer) { struct timeval tv; log_assert(!w->on_tcp_waiting_list); 
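Review bot: outnet_waiting_tcp_list_remove clears `w->on_tcp_waiting_list` before it has found w, so in a build where log_assert compiles out, an element that was not on the list is still marked as removed and the caller proceeds; moving that assignment into the found branch, next to `w->next_waiting = NULL;`, keeps the flag truthful while the assert at the bottom still catches the misuse. The new `set_timer` parameter of outnet_waiting_tcp_list_add is not described by its comment; `/** add waiting_tcp element to the outnet tcp waiting list. @param set_timer: if true, arm w->timer with w->timeout. */` covers it. Both functions are now external, so the same text belongs in outside_network.h, which is cut off at the end of this page.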
@@ -835,16 +864,18 @@ outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w) else outnet->tcp_wait_first = w; outnet->tcp_wait_last = w; w->on_tcp_waiting_list = 1; + if(set_timer) { #ifndef S_SPLINT_S - tv.tv_sec = w->timeout/1000; - tv.tv_usec = (w->timeout%1000)*1000; + tv.tv_sec = w->timeout/1000; + tv.tv_usec = (w->timeout%1000)*1000; #endif - comm_timer_set(w->timer, &tv); + comm_timer_set(w->timer, &tv); + } } /** add waiting_tcp element as first to the outnet tcp waiting list */ -static void -outnet_add_tcp_waiting_first(struct outside_network* outnet, +void +outnet_waiting_tcp_list_add_first(struct outside_network* outnet, struct waiting_tcp* w, int reset_timer) { struct timeval tv; @@ -869,6 +900,17 @@ outnet_add_tcp_waiting_first(struct outside_network* outnet, (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); } +/** call callback on waiting_tcp, if not NULL */ +static void +waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, + struct comm_reply* reply_info) +{ + if(w && w->cb) { + fptr_ok(fptr_whitelist_pending_tcp(w->cb)); + (void)(*w->cb)(c, w->cb_arg, error, reply_info); + } +} + /** see if buffers can be used to service TCP queries */ static void use_free_buffer(struct outside_network* outnet) @@ -879,15 +921,10 @@ use_free_buffer(struct outside_network* outnet) struct pending_tcp* pend_tcp = NULL; #endif struct reuse_tcp* reuse = NULL; - w = outnet->tcp_wait_first; - log_assert(w->on_tcp_waiting_list); - outnet->tcp_wait_first = w->next_waiting; - if(outnet->tcp_wait_last == w) - outnet->tcp_wait_last = NULL; + w = outnet_waiting_tcp_list_pop(outnet); log_assert( (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); - w->on_tcp_waiting_list = 0; reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen, w->ssl_upstream); /* re-select an ID when moving to a new TCP buffer */ 
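Review bot: use_free_buffer passes the result of outnet_waiting_tcp_list_pop straight to reuse_tcp_find as `&w->addr` without a NULL check, and the new pop function returns NULL on an empty list; the old inline code relied on the loop condition in the same way, but that condition is outside this hunk, so a `log_assert(w);` right after the pop documents the invariant and fails loudly in debug builds instead of faulting. The enclosing loop of use_free_buffer starts before this hunk.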
@@ -934,7 +971,7 @@ use_free_buffer(struct outside_network* outnet) #endif } else { /* no reuse and no free buffer, put back at the start */ - outnet_add_tcp_waiting_first(outnet, w, 0); + outnet_waiting_tcp_list_add_first(outnet, w, 0); break; } #ifdef USE_DNSTAP @@ -1008,7 +1045,7 @@ reuse_move_writewait_away(struct outside_network* outnet, * fail the query */ w->error_count ++; reuse_tree_by_id_delete(&pend->reuse, w); - outnet_add_tcp_waiting(outnet, w); + outnet_waiting_tcp_list_add(outnet, w, 1); } while((w = reuse_write_wait_pop(&pend->reuse)) != NULL) { if(verbosity >= VERB_CLIENT && w->pkt_len > 12+2+2 && @@ -1019,7 +1056,7 @@ reuse_move_writewait_away(struct outside_network* outnet, verbose(VERB_CLIENT, "reuse_move_writewait_away item %s", buf); } reuse_tree_by_id_delete(&pend->reuse, w); - outnet_add_tcp_waiting(outnet, w); + outnet_waiting_tcp_list_add(outnet, w, 1); } } @@ -1417,11 +1454,11 @@ outnet_udp_cb(struct comm_point* c, void* arg, int error, /* setup lookup key */ key.id = (unsigned)LDNS_ID_WIRE(sldns_buffer_begin(c->buffer)); - memcpy(&key.addr, &reply_info->addr, reply_info->addrlen); - key.addrlen = reply_info->addrlen; + memcpy(&key.addr, &reply_info->remote_addr, reply_info->remote_addrlen); + key.addrlen = reply_info->remote_addrlen; verbose(VERB_ALGO, "Incoming reply id = %4.4x", key.id); log_addr(VERB_ALGO, "Incoming reply addr =", - &reply_info->addr, reply_info->addrlen); + &reply_info->remote_addr, reply_info->remote_addrlen); /* find it, see if this thing is a valid query response */ verbose(VERB_ALGO, "lookup size is %d entries", (int)outnet->pending->count); @@ -1690,7 +1727,7 @@ outside_network_create(struct comm_base *base, size_t bufsize, return NULL; } pc->cp = comm_point_create_udp(outnet->base, -1, - outnet->udp_buff, outnet_udp_cb, outnet, NULL); + outnet->udp_buff, 0, outnet_udp_cb, outnet, NULL); if(!pc->cp) { log_err("malloc failed"); free(pc); 
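Review bot: outside_network_create passes a bare `0` as the new pp2_enabled argument of comm_point_create_udp, and outnet_comm_point_for_udp (`@@ -3581`, two lines down) does the same; the literal hides a security-relevant decision — the comm points that receive upstream replies must not interpret a PROXYv2 header — so name it, e.g. `outnet->udp_buff, 0 /* no PROXYv2 on outgoing sockets */, outnet_udp_cb, outnet, NULL);`. A named constant would do the same job if the parameter is used in more call sites than these two.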
@@ -2237,7 +2274,7 @@ outnet_tcptimer(void* arg)
 	verbose(VERB_CLIENT, "outnet_tcptimer");
 	if(w->on_tcp_waiting_list) {
 		/* it is on the waiting list */
-		waiting_list_remove(outnet, w);
+		outnet_waiting_tcp_list_remove(outnet, w);
 		waiting_tcp_callback(w, NULL, NETEVENT_TIMEOUT, NULL);
 		waiting_tcp_delete(w);
 	} else {
@@ -2464,7 +2501,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet,
 #ifdef USE_DNSTAP
 		w->sq = sq;
 #endif
-		outnet_add_tcp_waiting(sq->outnet, w);
+		outnet_waiting_tcp_list_add(sq->outnet, w, 1);
 	}
 	return w;
 }
@@ -2545,8 +2582,10 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
 #ifdef UNBOUND_DEBUG
 	rbnode_type* ins;
 #endif
-	if(!sq)
+	if(!sq) {
+		alloc_reg_release(alloc, region);
 		return NULL;
+	}
 	sq->node.key = sq;
 	sq->alloc = alloc;
 	sq->region = region;
@@ -2610,30 +2649,6 @@ serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec,
 	return sq;
 }
 
-/** remove waiting tcp from the outnet waiting list */
-static void
-waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w)
-{
-	struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL;
-	w->on_tcp_waiting_list = 0;
-	while(p) {
-		if(p == w) {
-			/* remove w */
-			if(prev)
-				prev->next_waiting = w->next_waiting;
-			else outnet->tcp_wait_first = w->next_waiting;
-			if(outnet->tcp_wait_last == w)
-				outnet->tcp_wait_last = prev;
-			return;
-		}
-		prev = p;
-		p = p->next_waiting;
-	}
-	/* waiting_list_remove is currently called only with items that are
-	 * already in the waiting list. */
-	log_assert(0);
-}
-
 /** reuse tcp stream, remove serviced query from stream,
  * return true if the stream is kept, false if it is to be closed */
 static int
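Review bot: With `alloc_reg_release(alloc, region);` added on the `!sq` path, serviced_create now owns and frees `region` even when it fails, and the matching caller-side release is removed in the @@ -3432 hunk of outnet_serviced_query. That ownership transfer is not stated anywhere visible, so any other caller that still releases the region after a NULL return would double-release it; suggest a comment at the new release, `/* region is owned by this function from here on: released on failure, kept as sq->region on success */`, and the same sentence in the function's doc comment, which lies above this hunk. Whether other callers of serviced_create exist is not visible in this diff.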
@@ -2728,7 +2743,7 @@ serviced_delete(struct serviced_query* sq)
 			sq->pending = NULL;
 		} else {
 			verbose(VERB_CLIENT, "serviced_delete: tcpwait");
-			waiting_list_remove(sq->outnet, w);
+			outnet_waiting_tcp_list_remove(sq->outnet, w);
 			if(!w->in_cb_and_decommission)
 				waiting_tcp_delete(w);
 		}
@@ -3101,8 +3116,8 @@ serviced_tcp_callback(struct comm_point* c, void* arg, int error,
 		rep = &r2;
 		r2.c = c;
 	}
-	memcpy(&rep->addr, &sq->addr, sq->addrlen);
-	rep->addrlen = sq->addrlen;
+	memcpy(&rep->remote_addr, &sq->addr, sq->addrlen);
+	rep->remote_addrlen = sq->addrlen;
 	serviced_callbacks(sq, error, c, rep);
 	return 0;
 }
@@ -3432,7 +3447,6 @@ outnet_serviced_query(struct outside_network* outnet,
 				infra_ratelimit_dec(env->infra_cache, zone, zonelen,
 					timenow);
 			}
-			alloc_reg_release(env->alloc, region);
 			return NULL;
 		}
 		if(!(cb = (struct service_callback*)regional_alloc(
@@ -3581,7 +3595,7 @@ outnet_comm_point_for_udp(struct outside_network* outnet,
 	if(fd == -1) {
 		return NULL;
 	}
-	cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff,
+	cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, 0,
 		cb, cb_arg, NULL);
 	if(!cp) {
 		log_err("malloc failure");
@@ -3669,8 +3683,8 @@ outnet_comm_point_for_tcp(struct outside_network* outnet,
 		close(fd);
 		return 0;
 	}
-	cp->repinfo.addrlen = to_addrlen;
-	memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
+	cp->repinfo.remote_addrlen = to_addrlen;
+	memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);
 
 	/* setup for SSL (if needed) */
 	if(ssl) {
@@ -3745,8 +3759,8 @@ outnet_comm_point_for_http(struct outside_network* outnet,
 		close(fd);
 		return 0;
 	}
-	cp->repinfo.addrlen = to_addrlen;
-	memcpy(&cp->repinfo.addr, to_addr, to_addrlen);
+	cp->repinfo.remote_addrlen = to_addrlen;
+	memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);
 
 	/* setup for SSL (if needed) */
 	if(ssl) {
diff --git a/services/outside_network.h b/services/outside_network.h
index c383b8f09e24..467c81f60ca2 100644
--- a/services/outside_network.h
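Review bot: `memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen);` copies a caller-supplied length into the fixed-size `remote_addr` field with no check that `to_addrlen` fits; the same shape is repeated in the @@ -3745 hunk of outnet_comm_point_for_http. The rename preserves the pre-existing code, but since both functions take the address from their caller, a `log_assert(to_addrlen <= sizeof(cp->repinfo.remote_addr));` before the copy would make the invariant explicit and catch a bad caller in debug builds. Both enclosing functions start before their hunks, so whether the length is validated earlier is not visible here.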
+++ b/services/outside_network.h
@@ -718,6 +718,30 @@ struct reuse_tcp* reuse_tcp_lru_snip(struct outside_network* outnet);
 /** delete readwait waiting_tcp elements, deletes the elements in the list */
 void reuse_del_readwait(rbtree_type* tree_by_id);
 
+/** remove waiting tcp from the outnet waiting list */
+void outnet_waiting_tcp_list_remove(struct outside_network* outnet,
+	struct waiting_tcp* w);
+
+/** pop the first waiting tcp from the outnet waiting list */
+struct waiting_tcp* outnet_waiting_tcp_list_pop(struct outside_network* outnet);
+
+/** add waiting_tcp element to the outnet tcp waiting list */
+void outnet_waiting_tcp_list_add(struct outside_network* outnet,
+	struct waiting_tcp* w, int set_timer);
+
+/** add waiting_tcp element as first to the outnet tcp waiting list */
+void outnet_waiting_tcp_list_add_first(struct outside_network* outnet,
+	struct waiting_tcp* w, int reset_timer);
+
+/** pop the first element from the writewait list */
+struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse);
+
+/** remove the element from the writewait list */
+void reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w);
+
+/** push the element after the last on the writewait list */
+void reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w);
+
 /** get TCP file descriptor for address, returns -1 on failure,
  * tcp_mss is 0 or maxseg size to set for TCP packets. */
 int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen,
diff --git a/services/rpz.c b/services/rpz.c
index 77b6266fecb9..e876f3f94834 100644
--- a/services/rpz.c
+++ b/services/rpz.c
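Review bot: The new prototypes for `outnet_waiting_tcp_list_add` and `outnet_waiting_tcp_list_add_first` carry `int set_timer` and `int reset_timer` parameters that their one-line comments do not mention, and what happens when the flag is 0 is exactly what a caller of a newly public function needs to know. From the outside_network.c hunk, a nonzero `set_timer` arms the element's timer from `w->timeout` and a zero leaves the timer state untouched; suggest `/** add waiting_tcp element to the outnet tcp waiting list. If set_timer is nonzero the timer is (re)armed from w->timeout, otherwise it is left as is. */`. The `reset_timer` behaviour is not visible in this diff, so confirm it before documenting it the same way; the pop function's comment should also say whether it may return NULL on an empty list.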
@@ -1392,11 +1392,13 @@ log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode,
 		dnamestr[0]=0;
 	}
 	if(repinfo) {
-		addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip));
-		port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port);
+		addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip));
+		port = ntohs(((struct sockaddr_in*)&repinfo->client_addr)->sin_port);
 	} else if(ms && ms->mesh_info && ms->mesh_info->reply_list) {
-		addr_to_str(&ms->mesh_info->reply_list->query_reply.addr, ms->mesh_info->reply_list->query_reply.addrlen, ip, sizeof(ip));
-		port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.addr)->sin_port);
+		addr_to_str(&ms->mesh_info->reply_list->query_reply.client_addr,
+			ms->mesh_info->reply_list->query_reply.client_addrlen,
+			ip, sizeof(ip));
+		port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.client_addr)->sin_port);
 	} else {
 		ip[0]=0;
 		port = 0;
@@ -1468,7 +1470,9 @@ rpz_resolve_client_action_and_zone(struct auth_zones* az, struct query_info* qin
 	}
 	z = rpz_find_zone(r->local_zones, qinfo->qname, qinfo->qname_len,
 		qinfo->qclass, 0, 0, 0);
-	node = rpz_ipbased_trigger_lookup(r->client_set, &repinfo->addr, repinfo->addrlen, "clientip");
+	node = rpz_ipbased_trigger_lookup(r->client_set,
+		&repinfo->client_addr, repinfo->client_addrlen,
+		"clientip");
 	if((z || node) && r->action_override == RPZ_DISABLED_ACTION) {
 		if(r->log)
 			log_rpz_apply((node?"clientip":"qname"),
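Review bot: `port = ntohs(((struct sockaddr_in*)&repinfo->client_addr)->sin_port);` casts the address storage to `sockaddr_in` regardless of family; it only gives the right answer for IPv6 because `sin6_port` happens to sit at the same offset, which is a layout assumption rather than a contract. The rename keeps the existing shape, but a switch on `ss_family` that reads `sin6_port` for AF_INET6 (or a small port-extraction helper shared with the `query_reply.client_addr` path a few lines down) would make the logging correct by construction. The rest of log_rpz_apply lies outside this hunk.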
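Review bot: The client-ip trigger lookup is now keyed on `repinfo->client_addr` rather than the socket peer, which per the commit description may be the address carried in a proxy-protocol header. That makes an RPZ policy decision depend on a value asserted by whatever sent the proxy header, so its trustworthiness rests on the proxy-source restrictions enforced elsewhere, which are not visible in this diff. A comment at the call, `/* client_addr is the end client (the proxied address when proxy protocol is in use), not the socket peer */`, would record why this field is the intended key and flag the dependency for anyone auditing the ACL path.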
@@ -2164,18 +2168,16 @@ rpz_callback_from_iterator_module(struct module_qstate* ms, struct iter_qstate*
 
 	lock_rw_unlock(&az->rpz_lock);
 
-	if(raddr == NULL && z == NULL) { return NULL; }
-	else if(raddr != NULL) {
+	if(raddr == NULL && z == NULL)
+		return NULL;
+
+	if(raddr != NULL) {
 		if(z) {
 			lock_rw_unlock(&z->lock);
 		}
 		return rpz_apply_nsip_trigger(ms, r, raddr, a);
-	} else if(z != NULL) {
-		if(raddr) {
-			lock_rw_unlock(&raddr->lock);
-		}
-		return rpz_apply_nsdname_trigger(ms, r, z, &match, a);
-	} else { return NULL; }
+	}
+	return rpz_apply_nsdname_trigger(ms, r, z, &match, a);
 }
 
 struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms,
diff --git a/services/view.c b/services/view.c
index db48ae9545f8..72f3643184ee 100644
--- a/services/view.c
+++ b/services/view.c
@@ -66,8 +66,9 @@ views_create(void)
 	return v;
 }
 
-/** This prototype is defined in in respip.h, but we want to avoid
- * unnecessary dependencies */
+/* \noop (ignore this comment for doxygen)
+ * This prototype is defined in in respip.h, but we want to avoid
+ * unnecessary dependencies */
 void respip_set_delete(struct respip_set *set);
 
 void
|
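Review bot: The final `return rpz_apply_nsdname_trigger(ms, r, z, &match, a);` relies on `z` being non-NULL, which only holds because the first guard returned when both `raddr` and `z` were NULL and the `raddr != NULL` branch returned; with the explicit `else if(z != NULL)` gone, that reasoning is no longer visible in the control flow. A one-line comment before the call, `/* raddr == NULL here, so z != NULL by the first guard */`, keeps the invariant readable for the next change to this function. The dropped `lock_rw_unlock(&raddr->lock)` was unreachable in the old `z` branch (raddr was already NULL there), so no unlock is lost. The start of rpz_callback_from_iterator_module lies outside this hunk.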