openEuler:Mainline
unbound
Changes of Revision 2
_service:tar_scm:unbound.spec
Changed
@@ -1,10 +1,10 @@ %{!?delete_la: %global delete_la find $RPM_BUILD_ROOT -type f -name "*.la" -delete} Name: unbound -Version: 1.13.2 -Release: 3 +Version: 1.17.1 +Release: 1 Summary: Unbound is a validating, recursive, caching DNS resolver -License: BSD +License: BSD-3-Clause Url: https://nlnetlabs.nl/projects/unbound/about/ Source: https://nlnetlabs.nl/downloads/unbound/%{name}-%{version}.tar.gz Source1: unbound.service @@ -21,7 +21,6 @@ Source12: unbound-anchor.timer Source13: unbound-anchor.service -Patch0: backport-fix-q-doesnt-work-when-use-with-unbound-control-stats_shm.patch Patch1: unbound-remove-buildin-key.patch BuildRequires: make flex swig pkgconfig systemd @@ -30,6 +29,7 @@ %{?systemd_requires} Requires: %{name}-libs = %{version}-%{release} +Requires: openssl %description Unbound is a validating, recursive, caching DNS resolver. It is designed @@ -84,13 +84,13 @@ --enable-relro-now --enable-pie \\\ --enable-subnet --enable-ipsecmod \\\ --with-conf-file=%{_sysconfdir}/%{name}/unbound.conf \\\ - --with-pidfile=%{_localstatedir}/run/%{name}/%{name}.pid \\\ + --with-pidfile=%{_rundir}/%{name}/%{name}.pid \\\ --enable-sha2 --disable-gost --enable-ecdsa \\\ --with-rootkey-file=%{_sharedstatedir}/unbound/root.key \\\ --enable-linux-ip-local-port-range pushd %{name}-%{version} -%configure --with-pythonmodule --with-pyunbound PYTHON=%{__python3} \%{configure_args} +%configure --with-pythonmodule --with-pyunbound PYTHON=%{__python3} --disable-sha1 %{configure_args} %make_build %make_build streamtcp popd 
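Review bot: The new `Requires: openssl` in the third hunk has no comment saying what needs the openssl command at run time, and it is unversioned. If it is there for the key and certificate generation done by `unbound-control-setup` (my assumption; the script is not shown in this change), say so with `# unbound-control-setup calls the openssl command to create the control keys and certificates`. Without that, the line looks redundant next to the library dependency and is likely to be dropped in a later cleanup.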
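Review bot: `--disable-sha1` on the `%configure` line in the fourth hunk changes DNSSEC validation behaviour, yet neither a spec comment nor the 1.17.1-1 changelog entry mentions it. With SHA-1 support compiled out, zones signed only with SHA-1 based algorithms can no longer be validated and, as far as I know, resolve as insecure rather than failing, so operators should be told. I would add `# --disable-sha1: SHA-1 based DNSSEC signatures are not validated; zones signed only with them resolve as insecure` above the line and a matching `- DESC:` line in the changelog. The flag is also passed on this one `%configure` call instead of in `configure_args`, so any other configure invocation outside this hunk would build without it; placing it next to `--enable-sha2` in `configure_args` keeps every build consistent.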
@@ -124,12 +124,7 @@ %delete_la -for mpage in ub_ctx ub_result ub_ctx_create ub_ctx_delete ub_ctx_set_option ub_ctx_get_option ub_ctx_config ub_ctx_set_fwd ub_ctx_resolvconf ub_ctx_hosts ub_ctx_add_ta ub_ctx_add_ta_file ub_ctx_trustedkeys ub_ctx_debugout ub_ctx_debuglevel ub_ctx_async ub_poll ub_wait ub_fd ub_process ub_resolve ub_resolve_async ub_cancel ub_resolve_free ub_strerror ub_ctx_print_local_zones ub_ctx_zone_add ub_ctx_zone_remove ub_ctx_data_add ub_ctx_data_remove; -do - echo ".so man3/libunbound.3" > $RPM_BUILD_ROOT%{_mandir}/man3/$mpage ; -done - -install -d $RPM_BUILD_ROOT%{_localstatedir}/run/unbound +install -d $RPM_BUILD_ROOT%{_rundir}/unbound install -d $RPM_BUILD_ROOT%{_sysconfdir}/unbound/{keys.d,conf.d,local.d} install -p %{SOURCE6} $RPM_BUILD_ROOT%{_sysconfdir}/unbound/keys.d/ @@ -186,6 +181,7 @@ %defattr(-,root,root) %doc doc/CREDITS doc/FEATURES doc/README doc/LICENSE %attr(0644,root,root) %{_tmpfilesdir}/unbound.conf +%attr(0755,unbound,unbound) %dir %{_rundir}/%{name} %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/%{name}/unbound.conf %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sysconfig/%{name} %dir %attr(0755,root,unbound) %{_sysconfdir}/%{name}/keys.d 
@@ -238,6 +234,42 @@ %{_mandir}/man* %changelog +* Tue Mar 07 2023 gaihuiying <eaglegai@163.com> - 1.17.1-1 +- Type:requirement +- CVE:NA +- SUG:NA +- DESC:update to 1.17.1 + +* Fri Mar 03 2023 gaihuiying <eaglegai@163.com> - 1.17.0-2 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:change run directory from /var/run to /run to fix "/usr/lib/tmpfiles.d/unbound.conf:1: xxxx" + +* Tue Nov 08 2022 gaihuiying <eaglegai@163.com> - 1.17.0-1 +- Type:requirement +- CVE:NA +- SUG:NA +- DESC:update to 1.17.0 + +* Thu Sep 22 2022 xingwei <xingwei14@h-partners.com> - 1.13.2-6 +- Type:cves +- CVE:CVE-2022-3204 +- SUG:NA +- DESC:fix CVE-2022-3204 + +* Wed Aug 03 2022 yanglu <yanglu72@h-partners.com> - 1.13.2-5 +- Type:cves +- CVE:CVE-2022-30689 CVE-2022-30699 +- SUG:NA +- DESC:fix CVE-2022-30689 and CVE-2022-30699 + +* Tue Aug 02 2022 gaihuiying <eaglegai@163.com> - 1.13.2-4 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:rebuild to 1.13.2-4 + * Sat Jun 11 2022 gaihuiying <eaglegai@163.com> - 1.13.2-3 - Type:bugfix - CVE:NA
_service:tar_scm:backport-fix-q-doesnt-work-when-use-with-unbound-control-stats_shm.patch
Deleted
@@ -1,46 +0,0 @@
-From c60bed8eef8962c6f7d8deb266d438ff77baaaf5 Mon Sep 17 00:00:00 2001
-From: eaglegai <eaglegai@163.com>
-Date: Fri, 18 Mar 2022 19:08:02 +0800
-Subject: PATCH fix -q doesn't work when use with 'unbound-control stats_shm'
-
-Signed-off-by: eaglegai <eaglegai@163.com>
----
- smallapp/unbound-control.c | 11 +++++++----
- 1 file changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
-index c7c38276f..b0835e3e1 100644
---- a/smallapp/unbound-control.c
-+++ b/smallapp/unbound-control.c
-@@ -444,7 +444,7 @@ static void do_stats_shm(struct config_file* cfg, struct ub_stats_info* stats,
- #endif /* HAVE_SHMGET */
-
- /** print statistics from shm memory segment */
--static void print_stats_shm(const char* cfgfile)
-+static void print_stats_shm(const char* cfgfile, int quiet)
- {
- #ifdef HAVE_SHMGET
- struct config_file* cfg;
-@@ -474,8 +474,11 @@ static void print_stats_shm(const char* cfgfile)
- fatal_exit("shmat(%d): %s", id_arr, strerror(errno));
- }
-
-- /* print the stats */
-- do_stats_shm(cfg, stats, shm_stat);
-+
-+ if (!quiet) {
-+ /* print the stats */
-+ do_stats_shm(cfg, stats, shm_stat);
-+ }
-
- /* shutdown */
- shmdt(shm_stat);
-@@ -987,7 +990,7 @@ int main(int argc, char* argv)
- #endif
- }
- if(argc >= 1 && strcmp(argv0, "stats_shm")==0) {
-- print_stats_shm(cfgfile);
-+ print_stats_shm(cfgfile, quiet);
- return 0;
- }
- check_args_for_listcmd(argc, argv);
_service
Changed
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="scm">git</param>
 <param name="url">git@gitee.com:src-openeuler/unbound.git</param>
- <param name="revision">3142f6b247877e9bdf610ef6e939ed2594c7ff47</param>
+ <param name="revision">master</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>
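Review bot: Switching `revision` from a commit id to `master` makes the build input mutable: the same `_service` file now fetches whatever the branch head is at build time. A later push to the packaging repository therefore changes the built package without any change here, and a rebuild can no longer be tied to the sources that were reviewed. Keep the source pinned, e.g. `<param name="revision">COMMIT_SHA_OF_REVIEWED_STATE</param>` (placeholder), and move the pin forward with each reviewed update. If tracking the branch is intentional, record the resolved commit in the build metadata so a given package can be traced to exact sources.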
_service:tar_scm:tmpfiles-unbound.conf
Changed
@@ -1,1 +1,1 @@
-D /var/run/unbound 0755 unbound unbound -
+D /run/unbound 0755 unbound unbound -
_service:tar_scm:unbound-1.13.2.tar.gz/.gitattributes
Deleted
@@ -1,1 +0,0 @@
-testdata/*.0-9 linguist-documentation
_service:tar_scm:unbound-1.13.2.tar.gz/.github
Deleted
-(directory)
_service:tar_scm:unbound-1.13.2.tar.gz/.github/FUNDING.yml
Deleted
@@ -1,2 +0,0 @@
-github: NLnetLabs
-custom: 'https://nlnetlabs.nl/funding/'
_service:tar_scm:unbound-1.13.2.tar.gz/.github/ISSUE_TEMPLATE
Deleted
-(directory)
_service:tar_scm:unbound-1.13.2.tar.gz/.github/ISSUE_TEMPLATE/bug_report.md
Deleted
@@ -1,41 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve Unbound
-title: ''
-labels: ''
-assignees: ''
-
----
-
-<!--
-Thanks for taking the time to report an issue!
-
-Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
-
-If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
-We would like to keep GitHub issues for possible bugs and feature requests only.
-
-If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
-
-If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
--->
-
-**Describe the bug**
-A clear and concise description of what the bug is.
-
-**To reproduce**
-Steps to reproduce the behavior:
-1.
-2.
-3.
-
-**Expected behavior**
-A clear and concise description of what you expected to happen.
-
-**System:**
- - Unbound version:
- - OS:
- - `unbound -V` output:
-
-**Additional information**
-Add any other information that you may have gathered about the issue here.
_service:tar_scm:unbound-1.13.2.tar.gz/.github/ISSUE_TEMPLATE/feature_request.md
Deleted
@@ -1,31 +0,0 @@
----
-name: Feature request
-about: Suggest an idea for Unbound
-title: "FR"
-labels: ''
-assignees: ''
-
----
-
-<!--
-Thanks for taking the time to report an issue!
-
-Before continuing please make sure that you checked the existing (opened and closed) issues and pull requests to avoid opening a duplicate issue. We would rather prefer to add the information to the existing one. If you are able, feel free to reopen the closed issue afterwards. If not, please create a new issue linking to the old one.
-
-If you rather have a support question and you need guidance on running/configuring Unbound, please refrain from opening an issue and use the community support mailing list instead (https://www.nlnetlabs.nl/support/mailing-lists/).
-We would like to keep GitHub issues for possible bugs and feature requests only.
-
-If you are unsure whether an issue is a bug or not, feel free to reach out to mailing list users or open an issue here.
-
-If you are opening an issue, please complete as much of the following sections as possible to give us a better understanding of your situation.
--->
-
-**Current behavior**
-Is there a current behavior that the feature relates to?
-If yes, would you wish the current behavior to change?
-
-**Describe the desired feature**
-A clear and concise description of what the feature should be.
-
-**Potential use-case**
-Describe how you see this feature being useful to other Unbound users.
_service:tar_scm:unbound-1.13.2.tar.gz/.github/workflows
Deleted
-(directory)
_service:tar_scm:unbound-1.13.2.tar.gz/.github/workflows/analysis_ports.yml
Deleted
@@ -1,346 +0,0 @@ -name: Analysis and Ports - -on: - workflow_dispatch: - inputs: - start: - description: 'Start analysis and port workflow' - default: 'yes' - required: true - -jobs: - build: - runs-on: ${{ matrix.os }} - strategy: - matrix: - include: - - name: GCC on Linux - os: ubuntu-latest - config: "--enable-debug --disable-flto" - make_test: "yes" - - name: Clang-analyzer - os: ubuntu-latest - config: "CC=clang --enable-debug --disable-flto --disable-static" - make_test: "yes" - clang_analysis: "yes" - - name: libevent - os: ubuntu-latest - install_libevent: "yes" - config: "CC=clang --enable-debug --disable-flto --with-libevent --disable-static" - make_test: "yes" - clang_analysis: "yes" - - name: OS X - os: macos-latest - install_expat: "yes" - config: "--enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat" - make_test: "yes" - - name: Clang on OS X - os: macos-latest - install_expat: "yes" - config: "CC=clang --enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat --disable-static" - make_test: "yes" - clang_analysis: "yes" - - name: ubsan (gcc undefined behaviour sanitizer) - os: ubuntu-latest - config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" --disable-flto --disable-static' - make_test: "yes" - - name: asan (gcc address sanitizer) - os: ubuntu-latest - config: 'CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" --disable-flto --disable-static' - make_test: "yes" - - name: Apple iPhone on iOS, armv7 - os: macos-latest - AUTOTOOLS_HOST: armv7-apple-ios - OPENSSL_HOST: ios-cross - IOS_SDK: iPhoneOS - IOS_CPU: armv7s - test_ios: "yes" - config: "no" - make: "no" - - name: Apple iPhone on iOS, arm64 - os: macos-latest - AUTOTOOLS_HOST: aarch64-apple-ios - OPENSSL_HOST: ios64-cross - IOS_SDK: iPhoneOS - IOS_CPU: arm64 - test_ios: "yes" - config: "no" - make: "no" - - name: Apple TV on iOS, arm64 - os: macos-latest - AUTOTOOLS_HOST: 
aarch64-apple-ios - OPENSSL_HOST: ios64-cross - IOS_SDK: AppleTVOS - IOS_CPU: arm64 - test_ios: "yes" - config: "no" - make: "no" - - name: Apple Watch on iOS, armv7 - os: macos-latest - AUTOTOOLS_HOST: armv7-apple-ios - OPENSSL_HOST: ios-cross - IOS_SDK: WatchOS - IOS_CPU: armv7k - test_ios: "yes" - config: "no" - make: "no" - - name: iPhoneSimulator on OS X, i386 - os: macos-latest - AUTOTOOLS_HOST: i386-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: iPhoneSimulator - IOS_CPU: i386 - test_ios: "yes" - config: "no" - make: "no" - - name: iPhoneSimulator on OS X, x86_64 - os: macos-latest - AUTOTOOLS_HOST: x86_64-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: iPhoneSimulator - IOS_CPU: x86_64 - test_ios: "yes" - config: "no" - make: "no" - - name: AppleTVSimulator on OS X, x86_64 - os: macos-latest - AUTOTOOLS_HOST: x86_64-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: AppleTVSimulator - IOS_CPU: x86_64 - test_ios: "yes" - config: "no" - make: "no" - - name: WatchSimulator on OS X, i386 - os: macos-latest - AUTOTOOLS_HOST: i386-apple-ios - OPENSSL_HOST: iphoneos-cross - IOS_SDK: WatchSimulator - IOS_CPU: i386 - test_ios: "yes" - config: "no" - make: "no" - - name: Android armv7a - os: ubuntu-latest - AUTOTOOLS_HOST: armv7a-linux-androidabi - OPENSSL_HOST: android-arm - ANDROID_CPU: armv7a - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Android aarch64 - os: ubuntu-latest - AUTOTOOLS_HOST: aarch64-linux-android - OPENSSL_HOST: android-arm64 - ANDROID_CPU: aarch64 - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Android x86 - os: ubuntu-latest - AUTOTOOLS_HOST: i686-linux-android - OPENSSL_HOST: android-x86 - ANDROID_CPU: x86 - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" - - name: Android x86_64 - os: ubuntu-latest - AUTOTOOLS_HOST: x86_64-linux-android - OPENSSL_HOST: android-x86_64 - ANDROID_CPU: x86_64 - ANDROID_API: 23 - test_android: "yes" - config: "no" - make: "no" 
- - name: Windows - os: windows-latest - test_windows: "yes" - config: "no" - make: "no" - - steps: - - uses: actions/checkout@v2 - with: - submodules: false - - name: test_windows - if: ${{ matrix.test_windows == 'yes' }} - shell: bash - run: | - export unboundpath=`pwd` - echo unboundpath=${unboundpath} - cd .. - export prepath=`pwd` - echo prepath=${prepath} - #echo "curl cpanm" - #curl -L -k -s -S -o cpanm https://cpanmin.us/ - #echo "perl cpanm Pod::Usage" - #perl cpanm Pod::Usage - mkdir openssl - echo "curl openssl" - curl -L -k -s -S -o openssl-1.1.1j.tar.gz https://www.openssl.org/source/openssl-1.1.1j.tar.gz - tar xzf openssl-1.1.1j.tar.gz - cd openssl-1.1.1j - # remove pod::Usage because we do not need -help or -man output - # from the Configure script - echo "Fixup ./Configure by removing use Pod::Usage require" - sed -e 's/use Pod::Usage//' < Configure > Configure.fix - echo "./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix=\""$prepath/openssl\""" - ./Configure.fix no-shared no-asm -DOPENSSL_NO_CAPIENG mingw64 --prefix="$prepath/openssl" - # make the libs only, build faster - echo "make build_libs" - #make - make build_libs - mv Makefile Makefile.orig - # fixup \\ in the installtop to /. - echo "fixup INSTALLTOP" - sed -e 's?^INSTALLTOP=.*$?INSTALLTOP='"$prepath"'/openssl?' < Makefile.orig > Makefile - # install the includes and libs only, build faster - echo "make install_dev" - #make install_sw - make install_dev - cd .. 
- mkdir expat - echo "curl expat" - curl -L -k -s -S -o expat-2.2.10.tar.gz https://github.com/libexpat/libexpat/releases/download/R_2_2_10/expat-2.2.10.tar.gz - tar xzf expat-2.2.10.tar.gz - cd expat-2.2.10 - echo "./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix=\"$prepath/expat\" --exec-prefix=\"$prepath/expat\" --bindir=\"$prepath/expat/bin\" --includedir=\"$prepath/expat/include\" --mandir=\"$prepath/expat/man\" --libdir=\"$prepath/expat/lib\"" - ./configure SHELL=/usr/bin/bash CONFIG_SHELL=/usr/bin/bash --prefix="$prepath/expat" --exec-prefix="$prepath/expat" --bindir="$prepath/expat/bin" --includedir="$prepath/expat/include" --mandir="$prepath/expat/man" --libdir="$prepath/expat/lib" - # fixup SHELL is treated specially, but SHELZZ is not by make. - echo "Fixup Makefiles by renaming SHELL to SHELLZZ" - mv Makefile Makefile.orig - sed -e 's/SHELL/SHELLZZ/g' < Makefile.orig > Makefile - mv lib/Makefile lib/Makefile.orig - sed -e 's/SHELL/SHELLZZ/g' < lib/Makefile.orig > lib/Makefile - mv doc/Makefile doc/Makefile.orig - sed -e 's/SHELL/SHELLZZ/g' < doc/Makefile.orig > doc/Makefile - mv examples/Makefile examples/Makefile.orig - sed -e 's/SHELL/SHELLZZ/g' < examples/Makefile.orig > examples/Makefile - mv tests/Makefile tests/Makefile.orig - sed -e 's/SHELL/SHELLZZ/g' < tests/Makefile.orig > tests/Makefile - mv xmlwf/Makefile xmlwf/Makefile.orig - sed -e 's/SHELL/SHELLZZ/g' < xmlwf/Makefile.orig > xmlwf/Makefile - echo "make" - make - echo "make install" - make install - cd .. 
- echo "unbound" - cd unbound - echo "./configure --enable-debug --enable-static-exe --disable-flto \"--with-ssl=$prepath/openssl\" --with-libexpat=\"$prepath/expat\" --disable-shared" - ./configure --enable-debug --enable-static-exe --disable-flto "--with-ssl=$prepath/openssl" --with-libexpat="$prepath/expat" --disable-shared - make - # specific test output - #make testbound.exe; ./testbound.exe -s - #make testbound; ./testbound.exe -p testdata/acl.rpl -o -vvvv - make test - - name: test_android - if: ${{ matrix.test_android == 'yes' }} - env: - AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }} - OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }} - ANDROID_API: ${{ matrix.ANDROID_API }} - ANDROID_CPU: ${{ matrix.ANDROID_CPU }} - run: | - #(already installed) ./contrib/android/install_tools.sh - export ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU" - echo ANDROID_PREFIX=${ANDROID_PREFIX} - export ANDROID_SDK_ROOT="$HOME/android-sdk" - echo ANDROID_SDK_ROOT=${ANDROID_SDK_ROOT} - export ANDROID_NDK_ROOT="$HOME/android-ndk" - echo ANDROID_NDK_ROOT=${ANDROID_NDK_ROOT} - export AUTOTOOLS_BUILD="$(./config.guess)" - echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD} - export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig" - echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH} - export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$ANDROID_PREFIX --with-ssl=$ANDROID_PREFIX --disable-gost --with-libexpat=$ANDROID_PREFIX" - echo CONFIG_OPTS=${CONFIG_OPTS} - echo "::group::install_ndk" - echo "./contrib/android/install_ndk.sh" - ./contrib/android/install_ndk.sh - echo "::endgroup::" - echo "::group::setenv_android.sh" - echo "./contrib/android/setenv_android.sh" - source ./contrib/android/setenv_android.sh - echo "::endgroup::" - echo "::group::install_openssl" - echo "./contrib/android/install_openssl.sh" - ./contrib/android/install_openssl.sh - echo "::endgroup::" - echo "::group::install_expat" - echo "./contrib/android/install_expat.sh" - ./contrib/android/install_expat.sh - 
echo "::endgroup::" - echo "::group::configure" - echo "./configure ${CONFIG_OPTS}" - ./configure ${CONFIG_OPTS} - echo "::endgroup::" - echo "::group::make" - # make is here to preserve environment variables - make - echo "::endgroup::" - echo "::group::make install" - make install - echo "::endgroup::" - - name: test ios - if: ${{ matrix.test_ios == 'yes' }} - env: - AUTOTOOLS_HOST: ${{ matrix.AUTOTOOLS_HOST }} - OPENSSL_HOST: ${{ matrix.OPENSSL_HOST }} - IOS_SDK: ${{ matrix.IOS_SDK }} - IOS_CPU: ${{ matrix.IOS_CPU }} - run: | - #(already installed) ./contrib/ios/install_tools.sh - export AUTOTOOLS_BUILD="$(./config.guess)" - echo AUTOTOOLS_BUILD=${AUTOTOOLS_BUILD} - export IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - echo IOS_PREFIX=${IOS_PREFIX} - export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig" - echo PKG_CONFIG_PATH=${PKG_CONFIG_PATH} - export CONFIG_OPTS="--build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST --prefix=$IOS_PREFIX --with-ssl=$IOS_PREFIX --disable-gost --with-libexpat=$IOS_PREFIX" - echo CONFIG_OPTS=${CONFIG_OPTS} - echo "::group::setenv_ios.sh" - echo "./contrib/ios/setenv_ios.sh" - source ./contrib/ios/setenv_ios.sh - echo "::endgroup::" - echo "::group::install_openssl" - echo "./contrib/ios/install_openssl.sh" - ./contrib/ios/install_openssl.sh - echo "::endgroup::" - echo "::group::install_expat" - echo "./contrib/ios/install_expat.sh" - ./contrib/ios/install_expat.sh - echo "::endgroup::" - echo "::group::configure" - echo "./configure ${CONFIG_OPTS}" - ./configure ${CONFIG_OPTS} - echo "::endgroup::" - echo "::group::make" - # make is here to preserve environment variables - make - echo "::endgroup::" - echo "::group::make install" - make install - echo "::endgroup::" - - name: install libevent - if: ${{ matrix.install_libevent == 'yes' }} - run: sudo apt-get install libevent-dev - - name: install expat - if: ${{ matrix.install_expat == 'yes' }} - run: brew install expat - - name: configure - if: ${{ matrix.config != 'no' }} - run: ./configure ${{ 
matrix.config }} - - name: make - if: ${{ matrix.make != 'no' }} - run: make - - name: make test - if: ${{ matrix.make_test == 'yes' }} - run: make test - - name: clang-analysis - if: ${{ matrix.clang_analysis == 'yes' }} - run: (cd testdata/clang-analysis.tdir; bash clang-analysis.test)
_service:tar_scm:unbound-1.13.2.tar.gz/.github/workflows/ci.yml
Deleted
@@ -1,21 +0,0 @@
-name: ci
-
-on:
- push:
- branches: master
- pull_request:
- branches: master
-
-jobs:
- build:
-
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: configure
- run: ./configure --enable-debug
- - name: make
- run: make
- - name: make test
- run: make test
_service:tar_scm:unbound-1.13.2.tar.gz/.gitignore
Deleted
@@ -1,58 +0,0 @@
-*.lo
-*.o
-/.libs/
-/.source
-/Makefile
-/autom4te.cache/
-/config.h
-/config.h.in~
-/config.log
-/config.status
-/dnstap/dnstap_config.h
-/dnscrypt/dnscrypt_config.h
-/doc/example.conf
-/doc/libunbound.3
-/doc/unbound-anchor.8
-/doc/unbound-checkconf.8
-/doc/unbound-control.8
-/doc/unbound-host.1
-/doc/unbound.8
-/doc/unbound.conf.5
-/libtool
-/libunbound.la
-/_unbound.la
-/smallapp/unbound-control-setup.sh
-/unbound
-/unbound-anchor
-/unbound-checkconf
-/unbound-control
-/unbound-control-setup
-/unbound-host
-/unbound.h
-/asynclook
-/delayer
-/dohclient
-/lock-verify
-/memstats
-/perf
-/petal
-/pktview
-/streamtcp
-/unbound-dnstap-socket
-/testbound
-/unittest
-/contrib/libunbound.pc
-/contrib/unbound.service
-/contrib/unbound.socket
-/contrib/unbound_portable.service
-/dnstap/dnstap.pb-c.c
-/dnstap/dnstap.pb-c.h
-/libunbound/python/libunbound_wrap.c
-/libunbound/python/unbound.py
-/pythonmod/interface.h
-/pythonmod/unboundmodule.py
-/testdata/result.*
-/testdata/.done-*
-/testdata/.perfstats.txt
-/doc/html
-/doc/xml
_service:tar_scm:unbound-1.13.2.tar.gz/.travis.yml
Deleted
@@ -1,380 +0,0 @@ -language: c - -git: - depth: 5 - -addons: - apt: - packages: - - libssl-dev - - libevent-dev - - libexpat-dev - - clang - homebrew: - packages: - - openssl - - libevent - - expat - # homebrew update takes 20min or hangs, so disable update - #update: true - -jobs: - include: - - os: linux - name: GCC on Linux, Amd64 - compiler: gcc - arch: amd64 - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: linux - name: Clang on Linux, Amd64, clang-analysis - compiler: clang - arch: amd64 - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - TEST_ANALYZER=yes - - os: osx - osx_image: xcode12.2 - name: Clang on OS X, Amd64, clang-analysis - compiler: clang - arch: amd64 - env: - - TEST_OSX=yes - - CONFIG_OPTS="--enable-debug --disable-flto --with-ssl=/usr/local/opt/openssl --with-libexpat=/usr/local/opt/expat" - - TEST_ANALYZER=yes - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: linux - name: Libevent, GCC on Linux, Amd64 - compiler: gcc - arch: amd64 - env: - - TEST_LIBEVENT=yes - - CONFIG_OPTS="--with-libevent" - - os: linux - name: Libevent, Clang on Linux, Amd64 - compiler: clang - arch: amd64 - env: - - TEST_LIBEVENT=yes - - CONFIG_OPTS="--with-libevent" - - os: osx - osx_image: xcode12.2 - name: Libevent, Clang on OS X, Amd64 - compiler: clang - arch: amd64 - env: - - TEST_OSX=yes - - TEST_LIBEVENT=yes - - CONFIG_OPTS="--disable-flto --with-ssl=/usr/local/opt/openssl --with-libevent=/usr/local/opt/libevent --with-libexpat=/usr/local/opt/expat" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: linux - name: UBsan, GCC on Linux, Amd64 - compiler: gcc - arch: amd64 - dist: bionic - env: - - TEST_UBSAN=yes - - os: linux - name: UBsan, Clang on Linux, Amd64 - compiler: clang - arch: amd64 - dist: bionic - env: - - TEST_UBSAN=yes - - os: linux - name: Asan, GCC on Linux, Amd64 - compiler: gcc - arch: amd64 - dist: bionic - env: - - TEST_ASAN=yes - - os: linux - name: Asan, Clang on Linux, Amd64 - compiler: clang - arch: amd64 - dist: bionic - env: - - 
TEST_ASAN=yes - - os: linux - name: GCC on Linux, Aarch64 - compiler: gcc - arch: arm64 - dist: bionic - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: linux - name: Clang on Linux, Aarch64 - compiler: clang - arch: arm64 - dist: bionic - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: linux - name: GCC on Linux, PowerPC64 - compiler: gcc - arch: ppc64le - dist: bionic - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: linux - name: Clang on Linux, PowerPC64 - compiler: clang - arch: ppc64le - dist: bionic - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: linux - name: GCC on Linux, s390x - compiler: gcc - arch: s390x - dist: bionic - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: linux - name: Clang on Linux, s390x - compiler: clang - arch: s390x - dist: bionic - env: - - CONFIG_OPTS="--enable-debug --disable-flto" - - os: osx - osx_image: xcode12.2 - name: Apple iPhone on iOS, armv7 - compiler: clang - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=armv7-apple-ios - - OPENSSL_HOST=ios-cross - - IOS_SDK=iPhoneOS - - IOS_CPU=armv7s - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: Apple iPhone on iOS, arm64 - compiler: clang - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=aarch64-apple-ios - - OPENSSL_HOST=ios64-cross - - IOS_SDK=iPhoneOS - - IOS_CPU=arm64 - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: Apple TV on iOS, arm64 - compiler: clang - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=aarch64-apple-ios - - OPENSSL_HOST=ios64-cross - - IOS_SDK=AppleTVOS - - IOS_CPU=arm64 - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: Apple Watch on iOS, armv7 - compiler: clang - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=armv7-apple-ios - - OPENSSL_HOST=ios-cross - - IOS_SDK=WatchOS - - IOS_CPU=armv7k - - 
IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: iPhoneSimulator on OS X, i386 - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=i386-apple-ios - - OPENSSL_HOST=iphoneos-cross - - IOS_CPU=i386 - - IOS_SDK=iPhoneSimulator - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: iPhoneSimulator on OS X, x86_64 - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=x86_64-apple-ios - - OPENSSL_HOST=iphoneos-cross - - IOS_CPU=x86_64 - - IOS_SDK=iPhoneSimulator - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: AppleTVSimulator on OS X, x86_64 - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=x86_64-apple-ios - - OPENSSL_HOST=iphoneos-cross - - IOS_CPU=x86_64 - - IOS_SDK=AppleTVSimulator - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: osx - osx_image: xcode12.2 - name: WatchSimulator on OS X, i386 - env: - - TEST_IOS=yes - - AUTOTOOLS_HOST=i386-apple-ios - - OPENSSL_HOST=iphoneos-cross - - IOS_CPU=i386 - - IOS_SDK=WatchSimulator - - IOS_PREFIX="$HOME/$IOS_SDK-$IOS_CPU" - - HOMEBREW_NO_AUTO_UPDATE=1 - - os: linux - name: Android armv7a, Linux, Amd64 - compiler: clang - arch: amd64 - dist: bionic - env: - - TEST_ANDROID=yes - - AUTOTOOLS_HOST=armv7a-linux-androideabi - - OPENSSL_HOST=android-arm - - ANDROID_CPU=armv7a - - ANDROID_API=23 - - ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU" - - ANDROID_SDK_ROOT="$HOME/android-sdk" - - ANDROID_NDK_ROOT="$HOME/android-ndk" - - os: linux - name: Android aarch64, Linux, Amd64 - compiler: clang - arch: amd64 - dist: bionic - env: - - TEST_ANDROID=yes - - AUTOTOOLS_HOST=aarch64-linux-android - - OPENSSL_HOST=android-arm64 - - ANDROID_CPU=aarch64 - - ANDROID_API=23 - - ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU" - - ANDROID_SDK_ROOT="$HOME/android-sdk" - - ANDROID_NDK_ROOT="$HOME/android-ndk" - - os: linux - name: Android x86, 
Linux, Amd64 - compiler: clang - arch: amd64 - dist: bionic - env: - - TEST_ANDROID=yes - - AUTOTOOLS_HOST=i686-linux-android - - OPENSSL_HOST=android-x86 - - ANDROID_CPU=x86 - - ANDROID_API=23 - - ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU" - - ANDROID_SDK_ROOT="$HOME/android-sdk" - - ANDROID_NDK_ROOT="$HOME/android-ndk" - - os: linux - name: Android x86_64, Linux, Amd64 - compiler: clang - arch: amd64 - dist: bionic - env: - - TEST_ANDROID=yes - - AUTOTOOLS_HOST=x86_64-linux-android - - OPENSSL_HOST=android-x86_64 - - ANDROID_CPU=x86_64 - - ANDROID_API=23 - - ANDROID_PREFIX="$HOME/android$ANDROID_API-$ANDROID_CPU" - - ANDROID_SDK_ROOT="$HOME/android-sdk" - - ANDROID_NDK_ROOT="$HOME/android-ndk" - - allow_failures: - - os: osx - name: Apple iPhone on iOS, armv7 - - os: osx - name: Apple iPhone on iOS, arm64 - - os: osx - name: Apple TV on iOS, arm64 - - os: osx - name: Apple Watch on iOS, armv7 - - os: osx - name: iPhoneSimulator on OS X, i386 - - os: osx - name: iPhoneSimulator on OS X, x86_64 - - os: osx - name: AppleTVSimulator on OS X, x86_64 - - os: osx - name: WatchSimulator on OS X, i386 - - os: linux - name: Android armv7a, Linux, Amd64 - - os: linux - name: Android aarch64, Linux, Amd64 - - os: linux - name: Android x86, Linux, Amd64 - - os: linux - name: Android x86_64, Linux, Amd64 - -before_script: - - | - if "$TEST_ANDROID" = "yes" ; then - ./contrib/android/install_tools.sh - elif "$TEST_IOS" = "yes" ; then - ./contrib/ios/install_tools.sh - fi - -# The Travis docs say to avoid calling exit in the script. It leads to -# some code duplication to avoid failures in cross-compiles. Also see -# https://docs.travis-ci.com/user/job-lifecycle/ in the Travis docs. 
-script: - - | - export MAKE_TEST="yes" - if "$TEST_UBSAN" = "yes" ; then - export CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=undefined -fno-sanitize-recover=all" - elif "$TEST_ASAN" = "yes" ; then - export CFLAGS="-DNDEBUG -g2 -O3 -fsanitize=address" - fi - - | - if "$TEST_IOS" = "yes" ; then - export AUTOTOOLS_BUILD="$(./config.guess)" - export PKG_CONFIG_PATH="$IOS_PREFIX/lib/pkgconfig" - source ./contrib/ios/setenv_ios.sh - ./contrib/ios/install_openssl.sh - ./contrib/ios/install_expat.sh - export CONFIG_OPTS="\ - --build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST \ - --prefix=$IOS_PREFIX \ - --with-ssl=$IOS_PREFIX --disable-gost \ - --with-libexpat=$IOS_PREFIX " - echo CONFIG_OPTS ${CONFIG_OPTS} - export MAKE_TEST=no - export TEST_INSTALL=yes - fi - - | - if "$TEST_ANDROID" = "yes" ; then - export AUTOTOOLS_BUILD="$(./config.guess)" - export PKG_CONFIG_PATH="$ANDROID_PREFIX/lib/pkgconfig" - ./contrib/android/install_ndk.sh - source ./contrib/android/setenv_android.sh - ./contrib/android/install_openssl.sh - ./contrib/android/install_expat.sh - export CONFIG_OPTS="\ - --build=$AUTOTOOLS_BUILD --host=$AUTOTOOLS_HOST \ - --prefix=$ANDROID_PREFIX \ - --with-ssl=$ANDROID_PREFIX --disable-gost \ - --with-libexpat=$ANDROID_PREFIX " - echo CONFIG_OPTS ${CONFIG_OPTS} - export MAKE_TEST=no - export TEST_INSTALL=yes - fi - - ./configure ${CONFIG_OPTS} - - make -j 2 - - | - if "$MAKE_TEST" = "yes" ; then - make test - fi - - | - if "$TEST_INSTALL" = "yes" ; then - make install - fi - - | - if "$TEST_ANALYZER" = "yes" ; then - (cd testdata/clang-analysis.tdir; bash clang-analysis.test) - fi
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/mini_tpkg.sh
Deleted
@@ -1,128 +0,0 @@ -# tpkg that only exes the files. -args="../.." -if test "$1" = "-a"; then - args=$2 - shift - shift -fi - -if test "$1" = "clean"; then - echo "rm -f result.* .done* .tpkg.var.master .tpkg.var.test" - rm -f result.* .done* .tpkg.var.master .tpkg.var.test - exit 0 -fi -if test "$1" = "fake"; then - echo "minitpkg fake $2" - echo "fake" > .done-`basename $2 .tpkg` - exit 0 -fi -if test "$1" = "report" || test "$2" = "report"; then - echo "Minitpkg Report" - for result in *.tpkg; do - name=`basename $result .tpkg` - if test -f ".done-$name"; then - if test "$1" != "-q"; then - echo "** PASSED ** : $name" - fi - else - if test -f "result.$name"; then - echo "!! FAILED !! : $name" - else - echo ">> SKIPPED<< : $name" - fi - fi - done - exit 0 -fi - -if test "$1" != 'exe'; then - # usage - echo "mini tpkg. Reduced functionality for old shells." - echo " tpkg exe <file>" - echo " tpkg fake <file>" - echo " tpkg clean" - echo " tpkg -q report" - exit 1 -fi -shift - -# do not execute if the disk is too full -#DISKLIMIT=100000 -# This check is not portable (to Solaris 10). -#avail=`df . | tail -1 | awk '{print $4}'` -#if test "$avail" -lt "$DISKLIMIT"; then - #echo "minitpkg: The disk is too full! Only $avail." - #exit 1 -#fi - -name=`basename $1 .tpkg` -dir=$name.$$ -result=result.$name -done=.done-$name -success="no" -if test -x "`which bash`"; then - shell="bash" -else - shell="sh" -fi - -# check already done -if test -f .done-$name; then - echo "minitpkg .done-$name exists. skip test." - exit 0 -fi - -# Extract -echo "minitpkg extract $1 to $dir" -mkdir $dir -gzip -cd $name.tpkg | (cd $dir; tar xf -) -cd $dir -mv $name.dir/* . - -# EXE -echo "minitpkg exe $name" > $result -grep "Description:" $name.dsc >> $result 2>&1 -echo "DateRunStart: "`date "+%s" 2>/dev/null` >> $result -if test -f $name.pre; then - echo "minitpkg exe $name.pre" - echo "minitpkg exe $name.pre" >> $result - $shell $name.pre $args >> $result - if test $? 
-ne 0; then - echo "Warning: $name.pre did not exit successfully" - fi -fi -if test -f $name.test; then - echo "minitpkg exe $name.test" - echo "minitpkg exe $name.test" >> $result - $shell $name.test $args >>$result 2>&1 - if test $? -ne 0; then - echo "$name: FAILED" >> $result - echo "$name: FAILED" - success="no" - else - echo "$name: PASSED" >> $result - echo "$name: PASSED" > ../.done-$name - echo "$name: PASSED" - success="yes" - fi -fi -if test -f $name.post; then - echo "minitpkg exe $name.post" - echo "minitpkg exe $name.post" >> $result - $shell $name.post $args >> $result - if test $? -ne 0; then - echo "Warning: $name.post did not exit successfully" - fi -fi -echo "DateRunEnd: "`date "+%s" 2>/dev/null` >> $result - -mv $result .. -cd .. -rm -rf $dir -# compat for windows where deletion may not succeed initially (files locked -# by processes that still have to exit). -if test $? -eq 1; then - echo "minitpkg waiting for processes to terminate" - sleep 2 # some time to exit, and try again - rm -rf $dir -fi
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert.tdir/precheck.sh
Deleted
@@ -1,16 +0,0 @@ -# dnscrypt precheck.sh - -# if no dnscrypt; exit -if grep "define USE_DNSCRYPT 1" $PRE/config.h; then - echo "have dnscrypt" -else - echo "no dnscrypt" - exit 0 -fi - -# if no xchacha20 support in unbound; exit -if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then - xchacha20=1 -else - xchacha20=0 -fi
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert_chacha.tdir/precheck.sh
Deleted
@@ -1,16 +0,0 @@ -# dnscrypt precheck.sh - -# if no dnscrypt; exit -if grep "define USE_DNSCRYPT 1" $PRE/config.h; then - echo "have dnscrypt" -else - echo "no dnscrypt" - exit 0 -fi - -# if no xchacha20 support in unbound; exit -if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then - xchacha20=1 -else - xchacha20=0 -fi
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/serve_expired_servfail.rpl
Deleted
@@ -1,117 +0,0 @@ -; config options -server: - module-config: "validator iterator" - qname-minimisation: "no" - minimal-responses: no - serve-expired: yes - serve-expired-client-timeout: 1800 - serve-expired-reply-ttl: 123 - log-servfail: yes - - -stub-zone: - name: "example.com" - stub-addr: 1.2.3.4 -CONFIG_END - -SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply -; Scenario overview: -; - query for example.com. IN A -; - check that we get an answer for example.com. IN A with the correct TTL -; - query again right after the TTL expired -; - answer from upstream is servfail -; - check that we get the expired cached answer instead - -; ns.example.com. -RANGE_BEGIN 0 20 - ADDRESS 1.2.3.4 - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR NOERROR - SECTION QUESTION - example.com. IN NS - SECTION ANSWER - example.com. IN NS ns.example.com. - SECTION ADDITIONAL - ns.example.com. IN A 1.2.3.4 - ENTRY_END - - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR NOERROR - SECTION QUESTION - example.com. IN A - SECTION ANSWER - example.com. 10 IN A 5.6.7.8 - SECTION AUTHORITY - example.com. IN NS ns.example.com. - SECTION ADDITIONAL - ns.example.com. IN A 1.2.3.4 - ENTRY_END -RANGE_END - -; ns.example.com. -RANGE_BEGIN 30 100 - ADDRESS 1.2.3.4 - ; response to A query - ENTRY_BEGIN - MATCH opcode qtype qname - ADJUST copy_id - REPLY QR AA SERVFAIL - SECTION QUESTION - example.com. IN A - ENTRY_END -RANGE_END - -; Query with RD flag -STEP 1 QUERY -ENTRY_BEGIN - REPLY RD - SECTION QUESTION - example.com. IN A -ENTRY_END - -; Check that we got the correct answer (should be cached) -STEP 10 CHECK_ANSWER -ENTRY_BEGIN - MATCH all ttl - REPLY QR RD RA NOERROR - SECTION QUESTION - example.com. IN A - SECTION ANSWER - example.com. 10 IN A 5.6.7.8 - SECTION AUTHORITY - example.com. IN NS ns.example.com. - SECTION ADDITIONAL - ns.example.com. 
IN A 1.2.3.4 -ENTRY_END - -; Wait for the TTL to expire -STEP 11 TIME_PASSES ELAPSE 3601 - -; Query again -STEP 30 QUERY -ENTRY_BEGIN - REPLY RD - SECTION QUESTION - example.com. IN A -ENTRY_END - -; Check that we got a stale answer -STEP 40 CHECK_ANSWER -ENTRY_BEGIN - MATCH all ttl - REPLY QR RD RA NOERROR - SECTION QUESTION - example.com. IN A - SECTION ANSWER - example.com. 123 IN A 5.6.7.8 - SECTION AUTHORITY - example.com. 123 IN NS ns.example.com. - SECTION ADDITIONAL - ns.example.com. 123 IN A 1.2.3.4 -ENTRY_END - -SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/Makefile.in -> _service:tar_scm:unbound-1.17.1.tar.gz/Makefile.in
Changed
@@ -57,10 +57,11 @@ STRIP=@STRIP@ CC=@CC@ CPPFLAGS=-I. @CPPFLAGS@ -PYTHON_CPPFLAGS=-I. @PYTHON_CPPFLAGS@ +PYTHON_CPPFLAGS=-I. -I$(srcdir) @PYTHON_CPPFLAGS@ CFLAGS=-DSRCDIR=$(srcdir) @CFLAGS@ LDFLAGS=@LDFLAGS@ LIBS=@LIBS@ +PYTHON_LIBS=@PYTHON_LIBS@ LIBOBJS=@LIBOBJS@ # filter out ctime_r from compat obj. LIBOBJ_WITHOUT_CTIME=@LIBOBJ_WITHOUT_CTIME@ @@ -85,6 +86,8 @@ LINTFLAGS+="-Dsigset_t=long" # FreeBSD LINTFLAGS+="-D__uint16_t=uint16_t" "-DEVP_PKEY_ASN1_METHOD=int" "-D_RuneLocale=int" "-D__va_list=va_list" "-D__uint32_t=uint32_t" "-D_Alignof(x)=x" "-D__aligned(x)=" "-D__requires_exclusive(x)=" "-D__requires_unlocked(x)=" "-D__locks_exclusive(x)=" "-D__trylocks_exclusive(x)=" "-D__unlocks(x)=" "-D__locks_shared(x)=" "-D__trylocks_shared(x)=" +# GCC Docker +LINTFLAGS+=@GCC_DOCKER_LINTFLAGS@ INSTALL=$(SHELL) $(srcdir)/install-sh @@ -127,7 +130,7 @@ util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \ util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \ util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \ -util/timehist.c util/tube.c \ +util/timehist.c util/tube.c util/proxy_protocol.c \ util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \ validator/autotrust.c validator/val_anchor.c validator/validator.c \ validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \ @@ -145,7 +148,7 @@ fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \ random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \ slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \ -autotrust.lo val_anchor.lo rpz.lo \ +autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \ validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \ val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \ $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \ 
@@ -341,7 +344,16 @@ test: unittest$(EXEEXT) testbound$(EXEEXT) ./unittest$(EXEEXT) ./testbound$(EXEEXT) -s - for x in $(srcdir)/testdata/*.rpl; do printf "%s" "$$x "; if ./testbound$(EXEEXT) -p $$x >/dev/null 2>&1; then echo OK; else echo failed; exit 1; fi done + for x in $(srcdir)/testdata/*.rpl; do \ + output=`./testbound$(EXEEXT) -p $$x -o -vvvvv 2>&1`; \ + if test $$? -eq 0; then \ + printf "%s OK\n" "$$x "; \ + else \ + printf "%s\n" "$$output "; \ + printf "%s failed\n" "$$x "; \ + exit 1; \ + fi; \ + done @echo test OK longtest: tests @@ -476,7 +488,7 @@ # Pyunbound python unbound wrapper _unbound.la: libunbound_wrap.lo libunbound.la - $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(LIBS) + $(LIBTOOL) --tag=CC --mode=link $(CC) $(RUNTIME_PATH) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) -module -avoid-version -no-undefined -shared -o $@ libunbound_wrap.lo -rpath $(PYTHON_SITE_PKG) -L. -L.libs libunbound.la $(PYTHON_LIBS) util/config_file.c: util/configparser.h util/configlexer.c: $(srcdir)/util/configlexer.lex util/configparser.h @@ -553,7 +565,7 @@ pyunbound-install: $(INSTALL) -m 755 -d $(DESTDIR)$(PYTHON_SITE_PKG) - $(INSTALL) -c -m 644 $(srcdir)/libunbound/python/unbound.py $(DESTDIR)$(PYTHON_SITE_PKG)/unbound.py + $(INSTALL) -c -m 644 libunbound/python/unbound.py $(DESTDIR)$(PYTHON_SITE_PKG)/unbound.py $(LIBTOOL) --mode=install cp _unbound.la $(DESTDIR)$(PYTHON_SITE_PKG) $(LIBTOOL) --mode=finish $(DESTDIR)$(PYTHON_SITE_PKG) 
@@ -580,6 +592,8 @@ echo ".so man3/libunbound.3" > $(DESTDIR)$(mandir)/man3/$$mpage.3 ; \ done $(LIBTOOL) --mode=install cp unbound.h $(DESTDIR)$(includedir)/unbound.h + $(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig + $(INSTALL) -m 644 contrib/libunbound.pc $(DESTDIR)$(libdir)/pkgconfig $(LIBTOOL) --mode=install cp libunbound.la $(DESTDIR)$(libdir) $(LIBTOOL) --mode=finish $(DESTDIR)$(libdir) @@ -589,8 +603,6 @@ $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man8 $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man5 $(INSTALL) -m 755 -d $(DESTDIR)$(mandir)/man1 - $(INSTALL) -m 755 -d $(DESTDIR)$(libdir)/pkgconfig - $(INSTALL) -m 644 contrib/libunbound.pc $(DESTDIR)$(libdir)/pkgconfig $(LIBTOOL) --mode=install cp -f unbound$(EXEEXT) $(DESTDIR)$(sbindir)/unbound$(EXEEXT) $(LIBTOOL) --mode=install cp -f unbound-checkconf$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-checkconf$(EXEEXT) $(LIBTOOL) --mode=install cp -f unbound-control$(EXEEXT) $(DESTDIR)$(sbindir)/unbound-control$(EXEEXT) @@ -604,7 +616,7 @@ $(INSTALL) -c -m 644 doc/unbound.conf.5 $(DESTDIR)$(mandir)/man5 $(INSTALL) -c -m 644 doc/unbound-host.1 $(DESTDIR)$(mandir)/man1 $(INSTALL) -c -m 755 unbound-control-setup $(DESTDIR)$(sbindir)/unbound-control-setup - if test ! -e $(DESTDIR)$(configfile); then $(INSTALL) -d `dirname $(DESTDIR)$(configfile)`; $(INSTALL) -c -m 644 doc/example.conf $(DESTDIR)$(configfile); fi + if test ! -e "$(DESTDIR)$(configfile)"; then $(INSTALL) -d `dirname "$(DESTDIR)$(configfile)"`; $(INSTALL) -c -m 644 doc/example.conf "$(DESTDIR)$(configfile)"; fi pythonmod-uninstall: rm -f -- $(DESTDIR)$(PYTHON_SITE_PKG)/unboundmodule.py 
@@ -633,7 +645,7 @@ rm -f -- $(DESTDIR)$(includedir)/unbound.h $(LIBTOOL) --mode=uninstall rm -f $(DESTDIR)$(libdir)/libunbound.la @echo - @echo "You still need to remove "`dirname $(DESTDIR)$(configfile)`" , $(DESTDIR)$(configfile) by hand" + @echo "You still need to remove "`dirname "$(DESTDIR)$(configfile)"`" , $(DESTDIR)$(configfile) by hand" iana_update: curl -o port-numbers.tmp https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml --compressed @@ -972,6 +984,8 @@ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h +proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \ + $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ 
@@ -1245,7 +1259,7 @@ $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h $(srcdir)/services/outside_network.h daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ @@ -1500,7 +1514,7 @@ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
_service:tar_scm:unbound-1.13.2.tar.gz/README-Travis.md -> _service:tar_scm:unbound-1.17.1.tar.gz/README-Travis.md
Changed
@@ -241,7 +241,7 @@ The fourth step builds OpenSSL and Expat. OpenSSL and Expat are built for iOS using the scripts `contrib/ios/install_openssl.sh` and `contrib/ios/install_expat.sh`. The scripts download, configure and install the latest release version of the libraries. The libraries are configured with `--prefix="$IOS_PREFIX"` so the headers are placed in `$IOS_PREFIX/include` directory, and the libraries are placed in the `$IOS_PREFIX/lib` directory. -`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair recieves a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. +`IOS_PREFIX` is the value `$HOME/$IOS_SDK-$IOS_CPU`. The scheme handles both iOS SDKs and cpu architectures so the pair receives a unique installation directory. The libraries will be installed in `$HOME/iPhoneOS-armv7s`, `$HOME/iPhoneOS-arm64`, `$HOME/iPhoneSimulator-i386`, etc. For Autotools projects, the appropriate `PKG_CONFIG_PATH` is exported. `PKG_CONFIG_PATH` is an important variable. It is the userland equivalent to sysroot, and allows Autotools to find non-system headers and libraries for an architecture. Typical `PKG_CONFIG_PATH` are `$HOME/iPhoneOS-armv7s/lib/pkgconfig` and `$HOME/iPhoneOS-arm64/lib/pkgconfig`.
_service:tar_scm:unbound-1.13.2.tar.gz/README.md -> _service:tar_scm:unbound-1.17.1.tar.gz/README.md
Changed
@@ -4,6 +4,7 @@ !Packaging status(https://repology.org/badge/tiny-repos/unbound.svg)(https://repology.org/project/unbound/versions) !Fuzzing Status(https://oss-fuzz-build-logs.storage.googleapis.com/badges/unbound.svg)(https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:unbound) !Documentation Status(https://readthedocs.org/projects/unbound/badge/?version=latest)(https://unbound.readthedocs.io/en/latest/?badge=latest) +!Mastodon Follow(https://img.shields.io/mastodon/follow/109262826617293067?domain=https%3A%2F%2Ffosstodon.org&style=social)(https://fosstodon.org/@nlnetlabs) Unbound is a validating, recursive, caching DNS resolver. It is designed to be fast and lean and incorporates modern features based on open standards. If you @@ -11,7 +12,7 @@ create an issue on Github(https://github.com/NLnetLabs/unbound/issues/new) or post a message on the Unbound mailing list(https://lists.nlnetlabs.nl/mailman/listinfo/unbound-users). You can learn more about Unbound by reading our -documentation(https://nlnetlabs.nl/documentation/unbound/). +documentation(https://unbound.docs.nlnetlabs.nl/). ## Compiling @@ -33,7 +34,7 @@ All of Unbound's configuration options are described in the man pages, which will be installed and are available on the Unbound -documentation page(https://nlnetlabs.nl/documentation/unbound/). +documentation page(https://unbound.docs.nlnetlabs.nl/). An example configuration file is located in doc/example.conf(https://github.com/NLnetLabs/unbound/blob/master/doc/example.conf.in).
_service:tar_scm:unbound-1.17.1.tar.gz/SECURITY.md
Added
@@ -0,0 +1,31 @@ +# Security Policy + +## Supported Versions + +NLnet Labs adheres to the straightforward, semantic versioning scheme that is +commonly used in the software industry. + +Support is provided in respect of the latest release, i.e. releases with the +highest minor and patch version level. We do not backport security fixes to +older (minor) versions. In the event a new major version is released (e.g. from +3.2.18 to 4.0.0), support will also be provided on the latest minor version of +the previous major version (3.2.18) for a period of one year from the release of +the new major version (4.0.0). + +In the event that, during this period, a new patch or minor version of the +previous major version is released, then support on these versions will only be +provided for the remainder of the one-year-period. + +You can find detailed information on our software support policy here: + +https://www.nlnetlabs.nl/support/software-support-policy/ + +## Reporting a Vulnerability + +We take security very seriously. If you have discovered a security vulnerability +in one of our projects and you would like to report it to us, you can send an +encrypted message to our Security Entry Point. + +Details are described here: + +https://www.nlnetlabs.nl/security-report/
_service:tar_scm:unbound-1.13.2.tar.gz/acx_nlnetlabs.m4 -> _service:tar_scm:unbound-1.17.1.tar.gz/acx_nlnetlabs.m4
Changed
@@ -2,7 +2,11 @@ # Copyright 2009, Wouter Wijngaards, NLnet Labs. # BSD licensed. # -# Version 41 +# Version 44 +# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD. +# 2021-08-17 fix sed script in ssldir split handling. +# 2021-08-17 fix for openssl to detect split version, with ssldir_include +# and ssldir_lib output directories. # 2021-07-30 fix for openssl use of lib64 directory. # 2021-06-14 fix nonblocking test to use host instead of target for mingw test. # 2021-05-17 fix nonblocking socket test from grep on mingw32 to mingw for @@ -647,6 +651,30 @@ withval=$1 if test x_$withval != x_no; then AC_MSG_CHECKING(for SSL) + if test -n "$withval"; then + dnl look for openssl install with different version, eg. + dnl in /usr/include/openssl11/openssl/ssl.h + dnl and /usr/lib64/openssl11/libssl.so + dnl with the --with-ssl=/usr/include/openssl11 + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + dnl find the libdir + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + AC_MSG_ERROR(Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like "/usr/local" or "/usr/include/openssl11") + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr" fi 
@@ -654,12 +682,12 @@ ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes" - AC_DEFINE_UNQUOTED(HAVE_SSL, , Define if you have the SSL libraries installed.) - dnl assume /usr/include is already in the include-path. - if test "$ssldir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$ssldir/include" - LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" - fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done @@ -667,19 +695,16 @@ AC_MSG_ERROR(Cannot find the SSL libraries in $withval) else AC_MSG_RESULT(found in $ssldir) + AC_DEFINE_UNQUOTED(HAVE_SSL, , Define if you have the SSL libraries installed.) HAVE_SSL=yes - dnl assume /usr is already in the lib and dynlib paths. - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then - LDFLAGS="$LDFLAGS -L$ssldir/lib64" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64" - ACX_RUNTIME_PATH_ADD($ssldir/lib64) - else - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" - ACX_RUNTIME_PATH_ADD($ssldir/lib) - fi - fi + dnl assume /usr is already in the include, lib and dynlib paths. + if test "$ssldir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$ssldir_include" + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" + LDFLAGS="$LDFLAGS -L$ssldir_lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" + ACX_RUNTIME_PATH_ADD($ssldir_lib) + fi AC_MSG_CHECKING(for EVP_sha256 in -lcrypto) LIBS="$LIBS -lcrypto" @@ -758,7 +783,7 @@ AC_DEFUN(ACX_WITH_SSL, AC_ARG_WITH(ssl, AS_HELP_STRING(--with-ssl=pathname,enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)), + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)), , withval="yes" ) 
@@ -776,7 +801,7 @@ AC_DEFUN(ACX_WITH_SSL_OPTIONAL, AC_ARG_WITH(ssl, AS_HELP_STRING(--with-ssl=pathname,enable SSL (will check /usr/local/ssl - /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr)), + /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr or specify like /usr/include/openssl11)), , withval="yes" ) @@ -939,6 +964,9 @@ #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> #endif +#ifdef HAVE_SYS_SELECT_H +#include <sys/select.h> +#endif #ifdef HAVE_SYS_SOCKET_H #include <sys/socket.h> #endif
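Review bot: In the new `--with-ssl=/usr/include/openssl11` branch, `withval` is reset to `""`, so the unchanged `if test x_$withval = x_ -o x_$withval = x_yes` right below it still loads the default directory list, and the search that follows appears to reassign `ssldir` (and, on a hit, `ssldir_include` and `ssldir_lib`) after the split location was already chosen; the loop header falls between the hunks, so this is inferred from the `ssldir="$dir"` and `done` context lines. If that reading is right, a host that also has headers under one of the default prefixes would silently build against those rather than the requested OpenSSL, which matters when the option is used to pick a specific library version. I would skip the default search once the split case has matched, for example by wrapping it in `if test "$found_ssl" != "yes"; then … fi`, provided `found_ssl` is cleared at the top of the macro, which is not visible here.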
_service:tar_scm:unbound-1.13.2.tar.gz/acx_python.m4 -> _service:tar_scm:unbound-1.17.1.tar.gz/acx_python.m4
Changed
@@ -18,27 +18,45 @@ print(sys.version.split()0)"` fi - # - # Check if you have distutils, else fail - # - AC_MSG_CHECKING(for the distutils Python package) - if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + # Check if you have sysconfig + AC_MSG_CHECKING(for the sysconfig Python module) + if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then AC_MSG_RESULT(yes) - else + sysconfig_module="sysconfig" + # if yes, use sysconfig, because distutils is deprecated. + else AC_MSG_RESULT(no) - AC_MSG_ERROR(cannot import Python module "distutils". -Please check your Python installation. The error was: -$ac_distutils_result) - PYTHON_VERSION="" - fi + # if no, try to use distutils + + # + # Check if you have distutils, else fail + # + AC_MSG_CHECKING(for the distutils Python package) + if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + AC_MSG_RESULT(yes) + else + AC_MSG_RESULT(no) + AC_MSG_ERROR(cannot import Python module "distutils". + Please check your Python installation. The error was: + $ac_distutils_result) + PYTHON_VERSION="" + fi + + sysconfig_module="distutils.sysconfig" + fi # # Check for Python include path # AC_MSG_CHECKING(for Python include path) if test -z "$PYTHON_CPPFLAGS"; then - python_path=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_inc());"` + if test "$sysconfig_module" = "sysconfig"; then + python_path=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("include"));'` + else + python_path=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_inc());"` + fi if test -n "${python_path}"; then python_path="-I$python_path" fi 
@@ -52,14 +70,14 @@ # AC_MSG_CHECKING(for Python library path) if test -z "$PYTHON_LDFLAGS"; then - PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LDFLAGS=`$PYTHON -c "from $sysconfig_module import *; \ print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"` fi AC_MSG_RESULT($PYTHON_LDFLAGS) AC_SUBST(PYTHON_LDFLAGS) if test -z "$PYTHON_LIBDIR"; then - PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LIBDIR=`$PYTHON -c "from $sysconfig_module import *; \ print(get_config_var('LIBDIR'));"` fi @@ -68,8 +86,13 @@ # AC_MSG_CHECKING(for Python site-packages path) if test -z "$PYTHON_SITE_PKG"; then - PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_lib(1,0));"` + if test "$sysconfig_module" = "sysconfig"; then + PYTHON_SITE_PKG=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("platlib"));'` + else + PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_lib(1,0));"` + fi fi AC_MSG_RESULT($PYTHON_SITE_PKG) AC_SUBST(PYTHON_SITE_PKG)
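Review bot: The site-packages lookup now prefers `sysconfig.get_path("platlib")` over `distutils.sysconfig.get_python_lib(1,0)`, and as far as I know the two are not guaranteed to return the same directory on distributions that patch Python's install scheme, so the module's install location could move between releases. The existing `if test -z "$PYTHON_SITE_PKG"` guard still lets a packager pin the path, but nothing near the new branch says so. A comment above it would help, for example `# sysconfig's platlib may differ from distutils' get_python_lib(1,0) on some distributions; set PYTHON_SITE_PKG to override`.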
_service:tar_scm:unbound-1.13.2.tar.gz/cachedb/cachedb.c -> _service:tar_scm:unbound-1.17.1.tar.gz/cachedb/cachedb.c
Changed
@@ -390,6 +390,15 @@ if(!qstate->return_msg || !qstate->return_msg->rep) return 0; + /* do not store failures like SERVFAIL in the cachedb, this avoids + * overwriting expired, valid, content with broken content. */ + if(FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != + LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != + LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) != + LDNS_RCODE_YXDOMAIN) + return 0; /* We don't store the reply if its TTL is 0 unless serve-expired is * enabled. Such a reply won't be reusable and simply be a waste for * the backend. It's also compatible with the default behavior of @@ -519,7 +528,7 @@ sldns_buffer_set_limit(buf, lim); return 0; } - if(parse_extract_edns(prs, &edns, qstate->env->scratch) != + if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) != LDNS_RCODE_NOERROR) { sldns_buffer_set_limit(buf, lim); return 0; @@ -542,10 +551,16 @@ verbose(VERB_ALGO, "cachedb msg expired"); /* If serve-expired is enabled, we still use an expired message * setting the TTL to 0. */ - if(qstate->env->cfg->serve_expired) - adjust = -1; - else + if(!qstate->env->cfg->serve_expired || + (FLAGS_GET_RCODE(qstate->return_msg->rep->flags) + != LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) + != LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(qstate->return_msg->rep->flags) + != LDNS_RCODE_YXDOMAIN)) return 0; /* message expired */ + else + adjust = -1; } verbose(VERB_ALGO, "cachedb msg adjusted down by %d", (int)adjust); adjust_msg_ttl(qstate->return_msg, adjust); @@ -662,7 +677,7 @@ return; (void)dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep, 0, qstate->prefetch_leeway, 0, - qstate->region, store_flags); + qstate->region, store_flags, qstate->qstarttime); } /**
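Review bot: The three-way rcode test (`LDNS_RCODE_NOERROR`, `LDNS_RCODE_NXDOMAIN`, `LDNS_RCODE_YXDOMAIN`) is written out twice, once in the store path in the first hunk and once in the expired-message path in the third, so the two lists can drift apart the next time an rcode is added to only one of them. A file-local predicate would keep the store and lookup policy identical and make the serve-expired condition easier to read. Both enclosing functions start and end outside the hunks, so the sketch shows only the changed lines, and the helper name is a suggestion.

```c
/** rcodes that may be written to, or served expired from, the cachedb */
static int
cachedb_rcode_ok(int rcode)
{
	return rcode == LDNS_RCODE_NOERROR ||
		rcode == LDNS_RCODE_NXDOMAIN ||
		rcode == LDNS_RCODE_YXDOMAIN;
}

/* … unchanged: return_msg / rep NULL check in the store path … */
	if(!cachedb_rcode_ok(FLAGS_GET_RCODE(qstate->return_msg->rep->flags)))
		return 0;

/* … unchanged: "cachedb msg expired" logging in the lookup path … */
		if(!qstate->env->cfg->serve_expired ||
			!cachedb_rcode_ok(FLAGS_GET_RCODE(
				qstate->return_msg->rep->flags)))
			return 0; /* message expired */
		else
			adjust = -1;
```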
_service:tar_scm:unbound-1.13.2.tar.gz/compat/arc4random.c -> _service:tar_scm:unbound-1.17.1.tar.gz/compat/arc4random.c
Changed
@@ -57,6 +57,8 @@ #define BLOCKSZ 64 #define RSBUFSZ (16*BLOCKSZ) +#define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */ + /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */ static struct { size_t rs_have; /* valid bytes at end of rs_buf */ @@ -179,6 +181,7 @@ _rs_stir(void) { u_char rndKEYSZ + IVSZ; + uint32_t rekey_fuzz = 0; if (getentropy(rnd, sizeof rnd) == -1) { if(errno != ENOSYS || @@ -201,7 +204,10 @@ rs->rs_have = 0; memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf)); - rs->rs_count = 1600000; + /* rekey interval should not be predictable */ + chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz, + (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz)); + rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE); } static inline void
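Review bot: The `rekey_fuzz % REKEY_BASE` reduction in `_rs_stir` is unbiased only because `REKEY_BASE` divides 2^32, yet the comment on the define says "should be a power of 2" without giving the reason, so a later change to the constant would skew the rekey interval without anyone noticing. I would have the comment state the constraint and its purpose, `#define REKEY_BASE (1024*1024) /* NB. must be a power of 2 so that rekey_fuzz % REKEY_BASE is unbiased */`. It would also help to extend the `/* rekey interval should not be predictable */` comment to say that the fuzz is taken from the freshly keyed ChaCha stream. The body of `_rs_stir` continues outside the hunks.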
_service:tar_scm:unbound-1.13.2.tar.gz/config.guess -> _service:tar_scm:unbound-1.17.1.tar.gz/config.guess
Changed
@@ -1,14 +1,14 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2021 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2021-06-03' +timestamp='2022-09-17' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -60,7 +60,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2021 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -437,7 +437,7 @@ # This test works for both compilers. if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH=x86_64 @@ -929,6 +929,9 @@ i*:PW*:*) GUESS=$UNAME_MACHINE-pc-pw32 ;; + *:SerenityOS:*:*) + GUESS=$UNAME_MACHINE-pc-serenity + ;; *:Interix*:*) case $UNAME_MACHINE in x86) @@ -963,6 +966,12 @@ GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/-(.*//'` GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC ;; + x86_64:Mmanagarm:*:*|i?86:Mmanagarm:*:*) + GUESS="$UNAME_MACHINE-pc-managarm-mlibc" + ;; + *:Mmanagarm:*:*) + GUESS="$UNAME_MACHINE-unknown-managarm-mlibc" + ;; *:Minix:*:*) GUESS=$UNAME_MACHINE-unknown-minix ;; 
@@ -1033,7 +1042,7 @@ k1om:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; - loongarch32:Linux:*:* | loongarch64:Linux:*:* | loongarchx32:Linux:*:*) + loongarch32:Linux:*:* | loongarch64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; m32r*:Linux:*:*) @@ -1148,16 +1157,27 @@ ;; x86_64:Linux:*:*) set_cc_for_build + CPU=$UNAME_MACHINE LIBCABI=$LIBC if test "$CC_FOR_BUILD" != no_compiler_found; then - if (echo '#ifdef __ILP32__'; echo IS_X32; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_X32 >/dev/null - then - LIBCABI=${LIBC}x32 - fi + ABI=64 + sed 's/^ //' << EOF > "$dummy.c" + #ifdef __i386__ + ABI=x86 + #else + #ifdef __ILP32__ + ABI=x32 + #endif + #endif +EOF + cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` + eval "$cc_set_abi" + case $ABI in + x86) CPU=i686 ;; + x32) LIBCABI=${LIBC}x32 ;; + esac fi - GUESS=$UNAME_MACHINE-pc-linux-$LIBCABI + GUESS=$CPU-pc-linux-$LIBCABI ;; xtensa*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC @@ -1364,8 +1384,11 @@ BePC:Haiku:*:*) # Haiku running on Intel PC compatible. GUESS=i586-pc-haiku ;; - x86_64:Haiku:*:*) - GUESS=x86_64-unknown-haiku + ppc:Haiku:*:*) # Haiku running on Apple PowerPC + GUESS=powerpc-apple-haiku + ;; + *:Haiku:*:*) # Haiku modern gcc (not bound by BeOS compat) + GUESS=$UNAME_MACHINE-unknown-haiku ;; SX-4:SUPER-UX:*:*) GUESS=sx4-nec-superux$UNAME_RELEASE @@ -1522,6 +1545,9 @@ i*86:rdos:*:*) GUESS=$UNAME_MACHINE-pc-rdos ;; + i*86:Fiwix:*:*) + GUESS=$UNAME_MACHINE-pc-fiwix + ;; *:AROS:*:*) GUESS=$UNAME_MACHINE-unknown-aros ;;
_service:tar_scm:unbound-1.13.2.tar.gz/config.h.in -> _service:tar_scm:unbound-1.17.1.tar.gz/config.h.in
Changed
@@ -72,6 +72,9 @@ /* If we have be64toh */ #undef HAVE_BE64TOH +/* Define to 1 if you have the `BIO_set_callback_ex' function. */ +#undef HAVE_BIO_SET_CALLBACK_EX + /* Define to 1 if you have the <bsd/stdlib.h> header file. */ #undef HAVE_BSD_STDLIB_H @@ -219,6 +222,10 @@ /* Define to 1 if you have the `EVP_cleanup' function. */ #undef HAVE_EVP_CLEANUP +/* Define to 1 if you have the `EVP_default_properties_is_fips_enabled' + function. */ +#undef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED + /* Define to 1 if you have the `EVP_DigestVerify' function. */ #undef HAVE_EVP_DIGESTVERIFY @@ -291,6 +298,9 @@ /* Define to 1 if you have the `getrlimit' function. */ #undef HAVE_GETRLIMIT +/* Define to 1 if you have the `gettid' function. */ +#undef HAVE_GETTID + /* Define to 1 if you have the `glob' function. */ #undef HAVE_GLOB @@ -315,6 +325,9 @@ /* Define to 1 if you have the <ifaddrs.h> header file. */ #undef HAVE_IFADDRS_H +/* Define to 1 if you have the `if_nametoindex' function. */ +#undef HAVE_IF_NAMETOINDEX + /* Define to 1 if you have the `inet_aton' function. */ #undef HAVE_INET_ATON @@ -375,6 +388,9 @@ /* Define to 1 if you have the <netinet/tcp.h> header file. */ #undef HAVE_NETINET_TCP_H +/* Define to 1 if you have the <netioapi.h> header file. */ +#undef HAVE_NETIOAPI_H + /* Use libnettle for crypto */ #undef HAVE_NETTLE @@ -444,6 +460,12 @@ /* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */ #undef HAVE_OSSL_PARAM_BLD_NEW +/* Define to 1 if you have the `poll' function. */ +#undef HAVE_POLL + +/* Define to 1 if you have the <poll.h> header file. */ +#undef HAVE_POLL_H + /* Define if you have POSIX threads libraries and header files. */ #undef HAVE_PTHREAD 
@@ -787,12 +809,18 @@ /* Shared data */ #undef SHARE_DIR +/* The size of `pthread_t', as computed by sizeof. */ +#undef SIZEOF_PTHREAD_T + /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* The size of `time_t', as computed by sizeof. */ #undef SIZEOF_TIME_T +/* The size of `unsigned long', as computed by sizeof. */ +#undef SIZEOF_UNSIGNED_LONG + /* define if (v)snprintf does not return length needed, (but length used) */ #undef SNPRINTF_RET_BROKEN @@ -962,6 +990,10 @@ /* Define to 1 if you need to in order for `stat' and other things to work. */ #undef _POSIX_SOURCE +/* defined to use gcc ansi snprintf and sscanf that understands %lld when + compiled for windows. */ +#undef __USE_MINGW_ANSI_STDIO + /* Define to empty if `const' does not conform to ANSI C. */ #undef const @@ -1141,7 +1173,7 @@ #include <ws2tcpip.h> #endif -#ifndef USE_WINSOCK +#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO) #define ARG_LL "%ll" #else #define ARG_LL "%I64"
_service:tar_scm:unbound-1.13.2.tar.gz/config.sub -> _service:tar_scm:unbound-1.17.1.tar.gz/config.sub
Changed
@@ -1,14 +1,14 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2021 Free Software Foundation, Inc. +# Copyright 1992-2022 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale -timestamp='2021-07-03' +timestamp='2022-09-17' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 3 of the License, or +# the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but @@ -76,7 +76,7 @@ version="\ GNU config.sub ($timestamp) -Copyright 1992-2021 Free Software Foundation, Inc. +Copyright 1992-2022 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -121,9 +121,11 @@ # Split fields of configuration type # shellcheck disable=SC2162 +saved_IFS=$IFS IFS="-" read field1 field2 field3 field4 <<EOF $1 EOF +IFS=$saved_IFS # Separate into logical components for further validation case $1 in @@ -143,7 +145,7 @@ nto-qnx* | linux-* | uclinux-uclibc* \ | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ - | storm-chaos* | os2-emx* | rtmk-nova*) + | storm-chaos* | os2-emx* | rtmk-nova* | managarm-*) basic_machine=$field1 basic_os=$maybe_os ;; @@ -172,6 +174,10 @@ basic_machine=$field1 basic_os=$field2 ;; + zephyr*) + basic_machine=$field1-unknown + basic_os=$field2 + ;; # Manufacturers dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ | att* | 7300* | 3300* | delta* | motorola* | sun234* \ 
@@ -931,9 +937,11 @@ *-*) # shellcheck disable=SC2162 + saved_IFS=$IFS IFS="-" read cpu vendor <<EOF $basic_machine EOF + IFS=$saved_IFS ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and @@ -1012,6 +1020,11 @@ ;; # Here we normalize CPU types with a missing or matching vendor + armh-unknown | armh-alt) + cpu=armv7l + vendor=alt + basic_os=${basic_os:-linux-gnueabihf} + ;; dpx20-unknown | dpx20-bull) cpu=rs6000 vendor=bull @@ -1113,7 +1126,7 @@ xscale-* | xscaleebl-*) cpu=`echo "$cpu" | sed 's/^xscale/arm/'` ;; - arm64-*) + arm64-* | aarch64le-*) cpu=aarch64 ;; @@ -1194,7 +1207,7 @@ | k1om \ | le32 | le64 \ | lm32 \ - | loongarch32 | loongarch64 | loongarchx32 \ + | loongarch32 | loongarch64 \ | m32c | m32r | m32rle \ | m5200 | m68000 | m6800123460 | m68360 | m683?2 | m68k \ | m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x \ @@ -1296,7 +1309,7 @@ if test x$basic_os != x then -# First recognize some ad-hoc caes, or perhaps split kernel-os, or else just +# First recognize some ad-hoc cases, or perhaps split kernel-os, or else just # set os. case $basic_os in gnu/linux*) @@ -1313,9 +1326,11 @@ ;; *-*) # shellcheck disable=SC2162 + saved_IFS=$IFS IFS="-" read kernel os <<EOF $basic_os EOF + IFS=$saved_IFS ;; # Default OS when just kernel was specified nto*) @@ -1326,6 +1341,10 @@ kernel=linux os=`echo "$basic_os" | sed -e 's|linux|gnu|'` ;; + managarm*) + kernel=managarm + os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'` + ;; *) kernel= os=$basic_os @@ -1697,7 +1716,7 @@ # Now, validate our (potentially fixed-up) OS. case $os in # Sometimes we do "kernel-libc", so those need to count as OSes. - musl* | newlib* | uclibc*) + musl* | newlib* | relibc* | uclibc*) ;; # Likewise for "kernel-abi" eabi* | gnueabi*) 
@@ -1738,7 +1757,8 @@ | skyos* | haiku* | rdos* | toppers* | drops* | es* \ | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \ - | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx*) + | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \ + | fiwix* | mlibc* ) ;; # This one is extra strict with allowed versions sco3.2v2 | sco3.2v4-9* | sco5v6*) @@ -1746,6 +1766,9 @@ ;; none) ;; + kernel* ) + # Restricted further below + ;; *) echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2 exit 1 @@ -1755,16 +1778,27 @@ # As a final step for OS-related things, validate the OS-kernel combination # (given a valid OS), if there is a kernel. case $kernel-$os in - linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* | linux-musl* | linux-uclibc* ) + linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \ + | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* ) ;; uclinux-uclibc* ) ;; - -dietlibc* | -newlib* | -musl* | -uclibc* ) + managarm-mlibc* | managarm-kernel* ) + ;; + -dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* ) # These are just libc implementations, not actual OSes, and thus # require a kernel. echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2 exit 1 ;; + -kernel* ) + echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2 + exit 1 + ;; + *-kernel* ) + echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2 + exit 1 + ;; kfreebsd*-gnu* | kopensolaris*-gnu*) ;; vxworks-simlinux | vxworks-simwindows | vxworks-spe)
_service:tar_scm:unbound-1.13.2.tar.gz/configure -> _service:tar_scm:unbound-1.17.1.tar.gz/configure
Changed
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for unbound 1.13.2. +# Generated by GNU Autoconf 2.69 for unbound 1.17.1. # # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>. # @@ -591,8 +591,8 @@ # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.13.2' -PACKAGE_STRING='unbound 1.13.2' +PACKAGE_VERSION='1.17.1' +PACKAGE_STRING='unbound 1.17.1' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -682,6 +682,7 @@ HAVE_SSL PC_CRYPTO_DEPENDENCY CONFIG_DATE +GCC_DOCKER_LINTFLAGS NETBSD_LINTFLAGS PYUNBOUND_UNINSTALL PYUNBOUND_INSTALL @@ -697,6 +698,7 @@ SWIG_LIB SWIG PC_PY_DEPENDENCY +PYTHON_LIBS PY_MAJOR_VERSION PYTHON_SITE_PKG PYTHON_LDFLAGS @@ -811,6 +813,7 @@ docdir oldincludedir includedir +runstatedir localstatedir sharedstatedir sysconfdir @@ -962,6 +965,7 @@ sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' @@ -1214,6 +1218,15 @@ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ 
@@ -1351,7 +1364,7 @@ for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir + libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. @@ -1464,7 +1477,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures unbound 1.13.2 to adapt to many kinds of systems. +\`configure' configures unbound 1.17.1 to adapt to many kinds of systems. Usage: $0 OPTION... VAR=VALUE... @@ -1504,6 +1517,7 @@ --sysconfdir=DIR read-only single-machine data PREFIX/etc --sharedstatedir=DIR modifiable architecture-independent data PREFIX/com --localstatedir=DIR modifiable single-machine data PREFIX/var + --runstatedir=DIR modifiable per-process data LOCALSTATEDIR/run --libdir=DIR object code libraries EPREFIX/lib --includedir=DIR C header files PREFIX/include --oldincludedir=DIR C header files for non-gcc /usr/include @@ -1529,7 +1543,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.13.2:";; + short | recursive ) echo "Configuration of unbound 1.17.1:";; esac cat <<\_ACEOF @@ -1649,7 +1663,7 @@ --with-nettle=path use libnettle as crypto library, installed at path. --with-ssl=pathname enable SSL (will check /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw - /usr) + /usr or specify like /usr/include/openssl11) --with-libbsd Use portable libbsd functions --with-deprecate-rsa-1024 Deprecate RSA 1024 bit length, makes that an @@ -1771,7 +1785,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.13.2 +unbound configure 1.17.1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2480,7 +2494,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.13.2, which was +It was created by unbound $as_me 1.17.1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2830,13 +2844,13 @@ UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=13 +UNBOUND_VERSION_MINOR=17 -UNBOUND_VERSION_MICRO=2 +UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=13 +LIBUNBOUND_REVISION=21 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -2917,6 +2931,14 @@ # 1.13.0 had 9:11:1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 +# 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 +# 1.16.0 had 9:16:1 +# 1.16.1 had 9:17:1 +# 1.16.2 had 9:18:1 +# 1.16.3 had 9:19:1 +# 1.17.0 had 9:20:1 +# 1.17.1 had 9:21:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -14752,7 +14774,7 @@ fi # Checks for header files. -for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h +for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h do : as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default 
@@ -14809,6 +14831,51 @@ done +for ac_header in netioapi.h +do : + ac_fn_c_check_header_compile "$LINENO" "netioapi.h" "ac_cv_header_netioapi_h" "$ac_includes_default +#if HAVE_SYS_PARAM_H +#include <sys/param.h> +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif + +#ifdef HAVE_SYS_UIO_H +#include <sys/uio.h> +#endif + +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif + +#ifdef HAVE_NETINET_TCP_H +#include <netinet/tcp.h> +#endif + +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif + +#ifdef HAVE_WINSOCK2_H +#include <winsock2.h> +#endif + +#ifdef HAVE_WS2TCPIP_H +#include <ws2tcpip.h> +#endif + +" +if test "x$ac_cv_header_netioapi_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_NETIOAPI_H 1 +_ACEOF + +fi + +done + # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -15322,7 +15389,7 @@ fi -# check wether strptime also works +# check whether strptime also works # check some functions of the OS before linking libs (while still runnable). for ac_header in unistd.h @@ -15966,6 +16033,9 @@ #ifdef HAVE_SYS_TYPES_H #include <sys/types.h> #endif +#ifdef HAVE_SYS_SELECT_H +#include <sys/select.h> +#endif #ifdef HAVE_SYS_SOCKET_H #include <sys/socket.h> #endif 
@@ -17036,6 +17106,72 @@ fi + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3(sizeof (unsigned char)) >= 0;'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5 +$as_echo_n "checking size of unsigned long... " >&6; } +if ${ac_cv_sizeof_unsigned_long+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_unsigned_long" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (unsigned long) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_unsigned_long=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5 +$as_echo "$ac_cv_sizeof_unsigned_long" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long +_ACEOF + + + # The cast to long int works around a bug in the HP C Compiler +# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects +# declarations like `int a3(sizeof (unsigned char)) >= 0;'. +# This bug is HP SR number 8606223364. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of pthread_t" >&5 +$as_echo_n "checking size of pthread_t... 
" >&6; } +if ${ac_cv_sizeof_pthread_t+:} false; then : + $as_echo_n "(cached) " >&6 +else + if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (pthread_t))" "ac_cv_sizeof_pthread_t" "$ac_includes_default"; then : + +else + if test "$ac_cv_type_pthread_t" = yes; then + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "cannot compute sizeof (pthread_t) +See \`config.log' for more details" "$LINENO" 5; } + else + ac_cv_sizeof_pthread_t=0 + fi +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_pthread_t" >&5 +$as_echo "$ac_cv_sizeof_pthread_t" >&6; } + + + +cat >>confdefs.h <<_ACEOF +#define SIZEOF_PTHREAD_T $ac_cv_sizeof_pthread_t +_ACEOF + + if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5 
@@ -17406,22 +17542,38 @@ print(sys.version.split()0)"` fi - # - # Check if you have distutils, else fail - # - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5 -$as_echo_n "checking for the distutils Python package... " >&6; } - if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + # Check if you have sysconfig + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the sysconfig Python module" >&5 +$as_echo_n "checking for the sysconfig Python module... " >&6; } + if ac_sysconfig_result=`$PYTHON -c "import sysconfig" 2>&1`; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - else + sysconfig_module="sysconfig" + # if yes, use sysconfig, because distutils is deprecated. + else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } - as_fn_error $? "cannot import Python module \"distutils\". -Please check your Python installation. The error was: -$ac_distutils_result" "$LINENO" 5 - PYTHON_VERSION="" - fi + # if no, try to use distutils + + # + # Check if you have distutils, else fail + # + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the distutils Python package" >&5 +$as_echo_n "checking for the distutils Python package... " >&6; } + if ac_distutils_result=`$PYTHON -c "import distutils" 2>&1`; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + as_fn_error $? "cannot import Python module \"distutils\". + Please check your Python installation. The error was: + $ac_distutils_result" "$LINENO" 5 + PYTHON_VERSION="" + fi + + sysconfig_module="distutils.sysconfig" + fi # # Check for Python include path 
@@ -17429,8 +17581,13 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python include path" >&5 $as_echo_n "checking for Python include path... " >&6; } if test -z "$PYTHON_CPPFLAGS"; then - python_path=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_inc());"` + if test "$sysconfig_module" = "sysconfig"; then + python_path=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("include"));'` + else + python_path=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_inc());"` + fi if test -n "${python_path}"; then python_path="-I$python_path" fi @@ -17446,7 +17603,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python library path" >&5 $as_echo_n "checking for Python library path... " >&6; } if test -z "$PYTHON_LDFLAGS"; then - PYTHON_LDFLAGS=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LDFLAGS=`$PYTHON -c "from $sysconfig_module import *; \ print('-L'+get_config_var('LIBDIR')+' -L'+get_config_var('LIBDEST')+' '+get_config_var('BLDLIBRARY'));"` fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_LDFLAGS" >&5 @@ -17454,7 +17611,7 @@ if test -z "$PYTHON_LIBDIR"; then - PYTHON_LIBDIR=`$PYTHON -c "from distutils.sysconfig import *; \ + PYTHON_LIBDIR=`$PYTHON -c "from $sysconfig_module import *; \ print(get_config_var('LIBDIR'));"` fi 
@@ -17464,8 +17621,13 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Python site-packages path" >&5 $as_echo_n "checking for Python site-packages path... " >&6; } if test -z "$PYTHON_SITE_PKG"; then - PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ - print(distutils.sysconfig.get_python_lib(1,0));"` + if test "$sysconfig_module" = "sysconfig"; then + PYTHON_SITE_PKG=`$PYTHON -c 'import sysconfig; \ + print(sysconfig.get_path("platlib"));'` + else + PYTHON_SITE_PKG=`$PYTHON -c "import distutils.sysconfig; \ + print(distutils.sysconfig.get_python_lib(1,0));"` + fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON_SITE_PKG" >&5 $as_echo "$PYTHON_SITE_PKG" >&6; } @@ -17553,11 +17715,15 @@ $as_echo "#define HAVE_PYTHON 1" >>confdefs.h - if test -n "$LIBS"; then - LIBS="$PYTHON_LDFLAGS $LIBS" - else - LIBS="$PYTHON_LDFLAGS" + if test x_$ub_with_pythonmod != x_no; then + if test -n "$LIBS"; then + LIBS="$PYTHON_LDFLAGS $LIBS" + else + LIBS="$PYTHON_LDFLAGS" + fi fi + PYTHON_LIBS="$PYTHON_LDFLAGS" + if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" else @@ -17887,6 +18053,12 @@ NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_' fi + +if test "`uname`" = "Linux"; then + # splint cannot parse modern c99 header files + GCC_DOCKER_LINTFLAGS='-syntax' + +fi CONFIG_DATE=`date +%Y%m%d` 
@@ -17993,6 +18165,25 @@ if test x_$withval != x_no; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL" >&5 $as_echo_n "checking for SSL... " >&6; } + if test -n "$withval"; then + if test ! -f "$withval/include/openssl/ssl.h" -a -f "$withval/openssl/ssl.h"; then + ssldir="$withval" + found_ssl="yes" + withval="" + ssldir_include="$ssldir" + ssldir_lib=`echo $ssldir | sed -e 's/include/lib/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + ssldir_lib=`echo $ssldir | sed -e 's/include/lib64/'` + if test -f "$ssldir_lib/libssl.a" -o -f "$ssldir_lib/libssl.so"; then + : # found here + else + as_fn_error $? "Could not find openssl lib file, $ssldir_lib/libssl.so,a, pass like \"/usr/local\" or \"/usr/include/openssl11\"" "$LINENO" 5 + fi + fi + fi + fi if test x_$withval = x_ -o x_$withval = x_yes; then withval="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /opt/local /usr/sfw /usr" fi @@ -18000,15 +18191,12 @@ ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes" - -cat >>confdefs.h <<_ACEOF -#define HAVE_SSL /**/ -_ACEOF - - if test "$ssldir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$ssldir/include" - LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir/include" - fi + ssldir_include="$ssldir/include" + if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then + ssldir_lib="$ssldir/lib64" + else + ssldir_lib="$ssldir/lib" + fi break; fi done 
@@ -18017,30 +18205,25 @@ else { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $ssldir" >&5 $as_echo "found in $ssldir" >&6; } - HAVE_SSL=yes - if test "$ssldir" != "/usr" -a "$ssldir" != ""; then - if test ! -d "$ssldir/lib" -a -d "$ssldir/lib64"; then - LDFLAGS="$LDFLAGS -L$ssldir/lib64" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib64" - if test "x$enable_rpath" = xyes; then - if echo "$ssldir/lib64" | grep "^/" >/dev/null; then - RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib64" - fi - fi +cat >>confdefs.h <<_ACEOF +#define HAVE_SSL /**/ +_ACEOF - else - LDFLAGS="$LDFLAGS -L$ssldir/lib" - LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir/lib" + HAVE_SSL=yes + if test "$ssldir" != "/usr"; then + CPPFLAGS="$CPPFLAGS -I$ssldir_include" + LIBSSL_CPPFLAGS="$LIBSSL_CPPFLAGS -I$ssldir_include" + LDFLAGS="$LDFLAGS -L$ssldir_lib" + LIBSSL_LDFLAGS="$LIBSSL_LDFLAGS -L$ssldir_lib" if test "x$enable_rpath" = xyes; then - if echo "$ssldir/lib" | grep "^/" >/dev/null; then - RUNTIME_PATH="$RUNTIME_PATH -R$ssldir/lib" + if echo "$ssldir_lib" | grep "^/" >/dev/null; then + RUNTIME_PATH="$RUNTIME_PATH -R$ssldir_lib" fi fi - fi - fi + fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_sha256 in -lcrypto" >&5 $as_echo_n "checking for EVP_sha256 in -lcrypto... " >&6; } @@ -18328,7 +18511,7 @@ conftest$ac_exeext conftest.$ac_ext SSLLIB="-lssl" -PC_CRYPTO_DEPENDENCY="libcrypto libssl" +PC_CRYPTO_DEPENDENCY="" # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) @@ -18369,7 +18552,7 @@ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for LibreSSL" >&5 $as_echo_n "checking for LibreSSL... " >&6; } -if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } 
@@ -18436,7 +18619,7 @@ done -for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new +for ac_func in OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -18758,7 +18941,7 @@ ;; esac -# check wether gost also works +# check whether gost also works # Check whether --enable-gost was given. if test "${enable_gost+set}" = set; then : @@ -18791,7 +18974,7 @@ if test c${cross_compiling} = cno; then BAKCFLAGS="$CFLAGS" if test -n "$ssldir"; then - CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" + CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib" fi if test "$cross_compiling" = yes; then : { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 
@@ -18974,8 +19157,8 @@ # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) { $as_echo "$as_me:${as_lineno-$LINENO}: checking if openssl supports SHA2 and ECDSA with EVP" >&5 $as_echo_n "checking if openssl supports SHA2 and ECDSA with EVP... " >&6; } - if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then - if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then + if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then + if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -19858,7 +20041,46 @@ else LIBS="$LIBS -lgdi32" fi - LIBS="$LIBS -lz" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5 +$as_echo_n "checking for compress in -lz... " >&6; } +if ${ac_cv_lib_z_compress+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lz $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char compress (); +int +main () +{ +return compress (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_z_compress=yes +else + ac_cv_lib_z_compress=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5 +$as_echo "$ac_cv_lib_z_compress" >&6; } +if test "x$ac_cv_lib_z_compress" = xyes; then : + LIBS="$LIBS -lz" +fi + LIBS="$LIBS -l:libssp.a" fi fi 
@@ -19878,7 +20100,46 @@ else LIBS="$LIBS -lgdi32" fi - LIBS="$LIBS -lz" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for compress in -lz" >&5 +$as_echo_n "checking for compress in -lz... " >&6; } +if ${ac_cv_lib_z_compress+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lz $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char compress (); +int +main () +{ +return compress (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_z_compress=yes +else + ac_cv_lib_z_compress=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_z_compress" >&5 +$as_echo "$ac_cv_lib_z_compress" >&6; } +if test "x$ac_cv_lib_z_compress" = xyes; then : + LIBS="$LIBS -lz" +fi + LIBS="$LIBS -l:libssp.a" fi fi @@ -20111,6 +20372,9 @@ WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o" + +$as_echo "#define __USE_MINGW_ANSI_STDIO 1" >>confdefs.h + fi if test $ac_cv_func_getaddrinfo = no; then case " $LIBOBJS " in 
@@ -20398,7 +20662,7 @@ fi -for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs +for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -21608,10 +21872,16 @@ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" fi for dir in $withval ; do - if test -f "$dir/include/libmnl/libmnl.h"; then + if test -f "$dir/include/libmnl/libmnl.h" -o -f "$dir/include/libmnl/libmnl/libmnl.h"; then found_libmnl="yes" - if test "$dir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$dir/include" + extralibmnl="" + if test -f "$dir/include/libmnl/libmnl/libmnl.h"; then + extralibmnl="/libmnl" + fi + if test "$dir" != "/usr" -o -n "$extralibmnl"; then + CPPFLAGS="$CPPFLAGS -I$dir/include$extralibmnl" + fi + if test "$dir" != "/usr"; then LDFLAGS="$LDFLAGS -L$dir/lib" fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $dir" >&5 @@ -21816,7 +22086,7 @@ -version=1.13.2 +version=1.17.1 date=`date +'%b %e, %Y'` @@ -22335,7 +22605,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.13.2, which was +This file was extended by unbound $as_me 1.17.1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -22401,7 +22671,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/\\""\`\$/\\\\&/g'`" ac_cs_version="\\ -unbound config.status 1.13.2 +unbound config.status 1.17.1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\"
_service:tar_scm:unbound-1.13.2.tar.gz/configure.ac -> _service:tar_scm:unbound-1.17.1.tar.gz/configure.ac
Changed
@@ -10,15 +10,15 @@ # must be numbers. ac_defun because of later processing m4_define(VERSION_MAJOR,1) -m4_define(VERSION_MINOR,13) -m4_define(VERSION_MICRO,2) +m4_define(VERSION_MINOR,17) +m4_define(VERSION_MICRO,1) AC_INIT(unbound,m4_defn(VERSION_MAJOR).m4_defn(VERSION_MINOR).m4_defn(VERSION_MICRO),unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues,unbound) AC_SUBST(UNBOUND_VERSION_MAJOR, VERSION_MAJOR) AC_SUBST(UNBOUND_VERSION_MINOR, VERSION_MINOR) AC_SUBST(UNBOUND_VERSION_MICRO, VERSION_MICRO) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=13 +LIBUNBOUND_REVISION=21 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -99,6 +99,14 @@ # 1.13.0 had 9:11:1 # 1.13.1 had 9:12:1 # 1.13.2 had 9:13:1 +# 1.14.0 had 9:14:1 +# 1.15.0 had 9:15:1 +# 1.16.0 had 9:16:1 +# 1.16.1 had 9:17:1 +# 1.16.2 had 9:18:1 +# 1.16.3 had 9:19:1 +# 1.17.0 had 9:20:1 +# 1.17.1 had 9:21:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -391,7 +399,7 @@ fi # Checks for header files. -AC_CHECK_HEADERS(stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h,,, AC_INCLUDES_DEFAULT) +AC_CHECK_HEADERS(stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h,,, AC_INCLUDES_DEFAULT) # net/if.h portability for Darwin see: # https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html AC_CHECK_HEADERS(net/if.h,,, 
@@ -411,6 +419,39 @@ # Check for Apple header. This uncovers TARGET_OS_IPHONE, TARGET_OS_TV or TARGET_OS_WATCH AC_CHECK_HEADERS(TargetConditionals.h,,, AC_INCLUDES_DEFAULT) +AC_CHECK_HEADERS(netioapi.h,,, AC_INCLUDES_DEFAULT +#if HAVE_SYS_PARAM_H +#include <sys/param.h> +#endif + +#ifdef HAVE_SYS_SOCKET_H +#include <sys/socket.h> +#endif + +#ifdef HAVE_SYS_UIO_H +#include <sys/uio.h> +#endif + +#ifdef HAVE_NETINET_IN_H +#include <netinet/in.h> +#endif + +#ifdef HAVE_NETINET_TCP_H +#include <netinet/tcp.h> +#endif + +#ifdef HAVE_ARPA_INET_H +#include <arpa/inet.h> +#endif + +#ifdef HAVE_WINSOCK2_H +#include <winsock2.h> +#endif + +#ifdef HAVE_WS2TCPIP_H +#include <ws2tcpip.h> +#endif +) # check for types. # Using own tests for int64* because autoconf builtin only give 32bit. @@ -457,7 +498,7 @@ AC_SEARCH_LIBS(inet_pton, nsl) AC_SEARCH_LIBS(socket, socket) -# check wether strptime also works +# check whether strptime also works AC_DEFUN(AC_CHECK_STRPTIME_WORKS, AC_REQUIRE(AC_PROG_CC) AC_MSG_CHECKING(whether strptime works) @@ -568,6 +609,8 @@ CC="$PTHREAD_CC" ub_have_pthreads=yes AC_CHECK_TYPES(pthread_spinlock_t, pthread_rwlock_t,,,#include <pthread.h>) + AC_CHECK_SIZEOF(unsigned long) + AC_CHECK_SIZEOF(pthread_t) if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then AC_MSG_CHECKING(if -pthread unused during linking) @@ -699,11 +742,15 @@ AC_SUBST(PY_MAJOR_VERSION) # Have Python AC_DEFINE(HAVE_PYTHON,1,Define if you have Python libraries and header files.) - if test -n "$LIBS"; then - LIBS="$PYTHON_LDFLAGS $LIBS" - else - LIBS="$PYTHON_LDFLAGS" + if test x_$ub_with_pythonmod != x_no; then + if test -n "$LIBS"; then + LIBS="$PYTHON_LDFLAGS $LIBS" + else + LIBS="$PYTHON_LDFLAGS" + fi fi + PYTHON_LIBS="$PYTHON_LDFLAGS" + AC_SUBST(PYTHON_LIBS) if test -n "$CPPFLAGS"; then CPPFLAGS="$CPPFLAGS $PYTHON_CPPFLAGS" else 
@@ -776,6 +823,12 @@ NETBSD_LINTFLAGS='"-D__RENAME(x)=" -D_NETINET_IN_H_' AC_SUBST(NETBSD_LINTFLAGS) fi + +if test "`uname`" = "Linux"; then + # splint cannot parse modern c99 header files + GCC_DOCKER_LINTFLAGS='-syntax' + AC_SUBST(GCC_DOCKER_LINTFLAGS) +fi CONFIG_DATE=`date +%Y%m%d` AC_SUBST(CONFIG_DATE) @@ -830,7 +883,7 @@ ACX_LIB_SSL SSLLIB="-lssl" -PC_CRYPTO_DEPENDENCY="libcrypto libssl" +PC_CRYPTO_DEPENDENCY="" AC_SUBST(PC_CRYPTO_DEPENDENCY) # check if -lcrypt32 is needed because CAPIENG needs that. (on windows) @@ -850,7 +903,7 @@ ) AC_MSG_CHECKING(for LibreSSL) -if grep VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then +if grep VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "LibreSSL" >/dev/null; then AC_MSG_RESULT(yes) AC_DEFINE(HAVE_LIBRESSL, 1, Define if we have LibreSSL) # libressl provides these compat functions, but they may also be 
@@ -860,7 +913,7 @@ AC_MSG_RESULT(no) fi AC_CHECK_HEADERS(openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h,,, AC_INCLUDES_DEFAULT) -AC_CHECK_FUNCS(OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new) +AC_CHECK_FUNCS(OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex) # these check_funcs need -lssl BAKLIBS="$LIBS" @@ -973,14 +1026,14 @@ ;; esac -# check wether gost also works +# check whether gost also works AC_DEFUN(AC_CHECK_GOST_WORKS, AC_REQUIRE(AC_PROG_CC) AC_MSG_CHECKING(if GOST works) if test c${cross_compiling} = cno; then BAKCFLAGS="$CFLAGS" if test -n "$ssldir"; then - CFLAGS="$CFLAGS -Wl,-rpath,$ssldir/lib" + CFLAGS="$CFLAGS -Wl,-rpath,$ssldir_lib" fi AC_RUN_IFELSE(AC_LANG_SOURCE( #include <string.h> 
@@ -1103,8 +1156,8 @@ ) # see if OPENSSL 1.0.0 or later (has EVP MD and Verify independency) AC_MSG_CHECKING(if openssl supports SHA2 and ECDSA with EVP) - if grep OPENSSL_VERSION_TEXT $ssldir/include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then - if grep OPENSSL_VERSION_NUMBER $ssldir/include/openssl/opensslv.h | grep 0x0 >/dev/null; then + if grep OPENSSL_VERSION_TEXT $ssldir_include/openssl/opensslv.h | grep "OpenSSL" >/dev/null; then + if grep OPENSSL_VERSION_NUMBER $ssldir_include/openssl/opensslv.h | grep 0x0 >/dev/null; then AC_MSG_RESULT(no) AC_DEFINE_UNQUOTED(USE_ECDSA_EVP_WORKAROUND, 1, Define this to enable an EVP workaround for older openssl) else @@ -1453,7 +1506,7 @@ else LIBS="$LIBS -lgdi32" fi - LIBS="$LIBS -lz" + AC_CHECK_LIB(z, compress, LIBS="$LIBS -lz" ) LIBS="$LIBS -l:libssp.a" fi fi @@ -1470,7 +1523,7 @@ else LIBS="$LIBS -lgdi32" fi - LIBS="$LIBS -lz" + AC_CHECK_LIB(z, compress, LIBS="$LIBS -lz" ) LIBS="$LIBS -l:libssp.a" fi fi @@ -1508,6 +1561,7 @@ AC_SUBST(WIN_CONTROL_OBJ_LINK) WIN_CHECKCONF_OBJ_LINK="rsrc_unbound_checkconf.o" AC_SUBST(WIN_CHECKCONF_OBJ_LINK) + AC_DEFINE(__USE_MINGW_ANSI_STDIO, 1, defined to use gcc ansi snprintf and sscanf that understands %lld when compiled for windows.) fi if test $ac_cv_func_getaddrinfo = no; then AC_LIBOBJ(fake-rfc2553) 
@@ -1594,7 +1648,7 @@ AC_MSG_RESULT(no)) AC_SEARCH_LIBS(setusercontext, util) -AC_CHECK_FUNCS(tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs) +AC_CHECK_FUNCS(tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid) AC_CHECK_FUNCS(setresuid,,AC_CHECK_FUNCS(setreuid)) AC_CHECK_FUNCS(setresgid,,AC_CHECK_FUNCS(setregid)) @@ -1833,11 +1887,17 @@ withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr" fi for dir in $withval ; do - if test -f "$dir/include/libmnl/libmnl.h"; then + if test -f "$dir/include/libmnl/libmnl.h" -o -f "$dir/include/libmnl/libmnl/libmnl.h"; then found_libmnl="yes" dnl assume /usr is in default path. + extralibmnl="" + if test -f "$dir/include/libmnl/libmnl/libmnl.h"; then + extralibmnl="/libmnl" + fi + if test "$dir" != "/usr" -o -n "$extralibmnl"; then + CPPFLAGS="$CPPFLAGS -I$dir/include$extralibmnl" + fi if test "$dir" != "/usr"; then - CPPFLAGS="$CPPFLAGS -I$dir/include" LDFLAGS="$LDFLAGS -L$dir/lib" fi AC_MSG_RESULT(found in $dir) @@ -2015,7 +2075,7 @@ #include <ws2tcpip.h> #endif -#ifndef USE_WINSOCK +#if !defined(USE_WINSOCK) || !defined(HAVE_SNPRINTF) || defined(SNPRINTF_RET_BROKEN) || defined(__USE_MINGW_ANSI_STDIO) #define ARG_LL "%ll" #else #define ARG_LL "%I64"
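Review bot: The rewritten `#if` in the last hunk selects `ARG_LL "%ll"` on four separate conditions without saying why each applies, and a wrong choice means a 64-bit argument is formatted with a specifier the C library does not parse. I would add a comment above it, for example `/* "%I64" only for the native Windows printf; the compat snprintf and MinGW ANSI stdio take "%ll" */`. That reading of `HAVE_SNPRINTF` and `SNPRINTF_RET_BROKEN` is inferred from their names and should be confirmed. The `__USE_MINGW_ANSI_STDIO` part agrees with the description in the `AC_DEFINE` added in the `@@ -1508,6 +1561,7 @@` hunk.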
_service:tar_scm:unbound-1.17.1.tar.gz/contrib/Dockerfile.tests
Added
@@ -0,0 +1,11 @@ +FROM gcc:latest +WORKDIR /usr/src/unbound +RUN apt-get update +# install semantic parser & lexical analyzer +RUN apt-get install -y bison flex +# install packages used in tests +RUN apt-get install -y ldnsutils dnsutils xxd splint doxygen netcat +# accept short rsa keys, which are used in tests +RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /usr/lib/ssl/openssl.cnf + +CMD "/bin/bash"
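Review bot: The `sed` line rewrites `SECLEVEL=2` to `SECLEVEL=1` in the image-wide `/usr/lib/ssl/openssl.cnf`, so every OpenSSL consumer in the container accepts weaker keys, and only the file name marks the image as test-only. I would extend the comment to `# test image only: lowers the OpenSSL security level system-wide, do not use as a base for anything deployed`. The base is `gcc:latest` and `apt-get update` sits in its own layer, so builds are not reproducible and a cached index layer can go stale. Pinning a tag and merging the steps as `RUN apt-get update && apt-get install -y --no-install-recommends bison flex` would address both.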
_service:tar_scm:unbound-1.13.2.tar.gz/contrib/aaaa-filter-iterator.patch -> _service:tar_scm:unbound-1.17.1.tar.gz/contrib/aaaa-filter-iterator.patch
Changed
@@ -1,8 +1,8 @@ diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index f426ac5f..147fbfa9 100644 +index 5a75e319..c6c6dbe2 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -872,6 +872,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when +@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when this option in enabled. Only use if you know what you are doing. This option only has effect when qname-minimisation is enabled. Default is no. .TP @@ -17,10 +17,10 @@ Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c -index aae934dd..55c55de0 100644 +index f093c1bf..e55a2246 100644 --- a/iterator/iter_scrub.c +++ b/iterator/iter_scrub.c -@@ -667,6 +667,32 @@ static int sanitize_nsec_is_overreach(struct rrset_parse* rrset, +@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt, return 0; } @@ -53,7 +53,7 @@ /** * Given a response event, remove suspect RRsets from the response. * "Suspect" rrsets are potentially poison. Note that this routine expects -@@ -686,6 +712,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, struct query_info* qinfo, uint8_t* zonename, struct module_env* env, struct iter_env* ie) { @@ -61,7 +61,7 @@ int del_addi = 0; /* if additional-holding rrsets are deleted, we do not trust the normalized additional-A-AAAA any more */ struct rrset_parse* rrset, *prev; -@@ -721,6 +748,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = rrset->rrset_all_next; } 
@@ -75,7 +75,7 @@ /* At this point, we brutally remove ALL rrsets that aren't * children of the originating zone. The idea here is that, * as far as we know, the server that we contacted is ONLY -@@ -732,6 +766,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = msg->rrset_first; while(rrset) { @@ -101,22 +101,22 @@ if( (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA)) { diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c -index 7bc67da6..e10f547a 100644 +index 2482a1f4..bd5ba243 100644 --- a/iterator/iter_utils.c +++ b/iterator/iter_utils.c -@@ -175,6 +175,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) - } +@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; + iter_env->outbound_msg_retry = cfg->outbound_msg_retry; + iter_env->aaaa_filter = cfg->aaaa_filter; return 1; } diff --git a/iterator/iterator.c b/iterator/iterator.c -index 23b07ea9..ca29b48c 100644 +index 54006940..768fe202 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c -@@ -2127,6 +2127,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) +@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) return 0; } @@ -170,7 +170,7 @@ /** * This is the request event state where the request will be sent to one of -@@ -2186,6 +2233,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } 
@@ -184,7 +184,7 @@ /* Make sure we have a delegation point, otherwise priming failed * or another failure occurred */ if(!iq->dp) { -@@ -3574,6 +3628,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } @@ -246,7 +246,7 @@ /* * Return priming query results to interested super querystates. * -@@ -3593,6 +3702,9 @@ iter_inform_super(struct module_qstate* qstate, int id, +@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id, else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*) super->minfoid)->state == DSNS_FIND_STATE) processDSNSResponse(qstate, id, super); @@ -256,7 +256,7 @@ else if(qstate->return_rcode != LDNS_RCODE_NOERROR) error_supers(qstate, id, super); else if(qstate->is_priming) -@@ -3630,6 +3742,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, case INIT_REQUEST_3_STATE: cont = processInitRequest3(qstate, iq, id); break; @@ -266,7 +266,7 @@ case QUERYTARGETS_STATE: cont = processQueryTargets(qstate, iq, ie, id); break; -@@ -3961,6 +4076,8 @@ iter_state_to_string(enum iter_state state) +@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state) return "INIT REQUEST STATE (stage 2)"; case INIT_REQUEST_3_STATE: return "INIT REQUEST STATE (stage 3)"; @@ -275,7 +275,7 @@ case QUERYTARGETS_STATE : return "QUERY TARGETS STATE"; case PRIME_RESP_STATE : -@@ -3985,6 +4102,7 @@ iter_state_is_responsestate(enum iter_state s) +@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s) case INIT_REQUEST_STATE : case INIT_REQUEST_2_STATE : case INIT_REQUEST_3_STATE : @@ -284,10 +284,10 @@ case COLLECT_CLASS_STATE : return 0; diff --git a/iterator/iterator.h b/iterator/iterator.h -index 342ac207..731948d1 100644 +index 8b840528..a61c4195 100644 --- a/iterator/iterator.h 
+++ b/iterator/iterator.h -@@ -135,6 +135,9 @@ struct iter_env { +@@ -133,6 +133,9 @@ struct iter_env { */ int* target_fetch_policy; @@ -297,7 +297,7 @@ /** lock on ratelimit counter */ lock_basic_type queries_ratelimit_lock; /** number of queries that have been ratelimited */ -@@ -186,6 +189,14 @@ enum iter_state { +@@ -187,6 +190,14 @@ enum iter_state { */ INIT_REQUEST_3_STATE, @@ -312,7 +312,7 @@ /** * Each time a delegation point changes for a given query or a * query times out and/or wakes up, this state is (re)visited. -@@ -375,6 +386,13 @@ struct iter_qstate { +@@ -376,6 +387,13 @@ struct iter_qstate { */ int refetch_glue; @@ -327,10 +327,10 @@ struct outbound_list outlist; diff --git a/pythonmod/interface.i b/pythonmod/interface.i -index f08b575d..47f1bb2e 100644 +index 1ca8686a..d91b19ec 100644 --- a/pythonmod/interface.i +++ b/pythonmod/interface.i -@@ -975,6 +975,7 @@ struct config_file { +@@ -995,6 +995,7 @@ struct config_file { int harden_dnssec_stripped; int harden_referral_path; int use_caps_bits_for_id; @@ -339,10 +339,10 @@ struct config_strlist* private_domain; size_t unwanted_threshold; diff --git a/util/config_file.c b/util/config_file.c -index 0ab8614a..729fb147 100644 +index 969d664b..8d94b008 100644 --- a/util/config_file.c +++ b/util/config_file.c -@@ -218,6 +218,7 @@ config_create(void) +@@ -231,6 +231,7 @@ config_create(void) cfg->harden_referral_path = 0; cfg->harden_algo_downgrade = 0; cfg->use_caps_bits_for_id = 0; @@ -351,10 +351,10 @@ cfg->private_address = NULL; cfg->private_domain = NULL; diff --git a/util/config_file.h b/util/config_file.h -index e61257a3..dabaa7bb 100644 +index c7c9a0a4..e3aa15b0 100644 --- a/util/config_file.h +++ b/util/config_file.h -@@ -260,6 +260,8 @@ struct config_file { +@@ -285,6 +285,8 @@ struct config_file { int harden_algo_downgrade; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; 
@@ -364,38 +364,38 @@ struct config_strlist* caps_whitelist; /** strip away these private addrs from answers, no DNS Rebinding */ diff --git a/util/configlexer.lex b/util/configlexer.lex -index 79a0edca..4eaec678 100644 +index 34a0e5dd..c890be2a 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex -@@ -304,6 +304,7 @@ harden-algo-downgrade{COLON} { YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } - use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } +@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } + caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } +aaaa-filter{COLON} { YDVAR(1, VAR_AAAA_FILTER) } private-address{COLON} { YDVAR(1, VAR_PRIVATE_ADDRESS) } private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } diff --git a/util/configparser.y b/util/configparser.y -index 1d0e8658..f284dd43 100644 +index d4f965f9..8cc237c6 100644 --- a/util/configparser.y +++ b/util/configparser.y 
@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser; - %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT + %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS +%token VAR_AAAA_FILTER %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -@@ -233,6 +234,7 @@ content_server: server_num_threads | server_verbosity | server_port | +@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | - server_private_domain | server_extended_statistics | + server_private_domain | server_extended_statistics | + server_aaaa_filter | - server_local_data_ptr | server_jostle_timeout | - server_unwanted_reply_threshold | server_log_time_ascii | - server_domain_insecure | server_val_sig_skew_min | -@@ -1563,6 +1565,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG + server_local_data_ptr | server_jostle_timeout | + server_unwanted_reply_threshold | server_log_time_ascii | + server_domain_insecure | server_val_sig_skew_min | +@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG yyerror("out of memory"); } ;
_service:tar_scm:unbound-1.13.2.tar.gz/contrib/drop2rpz -> _service:tar_scm:unbound-1.17.1.tar.gz/contrib/drop2rpz
Changed
@@ -4,7 +4,7 @@ # # unbound.conf: # rpz: -# name: "spamhaus-drop.rpz.local." +# name: "drop.spamhaus.org.rpz.local." # zonefile: "/path/tp/spamhaus-drop.rpz.local" # rpz-log: yes # rpz-log-name: "spamhaus-drop"
_service:tar_scm:unbound-1.13.2.tar.gz/contrib/metrics.awk -> _service:tar_scm:unbound-1.17.1.tar.gz/contrib/metrics.awk
Changed
@@ -28,6 +28,7 @@ print "unbound_hits_queries{type=\"total.num.prefetch\"} " val"total.num.prefetch"; print "unbound_hits_queries{type=\"num.query.tcp\"} " val"num.query.tcp"; print "unbound_hits_queries{type=\"num.query.tcpout\"} " val"num.query.tcpout"; + print "unbound_hits_queries{type=\"num.query.udpout\"} " val"num.query.udpout"; print "unbound_hits_queries{type=\"num.query.tls\"} " val"num.query.tls"; print "unbound_hits_queries{type=\"num.query.tls.resume\"} " val"num.query.tls.resume"; print "unbound_hits_queries{type=\"num.query.ipv6\"} " val"num.query.ipv6";
_service:tar_scm:unbound-1.13.2.tar.gz/contrib/unbound.service.in -> _service:tar_scm:unbound-1.17.1.tar.gz/contrib/unbound.service.in
Changed
@@ -42,9 +42,8 @@ Unit Description=Validating, recursive, and caching DNS resolver Documentation=man:unbound(8) -After=network-online.target -Before=nss-lookup.target -Wants=network-online.target nss-lookup.target +After=network.target +Before=network-online.target nss-lookup.target Install WantedBy=multi-user.target @@ -64,7 +63,8 @@ ProtectControlGroups=true ProtectKernelLogs=true ProtectKernelModules=true -ProtectKernelTunables=true +# This breaks using socket options like 'so-rcvbuf'. Explicitly disable for visibility. +ProtectKernelTunables=false ProtectProc=invisible ProtectSystem=strict RuntimeDirectory=unbound
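Review bot: `ProtectKernelTunables=false` in the second hunk relaxes the sandbox for every installation of this unit, including those that never set `so-rcvbuf`. With the directive off, systemd no longer makes `/proc/sys` and `/sys` read-only for the service. The added comment says what breaks but not what is given up, so I would word it as `# Off because it breaks socket options such as 'so-rcvbuf'; set to true in a drop-in if you do not use them.` Which other options are affected is not visible here, so the comment should not claim a complete list.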
_service:tar_scm:unbound-1.13.2.tar.gz/contrib/unbound_munin_ -> _service:tar_scm:unbound-1.17.1.tar.gz/contrib/unbound_munin_
Changed
@@ -253,6 +253,7 @@ p_config "total.num.prefetch" "cache prefetch" "ABSOLUTE" p_config "num.query.tcp" "TCP queries" "ABSOLUTE" p_config "num.query.tcpout" "TCP out queries" "ABSOLUTE" + p_config "num.query.udpout" "UDP out queries" "ABSOLUTE" p_config "num.query.tls" "TLS queries" "ABSOLUTE" p_config "num.query.tls.resume" "TLS resumes" "ABSOLUTE" p_config "num.query.ipv6" "IPv6 queries" "ABSOLUTE" @@ -452,7 +453,7 @@ for x in `grep "^thread0-90-9*\.num\.queries=" $state | sed -e 's/=.*//'` total.num.queries \ total.num.cachehits total.num.prefetch num.query.tcp \ - num.query.tcpout num.query.tls num.query.tls.resume \ + num.query.tcpout num.query.udpout num.query.tls num.query.tls.resume \ num.query.ipv6 unwanted.queries \ unwanted.replies; do if grep "^"$x"=" $state >/dev/null 2>&1; then
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/acl_list.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/acl_list.c
Changed
@@ -46,9 +46,10 @@ #include "util/config_file.h" #include "util/net_help.h" #include "services/localzone.h" +#include "services/listen_dnsport.h" #include "sldns/str2wire.h" -struct acl_list* +struct acl_list* acl_list_create(void) { struct acl_list* acl = (struct acl_list*)calloc(1, @@ -63,10 +64,10 @@ return acl; } -void +void acl_list_delete(struct acl_list* acl) { - if(!acl) + if(!acl) return; regional_destroy(acl->region); free(acl); @@ -74,8 +75,8 @@ /** insert new address into acl_list structure */ static struct acl_addr* -acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, - socklen_t addrlen, int net, enum acl_access control, +acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, + socklen_t addrlen, int net, enum acl_access control, int complain_duplicates) { struct acl_addr* node = regional_alloc_zero(acl->region, @@ -90,6 +91,31 @@ return node; } +/** parse str to acl_access enum */ +static int +parse_acl_access(const char* str, enum acl_access* control) +{ + if(strcmp(str, "allow") == 0) + *control = acl_allow; + else if(strcmp(str, "deny") == 0) + *control = acl_deny; + else if(strcmp(str, "refuse") == 0) + *control = acl_refuse; + else if(strcmp(str, "deny_non_local") == 0) + *control = acl_deny_non_local; + else if(strcmp(str, "refuse_non_local") == 0) + *control = acl_refuse_non_local; + else if(strcmp(str, "allow_snoop") == 0) + *control = acl_allow_snoop; + else if(strcmp(str, "allow_setrd") == 0) + *control = acl_allow_setrd; + else { + log_err("access control type %s unknown", str); + return 0; + } + return 1; +} + /** apply acl_list string */ static int acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2, 
@@ -99,29 +125,14 @@ int net; socklen_t addrlen; enum acl_access control; - if(strcmp(s2, "allow") == 0) - control = acl_allow; - else if(strcmp(s2, "deny") == 0) - control = acl_deny; - else if(strcmp(s2, "refuse") == 0) - control = acl_refuse; - else if(strcmp(s2, "deny_non_local") == 0) - control = acl_deny_non_local; - else if(strcmp(s2, "refuse_non_local") == 0) - control = acl_refuse_non_local; - else if(strcmp(s2, "allow_snoop") == 0) - control = acl_allow_snoop; - else if(strcmp(s2, "allow_setrd") == 0) - control = acl_allow_setrd; - else { - log_err("access control type %s unknown", str); + if(!parse_acl_access(s2, &control)) { return 0; } if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) { log_err("cannot parse access control: %s %s", str, s2); return 0; } - if(!acl_list_insert(acl, &addr, addrlen, net, control, + if(!acl_list_insert(acl, &addr, addrlen, net, control, complain_duplicates)) { log_err("out of memory"); return 0; 
@@ -131,19 +142,27 @@ /** find or create node (NULL on parse or error) */ static struct acl_addr* -acl_find_or_create(struct acl_list* acl, const char* str) +acl_find_or_create_str2addr(struct acl_list* acl, const char* str, + int is_interface, int port) { struct acl_addr* node; struct sockaddr_storage addr; - int net; socklen_t addrlen; - if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) { - log_err("cannot parse netblock: %s", str); - return NULL; + int net = (str_is_ip6(str)?128:32); + if(is_interface) { + if(!extstrtoaddr(str, &addr, &addrlen, port)) { + log_err("cannot parse interface: %s", str); + return NULL; + } + } else { + if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) { + log_err("cannot parse netblock: %s", str); + return NULL; + } } /* find or create node */ if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr, - addrlen, net))) { + addrlen, net)) && !is_interface) { /* create node, type 'allow' since otherwise tags are * pointless, can override with specific access-control: cfg */ if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr, 
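Review bot: In `acl_find_or_create_str2addr()` the not-found case for an interface is expressed only by the `&& !is_interface` tail of the lookup condition, so it is easy to miss that an unknown interface returns NULL instead of being created. A comment before that `if` would make the contract explicit: `/* interfaces must already be in the tree; only netblocks are created on demand */`. `net` is also initialised from `str_is_ip6(str)` and then overwritten by `netblockstrtoaddr()` on the netblock path, so a short `/* host prefix length, used for interfaces only */` next to the initialiser would help. The function body continues past the end of the hunk.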
@@ -155,14 +174,65 @@ return node; } +/** find or create node (NULL on error) */ +static struct acl_addr* +acl_find_or_create(struct acl_list* acl, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access control) +{ + struct acl_addr* node; + int net = (addr_is_ip6(addr, addrlen)?128:32); + /* find or create node */ + if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, addr, + addrlen, net))) { + /* create node; + * can override with specific access-control: cfg */ + if(!(node=(struct acl_addr*)acl_list_insert(acl, addr, + addrlen, net, control, 1))) { + log_err("out of memory"); + return NULL; + } + } + return node; +} + +/** apply acl_interface string */ +static int +acl_interface_str_cfg(struct acl_list* acl_interface, const char* iface, + const char* s2, int port) +{ + struct acl_addr* node; + enum acl_access control; + if(!parse_acl_access(s2, &control)) { + return 0; + } + if(!(node=acl_find_or_create_str2addr(acl_interface, iface, 1, port))) { + log_err("cannot update ACL on non-configured interface: %s %d", + iface, port); + return 0; + } + node->control = control; + return 1; +} + +struct acl_addr* +acl_interface_insert(struct acl_list* acl_interface, + struct sockaddr_storage* addr, socklen_t addrlen, + enum acl_access control) +{ + return acl_find_or_create(acl_interface, addr, addrlen, control); +} + /** apply acl_tag string */ static int acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap, - size_t bitmaplen) + size_t bitmaplen, int is_interface, int port) { struct acl_addr* node; - if(!(node=acl_find_or_create(acl, str))) + if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { + if(is_interface) + log_err("non-configured interface: %s", str); return 0; + } node->taglen = bitmaplen; node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen); if(!node->taglist) { 
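Review bot: `acl_find_or_create()` ignores its `control` argument whenever `addr_tree_find()` already returns a node, so `acl_interface_insert()` can hand back an entry whose access level is not the one the caller asked for, and the doc comment does not say so. For an access-control list that behaviour should be written down. I would add above the function `/* control is applied only to a newly created node; an existing node keeps its current access level */`. `acl_interface_str_cfg()` in the same hunk does overwrite `node->control`, so the two paths differ and the comment should say which one is intended to win. `acl_list_tags_cfg()` continues past the end of the hunk.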
@@ -175,11 +245,14 @@ /** apply acl_view string */ static int acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2, - struct views* vs) + struct views* vs, int is_interface, int port) { struct acl_addr* node; - if(!(node=acl_find_or_create(acl, str))) + if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { + if(is_interface) + log_err("non-configured interface: %s", str); return 0; + } node->view = views_find_view(vs, str2, 0 /* get read lock*/); if(!node->view) { log_err("no view with name: %s", str2); @@ -192,13 +265,17 @@ /** apply acl_tag_action string */ static int acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg, - const char* str, const char* tag, const char* action) + const char* str, const char* tag, const char* action, + int is_interface, int port) { struct acl_addr* node; int tagid; enum localzone_type t; - if(!(node=acl_find_or_create(acl, str))) + if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { + if(is_interface) + log_err("non-configured interface: %s", str); return 0; + } /* allocate array if not yet */ if(!node->tag_actions) { node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region, @@ -281,13 +358,17 @@ /** apply acl_tag_data string */ static int acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg, - const char* str, const char* tag, const char* data) + const char* str, const char* tag, const char* data, + int is_interface, int port) { struct acl_addr* node; int tagid; char* dupdata; - if(!(node=acl_find_or_create(acl, str))) + if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) { + if(is_interface) + log_err("non-configured interface: %s", str); return 0; + } /* allocate array if not yet */ if(!node->tag_datas) { node->tag_datas = (struct config_strlist**)regional_alloc_zero( 
@@ -329,11 +410,11 @@ } /** read acl_list config */ -static int -read_acl_list(struct acl_list* acl, struct config_file* cfg) +static int +read_acl_list(struct acl_list* acl, struct config_str2list* acls) { struct config_str2list* p; - for(p = cfg->acls; p; p = p->next) { + for(p = acls; p; p = p->next) { log_assert(p->str && p->str2); if(!acl_list_str_cfg(acl, p->str, p->str2, 1)) return 0; @@ -341,16 +422,17 @@ return 1; } -/** read acl tags config */ -static int -read_acl_tags(struct acl_list* acl, struct config_file* cfg) +/** read acl view config */ +static int +read_acl_view(struct acl_list* acl, struct config_str2list** acl_view, + struct views* v) { - struct config_strbytelist* np, *p = cfg->acl_tags; - cfg->acl_tags = NULL; + struct config_str2list* np, *p = *acl_view; + *acl_view = NULL; while(p) { log_assert(p->str && p->str2); - if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) { - config_del_strbytelist(p); + if(!acl_list_view_cfg(acl, p->str, p->str2, v, 0, 0)) { + config_deldblstrlist(p); return 0; } /* free the items as we go to free up memory */ @@ -363,15 +445,16 @@ return 1; } -/** read acl view config */ -static int -read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v) +/** read acl tags config */ +static int +read_acl_tags(struct acl_list* acl, struct config_strbytelist** acl_tags) { - struct config_str2list* np, *p = cfg->acl_view; - cfg->acl_view = NULL; + struct config_strbytelist* np, *p = *acl_tags; + *acl_tags = NULL; while(p) { log_assert(p->str && p->str2); - if(!acl_list_view_cfg(acl, p->str, p->str2, v)) { + if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len, 0, 0)) { + config_del_strbytelist(p); return 0; } /* free the items as we go to free up memory */ 
@@ -385,16 +468,17 @@ } /** read acl tag actions config */ -static int -read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg) +static int +read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg, + struct config_str3list** acl_tag_actions) { struct config_str3list* p, *np; - p = cfg->acl_tag_actions; - cfg->acl_tag_actions = NULL; + p = *acl_tag_actions; + *acl_tag_actions = NULL; while(p) { log_assert(p->str && p->str2 && p->str3); if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2, - p->str3)) { + p->str3, 0, 0)) { config_deltrplstrlist(p); return 0; } @@ -410,15 +494,17 @@ } /** read acl tag datas config */ -static int -read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg) +static int +read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg, + struct config_str3list** acl_tag_datas) { struct config_str3list* p, *np; - p = cfg->acl_tag_datas; - cfg->acl_tag_datas = NULL; + p = *acl_tag_datas; + *acl_tag_datas = NULL; while(p) { log_assert(p->str && p->str2 && p->str3); - if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) { + if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3, + 0, 0)) { config_deltrplstrlist(p); return 0; } 
@@ -433,30 +519,27 @@ return 1; } -int +int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg, struct views* v) { regional_free_all(acl->region); addr_tree_init(&acl->tree); - if(!read_acl_list(acl, cfg)) + if(!read_acl_list(acl, cfg->acls)) return 0; - if(!read_acl_view(acl, cfg, v)) + if(!read_acl_view(acl, &cfg->acl_view, v)) return 0; - if(!read_acl_tags(acl, cfg)) + if(!read_acl_tags(acl, &cfg->acl_tags)) return 0; - if(!read_acl_tag_actions(acl, cfg)) + if(!read_acl_tag_actions(acl, cfg, &cfg->acl_tag_actions)) return 0; - if(!read_acl_tag_datas(acl, cfg)) + if(!read_acl_tag_datas(acl, cfg, &cfg->acl_tag_datas)) return 0; /* insert defaults, with '0' to ignore them if they are duplicates */ - if(!acl_list_str_cfg(acl, "0.0.0.0/0", "refuse", 0)) - return 0; + /* the 'refuse' defaults for /0 are now done per interface instead */ if(!acl_list_str_cfg(acl, "127.0.0.0/8", "allow", 0)) return 0; if(cfg->do_ip6) { - if(!acl_list_str_cfg(acl, "::0/0", "refuse", 0)) - return 0; if(!acl_list_str_cfg(acl, "::1", "allow", 0)) return 0; if(!acl_list_str_cfg(acl, "::ffff:127.0.0.1", "allow", 0)) 
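Review bot: With the `0.0.0.0/0` and `::0/0` refuse entries dropped from acl_list_apply_cfg, the default-deny for clients that match no access-control entry no longer lives in this tree, and the one-line comment left in their place does not say what must hold for it to stay in force. From the daemon.c part of this change it appears to rest on every listening socket receiving an `acl_refuse` node in setup_acl_for_ports, which skips list entries that have no socket. I would expand the comment to something like `/* no /0 refuse here: each listening socket carries an acl_refuse node (setup_acl_for_ports); a lookup that matches neither tree must still refuse */`. The lookup side is outside this hunk, so confirm it behaves that way.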
@@ -466,7 +549,223 @@ return 1; } -enum acl_access +int +acl_interface_compare(const void* k1, const void* k2) +{ + struct addr_tree_node* n1 = (struct addr_tree_node*)k1; + struct addr_tree_node* n2 = (struct addr_tree_node*)k2; + return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr, + n2->addrlen); + /* We don't care about comparing node->net. All addresses in the + * acl_interface tree have either 32 (ipv4) or 128 (ipv6). */ +} + +void +acl_interface_init(struct acl_list* acl_interface) +{ + regional_free_all(acl_interface->region); + /* We want comparison in the tree to include only address and port. + * We don't care about comparing node->net. All addresses in the + * acl_interface->tree should have either 32 (ipv4) or 128 (ipv6). + * Initialise with the appropriate compare function but keep treating + * it as an addr_tree. */ + addr_tree_addrport_init(&acl_interface->tree); +} + +static int +read_acl_interface_action(struct acl_list* acl_interface, + struct config_str2list* acls, int port) +{ + struct config_str2list* p; + for(p = acls; p; p = p->next) { + char** resif = NULL; + int num_resif = 0; + int i; + log_assert(p->str && p->str2); + if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) + return 0; + for(i = 0; i<num_resif; i++) { + if(!acl_interface_str_cfg(acl_interface, resifi, p->str2, port)){ + config_del_strarray(resif, num_resif); + return 0; + } + } + config_del_strarray(resif, num_resif); + } + return 1; +} + +/** read acl view config for interface */ +static int +read_acl_interface_view(struct acl_list* acl_interface, + struct config_str2list** acl_view, + struct views* v, int port) +{ + struct config_str2list* np, *p = *acl_view; + *acl_view = NULL; + while(p) { + char** resif = NULL; + int num_resif = 0; + int i; + log_assert(p->str && p->str2); + if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { + config_deldblstrlist(p); + return 0; + } + for(i = 0; i<num_resif; i++) { + 
if(!acl_list_view_cfg(acl_interface, resifi, p->str2, + v, 1, port)) { + config_del_strarray(resif, num_resif); + config_deldblstrlist(p); + return 0; + } + } + config_del_strarray(resif, num_resif); + /* free the items as we go to free up memory */ + np = p->next; + free(p->str); + free(p->str2); + free(p); + p = np; + } + return 1; +} + +/** read acl tags config for interface */ +static int +read_acl_interface_tags(struct acl_list* acl_interface, + struct config_strbytelist** acl_tags, int port) +{ + struct config_strbytelist* np, *p = *acl_tags; + *acl_tags = NULL; + while(p) { + char** resif = NULL; + int num_resif = 0; + int i; + log_assert(p->str && p->str2); + if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { + config_del_strbytelist(p); + return 0; + } + for(i = 0; i<num_resif; i++) { + if(!acl_list_tags_cfg(acl_interface, resifi, p->str2, + p->str2len, 1, port)) { + config_del_strbytelist(p); + config_del_strarray(resif, num_resif); + return 0; + } + } + config_del_strarray(resif, num_resif); + /* free the items as we go to free up memory */ + np = p->next; + free(p->str); + free(p->str2); + free(p); + p = np; + } + return 1; +} + +/** read acl tag actions config for interface*/ +static int +read_acl_interface_tag_actions(struct acl_list* acl_interface, + struct config_file* cfg, + struct config_str3list** acl_tag_actions, int port) +{ + struct config_str3list* p, *np; + p = *acl_tag_actions; + *acl_tag_actions = NULL; + while(p) { + char** resif = NULL; + int num_resif = 0; + int i; + log_assert(p->str && p->str2 && p->str3); + if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { + config_deltrplstrlist(p); + return 0; + } + for(i = 0; i<num_resif; i++) { + if(!acl_list_tag_action_cfg(acl_interface, cfg, + resifi, p->str2, p->str3, 1, port)) { + config_deltrplstrlist(p); + config_del_strarray(resif, num_resif); + return 0; + } + } + config_del_strarray(resif, num_resif); + /* free the items as we go to free up memory */ 
+ np = p->next; + free(p->str); + free(p->str2); + free(p->str3); + free(p); + p = np; + } + return 1; +} + +/** read acl tag datas config for interface */ +static int +read_acl_interface_tag_datas(struct acl_list* acl_interface, + struct config_file* cfg, + struct config_str3list** acl_tag_datas, int port) +{ + struct config_str3list* p, *np; + p = *acl_tag_datas; + *acl_tag_datas = NULL; + while(p) { + char** resif = NULL; + int num_resif = 0; + int i; + log_assert(p->str && p->str2 && p->str3); + if(!resolve_interface_names(&p->str, 1, NULL, &resif, &num_resif)) { + config_deltrplstrlist(p); + return 0; + } + for(i = 0; i<num_resif; i++) { + if(!acl_list_tag_data_cfg(acl_interface, cfg, + resifi, p->str2, p->str3, 1, port)) { + config_deltrplstrlist(p); + config_del_strarray(resif, num_resif); + return 0; + } + } + config_del_strarray(resif, num_resif); + /* free the items as we go to free up memory */ + np = p->next; + free(p->str); + free(p->str2); + free(p->str3); + free(p); + p = np; + } + return 1; +} + +int +acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg, + struct views* v) +{ + if(!read_acl_interface_action(acl_interface, cfg->interface_actions, + cfg->port)) + return 0; + if(!read_acl_interface_view(acl_interface, &cfg->interface_view, v, + cfg->port)) + return 0; + if(!read_acl_interface_tags(acl_interface, &cfg->interface_tags, + cfg->port)) + return 0; + if(!read_acl_interface_tag_actions(acl_interface, cfg, + &cfg->interface_tag_actions, cfg->port)) + return 0; + if(!read_acl_interface_tag_datas(acl_interface, cfg, + &cfg->interface_tag_datas, cfg->port)) + return 0; + addr_tree_init_parents(&acl_interface->tree); + return 1; +} + +enum acl_access acl_get_control(struct acl_addr* acl) { if(acl) return acl->control; 
@@ -481,9 +780,44 @@ addr, addrlen); } -size_t +size_t acl_list_get_mem(struct acl_list* acl) { if(!acl) return 0; return sizeof(*acl) + regional_get_mem(acl->region); } + +const char* acl_access_to_str(enum acl_access acl) +{ + switch(acl) { + case acl_deny: return "deny"; + case acl_refuse: return "refuse"; + case acl_deny_non_local: return "deny_non_local"; + case acl_refuse_non_local: return "refuse_non_local"; + case acl_allow: return "allow"; + case acl_allow_snoop: return "allow_snoop"; + case acl_allow_setrd: return "allow_setrd"; + default: break; + } + return "unknown"; +} + +void +log_acl_action(const char* action, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr) +{ + char a128, n128; + uint16_t port; + addr_to_str(addr, addrlen, a, sizeof(a)); + port = ntohs(((struct sockaddr_in*)addr)->sin_port); + if(acladdr) { + addr_to_str(&acladdr->node.addr, acladdr->node.addrlen, + n, sizeof(n)); + verbose(VERB_ALGO, "%s query from %s port %d because of " + "%s/%d %s", action, a, (int)port, n, acladdr->node.net, + acl_access_to_str(acl)); + } else { + verbose(VERB_ALGO, "%s query from %s port %d", action, a, + (int)port); + } +}
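Review bot: log_acl_action reads the client port with `ntohs(((struct sockaddr_in*)addr)->sin_port)` without checking the address family, so for an IPv6 client it relies on the port field having the same offset in both socket address structures. That holds on common platforms but is not stated anywhere in the function. Either branch on the family before the read or add a comment such as `/* the port field is at the same offset for AF_INET and AF_INET6 */`, so the port printed next to an ACL decision is not left to an unstated assumption.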
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/acl_list.h -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/acl_list.h
Changed
@@ -36,7 +36,7 @@ /** * \file * - * This file keeps track of the list of clients that are allowed to + * This file keeps track of the list of clients that are allowed to * access the server. */ @@ -74,7 +74,7 @@ struct acl_list { /** regional for allocation */ struct regional* region; - /** + /** * Tree of the addresses that are allowed/blocked. * contents of type acl_addr. */ @@ -108,7 +108,7 @@ }; /** - * Create acl structure + * Create acl structure * @return new structure or NULL on error. */ struct acl_list* acl_list_create(void); @@ -120,6 +120,20 @@ void acl_list_delete(struct acl_list* acl); /** + * Insert interface in the acl_list. This should happen when the listening + * interface is setup. + * @param acl_interface: acl_list to insert to. + * @param addr: interface IP. + * @param addrlen: length of the interface IP. + * @param control: acl_access. + * @return new structure or NULL on error. + */ +struct acl_addr* +acl_interface_insert(struct acl_list* acl_interface, + struct sockaddr_storage* addr, socklen_t addrlen, + enum acl_access control); + +/** * Process access control config. * @param acl: where to store. * @param cfg: config options. @@ -129,6 +143,25 @@ int acl_list_apply_cfg(struct acl_list* acl, struct config_file* cfg, struct views* v); +/** compare ACL interface "addr_tree" nodes (+port) */ +int acl_interface_compare(const void* k1, const void* k2); + +/** + * Initialise (also clean) the acl_interface struct. + * @param acl_interface: where to store. + */ +void acl_interface_init(struct acl_list* acl_interface); + +/** + * Process interface control config. + * @param acl_interface: where to store. + * @param cfg: config options. + * @param v: views structure + * @return 0 on error. + */ +int acl_interface_apply_cfg(struct acl_list* acl_interface, struct config_file* cfg, + struct views* v); + /** * Lookup access control status for acl structure. * @param acl: structure for acl storage. 
@@ -154,4 +187,15 @@ */ size_t acl_list_get_mem(struct acl_list* acl); +/* + * Get string for acl access specification + * @param acl: access type value + * @return string + */ +const char* acl_access_to_str(enum acl_access acl); + +/* log acl and addr for action */ +void log_acl_action(const char* action, struct sockaddr_storage* addr, + socklen_t addrlen, enum acl_access acl, struct acl_addr* acladdr); + #endif /* DAEMON_ACL_LIST_H */
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/cachedump.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/cachedump.c
Changed
@@ -47,10 +47,12 @@ #include "services/cache/rrset.h" #include "services/cache/dns.h" #include "services/cache/infra.h" +#include "services/outside_network.h" #include "util/data/msgreply.h" #include "util/regional.h" #include "util/net_help.h" #include "util/data/dname.h" +#include "util/config_file.h" #include "iterator/iterator.h" #include "iterator/iter_delegpt.h" #include "iterator/iter_utils.h" @@ -385,7 +387,7 @@ struct rrset_ref ref; uint8_t* p; - ak = alloc_special_obtain(&worker->alloc); + ak = alloc_special_obtain(worker->alloc); if(!ak) { log_warn("error out of memory"); return 0; @@ -396,7 +398,7 @@ ak->rk.dname = (uint8_t*)memdup(k->rk.dname, k->rk.dname_len); if(!ak->rk.dname) { log_warn("error out of memory"); - ub_packed_rrset_parsedelete(ak, &worker->alloc); + ub_packed_rrset_parsedelete(ak, worker->alloc); return 0; } s = sizeof(*ad) + (sizeof(size_t) + sizeof(uint8_t*) + @@ -406,7 +408,7 @@ ad = (struct packed_rrset_data*)malloc(s); if(!ad) { log_warn("error out of memory"); - ub_packed_rrset_parsedelete(ak, &worker->alloc); + ub_packed_rrset_parsedelete(ak, worker->alloc); return 0; } p = (uint8_t*)ad; @@ -429,7 +431,8 @@ ref.key = ak; ref.id = ak->id; (void)rrset_cache_update(worker->env.rrset_cache, &ref, - &worker->alloc, *worker->env.now); + worker->alloc, *worker->env.now); + return 1; } @@ -677,7 +680,8 @@ if(!go_on) return 1; /* skip this one, not all references satisfied */ - if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL, flags)) { + if(!dns_cache_store(&worker->env, &qinf, &rep, 0, 0, 0, NULL, flags, + *worker->env.now)) { log_warn("error out of memory"); return 0; } 
@@ -848,13 +852,15 @@ while(1) { dp = dns_cache_find_delegation(&worker->env, nm, nmlen, qinfo.qtype, qinfo.qclass, region, &msg, - *worker->env.now); + *worker->env.now, 0, NULL, 0); if(!dp) { return ssl_printf(ssl, "no delegation from " "cache; goes to configured roots\n"); } /* go up? */ - if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) { + if(iter_dp_is_useless(&qinfo, BIT_RD, dp, + (worker->env.cfg->do_ip4 && worker->back->num_ip4 != 0), + (worker->env.cfg->do_ip6 && worker->back->num_ip6 != 0))) { print_dp_main(ssl, dp, msg); print_dp_details(ssl, worker, dp); if(!ssl_printf(ssl, "cache delegation was "
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/daemon.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/daemon.c
Changed
@@ -96,6 +96,9 @@ #ifdef HAVE_SYSTEMD #include <systemd/sd-daemon.h> #endif +#ifdef HAVE_NETDB_H +#include <netdb.h> +#endif /** How many quit requests happened. */ static int sig_record_quit = 0; @@ -210,7 +213,6 @@ } #endif /* USE_WINSOCK */ signal_handling_record(); - checklock_start(); #ifdef HAVE_SSL # ifdef HAVE_ERR_LOAD_CRYPTO_STRINGS ERR_load_crypto_strings(); @@ -272,18 +274,29 @@ free(daemon); return NULL; } + daemon->acl_interface = acl_list_create(); + if(!daemon->acl_interface) { + acl_list_delete(daemon->acl); + edns_known_options_delete(daemon->env); + free(daemon->env); + free(daemon); + return NULL; + } daemon->tcl = tcl_list_create(); if(!daemon->tcl) { + acl_list_delete(daemon->acl_interface); acl_list_delete(daemon->acl); edns_known_options_delete(daemon->env); free(daemon->env); free(daemon); return NULL; } + listen_setup_locks(); if(gettimeofday(&daemon->time_boot, NULL) < 0) log_err("gettimeofday: %s", strerror(errno)); daemon->time_last_stat = daemon->time_boot; if((daemon->env->auth_zones = auth_zones_create()) == 0) { + acl_list_delete(daemon->acl_interface); acl_list_delete(daemon->acl); tcl_list_delete(daemon->tcl); edns_known_options_delete(daemon->env); @@ -293,6 +306,7 @@ } if(!(daemon->env->edns_strings = edns_strings_create())) { auth_zones_delete(daemon->env->auth_zones); + acl_list_delete(daemon->acl_interface); acl_list_delete(daemon->acl); tcl_list_delete(daemon->tcl); edns_known_options_delete(daemon->env); 
@@ -303,6 +317,29 @@ return daemon; } +static int setup_acl_for_ports(struct acl_list* list, + struct listen_port* port_list) +{ + struct acl_addr* acl_node; + struct addrinfo* addr; + for(; port_list; port_list=port_list->next) { + if(!port_list->socket) { + /* This is mainly for testbound where port_list is + * empty. */ + continue; + } + addr = port_list->socket->addr; + if(!(acl_node = acl_interface_insert(list, + (struct sockaddr_storage*)addr->ai_addr, + (socklen_t)addr->ai_addrlen, + acl_refuse))) { + return 0; + } + port_list->socket->acl = acl_node; + } + return 1; +} + int daemon_open_shared_ports(struct daemon* daemon) { @@ -320,6 +357,8 @@ free(daemon->ports); daemon->ports = NULL; } + /* clean acl_interface */ + acl_interface_init(daemon->acl_interface); if(!resolve_interface_names(daemon->cfg->ifs, daemon->cfg->num_ifs, NULL, &resif, &num_resif)) return 0; @@ -329,7 +368,8 @@ daemon->reuseport = 1; #endif /* try to use reuseport */ - p0 = listening_ports_open(daemon->cfg, resif, num_resif, &daemon->reuseport); + p0 = listening_ports_open(daemon->cfg, resif, num_resif, + &daemon->reuseport); if(!p0) { listening_ports_free(p0); config_del_strarray(resif, num_resif); @@ -350,6 +390,12 @@ return 0; } daemon->ports0 = p0; + if(!setup_acl_for_ports(daemon->acl_interface, + daemon->ports0)) { + listening_ports_free(p0); + config_del_strarray(resif, num_resif); + return 0; + } if(daemon->reuseport) { /* continue to use reuseport */ for(i=1; i<daemon->num_ports; i++) { @@ -365,6 +411,15 @@ config_del_strarray(resif, num_resif); return 0; } + if(!setup_acl_for_ports(daemon->acl_interface, + daemon->portsi)) { + for(i=0; i<daemon->num_ports; i++) + listening_ports_free(daemon->portsi); + free(daemon->ports); + daemon->ports = NULL; + config_del_strarray(resif, num_resif); + return 0; + } } } config_del_strarray(resif, num_resif); 
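Review bot: In daemon_open_shared_ports, the new failure branch after the first setup_acl_for_ports call frees `p0` after it has already been stored in the daemon's port array, and returns without releasing or clearing that array. The second new branch a few lines further down does `free(daemon->ports); daemon->ports = NULL;` before returning. The first branch should do the same right after `listening_ports_free(p0);`, otherwise any later cleanup that walks the array would free the same list again. Whether such a cleanup runs depends on the caller, which is outside this hunk.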
@@ -434,6 +489,27 @@ } /** + * Clear and delete per-worker alloc caches, and free memory maintained in + * superalloc. + * The rrset and message caches must be empty at the time of call. + * @param daemon: the daemon that maintains the alloc caches to be cleared. + */ +static void +daemon_clear_allocs(struct daemon* daemon) +{ + int i; + + for(i=0; i<daemon->num; i++) { + alloc_clear(daemon->worker_allocsi); + free(daemon->worker_allocsi); + } + free(daemon->worker_allocs); + daemon->worker_allocs = NULL; + + alloc_clear_special(&daemon->superalloc); +} + +/** * Allocate empty worker structures. With backptr and thread-number, * from 0..numthread initialised. Used as user arguments to new threads. * Creates the daemon random generator if it does not exist yet. @@ -485,6 +561,21 @@ /* the above is not ports/numthr, due to rounding */ fatal_exit("could not create worker"); } + /* create per-worker alloc caches if not reusing existing ones. */ + if(!daemon->worker_allocs) { + daemon->worker_allocs = (struct alloc_cache**)calloc( + (size_t)daemon->num, sizeof(struct alloc_cache*)); + if(!daemon->worker_allocs) + fatal_exit("could not allocate worker allocs"); + for(i=0; i<daemon->num; i++) { + struct alloc_cache* alloc = calloc(1, + sizeof(struct alloc_cache)); + if (!alloc) + fatal_exit("could not allocate worker alloc"); + alloc_init(alloc, &daemon->superalloc, i); + daemon->worker_allocsi = alloc; + } + } free(shufport); } @@ -604,6 +695,9 @@ if(!acl_list_apply_cfg(daemon->acl, daemon->cfg, daemon->views)) fatal_exit("Could not setup access control list"); + if(!acl_interface_apply_cfg(daemon->acl_interface, daemon->cfg, + daemon->views)) + fatal_exit("Could not setup interface control list"); if(!tcl_list_apply_cfg(daemon->tcl, daemon->cfg)) fatal_exit("Could not setup TCP connection limits"); if(daemon->cfg->dnscrypt) { 
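Review bot: daemon_clear_allocs loops up to `daemon->num`, but the new call in daemon_apply_cfg runs after daemon_cleanup has already executed `daemon->num = 0;`. On a reload that kept the caches and then takes the "cannot reuse caches" path, the loop body therefore never runs. The array is then freed and set to NULL, which leaks every per-worker alloc cache and skips alloc_clear on them. daemon_cleanup saves the previous count in `daemon->old_num` before zeroing `num`, so the loop bound should be `for(i=0; i<daemon->old_num; i++) {`. The call inside daemon_cleanup stays correct, because `old_num` is assigned there before the call.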
@@ -713,6 +807,7 @@ /* Shutdown SHM */ shm_main_shutdown(daemon); + daemon->reuse_cache = daemon->workers0->reuse_cache; daemon->need_to_exit = daemon->workers0->need_to_exit; } @@ -727,9 +822,16 @@ log_thread_set(NULL); /* clean up caches because * a) RRset IDs will be recycled after a reload, causing collisions - * b) validation config can change, thus rrset, msg, keycache clear */ - slabhash_clear(&daemon->env->rrset_cache->table); - slabhash_clear(daemon->env->msg_cache); + * b) validation config can change, thus rrset, msg, keycache clear + * + * If we are trying to keep the cache as long as possible, we should + * defer the cleanup until we know whether the new configuration allows + * the reuse. (If we're exiting, cleanup should be done here). */ + if(!daemon->reuse_cache || daemon->need_to_exit) { + slabhash_clear(&daemon->env->rrset_cache->table); + slabhash_clear(daemon->env->msg_cache); + } + daemon->old_num = daemon->num; /* save the current num */ local_zones_delete(daemon->local_zones); daemon->local_zones = NULL; respip_set_delete(daemon->respip_set); @@ -744,8 +846,13 @@ worker_delete(daemon->workersi); free(daemon->workers); daemon->workers = NULL; + /* Unless we're trying to keep the cache, worker alloc_caches should be + * cleared and freed here. We do this after deleting workers to + * guarantee that the alloc caches are valid throughout the lifetime + * of workers. */ + if(!daemon->reuse_cache || daemon->need_to_exit) + daemon_clear_allocs(daemon); daemon->num = 0; - alloc_clear_special(&daemon->superalloc); #ifdef USE_DNSTAP dt_delete(daemon->dtenv); daemon->dtenv = NULL; @@ -780,7 +887,9 @@ ub_randfree(daemon->rand); alloc_clear(&daemon->superalloc); acl_list_delete(daemon->acl); + acl_list_delete(daemon->acl_interface); tcl_list_delete(daemon->tcl); + listen_desetup_locks(); free(daemon->chroot); free(daemon->pidfile); free(daemon->env); 
@@ -794,7 +903,7 @@ ub_c_lex_destroy(); /* libcrypto cleanup */ #ifdef HAVE_SSL -# if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST) +# if defined(USE_GOST) sldns_key_EVP_unload_gost(); # endif # if HAVE_DECL_SSL_COMP_GET_COMPRESSION_METHODS && HAVE_DECL_SK_SSL_COMP_POP_FREE 
@@ -840,8 +949,42 @@ void daemon_apply_cfg(struct daemon* daemon, struct config_file* cfg) { + int new_num = cfg->num_threads?cfg->num_threads:1; + daemon->cfg = cfg; config_apply(cfg); + + /* If this is a reload and we deferred the decision on whether to + * reuse the alloc, RRset, and message caches, then check to see if + * it's safe to keep the caches: + * - changing the number of threads is obviously incompatible with + * keeping the per-thread alloc caches. It also means we have to + * clear RRset and message caches. (note that 'new_num' may be + * adjusted in daemon_create_workers, but for our purpose we can + * simply compare it with 'old_num'; if they are equal here, + * 'new_num' won't be adjusted to a different value than 'old_num'). + * - changing RRset cache size effectively clears any remaining cache + * entries. We could keep their keys in alloc caches, but it would + * be more consistent with the sense of the change to clear allocs + * and free memory. To do so we also have to clear message cache. + * - only changing message cache size does not necessarily affect + * RRset or alloc cache. But almost all new subsequent queries will + * require recursive resolution anyway, so it doesn't help much to + * just keep RRset and alloc caches. For simplicity we clear/free + * the other two, too. */ + if(daemon->worker_allocs && + (new_num != daemon->old_num || + !slabhash_is_size(daemon->env->msg_cache, cfg->msg_cache_size, + cfg->msg_cache_slabs) || + !slabhash_is_size(&daemon->env->rrset_cache->table, + cfg->rrset_cache_size, cfg->rrset_cache_slabs))) + { + log_warn("cannot reuse caches due to critical config change"); + slabhash_clear(&daemon->env->rrset_cache->table); + slabhash_clear(daemon->env->msg_cache); + daemon_clear_allocs(daemon); + } + if(!slabhash_is_size(daemon->env->msg_cache, cfg->msg_cache_size, cfg->msg_cache_slabs)) { slabhash_delete(daemon->env->msg_cache);
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/daemon.h -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/daemon.h
Changed
@@ -99,8 +99,12 @@ void* listen_sslctx, *connect_sslctx; /** num threads allocated */ int num; + /** num threads allocated in the previous config or 0 at first */ + int old_num; /** the worker entries */ struct worker** workers; + /** per-worker allocation cache */ + struct alloc_cache **worker_allocs; /** do we need to exit unbound (or is it only a reload?) */ int need_to_exit; /** master random table ; used for port div between threads on reload*/ @@ -113,6 +117,8 @@ struct module_stack mods; /** access control, which client IPs are allowed to connect */ struct acl_list* acl; + /** access control, which interfaces are allowed to connect */ + struct acl_list* acl_interface; /** TCP connection limit, limit connections from client IPs */ struct tcl_list* tcl; /** local authority zones */ @@ -138,6 +144,8 @@ /** the dnscrypt environment */ struct dnsc_env* dnscenv; #endif + /** reuse existing cache on reload if other conditions allow it. */ + int reuse_cache; }; /**
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/remote.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/remote.c
Changed
@@ -105,8 +105,6 @@ /** what to put on statistics lines between var and value, ": " or "=" */ #define SQ "=" -/** if true, inhibits a lot of =0 lines from the stats output */ -static const int inhibit_zero = 1; /** subtract timers and the values do not overflow or become negative */ static void @@ -300,6 +298,7 @@ */ if(fd != -1) { #ifdef HAVE_CHOWN + chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); if (cfg->username && cfg->username0 && cfg_uid != (uid_t)-1) { if(chown(ip, cfg_uid, cfg_gid) == -1) @@ -307,7 +306,6 @@ (unsigned)cfg_uid, (unsigned)cfg_gid, ip, strerror(errno)); } - chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)); #else (void)cfg; #endif @@ -494,8 +492,8 @@ n->c->do_not_close = 0; comm_point_stop_listening(n->c); comm_point_start_listening(n->c, -1, REMOTE_CONTROL_TCP_TIMEOUT); - memcpy(&n->c->repinfo.addr, &addr, addrlen); - n->c->repinfo.addrlen = addrlen; + memcpy(&n->c->repinfo.remote_addr, &addr, addrlen); + n->c->repinfo.remote_addrlen = addrlen; if(rc->use_cert) { n->shake_state = rc_hs_read; n->ssl = SSL_new(rc->ctx); @@ -684,8 +682,9 @@ /** do the reload command */ static void -do_reload(RES* ssl, struct worker* worker) +do_reload(RES* ssl, struct worker* worker, int reuse_cache) { + worker->reuse_cache = reuse_cache; worker->need_to_exit = 0; comm_base_exit(worker->base); send_ok(ssl); @@ -813,7 +812,7 @@ iter = mod_get_mem(&worker->env, "iterator"); respip = mod_get_mem(&worker->env, "respip"); #ifdef CLIENT_SUBNET - subnet = mod_get_mem(&worker->env, "subnet"); + subnet = mod_get_mem(&worker->env, "subnetcache"); #endif /* CLIENT_SUBNET */ #ifdef USE_IPSECMOD ipsecmod = mod_get_mem(&worker->env, "ipsecmod"); @@ -920,7 +919,7 @@ /** print extended stats */ static int -print_ext(RES* ssl, struct ub_stats_info* s) +print_ext(RES* ssl, struct ub_stats_info* s, int inhibit_zero) { int i; char nm32; 
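Review bot: The `chmod(ip, ...)` that this change moves ahead of the chown still discards its return value, so a failure leaves the socket path with whatever mode it had at creation and nothing is logged. The chown beside it reports failure with `strerror(errno)`, and chmod should be checked the same way, for example `if(chmod(ip, (mode_t)(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)) == -1)` followed by `log_err("cannot chmod control socket %s: %s", ip, strerror(errno));`. Both calls act on the path rather than on `fd`, so a comment noting that the containing directory must not be writable by other users would help whoever packages this.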
@@ -988,6 +987,8 @@ (unsigned long)s->svr.qtcp)) return 0; if(!ssl_printf(ssl, "num.query.tcpout"SQ"%lu\n", (unsigned long)s->svr.qtcp_outgoing)) return 0; + if(!ssl_printf(ssl, "num.query.udpout"SQ"%lu\n", + (unsigned long)s->svr.qudp_outgoing)) return 0; if(!ssl_printf(ssl, "num.query.tls"SQ"%lu\n", (unsigned long)s->svr.qtls)) return 0; if(!ssl_printf(ssl, "num.query.tls.resume"SQ"%lu\n", @@ -1127,7 +1128,7 @@ return; if(!print_hist(ssl, &total)) return; - if(!print_ext(ssl, &total)) + if(!print_ext(ssl, &total, daemon->cfg->stat_inhibit_zero)) return; } } @@ -1961,6 +1962,8 @@ do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_PTR, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SRV, LDNS_RR_CLASS_IN); do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_NAPTR, LDNS_RR_CLASS_IN); + do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_SVCB, LDNS_RR_CLASS_IN); + do_cache_remove(w, nm, nmlen, LDNS_RR_TYPE_HTTPS, LDNS_RR_CLASS_IN); free(nm); send_ok(ssl); @@ -2015,7 +2018,7 @@ /** parse args into delegpt */ static struct delegpt* -parse_delegpt(RES* ssl, char* args, uint8_t* nm, int allow_names) +parse_delegpt(RES* ssl, char* args, uint8_t* nm) { /* parse args and add in */ char* p = args; 
@@ -2037,40 +2040,35 @@ } /* parse address */ if(!authextstrtoaddr(todo, &addr, &addrlen, &auth_name)) { - if(allow_names) { - uint8_t* n = NULL; - size_t ln; - int lb; - if(!parse_arg_name(ssl, todo, &n, &ln, &lb)) { - (void)ssl_printf(ssl, "error cannot " - "parse IP address or name " - "'%s'\n", todo); - delegpt_free_mlc(dp); - return NULL; - } - if(!delegpt_add_ns_mlc(dp, n, 0)) { - (void)ssl_printf(ssl, "error out of memory\n"); - free(n); - delegpt_free_mlc(dp); - return NULL; - } - free(n); - - } else { + uint8_t* dname= NULL; + int port; + dname = authextstrtodname(todo, &port, &auth_name); + if(!dname) { (void)ssl_printf(ssl, "error cannot parse" - " IP address '%s'\n", todo); + " '%s'\n", todo); + delegpt_free_mlc(dp); + return NULL; + } +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", todo); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, auth_name, port)) { + (void)ssl_printf(ssl, "error out of memory\n"); + free(dname); delegpt_free_mlc(dp); return NULL; } } else { #if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) if(auth_name) - log_err("no name verification functionality in " + log_err("no name verification functionality in " "ssl library, ignored name for %s", todo); #endif /* add address */ if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { (void)ssl_printf(ssl, "error out of memory\n"); delegpt_free_mlc(dp); return NULL; @@ -2103,7 +2101,7 @@ forwards_delete_zone(fwd, LDNS_RR_CLASS_IN, root); } else { struct delegpt* dp; - if(!(dp = parse_delegpt(ssl, args, root, 0))) + if(!(dp = parse_delegpt(ssl, args, root))) return; if(!forwards_add_zone(fwd, LDNS_RR_CLASS_IN, dp)) { (void)ssl_printf(ssl, "error out of memory\n"); 
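Review bot: In the new name branch of parse_delegpt, `dname` returned by authextstrtodname is freed only when delegpt_add_ns_mlc fails; on success the branch ends without releasing it. The code this replaces called `free(n);` after a successful delegpt_add_ns_mlc, which suggests the callee copies the name, so the buffer would leak each time a forward or stub is added by name over remote control. If that is still the contract, add `free(dname);` after the failure block, just before the `} else {`. The function starts and ends outside this hunk, so the ownership of `auth_name` could not be checked from here.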
@@ -2149,7 +2147,7 @@ /* parse dp */ if(dp) { - if(!(*dp = parse_delegpt(ssl, args, *nm, 1))) { + if(!(*dp = parse_delegpt(ssl, args, *nm))) { free(*nm); return 0; } @@ -2865,6 +2863,8 @@ int all; /** current time */ time_t now; + /** if backoff is enabled */ + int backoff; }; #define ip_ratelimit_list_arg ratelimit_list_arg @@ -2878,7 +2878,7 @@ struct rate_data* d = (struct rate_data*)e->data; char buf257; int lim = infra_find_ratelimit(a->infra, k->name, k->namelen); - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2896,7 +2896,7 @@ struct ip_rate_key* k = (struct ip_rate_key*)e->key; struct ip_rate_data* d = (struct ip_rate_data*)e->data; int lim = infra_ip_ratelimit; - int max = infra_rate_max(d, a->now); + int max = infra_rate_max(d, a->now, a->backoff); if(a->all == 0) { if(max < lim) return; @@ -2914,6 +2914,7 @@ a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; @@ -2932,6 +2933,7 @@ a.infra = worker->env.infra_cache; a.now = *worker->env.now; a.ssl = ssl; + a.backoff = worker->env.cfg->ip_ratelimit_backoff; arg = skipwhite(arg); if(strcmp(arg, "+a") == 0) a.all = 1; @@ -3028,8 +3030,11 @@ if(cmdcmp(p, "stop", 4)) { do_stop(ssl, worker); return; + } else if(cmdcmp(p, "reload_keep_cache", 17)) { + do_reload(ssl, worker, 1); + return; } else if(cmdcmp(p, "reload", 6)) { - do_reload(ssl, worker); + do_reload(ssl, worker, 0); return; } else if(cmdcmp(p, "stats_noreset", 13)) { do_stats(ssl, worker, 0); @@ -3303,7 +3308,7 @@ if(r == 0) log_err("remote control connection closed prematurely"); log_addr(VERB_OPS, "failed connection from", - &s->c->repinfo.addr, s->c->repinfo.addrlen); + &s->c->repinfo.remote_addr, s->c->repinfo.remote_addrlen); log_crypto_err("remote control failed ssl"); clean_point(rc, s); }
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/stats.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/stats.c
Changed
@@ -70,6 +70,9 @@ #include <openssl/ssl.h> #endif +/** How long to wait for threads to transmit statistics, in msec. */ +#define STATS_THREAD_WAIT 60000 + /** add timers and the values do not overflow or become negative */ static void stats_timeval_add(long long* d_sec, long long* d_usec, long long add_sec, long long add_usec) @@ -137,7 +140,7 @@ set_subnet_stats(struct worker* worker, struct ub_server_stats* svr, int reset) { - int m = modstack_find(&worker->env.mesh->mods, "subnet"); + int m = modstack_find(&worker->env.mesh->mods, "subnetcache"); struct subnet_env* sne; if(m == -1) return; @@ -281,6 +284,7 @@ /* values from outside network */ s->svr.unwanted_replies = (long long)worker->back->unwanted_replies; s->svr.qtcp_outgoing = (long long)worker->back->num_tcp_outgoing; + s->svr.qudp_outgoing = (long long)worker->back->num_udp_outgoing; /* get and reset validator rrset bogus number */ s->svr.rrset_bogus = (long long)get_rrset_bogus(worker, reset); @@ -379,6 +383,28 @@ worker_send_cmd(who, worker_cmd_stats); else worker_send_cmd(who, worker_cmd_stats_noreset); verbose(VERB_ALGO, "wait for stats reply"); + if(tube_wait_timeout(worker->cmd, STATS_THREAD_WAIT) == 0) { + verbose(VERB_OPS, "no response from thread %d" +#ifdef HAVE_GETTID + " LWP %u" +#endif +#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG) +# if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG + " pthread 0x%lx" +# endif +#endif + , + who->thread_num +#ifdef HAVE_GETTID + , (unsigned)who->thread_tid +#endif +#if defined(HAVE_PTHREAD) && defined(SIZEOF_PTHREAD_T) && defined(SIZEOF_UNSIGNED_LONG) +# if SIZEOF_PTHREAD_T == SIZEOF_UNSIGNED_LONG + , (unsigned long)*((unsigned long*)&who->thr_id) +# endif +#endif + ); + } if(!tube_read_msg(worker->cmd, &reply, &len, 0)) fatal_exit("failed to read stats over cmd channel"); if(len != (uint32_t)sizeof(*s)) 
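Review bot: The new tube_wait_timeout check only logs; execution then falls through to the existing `tube_read_msg(worker->cmd, &reply, &len, 0)`, which looks like a blocking read, so an unresponsive worker would still stall the control thread once the 60 seconds have passed. If that is intended, say so next to STATS_THREAD_WAIT, for example `/* diagnostic only: the read below still waits for the reply */`. Separately, `*((unsigned long*)&who->thr_id)` reads a pthread_t through an incompatible pointer type. Copying it into an `unsigned long` with memcpy gives the same log value without the aliasing cast.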
@@ -424,6 +450,7 @@ total->svr.qclass_big += a->svr.qclass_big; total->svr.qtcp += a->svr.qtcp; total->svr.qtcp_outgoing += a->svr.qtcp_outgoing; + total->svr.qudp_outgoing += a->svr.qudp_outgoing; total->svr.qtls += a->svr.qtls; total->svr.qtls_resume += a->svr.qtls_resume; total->svr.qhttps += a->svr.qhttps; @@ -494,7 +521,7 @@ stats->qhttps++; } } - if(repinfo && addr_is_ip6(&repinfo->addr, repinfo->addrlen)) + if(repinfo && addr_is_ip6(&repinfo->remote_addr, repinfo->remote_addrlen)) stats->qipv6++; if( (flags&BIT_QR) ) stats->qbit_QR++;
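Review bot: In the hunk at -494, `qipv6` is now counted from `repinfo->remote_addr`, while the request logging changed in daemon/worker.c further down reports `repinfo->client_addr`. For a proxied query the two can presumably differ, so the IPv6 counter and the query log may describe different hosts. A one-line comment would make the choice explicit, for example `/* counts the transport peer (remote_addr), not the proxied client */`. The enclosing function starts and ends outside the hunk.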
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/unbound.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/unbound.c
Changed
@@ -781,6 +781,7 @@ int cmdline_cfg = 0; #endif + checklock_start(); log_init(NULL, 0, NULL); log_ident_default = strrchr(argv0,'/')?strrchr(argv0,'/')+1:argv0; log_ident_set_default(log_ident_default);
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/worker.c -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/worker.c
Changed
@@ -98,7 +98,7 @@ /** ratelimit for error responses */ #define ERROR_RATELIMIT 100 /* qps */ -/** +/** * seconds to add to prefetch leeway. This is a TTL that expires old rrsets * earlier than they should in order to put the new update into the cache. * This additional value is to make sure that if not all TTLs are equal in @@ -133,7 +133,7 @@ rrset = slabhash_get_mem(&worker->env.rrset_cache->table); infra = infra_get_mem(worker->env.infra_cache); mesh = mesh_get_mem(worker->env.mesh); - ac = alloc_get_mem(&worker->alloc); + ac = alloc_get_mem(worker->alloc); superac = alloc_get_mem(&worker->daemon->superalloc); anch = anchors_get_mem(worker->env.anchors); iter = 0; @@ -146,7 +146,7 @@ (&worker->env, i); #ifdef CLIENT_SUBNET else if(strcmp(worker->env.mesh->mods.modi->name, - "subnet")==0) + "subnetcache")==0) subnet += (*worker->env.mesh->mods.modi->get_mem) (&worker->env, i); #endif /* CLIENT_SUBNET */ @@ -205,7 +205,7 @@ (&worker->env, i); #ifdef CLIENT_SUBNET else if(strcmp(worker->env.mesh->mods.modi->name, - "subnet")==0) + "subnetcache")==0) subnet += (*worker->env.mesh->mods.modi->get_mem) (&worker->env, i); #endif /* CLIENT_SUBNET */ @@ -449,7 +449,6 @@ * Then check if it needs validation, if so, this routine fails, * so that iterator can prime and validator can verify rrsets. */ - struct edns_data edns_bak; uint16_t udpsize = edns->udp_size; int secure = 0; time_t timenow = *worker->env.now; @@ -460,7 +459,7 @@ dp = dns_cache_find_delegation(&worker->env, qinfo->qname, qinfo->qname_len, qinfo->qtype, qinfo->qclass, - worker->scratchpad, &msg, timenow); + worker->scratchpad, &msg, timenow, 0, NULL, 0); if(!dp) { /* no delegation, need to reprime */ return 0; } 
@@ -485,6 +484,12 @@ msg->rep, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad, worker->env.now_tv)) return 0; + /* TODO store the reason for the bogus reply in cache + * and implement in here instead of the hardcoded EDE */ + if (worker->env.cfg->ede) { + EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out, + worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, ""); + } error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, &msg->qinfo, id, flags, edns); if(worker->stats.extended) { @@ -508,7 +513,6 @@ } } /* return this delegation from the cache */ - edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; edns->ext_rcode = 0; @@ -518,15 +522,13 @@ worker->env.now_tv)) return 0; msg->rep->flags |= BIT_QR|BIT_RA; - if(!apply_edns_options(edns, &edns_bak, worker->env.cfg, - repinfo->c, worker->scratchpad) || - !reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags, + if(!reply_info_answer_encode(&msg->qinfo, msg->rep, id, flags, repinfo->c->buffer, 0, 1, worker->scratchpad, udpsize, edns, (int)(edns->bits & EDNS_DO), secure)) { if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad, worker->env.now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, &msg->qinfo, id, flags, edns); } @@ -545,7 +547,8 @@ static int apply_respip_action(struct worker* worker, const struct query_info* qinfo, struct respip_client_info* cinfo, struct reply_info* rep, - struct comm_reply* repinfo, struct ub_packed_rrset_key** alias_rrset, + struct sockaddr_storage* addr, socklen_t addrlen, + struct ub_packed_rrset_key** alias_rrset, struct reply_info** encode_repp, struct auth_zones* az) { struct respip_action_info actinfo = {0, 0, 0, 0, NULL, 0, NULL}; 
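Review bot: The `if (worker->env.cfg->ede)` block added in the hunk at -485 is repeated verbatim, TODO included, in the hunk at -659, so the hardcoded `LDNS_EDE_DNSSEC_BOGUS` has to be replaced in two places once the reason for the bogus reply is stored in the cache. A small static helper called from both sites keeps them in step, and lets the condition follow the file's `if(` spacing. Both enclosing functions start outside their hunks, so the helper is shown on its own together with the call that replaces each block.

```c
/** append the hardcoded DNSSEC bogus EDE to the reply when ede is enabled */
static void
append_bogus_ede(struct worker* worker, struct edns_data* edns)
{
	/* TODO store the reason for the bogus reply in cache
	 * and implement in here instead of the hardcoded EDE */
	if(worker->env.cfg->ede) {
		EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out,
			worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, "");
	}
}

/* … unchanged: inplace_cb_reply_servfail_call check … */
	append_bogus_ede(worker, edns);
	error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL,
		&msg->qinfo, id, flags, edns);
```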
@@ -557,7 +560,7 @@ return 1; if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, &actinfo, - alias_rrset, 0, worker->scratchpad, az)) + alias_rrset, 0, worker->scratchpad, az, NULL)) return 0; /* xxx_deny actions mean dropping the reply, unless the original reply @@ -572,7 +575,7 @@ if(actinfo.addrinfo) { respip_inform_print(&actinfo, qinfo->qname, qinfo->qtype, qinfo->qclass, qinfo->local_alias, - repinfo); + addr, addrlen); if(worker->stats.extended && actinfo.rpz_used) { if(actinfo.rpz_disabled) @@ -604,7 +607,6 @@ struct reply_info* rep, uint16_t id, uint16_t flags, struct comm_reply* repinfo, struct edns_data* edns) { - struct edns_data edns_bak; time_t timenow = *worker->env.now; uint16_t udpsize = edns->udp_size; struct reply_info* encode_rep = rep; @@ -621,6 +623,14 @@ if(worker->env.cfg->serve_expired_ttl && rep->serve_expired_ttl < timenow) return 0; + /* Ignore expired failure answers */ + if(FLAGS_GET_RCODE(rep->flags) != + LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(rep->flags) != + LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(rep->flags) != + LDNS_RCODE_YXDOMAIN) + return 0; if(!rrset_array_lock(rep->ref, rep->rrset_count, 0)) return 0; *is_expired_answer = 1; @@ -659,6 +669,12 @@ LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad, worker->env.now_tv)) goto bail_out; + /* TODO store the reason for the bogus reply in cache + * and implement in here instead of the hardcoded EDE */ + if (worker->env.cfg->ede) { + EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out, + worker->scratchpad, LDNS_EDE_DNSSEC_BOGUS, ""); + } error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, qinfo, id, flags, edns); rrset_array_unlock_touch(worker->env.rrset_cache, @@ -685,7 +701,6 @@ } } else *is_secure_answer = 0; - edns_bak = *edns; edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; edns->ext_rcode = 0; 
@@ -697,7 +712,7 @@ *alias_rrset = NULL; /* avoid confusion if caller set it to non-NULL */ if((worker->daemon->use_response_ip || worker->daemon->use_rpz) && !partial_rep && !apply_respip_action(worker, qinfo, cinfo, rep, - repinfo, alias_rrset, + &repinfo->client_addr, repinfo->client_addrlen, alias_rrset, &encode_rep, worker->env.auth_zones)) { goto bail_out; } else if(partial_rep && @@ -722,17 +737,23 @@ if(!*partial_repp) goto bail_out; } - } else if(!apply_edns_options(edns, &edns_bak, worker->env.cfg, - repinfo->c, worker->scratchpad) || - !reply_info_answer_encode(qinfo, encode_rep, id, flags, - repinfo->c->buffer, timenow, 1, worker->scratchpad, - udpsize, edns, (int)(edns->bits & EDNS_DO), *is_secure_answer)) { - if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, NULL, NULL, - LDNS_RCODE_SERVFAIL, edns, repinfo, worker->scratchpad, - worker->env.now_tv)) - edns->opt_list = NULL; - error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, - qinfo, id, flags, edns); + } else { + if (*is_expired_answer == 1 && + worker->env.cfg->ede_serve_expired && worker->env.cfg->ede) { + EDNS_OPT_LIST_APPEND_EDE(&edns->opt_list_out, + worker->scratchpad, LDNS_EDE_STALE_ANSWER, ""); + } + if(!reply_info_answer_encode(qinfo, encode_rep, id, flags, + repinfo->c->buffer, timenow, 1, worker->scratchpad, + udpsize, edns, (int)(edns->bits & EDNS_DO), + *is_secure_answer)) { + if(!inplace_cb_reply_servfail_call(&worker->env, qinfo, + NULL, NULL, LDNS_RCODE_SERVFAIL, edns, repinfo, + worker->scratchpad, worker->env.now_tv)) + edns->opt_list_inplace_cb_out = NULL; + error_encode(repinfo->c->buffer, LDNS_RCODE_SERVFAIL, + qinfo, id, flags, edns); + } } /* cannot send the reply right now, because blocking network syscall * is bad while holding locks. */ 
@@ -749,10 +770,12 @@ /** Reply to client and perform prefetch to keep cache up to date. */ static void -reply_and_prefetch(struct worker* worker, struct query_info* qinfo, - uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply) +reply_and_prefetch(struct worker* worker, struct query_info* qinfo, + uint16_t flags, struct comm_reply* repinfo, time_t leeway, int noreply, + int rpz_passthru, struct edns_option* opt_list) { - /* first send answer to client to keep its latency + (void)opt_list; + /* first send answer to client to keep its latency * as small as a cachereply */ if(!noreply) { if(repinfo->c->tcp_req_info) { @@ -763,13 +786,23 @@ comm_point_send_reply(repinfo); } server_stats_prefetch(&worker->stats, worker); - +#ifdef CLIENT_SUBNET + /* Check if the subnet module is enabled. In that case pass over the + * comm_reply information for ECS generation later. The mesh states are + * unique when subnet is enabled. */ + if(modstack_find(&worker->env.mesh->mods, "subnetcache") != -1 + && worker->env.unique_mesh) { + mesh_new_prefetch(worker->env.mesh, qinfo, flags, leeway + + PREFETCH_EXPIRY_ADD, rpz_passthru, repinfo, opt_list); + return; + } +#endif /* create the prefetch in the mesh as a normal lookup without * client addrs waiting, which has the cache blacklisted (to bypass * the cache and go to the network for the data). */ /* this (potentially) runs the mesh for the new query */ - mesh_new_prefetch(worker->env.mesh, qinfo, flags, leeway + - PREFETCH_EXPIRY_ADD); + mesh_new_prefetch(worker->env.mesh, qinfo, flags, leeway + + PREFETCH_EXPIRY_ADD, rpz_passthru, NULL, NULL); } /** 
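Review bot: The doc comment above `reply_and_prefetch` in the hunk at -749 still reads only "Reply to client and perform prefetch to keep cache up to date." and does not describe the two new parameters. I would add `@param rpz_passthru` and `@param opt_list` lines stating that `rpz_passthru` is forwarded to `mesh_new_prefetch` in both calls, while `opt_list` and `repinfo` are forwarded only in the `CLIENT_SUBNET` branch of the -763 hunk (the other call passes `NULL, NULL`). The `(void)opt_list;` line also deserves `/* unused without CLIENT_SUBNET */`, because with the define the parameter is used.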
@@ -789,6 +822,14 @@ int i; unsigned int rd = LDNS_RD_WIRE(sldns_buffer_begin(pkt)); unsigned int cd = LDNS_CD_WIRE(sldns_buffer_begin(pkt)); + size_t udpsize = edns->udp_size; + edns->edns_version = EDNS_ADVERTISED_VERSION; + edns->udp_size = EDNS_ADVERTISED_SIZE; + edns->bits &= EDNS_DO; + if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL, + LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad, + worker->env.now_tv)) + edns->opt_list_inplace_cb_out = NULL; sldns_buffer_clear(pkt); sldns_buffer_skip(pkt, (ssize_t)sizeof(uint16_t)); /* skip id */ sldns_buffer_write_u16(pkt, (uint16_t)(BIT_QR|BIT_RA)); @@ -804,6 +845,12 @@ for(i=0; i<num; i++) { size_t len = strlen(stri); if(len>255) len=255; /* cap size of TXT record */ + if(sldns_buffer_position(pkt)+2+2+2+4+2+1+len+ + calc_edns_field_size(edns) > udpsize) { + sldns_buffer_write_u16_at(pkt, 6, i); /* ANCOUNT */ + LDNS_TC_SET(sldns_buffer_begin(pkt)); + break; + } sldns_buffer_write_u16(pkt, 0xc00c); /* compr ptr to query */ sldns_buffer_write_u16(pkt, LDNS_RR_TYPE_TXT); sldns_buffer_write_u16(pkt, LDNS_RR_CLASS_CH); @@ -813,13 +860,6 @@ sldns_buffer_write(pkt, stri, len); } sldns_buffer_flip(pkt); - edns->edns_version = EDNS_ADVERTISED_VERSION; - edns->udp_size = EDNS_ADVERTISED_SIZE; - edns->bits &= EDNS_DO; - if(!inplace_cb_reply_local_call(&worker->env, NULL, NULL, NULL, - LDNS_RCODE_NOERROR, edns, repinfo, worker->scratchpad, - worker->env.now_tv)) - edns->opt_list = NULL; if(sldns_buffer_capacity(pkt) >= sldns_buffer_limit(pkt)+calc_edns_field_size(edns)) attach_edns_record(pkt, edns); 
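Review bot: The size check added in the hunk at -804 sums `2+2+2+4+2+1+len` without naming the fields, so a reader cannot confirm it against the writes that follow, several of which lie outside the hunk. A comment such as `/* compr ptr(2) type(2) class(2) ttl(4) rdlength(2) txt length byte(1) + text */` would fix that; the last three names are inferred from the usual TXT record layout and should be checked against the unseen writes. It is also worth a comment at `size_t udpsize = edns->udp_size;` in the -789 hunk that the caller's value is saved there because `edns->udp_size` is overwritten with `EDNS_ADVERTISED_SIZE` two lines later.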
@@ -958,12 +998,14 @@ * @param w: worker * @param qinfo: query info. Pointer into packet buffer. * @param edns: edns info from query. - * @param repinfo: reply info with source address. + * @param addr: client address. + * @param addrlen: client address length. * @param pkt: packet buffer. */ static void -answer_notify(struct worker* w, struct query_info* qinfo, - struct edns_data* edns, sldns_buffer* pkt, struct comm_reply* repinfo) +answer_notify(struct worker* w, struct query_info* qinfo, + struct edns_data* edns, sldns_buffer* pkt, + struct sockaddr_storage* addr, socklen_t addrlen) { int refused = 0; int rcode = LDNS_RCODE_NOERROR; @@ -972,8 +1014,8 @@ if(!w->env.auth_zones) return; has_serial = auth_zone_parse_notify_serial(pkt, &serial); if(auth_zones_notify(w->env.auth_zones, &w->env, qinfo->qname, - qinfo->qname_len, qinfo->qclass, &repinfo->addr, - repinfo->addrlen, has_serial, serial, &refused)) { + qinfo->qname_len, qinfo->qclass, addr, + addrlen, has_serial, serial, &refused)) { rcode = LDNS_RCODE_NOERROR; } else { if(refused) @@ -998,13 +1040,12 @@ "servfail for NOTIFY %sfor %s from", sr, zname); else snprintf(buf, sizeof(buf), "received NOTIFY %sfor %s from", sr, zname); - log_addr(VERB_DETAIL, buf, &repinfo->addr, repinfo->addrlen); + log_addr(VERB_DETAIL, buf, addr, addrlen); } edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; edns->ext_rcode = 0; edns->bits &= EDNS_DO; - edns->opt_list = NULL; error_encode(pkt, rcode, qinfo, *(uint16_t*)(void *)sldns_buffer_begin(pkt), sldns_buffer_read_u16_at(pkt, 2), edns); 
@@ -1014,52 +1055,214 @@ static int deny_refuse(struct comm_point* c, enum acl_access acl, enum acl_access deny, enum acl_access refuse, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr, int ede) { if(acl == deny) { + if(verbosity >= VERB_ALGO) { + log_acl_action("dropped", &repinfo->client_addr, + repinfo->client_addrlen, acl, acladdr); + log_buf(VERB_ALGO, "dropped", c->buffer); + } comm_point_drop_reply(repinfo); if(worker->stats.extended) worker->stats.unwanted_queries++; return 0; } else if(acl == refuse) { - log_addr(VERB_ALGO, "refused query from", - &repinfo->addr, repinfo->addrlen); - log_buf(VERB_ALGO, "refuse", c->buffer); + size_t opt_rr_mark; + + if(verbosity >= VERB_ALGO) { + log_acl_action("refused", &repinfo->client_addr, + repinfo->client_addrlen, acl, acladdr); + log_buf(VERB_ALGO, "refuse", c->buffer); + } + if(worker->stats.extended) worker->stats.unwanted_queries++; if(worker_check_request(c->buffer, worker) == -1) { comm_point_drop_reply(repinfo); return 0; /* discard this */ } - sldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE); - sldns_buffer_write_at(c->buffer, 4, - (uint8_t*)"\0\0\0\0\0\0\0\0", 8); + /* worker_check_request() above guarantees that the buffer contains at + * least a header and that qdcount == 1 + */ + log_assert(sldns_buffer_limit(c->buffer) >= LDNS_HEADER_SIZE + && LDNS_QDCOUNT(sldns_buffer_begin(c->buffer)) == 1); + + sldns_buffer_skip(c->buffer, LDNS_HEADER_SIZE); /* skip header */ + + /* check additional section is present and that we respond with EDEs */ + if(LDNS_ARCOUNT(sldns_buffer_begin(c->buffer)) != 1 + || !ede) { + LDNS_QDCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_QR_SET(sldns_buffer_begin(c->buffer)); + LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), + 
LDNS_RCODE_REFUSED); + sldns_buffer_flip(c->buffer); + return 1; + } + + if (!query_dname_len(c->buffer)) { + LDNS_QDCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_QR_SET(sldns_buffer_begin(c->buffer)); + LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), + LDNS_RCODE_FORMERR); + sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE); + sldns_buffer_flip(c->buffer); + return 1; + } + /* space available for query type and class? */ + if (sldns_buffer_remaining(c->buffer) < 2 * sizeof(uint16_t)) { + LDNS_QR_SET(sldns_buffer_begin(c->buffer)); + LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), + LDNS_RCODE_FORMERR); + LDNS_QDCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE); + sldns_buffer_flip(c->buffer); + return 1; + } LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), LDNS_RCODE_REFUSED); - sldns_buffer_set_position(c->buffer, LDNS_HEADER_SIZE); + + sldns_buffer_skip(c->buffer, (ssize_t)sizeof(uint16_t)); /* skip qtype */ + + sldns_buffer_skip(c->buffer, (ssize_t)sizeof(uint16_t)); /* skip qclass */ + + /* The OPT RR to be returned should come directly after + * the query, so mark this spot. 
+ */ + opt_rr_mark = sldns_buffer_position(c->buffer); + + /* Skip through the RR records */ + if(LDNS_ANCOUNT(sldns_buffer_begin(c->buffer)) != 0 || + LDNS_NSCOUNT(sldns_buffer_begin(c->buffer)) != 0) { + if(!skip_pkt_rrs(c->buffer, + ((int)LDNS_ANCOUNT(sldns_buffer_begin(c->buffer)))+ + ((int)LDNS_NSCOUNT(sldns_buffer_begin(c->buffer))))) { + LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), + LDNS_RCODE_FORMERR); + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + sldns_buffer_set_position(c->buffer, opt_rr_mark); + sldns_buffer_flip(c->buffer); + return 1; + } + } + /* Do we have a valid OPT RR here? If not return REFUSED (could be a valid TSIG or something so no FORMERR) */ + /* domain name must be the root of length 1. */ + if(sldns_buffer_remaining(c->buffer) < 1 || *sldns_buffer_current(c->buffer) != 0) { + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + sldns_buffer_set_position(c->buffer, opt_rr_mark); + sldns_buffer_flip(c->buffer); + return 1; + } else { + sldns_buffer_skip(c->buffer, 1); /* skip root label */ + } + if(sldns_buffer_remaining(c->buffer) < 2 || + sldns_buffer_read_u16(c->buffer) != LDNS_RR_TYPE_OPT) { + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + sldns_buffer_set_position(c->buffer, opt_rr_mark); + sldns_buffer_flip(c->buffer); + return 1; + } + /* Write OPT RR directly after the query, + * so without the (possibly skipped) Answer and NS RRs + */ + LDNS_ANCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + LDNS_NSCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + sldns_buffer_clear(c->buffer); /* reset write limit */ + sldns_buffer_set_position(c->buffer, opt_rr_mark); + + /* Check if OPT record can be written + * 
17 == root label (1) + RR type (2) + UDP Size (2) + * + Fields (4) + rdata len (2) + EDE Option code (2) + * + EDE Option length (2) + EDE info-code (2) + */ + if (sldns_buffer_available(c->buffer, 17) == 0) { + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 0); + sldns_buffer_flip(c->buffer); + return 1; + } + + LDNS_ARCOUNT_SET(sldns_buffer_begin(c->buffer), 1); + + /* root label */ + sldns_buffer_write_u8(c->buffer, 0); + sldns_buffer_write_u16(c->buffer, LDNS_RR_TYPE_OPT); + sldns_buffer_write_u16(c->buffer, EDNS_ADVERTISED_SIZE); + + /* write OPT Record TTL Field */ + sldns_buffer_write_u32(c->buffer, 0); + + /* write rdata len: EDE option + length + info-code */ + sldns_buffer_write_u16(c->buffer, 6); + + /* write OPTIONS; add EDE option code */ + sldns_buffer_write_u16(c->buffer, LDNS_EDNS_EDE); + + /* write single EDE option length (for just 1 info-code) */ + sldns_buffer_write_u16(c->buffer, 2); + + /* write single EDE info-code */ + sldns_buffer_write_u16(c->buffer, LDNS_EDE_PROHIBITED); + sldns_buffer_flip(c->buffer); + + verbose(VERB_ALGO, "attached EDE code: %d", LDNS_EDE_PROHIBITED); + return 1; + } return -1; } static int -deny_refuse_all(struct comm_point* c, enum acl_access acl, - struct worker* worker, struct comm_reply* repinfo) +deny_refuse_all(struct comm_point* c, enum acl_access* acl, + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr** acladdr, int ede, int check_proxy) { - return deny_refuse(c, acl, acl_deny, acl_refuse, worker, repinfo); + if(check_proxy) { + *acladdr = acl_addr_lookup(worker->daemon->acl, + &repinfo->remote_addr, repinfo->remote_addrlen); + } else { + *acladdr = acl_addr_lookup(worker->daemon->acl, + &repinfo->client_addr, repinfo->client_addrlen); + } + /* If there is no ACL based on client IP use the interface ACL. 
*/ + if(!(*acladdr) && c->socket) { + *acladdr = c->socket->acl; + } + *acl = acl_get_control(*acladdr); + return deny_refuse(c, *acl, acl_deny, acl_refuse, worker, repinfo, + *acladdr, ede); } static int deny_refuse_non_local(struct comm_point* c, enum acl_access acl, - struct worker* worker, struct comm_reply* repinfo) + struct worker* worker, struct comm_reply* repinfo, + struct acl_addr* acladdr, int ede) { - return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, worker, repinfo); + return deny_refuse(c, acl, acl_deny_non_local, acl_refuse_non_local, + worker, repinfo, acladdr, ede); } -int +int worker_handle_request(struct comm_point* c, void* arg, int error, struct comm_reply* repinfo) { @@ -1069,12 +1272,14 @@ struct lruhash_entry* e; struct query_info qinfo; struct edns_data edns; + struct edns_option* original_edns_list = NULL; enum acl_access acl; struct acl_addr* acladdr; int rc = 0; int need_drop = 0; int is_expired_answer = 0; int is_secure_answer = 0; + int rpz_passthru = 0; /* We might have to chase a CNAME chain internally, in which case * we'll have up to two replies and combine them to build a complete * answer. These variables control this case. */ @@ -1102,16 +1307,16 @@ if(worker_check_request(c->buffer, worker) != 0) { verbose(VERB_ALGO, "dnscrypt: worker check request: bad query."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, - repinfo->addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->client_addr, + repinfo->client_addrlen); comm_point_drop_reply(repinfo); return 0; } if(!query_info_parse(&qinfo, c->buffer)) { verbose(VERB_ALGO, "dnscrypt: worker parse request: formerror."); - log_addr(VERB_CLIENT, "from", &repinfo->addr, - repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); comm_point_drop_reply(repinfo); return 0; } 
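Review bot: In `deny_refuse` (hunk at -1014), both `log_acl_action` calls print `repinfo->client_addr`, but when `check_proxy` is set `deny_refuse_all` looks the ACL up by `repinfo->remote_addr` before calling it. A drop or refusal decided on the proxy's address would then be logged against the client address, which makes the log line hard to match to the ACL entry that fired. Logging the peer as well in that case would fix it, for example `if(repinfo->is_proxied) log_addr(VERB_ALGO, "connection from", &repinfo->remote_addr, repinfo->remote_addrlen);` inside the existing `verbosity >= VERB_ALGO` blocks. What `log_acl_action` prints for `acladdr` is not visible here, so confirm it does not already cover this.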
@@ -1139,23 +1344,30 @@ * sending src (client)/dst (local service) addresses over DNSTAP from incoming request handler */ if(worker->dtenv.log_client_query_messages) { - log_addr(VERB_ALGO, "request from client", &repinfo->addr, repinfo->addrlen); + log_addr(VERB_ALGO, "request from client", &repinfo->client_addr, repinfo->client_addrlen); log_addr(VERB_ALGO, "to local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - dt_msg_send_client_query(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); + dt_msg_send_client_query(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); } #endif - acladdr = acl_addr_lookup(worker->daemon->acl, &repinfo->addr, - repinfo->addrlen); - acl = acl_get_control(acladdr); - if((ret=deny_refuse_all(c, acl, worker, repinfo)) != -1) - { + /* Check deny/refuse ACLs */ + if(repinfo->is_proxied) { + if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr, + worker->env.cfg->ede, 1)) != -1) { + if(ret == 1) + goto send_reply; + return ret; + } + } + if((ret=deny_refuse_all(c, &acl, worker, repinfo, &acladdr, + worker->env.cfg->ede, 0)) != -1) { if(ret == 1) goto send_reply; return ret; } + if((ret=worker_check_request(c->buffer, worker)) != 0) { verbose(VERB_ALGO, "worker check request: bad query."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT,"from",&repinfo->client_addr, repinfo->client_addrlen); if(ret != -1) { LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), ret); 
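Review bot: The two `deny_refuse_all` calls in the hunk at -1139 share the `acl` and `acladdr` out-parameters, and only the comment `/* Check deny/refuse ACLs */` introduces them. For a proxied query the second call overwrites what the first stored, so the values used afterwards (the `acladdr->taglist` argument in the -1355 hunk and `deny_refuse_non_local` in the -1383 hunk) come from the `client_addr` lookup or the interface ACL fallback. I would say so in the comment: `/* proxied: check the proxy (remote_addr) first, then the client; acl and acladdr keep the client result */`. The enclosing `worker_handle_request` starts and ends outside the hunk.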
@@ -1167,19 +1379,24 @@ worker->stats.num_queries++; - /* check if this query should be dropped based on source ip rate limiting */ - if(!infra_ip_ratelimit_inc(worker->env.infra_cache, repinfo, - *worker->env.now, c->buffer)) { + /* check if this query should be dropped based on source ip rate limiting + * NOTE: we always check the repinfo->client_address. IP ratelimiting is + * implicitly disabled for proxies. */ + if(!infra_ip_ratelimit_inc(worker->env.infra_cache, + &repinfo->client_addr, repinfo->client_addrlen, + *worker->env.now, + worker->env.cfg->ip_ratelimit_backoff, c->buffer)) { /* See if we are passed through with slip factor */ if(worker->env.cfg->ip_ratelimit_factor != 0 && ub_random_max(worker->env.rnd, - worker->env.cfg->ip_ratelimit_factor) == 0) { - + worker->env.cfg->ip_ratelimit_factor) == 0) { char addrbuf128; - addr_to_str(&repinfo->addr, repinfo->addrlen, - addrbuf, sizeof(addrbuf)); - verbose(VERB_QUERY, "ip_ratelimit allowed through for ip address %s because of slip in ip_ratelimit_factor", - addrbuf); + addr_to_str(&repinfo->client_addr, + repinfo->client_addrlen, addrbuf, + sizeof(addrbuf)); + verbose(VERB_QUERY, "ip_ratelimit allowed through for " + "ip address %s because of slip in " + "ip_ratelimit_factor", addrbuf); } else { worker->stats.num_queries_ip_ratelimited++; comm_point_drop_reply(repinfo); @@ -1190,7 +1407,8 @@ /* see if query is in the cache */ if(!query_info_parse(&qinfo, c->buffer)) { verbose(VERB_ALGO, "worker parse request: formerror."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); memset(&qinfo, 0, sizeof(qinfo)); /* zero qinfo.qname */ if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) { comm_point_drop_reply(repinfo); 
@@ -1204,13 +1422,14 @@ } if(worker->env.cfg->log_queries) { char ip128; - addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); + addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip)); log_query_in(ip, qinfo.qname, qinfo.qtype, qinfo.qclass); } if(qinfo.qtype == LDNS_RR_TYPE_AXFR || qinfo.qtype == LDNS_RR_TYPE_IXFR) { verbose(VERB_ALGO, "worker request: refused zone transfer."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); sldns_buffer_rewind(c->buffer); LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), @@ -1227,7 +1446,8 @@ qinfo.qtype == LDNS_RR_TYPE_MAILB || (qinfo.qtype >= 128 && qinfo.qtype <= 248)) { verbose(VERB_ALGO, "worker request: formerror for meta-type."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); if(worker_err_ratelimit(worker, LDNS_RCODE_FORMERR) == -1) { comm_point_drop_reply(repinfo); return 0; @@ -1241,10 +1461,12 @@ } goto send_reply; } - if((ret=parse_edns_from_pkt(c->buffer, &edns, worker->scratchpad)) != 0) { + if((ret=parse_edns_from_query_pkt(c->buffer, &edns, worker->env.cfg, c, + worker->scratchpad)) != 0) { struct edns_data reply_edns; verbose(VERB_ALGO, "worker parse edns: formerror."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); memset(&reply_edns, 0, sizeof(reply_edns)); reply_edns.edns_present = 1; reply_edns.udp_size = EDNS_ADVERTISED_SIZE; 
@@ -1256,16 +1478,18 @@ goto send_reply; } if(edns.edns_present) { - struct edns_option* edns_opt; if(edns.edns_version != 0) { edns.ext_rcode = (uint8_t)(EDNS_RCODE_BADVERS>>4); edns.edns_version = EDNS_ADVERTISED_VERSION; edns.udp_size = EDNS_ADVERTISED_SIZE; edns.bits &= EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; verbose(VERB_ALGO, "query with bad edns version."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); error_encode(c->buffer, EDNS_RCODE_BADVERS&0xf, &qinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), sldns_buffer_read_u16_at(c->buffer, 2), NULL); 
@@ -1279,41 +1503,24 @@ worker->daemon->cfg->harden_short_bufsize) { verbose(VERB_QUERY, "worker request: EDNS bufsize %d ignored", (int)edns.udp_size); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); edns.udp_size = NORMAL_UDP_SIZE; } - if(c->type != comm_udp) { - edns_opt = edns_opt_list_find(edns.opt_list, LDNS_EDNS_KEEPALIVE); - if(edns_opt && edns_opt->opt_len > 0) { - edns.ext_rcode = 0; - edns.edns_version = EDNS_ADVERTISED_VERSION; - edns.udp_size = EDNS_ADVERTISED_SIZE; - edns.bits &= EDNS_DO; - edns.opt_list = NULL; - verbose(VERB_ALGO, "query with bad edns keepalive."); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); - error_encode(c->buffer, LDNS_RCODE_FORMERR, &qinfo, - *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), - sldns_buffer_read_u16_at(c->buffer, 2), NULL); - if(sldns_buffer_capacity(c->buffer) >= - sldns_buffer_limit(c->buffer)+calc_edns_field_size(&edns)) - attach_edns_record(c->buffer, &edns); - regional_free_all(worker->scratchpad); - goto send_reply; - } - } } if(edns.udp_size > worker->daemon->cfg->max_udp_size && c->type == comm_udp) { verbose(VERB_QUERY, "worker request: max UDP reply size modified" " (%d to max-udp-size)", (int)edns.udp_size); - log_addr(VERB_CLIENT,"from",&repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); edns.udp_size = worker->daemon->cfg->max_udp_size; } if(edns.udp_size < LDNS_HEADER_SIZE) { verbose(VERB_ALGO, "worker request: edns is too small."); - log_addr(VERB_CLIENT, "from", &repinfo->addr, repinfo->addrlen); + log_addr(VERB_CLIENT, "from", &repinfo->client_addr, + repinfo->client_addrlen); LDNS_QR_SET(sldns_buffer_begin(c->buffer)); LDNS_TC_SET(sldns_buffer_begin(c->buffer)); LDNS_RCODE_SET(sldns_buffer_begin(c->buffer), 
@@ -1337,7 +1544,8 @@ } if(LDNS_OPCODE_WIRE(sldns_buffer_begin(c->buffer)) == LDNS_PACKET_NOTIFY) { - answer_notify(worker, &qinfo, &edns, c->buffer, repinfo); + answer_notify(worker, &qinfo, &edns, c->buffer, + &repinfo->client_addr, repinfo->client_addrlen); regional_free_all(worker->scratchpad); goto send_reply; } @@ -1355,9 +1563,10 @@ goto send_reply; } if(worker->env.auth_zones && - rpz_apply_qname_trigger(worker->env.auth_zones, + rpz_callback_from_worker_request(worker->env.auth_zones, &worker->env, &qinfo, &edns, c->buffer, worker->scratchpad, - repinfo, acladdr->taglist, acladdr->taglen, &worker->stats)) { + repinfo, acladdr->taglist, acladdr->taglen, &worker->stats, + &rpz_passthru)) { regional_free_all(worker->scratchpad); if(sldns_buffer_limit(c->buffer) == 0) { comm_point_drop_reply(repinfo); @@ -1383,7 +1592,8 @@ /* We've looked in our local zones. If the answer isn't there, we * might need to bail out based on ACLs now. */ - if((ret=deny_refuse_non_local(c, acl, worker, repinfo)) != -1) + if((ret=deny_refuse_non_local(c, acl, worker, repinfo, acladdr, + worker->env.cfg->ede)) != -1) { regional_free_all(worker->scratchpad); if(ret == 1) @@ -1402,12 +1612,17 @@ * ACLs allow the snooping. */ if(!(LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) && acl != acl_allow_snoop ) { + if (worker->env.cfg->ede) { + EDNS_OPT_LIST_APPEND_EDE(&edns.opt_list_out, + worker->scratchpad, LDNS_EDE_NOT_AUTHORITATIVE, ""); + } error_encode(c->buffer, LDNS_RCODE_REFUSED, &qinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), - sldns_buffer_read_u16_at(c->buffer, 2), NULL); + sldns_buffer_read_u16_at(c->buffer, 2), &edns); regional_free_all(worker->scratchpad); log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from", - &repinfo->addr, repinfo->addrlen); + &repinfo->client_addr, repinfo->client_addrlen); + goto send_reply; } 
@@ -1448,20 +1663,26 @@ cinfo = &cinfo_tmp; } + /* Keep the original edns list around. The pointer could change if there is + * a cached answer (through the inplace callback function there). + * No need to actually copy the contents as they shouldn't change. + * Used while prefetching and subnet is enabled. */ + original_edns_list = edns.opt_list_in; lookup_cache: /* Lookup the cache. In case we chase an intermediate CNAME chain * this is a two-pass operation, and lookup_qinfo is different for * each pass. We should still pass the original qinfo to * answer_from_cache(), however, since it's used to build the reply. */ - if(!edns_bypass_cache_stage(edns.opt_list, &worker->env)) { + if(!edns_bypass_cache_stage(edns.opt_list_in, &worker->env)) { is_expired_answer = 0; is_secure_answer = 0; h = query_info_hash(lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2)); if((e=slabhash_lookup(worker->env.msg_cache, h, lookup_qinfo, 0))) { + struct reply_info* rep = (struct reply_info*)e->data; /* answer from cache - we have acquired a readlock on it */ - if(answer_from_cache(worker, &qinfo, - cinfo, &need_drop, &is_expired_answer, &is_secure_answer, - &alias_rrset, &partial_rep, (struct reply_info*)e->data, + if(answer_from_cache(worker, &qinfo, cinfo, &need_drop, + &is_expired_answer, &is_secure_answer, + &alias_rrset, &partial_rep, rep, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), sldns_buffer_read_u16_at(c->buffer, 2), repinfo, &edns)) { 
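Review bot: `original_edns_list = edns.opt_list_in;` in the hunk at -1448 keeps a bare pointer, and the added comment only argues that the contents do not change, not how long they stay allocated. If the list is allocated from `worker->scratchpad`, as the scratchpad argument to `parse_edns_from_query_pkt` in the -1241 hunk suggests, it is valid only until the next `regional_free_all(worker->scratchpad)`. The use in the -1469 hunk passes it to `reply_and_prefetch` before that call, so the order is right today; a line such as `/* points into worker->scratchpad: use before regional_free_all() */` would keep it that way. The enclosing function starts and ends outside the hunk.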
@@ -1469,21 +1690,22 @@ * Note that if there is more than one pass * its qname must be that used for cache * lookup. */ - if((worker->env.cfg->prefetch && *worker->env.now >= - ((struct reply_info*)e->data)->prefetch_ttl) || - (worker->env.cfg->serve_expired && - *worker->env.now >= ((struct reply_info*)e->data)->ttl)) { - - time_t leeway = ((struct reply_info*)e-> - data)->ttl - *worker->env.now; - if(((struct reply_info*)e->data)->ttl - < *worker->env.now) + if((worker->env.cfg->prefetch && + *worker->env.now >= rep->prefetch_ttl) || + (worker->env.cfg->serve_expired && + *worker->env.now > rep->ttl)) { + + time_t leeway = rep->ttl - *worker->env.now; + if(rep->ttl < *worker->env.now) leeway = 0; lock_rw_unlock(&e->lock); + reply_and_prefetch(worker, lookup_qinfo, sldns_buffer_read_u16_at(c->buffer, 2), repinfo, leeway, - (partial_rep || need_drop)); + (partial_rep || need_drop), + rpz_passthru, + original_edns_list); if(!partial_rep) { rc = 0; regional_free_all(worker->scratchpad); @@ -1520,6 +1742,7 @@ verbose(VERB_ALGO, "answer from the cache failed"); lock_rw_unlock(&e->lock); } + if(!LDNS_RD_WIRE(sldns_buffer_begin(c->buffer))) { if(answer_norec_from_cache(worker, &qinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), @@ -1538,15 +1761,16 @@ if(verbosity >= VERB_CLIENT) { if(c->type == comm_udp) log_addr(VERB_CLIENT, "udp request from", - &repinfo->addr, repinfo->addrlen); + &repinfo->client_addr, repinfo->client_addrlen); else log_addr(VERB_CLIENT, "tcp request from", - &repinfo->addr, repinfo->addrlen); + &repinfo->client_addr, repinfo->client_addrlen); } /* grab a work request structure for this new request */ mesh_new_client(worker->env.mesh, &qinfo, cinfo, sldns_buffer_read_u16_at(c->buffer, 2), - &edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer)); + &edns, repinfo, *(uint16_t*)(void *)sldns_buffer_begin(c->buffer), + rpz_passthru); regional_free_all(worker->scratchpad); worker_mem_report(worker, NULL); return 0; 
@@ -1571,8 +1795,8 @@ */ if(worker->dtenv.log_client_response_messages) { log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); - dt_msg_send_client_response(&worker->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); + log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen); + dt_msg_send_client_response(&worker->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, c->type, c->buffer); } #endif if(worker->env.cfg->log_replies) @@ -1584,10 +1808,12 @@ /* log original qname, before the local alias was * used to resolve that CNAME to something else */ qinfo.qname = qinfo.local_alias->rrset->rk.dname; - log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen, + log_reply_info(NO_VERBOSE, &qinfo, + &repinfo->client_addr, repinfo->client_addrlen, tv, 1, c->buffer); } else { - log_reply_info(NO_VERBOSE, &qinfo, &repinfo->addr, repinfo->addrlen, + log_reply_info(NO_VERBOSE, &qinfo, + &repinfo->client_addr, repinfo->client_addrlen, tv, 1, c->buffer); } } @@ -1611,6 +1837,9 @@ comm_base_exit(worker->base); break; #endif +#ifdef SIGBREAK + case SIGBREAK: +#endif case SIGINT: worker->need_to_exit = 1; comm_base_exit(worker->base); @@ -1716,6 +1945,9 @@ #else void* dtenv = NULL; #endif +#ifdef HAVE_GETTID + worker->thread_tid = gettid(); +#endif worker->need_to_exit = 0; worker->base = comm_base_create(do_sigs); if(!worker->base) { @@ -1729,6 +1961,9 @@ #ifdef SIGHUP ub_thread_sig_unblock(SIGHUP); #endif +#ifdef SIGBREAK + ub_thread_sig_unblock(SIGBREAK); +#endif ub_thread_sig_unblock(SIGINT); #ifdef SIGQUIT ub_thread_sig_unblock(SIGQUIT); 
@@ -1745,6 +1980,9 @@ || !comm_signal_bind(worker->comsig, SIGQUIT) #endif || !comm_signal_bind(worker->comsig, SIGTERM) +#ifdef SIGBREAK + || !comm_signal_bind(worker->comsig, SIGBREAK) +#endif || !comm_signal_bind(worker->comsig, SIGINT)) { log_err("could not create signal handlers"); worker_delete(worker); @@ -1827,15 +2065,14 @@ } server_stats_init(&worker->stats, cfg); - alloc_init(&worker->alloc, &worker->daemon->superalloc, - worker->thread_num); - alloc_set_id_cleanup(&worker->alloc, &worker_alloc_cleanup, worker); + worker->alloc = worker->daemon->worker_allocsworker->thread_num; + alloc_set_id_cleanup(worker->alloc, &worker_alloc_cleanup, worker); worker->env = *worker->daemon->env; comm_base_timept(worker->base, &worker->env.now, &worker->env.now_tv); worker->env.worker = worker; worker->env.worker_base = worker->base; worker->env.send_query = &worker_send_query; - worker->env.alloc = &worker->alloc; + worker->env.alloc = worker->alloc; worker->env.outnet = worker->back; worker->env.rnd = worker->rndstate; /* If case prefetch is triggered, the corresponding mesh will clear @@ -1979,7 +2216,7 @@ #endif /* USE_DNSTAP */ comm_base_delete(worker->base); ub_randfree(worker->rndstate); - alloc_clear(&worker->alloc); + /* don't touch worker->alloc, as it's maintained in daemon */ regional_destroy(worker->env.scratch); regional_destroy(worker->scratchpad); free(worker); 
@@ -1987,9 +2224,10 @@ struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, - int want_dnssec, int nocaps, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t* zone, size_t zonelen, int ssl_upstream, - char* tls_auth_name, struct module_qstate* q) + int want_dnssec, int nocaps, int check_ratelimit, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited) { struct worker* worker = q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( @@ -1998,9 +2236,10 @@ return NULL; e->qstate = q; e->qsent = outnet_serviced_query(worker->back, qinfo, flags, dnssec, - want_dnssec, nocaps, q->env->cfg->tcp_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - worker_handle_service_reply, e, worker->back->udp_buff, q->env); + worker_handle_service_reply, e, worker->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } @@ -2021,6 +2260,7 @@ mesh_stats_clear(worker->env.mesh); worker->back->unwanted_replies = 0; worker->back->num_tcp_outgoing = 0; + worker->back->num_udp_outgoing = 0; } void worker_start_accept(void* arg) @@ -2044,10 +2284,11 @@ struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), - uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), + uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0;
_service:tar_scm:unbound-1.13.2.tar.gz/daemon/worker.h -> _service:tar_scm:unbound-1.17.1.tar.gz/daemon/worker.h
Changed
@@ -86,6 +86,10 @@ struct daemon* daemon; /** thread id */ ub_thread_type thr_id; +#ifdef HAVE_GETTID + /** thread tid, the LWP id. */ + pid_t thread_tid; +#endif /** pipe, for commands for this worker */ struct tube* cmd; /** the event base this worker works with */ @@ -114,7 +118,7 @@ /** do we need to restart or quit (on signal) */ int need_to_exit; /** allocation cache for this thread */ - struct alloc_cache alloc; + struct alloc_cache *alloc; /** per thread statistics */ struct ub_server_stats stats; /** thread scratch regional */ @@ -127,6 +131,8 @@ /** dnstap environment, changed for this thread */ struct dt_env dtenv; #endif + /** reuse existing cache on reload if other conditions allow it. */ + int reuse_cache; }; /**
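Review bot: The comment on `alloc` still reads "allocation cache for this thread" although the member changes from an embedded `struct alloc_cache` to a pointer, so the header no longer says who owns the object. The worker.c part of this change replaces `alloc_clear(&worker->alloc)` with a remark that the cache is maintained in daemon, which suggests the worker must never clear or free it. Stating that at the declaration would help prevent a later double free or use after free, for example `/** allocation cache for this thread; owned and released by the daemon, the worker only borrows the pointer */`. The struct definition begins outside the hunk.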
_service:tar_scm:unbound-1.13.2.tar.gz/dns64/dns64.c -> _service:tar_scm:unbound-1.17.1.tar.gz/dns64/dns64.c
Changed
@@ -652,7 +652,7 @@ if ( (!iq || !iq->started_no_cache_store) && qstate->return_msg && qstate->return_msg->rep && !dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep, - 0, 0, 0, NULL, qstate->query_flags)) + 0, 0, 0, NULL, qstate->query_flags, qstate->qstarttime)) log_err("out of memory"); /* do nothing */ @@ -685,8 +685,12 @@ switch(event) { case module_event_new: /* Tag this query as being new and fall through. */ - iq = (struct dns64_qstate*)regional_alloc( - qstate->region, sizeof(*iq)); + if (!(iq = (struct dns64_qstate*)regional_alloc( + qstate->region, sizeof(*iq)))) { + log_err("out of memory"); + qstate->ext_stateid = module_error; + return; + } qstate->minfoid = iq; iq->state = DNS64_NEW_QUERY; iq->started_no_cache_store = qstate->no_cache_store; @@ -913,8 +917,9 @@ sizeof(struct dns_msg)))) return; super->return_msg->qinfo = super->qinfo; - super->return_msg->rep = reply_info_copy(qstate->return_msg->rep, NULL, - super->region); + if (!(super->return_msg->rep = reply_info_copy(qstate->return_msg->rep, + NULL, super->region))) + return; /* * Adjust the domain name of the answer RR set so that it matches the @@ -986,7 +991,7 @@ /* Store the generated response in cache. */ if ( (!super_dq || !super_dq->started_no_cache_store) && !dns_cache_store(super->env, &super->qinfo, super->return_msg->rep, - 0, 0, 0, NULL, super->query_flags)) + 0, 0, 0, NULL, super->query_flags, qstate->qstarttime)) log_err("out of memory"); }
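Review bot: The new failure path for `reply_info_copy` in the third hunk returns with `super->return_msg` already assigned and its `rep` left NULL, and it logs nothing, whereas the `module_event_new` path added in the second hunk logs "out of memory" and sets `module_error`. Whether every later reader of `super->return_msg` checks `rep` is not visible here, although the condition in the first hunk does. Consider making the failure explicit so a half-built message cannot be picked up, e.g. `log_err("out of memory"); super->return_msg = NULL; return;`. The enclosing functions start and end outside the hunks.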
_service:tar_scm:unbound-1.13.2.tar.gz/dnscrypt/dnscrypt.c -> _service:tar_scm:unbound-1.17.1.tar.gz/dnscrypt/dnscrypt.c
Changed
@@ -435,7 +435,7 @@ /** * Add the server nonce part to once. - * The nonce is made half of client nonce and the seconf half of the server + * The nonce is made half of client nonce and the second half of the server * nonce, both of them of size crypto_box_HALF_NONCEBYTES. * \paramin nonce: a uint8_t* of size crypto_box_NONCEBYTES */ @@ -674,7 +674,7 @@ /** * Insert local-zone and local-data into configuration. * In order to be able to serve certs over TXT, we can reuse the local-zone and - * local-data config option. The zone and qname are infered from the + * local-data config option. The zone and qname are inferred from the * provider_name and the content of the TXT record from the certificate content. * returns the number of certificate TXT record that were loaded. * < 0 in case of error.
_service:tar_scm:unbound-1.13.2.tar.gz/dnscrypt/dnscrypt.h -> _service:tar_scm:unbound-1.17.1.tar.gz/dnscrypt/dnscrypt.h
Changed
@@ -114,7 +114,7 @@ /** * handle a crypted dnscrypt request. - * Determine wether or not a query is coming over the dnscrypt listener and + * Determine whether or not a query is coming over the dnscrypt listener and * attempt to uncurve it or detect if it is a certificate query. * return 0 in case of failure. */ @@ -122,7 +122,7 @@ struct comm_reply* repinfo); /** * handle an unencrypted dnscrypt request. - * Determine wether or not a query is going over the dnscrypt channel and + * Determine whether or not a query is going over the dnscrypt channel and * attempt to curve it unless it was not crypted like when it is a * certificate query. * \return 0 in case of failure.
_service:tar_scm:unbound-1.13.2.tar.gz/dnstap/dtstream.c -> _service:tar_scm:unbound-1.17.1.tar.gz/dnstap/dtstream.c
Changed
@@ -188,9 +188,9 @@ /** start timer to wakeup dtio because there is content in the queue */ static void -dt_msg_queue_start_timer(struct dt_msg_queue* mq) +dt_msg_queue_start_timer(struct dt_msg_queue* mq, int wakeupnow) { - struct timeval tv; + struct timeval tv = {0}; /* Start a timer to process messages to be logged. * If we woke up the dtio thread for every message, the wakeup * messages take up too much processing power. If the queue @@ -204,19 +204,26 @@ /* do not start the timer if a timer already exists, perhaps * in another worker. So this variable is protected by a lock in - * dtio */ + * dtio. */ + + /* If we need to wakeupnow, 0 the timer to force the callback. */ lock_basic_lock(&mq->dtio->wakeup_timer_lock); if(mq->dtio->wakeup_timer_enabled) { + if(wakeupnow) { + comm_timer_set(mq->wakeup_timer, &tv); + } lock_basic_unlock(&mq->dtio->wakeup_timer_lock); return; } mq->dtio->wakeup_timer_enabled = 1; /* we are going to start one */ - lock_basic_unlock(&mq->dtio->wakeup_timer_lock); /* start the timer, in mq, in the event base of our worker */ - tv.tv_sec = 1; - tv.tv_usec = 0; + if(!wakeupnow) { + tv.tv_sec = 1; + tv.tv_usec = 0; + } comm_timer_set(mq->wakeup_timer, &tv); + lock_basic_unlock(&mq->dtio->wakeup_timer_lock); } void @@ -251,7 +258,7 @@ entry->buf = buf; entry->len = len; - /* aqcuire lock */ + /* acquire lock */ lock_basic_lock(&mq->lock); /* if list was empty, start timer for (eventual) wakeup */ if(mq->first == NULL) @@ -283,10 +290,8 @@ /* release lock */ lock_basic_unlock(&mq->lock); - if(wakeupnow) { - dtio_wakeup(mq->dtio); - } else if(wakeupstarttimer) { - dt_msg_queue_start_timer(mq); + if(wakeupnow || wakeupstarttimer) { + dt_msg_queue_start_timer(mq, wakeupnow); } } @@ -930,7 +935,7 @@ return 1; } -/** write more of the current messsage. false if incomplete, true if +/** write more of the current message. false if incomplete, true if * the message is done */ static int dtio_write_more(struct dt_io_thread* dtio) { 
@@ -949,7 +954,7 @@ * -1: continue, >0: number of bytes read into buffer */ static ssize_t receive_bytes(struct dt_io_thread* dtio, void* buf, size_t len) { ssize_t r; - r = recv(dtio->fd, (void*)buf, len, 0); + r = recv(dtio->fd, (void*)buf, len, MSG_DONTWAIT); if(r == -1) { char* to = dtio->socket_path; if(!to) to = dtio->ip_str; @@ -1181,7 +1186,7 @@ goto close_connection; return 1; } else { - /* unknow content type */ + /* unknown content type */ verbose(VERB_ALGO, "dnstap: ACCEPT frame " "contains unknown content type, " "closing connection"); @@ -1955,7 +1960,7 @@ memset(&addr, 0, sizeof(addr)); addrlen = (socklen_t)sizeof(addr); - if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen)) { + if(!extstrtoaddr(dtio->ip_str, &addr, &addrlen, UNBOUND_DNS_PORT)) { log_err("could not parse IP '%s'", dtio->ip_str); return 0; }
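Review bot: The header comment of `dt_msg_queue_start_timer` does not describe the new `wakeupnow` parameter, and moving `comm_timer_set` inside `wakeup_timer_lock` has no why-comment. The header could read `/** start timer to wakeup dtio because there is content in the queue; with wakeupnow the timer is set to zero so the callback runs at once */`. If the intent of the lock move is that the enabled flag and the timer change together, a line such as `/* set the timer under the lock so the flag and the timer stay consistent */` above the final `comm_timer_set` would record it. Part of the function body lies between the two hunks and is not visible.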
_service:tar_scm:unbound-1.13.2.tar.gz/dnstap/unbound-dnstap-socket.c -> _service:tar_scm:unbound-1.17.1.tar.gz/dnstap/unbound-dnstap-socket.c
Changed
@@ -272,7 +272,7 @@ memset(&addr, 0, sizeof(addr)); len = (socklen_t)sizeof(addr); - if(!extstrtoaddr(ip, &addr, &len)) { + if(!extstrtoaddr(ip, &addr, &len, UNBOUND_DNS_PORT)) { log_err("could not parse IP '%s'", ip); return -1; } @@ -617,7 +617,7 @@ static ssize_t receive_bytes(struct tap_data* data, int fd, void* buf, size_t len) { - ssize_t ret = recv(fd, buf, len, 0); + ssize_t ret = recv(fd, buf, len, MSG_DONTWAIT); if(ret == 0) { /* closed */ if(verbosity) log_info("dnstap client stream closed from %s", @@ -1264,9 +1264,9 @@ memset(&tls_list, 0, sizeof(tls_list)); /* lock debug start (if any) */ + checklock_start(); log_ident_set("unbound-dnstap-socket"); log_init(0, 0, 0); - checklock_start(); #ifdef SIGPIPE if(signal(SIGPIPE, SIG_IGN) == SIG_ERR) { @@ -1413,10 +1413,12 @@ struct outbound_entry* worker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), + int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; 
@@ -1445,10 +1447,12 @@ struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), + int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0;
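Review bot: With `MSG_DONTWAIT` added to `recv` in `receive_bytes`, a return of -1 with `EAGAIN` or `EWOULDBLOCK` becomes an ordinary outcome, but the hunk shows only the `ret == 0` (closed) branch. The error branch is outside the hunk, so it should be confirmed that it treats those errno values as "no data yet" instead of logging an error and closing the client stream. A short comment at the call would record the intent, for example `/* nonblocking read; EAGAIN/EWOULDBLOCK means try again later */`. The same flag is added to `receive_bytes` in dnstap/dtstream.c.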
_service:tar_scm:unbound-1.13.2.tar.gz/doc/Changelog -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/Changelog
Changed
@@ -1,3 +1,743 @@ +5 January 2023: Wouter + - Tag for 1.17.1 release. + +2 January 2023: Wouter + - Fix windows compile for libunbound subprocess reap comm point closes. + - Update github workflows to use checkout v3. + +14 December 2022: George + - Merge #569 from JINMEI Tatuya: add keep-cache option to + 'unbound-control reload' to keep caches. + +13 December 2022: George + - Expose 'statistics-inhibit-zero' as a configuration option; the + default value retains Unbound's behavior. + - Expose 'max-sent-count' as a configuration option; the + default value retains Unbound's behavior. + - Merge #461 from Christian Allred: Add max-query-restarts option. + Exposes an internal configuration but the default value retains + Unbound's behavior. + +13 December 2022: Wouter + - Merge #808: Wrap Makefile script's directory variables in quotes. + - Fix to wrap Makefile scripts directory in quotes for uninstall. + +1 December 2022: Wouter + - Fix #773: When used with systemd-networkd, unbound does not start + until systemd-networkd-wait-online.service times out. + +30 November 2022: George + - Add SVCB and HTTPS to the types removed by 'unbound-control flush'. + - Clear documentation for interactivity between the subnet module and + the serve-expired and prefetch configuration options. + +30 November 2022: Wouter + - Fix #782: Segmentation fault in stats.c:404. + +28 November 2022: Wouter + - Fix for the ignore of tcp events for closed comm points, preserve + the use after free protection features. + +23 November 2022: Philip + - Merge #720 from jonathangray: fix use after free when + WSACreateEvent() fails. + +22 November 2022: George + - Ignore expired error responses. + +11 November 2022: Wouter + - Fix #779: doc Missing documention in ub_resolve_event() for + callback parameter was_ratelimited. + +9 November 2022: George + - Complementary fix for distutils.sysconfig deprecation in Python 3.10 + to commit 62c5039ab9da42713e006e840b7578e01d66e7f2. 
+ +8 November 2022: Wouter + - Fix to ignore tcp events for closed comm points. + - Fix to make sure to not read again after a tcp comm point is closed. + - Fix #775: libunbound: subprocess reap causes parent process reap + to hang. + - iana portlist update. + +21 October 2022: George + - Merge #767 from jonathangray: consistently use IPv4/IPv6 in + unbound.conf.5. + +21 October 2022: Wouter + - Fix that cachedb does not store failures in the external cache. + +18 October 2022: George + - Clarify the use of MAX_SENT_COUNT in the iterator code. + +17 October 2022: Wouter + - testcode/dohclient sets log identity to its name. + +14 October 2022: Wouter + - Merge #768 from fobser: Arithmetic on a pointer to void is a GNU + extension. + - In unit test, print python script name list correctly. + +13 October 2022: Wouter + - Tag for 1.17.0 release. The code repository continues with 1.17.1. + +11 October 2022: George + - Fix PROXYv2 header read for TCP connections when no proxied addresses + are provided. + +7 October 2022: Wouter + - Tag for 1.17.0rc1 release. + +7 October 2022: George + - Fix to stop possible loops in the tcp reuse code (write_wait list + and tcp_wait list). Based on analysis and patch from Prad Seniappan + and Karthik Umashankar. + - Fix unit test to properly test the reuse_write_wait_pop function. + +6 October 2022: Wouter + - Fix to stop responses with TC flag from resulting in partial + responses. It retries to fetch the data elsewhere, or fails the + query and in depth fix removes the TC flag from the cached item. + - Fix proxy length debug output printout typecasts. + +5 October 2022: Wouter + - Fix dnscrypt compile for proxy protocol code changes. + +5 October 2022: George + - Use DEBUG_TDIR from environment in mini_tdir.sh for debugging. + - Fix string comparison in mini_tdir.sh. + - Make ede.tdir test more predictable by using static data. + - Fix checkconf test for dnscrypt and proxy port. 
+ +4 October 2022: George + - Merge #764: Leniency for target discovery when under load (for + NRDelegation changes). + +4 October 2022: Wouter + - Fix static analysis report to remove dead code from the + rpz_callback_from_iterator_module function. + - Fix to clean up after the acl_interface unit test. + +3 October 2022: George + - Merge #760: PROXYv2 downstream support. (New proxy-protocol-port + configuration option). + +3 October 2022: Wouter + - Fix to remove erroneous TC flag from TCP upstream. + - Fix test tdir skip report printout. + - Fix windows compile, the identifier interface is defined in headers. + - Fix to close errno block in comm_point_tcp_handle_read outside of + ifdef. + +26 September 2022: George + - Better output for skipped tdir tests. + +21 September 2022: Wouter + - Patch for CVE-2022-3204 Non-Responsive Delegation Attack. + - This patch was released in 1.16.3, the code repository continues + with the previous features and fixes for 1.17.0. + - Fix doxygen warning in respip.h. + +20 September 2022: George + - Convert tdir tests to use the new skip_test functionality. + - Remove unused testcode/mini_tpkg.sh file. + +16 September 2022: George + - Merge #753: ACL per interface. (New interface-* configuration + options). + +2 September 2022: Wouter + - Remove include that was there for debug purposes. + - Fix to check pthread_t size after pthread has been detected. + +1 September 2022: Wouter + - Fix to update config tests to fix checking if nonblocking sockets + work on OpenBSD. + - Slow down log frequency of write wait failures. + - Fix to set out of file descriptor warning to operational verbosity. + - Fix to log a verbose message at operational notice level if a + thread is not responding, to stats requests. It is logged with + thread identifiers. + +31 August 2022: Wouter + - Fix to avoid process wide fcntl calls mixed with nonblocking + operations after a blocked write. 
+ - Patch from Vadim Fedorenko that adds MSG_DONTWAIT to receive + operations, so that instruction reordering does not cause mistakenly + blocking socket operations. + - Fix to wait for blocked write on UDP sockets, with a timeout if it + takes too long the packet is dropped. + - Fix for wait for udp send to stop when packet is successfully sent. + +22 August 2022: Wouter + - Fix #741: systemd socket activation fails on IPv6. + +12 August 2022: Wouter + - Fix to log accept error ENFILE and EMFILE errno, but slowly, once + per 10 seconds. Also log accept failures when no slow down is used. + +5 August 2022: Wouter + - Fix #734 FR enable unbound-checkconf to detect more (basic) + errors. + +4 August 2022: Wouter + - Fix ratelimit inconsistency, for ip-ratelimits the value is the + amount allowed, like for ratelimits. + +2 August 2022: Wouter + - Fix edns subnet so that scope 0 answers only match sourcemask 0 + queries for answers from cache if from a query with sourcemask 0. + - Fix unittest for edns subnet change. + - Merge #730 from luisdallos: Fix startup failure on Windows 8.1 due + to unsupported IPV6_USER_MTU socket option being set. + +1 August 2022: Wouter + - Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699. + - Tests for ghost domain fixes. + - Tag for 1.16.2 release. The code repo continues with 1.16.3. + - Fix #728: alloc_reg_obtain() core dump. Stop double + alloc_reg_release when serviced_create fails. + +19 July 2022: George + - Update documentation for 'outbound-msg-retry:'. + +19 July 2022: Wouter + - Merge #718: Introduce infra-cache-max-rtt option to config max + retransmit timeout. + +15 July 2022: Wouter + - Merge PR 714: Avoid treat normal hosts as unresponsive servers. + And fixup the lock code. + - iana portlist update. + +12 July 2022: George + - For windows crosscompile, fix setting the IPV6_MTU socket option + equivalent (IPV6_USER_MTU); allows cross compiling with latest + cross-compiler versions. 
+ +12 July 2022: Wouter + - Fix dname count in sldns parse type descriptor for SVCB and HTTPS. + +11 July 2022: Wouter + - Fix verbose EDE error printout. + +4 July 2022: George + - Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for + one loop pass'. + - Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on + outbound tcp sockets. + +4 July 2022: Wouter + - Tag for 1.16.1rc1 release. This became 1.16.1 on 11 July 2022. + The code repo continues with version 1.16.2 under development. + +3 July 2022: George + - Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS + mode on openssl3. + - Merge PR #660 from Petr Menšík: Sha1 runtime insecure. + - For #660: formatting, less verbose logging, add EDE information. + - Fix for correct openssl error when adding windows CA certificates to + the openssl trust store. + - Improve val_sigcrypt.c::algo_needs_missing for one loop pass. + - Reintroduce documentation and more EDE support for + val_sigcrypt.c::dnskeyset_verify_rrset_sig. + +1 July 2022: George + - Merge PR #706: NXNS fallback. + - From #706: Cached NXDOMAIN does not increase the target nx + responses. + - From #706: Don't generate parent side queries if we already + have the lame records in cache. + - From #706: When a lame address is the best choice, don't try to + generate target queries when the missing targets are all lame. + +29 June 2022: Wouter + - iana portlist update. + - Fix detection of libz on windows compile with static option. + - Fix compile warning for windows compile. + +29 June 2022: George + - Add debug option to the mini_tdir.sh test code. + - Fix #704: FR Statistics counter for number of outgoing UDP queries + sent; introduces 'num.query.udpout' to the 'unbound-control stats' + command. + - Fix to not count cached NXDOMAIN for MAX_TARGET_NX. + - Allow fallback to the parent side when MAX_TARGET_NX is reached. + This will also allow MAX_TARGET_NX more NXDOMAINs. 
+ +28 June 2022: George + - Show the output of the exact .rpl run that failed with 'make test'. + - Fix for cached 0 TTL records to not trigger prefetching when + serve-expired-client-timeout is set. + +28 June 2022: Wouter + - Fix test program dohclient close to use portability routine. + +23 June 2022: Tom + - Clarify -v flag manpage entry (#705) + +22 June 2022: Philip + - Fix #663: use after free issue with edns options. + +21 June 2022: Philip + - Fix for loading locally stored zones that have lines with blanks or + blanks and comments. + +20 June 2022: George + - Remove unused LDNS function check for GOST Engine unloading. + +14 June 2022: George + - Merge PR #688: Rpz url notify issue. + - Note in the unbound.conf text that NOTIFY is allowed from the url: + addresses for auth and rpz zones. + +3 June 2022: George + - Fix for edns client subnet to respect not looking in its cache when + instructed to do so (e.g., prefetch). + +3 June 2022: Wouter + - makedist.sh picks up 32bit libssp-0.dll when 32bit compile. + +27 May 2022: Wouter + - Fix #684: FTBS configure script error with libmnl on openSUSE 15.3 (and possibly other distributions) + - Version is set to 1.16.0 for release. Release tag 1.16.0rc1. This + became release 1.16.0 on 2 June 2022. The source code branch + continues with version 1.16.1 under development. + +20 May 2022: Wouter + - Fix to silence test for ede error output to the console from the + test setup script. + - Fix ede test to not use default pidfile, and use local interface. + - Fix some lint type warnings. + +18 May 2022: George + - Fix typos in config_set_option for the 'num-threads' and + 'ede-serve-expired' options. + +15 May 2022: George + - Fix #678: FR modify behaviour of unbound-control rpz_enable zone, + by updating unbound-control's documentation. + +12 May 2022: George + - Fix #417: prefetch and ECS causing cache corruption when used + together. 
+ +12 May 2022: Wouter + - Merge #677: Allow using system certificates not only on Windows, + from pemensik. + - For #677: Added tls-system-cert to config parser and documentation. + +11 May 2022: Wouter + - Fix #673: DNS over TLS: error: SSL_handshake syscall: No route to + host. + +10 May 2022: George + - Fix Python build in non-source directory; based on patch by + Michael Tokarev. + +6 May 2022: Tom + - Merge PR #604: Add basic support for EDE (RFC8914). + +28 April 2022: Wouter + - Fix #670: SERVFAIL problems with unbound 1.15.0 running on + OpenBSD 7.1. + +8 April 2022: Wouter + - Fix zonemd check to allow unsupported algorithms to load. + If there are only unsupported algorithms, or unsupported schemes, + and no failed or successful other ZONEMD records, or malformed + or bad ZONEMD records, the unsupported records allow the zone load. + - Fix zonemd unsupported algo check. + - Fix zonemd unsupported algo check reason to not copy to next record, + and check for success for debug printout. + - Fix zonemd unsupported algo check to print unsupported reason before + zeroing it. + - Fix zonemd unsupported algo check to set reason to NULL before the + check routine, but after malformed checks, to get the correct NULL + output when the digest matches. + +25 March 2022: Wouter + - Fix spelling error in comment in sldns_str2wire_svcparam_key_lookup. + +23 March 2022: Wouter + - Fix #651: FR Better logging for refused queries. + +18 March 2022: George + - Merge PR #648 from eaglegai: fix -q doesn't work when use with + 'unbound-control stats_shm'. + +17 March 2022: Wouter + - Fix to describe auth-zone and other configuration at the local-zone + configuration option, to allow for more broadly view of the options. + +16 March 2022: Wouter + - Fix to ensure uniform handling of spaces and tabs when parsing RRs. + +9 March 2022: Wouter + - Merge #644: Make `install-lib` make target install the pkg-config + file. 
+ +7 March 2022: Wouter + - Fix configure for python to use sysutils, because distutils is + deprecated. It uses sysutils when available, distutils otherwise. + +3 March 2022: Wouter + - Fix #637: Integer Overflow in sldns_str2period function. + - Fix for #637: fix integer overflow checks in sldns_str2period. + +2 March 2022: George + - Merge PR #632 from scottrw93: Match cnames in ipset. + - Various fixes for #632: variable initialisation, convert the qinfo + to str once, accept trailing dot in the local-zone ipset option. + +2 March 2022: Wouter + - Fix compile warnings for printf ll format on mingw compile. + +1 March 2022: Wouter + - Fix pythonmod for change in iter_dp_is_useless function prototype. + +28 February 2022: George + - Fix #630: Unify the RPZ log messages. + - Merge #623 from rex4539: Fix typos. + +28 February 2022: Wouter + - Fix #633: Document unix domain socket support for unbound-control. + - Fix for #633: updated fix with new text. + - Fix edns client subnet to add the option based on the option list, + so that it is not state dependent, after the state fix of #605 for + double EDNS options. + - Fix for edns client subnet option add fix in removal code, from review. + +25 February 2022: Wouter + - Fix to detect that no IPv6 support means that IPv6 addresses are + useless for delegation point lookups. + - update Makefile dependencies. + - Fix check interface existence for support detection in remote lookup. + +18 February 2022: Wouter + - Fix that address not available is squelched from the logs for + udp connect failures. It is visible on verbosity 4 and more. + - Merge #631 from mollyim: Replace OpenSSL's ERR_PACK with + ERR_GET_REASON. + +16 February 2022: Wouter + - Fix for #628: fix rpz-passthru for qname trigger by localzone type. + +15 February 2022: Wouter + - Fix #628: A rpz-passthru action is not ending RPZ zone processing. 
+ +11 February 2022: Wouter + - Fix #624: Unable to stop Unbound in Windows console (does not + respond to CTRL+C command). + - Fix #618: enabling interface-automatic disables DNS-over-TLS. + Adds the option to list interface-automatic-ports. + - Remove debug info from #618 fix. + +7 February 2022: Wouter + - Fix that TCP interface does not use TLS when TLS is also configured. + +4 February 2022: Wouter + - Fix #412: cache invalidation issue with CNAME+A. + +3 February 2022: Wouter + - Fix for #611: Integer overflow in sldns_wire2str_pkt_scan. + - Tag for 1.15.0rc1 created. That became 1.15.0 on 10 feb 2022. + The repository continues with version 1.15.1. + +2 February 2022: George + - Merge PR #532 from Shchelk: Fix: buffer overflow bug. + - Merge PR #616: Update ratelimit logic. It also introduces + ratelimit-backoff and ip-ratelimit-backoff configuration options. + - Change aggressive-nsec default to yes. + - Merge PR #617: Update stub/forward-host notation to accept port and + tls-auth-name. + - Update stream_ssl.tdir test to also use the new forward-host + notation. + +2 February 2022: Wouter + - Update version number in repo to 1.15.0 for upcoming release, + since it changes the aggressive-nsec default and the ratelimit change. + - Fix header comment for doxygen for authextstrtoaddr. + - please clang analyzer for loop in test code. + - Fix docker splint test to use more portable uname. + - Update contrib/aaaa-filter-iterator.patch with diff for current + software version. + +1 February 2022: George + - Merge PR #603 from fobser: Use OpenSSL 1.1 API to access DSA and RSA + internals. + +31 January 2022: George + - Fix review comment for use-after-free when failing to send UDP out. + +31 January 2022: Wouter + - iana portlist update. + +29 January 2022: George + - Fix tls-* and ssl-* documented alternate syntax to also be available + through remote-control and unbound-checkconf. + - Better cleanup on failed DoT/DoH listening socket creation. 
+ +26 January 2022: George + - Fix #599: FR RFC 9156 (obsoletes RFC 7816), by noting the new RFC + document. + +26 January 2022: Wouter + - Test for NSID in SERVFAIL response due to DNSSEC bogus. + +25 January 2022: George + - Fix #588: Unbound 1.13.2 crashes due to p->pc is NULL in + serviced_udp_callback. + - Merge PR #612: TCP race condition. + +25 January 2022: Wouter + - Fix #610: Undefine-shift in sldns_str2wire_hip_buf. + +19 January 2022: George + - For dnstap, do not wakeupnow right there. Instead zero the timer to + force the wakeup callback asap. + +14 January 2022: George + - Merge PR #605: + - Fix EDNS to upstream where the same option could be attached + more than once. + - Add a region to serviced_query for allocations. + +14 January 2022: Wouter + - Add rpz: for-downstream: yesno option, where the RPZ zone is + authoritatively answered for, so the RPZ zone contents can be + checked with DNS queries directed at the RPZ zone. + - For #602: Allow the module-config "subnetcache validator cachedb + iterator". + +11 January 2022: George + - Fix prematurely terminated TCP queries when a reply has the same ID. + +7 January 2022: Wouter + - Merge #600 from pemensik: Change file mode before changing file + owner. + +5 January 2022: Wouter + - Fix for #596: fix that rpz return message is returned and not just + the rcode from the iterator return path. This fixes signal unset RA + after a CNAME. + - Fix unit tests for rpz now that the AA flag returns successfully from + the iterator loop. + - Fix for #596: add unit test for nsdname trigger and signal unset RA. + - Fix for #596: add unit test for nsip trigger and signal unset RA. + - Fix #598: Fix unbound-checkconf fatal error: module conf + 'respip dns64 validator iterator' is not known to work. + - Fix for #596: Fix rpz-signal-nxdomain-ra to work for clientip + triggered operation. + +4 January 2022: Wouter + - Fix #596: unset the RA bit when a query is blocked by an unbound + RPZ nxdomain reply. 
The option rpz-signal-nxdomain-ra allows to + signal that a domain is externally blocked to clients when it + is blocked with NXDOMAIN by unsetting RA. + - Fix to add test for rpz-signal-nxdomain-ra. + - Fix #596: only unset RA when NXDOMAIN is signalled. + - Fix that RPZ does not set RD flag on replies, it should be copied + from the query. + +22 December 2021: George + - contrib/aaaa-filter-iterator.patch file renewed diff content to + apply cleanly to the current coderepo for the current code version. + +20 December 2021: George + - Fix #591: Unbound-anchor manpage links to non-existent license file. + +13 December 2021: George + - Add missing configure flags for optional features in the + documentation. + - Fix Unbound capitalization in the documentation. + +13 December 2021: Wouter + - Fix to pick up other class local zone information before unlock. + +10 December 2021: George + - Allow local-data for classes other than IN to inherit a configured + local-zone's type if possible, instead of defaulting to type + transparent as per the implicit rule. + +10 December 2021: Wouter + - Add code similar to fix for ldns for tab between strings, for + consistency, the test case was not broken. + +6 December 2021: Wouter + - Merge PR #581 from fobser: Fix -Wmissing-prototypes and -Wshadow + warnings in rpz. + - Fix validator debug output about DS support, print correct algorithm. + +3 December 2021: Wouter + - Fix compile warning for if_nametoindex on windows 64bit. + +1 December 2021: Wouter + - configure is set to 1.14.0, and release branch. + This was released as version 1.14.0 on 9 Dec 2021, with the doxygen + fix below included. The main branch continues as 1.14.1. + - Fix doc/unbound.doxygen to remove obsolete tag warning. + +1 December 2021: George + - Merge PR #511 from yan12125: Reduce unnecessary linking. + - Merge PR #493 from Jaap: Fix generation of libunbound.pc. + - Merge PR #555 from fobser: Allow interface names as scope-id in IPv6 + link-local addresses. 
+ - Merge PR #562 from Willem: Reset keepalive per new tcp session. + - Merge PR #522 from sibeream: memory management violations fixed. + - Merge PR #530 from Shchelk: Fix: dereferencing a null pointer. + - Fix #454: listen_dnsport.c:825: error: ‘IPV6_TCLASS’ undeclared. + - Fix #574: Review fixes for size allocation. + +30 November 2021: Wouter + - Fix to remove git tracking and ci information from release tarballs. + - iana portlist update. + +29 November 2021: Wouter + - Merge PR #570 from rex4539: Fix typos. + - Fix for #570: regen aclocal.m4, fix configure.ac for spelling. + - Fix to make python module opt_list use opt_list_in. + - Fix #574: unbound-checkconf reports fatal error if interface names + are used as value for interfaces: + - Fix #574: Review fixes for it. + - Fix #576: FR UB_* error codes in unbound.h + - Fix #574: Review fix for spelling. + +15 November 2021: Tom + - Improve EDNS option handling, now also works for synthesised + responses such as local-data and server.id CH TXT responses. + +5 November 2021: George + - Fix for #558: fix loop in comm_point->tcp_free when a comm_point is + reclaimed more than once during callbacks. + - Fix for #558: clear the UB_EV_TIMEOUT bit before adding an event. + +5 November 2021: Wouter + - Fix that forward-zone name is documented as the full name of the + zone. It is not relative but a fully qualified domain name. + - Fix analyzer review failure in rpz action override code to not + crash on unlocking the local zone lock. + - Fix to remove unused code from rpz resolve client and action + function. + - Merge #565: unbound.service.in: Disable ProtectKernelTunables again. + +2 November 2021: Wouter + - Fix #552: Unbound assumes index.html exists on RPZ host. + +11 October 2021: Wouter + - Fix chaos replies to have truncation for short message lengths, + or long reply strings. + - Fix to protect custom regional create against small values. 
+ +4 October 2021: Wouter + - Fix to add example.conf note for outbound-msg-retry. + +27 September 2021: Wouter + - Implement RFC8375: Special-Use Domain 'home.arpa.'. + +21 September 2021: Wouter + - For crosscompile on windows, detect 64bit stackprotector library. + - Fix crosscompile shell syntax. + - Fix crosscompile windows to use libssp when it exists. + - For the windows compile script disable gost. + - Fix that on windows, use BIO_set_callback_ex instead of deprecated + BIO_set_callback. + - Fix crosscompile script for the shared build flags. + +20 September 2021: Wouter + - Fix crosscompile on windows to work with openssl 3.0.0 the + link with ws2_32 needs -l:libssp.a for __strcpy_chk. + Also copy results from lib64 directory if needed. + +10 September 2021: Wouter + - Fix initialisation errors reported by gcc sanitizer. + - Fix lock debug code for gcc sanitizer reports. + - Fix more initialisation errors reported by gcc sanitizer. + +8 September 2021: Wouter + - Merged #41 from Moritz Schneider: made outbound-msg-retry + configurable. + - Small fixes for #41: changelog, conflicts resolved, + processQueryResponse takes an iterator env argument like other + functions in the iterator, no colon in string for set_option, + and some whitespace style, to make it similar to the rest. + - Fix for #41: change outbound retry to int to fix signed comparison + warnings. + - Fix root_anchor test to check with new icannbundle date. + +3 September 2021: Wouter + - Fix #538: Fix subnetcache statistics. + +1 September 2021: Wouter + - Fix tcp fastopen failure when disabled, try normal connect instead. + +27 August 2021: Wouter + - Fix #533: Negative responses get cached even when setting + cache-max-negative-ttl: 1 + +25 August 2021: Wouter + - Merge #401: RPZ triggers. This add additional RPZ triggers, + unbound supports a full set of rpz triggers, and this now + includes nsdname, nsip and clientip triggers. 
Also actions + are fully supported, and this now includes the tcp-only action. + - Fix #536: error: RPZ: name of record (drop.spamhaus.org.rpz.local.) + to insert into RPZ. + - Fix the stream wait stream_wait_count_lock and http2 buffer locks + setup and desetup from race condition. + - Fix RPZ locks. Do not unlock zones lock if requested and rpz find + zone does not find the zone. Readlock the clientip that is found + for ipbased triggers. Unlock the nsdname zone lock when done. + Unlock zone and ip in rpz nsip and nsdname callback. Unlock + authzone and localzone if clientip found in rpz worker call. + - Fix compile warning in libunbound for listen desetup routine. + - Fix asynclook unit test for setup of lockchecks before log. + +20 August 2021: Wouter + - Fix #529: Fix: log_assert does nothing if UNBOUND_DEBUG is + undefined. + - Fix #531: Fix: passed to proc after free. + +17 August 2021: Wouter + - Fix that --with-ssl can use "/usr/include/openssl11" to pass the + location of a different openssl version. + - Fix #527: not sending quad9 cert to syslog (and may be more). + - Fix sed script in ssldir split handling. + +16 August 2021: George + - Merge PR #528 from fobser: Make sldns_str2wire_svcparam_buf() + static. + +16 August 2021: Wouter + - Fix to support harden-algo-downgrade for ZONEMD dnssec checks. + +13 August 2021: Wouter + - Support using system-wide crypto policies. + - Fix for #431: Squelch permission denied errors for udp connect, + and udp send, they are visible at higher verbosity settings. + - Fix zonemd verification of key that is not in DNS but in the zone + and needs a chain of trust. + - zonemd, fix order of bogus printout string manipulation. + +12 August 2021: George + - Merge PR #514, from ziollek: Docker environment for run tests. + - For #514: generate configure. + +12 August 2021: Wouter + - And 1.13.2rc1 became the 1.13.2 with the fix for the python module + build. The current code repository continues with version 1.13.3. 
+ - Add test tool readzone to .gitignore. + - Merge #521: Update mini_event.c. + - Merge #523: fix: free() call more than once with the same pointer. + - Merge #519: Support for selective enabling tcp-upstream for + stub/forward zones. + - For #519: note stub-tcp-upstream and forward-tcp-upstream in + the example configuration file. + - For #519: yacc and lex. And fix python bindings, and test program + unbound-dnstap-socket. + - For #519: fix comments for doxygen. + - Fix to print error from unbound-anchor for writing to the key + file, also when not verbose. + 5 August 2021: Wouter - Tag for 1.13.2rc1 release. - Fix #520: Unbound 1.13.2rc1 fails to build python module.
_service:tar_scm:unbound-1.13.2.tar.gz/doc/README -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/README
Changed
@@ -1,4 +1,4 @@ -README for Unbound 1.13.2 +README for Unbound 1.17.1 Copyright 2007 NLnet Labs http://unbound.net
_service:tar_scm:unbound-1.13.2.tar.gz/doc/README.tests -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/README.tests
Changed
@@ -15,6 +15,14 @@ * xxd and nc (optional) - for (malformed) packet transmission. The optional programs are detected and can be omitted. +You can also use prepared Dockerfile to run tests inside docker based on latest gcc image: +* build container: docker build -t unbound-tester -f contrib/Dockerfile.tests . +* run container: docker run -it --mount type=bind,source="$(pwd)",target=/usr/src/unbound --rm unbound-tester +* configure environment: ./configure +* run test: make test +* run long tests: make longtest +It is worth to mention that you need to enable ipv6 in your docker daemon configuration(https://docs.docker.com/config/daemon/ipv6/) because some tests need ipv6 network stack. + testdata/ contains the data for tests. testcode/ contains scripts and c code for the tests.
_service:tar_scm:unbound-1.13.2.tar.gz/doc/example.conf.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/example.conf.in
Changed
@@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.13.2. +# See unbound.conf(5) man page, version 1.17.1. # # this is a comment. @@ -17,7 +17,7 @@ # whitespace is not necessary, but looks cleaner. # verbosity number, 0 is least verbose. 1 is default. - verbosity: 1 + # verbosity: 1 # print statistics to the log (for every thread) every N seconds. # Set to "" or 0 to disable. Default is disabled. @@ -35,9 +35,14 @@ # statistics-cumulative: no # enable extended statistics (query types, answer codes, status) - # printed from unbound-control. default off, because of speed. + # printed from unbound-control. Default off, because of speed. # extended-statistics: no + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. + # Default on. + # statistics-inhibit-zero: yes + # number of threads to create. 1 disables threading. # num-threads: 1 @@ -50,11 +55,16 @@ # interface: 192.0.2.154 # interface: 192.0.2.154@5003 # interface: 2001:DB8::5 + # interface: eth0@5003 # enable this feature to copy the source address of queries to reply. # Socket options are not supported on all platforms. experimental. # interface-automatic: no + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. + # interface-automatic-ports: "" + # port to answer queries from # port: 53 
@@ -82,13 +92,13 @@ # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # outgoing-port-permit: 32768 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -164,6 +174,19 @@ # perform connect for UDP sockets to mitigate ICMP side channel. # udp-connect: yes + # The number of retries, per upstream nameserver in a delegation, when + # a throwaway response (also timeouts) is received. + # outbound-msg-retry: 5 + + # Hard limit on the number of outgoing queries Unbound will make while + # resolving a name, making sure large NS sets do not loop. + # It resets on query restarts (e.g., CNAME) and referrals. + # max-sent-count: 32 + + # Hard limit on the number of times Unbound is allowed to restart a + # query upon encountering a CNAME record. + # max-query-restarts: 11 + # msec for waiting for an unknown server to reply. Increase if you # are behind a slow satellite link, to eg. 1128. # unknown-server-time-limit: 376 @@ -195,6 +218,9 @@ # minimum wait time for responses, increase if uplink is long. In msec. # infra-cache-min-rtt: 50 + # maximum wait time for responses. In msec. + # infra-cache-max-rtt: 120000 + # enable to make server probe down hosts more frequently. # infra-keep-probing: no 
@@ -206,7 +232,8 @@ # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 - # define a number of tags here, use with local-zone, access-control. + # define a number of tags here, use with local-zone, access-control, + # interface-*. # repeat the define-tag statement to add additional tags. # define-tag: "tag1 tag2 tag3" @@ -251,7 +278,7 @@ # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries @@ -262,9 +289,7 @@ # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow @@ -273,7 +298,7 @@ # are tagged with one of these tags. # access-control-tag: 192.0.2.0/24 "tag2 tag3" - # set action for particular tag for given access control element + # set action for particular tag for given access control element. # if you have multiple tag values, the tag used to lookup the action # is the first tag match between access-control-tag and local-zone-tag # where "first" comes from the order of the define-tag values. 
@@ -285,6 +310,58 @@ # Set view for access control element # access-control-view: 192.0.2.0/24 viewname + # Similar to 'access-control:' but for interfaces. + # Control which listening interfaces are allowed to accept (recursive) + # queries for this server. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the action. + # The actions are the same as 'access-control:' above. + # By default all the interfaces configured are refused. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-action: 192.0.2.153 allow + # interface-action: 192.0.2.154 allow + # interface-action: 192.0.2.154@5003 allow + # interface-action: 2001:DB8::5 allow + # interface-action: eth0@5003 allow + + # Similar to 'access-control-tag:' but for interfaces. + # Tag interfaces with a list of tags (in "" with spaces between). + # Interfaces using these tags use localzones that are tagged with one + # of these tags. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the list of tags. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag: eth0@5003 "tag2 tag3" + + # Similar to 'access-control-tag-action:' but for interfaces. + # Set action for particular tag for a given interface element. + # If you have multiple tag values, the tag used to lookup the action + # is the first tag match between interface-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and action. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-action: eth0@5003 tag3 refuse + + # Similar to 'access-control-tag-data:' but for interfaces. 
+ # Set redirect data for a particular tag for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and the redirect data. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" + + # Similar to 'access-control-view:' but for interfaces. + # Set view for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the view name. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-view: eth0@5003 viewname + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -304,7 +381,7 @@ # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/urandom (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -439,7 +516,7 @@ # Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN # and other denials, using information from previous NXDOMAINs answers. - # aggressive-nsec: no + # aggressive-nsec: yes # Use 0x20-encoded random bits in the query to foil spoof attempts. # This feature is an experimental implementation of draft dns-0x20. 
@@ -514,7 +591,7 @@ # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). + # you start Unbound (i.e. in the system boot scripts). # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). @@ -582,7 +659,7 @@ # val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no @@ -612,7 +689,7 @@ # Return the original TTL as received from the upstream name server rather # than the decrementing TTL as stored in the cache. Enabling this feature - # does not impact cache expiry, it only changes the TTL unbound embeds in + # does not impact cache expiry, it only changes the TTL Unbound embeds in # responses to queries. Note that enabling this feature implicitly disables # enforcement of the configured minimum and maximum TTL. # serve-original-ttl: no @@ -666,6 +743,7 @@ # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "home.arpa." nodefault # local-zone: "onion." nodefault # local-zone: "test." nodefault # local-zone: "invalid." nodefault 
@@ -705,9 +783,9 @@ # Add example.com into ipset # local-zone: "example.com" ipset - # If unbound is running service for the local host then it is useful + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no @@ -807,6 +885,8 @@ # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # and on other systems, the default openssl certificates + # tls-system-cert: no # Pad queries over TLS upstreams # pad-queries: yes @@ -836,6 +916,10 @@ # Disable TLS for DNS-over-HTTP downstream service. # http-notls-downstream: no + # The interfaces that use these listed port numbers will support and + # expect PROXYv2. For UDP and TCP/TLS interfaces. + # proxy-protocol-port: portno for each of the port numbers. + # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 @@ -856,6 +940,10 @@ # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no + # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. # ratelimit-for-domain: example.com 1000 
@@ -876,6 +964,10 @@ # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + # Limit the number of connections simultaneous from a netblock # tcp-connection-limit: 192.0.2.0/24 12 @@ -885,7 +977,15 @@ # the number of servers that will be used in the fast server selection. # fast-server-num: 3 - # Specific options for ipsecmod. unbound needs to be configured with + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + # ede: no + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + # ede-serve-expired: no + + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in @@ -897,7 +997,7 @@ # listed in module-config (above). # ipsecmod-hook: "./my_executable" # - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -962,10 +1062,10 @@ # For local sockets this option is ignored, and TLS is not used. # control-use-cert: "yes" - # unbound server key file. + # Unbound server key file. # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. # server-cert-file: "@UNBOUND_RUN_DIR@/unbound_server.pem" # unbound-control key file. @@ -987,6 +1087,7 @@ # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-tcp-upstream: no # stub-tls-upstream: no # stub-no-cache: no # stub-zone: 
@@ -1004,6 +1105,7 @@ # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-tcp-upstream: no # forward-tls-upstream: no # forward-no-cache: no # forward-zone: @@ -1017,8 +1119,8 @@ # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also # download it), primary: fetches with AXFR and IXFR, or url to zonefile. -# With allow-notify: you can give additional (apart from primaries) sources of -# notifies. +# With allow-notify: you can give additional (apart from primaries and urls) +# sources of notifies. # auth-zone: # name: "." # primary: 199.9.14.201 # b.root-servers.net @@ -1066,8 +1168,9 @@ # local-zone: "example.com" refuse # DNSCrypt +# To enable, use --enable-dnscrypt to configure before compiling. # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: @@ -1086,7 +1189,9 @@ # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be # included in module-config, just before the iterator module. 
@@ -1096,6 +1201,7 @@ # secret-seed: "default" # # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port @@ -1107,7 +1213,9 @@ # IPSet # Add specify domain into set via ipset. -# Note: To enable ipset unbound needs to run as root user. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. # ipset: # # set name for ip v4 addresses # name-v4: "list-v4" @@ -1115,9 +1223,10 @@ # name-v6: "list-v6" # -# Dnstap logging support, if compiled in. To enable, set the dnstap-enable -# to yes and also some of dnstap-log-..-messages to yes. And select an -# upstream log destination, by socket path, TCP or TLS destination. +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. # dnstap: # dnstap-enable: no # # if set to yes frame streams will be used in bidirectional mode @@ -1130,7 +1239,7 @@ # dnstap-tls: yes # # name for authenticating the upstream server. or "" disabled. # dnstap-tls-server-name: "" -# # if "", it uses the cert bundle from the main unbound config. +# # if "", it uses the cert bundle from the main Unbound config. # dnstap-tls-cert-bundle: "" # # key file for client authentication, or "" disabled. # dnstap-tls-client-key-file: "" 
@@ -1150,10 +1259,11 @@ # dnstap-log-forwarder-response-messages: no # Response Policy Zones -# RPZ policies. Applied in order of configuration. QNAME and Response IP -# Address trigger are the only supported triggers. Supported actions are: -# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from -# file, using zone transfer, or using HTTP. The respip module needs to be added +# RPZ policies. Applied in order of configuration. QNAME, Response IP +# Address, nsdname, nsip and clientip triggers are supported. Supported +# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only +# and drop. Policies can be loaded from a file, or using zone +# transfer, or using HTTP. The respip module needs to be added # to the module-config, e.g.: module-config: "respip validator iterator". # rpz: # name: "rpz.example.com" @@ -1165,4 +1275,6 @@ # rpz-cname-override: www.example.org # rpz-log: yes # rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no # tags: "example"
_service:tar_scm:unbound-1.13.2.tar.gz/doc/libunbound.3.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/libunbound.3.in
Changed
@@ -1,4 +1,4 @@
-.TH "libunbound" "3" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2"
+.TH "libunbound" "3" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1"
 .\"
 .\" libunbound.3 -- unbound library functions manual
 .\"
@@ -44,7 +44,7 @@
 .B ub_ctx_zone_remove,
 .B ub_ctx_data_add,
 .B ub_ctx_data_remove
-\- Unbound DNS validating resolver 1.13.2 functions.
+\- Unbound DNS validating resolver 1.17.1 functions.
 .SH "SYNOPSIS"
 .B #include <unbound.h>
 .LP
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound-anchor.8.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound-anchor.8.in
Changed
@@ -1,4 +1,4 @@ -.TH "unbound-anchor" "8" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2" +.TH "unbound-anchor" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-anchor.8 -- unbound anchor maintenance utility manual .\" @@ -41,7 +41,7 @@ .P It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), +It performs a https fetch of root-anchors.xml and checks the results (RFC7958), if all checks are successful, it updates the root anchor file. Otherwise the root anchor file is unchanged. It performs RFC5011 tracking if the DNSSEC information available via the DNS makes that possible. @@ -159,7 +159,7 @@ The root keys and update certificate included in this tool are provided for convenience and under the terms of our license (see the LICENSE file in the source distribution or -http://unbound.nlnetlabs.nl/svn/trunk/LICENSE) and might be stale or +https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or not suitable to your purpose. .P By running "unbound\-anchor \-l" the keys and certificate that are @@ -185,5 +185,5 @@ .I https://data.iana.org/root\-anchors/root\-anchors.p7s Signature on the root key information. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8).
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound-checkconf.8.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound-checkconf.8.in
Changed
@@ -1,4 +1,4 @@ -.TH "unbound-checkconf" "8" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2" +.TH "unbound-checkconf" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-checkconf.8 -- unbound configuration checker manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" unbound\-checkconf -\- Check unbound configuration file for errors. +\- Check Unbound configuration file for errors. .SH "SYNOPSIS" .B unbound\-checkconf .RB \-h @@ -21,8 +21,8 @@ .B Unbound\-checkconf checks the configuration file for the \fIunbound\fR(8) -DNS resolver for syntax and other errors. -The config file syntax is described in +DNS resolver for syntax and other errors. +The config file syntax is described in \fIunbound.conf\fR(5). .P The available options are: @@ -34,19 +34,19 @@ Print full pathname, with chroot applied to it. Use with the \-o option. .TP .B \-o\fI option -If given, after checking the config file the value of this option is +If given, after checking the config file the value of this option is printed to stdout. For "" (disabled) options an empty line is printed. .TP .I cfgfile -The config file to read with settings for unbound. It is checked. +The config file to read with settings for Unbound. It is checked. If omitted, the config file at the default location is checked. .SH "EXIT CODE" -The unbound\-checkconf program exits with status code 1 on error, +The unbound\-checkconf program exits with status code 1 on error, 0 for a correct config file. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8).
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound-control.8.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound-control.8.in
Changed
@@ -1,4 +1,4 @@ -.TH "unbound-control" "8" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2" +.TH "unbound-control" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-control.8 -- unbound remote control manual .\" @@ -14,15 +14,15 @@ .SH "SYNOPSIS" .B unbound\-control .RB \-hq -.RB \-c +.RB \-c .IR cfgfile -.RB \-s +.RB \-s .IR server .IR command .SH "DESCRIPTION" .B Unbound\-control performs remote administration on the \fIunbound\fR(8) DNS server. -It reads the configuration file, contacts the unbound server over SSL +It reads the configuration file, contacts the Unbound server over SSL sends the command and displays the result. .P The available options are: @@ -44,8 +44,8 @@ There are several commands that the server understands. .TP .B start -Start the server. Simply execs \fIunbound\fR(8). The unbound executable -is searched for in the \fBPATH\fR set in the environment. It is started +Start the server. Simply execs \fIunbound\fR(8). The Unbound executable +is searched for in the \fBPATH\fR set in the environment. It is started with the config file specified using \fI\-c\fR or the default config file. .TP .B stop @@ -54,6 +54,12 @@ .B reload Reload the server. This flushes the cache and reads the config file fresh. .TP +.B reload_keep_cache +Reload the server but try to keep the RRset and message cache if +(re)configuration allows for it. +That means the caches sizes and the number of threads must not change between +reloads. +.TP .B verbosity \fInumber Change verbosity value for logging. Same values as \fBverbosity\fR keyword in \fIunbound.conf\fR(5). This new setting lasts until the server is issued 
@@ -65,8 +71,8 @@ attempt to close and open the syslog (which may not work if chrooted). .TP .B stats -Print statistics. Resets the internal counters to zero, this can be -controlled using the \fBstatistics\-cumulative\fR config statement. +Print statistics. Resets the internal counters to zero, this can be +controlled using the \fBstatistics\-cumulative\fR config statement. Statistics are printed with one name: value per line. .TP .B stats_noreset @@ -74,7 +80,7 @@ reset the internal counters to zero. .TP .B status -Display server status. Exit code 3 if not running (the connection to the +Display server status. Exit code 3 if not running (the connection to the port is refused), 1 on error, 0 if running. .TP .B local_zone \fIname\fR \fItype @@ -88,14 +94,14 @@ .B local_data \fIRR data... Add new local data, the given resource record. Like \fBlocal\-data\fR config statement, except for when no covering zone exists. In that case -this remote control command creates a transparent zone with the same +this remote control command creates a transparent zone with the same name as this record. .TP .B local_data_remove \fIname Remove all RR data from local name. If the name already has no items, nothing happens. Often results in NXDOMAIN for the name (in a static zone), -but if the name has become an empty nonterminal (there is still data in -domain names below the removed name), NOERROR nodata answers are the +but if the name has become an empty nonterminal (there is still data in +domain names below the removed name), NOERROR nodata answers are the result for that name. .TP .B local_zones 
@@ -125,22 +131,22 @@ in this way is supported in order to aid with debugging. .TP .B lookup \fIname -Print to stdout the name servers that would be used to look up the +Print to stdout the name servers that would be used to look up the name specified. .TP .B flush \fIname Remove the name from the cache. Removes the types -A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV and NAPTR. -Because that is fast to do. Other record types can be removed using -.B flush_type -or +A, AAAA, NS, SOA, CNAME, DNAME, MX, PTR, SRV, NAPTR, SVCB and HTTPS. +Because that is fast to do. Other record types can be removed using +.B flush_type +or .B flush_zone\fR. .TP .B flush_type \fIname\fR \fItype Remove the name, type information from the cache. .TP .B flush_zone \fIname -Remove all information at or below the name from the cache. +Remove all information at or below the name from the cache. The rrsets and key entries are removed so that new lookups will be performed. This needs to walk and inspect the entire cache, and is a slow operation. The entries are set to expired in the implementation of this command (so, @@ -187,7 +193,7 @@ must be between the option and the value. Some values may not have an effect if set this way, the new values are not written to the config file, not all options are supported. This is different from the set_option call -in libunbound, where all values work because unbound has not been initialized. +in libunbound, where all values work because Unbound has not been initialized. .IP The values that work are: statistics\-interval, statistics\-cumulative, do\-not\-query\-localhost, harden\-short\-bufsize, harden\-large\-queries, 
@@ -227,36 +233,36 @@ .TP .B insecure_add \fIzone Add a \fBdomain\-insecure\fR for the given zone, like the statement in unbound.conf. -Adds to the running unbound without affecting the cache contents (which may +Adds to the running Unbound without affecting the cache contents (which may still be bogus, use \fBflush_zone\fR to remove it), does not affect the config file. .TP .B insecure_remove \fIzone Removes domain\-insecure for the given zone. .TP .B forward_add \fR\fI+i\fR \fIzone addr ... -Add a new forward zone to running unbound. With +i option also adds a +Add a new forward zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone (so it can resolve insecurely if you have a DNSSEC root trust anchor configured for other names). The addr can be IP4, IP6 or nameserver names, like \fIforward-zone\fR config in unbound.conf. .TP .B forward_remove \fR\fI+i\fR \fIzone -Remove a forward zone from running unbound. The +i also removes a +Remove a forward zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B stub_add \fR\fI+ip\fR \fIzone addr ... -Add a new stub zone to running unbound. With +i option also adds a +Add a new stub zone to running Unbound. With +i option also adds a \fIdomain\-insecure\fR for the zone. With +p the stub zone is set to prime, without it it is set to notprime. The addr can be IP4, IP6 or nameserver names, like the \fIstub-zone\fR config in unbound.conf. .TP .B stub_remove \fR\fI+i\fR \fIzone -Remove a stub zone from running unbound. The +i also removes a +Remove a stub zone from running Unbound. The +i also removes a \fIdomain\-insecure\fR for the zone. .TP .B forward \fR\fIoff\fR | \fIaddr ...\fR Setup forwarding mode. Configures if the server should ask other upstream -nameservers, should go to the internet root nameservers itself, or show +nameservers, should go to the internet root nameservers itself, or show the current config. 
You could pass the nameservers after a DHCP update. .IP Without arguments the current list of addresses used to forward all queries @@ -289,20 +295,22 @@ ips are dropped before checking the cache. .TP .B list_auth_zones -List the auth zones that are configured. Printed one per line with a -status, indicating if the zone is expired and current serial number. +List the auth zones that are configured. Printed one per line with a status, +indicating if the zone is expired and current serial number. Configured RPZ +zones are included. .TP .B auth_zone_reload \fIzone\fR -Reload the auth zone from zonefile. The zonefile is read in overwriting -the current contents of the zone in memory. This changes the auth zone -contents itself, not the cache contents. Such cache contents exists if -you set unbound to validate with for-upstream yes and that can be cleared -with \fBflush_zone\fR \fIzone\fR. +Reload the auth zone (or RPZ zone) from zonefile. The zonefile is read in +overwriting the current contents of the zone in memory. This changes the auth +zone contents itself, not the cache contents. Such cache contents exists if +you set Unbound to validate with for-upstream yes and that can be cleared with +\fBflush_zone\fR \fIzone\fR. .TP .B auth_zone_transfer \fIzone\fR -Transfer the auth zone from master. The auth zone probe sequence is started, -where the masters are probed to see if they have an updated zone (with the SOA -serial check). And then the zone is transferred for a newer zone version. +Transfer the auth zone (or RPZ zone) from master. The auth zone probe sequence +is started, where the masters are probed to see if they have an updated zone +(with the SOA serial check). And then the zone is transferred for a newer zone +version. .TP .B rpz_enable \fIzone\fR Enable the RPZ zone if it had previously been disabled. 
@@ -336,7 +344,7 @@ .SH "EXIT CODE" The unbound\-control program exits with status code 1 on error, 0 on success. .SH "SET UP" -The setup requires a self\-signed certificate and private keys for both +The setup requires a self\-signed certificate and private keys for both the server and client. The script \fIunbound\-control\-setup\fR generates these in the default run directory, or with \-d in another directory. If you change the access control permissions on the key files you can decide @@ -350,7 +358,7 @@ a username in unbound.conf, the keys need read permission for the user credentials under which the daemon is started. The script preserves private keys present in the directory. -After running the script as root, turn on \fBcontrol\-enable\fR in +After running the script as root, turn on \fBcontrol\-enable\fR in \fIunbound.conf\fR. .SH "STATISTIC COUNTERS" The \fIstats\fR command shows a number of statistic counters. @@ -417,8 +425,8 @@ .TP .I threadX.recursion.time.median The median of the time it took to answer queries that needed recursive -processing. The median means that 50% of the user queries were answered in -less than this time. Because of big outliers (usually queries to non +processing. The median means that 50% of the user queries were answered in +less than this time. Because of big outliers (usually queries to non responsive servers), the average can be bigger than the median. This median has been calculated by interpolation from a histogram. .TP 
@@ -544,32 +552,36 @@ Also printed for other opcodes, UPDATE, ... .TP .I num.query.tcp -Number of queries that were made using TCP towards the unbound server. +Number of queries that were made using TCP towards the Unbound server. .TP .I num.query.tcpout -Number of queries that the unbound server made using TCP outgoing towards +Number of queries that the Unbound server made using TCP outgoing towards +other servers. +.TP +.I num.query.udpout +Number of queries that the Unbound server made using UDP outgoing towards other servers. .TP .I num.query.tls -Number of queries that were made using TLS towards the unbound server. +Number of queries that were made using TLS towards the Unbound server. These are also counted in num.query.tcp, because TLS uses TCP. .TP .I num.query.tls.resume Number of TLS session resumptions, these are queries over TLS towards -the unbound server where the client negotiated a TLS session resumption key. +the Unbound server where the client negotiated a TLS session resumption key. .TP .I num.query.https -Number of queries that were made using HTTPS towards the unbound server. +Number of queries that were made using HTTPS towards the Unbound server. These are also counted in num.query.tcp and num.query.tls, because HTTPS uses TLS and TCP. .TP .I num.query.ipv6 -Number of queries that were made using IPv6 towards the unbound server. +Number of queries that were made using IPv6 towards the Unbound server. .TP .I num.query.flags.RD The number of queries that had the RD flag set in the header. Also printed for flags QR, AA, TC, RA, Z, AD, CD. -Note that queries with flags QR, AA or TC may have been rejected +Note that queries with flags QR, AA or TC may have been rejected because of that. .TP .I num.query.edns.present 
@@ -603,7 +615,7 @@ Common for AAAA lookups when an A record exists, and no AAAA. .TP .I num.answer.secure -Number of answers that were secure. The answer validated correctly. +Number of answers that were secure. The answer validated correctly. The AD bit might have been set in some of these answers, where the client signalled (with DO or AD bit in the query) that they were ready to accept the AD bit in the answer. @@ -644,7 +656,7 @@ .I dnscrypt_shared_secret.cache.count The number of items in the shared secret cache. These are precomputed shared secrets for a given client public key/server secret key pair. Shared secrets -are CPU intensive and this cache allows unbound to avoid recomputing the +are CPU intensive and this cache allows Unbound to avoid recomputing the shared secret when multiple dnscrypt queries are sent from the same client. .TP .I dnscrypt_nonce.cache.count @@ -684,16 +696,16 @@ .TP .I num.rpz.action.<rpz_action> Number of queries answered using configured RPZ policy, per RPZ action type. -Possible actions are: nxdomain, nodata, passthru, drop, local_data, disabled, -and cname_override. +Possible actions are: nxdomain, nodata, passthru, drop, tcp\-only, local\-data, +disabled, and cname\-override. .SH "FILES" .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_RUN_DIR@ directory with private keys (unbound_server.key and unbound_control.key) and self\-signed certificates (unbound_server.pem and unbound_control.pem). .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8).
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound-host.1.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound-host.1.in
Changed
@@ -1,4 +1,4 @@ -.TH "unbound\-host" "1" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2" +.TH "unbound\-host" "1" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound-host.1 -- unbound DNS lookup utility .\" @@ -15,7 +15,7 @@ .RB \-C .IR configfile .RB \-vdhr46D -.RB \-c +.RB \-c .IR class .RB \-t .IR type @@ -28,12 +28,12 @@ .I hostname .SH "DESCRIPTION" .B Unbound\-host -uses the unbound validating resolver to query for the hostname and display -results. With the \fB\-v\fR option it displays validation +uses the Unbound validating resolver to query for the hostname and display +results. With the \fB\-v\fR option it displays validation status: secure, insecure, bogus (security failure). .P By default it reads no configuration file whatsoever. It attempts to reach -the internet root servers. With \fB\-C\fR an unbound config file and with +the internet root servers. With \fB\-C\fR an Unbound config file and with \fB\-r\fR resolv.conf can be read. .P The available options are: @@ -73,7 +73,7 @@ .TP .B \-D Enables DNSSEC validation. Reads the root anchor from the default configured -root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. +root anchor at the default location, \fI@UNBOUND_ROOTKEY_FILE@\fR. .TP .B \-f \fIkeyfile Reads keys from a file. Every line has a DS or DNSKEY record, in the format @@ -110,9 +110,9 @@ .P $ unbound\-host \-v \-y "example.com DS 31560 5 1 1CFED84787E6E19CCF9372C1187325972FE546CD" 192.0.2.153 .SH "EXIT CODE" -The unbound\-host program exits with status code 1 on error, +The unbound\-host program exits with status code 1 on error, 0 on no error. The data may not be available on exit code 0, exit code 1 means the lookup encountered a fatal error. .SH "SEE ALSO" -\fIunbound.conf\fR(5), +\fIunbound.conf\fR(5), \fIunbound\fR(8).
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound.8.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound.8.in
Changed
@@ -1,4 +1,4 @@ -.TH "unbound" "8" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2" +.TH "unbound" "8" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound.8 -- unbound manual .\" @@ -9,7 +9,7 @@ .\" .SH "NAME" .B unbound -\- Unbound DNS validating resolver 1.13.2. +\- Unbound DNS validating resolver 1.17.1. .SH "SYNOPSIS" .B unbound .RB \-h @@ -57,7 +57,7 @@ Show the version number and commandline option help, and exit. .TP .B \-c\fI cfgfile -Set the config file with settings for unbound to read instead of reading the +Set the config file with settings for Unbound to read instead of reading the file at the default location, @ub_conf_file@. The syntax is described in \fIunbound.conf\fR(5). .TP @@ -70,12 +70,12 @@ .TP .B \-p Don't use a pidfile. This argument should only be used by supervision -systems which can ensure that only one instance of unbound will run +systems which can ensure that only one instance of Unbound will run concurrently. .TP .B \-v Increase verbosity. If given multiple times, more information is logged. -This is in addition to the verbosity (if any) from the config file. +This is added to the verbosity (if any) from the config file. .TP .B \-V Show the version number and build options, and exit.
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound.conf.5.in -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound.conf.5.in
Changed
@@ -1,4 +1,4 @@ -.TH "unbound.conf" "5" "Aug 12, 2021" "NLnet Labs" "unbound 1.13.2" +.TH "unbound.conf" "5" "Jan 12, 2023" "NLnet Labs" "unbound 1.17.1" .\" .\" unbound.conf.5 -- unbound.conf manual .\" @@ -104,7 +104,7 @@ This is because the median calculation requires data to be present. .TP .B statistics\-cumulative: \fI<yes or no> -If enabled, statistics are cumulative since starting unbound, without clearing +If enabled, statistics are cumulative since starting Unbound, without clearing the statistics counters after logging the statistics. Default is no. .TP .B extended\-statistics: \fI<yes or no> @@ -112,13 +112,21 @@ Default is off, because keeping track of more statistics takes time. The counters are listed in \fIunbound\-control\fR(8). .TP +.B statistics\-inhibit\-zero: \fI<yes or no> +If enabled, selected extended statistics with a value of 0 are inhibited from +printing with \fIunbound\-control\fR(8). +These are query types, query classes, query opcodes, answer rcodes +(except NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMPL, REFUSED) and +RPZ actions. +Default is on. +.TP .B num\-threads: \fI<number> The number of threads to create to serve clients. Use 1 for no threading. .TP .B port: \fI<port number> The port number, default 53, on which the server responds to queries. .TP -.B interface: \fI<ip address@port> +.B interface: \fI<ip address or interface name @port> Interface to use to connect to the network. This interface is listened to for queries from clients, and answers to clients are given from it. Can be given multiple times to work on several interfaces. If none are 
@@ -129,17 +137,26 @@ interface and port number), if not specified the default port (from \fBport\fR) is used. .TP -.B ip\-address: \fI<ip address@port> +.B ip\-address: \fI<ip address or interface name @port> Same as interface: (for ease of compatibility with nsd.conf). .TP .B interface\-automatic: \fI<yes or no> Listen on all addresses on all (current and future) interfaces, detect the source interface on UDP queries and copy them to replies. This is a lot like ip\-transparent, but this option services all interfaces whilst with -ip\-transparent you can select which (future) interfaces unbound provides +ip\-transparent you can select which (future) interfaces Unbound provides service on. This feature is experimental, and needs support in your OS for particular socket options. Default value is no. .TP +.B interface\-automatic\-ports: \fI<string> +List the port numbers that interface-automatic listens on. If empty, the +default port is listened on. The port numbers are separated by spaces in the +string. Default is "". +.IP +This can be used to have interface automatic to deal with the interface, +and listen on the normal port number, by including it in the list, and +also https or dns over tls port numbers by putting them in the list as well. +.TP .B outgoing\-interface: \fI<ip address or ip6 netblock> Interface to use to connect to the network. This interface is used to send queries to authoritative servers and receive their replies. Can be given @@ -154,7 +171,7 @@ If an IPv6 netblock is specified instead of an individual IPv6 address, outgoing UDP queries will use a randomised source address taken from the netblock to counter spoofing. Requires the IPv6 netblock to be routed to the -host running unbound, and requires OS support for unprivileged non-local binds +host running Unbound, and requires OS support for unprivileged non-local binds (currently only supported on Linux). Several netblocks may be specified with multiple .B outgoing\-interface: 
@@ -174,7 +191,7 @@ very large value is best, use libevent to make this possible. .TP .B outgoing\-port\-permit: \fI<port number or range> -Permit unbound to open this port or range of ports for use to send queries. +Permit Unbound to open this port or range of ports for use to send queries. A larger number of permitted outgoing ports increases resilience against spoofing attempts. Make sure these ports are not needed by other daemons. By default only ports above 1024 that have not been assigned by IANA are used. @@ -187,8 +204,8 @@ of allowed ports. .TP .B outgoing\-port\-avoid: \fI<port number or range> -Do not permit unbound to open this port or range of ports for use to send -queries. Use this to make sure unbound does not grab a port that another +Do not permit Unbound to open this port or range of ports for use to send +queries. Use this to make sure Unbound does not grab a port that another daemon needs. The port is avoided on all outgoing interfaces, both IP4 and IP6. By default only ports above 1024 that have not been assigned by IANA are used. Give a port number or a range of the form "low\-high", without spaces. @@ -289,7 +306,7 @@ space on UDP port 53 incoming queries. So that short spikes on busy servers do not drop packets (see counter in netstat \-su). Default is 0 (use system value). Otherwise, the number of bytes to ask for, try -"4m" on a busy server. The OS caps it at a maximum, on linux unbound +"4m" on a busy server. The OS caps it at a maximum, on linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.rmem_max. On BSD change kern.ipc.maxsockbuf in /etc/sysctl.conf. On OpenBSD change header and recompile kernel. On Solaris ndd \-set 
@@ -302,7 +319,7 @@ can get logged, the buffer overrun is also visible by netstat \-su. Default is 0 (use system value). Specify the number of bytes to ask for, try "4m" on a very busy server. The OS caps it at a maximum, on -linux unbound needs root permission to bypass the limit, or the admin +linux Unbound needs root permission to bypass the limit, or the admin can use sysctl net.core.wmem_max. On BSD, Solaris changes are similar to so\-rcvbuf. .TP @@ -319,18 +336,18 @@ evenly, reported for Linux systems (4.4.x). .TP .B ip\-transparent: \fI<yes or no> -If yes, then use IP_TRANSPARENT socket option on sockets where unbound +If yes, then use IP_TRANSPARENT socket option on sockets where Unbound is listening for incoming traffic. Default no. Allows you to bind to non\-local interfaces. For example for non\-existent IP addresses that are going to exist later on, with host failover configuration. This is a lot like interface\-automatic, but that one services all interfaces -and with this option you can select which (future) interfaces unbound -provides service on. This option needs unbound to be started with root +and with this option you can select which (future) interfaces Unbound +provides service on. This option needs Unbound to be started with root permissions on some systems. The option uses IP_BINDANY on FreeBSD systems and SO_BINDANY on OpenBSD systems. .TP .B ip\-freebind: \fI<yes or no> -If yes, then use IP_FREEBIND socket option on sockets where unbound +If yes, then use IP_FREEBIND socket option on sockets where Unbound is listening to incoming traffic. Default no. Allows you to bind to IP addresses that are nonlocal or do not exist, like when the network interface or IP address is down. Exists only on Linux, where the similar 
@@ -340,7 +357,7 @@ The value of the Differentiated Services Codepoint (DSCP) in the differentiated services field (DS) of the outgoing IP packet headers. The field replaces the outdated IPv4 Type-Of-Service field and the -IPV6 traffic class field. +IPv6 traffic class field. .TP .B rrset\-cache\-size: \fI<number> Number of bytes size of the RRset cache. Default is 4 megabytes. @@ -386,6 +403,10 @@ cache. Default is 50 milliseconds. Increase this value if using forwarders needing more time to do recursive name resolution. .TP +.B infra\-cache\-max\-rtt: \fI<msec> +Upper limit for dynamic retransmit timeout calculation in infrastructure +cache. Default is 2 minutes. +.TP .B infra\-keep\-probing: \fI<yes or no> If enabled the server keeps probing hosts that are down, in the one probe at a time regime. Default is no. Hosts that are down, eg. they did @@ -403,7 +424,7 @@ Enable or disable whether ip6 queries are answered or issued. Default is yes. If disabled, queries are not answered on IPv6, and queries are not sent on IPv6 to the internet nameservers. With this option you can disable the -ipv6 transport for sending DNS traffic, it does not impact the contents of +IPv6 transport for sending DNS traffic, it does not impact the contents of the DNS traffic, which may have ip4 and ip6 addresses in it. .TP .B prefer\-ip4: \fI<yes or no> @@ -485,7 +506,9 @@ .TP .B tcp\-upstream: \fI<yes or no> Enable or disable whether the upstream queries use TCP only for transport. -Default is no. Useful in tunneling scenarios. +Default is no. Useful in tunneling scenarios. If set to no you can specify +TCP transport only for selected forward or stub zones using forward-tcp-upstream +or stub-tcp-upstream respectively. .TP .B udp\-upstream\-without\-downstream: \fI<yes or no> Enable udp upstream even if do-udp is no. Default is no, and this does not 
@@ -497,10 +520,11 @@ Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in TCP wireformat. The other server must support this (see \fBtls\-service\-key\fR). -If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert to -load CA certs, otherwise the connections cannot be authenticated. -This option enables TLS for all of them, but if you do not set this you can -configure TLS specifically for some forward zones with forward\-tls\-upstream. And also with stub\-tls\-upstream. +If you enable this, also configure a tls\-cert\-bundle or use tls\-win\-cert or +tls\-system\-cert to load CA certs, otherwise the connections cannot be +authenticated. This option enables TLS for all of them, but if you do not set +this you can configure TLS specifically for some forward zones with +forward\-tls\-upstream. And also with stub\-tls\-upstream. .TP .B ssl\-upstream: \fI<yes or no> Alternate syntax for \fBtls\-upstream\fR. If both are present in the config @@ -549,7 +573,12 @@ Add the system certificates to the cert bundle certificates for authentication. If no cert bundle, it uses only these certificates. Default is no. On windows this option uses the certificates from the cert store. Use -the tls\-cert\-bundle option on other systems. +the tls\-cert\-bundle option on other systems. On other systems, this option +enables the system certificates. +.TP +.B tls\-system\-cert: \fI<yes or no> +This the same setting as the tls\-win\-cert setting, under a different name. +Because it is not windows specific. .TP .B tls\-additional\-port: \fI<portnr> List portnumbers as tls\-additional\-port, and when interfaces are defined, 
@@ -558,7 +587,7 @@ .TP .B tls-session-ticket-keys: \fI<file> If not "", lists files with 80 bytes of random contents that are used to -perform TLS session resumption for clients using the unbound server. +perform TLS session resumption for clients using the Unbound server. These files contain the secret key for the TLS session tickets. First key use to encrypt and decrypt TLS session tickets. Other keys use to decrypt only. With this you can roll over to new keys, @@ -635,13 +664,24 @@ Disable use of TLS for the downstream DNS-over-HTTP connections. Useful for local back end servers. Default is no. .TP +.B proxy\-protocol\-port: \fI<portnr> +List port numbers as proxy\-protocol\-port, and when interfaces are defined, +eg. with the @port suffix, as this port number, they support and expect PROXYv2. +In this case the proxy address will only be used for the network communication +and initial ACL (check if the proxy itself is denied/refused by configuration). +The proxied address (if any) will then be used as the true client address and +will be used where applicable for logging, ACL, DNSTAP, RPZ and IP ratelimiting. +PROXYv2 is supported for UDP and TCP/TLS listening interfaces. +There is no support for PROXYv2 on a DoH or DNSCrypt listening interface. +Can list multiple, each on a new statement. +.TP .B use\-systemd: \fI<yes or no> Enable or disable systemd socket activation. Default is no. .TP .B do\-daemonize: \fI<yes or no> -Enable or disable whether the unbound server forks into the background as -a daemon. Set the value to \fIno\fR when unbound runs as systemd service. +Enable or disable whether the Unbound server forks into the background as +a daemon. Set the value to \fIno\fR when Unbound runs as systemd service. Default is yes. .TP .B tcp\-connection\-limit: \fI<IP netblock> <limit> 
@@ -654,7 +694,7 @@ classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. -The most specific netblock match is used, if none match \fIdeny\fR is used. +The most specific netblock match is used, if none match \fIrefuse\fR is used. The order of the access\-control statements therefore does not matter. .IP The action \fIdeny\fR stops queries from hosts from that netblock. @@ -668,7 +708,7 @@ .IP The \fIallow\fR action does allow nonrecursive queries to access the local\-data that is configured. The reason is that this does not involve -the unbound server recursive lookup algorithm, and static data is served +the Unbound server recursive lookup algorithm, and static data is served in the reply. This supports normal operations where nonrecursive queries are made for the authoritative data. For nonrecursive queries any replies from the dynamic cache are refused. 
@@ -720,6 +760,46 @@ .B access\-control\-view: \fI<IP netblock> <view name> Set view for given access control element. .TP +.B interface\-action: \fI<ip address or interface name @port> <action> +Similar to \fBaccess\-control:\fR but for interfaces. +.IP +The action is the same as the ones defined under \fBaccess\-control:\fR. +Interfaces are \fIrefuse\fRd by default. +By default only localhost (the IP netblock, not the loopback interface) is +\fIallow\fRed through the default \fBaccess\-control:\fR behavior. +.IP +Note that the interface needs to be already specified with \fBinterface:\fR +and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR +settings for targeted clients. +.TP +.B interface\-tag: \fI<ip address or interface name @port> <"list of tags"> +Similar to \fBaccess\-control-tag:\fR but for interfaces. +.IP +Note that the interface needs to be already specified with \fBinterface:\fR +and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR +settings for targeted clients. +.TP +.B interface\-tag\-action: \fI<ip address or interface name @port> <tag> <action> +Similar to \fBaccess\-control-tag-action:\fR but for interfaces. +.IP +Note that the interface needs to be already specified with \fBinterface:\fR +and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR +settings for targeted clients. +.TP +.B interface\-tag\-data: \fI<ip address or interface name @port> <tag> <"resource record string"> +Similar to \fBaccess\-control-tag-data:\fR but for interfaces. +.IP +Note that the interface needs to be already specified with \fBinterface:\fR +and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR +settings for targeted clients. +.TP +.B interface\-view: \fI<ip address or interface name @port> <view name> +Similar to \fBaccess\-control-view:\fR but for interfaces. 
+.IP +Note that the interface needs to be already specified with \fBinterface:\fR +and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR +settings for targeted clients. +.TP .B chroot: \fI<directory> If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the @@ -740,7 +820,7 @@ Unbound is not able to remove the pidfile after termination when it is located outside of the chroot directory. .IP -Additionally, unbound may need to access /dev/urandom (for entropy) +Additionally, Unbound may need to access /dev/urandom (for entropy) from inside the chroot. .IP If given a chroot is done to the given directory. By default chroot is @@ -774,7 +854,7 @@ SIGHUP. .TP .B use\-syslog: \fI<yes or no> -Sets unbound to send log messages to the syslogd, using +Sets Unbound to send log messages to the syslogd, using \fIsyslog\fR(3). The log facility LOG_DAEMON is used, with identity "unbound". The logfile setting is overridden when use\-syslog is turned on. @@ -784,7 +864,7 @@ If "" is given (default), then the name of the executable, usually "unbound" is used to report to the log. Enter a string to override it with that, which is useful on systems that run more than one instance of -unbound, with different configurations, so that the logs can be easily +Unbound, with different configurations, so that the logs can be easily distinguished against. .TP .B log\-time\-ascii: \fI<yes or no> 
@@ -872,12 +952,12 @@ If enabled trustanchor.unbound queries are refused. .TP .B target\-fetch\-policy: \fI<"list of numbers"> -Set the target fetch policy used by unbound to determine if it should fetch +Set the target fetch policy used by Unbound to determine if it should fetch nameserver target addresses opportunistically. The policy is described per dependency depth. .IP The number of values determines the maximum dependency depth -that unbound will pursue in answering a query. +that Unbound will pursue in answering a query. A value of \-1 means to fetch all targets opportunistically for that dependency depth. A value of 0 means to fetch on demand only. A positive value fetches that many targets opportunistically. @@ -971,7 +1051,7 @@ .B aggressive\-nsec: \fI<yes or no> Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other denials, using information from previous NXDOMAINs answers. -Default is no. It helps to reduce the query rate towards targets that get +Default is yes. It helps to reduce the query rate towards targets that get a very high nonexistent name lookup rate. .TP .B private\-address: \fI<IP address or subnet> @@ -1028,7 +1108,7 @@ .TP .B deny\-any: \fI<yes or no> If yes, deny queries of type ANY with an empty response. Default is no. -If disabled, unbound responds with a short list of resource records if some +If disabled, Unbound responds with a short list of resource records if some can be found in the cache and makes the upstream type ANY query if there are none. .TP 
@@ -1088,7 +1168,7 @@ The probes are run several times per month, thus the machine must be online frequently. The initial file can be one with contents as described in \fBtrust\-anchor\-file\fR. The file is written to when the anchor is updated, -so the unbound user must have write permission. Write permission to the file, +so the Unbound user must have write permission. Write permission to the file, but also to the directory it is in (to create a temporary file, which is necessary to deal with filesystem full events), it must also be inside the chroot (if that is used). @@ -1174,7 +1254,7 @@ that fails a line is printed to the logs. This way you can monitor what happens with validation. Use a diagnosis tool, such as dig or drill, to find out why validation is failing for these queries. At 2, not only -the query that failed is printed but also the reason why unbound thought +the query that failed is printed but also the reason why Unbound thought it was wrong and which server sent the faulty data. .TP .B val\-permissive\-mode: \fI<yes or no> 
@@ -1186,15 +1266,15 @@ The default value is "no". .TP .B ignore\-cd\-flag: \fI<yes or no> -Instruct unbound to ignore the CD flag from clients and refuse to +Instruct Unbound to ignore the CD flag from clients and refuse to return bogus answers to them. Thus, the CD (Checking Disabled) flag does not disable checking any more. This is useful if legacy (w2008) servers that set the CD flag but cannot validate DNSSEC themselves are -the clients, and then unbound provides them with DNSSEC protection. +the clients, and then Unbound provides them with DNSSEC protection. The default value is "no". .TP .B serve\-expired: \fI<yes or no> -If enabled, unbound attempts to serve old responses from cache with a +If enabled, Unbound attempts to serve old responses from cache with a TTL of \fBserve\-expired\-reply\-ttl\fR in the response without waiting for the actual resolution to finish. The actual resolution answer ends up in the cache later on. Default is "no". 
@@ -1225,14 +1305,14 @@ behavior. Default is 0. .TP .B serve\-original\-ttl: \fI<yes or no> -If enabled, unbound will always return the original TTL as received from +If enabled, Unbound will always return the original TTL as received from the upstream name server rather than the decrementing TTL as -stored in the cache. This feature may be useful if unbound serves as a -front-end to a hidden authoritative name server. Enabling this feature does -not impact cache expiry, it only changes the TTL unbound embeds in responses to +stored in the cache. This feature may be useful if Unbound serves as a +front-end to a hidden authoritative name server. Enabling this feature does +not impact cache expiry, it only changes the TTL Unbound embeds in responses to queries. Note that enabling this feature implicitly disables enforcement of -the configured minimum and maximum TTL, as it is assumed users who enable this -feature do not want unbound to change the TTL obtained from an upstream server. +the configured minimum and maximum TTL, as it is assumed users who enable this +feature do not want Unbound to change the TTL obtained from an upstream server. Thus, the values set using \fBcache\-min\-ttl\fR and \fBcache\-max\-ttl\fR are ignored. Default is "no". 
@@ -1293,11 +1373,11 @@ .TP .B unblock\-lan\-zones: \fI<yes or no> Default is disabled. If enabled, then for private address space, -the reverse lookups are no longer filtered. This allows unbound when +the reverse lookups are no longer filtered. This allows Unbound when running as dns service on a host where it provides service for that host, to put out all of the queries for the 'lan' upstream. When enabled, only localhost, 127.0.0.1 reverse and ::1 reverse zones are configured -with default local zones. Disable the option when unbound is running +with default local zones. Disable the option when Unbound is running as a (DHCP-) DNS network resolver for a group of machines, where such lookups should be filtered (RFC compliance), this also stops potential data leakage about the local network to the upstream DNS servers. @@ -1318,7 +1398,17 @@ .IP If you need more complicated authoritative data, with referrals, wildcards, CNAME/DNAME support, or DNSSEC authoritative service, setup a stub\-zone for -it as detailed in the stub zone section below. +it as detailed in the stub zone section below. A stub\-zone can be used to +have unbound send queries to another server, an authoritative server, to +fetch the information. With a forward\-zone, unbound sends queries to a server +that is a recursive server to fetch the information. With an auth\-zone a +zone can be loaded from file and used, it can be used like a local\-zone +for users downstream, or the auth\-zone information can be used to fetch +information from when resolving like it is an upstream server. The +forward\-zone and auth\-zone options are described in their sections below. +If you want to perform filtering of the information that the users can fetch, +the local\-zone and local\-data statements allow for this, but also the +rpz functionality can be used, described in the RPZ section. .TP 10 \h'5'\fIdeny\fR Do not send an answer, drop the query. 
@@ -1401,7 +1491,7 @@ to the query. If the view first is no, it'll resolve normally. If view first is enabled, it'll break perform that step and check the global answers. For when the view has view specific overrides but some zone has to be -answered from global local zone contents. +answered from global local zone contents. .TP 10 \h'5'\fInodefault\fR Used to turn off default contents for AS112 zones. The other types @@ -1410,13 +1500,13 @@ given zone. Use \fInodefault\fR if you use exactly that zone, if you want to use a subzone, use \fItransparent\fR. .P -The default zones are localhost, reverse 127.0.0.1 and ::1, the onion, test, -invalid and the AS112 zones. The AS112 zones are reverse DNS zones for -private use and reserved IP addresses for which the servers on the internet -cannot provide correct answers. They are configured by default to give -nxdomain (no reverse information) answers. The defaults can be turned off -by specifying your own local\-zone of that name, or using the 'nodefault' -type. Below is a list of the default zone contents. +The default zones are localhost, reverse 127.0.0.1 and ::1, the home.arpa, +the onion, test, invalid and the AS112 zones. The AS112 zones are reverse +DNS zones for private use and reserved IP addresses for which the servers +on the internet cannot provide correct answers. They are configured by +default to give nxdomain (no reverse information) answers. The defaults +can be turned off by specifying your own local\-zone of that name, or +using the 'nodefault' type. Below is a list of the default zone contents. .TP 10 \h'5'\fIlocalhost\fR The IP4 and IP6 localhost information is given. NS and SOA records are provided 
@@ -1457,6 +1547,15 @@ PTR localhost." .fi .TP 10 +\h'5'\fIhome.arpa (RFC 8375)\fR +Default content: +.nf +local\-zone: "home.arpa." static +local\-data: "home.arpa. 10800 IN NS localhost." +local\-data: "home.arpa. 10800 IN + SOA localhost. nobody.invalid. 1 3600 1200 604800 10800" +.fi +.TP 10 \h'5'\fIonion (RFC 7686)\fR Default content: .nf @@ -1580,7 +1679,7 @@ to redirect as specified by "\fIresource record string\fR". "Resource record string" is similar to that of \fIaccess-control-tag-action\fR, but it must be of either AAAA, A or CNAME types. -If the IP-netblock is an IPv6/IPV4 prefix, the record +If the IP-netblock is an IPv6/IPv4 prefix, the record must be AAAA/A respectively, unless it is a CNAME (which can be used for both versions of IP netblocks). If it is CNAME there must not be more than one \fIresponse-ip-data\fR for the same IP-netblock. @@ -1636,8 +1735,9 @@ ratelimited by this setting. The zone of the query is determined by examining the nameservers for it, the zone name is used to keep track of the rate. For example, 1000 may be a suitable value to stop the server from being -overloaded with random names, and keeps unbound from sending traffic to the -nameservers for those zones. +overloaded with random names, and keeps Unbound from sending traffic to the +nameservers for those zones. Configured forwarders are excluded from +ratelimiting. .TP 5 .B ratelimit\-size: \fI<memory size> Give the size of the data structure in which the current ongoing rates are 
@@ -1659,6 +1759,15 @@ and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ratelimit\-backoff: \fI<yes or no> +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 .B ratelimit\-for\-domain: \fI<domain> <number qps or 0> Override the global ratelimit for an exact match domain name with the listed number. You can give this for any number of names. For example, for @@ -1675,7 +1784,7 @@ A value of 0 will disable ratelimiting for domain names that end in this name. .TP 5 .B ip\-ratelimit: \fI<number or 0> -Enable global ratelimiting of queries accepted per ip address. +Enable global ratelimiting of queries accepted per IP address. If 0, the default, it is disabled. This option is experimental at this time. The ratelimit is in queries per second that are allowed. More queries are completely dropped and will not receive a reply, SERVFAIL or otherwise. 
@@ -1702,6 +1811,38 @@ and enter the cache, whilst also mitigating the traffic flow by the factor given. .TP 5 +.B ip\-ratelimit\-backoff: \fI<yes or no> +If enabled, the ratelimit is treated as a hard failure instead of the default +maximum allowed constant rate. When the limit is reached, traffic is +ratelimited and demand continues to be kept track of for a 2 second rate +window. No traffic is allowed, except for ip\-ratelimit\-factor, until demand +decreases below the configured ratelimit for a 2 second rate window. Useful to +set ip\-ratelimit to a suspicious rate to aggressively limit unusually high +traffic. Default is off. +.TP 5 +.B outbound\-msg\-retry: \fI<number> +The number of retries, per upstream nameserver in a delegation, that Unbound +will attempt in case a throwaway response is received. +No response (timeout) contributes to the retry counter. +If a forward/stub zone is used, this is the number of retries per nameserver in +the zone. +Default is 5. +.TP 5 +.B max\-sent\-count: \fI<number> +Hard limit on the number of outgoing queries Unbound will make while resolving +a name, making sure large NS sets do not loop. +Results in SERVFAIL when reached. +It resets on query restarts (e.g., CNAME) and referrals. +Default is 32. +.TP 5 +.B max\-query\-restarts: \fI<number> +Hard limit on the number of times Unbound is allowed to restart a query upon +encountering a CNAME record. +Results in SERVFAIL when reached. +Changing this value needs caution as it can allow long CNAME chains to be +accepted, where Unbound needs to verify (resolve) each link individually. +Default is 11. +.TP 5 .B fast\-server\-permil: \fI<number> Specify how many times out of 1000 to pick from the set of fastest servers. 0 turns the feature off. A value of 900 would pick from the fastest 
@@ -1726,12 +1867,27 @@ EDNS0 option code for the \fIedns\-client\-string\fR option, from 0 to 65535. A value from the `Reserved for Local/Experimental` range (65001-65534) should be used. Default is 65001. +.TP 5 +.B ede: \fI<yes or no> +If enabled, Unbound will respond with Extended DNS Error codes (RFC8914). +These EDEs attach informative error messages to a response for various +errors. Default is "no". + +When the \fBval-log-level\fR option is also set to \fB2\fR, responses with +Extended DNS Errors concerning DNSSEC failures that are not served from cache, +will also contain a descriptive text message about the reason for the failure. +.TP 5 +.B ede\-serve\-expired: \fI<yes or no> +If enabled, Unbound will attach an Extended DNS Error (RFC8914) Code 3 - Stale +Answer as EDNS0 option to the expired response. Note that this will not attach +the EDE code without setting the global \fBede\fR option to "yes" as well. +Default is "no". .SS "Remote Control Options" In the .B remote\-control: clause are the declarations for the remote control facility. If this is enabled, the \fIunbound\-control\fR(8) utility can be used to send -commands to the running unbound server. The server uses these clauses +commands to the running Unbound server. The server uses these clauses to setup TLSv1 security for the connection. The \fIunbound\-control\fR(8) utility also reads the \fBremote\-control\fR section for options. To setup the correct self\-signed certificates use the 
@@ -1741,17 +1897,19 @@ The option is used to enable remote control, default is "no". If turned off, the server does not listen for control commands. .TP 5 -.B control\-interface: \fI<ip address or path> +.B control\-interface: \fI<ip address or interface name or path> Give IPv4 or IPv6 addresses or local socket path to listen on for control commands. +If an interface name is used instead of an ip address, the list of ip addresses +on that interface are used. By default localhost (127.0.0.1 and ::1) is listened to. Use 0.0.0.0 and ::0 to listen to all interfaces. If you change this and permissions have been dropped, you must restart the server for the change to take effect. .IP -If you set it to an absolute path, a local socket is used. The local socket +If you set it to an absolute path, a unix domain socket is used. This socket does not use the certificates and keys, so those files need not be present. -To restrict access, unbound sets permissions on the file to the user and +To restrict access, Unbound sets permissions on the file to the user and group that is configured, the access bits are set to allow the group members to access the control socket file. Put users that need to access the socket in the that group. To restrict access further, create a directory to put 
@@ -1771,12 +1929,12 @@ .B server\-key\-file: \fI<private key file> Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, but not by \fIunbound\-control\fR. +This file is used by the Unbound server, but not by \fIunbound\-control\fR. .TP 5 .B server\-cert\-file: \fI<certificate file.pem> Path to the server self signed certificate, by default unbound_server.pem. This file is generated by the \fIunbound\-control\-setup\fR utility. -This file is used by the unbound server, and also by \fIunbound\-control\fR. +This file is used by the Unbound server, and also by \fIunbound\-control\fR. .TP 5 .B control\-key\-file: \fI<private key file> Path to the control client private key, by default unbound_control.key. 
@@ -1794,24 +1952,24 @@ .B stub\-zone: clauses. Each with a name: and zero or more hostnames or IP addresses. For the stub zone this list of nameservers is used. Class IN is assumed. -The servers should be authority servers, not recursors; unbound performs +The servers should be authority servers, not recursors; Unbound performs the recursive processing itself for stub zones. .P The stub zone can be used to configure authoritative data to be used by the resolver that cannot be accessed using the public internet servers. This is useful for company\-local data or private zones. Setup an authoritative server on a different host (or different port). Enter a config -entry for unbound with +entry for Unbound with .B stub\-addr: <ip address of host@port>. -The unbound resolver can then access the data, without referring to the +The Unbound resolver can then access the data, without referring to the public internet for it. .P This setup allows DNSSEC signed zones to be served by that authoritative server, in which case a trusted key entry with the public key -can be put in config, so that unbound can validate the data and set the AD +can be put in config, so that Unbound can validate the data and set the AD bit on replies for the private zone (authoritative servers do not set the -AD bit). This setup makes unbound capable of answering queries for the +AD bit). This setup makes Unbound capable of answering queries for the private zone, and can even set the AD bit ('authentic'), but the AA ('authoritative') bit is not set on these replies. .P 
@@ -1819,20 +1977,26 @@ for \fBlocal\-zone:\fI name nodefault\fR for the zone if it is a locally served zone. The insecure clause stops DNSSEC from invalidating the zone. The local zone nodefault (or \fItransparent\fR) clause makes the -(reverse\-) zone bypass unbound's filtering of RFC1918 zones. +(reverse\-) zone bypass Unbound's filtering of RFC1918 zones. .TP .B name: \fI<domain name> -Name of the stub zone. +Name of the stub zone. This is the full domain name of the zone. .TP .B stub\-host: \fI<domain name> Name of stub zone nameserver. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-addr: \fI<IP address> IP address of stub zone nameserver. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B stub\-prime: \fI<yes or no> This option is by default no. If enabled it performs NS set priming, 
@@ -1853,6 +2017,10 @@ .B stub\-ssl\-upstream: \fI<yes or no> Alternate syntax for \fBstub\-tls\-upstream\fR. .TP +.B stub\-tcp\-upstream: \fI<yes or no> +If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream. +Default is no. +.TP .B stub\-no\-cache: \fI<yes or no> Default is no. If enabled, data inside the stub is not cached. This is useful when you want immediate changes to be visible. @@ -1864,10 +2032,10 @@ addresses. For the forward zone this list of nameservers is used to forward the queries to. The servers listed as \fBforward\-host:\fR and \fBforward\-addr:\fR have to handle further recursion for the query. Thus, -those servers are not authority servers, but are (just like unbound is) -recursive servers too; unbound does not perform recursion itself for the +those servers are not authority servers, but are (just like Unbound is) +recursive servers too; Unbound does not perform recursion itself for the forward zone, it lets the remote server do it. Class IN is assumed. -CNAMEs are chased by unbound itself, asking the remote server for every +CNAMEs are chased by Unbound itself, asking the remote server for every name in the indirection chain, to protect the local cache from illegal indirect referenced items. A forward\-zone entry with name "." and a forward\-addr target will 
@@ -1875,17 +2043,23 @@ the cache). .TP .B name: \fI<domain name> -Name of the forward zone. +Name of the forward zone. This is the full domain name of the zone. .TP .B forward\-host: \fI<domain name> Name of server to forward to. Is itself resolved before it is used. +To use a nondefault port for DNS communication append '@' with the port number. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .TP .B forward\-addr: \fI<IP address> IP address of server to forward to. Can be IP 4 or IP 6. To use a nondefault port for DNS communication append '@' with the port number. -If tls is enabled, then you can append a '#' and a name, then it'll check -the tls authentication certificates with that name. If you combine -the '@' and '#', the '@' comes first. +If tls is enabled, then you can append a '#' and a name, then it'll check the +tls authentication certificates with that name. If you combine the '@' +and '#', the '@' comes first. If only '#' is used the default port is the +configured tls\-port. .IP At high verbosity it logs the TLS certificate, with TLS enabled. If you leave out the '#' and auth name from the forward\-addr, any @@ -1893,7 +2067,7 @@ .TP .B forward\-first: \fI<yes or no> If a forwarded query is met with a SERVFAIL error, and this option is -enabled, unbound will fall back to normal recursive resolution for this +enabled, Unbound will fall back to normal recursive resolution for this query as if no query forwarding had been specified. The default is "no". .TP .B forward\-tls\-upstream: \fI<yes or no> 
@@ -1905,6 +2079,10 @@ .B forward\-ssl\-upstream: \fI<yes or no> Alternate syntax for \fBforward\-tls\-upstream\fR. .TP +.B forward\-tcp\-upstream: \fI<yes or no> +If it is set to "yes" then upstream queries use TCP only for transport regardless of global flag tcp-upstream. +Default is no. +.TP .B forward\-no\-cache: \fI<yes or no> Default is no. If enabled, data inside the forward is not cached. This is useful when you want immediate changes to be visible. @@ -1915,7 +2093,7 @@ The authority zone with the name closest to the name looked up is used. Authority zones are processed after \fBlocal\-zones\fR and before cache (\fBfor\-downstream:\fR \fIyes\fR), and when used in this manner -make unbound respond like an authority server. Authority zones are also +make Unbound respond like an authority server. Authority zones are also processed after cache, just before going to the network to fetch information for recursion (\fBfor\-upstream:\fR \fIyes\fR), and when used in this manner provide a local copy of an authority server that speeds up 
@@ -1972,29 +2150,29 @@ When notified, the server attempts to first probe and then zone transfer. If the notify is from a primary, it first attempts that primary. Otherwise other primaries are attempted. If there are no primaries, but only urls, the -file is downloaded when notified. The primaries from primary: statements are -allowed notify by default. +file is downloaded when notified. The primaries from primary: and url: +statements are allowed notify by default. .TP .B fallback\-enabled: \fI<yes or no> -Default no. If enabled, unbound falls back to querying the internet as +Default no. If enabled, Unbound falls back to querying the internet as a resolver for this zone when lookups fail. For example for DNSSEC validation failures. .TP .B for\-downstream: \fI<yes or no> -Default yes. If enabled, unbound serves authority responses to -downstream clients for this zone. This option makes unbound behave, for +Default yes. If enabled, Unbound serves authority responses to +downstream clients for this zone. This option makes Unbound behave, for the queries with names in this zone, like one of the authority servers for -that zone. Turn it off if you want unbound to provide recursion for the +that zone. Turn it off if you want Unbound to provide recursion for the zone but have a local copy of zone data. If for\-downstream is no and -for\-upstream is yes, then unbound will DNSSEC validate the contents of the +for\-upstream is yes, then Unbound will DNSSEC validate the contents of the zone before serving the zone contents to clients and store validation results in the cache. .TP .B for\-upstream: \fI<yes or no> -Default yes. If enabled, unbound fetches data from this data collection +Default yes. If enabled, Unbound fetches data from this data collection for answering recursion queries. Instead of sending queries over the internet to the authority servers for this zone, it'll fetch the data directly from -the zone data. 
Turn it on when you want unbound to provide recursion for +the zone data. Turn it on when you want Unbound to provide recursion for downstream clients, and use the zone data as a local copy to speed up lookups. .TP .B zonemd\-check: \fI<yes or no> @@ -2018,14 +2196,14 @@ .TP .B zonefile: \fI<filename> The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .SS "View Options" .LP There may be multiple .B view: clauses. Each with a \fBname:\fR and zero or more \fBlocal\-zone\fR and -\fBlocal\-data\fR elements. Views can also contain view\-first, +\fBlocal\-data\fR elements. Views can also contain view\-first, response\-ip, response\-ip\-data and local\-data\-ptr elements. View can be mapped to requests by specifying the view name in an \fBaccess\-control\-view\fR element. Options from matching @@ -2118,9 +2296,9 @@ The .B dnscrypt: clause gives the settings of the dnscrypt channel. While those options are -available, they are only meaningful if unbound was compiled with +available, they are only meaningful if Unbound was compiled with \fB\-\-enable\-dnscrypt\fR. -Currently certificate and secret/public keys cannot be generated by unbound. +Currently certificate and secret/public keys cannot be generated by Unbound. You can use dnscrypt-wrapper to generate those: https://github.com/cofyc/\ dnscrypt-wrapper/blob/master/README.md#usage .TP @@ -2203,6 +2381,9 @@ configuration file. On top of that, for each query only 100 different subnets are allowed to be stored for each address family. Exceeding that number, older entries will be purged from cache. +.LP +This module does not interact with the \fBserve\-expired*\fR and +\fBprefetch:\fR options. .TP .B send\-client\-subnet: \fI<IP address>\fR Send client source address to this authority. Append /num to indicate a 
@@ -2239,7 +2420,7 @@ .TP .B min\-client\-subnet\-ipv4: \fI<number>\fR Specifies the minimum prefix length of the IPv4 source mask we are willing to -accept in queries. Shorter source masks result in REFUSED answers. Source mask +accept in queries. Shorter source masks result in REFUSED answers. Source mask of 0 is always accepted. Default is 0. .TP .B max\-ecs\-tree\-size\-ipv4: \fI<number>\fR @@ -2252,12 +2433,13 @@ .SS "Opportunistic IPsec Support Module Options" .LP The IPsec module must be configured in the \fBmodule\-config:\fR "ipsecmod -validator iterator" directive and be compiled into the daemon to be -enabled. These settings go in the \fBserver:\fR section. +validator iterator" directive and be compiled into Unbound by using +\fB\-\-enable\-ipsecmod\fR to be enabled. +These settings go in the \fBserver:\fR section. .LP -When unbound receives an A/AAAA query that is not in the cache and finds a +When Unbound receives an A/AAAA query that is not in the cache and finds a valid answer, it will withhold returning the answer and instead will generate -an IPSECKEY subquery for the same domain name. If an answer was found, unbound +an IPSECKEY subquery for the same domain name. If an answer was found, Unbound will call an external hook passing the following arguments: .TP 10 \h'5'\fIQNAME\fR 
@@ -2286,19 +2468,19 @@ .B ipsecmod-enabled: \fI<yes or no>\fR Specifies whether the IPsec module is enabled or not. The IPsec module still needs to be defined in the \fBmodule\-config:\fR directive. This option -facilitates turning on/off the module without restarting/reloading unbound. +facilitates turning on/off the module without restarting/reloading Unbound. Defaults to yes. .TP .B ipsecmod\-hook: \fI<filename>\fR -Specifies the external hook that unbound will call with \fIsystem\fR(3). The +Specifies the external hook that Unbound will call with \fIsystem\fR(3). The file can be specified as an absolute/relative path. The file needs the proper -permissions to be able to be executed by the same user that runs unbound. It +permissions to be able to be executed by the same user that runs Unbound. It must be present when the IPsec module is defined in the \fBmodule\-config:\fR directive. .TP .B ipsecmod-strict: \fI<yes or no>\fR -If enabled unbound requires the external hook to return a success value of 0. -Failing to do so unbound will reply with SERVFAIL. The A/AAAA answer will also +If enabled Unbound requires the external hook to return a success value of 0. +Failing to do so Unbound will reply with SERVFAIL. The A/AAAA answer will also not be cached. Defaults to no. .TP .B ipsecmod\-max-ttl: \fI<seconds>\fR @@ -2306,7 +2488,7 @@ Defaults to 3600. .TP .B ipsecmod-ignore-bogus: \fI<yes or no>\fR -Specifies the behaviour of unbound when the IPSECKEY answer is bogus. If set +Specifies the behaviour of Unbound when the IPSECKEY answer is bogus. If set to yes, the hook will be called and the A/AAAA answer will be returned to the client. If set to no, the hook will not be called and the answer to the A/AAAA query will be SERVFAIL. Mainly used for testing. Defaults to no. 
@@ -2333,7 +2515,7 @@ query as usual, and stores the answer in the backend. .P This module interacts with the \fBserve\-expired\-*\fR options and will reply -with expired data if unbound is configured for that. Currently the use +with expired data if Unbound is configured for that. Currently the use of \fBserve\-expired\-client\-timeout:\fR and \fBserve\-expired\-reply\-ttl:\fR is not consistent for data originating from the external cache as these will result in a reply with 0 TTL without trying to @@ -2391,7 +2573,7 @@ .P The following .B cachedb -otions are specific to the redis backend. +options are specific to the redis backend. .TP .B redis-server-host: \fI<server address or name>\fR The IP (either v6 or v4) address or domain name of the Redis server. @@ -2412,16 +2594,17 @@ This option defaults to 100 milliseconds. .TP .B redis-expire-records: \fI<yes or no> -If Redis record expiration is enabled. If yes, unbound sets timeout for Redis +If Redis record expiration is enabled. If yes, Unbound sets timeout for Redis records so that Redis can evict keys that have expired automatically. If -unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, +Unbound is configured with \fBserve-expired\fR and \fBserve-expired-ttl\fR is 0, this option is internally reverted to "no". Redis SETEX support is required for this option (Redis >= 2.0.0). This option defaults to no. .SS DNSTAP Logging Options -DNSTAP support, when compiled in, is enabled in the \fBdnstap:\fR section. +DNSTAP support, when compiled in by using \fB\-\-enable\-dnstap\fR, is enabled +in the \fBdnstap:\fR section. This starts an extra thread (when compiled with threading) that writes -the log information to the destination. If unbound is compiled without +the log information to the destination. If Unbound is compiled without threading it does not spawn a thread, but connects per-process to the destination. .TP 
@@ -2479,19 +2662,19 @@ .TP .B dnstap-log-resolver-query-messages: \fI<yes or no> Enable to log resolver query messages. Default is no. -These are messages from unbound to upstream servers. +These are messages from Unbound to upstream servers. .TP .B dnstap-log-resolver-response-messages: \fI<yes or no> Enable to log resolver response messages. Default is no. -These are replies from upstream servers to unbound. +These are replies from upstream servers to Unbound. .TP .B dnstap-log-client-query-messages: \fI<yes or no> Enable to log client query messages. Default is no. -These are client queries to unbound. +These are client queries to Unbound. .TP .B dnstap-log-client-response-messages: \fI<yes or no> Enable to log client response messages. Default is no. -These are responses from unbound to clients. +These are responses from Unbound to clients. .TP .B dnstap-log-forwarder-query-messages: \fI<yes or no> Enable to log forwarder query messages. Default is no. 
@@ -2506,10 +2689,49 @@ \fBrespip\fR module needs to be added to the \fBmodule-config\fR, e.g.: \fBmodule-config: "respip validator iterator"\fR. .P -Only the QNAME and Response IP Address triggers are supported. The supported RPZ -actions are: NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. RPZ QNAME triggers -are applied after -\fBlocal-zones\fR and before \fBauth-zones\fR. +QNAME, Response IP Address, nsdname, nsip and clientip triggers are supported. +Supported actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp\-only +and drop. RPZ QNAME triggers are applied after \fBlocal\-zones\fR and +before \fBauth\-zones\fR. +.P +The rpz zone is formatted with a SOA start record as usual. The items in +the zone are entries, that specify what to act on (the trigger) and what to +do (the action). The trigger to act on is recorded in the name, the action +to do is recorded as the resource record. The names all end in the zone +name, so you could type the trigger names without a trailing dot in the +zonefile. +.P +An example RPZ record, that answers example.com with NXDOMAIN +.nf + example.com CNAME . +.fi +.P +The triggers are encoded in the name on the left +.nf + name query name + netblock.rpz-client-ip client IP address + netblock.rpz-ip response IP address in the answer + name.rpz-nsdname nameserver name + netblock.rpz-nsip nameserver IP address +.fi +The netblock is written as <netblocklen>.<ip address in reverse>. +For IPv6 use 'zz' for '::'. Specify individual addresses with scope length +of 32 or 128. For example, 24.10.100.51.198.rpz-ip is 198.51.100.10/24 and +32.10.zz.db8.2001.rpz-ip is 2001:db8:0:0:0:0:0:10/32. +.P +The actions are specified with the record on the right +.nf + CNAME . nxdomain reply + CNAME *. nodata reply + CNAME rpz-passthru. do nothing, allow to continue + CNAME rpz-drop. the query is dropped + CNAME rpz-tcp-only. 
answer over TCP + A 192.0.2.1 answer with this IP address +.fi +Other records like AAAA, TXT and other CNAMEs (not rpz-..) can also be used to +answer queries with that content. +.P +The RPZ zones can be configured in the config file with these settings in the \fBrpz:\fR block. .TP .B name: \fI<zone name> Name of the authority zone. @@ -2546,12 +2768,12 @@ When notified, the server attempts to first probe and then zone transfer. If the notify is from a primary, it first attempts that primary. Otherwise other primaries are attempted. If there are no primaries, but only urls, the -file is downloaded when notified. The primaries from primary: statements are -allowed notify by default. +file is downloaded when notified. The primaries from primary: and url: +statements are allowed notify by default. .TP .B zonefile: \fI<filename> The filename where the zone is stored. If not given then no zonefile is used. -If the file does not exist or is empty, unbound will attempt to fetch zone +If the file does not exist or is empty, Unbound will attempt to fetch zone data (eg. from the primary servers). .TP .B rpz\-action\-override: \fI<action> 
@@ -2568,6 +2790,17 @@ .B rpz\-log\-name: \fI<name> Specify a string to be part of the log line, for easy referencing. .TP +.B rpz\-signal\-nxdomain\-ra: \fI<yes or no> +Signal when a query is blocked by the RPZ with NXDOMAIN with an unset RA flag. +This allows certain clients, like dnsmasq, to infer that the domain is +externally blocked. Default is no. +.TP +.B for\-downstream: \fI<yes or no> +If enabled the zone is authoritatively answered for and queries for the RPZ +zone information are answered to downstream clients. This is useful for +monitoring scripts, that can then access the SOA information to check if +the rpz information is up to date. Default is no. +.TP .B tags: \fI<list of tags> Limit the policies from this RPZ clause to clients with a matching tag. Tags need to be defined in \fBdefine\-tag\fR and can be assigned to client addresses @@ -2608,7 +2841,7 @@ .SH "FILES" .TP .I @UNBOUND_RUN_DIR@ -default unbound working directory. +default Unbound working directory. .TP .I @UNBOUND_CHROOT_DIR@ default @@ -2616,13 +2849,13 @@ location. .TP .I @ub_conf_file@ -unbound configuration file. +Unbound configuration file. .TP .I @UNBOUND_PIDFILE@ -default unbound pidfile with process ID of the running daemon. +default Unbound pidfile with process ID of the running daemon. .TP .I unbound.log -unbound log file. default is to log to +Unbound log file. default is to log to \fIsyslog\fR(3). .SH "SEE ALSO" \fIunbound\fR(8),
_service:tar_scm:unbound-1.13.2.tar.gz/doc/unbound.doxygen -> _service:tar_scm:unbound-1.17.1.tar.gz/doc/unbound.doxygen
Changed
@@ -279,10 +279,10 @@ # For small to medium size projects (<1000 input files) the default value is # probably good enough. For larger projects a too small cache size can cause # doxygen to be busy swapping symbols to and from disk most of the time -# causing a significant performance penality. +# causing a significant performance penalty. # If the system has enough physical memory increasing the cache will improve the # performance by keeping more symbols in memory. Note that the value works on -# a logarithmic scale so increasing the size by one will rougly double the +# a logarithmic scale so increasing the size by one will roughly double the # memory usage. The cache size is given by this formula: # 2^(16+SYMBOL_CACHE_SIZE). The valid range is 0..9, the default is 0, # corresponding to a cache size of 2^16 = 65536 symbols @@ -779,7 +779,7 @@ # the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns # in which this list will be split (can be a number in the range 1..20) -COLS_IN_ALPHA_INDEX = 5 +#COLS_IN_ALPHA_INDEX = 5 # In case all classes in a project start with a common prefix, all # classes will be put under the same header in the alphabetical index.
_service:tar_scm:unbound-1.13.2.tar.gz/edns-subnet/addrtree.c -> _service:tar_scm:unbound-1.17.1.tar.gz/edns-subnet/addrtree.c
Changed
@@ -97,6 +97,7 @@ tree->node_count++; node->scope = scope; node->ttl = ttl; + node->only_match_scope_zero = 0; node->edge0 = NULL; node->edge1 = NULL; node->parent_edge = NULL; @@ -155,6 +156,7 @@ if (!node->elem) return; tree->size_bytes -= tree->sizefunc(node->elem); tree->delfunc(tree->env, node->elem); + node->only_match_scope_zero = 0; node->elem = NULL; } @@ -358,7 +360,7 @@ void addrtree_insert(struct addrtree *tree, const addrkey_t *addr, addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, - time_t now) + time_t now, int only_match_scope_zero) { struct addrnode *newnode, *node; struct addredge *edge; @@ -381,6 +383,7 @@ /* update this node's scope and data */ clean_node(tree, node); node->ttl = ttl; + node->only_match_scope_zero = only_match_scope_zero; node->elem = elem; node->scope = scope; tree->size_bytes += tree->sizefunc(elem); @@ -447,6 +450,7 @@ newnode->elem = elem; newnode->scope = scope; newnode->ttl = ttl; + newnode->only_match_scope_zero = only_match_scope_zero; } tree->size_bytes += node_size(tree, newnode); @@ -483,7 +487,8 @@ /* Current node more specific then question. */ log_assert(depth <= sourcemask); /* does this node have data? if yes, see if we have a match */ - if (node->elem && node->ttl >= now) { + if (node->elem && node->ttl >= now && + !(sourcemask != 0 && node->only_match_scope_zero)) { /* saved at wrong depth */; log_assert(node->scope >= depth); if (depth == node->scope ||
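Review bot: The new match condition in the last hunk, `!(sourcemask != 0 && node->only_match_scope_zero)`, has no explanation at the point where it decides whether a cached answer may be served; the comment above it still only asks whether the node has data. A short comment such as `/* an answer stored for a /0 query with scope /0 is only returned to /0 queries */` would make clear why a node with valid, unexpired data is skipped for a lookup with a non-zero source mask. The flag is initialised at node creation and reset in the clean-up hunk, which looks consistent with the two assignments in `addrtree_insert`. The lookup function starts and ends outside this hunk, so the rest of the match logic could not be checked here.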
_service:tar_scm:unbound-1.13.2.tar.gz/edns-subnet/addrtree.h -> _service:tar_scm:unbound-1.17.1.tar.gz/edns-subnet/addrtree.h
Changed
@@ -95,6 +95,10 @@ time_t ttl; /** Number of significant bits in address. */ addrlen_t scope; + /** Only use the element for queries for subnet/0. Set if the query + * for /0 was answered with scope 0. For query /x answer scope 0, + * they can match anything and this is false. */ + int only_match_scope_zero; /** A node can have 0-2 edges, set to NULL for unused */ struct addredge *edge2; /** edge between this node and parent */ @@ -157,11 +161,12 @@ * @param scope: Number of significant bits in addr. * @param elem: data to store in the tree. * @param ttl: elem is valid up to this time, seconds. + * @param only_match_scope_zero: set for when query /0 has scope /0 answer. * @param now: Current time in seconds. */ void addrtree_insert(struct addrtree *tree, const addrkey_t *addr, addrlen_t sourcemask, addrlen_t scope, void *elem, time_t ttl, - time_t now); + time_t now, int only_match_scope_zero); /** * Find a node containing an element in the tree.
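Review bot: The added `@param only_match_scope_zero` line in the second hunk sits before `@param now`, but in the prototype the new parameter comes after `now`; the doc block should follow signature order, so move it below `@param now: Current time in seconds.`. The description could also say what the value does to lookups, for example `@param only_match_scope_zero: if nonzero, elem is only returned for lookups with source mask 0.` Because the parameter is appended to a non-static function, any caller outside this diff needs the extra argument; only the subnetmod.c caller is visible on this page.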
_service:tar_scm:unbound-1.13.2.tar.gz/edns-subnet/edns-subnet.h -> _service:tar_scm:unbound-1.17.1.tar.gz/edns-subnet/edns-subnet.h
Changed
@@ -59,7 +59,7 @@ /** * copy the first n BITS from src to dst iff both src and dst - * are large enough, return 0 on succes + * are large enough, return 0 on success */ int copy_clear(uint8_t* dst, size_t dstlen, uint8_t* src, size_t srclen, size_t n);
_service:tar_scm:unbound-1.13.2.tar.gz/edns-subnet/subnetmod.c -> _service:tar_scm:unbound-1.17.1.tar.gz/edns-subnet/subnetmod.c
Changed
@@ -55,6 +55,7 @@ #include "util/config_file.h" #include "util/data/msgreply.h" #include "sldns/sbuffer.h" +#include "sldns/wire2str.h" #include "iterator/iter_utils.h" /** externally called */ @@ -93,13 +94,14 @@ qstate->minfoid = sq; memset(sq, 0, sizeof(*sq)); sq->started_no_cache_store = qstate->no_cache_store; + sq->started_no_cache_lookup = qstate->no_cache_lookup; return 1; } /** Add ecs struct to edns list, after parsing it to wire format. */ -static void -ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list, - struct module_qstate *qstate) +void +subnet_ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list, + struct module_qstate *qstate, struct regional *region) { size_t sn_octs, sn_octs_remainder; sldns_buffer* buf = qstate->env->scratch_buffer; @@ -131,7 +133,7 @@ edns_opt_list_append(list, qstate->env->cfg->client_subnet_opcode, sn_octs + sn_octs_remainder + 4, - sldns_buffer_begin(buf), qstate->region); + sldns_buffer_begin(buf), region); } } @@ -139,7 +141,7 @@ uint16_t ATTR_UNUSED(flags), struct module_qstate* qstate, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), - struct regional* ATTR_UNUSED(region), int id, void* ATTR_UNUSED(cbargs)) + struct regional *region, int id, void* ATTR_UNUSED(cbargs)) { struct subnet_qstate *sq; struct subnet_env *sn_env; 
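Review bot: `subnet_ecs_opt_list_append` loses `static` and gains a `region` parameter in the second hunk, but its comment is still the one-line `/** Add ecs struct to edns list, after parsing it to wire format. */`. The third hunk allocates the option from the caller-supplied region instead of `qstate->region`, so the comment should say so, e.g. `@param region: region the appended option is allocated in; it has to outlive the list.` That lifetime requirement is inferred from the allocation call and is not stated anywhere in the hunk. The function body runs past the end of the second hunk.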
@@ -162,17 +164,21 @@ /* Address on whitelist or client query contains ECS option, we * want to sent out ECS. Only add option if it is not already * set. */ - if(!(sq->subnet_sent)) { - ecs_opt_list_append(&sq->ecs_server_out, - &qstate->edns_opts_back_out, qstate); - sq->subnet_sent = 1; + if(!edns_opt_list_find(qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode)) { + subnet_ecs_opt_list_append(&sq->ecs_server_out, + &qstate->edns_opts_back_out, qstate, region); } + sq->subnet_sent = 1; } - else if(sq->subnet_sent) { + else { /* Outgoing ECS option is set, but we don't want to sent it to * this address, remove option. */ - edns_opt_list_remove(&qstate->edns_opts_back_out, - qstate->env->cfg->client_subnet_opcode); + if(edns_opt_list_find(qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode)) { + edns_opt_list_remove(&qstate->edns_opts_back_out, + qstate->env->cfg->client_subnet_opcode); + } sq->subnet_sent = 0; } return 1; @@ -198,6 +204,17 @@ } alloc_init(&sn_env->alloc, NULL, 0); env->modinfoid = (void*)sn_env; + + /* Warn that serve-expired and prefetch do not work with the subnet + * module cache. */ + if(env->cfg->serve_expired) + log_warn( + "subnetcache: serve-expired is set but not working " + "for data originating from the subnet module cache."); + if(env->cfg->prefetch) + log_warn( + "subnetcache: prefetch is set but not working " + "for data originating from the subnet module cache."); /* Copy msg_cache settings */ sn_env->subnet_msg_cache = slabhash_create(env->cfg->msg_cache_slabs, HASH_DEFAULT_STARTARRAY, env->cfg->msg_cache_size, @@ -227,7 +244,7 @@ env->unique_mesh = 1; if(!edns_register_option(env->cfg->client_subnet_opcode, env->cfg->client_subnet_always_forward /* bypass cache */, - 0 /* no aggregation */, env)) { + 1 /* no aggregation */, env)) { log_err("subnetcache: could not register opcode"); ecs_whitelist_delete(sn_env->whitelist); slabhash_delete(sn_env->subnet_msg_cache); 
@@ -326,10 +343,13 @@ struct slabhash *subnet_msg_cache = sne->subnet_msg_cache; struct ecs_data *edns = &sq->ecs_client_in; size_t i; + int only_match_scope_zero; - /* We already calculated hash upon lookup */ - hashvalue_type h = qstate->minfoid ? - ((struct subnet_qstate*)qstate->minfoid)->qinfo_hash : + /* We already calculated hash upon lookup (lookup_and_reply) if we were + * allowed to look in the ECS cache */ + hashvalue_type h = qstate->minfoid && + ((struct subnet_qstate*)qstate->minfoid)->qinfo_hash_calculated? + ((struct subnet_qstate*)qstate->minfoid)->qinfo_hash : query_info_hash(&qstate->qinfo, qstate->query_flags); /* Step 1, general qinfo lookup */ struct lruhash_entry *lru_entry = slabhash_lookup(subnet_msg_cache, h, @@ -385,9 +405,12 @@ reply_info_set_ttls(rep, *qstate->env->now); rep->flags |= (BIT_RA | BIT_QR); /* fix flags to be sensible for */ rep->flags &= ~(BIT_AA | BIT_CD);/* a reply based on the cache */ + if(edns->subnet_source_mask == 0 && edns->subnet_scope_mask == 0) + only_match_scope_zero = 1; + else only_match_scope_zero = 0; addrtree_insert(tree, (addrkey_t*)edns->subnet_addr, edns->subnet_source_mask, sq->max_scope, rep, - rep->ttl, *qstate->env->now); + rep->ttl, *qstate->env->now, only_match_scope_zero); lock_rw_unlock(&lru_entry->lock); if (need_to_insert) { @@ -412,7 +435,10 @@ memset(&sq->ecs_client_out, 0, sizeof(sq->ecs_client_out)); - if (sq) sq->qinfo_hash = h; /* Might be useful on cache miss */ + if (sq) { + sq->qinfo_hash = h; /* Might be useful on cache miss */ + sq->qinfo_hash_calculated = 1; + } e = slabhash_lookup(sne->subnet_msg_cache, h, &qstate->qinfo, 1); if (!e) return 0; /* qinfo not in cache */ data = e->data; 
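Review bot: In the hunk at -385, `only_match_scope_zero` is derived from `edns->subnet_scope_mask`, and the context of the -326 hunk shows `edns` is `&sq->ecs_client_in`, while the scope passed to `addrtree_insert` in the same call is `sq->max_scope`. The addrtree.h comment for the new field says it is set when a /0 query "was answered with scope 0", so it is worth confirming that the client-side structure really carries the answer's scope at this point. If it does, a one-line comment above the `if` should say so; if it does not, the test presumably wants `sq->max_scope == 0`. This flag decides which clients may later be served the cached answer, so the intent should be readable from the code. The enclosing function starts and ends outside the hunk.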
@@ -497,7 +523,7 @@ if (!s_in->subnet_validdata) { /* The authority indicated no support for edns subnet. As a * consequence the answer ended up in the regular cache. It - * is still usefull to put it in the edns subnet cache for + * is still useful to put it in the edns subnet cache for * when a client explicitly asks for subnet specific answer. */ verbose(VERB_QUERY, "subnetcache: Authority indicates no support"); if(!sq->started_no_cache_store) { @@ -598,7 +624,7 @@ return 1; } -static void +void subnet_option_from_ss(struct sockaddr_storage *ss, struct ecs_data* ecs, struct config_file* cfg) { @@ -664,6 +690,24 @@ return 1; } +/** verbose print edns subnet option in pretty print */ +static void +subnet_log_print(const char* s, struct edns_option* ecs_opt) +{ + if(verbosity >= VERB_ALGO) { + char buf256; + char* str = buf; + size_t str_len = sizeof(buf); + if(!ecs_opt) { + verbose(VERB_ALGO, "%s (null)", s); + return; + } + (void)sldns_wire2str_edns_subnet_print(&str, &str_len, + ecs_opt->opt_data, ecs_opt->opt_len); + verbose(VERB_ALGO, "%s %s", s, buf); + } +} + int ecs_edns_back_parsed(struct module_qstate* qstate, int id, void* ATTR_UNUSED(cbargs)) @@ -678,6 +722,7 @@ qstate->env->cfg->client_subnet_opcode)) && parse_subnet_option(ecs_opt, &sq->ecs_server_in) && sq->subnet_sent && sq->ecs_server_in.subnet_validdata) { + subnet_log_print("answer has edns subnet", ecs_opt); /* Only skip global cache store if we sent an ECS option * and received one back. Answers from non-whitelisted * servers will end up in global cache. Answers for @@ -726,11 +771,12 @@ qstate->ext_stateid = module_finished; return; } + subnet_log_print("query has edns subnet", ecs_opt); sq->subnet_downstream = 1; } else if(qstate->mesh_info->reply_list) { subnet_option_from_ss( - &qstate->mesh_info->reply_list->query_reply.addr, + &qstate->mesh_info->reply_list->query_reply.client_addr, &sq->ecs_client_in, qstate->env->cfg); } 
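Review bot: In the new `subnet_log_print` (hunk at -664), `buf` is handed to `verbose()` as a `%s` argument without ever being initialised, and the return value of `sldns_wire2str_edns_subnet_print` is discarded. The bytes being printed come from a received EDNS option, so the log call relies on the callee always writing a terminator even for short or malformed data, which cannot be confirmed from this hunk. Adding `buf[0] = 0;` before the call makes the function safe on its own. A short comment that truncation at the buffer size is accepted would explain the `(void)` cast.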
@@ -754,18 +800,28 @@ return; } - lock_rw_wrlock(&sne->biglock); - if (lookup_and_reply(qstate, id, sq)) { - sne->num_msg_cache++; - lock_rw_unlock(&sne->biglock); - verbose(VERB_QUERY, "subnetcache: answered from cache"); - qstate->ext_stateid = module_finished; + if(!sq->started_no_cache_lookup && !qstate->blacklist) { + lock_rw_wrlock(&sne->biglock); + if(lookup_and_reply(qstate, id, sq)) { + sne->num_msg_cache++; + lock_rw_unlock(&sne->biglock); + verbose(VERB_QUERY, "subnetcache: answered from cache"); + qstate->ext_stateid = module_finished; - ecs_opt_list_append(&sq->ecs_client_out, - &qstate->edns_opts_front_out, qstate); - return; + subnet_ecs_opt_list_append(&sq->ecs_client_out, + &qstate->edns_opts_front_out, qstate, + qstate->region); + if(verbosity >= VERB_ALGO) { + subnet_log_print("reply has edns subnet", + edns_opt_list_find( + qstate->edns_opts_front_out, + qstate->env->cfg-> + client_subnet_opcode)); + } + return; + } + lock_rw_unlock(&sne->biglock); } - lock_rw_unlock(&sne->biglock); sq->ecs_server_out.subnet_addr_fam = sq->ecs_client_in.subnet_addr_fam; @@ -783,7 +839,7 @@ sq->ecs_server_out.subnet_source_mask = qstate->env->cfg->max_client_subnet_ipv6; /* Safe to copy completely, even if the source is limited by the - * configuration. ecs_opt_list_append() will limit the address. + * configuration. subnet_ecs_opt_list_append() will limit the address. * */ memcpy(&sq->ecs_server_out.subnet_addr, sq->ecs_client_in.subnet_addr, INET6_SIZE); 
@@ -807,10 +863,19 @@ qstate->ext_stateid = eval_response(qstate, id, sq); if(qstate->ext_stateid == module_finished && qstate->return_msg) { - ecs_opt_list_append(&sq->ecs_client_out, - &qstate->edns_opts_front_out, qstate); + subnet_ecs_opt_list_append(&sq->ecs_client_out, + &qstate->edns_opts_front_out, qstate, + qstate->region); + if(verbosity >= VERB_ALGO) { + subnet_log_print("reply has edns subnet", + edns_opt_list_find( + qstate->edns_opts_front_out, + qstate->env->cfg-> + client_subnet_opcode)); + } } qstate->no_cache_store = sq->started_no_cache_store; + qstate->no_cache_lookup = sq->started_no_cache_lookup; return; } if(sq && outbound) {
_service:tar_scm:unbound-1.13.2.tar.gz/edns-subnet/subnetmod.h -> _service:tar_scm:unbound-1.17.1.tar.gz/edns-subnet/subnetmod.h
Changed
@@ -76,6 +76,7 @@ struct subnet_qstate { /** We need the hash for both cache lookup and insert */ hashvalue_type qinfo_hash; + int qinfo_hash_calculated; /** ecs_data for client communication */ struct ecs_data ecs_client_in; struct ecs_data ecs_client_out; @@ -92,6 +93,8 @@ uint8_t max_scope; /** has the subnet module been started with no_cache_store? */ int started_no_cache_store; + /** has the subnet module been started with no_cache_lookup? */ + int started_no_cache_lookup; }; void subnet_data_delete(void* d, void* ATTR_UNUSED(arg)); @@ -143,4 +146,11 @@ /** mark subnet msg to be deleted */ void subnet_markdel(void* key); +/** Add ecs struct to edns list, after parsing it to wire format. */ +void subnet_ecs_opt_list_append(struct ecs_data* ecs, struct edns_option** list, + struct module_qstate *qstate, struct regional *region); + +/** Create ecs_data from the sockaddr_storage information. */ +void subnet_option_from_ss(struct sockaddr_storage *ss, struct ecs_data* ecs, + struct config_file* cfg); #endif /* SUBNETMOD_H */
_service:tar_scm:unbound-1.13.2.tar.gz/ipsecmod/ipsecmod.c -> _service:tar_scm:unbound-1.17.1.tar.gz/ipsecmod/ipsecmod.c
Changed
@@ -37,7 +37,7 @@ * \file * * This file contains a module that facilitates opportunistic IPsec. It does so - * by also quering for the IPSECKEY for A/AAAA queries and calling a + * by also querying for the IPSECKEY for A/AAAA queries and calling a * configurable hook (eg. signaling an IKE daemon) before replying. */ @@ -456,7 +456,7 @@ /* Store A/AAAA in cache. */ if(!dns_cache_store(qstate->env, &qstate->qinfo, qstate->return_msg->rep, 0, qstate->prefetch_leeway, - 0, qstate->region, qstate->query_flags)) { + 0, qstate->region, qstate->query_flags, qstate->qstarttime)) { log_err("ipsecmod: out of memory caching record"); } qstate->ext_stateid = module_finished;
_service:tar_scm:unbound-1.13.2.tar.gz/ipsecmod/ipsecmod.h -> _service:tar_scm:unbound-1.17.1.tar.gz/ipsecmod/ipsecmod.h
Changed
@@ -37,7 +37,7 @@ * \file * * This file contains a module that facilitates opportunistic IPsec. It does so - * by also quering for the IPSECKEY for A/AAAA queries and calling a + * by also querying for the IPSECKEY for A/AAAA queries and calling a * configurable hook (eg. signaling an IKE daemon) before replying. */
_service:tar_scm:unbound-1.13.2.tar.gz/ipset/ipset.c -> _service:tar_scm:unbound-1.17.1.tar.gz/ipset/ipset.c
Changed
@@ -138,10 +138,10 @@ static int ipset_check_zones_for_rrset(struct module_env *env, struct ipset_env *ie, struct mnl_socket *mnl, struct ub_packed_rrset_key *rrset, - const char *setname, int af) + const char *qname, const int qlen, const char *setname, int af) { static char dnameBUFF_LEN; - const char *s; + const char *ds, *qs; int dlen, plen; struct config_strlist *p; 
@@ -152,70 +152,73 @@ log_err("bad domain name"); return -1; } - if (dnamedlen - 1 == '.') { - dlen--; - } for (p = env->cfg->local_zones_ipset; p; p = p->next) { + ds = NULL; + qs = NULL; plen = strlen(p->str); if (dlen >= plen) { - s = dname + (dlen - plen); - - if (strncasecmp(p->str, s, plen) == 0) { - d = (struct packed_rrset_data*)rrset->entry.data; - ipset_add_rrset_data(ie, mnl, d, setname, - af, dname); - break; - } + ds = dname + (dlen - plen); + } + if (qlen >= plen) { + qs = qname + (qlen - plen); + } + if ((ds && strncasecmp(p->str, ds, plen) == 0) + || (qs && strncasecmp(p->str, qs, plen) == 0)) { + d = (struct packed_rrset_data*)rrset->entry.data; + ipset_add_rrset_data(ie, mnl, d, setname, + af, dname); + break; } } return 0; } -static int ipset_update(struct module_env *env, struct dns_msg *return_msg, struct ipset_env *ie) { +static int ipset_update(struct module_env *env, struct dns_msg *return_msg, + struct query_info qinfo, struct ipset_env *ie) +{ struct mnl_socket *mnl; - size_t i; - const char *setname; - struct ub_packed_rrset_key *rrset; - int af; - + static char qnameBUFF_LEN; + int qlen; mnl = (struct mnl_socket *)ie->mnl; if (!mnl) { - // retry to create mnl socket + /* retry to create mnl socket */ mnl = open_mnl_socket(); if (!mnl) { return -1; } - ie->mnl = mnl; } - for (i = 0; i < return_msg->rep->rrset_count; ++i) { - setname = NULL; + qlen = sldns_wire2str_dname_buf(qinfo.qname, qinfo.qname_len, + qname, BUFF_LEN); + if(qlen == 0) { + log_err("bad domain name"); + return -1; + } + for(i = 0; i < return_msg->rep->rrset_count; i++) { + setname = NULL; rrset = return_msg->rep->rrsetsi; - - if (rrset->rk.type == htons(LDNS_RR_TYPE_A)) { + if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_A && + ie->v4_enabled == 1) { af = AF_INET; - if ((ie->v4_enabled == 1)) { - setname = ie->name_v4; - } - } else { + setname = ie->name_v4; + } else if(ntohs(rrset->rk.type) == LDNS_RR_TYPE_AAAA && + ie->v6_enabled == 1) { af = AF_INET6; - if ((ie->v6_enabled 
== 1)) { - setname = ie->name_v6; - } + setname = ie->name_v6; } if (setname) { if(ipset_check_zones_for_rrset(env, ie, mnl, rrset, - setname, af) == -1) + qname, qlen, setname, af) == -1) return -1; } } @@ -311,7 +314,7 @@ if (iq && (event == module_event_moddone)) { if (qstate->return_msg && qstate->return_msg->rep) { - ipset_update(qstate->env, qstate->return_msg, ie); + ipset_update(qstate->env, qstate->return_msg, qstate->qinfo, ie); } qstate->ext_stateid = module_finished; return;
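Review bot: The zone match in `ipset_check_zones_for_rrset` (hunk at -152) compares only the last `plen` bytes of the name and never checks that the match starts on a label boundary, and this hunk extends the same comparison to the query name. As written, a configured zone string also matches an unrelated name that merely ends in the same characters, and that rrset's addresses are then added to the set, which matters when the set backs a firewall rule. Unless the configured strings are normalised elsewhere to rule this out (not visible here), require a boundary, e.g. `if (dlen >= plen && (dlen == plen || dname[dlen - plen - 1] == '.')) ds = dname + (dlen - plen);`, and do the same for `qs`. Separately, the new `static char` `qname` buffer in `ipset_update` is shared by every caller, which is a data race if this module can run in more than one thread; an automatic buffer avoids that.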
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_delegpt.c -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_delegpt.c
Changed
@@ -73,9 +73,12 @@ copy->bogus = dp->bogus; copy->has_parent_side_NS = dp->has_parent_side_NS; copy->ssl_upstream = dp->ssl_upstream; + copy->tcp_upstream = dp->tcp_upstream; for(ns = dp->nslist; ns; ns = ns->next) { - if(!delegpt_add_ns(copy, region, ns->name, ns->lame)) + if(!delegpt_add_ns(copy, region, ns->name, ns->lame, + ns->tls_auth_name, ns->port)) return NULL; + copy->nslist->cache_lookup_count = ns->cache_lookup_count; copy->nslist->resolved = ns->resolved; copy->nslist->got4 = ns->got4; copy->nslist->got6 = ns->got6; @@ -83,8 +86,8 @@ copy->nslist->done_pside6 = ns->done_pside6; } for(a = dp->target_list; a; a = a->next_target) { - if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, - a->bogus, a->lame, a->tls_auth_name, NULL)) + if(!delegpt_add_addr(copy, region, &a->addr, a->addrlen, + a->bogus, a->lame, a->tls_auth_name, -1, NULL)) return NULL; } return copy; @@ -101,7 +104,7 @@ int delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name, - uint8_t lame) + uint8_t lame, char* tls_auth_name, int port) { struct delegpt_ns* ns; size_t len; @@ -119,12 +122,21 @@ ns->namelen = len; dp->nslist = ns; ns->name = regional_alloc_init(region, name, ns->namelen); + ns->cache_lookup_count = 0; ns->resolved = 0; ns->got4 = 0; ns->got6 = 0; ns->lame = lame; ns->done_pside4 = 0; ns->done_pside6 = 0; + ns->port = port; + if(tls_auth_name) { + ns->tls_auth_name = regional_strdup(region, tls_auth_name); + if(!ns->tls_auth_name) + return 0; + } else { + ns->tls_auth_name = NULL; + } return ns->name != 0; } @@ -158,9 +170,9 @@ return NULL; } -int -delegpt_add_target(struct delegpt* dp, struct regional* region, - uint8_t* name, size_t namelen, struct sockaddr_storage* addr, +int +delegpt_add_target(struct delegpt* dp, struct regional* region, + uint8_t* name, size_t namelen, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, uint8_t lame, int* additions) { struct delegpt_ns* ns = delegpt_find_ns(dp, name, namelen); 
@@ -175,18 +187,27 @@ else ns->got4 = 1; if(ns->got4 && ns->got6) ns->resolved = 1; + } else { + if(addr_is_ip6(addr, addrlen)) + ns->done_pside6 = 1; + else ns->done_pside4 = 1; } - return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, NULL, - additions); + log_assert(ns->port>0); + return delegpt_add_addr(dp, region, addr, addrlen, bogus, lame, + ns->tls_auth_name, ns->port, additions); } -int -delegpt_add_addr(struct delegpt* dp, struct regional* region, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, - uint8_t lame, char* tls_auth_name, int* additions) +int +delegpt_add_addr(struct delegpt* dp, struct regional* region, + struct sockaddr_storage* addr, socklen_t addrlen, uint8_t bogus, + uint8_t lame, char* tls_auth_name, int port, int* additions) { struct delegpt_addr* a; log_assert(!dp->dp_type_mlc); + if(port != -1) { + log_assert(port>0); + sockaddr_store_port(addr, addrlen, port); + } /* check for duplicates */ if((a = delegpt_find_addr(dp, addr, addrlen))) { if(bogus) @@ -323,13 +344,16 @@ } size_t -delegpt_count_missing_targets(struct delegpt* dp) +delegpt_count_missing_targets(struct delegpt* dp, int* alllame) { struct delegpt_ns* ns; - size_t n = 0; - for(ns = dp->nslist; ns; ns = ns->next) - if(!ns->resolved) - n++; + size_t n = 0, nlame = 0; + for(ns = dp->nslist; ns; ns = ns->next) { + if(ns->resolved) continue; + n++; + if(ns->lame) nlame++; + } + if(alllame && n == nlame) *alllame = 1; return n; } @@ -411,7 +435,8 @@ (size_t)sldns_read_uint16(nsdata->rr_datai)) continue; /* bad format */ /* add rdata of NS (= wirefmt dname), skip rdatalen bytes */ - if(!delegpt_add_ns(dp, region, nsdata->rr_datai+2, lame)) + if(!delegpt_add_ns(dp, region, nsdata->rr_datai+2, lame, + NULL, UNBOUND_DNS_PORT)) return 0; } return 1; 
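Review bot: In `delegpt_add_target` and `delegpt_add_addr` (hunk at -175) the only check on the new `port` value is `log_assert(port>0)`, which sets no upper bound and, if `log_assert` is compiled out in non-debug builds, performs no check at all before `sockaddr_store_port` writes the value into the address. The value originates from configuration parsing outside this file section, so either document on `delegpt_add_ns` that callers must pass 1..65535, or reject it explicitly with `if(port != -1 && (port <= 0 || port > 65535)) return 0;`. `delegpt_add_addr_mlc` in the -597 hunk has the same pattern. The function comment should also say that `sockaddr_store_port` modifies the caller's `addr`.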
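Review bot: `delegpt_count_missing_targets` (hunk at -323) only ever writes 1 to `*alllame` and never clears it, and because the test is `n == nlame` it also writes 1 when there are no missing targets at all. The caller added in iter_utils.c initialises the variable to 0 and combines the result with `> 0`, so the behaviour there is correct. The header text "if set, check if all the missing targets are lame" tells a new caller neither fact. I would extend the `@param alllame` line in iter_delegpt.h to state that the caller must initialise it to 0 and that it is also set when the returned count is 0.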
@@ -428,7 +453,6 @@ log_assert(!dp->dp_type_mlc); memset(&sa, 0, len); sa.sin_family = AF_INET; - sa.sin_port = (in_port_t)htons(UNBOUND_DNS_PORT); for(i=0; i<d->count; i++) { if(d->rr_leni != 2 + INET_SIZE) continue; @@ -452,7 +476,6 @@ log_assert(!dp->dp_type_mlc); memset(&sa, 0, len); sa.sin6_family = AF_INET6; - sa.sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT); for(i=0; i<d->count; i++) { if(d->rr_leni != 2 + INET6_SIZE) /* rdatalen + len of IP6 */ continue; @@ -554,6 +577,7 @@ while(n) { nn = n->next; free(n->name); + free(n->tls_auth_name); free(n); n = nn; } @@ -576,7 +600,8 @@ return (dp->name != NULL); } -int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame) +int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, + char* tls_auth_name, int port) { struct delegpt_ns* ns; size_t len; @@ -597,20 +622,37 @@ } ns->next = dp->nslist; dp->nslist = ns; + ns->cache_lookup_count = 0; ns->resolved = 0; ns->got4 = 0; ns->got6 = 0; ns->lame = (uint8_t)lame; ns->done_pside4 = 0; ns->done_pside6 = 0; + ns->port = port; + if(tls_auth_name) { + ns->tls_auth_name = strdup(tls_auth_name); + if(!ns->tls_auth_name) { + free(ns->name); + free(ns); + return 0; + } + } else { + ns->tls_auth_name = NULL; + } return 1; } int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name) + socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name, + int port) { struct delegpt_addr* a; log_assert(dp->dp_type_mlc); + if(port != -1) { + log_assert(port>0); + sockaddr_store_port(addr, addrlen, port); + } /* check for duplicates */ if((a = delegpt_find_addr(dp, addr, addrlen))) { if(bogus) 
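Review bot: The new out-of-memory path in `delegpt_add_ns_mlc` (hunk at -597) frees `ns` after the context lines `ns->next = dp->nslist; dp->nslist = ns;` have already linked it into the list, so `dp->nslist` is left pointing at freed memory. Any later walk of that list, including the free loop in the -554 hunk that now also frees `n->tls_auth_name`, would then touch the freed node. Unlink before freeing by adding `dp->nslist = ns->next;` ahead of `free(ns->name);`, or move the two linking lines below the `strdup` block. The function begins outside the hunk.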
@@ -662,8 +704,14 @@ else ns->got4 = 1; if(ns->got4 && ns->got6) ns->resolved = 1; + } else { + if(addr_is_ip6(addr, addrlen)) + ns->done_pside6 = 1; + else ns->done_pside4 = 1; } - return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, NULL); + log_assert(ns->port>0); + return delegpt_add_addr_mlc(dp, addr, addrlen, bogus, lame, + ns->tls_auth_name, ns->port); } size_t delegpt_get_mem(struct delegpt* dp)
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_delegpt.h -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_delegpt.h
Changed
@@ -83,6 +83,8 @@ uint8_t dp_type_mlc; /** use SSL for upstream query */ uint8_t ssl_upstream; + /** use TCP for upstream query */ + uint8_t tcp_upstream; /** delegpt from authoritative zone that is locally hosted */ uint8_t auth_dp; /*** no cache */ @@ -99,6 +101,8 @@ uint8_t* name; /** length of name */ size_t namelen; + /** number of cache lookups for the name */ + int cache_lookup_count; /** * If the name has been resolved. false if not queried for yet. * true if the A, AAAA queries have been generated. @@ -124,6 +128,11 @@ * Also enabled if a parent-side cache entry exists, or a parent-side * negative-cache entry exists. */ uint8_t done_pside6; + /** the TLS authentication name, (if not NULL) to use. */ + char* tls_auth_name; + /** the port to use; it should mostly be the default 53 but configured + * upstreams can provide nondefault ports. */ + int port; }; /** @@ -189,10 +198,12 @@ * @param regional: where to allocate the info. * @param name: domain name in wire format. * @param lame: name is lame, disprefer it. + * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: port to use for resolved addresses. * @return false on error. */ -int delegpt_add_ns(struct delegpt* dp, struct regional* regional, - uint8_t* name, uint8_t lame); +int delegpt_add_ns(struct delegpt* dp, struct regional* regional, + uint8_t* name, uint8_t lame, char* tls_auth_name, int port); /** * Add NS rrset; calls add_ns repeatedly. 
@@ -269,12 +280,14 @@ * @param bogus: if address is bogus. * @param lame: if address is lame. * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: the port to use; if -1 the port is taken from addr. * @param additions: will be set to 1 if a new address is added * @return false on error. */ -int delegpt_add_addr(struct delegpt* dp, struct regional* regional, +int delegpt_add_addr(struct delegpt* dp, struct regional* regional, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t bogus, uint8_t lame, char* tls_auth_name, int* additions); + uint8_t bogus, uint8_t lame, char* tls_auth_name, int port, + int* additions); /** * Find NS record in name list of delegation point. @@ -319,9 +332,10 @@ /** * Count number of missing targets. These are ns names with no resolved flag. * @param dp: delegation point. + * @param alllame: if set, check if all the missing targets are lame. * @return number of missing targets (or 0). */ -size_t delegpt_count_missing_targets(struct delegpt* dp); +size_t delegpt_count_missing_targets(struct delegpt* dp, int* alllame); /** count total number of targets in dp */ size_t delegpt_count_targets(struct delegpt* dp); 
@@ -402,22 +416,27 @@ * @param dp: must have been created with delegpt_create_mlc. * @param name: the name to add. * @param lame: the name is lame, disprefer. + * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: port to use for resolved addresses. * @return false on error. */ -int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame); +int delegpt_add_ns_mlc(struct delegpt* dp, uint8_t* name, uint8_t lame, + char* tls_auth_name, int port); /** * add an address to a malloced delegation point. - * @param dp: must have been created with delegpt_create_mlc. + * @param dp: must have been created with delegpt_create_mlc. * @param addr: the address. * @param addrlen: the length of addr. * @param bogus: if address is bogus. * @param lame: if address is lame. * @param tls_auth_name: TLS authentication name (or NULL). + * @param port: the port to use; if -1 the port is taken from addr. * @return false on error. */ int delegpt_add_addr_mlc(struct delegpt* dp, struct sockaddr_storage* addr, - socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name); + socklen_t addrlen, uint8_t bogus, uint8_t lame, char* tls_auth_name, + int port); /** * Add target address to the delegation point.
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_fwd.c -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_fwd.c
Changed
@@ -200,21 +200,27 @@ } /** set fwd host names */ -static int +static int read_fwds_host(struct config_stub* s, struct delegpt* dp) { struct config_strlist* p; uint8_t* dname; - size_t dname_len; + char* tls_auth_name; + int port; for(p = s->hosts; p; p = p->next) { log_assert(p->str); - dname = sldns_str2wire_dname(p->str, &dname_len); + dname = authextstrtodname(p->str, &port, &tls_auth_name); if(!dname) { log_err("cannot parse forward %s server name: '%s'", s->name, p->str); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0)) { +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(tls_auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", p->str); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) { free(dname); log_err("out of memory"); return 0; @@ -245,7 +251,7 @@ "ssl library, ignored name for %s", p->str); #endif if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - tls_auth_name)) { + tls_auth_name, -1)) { log_err("out of memory"); return 0; } @@ -276,6 +282,8 @@ dp->no_cache = s->no_cache; /* use SSL for queries to this forwarder */ dp->ssl_upstream = (uint8_t)s->ssl_upstream; + /* use TCP for queries to this forwarder */ + dp->tcp_upstream = (uint8_t)s->tcp_upstream; verbose(VERB_QUERY, "Forward zone server list:"); delegpt_log(VERB_QUERY, dp); if(!forwards_insert(fwd, LDNS_RR_CLASS_IN, dp))
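Review bot: In `read_fwds_host` (hunk at -200), when the build has neither `HAVE_SSL_SET1_HOST` nor `HAVE_X509_VERIFY_PARAM_SET1_HOST` and the entry carries a TLS authentication name, the code only logs an error and then goes on to add the nameserver. The message says the name is ignored, yet `tls_auth_name` is still passed to `delegpt_add_ns_mlc`, and an operator who asked for name authentication presumably ends up with an upstream whose certificate name is not checked. Consider failing the configuration load in that case by freeing `dname` and returning 0 after the `log_err`, or at least state in a comment above the `#if` that the forwarder is then used without name verification. `read_stubs_host` in iter_hints.c adds the same block.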
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_hints.c -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_hints.c
Changed
@@ -99,8 +99,8 @@ log_err("could not parse %s", sv); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0) || - !extstrtoaddr(ip, &addr, &addrlen) || + if(!delegpt_add_ns_mlc(dp, dname, 0, NULL, UNBOUND_DNS_PORT) || + !extstrtoaddr(ip, &addr, &addrlen, UNBOUND_DNS_PORT) || !delegpt_add_target_mlc(dp, dname, dname_len, &addr, addrlen, 0, 0)) { free(dname); @@ -213,21 +213,27 @@ } /** set stub host names */ -static int +static int read_stubs_host(struct config_stub* s, struct delegpt* dp) { struct config_strlist* p; - size_t dname_len; uint8_t* dname; + char* tls_auth_name; + int port; for(p = s->hosts; p; p = p->next) { log_assert(p->str); - dname = sldns_str2wire_dname(p->str, &dname_len); + dname = authextstrtodname(p->str, &port, &tls_auth_name); if(!dname) { log_err("cannot parse stub %s nameserver name: '%s'", s->name, p->str); return 0; } - if(!delegpt_add_ns_mlc(dp, dname, 0)) { +#if ! defined(HAVE_SSL_SET1_HOST) && ! defined(HAVE_X509_VERIFY_PARAM_SET1_HOST) + if(tls_auth_name) + log_err("no name verification functionality in " + "ssl library, ignored name for %s", p->str); +#endif + if(!delegpt_add_ns_mlc(dp, dname, 0, tls_auth_name, port)) { free(dname); log_err("out of memory"); return 0; @@ -258,7 +264,7 @@ "ssl library, ignored name for %s", p->str); #endif if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0, - auth_name)) { + auth_name, -1)) { log_err("out of memory"); return 0; } @@ -287,6 +293,8 @@ dp->no_cache = s->no_cache; /* ssl_upstream */ dp->ssl_upstream = (uint8_t)s->ssl_upstream; + /* tcp_upstream */ + dp->tcp_upstream = (uint8_t)s->tcp_upstream; delegpt_log(VERB_QUERY, dp); if(!hints_insert(hints, LDNS_RR_CLASS_IN, dp, !s->isprime)) return 0; @@ -336,7 +344,7 @@ if(sldns_wirerr_get_type(rr, rr_len, dname_len) == LDNS_RR_TYPE_NS) { if(!delegpt_add_ns_mlc(dp, sldns_wirerr_get_rdata(rr, - rr_len, dname_len), 0)) { + rr_len, dname_len), 0, NULL, UNBOUND_DNS_PORT)) { log_err("out of memory reading root hints"); goto stop_read; } 
@@ -395,10 +403,10 @@ delegpt_free_mlc(dp); return 1; } + delegpt_log(VERB_QUERY, dp); if(!hints_insert(hints, c, dp, 0)) { return 0; } - delegpt_log(VERB_QUERY, dp); return 1; stop_read:
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_resptype.c -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_resptype.c
Changed
@@ -113,7 +113,11 @@ if(!msg || !request) return RESPONSE_TYPE_THROWAWAY; - + /* If the TC flag is set, the response is incomplete. Too large to + * fit even in TCP or so. Discard it, it cannot be retrieved here. */ + if((msg->rep->flags & BIT_TC)) + return RESPONSE_TYPE_THROWAWAY; + /* If the message is NXDOMAIN, then it answers the question. */ if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_NXDOMAIN) { /* make sure its not recursive when we don't want it to */
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_utils.c -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_utils.c
Changed
@@ -4,22 +4,22 @@ * Copyright (c) 2007, NLnet Labs. All rights reserved. * * This software is open source. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * + * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR @@ -37,7 +37,7 @@ * \file * * This file contains functions to assist the iterator module. - * Configuration options. Forward zones. + * Configuration options. Forward zones. */ #include "config.h" #include "iterator/iter_utils.h" @@ -70,8 +70,6 @@ /** time when nameserver glue is said to be 'recent' */ #define SUSPICION_RECENT_EXPIRY 86400 -/** penalty to validation failed blacklisted IPs */ -#define BLACKLIST_PENALTY (USEFUL_SERVER_TOP_TIMEOUT*4) /** fillup fetch policy array */ static void @@ -141,7 +139,7 @@ return 1; } -int +int iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) { int i; @@ -151,7 +149,7 @@ for(i=0; i<iter_env->max_dependency_depth+1; i++) verbose(VERB_QUERY, "target fetch policy for level %d is %d", i, iter_env->target_fetch_policyi); - + if(!iter_env->donotq) iter_env->donotq = donotq_create(); if(!iter_env->donotq || !donotq_apply_cfg(iter_env->donotq, cfg)) { 
@@ -176,6 +174,9 @@ } iter_env->supports_ipv6 = cfg->do_ip6; iter_env->supports_ipv4 = cfg->do_ip4; + iter_env->outbound_msg_retry = cfg->outbound_msg_retry; + iter_env->max_sent_count = cfg->max_sent_count; + iter_env->max_query_restarts = cfg->max_query_restarts; return 1; } @@ -212,7 +213,7 @@ * dnsseclame servers get penalty * USEFUL_SERVER_TOP_TIMEOUT*3 .. * recursion lame servers get penalty - * UNKNOWN_SERVER_NICENESS + * UNKNOWN_SERVER_NICENESS * If no information is known about the server, this is * returned. 376 msec or so. * +BLACKLIST_PENALTY (of USEFUL_TOP_TIMEOUT*4) for dnssec failed IPs. @@ -221,11 +222,11 @@ * is turned off (so we do not discard the reply). * When a final value is chosen that is recursionlame; RD bit is set on query. * Because of the numbers this means recursionlame also have dnssec lameness - * checking turned off. + * checking turned off. */ static int iter_filter_unsuitable(struct iter_env* iter_env, struct module_env* env, - uint8_t* name, size_t namelen, uint16_t qtype, time_t now, + uint8_t* name, size_t namelen, uint16_t qtype, time_t now, struct delegpt_addr* a) { int rtt, lame, reclame, dnsseclame; @@ -243,8 +244,8 @@ return -1; /* there is no ip4 available */ } /* check lameness - need zone , class info */ - if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen, - name, namelen, qtype, &lame, &dnsseclame, &reclame, + if(infra_get_lame_rtt(env->infra_cache, &a->addr, a->addrlen, + name, namelen, qtype, &lame, &dnsseclame, &reclame, &rtt, now)) { log_addr(VERB_ALGO, "servselect", &a->addr, a->addrlen); verbose(VERB_ALGO, " rtt=%d%s%s%s%s", rtt, @@ -282,7 +283,7 @@ /** lookup RTT information, and also store fastest rtt (if any) */ static int iter_fill_rtt(struct iter_env* iter_env, struct module_env* env, - uint8_t* name, size_t namelen, uint16_t qtype, time_t now, + uint8_t* name, size_t namelen, uint16_t qtype, time_t now, struct delegpt* dp, int* best_rtt, struct sock_list* blacklist, size_t* num_suitable_results) { 
@@ -293,7 +294,7 @@ if(dp->bogus) return 0; /* NS bogus, all bogus, nothing found */ for(a=dp->result_list; a; a = a->next_result) { - a->sel_rtt = iter_filter_unsuitable(iter_env, env, + a->sel_rtt = iter_filter_unsuitable(iter_env, env, name, namelen, qtype, now, a); if(a->sel_rtt != -1) { if(sock_list_find(blacklist, &a->addr, a->addrlen)) @@ -329,7 +330,7 @@ int rtt_band; size_t i; int* rtt_list, *rtt_index; - + if(num_results < 1 || n >= num_results) { return -1; } @@ -361,21 +362,25 @@ * returns number of best targets (or 0, no suitable targets) */ static int iter_filter_order(struct iter_env* iter_env, struct module_env* env, - uint8_t* name, size_t namelen, uint16_t qtype, time_t now, - struct delegpt* dp, int* selected_rtt, int open_target, + uint8_t* name, size_t namelen, uint16_t qtype, time_t now, + struct delegpt* dp, int* selected_rtt, int open_target, struct sock_list* blacklist, time_t prefetch) { int got_num = 0, low_rtt = 0, swap_to_front, rtt_band = RTT_BAND, nth; + int alllame = 0; size_t num_results; struct delegpt_addr* a, *n, *prev=NULL; /* fillup sel_rtt and find best rtt in the bunch */ - got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, + got_num = iter_fill_rtt(iter_env, env, name, namelen, qtype, now, dp, &low_rtt, blacklist, &num_results); - if(got_num == 0) + if(got_num == 0) return 0; if(low_rtt >= USEFUL_SERVER_TOP_TIMEOUT && - (delegpt_count_missing_targets(dp) > 0 || open_target > 0)) { + /* If all missing (or not fully resolved) targets are lame, + * then use the remaining lame address. */ + ((delegpt_count_missing_targets(dp, &alllame) > 0 && !alllame) || + open_target > 0)) { verbose(VERB_ALGO, "Bad choices, trying to get more choice"); return 0; /* we want more choice. The best choice is a bad one. return 0 to force the caller to fetch more */ 
@@ -548,9 +553,9 @@ return got_num; } -struct delegpt_addr* -iter_server_selection(struct iter_env* iter_env, - struct module_env* env, struct delegpt* dp, +struct delegpt_addr* +iter_server_selection(struct iter_env* iter_env, + struct module_env* env, struct delegpt* dp, uint8_t* name, size_t namelen, uint16_t qtype, int* dnssec_lame, int* chase_to_rd, int open_target, struct sock_list* blacklist, time_t prefetch) @@ -592,7 +597,7 @@ if(num == 1) { a = dp->result_list; - if(++a->attempts < OUTBOUND_MSG_RETRY) + if(++a->attempts < iter_env->outbound_msg_retry) return a; dp->result_list = a->next_result; return a; @@ -602,7 +607,7 @@ log_assert(num > 1); /* grab secure random number, to pick unexpected server. * also we need it to be threadsafe. */ - sel = ub_random_max(env->rnd, num); + sel = ub_random_max(env->rnd, num); a = dp->result_list; prev = NULL; while(sel > 0 && a) { @@ -612,7 +617,7 @@ } if(!a) /* robustness */ return NULL; - if(++a->attempts < OUTBOUND_MSG_RETRY) + if(++a->attempts < iter_env->outbound_msg_retry) return a; /* remove it from the delegation point result list */ if(prev) @@ -621,8 +626,8 @@ return a; } -struct dns_msg* -dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, +struct dns_msg* +dns_alloc_msg(sldns_buffer* pkt, struct msg_parse* msg, struct regional* region) { struct dns_msg* m = (struct dns_msg*)regional_alloc(region, @@ -637,7 +642,7 @@ return m; } -struct dns_msg* +struct dns_msg* dns_copy_msg(struct dns_msg* from, struct regional* region) { struct dns_msg* m = (struct dns_msg*)regional_alloc(region, 
@@ -653,17 +658,17 @@ return m; } -void +void iter_dns_store(struct module_env* env, struct query_info* msgqinf, struct reply_info* msgrep, int is_referral, time_t leeway, int pside, - struct regional* region, uint16_t flags) + struct regional* region, uint16_t flags, time_t qstarttime) { if(!dns_cache_store(env, msgqinf, msgrep, is_referral, leeway, - pside, region, flags)) + pside, region, flags, qstarttime)) log_err("out of memory: cannot store data in cache"); } -int +int iter_ns_probability(struct ub_randstate* rnd, int n, int m) { int sel; @@ -671,7 +676,7 @@ return 1; /* we do not need secure random numbers here, but * we do need it to be threadsafe, so we use this */ - sel = ub_random_max(rnd, m); + sel = ub_random_max(rnd, m); return (sel < n); } @@ -688,12 +693,12 @@ qinf.local_alias = NULL; fptr_ok(fptr_whitelist_modenv_detect_cycle( qstate->env->detect_cycle)); - return (*qstate->env->detect_cycle)(qstate, &qinf, + return (*qstate->env->detect_cycle)(qstate, &qinf, (uint16_t)(BIT_RD|BIT_CD), qstate->is_priming, qstate->is_valrec); } -void +void iter_mark_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) { struct delegpt_ns* ns; @@ -701,21 +706,21 @@ if(ns->resolved) continue; /* see if this ns as target causes dependency cycle */ - if(causes_cycle(qstate, ns->name, ns->namelen, + if(causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass) || - causes_cycle(qstate, ns->name, ns->namelen, + causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_A, qstate->qinfo.qclass)) { log_nametypeclass(VERB_QUERY, "skipping target due " "to dependency cycle (harden-glue: no may " - "fix some of the cycles)", - ns->name, LDNS_RR_TYPE_A, + "fix some of the cycles)", + ns->name, LDNS_RR_TYPE_A, qstate->qinfo.qclass); ns->resolved = 1; } } } -void +void iter_mark_pside_cycle_targets(struct module_qstate* qstate, struct delegpt* dp) { struct delegpt_ns* ns; 
@@ -723,14 +728,14 @@ if(ns->done_pside4 && ns->done_pside6) continue; /* see if this ns as target causes dependency cycle */ - if(causes_cycle(qstate, ns->name, ns->namelen, + if(causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_A, qstate->qinfo.qclass)) { log_nametypeclass(VERB_QUERY, "skipping target due " "to dependency cycle", ns->name, LDNS_RR_TYPE_A, qstate->qinfo.qclass); ns->done_pside4 = 1; } - if(causes_cycle(qstate, ns->name, ns->namelen, + if(causes_cycle(qstate, ns->name, ns->namelen, LDNS_RR_TYPE_AAAA, qstate->qinfo.qclass)) { log_nametypeclass(VERB_QUERY, "skipping target due " "to dependency cycle", ns->name, @@ -740,11 +745,12 @@ } } -int -iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, - struct delegpt* dp) +int +iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, + struct delegpt* dp, int supports_ipv4, int supports_ipv6) { struct delegpt_ns* ns; + struct delegpt_addr* a; /* check: * o RD qflag is on. * o no addresses are provided. 
@@ -757,17 +763,28 @@ */ if(!(qflags&BIT_RD)) return 0; - /* either available or unused targets */ - if(dp->usable_list || dp->result_list) - return 0; - + /* either available or unused targets, + * if they exist, the dp is not useless. */ + for(a = dp->usable_list; a; a = a->next_usable) { + if(!addr_is_ip6(&a->addr, a->addrlen) && supports_ipv4) + return 0; + else if(addr_is_ip6(&a->addr, a->addrlen) && supports_ipv6) + return 0; + } + for(a = dp->result_list; a; a = a->next_result) { + if(!addr_is_ip6(&a->addr, a->addrlen) && supports_ipv4) + return 0; + else if(addr_is_ip6(&a->addr, a->addrlen) && supports_ipv6) + return 0; + } + /* see if query is for one of the nameservers, which is glue */ - if( (qinfo->qtype == LDNS_RR_TYPE_A || - qinfo->qtype == LDNS_RR_TYPE_AAAA) && + if( ((qinfo->qtype == LDNS_RR_TYPE_A && supports_ipv4) || + (qinfo->qtype == LDNS_RR_TYPE_AAAA && supports_ipv6)) && dname_subdomain_c(qinfo->qname, dp->name) && delegpt_find_ns(dp, qinfo->qname, qinfo->qname_len)) return 1; - + for(ns = dp->nslist; ns; ns = ns->next) { if(ns->resolved) /* skip failed targets */ continue; @@ -785,7 +802,7 @@ return 0; /* a trust anchor exists above the name? */ if((a=anchors_lookup(env->anchors, qinfo->qname, qinfo->qname_len, - qinfo->qclass))) { + qinfo->qclass))) { if(a->numDS == 0 && a->numDNSKEY == 0) { /* insecure trust point */ lock_basic_unlock(&a->lock); @@ -798,7 +815,7 @@ return 0; } -int +int iter_indicates_dnssec(struct module_env* env, struct delegpt* dp, struct dns_msg* msg, uint16_t dclass) { @@ -842,7 +859,7 @@ return 0; } -int +int iter_msg_has_dnssec(struct dns_msg* msg) { size_t i; 
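Review bot: The two new loops in `iter_dp_is_useless` repeat the same address-family test and call `addr_is_ip6()` twice per address; they differ only in the link field they follow (`next_usable` versus `next_result`). A small static helper taking a `struct delegpt_addr*` and the two support flags would keep the IPv4/IPv6 rule in one place, with a body like `return addr_is_ip6(&a->addr, a->addrlen) ? supports_ipv6 : supports_ipv4;`. Each loop then reduces to a single `if(helper(a, supports_ipv4, supports_ipv6)) return 0;`. The function's signature is in the previous hunk and its body continues past this one.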
@@ -875,7 +892,7 @@ * and referral to example.com. NS ... , then origin zone * is .com. For a referral to sub.example.com. NS ... then * we do not know, since example.com. may be in between. */ - for(i=0; i<msg->rep->an_numrrsets+msg->rep->ns_numrrsets; + for(i=0; i<msg->rep->an_numrrsets+msg->rep->ns_numrrsets; i++) { struct ub_packed_rrset_key* s = msg->rep->rrsetsi; if(ntohs(s->rk.type) == LDNS_RR_TYPE_NS && @@ -890,7 +907,7 @@ return 0; } log_assert(type==RESPONSE_TYPE_ANSWER || type==RESPONSE_TYPE_CNAME); - /* not a referral, and not lame delegation (upwards), so, + /* not a referral, and not lame delegation (upwards), so, * any NS rrset must be from the zone itself */ if(reply_find_rrset_section_an(msg->rep, dp->name, dp->namelen, LDNS_RR_TYPE_NS, dclass) || @@ -906,7 +923,7 @@ } /** - * check equality of two rrsets + * check equality of two rrsets * @param k1: rrset * @param k2: rrset * @return true if equal @@ -935,7 +952,7 @@ for(i=0; i<t; i++) { if(d1->rr_leni != d2->rr_leni || /* no ttl check: d1->rr_ttli != d2->rr_ttli ||*/ - memcmp(d1->rr_datai, d2->rr_datai, + memcmp(d1->rr_datai, d2->rr_datai, d1->rr_leni) != 0) return 0; } @@ -966,7 +983,7 @@ return 0; } -int +int reply_equal(struct reply_info* p, struct reply_info* q, struct regional* region) { size_t i; @@ -1024,7 +1041,7 @@ return 1; } -void +void caps_strip_reply(struct reply_info* rep) { size_t i; @@ -1066,8 +1083,8 @@ FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN); } -void -iter_store_parentside_rrset(struct module_env* env, +void +iter_store_parentside_rrset(struct module_env* env, struct ub_packed_rrset_key* rrset) { struct rrset_ref ref; 
@@ -1107,12 +1124,12 @@ } } -void iter_store_parentside_neg(struct module_env* env, +void iter_store_parentside_neg(struct module_env* env, struct query_info* qinfo, struct reply_info* rep) { /* TTL: NS from referral in iq->deleg_msg, * or first RR from iq->response, - * or servfail5secs if !iq->response */ + * or servfail5secs if !iq->response */ time_t ttl = NORR_TTL; struct ub_packed_rrset_key* neg; struct packed_rrset_data* newd; @@ -1133,7 +1150,7 @@ neg->rk.type = htons(qinfo->qtype); neg->rk.rrset_class = htons(qinfo->qclass); neg->rk.flags = 0; - neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname, + neg->rk.dname = regional_alloc_init(env->scratch, qinfo->qname, qinfo->qname_len); if(!neg->rk.dname) { log_err("out of memory in store_parentside_neg"); @@ -1141,7 +1158,7 @@ } neg->rk.dname_len = qinfo->qname_len; neg->entry.hash = rrset_key_hash(&neg->rk); - newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch, + newd = (struct packed_rrset_data*)regional_alloc_zero(env->scratch, sizeof(struct packed_rrset_data) + sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)); if(!newd) { @@ -1166,13 +1183,13 @@ iter_store_parentside_rrset(env, neg); } -int +int iter_lookup_parent_NS_from_cache(struct module_env* env, struct delegpt* dp, struct regional* region, struct query_info* qinfo) { struct ub_packed_rrset_key* akey; - akey = rrset_cache_lookup(env->rrset_cache, dp->name, - dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass, + akey = rrset_cache_lookup(env->rrset_cache, dp->name, + dp->namelen, LDNS_RR_TYPE_NS, qinfo->qclass, PACKED_RRSET_PARENT_SIDE, *env->now, 0); if(akey) { log_rrset_key(VERB_ALGO, "found parent-side NS in cache", akey); 
@@ -1194,9 +1211,12 @@ struct delegpt_ns* ns; size_t num = delegpt_count_targets(dp); for(ns = dp->nslist; ns; ns = ns->next) { + if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE) + continue; + ns->cache_lookup_count++; /* get cached parentside A */ - akey = rrset_cache_lookup(env->rrset_cache, ns->name, - ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_A, qinfo->qclass, PACKED_RRSET_PARENT_SIDE, *env->now, 0); if(akey) { log_rrset_key(VERB_ALGO, "found parent-side", akey); @@ -1207,8 +1227,8 @@ lock_rw_unlock(&akey->entry.lock); } /* get cached parentside AAAA */ - akey = rrset_cache_lookup(env->rrset_cache, ns->name, - ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass, + akey = rrset_cache_lookup(env->rrset_cache, ns->name, + ns->namelen, LDNS_RR_TYPE_AAAA, qinfo->qclass, PACKED_RRSET_PARENT_SIDE, *env->now, 0); if(akey) { log_rrset_key(VERB_ALGO, "found parent-side", akey); @@ -1223,8 +1243,8 @@ return delegpt_count_targets(dp) != num; } -int -iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd, +int +iter_get_next_root(struct iter_hints* hints, struct iter_forwards* fwd, uint16_t* c) { uint16_t c1 = *c, c2 = *c; @@ -1246,7 +1266,7 @@ iter_scrub_ds(struct dns_msg* msg, struct ub_packed_rrset_key* ns, uint8_t* z) { /* Only the DS record for the delegation itself is expected. - * We allow DS for everything between the bailiwick and the + * We allow DS for everything between the bailiwick and the * zonecut, thus DS records must be at or above the zonecut. * And the DS records must be below the server authority zone. * The answer section is already scrubbed. */ @@ -1260,7 +1280,7 @@ s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); memmove(msg->rep->rrsets+i, msg->rep->rrsets+i+1, - sizeof(struct ub_packed_rrset_key*) * + sizeof(struct ub_packed_rrset_key*) * (msg->rep->rrset_count-i-1)); msg->rep->ns_numrrsets--; msg->rep->rrset_count--; 
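Review bot: The new bound in the parent-side glue loop uses `>`, so a nameserver is still looked up while `cache_lookup_count` runs from 0 through `ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE`, one pass more than the header comment for that constant ("max number of lookups") suggests. If the constant is meant as the exact cap, the test should be `if(ns->cache_lookup_count >= ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE)`; otherwise the header comment should state that the limit is MAX+1 passes. Where the per-nameserver counter is initialised or reset is not visible here, so a one-line comment on its lifetime next to the increment would help the next reader judge the bound. The enclosing function starts outside the hunk.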
@@ -1284,11 +1304,11 @@ msg->rep->an_numrrsets = 0; } -void iter_dec_attempts(struct delegpt* dp, int d) +void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry) { struct delegpt_addr* a; for(a=dp->target_list; a; a = a->next_target) { - if(a->attempts >= OUTBOUND_MSG_RETRY) { + if(a->attempts >= outbound_msg_retry) { /* add back to result list */ a->next_result = dp->result_list; dp->result_list = a; @@ -1299,7 +1319,8 @@ } } -void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old) +void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old, + int outbound_msg_retry) { struct delegpt_addr* a, *o, *prev; for(a=dp->target_list; a; a = a->next_target) { @@ -1313,7 +1334,7 @@ prev = NULL; a = dp->usable_list; while(a) { - if(a->attempts >= OUTBOUND_MSG_RETRY) { + if(a->attempts >= outbound_msg_retry) { log_addr(VERB_ALGO, "remove from usable list dp", &a->addr, a->addrlen); /* remove from result list */
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iter_utils.h -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iter_utils.h
@@ -62,6 +62,15 @@ struct module_stack; struct outside_network; +/* max number of lookups in the cache for target nameserver names. + * This stops, for large delegations, N*N lookups in the cache. */ +#define ITERATOR_NAME_CACHELOOKUP_MAX 3 +/* max number of lookups in the cache for parentside glue for nameserver names + * This stops, for larger delegations, N*N lookups in the cache. + * It is a little larger than the nonpside max, so it allows a couple extra + * lookups of parent side glue. */ +#define ITERATOR_NAME_CACHELOOKUP_MAX_PSIDE 5 + /** * Process config options and set iterator module state. * Sets default values if no config is found. @@ -132,6 +141,7 @@ * can be prefetch-updates. * @param region: to copy modified (cache is better) rrs back to. * @param flags: with BIT_CD for dns64 AAAA translated queries. + * @param qstarttime: time of query start. * return void, because we are not interested in alloc errors, * the iterator and validator can operate on the results in their * scratch space (the qstate.region) and are not dependent on the cache. @@ -140,7 +150,7 @@ */ void iter_dns_store(struct module_env* env, struct query_info* qinf, struct reply_info* rep, int is_referral, time_t leeway, int pside, - struct regional* region, uint16_t flags); + struct regional* region, uint16_t flags, time_t qstarttime); /** * Select randomly with n/m probability. 
@@ -175,10 +185,14 @@ * @param qinfo: query name and type * @param qflags: query flags with RD flag * @param dp: delegpt to check. + * @param supports_ipv4: if we support ipv4 for lookups to the target. + * if not, then the IPv4 addresses are useless. + * @param supports_ipv6: if we support ipv6 for lookups to the target. + * if not, then the IPv6 addresses are useless. * @return true if dp is useless. */ int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, - struct delegpt* dp); + struct delegpt* dp, int supports_ipv4, int supports_ipv6); /** * See if qname has DNSSEC needs. This is true if there is a trust anchor above @@ -347,16 +361,19 @@ * Remove query attempts from all available ips. For 0x20. * @param dp: delegpt. * @param d: decrease. + * @param outbound_msg_retry: number of retries of outgoing queries */ -void iter_dec_attempts(struct delegpt* dp, int d); +void iter_dec_attempts(struct delegpt* dp, int d, int outbound_msg_retry); /** * Add retry counts from older delegpt to newer delegpt. * Does not waste time on timeout'd (or other failing) addresses. * @param dp: new delegationpoint. * @param old: old delegationpoint. + * @param outbound_msg_retry: number of retries of outgoing queries */ -void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old); +void iter_merge_retry_counts(struct delegpt* dp, struct delegpt* old, + int outbound_msg_retry); /** * See if a DS response (type ANSWER) is too low: a nodata answer with
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iterator.c -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iterator.c
@@ -71,6 +71,10 @@ /* in msec */ int UNKNOWN_SERVER_NICENESS = 376; +/* in msec */ +int USEFUL_SERVER_TOP_TIMEOUT = 120000; +/* Equals USEFUL_SERVER_TOP_TIMEOUT*4 */ +int BLACKLIST_PENALTY = (120000*4); static void target_count_increase_nx(struct iter_qstate* iq, int num); @@ -251,10 +255,11 @@ log_err("out of memory adding missing"); } delegpt_mark_neg(dpns, qstate->qinfo.qtype); - dpns->resolved = 1; /* mark as failed */ if((dpns->got4 == 2 || !ie->supports_ipv4) && - (dpns->got6 == 2 || !ie->supports_ipv6)) + (dpns->got6 == 2 || !ie->supports_ipv6)) { + dpns->resolved = 1; /* mark as failed */ target_count_increase_nx(super_iq, 1); + } } if(qstate->qinfo.qtype == LDNS_RR_TYPE_NS) { /* prime failed to get delegation */ @@ -370,7 +375,7 @@ err.security = sec_status_indeterminate; verbose(VERB_ALGO, "store error response in message cache"); iter_dns_store(qstate->env, &qstate->qinfo, &err, 0, 0, 0, NULL, - qstate->query_flags); + qstate->query_flags, qstate->qstarttime); } return error_response(qstate, id, rcode); } @@ -591,15 +596,17 @@ { if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) return; - if((qstate->reply && qstate->reply->addrlen != 0) || - (iq->fail_reply && iq->fail_reply->addrlen != 0)) { + if((qstate->reply && qstate->reply->remote_addrlen != 0) || + (iq->fail_reply && iq->fail_reply->remote_addrlen != 0)) { char from256, frm512; - if(qstate->reply && qstate->reply->addrlen != 0) - addr_to_str(&qstate->reply->addr, qstate->reply->addrlen, - from, sizeof(from)); + if(qstate->reply && qstate->reply->remote_addrlen != 0) + addr_to_str(&qstate->reply->remote_addr, + qstate->reply->remote_addrlen, from, + sizeof(from)); else - addr_to_str(&iq->fail_reply->addr, iq->fail_reply->addrlen, - from, sizeof(from)); + addr_to_str(&iq->fail_reply->remote_addr, + iq->fail_reply->remote_addrlen, from, + sizeof(from)); snprintf(frm, sizeof(frm), "from %s", from); errinf(qstate, frm); } 
@@ -678,15 +685,20 @@ iq->qchase.qclass) != NULL; } -/** create target count structure for this query */ +/** + * Create target count structure for this query. This is always explicitly + * created for the parent query. + */ static void target_count_create(struct iter_qstate* iq) { if(!iq->target_count) { - iq->target_count = (int*)calloc(3, sizeof(int)); + iq->target_count = (int*)calloc(TARGET_COUNT_MAX, sizeof(int)); /* if calloc fails we simply do not track this number */ - if(iq->target_count) - iq->target_count0 = 1; + if(iq->target_count) { + iq->target_countTARGET_COUNT_REF = 1; + iq->nxns_dp = (uint8_t**)calloc(1, sizeof(uint8_t*)); + } } } @@ -695,7 +707,7 @@ { target_count_create(iq); if(iq->target_count) - iq->target_count1 += num; + iq->target_countTARGET_COUNT_QUERIES += num; iq->dp_target_count++; } @@ -704,7 +716,7 @@ { target_count_create(iq); if(iq->target_count) - iq->target_count2 += num; + iq->target_countTARGET_COUNT_NX += num; } /** @@ -799,8 +811,10 @@ subiq->num_target_queries = 0; target_count_create(iq); subiq->target_count = iq->target_count; - if(iq->target_count) - iq->target_count0 ++; /* extra reference */ + if(iq->target_count) { + iq->target_countTARGET_COUNT_REF ++; /* extra reference */ + subiq->nxns_dp = iq->nxns_dp; + } subiq->dp_target_count = 0; subiq->num_current_queries = 0; subiq->depth = iq->depth+1; 
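Review bot: In `target_count_create` the second allocation, `iq->nxns_dp = (uint8_t**)calloc(1, sizeof(uint8_t*));`, is never checked, and the existing comment only covers failure of the first `calloc`. The `processQueryTargets` hunk further down evaluates `!*iq->nxns_dp` and `*iq->nxns_dp` guarded only by `iq->target_count`, so an out-of-memory condition here would become a NULL dereference there. The sub-query hunk on this line copies the pointer under the same guard. Treating both allocations as one unit keeps the "simply do not track" behaviour: after the second `calloc`, add `if(!iq->nxns_dp) { free(iq->target_count); iq->target_count = NULL; }`. Where `nxns_dp` and the name it later points to are released is outside the visible hunks and should be checked against the reference count.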
@@ -1206,6 +1220,15 @@ (qstate->query_flags&BIT_RD) && !(qstate->query_flags&BIT_CD)){ return; } + /* we do not generate this prefetch when the query list is full, + * the query is fetched, if needed, when the validator wants it. + * At that time the validator waits for it, after spawning it. + * This means there is one state that uses cpu and a socket, the + * spawned while this one waits, and not several at the same time, + * if we had created the lookup here. And this helps to keep + * the total load down, but the query still succeeds to resolve. */ + if(mesh_jostle_exceeded(qstate->env->mesh)) + return; /* if the DNSKEY is in the cache this lookup will stop quickly */ log_nametypeclass(VERB_ALGO, "schedule dnskey prefetch", @@ -1291,7 +1314,7 @@ /* We enforce a maximum number of query restarts. This is primarily a * cheap way to prevent CNAME loops. */ - if(iq->query_restart_count > MAX_RESTART_COUNT) { + if(iq->query_restart_count > ie->max_query_restarts) { verbose(VERB_QUERY, "request has exceeded the maximum number" " of query restarts with %d", iq->query_restart_count); errinf(qstate, "request has exceeded the maximum number " @@ -1477,7 +1500,8 @@ iq->dp = dns_cache_find_delegation(qstate->env, delname, delnamelen, iq->qchase.qtype, iq->qchase.qclass, qstate->region, &iq->deleg_msg, - *qstate->env->now+qstate->prefetch_leeway); + *qstate->env->now+qstate->prefetch_leeway, 1, + dpname, dpnamelen); else iq->dp = NULL; /* If the cache has returned nothing, then we have a 
@@ -1533,36 +1557,6 @@ if(!iq->ratelimit_ok && qstate->prefetch_leeway) iq->ratelimit_ok = 1; /* allow prefetches, this keeps otherwise valid data in the cache */ - if(!iq->ratelimit_ok && infra_ratelimit_exceeded( - qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now)) { - /* and increment the rate, so that the rate for time - * now will also exceed the rate, keeping cache fresh */ - (void)infra_ratelimit_inc(qstate->env->infra_cache, - iq->dp->name, iq->dp->namelen, - *qstate->env->now, &qstate->qinfo, - qstate->reply); - /* see if we are passed through with slip factor */ - if(qstate->env->cfg->ratelimit_factor != 0 && - ub_random_max(qstate->env->rnd, - qstate->env->cfg->ratelimit_factor) == 1) { - iq->ratelimit_ok = 1; - log_nametypeclass(VERB_ALGO, "ratelimit allowed through for " - "delegation point", iq->dp->name, - LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); - } else { - lock_basic_lock(&ie->queries_ratelimit_lock); - ie->num_queries_ratelimited++; - lock_basic_unlock(&ie->queries_ratelimit_lock); - log_nametypeclass(VERB_ALGO, "ratelimit exceeded with " - "delegation point", iq->dp->name, - LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); - qstate->was_ratelimited = 1; - errinf(qstate, "query was ratelimited"); - errinf_dname(qstate, "for zone", iq->dp->name); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); - } - } /* see if this dp not useless. * It is useless if: @@ -1577,7 +1571,7 @@ * same server reply) if useless-checked. */ if(iter_dp_is_useless(&qstate->qinfo, qstate->query_flags, - iq->dp)) { + iq->dp, ie->supports_ipv4, ie->supports_ipv6)) { struct delegpt* retdp = NULL; if(!can_have_last_resort(qstate->env, iq->dp->name, iq->dp->namelen, iq->qchase.qclass, &retdp)) { if(retdp) { 
@@ -1799,7 +1793,8 @@ subiq->dp = dns_cache_find_delegation(qstate->env, name, namelen, qtype, qclass, subq->region, &subiq->deleg_msg, - *qstate->env->now+subq->prefetch_leeway); + *qstate->env->now+subq->prefetch_leeway, + 1, NULL, 0); /* if no dp, then it's from root, refetch unneeded */ if(subiq->dp) { subiq->dnssec_expected = iter_indicates_dnssec( @@ -1861,14 +1856,32 @@ int missing; int toget = 0; + iter_mark_cycle_targets(qstate, iq->dp); + missing = (int)delegpt_count_missing_targets(iq->dp, NULL); + log_assert(maxtargets != 0); /* that would not be useful */ + + /* Generate target requests. Basically, any missing targets + * are queried for here, regardless if it is necessary to do + * so to continue processing. */ + if(maxtargets < 0 || maxtargets > missing) + toget = missing; + else toget = maxtargets; + if(toget == 0) { + *num = 0; + return 1; + } + + /* now that we are sure that a target query is going to be made, + * check the limits. */ if(iq->depth == ie->max_dependency_depth) return 0; if(iq->depth > 0 && iq->target_count && - iq->target_count1 > MAX_TARGET_COUNT) { + iq->target_countTARGET_COUNT_QUERIES > MAX_TARGET_COUNT) { char sLDNS_MAX_DOMAINLEN+1; dname_str(qstate->qinfo.qname, s); verbose(VERB_QUERY, "request %s has exceeded the maximum " - "number of glue fetches %d", s, iq->target_count1); + "number of glue fetches %d", s, + iq->target_countTARGET_COUNT_QUERIES); return 0; } if(iq->dp_target_count > MAX_DP_TARGET_COUNT) { 
@@ -1880,20 +1893,6 @@ return 0; } - iter_mark_cycle_targets(qstate, iq->dp); - missing = (int)delegpt_count_missing_targets(iq->dp); - log_assert(maxtargets != 0); /* that would not be useful */ - - /* Generate target requests. Basically, any missing targets - * are queried for here, regardless if it is necessary to do - * so to continue processing. */ - if(maxtargets < 0 || maxtargets > missing) - toget = missing; - else toget = maxtargets; - if(toget == 0) { - *num = 0; - return 1; - } /* select 'toget' items from the total of 'missing' items */ log_assert(toget <= missing); @@ -1910,7 +1909,9 @@ continue; } - if(ie->supports_ipv6 && !ns->got6) { + if(ie->supports_ipv6 && + ((ns->lame && !ns->done_pside6) || + (!ns->lame && !ns->got6))) { /* Send the AAAA request. */ if(!generate_target_query(qstate, iq, id, ns->name, ns->namelen, @@ -1921,9 +1922,19 @@ return 0; } query_count++; + /* If the mesh query list is full, exit the loop here. + * This makes the routine spawn one query at a time, + * and this means there is no query state load + * increase, because the spawned state uses cpu and a + * socket while this state waits for that spawned + * state. Next time we can look up further targets */ + if(mesh_jostle_exceeded(qstate->env->mesh)) + break; } /* Send the A request. */ - if(ie->supports_ipv4 && !ns->got4) { + if(ie->supports_ipv4 && + ((ns->lame && !ns->done_pside4) || + (!ns->lame && !ns->got4))) { if(!generate_target_query(qstate, iq, id, ns->name, ns->namelen, LDNS_RR_TYPE_A, iq->qchase.qclass)) { @@ -1933,6 +1944,9 @@ return 0; } query_count++; + /* If the mesh query list is full, exit the loop. */ + if(mesh_jostle_exceeded(qstate->env->mesh)) + break; } /* mark this target as in progress. */ 
@@ -1988,12 +2002,13 @@ iq->chase_flags &= ~BIT_RD; /* go to authorities */ for(ns = p->nslist; ns; ns=ns->next) { (void)delegpt_add_ns(iq->dp, qstate->region, - ns->name, ns->lame); + ns->name, ns->lame, ns->tls_auth_name, + ns->port); } for(a = p->target_list; a; a=a->next_target) { (void)delegpt_add_addr(iq->dp, qstate->region, &a->addr, a->addrlen, a->bogus, - a->lame, a->tls_auth_name, NULL); + a->lame, a->tls_auth_name, -1, NULL); } } iq->dp->has_parent_side_NS = 1; @@ -2032,7 +2047,7 @@ return next_state(iq, QUERYTARGETS_STATE); } /* query for an extra name added by the parent-NS record */ - if(delegpt_count_missing_targets(iq->dp) > 0) { + if(delegpt_count_missing_targets(iq->dp, NULL) > 0) { int qs = 0; verbose(VERB_ALGO, "try parent-side target name"); if(!query_for_targets(qstate, iq, ie, id, 1, &qs)) { @@ -2053,11 +2068,12 @@ return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); } if(iq->depth > 0 && iq->target_count && - iq->target_count1 > MAX_TARGET_COUNT) { + iq->target_countTARGET_COUNT_QUERIES > MAX_TARGET_COUNT) { char sLDNS_MAX_DOMAINLEN+1; dname_str(qstate->qinfo.qname, s); verbose(VERB_QUERY, "request %s has exceeded the maximum " - "number of glue fetches %d", s, iq->target_count1); + "number of glue fetches %d", s, + iq->target_countTARGET_COUNT_QUERIES); errinf(qstate, "exceeded the maximum number of glue fetches"); return error_response_cache(qstate, id, LDNS_RCODE_SERVFAIL); } @@ -2091,6 +2107,15 @@ } ns->done_pside6 = 1; query_count++; + if(mesh_jostle_exceeded(qstate->env->mesh)) { + /* Wait for the lookup; do not spawn multiple + * lookups at a time. */ + verbose(VERB_ALGO, "try parent-side glue lookup"); + iq->num_target_queries += query_count; + target_count_increase(iq, query_count); + qstate->ext_stateid = module_wait_subquery; + return 0; + } } if(ie->supports_ipv4 && !ns->done_pside4) { /* Send the A request. */ 
@@ -2184,6 +2209,32 @@ return 0; } + +/** + * Check if we wait responses for sent queries and update the iterator's + * external state. + */ +static void +check_waiting_queries(struct iter_qstate* iq, struct module_qstate* qstate, + int id) +{ + if(iq->num_target_queries>0 && iq->num_current_queries>0) { + verbose(VERB_ALGO, "waiting for %d targets to " + "resolve or %d outstanding queries to " + "respond", iq->num_target_queries, + iq->num_current_queries); + qstate->ext_stateid = module_wait_reply; + } else if(iq->num_target_queries>0) { + verbose(VERB_ALGO, "waiting for %d targets to " + "resolve", iq->num_target_queries); + qstate->ext_stateid = module_wait_subquery; + } else { + verbose(VERB_ALGO, "waiting for %d " + "outstanding queries to respond", + iq->num_current_queries); + qstate->ext_stateid = module_wait_reply; + } +} /** * This is the request event state where the request will be sent to one of @@ -2211,9 +2262,12 @@ int auth_fallback = 0; uint8_t* qout_orig = NULL; size_t qout_orig_len = 0; + int sq_check_ratelimit = 1; + int sq_was_ratelimited = 0; + int can_do_promisc = 0; - /* NOTE: a request will encounter this state for each target it - * needs to send a query to. That is, at least one per referral, + /* NOTE: a request will encounter this state for each target it + * needs to send a query to. That is, at least one per referral, * more if some targets timeout or return throwaway answers. */ log_query_info(VERB_QUERY, "processQueryTargets:", &qstate->qinfo); 
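Review bot: `check_waiting_queries` has a precondition that its doc comment does not state: the final `else` logs "waiting for %d outstanding queries to respond" and selects `module_wait_reply` even when both `num_target_queries` and `num_current_queries` are zero. The callers added in the NXNS fallback hunk test `iq->num_target_queries>0 || iq->num_current_queries>0` first, but the call that replaces the old inline block shows no such test within its hunk. I would add `* Callers must ensure there is at least one target query or outstanding query.` to the comment. I would also reword its first sentence to "Check whether we are waiting for responses to sent queries and update the iterator's external state."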
@@ -2222,25 +2276,103 @@ iq->num_current_queries, iq->sent_count); /* Make sure that we haven't run away */ - /* FIXME: is this check even necessary? */ if(iq->referral_count > MAX_REFERRAL_COUNT) { verbose(VERB_QUERY, "request has exceeded the maximum " "number of referrrals with %d", iq->referral_count); errinf(qstate, "exceeded the maximum of referrals"); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } - if(iq->sent_count > MAX_SENT_COUNT) { + if(iq->sent_count > ie->max_sent_count) { verbose(VERB_QUERY, "request has exceeded the maximum " "number of sends with %d", iq->sent_count); errinf(qstate, "exceeded the maximum number of sends"); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); } - if(iq->target_count && iq->target_count2 > MAX_TARGET_NX) { - verbose(VERB_QUERY, "request has exceeded the maximum " - " number of nxdomain nameserver lookups with %d", - iq->target_count2); - errinf(qstate, "exceeded the maximum nameserver nxdomains"); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + + /* Check if we reached MAX_TARGET_NX limit without a fallback activation. */ + if(iq->target_count && !*iq->nxns_dp && + iq->target_countTARGET_COUNT_NX > MAX_TARGET_NX) { + struct delegpt_ns* ns; + /* If we can wait for resolution, do so. */ + if(iq->num_target_queries>0 || iq->num_current_queries>0) { + check_waiting_queries(iq, qstate, id); + return 0; + } + verbose(VERB_ALGO, "request has exceeded the maximum " + "number of nxdomain nameserver lookups (%d) with %d", + MAX_TARGET_NX, iq->target_countTARGET_COUNT_NX); + /* Check for dp because we require one below */ + if(!iq->dp) { + verbose(VERB_QUERY, "Failed to get a delegation, " + "giving up"); + errinf(qstate, "failed to get a delegation (eg. 
prime " + "failure)"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + /* We reached the limit but we already have parent side + * information; stop resolution */ + if(iq->dp->has_parent_side_NS) { + verbose(VERB_ALGO, "parent-side information is " + "already present for the delegation point, no " + "fallback possible"); + errinf(qstate, "exceeded the maximum nameserver nxdomains"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + verbose(VERB_ALGO, "initiating parent-side fallback for " + "nxdomain nameserver lookups"); + /* Mark all the current NSes as resolved to allow for parent + * fallback */ + for(ns=iq->dp->nslist; ns; ns=ns->next) { + ns->resolved = 1; + } + /* Note the delegation point that triggered the NXNS fallback; + * no reason for shared queries to keep trying there. + * This also marks the fallback activation. */ + *iq->nxns_dp = malloc(iq->dp->namelen); + if(!*iq->nxns_dp) { + verbose(VERB_ALGO, "out of memory while initiating " + "fallback"); + errinf(qstate, "exceeded the maximum nameserver " + "nxdomains (malloc)"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + memcpy(*iq->nxns_dp, iq->dp->name, iq->dp->namelen); + } else if(iq->target_count && *iq->nxns_dp) { + /* Handle the NXNS fallback case. */ + /* If we can wait for resolution, do so. */ + if(iq->num_target_queries>0 || iq->num_current_queries>0) { + check_waiting_queries(iq, qstate, id); + return 0; + } + /* Check for dp because we require one below */ + if(!iq->dp) { + verbose(VERB_QUERY, "Failed to get a delegation, " + "giving up"); + errinf(qstate, "failed to get a delegation (eg. 
prime " + "failure)"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + + if(iq->target_countTARGET_COUNT_NX > MAX_TARGET_NX_FALLBACK) { + verbose(VERB_ALGO, "request has exceeded the maximum " + "number of fallback nxdomain nameserver " + "lookups (%d) with %d", MAX_TARGET_NX_FALLBACK, + iq->target_countTARGET_COUNT_NX); + errinf(qstate, "exceeded the maximum nameserver nxdomains"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + + if(!iq->dp->has_parent_side_NS) { + struct delegpt_ns* ns; + if(!dname_canonical_compare(*iq->nxns_dp, iq->dp->name)) { + verbose(VERB_ALGO, "this delegation point " + "initiated the fallback, marking the " + "nslist as resolved"); + for(ns=iq->dp->nslist; ns; ns=ns->next) { + ns->resolved = 1; + } + } + } } /* Make sure we have a delegation point, otherwise priming failed @@ -2298,7 +2430,7 @@ iq->minimise_count++; iq->timeout_count = 0; - iter_dec_attempts(iq->dp, 1); + iter_dec_attempts(iq->dp, 1, ie->outbound_msg_retry); /* Limit number of iterations for QNAMEs with more * than MAX_MINIMISE_COUNT labels. Send first MINIMISE_ONE_LAB @@ -2458,8 +2590,13 @@ * that servfail is cached, which is not good as opportunism goes. */ if(iq->depth < ie->max_dependency_depth && iq->num_target_queries == 0 - && (!iq->target_count || iq->target_count2==0) + && (!iq->target_count || iq->target_countTARGET_COUNT_NX==0) && iq->sent_count < TARGET_FETCH_STOP) { + can_do_promisc = 1; + } + /* if the mesh query list is full, then do not waste cpu and sockets to + * fetch promiscuous targets. They can be looked up when needed. */ + if(can_do_promisc && !mesh_jostle_exceeded(qstate->env->mesh)) { tf_policy = ie->target_fetch_policyiq->depth; } 
@@ -2492,7 +2629,7 @@ * the original query is one that matched too, so we have * caps_server+1 number of matching queries now */ if(iq->caps_server+1 >= naddr*3 || - iq->caps_server*2+2 >= MAX_SENT_COUNT) { + iq->caps_server*2+2 >= (size_t)ie->max_sent_count) { /* *2 on sentcount check because ipv6 may fail */ /* we're done, process the response */ verbose(VERB_ALGO, "0x20 fallback had %d responses " @@ -2500,7 +2637,7 @@ (int)iq->caps_server+1, (int)naddr*3); iq->response = iq->caps_response; iq->caps_fallback = 0; - iter_dec_attempts(iq->dp, 3); /* space for fallback */ + iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */ iq->num_current_queries++; /* RespState decrements it*/ iq->referral_count++; /* make sure we don't loop */ iq->sent_count = 0; @@ -2529,10 +2666,27 @@ /* Add the current set of unused targets to our queue. */ delegpt_add_unused_targets(iq->dp); + if(qstate->env->auth_zones) { + /* apply rpz triggers at query time */ + struct dns_msg* forged_response = rpz_callback_from_iterator_module(qstate, iq); + if(forged_response != NULL) { + qstate->ext_stateid = module_finished; + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = forged_response; + iq->response = forged_response; + next_state(iq, FINISHED_STATE); + if(!iter_prepend(iq, qstate->return_msg, qstate->region)) { + log_err("rpz: prepend rrsets: out of memory"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + return 0; + } + } + /* Select the next usable target, filtering out unsuitable targets. */ - target = iter_server_selection(ie, qstate->env, iq->dp, + target = iter_server_selection(ie, qstate->env, iq->dp, iq->dp->name, iq->dp->namelen, iq->qchase.qtype, - &iq->dnssec_lame_query, &iq->chase_to_rd, + &iq->dnssec_lame_query, &iq->chase_to_rd, iq->num_target_queries, qstate->blacklist, qstate->prefetch_leeway); 
@@ -2551,7 +2705,7 @@ /* If there is nothing to wait for, then we need * to distinguish between generating (a) new target * query, or failing. */ - if(delegpt_count_missing_targets(iq->dp) > 0) { + if(delegpt_count_missing_targets(iq->dp, NULL) > 0) { int qs = 0; verbose(VERB_ALGO, "querying for next " "missing target"); @@ -2563,7 +2717,7 @@ LDNS_RCODE_SERVFAIL); } if(qs == 0 && - delegpt_count_missing_targets(iq->dp) == 0){ + delegpt_count_missing_targets(iq->dp, NULL) == 0){ /* it looked like there were missing * targets, but they did not turn up. * Try the bad choices again (if any), @@ -2588,7 +2742,7 @@ (int)iq->caps_server+1); iq->response = iq->caps_response; iq->caps_fallback = 0; - iter_dec_attempts(iq->dp, 3); /* space for fallback */ + iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); /* space for fallback */ iq->num_current_queries++; /* RespState decrements it*/ iq->referral_count++; /* make sure we don't loop */ iq->sent_count = 0; @@ -2602,23 +2756,8 @@ /* otherwise, we have no current targets, so submerge * until one of the target or direct queries return. */ - if(iq->num_target_queries>0 && iq->num_current_queries>0) { - verbose(VERB_ALGO, "no current targets -- waiting " - "for %d targets to resolve or %d outstanding" - " queries to respond", iq->num_target_queries, - iq->num_current_queries); - qstate->ext_stateid = module_wait_reply; - } else if(iq->num_target_queries>0) { - verbose(VERB_ALGO, "no current targets -- waiting " - "for %d targets to resolve.", - iq->num_target_queries); - qstate->ext_stateid = module_wait_subquery; - } else { - verbose(VERB_ALGO, "no current targets -- waiting " - "for %d outstanding queries to respond.", - iq->num_current_queries); - qstate->ext_stateid = module_wait_reply; - } + verbose(VERB_ALGO, "no current targets"); + check_waiting_queries(iq, qstate, id); /* undo qname minimise step because we'll get back here * to do it again */ if(qout_orig && iq->minimise_count > 0) { 
@@ -2629,22 +2768,40 @@ return 0; } - /* if not forwarding, check ratelimits per delegationpoint name */ - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { - if(!infra_ratelimit_inc(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now, &qstate->qinfo, - qstate->reply)) { - lock_basic_lock(&ie->queries_ratelimit_lock); - ie->num_queries_ratelimited++; - lock_basic_unlock(&ie->queries_ratelimit_lock); - verbose(VERB_ALGO, "query exceeded ratelimits"); - qstate->was_ratelimited = 1; - errinf_dname(qstate, "exceeded ratelimit for zone", - iq->dp->name); - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + /* We have a target. We could have created promiscuous target + * queries but we are currently under pressure (mesh_jostle_exceeded). + * If we are configured to allow promiscuous target queries and haven't + * gone out to the network for a target query for this delegation, then + * it is possible to slip in a promiscuous one with a 1/10 chance. */ + if(can_do_promisc && tf_policy == 0 && iq->depth == 0 + && iq->depth < ie->max_dependency_depth + && ie->target_fetch_policyiq->depth != 0 + && iq->dp_target_count == 0 + && !ub_random_max(qstate->env->rnd, 10)) { + int extra = 0; + verbose(VERB_ALGO, "available target exists in cache but " + "attempt to get extra 1 target"); + (void)query_for_targets(qstate, iq, ie, id, 1, &extra); + /* errors ignored, these targets are not strictly necessary for + * this result, we do not have to reply with SERVFAIL */ + if(extra > 0) { + iq->num_target_queries += extra; + target_count_increase(iq, extra); + check_waiting_queries(iq, qstate, id); + /* undo qname minimise step because we'll get back here + * to do it again */ + if(qout_orig && iq->minimise_count > 0) { + iq->minimise_count--; + iq->qinfo_out.qname = qout_orig; + iq->qinfo_out.qname_len = qout_orig_len; + } + return 0; } } + /* Do not check ratelimit for forwarding queries or if we already got a + * pass. 
*/ + sq_check_ratelimit = (!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok); /* We have a valid target. */ if(verbosity >= VERB_QUERY) { log_query_info(VERB_QUERY, "sending query:", &iq->qinfo_out); 
@@ -2656,24 +2813,32 @@ } fptr_ok(fptr_whitelist_modenv_send_query(qstate->env->send_query)); outq = (*qstate->env->send_query)(&iq->qinfo_out, - iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), + iq->chase_flags | (iq->chase_to_rd?BIT_RD:0), /* unset CD if to forwarder(RD set) and not dnssec retry * (blacklist nonempty) and no trust-anchors are configured * above the qname or on the first attempt when dnssec is on */ EDNS_DO| ((iq->chase_to_rd||(iq->chase_flags&BIT_RD)!=0)&& !qstate->blacklist&&(!iter_qname_indicates_dnssec(qstate->env, - &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), + &iq->qinfo_out)||target->attempts==1)?0:BIT_CD), iq->dnssec_expected, iq->caps_fallback || is_caps_whitelisted( - ie, iq), &target->addr, target->addrlen, + ie, iq), sq_check_ratelimit, &target->addr, target->addrlen, iq->dp->name, iq->dp->namelen, + (iq->dp->tcp_upstream || qstate->env->cfg->tcp_upstream), (iq->dp->ssl_upstream || qstate->env->cfg->ssl_upstream), - target->tls_auth_name, qstate); + target->tls_auth_name, qstate, &sq_was_ratelimited); if(!outq) { + if(sq_was_ratelimited) { + lock_basic_lock(&ie->queries_ratelimit_lock); + ie->num_queries_ratelimited++; + lock_basic_unlock(&ie->queries_ratelimit_lock); + verbose(VERB_ALGO, "query exceeded ratelimits"); + qstate->was_ratelimited = 1; + errinf_dname(qstate, "exceeded ratelimit for zone", + iq->dp->name); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } log_addr(VERB_QUERY, "error sending query to auth server", &target->addr, target->addrlen); - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) - infra_ratelimit_dec(qstate->env->infra_cache, iq->dp->name, - iq->dp->namelen, *qstate->env->now); if(qstate->env->cfg->qname_minimisation) iq->minimisation_state = SKIP_MINIMISE_STATE; return next_state(iq, QUERYTARGETS_STATE); 
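Review bot: `sq_was_ratelimited` is read in the `if(!outq)` branch, but its declaration is outside this hunk and `send_query` can apparently fail without writing through the pointer. In the libworker.c section of this commit, `libworker_send_query` has a `return NULL` between the `regional_alloc` call and the point where `was_ratelimited` is handed to `outnet_serviced_query`. Unless the local is initialised where it is declared, an allocation failure could be accounted as a ratelimit hit, bumping `num_queries_ratelimited` and setting `qstate->was_ratelimited` for the wrong reason. I would make this explicit with `sq_was_ratelimited = 0;` immediately before `outq = (*qstate->env->send_query)(...)`, and state in the `send_query` documentation whether the out-parameter is written on every failure path. The enclosing function starts and ends outside the hunk.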
@@ -2707,6 +2872,7 @@ * * @param qstate: query state. * @param iq: iterator query state. + * @param ie: iterator shared global environment. * @param id: module id. * @return true if the event requires more immediate processing, false if * not. This is generally only true when forwarding the request to @@ -2714,10 +2880,11 @@ */ static int processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq, - int id) + struct iter_env* ie, int id) { int dnsseclame = 0; enum response_type type; + iq->num_current_queries--; if(!inplace_cb_query_response_call(qstate->env, qstate, iq->response)) @@ -2739,6 +2906,8 @@ (int)((iq->chase_flags&BIT_RD) || iq->chase_to_rd), iq->response, &iq->qinfo_out, iq->dp); iq->chase_to_rd = 0; + /* remove TC flag, if this is erroneously set by TCP upstream */ + iq->response->rep->flags &= ~BIT_TC; if(type == RESPONSE_TYPE_REFERRAL && (iq->chase_flags&BIT_RD) && !iq->auth_zone_response) { /* When forwarding (RD bit is set), we handle referrals @@ -2762,8 +2931,8 @@ * use dnssec-lame-bypass if it needs to query there.*/ if(qstate->reply) { struct delegpt_addr* a = delegpt_find_addr( - iq->dp, &qstate->reply->addr, - qstate->reply->addrlen); + iq->dp, &qstate->reply->remote_addr, + qstate->reply->remote_addrlen); if(a) a->dnsseclame = 1; } /* test the answer is from the zone we expected, @@ -2845,9 +3014,12 @@ } if(!qstate->no_cache_store) iter_dns_store(qstate->env, &iq->response->qinfo, - iq->response->rep, 0, qstate->prefetch_leeway, + iq->response->rep, + iq->qchase.qtype != iq->response->qinfo.qtype, + qstate->prefetch_leeway, iq->dp&&iq->dp->has_parent_side_NS, - qstate->region, qstate->query_flags); + qstate->region, qstate->query_flags, + qstate->qstarttime); /* close down outstanding requests to be discarded */ outbound_list_clear(&iq->outlist); iq->num_current_queries = 0; 
@@ -2856,9 +3028,9 @@ (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; if(qstate->reply) - sock_list_insert(&qstate->reply_origin, - &qstate->reply->addr, qstate->reply->addrlen, - qstate->region); + sock_list_insert(&qstate->reply_origin, + &qstate->reply->remote_addr, + qstate->reply->remote_addrlen, qstate->region); if(iq->minimisation_state != DONOT_MINIMISE_STATE && !(iq->chase_flags & BIT_RD)) { if(FLAGS_GET_RCODE(iq->response->rep->flags) != @@ -2915,14 +3087,6 @@ * delegation point, and back to the QUERYTARGETS_STATE. */ verbose(VERB_DETAIL, "query response was REFERRAL"); - if(!(iq->chase_flags & BIT_RD) && !iq->ratelimit_ok) { - /* we have a referral, no ratelimit, we can send - * our queries to the given name */ - infra_ratelimit_dec(qstate->env->infra_cache, - iq->dp->name, iq->dp->namelen, - *qstate->env->now); - } - /* if hardened, only store referral if we asked for it */ if(!qstate->no_cache_store && (!qstate->env->cfg->harden_referral_path || @@ -2944,7 +3108,8 @@ /* Store the referral under the current query */ /* no prefetch-leeway, since its not the answer */ iter_dns_store(qstate->env, &iq->response->qinfo, - iq->response->rep, 1, 0, 0, NULL, 0); + iq->response->rep, 1, 0, 0, NULL, 0, + qstate->qstarttime); if(iq->store_parent_NS) iter_store_parentside_NS(qstate->env, iq->response->rep); @@ -2983,7 +3148,8 @@ } if(iq->store_parent_NS && query_dname_compare(iq->dp->name, iq->store_parent_NS->name) == 0) - iter_merge_retry_counts(iq->dp, iq->store_parent_NS); + iter_merge_retry_counts(iq->dp, iq->store_parent_NS, + ie->outbound_msg_retry); delegpt_log(VERB_ALGO, iq->dp); /* Count this as a referral. */ iq->referral_count++; 
@@ -3057,10 +3223,43 @@ iter_dns_store(qstate->env, &iq->response->qinfo, iq->response->rep, 1, qstate->prefetch_leeway, iq->dp&&iq->dp->has_parent_side_NS, NULL, - qstate->query_flags); + qstate->query_flags, qstate->qstarttime); /* set the current request's qname to the new value. */ iq->qchase.qname = sname; iq->qchase.qname_len = snamelen; + if(qstate->env->auth_zones) { + /* apply rpz qname triggers after cname */ + struct dns_msg* forged_response = + rpz_callback_from_iterator_cname(qstate, iq); + while(forged_response && reply_find_rrset_section_an( + forged_response->rep, iq->qchase.qname, + iq->qchase.qname_len, LDNS_RR_TYPE_CNAME, + iq->qchase.qclass)) { + /* another cname to follow */ + if(!handle_cname_response(qstate, iq, forged_response, + &sname, &snamelen)) { + errinf(qstate, "malloc failure, CNAME info"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + iq->qchase.qname = sname; + iq->qchase.qname_len = snamelen; + forged_response = + rpz_callback_from_iterator_cname(qstate, iq); + } + if(forged_response != NULL) { + qstate->ext_stateid = module_finished; + qstate->return_rcode = LDNS_RCODE_NOERROR; + qstate->return_msg = forged_response; + iq->response = forged_response; + next_state(iq, FINISHED_STATE); + if(!iter_prepend(iq, qstate->return_msg, qstate->region)) { + log_err("rpz: after cname, prepend rrsets: out of memory"); + return error_response(qstate, id, LDNS_RCODE_SERVFAIL); + } + qstate->return_msg->qinfo = qstate->qinfo; + return 0; + } + } /* Clear the query state, since this is a query restart. */ iq->deleg_msg = NULL; iq->dp = NULL; 
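Review bot: The `while` loop that follows forged CNAMEs has no iteration bound in this hunk. Each pass rewrites `iq->qchase.qname` and calls `rpz_callback_from_iterator_cname` again, and nothing counts against `iq->query_restart_count` or the new `ie->max_query_restarts` limit. If a policy zone contains a CNAME cycle, termination depends entirely on `rpz_callback_from_iterator_cname` or `handle_cname_response` refusing to continue, which is not visible here. A local counter checked inside the loop would make the bound explicit, e.g. `if(++rpz_cnames > ie->max_query_restarts) { errinf(qstate, "too many rpz cname restarts"); return error_response(qstate, id, LDNS_RCODE_SERVFAIL); }`, assuming `ie` is in scope at this point as it is for the earlier `iter_merge_retry_counts` call. The enclosing function starts and ends outside the hunk.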
@@ -3086,9 +3285,9 @@ (*qstate->env->detach_subs)(qstate); iq->num_target_queries = 0; if(qstate->reply) - sock_list_insert(&qstate->reply_origin, - &qstate->reply->addr, qstate->reply->addrlen, - qstate->region); + sock_list_insert(&qstate->reply_origin, + &qstate->reply->remote_addr, + qstate->reply->remote_addrlen, qstate->region); verbose(VERB_ALGO, "cleared outbound list for query restart"); /* go to INIT_REQUEST_STATE for new qname. */ return next_state(iq, INIT_REQUEST_STATE); @@ -3102,9 +3301,10 @@ } else if(qstate->reply) { /* need addr for lameness cache, but we may have * gotten this from cache, so test to be sure */ - if(!infra_set_lame(qstate->env->infra_cache, - &qstate->reply->addr, qstate->reply->addrlen, - iq->dp->name, iq->dp->namelen, + if(!infra_set_lame(qstate->env->infra_cache, + &qstate->reply->remote_addr, + qstate->reply->remote_addrlen, + iq->dp->name, iq->dp->namelen, *qstate->env->now, dnsseclame, 0, iq->qchase.qtype)) log_err("mark host lame: out of memory"); @@ -3121,8 +3321,9 @@ * gotten this from cache, so test to be sure */ verbose(VERB_DETAIL, "mark as REC_LAME"); if(!infra_set_lame(qstate->env->infra_cache, - &qstate->reply->addr, qstate->reply->addrlen, - iq->dp->name, iq->dp->namelen, + &qstate->reply->remote_addr, + qstate->reply->remote_addrlen, + iq->dp->name, iq->dp->namelen, *qstate->env->now, 0, 1, iq->qchase.qtype)) log_err("mark host lame: out of memory"); } @@ -3188,7 +3389,7 @@ /* Convert our response to a delegation point */ dp = delegpt_from_message(qstate->return_msg, forq->region); if(!dp) { - /* if there is no convertable delegation point, then + /* if there is no convertible delegation point, then * the ANSWER type was (presumably) a negative answer. */ verbose(VERB_ALGO, "prime response was not a positive " "ANSWER; failing"); 
@@ -3330,21 +3531,22 @@ log_err("out of memory adding pside glue"); } - /* This response is relevant to the current query, so we - * add (attempt to add, anyway) this target(s) and reactivate - * the original event. - * NOTE: we could only look for the AnswerRRset if the + /* This response is relevant to the current query, so we + * add (attempt to add, anyway) this target(s) and reactivate + * the original event. + * NOTE: we could only look for the AnswerRRset if the * response type was ANSWER. */ rrset = reply_find_answer_rrset(&iq->qchase, qstate->return_msg->rep); if(rrset) { int additions = 0; /* if CNAMEs have been followed - add new NS to delegpt. */ /* BTW. RFC 1918 says NS should not have got CNAMEs. Robust. */ - if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, + if(!delegpt_find_ns(foriq->dp, rrset->rk.dname, rrset->rk.dname_len)) { /* if dpns->lame then set newcname ns lame too */ - if(!delegpt_add_ns(foriq->dp, forq->region, - rrset->rk.dname, dpns->lame)) + if(!delegpt_add_ns(foriq->dp, forq->region, + rrset->rk.dname, dpns->lame, dpns->tls_auth_name, + dpns->port)) log_err("out of memory adding cnamed-ns"); } /* if dpns->lame then set the address(es) lame too */ @@ -3362,10 +3564,14 @@ } else { verbose(VERB_ALGO, "iterator TargetResponse failed"); delegpt_mark_neg(dpns, qstate->qinfo.qtype); - dpns->resolved = 1; /* fail the target */ if((dpns->got4 == 2 || !ie->supports_ipv4) && - (dpns->got6 == 2 || !ie->supports_ipv6)) - target_count_increase_nx(foriq, 1); + (dpns->got6 == 2 || !ie->supports_ipv6)) { + dpns->resolved = 1; /* fail the target */ + /* do not count cached answers */ + if(qstate->reply_origin && qstate->reply_origin->len != 0) { + target_count_increase_nx(foriq, 1); + } + } } } 
@@ -3626,7 +3832,8 @@ iter_dns_store(qstate->env, &qstate->qinfo, iq->response->rep, 0, qstate->prefetch_leeway, iq->dp&&iq->dp->has_parent_side_NS, - qstate->region, qstate->query_flags); + qstate->region, qstate->query_flags, + qstate->qstarttime); } } qstate->return_rcode = LDNS_RCODE_NOERROR; @@ -3694,7 +3901,7 @@ cont = processQueryTargets(qstate, iq, ie, id); break; case QUERY_RESP_STATE: - cont = processQueryResponse(qstate, iq, id); + cont = processQueryResponse(qstate, iq, ie, id); break; case PRIME_RESP_STATE: cont = processPrimeResponse(qstate, id); @@ -3764,7 +3971,7 @@ iq->num_current_queries--; /* need fresh attempts for the 0x20 fallback, if * that was the cause for the failure */ - iter_dec_attempts(iq->dp, 3); + iter_dec_attempts(iq->dp, 3, ie->outbound_msg_retry); verbose(VERB_DETAIL, "Capsforid: timeouts, starting fallback"); goto handle_it; } @@ -3798,15 +4005,15 @@ goto handle_it; } /* edns is not examined, but removed from message to help cache */ - if(parse_extract_edns(prs, &edns, qstate->env->scratch) != + if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) != LDNS_RCODE_NOERROR) { iq->parse_failures++; goto handle_it; } /* Copy the edns options we may got from the back end */ - if(edns.opt_list) { - qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list, + if(edns.opt_list_in) { + qstate->edns_opts_back_in = edns_opt_copy_region(edns.opt_list_in, qstate->region); if(!qstate->edns_opts_back_in) { log_err("out of memory on incoming message"); @@ -3845,8 +4052,8 @@ if(!iq->response) goto handle_it; log_query_info(VERB_DETAIL, "response for", &qstate->qinfo); - log_name_addr(VERB_DETAIL, "reply from", iq->dp->name, - &qstate->reply->addr, qstate->reply->addrlen); + log_name_addr(VERB_DETAIL, "reply from", iq->dp->name, + &qstate->reply->remote_addr, qstate->reply->remote_addrlen); if(verbosity >= VERB_ALGO) log_dns_msg("incoming scrubbed packet:", &iq->response->qinfo, iq->response->rep); 
@@ -3983,8 +4190,11 @@ iq = (struct iter_qstate*)qstate->minfoid; if(iq) { outbound_list_clear(&iq->outlist); - if(iq->target_count && --iq->target_count0 == 0) + if(iq->target_count && --iq->target_countTARGET_COUNT_REF == 0) { free(iq->target_count); + if(*iq->nxns_dp) free(*iq->nxns_dp); + free(iq->nxns_dp); + } iq->num_current_queries = 0; } qstate->minfoid = NULL;
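Review bot: The added cleanup evaluates `*iq->nxns_dp` without checking that `iq->nxns_dp` itself is set, so it relies on `nxns_dp` always being allocated together with `target_count`. That allocation is outside this hunk and should be confirmed or guarded. The inner test is also redundant, since `free(NULL)` is a no-op. Because `iq` is still used on the next statement, I would clear the pointers after release so a second pass through this cleanup cannot double-free: `free(iq->target_count); iq->target_count = NULL;` and `if(iq->nxns_dp) { free(*iq->nxns_dp); free(iq->nxns_dp); iq->nxns_dp = NULL; }`. The enclosing function starts outside the hunk.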
_service:tar_scm:unbound-1.13.2.tar.gz/iterator/iterator.h -> _service:tar_scm:unbound-1.17.1.tar.gz/iterator/iterator.h
Changed
@@ -60,12 +60,11 @@ /** max number of nxdomains allowed for target lookups for a query and * its subqueries */ #define MAX_TARGET_NX 5 -/** max number of query restarts. Determines max number of CNAME chain. */ -#define MAX_RESTART_COUNT 11 +/** max number of nxdomains allowed for target lookups for a query and + * its subqueries when fallback has kicked in */ +#define MAX_TARGET_NX_FALLBACK (MAX_TARGET_NX*2) /** max number of referrals. Makes sure resolver does not run away */ #define MAX_REFERRAL_COUNT 130 -/** max number of queries-sent-out. Make sure large NS set does not loop */ -#define MAX_SENT_COUNT 32 /** max number of queries for which to perform dnsseclameness detection, * (rrsigs missing detection) after that, just pick up that response */ #define DNSSEC_LAME_DETECT_COUNT 4 @@ -80,7 +79,7 @@ /** * number of labels from QNAME that are always send individually when using * QNAME minimisation, even when the number of labels of the QNAME is bigger - * tham MAX_MINIMISE_COUNT */ + * than MAX_MINIMISE_COUNT */ #define MINIMISE_ONE_LAB 4 #define MINIMISE_MULTIPLE_LABS (MAX_MINIMISE_COUNT - MINIMISE_ONE_LAB) /** at what query-sent-count to stop target fetch policy */ 
@@ -91,17 +90,17 @@ extern int UNKNOWN_SERVER_NICENESS; /** maximum timeout before a host is deemed unsuitable, in msec. * After host_ttl this will be timed out and the host will be tried again. - * Equals RTT_MAX_TIMEOUT - */ -#define USEFUL_SERVER_TOP_TIMEOUT 120000 -/** number of retries on outgoing queries */ -#define OUTBOUND_MSG_RETRY 5 + * Equals RTT_MAX_TIMEOUT, and thus when RTT_MAX_TIMEOUT is overwritten by + * config infra_cache_max_rtt, it will be overwritten as well. */ +extern int USEFUL_SERVER_TOP_TIMEOUT; +/** penalty to validation failed blacklisted IPs + * Equals USEFUL_SERVER_TOP_TIMEOUT*4, and thus when RTT_MAX_TIMEOUT is + * overwritten by config infra_cache_max_rtt, it will be overwritten as well. */ +extern int BLACKLIST_PENALTY; /** RTT band, within this amount from the best, servers are chosen randomly. * Chosen so that the UNKNOWN_SERVER_NICENESS falls within the band of a * fast server, this causes server exploration as a side benefit. msec. */ #define RTT_BAND 400 -/** Start value for blacklisting a host, 2*USEFUL_SERVER_TOP_TIMEOUT in sec */ -#define INFRA_BACKOFF_INITIAL 240 /** * Global state for the iterator. @@ -139,6 +138,15 @@ lock_basic_type queries_ratelimit_lock; /** number of queries that have been ratelimited */ size_t num_queries_ratelimited; + + /** number of retries on outgoing queries */ + int outbound_msg_retry; + + /** number of queries_sent */ + int max_sent_count; + + /** max number of query restarts to limit length of CNAME chain */ + int max_query_restarts; }; /** 
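Review bot: The new `outbound_msg_retry`, `max_sent_count` and `max_query_restarts` fields are signed `int`s that replace compile-time loop guards, and nothing in this hunk states their valid range. In the iterator.c section the 0x20 fallback test compares against `(size_t)ie->max_sent_count`, so a negative configured value would turn into a very large bound and that arm of the test would never fire. I would document the range on each field, for example `/** max number of queries sent out per query, must be > 0; keeps a large NS set from looping */`, and confirm that config loading rejects zero and negative values, which is not visible on this page. The comment `number of queries_sent` also reads as a counter rather than a limit.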
@@ -217,6 +225,21 @@ }; /** + * Shared counters for queries. + */ +enum target_count_variables { + /** Reference count for the shared iter_qstate->target_count. */ + TARGET_COUNT_REF = 0, + /** Number of target queries spawned for the query and subqueries. */ + TARGET_COUNT_QUERIES, + /** Number of nxdomain responses encountered. */ + TARGET_COUNT_NX, + + /** This should stay last here, it is used for the allocation */ + TARGET_COUNT_MAX, +}; + +/** * Per query state for the iterator module. */ struct iter_qstate { @@ -303,21 +326,26 @@ /** the number of times this query has been restarted. */ int query_restart_count; - /** the number of times this query as followed a referral. */ + /** the number of times this query has followed a referral. */ int referral_count; /** number of queries fired off */ int sent_count; - /** number of target queries spawned in 1, for this query and its - * subqueries, the malloced-array is shared, 0 refcount. - * in 2 the number of nxdomains is counted. */ + /** malloced-array shared with this query and its subqueries. It keeps + * track of the defined enum target_count_variables counters. */ int* target_count; /** number of target lookups per delegation point. Reset to 0 after * receiving referral answer. Not shared with subqueries. */ int dp_target_count; + /** Delegation point that triggered the NXNS fallback; shared with + * this query and its subqueries, count-referenced by the reference + * counter in target_count. + * This also marks the fallback activation. */ + uint8_t** nxns_dp; + /** if true, already tested for ratelimiting and passed the test */ int ratelimit_ok; @@ -378,7 +406,7 @@ /** list of pending queries to authoritative servers. */ struct outbound_list outlist; - /** QNAME minimisation state, RFC7816 */ + /** QNAME minimisation state, RFC9156 */ enum minimisation_state minimisation_state; /** State for capsfail: QNAME minimisation state for comparisons. */
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/context.c -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/context.c
Changed
@@ -48,6 +48,7 @@ #include "services/cache/rrset.h" #include "services/cache/infra.h" #include "services/authzone.h" +#include "services/listen_dnsport.h" #include "util/data/msgreply.h" #include "util/storage/slabhash.h" #include "util/edns.h" @@ -69,10 +70,12 @@ } else { log_init(cfg->logfile, cfg->use_syslog, NULL); } + ctx->pipe_pid = getpid(); cfg_apply_local_port_policy(cfg, 65536); config_apply(cfg); if(!modstack_setup(&ctx->mods, cfg->module_conf, ctx->env)) return UB_INITFAIL; + listen_setup_locks(); log_edns_known_options(VERB_ALGO, ctx->env); ctx->local_zones = local_zones_create(); if(!ctx->local_zones)
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/context.h -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/context.h
Changed
@@ -89,6 +89,12 @@ pid_t bg_pid; /** tid of bg worker thread */ ub_thread_type bg_tid; + /** pid when pipes are created. This was the process when the + * setup was called. Helps with clean up, so we can tell after a fork + * which side of the fork the delete is on. */ + pid_t pipe_pid; + /** when threaded, the worker that exists in the created thread. */ + struct libworker* thread_worker; /** do threading (instead of forking) for async resolution */ int dothread; @@ -177,35 +183,6 @@ }; /** - * The error constants - */ -enum ub_ctx_err { - /** no error */ - UB_NOERROR = 0, - /** socket operation. Set to -1, so that if an error from _fd() is - * passed (-1) it gives a socket error. */ - UB_SOCKET = -1, - /** alloc failure */ - UB_NOMEM = -2, - /** syntax error */ - UB_SYNTAX = -3, - /** DNS service failed */ - UB_SERVFAIL = -4, - /** fork() failed */ - UB_FORKFAIL = -5, - /** cfg change after finalize() */ - UB_AFTERFINAL = -6, - /** initialization failed (bad settings) */ - UB_INITFAIL = -7, - /** error in pipe communication with async bg worker */ - UB_PIPE = -8, - /** error reading from file (resolv.conf) */ - UB_READFILE = -9, - /** error async_id does not exist or result already been delivered */ - UB_NOID = -10 -}; - -/** * Command codes for libunbound pipe. * * Serialization looks like this:
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/libunbound.c -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/libunbound.c
Changed
@@ -64,6 +64,7 @@ #include "services/cache/infra.h" #include "services/cache/rrset.h" #include "services/authzone.h" +#include "services/listen_dnsport.h" #include "sldns/sbuffer.h" #ifdef HAVE_PTHREAD #include <signal.h> @@ -185,6 +186,7 @@ ub_randfree(ctx->seed_rnd); config_delete(ctx->env->cfg); modstack_desetup(&ctx->mods, ctx->env); + listen_desetup_locks(); edns_known_options_delete(ctx->env); edns_strings_delete(ctx->env->edns_strings); free(ctx->env); @@ -198,6 +200,7 @@ ub_randfree(ctx->seed_rnd); config_delete(ctx->env->cfg); modstack_desetup(&ctx->mods, ctx->env); + listen_desetup_locks(); edns_known_options_delete(ctx->env); edns_strings_delete(ctx->env->edns_strings); free(ctx->env); @@ -302,11 +305,31 @@ int do_stop = 1; if(!ctx) return; + /* if the delete is called but it has forked, and before the fork + * the context was finalized, then the bg worker is not stopped + * from here. There is one worker, but two contexts that refer to + * it and only one should clean up, the one with getpid == pipe_pid.*/ + if(ctx->created_bg && ctx->pipe_pid != getpid()) { + do_stop = 0; +#ifndef USE_WINSOCK + /* Stop events from getting deregistered, if the backend is + * epoll, the epoll fd is the same as the other process. + * That process should deregister them. */ + if(ctx->qq_pipe->listen_com) + ctx->qq_pipe->listen_com->event_added = 0; + if(ctx->qq_pipe->res_com) + ctx->qq_pipe->res_com->event_added = 0; + if(ctx->rr_pipe->listen_com) + ctx->rr_pipe->listen_com->event_added = 0; + if(ctx->rr_pipe->res_com) + ctx->rr_pipe->res_com->event_added = 0; +#endif + } /* see if bg thread is created and if threads have been killed */ /* no locks, because those may be held by terminated threads */ /* for processes the read pipe is closed and we see that on read */ #ifdef HAVE_PTHREAD - if(ctx->created_bg && ctx->dothread) { + if(ctx->created_bg && ctx->dothread && do_stop) { if(pthread_kill(ctx->bg_tid, 0) == ESRCH) { /* thread has been killed */ do_stop = 0; 
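Review bot: The `listen_desetup_locks()` calls added in the hunks at `@@ -185,6 +186,7 @@` and `@@ -198,6 +200,7 @@`, and again at `@@ -344,6 +384,7 @@` further down, are not visibly paired with a `listen_setup_locks()` call. The only setup call on this page is in context.c, after `modstack_setup` succeeds. These cleanup paths can therefore run for a context that never reached that point, and when a process holds more than one context the first delete may tear down locks another context still relies on, unless the helpers keep their own initialised flag or reference count (their bodies are not shown). I would add a short comment at each call stating which of those holds, or put the guard inside `listen_desetup_locks()` itself.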
@@ -315,6 +338,23 @@ #endif /* HAVE_PTHREAD */ if(do_stop) ub_stop_bg(ctx); + if(ctx->created_bg && ctx->pipe_pid != getpid() && ctx->thread_worker) { + /* This delete is happening from a different process. Delete + * the thread worker from this process memory space. The + * thread is not there to do so, so it is freed here. */ + struct ub_event_base* evbase = comm_base_internal( + ctx->thread_worker->base); + libworker_delete_event(ctx->thread_worker); + ctx->thread_worker = NULL; +#ifdef USE_MINI_EVENT + ub_event_base_free(evbase); +#else + /* cannot event_base_free, because the epoll_fd cleanup + * in libevent could stop the original event_base in the + * other process from working. */ + free(evbase); +#endif + } libworker_delete_event(ctx->event_worker); modstack_desetup(&ctx->mods, ctx->env); @@ -344,6 +384,7 @@ } ub_randfree(ctx->seed_rnd); alloc_clear(&ctx->superalloc); + listen_desetup_locks(); traverse_postorder(&ctx->queries, delq, NULL); if(ctx_logfile_overridden) { log_file(NULL); @@ -947,7 +988,7 @@ lock_basic_unlock(&ctx->cfglock); /* check syntax for addr */ - if(!extstrtoaddr(addr, &storage, &stlen)) { + if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) { errno=EINVAL; return UB_SYNTAX; } @@ -1027,7 +1068,7 @@ if(addr) { struct sockaddr_storage storage; socklen_t stlen; - if(!extstrtoaddr(addr, &storage, &stlen)) { + if(!extstrtoaddr(addr, &storage, &stlen, UNBOUND_DNS_PORT)) { errno=EINVAL; return UB_SYNTAX; }
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/libworker.c -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/libworker.c
Changed
@@ -395,6 +395,7 @@ w = libworker_setup(ctx, 1, NULL); if(!w) return UB_NOMEM; w->is_bg_thread = 1; + ctx->thread_worker = w; #ifdef ENABLE_LOCK_CHECKS w->thread_num = 1; /* for nicer DEBUG checklocks */ #endif @@ -600,7 +601,9 @@ edns->ext_rcode = 0; edns->edns_version = 0; edns->bits = EDNS_DO; - edns->opt_list = NULL; + edns->opt_list_in = NULL; + edns->opt_list_out = NULL; + edns->opt_list_inplace_cb_out = NULL; edns->padding_block_size = 0; if(sldns_buffer_capacity(w->back->udp_buff) < 65535) edns->udp_size = (uint16_t)sldns_buffer_capacity( @@ -648,7 +651,7 @@ } /* process new query */ if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, - w->back->udp_buff, qid, libworker_fg_done_cb, q)) { + w->back->udp_buff, qid, libworker_fg_done_cb, q, 0)) { free(qinfo.qname); return UB_NOMEM; } @@ -728,7 +731,7 @@ if(async_id) *async_id = q->querynum; if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, - w->back->udp_buff, qid, libworker_event_done_cb, q)) { + w->back->udp_buff, qid, libworker_event_done_cb, q, 0)) { free(qinfo.qname); return UB_NOMEM; } @@ -865,7 +868,7 @@ q->w = w; /* process new query */ if(!mesh_new_callback(w->env->mesh, &qinfo, qflags, &edns, - w->back->udp_buff, qid, libworker_bg_done_cb, q)) { + w->back->udp_buff, qid, libworker_bg_done_cb, q, 0)) { add_bg_result(w, q, NULL, UB_NOMEM, NULL, 0); } free(qinfo.qname); @@ -880,9 +883,10 @@ struct outbound_entry* libworker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q) + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited) { struct libworker* w = (struct libworker*)q->env->worker; struct outbound_entry* e = (struct outbound_entry*)regional_alloc( 
@@ -891,9 +895,10 @@ return NULL; e->qstate = q; e->qsent = outnet_serviced_query(w->back, qinfo, flags, dnssec, - want_dnssec, nocaps, q->env->cfg->tcp_upstream, ssl_upstream, + want_dnssec, nocaps, check_ratelimit, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, q, - libworker_handle_service_reply, e, w->back->udp_buff, q->env); + libworker_handle_service_reply, e, w->back->udp_buff, q->env, + was_ratelimited); if(!e->qsent) { return NULL; } @@ -974,10 +979,11 @@ struct outbound_entry* worker_send_query(struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), - uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), + uint8_t* ATTR_UNUSED(zone), size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), - struct module_qstate* ATTR_UNUSED(q)) + struct module_qstate* ATTR_UNUSED(q), int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0;
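Review bot: `libworker_send_query` forwards the new `was_ratelimited` pointer to `outnet_serviced_query` but never writes it itself, so the `return NULL` that opens this hunk (apparently the allocation-failure path begun in the previous hunk) leaves `*was_ratelimited` at whatever the caller had stored there. A caller that reads the flag after a NULL return, to tell a ratelimit refusal from a memory or socket failure, would then act on a stale value. Clearing it on entry, `if(was_ratelimited) *was_ratelimited = 0;`, or stating in worker.h that the caller must zero it first, removes the ambiguity. The lines between the two hunks are not visible here, so the exact failing condition is inferred.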
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/python/doc/examples/example4.rst -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/python/doc/examples/example4.rst
Changed
@@ -31,6 +31,6 @@ else: print "Result is insecure" -More detailed informations can be seen in libUnbound DNSSEC tutorial `here`_. +More detailed information can be seen in libUnbound DNSSEC tutorial `here`_. .. _here: http://www.unbound.net/documentation/libunbound-tutorial-6.html
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/python/libunbound.i -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/python/libunbound.i
Changed
@@ -363,7 +363,7 @@ ctx.debuglevel(3) ctx.debugout(fw) - Another option is to print the debug informations to stderr output + Another option is to print the debug information to stderr output ::
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/unbound-event.h -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/unbound-event.h
Changed
@@ -41,7 +41,7 @@ * * Use ub_ctx_create_event_ub_base() to create an unbound context that uses * the user provided event base API. Then, use the ub_resolve_event call - * to add DNS resolve queries to the context. Those then run whith the + * to add DNS resolve queries to the context. Those then run with the * provided event_base, and when they are done you get a function callback. * * This method does not fork another process or create a thread, the effort @@ -230,7 +230,7 @@ * @param callback: this is called on completion of the resolution. * It is called as: * void callback(void* mydata, int rcode, void* packet, int packet_len, - * int sec, char* why_bogus) + * int sec, char* why_bogus, int was_ratelimited) * with mydata: the same as passed here, you may pass NULL, * with rcode: 0 on no error, nonzero for mostly SERVFAIL situations, * this is a DNS rcode. @@ -241,6 +241,7 @@ * with packet_len: length in bytes of the packet buffer. * with sec: 0 if insecure, 1 if bogus, 2 if DNSSEC secure. * with why_bogus: text string explaining why it is bogus (or NULL). + * with was_ratelimited: if the query was ratelimited. * These point to buffers inside unbound; do not deallocate the packet or * error string. *
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/unbound.h -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/unbound.h
Changed
@@ -224,7 +224,7 @@ * It is called with * void* my_arg: your pointer to a (struct of) data of your choice, * or NULL. - * int err: if 0 all is OK, otherwise an error occured and no results + * int err: if 0 all is OK, otherwise an error occurred and no results * are forthcoming. * struct result: pointer to more detailed result structure. * This structure is allocated on the heap and needs to be @@ -233,6 +233,35 @@ typedef void (*ub_callback_type)(void*, int, struct ub_result*); /** + * The error constants + */ +enum ub_ctx_err { + /** no error */ + UB_NOERROR = 0, + /** socket operation. Set to -1, so that if an error from _fd() is + * passed (-1) it gives a socket error. */ + UB_SOCKET = -1, + /** alloc failure */ + UB_NOMEM = -2, + /** syntax error */ + UB_SYNTAX = -3, + /** DNS service failed */ + UB_SERVFAIL = -4, + /** fork() failed */ + UB_FORKFAIL = -5, + /** cfg change after finalize() */ + UB_AFTERFINAL = -6, + /** initialization failed (bad settings) */ + UB_INITFAIL = -7, + /** error in pipe communication with async bg worker */ + UB_PIPE = -8, + /** error reading from file (resolv.conf) */ + UB_READFILE = -9, + /** error async_id does not exist or result already been delivered */ + UB_NOID = -10 +}; + +/** * Create a resolving and validation context. * The information from /etc/resolv.conf and /etc/hosts is not utilised by * default. Use ub_ctx_resolvconf and ub_ctx_hosts to read them. @@ -563,6 +592,7 @@ /** * Convert error value to a human readable string. * @param err: error code from one of the libunbound functions. + * The error codes are from the type enum ub_ctx_err. * @return pointer to constant text string, zero terminated. */ const char* ub_strerror(int err); @@ -695,6 +725,8 @@ long long qtcp; /** number of outgoing queries over TCP */ long long qtcp_outgoing; + /** number of outgoing queries over UDP */ + long long qudp_outgoing; /** number of queries over (DNS over) TLS */ long long qtls; /** number of queries over (DNS over) HTTPS */
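Review bot: The new `qudp_outgoing` counter in the last hunk is inserted between `qtcp_outgoing` and `qtls`, which moves the offset of every later member of the statistics struct. If this struct is read by another process or by a binary built against the older header (its name and its consumers are outside the hunk), the counters after `qtcp_outgoing` would be misread without any error being raised. Appending new counters at the end of the struct keeps existing offsets stable; if the position has to stay, a comment such as `/** number of outgoing queries over UDP; inserting this member changed the layout of the members below */` at least records that both sides must be rebuilt together.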
_service:tar_scm:unbound-1.13.2.tar.gz/libunbound/worker.h -> _service:tar_scm:unbound-1.17.1.tar.gz/libunbound/worker.h
Changed
@@ -58,22 +58,27 @@ * @param dnssec: if set, EDNS record will have DO bit set. * @param want_dnssec: signatures needed. * @param nocaps: ignore capsforid(if in config), do not perturb qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: delegation point name. * @param zonelen: length of zone name wireformat dname. + * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. - * @param q: wich query state to reactivate upon return. + * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. */ struct outbound_entry* libworker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited); /** process incoming serviced query replies from the network */ int libworker_handle_service_reply(struct comm_point* c, void* arg, int error, 
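Review bot: The `@return` text for `libworker_send_query` still reads "false on failure (memory or socket related)" although the new `check_ratelimit` and `was_ratelimited` parameters add a third reason for no query being sent; the same wording is kept for `worker_send_query` in the next hunk. I would extend it to something like `@return: NULL on failure (memory, socket or ratelimit); no query was sent. Check *was_ratelimited to tell them apart.` The `@param was_ratelimited` line should also say whether NULL is accepted and whether the caller has to initialise the value. That a ratelimit refusal ends in a NULL return is inferred from the parameter description, not shown in this header.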
@@ -109,22 +114,27 @@ * @param dnssec: if set, EDNS record will have DO bit set. * @param want_dnssec: signatures needed. * @param nocaps: ignore capsforid(if in config), do not perturb qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: wireformat dname of the zone. * @param zonelen: length of zone name. + * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. - * @param q: wich query state to reactivate upon return. + * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. */ struct outbound_entry* worker_send_query(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + size_t zonelen, int tcp_upstream, int ssl_upstream, char* tls_auth_name, + struct module_qstate* q, int* was_ratelimited); /** * process control messages from the main thread. Frees the control
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/doc/examples/example5.rst -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/doc/examples/example5.rst
Changed
@@ -90,7 +90,7 @@ log_info("python: Option code {} was not found in the " "list.".format(code)) -.. note:: All occurences of the EDNS option code will be removed from the list: +.. note:: All occurrences of the EDNS option code will be removed from the list: Controlling other modules' cache behavior
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/doc/modules/functions.rst -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/doc/modules/functions.rst
Changed
@@ -60,7 +60,7 @@ .. function:: edns_opt_list_remove(list, code); - Remove an ENDS option code from the list. + Remove an EDNS option code from the list. .. note:: All :class:`edns_option` with the code will be removed :param list: linked list of :class:`edns_option`
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/doc/modules/struct.rst -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/doc/modules/struct.rst
Changed
@@ -12,7 +12,7 @@ .. attribute:: qinfo - (:class:`query_info`) Informations about query being answered. Name, RR type, RR class. + (:class:`query_info`) Information about query being answered. Name, RR type, RR class. .. attribute:: query_flags @@ -77,7 +77,7 @@ .. attribute:: edns_opts_back_in_iter - Iterator for `ends_opts_back_in`. + Iterator for `edns_opts_back_in`. .. attribute:: edns_opts_front_out @@ -256,7 +256,7 @@ .. attribute:: qinfo - (:class:`query_info`) Informations about query. + (:class:`query_info`) Information about query. .. attribute:: rep @@ -440,7 +440,7 @@ .. method:: set_return_msg(self, qstate) - This method fills qstate return message according to the given informations. + This method fills qstate return message according to the given information. It takes lists of RRs in each section of answer, created necessary RRsets in wire format and store the result in :attr:`qstate.return_msg`. Returns 1 if OK.
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/doc/usecase.rst -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/doc/usecase.rst
Changed
@@ -21,7 +21,7 @@ DNS based Wake-On-Lan --------------------- -Controled by secured queries secured with private key. +Controlled by secured queries secured with private key. Dynamic translation service ---------------------------
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/examples/edns.py -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/examples/edns.py
Changed
@@ -55,7 +55,7 @@ # Return True on success, False on failure. # # edns_opt_list_remove(edns_opt_list, code): -# Remove all occurences of the given EDNS option code from the +# Remove all occurrences of the given EDNS option code from the # edns_opt_list. # Return True when at least one EDNS option was removed, False otherwise. #
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/examples/inplace_callbacks.py -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/examples/inplace_callbacks.py
Changed
@@ -207,7 +207,7 @@ """ log_info("python: called back while servfail.") - # Append the example ENDS option + # Append the example EDNS option b = bytearray.fromhex("") edns_opt_list_append(opt_list_out, 65003, b, region)
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/interface.i -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/interface.i
Changed
@@ -609,9 +609,9 @@ struct comm_reply query_reply; }; -%rename(_addr) comm_reply::addr; +%rename(_addr) comm_reply::client_addr; struct comm_reply { - struct sockaddr_storage addr; + struct sockaddr_storage client_addr; }; %extend comm_reply { @@ -678,11 +678,14 @@ uint8_t edns_version; uint16_t bits; uint16_t udp_size; - struct edns_option* opt_list; + struct edns_option* opt_list_in; + struct edns_option* opt_list_out; + struct edns_option* opt_list_inplace_cb_out; + uint16_t padding_block_size; }; %inline %{ struct edns_option** _edns_data_opt_list_get(struct edns_data* edns) { - return &edns->opt_list; + return &edns->opt_list_in; } %} %extend edns_data { @@ -709,9 +712,10 @@ /* --- services --- */ struct outbound_entry* (*send_query)(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q); + uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct module_qstate* q, int* was_ratelimited); void (*detach_subs)(struct module_qstate* qstate); int (*attach_sub)(struct module_qstate* qstate, struct query_info* qinfo, uint16_t qflags, int prime, @@ -1341,7 +1345,7 @@ %pythoncode %{ class DNSMessage: def __init__(self, rr_name, rr_type, rr_class = RR_CLASS_IN, query_flags = 0, default_ttl = 0): - """Query flags is a combination of PKT_xx contants""" + """Query flags is a combination of PKT_xx constants""" self.rr_name = rr_name self.rr_type = rr_type self.rr_class = rr_class 
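Review bot: `_edns_data_opt_list_get` keeps its generic name but now returns only `&edns->opt_list_in`, while the struct in the same hunk gains `opt_list_out` and `opt_list_inplace_cb_out`. A Python module author reading the wrapper cannot tell which list is exposed, and as far as this hunk shows, options on the other two lists are not reachable through it. A short comment above the helper would settle it: `/* exposes the inbound option list (opt_list_in) only; the outbound lists are not wrapped here */`. The `%extend edns_data` block that uses the helper continues outside the hunk.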
@@ -1371,9 +1375,10 @@ /* Functions which we will need to lookup delegations */ struct delegpt* dns_cache_find_delegation(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, - struct regional* region, struct dns_msg** msg, uint32_t timenow); + struct regional* region, struct dns_msg** msg, uint32_t timenow, + int noexpiredabove, uint8_t* expiretop, size_t expiretoplen); int iter_dp_is_useless(struct query_info* qinfo, uint16_t qflags, - struct delegpt* dp); + struct delegpt* dp, int supports_ipv4, int supports_ipv6); struct iter_hints_stub* hints_lookup_stub(struct iter_hints* hints, uint8_t* qname, uint16_t qclass, struct delegpt* dp); @@ -1400,10 +1405,11 @@ qinfo.qclass = LDNS_RR_CLASS_IN; while(1) { - dp = dns_cache_find_delegation(qstate->env, (uint8_t*)nm, nmlen, qinfo.qtype, qinfo.qclass, region, &msg, timenow); + dp = dns_cache_find_delegation(qstate->env, (uint8_t*)nm, nmlen, qinfo.qtype, qinfo.qclass, region, &msg, timenow, 0, NULL, 0); if(!dp) return NULL; - if(iter_dp_is_useless(&qinfo, BIT_RD, dp)) { + if(iter_dp_is_useless(&qinfo, BIT_RD, dp, + qstate->env->cfg->do_ip4, qstate->env->cfg->do_ip6)) { if (dname_is_root((uint8_t*)nm)) return NULL; nm = (char*)dp->name;
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/pythonmod.c -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/pythonmod.c
Changed
@@ -255,7 +255,7 @@ int pythonmod_init(struct module_env* env, int id) { int py_mod_idx = py_mod_count++; - + /* Initialize module */ FILE* script_py = NULL; PyObject* py_init_arg, *res; @@ -316,23 +316,37 @@ if (py_mod_count==1) { /* Initialize Python */ - PyRun_SimpleString("import sys \n"); + if(PyRun_SimpleString("import sys \n") < 0 ) { + goto python_init_fail; + } PyRun_SimpleString("sys.path.append('.') \n"); + PyRun_SimpleString("sys.path.append('"RUN_DIR"') \n"); + PyRun_SimpleString("sys.path.append('"SHARE_DIR"') \n"); if(env->cfg->directory && env->cfg->directory0) { char wdir1524; snprintf(wdir, sizeof(wdir), "sys.path.append('%s') \n", env->cfg->directory); PyRun_SimpleString(wdir); } - PyRun_SimpleString("sys.path.append('"RUN_DIR"') \n"); - PyRun_SimpleString("sys.path.append('"SHARE_DIR"') \n"); - PyRun_SimpleString("import distutils.sysconfig \n"); - PyRun_SimpleString("sys.path.append(distutils.sysconfig.get_python_lib(1,0)) \n"); - if (PyRun_SimpleString("from unboundmodule import *\n") < 0) + /* Check if sysconfig is there and use that instead of distutils; + * distutils.sysconfig is deprecated in Python 3.10. */ + if(PyRun_SimpleString("import sysconfig \n") < 0) { + log_info("pythonmod: module sysconfig not available; " + "falling back to distutils.sysconfig."); + if(PyRun_SimpleString("import distutils.sysconfig \n") < 0 + || PyRun_SimpleString("sys.path.append(" + "distutils.sysconfig.get_python_lib(1,0)) \n") < 0) { + goto python_init_fail; + } + } else { + if(PyRun_SimpleString("sys.path.append(" + "sysconfig.get_path('platlib')) \n") < 0) { + goto python_init_fail; + } + } + if(PyRun_SimpleString("from unboundmodule import *\n") < 0) { - log_err("pythonmod: cannot initialize core module: unboundmodule.py"); - PyGILState_Release(gil); - return 0; + goto python_init_fail; } } 
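Review bot: The configured directory is still formatted into Python source with `snprintf(wdir, sizeof(wdir), "sys.path.append('%s') \n", env->cfg->directory)` and executed in the second hunk, with neither the `snprintf` result nor the `PyRun_SimpleString` result checked, although this commit adds result checks to the neighbouring calls. A path containing a quote or backslash changes the statement that runs, and a path longer than the buffer is truncated into a malformed one; appending the path as a list element through the C API avoids both. The added `sys.path.append` calls for `RUN_DIR` and `SHARE_DIR` are unchecked in the same way and could use the same `goto python_init_fail` as the other calls. The sketch below assumes a Python 3 build; `pythonmod_init` begins in the first hunk and runs past both hunks on this line.

```c
		/* … unchanged: sys.path.append calls for '.', RUN_DIR and SHARE_DIR … */
		/* … unchanged: the existing test that cfg->directory is set and non-empty … */
			/* add the directory as a list element, not as Python source text */
			PyObject* sys_path = PySys_GetObject("path"); /* borrowed reference */
			PyObject* dir = PyUnicode_DecodeFSDefault(env->cfg->directory);
			if(!sys_path || !dir || PyList_Append(sys_path, dir) < 0) {
				Py_XDECREF(dir);
				goto python_init_fail;
			}
			Py_DECREF(dir);
		/* … unchanged: sysconfig / distutils lookup and the unboundmodule import … */
```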
@@ -480,6 +494,11 @@ PyGILState_Release(gil); return 1; + +python_init_fail: + log_err("pythonmod: cannot initialize core module: unboundmodule.py"); + PyGILState_Release(gil); + return 0; } void pythonmod_deinit(struct module_env* env, int id)
_service:tar_scm:unbound-1.13.2.tar.gz/pythonmod/pythonmod_utils.c -> _service:tar_scm:unbound-1.17.1.tar.gz/pythonmod/pythonmod_utils.c
Changed
@@ -72,7 +72,8 @@ } return dns_cache_store(qstate->env, qinfo, msgrep, is_referral, - qstate->prefetch_leeway, 0, NULL, qstate->query_flags); + qstate->prefetch_leeway, 0, NULL, qstate->query_flags, + qstate->qstarttime); } /* Invalidate the message associated with query_info stored in message cache */ @@ -132,7 +133,7 @@ return 0; } /* edns is not examined, but removed from message to help cache */ - if(parse_extract_edns(prs, &edns, qstate->env->scratch) != + if(parse_extract_edns_from_response_msg(prs, &edns, qstate->env->scratch) != LDNS_RCODE_NOERROR) return 0; @@ -171,14 +172,14 @@ } -/* Convert reply->addr to string */ +/* Convert reply->client_addr to string */ void reply_addr2str(struct comm_reply* reply, char* dest, int maxlen) { - int af = (int)((struct sockaddr_in*) &(reply->addr))->sin_family; - void* sinaddr = &((struct sockaddr_in*) &(reply->addr))->sin_addr; + int af = (int)((struct sockaddr_in*) &(reply->client_addr))->sin_family; + void* sinaddr = &((struct sockaddr_in*) &(reply->client_addr))->sin_addr; if(af == AF_INET6) - sinaddr = &((struct sockaddr_in6*)&(reply->addr))->sin6_addr; + sinaddr = &((struct sockaddr_in6*)&(reply->client_addr))->sin6_addr; dest0 = 0; if (inet_ntop(af, sinaddr, dest, (socklen_t)maxlen) == 0) return;
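Review bot: `reply_addr2str` in the last hunk casts the signed `maxlen` to `socklen_t` for `inet_ntop` and writes the terminator into `dest` before that, so a zero or negative `maxlen` is not rejected anywhere in the visible lines. A negative value becomes a very large unsigned length after the cast, which defeats the bound `inet_ntop` is supposed to enforce. A guard at the top of the function, `if(!dest || maxlen <= 0) return;`, closes this without changing the signature. Whether any caller can pass such a value is not visible here, and the function body continues past the hunk.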
_service:tar_scm:unbound-1.13.2.tar.gz/respip/respip.c -> _service:tar_scm:unbound-1.17.1.tar.gz/respip/respip.c
Changed
@@ -25,6 +25,7 @@ #include "respip/respip.h" #include "services/view.h" #include "sldns/rrdef.h" +#include "util/data/dname.h" /** Subset of resp_addr.node, used for inform-variant logging */ @@ -483,8 +484,8 @@ * This function returns the copied rrset key on success, and NULL on memory * allocation failure. */ -static struct ub_packed_rrset_key* -copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region) +struct ub_packed_rrset_key* +respip_copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region) { struct ub_packed_rrset_key* ck = regional_alloc(region, sizeof(struct ub_packed_rrset_key)); @@ -602,7 +603,7 @@ */ static struct resp_addr* respip_addr_lookup(const struct reply_info *rep, struct respip_set* rs, - size_t* rrset_id) + size_t* rrset_id, size_t* rr_id) { size_t i; struct resp_addr* ra; @@ -625,6 +626,7 @@ &ss, addrlen); if(ra) { *rrset_id = i; + *rr_id = j; lock_rw_rdlock(&ra->lock); lock_rw_unlock(&rs->lock); return ra; 
@@ -635,43 +637,6 @@ return NULL; } -/* - * Create a new reply_info based on 'rep'. The new info is based on - * the passed 'rep', but ignores any rrsets except for the first 'an_numrrsets' - * RRsets in the answer section. These answer rrsets are copied to the - * new info, up to 'copy_rrsets' rrsets (which must not be larger than - * 'an_numrrsets'). If an_numrrsets > copy_rrsets, the remaining rrsets array - * entries will be kept empty so the caller can fill them later. When rrsets - * are copied, they are shallow copied. The caller must ensure that the - * copied rrsets are valid throughout its lifetime and must provide appropriate - * mutex if it can be shared by multiple threads. - */ -static struct reply_info * -make_new_reply_info(const struct reply_info* rep, struct regional* region, - size_t an_numrrsets, size_t copy_rrsets) -{ - struct reply_info* new_rep; - size_t i; - - /* create a base struct. we specify 'insecure' security status as - * the modified response won't be DNSSEC-valid. In our faked response - * the authority and additional sections will be empty (except possible - * EDNS0 OPT RR in the additional section appended on sending it out), - * so the total number of RRsets is an_numrrsets. */ - new_rep = construct_reply_info_base(region, rep->flags, - rep->qdcount, rep->ttl, rep->prefetch_ttl, - rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets, - sec_status_insecure); - if(!new_rep) - return NULL; - if(!reply_info_alloc_rrset_keys(new_rep, NULL, region)) - return NULL; - for(i=0; i<copy_rrsets; i++) - new_rep->rrsetsi = rep->rrsetsi; - - return new_rep; -} - /** * See if response-ip or tag data should override the original answer rrset * (which is rep->rrsetsrrset_id) and if so override it. @@ -730,7 +695,7 @@ "response-ip redirect with tag data %d %s", tag, (tag<num_tags?tagnametag:"null")); /* use copy_rrset() to 'normalize' memory layout */ - rp = copy_rrset(&r, region); + rp = respip_copy_rrset(&r, region); if(!rp) return -1; } 
@@ -743,7 +708,7 @@ * rename the dname for other actions than redirect. This is because * response-ip-data isn't associated to any specific name. */ if(rp == data) { - rp = copy_rrset(rp, region); + rp = respip_copy_rrset(rp, region); if(!rp) return -1; rp->rk.dname = rep->rrsetsrrset_id->rk.dname; @@ -807,7 +772,6 @@ * is explicitly specified. */ int rcode = (action == respip_always_nxdomain)? LDNS_RCODE_NXDOMAIN:LDNS_RCODE_NOERROR; - /* We should empty the answer section except for any preceding * CNAMEs (in that case rrset_id > 0). Type-ANY case is * special as noted in respip_data_answer(). */ @@ -869,8 +833,11 @@ respip_use_rpz(struct resp_addr* raddr, struct rpz* r, enum respip_action* action, struct ub_packed_rrset_key** data, int* rpz_log, char** log_name, - int* rpz_cname_override, struct regional* region, int* is_rpz) + int* rpz_cname_override, struct regional* region, int* is_rpz, + int* rpz_passthru) { + if(rpz_passthru && *rpz_passthru) + return 0; if(r->action_override == RPZ_DISABLED_ACTION) { *is_rpz = 0; return 1; @@ -884,6 +851,9 @@ *data = r->cname_override; *rpz_cname_override = 1; } + if(*action == respip_always_transparent /* RPZ_PASSTHRU_ACTION */ + && rpz_passthru) + *rpz_passthru = 1; *rpz_log = r->log; if(r->log_name) if(!(*log_name = regional_strdup(region, r->log_name))) @@ -897,7 +867,7 @@ const struct respip_client_info* cinfo, const struct reply_info* rep, struct reply_info** new_repp, struct respip_action_info* actinfo, struct ub_packed_rrset_key** alias_rrset, int search_only, - struct regional* region, struct auth_zones* az) + struct regional* region, struct auth_zones* az, int* rpz_passthru) { const uint8_t* ctaglist; size_t ctaglen; @@ -907,7 +877,7 @@ size_t tag_datas_size; struct view* view = NULL; struct respip_set* ipset = NULL; - size_t rrset_id = 0; + size_t rrset_id = 0, rr_id = 0; enum respip_action action = respip_none; int tag = -1; struct resp_addr* raddr = NULL; 
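Review bot: The new early exit in `respip_use_rpz`, `if(rpz_passthru && *rpz_passthru) return 0;`, reuses the return value that the caller treats as an allocation failure: the call site in `respip_rewrite_reply` (a later hunk) answers a 0 with `log_err("out of memory")` and fails the rewrite. The loop guard added there, `!(rpz_passthru && *rpz_passthru)`, appears to keep that path from being reached today, but the two conditions must stay in step for that to hold. Returning success with the zone marked unused, `*is_rpz = 0; return 1;`, would match the `RPZ_DISABLED_ACTION` branch directly below; failing that, a comment such as `/* not reached from respip_rewrite_reply: its loop stops once passthru is set */` records the dependency. The body of `respip_use_rpz` extends beyond this hunk.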
@@ -948,7 +918,7 @@ lock_rw_rdlock(&view->lock); if(view->respip_set) { if((raddr = respip_addr_lookup(rep, - view->respip_set, &rrset_id))) { + view->respip_set, &rrset_id, &rr_id))) { /** for per-view respip directives the action * can only be direct (i.e. not tag-based) */ action = raddr->action; @@ -962,7 +932,7 @@ } } if(!raddr && (raddr = respip_addr_lookup(rep, ipset, - &rrset_id))) { + &rrset_id, &rr_id))) { action = (enum respip_action)local_data_find_tag_action( raddr->taglist, raddr->taglen, ctaglist, ctaglen, tag_actions, tag_actions_size, @@ -970,16 +940,16 @@ ipset->tagname, ipset->num_tags); } lock_rw_rdlock(&az->rpz_lock); - for(a = az->rpz_first; a && !raddr; a = a->rpz_az_next) { + for(a = az->rpz_first; a && !raddr && !(rpz_passthru && *rpz_passthru); a = a->rpz_az_next) { lock_rw_rdlock(&a->lock); r = a->rpz; if(!r->taglist || taglist_intersect(r->taglist, r->taglistlen, ctaglist, ctaglen)) { if((raddr = respip_addr_lookup(rep, - r->respip_set, &rrset_id))) { + r->respip_set, &rrset_id, &rr_id))) { if(!respip_use_rpz(raddr, r, &action, &data, &rpz_log, &log_name, &rpz_cname_override, - region, &rpz_used)) { + region, &rpz_used, rpz_passthru)) { log_err("out of memory"); lock_rw_unlock(&raddr->lock); lock_rw_unlock(&a->lock); 
@@ -987,6 +957,21 @@ return 0; } if(rpz_used) { + if(verbosity >= VERB_ALGO) { + struct sockaddr_storage ss; + socklen_t ss_len = 0; + char nm256, ip256; + char qn255+1; + if(!rdata2sockaddr(rep->rrsetsrrset_id->entry.data, ntohs(rep->rrsetsrrset_id->rk.type), rr_id, &ss, &ss_len)) + snprintf(ip, sizeof(ip), "invalidRRdata"); + else + addr_to_str(&ss, ss_len, ip, sizeof(ip)); + dname_str(qinfo->qname, qn); + addr_to_str(&raddr->node.addr, + raddr->node.addrlen, + nm, sizeof(nm)); + verbose(VERB_ALGO, "respip: rpz: response-ip trigger %s/%d on %s %s with action %s", nm, raddr->node.net, qn, ip, rpz_action_to_string(respip_action_to_rpz_action(action))); + } /* break to make sure 'a' stays pointed * to used auth_zone, and keeps lock */ break; @@ -1115,7 +1100,8 @@ if(!respip_rewrite_reply(&qstate->qinfo, qstate->client_info, qstate->return_msg->rep, &new_rep, &actinfo, &alias_rrset, 0, - qstate->region, qstate->env->auth_zones)) { + qstate->region, qstate->env->auth_zones, + &qstate->rpz_passthru)) { goto servfail; } if(actinfo.action != respip_none) { @@ -1190,7 +1176,7 @@ /* see if the target reply would be subject to a response-ip action. */ if(!respip_rewrite_reply(qinfo, cinfo, tgt_rep, &tmp_rep, &actinfo, - &alias_rrset, 1, region, az)) + &alias_rrset, 1, region, az, NULL)) return 0; if(actinfo.action != respip_none) { log_info("CNAME target of redirect response-ip action would " @@ -1209,7 +1195,7 @@ if(!new_rep) return 0; for(i=0,j=base_rep->an_numrrsets; i<tgt_rep->an_numrrsets; i++,j++) { - new_rep->rrsetsj = copy_rrset(tgt_rep->rrsetsi, region); + new_rep->rrsetsj = respip_copy_rrset(tgt_rep->rrsetsi, region); if(!new_rep->rrsetsj) return 0; } @@ -1304,7 +1290,7 @@ void respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname, uint16_t qtype, uint16_t qclass, struct local_rrset* local_alias, - struct comm_reply* repinfo) + struct sockaddr_storage* addr, socklen_t addrlen) { char srcip128, respip128, txt512; unsigned port; 
@@ -1314,15 +1300,15 @@ if(local_alias) qname = local_alias->rrset->rk.dname; - port = (unsigned)((repinfo->addr.ss_family == AF_INET) ? - ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port) : - ntohs(((struct sockaddr_in6*)&repinfo->addr)->sin6_port)); - addr_to_str(&repinfo->addr, repinfo->addrlen, srcip, sizeof(srcip)); + port = (unsigned)((addr->ss_family == AF_INET) ? + ntohs(((struct sockaddr_in*)addr)->sin_port) : + ntohs(((struct sockaddr_in6*)addr)->sin6_port)); + addr_to_str(addr, addrlen, srcip, sizeof(srcip)); addr_to_str(&respip_addr->addr, respip_addr->addrlen, respip, sizeof(respip)); if(respip_actinfo->rpz_log) { txtlen += snprintf(txt+txtlen, sizeof(txt)-txtlen, "%s", - "RPZ applied "); + "rpz: applied "); if(respip_actinfo->rpz_cname_override) actionstr = rpz_action_to_string( RPZ_CNAME_OVERRIDE_ACTION);
_service:tar_scm:unbound-1.13.2.tar.gz/respip/respip.h -> _service:tar_scm:unbound-1.17.1.tar.gz/respip/respip.h
Changed
@@ -176,6 +176,8 @@ * will be set (or intact) accordingly but the modified reply won't be built. * @param az: auth zones containing RPZ information. * @param region: allocator to build *new_repp. + * @param rpz_passthru: keeps track of query state can have passthru that + * stops further rpz processing. Or NULL for cached answer processing. * @return 1 on success, 0 on error. */ int respip_rewrite_reply(const struct query_info* qinfo, @@ -183,7 +185,8 @@ const struct reply_info *rep, struct reply_info** new_repp, struct respip_action_info* actinfo, struct ub_packed_rrset_key** alias_rrset, - int search_only, struct regional* region, struct auth_zones* az); + int search_only, struct regional* region, struct auth_zones* az, + int* rpz_passthru); /** * Get the response-ip function block. @@ -248,11 +251,13 @@ * @param local_alias: set to a local alias if the query matches an alias in * a local zone. In this case its owner name will be considered the actual * query name. - * @param repinfo: reply info containing the client's source address and port. + * @param addr: the client's source address and port. + * @param addrlen: the client's source address length. */ void respip_inform_print(struct respip_action_info* respip_actinfo, uint8_t* qname, uint16_t qtype, uint16_t qclass, - struct local_rrset* local_alias, struct comm_reply* repinfo); + struct local_rrset* local_alias, struct sockaddr_storage* addr, + socklen_t addrlen); /** * Find resp_addr in tree, create and add to tree if it does not exist. @@ -294,4 +299,7 @@ */ void respip_sockaddr_delete(struct respip_set* set, struct resp_addr* node); + +struct ub_packed_rrset_key* +respip_copy_rrset(const struct ub_packed_rrset_key* key, struct regional* region); #endif /* RESPIP_RESPIP_H */
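Review bot: The prototype for `respip_copy_rrset` added in the last hunk has no doc comment, unlike the other declarations touched in this header, although the function is now exported from respip.c. The comment on the definition there says it returns the copied rrset key on success and NULL on memory allocation failure; the header should carry that, for example `/** Copy an rrset key into region; returns NULL on memory allocation failure. */`. If the copy is owned by `region` and released with it, that is worth one more line; only the `regional_alloc` call is visible in respip.c, so this part is an assumption to confirm.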
_service:tar_scm:unbound-1.13.2.tar.gz/services/authzone.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/authzone.c
Changed
@@ -84,7 +84,7 @@ #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */ /* auth transfer timeout for TCP connections, in msec */ #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */ -/* auth transfer max backoff for failed tranfers and probes */ +/* auth transfer max backoff for failed transfers and probes */ #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */ /* auth http port number */ #define AUTH_HTTP_PORT 80 @@ -132,6 +132,7 @@ return NULL; msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA); msg->rep->authoritative = 1; + msg->rep->reason_bogus = LDNS_EDE_NONE; msg->rep->qdcount = 1; /* rrsets is NULL, no rrsets yet */ return msg; @@ -243,7 +244,7 @@ return 1; } -/** add rrset to authority section (no additonal section rrsets yet) */ +/** add rrset to authority section (no additional section rrsets yet) */ static int msg_add_rrset_ns(struct auth_zone* z, struct regional* region, struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset) @@ -1882,6 +1883,8 @@ struct regional* region = NULL; struct sldns_buffer* buf = NULL; uint32_t soa_serial = 0; + char* unsupported_reason = NULL; + int only_unsupported = 1; region = env->scratch; regional_free_all(region); buf = env->scratch_buffer; @@ -1911,6 +1914,7 @@ &hashalgo, &hash, &hashlen)) { /* malformed RR */ *reason = "ZONEMD rdata malformed"; + only_unsupported = 0; continue; } /* check for duplicates */ 
@@ -1920,25 +1924,51 @@ * is not allowed. */ *reason = "ZONEMD RRSet contains more than one RR " "with the same scheme and hash algorithm"; + only_unsupported = 0; continue; } regional_free_all(region); if(serial != soa_serial) { *reason = "ZONEMD serial is wrong"; + only_unsupported = 0; continue; } + *reason = NULL; if(auth_zone_generate_zonemd_check(z, scheme, hashalgo, hash, hashlen, region, buf, reason)) { /* success */ + if(*reason) { + if(!unsupported_reason) + unsupported_reason = *reason; + /* continue to check for valid ZONEMD */ + if(verbosity >= VERB_ALGO) { + char zstr255+1; + dname_str(z->name, zstr); + verbose(VERB_ALGO, "auth-zone %s ZONEMD %d %d is unsupported: %s", zstr, (int)scheme, (int)hashalgo, *reason); + } + *reason = NULL; + continue; + } if(verbosity >= VERB_ALGO) { char zstr255+1; dname_str(z->name, zstr); - verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr); + if(!*reason) + verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr); } return 1; } + only_unsupported = 0; /* try next one */ } + /* have we seen no failures but only unsupported algo, + * and one unsupported algorithm, or more. */ + if(only_unsupported && unsupported_reason) { + /* only unsupported algorithms, with valid serial, not + * malformed. Did not see supported algorithms, failed or + * successful ones. */ + *reason = unsupported_reason; + return 1; + } /* fail, we may have reason */ if(!*reason) *reason = "no ZONEMD records found"; @@ -1950,6 +1980,17 @@ return 0; } +/** find the apex SOA RRset, if it exists */ +struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z) +{ + struct auth_data* apex; + struct auth_rrset* soa; + apex = az_find_name(z, z->name, z->namelen); + if(!apex) return NULL; + soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA); + return soa; +} + /** find serial number of zone or false if none */ int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial) 
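Review bot: With the `only_unsupported && unsupported_reason` branch the ZONEMD check now returns 1 both when a digest was verified and when every ZONEMD record used a scheme or hash algorithm that could not be checked; only a non-NULL `*reason` separates the two. A caller that tests the return value alone would treat an unchecked zone as verified, so the function's header comment (outside this hunk) should state the contract, for example `@return 1 if a ZONEMD verified, or if only unsupported ZONEMDs were seen (then *reason is set and the zone data was not checked)`. In the success branch the remaining `if(!*reason)` before the "ZONEMD hash is correct" message is always true after the preceding `continue` and can be dropped. The function begins in an earlier hunk.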
@@ -2715,6 +2756,7 @@ == 0) { msg->rep->rrsetsi->rk.dname = newname; msg->rep->rrsetsi->rk.dname_len = newlen; + msg->rep->rrsetsi->entry.hash = rrset_key_hash(&msg->rep->rrsetsi->rk); } } } @@ -3507,7 +3549,7 @@ if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, rcode, edns, repinfo, temp, env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(buf, rcode|BIT_AA, qinfo, *(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2), edns); @@ -3658,7 +3700,7 @@ /* compare address (but not port number, that is the destination * port of the master, the port number of the received notify is * allowed to by any port on that master) */ - if(extstrtoaddr(master->host, &a, &alen) && + if(extstrtoaddr(master->host, &a, &alen, UNBOUND_DNS_PORT) && sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) { *fromhost = master; return 1; @@ -3926,7 +3968,7 @@ struct auth_master* list = NULL, *last = NULL; struct auth_master* p; /* build up new list with copies */ - for(p = xfr->task_probe->masters; p; p=p->next) { + for(p = xfr->task_transfer->masters; p; p=p->next) { struct auth_master* m = auth_master_copy(p); if(!m) { auth_free_masters(list); @@ -4445,7 +4487,7 @@ return 1; } -/** process $ORIGIN for http */ +/** process $ORIGIN for http, 0 nothing, 1 done, 2 error */ static int http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate) { @@ -4456,13 +4498,16 @@ pstate->origin_len = sizeof(pstate->origin); s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8), pstate->origin, &pstate->origin_len); - if(s) pstate->origin_len = 0; + if(s) { + pstate->origin_len = 0; + return 2; + } return 1; } return 0; } -/** process $TTL for http */ +/** process $TTL for http, 0 nothing, 1 done, 2 error */ static int http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) { 
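Review bot: The three-way result introduced for `http_parse_origin` in the hunk at -4456 (and for `http_parse_ttl`) is expressed as bare integers, `return 2;`, and the callers in the hunks at -4482 and -5052 compare against the literal `2`. Any caller that keeps the old truth test would silently treat a parse error as "handled", so named constants make the contract harder to misuse, for example `enum { HTTP_DIRECTIVE_NONE = 0, HTTP_DIRECTIVE_DONE = 1, HTTP_DIRECTIVE_ERROR = 2 };` (names constructed for illustration). The body of `http_parse_ttl` continues outside this hunk.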
@@ -4470,8 +4515,12 @@ if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line4)) { const char* end = NULL; + int overflow = 0; pstate->default_ttl = sldns_str2period( - sldns_strip_ws(line+5), &end); + sldns_strip_ws(line+5), &end, &overflow); + if(overflow) { + return 2; + } return 1; } return 0; @@ -4482,15 +4531,20 @@ chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos, sldns_buffer* buf, struct sldns_file_parse_state* pstate) { + int ret; while(chunkline_get_line_collated(chunk, chunk_pos, buf)) { if(chunkline_is_comment_line_or_empty(buf)) { /* a comment, go to next line */ continue; } - if(http_parse_origin(buf, pstate)) { + if((ret=http_parse_origin(buf, pstate))!=0) { + if(ret == 2) + return 0; continue; /* $ORIGIN has been handled */ } - if(http_parse_ttl(buf, pstate)) { + if((ret=http_parse_ttl(buf, pstate))!=0) { + if(ret == 2) + return 0; continue; /* $TTL has been handled */ } return 1; @@ -4996,6 +5050,7 @@ struct sldns_file_parse_state pstate; struct auth_chunk* chunk; size_t chunk_pos; + int ret; memset(&pstate, 0, sizeof(pstate)); pstate.default_ttl = 3600; if(xfr->namelen < sizeof(pstate.origin)) { @@ -5052,10 +5107,24 @@ continue; } /* parse line and add RR */ - if(http_parse_origin(scratch_buffer, &pstate)) { + if((ret=http_parse_origin(scratch_buffer, &pstate))!=0) { + if(ret == 2) { + verbose(VERB_ALGO, "error parsing ORIGIN on line %s:%d %s", + xfr->task_transfer->master->file, + pstate.lineno, + sldns_buffer_begin(scratch_buffer)); + return 0; + } continue; /* $ORIGIN has been handled */ } - if(http_parse_ttl(scratch_buffer, &pstate)) { + if((ret=http_parse_ttl(scratch_buffer, &pstate))!=0) { + if(ret == 2) { + verbose(VERB_ALGO, "error parsing TTL on line %s:%d %s", + xfr->task_transfer->master->file, + pstate.lineno, + sldns_buffer_begin(scratch_buffer)); + return 0; + } continue; /* $TTL has been handled */ } if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) { 
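Review bot: `end` is handed to `sldns_str2period` but never examined in the lines shown, so the overflow flag is the only rejection criterion for a `$TTL` line. If the helper leaves `end` at the first character it could not parse, a value followed by junk is still accepted using whatever prefix was parsed. This text comes from a zone downloaded over HTTP, so it may be worth rejecting that case as well, e.g. `if(overflow || (end && *end != 0)) return 2;`, after confirming that comments and trailing whitespace have already been stripped from the line at this point. The function starts outside this hunk.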
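Review bot: The two `verbose(VERB_ALGO, ...)` calls added in the hunk at -5052 print the offending line of the downloaded zone with `%s`, passing `sldns_buffer_begin(scratch_buffer)` directly. That is a byte pointer into remotely supplied content, so the call depends on the buffer being NUL-terminated and writes unescaped remote bytes into the log. Unless `verbose` already sanitises its arguments, consider logging only the file name and `pstate.lineno`, or bounding the text with `"%.*s"` and an explicit length. Because the message is emitted only at `VERB_ALGO`, a transfer rejected for a bad `$ORIGIN` or `$TTL` may leave no trace at default verbosity; whether a caller outside the hunk logs the failure is not visible here.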
@@ -5313,7 +5382,7 @@ struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; if(!master) return 0; - if(extstrtoaddr(master->host, &addr, &addrlen)) { + if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) { /* not needed, host is in IP addr format */ return 0; } @@ -5347,7 +5416,9 @@ edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); @@ -5357,7 +5428,7 @@ * called straight away */ lock_basic_unlock(&xfr->lock); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &auth_xfer_transfer_lookup_callback, xfr)) { + &auth_xfer_transfer_lookup_callback, xfr, 0)) { lock_basic_lock(&xfr->lock); log_err("out of memory lookup up master %s", master->host); return 0; @@ -5442,6 +5513,8 @@ addr_to_str(&addr, addrlen, as, sizeof(as)); verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as); } + /* Create or refresh the list of allow_notify addrs */ + probe_copy_masters_for_allow_notify(xfr); return 1; } @@ -6480,7 +6553,7 @@ comm_point_delete(xfr->task_probe->cp); xfr->task_probe->cp = NULL; - /* if the result was not a successfull probe, we need + /* if the result was not a successful probe, we need * to send the next one */ xfr_probe_nextmaster(xfr); xfr_probe_send_or_end(xfr, env); @@ -6500,7 +6573,7 @@ struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; if(!master) return 0; - if(extstrtoaddr(master->host, &addr, &addrlen)) { + if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) { /* not needed, host is in IP addr format */ return 0; } 
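Review bot: `struct edns_data` is still filled in one field at a time, which is why this commit had to repeat the same three `opt_list_*` assignments in the hunks at -5347, -6536 and -8199. In the -8199 copy the visible lines go from `edns.opt_list_inplace_cb_out = NULL;` straight to the `udp_size` computation without `edns.padding_block_size = 0;`, so unless that field is set outside the hunk it reaches `mesh_new_callback` uninitialised. Starting each site with `memset(&edns, 0, sizeof(edns));` before the explicit assignments would cover that field and any member added later. The enclosing functions start and end outside these hunks.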
@@ -6536,7 +6609,9 @@ edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); @@ -6546,7 +6621,7 @@ * called straight away */ lock_basic_unlock(&xfr->lock); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &auth_xfer_probe_lookup_callback, xfr)) { + &auth_xfer_probe_lookup_callback, xfr, 0)) { lock_basic_lock(&xfr->lock); log_err("out of memory lookup up master %s", master->host); return 0; @@ -7149,7 +7224,7 @@ while(p && *p == '/') p++; if(!p || p0 == 0) - *file = strdup("index.html"); + *file = strdup("/"); else *file = strdup(p); if(!*file) { log_err("malloc failure"); @@ -7617,13 +7692,16 @@ { uint8_t gen512; size_t genlen = 0; + *reason = NULL; if(!zonemd_hashalgo_supported(hashalgo)) { + /* allow it */ *reason = "unsupported algorithm"; - return 0; + return 1; } if(!zonemd_scheme_supported(scheme)) { + /* allow it */ *reason = "unsupported scheme"; - return 0; + return 1; } if(hashlen < 12) { /* the ZONEMD draft requires digests to fail if too small */ @@ -7683,7 +7761,7 @@ static int zonemd_dnssec_verify_rrset(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, struct auth_data* node, - struct auth_rrset* rrset, char** why_bogus) + struct auth_rrset* rrset, char** why_bogus, uint8_t* sigalg) { struct ub_packed_rrset_key pk; enum sec_status sec; @@ -7711,7 +7789,7 @@ auth_zone_log(z->name, VERB_ALGO, "zonemd: verify %s RRset with DNSKEY", typestr); } - sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, NULL, why_bogus, + sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, sigalg, why_bogus, NULL, LDNS_SECTION_ANSWER, NULL); if(sec == sec_status_secure) { return 1; 
@@ -7755,7 +7833,7 @@ static int zonemd_check_dnssec_absence(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, struct auth_data* apex, - char** reason, char** why_bogus) + char** reason, char** why_bogus, uint8_t* sigalg) { struct auth_rrset* nsec = NULL; if(!apex) { @@ -7767,7 +7845,7 @@ struct ub_packed_rrset_key pk; /* dnssec verify the NSEC */ if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, - nsec, why_bogus)) { + nsec, why_bogus, sigalg)) { *reason = "DNSSEC verify failed for NSEC RRset"; return 0; } @@ -7810,7 +7888,7 @@ } /* dnssec verify the NSEC3 */ if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, match, - nsec3, why_bogus)) { + nsec3, why_bogus, sigalg)) { *reason = "DNSSEC verify failed for NSEC3 RRset"; return 0; } @@ -7831,7 +7909,8 @@ static int zonemd_check_dnssec_soazonemd(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, struct auth_data* apex, - struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus) + struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus, + uint8_t* sigalg) { struct auth_rrset* soa; if(!apex) { @@ -7844,12 +7923,12 @@ return 0; } if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, soa, - why_bogus)) { + why_bogus, sigalg)) { *reason = "DNSSEC verify failed for SOA RRset"; return 0; } if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, - zonemd_rrset, why_bogus)) { + zonemd_rrset, why_bogus, sigalg)) { *reason = "DNSSEC verify failed for ZONEMD RRset"; return 0; } 
@@ -7908,12 +7987,14 @@ * @param is_insecure: if true, the dnskey is not used, the zone is insecure. * And dnssec is not used. It is DNSSEC secure insecure or not under * a trust anchor. + * @param sigalg: if nonNULL provide algorithm downgrade protection. + * Otherwise one algorithm is enough. Must have space of ALGO_NEEDS_MAX+1. * @param result: if not NULL result reason copied here. */ static void auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env, struct module_stack* mods, struct ub_packed_rrset_key* dnskey, - int is_insecure, char** result) + int is_insecure, char** result, uint8_t* sigalg) { char* reason = NULL, *why_bogus = NULL; struct auth_data* apex = NULL; @@ -7943,7 +8024,7 @@ } else if(!zonemd_rrset && dnskey && !is_insecure) { /* fetch, DNSSEC verify, and check NSEC/NSEC3 */ if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex, - &reason, &why_bogus)) { + &reason, &why_bogus, sigalg)) { auth_zone_zonemd_fail(z, env, reason, why_bogus, result); return; } @@ -7951,7 +8032,7 @@ } else if(zonemd_rrset && dnskey && !is_insecure) { /* check DNSSEC verify of SOA and ZONEMD */ if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex, - zonemd_rrset, &reason, &why_bogus)) { + zonemd_rrset, &reason, &why_bogus, sigalg)) { auth_zone_zonemd_fail(z, env, reason, why_bogus, result); return; } @@ -7985,9 +8066,13 @@ } /* success! log the success */ - auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful"); + if(reason) + auth_zone_log(z->name, VERB_ALGO, "ZONEMD %s", reason); + else auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful"); if(result) { - *result = strdup("ZONEMD verification successful"); + if(reason) + *result = strdup(reason); + else *result = strdup("ZONEMD verification successful"); if(!*result) log_err("out of memory"); } } 
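Review bot: In the hunk at -7985 a non-NULL `reason` on the success path appears to mean that the ZONEMD records used only unsupported schemes or algorithms and no digest was compared, yet it is reported through the same `VERB_ALGO` message under the comment `/* success! log the success */`. An operator who enabled ZONEMD checking therefore gets no indication at normal verbosity that the zone was accepted unverified. Consider logging that case at a level visible by default and wording it accordingly, e.g. `auth_zone_log(z->name, VERB_OPS, "ZONEMD not verified: %s", reason);`. The function body continues outside this hunk.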
@@ -8047,7 +8132,7 @@ auth_zone_log(z->name, VERB_QUERY, "zonemd: verify DNSKEY RRset with trust anchor"); sec = val_verify_DNSKEY_with_TA(env, ve, keystorage, anchor->ds_rrset, - anchor->dnskey_rrset, NULL, why_bogus, NULL); + anchor->dnskey_rrset, NULL, why_bogus, NULL, NULL); regional_free_all(env->scratch); if(sec == sec_status_secure) { /* success */ 
@@ -8065,15 +8150,78 @@ return NULL; } +/** verify the DNSKEY from the zone with looked up DS record */ +static struct ub_packed_rrset_key* +auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z, + struct module_env* env, struct module_stack* mods, + struct ub_packed_rrset_key* ds, int* is_insecure, char** why_bogus, + struct ub_packed_rrset_key* keystorage, uint8_t* sigalg) +{ + struct auth_data* apex; + struct auth_rrset* dnskey_rrset; + enum sec_status sec; + struct val_env* ve; + int m; + + /* fetch DNSKEY from zone data */ + apex = az_find_name(z, z->name, z->namelen); + if(!apex) { + *why_bogus = "in verifywithDS, zone has no apex"; + return NULL; + } + dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY); + if(!dnskey_rrset || dnskey_rrset->data->count==0) { + *why_bogus = "in verifywithDS, zone has no DNSKEY"; + return NULL; + } + + m = modstack_find(mods, "validator"); + if(m == -1) { + *why_bogus = "in verifywithDS, have no validator module"; + return NULL; + } + ve = (struct val_env*)env->modinfom; + + memset(keystorage, 0, sizeof(*keystorage)); + keystorage->entry.key = keystorage; + keystorage->entry.data = dnskey_rrset->data; + keystorage->rk.dname = apex->name; + keystorage->rk.dname_len = apex->namelen; + keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY); + keystorage->rk.rrset_class = htons(z->dclass); + auth_zone_log(z->name, VERB_QUERY, "zonemd: verify zone DNSKEY with DS"); + sec = val_verify_DNSKEY_with_DS(env, ve, keystorage, ds, sigalg, + why_bogus, NULL, NULL); + regional_free_all(env->scratch); + if(sec == sec_status_secure) { + /* success */ + return keystorage; + } else if(sec == sec_status_insecure) { + /* insecure */ + *is_insecure = 1; + } else { + /* bogus */ + *is_insecure = 0; + if(*why_bogus == NULL) + *why_bogus = "verify failed"; + auth_zone_log(z->name, VERB_ALGO, + "zonemd: verify DNSKEY RRset with DS failed: %s", + *why_bogus); + } + return NULL; +} + /** callback for ZONEMD lookup of DNSKEY */ void 
auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf, enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited)) { struct auth_zone* z = (struct auth_zone*)arg; struct module_env* env; - char* reason = NULL; - struct ub_packed_rrset_key* dnskey = NULL; - int is_insecure = 0; + char* reason = NULL, *ds_bogus = NULL, *typestr="DNSKEY"; + struct ub_packed_rrset_key* dnskey = NULL, *ds = NULL; + int is_insecure = 0, downprot; + struct ub_packed_rrset_key keystorage; + uint8_t sigalgALGO_NEEDS_MAX+1; lock_rw_wrlock(&z->lock); env = z->zonemd_callback_env; @@ -8084,16 +8232,22 @@ lock_rw_unlock(&z->lock); return; /* stop on quit */ } + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS) + typestr = "DS"; + downprot = env->cfg->harden_algo_downgrade; /* process result */ if(sec == sec_status_bogus) { reason = why_bogus; - if(!reason) - reason = "lookup of DNSKEY was bogus"; + if(!reason) { + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY was bogus"; + else reason = "lookup of DS was bogus"; + } auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was bogus: %s", reason); + "zonemd lookup of %s was bogus: %s", typestr, reason); } else if(rcode == LDNS_RCODE_NOERROR) { - uint16_t wanted_qtype = LDNS_RR_TYPE_DNSKEY; + uint16_t wanted_qtype = z->zonemd_callback_qtype; struct regional* temp = env->scratch; struct query_info rq; struct reply_info* rep; 
@@ -8106,25 +8260,29 @@ struct ub_packed_rrset_key* answer = reply_find_answer_rrset(&rq, rep); if(answer && sec == sec_status_secure) { - dnskey = answer; + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + dnskey = answer; + else ds = answer; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was secure"); + "zonemd lookup of %s was secure", typestr); } else if(sec == sec_status_secure && !answer) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY has no content, but is secure, treat as insecure"); + "zonemd lookup of %s has no content, but is secure, treat as insecure", typestr); } else if(sec == sec_status_insecure) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was insecure"); + "zonemd lookup of %s was insecure", typestr); } else if(sec == sec_status_indeterminate) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was indeterminate, treat as insecure"); + "zonemd lookup of %s was indeterminate, treat as insecure", typestr); } else { auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY has nodata"); - reason = "lookup of DNSKEY has nodata"; + "zonemd lookup of %s has nodata", typestr); + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY has nodata"; + else reason = "lookup of DS has nodata"; } } else if(rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && 
@@ -8137,40 +8295,52 @@ * trust, as insecure. */ is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was secure NXDOMAIN, treat as insecure"); + "zonemd lookup of %s was secure NXDOMAIN, treat as insecure", typestr); } else if(rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN && sec == sec_status_insecure) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was insecure NXDOMAIN, treat as insecure"); + "zonemd lookup of %s was insecure NXDOMAIN, treat as insecure", typestr); } else if(rep && rq.qtype == wanted_qtype && query_dname_compare(z->name, rq.qname) == 0 && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN && sec == sec_status_indeterminate) { is_insecure = 1; auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY was indeterminate NXDOMAIN, treat as insecure"); + "zonemd lookup of %s was indeterminate NXDOMAIN, treat as insecure", typestr); } else { auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY has no answer"); - reason = "lookup of DNSKEY has no answer"; + "zonemd lookup of %s has no answer", typestr); + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY has no answer"; + else reason = "lookup of DS has no answer"; } } else { auth_zone_log(z->name, VERB_ALGO, - "zonemd lookup of DNSKEY failed"); - reason = "lookup of DNSKEY failed"; + "zonemd lookup of %s failed", typestr); + if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY) + reason = "lookup of DNSKEY failed"; + else reason = "lookup of DS failed"; + } + + if(!reason && !is_insecure && !dnskey && ds) { + dnskey = auth_zone_verify_zonemd_key_with_ds(z, env, + &env->mesh->mods, ds, &is_insecure, &ds_bogus, + &keystorage, downprot?sigalg:NULL); + if(!dnskey && !is_insecure && !reason) + reason = "DNSKEY verify with DS failed"; } if(reason) { - auth_zone_zonemd_fail(z, env, reason, NULL, NULL); + 
auth_zone_zonemd_fail(z, env, reason, ds_bogus, NULL); lock_rw_unlock(&z->lock); return; } auth_zone_verify_zonemd_with_key(z, env, &env->mesh->mods, dnskey, - is_insecure, NULL); + is_insecure, NULL, downprot?sigalg:NULL); regional_free_all(env->scratch); lock_rw_unlock(&z->lock); } @@ -8183,14 +8353,21 @@ uint16_t qflags = BIT_RD; struct edns_data edns; sldns_buffer* buf = env->scratch_buffer; + int fetch_ds = 0; + if(!z->fallback_enabled) { + /* we cannot actually get the DNSKEY, because it is in the + * zone we have ourselves, and it is not served yet + * (possibly), so fetch type DS */ + fetch_ds = 1; + } if(z->zonemd_callback_env) { /* another worker is already working on the callback * for the DNSKEY lookup for ZONEMD verification. * We do not also have to do ZONEMD verification, let that * worker do it */ auth_zone_log(z->name, VERB_ALGO, - "zonemd needs lookup of DNSKEY and that already worked on by another worker"); + "zonemd needs lookup of %s and that already is worked on by another worker", (fetch_ds?"DS":"DNSKEY")); return 1; } 
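Review bot: `sigalg` is declared in the callback without an initialiser, and the only visible call that could fill it is `auth_zone_verify_zonemd_key_with_ds`, which runs only when a DS answer was obtained. When the lookup was for DNSKEY (`dnskey = answer`), the final `auth_zone_verify_zonemd_with_key(..., downprot?sigalg:NULL)` passes the array untouched if `harden_algo_downgrade` is set. Whether the verifier reads the list before writing it is not visible here; if it treats it as a zero-terminated input list, this is a read of indeterminate stack bytes. Passing the array only when the DS path ran, e.g. `(downprot && ds)?sigalg:NULL`, or populating it on the DNSKEY path, would remove the ambiguity. The callback starts in an earlier hunk.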
@@ -8199,21 +8376,26 @@ qinfo.qname_len = z->namelen; qinfo.qname = z->name; qinfo.qclass = z->dclass; - qinfo.qtype = LDNS_RR_TYPE_DNSKEY; + if(fetch_ds) + qinfo.qtype = LDNS_RR_TYPE_DS; + else qinfo.qtype = LDNS_RR_TYPE_DNSKEY; qinfo.local_alias = NULL; if(verbosity >= VERB_ALGO) { char buf1512; char buf2LDNS_MAX_DOMAINLEN+1; dname_str(z->name, buf2); - snprintf(buf1, sizeof(buf1), "auth zone %s: lookup DNSKEY " - "for zonemd verification", buf2); + snprintf(buf1, sizeof(buf1), "auth zone %s: lookup %s " + "for zonemd verification", buf2, + (fetch_ds?"DS":"DNSKEY")); log_query_info(VERB_ALGO, buf1, &qinfo); } edns.edns_present = 1; edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); else edns.udp_size = 65535; @@ -8221,12 +8403,14 @@ /* store the worker-specific module env for the callback. * We can then reference this when the callback executes */ z->zonemd_callback_env = env; + z->zonemd_callback_qtype = qinfo.qtype; /* the callback can be called straight away */ lock_rw_unlock(&z->lock); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &auth_zonemd_dnskey_lookup_callback, z)) { + &auth_zonemd_dnskey_lookup_callback, z, 0)) { lock_rw_wrlock(&z->lock); - log_err("out of memory lookup up dnskey for zonemd"); + log_err("out of memory lookup of %s for zonemd", + (fetch_ds?"DS":"DNSKEY")); return 0; } lock_rw_wrlock(&z->lock); @@ -8245,6 +8429,8 @@ * If not present check if absence is allowed by DNSSEC */ if(!z->zonemd_check) return; + if(z->data.count == 0) + return; /* no data */ /* if zone is under a trustanchor */ /* is it equal to trustanchor - get dnskey's verified */ @@ -8298,7 +8484,7 @@ } auth_zone_verify_zonemd_with_key(z, env, mods, dnskey, is_insecure, - result); + result, NULL); regional_free_all(env->scratch); }
_service:tar_scm:unbound-1.13.2.tar.gz/services/authzone.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/authzone.h
Changed
@@ -143,6 +143,8 @@ * worker has already picked up the zonemd verification task and * this worker does not have to do it as well. */ struct module_env* zonemd_callback_env; + /** for the zonemd callback, the type of data looked up */ + uint16_t zonemd_callback_qtype; /** zone has been deleted */ int zone_deleted; /** deletelist pointer, unused normally except during delete */ @@ -634,6 +636,9 @@ /** read auth zone from zonefile. caller must lock zone. false on failure */ int auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg); +/** find the apex SOA RRset, if it exists. NULL if no SOA RRset. */ +struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z); + /** find serial number of zone or false if none (no SOA record) */ int auth_zone_get_serial(struct auth_zone* z, uint32_t* serial); @@ -742,6 +747,9 @@ * @param region: temp region for allocs during canonicalisation. * @param buf: temp buffer during canonicalisation. * @param reason: string returned with failure reason. + * If the hash cannot be checked, but it is allowed, for unknown + * algorithms, the routine returns success, and the reason is nonNULL, + * with the allowance reason. * @return false on failure. */ int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme,
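Review bot: The new declaration of `auth_zone_get_soa_rrset` states no locking requirement, while the neighbouring `auth_zone_read_zonefile` comment says "caller must lock zone". Its body in authzone.c returns a pointer looked up in the zone's own data, so presumably the result is only valid while the zone lock is held; the comment could read `/** find the apex SOA RRset, if it exists. NULL if no SOA RRset. caller must hold the zone lock while using the result. */`. In the last hunk, `@return false on failure.` is left unchanged although success now has two meanings; extending that line with "true with reason set when the digest could not be checked" would keep the summary accurate.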
_service:tar_scm:unbound-1.13.2.tar.gz/services/cache/dns.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/cache/dns.c
Changed
@@ -68,11 +68,16 @@ * in a prefetch situation to be updated (without becoming sticky). * @param qrep: update rrsets here if cache is better * @param region: for qrep allocs. + * @param qstarttime: time when delegations were looked up, this is perhaps + * earlier than the time in now. The time is used to determine if RRsets + * of type NS have expired, so that they can only be updated using + * lookups of delegation points that did not use them, since they had + * expired then. */ static void store_rrsets(struct module_env* env, struct reply_info* rep, time_t now, time_t leeway, int pside, struct reply_info* qrep, - struct regional* region) + struct regional* region, time_t qstarttime) { size_t i; /* see if rrset already exists in cache, if not insert it. */ @@ -81,8 +86,8 @@ rep->refi.id = rep->rrsetsi->id; /* update ref if it was in the cache */ switch(rrset_cache_update(env->rrset_cache, &rep->refi, - env->alloc, now + ((ntohs(rep->refi.key->rk.type)== - LDNS_RR_TYPE_NS && !pside)?0:leeway))) { + env->alloc, ((ntohs(rep->refi.key->rk.type)== + LDNS_RR_TYPE_NS && !pside)?qstarttime:now + leeway))) { case 0: /* ref unchanged, item inserted */ break; case 2: /* ref updated, cache is superior */ @@ -155,7 +160,8 @@ void dns_cache_store_msg(struct module_env* env, struct query_info* qinfo, hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside, - struct reply_info* qrep, uint32_t flags, struct regional* region) + struct reply_info* qrep, uint32_t flags, struct regional* region, + time_t qstarttime) { struct msgreply_entry* e; time_t ttl = rep->ttl; 
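Review bot: The time argument to `rrset_cache_update` in the hunk at -81 is now `(... && !pside)?qstarttime:now + leeway`, which means `cond ? qstarttime : (now + leeway)` only by operator precedence; the same expression is repeated in `dns_cache_store` in the hunk at -991. Writing the else arm as `(now + leeway)` makes it obvious that `leeway` is never added to `qstarttime`. The new `@param qstarttime` text could also say what callers without a lookup start time must pass, since a value of 0 would presumably make cached NS RRsets look unexpired to the update check. `store_rrsets` continues outside the hunk.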
@@ -170,7 +176,8 @@ /* there was a reply_info_sortref(rep) here but it seems to be * unnecessary, because the cache gets locked per rrset. */ reply_info_set_ttls(rep, *env->now); - store_rrsets(env, rep, *env->now, leeway, pside, qrep, region); + store_rrsets(env, rep, *env->now, leeway, pside, qrep, region, + qstarttime); if(ttl == 0 && !(flags & DNSCACHE_STORE_ZEROTTL)) { /* we do not store the message, but we did store the RRs, * which could be useful for delegation information */ 
@@ -194,10 +201,51 @@ slabhash_insert(env->msg_cache, hash, &e->entry, rep, env->alloc); } +/** see if an rrset is expired above the qname, return upper qname. */ +static int +rrset_expired_above(struct module_env* env, uint8_t** qname, size_t* qnamelen, + uint16_t searchtype, uint16_t qclass, time_t now, uint8_t* expiretop, + size_t expiretoplen) +{ + struct ub_packed_rrset_key *rrset; + uint8_t lablen; + + while(*qnamelen > 0) { + /* look one label higher */ + lablen = **qname; + *qname += lablen + 1; + *qnamelen -= lablen + 1; + if(*qnamelen <= 0) + break; + + /* looks up with a time of 0, to see expired entries */ + if((rrset = rrset_cache_lookup(env->rrset_cache, *qname, + *qnamelen, searchtype, qclass, 0, 0, 0))) { + struct packed_rrset_data* data = + (struct packed_rrset_data*)rrset->entry.data; + if(now > data->ttl) { + /* it is expired, this is not wanted */ + lock_rw_unlock(&rrset->entry.lock); + log_nametypeclass(VERB_ALGO, "this rrset is expired", *qname, searchtype, qclass); + return 1; + } + /* it is not expired, continue looking */ + lock_rw_unlock(&rrset->entry.lock); + } + + /* do not look above the expiretop. */ + if(expiretop && *qnamelen == expiretoplen && + query_dname_compare(*qname, expiretop)==0) + break; + } + return 0; +} + /** find closest NS or DNAME and returns the rrset (locked) */ static struct ub_packed_rrset_key* find_closest_of_type(struct module_env* env, uint8_t* qname, size_t qnamelen, - uint16_t qclass, time_t now, uint16_t searchtype, int stripfront) + uint16_t qclass, time_t now, uint16_t searchtype, int stripfront, + int noexpiredabove, uint8_t* expiretop, size_t expiretoplen) { struct ub_packed_rrset_key *rrset; uint8_t lablen; 
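Review bot: In `rrset_expired_above`, `*qnamelen` is a `size_t`, so `if(*qnamelen <= 0)` can only test for equality with zero, and the preceding `*qnamelen -= lablen + 1;` wraps to a very large value if the remaining length is smaller than the label. The names passed in are presumably validated wire-format names already, but a guard such as `if((size_t)lablen + 1 > *qnamelen) break;` placed before the two adjustments keeps the loop from walking past the buffer should that assumption ever fail. The signature of `find_closest_of_type` at the end of the hunk belongs to a function whose body is outside it.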
@@ -212,8 +260,40 @@ /* snip off front part of qname until the type is found */ while(qnamelen > 0) { if((rrset = rrset_cache_lookup(env->rrset_cache, qname, - qnamelen, searchtype, qclass, 0, now, 0))) - return rrset; + qnamelen, searchtype, qclass, 0, now, 0))) { + uint8_t* origqname = qname; + size_t origqnamelen = qnamelen; + if(!noexpiredabove) + return rrset; + /* if expiretop set, do not look above it, but + * qname is equal, so the just found result is also + * the nonexpired above part. */ + if(expiretop && qnamelen == expiretoplen && + query_dname_compare(qname, expiretop)==0) + return rrset; + /* check for expiry, but we have to let go of the rrset + * for the lock ordering */ + lock_rw_unlock(&rrset->entry.lock); + /* the expired_above function always takes off one + * label (if qnamelen>0) and returns the final qname + * where it searched, so we can continue from there + * turning the O N*N search into O N. */ + if(!rrset_expired_above(env, &qname, &qnamelen, + searchtype, qclass, now, expiretop, + expiretoplen)) { + /* we want to return rrset, but it may be + * gone from cache, if so, just loop like + * it was not in the cache in the first place. + */ + if((rrset = rrset_cache_lookup(env-> + rrset_cache, origqname, origqnamelen, + searchtype, qclass, 0, now, 0))) { + return rrset; + } + } + log_nametypeclass(VERB_ALGO, "ignoring rrset because expired rrsets exist above it", origqname, searchtype, qclass); + continue; + } /* snip off front label */ lablen = *qname; @@ -324,6 +404,9 @@ struct ub_packed_rrset_key* akey; time_t now = *env->now; for(ns = dp->nslist; ns; ns = ns->next) { + if(ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX) + continue; + ns->cache_lookup_count++; akey = rrset_cache_lookup(env->rrset_cache, ns->name, ns->namelen, LDNS_RR_TYPE_A, qclass, 0, now, 0); if(akey) { 
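Review bot: The cap added in the hunk at -324 has no comment saying what it protects against, and the test `ns->cache_lookup_count > ITERATOR_NAME_CACHELOOKUP_MAX` runs before the increment, so each name gets one more lookup than the value of the constant. If the constant is meant as the maximum number of lookups, `>=` is the matching comparison; either way a line such as `/* bound repeated cache lookups per nameserver name */` would record the intent. The loop body continues outside the hunk.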
@@ -428,6 +511,7 @@ return NULL; /* integer overflow protection */ msg->rep->flags = BIT_QR; /* with QR, no AA */ msg->rep->qdcount = 1; + msg->rep->reason_bogus = LDNS_EDE_NONE; msg->rep->rrsets = (struct ub_packed_rrset_key**) regional_alloc(region, capacity*sizeof(struct ub_packed_rrset_key*)); @@ -461,7 +545,8 @@ struct delegpt* dns_cache_find_delegation(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, - struct regional* region, struct dns_msg** msg, time_t now) + struct regional* region, struct dns_msg** msg, time_t now, + int noexpiredabove, uint8_t* expiretop, size_t expiretoplen) { /* try to find closest NS rrset */ struct ub_packed_rrset_key* nskey; @@ -469,7 +554,7 @@ struct delegpt* dp; nskey = find_closest_of_type(env, qname, qnamelen, qclass, now, - LDNS_RR_TYPE_NS, 0); + LDNS_RR_TYPE_NS, 0, noexpiredabove, expiretop, expiretoplen); if(!nskey) /* hope the caller has hints to prime or something */ return NULL; nsdata = (struct packed_rrset_data*)nskey->entry.data; @@ -524,6 +609,7 @@ sizeof(struct reply_info) - sizeof(struct rrset_ref)); if(!msg->rep) return NULL; + msg->rep->reason_bogus = LDNS_EDE_NONE; if(num > RR_COUNT_MAX) return NULL; /* integer overflow protection */ msg->rep->rrsets = (struct ub_packed_rrset_key**) @@ -550,6 +636,14 @@ r->serve_expired_ttl < now) { return NULL; } + /* Ignore expired failure answers */ + if(FLAGS_GET_RCODE(r->flags) != + LDNS_RCODE_NOERROR && + FLAGS_GET_RCODE(r->flags) != + LDNS_RCODE_NXDOMAIN && + FLAGS_GET_RCODE(r->flags) != + LDNS_RCODE_YXDOMAIN) + return 0; } else { return NULL; } @@ -577,6 +671,7 @@ msg->rep->ar_numrrsets = r->ar_numrrsets; msg->rep->rrset_count = r->rrset_count; msg->rep->authoritative = r->authoritative; + msg->rep->reason_bogus = r->reason_bogus; if(!rrset_array_lock(r->ref, r->rrset_count, now_control)) { return NULL; } 
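Review bot: The early exit added for expired failure answers in the hunk at -550 uses `return 0;`, while every other exit in the visible lines of that function is `return NULL;`. The function evidently returns a pointer, so `return NULL;` matches the surrounding code and keeps the `0` from being read as a status code. The function starts and ends outside the hunk.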
@@ -632,6 +727,7 @@ msg->rep->ns_numrrsets = 0; msg->rep->ar_numrrsets = 0; msg->rep->rrset_count = 1; + msg->rep->reason_bogus = LDNS_EDE_NONE; msg->rep->rrsets0 = packed_rrset_copy_region(rrset, region, now); if(!msg->rep->rrsets0) /* copy CNAME */ return NULL; @@ -670,6 +766,7 @@ msg->rep->ns_numrrsets = 0; msg->rep->ar_numrrsets = 0; msg->rep->rrset_count = 1; + msg->rep->reason_bogus = LDNS_EDE_NONE; msg->rep->rrsets0 = packed_rrset_copy_region(rrset, region, now); if(!msg->rep->rrsets0) /* copy DNAME */ return NULL; @@ -835,7 +932,7 @@ * consistent with the DNAME */ if(!no_partial && (rrset=find_closest_of_type(env, qname, qnamelen, qclass, now, - LDNS_RR_TYPE_DNAME, 1))) { + LDNS_RR_TYPE_DNAME, 1, 0, NULL, 0))) { /* synthesize a DNAME+CNAME message based on this */ enum sec_status sec_status = sec_status_unchecked; struct dns_msg* msg = synth_dname_msg(rrset, region, now, &k, @@ -968,7 +1065,7 @@ int dns_cache_store(struct module_env* env, struct query_info* msgqinf, struct reply_info* msgrep, int is_referral, time_t leeway, int pside, - struct regional* region, uint32_t flags) + struct regional* region, uint32_t flags, time_t qstarttime) { struct reply_info* rep = NULL; /* alloc, malloc properly (not in region, like msg is) */ @@ -991,9 +1088,9 @@ /*ignore ret: it was in the cache, ref updated */ /* no leeway for typeNS */ (void)rrset_cache_update(env->rrset_cache, &ref, - env->alloc, *env->now + + env->alloc, ((ntohs(ref.key->rk.type)==LDNS_RR_TYPE_NS - && !pside) ? 0:leeway)); + && !pside) ? qstarttime:*env->now + leeway)); } free(rep); return 1; @@ -1015,7 +1112,7 @@ rep->flags &= ~(BIT_AA | BIT_CD); h = query_info_hash(&qinf, (uint16_t)flags); dns_cache_store_msg(env, &qinf, h, rep, leeway, pside, msgrep, - flags, region); + flags, region, qstarttime); /* qname is used inside query_info_entrysetup, and set to * NULL. If it has not been used, free it. free(0) is safe. */ free(qinf.qname);
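Review bot: The retained comment `/* no leeway for typeNS */` no longer describes the expression in the `@@ -991,9 +1088,9 @@` hunk. For an NS rrset with `!pside`, the time handed to `rrset_cache_update()` is now `qstarttime` rather than `*env->now`. Replace the comment with something like `/* NS rrsets (not pside): no leeway, and the time base is qstarttime, when the query and its delegation lookup started */`, so the next reader sees that the time base changed as well as the leeway. The body of `dns_cache_store` continues outside the hunk.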
_service:tar_scm:unbound-1.13.2.tar.gz/services/cache/dns.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/cache/dns.h
Changed
@@ -88,11 +88,13 @@ * @param flags: flags with BIT_CD for AAAA queries in dns64 translation. * The higher 16 bits are used internally to customize the cache policy. * (See DNSCACHE_STORE_xxx flags). + * @param qstarttime: time when the query was started, and thus when the + * delegations were looked up. * @return 0 on alloc error (out of memory). */ int dns_cache_store(struct module_env* env, struct query_info* qinf, struct reply_info* rep, int is_referral, time_t leeway, int pside, - struct regional* region, uint32_t flags); + struct regional* region, uint32_t flags, time_t qstarttime); /** * Store message in the cache. Stores in message cache and rrset cache. @@ -112,11 +114,14 @@ * can be updated to full TTL even in prefetch situations. * @param qrep: message that can be altered with better rrs from cache. * @param flags: customization flags for the cache policy. + * @param qstarttime: time when the query was started, and thus when the + * delegations were looked up. * @param region: to allocate into for qmsg. */ void dns_cache_store_msg(struct module_env* env, struct query_info* qinfo, hashvalue_type hash, struct reply_info* rep, time_t leeway, int pside, - struct reply_info* qrep, uint32_t flags, struct regional* region); + struct reply_info* qrep, uint32_t flags, struct regional* region, + time_t qstarttime); /** * Find a delegation from the cache. 
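Review bot: In the `dns_cache_store_msg` comment the new `@param qstarttime` lines are inserted before `@param region`, but the prototype puts `qstarttime` after `region`. Move the two added lines below the `@param region: to allocate into for qmsg.` line so the documented order matches the signature. The `dns_cache_store` comment in the first hunk already lists the new parameter last, in signature order.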
@@ -129,11 +134,18 @@ * @param msg: if not NULL, delegation message is returned here, synthesized * from the cache. * @param timenow: the time now, for checking if TTL on cache entries is OK. + * @param noexpiredabove: if set, no expired NS rrsets above the one found + * are tolerated. It only returns delegations where the delegations above + * it are valid. + * @param expiretop: if not NULL, name where check for expiry ends for + * noexpiredabove. + * @param expiretoplen: length of expiretop dname. * @return new delegation or NULL on error or if not found in cache. */ struct delegpt* dns_cache_find_delegation(struct module_env* env, uint8_t* qname, size_t qnamelen, uint16_t qtype, uint16_t qclass, - struct regional* region, struct dns_msg** msg, time_t timenow); + struct regional* region, struct dns_msg** msg, time_t timenow, + int noexpiredabove, uint8_t* expiretop, size_t expiretoplen); /** * generate dns_msg from cached message
_service:tar_scm:unbound-1.13.2.tar.gz/services/cache/infra.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/cache/infra.c
Changed
@@ -721,13 +721,13 @@ else *rtt = USEFUL_SERVER_TOP_TIMEOUT-1000; } } + /* expired entry */ if(timenow > host->ttl) { - /* expired entry */ + /* see if this can be a re-probe of an unresponsive server */ /* minus 1000 because that is outside of the RTTBAND, so * blacklisted servers stay blacklisted if this is chosen */ - if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT || - infra->infra_keep_probing) { + if(host->rtt.rto >= USEFUL_SERVER_TOP_TIMEOUT) { lock_rw_unlock(&e->lock); *rtt = USEFUL_SERVER_TOP_TIMEOUT-1000; *lame = 0; @@ -834,14 +834,13 @@ /** find data item in array for ip addresses */ static struct lruhash_entry* infra_find_ip_ratedata(struct infra_cache* infra, - struct comm_reply* repinfo, int wr) + struct sockaddr_storage* addr, socklen_t addrlen, int wr) { struct ip_rate_key key; - hashvalue_type h = hash_addr(&(repinfo->addr), - repinfo->addrlen, 0); + hashvalue_type h = hash_addr(addr, addrlen, 0); memset(&key, 0, sizeof(key)); - key.addr = repinfo->addr; - key.addrlen = repinfo->addrlen; + key.addr = *addr; + key.addrlen = addrlen; key.entry.hash = h; return slabhash_lookup(infra->client_ip_rates, h, &key, wr); } @@ -876,10 +875,9 @@ /** create rate data item for ip address */ static void infra_ip_create_ratedata(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow) + struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow) { - hashvalue_type h = hash_addr(&(repinfo->addr), - repinfo->addrlen, 0); + hashvalue_type h = hash_addr(addr, addrlen, 0); struct ip_rate_key* k = (struct ip_rate_key*)calloc(1, sizeof(*k)); struct ip_rate_data* d = (struct ip_rate_data*)calloc(1, sizeof(*d)); if(!k || !d) { @@ -887,8 +885,8 @@ free(d); return; /* alloc failure */ } - k->addr = repinfo->addr; - k->addrlen = repinfo->addrlen; + k->addr = *addr; + k->addrlen = addrlen; lock_rw_init(&k->entry.lock); k->entry.hash = h; k->entry.key = k; 
@@ -898,8 +896,9 @@ slabhash_insert(infra->client_ip_rates, h, &k->entry, d, NULL); } -/** find the second and return its rate counter, if none, remove oldest */ -static int* infra_rate_find_second(void* data, time_t t) +/** Find the second and return its rate counter. If none and should_add, remove + * oldest to accommodate. Else return none. */ +static int* infra_rate_find_second_or_none(void* data, time_t t, int should_add) { struct rate_data* d = (struct rate_data*)data; int i, oldest; @@ -907,6 +906,7 @@ if(d->timestampi == t) return &(d->qpsi); } + if(!should_add) return NULL; /* remove oldest timestamp, and insert it at t with 0 qps */ oldest = 0; for(i=0; i<RATE_WINDOW; i++) { @@ -918,21 +918,41 @@ return &(d->qpsoldest); } -int infra_rate_max(void* data, time_t now) +/** find the second and return its rate counter, if none, remove oldest to + * accommodate */ +static int* infra_rate_give_second(void* data, time_t t) +{ + return infra_rate_find_second_or_none(data, t, 1); +} + +/** find the second and return its rate counter only if it exists. Caller + * should check for NULL return value */ +static int* infra_rate_get_second(void* data, time_t t) +{ + return infra_rate_find_second_or_none(data, t, 0); +} + +int infra_rate_max(void* data, time_t now, int backoff) { struct rate_data* d = (struct rate_data*)data; int i, max = 0; for(i=0; i<RATE_WINDOW; i++) { - if(now-d->timestampi <= RATE_WINDOW) { - if(d->qpsi > max) + if(backoff) { + if(now-d->timestampi <= RATE_WINDOW && + d->qpsi > max) { max = d->qpsi; + } + } else { + if(now == d->timestampi) { + return d->qpsi; + } } } return max; } int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow, struct query_info* qinfo, + size_t namelen, time_t timenow, int backoff, struct query_info* qinfo, struct comm_reply* replylist) { int lim, max; 
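Review bot: `infra_rate_max()` now returns two different things depending on `backoff`, and the definition has no comment saying so. Add above the loop `/* without backoff only the counter of the current second is returned; with backoff the maximum over the whole RATE_WINDOW */`. The `if(backoff)` test does not change inside the `for`, so it could be taken out of the loop, giving two short loops instead of a branch on every iteration.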
@@ -949,13 +969,13 @@ /* find or insert ratedata */ entry = infra_find_ratedata(infra, name, namelen, 1); if(entry) { - int premax = infra_rate_max(entry->data, timenow); - int* cur = infra_rate_find_second(entry->data, timenow); + int premax = infra_rate_max(entry->data, timenow, backoff); + int* cur = infra_rate_give_second(entry->data, timenow); (*cur)++; - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - if(premax < lim && max >= lim) { + if(premax <= lim && max > lim) { char buf257, qnm257, ts12, cs12, ip128; dname_str(name, buf); dname_str(qinfo->qname, qnm); @@ -963,19 +983,19 @@ sldns_wire2str_class_buf(qinfo->qclass, cs, sizeof(cs)); ip0=0; if(replylist) { - addr_to_str((struct sockaddr_storage *)&replylist->addr, - replylist->addrlen, ip, sizeof(ip)); + addr_to_str((struct sockaddr_storage *)&replylist->remote_addr, + replylist->remote_addrlen, ip, sizeof(ip)); verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s from %s", buf, lim, qnm, cs, ts, ip); } else { verbose(VERB_OPS, "ratelimit exceeded %s %d query %s %s %s", buf, lim, qnm, cs, ts); } } - return (max < lim); + return (max <= lim); } /* create */ infra_create_ratedata(infra, name, namelen, timenow); - return (1 < lim); + return (1 <= lim); } void infra_ratelimit_dec(struct infra_cache* infra, uint8_t* name, 
@@ -987,14 +1007,19 @@ return; /* not enabled */ entry = infra_find_ratedata(infra, name, namelen, 1); if(!entry) return; /* not cached */ - cur = infra_rate_find_second(entry->data, timenow); + cur = infra_rate_get_second(entry->data, timenow); + if(cur == NULL) { + /* our timenow is not available anymore; nothing to decrease */ + lock_rw_unlock(&entry->lock); + return; + } if((*cur) > 0) (*cur)--; lock_rw_unlock(&entry->lock); } int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow) + size_t namelen, time_t timenow, int backoff) { struct lruhash_entry* entry; int lim, max; @@ -1010,10 +1035,10 @@ entry = infra_find_ratedata(infra, name, namelen, 0); if(!entry) return 0; /* not cached */ - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - return (max >= lim); + return (max > lim); } size_t @@ -1027,7 +1052,8 @@ } int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, struct sldns_buffer* buffer) + struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow, + int backoff, struct sldns_buffer* buffer) { int max; struct lruhash_entry* entry; 
@@ -1037,18 +1063,17 @@ return 1; } /* find or insert ratedata */ - entry = infra_find_ip_ratedata(infra, repinfo, 1); + entry = infra_find_ip_ratedata(infra, addr, addrlen, 1); if(entry) { - int premax = infra_rate_max(entry->data, timenow); - int* cur = infra_rate_find_second(entry->data, timenow); + int premax = infra_rate_max(entry->data, timenow, backoff); + int* cur = infra_rate_give_second(entry->data, timenow); (*cur)++; - max = infra_rate_max(entry->data, timenow); + max = infra_rate_max(entry->data, timenow, backoff); lock_rw_unlock(&entry->lock); - if(premax < infra_ip_ratelimit && max >= infra_ip_ratelimit) { + if(premax <= infra_ip_ratelimit && max > infra_ip_ratelimit) { char client_ip128, qnmLDNS_MAX_DOMAINLEN+1+12+12; - addr_to_str((struct sockaddr_storage *)&repinfo->addr, - repinfo->addrlen, client_ip, sizeof(client_ip)); + addr_to_str(addr, addrlen, client_ip, sizeof(client_ip)); qnm0=0; if(sldns_buffer_limit(buffer)>LDNS_HEADER_SIZE && LDNS_QDCOUNT(sldns_buffer_begin(buffer))!=0) { @@ -1073,6 +1098,6 @@ } /* create */ - infra_ip_create_ratedata(infra, repinfo, timenow); + infra_ip_create_ratedata(infra, addr, addrlen, timenow); return 1; }
_service:tar_scm:unbound-1.13.2.tar.gz/services/cache/infra.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/cache/infra.h
Changed
@@ -368,6 +368,7 @@ * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @param qinfo: for logging, query name. * @param replylist: for logging, querier's address (if any). * @return 1 if it could be incremented. 0 if the increment overshot the @@ -375,7 +376,7 @@ * Failures like alloc failures are not returned (probably as 1). */ int infra_ratelimit_inc(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow, struct query_info* qinfo, + size_t namelen, time_t timenow, int backoff, struct query_info* qinfo, struct comm_reply* replylist); /** @@ -398,13 +399,15 @@ * @param name: zone name * @param namelen: zone name length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @return true if exceeded. */ int infra_ratelimit_exceeded(struct infra_cache* infra, uint8_t* name, - size_t namelen, time_t timenow); + size_t namelen, time_t timenow, int backoff); -/** find the maximum rate stored, not too old. 0 if no information. */ -int infra_rate_max(void* data, time_t now); +/** find the maximum rate stored. 0 if no information. + * When backoff is enabled look for the maximum in the whole RATE_WINDOW. */ +int infra_rate_max(void* data, time_t now, int backoff); /** find the ratelimit in qps for a domain. 0 if no limit for domain. */ int infra_find_ratelimit(struct infra_cache* infra, uint8_t* name, 
@@ -413,14 +416,16 @@ /** Update query ratelimit hash and decide * whether or not a query should be dropped. * @param infra: infra cache - * @param repinfo: information about client + * @param addr: client address + * @param addrlen: client address length * @param timenow: what time it is now. + * @param backoff: if backoff is enabled. * @param buffer: with query for logging. * @return 1 if it could be incremented. 0 if the increment overshot the * ratelimit and the query should be dropped. */ int infra_ip_ratelimit_inc(struct infra_cache* infra, - struct comm_reply* repinfo, time_t timenow, - struct sldns_buffer* buffer); + struct sockaddr_storage* addr, socklen_t addrlen, time_t timenow, + int backoff, struct sldns_buffer* buffer); /** * Get memory used by the infra cache.
_service:tar_scm:unbound-1.13.2.tar.gz/services/cache/rrset.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/cache/rrset.h
Changed
@@ -120,7 +120,7 @@ * the new rrset. The reference may be changed if the cached rrset is * superior. * Before calling the rrset is presumed newly allocated and changeable. - * Afer calling you do not hold a lock, and the rrset is inserted in + * After calling you do not hold a lock, and the rrset is inserted in * the hashtable so you need a lock to change it. * @param alloc: how to allocate (and deallocate) the special rrset key. * @param timenow: current time (to see if ttl in cache is expired). @@ -143,7 +143,7 @@ * @param rrset: which rrset to cache as wildcard. This rrset is left * untouched. * @param ce: the closest encloser, will be uses to generate the wildcard dname. - * @param ce_len: the closest encloser lenght. + * @param ce_len: the closest encloser length. * @param alloc: how to allocate (and deallocate) the special rrset key. * @param timenow: current time (to see if ttl in cache is expired). */
_service:tar_scm:unbound-1.13.2.tar.gz/services/listen_dnsport.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/listen_dnsport.c
Changed
@@ -47,6 +47,7 @@ #ifdef USE_TCP_FASTOPEN #include <netinet/tcp.h> #endif +#include <ctype.h> #include "services/listen_dnsport.h" #include "services/outside_network.h" #include "util/netevent.h" @@ -123,12 +124,12 @@ (void)strlcpy(buf, "(null)", sizeof(buf)); } bufsizeof(buf)-1 = 0; - verbose(VERB_ALGO, "creating %s%s socket %s %d", + verbose(VERB_ALGO, "creating %s%s socket %s %d", addr->ai_socktype==SOCK_DGRAM?"udp": addr->ai_socktype==SOCK_STREAM?"tcp":"otherproto", addr->ai_family==AF_INET?"4": addr->ai_family==AF_INET6?"6": - "_otherfam", buf, + "_otherfam", buf, ntohs(((struct sockaddr_in*)addr->ai_addr)->sin_port)); } } @@ -139,7 +140,9 @@ if(verbosity >= VERB_ALGO) { log_info("listing of unbound_socket structure:"); verbose_print_addr(ub_sock->addr); - log_info("s is: %d, fam is: %s", ub_sock->s, ub_sock->fam == AF_INET?"AF_INET":"AF_INET6"); + log_info("s is: %d, fam is: %s, acl: %s", ub_sock->s, + ub_sock->fam == AF_INET?"AF_INET":"AF_INET6", + ub_sock->acl?"yes":"no"); } } @@ -457,7 +460,14 @@ int action; # endif # if defined(IPV6_V6ONLY) - if(v6only) { + if(v6only +# ifdef HAVE_SYSTEMD + /* Systemd wants to control if the socket is v6 only + * or both, with BindIPv6Only=default, ipv6-only or + * both in systemd.socket, so it is not set here. */ + && !got_fd_from_systemd +# endif + ) { int val=(v6only==2)?0:1; if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&val, (socklen_t)sizeof(val)) < 0) { @@ -489,6 +499,7 @@ return -1; } # elif defined(IPV6_MTU) +# ifndef USE_WINSOCK /* * On Linux, to send no larger than 1280, the PMTUD is * disabled by default for datagrams anyway, so we set 
@@ -496,13 +507,29 @@ */ if (setsockopt(s, IPPROTO_IPV6, IPV6_MTU, (void*)&mtu, (socklen_t)sizeof(mtu)) < 0) { - log_err("setsockopt(..., IPV6_MTU, ...) failed: %s", + log_err("setsockopt(..., IPV6_MTU, ...) failed: %s", sock_strerror(errno)); sock_close(s); *noproto = 0; *inuse = 0; return -1; } +# elif defined(IPV6_USER_MTU) + /* As later versions of the mingw crosscompiler define + * IPV6_MTU, do the same for windows but use IPV6_USER_MTU + * instead which is writable; IPV6_MTU is readonly there. */ + if (setsockopt(s, IPPROTO_IPV6, IPV6_USER_MTU, + (void*)&mtu, (socklen_t)sizeof(mtu)) < 0) { + if (WSAGetLastError() != WSAENOPROTOOPT) { + log_err("setsockopt(..., IPV6_USER_MTU, ...) failed: %s", + wsa_strerror(WSAGetLastError())); + sock_close(s); + *noproto = 0; + *inuse = 0; + return -1; + } + } +# endif /* USE_WINSOCK */ # endif /* IPv6 MTU */ # if defined(IPV6_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT) # if defined(IP_PMTUDISC_OMIT) @@ -758,7 +785,14 @@ (void)reuseport; #endif /* defined(SO_REUSEPORT) */ #if defined(IPV6_V6ONLY) - if(addr->ai_family == AF_INET6 && v6only) { + if(addr->ai_family == AF_INET6 && v6only +# ifdef HAVE_SYSTEMD + /* Systemd wants to control if the socket is v6 only + * or both, with BindIPv6Only=default, ipv6-only or + * both in systemd.socket, so it is not set here. */ + && !got_fd_from_systemd +# endif + ) { if(setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (void*)&on, (socklen_t)sizeof(on)) < 0) { log_err("setsockopt(..., IPV6_V6ONLY, ...) failed: %s", @@ -869,9 +903,14 @@ ds = dscp << 2; switch(addrfamily) { case AF_INET6: - if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, sizeof(ds)) < 0) + #ifdef IPV6_TCLASS + if(setsockopt(socket, IPPROTO_IPV6, IPV6_TCLASS, (void*)&ds, + sizeof(ds)) < 0) return sock_strerror(errno); break; + #else + return "IPV6_TCLASS not defined on this system"; + #endif default: if(setsockopt(socket, IPPROTO_IP, IP_TOS, (void*)&ds, sizeof(ds)) < 0) return sock_strerror(errno); 
@@ -1009,6 +1048,7 @@ ub_sock->addr = res; ub_sock->s = s; ub_sock->fam = hints->ai_family; + ub_sock->acl = NULL; return s; } @@ -1053,11 +1093,13 @@ * @param list: list head. changed. * @param s: fd. * @param ftype: if fd is UDP. + * @param pp2_enabled: if PROXYv2 is enabled for this port. * @param ub_sock: socket with address. * @return false on failure. list in unchanged then. */ static int -port_insert(struct listen_port** list, int s, enum listen_type ftype, struct unbound_socket* ub_sock) +port_insert(struct listen_port** list, int s, enum listen_type ftype, + int pp2_enabled, struct unbound_socket* ub_sock) { struct listen_port* item = (struct listen_port*)malloc( sizeof(struct listen_port)); @@ -1066,6 +1108,7 @@ item->next = *list; item->fd = s; item->ftype = ftype; + item->pp2_enabled = pp2_enabled; item->socket = ub_sock; *list = item; return 1; @@ -1152,7 +1195,7 @@ * @param do_auto: use automatic interface detection. * If enabled, then ifname must be the wildcard name. * @param do_udp: if udp should be used. - * @param do_tcp: if udp should be used. + * @param do_tcp: if tcp should be used. * @param hints: for getaddrinfo. family and flags have to be set by caller. * @param port: Port number to use (as string). * @param list: list of open ports, appended to, changed to point to list head. @@ -1161,6 +1204,7 @@ * @param ssl_port: ssl service port number * @param tls_additional_port: list of additional ssl service port numbers. * @param https_port: DoH service port number + * @param proxy_protocol_port: list of PROXYv2 port numbers. * @param reuseport: try to set SO_REUSEPORT if nonNULL and true. * set to false on exit if reuseport failed due to no kernel support. * @param transparent: set IP_TRANSPARENT socket option. 
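Review bot: The added `@param proxy_protocol_port: list of PROXYv2 port numbers.` does not say what listing a port does. From the following hunks, a match makes `ports_create_if()` pass `is_pp2` to `port_insert()`, which stores it as `pp2_enabled`. The comment could read `@param proxy_protocol_port: list of ports on which PROXYv2 is expected; matching ports are inserted with pp2_enabled set.` If the address carried in the PROXYv2 header is what access control and rate limiting later act on (not visible here), the comment should also state that these ports are meant to be reachable only by the trusted proxy.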
@@ -1173,34 +1217,39 @@ * @return: returns false on error. */ static int -ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, +ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, struct addrinfo *hints, const char* port, struct listen_port** list, size_t rcv, size_t snd, int ssl_port, struct config_strlist* tls_additional_port, int https_port, + struct config_strlist* proxy_protocol_port, int* reuseport, int transparent, int tcp_mss, int freebind, int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp) { int s, noip6=0; int is_https = if_is_https(ifname, port, https_port); + int is_dnscrypt = if_is_dnscrypt(ifname, port, dnscrypt_port); + int is_pp2 = if_is_pp2(ifname, port, proxy_protocol_port); int nodelay = is_https && http2_nodelay; struct unbound_socket* ub_sock; -#ifdef USE_DNSCRYPT - int is_dnscrypt = ((strchr(ifname, '@') && - atoi(strchr(ifname, '@')+1) == dnscrypt_port) || - (!strchr(ifname, '@') && atoi(port) == dnscrypt_port)); -#else - int is_dnscrypt = 0; - (void)dnscrypt_port; -#endif if(!do_udp && !do_tcp) return 0; + if(is_pp2) { + if(is_dnscrypt) { + fatal_exit("PROXYv2 and DNSCrypt combination not " + "supported!"); + } else if(is_https) { + fatal_exit("PROXYv2 and DoH combination not " + "supported!"); + } + } + if(do_auto) { ub_sock = calloc(1, sizeof(struct unbound_socket)); if(!ub_sock) return 0; - if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1218,8 +1267,9 @@ free(ub_sock); return 0; } - if(!port_insert(list, s, - is_dnscrypt?listen_type_udpancil_dnscrypt:listen_type_udpancil, ub_sock)) { + if(!port_insert(list, s, is_dnscrypt + ?listen_type_udpancil_dnscrypt:listen_type_udpancil, + is_pp2, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); 
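Review bot: The PROXYv2 combination checks call `fatal_exit()` inside `ports_create_if()`, whose comment promises `returns false on error` and whose other failure paths `return 0`. Reporting with `log_err("PROXYv2 and DNSCrypt combination not supported!"); return 0;`, and the same for the DoH case, would let the caller run `listening_ports_free(list)` as it does for every other failure. If terminating the process at this point is deliberate, say so in the function comment.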
@@ -1230,7 +1280,7 @@ if(!ub_sock) return 0; /* regular udp socket */ - if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_DGRAM, ifname, port, hints, 1, &noip6, rcv, snd, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1241,8 +1291,9 @@ } return 0; } - if(!port_insert(list, s, - is_dnscrypt?listen_type_udp_dnscrypt:listen_type_udp, ub_sock)) { + if(!port_insert(list, s, is_dnscrypt + ?listen_type_udp_dnscrypt:listen_type_udp, + is_pp2, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); @@ -1264,7 +1315,7 @@ port_type = listen_type_tcp_dnscrypt; else port_type = listen_type_tcp; - if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, + if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1, &noip6, 0, 0, reuseport, transparent, tcp_mss, nodelay, freebind, use_systemd, dscp, ub_sock)) == -1) { freeaddrinfo(ub_sock->addr); @@ -1277,7 +1328,7 @@ } if(is_ssl) verbose(VERB_ALGO, "setup TCP for SSL service"); - if(!port_insert(list, s, port_type, ub_sock)) { + if(!port_insert(list, s, port_type, is_pp2, ub_sock)) { sock_close(s); freeaddrinfo(ub_sock->addr); free(ub_sock); 
@@ -1306,6 +1357,38 @@ return 1; } +void listen_setup_locks(void) +{ + if(!stream_wait_lock_inited) { + lock_basic_init(&stream_wait_count_lock); + stream_wait_lock_inited = 1; + } + if(!http2_query_buffer_lock_inited) { + lock_basic_init(&http2_query_buffer_count_lock); + http2_query_buffer_lock_inited = 1; + } + if(!http2_response_buffer_lock_inited) { + lock_basic_init(&http2_response_buffer_count_lock); + http2_response_buffer_lock_inited = 1; + } +} + +void listen_desetup_locks(void) +{ + if(stream_wait_lock_inited) { + stream_wait_lock_inited = 0; + lock_basic_destroy(&stream_wait_count_lock); + } + if(http2_query_buffer_lock_inited) { + http2_query_buffer_lock_inited = 0; + lock_basic_destroy(&http2_query_buffer_count_lock); + } + if(http2_response_buffer_lock_inited) { + http2_response_buffer_lock_inited = 0; + lock_basic_destroy(&http2_response_buffer_count_lock); + } +} + struct listen_dnsport* listen_create(struct comm_base* base, struct listen_port* ports, size_t bufsize, int tcp_accept_count, int tcp_idle_timeout, 
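Review bot: `listen_setup_locks()` and `listen_desetup_locks()` test and set the `*_lock_inited` flags with no synchronisation visible in the hunk, so they appear safe only when called from a single thread. Now that the calls no longer happen inside `listen_create()` and `listen_delete()`, each definition should state that requirement, for example `/* call once before any listen_create(); not thread safe */` and `/* call after all listeners are deleted; not thread safe */`. The flag declarations and the new call sites are outside this section.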
@@ -1327,57 +1410,47 @@ free(front); return NULL; } - if(!stream_wait_lock_inited) { - lock_basic_init(&stream_wait_count_lock); - stream_wait_lock_inited = 1; - } - if(!http2_query_buffer_lock_inited) { - lock_basic_init(&http2_query_buffer_count_lock); - http2_query_buffer_lock_inited = 1; - } - if(!http2_response_buffer_lock_inited) { - lock_basic_init(&http2_response_buffer_count_lock); - http2_response_buffer_lock_inited = 1; - } /* create comm points as needed */ while(ports) { struct comm_point* cp = NULL; if(ports->ftype == listen_type_udp || - ports->ftype == listen_type_udp_dnscrypt) - cp = comm_point_create_udp(base, ports->fd, - front->udp_buff, cb, cb_arg, ports->socket); - else if(ports->ftype == listen_type_tcp || - ports->ftype == listen_type_tcp_dnscrypt) - cp = comm_point_create_tcp(base, ports->fd, + ports->ftype == listen_type_udp_dnscrypt) { + cp = comm_point_create_udp(base, ports->fd, + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); + } else if(ports->ftype == listen_type_tcp || + ports->ftype == listen_type_tcp_dnscrypt) { + cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, 0, NULL, tcp_conn_limit, bufsize, front->udp_buff, - ports->ftype, cb, cb_arg, ports->socket); - else if(ports->ftype == listen_type_ssl || + ports->ftype, ports->pp2_enabled, cb, cb_arg, + ports->socket); + } else if(ports->ftype == listen_type_ssl || ports->ftype == listen_type_http) { - cp = comm_point_create_tcp(base, ports->fd, + cp = comm_point_create_tcp(base, ports->fd, tcp_accept_count, tcp_idle_timeout, harden_large_queries, http_max_streams, http_endpoint, tcp_conn_limit, bufsize, front->udp_buff, - ports->ftype, cb, cb_arg, ports->socket); - if(http_notls && ports->ftype == listen_type_http) - cp->ssl = NULL; - else - cp->ssl = sslctx; + ports->ftype, ports->pp2_enabled, cb, cb_arg, + ports->socket); if(ports->ftype == listen_type_http) { if(!sslctx && !http_notls) { - log_warn("HTTPS port 
configured, but no TLS " - "tls-service-key or tls-service-pem " - "set"); + log_warn("HTTPS port configured, but " + "no TLS tls-service-key or " + "tls-service-pem set"); } #ifndef HAVE_SSL_CTX_SET_ALPN_SELECT_CB - if(!http_notls) - log_warn("Unbound is not compiled with an " - "OpenSSL version supporting ALPN " - " (OpenSSL >= 1.0.2). This is required " - "to use DNS-over-HTTPS"); + if(!http_notls) { + log_warn("Unbound is not compiled " + "with an OpenSSL version " + "supporting ALPN " + "(OpenSSL >= 1.0.2). This " + "is required to use " + "DNS-over-HTTPS"); + } #endif #ifndef HAVE_NGHTTP2_NGHTTP2_H log_warn("Unbound is not compiled with " @@ -1386,14 +1459,26 @@ #endif } } else if(ports->ftype == listen_type_udpancil || - ports->ftype == listen_type_udpancil_dnscrypt) - cp = comm_point_create_udp_ancil(base, ports->fd, - front->udp_buff, cb, cb_arg, ports->socket); + ports->ftype == listen_type_udpancil_dnscrypt) { + cp = comm_point_create_udp_ancil(base, ports->fd, + front->udp_buff, ports->pp2_enabled, cb, + cb_arg, ports->socket); + } if(!cp) { - log_err("can't create commpoint"); + log_err("can't create commpoint"); listen_delete(front); return NULL; } + if((http_notls && ports->ftype == listen_type_http) || + (ports->ftype == listen_type_tcp) || + (ports->ftype == listen_type_udp) || + (ports->ftype == listen_type_udpancil) || + (ports->ftype == listen_type_tcp_dnscrypt) || + (ports->ftype == listen_type_udp_dnscrypt) || + (ports->ftype == listen_type_udpancil_dnscrypt)) + cp->ssl = NULL; + else + cp->ssl = sslctx; cp->dtenv = dtenv; cp->do_not_close = 1; #ifdef USE_DNSCRYPT 
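Review bot: The new `cp->ssl` selection after the `if(!cp)` check is a seven-term condition naming every non-TLS listen type, and it carries no comment. A line such as `/* only listen_type_ssl, and listen_type_http unless http_notls, get the TLS context; all other types are plain */` would make the intent readable at a glance. It would also remind whoever adds a listen type that an unlisted type falls into the `else` and receives `sslctx`. The enum is declared outside the hunk, so that summary assumes the types named in this function are all of them.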
@@ -1454,18 +1539,6 @@ #endif sldns_buffer_free(front->udp_buff); free(front); - if(stream_wait_lock_inited) { - stream_wait_lock_inited = 0; - lock_basic_destroy(&stream_wait_count_lock); - } - if(http2_query_buffer_lock_inited) { - http2_query_buffer_lock_inited = 0; - lock_basic_destroy(&http2_query_buffer_count_lock); - } - if(http2_response_buffer_lock_inited) { - http2_response_buffer_lock_inited = 0; - lock_basic_destroy(&http2_response_buffer_count_lock); - } } #ifdef HAVE_GETIFADDRS @@ -1661,7 +1734,7 @@ #endif /* HAVE_GETIFADDRS */ } -struct listen_port* +struct listen_port* listening_ports_open(struct config_file* cfg, char** ifs, int num_ifs, int* reuseport) { 
@@ -1693,14 +1766,76 @@ } /* create ip4 and ip6 ports so that return addresses are nice. */ if(do_auto || num_ifs == 0) { + if(do_auto && cfg->if_automatic_ports && + cfg->if_automatic_ports0!=0) { + char* now = cfg->if_automatic_ports; + while(now && *now) { + char* after; + int extraport; + while(isspace((unsigned char)*now)) + now++; + if(!*now) + break; + after = now; + extraport = (int)strtol(now, &after, 10); + if(extraport < 0 || extraport > 65535) { + log_err("interface-automatic-ports port number out of range, at position %d of '%s'", (int)(now-cfg->if_automatic_ports)+1, cfg->if_automatic_ports); + listening_ports_free(list); + return NULL; + } + if(extraport == 0 && now == after) { + log_err("interface-automatic-ports could not be parsed, at position %d of '%s'", (int)(now-cfg->if_automatic_ports)+1, cfg->if_automatic_ports); + listening_ports_free(list); + return NULL; + } + now = after; + snprintf(portbuf, sizeof(portbuf), "%d", extraport); + if(do_ip6) { + hints.ai_family = AF_INET6; + if(!ports_create_if("::0", + do_auto, cfg->do_udp, do_tcp, + &hints, portbuf, &list, + cfg->so_rcvbuf, cfg->so_sndbuf, + cfg->ssl_port, cfg->tls_additional_port, + cfg->https_port, + cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, + cfg->tcp_mss, cfg->ip_freebind, + cfg->http_nodelay, cfg->use_systemd, + cfg->dnscrypt_port, cfg->ip_dscp)) { + listening_ports_free(list); + return NULL; + } + } + if(do_ip4) { + hints.ai_family = AF_INET; + if(!ports_create_if("0.0.0.0", + do_auto, cfg->do_udp, do_tcp, + &hints, portbuf, &list, + cfg->so_rcvbuf, cfg->so_sndbuf, + cfg->ssl_port, cfg->tls_additional_port, + cfg->https_port, + cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, + cfg->tcp_mss, cfg->ip_freebind, + cfg->http_nodelay, cfg->use_systemd, + cfg->dnscrypt_port, cfg->ip_dscp)) { + listening_ports_free(list); + return NULL; + } + } + } + return list; + } if(do_ip6) { hints.ai_family = AF_INET6; - if(!ports_create_if(do_auto?"::0":"::1", - do_auto, 
cfg->do_udp, do_tcp, + if(!ports_create_if(do_auto?"::0":"::1", + do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1710,12 +1845,13 @@ } if(do_ip4) { hints.ai_family = AF_INET; - if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", - do_auto, cfg->do_udp, do_tcp, + if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1", + do_auto, cfg->do_udp, do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1729,10 +1865,11 @@ continue; hints.ai_family = AF_INET6; if(!ports_create_if(ifsi, 0, cfg->do_udp, - do_tcp, &hints, portbuf, &list, + do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { @@ -1744,10 +1881,11 @@ continue; hints.ai_family = AF_INET; if(!ports_create_if(ifsi, 0, cfg->do_udp, - do_tcp, &hints, portbuf, &list, + do_tcp, &hints, portbuf, &list, cfg->so_rcvbuf, cfg->so_sndbuf, cfg->ssl_port, cfg->tls_additional_port, - cfg->https_port, reuseport, cfg->ip_transparent, + cfg->https_port, cfg->proxy_protocol_port, + reuseport, cfg->ip_transparent, cfg->tcp_mss, cfg->ip_freebind, cfg->http_nodelay, cfg->use_systemd, cfg->dnscrypt_port, cfg->ip_dscp)) { 
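Review bot: `extraport = (int)strtol(now, &after, 10);` narrows the `long` to `int` before the range test. Where `long` is wider than `int`, a value such as 4294967349 (constructed example) can wrap to a small number and pass `extraport < 0 || extraport > 65535`. Keep the result in a `long` for the check and convert afterwards: `long v = strtol(now, &after, 10);`, `if(v < 0 || v > 65535) { ... }`, `extraport = (int)v;`. A literal `0` is also accepted, because only `extraport == 0 && now == after` is rejected; if port 0 is not meant to be configurable here, the lower bound should be 1. The enclosing function starts before the hunk.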
@@ -2610,7 +2748,7 @@ int ret; if(frame->hd.type != NGHTTP2_HEADERS || frame->headers.cat != NGHTTP2_HCAT_REQUEST) { - /* only interrested in request headers */ + /* only interested in request headers */ return 0; } if(!(h2_stream = http2_stream_create(frame->hd.stream_id))) { @@ -2738,7 +2876,7 @@ * the HEADER */ if(frame->hd.type != NGHTTP2_HEADERS || frame->headers.cat != NGHTTP2_HCAT_REQUEST) { - /* only interrested in request headers */ + /* only interested in request headers */ return 0; } if(!(h2_stream = nghttp2_session_get_stream_user_data(session, @@ -2834,7 +2972,7 @@ h2_stream->query_too_large = 1; return 0; } - /* guaranteed to only contian digits and be null terminated */ + /* guaranteed to only contain digits and be null terminated */ h2_stream->content_length = atoi((const char*)value); if(h2_stream->content_length > h2_session->c->http2_stream_max_qbuffer_size) { @@ -2874,7 +3012,7 @@ /* setting this to msg-buffer-size can result in a lot * of memory consuption. Most queries should fit in a * single DATA frame, and most POST queries will - * containt content-length which does not impose this + * contain content-length which does not impose this * limit. */ qlen = len; }
_service:tar_scm:unbound-1.13.2.tar.gz/services/listen_dnsport.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/listen_dnsport.h
@@ -43,6 +43,7 @@ #define LISTEN_DNSPORT_H #include "util/netevent.h" +#include "daemon/acl_list.h" #ifdef HAVE_NGHTTP2_NGHTTP2_H #include <nghttp2/nghttp2.h> #endif @@ -107,11 +108,13 @@ */ struct unbound_socket { /** socket-address structure */ - struct addrinfo * addr; + struct addrinfo* addr; /** socket descriptor returned by socket() syscall */ - int s; + int s; /** address family (AF_INET/IF_INET6) */ - int fam; + int fam; + /** ACL on the socket (listening interface) */ + struct acl_addr* acl; }; /** @@ -125,7 +128,10 @@ int fd; /** type of file descriptor, udp or tcp */ enum listen_type ftype; - /** fill in unbpound_socket structure for every opened socket at Unbound startup */ + /** if the port should support PROXYv2 */ + int pp2_enabled; + /** fill in unbound_socket structure for every opened socket at + * Unbound startup */ struct unbound_socket* socket; }; @@ -199,6 +205,11 @@ */ void listen_delete(struct listen_dnsport* listen); +/** setup the locks for the listen ports */ +void listen_setup_locks(void); +/** desetup the locks for the listen ports */ +void listen_desetup_locks(void); + /** * delete listen_list of commpoints. Calls commpointdelete() on items. * This may close the fds or not depending on flags.
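Review bot: `struct unbound_socket` only stores a pointer to `struct acl_addr`, so the new `#include "daemon/acl_list.h"` pulls a daemon header into every user of this services header where a forward declaration would do: `struct acl_addr;`. This assumes nothing else in the header needs the full definition, which the visible hunks do not show. The field comment could also say who owns the ACL entry and whether it may be NULL, for example `/** ACL on the socket (listening interface); not owned by the socket, may be NULL */` if that matches the implementation.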
_service:tar_scm:unbound-1.13.2.tar.gz/services/localzone.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/localzone.c
@@ -56,6 +56,44 @@ * with 16 bytes for an A record, a 64K packet has about 4000 max */ #define LOCALZONE_RRSET_COUNT_MAX 4096 +/** print all RRsets in local zone */ +static void +local_zone_out(struct local_zone* z) +{ + struct local_data* d; + struct local_rrset* p; + RBTREE_FOR(d, struct local_data*, &z->data) { + for(p = d->rrsets; p; p = p->next) { + log_nametypeclass(NO_VERBOSE, "rrset", d->name, + ntohs(p->rrset->rk.type), + ntohs(p->rrset->rk.rrset_class)); + } + } +} + +static void +local_zone_print(struct local_zone* z) +{ + char buf64; + lock_rw_rdlock(&z->lock); + snprintf(buf, sizeof(buf), "%s zone", + local_zone_type2str(z->type)); + log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass); + local_zone_out(z); + lock_rw_unlock(&z->lock); +} + +void local_zones_print(struct local_zones* zones) +{ + struct local_zone* z; + lock_rw_rdlock(&zones->lock); + log_info("number of auth zones %u", (unsigned)zones->ztree.count); + RBTREE_FOR(z, struct local_zone*, &zones->ztree) { + local_zone_print(z); + } + lock_rw_unlock(&zones->lock); +} + struct local_zones* local_zones_create(void) { @@ -465,7 +503,7 @@ /* Mark the SOA record for the zone. This only marks the SOA rrset; the data * for the RR is entered later on local_zone_enter_rr() as with the other - * records. An artifical soa_negative record with a modified TTL (minimum of + * records. An artificial soa_negative record with a modified TTL (minimum of * the TTL and the SOA.MINIMUM) is also created and marked for usage with * negative answers and to avoid allocations during those answers. */ static int @@ -898,6 +936,11 @@ } lock_rw_unlock(&z->lock); } + /* home.arpa. zone (RFC 8375) */ + if(!add_empty_default(zones, cfg, "home.arpa.")) { + log_err("out of memory adding default zone"); + return 0; + } /* onion. zone (RFC 7686) */ if(!add_empty_default(zones, cfg, "onion.")) { log_err("out of memory adding default zone"); 
@@ -1005,6 +1048,38 @@ lock_rw_rdlock(&zones->lock); if(!local_zones_lookup(zones, rr_name, len, labs, rr_class, rr_type)) { + /* Check if there is a zone that this could go + * under but for different class; created zones are + * always for LDNS_RR_CLASS_IN. Create the zone with + * a different class but the same configured + * local_zone_type. */ + struct local_zone* z = local_zones_lookup(zones, + rr_name, len, labs, LDNS_RR_CLASS_IN, rr_type); + if(z) { + uint8_t* name = memdup(z->name, z->namelen); + size_t znamelen = z->namelen; + int znamelabs = z->namelabs; + enum localzone_type ztype = z->type; + lock_rw_unlock(&zones->lock); + if(!name) { + log_err("out of memory"); + free(rr_name); + return 0; + } + if(!( +#ifndef THREADS_DISABLED + z = +#endif + lz_enter_zone_dname(zones, name, + znamelen, znamelabs, + ztype, rr_class))) { + free(rr_name); + return 0; + } + lock_rw_unlock(&z->lock); + free(rr_name); + continue; + } if(!have_name) { dclass = rr_class; nm = rr_name; 
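Review bot: Ownership of `name` on the failure path is not stated: when lz_enter_zone_dname() returns NULL the branch frees `rr_name` but not the `memdup`ed `name`, which is leak-free only if the callee takes ownership even on failure (not visible in this hunk). A comment at the call would settle it, e.g. `/* lz_enter_zone_dname takes ownership of name, also on failure */`. The `#ifndef THREADS_DISABLED` wrapped around `z =` deserves a one-line reason as well; presumably z is only needed for the unlock that follows. The enclosing function starts and ends outside the hunk.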
@@ -1215,38 +1290,6 @@ return (struct local_zone*)node; } -/** print all RRsets in local zone */ -static void -local_zone_out(struct local_zone* z) -{ - struct local_data* d; - struct local_rrset* p; - RBTREE_FOR(d, struct local_data*, &z->data) { - for(p = d->rrsets; p; p = p->next) { - log_nametypeclass(NO_VERBOSE, "rrset", d->name, - ntohs(p->rrset->rk.type), - ntohs(p->rrset->rk.rrset_class)); - } - } -} - -void local_zones_print(struct local_zones* zones) -{ - struct local_zone* z; - lock_rw_rdlock(&zones->lock); - log_info("number of auth zones %u", (unsigned)zones->ztree.count); - RBTREE_FOR(z, struct local_zone*, &zones->ztree) { - char buf64; - lock_rw_rdlock(&z->lock); - snprintf(buf, sizeof(buf), "%s zone", - local_zone_type2str(z->type)); - log_nametypeclass(NO_VERBOSE, buf, z->name, 0, z->dclass); - local_zone_out(z); - lock_rw_unlock(&z->lock); - } - lock_rw_unlock(&zones->lock); -} - /** encode answer consisting of 1 rrset */ static int local_encode(struct query_info* qinfo, struct module_env* env, @@ -1285,7 +1328,8 @@ static void local_error_encode(struct query_info* qinfo, struct module_env* env, struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, - struct regional* temp, int rcode, int r) + struct regional* temp, int rcode, int r, int ede_code, + const char* ede_txt) { edns->edns_version = EDNS_ADVERTISED_VERSION; edns->udp_size = EDNS_ADVERTISED_SIZE; @@ -1294,7 +1338,13 @@ if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL, rcode, edns, repinfo, temp, env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; + + if(ede_code != LDNS_EDE_NONE && env->cfg->ede) { + edns_opt_list_append_ede(&edns->opt_list_out, temp, + ede_code, ede_txt); + } + error_encode(buf, r, qinfo, *(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2), edns); } 
@@ -1492,7 +1542,9 @@ qinfo->local_alias = NULL; local_error_encode(qinfo, env, edns, repinfo, buf, temp, LDNS_RCODE_YXDOMAIN, - (LDNS_RCODE_YXDOMAIN|BIT_AA)); + (LDNS_RCODE_YXDOMAIN|BIT_AA), + LDNS_EDE_OTHER, + "DNAME expansion became too large"); return 1; } memset(&qinfo->local_alias->rrset->entry, 0, @@ -1521,7 +1573,7 @@ /* write qname */ memmove(d->rr_data0 + sizeof(uint16_t), qinfo->qname, qinfo->qname_len - 1); - /* write cname target wilcard wildcard label */ + /* write cname target wildcard label */ memmove(d->rr_data0 + sizeof(uint16_t) + qinfo->qname_len - 1, ctarget + 2, ctargetlen - 2); @@ -1570,6 +1622,15 @@ return (lr == NULL); } +static inline int +local_zone_is_udp_query(struct comm_reply* repinfo) { + return repinfo != NULL + ? (repinfo->c != NULL + ? repinfo->c->type == comm_udp + : 0) + : 0; +} + int local_zones_zone_answer(struct local_zone* z, struct module_env* env, struct query_info* qinfo, struct edns_data* edns, @@ -1586,13 +1647,16 @@ } else if(lz_type == local_zone_refuse || lz_type == local_zone_always_refuse) { local_error_encode(qinfo, env, edns, repinfo, buf, temp, - LDNS_RCODE_REFUSED, (LDNS_RCODE_REFUSED|BIT_AA)); + LDNS_RCODE_REFUSED, (LDNS_RCODE_REFUSED|BIT_AA), + LDNS_EDE_NONE, NULL); return 1; } else if(lz_type == local_zone_static || lz_type == local_zone_redirect || lz_type == local_zone_inform_redirect || lz_type == local_zone_always_nxdomain || - lz_type == local_zone_always_nodata) { + lz_type == local_zone_always_nodata || + (lz_type == local_zone_truncate + && local_zone_is_udp_query(repinfo))) { /* for static, reply nodata or nxdomain * for redirect, reply nodata */ /* no additional section processing, 
@@ -1602,13 +1666,15 @@ */ int rcode = (ld || lz_type == local_zone_redirect || lz_type == local_zone_inform_redirect || - lz_type == local_zone_always_nodata)? + lz_type == local_zone_always_nodata || + lz_type == local_zone_truncate)? LDNS_RCODE_NOERROR:LDNS_RCODE_NXDOMAIN; - if(z->soa && z->soa_negative) + rcode = (lz_type == local_zone_truncate ? (rcode|BIT_TC) : rcode); + if(z != NULL && z->soa && z->soa_negative) return local_encode(qinfo, env, edns, repinfo, buf, temp, z->soa_negative, 0, rcode); - local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode, - (rcode|BIT_AA)); + local_error_encode(qinfo, env, edns, repinfo, buf, temp, + rcode, (rcode|BIT_AA), LDNS_EDE_NONE, NULL); return 1; } else if(lz_type == local_zone_typetransparent || lz_type == local_zone_always_transparent) { @@ -1649,9 +1715,10 @@ return local_encode(qinfo, env, edns, repinfo, buf, temp, &lrr, 1, LDNS_RCODE_NOERROR); } else { + /* NODATA: No EDE needed */ local_error_encode(qinfo, env, edns, repinfo, buf, temp, LDNS_RCODE_NOERROR, - (LDNS_RCODE_NOERROR|BIT_AA)); + (LDNS_RCODE_NOERROR|BIT_AA), -1, NULL); } return 1; } @@ -1661,11 +1728,12 @@ * does not, then we should make this noerror/nodata */ if(ld && ld->rrsets) { int rcode = LDNS_RCODE_NOERROR; - if(z->soa && z->soa_negative) + if(z != NULL && z->soa && z->soa_negative) return local_encode(qinfo, env, edns, repinfo, buf, temp, z->soa_negative, 0, rcode); + /* NODATA: No EDE needed */ local_error_encode(qinfo, env, edns, repinfo, buf, temp, rcode, - (rcode|BIT_AA)); + (rcode|BIT_AA), LDNS_EDE_NONE, NULL); return 1; } 
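Review bot: The NODATA branch in the `@@ -1649` hunk passes a bare `-1` as the new `ede_code` argument, while the other call sites in this file pass `LDNS_EDE_NONE`. local_error_encode skips the EDE option only when `ede_code` equals `LDNS_EDE_NONE`, so this call is correct only as long as that enumerator is -1; otherwise it would append an option with code -1. Use the name instead: `(LDNS_RCODE_NOERROR|BIT_AA), LDNS_EDE_NONE, NULL);`.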
@@ -1676,13 +1744,13 @@ /** print log information for an inform zone query */ static void lz_inform_print(struct local_zone* z, struct query_info* qinfo, - struct comm_reply* repinfo) + struct sockaddr_storage* addr, socklen_t addrlen) { char ip128, txt512; char znameLDNS_MAX_DOMAINLEN+1; - uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); + uint16_t port = ntohs(((struct sockaddr_in*)addr)->sin_port); dname_str(z->name, zname); - addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); + addr_to_str(addr, addrlen, ip, sizeof(ip)); snprintf(txt, sizeof(txt), "%s %s %s@%u", zname, local_zone_type2str(z->type), ip, (unsigned)port); log_nametypeclass(NO_VERBOSE, txt, qinfo->qname, qinfo->qtype, qinfo->qclass); @@ -1697,7 +1765,8 @@ struct local_zone_override* lzo; if(repinfo && override_tree) { lzo = (struct local_zone_override*)addr_tree_lookup( - override_tree, &repinfo->addr, repinfo->addrlen); + override_tree, &repinfo->client_addr, + repinfo->client_addrlen); if(lzo && lzo->type) { verbose(VERB_ALGO, "local zone override to type %s", local_zone_type2str(lzo->type)); @@ -1820,7 +1889,8 @@ lzt == local_zone_inform_deny || lzt == local_zone_inform_redirect) && repinfo) - lz_inform_print(z, qinfo, repinfo); + lz_inform_print(z, qinfo, &repinfo->client_addr, + repinfo->client_addrlen); if(lzt != local_zone_always_refuse && lzt != local_zone_always_transparent @@ -1860,6 +1930,7 @@ case local_zone_always_deny: return "always_deny"; case local_zone_always_null: return "always_null"; case local_zone_noview: return "noview"; + case local_zone_truncate: return "truncate"; case local_zone_invalid: return "invalid"; } return "badtyped"; @@ -1899,6 +1970,8 @@ *t = local_zone_always_null; else if(strcmp(type, "noview") == 0) *t = local_zone_noview; + else if(strcmp(type, "truncate") == 0) + *t = local_zone_truncate; else if(strcmp(type, "nodefault") == 0) *t = local_zone_nodefault; else return 0;
_service:tar_scm:unbound-1.13.2.tar.gz/services/localzone.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/localzone.h
@@ -101,6 +101,8 @@ local_zone_always_null, /** answer not from the view, but global or no-answer */ local_zone_noview, + /** truncate the response; client should retry via tcp */ + local_zone_truncate, /** Invalid type, cannot be used to generate answer */ local_zone_invalid }; @@ -255,7 +257,7 @@ * @param dclass: class to lookup. * @param dtype: type to lookup, if type DS a zone higher is used for zonecuts. * @param taglist: taglist to lookup. - * @param taglen: lenth of taglist. + * @param taglen: length of taglist. * @param ignoretags: lookup zone by name and class, regardless the * local-zone's tags. * @return closest local_zone or NULL if no covering zone is found. @@ -563,6 +565,8 @@ respip_always_nodata = local_zone_always_nodata, /** answer with nodata response */ respip_always_deny = local_zone_always_deny, + /** RPZ: truncate answer in order to force switch to tcp */ + respip_truncate = local_zone_truncate, /* The rest of the values are only possible as * access-control-tag-action */
_service:tar_scm:unbound-1.13.2.tar.gz/services/mesh.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/mesh.c
@@ -64,6 +64,11 @@ #include "respip/respip.h" #include "services/listen_dnsport.h" +#ifdef CLIENT_SUBNET +#include "edns-subnet/subnetmod.h" +#include "edns-subnet/edns-subnet.h" +#endif + /** subtract timers and the values do not overflow or become negative */ static void timeval_subtract(struct timeval* d, const struct timeval* end, const struct timeval* start) @@ -458,10 +463,11 @@ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, struct respip_client_info* cinfo, uint16_t qflags, - struct edns_data* edns, struct comm_reply* rep, uint16_t qid) + struct edns_data* edns, struct comm_reply* rep, uint16_t qid, + int rpz_passthru) { struct mesh_state* s = NULL; - int unique = unique_mesh_state(edns->opt_list, mesh->env); + int unique = unique_mesh_state(edns->opt_list_in, mesh->env); int was_detached = 0; int was_noreply = 0; int added = 0; @@ -505,7 +511,7 @@ log_err("mesh_state_create: out of memory; SERVFAIL"); if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, qinfo, qid, qflags, edns); comm_point_send_reply(rep); @@ -513,15 +519,16 @@ } if(unique) mesh_state_make_unique(s); + s->s.rpz_passthru = rpz_passthru; /* copy the edns options we got from the front */ - if(edns->opt_list) { - s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list, + if(edns->opt_list_in) { + s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in, s->s.region); if(!s->s.edns_opts_front_in) { log_err("mesh_state_create: out of memory; SERVFAIL"); if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, NULL, NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, qinfo, qid, qflags, edns); comm_point_send_reply(rep); 
@@ -594,7 +601,7 @@ servfail_mem: if(!inplace_cb_reply_servfail_call(mesh->env, qinfo, &s->s, NULL, LDNS_RCODE_SERVFAIL, edns, rep, mesh->env->scratch, mesh->env->now_tv)) - edns->opt_list = NULL; + edns->opt_list_inplace_cb_out = NULL; error_encode(r_buffer, LDNS_RCODE_SERVFAIL, qinfo, qid, qflags, edns); comm_point_send_reply(rep); @@ -606,10 +613,10 @@ int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, uint16_t qflags, struct edns_data* edns, sldns_buffer* buf, - uint16_t qid, mesh_cb_func_type cb, void* cb_arg) + uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru) { struct mesh_state* s = NULL; - int unique = unique_mesh_state(edns->opt_list, mesh->env); + int unique = unique_mesh_state(edns->opt_list_in, mesh->env); int timeout = mesh->env->cfg->serve_expired? mesh->env->cfg->serve_expired_client_timeout:0; int was_detached = 0; @@ -632,8 +639,9 @@ } if(unique) mesh_state_make_unique(s); - if(edns->opt_list) { - s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list, + s->s.rpz_passthru = rpz_passthru; + if(edns->opt_list_in) { + s->s.edns_opts_front_in = edns_opt_copy_region(edns->opt_list_in, s->s.region); if(!s->s.edns_opts_front_in) { return 0; @@ -686,7 +694,8 @@ * 0 (false), in which case the new state is only made runnable so it * will not be run recursively on top of the current state. */ static void mesh_schedule_prefetch(struct mesh_area* mesh, - struct query_info* qinfo, uint16_t qflags, time_t leeway, int run) + struct query_info* qinfo, uint16_t qflags, time_t leeway, int run, + int rpz_passthru) { struct mesh_state* s = mesh_area_find(mesh, NULL, qinfo, qflags&(BIT_RD|BIT_CD), 0, 0); 
@@ -732,15 +741,110 @@ /* move to either the forever or the jostle_list */ if(mesh->num_forever_states < mesh->max_forever_states) { mesh->num_forever_states ++; - mesh_list_insert(s, &mesh->forever_first, + mesh_list_insert(s, &mesh->forever_first, &mesh->forever_last); s->list_select = mesh_forever_list; } else { - mesh_list_insert(s, &mesh->jostle_first, + mesh_list_insert(s, &mesh->jostle_first, + &mesh->jostle_last); + s->list_select = mesh_jostle_list; + } + } + s->s.rpz_passthru = rpz_passthru; + + if(!run) { +#ifdef UNBOUND_DEBUG + n = +#else + (void) +#endif + rbtree_insert(&mesh->run, &s->run_node); + log_assert(n != NULL); + return; + } + + mesh_run(mesh, s, module_event_new, NULL); +} + +#ifdef CLIENT_SUBNET +/* Same logic as mesh_schedule_prefetch but tailored to the subnet module logic + * like passing along the comm_reply info. This will be faked into an EDNS + * option for processing by the subnet module if the client has not already + * attached its own ECS data. */ +static void mesh_schedule_prefetch_subnet(struct mesh_area* mesh, + struct query_info* qinfo, uint16_t qflags, time_t leeway, int run, + int rpz_passthru, struct comm_reply* rep, struct edns_option* edns_list) +{ + struct mesh_state* s = NULL; + struct edns_option* opt = NULL; +#ifdef UNBOUND_DEBUG + struct rbnode_type* n; +#endif + if(!mesh_make_new_space(mesh, NULL)) { + verbose(VERB_ALGO, "Too many queries. 
dropped prefetch."); + mesh->stats_dropped ++; + return; + } + + s = mesh_state_create(mesh->env, qinfo, NULL, + qflags&(BIT_RD|BIT_CD), 0, 0); + if(!s) { + log_err("prefetch_subnet mesh_state_create: out of memory"); + return; + } + mesh_state_make_unique(s); + + opt = edns_opt_list_find(edns_list, mesh->env->cfg->client_subnet_opcode); + if(opt) { + /* Use the client's ECS data */ + if(!edns_opt_list_append(&s->s.edns_opts_front_in, opt->opt_code, + opt->opt_len, opt->opt_data, s->s.region)) { + log_err("prefetch_subnet edns_opt_list_append: out of memory"); + return; + } + } else { + /* Fake the ECS data from the client's IP */ + struct ecs_data ecs; + memset(&ecs, 0, sizeof(ecs)); + subnet_option_from_ss(&rep->client_addr, &ecs, mesh->env->cfg); + if(ecs.subnet_validdata == 0) { + log_err("prefetch_subnet subnet_option_from_ss: invalid data"); + return; + } + subnet_ecs_opt_list_append(&ecs, &s->s.edns_opts_front_in, + &s->s, s->s.region); + if(!s->s.edns_opts_front_in) { + log_err("prefetch_subnet subnet_ecs_opt_list_append: out of memory"); + return; + } + } +#ifdef UNBOUND_DEBUG + n = +#else + (void) +#endif + rbtree_insert(&mesh->all, &s->node); + log_assert(n != NULL); + /* set detached (it is now) */ + mesh->num_detached_states++; + /* make it ignore the cache */ + sock_list_insert(&s->s.blacklist, NULL, 0, s->s.region); + s->s.prefetch_leeway = leeway; + + if(s->list_select == mesh_no_list) { + /* move to either the forever or the jostle_list */ + if(mesh->num_forever_states < mesh->max_forever_states) { + mesh->num_forever_states ++; + mesh_list_insert(s, &mesh->forever_first, + &mesh->forever_last); + s->list_select = mesh_forever_list; + } else { + mesh_list_insert(s, &mesh->jostle_first, &mesh->jostle_last); s->list_select = mesh_jostle_list; } } + s->s.rpz_passthru = rpz_passthru; if(!run) { #ifdef UNBOUND_DEBUG 
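Review bot: In mesh_schedule_prefetch_subnet the three early `return;` statements after mesh_state_create() (edns_opt_list_append failure, `ecs.subnet_validdata == 0`, and the empty `edns_opts_front_in` check) leave `s` neither inserted into `mesh->all` nor released, so each such failure appears to leak the state and its region. The invalid-data path depends on the client address rather than on memory pressure, so it may be reachable repeatedly at runtime. Release the state before each of those returns, e.g. `mesh_state_cleanup(s);`, after confirming that this is the right cleanup for a state that has not yet been inserted or counted as detached.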
@@ -755,11 +859,22 @@ mesh_run(mesh, s, module_event_new, NULL); } +#endif /* CLIENT_SUBNET */ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo, - uint16_t qflags, time_t leeway) + uint16_t qflags, time_t leeway, int rpz_passthru, + struct comm_reply* rep, struct edns_option* opt_list) { - mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1); + (void)opt_list; + (void)rep; +#ifdef CLIENT_SUBNET + if(rep) + mesh_schedule_prefetch_subnet(mesh, qinfo, qflags, leeway, 1, + rpz_passthru, rep, opt_list); + else +#endif + mesh_schedule_prefetch(mesh, qinfo, qflags, leeway, 1, + rpz_passthru); } void mesh_report_reply(struct mesh_area* mesh, struct outbound_entry* e, @@ -839,6 +954,7 @@ mstate->s.no_cache_store = 0; mstate->s.need_refetch = 0; mstate->s.was_ratelimited = 0; + mstate->s.qstarttime = *env->now; /* init modules */ for(i=0; i<env->mesh->mods.num; i++) { @@ -1145,11 +1261,11 @@ if(rcode == LDNS_RCODE_SERVFAIL) { if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, NULL, m->s.region, start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } else { if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, NULL, m->s.region, start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } fptr_ok(fptr_whitelist_mesh_cb(r->cb)); (*r->cb)(r->cb_arg, rcode, r->buf, sec_status_unchecked, NULL, @@ -1183,6 +1299,22 @@ m->s.env->mesh->num_reply_addrs--; } +static inline int +mesh_is_rpz_respip_tcponly_action(struct mesh_state const* m) +{ + struct respip_action_info const* respip_info = m->s.respip_action_info; + return respip_info == NULL + ? 0 + : (respip_info->rpz_used + && !respip_info->rpz_disabled + && respip_info->action == respip_truncate); +} + +static inline int +mesh_is_udp(struct mesh_reply const* r) { + return r->query_reply.c->type == comm_udp; +} + /** * Send reply to mesh reply entry * @param m: mesh state to send it for. 
@@ -1201,22 +1333,24 @@ struct timeval end_time; struct timeval duration; int secure; - /* Copy the client's EDNS for later restore, to make sure the edns - * compare is with the correct edns options. */ - struct edns_data edns_bak = r->edns; /* briefly set the replylist to null in case the * meshsendreply calls tcpreqinfo sendreply that * comm_point_drops because of size, and then the * null stops the mesh state remove and thus * reply_list modification and accounting */ struct mesh_reply* rlist = m->reply_list; + + /* rpz: apply actions */ + rcode = mesh_is_udp(r) && mesh_is_rpz_respip_tcponly_action(m) + ? (rcode|BIT_TC) : rcode; + /* examine security status */ if(m->s.env->need_to_validate && (!(r->qflags&BIT_CD) || m->s.env->cfg->ignore_cd) && rep && (rep->security <= sec_status_bogus || rep->security == sec_status_secure_sentinel_fail)) { rcode = LDNS_RCODE_SERVFAIL; - if(m->s.env->cfg->stat_extended) + if(m->s.env->cfg->stat_extended) m->s.env->mesh->ans_bogus++; } if(rep && rep->security == sec_status_secure) @@ -1248,8 +1382,9 @@ prev->edns.edns_present == r->edns.edns_present && prev->edns.bits == r->edns.bits && prev->edns.udp_size == r->edns.udp_size && - edns_opt_list_compare(prev->edns.opt_list, r->edns.opt_list) - == 0) { + edns_opt_list_compare(prev->edns.opt_list_out, r->edns.opt_list_out) == 0 && + edns_opt_list_compare(prev->edns.opt_list_inplace_cb_out, r->edns.opt_list_inplace_cb_out) == 0 + ) { /* if the previous reply is identical to this one, fix ID */ if(prev_buffer != r_buffer) sldns_buffer_copy(r_buffer, prev_buffer); 
@@ -1265,11 +1400,41 @@ if(rcode == LDNS_RCODE_SERVFAIL) { if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; } else { if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, rcode, &r->edns, &r->query_reply, m->s.region, &r->start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; + } + /* Send along EDE BOGUS EDNS0 option when answer is bogus */ + if(m->s.env->cfg->ede && rcode == LDNS_RCODE_SERVFAIL && + m->s.env->need_to_validate && (!(r->qflags&BIT_CD) || + m->s.env->cfg->ignore_cd) && rep && + (rep->security <= sec_status_bogus || + rep->security == sec_status_secure_sentinel_fail)) { + char *reason = m->s.env->cfg->val_log_level >= 2 + ? errinf_to_str_bogus(&m->s) : NULL; + + /* During validation the EDE code can be received via two + * code paths. One code path fills the reply_info EDE, and + * the other fills it in the errinf_strlist. These paths + * intersect at some points, but where is opaque due to + * the complexity of the validator. At the time of writing + * we make the choice to prefer the EDE from errinf_strlist + * but a compelling reason to do otherwise is just as valid + */ + sldns_ede_code reason_bogus = errinf_to_reason_bogus(&m->s); + if ((reason_bogus == LDNS_EDE_DNSSEC_BOGUS && + rep->reason_bogus != LDNS_EDE_NONE) || + reason_bogus == LDNS_EDE_NONE) { + reason_bogus = rep->reason_bogus; + } + + if(reason_bogus != LDNS_EDE_NONE) { + edns_opt_list_append_ede(&r->edns.opt_list_out, + m->s.region, reason_bogus, reason); + } + free(reason); } error_encode(r_buffer, rcode, &m->s.qinfo, r->qid, r->qflags, &r->edns); 
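Review bot: The EXTRA-TEXT sent with the bogus EDE is gated on `val_log_level >= 2`, a logging setting, so raising validator log verbosity also changes how much validation-failure detail is returned to clients. That coupling is easy to miss and should be stated at the `reason` assignment, for example `/* val-log-level >= 2 also puts the validator failure string in the EDE text sent to the client */`. The return value of edns_opt_list_append_ede() is dropped here as well; if that is deliberate best-effort, a `(void)` cast or a short comment would make it explicit. The enclosing function starts and ends outside the hunk.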
@@ -1286,9 +1451,6 @@ m->s.qinfo.local_alias = r->local_alias; if(!inplace_cb_reply_call(m->s.env, &m->s.qinfo, &m->s, rep, LDNS_RCODE_NOERROR, &r->edns, &r->query_reply, m->s.region, &r->start_time) || - !apply_edns_options(&r->edns, &edns_bak, - m->s.env->cfg, r->query_reply.c, - m->s.region) || !reply_info_answer_encode(&m->s.qinfo, rep, r->qid, r->qflags, r_buffer, 0, 1, m->s.env->scratch, udp_size, &r->edns, (int)(r->edns.bits & EDNS_DO), @@ -1296,11 +1458,12 @@ { if(!inplace_cb_reply_servfail_call(m->s.env, &m->s.qinfo, &m->s, rep, LDNS_RCODE_SERVFAIL, &r->edns, &r->query_reply, m->s.region, &r->start_time)) - r->edns.opt_list = NULL; + r->edns.opt_list_inplace_cb_out = NULL; + /* internal server error (probably malloc failure) so no + * EDE (RFC8914) needed */ error_encode(r_buffer, LDNS_RCODE_SERVFAIL, &m->s.qinfo, r->qid, r->qflags, &r->edns); } - r->edns = edns_bak; m->reply_list = NULL; comm_point_send_reply(&r->query_reply); m->reply_list = rlist; @@ -1325,8 +1488,9 @@ } /* Log reply sent */ if(m->s.env->cfg->log_replies) { - log_reply_info(NO_VERBOSE, &m->s.qinfo, &r->query_reply.addr, - r->query_reply.addrlen, duration, 0, r_buffer); + log_reply_info(NO_VERBOSE, &m->s.qinfo, + &r->query_reply.client_addr, + r->query_reply.client_addrlen, duration, 0, r_buffer); } } @@ -1346,7 +1510,7 @@ } if(mstate->s.return_rcode == LDNS_RCODE_SERVFAIL || (rep && FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_SERVFAIL)) { - /* we are SERVFAILing; check for expired asnwer here */ + /* we are SERVFAILing; check for expired answer here */ mesh_serve_expired_callback(mstate); if((mstate->reply_list || mstate->cb_list) && mstate->s.env->cfg->log_servfail 
@@ -1367,7 +1531,8 @@ respip_inform_print(mstate->s.respip_action_info, r->qname, mstate->s.qinfo.qtype, mstate->s.qinfo.qclass, r->local_alias, - &r->query_reply); + &r->query_reply.client_addr, + r->query_reply.client_addrlen); if(mstate->s.env->cfg->stat_extended && mstate->s.respip_action_info->rpz_used) { if(mstate->s.respip_action_info->rpz_disabled) @@ -1488,12 +1653,15 @@ r->cb = cb; r->cb_arg = cb_arg; r->edns = *edns; - if(edns->opt_list) { - r->edns.opt_list = edns_opt_copy_region(edns->opt_list, - s->s.region); - if(!r->edns.opt_list) - return 0; - } + if(edns->opt_list_in && !(r->edns.opt_list_in = + edns_opt_copy_region(edns->opt_list_in, s->s.region))) + return 0; + if(edns->opt_list_out && !(r->edns.opt_list_out = + edns_opt_copy_region(edns->opt_list_out, s->s.region))) + return 0; + if(edns->opt_list_inplace_cb_out && !(r->edns.opt_list_inplace_cb_out = + edns_opt_copy_region(edns->opt_list_inplace_cb_out, s->s.region))) + return 0; r->qid = qid; r->qflags = qflags; r->next = s->cb_list; @@ -1506,18 +1674,21 @@ struct comm_reply* rep, uint16_t qid, uint16_t qflags, const struct query_info* qinfo) { - struct mesh_reply* r = regional_alloc(s->s.region, + struct mesh_reply* r = regional_alloc(s->s.region, sizeof(struct mesh_reply)); if(!r) return 0; r->query_reply = *rep; r->edns = *edns; - if(edns->opt_list) { - r->edns.opt_list = edns_opt_copy_region(edns->opt_list, - s->s.region); - if(!r->edns.opt_list) - return 0; - } + if(edns->opt_list_in && !(r->edns.opt_list_in = + edns_opt_copy_region(edns->opt_list_in, s->s.region))) + return 0; + if(edns->opt_list_out && !(r->edns.opt_list_out = + edns_opt_copy_region(edns->opt_list_out, s->s.region))) + return 0; + if(edns->opt_list_inplace_cb_out && !(r->edns.opt_list_inplace_cb_out = + edns_opt_copy_region(edns->opt_list_inplace_cb_out, s->s.region))) + return 0; r->qid = qid; r->qflags = qflags; r->start_time = *s->s.env->now_tv; 
@@ -1563,7 +1734,7 @@ return 0; /* the rrset is not packed, like in the cache, but it is - * individualy allocated with an allocator from localzone. */ + * individually allocated with an allocator from localzone. */ d = regional_alloc_zero(s->s.region, sizeof(*d)); if(!d) return 0; @@ -1672,6 +1843,7 @@ if(mstate->s.curmod == 0) { struct query_info* qinfo = NULL; uint16_t qflags; + int rpz_p = 0; mesh_query_done(mstate); mesh_walk_supers(mesh, mstate); @@ -1680,13 +1852,15 @@ * from an external DNS server, we'll need to schedule * a prefetch after removing the current state, so * we need to make a copy of the query info here. */ - if(mstate->s.need_refetch) + if(mstate->s.need_refetch) { mesh_copy_qinfo(mstate, &qinfo, &qflags); + rpz_p = mstate->s.rpz_passthru; + } mesh_state_delete(&mstate->s); if(qinfo) { mesh_schedule_prefetch(mesh, qinfo, qflags, - 0, 1); + 0, 1, rpz_p); } return 0; } @@ -1896,7 +2070,7 @@ return 1; if(!respip_rewrite_reply(qinfo, cinfo, rep, encode_repp, actinfo, - alias_rrset, 0, qstate->region, az)) + alias_rrset, 0, qstate->region, az, NULL)) return 0; /* xxx_deny actions mean dropping the reply, unless the original reply @@ -2008,7 +2182,8 @@ if(actinfo.addrinfo) { respip_inform_print(&actinfo, r->qname, qstate->qinfo.qtype, qstate->qinfo.qclass, - r->local_alias, &r->query_reply); + r->local_alias, &r->query_reply.client_addr, + r->query_reply.client_addrlen); if(qstate->env->cfg->stat_extended && actinfo.rpz_used) { if(actinfo.rpz_disabled) @@ -2021,6 +2196,14 @@ } } + /* Add EDE Stale Answer (RCF8914). Ignore global ede as this is + * warning instead of an error */ + if (r->edns.edns_present && qstate->env->cfg->ede_serve_expired && + qstate->env->cfg->ede) { + edns_opt_list_append_ede(&r->edns.opt_list_out, + mstate->s.region, LDNS_EDE_STALE_ANSWER, NULL); + } + r_buffer = r->query_reply.c->buffer; if(r->query_reply.c->tcp_req_info) r_buffer = r->query_reply.c->tcp_req_info->spool_buffer; 
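Review bot: The new comment above the stale-answer EDE in the `@@ -2021` hunk contradicts the condition beneath it: it says the global `ede` setting is ignored, yet the `if` requires both `cfg->ede_serve_expired` and `cfg->ede`. One of the two should change. If the code is right, the comment could read `/* Add EDE Stale Answer (RFC 8914); sent only when both ede and ede-serve-expired are enabled */`, which also fixes the `RCF8914` typo. The enclosing function is outside this hunk.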
@@ -2060,3 +2243,10 @@ mesh_do_callback(mstate, LDNS_RCODE_NOERROR, msg->rep, c, &tv); } } + +int mesh_jostle_exceeded(struct mesh_area* mesh) +{ + if(mesh->all.count < mesh->max_reply_states) + return 0; + return 1; +}
_service:tar_scm:unbound-1.13.2.tar.gz/services/mesh.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/mesh.h
Changed
@@ -296,10 +296,13 @@ * @param edns: edns data from client query. * @param rep: where to reply to. * @param qid: query id to reply with. + * @param rpz_passthru: if true, the rpz passthru was previously found and + * further rpz processing is stopped. */ void mesh_new_client(struct mesh_area* mesh, struct query_info* qinfo, struct respip_client_info* cinfo, uint16_t qflags, - struct edns_data* edns, struct comm_reply* rep, uint16_t qid); + struct edns_data* edns, struct comm_reply* rep, uint16_t qid, + int rpz_passthru); /** * New query with callback. Create new query state if needed, and @@ -314,11 +317,13 @@ * @param qid: query id to reply with. * @param cb: callback function. * @param cb_arg: callback user arg. + * @param rpz_passthru: if true, the rpz passthru was previously found and + * further rpz processing is stopped. * @return 0 on error. */ int mesh_new_callback(struct mesh_area* mesh, struct query_info* qinfo, uint16_t qflags, struct edns_data* edns, struct sldns_buffer* buf, - uint16_t qid, mesh_cb_func_type cb, void* cb_arg); + uint16_t qid, mesh_cb_func_type cb, void* cb_arg, int rpz_passthru); /** * New prefetch message. Create new query state if needed. @@ -328,9 +333,15 @@ * @param qinfo: query from client. * @param qflags: flags from client query. * @param leeway: TTL leeway what to expire earlier for this update. + * @param rpz_passthru: if true, the rpz passthru was previously found and + * further rpz processing is stopped. + * @param rep: comm_reply for the client; to be used when subnet is enabled. + * @param opt_list: edns opt_list from the client; to be used when subnet is + * enabled. */ void mesh_new_prefetch(struct mesh_area* mesh, struct query_info* qinfo, - uint16_t qflags, time_t leeway); + uint16_t qflags, time_t leeway, int rpz_passthru, + struct comm_reply* rep, struct edns_option* opt_list); /** * Handle new event from the wire. A serviced query has returned. 
@@ -674,4 +685,15 @@ mesh_serve_expired_lookup(struct module_qstate* qstate, struct query_info* lookup_qinfo); +/** + * See if the mesh has space for more queries. You can allocate queries + * anyway, but this checks for the allocated space. + * @param mesh: mesh area. + * @return true if the query list is full. + * It checks the number of all queries, not just number of reply states, + * that have a client address. So that spawned queries count too, + * that were created by the iterator, or other modules. + */ +int mesh_jostle_exceeded(struct mesh_area* mesh); + #endif /* SERVICES_MESH_H */
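Review bot: The doc block for `mesh_jostle_exceeded` puts its explanation after `@return`, so Doxygen-style tools will attach the three trailing sentences to the return value; moving them above `@param mesh` keeps `@return` to `true if the query list is full`. The opening sentence ("checks for the allocated space") also does not name the limit being compared. The definition added in mesh.c compares `mesh->all.count` with `mesh->max_reply_states`, and saying so here would tell callers which configured bound gates jostling under load.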
_service:tar_scm:unbound-1.13.2.tar.gz/services/outbound_list.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/outbound_list.h
Changed
@@ -79,7 +79,7 @@ * Clear the user owner outbound list structure. * Deletes serviced queries. * @param list: the list structure. It is cleared, but the list struct itself - * is callers responsability to delete. + * is callers responsibility to delete. */ void outbound_list_clear(struct outbound_list* list);
_service:tar_scm:unbound-1.13.2.tar.gz/services/outside_network.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/outside_network.c
Changed
@@ -86,14 +86,20 @@ static int randomize_and_send_udp(struct pending* pend, sldns_buffer* packet, int timeout); -/** remove waiting tcp from the outnet waiting list */ -static void waiting_list_remove(struct outside_network* outnet, - struct waiting_tcp* w); - /** select a DNS ID for a TCP stream */ static uint16_t tcp_select_id(struct outside_network* outnet, struct reuse_tcp* reuse); +/** Perform serviced query UDP sending operation */ +static int serviced_udp_send(struct serviced_query* sq, sldns_buffer* buff); + +/** Send serviced query over TCP return false on initial failure */ +static int serviced_tcp_send(struct serviced_query* sq, sldns_buffer* buff); + +/** call the callbacks for a serviced query */ +static void serviced_callbacks(struct serviced_query* sq, int error, + struct comm_point* c, struct comm_reply* rep); + int pending_cmp(const void* key1, const void* key2) { @@ -261,7 +267,7 @@ int s; int af; char* err; -#ifdef SO_REUSEADDR +#if defined(SO_REUSEADDR) || defined(IP_BIND_ADDRESS_NO_PORT) int on = 1; #endif #ifdef INET6 @@ -307,7 +313,13 @@ " setsockopt(TCP_MAXSEG) unsupported"); #endif /* defined(IPPROTO_TCP) && defined(TCP_MAXSEG) */ } - +#ifdef IP_BIND_ADDRESS_NO_PORT + if(setsockopt(s, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, (void*)&on, + (socklen_t)sizeof(on)) < 0) { + verbose(VERB_ALGO, "outgoing tcp:" + " setsockopt(.. IP_BIND_ADDRESS_NO_PORT ..) failed"); + } +#endif /* IP_BIND_ADDRESS_NO_PORT */ return s; } @@ -356,7 +368,8 @@ } /** pop the first element from the writewait list */ -static struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse) +struct waiting_tcp* +reuse_write_wait_pop(struct reuse_tcp* reuse) { struct waiting_tcp* w = reuse->write_wait_first; if(!w) 
@@ -374,8 +387,8 @@ } /** remove the element from the writewait list */ -static void reuse_write_wait_remove(struct reuse_tcp* reuse, - struct waiting_tcp* w) +void +reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w) { log_assert(w); log_assert(w->write_wait_queued); @@ -399,8 +412,8 @@ } /** push the element after the last on the writewait list */ -static void reuse_write_wait_push_back(struct reuse_tcp* reuse, - struct waiting_tcp* w) +void +reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w) { if(!w) return; log_assert(!w->write_wait_queued); @@ -411,7 +424,9 @@ w->write_wait_prev = reuse->write_wait_last; } else { reuse->write_wait_first = w; + w->write_wait_prev = NULL; } + w->write_wait_next = NULL; reuse->write_wait_last = w; w->write_wait_queued = 1; } @@ -705,12 +720,12 @@ pend->next_free = NULL; pend->query = w; pend->reuse.outnet = w->outnet; - pend->c->repinfo.addrlen = w->addrlen; + pend->c->repinfo.remote_addrlen = w->addrlen; pend->c->tcp_more_read_again = &pend->reuse.cp_more_read_again; pend->c->tcp_more_write_again = &pend->reuse.cp_more_write_again; pend->reuse.cp_more_read_again = 0; pend->reuse.cp_more_write_again = 0; - memcpy(&pend->c->repinfo.addr, &w->addr, w->addrlen); + memcpy(&pend->c->repinfo.remote_addr, &w->addr, w->addrlen); pend->reuse.pending = pend; /* Remove from tree in case the is_ssl will be different and causes the 
@@ -794,20 +809,50 @@ return reuse; } -/** call callback on waiting_tcp, if not NULL */ -static void -waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, - struct comm_reply* reply_info) +/** remove waiting tcp from the outnet waiting list */ +void +outnet_waiting_tcp_list_remove(struct outside_network* outnet, struct waiting_tcp* w) { - if(w && w->cb) { - fptr_ok(fptr_whitelist_pending_tcp(w->cb)); - (void)(*w->cb)(c, w->cb_arg, error, reply_info); + struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL; + w->on_tcp_waiting_list = 0; + while(p) { + if(p == w) { + /* remove w */ + if(prev) + prev->next_waiting = w->next_waiting; + else outnet->tcp_wait_first = w->next_waiting; + if(outnet->tcp_wait_last == w) + outnet->tcp_wait_last = prev; + w->next_waiting = NULL; + return; + } + prev = p; + p = p->next_waiting; } + /* outnet_waiting_tcp_list_remove is currently called only with items + * that are already in the waiting list. */ + log_assert(0); +} + +/** pop the first waiting tcp from the outnet waiting list */ +struct waiting_tcp* +outnet_waiting_tcp_list_pop(struct outside_network* outnet) +{ + struct waiting_tcp* w = outnet->tcp_wait_first; + if(!outnet->tcp_wait_first) return NULL; + log_assert(w->on_tcp_waiting_list); + outnet->tcp_wait_first = w->next_waiting; + if(outnet->tcp_wait_last == w) + outnet->tcp_wait_last = NULL; + w->on_tcp_waiting_list = 0; + w->next_waiting = NULL; + return w; } /** add waiting_tcp element to the outnet tcp waiting list */ -static void -outnet_add_tcp_waiting(struct outside_network* outnet, struct waiting_tcp* w) +void +outnet_waiting_tcp_list_add(struct outside_network* outnet, + struct waiting_tcp* w, int set_timer) { struct timeval tv; log_assert(!w->on_tcp_waiting_list); 
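Review bot: `outnet_waiting_tcp_list_remove` is no longer `static`, but its precondition that `w` is on the list is enforced only by the trailing `log_assert(0)`, and `w->on_tcp_waiting_list` is cleared before the search has found `w`. If assertions are compiled out in non-debug builds (the `#ifdef UNBOUND_DEBUG` pattern elsewhere in this file suggests so), a call with an entry that is not queued would clear the flag and return silently. Since `next_waiting` is reused elsewhere in this diff as a `pending_tcp` pointer, the contract is worth stating in the doc comment, e.g. `/** remove waiting tcp from the outnet waiting list; w must currently be on that list */`. Clearing the flag inside the `if(p == w)` branch next to `w->next_waiting = NULL;` would also leave the entry untouched when the precondition fails.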
@@ -819,16 +864,18 @@ else outnet->tcp_wait_first = w; outnet->tcp_wait_last = w; w->on_tcp_waiting_list = 1; + if(set_timer) { #ifndef S_SPLINT_S - tv.tv_sec = w->timeout/1000; - tv.tv_usec = (w->timeout%1000)*1000; + tv.tv_sec = w->timeout/1000; + tv.tv_usec = (w->timeout%1000)*1000; #endif - comm_timer_set(w->timer, &tv); + comm_timer_set(w->timer, &tv); + } } /** add waiting_tcp element as first to the outnet tcp waiting list */ -static void -outnet_add_tcp_waiting_first(struct outside_network* outnet, +void +outnet_waiting_tcp_list_add_first(struct outside_network* outnet, struct waiting_tcp* w, int reset_timer) { struct timeval tv; @@ -836,6 +883,7 @@ if(w->on_tcp_waiting_list) return; w->next_waiting = outnet->tcp_wait_first; + log_assert(w->next_waiting != w); if(!outnet->tcp_wait_last) outnet->tcp_wait_last = w; outnet->tcp_wait_first = w; @@ -852,6 +900,17 @@ (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); } +/** call callback on waiting_tcp, if not NULL */ +static void +waiting_tcp_callback(struct waiting_tcp* w, struct comm_point* c, int error, + struct comm_reply* reply_info) +{ + if(w && w->cb) { + fptr_ok(fptr_whitelist_pending_tcp(w->cb)); + (void)(*w->cb)(c, w->cb_arg, error, reply_info); + } +} + /** see if buffers can be used to service TCP queries */ static void use_free_buffer(struct outside_network* outnet) @@ -862,15 +921,10 @@ struct pending_tcp* pend_tcp = NULL; #endif struct reuse_tcp* reuse = NULL; - w = outnet->tcp_wait_first; - log_assert(w->on_tcp_waiting_list); - outnet->tcp_wait_first = w->next_waiting; - if(outnet->tcp_wait_last == w) - outnet->tcp_wait_last = NULL; + w = outnet_waiting_tcp_list_pop(outnet); log_assert( (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); - w->on_tcp_waiting_list = 0; reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen, w->ssl_upstream); /* re-select an ID when moving to a new TCP buffer */ 
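Review bot: In the @@ -862 hunk `use_free_buffer` now takes `w` from `outnet_waiting_tcp_list_pop`, which returns NULL on an empty list, and dereferences it straight away in `reuse_tcp_find(outnet, &w->addr, ...)`. The loop condition that presumably guarantees a non-empty list is outside the hunk, so the dependency is not visible at the call site. A `log_assert(w);` directly after the pop, or a one-line comment naming the loop guard, would record it.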
@@ -917,7 +971,7 @@ #endif } else { /* no reuse and no free buffer, put back at the start */ - outnet_add_tcp_waiting_first(outnet, w, 0); + outnet_waiting_tcp_list_add_first(outnet, w, 0); break; } #ifdef USE_DNSTAP @@ -991,7 +1045,7 @@ * fail the query */ w->error_count ++; reuse_tree_by_id_delete(&pend->reuse, w); - outnet_add_tcp_waiting(outnet, w); + outnet_waiting_tcp_list_add(outnet, w, 1); } while((w = reuse_write_wait_pop(&pend->reuse)) != NULL) { if(verbosity >= VERB_CLIENT && w->pkt_len > 12+2+2 && @@ -1002,7 +1056,7 @@ verbose(VERB_CLIENT, "reuse_move_writewait_away item %s", buf); } reuse_tree_by_id_delete(&pend->reuse, w); - outnet_add_tcp_waiting(outnet, w); + outnet_waiting_tcp_list_add(outnet, w, 1); } } @@ -1136,6 +1190,22 @@ } } +/** mark the entry for being in the cb_and_decommission stage */ +static void mark_for_cb_and_decommission(rbnode_type* node, + void* ATTR_UNUSED(arg)) +{ + struct waiting_tcp* w = (struct waiting_tcp*)node->key; + /* Mark the waiting_tcp to signal later code (serviced_delete) that + * this item is part of the backed up tree_by_id and will be deleted + * later. */ + w->in_cb_and_decommission = 1; + /* Mark the serviced_query for deletion so that later code through + * callbacks (iter_clear .. outnet_serviced_query_stop) won't + * prematurely delete it. */ + if(w->cb) + ((struct serviced_query*)w->cb_arg)->to_be_deleted = 1; +} + /** perform callbacks for failure and also decommission pending tcp. * the callbacks remove references in sq->pending to the waiting_tcp * members of the tree_by_id in the pending tcp. The pending_tcp is @@ -1151,6 +1221,9 @@ pend->reuse.write_wait_first = NULL; pend->reuse.write_wait_last = NULL; decommission_pending_tcp(outnet, pend); + if(store.root != NULL && store.root != RBTREE_NULL) { + traverse_postorder(&store, &mark_for_cb_and_decommission, NULL); + } reuse_cb_readwait_for_failure(&store, error); reuse_del_readwait(&store); } 
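Review bot: `mark_for_cb_and_decommission` (the @@ -1136 hunk) casts `w->cb_arg` to `struct serviced_query*` whenever `w->cb` is set and writes `to_be_deleted` through it, with nothing checking that the argument really is a serviced query. The `pending_tcp_query` calls visible elsewhere in this diff pass `sq` as the callback argument, so the cast holds today, but the invariant lives only in the callers. Stating it at the cast, e.g. `/* cb_arg is always the serviced_query handed to pending_tcp_query() */`, or asserting on the callback pointer, would make a future caller with a different argument type fail loudly instead of writing into an unrelated object.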
@@ -1248,6 +1321,12 @@ c->buffer)); /* find the query the reply is for */ w = reuse_tcp_by_id_find(&pend->reuse, id); + /* Make sure that the reply we got is at least for a + * sent query with the same ID; the waiting_tcp that + * gets a reply is assumed to not be waiting to be + * sent. */ + if(w && (w->on_tcp_waiting_list || w->write_wait_queued)) + w = NULL; } } if(error == NETEVENT_NOERROR && !w) { @@ -1265,6 +1344,8 @@ } } if(w) { + log_assert(!w->on_tcp_waiting_list); + log_assert(!w->write_wait_queued); reuse_tree_by_id_delete(&pend->reuse, w); verbose(VERB_CLIENT, "outnet tcp callback query err %d buflen %d", error, (int)sldns_buffer_limit(c->buffer)); @@ -1324,7 +1405,7 @@ { struct pending* pend; /* process waiting queries */ - while(outnet->udp_wait_first && outnet->unused_fds + while(outnet->udp_wait_first && outnet->unused_fds && !outnet->want_to_quit) { pend = outnet->udp_wait_first; outnet->udp_wait_first = pend->next_waiting; @@ -1333,8 +1414,10 @@ sldns_buffer_write(outnet->udp_buff, pend->pkt, pend->pkt_len); sldns_buffer_flip(outnet->udp_buff); free(pend->pkt); /* freeing now makes get_mem correct */ - pend->pkt = NULL; + pend->pkt = NULL; pend->pkt_len = 0; + log_assert(!pend->sq->busy); + pend->sq->busy = 1; if(!randomize_and_send_udp(pend, outnet->udp_buff, pend->timeout)) { /* callback error on pending */ @@ -1344,6 +1427,8 @@ NETEVENT_CLOSED, NULL); } pending_delete(outnet, pend); + } else { + pend->sq->busy = 0; } } } 
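Review bot: In the @@ -1333 and @@ -1344 hunks `pend->sq->busy` is set before `randomize_and_send_udp` and cleared only in the new `else` branch, so on a failed send the flag stays 1 while the error callback runs and `pending_delete` is called. The @@ -2173 hunk in `pending_udp_query` has the same shape, returning NULL with `sq->busy` still set. Nothing in either hunk says whether this is deliberate or an omitted reset. If it is intended to stop the query being torn down from inside its own callback, a comment on the failure branch such as `/* busy intentionally left set; sq is disposed of by the error path */` would settle it; otherwise the flag should be cleared there too.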
@@ -1369,11 +1454,11 @@ /* setup lookup key */ key.id = (unsigned)LDNS_ID_WIRE(sldns_buffer_begin(c->buffer)); - memcpy(&key.addr, &reply_info->addr, reply_info->addrlen); - key.addrlen = reply_info->addrlen; + memcpy(&key.addr, &reply_info->remote_addr, reply_info->remote_addrlen); + key.addrlen = reply_info->remote_addrlen; verbose(VERB_ALGO, "Incoming reply id = %4.4x", key.id); log_addr(VERB_ALGO, "Incoming reply addr =", - &reply_info->addr, reply_info->addrlen); + &reply_info->remote_addr, reply_info->remote_addrlen); /* find it, see if this thing is a valid query response */ verbose(VERB_ALGO, "lookup size is %d entries", (int)outnet->pending->count); @@ -1454,7 +1539,6 @@ (*num_ip4)++; } } - } void @@ -1567,6 +1651,7 @@ outnet->tcp_reuse_timeout= tcp_reuse_timeout; outnet->tcp_auth_query_timeout = tcp_auth_query_timeout; outnet->num_tcp_outgoing = 0; + outnet->num_udp_outgoing = 0; outnet->infra = infra; outnet->rnd = rnd; outnet->sslctx = sslctx; @@ -1642,7 +1727,7 @@ return NULL; } pc->cp = comm_point_create_udp(outnet->base, -1, - outnet->udp_buff, outnet_udp_cb, outnet, NULL); + outnet->udp_buff, 0, outnet_udp_cb, outnet, NULL); if(!pc->cp) { log_err("malloc failed"); free(pc); @@ -1708,16 +1793,9 @@ serviced_node_del(rbnode_type* node, void* ATTR_UNUSED(arg)) { struct serviced_query* sq = (struct serviced_query*)node; - struct service_callback* p = sq->cblist, *np; - free(sq->qbuf); - free(sq->zone); - free(sq->tls_auth_name); - edns_opt_list_free(sq->opt_list); - while(p) { - np = p->next; - free(p); - p = np; - } + alloc_reg_release(sq->alloc, sq->region); + if(sq->timer) + comm_timer_delete(sq->timer); free(sq); } @@ -1935,7 +2013,7 @@ LDNS_ID_SET(sldns_buffer_begin(packet), pend->id); id_tries++; if(id_tries == MAX_ID_RETRY) { - pend->id=99999; /* non existant ID */ + pend->id=99999; /* non existent ID */ log_err("failed to generate unique ID, drop msg"); return 0; } 
@@ -1961,7 +2039,11 @@ # ifdef ENETDOWN case ENETDOWN: # endif +# ifdef EADDRNOTAVAIL + case EADDRNOTAVAIL: +# endif case EPERM: + case EACCES: if(verbosity >= VERB_ALGO) return 1; return 0; @@ -2104,6 +2186,7 @@ portcomm_loweruse(outnet, pend->pc); return 0; } + outnet->num_udp_outgoing++; /* system calls to set timeout after sending UDP to make roundtrip smaller. */ @@ -2173,10 +2256,13 @@ sq->outnet->udp_wait_last = pend; return pend; } + log_assert(!sq->busy); + sq->busy = 1; if(!randomize_and_send_udp(pend, packet, timeout)) { pending_delete(sq->outnet, pend); return NULL; } + sq->busy = 0; return pend; } @@ -2188,7 +2274,7 @@ verbose(VERB_CLIENT, "outnet_tcptimer"); if(w->on_tcp_waiting_list) { /* it is on the waiting list */ - waiting_list_remove(outnet, w); + outnet_waiting_tcp_list_remove(outnet, w); waiting_tcp_callback(w, NULL, NETEVENT_TIMEOUT, NULL); waiting_tcp_delete(w); } else { @@ -2246,7 +2332,7 @@ } /* equally pick a random unused element from the tree that is - * not in use. Pick a the n-th index of an ununused number, + * not in use. Pick a the n-th index of an unused number, * then loop over the empty spaces in the tree and find it */ log_assert(reuse->tree_by_id.count < 0xffff); select = ub_random_max(outnet->rnd, 0xffff - reuse->tree_by_id.count); @@ -2256,7 +2342,7 @@ node = rbtree_first(&reuse->tree_by_id); log_assert(node && node != RBTREE_NULL); /* tree not empty */ /* see if select is before first node */ - if(select < tree_by_id_get_id(node)) + if(select < (unsigned)tree_by_id_get_id(node)) return select; count += tree_by_id_get_id(node); /* perhaps select is between nodes */ @@ -2359,6 +2445,7 @@ #ifdef USE_DNSTAP w->sq = NULL; #endif + w->in_cb_and_decommission = 0; if(pend) { /* we have a buffer available right now */ if(reuse) { @@ -2414,7 +2501,7 @@ #ifdef USE_DNSTAP w->sq = sq; #endif - outnet_add_tcp_waiting(sq->outnet, w); + outnet_waiting_tcp_list_add(sq->outnet, w, 1); } return w; } 
@@ -2455,30 +2542,64 @@ return (struct serviced_query*)rbtree_search(outnet->serviced, &key); } +void +serviced_timer_cb(void* arg) +{ + struct serviced_query* sq = (struct serviced_query*)arg; + struct outside_network* outnet = sq->outnet; + verbose(VERB_ALGO, "serviced send timer"); + /* By the time this cb is called, if we don't have any registered + * callbacks for this serviced_query anymore; do not send. */ + if(!sq->cblist) + goto delete; + /* perform first network action */ + if(outnet->do_udp && !(sq->tcp_upstream || sq->ssl_upstream)) { + if(!serviced_udp_send(sq, outnet->udp_buff)) + goto delete; + } else { + if(!serviced_tcp_send(sq, outnet->udp_buff)) + goto delete; + } + /* Maybe by this time we don't have callbacks attached anymore. Don't + * proactively try to delete; let it run and maybe another callback + * will get attached by the time we get an answer. */ + return; +delete: + serviced_callbacks(sq, NETEVENT_CLOSED, NULL, NULL); +} + /** Create new serviced entry */ static struct serviced_query* serviced_create(struct outside_network* outnet, sldns_buffer* buff, int dnssec, int want_dnssec, int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, int qtype, struct edns_option* opt_list, - size_t pad_queries_block_size) + size_t pad_queries_block_size, struct alloc_cache* alloc, + struct regional* region) { struct serviced_query* sq = (struct serviced_query*)malloc(sizeof(*sq)); + struct timeval t; #ifdef UNBOUND_DEBUG rbnode_type* ins; #endif - if(!sq) + if(!sq) { + alloc_reg_release(alloc, region); return NULL; + } sq->node.key = sq; - sq->qbuf = memdup(sldns_buffer_begin(buff), sldns_buffer_limit(buff)); + sq->alloc = alloc; + sq->region = region; + sq->qbuf = regional_alloc_init(region, sldns_buffer_begin(buff), + sldns_buffer_limit(buff)); if(!sq->qbuf) { + alloc_reg_release(alloc, region); free(sq); return NULL; } sq->qbuflen = 
sldns_buffer_limit(buff); - sq->zone = memdup(zone, zonelen); + sq->zone = regional_alloc_init(region, zone, zonelen); if(!sq->zone) { - free(sq->qbuf); + alloc_reg_release(alloc, region); free(sq); return NULL; } @@ -2490,10 +2611,9 @@ sq->tcp_upstream = tcp_upstream; sq->ssl_upstream = ssl_upstream; if(tls_auth_name) { - sq->tls_auth_name = strdup(tls_auth_name); + sq->tls_auth_name = regional_strdup(region, tls_auth_name); if(!sq->tls_auth_name) { - free(sq->zone); - free(sq->qbuf); + alloc_reg_release(alloc, region); free(sq); return NULL; } @@ -2502,17 +2622,16 @@ } memcpy(&sq->addr, addr, addrlen); sq->addrlen = addrlen; - sq->opt_list = NULL; - if(opt_list) { - sq->opt_list = edns_opt_copy_alloc(opt_list); - if(!sq->opt_list) { - free(sq->tls_auth_name); - free(sq->zone); - free(sq->qbuf); - free(sq); - return NULL; - } + sq->opt_list = opt_list; + sq->busy = 0; + sq->timer = comm_timer_create(outnet->base, serviced_timer_cb, sq); + if(!sq->timer) { + alloc_reg_release(alloc, region); + free(sq); + return NULL; } + memset(&t, 0, sizeof(t)); + comm_timer_set(sq->timer, &t); sq->outnet = outnet; sq->cblist = NULL; sq->pending = NULL; @@ -2521,7 +2640,7 @@ sq->to_be_deleted = 0; sq->padding_block_size = pad_queries_block_size; #ifdef UNBOUND_DEBUG - ins = + ins = #else (void) #endif 
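Review bot: `serviced_create` now takes ownership of `region`: every failure path across these hunks calls `alloc_reg_release(alloc, region)` before returning NULL, and `sq->opt_list = opt_list;` stores the caller's list without copying it where the old code used `edns_opt_copy_alloc`. Neither contract is stated in the function's one-line comment, so a caller that releases the region again after a NULL return would release it twice, and one that passes a list not allocated from `region` would leave a dangling list. The comment should say that `region` is consumed on both success and failure and that `opt_list` must live in `region`. The timer is also armed with `comm_timer_set` before `sq->outnet` and `sq->cblist` are assigned, both of which `serviced_timer_cb` reads; that is safe only while the callback cannot run before the function returns, which deserves a remark as well.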
@@ -2530,30 +2649,6 @@ return sq; } -/** remove waiting tcp from the outnet waiting list */ -static void -waiting_list_remove(struct outside_network* outnet, struct waiting_tcp* w) -{ - struct waiting_tcp* p = outnet->tcp_wait_first, *prev = NULL; - w->on_tcp_waiting_list = 0; - while(p) { - if(p == w) { - /* remove w */ - if(prev) - prev->next_waiting = w->next_waiting; - else outnet->tcp_wait_first = w->next_waiting; - if(outnet->tcp_wait_last == w) - outnet->tcp_wait_last = prev; - return; - } - prev = p; - p = p->next_waiting; - } - /* waiting_list_remove is currently called only with items that are - * already in the waiting list. */ - log_assert(0); -} - /** reuse tcp stream, remove serviced query from stream, * return true if the stream is kept, false if it is to be closed */ static int 
@@ -2619,29 +2714,38 @@ struct waiting_tcp* w = (struct waiting_tcp*) sq->pending; verbose(VERB_CLIENT, "serviced_delete: TCP"); + log_assert(!(w->write_wait_queued && w->on_tcp_waiting_list)); /* if on stream-write-waiting list then * remove from waiting list and waiting_tcp_delete */ if(w->write_wait_queued) { struct pending_tcp* pend = (struct pending_tcp*)w->next_waiting; verbose(VERB_CLIENT, "serviced_delete: writewait"); - reuse_tree_by_id_delete(&pend->reuse, w); + if(!w->in_cb_and_decommission) + reuse_tree_by_id_delete(&pend->reuse, w); reuse_write_wait_remove(&pend->reuse, w); - waiting_tcp_delete(w); + if(!w->in_cb_and_decommission) + waiting_tcp_delete(w); } else if(!w->on_tcp_waiting_list) { struct pending_tcp* pend = (struct pending_tcp*)w->next_waiting; verbose(VERB_CLIENT, "serviced_delete: tcpreusekeep"); + /* w needs to stay on tree_by_id to not assign + * the same ID; remove the callback since its + * serviced_query will be gone. */ + w->cb = NULL; if(!reuse_tcp_remove_serviced_keep(w, sq)) { - reuse_cb_and_decommission(sq->outnet, - pend, NETEVENT_CLOSED); + if(!w->in_cb_and_decommission) + reuse_cb_and_decommission(sq->outnet, + pend, NETEVENT_CLOSED); use_free_buffer(sq->outnet); } sq->pending = NULL; } else { verbose(VERB_CLIENT, "serviced_delete: tcpwait"); - waiting_list_remove(sq->outnet, w); - waiting_tcp_delete(w); + outnet_waiting_tcp_list_remove(sq->outnet, w); + if(!w->in_cb_and_decommission) + waiting_tcp_delete(w); } } } @@ -2708,7 +2812,9 @@ edns.edns_present = 1; edns.ext_rcode = 0; edns.edns_version = EDNS_ADVERTISED_VERSION; - edns.opt_list = sq->opt_list; + edns.opt_list_in = NULL; + edns.opt_list_out = sq->opt_list; + edns.opt_list_inplace_cb_out = NULL; if(sq->status == serviced_query_UDP_EDNS_FRAG) { if(addr_is_ip6(&sq->addr, sq->addrlen)) { if(EDNS_FRAG_SIZE_IP6 < EDNS_ADVERTISED_SIZE) 
@@ -2731,8 +2837,8 @@ padding_option.opt_code = LDNS_EDNS_PADDING; padding_option.opt_len = 0; padding_option.opt_data = NULL; - padding_option.next = edns.opt_list; - edns.opt_list = &padding_option; + padding_option.next = edns.opt_list_out; + edns.opt_list_out = &padding_option; edns.padding_block_size = sq->padding_block_size; } attach_edns_record(buff, &edns); @@ -2889,7 +2995,8 @@ * use secondary buffer to store the query. * This is a data copy, but faster than packet to server */ backlen = sldns_buffer_limit(c->buffer); - backup_p = memdup(sldns_buffer_begin(c->buffer), backlen); + backup_p = regional_alloc_init(sq->region, + sldns_buffer_begin(c->buffer), backlen); if(!backup_p) { log_err("malloc failure in serviced query callbacks"); error = NETEVENT_CLOSED; @@ -2907,10 +3014,8 @@ } fptr_ok(fptr_whitelist_serviced_query(p->cb)); (void)(*p->cb)(c, p->cb_arg, error, rep); - free(p); } if(backup_p) { - free(backup_p); sq->outnet->svcd_overhead = 0; } verbose(VERB_ALGO, "svcd callbacks end"); @@ -2928,7 +3033,7 @@ struct waiting_tcp* w = (struct waiting_tcp*)sq->pending; struct pending_tcp* pend_tcp = NULL; struct port_if* pi = NULL; - if(!w->on_tcp_waiting_list && w->next_waiting) { + if(w && !w->on_tcp_waiting_list && w->next_waiting) { pend_tcp = (struct pending_tcp*)w->next_waiting; pi = pend_tcp->pi; } @@ -3011,8 +3116,8 @@ rep = &r2; r2.c = c; } - memcpy(&rep->addr, &sq->addr, sq->addrlen); - rep->addrlen = sq->addrlen; + memcpy(&rep->remote_addr, &sq->addr, sq->addrlen); + rep->remote_addrlen = sq->addrlen; serviced_callbacks(sq, error, c, rep); return 0; } 
@@ -3024,8 +3129,11 @@ sq->status==serviced_query_TCP_EDNS?"EDNS":""); serviced_encode(sq, buff, sq->status == serviced_query_TCP_EDNS); sq->last_sent_time = *sq->outnet->now_tv; + log_assert(!sq->busy); + sq->busy = 1; sq->pending = pending_tcp_query(sq, buff, sq->outnet->tcp_auth_query_timeout, serviced_tcp_callback, sq); + sq->busy = 0; if(!sq->pending) { /* delete from tree so that a retry by above layer does not * clash with this entry */ @@ -3057,8 +3165,11 @@ } else { timeout = sq->outnet->tcp_auth_query_timeout; } + log_assert(!sq->busy); + sq->busy = 1; sq->pending = pending_tcp_query(sq, buff, timeout, serviced_tcp_callback, sq); + sq->busy = 0; return sq->pending != NULL; } @@ -3109,7 +3220,6 @@ struct timeval now = *sq->outnet->now_tv; #ifdef USE_DNSTAP struct pending* p = (struct pending*)sq->pending; - struct port_if* pi = p->pc->pif; #endif sq->pending = NULL; /* removed after callback */ @@ -3151,14 +3261,16 @@ /* * sending src (local service)/dst (upstream) addresses over DNSTAP */ - if(error == NETEVENT_NOERROR && outnet->dtenv && - (outnet->dtenv->log_resolver_response_messages || - outnet->dtenv->log_forwarder_response_messages)) { + if(error == NETEVENT_NOERROR && outnet->dtenv && p->pc && + (outnet->dtenv->log_resolver_response_messages || + outnet->dtenv->log_forwarder_response_messages)) { log_addr(VERB_ALGO, "response from upstream", &sq->addr, sq->addrlen); - log_addr(VERB_ALGO, "to local addr", &pi->addr, pi->addrlen); - dt_msg_send_outside_response(outnet->dtenv, &sq->addr, &pi->addr, c->type, - sq->zone, sq->zonelen, sq->qbuf, sq->qbuflen, - &sq->last_sent_time, sq->outnet->now_tv, c->buffer); + log_addr(VERB_ALGO, "to local addr", &p->pc->pif->addr, + p->pc->pif->addrlen); + dt_msg_send_outside_response(outnet->dtenv, &sq->addr, + &p->pc->pif->addr, c->type, sq->zone, sq->zonelen, + sq->qbuf, sq->qbuflen, &sq->last_sent_time, + sq->outnet->now_tv, c->buffer); } #endif if( (sq->status == serviced_query_UDP_EDNS 
@@ -3248,64 +3360,116 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, struct module_qstate* qstate, - comm_point_callback_type* callback, void* callback_arg, sldns_buffer* buff, - struct module_env* env) + int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, + uint8_t* zone, size_t zonelen, struct module_qstate* qstate, + comm_point_callback_type* callback, void* callback_arg, + sldns_buffer* buff, struct module_env* env, int* was_ratelimited) { struct serviced_query* sq; struct service_callback* cb; struct edns_string_addr* client_string_addr; - - if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen, - qstate, qstate->region)) + struct regional* region; + struct edns_option* backed_up_opt_list = qstate->edns_opts_back_out; + struct edns_option* per_upstream_opt_list = NULL; + time_t timenow = 0; + + /* If we have an already populated EDNS option list make a copy since + * we may now add upstream specific EDNS options. */ + /* Use a region that could be attached to a serviced_query, if it needs + * to be created. If an existing one is found then this region will be + * destroyed here. 
*/ + region = alloc_reg_obtain(env->alloc); + if(!region) return NULL; + if(qstate->edns_opts_back_out) { + per_upstream_opt_list = edns_opt_copy_region( + qstate->edns_opts_back_out, region); + if(!per_upstream_opt_list) { + alloc_reg_release(env->alloc, region); return NULL; + } + qstate->edns_opts_back_out = per_upstream_opt_list; + } + + if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, + zonelen, qstate, region)) { + alloc_reg_release(env->alloc, region); + return NULL; + } + /* Restore the option list; we can explicitly use the copied one from + * now on. */ + per_upstream_opt_list = qstate->edns_opts_back_out; + qstate->edns_opts_back_out = backed_up_opt_list; if((client_string_addr = edns_string_addr_lookup( &env->edns_strings->client_strings, addr, addrlen))) { - edns_opt_list_append(&qstate->edns_opts_back_out, + edns_opt_list_append(&per_upstream_opt_list, env->edns_strings->client_string_opcode, client_string_addr->string_len, - client_string_addr->string, qstate->region); + client_string_addr->string, region); } serviced_gen_query(buff, qinfo->qname, qinfo->qname_len, qinfo->qtype, qinfo->qclass, flags); sq = lookup_serviced(outnet, buff, dnssec, addr, addrlen, - qstate->edns_opts_back_out); - /* duplicate entries are included in the callback list, because - * there is a counterpart registration by our caller that needs to - * be doubly-removed (with callbacks perhaps). */ - if(!(cb = (struct service_callback*)malloc(sizeof(*cb)))) - return NULL; + per_upstream_opt_list); if(!sq) { + /* Check ratelimit only for new serviced_query */ + if(check_ratelimit) { + timenow = *env->now; + if(!infra_ratelimit_inc(env->infra_cache, zone, + zonelen, timenow, env->cfg->ratelimit_backoff, + &qstate->qinfo, qstate->reply)) { + /* Can we pass through with slip factor? 
*/ + if(env->cfg->ratelimit_factor == 0 || + ub_random_max(env->rnd, + env->cfg->ratelimit_factor) != 1) { + *was_ratelimited = 1; + alloc_reg_release(env->alloc, region); + return NULL; + } + log_nametypeclass(VERB_ALGO, + "ratelimit allowed through for " + "delegation point", zone, + LDNS_RR_TYPE_NS, LDNS_RR_CLASS_IN); + } + } /* make new serviced query entry */ sq = serviced_create(outnet, buff, dnssec, want_dnssec, nocaps, tcp_upstream, ssl_upstream, tls_auth_name, addr, addrlen, zone, zonelen, (int)qinfo->qtype, - qstate->edns_opts_back_out, + per_upstream_opt_list, ( ssl_upstream && env->cfg->pad_queries - ? env->cfg->pad_queries_block_size : 0 )); + ? env->cfg->pad_queries_block_size : 0 ), + env->alloc, region); if(!sq) { - free(cb); + if(check_ratelimit) { + infra_ratelimit_dec(env->infra_cache, + zone, zonelen, timenow); + } return NULL; } - /* perform first network action */ - if(outnet->do_udp && !(tcp_upstream || ssl_upstream)) { - if(!serviced_udp_send(sq, buff)) { - (void)rbtree_delete(outnet->serviced, sq); - serviced_node_del(&sq->node, NULL); - free(cb); - return NULL; - } - } else { - if(!serviced_tcp_send(sq, buff)) { - (void)rbtree_delete(outnet->serviced, sq); - serviced_node_del(&sq->node, NULL); - free(cb); - return NULL; + if(!(cb = (struct service_callback*)regional_alloc( + sq->region, sizeof(*cb)))) { + if(check_ratelimit) { + infra_ratelimit_dec(env->infra_cache, + zone, zonelen, timenow); } + (void)rbtree_delete(outnet->serviced, sq); + serviced_node_del(&sq->node, NULL); + return NULL; + } + /* No network action at this point; it will be invoked with the + * serviced_query timer instead to run outside of the mesh. */ + } else { + /* We don't need this region anymore. */ + alloc_reg_release(env->alloc, region); + /* duplicate entries are included in the callback list, because + * there is a counterpart registration by our caller that needs + * to be doubly-removed (with callbacks perhaps). 
*/ + if(!(cb = (struct service_callback*)regional_alloc( + sq->region, sizeof(*cb)))) { + return NULL; } } /* add callback to list of callbacks */ @@ -3325,7 +3489,6 @@ if((*pp)->cb_arg == cb_arg) { struct service_callback* del = *pp; *pp = del->next; - free(del); return; } pp = &(*pp)->next; @@ -3334,13 +3497,13 @@ void outnet_serviced_query_stop(struct serviced_query* sq, void* cb_arg) { - if(!sq) + if(!sq) return; callback_list_remove(sq, cb_arg); /* if callbacks() routine scheduled deletion, let it do that */ - if(!sq->cblist && !sq->to_be_deleted) { + if(!sq->cblist && !sq->busy && !sq->to_be_deleted) { (void)rbtree_delete(sq->outnet->serviced, sq); - serviced_delete(sq); + serviced_delete(sq); } } @@ -3432,7 +3595,7 @@ if(fd == -1) { return NULL; } - cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, + cp = comm_point_create_udp(outnet->base, fd, outnet->udp_buff, 0, cb, cb_arg, NULL); if(!cp) { log_err("malloc failure"); @@ -3520,8 +3683,8 @@ close(fd); return 0; } - cp->repinfo.addrlen = to_addrlen; - memcpy(&cp->repinfo.addr, to_addr, to_addrlen); + cp->repinfo.remote_addrlen = to_addrlen; + memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen); /* setup for SSL (if needed) */ if(ssl) { @@ -3596,8 +3759,8 @@ close(fd); return 0; } - cp->repinfo.addrlen = to_addrlen; - memcpy(&cp->repinfo.addr, to_addr, to_addrlen); + cp->repinfo.remote_addrlen = to_addrlen; + memcpy(&cp->repinfo.remote_addr, to_addr, to_addrlen); /* setup for SSL (if needed) */ if(ssl) {
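Review bot: On the `inplace_cb_query_call()` failure path in `outnet_serviced_query` (hunk at -3248), `qstate->edns_opts_back_out` still points at the copy made in `region`, and `region` is released on the next line, so the qstate is left holding a pointer into released memory. The restore `qstate->edns_opts_back_out = backed_up_opt_list;` runs only on the success path; I would put the same assignment before `alloc_reg_release(env->alloc, region);` inside the failure branch. Whether the callback runner can actually return 0 is not visible in this hunk, so the problem may be latent, but the branch exists and should leave qstate consistent. Separately, `*was_ratelimited = 1;` writes through the new out-parameter without a NULL check, and the function body continues past the end of the hunk.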
_service:tar_scm:unbound-1.13.2.tar.gz/services/outside_network.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/outside_network.h
Changed
@@ -43,7 +43,9 @@ #ifndef OUTSIDE_NETWORK_H #define OUTSIDE_NETWORK_H +#include "util/alloc.h" #include "util/rbtree.h" +#include "util/regional.h" #include "util/netevent.h" #include "dnstap/dnstap_config.h" struct pending; @@ -111,6 +113,8 @@ /** if we perform udp-connect, connect() for UDP socket to mitigate * ICMP side channel leakage */ int udp_connect; + /** number of udp packets sent. */ + size_t num_udp_outgoing; /** array of outgoing IP4 interfaces */ struct port_if* ip4_ifs; @@ -412,6 +416,8 @@ char* tls_auth_name; /** the packet was involved in an error, to stop looping errors */ int error_count; + /** if true, the item is at the cb_and_decommission stage */ + int in_cb_and_decommission; #ifdef USE_DNSTAP /** serviced query pointer for dnstap to get logging info, if nonNULL*/ struct serviced_query* sq; @@ -512,6 +518,15 @@ void* pending; /** block size with which to pad encrypted queries (default: 128) */ size_t padding_block_size; + /** region for this serviced query. Will be cleared when this + * serviced_query will be deleted */ + struct regional* region; + /** allocation service for the region */ + struct alloc_cache* alloc; + /** flash timer to start the net I/O as a separate event */ + struct comm_timer* timer; + /** true if serviced_query is currently doing net I/O and may block */ + int busy; }; /** @@ -619,6 +634,7 @@ * @param want_dnssec: signatures are needed, without EDNS the answer is * likely to be useless. * @param nocaps: ignore use_caps_for_id and use unperturbed qname. + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: when ssl_upstream is true, use this name to check 
@@ -635,16 +651,18 @@ * @param callback_arg: user argument to callback function. * @param buff: scratch buffer to create query contents in. Empty on exit. * @param env: the module environment. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return 0 on error, or pointer to serviced query that is used to answer * this serviced query may be shared with other callbacks as well. */ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, int tcp_upstream, int ssl_upstream, char* tls_auth_name, - struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, - size_t zonelen, struct module_qstate* qstate, + int nocaps, int check_ratelimit, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct sockaddr_storage* addr, socklen_t addrlen, + uint8_t* zone, size_t zonelen, struct module_qstate* qstate, comm_point_callback_type* callback, void* callback_arg, - struct sldns_buffer* buff, struct module_env* env); + struct sldns_buffer* buff, struct module_env* env, int* was_ratelimited); /** * Remove service query callback. 
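Review bot: The added `@param was_ratelimited` text does not say that the pointer must be non-NULL or that the caller has to initialise the value. In the matching outside_network.c hunk the function only executes `*was_ratelimited = 1;` and never stores 0, at least in the lines shown there, so a caller that passes an uninitialised int reads an indeterminate value on every return that was not ratelimited. I would word it as `@param was_ratelimited: must not be NULL; set to 1 when the ratelimit check refused the query, otherwise left untouched (caller initialises to 0).`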
@@ -700,6 +718,30 @@ /** delete readwait waiting_tcp elements, deletes the elements in the list */ void reuse_del_readwait(rbtree_type* tree_by_id); +/** remove waiting tcp from the outnet waiting list */ +void outnet_waiting_tcp_list_remove(struct outside_network* outnet, + struct waiting_tcp* w); + +/** pop the first waiting tcp from the outnet waiting list */ +struct waiting_tcp* outnet_waiting_tcp_list_pop(struct outside_network* outnet); + +/** add waiting_tcp element to the outnet tcp waiting list */ +void outnet_waiting_tcp_list_add(struct outside_network* outnet, + struct waiting_tcp* w, int set_timer); + +/** add waiting_tcp element as first to the outnet tcp waiting list */ +void outnet_waiting_tcp_list_add_first(struct outside_network* outnet, + struct waiting_tcp* w, int reset_timer); + +/** pop the first element from the writewait list */ +struct waiting_tcp* reuse_write_wait_pop(struct reuse_tcp* reuse); + +/** remove the element from the writewait list */ +void reuse_write_wait_remove(struct reuse_tcp* reuse, struct waiting_tcp* w); + +/** push the element after the last on the writewait list */ +void reuse_write_wait_push_back(struct reuse_tcp* reuse, struct waiting_tcp* w); + /** get TCP file descriptor for address, returns -1 on failure, * tcp_mss is 0 or maxseg size to set for TCP packets. */ int outnet_get_tcp_fd(struct sockaddr_storage* addr, socklen_t addrlen, @@ -785,6 +827,9 @@ /** callback for outgoing TCP timer event */ void outnet_tcptimer(void* arg); +/** callback to send serviced queries */ +void serviced_timer_cb(void *arg); + /** callback for serviced query UDP answers */ int serviced_udp_callback(struct comm_point* c, void* arg, int error, struct comm_reply* rep);
_service:tar_scm:unbound-1.13.2.tar.gz/services/rpz.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/rpz.c
Changed
@@ -50,45 +50,50 @@ #include "util/data/dname.h" #include "util/locks.h" #include "util/regional.h" +#include "util/data/msgencode.h" +#include "services/cache/dns.h" +#include "iterator/iterator.h" +#include "iterator/iter_delegpt.h" +#include "daemon/worker.h" + +typedef struct resp_addr rpz_aclnode_type; + +struct matched_delegation_point { + uint8_t* dname; + size_t dname_len; +}; /** string for RPZ action enum */ const char* rpz_action_to_string(enum rpz_action a) { switch(a) { - case RPZ_NXDOMAIN_ACTION: return "nxdomain"; - case RPZ_NODATA_ACTION: return "nodata"; - case RPZ_PASSTHRU_ACTION: return "passthru"; - case RPZ_DROP_ACTION: return "drop"; - case RPZ_TCP_ONLY_ACTION: return "tcp_only"; - case RPZ_INVALID_ACTION: return "invalid"; - case RPZ_LOCAL_DATA_ACTION: return "local_data"; - case RPZ_DISABLED_ACTION: return "disabled"; - case RPZ_CNAME_OVERRIDE_ACTION: return "cname_override"; - case RPZ_NO_OVERRIDE_ACTION: return "no_override"; + case RPZ_NXDOMAIN_ACTION: return "rpz-nxdomain"; + case RPZ_NODATA_ACTION: return "rpz-nodata"; + case RPZ_PASSTHRU_ACTION: return "rpz-passthru"; + case RPZ_DROP_ACTION: return "rpz-drop"; + case RPZ_TCP_ONLY_ACTION: return "rpz-tcp-only"; + case RPZ_INVALID_ACTION: return "rpz-invalid"; + case RPZ_LOCAL_DATA_ACTION: return "rpz-local-data"; + case RPZ_DISABLED_ACTION: return "rpz-disabled"; + case RPZ_CNAME_OVERRIDE_ACTION: return "rpz-cname-override"; + case RPZ_NO_OVERRIDE_ACTION: return "rpz-no-override"; + default: return "rpz-unknown-action"; } - return "unknown"; } /** RPZ action enum for config string */ static enum rpz_action rpz_config_to_action(char* a) { - if(strcmp(a, "nxdomain") == 0) - return RPZ_NXDOMAIN_ACTION; - else if(strcmp(a, "nodata") == 0) - return RPZ_NODATA_ACTION; - else if(strcmp(a, "passthru") == 0) - return RPZ_PASSTHRU_ACTION; - else if(strcmp(a, "drop") == 0) - return RPZ_DROP_ACTION; - else if(strcmp(a, "tcp_only") == 0) - return RPZ_TCP_ONLY_ACTION; - else if(strcmp(a, "cname") == 
0) - return RPZ_CNAME_OVERRIDE_ACTION; - else if(strcmp(a, "disabled") == 0) - return RPZ_DISABLED_ACTION; - return RPZ_INVALID_ACTION; + if(strcmp(a, "nxdomain") == 0) return RPZ_NXDOMAIN_ACTION; + else if(strcmp(a, "nodata") == 0) return RPZ_NODATA_ACTION; + else if(strcmp(a, "passthru") == 0) return RPZ_PASSTHRU_ACTION; + else if(strcmp(a, "drop") == 0) return RPZ_DROP_ACTION; + else if(strcmp(a, "tcp_only") == 0) return RPZ_TCP_ONLY_ACTION; + else if(strcmp(a, "cname") == 0) return RPZ_CNAME_OVERRIDE_ACTION; + else if(strcmp(a, "disabled") == 0) return RPZ_DISABLED_ACTION; + else return RPZ_INVALID_ACTION; } /** string for RPZ trigger enum */ @@ -96,14 +101,14 @@ rpz_trigger_to_string(enum rpz_trigger r) { switch(r) { - case RPZ_QNAME_TRIGGER: return "qname"; - case RPZ_CLIENT_IP_TRIGGER: return "client_ip"; - case RPZ_RESPONSE_IP_TRIGGER: return "response_ip"; - case RPZ_NSDNAME_TRIGGER: return "nsdname"; - case RPZ_NSIP_TRIGGER: return "nsip"; - case RPZ_INVALID_TRIGGER: return "invalid"; + case RPZ_QNAME_TRIGGER: return "rpz-qname"; + case RPZ_CLIENT_IP_TRIGGER: return "rpz-client-ip"; + case RPZ_RESPONSE_IP_TRIGGER: return "rpz-response-ip"; + case RPZ_NSDNAME_TRIGGER: return "rpz-nsdname"; + case RPZ_NSIP_TRIGGER: return "rpz-nsip"; + case RPZ_INVALID_TRIGGER: return "rpz-invalid"; + default: return "rpz-unknown-trigger"; } - return "unknown"; } /** 
@@ -138,6 +143,31 @@ } /** + * The RR types that are to be ignored. + * DNSSEC RRs at the apex, and SOA and NS are ignored. + */ +static int +rpz_type_ignored(uint16_t rr_type) +{ + switch(rr_type) { + case LDNS_RR_TYPE_SOA: + case LDNS_RR_TYPE_NS: + case LDNS_RR_TYPE_DNAME: + /* all DNSSEC-related RRs must be ignored */ + case LDNS_RR_TYPE_DNSKEY: + case LDNS_RR_TYPE_DS: + case LDNS_RR_TYPE_RRSIG: + case LDNS_RR_TYPE_NSEC: + case LDNS_RR_TYPE_NSEC3: + case LDNS_RR_TYPE_NSEC3PARAM: + return 1; + default: + break; + } + return 0; +} + +/** * Classify RPZ action for RR type/rdata * @param rr_type: the RR type * @param rdatawl: RDATA with 2 bytes length @@ -208,15 +238,15 @@ rpz_action_to_localzone_type(enum rpz_action a) { switch(a) { - case RPZ_NXDOMAIN_ACTION: return local_zone_always_nxdomain; - case RPZ_NODATA_ACTION: return local_zone_always_nodata; - case RPZ_DROP_ACTION: return local_zone_always_deny; - case RPZ_PASSTHRU_ACTION: return local_zone_always_transparent; + case RPZ_NXDOMAIN_ACTION: return local_zone_always_nxdomain; + case RPZ_NODATA_ACTION: return local_zone_always_nodata; + case RPZ_DROP_ACTION: return local_zone_always_deny; + case RPZ_PASSTHRU_ACTION: return local_zone_always_transparent; case RPZ_LOCAL_DATA_ACTION: /* fallthrough */ case RPZ_CNAME_OVERRIDE_ACTION: return local_zone_redirect; - case RPZ_INVALID_ACTION: /* fallthrough */ - case RPZ_TCP_ONLY_ACTION: /* fallthrough */ - default: return local_zone_invalid; + case RPZ_TCP_ONLY_ACTION: return local_zone_truncate; + case RPZ_INVALID_ACTION: /* fallthrough */ + default: return local_zone_invalid; } } 
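Review bot: The doc comment on the new `rpz_type_ignored()` (hunk at -138) says "DNSSEC RRs at the apex, and SOA and NS are ignored", but the switch also returns 1 for `LDNS_RR_TYPE_DNAME`. The function only receives `rr_type`, so it cannot restrict anything to the apex either. The comment should match the code: `* SOA, NS, DNAME and the DNSSEC RR types (DNSKEY, DS, RRSIG, NSEC, NSEC3, NSEC3PARAM) are ignored; returns 1 for those, 0 otherwise.` If the apex restriction is intended, it has to be enforced by the caller, which is outside this hunk.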
@@ -224,15 +254,15 @@ rpz_action_to_respip_action(enum rpz_action a) { switch(a) { - case RPZ_NXDOMAIN_ACTION: return respip_always_nxdomain; - case RPZ_NODATA_ACTION: return respip_always_nodata; - case RPZ_DROP_ACTION: return respip_always_deny; - case RPZ_PASSTHRU_ACTION: return respip_always_transparent; - case RPZ_LOCAL_DATA_ACTION: /* fallthrough */ + case RPZ_NXDOMAIN_ACTION: return respip_always_nxdomain; + case RPZ_NODATA_ACTION: return respip_always_nodata; + case RPZ_DROP_ACTION: return respip_always_deny; + case RPZ_PASSTHRU_ACTION: return respip_always_transparent; + case RPZ_LOCAL_DATA_ACTION: /* fallthrough */ case RPZ_CNAME_OVERRIDE_ACTION: return respip_redirect; - case RPZ_INVALID_ACTION: /* fallthrough */ - case RPZ_TCP_ONLY_ACTION: /* fallthrough */ - default: return respip_invalid; + case RPZ_TCP_ONLY_ACTION: return respip_truncate; + case RPZ_INVALID_ACTION: /* fallthrough */ + default: return respip_invalid; } } @@ -240,14 +270,14 @@ localzone_type_to_rpz_action(enum localzone_type lzt) { switch(lzt) { - case local_zone_always_nxdomain: return RPZ_NXDOMAIN_ACTION; - case local_zone_always_nodata: return RPZ_NODATA_ACTION; - case local_zone_always_deny: return RPZ_DROP_ACTION; - case local_zone_always_transparent: return RPZ_PASSTHRU_ACTION; - case local_zone_redirect: return RPZ_LOCAL_DATA_ACTION; - case local_zone_invalid: - default: - return RPZ_INVALID_ACTION; + case local_zone_always_nxdomain: return RPZ_NXDOMAIN_ACTION; + case local_zone_always_nodata: return RPZ_NODATA_ACTION; + case local_zone_always_deny: return RPZ_DROP_ACTION; + case local_zone_always_transparent: return RPZ_PASSTHRU_ACTION; + case local_zone_redirect: return RPZ_LOCAL_DATA_ACTION; + case local_zone_truncate: return RPZ_TCP_ONLY_ACTION; + case local_zone_invalid: /* fallthrough */ + default: return RPZ_INVALID_ACTION; } } 
@@ -255,14 +285,14 @@ respip_action_to_rpz_action(enum respip_action a) { switch(a) { - case respip_always_nxdomain: return RPZ_NXDOMAIN_ACTION; - case respip_always_nodata: return RPZ_NODATA_ACTION; - case respip_always_deny: return RPZ_DROP_ACTION; - case respip_always_transparent: return RPZ_PASSTHRU_ACTION; - case respip_redirect: return RPZ_LOCAL_DATA_ACTION; - case respip_invalid: - default: - return RPZ_INVALID_ACTION; + case respip_always_nxdomain: return RPZ_NXDOMAIN_ACTION; + case respip_always_nodata: return RPZ_NODATA_ACTION; + case respip_always_deny: return RPZ_DROP_ACTION; + case respip_always_transparent: return RPZ_PASSTHRU_ACTION; + case respip_redirect: return RPZ_LOCAL_DATA_ACTION; + case respip_truncate: return RPZ_TCP_ONLY_ACTION; + case respip_invalid: /* fallthrough */ + default: return RPZ_INVALID_ACTION; } } 
@@ -298,12 +328,55 @@ return RPZ_QNAME_TRIGGER; } -void rpz_delete(struct rpz* r) +static inline struct clientip_synthesized_rrset* +rpz_clientip_synthesized_set_create(void) +{ + struct clientip_synthesized_rrset* set = calloc(1, sizeof(*set)); + if(set == NULL) { + return NULL; + } + set->region = regional_create(); + if(set->region == NULL) { + free(set); + return NULL; + } + addr_tree_init(&set->entries); + lock_rw_init(&set->lock); + return set; +} + +static void +rpz_clientip_synthesized_rr_delete(rbnode_type* n, void* ATTR_UNUSED(arg)) +{ + struct clientip_synthesized_rr* r = (struct clientip_synthesized_rr*)n->key; + lock_rw_destroy(&r->lock); +#ifdef THREADS_DISABLED + (void)r; +#endif +} + +static inline void +rpz_clientip_synthesized_set_delete(struct clientip_synthesized_rrset* set) +{ + if(set == NULL) { + return; + } + lock_rw_destroy(&set->lock); + traverse_postorder(&set->entries, rpz_clientip_synthesized_rr_delete, NULL); + regional_destroy(set->region); + free(set); +} + +void +rpz_delete(struct rpz* r) { if(!r) return; local_zones_delete(r->local_zones); + local_zones_delete(r->nsdname_zones); respip_set_delete(r->respip_set); + rpz_clientip_synthesized_set_delete(r->client_set); + rpz_clientip_synthesized_set_delete(r->ns_set); regional_destroy(r->region); free(r->taglist); free(r->log_name); 
@@ -315,13 +388,31 @@ { /* must hold write lock on auth_zone */ local_zones_delete(r->local_zones); + r->local_zones = NULL; + local_zones_delete(r->nsdname_zones); + r->nsdname_zones = NULL; respip_set_delete(r->respip_set); + r->respip_set = NULL; + rpz_clientip_synthesized_set_delete(r->client_set); + r->client_set = NULL; + rpz_clientip_synthesized_set_delete(r->ns_set); + r->ns_set = NULL; if(!(r->local_zones = local_zones_create())){ return 0; } + r->nsdname_zones = local_zones_create(); + if(r->nsdname_zones == NULL) { + return 0; + } if(!(r->respip_set = respip_set_create())) { return 0; } + if(!(r->client_set = rpz_clientip_synthesized_set_create())) { + return 0; + } + if(!(r->ns_set = rpz_clientip_synthesized_set_create())) { + return 0; + } return 1; } @@ -331,6 +422,14 @@ lock_rw_wrlock(&r->respip_set->lock); addr_tree_init_parents(&r->respip_set->ip_tree); lock_rw_unlock(&r->respip_set->lock); + + lock_rw_wrlock(&r->client_set->lock); + addr_tree_init_parents(&r->client_set->entries); + lock_rw_unlock(&r->client_set->lock); + + lock_rw_wrlock(&r->ns_set->lock); + addr_tree_init_parents(&r->ns_set->entries); + lock_rw_unlock(&r->ns_set->lock); } /** new rrset containing CNAME override, does not yet contain a dname */ @@ -394,9 +493,26 @@ if(!(r->local_zones = local_zones_create())){ goto err; } + + r->nsdname_zones = local_zones_create(); + if(r->local_zones == NULL){ + goto err; + } + if(!(r->respip_set = respip_set_create())) { goto err; } + + r->client_set = rpz_clientip_synthesized_set_create(); + if(r->client_set == NULL) { + goto err; + } + + r->ns_set = rpz_clientip_synthesized_set_create(); + if(r->ns_set == NULL) { + goto err; + } + r->taglistlen = p->rpz_taglistlen; r->taglist = memdup(p->rpz_taglist, r->taglistlen); if(p->rpz_action_override) { 
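Review bot: In the hunk at -394, the check after `r->nsdname_zones = local_zones_create();` tests the wrong field: `if(r->local_zones == NULL)` cannot be true at that point, because `local_zones` was already checked a few lines above. A failed allocation of `nsdname_zones` therefore goes unnoticed and the NULL set is handed on to later code; the line should read `if(r->nsdname_zones == NULL){`. The hunk at -315 already tests `r->nsdname_zones` after the same call, so this looks like a copy-paste slip. The enclosing function starts and ends outside the hunk.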
@@ -410,13 +526,13 @@ size_t nmlen = sizeof(nm); if(!p->rpz_cname) { - log_err("RPZ override with cname action found, but no " + log_err("rpz: override with cname action found, but no " "rpz-cname-override configured"); goto err; } if(sldns_str2wire_dname_buf(p->rpz_cname, nm, &nmlen) != 0) { - log_err("cannot parse RPZ cname override: %s", + log_err("rpz: cannot parse cname override: %s", p->rpz_cname); goto err; } @@ -426,6 +542,7 @@ } } r->log = p->rpz_log; + r->signal_nxdomain_ra = p->rpz_signal_nxdomain_ra; if(p->rpz_log_name) { if(!(r->log_name = strdup(p->rpz_log_name))) { log_err("malloc failure on RPZ log_name strdup"); @@ -437,8 +554,14 @@ if(r) { if(r->local_zones) local_zones_delete(r->local_zones); + if(r->nsdname_zones) + local_zones_delete(r->nsdname_zones); if(r->respip_set) respip_set_delete(r->respip_set); + if(r->client_set != NULL) + rpz_clientip_synthesized_set_delete(r->client_set); + if(r->ns_set != NULL) + rpz_clientip_synthesized_set_delete(r->ns_set); if(r->taglist) free(r->taglist); if(r->region) @@ -467,19 +590,17 @@ return newdnamelen + 1; /* + 1 for root label */ } -/** Insert RR into RPZ's local-zone */ static void -rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, - enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, - uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +rpz_insert_local_zones_trigger(struct local_zones* lz, uint8_t* dname, + size_t dnamelen, enum rpz_action a, uint16_t rrtype, uint16_t rrclass, + uint32_t ttl, uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) { struct local_zone* z; enum localzone_type tp = local_zone_always_transparent; int dnamelabs = dname_count_labels(dname); - char* rrstr; int newzone = 0; - if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION) { + if(a == RPZ_INVALID_ACTION) { char str255+1; if(rrtype == LDNS_RR_TYPE_SOA || rrtype == LDNS_RR_TYPE_NS || rrtype == LDNS_RR_TYPE_DNAME || 
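Review bot: The hunk at -467 removes the `/** Insert RR into RPZ's local-zone */` comment and leaves the new `rpz_insert_local_zones_trigger()` undocumented, although it has an ownership contract on `dname`. The paths visible in the following hunk free `dname` unless it becomes the name of a newly created zone, so a caller that frees or reuses the buffer afterwards would double-free or read freed memory. I would add a doc comment above the function stating that it inserts the RR into `lz`, takes the `lz` write lock itself, and takes ownership of `dname` on every path. The function body continues outside this hunk.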
@@ -493,243 +614,548 @@ return; /* no need to log these types as unsupported */ } dname_str(dname, str); - verbose(VERB_ALGO, "RPZ: qname trigger, %s skipping unsupported action: %s", + verbose(VERB_ALGO, "rpz: qname trigger, %s skipping unsupported action: %s", str, rpz_action_to_string(a)); free(dname); return; } - lock_rw_wrlock(&r->local_zones->lock); + lock_rw_wrlock(&lz->lock); /* exact match */ - z = local_zones_find(r->local_zones, dname, dnamelen, dnamelabs, - LDNS_RR_CLASS_IN); - if(z && a != RPZ_LOCAL_DATA_ACTION) { - rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ qname " - "trigger"); + z = local_zones_find(lz, dname, dnamelen, dnamelabs, LDNS_RR_CLASS_IN); + if(z != NULL && a != RPZ_LOCAL_DATA_ACTION) { + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz nsdname trigger"); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } - verbose(VERB_ALGO, "RPZ: skipping duplicate record: '%s'", - rrstr); + if(rrstr0) + rrstrstrlen(rrstr)-1=0; /* remove newline */ + verbose(VERB_ALGO, "rpz: skipping duplicate record: '%s'", rrstr); free(rrstr); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } - if(!z) { + if(z == NULL) { tp = rpz_action_to_localzone_type(a); - if(!(z = local_zones_add_zone(r->local_zones, dname, dnamelen, - dnamelabs, rrclass, tp))) { - log_warn("RPZ create failed"); - lock_rw_unlock(&r->local_zones->lock); + z = local_zones_add_zone(lz, dname, dnamelen, + dnamelabs, rrclass, tp); + if(z == NULL) { + log_warn("rpz: create failed"); + lock_rw_unlock(&lz->lock); /* dname will be free'd in failed local_zone_create() */ return; } newzone = 1; } if(a == RPZ_LOCAL_DATA_ACTION) { - rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while inserting RPZ qname " - "trigger"); + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == 
NULL) { + log_err("malloc error while inserting rpz nsdname trigger"); free(dname); - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&lz->lock); return; } lock_rw_wrlock(&z->lock); - local_zone_enter_rr(z, dname, dnamelen, dnamelabs, - rrtype, rrclass, ttl, rdata, rdata_len, rrstr); + local_zone_enter_rr(z, dname, dnamelen, dnamelabs, rrtype, + rrclass, ttl, rdata, rdata_len, rrstr); lock_rw_unlock(&z->lock); free(rrstr); } - if(!newzone) + if(!newzone) { free(dname); - lock_rw_unlock(&r->local_zones->lock); - return; + } + lock_rw_unlock(&lz->lock); } -/** Insert RR into RPZ's respip_set */ -static int -rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, +static void +rpz_log_dname(char const* msg, uint8_t* dname, size_t dname_len) +{ + char bufLDNS_MAX_DOMAINLEN+1; + (void)dname_len; + dname_str(dname, buf); + verbose(VERB_ALGO, "rpz: %s: <%s>", msg, buf); +} + +static void +rpz_insert_qname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) { - struct resp_addr* node; - struct sockaddr_storage addr; - socklen_t addrlen; - int net, af; - char* rrstr; - enum respip_action respa = rpz_action_to_respip_action(a); + if(a == RPZ_INVALID_ACTION) { + verbose(VERB_ALGO, "rpz: skipping invalid action"); + free(dname); + return; + } - if(a == RPZ_TCP_ONLY_ACTION || a == RPZ_INVALID_ACTION || - respa == respip_invalid) { - char str255+1; - dname_str(dname, str); - verbose(VERB_ALGO, "RPZ: respip trigger, %s skipping unsupported action: %s", - str, rpz_action_to_string(a)); + rpz_insert_local_zones_trigger(r->local_zones, dname, dnamelen, a, rrtype, + rrclass, ttl, rdata, rdata_len, rr, rr_len); +} + +static int +rpz_strip_nsdname_suffix(uint8_t* dname, size_t maxdnamelen, + uint8_t** stripdname, size_t* stripdnamelen) +{ + uint8_t* tldstart = get_tld_label(dname, maxdnamelen); + uint8_t swap; + if(tldstart 
== NULL) { + if(dname == NULL) { + *stripdname = NULL; + *stripdnamelen = 0; + return 0; + } + *stripdname = memdup(dname, maxdnamelen); + if(!*stripdname) { + *stripdnamelen = 0; + log_err("malloc failure for rpz strip suffix"); + return 0; + } + *stripdnamelen = maxdnamelen; + return 1; + } + /* shorten the domain name briefly, + * then we allocate a new name with the correct length */ + swap = *tldstart; + *tldstart = 0; + (void)dname_count_size_labels(dname, stripdnamelen); + *stripdname = memdup(dname, *stripdnamelen); + *tldstart = swap; + if(!*stripdname) { + *stripdnamelen = 0; + log_err("malloc failure for rpz strip suffix"); return 0; } + return 1; +} - if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) - return 0; +static void +rpz_insert_nsdname_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + uint8_t* dname_stripped = NULL; + size_t dnamelen_stripped = 0; - lock_rw_wrlock(&r->respip_set->lock); + rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped, + &dnamelen_stripped); + if(a == RPZ_INVALID_ACTION) { + verbose(VERB_ALGO, "rpz: skipping invalid action"); + free(dname_stripped); + return; + } + + /* dname_stripped is consumed or freed by the insert routine */ + rpz_insert_local_zones_trigger(r->nsdname_zones, dname_stripped, + dnamelen_stripped, a, rrtype, rrclass, ttl, rdata, rdata_len, + rr, rr_len); +} + +static int +rpz_insert_ipaddr_based_trigger(struct respip_set* set, struct sockaddr_storage* addr, + socklen_t addrlen, int net, enum rpz_action a, uint16_t rrtype, + uint16_t rrclass, uint32_t ttl, uint8_t* rdata, size_t rdata_len, + uint8_t* rr, size_t rr_len) +{ + struct resp_addr* node; + char* rrstr; + enum respip_action respa = rpz_action_to_respip_action(a); + + lock_rw_wrlock(&set->lock); rrstr = sldns_wire2str_rr(rr, rr_len); - if(!rrstr) { - log_err("malloc error while 
inserting RPZ respip trigger"); - lock_rw_unlock(&r->respip_set->lock); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz ipaddr based trigger"); + lock_rw_unlock(&set->lock); return 0; } - if(!(node=respip_sockaddr_find_or_create(r->respip_set, &addr, addrlen, - net, 1, rrstr))) { - lock_rw_unlock(&r->respip_set->lock); + + node = respip_sockaddr_find_or_create(set, addr, addrlen, net, 1, rrstr); + if(node == NULL) { + lock_rw_unlock(&set->lock); free(rrstr); return 0; } lock_rw_wrlock(&node->lock); - lock_rw_unlock(&r->respip_set->lock); + lock_rw_unlock(&set->lock); + node->action = respa; if(a == RPZ_LOCAL_DATA_ACTION) { - respip_enter_rr(r->respip_set->region, node, rrtype, - rrclass, ttl, rdata, rdata_len, rrstr, ""); + respip_enter_rr(set->region, node, rrtype, + rrclass, ttl, rdata, rdata_len, rrstr, ""); } + lock_rw_unlock(&node->lock); free(rrstr); return 1; } -int -rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, - size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, - uint8_t* rdatawl, size_t rdatalen, uint8_t* rr, size_t rr_len) +static inline struct clientip_synthesized_rr* +rpz_clientip_ensure_entry(struct clientip_synthesized_rrset* set, + struct sockaddr_storage* addr, socklen_t addrlen, int net) { - size_t policydnamelen; - /* name is free'd in local_zone delete */ - enum rpz_trigger t; - enum rpz_action a; - uint8_t* policydname; + int insert_ok; + struct clientip_synthesized_rr* node = + (struct clientip_synthesized_rr*)addr_tree_find(&set->entries, + addr, addrlen, net); - if(!dname_subdomain_c(dname, azname)) { - char* dname_str = sldns_wire2str_dname(dname, dnamelen); - char* azname_str = sldns_wire2str_dname(azname, aznamelen); - if(dname_str && azname_str) { - log_err("RPZ: name of record (%s) to insert into RPZ is not a " - "subdomain of the configured name of the RPZ zone (%s)", - dname_str, azname_str); - } else { - log_err("RPZ: name of record to insert into RPZ is not a " 
- "subdomain of the configured name of the RPZ zone"); - } - free(dname_str); - free(azname_str); - return 0; + if(node != NULL) { return node; } + + /* node does not yet exist => allocate one */ + node = regional_alloc_zero(set->region, sizeof(*node)); + if(node == NULL) { + log_err("out of memory"); + return NULL; } - log_assert(dnamelen >= aznamelen); - if(!(policydname = calloc(1, (dnamelen-aznamelen)+1))) { - log_err("malloc error while inserting RPZ RR"); - return 0; + lock_rw_init(&node->lock); + node->action = RPZ_INVALID_ACTION; + insert_ok = addr_tree_insert(&set->entries, &node->node, + addr, addrlen, net); + if (!insert_ok) { + log_warn("rpz: unexpected: unable to insert clientip address node"); + /* we can not free the just allocated node. + * theoretically a memleak */ + return NULL; } - a = rpz_rr_to_action(rr_type, rdatawl, rdatalen); - if(!(policydnamelen = strip_dname_origin(dname, dnamelen, aznamelen, - policydname, (dnamelen-aznamelen)+1))) { - free(policydname); - return 0; + return node; +} + +static void +rpz_report_rrset_error(const char* msg, uint8_t* rr, size_t rr_len) { + char* rrstr = sldns_wire2str_rr(rr, rr_len); + if(rrstr == NULL) { + log_err("malloc error while inserting rpz clientip based record"); + return; } - t = rpz_dname_to_trigger(policydname, policydnamelen); - if(t == RPZ_INVALID_TRIGGER) { - free(policydname); - verbose(VERB_ALGO, "RPZ: skipping invalid trigger"); - return 1; + log_err("rpz: unexpected: unable to insert %s: %s", msg, rrstr); + free(rrstr); +} + +/* from localzone.c; difference is we don't have a dname */ +static struct local_rrset* +rpz_clientip_new_rrset(struct regional* region, + struct clientip_synthesized_rr* raddr, uint16_t rrtype, uint16_t rrclass) +{ + struct packed_rrset_data* pd; + struct local_rrset* rrset = (struct local_rrset*) + regional_alloc_zero(region, sizeof(*rrset)); + if(rrset == NULL) { + log_err("out of memory"); + return NULL; } - if(t == RPZ_QNAME_TRIGGER) { - 
rpz_insert_qname_trigger(r, policydname, policydnamelen, - a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, - rr_len); + rrset->next = raddr->data; + raddr->data = rrset; + rrset->rrset = (struct ub_packed_rrset_key*) + regional_alloc_zero(region, sizeof(*rrset->rrset)); + if(rrset->rrset == NULL) { + log_err("out of memory"); + return NULL; } - else if(t == RPZ_RESPONSE_IP_TRIGGER) { - rpz_insert_response_ip_trigger(r, policydname, policydnamelen, - a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, - rr_len); - free(policydname); + rrset->rrset->entry.key = rrset->rrset; + pd = (struct packed_rrset_data*)regional_alloc_zero(region, sizeof(*pd)); + if(pd == NULL) { + log_err("out of memory"); + return NULL; } - else { - free(policydname); - verbose(VERB_ALGO, "RPZ: skipping unsupported trigger: %s", - rpz_trigger_to_string(t)); + pd->trust = rrset_trust_prim_noglue; + pd->security = sec_status_insecure; + rrset->rrset->entry.data = pd; + rrset->rrset->rk.type = htons(rrtype); + rrset->rrset->rk.rrset_class = htons(rrclass); + rrset->rrset->rk.dname = regional_alloc_zero(region, 1); + if(rrset->rrset->rk.dname == NULL) { + log_err("out of memory"); + return NULL; } - return 1; + rrset->rrset->rk.dname_len = 1; + return rrset; } -/** - * Find RPZ local-zone by qname. - * @param r: rpz containing local-zone tree - * @param qname: qname - * @param qname_len: length of qname - * @param qclass: qclass - * @param only_exact: if 1 only excact (non wildcard) matches are returned - * @param wr: get write lock for local-zone if 1, read lock if 0 - * @param zones_keep_lock: if set do not release the r->local_zones lock, this - * makes the caller of this function responsible for releasing the lock. 
- * @return: NULL or local-zone holding rd or wr lock - */ -static struct local_zone* -rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass, - int only_exact, int wr, int zones_keep_lock) +static int +rpz_clientip_enter_rr(struct regional* region, struct clientip_synthesized_rr* raddr, + uint16_t rrtype, uint16_t rrclass, time_t ttl, uint8_t* rdata, + size_t rdata_len) { - uint8_t* ce; - size_t ce_len; - int ce_labs; - uint8_t wcLDNS_MAX_DOMAINLEN+1; - int exact; - struct local_zone* z = NULL; - if(wr) { - lock_rw_wrlock(&r->local_zones->lock); - } else { - lock_rw_rdlock(&r->local_zones->lock); - } - z = local_zones_find_le(r->local_zones, qname, qname_len, - dname_count_labels(qname), - LDNS_RR_CLASS_IN, &exact); - if(!z || (only_exact && !exact)) { - lock_rw_unlock(&r->local_zones->lock); - return NULL; - } - if(wr) { - lock_rw_wrlock(&z->lock); - } else { - lock_rw_rdlock(&z->lock); + struct local_rrset* rrset; + if (rrtype == LDNS_RR_TYPE_CNAME && raddr->data != NULL) { + log_err("CNAME response-ip data can not co-exist with other " + "client-ip data"); + return 0; } - if(!zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + + rrset = rpz_clientip_new_rrset(region, raddr, rrtype, rrclass); + if(raddr->data == NULL) { + return 0; } - if(exact) - return z; + return rrset_insert_rr(region, rrset->rrset->entry.data, rdata, rdata_len, ttl, ""); +} - /* No exact match found, lookup wildcard. closest encloser must - * be the shared parent between the qname and the best local - * zone match, append '*' to that and do another lookup. 
*/ +static int +rpz_clientip_insert_trigger_rr(struct clientip_synthesized_rrset* set, struct sockaddr_storage* addr, + socklen_t addrlen, int net, enum rpz_action a, uint16_t rrtype, + uint16_t rrclass, uint32_t ttl, uint8_t* rdata, size_t rdata_len, + uint8_t* rr, size_t rr_len) +{ + struct clientip_synthesized_rr* node; - ce = dname_get_shared_topdomain(z->name, qname); - if(!ce /* should not happen */) { - lock_rw_unlock(&z->lock); - if(zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); - } - return NULL; - } + lock_rw_wrlock(&set->lock); + + node = rpz_clientip_ensure_entry(set, addr, addrlen, net); + if(node == NULL) { + lock_rw_unlock(&set->lock); + rpz_report_rrset_error("client ip address", rr, rr_len); + return 0; + } + + lock_rw_wrlock(&node->lock); + lock_rw_unlock(&set->lock); + + node->action = a; + if(a == RPZ_LOCAL_DATA_ACTION) { + if(!rpz_clientip_enter_rr(set->region, node, rrtype, + rrclass, ttl, rdata, rdata_len)) { + verbose(VERB_ALGO, "rpz: unable to insert clientip rr"); + lock_rw_unlock(&node->lock); + return 0; + } + + } + + lock_rw_unlock(&node->lock); + + return 1; +} + +static int +rpz_insert_clientip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + struct sockaddr_storage addr; + socklen_t addrlen; + int net, af; + + if(a == RPZ_INVALID_ACTION) { + return 0; + } + + if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) { + verbose(VERB_ALGO, "rpz: unable to parse client ip"); + return 0; + } + + return rpz_clientip_insert_trigger_rr(r->client_set, &addr, addrlen, net, + a, rrtype, rrclass, ttl, rdata, rdata_len, rr, rr_len); +} + +static int +rpz_insert_nsip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + struct 
sockaddr_storage addr; + socklen_t addrlen; + int net, af; + + if(a == RPZ_INVALID_ACTION) { + return 0; + } + + if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) { + verbose(VERB_ALGO, "rpz: unable to parse ns ip"); + return 0; + } + + return rpz_clientip_insert_trigger_rr(r->ns_set, &addr, addrlen, net, + a, rrtype, rrclass, ttl, rdata, rdata_len, rr, rr_len); +} + +/** Insert RR into RPZ's respip_set */ +static int +rpz_insert_response_ip_trigger(struct rpz* r, uint8_t* dname, size_t dnamelen, + enum rpz_action a, uint16_t rrtype, uint16_t rrclass, uint32_t ttl, + uint8_t* rdata, size_t rdata_len, uint8_t* rr, size_t rr_len) +{ + struct sockaddr_storage addr; + socklen_t addrlen; + int net, af; + + if(a == RPZ_INVALID_ACTION) { + return 0; + } + + if(!netblockdnametoaddr(dname, dnamelen, &addr, &addrlen, &net, &af)) { + verbose(VERB_ALGO, "rpz: unable to parse response ip"); + return 0; + } + + if(a == RPZ_INVALID_ACTION || + rpz_action_to_respip_action(a) == respip_invalid) { + char str255+1; + dname_str(dname, str); + verbose(VERB_ALGO, "rpz: respip trigger, %s skipping unsupported action: %s", + str, rpz_action_to_string(a)); + return 0; + } + + return rpz_insert_ipaddr_based_trigger(r->respip_set, &addr, addrlen, net, + a, rrtype, rrclass, ttl, rdata, rdata_len, rr, rr_len); +} + +int +rpz_insert_rr(struct rpz* r, uint8_t* azname, size_t aznamelen, uint8_t* dname, + size_t dnamelen, uint16_t rr_type, uint16_t rr_class, uint32_t rr_ttl, + uint8_t* rdatawl, size_t rdatalen, uint8_t* rr, size_t rr_len) +{ + size_t policydnamelen; + /* name is free'd in local_zone delete */ + enum rpz_trigger t; + enum rpz_action a; + uint8_t* policydname; + + if(rpz_type_ignored(rr_type)) { + /* this rpz action is not valid, eg. 
this is the SOA or NS RR */ + return 1; + } + if(!dname_subdomain_c(dname, azname)) { + char* dname_str = sldns_wire2str_dname(dname, dnamelen); + char* azname_str = sldns_wire2str_dname(azname, aznamelen); + if(dname_str && azname_str) { + log_err("rpz: name of record (%s) to insert into RPZ is not a " + "subdomain of the configured name of the RPZ zone (%s)", + dname_str, azname_str); + } else { + log_err("rpz: name of record to insert into RPZ is not a " + "subdomain of the configured name of the RPZ zone"); + } + free(dname_str); + free(azname_str); + return 0; + } + + log_assert(dnamelen >= aznamelen); + if(!(policydname = calloc(1, (dnamelen-aznamelen)+1))) { + log_err("malloc error while inserting RPZ RR"); + return 0; + } + + a = rpz_rr_to_action(rr_type, rdatawl, rdatalen); + if(!(policydnamelen = strip_dname_origin(dname, dnamelen, aznamelen, + policydname, (dnamelen-aznamelen)+1))) { + free(policydname); + return 0; + } + t = rpz_dname_to_trigger(policydname, policydnamelen); + if(t == RPZ_INVALID_TRIGGER) { + free(policydname); + verbose(VERB_ALGO, "rpz: skipping invalid trigger"); + return 1; + } + if(t == RPZ_QNAME_TRIGGER) { + /* policydname will be consumed, no free */ + rpz_insert_qname_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + } else if(t == RPZ_RESPONSE_IP_TRIGGER) { + rpz_insert_response_ip_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + free(policydname); + } else if(t == RPZ_CLIENT_IP_TRIGGER) { + rpz_insert_clientip_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + free(policydname); + } else if(t == RPZ_NSIP_TRIGGER) { + rpz_insert_nsip_trigger(r, policydname, policydnamelen, + a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + free(policydname); + } else if(t == RPZ_NSDNAME_TRIGGER) { + rpz_insert_nsdname_trigger(r, policydname, policydnamelen, 
+ a, rr_type, rr_class, rr_ttl, rdatawl, rdatalen, rr, + rr_len); + free(policydname); + } else { + free(policydname); + verbose(VERB_ALGO, "rpz: skipping unsupported trigger: %s", + rpz_trigger_to_string(t)); + } + return 1; +} + +/** + * Find RPZ local-zone by qname. + * @param zones: local-zone tree + * @param qname: qname + * @param qname_len: length of qname + * @param qclass: qclass + * @param only_exact: if 1 only exact (non wildcard) matches are returned + * @param wr: get write lock for local-zone if 1, read lock if 0 + * @param zones_keep_lock: if set do not release the r->local_zones lock, this + * makes the caller of this function responsible for releasing the lock. + * @return: NULL or local-zone holding rd or wr lock + */ +static struct local_zone* +rpz_find_zone(struct local_zones* zones, uint8_t* qname, size_t qname_len, uint16_t qclass, + int only_exact, int wr, int zones_keep_lock) +{ + uint8_t* ce; + size_t ce_len; + int ce_labs; + uint8_t wcLDNS_MAX_DOMAINLEN+1; + int exact; + struct local_zone* z = NULL; + + if(wr) { + lock_rw_wrlock(&zones->lock); + } else { + lock_rw_rdlock(&zones->lock); + } + z = local_zones_find_le(zones, qname, qname_len, + dname_count_labels(qname), + LDNS_RR_CLASS_IN, &exact); + if(!z || (only_exact && !exact)) { + if(!zones_keep_lock) { + lock_rw_unlock(&zones->lock); + } + return NULL; + } + if(wr) { + lock_rw_wrlock(&z->lock); + } else { + lock_rw_rdlock(&z->lock); + } + if(!zones_keep_lock) { + lock_rw_unlock(&zones->lock); + } + + if(exact) + return z; + + /* No exact match found, lookup wildcard. closest encloser must + * be the shared parent between the qname and the best local + * zone match, append '*' to that and do another lookup. 
*/ + + ce = dname_get_shared_topdomain(z->name, qname); + if(!ce /* should not happen */) { + lock_rw_unlock(&z->lock); + if(zones_keep_lock) { + lock_rw_unlock(&zones->lock); + } + return NULL; + } ce_labs = dname_count_size_labels(ce, &ce_len); if(ce_len+2 > sizeof(wc)) { lock_rw_unlock(&z->lock); if(zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } return NULL; } @@ -740,15 +1166,15 @@ if(!zones_keep_lock) { if(wr) { - lock_rw_wrlock(&r->local_zones->lock); + lock_rw_wrlock(&zones->lock); } else { - lock_rw_rdlock(&r->local_zones->lock); + lock_rw_rdlock(&zones->lock); } } - z = local_zones_find_le(r->local_zones, wc, + z = local_zones_find_le(zones, wc, ce_len+2, ce_labs+1, qclass, &exact); if(!z || !exact) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); return NULL; } if(wr) { @@ -757,7 +1183,7 @@ lock_rw_rdlock(&z->lock); } if(!zones_keep_lock) { - lock_rw_unlock(&r->local_zones->lock); + lock_rw_unlock(&zones->lock); } return z; } @@ -766,7 +1192,7 @@ * Remove RR from RPZ's local-data * @param z: local-zone for RPZ, holding write lock * @param policydname: dname of RR to remove - * @param policydnamelen: lenth of policydname + * @param policydnamelen: length of policydname * @param rr_type: RR type of RR to remove * @param rdata: rdata of RR to remove * @param rdatalen: length of rdata @@ -852,10 +1278,10 @@ { struct local_zone* z; int delete_zone = 1; - z = rpz_find_zone(r, dname, dnamelen, rr_class, + z = rpz_find_zone(r->local_zones, dname, dnamelen, rr_class, 1 /* only exact */, 1 /* wr lock */, 1 /* keep lock*/); if(!z) { - verbose(VERB_ALGO, "RPZ: cannot remove RR from IXFR, " + verbose(VERB_ALGO, "rpz: cannot remove RR from IXFR, " "RPZ domain not found"); return; } 
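Review bot: Two allocation-failure paths added in the large hunk (`@@ -493,243 +614,548 @@`) end in a NULL dereference. In `rpz_clientip_enter_rr` the check after `rpz_clientip_new_rrset()` tests `raddr->data`, but the helper links the new rrset into `raddr->data` before its later allocations can fail, so a NULL `rrset` still reaches `rrset->rrset->entry.data`. The check should test the return value, `if(rrset == NULL) { return 0; }`. In `rpz_insert_nsdname_trigger` the result of `rpz_strip_nsdname_suffix()` is discarded, so after a failed strip a NULL `dname_stripped` is passed to `rpz_insert_local_zones_trigger`, which hands it to `dname_count_labels()` before any check. Guard the call with `if(!rpz_strip_nsdname_suffix(dname, dnamelen, &dname_stripped, &dnamelen_stripped)) return;`.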
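Review bot: In the hunk `@@ -852,10 +1278,10 @@`, the `if(!z)` early return appears to leave the zones write lock held. The call passes `1 /* keep lock*/`, and with this commit the first not-found path in `rpz_find_zone` (`if(!z || (only_exact && !exact))`) unlocks only when `zones_keep_lock` is 0. NULL therefore comes back with `r->local_zones->lock` still taken, and the visible `return;` does not release it. Every other NULL path in `rpz_find_zone` does release the zones lock, so the contract is now inconsistent. Either add `lock_rw_unlock(&r->local_zones->lock);` before this `return;`, or restore the unconditional unlock before that `return NULL;`. The caller's body continues outside the hunk.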
@@ -891,7 +1317,7 @@ lock_rw_wrlock(&r->respip_set->lock); if(!(node = (struct resp_addr*)addr_tree_find( &r->respip_set->ip_tree, &addr, addrlen, net))) { - verbose(VERB_ALGO, "RPZ: cannot remove RR from IXFR, " + verbose(VERB_ALGO, "rpz: cannot remove RR from IXFR, " "RPZ domain not found"); lock_rw_unlock(&r->respip_set->lock); return; 
@@ -944,118 +1370,1034 @@ /** print log information for an applied RPZ policy. Based on local-zone's * lz_inform_print(). + * The repinfo contains the reply address. If it is NULL, the module + * state is used to report the first IP address (if any). + * The dname is used, for the applied rpz, if NULL, addrnode is used. */ static void -log_rpz_apply(uint8_t* dname, enum rpz_action a, struct query_info* qinfo, - struct comm_reply* repinfo, char* log_name) +log_rpz_apply(char* trigger, uint8_t* dname, struct addr_tree_node* addrnode, + enum rpz_action a, struct query_info* qinfo, + struct comm_reply* repinfo, struct module_qstate* ms, char* log_name) { - char ip128, txt512; + char ip128, txt512, portstr32; char dnamestrLDNS_MAX_DOMAINLEN+1; - uint16_t port = ntohs(((struct sockaddr_in*)&repinfo->addr)->sin_port); - dname_str(dname, dnamestr); - addr_to_str(&repinfo->addr, repinfo->addrlen, ip, sizeof(ip)); - if(log_name) - snprintf(txt, sizeof(txt), "RPZ applied %s %s %s %s@%u", - log_name, dnamestr, rpz_action_to_string(a), ip, - (unsigned)port); - else - snprintf(txt, sizeof(txt), "RPZ applied %s %s %s@%u", - dnamestr, rpz_action_to_string(a), ip, (unsigned)port); + uint16_t port = 0; + if(dname) { + dname_str(dname, dnamestr); + } else if(addrnode) { + char addrbuf128; + addr_to_str(&addrnode->addr, addrnode->addrlen, addrbuf, sizeof(addrbuf)); + snprintf(dnamestr, sizeof(dnamestr), "%s/%d", addrbuf, addrnode->net); + } else { + dnamestr0=0; + } + if(repinfo) { + addr_to_str(&repinfo->client_addr, repinfo->client_addrlen, ip, sizeof(ip)); + port = ntohs(((struct sockaddr_in*)&repinfo->client_addr)->sin_port); + } else if(ms && ms->mesh_info && ms->mesh_info->reply_list) { + addr_to_str(&ms->mesh_info->reply_list->query_reply.client_addr, + ms->mesh_info->reply_list->query_reply.client_addrlen, + ip, sizeof(ip)); + port = ntohs(((struct sockaddr_in*)&ms->mesh_info->reply_list->query_reply.client_addr)->sin_port); + } else { + ip0=0; + port = 0; + } + 
snprintf(portstr, sizeof(portstr), "@%u", (unsigned)port); + snprintf(txt, sizeof(txt), "rpz: applied %s%s%s%s%s%s %s %s%s", + (log_name?"":""), (log_name?log_name:""), (log_name?" ":""), + (strcmp(trigger,"qname")==0?"":trigger), + (strcmp(trigger,"qname")==0?"":" "), + dnamestr, rpz_action_to_string(a), + (ip0?ip:""), (ip0?portstr:"")); log_nametypeclass(0, txt, qinfo->qname, qinfo->qtype, qinfo->qclass); } -int -rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env, - struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, - struct regional* temp, struct comm_reply* repinfo, - uint8_t* taglist, size_t taglen, struct ub_server_stats* stats) +static struct clientip_synthesized_rr* +rpz_ipbased_trigger_lookup(struct clientip_synthesized_rrset* set, + struct sockaddr_storage* addr, socklen_t addrlen, char* triggername) +{ + struct clientip_synthesized_rr* raddr = NULL; + enum rpz_action action = RPZ_INVALID_ACTION; + + lock_rw_rdlock(&set->lock); + + raddr = (struct clientip_synthesized_rr*)addr_tree_lookup(&set->entries, + addr, addrlen); + if(raddr != NULL) { + lock_rw_rdlock(&raddr->lock); + action = raddr->action; + if(verbosity >= VERB_ALGO) { + char ip256, net256; + addr_to_str(addr, addrlen, ip, sizeof(ip)); + addr_to_str(&raddr->node.addr, raddr->node.addrlen, + net, sizeof(net)); + verbose(VERB_ALGO, "rpz: trigger %s %s/%d on %s action=%s", + triggername, net, raddr->node.net, ip, rpz_action_to_string(action)); + } + } + lock_rw_unlock(&set->lock); + + return raddr; +} + +static inline +struct clientip_synthesized_rr* +rpz_resolve_client_action_and_zone(struct auth_zones* az, struct query_info* qinfo, + struct comm_reply* repinfo, uint8_t* taglist, size_t taglen, + struct ub_server_stats* stats, + /* output parameters */ + struct local_zone** z_out, struct auth_zone** a_out, struct rpz** r_out) { + struct clientip_synthesized_rr* node = NULL; + struct auth_zone* a = NULL; struct rpz* r = NULL; - struct auth_zone* a; - int ret; - 
enum localzone_type lzt; struct local_zone* z = NULL; - struct local_data* ld = NULL; + lock_rw_rdlock(&az->rpz_lock); + for(a = az->rpz_first; a; a = a->rpz_az_next) { lock_rw_rdlock(&a->lock); r = a->rpz; - if(!r->disabled && (!r->taglist || taglist_intersect(r->taglist, - r->taglistlen, taglist, taglen))) { - z = rpz_find_zone(r, qinfo->qname, qinfo->qname_len, - qinfo->qclass, 0, 0, 0); - if(z && r->action_override == RPZ_DISABLED_ACTION) { - if(r->log) - log_rpz_apply(z->name, - r->action_override, - qinfo, repinfo, r->log_name); - /* TODO only register stats when stats_extended? - * */ - stats->rpz_actionr->action_override++; + if(r->disabled) { + lock_rw_unlock(&a->lock); + continue; + } + if(r->taglist && !taglist_intersect(r->taglist, + r->taglistlen, taglist, taglen)) { + lock_rw_unlock(&a->lock); + continue; + } + z = rpz_find_zone(r->local_zones, qinfo->qname, qinfo->qname_len, + qinfo->qclass, 0, 0, 0); + node = rpz_ipbased_trigger_lookup(r->client_set, + &repinfo->client_addr, repinfo->client_addrlen, + "clientip"); + if((z || node) && r->action_override == RPZ_DISABLED_ACTION) { + if(r->log) + log_rpz_apply((node?"clientip":"qname"), + (z?z->name:NULL), + (node?&node->node:NULL), + r->action_override, + qinfo, repinfo, NULL, r->log_name); + stats->rpz_actionr->action_override++; + if(z != NULL) { lock_rw_unlock(&z->lock); z = NULL; } - if(z) - break; + if(node != NULL) { + lock_rw_unlock(&node->lock); + node = NULL; + } + } + if(z || node) { + break; } - lock_rw_unlock(&a->lock); /* not found in this auth_zone */ + /* not found in this auth_zone */ + lock_rw_unlock(&a->lock); } + lock_rw_unlock(&az->rpz_lock); - if(!z) - return 0; /* not holding auth_zone.lock anymore */ - log_assert(r); - if(r->action_override == RPZ_NO_OVERRIDE_ACTION) - lzt = z->type; - else - lzt = rpz_action_to_localzone_type(r->action_override); + *r_out = r; + *a_out = a; + *z_out = z; + + return node; +} + +static inline int +rpz_is_udp_query(struct comm_reply* repinfo) { + 
return repinfo != NULL + ? (repinfo->c != NULL + ? repinfo->c->type == comm_udp + : 0) + : 0; +} + +/** encode answer consisting of 1 rrset */ +static int +rpz_local_encode(struct module_env* env, struct query_info* qinfo, + struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, + struct regional* temp, struct ub_packed_rrset_key* rrset, int ansec, + int rcode, struct ub_packed_rrset_key* soa_rrset) +{ + struct reply_info rep; + uint16_t udpsize; + struct ub_packed_rrset_key* rrsetlist3; + + memset(&rep, 0, sizeof(rep)); + rep.flags = (uint16_t)((BIT_QR | BIT_AA | BIT_RA) | rcode); + rep.qdcount = 1; + rep.rrset_count = ansec; + rep.rrsets = rrsetlist; + if(ansec > 0) { + rep.an_numrrsets = 1; + rep.rrsets0 = rrset; + rep.ttl = ((struct packed_rrset_data*)rrset->entry.data)->rr_ttl0; + } + if(soa_rrset != NULL) { + rep.ar_numrrsets = 1; + rep.rrsetsrep.rrset_count = soa_rrset; + rep.rrset_count ++; + if(rep.ttl < ((struct packed_rrset_data*)soa_rrset->entry.data)->rr_ttl0) { + rep.ttl = ((struct packed_rrset_data*)soa_rrset->entry.data)->rr_ttl0; + } + } + + udpsize = edns->udp_size; + edns->edns_version = EDNS_ADVERTISED_VERSION; + edns->udp_size = EDNS_ADVERTISED_SIZE; + edns->ext_rcode = 0; + edns->bits &= EDNS_DO; + if(!inplace_cb_reply_local_call(env, qinfo, NULL, &rep, rcode, edns, + repinfo, temp, env->now_tv) || + !reply_info_answer_encode(qinfo, &rep, + *(uint16_t*)sldns_buffer_begin(buf), sldns_buffer_read_u16_at(buf, 2), + buf, 0, 0, temp, udpsize, edns, (int)(edns->bits&EDNS_DO), 0)) { + error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo, + *(uint16_t*)sldns_buffer_begin(buf), + sldns_buffer_read_u16_at(buf, 2), edns); + } + + return 1; +} + +static struct local_rrset* +rpz_find_synthesized_rrset(uint16_t qtype, + struct clientip_synthesized_rr* data) +{ + struct local_rrset* cursor = data->data; + while( cursor != NULL) { + struct packed_rrset_key* packed_rrset = &cursor->rrset->rk; + if(htons(qtype) == packed_rrset->type) { + return 
cursor; + } + cursor = cursor->next; + } + return NULL; +} + +/** allocate SOA record ubrrsetkey in region */ +static struct ub_packed_rrset_key* +make_soa_ubrrset(struct auth_zone* auth_zone, struct auth_rrset* soa, + struct regional* temp) +{ + struct ub_packed_rrset_key csoa; + if(!soa) + return NULL; + memset(&csoa, 0, sizeof(csoa)); + csoa.entry.key = &csoa; + csoa.rk.rrset_class = htons(LDNS_RR_CLASS_IN); + csoa.rk.type = htons(LDNS_RR_TYPE_SOA); + csoa.rk.flags |= PACKED_RRSET_FIXEDTTL + | PACKED_RRSET_RPZ; + csoa.rk.dname = auth_zone->name; + csoa.rk.dname_len = auth_zone->namelen; + csoa.entry.hash = rrset_key_hash(&csoa.rk); + csoa.entry.data = soa->data; + return respip_copy_rrset(&csoa, temp); +} + +static void +rpz_apply_clientip_localdata_action(struct clientip_synthesized_rr* raddr, + struct module_env* env, struct query_info* qinfo, + struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf, + struct regional* temp, struct auth_zone* auth_zone) +{ + struct local_rrset* rrset; + enum rpz_action action = RPZ_INVALID_ACTION; + struct ub_packed_rrset_key* rp = NULL; + struct ub_packed_rrset_key* rsoa = NULL; + int rcode = LDNS_RCODE_NOERROR|BIT_AA; + int rrset_count = 1; + + /* prepare synthesized answer for client */ + action = raddr->action; + if(action == RPZ_LOCAL_DATA_ACTION && raddr->data == NULL ) { + verbose(VERB_ALGO, "rpz: bug: local-data action but no local data"); + return; + } + + /* check query type / rr type */ + rrset = rpz_find_synthesized_rrset(qinfo->qtype, raddr); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: unable to find local-data for query"); + rrset_count = 0; + goto nodata; + } + + rp = respip_copy_rrset(rrset->rrset, temp); + if(!rp) { + verbose(VERB_ALGO, "rpz: local data action: out of memory"); + return; + } + + rp->rk.flags |= PACKED_RRSET_FIXEDTTL | PACKED_RRSET_RPZ; + rp->rk.dname = qinfo->qname; + rp->rk.dname_len = qinfo->qname_len; + rp->entry.hash = rrset_key_hash(&rp->rk); +nodata: + if(auth_zone) { 
+ struct auth_rrset* soa = NULL; + soa = auth_zone_get_soa_rrset(auth_zone); + if(soa) { + rsoa = make_soa_ubrrset(auth_zone, soa, temp); + if(!rsoa) { + verbose(VERB_ALGO, "rpz: local data action soa: out of memory"); + return; + } + } + } + + rpz_local_encode(env, qinfo, edns, repinfo, buf, temp, rp, + rrset_count, rcode, rsoa); +} + +/** add additional section SOA record to the reply. + * Since this gets fed into the normal iterator answer creation, it + * gets minimal-responses applied to it, that can remove the additional SOA + * again. */ +static int +rpz_add_soa(struct reply_info* rep, struct module_qstate* ms, + struct auth_zone* az) +{ + struct auth_rrset* soa = NULL; + struct ub_packed_rrset_key* rsoa = NULL; + struct ub_packed_rrset_key** prevrrsets; + if(!az) return 1; + soa = auth_zone_get_soa_rrset(az); + if(!soa) return 1; + if(!rep) return 0; + rsoa = make_soa_ubrrset(az, soa, ms->region); + if(!rsoa) return 0; + prevrrsets = rep->rrsets; + rep->rrsets = regional_alloc_zero(ms->region, + sizeof(*rep->rrsets)*(rep->rrset_count+1)); + if(!rep->rrsets) + return 0; + if(prevrrsets && rep->rrset_count > 0) + memcpy(rep->rrsets, prevrrsets, rep->rrset_count*sizeof(*rep->rrsets)); + rep->rrset_count++; + rep->ar_numrrsets++; + rep->rrsetsrep->rrset_count-1 = rsoa; + return 1; +} + +static inline struct dns_msg* +rpz_dns_msg_new(struct regional* region) +{ + struct dns_msg* msg = + (struct dns_msg*)regional_alloc(region, + sizeof(struct dns_msg)); + if(msg == NULL) { return NULL; } + memset(msg, 0, sizeof(struct dns_msg)); + + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_nodata(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, + struct query_info* qinfo, struct auth_zone* az) +{ + struct dns_msg* msg = rpz_dns_msg_new(ms->region); + if(msg == NULL) { return msg; } + msg->qinfo = *qinfo; + msg->rep = construct_reply_info_base(ms->region, + LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA, + 1, /* qd */ + 0, /* ttl */ + 0, /* prettl */ + 
0, /* expttl */ + 0, /* an */ + 0, /* ns */ + 0, /* ar */ + 0, /* total */ + sec_status_insecure); + if(msg->rep) + msg->rep->authoritative = 1; + if(!rpz_add_soa(msg->rep, ms, az)) + return NULL; + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_nxdomain(struct rpz* r, struct module_qstate* ms, + struct query_info* qinfo, struct auth_zone* az) +{ + struct dns_msg* msg = rpz_dns_msg_new(ms->region); + uint16_t flags; + if(msg == NULL) { return msg; } + msg->qinfo = *qinfo; + flags = LDNS_RCODE_NXDOMAIN | BIT_QR | BIT_AA | BIT_RA; + if(r->signal_nxdomain_ra) + flags &= ~BIT_RA; + msg->rep = construct_reply_info_base(ms->region, + flags, + 1, /* qd */ + 0, /* ttl */ + 0, /* prettl */ + 0, /* expttl */ + 0, /* an */ + 0, /* ns */ + 0, /* ar */ + 0, /* total */ + sec_status_insecure); + if(msg->rep) + msg->rep->authoritative = 1; + if(!rpz_add_soa(msg->rep, ms, az)) + return NULL; + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_localdata_from_rrset(struct rpz* ATTR_UNUSED(r), struct module_qstate* ms, + struct query_info* qi, struct local_rrset* rrset, struct auth_zone* az) +{ + struct dns_msg* msg = NULL; + struct reply_info* new_reply_info; + struct ub_packed_rrset_key* rp; + + + msg = rpz_dns_msg_new(ms->region); + if(msg == NULL) { return NULL; } + + new_reply_info = construct_reply_info_base(ms->region, + LDNS_RCODE_NOERROR | BIT_QR | BIT_AA | BIT_RA, + 1, /* qd */ + 0, /* ttl */ + 0, /* prettl */ + 0, /* expttl */ + 1, /* an */ + 0, /* ns */ + 0, /* ar */ + 1, /* total */ + sec_status_insecure); + if(new_reply_info == NULL) { + log_err("out of memory"); + return NULL; + } + new_reply_info->authoritative = 1; + rp = respip_copy_rrset(rrset->rrset, ms->region); + if(rp == NULL) { + log_err("out of memory"); + return NULL; + } + rp->rk.dname = qi->qname; + rp->rk.dname_len = qi->qname_len; + /* this rrset is from the rpz data, or synthesized. + * It is not actually from the network, so we flag it with this + * flags as a fake RRset. 
If later the cache is used to look up + * rrsets, then the fake ones are not returned (if you look without + * the flag). For like CNAME lookups from the iterator or A, AAAA + * lookups for nameserver targets, it would use the without flag + * actual data. So that the actual network data and fake data + * are kept track of separately. */ + rp->rk.flags |= PACKED_RRSET_RPZ; + new_reply_info->rrsets0 = rp; + msg->rep = new_reply_info; + if(!rpz_add_soa(msg->rep, ms, az)) + return NULL; + return msg; +} + +static inline struct dns_msg* +rpz_synthesize_nsip_localdata(struct rpz* r, struct module_qstate* ms, + struct clientip_synthesized_rr* data, struct auth_zone* az) +{ + struct query_info* qi = &ms->qinfo; + struct local_rrset* rrset; + + rrset = rpz_find_synthesized_rrset(qi->qtype, data); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: nsip: no matching local data found"); + return NULL; + } + + return rpz_synthesize_localdata_from_rrset(r, ms, &ms->qinfo, rrset, az); +} + +/* copy'n'paste from localzone.c */ +static struct local_rrset* +local_data_find_type(struct local_data* data, uint16_t type, int alias_ok) +{ + struct local_rrset* p; + type = htons(type); + for(p = data->rrsets; p; p = p->next) { + if(p->rrset->rk.type == type) + return p; + if(alias_ok && p->rrset->rk.type == htons(LDNS_RR_TYPE_CNAME)) + return p; + } + return NULL; +} + +/* based on localzone.c:local_data_answer() */ +static inline struct dns_msg* +rpz_synthesize_nsdname_localdata(struct rpz* r, struct module_qstate* ms, + struct local_zone* z, struct matched_delegation_point const* match, + struct auth_zone* az) +{ + struct local_data key; + struct local_data* ld; + struct local_rrset* rrset; + + if(match->dname == NULL) { return NULL; } + + key.node.key = &key; + key.name = match->dname; + key.namelen = match->dname_len; + key.namelabs = dname_count_labels(match->dname); + + rpz_log_dname("nsdname local data", key.name, key.namelen); + + ld = (struct local_data*)rbtree_search(&z->data, 
&key.node); + if(ld == NULL) { + verbose(VERB_ALGO, "rpz: nsdname: impossible: qname not found"); + return NULL; + } + + rrset = local_data_find_type(ld, ms->qinfo.qtype, 1); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: nsdname: no matching local data found"); + return NULL; + } + + return rpz_synthesize_localdata_from_rrset(r, ms, &ms->qinfo, rrset, az); +} + +/* like local_data_answer for qname triggers after a cname */ +static struct dns_msg* +rpz_synthesize_qname_localdata_msg(struct rpz* r, struct module_qstate* ms, + struct query_info* qinfo, struct local_zone* z, struct auth_zone* az) +{ + struct local_data key; + struct local_data* ld; + struct local_rrset* rrset; + key.node.key = &key; + key.name = qinfo->qname; + key.namelen = qinfo->qname_len; + key.namelabs = dname_count_labels(qinfo->qname); + ld = (struct local_data*)rbtree_search(&z->data, &key.node); + if(ld == NULL) { + verbose(VERB_ALGO, "rpz: qname after cname: name not found"); + return NULL; + } + rrset = local_data_find_type(ld, qinfo->qtype, 1); + if(rrset == NULL) { + verbose(VERB_ALGO, "rpz: qname after cname: type not found"); + return NULL; + } + return rpz_synthesize_localdata_from_rrset(r, ms, qinfo, rrset, az); +} +static int +rpz_synthesize_qname_localdata(struct module_env* env, struct rpz* r, + struct local_zone* z, enum localzone_type lzt, struct query_info* qinfo, + struct edns_data* edns, sldns_buffer* buf, struct regional* temp, + struct comm_reply* repinfo, struct ub_server_stats* stats) +{ + struct local_data* ld = NULL; + int ret = 0; if(r->action_override == RPZ_CNAME_OVERRIDE_ACTION) { - qinfo->local_alias = - regional_alloc_zero(temp, sizeof(struct local_rrset)); - if(!qinfo->local_alias) { - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); + qinfo->local_alias = regional_alloc_zero(temp, sizeof(struct local_rrset)); + if(qinfo->local_alias == NULL) { return 0; /* out of memory */ } - qinfo->local_alias->rrset = - regional_alloc_init(temp, r->cname_override, - 
sizeof(*r->cname_override)); - if(!qinfo->local_alias->rrset) { - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); + qinfo->local_alias->rrset = regional_alloc_init(temp, r->cname_override, + sizeof(*r->cname_override)); + if(qinfo->local_alias->rrset == NULL) { return 0; /* out of memory */ } qinfo->local_alias->rrset->rk.dname = qinfo->qname; qinfo->local_alias->rrset->rk.dname_len = qinfo->qname_len; - if(r->log) - log_rpz_apply(z->name, RPZ_CNAME_OVERRIDE_ACTION, - qinfo, repinfo, r->log_name); + if(r->log) { + log_rpz_apply("qname", z->name, NULL, RPZ_CNAME_OVERRIDE_ACTION, + qinfo, repinfo, NULL, r->log_name); + } stats->rpz_actionRPZ_CNAME_OVERRIDE_ACTION++; - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); return 0; } if(lzt == local_zone_redirect && local_data_answer(z, env, qinfo, edns, repinfo, buf, temp, dname_count_labels(qinfo->qname), &ld, lzt, -1, NULL, 0, NULL, 0)) { - if(r->log) - log_rpz_apply(z->name, + if(r->log) { + log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt), qinfo, - repinfo, r->log_name); + repinfo, NULL, r->log_name); + } stats->rpz_actionlocalzone_type_to_rpz_action(lzt)++; - lock_rw_unlock(&z->lock); - lock_rw_unlock(&a->lock); return !qinfo->local_alias; } ret = local_zones_zone_answer(z, env, qinfo, edns, repinfo, buf, temp, 0 /* no local data used */, lzt); - if(r->log) - log_rpz_apply(z->name, localzone_type_to_rpz_action(lzt), - qinfo, repinfo, r->log_name); + if(r->signal_nxdomain_ra && LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); + if(r->log) { + log_rpz_apply("qname", z->name, NULL, localzone_type_to_rpz_action(lzt), + qinfo, repinfo, NULL, r->log_name); + } stats->rpz_actionlocalzone_type_to_rpz_action(lzt)++; + return ret; +} + +static struct clientip_synthesized_rr* +rpz_delegation_point_ipbased_trigger_lookup(struct rpz* rpz, struct iter_qstate* is) +{ + struct delegpt_addr* cursor; + struct clientip_synthesized_rr* action = 
NULL; + if(is->dp == NULL) { return NULL; } + for(cursor = is->dp->target_list; + cursor != NULL; + cursor = cursor->next_target) { + if(cursor->bogus) { continue; } + action = rpz_ipbased_trigger_lookup(rpz->ns_set, &cursor->addr, + cursor->addrlen, "nsip"); + if(action != NULL) { return action; } + } + return NULL; +} + +static struct dns_msg* +rpz_apply_nsip_trigger(struct module_qstate* ms, struct rpz* r, + struct clientip_synthesized_rr* raddr, struct auth_zone* az) +{ + enum rpz_action action = raddr->action; + struct dns_msg* ret = NULL; + + if(r->action_override != RPZ_NO_OVERRIDE_ACTION) { + verbose(VERB_ALGO, "rpz: using override action=%s (replaces=%s)", + rpz_action_to_string(r->action_override), rpz_action_to_string(action)); + action = r->action_override; + } + + if(action == RPZ_LOCAL_DATA_ACTION && raddr->data == NULL) { + verbose(VERB_ALGO, "rpz: bug: nsip local data action but no local data"); + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + goto done; + } + + switch(action) { + case RPZ_NXDOMAIN_ACTION: + ret = rpz_synthesize_nxdomain(r, ms, &ms->qinfo, az); + break; + case RPZ_NODATA_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + break; + case RPZ_TCP_ONLY_ACTION: + /* basically a passthru here but the tcp-only will be + * honored before the query gets sent. 
*/ + ms->respip_action_info->action = respip_truncate; + ret = NULL; + break; + case RPZ_DROP_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + ms->is_drop = 1; + break; + case RPZ_LOCAL_DATA_ACTION: + ret = rpz_synthesize_nsip_localdata(r, ms, raddr, az); + if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); } + break; + case RPZ_PASSTHRU_ACTION: + ret = NULL; + ms->rpz_passthru = 1; + break; + default: + verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'", + rpz_action_to_string(action)); + ret = NULL; + } + +done: + if(r->log) + log_rpz_apply("nsip", NULL, &raddr->node, + action, &ms->qinfo, NULL, ms, r->log_name); + if(ms->env->worker) + ms->env->worker->stats.rpz_actionaction++; + lock_rw_unlock(&raddr->lock); + return ret; +} + +static struct dns_msg* +rpz_apply_nsdname_trigger(struct module_qstate* ms, struct rpz* r, + struct local_zone* z, struct matched_delegation_point const* match, + struct auth_zone* az) +{ + struct dns_msg* ret = NULL; + enum rpz_action action = localzone_type_to_rpz_action(z->type); + + if(r->action_override != RPZ_NO_OVERRIDE_ACTION) { + verbose(VERB_ALGO, "rpz: using override action=%s (replaces=%s)", + rpz_action_to_string(r->action_override), rpz_action_to_string(action)); + action = r->action_override; + } + + switch(action) { + case RPZ_NXDOMAIN_ACTION: + ret = rpz_synthesize_nxdomain(r, ms, &ms->qinfo, az); + break; + case RPZ_NODATA_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + break; + case RPZ_TCP_ONLY_ACTION: + /* basically a passthru here but the tcp-only will be + * honored before the query gets sent. 
*/ + ms->respip_action_info->action = respip_truncate; + ret = NULL; + break; + case RPZ_DROP_ACTION: + ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); + ms->is_drop = 1; + break; + case RPZ_LOCAL_DATA_ACTION: + ret = rpz_synthesize_nsdname_localdata(r, ms, z, match, az); + if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &ms->qinfo, az); } + break; + case RPZ_PASSTHRU_ACTION: + ret = NULL; + ms->rpz_passthru = 1; + break; + default: + verbose(VERB_ALGO, "rpz: nsip: bug: unhandled or invalid action: '%s'", + rpz_action_to_string(action)); + ret = NULL; + } + + if(r->log) + log_rpz_apply("nsdname", match->dname, NULL, + action, &ms->qinfo, NULL, ms, r->log_name); + if(ms->env->worker) + ms->env->worker->stats.rpz_actionaction++; + lock_rw_unlock(&z->lock); + return ret; +} + +static struct local_zone* +rpz_delegation_point_zone_lookup(struct delegpt* dp, struct local_zones* zones, + uint16_t qclass, + /* output parameter */ + struct matched_delegation_point* match) +{ + struct delegpt_ns* nameserver; + struct local_zone* z = NULL; + + /* the rpz specs match the nameserver names (NS records), not the + * name of the delegation point itself, to the nsdname triggers */ + for(nameserver = dp->nslist; + nameserver != NULL; + nameserver = nameserver->next) { + z = rpz_find_zone(zones, nameserver->name, nameserver->namelen, + qclass, 0, 0, 0); + if(z != NULL) { + match->dname = nameserver->name; + match->dname_len = nameserver->namelen; + if(verbosity >= VERB_ALGO) { + char nm255+1, zn255+1; + dname_str(match->dname, nm); + dname_str(z->name, zn); + if(strcmp(nm, zn) != 0) + verbose(VERB_ALGO, "rpz: trigger nsdname %s on %s action=%s", + zn, nm, rpz_action_to_string(localzone_type_to_rpz_action(z->type))); + else + verbose(VERB_ALGO, "rpz: trigger nsdname %s action=%s", + nm, rpz_action_to_string(localzone_type_to_rpz_action(z->type))); + } + break; + } + } + + return z; +} + +struct dns_msg* +rpz_callback_from_iterator_module(struct module_qstate* ms, struct 
iter_qstate* is) +{ + struct auth_zones* az; + struct auth_zone* a; + struct clientip_synthesized_rr* raddr = NULL; + struct rpz* r = NULL; + struct local_zone* z = NULL; + struct matched_delegation_point match = {0}; + + if(ms->rpz_passthru) { + verbose(VERB_ALGO, "query is rpz_passthru, no further processing"); + return NULL; + } + + if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; } + + az = ms->env->auth_zones; + + verbose(VERB_ALGO, "rpz: iterator module callback: have_rpz=%d", az->rpz_first != NULL); + + lock_rw_rdlock(&az->rpz_lock); + + /* precedence of RPZ works, loosely, like this: + * CNAMEs in order of the CNAME chain. rpzs in the order they are + * configured. In an RPZ: first client-IP addr, then QNAME, then + * response IP, then NSDNAME, then NSIP. Longest match first. Smallest + * one from a set. */ + /* we use the precedence rules for the topics and triggers that + * are pertinent at this stage of the resolve processing */ + for(a = az->rpz_first; a != NULL; a = a->rpz_az_next) { + lock_rw_rdlock(&a->lock); + r = a->rpz; + if(r->disabled) { + lock_rw_unlock(&a->lock); + continue; + } + + /* the nsdname has precedence over the nsip triggers */ + z = rpz_delegation_point_zone_lookup(is->dp, r->nsdname_zones, + ms->qinfo.qclass, &match); + if(z != NULL) { + lock_rw_unlock(&a->lock); + break; + } + + raddr = rpz_delegation_point_ipbased_trigger_lookup(r, is); + if(raddr != NULL) { + lock_rw_unlock(&a->lock); + break; + } + lock_rw_unlock(&a->lock); + } + + lock_rw_unlock(&az->rpz_lock); + + if(raddr == NULL && z == NULL) + return NULL; + + if(raddr != NULL) { + if(z) { + lock_rw_unlock(&z->lock); + } + return rpz_apply_nsip_trigger(ms, r, raddr, a); + } + return rpz_apply_nsdname_trigger(ms, r, z, &match, a); +} + +struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* ms, + struct iter_qstate* is) +{ + struct auth_zones* az; + struct auth_zone* a = NULL; + struct rpz* r = NULL; + struct local_zone* z = NULL; + enum 
localzone_type lzt; + struct dns_msg* ret = NULL; + + if(ms->rpz_passthru) { + verbose(VERB_ALGO, "query is rpz_passthru, no further processing"); + return NULL; + } + + if(ms->env == NULL || ms->env->auth_zones == NULL) { return 0; } + az = ms->env->auth_zones; + + lock_rw_rdlock(&az->rpz_lock); + + for(a = az->rpz_first; a; a = a->rpz_az_next) { + lock_rw_rdlock(&a->lock); + r = a->rpz; + if(r->disabled) { + lock_rw_unlock(&a->lock); + continue; + } + z = rpz_find_zone(r->local_zones, is->qchase.qname, + is->qchase.qname_len, is->qchase.qclass, 0, 0, 0); + if(z && r->action_override == RPZ_DISABLED_ACTION) { + if(r->log) + log_rpz_apply("qname", z->name, NULL, + r->action_override, + &ms->qinfo, NULL, ms, r->log_name); + if(ms->env->worker) + ms->env->worker->stats.rpz_actionr->action_override++; + lock_rw_unlock(&z->lock); + z = NULL; + } + if(z) { + break; + } + /* not found in this auth_zone */ + lock_rw_unlock(&a->lock); + } + lock_rw_unlock(&az->rpz_lock); + + if(z == NULL) + return NULL; + if(r->action_override == RPZ_NO_OVERRIDE_ACTION) { + lzt = z->type; + } else { + lzt = rpz_action_to_localzone_type(r->action_override); + } + + if(verbosity >= VERB_ALGO) { + char nm255+1, zn255+1; + dname_str(is->qchase.qname, nm); + dname_str(z->name, zn); + if(strcmp(zn, nm) != 0) + verbose(VERB_ALGO, "rpz: qname trigger after cname %s on %s, with action=%s", + zn, nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + else + verbose(VERB_ALGO, "rpz: qname trigger after cname %s, with action=%s", + nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + } + switch(localzone_type_to_rpz_action(lzt)) { + case RPZ_NXDOMAIN_ACTION: + ret = rpz_synthesize_nxdomain(r, ms, &is->qchase, a); + break; + case RPZ_NODATA_ACTION: + ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); + break; + case RPZ_TCP_ONLY_ACTION: + /* basically a passthru here but the tcp-only will be + * honored before the query gets sent. 
*/ + ms->respip_action_info->action = respip_truncate; + ret = NULL; + break; + case RPZ_DROP_ACTION: + ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); + ms->is_drop = 1; + break; + case RPZ_LOCAL_DATA_ACTION: + ret = rpz_synthesize_qname_localdata_msg(r, ms, &is->qchase, z, a); + if(ret == NULL) { ret = rpz_synthesize_nodata(r, ms, &is->qchase, a); } + break; + case RPZ_PASSTHRU_ACTION: + ret = NULL; + ms->rpz_passthru = 1; + break; + default: + verbose(VERB_ALGO, "rpz: qname trigger after cname: bug: unhandled or invalid action: '%s'", + rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + ret = NULL; + } + lock_rw_unlock(&z->lock); + lock_rw_unlock(&a->lock); + return ret; +} + +static int +rpz_apply_maybe_clientip_trigger(struct auth_zones* az, struct module_env* env, + struct query_info* qinfo, struct edns_data* edns, struct comm_reply* repinfo, + uint8_t* taglist, size_t taglen, struct ub_server_stats* stats, + sldns_buffer* buf, struct regional* temp, + /* output parameters */ + struct local_zone** z_out, struct auth_zone** a_out, struct rpz** r_out, + int* passthru) +{ + int ret = 0; + enum rpz_action client_action; + struct clientip_synthesized_rr* node = rpz_resolve_client_action_and_zone( + az, qinfo, repinfo, taglist, taglen, stats, z_out, a_out, r_out); + + client_action = ((node == NULL) ? 
RPZ_INVALID_ACTION : node->action); + if(client_action == RPZ_PASSTHRU_ACTION) { + *passthru = 1; + } + if(*z_out == NULL || (client_action != RPZ_INVALID_ACTION && + client_action != RPZ_PASSTHRU_ACTION)) { + if(client_action == RPZ_PASSTHRU_ACTION + || client_action == RPZ_INVALID_ACTION + || (client_action == RPZ_TCP_ONLY_ACTION + && !rpz_is_udp_query(repinfo))) { + ret = 0; + goto done; + } + stats->rpz_actionclient_action++; + if(client_action == RPZ_LOCAL_DATA_ACTION) { + rpz_apply_clientip_localdata_action(node, env, qinfo, + edns, repinfo, buf, temp, *a_out); + } else { + if(*r_out && (*r_out)->log) + log_rpz_apply( + (node?"clientip":"qname"), + ((*z_out)?(*z_out)->name:NULL), + (node?&node->node:NULL), + client_action, qinfo, repinfo, NULL, + (*r_out)->log_name); + local_zones_zone_answer(*z_out /*likely NULL, no zone*/, env, qinfo, edns, + repinfo, buf, temp, 0 /* no local data used */, + rpz_action_to_localzone_type(client_action)); + if(*r_out && (*r_out)->signal_nxdomain_ra && + LDNS_RCODE_WIRE(sldns_buffer_begin(buf)) + == LDNS_RCODE_NXDOMAIN) + LDNS_RA_CLR(sldns_buffer_begin(buf)); + } + ret = 1; + goto done; + } + ret = -1; +done: + if(node != NULL) { + lock_rw_unlock(&node->lock); + } + return ret; +} + +int +rpz_callback_from_worker_request(struct auth_zones* az, struct module_env* env, + struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, + struct regional* temp, struct comm_reply* repinfo, uint8_t* taglist, + size_t taglen, struct ub_server_stats* stats, int* passthru) +{ + struct rpz* r = NULL; + struct auth_zone* a = NULL; + struct local_zone* z = NULL; + int ret; + enum localzone_type lzt; + + int clientip_trigger = rpz_apply_maybe_clientip_trigger(az, env, qinfo, + edns, repinfo, taglist, taglen, stats, buf, temp, &z, &a, &r, + passthru); + if(clientip_trigger >= 0) { + if(a) { + lock_rw_unlock(&a->lock); + } + if(z) { + lock_rw_unlock(&z->lock); + } + return clientip_trigger; + } + + if(z == NULL) { + if(a) { + 
lock_rw_unlock(&a->lock); + } + return 0; + } + + log_assert(r); + + if(r->action_override == RPZ_NO_OVERRIDE_ACTION) { + lzt = z->type; + } else { + lzt = rpz_action_to_localzone_type(r->action_override); + } + if(r->action_override == RPZ_PASSTHRU_ACTION || + lzt == local_zone_always_transparent /* RPZ_PASSTHRU_ACTION */) { + *passthru = 1; + } + + if(verbosity >= VERB_ALGO) { + char nm255+1, zn255+1; + dname_str(qinfo->qname, nm); + dname_str(z->name, zn); + if(strcmp(zn, nm) != 0) + verbose(VERB_ALGO, "rpz: qname trigger %s on %s with action=%s", + zn, nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + else + verbose(VERB_ALGO, "rpz: qname trigger %s with action=%s", + nm, rpz_action_to_string(localzone_type_to_rpz_action(lzt))); + } + + ret = rpz_synthesize_qname_localdata(env, r, z, lzt, qinfo, edns, buf, temp, + repinfo, stats); + lock_rw_unlock(&z->lock); lock_rw_unlock(&a->lock);
_service:tar_scm:unbound-1.13.2.tar.gz/services/rpz.h -> _service:tar_scm:unbound-1.17.1.tar.gz/services/rpz.h
Changed
@@ -50,6 +50,7 @@ #include "sldns/sbuffer.h" #include "daemon/stats.h" #include "respip/respip.h" +struct iter_qstate; /** * RPZ triggers, only the QNAME trigger is currently supported in Unbound. @@ -83,6 +84,27 @@ RPZ_CNAME_OVERRIDE_ACTION, /* RPZ CNAME action override*/ }; +struct clientip_synthesized_rrset{ + struct regional* region; + struct rbtree_type entries; + lock_rw_type lock; /* lock on the respip tree */ +}; + +struct clientip_synthesized_rr { + /** node in address tree */ + struct addr_tree_node node; + /** lock on the node item */ + lock_rw_type lock; + /** tag bitlist */ + uint8_t* taglist; + /** length of the taglist (in bytes) */ + size_t taglen; + /** action for this address span */ + enum rpz_action action; + /** "local data" for this node */ + struct local_rrset* data; +}; + /** * RPZ containing policies. Pointed to from corresponding auth-zone. Part of a * linked list to keep configuration order. Iterating or changing the linked @@ -92,12 +114,17 @@ struct rpz { struct local_zones* local_zones; struct respip_set* respip_set; + struct clientip_synthesized_rrset* client_set; + struct clientip_synthesized_rrset* ns_set; + struct local_zones* nsdname_zones; uint8_t* taglist; size_t taglistlen; enum rpz_action action_override; struct ub_packed_rrset_key* cname_override; int log; char* log_name; + /** signal NXDOMAIN blocked with unset RA flag */ + int signal_nxdomain_ra; struct regional* region; int disabled; }; 
@@ -147,14 +174,39 @@ * @param temp: scratchpad * @param repinfo: reply info * @param taglist: taglist to lookup. - * @param taglen: lenth of taglist. + * @param taglen: length of taglist. * @param stats: worker stats struct + * @param passthru: returns if the query can passthru further rpz processing. * @return: 1 if client answer is ready, 0 to continue resolving */ -int rpz_apply_qname_trigger(struct auth_zones* az, struct module_env* env, +int rpz_callback_from_worker_request(struct auth_zones* az, struct module_env* env, struct query_info* qinfo, struct edns_data* edns, sldns_buffer* buf, struct regional* temp, struct comm_reply* repinfo, - uint8_t* taglist, size_t taglen, struct ub_server_stats* stats); + uint8_t* taglist, size_t taglen, struct ub_server_stats* stats, + int* passthru); + +/** + * Callback to process when the iterator module is about to send queries. + * Checks for nsip and nsdname triggers. + * @param qstate: the query state. + * @param iq: iterator module query state. + * @return NULL if nothing is done. Or a new message with the contents from + * the rpz, based on the delegation point. It is allocated in the + * qstate region. + */ +struct dns_msg* rpz_callback_from_iterator_module(struct module_qstate* qstate, + struct iter_qstate* iq); + +/** + * Callback to process when the iterator module has followed a cname. + * There can be a qname trigger for the new query name. + * @param qstate: the query state. + * @param iq: iterator module query state. + * @return NULL if nothing is done. Or a new message with the contents from + * the rpz, based on the iq.qchase. It is allocated in the qstate region. + */ +struct dns_msg* rpz_callback_from_iterator_cname(struct module_qstate* qstate, + struct iter_qstate* iq); /** * Delete RPZ 
@@ -186,7 +238,7 @@ respip_action_to_rpz_action(enum respip_action a); /** - * Prepare RPZ after procesing feed content. + * Prepare RPZ after processing feed content. * @param r: RPZ to use */ void rpz_finish_config(struct rpz* r);
_service:tar_scm:unbound-1.13.2.tar.gz/services/view.c -> _service:tar_scm:unbound-1.17.1.tar.gz/services/view.c
Changed
@@ -66,8 +66,9 @@ return v; } -/** This prototype is defined in in respip.h, but we want to avoid - * unnecessary dependencies */ +/* \noop (ignore this comment for doxygen) + * This prototype is defined in in respip.h, but we want to avoid + * unnecessary dependencies */ void respip_set_delete(struct respip_set *set); void
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/keyraw.c -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/keyraw.c
Changed
@@ -250,7 +250,8 @@ if(!(dsa = DSA_new())) { return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) +#if OPENSSL_VERSION_NUMBER < 0x10100000 || \ + (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f) #ifndef S_SPLINT_S dsa->p = P; dsa->q = Q; @@ -428,7 +429,8 @@ BN_free(modulus); return NULL; } -#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL) +#if OPENSSL_VERSION_NUMBER < 0x10100000 || \ + (defined(HAVE_LIBRESSL) && LIBRESSL_VERSION_NUMBER < 0x02070000f) #ifndef S_SPLINT_S rsa->n = modulus; rsa->e = exponent;
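Review bot: The constant `0x02070000f` in the new LibreSSL guard (this hunk and the one at -428) has nine hex digits and a trailing `f`, which reads like a typo or a float suffix. It has the same value as LibreSSL's own notation, so writing it as `0x2070000fL` would make the version boundary obvious. A short comment such as `/* LibreSSL before 2.7.0 has no setter functions, assign the struct members directly */` above each guard would also explain why the direct `dsa->p` / `rsa->n` assignments are kept for that case. Both enclosing functions start and end outside the hunks.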
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/parse.c -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/parse.c
Changed
@@ -34,7 +34,7 @@ { int c, prev_c; int p; /* 0 -> no parentheses seen, >0 nr of ( seen */ - int com, quoted; + int com, quoted, only_blank; char *t; size_t i; const char *d; @@ -53,6 +53,7 @@ com = 0; quoted = 0; prev_c = 0; + only_blank = 1; /* Assume we got only <blank> until now */ t = token; if (del0 == '"') { quoted = 1; @@ -101,6 +102,22 @@ if (line_nr) { *line_nr = *line_nr + 1; } + if (only_blank && i > 0) { + /* Got only <blank> so far. Reset and try + * again with the next line. + */ + i = 0; + t = token; + } + if (p == 0) { + /* If p != 0 then the next line is a continuation. So + * we assume that the next line starts with a blank only + * if it is actually a new line. + */ + only_blank = 1; /* Assume next line starts with + * <blank>. + */ + } if (p == 0 && i > 0) { goto tokenread; } else { @@ -131,12 +148,29 @@ /* check if we hit the delim */ for (d = del; *d; d++) { - if (c == *d && i > 0 && prev_c != '\\' && p == 0) { - if (c == '\n' && line_nr) { - *line_nr = *line_nr + 1; - } - goto tokenread; + if (c == *d) + break; + } + + if (c == *d && i > 0 && prev_c != '\\' && p == 0) { + if (c == '\n' && line_nr) { + *line_nr = *line_nr + 1; } + if (only_blank) { + /* Got only <blank> so far. Reset and + * try again with the next line. + */ + i = 0; + t = token; + only_blank = 1; + prev_c = c; + continue; + } + goto tokenread; + } + if (c != ' ' && c != '\t') { + /* Found something that is not <blank> */ + only_blank= 0; } if (c != '\0' && c != '\n') { i++; @@ -149,8 +183,13 @@ if (c != '\0' && c != '\n') { *t++ = c; } - if (c == '\n' && line_nr) { - *line_nr = *line_nr + 1; + if (c == '\n') { + if (line_nr) { + *line_nr = *line_nr + 1; + } + only_blank = 1; /* Assume next line starts with + * <blank>. + */ } if (c == '\\' && prev_c == '\\') prev_c = 0;
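Review bot: In the rewritten delimiter check (hunk at -131) the `for` loop leaves `d` on the terminating NUL of `del` when no delimiter matched, so the following `c == *d` test is also true when the byte just read is `'\0'`. In the removed code a NUL byte could never match a delimiter; as far as the hunk shows, an embedded NUL in the input now ends the token whenever `i > 0`. Testing for a match explicitly keeps the earlier behaviour: `if (*d != '\0' && i > 0 && prev_c != '\\' && p == 0) {`. The `only_blank = 1;` inside `if (only_blank)` is redundant and can be dropped. The enclosing function starts and ends outside these hunks.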
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/parseutil.c -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/parseutil.c
Changed
@@ -209,11 +209,13 @@ } uint32_t -sldns_str2period(const char *nptr, const char **endptr) +sldns_str2period(const char *nptr, const char **endptr, int* overflow) { int sign = 0; uint32_t i = 0; uint32_t seconds = 0; + const uint32_t maxint = 0xffffffff; + *overflow = 0; for(*endptr = nptr; **endptr; (*endptr)++) { switch (**endptr) { @@ -236,26 +238,46 @@ break; case 's': case 'S': + if(seconds > maxint-i) { + *overflow = 1; + return 0; + } seconds += i; i = 0; break; case 'm': case 'M': + if(i > maxint/60 || seconds > maxint-(i*60)) { + *overflow = 1; + return 0; + } seconds += i * 60; i = 0; break; case 'h': case 'H': + if(i > maxint/(60*60) || seconds > maxint-(i*60*60)) { + *overflow = 1; + return 0; + } seconds += i * 60 * 60; i = 0; break; case 'd': case 'D': + if(i > maxint/(60*60*24) || seconds > maxint-(i*60*60*24)) { + *overflow = 1; + return 0; + } seconds += i * 60 * 60 * 24; i = 0; break; case 'w': case 'W': + if(i > maxint/(60*60*24*7) || seconds > maxint-(i*60*60*24*7)) { + *overflow = 1; + return 0; + } seconds += i * 60 * 60 * 24 * 7; i = 0; break; @@ -269,15 +291,27 @@ case '7': case '8': case '9': + if(i > maxint/10 || i*10 > maxint - (**endptr - '0')) { + *overflow = 1; + return 0; + } i *= 10; i += (**endptr - '0'); break; default: + if(seconds > maxint-i) { + *overflow = 1; + return 0; + } seconds += i; /* disregard signedness */ return seconds; } } + if(seconds > maxint-i) { + *overflow = 1; + return 0; + } seconds += i; /* disregard signedness */ return seconds;
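Review bot: `*overflow = 0;` at the top of `sldns_str2period` dereferences the new parameter unconditionally, so every caller must pass a valid pointer, and nothing in this file says so. On overflow the function returns 0 with `*endptr` left on the character where the check failed. Because 0 is also a legal period, callers have to test the flag before they use the value or `*endptr`. I would record both facts above the definition, e.g. `/* overflow must not be NULL; on overflow returns 0 and *endptr stays on the offending character */`. The function's closing lines are outside the last hunk.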
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/parseutil.h -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/parseutil.h
Changed
@@ -58,7 +58,7 @@ * The function interprets time as the number of seconds since epoch * with respect to now using serial arithmetics (rfc1982). * That number of seconds is then converted to broken-out time information. - * This is especially usefull when converting the inception and expiration + * This is especially useful when converting the inception and expiration * fields of RRSIG records. * * \paramin time number of seconds since epoch (midnight, January 1st, 1970) @@ -74,9 +74,11 @@ * converts a ttl value (like 5d2h) to a long. * \paramin nptr the start of the string * \paramout endptr points to the last char in case of error + * \paramout overflow returns if the string causes integer overflow error, + * the number is too big, string of digits too long. * \return the convert duration value */ -uint32_t sldns_str2period(const char *nptr, const char **endptr); +uint32_t sldns_str2period(const char *nptr, const char **endptr, int* overflow); /** * Returns the int value of the given (hex) digit
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/pkthdr.h -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/pkthdr.h
Changed
@@ -97,18 +97,22 @@ #define QDCOUNT(wirebuf) (ntohs(*(uint16_t *)(wirebuf+QDCOUNT_OFF))) */ #define LDNS_QDCOUNT(wirebuf) (sldns_read_uint16(wirebuf+LDNS_QDCOUNT_OFF)) +#define LDNS_QDCOUNT_SET(wirebuf, i) (sldns_write_uint16(wirebuf+LDNS_QDCOUNT_OFF, i)) /* Counter of the answer section */ #define LDNS_ANCOUNT_OFF 6 #define LDNS_ANCOUNT(wirebuf) (sldns_read_uint16(wirebuf+LDNS_ANCOUNT_OFF)) +#define LDNS_ANCOUNT_SET(wirebuf, i) (sldns_write_uint16(wirebuf+LDNS_ANCOUNT_OFF, i)) /* Counter of the authority section */ #define LDNS_NSCOUNT_OFF 8 #define LDNS_NSCOUNT(wirebuf) (sldns_read_uint16(wirebuf+LDNS_NSCOUNT_OFF)) +#define LDNS_NSCOUNT_SET(wirebuf, i) (sldns_write_uint16(wirebuf+LDNS_NSCOUNT_OFF, i)) /* Counter of the additional section */ #define LDNS_ARCOUNT_OFF 10 #define LDNS_ARCOUNT(wirebuf) (sldns_read_uint16(wirebuf+LDNS_ARCOUNT_OFF)) +#define LDNS_ARCOUNT_SET(wirebuf, i) (sldns_write_uint16(wirebuf+LDNS_ARCOUNT_OFF, i)) /** * The sections of a packet
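Review bot: The four new `LDNS_*COUNT_SET` macros paste `wirebuf` and `i` into the expansion without parentheses, so an argument that is itself an expression (a conditional, for instance) would bind wrongly against `+LDNS_QDCOUNT_OFF`. They mirror the existing read macros, but since these write into the packet I would parenthesize the arguments: `#define LDNS_QDCOUNT_SET(wirebuf, i) (sldns_write_uint16((wirebuf)+LDNS_QDCOUNT_OFF, (i)))`, and likewise for the AN, NS and AR variants. A one-line comment that the caller must already have verified a full 12-byte header would document the precondition these writes rely on.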
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/rrdef.c -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/rrdef.c
Changed
@@ -381,9 +381,9 @@ /* 63 */ {LDNS_RR_TYPE_ZONEMD, "ZONEMD", 4, 4, type_zonemd_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, /* 64 */ - {LDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 0 }, + {LDNS_RR_TYPE_SVCB, "SVCB", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 1 }, /* 65 */ - {LDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 0 }, + {LDNS_RR_TYPE_HTTPS, "HTTPS", 2, 2, type_svcb_wireformat, LDNS_RDF_TYPE_SVCPARAM, LDNS_RR_NO_COMPRESS, 1 }, {(enum sldns_enum_rr_type)0, "TYPE66", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, {(enum sldns_enum_rr_type)0, "TYPE67", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 }, {(enum sldns_enum_rr_type)0, "TYPE68", 1, 1, type_0_wireformat, LDNS_RDF_TYPE_NONE, LDNS_RR_NO_COMPRESS, 0 },
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/rrdef.h -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/rrdef.h
Changed
@@ -196,8 +196,8 @@ LDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */ LDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */ LDNS_RR_TYPE_ZONEMD = 63, /* draft-ietf-dnsop-dns-zone-digest-12 */ - LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */ - LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */ + LDNS_RR_TYPE_SVCB = 64, /* draft-ietf-dnsop-svcb-https-04 */ + LDNS_RR_TYPE_HTTPS = 65, /* draft-ietf-dnsop-svcb-https-04 */ LDNS_RR_TYPE_SPF = 99, /* RFC 4408 */ @@ -435,10 +435,42 @@ LDNS_EDNS_CLIENT_SUBNET = 8, /* RFC7871 */ LDNS_EDNS_KEEPALIVE = 11, /* draft-ietf-dnsop-edns-tcp-keepalive*/ LDNS_EDNS_PADDING = 12, /* RFC7830 */ + LDNS_EDNS_EDE = 15, /* RFC8914 */ LDNS_EDNS_CLIENT_TAG = 16 /* draft-bellis-dnsop-edns-tags-01 */ }; typedef enum sldns_enum_edns_option sldns_edns_option; +enum sldns_enum_ede_code +{ + LDNS_EDE_NONE = -1, /* EDE undefined for internal use */ + LDNS_EDE_OTHER = 0, + LDNS_EDE_UNSUPPORTED_DNSKEY_ALG = 1, + LDNS_EDE_UNSUPPORTED_DS_DIGEST = 2, + LDNS_EDE_STALE_ANSWER = 3, + LDNS_EDE_FORGED_ANSWER = 4, + LDNS_EDE_DNSSEC_INDETERMINATE = 5, + LDNS_EDE_DNSSEC_BOGUS = 6, + LDNS_EDE_SIGNATURE_EXPIRED = 7, + LDNS_EDE_SIGNATURE_NOT_YET_VALID = 8, + LDNS_EDE_DNSKEY_MISSING = 9, + LDNS_EDE_RRSIGS_MISSING = 10, + LDNS_EDE_NO_ZONE_KEY_BIT_SET = 11, + LDNS_EDE_NSEC_MISSING = 12, + LDNS_EDE_CACHED_ERROR = 13, + LDNS_EDE_NOT_READY = 14, + LDNS_EDE_BLOCKED = 15, + LDNS_EDE_CENSORED = 16, + LDNS_EDE_FILTERED = 17, + LDNS_EDE_PROHIBITED = 18, + LDNS_EDE_STALE_NXDOMAIN_ANSWER = 19, + LDNS_EDE_NOT_AUTHORITATIVE = 20, + LDNS_EDE_NOT_SUPPORTED = 21, + LDNS_EDE_NO_REACHABLE_AUTHORITY = 22, + LDNS_EDE_NETWORK_ERROR = 23, + LDNS_EDE_INVALID_DATA = 24, +}; +typedef enum sldns_enum_ede_code sldns_ede_code; + #define LDNS_EDNS_MASK_DO_BIT 0x8000 /** TSIG and TKEY extended rcodes (16bit), 0-15 are the normal rcodes. */
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/str2wire.c -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/str2wire.c
Changed
@@ -25,8 +25,10 @@ #include <netdb.h> #endif +/** bits for the offset */ +#define RET_OFFSET_MASK (((unsigned)(~LDNS_WIREPARSE_MASK))>>LDNS_WIREPARSE_SHIFT) /** return an error */ -#define RET_ERR(e, off) ((int)((e)|((off)<<LDNS_WIREPARSE_SHIFT))) +#define RET_ERR(e, off) ((int)(((e)&LDNS_WIREPARSE_MASK)|(((off)&RET_OFFSET_MASK)<<LDNS_WIREPARSE_SHIFT))) /** Move parse error but keep its ID */ #define RET_ERR_SHIFT(e, move) RET_ERR(LDNS_WIREPARSE_ERROR(e), LDNS_WIREPARSE_OFFSET(e)+(move)); @@ -247,11 +249,16 @@ int* not_there, uint32_t* ttl, uint32_t default_ttl) { const char* endptr; + int overflow; if(sldns_bget_token(strbuf, token, "\t\n ", token_len) == -1) { return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_TTL, sldns_buffer_position(strbuf)); } - *ttl = (uint32_t) sldns_str2period(token, &endptr); + *ttl = (uint32_t) sldns_str2period(token, &endptr, &overflow); + if(overflow) { + return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, + sldns_buffer_position(strbuf)); + } if (strlen(token) > 0 && !isdigit((unsigned char)token0)) { *not_there = 1; @@ -371,7 +378,8 @@ /* skip spaces */ while(sldns_buffer_remaining(strbuf) > 0 && - *(sldns_buffer_current(strbuf)) == ' ') { + (*(sldns_buffer_current(strbuf)) == ' ' || + *(sldns_buffer_current(strbuf)) == '\t')) { sldns_buffer_skip(strbuf, 1); } @@ -543,9 +551,10 @@ { size_t slen; - /* skip spaces */ + /* skip spaces and tabs */ while(sldns_buffer_remaining(strbuf) > 0 && !*quoted && - *(sldns_buffer_current(strbuf)) == ' ') { + (*(sldns_buffer_current(strbuf)) == ' ' || + *(sldns_buffer_current(strbuf)) == '\t')) { sldns_buffer_skip(strbuf, 1); } @@ -601,7 +610,10 @@ size_t addstrlen = 0; /* add space */ - if(addlen < 1) return 0; + /* when addlen < 2, the token buffer is full considering the NULL byte + * from strlen and will lead to buffer overflow with the second + * assignment below. */ + if(addlen < 2) return 0; token*token_strlen = ' '; token++(*token_strlen) = 0; 
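Review bot: With the new masking in `RET_ERR` (first hunk), an offset larger than `RET_OFFSET_MASK` is silently reduced to the low bits of the field instead of overflowing the `int`. The position reported for an error deep inside a large input can therefore be wrong without any indication. That is the safer outcome, but the doc comment should say so, e.g. `/** bits for the offset; larger offsets wrap, so the reported position is only exact below this bound */`. Code that uses `LDNS_WIREPARSE_OFFSET()` to index back into the input should treat the value as a hint for messages only.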
@@ -664,10 +676,10 @@ ,sldns_str2wire_svcparam_key_cmp); - /* The code below revolves around sematic errors in the SVCParam set. + /* The code below revolves around semantic errors in the SVCParam set. * So long as we do not distinguish between running Unbound as a primary * or as a secondary, we default to secondary behavior and we ignore the - * sematic errors. */ + * semantic errors. */ #ifdef SVCB_SEMANTIC_ERRORS { @@ -769,7 +781,8 @@ /* unknown RR data */ if(token_strlen>=2 && strncmp(token, "\\#", 2) == 0 && - !quoted && (token_strlen == 2 || token2==' ')) { + !quoted && (token_strlen == 2 || token2==' ' || + token2=='\t')) { was_unknown_rr_format = 1; if((status=rrinternal_parse_unknown(strbuf, token, token_len, rr, rr_len, &rr_cur_len, @@ -1049,12 +1062,15 @@ return s; } else if(strncmp(line, "$TTL", 4) == 0 && isspace((unsigned char)line4)) { const char* end = NULL; + int overflow = 0; strlcpy((char*)rr, line, *len); *len = 0; *dname_len = 0; if(!parse_state) return LDNS_WIREPARSE_ERR_OK; parse_state->default_ttl = sldns_str2period( - sldns_strip_ws(line+5), &end); + sldns_strip_ws(line+5), &end, &overflow); + if(overflow) + return LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW; } else if (strncmp(line, "$INCLUDE", 8) == 0) { strlcpy((char*)rr, line, *len); *len = 0; @@ -1111,7 +1127,7 @@ if (!strncmp(key, "mandatory", sizeof("mandatory")-1)) return SVCB_KEY_MANDATORY; if (!strncmp(key, "echconfig", sizeof("echconfig")-1)) - return SVCB_KEY_ECH; /* allow "echconfig as well as "ech" */ + return SVCB_KEY_ECH; /* allow "echconfig" as well as "ech" */ break; case sizeof("alpn")-1: 
@@ -1350,7 +1366,7 @@ */ qsort((void *)(rd + 4), count, sizeof(uint16_t), sldns_network_uint16_cmp); - /* The code below revolves around sematic errors in the SVCParam set. + /* The code below revolves around semantic errors in the SVCParam set. * So long as we do not distinguish between running Unbound as a primary * or as a secondary, we default to secondary behavior and we ignore the * semantic errors. */ @@ -1427,7 +1443,7 @@ } /* The source is already properly unescaped, this double unescaping is purely to allow for - * comma's in comma seperated alpn lists. + * comma's in comma separated alpn lists. * * In draft-ietf-dnsop-svcb-https-06 Section 7: * To enable simpler parsing, this SvcParamValue MUST NOT contain escape sequences. @@ -1565,7 +1581,7 @@ return LDNS_WIREPARSE_ERR_GENERAL; } -int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len) +static int sldns_str2wire_svcparam_buf(const char* str, uint8_t* rd, size_t* rd_len) { const char* eq_pos; char unescaped_valLDNS_MAX_RDFLEN; @@ -1582,12 +1598,12 @@ if (*val_in == '"') { val_in++; while (*val_in != '"' - && (unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val) + && (size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val) && sldns_parse_char( (uint8_t*) val_out, &val_in)) { val_out++; } } else { - while ((unsigned)(val_out - unescaped_val + 1) < sizeof(unescaped_val) + while ((size_t)(val_out - unescaped_val + 1) < sizeof(unescaped_val) && sldns_parse_char( (uint8_t*) val_out, &val_in)) { val_out++; } @@ -2151,9 +2167,13 @@ int sldns_str2wire_period_buf(const char* str, uint8_t* rd, size_t* len) { const char* end; - uint32_t p = sldns_str2period(str, &end); + int overflow; + uint32_t p = sldns_str2period(str, &end, &overflow); if(*end != 0) return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_PERIOD, end-str); + if(overflow) + return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, + end-str); if(*len < 4) return LDNS_WIREPARSE_ERR_BUFFER_TOO_SMALL; sldns_write_uint32(rd, p);
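Review bot: In `sldns_str2wire_period_buf` (last hunk) the existing `*end != 0` test runs before the new `overflow` test. Per the parseutil.c hunks on this page, `sldns_str2period` returns early from inside its loop on overflow with `*endptr` still on a non-NUL character. Most overflows are therefore reported as `LDNS_WIREPARSE_ERR_SYNTAX_PERIOD`, and `LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW` is reached only through the check after the loop. The input is rejected either way, but moving `if(overflow) return RET_ERR(LDNS_WIREPARSE_ERR_SYNTAX_INTEGER_OVERFLOW, end-str);` above the `*end` test gives the accurate error code.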
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/str2wire.h -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/str2wire.h
Changed
@@ -187,7 +187,7 @@ #define LDNS_WIREPARSE_MASK 0x0fff #define LDNS_WIREPARSE_SHIFT 12 #define LDNS_WIREPARSE_ERROR(e) ((e)&LDNS_WIREPARSE_MASK) -#define LDNS_WIREPARSE_OFFSET(e) (((e)&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT) +#define LDNS_WIREPARSE_OFFSET(e) ((((unsigned)(e))&~LDNS_WIREPARSE_MASK)>>LDNS_WIREPARSE_SHIFT) /* use lookuptable to get error string, sldns_wireparse_errors */ #define LDNS_WIREPARSE_ERR_OK 0 #define LDNS_WIREPARSE_ERR_GENERAL 342
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/wire2str.c -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/wire2str.c
Changed
@@ -194,6 +194,7 @@ { 8, "edns-client-subnet" }, { 11, "edns-tcp-keepalive"}, { 12, "Padding" }, + { 15, "EDE"}, { 0, NULL} }; sldns_lookup_table* sldns_edns_options = sldns_edns_options_data; @@ -817,6 +818,7 @@ unsigned i, counter=0; unsigned maxcompr = MAX_COMPRESS_PTRS; /* loop detection, max compr ptrs */ int in_buf = 1; + size_t dname_len = 0; if(comprloop) { if(*comprloop != 0) maxcompr = 30; /* for like ipv6 reverse name, per label */ @@ -872,6 +874,16 @@ labellen = (uint8_t)*dlen; else if(!in_buf && pos+(size_t)labellen > pkt+pktlen) labellen = (uint8_t)(pkt + pktlen - pos); + dname_len += ((size_t)labellen)+1; + if(dname_len > LDNS_MAX_DOMAINLEN) { + /* dname_len counts the uncompressed length we have + * seen so far, and the domain name has become too + * long, prevent the loop from printing overly long + * content. */ + w += sldns_str_print(s, slen, + "ErrorDomainNameTooLong"); + return w; + } for(i=0; i<(unsigned)labellen; i++) { w += dname_char_print(s, slen, *pos++); } @@ -1059,7 +1071,7 @@ assert(data_len > 0); if (data_len % sizeof(uint16_t)) - return -1; // wireformat error, data_len must be multiple of shorts + return -1; /* wireformat error, data_len must be multiple of shorts */ w += sldns_str_print(s, slen, "="); w += sldns_print_svcparamkey(s, slen, sldns_read_uint16(data)); data += 2;
_service:tar_scm:unbound-1.13.2.tar.gz/sldns/wire2str.h -> _service:tar_scm:unbound-1.17.1.tar.gz/sldns/wire2str.h
Changed
@@ -59,7 +59,7 @@ char* sldns_wire2str_rr(uint8_t* rr, size_t len); /** - * Conver wire dname to a string. + * Convert wire dname to a string. * @param dname: the dname in uncompressed wireformat. * @param dname_len: length of the dname. * @return string or NULL on failure.
_service:tar_scm:unbound-1.13.2.tar.gz/smallapp/unbound-anchor.c -> _service:tar_scm:unbound-1.17.1.tar.gz/smallapp/unbound-anchor.c
Changed
@@ -2044,13 +2044,13 @@ const char* builtin_root_anchor = get_builtin_ds(); FILE* out = fopen(file, "w"); if(!out) { - if(verb) printf("%s: %s\n", file, strerror(errno)); - if(verb) printf(" could not write builtin anchor\n"); + printf("could not write builtin anchor, to file %s: %s\n", + file, strerror(errno)); return; } if(!fwrite(builtin_root_anchor, strlen(builtin_root_anchor), 1, out)) { - if(verb) printf("%s: %s\n", file, strerror(errno)); - if(verb) printf(" could not complete write builtin anchor\n"); + printf("could not complete write builtin anchor, to file %s: %s\n", + file, strerror(errno)); } fclose(out); }
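Review bot: The two failure messages are now printed unconditionally but still go to stdout through `printf`, where they mix with the tool's normal output; `fprintf(stderr, ...)` fits an error that is no longer gated on `verb`. The `fwrite` failure branch also still falls through to `fclose(out)` and returns normally. Because the `"w"` open has already truncated the file, a partially written trust-anchor file can be left in place, and the `fclose` result is not checked. Since the function has no return value to signal this, I would at least remove the incomplete file after a short write or a failed close. The function begins outside the hunk.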
_service:tar_scm:unbound-1.13.2.tar.gz/smallapp/unbound-checkconf.c -> _service:tar_scm:unbound-1.17.1.tar.gz/smallapp/unbound-checkconf.c
Changed
@@ -54,6 +54,7 @@ #include "iterator/iter_hints.h" #include "validator/validator.h" #include "services/localzone.h" +#include "services/listen_dnsport.h" #include "services/view.h" #include "services/authzone.h" #include "respip/respip.h" @@ -315,7 +316,7 @@ struct config_strlist* h; for(s=list; s; s=s->next) { for(h=s->hosts; h; h=h->next) { - if(extstrtoaddr(h->str, &a, &alen)) { + if(extstrtoaddr(h->str, &a, &alen, UNBOUND_DNS_PORT)) { fprintf(stderr, "unbound-checkconf: warning:" " %s %s: \"%s\" is an IP%s address, " "and when looked up as a host name " 
@@ -334,19 +335,78 @@ int d; struct sockaddr_storage a; socklen_t alen; - int i, j; + int i, j, i2, j2; + char*** resif = NULL; + int* num_resif = NULL; + char portbuf32; + snprintf(portbuf, sizeof(portbuf), "%d", cfg->port); + + if(cfg->num_ifs != 0) { + resif = (char***)calloc(cfg->num_ifs, sizeof(char**)); + if(!resif) fatal_exit("malloc failure"); + num_resif = (int*)calloc(cfg->num_ifs, sizeof(int)); + if(!num_resif) fatal_exit("malloc failure"); + } for(i=0; i<cfg->num_ifs; i++) { - if(!extstrtoaddr(cfg->ifsi, &a, &alen)) { - fatal_exit("cannot parse interface specified as '%s'", - cfg->ifsi); - } - for(j=0; j<cfg->num_ifs; j++) { - if(i!=j && strcmp(cfg->ifsi, cfg->ifsj)==0) + /* search for duplicates in IP or ifname arguments */ + for(i2=0; i2<i; i2++) { + if(strcmp(cfg->ifsi, cfg->ifsi2) == 0) { fatal_exit("interface: %s present twice, " "cannot bind same ports twice.", cfg->ifsi); + } + } + if(!resolve_interface_names(&cfg->ifsi, 1, NULL, &resifi, + &num_resifi)) { + fatal_exit("could not resolve interface names, for %s", + cfg->ifsi); + } + /* check for port combinations that are not supported */ + if(if_is_pp2(resifi0, portbuf, cfg->proxy_protocol_port)) { + if(if_is_dnscrypt(resifi0, portbuf, + cfg->dnscrypt_port)) { + fatal_exit("PROXYv2 and DNSCrypt combination not " + "supported!"); + } else if(if_is_https(resifi0, portbuf, + cfg->https_port)) { + fatal_exit("PROXYv2 and DoH combination not " + "supported!"); + } + } + /* search for duplicates in the returned addresses */ + for(j=0; j<num_resifi; j++) { + if(!extstrtoaddr(resifij, &a, &alen, cfg->port)) { + if(strcmp(cfg->ifsi, resifij) != 0) + fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'", + resifij, cfg->ifsi); + else + fatal_exit("cannot parse interface specified as '%s'", + cfg->ifsi); + } + for(i2=0; i2<i; i2++) { + for(j2=0; j2<num_resifi2; j2++) { + if(strcmp(resifij, resifi2j2) + == 0) { + char info11024, info21024; + if(strcmp(cfg->ifsi, resifij) != 
0) + snprintf(info1, sizeof(info1), "address %s from interface: %s", resifij, cfg->ifsi); + else snprintf(info1, sizeof(info1), "interface: %s", cfg->ifsi); + if(strcmp(cfg->ifsi2, resifi2j2) != 0) + snprintf(info2, sizeof(info2), "address %s from interface: %s", resifi2j2, cfg->ifsi2); + else snprintf(info2, sizeof(info2), "interface: %s", cfg->ifsi2); + fatal_exit("%s present twice, cannot bind the same ports twice. The first entry is %s and the second is %s", resifij, info2, info1); + } + } + } } } + + for(i=0; i<cfg->num_ifs; i++) { + config_del_strarray(resifi, num_resifi); + } + free(resif); + free(num_resif); + for(i=0; i<cfg->num_out_ifs; i++) { if(!ipstrtoaddr(cfg->out_ifsi, UNBOUND_DNS_PORT, &a, &alen) && !netblockstrtoaddr(cfg->out_ifsi, UNBOUND_DNS_PORT, &a, &alen, &d)) { @@ -362,6 +422,28 @@ } } +/** check interface-automatic-ports */ +static void +ifautomaticportschecks(char* ifautomaticports) +{ + char* now = ifautomaticports; + while(now && *now) { + char* after; + int extraport; + while(isspace((unsigned char)*now)) + now++; + if(!*now) + break; + after = now; + extraport = (int)strtol(now, &after, 10); + if(extraport < 0 || extraport > 65535) + fatal_exit("interface-automatic-ports: port out of range at position %d in '%s'", (int)(now-ifautomaticports)+1, ifautomaticports); + if(extraport == 0 && now == after) + fatal_exit("interface-automatic-ports: parse error at position %d in '%s'", (int)(now-ifautomaticports)+1, ifautomaticports); + now = after; + } +} + /** check acl ips */ static void aclchecks(struct config_file* cfg) @@ -562,6 +644,7 @@ warn_hosts("stub-host", cfg->stubs); warn_hosts("forward-host", cfg->forwards); interfacechecks(cfg); + ifautomaticportschecks(cfg->if_automatic_ports); aclchecks(cfg); tcpconnlimitchecks(cfg); 
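Review bot: `interfacechecks` reads the first resolved entry for interface `i` (shown on this page as `resifi0`, the brackets were lost in rendering) in the `if_is_pp2`, `if_is_dnscrypt` and `if_is_https` calls before anything checks that the count in `num_resif` for that interface is non-zero. Whether `resolve_interface_names` can succeed with an empty list is not visible here. If it can, this is a read past an empty array while parsing operator-supplied configuration. A guard on the count before the port-combination checks would settle it, as would a comment stating that success implies at least one entry.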
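Review bot: In `ifautomaticportschecks` the `strtol` result is cast to `int` before the range test, so where `long` is wider than `int` a value such as 4294967349 (constructed example, 2^32 + 53) is typically truncated to 53 and passes `extraport < 0 || extraport > 65535`. Keeping the value as `long` until after the check closes that gap: declare `long extraport;` and assign `extraport = strtol(now, &after, 10);`. The position arithmetic in the two `fatal_exit` calls is unaffected.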
@@ -645,6 +728,8 @@ && strcmp(cfg->module_conf, "dns64 iterator") != 0 && strcmp(cfg->module_conf, "respip iterator") != 0 && strcmp(cfg->module_conf, "respip validator iterator") != 0 + && strcmp(cfg->module_conf, "respip dns64 validator iterator") != 0 + && strcmp(cfg->module_conf, "respip dns64 iterator") != 0 #ifdef WITH_PYTHONMODULE && strcmp(cfg->module_conf, "python iterator") != 0 && strcmp(cfg->module_conf, "python respip iterator") != 0 @@ -739,6 +824,10 @@ && strcmp(cfg->module_conf, "validator python cachedb iterator") != 0 && strcmp(cfg->module_conf, "respip validator python cachedb iterator") != 0 #endif +#if defined(CLIENT_SUBNET) && defined(USE_CACHEDB) + && strcmp(cfg->module_conf, "respip subnetcache validator cachedb iterator") != 0 + && strcmp(cfg->module_conf, "subnetcache validator cachedb iterator") != 0 +#endif #ifdef CLIENT_SUBNET && strcmp(cfg->module_conf, "subnetcache iterator") != 0 && strcmp(cfg->module_conf, "respip subnetcache iterator") != 0 @@ -909,9 +998,9 @@ const char* f; const char* opt = NULL; const char* cfgfile = CONFIGFILE; + checklock_start(); log_ident_set("unbound-checkconf"); log_init(NULL, 0, NULL); - checklock_start(); #ifdef USE_WINSOCK /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile")))
_service:tar_scm:unbound-1.13.2.tar.gz/smallapp/unbound-control.c -> _service:tar_scm:unbound-1.17.1.tar.gz/smallapp/unbound-control.c
Changed
@@ -102,6 +102,12 @@ printf(" stop stops the server\n"); printf(" reload reloads the server\n"); printf(" (this flushes data, stats, requestlist)\n"); + printf(" reload_keep_cache reloads the server but tries to\n"); + printf(" keep the RRset and message cache\n"); + printf(" if (re)configuration allows for it.\n"); + printf(" That means the caches sizes and\n"); + printf(" the number of threads must not\n"); + printf(" change between reloads.\n"); printf(" stats print statistics\n"); printf(" stats_noreset peek at statistics\n"); #ifdef HAVE_SHMGET @@ -155,9 +161,9 @@ printf(" ratelimit_list +a list ratelimited domains\n"); printf(" ip_ratelimit_list +a list ratelimited ip addresses\n"); printf(" +a list all, also not ratelimited\n"); - printf(" list_auth_zones list auth zones\n"); - printf(" auth_zone_reload zone reload auth zone from zonefile\n"); - printf(" auth_zone_transfer zone transfer auth zone from master\n"); + printf(" list_auth_zones list auth zones (includes RPZ zones)\n"); + printf(" auth_zone_reload zone reload auth zone (or RPZ zone) from zonefile\n"); + printf(" auth_zone_transfer zone transfer auth zone (or RPZ zone) from master\n"); printf(" view_list_local_zones view list local-zones in view\n"); printf(" view_list_local_data view list local-data RRs in view\n"); printf(" view_local_zone view name type add local-zone in view\n"); @@ -180,8 +186,6 @@ #ifdef HAVE_SHMGET /** what to put on statistics lines between var and value, ": " or "=" */ #define SQ "=" -/** if true, inhibits a lot of =0 lines from the stats output */ -static const int inhibit_zero = 1; /** divide sum of timers to get average */ static void timeval_divide(struct timeval* avg, const struct timeval* sum, long long d) @@ -316,7 +320,7 @@ } /** print extended */ -static void print_extended(struct ub_stats_info* s) +static void print_extended(struct ub_stats_info* s, int inhibit_zero) { int i; char nm16; 
@@ -354,6 +358,7 @@ /* transport */ PR_UL("num.query.tcp", s->svr.qtcp); PR_UL("num.query.tcpout", s->svr.qtcp_outgoing); + PR_UL("num.query.udpout", s->svr.qudp_outgoing); PR_UL("num.query.tls", s->svr.qtls); PR_UL("num.query.tls_resume", s->svr.qtls_resume); PR_UL("num.query.ipv6", s->svr.qipv6); @@ -438,13 +443,13 @@ if(cfg->stat_extended) { print_mem(shm_stat, &stats0); print_hist(stats); - print_extended(stats); + print_extended(stats, cfg->stat_inhibit_zero); } } #endif /* HAVE_SHMGET */ /** print statistics from shm memory segment */ -static void print_stats_shm(const char* cfgfile) +static void print_stats_shm(const char* cfgfile, int quiet) { #ifdef HAVE_SHMGET struct config_file* cfg; @@ -474,8 +479,11 @@ fatal_exit("shmat(%d): %s", id_arr, strerror(errno)); } - /* print the stats */ - do_stats_shm(cfg, stats, shm_stat); + + if(!quiet) { + /* print the stats */ + do_stats_shm(cfg, stats, shm_stat); + } /* shutdown */ shmdt(shm_stat); @@ -483,6 +491,7 @@ config_delete(cfg); #else (void)cfgfile; + (void)quiet; #endif /* HAVE_SHMGET */ } @@ -499,7 +508,7 @@ { unsigned long err; err = ERR_peek_error(); - if (ERR_GET_LIB(err) == ERR_LIB_SYS) { + if(ERR_GET_LIB(err) == ERR_LIB_SYS) { fprintf(stderr, "error: %s\n%s: %s\n", s, path, ERR_reason_error_string(err)); exit(1); @@ -541,11 +550,11 @@ #endif if(!SSL_CTX_use_certificate_chain_file(ctx,c_cert)) ssl_path_err("Error setting up SSL_CTX client cert", c_cert); - if (!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) + if(!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)) ssl_path_err("Error setting up SSL_CTX client key", c_key); - if (!SSL_CTX_check_private_key(ctx)) + if(!SSL_CTX_check_private_key(ctx)) ssl_err("Error setting up SSL_CTX client key"); - if (SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) + if(SSL_CTX_load_verify_locations(ctx, s_cert, NULL) != 1) ssl_path_err("Error setting up SSL_CTX verify, server cert", s_cert); SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); 
@@ -596,7 +605,7 @@ struct sockaddr_storage addr2; socklen_t addrlen2; if(extstrtoaddr(cfg->control_ifs.first->str, &addr2, - &addrlen2)) { + &addrlen2, UNBOUND_DNS_PORT)) { svr = cfg->control_ifs.first->str; } else { if(!resolve_interface_names(NULL, 0, @@ -624,7 +633,7 @@ svr = "::1"; } if(strchr(svr, '@')) { - if(!extstrtoaddr(svr, &addr, &addrlen)) + if(!extstrtoaddr(svr, &addr, &addrlen, UNBOUND_DNS_PORT)) fatal_exit("could not parse IP@port: %s", svr); #ifdef HAVE_SYS_UN_H } else if(svr0 == '/') { @@ -880,8 +889,9 @@ if(first_line && strncmp(buf, "error", 5) == 0) { printf("%s", buf); was_error = 1; - } else if (!quiet) + } else if(!quiet) { printf("%s", buf); + } first_line = 0; } @@ -944,9 +954,9 @@ extern int check_locking_order; check_locking_order = 0; #endif /* USE_THREAD_DEBUG */ + checklock_start(); log_ident_set("unbound-control"); log_init(NULL, 0, NULL); - checklock_start(); #ifdef USE_WINSOCK /* use registry config file in preference to compiletime location */ if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile"))) @@ -987,7 +997,7 @@ #endif } if(argc >= 1 && strcmp(argv0, "stats_shm")==0) { - print_stats_shm(cfgfile); + print_stats_shm(cfgfile, quiet); return 0; } check_args_for_listcmd(argc, argv);
_service:tar_scm:unbound-1.13.2.tar.gz/smallapp/worker_cb.c -> _service:tar_scm:unbound-1.17.1.tar.gz/smallapp/worker_cb.c
Changed
@@ -97,10 +97,12 @@ struct outbound_entry* worker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), + char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q), + int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0; @@ -129,10 +131,12 @@ struct outbound_entry* libworker_send_query( struct query_info* ATTR_UNUSED(qinfo), uint16_t ATTR_UNUSED(flags), int ATTR_UNUSED(dnssec), int ATTR_UNUSED(want_dnssec), - int ATTR_UNUSED(nocaps), struct sockaddr_storage* ATTR_UNUSED(addr), + int ATTR_UNUSED(nocaps), int ATTR_UNUSED(check_ratelimit), + struct sockaddr_storage* ATTR_UNUSED(addr), socklen_t ATTR_UNUSED(addrlen), uint8_t* ATTR_UNUSED(zone), - size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(ssl_upstream), - char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q)) + size_t ATTR_UNUSED(zonelen), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), + char* ATTR_UNUSED(tls_auth_name), struct module_qstate* ATTR_UNUSED(q), + int* ATTR_UNUSED(was_ratelimited)) { log_assert(0); return 0;
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/asynclook.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/asynclook.c
Changed
@@ -406,10 +406,10 @@ struct lookinfo* lookups; int i, r, cancel=0, blocking=0, ext=0; + checklock_start(); /* init log now because solaris thr_key_create() is not threadsafe */ log_init(0,0,0); /* lock debug start (if any) */ - checklock_start(); /* create context */ ctx = ub_ctx_create();
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/delayer.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/delayer.c
Changed
@@ -974,7 +974,7 @@
 dl_tv_add(&reuse, &delay);
 if(reuse.tv_sec == 0)
 reuse.tv_sec = 1;
- if(!extstrtoaddr(serv_str, &srv_addr, &srv_len)) {
+ if(!extstrtoaddr(serv_str, &srv_addr, &srv_len, UNBOUND_DNS_PORT)) {
 printf("cannot parse forward address: %s\n", serv_str);
 exit(1);
 }
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/do-tests.sh -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/do-tests.sh
Changed
@@ -16,6 +16,7 @@ NEED_IPV6='fwd_ancil.tdir fwd_tcp_tc6.tdir stub_udp6.tdir edns_cache.tdir' NEED_NOMINGW='tcp_sigpipe.tdir 07-confroot.tdir 08-host-lib.tdir fwd_ancil.tdir' NEED_DNSCRYPT_PROXY='dnscrypt_queries.tdir dnscrypt_queries_chacha.tdir' +NEED_UNSHARE='acl_interface.tdir proxy_protocol.tdir' # test if dig and ldns-testns are available. test_tool_avail "dig" @@ -50,6 +51,7 @@ skip_if_in_list $test "$NEED_NC" "nc" skip_if_in_list $test "$NEED_WHOAMI" "whoami" skip_if_in_list $test "$NEED_DNSCRYPT_PROXY" "dnscrypt-proxy" + skip_if_in_list $test "$NEED_UNSHARE" "unshare" if echo $NEED_IPV6 | grep $test >/dev/null; then if test "$HAVE_IPV6" = no; then
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/dohclient.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/dohclient.c
Changed
@@ -358,7 +358,7 @@ } if(sldns_buffer_remaining(h2_stream->buf) < len) { - log_err("received data chunck does not fit into buffer"); + log_err("received data chunk does not fit into buffer"); return NGHTTP2_ERR_CALLBACK_FAILURE; } @@ -531,7 +531,7 @@ h2_session->block_select = 1; - /* hande query */ + /* handle query */ for(i=0; i<count; i+=3) { buf = make_query(qi, qi+1, qi+2); submit_query(h2_session, buf); @@ -551,7 +551,7 @@ if(ctx) { SSL_CTX_free(ctx); } - close(fd); + sock_close(fd); } /** getopt global, in case header files fail to declare it. */ @@ -571,8 +571,9 @@ return 1; } #endif - log_init(0, 0, 0); checklock_start(); + log_init(0, 0, 0); + log_ident_set("dohclient"); h2_session = http2_session_create(); if(!h2_session) fatal_exit("out of memory");
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/fake_event.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/fake_event.c
Changed
@@ -384,8 +384,8 @@ fill_buffer_with_reply(c.buffer, entry, pend->pkt, pend->pkt_len, pend->tcp_pkt_counter); repinfo.c = &c; - repinfo.addrlen = pend->addrlen; - memcpy(&repinfo.addr, &pend->addr, pend->addrlen); + repinfo.remote_addrlen = pend->addrlen; + memcpy(&repinfo.remote_addr, &pend->addr, pend->addrlen); if(!pend->serviced) { if(entry && entry->reply_list->next && pend->tcp_pkt_counter < count_reply_packets(entry)) { @@ -415,7 +415,7 @@ tr = transport_udp; if((runtime->now->addrlen == 0 || sockaddr_cmp( &runtime->now->addr, runtime->now->addrlen, - &ans->repinfo.addr, ans->repinfo.addrlen) == 0) && + &ans->repinfo.remote_addr, ans->repinfo.remote_addrlen) == 0) && find_match(runtime->now->match, ans->pkt, ans->pkt_len, tr)) { log_info("testbound matched event entry from line %d", @@ -453,10 +453,12 @@ repinfo.c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); if(!repinfo.c) fatal_exit("out of memory in fake_front_query"); - repinfo.addrlen = (socklen_t)sizeof(struct sockaddr_in); + repinfo.remote_addrlen = (socklen_t)sizeof(struct sockaddr_in); if(todo->addrlen != 0) { - repinfo.addrlen = todo->addrlen; - memcpy(&repinfo.addr, &todo->addr, todo->addrlen); + repinfo.remote_addrlen = todo->addrlen; + memcpy(&repinfo.remote_addr, &todo->addr, todo->addrlen); + repinfo.client_addrlen = todo->addrlen; + memcpy(&repinfo.client_addr, &todo->addr, todo->addrlen); } repinfo.c->fd = -1; repinfo.c->ev = (struct internal_event*)runtime; @@ -510,8 +512,8 @@ p->pkt_len, p->tcp_pkt_counter); } repinfo.c = &c; - repinfo.addrlen = p->addrlen; - memcpy(&repinfo.addr, &p->addr, p->addrlen); + repinfo.remote_addrlen = p->addrlen; + memcpy(&repinfo.remote_addr, &p->addr, p->addrlen); if(!p->serviced) { if(todo->match && todo->match->reply_list->next && !error && p->tcp_pkt_counter < count_reply_packets(todo->match)) { 
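Review bot: In the `@@ -453,10 +453,12 @@` hunk the new `client_addrlen`/`client_addr` fields are assigned only inside `if(todo->addrlen != 0)`, while the default just above it sets `remote_addrlen` alone. When a replay entry carries no address, the client fields keep whatever `repinfo` held before (its initialisation is not visible in the hunk), so any code that reads the client address would see a length that disagrees with the remote one. Setting both defaults, `repinfo.client_addrlen = (socklen_t)sizeof(struct sockaddr_in);` right after the `remote_addrlen` default, keeps them consistent. The `memcpy` calls also trust `todo->addrlen` to fit the destination; a `log_assert(todo->addrlen <= sizeof(repinfo.remote_addr));` would document that assumption. The enclosing function starts and ends outside the hunk.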
@@ -1187,12 +1189,13 @@ struct serviced_query* outnet_serviced_query(struct outside_network* outnet, struct query_info* qinfo, uint16_t flags, int dnssec, int ATTR_UNUSED(want_dnssec), int ATTR_UNUSED(nocaps), + int ATTR_UNUSED(check_ratelimit), int ATTR_UNUSED(tcp_upstream), int ATTR_UNUSED(ssl_upstream), char* ATTR_UNUSED(tls_auth_name), struct sockaddr_storage* addr, socklen_t addrlen, uint8_t* zone, size_t zonelen, struct module_qstate* qstate, comm_point_callback_type* callback, void* callback_arg, sldns_buffer* ATTR_UNUSED(buff), - struct module_env* env) + struct module_env* env, int* ATTR_UNUSED(was_ratelimited)) { struct replay_runtime* runtime = (struct replay_runtime*)outnet->base; struct fake_pending* pend = (struct fake_pending*)calloc(1, 
@@ -1222,11 +1225,37 @@ if(1) { struct edns_data edns; struct edns_string_addr* client_string_addr; + struct edns_option* backed_up_opt_list = + qstate->edns_opts_back_out; + struct edns_option* per_upstream_opt_list = NULL; + /* If we have an already populated EDNS option list make a copy + * since we may now add upstream specific EDNS options. */ + if(qstate->edns_opts_back_out) { + per_upstream_opt_list = edns_opt_copy_region( + qstate->edns_opts_back_out, qstate->region); + if(!per_upstream_opt_list) { + free(pend); + fatal_exit("out of memory"); + } + qstate->edns_opts_back_out = per_upstream_opt_list; + } if(!inplace_cb_query_call(env, qinfo, flags, addr, addrlen, zone, zonelen, qstate, qstate->region)) { free(pend); return NULL; } + /* Restore the option list; we can explicitly use the copied + * one from now on. */ + per_upstream_opt_list = qstate->edns_opts_back_out; + qstate->edns_opts_back_out = backed_up_opt_list; + if((client_string_addr = edns_string_addr_lookup( + &env->edns_strings->client_strings, + addr, addrlen))) { + edns_opt_list_append(&per_upstream_opt_list, + env->edns_strings->client_string_opcode, + client_string_addr->string_len, + client_string_addr->string, qstate->region); + } /* add edns */ edns.edns_present = 1; edns.ext_rcode = 0; @@ -1236,15 +1265,9 @@ if(dnssec) edns.bits = EDNS_DO; edns.padding_block_size = 0; - if((client_string_addr = edns_string_addr_lookup( - &env->edns_strings->client_strings, - addr, addrlen))) { - edns_opt_list_append(&qstate->edns_opts_back_out, - env->edns_strings->client_string_opcode, - client_string_addr->string_len, - client_string_addr->string, qstate->region); - } - edns.opt_list = qstate->edns_opts_back_out; + edns.opt_list_in = NULL; + edns.opt_list_out = per_upstream_opt_list; + edns.opt_list_inplace_cb_out = NULL; attach_edns_record(pend->buffer, &edns); } memcpy(&pend->addr, addr, addrlen); 
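Review bot: The early return taken when `inplace_cb_query_call` fails leaves `qstate->edns_opts_back_out` pointing at the per-upstream copy, because the restore to `backed_up_opt_list` happens only on the success path below it. If the caller keeps using `qstate` after the NULL return, it would carry whatever the callbacks appended for this one upstream, which appears to be exactly what the copy was introduced to avoid. Restoring first, `qstate->edns_opts_back_out = backed_up_opt_list;` ahead of `free(pend); return NULL;`, closes that path. The function body starts and ends outside the hunk.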
@@ -1323,7 +1346,7 @@ char** ATTR_UNUSED(ifs), int ATTR_UNUSED(num_ifs), int* ATTR_UNUSED(reuseport)) { - return calloc(1, 1); + return calloc(1, sizeof(struct listen_port)); } void listening_ports_free(struct listen_port* list) @@ -1422,6 +1445,11 @@ log_assert(0); } +void serviced_timer_cb(void *ATTR_UNUSED(arg)) +{ + log_assert(0); +} + void pending_udp_timer_delay_cb(void *ATTR_UNUSED(arg)) { log_assert(0); @@ -1637,6 +1665,7 @@ struct comm_point* comm_point_create_udp(struct comm_base *ATTR_UNUSED(base), int ATTR_UNUSED(fd), sldns_buffer* ATTR_UNUSED(buffer), + int ATTR_UNUSED(pp2_enabled), comm_point_callback_type* ATTR_UNUSED(callback), void* ATTR_UNUSED(callback_arg), struct unbound_socket* ATTR_UNUSED(socket))
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/lock_verify.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/lock_verify.c
Changed
@@ -387,6 +387,37 @@ fprintf(stderr, "\n"); } +/** delete lock ref */ +static void dellockref(rbnode_type* node, void* ATTR_UNUSED(arg)) +{ + struct lock_ref* o = (struct lock_ref*)node; + if(!o) return; + free(o->file); + free(o); +} + +/** delete lock node */ +static void delnode(rbnode_type* node, void* ATTR_UNUSED(arg)) +{ + struct order_lock* o = (struct order_lock*)node; + if(!o) return; + free(o->create_file); + if(o->smaller) { + traverse_postorder(o->smaller, &dellockref, NULL); + free(o->smaller); + } + free(o); +} + +/** delete allocated memory */ +static void locks_free(rbtree_type* all_locks) +{ + if(!all_locks) + return; + traverse_postorder(all_locks, &delnode, NULL); + free(all_locks); +} + /** main program to verify all traces passed */ int main(int argc, char* argv) @@ -403,6 +434,7 @@ usage(); return 1; } + checklock_start(); log_init(NULL, 0, NULL); log_ident_set("lock-verify"); /* init */ @@ -421,6 +453,7 @@ printf("checked %d locks in %d seconds with %d errors.\n", (int)all_locks->count, (int)(time(NULL)-starttime), errors_detected); + locks_free(all_locks); if(errors_detected) return 1; return 0; }
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/mini_tdir.sh -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/mini_tdir.sh
Changed
@@ -5,6 +5,11 @@ shift shift fi + +# This will keep the temporary directory around and return 1 when the test failed. +DEBUG=0 +test -n "$DEBUG_TDIR" && DEBUG=1 + quiet=0 if test "$1" = "-q"; then quiet=1 @@ -13,9 +18,9 @@ if test "$1" = "clean"; then if test $quiet = 0; then - echo "rm -f result.* .done* .tdir.var.master .tdir.var.test" + echo "rm -f result.* .done* .skip* .tdir.var.master .tdir.var.test" fi - rm -f result.* .done* .tdir.var.master .tdir.var.test + rm -f result.* .done* .skip* .tdir.var.master .tdir.var.test exit 0 fi if test "$1" = "fake"; then @@ -50,12 +55,15 @@ echo "** PASSED ** $timelen $name: $desc" pass=`expr $pass + 1` fi + elif test -f ".skip-$name"; then + echo ".. SKIPPED.. $timelen $name: $desc" + skip=`expr $skip + 1` else if test -f "result.$name"; then echo "!! FAILED !! $timelen $name: $desc" fail=`expr $fail + 1` else - echo ".> SKIPPED<< $timelen $name: $desc" + echo ".. SKIPPED.. $timelen $name: $desc" skip=`expr $skip + 1` fi fi @@ -77,11 +85,17 @@ if test $quiet = 0; then echo "** PASSED ** : $name" fi + elif test -f ".skip-$name"; then + if test $quiet = 0; then + echo ".. SKIPPED.. : $name" + fi else if test -f "result.$name"; then echo "!! FAILED !! : $name" else - echo ">> SKIPPED<< : $name" + if test $quiet = 0; then + echo ".. SKIPPED.. : $name" + fi fi fi done @@ -112,6 +126,7 @@ dir=$name.$$ result=result.$name done=.done-$name +skip=.skip-$name success="no" if test -x "`which bash`"; then shell="bash" @@ -120,8 +135,8 @@ fi # check already done -if test -f .done-$name; then - echo "minitdir .done-$name exists. skip test." +if test -f $done; then + echo "minitdir $done exists. skip test." exit 0 fi 
@@ -147,11 +162,16 @@ fi echo "minitdir exe $name.pre" >> $result $shell $name.pre $args >> $result - if test $? -ne 0; then + exit_value=$? + if test $exit_value -eq 3; then + echo "$name: SKIPPED" >> $result + echo "$name: SKIPPED" > ../$skip + echo "$name: SKIPPED" + elif test $exit_value -ne 0; then echo "Warning: $name.pre did not exit successfully" fi fi -if test -f $name.test; then +if test -f $name.test -a ! -f ../$skip; then if test $quiet = 0; then echo "minitdir exe $name.test" fi @@ -163,14 +183,14 @@ success="no" else echo "$name: PASSED" >> $result - echo "$name: PASSED" > ../.done-$name + echo "$name: PASSED" > ../$done if test $quiet = 0; then echo "$name: PASSED" fi success="yes" fi fi -if test -f $name.post; then +if test -f $name.post -a ! -f ../$skip; then if test $quiet = 0; then echo "minitdir exe $name.post" fi @@ -184,11 +204,18 @@ mv $result .. cd .. -rm -rf $dir -# compat for windows where deletion may not succeed initially (files locked -# by processes that still have to exit). -if test $? -eq 1; then - echo "minitdir waiting for processes to terminate" - sleep 2 # some time to exit, and try again +if test $DEBUG -eq 0; then rm -rf $dir + # compat for windows where deletion may not succeed initially (files locked + # by processes that still have to exit). + if test $? -eq 1; then + echo "minitdir waiting for processes to terminate" + sleep 2 # some time to exit, and try again + rm -rf $dir + fi +else + if test $success = "no"; then + exit 1 + fi + exit 0 fi
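Review bot: With `DEBUG_TDIR` set, the final `else` branch exits 1 whenever `success` is still `no`, which is also the case for a test whose `.pre` script returned 3, because the `.test` step is then skipped and `success` is never updated. A skipped test is therefore reported to the caller as a failure, which does not match the comment added with the `DEBUG` variable ("return 1 when the test failed"). Checking the skip marker as well, `if test $success = "no" && test ! -f "$skip"; then`, keeps the debug exit status meaningful. The new `test -f $name.test -a ! -f ../$skip` conditions would also be more robust as two quoted `test` calls joined with `&&`, since `-a` is marked obsolescent in POSIX and the unquoted expansions break on names containing whitespace.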
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/perf.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/perf.c
Changed
@@ -575,9 +575,9 @@ memset(&info, 0, sizeof(info)); info.io_num = 16; + checklock_start(); log_init(NULL, 0, NULL); log_ident_set("perf"); - checklock_start(); #ifdef USE_WINSOCK if((r = WSAStartup(MAKEWORD(2,2), &wsa_data)) != 0) fatal_exit("WSAStartup failed: %s", wsa_strerror(r)); @@ -618,7 +618,7 @@ printf("error: pass server IP address on commandline.\n"); usage(nm); } - if(!extstrtoaddr(argv0, &info.dest, &info.destlen)) { + if(!extstrtoaddr(argv0, &info.dest, &info.destlen, UNBOUND_DNS_PORT)) { printf("Could not parse ip: %s\n", argv0); exit(1); }
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/petal.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/petal.c
Changed
@@ -220,8 +220,11 @@ host0 = 0; while(read_ssl_line(ssl, buf, sizeof(buf))) { if(verb>=2) printf("read: %s\n", buf); - if(buf0 == 0) + if(buf0 == 0) { + int e = ERR_peek_error(); + printf("error string: %s\n", ERR_reason_error_string(e)); return 1; + } if(!process_one_header(buf, file, flen, host, hlen, vs)) return 0; } @@ -241,8 +244,11 @@ #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL SSL_CTX_set_security_level(ctx, 0); /* for keys in tests */ #endif - if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) + if(!SSL_CTX_use_certificate_chain_file(ctx, cert)) { + int e = ERR_peek_error(); + printf("error string: %s\n", ERR_reason_error_string(e)); print_exit("cannot read cert"); + } if(!SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) print_exit("cannot read key"); if(!SSL_CTX_check_private_key(ctx)) @@ -576,10 +582,9 @@ { SSL_CTX* sslctx = setup_ctx(key, cert); int fd = setup_fd(addr, port); - int go = 1; if(fd == -1) print_exit("could not setup sockets"); if(verb) {printf("petal start\n"); fflush(stdout);} - while(go) { + while(1) { struct sockaddr_storage from; socklen_t flen = (socklen_t)sizeof(from); int s;
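Review bot: Both added diagnostics store the result of `ERR_peek_error()` in an `int`, although it returns `unsigned long` and `ERR_reason_error_string()` takes one, so the code can be truncated before the lookup; this applies to the `read_ssl_line` loop hunk and to the `SSL_CTX_use_certificate_chain_file` hunk. `ERR_reason_error_string()` can also return NULL when no reason string is available (in the empty-line case of the first hunk there may be no queued error at all), and passing NULL to `%s` is undefined behaviour. I would declare `unsigned long e = ERR_peek_error();` and print `ERR_reason_error_string(e) ? ERR_reason_error_string(e) : "(no reason)"`, in line with the `unsigned long err` that `ssl_path_err` uses elsewhere on this page. Both enclosing functions start outside their hunks.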
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/replay.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/replay.c
Changed
@@ -179,7 +179,8 @@ while(isspace((unsigned char)*parse)) parse++; strip_end_white(parse); - if(!extstrtoaddr(parse, &rng->addr, &rng->addrlen)) { + if(!extstrtoaddr(parse, &rng->addr, &rng->addrlen, + UNBOUND_DNS_PORT)) { log_err("Line %d: could not read ADDRESS: %s", pstate->lineno, parse); free(rng); @@ -287,7 +288,8 @@ } else if(parse_keyword(&remain, "QUERY")) { mom->evt_type = repevt_front_query; readentry = 1; - if(!extstrtoaddr("127.0.0.1", &mom->addr, &mom->addrlen)) + if(!extstrtoaddr("127.0.0.1", &mom->addr, &mom->addrlen, + UNBOUND_DNS_PORT)) fatal_exit("internal error"); } else if(parse_keyword(&remain, "CHECK_ANSWER")) { mom->evt_type = repevt_front_reply; @@ -354,7 +356,7 @@ m++; while(isspace((unsigned char)*m)) m++; - if(!extstrtoaddr(s, &mom->addr, &mom->addrlen)) + if(!extstrtoaddr(s, &mom->addr, &mom->addrlen, UNBOUND_DNS_PORT)) fatal_exit("bad infra_rtt address %s", s); strip_end_white(m); mom->variable = strdup(remain); @@ -372,7 +374,8 @@ while(isspace((unsigned char)*remain)) remain++; strip_end_white(remain); - if(!extstrtoaddr(remain, &mom->addr, &mom->addrlen)) { + if(!extstrtoaddr(remain, &mom->addr, &mom->addrlen, + UNBOUND_DNS_PORT)) { log_err("line %d: could not parse ADDRESS: %s", pstate->lineno, remain); free(mom);
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/streamtcp.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/streamtcp.c
Changed
@@ -49,6 +49,7 @@ #include "util/locks.h" #include "util/log.h" #include "util/net_help.h" +#include "util/proxy_protocol.h" #include "util/data/msgencode.h" #include "util/data/msgparse.h" #include "util/data/msgreply.h" @@ -71,6 +72,7 @@ printf("usage: %s options name type class ...\n", argv0); printf(" sends the name-type-class queries over TCP.\n"); printf("-f server what ipaddr@portnr to send the queries to\n"); + printf("-p client what ipaddr@portnr to include in PROXYv2\n"); printf("-u use UDP. No retries are attempted.\n"); printf("-n do not wait for an answer.\n"); printf("-a print answers as they arrive.\n"); @@ -82,18 +84,17 @@ /** open TCP socket to svr */ static int -open_svr(const char* svr, int udp) +open_svr(const char* svr, int udp, struct sockaddr_storage* addr, + socklen_t* addrlen) { - struct sockaddr_storage addr; - socklen_t addrlen; int fd = -1; /* svr can be ip@port */ - memset(&addr, 0, sizeof(addr)); - if(!extstrtoaddr(svr, &addr, &addrlen)) { + memset(addr, 0, sizeof(*addr)); + if(!extstrtoaddr(svr, addr, addrlen, UNBOUND_DNS_PORT)) { printf("fatal: bad server specs '%s'\n", svr); exit(1); } - fd = socket(addr_is_ip6(&addr, addrlen)?PF_INET6:PF_INET, + fd = socket(addr_is_ip6(addr, *addrlen)?PF_INET6:PF_INET, udp?SOCK_DGRAM:SOCK_STREAM, 0); if(fd == -1) { #ifndef USE_WINSOCK @@ -103,7 +104,7 @@ #endif exit(1); } - if(connect(fd, (struct sockaddr*)&addr, addrlen) < 0) { + if(connect(fd, (struct sockaddr*)addr, *addrlen) < 0) { #ifndef USE_WINSOCK perror("connect() error"); #else 
@@ -116,11 +117,12 @@ /** write a query over the TCP fd */ static void -write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, +write_q(int fd, int udp, SSL* ssl, sldns_buffer* buf, uint16_t id, + sldns_buffer* proxy_buf, int pp2_parsed, const char* strname, const char* strtype, const char* strclass) { struct query_info qinfo; - uint16_t len; + size_t proxy_buf_limit = sldns_buffer_limit(proxy_buf); /* qname */ qinfo.qname = sldns_str2wire_dname(strname, &qinfo.qname_len); if(!qinfo.qname) { @@ -152,9 +154,27 @@ attach_edns_record(buf, &edns); } + /* we need to send the PROXYv2 information in every UDP message */ + if(udp && pp2_parsed) { + /* append the proxy_buf with the buf's content + * and use that for sending */ + if(sldns_buffer_capacity(proxy_buf) < + sldns_buffer_limit(proxy_buf) + + sldns_buffer_limit(buf)) { + printf("buffer too small for packet + proxy"); + exit(1); + } + sldns_buffer_clear(proxy_buf); + sldns_buffer_skip(proxy_buf, proxy_buf_limit); + sldns_buffer_write(proxy_buf, sldns_buffer_begin(buf), + sldns_buffer_limit(buf)); + sldns_buffer_flip(proxy_buf); + buf = proxy_buf; + } + /* send it */ if(!udp) { - len = (uint16_t)sldns_buffer_limit(buf); + uint16_t len = (uint16_t)sldns_buffer_limit(buf); len = htons(len); if(ssl) { if(SSL_write(ssl, (void*)&len, (int)sizeof(len)) <= 0) { @@ -167,7 +187,7 @@ #ifndef USE_WINSOCK perror("send() len failed"); #else - printf("send len: %s\n", + printf("send len: %s\n", wsa_strerror(WSAGetLastError())); #endif exit(1); 
@@ -182,17 +202,20 @@ } } else { if(send(fd, (void*)sldns_buffer_begin(buf), - sldns_buffer_limit(buf), 0) < + sldns_buffer_limit(buf), 0) < (ssize_t)sldns_buffer_limit(buf)) { #ifndef USE_WINSOCK perror("send() data failed"); #else - printf("send data: %s\n", wsa_strerror(WSAGetLastError())); + printf("send data: %s\n", + wsa_strerror(WSAGetLastError())); #endif exit(1); } } + /* reset the proxy_buf for next packet */ + sldns_buffer_set_limit(proxy_buf, proxy_buf_limit); free(qinfo.qname); } @@ -224,7 +247,7 @@ #ifndef USE_WINSOCK perror("read() len failed"); #else - printf("read len: %s\n", + printf("read len: %s\n", wsa_strerror(WSAGetLastError())); #endif exit(1); @@ -243,12 +266,12 @@ if(r != (int)len) fatal_exit("ssl_read %d of %d", r, len); } else { - if(recv(fd, (void*)sldns_buffer_begin(buf), len, 0) < + if(recv(fd, (void*)sldns_buffer_begin(buf), len, 0) < (ssize_t)len) { #ifndef USE_WINSOCK perror("read() data failed"); #else - printf("read data: %s\n", + printf("read data: %s\n", wsa_strerror(WSAGetLastError())); #endif exit(1); @@ -257,12 +280,12 @@ } else { ssize_t l; sldns_buffer_clear(buf); - if((l=recv(fd, (void*)sldns_buffer_begin(buf), + if((l=recv(fd, (void*)sldns_buffer_begin(buf), sldns_buffer_capacity(buf), 0)) < 0) { #ifndef USE_WINSOCK perror("read() data failed"); #else - printf("read data: %s\n", + printf("read data: %s\n", wsa_strerror(WSAGetLastError())); #endif exit(1); 
@@ -324,17 +347,40 @@ return (int)arc4random(); } +/* parse the pp2_client and populate the proxy_buffer + * It doesn't populate the destination parts. */ +static int parse_pp2_client(const char* pp2_client, int udp, + sldns_buffer* proxy_buf) +{ + struct sockaddr_storage pp2_addr; + socklen_t pp2_addrlen = 0; + memset(&pp2_addr, 0, sizeof(pp2_addr)); + if(*pp2_client == 0) return 0; + if(!extstrtoaddr(pp2_client, &pp2_addr, &pp2_addrlen, UNBOUND_DNS_PORT)) { + printf("fatal: bad proxy client specs '%s'\n", pp2_client); + exit(1); + } + sldns_buffer_clear(proxy_buf); + pp2_write_to_buf(proxy_buf, &pp2_addr, !udp); + sldns_buffer_flip(proxy_buf); + return 1; +} + /** send the TCP queries and print answers */ static void -send_em(const char* svr, int udp, int usessl, int noanswer, int onarrival, - int delay, int num, char** qs) +send_em(const char* svr, const char* pp2_client, int udp, int usessl, + int noanswer, int onarrival, int delay, int num, char** qs) { sldns_buffer* buf = sldns_buffer_new(65553); - int fd = open_svr(svr, udp); - int i, wait_results = 0; + sldns_buffer* proxy_buf = sldns_buffer_new(65553); + struct sockaddr_storage svr_addr; + socklen_t svr_addrlen; + int fd = open_svr(svr, udp, &svr_addr, &svr_addrlen); + int i, wait_results = 0, pp2_parsed; SSL_CTX* ctx = NULL; SSL* ssl = NULL; if(!buf) fatal_exit("out of memory"); + pp2_parsed = parse_pp2_client(pp2_client, udp, proxy_buf); if(usessl) { ctx = connect_sslctx_create(NULL, NULL, NULL, 0); if(!ctx) fatal_exit("cannot create ssl ctx"); 
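Review bot: `proxy_buf` is allocated with `sldns_buffer_new(65553)` but only `buf` is checked, so an allocation failure reaches `parse_pp2_client()` and later `write_q()`, which reads `sldns_buffer_limit(proxy_buf)` unconditionally even when no `-p` option was given. Extending the existing guard to `if(!buf || !proxy_buf) fatal_exit("out of memory");` covers it. In `parse_pp2_client()` the result of `pp2_write_to_buf()` is discarded; if that function reports a too-small buffer or an unsupported address through its return value (its prototype is not on this page), the tool would go on to send an empty or partial PROXYv2 header, so the return is worth checking. `send_em` continues past the end of the hunk.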
@@ -361,6 +407,28 @@ } } } + /* Send the PROXYv2 information once per stream */ + if(!udp && pp2_parsed) { + if(ssl) { + if(SSL_write(ssl, (void*)sldns_buffer_begin(proxy_buf), + (int)sldns_buffer_limit(proxy_buf)) <= 0) { + log_crypto_err("cannot SSL_write"); + exit(1); + } + } else { + if(send(fd, (void*)sldns_buffer_begin(proxy_buf), + sldns_buffer_limit(proxy_buf), 0) < + (ssize_t)sldns_buffer_limit(proxy_buf)) { +#ifndef USE_WINSOCK + perror("send() data failed"); +#else + printf("send data: %s\n", + wsa_strerror(WSAGetLastError())); +#endif + exit(1); + } + } + } for(i=0; i<num; i+=3) { if (delay != 0) { #ifdef HAVE_SLEEP @@ -370,8 +438,9 @@ #endif } printf("\nNext query is %s %s %s\n", qsi, qsi+1, qsi+2); - write_q(fd, udp, ssl, buf, (uint16_t)get_random(), qsi, - qsi+1, qsi+2); + write_q(fd, udp, ssl, buf, (uint16_t)get_random(), proxy_buf, + pp2_parsed, + qsi, qsi+1, qsi+2); /* print at least one result */ if(onarrival) { wait_results += 1; /* one more answer to fetch */ @@ -390,6 +459,7 @@ } sock_close(fd); sldns_buffer_free(buf); + sldns_buffer_free(proxy_buf); printf("orderly exit\n"); } @@ -418,10 +488,11 @@ extern char* optarg; /** main program for streamtcp */ -int main(int argc, char** argv) +int main(int argc, char** argv) { int c; const char* svr = "127.0.0.1"; + const char* pp2_client = ""; int udp = 0; int noanswer = 0; int onarrival = 0; @@ -437,8 +508,8 @@ #endif /* lock debug start (if any) */ - log_init(0, 0, 0); checklock_start(); + log_init(0, 0, 0); #ifdef SIGPIPE if(signal(SIGPIPE, &sigh) == SIG_ERR) { @@ -451,11 +522,14 @@ if(argc == 1) { usage(argv); } - while( (c=getopt(argc, argv, "af:hnsud:")) != -1) { + while( (c=getopt(argc, argv, "af:p:hnsud:")) != -1) { switch(c) { case 'f': svr = optarg; break; + case 'p': + pp2_client = optarg; + break; case 'a': onarrival = 1; break; 
@@ -508,7 +582,7 @@ (void)OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); #endif } - send_em(svr, udp, usessl, noanswer, onarrival, delay, argc, argv); + send_em(svr, pp2_client, udp, usessl, noanswer, onarrival, delay, argc, argv); checklock_stop(); #ifdef USE_WINSOCK WSACleanup();
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/testbound.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/testbound.c
Changed
@@ -374,6 +374,7 @@ (void)unsetenv("NOTIFY_SOCKET"); #endif /* HAVE_SYSTEMD */ + checklock_start(); log_init(NULL, 0, NULL); /* determine commandline options for the daemon */ pass_argc = 1; @@ -604,3 +605,13 @@ { return 0; } + +void listen_setup_locks(void) +{ + /* nothing */ +} + +void listen_desetup_locks(void) +{ + /* nothing */ +}
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/testpkts.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/testpkts.c
Changed
@@ -128,6 +128,8 @@ e->match_answer = 1; } else if(str_keyword(&parse, "subdomain")) { e->match_subdomain = 1; + } else if(str_keyword(&parse, "all_noedns")) { + e->match_all_noedns = 1; } else if(str_keyword(&parse, "all")) { e->match_all = 1; } else if(str_keyword(&parse, "ttl")) { @@ -148,7 +150,22 @@ error("expected = or : in MATCH: %s", line); parse++; e->ixfr_soa_serial = (uint32_t)strtol(parse, (char**)&parse, 10); - while(isspace((unsigned char)*parse)) + while(isspace((unsigned char)*parse)) + parse++; + } else if(str_keyword(&parse, "ede")) { + e->match_ede = 1; + if(*parse != '=' && *parse != ':') + error("expected = or : in MATCH: %s", line); + parse++; + while(isspace((unsigned char)*parse)) + parse++; + if(str_keyword(&parse, "any")) { + e->match_ede_any = 1; + } else { + e->ede_info_code = (uint16_t)strtol(parse, + (char**)&parse, 10); + } + while(isspace((unsigned char)*parse)) parse++; } else { error("could not parse MATCH: '%s'", parse); @@ -266,11 +283,15 @@ e->match_answer = 0; e->match_subdomain = 0; e->match_all = 0; + e->match_all_noedns = 0; e->match_ttl = 0; e->match_do = 0; e->match_noedns = 0; e->match_serial = 0; e->ixfr_soa_serial = 0; + e->match_ede = 0; + e->match_ede_any = 0; + e->ede_info_code = -1; e->match_transport = transport_any; e->reply_list = NULL; e->copy_id = 0; @@ -817,7 +838,7 @@ return 0; } -/** get ptr to EDNS OPT record (and remaining length); behind the type u16 */ +/** get ptr to EDNS OPT record (and remaining length); after the type u16 */ static int pkt_find_edns_opt(uint8_t** p, size_t* plen) { 
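Review bot: In the new `ede` branch of the MATCH parser the info-code is read with `strtol(parse, (char**)&parse, 10)` and cast straight to `uint16_t`, with no check that any digits were consumed or that the value fits in 16 bits. A typo such as `ede=abc` is then silently accepted as info-code 0, and `ede=70000` wraps to another code, so a test file can match something other than what its author wrote. Parsing into a `long` with a separate end pointer and rejecting bad input, for example `if(end == parse || v < 0 || v > 0xffff) error("expected info-code in MATCH: %s", line);`, would make such mistakes fail loudly, as the other malformed-MATCH cases in this function already do. The enclosing function starts and ends outside the hunk.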
@@ -884,6 +905,39 @@ return (int)(edns_bits&LDNS_EDNS_MASK_DO_BIT); } +/** Snips the EDE option out of the OPT record and returns the EDNS EDE + * INFO-CODE if found, else -1 */ +static int +extract_ede(uint8_t* pkt, size_t len) +{ + uint8_t *rdata, *opt_position = pkt; + uint16_t rdlen, optlen; + size_t remaining = len; + int ede_code; + if(!pkt_find_edns_opt(&opt_position, &remaining)) return -1; + if(remaining < 8) return -1; /* malformed */ + rdlen = sldns_read_uint16(opt_position+6); + rdata = opt_position + 8; + while(rdlen > 0) { + if(rdlen < 4) return -1; /* malformed */ + optlen = sldns_read_uint16(rdata+2); + if(sldns_read_uint16(rdata) == LDNS_EDNS_EDE) { + if(rdlen < 6) return -1; /* malformed */ + ede_code = sldns_read_uint16(rdata+4); + /* snip option from packet; assumes len is correct */ + memmove(rdata, rdata+4+optlen, + (pkt+len)-(rdata+4+optlen)); + /* update OPT size */ + sldns_write_uint16(opt_position+6, + sldns_read_uint16(opt_position+6)-(4+optlen)); + return ede_code; + } + rdlen -= 4 + optlen; + rdata += 4 + optlen; + } + return -1; +} + /** zero TTLs in packet */ static void zerottls(uint8_t* pkt, size_t pktlen) @@ -1201,7 +1255,7 @@ return 0; } - /* remove after answer section, (;; AUTH, ;; ADD, ;; MSG size ..) */ + /* remove after answer section, (;; ANS, ;; AUTH, ;; ADD ..) */ s = strstr(qcmpstr, ";; ANSWER SECTION"); if(!s) s = strstr(qcmpstr, ";; AUTHORITY SECTION"); if(!s) s = strstr(qcmpstr, ";; ADDITIONAL SECTION"); 
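Review bot: `extract_ede()` walks the OPT rdata using lengths taken from the packet without bounding them: `rdlen` is never compared with `remaining`, and `optlen` is never compared with `rdlen`. With an option length larger than what is left, `rdlen -= 4 + optlen` wraps the `uint16_t` and the loop keeps reading past the record, and in the EDE branch `(pkt+len)-(rdata+4+optlen)` can go negative and turn into a huge `memmove` size. Two guards cover this: `if((size_t)rdlen > remaining - 8) return -1;` after reading `rdlen`, and `if(optlen > rdlen - 4) return -1;` after reading `optlen`; the EDE branch should also require `optlen >= 2` before reading the info-code, since the current `rdlen < 6` test does not establish that. The inline comment "assumes len is correct" marks the gap; returning -1 for a malformed OPT is safer than relying on it.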
@@ -1292,18 +1346,36 @@ return r; } +/** ignore EDNS lines in the string by overwriting them with what's left or + * zero out if at end of the string */ +static int +ignore_edns_lines(char* str) { + char* edns = str, *n; + size_t str_len = strlen(str); + while((edns = strstr(edns, "; EDNS"))) { + n = strchr(edns, '\n'); + if(!n) { + /* EDNS at end of string; zero */ + *edns = 0; + break; + } + memmove(edns, n+1, str_len-(n-str)); + } + return 1; +} + /** match all of the packet */ int match_all(uint8_t* q, size_t qlen, uint8_t* p, size_t plen, int mttl, - int noloc) + int noloc, int noedns) { char* qstr, *pstr; uint8_t* qb = q, *pb = p; int r; - /* zero TTLs */ qb = memdup(q, qlen); pb = memdup(p, plen); if(!qb || !pb) error("out of memory"); + /* zero TTLs */ if(!mttl) { zerottls(qb, qlen); zerottls(pb, plen); @@ -1313,6 +1385,11 @@ qstr = sldns_wire2str_pkt(qb, qlen); pstr = sldns_wire2str_pkt(pb, plen); if(!qstr || !pstr) error("cannot pkt2string"); + /* should we ignore EDNS lines? */ + if(noedns) { + ignore_edns_lines(qstr); + ignore_edns_lines(pstr); + } r = (strcmp(qstr, pstr) == 0); if(!r) { /* remove ;; MSG SIZE (at end of string) */ @@ -1321,8 +1398,8 @@ s = strstr(pstr, ";; MSG SIZE"); if(s) *s=0; r = (strcmp(qstr, pstr) == 0); - if(!r && !noloc) { - /* we are going to fail see if it is because of EDNS */ + if(!r && !noloc && !noedns) { + /* we are going to fail, see if the cause is EDNS */ char* a = strstr(qstr, "; EDNS"); char* b = strstr(pstr, "; EDNS"); if( (a&&!b) || (b&&!a) ) { 
@@ -1428,13 +1505,32 @@ enum transport_type transport) { struct entry* p = entries; - uint8_t* reply; - size_t rlen; + uint8_t* reply, *query_pkt_orig; + size_t rlen, query_pkt_orig_len; + /* Keep the original packet; it may be modified */ + query_pkt_orig = memdup(query_pkt, len); + query_pkt_orig_len = len; for(p=entries; p; p=p->next) { verbose(3, "comparepkt: "); reply = p->reply_list->reply_pkt; rlen = p->reply_list->reply_len; - if(p->match_opcode && get_opcode(query_pkt, len) != + /* Restore the original packet for each entry */ + memcpy(query_pkt, query_pkt_orig, query_pkt_orig_len); + /* EDE should be first since it may modify the query_pkt */ + if(p->match_ede) { + int info_code = extract_ede(query_pkt, len); + if(info_code == -1) { + verbose(3, "bad EDE. Expected but not found\n"); + continue; + } else if(!p->match_ede_any && + (uint16_t)info_code != p->ede_info_code) { + verbose(3, "bad EDE INFO-CODE. Expected: %d, " + "and got: %d\n", (int)p->ede_info_code, + info_code); + continue; + } + } + if(p->match_opcode && get_opcode(query_pkt, len) != get_opcode(reply, rlen)) { verbose(3, "bad opcode\n"); continue; @@ -1502,14 +1598,25 @@ verbose(3, "bad transport\n"); continue; } + if(p->match_all_noedns && !match_all(query_pkt, len, reply, + rlen, (int)p->match_ttl, 0, 1)) { + verbose(3, "bad all_noedns match\n"); + continue; + } if(p->match_all && !match_all(query_pkt, len, reply, rlen, - (int)p->match_ttl, 0)) { + (int)p->match_ttl, 0, 0)) { verbose(3, "bad allmatch\n"); continue; } verbose(3, "match!\n"); + /* Restore the original packet */ + memcpy(query_pkt, query_pkt_orig, query_pkt_orig_len); + free(query_pkt_orig); return p; } + /* Restore the original packet */ + memcpy(query_pkt, query_pkt_orig, query_pkt_orig_len); + free(query_pkt_orig); return NULL; }
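Review bot: The result of `memdup(query_pkt, len)` is used unchecked, so an allocation failure turns the `memcpy(query_pkt, query_pkt_orig, query_pkt_orig_len)` at the top of the loop into a null-pointer read. match_all in the same file already guards its copies with `if(!qb || !pb) error("out of memory");`, so `if(!query_pkt_orig) error("out of memory");` directly after the memdup would be consistent. The restore-and-free pair is also written out twice in the second hunk, once per exit; a single cleanup path would be harder to miss when another return is added. The enclosing function starts before the first hunk.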
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/testpkts.h -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/testpkts.h
Changed
@@ -40,20 +40,30 @@ ENTRY_BEGIN ; first give MATCH lines, that say what queries are matched ; by this entry. - ; 'opcode' makes the query match the opcode from the reply - ; if you leave it out, any opcode matches this entry. - ; 'qtype' makes the query match the qtype from the reply - ; 'qname' makes the query match the qname from the reply - ; 'subdomain' makes the query match subdomains of qname from the reply - ; 'serial=1023' makes the query match if ixfr serial is 1023. + ; 'opcode' makes the query match the opcode from the reply; + ; if you leave it out, any opcode matches this entry. + ; 'qtype' makes the query match the qtype from the reply. + ; 'qname' makes the query match the qname from the reply. + ; 'subdomain' makes the query match subdomains of qname from the reply. + ; 'serial=1023' makes the query match if ixfr serial is 1023. ; 'all' has to match header byte for byte and all rrs in packet. + ; 'all_noedns' has to match header byte for byte and all rrs in packet; + ; ignoring EDNS. ; 'ttl' used with all, rrs in packet must also have matching TTLs. ; 'DO' will match only queries with DO bit set. ; 'noedns' matches queries without EDNS OPT records. - ; 'rcode' makes the query match the rcode from the reply - ; 'question' makes the query match the question section - ; 'answer' makes the query match the answer section + ; 'rcode' makes the query match the rcode from the reply. + ; 'question' makes the query match the question section. + ; 'answer' makes the query match the answer section. ; 'ednsdata' matches queries to HEX_EDNS section. + ; 'UDP' matches if the transport is UDP. + ; 'TCP' matches if the transport is TCP. + ; 'ede=2' makes the query match if the EDNS EDE info-code is 2. + ; It also snips the EDE record out of the packet to facilitate + ; other matches. + ; 'ede=any' makes the query match any EDNS EDE info-code. + ; It also snips the EDE record out of the packet to facilitate + ; other matches. 
MATCH opcode qtype qname serial=<value> all ttl MATCH UDP|TCP DO MATCH ... @@ -72,6 +82,12 @@ ; 'sleep=10' sleeps for 10 seconds before giving the answer (TCP is open) ADJUST sleep=<num> ; sleep before giving any reply ADJUST packet_sleep=<num> ; sleep before this packet in sequence + ; 'copy_ednsdata_assume_clientsubnet' copies ednsdata to reply, assumes + ; it is clientsubnet and adjusts scopemask to match sourcemask. + ADJUST copy_ednsdata_assume_clientsubnet + ; 'increment_ecs_scope' increments the ECS scope copied from the + ; sourcemask by one. + ADJUST increment_ecs_scope SECTION QUESTION <RRs, one per line> ; the RRcount is determined automatically. SECTION ANSWER @@ -167,11 +183,11 @@ /* match */ /* How to match an incoming query with this canned reply */ /** match query opcode with answer opcode */ - uint8_t match_opcode; + uint8_t match_opcode; /** match qtype with answer qtype */ - uint8_t match_qtype; + uint8_t match_qtype; /** match qname with answer qname */ - uint8_t match_qname; + uint8_t match_qname; /** match rcode with answer rcode */ uint8_t match_rcode; /** match question section */ @@ -179,11 +195,17 @@ /** match answer section */ uint8_t match_answer; /** match qname as subdomain of answer qname */ - uint8_t match_subdomain; + uint8_t match_subdomain; /** match SOA serial number, from auth section */ - uint8_t match_serial; + uint8_t match_serial; + /** match EDNS EDE info-code */ + uint8_t match_ede; + /** match any EDNS EDE info-code */ + uint8_t match_ede_any; /** match all of the packet */ uint8_t match_all; + /** match all of the packet; ignore EDNS */ + uint8_t match_all_noedns; /** match ttls in the packet */ uint8_t match_ttl; /** match DO bit */ 
@@ -193,9 +215,11 @@ /** match edns data field given in hex */ uint8_t match_ednsdata_raw; /** match query serial with this value. */ - uint32_t ixfr_soa_serial; + uint32_t ixfr_soa_serial; /** match on UDP/TCP */ - enum transport_type match_transport; + enum transport_type match_transport; + /** match EDNS EDE info-code with this value. */ + uint16_t ede_info_code; /** pre canned reply */ struct reply_packet *reply_list; @@ -260,10 +284,11 @@ * @param mttl: if true, ttls must match, if false, ttls do not need to match * @param noloc: if true, rrs may be reordered in their packet-section. * rrs are then matches without location of the rr being important. + * @param noedns: if true, edns is not compared, if false, edns must match. * @return true if matched. */ int match_all(uint8_t* q, size_t qlen, uint8_t* p, size_t plen, int mttl, - int noloc); + int noloc, int noedns); /** * copy & adjust packet, mallocs a copy.
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unitecs.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unitecs.c
Changed
@@ -173,7 +173,7 @@ for (i = 0; i < 1000; i++) { l = randomkey(&k, 128); elem = (struct reply_info *) calloc(1, sizeof(struct reply_info)); - addrtree_insert(t, k, l, 64, elem, timenow + 10, timenow); + addrtree_insert(t, k, l, 64, elem, timenow + 10, timenow, 0); /* This should always hold because no items ever expire. They * could be overwritten, though. */ unit_assert( count <= t->node_count ); @@ -189,7 +189,7 @@ for (i = 0; i < 1000; i++) { l = randomkey(&k, 128); elem = (struct reply_info *) calloc(1, sizeof(struct reply_info)); - addrtree_insert(t, k, l, 64, elem, i + 10, i); + addrtree_insert(t, k, l, 64, elem, i + 10, i, 0); free(k); unit_assert( !addrtree_inconsistent(t) ); } @@ -201,7 +201,7 @@ for (i = 0; i < 1000; i++) { l = randomkey(&k, 128); elem = (struct reply_info *) calloc(1, sizeof(struct reply_info)); - addrtree_insert(t, k, l, 64, elem, i + 10, i); + addrtree_insert(t, k, l, 64, elem, i + 10, i, 0); unit_assert( t->node_count <= 27); free(k); unit_assert( !addrtree_inconsistent(t) );
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unitldns.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unitldns.c
Changed
@@ -243,28 +243,28 @@ memset(target, 0, sizeof(target)); result = sldns_b64_pton(p1, (uint8_t*)target, tarsize); - unit_assert(result == strlen("hello") && strcmp(target, "hello") == 0); + unit_assert(result == (int)strlen("hello") && strcmp(target, "hello") == 0); memset(target, 0, sizeof(target)); result = sldns_b64_pton(p2, (uint8_t*)target, tarsize); - unit_assert(result == strlen("hello>") && strcmp(target, "hello>") == 0); + unit_assert(result == (int)strlen("hello>") && strcmp(target, "hello>") == 0); memset(target, 0, sizeof(target)); result = sldns_b64_pton(p3, (uint8_t*)target, tarsize); - unit_assert(result == strlen("hello?!") && strcmp(target, "hello?!") == 0); + unit_assert(result == (int)strlen("hello?!") && strcmp(target, "hello?!") == 0); memset(target, 0, sizeof(target)); result = sldns_b64_pton(p4, (uint8_t*)target, tarsize); /* when padding is used everything that is not a block of 4 will be * ignored */ - unit_assert(result == strlen("hel") && strcmp(target, "hel") == 0); + unit_assert(result == (int)strlen("hel") && strcmp(target, "hel") == 0); memset(target, 0, sizeof(target)); result = sldns_b64url_pton(u1, strlen(u1), (uint8_t*)target, tarsize); - unit_assert(result == strlen("hello") && strcmp(target, "hello") == 0); + unit_assert(result == (int)strlen("hello") && strcmp(target, "hello") == 0); memset(target, 0, sizeof(target)); result = sldns_b64url_pton(u2, strlen(u2), (uint8_t*)target, tarsize); - unit_assert(result == strlen("hello>") && strcmp(target, "hello>") == 0); + unit_assert(result == (int)strlen("hello>") && strcmp(target, "hello>") == 0); memset(target, 0, sizeof(target)); result = sldns_b64url_pton(u3, strlen(u3), (uint8_t*)target, tarsize); - unit_assert(result == strlen("hello+/") && strcmp(target, "hello?!") == 0); + unit_assert(result == (int)strlen("hello+/") && strcmp(target, "hello?!") == 0); /* one item in block of four is not allowed */ memset(target, 0, sizeof(target)); result = sldns_b64url_pton(u4, strlen(u4), 
(uint8_t*)target, tarsize);
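Review bot: The last changed assertion measures `strlen("hello+/")` but compares the decoded buffer with `"hello?!"`. The two literals happen to have the same length, so the check passes, but the mismatch reads like a copy error. Using the expected plaintext in both places, `unit_assert(result == (int)strlen("hello?!") && strcmp(target, "hello?!") == 0);`, ties the length and content checks to one value. The test function starts and ends outside the hunk.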
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unitmain.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unitmain.c
Changed
@@ -861,6 +861,7 @@ int main(int argc, char* argv) { + checklock_start(); log_init(NULL, 0, NULL); if(argc != 1) { printf("usage: %s\n", argv0); @@ -888,7 +889,6 @@ if(NSS_NoDB_Init(".") != SECSuccess) fatal_exit("could not init NSS"); #endif /* HAVE_SSL or HAVE_NSS*/ - checklock_start(); authzone_test(); neg_test(); rnd_test(); @@ -918,7 +918,7 @@ checklock_stop(); printf("%d checks ok.\n", testcount); #ifdef HAVE_SSL -# if defined(USE_GOST) && defined(HAVE_LDNS_KEY_EVP_UNLOAD_GOST) +# if defined(USE_GOST) sldns_key_EVP_unload_gost(); # endif # ifdef HAVE_OPENSSL_CONFIG
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unitmsgparse.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unitmsgparse.c
Changed
@@ -137,7 +137,7 @@ /* compare packets */ unit_assert(match_all(sldns_buffer_begin(pkt), sldns_buffer_limit(pkt), sldns_buffer_begin(out), sldns_buffer_limit(out), 1, - matches_nolocation)); + matches_nolocation, 0)); return 0; }
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unittcpreuse.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unittcpreuse.c
Changed
@@ -44,6 +44,8 @@ #include "util/random.h" #include "services/outside_network.h" +#define MAX_TCP_WAITING_NODES 5 + /** add number of new IDs to the reuse tree, randomly chosen */ static void tcpid_addmore(struct reuse_tcp* reuse, struct outside_network* outnet, unsigned int addnum) 
@@ -228,9 +230,260 @@ free(outnet.tcp_conns); } +static void check_waiting_tcp_list(struct outside_network* outnet, + struct waiting_tcp* first, struct waiting_tcp* last, size_t total) +{ + size_t i, j; + struct waiting_tcp* w = outnet->tcp_wait_first; + struct waiting_tcp* n = NULL; + if(first) unit_assert(outnet->tcp_wait_first == first); + if(last) unit_assert(outnet->tcp_wait_last == last && !last->next_waiting); + for(i=0; w; i++) { + unit_assert(i<total); /* otherwise we are looping */ + unit_assert(w->on_tcp_waiting_list); + n = w->next_waiting; + for(j=0; n; j++) { + unit_assert(j<total-i-1); /* otherwise we are looping */ + unit_assert(n != w); + n = n->next_waiting; + } + w = w->next_waiting; + } +} + +/** clear the tcp waiting list */ +static void waiting_tcp_list_clear(struct outside_network* outnet) +{ + struct waiting_tcp* w = outnet->tcp_wait_first, *n = NULL; + if(!w) return; + unit_assert(outnet->tcp_wait_first); + unit_assert(outnet->tcp_wait_last); + while(w) { + n = w->next_waiting; + w->on_tcp_waiting_list = 0; + w->next_waiting = (struct waiting_tcp*)1; /* In purpose faux value */ + w = n; + } + outnet->tcp_wait_first = NULL; + outnet->tcp_wait_last = NULL; +} + +/** check removal of the waiting_tcp element on the given position of total + * elements */ +static void check_waiting_tcp_removal(int is_pop, + struct outside_network* outnet, struct waiting_tcp* store, + size_t position, size_t total) +{ + size_t i; + struct waiting_tcp* w; + waiting_tcp_list_clear(outnet); + for(i=0; i<total; i++) { + outnet_waiting_tcp_list_add(outnet, &storei, 0); + } + check_waiting_tcp_list(outnet, &store0, &storetotal-1, total); + + if(is_pop) { + w = outnet_waiting_tcp_list_pop(outnet); + unit_assert(w); /* please clang-analyser */ + } else { + w = outnet->tcp_wait_first; + for(i=0; i<position; i++) { + unit_assert(w); /* please clang-analyser */ + w = w->next_waiting; + } + unit_assert(w); /* please clang-analyser */ + outnet_waiting_tcp_list_remove(outnet, 
w); + } + unit_assert(!(w->on_tcp_waiting_list || w->next_waiting)); + + if(position == 0 && total == 1) { + /* the list should be empty */ + check_waiting_tcp_list(outnet, NULL, NULL, total-1); + } else if(position == 0) { + /* first element should be gone */ + check_waiting_tcp_list(outnet, &store1, &storetotal-1, total-1); + } else if(position == total - 1) { + /* last element should be gone */ + check_waiting_tcp_list(outnet, &store0, &storetotal-2, total-1); + } else { + /* an element should be gone */ + check_waiting_tcp_list(outnet, &store0, &storetotal-1, total-1); + } +} + +static void waiting_tcp_list_test(void) +{ + size_t i = 0; + struct outside_network outnet; + struct waiting_tcp* w, *t = NULL; + struct waiting_tcp storeMAX_TCP_WAITING_NODES; + memset(&outnet, 0, sizeof(outnet)); + memset(&store, 0, sizeof(store)); + + /* Check add first on empty list */ + unit_show_func("services/outside_network.c", "outnet_waiting_tcp_list_add_first"); + t = &storei; + outnet_waiting_tcp_list_add_first(&outnet, t, 0); + check_waiting_tcp_list(&outnet, t, t, 1); + + /* Check add */ + unit_show_func("services/outside_network.c", "outnet_waiting_tcp_list_add"); + for(i=1; i<MAX_TCP_WAITING_NODES-1; i++) { + w = &storei; + outnet_waiting_tcp_list_add(&outnet, w, 0); + } + check_waiting_tcp_list(&outnet, t, w, MAX_TCP_WAITING_NODES-1); + + /* Check add first on populated list */ + unit_show_func("services/outside_network.c", "outnet_waiting_tcp_list_add_first"); + w = &storei; + t = outnet.tcp_wait_last; + outnet_waiting_tcp_list_add_first(&outnet, w, 0); + check_waiting_tcp_list(&outnet, w, t, MAX_TCP_WAITING_NODES); + + /* Check removal */ + unit_show_func("services/outside_network.c", "outnet_waiting_tcp_list_remove"); + check_waiting_tcp_removal(0, &outnet, store, 2, 5); + check_waiting_tcp_removal(0, &outnet, store, 1, 3); + check_waiting_tcp_removal(0, &outnet, store, 0, 2); + check_waiting_tcp_removal(0, &outnet, store, 1, 2); + check_waiting_tcp_removal(0, 
&outnet, store, 0, 1); + + /* Check pop */ + unit_show_func("services/outside_network.c", "outnet_waiting_tcp_list_pop"); + check_waiting_tcp_removal(1, &outnet, store, 0, 3); + check_waiting_tcp_removal(1, &outnet, store, 0, 2); + check_waiting_tcp_removal(1, &outnet, store, 0, 1); +} + +static void check_reuse_write_wait(struct reuse_tcp* reuse, + struct waiting_tcp* first, struct waiting_tcp* last, size_t total) +{ + size_t i, j; + struct waiting_tcp* w = reuse->write_wait_first; + struct waiting_tcp* n = NULL; + if(first) unit_assert(reuse->write_wait_first == first && !first->write_wait_prev); + if(last) unit_assert(reuse->write_wait_last == last && !last->write_wait_next); + /* check one way */ + for(i=0; w; i++) { + unit_assert(i<total); /* otherwise we are looping */ + unit_assert(w->write_wait_queued); + n = w->write_wait_next; + for(j=0; n; j++) { + unit_assert(j<total-i-1); /* otherwise we are looping */ + unit_assert(n != w); + n = n->write_wait_next; + } + w = w->write_wait_next; + } + /* check the other way */ + w = reuse->write_wait_last; + for(i=0; w; i++) { + unit_assert(i<total); /* otherwise we are looping */ + unit_assert(w->write_wait_queued); + n = w->write_wait_prev; + for(j=0; n; j++) { + unit_assert(j<total-i-1); /* otherwise we are looping */ + unit_assert(n != w); + n = n->write_wait_prev; + } + w = w->write_wait_prev; + } +} + +/** clear the tcp waiting list */ +static void reuse_write_wait_clear(struct reuse_tcp* reuse) +{ + struct waiting_tcp* w = reuse->write_wait_first, *n = NULL; + if(!w) return; + unit_assert(reuse->write_wait_first); + unit_assert(reuse->write_wait_last); + while(w) { + n = w->write_wait_next; + w->write_wait_queued = 0; + w->write_wait_next = (struct waiting_tcp*)1; /* In purpose faux value */ + w->write_wait_prev = (struct waiting_tcp*)1; /* In purpose faux value */ + w = n; + } + reuse->write_wait_first = NULL; + reuse->write_wait_last = NULL; +} + +/** check removal of the reuse_write_wait element on the given 
position of total + * elements */ +static void check_reuse_write_wait_removal(int is_pop, + struct reuse_tcp* reuse, struct waiting_tcp* store, + size_t position, size_t total) +{ + size_t i; + struct waiting_tcp* w; + reuse_write_wait_clear(reuse); + for(i=0; i<total; i++) { + reuse_write_wait_push_back(reuse, &storei); + } + check_reuse_write_wait(reuse, &store0, &storetotal-1, total); + + if(is_pop) { + w = reuse_write_wait_pop(reuse); + } else { + w = reuse->write_wait_first; + for(i=0; i<position; i++) w = w->write_wait_next; + reuse_write_wait_remove(reuse, w); + } + unit_assert(!(w->write_wait_queued || w->write_wait_next || w->write_wait_prev)); + + if(position == 0 && total == 1) { + /* the list should be empty */ + check_reuse_write_wait(reuse, NULL, NULL, total-1); + } else if(position == 0) { + /* first element should be gone */ + check_reuse_write_wait(reuse, &store1, &storetotal-1, total-1); + } else if(position == total - 1) { + /* last element should be gone */ + check_reuse_write_wait(reuse, &store0, &storetotal-2, total-1); + } else { + /* an element should be gone */ + check_reuse_write_wait(reuse, &store0, &storetotal-1, total-1); + } +} + +static void reuse_write_wait_test(void) +{ + size_t i; + struct reuse_tcp reuse; + struct waiting_tcp storeMAX_TCP_WAITING_NODES; + struct waiting_tcp* w; + memset(&reuse, 0, sizeof(reuse)); + memset(&store, 0, sizeof(store)); + + /* Check adding */ + unit_show_func("services/outside_network.c", "reuse_write_wait_push_back"); + for(i=0; i<MAX_TCP_WAITING_NODES; i++) { + w = &storei; + reuse_write_wait_push_back(&reuse, w); + } + check_reuse_write_wait(&reuse, &store0, w, MAX_TCP_WAITING_NODES); + + /* Check removal */ + unit_show_func("services/outside_network.c", "reuse_write_wait_remove"); + check_reuse_write_wait_removal(0, &reuse, store, 2, 5); + check_reuse_write_wait_removal(0, &reuse, store, 1, 3); + check_reuse_write_wait_removal(0, &reuse, store, 0, 2); + check_reuse_write_wait_removal(0, &reuse, 
store, 1, 2); + check_reuse_write_wait_removal(0, &reuse, store, 0, 1); + + /* Check pop */ + unit_show_func("services/outside_network.c", "reuse_write_wait_pop"); + check_reuse_write_wait_removal(1, &reuse, store, 0, 3); + check_reuse_write_wait_removal(1, &reuse, store, 0, 2); + check_reuse_write_wait_removal(1, &reuse, store, 0, 1); +} + void tcpreuse_test(void) { unit_show_feature("tcp_reuse"); tcpid_test(); tcp_reuse_tree_list_test(); + waiting_tcp_list_test(); + reuse_write_wait_test(); }
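Review bot: check_reuse_write_wait_removal() dereferences `w` without the `unit_assert(w)` guards that its twin check_waiting_tcp_removal() carries. The pop result and the `for(i=0; i<position; i++) w = w->write_wait_next;` walk are both used unchecked, so a broken list crashes the test instead of failing an assertion. Adding `unit_assert(w);` after `w = reuse_write_wait_pop(reuse);` and after the walk would make the two helpers consistent. Several of the new helpers (check_waiting_tcp_list, waiting_tcp_list_test, check_reuse_write_wait, reuse_write_wait_test) also lack the `/** ... */` header the others have. The sentinel comment would read better as `/* deliberately bogus value */`.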
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unitverify.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unitverify.c
Changed
@@ -187,7 +187,7 @@ } setup_sigalg(dnskey, sigalg); /* check all algorithms in the dnskey */ /* ok to give null as qstate here, won't be used for answer section. */ - sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason, + sec = dnskeyset_verify_rrset(env, ve, rrset, dnskey, sigalg, &reason, NULL, LDNS_SECTION_ANSWER, NULL); if(vsig) { printf("verify outcome is: %s %s\n", sec_status_to_string(sec),
_service:tar_scm:unbound-1.13.2.tar.gz/testcode/unitzonemd.c -> _service:tar_scm:unbound-1.17.1.tar.gz/testcode/unitzonemd.c
Changed
@@ -221,10 +221,10 @@ unit_assert(result && reason == NULL); result = auth_zone_generate_zonemd_check(z, 241, hashalgo, hash, hashlen, region, buf, &reason); - unit_assert(!result && strcmp(reason, "unsupported scheme")==0); + unit_assert(result && strcmp(reason, "unsupported scheme")==0); result = auth_zone_generate_zonemd_check(z, scheme, 242, hash, hashlen, region, buf, &reason); - unit_assert(!result && strcmp(reason, "unsupported algorithm")==0); + unit_assert(result && strcmp(reason, "unsupported algorithm")==0); result = auth_zone_generate_zonemd_check(z, scheme, hashalgo, hash, 2, region, buf, &reason); unit_assert(!result && strcmp(reason, "digest length too small, less than 12")==0);
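Review bot: The two flipped assertions now expect auth_zone_generate_zonemd_check() to return success while still setting `reason` for an unsupported scheme or hash algorithm. Nothing in the test says why, and the digest-length case directly below still expects failure. A short comment above them, for example `/* unsupported scheme/algorithm: not a check failure, but reason is still set */`, would record the intended contract. The behaviour change itself is outside this hunk, so the wording should be confirmed against it. It is also worth confirming that callers do not read this success as "digest verified".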
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/03-testbound.tdir/03-testbound.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/03-testbound.tdir/03-testbound.test
Changed
@@ -103,6 +103,15 @@ fi fi + # detect if cachedb is needed + if echo $cleaninput | grep cachedb >/dev/null 2>&1; then + if grep "define USE_CACHEDB 1" $PRE/config.h >/dev/null 2>&1; then + : # CACHEDB is supported + else + continue + fi + fi + if test $do_valgrind = "yes"; then echo if (valgrind $VALGRIND_FLAGS $PRE/testbound -p $input >tmpout 2>&1;); then
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/04-checkconf.tdir/04-checkconf.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/04-checkconf.tdir/04-checkconf.test
Changed
@@ -28,6 +28,12 @@ else onwin=0 fi +# detect dnscrypt +if grep "define USE_DNSCRYPT 1" ../../config.h; then + with_dnscrypt=1 +else + with_dnscrypt=0 +fi # test check of config files. for f in bad.*; do @@ -37,6 +43,10 @@ echo "skipped on windows" continue fi + if test $f = "bad.proxy-and-dnscrypt" -a $with_dnscrypt -eq 0; then + echo "skipped; no DNSCRYPT support" + continue + fi $PRE/unbound-checkconf $f if test $? != 1; then
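Review bot: The dnscrypt probe in the first hunk hard-codes `../../config.h` and lets grep print the matching line into the test output, while the rest of the script goes through `$PRE` (see `$PRE/unbound-checkconf $f` in the second hunk). I would write `if grep "define USE_DNSCRYPT 1" $PRE/config.h >/dev/null 2>&1; then`, assuming PRE is already set at that point, which is not visible here. In the second hunk, `test $f = "bad.proxy-and-dnscrypt" -a $with_dnscrypt -eq 0` leaves `$f` unquoted and uses the obsolescent `-a`. `test "$f" = "bad.proxy-and-dnscrypt" && test $with_dnscrypt -eq 0` is more robust.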
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/04-checkconf.tdir/bad.proxy-and-dnscrypt
Added
@@ -0,0 +1,6 @@
+server:
+ interface: 127.0.0.1
+ proxy-protocol-port: 53
+dnscrypt:
+ dnscrypt-enable: yes
+ dnscrypt-port: 53
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/04-checkconf.tdir/bad.proxy-and-https
Added
@@ -0,0 +1,4 @@
+server:
+ interface: 127.0.0.1
+ proxy-protocol-port: 53
+ https-port: 53
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/07-confroot.tdir/07-confroot.dsc -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/07-confroot.tdir/07-confroot.dsc
Changed
@@ -8,7 +8,7 @@ CmdDepends: Depends: Help: -Pre: +Pre: 07-confroot.pre Post: Test: 07-confroot.test AuxFiles:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/07-confroot.tdir/07-confroot.pre
Added
@@ -0,0 +1,13 @@
+# #-- 07-confroot.pre --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+
+if uname | grep "MINGW" >/dev/null; then
+ # no chroot, no need to test.
+ # (test fails on / and \ comparisons, by the way).
+ skip_test "no chroot on windows, end test"
+fi
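Review bot: This new .pre script calls `skip_test` without sourcing `../common.sh`, whereas 08-host-lib.pre on this page has `. ../common.sh` in place before its own `skip_test` call. If skip_test is defined in common.sh (not visible here), the MINGW branch would stop on command-not-found rather than skip cleanly. Adding `. ../common.sh` after the `PRE="../.."` line would match the other script.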
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/07-confroot.tdir/07-confroot.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/07-confroot.tdir/07-confroot.test
Changed
@@ -6,13 +6,6 @@ PRE="../.." -if uname | grep "MINGW" >/dev/null; then - # no chroot, no need to test. - # (test fails on / en \ comparisons, by the way). - echo "no chroot on windows, end test" - exit 0 -fi - # create config file cwd=`pwd -P` subdir=$cwd/subdir
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/08-host-lib.tdir/08-host-lib.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/08-host-lib.tdir/08-host-lib.pre
Changed
@@ -4,7 +4,16 @@ # use .tpkg.var.test for in test variable passing -f .tpkg.var.test && source .tpkg.var.test +PRE="../.." . ../common.sh + +if grep FORK $PRE/config.h | grep "define" >/dev/null 2>&1; then + # nothing + : +else + skip_test "forking is not available; test skipped." +fi + get_random_port 2 FWD_PORT=$(($RND_PORT + 1)) echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/08-host-lib.tdir/08-host-lib.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/08-host-lib.tdir/08-host-lib.test
Changed
@@ -7,14 +7,6 @@ PRE="../.." . ../common.sh -if grep FORK $PRE/config.h | grep "define" >/dev/null 2>&1; then - # nothing - : -else - echo "forking is not available; test skipped." - exit 0 -fi - # test if fwder is up echo "> dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile" dig @127.0.0.1 -p $FWD_PORT www.example.com | tee outfile
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/09-unbound-control.tdir/09-unbound-control.conf -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/09-unbound-control.tdir/09-unbound-control.conf
Changed
@@ -1,6 +1,6 @@ server: verbosity: 2 - # num-threads: 1 + num-threads: 1 interface: 127.0.0.1 port: @PORT@ use-syslog: no @@ -9,6 +9,10 @@ chroot: "" username: "" do-not-query-localhost: no + access-control: 127.0.0.1 allow_snoop + msg-cache-size: 4m + rrset-cache-size: 4m + minimal-responses: yes remote-control: control-enable: yes control-interface: 127.0.0.1 @@ -21,4 +25,3 @@ forward-zone: name: "." forward-addr: "127.0.0.1@@TOPORT@" -
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/09-unbound-control.tdir/09-unbound-control.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/09-unbound-control.tdir/09-unbound-control.test
Changed
@@ -5,364 +5,317 @@ -f .tpkg.var.test && source .tpkg.var.test PRE="../.." +. ../common.sh -# exit value is 1 on usage -$PRE/unbound-control -h -if test $? -ne 1; then - echo "wrong exit value for usage." - exit 1 -else - echo "exit value for usage: OK" -fi - -# use lock-verify if possible - -# test if the server is up. -echo "> dig www.example.com." -dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile -echo "> check answer" -if grep "10.20.30.40" outfile; then - echo "OK" -else +# End the test +# $1: exit value +end () { echo "> cat logfiles" cat fwd.log cat unbound.log - echo "Not OK" - exit 1 -fi + exit $1 +} -# exit value is 1 when a bad command is given. -echo "$PRE/unbound-control -c ub.conf blablargh" -$PRE/unbound-control -c ub.conf blablargh -if test $? -ne 1; then - echo "wrong exit value on error." - echo "> cat logfiles" - cat fwd.log - cat unbound.lo - exit 1 -else - echo "correct exit value on error" -fi +# Expect a given exit value of the previous command +# $1: the expected exit value +# $2: optional text to print when failing +expect_exit_value () { + if test $? 
-ne $1; then + if test -z "$2"; then + if test $1 -eq 1; then + msg="on error" + else + msg="after success" + fi + else + msg="$2" + fi + echo "wrong exit value $msg" + end 1 + fi +} + +# Helper function for quering +# $@: at least the domain name to query and optional dig arguments +query () { + echo "> dig $@" + dig @127.0.0.1 -p $UNBOUND_PORT $@ | tee outfile +} + +# Expect something in the answer +# $1: expected regular expression +expect_answer () { + echo "> check answer for \"$1\"" + if grep "$1" outfile; then + echo "OK" + else + echo "Not OK" + end 1 + fi +} + +# Fail the test for unexpected answers +# $1: unexpected regular expression +fail_answer () { + echo "> \"$1\" should not be in answer" + if grep "$1" outfile; then + echo "Not OK" + end 1 + else + echo "OK" + fi +} + +# Issue an unbound-control command +# $@: command arguments +control_command () { + echo "$PRE/unbound-control $@" + $PRE/unbound-control $@ > outfile +} + +# Dump the cache contents +# $@: optional options to unbound-control +cache_dump () { + echo "$PRE/unbound-control $@ dump_cache > cache.dump" + $PRE/unbound-control $@ dump_cache > cache.dump +} + +# Load cache contents +# $@: optional options to unbound-control +cache_load () { + echo "$PRE/unbound-control $@ load_cache < cache.dump" + $PRE/unbound-control $@ load_cache < cache.dump +} + +# Expect an entry in the cache dump +# $1: expected regular expression +expect_in_cache_dump () { + echo "> check cache dump for \"$1\"" + if grep "$1" cache.dump; then + echo "OK cache dump" + else + echo "Not OK cache dump" + end 1 + fi +} + +# Fail the test for unexpected entry in the cache dump +# $1: unexpected regular expression +fail_in_cache_dump () { + echo "> \"$1\" should not be in cache dump" + if grep "$1" cache.dump; then + echo "Not OK cache dump" + end 1 + else + echo "OK cache dump" + fi +} + +# start the test +cp ub.conf main.conf + +teststep "exit value is 1 on usage" +control_command -h +expect_exit_value 1 "for usage" + +# 
use lock-verify if possible + +teststep "test if the server is up" +query www.example.com. +expect_answer "10.20.30.40" + +teststep "exit value is 1 when a bad command is given" +control_command -c ub.conf blablargh +expect_exit_value 1 # reload the server. test if the server came up by putting a new # local-data element in the server. +teststep "reload the server" echo "server: local-data: 'afterreload. IN A 5.6.7.8'" >> ub.conf -echo "$PRE/unbound-control -c ub.conf reload" -$PRE/unbound-control -c ub.conf reload -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi - -echo "> dig afterreload." -dig @127.0.0.1 -p $UNBOUND_PORT afterreload. | tee outfile -echo "> check answer" -if grep "5.6.7.8" outfile; then - echo "OK" -else - echo "> cat logfiles" - cat fwd.log - cat unbound.log - echo "Not OK" - exit 1 -fi +control_command -c ub.conf reload +expect_exit_value 0 +query afterreload. +expect_answer "5.6.7.8" -# must have had queries now. 1 since reload. -echo "$PRE/unbound-control -c ub.conf stats" -$PRE/unbound-control -c ub.conf stats > tmp.$$ -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -if grep "^total.num.queries=1-90-9*$" tmp.$$; then - echo "OK" -else - echo "bad stats" - cat tmp.$$ - exit 1 -fi +teststep "must have had at least 1 query since reload" +control_command -c ub.conf stats +expect_exit_value 0 +expect_answer "^total.num.queries=1-90-9*$" -# verbosity -echo "$PRE/unbound-control -c ub.conf verbosity 2" -$PRE/unbound-control -c ub.conf verbosity 2 -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi +teststep "check verbosity" +control_command -c ub.conf verbosity 2 +expect_exit_value 0 -# check syntax error in parse -echo "$PRE/unbound-control -c ub.conf verbosity jkdf" -$PRE/unbound-control -c ub.conf verbosity jkdf -if test $? 
-ne 1; then - echo "wrong exit value after failure" - exit 1 -fi +teststep "check syntax error in parse" +control_command -c ub.conf verbosity jkdf +expect_exit_value 1 -# check bad credentials +teststep "check bad credentials" cp ub.conf bad.conf -echo "remote-control:" >> bad.conf -echo " server-key-file: bad_server.key" >> bad.conf -echo " server-cert-file: bad_server.pem" >> bad.conf -echo " control-key-file: bad_control.key" >> bad.conf -echo " control-cert-file: bad_control.pem" >> bad.conf -echo "$PRE/unbound-control -c bad.conf verbosity 2" -$PRE/unbound-control -c bad.conf verbosity 2 -if test $? -ne 1; then - echo "wrong exit value after failure" - exit 1 -fi +cat conf.bad_credentials >> bad.conf +control_command -c bad.conf verbosity 2 +expect_exit_value 1 -# check spoofedclient credentials +teststep "check spoofed client credentials" rm -f bad.conf cp ub.conf bad.conf -echo "remote-control:" >> bad.conf -echo " server-key-file: unbound_server.key" >> bad.conf -echo " server-cert-file: unbound_server.pem" >> bad.conf -echo " control-key-file: bad_control.key" >> bad.conf -echo " control-cert-file: bad_control.pem" >> bad.conf -echo "$PRE/unbound-control -c bad.conf verbosity 2" -$PRE/unbound-control -c bad.conf verbosity 2 -if test $? -ne 1; then - echo "wrong exit value after failure" - exit 1 -fi +cat conf.spoofed_credentials >> bad.conf +control_command -c bad.conf verbosity 2 +expect_exit_value 1 -# create a new local zone -echo "> test of local zone" -echo "$PRE/unbound-control -c ub.conf local_zone example.net static" -$PRE/unbound-control -c ub.conf local_zone example.net static -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "$PRE/unbound-control -c ub.conf local_data www.example.net A 192.0.2.1" -$PRE/unbound-control -c ub.conf local_data www.example.net A 192.0.2.1 -if test $? 
-ne 0; then - echo "wrong exit value after success" - exit 1 -fi +teststep "create a new local zone" +control_command -c ub.conf local_zone example.net static +expect_exit_value 0 +control_command -c ub.conf local_data www.example.net A 192.0.2.1 +expect_exit_value 0 -# check that www.example.net exists -echo "> dig www.example.net." -dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile -echo "> check answer" -if grep "192.0.2.1" outfile; then - echo "OK" -else - echo "> cat logfiles" - cat fwd.log - cat unbound.log - echo "Not OK" - exit 1 -fi +teststep "check that www.example.net exists" +query www.example.net. +expect_answer "192.0.2.1" -# check that mail.example.net has nxdomain -echo "> dig mail.example.net." -dig @127.0.0.1 -p $UNBOUND_PORT mail.example.net. | tee outfile -echo "> check answer" -if grep "NXDOMAIN" outfile; then - echo "OK" -else - echo "> cat logfiles" - cat fwd.log - cat unbound.log - echo "Not OK" - exit 1 -fi +teststep "check that mail.example.net has nxdomain" +query mail.example.net. +expect_answer "NXDOMAIN" -# remove www.example.net - check it gets nxdomain -echo "$PRE/unbound-control -c ub.conf local_data_remove www.example.net" -$PRE/unbound-control -c ub.conf local_data_remove www.example.net -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "> dig www.example.net." -dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile -echo "> check answer" -if grep "NXDOMAIN" outfile; then - echo "OK" -else - echo "> cat logfiles" - cat fwd.log - cat unbound.log - echo "Not OK" - exit 1 -fi +teststep "remove www.example.net - check it gets nxdomain" +control_command -c ub.conf local_data_remove www.example.net +expect_exit_value 0 +query www.example.net. +expect_answer "NXDOMAIN" -# remove nonexistent name - check bug#287(segfault) does not happen. 
-echo "$PRE/unbound-control -c ub.conf local_data_remove test.example.net" -$PRE/unbound-control -c ub.conf local_data_remove test.example.net +teststep "remove nonexistent name - check bug#287(segfault) does not happen" +control_command -c ub.conf local_data_remove test.example.net # if crash then then we get: error: could not SSL_read from unbound-control -if test $? -ne 0; then - echo "wrong exit value after success" - cat unbound.log - echo "Not OK" - exit 1 -fi +expect_exit_value 0 -# remove example.net - check its gone. -echo "$PRE/unbound-control -c ub.conf local_zone_remove example.net" -$PRE/unbound-control -c ub.conf local_zone_remove example.net -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "> dig www.example.net." -dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile -echo "> check answer" -if grep "SERVFAIL" outfile; then - echo "OK" -else - echo "> cat logfiles" - cat fwd.log - cat unbound.log - echo "Not OK" - exit 1 -fi +teststep "remove example.net - check its gone" +control_command -c ub.conf local_zone_remove example.net +expect_exit_value 0 +query www.example.net. +expect_answer "SERVFAIL" -# dump the cache -echo "> test cache dump" -# fillup cache -echo "dig www.example.com" -dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. -echo "$PRE/unbound-control -c ub.conf dump_cache" -$PRE/unbound-control -c ub.conf dump_cache > tmp.$$ -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -cat tmp.$$ -if grep 10.20.30.40 tmp.$$; then - echo "OK example.com is in cache dump" -else - echo "Not OK cache dump" - exit 1 -fi +teststep "dump the cache" +query www.example.com. +cache_dump -c ub.conf +expect_exit_value 0 +cat cache.dump +expect_in_cache "10.20.30.40" -# test lookup -echo "$PRE/unbound-control -c ub.conf lookup www.example.com" -$PRE/unbound-control -c ub.conf lookup www.example.com -if test $? 
-ne 0; then - echo "wrong exit value after success" - exit 1 -fi +control_command -c ub.conf lookup www.example.com +expect_exit_value 0 # answer to lookup is meaningless because of use a forwarder, oh well. -# load the cache dump. -echo "$PRE/unbound-control -c ub.conf load_cache < tmp.$$" -$PRE/unbound-control -c ub.conf load_cache < tmp.$$ -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "> dig www.example.com." -dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile -echo "> check answer" -if grep "10.20.30.40" outfile; then - echo "OK" -else - echo "> cat logfiles" - cat fwd.log - cat unbound.log - echo "Not OK" - exit 1 -fi +teststep "load the cache dump" +cache_load -c ub.conf +expect_exit_value 0 +query www.example.com. +expect_answer "10.20.30.40" -# load local-zones from file -echo "$PRE/unbound-control -c ub.conf local_zones < local_zones" -$PRE/unbound-control -c ub.conf local_zones < local_zones -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "> dig localzonefromfile." -dig @127.0.0.1 -p $UNBOUND_PORT localzonefromfile | tee outfile -echo "> check answer" -if grep "REFUSED" outfile; then - echo "OK" -else - echo "Not OK" - exit 1 -fi +teststep "load local-zones from file" +control_command -c ub.conf local_zones < local_zones +expect_exit_value 0 +query localzonefromfile +expect_answer "REFUSED" -# load local-data from file -echo "$PRE/unbound-control -c ub.conf local_datas < local_data" -$PRE/unbound-control -c ub.conf local_datas < local_data -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "> dig localdatafromfile." 
-dig @127.0.0.1 -p $UNBOUND_PORT -t txt localdatafromfile | tee outfile -echo "> check answer" -if grep "local data from file OK" outfile; then - echo "OK" -else - echo "Not OK" - exit 1 -fi +teststep "load local-data from file" +control_command -c ub.conf local_datas < local_data +expect_exit_value 0 +query -t txt localdatafromfile +expect_answer "local data from file OK" -# remove local-zone and local-data from file -echo "$PRE/unbound-control -c ub.conf local_zones_remove < local_zones_remove" -$PRE/unbound-control -c ub.conf local_zones_remove < local_zones_remove -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "$PRE/unbound-control -c ub.conf local_datas_remove < local_data_remove" -$PRE/unbound-control -c ub.conf local_datas_remove < local_data_remove -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -echo "> check zone and data removal list_local_zones" -$PRE/unbound-control -c ub.conf list_local_zones | tee outfile -if grep "localzonefromfile" outfile; then - echo "Not OK" - exit 1 -fi -if grep "local data from file OK" outfile; then - echo "Not OK" - exit 1 -fi -if grep "otherlocalzone" outfile; then - echo "OK" -else - echo "Not OK" - exit 1 -fi +teststep "remove local-zone and local-data from file" +control_command -c ub.conf local_zones_remove < local_zones_remove +expect_exit_value 0 +control_command -c ub.conf local_datas_remove < local_data_remove +expect_exit_value 0 +control_command -c ub.conf list_local_zones +fail_answer "localzonefromfile" +fail_answer "local data from file OK" +expect_answer "otherlocalzone" -# flushing -echo "$PRE/unbound-control -c ub.conf flush www.example.net" -$PRE/unbound-control -c ub.conf flush www.example.net -if test $? 
-ne 0; then - echo "wrong exit value after success" - exit 1 -fi +teststep "flushing" +control_command -c ub.conf flush www.example.net +expect_exit_value 0 +control_command -c ub.conf flush_type www.example.net TXT +expect_exit_value 0 +control_command -c ub.conf flush_zone example.net +expect_exit_value 0 -echo "$PRE/unbound-control -c ub.conf flush_type www.example.net TXT" -$PRE/unbound-control -c ub.conf flush_type www.example.net TXT -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi +teststep "reload the server for a clean state and populate the cache" +cp main.conf ub.conf +control_command -c ub.conf reload +expect_exit_value 0 +query www.example.com +expect_answer "10.20.30.40" -echo "$PRE/unbound-control -c ub.conf flush_zone example.net" -$PRE/unbound-control -c ub.conf flush_zone example.net -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi +teststep "reload and check cache dump - should be empty" +control_command -c ub.conf reload +expect_exit_value 0 +cache_dump -c ub.conf +expect_exit_value 0 +fail_in_cache_dump "www.example.com.*10.20.30.40" +fail_in_cache_dump "msg www.example.com. IN A" -# now stop the server -echo "$PRE/unbound-control -c ub.conf stop" -$PRE/unbound-control -c ub.conf stop -if test $? -ne 0; then - echo "wrong exit value after success" - exit 1 -fi -# see if the server has really exited. +query www.example.com +expect_answer "10.20.30.40" + +teststep "reload_keep_cache and check cache dump - should not be empty" +control_command -c ub.conf reload_keep_cache +expect_exit_value 0 +cache_dump -c ub.conf +expect_exit_value 0 +expect_in_cache_dump "www.example.com.*10.20.30.40" +expect_in_cache_dump "msg www.example.com. 
IN A" +query www.example.com +nordflag +expect_answer "10.20.30.40" + +teststep "change msg-cache-size and reload_keep_cache - should be empty" +echo "server: msg-cache-size: 2m" >> ub.conf +control_command -c ub.conf reload_keep_cache +expect_exit_value 0 +cache_dump -c ub.conf +expect_exit_value 0 +fail_in_cache_dump "www.example.com.*10.20.30.40" +fail_in_cache_dump "msg www.example.com. IN A" +query www.example.com +expect_answer "10.20.30.40" + +teststep "change rrset-cache-size and reload_keep_cache - should be empty" +echo "server: rrset-cache-size: 2m" >> ub.conf +control_command -c ub.conf reload_keep_cache +expect_exit_value 0 +cache_dump -c ub.conf +expect_exit_value 0 +fail_in_cache_dump "www.example.com.*10.20.30.40" +fail_in_cache_dump "msg www.example.com. IN A" +query www.example.com +expect_answer "10.20.30.40" + +teststep "change num-threads and reload_keep_cache - should be empty" +echo "server: num-threads: 2" >> ub.conf +control_command -c ub.conf reload_keep_cache +expect_exit_value 0 +cache_dump -c ub.conf +expect_exit_value 0 +fail_in_cache_dump "www.example.com.*10.20.30.40" +fail_in_cache_dump "msg www.example.com. IN A" +query www.example.com +expect_answer "10.20.30.40" + +teststep "change minimal-responses and reload_keep_cache - should not be empty" +echo "server: minimal-responses: no" >> ub.conf +control_command -c ub.conf reload_keep_cache +expect_exit_value 0 +cache_dump -c ub.conf +expect_exit_value 0 +expect_in_cache_dump "www.example.com.*10.20.30.40" +expect_in_cache_dump "msg www.example.com. IN A" + +teststep "now stop the server" +control_command -c ub.conf stop +expect_exit_value 0 + +teststep "see if the server has really exited" TRY_MAX=20 for (( try=0 ; try <= $TRY_MAX ; try++ )) ; do if kill -0 $UNBOUND_PID 2>&1 | tee tmp.$$; then 
@@ -379,11 +332,8 @@ done if kill -0 $UNBOUND_PID; then echo "still up!" - echo "> cat logfiles" - cat fwd.log - cat unbound.log echo "not stopped, failure" - exit 1 + end 1 else echo "stopped OK" @@ -392,15 +342,9 @@ echo "lock-verify test worked." else echo "lock-verify test failed." - cat fwd.log - cat unbound.log - exit 1 + end 1 fi fi fi -echo "> cat logfiles" -cat fwd.log -cat unbound.log -echo "> OK" -exit 0 +end 0
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/09-unbound-control.tdir/conf.bad_credentials
Added
@@ -0,0 +1,5 @@
+remote-control:
+ server-key-file: bad_server.key
+ server-cert-file: bad_server.pem
+ control-key-file: bad_control.key
+ control-cert-file: bad_control.pem
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/09-unbound-control.tdir/conf.spoofed_credentials
Added
@@ -0,0 +1,5 @@
+remote-control:
+ server-key-file: unbound_server.key
+ server-cert-file: unbound_server.pem
+ control-key-file: bad_control.key
+ control-cert-file: bad_control.pem
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/10-unbound-anchor.tdir/keys/unbound-control-setup
Changed
@@ -81,7 +81,7 @@ echo " -d dir use directory to store keys and certificates." echo " default: $DESTDIR" echo "please run this command using the same user id that the " - echo "unboun daemon uses, it needs read privileges." + echo "unbound daemon uses, it needs read privileges." exit 1 ;; esac
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.conf
Added
@@ -0,0 +1,140 @@
+server:
+ verbosity: 7
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ use-caps-for-id: no
+ define-tag: "one two refuse"
+
+# Interface configuration for IPv4
+ interface: @IPV4_ADDR@@@PORT_ALLOW@
+ interface: @IPV4_ADDR@@@PORT_DENY@
+ interface: @IPV4_ADDR@@@PORT_REFUSE@
+ interface: @IPV4_ADDR@@@PORT_TAG_1@
+ interface: @IPV4_ADDR@@@PORT_TAG_2@
+ interface: @IPV4_ADDR@@@PORT_TAG_3@
+ interface: @IPV4_ADDR@@@PORT_VIEW_INT@
+ interface: @IPV4_ADDR@@@PORT_VIEW_EXT@
+ interface: @IPV4_ADDR@@@PORT_VIEW_INTEXT@
+
+ interface-action: @IPV4_ADDR@@@PORT_ALLOW@ allow
+ interface-action: @IPV4_ADDR@@@PORT_DENY@ deny
+ # interface-action: @IPV4_ADDR@@@PORT_REFUSE@ refuse # This is the default action
+ interface-action: @IPV4_ADDR@@@PORT_TAG_1@ allow
+ interface-action: @IPV4_ADDR@@@PORT_TAG_2@ allow
+ interface-action: @IPV4_ADDR@@@PORT_TAG_3@ allow
+ interface-action: @IPV4_ADDR@@@PORT_VIEW_INT@ allow
+ interface-action: @IPV4_ADDR@@@PORT_VIEW_EXT@ allow
+ interface-action: @IPV4_ADDR@@@PORT_VIEW_INTEXT@ allow
+
+ interface-tag: @IPV4_ADDR@@@PORT_TAG_1@ "one"
+ interface-tag: @IPV4_ADDR@@@PORT_TAG_2@ "two"
+ interface-tag: @IPV4_ADDR@@@PORT_TAG_3@ "refuse"
+ interface-tag-action: @IPV4_ADDR@@@PORT_TAG_1@ one redirect
+ interface-tag-data: @IPV4_ADDR@@@PORT_TAG_1@ one "A 1.1.1.1"
+ interface-tag-action: @IPV4_ADDR@@@PORT_TAG_2@ two redirect
+ interface-tag-data: @IPV4_ADDR@@@PORT_TAG_2@ two "A 2.2.2.2"
+ interface-tag-action: @IPV4_ADDR@@@PORT_TAG_3@ refuse always_refuse
+
+ interface-view: @IPV4_ADDR@@@PORT_VIEW_INT@ "int"
+ interface-view: @IPV4_ADDR@@@PORT_VIEW_EXT@ "ext"
+ interface-view: @IPV4_ADDR@@@PORT_VIEW_INTEXT@ "intext"
+
+# Mirrored interface configuration for IPv6
+ interface: @IPV6_ADDR@@@PORT_ALLOW@
+ interface: @IPV6_ADDR@@@PORT_DENY@
+ interface: @IPV6_ADDR@@@PORT_REFUSE@
+ interface: @IPV6_ADDR@@@PORT_TAG_1@
+ interface: @IPV6_ADDR@@@PORT_TAG_2@
+ interface: @IPV6_ADDR@@@PORT_TAG_3@
+ interface: @IPV6_ADDR@@@PORT_VIEW_INT@
+ interface: @IPV6_ADDR@@@PORT_VIEW_EXT@
+ interface: @IPV6_ADDR@@@PORT_VIEW_INTEXT@
+
+ interface-action: @IPV6_ADDR@@@PORT_ALLOW@ allow
+ interface-action: @IPV6_ADDR@@@PORT_DENY@ deny
+ # interface-action: @IPV6_ADDR@@@PORT_REFUSE@ refuse # This is the default action
+ interface-action: @IPV6_ADDR@@@PORT_TAG_1@ allow
+ interface-action: @IPV6_ADDR@@@PORT_TAG_2@ allow
+ interface-action: @IPV6_ADDR@@@PORT_TAG_3@ allow
+ interface-action: @IPV6_ADDR@@@PORT_VIEW_INT@ allow
+ interface-action: @IPV6_ADDR@@@PORT_VIEW_EXT@ allow
+ interface-action: @IPV6_ADDR@@@PORT_VIEW_INTEXT@ allow
+
+ interface-tag: @IPV6_ADDR@@@PORT_TAG_1@ "one"
+ interface-tag: @IPV6_ADDR@@@PORT_TAG_2@ "two"
+ interface-tag: @IPV6_ADDR@@@PORT_TAG_3@ "refuse"
+ interface-tag-action: @IPV6_ADDR@@@PORT_TAG_1@ one redirect
+ interface-tag-data: @IPV6_ADDR@@@PORT_TAG_1@ one "A 1.1.1.1"
+ interface-tag-action: @IPV6_ADDR@@@PORT_TAG_2@ two redirect
+ interface-tag-data: @IPV6_ADDR@@@PORT_TAG_2@ two "A 2.2.2.2"
+ interface-tag-action: @IPV6_ADDR@@@PORT_TAG_3@ refuse always_refuse
+
+ interface-view: @IPV6_ADDR@@@PORT_VIEW_INT@ "int"
+ interface-view: @IPV6_ADDR@@@PORT_VIEW_EXT@ "ext"
+ interface-view: @IPV6_ADDR@@@PORT_VIEW_INTEXT@ "intext"
+
+# Mirrored interface configuration for interface name
+ interface: @INTERFACE@@@PORT_ALLOW@
+ interface: @INTERFACE@@@PORT_DENY@
+ interface: @INTERFACE@@@PORT_REFUSE@
+ interface: @INTERFACE@@@PORT_TAG_1@
+ interface: @INTERFACE@@@PORT_TAG_2@
+ interface: @INTERFACE@@@PORT_TAG_3@
+ interface: @INTERFACE@@@PORT_VIEW_INT@
+ interface: @INTERFACE@@@PORT_VIEW_EXT@
+ interface: @INTERFACE@@@PORT_VIEW_INTEXT@
+
+ interface-action: @INTERFACE@@@PORT_ALLOW@ allow
+ interface-action: @INTERFACE@@@PORT_DENY@ deny
+ # interface-action: @INTERFACE@@@PORT_REFUSE@ refuse # This is the default action
+ interface-action: @INTERFACE@@@PORT_TAG_1@ allow
+ interface-action: @INTERFACE@@@PORT_TAG_2@ allow
+ interface-action: @INTERFACE@@@PORT_TAG_3@ allow
+ interface-action: @INTERFACE@@@PORT_VIEW_INT@ allow
+ interface-action: @INTERFACE@@@PORT_VIEW_EXT@ allow
+ interface-action: @INTERFACE@@@PORT_VIEW_INTEXT@ allow
+
+ interface-tag: @INTERFACE@@@PORT_TAG_1@ "one"
+ interface-tag: @INTERFACE@@@PORT_TAG_2@ "two"
+ interface-tag: @INTERFACE@@@PORT_TAG_3@ "refuse"
+ interface-tag-action: @INTERFACE@@@PORT_TAG_1@ one redirect
+ interface-tag-data: @INTERFACE@@@PORT_TAG_1@ one "A 1.1.1.1"
+ interface-tag-action: @INTERFACE@@@PORT_TAG_2@ two redirect
+ interface-tag-data: @INTERFACE@@@PORT_TAG_2@ two "A 2.2.2.2"
+ interface-tag-action: @INTERFACE@@@PORT_TAG_3@ refuse always_refuse
+
+ interface-view: @INTERFACE@@@PORT_VIEW_INT@ "int"
+ interface-view: @INTERFACE@@@PORT_VIEW_EXT@ "ext"
+ interface-view: @INTERFACE@@@PORT_VIEW_INTEXT@ "intext"
+
+# Local zones configuration
+ local-zone: local. transparent
+ local-data: "local. A 0.0.0.0"
+ local-zone-tag: local. "one two refuse"
+
+# Views configuration
+view:
+ name: "int"
+ view-first: yes
+ local-zone: "." refuse
+ local-zone: "internal" transparent
+view:
+ name: "ext"
+ view-first: yes
+ local-zone: "internal" refuse
+view:
+ name: "intext"
+ view-first: yes
+
+# Stubs configuration
+forward-zone:
+ name: "."
+ forward-addr: @IPV4_ADDR@@@FORWARD_PORT@
+
+stub-zone:
+ name: "internal"
+ stub-addr: @IPV4_ADDR@@@STUB_PORT@
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: acl_interface
+Version: 1.0
+Description: Check the interface-* settings
+CreationDate: Fri 8 Oct 18:14:40 CEST 2021
+Maintainer:
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: acl_interface.pre
+Post: acl_interface.post
+Test: acl_interface.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.post
Added
@@ -0,0 +1,11 @@
+# #-- acl_interface.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $UNBOUND_PID
+kill_pid $FWD_PID
+kill_pid $STUB_PID
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.pre
Added
@@ -0,0 +1,75 @@
+# #-- acl_interface.pre--#
+PRE="../.."
+. ../common.sh
+
+# This test uses the unshare utility
+if test ! -x "`which unshare 2>&1`"; then
+ skip_test "no unshare (from util-linux package) available, skip test"
+fi
+
+get_random_port 11
+
+PORT_ALLOW=$RND_PORT
+PORT_DENY=$(($RND_PORT + 1))
+PORT_REFUSE=$(($RND_PORT + 2))
+PORT_TAG_1=$(($RND_PORT + 3))
+PORT_TAG_2=$(($RND_PORT + 4))
+PORT_TAG_3=$(($RND_PORT + 5))
+PORT_VIEW_INT=$(($RND_PORT + 6))
+PORT_VIEW_EXT=$(($RND_PORT + 7))
+PORT_VIEW_INTEXT=$(($RND_PORT + 8))
+FORWARD_PORT=$(($RND_PORT + 9))
+STUB_PORT=$(($RND_PORT + 10))
+
+IPV4_ADDR=192.168.1.1
+IPV6_ADDR=2001:db8::1
+
+INTERFACE=eth24
+INTERFACE_ADDR_1=10.0.0.1
+INTERFACE_ADDR_2=10.0.0.2
+INTERFACE_ADDR_3=10.0.0.3
+INTERFACE_ADDR_4=10.0.0.4
+
+# make config file
+sed \
+ -e 's/@PORT_ALLOW\@/'$PORT_ALLOW'/' \
+ -e 's/@PORT_DENY\@/'$PORT_DENY'/' \
+ -e 's/@PORT_REFUSE\@/'$PORT_REFUSE'/' \
+ -e 's/@PORT_TAG_1\@/'$PORT_TAG_1'/' \
+ -e 's/@PORT_TAG_2\@/'$PORT_TAG_2'/' \
+ -e 's/@PORT_TAG_3\@/'$PORT_TAG_3'/' \
+ -e 's/@PORT_VIEW_INT\@/'$PORT_VIEW_INT'/' \
+ -e 's/@PORT_VIEW_EXT\@/'$PORT_VIEW_EXT'/' \
+ -e 's/@PORT_VIEW_INTEXT\@/'$PORT_VIEW_INTEXT'/' \
+ -e 's/@FORWARD_PORT\@/'$FORWARD_PORT'/' \
+ -e 's/@STUB_PORT\@/'$STUB_PORT'/' \
+ -e 's/@IPV4_ADDR\@/'$IPV4_ADDR'/' \
+ -e 's/@IPV6_ADDR\@/'$IPV6_ADDR'/' \
+ -e 's/@INTERFACE\@/'$INTERFACE'/' \
+ < acl_interface.conf > ub.conf
+
+if test -x "`which bash`"; then
+ shell="bash"
+else
+ shell="sh"
+fi
+
+echo "PORT_ALLOW=$PORT_ALLOW" >> .tpkg.var.test
+echo "PORT_DENY=$PORT_DENY" >> .tpkg.var.test
+echo "PORT_REFUSE=$PORT_REFUSE" >> .tpkg.var.test
+echo "PORT_TAG_1=$PORT_TAG_1" >> .tpkg.var.test
+echo "PORT_TAG_2=$PORT_TAG_2" >> .tpkg.var.test
+echo "PORT_TAG_3=$PORT_TAG_3" >> .tpkg.var.test
+echo "PORT_VIEW_INT=$PORT_VIEW_INT" >> .tpkg.var.test
+echo "PORT_VIEW_EXT=$PORT_VIEW_EXT" >> .tpkg.var.test
+echo "PORT_VIEW_INTEXT=$PORT_VIEW_INTEXT" >> .tpkg.var.test
+echo "FORWARD_PORT=$FORWARD_PORT" >> .tpkg.var.test
+echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test
+echo "IPV4_ADDR=$IPV4_ADDR" >> .tpkg.var.test
+echo "IPV6_ADDR=$IPV6_ADDR" >> .tpkg.var.test
+echo "INTERFACE=$INTERFACE" >> .tpkg.var.test
+echo "INTERFACE_ADDR_1=$INTERFACE_ADDR_1" >> .tpkg.var.test
+echo "INTERFACE_ADDR_2=$INTERFACE_ADDR_2" >> .tpkg.var.test
+echo "INTERFACE_ADDR_3=$INTERFACE_ADDR_3" >> .tpkg.var.test
+echo "INTERFACE_ADDR_4=$INTERFACE_ADDR_4" >> .tpkg.var.test
+echo "shell=$shell" >> .tpkg.var.test
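Review bot: The availability check at the top only tests that an `unshare` binary is executable, not that this host lets an unprivileged user create user and network namespaces. Where that is disabled by policy, as hardened build hosts often do, the `unshare -rUn` call in acl_interface.test would presumably fail and the test would be reported as failed rather than skipped. Probing the capability itself would cover it: `if ! unshare -rUn true >/dev/null 2>&1; then skip_test "cannot create user and network namespaces, skip test"; fi`. The scenario also needs `ip` and a `dummy` link type, and neither is checked here.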
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.test
Added
@@ -0,0 +1,11 @@
+# #-- acl_interface.test --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+PRE="../.."
+. ../common.sh
+
+# Run the scenario in an unshared namespace
+unshare -rUn $shell acl_interface.test.scenario
+exit $?
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.test.scenario
Added
@@ -0,0 +1,205 @@
+# #-- acl_interface.test.scenario --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+PRE="../.."
+. ../common.sh
+
+ip addr add $IPV4_ADDR dev lo
+ip addr add $IPV6_ADDR dev lo
+ip link set lo up
+
+ip link add $INTERFACE type dummy
+ip addr add $INTERFACE_ADDR_1 dev $INTERFACE
+ip addr add $INTERFACE_ADDR_2 dev $INTERFACE
+ip addr add $INTERFACE_ADDR_3 dev $INTERFACE
+ip addr add $INTERFACE_ADDR_4 dev $INTERFACE
+ip link set $INTERFACE up
+
+# start the forwarder in the background
+get_ldns_testns
+$LDNS_TESTNS -p $FORWARD_PORT acl_interface.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# start the stub in the background
+$LDNS_TESTNS -p $STUB_PORT acl_interface.testns2 >fwd2.log 2>&1 &
+STUB_PID=$!
+echo "STUB_PID=$STUB_PID" >> .tpkg.var.test
+
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_ldns_testns_up fwd2.log
+wait_unbound_up unbound.log
+
+end () {
+ echo "> cat logfiles"
+ cat fwd.log
+ cat fwd2.log
+ cat unbound.log
+ exit $1
+}
+
+# Query for the given domain to the given port
+# $1: address family 4, 6
+# $2: port
+# $3: dname
+query () {
+ addr=$IPV4_ADDR
+ if test "$1" -eq 6; then
+ addr=$IPV6_ADDR
+ fi
+ echo "> dig -p $2 $3"
+ dig @"$addr" -p $2 $3 | tee outfile
+}
+
+# Query for the given domain to the given port
+# $1: address
+# $2: port
+# $3: dname
+query_addr () {
+ echo "> dig @$1 -p $2 $3"
+ dig @"$1" -p $2 $3 | tee outfile
+}
+
+expect_refused () {
+ echo "> check answer for REFUSED"
+ if grep "REFUSED" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_external_answer () {
+ echo "> check external answer"
+ if grep "1.2.3.4" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_internal_answer () {
+ echo "> check internal answer"
+ if grep "10.20.30.40" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_tag_one_answer () {
+ echo "> check tag 'one' answer"
+ if grep "1.1.1.1" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+expect_tag_two_answer () {
+ echo "> check tag 'two' answer"
+ if grep "2.2.2.2" outfile; then
+ echo "OK"
+ else
+ echo "Not OK"
+ end 1
+ fi
+}
+
+# do the test
+
+for i in 4 6; do
+ query $i $PORT_REFUSE "www.external"
+ expect_refused
+
+ query $i $PORT_REFUSE "www.internal"
+ expect_refused
+
+ query $i $PORT_ALLOW "www.external"
+ expect_external_answer
+
+ query $i $PORT_ALLOW "www.internal"
+ expect_internal_answer
+
+ query $i $PORT_TAG_1 "local"
+ expect_tag_one_answer
+
+ query $i $PORT_TAG_2 "local"
+ expect_tag_two_answer
+
+ query $i $PORT_TAG_3 "local"
+ expect_refused
+
+ query $i $PORT_VIEW_INT "www.internal"
+ expect_internal_answer
+
+ query $i $PORT_VIEW_INT "www.external"
+ expect_refused
+
+ query $i $PORT_VIEW_EXT "www.internal"
+ expect_refused
+
+ query $i $PORT_VIEW_EXT "www.external"
+ expect_external_answer
+
+ query $i $PORT_VIEW_INTEXT "www.internal"
+ expect_internal_answer
+
+ query $i $PORT_VIEW_INTEXT "www.external"
+ expect_external_answer
+done
+
+for addr in $INTERFACE_ADDR_1 $INTERFACE_ADDR_2 $INTERFACE_ADDR_3 $INTERFACE_ADDR_4; do
+ query_addr $addr $PORT_REFUSE "www.external"
+ expect_refused
+
+ query_addr $addr $PORT_REFUSE "www.internal"
+ expect_refused
+
+ query_addr $addr $PORT_ALLOW "www.external"
+ expect_external_answer
+
+ query_addr $addr $PORT_ALLOW "www.internal"
+ expect_internal_answer
+
+ query_addr $addr $PORT_TAG_1 "local"
+ expect_tag_one_answer
+
+ query_addr $addr $PORT_TAG_2 "local"
+ expect_tag_two_answer
+
+ query_addr $addr $PORT_TAG_3 "local"
+ expect_refused
+
+ query_addr $addr $PORT_VIEW_INT "www.internal"
+ expect_internal_answer
+
+ query_addr $addr $PORT_VIEW_INT "www.external"
+ expect_refused
+
+ query_addr $addr $PORT_VIEW_EXT "www.internal"
+ expect_refused
+
+ query_addr $addr $PORT_VIEW_EXT "www.external"
+ expect_external_answer
+
+ query_addr $addr $PORT_VIEW_INTEXT "www.internal"
+ expect_internal_answer
+
+ query_addr $addr $PORT_VIEW_INTEXT "www.external"
+ expect_external_answer
+done
+
+end 0
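Review bot: The address checks in expect_external_answer, expect_internal_answer, expect_tag_one_answer and expect_tag_two_answer hand the dotted address to grep as a regular expression, so every `.` matches any character and the assertion is looser than it reads. `grep -F "1.2.3.4" outfile`, and likewise in the other three, would match the literal address. The five expect_* helpers differ only in the pattern and the label, so a single helper taking the pattern as `$1` would keep them from drifting apart. The `ip addr add` and `ip link add $INTERFACE type dummy` setup lines at the top also run unchecked, so a failed setup would presumably surface only later as a "Not OK" on the first query.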
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.testns
Added
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN external.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 1.2.3.4
+ENTRY_END
+
+$ORIGIN local.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+@ IN A
+SECTION ANSWER
+@ IN A 127.0.0.1
+ENTRY_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/acl_interface.tdir/acl_interface.testns2
Added
@@ -0,0 +1,13 @@
+; nameserver test file
+$ORIGIN internal.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/auth_https.tdir/auth_https.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/auth_https.tdir/auth_https.test
Changed
@@ -5,6 +5,7 @@ -f .tpkg.var.test && source .tpkg.var.test PRE="../.." +. ../common.sh # do the test echo "> dig www.example.com." dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile @@ -48,4 +49,15 @@ exit 1 fi +# Test that notify is allowed from the webserver address +get_ldns_notify +echo "> ldns-notify -z example.com" +$LDNS_NOTIFY -p $UNBOUND_PORT -z example.com 127.0.0.1 | tee outfile +if grep "rcode: REFUSED" outfile; then + echo "Not OK" + exit 1 +else + echo "OK" +fi + exit 0
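Review bot: The notify check added in the second hunk fails only when `rcode: REFUSED` appears in outfile, so it also passes when ldns-notify prints no reply at all (tool missing, timeout, crash) or returns some other error rcode. The pipe into `tee` additionally hides the exit status of `$LDNS_NOTIFY`. Since this step is meant to show that a NOTIFY from the webserver address is accepted, a positive match would pin that down: `if grep "rcode: NOERROR" outfile; then echo "OK"; else echo "Not OK"; exit 1; fi`, assuming ldns-notify prints a successful rcode in the same form as the REFUSED one matched here.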
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/auth_xfr_ixfrmismatch.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/auth_xfr_ixfrmismatch.rpl
Changed
@@ -182,7 +182,7 @@ example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600 www.example.com. IN A 1.2.3.4 mail.example.com. 3600 IN A 1.2.3.6 -; this is the delete of the nonexistant entry +; this is the delete of the nonexistent entry nonexist.example.com. 3600 IN A 1.2.3.4 example.com. IN SOA ns.example.com. hostmaster.example.com. 2 3600 900 86400 3600 EXTRA_PACKET
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/auth_zonemd_file_unknown.rpl
Added
@@ -0,0 +1,184 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + +auth-zone: + name: "example.com." + ## zonefile (or none). + ## zonefile: "example.com.zone" + ## master by IP address or hostname + ## can list multiple masters, each on one line. + ## master: + ## url for http fetch + ## url: + ## queries from downstream clients get authoritative answers. + ## for-downstream: yes + for-downstream: no + ## queries are used to fetch authoritative answers from this zone, + ## instead of unbound itself sending queries there. + ## for-upstream: yes + for-upstream: yes + ## on failures with for-upstream, fallback to sending queries to + ## the authority servers + ## fallback-enabled: no + zonemd-check: yes + + ## this line generates zonefile: \n"/tmp/xxx.example.com"\n + zonefile: +TEMPFILE_NAME example.com + ## this is the inline file /tmp/xxx.example.com + ## the tempfiles are deleted when the testrun is over. +TEMPFILE_CONTENTS example.com +example.com. IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 +example.com. IN NS ns.example.com. +example.com. IN ZONEMD 200154054 1 22 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22 +example.com. IN ZONEMD 200154054 21 2 EFAA5B78B38AB1C45DE57B8167BCCE906451D0E72118E1F5E80B5F0C3CF04BFFC65D53C011185528EAD439D6F3A02F511961E090E5E4E0DFA013BD276D728B22 +www.example.com. IN A 127.0.0.1 +ns.example.com. IN A 127.0.0.1 +bar.example.com. IN A 1.2.3.4 +ding.example.com. IN A 1.2.3.4 +foo.example.com. IN A 1.2.3.4 +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test authority zone with ZONEMD with unknown algo from zonefile + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. 
+SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END +RANGE_END + +; ns.example.net. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN A +SECTION ANSWER +ns.example.net. IN A 1.2.3.44 +SECTION AUTHORITY +example.net. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN AAAA +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +www.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 
IN A 10.20.30.40 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 127.0.0.1 +ENTRY_END + +SCENARIO_END
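Review bot: Nothing in the scenario states which outcome is intended when the zonefile's only ZONEMD records use an unsupported hash (`1 22`) or scheme (`21 2`) while `zonemd-check: yes` is set. STEP 20 expects `127.0.0.1`, the zonefile value, rather than the `10.20.30.40` served by the 1.2.3.44 range, so the test pins that such a zone is loaded and used without a digest that could be checked. A comment before `SCENARIO_BEGIN` would make that explicit, e.g. `; both ZONEMD RRs use an unknown hash algorithm or scheme, so no digest can be verified; the zone is still expected to load`. The RANGE comment `; ns.example.net.` for 1.2.3.44 also disagrees with the delegation, which names ns.example.com.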
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/auth_zonemd_xfr_chain_keyinxfr.rpl
Added
@@ -0,0 +1,315 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + trust-anchor: "com. DS 1444 8 2 0d72034e3e18a9ef383c164b68302433bbde957616e10cf44575fea2abae469c" + trust-anchor-signaling: no + val-override-date: 20201020135527 + +auth-zone: + name: "example.com." + ## zonefile (or none). + ## zonefile: "example.com.zone" + ## master by IP address or hostname + ## can list multiple masters, each on one line. + ## master: + master: 1.2.3.44 + ## url for http fetch + ## url: + ## queries from downstream clients get authoritative answers. + ## for-downstream: yes + + ## The for-downstream and fallback are disabled, the key cannot be + ## retrieved by DNS lookup, it is in the xfr itself. + ## only after the zone is loaded can it be looked up. + for-downstream: no + ## queries are used to fetch authoritative answers from this zone, + ## instead of unbound itself sending queries there. + ## for-upstream: yes + for-upstream: yes + ## on failures with for-upstream, fallback to sending queries to + ## the authority servers + ## fallback-enabled: no + fallback-enabled: no + zonemd-check: yes + + ## this line generates zonefile: \n"/tmp/xxx.example.com"\n + zonefile: +TEMPFILE_NAME example.com + ## this is the inline file /tmp/xxx.example.com + ## the tempfiles are deleted when the testrun is over. +TEMPFILE_CONTENTS example.com +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test authority zone with AXFR with ZONEMD with key in xfr + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. 
+SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qname qtype +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN DS +SECTION ANSWER +example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af +example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk= +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN DS 55566 8 2 9c148338951ce1c3b5cd3da532f3d90dfcf92595148022f2c2fd98e5deee90af +example.com. 3600 IN RRSIG DS 8 2 3600 20201116135527 20201019135527 1444 com. BpV1M171SSkbdlGawwweJwQ0W+aNaCrgkt2QTsxCvbo1acR5i3AKm4REOUzo4I36lRx26mYkF9Topkeu0aFmov7P2uUhCxk4faFK7k87k97FAqZaDGp/K9b3YCfiwJBc5pJSUW0ndU/Ve5zAh/wL493RMSC7LwJr5JjV0NxydFk= +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN DNSKEY +SECTION ANSWER +com. 3600 IN DNSKEY 257 3 8 AwEAAbd9WqjzE2Pynz21OG5doSf9hFzMr5dhzz2waZ3vTa+0o5r7AjTAqmA1yH/B3+aAMihUm5ucZSfVqo7+kOaRE8yFj9aivOmA1n1+JLevJq/oyvQyjxQN2Qb89LyaNUT5oKZIiL+uyyhNW3KDR3SSbQ/GBwQNDHVcZi+JDR3RC0r7 ;{id = 1444 (ksk), size = 1024b} +com. 3600 IN RRSIG DNSKEY 8 1 3600 20201116135527 20201019135527 1444 com. 
BEOMfWvi6RgnHaHsst+Ed265hBuCkgMR7gDpu89J7ZrVL6DzMKnNVFdgjl/9xwLj/pkukc7qeLSHjAfLlN0E4THW7PVshscQnjvXCkktG2Ejx9fTyllAqeGDh9z9QDGlQZIGTMgb9413qZhNqe2Tda9PTJRpiZ8b4bdQp6V1kVo= +SECTION ADDITIONAL +ENTRY_END +RANGE_END + +; ns.example.net. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.net. IN NS +SECTION ANSWER +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +ns.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN A +SECTION ANSWER +ns.example.net. IN A 1.2.3.44 +SECTION AUTHORITY +example.net. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.net. IN AAAA +SECTION AUTHORITY +example.net. IN NS ns.example.net. +SECTION ADDITIONAL +www.example.net. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.net. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN SOA +SECTION ANSWER +; serial, refresh, retry, expire, minimum +example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN AXFR +SECTION ANSWER +example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 +example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. 
gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM= +example.com. 3600 IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg= +example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566 (zsk), size = 1024b} +example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA= +example.com. 3600 IN TYPE63 \# 70 0bee1bc6010258f7620f93204bbb31b44f795b3409cc4abd9ef5601decc15675bd7751213152984eddce0626e6062e744b03b3e47711202fbb79e4a2eb8bc5cf46741b5cae6f +example.com. 3600 IN RRSIG TYPE63 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y= +example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY TYPE63 +example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo= +bar.example.com. 3600 IN A 1.2.3.4 +bar.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. 
NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds= +bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC +bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0= +ding.example.com. 3600 IN A 1.2.3.4 +ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko= +ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC +ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU= +foo.example.com. 3600 IN A 1.2.3.4 +foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA= +foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC +foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s= +ns.example.com. 3600 IN A 127.0.0.1 +ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. 
SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg= +ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC +ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A= +www.example.com. 3600 IN A 127.0.0.1 +www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ= +www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC +www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI= +example.com. 3600 IN SOA ns.example.com. hostmaster.example.com. 200154054 28800 7200 604800 3600 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +ENTRY_END + +STEP 30 TIME_PASSES ELAPSE 10 +STEP 40 TRAFFIC + +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 60 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 127.0.0.1 +ENTRY_END + +; the zonefile was updated with new contents +STEP 70 CHECK_TEMPFILE example.com +FILE_BEGIN +example.com. 3600 IN SOA ns.example.com. 
hostmaster.example.com. 200154054 28800 7200 604800 3600 +example.com. 3600 IN RRSIG SOA 8 2 3600 20201116135527 20201019135527 55566 example.com. gcFHT/Q4iDZ78CK6fyY2HZr8sRtgH2Rna9fEs06RW0gqMnfDntweoIaBamOZ7NlAP84aY2bZeanmEccmkHexByUpodCoKQ4NzVXctLr0TO4PVoFyfUfj62fjhM56SF8ioDxsoDQcPtYXcjNQjwfntWofMqHCMxrb9LzbgePzhOM= +example.com. 3600 IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 8 2 3600 20201116135527 20201019135527 55566 example.com. X+V3XsbJbBi9OsHpjMkGCox8RLY/uXp/XX/O/flTrIre9fMDWm9ZGnewtuQFpLgGc6hUTi0eLsuRWRA5fZXEKUBhmoR2Ph01KgE1gvlL7v6zPWQwXVcBRUr3mOSbYdNNkHkXEjiDBGEhNkfqR216zNgw563eEGXOkLUFNIx5Zpg= +example.com. 3600 IN NSEC bar.example.com. NS SOA RRSIG NSEC DNSKEY ZONEMD +example.com. 3600 IN RRSIG NSEC 8 2 3600 20201116135527 20201019135527 55566 example.com. ufLrlOQprAqjnH85Rt3T0Mxd3ZB0mBeeNIr84eFJ8Rk6WiWEPm0Y1R7GRufNI24Mj7iqLcL4nJM6KK6B7dJqjqu73jw1acuYNnbsoV2BNDRXRFP2FNWTpctVdi+955f3FzgsmEJXfGiSUG0YXAEcZmdCPCn5ii2jk8mk7r6KKYo= +example.com. 3600 IN DNSKEY 256 3 8 AwEAAdug/L739i0mgN2nuK/bhxu3wFn5Ud9nK2+XUmZQlPUEZUC5YZvm1rfMmEWTGBn87fFxEu/kjFZHJ55JLzqsbbpVHLbmKCTT2gYR2FV2WDKROGKuYbVkJIXdKAjJ0ONuK507NinYvlWXIoxHn22KAWOd9wKgSTNHBlmGkX+ts3hh ;{id = 55566} +example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20201116135527 20201019135527 55566 example.com. fsdnVg38PKQTH2mDOwkXL6Jre7JP7Gf8WI3CvIbmeYQUJtAlpcSbZkS3wInm3kKMxOuT55BWzndQzpfmpo91OqJjG27W0k9301NMLUwFprA6b9HK+iPAT0JpYPDPzcm1bQdarLzLS+eD/GPwmyVSX7Gze+08VfE8m8sOW2r7UjA= +example.com. 3600 IN ZONEMD 200154054 1 2 58F7620F93204BBB31B44F795B3409CC4ABD9EF5601DECC15675BD7751213152984EDDCE0626E6062E744B03B3E47711202FBB79E4A2EB8BC5CF46741B5CAE6F +example.com. 3600 IN RRSIG ZONEMD 8 2 3600 20201116135527 20201019135527 55566 example.com. orn8ZF/yqj9u4WrhiO6gtEcTaVsnZSWWZLfXhcIOiWSB8kKCxtZl5cG17dD3Du1NllUwMRqkp0KleLhIoUS9xeQ/0x05u+CYLrfQ62oAiD7q54ZQzpXJIH52aQzKV70ZnO03CZowhQBnetmIoKX6xLogKo8pt+BdQbo3oVHxV8Y= +bar.example.com. 3600 IN A 1.2.3.4 +bar.example.com. 
3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. NYhmRicF4C9+YxpWeQrepy4ALM1CM0USoDuGi3W5Xtp4/+YpCJfSIdR9vlJaJ2WayYuZrz9Ai2ci7oWwE1Fn3oywGwCKvGo9m0c3mC2eEtphE19wrop6pWu6um4RiFhmzYS1voraA3PAdYzze9U4NHzlk0+sb5vNZW9dSZS30Ds= +bar.example.com. 3600 IN NSEC ding.example.com. A RRSIG NSEC +bar.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. VhsGuBx20DXQZNU8ITAMnasn6NVyEjN9xtB8msH5xJn80UCuaqvFBURzcPWN3aHnykEvGfdPF/9P3WvlON0cMikWkqSLy6Q9bpvgAq13HWYh+ZcDoqLtICaB7RkBQc+6aHAqZFyQbD8/m8Kxt5eVJtV6rEuf+yPX0+3aXHhsRg0= +ding.example.com. 3600 IN A 1.2.3.4 +ding.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. OERsruISkpd1s68ute8Xm8YXisBCTkkiDMt34K+0dVqvySOJq63d3qN18BeUxZxLyHDB1eR3nZZKqEdkTqrv2r98skhWhjnOECpFbu5gKjtN/KPexbbJ+rxC0QqciuWOC7M6YE0cvI17/RB9KhVRy5rqY2X4Gt2wk2CNeD1dAko= +ding.example.com. 3600 IN NSEC foo.example.com. A RRSIG NSEC +ding.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. nb1W2aaKrU5iAQiY8gMsoMOejID19JMTEwY2rRoe+KsvzMs0rE0ifEkqit4blXaU0tfy0foJ70uqdJFqBoGz1NcSwZ6GNk/iNfGvG3XpxZ/zqEe7kkIucqqei794G7z9psqV94yZ3WaT+IswPpWrSaWv1w41RtcWufPhe4fOAmU= +foo.example.com. 3600 IN A 1.2.3.4 +foo.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. ZcUngb2pUejwnsshbJN/Dfr+Bzu8fcZXyqLArQ+10Bw1IPHyfx7yyUJ43V5tTYVHPSEsJzTnaWj+olVrNhVZxq5e0pgzSYPfGln2FEItEvMIOn33j8yKTpPW2MLyuFF5ZkXhosG20EUwRMvMmRHRz9mIZfwWoMbSGPukmLh8zMA= +foo.example.com. 3600 IN NSEC ns.example.com. A RRSIG NSEC +foo.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. fUZEpkEULRWDntN5Z7Kr8M83Hjhf08ECMKRpo6IBoBc3ayenj+YMgWAvFXC825wjENPYYWNGag0d32U83zCZxqgv+8uXZd3B7QDpTbL41aWZdc++s5YWTkYjyOWwJ1XHOv4nL3qEnJBXVzo/E1gbSKhTFuG97i+7J1MFd9MsC5s= +ns.example.com. 3600 IN A 127.0.0.1 +ns.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. 
SiuxuPtN/ITd+Z20j8UNUHJWbLHirE8zQOWMv5fAZ1rPKpAidrZgUL8J417GdrTwkueU2ywAJ7EzFJSwNTa7o/wUnq7svmOR6Ze6UQsKuZFZGEfqPNDRp4YuF86LU5jChuo+f/IRpydHrxVwGxDPCR9KarDM+ewfW+yI5bZeZcg= +ns.example.com. 3600 IN NSEC www.example.com. A RRSIG NSEC +ns.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. 0upKNYjiow4NDJm3I1RbUddE9GGuFYEVKswww5BAc/6WHuukupncL30lskvcSKGpByDssP2Hi2CufyEtYeGWh6q1TxtOFRqFBX1p6Q5b3tBlCtvv4h31dQR9uqLvq+GkGS5MR+0LO5kWagIpZmnI8YY5plVdXEtNbp2Ar8zvz/A= +www.example.com. 3600 IN A 127.0.0.1 +www.example.com. 3600 IN RRSIG A 8 3 3600 20201116135527 20201019135527 55566 example.com. AaIeICaPjV50TDrpbyOn94+hs8EYIMTmN4pYqj7e8GIGimqQIk5jgpwSx6SOoOF+uOqkf9GKHkQTn5YVGaeXwEQleg7mPTmMYKAOk06Y7MFUO1Vwt1Vt7Wo+Cpa3x2a1CmEkfFOi4WqP43VJnUtjjKmXoKRz3VUmqByyJYUAGbQ= +www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC +www.example.com. 3600 IN RRSIG NSEC 8 3 3600 20201116135527 20201019135527 55566 example.com. meg/t6nIBqQZ0d5/dT7uu/3CuP4vE+HxqFQaj2fjUNceA/6C7QIQnqQ5Kyblg+XijDkQX0yvyFNHYdgF16UDgFT7tlNUCHk1SpF5BWzV4c4tBEhxASTz7UQo111O3Tyd6CldPzO/Se15Ud0/ZYltHEqWTfY5nJoXC/OJD9V2QOI= +FILE_END + +SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/autotrust_init_fail.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/autotrust_init_fail.rpl
Changed
@@ -4,6 +4,8 @@ log-time-ascii: yes fake-sha1: yes trust-anchor-signaling: no + ede: yes + stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -150,7 +152,7 @@ STEP 20 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=9 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
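Review bot: The expected Extended DNS Error in `MATCH all ede=9` is a bare number, so a reader has to look up RFC 8914 to see which validation failure the test pins. A comment on the line above, `; ede=9: DNSKEY Missing (RFC 8914)`, would document it. The same applies to `ede=6` (DNSSEC Bogus) in autotrust_init_failsig.rpl and autotrust_probefailsig.rpl, `ede=9` in autotrust_probefail.rpl, and `ede=7` (Signature Expired) in the three black_*_entry.rpl files. For the black_* cases it is worth confirming that Signature Expired is the intended reason rather than a side effect of the fixed test date, which these hunks do not show.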
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/autotrust_init_failsig.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/autotrust_init_failsig.rpl
Changed
@@ -5,6 +5,8 @@ log-time-ascii: yes fake-sha1: yes trust-anchor-signaling: no + ede: yes + stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -138,7 +140,7 @@ STEP 20 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/autotrust_probefail.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/autotrust_probefail.rpl
Changed
@@ -4,6 +4,8 @@ log-time-ascii: yes fake-sha1: yes trust-anchor-signaling: no + ede: yes + stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -155,7 +157,7 @@ STEP 30 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=9 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/autotrust_probefailsig.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/autotrust_probefailsig.rpl
Changed
@@ -4,6 +4,8 @@ log-time-ascii: yes fake-sha1: yes trust-anchor-signaling: no + ede: yes + stub-zone: name: "." stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. @@ -155,7 +157,7 @@ STEP 30 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/black_ds_entry.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/black_ds_entry.rpl
Changed
@@ -6,6 +6,7 @@ target-fetch-policy: "0 0 0 0 0" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -578,7 +579,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.sub.example.com. IN A @@ -595,7 +596,7 @@ STEP 120 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION ftp.sub.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/black_key_entry.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/black_key_entry.rpl
Changed
@@ -6,6 +6,7 @@ target-fetch-policy: "0 0 0 0 0" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -560,7 +561,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.sub.example.com. IN A @@ -577,7 +578,7 @@ STEP 120 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION ftp.sub.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/black_prime_entry.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/black_prime_entry.rpl
Changed
@@ -7,6 +7,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -285,7 +286,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A @@ -304,7 +305,7 @@ ; recursion happens here. STEP 120 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION ftp.example.com. IN A
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir/blanks.example.com.zone
Added
@@ -0,0 +1,23 @@
+; Test if the zone parser accepts various blank lines
+@ IN SOA ns1.example.com dnsmaster.example.com. (
+ 1 ; Serial
+ 7200 ; Refresh 2 hours
+ 3600 ; Retry 1 hour
+ 2419200 ; expire - 4 weeks
+ 3600 ; Minimum 1 hour
+)
+ 7200 IN NS ns1
+ns1 IN A 192.0.2.1
+ IN AAAA 2001:dbb::1
+; completely blank line
+
+; line with one space
+
+; line with one tab
+
+; line with spaces followed by comment
+ ; test comment
+; line with tabs followed by comment
+ ; test comment
+; Final line with spaces, tabs and comment
+ ; test comment
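Review bot: The AAAA record uses `2001:dbb::1`, which is outside the IPv6 documentation prefix 2001:db8::/32 (RFC 3849), while the A record correctly uses the documentation address 192.0.2.1. This is presumably a typo for `2001:db8::1`; test fixtures should stay inside reserved ranges so they never name a routable address. The copy of this zone under blanks_https.tdir/127.0.0.1/ has the same value. The SOA MNAME `ns1.example.com` also lacks a trailing dot, so it is relative to the zone origin, which may not be what was meant.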
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir/blanks_cached_zone.conf
Added
@@ -0,0 +1,20 @@
+server:
+ verbosity: 7
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ use-caps-for-id: yes
+ module-config: "respip validator iterator"
+
+auth-zone:
+ name: blanks.example.com
+ zonefile: "blanks.example.com.zone"
+ url: "https://127.0.0.1:@TOPORT@/blanks.example.com.zone"
+ for-upstream: yes
+ for-downstream: yes
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir/blanks_cached_zone.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: blanks_cached_zone
+Version: 1.0
+Description: Check if a cached zone with blank line can be loaded
+CreationDate: Wed 08 Jun 2022 11:16:25 AM CEST
+Maintainer: Philip Homburg
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: blanks_cached_zone.pre
+Post: blanks_cached_zone.post
+Test: blanks_cached_zone.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir/blanks_cached_zone.post
Added
@@ -0,0 +1,10 @@
+# #-- blanks_cached_zone.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir/blanks_cached_zone.pre
Added
@@ -0,0 +1,23 @@
+# #-- blanks_cached_zone.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+UNUSED_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UNUSED_PORT'/' < blanks_cached_zone.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_cached_zone.tdir/blanks_cached_zone.test
Added
@@ -0,0 +1,51 @@
+# #-- blanks_cached_zone.test --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+TARGET=ns1.blanks.example.com.
+echo "> dig $TARGET"
+dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+echo "> cat logfiles"
+cat unbound.log
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
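Review bot: The retry logic is six copy-pasted `if grep SERVFAIL outfile` blocks that differ only in the sleep value, which makes the back-off schedule (0, 1, 1, 1, 10, 10 seconds) hard to see and easy to get out of step between copies. A single loop over the delays keeps the same schedule and stops as soon as the answer is no longer SERVFAIL. blanks_https.test repeats the identical sequence and would benefit from the same change. The final check would also be stricter as `grep -F "192.0.2.1"`, since the unescaped dots currently match any character.
```shell
# … unchanged: TARGET assignment and first dig …
for delay in 0 1 1 1 10 10; do
	grep SERVFAIL outfile || break
	echo "> try again"
	sleep $delay
	dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
done
# … unchanged: log dump and answer check …
```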
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/127.0.0.1
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/127.0.0.1/blanks.example.com.zone
Added
@@ -0,0 +1,23 @@
+; Test if the zone parser accepts various blank lines
+@ IN SOA ns1.example.com dnsmaster.example.com. (
+ 1 ; Serial
+ 7200 ; Refresh 2 hours
+ 3600 ; Retry 1 hour
+ 2419200 ; expire - 4 weeks
+ 3600 ; Minimum 1 hour
+)
+ 7200 IN NS ns1
+ns1 IN A 192.0.2.1
+ IN AAAA 2001:dbb::1
+; completely blank line
+
+; line with one space
+
+; line with one tab
+
+; line with spaces followed by comment
+ ; test comment
+; line with tabs followed by comment
+ ; test comment
+; Final line with spaces, tabs and comment
+ ; test comment
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/blanks_https.conf
Added
@@ -0,0 +1,18 @@
+server:
+ verbosity: 7
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ use-caps-for-id: yes
+auth-zone:
+ name: "blanks.example.com"
+ for-upstream: yes
+ for-downstream: yes
+ url: "https://127.0.0.1:@TOPORT@/blanks.example.com.zone"
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/blanks_https.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: blanks_https
+Version: 1.0
+Description: Fetch a zone with blank lines over https
+CreationDate: Tue 14 Jun 2022 04:43:21 PM CEST
+Maintainer: Philip Homburg
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: blanks_https.pre
+Post: blanks_https.post
+Test: blanks_https.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/blanks_https.post
Added
@@ -0,0 +1,11 @@
+# #-- blanks_https.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+kill_pid $UNBOUND_PID
+kill_pid $PETAL_PID
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/blanks_https.pre
Added
@@ -0,0 +1,34 @@
+# #-- blanks_https.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+PETAL_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "PETAL_PORT=$PETAL_PORT" >> .tpkg.var.test
+
+get_make
+(cd $PRE; $MAKE petal)
+
+# start https daemon
+$PRE/petal -v -a "127.0.0.1" -p $PETAL_PORT >petal.log 2>&1 &
+PETAL_PID=$!
+echo "PETAL_PID=$PETAL_PID" >> .tpkg.var.test
+cat .tpkg.var.test
+wait_petal_up petal.log
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$PETAL_PORT'/' < blanks_https.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+
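Review bot: The build step `(cd $PRE; $MAKE petal)` ignores both a failed `cd` and a failed build, so the script still goes on to launch `$PRE/petal`. A missing or stale binary then only shows up later as a timeout in `wait_petal_up`, or the test runs against a helper that was not built from this tree. I would chain and check the step: `(cd "$PRE" && $MAKE petal) || exit 1`.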
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/blanks_https.test
Added
@@ -0,0 +1,52 @@
+# #-- blanks_https.test --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+TARGET=ns1.blanks.example.com.
+echo "> dig $TARGET"
+dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
+fi
+echo "> cat logfiles"
+cat petal.log
+cat unbound.log
+echo "> check answer"
+if grep "192.0.2.1" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
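Review bot: The six copy-pasted `if grep SERVFAIL outfile; then … fi` retry blocks differ only in their sleep time, which makes the back-off schedule hard to read and easy to change in one block but not the others. A single loop over the delays keeps the same schedule (no wait, then 1, 1, 1, 10, 10 seconds) and stops as soon as the answer is no longer SERVFAIL. The log dump and the final `grep "192.0.2.1"` check stay as they are.

```shell
dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
# retry while the zone is still being fetched; same delays as before
for delay in 0 1 1 1 10 10; do
	grep SERVFAIL outfile || break
	echo "> try again"
	sleep $delay
	dig @localhost -p $UNBOUND_PORT $TARGET | tee outfile
done
# … unchanged: log dump and answer check …
```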
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/petal.key
Added
@@ -0,0 +1,21 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ +RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1 +QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu +O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU +J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG +Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh +mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh +qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU +6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz +lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc +Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM +XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ +Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh +C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C +EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS +3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY +F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ +kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3 +berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2 +-----END RSA PRIVATE KEY-----
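Review bot: petal.key is an unencrypted RSA private key shipped next to its certificate (petal.pem, the following section), and nothing in the test directory marks the pair as a throwaway fixture. Everyone with the source tarball holds this key, so it must never be used outside the test harness, and secret scanners will flag it on every import of the package. I would state that in the descriptor, e.g. `Description: Fetch a zone with blank lines over https (petal.key/petal.pem are public, test-only credentials)`. Alternatively the pair could be generated in blanks_https.pre with `openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=petal -days 30 -keyout petal.key -out petal.pem`, assuming petal loads both files from the working directory.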
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/blanks_https.tdir/petal.pem
Added
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw +ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT +BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd +OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03 +/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8 +67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL +PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG +9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD +ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO +mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV +bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd +q7miNnkO8vd0maw= +-----END CERTIFICATE-----
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/cachedb_servfail_cname.crpl
Added
@@ -0,0 +1,181 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ minimal-responses: no
+ ;serve-expired: yes
+ module-config: "cachedb iterator"
+
+cachedb:
+ backend: "testframe"
+ secret-seed: "testvalue"
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129
+CONFIG_END
+
+SCENARIO_BEGIN Test cachedb store and servfail reply from cname.
+; the servfail reply should not overwrite the cache contents.
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns2.example.com.
+SECTION ADDITIONAL
+ns2.example.com. IN A 1.2.3.5
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+foo.com. IN NS
+SECTION AUTHORITY
+foo.com. IN NS ns.example.com.
+ENTRY_END
+RANGE_END
+
+; ns2.example.com.
+RANGE_BEGIN 0 20
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns2.example.com., now failing
+RANGE_BEGIN 20 100
+ ADDRESS 1.2.3.5
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN CNAME foo.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+foo.example.com. IN A
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+ns2.example.com. IN A
+SECTION ANSWER
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qname qtype
+REPLY QR AA SERVFAIL
+SECTION QUESTION
+ns2.example.com. IN AAAA
+SECTION ANSWER
+ENTRY_END
+RANGE_END
+
+; get and entry in cache, to make it expired.
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+; get the answer for it
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN A 1.2.3.4
+ENTRY_END
+
+; it is now expired
+STEP 20 TIME_PASSES ELAPSE 20
+
+; get a servfail in cache for the destination
+STEP 30 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+foo.example.com. IN A
+ENTRY_END
+
+STEP 40 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+foo.example.com. IN A
+ENTRY_END
+
+; the query is now a CNAME to servfail.
+; there is a valid, but expired, entry in cache.
+STEP 50 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+
+STEP 60 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+www.example.com. IN A
+SECTION ANSWER
+www.example.com. 10 IN CNAME foo.example.com.
+ENTRY_END
+
+SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/clang-analysis.tdir/clang-analysis.dsc -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/clang-analysis.tdir/clang-analysis.dsc
Changed
@@ -7,7 +7,7 @@ Component: Depends: Help: -Pre: +Pre: clang-analysis.pre Post: Test: clang-analysis.test AuxFiles:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/clang-analysis.tdir/clang-analysis.pre
Added
@@ -0,0 +1,21 @@
+# #-- clang-analysis.pre --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+# common functions
+. ../common.sh
+
+PRE="../.."
+if test ! -x "`which clang 2>&1`"; then
+ skip_test "No clang in path"
+fi
+#echo "have clang"
+# test if assertions are enabled
+if grep "^#define UNBOUND_DEBUG" $PRE/config.h >/dev/null; then
+ :
+else
+ skip_test "UNBOUND_DEBUG is not enabled, skip test"
+ # no unbound debug means no assertions, and clang analyzer uses
+ # the assertions to make inferences.
+fi
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/clang-analysis.tdir/clang-analysis.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/clang-analysis.tdir/clang-analysis.test
Changed
@@ -7,20 +7,6 @@ . ../common.sh PRE="../.." -if test ! -x "`which clang 2>&1`"; then - echo "No clang in path" - exit 0 -fi -#echo "have clang" -# test if assertions are enabled -if grep "^#define UNBOUND_DEBUG" $PRE/config.h >/dev/null; then - : -else - echo "UNBOUND_DEBUG is not enabled, skip test" - # no unbound debug means no assertions, and clang analyzer uses - # the assertions to make inferences. - exit 0 -fi # read value from Makefile # $1: result variable name
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/common.sh -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/common.sh
Changed
@@ -14,6 +14,7 @@ # info x : print info # test_tool_avail x : see if program in path and complain, exit if not. # get_ldns_testns : set LDNS_TESTNS to executable ldns-testns +# get_ldns_notify : set LDNS_NOTIFY to executable ldns-notify # get_make : set MAKE to gmake or make tool. # get_gcc : set cc or gcc in CC # get_pcat : set PCAT, PCAT_DIFF and PCAT_PRINT executables. @@ -26,7 +27,9 @@ # wait_petal_up : wait for petal to come up. # wait_nsd_up : wait for nsd to come up. # wait_server_up_or_fail: wait for server to come up or print a failure string +# skip_test x : print message and skip test (must be called in .pre) # kill_pid : kill a server, make sure and wait for it to go down. +# teststep : print the current test step in the output # print error and exit @@ -62,6 +65,15 @@ fi } +# get ldns-notify tool in LDNS_NOTIFY variable. +get_ldns_notify () { + if test -x "`which ldns-notify 2>&1`"; then + LDNS_NOTIFY=ldns-notify + else + LDNS_NOTIFY=/home/wouter/bin/ldns-notify + fi +} + # get make tool in MAKE variable, gmake is used if present. get_make () { if test -x "`which gmake 2>&1`"; then @@ -99,6 +111,13 @@ fi } +# Print a message and skip the test. Must be called in the .pre file. +# $1: message to print. +skip_test () { + echo "$1" + exit 3 +} + # function to get a number of random port numbers. # $1: number of random ports. # RND_PORT is returned as the starting port number @@ -254,3 +273,8 @@ fi } +# Print the current test step in the output +teststep () { + echo + echo "STEP $1 " +}
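Review bot: In the new `get_ldns_notify` the fallback `LDNS_NOTIFY=/home/wouter/bin/ldns-notify` points into one developer's home directory. On any other machine that path is either missing, so a test fails later with an unrelated "not found" error, or it belongs to whichever local account happens to have that name, so the suite runs a binary nobody reviewed. I would stop explicitly when the tool is not in PATH by replacing the `else` body with `echo "ldns-notify not found in PATH"; exit 1`. The other hunks in this file (the header comments, `skip_test`, `teststep`) raise nothing.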
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert.tdir/dnscrypt_cert.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnscrypt_cert.tdir/dnscrypt_cert.post
Changed
@@ -8,9 +8,6 @@ PRE="../.." . ../common.sh -# Check if we can run the test. -. ./precheck.sh - kill_pid $FWD_PID kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert.tdir/dnscrypt_cert.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnscrypt_cert.tdir/dnscrypt_cert.pre
Changed
@@ -8,7 +8,11 @@ . ../common.sh # Check if we can run the test. -. ./precheck.sh +if grep "define USE_DNSCRYPT 1" $PRE/config.h; then + echo "have dnscrypt" +else + skip_test "no dnscrypt" +fi get_random_port 3 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert.tdir/dnscrypt_cert.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnscrypt_cert.tdir/dnscrypt_cert.test
Changed
@@ -7,9 +7,6 @@ PRE="../.." . ../common.sh -# Check if we can run the test. -. ./precheck.sh - # do the test # Query plain request over DNSCrypt channel get closed
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.post
Changed
@@ -8,10 +8,5 @@ PRE="../.." . ../common.sh -# Check if we can run the test. -. ./precheck.sh - kill_pid $FWD_PID -if $xchacha20 -ne 0 ; then - kill_pid $UNBOUND_PID -fi +kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.pre
Changed
@@ -7,8 +7,17 @@ PRE="../.." . ../common.sh -# Check if we can run the test. -. ./precheck.sh +# if no dnscrypt; exit +if grep "define USE_DNSCRYPT 1" $PRE/config.h; then + echo "have dnscrypt" +else + skip_test "no dnscrypt" +fi +if grep "define USE_DNSCRYPT_XCHACHA20 1" $PRE/config.h; then + echo "have XChacha20 support" +else + skip_test "no XChacha20 support" +fi get_random_port 3 UNBOUND_PORT=$RND_PORT @@ -34,10 +43,5 @@ cat .tpkg.var.test wait_ldns_testns_up fwd.log -if $xchacha20 -eq 0 ; then - # no xchacha20 support, we expect unbound to exit with an error message. - wait_server_up unbound.log "Certificate for XChacha20 but libsodium does not support it" -else - wait_unbound_up unbound.log -fi +wait_unbound_up unbound.log
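Review bot: The second hunk drops the branch that waited for "Certificate for XChacha20 but libsodium does not support it", so builds without XChacha20 now skip the test. Nothing checks any longer that Unbound refuses to start with an XChacha20 certificate it cannot use, and that refusal is a fail-closed path worth keeping under test. If the skip is needed for the harness, I would record the gap next to the new check with `# start-up failure without XChacha20 support is no longer tested here`, or move the old expectation into its own test directory. The script continues outside both hunks.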
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnscrypt_cert_chacha.tdir/dnscrypt_cert_chacha.test
Changed
@@ -6,17 +6,9 @@ PRE="../.." . ../common.sh -# Check if we can run the test. -. ./precheck.sh # do the test -if $xchacha20 -eq 0 ; then - # Unbound would exit before we can attempt any tests. - echo "OK" - exit 0 -fi - # Query plain request over DNSCrypt channel get closed # We use TCP to avoid hanging on waiting for UDP. # We expect `outfile` to contain no DNS payload @@ -104,7 +96,7 @@ echo "> check answer" grep -F 'DNSC\000\002\000\000\1716\226\255*\244\002L\177g\025_\127tR\151\246R\203\178\153\248\006\137\"\138\173|G/,\160\152\015\010\172\184\220`\175\217\255,\162\018\178-d\007\246k0\003I\205w\026)\204B\002\161\010\245\243W\191\189Z\216\210x\025\204\247\173\227t\138\018\162~\152\253\211\031z\\\002m5\008\254\2244\246\243W\191\189Z\216\210Y\160\2158Y\160\2158u\210\219\184' outfile cert_found=$? - if \( $cert_found -eq 0 -a $xchacha20 -eq 1 \) -o \( $cert_found -ne 0 -a $xchacha20 -eq 0 \) ; then + if \( $cert_found -eq 0 \) ; then echo "OK" else echo "Not OK"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap.tdir/dnstap.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap.tdir/dnstap.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap.tdir/dnstap.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap.tdir/dnstap.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 3 UNBOUND_PORT=$RND_PORT
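Review bot: `skip_test "test skipped"` prints a message that does not say which build option is missing, whereas dnscrypt_cert.pre uses the more useful `skip_test "no dnscrypt"`. Several of these directories cover TLS peer verification (dnstap_tls_badcert, dnstap_tls_badname, dnstap_tls_clientauth), so a log should make it obvious why they did not run. I would write `skip_test "no dnstap support (USE_DNSTAP not set in config.h)"` here. The same applies to the other dnstap_*.pre hunks, to the doh_downstream*.pre hunks (`HAVE_NGHTTP2`) and to dynlibmod.pre (`WITH_DYNLIBMODULE`). Each is a one-line change inside a script that starts and ends outside the hunk.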
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap.tdir/dnstap.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap.tdir/dnstap.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_reconnect.tdir/dnstap_reconnect.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_reconnect.tdir/dnstap_reconnect.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_reconnect.tdir/dnstap_reconnect.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_reconnect.tdir/dnstap_reconnect.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 3 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_reconnect.tdir/dnstap_reconnect.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_reconnect.tdir/dnstap_reconnect.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tcp.tdir/dnstap_tcp.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tcp.tdir/dnstap_tcp.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tcp.tdir/dnstap_tcp.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tcp.tdir/dnstap_tcp.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 4 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tcp.tdir/dnstap_tcp.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tcp.tdir/dnstap_tcp.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls.tdir/dnstap_tls.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls.tdir/dnstap_tls.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls.tdir/dnstap_tls.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls.tdir/dnstap_tls.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 4 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls.tdir/dnstap_tls.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls.tdir/dnstap_tls.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 4 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_badcert.tdir/dnstap_tls_badcert.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 4 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_badname.tdir/dnstap_tls_badname.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 4 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_clientauth.tdir/dnstap_tls_clientauth.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 4 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dnstap_tls_peername.tdir/dnstap_tls_peername.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # test if the server is up. echo "> dig www.example.com."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream.tdir/doh_downstream.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream.tdir/doh_downstream.post
Changed
@@ -6,7 +6,6 @@ # # do your teardown here PRE="../.." -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi . ../common.sh kill_pid $FWD_PID kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream.tdir/doh_downstream.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream.tdir/doh_downstream.pre
Changed
@@ -6,7 +6,7 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 2 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream.tdir/doh_downstream.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream.tdir/doh_downstream.test
Changed
@@ -6,7 +6,6 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi get_make (cd $PRE; $MAKE dohclient)
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.post
Changed
@@ -6,7 +6,6 @@ # # do your teardown here PRE="../.." -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi . ../common.sh kill_pid $UNBOUND_PID cat unbound.log
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.pre
Changed
@@ -6,7 +6,7 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 1 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_buffer_size.tdir/doh_downstream_buffer_size.test
Changed
@@ -6,7 +6,6 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi get_make (cd $PRE; $MAKE dohclient)
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.post
Changed
@@ -7,6 +7,5 @@ # do your teardown here PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $UNBOUND_PID cat unbound.log
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.pre
Changed
@@ -6,7 +6,7 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 1 UNBOUND_PORT=$RND_PORT echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_endpoint.tdir/doh_downstream_endpoint.test
Changed
@@ -6,7 +6,6 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi get_make (cd $PRE; $MAKE dohclient)
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_notls.tdir/doh_downstream_notls.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_notls.tdir/doh_downstream_notls.post
Changed
@@ -6,7 +6,6 @@ # # do your teardown here PRE="../.." -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi . ../common.sh kill_pid $FWD_PID kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_notls.tdir/doh_downstream_notls.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_notls.tdir/doh_downstream_notls.pre
Changed
@@ -6,7 +6,7 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 2 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_notls.tdir/doh_downstream_notls.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_notls.tdir/doh_downstream_notls.test
Changed
@@ -6,7 +6,6 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi get_make (cd $PRE; $MAKE dohclient)
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_post.tdir/doh_downstream_post.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_post.tdir/doh_downstream_post.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $FWD_PID kill_pid $UNBOUND_PID cat unbound.log
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_post.tdir/doh_downstream_post.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_post.tdir/doh_downstream_post.pre
Changed
@@ -6,7 +6,7 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 2 UNBOUND_PORT=$RND_PORT FWD_PORT=$(($RND_PORT + 1))
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/doh_downstream_post.tdir/doh_downstream_post.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/doh_downstream_post.tdir/doh_downstream_post.test
Changed
@@ -6,7 +6,6 @@ PRE="../.." . ../common.sh -if grep "define HAVE_NGHTTP2 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi get_make (cd $PRE; $MAKE dohclient)
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dynlibmod.tdir/dynlibmod.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dynlibmod.tdir/dynlibmod.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define WITH_DYNLIBMODULE 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $FWD_PID kill $UNBOUND_PID kill $UNBOUND_PID >/dev/null 2>&1
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dynlibmod.tdir/dynlibmod.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dynlibmod.tdir/dynlibmod.pre
Changed
@@ -7,7 +7,7 @@ . ../common.sh PRE="../.." -if grep "define WITH_DYNLIBMODULE 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define WITH_DYNLIBMODULE 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 3 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/dynlibmod.tdir/dynlibmod.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/dynlibmod.tdir/dynlibmod.test
Changed
@@ -6,7 +6,6 @@ . ../common.sh PRE="../.." -if grep "define WITH_DYNLIBMODULE 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi # compile the dynamic library module if grep "define USE_WINSOCK 1" $PRE/config.h; then
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/dnskey-failures.test
Added
@@ -0,0 +1,10 @@ +$ORIGIN dnskey-failures.test. + +@ SOA ns hostmaster ( + 1 ; serial + 14400 ; refresh (4 hours) + 1800 ; retry (30 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) +) + A 192.0.2.1
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/dnskey-failures.test.signed
Added
@@ -0,0 +1,7 @@ +dnskey-failures.test. 3600 IN SOA ns.dnskey-failures.test. hostmaster.dnskey-failures.test. 1 14400 1800 2419200 300 +dnskey-failures.test. 3600 IN RRSIG SOA 13 2 3600 20010201000000 20001230000000 45928 dnskey-failures.test. NKixvGKa0WHSI8oE5THI1hjm5nExVkryUmW15VoNZ3pwqUYexGWLIlfuYsTaDE5GVEtPpSKbA+PlYDk19EsLNQ== +dnskey-failures.test. 3600 IN A 192.0.2.1 +dnskey-failures.test. 3600 IN RRSIG A 13 2 3600 20010201000000 20001230000000 45928 dnskey-failures.test. FCEvbVL3TkzO7jWeOz7E/A3Q64QkpegVazS4OL+ybxN2o8OzXdCJN3QbCGdFP26/Rbj089ThDCZ0+OormAk1dw== +dnskey-failures.test. 3600 IN RRSIG DNSKEY 13 2 3600 20010201000000 20001230000000 45928 dnskey-failures.test. pEjWVsJbFiQBvwNGV3v0nVirMJDOYKXqC4IX9dFuRTnoWSb95anvB08pgaZ1ie+thk6YC1fX2fUTRKRFr3vHnA== +dnskey-failures.test. 300 IN NSEC dnskey-failures.test. A SOA RRSIG NSEC DNSKEY +dnskey-failures.test. 300 IN RRSIG NSEC 13 2 300 20010201000000 20001230000000 45928 dnskey-failures.test. /vAazBDetA5+np+fE7V6f9W+faEQT3ETGueNNhFPjUsPF1dU9Gglu4PZ15fWOxsk0DPWHNmTMF70ZCGQJ2k+fw==
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/dnssec-failures.test
Added
@@ -0,0 +1,15 @@ +$ORIGIN dnssec-failures.test. + +@ SOA ns hostmaster ( + 1 ; serial + 14400 ; refresh (4 hours) + 1800 ; retry (30 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) +) + NS ns +ns A 192.0.2.1 +notyetincepted TXT "Not yet incepted" +expired TXT "Expired" +sigsinvalid TXT "Signatures invalid" +missingrrsigs TXT "Signatures missing" \ No newline at end of file
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/dnssec-failures.test.signed
Added
@@ -0,0 +1,25 @@ +dnssec-failures.test. 3600 IN SOA ns.dnssec-failures.test. hostmaster.dnssec-failures.test. 1 14400 1800 2419200 300 +dnssec-failures.test. 3600 IN RRSIG SOA 13 2 3600 20010201000000 20001230000000 53876 dnssec-failures.test. K37BIR/jLR4tN1JtTx3MwzgozslvnFtwUquCSfiBykCcKIv6wErSI9Gnw/tjH0tXrLI1eoLa5oWkgtxy0KKybg== +dnssec-failures.test. 3600 IN NS ns.dnssec-failures.test. +dnssec-failures.test. 3600 IN RRSIG NS 13 2 3600 20010201000000 20001230000000 53876 dnssec-failures.test. JP6mYQORwnwwv+2q9UxpeeaVs5/171y3lyc1FKAY3FHmFqjd4Uo0byW8jgk/BrJyVkaDeZbjvuZq+BED0codpw== +dnssec-failures.test. 3600 IN DNSKEY 257 3 13 mx6xe39HZrYCpyC+9YmquHIf1WdWYaDqOfcpXg2Gtv5VJGS/WSO14txlUoKjYCldyRwcg9wT6JAwikpkzWS6UQ== ;{id = 53876 (ksk), size = 256b} +dnssec-failures.test. 3600 IN RRSIG DNSKEY 13 2 3600 20010201000000 20001230000000 53876 dnssec-failures.test. F760TrogHIBkenX7nGr6LEvocTcGAZamfAaiftIkwprBp21/LZ+qotGsFu9YWsxlGqB3KAINXYATjS6AEJfGEQ== +dnssec-failures.test. 300 IN NSEC expired.dnssec-failures.test. NS SOA RRSIG NSEC DNSKEY +dnssec-failures.test. 300 IN RRSIG NSEC 13 2 300 20010201000000 20001230000000 53876 dnssec-failures.test. Zk+RW0mbLSzwvSYuNQJhNdd4XmtQv47CiLtHbqOyS8/xt5Pt87T0v1UxnCkZAlA+VTEWbJkasq06ER1wMuTetA== +expired.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. UAhzOVumQZ2PVspwJS5NyOjZypIaQXfHMiXGEUYaZ161IfQdB3coBx2vF8MHdqbePOl6Z4oa51ltITMlBL+Stw== +missingrrsigs.dnssec-failures.test. 3600 IN TXT "Signatures missing" +missingrrsigs.dnssec-failures.test. 300 IN NSEC notyetincepted.dnssec-failures.test. TXT RRSIG NSEC +missingrrsigs.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. 4phKld6eMt4cxA4w6I1i29uAbdfbwFrkpRGLBWwerUgDbOdDwUm1de6t4QhBys7DtoZb3wIS+DLJYjBNbz7Sig== +notyetincepted.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. 
ix6Gg9uUZ0A56IQXbDJuBQ3vIm6QipuvzQTKd2wF6kZuEW/53wuy4ROBDIQ4IgnQD17vG8tJNeDOCfj0hh8+dQ== +ns.dnssec-failures.test. 3600 IN A 192.0.2.1 +ns.dnssec-failures.test. 3600 IN RRSIG A 13 3 3600 20010201000000 20001230000000 53876 dnssec-failures.test. PbcykgJEHG218vCkj9pD8W5JVqyCD9VRNOy3SHqCTvWGVAApasdZ7n5wzNVpHdKrqlTpyLwf6z6vv4NMYbEQdw== +ns.dnssec-failures.test. 300 IN NSEC sigsinvalid.dnssec-failures.test. A RRSIG NSEC +ns.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. SEO+C116gcmI0sY4lnIM4DQrUxqyaGIIqlvhxyGrzF9jJopRZB8gflQcYPy5qhIwGZJoEMB+SO4er4LCaS8NwA== +sigsinvalid.dnssec-failures.test. 3600 IN TXT "Signatures INVALID" +sigsinvalid.dnssec-failures.test. 3600 IN RRSIG TXT 13 3 3600 20010201000000 20001230000000 53876 dnssec-failures.test. 3XFjjPt+UyY4ZIj8PAINTtOTh7sk4OIAO5akFDQhqgB/Wv6f7dWdqvl8Y2RIqdh0WQz+nGPRMktS8exA3FKW4Q== +sigsinvalid.dnssec-failures.test. 300 IN NSEC dnssec-failures.test. TXT RRSIG NSEC +sigsinvalid.dnssec-failures.test. 300 IN RRSIG NSEC 13 3 300 20010201000000 20001230000000 53876 dnssec-failures.test. gmft6HYmqZalLwmdnuWBqJod3JD5fRoGqiwYXVFxySm2bHPvz8J9xSe7RdTSONXPUc+7mE8IHYff/gGW7gctqw== +expired.dnssec-failures.test. 3600 IN TXT "Expired" +expired.dnssec-failures.test. 3600 IN RRSIG TXT 13 3 3600 20001230000000 20001201000000 53876 dnssec-failures.test. 8zosYGmmGGcGcBuWaf3oL3TE/hpKDrddtm7ZQGndjmqkZ8CVg6RwFb+8YLqcG5du3Si0rmTuZId+qBOV/pnViA== +notyetincepted.dnssec-failures.test. 3600 IN TXT "Not yet incepted" +notyetincepted.dnssec-failures.test. 3600 IN RRSIG TXT 13 3 3600 20010201000000 20010103000000 53876 dnssec-failures.test. lmk0+oEdnnKa1oujIsMeimuElrKvrUSlBknsfSNqOo07VxJxT2R4qkKc95oiEmeSWHcVTOrXxEhtl4kAAactPg==
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/make-broken-zone.sh
Added
@@ -0,0 +1,75 @@ +#!/usr/bin/env bash + +# This script was used to generate the broken signed zones used for testing. + +# Override the current date; it is used in Unbound's configuration also. +NOW=20010101 + +# differentiate for MacOS with "gdate" +DATE=date +which gdate > /dev/null 2>&1 && DATE=gdate + +ONEMONTHAGO=`$DATE -d "$NOW - 1 month" +%Y%m%d` +ONEMONTH=`$DATE -d "$NOW + 1 month" +%Y%m%d` +YESTERDAY=`$DATE -d "$NOW - 2 days" +%Y%m%d` +TOMORROW=`$DATE -d "$NOW + 2 days" +%Y%m%d` + +# Root trust anchor +echo ". IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d" > bogus/trust-anchors + +# create oudated zones +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnssec-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone -i $YESTERDAY -e $ONEMONTH -f - bogus/dnssec-failures.test $CSK | \ + grep -v '^missingrrsigs\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \ + sed 's/Signatures invalid/Signatures INVALID/g' | \ + grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' | \ + grep -v '^notyetincepted\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' | \ + grep -v '^expired\.dnssec-failures\.test\..*IN.*TXT' | \ + grep -v '^expired\.dnssec-failures\.test\..*IN.*RRSIG.*TXT' > base +ldns-signzone -i $ONEMONTHAGO -e $YESTERDAY -f - bogus/dnssec-failures.test $CSK | \ + grep -v ' NSEC ' | \ + grep '^expired\.dnssec-failures\.test\..*IN.*TXT' > expired +ldns-signzone -i $TOMORROW -e $ONEMONTH -f - bogus/dnssec-failures.test $CSK | \ + grep -v ' NSEC ' | \ + grep '^notyetincepted\.dnssec-failures\.test\..*IN.*TXT' > notyetincepted + +cat base expired notyetincepted > bogus/dnssec-failures.test.signed + +# cleanup old zone keys +rm -f $CSK.* + +# create zone with DNSKEY missing +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom dnskey-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone -i $YESTERDAY -e $ONEMONTH -f tmp.signed bogus/dnskey-failures.test $CSK +grep -v ' DNSKEY ' 
tmp.signed > bogus/dnskey-failures.test.signed + +# cleanup old zone keys +rm -f $CSK.* + +# create zone with NSEC missing +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom nsec-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone -i $YESTERDAY -e $ONEMONTH -f tmp.signed bogus/nsec-failures.test $CSK +grep -v ' NSEC ' tmp.signed > bogus/nsec-failures.test.signed + +# cleanup old zone keys +rm -f $CSK.* + +# create zone with RRSIGs missing +CSK=`ldns-keygen -a ECDSAP256SHA256 -k -r /dev/urandom rrsig-failures.test` +echo $CSK +cat $CSK.ds >> bogus/trust-anchors + +ldns-signzone -i $YESTERDAY -e $ONEMONTH -f tmp.signed bogus/rrsig-failures.test $CSK +grep -v ' RRSIG ' tmp.signed > bogus/rrsig-failures.test.signed + +# cleanup +rm -f base expired notyetincepted tmp.signed $CSK.*
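Review bot: The result of each `ldns-keygen` call is stored in `CSK` and used unchecked, and the script has no `set -e`, so a failed key generation leaves `$CSK` empty and the following `rm -f $CSK.*` expands to `rm -f .*`, removing dotfiles in the working directory. Add `set -eu` after the shebang, stop when the key name is empty with `[ -n "$CSK" ] || exit 1`, and quote the cleanup as `rm -f -- "$CSK".*`. The scratch files `base`, `expired`, `notyetincepted` and `tmp.signed` are also written with fixed names in the current directory; a `mktemp -d` work directory would keep the script from overwriting unrelated files of the same name.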
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/nsec-failures.test
Added
@@ -0,0 +1,10 @@ +$ORIGIN nsec-failures.test. + +@ SOA ns hostmaster ( + 1 ; serial + 14400 ; refresh (4 hours) + 1800 ; retry (30 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) +) + A 192.0.2.1
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/nsec-failures.test.signed
Added
@@ -0,0 +1,7 @@ +nsec-failures.test. 3600 IN SOA ns.nsec-failures.test. hostmaster.nsec-failures.test. 1 14400 1800 2419200 300 +nsec-failures.test. 3600 IN RRSIG SOA 13 2 3600 20010201000000 20001230000000 12342 nsec-failures.test. ZdnRF2uI0IDJsHTXsd4TclX9gUEkxjp19LykHuI3DaCKe3bY8uTETta8i73hlKWJWeRjmgQojIsi9tBlivOwjQ== +nsec-failures.test. 3600 IN A 192.0.2.1 +nsec-failures.test. 3600 IN RRSIG A 13 2 3600 20010201000000 20001230000000 12342 nsec-failures.test. /JccCtWkuQgSF81gv6DPsxaicmlJoGAhVpCpR4JGgVz3tZMhIp+iXUGeI+CkBofw9G/MK66Hk937JRmMh9UTvQ== +nsec-failures.test. 3600 IN DNSKEY 257 3 13 41tJnzHY0o3WKid0ZsIo6S5SJdC1JiW0H/KizsAD2phHdi1AIDiBclL+nG2lKvPjMoX2hcMfd8h9DfU99HR3kg== ;{id = 12342 (ksk), size = 256b} +nsec-failures.test. 3600 IN RRSIG DNSKEY 13 2 3600 20010201000000 20001230000000 12342 nsec-failures.test. Y23xTzxdqQBjFsWLlqCRgPKT7raPcP0lAy2tR8trW5+vUAhBePXdVixp4AjoxEqXsLLalAtnJnc4QgH7+HO6PA== +nsec-failures.test. 300 IN RRSIG NSEC 13 2 300 20010201000000 20001230000000 12342 nsec-failures.test. KfpncqGIzIPNB2ExkH22/z0jAPmq8jTTjDkLte29iKqR9t3bSZlcS0MQ2QB7Z6tgks8fo7Zpc9+BvaDq7Y6ONg==
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/rrsig-failures.test
Added
@@ -0,0 +1,10 @@ +$ORIGIN rrsig-failures.test. + +@ SOA ns hostmaster ( + 1 ; serial + 14400 ; refresh (4 hours) + 1800 ; retry (30 minutes) + 2419200 ; expire (4 weeks) + 300 ; minimum (5 minutes) +) + A 192.0.2.1
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/rrsig-failures.test.signed
Added
@@ -0,0 +1,4 @@ +rrsig-failures.test. 3600 IN SOA ns.rrsig-failures.test. hostmaster.rrsig-failures.test. 1 14400 1800 2419200 300 +rrsig-failures.test. 3600 IN A 192.0.2.1 +rrsig-failures.test. 3600 IN DNSKEY 257 3 13 rIMJ4/qnOb91GuxKzAYiCdPNdEtUhyt+mi1Jz+NPP0rJQdGOhXr37LpctEiKK4isabCXcwYlVtFdDPopa4RufA== ;{id = 13838 (ksk), size = 256b} +rrsig-failures.test. 300 IN NSEC rrsig-failures.test. A SOA RRSIG NSEC DNSKEY
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/bogus/trust-anchors
Added
@@ -0,0 +1,5 @@
+. IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
+dnssec-failures.test. IN DS 53876 13 2 e0207223d847e0d8f3bd2afcf887f727178777a94563b94e1d0be8ca2f070d9a
+dnskey-failures.test. IN DS 45928 13 2 9295d5c0d9296599809ce968f994a974d4da7752266ee124ead4ce980c006c20
+nsec-failures.test. IN DS 12342 13 2 b0a994fe4ff12a706b2a47a794601b254a8d28e040832ad6e39e96dbf7736ca2
+rrsig-failures.test. IN DS 13838 13 2 b083d59d2e7ac370e1103bc5ada2a921e4e65745ea8550350b6fcb57eba9f917
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/ede-auth.conf
Added
@@ -0,0 +1,27 @@ +server: + verbosity: 1 + use-syslog: no + chroot: "" + username: "" + directory: "" + pidfile: "unbound2.pid" + local-zone: test nodefault + interface: 127.0.0.1 + port: @PORT2@ + +auth-zone: + name: "dnssec-failures.test" + zonefile: "bogus/dnssec-failures.test.signed" + +auth-zone: + name: "dnskey-failures.test" + zonefile: "bogus/dnskey-failures.test.signed" + +auth-zone: + name: "nsec-failures.test" + zonefile: "bogus/nsec-failures.test.signed" + +auth-zone: + name: "rrsig-failures.test" + zonefile: "bogus/rrsig-failures.test.signed" +
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/ede.conf
Added
@@ -0,0 +1,50 @@ +server: + verbosity: 2 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: . + pidfile: "unbound.pid" + chroot: "" + username: "" + directory: "" + val-log-level: 2 + + trust-anchor-file: "bogus/trust-anchors" + val-override-date: "20010101020202" + + module-config: "respip validator iterator" + + ede: yes + access-control: 127.0.0.2/32 refuse + access-control: 127.0.0.3/32 allow + + local-zone: hopsa.kidee. always_refuse + local-data: "hopsa.kidee. TXT hela hola" + + local-zone: nlnetlabs.nl transparent + local-data: "hopsa.nlnetlabs.nl. TXT hela hola" + + local-zone: uva.nl. always_null + + local-zone: example.com redirect + local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa." + + local-zone: test nodefault + do-not-query-localhost: no + +forward-zone: + name: "dnssec-failures.test" + forward-addr: 127.0.0.1@@PORT2@ + +forward-zone: + name: "dnskey-failures.test" + forward-addr: 127.0.0.1@@PORT2@ + +forward-zone: + name: "nsec-failures.test" + forward-addr: 127.0.0.1@@PORT2@ + +forward-zone: + name: "rrsig-failures.test" + forward-addr: 127.0.0.1@@PORT2@
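Review bot: `directory` is set twice in the `server:` clause, first as `directory: .` and further down as `directory: ""`; keep one of them so the effective working directory does not depend on which line wins. `val-override-date: "20010101020202"` should carry a comment, for example `# pins validation time to the fixture signatures (bogus/make-broken-zone.sh uses NOW=20010101); test-only`. That setting replaces the wall clock in signature validity checks, so a reader copying from this file needs to see that it belongs to the test fixture only.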
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/ede.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: ede
+Version: 1.0
+Description: Test Extended DNS Errors (rfc8914)
+CreationDate: Fri Aug 20 15:42:11 UTC 2021
+Maintainer: Tom Carpay
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ede.pre
+Post: ede.post
+Test: ede.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/ede.post
Added
@@ -0,0 +1,10 @@ +# #-- ede.post --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +# teardown +. ../common.sh +kill_pid $UNBOUND_PID +kill_pid $UNBOUND_PID2 \ No newline at end of file
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/ede.pre
Added
@@ -0,0 +1,33 @@ +# #-- ede.pre --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +get_random_port 2 +UNBOUND_PORT=$RND_PORT +UNBOUND_PORT2=$(($RND_PORT + 1)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "UNBOUND_PORT2=$UNBOUND_PORT2" >> .tpkg.var.test + +# rewrite config file with created ports +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' < ede.conf > temp.conf +sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < temp.conf > ub.conf +sed -e 's/@PORT2\@/'$UNBOUND_PORT2'/' < ede-auth.conf > ub2.conf + +# start unbound in the background +$PRE/unbound -d -c ub.conf > unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +# start authoritative unbound in the background +$PRE/unbound -d -c ub2.conf > unbound2.log 2>&1 & +UNBOUND_PID2=$! +echo "UNBOUND_PID2=$UNBOUND_PID2" >> .tpkg.var.test + +cat .tpkg.var.test +wait_unbound_up unbound.log +wait_unbound_up unbound2.log
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede.tdir/ede.test
Added
@@ -0,0 +1,72 @@ +# #-- ede.test --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + + +# DNSSEC failure: Signature Expired or DNSKEY Missing (depending on the servfail configuration) +dig @127.0.0.1 -p $UNBOUND_PORT servfail.nl > servfail.txt + +# DNSSEC failure: key not incepted +dig @127.0.0.1 -p $UNBOUND_PORT notyetincepted.dnssec-failures.test. TXT +dnssec > sig_notyetincepted.txt + +if ! grep -q -e "OPT=15: 00 08" -e "EDE: 8" sig_notyetincepted.txt +then + echo "Signature not yet valid does not return EDE Signature Not Yet Valid" + cat sig_notyetincepted.txt + exit 1 +fi + +# DNSSEC failure: key expired +dig @127.0.0.1 -p $UNBOUND_PORT expired.dnssec-failures.test. TXT +dnssec > sig_expired.txt + +if ! grep -q -e "OPT=15: 00 07" -e "EDE: 7" sig_expired.txt +then + echo "Expired signature does not return EDE Signature expired" + cat sig_expired.txt + exit 1 +fi + +# DNSSEC failure: missing rrsigs +dig @127.0.0.1 -p $UNBOUND_PORT missingrrsigs.dnssec-failures.test. TXT +dnssec > missingrrsigs.txt + +if ! grep -q -e "OPT=15: 00 0a" -e "EDE: 10" missingrrsigs.txt +then + echo "Expired signature does not return EDE RRSIGs missing" + cat missingrrsigs.txt + exit 1 +fi + +# signed zone with DNSKEY missing +dig @127.0.0.1 -p $UNBOUND_PORT dnskey-failures.test > dnskey-failure.txt + +if ! grep -q -e "OPT=15: 00 09" -e "EDE: 9" dnskey-failure.txt +then + echo "Expired signature does not return EDE DNSKEY missing" + cat dnskey-failure.txt + exit 1 +fi + +# signed zone with RRSIGs missing +dig @127.0.0.1 -p $UNBOUND_PORT rrsig-failures.test > rrsig-failure.txt + +if ! 
grep -q -e "OPT=15: 00 0a" -e "EDE: 10" rrsig-failure.txt +then + echo "Expired signature does not return EDE RRSIGs missing" + cat rrsig-failure.txt + exit 1 +fi + +# signed zone with NSEC missing +dig @127.0.0.1 -p $UNBOUND_PORT abc.nsec-failures.test > nsec-failure.txt + +if ! grep -q -e "OPT=15: 00 0c" -e "EDE: 12" nsec-failure.txt +then + echo "Expired signature does not return EDE NSEC missing" + cat nsec-failure.txt + exit 1 +fi + + +# @TODO DNSSEC indeterminate when implemented
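Review bot: The failure messages for the `missingrrsigs`, `dnskey-failures`, `rrsig-failures` and `nsec-failures` checks all begin with "Expired signature does not return ...", copied from the expired-signature check, so a failing run reports the wrong condition. Each message should name its own case, for example `echo "Missing RRSIGs does not return EDE RRSIGs Missing"` and `echo "Missing DNSKEY does not return EDE DNSKEY Missing"`. The first query, `dig ... servfail.nl > servfail.txt`, is never inspected, and `ede.conf` shows no forward-zone for that name, so it probably leaves the test host; either assert on `servfail.txt` or drop the query.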
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede_acl_refused.rpl
Added
@@ -0,0 +1,35 @@
+; config options
+server:
+ access-control: 127.0.0.0/8 refuse
+ ede: yes
+CONFIG_END
+
+SCENARIO_BEGIN Test ede-acl-refused
+; Scenario overview:
+; - query for example.com. A record with EDNS
+; - check that we get a refused answer with EDE (RFC8914) code 18 - Prohibited
+
+; Query without RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ REPLY RD
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; Check that we got ede 18
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ede=18
+ REPLY QR RD REFUSED
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END
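Review bot: The comment `; Query without RD flag` above STEP 1 contradicts the entry below it, which sends `REPLY RD`; it looks carried over from the cache-snoop scenario. It should read `; Query with RD flag`. The scenario overview could also say that the refusal comes from `access-control: 127.0.0.0/8 refuse`, since that line is what the EDE 18 check depends on.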
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede_cache_snoop_noth_auth.rpl
Added
@@ -0,0 +1,33 @@
+; config options
+server:
+ ede: yes
+CONFIG_END
+
+SCENARIO_BEGIN Test ede-cache-snoop-not-authoritative
+; Scenario overview:
+; - query for example.com. A record with EDNS without the RD bit
+; - check that we get a refused answer with EDE (RFC8914) code 20 - Not Authoritative
+
+; Query without RD flag
+STEP 1 QUERY
+ENTRY_BEGIN
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+; Check that we got ede 20
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+ MATCH all ede=20
+ REPLY QR RA REFUSED
+ SECTION QUESTION
+ example.com. IN A
+ SECTION ADDITIONAL
+ HEX_EDNSDATA_BEGIN
+ HEX_EDNSDATA_END
+ENTRY_END
+
+SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ede_localzone_dname_expansion.rpl
Added
@@ -0,0 +1,37 @@ +; config options +server: + local-zone: example.com redirect + local-data: "example.com CNAME *.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaaa." + ede: yes + +CONFIG_END + +SCENARIO_BEGIN Test ede-localzone-dname-expansion +; Scenario overview: +; - query for www.qhqwer.qwer.qwer.h.example.com. (a large Qname) A record with EDNS +; - check that we get a YXDOMAIN answer with EDE (RFC8914) code 0 - Other (which adds a DNAME expansion message) + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + www.qhqwer.qwer.qwer.h.example.com A + SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + HEX_EDNSDATA_END +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ede=0 + REPLY QR AA RD RA YXDOMAIN + SECTION QUESTION + www.qhqwer.qwer.qwer.h.example.com A + SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + HEX_EDNSDATA_END +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/edns_attached_once_per_upstream.rpl
Added
@@ -0,0 +1,90 @@ +; config options +server: + edns-client-string: 10.0.0.0/24 "abc d" + outbound-msg-retry: 1 + +stub-zone: + name: "edns-string-abc." + stub-addr: 10.0.0.3 + stub-first: yes + +forward-zone: + name: "." + forward-addr: 10.0.0.1 + +CONFIG_END + +SCENARIO_BEGIN Test that upstream specific EDNS is attached once; uses string tag option + +RANGE_BEGIN 0 1000 + ADDRESS 10.0.0.3 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR SERVFAIL +SECTION QUESTION +edns-string-abc. IN A +ENTRY_END +RANGE_END + +RANGE_BEGIN 0 1000 + ADDRESS 10.0.0.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +edns-string-abc. IN A +SECTION ANSWER +edns-string-abc. IN A 10.20.30.40 +SECTION ADDITIONAL +ENTRY_END +RANGE_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +edns-string-abc. IN A +ENTRY_END + +; This will receive SERVFAIL and the next address will be queried +STEP 20 CHECK_OUT_QUERY ADDRESS 10.0.0.3 +ENTRY_BEGIN +MATCH qname qtype opcode ednsdata +SECTION QUESTION +edns-string-abc. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + fd e9 ; Opcode 65001 + 00 05 ; Length 5 + 61 62 63 20 64 ; "abc d" + HEX_EDNSDATA_END +ENTRY_END + +; This will receive the answer; makes sure that EDNS is attached once +STEP 22 CHECK_OUT_QUERY ADDRESS 10.0.0.1 +ENTRY_BEGIN +MATCH qname qtype opcode ednsdata +SECTION QUESTION +edns-string-abc. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + fd e9 ; Opcode 65001 + 00 05 ; Length 5 + 61 62 63 20 64 ; "abc d" + HEX_EDNSDATA_END +ENTRY_END + + +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +edns-string-abc. IN A +SECTION ANSWER +edns-string-abc. IN A 10.20.30.40 +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/edns_keepalive.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/edns_keepalive.rpl
Changed
@@ -47,14 +47,10 @@ STEP 10 CHECK_ANSWER ENTRY_BEGIN - MATCH TCP ednsdata + MATCH TCP REPLY RD FORMERR SECTION QUESTION www.example.com. IN A - SECTION ADDITIONAL - HEX_EDNSDATA_BEGIN - ; Empty - HEX_EDNSDATA_END ENTRY_END STEP 20 QUERY
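Review bot: STEP 10 no longer matches `ednsdata`, so as far as the visible entry shows, the EDNS section of the FORMERR reply goes unchecked and a change that puts unexpected options into it would not be caught here. If the reply is now expected to carry no OPT record at all, say so above the entry, for example `; FORMERR reply: EDNS section intentionally not matched`. The rest of the scenario lies outside the hunk.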
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fetch_glue.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fetch_glue.rpl
Changed
@@ -176,36 +176,7 @@ ns.example.com. IN A 1.2.3.4 ENTRY_END -; due to ordering of answer packets, this is still outstanding, remove it -STEP 21 CHECK_OUT_QUERY -ENTRY_BEGIN -ADJUST copy_id -MATCH qname qtype -REPLY QR -SECTION QUESTION -ns.example.com IN AAAA -ENTRY_END - -; some more recursion needed. -; to finish the NS query -STEP 40 QUERY -ENTRY_BEGIN -REPLY RD -SECTION QUESTION -. IN NS -ENTRY_END - -STEP 41 CHECK_ANSWER -ENTRY_BEGIN -MATCH all -REPLY QR RD RA NOERROR -SECTION QUESTION -. IN NS -SECTION ANSWER -. IN NS K.ROOT-SERVERS.NET. -SECTION AUTHORITY -SECTION ADDITIONAL -K.ROOT-SERVERS.NET. IN A 193.0.14.129 -ENTRY_END +; let (possible) outstanding queries finish resolving +STEP 21 TRAFFIC SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fetch_glue_cname.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fetch_glue_cname.rpl
Changed
@@ -155,7 +155,7 @@ ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id -REPLY QR NOERROR +REPLY QR AA NOERROR SECTION QUESTION ns.example.com. IN AAAA SECTION AUTHORITY @@ -188,36 +188,7 @@ ns.example.com. IN A 1.2.3.4 ENTRY_END -; due to ordering of answer packets, this is still outstanding, remove it -STEP 21 CHECK_OUT_QUERY -ENTRY_BEGIN -ADJUST copy_id -MATCH qname qtype -REPLY QR -SECTION QUESTION -ns.example.com IN AAAA -ENTRY_END - -; some more recursion needed. -; to finish the NS query -STEP 40 QUERY -ENTRY_BEGIN -REPLY RD -SECTION QUESTION -. IN NS -ENTRY_END - -STEP 41 CHECK_ANSWER -ENTRY_BEGIN -MATCH all -REPLY QR RD RA NOERROR -SECTION QUESTION -. IN NS -SECTION ANSWER -. IN NS K.ROOT-SERVERS.NET. -SECTION AUTHORITY -SECTION ADDITIONAL -K.ROOT-SERVERS.NET. IN A 193.0.14.129 -ENTRY_END +; let (possible) outstanding queries finish resolving +STEP 21 TRAFFIC SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd.rpl
Changed
@@ -28,7 +28,7 @@ SECTION QUESTION www.example.com. IN A ENTRY_END -; unneccesary nothing steps. +; unnecessary nothing steps. STEP 2 NOTHING STEP 3 NOTHING STEP 4 CHECK_ANSWER
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_0ttlservfail.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_0ttlservfail.rpl
Changed
@@ -2,6 +2,7 @@ ; config options go here. server: serve-expired: yes + prefetch: yes forward-zone: name: "." forward-addr: 216.0.0.1 CONFIG_END @@ -45,7 +46,7 @@ ENTRY_END ; enough to pass by the TTL of the servfail answer in cache -STEP 50 TIME_PASSES ELAPSE 40 +STEP 50 TIME_PASSES ELAPSE 5 ; this query triggers a prefetch STEP 210 QUERY
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_ancil.tdir/fwd_ancil.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_ancil.tdir/fwd_ancil.post
Changed
@@ -6,11 +6,6 @@ # # do your teardown here . ../common.sh -if test `hostname`"" = "dicht.nlnetlabs.nl"; then - echo "In jail, no ::1, skip test" - exit 0 -fi - kill_pid $FWD_PID if fgrep "service stopped" unbound.log; then exit 0
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_ancil.tdir/fwd_ancil.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_ancil.tdir/fwd_ancil.pre
Changed
@@ -6,8 +6,7 @@ . ../common.sh if test `hostname`"" = "dicht.nlnetlabs.nl"; then - echo "In jail, no ::1, skip test" - exit 0 + skip_test "In jail, no ::1, skip test" fi get_random_port 2 @@ -38,7 +37,6 @@ # string 'Start of service' in log. wait_server_up_or_fail unbound.log "start of service" "disable interface-automatic" if fgrep "disable interface-automatic" unbound.log; then - echo "skip test" - exit 1 + skip_test "skip test" fi
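Review bot: The `disable interface-automatic` case is now handled in two different ways: the second hunk here changes it from `exit 1` to `skip_test "skip test"`, but `fwd_ancil.test` still has its own branch for the same log line with `echo "skip test"` and `exit 0` (visible as context in its hunk). Either remove that branch from `.test`, if `skip_test` already prevents it from running, or report the skip the same way there. The message should also give the reason, e.g. `skip_test "unbound.log says: disable interface-automatic, skip test"`. `skip_test` itself lives in `../common.sh` and is not shown.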
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_ancil.tdir/fwd_ancil.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_ancil.tdir/fwd_ancil.test
Changed
@@ -7,11 +7,6 @@ PRE="../.." . ../common.sh -if test `hostname`"" = "dicht.nlnetlabs.nl"; then - echo "In jail, no ::1, skip test" - exit 0 -fi - if fgrep "disable interface-automatic" unbound.log; then echo "skip test" exit 0
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_any.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_any.rpl
Changed
@@ -59,7 +59,7 @@ SECTION QUESTION www.example.com. IN A ENTRY_END -; unneccesary nothing steps. +; unnecessary nothing steps. STEP 20 NOTHING STEP 30 CHECK_ANSWER ENTRY_BEGIN
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_error.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_error.rpl
Changed
@@ -9,7 +9,7 @@ www.example.com. IN A ENTRY_END ; But the pending query fails due to error (say TCP failure or malloc or ...) -; This is iterator/iterator.h OUTBOUND_MSG_RETRY number of errors. +; This is util/config_file.c outbound-msg-retry number of errors. STEP 2 ERROR STEP 3 ERROR STEP 4 ERROR
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_error_retries.rpl
Added
@@ -0,0 +1,27 @@
+; config options
+server:
+ outbound-msg-retry: 1
+
+forward-zone:
+ name: "."
+ forward-addr: 216.0.0.1
+CONFIG_END
+SCENARIO_BEGIN Test basic forwarding with servfail and retry of 1
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN A
+ENTRY_END
+; query fails with servfail, now we make only outgoing-msg-retry=1 retries
+STEP 2 ERROR
+; returns servfail
+STEP 14 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH opcode qname qtype
+SECTION QUESTION
+REPLY SERVFAIL QR RD RA
+MATCH all
+www.example.com. IN A
+ENTRY_END
+SCENARIO_END
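Review bot: The comment `; query fails with servfail, now we make only outgoing-msg-retry=1 retries` names an option that does not match the one configured at the top of the file, `outbound-msg-retry: 1`; it should read `outbound-msg-retry=1`. The CHECK_ANSWER entry also carries two MATCH lines (`MATCH opcode qname qtype` and `MATCH all`) and places `REPLY SERVFAIL QR RD RA` after `SECTION QUESTION`. A single `MATCH all`, then `REPLY`, then the section, as in the other scenarios added in this revision, would make it clear which match is intended.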
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_timeout.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_timeout.rpl
Changed
@@ -9,7 +9,7 @@ www.example.com. IN A ENTRY_END ; But the pending query times out! -; OUTBOUND_MSG_RETRY times timeout. +; outbound-msg-retry times timeout. STEP 2 TIMEOUT STEP 3 TIMEOUT STEP 4 TIMEOUT
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.conf
Added
@@ -0,0 +1,20 @@ +server: + verbosity: 5 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: "" + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no +forward-zone: + name: "tcp.example.com" + forward-addr: "127.0.0.1@@TOPORT@" + forward-tcp-upstream: "yes" +forward-zone: + name: "udp.example.com" + forward-addr: "127.0.0.1@@TOPORT@" + forward-tcp-upstream: "no" +
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: fwd_udp_with_tcp_upstream
+Version: 1.0
+Description: Forward an UDP packet to upstream via TCP and return reply.
+CreationDate: Thu Aug 5 07:44:41 CEST 2021
+Maintainer: ziollek
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: fwd_udp_with_tcp_upstream.pre
+Post: fwd_udp_with_tcp_upstream.post
+Test: fwd_udp_with_tcp_upstream.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.post
Added
@@ -0,0 +1,10 @@
+# #-- fwd_udp_with_tcp_upstream.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.pre
Added
@@ -0,0 +1,31 @@
+# #-- fwd_udp_with_tcp_upstream.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT fwd_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < fwd_udp_with_tcp_upstream.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.test
Added
@@ -0,0 +1,35 @@
+# #-- fwd_udp_with_tcp_upstream.test --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig tcp.example.com."
+dig @localhost -p $UNBOUND_PORT tcp.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+echo "> dig udp.example.com."
+dig @localhost -p $UNBOUND_PORT udp.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.80" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
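Review bot: Both `dig @localhost` calls depend on how `localhost` resolves on the build host, while the accompanying fwd_udp_with_tcp_upstream.conf binds only `interface: 127.0.0.1`. Where `localhost` maps to `::1` first, the query may be delayed or fail for reasons unrelated to the forwarding path under test. Using the literal address matches the listener: `dig @127.0.0.1 -p $UNBOUND_PORT tcp.example.com. | tee outfile`, and the same for udp.example.com. The answer checks would also be tighter with a fixed-string match, `grep -F "10.20.30.40" outfile`, since the dots in the current pattern match any character.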
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_udp_with_tcp_upstream.tdir/fwd_udp_with_tcp_upstream.testns
Added
@@ -0,0 +1,25 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+MATCH TCP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+tcp IN A
+SECTION ANSWER
+tcp IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+MATCH UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+udp IN A
+SECTION ANSWER
+udp IN A 10.20.30.80
+ENTRY_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/fwd_zero.tdir/fwd_zero.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/fwd_zero.tdir/fwd_zero.test
Changed
@@ -7,7 +7,7 @@ PRE="../.." OPT="-i" -if nc -h 2>&1 | grep -- "-w secs" >/dev/null; then +if nc -h 2>&1 | grep -E -- "-w (timeout|secs)" >/dev/null; then OPT="-w" fi
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/http_user_agent.tdir/http_user_agent.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/http_user_agent.tdir/http_user_agent.test
Changed
@@ -81,12 +81,12 @@ cat petal.log cat unbound.log -# check petal.log for the correct number of occurences. +# check petal.log for the correct number of occurrences. # It should be 2 User-Agents, one being the custom. -echo "> check User-Agent occurences" -occurences=`grep "User-Agent:" petal.log | wc -l` -echo $occurences -if test $occurences -eq 2; then +echo "> check User-Agent occurrences" +occurrences=`grep "User-Agent:" petal.log | wc -l` +echo $occurrences +if test $occurrences -eq 2; then echo "OK" else echo "Not OK"
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir/ipset.conf
Added
@@ -0,0 +1,23 @@
+server:
+ verbosity: 3
+ num-threads: 1
+ module-config: "ipset iterator"
+ outgoing-range: 16
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+ local-zone: "example.net." ipset
+stub-zone:
+ name: "example.net."
+ stub-addr: "127.0.0.1@@TOPORT@"
+stub-zone:
+ name: "example.com."
+ stub-addr: "127.0.0.1@@TOPORT@"
+ipset:
+ name-v4: atotallymadeupnamefor4
+ name-v6: atotallymadeupnamefor6
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir/ipset.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: ipset
+Version: 1.0
+Description: mock test ipset module
+CreationDate: Wed Mar 2 13:00:38 CET 2022
+Maintainer: George Thessalonikefs
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ipset.pre
+Post: ipset.post
+Test: ipset.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir/ipset.post
Added
@@ -0,0 +1,13 @@
+# #-- ipset.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+PRE="../.."
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+cat unbound.log
+exit 0
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir/ipset.pre
Added
@@ -0,0 +1,33 @@
+# #-- ipset.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+. ../common.sh
+
+PRE="../.."
+if grep "define USE_IPSET 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT ipset.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < ipset.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir/ipset.test
Added
@@ -0,0 +1,154 @@ +# #-- ipset.test --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +. ../common.sh +PRE="../.." + +# Make all the queries. They need to succeed by the way. +echo "> dig www.example.net." +dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. | tee outfile +echo "> check answer" +if grep "1.1.1.1" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add 1.1.1.1 to atotallymadeupnamefor4 for www.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig www.example.net. AAAA" +dig @127.0.0.1 -p $UNBOUND_PORT www.example.net. AAAA | tee outfile +echo "> check answer" +if grep "::1" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add ::1 to atotallymadeupnamefor6 for www.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig cname.example.net." +dig @127.0.0.1 -p $UNBOUND_PORT cname.example.net. | tee outfile +echo "> check answer" +if grep "2.2.2.2" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add 2.2.2.2 to atotallymadeupnamefor4 for target.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig cname.example.net. AAAA" +dig @127.0.0.1 -p $UNBOUND_PORT cname.example.net. 
AAAA | tee outfile +echo "> check answer" +if grep "::2" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add ::2 to atotallymadeupnamefor6 for target.example.net." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig outsidecname.example.net." +dig @127.0.0.1 -p $UNBOUND_PORT outsidecname.example.net. | tee outfile +echo "> check answer" +if grep "3.3.3.3" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add 3.3.3.3 to atotallymadeupnamefor4 for target.example.com." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> dig outsidecname.example.net. AAAA" +dig @127.0.0.1 -p $UNBOUND_PORT outsidecname.example.net. AAAA | tee outfile +echo "> check answer" +if grep "::3" outfile; then + echo "OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi +echo "> check ipset" +if grep "ipset: add ::3 to atotallymadeupnamefor6 for target.example.com." unbound.log; then + echo "ipset OK" +else + echo "> cat logfiles" + cat fwd.log + cat unbound.log + echo "Not OK" + exit 1 +fi + +echo "> cat logfiles" +cat tap.log +cat tap.errlog +cat fwd.log +echo "> OK" +exit 0
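Review bot: The closing block runs `cat tap.log` and `cat tap.errlog`, but nothing in this test directory writes those files: ipset.pre redirects output only to `fwd.log` and `unbound.log`. The two lines look carried over from another test and will only add "No such file" noise to the result; `cat unbound.log` is the log that carries the `ipset: add ...` lines being asserted. The failure branch that prints both logs and exits 1 is repeated twelve times and could be a single shell function called from each `else`.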
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ipset.tdir/ipset.testns
Added
@@ -0,0 +1,103 @@
+; nameserver test file
+$ORIGIN example.net.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 1.1.1.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN AAAA
+SECTION ANSWER
+www IN AAAA ::1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+cname IN A
+SECTION ANSWER
+cname IN CNAME target.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+cname IN AAAA
+SECTION ANSWER
+cname IN CNAME target.example.net.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+outsidecname IN A
+SECTION ANSWER
+outsidecname IN CNAME target.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+outsidecname IN AAAA
+SECTION ANSWER
+outsidecname IN CNAME target.example.com.
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target IN A
+SECTION ANSWER
+target IN A 2.2.2.2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target IN AAAA
+SECTION ANSWER
+target IN AAAA ::2
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target.example.com. IN A
+SECTION ANSWER
+target.example.com. IN A 3.3.3.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+target.example.com. IN AAAA
+SECTION ANSWER
+target.example.com. IN AAAA ::3
+ENTRY_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_auth_tc.rpl
Added
@@ -0,0 +1,138 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test authoritative response with erroneous TC flag + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +SECTION AUTHORITY +example.com. IN NS ns.example.com. 
+ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +; erroneous TC flag here +REPLY QR TC NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +SCENARIO_END
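Review bot: The expected outcome is not explained: the only comment before `STEP 10 CHECK_ANSWER` is `; recursion happens here.`, yet the check expects `REPLY QR RD RA SERVFAIL` even though the TC-flagged reply carries a usable-looking A record for www.example.com. A comment at that step, for example `; the truncated reply must not be used as the answer; expect SERVFAIL`, would tell a reader that the SERVFAIL is the point of the scenario and not a side effect of the fixture. The exact wording should be confirmed against the iterator change this test accompanies, which is not visible here.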
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_cname_minimise.rpl
Added
@@ -0,0 +1,179 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: yes + module-config: "iterator" + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test cname chain resolution with qname minimisation. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.44 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.44 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. 
IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +www.example.com. IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 300 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.44 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.example.com. IN A +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.example.com. IN CNAME +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.example.com. IN CNAME +ENTRY_END + +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.example.com. IN CNAME +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.example.com. IN A +SECTION ANSWER +c.example.com. 10 IN CNAME www.example.com. +www.example.com. 300 IN A 10.20.30.40 +ENTRY_END + +SCENARIO_END
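Review bot: In the `ns.example.com. IN AAAA` entry the ADDITIONAL section carries `www.example.com. IN A 1.2.3.44`, which attaches the name server's address to the name that the final check expects to resolve to 10.20.30.40. If this is not a deliberate unsolicited-additional case, it was probably meant to be `ns.example.com. IN A 1.2.3.44`. If it is deliberate, a comment such as `; unrelated additional data, must not end up in the answer` would make the intent reviewable. The `www.example.com. IN A` entry also writes `ns.example.com IN A 1.2.3.44` without the trailing dot used elsewhere in the file.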
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_dp_ip6useless.rpl
Added
@@ -0,0 +1,168 @@ +; config options +server: + do-ip6: no + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test iterator when doip6 is no and dp is useless with only ip6 + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +; short TTL here, so it can expire +ns.example.com. 1 IN A 1.2.3.4 +ns.example.com. 100 IN AAAA ::53 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +; short TTL here, so it can expire +ns.example.com. 1 IN A 1.2.3.4 +ns.example.com. 100 IN AAAA ::53 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +; short TTL +ns.example.com. 
1 IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +ns.example.com. IN AAAA ::53 +ENTRY_END + + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.50 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +ENTRY_END + +STEP 20 TIME_PASSES ELAPSE 5.0 + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +mail.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +mail.example.com. IN A +SECTION ANSWER +mail.example.com. IN A 10.20.30.50 +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/iter_emptydp_for_glue.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_emptydp_for_glue.rpl
Changed
@@ -164,11 +164,11 @@ ENTRY_END ENTRY_BEGIN -MATCH opcode qname +MATCH opcode subdomain ADJUST copy_id copy_query REPLY QR NOERROR SECTION QUESTION -ns.example.org. IN A +example.org. IN A SECTION AUTHORITY example.org. NS ns.example.net. example.org. NS ns.example.org.
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_ghost_sub.rpl
Added
@@ -0,0 +1,309 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ghost subdomain of another subdomain. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. 86400 IN NS +SECTION ANSWER +. 86400 IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is delegated. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is no longer delegated. +RANGE_BEGIN 100 200 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 
1 2 3 4 5 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +s.example.com. IN A +SECTION ANSWER +s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.example.com. IN NS s.example.com. +SECTION ADDITIONAL +s.example.com IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +s.s.example.com. IN A +SECTION ANSWER +s.s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.s.example.com. IN NS s.s.example.com. +SECTION ADDITIONAL +s.s.example.com IN A 1.2.3.4 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the delegation in cache +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. 
+SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +; time passes +STEP 25 TIME_PASSES ELAPSE 1800 + +; get another delegation in cache +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +s.example.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +s.example.com. IN A +SECTION ANSWER +s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.example.com. IN NS s.example.com. +ENTRY_END + +; time passes, 1800 + 1000 = 2800 of 3600 TTL on NS of s.example.com. and +; example.com. +STEP 45 TIME_PASSES ELAPSE 1000 + +; get another delegation in cache +STEP 50 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +s.s.example.com. IN A +ENTRY_END + +STEP 60 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +s.s.example.com. IN A +SECTION ANSWER +s.s.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +s.s.example.com. IN NS s.s.example.com. +ENTRY_END + + +; time passes, 1800 + 2000 = 3800 of 3600 TTL on NS of s.example.com. and +; example.com. +STEP 75 TIME_PASSES ELAPSE 1000 + +; domain no longer delegated +; is the domain still up? + +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.s.example.com. IN A +ENTRY_END + +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.s.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +STEP 120 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.s.s.example.com. IN A +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.s.s.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +SCENARIO_END
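Review bot: The two `ADDRESS 192.5.6.30` ranges both include step 100: `RANGE_BEGIN 0 100` for the server that still delegates example.com and `RANGE_BEGIN 100 200` for the one that answers NXDOMAIN. The first query against the revoked delegation is sent at `STEP 100 QUERY`, so if range bounds are inclusive in the replay engine, which range answers at that step depends on lookup order and not on the scenario. Ending the first range one step earlier, `RANGE_BEGIN 0 99`, would make the hand-over explicit; the `ADDRESS 1.2.3.4` range has the same `0 100` bound. The ADDITIONAL records `ns.example.com IN A 1.2.3.4`, `s.example.com IN A 1.2.3.4` and `s.s.example.com IN A 1.2.3.4` also omit the trailing dot used elsewhere in the file.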
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_ghost_timewindow.rpl
Added
@@ -0,0 +1,391 @@ +; config options +server: + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + minimal-responses: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test ghost subdomain with extension reply in timewindow. + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +. 86400 IN NS +SECTION ANSWER +. 86400 IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION AUTHORITY +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is delegated. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +example2.com. IN NS +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +; this is the one where example.com is no longer delegated. +RANGE_BEGIN 100 300 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. 86400 IN NS a.gtld-servers.net. 
+SECTION ADDITIONAL +a.gtld-servers.net. 86400 IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +example2.com. IN NS +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +ns.example.com. IN A 1.2.3.4 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example2.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +example2.com. IN NS +SECTION ANSWER +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com. 
3610 IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN AAAA +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. 3610 IN A 1.2.3.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +www.example2.com. IN A +SECTION ANSWER +www.example2.com. 3610 IN A 10.20.30.40 +SECTION AUTHORITY +example2.com. 3610 IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com 3610 IN A 1.2.3.5 +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; get the delegation in cache +STEP 20 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +; get example2 in cache too to check other response type +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example2.com. IN A +ENTRY_END + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example2.com. IN A +SECTION ANSWER +www.example2.com. IN A 10.20.30.40 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com IN A 1.2.3.5 +ENTRY_END + +; time passes +STEP 95 TIME_PASSES ELAPSE 3595 + +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +ns.example.com. IN A +ENTRY_END + +; ns.example.com RANGE does not answer, only until step 100, +; so we provide an answer, but first, let time pass beyond the TTL. +; it is going to time 3605, just passed the 3600 expire TTL, but the +; query started at 3595 before the TTL expired. +STEP 110 TIME_PASSES ELAPSE 10 + +; provide the answer to the query sent. 
+STEP 120 CHECK_OUT_QUERY +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION ANSWER +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com IN A 1.2.3.4 +ENTRY_END + +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +ns.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; check if the domain is still live. +STEP 140 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.example.com. IN A +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www2.example.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +; example2 is valid with TTL of 3610, it is time 3605 +STEP 160 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +ns.example2.com. IN A +ENTRY_END + +; move to time 3615 +STEP 170 TIME_PASSES ELAPSE 10 + +STEP 180 CHECK_OUT_QUERY +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com. IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ns.example2.com. IN A 1.2.3.5 +ENTRY_END + +STEP 190 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +ns.example2.com. IN A +SECTION ANSWER +ns.example2.com IN A 1.2.3.5 +SECTION AUTHORITY +example2.com. IN NS ns.example2.com. +SECTION ADDITIONAL +ENTRY_END + +; check if the domain is still live. +STEP 200 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www2.example2.com. IN A +ENTRY_END + +STEP 210 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +www2.example2.com. IN A +SECTION AUTHORITY +com. 86400 IN SOA a. b. 1 2 3 4 5 +ENTRY_END + +SCENARIO_END
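Review bot: The two `; check if the domain is still live.` comments before STEP 140 and STEP 200 do not say which outcome is the pass condition, so a reader has to infer that NXDOMAIN is the wanted result. STEP 150 and STEP 210 both expect NXDOMAIN with the `com.` SOA, which is what the 192.5.6.30 range for steps 100-300 serves. The scenario therefore passes only if the NS and glue delivered at time 3605 and 3615, after the cached delegations expired, did not bring those delegations back. I would replace both comments with something like `; the late reply must not have revived the expired delegation: expect NXDOMAIN from the parent`.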
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_nxns_cached.rpl
Added
@@ -0,0 +1,384 @@ +; Check that cached NXDOMAIN replies for nameservers do not count towards the +; MAX_TARGET_NX limit. + +server: + module-config: "iterator" + trust-anchor-signaling: no + target-fetch-policy: "0 0 0 0 0" + verbosity: 3 + access-control: 127.0.0.1 allow_snoop + do-not-query-localhost: no + qname-minimisation: no + minimal-responses: no + rrset-roundrobin: no +stub-zone: + name: "example.com" + stub-addr: 127.0.0.2 +stub-zone: + name: "nameservers.com" + stub-addr: 127.0.0.3 +CONFIG_END + +SCENARIO_BEGIN Test that the NXNS countermeasure is not triggered for cached NXDOMAIN + +RANGE_BEGIN 0 100 + ADDRESS 127.0.0.1 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + b.a.example.com. IN A + SECTION ANSWER + b.a.example.com. IN A 127.0.0.0 + ENTRY_END +RANGE_END + +RANGE_BEGIN 31 100 + ADDRESS 127.0.0.3 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns1.nameservers.com. IN A + SECTION ANSWER + ns1.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns2.nameservers.com. IN A + SECTION ANSWER + ns2.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns3.nameservers.com. IN A + SECTION ANSWER + ns3.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns4.nameservers.com. IN A + SECTION ANSWER + ns4.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns5.nameservers.com. IN A + SECTION ANSWER + ns5.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns6.nameservers.com. IN A + SECTION ANSWER + ns6.nameservers.com. 
IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns7.nameservers.com. IN A + SECTION ANSWER + ns7.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns8.nameservers.com. IN A + SECTION ANSWER + ns8.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns9.nameservers.com. IN A + SECTION ANSWER + ns9.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns10.nameservers.com. IN A + SECTION ANSWER + ns10.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns11.nameservers.com. IN A + SECTION ANSWER + ns11.nameservers.com. IN A 127.0.0.1 + ENTRY_END + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns12.nameservers.com. IN A + SECTION ANSWER + ns12.nameservers.com. IN A 127.0.0.1 + ENTRY_END + + ; Reply no-data to AAAA queries + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + nameservers.com. IN A + ENTRY_END +RANGE_END + +; Query for a domain +STEP 0 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.example.com. IN A +ENTRY_END + +; Answer with delegation +STEP 1 REPLY +ENTRY_BEGIN +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.example.com. IN A +SECTION AUTHORITY +a.example.com. IN NS ns1.nameservers.com. +a.example.com. IN NS ns2.nameservers.com. +a.example.com. IN NS ns3.nameservers.com. +a.example.com. IN NS ns4.nameservers.com. +a.example.com. IN NS ns5.nameservers.com. +a.example.com. IN NS ns6.nameservers.com. +a.example.com. IN NS ns7.nameservers.com. +a.example.com. IN NS ns8.nameservers.com. +a.example.com. 
IN NS ns9.nameservers.com. +a.example.com. IN NS ns10.nameservers.com. +a.example.com. IN NS ns11.nameservers.com. +a.example.com. IN NS ns12.nameservers.com. +ENTRY_END + +; Reply NXDOMAIN to MAX_TARGET_NX queries(6) x2 (A+AAAA) +STEP 2 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +SECTION AUTHORITY +example.com. IN SOA ns.example.com email.example.com 1 2 3 4 60 +ENTRY_END +STEP 3 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +SECTION AUTHORITY +example.com. IN SOA ns.ns email.email 1 2 3 4 60 +ENTRY_END +STEP 4 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 5 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 6 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 7 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 8 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 9 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 10 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 11 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 12 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 13 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END + +; We should receive SERVFAIL because MAX_TARGET_NX was reached +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +a.example.com. 
IN A +ENTRY_END + +; Query for another domain in the same delegation +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b.a.example.com. IN A +ENTRY_END + +; We still have 6 NSes that Unbound didn't try to resolve +; Reply with NXDOMAIN for 5 of them +STEP 21 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 22 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 23 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 24 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 25 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 26 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 27 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 28 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 29 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END +STEP 30 REPLY +ENTRY_BEGIN +ADJUST copy_id copy_query +REPLY QR NXDOMAIN +SECTION QUESTION +a.query. IN A +ENTRY_END + +; Unbound will reach the upstream and get the answer for the final NS +; which has the answer for the client query. + +STEP 40 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b.a.example.com. IN A +SECTION ANSWER +b.a.example.com. IN A 127.0.0.0 +ENTRY_END + +; Allow for possible pending NS query (AAAA) to get answered +STEP 41 TRAFFIC + +SCENARIO_END
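Review bot: The comment `; Reply no-data to AAAA queries` in the 127.0.0.3 range does not match the entry under it, which uses `MATCH opcode subdomain` with no `qtype` and a question written as `nameservers.com. IN A`. As written it is a catch-all that returns an empty NOERROR for any query under nameservers.com that the twelve `ns1`-`ns12` A entries above do not match; it presumably ends up serving only the AAAA lookups because of that ordering. I would reword the comment to `; Catch-all: empty NOERROR for anything else under nameservers.com (the AAAA lookups for ns1..ns12)`, or make the entry `MATCH opcode qtype subdomain` with an `IN AAAA` question if only AAAA is meant.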
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_nxns_fallback.rpl
Added
@@ -0,0 +1,380 @@ +; Check if fallback to the parent side works when MAX_TARGET_NX is reached. + +server: + module-config: "iterator" + trust-anchor-signaling: no + target-fetch-policy: "0 0 0 0 0" + verbosity: 3 + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no + rrset-roundrobin: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test the NXNS fallback + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + nonexistant.com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NOERROR + SECTION QUESTION + nonexistant.com. IN A + SECTION AUTHORITY + nonexistant.com. 
IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns1.nonexistant.com. + example.com. IN NS ns2.nonexistant.com. + example.com. IN NS ns3.nonexistant.com. + example.com. IN NS ns4.nonexistant.com. + example.com. IN NS ns5.nonexistant.com. + example.com. IN NS ns6.nonexistant.com. + example.com. IN NS ns7.nonexistant.com. + example.com. IN NS ns8.nonexistant.com. + example.com. IN NS ns9.nonexistant.com. + example.com. IN NS ns10.nonexistant.com. + example.com. IN NS ns11.nonexistant.com. + example.com. IN NS ns12.nonexistant.com. + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns.example.com. IN A + SECTION ANSWER + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + ns.example.com. IN AAAA + ENTRY_END + + ENTRY_BEGIN + MATCH opcode subdomain + ADJUST copy_id copy_query + REPLY QR NXDOMAIN + SECTION QUESTION + nonexistant.com. IN A + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + a.example.com. IN A + SECTION ANSWER + a.example.com. IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns1.nonexistant.com. + example.com. IN NS ns2.nonexistant.com. + example.com. IN NS ns3.nonexistant.com. + example.com. IN NS ns4.nonexistant.com. + example.com. IN NS ns5.nonexistant.com. + example.com. IN NS ns6.nonexistant.com. + example.com. IN NS ns7.nonexistant.com. + example.com. IN NS ns8.nonexistant.com. + example.com. IN NS ns9.nonexistant.com. + example.com. IN NS ns10.nonexistant.com. + example.com. IN NS ns11.nonexistant.com. + example.com. IN NS ns12.nonexistant.com. 
+ ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + b.example.com. IN A + SECTION ANSWER + b.example.com. IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns1.nonexistant.com. + example.com. IN NS ns2.nonexistant.com. + example.com. IN NS ns3.nonexistant.com. + example.com. IN NS ns4.nonexistant.com. + example.com. IN NS ns5.nonexistant.com. + example.com. IN NS ns6.nonexistant.com. + example.com. IN NS ns7.nonexistant.com. + example.com. IN NS ns8.nonexistant.com. + example.com. IN NS ns9.nonexistant.com. + example.com. IN NS ns10.nonexistant.com. + example.com. IN NS ns11.nonexistant.com. + example.com. IN NS ns12.nonexistant.com. + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + c.example.com. IN A + SECTION ANSWER + c.example.com. IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns1.nonexistant.com. + example.com. IN NS ns2.nonexistant.com. + example.com. IN NS ns3.nonexistant.com. + example.com. IN NS ns4.nonexistant.com. + example.com. IN NS ns5.nonexistant.com. + example.com. IN NS ns6.nonexistant.com. + example.com. IN NS ns7.nonexistant.com. + example.com. IN NS ns8.nonexistant.com. + example.com. IN NS ns9.nonexistant.com. + example.com. IN NS ns10.nonexistant.com. + example.com. IN NS ns11.nonexistant.com. + example.com. IN NS ns12.nonexistant.com. + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + d.example.com. IN A + SECTION ANSWER + d.example.com. IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns1.nonexistant.com. + example.com. IN NS ns2.nonexistant.com. + example.com. IN NS ns3.nonexistant.com. + example.com. IN NS ns4.nonexistant.com. + example.com. IN NS ns5.nonexistant.com. + example.com. IN NS ns6.nonexistant.com. + example.com. IN NS ns7.nonexistant.com. + example.com. IN NS ns8.nonexistant.com. + example.com. 
IN NS ns9.nonexistant.com. + example.com. IN NS ns10.nonexistant.com. + example.com. IN NS ns11.nonexistant.com. + example.com. IN NS ns12.nonexistant.com. + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.example.com. IN A +ENTRY_END + +; This was resolved by asking the parent side nameservers +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.example.com. IN A +SECTION ANSWER +a.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns1.nonexistant.com. +example.com. IN NS ns2.nonexistant.com. +example.com. IN NS ns3.nonexistant.com. +example.com. IN NS ns4.nonexistant.com. +example.com. IN NS ns5.nonexistant.com. +example.com. IN NS ns6.nonexistant.com. +example.com. IN NS ns7.nonexistant.com. +example.com. IN NS ns8.nonexistant.com. +example.com. IN NS ns9.nonexistant.com. +example.com. IN NS ns10.nonexistant.com. +example.com. IN NS ns11.nonexistant.com. +example.com. IN NS ns12.nonexistant.com. +ENTRY_END + +; The child side nameservers are now known to Unbound + +; Query again, the child server nameservers will be asked now +STEP 3 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b.example.com. IN A +ENTRY_END + +; This was resolved by falling back to the parent side nameservers +STEP 4 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b.example.com. IN A +SECTION ANSWER +b.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns1.nonexistant.com. +example.com. IN NS ns2.nonexistant.com. +example.com. IN NS ns3.nonexistant.com. +example.com. IN NS ns4.nonexistant.com. +example.com. IN NS ns5.nonexistant.com. +example.com. IN NS ns6.nonexistant.com. +example.com. IN NS ns7.nonexistant.com. +example.com. IN NS ns8.nonexistant.com. +example.com. IN NS ns9.nonexistant.com. +example.com. IN NS ns10.nonexistant.com. +example.com. IN NS ns11.nonexistant.com. +example.com. IN NS ns12.nonexistant.com. 
+ENTRY_END + +; Query a third time, this will get the cached NXDOMAINs (no NX counter for +; those) and will go to the parent as a last resort. This query will test that +; we will not have resolution for the lame(parent side) addresses that could +; raise the NX counter because of no address addition to the delegation point +; (the same addresses are already there). +STEP 5 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.example.com. IN A +ENTRY_END + +; This was resolved by going back to the parent side nameservers (child side +; was exhausted from cache and queries < MAX_TARGET_NX). +STEP 6 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.example.com. IN A +SECTION ANSWER +c.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns1.nonexistant.com. +example.com. IN NS ns2.nonexistant.com. +example.com. IN NS ns3.nonexistant.com. +example.com. IN NS ns4.nonexistant.com. +example.com. IN NS ns5.nonexistant.com. +example.com. IN NS ns6.nonexistant.com. +example.com. IN NS ns7.nonexistant.com. +example.com. IN NS ns8.nonexistant.com. +example.com. IN NS ns9.nonexistant.com. +example.com. IN NS ns10.nonexistant.com. +example.com. IN NS ns11.nonexistant.com. +example.com. IN NS ns12.nonexistant.com. +ENTRY_END + +; Allow for the nameserver glue to expire +STEP 10 TIME_PASSES ELAPSE 11 + +; Query again for the parent side fallback +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.example.com. IN A +ENTRY_END + +; This was resolved by falling back to the parent side nameservers +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +d.example.com. IN A +SECTION ANSWER +d.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns1.nonexistant.com. +example.com. IN NS ns2.nonexistant.com. +example.com. IN NS ns3.nonexistant.com. +example.com. IN NS ns4.nonexistant.com. +example.com. IN NS ns5.nonexistant.com. +example.com. IN NS ns6.nonexistant.com. +example.com. 
IN NS ns7.nonexistant.com. +example.com. IN NS ns8.nonexistant.com. +example.com. IN NS ns9.nonexistant.com. +example.com. IN NS ns10.nonexistant.com. +example.com. IN NS ns11.nonexistant.com. +example.com. IN NS ns12.nonexistant.com. +ENTRY_END + +SCENARIO_END
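--- a/_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_nxns_parentside.rpl
+++ b/_service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_nxns_parentside.rpl
@@ -0,0 +1,118 @@
+; Check if the NXNS fallback to the parent side does not mess with normal
+; parent side resolution. Parent side resolution should SERVFAIL when reaching
+; the MAX_TARGET_NX limit.
+
+server:
+ module-config: "iterator"
+ trust-anchor-signaling: no
+ target-fetch-policy: "0 0 0 0 0"
+ verbosity: 3
+ access-control: 127.0.0.1 allow_snoop
+ qname-minimisation: no
+ minimal-responses: no
+ rrset-roundrobin: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test that the NXNS fallback does not mess with parent side resolution
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ . IN NS
+ SECTION ANSWER
+ . IN NS K.ROOT-SERVERS.NET.
+ SECTION ADDITIONAL
+ K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ nonexistant.com. IN A
+ SECTION AUTHORITY
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ ENTRY_BEGIN
+ MATCH opcode qtype qname
+ ADJUST copy_id
+ REPLY QR NOERROR
+ SECTION QUESTION
+ com. IN NS
+ SECTION ANSWER
+ com. IN NS a.gtld-servers.net.
+ SECTION ADDITIONAL
+ a.gtld-servers.net. IN A 192.5.6.30
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode qtype subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NOERROR
+ SECTION QUESTION
+ example.com. IN A
+ SECTION AUTHORITY
+ example.com. IN NS ns1.nonexistant.com.
+ example.com. IN NS ns2.nonexistant.com.
+ example.com. IN NS ns3.nonexistant.com.
+ example.com. IN NS ns4.nonexistant.com.
+ example.com. IN NS ns5.nonexistant.com.
+ example.com. IN NS ns6.nonexistant.com.
+ example.com. IN NS ns7.nonexistant.com.
+ example.com. IN NS ns8.nonexistant.com.
+ ENTRY_END
+
+ ENTRY_BEGIN
+ MATCH opcode subdomain
+ ADJUST copy_id copy_query
+ REPLY QR NXDOMAIN
+ SECTION QUESTION
+ nonexistant.com. IN A
+ ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.example.com. IN A
+ENTRY_END
+
+STEP 2 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA SERVFAIL
+SECTION QUESTION
+a.example.com. IN A
+ENTRY_END
+
+SCENARIO_END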
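Review bot: The final `STEP 2 CHECK_ANSWER` expecting SERVFAIL does not by itself show that resolution stopped at the MAX_TARGET_NX limit, which is what the header comment says is being checked. Every one of the eight `nsN.nonexistant.com.` names gets NXDOMAIN from the 192.5.6.30 range, so a resolver that looked up all eight would, as far as the visible entries show, also end in SERVFAIL. I would add a comment above STEP 2 such as `; note: SERVFAIL alone does not show the lookups stopped at MAX_TARGET_NX, all eight NS names are NXDOMAIN anyway`, or say which other scenario asserts the lookup count.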
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/iter_prefetch_change.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_prefetch_change.rpl
Changed
@@ -22,9 +22,9 @@ SECTION QUESTION . IN NS SECTION ANSWER -. IN NS K.ROOT-SERVERS.NET. +. 86400 IN NS K.ROOT-SERVERS.NET. SECTION ADDITIONAL -K.ROOT-SERVERS.NET. IN A 193.0.14.129 +K.ROOT-SERVERS.NET. 86400 IN A 193.0.14.129 ENTRY_END ENTRY_BEGIN @@ -34,9 +34,9 @@ SECTION QUESTION com. IN A SECTION AUTHORITY -com. IN NS a.gtld-servers.net. +com. 86400 IN NS a.gtld-servers.net. SECTION ADDITIONAL -a.gtld-servers.net. IN A 192.5.6.30 +a.gtld-servers.net. 86400 IN A 192.5.6.30 ENTRY_END RANGE_END @@ -50,9 +50,9 @@ SECTION QUESTION com. IN NS SECTION ANSWER -com. IN NS a.gtld-servers.net. +com. 86400 IN NS a.gtld-servers.net. SECTION ADDITIONAL -a.gtld-servers.net. IN A 192.5.6.30 +a.gtld-servers.net. 86400 IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN @@ -78,9 +78,9 @@ SECTION QUESTION com. IN NS SECTION ANSWER -com. IN NS a.gtld-servers.net. +com. 86400 IN NS a.gtld-servers.net. SECTION ADDITIONAL -a.gtld-servers.net. IN A 192.5.6.30 +a.gtld-servers.net. 86400 IN A 192.5.6.30 ENTRY_END ENTRY_BEGIN
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/iter_primenoglue.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_primenoglue.rpl
Changed
@@ -28,7 +28,7 @@ SECTION ANSWER . IN NS K.ROOT-SERVERS.NET. SECTION ADDITIONAL -; glue ommitted! +; glue omitted! ;K.ROOT-SERVERS.NET. IN A 193.0.14.129 ENTRY_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/iter_recurse.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_recurse.rpl
Changed
@@ -216,14 +216,7 @@ ;ns.example.net IN A 1.2.3.44 ENTRY_END -; due to ordering of answer packets, this is still outstanding, remove it -STEP 21 CHECK_OUT_QUERY -ENTRY_BEGIN -ADJUST copy_id -MATCH qname qtype -REPLY QR -SECTION QUESTION -ns.example.net IN AAAA -ENTRY_END +; let (possible) outstanding queries finish resolving +STEP 21 TRAFFIC SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/iter_scrub_dname_rev.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_scrub_dname_rev.rpl
Changed
@@ -17,7 +17,7 @@ SCENARIO_BEGIN Test scrub of reversed DNAME and CNAME in answer section RANGE_BEGIN 0 100 -; all adresses +; all addresses ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/iter_scrub_dname_sec.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/iter_scrub_dname_sec.rpl
Changed
@@ -17,7 +17,7 @@ SCENARIO_BEGIN Test scrub of secure DNAME in answer section RANGE_BEGIN 0 100 -; all adresses +; all addresses ENTRY_BEGIN MATCH opcode qtype qname ADJUST copy_id
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/localdata.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/localdata.rpl
Changed
@@ -45,9 +45,32 @@ local-data: "b.c.implicit. A 20.30.45.50" local-data: "c.c.implicit. A 20.30.44.50" + ; create implicit data in the ANY domain + ; this should inherit the local_zone_type of the already configured + ; zone 'refuse.top.' and not be transparent + local-data: "refuse.top. ANY TXT implicit_non_transparent" + +stub-zone: + name: "refuse.top" + stub-addr: 1.2.3.4 + CONFIG_END SCENARIO_BEGIN Test local data queries +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +; This entry should never be queried +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.refuse.top. IN A +SECTION ANSWER +www.refuse.top. IN A 5.5.5.5 +ENTRY_END +RANGE_END + ; id.server. STEP 1 QUERY ENTRY_BEGIN @@ -390,4 +413,35 @@ foo.null.top. IN AAAA ::0 ENTRY_END +; refuse zone for implicit local-data with CLASS != IN +STEP 64 QUERY +ENTRY_BEGIN +SECTION QUESTION +refuse.top. ANY TXT +ENTRY_END +STEP 65 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA AA NOERROR +SECTION QUESTION +refuse.top. ANY TXT +SECTION ANSWER +refuse.top. ANY TXT implicit_non_transparent +ENTRY_END + +; refuse zone for implicit local-data with CLASS != IN +STEP 66 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.refuse.top. ANY A +ENTRY_END +STEP 67 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RA RD AA REFUSED +SECTION QUESTION +www.refuse.top. ANY A +ENTRY_END + SCENARIO_END
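Review bot: The comment above STEP 66 is a copy of the one above STEP 64 (`; refuse zone for implicit local-data with CLASS != IN`), although the two steps check different things. STEP 64/65 expects the implicit `refuse.top. ANY TXT` record to be answered, while STEP 66/67 expects a name below it to get REFUSED instead of reaching the stub at 1.2.3.4 that the first hunk adds with the remark "This entry should never be queried". I would reword the second comment to something like `; a name under the implicit class-ANY zone must be REFUSED, not sent to the stub`, so that a failure here reads as a local-zone policy regression. The definition of the zone 'refuse.top.' that the new config comment refers to lies outside the hunk.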
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/nsid_bogus.rpl
Added
@@ -0,0 +1,175 @@ +; config options +; The island of trust is at example.com +server: + trust-anchor: "example.com. 3600 IN DS 2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b" + val-override-date: "20070916134226" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: "no" + fake-sha1: yes + trust-anchor-signaling: no + minimal-responses: no + nsid: "ascii_hopsa kidee" + ede: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test for NSID in SERVFAIL response due to DNSSEC bogus + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS a.gtld-servers.net. +SECTION ADDITIONAL +a.gtld-servers.net. IN A 192.5.6.30 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN NS +SECTION ANSWER +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. 
MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; response to DNSKEY priming query +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +example.com. IN DNSKEY +SECTION ANSWER +example.com. 3600 IN DNSKEY 256 3 3 ALXLUsWqUrY3JYER3T4TBJII s70j+sDS/UT2QRp61SE7S3E EXopNXoFE73JLRmvpi/UrOO/Vz4Se 6wXv/CYCKjGw06U4WRgR YXcpEhJROyNapmdIKSx hOzfLVE1gqA0PweZR8d tY3aNQSRn3sPpwJr6Mi /PqQKAMMrZ9ckJpf1+b QMOOvxgzz2U1GS18b3y ZKcgTMEaJzd/GZYzi/B N2DzQ0MsrSwYXfsNLFO Bbs8PJMW4LYIxeeOe6rUgkWOF 7CC9Dh/dduQ1QrsJhmZAEFfd6ByYV+ ;{id = 2854 (zsk), size = 1688b} +example.com. 3600 IN RRSIG DNSKEY 3 2 3600 20070926134802 20070829134802 2854 example.com. MCwCFG1yhRNtTEa3Eno2zhVVuy2EJX3wAhQeLyUp6+UXcpC5qGNu9tkrTEgPUg== ;{id = 2854} +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926135752 20070829135752 2854 example.com. MC0CFQCMSWxVehgOQLoYclB9PIAbNP229AIUeH0vNNGJhjnZiqgIOKvs1EhzqAo= ;{id = 2854} +ENTRY_END + +; nodata for ns.example.com AAAA +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +ns.example.com. IN AAAA +SECTION ANSWER +SECTION ADDITIONAL +ENTRY_END + + +; response to query of interest +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +;good signature +;www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. 
MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= ;{id = 2854} +;missing +www.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2855 example.com. MC0CFC99iE9K5y2WNgI0gFvBWaTi9wm6AhUAoUqOpDtG5Zct+Qr9F3mSdnbc6V4= +SECTION AUTHORITY +example.com. IN NS ns.example.com. +example.com. 3600 IN RRSIG NS 3 2 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCN+qHdJxoI/2tNKwsb08pra/G7aAIUAWA5sDdJTbrXA1/3OaesGBAO3sI= ;{id = 2854} +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ns.example.com. 3600 IN RRSIG A 3 3 3600 20070926134150 20070829134150 2854 example.com. MC0CFQCQMyTjn7WWwpwAR1LlVeLpRgZGuQIUCcJDEkwAuzytTDRlYK7nIMwH1CM= ;{id = 2854} +ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 00 ; Length 0 + HEX_EDNSDATA_END +ENTRY_END + +; recursion happens here. +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ede=9 +REPLY QR RD RA DO SERVFAIL +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + 00 03 ; Opcode NSID (3) + 00 0b ; Length 11 + 68 6F 70 73 61 20 ; "hopsa " + 6B 69 64 65 65 ; "kidee" + HEX_EDNSDATA_END +ENTRY_END + +SCENARIO_END
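Review bot: The one-word comment `;missing` in the "response to query of interest" entry does not say what is missing, and the RRSIG directly below it is present. What the entry appears to rely on is that this RRSIG names key tag 2855 while the DNSKEY answer served earlier only holds key 2854, which fits the `ede=9` expected in STEP 10 (EDE 9 is "DNSKEY Missing" in RFC 8914). I would spell that out, e.g. `; RRSIG by key tag 2855, no such DNSKEY is served -> bogus, EDE 9 (DNSKEY Missing)`. The `; Opcode NSID (3)` comments in the two HEX_EDNSDATA blocks describe an EDNS option code, not an opcode; `; option code NSID (3)` would be more accurate.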
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/nss_compile.tdir/nss_compile.dsc -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/nss_compile.tdir/nss_compile.dsc
Changed
@@ -8,7 +8,7 @@ CmdDepends: Depends: Help: -Pre: +Pre: nss_compile.pre Post: Test: nss_compile.test AuxFiles:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/nss_compile.tdir/nss_compile.pre
Added
@@ -0,0 +1,13 @@ +# #-- nss_compile.pre --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +. ../common.sh +if test "`hostname`" = "open.nlnetlabs.nl"; then + echo "on open, continue test" +else + skip_test "not on open, no test, do this explicitly" +fi +exit 0
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/nss_compile.tdir/nss_compile.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/nss_compile.tdir/nss_compile.test
Changed
@@ -4,13 +4,6 @@ # use .tpkg.var.test for in test variable passing -f .tpkg.var.test && source .tpkg.var.test -if test "`hostname`" = "open.nlnetlabs.nl"; then - echo "on open, continue test" -else - echo "not on open, no test, do this explicitly" - exit 0 -fi - . ../common.sh get_make PRE="../.."
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/padding.tdir/padding.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/padding.tdir/padding.post
Changed
@@ -7,7 +7,6 @@ # do your teardown here . ../common.sh PRE="../.." -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi kill_pid $DNSTAP_SOCKET_PID kill_pid $FWD_PID kill_pid `cat unbound2.pid`
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/padding.tdir/padding.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/padding.tdir/padding.pre
Changed
@@ -6,7 +6,7 @@ PRE="../.." . ../common.sh -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi +if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else skip_test "test skipped"; fi get_random_port 5 UNBOUND_PORT=$RND_PORT
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/padding.tdir/padding.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/padding.tdir/padding.test
Changed
@@ -8,7 +8,6 @@ PRE="../.." . ../common.sh -if grep "define USE_DNSTAP 1" $PRE/config.h; then echo test enabled; else echo test skipped; exit 0; fi echo "> query www.example.com. A" dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.conf
Added
@@ -0,0 +1,34 @@ +server: + verbosity: 5 + num-threads: 1 + interface: 127.0.0.1@@PORT@ + interface: 127.0.0.1@@PROXYPORT@ + interface: 127.0.0.1@@PROXYTLSPORT@ + interface: @INTERFACE_ALLOW_ADDR@@@PORT@ + interface: @INTERFACE_ALLOW_ADDR@@@PROXYPORT@ + interface: @INTERFACE_ALLOW_ADDR@@@PROXYTLSPORT@ + interface: @INTERFACE_REFUSE_ADDR@@@PORT@ + interface: @INTERFACE_REFUSE_ADDR@@@PROXYPORT@ + interface: @INTERFACE_REFUSE_ADDR@@@PROXYTLSPORT@ + proxy-protocol-port: @PROXYPORT@ + proxy-protocol-port: @PROXYTLSPORT@ + tls-port: @PROXYTLSPORT@ + use-syslog: no + directory: . + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + tls-service-key: "unbound_server.key" + tls-service-pem: "unbound_server.pem" + + # 127.0.0.0/8 is allowed by default. + access-control: @CLIENT_ADDR_ALLOW@/32 allow + access-control: @CLIENT_ADDR_REFUSE@/32 refuse + access-control: @CLIENT_ADDR_ALLOW6@/128 allow + access-control: @CLIENT_ADDR_REFUSE6@/128 refuse + access-control: @INTERFACE_ALLOW_ADDR@/32 allow + +forward-zone: + name: "." + forward-addr: "127.0.0.1@@TOPORT@"
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.dsc
Added
@@ -0,0 +1,16 @@ +BaseName: proxy_protocol +Version: 1.0 +Description: Test proxy protocol +CreationDate: Mon Mar 14 16:17:00 CET 2022 +Maintainer: Yorgos Thessalonikefs +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: proxy_protocol.pre +Post: proxy_protocol.post +Test: proxy_protocol.test +AuxFiles: +Passed: +Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.post
Added
@@ -0,0 +1,12 @@ +# #-- proxy_protocol.post --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# source the test var file when it's there + -f .tpkg.var.test && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_pid $FWD_PID +kill_pid $UNBOUND_PID +cat unbound.log +exit 0
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.pre
Added
@@ -0,0 +1,66 @@ +# #-- proxy_protocol.pre--# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +# This test uses the unshare utility +if test ! -x "`which unshare 2>&1`"; then + skip_test "no unshare (from util-linux package) available, skip test" +fi + +get_make +(cd $PRE; $MAKE streamtcp) + +get_random_port 4 +UNBOUND_PORT=$RND_PORT +FWD_PORT=$(($RND_PORT + 1)) +PROXY_PORT=$(($RND_PORT + 2)) +PROXY_TLS_PORT=$(($RND_PORT + 3)) + +INTERFACE_ALLOW=eth123 +INTERFACE_ALLOW_ADDR=10.1.2.3 +INTERFACE_REFUSE=eth234 +INTERFACE_REFUSE_ADDR=10.2.3.4 + +CLIENT_ADDR_ALLOW=1.2.3.4 +CLIENT_ADDR_ALLOW6=2001:db8::cafe:cafe +CLIENT_ADDR_REFUSE=5.6.7.8 +CLIENT_ADDR_REFUSE6=2001:db8::dead:beef + +# make config file +sed \ + -e 's/@PORT\@/'$UNBOUND_PORT'/' \ + -e 's/@TOPORT\@/'$FWD_PORT'/' \ + -e 's/@PROXYPORT\@/'$PROXY_PORT'/' \ + -e 's/@PROXYTLSPORT\@/'$PROXY_TLS_PORT'/' \ + -e 's/@INTERFACE_ALLOW_ADDR\@/'$INTERFACE_ALLOW_ADDR'/' \ + -e 's/@INTERFACE_REFUSE_ADDR\@/'$INTERFACE_REFUSE_ADDR'/' \ + -e 's/@CLIENT_ADDR_ALLOW\@/'$CLIENT_ADDR_ALLOW'/' \ + -e 's/@CLIENT_ADDR_ALLOW6\@/'$CLIENT_ADDR_ALLOW6'/' \ + -e 's/@CLIENT_ADDR_REFUSE\@/'$CLIENT_ADDR_REFUSE'/' \ + -e 's/@CLIENT_ADDR_REFUSE6\@/'$CLIENT_ADDR_REFUSE6'/' \ + < proxy_protocol.conf > ub.conf + +if test -x "`which bash`"; then + shell="bash" +else + shell="sh" +fi + +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test +echo "PROXY_PORT=$PROXY_PORT" >> .tpkg.var.test +echo "PROXY_TLS_PORT=$PROXY_TLS_PORT" >> .tpkg.var.test +echo "INTERFACE_ALLOW=$INTERFACE_ALLOW" >> .tpkg.var.test +echo "INTERFACE_ALLOW_ADDR=$INTERFACE_ALLOW_ADDR" >> .tpkg.var.test +echo "INTERFACE_REFUSE=$INTERFACE_REFUSE" >> .tpkg.var.test +echo "INTERFACE_REFUSE_ADDR=$INTERFACE_REFUSE_ADDR" >> .tpkg.var.test +echo 
"CLIENT_ADDR_ALLOW=$CLIENT_ADDR_ALLOW" >> .tpkg.var.test +echo "CLIENT_ADDR_ALLOW6=$CLIENT_ADDR_ALLOW6" >> .tpkg.var.test +echo "CLIENT_ADDR_REFUSE=$CLIENT_ADDR_REFUSE" >> .tpkg.var.test +echo "CLIENT_ADDR_REFUSE6=$CLIENT_ADDR_REFUSE6" >> .tpkg.var.test +echo "shell=$shell" >> .tpkg.var.test
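Review bot: The pre-check only tests that an `unshare` binary is executable; it does not test that this host lets an unprivileged user create user and network namespaces, which proxy_protocol.test needs for `unshare -rUn`. On build hosts or containers where user namespaces are disabled, the test would then fail instead of being skipped. A probe right after the existing check would cover it: `if ! unshare -rUn true >/dev/null 2>&1; then skip_test "cannot create user/net namespace, skip test"; fi`. The scenario also calls `ip` to create dummy interfaces, so a `which ip` check of the same form belongs here as well.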
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.test
Added
@@ -0,0 +1,12 @@ +# #-- proxy_protocol.test --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +# Run the scenario in an unshared namespace +unshare -rUn $shell proxy_protocol.test.scenario +exit $?
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.test.scenario
Added
@@ -0,0 +1,193 @@ +# #-- proxy_protocol.test.scenario --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +ip addr add 127.0.0.1 dev lo +ip link set lo up + +ip link add $INTERFACE_ALLOW type dummy +ip addr add $INTERFACE_ALLOW_ADDR dev $INTERFACE_ALLOW +ip link set $INTERFACE_ALLOW up + +ip link add $INTERFACE_REFUSE type dummy +ip addr add $INTERFACE_REFUSE_ADDR dev $INTERFACE_REFUSE +ip link set $INTERFACE_REFUSE up + +# start forwarder in the background +get_ldns_testns +$LDNS_TESTNS -p $FWD_PORT proxy_protocol.testns >fwd.log 2>&1 & +FWD_PID=$! +echo "FWD_PID=$FWD_PID" >> .tpkg.var.test + +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +wait_ldns_testns_up fwd.log +wait_unbound_up unbound.log + +# call streamtcp and check return value +do_streamtcp () { + $PRE/streamtcp $* A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi +} + +send_query () { + server=$1 + client=$2 + prot=$3 + query=$4 + echo -n "> query $query to $server" + port=$UNBOUND_PORT + if test ! -z "$client"; then + port=$PROXY_PORT + fi + case $prot in + -u) + echo -n " (over UDP)" + ;; + -s) + echo -n " (over TLS)" + port=$PROXY_TLS_PORT + ;; + *) + echo -n " (over TCP)" + esac + if test ! 
-z "$client"; then + echo -n " ($client proxied)" + fi + echo + do_streamtcp $prot -f $server@$port $client $query + #cat outfile +} + +expect_answer () { + #query=$1 + #answer=$2 + if grep "$query" outfile | grep "$answer"; then + echo "content OK" + echo + else + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "result contents not OK" + exit 1 + fi +} + +expect_refuse () { + if grep "rcode: REFUSE" outfile; then + echo "content OK" + echo + else + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "result contents not OK" + exit 1 + fi +} + +# Start the test + +# Query without PROXYv2 +# Client localhost +# Expect the result back +server=127.0.0.1 +client="" +query="two.example.net." +answer="2.2.2.2" +for prot in "-u" ""; do + send_query "$server" "$client" "$prot" "$query" + expect_answer +done + +# Query with PROXYv2 +# Client $CLIENT_ADDR_ALLOW should be allowed +# Expect the result back +server=127.0.0.1 +client="-p $CLIENT_ADDR_ALLOW@1234" +query="one.example.net." +answer="1.1.1.1" +for prot in "-u" "" "-s"; do + send_query "$server" "$client" "$prot" "$query" + expect_answer +done + +# Query with PROXYv2 +# Client $CLIENT_ADDR_ALLOW6 should be allowed +# Expect the result back +server=127.0.0.1 +client="-p $CLIENT_ADDR_ALLOW6@1234" +query="one.example.net." +answer="1.1.1.1" +for prot in "-u" "" "-s"; do + send_query "$server" "$client" "$prot" "$query" + expect_answer +done + +# Query with PROXYv2 +# Client $CLIENT_ADDR_REFUSE should be refused +# Expect the REFUSE back +server=127.0.0.1 +client="-p $CLIENT_ADDR_REFUSE" +query="one.example.net." +answer="" +for prot in "-u" "" "-s"; do + send_query "$server" "$client" "$prot" "$query" + expect_refuse +done + +# Query with PROXYv2 +# Client $CLIENT_ADDR_REFUSE6 should be refused +# Expect the REFUSE back +server=127.0.0.1 +client="-p $CLIENT_ADDR_REFUSE6" +query="one.example.net." 
+answer="" +for prot in "-u" "" "-s"; do + send_query "$server" "$client" "$prot" "$query" + expect_refuse +done + +# Query with PROXYv2 +# Client $CLIENT_ADDR_ALLOW should be allowed; proxy source address should be allowed +# Expect the result back +server=$INTERFACE_ALLOW_ADDR +client="-p $CLIENT_ADDR_ALLOW@1234" +query="one.example.net." +answer="1.1.1.1" +for prot in "-u" "" "-s"; do + send_query "$server" "$client" "$prot" "$query" + expect_answer +done + +# Query with PROXYv2 +# Client $CLIENT_ADDR_ALLOW should be allowed; proxy source address should be refused +# Expect the REFUSE back +server=$INTERFACE_REFUSE_ADDR +client="-p $CLIENT_ADDR_ALLOW@1234" +query="one.example.net." +answer="" +for prot in "-u" "" "-s"; do + send_query "$server" "$client" "$prot" "$query" + expect_refuse +done + +echo "OK" +exit 0 +
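Review bot: Every case in this scenario sends the PROXYv2 header to a proxy port and plain queries to `$UNBOUND_PORT`, because `send_query` switches to `$PROXY_PORT` only when `$client` is set, so a header-less query arriving on a proxy port is never exercised. For an access-control test that is a case worth pinning, since the listener must not fall back to treating the connection's own source address as an allowed client. I would add it with the expected outcome taken from the `proxy-protocol-port` documentation; whether unbound drops or refuses such a query is not visible on this page. `do_streamtcp` exits on any non-zero status, so a case that expects no reply needs a variant that tolerates the failure. Smaller point: the refuse cases pass `-p $CLIENT_ADDR_REFUSE` without the `@1234` port that the allow cases use; making them uniform rules out the address syntax as the cause of the refusal.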
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/proxy_protocol.testns
Added
@@ -0,0 +1,23 @@ +; nameserver test file +$ORIGIN example.net. +$TTL 3600 + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR RD RA NOERROR +ADJUST copy_id +SECTION QUESTION +one IN A +SECTION ANSWER +one IN A 1.1.1.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR RD RA NOERROR +ADJUST copy_id +SECTION QUESTION +two IN A +SECTION ANSWER +two IN A 2.2.2.2 +ENTRY_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/unbound_server.key
Added
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY-----
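Review bot: This section adds an unencrypted RSA private key to the source tree, and nothing next to it says that it is a throw-away fixture for the `tls-service-key` setting in proxy_protocol.conf. I would state in the `Description:` field of proxy_protocol.dsc, or in a short README in the tdir, that unbound_server.key and unbound_server.pem are public test material that must never back a real listener. The testdata path should also be on the allow-list of whatever secret scanner runs over the repository, so that real findings are not buried under this one. Whether testdata is kept out of the built packages cannot be checked from this section.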
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/proxy_protocol.tdir/unbound_server.pem
Added
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE-----
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pylib.tdir/pylib.lookup.conf -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pylib.tdir/pylib.lookup.conf
Changed
@@ -11,4 +11,4 @@ stub-zone: name: "example.com." stub-addr: "127.0.0.1@@TOPORT@" - + stub-no-cache: yes
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pylib.tdir/pylib.lookup.py -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pylib.tdir/pylib.lookup.py
Changed
@@ -9,9 +9,11 @@ import unbound qname = "www.example.com" +qname2 = "www2.example.com" qtype = unbound.RR_TYPE_A qclass = unbound.RR_CLASS_IN + def create_context(config_file="ub.lookup.conf", asyncflag=False): """ Create an unbound context to use for testing. @@ -69,32 +71,6 @@ print("Failed async resolve with: {}".format(retval)) -def test_ratelimit_fg_on(ctx): - """ - Test resolving a ratelimited domain with a foreground worker. - - """ - ctx.set_option("ratelimit:", "1") - ctx.set_option("ratelimit-factor:", "0") - status, result = ctx.resolve(qname, qtype, qclass) - if status == 0 and result.was_ratelimited: - print("Ratelimit-fg-on: pass") - else: - print("Failed ratelimit-fg-on with: {}".format(status)) - - -def test_ratelimit_fg_off(ctx): - """ - Test resolving a non-ratelimited domain with a foreground worker. - - """ - status, result = ctx.resolve(qname, qtype, qclass) - if status == 0 and result.havedata: - print("Ratelimit-fg-off: {}".format(result.data.address_list)) - else: - print("Failed ratelimit-fg-off with: {}".format(status)) - - def test_ratelimit_bg_on(ctx): """ Test resolving a ratelimited domain with a background worker. 
@@ -102,40 +78,32 @@ """ ctx.set_option("ratelimit:", "1") ctx.set_option("ratelimit-factor:", "0") - cb_data = dict(done=False) - retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) - while retval == 0 and not cb_data'done': - time.sleep(0.1) - retval = ctx.process() - - if cb_data.get('was_ratelimited'): + total_runs = 6 + success_threshold = 4 # 2/3*total_runs + successes = 0 + for i in range(total_runs): + cb_data = dict(done=False) + cb_data2 = dict(done=False) + retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) + retval, async_id = ctx.resolve_async(qname2, cb_data2, callback, qtype, qclass) + + while retval == 0 and not (cb_data'done' and cb_data'done'): + time.sleep(0.1) + retval = ctx.process() + + if bool(cb_data.get('was_ratelimited')) ^ bool(cb_data2.get('was_ratelimited')): + successes += 1 + if successes >= success_threshold: + break + time.sleep(1) + if successes >= success_threshold: print("Ratelimit-bg-on: pass") else: - print("Failed ratelimit-bg-on with: {}".format(status)) - - -def test_ratelimit_bg_off(ctx): - """ - Test resolving a non-ratelimited domain with a background worker. - - """ - cb_data = dict(done=False) - retval, async_id = ctx.resolve_async(qname, cb_data, callback, qtype, qclass) - while retval == 0 and not cb_data'done': - time.sleep(0.1) - retval = ctx.process() - - if cb_data.get('data'): - print("Ratelimit-bg-off: {}".format(cb_data'data'.address_list)) - else: - print("Failed ratelimit-bg-off with: {}".format(status)) + print("Failed ratelimit-bg-on") test_resolve(create_context()) test_async_resolve(create_context(asyncflag=True)) -test_ratelimit_fg_on(create_context()) -test_ratelimit_fg_off(create_context()) test_ratelimit_bg_on(create_context(asyncflag=True)) -test_ratelimit_bg_off(create_context(asyncflag=True)) sys.exit(0)
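Review bot: In the new loop of test_ratelimit_bg_on the wait condition tests `cb_data` twice, rendered here as `not (cb_data'done' and cb_data'done')` (the page seems to have dropped the subscript brackets), so completion of the second query is never awaited. The XOR check on `was_ratelimited` that follows can then read `cb_data2` before its callback has run, which makes the success count depend on timing. The condition should be `while retval == 0 and not (cb_data['done'] and cb_data2['done']):`. The `retval` of the first `resolve_async` call is also overwritten by the second before it is looked at, so a failure to submit `qname` goes unnoticed; checking the two return values separately would fix that.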
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pylib.tdir/pylib.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pylib.tdir/pylib.post
Changed
@@ -8,13 +8,6 @@ PRE="../.." . ../common.sh -# if no python; exit -if grep "define WITH_PYUNBOUND 1" $PRE/config.h; then - echo "have pyunbound" -else - echo "no pyunbound" - exit 0 -fi # kill fwder kill_pid $FWD_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pylib.tdir/pylib.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pylib.tdir/pylib.pre
Changed
@@ -10,8 +10,7 @@ if grep "define WITH_PYUNBOUND 1" $PRE/config.h; then echo "have pyunbound" else - echo "no pyunbound" - exit 0 + skip_test "no pyunbound" fi # Copy the required libraries
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pylib.tdir/pylib.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pylib.tdir/pylib.test
Changed
@@ -5,13 +5,6 @@ -f .tpkg.var.test && source .tpkg.var.test PRE="../.." -if grep "define WITH_PYUNBOUND 1" $PRE/config.h; then - echo "have pyunbound" -else - echo "no pyunbound" - exit 0 -fi - if test "`uname 2>&1`" = "Darwin"; then echo export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:../../.libs" export DYLD_LIBRARY_PATH="$DYLD_LIBRARY_PATH:../../.libs" @@ -42,30 +35,12 @@ echo "Not OK (async resolve)" exit 1 fi -if grep "Ratelimit-fg-on: pass" outfile; then - : -else - echo "Not OK (ratelimit-fg-on)" - exit 1 -fi -if grep "Ratelimit-fg-off: \.\?10.20.30.40.\?\" outfile; then - : -else - echo "Not OK (ratelimit-fg-off)" - exit 1 -fi if grep "Ratelimit-bg-on: pass" outfile; then : else echo "Not OK (ratelimit-bg-on)" exit 1 fi -if grep "Ratelimit-bg-off: \.\?10.20.30.40.\?\" outfile; then - : -else - echo "Not OK (ratelimit-bg-off)" - exit 1 -fi echo "OK"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pylib.tdir/pylib.testns -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pylib.tdir/pylib.testns
Changed
@@ -12,3 +12,12 @@ www IN A 10.20.30.40 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR AA NOERROR +ADJUST copy_id +SECTION QUESTION +www2 IN A +SECTION ANSWER +www2 IN A 10.20.30.40 +ENTRY_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod.tdir/pymod.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod.tdir/pymod.post
Changed
@@ -8,13 +8,6 @@ PRE="../.." . ../common.sh -# if no python; exit -if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then - echo "have python module" -else - echo "no python module" - exit 0 -fi kill_pid $FWD_PID kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod.tdir/pymod.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod.tdir/pymod.pre
Changed
@@ -10,8 +10,7 @@ if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then echo "have python module" else - echo "no python module" - exit 0 + skip_test "no python module" fi # get module python local cp $PRE/pythonmod/unboundmodule.py .
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod.tdir/pymod.py -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod.tdir/pymod.py
Changed
@@ -37,7 +37,12 @@ import os def init(id, cfg): - log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, cfg.python_script)) + scripts= + s = cfg.python_script + while s != None: + scripts.append(s.str) + s = s.next + log_info("pythonmod: init called, module id is %d port: %d script: %s" % (id, cfg.port, scripts)) return True def deinit(id):
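Review bot: The list walk added to init() compares with `while s != None:`; the identity test `while s is not None:` is the idiomatic form for a None check. The collected `scripts` list is then passed to the `%s` placeholder, so the log line prints a Python list repr; `", ".join(scripts)` would keep the message in the same plain form as before.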
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod.tdir/pymod.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod.tdir/pymod.test
Changed
@@ -5,12 +5,6 @@ -f .tpkg.var.test && source .tpkg.var.test PRE="../.." -if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then - echo "have python module" -else - echo "no python module" - exit 0 -fi if test "`uname 2>&1`" = "Darwin"; then ldnsdir=`grep ldnsdir= ../../Makefile | sed -e 's/ldnsdir=//'`
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod_thread.tdir/pymod_thread.post -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod_thread.tdir/pymod_thread.post
Changed
@@ -8,13 +8,6 @@ PRE="../.." . ../common.sh -# if no python; exit -if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then - echo "have python module" -else - echo "no python module" - exit 0 -fi kill_pid $FWD_PID kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod_thread.tdir/pymod_thread.pre -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod_thread.tdir/pymod_thread.pre
Changed
@@ -10,8 +10,7 @@ if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then echo "have python module" else - echo "no python module" - exit 0 + skip_test "no python module" fi # get module python local cp $PRE/pythonmod/unboundmodule.py .
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/pymod_thread.tdir/pymod_thread.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/pymod_thread.tdir/pymod_thread.test
Changed
@@ -5,12 +5,6 @@ -f .tpkg.var.test && source .tpkg.var.test PRE="../.." -if grep "define WITH_PYTHONMODULE 1" $PRE/config.h; then - echo "have python module" -else - echo "no python module" - exit 0 -fi if test "`uname 2>&1`" = "Darwin"; then ldnsdir=`grep ldnsdir= ../../Makefile | sed -e 's/ldnsdir=//'`
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/ratelimit.conf
Added
@@ -0,0 +1,29 @@
+server:
+ verbosity: 5
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: .
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+
+ ratelimit: 1
+ ratelimit-factor: 0
+
+stub-zone:
+ name: "example.com."
+ stub-addr: "127.0.0.1@@TOPORT@"
+ stub-no-cache: yes
+
+remote-control:
+ control-enable: yes
+ control-interface: 127.0.0.1
+ # control-interface: ::1
+ control-port: @CONTROL_PORT@
+ server-key-file: "unbound_server.key"
+ server-cert-file: "unbound_server.pem"
+ control-key-file: "unbound_control.key"
+ control-cert-file: "unbound_control.pem"
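Review bot: The `remote-control:` block points at `unbound_server.key` and `unbound_control.key`, which this revision adds further down as unencrypted RSA private keys, and nothing here marks them as throwaway test fixtures. A comment above `server-key-file:` such as `# test-only key pair shipped with the test suite; never reuse for a real remote-control setup` would make that explicit. The packaging should also keep `testdata/` out of the installed files so the keys never reach a deployed system. Secret scanners are better told to allow these two paths than to ignore the private-key pattern globally.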
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/ratelimit.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: ratelimit
+Version: 1.0
+Description: Test ratelimit.
+CreationDate: Sun Jan 30 00:40:00 CET 2022
+Maintainer: Yorgos Thessalonikefs
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: ratelimit.pre
+Post: ratelimit.post
+Test: ratelimit.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/ratelimit.post
Added
@@ -0,0 +1,14 @@
+# #-- ratelimit.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $STUB_PID
+kill_pid $UNBOUND_PID
+if test -f unbound.log; then
+ echo ">>> unbound log"
+ cat unbound.log
+fi
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/ratelimit.pre
Added
@@ -0,0 +1,33 @@
+# #-- ratelimit.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+STUB_PORT=$(($RND_PORT + 1))
+CONTROL_PORT=$(($RND_PORT + 2))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "STUB_PORT=$STUB_PORT" >> .tpkg.var.test
+echo "CONTROL_PORT=$CONTROL_PORT" >> .tpkg.var.test
+
+# start ldns-testns
+get_ldns_testns
+$LDNS_TESTNS -v -p $STUB_PORT ratelimit.testns >stub.log 2>&1 &
+STUB_PID=$!
+echo "STUB_PID=$STUB_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$STUB_PORT'/' -e 's/@CONTROL_PORT\@/'$CONTROL_PORT'/' < ratelimit.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+wait_ldns_testns_up stub.log
+wait_unbound_up unbound.log
+
+cat .tpkg.var.test
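Review bot: `get_random_port 2` is followed by the use of three consecutive ports: `$RND_PORT` for unbound, `$RND_PORT + 1` for the stub and `$RND_PORT + 2` for `CONTROL_PORT`. If the argument is the number of ports the helper checks for availability (common.sh is not shown on this page, so this is an assumption), the control port is never checked and the test can fail spuriously when that port is already taken. `get_random_port 3` would cover all three.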
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/ratelimit.test
Added
@@ -0,0 +1,183 @@ +# #-- ratelimit.test --# +# source the master var file when it's there + -f ../.tpkg.var.master && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing + -f .tpkg.var.test && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +get_make +(cd $PRE; $MAKE streamtcp) + +# These tests rely on second time precision. To combat false negatives the +# tests run multiple times and we allow 1/3 of the runs to fail. +total_runs=6 +success_threshold=4 # 2/3*total_runs + +successes=0 +echo "> Three parallel queries" +# For this test we send three parallel queries and we expect only one of them +# to be allowed through each second. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 2; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi + sleep 1 +done +if test $successes -ge $success_threshold; then + echo "Number of ratelimited queries OK for three parallel queries" +else + echo "Number of ratelimited queries not OK for three parallel queries" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries" + exit 1 +fi + +echo "> Activating ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 3 +if test $? 
-ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +slipped_through=0 +echo "> Three parallel queries with ratelimit-factor" +# For this test we send three parallel queries and we expect at least two of +# them to be allowed through at a given second; one from the ratelimit itself +# and one from the ratelimit-factor. +for i in {1..10}; do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -lt 2; then + slipped_through=1 + break + fi + sleep 2 +done +if test $slipped_through -eq 0; then + echo "ratelimit-factor did not work" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "ratelimit-factor did not work" + exit 1 +fi +echo "ratelimit-factor OK" + +echo "> Disabling ratelimit-factor" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0" +$PRE/unbound-control -c ub.conf set_option ratelimit-factor: 0 +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi +echo "> Activating ratelimit-backoff" +echo "$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes" +$PRE/unbound-control -c ub.conf set_option ratelimit-backoff: yes +if test $? -ne 0; then + echo "wrong exit value after success" + exit 1 +fi + +successes=0 +echo "> Three parallel queries with backoff" +# For this test we send three parallel queries. The ratelimit should be reached +# for that second. Then for the next second we again send three parallel +# queries and we expect none of them to be allowed through because of the +# backoff logic that keeps rolling the RATE_WINDOW based on demand. +for i in $(seq 1 $total_runs); do + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. 
A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + sleep 1 # Limit is reached; it should also be active for the next second + $PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 + if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 + fi + cat outfile + if test `grep "rcode: SERVFAIL" outfile | wc -l` -eq 3; then + ((successes++)) + fi + # We don't have to wait for all the runs to complete if we know + # we passed the threshold. + if test $successes -ge $success_threshold; then + break + fi +done + +if test $successes -ge $success_threshold; then + echo "three parallel queries with backoff OK" +else + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries with backoff" + exit 1 +fi + +echo "> Three parallel queries after backoff RATE_WINDOW" +sleep 3 # Make sure the RATE_WINDOW is renewed +# For this test we make three parallel queries after the RATE_WINDOW has passed +# without any new demand and we expect at least one query to pass through. This +# is to check that the backoff logic does not insist on past (outside of +# RATE_WINDOW) limits. +$PRE/streamtcp -na -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN www2.example.com. A IN www3.example.com. A IN >outfile 2>&1 +if test "$?" 
-ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Not OK" + exit 1 +fi +cat outfile +if test `grep "rcode: NOERROR" outfile | wc -l` -gt 0; then + echo "Number of ratelimited queries OK for three parallel queries after backoff RATE_WINDOW" +else + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + echo "> cat logfiles" + cat outfile + cat unbound.log + echo "Number of ratelimited queries not OK for three parallel queries after backoff RATE_WINDOW" + exit 1 +fi +exit 0
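Review bot: The three retry loops are written two different ways: the first and third use `for i in $(seq 1 $total_runs)`, while the ratelimit-factor loop uses `for i in {1..10}` with an unnamed count. Declaring `factor_runs=10` next to `total_runs` and writing `for i in $(seq 1 $factor_runs)` would keep them uniform. The SERVFAIL and NOERROR counts could use `grep -c "rcode: SERVFAIL" outfile` rather than piping grep into `wc -l`. In the backoff loop the second streamtcp run overwrites `outfile` before `cat outfile`, so the first run's responses never reach the log; a comment stating that only the second run is inspected would make that intent clear.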
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/ratelimit.testns
Added
@@ -0,0 +1,13 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype
+REPLY QR AA NOERROR
+ADJUST copy_id copy_query
+SECTION QUESTION
+wild IN A
+SECTION ANSWER
+wild IN A 10.20.30.40
+ENTRY_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/unbound_control.key
Added
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj 
+7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY-----
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/unbound_control.pem
Added
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE-----
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/unbound_server.key
Added
@@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 
+BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY-----
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/ratelimit.tdir/unbound_server.pem
Added
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE-----
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/root_anchor.tdir/root_anchor.dsc -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_anchor.tdir/root_anchor.dsc
Changed
@@ -8,7 +8,7 @@ CmdDepends: Depends: Help: -Pre: +Pre: root_anchor.pre Post: Test: root_anchor.test AuxFiles:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_anchor.tdir/root_anchor.pre
Added
@@ -0,0 +1,11 @@
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+# only do this test if the network is up.
+if dig @k.root-servers.net . SOA 2>&1 | grep NOERROR ; then
+ :
+else
+ skip_test "network is not up"
+fi
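Review bot: `skip_test "network is not up"` is called in the else branch, but this file never sources `../common.sh`, unlike `ratelimit.pre` in the same revision. If `skip_test` is defined there (its definition is not visible on this page), the call ends in command-not-found when the network is down and the pre-script errors out instead of skipping. Adding `. ../common.sh` after the two `source` lines would fix it. `root_hints.pre` has the same shape around `skip_test "Dig too old. skip test"`.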
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/root_anchor.tdir/root_anchor.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_anchor.tdir/root_anchor.test
Changed
@@ -5,15 +5,6 @@ PRE="../.." -# only do this test if the network is up. -echo "is the net up?" -if dig @k.root-servers.net . SOA 2>&1 | grep NOERROR ; then - echo yes -else - echo no - exit 0 -fi - # test that unbound-anchor, its builtin DNSKEY, works. # so the https is disabled (go to 127.0.0.1@10099). $PRE/unbound-anchor -u "127.0.0.1" -P 10099 -a test.ds -v @@ -27,7 +18,7 @@ echo "" # test that unbound-anchor, the builtin certificate, works -# so, force https with -F and the -c is a nonexistant file +# so, force https with -F and the -c is a nonexistent file $PRE/unbound-anchor -a test.cert -c test.pem -v -F # check that the test.cert file is OK. if $PRE/unbound-host -f test.cert -t SOA -v . 2>&1 | grep "(secure)"; then @@ -38,7 +29,7 @@ fi # use curl to see if the PGP certificate has been updated. -curl --time-cond "20170203 10:00:00" https://data.iana.org/root-anchors/icannbundle.pem > newcert +curl --time-cond "20210908 17:00:00" https://data.iana.org/root-anchors/icannbundle.pem > newcert if test -n "`cat newcert`"; then echo "icannbundle.pem has been updated" cat newcert
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/root_hints.tdir/root_hints.dsc -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_hints.tdir/root_hints.dsc
Changed
@@ -8,7 +8,7 @@ CmdDepends: Depends: Help: -Pre: +Pre: root_hints.pre Post: Test: root_hints.test AuxFiles:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_hints.tdir/root_hints.pre
Added
@@ -0,0 +1,11 @@
+# #-- root_hints.pre --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+# dig 9 ?
+digv=`dig -v 2>&1 | wc -l`
+if test $digv -ne 1; then
+ skip_test "Dig too old. skip test"
+fi
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/root_hints.tdir/root_hints.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_hints.tdir/root_hints.test
Changed
@@ -1,4 +1,4 @@ -# #-- 06-ianaports.test --# +# #-- root_hints.test --# # source the master var file when it's there -f ../.tpkg.var.master && source ../.tpkg.var.master # use .tpkg.var.test for in test variable passing @@ -6,13 +6,6 @@ PRE="../.." -# dig 9 ? -digv=`dig -v 2>&1 | wc -l` -if test $digv -ne 1; then - echo "Dig too old. skip test" - exit 0 -fi - eval `grep ^srcdir= $PRE/Makefile` echo "srcdir="$srcdir
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/root_key_sentinel.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/root_key_sentinel.rpl
Changed
@@ -4,6 +4,7 @@ val-override-date: "20180423171826" target-fetch-policy: "0 0 0 0 0" trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -138,7 +139,7 @@ ; recursion happens here. STEP 22 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION root-key-sentinel-not-ta-19036. IN A @@ -154,7 +155,7 @@ ; recursion happens here. STEP 33 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION root-key-sentinel-is-ta-20326. IN A 
@@ -175,11 +176,11 @@ SECTION QUESTION root-key-sentinel-not-ta-20326. IN A SECTION AUTHORITY -. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 -. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== . 86400 IN NSEC aaa. NS SOA RRSIG NSEC DNSKEY . 86400 IN RRSIG NSEC 8 0 86400 20180506050000 20180423040000 39570 . E1FeP4/GvcPksKXgas9pslduWU6+cqqSoJpgtCeymd6t7MORbnsQJdUo rjqbRtxvOOnv5g4uVZdv0krSc/eqw8HWEiCW0oZWYLcz+h8eI4htt4uv 8LciVgQn3Aspic2b8uWdPTJUPuc94esn5AJZDMK9VOTwZD2UVqbv/k9U 4LG0o56yRQshYTG2hiutFXLYmzFe2YmKct6G7W50O7s5hwxTqqRwv9av 1Q3UZUj/ZARNt9z53pygJsDPDX+L2q4lowtiHJCRPjijm8K3Bwb8uFsG 3YB20K9d3krack9c6gAMJzpgeuFQ/b2HxiZMJPvJ3tHqIhDn0U5qoZdT Xq0WTw== room. 86400 IN NSEC rs. NS DS RRSIG NSEC room. 86400 IN RRSIG NSEC 8 1 86400 20180506050000 20180423040000 39570 . Fmhf8s0yVixynVdO6VWLEctcvb7+3UK9gu+9BhUPBS0SNedhMwfyiYaR MzWU9P99gVYUT1G/vXRqbAabtD3Ccnt/ydUBguZq3pV5GL+7czeEbZ5z 8/LlS+wyw2OTe4DOKzBZ7oZAA/r/Tz2bhVA6kNyIKFXAmBXuh7I5Ty7H elbIWh7Lq7QjZwN9LL4M1kSNePH2cmS3Lu/scRf3m3fN/70sgoYzKNB7 +Hbi/YjXBbRIcj7tHA6iMoZLGPXRMJdb6NqJNIaDIDtOA95cFa4oRx2P usBW9lpXG0YY+KDm1J6UjxUP7TIn0yXt+c0vy2cz7zu++ZEkdU29WtBG dUQEaA== +. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2018042300 1800 900 604800 86400 +. 86400 IN RRSIG SOA 8 0 86400 20180506050000 20180423040000 39570 . 
LboVfcSRUSuBcZPpkkOO1N6KpGO6DBzOGL6UtSVUssycPzGIZctcIM0s Kb71iBf3rxFjNVlgCuNFb74WpCyRQ2coB2uUQXVA81A+P4Qb62/s3Nr2 pRGxayA1Y0Uq2M4CRkh3bjgn/cEcEFSWTl+xDVjZO8hX98JdQjYmrVui 4zEQhsMM03sqkmjkH88owibWK7HDl6O0n6Imer2hCsVTlFv7PSrBHlXP KntkIMDtbGHZW/BkKnA6P1jfAVfgXr70bRVaDRddLqJp3EX6EuR83osg 8q46170NgCMCKK3ePItJYF16SEADFKdOQs19CMTXAN7M1p4cnGk2yRG/ 68BmCg== ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_clientip.rpl
Added
@@ -0,0 +1,264 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + minimal-responses: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +24.0.0.0.192.rpz-client-ip CNAME . +24.0.1.0.192.rpz-client-ip CNAME *. +24.0.2.0.192.rpz-client-ip CNAME rpz-drop. +24.0.3.0.192.rpz-client-ip CNAME rpz-passthru. +24.0.4.0.192.rpz-client-ip CNAME rpz-tcp-only. +24.0.5.0.192.rpz-client-ip A 127.0.0.1 +24.0.5.0.192.rpz-client-ip TXT "42" +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ client ip triggers + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN A +SECTION ANSWER +a.a. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN AAAA +SECTION ANSWER +a.a. IN AAAA 2001:db8::123 +ENTRY_END + +RANGE_END + +; unrelated client ip address -- passthru + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." 
+ENTRY_END + +; should be NXDOMAIN + +STEP 20 QUERY ADDRESS 192.0.0.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NXDOMAIN +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; should be NODATA + +STEP 30 QUERY ADDRESS 192.0.1.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; should be PASSTHRU + +STEP 40 QUERY ADDRESS 192.0.3.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +; should be TRUNCATED + +STEP 50 QUERY ADDRESS 192.0.4.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA TC RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; should not be TRUNCATED via TCP + +STEP 52 QUERY ADDRESS 192.0.4.1 +ENTRY_BEGIN +MATCH TCP +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 53 CHECK_ANSWER +ENTRY_BEGIN +MATCH all TCP +REPLY QR RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +; should be synthesized + +STEP 60 QUERY ADDRESS 192.0.5.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN A +ENTRY_END + +STEP 61 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NOERROR +SECTION QUESTION +a.a. IN A +SECTION ANSWER +a.a. IN A 127.0.0.1 +SECTION ADDITIONAL +rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 ) +ENTRY_END + +; should be synthesized + +STEP 62 QUERY ADDRESS 192.0.5.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. 
IN TXT +ENTRY_END + +STEP 63 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "42" +SECTION ADDITIONAL +rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 ) +ENTRY_END + +; should be synthesized NODATA + +STEP 64 QUERY ADDRESS 192.0.5.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN AAAA +ENTRY_END + +STEP 65 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NOERROR +SECTION QUESTION +a.a. IN AAAA +SECTION ADDITIONAL +rpz.example.com. 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( 1379078166 28800 7200 604800 7200 ) +ENTRY_END + +; should be DROPPED + +STEP 90 QUERY ADDRESS 192.0.2.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_nsdname.rpl
Added
@@ -0,0 +1,390 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-log: yes + rpz-log-name: "rpz.example.com" + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +ns1.gotham.aa.rpz-nsdname CNAME . +ns1.gotham.bb.rpz-nsdname CNAME *. +ns1.gotham.cc.rpz-nsdname CNAME rpz-drop. +ns1.gotham.com.rpz-nsdname CNAME rpz-passthru. +ns1.gotham.dd.rpz-nsdname CNAME rpz-tcp-only. +ns1.gotham.ff.rpz-nsdname A 127.0.0.1 +ns1.gotham.ff.rpz-nsdname TXT "42" +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 1.1.1.1 +CONFIG_END + +SCENARIO_BEGIN Test RPZ nsip triggers + +; . -------------------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 1.1.1.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns.root. +SECTION ADDITIONAL +ns.root IN A 1.1.1.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN A +SECTION AUTHORITY +com. IN NS ns1.com. +SECTION ADDITIONAL +ns1.com. IN A 8.8.8.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +aa. IN A +SECTION AUTHORITY +aa. IN NS ns1.aa. +SECTION ADDITIONAL +ns1.aa. IN A 8.8.0.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +bb. IN A +SECTION AUTHORITY +bb. IN NS ns1.bb. +SECTION ADDITIONAL +ns1.bb. IN A 8.8.1.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +cc. 
IN A +SECTION AUTHORITY +cc. IN NS ns1.cc. +SECTION ADDITIONAL +ns1.cc. IN A 8.8.2.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +dd. IN A +SECTION AUTHORITY +dd. IN NS ns1.dd. +SECTION ADDITIONAL +ns1.dd. IN A 8.8.3.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +ee. IN A +SECTION AUTHORITY +ee. IN NS ns1.ee. +SECTION ADDITIONAL +ns1.ee. IN A 8.8.5.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +ff. IN A +SECTION AUTHORITY +ff. IN NS ns1.ff. +SECTION ADDITIONAL +ns1.ff. IN A 8.8.6.8 +ENTRY_END + +RANGE_END + +; com. ----------------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 8.8.8.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS ns1.com. +SECTION ADDITIONAL +ns1.com. IN A 8.8.8.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.com. IN A +SECTION AUTHORITY +gotham.com. IN NS ns1.gotham.com. +SECTION ADDITIONAL +ns1.gotham.com. IN A 192.0.6.1 +ENTRY_END + +RANGE_END + +; aa. ------------------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 8.8.0.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +aa. IN NS +SECTION ANSWER +aa. IN NS ns1.aa. +SECTION ADDITIONAL +ns1.aa. IN A 8.8.0.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.aa. IN A +SECTION AUTHORITY +gotham.aa. IN NS ns1.gotham.aa. +SECTION ADDITIONAL +ns1.gotham.aa. IN A 192.0.0.1 +ENTRY_END + +RANGE_END + +; bb. 
------------------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 8.8.1.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +bb. IN NS +SECTION ANSWER +bb. IN NS ns1.bb. +SECTION ADDITIONAL +ns1.bb. IN A 8.8.1.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.bb. IN A +SECTION AUTHORITY +gotham.bb. IN NS ns1.gotham.bb. +SECTION ADDITIONAL +ns1.gotham.bb. IN A 192.0.1.1 +ENTRY_END + +RANGE_END + +; ff. ------------------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 8.8.6.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ff. IN NS +SECTION ANSWER +ff. IN NS ns1.ff. +SECTION ADDITIONAL +ns1.ff. IN A 8.8.6.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION AUTHORITY +gotham.ff. IN NS ns1.gotham.ff. +SECTION ADDITIONAL +ns1.gotham.ff. IN A 192.0.5.1 +ENTRY_END + +RANGE_END + +; ns1.gotham.com. ------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 192.0.6.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.com. IN A +SECTION ANSWER +gotham.com. IN A 192.0.6.2 +ENTRY_END + +RANGE_END + +; ns1.gotham.aa. ------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 192.0.0.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.aa. IN A +SECTION ANSWER +gotham.aa. IN A 192.0.0.2 +ENTRY_END + +RANGE_END + +; ns1.gotham.bb. ------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 192.0.1.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.bb. IN A +SECTION ANSWER +gotham.bb. 
IN A 192.0.1.2 +ENTRY_END + +RANGE_END + +; ns1.gotham.ff. ------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 192.0.5.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION ANSWER +gotham.ff. IN A 192.0.5.2 +ENTRY_END + +RANGE_END + +; ---------------------------------------------------------------------------- + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.com. IN A +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +gotham.com. IN A +SECTION ANSWER +gotham.com. IN A 192.0.6.2 +ENTRY_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.aa. IN A +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NXDOMAIN +SECTION QUESTION +gotham.aa. IN A +SECTION ANSWER +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.bb. IN A +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +gotham.bb. IN A +SECTION ANSWER +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.ff. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION ANSWER +gotham.ff. IN A 127.0.0.1 +ENTRY_END + +SCENARIO_END
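Review bot: The scenario title `SCENARIO_BEGIN Test RPZ nsip triggers` is copied from the nsip test, although this file's zone holds only `rpz-nsdname` rules. It should read `SCENARIO_BEGIN Test RPZ nsdname triggers` so that a failing run names the right trigger. The zone also defines `ns1.gotham.cc.rpz-nsdname CNAME rpz-drop.` and `ns1.gotham.dd.rpz-nsdname CNAME rpz-tcp-only.`, but no RANGE serves gotham.cc or gotham.dd and no STEP queries them, so the drop and tcp-only actions for this trigger are never checked. rpz_nsip.rpl has the same gap for its `rpz-drop` and `rpz-tcp-only` rules, so a regression in either policy action would pass both scenarios unnoticed.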
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_nsip.rpl
Added
@@ -0,0 +1,408 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-log: yes + rpz-log-name: "rpz.example.com" + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.gotham.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +24.0.0.0.192.rpz-nsip CNAME . +24.0.1.0.192.rpz-nsip CNAME *. +24.0.2.0.192.rpz-nsip CNAME rpz-drop. +24.0.3.0.192.rpz-nsip CNAME rpz-passthru. +24.0.4.0.192.rpz-nsip CNAME rpz-tcp-only. +24.0.5.0.192.rpz-nsip A 127.0.0.1 +24.0.5.0.192.rpz-nsip TXT "42" +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 1.1.1.1 +CONFIG_END + +SCENARIO_BEGIN Test RPZ nsip triggers + +; . -------------------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 1.1.1.1 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns.root. +SECTION ADDITIONAL +ns.root IN A 1.1.1.1 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +com. IN A +SECTION AUTHORITY +com. IN NS ns1.com. +SECTION ADDITIONAL +ns1.com. IN A 8.8.8.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +aa. IN A +SECTION AUTHORITY +aa. IN NS ns1.aa. +SECTION ADDITIONAL +ns1.aa. IN A 8.8.0.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +bb. IN A +SECTION AUTHORITY +bb. IN NS ns1.bb. +SECTION ADDITIONAL +ns1.bb. IN A 8.8.1.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +cc. IN A +SECTION AUTHORITY +cc. 
IN NS ns1.cc. +SECTION ADDITIONAL +ns1.cc. IN A 8.8.2.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +dd. IN A +SECTION AUTHORITY +dd. IN NS ns1.dd. +SECTION ADDITIONAL +ns1.dd. IN A 8.8.3.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +ee. IN A +SECTION AUTHORITY +ee. IN NS ns1.ee. +SECTION ADDITIONAL +ns1.ee. IN A 8.8.5.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +ff. IN A +SECTION AUTHORITY +ff. IN NS ns1.ff. +SECTION ADDITIONAL +ns1.ff. IN A 8.8.6.8 +ENTRY_END + +RANGE_END + +; com. ----------------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 8.8.8.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +com. IN NS +SECTION ANSWER +com. IN NS ns1.com. +SECTION ADDITIONAL +ns1.com. IN A 8.8.8.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.com. IN A +SECTION AUTHORITY +gotham.com. IN NS ns1.gotham.com. +SECTION ADDITIONAL +ns1.gotham.com. IN A 192.0.6.1 +ENTRY_END + +RANGE_END + +; aa. ------------------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 8.8.0.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +aa. IN NS +SECTION ANSWER +aa. IN NS ns1.aa. +SECTION ADDITIONAL +ns1.aa. IN A 8.8.0.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.aa. IN A +SECTION AUTHORITY +gotham.aa. IN NS ns1.gotham.aa. +SECTION ADDITIONAL +ns1.gotham.aa. IN A 192.0.0.1 +ENTRY_END + +RANGE_END + +; bb. 
------------------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 8.8.1.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +bb. IN NS +SECTION ANSWER +bb. IN NS ns1.bb. +SECTION ADDITIONAL +ns1.bb. IN A 8.8.1.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.bb. IN A +SECTION AUTHORITY +gotham.bb. IN NS ns1.gotham.bb. +SECTION ADDITIONAL +ns1.gotham.bb. IN A 192.0.1.1 +ENTRY_END + +RANGE_END + +; ff. ------------------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 8.8.6.8 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +ff. IN NS +SECTION ANSWER +ff. IN NS ns1.ff. +SECTION ADDITIONAL +ns1.ff. IN A 8.8.6.8 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION AUTHORITY +gotham.ff. IN NS ns1.gotham.ff. +SECTION ADDITIONAL +ns1.gotham.ff. IN A 192.0.5.1 +ENTRY_END + +RANGE_END + +; ns1.gotham.com. ------------------------------------------------------------ +RANGE_BEGIN 0 100 + ADDRESS 192.0.6.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.com. IN A +SECTION ANSWER +gotham.com. IN A 192.0.6.2 +ENTRY_END + +RANGE_END + +; ns1.gotham.aa. ------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 192.0.0.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.aa. IN A +SECTION ANSWER +gotham.aa. IN A 192.0.0.2 +ENTRY_END + +RANGE_END + +; ns1.gotham.bb. ------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 192.0.1.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.bb. IN A +SECTION ANSWER +gotham.bb. 
IN A 192.0.1.2 +ENTRY_END + +RANGE_END + +; ns1.gotham.ff. ------------------------------------------------------------- +RANGE_BEGIN 0 100 + ADDRESS 192.0.5.1 + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION ANSWER +gotham.ff. IN A 192.0.5.2 +ENTRY_END + +RANGE_END + +; ---------------------------------------------------------------------------- + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.com. IN A +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +gotham.com. IN A +SECTION ANSWER +gotham.com. IN A 192.0.6.2 +ENTRY_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.aa. IN A +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD RA NXDOMAIN +SECTION QUESTION +gotham.aa. IN A +SECTION ANSWER +ENTRY_END + +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.bb. IN A +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +gotham.bb. IN A +SECTION ANSWER +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.ff. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION ANSWER +gotham.ff. IN A 127.0.0.1 +ENTRY_END + +; again with more cache items +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +gotham.ff. IN A +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +gotham.ff. IN A +SECTION ANSWER +gotham.ff. IN A 127.0.0.1 +ENTRY_END + +SCENARIO_END
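Review bot: The `24.0.3.0.192.rpz-nsip CNAME rpz-passthru.` rule is never reached. The only nameserver outside the NXDOMAIN/NODATA/local-data ranges is ns1.gotham.com at 192.0.6.1, which matches no rule, so STEP 1/2 is a no-match baseline and not a passthru check. Either give a delegated nameserver an address inside 192.0.3.0/24, or label the step with a comment such as `; baseline: 192.0.6.1 matches no rpz-nsip rule`. The SOA line also names `ns1.rpz.gotham.com.` where the sibling scenarios use `ns1.rpz.example.com.`, which looks like a typo.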
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_passthru.rpl
Added
@@ -0,0 +1,154 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ access-control: 192.0.0.0/8 allow
+
+rpz:
+ name: "rpz.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz.example.com"
+ rpz-action-override: passthru
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+c.a TXT "local data 1st zone"
+d.a A 127.0.0.1
+TEMPFILE_END
+
+rpz:
+ name: "wl.example.com."
+ rpz-log: yes
+ rpz-log-name: "wl.example.com"
+ zonefile:
+TEMPFILE_NAME wl.example.com
+TEMPFILE_CONTENTS wl.example.com
+$ORIGIN example.com.
+wl 3600 IN SOA ns1.wl.example.com. hostmaster.wl.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.wl.example.com.
+ 3600 IN NS ns2.wl.example.com.
+$ORIGIN wl.example.com.
+e.a CNAME rpz-passthru.
+TEMPFILE_END
+
+rpz:
+ name: "rpz2.example.com."
+ rpz-log: yes
+ rpz-log-name: "rpz2.example.com"
+ rpz-action-override: nxdomain
+ zonefile:
+TEMPFILE_NAME rpz2.example.com
+TEMPFILE_CONTENTS rpz2.example.com
+$ORIGIN example.com.
+rpz2 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz2.example.com.
+c.a TXT "local data 2nd zone"
+24.0.5.0.192.rpz-client-ip A 127.0.0.1
+24.0.5.0.192.rpz-client-ip TXT "clientip 2nd zone"
+24.0.3.2.1.rpz-ip A 127.0.0.2
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ passthru ends processing for later triggers.
+
+; a.
+RANGE_BEGIN 0 1000
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+c.a. IN TXT
+SECTION ANSWER
+c.a. IN TXT "answer from upstream ns"
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+e.a. IN A
+SECTION ANSWER
+e.a. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 10 QUERY ADDRESS 192.0.5.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+c.a. IN TXT
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+c.a. IN TXT
+SECTION ANSWER
+c.a. IN TXT "answer from upstream ns"
+ENTRY_END
+
+STEP 20 QUERY ADDRESS 192.0.2.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+d.a. IN A
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+d.a. IN A
+SECTION ANSWER
+d.a. IN A 1.2.3.4
+ENTRY_END
+
+STEP 30 QUERY ADDRESS 192.0.2.1
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+e.a. IN A
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+e.a. IN A
+SECTION ANSWER
+e.a. IN A 1.2.3.4
+ENTRY_END
+
+SCENARIO_END
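Review bot: The three query steps carry no comment saying which later rule each one would hit if passthru did not end processing, so the expected upstream answers are hard to audit. From the zones in this file, STEP 10 (`c.a.` from 192.0.5.1) would otherwise match the `c.a` and `24.0.5.0.192.rpz-client-ip` rules in rpz2.example.com. STEPs 20 and 30 both return 1.2.3.4, which falls under `24.0.3.2.1.rpz-ip` in the same zone. A one-line comment before each step would make the guarded case explicit, e.g. `; d.a: passthru override in rpz.example.com must skip the rpz-ip rule in rpz2.example.com`.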
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/rpz_qname.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_qname.rpl
Changed
@@ -6,6 +6,8 @@ rpz: name: "rpz.example.com." + rpz-log: yes + rpz-log-name: "rpz.example.com" zonefile: TEMPFILE_NAME rpz.example.com TEMPFILE_CONTENTS rpz.example.com @@ -20,10 +22,13 @@ *.a TXT "wildcard local data" b.a CNAME *. c.a CNAME rpz-passthru. +c.g CNAME rpz-passthru. TEMPFILE_END rpz: name: "rpz2.example.com." + rpz-log: yes + rpz-log-name: "rpz2.example.com" zonefile: TEMPFILE_NAME rpz2.example.com TEMPFILE_CONTENTS rpz2.example.com @@ -38,6 +43,8 @@ e CNAME *.a.example. *.e CNAME *.b.example. drop CNAME rpz-drop. +tcp CNAME rpz-tcp-only. +c.g CNAME . TEMPFILE_END stub-zone: @@ -46,12 +53,18 @@ stub-zone: name: "example." stub-addr: 10.20.30.50 +stub-zone: + name: "tcp." + stub-addr: 10.20.30.60 +stub-zone: + name: "g." + stub-addr: 10.20.30.40 CONFIG_END SCENARIO_BEGIN Test all support RPZ action for QNAME trigger ; a. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 10.20.30.40 ENTRY_BEGIN MATCH opcode qtype qname @@ -85,10 +98,20 @@ x.b.a. IN TXT "answer from upstream ns" ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.g. IN TXT +SECTION ANSWER +c.g. IN TXT "answer from upstream ns" +ENTRY_END + RANGE_END ; example. -RANGE_BEGIN 0 100 +RANGE_BEGIN 0 1000 ADDRESS 10.20.30.50 ENTRY_BEGIN MATCH opcode qtype qname 
@@ -122,6 +145,42 @@ something.e.b.example. IN TXT "*.b.example. answer from upstream ns" ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.example. IN TXT +SECTION ANSWER +f.example. IN CNAME d. +ENTRY_END + +RANGE_END + +; tcp. +RANGE_BEGIN 0 1000 + ADDRESS 10.20.30.60 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +tcp. IN NS +SECTION ANSWER +tcp. IN NS ns.example. +SECTION ADDITIONAL +ns.tcp IN A 10.20.30.60 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR AA NOERROR +SECTION QUESTION +tcp. IN TXT +SECTION ANSWER +tcp. IN TXT "tcp. answer from upstream ns" +ENTRY_END RANGE_END STEP 10 QUERY 
@@ -295,10 +354,84 @@ ENTRY_END ; deny zone -STEP 90 QUERY +;STEP 90 QUERY +;ENTRY_BEGIN +;SECTION QUESTION +;drop. IN TXT +;ENTRY_END + +; tcp-only action + +STEP 95 QUERY ENTRY_BEGIN +REPLY RD SECTION QUESTION -drop. IN TXT +tcp. IN TXT ENTRY_END + +STEP 96 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA TC NOERROR +SECTION QUESTION +tcp. IN TXT +SECTION ANSWER +ENTRY_END + +STEP 97 QUERY +ENTRY_BEGIN +MATCH TCP +REPLY RD +SECTION QUESTION +tcp. IN TXT +ENTRY_END + +STEP 98 CHECK_ANSWER +ENTRY_BEGIN +MATCH all TCP +REPLY QR RD RA NOERROR +SECTION QUESTION +tcp. IN TXT +SECTION ANSWER +tcp. IN TXT "tcp. answer from upstream ns" +ENTRY_END + +; check if the name after the CNAME has the qname trigger applied to it. +STEP 100 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.example. IN TXT +ENTRY_END + +STEP 101 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA AA NOERROR +SECTION QUESTION +f.example. IN TXT +SECTION ANSWER +f.example. IN CNAME d. +d. IN TXT "local data 2nd zone" +ENTRY_END + +; check if passthru ends processing +STEP 110 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.g. IN TXT +ENTRY_END + +STEP 111 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +c.g. IN TXT +SECTION ANSWER +c.g. IN TXT "answer from upstream ns" +ENTRY_END + ; no answer is checked at exit of testbound. SCENARIO_END
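Review bot: The `rpz-drop` query for `drop.` (STEP 90) is commented out rather than replaced, so after this hunk nothing in rpz_qname.rpl exercises the `drop CNAME rpz-drop.` rule that remains in rpz2.example.com. The closing comment `; no answer is checked at exit of testbound.` referred to that step and now describes nothing. If the drop action is covered by another scenario, replace the dead block with a single line such as `; STEP 90 disabled: rpz-drop for drop. is not exercised in this scenario` and remove the stale closing comment; otherwise restore the step. The entry that the leading `ENTRY_END` context line closes starts outside this hunk.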
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_qname_tcponly.rpl
Added
@@ -0,0 +1,117 @@
+; config options
+server:
+ module-config: "respip validator iterator"
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+
+rpz:
+ name: "rpz.example.com."
+ zonefile:
+TEMPFILE_NAME rpz.example.com
+TEMPFILE_CONTENTS rpz.example.com
+$ORIGIN example.com.
+rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. (
+ 1379078166 28800 7200 604800 7200 )
+ 3600 IN NS ns1.rpz.example.com.
+ 3600 IN NS ns2.rpz.example.com.
+$ORIGIN rpz.example.com.
+a.a CNAME rpz-passthru.
+b.a CNAME rpz-tcp-only.
+TEMPFILE_END
+
+stub-zone:
+ name: "a."
+ stub-addr: 10.20.30.40
+CONFIG_END
+
+SCENARIO_BEGIN Test RPZ qname trigger and tcp-only action
+
+RANGE_BEGIN 0 100
+ ADDRESS 10.20.30.40
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a. IN NS
+SECTION ANSWER
+a. IN NS ns.a.
+SECTION ADDITIONAL
+ns.a IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "upstream txt rr a.a."
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+b.a. IN TXT
+SECTION ANSWER
+b.a. IN TXT "upstream txt rr b.a."
+ENTRY_END
+
+RANGE_END
+
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+a.a. IN TXT
+ENTRY_END
+
+STEP 11 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+a.a. IN TXT
+SECTION ANSWER
+a.a. IN TXT "upstream txt rr a.a."
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+MATCH UDP
+REPLY RD
+SECTION QUESTION
+b.a. IN TXT
+ENTRY_END
+
+STEP 21 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all UDP
+REPLY QR AA TC RD RA NOERROR
+SECTION QUESTION
+b.a. IN TXT
+SECTION ANSWER
+ENTRY_END
+
+STEP 30 QUERY
+ENTRY_BEGIN
+MATCH TCP
+REPLY RD
+SECTION QUESTION
+b.a. IN TXT
+ENTRY_END
+
+STEP 31 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all TCP
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+b.a. IN TXT
+SECTION ANSWER
+b.a. IN TXT "upstream txt rr b.a."
+ENTRY_END
+
+SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/rpz_respip.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_respip.rpl
Changed
@@ -20,6 +20,7 @@ 16.0.0.10.10.rpz-ip CNAME . 24.0.10.10.10.rpz-ip CNAME rpz-drop. 32.10.10.10.10.rpz-ip CNAME rpz-passthru. +32.1.1.1.10.rpz-ip CNAME rpz-tcp-only. 32.zz.db8.2001.rpz-ip CNAME *. 48.zz.aa.db8.2001.rpz-ip CNAME . 64.zz.bb.aa.db8.2001.rpz-ip CNAME rpz-drop. @@ -217,6 +218,16 @@ h. IN AAAA 2001:db8:aa:bb:cc::124 ENTRY_END +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +y. IN A 10.1.1.1 +ENTRY_END + RANGE_END STEP 1 QUERY @@ -446,4 +457,21 @@ e. IN AAAA ENTRY_END STEP 29 TIME_PASSES ELAPSE 12 + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +y. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR TC RD RA NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +ENTRY_END + SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_respip_tcponly.rpl
Added
@@ -0,0 +1,207 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + +rpz: + name: "rpz.example.com." + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +8.0.0.0.10.rpz-ip CNAME *. +16.0.0.10.10.rpz-ip CNAME . +24.0.10.10.10.rpz-ip CNAME rpz-drop. +32.10.10.10.10.rpz-ip CNAME rpz-passthru. +32.1.1.1.10.rpz-ip CNAME rpz-tcp-only. +TEMPFILE_END + +stub-zone: + name: "." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ response IP address trigger and tcp-only action + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS ns. +SECTION ADDITIONAL +ns. IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +a. IN A 10.0.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +b. IN A 10.1.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c. IN A +SECTION ANSWER +c. IN A 10.11.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d. IN A +SECTION ANSWER +d. IN A 10.10.0.123 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 10.10.10.10 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +y. 
IN A 10.1.1.1 +ENTRY_END + +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a. IN A +ENTRY_END + +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +a. IN A +SECTION ANSWER +ENTRY_END + +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +b. IN A +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +b. IN A +SECTION ANSWER +ENTRY_END + +STEP 13 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d. IN A +ENTRY_END + +STEP 14 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NXDOMAIN +SECTION QUESTION +d. IN A +SECTION ANSWER +ENTRY_END + +STEP 17 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f. IN A +ENTRY_END + +STEP 18 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +f. IN A +SECTION ANSWER +f. IN A 10.10.10.10 +ENTRY_END + +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +y. IN A +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR TC RD RA NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +ENTRY_END + +STEP 40 QUERY +ENTRY_BEGIN +MATCH TCP +REPLY RD +SECTION QUESTION +y. IN A +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all TCP +REPLY QR RD RA NOERROR +SECTION QUESTION +y. IN A +SECTION ANSWER +y. IN A 10.1.1.1 +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/rpz_signal_nxdomain_ra.rpl
Added
@@ -0,0 +1,254 @@ +; config options +server: + module-config: "respip validator iterator" + target-fetch-policy: "0 0 0 0 0" + qname-minimisation: no + access-control: 192.0.0.0/8 allow + +rpz: + name: "rpz.example.com." + rpz-signal-nxdomain-ra: yes + zonefile: +TEMPFILE_NAME rpz.example.com +TEMPFILE_CONTENTS rpz.example.com +$ORIGIN example.com. +rpz 3600 IN SOA ns1.rpz.example.com. hostmaster.rpz.example.com. ( + 1379078166 28800 7200 604800 7200 ) + 3600 IN NS ns1.rpz.example.com. + 3600 IN NS ns2.rpz.example.com. +$ORIGIN rpz.example.com. +a.a CNAME . +b.a CNAME . +ns1.a.rpz-nsdname CNAME . +24.0.0.0.192.rpz-nsip CNAME . +24.0.3.0.192.rpz-client-ip CNAME . +TEMPFILE_END + +stub-zone: + name: "a." + stub-addr: 10.20.30.40 +CONFIG_END + +SCENARIO_BEGIN Test RPZ qname trigger and signal NXDOMAIN with unset RA. + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.40 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a. IN NS +SECTION ANSWER +a. IN NS ns.a. +SECTION ADDITIONAL +ns.a IN A 10.20.30.40 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +a.a. IN TXT "upstream txt rr a.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +b.a. IN TXT +SECTION ANSWER +b.a. IN TXT "upstream txt rr b.a." +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode subdomain +ADJUST copy_id copy_query +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +SECTION AUTHORITY +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. 
IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +f.a. IN TXT "upstream txt rr f.a." +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 10.20.30.50 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.a. IN NS +SECTION ANSWER +d.a. IN NS ns1.a. +SECTION ADDITIONAL +ns1.a. IN A 10.20.30.50 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +d.d.a. IN TXT "upstream answer for d.d.a" +ENTRY_END + +RANGE_END + +RANGE_BEGIN 0 100 + ADDRESS 192.0.0.5 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.a. IN NS +SECTION ANSWER +e.a. IN NS ns2.a. +SECTION ADDITIONAL +ns2.a. IN A 192.0.0.5 +ENTRY_END + +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +e.e.a. IN TXT +SECTION ANSWER +e.e.a. IN TXT "upstream answer for e.e.a" +ENTRY_END + +RANGE_END + +; qname trigger +STEP 10 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +a.a. IN TXT +ENTRY_END + +STEP 11 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +a.a. IN TXT +SECTION ANSWER +ENTRY_END + +; qname trigger after cname +STEP 20 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +c.a. IN TXT +ENTRY_END + +STEP 21 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +c.a. IN TXT +SECTION ANSWER +c.a. IN CNAME b.a +ENTRY_END + +; nsdname trigger +STEP 30 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +d.d.a. IN TXT +ENTRY_END + +STEP 31 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +d.d.a. IN TXT +SECTION ANSWER +ENTRY_END + +; nsip trigger +STEP 40 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +e.e.a. IN TXT +ENTRY_END + +STEP 41 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD AA NXDOMAIN +SECTION QUESTION +e.e.a. 
IN TXT +SECTION ANSWER +ENTRY_END + +; clientip trigger +STEP 50 QUERY ADDRESS 192.0.3.1 +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +f.a. IN TXT +ENTRY_END + +STEP 51 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR AA RD NXDOMAIN +SECTION QUESTION +f.a. IN TXT +SECTION ANSWER +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/serve_expired.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired.rpl
Changed
@@ -5,6 +5,8 @@ minimal-responses: no serve-expired: yes access-control: 127.0.0.1/32 allow_snoop + ede: yes + ede-serve-expired: yes stub-zone: name: "example.com" @@ -78,6 +80,7 @@ ; Query again without RD bit STEP 30 QUERY ENTRY_BEGIN + REPLY DO SECTION QUESTION example.com. IN A ENTRY_END @@ -85,8 +88,8 @@ ; Check that we got a stale answer STEP 40 CHECK_ANSWER ENTRY_BEGIN - MATCH all ttl - REPLY QR RA NOERROR + MATCH all ttl ede=3 + REPLY QR RA DO NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER
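Review bot: `ede=3` in the STEP 40 match is an unexplained magic number; a comment line such as `; EDE 3 = Stale Answer (RFC 8914)` above the MATCH line would say what is being asserted. The same bare `ede=3` appears in the changed serve_expired_client_timeout.rpl, serve_expired_reply_ttl.rpl, serve_expired_zerottl.rpl and serve_original_ttl.rpl hunks and in the new serve_expired_client_timeout_servfail.rpl. A second comment could explain why `DO` was added to the query in STEP 30, presumably so that the query carries EDNS and the reply can hold the EDE option. The STEP entries begin and end outside these hunks.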
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired_cached_servfail.rpl
Added
@@ -0,0 +1,130 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-reply-ttl: 123 + log-servfail: yes + ede: yes + ede-serve-expired: yes + + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply +; Scenario overview: +; - query for example.com. IN A +; - answer from upstream is SERVFAIL; will be cached for NORR_TTL(5) +; - check that the client gets the SERVFAIL; also cached +; - query again right after the TTL expired +; - cached SERVFAIL should be ignored and upstream queried +; - check that we get the correct answer + +; ns.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA SERVFAIL + SECTION QUESTION + example.com. IN A + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 30 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. 10 IN NS + SECTION ANSWER + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 0 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we get the SERVFAIL (will be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RD RA SERVFAIL + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Query again +STEP 20 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. 
IN A +ENTRY_END + +; Check that we get the cached SERVFAIL +STEP 30 CHECK_ANSWER +ENTRY_BEGIN + MATCH all + REPLY QR RD RA SERVFAIL + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Wait for the SERVFAIL to expire +STEP 31 TIME_PASSES ELAPSE 6 + +; Query again +STEP 40 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer +STEP 50 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END
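Review bot: The SCENARIO_BEGIN title, `Test serve-expired with client-timeout and a SERVFAIL upstream reply`, is the same as the one in serve_expired_client_timeout_servfail.rpl and names a client-timeout that this file's config never sets (there is no `serve-expired-client-timeout` line). A title that follows the scenario overview, for example `SCENARIO_BEGIN Test that serve-expired ignores an expired cached SERVFAIL and queries upstream`, would keep failing-test output unambiguous. Separately, STEP 30 does not appear able to tell a cached SERVFAIL from a fresh one, because the 0-20 range still answers SERVFAIL when the STEP 20 query arrives; the comment `; Check that we get the cached SERVFAIL` promises more than the step checks.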
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/serve_expired_client_timeout.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired_client_timeout.rpl
Changed
@@ -6,6 +6,8 @@ serve-expired: yes serve-expired-client-timeout: 1 serve-expired-reply-ttl: 123 + ede: yes + ede-serve-expired: yes stub-zone: name: "example.com" @@ -83,7 +85,7 @@ ; Query again STEP 30 QUERY ENTRY_BEGIN - REPLY RD + REPLY RD DO SECTION QUESTION example.com. IN A ENTRY_END @@ -94,8 +96,8 @@ ; Check that we got a stale answer STEP 40 CHECK_ANSWER ENTRY_BEGIN - MATCH all ttl - REPLY QR RD RA NOERROR + MATCH all ttl ede=3 + REPLY QR RD RA DO NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired_client_timeout_no_prefetch.rpl
Added
@@ -0,0 +1,110 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 + ede: yes + ede-serve-expired: yes + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test that no prefetch is triggered for 0TTL records with serve-expired and client-timeout enabled +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right at the 0TTL cached entry +; - check that we get the cached answer with no prefetching triggered + +; ns.example.com. +RANGE_BEGIN 0 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 0 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 1 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire and produce a 0 TTL cached record. 
+STEP 10 TIME_PASSES ELAPSE 10 + +; Query again +STEP 20 QUERY +ENTRY_BEGIN + REPLY RD DO + SECTION QUESTION + example.com. IN A +ENTRY_END + +; This should come from the cache with no prefetch triggered (earlier bug). +STEP 21 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA DO NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 0 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 3590 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 3590 IN A 1.2.3.4 +ENTRY_END + +; If a prefetch triggers the test will fail with 'messages pending'. + +SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired_client_timeout_servfail.rpl
Added
@@ -0,0 +1,119 @@ +; config options +server: + module-config: "validator iterator" + qname-minimisation: "no" + minimal-responses: no + serve-expired: yes + serve-expired-client-timeout: 1 + serve-expired-reply-ttl: 123 + log-servfail: yes + ede: yes + ede-serve-expired: yes + + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test serve-expired with client-timeout and a SERVFAIL upstream reply +; Scenario overview: +; - query for example.com. IN A +; - check that we get an answer for example.com. IN A with the correct TTL +; - query again right after the TTL expired +; - answer from upstream is servfail +; - check that we get the expired cached answer instead + +; ns.example.com. +RANGE_BEGIN 0 20 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. 10 IN NS + SECTION ANSWER + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 10 IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 30 70 + ADDRESS 1.2.3.4 + ; response to A query + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR AA SERVFAIL + SECTION QUESTION + example.com. IN A + ENTRY_END +RANGE_END + +; Query with RD flag +STEP 1 QUERY +ENTRY_BEGIN + REPLY RD + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got the correct answer (should be cached) +STEP 10 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl + REPLY QR RD RA NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 10 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 10 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 
10 IN A 1.2.3.4 +ENTRY_END + +; Wait for the TTL to expire +STEP 11 TIME_PASSES ELAPSE 11 + +; Query again +STEP 30 QUERY +ENTRY_BEGIN + REPLY RD DO + SECTION QUESTION + example.com. IN A +ENTRY_END + +; Check that we got a stale answer +STEP 40 CHECK_ANSWER +ENTRY_BEGIN + MATCH all ttl ede=3 + REPLY QR RD RA DO NOERROR + SECTION QUESTION + example.com. IN A + SECTION ANSWER + example.com. 123 IN A 5.6.7.8 + SECTION AUTHORITY + example.com. 123 IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. 123 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/serve_expired_reply_ttl.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired_reply_ttl.rpl
Changed
@@ -5,6 +5,8 @@ minimal-responses: no serve-expired: yes serve-expired-reply-ttl: 123 + ede: yes + ede-serve-expired: yes stub-zone: name: "example.com" @@ -77,7 +79,7 @@ ; Query again STEP 30 QUERY ENTRY_BEGIN - REPLY RD + REPLY RD DO SECTION QUESTION example.com. IN A ENTRY_END @@ -85,8 +87,8 @@ ; Check that we got a stale answer STEP 40 CHECK_ANSWER ENTRY_BEGIN - MATCH all ttl - REPLY QR RD RA NOERROR + MATCH all ttl ede=3 + REPLY QR RD RA DO NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/serve_expired_zerottl.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_expired_zerottl.rpl
Changed
@@ -5,6 +5,8 @@ minimal-responses: no serve-expired: yes serve-expired-reply-ttl: 123 + ede: yes + ede-serve-expired: yes stub-zone: name: "example.com" @@ -128,7 +130,7 @@ ; Query with RD flag STEP 40 QUERY ENTRY_BEGIN - REPLY RD + REPLY RD DO SECTION QUESTION example.com. IN A ENTRY_END @@ -136,8 +138,8 @@ ; Check that we got the correct answer STEP 49 CHECK_ANSWER ENTRY_BEGIN - MATCH all ttl - REPLY QR RD RA NOERROR + MATCH all ttl ede=3 + REPLY QR RD RA DO NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/serve_original_ttl.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/serve_original_ttl.rpl
Changed
@@ -9,6 +9,8 @@ cache-min-ttl: 20 serve-expired: yes serve-expired-reply-ttl: 123 + ede: yes + ede-serve-expired: yes stub-zone: name: "example.com" @@ -110,7 +112,7 @@ ; Query again STEP 40 QUERY ENTRY_BEGIN - REPLY + REPLY DO SECTION QUESTION example.com. IN A ENTRY_END @@ -118,8 +120,8 @@ ; Check that we got a stale answer with the original TTL STEP 50 CHECK_ANSWER ENTRY_BEGIN - MATCH all ttl - REPLY QR RA NOERROR + MATCH all ttl ede=3 + REPLY QR RA DO NOERROR SECTION QUESTION example.com. IN A SECTION ANSWER
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/stat_values.tdir/stat_values.conf -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/stat_values.tdir/stat_values.conf
Changed
@@ -1,5 +1,5 @@ server: - verbosity: 2 + verbosity: 5 num-threads: 1 interface: 127.0.0.1 port: @PORT@ @@ -11,6 +11,9 @@ do-not-query-localhost: no extended-statistics: yes identity: "stat_values" + outbound-msg-retry: 0 + root-key-sentinel: no + trust-anchor-signaling: no local-zone: local.zone static local-data: "www.local.zone A 192.0.2.1"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/stat_values.tdir/stat_values.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/stat_values.tdir/stat_values.test
Changed
@@ -186,6 +186,7 @@ num.query.flags.RD=1 num.query.flags.AD=1 num.query.edns.present=1 +num.query.udpout=1 msg.cache.count=1 rrset.cache.count=1 infra.cache.count=1 @@ -223,6 +224,7 @@ num.query.flags.RD=1 num.query.opcode.QUERY=1 num.query.type.A=1 +num.query.udpout=1 msg.cache.count=1 rrset.cache.count=1 infra.cache.count=1" @@ -249,6 +251,7 @@ num.query.flags.RD=1 num.query.flags.AD=1 num.query.edns.present=1 +num.query.udpout=1 msg.cache.count=2 rrset.cache.count=2 infra.cache.count=2 @@ -263,6 +266,7 @@ else end 1 fi +sleep 1 # make sure the outgoing UDP (and the edns1xx0 retry) are accounted for. check_stats "\ total.num.queries=1 total.num.expired=1 @@ -274,6 +278,7 @@ num.query.flags.RD=1 num.query.opcode.QUERY=1 num.query.type.A=1 +num.query.udpout=2 total.num.cachemiss=1 msg.cache.count=2 rrset.cache.count=2 @@ -327,6 +332,7 @@ num.query.flags.RD=1 num.query.opcode.QUERY=1 num.query.type.A=1 +num.query.udpout=1 total.num.queries=1 total.num.recursivereplies=1 msg.cache.count=3
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/stream_ssl.tdir/stream_ssl.clie.conf -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/stream_ssl.tdir/stream_ssl.clie.conf
Changed
@@ -16,3 +16,7 @@ forward-zone: name: "." forward-addr: "127.0.0.1@@SERVPORT@#unbound" + +forward-zone: + name: "test.host." + forward-host: "unbound.server@@SERVPORT@#unbound"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/stream_ssl.tdir/stream_ssl.serv.conf -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/stream_ssl.tdir/stream_ssl.serv.conf
Changed
@@ -10,6 +10,8 @@ username: "" do-not-query-localhost: yes local-data: "www.example.com. IN A 10.20.30.40" + local-data: "unbound.server. IN A 127.0.0.1" + local-data: "test.host. IN A 1.2.3.4" ssl-port: @SERVPORT@ ssl-service-key: "unbound_server.key" ssl-service-pem: "unbound_server.pem"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/stream_ssl.tdir/stream_ssl.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/stream_ssl.tdir/stream_ssl.test
Changed
@@ -73,4 +73,38 @@ exit 1 fi +rm -f outfile + +# test client unbound (no SSL towards it, but it does SSL to the SSL service) +# test that forward-host notation also works. +echo "> dig test.host. A IN" +dig @127.0.0.1 -p $CLIE_PORT test.host. >outfile 2>&1 +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + echo "SSLSERVICE" + cat unboundserv.log + echo "SSLCLIENT" + cat unboundclie.log + echo "Not OK" + exit 1 +else + echo "exit status OK" +fi +echo "> cat logfiles" +cat outfile +echo "SSLSERVICE" +cat unboundserv.log +echo "SSLCLIENT" +cat unboundclie.log +echo "> check answer" +if grep "1.2.3.4" outfile; then + echo "OK" +else + echo "Not OK" + exit 1 +fi + +rm -f outfile exit 0
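Review bot: The new block passes as soon as `1.2.3.4` appears in the dig output, which shows that the `forward-host` zone reached the TLS server but not that the server certificate was checked against the `#unbound` name. Whether the client config loads a certificate bundle is outside the visible hunks, so this may already be covered; if it is not, a comment such as `# only checks the answer; upstream certificate verification is not asserted here` would keep the block from being read as an authentication test. The pattern is also an unanchored regex in which each dot matches any character, so `grep -F "1.2.3.4" outfile` would be more exact. The script begins before this hunk.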
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir/stub_auth_tc.conf
Added
@@ -0,0 +1,16 @@
+server:
+ verbosity: 4
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: .
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+
+stub-zone:
+ name: "example.com"
+ stub-addr: "127.0.0.1@@TOPORT@"
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir/stub_auth_tc.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: stub_auth_tc
+Version: 1.0
+Description: Authority reply with erroneous TC in TCP
+CreationDate: Mon Oct 3 09:11:32 CEST 2022
+Maintainer: dr. W.C.A. Wijngaards
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: stub_auth_tc.pre
+Post: stub_auth_tc.post
+Test: stub_auth_tc.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir/stub_auth_tc.post
Added
@@ -0,0 +1,11 @@
+# #-- stub_auth_tc.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir/stub_auth_tc.pre
Added
@@ -0,0 +1,31 @@
+# #-- stub_auth_tc.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT stub_auth_tc.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_auth_tc.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_ldns_testns_up fwd.log
+wait_unbound_up unbound.log
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir/stub_auth_tc.test
Added
@@ -0,0 +1,26 @@
+# #-- stub_auth_tc.test --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig www.example.com."
+dig @localhost -p $UNBOUND_PORT www.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "SERVFAIL" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+if grep "flags:" outfile | grep " tc "; then
+ echo "Not OK, TC flag in output"
+ exit 1
+fi
+
+exit 0
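Review bot: The query is sent with `dig @localhost`, while stub_auth_tc.conf binds only `interface: 127.0.0.1`; on a host where localhost resolves to ::1 first, dig has to fail over before it reaches the listener, and the sibling tests in this commit use the literal address. I would change the line to `dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile`. A short header comment stating the intent would also help: an upstream that sets TC even on its TCP reply must produce SERVFAIL for the client, with no TC flag passed on. Today the only hint is the Description line in the .dsc file.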
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_auth_tc.tdir/stub_auth_tc.testns
Added
@@ -0,0 +1,26 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname UDP
+REPLY QR AA TC NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname TCP
+; erroneous TC flag here.
+REPLY QR AA TC NOERROR
+ADJUST copy_id
+SECTION QUESTION
+www IN A
+SECTION ANSWER
+www IN A 10.20.30.40
+www IN A 10.20.30.41
+www IN A 10.20.30.42
+ENTRY_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir
Added
+(directory)
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.conf
Added
@@ -0,0 +1,19 @@
+server:
+ verbosity: 2
+ # num-threads: 1
+ interface: 127.0.0.1
+ port: @PORT@
+ use-syslog: no
+ directory: ""
+ pidfile: "unbound.pid"
+ chroot: ""
+ username: ""
+ do-not-query-localhost: no
+stub-zone:
+ name: "tcp.example.com"
+ stub-addr: "127.0.0.1@@TOPORT@"
+ stub-tcp-upstream: "yes"
+stub-zone:
+ name: "udp.example.com"
+ stub-addr: "127.0.0.1@@TOPORT@"
+ stub-tcp-upstream: "no"
\ No newline at end of file
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.dsc
Added
@@ -0,0 +1,16 @@
+BaseName: stub_udp_with_tcp_upstream
+Version: 1.0
+Description: Stub server contacted via UDP with tcp upstream.
+CreationDate: Thu Aug 5 07:44:41 CEST 2021
+Maintainer: ziollek
+Category:
+Component:
+CmdDepends:
+Depends:
+Help:
+Pre: stub_udp_with_tcp_upstream.pre
+Post: stub_udp_with_tcp_upstream.post
+Test: stub_udp_with_tcp_upstream.test
+AuxFiles:
+Passed:
+Failure:
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.post
Added
@@ -0,0 +1,10 @@
+# #-- stub_udp_with_tcp_upstream.post --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# source the test var file when it's there
+ -f .tpkg.var.test && source .tpkg.var.test
+#
+# do your teardown here
+. ../common.sh
+kill_pid $FWD_PID
+kill_pid $UNBOUND_PID
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.pre
Added
@@ -0,0 +1,35 @@
+# #-- stub_udp_with_tcp_upstream.pre--#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+. ../common.sh
+
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+FWD_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "FWD_PORT=$FWD_PORT" >> .tpkg.var.test
+
+# start forwarder
+get_ldns_testns
+$LDNS_TESTNS -p $FWD_PORT stub_udp_with_tcp_upstream.testns >fwd.log 2>&1 &
+FWD_PID=$!
+echo "FWD_PID=$FWD_PID" >> .tpkg.var.test
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$FWD_PORT'/' < stub_udp_with_tcp_upstream.conf > ub.conf
+# start unbound in the background
+PRE="../.."
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+
+# wait for forwarder to come up
+wait_ldns_testns_up fwd.log
+
+# wait for unbound to come up
+wait_unbound_up unbound.log
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.test
Added
@@ -0,0 +1,37 @@
+# #-- stub_udp_with_tcp_upstream.test --#
+# source the master var file when it's there
+ -f ../.tpkg.var.master && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+ -f .tpkg.var.test && source .tpkg.var.test
+
+PRE="../.."
+# do the test
+echo "> dig tcp.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT tcp.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.40" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+
+# check if second stub is requested via udp
+echo "> dig udp.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT udp.example.com. | tee outfile
+echo "> cat logfiles"
+cat fwd.log
+cat unbound.log
+echo "> check answer"
+if grep "10.20.30.80" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+exit 0
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/stub_udp_with_tcp_upstream.tdir/stub_udp_with_tcp_upstream.testns
Added
@@ -0,0 +1,48 @@
+; nameserver test file
+$ORIGIN example.com.
+$TTL 3600
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+MATCH TCP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+tcp IN A
+SECTION ANSWER
+tcp IN A 10.20.30.40
+SECTION AUTHORITY
+@ IN NS ns.example.com.
+SECTION ADDITIONAL
+ns IN A 127.0.0.1
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+MATCH UDP
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+udp IN A
+SECTION ANSWER
+udp IN A 10.20.30.80
+SECTION AUTHORITY
+@ IN NS ns.example.com.
+SECTION ADDITIONAL
+ns IN A 127.0.0.1
+ENTRY_END
+
+; root prime
+ENTRY_BEGIN
+MATCH opcode qtype qname
+REPLY QR AA NOERROR
+ADJUST copy_id
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS root.server.
+SECTION AUTHORITY
+SECTION ADDITIONAL
+root.server. IN A 127.0.0.1
+ENTRY_END
+
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/subnet_cached_servfail.crpl
Added
@@ -0,0 +1,167 @@ +; Check if an expired SERVFAIL answer stored in the global cache does not block +; ECS queries to reach the ECS cache. + +server: + trust-anchor-signaling: no + target-fetch-policy: "0 0 0 0 0" + send-client-subnet: 1.2.3.4 + max-client-subnet-ipv4: 21 + module-config: "subnetcache iterator" + verbosity: 3 + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no + serve-expired: yes + prefetch: yes + +stub-zone: + name: "example.com." + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test that expired SERVFAIL in global cache does not block clients to reach the ECS cache + +; ns.example.com. +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR SERVFAIL + SECTION QUESTION + www.example.com. IN A + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 11 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id copy_ednsdata_assume_clientsubnet + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 10 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 05 ; option length + 00 01 ; Family + 08 00 ; source mask, scopemask + 7f ; address + HEX_EDNSDATA_END + ns.example.com. 
IN A 1.2.3.4 + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; This answer should be in the global cache +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; Bring the cached SERVFAIL to prefetch time +STEP 10 TIME_PASSES ELAPSE 5 + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 00 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ENTRY_END + +; This answer was cached but a prefetch was triggerred +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH opcode qtype qname +REPLY QR RD RA SERVFAIL +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; Wait for the SERVFAIL to expire +STEP 13 TIME_PASSES ELAPSE 2 + +; Query again to verify that the record was prefetched and stored in the ECS +; cache (because the server replied with ECS this time) +STEP 14 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 00 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ENTRY_END + +; This record came from the ECS cache +STEP 15 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA DO NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 8 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3598 IN NS ns.example.com. +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 08 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ns.example.com. 3598 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/subnet_prefetch.crpl
Added
@@ -0,0 +1,224 @@ +; Check if the prefetch option works properly for messages stored in the global +; cache for non-ECS clients. The prefetch query needs to result in an ECS +; outgoing query based on the client's IP. + +server: + trust-anchor-signaling: no + target-fetch-policy: "0 0 0 0 0" + send-client-subnet: 1.2.3.4 + max-client-subnet-ipv4: 21 + module-config: "subnetcache iterator" + verbosity: 3 + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no + prefetch: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. 
IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 10 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 11 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id copy_ednsdata_assume_clientsubnet + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 10 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 15 00 ; source mask, scopemask + 7f 00 00 ; address + HEX_EDNSDATA_END + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; This answer should be in the global cache (because no ECS from upstream) +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Try to trigger a prefetch +STEP 3 TIME_PASSES ELAPSE 9 + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. 
IN A +ENTRY_END + +; This record came from the global cache and a prefetch was triggered +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 1 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3591 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3591 IN A 1.2.3.4 +ENTRY_END + +; Allow time to pass so that the global cache record is expired +STEP 13 TIME_PASSES ELAPSE 2 + +; Query again to verify that the record was prefetched and stored in the ECS +; cache (because the server replied with ECS this time) +STEP 14 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; This record came from the ECS cache +STEP 15 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 8 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3598 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3598 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/subnet_prefetch_with_client_ecs.crpl
Added
@@ -0,0 +1,241 @@ +; Check if the prefetch option works properly for messages stored in the global +; cache for ECS clients. The prefetch query needs to result in an ECS +; outgoing query using the client's ECS data. + +server: + trust-anchor-signaling: no + target-fetch-policy: "0 0 0 0 0" + send-client-subnet: 1.2.3.4 + max-client-subnet-ipv4: 21 + module-config: "subnetcache iterator" + verbosity: 3 + access-control: 127.0.0.1 allow_snoop + qname-minimisation: no + minimal-responses: no + prefetch: yes + +stub-zone: + name: "." + stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET. +CONFIG_END + +SCENARIO_BEGIN Test prefetch option for global cache with ECS enabled and ECS client + +; K.ROOT-SERVERS.NET. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + . IN NS + SECTION ANSWER + . IN NS K.ROOT-SERVERS.NET. + SECTION ADDITIONAL + K.ROOT-SERVERS.NET. IN A 193.0.14.129 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION AUTHORITY + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END +RANGE_END + +; a.gtld-servers.net. +RANGE_BEGIN 0 100 + ADDRESS 192.5.6.30 + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + com. IN NS + SECTION ANSWER + com. IN NS a.gtld-servers.net. + SECTION ADDITIONAL + a.gtld-servers.net. IN A 192.5.6.30 + ENTRY_END + + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 0 10 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. 
IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 10 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +; ns.example.com. +RANGE_BEGIN 11 100 + ADDRESS 1.2.3.4 + ENTRY_BEGIN + MATCH opcode qtype qname + ADJUST copy_id + REPLY QR NOERROR + SECTION QUESTION + example.com. IN NS + SECTION ANSWER + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + ns.example.com. IN A 1.2.3.4 + ENTRY_END + + ; response to query of interest + ENTRY_BEGIN + MATCH opcode qtype qname ednsdata + ADJUST copy_id copy_ednsdata_assume_clientsubnet + REPLY QR NOERROR + SECTION QUESTION + www.example.com. IN A + SECTION ANSWER + www.example.com. 10 IN A 10.20.30.40 + SECTION AUTHORITY + example.com. IN NS ns.example.com. + SECTION ADDITIONAL + HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 05 ; option length + 00 01 ; Family + 08 00 ; source mask, scopemask + 7f ; address + HEX_EDNSDATA_END + ns.example.com. IN A 1.2.3.4 + ENTRY_END +RANGE_END + +STEP 1 QUERY +ENTRY_BEGIN +REPLY RD +SECTION QUESTION +www.example.com. IN A +ENTRY_END + +; This answer should be in the global cache +STEP 2 CHECK_ANSWER +ENTRY_BEGIN +MATCH all +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +example.com. IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. IN A 1.2.3.4 +ENTRY_END + +; Try to trigger a prefetch +STEP 3 TIME_PASSES ELAPSE 9 + +STEP 11 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. 
IN A +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 00 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ENTRY_END + +; This record came from the global cache and a prefetch was triggered +STEP 12 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA DO NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 1 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3591 IN NS ns.example.com. +SECTION ADDITIONAL +ns.example.com. 3591 IN A 1.2.3.4 +ENTRY_END + +; Allow time to pass so that the global cache record is expired +STEP 13 TIME_PASSES ELAPSE 2 + +; Query again to verify that the record was prefetched and stored in the ECS +; cache (because the server replied with ECS this time) +STEP 14 QUERY +ENTRY_BEGIN +REPLY RD DO +SECTION QUESTION +www.example.com. IN A +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 00 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ENTRY_END + +; This record came from the ECS cache +STEP 15 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ttl +REPLY QR RD RA DO NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 8 IN A 10.20.30.40 +SECTION AUTHORITY +example.com. 3598 IN NS ns.example.com. +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 00 05 ; OPC, optlen + 00 01 08 08 ; ip4, source 8, scope 0 + 7f ; 127.0.0.0/8 +HEX_EDNSDATA_END +ns.example.com. 3598 IN A 1.2.3.4 +ENTRY_END + +SCENARIO_END
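Review bot: The expected ECS option in STEP 15 is annotated `; ip4, source 8, scope 0`, but the bytes on that line are `00 01 08 08`, which is a scope prefix-length of 8. The comment looks copied from the STEP 14 query; if the bytes are what is intended, it should read `00 01 08 08 ; ip4, source 8, scope 8`, so a reader does not conclude that a scope-0 (shareable with every client) answer is expected from the ECS cache. STEP 15 also uses `MATCH all ttl`, while subnet_scopezero.crpl uses `MATCH all ednsdata` where the option has to match, so this block may not be compared at all; if that is so, `MATCH all ttl ednsdata` would make the scope check effective. The same annotated line appears in STEP 15 of the expired-SERVFAIL scenario just above this file.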
_service:tar_scm:unbound-1.17.1.tar.gz/testdata/subnet_scopezero.crpl
Added
@@ -0,0 +1,439 @@ +; scope of 0, if the query also had scope of 0, do not answer this +; to everyone, but only for scope 0 queries. Otherwise can answer cached. + +server: + target-fetch-policy: "0 0 0 0 0" + send-client-subnet: 1.2.3.4 + module-config: "subnetcache validator iterator" + verbosity: 4 + qname-minimisation: no + +stub-zone: + name: "." + stub-addr: 193.0.14.129 + +stub-zone: + name: "example.com" + stub-addr: 1.2.3.4 +CONFIG_END + +SCENARIO_BEGIN Test subnet cache with scope zero queries and responses. + +; the upstream server. +RANGE_BEGIN 0 100 + ADDRESS 193.0.14.129 + +ENTRY_BEGIN +MATCH opcode qtype qname ednsdata +ADJUST copy_id +REPLY QR NOERROR +SECTION QUESTION +. IN NS +SECTION ANSWER +. IN NS K.ROOT-SERVERS.NET. +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ;; we expect to receive empty +HEX_EDNSDATA_END +K.ROOT-SERVERS.NET. IN A 193.0.14.129 +ENTRY_END +RANGE_END + +RANGE_BEGIN 0 11 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +;copy_ednsdata_assume_clientsubnet +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 11 ; source mask, scopemask + 7f 00 00 ; address +HEX_EDNSDATA_END +ENTRY_END +RANGE_END + +RANGE_BEGIN 20 31 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +;copy_ednsdata_assume_clientsubnet +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 
IN A 10.20.30.41 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 11 ; source mask, scopemask + 7f 01 00 ; address +HEX_EDNSDATA_END +ENTRY_END +RANGE_END + +RANGE_BEGIN 40 51 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +;copy_ednsdata_assume_clientsubnet +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.42 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 ; OPC + 00 04 ; option length + 00 01 ; Family + 00 00 ; source mask, scopemask + ; address 0.0.0.0/0 scope 0 +HEX_EDNSDATA_END +ENTRY_END +RANGE_END + +RANGE_BEGIN 120 131 + ADDRESS 1.2.3.4 +ENTRY_BEGIN +MATCH opcode qtype qname +ADJUST copy_id +;copy_ednsdata_assume_clientsubnet +REPLY QR NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.43 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 00 ; source mask, scopemask + 7f 02 00 ; address 127.2.0.0/24 scope 0 +HEX_EDNSDATA_END +ENTRY_END +RANGE_END + +; query for 127.0.0.0/24 +STEP 1 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? (DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 0b + + 00 08 00 07 ; OPC, optlen + 00 01 18 00 ; ip4, scope 24, source 0 + 7f 00 00 ;127.0.0.0/24 +HEX_ANSWER_END +ENTRY_END + +; answer is 10.20.30.40 for 127.0.0.0/24 scope 17 +STEP 10 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. 
IN A 10.20.30.40 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 11 ; source mask, scopemask + 7f 00 00 ; address +HEX_EDNSDATA_END +ENTRY_END + +; query for 127.1.0.0/24 +STEP 20 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? (DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 0b + + 00 08 00 07 ; OPC, optlen + 00 01 18 00 ; ip4, scope 24, source 0 + 7f 01 00 ;127.1.0.0/24 +HEX_ANSWER_END +ENTRY_END + +; answer is 10.20.30.41 for 127.1.0.0/24 scope 17 +STEP 30 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.41 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.1.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 11 ; source mask, scopemask + 7f 01 00 ; address +HEX_EDNSDATA_END +ENTRY_END + +; query for 0.0.0.0/0 +STEP 40 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? (DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 08 + + 00 08 00 04 ; OPC, optlen + 00 01 00 00 ; ip4, scope 0, source 0 + ;0.0.0.0/0 +HEX_ANSWER_END +ENTRY_END + +; answer is 10.20.30.42 for 0.0.0.0/0 scope 0 +STEP 50 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.42 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 ; OPC + 00 04 ; option length + 00 01 ; Family + 00 00 ; source mask, scopemask + ; address +HEX_EDNSDATA_END +ENTRY_END + +; query for 127.0.0.0/24, again, it should be in cache. +; and not from the scope 0 answer. 
+STEP 60 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? (DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 0b + + 00 08 00 07 ; OPC, optlen + 00 01 18 00 ; ip4, scope 24, source 0 + 7f 00 00 ;127.0.0.0/24 +HEX_ANSWER_END +ENTRY_END + +; answer should be 10.20.30.40 for 127.0.0.0/24 scope 17 +STEP 70 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.40 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 11 ; source mask, scopemask + 7f 00 00 ; address +HEX_EDNSDATA_END +ENTRY_END + +; query for 127.1.0.0/24, again, it should be in cache. +STEP 80 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? (DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 0b + + 00 08 00 07 ; OPC, optlen + 00 01 18 00 ; ip4, scope 24, source 0 + 7f 01 00 ;127.1.0.0/24 +HEX_ANSWER_END +ENTRY_END + +; answer should be 10.20.30.41 for 127.1.0.0/24 scope 17 +STEP 90 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.41 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.1.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 11 ; source mask, scopemask + 7f 01 00 ; address +HEX_EDNSDATA_END +ENTRY_END + +; query for 0.0.0.0/0, again. +STEP 100 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? 
(DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 08 + + 00 08 00 04 ; OPC, optlen + 00 01 00 00 ; ip4, scope 0, source 0 + ;0.0.0.0/0 +HEX_ANSWER_END +ENTRY_END + +; answer should be 10.20.30.42 for 0.0.0.0/0 scope 0 +STEP 110 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.42 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + 00 08 ; OPC + 00 04 ; option length + 00 01 ; Family + 00 00 ; source mask, scopemask + ; address +HEX_EDNSDATA_END +ENTRY_END + +; now a query for a /24 that gets an answer for a /0. +STEP 120 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? (DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 0b + + 00 08 00 07 ; OPC, optlen + 00 01 18 00 ; ip4, scope 24, source 0 + 7f 02 00 ;127.2.0.0/24 +HEX_ANSWER_END +ENTRY_END + +; answer should be 10.20.30.43 for 127.2.0.0/24 scope 0 +STEP 130 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.43 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.2.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 00 ; source mask, scopemask + 7f 02 00 ; address +HEX_EDNSDATA_END +ENTRY_END + +; the scope 0 answer is now used to answer queries from +; query for 127.0.0.0/24 +STEP 140 QUERY +ENTRY_BEGIN +HEX_ANSWER_BEGIN + 00 00 01 00 00 01 00 00 ;ID 0 + 00 00 00 01 03 77 77 77 ; www.example.com A? 
(DO) + 07 65 78 61 6d 70 6c 65 + 03 63 6f 6d 00 00 01 00 + 01 00 00 29 10 00 00 00 + 80 00 00 0b + + 00 08 00 07 ; OPC, optlen + 00 01 18 00 ; ip4, scope 24, source 0 + 7f 00 00 ;127.0.0.0/24 +HEX_ANSWER_END +ENTRY_END + +STEP 150 CHECK_ANSWER +ENTRY_BEGIN +MATCH all ednsdata +REPLY QR RD RA NOERROR +SECTION QUESTION +www.example.com. IN A +SECTION ANSWER +www.example.com. IN A 10.20.30.43 +SECTION AUTHORITY +SECTION ADDITIONAL +HEX_EDNSDATA_BEGIN + ; client is 127.0.0.1 + 00 08 ; OPC + 00 07 ; option length + 00 01 ; Family + 18 00 ; source mask, scopemask + 7f 00 00 ; address +HEX_EDNSDATA_END +ENTRY_END + +SCENARIO_END
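Review bot: The comments on the client query option lines have the two prefix-length labels swapped: `00 01 18 00 ; ip4, scope 24, source 0` encodes a source prefix-length of 0x18 (24) and a scope of 0, matching the `; source mask, scopemask` order used in the reply blocks of the same file. Because this scenario exists to pin down when a scope-0 answer may be shared between subnets, the labels should read `; ip4, source 24, scope 0` (STEPs 1, 20, 60, 80, 120, 140) and `; ip4, source 0, scope 0` (STEPs 40, 100). Two smaller documentation gaps: the reply in `RANGE_BEGIN 20 31` carries address `7f 01 00` under a `; client is 127.0.0.1` comment, and the comment before STEP 140 stops mid-sentence. STEP 150 is also the only CHECK_ANSWER with no line saying why 10.20.30.43 is expected rather than the previously cached 10.20.30.40.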
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/svcb.tdir/svcb.test -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/svcb.tdir/svcb.test
Changed
@@ -80,7 +80,7 @@ fi -# check all the succes and write them +# check all the success and write them if ! $PRE/readzone svcb.success-cases.zone > svcb.success-cases.zone.out then echo "Some particular success cases did not succeed to parse"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/test_ldnsrr.5 -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/test_ldnsrr.5
Changed
@@ -172,3 +172,5 @@ root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 ( f1ca0ccd91bd5573d9f431c00ee0101b2545c97602be0a97 8a3b11dbfc1c776d5b3e86ae3d973d6b5349ba7f04340f79 ) ; from ldns issue #121, 0.10m was parsed as 0.01m. foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.1m 0.1m 0.1m +; from ldns issue #147, fix #148, tab between quoted strings. +foo 12345 IN HINFO "hohum" "weirdo"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/test_ldnsrr.c5 -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/test_ldnsrr.c5
Changed
@@ -212,3 +212,5 @@ root-servers.net. 3600000 IN ZONEMD 2018091100 1 1 F1CA0CCD91BD5573D9F431C00EE0101B2545C97602BE0A978A3B11DBFC1C776D5B3E86AE3D973D6B5349BA7F04340F79 03666F6F00001D00010000303900100011111182BD2D4D69530BD400988D20 foo. 12345 IN LOC 12 45 52.333 N 105 40 33.452 W -24m 0.10m 0.10m 0.10m +03666F6F00000D000100003039000D05686F68756D0677656972646F +foo. 12345 IN HINFO "hohum" "weirdo"
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/ttl_msg.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/ttl_msg.rpl
Changed
@@ -411,7 +411,7 @@ ; cause a lookup for nx1.example.com bypassing the cache. ; with bug; this causes msg ttl for nx1 to be time(NOW)+ttl. ; so 15+5 = 20 -; visiable in debug log as "msg ttl is %d" +; visible in debug log as "msg ttl is %d" STEP 40 QUERY ENTRY_BEGIN REPLY RD
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_cnametocloser_nosig.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_cnametocloser_nosig.rpl
Changed
@@ -5,6 +5,7 @@ val-override-date: "20091113091234" fake-sha1: yes trust-anchor-signaling: no + ede: yes forward-zone: name: "." @@ -88,7 +89,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=9 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN AAAA
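Review bot: The new `MATCH all ede=9` assertion in STEP 10 uses a bare numeric code with no comment saying which Extended DNS Error it stands for. A one-line comment above the MATCH line, for example `; EDE 9 = DNSKEY Missing (RFC 8914)`, would let a reader check that the validator reports the failure reason this scenario is about and not just any SERVFAIL. The same applies to the `ede=6`, `ede=7`, `ede=10` and `ede=12` assertions added in the other val_*.rpl files on this page (6 = DNSSEC Bogus, 7 = Signature Expired, 10 = RRSIGs Missing, 12 = NSEC Missing). The scenario body between the two hunks is not shown here.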
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_cnametonodata_nonsec.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_cnametonodata_nonsec.rpl
Changed
@@ -8,6 +8,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -254,12 +255,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=10 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A SECTION ANSWER -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_cnametoposnowc.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_cnametoposnowc.rpl
Changed
@@ -8,6 +8,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -253,13 +254,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_deleg_nons.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_deleg_nons.rpl
Changed
@@ -7,6 +7,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -261,7 +262,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=10 REPLY QR RD RA DO SERVFAIL SECTION QUESTION foo.www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_dnamewc.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_dnamewc.rpl
Changed
@@ -8,6 +8,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -256,13 +257,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.sub.example.com. IN A SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_ds_cname.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_ds_cname.rpl
Changed
@@ -7,6 +7,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -195,11 +196,10 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=10 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A -SECTION ANSWER ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_faildnskey.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_faildnskey.rpl
Changed
@@ -7,6 +7,7 @@ # test that default value of harden-dnssec-stripped is still yes. fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -160,7 +161,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=9 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_keyprefetch_verify.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_keyprefetch_verify.rpl
Changed
@@ -219,7 +219,7 @@ ; now the key gets prefetched and has to be verified with the anchor, ; not with the key itself. -; this answer is from cache enyway. +; this answer is from cache anyway. STEP 30 QUERY ENTRY_BEGIN REPLY RD DO
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nodata_failsig.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nodata_failsig.rpl
Changed
@@ -7,6 +7,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -154,13 +155,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nodata_failwc.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nodata_failwc.rpl
Changed
@@ -7,6 +7,8 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes + stub-zone: name: "nsecwc.nlnetlabs.nl" stub-addr: "185.49.140.60" @@ -42,7 +44,7 @@ SECTION AUTHORITY nsecwc.nlnetlabs.nl. 3600 IN SOA ns.nlnetlabs.nl. ralph.nlnetlabs.nl. 1 14400 3600 604800 3600 nsecwc.nlnetlabs.nl. 3600 IN RRSIG SOA 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. bYibpCDg1LgrnYJgVahgu94LBqLIcNs4iC0SW8LV7pTI1hhuFKbLkO2O ekPdkJAWmu/KTytf8D+cdcK6X/9VS8QCVIF5S0hraHtNezu0f1B5ztg3 7Rqy+uJSucNKoykueAsz2z43GMgO0rGH3bqM7+3ii8p2E2rhzqEtG/D3 qyY= -; NSEC has a label lenght of 3, indication that the original owner name is: +; NSEC has a label length of 3, indication that the original owner name is: ; *.nsecwc.nlnetlabs.nl. The NSEC therefore does no prove the NODATA answer. _25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN NSEC delegation.nsecwc.nlnetlabs.nl. TXT RRSIG NSEC _25._tcp.mail.nsecwc.nlnetlabs.nl. 3600 IN RRSIG NSEC 8 3 3600 20200101000000 20171108114635 565 nsecwc.nlnetlabs.nl. ddy1MRbshFuFJswlouNGHsZUF/tYu8BOCztY2JuHeTMyWL7rhRKp73q/ 1RAXMwywKsynT5ioY0bMtEQszeIEn29IYaPDHieLAobjF6BMu1kO7U2/ oEBrSHM/fx28BcaM5G4nfCIm3BlhQhWvk1NDHLn3Q26x4hF/dnmFOUet aXw= @@ -60,13 +62,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION _25._tcp.mail.nsecwc.nlnetlabs.nl. IN TLSA SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nokeyprime.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nokeyprime.rpl
Changed
@@ -6,6 +6,7 @@ target-fetch-policy: "0 0 0 0 0" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -153,7 +154,7 @@ STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=9 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nsec3_b1_nameerror_nowc.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nsec3_b1_nameerror_nowc.rpl
Changed
@@ -6,6 +6,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -133,7 +134,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION a.c.x.w.example. IN A @@ -145,7 +146,6 @@ ; 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. OSgWSm26B+cS+dDL8b5QrWr/dEWhtCsKlwKL IBHYH6blRxK9rC0bMJPwQ4mLIuw85H2EY762 BOCXJZMnpuwhpA== ) ; b4um86eghhds6nea196smvmlo4ors995.example. NSEC3 1 1 12 aabbccdd ( gjeqe526plbf1g8mklp59enfd789njgi MX RRSIG ) ; b4um86eghhds6nea196smvmlo4ors995.example. RRSIG NSEC3 7 2 3600 20150420235959 20051021000000 ( 40430 example. ZkPG3M32lmoHM6pa3D6gZFGB/rhL//Bs3Omh 5u4m/CUiwtblEVOaAKKZd7S959OeiX43aLX3 pOv0TSTyiTxIZg== ) -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nsec3_b2_nodata_nons.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nsec3_b2_nodata_nons.rpl
Changed
@@ -5,6 +5,7 @@ target-fetch-policy: "0 0 0 0 0" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -127,13 +128,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=12 REPLY QR RD RA DO SERVFAIL SECTION QUESTION ns1.example. IN MX SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nsec3_entnodata_optout_badopt.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nsec3_entnodata_optout_badopt.rpl
Changed
@@ -6,6 +6,7 @@ target-fetch-policy: "0 0 0 0 0" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -186,13 +187,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION ent.example.com. IN A SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nsec3_nods_badsig.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nsec3_nods_badsig.rpl
Changed
@@ -7,6 +7,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -226,13 +227,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=7 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.sub.example.com. IN A SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
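Review bot: `MATCH all ede=7` in STEP 10 pins the Signature Expired code in a scenario whose file name says bad signature, whereas the sibling failure scenarios on this page expect `ede=6` (DNSSEC Bogus). The signatures and the validation date are outside these hunks, so expiry may well be the first failure the validator hits. If so, a comment such as `; signature is expired at the validation date, hence EDE 7 rather than 6` above the MATCH line would record that this is deliberate. Without it, a later reader cannot tell whether the test asserts the intended failure class or simply whatever code the implementation returned when the test was written.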
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nsec3_optout_cache.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nsec3_optout_cache.rpl
Changed
@@ -138,7 +138,7 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AKHQ0gnNP5WDab1yqbd+Bt12CSSff88sqeDR40dvhiWOcYA8mmyjYNA= ; span around sub.example.com., same span as foo.example.com, but it has -; just changed and it is now larger to accomodate sub.example.com. +; just changed and it is now larger to accommodate sub.example.com. 6obgmo062d9935unjnnj2su5otaj9334.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 9r1f0ieoutlnjc03meng9e3bn2n0o9pd NS DS RRSIG 6obgmo062d9935unjnnj2su5otaj9334.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. ABzruSKUUcJRNlYDqZ4UmQH/WnzeXt9Gozp3chS4cR0sqsEeGjL54eQ= @@ -164,7 +164,7 @@ b6fuorg741ufili49mg9j4328ig53sqg.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. AKHQ0gnNP5WDab1yqbd+Bt12CSSff88sqeDR40dvhiWOcYA8mmyjYNA= ; span around sub.example.com., same span as foo.example.com, but it has -; just changed and it is now larger to accomodate sub.example.com. +; just changed and it is now larger to accommodate sub.example.com. 6obgmo062d9935unjnnj2su5otaj9334.example.com. IN NSEC3 1 1 123 aabb00123456bbccdd 9r1f0ieoutlnjc03meng9e3bn2n0o9pd NS DS RRSIG 6obgmo062d9935unjnnj2su5otaj9334.example.com. 3600 IN RRSIG NSEC3 3 3 3600 20070926135752 20070829135752 2854 example.com. ABzruSKUUcJRNlYDqZ4UmQH/WnzeXt9Gozp3chS4cR0sqsEeGjL54eQ=
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nx_failwc.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nx_failwc.rpl
Changed
@@ -7,6 +7,8 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes + stub-zone: name: "nsecwc.nlnetlabs.nl" stub-addr: "185.49.140.60" @@ -58,13 +60,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION a.nsecwc.nlnetlabs.nl. IN TXT SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_nx_overreach.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_nx_overreach.rpl
Changed
@@ -7,6 +7,7 @@ qname-minimisation: "no" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -154,13 +155,11 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=6 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A SECTION ANSWER -SECTION AUTHORITY -SECTION ADDITIONAL ENTRY_END SCENARIO_END
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_secds_nosig.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_secds_nosig.rpl
Changed
@@ -6,6 +6,7 @@ target-fetch-policy: "0 0 0 0 0" fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -223,7 +224,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=10 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.sub.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/testdata/val_ta_algo_missing.rpl -> _service:tar_scm:unbound-1.17.1.tar.gz/testdata/val_ta_algo_missing.rpl
Changed
@@ -10,6 +10,7 @@ harden-algo-downgrade: yes fake-sha1: yes trust-anchor-signaling: no + ede: yes stub-zone: name: "." @@ -165,7 +166,7 @@ ; recursion happens here. STEP 10 CHECK_ANSWER ENTRY_BEGIN -MATCH all +MATCH all ede=9 REPLY QR RD RA DO SERVFAIL SECTION QUESTION www.example.com. IN A
_service:tar_scm:unbound-1.13.2.tar.gz/util/config_file.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/config_file.c
Changed
@@ -99,6 +99,7 @@ cfg->stat_interval = 0; cfg->stat_cumulative = 0; cfg->stat_extended = 0; + cfg->stat_inhibit_zero = 1; cfg->num_threads = 1; cfg->port = UNBOUND_DNS_PORT; cfg->do_ip4 = 1; @@ -173,6 +174,7 @@ cfg->infra_cache_slabs = 4; cfg->infra_cache_numhosts = 10000; cfg->infra_cache_min_rtt = 50; + cfg->infra_cache_max_rtt = 120000; cfg->infra_keep_probing = 0; cfg->delay_close = 0; cfg->udp_connect = 1; @@ -195,6 +197,7 @@ cfg->use_systemd = 0; cfg->do_daemonize = 1; cfg->if_automatic = 0; + cfg->if_automatic_ports = NULL; cfg->so_rcvbuf = 0; cfg->so_sndbuf = 0; cfg->so_reuseport = REUSEPORT_DEFAULT; @@ -260,13 +263,14 @@ cfg->val_log_level = 0; cfg->val_log_squelch = 0; cfg->val_permissive_mode = 0; - cfg->aggressive_nsec = 0; + cfg->aggressive_nsec = 1; cfg->ignore_cd = 0; cfg->serve_expired = 0; cfg->serve_expired_ttl = 0; cfg->serve_expired_ttl_reset = 0; cfg->serve_expired_reply_ttl = 30; cfg->serve_expired_client_timeout = 0; + cfg->ede_serve_expired = 0; cfg->serve_original_ttl = 0; cfg->zonemd_permissive_mode = 0; cfg->add_holddown = 30*24*3600; @@ -330,6 +334,11 @@ cfg->ratelimit_below_domain = NULL; cfg->ip_ratelimit_factor = 10; cfg->ratelimit_factor = 10; + cfg->ip_ratelimit_backoff = 0; + cfg->ratelimit_backoff = 0; + cfg->outbound_msg_retry = 5; + cfg->max_sent_count = 32; + cfg->max_query_restarts = 11; cfg->qname_minimisation = 1; cfg->qname_minimisation_strict = 0; cfg->shm_enable = 0; @@ -372,6 +381,7 @@ cfg->ipset_name_v4 = NULL; cfg->ipset_name_v6 = NULL; #endif + cfg->ede = 0; return cfg; error_exit: config_delete(cfg); @@ -473,7 +483,7 @@ else if(atoi(val) == 0) return 0; else cfg->stat_interval = atoi(val); - } else if(strcmp(opt, "num_threads:") == 0) { + } else if(strcmp(opt, "num-threads:") == 0) { /* not supported, library must have 1 thread in bgworker */ return 0; } else if(strcmp(opt, "outgoing-port-permit:") == 0) { 
@@ -509,6 +519,7 @@ else S_YNO("use-syslog:", use_syslog) else S_STR("log-identity:", log_identity) else S_YNO("extended-statistics:", stat_extended) + else S_YNO("statistics-inhibit-zero:", stat_inhibit_zero) else S_YNO("statistics-cumulative:", stat_cumulative) else S_YNO("shm-enable:", shm_enable) else S_NUMBER_OR_ZERO("shm-key:", shm_key) @@ -530,11 +541,18 @@ else S_YNO("edns-tcp-keepalive:", do_tcp_keepalive) else S_NUMBER_NONZERO("edns-tcp-keepalive-timeout:", tcp_keepalive_timeout) else S_YNO("ssl-upstream:", ssl_upstream) + else S_YNO("tls-upstream:", ssl_upstream) else S_STR("ssl-service-key:", ssl_service_key) + else S_STR("tls-service-key:", ssl_service_key) else S_STR("ssl-service-pem:", ssl_service_pem) + else S_STR("tls-service-pem:", ssl_service_pem) else S_NUMBER_NONZERO("ssl-port:", ssl_port) + else S_NUMBER_NONZERO("tls-port:", ssl_port) + else S_STR("ssl-cert-bundle:", tls_cert_bundle) else S_STR("tls-cert-bundle:", tls_cert_bundle) else S_YNO("tls-win-cert:", tls_win_cert) + else S_YNO("tls-system-cert:", tls_win_cert) + else S_STRLIST("additional-ssl-port:", tls_additional_port) else S_STRLIST("additional-tls-port:", tls_additional_port) else S_STRLIST("tls-additional-ports:", tls_additional_port) else S_STRLIST("tls-additional-port:", tls_additional_port) @@ -550,6 +568,7 @@ else S_YNO("http-nodelay:", http_nodelay) else S_YNO("http-notls-downstream:", http_notls_downstream) else S_YNO("interface-automatic:", if_automatic) + else S_STR("interface-automatic-ports:", if_automatic_ports) else S_YNO("use-systemd:", use_systemd) else S_YNO("do-daemonize:", do_daemonize) else S_NUMBER_NONZERO("port:", port) 
@@ -581,8 +600,14 @@ else if(strcmp(opt, "cache-min-ttl:") == 0) { IS_NUMBER_OR_ZERO; cfg->min_ttl = atoi(val); MIN_TTL=(time_t)cfg->min_ttl;} else if(strcmp(opt, "infra-cache-min-rtt:") == 0) { - IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val); - RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt; + IS_NUMBER_OR_ZERO; cfg->infra_cache_min_rtt = atoi(val); + RTT_MIN_TIMEOUT=cfg->infra_cache_min_rtt; + } + else if(strcmp(opt, "infra-cache-max-rtt:") == 0) { + IS_NUMBER_OR_ZERO; cfg->infra_cache_max_rtt = atoi(val); + RTT_MAX_TIMEOUT=cfg->infra_cache_max_rtt; + USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT; + BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4; } else S_YNO("infra-keep-probing:", infra_keep_probing) else S_NUMBER_OR_ZERO("infra-host-ttl:", host_ttl) @@ -659,6 +684,8 @@ else if(strcmp(opt, "serve-expired-reply-ttl:") == 0) { IS_NUMBER_OR_ZERO; cfg->serve_expired_reply_ttl = atoi(val); SERVE_EXPIRED_REPLY_TTL=(time_t)cfg->serve_expired_reply_ttl;} else S_NUMBER_OR_ZERO("serve-expired-client-timeout:", serve_expired_client_timeout) + else S_YNO("ede:", ede) + else S_YNO("ede-serve-expired:", ede_serve_expired) else S_YNO("serve-original-ttl:", serve_original_ttl) else S_STR("val-nsec3-keysize-iterations:", val_nsec3_key_iterations) else S_YNO("zonemd-permissive-mode:", zonemd_permissive_mode) @@ -752,6 +779,11 @@ else S_POW2("ratelimit-slabs:", ratelimit_slabs) else S_NUMBER_OR_ZERO("ip-ratelimit-factor:", ip_ratelimit_factor) else S_NUMBER_OR_ZERO("ratelimit-factor:", ratelimit_factor) + else S_YNO("ip-ratelimit-backoff:", ip_ratelimit_backoff) + else S_YNO("ratelimit-backoff:", ratelimit_backoff) + else S_NUMBER_NONZERO("outbound-msg-retry:", outbound_msg_retry) + else S_NUMBER_NONZERO("max-sent-count:", max_sent_count) + else S_NUMBER_NONZERO("max-query-restarts:", max_query_restarts) else S_SIZET_NONZERO("fast-server-num:", fast_server_num) else S_NUMBER_OR_ZERO("fast-server-permil:", fast_server_permil) else S_YNO("qname-minimisation:", qname_minimisation) 
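Review bot: The new `infra-cache-max-rtt:` branch accepts any value that passes `IS_NUMBER_OR_ZERO`, including 0 and values below `infra_cache_min_rtt`, and then computes `BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4` with no upper bound. If these globals are plain `int` (their declarations are not in this diff), a large setting overflows the multiplication, and a maximum below the minimum presumably leaves the retransmit-timeout logic inconsistent; either is an availability risk for the resolver when the option can be changed at runtime. A guard before the assignment would cover both, for example `if(atoi(val) < cfg->infra_cache_min_rtt || atoi(val) > INT_MAX/4) return 0;`, matching the `return 0;` the rejecting branches of this function appear to use. The same unchecked `*4` is repeated in the `@@ -2187,11 +2257,14 @@` hunk further down, so the bound is best enforced once, where the value is parsed.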
@@ -760,6 +792,7 @@ else S_SIZET_NONZERO("pad-responses-block-size:", pad_responses_block_size) else S_YNO("pad-queries:", pad_queries) else S_SIZET_NONZERO("pad-queries-block-size:", pad_queries_block_size) + else S_STRLIST("proxy-protocol-port:", proxy_protocol_port) #ifdef USE_IPSECMOD else S_YNO("ipsecmod-enabled:", ipsecmod_enabled) else S_YNO("ipsecmod-ignore-bogus:", ipsecmod_ignore_bogus) @@ -796,7 +829,7 @@ * stub-ssl-upstream, forward-zone, auth-zone * name, forward-addr, forward-host, * ratelimit-for-domain, ratelimit-below-domain, - * local-zone-tag, access-control-view, + * local-zone-tag, access-control-view, interface-*, * send-client-subnet, client-subnet-always-forward, * max-client-subnet-ipv4, max-client-subnet-ipv6, * min-client-subnet-ipv4, min-client-subnet-ipv6, @@ -969,6 +1002,7 @@ else O_DEC(opt, "statistics-interval", stat_interval) else O_YNO(opt, "statistics-cumulative", stat_cumulative) else O_YNO(opt, "extended-statistics", stat_extended) + else O_YNO(opt, "statistics-inhibit-zero", stat_inhibit_zero) else O_YNO(opt, "shm-enable", shm_enable) else O_DEC(opt, "shm-key", shm_key) else O_YNO(opt, "use-syslog", use_syslog) @@ -978,6 +1012,7 @@ else O_IFC(opt, "interface", num_ifs, ifs) else O_IFC(opt, "outgoing-interface", num_out_ifs, out_ifs) else O_YNO(opt, "interface-automatic", if_automatic) + else O_STR(opt, "interface-automatic-ports", if_automatic_ports) else O_DEC(opt, "port", port) else O_DEC(opt, "outgoing-range", outgoing_num_ports) else O_DEC(opt, "outgoing-num-tcp", outgoing_num_tcp) @@ -1006,6 +1041,7 @@ else O_DEC(opt, "infra-host-ttl", host_ttl) else O_DEC(opt, "infra-cache-slabs", infra_cache_slabs) else O_DEC(opt, "infra-cache-min-rtt", infra_cache_min_rtt) + else O_UNS(opt, "infra-cache-max-rtt", infra_cache_max_rtt) else O_YNO(opt, "infra-keep-probing", infra_keep_probing) else O_MEM(opt, "infra-cache-numhosts", infra_cache_numhosts) else O_UNS(opt, "delay-close", delay_close) 
@@ -1027,11 +1063,20 @@ else O_YNO(opt, "edns-tcp-keepalive", do_tcp_keepalive) else O_DEC(opt, "edns-tcp-keepalive-timeout", tcp_keepalive_timeout) else O_YNO(opt, "ssl-upstream", ssl_upstream) + else O_YNO(opt, "tls-upstream", ssl_upstream) else O_STR(opt, "ssl-service-key", ssl_service_key) + else O_STR(opt, "tls-service-key", ssl_service_key) else O_STR(opt, "ssl-service-pem", ssl_service_pem) + else O_STR(opt, "tls-service-pem", ssl_service_pem) else O_DEC(opt, "ssl-port", ssl_port) + else O_DEC(opt, "tls-port", ssl_port) + else O_STR(opt, "ssl-cert-bundle", tls_cert_bundle) else O_STR(opt, "tls-cert-bundle", tls_cert_bundle) else O_YNO(opt, "tls-win-cert", tls_win_cert) + else O_YNO(opt, "tls-system-cert", tls_win_cert) + else O_LST(opt, "additional-ssl-port", tls_additional_port) + else O_LST(opt, "additional-tls-port", tls_additional_port) + else O_LST(opt, "tls-additional-ports", tls_additional_port) else O_LST(opt, "tls-additional-port", tls_additional_port) else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first) else O_STR(opt, "tls-ciphers", tls_ciphers) @@ -1088,6 +1133,8 @@ else O_YNO(opt, "serve-expired-ttl-reset", serve_expired_ttl_reset) else O_DEC(opt, "serve-expired-reply-ttl", serve_expired_reply_ttl) else O_DEC(opt, "serve-expired-client-timeout", serve_expired_client_timeout) + else O_YNO(opt, "ede", ede) + else O_YNO(opt, "ede-serve-expired", ede_serve_expired) else O_YNO(opt, "serve-original-ttl", serve_original_ttl) else O_STR(opt, "val-nsec3-keysize-iterations",val_nsec3_key_iterations) else O_YNO(opt, "zonemd-permissive-mode", zonemd_permissive_mode) 
@@ -1195,6 +1242,11 @@ else O_LS2(opt, "ratelimit-below-domain", ratelimit_below_domain) else O_DEC(opt, "ip-ratelimit-factor", ip_ratelimit_factor) else O_DEC(opt, "ratelimit-factor", ratelimit_factor) + else O_YNO(opt, "ip-ratelimit-backoff", ip_ratelimit_backoff) + else O_YNO(opt, "ratelimit-backoff", ratelimit_backoff) + else O_UNS(opt, "outbound-msg-retry", outbound_msg_retry) + else O_UNS(opt, "max-sent-count", max_sent_count) + else O_UNS(opt, "max-query-restarts", max_query_restarts) else O_DEC(opt, "fast-server-num", fast_server_num) else O_DEC(opt, "fast-server-permil", fast_server_permil) else O_DEC(opt, "val-sig-skew-min", val_sig_skew_min) @@ -1210,11 +1262,17 @@ else O_LS3(opt, "access-control-tag-action", acl_tag_actions) else O_LS3(opt, "access-control-tag-data", acl_tag_datas) else O_LS2(opt, "access-control-view", acl_view) + else O_LS2(opt, "interface-action", interface_actions) + else O_LTG(opt, "interface-tag", interface_tags) + else O_LS3(opt, "interface-tag-action", interface_tag_actions) + else O_LS3(opt, "interface-tag-data", interface_tag_datas) + else O_LS2(opt, "interface-view", interface_view) else O_YNO(opt, "pad-responses", pad_responses) else O_DEC(opt, "pad-responses-block-size", pad_responses_block_size) else O_YNO(opt, "pad-queries", pad_queries) else O_DEC(opt, "pad-queries-block-size", pad_queries_block_size) else O_LS2(opt, "edns-client-strings", edns_client_strings) + else O_LST(opt, "proxy-protocol-port", proxy_protocol_port) #ifdef USE_IPSECMOD else O_YNO(opt, "ipsecmod-enabled", ipsecmod_enabled) else O_YNO(opt, "ipsecmod-ignore-bogus", ipsecmod_ignore_bogus) @@ -1260,6 +1318,7 @@ cfg_parser->errors = 0; cfg_parser->cfg = cfg; cfg_parser->chroot = chroot; + cfg_parser->started_toplevel = 0; init_cfg_parse(); } @@ -1511,6 +1570,7 @@ free(cfg->directory); free(cfg->logfile); free(cfg->pidfile); + free(cfg->if_automatic_ports); free(cfg->target_fetch_policy); free(cfg->ssl_service_key); free(cfg->ssl_service_pem); 
@@ -1563,10 +1623,16 @@ config_deltrplstrlist(cfg->local_zone_overrides); config_del_strarray(cfg->tagname, cfg->num_tags); config_del_strbytelist(cfg->local_zone_tags); - config_del_strbytelist(cfg->acl_tags); config_del_strbytelist(cfg->respip_tags); + config_deldblstrlist(cfg->acl_view); + config_del_strbytelist(cfg->acl_tags); config_deltrplstrlist(cfg->acl_tag_actions); config_deltrplstrlist(cfg->acl_tag_datas); + config_deldblstrlist(cfg->interface_actions); + config_deldblstrlist(cfg->interface_view); + config_del_strbytelist(cfg->interface_tags); + config_deltrplstrlist(cfg->interface_tag_actions); + config_deltrplstrlist(cfg->interface_tag_datas); config_delstrlist(cfg->control_ifs.first); free(cfg->server_key_file); free(cfg->server_cert_file); @@ -1587,6 +1653,7 @@ config_delstrlist(cfg->python_script); config_delstrlist(cfg->dynlib_file); config_deldblstrlist(cfg->edns_client_strings); + config_delstrlist(cfg->proxy_protocol_port); #ifdef USE_IPSECMOD free(cfg->ipsecmod_hook); config_delstrlist(cfg->ipsecmod_whitelist); @@ -1757,6 +1824,9 @@ void ub_c_error(const char *str) { cfg_parser->errors++; + if(strcmp(str, "syntax error")==0 && cfg_parser->started_toplevel ==0) + str = "syntax error, is there no section start after an " + "include-toplevel directive perhaps."; fprintf(stderr, "%s:%d: error: %s\n", cfg_parser->filename, cfg_parser->line, str); } 
@@ -2187,11 +2257,14 @@ SERVE_ORIGINAL_TTL = config->serve_original_ttl; MAX_NEG_TTL = (time_t)config->max_negative_ttl; RTT_MIN_TIMEOUT = config->infra_cache_min_rtt; + RTT_MAX_TIMEOUT = config->infra_cache_max_rtt; EDNS_ADVERTISED_SIZE = (uint16_t)config->edns_buffer_size; MINIMAL_RESPONSES = config->minimal_responses; RRSET_ROUNDROBIN = config->rrset_roundrobin; LOG_TAG_QUERYREPLY = config->log_tag_queryreply; UNKNOWN_SERVER_NICENESS = config->unknown_server_time_limit; + USEFUL_SERVER_TOP_TIMEOUT = RTT_MAX_TIMEOUT; + BLACKLIST_PENALTY = USEFUL_SERVER_TOP_TIMEOUT*4; log_set_time_asc(config->log_time_ascii); autr_permit_small_holddown = config->permit_small_holddown; stream_wait_max = config->stream_wait_size; @@ -2459,7 +2532,7 @@ while(*ip_end && isspace((unsigned char)*ip_end)) ip_end++; if(name>ip_end) { - snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%.*s", + snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), "%.*s", (int)(name-ip_end), ip_end); } snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), " PTR %s", name); 
@@ -2530,126 +2603,6 @@ } #endif /* UB_ON_WINDOWS */ -void errinf(struct module_qstate* qstate, const char* str) -{ - struct config_strlist* p; - if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str) - return; - p = (struct config_strlist*)regional_alloc(qstate->region, sizeof(*p)); - if(!p) { - log_err("malloc failure in validator-error-info string"); - return; - } - p->next = NULL; - p->str = regional_strdup(qstate->region, str); - if(!p->str) { - log_err("malloc failure in validator-error-info string"); - return; - } - /* add at end */ - if(qstate->errinf) { - struct config_strlist* q = qstate->errinf; - while(q->next) - q = q->next; - q->next = p; - } else qstate->errinf = p; -} - -void errinf_origin(struct module_qstate* qstate, struct sock_list *origin) -{ - struct sock_list* p; - if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) - return; - for(p=origin; p; p=p->next) { - char buf256; - if(p == origin) - snprintf(buf, sizeof(buf), "from "); - else snprintf(buf, sizeof(buf), "and "); - if(p->len == 0) - snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), - "cache"); - else - addr_to_str(&p->addr, p->len, buf+strlen(buf), - sizeof(buf)-strlen(buf)); - errinf(qstate, buf); - } -} - -char* errinf_to_str_bogus(struct module_qstate* qstate) -{ - char buf20480; - char* p = buf; - size_t left = sizeof(buf); - struct config_strlist* s; - char dnameLDNS_MAX_DOMAINLEN+1; - char t16, c16; - sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t)); - sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c)); - dname_str(qstate->qinfo.qname, dname); - snprintf(p, left, "validation failure <%s %s %s>:", dname, t, c); - left -= strlen(p); p += strlen(p); - if(!qstate->errinf) - snprintf(p, left, " misc failure"); - else for(s=qstate->errinf; s; s=s->next) { - snprintf(p, left, " %s", s->str); - left -= strlen(p); p += strlen(p); - } - p = strdup(buf); - if(!p) - log_err("malloc failure in errinf_to_str"); - return 
p; -} - -char* errinf_to_str_servfail(struct module_qstate* qstate) -{ - char buf20480; - char* p = buf; - size_t left = sizeof(buf); - struct config_strlist* s; - char dnameLDNS_MAX_DOMAINLEN+1; - char t16, c16; - sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t)); - sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c)); - dname_str(qstate->qinfo.qname, dname); - snprintf(p, left, "SERVFAIL <%s %s %s>:", dname, t, c); - left -= strlen(p); p += strlen(p); - if(!qstate->errinf) - snprintf(p, left, " misc failure"); - else for(s=qstate->errinf; s; s=s->next) { - snprintf(p, left, " %s", s->str); - left -= strlen(p); p += strlen(p); - } - p = strdup(buf); - if(!p) - log_err("malloc failure in errinf_to_str"); - return p; -} - -void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr) -{ - char buf1024; - char dnameLDNS_MAX_DOMAINLEN+1; - char t16, c16; - if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !rr) - return; - sldns_wire2str_type_buf(ntohs(rr->rk.type), t, sizeof(t)); - sldns_wire2str_class_buf(ntohs(rr->rk.rrset_class), c, sizeof(c)); - dname_str(rr->rk.dname, dname); - snprintf(buf, sizeof(buf), "for <%s %s %s>", dname, t, c); - errinf(qstate, buf); -} - -void errinf_dname(struct module_qstate* qstate, const char* str, uint8_t* dname) -{ - char b1024; - char bufLDNS_MAX_DOMAINLEN+1; - if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str || !dname) - return; - dname_str(dname, buf); - snprintf(b, sizeof(b), "%s %s", str, buf); - errinf(qstate, b); -} - int options_remote_is_address(struct config_file* cfg) { if(!cfg->remote_control_enable) return 0; 
@@ -2683,3 +2636,35 @@ } return 0; } + +/** see if interface is PROXYv2, its port number == the proxy port number */ +int +if_is_pp2(const char* ifname, const char* port, + struct config_strlist* proxy_protocol_port) +{ + struct config_strlist* s; + char* p = strchr(ifname, '@'); + for(s = proxy_protocol_port; s; s = s->next) { + if(p && atoi(p+1) == atoi(s->str)) + return 1; + if(!p && atoi(port) == atoi(s->str)) + return 1; + } + return 0; +} + +/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */ +int +if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port) +{ +#ifdef USE_DNSCRYPT + return ((strchr(ifname, '@') && + atoi(strchr(ifname, '@')+1) == dnscrypt_port) || + (!strchr(ifname, '@') && atoi(port) == dnscrypt_port)); +#else + (void)ifname; + (void)port; + (void)dnscrypt_port; + return 0; +#endif +}
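Review bot: `if_is_pp2` decides whether an interface speaks PROXYv2 by comparing `atoi()` results, so a string that does not start with digits compares as port 0 and trailing garbage is ignored (`"53x"` equals 53). A PROXYv2 listener takes the client address from the PROXY header, so a false match here can change which source address later checks see; the `S_STRLIST("proxy-protocol-port:", ...)` setter added earlier in this file appears to store the string without validating it. Parsing both sides with `strtol`, requiring the whole string to be consumed and the value to lie in 1..65535, removes the ambiguity; `if_is_dnscrypt` below uses the same `atoi` pattern on `ifname` and `port`. Both functions also dereference `ifname` unconditionally, which is worth stating in their comments if callers guarantee it.

```c
int
if_is_pp2(const char* ifname, const char* port,
	struct config_strlist* proxy_protocol_port)
{
	struct config_strlist* s;
	const char* at = strchr(ifname, '@');
	char* end = NULL;
	/* resolve the interface's own port once; assumes nothing follows
	 * the port number after '@' (confirm against the interface syntax) */
	long ifport = strtol(at ? at+1 : port, &end, 10);
	if(*end != 0 || ifport <= 0 || ifport > 65535)
		return 0; /* not a usable port number, never PROXYv2 */
	for(s = proxy_protocol_port; s; s = s->next) {
		long pp = strtol(s->str, &end, 10);
		/* only a fully numeric list entry can match */
		if(end != s->str && *end == 0 && pp == ifport)
			return 1;
	}
	return 0;
}
```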
_service:tar_scm:unbound-1.13.2.tar.gz/util/config_file.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/config_file.h
Changed
@@ -41,6 +41,7 @@ #ifndef UTIL_CONFIG_FILE_H #define UTIL_CONFIG_FILE_H +#include "sldns/rrdef.h" struct config_stub; struct config_auth; struct config_view; @@ -75,6 +76,8 @@ int stat_cumulative; /** if true, the statistics are kept in greater detail */ int stat_extended; + /** if true, inhibits a lot of =0 lines from the extended stats output */ + int stat_inhibit_zero; /** number of threads to create */ int num_threads; @@ -113,6 +116,8 @@ int do_tcp_keepalive; /** tcp keepalive timeout, in msec */ int tcp_keepalive_timeout; + /** proxy protocol ports */ + struct config_strlist* proxy_protocol_port; /** private key file for dnstcp-ssl service (enabled if not NULL) */ char* ssl_service_key; @@ -185,8 +190,10 @@ size_t infra_cache_slabs; /** max number of hosts in the infra cache */ size_t infra_cache_numhosts; - /** min value for infra cache rtt */ + /** min value for infra cache rtt (min retransmit timeout) */ int infra_cache_min_rtt; + /** max value for infra cache rtt (max retransmit timeout) */ + int infra_cache_max_rtt; /** keep probing hosts that are down */ int infra_keep_probing; /** delay close of udp-timeouted ports, if 0 no delayclose. in msec */ @@ -205,6 +212,8 @@ /** automatic interface for incoming messages. Uses ipv6 remapping, * and recvmsg/sendmsg ancillary data to detect interfaces, boolean */ int if_automatic; + /** extra ports to open if if_automatic enabled, or NULL for default */ + char* if_automatic_ports; /** SO_RCVBUF size to set on port 53 UDP socket */ size_t so_rcvbuf; /** SO_SNDBUF size to set on port 53 UDP socket */ @@ -404,6 +413,8 @@ /** serve expired entries only after trying to update the entries and this * timeout (in milliseconds) is reached */ int serve_expired_client_timeout; + /** serve EDE code 3 - Stale Answer (RFC8914) for expired entries */ + int ede_serve_expired; /** serve original TTLs rather than decrementing ones */ int serve_original_ttl; /** nsec3 maximum iterations per key size, string */ 
@@ -454,6 +465,16 @@ struct config_str3list* acl_tag_datas; /** list of aclname, view*/ struct config_str2list* acl_view; + /** list of interface action entries, linked list */ + struct config_str2list* interface_actions; + /** list of interface, tagbitlist */ + struct config_strbytelist* interface_tags; + /** list of interface, tagname, localzonetype */ + struct config_str3list* interface_tag_actions; + /** list of interface, tagname, redirectdata */ + struct config_str3list* interface_tag_datas; + /** list of interface, view*/ + struct config_str2list* interface_view; /** list of IP-netblock, tagbitlist */ struct config_strbytelist* respip_tags; /** list of response-driven access control entries, linked list */ @@ -565,6 +586,10 @@ size_t ip_ratelimit_size; /** ip_ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ int ip_ratelimit_factor; + /** ratelimit backoff, when on, if the limit is reached it is + * considered an attack and it backs off until 'demand' decreases over + * the RATE_WINDOW. */ + int ip_ratelimit_backoff; /** ratelimit for domains. 0 is off, otherwise qps (unless overridden) */ int ratelimit; @@ -578,6 +603,18 @@ struct config_str2list* ratelimit_below_domain; /** ratelimit factor, 0 blocks all, 10 allows 1/10 of traffic */ int ratelimit_factor; + /** ratelimit backoff, when on, if the limit is reached it is + * considered an attack and it backs off until 'demand' decreases over + * the RATE_WINDOW. */ + int ratelimit_backoff; + + /** number of retries on outgoing queries */ + int outbound_msg_retry; + /** max sent queries per qstate; resets on query restarts (e.g., + * CNAMES) and referrals */ + int max_sent_count; + /** max number of query restarts; determines max length of CNAME chain */ + int max_query_restarts; /** minimise outgoing QNAME and hide original QTYPE if possible */ int qname_minimisation; /** minimise QNAME in strict mode, minimise according to RFC. 
@@ -666,6 +703,8 @@ char* ipset_name_v4; char* ipset_name_v6; #endif + /** respond with Extended DNS Errors (RFC8914) */ + int ede; }; /** from cfg username, after daemonize setup performed */ @@ -697,6 +736,8 @@ int isprime; /** if forward-first is set (failover to without if fails) */ int isfirst; + /** use tcp for queries to this stub */ + int tcp_upstream; /** use SSL for queries to this stub */ int ssl_upstream; /*** no cache */ @@ -741,6 +782,8 @@ /** Always reply with this CNAME target if the cname override action is * used */ char* rpz_cname; + /** signal nxdomain block with unset RA */ + int rpz_signal_nxdomain_ra; /** Check ZONEMD records for this zone */ int zonemd_check; /** Reject absence of ZONEMD records, zone must have one */ @@ -1106,7 +1149,7 @@ int cfg_parse_memsize(const char* str, size_t* res); /** - * Parse nsid from string into binary nsid. nsid is either a hexidecimal + * Parse nsid from string into binary nsid. nsid is either a hexadecimal * string or an ascii string prepended with ascii_ in which case the * characters after ascii_ are simply copied. * @param str: the string to parse. 
@@ -1225,56 +1268,6 @@ char* cfg_ptr_reverse(char* str); /** - * Append text to the error info for validation. - * @param qstate: query state. - * @param str: copied into query region and appended. - * Failures to allocate are logged. - */ -void errinf(struct module_qstate* qstate, const char* str); - -/** - * Append text to error info: from 1.2.3.4 - * @param qstate: query state. - * @param origin: sock list with origin of trouble. - * Every element added. - * If NULL: nothing is added. - * if 0len element: 'from cache' is added. - */ -void errinf_origin(struct module_qstate* qstate, struct sock_list *origin); - -/** - * Append text to error info: for RRset name type class - * @param qstate: query state. - * @param rr: rrset_key. - */ -void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr); - -/** - * Append text to error info: str dname - * @param qstate: query state. - * @param str: explanation string - * @param dname: the dname. - */ -void errinf_dname(struct module_qstate* qstate, const char* str, - uint8_t* dname); - -/** - * Create error info in string. For validation failures. - * @param qstate: query state. - * @return string or NULL on malloc failure (already logged). - * This string is malloced and has to be freed by caller. - */ -char* errinf_to_str_bogus(struct module_qstate* qstate); - -/** - * Create error info in string. For other servfails. - * @param qstate: query state. - * @return string or NULL on malloc failure (already logged). - * This string is malloced and has to be freed by caller. - */ -char* errinf_to_str_servfail(struct module_qstate* qstate); - -/** * Used during options parsing */ struct config_parser_state { @@ -1288,6 +1281,8 @@ struct config_file* cfg; /** the current chroot dir (or NULL if none) */ const char* chroot; + /** if we are started in a toplevel, or not, after a force_toplevel */ + int started_toplevel; }; /** global config parser object used during config parsing */ 
@@ -1336,6 +1331,12 @@ */ int cfg_has_https(struct config_file* cfg); +/** see if interface is PROXYv2, its port number == the proxy port number */ +int if_is_pp2(const char* ifname, const char* port, + struct config_strlist* proxy_protocol_port); + +/** see if interface is DNSCRYPT, its port number == the dnscrypt port number */ +int if_is_dnscrypt(const char* ifname, const char* port, int dnscrypt_port); #ifdef USE_LINUX_IP_LOCAL_PORT_RANGE #define LINUX_IP_LOCAL_PORT_RANGE_PATH "/proc/sys/net/ipv4/ip_local_port_range" #endif
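Review bot: The two new prototypes carry only a one-line summary, while other declarations in this header document their arguments with `@param` and `@return`. I would extend both comments to say that `ifname` must be non-NULL, that `port` is consulted only when `ifname` has no `@port` suffix, and that the result is 1 on a match and 0 otherwise. For `if_is_dnscrypt` it is also worth noting that it always returns 0 when built without `USE_DNSCRYPT`, as its definition in config_file.c shows.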
_service:tar_scm:unbound-1.13.2.tar.gz/util/configlexer.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/configlexer.c
Changed
@@ -354,8 +354,8 @@ (yy_hold_char) = *yy_cp; \ *yy_cp = '\0'; \ (yy_c_buf_p) = yy_cp; -#define YY_NUM_RULES 352 -#define YY_END_OF_BUFFER 353 +#define YY_NUM_RULES 372 +#define YY_END_OF_BUFFER 373 /* This struct is not used in this scanner, but its presence is necessary. */ struct yy_trans_info 
@@ -363,391 +363,413 @@ flex_int32_t yy_verify; flex_int32_t yy_nxt; }; -static const flex_int16_t yy_accept3484 = +static const flex_int16_t yy_accept3683 = { 0, - 1, 1, 326, 326, 330, 330, 334, 334, 338, 338, - 1, 1, 342, 342, 346, 346, 353, 350, 1, 324, - 324, 351, 2, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 351, 326, 327, 327, 328, - 351, 330, 331, 331, 332, 351, 337, 334, 335, 335, - 336, 351, 338, 339, 339, 340, 351, 349, 325, 2, - 329, 349, 351, 345, 342, 343, 343, 344, 351, 346, - 347, 347, 348, 351, 350, 0, 1, 2, 2, 2, - 2, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 326, - 0, 330, 0, 337, 0, 334, 338, 0, 349, 0, - 2, 2, 349, 345, 0, 342, 346, 0, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 349, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 128, 350, - 
350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 137, - 350, 350, 350, 350, 350, 350, 350, 349, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 112, 350, 323, - 350, 350, 350, 350, 350, 350, 350, 8, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 129, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 142, 350, 350, 349, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 316, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 349, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 67, 350, 350, - 350, 350, 350, 
350, 350, 350, 350, 350, 350, 350, - 350, 350, 248, 350, 14, 15, 350, 19, 18, 350, - 350, 232, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 135, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 230, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 3, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 349, - 350, 350, 350, 350, 350, 350, 350, 310, 350, 350, - 309, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 333, 350, 350, 350, 350, 350, 350, 350, 350, 66, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 70, 350, 279, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 317, 318, - 350, 350, 350, 350, 350, 350, 350, 71, 350, 350, - 136, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 132, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 219, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 21, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 162, - 350, 350, 350, 350, 350, 349, 333, 350, 
350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 110, 350, - 350, 350, 350, 350, 350, 350, 287, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 188, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 161, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 109, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 35, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 36, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 68, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 134, 350, 350, 350, 349, 350, 350, 350, 350, 350, - 127, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 69, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 252, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 189, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 57, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 270, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 61, 350, 62, - - 350, 350, 350, 350, 350, 113, 350, 114, 350, 350, - 350, 350, 
111, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 7, 350, 350, 350, 350, - 349, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 241, - 350, 350, 350, 350, 165, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 253, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 48, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 58, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 211, 350, 210, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 16, 17, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 72, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 218, 350, 350, 350, 350, - 350, 350, 116, 350, 115, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 202, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 143, - 350, 350, 350, 349, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 104, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 92, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 231, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 97, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 65, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 205, 206, 350, 350, 350, 281, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 6, 350, 350, 350, 350, 350, 350, 
300, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 285, 350, 350, 350, - 350, 350, 350, 311, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 45, 350, 350, - 350, 350, 47, 350, 350, 350, 93, 350, 350, 350, - 350, 350, 55, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 349, 350, 198, 350, 350, 350, - 138, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 223, 350, 199, 350, 350, 350, 238, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 56, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 140, - 121, 350, 122, 350, 350, 350, 120, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 158, 350, 350, 53, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 269, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 200, 350, 350, - 350, 350, 350, 203, 350, 209, 350, 350, 350, 350, - 350, 350, 237, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 108, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 133, 350, - 350, 350, 350, 350, 350, 350, 63, 350, 350, 350, - 29, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 20, 350, 350, 350, 350, 350, 350, 30, - 39, 350, 170, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 196, 350, 350, - 349, 350, 350, 350, 350, 350, 350, 80, 82, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 289, 350, 350, 350, 350, 249, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 123, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 157, 350, 49, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 304, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 
350, 350, 350, 164, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 298, - - 350, 350, 350, 229, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 314, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 182, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 117, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 177, 350, 190, - 350, 350, 350, 350, 350, 350, 350, 349, 350, 146, - 350, 350, 350, 350, 350, 103, 350, 350, 350, 350, - 221, 350, 350, 350, 350, 350, 350, 239, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 261, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 139, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 181, 350, 350, 350, 350, 350, 350, 83, - 350, 84, 350, 350, 350, 350, 350, 64, 307, 350, - 350, 350, 350, 350, 91, 191, 350, 212, 350, 242, - 350, 350, 204, 282, 350, 350, 350, 350, 350, 350, - 76, 350, 193, 350, 350, 350, 350, 350, 9, 350, - 350, 350, 350, 350, 107, 350, 350, 350, 350, 274, - 350, 350, 350, 350, 220, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 349, 350, 350, 350, - 350, 180, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 166, 350, 288, 350, 350, 350, 350, 350, - 260, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 233, 350, 350, 350, 350, 350, 280, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 163, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 308, 350, 192, 350, 350, 350, 350, 350, 350, - 350, 350, 75, 77, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 106, 350, 350, 350, 350, 272, 350, - 350, 350, 350, 284, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 225, 37, 
31, 33, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 38, 350, 32, 34, 350, 350, 350, 350, 350, - 350, 350, 350, 102, 350, 176, 350, 350, 350, 350, - - 350, 350, 350, 349, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 227, 224, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 74, 350, 350, 350, 141, - 350, 124, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 159, 50, 350, 350, 350, 341, 13, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 302, 350, - 305, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 12, 350, 350, 22, 350, 350, 350, 350, - 350, 278, 350, 350, 350, 350, 286, 350, 350, 350, - - 78, 350, 235, 350, 350, 350, 350, 350, 226, 350, - 350, 73, 350, 350, 350, 350, 350, 23, 350, 350, - 46, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 175, 174, 350, 350, 341, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 228, 222, 350, - 240, 350, 350, 290, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 85, 350, 350, - 350, 350, 273, 350, 350, 350, 350, 208, 350, 350, - - 350, 350, 350, 234, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 312, 313, 172, 350, 350, - 79, 350, 350, 350, 350, 183, 350, 350, 350, 118, - 119, 350, 350, 350, 25, 350, 350, 167, 350, 169, - 350, 213, 350, 350, 350, 350, 173, 350, 350, 350, - 350, 243, 350, 350, 350, 350, 350, 350, 350, 148, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 251, 350, 350, 350, 350, 350, 350, 350, - 321, 350, 27, 350, 283, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - - 89, 214, 350, 350, 271, 350, 306, 350, 207, 350, - 350, 350, 350, 350, 59, 350, 350, 350, 350, 350, - 350, 4, 350, 350, 350, 350, 131, 147, 350, 350, - 350, 187, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 246, 40, 41, 350, 350, 
350, 350, 350, 350, 350, - 291, 350, 350, 350, 350, 350, 350, 350, 259, 350, - 350, 350, 350, 350, 350, 350, 350, 217, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 88, 350, 60, 277, 350, 247, 350, 350, 350, - - 350, 350, 11, 350, 350, 350, 350, 350, 350, 350, - 350, 130, 350, 350, 350, 350, 215, 94, 350, 350, - 43, 350, 350, 350, 350, 350, 350, 350, 350, 179, - 350, 350, 350, 350, 350, 350, 350, 150, 350, 350, - 350, 350, 250, 350, 350, 350, 350, 350, 258, 350, - 350, 350, 350, 144, 350, 350, 350, 125, 126, 350, - 350, 350, 96, 100, 95, 160, 350, 350, 350, 350, - 86, 350, 350, 350, 350, 350, 350, 10, 350, 350, - 350, 350, 350, 275, 315, 350, 350, 350, 350, 350, - 320, 42, 350, 350, 350, 350, 350, 178, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 101, 99, 350, 54, 350, 350, 87, - 303, 350, 350, 350, 350, 24, 350, 350, 350, 350, - 350, 201, 350, 350, 350, 350, 350, 216, 350, 350, - 350, 350, 350, 350, 350, 350, 197, 350, 350, 168, - 81, 350, 350, 350, 350, 350, 292, 350, 350, 350, - 350, 350, 350, 350, 255, 350, 350, 254, 145, 350, - 350, 98, 51, 350, 151, 152, 155, 156, 153, 154, - 90, 301, 350, 350, 276, 350, 350, 350, 26, 350, - - 171, 350, 350, 350, 350, 195, 350, 245, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 185, 184, - 44, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 299, 350, 350, 350, 350, 105, 350, - 244, 350, 268, 296, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 350, 322, 350, 52, 5, 350, - 350, 236, 350, 350, 297, 350, 350, 350, 350, 350, - 350, 350, 350, 350, 256, 28, 350, 350, 350, 350, - - 350, 350, 350, 350, 350, 350, 350, 350, 257, 350, - 350, 350, 149, 350, 350, 350, 350, 350, 350, 350, - 350, 186, 350, 194, 350, 350, 350, 350, 350, 350, - 350, 350, 350, 293, 350, 350, 350, 350, 350, 350, - 350, 350, 
350, 350, 350, 350, 350, 350, 350, 350, - 350, 319, 350, 350, 264, 350, 350, 350, 350, 350, - 294, 350, 350, 350, 350, 350, 350, 295, 350, 350, - 350, 262, 350, 265, 266, 350, 350, 350, 350, 350, - 263, 267, 0 + 1, 1, 346, 346, 350, 350, 354, 354, 358, 358, + 1, 1, 362, 362, 366, 366, 373, 370, 1, 344, + 344, 371, 2, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 371, 346, 347, 347, 348, + 371, 350, 351, 351, 352, 371, 357, 354, 355, 355, + 356, 371, 358, 359, 359, 360, 371, 369, 345, 2, + 349, 369, 371, 365, 362, 363, 363, 364, 371, 366, + 367, 367, 368, 371, 370, 0, 1, 2, 2, 2, + 2, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 346, + 0, 350, 0, 357, 0, 354, 358, 0, 369, 0, + 2, 2, 369, 365, 0, 362, 366, 0, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 369, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 342, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 
370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 133, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 143, 370, 370, 370, 370, + 370, 370, 370, 369, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 115, 370, 341, 370, + 370, 370, 370, 370, 370, 370, 370, 8, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 134, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 148, 370, 370, 369, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 334, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 
370, 370, 370, 370, 370, 370, + 370, 370, 370, 369, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 69, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 261, 370, 14, 15, 370, 19, 18, 370, 370, + 241, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 141, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 239, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 3, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 369, 370, 370, 370, + 370, 370, 370, 370, 328, 370, 370, 327, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 353, 370, + 370, 370, 370, 370, 370, 370, 370, 68, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 72, 370, 297, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 335, 336, + 370, 370, 370, 370, 370, 370, 370, 370, 73, 370, + 370, 142, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 137, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 228, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 
370, + 370, 21, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 169, 370, 370, 370, 370, 370, + 369, 353, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 113, 370, 370, 370, 370, 370, 370, + 370, 305, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 196, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 168, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 112, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 35, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 36, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 70, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 140, 370, 370, 370, 369, 370, 370, + 370, 370, 370, 132, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 71, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 265, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 197, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 58, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 
370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 283, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 63, 370, 64, + 370, 370, 370, 370, 370, 116, 370, 117, 370, 370, + 370, 370, 370, 114, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 7, 370, 370, + + 370, 370, 369, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 250, 370, 370, 370, 370, 172, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 266, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 49, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 59, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 219, 370, 218, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 16, 17, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 74, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 227, 370, 370, 370, + 370, 370, 370, 119, 370, 118, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 210, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 149, 370, 370, 370, 369, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 107, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 95, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 240, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 
370, 370, + 370, 370, 370, 370, 100, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 67, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 213, 214, 370, 370, 370, 299, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 6, 370, 370, 370, 370, 370, 370, 370, 318, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 303, + 370, 370, 370, 370, 370, 370, 370, 329, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 46, 370, 370, 370, 370, 370, 48, 370, + 370, 370, 96, 370, 370, 370, 370, 370, 56, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 369, 370, 206, 370, 370, 370, 144, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 232, 370, 207, + 370, 370, 370, 247, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 57, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 146, 125, 370, 126, + 370, 370, 370, 370, 124, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 165, 370, 370, 54, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 282, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 208, 370, + 370, 370, 370, 370, 211, 370, 217, 370, 370, 370, + 370, 370, 370, 370, 370, 246, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 111, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 138, 370, 370, 370, 370, 370, + 370, 370, 370, 65, 370, 370, 370, 29, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 20, 370, 370, 370, 370, 370, 370, 370, 30, 39, + 370, 177, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 204, 370, 370, 369, + 370, 370, 370, 
370, 370, 370, 82, 84, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 307, 370, 370, 370, 370, 262, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 127, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 164, 370, 50, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 256, 370, 370, 370, 370, + 370, 370, 370, 322, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 171, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 316, + + 370, 370, 370, 370, 238, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 332, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 189, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 120, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 184, 370, 198, 370, 370, 370, 370, + 370, 370, 370, 369, 370, 152, 370, 370, 370, 370, + 370, 106, 370, 370, 370, 370, 230, 370, 370, 370, + 370, 370, 370, 248, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 274, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 145, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 188, 370, 370, 370, 370, 370, 370, 370, 85, 370, + 86, 370, 370, 370, 370, 370, 259, 370, 370, 370, + 370, 66, 325, 370, 370, 370, 370, 370, 94, 199, + 370, 220, 370, 251, 370, 370, 212, 300, 370, 370, + 370, 370, 295, 370, 370, 370, 78, 370, 201, 370, + 370, 370, 370, 370, 370, 9, 370, 370, 370, 370, + + 370, 110, 370, 370, 370, 370, 370, 370, 287, 370, + 370, 370, 370, 229, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 
370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 369, + 370, 370, 370, 370, 187, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 173, 370, 306, 370, 370, + 370, 370, 370, 273, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 242, 370, 370, 370, 370, + 370, 370, 298, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 170, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 326, 370, 200, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 77, 79, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 109, 370, 370, 370, 370, + 370, 370, 285, 370, 370, 370, 370, 302, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 234, 37, 31, 33, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 38, 370, + 32, 34, 370, 40, 370, 370, 370, 370, 370, 370, + 370, 105, 370, 183, 370, 370, 370, 370, 370, 370, + 370, 369, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 236, 233, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 76, 370, 370, 370, 147, 370, + 128, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 166, 51, 370, 370, 370, 361, 13, 370, 370, + + 370, 370, 370, 370, 370, 153, 370, 370, 370, 370, + 370, 370, 370, 320, 370, 323, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 12, + 370, 370, 22, 370, 370, 370, 370, 370, 370, 370, + 291, 370, 370, 370, 370, 304, 370, 370, 370, 370, + 80, 370, 244, 370, 370, 370, 370, 370, 235, 370, + 370, 370, 75, 370, 370, 370, 370, 370, 370, 23, + 370, 370, 47, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 182, 181, 370, 370, 361, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 237, + + 231, 370, 249, 370, 370, 308, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 194, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 87, 370, 
370, 370, 370, 370, 370, 370, + 286, 370, 370, 370, 370, 216, 370, 370, 370, 370, + 370, 370, 243, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 293, 370, 370, 370, 330, 331, 179, + 370, 370, 370, 81, 370, 370, 370, 370, 190, 370, + 370, 370, 370, 121, 123, 122, 370, 370, 370, 25, + + 370, 370, 174, 370, 176, 370, 221, 370, 370, 370, + 370, 180, 370, 370, 370, 370, 252, 370, 370, 370, + 370, 370, 370, 370, 155, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 264, 370, 370, + 370, 370, 370, 370, 370, 339, 370, 27, 370, 301, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 92, 222, 370, + 370, 258, 370, 370, 284, 370, 324, 370, 215, 370, + 370, 296, 370, 370, 370, 294, 60, 370, 370, 370, + 370, 370, 370, 370, 4, 370, 370, 370, 370, 136, + + 370, 154, 370, 370, 370, 195, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 255, 41, 42, 370, 370, + 370, 370, 370, 370, 370, 309, 370, 370, 370, 370, + 370, 370, 370, 272, 370, 370, 370, 370, 370, 370, + 370, 370, 225, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 91, 90, 370, + 370, 61, 370, 370, 290, 370, 260, 370, 370, 370, + 370, 370, 11, 370, 370, 370, 370, 343, 370, 370, + 370, 370, 135, 370, 370, 370, 370, 370, 370, 223, + + 97, 370, 370, 44, 370, 370, 370, 370, 370, 370, + 370, 370, 186, 370, 370, 370, 370, 370, 370, 370, + 157, 370, 370, 370, 370, 263, 370, 370, 370, 370, + 370, 271, 370, 370, 370, 370, 150, 370, 370, 370, + 129, 131, 130, 370, 370, 370, 99, 103, 98, 167, + 370, 370, 370, 370, 88, 370, 257, 292, 370, 370, + 370, 370, 370, 370, 10, 370, 370, 370, 370, 370, + 288, 333, 370, 370, 370, 370, 370, 370, 370, 338, + 43, 370, 370, 370, 370, 370, 185, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 104, 102, 370, 55, 370, 370, 89, 370, + 321, 370, 370, 370, 370, 24, 370, 370, 370, 370, + 370, 
209, 370, 370, 370, 370, 370, 370, 224, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 205, 370, + 370, 175, 83, 370, 370, 370, 370, 370, 310, 370, + 370, 370, 370, 370, 370, 370, 268, 370, 370, 267, + 151, 370, 370, 101, 52, 370, 370, 158, 159, 162, + 163, 160, 161, 93, 319, 370, 370, 289, 139, 370, + 370, 370, 370, 26, 370, 178, 370, 370, 370, 370, + + 203, 370, 254, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 192, 191, 226, 45, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 317, 370, 370, 370, 370, 108, 370, 253, 370, + 281, 314, 370, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 340, 370, 53, 62, 5, 370, 370, + 245, 370, 370, 315, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 269, 28, 370, 370, 370, 370, 370, + + 370, 370, 370, 370, 370, 370, 370, 270, 370, 370, + 370, 156, 370, 370, 370, 370, 370, 370, 370, 370, + 193, 370, 202, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 311, 370, 370, 370, 370, 370, 370, 370, + 370, 370, 370, 370, 370, 370, 370, 370, 370, 370, + 337, 370, 370, 277, 370, 370, 370, 370, 370, 312, + 370, 370, 370, 370, 370, 370, 313, 370, 370, 370, + 275, 370, 278, 279, 370, 370, 370, 370, 370, 276, + 280, 0 } ; static const YY_CHAR yy_ec256 = 
@@ -793,787 +815,829 @@ 1, 1, 1, 1, 1, 1 } ; -static const flex_int16_t yy_base3502 = +static const flex_int16_t yy_base3701 = { 0, 0, 0, 64, 67, 70, 72, 78, 84, 89, 92, - 131, 137, 112, 118, 123, 142, 429, 383, 96, 9961, - 9961, 9961, 160, 185, 116, 183, 229, 132, 175, 173, + 131, 137, 112, 118, 123, 142, 488, 423, 96,10542, + 10542,10542, 160, 185, 116, 183, 229, 132, 175, 173, 232, 50, 66, 120, 263, 275, 151, 323, 134, 375, - 416, 286, 308, 283, 126, 237, 374, 9961, 9961, 9961, - 95, 372, 9961, 9961, 9961, 186, 361, 373, 9961, 9961, - 9961, 258, 309, 9961, 9961, 9961, 104, 293, 9961, 266, - 9961, 167, 351, 281, 311, 9961, 9961, 9961, 369, 268, - 9961, 9961, 9961, 146, 252, 378, 177, 0, 392, 0, + 416, 286, 308, 283, 126, 237, 374,10542,10542,10542, + 95, 372,10542,10542,10542, 186, 361, 373,10542,10542, + 10542, 258, 309,10542,10542,10542, 104, 293,10542, 266, + 10542, 167, 351, 281, 311,10542,10542,10542, 369, 268, + 10542,10542,10542, 146, 252, 378, 177, 0, 392, 0, 0, 303, 270, 235, 317, 362, 344, 384, 178, 177, - 226, 420, 377, 330, 379, 402, 414, 419, 410, 453, - 319, 367, 440, 429, 447, 454, 463, 459, 458, 489, - 495, 484, 474, 493, 499, 460, 500, 504, 510, 492, - 524, 520, 532, 525, 537, 529, 412, 533, 558, 539, - 531, 548, 565, 559, 250, 505, 587, 575, 574, 584, - 570, 580, 610, 601, 595, 604, 607, 614, 615, 208, - 294, 205, 236, 194, 670, 225, 180, 326, 158, 674, - 678, 0, 623, 152, 682, 176, 130, 653, 650, 680, - 661, 609, 675, 670, 676, 666, 671, 682, 672, 691, - 720, 697, 696, 703, 256, 726, 770, 731, 723, 714, - - 734, 737, 724, 718, 745, 740, 749, 759, 766, 728, - 773, 760, 772, 787, 819, 789, 762, 797, 339, 802, - 827, 378, 808, 443, 832, 805, 699, 829, 725, 838, - 836, 844, 843, 835, 852, 847, 866, 860, 849, 864, - 875, 874, 871, 865, 868, 911, 885, 878, 893, 892, - 894, 907, 908, 902, 913, 781, 909, 920, 921, 935, - 912, 937, 930, 919, 943, 950, 948, 956, 957, 938, - 958, 955, 953, 960, 954, 973, 969, 984, 994, 986, - 993, 1002, 989, 995, 988, 
996, 999, 987, 1013, 1014, - 1022, 1026, 144, 1020, 1029, 1031, 1019, 1028, 1039, 1041, - - 1051, 1052, 1053, 1036, 1057, 1062, 1072, 1069, 1070, 1076, - 1079, 1088, 1055, 1067, 1065, 1082, 1092, 1098, 1087, 1100, - 1091, 1103, 1115, 1106, 1120, 1099, 1134, 1132, 1127, 1159, - 1136, 1128, 1148, 1189, 1154, 1143, 1162, 1185, 1169, 1155, - 1190, 1182, 1193, 1205, 1191, 1204, 1197, 1206, 1224, 1227, - 1215, 1231, 1229, 1220, 1226, 1233, 1249, 1258, 9961, 1242, - 1240, 1269, 1260, 1266, 1275, 1267, 1296, 1273, 1283, 1279, - 1291, 1298, 1344, 1392, 1293, 1311, 1301, 1304, 1307, 9961, - 1333, 1308, 1441, 1339, 1328, 1329, 1363, 1340, 1331, 1355, - 1364, 1356, 1300, 1359, 1367, 1390, 1403, 1400, 1379, 1389, - - 1406, 1419, 1410, 1306, 1438, 1442, 1437, 1431, 1383, 1434, - 1447, 1468, 1479, 1465, 1472, 1475, 1480, 1495, 1506, 1489, - 1492, 1500, 1486, 1483, 1487, 1513, 1515, 1535, 1580, 1452, - 1525, 1532, 1541, 1538, 1522, 1527, 1533, 1542, 1560, 1572, - 1556, 1578, 1568, 1401, 1583, 1573, 1590, 1607, 1592, 1599, - 1595, 1604, 1606, 1626, 1617, 1610, 1621, 1620, 1637, 1641, - 1638, 1633, 1648, 1647, 1634, 1650, 1636, 9961, 1669, 9961, - 1659, 1663, 1672, 1662, 1679, 1667, 1676, 9961, 1673, 1674, - 1675, 1690, 1710, 1700, 1717, 1708, 1702, 1715, 1718, 1711, - 1719, 1729, 1712, 1727, 1733, 1735, 1736, 1742, 1744, 1743, - - 1750, 1752, 1753, 1756, 1754, 1762, 1802, 9961, 1766, 1763, - 1782, 1792, 1768, 1793, 1788, 1813, 1827, 1811, 1807, 1831, - 1824, 1851, 1837, 1841, 1839, 1838, 1853, 1866, 1845, 1874, - 1871, 1864, 1872, 1880, 1863, 1883, 1884, 1895, 1893, 1891, - 1890, 9961, 1910, 1911, 1917, 1897, 1913, 1914, 1907, 1916, - 1920, 1909, 1924, 1932, 1947, 1934, 1942, 1551, 1965, 1951, - 1969, 1954, 1964, 1956, 1953, 1974, 1972, 1989, 1957, 1987, - 1990, 1986, 1988, 1994, 2004, 2007, 2014, 2023, 1999, 2000, - 2016, 2006, 2009, 2002, 2021, 2017, 2029, 2026, 2036, 2047, - 2034, 2053, 2041, 2055, 2044, 2061, 2049, 2048, 2065, 2071, - - 2050, 2074, 2078, 2095, 2085, 2103, 2086, 
2082, 2089, 2092, - 2097, 2113, 2109, 2105, 9961, 2130, 2119, 2134, 2139, 2144, - 2145, 2146, 2136, 2135, 2147, 2155, 2162, 2157, 2156, 2160, - 2166, 2170, 2172, 2181, 2174, 2203, 2194, 2199, 2207, 2206, - 2205, 2193, 2208, 2214, 2197, 2212, 2218, 2230, 2225, 2215, - 2226, 2256, 2234, 2235, 2249, 2264, 2244, 2251, 2261, 2245, - 2272, 2270, 2276, 2275, 2274, 2293, 2285, 2283, 2280, 2287, - 2290, 2313, 2300, 2301, 2304, 2307, 2303, 2329, 2333, 2330, - 2328, 2332, 2334, 2335, 2336, 2350, 2346, 2324, 2353, 2356, - 2357, 2351, 2363, 2381, 2369, 2370, 2371, 2383, 2388, 2395, - - 2377, 2392, 2413, 2397, 2404, 2394, 2412, 2420, 2414, 2416, - 2424, 2429, 2428, 2438, 2422, 2443, 2449, 2440, 2452, 2457, - 2447, 2460, 2456, 2476, 2472, 2475, 2485, 2480, 2473, 2483, - 2487, 2470, 2490, 2510, 2506, 2503, 2504, 9961, 2496, 2497, - 2500, 2518, 2514, 2507, 2521, 2534, 2528, 2537, 2525, 2529, - 2530, 2580, 9961, 2545, 9961, 9961, 2551, 9961, 9961, 2567, - 2563, 9961, 2577, 2570, 2595, 2587, 2597, 2604, 2590, 2603, - 2606, 2566, 2613, 2648, 2614, 2610, 2624, 2617, 2632, 2619, - 2653, 2651, 2662, 2659, 2670, 2644, 2665, 2703, 2683, 2687, - 2684, 2696, 2704, 2697, 2706, 2708, 2707, 2714, 2710, 2700, - - 2717, 2698, 2720, 2730, 2741, 2735, 2737, 2752, 2736, 2743, - 2734, 2679, 2762, 2758, 2776, 9961, 2768, 2725, 2765, 2764, - 2769, 2777, 2772, 2780, 2779, 2788, 2790, 2785, 2791, 2792, - 2798, 2803, 2800, 2804, 2808, 2801, 2814, 2826, 2834, 2819, - 9961, 2824, 2830, 2818, 2835, 2843, 2841, 2849, 2845, 2831, - 2846, 2850, 2880, 2873, 2869, 2866, 2878, 2864, 2871, 2891, - 9961, 2890, 2895, 2876, 2899, 2906, 2893, 2903, 2910, 2908, - 2916, 2911, 2935, 2918, 2922, 2883, 2933, 2944, 2938, 2937, - 2940, 2945, 2960, 2943, 2958, 2962, 2959, 2967, 2968, 2969, - 2970, 2971, 2972, 2980, 2987, 2997, 2995, 3007, 2996, 2985, - - 3016, 3018, 3015, 3002, 3013, 3023, 3014, 3029, 3031, 3036, - 3041, 3020, 3026, 3054, 3047, 3051, 3043, 3059, 3066, 3077, - 3058, 3071, 3078, 3065, 3056, 3085, 3070, 9961, 
3083, 3081, - 9961, 3086, 3098, 3094, 3143, 3100, 3116, 3108, 3124, 3104, - 3126, 3134, 3141, 3131, 3151, 3144, 3153, 3158, 3179, 3169, - 3182, 3176, 3185, 3180, 3177, 3186, 3192, 3196, 3203, 3142, - 3210, 3133, 381, 3221, 3204, 3147, 3214, 3259, 3206, 3215, - 3222, 3227, 3242, 3229, 3247, 3241, 3248, 3225, 3231, 3256, - 3269, 3271, 3268, 3263, 3275, 3270, 3283, 3140, 3289, 3284, - 9961, 3314, 3310, 3298, 3316, 3306, 3327, 3318, 3305, 9961, - - 3320, 3325, 3322, 3331, 3326, 3336, 3337, 3339, 3343, 3340, - 3356, 3362, 3363, 3367, 3358, 3379, 9961, 3361, 9961, 3364, - 3376, 3387, 3374, 3383, 3389, 3394, 3403, 3406, 9961, 9961, - 3410, 3404, 3416, 3385, 3418, 3414, 3412, 9961, 3430, 3453, - 9961, 3454, 3444, 3435, 3439, 3434, 3433, 3452, 3448, 3437, - 3464, 3472, 3468, 3482, 3474, 9961, 3466, 3473, 3492, 3493, - 3486, 3480, 3499, 3500, 3491, 9961, 3506, 3501, 3516, 3511, - 3508, 3514, 3518, 3531, 3539, 3519, 3528, 3532, 3545, 3529, - 3556, 3558, 3549, 3555, 3562, 3563, 3567, 9961, 3565, 3553, - 3557, 3578, 3581, 3588, 3582, 3584, 3583, 3580, 3597, 3603, - - 3585, 3609, 3598, 3590, 3612, 3608, 3624, 3607, 3627, 3621, - 3618, 3626, 3630, 3620, 91, 3628, 3635, 3633, 3636, 9961, - 3647, 3650, 3648, 3663, 3665, 3658, 128, 3662, 3657, 3669, - 3675, 3673, 3686, 3667, 3696, 3703, 3685, 3699, 3708, 3706, - 3702, 3705, 3712, 3700, 3721, 3718, 3707, 3728, 9961, 3724, - 3727, 3732, 3738, 3730, 3742, 3756, 9961, 3754, 3759, 3766, - 3764, 3769, 3765, 3781, 3763, 3777, 3785, 3773, 3788, 3789, - 3805, 3799, 3803, 3798, 9961, 3818, 3815, 3819, 3809, 3822, - 3831, 3830, 3823, 3828, 3833, 3836, 3844, 3846, 3849, 3845, - 3847, 3851, 3871, 3866, 3872, 3862, 3863, 3875, 3870, 3873, - - 3889, 3886, 3890, 3879, 3908, 3887, 9961, 3923, 3909, 3906, - 3914, 3910, 3911, 3921, 3913, 3944, 3936, 3929, 3918, 3945, - 3982, 3948, 3950, 3965, 3966, 3957, 3970, 3969, 3971, 3975, - 3984, 3992, 3998, 4018, 3988, 4002, 3973, 4007, 4004, 4022, - 4019, 4012, 4009, 4042, 4036, 4034, 4061, 4039, 4045, 4055, - 
4086, 4051, 9961, 4049, 4072, 4046, 4065, 4095, 4084, 4076, - 4089, 4082, 4091, 4088, 4105, 4103, 4110, 4111, 4118, 4114, - 4130, 4115, 4122, 4133, 4125, 4121, 4142, 4136, 4139, 4150, - 4157, 9961, 4158, 4160, 4145, 4162, 4168, 4155, 4176, 4177, - 4174, 4169, 4172, 4180, 4188, 4183, 4191, 4189, 4202, 4206, - - 4203, 4217, 4195, 9961, 4220, 4199, 4226, 4210, 4227, 4234, - 4238, 4222, 4240, 4247, 4250, 4239, 4254, 4249, 4251, 9961, - 4267, 4268, 4266, 4274, 4273, 4276, 4261, 4275, 4289, 4270, - 9961, 4287, 4278, 4294, 4284, 4288, 4295, 4314, 4315, 4319, - 9961, 4329, 4313, 4310, 4312, 4316, 4320, 4326, 4335, 4331, - 4323, 4346, 4360, 4349, 4343, 4362, 9961, 4350, 4379, 4354, - 4359, 4374, 4370, 4373, 4387, 4399, 4376, 4381, 4403, 9961, - 4395, 4394, 4408, 4418, 4397, 4401, 4415, 4431, 4432, 4420, - 4421, 4434, 4429, 9961, 4426, 4444, 4451, 4454, 4446, 4452, - 4453, 4425, 4463, 4464, 4460, 4471, 4473, 4465, 4480, 4487, - - 4490, 4491, 4498, 4496, 4502, 4489, 4497, 4500, 4507, 4531, - 4533, 4523, 4538, 4540, 4535, 4526, 4522, 4546, 4549, 4550, - 4553, 4554, 4556, 9961, 4552, 4559, 4562, 4567, 4560, 4547, - 4576, 4568, 4592, 4577, 4588, 4595, 4587, 4586, 4611, 4621, - 4590, 4606, 4612, 4616, 4617, 4620, 4622, 4609, 4624, 4613, - 4640, 4630, 4628, 4651, 4644, 4653, 4665, 4647, 4656, 4657, - 4660, 4668, 4643, 4646, 4684, 4686, 4677, 4678, 4687, 4694, - 4698, 4695, 4703, 4688, 4708, 4705, 4727, 9961, 4692, 4715, - 4716, 4721, 4722, 4736, 4734, 4713, 4735, 4740, 4747, 4751, - 4760, 4749, 4754, 4748, 4763, 4775, 4759, 9961, 4767, 9961, - - 4768, 4766, 4787, 4797, 4780, 9961, 4801, 9961, 4802, 4803, - 4790, 4792, 9961, 4810, 4799, 4784, 4809, 4814, 4821, 4823, - 4825, 4824, 4837, 4830, 4852, 4845, 4840, 4841, 4835, 4839, - 4862, 4861, 4864, 4869, 4877, 4876, 4880, 4873, 4894, 4883, - 4879, 4886, 4904, 4896, 4907, 9961, 4899, 4911, 4903, 4913, - 4901, 4909, 4919, 4928, 4923, 4924, 4951, 4953, 4936, 4939, - 4957, 4960, 4962, 4941, 4963, 4966, 4828, 4950, 4977, 9961, - 4968, 
4973, 4972, 4975, 9961, 4996, 4979, 5004, 5006, 4997, - 4992, 4998, 5009, 5014, 4999, 5008, 5002, 5040, 5021, 5045, - 5049, 9961, 5018, 5048, 5030, 5056, 5051, 5061, 5065, 5057, - - 5063, 5070, 5066, 5069, 5081, 5082, 5080, 5083, 5084, 5086, - 5107, 5101, 5109, 5089, 5110, 5105, 5113, 5102, 5097, 5104, - 5121, 5108, 5111, 5129, 5128, 5126, 5150, 5155, 5139, 5152, - 9961, 5148, 5149, 5156, 5167, 5144, 5147, 5145, 5166, 5168, - 9961, 5197, 5178, 5194, 5188, 5201, 5191, 5190, 5184, 5185, - 5205, 5195, 5212, 5211, 5218, 9961, 5228, 9961, 5215, 5233, - 5244, 5249, 5239, 5235, 5254, 5252, 5245, 5237, 5260, 5266, - 5263, 5255, 5261, 5264, 5267, 5290, 5280, 5303, 5297, 5285, - 5293, 5291, 5294, 5295, 5315, 5314, 5313, 9961, 9961, 5312, - 5316, 5322, 5328, 5318, 5326, 5347, 5351, 5352, 5338, 5345, - - 5341, 5381, 9961, 5353, 5355, 5369, 5368, 5374, 5380, 5377, - 5390, 5383, 5378, 5404, 5396, 9961, 5386, 5389, 5414, 5399, - 5418, 5416, 9961, 5420, 9961, 5405, 5415, 5429, 5417, 5426, - 5423, 5431, 5425, 5432, 5443, 5460, 5471, 5473, 5456, 5472, - 5455, 5458, 5459, 5474, 5464, 5484, 5466, 5479, 5462, 9961, - 5490, 5489, 5493, 5487, 5498, 5505, 5507, 5504, 5500, 9961, - 5515, 5519, 5527, 5517, 5506, 5535, 5522, 5531, 5532, 5538, - 5533, 5545, 5549, 5554, 9961, 5544, 5553, 5569, 5555, 5557, - 5571, 5583, 5582, 5586, 9961, 5584, 5578, 5574, 5591, 5580, - 5593, 5594, 5579, 5581, 5605, 5607, 5610, 5612, 5618, 5616, - - 5614, 5626, 5624, 5620, 5652, 5643, 5634, 5635, 5641, 5638, - 9961, 5644, 5647, 5653, 5658, 5670, 5667, 5676, 5682, 5687, - 5668, 5689, 5691, 5679, 5680, 5698, 5707, 5717, 5699, 9961, - 5718, 5703, 5722, 5715, 5706, 5729, 5723, 5716, 5719, 5735, - 5725, 5733, 5734, 5748, 5756, 5750, 5742, 5759, 5765, 5752, - 5767, 5769, 5768, 9961, 5806, 5762, 5775, 5789, 5782, 5792, - 5809, 5799, 5801, 5802, 5741, 5784, 5812, 5804, 5800, 5829, - 5825, 5818, 9961, 9961, 5832, 5816, 5833, 9961, 5835, 5826, - 5851, 5839, 5854, 5837, 5846, 5856, 5866, 5850, 5869, 5853, - 5868, 9961, 
5862, 5877, 5871, 5880, 5897, 5898, 9961, 5882, - - 5904, 5886, 5903, 5896, 5890, 5893, 5907, 5913, 5911, 5895, - 5914, 5931, 5938, 5924, 5930, 5932, 9961, 5927, 5928, 5948, - 5949, 5941, 5946, 9961, 5943, 5963, 5965, 5958, 5969, 5981, - 5979, 5984, 5982, 5976, 5972, 5985, 5993, 5987, 5996, 5974, - 5999, 6003, 6010, 6006, 6002, 6020, 6024, 9961, 6023, 6025, - 6029, 6035, 9961, 6038, 6058, 6044, 9961, 6045, 6034, 6052, - 6042, 6069, 9961, 6055, 6062, 6061, 6074, 6053, 6079, 6064, - 6082, 6070, 6071, 6072, 6098, 6083, 9961, 6096, 6085, 6102, - 9961, 6111, 6115, 6118, 6120, 6101, 6088, 6126, 6119, 6127, - 6128, 9961, 6131, 9961, 6141, 6138, 6139, 9961, 6145, 6149, - - 6147, 6156, 6153, 6164, 6165, 6172, 6173, 6158, 6177, 6163, - 6168, 6189, 6196, 6199, 6180, 6194, 6188, 6195, 9961, 6217, - 6192, 6215, 6207, 6211, 6222, 6220, 6214, 6238, 6233, 9961, - 9961, 6240, 9961, 6245, 6234, 6236, 9961, 6242, 6239, 6260, - 6247, 6267, 6269, 6258, 6278, 6273, 9961, 6282, 6285, 9961, - 6265, 6277, 6294, 6279, 6290, 6280, 6291, 6298, 6292, 6295, - 6315, 6318, 6308, 6319, 6306, 6321, 6328, 9961, 6317, 6326, - 6329, 6339, 6333, 6342, 6364, 6360, 6350, 9961, 6366, 6373, - 6354, 6374, 6376, 9961, 6377, 9961, 6378, 6381, 6368, 6382, - 6393, 6387, 9961, 6413, 6402, 6418, 6395, 6414, 6422, 6420, - - 6423, 6408, 6407, 6435, 6431, 6443, 6432, 6437, 6430, 9961, - 6441, 6447, 6466, 6468, 6452, 6453, 6477, 6470, 6474, 6463, - 6483, 6478, 6480, 6484, 6488, 6497, 6493, 6495, 9961, 6505, - 6507, 6500, 6528, 6518, 6520, 6519, 9961, 6523, 6532, 6533, - 9961, 6526, 6522, 6534, 6551, 6536, 6549, 6552, 6546, 6558, - 6559, 6570, 9961, 6565, 6576, 6560, 6578, 6579, 6573, 9961, - 9961, 6602, 9961, 6585, 6566, 6598, 6596, 6592, 6611, 6622, - 6615, 6626, 6609, 6612, 6628, 6625, 6633, 9961, 6618, 6601, - 6634, 6667, 6638, 6639, 6647, 6655, 6648, 9961, 9961, 6643, - 6670, 6672, 6676, 6677, 6674, 6661, 6689, 6675, 6690, 6687, - - 6688, 6694, 9961, 6705, 6699, 6706, 6702, 9961, 6700, 6723, - 6707, 6716, 6733, 
6717, 6724, 6721, 6734, 6720, 6745, 6749, - 6744, 6751, 6737, 6752, 6761, 6755, 6772, 6762, 6766, 6754, - 9961, 6779, 6776, 6786, 6769, 6767, 6788, 6789, 6796, 6799, - 6697, 9961, 6794, 9961, 6785, 6803, 6818, 6825, 6811, 6828, - 6834, 6826, 6830, 6819, 6835, 6840, 6842, 6847, 6850, 6844, - 6851, 6862, 6870, 6865, 6872, 6868, 9961, 6875, 6861, 6867, - 6871, 6884, 6885, 6874, 6896, 6886, 6903, 6890, 6910, 6916, - 6918, 6907, 6913, 6902, 6911, 6908, 9961, 6923, 6924, 6914, - 6926, 6929, 6930, 6941, 6957, 6939, 6940, 6949, 6960, 9961, - - 6950, 6942, 6970, 9961, 6952, 6955, 6966, 6971, 6980, 6976, - 6985, 6979, 6986, 9961, 6983, 6984, 6989, 7000, 6991, 6997, - 6993, 7024, 7017, 7027, 7030, 9961, 7035, 7020, 7034, 7038, - 7042, 7036, 7037, 7063, 7045, 9961, 7069, 7073, 7064, 7060, - 7085, 7061, 7066, 7088, 7084, 7087, 7072, 7090, 7083, 7093, - 7095, 7098, 7109, 7112, 7128, 7132, 7117, 9961, 7113, 9961, - 7115, 7129, 7136, 7146, 7142, 7140, 7153, 7145, 7162, 9961, - 7131, 7152, 7161, 7156, 7166, 9961, 7173, 7170, 7172, 7178, - 9961, 7188, 7189, 7176, 7180, 7201, 7203, 9961, 7206, 7205, - 7215, 7227, 7229, 7216, 7210, 7212, 7233, 7224, 7230, 7219, - - 7239, 7232, 7231, 7243, 9961, 7237, 7246, 7250, 7257, 7260, - 7265, 7258, 7275, 7255, 7267, 9961, 7276, 7263, 7266, 7277, - 7284, 7289, 7290, 7302, 7292, 7299, 7294, 7301, 7304, 7319, - 7311, 7314, 9961, 7318, 7317, 7329, 7340, 7335, 7346, 9961, - 7328, 9961, 7338, 7341, 7350, 7345, 7357, 9961, 9961, 7359, - 7354, 7362, 7366, 7367, 9961, 9961, 7378, 9961, 7364, 9961, - 7369, 7372, 9961, 9961, 7387, 7380, 7381, 7390, 7399, 7397, - 9961, 7400, 9961, 7416, 7411, 7405, 7391, 7415, 9961, 7409, - 7422, 7418, 7423, 7434, 9961, 7432, 7442, 7426, 7431, 9961, - 7451, 7453, 7445, 7436, 9961, 7459, 7465, 7461, 7449, 7468, - - 7469, 7473, 7470, 7471, 7478, 7494, 7462, 7483, 7501, 7507, - 7508, 7513, 7514, 7504, 7497, 7517, 7518, 7524, 7511, 7500, - 7527, 7509, 7532, 7521, 7555, 7538, 7558, 7560, 7550, 7551, - 7562, 7556, 7547, 7565, 
7552, 7566, 7571, 7564, 7575, 7577, - 7581, 7592, 7582, 7593, 7588, 7609, 7600, 7613, 7608, 7616, - 7627, 9961, 7628, 7596, 7598, 7623, 7633, 7624, 7644, 7652, - 7657, 7658, 9961, 7660, 9961, 7662, 7648, 7653, 7651, 7650, - 9961, 7674, 7654, 7673, 7676, 7689, 7682, 7681, 7684, 7687, - 7688, 7711, 9961, 7707, 7699, 7697, 7708, 7718, 9961, 7721, - 7720, 7709, 7710, 7734, 7735, 7724, 7725, 7733, 7737, 7746, - - 7758, 7759, 7745, 7748, 7757, 9961, 7767, 7771, 7779, 7760, - 7773, 7762, 7768, 7786, 7776, 7777, 7794, 7800, 7801, 7805, - 7810, 9961, 7792, 9961, 7803, 7795, 7804, 7813, 7815, 7830, - 7824, 7826, 9961, 9961, 7828, 7822, 7836, 7831, 7832, 7854, - 7853, 7841, 7857, 9961, 7851, 7863, 7865, 7869, 9961, 7859, - 7875, 7877, 7876, 9961, 7873, 7878, 7894, 7879, 7880, 7889, - 7903, 7901, 7902, 7905, 7893, 7911, 9961, 9961, 9961, 9961, - 7914, 7909, 7919, 7920, 7921, 7930, 7940, 7941, 7927, 7932, - 7928, 9961, 7951, 9961, 9961, 7948, 7957, 7942, 7958, 7964, - 7946, 7973, 7966, 9961, 7971, 9961, 7976, 7983, 7979, 7987, - - 7995, 7991, 7978, 8002, 8000, 7999, 7993, 7998, 8017, 8014, - 8027, 8015, 8031, 8032, 8033, 9961, 9961, 8022, 8037, 8042, - 8052, 8034, 8043, 8026, 8055, 8047, 8060, 8059, 8056, 8069, - 8063, 8061, 8078, 8075, 8064, 9961, 8074, 8088, 8082, 9961, - 8087, 9961, 8089, 8092, 8095, 8104, 8091, 8101, 8105, 8114, - 8120, 9961, 9961, 8111, 8135, 8128, 9961, 9961, 8124, 8119, - 8126, 8136, 8141, 8130, 8133, 8144, 8154, 8146, 9961, 8152, - 9961, 8157, 8160, 8158, 8153, 8179, 8187, 8170, 8194, 8183, - 8182, 8191, 9961, 8184, 8185, 9961, 8200, 8199, 8197, 8189, - 8192, 9961, 8212, 8204, 8208, 8232, 9961, 8233, 8234, 8231, - - 9961, 8237, 9961, 8221, 8239, 8230, 8250, 8235, 9961, 8226, - 8251, 9961, 8243, 8254, 8253, 8259, 8262, 9961, 8255, 8249, - 9961, 8264, 8285, 8286, 8288, 8277, 8290, 8280, 8278, 8281, - 8302, 8298, 8297, 9961, 9961, 8305, 8304, 73, 8321, 8283, - 8307, 8310, 8312, 8308, 8313, 8322, 8341, 9961, 9961, 8337, - 9961, 8335, 8344, 9961, 8325, 8348, 
8345, 8349, 8353, 8361, - 8336, 8368, 8359, 8370, 8378, 8373, 8371, 8383, 8401, 8404, - 8388, 8392, 8402, 8411, 8419, 8421, 8397, 8418, 8405, 8400, - 8427, 8428, 8416, 8431, 8442, 8417, 8439, 9961, 8456, 8457, - 8458, 8447, 9961, 8467, 8463, 8471, 8468, 9961, 8472, 8466, - - 8478, 8480, 8482, 9961, 8483, 8476, 8477, 8497, 8492, 8485, - 8498, 8520, 8504, 8512, 8518, 9961, 9961, 9961, 8524, 8526, - 9961, 8527, 8516, 8507, 8519, 9961, 8535, 8533, 8538, 9961, - 9961, 8536, 8547, 8546, 9961, 8548, 8563, 9961, 8554, 9961, - 8549, 9961, 8562, 8573, 8571, 8574, 9961, 8575, 8579, 8577, - 8607, 9961, 8585, 8586, 8587, 8594, 8589, 8596, 8612, 9961, - 8601, 8619, 8620, 8622, 8613, 8614, 8606, 8632, 8630, 8634, - 8618, 8650, 9961, 8651, 8657, 8658, 8659, 8646, 8641, 8652, - 9961, 8649, 9961, 8666, 9961, 8661, 8668, 8676, 8682, 8683, - 8678, 8690, 8695, 8684, 8701, 8703, 8688, 8687, 8716, 8715, - - 9961, 9961, 8719, 8720, 9961, 8711, 9961, 8721, 9961, 8725, - 8728, 8718, 8733, 8730, 9961, 8736, 8731, 8745, 8742, 8743, - 8737, 9961, 8752, 8759, 8748, 8765, 9961, 9961, 8757, 8779, - 8780, 9961, 8760, 8788, 8789, 8775, 8771, 8795, 8786, 8792, - 8776, 8804, 8802, 8793, 8806, 8808, 8810, 8824, 8831, 8829, - 9961, 9961, 9961, 8828, 8816, 8815, 8811, 8841, 8850, 8842, - 9961, 8854, 8839, 8857, 8845, 8851, 8856, 8849, 9961, 8853, - 8852, 8863, 8869, 8875, 8866, 8878, 8886, 9961, 8898, 8899, - 8901, 8889, 8902, 8904, 8908, 8910, 8911, 8905, 8893, 8922, - 8909, 9961, 8923, 9961, 9961, 8920, 9961, 8921, 8929, 8925, - - 8931, 8941, 9961, 8927, 8933, 8936, 8947, 8937, 8956, 8940, - 8962, 9961, 8977, 8967, 8954, 8970, 9961, 9961, 8958, 8976, - 9961, 8990, 8986, 8981, 8982, 8984, 8985, 8998, 8994, 9961, - 8997, 9000, 9009, 9010, 9011, 9007, 9025, 9961, 9027, 9014, - 9020, 9022, 9961, 9021, 9028, 9046, 9024, 9048, 9961, 9054, - 9041, 9055, 9060, 9961, 9050, 9071, 9066, 9961, 9961, 9076, - 9078, 9080, 9961, 9961, 9961, 9961, 9083, 9089, 9077, 9085, - 9961, 9095, 9101, 9110, 9102, 9115, 9113, 
9961, 9114, 9109, - 9120, 9106, 9111, 9961, 9961, 9107, 9112, 9121, 9130, 9123, - 9961, 9961, 9131, 9128, 9145, 9151, 9146, 9961, 9147, 9158, - - 9164, 9157, 9167, 9169, 9171, 9162, 9170, 9191, 9186, 9172, - 9155, 9190, 9185, 9196, 9204, 9189, 9210, 9184, 9213, 9214, - 9215, 9207, 9216, 9961, 9961, 9220, 9961, 9224, 9217, 9961, - 9961, 9225, 9229, 9238, 9239, 9961, 9245, 9250, 9254, 9255, - 9231, 9961, 9251, 9259, 9252, 9256, 9242, 9961, 9263, 9248, - 9264, 9258, 9279, 9281, 9269, 9271, 9961, 9284, 9274, 9961, - 9961, 9285, 9277, 9283, 9301, 9287, 9961, 9310, 9320, 9304, - 9311, 9298, 9306, 9307, 9961, 9315, 9326, 9961, 9961, 9337, - 9312, 9961, 9961, 9329, 9961, 9961, 9961, 9961, 9961, 9961, - 9961, 9961, 9344, 9343, 9961, 9339, 9357, 9358, 9961, 9359, - - 9961, 9338, 9351, 9363, 9354, 9961, 9366, 9961, 9368, 9372, - 9370, 9387, 9377, 9395, 9385, 9381, 9388, 9393, 9378, 9402, - 9404, 9399, 9416, 9407, 9419, 9432, 9415, 9434, 9961, 9961, - 9961, 9423, 9425, 9441, 9438, 9449, 9452, 9454, 9456, 9444, - 9440, 9455, 9464, 9465, 9448, 9462, 9483, 9472, 9476, 9479, - 9493, 9474, 9495, 9961, 9498, 9487, 9489, 9505, 9961, 9492, - 9961, 9491, 9961, 9961, 9512, 9516, 9515, 9511, 9529, 9531, - 9513, 9520, 9518, 9536, 9528, 9961, 9546, 9961, 9961, 9532, - 9542, 9961, 9534, 9545, 9961, 9547, 9560, 9551, 9539, 9558, - 9563, 9572, 9576, 9583, 9961, 9961, 9564, 9568, 9569, 9593, - - 9595, 9606, 9601, 9607, 9609, 9611, 9598, 9610, 9961, 9618, - 9619, 9621, 9961, 9622, 9604, 9625, 9628, 9635, 9640, 9637, - 9644, 9961, 9641, 9961, 9658, 9651, 9661, 9646, 9653, 9662, - 9669, 9671, 9664, 9961, 9668, 9678, 9681, 9685, 9706, 9696, - 9702, 9691, 9711, 9712, 9713, 9714, 9718, 9719, 9697, 9727, - 9703, 9961, 9720, 9729, 9961, 9730, 9745, 9736, 9739, 9759, - 9961, 9751, 9742, 9746, 9763, 9767, 9769, 9961, 9768, 9770, - 9772, 9961, 9766, 9961, 9961, 9775, 9762, 9782, 9783, 9784, - 9961, 9961, 9961, 9841, 9848, 9855, 9862, 9869, 9876, 9883, - 102, 9890, 9897, 9904, 9911, 9918, 9925, 9932, 
9939, 9946, + 226, 420, 377, 330, 379, 402, 414, 425, 413, 453, + 319, 367, 440, 429, 441, 455, 475, 479, 458, 482, + 490, 491, 489, 496, 504, 499, 521, 520, 506, 516, + 531, 514, 540, 527, 555, 530, 548, 541, 565, 538, + 547, 562, 576, 572, 250, 571, 601, 586, 591, 596, + 389, 598, 624, 597, 611, 618, 621, 627, 623, 208, + 294, 205, 236, 194, 669, 225, 180, 326, 158, 676, + 684, 0, 652, 152, 692, 176, 130, 492, 664, 676, + 662, 672, 682, 666, 686, 673, 683, 696, 668, 693, + 721, 681, 700, 717, 256, 727, 771, 733, 719, 740, + + 723, 732, 736, 726, 735, 756, 739, 767, 757, 762, + 763, 781, 759, 782, 783, 823, 790, 801, 809, 339, + 810, 836, 378, 806, 418, 835, 813, 443, 840, 459, + 828, 600, 858, 606, 851, 867, 819, 868, 862, 852, + 869, 870, 881, 871, 878, 872, 889, 917, 901, 896, + 915, 899, 645, 911, 744, 898, 922, 932, 905, 928, + 786, 854, 912, 863, 925, 926, 942, 947, 955, 965, + 961, 945, 966, 964, 956, 969, 958, 974, 985, 970, + 986, 982, 984, 991, 995, 1001, 999, 1005, 1012, 996, + 1004, 1022, 1027, 1023, 144, 1016, 1032, 1035, 1014, 1038, + + 1037, 1041, 1046, 1049, 1047,10542, 1043, 1057, 1074, 1073, + 1082, 1083, 1078, 1076, 1088, 1093, 1069, 1068, 1070, 1094, + 1098, 1108, 1101, 1113, 1103, 1105, 1126, 1106, 1138, 1125, + 1134, 1133, 1130, 1177, 1139, 1129, 1140, 1222, 1152, 1160, + 1164, 1178, 1183, 1185, 1143, 1182, 1191, 1204, 1217, 1184, + 1221, 1171, 1223, 1231, 1236, 1165, 1238, 1242, 1233, 1252, + 1255, 1258, 1256, 1285,10542, 1264, 1276, 1282, 1287, 1290, + 1291, 1279, 1313, 1317, 1309, 1312, 1278, 1320, 1361, 1409, + 1318, 1327, 1331, 1336, 1328,10542, 1357, 1353, 1458, 1356, + 1341, 1386, 1387, 1369, 1380, 1377, 1402, 1389, 1407, 1395, + + 1404, 1426, 1438, 1418, 1429, 1455, 1439, 1457, 1463, 1420, + 1479, 1466, 1452, 1469, 1468, 1467, 1487, 1504, 1513, 1488, + 1500, 1501, 1506, 1519, 1518, 1522, 1528, 1534, 1536, 1535, + 1514, 1541, 1540, 1546, 1566, 1611, 1539, 1562, 1565, 1568, + 1567, 1582, 1569, 1573, 1587, 1580, 1599, 1592, 1607, 1609, + 
1578, 1615, 1610, 1626, 1635, 1617, 1618, 1619, 1636, 1652, + 1660, 1646, 1644, 1647, 1654, 1667, 1651, 1671, 1675, 1673, + 1674, 1681, 1678, 1668, 1705, 1690,10542, 1710,10542, 1693, + 1707, 1697, 1713, 1698, 1716, 1703, 1717,10542, 1708, 1709, + 1731, 1736, 1733, 1757, 1750, 1762, 1756, 1752, 1760, 1764, + + 1755, 1758, 1763, 1770, 1781, 1777, 1797, 1789, 1800, 1784, + 1754, 1808, 1804, 1795, 1813, 1798, 1802, 1807, 1848,10542, + 1799, 1796, 1823, 1839, 1832, 1850, 1836, 1853, 1881, 1845, + 1880, 1877, 1879, 1897, 1883, 1884, 1906, 1876, 1894, 1915, + 1903, 1917, 1904, 1910, 1920, 1933, 1921, 1929, 1945, 1930, + 1944, 1937, 1932,10542, 1949, 1964, 1965, 1959, 1961, 1955, + 1956, 1960, 1966, 1962, 1990, 1971, 1997, 1979, 1996, 2005, + 2014, 1998, 2017, 2001, 2012, 2002, 2007, 2028, 2024, 2029, + 2019, 2052, 2023, 2053, 2057, 2063, 2059, 2061, 2069, 2071, + 2049, 2047, 2058, 2074, 2073, 2062, 2075, 2079, 2086, 2076, + + 2088, 2089, 2092, 2094, 2108, 2104, 2106, 2103, 2123, 2110, + 2115, 2127, 2121, 2129, 2126, 2128, 2138, 2133, 2168, 2139, + 2160, 2151, 2148, 2172, 2178, 2167, 2170,10542, 2163, 2173, + 2159, 2188, 2196, 2190, 2197, 2195, 2198, 2206, 2205, 2221, + 2207, 2230, 2222, 2217, 2232, 2225, 2228, 2223, 2238, 2244, + 2240, 2245, 2257, 2263, 2265, 2270, 2258, 2266, 2267, 2272, + 2269, 2284, 2286, 2287, 2295, 2285, 2296, 2273, 2324, 2293, + 2304, 2316, 2314, 2307, 2318, 2325, 2312, 2328, 2331, 2333, + 2343, 2347, 2337, 2363, 2371, 2374, 2352, 2367, 2353, 2379, + 2364, 2365, 2366, 2370, 2380, 2390, 2399, 2404, 2397, 2405, + + 2396, 2402, 2416, 2407, 2391, 2415, 2411, 2424, 2418, 2423, + 2434, 2429, 2439, 2438, 2440, 2450, 2451, 2455, 2467, 2459, + 2475, 2479, 2477, 2471, 2478, 2493, 2482, 2492, 2494, 2498, + 2505, 2510, 2516, 2500, 2517, 2521, 2518, 2534, 2519, 2533, + 2543, 2542, 2535, 2551, 2555, 2553, 2545, 2562, 2549, 2561, + 2546, 2565, 2586, 2566, 2572, 2581,10542, 2578, 2601, 2580, + 2599, 2594, 2584, 2592, 2617, 2607, 2611, 2598, 2604, 2612, + 
2658,10542, 2608,10542,10542, 2624,10542,10542, 2637, 2642, + 10542, 2625, 2649, 2645, 2668, 2661, 2682, 2685, 2687, 2644, + 2652, 2676, 2704, 2731, 2681, 2695, 2694, 2699, 2714, 2710, + + 2720, 2725, 2727, 2748, 2721, 2739, 2752, 2774, 2761, 2770, + 2757, 2751, 2780, 2782, 2783, 2784, 2702, 2788, 2773, 2775, + 2792, 2798, 2801, 2795, 2804, 2809, 2812, 2828, 2815, 2822, + 2813, 2811, 2832, 2827, 2846,10542, 2838, 2849, 2830, 2831, + 2847, 2857, 2858, 2871, 2865, 2866, 2861, 2878, 2879, 2873, + 2862, 2877, 2883, 2884, 2885, 2870, 2896, 2901, 2893, 2908, + 2917, 2924, 2904, 2906,10542, 2912, 2918, 2910, 2931, 2923, + 2935, 2941, 2926, 2930, 2947, 2951, 2971, 2958, 2959, 2954, + 2957, 2961, 2953, 2974, 2991,10542, 2987, 2979, 2984, 2985, + 2986, 2973, 2988, 3000, 3003, 3001, 3013, 3020, 3015, 3012, + + 3014, 3016, 3026, 3028, 3027, 3034, 3039, 3049, 3042, 3054, + 3062, 3051, 3047, 3055, 3060, 3069, 3065, 3066, 3071, 3075, + 3079, 3073, 3084, 3087, 3108, 3091, 3089, 3113, 3115, 3116, + 3100, 3111, 3124, 3112, 3136, 3118, 3126, 3122, 3130, 3128, + 3135, 3134, 3144, 3147, 3161, 3164, 3177, 3158, 3172, 3168, + 3156, 3159, 3184, 3171,10542, 3186, 3187,10542, 3157, 3188, + 3191, 3237, 3222, 3198, 3205, 3224, 3209, 3229, 3228, 3227, + 3225, 3245, 3271, 3254, 3251, 3272, 3247, 3278, 3267, 3277, + 3270, 3274, 3273, 3298, 3286, 3290, 3297, 3192, 3250, 3308, + 381, 3317, 3294, 3300, 3310, 3355, 3314, 3325, 3318, 3321, + + 3337, 3335, 3323, 3350, 3357, 3349, 3351, 3364, 3352, 3367, + 3373, 3386, 3376, 3387, 3388, 3389, 3407, 3390,10542, 3359, + 3415, 3401, 3416, 3396, 3427, 3419, 3422,10542, 3417, 3430, + 3413, 3432, 3443, 3431, 3455, 3442, 3447, 3444, 3451, 3456, + 3458, 3466, 3459, 3478,10542, 3468,10542, 3482, 3477, 3473, + 3475, 3486, 3487, 3494, 3483, 3500, 3507, 3511,10542,10542, + 3513, 3510, 3521, 3525, 3531, 3520, 3517, 3523,10542, 3514, + 3560,10542, 3550, 3538, 3558, 3548, 3544, 3552, 3549, 3556, + 3555, 3571, 3566, 3577, 3575, 3579, 3578,10542, 3572, 3598, + 3582, 
3602, 3605, 3596, 3599, 3609, 3611, 3606,10542, 3615, + + 3604, 3634, 3627, 3624, 3635, 3628, 3647, 3648, 3638, 3633, + 3637, 3655, 3653, 3632, 3668, 3673, 3664, 3665, 3677, 3676, + 3683,10542, 3682, 3671, 3674, 3691, 3685, 3688, 3693, 3696, + 3701, 3695, 3680, 3708, 3716, 3714, 3722, 3712, 3724, 3715, + 3729, 3742, 3732, 3726, 3744, 3741, 3748, 3738, 3737, 91, + 3749, 3757, 3751, 3754,10542, 3753, 3773, 3775, 3780, 3781, + 3768, 128, 3776, 3777, 3784, 3793, 3782, 3801, 3794, 3810, + 3821, 3806, 3819, 3825, 3826, 3815, 3816, 3833, 3817, 3820, + 3828, 3846, 3844,10542, 3840, 3850, 3851, 3853, 3866, 3854, + 3870,10542, 3878, 3891, 3871, 3879, 3880, 3890, 3897, 3893, + + 3903, 3899, 3905, 3896, 3913, 3927, 3923, 3919, 3918, 3917, + 10542, 3934, 3938, 3942, 3931, 3944, 3937, 3948, 3952, 3958, + 3953, 3974, 3966, 3955, 3971, 3968, 3969, 3970, 3985, 3992, + 3997, 3982, 3996, 3994, 4005, 4006, 3999, 4008, 4012, 4013, + 4036, 4021,10542, 4047, 4029, 4031, 4038, 4030, 4033, 4048, + 4039, 4067, 4042, 4056, 4066, 4058, 4106, 4068, 4073, 4089, + 4090, 4094, 4095, 4097, 4096, 4100, 4109, 4118, 4134, 4144, + 4093, 4085, 4148, 4153, 4151, 4141, 4137, 4155, 4145, 4140, + 4156, 4168, 4164, 4161, 4166, 4198, 4192, 4176, 4172, 4203, + 4183,10542, 4200, 4193, 4195, 4205, 4202, 4233, 4217, 4224, + + 4231, 4234, 4228, 4230, 4235, 4238, 4245, 4255, 4247, 4258, + 4253, 4263, 4257, 4260, 4270, 4273, 4274, 4283, 4278, 4287, + 4289, 4290,10542, 4300, 4301, 4293, 4298, 4308, 4304, 4309, + 4310, 4316, 4319, 4320, 4323, 4322, 4325, 4315, 4350, 4334, + 4328, 4351, 4348, 4358, 4346,10542, 4359, 4355, 4352, 4361, + 4349, 4369, 4386, 4390, 4396, 4393, 4401, 4400, 4385, 4404, + 4407, 4406,10542, 4409, 4411, 4413, 4430, 4412, 4415, 4425, + 4432, 4447, 4428,10542, 4445, 4431, 4446, 4438, 4434, 4437, + 4468, 4471, 4461,10542, 4473, 4464, 4459, 4462, 4480, 4476, + 4475, 4495, 4477, 4474, 4494, 4503, 4510, 4491, 4511,10542, + + 4506, 4532, 4513, 4519, 4507, 4522, 4529, 4530, 4542, 4551, + 4552, 
4539,10542, 4534, 4558, 4556, 4570, 4549, 4564, 4555, + 4579, 4581, 4583, 4574, 4576, 4593, 4582,10542, 4585, 4587, + 4589, 4603, 4614, 4606, 4608, 4626, 4610, 4612, 4617, 4629, + 4623, 4625, 4639, 4637, 4641, 4652, 4644, 4651, 4650, 4646, + 4661, 4671, 4663, 4681, 4665, 4666, 4673, 4690, 4694, 4689, + 4685, 4675, 4692, 4686, 4709, 4710, 4705, 4719,10542, 4711, + 4721, 4717, 4713, 4703, 4729, 4730, 4727, 4748, 4735, 4742, + 4746, 4753, 4744, 4764, 4765, 4754, 4778, 4766, 4768, 4775, + 4781, 4769, 4777, 4771, 4804, 4795, 4791, 4783, 4792, 4794, + + 4822, 4806, 4817, 4831, 4810, 4813, 4816, 4819, 4826, 4814, + 4821, 4824, 4853, 4857, 4844, 4848, 4849, 4864, 4868, 4865, + 4869, 4866, 4859, 4876, 4886, 4896,10542, 4887, 4877, 4892, + 4890, 4895, 4889, 4903, 4923, 4906, 4914, 4925, 4919, 4932, + 4935, 4920, 4926, 4922, 4937, 4933, 4943,10542, 4938,10542, + 4934, 4963, 4971, 4950, 4949,10542, 4973,10542, 4975, 4974, + 4964, 4965, 4970,10542, 4976, 4966, 4984, 4985, 4989, 5014, + 4995, 4996, 4999, 5019, 5006, 5030, 5026, 5023, 5011, 5013, + 5033, 5041, 5038, 5021, 5025, 5044, 5048, 5064, 5065, 5047, + 5071, 5051, 5060, 5066, 5076, 5062, 5078,10542, 5082, 5092, + + 5084, 5096, 5086, 5094, 5100, 5098, 5106, 5105, 5115, 5121, + 5111, 5129, 5134, 5127, 5132, 5135, 5138, 5141, 5156, 5150, + 5157,10542, 5152, 5160, 5153, 5163,10542, 5173, 5147, 5174, + 5180, 5177, 5167, 5188, 5183, 5194, 5193, 5197, 5196, 5222, + 5219, 5212, 5223,10542, 5218, 5224, 5206, 5232, 5192, 5210, + 5237, 5246, 5243, 5256, 5259, 5252, 5258, 5253, 5247, 5249, + 5251, 5269, 5282, 5286, 5287, 5283, 5294, 5274, 5295, 5291, + 5298, 5284, 5285, 5289, 5299, 5290, 5293, 5309, 5310, 5313, + 5329, 5337, 5322, 5335,10542, 5331, 5332, 5334, 5350, 5352, + 5351, 5353, 5349, 5354, 5381, 5374,10542, 5385, 5366, 5384, + + 5376, 5390, 5377, 5393, 5371, 5369, 5396, 5406, 5417, 5416, + 5410,10542, 5415,10542, 5402, 5433, 5431, 5438, 5429, 5422, + 5442, 5439, 5434, 5451, 5454, 5466, 5461, 5452, 5472, 5456, + 5460, 5480, 
5463, 5483, 5485, 5490, 5484, 5498, 5481, 5493, + 5496, 5499, 5502, 5535, 5510, 5512,10542,10542, 5509, 5520, + 5526, 5528, 5530, 5539, 5551, 5549, 5558, 5554, 5542, 5547, + 5545, 5589,10542, 5566, 5573, 5522, 5577, 5578, 5601, 5581, + 5598, 5606, 5597, 5596, 5608, 5605,10542, 5593, 5600, 5617, + 5609, 5636, 5623,10542, 5626,10542, 5624, 5627, 5628, 5640, + 5625, 5633, 5649, 5650, 5651, 5644, 5654, 5679, 5661, 5670, + + 5677, 5669, 5683, 5667, 5666, 5671, 5692, 5686, 5706, 5681, + 5689, 5694,10542, 5702, 5695, 5714, 5719, 5708, 5720, 5726, + 5727, 5711,10542, 5729, 5735, 5745, 5737, 5742, 5723, 5741, + 5747, 5746, 5743, 5752, 5770, 5768, 5769,10542, 5763, 5758, + 5788, 5779, 5771, 5793, 5794, 5797, 5801,10542, 5798, 5802, + 5807, 5810, 5805, 5812, 5816, 5813, 5809, 5824, 5827, 5830, + 5843, 5838, 5837, 5840, 5851, 5841, 5832, 5861, 5875, 5869, + 5871, 5858, 5860,10542, 5870, 5872, 5876, 5878, 5889, 5890, + 5896, 5900, 5904, 5906, 5905, 5914, 5919, 5903, 5908, 5913, + 5915, 5922, 5943, 5941,10542, 5948, 5927, 5953, 5950, 5932, + + 5959, 5958, 5940, 5961, 5963, 5949, 5952, 5969, 5976, 5977, + 5987, 5970, 5997, 5975, 5980, 5979, 5988, 5993, 6001, 6005, + 6018,10542, 6034, 6003, 6020, 6025, 6022, 6026, 6036, 6037, + 6031, 6038, 6042, 6029, 6056, 6047, 6044, 6069, 6072, 6060, + 10542,10542, 6075, 6052, 6076,10542, 6079, 6068, 6081, 6071, + 6084, 6078, 6091, 6093, 6086, 6102, 6112, 6096, 6123, 6099, + 6115,10542, 6135, 6105, 6138, 6120, 6127, 6143, 6142,10542, + 6126, 6148, 6146, 6150, 6147, 6149, 6139, 6141, 6154, 6151, + 6176, 6162, 6166, 6184, 6193, 6199, 6175, 6181, 6194,10542, + 6177, 6178, 6204, 6201, 6186, 6211, 6202,10542, 6213, 6212, + + 6233, 6229, 6206, 6218, 6242, 6236, 6248, 6228, 6237, 6231, + 6260, 6261, 6262, 6263, 6258, 6253, 6257, 6286, 6280, 6267, + 6269, 6296,10542, 6259, 6290, 6284, 6297, 6303,10542, 6305, + 6319, 6317,10542, 6320, 6295, 6311, 6313, 6331,10542, 6322, + 6332, 6323, 6338, 6326, 6342, 6333, 6346, 6345, 6337, 6347, + 6349, 6358,10542, 
6359, 6360, 6363,10542, 6372, 6376, 6357, + 6380, 6369, 6393, 6385, 6387, 6394, 6396,10542, 6403,10542, + 6398, 6397, 6410,10542, 6414, 6417, 6428, 6413, 6422, 6434, + 6437, 6440, 6445, 6427, 6441, 6430, 6432, 6458, 6460, 6457, + 6453, 6454, 6455, 6469,10542, 6485, 6461, 6467, 6482, 6475, + + 6492, 6490, 6489, 6484, 6502, 6508,10542,10542, 6504,10542, + 6511, 6509, 6517, 6523,10542, 6500, 6516, 6513, 6520, 6544, + 6547, 6528, 6551, 6548,10542, 6553, 6557,10542, 6536, 6555, + 6567, 6540, 6562, 6543, 6570, 6576, 6578, 6572, 6583, 6586, + 6585, 6589, 6581, 6582, 6596, 6624, 6603, 6627,10542, 6612, + 6608, 6609, 6615, 6622, 6617, 6638, 6642, 6623,10542, 6650, + 6659, 6639, 6658, 6645,10542, 6653,10542, 6660, 6666, 6664, + 6669, 6673, 6674, 6686, 6677,10542, 6681, 6685, 6695, 6680, + 6704, 6712, 6710, 6711, 6700, 6702, 6703, 6722, 6727, 6721, + 6713, 6751, 6736,10542, 6737, 6739, 6743, 6735, 6757, 6749, + + 6750, 6747, 6762, 6763, 6770, 6761, 6785, 6769, 6786, 6780, + 6790, 6794, 6795, 6784,10542, 6805, 6807, 6808, 6812, 6831, + 6811, 6815, 6828,10542, 6829, 6839, 6842,10542, 6832, 6853, + 6843, 6848, 6836, 6858, 6859, 6862, 6857, 6869, 6872, 6885, + 10542, 6879, 6880, 6874, 6888, 6897, 6886, 6898,10542,10542, + 6917,10542, 6905, 6903, 6912, 6910, 6906, 6925, 6908, 6932, + 6940, 6924, 6929, 6943, 6944, 6933,10542, 6938, 6778, 6950, + 6983, 6870, 6967, 6961, 6958, 6959,10542,10542, 6980, 6986, + 6973, 6981, 6988, 6978, 6977, 6997, 6991, 7002, 6998, 7006, + 7007,10542, 7015, 7000, 7017, 7016,10542, 7010, 7026, 7018, + + 7025, 7027, 7033, 7034, 7029, 7052, 7042, 7055, 7061, 7056, + 7067, 7048, 7047, 7062, 7058, 7068, 7076, 7077, 7078, 7086, + 10542, 7093, 7083, 7092, 7097, 7095, 7082, 7107, 7094, 7100, + 7104, 7135,10542, 7117,10542, 7123, 7127, 7131, 7138, 7128, + 7146, 7142, 7153, 7144, 7152, 7158, 7164, 7159, 7151, 7168, + 7161, 7166, 7167, 7179, 7197,10542, 7189, 7195, 7199, 7193, + 7190, 7207, 7206,10542, 7208, 7194, 7210, 7219, 7212, 7215, + 7217, 7218, 7225, 7247, 
7233, 7244, 7250, 7251, 7239, 7245, + 7255, 7242, 7261, 7265, 7266,10542, 7257, 7264, 7268, 7267, + 7272, 7291, 7292, 7270, 7300, 7302, 7284, 7293, 7305,10542, + + 7294, 7312, 7310, 7318,10542, 7295, 7311, 7317, 7332, 7329, + 7324, 7322, 7343, 7335, 7337,10542, 7346, 7334, 7356, 7351, + 7339, 7353, 7361, 7359, 7368, 7373, 7370, 7384,10542, 7394, + 7379, 7388, 7396, 7380, 7395, 7389, 7415, 7412, 7399,10542, + 7414, 7422, 7428, 7421, 7418, 7435, 7413, 7423, 7448, 7442, + 7451, 7432, 7440, 7455, 7444, 7459, 7461, 7463, 7467, 7452, + 7478, 7482, 7477,10542, 7469,10542, 7480, 7483, 7486, 7503, + 7511, 7497, 7501, 7510, 7514,10542, 7505, 7519, 7517, 7516, + 7513,10542, 7533, 7537, 7539, 7538,10542, 7548, 7547, 7549, + 7543, 7556, 7558,10542, 7557, 7564, 7563, 7576, 7578, 7579, + + 7587, 7575, 7591, 7581, 7583, 7580, 7600, 7603, 7590, 7606, + 10542, 7605, 7610, 7612, 7616, 7617, 7614, 7620, 7615, 7630, + 7625, 7632,10542, 7641, 7631, 7633, 7643, 7640, 7660, 7649, + 7650, 7670, 7665, 7673, 7648, 7667, 7676, 7678, 7658, 7684, + 10542, 7677, 7672, 7697, 7712, 7713, 7701, 7715,10542, 7705, + 10542, 7704, 7706, 7722, 7716, 7724,10542, 7727, 7731, 7700, + 7736,10542,10542, 7744, 7740, 7743, 7738, 7747,10542,10542, + 7759,10542, 7742,10542, 7752, 7746,10542,10542, 7763, 7750, + 7754, 7757,10542, 7775, 7783, 7785,10542, 7791,10542, 7797, + 7774, 7795, 7782, 7784, 7799,10542, 7781, 7810, 7802, 7805, + + 7816,10542, 7803, 7811, 7822, 7839, 7818, 7827,10542, 7835, + 7845, 7831, 7833,10542, 7852, 7856, 7854, 7843, 7855, 7844, + 7860, 7866, 7862, 7871, 7878, 7869, 7877, 7879, 7889, 7873, + 7902, 7907, 7908, 7898, 7909, 7895, 7914, 7917, 7922, 7926, + 7903, 7912, 7916, 7931, 7935, 7904, 7933, 7938, 7948, 7952, + 7950, 7963, 7954, 7960, 7958, 7944, 7968, 7949, 7962, 7972, + 7965, 7980, 7976, 7978, 7991, 7984, 7992, 7988, 8011, 8000, + 8015, 8005, 8007, 8009,10542, 7999, 8001, 8025, 8027, 8031, + 8041, 8042, 8053, 8055, 8058,10542, 8060,10542, 8062, 8038, + 8065, 8051, 8052,10542, 8044, 
8066, 8073, 8078, 8072, 8082, + + 8094, 8086, 8083, 8089, 8103,10542, 8108, 8114, 8105, 8093, + 8109, 8117,10542, 8128, 8124, 8120, 8122, 8125, 8141, 8135, + 8136, 8139, 8142, 8134, 8149, 8159, 8160, 8151, 8155, 8166, + 10542, 8174, 8179, 8193, 8176, 8177, 8175, 8170, 8178, 8186, + 8196, 8187, 8188, 8204, 8198, 8206, 8205, 8225, 8211, 8228, + 8212,10542, 8221,10542, 8220, 8222, 8231, 8239, 8237, 8245, + 8255, 8251, 8254,10542,10542, 8256, 8257, 8247, 8261, 8264, + 8262, 8263, 8274, 8278, 8290,10542, 8281, 8282, 8289, 8300, + 8299, 8298,10542, 8303, 8308, 8309, 8310,10542, 8307, 8305, + 8335, 8332, 8313, 8323, 8343, 8344, 8338, 8336, 8341, 8331, + + 8348,10542,10542,10542,10542, 8356, 8345, 8355, 8361, 8360, + 8372, 8376, 8381, 8382, 8383, 8367, 8366, 8380,10542, 8396, + 10542,10542, 8393,10542, 8397, 8387, 8400, 8403, 8407, 8406, + 8413,10542, 8416,10542, 8430, 8432, 8424, 8436, 8441, 8440, + 8425, 8446, 8442, 8450, 8429, 8443, 8459, 8460, 8474, 8463, + 8476, 8479, 8480,10542,10542, 8470, 8484, 8482, 8494, 8486, + 8488, 8490, 8500, 8492, 8509, 8489, 8507, 8516, 8505, 8533, + 8534, 8525, 8523, 8537,10542, 8531, 8539, 8542,10542, 8528, + 10542, 8541, 8543, 8549, 8529, 8550, 8569, 8570, 8558, 8571, + 8577,10542,10542, 8565, 8589, 8581,10542,10542, 8572, 8568, + + 8573, 8575, 8601, 8596, 8592,10542, 8604, 8608, 8621, 8597, + 8610, 8626, 8614,10542, 8619,10542, 8609, 8623, 8632, 8618, + 8647, 8652, 8636, 8639, 8656, 8658, 8654, 8640, 8659,10542, + 8660, 8663,10542, 8673, 8668, 8674, 8670, 8666, 8672, 8679, + 10542, 8701, 8686, 8708, 8709,10542, 8710, 8707, 8712, 8705, + 10542, 8716,10542, 8698, 8715, 8721, 8724, 8728,10542, 8703, + 8726, 8748,10542, 8727, 8752, 8756, 8754, 8745, 8750,10542, + 8759, 8743,10542, 8742, 8764, 8765, 8768, 8767, 8771, 8774, + 8778, 8783, 8779, 8780, 8795,10542,10542, 8805, 8798, 73, + 8813, 8788, 8792, 8800, 8810, 8807, 8804, 8814, 8817,10542, + + 10542, 8823,10542, 8825, 8832,10542, 8821, 8839, 8848, 8836, + 8852, 8840, 8841, 8837, 8865, 
8856, 8871, 8863, 8867, 8864, + 10542, 8900, 8907, 8884, 8887, 8888, 8892, 8895, 8904, 8909, + 8890, 8913, 8901, 8898, 8912, 8930, 8919, 8936, 8920, 8922, + 8923, 8932,10542, 8944, 8954, 8955, 8945, 8961, 8967, 8948, + 10542, 8964, 8969, 8974, 8972,10542, 8978, 8971, 8975, 8983, + 8981, 8986,10542, 8979, 8989, 8992, 9005, 9003, 8996, 9007, + 8999, 9000, 9033,10542, 9008, 9016, 9027,10542,10542,10542, + 9024, 9037, 9026,10542, 9038, 9030, 9034, 9028,10542, 9049, + 9041, 8809, 9051,10542,10542,10542, 9045, 9057, 9060,10542, + + 9054, 9071,10542, 9067,10542, 9061,10542, 9075, 9078, 9084, + 9086,10542, 9087, 9090, 9077, 9119,10542, 9099, 9100, 9108, + 9106, 9101, 9097, 9124,10542, 9098, 9126, 9127, 9134, 9118, + 9125, 9117, 9135, 9139, 9144, 9143, 9149,10542, 9151, 9164, + 9167, 9159, 9154, 9162, 9165,10542, 9163,10542, 9174,10542, + 9166, 9175, 9184, 9181, 9189, 9187, 9186, 9201, 9212, 9199, + 9220, 9213, 9200, 9207, 9223, 9229, 9216,10542,10542, 9242, + 9224,10542, 9225, 9241,10542, 9232,10542, 9254,10542, 9239, + 9245,10542, 9252, 9247, 9259,10542,10542, 9267, 9250, 9262, + 9278, 9260, 9275, 9266,10542, 9291, 9281, 9277, 9276,10542, + + 9304,10542, 9280, 9306, 9308,10542, 9287, 9289, 9311, 9317, + 9305, 9301, 9324, 9314, 9328, 9319, 9331, 9326, 9322, 9330, + 9329, 9344, 9351, 9357, 9361,10542,10542,10542, 9353, 9347, + 9368, 9369, 9370, 9380, 9358,10542, 9374, 9382, 9378, 9371, + 9396, 9394, 9393,10542, 9387, 9386, 9391, 9395, 9402, 9400, + 9409, 9406,10542, 9424, 9428, 9430, 9427, 9420, 9435, 9437, + 9441, 9444, 9445, 9436, 9439, 9453, 9451,10542,10542, 9450, + 9442,10542, 9460, 9470,10542, 9454,10542, 9452, 9462, 9463, + 9464, 9487,10542, 9475, 9467, 9476, 9485,10542, 9478, 9497, + 9496, 9504,10542, 9489, 9513, 9490, 9500, 9516, 9523,10542, + + 10542, 9508, 9518,10542, 9530, 9527, 9522, 9543, 9535, 9531, + 9541, 9537,10542, 9540, 9546, 9533, 9545, 9556, 9563, 9570, + 10542, 9569, 9560, 9562, 9564,10542, 9567, 9583, 9590, 9574, + 9588,10542, 9600, 9594, 9586, 
9611,10542, 9598, 9620, 9606, + 10542,10542,10542, 9624, 9628, 9625,10542,10542,10542,10542, + 9630, 9626, 9617, 9637,10542, 9627,10542,10542, 9639, 9650, + 9661, 9640, 9663, 9664,10542, 9660, 9662, 9670, 9654, 9659, + 10542,10542, 9674, 9656, 9658, 9677, 9679, 9666, 9687,10542, + 10542, 9669, 9701, 9706, 9703, 9698,10542, 9697, 9711, 9717, + 9709, 9719, 9722, 9723, 9714, 9721, 9742, 9732, 9736, 9730, + + 9737, 9739, 9753, 9756, 9743, 9765, 9772, 9767, 9768, 9771, + 9759, 9770,10542,10542, 9776,10542, 9777, 9781,10542, 9766, + 10542, 9791, 9796, 9805, 9806,10542, 9807, 9809, 9810, 9812, + 9787,10542, 9811, 9815, 9816, 9817, 9818, 9801,10542, 9804, + 9822, 9808, 9824, 9814, 9837, 9840, 9854, 9858,10542, 9844, + 9860,10542,10542, 9843, 9862, 9842, 9871, 9848,10542, 9870, + 9867, 9849, 9869, 9864, 9884, 9887,10542, 9898, 9896,10542, + 10542, 9908, 9891,10542,10542, 9881, 9889,10542,10542,10542, + 10542,10542,10542,10542,10542, 9910, 9914,10542,10542, 9900, + 9919, 9920, 9921,10542, 9922,10542, 9901, 9929, 9939, 9925, + + 10542, 9936,10542, 9930, 9944, 9949, 9956, 9946, 9959, 9951, + 9948, 9966, 9952, 9965, 9947, 9987, 9985, 9993, 9978, 9995, + 9982,10002, 9983,10008,10542,10542,10542,10542, 9992,10011, + 10007,10009,10015,10020,10016,10032,10022,10017,10036,10045, + 10046,10027,10038,10060,10042,10049,10057,10067,10054,10070, + 10071,10542,10075,10076,10063,10085,10542,10077,10542,10068, + 10542,10542,10093,10095,10097,10080,10111,10113,10100,10102, + 10098,10116,10110,10542,10128,10542,10542,10542,10109,10119, + 10542,10120,10127,10542,10125,10144,10132,10137,10140,10141, + 10157,10158,10156,10542,10542,10154,10152,10146,10169,10177, + + 10180,10185,10183,10189,10190,10172,10198,10542,10200,10197, + 10203,10542,10201,10187,10204,10207,10216,10213,10217,10210, + 10542,10218,10542,10220,10230,10243,10222,10232,10245,10253, + 10247,10260,10542,10229,10263,10257,10266,10270,10256,10279, + 10277,10265,10284,10293,10299,10294,10298,10283,10303,10288, + 
10542,10309,10300,10542,10312,10313,10314,10323,10330,10542, + 10324,10328,10329,10336,10338,10345,10542,10343,10349,10346, + 10542,10354,10542,10542,10356,10358,10363,10362,10366,10542, + 10542,10542,10422,10429,10436,10443,10450,10457,10464, 102, + 10471,10478,10485,10492,10499,10506,10513,10520,10527,10534 - 9953 } ; -static const flex_int16_t yy_def3502 = +static const flex_int16_t yy_def3701 = { 0, - 3483, 1, 3484, 3484, 3485, 3485, 3486, 3486, 3487, 3487, - 3488, 3488, 3489, 3489, 3490, 3490, 3483, 3491, 3483, 3483, - 3483, 3483, 3492, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3493, 3483, 3483, 3483, - 3493, 3494, 3483, 3483, 3483, 3494, 3495, 3483, 3483, 3483, - 3483, 3495, 3496, 3483, 3483, 3483, 3496, 3497, 3483, 3498, - 3483, 3497, 3497, 3499, 3483, 3483, 3483, 3483, 3499, 3500, - 3483, 3483, 3483, 3500, 3491, 3491, 3483, 3501, 3492, 3501, - 3492, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3493, - 3493, 3494, 3494, 3495, 3495, 3483, 3496, 3496, 3497, 3497, - 3498, 3498, 3497, 3499, 3499, 3483, 3500, 3500, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 
3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3497, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3497, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 
3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3483, 3483, 3491, 3483, 3483, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 
3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3497, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3497, 3497, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 
3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, - - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 
3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3497, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 
3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3497, 3491, 3483, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3483, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3483, 3491, 3483, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3497, 3491, 
3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3497, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491, - 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3483, 3491, 3483, - 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 
3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3497, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3483, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3497, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3483, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3483, 3491, 3491, 3491, 3483, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - - 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3483, 3491, 3491, 3491, 
3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3483, 3491, 3491, 3497, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3491, - 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3483, 3483, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3483, - 3483, 3491, 3491, 3491, 3483, 3491, 3491, 3483, 3491, 3483, - 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - - 3483, 3483, 3491, 3491, 3483, 3491, 3483, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3483, 3483, 3491, 3483, 3491, 3491, 3491, - - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3483, 3491, 3491, 
3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3483, 3483, 3491, - 3491, 3491, 3483, 3483, 3483, 3483, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, - 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3483, 3491, 3483, 3491, 3491, 3483, - 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3483, - 3483, 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3483, 3491, 3491, 3483, 3483, 3491, - 3491, 3483, 3483, 3491, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3483, 3491, - - 3483, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3483, - 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3483, 3491, - 3483, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3483, 3491, 3483, 3483, 3491, - 3491, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3483, 3483, 3491, 3491, 3491, 3491, - - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3483, 3491, - 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, 3491, - 3491, 3483, 3491, 3491, 3483, 3491, 3491, 3491, 3491, 3491, - 3483, 3491, 3491, 3491, 3491, 3491, 
3491, 3483, 3491, 3491, - 3491, 3483, 3491, 3483, 3483, 3491, 3491, 3491, 3491, 3491, - 3483, 3483, 0, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, + 3682, 1, 3683, 3683, 3684, 3684, 3685, 3685, 3686, 3686, + 3687, 3687, 3688, 3688, 3689, 3689, 3682, 3690, 3682, 3682, + 3682, 3682, 3691, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3692, 3682, 3682, 3682, + 3692, 3693, 3682, 3682, 3682, 3693, 3694, 3682, 3682, 3682, + 3682, 3694, 3695, 3682, 3682, 3682, 3695, 3696, 3682, 3697, + 3682, 3696, 3696, 3698, 3682, 3682, 3682, 3682, 3698, 3699, + 3682, 3682, 3682, 3699, 3690, 3690, 3682, 3700, 3691, 3700, + 3691, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3692, + 3692, 3693, 3693, 3694, 3694, 3682, 3695, 3695, 3696, 3696, + 3697, 3697, 3696, 3698, 3698, 3682, 3699, 3699, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3696, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 
3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3696, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3696, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 
3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3696, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3682, 3682, 3690, 3682, 3682, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 
3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3696, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3696, 3696, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 
3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3696, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 
3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + + 3690, 3690, 3696, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3696, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 
3682, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3682, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3696, 3690, 3682, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3682, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3690, 3682, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 
3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3696, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3696, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 
3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3682, 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3682, + 3690, 3682, 3690, 3682, 3690, 3690, 3682, 3682, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3682, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3696, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3682, 3682, 3682, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3682, 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3696, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3682, 3690, 3690, 
3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3682, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3682, 3690, 3690, 3690, 3682, 3682, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3690, 3690, 3696, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + + 3682, 3690, 3682, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3682, 3682, 3682, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3682, 3682, 3682, 3690, 3690, 3690, 3682, + + 3690, 3690, 3682, 3690, 3682, 3690, 3682, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3690, + 3690, 3682, 3690, 3690, 3682, 3690, 3682, 3690, 
3682, 3690, + 3690, 3682, 3690, 3690, 3690, 3682, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3682, + + 3690, 3682, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3682, 3690, + 3690, 3682, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + + 3682, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3682, 3682, 3682, 3690, 3690, 3690, 3682, 3682, 3682, 3682, + 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, + 3682, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, + 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3682, 3690, 3682, 3690, 3690, 3682, 3690, + 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3682, 3682, 3690, 3690, 3690, 3690, 3690, 3682, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3682, + 3682, 3690, 3690, 3682, 3682, 3690, 3690, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3690, 3690, 3682, 3682, 3690, + 3690, 3690, 3690, 3682, 3690, 3682, 3690, 3690, 3690, 
3690, + + 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3682, 3682, 3682, 3682, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3682, 3690, 3682, 3690, + 3682, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3690, 3682, 3682, 3682, 3690, 3690, + 3682, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3682, 3682, 3690, 3690, 3690, 3690, 3690, + + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, + 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, 3690, + 3682, 3690, 3690, 3682, 3690, 3690, 3690, 3690, 3690, 3682, + 3690, 3690, 3690, 3690, 3690, 3690, 3682, 3690, 3690, 3690, + 3682, 3690, 3682, 3682, 3690, 3690, 3690, 3690, 3690, 3682, + 3682, 0, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682 - 3483 } ; -static const flex_int16_t yy_nxt10028 = +static const flex_int16_t yy_nxt10609 = { 0, 18, 19, 20, 21, 22, 23, 22, 18, 18, 18, 18, 18, 22, 24, 25, 26, 27, 28, 29, 18, 
@@ -1586,12 +1650,12 @@ 59, 60, 61, 120, 22, 58, 59, 60, 61, 86, 22, 64, 65, 66, 64, 65, 66, 87, 160, 160, - 1325, 88, 85, 51, 119, 86, 51, 167, 167, 56, + 1368, 88, 85, 51, 119, 86, 51, 167, 167, 56, 120, 56, 170, 75, 76, 77, 78, 62, 22, 75, 76, 77, 78, 62, 22, 81, 82, 83, 67, 97, 86, 67, 19, 20, 21, 69, 70, 71, 19, 20, 21, 69, 70, 71, 81, 82, 83, 121, 108, 177, - 177, 79, 72, 159, 409, 86, 97, 79, 72, 86, + 177, 79, 72, 159, 415, 86, 97, 79, 72, 86, 137, 90, 84, 90, 90, 86, 90, 170, 109, 178, 73, 86, 90, 86, 121, 108, 73, 176, 87, 72, 159, 84, 88, 86, 130, 72, 112, 137, 110, 162, @@ -1602,8 +1666,8 @@ 173, 113, 86, 98, 86, 188, 166, 92, 93, 111, 99, 94, 114, 165, 100, 187, 95, 101, 85, 162, 85, 85, 162, 85, 163, 96, 102, 161, 115, 85, - 103, 116, 189, 104, 181, 105, 106, 252, 117, 164, - 118, 164, 164, 292, 164, 86, 107, 90, 86, 90, + 103, 116, 189, 104, 181, 105, 106, 254, 117, 164, + 118, 164, 164, 294, 164, 86, 107, 90, 86, 90, 90, 86, 90, 102, 86, 115, 122, 103, 116, 189, 104, 181, 105, 106, 123, 117, 180, 118, 126, 86, 124, 86, 127, 107, 125, 86, 156, 160, 160, 148, 
@@ -1612,1075 +1676,1139 @@ 150, 123, 176, 180, 86, 126, 151, 124, 179, 127, 175, 125, 86, 156, 152, 86, 148, 157, 149, 167, 167, 158, 170, 128, 153, 129, 131, 150, 154, 155, - 132, 182, 86, 151, 133, 179, 328, 86, 168, 205, + 132, 182, 86, 151, 133, 179, 332, 86, 168, 206, 134, 152, 169, 135, 169, 169, 86, 169, 86, 184, 136, 153, 86, 131, 195, 154, 155, 132, 182, 86, - 174, 133, 174, 174, 166, 174, 205, 134, 86, 85, - 135, 85, 85, 86, 85, 332, 184, 136, 138, 1176, - 85, 195, 139, 90, 183, 90, 90, 206, 90, 185, + 174, 133, 174, 174, 166, 174, 206, 134, 86, 85, + 135, 85, 85, 86, 85, 336, 184, 136, 138, 1212, + 85, 195, 139, 90, 183, 90, 90, 207, 90, 185, 165, 86, 140, 141, 90, 142, 86, 193, 194, 197, 196, 163, 186, 161, 86, 138, 86, 86, 86, 139, - 86, 183, 86, 86, 206, 240, 185, 198, 3483, 140, + 86, 183, 263, 86, 207, 338, 185, 198, 86, 140, 141, 91, 142, 143, 193, 194, 144, 196, 190, 186, - 199, 86, 201, 145, 191, 200, 192, 146, 147, 86, - 334, 86, 240, 86, 198, 86, 207, 3483, 86, 86, - 143, 208, 3483, 144, 209, 190, 215, 199, 86, 201, - 145, 191, 200, 192, 146, 147, 202, 203, 211, 86, - 210, 212, 86, 207, 204, 228, 86, 3483, 208, 217, - 216, 209, 86, 86, 213, 214, 3483, 86, 86, 86, - - 225, 3483, 86, 202, 203, 211, 218, 210, 212, 226, - 220, 204, 228, 86, 221, 223, 217, 216, 227, 229, - 224, 213, 214, 86, 232, 230, 219, 225, 86, 253, - 222, 86, 86, 218, 86, 231, 226, 220, 86, 86, - 233, 221, 223, 86, 86, 227, 229, 224, 235, 86, - 234, 232, 230, 219, 237, 236, 253, 222, 238, 86, - 3483, 239, 231, 86, 86, 241, 245, 233, 86, 246, - 86, 86, 86, 3483, 242, 235, 86, 234, 86, 247, - 248, 237, 236, 243, 251, 238, 3483, 86, 239, 244, - 3483, 249, 241, 245, 257, 250, 246, 86, 86, 3483, - - 254, 242, 259, 261, 86, 258, 247, 248, 262, 86, - 243, 251, 267, 86, 86, 260, 244, 255, 249, 86, - 256, 257, 250, 86, 263, 266, 86, 254, 268, 259, - 261, 270, 258, 264, 86, 262, 277, 269, 272, 267, - 86, 271, 260, 86, 255, 265, 86, 256, 86, 86, - 3483, 263, 266, 86, 86, 268, 177, 177, 
270, 3483, - 264, 3483, 170, 277, 269, 272, 3483, 273, 271, 3483, - 3483, 164, 265, 164, 164, 169, 164, 169, 169, 90, - 169, 90, 90, 174, 90, 174, 174, 274, 174, 86, - 3483, 276, 3483, 280, 273, 278, 281, 282, 283, 284, - - 86, 275, 279, 3483, 285, 86, 338, 3483, 3483, 86, - 86, 86, 286, 290, 86, 86, 291, 172, 276, 86, - 280, 86, 278, 281, 282, 283, 284, 287, 275, 279, - 86, 285, 340, 288, 289, 86, 86, 293, 86, 286, - 290, 294, 86, 291, 301, 303, 3483, 302, 306, 3483, - 307, 304, 308, 86, 305, 314, 310, 86, 295, 86, - 288, 289, 86, 86, 86, 86, 311, 86, 294, 3483, - 86, 301, 303, 86, 302, 306, 86, 307, 304, 86, - 309, 305, 314, 310, 86, 295, 296, 312, 86, 318, - 317, 297, 313, 311, 326, 370, 298, 315, 86, 86, - - 316, 86, 299, 300, 319, 86, 325, 309, 3483, 86, - 3483, 86, 86, 296, 312, 329, 318, 317, 297, 313, - 86, 326, 370, 298, 315, 327, 86, 316, 86, 299, - 300, 319, 320, 325, 330, 321, 86, 322, 337, 335, - 333, 86, 329, 342, 86, 331, 339, 86, 3483, 323, - 344, 324, 327, 336, 341, 3483, 3483, 3483, 86, 320, - 345, 3483, 321, 343, 322, 337, 86, 333, 86, 351, - 346, 86, 331, 339, 86, 86, 323, 86, 324, 347, - 336, 341, 86, 86, 348, 349, 86, 345, 86, 352, - 343, 86, 353, 356, 350, 354, 351, 346, 355, 86, - - 357, 364, 360, 86, 86, 86, 347, 86, 361, 362, - 86, 348, 349, 86, 86, 367, 352, 86, 358, 353, - 356, 350, 354, 359, 86, 355, 363, 357, 373, 360, - 369, 86, 86, 86, 368, 361, 362, 365, 366, 372, - 371, 86, 374, 375, 376, 378, 86, 86, 86, 3483, - 86, 86, 86, 363, 377, 381, 379, 369, 86, 86, - 86, 368, 380, 383, 365, 366, 372, 371, 3483, 86, - 375, 384, 378, 386, 86, 387, 86, 86, 382, 388, - 390, 377, 86, 379, 389, 3483, 391, 86, 385, 86, - 392, 394, 86, 86, 170, 86, 86, 86, 384, 86, - - 386, 395, 387, 396, 393, 382, 388, 390, 86, 398, - 397, 389, 86, 391, 3483, 385, 399, 392, 401, 403, - 405, 400, 402, 86, 404, 86, 86, 86, 86, 406, - 396, 393, 86, 86, 86, 86, 407, 397, 86, 408, - 3483, 86, 411, 399, 412, 401, 403, 413, 400, 402, - 410, 404, 86, 86, 415, 414, 406, 
416, 86, 86, - 419, 86, 420, 407, 421, 86, 408, 86, 86, 411, - 86, 412, 417, 418, 413, 86, 422, 410, 86, 423, - 86, 415, 414, 426, 416, 424, 428, 431, 3483, 420, - 86, 86, 86, 427, 86, 429, 86, 432, 433, 417, - - 418, 86, 425, 422, 86, 435, 86, 434, 86, 86, - 426, 86, 424, 436, 431, 86, 438, 437, 86, 430, - 427, 86, 439, 445, 432, 433, 86, 86, 441, 425, - 86, 86, 435, 440, 434, 443, 442, 86, 86, 86, - 436, 446, 86, 438, 437, 86, 430, 447, 3483, 439, - 445, 448, 444, 3483, 86, 441, 3483, 455, 456, 86, - 440, 3483, 443, 442, 3483, 457, 86, 86, 463, 462, - 469, 86, 3483, 86, 447, 86, 467, 3483, 448, 444, - 449, 468, 86, 450, 455, 456, 464, 86, 451, 452, - 453, 454, 457, 86, 86, 463, 462, 469, 86, 465, - - 466, 86, 470, 3483, 458, 3483, 459, 449, 86, 478, - 450, 471, 476, 464, 472, 451, 452, 453, 454, 460, - 473, 86, 461, 479, 86, 477, 465, 466, 86, 86, - 86, 458, 86, 459, 474, 475, 86, 480, 471, 476, - 481, 472, 482, 86, 86, 86, 460, 473, 483, 461, - 479, 485, 477, 484, 86, 3483, 488, 493, 486, 86, - 487, 474, 475, 86, 480, 86, 86, 481, 86, 482, - 86, 489, 86, 490, 492, 483, 494, 495, 485, 86, - 484, 86, 491, 496, 493, 486, 507, 487, 86, 497, - 498, 3483, 499, 500, 505, 3483, 506, 86, 489, 86, - - 490, 492, 3483, 508, 495, 86, 86, 550, 86, 491, - 496, 501, 86, 563, 86, 509, 497, 498, 86, 499, - 500, 505, 86, 506, 502, 522, 523, 503, 525, 504, - 86, 526, 86, 527, 530, 86, 541, 86, 501, 86, - 86, 542, 509, 86, 524, 86, 86, 86, 528, 540, - 86, 502, 522, 523, 503, 525, 504, 510, 526, 511, - 527, 530, 546, 3483, 529, 512, 539, 86, 86, 513, - 86, 524, 86, 545, 514, 528, 540, 515, 86, 170, - 3483, 543, 547, 86, 510, 548, 511, 549, 544, 546, - 568, 529, 512, 539, 86, 86, 513, 551, 86, 552, - - 545, 514, 86, 86, 515, 516, 86, 517, 543, 547, - 554, 558, 548, 615, 549, 544, 553, 556, 86, 555, - 518, 559, 86, 519, 551, 520, 552, 521, 86, 86, - 3483, 86, 516, 560, 517, 557, 561, 562, 558, 86, - 86, 3483, 86, 553, 556, 86, 555, 518, 559, 86, - 519, 564, 520, 3483, 521, 531, 532, 
567, 86, 601, - 560, 566, 557, 561, 562, 533, 534, 535, 536, 537, - 86, 569, 538, 86, 565, 570, 86, 86, 564, 3483, - 86, 86, 531, 532, 567, 571, 86, 3483, 566, 572, - 573, 86, 533, 534, 535, 536, 537, 574, 569, 538, - - 575, 565, 570, 576, 86, 582, 577, 86, 583, 578, - 587, 86, 571, 585, 86, 588, 3483, 586, 86, 86, - 579, 580, 86, 584, 574, 86, 86, 575, 86, 606, - 576, 86, 582, 577, 86, 583, 578, 587, 581, 86, - 585, 590, 588, 589, 586, 86, 602, 579, 580, 603, - 584, 608, 86, 3483, 86, 591, 592, 604, 609, 605, - 607, 86, 3483, 738, 86, 581, 86, 593, 590, 594, - 589, 86, 86, 602, 86, 610, 603, 86, 608, 3483, - 86, 86, 591, 592, 604, 609, 605, 607, 612, 611, - 86, 613, 3483, 614, 593, 86, 594, 595, 617, 86, - - 616, 3483, 610, 618, 3483, 596, 597, 86, 620, 598, - 599, 86, 86, 600, 619, 612, 611, 86, 613, 86, - 614, 623, 86, 624, 595, 617, 621, 616, 622, 86, - 618, 86, 596, 597, 86, 620, 598, 599, 86, 625, - 600, 627, 628, 86, 630, 86, 86, 626, 623, 86, - 624, 629, 631, 621, 633, 622, 86, 634, 632, 86, - 86, 635, 3483, 638, 636, 86, 625, 637, 627, 628, - 639, 630, 86, 86, 626, 86, 86, 86, 629, 631, - 86, 633, 640, 642, 634, 632, 86, 86, 635, 86, - 638, 636, 641, 643, 637, 644, 645, 639, 86, 646, - - 647, 86, 86, 648, 650, 649, 86, 651, 86, 640, - 642, 86, 86, 86, 86, 86, 652, 653, 86, 641, - 643, 654, 644, 645, 655, 656, 646, 647, 657, 86, - 648, 650, 649, 660, 651, 658, 663, 661, 659, 86, - 666, 86, 665, 652, 664, 3483, 662, 86, 654, 86, - 86, 86, 656, 669, 86, 657, 86, 86, 86, 672, - 660, 668, 658, 667, 661, 659, 86, 673, 86, 665, - 675, 664, 86, 662, 86, 86, 670, 671, 3483, 674, - 669, 86, 86, 86, 676, 677, 672, 678, 668, 86, - 667, 86, 86, 86, 673, 86, 688, 675, 687, 691, - - 3483, 86, 86, 670, 671, 86, 674, 86, 690, 689, - 692, 676, 677, 3483, 678, 679, 693, 3483, 3483, 3483, - 680, 86, 681, 688, 698, 687, 691, 86, 682, 694, - 683, 86, 86, 684, 685, 690, 689, 692, 697, 3483, - 686, 86, 679, 693, 695, 701, 86, 680, 696, 681, - 86, 698, 86, 3483, 706, 682, 694, 
683, 702, 699, - 684, 685, 700, 86, 704, 697, 86, 686, 703, 705, - 86, 695, 701, 707, 3483, 696, 86, 86, 86, 709, - 86, 706, 710, 3483, 86, 708, 699, 711, 713, 700, - 86, 704, 86, 715, 716, 703, 705, 3483, 712, 714, - - 707, 718, 86, 86, 726, 86, 709, 3483, 722, 710, - 86, 86, 708, 86, 711, 713, 719, 717, 721, 86, - 715, 716, 86, 86, 720, 712, 714, 724, 718, 86, - 86, 723, 86, 725, 86, 722, 86, 727, 729, 732, - 733, 728, 730, 719, 717, 721, 86, 731, 86, 86, - 86, 720, 86, 86, 724, 86, 170, 734, 723, 86, - 725, 735, 737, 86, 727, 729, 732, 733, 728, 730, - 736, 86, 739, 86, 731, 740, 741, 3483, 742, 743, - 745, 86, 744, 3483, 734, 751, 86, 747, 735, 737, - 86, 746, 86, 86, 752, 86, 86, 736, 755, 753, - - 756, 757, 740, 86, 86, 742, 743, 745, 86, 744, - 748, 86, 751, 86, 747, 754, 758, 749, 746, 759, - 750, 760, 768, 766, 764, 86, 86, 86, 86, 86, - 761, 765, 763, 86, 770, 762, 769, 748, 86, 86, - 767, 86, 754, 86, 749, 86, 86, 750, 86, 768, - 766, 764, 773, 86, 774, 86, 86, 772, 765, 763, - 86, 770, 86, 769, 771, 86, 775, 767, 86, 776, - 779, 777, 778, 86, 780, 86, 781, 3483, 785, 773, - 86, 782, 783, 86, 772, 787, 86, 86, 86, 86, - 3483, 771, 86, 775, 86, 795, 776, 779, 777, 778, - - 86, 780, 784, 781, 86, 785, 786, 3483, 782, 783, - 86, 789, 788, 86, 798, 3483, 794, 86, 790, 796, - 797, 86, 795, 791, 86, 86, 792, 793, 86, 784, - 799, 86, 801, 786, 86, 800, 86, 802, 789, 788, - 803, 798, 86, 794, 86, 790, 796, 797, 86, 804, - 791, 3483, 86, 792, 793, 805, 3483, 799, 86, 801, - 808, 807, 800, 809, 810, 811, 812, 803, 816, 86, - 3483, 3483, 3483, 86, 86, 86, 804, 806, 86, 814, - 813, 817, 805, 86, 86, 86, 86, 808, 807, 815, - 809, 810, 811, 812, 86, 86, 86, 818, 822, 86, - - 820, 86, 821, 819, 806, 86, 814, 813, 817, 86, - 823, 86, 824, 86, 825, 3483, 815, 826, 827, 834, - 86, 828, 829, 830, 818, 822, 3483, 820, 833, 821, - 819, 832, 86, 86, 831, 835, 86, 836, 86, 824, - 837, 825, 86, 839, 86, 86, 86, 86, 828, 829, - 830, 86, 838, 86, 86, 833, 3483, 86, 832, 842, - 
843, 831, 835, 840, 86, 86, 844, 837, 841, 86, - 839, 847, 849, 86, 86, 848, 3483, 851, 850, 838, - 845, 846, 856, 86, 86, 852, 842, 843, 86, 853, - 86, 854, 860, 844, 3483, 86, 862, 861, 857, 849, - - 86, 864, 848, 86, 851, 850, 855, 845, 846, 86, - 858, 86, 852, 86, 86, 86, 853, 863, 854, 86, - 859, 865, 86, 862, 86, 857, 86, 866, 864, 86, - 867, 868, 86, 855, 869, 871, 872, 858, 870, 86, - 86, 3483, 86, 86, 863, 3483, 86, 859, 865, 873, - 3483, 874, 86, 881, 866, 875, 882, 867, 868, 876, - 879, 869, 871, 86, 877, 870, 878, 86, 86, 86, - 3483, 86, 86, 86, 86, 86, 873, 880, 874, 883, - 884, 3483, 875, 882, 886, 86, 876, 879, 885, 86, - 86, 877, 86, 878, 887, 86, 86, 888, 890, 889, - - 3483, 891, 86, 896, 880, 897, 883, 884, 86, 86, - 86, 886, 895, 892, 893, 885, 86, 901, 3483, 894, - 86, 887, 86, 899, 888, 890, 889, 86, 891, 898, - 896, 86, 897, 86, 86, 900, 86, 903, 902, 895, - 892, 893, 904, 86, 901, 908, 894, 905, 907, 906, - 899, 86, 86, 86, 3483, 86, 898, 909, 910, 86, - 911, 86, 900, 86, 903, 902, 912, 86, 86, 904, - 913, 914, 908, 916, 905, 907, 906, 86, 915, 86, - 918, 917, 86, 919, 909, 910, 86, 911, 86, 920, - 921, 86, 3483, 912, 924, 86, 86, 913, 914, 86, - - 916, 922, 928, 927, 935, 915, 923, 918, 917, 86, - 925, 170, 86, 926, 86, 86, 920, 921, 931, 86, - 932, 924, 86, 929, 86, 933, 86, 934, 922, 86, - 927, 930, 936, 923, 937, 86, 86, 925, 938, 86, - 926, 941, 86, 86, 939, 86, 86, 932, 942, 86, - 929, 940, 933, 86, 934, 944, 943, 86, 930, 936, - 86, 937, 946, 3483, 86, 938, 945, 86, 86, 86, - 3483, 939, 954, 86, 3483, 942, 86, 3483, 940, 3483, - 955, 957, 944, 943, 86, 3483, 3483, 3483, 956, 946, - 86, 959, 3483, 945, 947, 958, 3483, 948, 967, 954, - - 3483, 949, 86, 961, 950, 86, 86, 955, 957, 86, - 962, 951, 952, 964, 953, 956, 86, 963, 959, 86, - 968, 947, 958, 960, 948, 967, 86, 977, 949, 86, - 961, 950, 966, 965, 86, 3483, 86, 962, 951, 952, - 964, 953, 86, 86, 963, 86, 976, 979, 980, 86, - 960, 3483, 86, 86, 977, 981, 86, 978, 86, 966, - 965, 
969, 970, 86, 971, 3483, 3483, 972, 984, 982, - 3483, 86, 973, 976, 979, 980, 986, 3483, 974, 975, - 989, 988, 981, 86, 978, 983, 1015, 86, 969, 970, - 86, 971, 86, 985, 972, 984, 982, 987, 86, 973, - - 993, 86, 992, 986, 86, 974, 975, 989, 988, 86, - 990, 994, 983, 995, 997, 991, 3483, 996, 86, 1000, - 985, 998, 86, 86, 987, 999, 86, 993, 1001, 992, - 1005, 1003, 1021, 1004, 1002, 86, 86, 86, 994, 86, - 995, 997, 86, 86, 996, 86, 86, 86, 998, 86, - 1007, 1006, 999, 86, 1008, 1001, 86, 1005, 1003, 86, - 1004, 1002, 1009, 1010, 86, 1011, 1012, 1013, 1014, 86, - 1017, 1023, 3483, 86, 86, 86, 86, 1007, 1006, 1016, - 86, 1008, 86, 1018, 1025, 1020, 1024, 1026, 1019, 1009, - 1010, 86, 1011, 1012, 1013, 1014, 1022, 86, 1027, 1028, - - 1029, 86, 1030, 86, 86, 1031, 1016, 86, 86, 1033, - 3483, 86, 1020, 1024, 1026, 86, 86, 1034, 86, 86, - 1038, 1032, 1039, 1022, 86, 1027, 1028, 86, 1036, 86, - 86, 86, 1031, 1035, 1040, 1037, 1033, 86, 1041, 86, - 86, 1042, 86, 86, 1034, 1044, 3483, 86, 1032, 1039, - 1043, 1045, 1047, 86, 1046, 1036, 1049, 86, 86, 3483, - 1035, 1040, 1037, 86, 1048, 86, 1050, 1053, 1052, 86, - 86, 1051, 1044, 86, 86, 1054, 3483, 1043, 1045, 1047, - 86, 1046, 86, 1049, 86, 86, 1057, 1055, 86, 86, - 1079, 1048, 1056, 1050, 1053, 1052, 1058, 1059, 1051, 1060, - - 1061, 1062, 1054, 86, 1065, 86, 1063, 1066, 86, 1067, - 86, 3483, 86, 1057, 1064, 86, 1068, 86, 3483, 86, - 3483, 3483, 86, 1058, 1059, 1070, 1060, 1061, 1062, 86, - 86, 1065, 86, 1063, 86, 1071, 1067, 1074, 86, 1069, - 1073, 1064, 86, 1068, 1072, 86, 1075, 86, 1077, 86, - 86, 1076, 1070, 1078, 1080, 86, 3483, 86, 1084, 3483, - 1087, 86, 1071, 1083, 1074, 1085, 1069, 1073, 1081, 1082, - 1088, 1072, 86, 1075, 86, 1077, 86, 86, 1076, 86, - 1078, 1080, 86, 86, 86, 1084, 1086, 1087, 1091, 1093, - 1083, 1090, 1085, 1089, 1098, 1081, 1082, 86, 86, 86, - - 1092, 86, 1094, 1096, 1099, 1095, 86, 86, 86, 86, - 86, 86, 1097, 1086, 1101, 1091, 1093, 1103, 1090, 86, - 1089, 1100, 1102, 1104, 86, 1105, 86, 1092, 
3483, 1094, - 1096, 1106, 1095, 1107, 86, 86, 86, 1108, 1113, 1097, - 1110, 86, 1112, 1114, 1103, 1109, 86, 1111, 1100, 1102, - 1116, 1117, 86, 86, 86, 86, 1115, 86, 1106, 86, - 1107, 1118, 86, 1120, 1108, 86, 3483, 1110, 86, 1112, - 86, 3483, 1109, 1121, 1111, 86, 1122, 1116, 1117, 1119, - 86, 1123, 86, 1115, 1126, 1128, 86, 1129, 1132, 1127, - 86, 1130, 3483, 86, 1124, 86, 1125, 86, 86, 1131, - - 1121, 1134, 1133, 1122, 86, 86, 1119, 1136, 1123, 86, - 86, 1137, 1128, 1146, 1129, 1132, 170, 86, 1130, 1135, - 86, 1124, 86, 1125, 86, 86, 1131, 1139, 1134, 1133, - 1138, 3483, 1147, 86, 1136, 1148, 1149, 86, 1137, 86, - 1146, 1150, 1151, 86, 3483, 1175, 1135, 86, 1154, 1173, - 3483, 1156, 1207, 3483, 1139, 86, 1157, 1138, 1140, 1147, - 1141, 1152, 1148, 86, 1142, 86, 1143, 1153, 1150, 1151, - 86, 1144, 86, 86, 1158, 1154, 1145, 1155, 1179, 86, - 86, 86, 86, 86, 1159, 1140, 86, 1141, 1152, 3483, - 86, 1142, 86, 1143, 1153, 1160, 1162, 86, 1144, 1163, - - 1165, 1158, 1166, 1145, 1155, 1179, 1167, 1161, 86, 1164, - 1168, 1159, 1169, 1170, 1171, 86, 86, 1174, 86, 86, - 1172, 86, 1160, 1162, 86, 86, 1163, 1165, 1177, 1166, - 1188, 86, 1189, 1167, 1161, 86, 1164, 1168, 1178, 1169, - 1170, 1171, 86, 86, 1180, 86, 1193, 1172, 1190, 86, - 3483, 1191, 3483, 86, 86, 1192, 1197, 1188, 3483, 1189, - 86, 86, 1198, 3483, 86, 1178, 86, 1194, 86, 1195, - 86, 1180, 1181, 1193, 1196, 1190, 1200, 1182, 1191, 1183, - 86, 86, 1192, 1197, 1199, 1184, 86, 86, 1201, 1198, - 1185, 1186, 1202, 1203, 1194, 86, 1195, 1187, 86, 1181, - - 1205, 1196, 86, 1204, 1182, 1208, 1183, 86, 86, 86, - 86, 1199, 1184, 1206, 86, 1201, 1209, 1185, 1186, 1202, - 1203, 1210, 86, 86, 1187, 1211, 3483, 1205, 86, 1212, - 1204, 1214, 1208, 1213, 1215, 1216, 1217, 86, 1221, 3483, - 1206, 1218, 3483, 1209, 86, 86, 1219, 1222, 3483, 86, - 1220, 3483, 1211, 86, 1224, 86, 1212, 86, 1214, 86, - 1213, 86, 1216, 1217, 86, 86, 86, 1223, 1218, 1226, - 86, 1225, 1227, 1219, 1222, 86, 86, 1220, 86, 86, - 1228, 1224, 86, 1229, 
1230, 1231, 1233, 1232, 3483, 1234, - 1235, 3483, 1247, 3483, 1223, 86, 1226, 86, 1225, 1227, - - 86, 86, 86, 86, 1237, 1238, 86, 1228, 1236, 1239, - 1229, 1230, 1231, 86, 1232, 86, 1234, 1235, 86, 1240, - 1242, 1241, 86, 1243, 86, 1245, 86, 1244, 86, 1246, - 3483, 1237, 1238, 86, 3483, 1236, 1239, 1250, 3483, 1248, - 3483, 1249, 86, 86, 1263, 86, 1240, 1242, 1241, 86, - 1243, 86, 1245, 86, 1244, 86, 1246, 86, 1251, 1256, - 1252, 1257, 1259, 1260, 1250, 1253, 1248, 1254, 1249, 86, - 1255, 1258, 86, 86, 86, 1262, 86, 1261, 86, 1265, - 3483, 1269, 3483, 86, 3483, 1251, 1256, 86, 1257, 1259, - 1260, 86, 86, 86, 1254, 1266, 1264, 1255, 1258, 1267, - - 1268, 1274, 1262, 86, 1261, 86, 1270, 86, 1269, 1271, - 1272, 86, 86, 86, 1273, 1277, 1275, 1276, 1281, 86, - 1282, 86, 1266, 1264, 1278, 86, 1267, 1268, 1274, 1279, - 86, 86, 86, 1270, 1280, 1283, 1271, 1272, 86, 86, - 86, 1273, 1277, 1275, 1276, 86, 1285, 86, 1284, 1287, - 86, 1278, 1286, 86, 1291, 86, 1279, 86, 86, 1288, - 1290, 1280, 1283, 1292, 1289, 1293, 1294, 86, 86, 1296, - 86, 86, 1295, 1285, 1298, 1284, 1287, 3483, 86, 1286, - 1297, 1291, 1299, 1300, 86, 1302, 1288, 1290, 86, 1301, - 3483, 1289, 86, 1294, 86, 86, 86, 86, 1303, 1295, - - 1304, 86, 86, 1305, 86, 1306, 86, 1297, 1311, 1299, - 1300, 1308, 1309, 1307, 1314, 1316, 1301, 86, 1310, 86, - 86, 86, 86, 86, 86, 1303, 1312, 86, 1313, 86, - 1305, 1317, 1306, 1320, 1318, 1311, 86, 86, 1308, 1309, - 1307, 1314, 86, 1315, 1319, 1310, 86, 86, 86, 1321, - 1324, 86, 1322, 1312, 1323, 1313, 1327, 86, 1326, 86, - 86, 1318, 1331, 86, 1328, 86, 86, 86, 1332, 86, - 1315, 1319, 86, 1329, 86, 86, 1321, 1324, 1330, 1322, - 1333, 1323, 1334, 1327, 1337, 1326, 86, 86, 1336, 86, - 1335, 1328, 1339, 1338, 1340, 1332, 86, 170, 1341, 1342, - - 1329, 86, 86, 1343, 86, 1330, 86, 1333, 86, 1334, - 1344, 1337, 86, 1345, 86, 1336, 1346, 1335, 3483, 1339, - 1338, 1340, 1347, 1348, 86, 86, 1342, 1352, 1349, 1351, - 3483, 1350, 3483, 3483, 1355, 86, 1357, 1354, 86, 86, - 1345, 86, 86, 
1346, 86, 86, 86, 86, 1361, 1347, - 1348, 86, 1353, 1358, 1352, 1349, 1351, 86, 1350, 1356, - 86, 1355, 1359, 86, 1354, 1360, 86, 86, 3483, 86, - 1367, 86, 1368, 1363, 1362, 1361, 1370, 86, 3483, 1353, - 1358, 86, 1364, 1369, 1365, 3483, 1356, 1366, 1371, 1359, - 1377, 1372, 1360, 86, 1374, 86, 1373, 1367, 86, 1368, - - 1363, 1362, 86, 86, 86, 86, 1376, 1375, 86, 1364, - 1369, 1365, 86, 1379, 1366, 1371, 86, 1377, 1372, 1378, - 86, 1374, 1380, 1373, 86, 1381, 1382, 86, 86, 1383, - 1384, 3483, 1385, 1376, 1375, 3483, 1386, 86, 86, 1388, - 1379, 1387, 86, 3483, 86, 3483, 1378, 1389, 86, 1380, - 1391, 1390, 1381, 1382, 86, 1392, 1383, 86, 86, 1385, - 1394, 86, 86, 1386, 1393, 1396, 1388, 86, 1387, 86, - 86, 1395, 86, 1397, 1389, 86, 1398, 1391, 1390, 1403, - 1399, 1400, 1392, 86, 86, 86, 86, 1394, 86, 1401, - 86, 1393, 1396, 1402, 1404, 1405, 1406, 1407, 1395, 3483, - - 1397, 86, 86, 1398, 1408, 86, 1412, 1399, 1400, 86, - 86, 86, 86, 1409, 86, 1413, 1401, 1410, 86, 1414, - 1402, 1404, 1405, 1406, 1407, 86, 86, 1411, 86, 86, - 1415, 1408, 1417, 1412, 1418, 3483, 1416, 1422, 1421, 1420, - 1409, 3483, 1419, 1427, 1410, 86, 1414, 86, 86, 86, - 86, 1423, 86, 86, 1411, 1426, 1424, 86, 1428, 1417, - 86, 1418, 86, 1416, 1422, 1421, 1420, 1425, 86, 1419, - 1427, 1437, 1438, 1436, 1440, 86, 1442, 3483, 3483, 1439, - 1452, 3483, 1426, 86, 86, 1428, 3483, 86, 1443, 86, - 3483, 1441, 1444, 3483, 1425, 1429, 86, 1445, 1437, 1430, - - 1436, 1440, 1431, 1432, 86, 86, 1439, 1433, 86, 86, - 86, 1447, 86, 1434, 86, 1443, 1458, 1435, 1441, 1444, - 1450, 86, 1429, 86, 1445, 1446, 1430, 86, 1453, 1431, - 1432, 86, 1451, 1448, 1433, 1449, 1454, 86, 1447, 1455, - 1434, 86, 1457, 86, 1435, 1456, 86, 1450, 86, 1459, - 1461, 86, 1446, 1460, 3483, 1453, 1467, 86, 86, 1451, - 1448, 86, 1449, 1454, 3483, 1473, 1455, 3483, 1469, 1457, - 3483, 1468, 1456, 86, 1472, 86, 1475, 1461, 86, 3483, - 1460, 86, 1462, 1467, 86, 86, 1476, 1463, 86, 1464, - 86, 1465, 1473, 1466, 86, 1469, 1470, 1471, 1468, 
1474, - - 86, 1472, 1477, 1475, 86, 1479, 1481, 1478, 1482, 1462, - 1480, 86, 1483, 1476, 1463, 86, 1464, 1487, 1465, 1484, - 1466, 86, 3483, 86, 1488, 86, 1474, 86, 86, 1486, - 86, 3483, 1479, 1481, 86, 1482, 1485, 1480, 1489, 1483, - 1490, 1492, 86, 1493, 86, 3483, 1484, 1491, 1498, 86, - 86, 1488, 1494, 86, 86, 1495, 1486, 86, 1496, 1497, - 86, 86, 1500, 1485, 86, 1489, 1499, 1490, 1492, 86, - 1493, 1501, 86, 1502, 1491, 86, 1504, 1503, 86, 1494, - 1506, 86, 1495, 1505, 86, 1496, 1497, 1507, 1508, 86, - 1509, 1510, 1513, 1499, 86, 3483, 86, 86, 1501, 86, - - 1502, 86, 1511, 1504, 1503, 1512, 1516, 86, 86, 1518, - 1505, 86, 1515, 86, 1507, 86, 86, 1509, 1510, 86, - 1514, 1517, 86, 1519, 1520, 1522, 1524, 86, 86, 1511, - 86, 1521, 1512, 1516, 86, 1523, 1526, 1530, 86, 1515, - 3483, 86, 86, 1525, 1527, 86, 3483, 1514, 1517, 86, - 1519, 1520, 1522, 1524, 1528, 1529, 86, 1531, 1521, 86, - 1532, 86, 1523, 1526, 1530, 86, 86, 1533, 1536, 1534, - 1525, 1527, 1535, 86, 1538, 1539, 1537, 86, 86, 86, - 1542, 1528, 1529, 1540, 1531, 3483, 86, 1532, 86, 86, - 86, 1541, 1544, 86, 1533, 1536, 1534, 1543, 1545, 1535, - - 86, 1546, 1547, 1537, 1548, 86, 86, 86, 1549, 86, - 1540, 1551, 86, 86, 86, 86, 1550, 86, 1541, 1544, - 1552, 1554, 1555, 170, 1543, 1545, 86, 86, 86, 1547, - 1553, 1548, 3483, 86, 86, 1549, 1557, 1556, 1551, 1558, - 1562, 3483, 1560, 1550, 1561, 1559, 1563, 1552, 1565, 86, - 3483, 86, 86, 86, 86, 86, 1564, 1553, 86, 86, - 1567, 1570, 86, 1566, 1556, 86, 1558, 1562, 86, 1560, - 86, 1561, 1559, 1563, 86, 1565, 1568, 1569, 1571, 1572, - 1577, 1573, 86, 1564, 1576, 86, 1574, 1567, 86, 86, - 1566, 1575, 3483, 86, 1578, 1586, 1579, 1585, 86, 86, - - 1580, 86, 1588, 1568, 1569, 1571, 1572, 1577, 1573, 86, - 1589, 1576, 86, 86, 1581, 86, 1583, 1582, 86, 1584, - 86, 1578, 1586, 1579, 1585, 1591, 86, 1580, 1593, 1587, - 1592, 1590, 1609, 86, 86, 3483, 86, 1589, 86, 1594, - 86, 1581, 86, 1583, 1582, 1595, 1584, 86, 1596, 1597, - 1598, 1600, 1602, 1599, 86, 1593, 1587, 
86, 1590, 86, - 86, 1601, 1606, 3483, 86, 86, 1594, 1605, 86, 3483, - 86, 86, 1595, 86, 1603, 1596, 1597, 1598, 1600, 1602, - 1599, 1604, 1607, 86, 1608, 86, 1612, 1610, 1601, 1606, - 86, 86, 86, 86, 1605, 1611, 1615, 1616, 1613, 86, - - 1614, 1603, 86, 86, 86, 3483, 1617, 1618, 1604, 1607, - 86, 1608, 86, 1612, 1610, 1622, 1623, 1621, 1624, 86, - 1626, 1619, 1611, 1615, 1616, 1613, 86, 1614, 86, 86, - 86, 1620, 1625, 1617, 1618, 86, 86, 86, 1627, 86, - 1628, 86, 1622, 1623, 1621, 1624, 86, 1626, 1619, 1629, - 3483, 1630, 1631, 1632, 1633, 1634, 1636, 1637, 1620, 1625, - 1638, 86, 86, 1635, 1641, 86, 3483, 1639, 3483, 1640, - 86, 3483, 86, 1646, 86, 1642, 1629, 86, 1630, 86, - 1632, 1633, 1634, 1643, 1645, 86, 86, 1648, 86, 86, - 1635, 86, 86, 86, 1639, 86, 1640, 1644, 86, 86, - - 1646, 86, 1642, 1647, 3483, 1649, 86, 86, 1651, 1650, - 1643, 1645, 1652, 1653, 1648, 86, 86, 1654, 1655, 1660, - 1668, 3483, 1659, 1656, 1644, 86, 86, 86, 1657, 86, - 1647, 86, 1649, 1658, 86, 1651, 1650, 1664, 1663, 1652, - 1653, 1666, 3483, 1661, 1654, 86, 1660, 1662, 86, 1659, - 86, 86, 86, 1665, 1667, 86, 86, 1669, 1672, 86, - 86, 86, 1670, 86, 1664, 1663, 1671, 86, 1666, 86, - 1661, 1674, 1675, 1682, 1662, 1673, 1681, 3483, 1676, 86, - 1665, 1667, 86, 86, 1669, 86, 86, 1677, 1678, 1670, - 86, 1679, 86, 1671, 1680, 86, 86, 1683, 1674, 86, - - 1682, 1684, 1673, 1681, 86, 1676, 1688, 86, 1685, 1686, - 1689, 1687, 1690, 1692, 1677, 1678, 86, 86, 1679, 1691, - 1705, 1680, 1698, 86, 1683, 86, 86, 86, 1684, 1693, - 1694, 86, 1699, 86, 86, 1685, 1686, 86, 1687, 1690, - 1692, 1695, 86, 1700, 86, 1696, 1691, 86, 1703, 1698, - 1702, 1704, 86, 1701, 86, 86, 1693, 1694, 1697, 1699, - 86, 86, 1706, 3483, 1708, 1707, 86, 1709, 1695, 1713, - 1700, 1716, 1696, 86, 86, 86, 1710, 1702, 1704, 86, - 1701, 1711, 1715, 1719, 1712, 1697, 86, 86, 86, 1706, - 86, 1708, 1707, 86, 1709, 1714, 1713, 1717, 86, 86, - - 1720, 1718, 86, 1710, 1721, 86, 86, 86, 1711, 3483, - 1719, 1712, 1722, 1723, 86, 1725, 1730, 
1724, 1726, 86, - 1727, 3483, 1714, 86, 1717, 1728, 86, 1720, 1718, 86, - 1731, 86, 1729, 3483, 1733, 1781, 86, 3483, 86, 1722, - 86, 86, 86, 1730, 1724, 1726, 1732, 1727, 86, 86, - 1734, 3483, 1728, 86, 1737, 1736, 1738, 1731, 1735, 1729, - 86, 1733, 86, 86, 86, 1739, 1740, 86, 1742, 86, - 1741, 1744, 1743, 1732, 86, 1745, 86, 1734, 86, 86, - 86, 1737, 1736, 1738, 86, 1735, 1748, 1746, 1750, 3483, - 3483, 86, 1739, 1740, 1747, 1742, 1751, 1741, 1744, 1743, - - 86, 86, 1745, 86, 1749, 1752, 3483, 1753, 86, 1756, - 1755, 1760, 86, 1748, 1746, 86, 86, 1754, 86, 86, - 1757, 1747, 86, 1751, 1759, 86, 1761, 1758, 1762, 1764, - 1763, 1749, 1752, 86, 1753, 86, 1756, 1755, 86, 1765, - 170, 3483, 86, 86, 1754, 1766, 86, 1757, 86, 1769, - 86, 1759, 86, 1761, 1758, 1762, 1764, 1763, 86, 1767, - 1768, 1770, 86, 86, 1771, 3483, 1765, 86, 1773, 1775, - 1772, 1774, 1766, 1778, 3483, 86, 1769, 1779, 86, 1777, - 86, 1776, 1782, 1780, 1783, 1785, 1767, 1768, 1770, 86, - 86, 1771, 86, 1787, 1784, 1773, 86, 1772, 1774, 86, - - 1778, 86, 86, 1786, 1779, 86, 1777, 86, 1776, 1782, - 1780, 86, 86, 1788, 86, 1789, 86, 1790, 86, 1791, - 1787, 1784, 1793, 1792, 1795, 1794, 3483, 1796, 1803, 1797, - 1786, 86, 1798, 3483, 1799, 86, 86, 86, 86, 1807, - 1788, 86, 1789, 86, 1790, 86, 1791, 86, 86, 1793, - 1792, 1795, 1794, 86, 1796, 1800, 1797, 86, 1801, 1798, - 86, 1799, 1804, 1811, 1805, 1808, 1807, 1809, 1812, 86, - 1802, 1810, 1813, 1817, 1814, 3483, 1815, 3483, 3483, 86, - 1806, 3483, 1800, 1816, 86, 1801, 1818, 86, 86, 1804, - 86, 1805, 1808, 1824, 1809, 86, 86, 1802, 1810, 1823, - - 86, 1814, 86, 1815, 86, 86, 1819, 1806, 86, 86, - 1816, 1821, 1820, 1818, 1825, 1822, 1827, 1830, 1826, 86, - 86, 86, 86, 86, 1828, 86, 1823, 1829, 86, 1833, - 1831, 3483, 1832, 1819, 1836, 1834, 86, 1837, 1821, 1820, - 86, 86, 1822, 86, 86, 1826, 86, 86, 86, 86, - 86, 1828, 86, 1835, 1829, 1838, 1833, 1831, 1839, 1832, - 86, 1836, 1834, 1840, 1837, 86, 1841, 86, 86, 1842, - 1843, 1844, 1845, 1846, 1848, 1850, 
1849, 1851, 86, 3483, - 1835, 1847, 1838, 86, 86, 1839, 86, 86, 86, 86, - 1840, 86, 1852, 1841, 86, 86, 1842, 1843, 1844, 1845, - - 1846, 1853, 1850, 1849, 1851, 86, 86, 86, 1847, 1854, - 1855, 1856, 1857, 3483, 1858, 1862, 1860, 86, 1859, 1852, - 1861, 3483, 1864, 86, 86, 3483, 1863, 86, 1853, 86, - 86, 1865, 1866, 86, 86, 1867, 86, 1855, 1856, 1857, - 86, 1858, 1862, 1860, 86, 1859, 1868, 1861, 1872, 1864, - 86, 86, 1871, 1863, 86, 1869, 1873, 86, 1865, 1866, - 1870, 1874, 1867, 1875, 1878, 1876, 3483, 86, 1880, 1877, - 1879, 3483, 86, 1868, 86, 1872, 86, 1881, 86, 1871, - 1883, 1882, 1869, 86, 86, 1886, 1884, 1870, 86, 1885, - 1875, 86, 1876, 86, 86, 1880, 1877, 1879, 1887, 86, - - 86, 1890, 86, 86, 1881, 86, 86, 1883, 1882, 1892, - 1891, 1888, 1886, 1884, 1889, 3483, 1885, 1893, 1894, 86, - 1896, 1895, 1898, 1897, 86, 1887, 3483, 1899, 1890, 86, - 86, 1900, 86, 86, 86, 1904, 86, 1901, 1888, 1906, - 3483, 1889, 86, 1907, 1893, 1894, 1903, 1896, 1895, 1902, - 1897, 86, 86, 86, 86, 86, 1905, 86, 1900, 3483, - 1908, 86, 1904, 3483, 1901, 86, 1906, 86, 1913, 1912, - 1907, 1915, 1910, 1903, 1909, 1911, 1902, 86, 1914, 1918, - 86, 1922, 1919, 1905, 86, 1921, 86, 1908, 1916, 1924, - 86, 86, 86, 1917, 86, 1913, 1912, 1925, 1915, 1910, - - 1926, 1909, 1911, 1920, 1927, 1914, 1918, 86, 86, 1919, - 1923, 1928, 1921, 86, 1929, 1931, 86, 86, 1930, 86, - 86, 1932, 86, 1936, 1933, 86, 3483, 1926, 86, 86, - 1920, 1927, 3483, 1934, 1941, 86, 1938, 1923, 86, 1935, - 1937, 1929, 1931, 86, 86, 1930, 1939, 1942, 1943, 1940, - 1945, 1933, 1944, 86, 86, 86, 86, 86, 1946, 86, - 1934, 1941, 86, 1938, 86, 86, 1935, 1937, 86, 1947, - 86, 86, 1948, 1939, 1942, 1943, 1940, 1945, 1950, 1944, - 1951, 1952, 86, 3483, 1953, 1946, 1957, 1954, 1955, 1958, - 1956, 1959, 1962, 1949, 86, 86, 1947, 86, 86, 86, - - 1960, 86, 1963, 86, 1966, 86, 3483, 1961, 1952, 1965, - 86, 86, 86, 86, 1954, 1955, 1958, 1956, 86, 1962, - 1949, 1964, 1968, 86, 1969, 1970, 86, 1960, 86, 86, - 1967, 1966, 86, 1976, 1961, 
1971, 1965, 86, 1972, 86, - 1973, 1975, 1974, 86, 86, 86, 86, 1977, 1964, 1968, - 1981, 1969, 1970, 1978, 86, 1979, 170, 1967, 86, 1982, - 1976, 86, 1971, 1980, 1983, 1972, 86, 1973, 1975, 1974, - 86, 86, 86, 1984, 86, 1986, 1988, 86, 1985, 1989, - 1978, 1997, 1979, 86, 86, 1987, 1982, 1990, 86, 1991, - 1980, 1983, 86, 86, 86, 1992, 86, 1993, 1994, 1996, - - 1984, 1995, 1986, 1998, 1999, 1985, 1989, 2000, 86, 2001, - 86, 2002, 1987, 86, 1990, 2003, 1991, 86, 86, 86, - 86, 86, 86, 86, 1993, 86, 1996, 2006, 1995, 2007, - 86, 1999, 86, 86, 2000, 2004, 2001, 2005, 2002, 2008, - 2009, 2010, 2003, 2011, 86, 2012, 86, 2019, 2020, 86, - 3483, 86, 2014, 86, 2006, 86, 2007, 86, 2013, 86, - 2017, 2018, 2004, 86, 2005, 86, 2008, 2009, 2010, 2015, - 2011, 2021, 2012, 86, 86, 2022, 2016, 86, 2023, 2014, - 86, 2024, 86, 86, 2026, 2013, 86, 2017, 2018, 2029, - 2025, 86, 86, 2027, 2030, 2028, 2015, 86, 2021, 2031, - - 2032, 2033, 2022, 2016, 2034, 2023, 86, 86, 2024, 86, - 2037, 2026, 2035, 2036, 2040, 86, 2029, 2025, 86, 86, - 2027, 86, 2028, 2038, 2039, 2041, 86, 2032, 86, 2043, - 86, 2034, 2044, 2042, 3483, 2047, 2049, 86, 86, 2035, - 2036, 2040, 86, 2045, 2046, 86, 86, 2050, 2048, 2057, - 2038, 2053, 2051, 2078, 86, 86, 86, 86, 86, 2044, - 2042, 86, 86, 2049, 86, 2054, 2052, 2056, 86, 2055, - 2045, 2046, 86, 86, 86, 2048, 2065, 3483, 2053, 2051, - 86, 86, 2063, 2058, 2059, 2060, 3483, 86, 2069, 86, - 2061, 86, 2054, 2052, 2056, 86, 2055, 2062, 86, 2064, - - 2066, 86, 2070, 2071, 86, 2072, 86, 86, 86, 2063, - 2058, 2059, 2060, 2067, 86, 2069, 2074, 2061, 2068, 2073, - 2075, 86, 2079, 86, 2062, 2080, 2064, 2066, 86, 2070, - 2071, 86, 2072, 2076, 2082, 2077, 2081, 2084, 86, 86, - 86, 86, 2083, 86, 2086, 86, 2073, 2075, 86, 2079, - 2085, 86, 2080, 2087, 2088, 86, 2089, 86, 2091, 2090, - 2076, 2082, 2077, 2081, 86, 86, 2093, 2092, 86, 2083, - 2094, 86, 86, 2095, 86, 2096, 86, 2085, 86, 2102, - 2087, 2088, 2099, 2089, 2103, 86, 2090, 2097, 2098, 86, - 86, 2100, 86, 86, 2092, 86, 
2101, 2094, 2110, 2105, - - 2095, 86, 2096, 2104, 2106, 86, 2102, 86, 86, 2099, - 86, 2109, 2107, 2108, 2097, 2098, 86, 2112, 2100, 86, - 2111, 86, 2113, 2101, 2114, 86, 2105, 2119, 2116, 86, - 2104, 2115, 86, 2118, 86, 86, 86, 86, 2120, 2107, - 2108, 2117, 86, 86, 2112, 2121, 86, 2111, 2124, 2113, - 86, 2114, 86, 86, 2119, 2116, 2122, 2123, 2115, 2126, - 2118, 2129, 2127, 86, 2125, 2128, 86, 86, 2117, 86, - 86, 86, 2130, 2131, 2132, 2124, 2135, 86, 2134, 2133, - 86, 2148, 86, 2122, 2123, 86, 2126, 86, 86, 2127, - 2136, 2125, 2128, 2137, 2141, 2138, 3483, 86, 2143, 2130, - - 2131, 2132, 86, 2135, 86, 2134, 2133, 2139, 86, 2142, - 2145, 86, 2140, 86, 2153, 86, 2144, 2136, 86, 2146, - 86, 86, 2138, 86, 86, 2143, 86, 2151, 2147, 2149, - 2150, 2152, 86, 2154, 2139, 86, 2142, 2145, 86, 2140, - 2155, 86, 86, 2144, 2156, 86, 2146, 2160, 2157, 86, - 2161, 2164, 2165, 2158, 2151, 2147, 2149, 2150, 2152, 86, - 2154, 2159, 86, 86, 86, 2162, 2168, 2155, 86, 2167, - 2163, 2156, 2166, 86, 86, 2157, 2169, 86, 2171, 2170, - 2158, 86, 2178, 86, 86, 2172, 2175, 2173, 2159, 2177, - 2174, 86, 86, 2168, 86, 2191, 2167, 86, 2176, 2166, - - 86, 86, 2179, 86, 2180, 2171, 2170, 2182, 86, 86, - 86, 86, 2172, 86, 2173, 2181, 2184, 2174, 86, 2185, - 2183, 86, 86, 3483, 86, 2176, 2186, 86, 2187, 2179, - 2188, 2180, 2189, 2190, 2182, 86, 2193, 170, 3483, 3483, - 86, 86, 2181, 2184, 2192, 2194, 2185, 2183, 2196, 2195, - 86, 3483, 2199, 2186, 86, 2187, 2197, 86, 86, 86, - 2190, 3483, 2198, 2193, 2202, 86, 86, 86, 2203, 2200, - 86, 2192, 2194, 2201, 2204, 2196, 2195, 86, 86, 2199, - 86, 2205, 2206, 2197, 86, 2208, 86, 2207, 86, 2198, - 2209, 2202, 86, 2211, 3483, 86, 2200, 86, 2210, 2212, - - 2201, 2204, 86, 86, 86, 2213, 2215, 86, 2205, 2206, - 2216, 86, 86, 2214, 2207, 2217, 86, 2209, 2218, 86, - 2211, 2219, 2222, 3483, 2225, 2210, 2212, 86, 86, 3483, - 2220, 86, 2213, 86, 86, 86, 2223, 2216, 86, 2224, - 2214, 2221, 2217, 2226, 2227, 2218, 86, 2228, 2219, 2222, - 86, 2225, 2231, 86, 86, 2229, 
86, 2220, 2230, 86, - 2232, 86, 2233, 2223, 2234, 2236, 2224, 2237, 2221, 2235, - 2226, 2227, 86, 86, 2228, 86, 2238, 86, 86, 86, - 2239, 86, 2229, 2240, 86, 2230, 86, 2232, 2241, 2233, - 2242, 2234, 2236, 2243, 2244, 2247, 2235, 86, 2245, 86, - - 2246, 2248, 3483, 2238, 86, 2249, 86, 2239, 86, 2250, - 2240, 2253, 86, 2254, 2251, 2241, 86, 86, 86, 86, - 2243, 86, 2247, 2252, 86, 2245, 3483, 2246, 2255, 86, - 86, 86, 2249, 86, 86, 2258, 2250, 86, 2253, 2256, - 2254, 2251, 2257, 2259, 2260, 86, 2262, 86, 2261, 2264, - 2252, 2267, 3483, 2266, 86, 2255, 86, 86, 86, 2263, - 86, 2265, 2258, 2268, 3483, 86, 2256, 86, 86, 2257, - 2259, 2260, 86, 2262, 2269, 2261, 2264, 2271, 86, 2270, - 2266, 86, 2272, 2273, 2275, 3483, 2263, 2274, 2265, 86, - 2268, 2276, 2281, 86, 2284, 2277, 2282, 3483, 2278, 86, - - 3483, 2269, 2280, 86, 2271, 86, 2270, 86, 2279, 2272, - 2273, 2275, 86, 86, 2274, 86, 86, 86, 2276, 2281, - 86, 86, 2277, 2282, 2283, 2278, 86, 2285, 2286, 2280, - 2287, 2289, 86, 2288, 86, 2279, 2290, 2291, 2293, 2294, - 2292, 86, 2295, 3483, 2299, 3483, 86, 86, 2296, 2300, - 2301, 2283, 86, 86, 2285, 2286, 2298, 86, 2289, 86, - 2288, 86, 86, 2290, 2291, 2293, 2294, 2292, 2297, 86, - 86, 86, 2302, 2303, 86, 2296, 86, 2301, 2304, 2306, - 86, 2305, 86, 2298, 2308, 2307, 86, 2309, 2310, 3483, - 2314, 86, 86, 2311, 3483, 2297, 3483, 2316, 3483, 2302, - - 2303, 2317, 86, 2312, 2315, 86, 2306, 86, 2305, 86, - 2319, 2313, 2307, 86, 2309, 2310, 86, 86, 2318, 86, - 2311, 2323, 86, 86, 2316, 2320, 2321, 86, 2317, 2322, - 2312, 2315, 86, 2324, 86, 2325, 86, 2319, 2313, 86, - 2326, 2328, 2327, 2329, 86, 2318, 86, 2330, 2323, 2331, - 2332, 2333, 2320, 2321, 2334, 2335, 2322, 86, 86, 86, - 2324, 86, 86, 2336, 3483, 86, 2337, 86, 2328, 2327, - 2329, 86, 86, 86, 2330, 86, 2331, 2332, 2333, 2338, - 2339, 2334, 2335, 2340, 2341, 86, 2342, 2343, 86, 2344, - 86, 86, 2346, 2337, 2349, 2347, 2348, 86, 86, 86, - - 2345, 2353, 3483, 2352, 86, 86, 2338, 2339, 2367, 86, - 2340, 2341, 86, 2342, 2343, 
86, 2344, 86, 86, 2346, - 2350, 2349, 2347, 2348, 86, 2354, 2355, 2345, 2353, 2356, - 2352, 86, 2357, 2351, 2358, 86, 2359, 86, 2360, 2361, - 86, 86, 2364, 2362, 2363, 2371, 2372, 2350, 86, 2366, - 86, 86, 2354, 2355, 86, 2376, 2356, 86, 2365, 2357, - 2351, 86, 2373, 2359, 86, 86, 2361, 86, 2368, 2364, - 2362, 2363, 86, 170, 2369, 2374, 2366, 86, 86, 2370, - 2375, 3483, 86, 2377, 3483, 2365, 86, 86, 2381, 2373, - 2382, 2384, 2386, 2380, 86, 2368, 2385, 2378, 2383, 2388, - - 86, 2390, 2374, 2387, 2426, 2389, 86, 2375, 2379, 86, - 2377, 86, 3483, 86, 86, 86, 86, 2382, 2384, 2386, - 2380, 2391, 2393, 3483, 2378, 2383, 86, 86, 86, 86, - 2387, 2392, 2389, 86, 2394, 2379, 86, 2395, 86, 86, - 2396, 86, 2397, 2398, 86, 86, 86, 2400, 2391, 2393, - 2399, 2403, 2401, 2402, 2404, 86, 86, 2405, 2392, 86, - 86, 2394, 86, 86, 2395, 2406, 2416, 2396, 2408, 2397, - 2398, 2407, 86, 86, 2400, 2409, 86, 2399, 2403, 2401, - 2402, 2404, 2410, 86, 86, 2411, 2412, 2414, 86, 2413, - 86, 86, 2406, 86, 86, 2408, 2415, 3483, 2407, 2417, - - 86, 86, 2409, 2421, 2420, 86, 86, 2418, 86, 2410, - 2428, 86, 2411, 2412, 2414, 86, 2413, 2419, 86, 2422, - 2424, 2427, 2423, 2415, 86, 86, 2417, 86, 86, 2429, - 2421, 2420, 2425, 86, 2418, 86, 2430, 2428, 86, 2431, - 2433, 2435, 86, 2432, 2419, 2437, 2422, 2424, 2427, 2423, - 86, 2434, 3483, 2439, 2440, 2436, 2429, 86, 86, 2425, - 2438, 2441, 2442, 2430, 86, 86, 2431, 86, 2435, 86, - 2432, 2443, 2437, 86, 86, 2445, 2444, 2448, 2434, 86, - 2439, 86, 2436, 86, 2449, 2450, 86, 2438, 2441, 86, - 86, 2446, 2451, 2452, 2447, 2454, 2455, 2456, 2443, 2453, - - 86, 86, 2445, 2444, 86, 2457, 86, 86, 2458, 86, - 86, 86, 2450, 86, 86, 2460, 2459, 2461, 2446, 2451, - 2452, 2447, 2454, 86, 86, 86, 2453, 2462, 2463, 86, - 2464, 2467, 2457, 2465, 2466, 86, 2471, 2468, 2473, 2469, - 2470, 86, 86, 2459, 2461, 2472, 86, 86, 2475, 86, - 86, 2479, 86, 86, 2462, 86, 2476, 86, 2467, 2474, - 2465, 2466, 86, 86, 2468, 86, 2469, 2470, 86, 86, - 2477, 2480, 2472, 2484, 2482, 2475, 
2481, 2483, 86, 86, - 86, 86, 2485, 2476, 2486, 2478, 2474, 2489, 86, 86, - 2487, 86, 2490, 2488, 86, 2495, 86, 2477, 2480, 86, - - 2484, 2482, 2492, 2481, 2483, 86, 2493, 2491, 2497, 86, - 86, 2486, 2478, 2494, 2489, 86, 2496, 2487, 86, 86, - 2488, 2499, 86, 86, 86, 86, 2498, 2500, 86, 2492, - 86, 2501, 86, 2493, 2491, 2497, 86, 2502, 2503, 86, - 2494, 2504, 2508, 2496, 2509, 2505, 3483, 3483, 2499, 3483, - 3483, 2510, 3483, 2498, 2500, 2511, 86, 3483, 2501, 86, - 2506, 2513, 2507, 86, 2502, 2503, 86, 2520, 2504, 86, - 2514, 2509, 2505, 86, 86, 86, 86, 86, 2510, 2512, - 2515, 86, 2511, 2516, 86, 3483, 2517, 2506, 2513, 2507, - 2518, 2519, 2521, 2523, 2522, 2524, 3483, 2514, 2529, 86, - - 86, 2525, 86, 86, 2526, 86, 2512, 2515, 86, 2527, - 2516, 86, 86, 2517, 2530, 2528, 2531, 2518, 2519, 2532, - 2523, 2522, 86, 86, 86, 2529, 86, 86, 2525, 86, - 2533, 2526, 86, 2537, 86, 2535, 2527, 86, 2534, 2536, - 3483, 2530, 2528, 2531, 3483, 2538, 2532, 2539, 86, 2541, - 2540, 86, 86, 2542, 86, 2543, 86, 2533, 3483, 2550, - 2537, 2545, 2547, 2544, 3483, 2534, 2546, 86, 86, 3483, - 86, 86, 2538, 2552, 2539, 86, 2541, 2540, 3483, 86, - 2551, 86, 2543, 2553, 170, 86, 2550, 2554, 2545, 2547, - 2544, 86, 86, 2546, 2548, 86, 2549, 2555, 2556, 2557, - - 86, 86, 2558, 2559, 2562, 86, 2560, 2551, 2561, 86, - 2553, 86, 86, 2563, 2554, 86, 2564, 86, 2565, 86, - 2566, 2548, 2571, 2549, 2555, 2556, 2557, 86, 86, 2558, - 2559, 2562, 2567, 2560, 2568, 2561, 2569, 2570, 2572, 2578, - 86, 3483, 86, 2564, 86, 86, 2573, 2566, 2574, 86, - 2576, 86, 2577, 2581, 86, 86, 2575, 2579, 86, 2567, - 2580, 2582, 2583, 86, 2570, 2572, 86, 2589, 86, 86, - 86, 86, 86, 2573, 2584, 2574, 86, 2576, 86, 2577, - 2581, 2585, 86, 2575, 2579, 86, 2586, 2580, 2582, 86, - 2587, 2588, 2590, 2591, 86, 2592, 86, 86, 2593, 86, - - 2595, 2584, 86, 2594, 86, 86, 86, 2597, 2585, 2598, - 2599, 3483, 2600, 2586, 86, 86, 86, 2587, 2588, 2590, - 2591, 2596, 2592, 86, 2601, 2593, 2606, 2595, 86, 86, - 2594, 86, 2602, 86, 2597, 
2603, 2604, 2599, 86, 2600, - 86, 86, 2607, 86, 2605, 2608, 2609, 2610, 2596, 2613, - 86, 2601, 3483, 86, 2615, 2611, 86, 86, 86, 2602, - 2612, 2620, 2603, 2604, 2614, 2616, 3483, 86, 86, 2607, - 2618, 2605, 2608, 2609, 86, 2619, 2613, 86, 2622, 86, - 86, 2615, 2611, 2617, 86, 86, 2621, 2612, 2623, 86, - 2624, 2614, 2616, 86, 2625, 2626, 86, 2618, 86, 3483, - - 2627, 86, 2619, 86, 2628, 86, 86, 2631, 86, 2633, - 2617, 86, 2634, 2621, 2630, 2623, 2632, 86, 2629, 86, - 86, 2625, 2626, 2635, 2636, 2638, 86, 2627, 3483, 86, - 86, 2628, 2639, 2637, 2631, 3483, 86, 2641, 86, 86, - 2640, 2630, 2642, 2632, 86, 2629, 2644, 2643, 86, 2646, - 86, 2636, 2638, 2645, 86, 86, 2647, 86, 2648, 2639, - 2637, 86, 86, 2649, 2641, 86, 2652, 2640, 2650, 2642, - 86, 86, 2653, 86, 2643, 86, 2651, 2654, 2655, 2656, - 2645, 86, 3483, 2647, 86, 2648, 2658, 2659, 86, 2657, - 86, 3483, 86, 2652, 2664, 2650, 2660, 2661, 86, 2653, - - 86, 86, 2662, 2651, 86, 2655, 2656, 86, 86, 86, - 86, 2663, 86, 2658, 2659, 2665, 2657, 86, 2666, 2667, - 2668, 2664, 86, 2660, 2661, 2669, 2670, 2672, 2671, 2662, - 3483, 2674, 2677, 86, 2673, 2676, 86, 2675, 2663, 86, - 86, 2679, 2665, 86, 3483, 2666, 86, 86, 86, 2681, - 86, 2678, 86, 86, 2672, 2671, 86, 86, 2674, 2677, - 86, 2673, 2676, 86, 2675, 2680, 86, 2682, 2679, 2683, - 2684, 86, 2685, 2686, 3483, 2687, 2681, 86, 2678, 2690, - 2689, 2688, 2691, 2694, 2692, 2695, 86, 2696, 3483, 86, - 86, 86, 2680, 3483, 86, 86, 2683, 86, 2693, 86, - - 2686, 86, 2687, 86, 86, 86, 2690, 2689, 2688, 2691, - 86, 2692, 2695, 2698, 86, 2697, 86, 2699, 2700, 2701, - 86, 86, 2702, 2703, 2704, 2693, 2705, 86, 3483, 2706, - 2710, 86, 86, 2711, 3483, 86, 3483, 86, 2712, 170, - 2698, 2714, 2697, 2707, 2699, 2700, 2701, 86, 86, 2702, - 2703, 2704, 86, 2705, 2708, 86, 2706, 2710, 2709, 2713, - 2711, 2715, 86, 86, 2716, 2712, 86, 86, 2714, 2717, - 2707, 2718, 86, 2719, 3483, 2720, 2722, 2724, 2721, 3483, - 3483, 2708, 2723, 86, 2726, 2709, 2713, 86, 2715, 86, - 86, 86, 86, 86, 3483, 
2731, 86, 86, 2718, 86, - - 2719, 86, 2720, 2722, 2724, 2721, 2725, 2727, 2728, 2723, - 2729, 2726, 86, 86, 2730, 86, 2732, 2733, 2734, 2736, - 86, 86, 2731, 86, 2735, 2737, 86, 86, 86, 2739, - 2740, 2738, 2742, 2725, 2727, 2728, 86, 2729, 86, 2743, - 2744, 2730, 2741, 2732, 2733, 2734, 86, 86, 86, 86, - 86, 2735, 2737, 2745, 2747, 2748, 2739, 86, 2738, 86, - 86, 2749, 2746, 86, 86, 2751, 2743, 2744, 2750, 2741, - 2752, 2753, 86, 86, 86, 2756, 86, 2754, 2755, 2757, - 2745, 2747, 2748, 2758, 86, 86, 2759, 86, 2749, 2746, - 2760, 3483, 2751, 2762, 2763, 2750, 86, 86, 86, 86, - - 2761, 86, 2756, 2764, 2754, 2755, 86, 86, 2765, 2766, - 86, 2767, 86, 2769, 2768, 86, 86, 2760, 86, 2770, - 2762, 2763, 2771, 2772, 2773, 86, 2774, 2761, 2775, 3483, - 2764, 86, 2777, 86, 86, 2765, 2766, 2782, 2767, 86, - 86, 2768, 86, 86, 86, 2776, 2770, 2778, 2783, 86, - 2772, 2773, 86, 2774, 86, 2775, 2779, 2780, 2784, 2777, - 2781, 86, 2785, 86, 2782, 86, 2786, 86, 2788, 86, - 86, 86, 2776, 2789, 2778, 86, 2787, 2792, 2790, 2791, - 86, 3483, 3483, 2779, 2780, 2784, 2794, 2781, 2797, 2785, - 86, 2801, 86, 86, 2793, 2788, 86, 2798, 86, 2799, - - 2789, 2803, 86, 2787, 86, 2790, 2791, 2795, 86, 2796, - 2800, 2802, 86, 2794, 86, 86, 86, 86, 86, 86, - 2804, 2793, 2805, 2809, 2798, 2808, 2799, 2810, 86, 2807, - 2806, 2812, 86, 86, 2795, 3483, 2796, 2800, 2802, 2818, - 86, 86, 86, 2811, 86, 2813, 2814, 2804, 86, 2805, - 86, 2815, 2808, 86, 2810, 2820, 2807, 2806, 86, 86, - 86, 2816, 2817, 2821, 2819, 2822, 86, 86, 2824, 86, - 2811, 86, 2813, 2814, 2823, 2825, 3483, 2827, 2815, 86, - 86, 86, 2820, 3483, 2826, 86, 2829, 86, 2816, 2817, - 86, 2819, 2822, 2831, 2828, 2824, 86, 86, 2830, 2834, - - 2832, 2823, 2825, 86, 2827, 86, 2833, 2835, 2836, 2837, - 86, 2826, 86, 2829, 2838, 86, 2840, 86, 86, 2839, - 2831, 2828, 86, 2841, 2843, 2830, 86, 2832, 2842, 3483, - 86, 2844, 86, 2833, 86, 2836, 2837, 86, 86, 86, - 2845, 170, 2846, 2840, 2848, 2849, 2839, 2850, 2847, 2851, - 2841, 2855, 2857, 86, 86, 
2842, 86, 2852, 2844, 2853, - 2856, 86, 2858, 2859, 2854, 86, 86, 2845, 2865, 2846, - 86, 86, 86, 86, 2850, 2847, 86, 2860, 2855, 2857, - 2861, 86, 86, 2862, 2852, 2866, 86, 2856, 2868, 2863, - 2859, 86, 2867, 2869, 86, 86, 2864, 2871, 86, 86, - - 86, 3483, 86, 86, 2860, 2870, 2873, 2861, 86, 2874, - 2862, 2872, 2877, 86, 86, 2868, 2863, 86, 2879, 2867, - 2869, 86, 2878, 2864, 2871, 2875, 86, 86, 86, 2876, - 86, 86, 2870, 2873, 86, 2880, 2874, 2881, 2872, 2877, - 86, 2882, 2883, 86, 86, 2879, 2884, 3483, 2888, 2878, - 86, 2886, 2875, 86, 2891, 2885, 2876, 2887, 86, 86, - 2889, 2890, 2880, 86, 2881, 86, 2893, 86, 2882, 86, - 2898, 2892, 86, 2884, 86, 86, 2897, 2894, 2886, 2895, - 86, 2891, 2885, 86, 2887, 86, 2900, 2889, 2890, 2896, - 2899, 86, 86, 86, 2901, 2904, 86, 86, 2892, 86, - - 2902, 2903, 2905, 2897, 2894, 2907, 2895, 2909, 2906, 86, - 2908, 3483, 3483, 2911, 2910, 2912, 2896, 2899, 86, 2913, - 2916, 86, 86, 86, 86, 2914, 86, 2902, 86, 2905, - 86, 86, 2907, 86, 2915, 2906, 86, 2908, 86, 86, - 2911, 2910, 2912, 86, 2917, 2918, 2913, 86, 2920, 2921, - 2919, 86, 2914, 2922, 2924, 2930, 2923, 2925, 2928, 2927, - 86, 2915, 2926, 3483, 2929, 86, 2931, 2935, 2932, 86, - 86, 86, 86, 86, 86, 2920, 86, 2919, 86, 2936, - 2922, 2924, 86, 2923, 2933, 2928, 2927, 2934, 86, 86, - 86, 2929, 86, 86, 86, 2932, 2937, 2938, 86, 2939, - - 2940, 86, 2942, 86, 2941, 2943, 2936, 2945, 2944, 2946, - 2947, 2933, 2949, 2948, 2934, 2957, 86, 86, 2953, 86, - 86, 2950, 86, 2937, 86, 86, 2939, 86, 2951, 86, - 2956, 2941, 2943, 2952, 2945, 2944, 86, 86, 2959, 2954, - 2948, 86, 2955, 86, 86, 2953, 86, 86, 2950, 86, - 2958, 86, 86, 2960, 2961, 2962, 3483, 2956, 2966, 2963, - 86, 86, 2964, 2965, 86, 2959, 2954, 3483, 2971, 2955, - 2969, 2973, 3483, 3483, 86, 86, 86, 2958, 2967, 2968, - 86, 2961, 2962, 86, 86, 2966, 2963, 86, 86, 2964, - 2965, 2970, 86, 2975, 2972, 2971, 2974, 2969, 86, 2977, - - 86, 2976, 2978, 2979, 2985, 2967, 2968, 86, 2980, 86, - 86, 2982, 86, 2981, 3483, 2986, 2983, 86, 
2970, 2984, - 2975, 2972, 86, 2974, 2987, 2990, 2977, 86, 2976, 2978, - 2979, 86, 2988, 3483, 2989, 2991, 86, 2992, 2993, 86, - 86, 86, 2986, 86, 86, 2995, 2984, 2996, 2997, 2999, - 86, 2987, 2990, 2994, 3483, 86, 86, 86, 86, 2988, - 86, 2989, 2991, 2998, 2992, 2993, 86, 86, 3001, 3002, - 86, 3000, 2995, 3003, 2996, 2997, 2999, 3004, 86, 3005, - 2994, 86, 3006, 3007, 3009, 3008, 86, 3010, 3015, 3483, - 2998, 3483, 3483, 3016, 3483, 86, 86, 86, 3000, 3011, - - 3003, 3012, 86, 3013, 3004, 86, 86, 86, 3019, 3006, - 86, 86, 3008, 3014, 3010, 86, 86, 86, 3017, 86, - 3016, 86, 86, 3018, 86, 3020, 3011, 3021, 3012, 3023, - 3013, 86, 3022, 3024, 3025, 3019, 86, 86, 3027, 3028, - 3014, 3026, 3029, 86, 3030, 3017, 86, 3032, 3483, 3031, - 3018, 86, 3020, 3483, 3033, 86, 3023, 86, 86, 86, - 3024, 3025, 3034, 86, 3036, 86, 86, 3037, 3026, 3029, - 3039, 3030, 86, 3035, 86, 86, 3031, 86, 3040, 3042, - 3038, 3033, 3041, 3483, 3044, 86, 86, 86, 86, 3034, - 3043, 3036, 3046, 86, 3037, 3045, 3483, 3051, 3052, 3053, - - 3035, 86, 86, 3048, 3047, 3040, 3042, 3038, 3058, 3041, - 86, 3044, 86, 86, 86, 3054, 86, 3043, 86, 3046, - 3049, 3055, 3045, 3050, 86, 86, 86, 3056, 86, 3057, - 3048, 3047, 3483, 86, 3061, 86, 3059, 3060, 3063, 3064, - 86, 3067, 3054, 3062, 3483, 86, 86, 3049, 3055, 3065, - 3050, 86, 86, 86, 3056, 3068, 3057, 86, 86, 86, - 3066, 86, 3069, 3059, 3060, 3063, 3064, 3070, 3075, 86, - 3062, 86, 3073, 86, 3071, 3072, 3065, 3074, 3078, 3076, - 86, 3077, 3068, 3483, 3483, 86, 3079, 3066, 86, 86, - 86, 86, 3081, 3080, 3070, 3075, 86, 86, 86, 3073, - - 86, 3071, 3072, 3082, 3074, 86, 3076, 86, 3077, 3084, - 3085, 3083, 3086, 3079, 3088, 86, 3087, 86, 3090, 3081, - 3080, 86, 86, 86, 3089, 3091, 86, 86, 3092, 86, - 3082, 3094, 3095, 3097, 86, 3100, 3084, 3085, 3083, 3086, - 86, 3088, 86, 3087, 3096, 3090, 3093, 3102, 3103, 3106, - 86, 3089, 3091, 3098, 86, 86, 3099, 86, 86, 86, - 86, 3101, 3100, 3104, 86, 3109, 3105, 86, 3108, 86, - 86, 3096, 86, 3093, 3102, 86, 86, 3112, 3107, 
3111, - 3098, 86, 86, 3099, 86, 3110, 3114, 86, 3101, 3113, - 3104, 86, 3109, 3105, 3116, 3108, 86, 3115, 86, 86, - - 3117, 3118, 3119, 3120, 86, 3107, 3111, 3121, 3125, 3123, - 86, 3126, 3110, 3124, 86, 86, 3113, 3128, 86, 86, - 3130, 3116, 3137, 3138, 3115, 86, 3122, 86, 86, 3119, - 3120, 86, 86, 3127, 86, 3125, 3123, 3131, 3129, 3132, - 3124, 86, 3134, 86, 3128, 86, 3133, 86, 3136, 86, - 86, 3143, 3135, 3122, 86, 86, 3139, 3140, 3146, 3483, - 3127, 3149, 3483, 86, 3131, 3129, 3132, 86, 86, 3134, - 86, 3142, 3141, 3133, 3144, 3136, 3145, 3150, 86, 3135, - 86, 86, 3151, 3139, 86, 3147, 3148, 3154, 86, 86, - 86, 86, 86, 86, 3153, 86, 86, 3155, 3142, 3141, - - 3152, 3144, 86, 3145, 3150, 86, 3156, 3157, 86, 3151, - 3158, 3159, 3147, 3148, 86, 3161, 3163, 86, 3160, 3162, - 3164, 3153, 3165, 3166, 3155, 86, 3170, 3152, 86, 3169, - 3167, 3168, 86, 3156, 3157, 3171, 3483, 86, 86, 3178, - 86, 86, 3161, 86, 86, 3160, 3162, 86, 86, 86, - 86, 3172, 3184, 3170, 3177, 3173, 3175, 3167, 3168, 86, - 86, 86, 86, 3174, 86, 3176, 86, 3180, 86, 3182, - 86, 3179, 86, 3181, 3185, 86, 86, 3183, 3172, 86, - 86, 3177, 3173, 3175, 3186, 3188, 86, 3189, 3191, 3195, - 3174, 3190, 3176, 86, 3180, 86, 3182, 86, 3179, 3187, - - 3181, 86, 3192, 3193, 3183, 3197, 86, 3194, 3196, 86, - 3198, 3199, 3188, 3200, 3189, 86, 86, 3201, 3190, 3483, - 86, 86, 3483, 86, 86, 86, 3187, 3483, 3204, 86, - 3193, 3205, 3197, 86, 3194, 3196, 86, 86, 3199, 86, - 3200, 3202, 3203, 3206, 3201, 3208, 86, 3207, 86, 86, - 86, 3211, 3209, 86, 3210, 3204, 3212, 3215, 3205, 86, - 86, 86, 3219, 86, 86, 3216, 86, 86, 3202, 3203, - 3206, 3217, 3208, 3218, 3207, 3213, 3214, 3220, 3211, 3209, - 86, 3210, 3221, 3212, 3215, 86, 3222, 86, 3224, 86, - 3225, 3223, 3216, 86, 86, 3227, 3226, 3230, 3217, 86, - - 3218, 3483, 3213, 3214, 3220, 86, 3228, 3231, 3229, 3221, - 86, 3232, 3233, 3222, 3236, 86, 86, 86, 3223, 86, - 3234, 3235, 86, 3226, 86, 3237, 3238, 3483, 86, 3239, - 3241, 3240, 3242, 3228, 86, 3229, 3243, 3244, 3247, 3245, 
- 86, 86, 3248, 3483, 3246, 86, 86, 3251, 86, 86, - 86, 86, 86, 86, 86, 3249, 3239, 3241, 3240, 86, - 86, 3252, 86, 3243, 3244, 3247, 3245, 86, 3250, 86, - 86, 3246, 3253, 3254, 3251, 3256, 3257, 3255, 3258, 3268, - 3259, 3260, 3249, 3261, 86, 86, 86, 3263, 3252, 3262, - 86, 3276, 3269, 3266, 86, 3250, 86, 86, 3267, 3253, - - 3254, 86, 3256, 86, 3255, 3258, 86, 3259, 86, 86, - 86, 86, 3264, 3272, 3263, 3265, 3262, 3270, 3271, 3269, - 3274, 3273, 3275, 86, 86, 86, 3278, 3279, 86, 86, - 86, 3277, 3282, 3281, 3280, 86, 3283, 3285, 3284, 3264, - 3272, 3286, 3265, 86, 3270, 3271, 86, 3274, 3273, 86, - 3287, 3288, 86, 86, 86, 86, 86, 3289, 3277, 86, - 3281, 3280, 3290, 86, 86, 3284, 3291, 3292, 86, 3293, - 86, 3295, 3294, 3296, 3298, 3299, 3301, 86, 86, 3300, - 3297, 86, 3305, 3306, 86, 3302, 3308, 86, 3483, 86, - 86, 86, 3310, 86, 86, 86, 3293, 86, 86, 3294, - - 3296, 3298, 86, 86, 3303, 3304, 3300, 3297, 86, 3305, - 86, 3307, 3302, 86, 3312, 3309, 86, 3313, 86, 3310, - 86, 3311, 86, 86, 86, 3314, 86, 3315, 3317, 3318, - 3316, 3303, 3304, 3321, 3483, 3320, 3319, 86, 3307, 3324, - 86, 3312, 3309, 86, 3313, 86, 86, 3322, 3311, 86, - 86, 86, 3314, 3323, 86, 3317, 3318, 3316, 3327, 86, - 3321, 3326, 3320, 3319, 3328, 86, 3324, 3325, 86, 3329, - 3330, 3331, 3333, 3332, 3322, 3483, 86, 86, 86, 3334, - 3323, 3483, 86, 86, 3483, 3327, 3335, 3339, 3326, 3483, - 86, 3328, 3336, 86, 3325, 3338, 86, 86, 86, 3333, - - 3332, 3340, 86, 3337, 3341, 86, 3334, 86, 3342, 86, - 3343, 86, 3344, 3335, 3339, 3347, 86, 86, 3345, 3336, - 86, 3346, 3338, 3350, 86, 3349, 86, 86, 3340, 3348, - 3337, 3341, 86, 3351, 86, 3342, 3353, 3343, 86, 3344, - 3352, 86, 3347, 86, 3354, 3345, 86, 3355, 3346, 3357, - 3350, 3356, 3349, 3359, 86, 86, 3348, 3358, 86, 3360, - 3351, 3361, 86, 3353, 86, 3362, 3363, 3352, 3364, 3483, - 3367, 86, 3366, 86, 3355, 3365, 3357, 86, 3356, 86, - 86, 3368, 3369, 86, 3358, 3370, 3360, 86, 86, 3371, - 3372, 86, 3362, 86, 86, 86, 3375, 3367, 3373, 3366, - - 3374, 86, 3365, 86, 
86, 3376, 3377, 3378, 3368, 3369, - 3379, 86, 3370, 86, 3380, 86, 3371, 3382, 86, 3383, - 3381, 3384, 86, 3375, 3385, 3373, 86, 3374, 86, 3386, - 86, 86, 86, 3377, 86, 3387, 3389, 86, 3390, 3391, - 3395, 3380, 3388, 3483, 86, 3392, 3383, 3381, 3384, 3393, - 86, 86, 86, 3394, 86, 86, 3386, 86, 3396, 86, - 3399, 3400, 3387, 3483, 3404, 3397, 3391, 86, 86, 3388, - 86, 86, 3392, 86, 3398, 86, 3393, 3402, 86, 3401, - 3394, 86, 3403, 3405, 86, 86, 86, 3399, 3400, 3407, - 86, 3404, 3397, 3408, 3406, 3409, 3410, 86, 3411, 86, - - 3412, 3398, 86, 86, 3402, 3413, 3401, 86, 86, 3403, - 3405, 86, 3414, 3415, 3416, 86, 3407, 3421, 3483, 3483, - 3408, 3406, 86, 3410, 3417, 3411, 3418, 3412, 3419, 3420, - 3422, 3483, 86, 3424, 86, 3426, 3423, 86, 3425, 3414, - 86, 3416, 3483, 86, 3427, 86, 86, 3430, 86, 86, - 86, 3417, 3483, 3418, 3433, 3419, 3420, 86, 86, 3428, - 86, 86, 3426, 3423, 86, 3425, 3429, 86, 3431, 3432, - 3434, 3427, 3435, 3483, 86, 3436, 86, 3438, 3437, 86, - 86, 3433, 3441, 86, 3439, 86, 3428, 3440, 3442, 3443, - 86, 3445, 86, 3429, 3483, 3431, 3432, 86, 3447, 3435, - - 86, 86, 3436, 86, 3438, 3437, 3444, 86, 86, 3441, - 86, 3439, 3446, 3449, 3440, 3442, 3443, 86, 3445, 3448, - 86, 3450, 3451, 3452, 86, 3447, 3455, 3454, 3458, 3453, - 86, 3483, 3461, 3444, 3460, 86, 86, 3456, 3457, 3446, - 3449, 86, 86, 3483, 3459, 86, 3448, 3463, 3450, 3451, - 86, 86, 86, 86, 3454, 3458, 3453, 86, 86, 86, - 3462, 3460, 3464, 3468, 3456, 3457, 86, 3465, 86, 86, - 3466, 3459, 3467, 3469, 3463, 86, 3471, 3470, 86, 3472, - 3474, 86, 3475, 3477, 86, 86, 3483, 3462, 3473, 3464, - 86, 3476, 3478, 3479, 3465, 3481, 3482, 3466, 86, 3467, - - 3469, 86, 86, 3471, 3470, 86, 86, 86, 86, 86, - 3477, 86, 3483, 3480, 86, 3473, 3483, 3483, 3476, 3478, - 3479, 86, 86, 86, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3480, 47, 47, 47, 47, 47, 47, 47, 52, 52, - 52, 52, 52, 52, 52, 57, 57, 57, 57, 57, - 57, 57, 63, 63, 63, 63, 63, 63, 63, 68, - 68, 
68, 68, 68, 68, 68, 74, 74, 74, 74, - 74, 74, 74, 80, 80, 80, 80, 80, 80, 80, - 89, 89, 3483, 89, 89, 89, 89, 160, 160, 3483, - - 3483, 3483, 160, 160, 162, 162, 3483, 3483, 162, 3483, - 162, 164, 3483, 3483, 3483, 3483, 3483, 164, 167, 167, - 3483, 3483, 3483, 167, 167, 169, 3483, 3483, 3483, 3483, - 3483, 169, 171, 171, 3483, 171, 171, 171, 171, 174, - 3483, 3483, 3483, 3483, 3483, 174, 177, 177, 3483, 3483, - 3483, 177, 177, 90, 90, 3483, 90, 90, 90, 90, - 17, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483 + 199, 86, 200, 145, 191, 202, 192, 146, 147, 263, + 342, 201, 86, 86, 198, 86, 208, 86, 210, 86, + 143, 209, 86, 144, 86, 190, 344, 199, 86, 200, + 145, 191, 202, 192, 146, 147, 203, 204, 201, 86, + 86, 211, 86, 208, 205, 210, 216, 3682, 209, 218, + 212, 3682, 86, 213, 86, 177, 177, 86, 86, 219, + + 3682, 3682, 3682, 203, 204, 221, 214, 215, 211, 222, + 217, 205, 227, 3682, 86, 226, 218, 212, 86, 220, + 213, 86, 224, 228, 229, 223, 219, 225, 86, 86, + 86, 232, 221, 214, 215, 86, 222, 217, 86, 227, + 230, 231, 226, 86, 235, 86, 220, 234, 233, 224, + 228, 229, 223, 86, 225, 86, 236, 237, 232, 86, + 86, 242, 241, 3682, 3682, 247, 86, 230, 231, 86, + 86, 235, 238, 243, 234, 233, 239, 86, 3682, 86, + 86, 244, 240, 236, 237, 248, 86, 86, 242, 241, + 245, 250, 247, 249, 86, 255, 246, 253, 3682, 238, + + 243, 86, 251, 239, 86, 259, 252, 346, 244, 240, + 86, 86, 248, 349, 256, 86, 260, 245, 250, 261, + 249, 268, 255, 246, 253, 86, 264, 262, 269, 251, + 86, 257, 259, 252, 258, 86, 86, 86, 265, 86, + 86, 256, 270, 260, 272, 86, 261, 266, 268, 273, + 86, 271, 370, 264, 262, 269, 3682, 86, 257, 267, + 86, 258, 86, 
86, 3682, 265, 86, 274, 3682, 270, + 164, 272, 164, 164, 266, 164, 273, 169, 271, 169, + 169, 275, 169, 276, 86, 90, 267, 90, 90, 282, + 90, 170, 278, 174, 274, 174, 174, 277, 174, 279, + + 287, 86, 280, 86, 284, 86, 283, 86, 275, 281, + 285, 86, 86, 286, 288, 86, 282, 292, 291, 278, + 86, 86, 86, 172, 277, 86, 279, 287, 289, 280, + 293, 284, 86, 283, 290, 86, 281, 285, 295, 86, + 286, 288, 296, 304, 292, 291, 303, 305, 3682, 308, + 310, 373, 306, 309, 307, 314, 86, 293, 86, 297, + 86, 290, 86, 312, 3682, 86, 86, 311, 3682, 296, + 304, 86, 86, 303, 86, 86, 308, 310, 86, 86, + 309, 307, 314, 86, 315, 316, 297, 298, 317, 321, + 318, 313, 299, 379, 311, 86, 86, 300, 86, 322, + + 323, 86, 86, 301, 302, 319, 86, 329, 320, 3682, + 86, 315, 316, 3682, 298, 317, 321, 318, 313, 299, + 86, 86, 86, 333, 300, 86, 322, 323, 3682, 86, + 301, 302, 319, 330, 329, 320, 324, 331, 337, 325, + 86, 326, 339, 334, 345, 86, 341, 3682, 86, 86, + 333, 352, 86, 327, 335, 328, 340, 343, 86, 3682, + 330, 380, 86, 324, 331, 337, 325, 86, 326, 3682, + 382, 345, 347, 341, 86, 86, 350, 348, 352, 86, + 327, 335, 328, 340, 343, 351, 353, 354, 356, 357, + 86, 86, 360, 86, 3682, 358, 355, 86, 359, 347, + + 362, 86, 86, 350, 348, 361, 86, 86, 86, 86, + 86, 86, 351, 353, 354, 356, 357, 86, 366, 360, + 86, 363, 358, 355, 364, 359, 367, 362, 86, 365, + 374, 368, 361, 369, 3682, 86, 377, 86, 86, 375, + 86, 371, 372, 381, 86, 366, 376, 378, 363, 383, + 86, 86, 384, 367, 86, 385, 86, 374, 368, 386, + 369, 86, 387, 377, 86, 86, 375, 86, 371, 372, + 381, 86, 389, 376, 378, 390, 383, 400, 3682, 384, + 392, 86, 385, 393, 86, 388, 86, 395, 394, 396, + 397, 398, 391, 401, 86, 86, 3682, 86, 404, 402, + + 86, 403, 390, 170, 86, 86, 3682, 392, 86, 86, + 393, 411, 388, 86, 395, 394, 396, 397, 398, 391, + 399, 86, 405, 86, 86, 86, 402, 406, 403, 407, + 86, 408, 409, 410, 86, 86, 414, 412, 86, 3682, + 86, 413, 419, 86, 86, 417, 416, 399, 418, 405, + 426, 86, 421, 86, 406, 86, 407, 422, 408, 409, + 410, 86, 86, 414, 
412, 420, 86, 423, 413, 419, + 424, 86, 417, 416, 86, 418, 86, 86, 425, 421, + 86, 428, 86, 427, 422, 86, 86, 429, 86, 430, + 3682, 433, 420, 434, 423, 435, 86, 424, 439, 431, + + 436, 438, 3682, 440, 3682, 425, 3682, 86, 86, 86, + 427, 442, 86, 86, 429, 86, 432, 86, 433, 441, + 434, 86, 86, 443, 437, 439, 431, 86, 438, 445, + 440, 444, 86, 86, 446, 447, 449, 86, 442, 448, + 86, 453, 86, 432, 86, 86, 441, 86, 454, 452, + 443, 437, 86, 450, 455, 479, 445, 464, 444, 463, + 462, 446, 447, 449, 86, 86, 448, 471, 86, 86, + 451, 3682, 86, 86, 3682, 454, 452, 86, 86, 86, + 450, 455, 86, 488, 464, 472, 463, 462, 473, 3682, + 476, 86, 474, 475, 471, 477, 3682, 451, 456, 86, + + 478, 457, 492, 86, 86, 486, 458, 459, 460, 461, + 86, 480, 472, 3682, 481, 473, 86, 86, 482, 474, + 475, 86, 86, 86, 86, 456, 3682, 478, 457, 492, + 86, 483, 486, 458, 459, 460, 461, 465, 480, 466, + 489, 481, 487, 86, 490, 482, 484, 485, 3682, 491, + 3682, 467, 468, 469, 3682, 470, 86, 495, 483, 494, + 86, 86, 86, 499, 465, 493, 466, 489, 3682, 487, + 86, 490, 86, 484, 485, 86, 491, 86, 467, 468, + 469, 86, 470, 496, 495, 498, 494, 497, 3682, 506, + 520, 86, 493, 505, 86, 86, 504, 86, 500, 3682, + + 501, 3682, 3682, 86, 507, 512, 510, 508, 511, 502, + 496, 3682, 498, 509, 497, 86, 503, 86, 86, 519, + 505, 86, 518, 504, 86, 500, 86, 501, 513, 86, + 86, 507, 512, 510, 508, 511, 502, 521, 517, 3682, + 509, 514, 535, 503, 515, 3682, 516, 3682, 86, 518, + 534, 86, 86, 3682, 539, 513, 86, 86, 537, 86, + 536, 3682, 552, 538, 521, 517, 86, 86, 514, 535, + 86, 515, 540, 516, 522, 86, 523, 534, 3682, 542, + 86, 539, 524, 551, 3682, 537, 525, 536, 541, 552, + 538, 526, 86, 553, 527, 86, 86, 3682, 554, 540, + + 86, 522, 557, 523, 559, 555, 542, 3682, 170, 524, + 551, 558, 556, 525, 562, 541, 86, 3682, 526, 86, + 561, 527, 528, 560, 529, 86, 86, 575, 86, 557, + 3682, 559, 555, 563, 86, 568, 564, 530, 558, 556, + 531, 86, 532, 86, 533, 566, 86, 561, 86, 528, + 560, 529, 565, 569, 567, 3682, 3682, 86, 3682, 86, + 
563, 570, 568, 564, 530, 86, 572, 531, 86, 532, + 3682, 533, 543, 544, 573, 580, 578, 86, 86, 565, + 569, 567, 545, 546, 547, 548, 549, 571, 570, 550, + 574, 86, 576, 572, 86, 579, 86, 86, 577, 543, + + 544, 573, 86, 578, 581, 86, 86, 86, 86, 545, + 546, 547, 548, 549, 571, 582, 550, 574, 86, 576, + 586, 583, 579, 584, 585, 577, 86, 86, 587, 588, + 3682, 581, 589, 590, 3682, 591, 592, 593, 3682, 86, + 86, 600, 582, 86, 595, 86, 614, 586, 583, 598, + 596, 3682, 86, 86, 594, 587, 588, 86, 86, 589, + 590, 86, 591, 592, 593, 597, 599, 86, 600, 601, + 602, 595, 603, 86, 86, 86, 598, 596, 86, 86, + 86, 594, 616, 615, 617, 86, 604, 605, 618, 619, + 628, 621, 597, 599, 3682, 623, 601, 602, 606, 603, + + 607, 86, 620, 622, 86, 86, 86, 86, 86, 616, + 615, 617, 86, 604, 605, 618, 624, 86, 621, 86, + 626, 86, 623, 3682, 625, 606, 86, 607, 608, 620, + 622, 86, 629, 633, 627, 630, 609, 610, 86, 631, + 611, 612, 632, 624, 613, 634, 86, 626, 86, 86, + 86, 625, 635, 636, 86, 608, 86, 86, 86, 629, + 633, 627, 630, 609, 610, 86, 631, 611, 612, 637, + 640, 613, 634, 638, 86, 86, 641, 642, 643, 635, + 636, 639, 644, 86, 645, 86, 86, 3682, 646, 648, + 86, 86, 647, 86, 650, 651, 637, 640, 649, 86, + + 638, 652, 3682, 641, 642, 643, 86, 86, 639, 644, + 86, 645, 86, 86, 86, 646, 648, 86, 653, 647, + 86, 650, 651, 655, 654, 649, 656, 657, 652, 86, + 658, 660, 86, 661, 659, 662, 86, 86, 664, 666, + 665, 663, 86, 668, 86, 653, 86, 86, 86, 86, + 655, 654, 86, 656, 657, 86, 86, 658, 660, 669, + 661, 659, 662, 667, 670, 664, 666, 665, 663, 672, + 86, 671, 86, 673, 3682, 86, 3682, 681, 674, 677, + 675, 678, 3682, 676, 680, 679, 669, 689, 3682, 86, + 667, 86, 683, 86, 86, 86, 86, 86, 671, 86, + + 673, 86, 86, 86, 684, 674, 677, 675, 678, 86, + 676, 680, 679, 682, 689, 686, 86, 687, 688, 683, + 86, 691, 692, 86, 690, 3682, 694, 685, 86, 706, + 693, 705, 696, 695, 86, 86, 86, 86, 86, 86, + 682, 86, 686, 86, 687, 688, 86, 86, 691, 692, + 707, 690, 86, 694, 685, 708, 706, 693, 705, 696, + 695, 697, 
86, 709, 711, 3682, 698, 710, 699, 712, + 3682, 86, 715, 3682, 700, 86, 701, 707, 86, 702, + 703, 3682, 708, 3682, 86, 3682, 704, 86, 697, 86, + 709, 711, 86, 698, 710, 699, 712, 716, 713, 715, + + 720, 700, 714, 701, 721, 718, 702, 703, 719, 3682, + 723, 726, 724, 704, 722, 86, 86, 717, 86, 86, + 86, 725, 86, 86, 716, 713, 727, 720, 728, 714, + 730, 731, 718, 86, 732, 719, 86, 723, 726, 724, + 729, 722, 86, 86, 717, 86, 734, 733, 725, 86, + 741, 738, 735, 727, 86, 728, 86, 730, 731, 86, + 86, 732, 737, 736, 740, 3682, 745, 729, 86, 86, + 742, 86, 86, 734, 733, 739, 86, 741, 738, 735, + 743, 744, 747, 86, 86, 746, 749, 748, 86, 737, + 736, 740, 751, 750, 86, 86, 753, 742, 86, 86, + + 86, 86, 739, 86, 170, 86, 752, 743, 744, 747, + 86, 754, 746, 749, 748, 755, 756, 757, 86, 751, + 750, 758, 759, 753, 760, 761, 3682, 762, 763, 86, + 3682, 3682, 3682, 752, 764, 86, 86, 86, 754, 766, + 86, 86, 755, 756, 86, 765, 86, 770, 773, 759, + 767, 86, 761, 86, 762, 763, 86, 768, 86, 771, + 769, 764, 86, 86, 772, 774, 766, 86, 86, 775, + 776, 777, 765, 778, 770, 773, 779, 767, 780, 782, + 783, 3682, 784, 781, 768, 3682, 86, 769, 86, 785, + 786, 86, 86, 787, 789, 788, 86, 86, 86, 794, + + 86, 86, 86, 790, 3682, 793, 782, 783, 86, 784, + 86, 791, 86, 86, 86, 86, 785, 786, 86, 792, + 787, 789, 788, 798, 796, 86, 795, 86, 86, 799, + 790, 86, 793, 86, 797, 807, 800, 801, 791, 3682, + 3682, 3682, 86, 86, 803, 86, 792, 86, 802, 86, + 798, 796, 804, 795, 86, 808, 799, 805, 806, 809, + 86, 797, 86, 800, 801, 86, 86, 86, 86, 814, + 822, 803, 86, 815, 824, 802, 817, 86, 86, 804, + 3682, 816, 808, 810, 805, 806, 809, 86, 811, 818, + 86, 812, 813, 820, 823, 819, 814, 821, 86, 86, + + 815, 824, 86, 817, 825, 828, 86, 86, 816, 86, + 810, 86, 86, 827, 829, 811, 818, 86, 812, 813, + 820, 823, 819, 830, 821, 832, 826, 86, 831, 86, + 833, 825, 828, 3682, 86, 86, 86, 86, 834, 835, + 827, 829, 836, 837, 86, 86, 86, 845, 838, 839, + 830, 842, 832, 826, 841, 831, 86, 833, 840, 843, + 86, 86, 86, 846, 
86, 834, 835, 86, 844, 86, + 837, 86, 847, 848, 849, 838, 839, 86, 842, 86, + 850, 841, 3682, 86, 86, 840, 843, 851, 852, 855, + 846, 857, 853, 854, 859, 844, 86, 86, 3682, 847, + + 856, 863, 86, 858, 86, 86, 86, 850, 86, 86, + 860, 86, 86, 862, 851, 852, 855, 3682, 866, 853, + 854, 871, 861, 86, 86, 86, 86, 856, 863, 867, + 858, 864, 86, 868, 86, 86, 865, 860, 872, 873, + 862, 876, 874, 86, 875, 866, 86, 869, 870, 861, + 877, 86, 878, 86, 881, 86, 867, 86, 879, 3682, + 868, 882, 3682, 86, 86, 872, 873, 86, 876, 874, + 86, 875, 86, 880, 869, 870, 86, 877, 885, 878, + 883, 889, 86, 886, 890, 879, 86, 887, 882, 888, + 884, 86, 86, 891, 892, 893, 894, 897, 907, 3682, + + 880, 895, 86, 86, 86, 86, 86, 883, 889, 86, + 86, 890, 896, 86, 887, 898, 888, 884, 86, 86, + 891, 892, 893, 894, 900, 899, 902, 3682, 895, 86, + 86, 904, 901, 903, 906, 86, 86, 909, 86, 896, + 905, 86, 898, 86, 86, 914, 86, 908, 910, 911, + 86, 900, 899, 902, 86, 86, 912, 86, 904, 901, + 903, 906, 86, 86, 909, 913, 916, 905, 86, 915, + 917, 3682, 914, 86, 908, 910, 911, 86, 86, 86, + 918, 919, 920, 912, 922, 923, 921, 3682, 924, 86, + 86, 3682, 913, 916, 86, 925, 915, 917, 86, 930, + + 3682, 928, 927, 926, 3682, 3682, 86, 918, 919, 920, + 86, 922, 923, 921, 86, 924, 86, 86, 86, 929, + 931, 86, 925, 933, 934, 932, 930, 935, 928, 927, + 926, 86, 86, 86, 938, 936, 937, 86, 939, 86, + 942, 3682, 946, 3682, 86, 3682, 929, 931, 940, 86, + 933, 934, 932, 941, 935, 86, 86, 86, 86, 943, + 86, 938, 936, 937, 944, 939, 945, 942, 947, 949, + 948, 950, 86, 86, 86, 940, 952, 955, 958, 954, + 941, 86, 86, 951, 86, 86, 943, 953, 86, 959, + 170, 944, 86, 945, 86, 947, 949, 948, 950, 956, + + 86, 86, 960, 952, 86, 86, 954, 957, 962, 961, + 951, 86, 963, 3682, 953, 964, 959, 86, 965, 86, + 86, 966, 967, 86, 968, 86, 956, 969, 971, 960, + 970, 86, 3682, 86, 957, 981, 961, 86, 86, 963, + 86, 972, 964, 86, 973, 965, 86, 86, 966, 967, + 86, 86, 3682, 982, 969, 971, 86, 970, 983, 985, + 984, 3682, 981, 86, 86, 3682, 987, 
986, 972, 3682, + 3682, 973, 974, 3682, 993, 975, 86, 989, 994, 976, + 982, 86, 977, 86, 86, 983, 985, 984, 86, 978, + 979, 86, 980, 987, 986, 990, 988, 86, 991, 974, + + 86, 993, 975, 3682, 989, 994, 976, 86, 995, 977, + 992, 996, 1005, 1004, 1028, 86, 978, 979, 3682, 980, + 86, 86, 990, 988, 86, 991, 86, 1006, 3682, 1007, + 1008, 3682, 3682, 86, 86, 995, 1010, 992, 86, 1005, + 1004, 86, 1012, 86, 997, 998, 1009, 999, 1015, 86, + 1000, 3682, 1011, 86, 1006, 1001, 1007, 1008, 1013, 86, + 86, 1002, 1003, 1010, 86, 1014, 86, 1017, 1023, 1012, + 86, 997, 998, 1009, 999, 1015, 1016, 1000, 86, 1011, + 1020, 1018, 1001, 1021, 1022, 1013, 1019, 86, 1002, 1003, + 86, 86, 1014, 1024, 1017, 1023, 86, 1030, 1026, 1025, + + 86, 1027, 1029, 1016, 3682, 3682, 1031, 1020, 1032, 86, + 1021, 1022, 86, 86, 86, 1035, 3682, 1036, 1043, 86, + 1024, 86, 86, 86, 1030, 1026, 1025, 86, 1027, 1029, + 1033, 86, 1034, 1031, 86, 1032, 1037, 86, 1038, 1045, + 86, 1039, 1035, 86, 1036, 1040, 1041, 1042, 86, 1044, + 86, 86, 86, 1046, 86, 1048, 1049, 1033, 1047, 1034, + 1050, 86, 1051, 1037, 1053, 1038, 86, 86, 1039, 86, + 86, 86, 1040, 1041, 1042, 1054, 1044, 86, 1055, 1052, + 1056, 1058, 1048, 3682, 1057, 86, 86, 1050, 86, 1051, + 1059, 1060, 1062, 1061, 1063, 3682, 86, 86, 1067, 1064, + + 86, 86, 1054, 1065, 86, 86, 1052, 1056, 1058, 86, + 86, 1057, 86, 1069, 1070, 1066, 86, 86, 86, 1062, + 1061, 1063, 86, 86, 86, 1067, 1064, 1068, 1071, 1072, + 1065, 1073, 86, 1076, 1074, 86, 3682, 1075, 3682, 1077, + 86, 1070, 1066, 86, 1080, 86, 1078, 86, 1079, 86, + 1081, 86, 1083, 3682, 1068, 1071, 86, 86, 1082, 3682, + 1076, 1074, 86, 86, 1075, 86, 1077, 1084, 1085, 86, + 86, 1080, 1090, 1078, 86, 1079, 1086, 1081, 1087, 1083, + 86, 1091, 1093, 1088, 1089, 1082, 86, 3682, 1092, 1094, + 86, 1099, 86, 86, 1084, 1085, 86, 86, 86, 1090, + + 86, 1098, 1101, 1086, 1095, 1103, 1096, 3682, 1091, 1093, + 86, 1089, 86, 86, 1097, 1092, 1094, 1100, 86, 1102, + 1104, 1112, 1107, 86, 86, 86, 86, 86, 1098, 1101, + 86, 
1095, 1103, 1096, 1105, 1106, 1109, 1113, 3682, 86, + 86, 1097, 86, 1111, 1100, 1110, 1102, 1104, 1108, 1107, + 1114, 86, 86, 86, 86, 86, 1115, 1118, 1116, 86, + 1117, 1105, 1106, 1109, 1113, 86, 86, 86, 1120, 1119, + 1111, 1121, 1110, 86, 1122, 1108, 1125, 1114, 86, 1124, + 1133, 86, 1123, 1115, 1118, 1116, 86, 1117, 86, 1127, + 86, 1134, 1126, 86, 86, 1120, 1119, 1128, 1121, 86, + + 1129, 86, 1130, 1125, 86, 86, 1124, 1131, 86, 1123, + 86, 1132, 86, 1135, 86, 1136, 1127, 1137, 86, 1126, + 1139, 1138, 1140, 86, 1128, 1148, 86, 1129, 86, 1130, + 86, 1142, 1141, 1149, 1131, 1143, 3682, 1150, 1132, 86, + 1135, 1145, 1153, 1144, 1137, 1146, 3682, 86, 1138, 1147, + 86, 86, 86, 1152, 86, 86, 1155, 86, 1142, 1141, + 1151, 86, 1143, 86, 1150, 86, 1154, 86, 1145, 86, + 1144, 3682, 1146, 86, 86, 86, 1147, 1156, 1157, 1158, + 1152, 1165, 1172, 86, 1161, 1163, 86, 1151, 1164, 1162, + 1166, 1167, 1159, 1154, 1160, 86, 86, 86, 86, 1209, + + 86, 1168, 1169, 86, 1156, 1157, 1158, 86, 1165, 1172, + 86, 86, 1163, 1171, 1182, 1164, 170, 1166, 1167, 1159, + 1173, 1160, 1170, 86, 1174, 86, 86, 86, 1168, 1169, + 86, 86, 1183, 3682, 3682, 1181, 1184, 86, 3682, 3682, + 1171, 1182, 1189, 3682, 86, 1186, 1185, 1173, 86, 1170, + 3682, 1174, 1175, 1188, 1176, 1187, 3682, 1210, 1177, 1183, + 1178, 86, 1181, 86, 86, 1179, 86, 86, 86, 1189, + 1180, 1190, 1186, 1185, 1197, 1193, 86, 1194, 1191, 1175, + 1188, 1176, 1187, 1192, 86, 1177, 86, 1178, 1195, 86, + 86, 1200, 1179, 86, 1201, 1198, 1202, 1180, 1190, 1204, + + 1196, 1197, 1193, 1206, 1194, 1199, 86, 1203, 1207, 86, + 86, 86, 86, 86, 1208, 1195, 86, 86, 1200, 1205, + 1211, 1201, 1198, 1202, 1213, 86, 1204, 1196, 1214, 86, + 1206, 1215, 1199, 86, 1203, 1207, 86, 86, 1224, 86, + 1216, 1208, 1225, 1230, 1226, 1227, 1205, 86, 3682, 86, + 1228, 3682, 1229, 86, 3682, 1214, 86, 86, 1215, 1236, + 86, 3682, 86, 3682, 86, 1224, 1246, 1216, 1217, 1225, + 1230, 1226, 1227, 1218, 86, 1219, 86, 1228, 1231, 1229, + 1233, 1220, 1234, 1232, 1237, 3682, 
1221, 1222, 86, 86, + 86, 86, 1235, 1223, 86, 1217, 86, 1238, 86, 3682, + + 1218, 1243, 1219, 86, 1240, 1231, 86, 1233, 1220, 1234, + 1232, 1237, 86, 1221, 1222, 86, 1239, 1241, 1242, 1235, + 1223, 1250, 1245, 1244, 1238, 86, 86, 86, 86, 86, + 1247, 1240, 1248, 1249, 1251, 86, 1252, 3682, 1254, 1257, + 86, 1256, 3682, 1239, 1241, 1242, 86, 3682, 1250, 1245, + 1244, 1255, 86, 1253, 86, 86, 86, 1247, 86, 1248, + 1249, 86, 1259, 1252, 1258, 1254, 86, 3682, 1256, 86, + 86, 86, 1260, 1262, 1261, 1264, 1263, 1265, 1255, 1266, + 1253, 86, 86, 86, 1267, 1269, 86, 3682, 1268, 1259, + 86, 1258, 1274, 1275, 86, 86, 1270, 86, 86, 1260, + + 1262, 1261, 1264, 1263, 1265, 86, 1266, 86, 1271, 1272, + 1273, 1267, 86, 1278, 86, 1268, 86, 86, 1276, 1274, + 1277, 86, 86, 1270, 1280, 86, 86, 1279, 1281, 3682, + 1282, 1283, 1285, 86, 1284, 1271, 1272, 1273, 1286, 86, + 1278, 1287, 1290, 3682, 1288, 1276, 86, 1277, 1289, 86, + 86, 1280, 86, 86, 1279, 1281, 86, 1282, 1283, 86, + 86, 1284, 86, 1293, 86, 1295, 1294, 1291, 1287, 1290, + 86, 1288, 1292, 1296, 1297, 1289, 1298, 86, 1303, 1300, + 1299, 1301, 1302, 86, 1305, 1309, 3682, 86, 86, 86, + 1293, 86, 1295, 1294, 86, 86, 1307, 86, 1304, 86, + + 1296, 1297, 1306, 1298, 1308, 86, 1300, 1299, 1301, 1302, + 86, 86, 1309, 1310, 86, 1311, 86, 86, 86, 1312, + 1315, 86, 1313, 1307, 1314, 1304, 1316, 3682, 1317, 1306, + 1318, 1308, 1320, 1319, 1322, 86, 1323, 86, 86, 1333, + 1310, 86, 1311, 86, 86, 86, 1312, 1315, 86, 1313, + 86, 1314, 1321, 1316, 86, 1317, 1324, 1318, 1325, 1320, + 1319, 1327, 1326, 86, 1329, 3682, 86, 86, 1328, 1330, + 1331, 86, 86, 86, 86, 1334, 86, 86, 1332, 1321, + 1335, 1336, 1337, 1324, 1338, 1325, 86, 86, 1327, 1326, + 1340, 1329, 86, 1339, 86, 1328, 1330, 1331, 1344, 1341, + + 1346, 1342, 1345, 86, 86, 1332, 1343, 86, 1336, 1337, + 86, 1351, 86, 86, 1347, 86, 86, 1348, 1349, 86, + 1339, 86, 86, 1352, 86, 1350, 1341, 86, 1342, 1345, + 86, 1353, 86, 1343, 86, 86, 1359, 1354, 1351, 1355, + 86, 1347, 1356, 1362, 1348, 1349, 
1358, 86, 1357, 1360, + 1352, 86, 1350, 86, 86, 86, 1363, 3682, 1353, 1361, + 3682, 86, 1366, 86, 1354, 86, 1355, 1367, 86, 1356, + 1362, 86, 1364, 1358, 1365, 1357, 86, 86, 1370, 1369, + 86, 86, 1371, 86, 1373, 1374, 1361, 86, 86, 1366, + 86, 1372, 86, 86, 1367, 1375, 86, 1376, 1377, 1364, + + 1378, 1365, 1379, 1383, 1380, 1370, 1369, 170, 1381, 1371, + 1382, 1373, 86, 1384, 86, 86, 86, 1386, 1372, 86, + 86, 86, 1375, 86, 1376, 1377, 1385, 1378, 1387, 1379, + 1383, 1380, 86, 86, 1388, 1381, 1389, 1382, 3682, 1390, + 86, 1392, 1393, 1391, 1395, 86, 3682, 1397, 3682, 86, + 1394, 1396, 1400, 1385, 86, 86, 86, 3682, 86, 86, + 86, 1388, 3682, 1389, 86, 86, 1390, 86, 1392, 1393, + 1391, 1395, 86, 1398, 1397, 1399, 1401, 1394, 1396, 86, + 1403, 1402, 3682, 86, 1404, 86, 1405, 1406, 1412, 86, + 86, 1413, 86, 86, 1410, 3682, 1407, 3682, 1408, 1414, + + 1398, 1409, 1399, 1401, 1411, 86, 3682, 1403, 1402, 86, + 86, 1404, 1416, 1405, 1406, 1412, 1415, 86, 86, 86, + 1419, 1410, 1420, 1407, 1417, 1408, 1414, 1421, 1409, 86, + 86, 1411, 86, 1418, 1423, 86, 86, 1422, 86, 1416, + 1424, 1426, 86, 1415, 86, 1425, 1428, 1419, 1427, 1420, + 3682, 1417, 86, 1433, 1421, 1429, 86, 86, 86, 1430, + 1418, 1432, 86, 1431, 1422, 3682, 86, 1424, 1426, 1434, + 86, 3682, 1425, 86, 1441, 1427, 86, 86, 3682, 1435, + 1433, 86, 1429, 86, 1437, 1436, 1430, 86, 1432, 1438, + 1431, 86, 86, 1440, 86, 1442, 1434, 86, 1439, 1443, + + 1445, 1441, 1444, 1446, 1448, 86, 1435, 86, 86, 86, + 86, 1437, 1436, 86, 1449, 1451, 1438, 3682, 3682, 1447, + 1440, 86, 1442, 1454, 86, 1439, 1443, 1445, 1450, 1444, + 1446, 86, 1452, 86, 3682, 86, 86, 1453, 86, 1455, + 1457, 1449, 1451, 1458, 86, 86, 1447, 86, 3682, 1456, + 1454, 86, 86, 1459, 1460, 1450, 1461, 1462, 1463, 1452, + 86, 1465, 1464, 1467, 1453, 1466, 1455, 1457, 86, 86, + 86, 1473, 86, 1470, 1468, 86, 1456, 86, 86, 1469, + 1459, 86, 1471, 1461, 1462, 1463, 86, 86, 1465, 1464, + 1467, 1472, 1466, 1481, 1482, 86, 1483, 86, 1473, 3682, + + 1470, 3682, 3682, 
1484, 1487, 86, 86, 86, 3682, 1471, + 3682, 1485, 86, 1488, 3682, 1496, 1486, 1489, 1472, 1474, + 1481, 1482, 1490, 1475, 86, 1495, 1476, 1477, 86, 86, + 1484, 1478, 86, 86, 86, 86, 86, 1479, 1485, 86, + 1488, 1480, 1496, 1486, 1489, 86, 1474, 1492, 86, 1490, + 1475, 1491, 1495, 1476, 1477, 1497, 3682, 86, 1478, 1493, + 1498, 1494, 1500, 1505, 1479, 3682, 1499, 3682, 1480, 1501, + 1504, 1503, 1502, 86, 1492, 1506, 86, 1508, 1491, 86, + 86, 1507, 3682, 86, 86, 1517, 1493, 86, 1494, 1500, + 86, 1509, 86, 1499, 86, 86, 1501, 1504, 1503, 1502, + + 86, 3682, 1516, 86, 1508, 86, 1520, 86, 1507, 1515, + 3682, 86, 1517, 1518, 1519, 86, 1521, 3682, 1509, 1510, + 1522, 3682, 86, 1525, 1511, 3682, 1512, 1523, 1513, 1516, + 1514, 86, 86, 1520, 86, 1524, 1515, 86, 1528, 86, + 1526, 86, 86, 1521, 86, 1527, 1510, 1522, 1530, 1532, + 1525, 1511, 1536, 1512, 1523, 1513, 86, 1514, 1529, 3682, + 1531, 1533, 1524, 86, 1535, 1528, 1534, 86, 1537, 86, + 86, 1538, 86, 86, 86, 1530, 1532, 86, 1539, 1540, + 1541, 1543, 3682, 1542, 86, 1529, 86, 1531, 1533, 1544, + 1548, 1535, 86, 1534, 86, 1537, 86, 86, 1538, 86, + + 1547, 1550, 86, 1545, 1551, 1539, 1540, 1541, 1543, 86, + 1542, 1546, 86, 86, 1549, 1552, 1544, 86, 1553, 1555, + 1556, 1558, 86, 1559, 1554, 3682, 86, 1547, 86, 86, + 1545, 1551, 86, 1560, 1564, 1569, 1557, 86, 1546, 86, + 86, 1549, 1552, 86, 1566, 1553, 1555, 86, 86, 86, + 1559, 1554, 1561, 1562, 86, 86, 1563, 1565, 86, 86, + 1560, 86, 86, 1557, 86, 1567, 1568, 86, 1570, 1571, + 3682, 1566, 1572, 86, 1574, 1578, 1573, 1576, 1577, 1561, + 1562, 3682, 1575, 1563, 1565, 86, 1579, 86, 86, 86, + 86, 86, 1567, 1568, 86, 1570, 1571, 86, 86, 1572, + + 86, 1574, 1578, 1573, 1576, 1577, 1580, 1581, 86, 1575, + 1583, 1582, 3682, 1579, 1584, 1586, 1590, 1585, 1591, 1594, + 3682, 3682, 1587, 3682, 86, 86, 1588, 3682, 3682, 86, + 1592, 1589, 86, 1580, 1581, 86, 1595, 1583, 1582, 86, + 86, 1584, 1586, 86, 1585, 86, 86, 1593, 86, 1587, + 86, 86, 86, 1588, 86, 1597, 1596, 1592, 1589, 1598, + 
1599, 1601, 1600, 1595, 86, 1603, 1604, 86, 1602, 86, + 86, 86, 1605, 86, 1593, 1606, 86, 170, 1607, 1608, + 1609, 3682, 1597, 1596, 86, 86, 86, 1599, 1601, 1600, + 1610, 1612, 1603, 1604, 1613, 1602, 1611, 3682, 86, 1605, + + 86, 86, 1615, 86, 1614, 1616, 1608, 86, 1617, 1618, + 86, 1619, 86, 86, 86, 86, 86, 1610, 1612, 86, + 1621, 1613, 1622, 1611, 1620, 3682, 1623, 1630, 1624, 1615, + 86, 1614, 1616, 86, 86, 1617, 1618, 1625, 1619, 1626, + 1629, 1640, 86, 1628, 1627, 86, 86, 1621, 1631, 86, + 86, 1620, 86, 1623, 1630, 1624, 1632, 1633, 86, 1635, + 1634, 86, 1636, 3682, 1625, 1639, 1638, 1629, 86, 86, + 1628, 86, 1637, 86, 1641, 1631, 3682, 1643, 86, 1642, + 1645, 86, 1644, 1632, 1633, 1647, 1635, 1634, 86, 1636, + 86, 86, 1639, 1638, 86, 86, 1648, 86, 1649, 1637, + + 1650, 1641, 1646, 86, 1651, 3682, 1642, 1645, 1652, 86, + 1653, 1655, 1647, 86, 1654, 86, 1658, 1656, 86, 1657, + 86, 86, 86, 1648, 86, 1649, 86, 1650, 86, 1646, + 1659, 1651, 86, 1662, 1663, 1652, 1660, 1653, 1655, 1661, + 1664, 1654, 86, 1658, 1656, 86, 1657, 86, 1665, 86, + 1667, 86, 1668, 86, 1670, 1666, 86, 1659, 3682, 1676, + 1671, 1663, 86, 1660, 86, 86, 1661, 1664, 86, 1672, + 1669, 1675, 1681, 1682, 1673, 1665, 86, 1667, 86, 1668, + 86, 1670, 1666, 86, 1674, 86, 1676, 1671, 1677, 86, + 86, 86, 1678, 1690, 1680, 1679, 1672, 1669, 1675, 1683, + + 86, 1673, 86, 1684, 86, 86, 1685, 1686, 1688, 1689, + 86, 1674, 86, 1687, 86, 1677, 1691, 1692, 1693, 1678, + 86, 1680, 1679, 1697, 86, 86, 1683, 1701, 86, 86, + 1684, 86, 1694, 86, 1686, 1688, 1689, 1698, 1699, 3682, + 1687, 3682, 86, 1700, 86, 1693, 1704, 3682, 86, 86, + 86, 1695, 86, 1696, 1701, 1702, 86, 1703, 86, 1694, + 86, 1705, 1707, 1708, 1698, 1699, 86, 1706, 86, 86, + 1700, 1711, 1713, 1704, 86, 1710, 1712, 1714, 1695, 1709, + 1696, 86, 1702, 86, 1703, 86, 1715, 86, 1705, 1707, + 1708, 1716, 86, 86, 1706, 3682, 1719, 1717, 1720, 1718, + + 1721, 1723, 1710, 86, 86, 86, 1709, 86, 86, 1722, + 86, 1724, 1725, 1715, 86, 1727, 86, 86, 1716, 
1728, + 86, 1726, 86, 1719, 1717, 1720, 1718, 1721, 1723, 1730, + 86, 86, 1729, 86, 86, 1732, 1722, 1731, 1733, 1725, + 1739, 1734, 1727, 86, 1735, 86, 1728, 1736, 1726, 86, + 1737, 1741, 86, 86, 1740, 86, 86, 1738, 86, 1729, + 86, 86, 1732, 86, 1731, 86, 1742, 1739, 1734, 3682, + 86, 1735, 1743, 1746, 1736, 1744, 1747, 1737, 1741, 1745, + 1748, 1740, 1749, 86, 1738, 1750, 1752, 86, 86, 3682, + 3682, 1751, 86, 1742, 1759, 3682, 86, 1753, 86, 1743, + + 1746, 1763, 1744, 86, 86, 86, 1745, 86, 86, 1749, + 1755, 1754, 1750, 1752, 1756, 86, 86, 1758, 1751, 1760, + 1764, 1759, 1761, 1762, 1753, 86, 86, 1757, 86, 86, + 1765, 86, 1768, 1766, 86, 86, 1769, 1755, 1754, 1767, + 1776, 1756, 86, 1774, 1758, 86, 1760, 1764, 1770, 1761, + 1762, 1771, 1772, 86, 1757, 1777, 1773, 1782, 86, 86, + 1766, 86, 86, 1769, 86, 86, 1767, 1779, 1778, 1775, + 1774, 86, 86, 86, 86, 1770, 86, 86, 1771, 1772, + 1780, 1783, 86, 1773, 1781, 1784, 1786, 3682, 86, 86, + 1785, 1790, 1787, 1788, 1779, 1778, 1775, 3682, 1789, 1791, + + 3682, 3682, 86, 86, 86, 86, 1793, 1780, 1783, 86, + 86, 1781, 86, 86, 86, 86, 1792, 1785, 1790, 1787, + 1788, 1794, 1796, 86, 86, 1789, 1791, 1795, 86, 1797, + 1798, 3682, 1800, 1793, 86, 86, 1799, 1801, 86, 1802, + 1805, 1804, 3682, 1792, 1803, 86, 3682, 1809, 1794, 1796, + 86, 1808, 86, 86, 1795, 1810, 1797, 1798, 86, 1800, + 86, 1811, 86, 1799, 86, 86, 1802, 1805, 1804, 86, + 1806, 1803, 86, 1807, 1809, 1812, 1813, 86, 1808, 1815, + 86, 1814, 1810, 86, 1816, 1817, 86, 86, 1811, 1819, + 86, 1818, 1820, 1821, 1823, 1822, 3682, 1806, 3682, 86, + + 1807, 86, 1812, 86, 86, 86, 1815, 1824, 1814, 1825, + 86, 1816, 1817, 1826, 1827, 86, 1819, 86, 1818, 1820, + 1821, 86, 1822, 86, 1828, 170, 1829, 3682, 1834, 1830, + 1831, 86, 1832, 86, 1824, 86, 1825, 86, 1835, 86, + 1826, 1827, 1833, 1836, 86, 86, 1838, 3682, 1839, 1840, + 86, 1828, 1842, 1829, 86, 1834, 1830, 1831, 1843, 1832, + 86, 1837, 3682, 1844, 1846, 1835, 86, 1841, 86, 1833, + 1836, 86, 1848, 86, 86, 1839, 1840, 86, 
1847, 1842, + 86, 1850, 1845, 1852, 1849, 1843, 86, 1853, 1837, 86, + 1851, 86, 86, 1854, 1841, 86, 86, 1856, 1858, 86, + + 3682, 3682, 86, 1855, 1874, 1847, 86, 1859, 1850, 1845, + 1852, 1849, 86, 86, 1853, 1857, 86, 1851, 3682, 86, + 1854, 1861, 86, 1860, 1856, 1858, 1866, 86, 1862, 1867, + 1855, 86, 86, 86, 1859, 86, 86, 1863, 1868, 1870, + 1864, 1871, 1857, 1872, 1876, 86, 1875, 1873, 1861, 86, + 1860, 86, 1865, 1877, 1869, 1862, 1867, 86, 86, 1881, + 1878, 86, 86, 86, 1863, 1868, 1870, 1864, 1871, 1879, + 1872, 86, 1880, 1875, 1873, 1882, 86, 1884, 1883, 1865, + 1885, 1869, 86, 1886, 1887, 86, 86, 1878, 86, 1888, + 86, 86, 86, 1889, 1890, 86, 1879, 86, 86, 1880, + + 1891, 1892, 1882, 1895, 1884, 1883, 3682, 1885, 86, 1893, + 1886, 1887, 1894, 86, 1897, 1896, 1901, 1898, 3682, 1902, + 1899, 86, 86, 86, 86, 86, 86, 1891, 86, 86, + 86, 1900, 86, 86, 86, 1903, 1893, 86, 86, 1894, + 1904, 1897, 1896, 1901, 1898, 1906, 1902, 1899, 86, 86, + 1905, 1907, 86, 1908, 1909, 1910, 1911, 1913, 1900, 1912, + 3682, 86, 1903, 3682, 3682, 3682, 3682, 1904, 86, 1918, + 86, 86, 1906, 86, 86, 1917, 86, 1905, 1907, 1915, + 1908, 1909, 1910, 1911, 1914, 1916, 1912, 1919, 86, 86, + 86, 86, 86, 86, 1920, 1921, 1918, 1922, 1923, 1930, + + 1925, 1924, 1917, 1926, 1927, 86, 1915, 1929, 86, 3682, + 86, 1914, 1916, 86, 1919, 86, 86, 1931, 3682, 1928, + 86, 1920, 1921, 86, 86, 1923, 1930, 1925, 1924, 86, + 1926, 1927, 86, 1932, 1929, 86, 1933, 1934, 1936, 1939, + 1935, 86, 1937, 1941, 1931, 86, 1928, 1938, 1940, 86, + 1942, 1946, 1944, 1943, 86, 86, 86, 1945, 3682, 1947, + 1932, 86, 3682, 1933, 1934, 1936, 1939, 1935, 86, 1937, + 86, 1949, 86, 86, 1938, 1940, 1951, 86, 86, 1944, + 1943, 86, 1948, 1950, 1945, 1952, 1947, 1954, 1955, 1953, + 86, 86, 3682, 86, 1957, 86, 1962, 1961, 1949, 86, + + 86, 1956, 86, 1951, 1958, 86, 1960, 1959, 3682, 1948, + 1950, 86, 1952, 1964, 1954, 1955, 1953, 1963, 1965, 86, + 86, 1957, 86, 86, 86, 1967, 1966, 1971, 1956, 86, + 1968, 1958, 86, 1960, 1959, 86, 
1972, 86, 86, 1975, + 1964, 86, 1969, 1976, 1963, 1965, 1973, 1970, 86, 86, + 1974, 86, 1967, 1966, 1971, 3682, 1993, 1968, 1977, 86, + 1978, 86, 1981, 1972, 1979, 86, 1975, 86, 1980, 86, + 1976, 1985, 1986, 1973, 86, 1988, 1982, 1974, 86, 1983, + 1987, 86, 1984, 1993, 86, 1977, 86, 1978, 86, 1981, + 86, 1979, 1991, 86, 1994, 1980, 1989, 86, 1985, 1986, + + 1992, 1990, 1988, 1982, 1995, 86, 1983, 1987, 1996, 1984, + 1998, 1997, 86, 1999, 2000, 2002, 86, 86, 3682, 1991, + 86, 1994, 2001, 2003, 2006, 2004, 2005, 1992, 86, 3682, + 2010, 1995, 86, 3682, 2007, 86, 86, 86, 1997, 86, + 86, 2000, 2016, 3682, 86, 86, 2011, 86, 86, 2001, + 2003, 2008, 2004, 2005, 2017, 2012, 86, 2009, 2013, 2014, + 2015, 2007, 86, 86, 86, 86, 86, 86, 2025, 2016, + 2021, 2019, 86, 2011, 2018, 86, 2020, 2026, 2008, 86, + 2022, 2017, 2012, 86, 2009, 2013, 2014, 2015, 86, 86, + 86, 2023, 2027, 86, 2028, 2029, 2031, 2021, 2019, 2030, + + 86, 2018, 2032, 2020, 2033, 86, 86, 2022, 86, 86, + 86, 2034, 2024, 2035, 2039, 2036, 86, 2037, 86, 2027, + 86, 2028, 86, 2031, 2038, 86, 2030, 2040, 86, 2032, + 2041, 86, 3682, 86, 86, 2053, 2042, 2044, 2034, 2024, + 2043, 86, 2036, 2045, 2037, 86, 2047, 86, 2046, 3682, + 86, 2038, 2048, 86, 2040, 2057, 2049, 2041, 86, 86, + 2050, 2051, 86, 2042, 2044, 86, 86, 2043, 86, 2052, + 2045, 2055, 2054, 2047, 86, 2046, 170, 2056, 2058, 2048, + 86, 86, 86, 2049, 86, 86, 86, 2050, 2051, 2059, + 2063, 86, 2060, 2061, 2062, 2064, 2052, 86, 2055, 2054, + + 3682, 2066, 86, 2065, 2056, 2058, 2068, 86, 86, 86, + 86, 2067, 2069, 2070, 2073, 2071, 2059, 2063, 86, 2060, + 2061, 2062, 2074, 2072, 3682, 3682, 2076, 86, 2066, 2075, + 2065, 2077, 86, 86, 3682, 3682, 86, 86, 2067, 2069, + 86, 86, 2071, 2079, 86, 2078, 86, 2082, 86, 86, + 2072, 86, 86, 2076, 2080, 86, 2075, 2081, 2077, 2084, + 2083, 2085, 2088, 86, 2090, 2096, 86, 2086, 2087, 86, + 2079, 86, 2078, 3682, 2082, 2089, 86, 86, 2091, 86, + 86, 2080, 86, 2095, 2081, 2092, 2084, 2083, 2085, 2088, + 86, 2090, 2093, 2097, 2086, 
2087, 2094, 86, 2098, 86, + + 86, 3682, 2089, 2099, 2103, 2091, 2101, 2100, 86, 86, + 86, 86, 2092, 2106, 86, 86, 2107, 86, 2108, 2093, + 2097, 2102, 2104, 2094, 2105, 2098, 2110, 2115, 86, 86, + 2099, 2103, 2111, 2101, 2100, 86, 2112, 2109, 2116, 86, + 2106, 2113, 86, 86, 86, 86, 2114, 86, 2102, 2104, + 2117, 2105, 86, 86, 86, 2119, 2118, 2120, 86, 2111, + 2121, 86, 3682, 2112, 2109, 2116, 86, 2122, 2113, 2123, + 2125, 86, 2126, 2114, 2124, 2128, 2129, 2135, 2127, 86, + 86, 3682, 86, 2118, 2120, 2130, 2131, 86, 86, 86, + 2133, 86, 86, 2132, 2122, 2143, 2123, 86, 86, 2126, + + 86, 2124, 86, 2129, 2134, 2127, 3682, 2140, 86, 86, + 2141, 2142, 2130, 2131, 86, 86, 86, 2133, 86, 86, + 2132, 2136, 2137, 2138, 2146, 2144, 86, 86, 2139, 2150, + 3682, 2134, 86, 2145, 2140, 2147, 86, 2141, 2142, 2152, + 86, 2148, 86, 2155, 86, 2153, 2149, 2151, 2136, 2137, + 2138, 2146, 2144, 2154, 2159, 2139, 2150, 86, 2156, 86, + 2145, 86, 2147, 2157, 86, 86, 2152, 2160, 86, 2161, + 86, 2158, 2153, 86, 2151, 86, 86, 86, 2163, 2162, + 2154, 86, 2164, 86, 2165, 2156, 86, 2167, 2172, 2168, + 2157, 86, 2166, 3682, 2160, 86, 2161, 2169, 2158, 86, + + 2170, 2171, 2173, 2176, 2175, 2163, 2162, 86, 86, 2164, + 86, 86, 2174, 2178, 86, 86, 2168, 86, 86, 2166, + 86, 2179, 2186, 86, 2169, 86, 2177, 2170, 2171, 2173, + 86, 2175, 86, 2180, 2181, 86, 2182, 2183, 86, 2174, + 2178, 86, 2185, 2184, 86, 2187, 2189, 3682, 2179, 2186, + 2190, 86, 2188, 2177, 86, 2193, 2191, 2192, 2194, 86, + 2180, 2181, 86, 2182, 2183, 86, 86, 2195, 2196, 2200, + 2184, 2198, 2199, 2189, 86, 2201, 2197, 86, 86, 2188, + 86, 86, 86, 2191, 2192, 86, 86, 86, 86, 86, + 86, 2202, 2203, 86, 2195, 2196, 2200, 2205, 2198, 2199, + + 2206, 86, 2201, 2197, 2204, 86, 2207, 2208, 2209, 2212, + 2210, 3682, 2213, 2215, 86, 86, 86, 86, 2202, 2203, + 86, 2214, 2216, 86, 2205, 86, 2211, 2223, 2220, 2218, + 2224, 2204, 86, 86, 2208, 2209, 2212, 2210, 86, 2213, + 86, 86, 2217, 86, 2219, 86, 2221, 2222, 2214, 2216, + 86, 86, 86, 2211, 2223, 2220, 
2218, 86, 2225, 2226, + 2228, 2229, 2231, 2230, 2227, 2236, 3682, 86, 86, 2217, + 86, 2219, 86, 2221, 2222, 86, 86, 2232, 3682, 2241, + 2244, 86, 2242, 2237, 2238, 2225, 2226, 86, 2229, 2231, + 2230, 2227, 86, 2233, 2234, 2235, 86, 86, 86, 86, + + 86, 86, 86, 2239, 2232, 2240, 86, 2244, 86, 2242, + 2237, 2238, 2243, 2245, 2248, 2249, 2247, 2250, 2246, 86, + 2233, 2234, 2235, 86, 2253, 86, 2251, 2254, 2256, 86, + 2239, 2252, 2240, 2255, 86, 86, 86, 2257, 2258, 2243, + 2245, 2248, 86, 2247, 86, 2246, 2259, 2261, 2260, 2264, + 86, 2262, 86, 2266, 3682, 2256, 86, 2267, 86, 86, + 2255, 86, 86, 2263, 2257, 86, 2270, 2265, 2268, 2277, + 86, 86, 86, 2259, 2261, 2260, 86, 86, 2262, 2269, + 2274, 86, 2271, 2272, 86, 86, 86, 2275, 170, 2276, + 2263, 2273, 2278, 2270, 2265, 2268, 86, 86, 86, 86, + + 2280, 2279, 86, 2281, 2282, 3682, 2269, 2274, 86, 2271, + 2272, 86, 2283, 2286, 2275, 86, 2276, 2284, 2273, 86, + 2285, 2287, 3682, 2288, 86, 2292, 86, 3682, 2279, 3682, + 2281, 2282, 86, 86, 3682, 86, 86, 86, 2289, 2283, + 2286, 2290, 86, 2293, 2284, 2291, 3682, 2285, 2287, 86, + 2288, 2294, 86, 86, 2295, 2296, 86, 2297, 3682, 2298, + 2300, 86, 2299, 2301, 2304, 2289, 86, 86, 2290, 86, + 2293, 86, 2291, 86, 2302, 2306, 86, 2303, 2294, 86, + 86, 2295, 2296, 2305, 86, 2307, 2298, 2300, 2312, 2299, + 2301, 2311, 86, 86, 86, 2308, 86, 86, 2309, 86, + + 86, 2302, 2306, 2313, 2303, 2315, 86, 2314, 86, 2310, + 2305, 2316, 2307, 2317, 86, 2312, 2321, 2318, 2311, 2319, + 2328, 86, 2308, 86, 86, 2309, 2322, 2326, 86, 86, + 2313, 86, 2315, 2320, 2314, 3682, 2310, 2323, 2316, 86, + 2317, 86, 2327, 86, 2318, 2324, 2319, 86, 86, 2329, + 86, 2325, 86, 2322, 2326, 86, 86, 2330, 2332, 86, + 2320, 2331, 86, 2333, 2323, 2335, 2340, 86, 2334, 2327, + 2336, 2337, 2324, 2338, 2339, 86, 2329, 2342, 2325, 86, + 3682, 2341, 86, 86, 2330, 2332, 86, 86, 2331, 2344, + 86, 2345, 86, 2340, 86, 2334, 86, 2336, 2337, 2346, + + 2338, 86, 2343, 2353, 2342, 2347, 86, 2348, 2341, 86, + 2349, 86, 2350, 2351, 3682, 
86, 2344, 86, 2345, 2352, + 86, 86, 86, 2354, 86, 86, 2346, 2364, 86, 2343, + 2353, 2355, 2347, 2363, 2348, 86, 2356, 2349, 2357, 2350, + 2351, 2358, 86, 2362, 2361, 2359, 2352, 86, 86, 2366, + 2354, 86, 2365, 2367, 86, 2369, 86, 3682, 2360, 2368, + 2363, 86, 86, 86, 2374, 2357, 86, 2370, 2358, 2372, + 2362, 2361, 2359, 2371, 2375, 2373, 2366, 86, 86, 2365, + 2367, 86, 2369, 2379, 86, 2360, 2368, 2377, 2378, 86, + 2376, 2374, 86, 2382, 2370, 2384, 2372, 86, 86, 86, + + 2371, 2375, 2373, 86, 2380, 86, 2381, 2386, 86, 2383, + 2379, 2385, 86, 86, 2377, 2378, 86, 2376, 2387, 86, + 86, 2388, 2384, 3682, 86, 86, 2389, 2390, 2391, 2395, + 2392, 2380, 2393, 2381, 86, 2394, 2383, 2398, 2385, 86, + 3682, 86, 86, 86, 2396, 2387, 2397, 2405, 2388, 86, + 86, 86, 86, 2389, 2390, 2391, 2401, 2392, 2399, 2393, + 86, 86, 2394, 2400, 2398, 2403, 86, 2404, 2402, 2410, + 2406, 2396, 2407, 2397, 86, 86, 86, 2408, 86, 2409, + 2411, 2416, 86, 2401, 2412, 2473, 86, 3682, 86, 86, + 86, 2413, 2403, 2418, 2404, 2402, 86, 2406, 3682, 2407, + + 86, 86, 86, 2419, 2408, 2414, 2409, 2411, 86, 86, + 2417, 2412, 2421, 2415, 2422, 2420, 3682, 86, 2413, 86, + 2418, 2423, 2426, 86, 86, 86, 3682, 3682, 2424, 86, + 2419, 2425, 2414, 86, 86, 2430, 2431, 2417, 2428, 2421, + 2415, 2422, 2420, 2429, 86, 2427, 86, 86, 2423, 2426, + 86, 86, 2432, 2433, 86, 2424, 2434, 2436, 2425, 2435, + 2440, 3682, 2430, 2431, 2439, 3682, 2441, 86, 86, 3682, + 86, 86, 2427, 2437, 3682, 86, 3682, 2477, 86, 2432, + 2433, 86, 86, 2434, 2436, 2438, 2435, 86, 2442, 2443, + 2444, 2439, 86, 2441, 2445, 2446, 86, 86, 86, 2447, + + 2437, 86, 2448, 2449, 2450, 2452, 2451, 2454, 86, 86, + 3682, 86, 2438, 86, 2453, 2442, 2443, 2444, 86, 86, + 2464, 2445, 2446, 2458, 86, 86, 2447, 86, 2455, 2448, + 2449, 2450, 2452, 2451, 2454, 2456, 86, 86, 2459, 2460, + 2461, 2453, 86, 2462, 86, 86, 2463, 86, 2457, 86, + 2458, 86, 2466, 2465, 2467, 2455, 86, 3682, 2471, 2469, + 2468, 2470, 2456, 86, 86, 2459, 2460, 2461, 86, 2472, + 2462, 86, 86, 2463, 
2478, 2457, 2479, 86, 2480, 86, + 2465, 2467, 86, 86, 2474, 2471, 2469, 2468, 2470, 170, + 2475, 2481, 2482, 2487, 2486, 2476, 2472, 86, 86, 2483, + + 86, 2488, 2489, 2479, 2491, 2480, 86, 2490, 2492, 3682, + 2494, 2474, 86, 2484, 2496, 2493, 86, 86, 2481, 86, + 86, 2486, 86, 2495, 2485, 86, 2483, 86, 2488, 2489, + 86, 2497, 2498, 2499, 2490, 2492, 86, 86, 3682, 86, + 2484, 86, 2493, 2502, 2505, 86, 86, 2501, 2500, 86, + 2495, 2485, 2504, 2503, 86, 86, 86, 86, 2497, 2498, + 2499, 2508, 2507, 2506, 86, 86, 86, 2511, 86, 2509, + 2502, 2505, 86, 86, 2501, 2500, 2510, 2512, 2515, 2504, + 2503, 86, 2518, 2513, 2514, 2516, 86, 86, 2508, 2507, + 2506, 86, 2517, 2520, 86, 86, 2509, 86, 2523, 2519, + + 86, 86, 2521, 2510, 2512, 2515, 86, 86, 2522, 2518, + 2513, 2514, 2516, 2524, 2525, 86, 86, 86, 2529, 2517, + 2520, 86, 86, 2526, 2532, 86, 2519, 2531, 2527, 2521, + 2528, 86, 86, 86, 86, 2522, 86, 2533, 2530, 86, + 2524, 2525, 2534, 86, 2535, 2529, 86, 3682, 2536, 2538, + 2526, 2532, 2539, 2537, 2531, 2527, 86, 2528, 2541, 2542, + 2540, 3682, 86, 2549, 2533, 2530, 86, 86, 2543, 2544, + 86, 2535, 2548, 2551, 86, 2536, 2538, 86, 3682, 2539, + 2537, 86, 2550, 86, 2546, 86, 2542, 2540, 2545, 2547, + 86, 86, 86, 2552, 2553, 2543, 2544, 86, 86, 2548, + + 86, 2557, 2562, 86, 2554, 86, 86, 86, 2558, 2550, + 2555, 2546, 2559, 2556, 2560, 2545, 2547, 2561, 86, 2563, + 2552, 2553, 3682, 2564, 2569, 2565, 2566, 2570, 86, 86, + 2572, 2554, 86, 86, 86, 2558, 86, 2555, 86, 2559, + 2556, 2560, 2567, 2568, 2561, 86, 86, 86, 2571, 86, + 2564, 86, 2565, 2566, 86, 2573, 86, 86, 86, 2574, + 2575, 2576, 2577, 2578, 86, 2579, 2580, 3682, 2581, 2567, + 2568, 2582, 86, 2583, 2586, 2571, 2587, 3682, 86, 2589, + 3682, 86, 2573, 86, 86, 2593, 86, 2575, 2576, 86, + 86, 2584, 2579, 2580, 86, 2581, 86, 2585, 2582, 2588, + + 86, 2586, 2590, 86, 86, 86, 86, 86, 2591, 86, + 2592, 86, 2593, 2594, 2596, 2597, 3682, 3682, 2584, 2599, + 2598, 2600, 2602, 86, 2585, 2603, 2588, 2604, 2595, 2590, + 86, 86, 86, 86, 
86, 2591, 2609, 2592, 2605, 86, + 2594, 86, 2597, 2601, 86, 2608, 2599, 2598, 2600, 86, + 86, 86, 2606, 2610, 2604, 2595, 86, 86, 2614, 2607, + 2611, 86, 2612, 86, 2613, 2605, 2615, 3682, 86, 2618, + 2601, 86, 2608, 86, 86, 2616, 86, 2617, 86, 2606, + 2610, 2622, 86, 2619, 2624, 86, 2607, 2611, 2620, 2612, + 86, 2613, 86, 2615, 2623, 86, 2618, 2621, 86, 2625, + + 86, 2628, 2616, 2629, 2617, 2630, 3682, 86, 2622, 86, + 2619, 2624, 86, 2631, 2626, 2620, 2627, 2632, 86, 86, + 2633, 2623, 2634, 86, 2621, 2642, 2625, 86, 86, 2636, + 2629, 2638, 2630, 86, 86, 86, 2635, 2637, 86, 2639, + 2631, 2626, 2643, 2627, 2632, 2640, 2644, 2633, 2641, 2634, + 2645, 86, 86, 86, 86, 2646, 2636, 86, 2638, 2647, + 86, 86, 86, 2635, 2637, 2650, 2639, 86, 2648, 2649, + 2651, 86, 2640, 2644, 86, 2641, 2652, 2645, 2657, 86, + 2653, 86, 2654, 86, 2655, 2658, 2647, 86, 2656, 2659, + 86, 86, 2650, 2660, 86, 2648, 2649, 2651, 86, 2664, + + 86, 2661, 86, 2652, 2663, 2657, 86, 2653, 86, 2654, + 2665, 2655, 2662, 3682, 2669, 2656, 86, 86, 2668, 86, + 2660, 86, 86, 3682, 2666, 86, 2664, 2670, 2661, 2675, + 3682, 2663, 2667, 2673, 2677, 3682, 86, 3682, 3682, 2662, + 86, 2669, 86, 2676, 86, 2668, 2671, 2674, 2672, 170, + 86, 2666, 86, 86, 2670, 86, 86, 2678, 86, 2667, + 2673, 2677, 2681, 2682, 2683, 2679, 2680, 2685, 2686, 2688, + 2676, 2687, 86, 2671, 2674, 2672, 86, 86, 86, 2689, + 2690, 2684, 86, 2691, 2678, 2692, 86, 86, 86, 2681, + 2682, 2683, 2679, 2680, 2685, 86, 86, 86, 2687, 2694, + + 2693, 2695, 86, 86, 2696, 2697, 2689, 2690, 2684, 2698, + 2701, 2699, 3682, 2700, 86, 86, 2702, 86, 86, 86, + 86, 2704, 86, 2703, 2706, 2705, 86, 2693, 2695, 86, + 86, 2696, 2697, 2707, 2708, 2709, 2698, 2713, 2699, 86, + 2700, 2710, 86, 2702, 86, 86, 2712, 2711, 2704, 86, + 2703, 86, 2705, 86, 86, 86, 86, 2714, 2715, 86, + 2707, 2708, 2709, 2716, 86, 2717, 2719, 2722, 2710, 86, + 86, 86, 86, 2712, 2711, 2718, 2720, 2723, 2726, 86, + 86, 2721, 86, 2724, 2714, 2715, 2725, 86, 86, 86, + 2716, 2730, 2717, 2719, 
2722, 2729, 2731, 86, 2727, 86, + + 2733, 2732, 2718, 2720, 86, 2726, 86, 2728, 2721, 86, + 2724, 86, 86, 2725, 2734, 86, 86, 86, 2730, 2735, + 2736, 2737, 2729, 86, 3682, 2727, 2739, 2733, 2732, 2738, + 2740, 2743, 2741, 3682, 2728, 2742, 86, 2744, 2747, 86, + 86, 2734, 2745, 86, 86, 86, 2746, 2750, 2737, 2748, + 2752, 86, 86, 2739, 86, 86, 2738, 2740, 2743, 2741, + 2749, 86, 2742, 86, 2744, 2747, 86, 2751, 2753, 2745, + 86, 2754, 2755, 2746, 2757, 86, 2748, 86, 2756, 86, + 2758, 86, 86, 86, 2760, 86, 86, 2749, 2759, 86, + 2761, 86, 2762, 86, 2751, 2753, 86, 2764, 86, 2755, + + 2763, 2757, 86, 2765, 2766, 2756, 2767, 2758, 2768, 3682, + 2769, 2760, 2772, 86, 86, 2759, 2771, 2761, 2770, 2762, + 86, 86, 86, 86, 86, 2773, 2774, 2763, 2776, 2775, + 86, 2777, 2778, 2767, 86, 2768, 86, 2769, 86, 2772, + 2779, 86, 86, 2771, 86, 2770, 2780, 2783, 2781, 86, + 86, 3682, 2773, 2774, 2782, 86, 2775, 86, 2777, 2778, + 2784, 86, 2785, 2786, 3682, 2787, 86, 2779, 2788, 2792, + 86, 2789, 86, 2790, 86, 2781, 2791, 2793, 86, 3682, + 2794, 2782, 86, 86, 86, 2802, 2798, 2784, 2795, 2785, + 2786, 86, 2787, 86, 86, 86, 2792, 2796, 2789, 86, + + 2790, 86, 2797, 2791, 2793, 86, 2801, 2794, 86, 2799, + 86, 2800, 86, 2798, 2803, 2795, 86, 86, 86, 2804, + 2805, 3682, 2806, 2807, 2796, 2808, 3682, 2813, 86, 2797, + 2810, 2809, 2818, 2801, 86, 2811, 2799, 86, 2800, 2812, + 2815, 86, 86, 86, 2814, 2819, 86, 86, 86, 2806, + 2807, 86, 2808, 86, 2813, 86, 86, 2810, 2809, 2818, + 2821, 86, 2811, 2816, 2822, 86, 2812, 2815, 2817, 2820, + 86, 2814, 86, 2823, 86, 2824, 2828, 86, 2825, 2826, + 3682, 2830, 2827, 86, 2832, 2829, 2833, 86, 86, 86, + 2816, 86, 2834, 86, 2831, 2817, 2820, 86, 3682, 86, + + 2823, 86, 86, 2828, 86, 2825, 2826, 86, 2830, 2827, + 2836, 86, 2829, 2833, 2835, 86, 2837, 86, 2839, 86, + 2838, 2831, 2840, 86, 2842, 2841, 2844, 86, 2843, 2847, + 86, 86, 3682, 3682, 2845, 2848, 2846, 2836, 86, 170, + 86, 2835, 2850, 2837, 86, 2839, 86, 2838, 86, 2840, + 86, 2842, 2841, 2844, 86, 
2843, 2847, 2851, 2852, 2853, + 2849, 2845, 2848, 2846, 86, 2854, 86, 2855, 2859, 2850, + 86, 2856, 3682, 2857, 3682, 2858, 2863, 86, 3682, 2862, + 86, 86, 2861, 86, 2851, 2852, 2853, 2849, 2860, 3682, + 86, 86, 86, 2867, 86, 2859, 2864, 86, 2856, 86, + + 2857, 86, 2858, 2863, 86, 86, 2862, 2865, 2869, 2861, + 2866, 86, 86, 2871, 2868, 2860, 2873, 86, 2870, 2872, + 2867, 86, 86, 2864, 2874, 86, 2875, 2877, 86, 2879, + 2878, 2876, 86, 86, 2865, 2869, 2881, 2866, 3682, 3682, + 2871, 2868, 86, 2873, 86, 2870, 2872, 86, 86, 2880, + 2882, 2874, 2883, 86, 2877, 2884, 86, 2878, 2876, 86, + 2885, 86, 2886, 86, 86, 2890, 2887, 86, 2891, 2888, + 2889, 2892, 2893, 86, 86, 86, 2880, 2882, 86, 2883, + 86, 86, 2884, 2894, 2896, 2895, 2897, 2885, 86, 2886, + 86, 2898, 2890, 2887, 86, 2891, 2888, 2889, 86, 86, + + 2899, 2903, 2902, 2905, 2904, 86, 2900, 2901, 2906, 86, + 2894, 2896, 2895, 86, 86, 86, 86, 86, 86, 2907, + 2908, 2910, 2912, 2914, 2916, 86, 86, 86, 2903, 2902, + 2905, 2904, 86, 2900, 2901, 86, 2909, 86, 2911, 2913, + 3682, 2918, 2915, 86, 86, 86, 2907, 2908, 2910, 2912, + 86, 86, 2917, 2919, 2922, 2920, 3682, 3682, 3682, 86, + 86, 86, 2929, 2909, 86, 2911, 2913, 86, 2918, 2915, + 86, 2921, 2924, 2930, 3682, 2933, 86, 2923, 86, 2917, + 2919, 2922, 2920, 2925, 86, 2926, 86, 2928, 2927, 2929, + 86, 2931, 2932, 86, 86, 86, 86, 2934, 2921, 2924, + + 86, 86, 86, 86, 2923, 2935, 2936, 2939, 2937, 2938, + 2925, 2941, 2926, 86, 2928, 2927, 2940, 86, 2931, 2932, + 86, 86, 2946, 2942, 2934, 2951, 2948, 3682, 86, 86, + 2943, 2947, 2935, 2936, 2939, 2937, 2938, 86, 86, 86, + 2944, 2945, 86, 2940, 86, 2950, 86, 86, 86, 86, + 2942, 2949, 86, 2948, 2952, 2953, 3682, 2943, 2947, 2955, + 2959, 2954, 86, 2958, 2956, 2957, 2961, 2944, 2945, 2960, + 86, 86, 2950, 2963, 86, 86, 3682, 86, 2949, 2970, + 86, 2952, 86, 86, 86, 2964, 2955, 86, 2954, 2962, + 2958, 2956, 2957, 2961, 86, 86, 2960, 2965, 2971, 86, + + 86, 2966, 2967, 2968, 2969, 86, 86, 2972, 2973, 3682, + 2974, 86, 2964, 2976, 
2975, 86, 2962, 2977, 3682, 86, + 86, 86, 86, 2978, 2965, 2971, 86, 2980, 2966, 2967, + 2968, 2969, 86, 2981, 2972, 86, 86, 2974, 2979, 86, + 2976, 2975, 86, 2982, 2977, 86, 86, 2983, 2986, 2984, + 2978, 2985, 86, 2987, 2980, 86, 2989, 2988, 2990, 2993, + 2981, 2991, 3682, 86, 86, 2979, 2995, 2992, 86, 86, + 2982, 86, 3682, 2994, 2983, 86, 2984, 2996, 2985, 86, + 86, 86, 86, 2989, 2988, 170, 2993, 2997, 2991, 86, + 2998, 3000, 3001, 2999, 2992, 3002, 3003, 3004, 86, 86, + + 2994, 3005, 86, 3007, 2996, 3008, 3006, 3010, 3011, 86, + 3013, 3682, 3682, 86, 2997, 86, 3009, 2998, 86, 86, + 2999, 86, 3002, 86, 3004, 86, 3012, 86, 86, 86, + 3007, 86, 3008, 86, 3014, 3011, 3015, 3013, 3016, 86, + 3017, 3018, 3019, 3009, 86, 3682, 86, 3020, 86, 3021, + 3022, 3682, 3025, 3012, 3682, 86, 3023, 3024, 3026, 3029, + 3027, 3014, 86, 3015, 86, 3016, 3028, 86, 86, 3019, + 86, 3033, 86, 86, 3020, 3030, 86, 3022, 86, 3025, + 86, 86, 86, 3023, 3024, 3026, 3029, 3027, 86, 86, + 3031, 3032, 3034, 3028, 3035, 3036, 3037, 86, 3033, 3038, + + 3040, 3682, 3030, 3039, 86, 3041, 3042, 86, 86, 86, + 86, 86, 86, 3043, 86, 3044, 86, 3031, 3032, 3034, + 86, 3035, 3036, 3045, 3049, 3046, 3038, 3040, 86, 3047, + 3039, 86, 3041, 3042, 3048, 86, 86, 3050, 3051, 3055, + 86, 3054, 3044, 86, 3056, 3052, 3053, 86, 86, 86, + 3045, 3049, 3046, 86, 3058, 3057, 3047, 86, 86, 3059, + 86, 3048, 86, 3062, 3050, 86, 3055, 3060, 3054, 3061, + 3063, 86, 3052, 3053, 3064, 86, 3066, 3065, 86, 86, + 3069, 3067, 3057, 3070, 3074, 3682, 86, 3682, 3068, 3682, + 3071, 86, 3073, 86, 3060, 86, 3061, 86, 86, 86, + + 3072, 3064, 86, 3066, 3065, 86, 3075, 86, 3067, 86, + 3070, 86, 86, 86, 3076, 3068, 3077, 3071, 86, 3073, + 3078, 3079, 3080, 3081, 3682, 86, 3083, 3072, 3084, 3082, + 3085, 3088, 3086, 3075, 3682, 3091, 3089, 86, 3682, 3094, + 86, 3076, 86, 3077, 86, 3087, 86, 86, 86, 86, + 3081, 86, 3090, 3083, 86, 86, 3082, 3085, 3092, 3086, + 86, 3093, 3091, 86, 3095, 86, 86, 86, 3096, 3097, + 3098, 3100, 3087, 3101, 3102, 
3099, 3103, 3682, 3104, 3090, + 3105, 86, 86, 3107, 86, 3092, 3111, 86, 3093, 86, + 3682, 86, 3112, 86, 3106, 86, 3097, 3098, 86, 3108, + + 3101, 3102, 3099, 86, 86, 3104, 86, 86, 3109, 3110, + 86, 3113, 3114, 86, 3122, 3115, 3208, 86, 86, 86, + 3116, 3106, 86, 3118, 3119, 3117, 3108, 86, 3121, 3125, + 3124, 86, 3120, 3682, 86, 3109, 3110, 86, 3113, 86, + 3126, 3123, 3115, 86, 86, 3127, 86, 3128, 86, 86, + 3118, 3119, 86, 86, 3130, 3121, 86, 3124, 3129, 3120, + 86, 3131, 86, 3137, 86, 3132, 3133, 3126, 3123, 3134, + 3135, 86, 3127, 3136, 3128, 86, 86, 3138, 86, 86, + 86, 3130, 3139, 3682, 3144, 3129, 3140, 86, 3131, 3142, + 3137, 86, 3132, 3133, 3141, 86, 3134, 3135, 3143, 3150, + + 3136, 3151, 86, 86, 86, 3152, 86, 3145, 3153, 3139, + 86, 3144, 3146, 3140, 3147, 3149, 3142, 3154, 3156, 3148, + 3682, 3141, 3155, 86, 3682, 3143, 86, 86, 3151, 86, + 3157, 86, 3152, 3158, 86, 3153, 3159, 86, 3160, 86, + 86, 3164, 3149, 86, 3154, 3156, 86, 3161, 86, 3155, + 3162, 86, 86, 3163, 3165, 3166, 3168, 3157, 86, 86, + 3158, 86, 86, 3159, 3167, 3160, 3169, 3682, 3164, 86, + 3170, 86, 3171, 3172, 3161, 86, 3175, 3162, 3174, 3682, + 3163, 3165, 3166, 86, 86, 3173, 3177, 86, 3176, 3178, + 3179, 3167, 3180, 86, 86, 3182, 3181, 3170, 3682, 3171, + + 86, 3186, 3183, 86, 3187, 3174, 86, 3184, 86, 3185, + 86, 86, 3173, 86, 86, 3176, 3178, 86, 86, 3180, + 86, 3188, 86, 3181, 3189, 86, 3192, 3190, 86, 3183, + 3191, 86, 3193, 3196, 3184, 86, 3185, 3197, 86, 86, + 3194, 3199, 86, 3198, 86, 3195, 86, 86, 3188, 3200, + 3202, 3189, 3201, 3192, 3190, 86, 3203, 3191, 3205, 3193, + 3196, 3206, 3207, 86, 3197, 86, 86, 86, 3199, 86, + 3198, 3204, 86, 86, 3211, 3209, 86, 86, 3214, 3201, + 86, 3212, 3210, 3203, 86, 3205, 3213, 3682, 86, 3207, + 86, 3215, 3217, 86, 3216, 3218, 86, 3219, 3204, 86, + + 86, 3211, 3209, 3223, 3221, 3233, 86, 3220, 3212, 3210, + 86, 3226, 3227, 3213, 86, 3222, 86, 86, 3215, 3217, + 3228, 3216, 3218, 86, 3219, 86, 86, 3229, 3231, 86, + 3223, 3221, 3224, 3230, 3220, 3225, 
86, 86, 86, 86, + 86, 3232, 3222, 3234, 3235, 86, 3236, 86, 3237, 3238, + 3239, 3242, 3240, 3682, 3229, 3231, 86, 86, 86, 3224, + 3230, 3244, 3225, 86, 86, 86, 86, 3245, 3232, 3241, + 3234, 3235, 3248, 86, 86, 3237, 3238, 3239, 86, 3240, + 3243, 3246, 86, 86, 3247, 3249, 3253, 3682, 86, 3250, + 86, 3254, 3251, 86, 3245, 3252, 3241, 3257, 86, 3248, + + 3255, 86, 86, 86, 86, 86, 86, 3243, 3246, 3256, + 3258, 3247, 3249, 86, 86, 3259, 3250, 3260, 3254, 3251, + 86, 3261, 3252, 86, 3257, 86, 86, 3255, 86, 3262, + 3266, 3263, 3682, 3264, 3265, 3268, 3256, 3258, 86, 86, + 86, 3269, 3259, 3274, 3260, 3267, 86, 3270, 3261, 3271, + 3273, 86, 86, 3275, 3272, 86, 3262, 3266, 3263, 86, + 3264, 3265, 86, 86, 86, 3276, 3277, 3278, 86, 3280, + 3274, 86, 3267, 3279, 3270, 3281, 3282, 3273, 86, 3283, + 86, 86, 3284, 3285, 86, 3286, 86, 3288, 3293, 86, + 3682, 86, 3276, 86, 3278, 3287, 3280, 3289, 86, 86, + + 3279, 86, 3281, 3282, 3290, 86, 86, 3291, 3292, 3284, + 3285, 3294, 3295, 3296, 86, 86, 86, 86, 3682, 86, + 86, 3298, 3287, 3300, 3289, 3297, 86, 3299, 86, 3301, + 86, 3290, 3302, 3303, 3291, 3292, 3304, 3306, 3309, 3295, + 86, 3313, 3682, 86, 86, 86, 3311, 86, 3298, 3307, + 86, 3308, 3297, 86, 3299, 3305, 86, 3310, 86, 3302, + 3303, 86, 3312, 86, 3306, 86, 3315, 86, 86, 86, + 86, 3314, 3316, 3311, 3317, 3320, 3307, 3318, 3308, 3319, + 3682, 3321, 3305, 86, 3310, 3322, 86, 3323, 3324, 3312, + 86, 3325, 86, 3315, 3326, 3327, 86, 86, 3314, 3316, + + 86, 3317, 3328, 3329, 3318, 3332, 3319, 86, 86, 86, + 86, 3333, 3322, 86, 3337, 3324, 3334, 86, 3325, 86, + 3336, 86, 3327, 3330, 3331, 86, 86, 3340, 3335, 3328, + 86, 3338, 86, 86, 86, 86, 3341, 3339, 3333, 86, + 3342, 86, 3343, 3334, 3344, 86, 3345, 3336, 86, 3347, + 3330, 3331, 3346, 3348, 3340, 3335, 3349, 3350, 3338, 86, + 3353, 3351, 3355, 86, 3339, 3682, 86, 86, 3354, 86, + 3356, 3344, 3357, 3345, 86, 86, 86, 3352, 86, 3346, + 86, 86, 3358, 86, 86, 3359, 3360, 3365, 3351, 86, + 86, 86, 86, 86, 3362, 3354, 3361, 3356, 3363, 86, + 
+ 3364, 86, 86, 86, 3352, 3366, 86, 3367, 3371, 86, + 3369, 3368, 3359, 3360, 86, 86, 3372, 86, 3370, 3373, + 3374, 3362, 3375, 3361, 86, 3363, 86, 3364, 86, 86, + 3380, 3376, 3366, 3377, 3367, 86, 86, 3369, 3368, 86, + 3378, 3379, 3381, 86, 3382, 3370, 3373, 86, 3383, 3375, + 3384, 3386, 86, 3387, 3388, 86, 3389, 86, 3376, 3385, + 3377, 86, 86, 3390, 3682, 3391, 86, 3378, 3379, 86, + 86, 3382, 86, 3393, 86, 3383, 86, 3392, 3386, 86, + 86, 3388, 86, 3389, 86, 86, 3385, 3394, 3395, 3396, + 3390, 3397, 3391, 3408, 3398, 86, 3399, 3400, 3682, 86, + + 3393, 86, 86, 86, 3392, 3405, 86, 3404, 86, 86, + 3682, 3401, 3682, 86, 3394, 3395, 3396, 3406, 3397, 3402, + 3403, 3398, 86, 3399, 3400, 86, 3407, 86, 3409, 86, + 3410, 3412, 3405, 86, 3404, 3411, 3413, 86, 3401, 86, + 3414, 3415, 3416, 3417, 3406, 86, 3402, 3403, 3418, 3419, + 86, 3421, 3426, 3407, 3420, 3409, 86, 3410, 3412, 86, + 3422, 3423, 3411, 86, 86, 86, 86, 86, 3415, 86, + 3417, 3424, 3425, 3427, 3428, 3418, 86, 3430, 86, 86, + 3429, 3420, 3432, 3431, 3433, 3434, 3682, 3435, 3436, 86, + 3437, 3439, 3682, 86, 3438, 86, 3440, 86, 86, 86, + + 86, 86, 86, 86, 3430, 86, 3442, 3429, 86, 86, + 3431, 3433, 3434, 86, 3435, 3436, 86, 3437, 86, 3441, + 3443, 3438, 3444, 3440, 3445, 3446, 86, 3447, 3448, 3449, + 3450, 3682, 3451, 3442, 3452, 3453, 86, 86, 3455, 3458, + 86, 3454, 86, 3460, 3459, 86, 3441, 3443, 86, 3444, + 86, 3445, 3446, 86, 3447, 3448, 86, 3450, 86, 3451, + 86, 86, 86, 3456, 3462, 3455, 3457, 3461, 3454, 86, + 3464, 86, 3463, 3465, 3466, 86, 86, 3467, 86, 3468, + 3470, 86, 86, 3471, 3682, 3469, 3472, 3473, 3474, 3475, + 3456, 3462, 86, 3457, 3461, 86, 3477, 3464, 86, 3463, + + 3465, 3466, 3476, 3478, 86, 86, 86, 86, 3479, 86, + 86, 86, 3469, 3472, 3473, 86, 86, 3480, 3481, 3482, + 86, 3483, 3484, 3477, 3485, 3486, 86, 3488, 3489, 3476, + 86, 3493, 3487, 3492, 3494, 86, 3496, 3682, 3490, 3495, + 86, 3497, 3491, 86, 86, 86, 86, 86, 86, 86, + 86, 86, 3486, 86, 86, 86, 86, 86, 3493, 3487, + 3492, 86, 3498, 86, 
3499, 3490, 3495, 3500, 3497, 3491, + 3501, 3502, 3503, 3504, 3510, 3511, 86, 3505, 3508, 86, + 3506, 86, 86, 86, 3507, 3509, 3512, 86, 86, 3498, + 3682, 3499, 3682, 86, 3500, 3513, 3682, 86, 3502, 86, + + 3504, 86, 3511, 86, 3505, 3508, 86, 3506, 86, 86, + 86, 3507, 3509, 3512, 3514, 3515, 3516, 3517, 3519, 3520, + 86, 3521, 3513, 86, 3518, 3524, 86, 3522, 86, 3523, + 86, 3525, 3526, 3527, 3528, 86, 3529, 86, 3682, 86, + 86, 3514, 3515, 3516, 3517, 3519, 3520, 86, 3521, 86, + 3530, 3518, 3524, 86, 3522, 3531, 3523, 3532, 86, 86, + 86, 86, 3533, 3529, 86, 3534, 3536, 3535, 86, 86, + 3537, 3682, 3539, 3538, 3545, 86, 3540, 3530, 86, 3541, + 3543, 3682, 3531, 86, 3532, 86, 86, 86, 86, 3533, + 86, 86, 3534, 3536, 3535, 86, 3542, 3537, 86, 3539, + + 3538, 3545, 3544, 3540, 86, 86, 3541, 3543, 3546, 3547, + 3548, 3549, 3550, 3551, 3552, 3553, 3682, 86, 3555, 3557, + 3682, 86, 86, 3542, 86, 3554, 86, 3559, 3561, 3544, + 3558, 86, 86, 3560, 86, 3546, 3547, 3548, 3549, 3550, + 3551, 86, 3553, 3556, 3562, 3555, 86, 86, 86, 3564, + 86, 3565, 3554, 3563, 86, 86, 86, 3558, 3682, 86, + 3560, 86, 3566, 3567, 3568, 3569, 86, 3570, 3571, 3682, + 3556, 86, 3682, 3572, 3573, 86, 3564, 86, 3565, 3574, + 3563, 86, 3576, 3577, 86, 86, 3575, 3578, 86, 3566, + 3567, 3568, 3569, 86, 3580, 3571, 86, 3581, 3583, 86, + + 3572, 3573, 86, 3579, 3582, 3584, 86, 86, 3585, 86, + 86, 3587, 3682, 3575, 86, 86, 86, 3586, 3588, 86, + 3589, 3580, 3594, 3682, 86, 3583, 3590, 3591, 3682, 3592, + 3579, 3582, 86, 3593, 86, 3585, 86, 86, 3587, 86, + 3595, 86, 3596, 3599, 3586, 3682, 3598, 3682, 86, 86, + 86, 3597, 86, 3590, 3591, 86, 3592, 3600, 86, 86, + 3593, 3601, 3603, 3602, 86, 3604, 86, 86, 3608, 3596, + 3599, 86, 3605, 3598, 3606, 3607, 86, 3611, 3597, 86, + 86, 3612, 3610, 86, 3600, 86, 3609, 3614, 3601, 3603, + 3602, 86, 3604, 86, 3613, 86, 86, 86, 3615, 3605, + + 3616, 3606, 3607, 3619, 3611, 3620, 3617, 3618, 86, 3610, + 3682, 86, 3621, 3609, 3622, 3623, 86, 3624, 3625, 86, + 3629, 3613, 86, 
3626, 86, 3615, 86, 3616, 86, 86, + 3619, 3632, 3633, 3617, 3618, 3631, 86, 86, 3627, 86, + 86, 3622, 86, 86, 3624, 3625, 86, 3628, 3630, 86, + 3626, 3634, 86, 3637, 3635, 86, 86, 86, 3632, 86, + 3636, 86, 3631, 3638, 3641, 3627, 3640, 3643, 86, 86, + 3639, 86, 3682, 3648, 3628, 3630, 3644, 3651, 3634, 3646, + 3637, 3635, 86, 3647, 86, 3642, 86, 3636, 3645, 3682, + 3638, 3641, 86, 3640, 3643, 86, 86, 3639, 3649, 86, + + 3648, 3652, 86, 3644, 86, 86, 3646, 3653, 3650, 86, + 3647, 3654, 3642, 3655, 3657, 3645, 86, 3656, 86, 3659, + 3658, 3660, 86, 86, 3682, 3649, 3682, 86, 3652, 3662, + 3663, 3661, 86, 86, 3653, 3650, 3667, 86, 86, 86, + 3655, 3657, 86, 3666, 3656, 3664, 3659, 3658, 86, 3670, + 3671, 86, 86, 86, 3665, 3673, 3662, 3663, 3661, 3668, + 3669, 3674, 86, 86, 3672, 3675, 3682, 86, 86, 86, + 3666, 3676, 3664, 3677, 3680, 86, 3670, 86, 3681, 3682, + 3682, 3665, 86, 3682, 86, 86, 3668, 3669, 86, 3678, + 3682, 3672, 3675, 86, 3679, 86, 3682, 86, 3676, 3682, + + 3677, 86, 86, 3682, 3682, 86, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3678, 3682, 3682, 3682, + 3682, 3679, 47, 47, 47, 47, 47, 47, 47, 52, + 52, 52, 52, 52, 52, 52, 57, 57, 57, 57, + 57, 57, 57, 63, 63, 63, 63, 63, 63, 63, + 68, 68, 68, 68, 68, 68, 68, 74, 74, 74, + 74, 74, 74, 74, 80, 80, 80, 80, 80, 80, + 80, 89, 89, 3682, 89, 89, 89, 89, 160, 160, + 3682, 3682, 3682, 160, 160, 162, 162, 3682, 3682, 162, + 3682, 162, 164, 3682, 3682, 3682, 3682, 3682, 164, 167, + + 167, 3682, 3682, 3682, 167, 167, 169, 3682, 3682, 3682, + 3682, 3682, 169, 171, 171, 3682, 171, 171, 171, 171, + 174, 3682, 3682, 3682, 3682, 3682, 174, 177, 177, 3682, + 3682, 3682, 177, 177, 90, 90, 3682, 90, 90, 90, + 90, 17, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 
+ 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682 } ; -static const flex_int16_t yy_chk10028 = +static const flex_int16_t yy_chk10609 = { 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, @@ -2693,15 +2821,15 @@ 7, 7, 7, 33, 7, 8, 8, 8, 8, 32, 8, 9, 9, 9, 10, 10, 10, 19, 51, 51, - 1115, 19, 3491, 3, 32, 33, 4, 67, 67, 5, - 33, 6, 2838, 13, 13, 13, 13, 7, 13, 14, + 1150, 19, 3690, 3, 32, 33, 4, 67, 67, 5, + 33, 6, 2990, 13, 13, 13, 13, 7, 13, 14, 14, 14, 14, 8, 14, 15, 15, 15, 9, 25, - 1115, 10, 11, 11, 11, 11, 11, 11, 12, 12, + 1150, 10, 11, 11, 11, 11, 11, 11, 12, 12, 12, 12, 12, 12, 16, 16, 16, 34, 28, 84, - 84, 13, 11, 45, 293, 25, 25, 14, 12, 34, - 39, 23, 15, 23, 23, 45, 23, 1127, 28, 177, + 84, 13, 11, 45, 295, 25, 25, 14, 12, 34, + 39, 23, 15, 23, 23, 45, 23, 1162, 28, 177, 11, 28, 23, 39, 34, 28, 12, 176, 87, 11, - 45, 16, 87, 293, 37, 12, 30, 39, 29, 56, + 45, 16, 87, 295, 37, 12, 30, 39, 29, 56, 37, 174, 56, 72, 30, 28, 26, 169, 100, 23, 24, 24, 29, 26, 24, 30, 72, 26, 99, 24, 
@@ -2719,1072 +2847,1136 @@ 42, 35, 75, 93, 36, 36, 42, 35, 92, 36, 74, 35, 44, 44, 43, 42, 42, 44, 42, 168, 168, 44, 68, 36, 43, 36, 38, 42, 43, 43, - 38, 95, 92, 42, 38, 92, 219, 43, 63, 111, + 38, 95, 92, 42, 38, 92, 220, 43, 63, 111, 38, 43, 73, 38, 73, 73, 95, 73, 111, 97, 38, 43, 38, 38, 104, 43, 43, 38, 95, 104, - 79, 38, 79, 79, 58, 79, 111, 38, 219, 86, - 38, 86, 86, 97, 86, 222, 97, 38, 40, 963, + 79, 38, 79, 79, 58, 79, 111, 38, 220, 86, + 38, 86, 86, 97, 86, 223, 97, 38, 40, 991, 86, 104, 40, 89, 96, 89, 89, 112, 89, 98, 57, 96, 40, 40, 89, 40, 112, 103, 103, 106, - 105, 52, 98, 47, 40, 40, 103, 222, 105, 40, - 963, 96, 18, 98, 112, 137, 98, 106, 17, 40, + 105, 52, 98, 47, 40, 40, 103, 223, 105, 40, + 991, 96, 151, 98, 112, 225, 98, 106, 151, 40, 40, 89, 40, 41, 103, 103, 41, 105, 102, 98, - 107, 106, 109, 41, 102, 108, 102, 41, 41, 109, - 224, 137, 137, 107, 106, 41, 113, 0, 108, 102, - 41, 114, 0, 41, 115, 102, 118, 107, 114, 109, - 41, 102, 108, 102, 41, 41, 110, 110, 117, 113, - 116, 117, 224, 113, 110, 126, 115, 0, 114, 119, - 118, 115, 110, 116, 117, 117, 0, 119, 118, 126, - - 123, 0, 117, 110, 110, 117, 120, 116, 117, 124, - 121, 110, 126, 123, 121, 122, 119, 118, 125, 127, - 122, 117, 117, 122, 130, 128, 120, 123, 120, 146, - 121, 130, 124, 120, 121, 129, 124, 121, 125, 127, - 131, 121, 122, 128, 146, 125, 127, 122, 133, 129, - 132, 130, 128, 120, 135, 134, 146, 121, 135, 132, - 0, 136, 129, 131, 134, 138, 140, 131, 136, 141, - 141, 133, 138, 0, 139, 133, 135, 132, 140, 142, - 143, 135, 134, 139, 144, 135, 0, 142, 136, 139, - 0, 143, 138, 140, 148, 143, 141, 139, 144, 0, - - 147, 139, 149, 151, 143, 148, 142, 143, 152, 151, - 139, 144, 155, 149, 148, 150, 139, 147, 143, 152, - 147, 148, 143, 150, 153, 154, 147, 147, 156, 149, - 151, 158, 148, 153, 155, 152, 182, 157, 173, 155, - 154, 159, 150, 156, 147, 153, 157, 147, 182, 153, - 0, 153, 154, 158, 159, 156, 178, 178, 158, 0, - 153, 0, 173, 182, 157, 173, 0, 179, 159, 0, - 0, 165, 153, 165, 165, 
170, 165, 170, 170, 171, - 170, 171, 171, 175, 171, 175, 175, 180, 175, 179, - 0, 181, 0, 184, 179, 183, 185, 186, 187, 188, - - 181, 180, 183, 0, 189, 186, 227, 0, 0, 184, - 187, 189, 190, 193, 183, 185, 194, 171, 181, 180, - 184, 188, 183, 185, 186, 187, 188, 191, 180, 183, - 190, 189, 229, 191, 192, 193, 192, 196, 227, 190, - 193, 196, 194, 194, 198, 200, 0, 199, 203, 0, - 204, 201, 205, 200, 202, 210, 206, 204, 196, 191, - 191, 192, 199, 203, 229, 196, 207, 210, 196, 0, - 198, 198, 200, 201, 199, 203, 202, 204, 201, 206, - 205, 202, 210, 206, 205, 196, 197, 208, 207, 213, - 212, 197, 209, 207, 217, 256, 197, 211, 208, 212, - - 211, 217, 197, 197, 214, 209, 216, 205, 0, 197, - 0, 213, 211, 197, 208, 220, 213, 212, 197, 209, - 256, 217, 256, 197, 211, 218, 214, 211, 216, 197, - 197, 214, 215, 216, 221, 215, 218, 215, 226, 225, - 223, 220, 220, 231, 226, 221, 228, 223, 0, 215, - 233, 215, 218, 225, 230, 0, 0, 0, 215, 215, - 234, 0, 215, 232, 215, 226, 221, 223, 228, 239, - 235, 225, 221, 228, 234, 231, 215, 230, 215, 236, - 225, 230, 233, 232, 237, 238, 236, 234, 239, 240, - 232, 235, 241, 244, 238, 242, 239, 235, 243, 238, - - 245, 251, 247, 240, 244, 237, 236, 245, 248, 249, - 243, 237, 238, 242, 241, 253, 240, 248, 246, 241, - 244, 238, 242, 246, 247, 243, 250, 245, 259, 247, - 255, 250, 249, 251, 254, 248, 249, 252, 252, 258, - 257, 254, 260, 261, 262, 264, 252, 253, 257, 0, - 246, 261, 255, 250, 263, 267, 265, 255, 264, 258, - 259, 254, 266, 268, 252, 252, 258, 257, 0, 263, - 261, 269, 264, 270, 260, 271, 262, 270, 267, 272, - 274, 263, 265, 265, 273, 0, 275, 267, 269, 266, - 276, 278, 273, 275, 272, 268, 269, 271, 269, 274, - - 270, 279, 271, 280, 277, 267, 272, 274, 277, 282, - 281, 273, 276, 275, 0, 269, 283, 276, 285, 287, - 289, 284, 286, 278, 288, 280, 288, 285, 283, 290, - 280, 277, 281, 279, 284, 286, 291, 281, 287, 292, - 0, 282, 295, 283, 296, 285, 287, 297, 284, 286, - 294, 288, 289, 290, 299, 298, 290, 300, 297, 294, - 303, 291, 304, 291, 305, 
292, 292, 298, 295, 295, - 296, 296, 301, 302, 297, 304, 306, 294, 299, 307, - 300, 299, 298, 309, 300, 308, 311, 313, 0, 304, - 301, 302, 303, 310, 313, 312, 305, 314, 315, 301, - - 302, 306, 308, 306, 315, 317, 314, 316, 308, 309, - 309, 307, 308, 318, 313, 310, 320, 319, 311, 312, - 310, 316, 321, 326, 314, 315, 319, 312, 323, 308, - 321, 317, 317, 322, 316, 325, 324, 318, 326, 320, - 318, 327, 322, 320, 319, 324, 312, 328, 0, 321, - 326, 329, 325, 0, 323, 323, 0, 331, 332, 325, - 322, 0, 325, 324, 0, 333, 329, 332, 336, 335, - 340, 328, 0, 327, 328, 331, 339, 0, 329, 325, - 330, 339, 336, 330, 331, 332, 337, 333, 330, 330, - 330, 330, 333, 335, 340, 336, 335, 340, 330, 338, - - 338, 337, 341, 0, 334, 0, 334, 330, 339, 347, - 330, 342, 345, 337, 342, 330, 330, 330, 330, 334, - 343, 342, 334, 348, 338, 346, 338, 338, 334, 341, - 345, 334, 343, 334, 344, 344, 347, 349, 342, 345, - 350, 342, 351, 346, 344, 348, 334, 343, 352, 334, - 348, 354, 346, 353, 351, 0, 357, 361, 355, 354, - 356, 344, 344, 349, 349, 355, 350, 350, 353, 351, - 352, 358, 356, 358, 360, 352, 362, 363, 354, 361, - 353, 360, 358, 364, 361, 355, 370, 356, 357, 364, - 365, 0, 365, 366, 368, 0, 369, 358, 358, 363, - - 358, 360, 0, 371, 363, 364, 366, 393, 362, 358, - 364, 367, 368, 404, 365, 372, 364, 365, 370, 365, - 366, 368, 369, 369, 367, 375, 376, 367, 377, 367, - 371, 378, 375, 379, 382, 367, 386, 372, 367, 393, - 377, 386, 372, 378, 376, 404, 379, 382, 381, 385, - 376, 367, 375, 376, 367, 377, 367, 373, 378, 373, - 379, 382, 389, 0, 381, 373, 384, 385, 386, 373, - 389, 376, 381, 388, 373, 381, 385, 373, 384, 388, - 0, 387, 390, 373, 373, 391, 373, 392, 387, 389, - 409, 381, 373, 384, 390, 392, 373, 394, 394, 395, - - 388, 373, 387, 391, 373, 374, 395, 374, 387, 390, - 397, 399, 391, 444, 392, 387, 396, 398, 399, 397, - 374, 400, 409, 374, 394, 374, 395, 374, 400, 396, - 0, 374, 374, 401, 374, 398, 402, 403, 399, 398, - 444, 0, 397, 396, 398, 401, 397, 374, 400, 403, - 374, 405, 374, 0, 374, 
383, 383, 408, 402, 430, - 401, 407, 398, 402, 403, 383, 383, 383, 383, 383, - 408, 410, 383, 410, 406, 411, 407, 405, 405, 0, - 383, 406, 383, 383, 408, 412, 411, 0, 407, 413, - 413, 430, 383, 383, 383, 383, 383, 414, 410, 383, - - 415, 406, 411, 416, 414, 420, 417, 412, 421, 418, - 424, 415, 412, 422, 416, 425, 0, 423, 413, 417, - 419, 419, 424, 421, 414, 423, 425, 415, 420, 435, - 416, 421, 420, 417, 418, 421, 418, 424, 419, 422, - 422, 427, 425, 426, 423, 419, 431, 419, 419, 432, - 421, 437, 426, 0, 427, 428, 428, 433, 438, 434, - 436, 435, 0, 558, 431, 419, 436, 428, 427, 428, - 426, 432, 437, 431, 428, 439, 432, 434, 437, 0, - 433, 438, 428, 428, 433, 438, 434, 436, 441, 440, - 558, 442, 0, 443, 428, 441, 428, 429, 446, 439, - - 445, 0, 439, 447, 0, 429, 429, 443, 449, 429, - 429, 440, 446, 429, 448, 441, 440, 442, 442, 429, - 443, 452, 445, 453, 429, 446, 450, 445, 451, 447, - 447, 449, 429, 429, 451, 449, 429, 429, 450, 454, - 429, 455, 456, 452, 458, 453, 448, 454, 452, 456, - 453, 457, 459, 450, 461, 451, 455, 462, 460, 458, - 457, 463, 0, 466, 464, 454, 454, 465, 455, 456, - 467, 458, 462, 465, 454, 467, 459, 461, 457, 459, - 460, 461, 469, 472, 462, 460, 464, 463, 463, 466, - 466, 464, 471, 473, 465, 474, 475, 467, 471, 476, - - 477, 474, 472, 479, 480, 479, 476, 481, 469, 469, - 472, 473, 479, 480, 481, 477, 482, 483, 475, 471, - 473, 484, 474, 475, 485, 486, 476, 477, 487, 482, - 479, 480, 479, 489, 481, 488, 492, 490, 488, 484, - 495, 487, 494, 482, 493, 0, 491, 486, 484, 483, - 490, 493, 486, 497, 488, 487, 485, 489, 491, 500, - 489, 496, 488, 495, 490, 488, 494, 501, 492, 494, - 503, 493, 495, 491, 496, 497, 498, 499, 0, 502, - 497, 498, 500, 499, 504, 505, 500, 506, 496, 501, - 495, 502, 503, 505, 501, 504, 510, 503, 509, 513, - - 0, 506, 510, 498, 499, 509, 502, 513, 512, 511, - 514, 504, 505, 0, 506, 507, 515, 0, 0, 0, - 507, 511, 507, 510, 519, 509, 513, 515, 507, 516, - 507, 512, 514, 507, 507, 512, 511, 514, 518, 0, - 507, 507, 507, 515, 517, 
521, 519, 507, 517, 507, - 518, 519, 516, 0, 525, 507, 516, 507, 522, 520, - 507, 507, 520, 521, 523, 518, 517, 507, 522, 524, - 520, 517, 521, 526, 0, 517, 523, 526, 525, 528, - 524, 525, 529, 0, 529, 527, 520, 530, 532, 520, - 522, 523, 527, 534, 535, 522, 524, 0, 531, 533, - - 526, 537, 535, 532, 546, 528, 528, 0, 541, 529, - 531, 533, 527, 530, 530, 532, 538, 536, 540, 534, - 534, 535, 536, 537, 539, 531, 533, 544, 537, 541, - 540, 543, 539, 545, 538, 541, 546, 547, 549, 552, - 553, 548, 550, 538, 536, 540, 549, 551, 552, 543, - 544, 539, 547, 548, 544, 550, 545, 554, 543, 551, - 545, 555, 557, 553, 547, 549, 552, 553, 548, 550, - 556, 554, 559, 556, 551, 560, 561, 0, 562, 563, - 565, 557, 564, 0, 554, 569, 555, 567, 555, 557, - 560, 566, 565, 562, 570, 564, 569, 556, 572, 570, - - 573, 574, 560, 563, 559, 562, 563, 565, 561, 564, - 568, 567, 569, 566, 567, 571, 575, 568, 566, 576, - 568, 577, 584, 582, 580, 572, 570, 573, 568, 571, - 578, 581, 579, 574, 586, 578, 585, 568, 579, 580, - 583, 584, 571, 575, 568, 582, 576, 568, 583, 584, - 582, 580, 589, 577, 590, 581, 586, 588, 581, 579, - 585, 586, 578, 585, 587, 588, 591, 583, 587, 592, - 595, 593, 594, 591, 596, 589, 597, 0, 601, 589, - 593, 598, 599, 595, 588, 603, 590, 598, 597, 601, - 0, 587, 592, 591, 594, 608, 592, 595, 593, 594, - - 596, 596, 600, 597, 599, 601, 602, 0, 598, 599, - 600, 605, 604, 602, 611, 0, 607, 603, 606, 609, - 610, 608, 608, 606, 605, 607, 606, 606, 609, 600, - 612, 610, 614, 602, 604, 613, 611, 616, 605, 604, - 617, 611, 606, 607, 614, 606, 609, 610, 613, 618, - 606, 0, 612, 606, 606, 619, 0, 612, 617, 614, - 621, 620, 613, 622, 623, 624, 625, 617, 629, 616, - 0, 0, 0, 618, 624, 623, 618, 619, 619, 627, - 626, 630, 619, 620, 621, 622, 625, 621, 620, 628, - 622, 623, 624, 625, 626, 629, 628, 631, 635, 630, - - 633, 627, 634, 632, 619, 631, 627, 626, 630, 632, - 636, 633, 637, 635, 638, 0, 628, 639, 639, 646, - 634, 640, 641, 642, 631, 635, 0, 633, 645, 634, - 632, 644, 642, 637, 643, 
647, 645, 648, 638, 637, - 649, 638, 636, 651, 641, 640, 639, 643, 640, 641, - 642, 646, 650, 644, 650, 645, 0, 647, 644, 653, - 654, 643, 647, 652, 649, 651, 655, 649, 652, 648, - 651, 656, 658, 653, 654, 657, 0, 660, 659, 650, - 655, 655, 664, 657, 660, 661, 653, 654, 655, 662, - 658, 663, 667, 655, 0, 652, 668, 667, 665, 658, - - 659, 670, 657, 656, 660, 659, 663, 655, 655, 662, - 666, 661, 661, 665, 664, 663, 662, 669, 663, 669, - 666, 671, 668, 668, 667, 665, 670, 672, 670, 671, - 673, 674, 666, 663, 675, 677, 678, 666, 676, 673, - 674, 0, 677, 675, 669, 0, 676, 666, 671, 679, - 0, 680, 672, 687, 672, 681, 688, 673, 674, 682, - 685, 675, 677, 688, 683, 676, 684, 681, 678, 680, - 0, 682, 679, 683, 684, 685, 679, 686, 680, 689, - 690, 0, 681, 688, 692, 687, 682, 685, 691, 686, - 692, 683, 689, 684, 693, 690, 691, 694, 696, 695, - - 0, 697, 693, 701, 686, 702, 689, 690, 695, 696, - 697, 692, 700, 698, 698, 691, 701, 706, 0, 699, - 694, 693, 698, 704, 694, 696, 695, 699, 697, 703, - 701, 702, 702, 706, 700, 705, 704, 708, 707, 700, - 698, 698, 709, 705, 706, 713, 699, 710, 712, 711, - 704, 707, 703, 709, 0, 710, 703, 714, 715, 708, - 716, 715, 705, 711, 708, 707, 717, 713, 712, 709, - 718, 719, 713, 721, 710, 712, 711, 714, 720, 718, - 723, 722, 716, 724, 714, 715, 721, 716, 717, 725, - 726, 719, 0, 717, 729, 723, 720, 718, 719, 722, - - 721, 727, 733, 732, 740, 720, 728, 723, 722, 732, - 730, 725, 729, 731, 726, 724, 725, 726, 735, 728, - 736, 729, 730, 734, 727, 737, 731, 739, 727, 733, - 732, 734, 741, 728, 742, 739, 740, 730, 743, 741, - 731, 746, 736, 737, 744, 735, 744, 736, 747, 734, - 734, 745, 737, 743, 739, 749, 748, 742, 734, 741, - 745, 742, 751, 0, 749, 743, 750, 747, 750, 751, - 0, 744, 754, 746, 0, 747, 748, 0, 745, 0, - 757, 761, 749, 748, 754, 0, 0, 0, 760, 751, - 757, 764, 0, 750, 752, 763, 0, 752, 772, 754, - - 0, 752, 761, 766, 752, 772, 760, 757, 761, 764, - 767, 752, 752, 769, 752, 760, 763, 768, 764, 752, - 773, 752, 763, 765, 752, 772, 766, 
776, 752, 769, - 766, 752, 771, 770, 765, 0, 767, 767, 752, 752, - 769, 752, 770, 768, 768, 771, 775, 778, 779, 776, - 765, 0, 773, 775, 776, 780, 778, 777, 780, 771, - 770, 774, 774, 777, 774, 0, 0, 774, 782, 781, - 0, 779, 774, 775, 778, 779, 784, 0, 774, 774, - 787, 786, 780, 786, 777, 781, 812, 774, 774, 774, - 782, 774, 781, 783, 774, 782, 781, 785, 784, 774, - - 790, 783, 789, 784, 787, 774, 774, 787, 786, 785, - 788, 791, 781, 792, 794, 788, 0, 793, 812, 797, - 783, 795, 789, 791, 785, 796, 790, 790, 798, 789, - 802, 800, 818, 801, 799, 792, 794, 802, 791, 800, - 792, 794, 788, 793, 793, 795, 797, 796, 795, 799, - 804, 803, 796, 798, 805, 798, 801, 802, 800, 803, - 801, 799, 806, 807, 818, 808, 809, 810, 811, 804, - 814, 820, 0, 811, 806, 809, 807, 804, 803, 813, - 805, 805, 810, 815, 822, 817, 821, 823, 815, 806, - 807, 808, 808, 809, 810, 811, 819, 814, 824, 825, - - 826, 813, 827, 820, 819, 828, 813, 817, 821, 830, - 0, 823, 817, 821, 823, 815, 822, 831, 825, 824, - 835, 829, 836, 819, 828, 824, 825, 826, 833, 827, - 829, 830, 828, 832, 837, 834, 830, 831, 838, 833, - 836, 839, 832, 834, 831, 842, 0, 835, 829, 836, - 840, 843, 845, 837, 844, 833, 847, 844, 840, 0, - 832, 837, 834, 842, 846, 838, 848, 851, 850, 843, - 850, 849, 842, 839, 845, 852, 0, 840, 843, 845, - 847, 844, 846, 847, 849, 851, 854, 853, 848, 852, - 876, 846, 853, 848, 851, 850, 855, 856, 849, 857, - - 858, 859, 852, 858, 862, 856, 860, 863, 855, 864, - 859, 0, 854, 854, 860, 864, 865, 857, 0, 853, - 0, 0, 876, 855, 856, 867, 857, 858, 859, 862, - 860, 862, 867, 860, 863, 868, 864, 871, 865, 866, - 870, 860, 868, 865, 869, 866, 872, 870, 874, 869, - 872, 873, 867, 875, 877, 871, 0, 874, 881, 0, - 884, 875, 868, 880, 871, 882, 866, 870, 878, 879, - 885, 869, 877, 872, 873, 874, 880, 879, 873, 881, - 875, 877, 884, 878, 882, 881, 883, 884, 888, 890, - 880, 887, 882, 886, 895, 878, 879, 885, 887, 883, - - 889, 886, 891, 893, 896, 892, 888, 889, 890, 891, - 892, 893, 894, 883, 898, 888, 890, 
900, 887, 894, - 886, 897, 899, 901, 900, 902, 895, 889, 0, 891, - 893, 903, 892, 904, 897, 899, 896, 905, 909, 894, - 906, 904, 908, 910, 900, 905, 898, 907, 897, 899, - 912, 913, 905, 907, 903, 901, 911, 902, 903, 912, - 904, 914, 906, 916, 905, 913, 0, 906, 908, 908, - 909, 0, 905, 917, 907, 910, 918, 912, 913, 915, - 911, 919, 917, 911, 920, 921, 915, 922, 925, 920, - 916, 923, 0, 914, 919, 925, 919, 921, 918, 924, - - 917, 927, 926, 918, 924, 919, 915, 930, 919, 927, - 922, 932, 921, 936, 922, 925, 920, 923, 923, 929, - 930, 919, 929, 919, 926, 932, 924, 934, 927, 926, - 933, 0, 937, 934, 930, 938, 939, 933, 932, 936, - 936, 940, 941, 940, 0, 962, 929, 938, 944, 960, - 0, 946, 988, 0, 934, 937, 946, 933, 935, 937, - 935, 942, 938, 939, 935, 941, 935, 943, 940, 941, - 944, 935, 962, 942, 947, 944, 935, 945, 966, 988, - 943, 960, 935, 946, 948, 935, 966, 935, 942, 0, - 945, 935, 947, 935, 943, 949, 950, 948, 935, 951, - - 952, 947, 953, 935, 945, 966, 954, 949, 950, 951, - 955, 948, 956, 957, 958, 952, 955, 961, 949, 954, - 959, 951, 949, 950, 953, 956, 951, 952, 964, 953, - 969, 957, 970, 954, 949, 958, 951, 955, 965, 956, - 957, 958, 959, 965, 967, 969, 974, 959, 971, 961, - 0, 972, 0, 967, 970, 973, 978, 969, 0, 970, - 964, 971, 979, 0, 978, 965, 972, 975, 974, 976, - 979, 967, 968, 974, 977, 971, 981, 968, 972, 968, - 976, 973, 973, 978, 980, 968, 975, 977, 982, 979, - 968, 968, 983, 984, 975, 980, 976, 968, 968, 968, - - 986, 977, 984, 985, 968, 989, 968, 983, 981, 986, - 982, 980, 968, 987, 985, 982, 990, 968, 968, 983, - 984, 992, 987, 990, 968, 993, 0, 986, 989, 994, - 985, 996, 989, 995, 997, 998, 999, 994, 1004, 0, - 987, 1001, 0, 990, 999, 996, 1002, 1005, 0, 993, - 1003, 0, 993, 992, 1007, 995, 994, 998, 996, 1001, - 995, 1003, 998, 999, 1002, 1005, 997, 1006, 1001, 1009, - 1004, 1008, 1010, 1002, 1005, 1006, 1007, 1003, 1008, 1010, - 1011, 1007, 1009, 1012, 1013, 1014, 1016, 1015, 0, 1018, - 1020, 0, 1034, 0, 1006, 1011, 1009, 1015, 1008, 1010, - - 
1018, 1012, 1013, 1020, 1022, 1023, 1014, 1011, 1021, 1024, - 1012, 1013, 1014, 1023, 1015, 1021, 1018, 1020, 1016, 1025, - 1027, 1026, 1024, 1028, 1034, 1032, 1022, 1031, 1025, 1033, - 0, 1022, 1023, 1026, 0, 1021, 1024, 1037, 0, 1035, - 0, 1036, 1027, 1032, 1050, 1028, 1025, 1027, 1026, 1031, - 1028, 1037, 1032, 1036, 1031, 1033, 1033, 1035, 1039, 1043, - 1040, 1044, 1046, 1047, 1037, 1040, 1035, 1042, 1036, 1039, - 1042, 1045, 1047, 1046, 1044, 1049, 1050, 1048, 1045, 1052, - 0, 1057, 0, 1043, 0, 1039, 1043, 1049, 1044, 1046, - 1047, 1048, 1040, 1042, 1042, 1053, 1051, 1042, 1045, 1054, - - 1055, 1062, 1049, 1051, 1048, 1057, 1058, 1053, 1057, 1059, - 1060, 1052, 1058, 1055, 1061, 1065, 1063, 1064, 1070, 1062, - 1071, 1054, 1053, 1051, 1067, 1061, 1054, 1055, 1062, 1068, - 1065, 1059, 1060, 1058, 1069, 1072, 1059, 1060, 1063, 1064, - 1068, 1061, 1065, 1063, 1064, 1067, 1074, 1071, 1073, 1076, - 1070, 1067, 1075, 1072, 1080, 1069, 1068, 1073, 1076, 1077, - 1079, 1069, 1072, 1081, 1078, 1082, 1083, 1077, 1080, 1085, - 1074, 1078, 1084, 1074, 1087, 1073, 1076, 0, 1075, 1075, - 1086, 1080, 1089, 1090, 1079, 1092, 1077, 1079, 1083, 1091, - 0, 1078, 1090, 1083, 1084, 1081, 1091, 1082, 1093, 1084, - - 1094, 1085, 1086, 1095, 1089, 1096, 1087, 1086, 1101, 1089, - 1090, 1098, 1099, 1097, 1104, 1106, 1091, 1092, 1100, 1098, - 1093, 1095, 1097, 1096, 1101, 1093, 1102, 1094, 1103, 1104, - 1095, 1107, 1096, 1110, 1108, 1101, 1099, 1103, 1098, 1099, - 1097, 1104, 1100, 1105, 1109, 1100, 1108, 1106, 1102, 1111, - 1114, 1105, 1112, 1102, 1113, 1103, 1117, 1111, 1116, 1114, - 1110, 1108, 1122, 1107, 1118, 1112, 1109, 1116, 1123, 1113, - 1105, 1109, 1118, 1119, 1117, 1119, 1111, 1114, 1121, 1112, - 1124, 1113, 1125, 1117, 1129, 1116, 1121, 1123, 1128, 1122, - 1126, 1118, 1131, 1130, 1132, 1123, 1129, 1126, 1133, 1134, - - 1119, 1128, 1124, 1135, 1125, 1121, 1134, 1124, 1130, 1125, - 1136, 1129, 1132, 1137, 1131, 1128, 1138, 1126, 0, 1131, - 1130, 1132, 1139, 1140, 1137, 1133, 
1134, 1144, 1141, 1143, - 0, 1142, 0, 0, 1147, 1135, 1150, 1146, 1138, 1144, - 1137, 1141, 1136, 1138, 1142, 1140, 1147, 1139, 1154, 1139, - 1140, 1143, 1145, 1151, 1144, 1141, 1143, 1146, 1142, 1148, - 1145, 1147, 1152, 1150, 1146, 1153, 1151, 1148, 0, 1154, - 1158, 1152, 1159, 1156, 1155, 1154, 1161, 1153, 0, 1145, - 1151, 1155, 1156, 1160, 1156, 0, 1148, 1156, 1162, 1152, - 1168, 1163, 1153, 1158, 1165, 1156, 1164, 1158, 1159, 1159, - - 1156, 1155, 1165, 1161, 1163, 1160, 1167, 1166, 1162, 1156, - 1160, 1156, 1168, 1170, 1156, 1162, 1166, 1168, 1163, 1169, - 1164, 1165, 1171, 1164, 1167, 1172, 1173, 1169, 1170, 1174, - 1176, 0, 1177, 1167, 1166, 0, 1178, 1174, 1172, 1180, - 1170, 1179, 1173, 0, 1171, 0, 1169, 1181, 1179, 1171, - 1183, 1182, 1172, 1173, 1177, 1184, 1174, 1176, 1178, 1177, - 1186, 1180, 1183, 1178, 1185, 1188, 1180, 1184, 1179, 1182, - 1181, 1187, 1185, 1189, 1181, 1186, 1190, 1183, 1182, 1195, - 1191, 1192, 1184, 1187, 1190, 1188, 1191, 1186, 1189, 1193, - 1192, 1185, 1188, 1194, 1196, 1197, 1198, 1199, 1187, 0, - - 1189, 1196, 1197, 1190, 1200, 1194, 1204, 1191, 1192, 1199, - 1193, 1195, 1200, 1201, 1198, 1205, 1193, 1202, 1204, 1206, - 1194, 1196, 1197, 1198, 1199, 1202, 1206, 1203, 1201, 1203, - 1208, 1200, 1210, 1204, 1211, 0, 1209, 1215, 1214, 1213, - 1201, 0, 1212, 1219, 1202, 1210, 1206, 1205, 1209, 1212, - 1213, 1216, 1215, 1211, 1203, 1218, 1216, 1219, 1220, 1210, - 1214, 1211, 1208, 1209, 1215, 1214, 1213, 1217, 1218, 1212, - 1219, 1223, 1224, 1222, 1226, 1217, 1228, 0, 0, 1225, - 1237, 0, 1218, 1216, 1220, 1220, 0, 1222, 1229, 1223, - 0, 1227, 1230, 0, 1217, 1221, 1226, 1231, 1223, 1221, - - 1222, 1226, 1221, 1221, 1224, 1225, 1225, 1221, 1228, 1227, - 1229, 1233, 1237, 1221, 1230, 1229, 1243, 1221, 1227, 1230, - 1235, 1221, 1221, 1231, 1231, 1232, 1221, 1235, 1238, 1221, - 1221, 1232, 1236, 1234, 1221, 1234, 1239, 1233, 1233, 1240, - 1221, 1236, 1242, 1239, 1221, 1241, 1238, 1235, 1243, 1244, - 1246, 1242, 1232, 1245, 0, 1238, 1248, 
1234, 1241, 1236, - 1234, 1240, 1234, 1239, 0, 1254, 1240, 0, 1250, 1242, - 0, 1249, 1241, 1246, 1252, 1245, 1256, 1246, 1248, 0, - 1245, 1244, 1247, 1248, 1249, 1256, 1257, 1247, 1254, 1247, - 1252, 1247, 1254, 1247, 1250, 1250, 1251, 1251, 1249, 1255, - - 1247, 1252, 1258, 1256, 1257, 1259, 1261, 1258, 1262, 1247, - 1260, 1255, 1263, 1257, 1247, 1260, 1247, 1267, 1247, 1264, - 1247, 1262, 0, 1259, 1268, 1251, 1255, 1264, 1261, 1266, - 1263, 0, 1259, 1261, 1258, 1262, 1265, 1260, 1269, 1263, - 1270, 1272, 1266, 1273, 1265, 0, 1264, 1271, 1278, 1267, - 1268, 1268, 1274, 1270, 1272, 1275, 1266, 1269, 1276, 1277, - 1276, 1273, 1280, 1265, 1275, 1269, 1279, 1270, 1272, 1271, - 1273, 1281, 1274, 1283, 1271, 1278, 1285, 1284, 1279, 1274, - 1287, 1277, 1275, 1286, 1285, 1276, 1277, 1288, 1289, 1280, - 1290, 1291, 1294, 1279, 1288, 0, 1281, 1283, 1281, 1284, - - 1283, 1286, 1292, 1285, 1284, 1293, 1297, 1287, 1292, 1299, - 1286, 1293, 1296, 1291, 1288, 1289, 1290, 1290, 1291, 1294, - 1295, 1298, 1296, 1300, 1301, 1303, 1306, 1295, 1298, 1292, - 1297, 1302, 1293, 1297, 1303, 1305, 1308, 1312, 1306, 1296, - 0, 1299, 1301, 1307, 1309, 1300, 0, 1295, 1298, 1308, - 1300, 1301, 1303, 1306, 1310, 1311, 1302, 1313, 1302, 1305, - 1314, 1312, 1305, 1308, 1312, 1307, 1309, 1315, 1318, 1316, - 1307, 1309, 1317, 1310, 1321, 1322, 1319, 1311, 1316, 1313, - 1325, 1310, 1311, 1323, 1313, 0, 1314, 1314, 1318, 1315, - 1319, 1324, 1327, 1317, 1315, 1318, 1316, 1326, 1328, 1317, - - 1327, 1329, 1330, 1319, 1332, 1323, 1321, 1322, 1333, 1330, - 1323, 1335, 1325, 1324, 1328, 1326, 1334, 1333, 1324, 1327, - 1336, 1338, 1339, 1335, 1326, 1328, 1332, 1336, 1329, 1330, - 1337, 1332, 0, 1334, 1337, 1333, 1342, 1340, 1335, 1343, - 1346, 0, 1344, 1334, 1345, 1343, 1347, 1336, 1349, 1344, - 0, 1345, 1343, 1338, 1339, 1346, 1348, 1337, 1340, 1347, - 1351, 1354, 1351, 1350, 1340, 1348, 1343, 1346, 1342, 1344, - 1350, 1345, 1343, 1347, 1349, 1349, 1352, 1353, 1355, 1356, - 1361, 1358, 1355, 1348, 1360, 
1352, 1359, 1351, 1354, 1358, - 1350, 1359, 0, 1360, 1362, 1368, 1363, 1367, 1361, 1353, - - 1364, 1356, 1371, 1352, 1353, 1355, 1356, 1361, 1358, 1363, - 1372, 1360, 1364, 1362, 1365, 1367, 1366, 1365, 1359, 1366, - 1368, 1362, 1368, 1363, 1367, 1374, 1365, 1364, 1375, 1369, - 1374, 1373, 1392, 1372, 1371, 0, 1375, 1372, 1366, 1376, - 1376, 1365, 1369, 1366, 1365, 1377, 1366, 1373, 1378, 1379, - 1380, 1382, 1385, 1381, 1377, 1375, 1369, 1374, 1373, 1380, - 1381, 1383, 1389, 0, 1392, 1385, 1376, 1388, 1383, 0, - 1378, 1379, 1377, 1382, 1386, 1378, 1379, 1380, 1382, 1385, - 1381, 1387, 1390, 1386, 1391, 1389, 1395, 1393, 1383, 1389, - 1387, 1390, 1391, 1388, 1388, 1394, 1398, 1399, 1396, 1395, - - 1397, 1386, 1393, 1394, 1398, 0, 1400, 1401, 1387, 1390, - 1396, 1391, 1397, 1395, 1393, 1405, 1406, 1404, 1407, 1399, - 1409, 1402, 1394, 1398, 1399, 1396, 1400, 1397, 1406, 1401, - 1402, 1403, 1408, 1400, 1401, 1404, 1407, 1403, 1410, 1408, - 1411, 1405, 1405, 1406, 1404, 1407, 1409, 1409, 1402, 1412, - 0, 1413, 1414, 1415, 1416, 1417, 1419, 1420, 1403, 1408, - 1421, 1417, 1412, 1418, 1425, 1416, 0, 1422, 0, 1423, - 1410, 0, 1411, 1430, 1415, 1426, 1412, 1413, 1413, 1414, - 1415, 1416, 1417, 1427, 1429, 1418, 1430, 1432, 1419, 1420, - 1418, 1425, 1421, 1422, 1422, 1423, 1423, 1428, 1426, 1429, - - 1430, 1427, 1426, 1431, 0, 1433, 1428, 1432, 1435, 1434, - 1427, 1429, 1436, 1437, 1432, 1431, 1434, 1438, 1439, 1442, - 1450, 0, 1441, 1439, 1428, 1438, 1437, 1435, 1440, 1441, - 1431, 1433, 1433, 1440, 1436, 1435, 1434, 1446, 1445, 1436, - 1437, 1448, 0, 1443, 1438, 1442, 1442, 1444, 1448, 1441, - 1439, 1443, 1450, 1447, 1449, 1444, 1445, 1451, 1454, 1446, - 1440, 1447, 1452, 1449, 1446, 1445, 1453, 1453, 1448, 1452, - 1443, 1456, 1457, 1464, 1444, 1455, 1463, 0, 1458, 1451, - 1447, 1449, 1463, 1455, 1451, 1464, 1458, 1459, 1460, 1452, - 1454, 1461, 1456, 1453, 1462, 1459, 1460, 1465, 1456, 1461, - - 1464, 1466, 1455, 1463, 1457, 1458, 1470, 1462, 1467, 1468, - 1471, 1469, 
1472, 1474, 1459, 1460, 1467, 1468, 1461, 1473, - 1486, 1462, 1479, 1465, 1465, 1466, 1469, 1474, 1466, 1475, - 1476, 1479, 1480, 1470, 1472, 1467, 1468, 1471, 1469, 1472, - 1474, 1477, 1473, 1481, 1476, 1477, 1473, 1475, 1484, 1479, - 1483, 1485, 1486, 1482, 1480, 1481, 1475, 1476, 1477, 1480, - 1482, 1483, 1487, 0, 1489, 1488, 1477, 1490, 1477, 1494, - 1481, 1497, 1477, 1485, 1487, 1484, 1491, 1483, 1485, 1488, - 1482, 1492, 1496, 1502, 1493, 1477, 1489, 1494, 1492, 1487, - 1490, 1489, 1488, 1493, 1490, 1495, 1494, 1499, 1497, 1491, - - 1503, 1501, 1495, 1491, 1504, 1502, 1499, 1501, 1492, 0, - 1502, 1493, 1505, 1507, 1496, 1510, 1516, 1509, 1511, 1505, - 1512, 0, 1495, 1516, 1499, 1514, 1503, 1503, 1501, 1511, - 1517, 1512, 1515, 0, 1519, 1567, 1504, 0, 1515, 1505, - 1507, 1509, 1510, 1516, 1509, 1511, 1518, 1512, 1517, 1514, - 1520, 0, 1514, 1518, 1523, 1522, 1524, 1517, 1521, 1515, - 1519, 1519, 1520, 1522, 1521, 1525, 1526, 1567, 1528, 1524, - 1527, 1530, 1529, 1518, 1529, 1531, 1523, 1520, 1530, 1527, - 1528, 1523, 1522, 1524, 1526, 1521, 1534, 1532, 1536, 0, - 0, 1525, 1525, 1526, 1533, 1528, 1537, 1527, 1530, 1529, - - 1532, 1531, 1531, 1533, 1535, 1538, 0, 1539, 1534, 1542, - 1541, 1547, 1538, 1534, 1532, 1536, 1535, 1540, 1541, 1537, - 1543, 1533, 1540, 1537, 1545, 1542, 1548, 1544, 1549, 1551, - 1550, 1535, 1538, 1539, 1539, 1544, 1542, 1541, 1547, 1552, - 1551, 0, 1549, 1543, 1540, 1553, 1545, 1543, 1552, 1555, - 1548, 1545, 1550, 1548, 1544, 1549, 1551, 1550, 1553, 1554, - 1554, 1556, 1555, 1556, 1557, 0, 1552, 1554, 1559, 1561, - 1558, 1560, 1553, 1564, 0, 1559, 1555, 1565, 1560, 1563, - 1564, 1562, 1568, 1566, 1569, 1572, 1554, 1554, 1556, 1568, - 1557, 1557, 1558, 1574, 1571, 1559, 1561, 1558, 1560, 1562, - - 1564, 1563, 1565, 1573, 1565, 1566, 1563, 1571, 1562, 1568, - 1566, 1573, 1572, 1576, 1574, 1577, 1569, 1578, 1577, 1579, - 1574, 1571, 1581, 1580, 1583, 1582, 0, 1584, 1589, 1585, - 1573, 1581, 1586, 0, 1587, 1576, 1580, 1582, 1585, 1593, - 
1576, 1587, 1577, 1578, 1578, 1579, 1579, 1586, 1583, 1581, - 1580, 1583, 1582, 1584, 1584, 1588, 1585, 1593, 1588, 1586, - 1589, 1587, 1590, 1597, 1591, 1594, 1593, 1595, 1598, 1595, - 1588, 1596, 1599, 1603, 1600, 0, 1601, 0, 0, 1588, - 1591, 0, 1588, 1602, 1590, 1588, 1604, 1594, 1591, 1590, - 1597, 1591, 1594, 1610, 1595, 1596, 1600, 1588, 1596, 1609, - - 1598, 1600, 1601, 1601, 1599, 1603, 1605, 1591, 1604, 1602, - 1602, 1607, 1606, 1604, 1611, 1608, 1613, 1616, 1612, 1607, - 1605, 1606, 1608, 1609, 1614, 1610, 1609, 1615, 1614, 1619, - 1617, 0, 1618, 1605, 1622, 1620, 1619, 1623, 1607, 1606, - 1612, 1618, 1608, 1620, 1616, 1612, 1611, 1622, 1613, 1615, - 1623, 1614, 1617, 1621, 1615, 1624, 1619, 1617, 1625, 1618, - 1621, 1622, 1620, 1626, 1623, 1626, 1627, 1625, 1624, 1628, - 1629, 1630, 1632, 1633, 1635, 1637, 1636, 1638, 1629, 0, - 1621, 1634, 1624, 1636, 1638, 1625, 1637, 1632, 1633, 1627, - 1626, 1630, 1639, 1627, 1628, 1634, 1628, 1629, 1630, 1632, - - 1633, 1640, 1637, 1636, 1638, 1639, 1635, 1640, 1634, 1642, - 1643, 1644, 1645, 0, 1646, 1650, 1648, 1643, 1647, 1639, - 1649, 0, 1652, 1649, 1650, 0, 1651, 1645, 1640, 1648, - 1647, 1653, 1654, 1644, 1652, 1654, 1642, 1643, 1644, 1645, - 1646, 1646, 1650, 1648, 1651, 1647, 1655, 1649, 1660, 1652, - 1654, 1653, 1659, 1651, 1659, 1657, 1661, 1655, 1653, 1654, - 1657, 1662, 1654, 1663, 1666, 1664, 0, 1657, 1668, 1665, - 1667, 0, 1660, 1655, 1664, 1660, 1668, 1669, 1663, 1659, - 1671, 1670, 1657, 1661, 1667, 1674, 1672, 1657, 1662, 1673, - 1663, 1666, 1664, 1665, 1672, 1668, 1665, 1667, 1675, 1669, - - 1673, 1677, 1671, 1674, 1669, 1670, 1675, 1671, 1670, 1679, - 1678, 1676, 1674, 1672, 1676, 0, 1673, 1680, 1681, 1677, - 1683, 1682, 1685, 1684, 1680, 1675, 0, 1685, 1677, 1676, - 1682, 1686, 1681, 1683, 1684, 1692, 1679, 1687, 1676, 1694, - 0, 1676, 1678, 1695, 1680, 1681, 1691, 1683, 1682, 1690, - 1684, 1690, 1687, 1686, 1685, 1691, 1693, 1694, 1686, 0, - 1696, 1692, 1692, 0, 1687, 1695, 1694, 1693, 1699, 
1698, - 1695, 1701, 1697, 1691, 1696, 1697, 1690, 1699, 1700, 1704, - 1701, 1708, 1705, 1693, 1700, 1707, 1696, 1696, 1702, 1710, - 1697, 1698, 1704, 1702, 1705, 1699, 1698, 1711, 1701, 1697, - - 1712, 1696, 1697, 1706, 1713, 1700, 1704, 1707, 1706, 1705, - 1709, 1714, 1707, 1708, 1715, 1718, 1710, 1713, 1717, 1709, - 1702, 1719, 1712, 1722, 1720, 1717, 0, 1712, 1718, 1711, - 1706, 1713, 0, 1721, 1729, 1715, 1726, 1709, 1720, 1721, - 1724, 1715, 1718, 1714, 1726, 1717, 1727, 1730, 1731, 1728, - 1733, 1720, 1732, 1719, 1727, 1722, 1729, 1721, 1734, 1724, - 1721, 1729, 1731, 1726, 1733, 1730, 1721, 1724, 1728, 1735, - 1732, 1734, 1736, 1727, 1730, 1731, 1728, 1733, 1737, 1732, - 1738, 1739, 1735, 0, 1740, 1734, 1744, 1741, 1742, 1745, - 1743, 1746, 1749, 1736, 1741, 1739, 1735, 1742, 1743, 1736, - - 1747, 1749, 1751, 1745, 1754, 1747, 0, 1748, 1739, 1753, - 1737, 1740, 1738, 1744, 1741, 1742, 1745, 1743, 1748, 1749, - 1736, 1752, 1756, 1746, 1757, 1758, 1754, 1747, 1752, 1751, - 1755, 1754, 1753, 1765, 1748, 1759, 1753, 1755, 1761, 1759, - 1762, 1764, 1763, 1758, 1756, 1765, 1757, 1766, 1752, 1756, - 1770, 1757, 1758, 1767, 1761, 1768, 1764, 1755, 1762, 1771, - 1765, 1767, 1759, 1769, 1772, 1761, 1763, 1762, 1764, 1763, - 1768, 1769, 1771, 1773, 1766, 1776, 1778, 1770, 1774, 1779, - 1767, 1788, 1768, 1776, 1772, 1777, 1771, 1780, 1773, 1781, - 1769, 1772, 1777, 1774, 1779, 1782, 1780, 1783, 1784, 1787, - - 1773, 1786, 1776, 1789, 1790, 1774, 1779, 1791, 1778, 1792, - 1781, 1793, 1777, 1788, 1780, 1794, 1781, 1787, 1793, 1790, - 1794, 1783, 1782, 1786, 1783, 1784, 1787, 1797, 1786, 1798, - 1789, 1790, 1791, 1792, 1791, 1795, 1792, 1796, 1793, 1799, - 1800, 1801, 1794, 1802, 1795, 1803, 1796, 1808, 1809, 1797, - 0, 1798, 1804, 1801, 1797, 1800, 1798, 1799, 1803, 1804, - 1806, 1807, 1795, 1803, 1796, 1802, 1799, 1800, 1801, 1805, - 1802, 1810, 1803, 1807, 1808, 1812, 1805, 1810, 1813, 1804, - 1809, 1814, 1806, 1812, 1816, 1803, 1813, 1806, 1807, 1818, - 1815, 1805, 
1814, 1817, 1819, 1817, 1805, 1815, 1810, 1820, - - 1821, 1822, 1812, 1805, 1823, 1813, 1817, 1821, 1814, 1816, - 1826, 1816, 1824, 1825, 1829, 1818, 1818, 1815, 1824, 1825, - 1817, 1819, 1817, 1827, 1828, 1831, 1820, 1821, 1822, 1833, - 1823, 1823, 1834, 1832, 0, 1837, 1839, 1826, 1829, 1824, - 1825, 1829, 1832, 1835, 1836, 1835, 1827, 1840, 1838, 1847, - 1827, 1843, 1841, 1865, 1834, 1838, 1828, 1831, 1839, 1834, - 1832, 1833, 1837, 1839, 1841, 1844, 1842, 1846, 1836, 1845, - 1835, 1836, 1842, 1843, 1840, 1838, 1852, 0, 1843, 1841, - 1865, 1847, 1850, 1848, 1848, 1848, 0, 1844, 1856, 1846, - 1848, 1850, 1844, 1842, 1846, 1845, 1845, 1849, 1848, 1851, - - 1853, 1856, 1857, 1858, 1849, 1859, 1851, 1853, 1852, 1850, - 1848, 1848, 1848, 1855, 1857, 1856, 1861, 1848, 1855, 1860, - 1862, 1859, 1866, 1866, 1849, 1867, 1851, 1853, 1858, 1857, - 1858, 1860, 1859, 1863, 1869, 1864, 1868, 1871, 1862, 1869, - 1863, 1864, 1870, 1868, 1875, 1855, 1860, 1862, 1861, 1866, - 1872, 1867, 1867, 1876, 1877, 1876, 1879, 1872, 1881, 1880, - 1863, 1869, 1864, 1868, 1871, 1880, 1883, 1882, 1870, 1870, - 1884, 1875, 1877, 1885, 1879, 1886, 1884, 1872, 1882, 1893, - 1876, 1877, 1889, 1879, 1894, 1885, 1880, 1887, 1888, 1888, - 1881, 1890, 1890, 1883, 1882, 1886, 1891, 1884, 1902, 1896, - - 1885, 1893, 1886, 1895, 1897, 1887, 1893, 1891, 1889, 1889, - 1895, 1901, 1898, 1900, 1887, 1888, 1894, 1904, 1890, 1896, - 1903, 1900, 1905, 1891, 1906, 1902, 1896, 1911, 1908, 1905, - 1895, 1907, 1906, 1910, 1910, 1904, 1897, 1898, 1912, 1898, - 1900, 1909, 1903, 1901, 1904, 1913, 1907, 1903, 1916, 1905, - 1909, 1906, 1908, 1911, 1911, 1908, 1914, 1915, 1907, 1918, - 1910, 1921, 1919, 1914, 1916, 1920, 1918, 1919, 1909, 1915, - 1912, 1916, 1922, 1923, 1925, 1916, 1928, 1913, 1927, 1926, - 1922, 1940, 1925, 1914, 1915, 1923, 1918, 1920, 1921, 1919, - 1929, 1916, 1920, 1930, 1933, 1931, 0, 1928, 1935, 1922, - - 1923, 1925, 1926, 1928, 1927, 1927, 1926, 1932, 1929, 1934, - 1937, 1935, 1932, 1940, 1945, 
1934, 1936, 1929, 1931, 1938, - 1930, 1933, 1931, 1932, 1936, 1935, 1938, 1943, 1939, 1941, - 1942, 1944, 1937, 1946, 1932, 1939, 1934, 1937, 1941, 1932, - 1947, 1945, 1942, 1936, 1949, 1944, 1938, 1952, 1950, 1943, - 1954, 1956, 1958, 1950, 1943, 1939, 1941, 1942, 1944, 1946, - 1946, 1951, 1949, 1947, 1950, 1955, 1961, 1947, 1951, 1960, - 1955, 1949, 1959, 1959, 1952, 1950, 1962, 1954, 1965, 1964, - 1950, 1961, 1972, 1956, 1958, 1966, 1969, 1967, 1951, 1971, - 1968, 1960, 1968, 1961, 1964, 1987, 1960, 1955, 1970, 1959, - - 1966, 1965, 1973, 1970, 1974, 1965, 1964, 1976, 1962, 1972, - 1973, 1974, 1966, 1967, 1967, 1975, 1979, 1968, 1969, 1980, - 1978, 1971, 1976, 0, 1979, 1970, 1982, 1987, 1983, 1973, - 1984, 1974, 1985, 1986, 1976, 1978, 1989, 1975, 0, 0, - 1986, 1980, 1975, 1979, 1988, 1990, 1980, 1978, 1993, 1991, - 1982, 0, 1997, 1982, 1983, 1983, 1995, 1984, 1989, 1985, - 1986, 0, 1996, 1989, 2001, 1988, 1990, 1991, 2002, 1999, - 1993, 1988, 1990, 2000, 2003, 1993, 1991, 1996, 1997, 1997, - 1995, 2004, 2005, 1995, 1999, 2007, 2001, 2006, 2000, 1996, - 2008, 2001, 2003, 2010, 0, 2002, 1999, 2008, 2009, 2011, - - 2000, 2003, 2010, 2004, 2005, 2012, 2014, 2011, 2004, 2005, - 2015, 2006, 2007, 2013, 2006, 2016, 2009, 2008, 2017, 2015, - 2010, 2018, 2021, 0, 2024, 2009, 2011, 2017, 2012, 0, - 2020, 2021, 2012, 2016, 2018, 2013, 2022, 2015, 2014, 2023, - 2013, 2020, 2016, 2025, 2026, 2017, 2023, 2027, 2018, 2021, - 2024, 2024, 2032, 2027, 2022, 2028, 2020, 2020, 2029, 2026, - 2034, 2025, 2035, 2022, 2036, 2039, 2023, 2040, 2020, 2038, - 2025, 2026, 2029, 2035, 2027, 2036, 2041, 2028, 2039, 2032, - 2042, 2038, 2028, 2043, 2034, 2029, 2041, 2034, 2044, 2035, - 2045, 2036, 2039, 2046, 2048, 2052, 2038, 2044, 2049, 2040, - - 2051, 2053, 0, 2041, 2051, 2054, 2042, 2042, 2043, 2055, - 2043, 2058, 2046, 2059, 2056, 2044, 2052, 2045, 2054, 2056, - 2046, 2048, 2052, 2057, 2049, 2049, 0, 2051, 2060, 2055, - 2057, 2059, 2054, 2053, 2060, 2063, 2055, 2058, 2058, 2061, - 2059, 
2056, 2062, 2064, 2065, 2065, 2067, 2063, 2066, 2069, - 2057, 2072, 0, 2071, 2061, 2060, 2069, 2062, 2064, 2067, - 2066, 2070, 2063, 2073, 0, 2070, 2061, 2067, 2071, 2062, - 2064, 2065, 2073, 2067, 2074, 2066, 2069, 2076, 2072, 2075, - 2071, 2074, 2077, 2079, 2081, 0, 2067, 2080, 2070, 2077, - 2073, 2082, 2089, 2081, 2092, 2083, 2090, 0, 2085, 2076, - - 0, 2074, 2088, 2075, 2076, 2079, 2075, 2089, 2087, 2077, - 2079, 2081, 2080, 2082, 2080, 2083, 2085, 2087, 2082, 2089, - 2088, 2090, 2083, 2090, 2091, 2085, 2092, 2094, 2095, 2088, - 2096, 2098, 2091, 2097, 2097, 2087, 2099, 2100, 2102, 2103, - 2101, 2095, 2104, 0, 2108, 0, 2103, 2102, 2105, 2108, - 2109, 2091, 2094, 2098, 2094, 2095, 2107, 2096, 2098, 2100, - 2097, 2099, 2101, 2099, 2100, 2102, 2103, 2101, 2106, 2109, - 2105, 2107, 2111, 2112, 2104, 2105, 2108, 2109, 2113, 2115, - 2111, 2114, 2106, 2107, 2117, 2116, 2112, 2118, 2119, 0, - 2122, 2115, 2116, 2120, 0, 2106, 0, 2124, 0, 2111, - - 2112, 2125, 2120, 2121, 2123, 2113, 2115, 2114, 2114, 2118, - 2127, 2121, 2116, 2119, 2118, 2119, 2117, 2122, 2126, 2123, - 2120, 2131, 2121, 2124, 2124, 2128, 2130, 2125, 2125, 2130, - 2121, 2123, 2127, 2132, 2128, 2133, 2126, 2127, 2121, 2132, - 2133, 2135, 2134, 2136, 2130, 2126, 2131, 2138, 2131, 2139, - 2140, 2142, 2128, 2130, 2143, 2144, 2130, 2134, 2136, 2135, - 2132, 2143, 2138, 2145, 0, 2142, 2146, 2133, 2135, 2134, - 2136, 2139, 2140, 2144, 2138, 2146, 2139, 2140, 2142, 2147, - 2148, 2143, 2144, 2149, 2150, 2149, 2151, 2152, 2147, 2154, - 2145, 2148, 2156, 2146, 2159, 2157, 2158, 2150, 2151, 2156, - - 2155, 2165, 0, 2164, 2154, 2165, 2147, 2148, 2180, 2152, - 2149, 2150, 2159, 2151, 2152, 2155, 2154, 2157, 2158, 2156, - 2162, 2159, 2157, 2158, 2164, 2166, 2167, 2155, 2165, 2168, - 2164, 2168, 2169, 2162, 2170, 2167, 2171, 2166, 2172, 2173, - 2180, 2162, 2176, 2174, 2175, 2183, 2184, 2162, 2173, 2179, - 2169, 2174, 2166, 2167, 2171, 2190, 2168, 2179, 2177, 2169, - 2162, 2170, 2185, 2171, 2176, 2172, 2173, 2175, 2181, 
2176, - 2174, 2175, 2177, 2181, 2182, 2186, 2179, 2183, 2184, 2182, - 2187, 0, 2190, 2191, 0, 2177, 2185, 2187, 2193, 2185, - 2194, 2196, 2198, 2192, 2186, 2181, 2197, 2191, 2195, 2200, - - 2196, 2202, 2186, 2199, 2241, 2201, 2182, 2187, 2191, 2191, - 2191, 2192, 0, 2195, 2198, 2193, 2194, 2194, 2196, 2198, - 2192, 2204, 2206, 0, 2191, 2195, 2200, 2201, 2197, 2199, - 2199, 2205, 2201, 2202, 2207, 2191, 2241, 2209, 2205, 2209, - 2210, 2207, 2211, 2212, 2204, 2206, 2211, 2214, 2204, 2206, - 2213, 2217, 2215, 2216, 2218, 2212, 2214, 2219, 2205, 2218, - 2216, 2207, 2210, 2215, 2209, 2220, 2230, 2210, 2222, 2211, - 2212, 2221, 2213, 2217, 2214, 2223, 2223, 2213, 2217, 2215, - 2216, 2218, 2224, 2221, 2219, 2225, 2226, 2228, 2220, 2227, - 2222, 2224, 2220, 2230, 2226, 2222, 2229, 0, 2221, 2232, - - 2225, 2228, 2223, 2236, 2235, 2229, 2236, 2233, 2235, 2224, - 2245, 2227, 2225, 2226, 2228, 2233, 2227, 2234, 2232, 2237, - 2239, 2243, 2238, 2229, 2245, 2234, 2232, 2237, 2238, 2246, - 2236, 2235, 2240, 2243, 2233, 2239, 2247, 2245, 2240, 2248, - 2250, 2252, 2246, 2249, 2234, 2254, 2237, 2239, 2243, 2238, - 2249, 2251, 0, 2256, 2257, 2253, 2246, 2247, 2254, 2240, - 2255, 2258, 2259, 2247, 2248, 2252, 2248, 2250, 2252, 2253, - 2249, 2260, 2254, 2251, 2255, 2262, 2261, 2264, 2251, 2256, - 2256, 2257, 2253, 2260, 2265, 2266, 2258, 2255, 2258, 2259, - 2261, 2263, 2268, 2269, 2263, 2271, 2272, 2273, 2260, 2270, - - 2269, 2262, 2262, 2261, 2264, 2274, 2270, 2266, 2275, 2263, - 2271, 2265, 2266, 2274, 2268, 2277, 2276, 2278, 2263, 2268, - 2269, 2263, 2271, 2272, 2273, 2276, 2270, 2279, 2280, 2278, - 2281, 2284, 2274, 2282, 2283, 2275, 2289, 2285, 2291, 2286, - 2288, 2284, 2277, 2276, 2278, 2290, 2282, 2286, 2293, 2279, - 2285, 2296, 2283, 2290, 2279, 2280, 2294, 2281, 2284, 2292, - 2282, 2283, 2288, 2289, 2285, 2291, 2286, 2288, 2292, 2293, - 2295, 2297, 2290, 2302, 2299, 2293, 2298, 2301, 2296, 2297, - 2294, 2302, 2303, 2294, 2305, 2295, 2292, 2308, 2298, 2301, - 2306, 2305, 2309, 
2307, 2306, 2315, 2295, 2295, 2297, 2299, - - 2302, 2299, 2311, 2298, 2301, 2307, 2312, 2310, 2317, 2303, - 2308, 2305, 2295, 2313, 2308, 2310, 2316, 2306, 2312, 2309, - 2307, 2319, 2315, 2316, 2311, 2313, 2318, 2320, 2317, 2311, - 2319, 2321, 2321, 2312, 2310, 2317, 2320, 2322, 2323, 2318, - 2313, 2324, 2327, 2316, 2328, 2325, 0, 0, 2319, 0, - 0, 2329, 0, 2318, 2320, 2330, 2323, 0, 2321, 2328, - 2325, 2332, 2325, 2322, 2322, 2323, 2324, 2340, 2324, 2325, - 2333, 2328, 2325, 2329, 2327, 2332, 2333, 2330, 2329, 2331, - 2334, 2331, 2330, 2335, 2335, 0, 2337, 2325, 2332, 2325, - 2338, 2339, 2341, 2343, 2342, 2344, 0, 2333, 2349, 2340, - - 2342, 2345, 2334, 2339, 2346, 2343, 2331, 2334, 2337, 2347, - 2335, 2347, 2338, 2337, 2350, 2348, 2351, 2338, 2339, 2352, - 2343, 2342, 2349, 2345, 2341, 2349, 2346, 2344, 2345, 2348, - 2353, 2346, 2350, 2357, 2351, 2355, 2347, 2352, 2354, 2356, - 0, 2350, 2348, 2351, 0, 2359, 2352, 2361, 2353, 2363, - 2362, 2354, 2359, 2364, 2361, 2365, 2357, 2353, 0, 2371, - 2357, 2366, 2368, 2365, 0, 2354, 2367, 2355, 2362, 0, - 2371, 2356, 2359, 2373, 2361, 2363, 2363, 2362, 0, 2366, - 2372, 2365, 2365, 2374, 2368, 2364, 2371, 2375, 2366, 2368, - 2365, 2372, 2367, 2367, 2369, 2374, 2369, 2377, 2378, 2379, - - 2373, 2369, 2380, 2382, 2385, 2375, 2383, 2372, 2384, 2378, - 2374, 2379, 2377, 2386, 2375, 2384, 2387, 2380, 2389, 2385, - 2390, 2369, 2395, 2369, 2377, 2378, 2379, 2382, 2383, 2380, - 2382, 2385, 2391, 2383, 2392, 2384, 2393, 2394, 2396, 2402, - 2386, 0, 2387, 2387, 2390, 2389, 2397, 2390, 2398, 2395, - 2400, 2396, 2401, 2406, 2391, 2394, 2399, 2403, 2400, 2391, - 2404, 2407, 2408, 2398, 2394, 2396, 2392, 2414, 2393, 2399, - 2403, 2402, 2397, 2397, 2409, 2398, 2406, 2400, 2401, 2401, - 2406, 2410, 2404, 2399, 2403, 2407, 2411, 2404, 2407, 2408, - 2412, 2413, 2415, 2417, 2414, 2418, 2409, 2412, 2419, 2410, - - 2421, 2409, 2418, 2420, 2411, 2419, 2415, 2423, 2410, 2424, - 2425, 0, 2426, 2411, 2413, 2417, 2420, 2412, 2413, 2415, - 2417, 2422, 
2418, 2421, 2427, 2419, 2432, 2421, 2422, 2423, - 2420, 2425, 2428, 2427, 2423, 2429, 2430, 2425, 2426, 2426, - 2428, 2424, 2434, 2429, 2431, 2435, 2436, 2437, 2422, 2441, - 2431, 2427, 0, 2432, 2444, 2438, 2435, 2434, 2430, 2428, - 2439, 2451, 2429, 2430, 2443, 2445, 0, 2441, 2436, 2434, - 2447, 2431, 2435, 2436, 2438, 2450, 2441, 2443, 2453, 2437, - 2444, 2444, 2438, 2446, 2446, 2439, 2452, 2439, 2454, 2445, - 2457, 2443, 2445, 2451, 2459, 2461, 2447, 2447, 2450, 0, - - 2462, 2452, 2450, 2459, 2465, 2453, 2454, 2468, 2461, 2470, - 2446, 2462, 2472, 2452, 2467, 2454, 2469, 2457, 2466, 2466, - 2467, 2459, 2461, 2474, 2475, 2477, 2465, 2462, 0, 2468, - 2477, 2465, 2478, 2476, 2468, 0, 2470, 2481, 2469, 2472, - 2480, 2467, 2482, 2469, 2476, 2466, 2484, 2483, 2480, 2487, - 2475, 2475, 2477, 2486, 2478, 2474, 2488, 2482, 2489, 2478, - 2476, 2481, 2483, 2491, 2481, 2488, 2494, 2480, 2492, 2482, - 2489, 2486, 2496, 2484, 2483, 2494, 2493, 2497, 2498, 2499, - 2486, 2487, 0, 2488, 2493, 2489, 2501, 2502, 2499, 2500, - 2491, 0, 2492, 2494, 2507, 2492, 2503, 2504, 2496, 2496, - - 2498, 2507, 2505, 2493, 2497, 2498, 2499, 2500, 2501, 2503, - 2504, 2506, 2502, 2501, 2502, 2508, 2500, 2505, 2509, 2510, - 2511, 2507, 2508, 2503, 2504, 2512, 2513, 2515, 2514, 2505, - 0, 2517, 2520, 2506, 2516, 2519, 2515, 2518, 2506, 2520, - 2509, 2522, 2508, 2514, 0, 2509, 2510, 2511, 2522, 2524, - 2519, 2521, 2512, 2513, 2515, 2514, 2516, 2517, 2517, 2520, - 2524, 2516, 2519, 2518, 2518, 2523, 2521, 2525, 2522, 2526, - 2527, 2523, 2528, 2529, 0, 2530, 2524, 2526, 2521, 2533, - 2532, 2531, 2534, 2537, 2535, 2538, 2533, 2539, 0, 2529, - 2530, 2535, 2523, 0, 2525, 2532, 2526, 2527, 2536, 2528, - - 2529, 2531, 2530, 2538, 2534, 2536, 2533, 2532, 2531, 2534, - 2537, 2535, 2538, 2541, 2539, 2540, 2540, 2542, 2543, 2544, - 2541, 2543, 2545, 2546, 2547, 2536, 2548, 2545, 0, 2549, - 2554, 2542, 2544, 2555, 0, 2554, 0, 2555, 2556, 2547, - 2541, 2558, 2540, 2550, 2542, 2543, 2544, 2549, 2546, 2545, - 
2546, 2547, 2548, 2548, 2551, 2550, 2549, 2554, 2553, 2557, - 2555, 2559, 2556, 2558, 2560, 2556, 2551, 2553, 2558, 2561, - 2550, 2562, 2557, 2564, 0, 2566, 2568, 2570, 2567, 0, - 0, 2551, 2569, 2559, 2573, 2553, 2557, 2567, 2559, 2570, - 2569, 2560, 2568, 2573, 0, 2578, 2561, 2562, 2562, 2564, - - 2564, 2566, 2566, 2568, 2570, 2567, 2572, 2574, 2575, 2569, - 2576, 2573, 2574, 2572, 2577, 2575, 2579, 2580, 2581, 2584, - 2578, 2577, 2578, 2579, 2582, 2585, 2580, 2581, 2576, 2587, - 2588, 2586, 2591, 2572, 2574, 2575, 2586, 2576, 2585, 2592, - 2593, 2577, 2590, 2579, 2580, 2581, 2584, 2587, 2592, 2593, - 2582, 2582, 2585, 2594, 2596, 2597, 2587, 2588, 2586, 2591, - 2590, 2598, 2595, 2596, 2597, 2600, 2592, 2593, 2599, 2590, - 2601, 2602, 2598, 2594, 2595, 2605, 2599, 2603, 2604, 2607, - 2594, 2596, 2597, 2608, 2603, 2600, 2609, 2604, 2598, 2595, - 2610, 0, 2600, 2612, 2613, 2599, 2605, 2601, 2602, 2610, - - 2611, 2612, 2605, 2614, 2603, 2604, 2607, 2613, 2615, 2616, - 2608, 2617, 2611, 2619, 2618, 2615, 2616, 2610, 2609, 2620, - 2612, 2613, 2621, 2623, 2625, 2614, 2626, 2611, 2627, 0, - 2614, 2623, 2629, 2617, 2626, 2615, 2616, 2636, 2617, 2618, - 2619, 2618, 2625, 2627, 2620, 2628, 2620, 2630, 2637, 2621, - 2623, 2625, 2628, 2626, 2629, 2627, 2631, 2632, 2638, 2629, - 2635, 2636, 2639, 2631, 2636, 2632, 2640, 2635, 2642, 2630, - 2638, 2639, 2628, 2643, 2630, 2637, 2641, 2647, 2645, 2646, - 2642, 0, 0, 2631, 2632, 2638, 2650, 2635, 2653, 2639, - 2645, 2658, 2641, 2640, 2648, 2642, 2643, 2655, 2650, 2656, - - 2643, 2660, 2646, 2641, 2647, 2645, 2646, 2651, 2648, 2652, - 2657, 2659, 2655, 2650, 2651, 2653, 2652, 2656, 2658, 2659, - 2661, 2648, 2662, 2666, 2655, 2665, 2656, 2671, 2660, 2664, - 2663, 2673, 2665, 2657, 2651, 0, 2652, 2657, 2659, 2679, - 2662, 2663, 2661, 2672, 2664, 2674, 2675, 2661, 2672, 2662, - 2666, 2676, 2665, 2671, 2671, 2681, 2664, 2663, 2673, 2674, - 2675, 2677, 2678, 2683, 2680, 2686, 2679, 2681, 2688, 2676, - 2672, 2680, 2674, 2675, 2687, 2689, 
0, 2691, 2676, 2677, - 2678, 2688, 2681, 0, 2690, 2691, 2693, 2686, 2677, 2678, - 2683, 2680, 2686, 2697, 2692, 2688, 2687, 2689, 2695, 2700, - - 2698, 2687, 2689, 2690, 2691, 2693, 2699, 2701, 2702, 2703, - 2695, 2690, 2692, 2693, 2704, 2697, 2706, 2703, 2699, 2705, - 2697, 2692, 2698, 2707, 2709, 2695, 2700, 2698, 2708, 0, - 2702, 2710, 2707, 2699, 2701, 2702, 2703, 2708, 2706, 2705, - 2711, 2704, 2712, 2706, 2714, 2715, 2705, 2718, 2713, 2719, - 2707, 2722, 2724, 2710, 2712, 2708, 2709, 2720, 2710, 2721, - 2723, 2718, 2725, 2726, 2721, 2724, 2711, 2711, 2732, 2712, - 2713, 2714, 2715, 2722, 2718, 2713, 2719, 2727, 2722, 2724, - 2728, 2720, 2723, 2729, 2720, 2733, 2726, 2723, 2735, 2730, - 2726, 2721, 2734, 2737, 2725, 2729, 2731, 2739, 2728, 2727, - - 2732, 0, 2731, 2735, 2727, 2738, 2743, 2728, 2730, 2744, - 2729, 2741, 2747, 2737, 2734, 2735, 2730, 2733, 2749, 2734, - 2737, 2739, 2748, 2731, 2739, 2745, 2741, 2738, 2743, 2746, - 2747, 2744, 2738, 2743, 2745, 2750, 2744, 2751, 2741, 2747, - 2748, 2754, 2755, 2746, 2749, 2749, 2756, 0, 2762, 2748, - 2754, 2760, 2745, 2750, 2765, 2759, 2746, 2761, 2760, 2751, - 2763, 2764, 2750, 2759, 2751, 2761, 2767, 2756, 2754, 2764, - 2774, 2766, 2765, 2756, 2755, 2762, 2773, 2768, 2760, 2770, - 2763, 2765, 2759, 2766, 2761, 2768, 2776, 2763, 2764, 2772, - 2775, 2770, 2775, 2767, 2777, 2780, 2772, 2774, 2766, 2773, - - 2778, 2779, 2781, 2773, 2768, 2784, 2770, 2787, 2782, 2778, - 2785, 0, 0, 2789, 2788, 2790, 2772, 2775, 2776, 2791, - 2795, 2781, 2780, 2784, 2785, 2793, 2777, 2778, 2790, 2781, - 2782, 2791, 2784, 2779, 2794, 2782, 2789, 2785, 2788, 2787, - 2789, 2788, 2790, 2794, 2796, 2798, 2791, 2795, 2800, 2802, - 2799, 2793, 2793, 2804, 2806, 2813, 2805, 2807, 2810, 2808, - 2804, 2794, 2807, 0, 2811, 2810, 2814, 2819, 2815, 2806, - 2800, 2796, 2798, 2799, 2808, 2800, 2802, 2799, 2805, 2820, - 2804, 2806, 2813, 2805, 2816, 2810, 2808, 2817, 2820, 2807, - 2811, 2811, 2815, 2814, 2819, 2815, 2822, 2823, 2816, 2824, - - 2825, 
2817, 2827, 2822, 2826, 2828, 2820, 2830, 2829, 2831, - 2832, 2816, 2836, 2833, 2817, 2844, 2826, 2829, 2840, 2828, - 2830, 2837, 2840, 2822, 2823, 2824, 2824, 2825, 2839, 2827, - 2843, 2826, 2828, 2839, 2830, 2829, 2833, 2832, 2846, 2841, - 2833, 2831, 2842, 2837, 2836, 2840, 2841, 2844, 2837, 2842, - 2845, 2843, 2845, 2847, 2850, 2852, 0, 2843, 2857, 2853, - 2839, 2846, 2855, 2856, 2855, 2846, 2841, 0, 2861, 2842, - 2859, 2863, 0, 0, 2852, 2861, 2850, 2845, 2858, 2858, - 2847, 2850, 2852, 2853, 2857, 2857, 2853, 2856, 2858, 2855, - 2856, 2860, 2859, 2865, 2862, 2861, 2864, 2859, 2863, 2866, - - 2860, 2865, 2867, 2868, 2872, 2858, 2858, 2862, 2869, 2864, - 2867, 2870, 2866, 2869, 0, 2873, 2870, 2865, 2860, 2871, - 2865, 2862, 2868, 2864, 2874, 2877, 2866, 2871, 2865, 2867, - 2868, 2872, 2875, 0, 2876, 2878, 2877, 2879, 2880, 2880, - 2869, 2873, 2873, 2870, 2879, 2882, 2871, 2883, 2884, 2886, - 2874, 2874, 2877, 2881, 0, 2883, 2886, 2878, 2875, 2875, - 2876, 2876, 2878, 2885, 2879, 2880, 2881, 2882, 2889, 2890, - 2884, 2887, 2882, 2891, 2883, 2884, 2886, 2892, 2887, 2894, - 2881, 2885, 2895, 2896, 2899, 2897, 2892, 2900, 2906, 0, - 2885, 0, 0, 2907, 0, 2889, 2890, 2891, 2887, 2901, - - 2891, 2902, 2895, 2903, 2892, 2900, 2894, 2897, 2910, 2895, - 2896, 2899, 2897, 2905, 2900, 2906, 2907, 2901, 2908, 2902, - 2907, 2903, 2905, 2909, 2910, 2911, 2901, 2912, 2902, 2913, - 2903, 2909, 2912, 2914, 2915, 2910, 2908, 2911, 2920, 2922, - 2905, 2919, 2923, 2913, 2924, 2908, 2924, 2927, 0, 2925, - 2909, 2914, 2911, 0, 2928, 2923, 2913, 2915, 2925, 2912, - 2914, 2915, 2929, 2919, 2933, 2920, 2922, 2934, 2919, 2923, - 2937, 2924, 2928, 2932, 2927, 2932, 2925, 2929, 2939, 2943, - 2936, 2928, 2941, 0, 2945, 2934, 2933, 2936, 2941, 2929, - 2944, 2933, 2948, 2939, 2934, 2946, 0, 2953, 2954, 2955, - - 2932, 2943, 2937, 2950, 2949, 2939, 2943, 2936, 2961, 2941, - 2945, 2945, 2944, 2946, 2948, 2956, 2950, 2944, 2949, 2948, - 2951, 2957, 2946, 2951, 2953, 2954, 2955, 2958, 2957, 2959, 
- 2950, 2949, 0, 2956, 2964, 2958, 2962, 2963, 2966, 2967, - 2961, 2970, 2956, 2965, 0, 2967, 2951, 2951, 2957, 2968, - 2951, 2959, 2965, 2966, 2958, 2971, 2959, 2971, 2962, 2963, - 2969, 2964, 2972, 2962, 2963, 2966, 2967, 2974, 2979, 2969, - 2965, 2968, 2977, 2970, 2975, 2976, 2968, 2978, 2984, 2980, - 2979, 2982, 2971, 0, 0, 2978, 2986, 2969, 2982, 2972, - 2974, 2980, 2988, 2987, 2974, 2979, 2975, 2976, 2977, 2977, - - 2986, 2975, 2976, 2989, 2978, 2984, 2980, 2987, 2982, 2991, - 2992, 2990, 2993, 2986, 2995, 2988, 2994, 2991, 2997, 2988, - 2987, 2989, 2990, 2994, 2996, 2998, 2998, 2997, 2999, 2992, - 2989, 3003, 3004, 3008, 2993, 3012, 2991, 2992, 2990, 2993, - 2995, 2995, 2996, 2994, 3006, 2997, 3000, 3014, 3016, 3019, - 3006, 2996, 2998, 3010, 3000, 2999, 3011, 3012, 3003, 3004, - 3008, 3013, 3012, 3017, 3010, 3023, 3018, 3011, 3021, 3014, - 3017, 3006, 3013, 3000, 3014, 3016, 3021, 3026, 3020, 3025, - 3010, 3019, 3020, 3011, 3018, 3024, 3030, 3025, 3013, 3029, - 3017, 3023, 3023, 3018, 3033, 3021, 3029, 3031, 3024, 3033, - - 3034, 3035, 3036, 3037, 3026, 3020, 3025, 3038, 3041, 3039, - 3037, 3042, 3024, 3040, 3036, 3041, 3029, 3044, 3030, 3031, - 3046, 3033, 3056, 3057, 3031, 3039, 3038, 3034, 3035, 3036, - 3037, 3040, 3044, 3043, 3038, 3041, 3039, 3047, 3045, 3048, - 3040, 3043, 3050, 3042, 3044, 3045, 3049, 3046, 3055, 3047, - 3057, 3063, 3054, 3038, 3056, 3055, 3058, 3059, 3066, 0, - 3043, 3068, 0, 3048, 3047, 3045, 3048, 3054, 3050, 3050, - 3049, 3062, 3060, 3049, 3064, 3055, 3065, 3070, 3063, 3054, - 3058, 3060, 3071, 3058, 3065, 3067, 3067, 3074, 3068, 3059, - 3066, 3071, 3070, 3062, 3073, 3067, 3064, 3075, 3062, 3060, - - 3072, 3064, 3072, 3065, 3070, 3075, 3076, 3077, 3073, 3071, - 3079, 3080, 3067, 3067, 3074, 3082, 3084, 3076, 3081, 3083, - 3085, 3073, 3086, 3087, 3075, 3077, 3091, 3072, 3082, 3090, - 3088, 3089, 3089, 3076, 3077, 3093, 0, 3079, 3080, 3104, - 3081, 3083, 3082, 3084, 3088, 3081, 3083, 3085, 3091, 3086, - 3087, 3096, 3110, 3091, 
3102, 3098, 3100, 3088, 3089, 3096, - 3098, 3090, 3093, 3099, 3100, 3101, 3104, 3106, 3099, 3108, - 3101, 3105, 3105, 3107, 3111, 3106, 3108, 3109, 3096, 3110, - 3102, 3102, 3098, 3100, 3113, 3115, 3107, 3116, 3120, 3125, - 3099, 3119, 3101, 3115, 3106, 3109, 3108, 3119, 3105, 3114, - - 3107, 3111, 3122, 3123, 3109, 3127, 3114, 3124, 3126, 3116, - 3128, 3129, 3115, 3131, 3116, 3120, 3113, 3132, 3119, 0, - 3124, 3125, 0, 3126, 3127, 3123, 3114, 0, 3135, 3122, - 3123, 3136, 3127, 3129, 3124, 3126, 3131, 3128, 3129, 3132, - 3131, 3133, 3134, 3137, 3132, 3140, 3136, 3139, 3133, 3134, - 3135, 3144, 3141, 3140, 3142, 3135, 3145, 3147, 3136, 3141, - 3144, 3142, 3152, 3147, 3137, 3148, 3139, 3145, 3133, 3134, - 3137, 3150, 3140, 3151, 3139, 3146, 3146, 3153, 3144, 3141, - 3151, 3142, 3155, 3145, 3147, 3146, 3156, 3148, 3160, 3155, - 3161, 3157, 3148, 3150, 3152, 3167, 3162, 3170, 3150, 3153, - - 3151, 0, 3146, 3146, 3153, 3157, 3168, 3172, 3169, 3155, - 3156, 3173, 3173, 3156, 3175, 3160, 3169, 3161, 3157, 3162, - 3174, 3174, 3167, 3162, 3170, 3176, 3176, 0, 3168, 3177, - 3180, 3179, 3181, 3168, 3172, 3169, 3182, 3183, 3188, 3186, - 3173, 3175, 3189, 0, 3187, 3182, 3186, 3194, 3180, 3174, - 3183, 3187, 3177, 3179, 3176, 3190, 3177, 3180, 3179, 3181, - 3188, 3195, 3190, 3182, 3183, 3188, 3186, 3194, 3193, 3189, - 3193, 3187, 3196, 3197, 3194, 3200, 3201, 3199, 3202, 3210, - 3203, 3204, 3190, 3205, 3195, 3197, 3199, 3207, 3195, 3206, - 3196, 3218, 3211, 3209, 3211, 3193, 3202, 3200, 3209, 3196, - - 3197, 3206, 3200, 3201, 3199, 3202, 3203, 3203, 3204, 3207, - 3205, 3210, 3208, 3214, 3207, 3208, 3206, 3212, 3213, 3211, - 3216, 3215, 3217, 3218, 3213, 3209, 3220, 3221, 3216, 3212, - 3208, 3219, 3226, 3223, 3222, 3214, 3228, 3232, 3229, 3208, - 3214, 3233, 3208, 3215, 3212, 3213, 3222, 3216, 3215, 3217, - 3234, 3235, 3219, 3220, 3221, 3223, 3229, 3237, 3219, 3226, - 3223, 3222, 3238, 3228, 3232, 3229, 3239, 3240, 3233, 3241, - 3241, 3244, 3243, 3245, 3247, 3249, 3251, 3234, 
3235, 3250, - 3246, 3247, 3255, 3256, 3237, 3252, 3259, 3250, 0, 3238, - 3243, 3245, 3263, 3239, 3240, 3246, 3241, 3252, 3244, 3243, - - 3245, 3247, 3249, 3251, 3253, 3254, 3250, 3246, 3255, 3255, - 3256, 3258, 3252, 3259, 3265, 3262, 3263, 3266, 3253, 3263, - 3254, 3264, 3264, 3258, 3262, 3268, 3266, 3269, 3271, 3272, - 3270, 3253, 3254, 3276, 0, 3274, 3273, 3272, 3258, 3281, - 3265, 3265, 3262, 3270, 3266, 3273, 3274, 3277, 3264, 3268, - 3271, 3281, 3268, 3280, 3276, 3271, 3272, 3270, 3294, 3269, - 3276, 3293, 3274, 3273, 3296, 3277, 3281, 3284, 3284, 3297, - 3298, 3300, 3303, 3302, 3277, 0, 3280, 3302, 3296, 3304, - 3280, 0, 3294, 3293, 0, 3294, 3305, 3311, 3293, 0, - 3303, 3296, 3307, 3305, 3284, 3310, 3297, 3298, 3300, 3303, - - 3302, 3312, 3304, 3309, 3313, 3307, 3304, 3309, 3314, 3311, - 3315, 3310, 3316, 3305, 3311, 3319, 3313, 3319, 3317, 3307, - 3316, 3318, 3310, 3322, 3315, 3321, 3312, 3317, 3312, 3320, - 3309, 3313, 3318, 3323, 3314, 3314, 3325, 3315, 3322, 3316, - 3324, 3320, 3319, 3321, 3326, 3317, 3324, 3327, 3318, 3332, - 3322, 3328, 3321, 3334, 3327, 3323, 3320, 3333, 3325, 3335, - 3323, 3336, 3332, 3325, 3333, 3337, 3338, 3324, 3339, 0, - 3342, 3326, 3341, 3328, 3327, 3340, 3332, 3335, 3328, 3341, - 3334, 3343, 3344, 3340, 3333, 3345, 3335, 3345, 3336, 3346, - 3347, 3337, 3337, 3338, 3342, 3339, 3350, 3342, 3348, 3341, - - 3349, 3346, 3340, 3343, 3344, 3351, 3352, 3353, 3343, 3344, - 3355, 3348, 3345, 3352, 3356, 3349, 3346, 3358, 3350, 3360, - 3357, 3362, 3347, 3350, 3365, 3348, 3356, 3349, 3357, 3366, - 3362, 3360, 3351, 3352, 3353, 3367, 3369, 3355, 3370, 3371, - 3375, 3356, 3368, 0, 3358, 3372, 3360, 3357, 3362, 3373, - 3368, 3365, 3371, 3374, 3367, 3366, 3366, 3373, 3377, 3372, - 3383, 3384, 3367, 0, 3389, 3380, 3371, 3375, 3369, 3368, - 3370, 3380, 3372, 3383, 3381, 3374, 3373, 3387, 3389, 3386, - 3374, 3381, 3388, 3390, 3384, 3377, 3386, 3383, 3384, 3392, - 3388, 3389, 3380, 3393, 3391, 3394, 3397, 3390, 3398, 3387, - - 3399, 3381, 3391, 
3397, 3387, 3400, 3386, 3398, 3399, 3388, - 3390, 3392, 3401, 3402, 3403, 3393, 3392, 3408, 0, 0, - 3393, 3391, 3394, 3397, 3404, 3398, 3405, 3399, 3406, 3407, - 3410, 0, 3400, 3412, 3401, 3415, 3411, 3407, 3414, 3401, - 3403, 3403, 0, 3415, 3416, 3402, 3404, 3419, 3405, 3408, - 3406, 3404, 0, 3405, 3423, 3406, 3407, 3410, 3411, 3417, - 3412, 3414, 3415, 3411, 3416, 3414, 3418, 3417, 3420, 3421, - 3425, 3416, 3426, 0, 3418, 3426, 3420, 3428, 3427, 3419, - 3423, 3423, 3431, 3421, 3429, 3428, 3417, 3430, 3432, 3433, - 3426, 3436, 3429, 3418, 0, 3420, 3421, 3425, 3438, 3426, - - 3427, 3430, 3426, 3433, 3428, 3427, 3435, 3435, 3431, 3431, - 3432, 3429, 3437, 3440, 3430, 3432, 3433, 3436, 3436, 3439, - 3437, 3441, 3442, 3443, 3438, 3438, 3446, 3445, 3449, 3444, - 3442, 0, 3453, 3435, 3451, 3440, 3449, 3447, 3448, 3437, - 3440, 3441, 3451, 0, 3450, 3439, 3439, 3456, 3441, 3442, - 3443, 3444, 3445, 3446, 3445, 3449, 3444, 3447, 3448, 3453, - 3454, 3451, 3457, 3462, 3447, 3448, 3450, 3458, 3454, 3456, - 3459, 3450, 3460, 3463, 3456, 3458, 3465, 3464, 3459, 3466, - 3469, 3463, 3470, 3473, 3457, 3464, 0, 3454, 3467, 3457, - 3462, 3471, 3476, 3477, 3458, 3479, 3480, 3459, 3460, 3460, - - 3463, 3477, 3465, 3465, 3464, 3473, 3466, 3469, 3467, 3470, - 3473, 3471, 0, 3478, 3476, 3467, 0, 0, 3471, 3476, - 3477, 3478, 3479, 3480, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 3478, 3484, 3484, 3484, 3484, 3484, 3484, 3484, 3485, 3485, - 3485, 3485, 3485, 3485, 3485, 3486, 3486, 3486, 3486, 3486, - 3486, 3486, 3487, 3487, 3487, 3487, 3487, 3487, 3487, 3488, - 3488, 3488, 3488, 3488, 3488, 3488, 3489, 3489, 3489, 3489, - 3489, 3489, 3489, 3490, 3490, 3490, 3490, 3490, 3490, 3490, - 3492, 3492, 0, 3492, 3492, 3492, 3492, 3493, 3493, 0, - - 0, 0, 3493, 3493, 3494, 3494, 0, 0, 3494, 0, - 3494, 3495, 0, 0, 0, 0, 0, 3495, 3496, 3496, - 0, 0, 0, 3496, 3496, 3497, 0, 0, 0, 0, - 0, 3497, 3498, 3498, 0, 3498, 3498, 3498, 3498, 3499, - 0, 0, 0, 0, 0, 3499, 3500, 3500, 0, 0, - 0, 3500, 
3500, 3501, 3501, 0, 3501, 3501, 3501, 3501, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, 3483, - 3483, 3483, 3483, 3483, 3483, 3483, 3483 + 107, 106, 108, 41, 102, 109, 102, 41, 41, 151, + 228, 108, 109, 107, 106, 41, 113, 225, 115, 102, + 41, 114, 18, 41, 108, 102, 230, 107, 114, 108, + 41, 102, 109, 102, 41, 41, 110, 110, 108, 113, + 115, 116, 228, 113, 110, 115, 118, 17, 114, 119, + 117, 0, 110, 117, 116, 178, 178, 119, 230, 120, + + 0, 0, 0, 110, 110, 121, 117, 117, 116, 121, + 118, 110, 124, 0, 117, 123, 119, 117, 118, 120, + 117, 120, 122, 125, 126, 121, 120, 122, 123, 121, + 122, 129, 121, 117, 117, 124, 121, 118, 126, 124, + 127, 128, 123, 125, 132, 129, 120, 131, 130, 122, + 125, 126, 121, 132, 122, 130, 133, 134, 129, 128, + 127, 137, 136, 0, 0, 140, 134, 127, 128, 136, + 131, 132, 135, 138, 131, 130, 135, 140, 0, 133, + 138, 139, 135, 133, 134, 141, 141, 137, 137, 136, + 139, 143, 140, 142, 135, 146, 139, 144, 0, 135, + + 138, 142, 143, 135, 139, 148, 143, 232, 139, 135, + 146, 144, 141, 234, 147, 143, 148, 139, 143, 149, + 142, 154, 146, 139, 144, 148, 152, 150, 155, 143, + 149, 147, 148, 143, 147, 150, 154, 152, 153, 232, + 147, 147, 156, 148, 158, 234, 149, 153, 154, 159, + 155, 157, 253, 152, 150, 155, 0, 156, 147, 153, + 157, 147, 159, 153, 0, 153, 158, 173, 0, 156, + 165, 158, 165, 165, 153, 165, 159, 170, 157, 170, + 170, 179, 170, 180, 253, 171, 153, 171, 171, 184, + 171, 173, 181, 175, 173, 175, 175, 180, 175, 182, + + 189, 181, 183, 179, 186, 184, 185, 189, 179, 183, + 187, 182, 186, 188, 190, 180, 184, 193, 192, 181, + 192, 183, 187, 171, 180, 185, 182, 189, 191, 183, + 194, 186, 190, 185, 191, 188, 183, 187, 196, 193, + 188, 
190, 196, 199, 193, 192, 198, 200, 0, 202, + 204, 255, 200, 203, 201, 207, 194, 194, 199, 196, + 191, 191, 201, 206, 0, 204, 196, 205, 0, 196, + 199, 202, 198, 198, 205, 203, 202, 204, 207, 200, + 203, 201, 207, 255, 208, 209, 196, 197, 210, 213, + 211, 206, 197, 261, 205, 206, 209, 197, 213, 214, + + 215, 210, 211, 197, 197, 212, 208, 217, 212, 0, + 197, 208, 209, 0, 197, 210, 213, 211, 206, 197, + 212, 214, 215, 221, 197, 261, 214, 215, 0, 217, + 197, 197, 212, 218, 217, 212, 216, 219, 224, 216, + 218, 216, 226, 222, 231, 224, 227, 0, 219, 221, + 221, 237, 227, 216, 222, 216, 226, 229, 237, 0, + 218, 262, 216, 216, 219, 224, 216, 231, 216, 0, + 264, 231, 233, 227, 226, 222, 235, 233, 237, 229, + 216, 222, 216, 226, 229, 236, 238, 239, 240, 241, + 235, 240, 244, 262, 0, 242, 239, 233, 243, 233, + + 246, 239, 264, 235, 233, 245, 236, 238, 241, 242, + 244, 246, 236, 238, 239, 240, 241, 245, 249, 244, + 243, 247, 242, 239, 248, 243, 250, 246, 247, 248, + 256, 251, 245, 252, 0, 250, 259, 256, 252, 257, + 249, 254, 254, 263, 259, 249, 258, 260, 247, 265, + 254, 263, 266, 250, 251, 267, 248, 256, 251, 268, + 252, 257, 269, 259, 265, 266, 257, 260, 254, 254, + 263, 258, 270, 258, 260, 271, 265, 280, 0, 266, + 272, 267, 267, 273, 272, 269, 268, 275, 274, 276, + 277, 278, 271, 281, 269, 275, 0, 277, 284, 282, + + 271, 283, 271, 274, 270, 273, 0, 272, 276, 280, + 273, 291, 269, 278, 275, 274, 276, 277, 278, 271, + 279, 282, 285, 283, 279, 281, 282, 286, 283, 287, + 284, 288, 289, 290, 285, 290, 294, 292, 287, 0, + 286, 293, 299, 291, 288, 297, 296, 279, 298, 285, + 307, 289, 301, 299, 286, 296, 287, 302, 288, 289, + 290, 292, 294, 294, 292, 300, 293, 303, 293, 299, + 304, 297, 297, 296, 298, 298, 301, 300, 305, 301, + 302, 309, 307, 308, 302, 303, 305, 310, 304, 311, + 0, 313, 300, 314, 303, 315, 308, 304, 318, 312, + + 316, 317, 0, 319, 0, 305, 0, 318, 317, 319, + 308, 321, 310, 309, 310, 314, 312, 313, 313, 320, + 314, 311, 312, 322, 316, 318, 312, 315, 317, 324, + 319, 
323, 316, 320, 325, 326, 328, 321, 321, 327, + 323, 331, 325, 312, 326, 328, 320, 322, 332, 330, + 322, 316, 324, 329, 333, 345, 324, 337, 323, 336, + 335, 325, 326, 328, 330, 327, 327, 339, 336, 333, + 329, 0, 332, 331, 0, 332, 330, 329, 335, 337, + 329, 333, 345, 352, 337, 340, 336, 335, 341, 0, + 343, 339, 342, 342, 339, 343, 0, 329, 334, 340, + + 344, 334, 356, 341, 356, 350, 334, 334, 334, 334, + 352, 346, 340, 0, 346, 341, 334, 342, 347, 342, + 342, 346, 343, 350, 344, 334, 0, 344, 334, 356, + 347, 348, 350, 334, 334, 334, 334, 338, 346, 338, + 353, 346, 351, 348, 354, 347, 349, 349, 0, 355, + 0, 338, 338, 338, 0, 338, 349, 359, 348, 358, + 351, 338, 353, 363, 338, 357, 338, 353, 0, 351, + 354, 354, 359, 349, 349, 355, 355, 357, 338, 338, + 338, 358, 338, 360, 359, 362, 358, 361, 0, 368, + 377, 360, 357, 367, 361, 363, 366, 362, 364, 0, + + 364, 0, 0, 366, 369, 372, 371, 370, 371, 364, + 360, 0, 362, 370, 361, 367, 364, 377, 372, 376, + 367, 368, 375, 366, 364, 364, 369, 364, 373, 370, + 371, 369, 372, 371, 370, 371, 364, 378, 374, 0, + 370, 373, 382, 364, 373, 0, 373, 0, 375, 375, + 381, 376, 373, 0, 385, 373, 374, 381, 383, 378, + 382, 0, 391, 384, 378, 374, 382, 385, 373, 382, + 383, 373, 387, 373, 379, 384, 379, 381, 0, 388, + 391, 385, 379, 390, 0, 383, 379, 382, 387, 391, + 384, 379, 388, 392, 379, 390, 387, 0, 392, 387, + + 379, 379, 394, 379, 396, 393, 388, 0, 394, 379, + 390, 395, 393, 379, 399, 387, 396, 0, 379, 395, + 398, 379, 380, 397, 380, 392, 393, 410, 398, 394, + 0, 396, 393, 400, 400, 404, 401, 380, 395, 393, + 380, 397, 380, 401, 380, 403, 399, 398, 380, 380, + 397, 380, 402, 404, 403, 0, 0, 404, 0, 410, + 400, 405, 404, 401, 380, 402, 407, 380, 405, 380, + 0, 380, 389, 389, 408, 415, 413, 403, 407, 402, + 404, 403, 389, 389, 389, 389, 389, 406, 405, 389, + 409, 413, 411, 407, 406, 414, 408, 389, 412, 389, + + 389, 408, 409, 413, 416, 412, 416, 415, 414, 389, + 389, 389, 389, 389, 406, 417, 389, 409, 411, 411, + 420, 418, 414, 419, 419, 
412, 417, 420, 421, 422, + 0, 416, 423, 424, 0, 425, 426, 426, 0, 421, + 422, 431, 417, 418, 427, 423, 437, 420, 418, 429, + 428, 0, 419, 431, 426, 421, 422, 425, 424, 423, + 424, 426, 425, 426, 426, 428, 430, 427, 431, 432, + 433, 427, 434, 428, 430, 429, 429, 428, 437, 433, + 432, 426, 439, 438, 440, 434, 435, 435, 441, 442, + 451, 444, 428, 430, 0, 446, 432, 433, 435, 434, + + 435, 438, 443, 445, 439, 435, 441, 440, 443, 439, + 438, 440, 444, 435, 435, 441, 447, 451, 444, 446, + 449, 442, 446, 0, 448, 435, 445, 435, 436, 443, + 445, 448, 452, 456, 450, 453, 436, 436, 447, 454, + 436, 436, 455, 447, 436, 457, 449, 449, 450, 453, + 436, 448, 458, 459, 452, 436, 456, 457, 458, 452, + 456, 450, 453, 436, 436, 454, 454, 436, 436, 460, + 462, 436, 457, 461, 455, 459, 463, 464, 465, 458, + 459, 461, 466, 463, 467, 462, 464, 0, 468, 470, + 467, 460, 469, 465, 472, 473, 460, 462, 471, 461, + + 461, 474, 0, 463, 464, 465, 466, 474, 461, 466, + 468, 467, 470, 471, 469, 468, 470, 473, 475, 469, + 472, 472, 473, 478, 476, 471, 480, 481, 474, 476, + 482, 484, 480, 485, 483, 486, 482, 484, 489, 490, + 489, 487, 486, 492, 475, 475, 481, 489, 490, 478, + 478, 476, 483, 480, 481, 485, 487, 482, 484, 493, + 485, 483, 486, 491, 494, 489, 490, 489, 487, 496, + 491, 495, 493, 497, 0, 492, 0, 504, 498, 500, + 499, 501, 0, 499, 503, 502, 493, 511, 0, 495, + 491, 498, 506, 511, 501, 497, 494, 502, 495, 499, + + 497, 496, 503, 500, 507, 498, 500, 499, 501, 504, + 499, 503, 502, 505, 511, 508, 506, 509, 510, 506, + 505, 513, 514, 510, 512, 0, 516, 507, 508, 522, + 515, 521, 518, 517, 514, 522, 507, 516, 521, 509, + 505, 517, 508, 513, 509, 510, 518, 512, 513, 514, + 523, 512, 515, 516, 507, 524, 522, 515, 521, 518, + 517, 519, 523, 525, 527, 0, 519, 526, 519, 528, + 0, 525, 530, 0, 519, 527, 519, 523, 524, 519, + 519, 0, 524, 0, 530, 0, 519, 519, 519, 526, + 525, 527, 528, 519, 526, 519, 528, 531, 529, 530, + + 533, 519, 529, 519, 534, 532, 519, 519, 532, 0, + 535, 538, 536, 519, 534, 
538, 532, 531, 533, 531, + 529, 537, 535, 536, 531, 529, 539, 533, 540, 529, + 542, 543, 532, 539, 544, 532, 534, 535, 538, 536, + 541, 534, 541, 543, 531, 537, 546, 545, 537, 544, + 553, 550, 547, 539, 540, 540, 542, 542, 543, 545, + 547, 544, 549, 548, 552, 0, 558, 541, 548, 550, + 555, 553, 546, 546, 545, 551, 552, 553, 550, 547, + 556, 557, 560, 551, 549, 559, 562, 561, 555, 549, + 548, 552, 564, 563, 560, 561, 566, 555, 558, 562, + + 559, 564, 551, 556, 557, 563, 565, 556, 557, 560, + 566, 567, 559, 562, 561, 568, 569, 570, 568, 564, + 563, 571, 572, 566, 573, 574, 0, 575, 576, 565, + 0, 0, 0, 565, 577, 569, 567, 572, 567, 579, + 574, 576, 568, 569, 570, 578, 577, 581, 583, 572, + 580, 575, 574, 571, 575, 576, 573, 580, 581, 582, + 580, 577, 583, 579, 582, 584, 579, 578, 580, 585, + 586, 587, 578, 588, 581, 583, 589, 580, 590, 591, + 592, 0, 593, 590, 580, 0, 592, 580, 591, 594, + 595, 582, 584, 596, 598, 597, 585, 593, 587, 603, + + 588, 596, 586, 599, 0, 602, 591, 592, 589, 593, + 590, 600, 595, 594, 597, 600, 594, 595, 598, 601, + 596, 598, 597, 607, 605, 599, 604, 601, 602, 608, + 599, 603, 602, 604, 606, 616, 609, 610, 600, 0, + 0, 0, 608, 606, 612, 607, 601, 605, 611, 610, + 607, 605, 613, 604, 611, 617, 608, 614, 615, 618, + 613, 606, 609, 609, 610, 615, 612, 616, 614, 620, + 629, 612, 618, 621, 631, 611, 623, 617, 620, 613, + 0, 622, 617, 619, 614, 615, 618, 623, 619, 624, + 622, 619, 619, 626, 630, 625, 620, 627, 631, 621, + + 621, 631, 629, 623, 632, 634, 626, 619, 622, 627, + 619, 624, 630, 633, 635, 619, 624, 625, 619, 619, + 626, 630, 625, 636, 627, 638, 632, 632, 637, 634, + 639, 632, 634, 0, 636, 633, 635, 637, 640, 641, + 633, 635, 642, 643, 639, 638, 641, 651, 644, 645, + 636, 648, 638, 632, 647, 637, 644, 639, 646, 649, + 640, 643, 648, 652, 646, 640, 641, 647, 650, 642, + 643, 645, 653, 654, 654, 644, 645, 649, 648, 651, + 655, 647, 0, 650, 652, 646, 649, 656, 657, 660, + 652, 662, 658, 659, 664, 650, 653, 657, 0, 653, + + 661, 668, 654, 
663, 655, 658, 659, 655, 661, 656, + 665, 660, 668, 667, 656, 657, 660, 0, 670, 658, + 659, 673, 666, 662, 666, 663, 664, 661, 668, 671, + 663, 669, 670, 672, 665, 667, 669, 665, 674, 675, + 667, 678, 676, 671, 677, 670, 674, 672, 672, 666, + 679, 677, 680, 673, 682, 672, 671, 675, 681, 0, + 672, 683, 0, 669, 676, 674, 675, 678, 678, 676, + 679, 677, 680, 681, 672, 672, 683, 679, 685, 680, + 684, 688, 681, 685, 689, 681, 682, 686, 683, 687, + 684, 687, 689, 690, 691, 692, 693, 696, 705, 0, + + 681, 694, 684, 691, 692, 693, 688, 684, 688, 694, + 685, 689, 695, 686, 686, 697, 687, 684, 690, 695, + 690, 691, 692, 693, 699, 698, 701, 0, 694, 696, + 705, 703, 700, 702, 704, 701, 699, 707, 697, 695, + 703, 702, 697, 698, 700, 712, 704, 706, 708, 709, + 707, 699, 698, 701, 706, 703, 710, 709, 703, 700, + 702, 704, 710, 708, 707, 711, 714, 703, 712, 713, + 715, 0, 712, 711, 706, 708, 709, 714, 713, 715, + 716, 716, 717, 710, 719, 720, 718, 0, 721, 716, + 717, 0, 711, 714, 718, 722, 713, 715, 720, 727, + + 0, 725, 724, 723, 0, 0, 719, 716, 716, 717, + 724, 719, 720, 718, 721, 721, 723, 725, 722, 726, + 728, 727, 722, 730, 731, 729, 727, 732, 725, 724, + 723, 728, 726, 729, 735, 733, 734, 730, 736, 734, + 739, 0, 743, 0, 731, 0, 726, 728, 737, 732, + 730, 731, 729, 738, 732, 733, 735, 737, 739, 740, + 736, 735, 733, 734, 741, 736, 742, 739, 744, 746, + 745, 747, 740, 738, 743, 737, 749, 752, 754, 751, + 738, 742, 741, 748, 747, 751, 740, 750, 749, 755, + 744, 741, 746, 742, 745, 744, 746, 745, 747, 753, + + 750, 748, 756, 749, 752, 754, 751, 753, 759, 758, + 748, 755, 760, 0, 750, 761, 755, 758, 762, 760, + 756, 763, 764, 763, 765, 753, 753, 766, 768, 756, + 767, 764, 0, 762, 753, 773, 758, 768, 761, 760, + 759, 769, 761, 769, 770, 762, 766, 773, 763, 764, + 767, 770, 0, 776, 766, 768, 765, 767, 779, 782, + 780, 0, 773, 776, 782, 0, 784, 783, 769, 0, + 0, 770, 771, 0, 790, 771, 779, 786, 791, 771, + 776, 780, 771, 790, 784, 779, 782, 780, 783, 771, + 771, 791, 771, 784, 783, 
787, 785, 771, 788, 771, + + 786, 790, 771, 0, 786, 791, 771, 785, 792, 771, + 789, 793, 796, 795, 817, 792, 771, 771, 0, 771, + 795, 787, 787, 785, 788, 788, 789, 797, 0, 798, + 799, 0, 0, 797, 796, 792, 801, 789, 798, 796, + 795, 817, 802, 793, 794, 794, 800, 794, 805, 800, + 794, 0, 801, 799, 797, 794, 798, 799, 803, 801, + 805, 794, 794, 801, 802, 804, 803, 807, 812, 802, + 794, 794, 794, 800, 794, 805, 806, 794, 806, 801, + 809, 808, 794, 810, 811, 803, 808, 804, 794, 794, + 812, 807, 804, 813, 807, 812, 811, 819, 815, 814, + + 809, 816, 818, 806, 0, 0, 820, 809, 821, 810, + 810, 811, 819, 808, 820, 824, 0, 825, 832, 813, + 813, 814, 815, 816, 819, 815, 814, 818, 816, 818, + 822, 821, 823, 820, 824, 821, 826, 822, 827, 834, + 823, 828, 824, 825, 825, 829, 830, 831, 826, 833, + 832, 827, 831, 835, 829, 837, 838, 822, 835, 823, + 839, 830, 840, 826, 842, 827, 834, 828, 828, 839, + 840, 833, 829, 830, 831, 843, 833, 837, 844, 841, + 845, 847, 837, 0, 846, 835, 841, 839, 838, 840, + 848, 849, 851, 850, 852, 0, 842, 843, 856, 853, + + 847, 851, 843, 854, 845, 846, 841, 845, 847, 856, + 844, 846, 850, 858, 859, 855, 852, 848, 849, 851, + 850, 852, 853, 854, 855, 856, 853, 857, 860, 861, + 854, 862, 859, 866, 863, 857, 0, 864, 0, 867, + 858, 859, 855, 863, 870, 864, 868, 860, 869, 868, + 871, 866, 873, 0, 857, 860, 861, 867, 872, 0, + 866, 863, 870, 862, 864, 873, 867, 874, 875, 874, + 869, 870, 879, 868, 871, 869, 876, 871, 877, 873, + 872, 880, 882, 877, 878, 872, 875, 0, 881, 883, + 876, 888, 883, 880, 874, 875, 881, 878, 879, 879, + + 882, 887, 890, 876, 884, 892, 885, 0, 880, 882, + 877, 878, 892, 884, 885, 881, 883, 889, 888, 891, + 893, 901, 896, 889, 890, 891, 887, 893, 887, 890, + 885, 884, 892, 885, 894, 895, 898, 902, 0, 894, + 896, 885, 895, 900, 889, 899, 891, 893, 897, 896, + 903, 900, 897, 901, 899, 902, 904, 907, 905, 898, + 906, 894, 895, 898, 902, 903, 905, 904, 909, 908, + 900, 910, 899, 906, 911, 897, 914, 903, 907, 913, + 922, 909, 912, 904, 907, 
905, 913, 906, 908, 916, + 912, 923, 915, 910, 914, 909, 908, 917, 910, 915, + + 918, 911, 919, 914, 917, 918, 913, 920, 916, 912, + 919, 921, 922, 924, 920, 925, 916, 926, 921, 915, + 928, 927, 929, 923, 917, 936, 924, 918, 927, 919, + 926, 931, 930, 937, 920, 932, 0, 938, 921, 931, + 924, 933, 941, 932, 926, 934, 0, 925, 927, 935, + 932, 934, 928, 940, 929, 930, 943, 936, 931, 930, + 939, 938, 932, 933, 938, 937, 942, 940, 933, 939, + 932, 0, 934, 942, 941, 935, 935, 944, 945, 946, + 940, 950, 959, 943, 947, 948, 944, 939, 949, 947, + 951, 952, 946, 942, 946, 951, 959, 948, 952, 988, + + 945, 953, 954, 946, 944, 945, 946, 950, 950, 959, + 954, 949, 948, 957, 964, 949, 947, 951, 952, 946, + 960, 946, 956, 953, 961, 956, 957, 960, 953, 954, + 961, 988, 965, 0, 0, 963, 966, 964, 0, 0, + 957, 964, 971, 0, 965, 968, 967, 960, 967, 956, + 0, 961, 962, 970, 962, 969, 0, 989, 962, 965, + 962, 963, 963, 966, 971, 962, 970, 969, 968, 971, + 962, 972, 968, 967, 977, 974, 962, 975, 973, 962, + 970, 962, 969, 973, 972, 962, 977, 962, 976, 989, + 975, 979, 962, 974, 980, 978, 981, 962, 972, 983, + + 976, 977, 974, 985, 975, 978, 979, 982, 986, 981, + 973, 976, 983, 982, 987, 976, 980, 978, 979, 984, + 990, 980, 978, 981, 992, 985, 983, 976, 993, 986, + 985, 994, 978, 993, 982, 986, 987, 984, 997, 994, + 995, 987, 998, 1003, 999, 1000, 984, 990, 0, 995, + 1001, 0, 1002, 997, 0, 993, 992, 999, 994, 1009, + 1000, 0, 1003, 0, 998, 997, 1020, 995, 996, 998, + 1003, 999, 1000, 996, 1002, 996, 1001, 1001, 1004, 1002, + 1006, 996, 1007, 1005, 1010, 0, 996, 996, 1006, 1004, + 1007, 1009, 1008, 996, 996, 996, 1005, 1011, 1020, 0, + + 996, 1016, 996, 1008, 1013, 1004, 1010, 1006, 996, 1007, + 1005, 1010, 1011, 996, 996, 1013, 1012, 1014, 1015, 1008, + 996, 1024, 1018, 1017, 1011, 1012, 1014, 1015, 1016, 1018, + 1021, 1013, 1022, 1023, 1025, 1024, 1026, 0, 1029, 1032, + 1022, 1031, 0, 1012, 1014, 1015, 1017, 0, 1024, 1018, + 1017, 1030, 1031, 1027, 1021, 1023, 1029, 1021, 1026, 1022, + 
1023, 1027, 1034, 1026, 1033, 1029, 1025, 0, 1031, 1030, + 1034, 1032, 1035, 1037, 1036, 1039, 1038, 1040, 1030, 1041, + 1027, 1036, 1033, 1038, 1042, 1044, 1037, 0, 1043, 1034, + 1039, 1033, 1051, 1052, 1035, 1040, 1046, 1041, 1043, 1035, + + 1037, 1036, 1039, 1038, 1040, 1042, 1041, 1046, 1048, 1049, + 1050, 1042, 1050, 1055, 1051, 1043, 1049, 1044, 1053, 1051, + 1054, 1048, 1055, 1046, 1057, 1052, 1053, 1056, 1058, 0, + 1061, 1062, 1064, 1054, 1063, 1048, 1049, 1050, 1065, 1056, + 1055, 1066, 1070, 0, 1067, 1053, 1057, 1054, 1068, 1062, + 1058, 1057, 1061, 1070, 1056, 1058, 1067, 1061, 1062, 1066, + 1063, 1063, 1068, 1073, 1064, 1074, 1073, 1071, 1066, 1070, + 1065, 1067, 1071, 1075, 1076, 1068, 1077, 1074, 1082, 1079, + 1078, 1080, 1081, 1077, 1084, 1089, 0, 1076, 1079, 1073, + 1073, 1078, 1074, 1073, 1081, 1080, 1086, 1075, 1083, 1071, + + 1075, 1076, 1085, 1077, 1087, 1083, 1079, 1078, 1080, 1081, + 1082, 1089, 1089, 1090, 1085, 1091, 1084, 1087, 1086, 1092, + 1095, 1091, 1093, 1086, 1094, 1083, 1096, 0, 1097, 1085, + 1098, 1087, 1101, 1100, 1103, 1094, 1104, 1090, 1095, 1114, + 1090, 1092, 1091, 1101, 1093, 1098, 1092, 1095, 1096, 1093, + 1097, 1094, 1102, 1096, 1100, 1097, 1105, 1098, 1106, 1101, + 1100, 1108, 1107, 1104, 1110, 0, 1103, 1106, 1109, 1111, + 1112, 1114, 1110, 1102, 1105, 1115, 1111, 1109, 1113, 1102, + 1116, 1117, 1118, 1105, 1119, 1106, 1107, 1108, 1108, 1107, + 1121, 1110, 1113, 1120, 1112, 1109, 1111, 1112, 1126, 1123, + + 1128, 1124, 1127, 1117, 1118, 1113, 1125, 1115, 1117, 1118, + 1124, 1133, 1116, 1125, 1129, 1120, 1119, 1130, 1131, 1133, + 1120, 1123, 1121, 1134, 1127, 1132, 1123, 1128, 1124, 1127, + 1126, 1135, 1129, 1125, 1132, 1130, 1141, 1136, 1133, 1137, + 1131, 1129, 1138, 1144, 1130, 1131, 1140, 1134, 1139, 1142, + 1134, 1138, 1132, 1136, 1140, 1135, 1145, 0, 1135, 1143, + 0, 1137, 1148, 1139, 1136, 1144, 1137, 1149, 1141, 1138, + 1144, 1143, 1146, 1140, 1147, 1139, 1149, 1148, 1152, 1151, + 1146, 1142, 1153, 1145, 1156, 1157, 
1143, 1147, 1151, 1148, + 1153, 1154, 1156, 1154, 1149, 1158, 1152, 1159, 1160, 1146, + + 1161, 1147, 1163, 1167, 1164, 1152, 1151, 1161, 1165, 1153, + 1166, 1156, 1157, 1168, 1158, 1163, 1164, 1170, 1154, 1159, + 1160, 1167, 1158, 1165, 1159, 1160, 1169, 1161, 1171, 1163, + 1167, 1164, 1166, 1169, 1172, 1165, 1173, 1166, 0, 1174, + 1168, 1176, 1177, 1175, 1179, 1172, 0, 1181, 0, 1170, + 1178, 1180, 1185, 1169, 1176, 1177, 1179, 0, 1173, 1180, + 1171, 1172, 0, 1173, 1174, 1175, 1174, 1181, 1176, 1177, + 1175, 1179, 1178, 1182, 1181, 1183, 1186, 1178, 1180, 1185, + 1188, 1187, 0, 1183, 1189, 1182, 1190, 1191, 1195, 1186, + 1187, 1196, 1188, 1190, 1193, 0, 1191, 0, 1191, 1197, + + 1182, 1191, 1183, 1186, 1194, 1189, 0, 1188, 1187, 1191, + 1195, 1189, 1199, 1190, 1191, 1195, 1198, 1193, 1196, 1197, + 1202, 1193, 1203, 1191, 1200, 1191, 1197, 1204, 1191, 1198, + 1194, 1194, 1200, 1201, 1206, 1204, 1199, 1205, 1202, 1199, + 1207, 1209, 1201, 1198, 1203, 1208, 1212, 1202, 1210, 1203, + 0, 1200, 1205, 1217, 1204, 1213, 1210, 1209, 1208, 1214, + 1201, 1216, 1207, 1215, 1205, 0, 1206, 1207, 1209, 1218, + 1215, 0, 1208, 1212, 1224, 1210, 1217, 1213, 0, 1219, + 1217, 1214, 1213, 1216, 1221, 1220, 1214, 1218, 1216, 1222, + 1215, 1219, 1221, 1223, 1224, 1225, 1218, 1220, 1222, 1226, + + 1228, 1224, 1227, 1229, 1231, 1223, 1219, 1226, 1227, 1228, + 1225, 1221, 1220, 1222, 1232, 1234, 1222, 0, 0, 1230, + 1223, 1232, 1225, 1237, 1229, 1222, 1226, 1228, 1233, 1227, + 1229, 1230, 1235, 1234, 0, 1233, 1231, 1236, 1237, 1238, + 1240, 1232, 1234, 1241, 1235, 1236, 1230, 1238, 0, 1239, + 1237, 1239, 1240, 1242, 1244, 1233, 1245, 1246, 1247, 1235, + 1242, 1249, 1248, 1251, 1236, 1250, 1238, 1240, 1245, 1248, + 1246, 1256, 1249, 1253, 1252, 1241, 1239, 1247, 1251, 1252, + 1242, 1253, 1254, 1245, 1246, 1247, 1244, 1250, 1249, 1248, + 1251, 1255, 1250, 1258, 1259, 1254, 1260, 1256, 1256, 0, + + 1253, 0, 0, 1261, 1264, 1255, 1252, 1258, 0, 1254, + 0, 1262, 1259, 1265, 0, 1272, 1263, 1266, 
1255, 1257, + 1258, 1259, 1267, 1257, 1272, 1271, 1257, 1257, 1260, 1261, + 1261, 1257, 1271, 1262, 1263, 1265, 1264, 1257, 1262, 1266, + 1265, 1257, 1272, 1263, 1266, 1257, 1257, 1269, 1267, 1267, + 1257, 1268, 1271, 1257, 1257, 1273, 0, 1268, 1257, 1270, + 1274, 1270, 1276, 1281, 1257, 0, 1275, 0, 1257, 1277, + 1280, 1279, 1278, 1269, 1269, 1282, 1277, 1284, 1268, 1280, + 1276, 1283, 0, 1270, 1279, 1289, 1270, 1273, 1270, 1276, + 1275, 1285, 1274, 1275, 1278, 1281, 1277, 1280, 1279, 1278, + + 1284, 0, 1288, 1283, 1284, 1285, 1291, 1282, 1283, 1287, + 0, 1289, 1289, 1290, 1290, 1288, 1293, 0, 1285, 1286, + 1294, 0, 1291, 1297, 1286, 0, 1286, 1295, 1286, 1288, + 1286, 1287, 1294, 1291, 1295, 1296, 1287, 1286, 1299, 1293, + 1298, 1297, 1290, 1293, 1296, 1298, 1286, 1294, 1301, 1303, + 1297, 1286, 1307, 1286, 1295, 1286, 1299, 1286, 1300, 0, + 1302, 1304, 1296, 1300, 1306, 1299, 1305, 1303, 1308, 1304, + 1301, 1309, 1298, 1302, 1305, 1301, 1303, 1306, 1310, 1311, + 1312, 1314, 0, 1313, 1307, 1300, 1309, 1302, 1304, 1315, + 1319, 1306, 1311, 1305, 1308, 1308, 1313, 1310, 1309, 1314, + + 1318, 1321, 1312, 1316, 1322, 1310, 1311, 1312, 1314, 1315, + 1313, 1317, 1316, 1317, 1320, 1324, 1315, 1319, 1325, 1327, + 1328, 1330, 1318, 1331, 1326, 0, 1320, 1318, 1321, 1322, + 1316, 1322, 1326, 1332, 1336, 1341, 1329, 1327, 1317, 1324, + 1325, 1320, 1324, 1329, 1338, 1325, 1327, 1328, 1330, 1331, + 1331, 1326, 1333, 1334, 1338, 1332, 1335, 1337, 1333, 1334, + 1332, 1336, 1335, 1329, 1337, 1339, 1340, 1341, 1342, 1343, + 0, 1338, 1344, 1340, 1347, 1351, 1345, 1349, 1350, 1333, + 1334, 0, 1348, 1335, 1337, 1345, 1352, 1343, 1351, 1339, + 1342, 1349, 1339, 1340, 1348, 1342, 1343, 1344, 1347, 1344, + + 1350, 1347, 1351, 1345, 1349, 1350, 1353, 1354, 1352, 1348, + 1356, 1355, 0, 1352, 1357, 1359, 1364, 1358, 1365, 1368, + 0, 0, 1360, 0, 1359, 1353, 1361, 0, 0, 1354, + 1366, 1362, 1356, 1353, 1354, 1355, 1369, 1356, 1355, 1358, + 1357, 1357, 1359, 1360, 1358, 1362, 1361, 1367, 1364, 
1360, + 1365, 1368, 1366, 1361, 1369, 1371, 1370, 1366, 1362, 1372, + 1373, 1376, 1375, 1369, 1370, 1378, 1379, 1373, 1377, 1367, + 1376, 1371, 1380, 1379, 1367, 1381, 1380, 1378, 1382, 1383, + 1385, 0, 1371, 1370, 1375, 1377, 1372, 1373, 1376, 1375, + 1386, 1387, 1378, 1379, 1388, 1377, 1386, 0, 1387, 1380, + + 1383, 1388, 1390, 1386, 1389, 1391, 1383, 1381, 1392, 1393, + 1382, 1394, 1385, 1394, 1391, 1390, 1393, 1386, 1387, 1389, + 1396, 1388, 1397, 1386, 1395, 0, 1398, 1405, 1399, 1390, + 1398, 1389, 1391, 1395, 1392, 1392, 1393, 1401, 1394, 1402, + 1404, 1414, 1396, 1403, 1402, 1401, 1405, 1396, 1406, 1397, + 1399, 1395, 1403, 1398, 1405, 1399, 1407, 1408, 1404, 1409, + 1408, 1406, 1409, 0, 1401, 1412, 1411, 1404, 1407, 1408, + 1403, 1402, 1410, 1414, 1415, 1406, 0, 1417, 1412, 1416, + 1418, 1409, 1417, 1407, 1408, 1420, 1409, 1408, 1418, 1409, + 1410, 1411, 1412, 1411, 1420, 1416, 1421, 1415, 1422, 1410, + + 1423, 1415, 1419, 1419, 1424, 0, 1416, 1418, 1425, 1417, + 1426, 1429, 1420, 1424, 1427, 1425, 1432, 1430, 1421, 1431, + 1422, 1427, 1423, 1421, 1429, 1422, 1430, 1423, 1431, 1419, + 1433, 1424, 1426, 1436, 1437, 1425, 1434, 1426, 1429, 1435, + 1438, 1427, 1432, 1432, 1430, 1434, 1431, 1435, 1439, 1437, + 1441, 1438, 1442, 1433, 1444, 1440, 1439, 1433, 0, 1450, + 1445, 1437, 1441, 1434, 1442, 1436, 1435, 1438, 1440, 1446, + 1443, 1449, 1455, 1456, 1447, 1439, 1444, 1441, 1443, 1442, + 1445, 1444, 1440, 1447, 1448, 1450, 1450, 1445, 1451, 1449, + 1448, 1446, 1452, 1464, 1454, 1453, 1446, 1443, 1449, 1457, + + 1451, 1447, 1453, 1458, 1455, 1456, 1459, 1460, 1462, 1463, + 1452, 1448, 1457, 1461, 1462, 1451, 1465, 1466, 1467, 1452, + 1454, 1454, 1453, 1470, 1461, 1464, 1457, 1474, 1460, 1458, + 1458, 1463, 1468, 1459, 1460, 1462, 1463, 1471, 1472, 0, + 1461, 0, 1474, 1473, 1467, 1467, 1477, 0, 1465, 1466, + 1470, 1468, 1473, 1468, 1474, 1475, 1472, 1476, 1468, 1468, + 1471, 1478, 1480, 1481, 1471, 1472, 1477, 1479, 1475, 1476, + 1473, 1484, 1485, 1477, 1479, 
1483, 1484, 1485, 1468, 1482, + 1468, 1480, 1475, 1483, 1476, 1481, 1486, 1478, 1478, 1480, + 1481, 1487, 1482, 1486, 1479, 0, 1490, 1488, 1491, 1489, + + 1492, 1494, 1483, 1484, 1485, 1488, 1482, 1489, 1492, 1493, + 1494, 1495, 1496, 1486, 1490, 1498, 1493, 1487, 1487, 1499, + 1491, 1497, 1498, 1490, 1488, 1491, 1489, 1492, 1494, 1501, + 1497, 1499, 1500, 1500, 1496, 1503, 1493, 1502, 1504, 1496, + 1510, 1505, 1498, 1495, 1506, 1502, 1499, 1507, 1497, 1505, + 1508, 1512, 1506, 1510, 1511, 1507, 1503, 1509, 1508, 1500, + 1511, 1501, 1503, 1512, 1502, 1509, 1513, 1510, 1505, 0, + 1504, 1506, 1514, 1517, 1507, 1515, 1518, 1508, 1512, 1516, + 1519, 1511, 1520, 1515, 1509, 1521, 1523, 1516, 1517, 0, + 0, 1522, 1513, 1513, 1529, 0, 1514, 1524, 1523, 1514, + + 1517, 1533, 1515, 1518, 1520, 1522, 1516, 1519, 1521, 1520, + 1526, 1525, 1521, 1523, 1526, 1524, 1529, 1528, 1522, 1530, + 1534, 1529, 1531, 1532, 1524, 1525, 1528, 1526, 1533, 1531, + 1535, 1530, 1538, 1536, 1532, 1526, 1539, 1526, 1525, 1537, + 1546, 1526, 1534, 1544, 1528, 1536, 1530, 1534, 1540, 1531, + 1532, 1541, 1542, 1537, 1526, 1547, 1543, 1554, 1539, 1542, + 1536, 1544, 1535, 1539, 1538, 1543, 1537, 1551, 1549, 1545, + 1544, 1540, 1546, 1551, 1541, 1540, 1545, 1549, 1541, 1542, + 1552, 1555, 1547, 1543, 1553, 1557, 1560, 0, 1555, 1554, + 1559, 1565, 1561, 1562, 1551, 1549, 1545, 0, 1563, 1566, + + 0, 0, 1552, 1561, 1562, 1566, 1568, 1552, 1555, 1563, + 1553, 1553, 1557, 1560, 1559, 1565, 1567, 1559, 1565, 1561, + 1562, 1569, 1571, 1567, 1568, 1563, 1566, 1570, 1569, 1572, + 1573, 0, 1575, 1568, 1571, 1572, 1574, 1576, 1573, 1577, + 1580, 1579, 0, 1567, 1578, 1575, 0, 1584, 1569, 1571, + 1579, 1583, 1580, 1570, 1570, 1585, 1572, 1573, 1574, 1575, + 1584, 1586, 1578, 1574, 1585, 1577, 1577, 1580, 1579, 1576, + 1581, 1578, 1581, 1582, 1584, 1587, 1588, 1583, 1583, 1590, + 1582, 1589, 1585, 1586, 1591, 1592, 1590, 1587, 1586, 1594, + 1592, 1593, 1595, 1596, 1599, 1597, 0, 1581, 0, 1593, + + 1582, 1596, 1587, 
1588, 1589, 1594, 1590, 1600, 1589, 1601, + 1591, 1591, 1592, 1602, 1603, 1595, 1594, 1597, 1593, 1595, + 1596, 1599, 1597, 1601, 1604, 1603, 1605, 0, 1609, 1606, + 1606, 1600, 1607, 1604, 1600, 1602, 1601, 1606, 1610, 1605, + 1602, 1603, 1608, 1611, 1608, 1607, 1613, 0, 1614, 1615, + 1611, 1604, 1617, 1605, 1609, 1609, 1606, 1606, 1618, 1607, + 1610, 1612, 0, 1619, 1621, 1610, 1614, 1616, 1612, 1608, + 1611, 1615, 1624, 1613, 1616, 1614, 1615, 1617, 1623, 1617, + 1618, 1626, 1620, 1629, 1625, 1618, 1629, 1630, 1612, 1620, + 1628, 1623, 1625, 1631, 1616, 1619, 1621, 1633, 1635, 1624, + + 0, 0, 1626, 1632, 1649, 1623, 1633, 1636, 1626, 1620, + 1629, 1625, 1628, 1630, 1630, 1634, 1632, 1628, 0, 1631, + 1631, 1638, 1635, 1637, 1633, 1635, 1641, 1634, 1639, 1642, + 1632, 1649, 1637, 1636, 1636, 1639, 1638, 1640, 1643, 1645, + 1640, 1646, 1634, 1647, 1651, 1647, 1650, 1648, 1638, 1650, + 1637, 1642, 1640, 1652, 1643, 1639, 1642, 1645, 1641, 1656, + 1653, 1640, 1643, 1646, 1640, 1643, 1645, 1640, 1646, 1654, + 1647, 1648, 1655, 1650, 1648, 1657, 1651, 1659, 1658, 1640, + 1660, 1643, 1653, 1661, 1662, 1652, 1659, 1653, 1660, 1663, + 1661, 1656, 1658, 1664, 1665, 1654, 1654, 1657, 1655, 1655, + + 1666, 1667, 1657, 1670, 1659, 1658, 0, 1660, 1662, 1668, + 1661, 1662, 1669, 1668, 1672, 1671, 1676, 1673, 0, 1677, + 1674, 1663, 1666, 1672, 1673, 1664, 1665, 1666, 1674, 1676, + 1670, 1675, 1677, 1667, 1669, 1678, 1668, 1671, 1675, 1669, + 1679, 1672, 1671, 1676, 1673, 1681, 1677, 1674, 1678, 1679, + 1680, 1682, 1680, 1683, 1684, 1686, 1687, 1689, 1675, 1688, + 0, 1683, 1678, 0, 0, 0, 0, 1679, 1681, 1694, + 1686, 1687, 1681, 1688, 1684, 1693, 1682, 1680, 1682, 1691, + 1683, 1684, 1686, 1687, 1690, 1692, 1688, 1694, 1693, 1689, + 1691, 1690, 1692, 1694, 1695, 1696, 1694, 1698, 1699, 1706, + + 1701, 1700, 1693, 1702, 1703, 1699, 1691, 1705, 1706, 0, + 1705, 1690, 1692, 1696, 1694, 1701, 1703, 1707, 0, 1704, + 1695, 1695, 1696, 1700, 1698, 1699, 1706, 1701, 1700, 1702, + 1702, 
1703, 1704, 1708, 1705, 1707, 1709, 1710, 1711, 1715, + 1710, 1715, 1713, 1717, 1707, 1708, 1704, 1713, 1716, 1711, + 1718, 1722, 1720, 1719, 1713, 1710, 1709, 1721, 0, 1723, + 1708, 1720, 0, 1709, 1710, 1711, 1715, 1710, 1719, 1713, + 1717, 1725, 1716, 1723, 1713, 1716, 1727, 1718, 1722, 1720, + 1719, 1721, 1724, 1726, 1721, 1728, 1723, 1730, 1731, 1729, + 1724, 1728, 0, 1725, 1733, 1730, 1737, 1736, 1725, 1731, + + 1727, 1732, 1733, 1727, 1734, 1726, 1735, 1734, 0, 1724, + 1726, 1729, 1728, 1739, 1730, 1731, 1729, 1738, 1740, 1732, + 1739, 1733, 1734, 1737, 1735, 1742, 1741, 1745, 1732, 1736, + 1743, 1734, 1740, 1735, 1734, 1741, 1746, 1738, 1742, 1751, + 1739, 1743, 1744, 1752, 1738, 1740, 1749, 1744, 1749, 1745, + 1750, 1746, 1742, 1741, 1745, 0, 1766, 1743, 1753, 1750, + 1754, 1766, 1756, 1746, 1755, 1751, 1751, 1752, 1755, 1753, + 1752, 1758, 1759, 1749, 1744, 1761, 1756, 1750, 1754, 1757, + 1760, 1759, 1757, 1766, 1761, 1753, 1760, 1754, 1756, 1756, + 1755, 1755, 1764, 1758, 1767, 1755, 1762, 1757, 1758, 1759, + + 1765, 1762, 1761, 1756, 1768, 1764, 1757, 1760, 1769, 1757, + 1771, 1770, 1765, 1772, 1773, 1775, 1767, 1768, 0, 1764, + 1770, 1767, 1774, 1776, 1780, 1778, 1779, 1765, 1762, 0, + 1783, 1768, 1778, 0, 1781, 1774, 1773, 1771, 1770, 1779, + 1769, 1773, 1791, 0, 1776, 1772, 1785, 1775, 1781, 1774, + 1776, 1782, 1778, 1779, 1792, 1787, 1780, 1782, 1788, 1789, + 1790, 1781, 1783, 1787, 1791, 1785, 1788, 1789, 1799, 1791, + 1796, 1794, 1792, 1785, 1793, 1782, 1795, 1800, 1782, 1790, + 1797, 1792, 1787, 1796, 1782, 1788, 1789, 1790, 1793, 1794, + 1795, 1798, 1801, 1797, 1802, 1803, 1805, 1796, 1794, 1804, + + 1799, 1793, 1806, 1795, 1807, 1805, 1804, 1797, 1802, 1800, + 1806, 1808, 1798, 1809, 1814, 1810, 1801, 1811, 1798, 1801, + 1810, 1802, 1803, 1805, 1812, 1808, 1804, 1815, 1811, 1806, + 1816, 1807, 0, 1812, 1815, 1829, 1817, 1819, 1808, 1798, + 1818, 1814, 1810, 1820, 1811, 1809, 1822, 1818, 1821, 0, + 1822, 1812, 1824, 1816, 1815, 1833, 1825, 1816, 
1817, 1819, + 1826, 1827, 1829, 1817, 1819, 1820, 1821, 1818, 1824, 1828, + 1820, 1831, 1830, 1822, 1825, 1821, 1827, 1832, 1834, 1824, + 1830, 1828, 1833, 1825, 1826, 1832, 1831, 1826, 1827, 1835, + 1840, 1834, 1836, 1837, 1839, 1841, 1828, 1840, 1831, 1830, + + 0, 1843, 1839, 1842, 1832, 1834, 1845, 1836, 1837, 1835, + 1843, 1844, 1846, 1847, 1851, 1849, 1835, 1840, 1842, 1836, + 1837, 1839, 1852, 1850, 0, 0, 1854, 1841, 1843, 1853, + 1842, 1855, 1844, 1845, 0, 0, 1846, 1849, 1844, 1846, + 1847, 1850, 1849, 1857, 1853, 1856, 1851, 1860, 1857, 1852, + 1850, 1854, 1856, 1854, 1858, 1855, 1853, 1859, 1855, 1862, + 1861, 1863, 1866, 1858, 1867, 1872, 1859, 1864, 1865, 1860, + 1857, 1867, 1856, 0, 1860, 1866, 1863, 1862, 1868, 1864, + 1866, 1858, 1861, 1871, 1859, 1868, 1862, 1861, 1863, 1866, + 1865, 1867, 1869, 1873, 1864, 1865, 1870, 1872, 1875, 1873, + + 1868, 0, 1866, 1876, 1880, 1868, 1878, 1877, 1870, 1875, + 1871, 1876, 1868, 1882, 1869, 1877, 1883, 1878, 1884, 1869, + 1873, 1879, 1881, 1870, 1881, 1875, 1886, 1891, 1879, 1880, + 1876, 1880, 1887, 1878, 1877, 1881, 1888, 1885, 1892, 1882, + 1882, 1889, 1888, 1883, 1885, 1884, 1890, 1889, 1879, 1881, + 1893, 1881, 1890, 1886, 1891, 1896, 1894, 1897, 1887, 1887, + 1898, 1892, 0, 1888, 1885, 1892, 1897, 1899, 1889, 1900, + 1902, 1900, 1903, 1890, 1901, 1905, 1906, 1912, 1904, 1903, + 1894, 0, 1893, 1894, 1897, 1907, 1908, 1896, 1906, 1899, + 1910, 1907, 1898, 1909, 1899, 1917, 1900, 1902, 1901, 1903, + + 1904, 1901, 1905, 1906, 1911, 1904, 0, 1914, 1908, 1912, + 1915, 1916, 1907, 1908, 1914, 1909, 1910, 1910, 1916, 1915, + 1909, 1913, 1913, 1913, 1920, 1918, 1911, 1917, 1913, 1924, + 0, 1911, 1918, 1919, 1914, 1921, 1913, 1915, 1916, 1926, + 1919, 1923, 1924, 1929, 1920, 1927, 1923, 1925, 1913, 1913, + 1913, 1920, 1918, 1928, 1933, 1913, 1924, 1921, 1930, 1925, + 1919, 1927, 1921, 1931, 1926, 1928, 1926, 1934, 1934, 1935, + 1931, 1932, 1927, 1923, 1925, 1929, 1930, 1932, 1937, 1936, + 1928, 1933, 1938, 1937, 
1939, 1930, 1936, 1943, 1949, 1944, + 1931, 1944, 1940, 0, 1934, 1935, 1935, 1945, 1932, 1940, + + 1947, 1948, 1950, 1953, 1952, 1937, 1936, 1948, 1938, 1938, + 1950, 1939, 1951, 1955, 1943, 1945, 1944, 1952, 1947, 1940, + 1949, 1956, 1964, 1951, 1945, 1955, 1954, 1947, 1948, 1950, + 1953, 1952, 1954, 1957, 1958, 1958, 1959, 1960, 1960, 1951, + 1955, 1956, 1963, 1961, 1964, 1965, 1967, 0, 1956, 1964, + 1968, 1957, 1966, 1954, 1961, 1972, 1969, 1971, 1973, 1966, + 1957, 1958, 1959, 1959, 1960, 1971, 1967, 1974, 1975, 1979, + 1961, 1977, 1978, 1967, 1963, 1980, 1976, 1965, 1977, 1966, + 1978, 1969, 1968, 1969, 1971, 1973, 1975, 1972, 1976, 1974, + 1980, 1981, 1982, 1979, 1974, 1975, 1979, 1984, 1977, 1978, + + 1985, 1982, 1980, 1976, 1983, 1983, 1986, 1987, 1988, 1991, + 1989, 0, 1992, 1994, 1987, 1981, 1991, 1992, 1981, 1982, + 1988, 1993, 1995, 1984, 1984, 1995, 1989, 2003, 2000, 1997, + 2004, 1983, 1985, 1989, 1987, 1988, 1991, 1989, 1986, 1992, + 1994, 1997, 1996, 1993, 1999, 2003, 2001, 2002, 1993, 1995, + 1996, 2000, 1999, 1989, 2003, 2000, 1997, 2004, 2005, 2006, + 2007, 2008, 2010, 2009, 2006, 2015, 0, 2008, 2002, 1996, + 2010, 1999, 2001, 2001, 2002, 2006, 2009, 2011, 0, 2020, + 2024, 2005, 2021, 2016, 2017, 2005, 2006, 2007, 2008, 2010, + 2009, 2006, 2016, 2012, 2013, 2014, 2017, 2015, 2024, 2011, + + 2012, 2013, 2014, 2018, 2011, 2019, 2020, 2024, 2021, 2021, + 2016, 2017, 2022, 2025, 2027, 2028, 2026, 2030, 2025, 2019, + 2012, 2013, 2014, 2026, 2032, 2018, 2031, 2034, 2036, 2025, + 2018, 2031, 2019, 2035, 2035, 2022, 2027, 2037, 2038, 2022, + 2025, 2027, 2028, 2026, 2030, 2025, 2040, 2042, 2041, 2045, + 2036, 2043, 2037, 2047, 0, 2036, 2032, 2048, 2031, 2034, + 2035, 2040, 2042, 2044, 2037, 2044, 2051, 2046, 2049, 2060, + 2038, 2041, 2046, 2040, 2042, 2041, 2049, 2043, 2043, 2050, + 2056, 2045, 2052, 2054, 2048, 2047, 2050, 2058, 2051, 2059, + 2044, 2055, 2061, 2051, 2046, 2049, 2060, 2052, 2054, 2055, + + 2063, 2062, 2056, 2064, 2065, 0, 2050, 2056, 
2062, 2052, + 2054, 2058, 2066, 2071, 2058, 2059, 2059, 2067, 2055, 2061, + 2069, 2072, 0, 2073, 2064, 2078, 2065, 0, 2062, 0, + 2064, 2065, 2063, 2066, 0, 2067, 2072, 2071, 2075, 2066, + 2071, 2076, 2069, 2079, 2067, 2077, 0, 2069, 2072, 2073, + 2073, 2080, 2078, 2075, 2081, 2082, 2076, 2083, 0, 2084, + 2086, 2079, 2085, 2087, 2090, 2075, 2084, 2077, 2076, 2086, + 2079, 2087, 2077, 2080, 2088, 2092, 2081, 2089, 2080, 2082, + 2085, 2081, 2082, 2091, 2083, 2093, 2084, 2086, 2098, 2085, + 2087, 2097, 2091, 2092, 2093, 2094, 2090, 2088, 2096, 2089, + + 2097, 2088, 2092, 2099, 2089, 2101, 2098, 2100, 2094, 2096, + 2091, 2102, 2093, 2103, 2100, 2098, 2109, 2104, 2097, 2105, + 2118, 2099, 2094, 2104, 2096, 2096, 2111, 2116, 2103, 2102, + 2099, 2101, 2101, 2106, 2100, 0, 2096, 2112, 2102, 2116, + 2103, 2105, 2117, 2109, 2104, 2113, 2105, 2106, 2112, 2119, + 2111, 2114, 2118, 2111, 2116, 2117, 2113, 2120, 2122, 2119, + 2106, 2121, 2114, 2123, 2112, 2126, 2132, 2122, 2124, 2117, + 2127, 2129, 2113, 2130, 2131, 2129, 2119, 2134, 2114, 2132, + 0, 2133, 2134, 2120, 2120, 2122, 2121, 2124, 2121, 2136, + 2123, 2137, 2126, 2132, 2130, 2124, 2127, 2127, 2129, 2137, + + 2130, 2133, 2135, 2144, 2134, 2138, 2131, 2139, 2133, 2135, + 2140, 2138, 2141, 2142, 0, 2136, 2136, 2137, 2137, 2143, + 2143, 2144, 2139, 2145, 2141, 2140, 2137, 2153, 2142, 2135, + 2144, 2146, 2138, 2152, 2139, 2145, 2146, 2140, 2147, 2141, + 2142, 2148, 2147, 2151, 2150, 2148, 2143, 2151, 2152, 2155, + 2145, 2150, 2154, 2156, 2153, 2158, 2155, 0, 2148, 2157, + 2152, 2154, 2158, 2146, 2164, 2147, 2148, 2160, 2148, 2162, + 2151, 2150, 2148, 2161, 2166, 2163, 2155, 2156, 2162, 2154, + 2156, 2157, 2158, 2171, 2164, 2148, 2157, 2169, 2170, 2160, + 2168, 2164, 2166, 2174, 2160, 2177, 2162, 2163, 2161, 2168, + + 2161, 2166, 2163, 2170, 2172, 2169, 2173, 2179, 2171, 2175, + 2171, 2178, 2172, 2173, 2169, 2170, 2175, 2168, 2180, 2180, + 2177, 2181, 2177, 0, 2178, 2174, 2182, 2183, 2184, 2188, + 2185, 2172, 2186, 2173, 
2179, 2187, 2175, 2191, 2178, 2185, + 0, 2186, 2187, 2181, 2189, 2180, 2190, 2198, 2181, 2183, + 2184, 2182, 2191, 2182, 2183, 2184, 2193, 2185, 2192, 2186, + 2190, 2188, 2187, 2192, 2191, 2196, 2189, 2197, 2195, 2203, + 2199, 2189, 2200, 2190, 2198, 2193, 2195, 2201, 2196, 2202, + 2204, 2208, 2197, 2193, 2205, 2269, 2202, 0, 2200, 2201, + 2192, 2206, 2196, 2210, 2197, 2195, 2199, 2199, 0, 2200, + + 2206, 2203, 2204, 2211, 2201, 2207, 2202, 2204, 2208, 2205, + 2209, 2205, 2213, 2207, 2214, 2212, 0, 2269, 2206, 2210, + 2210, 2216, 2218, 2214, 2207, 2209, 0, 0, 2217, 2211, + 2211, 2217, 2207, 2212, 2213, 2221, 2222, 2209, 2220, 2213, + 2207, 2214, 2212, 2220, 2216, 2219, 2217, 2218, 2216, 2218, + 2221, 2219, 2223, 2225, 2222, 2217, 2226, 2229, 2217, 2227, + 2232, 0, 2221, 2222, 2231, 0, 2233, 2223, 2225, 0, + 2220, 2229, 2219, 2230, 0, 2233, 0, 2272, 2226, 2223, + 2225, 2227, 2231, 2226, 2229, 2230, 2227, 2232, 2234, 2235, + 2236, 2231, 2230, 2233, 2237, 2238, 2237, 2234, 2235, 2239, + + 2230, 2236, 2240, 2242, 2243, 2245, 2244, 2247, 2238, 2272, + 0, 2239, 2230, 2244, 2246, 2234, 2235, 2236, 2242, 2243, + 2259, 2237, 2238, 2253, 2240, 2247, 2239, 2245, 2248, 2240, + 2242, 2243, 2245, 2244, 2247, 2251, 2246, 2248, 2254, 2255, + 2256, 2246, 2254, 2257, 2253, 2257, 2258, 2259, 2251, 2256, + 2253, 2255, 2261, 2260, 2262, 2248, 2251, 0, 2266, 2264, + 2263, 2265, 2251, 2262, 2258, 2254, 2255, 2256, 2263, 2268, + 2257, 2260, 2266, 2258, 2273, 2251, 2274, 2268, 2275, 2261, + 2260, 2262, 2264, 2265, 2270, 2266, 2264, 2263, 2265, 2270, + 2271, 2276, 2279, 2282, 2281, 2271, 2268, 2275, 2276, 2280, + + 2274, 2283, 2284, 2274, 2286, 2275, 2273, 2285, 2287, 0, + 2289, 2270, 2281, 2280, 2291, 2288, 2285, 2284, 2276, 2279, + 2282, 2281, 2271, 2290, 2280, 2280, 2280, 2283, 2283, 2284, + 2287, 2293, 2294, 2295, 2285, 2287, 2286, 2289, 0, 2294, + 2280, 2288, 2288, 2299, 2302, 2290, 2291, 2298, 2296, 2298, + 2290, 2280, 2301, 2300, 2293, 2296, 2295, 2300, 2293, 2294, + 2295, 2305, 
2304, 2303, 2301, 2299, 2302, 2308, 2305, 2306, + 2299, 2302, 2303, 2304, 2298, 2296, 2307, 2309, 2312, 2301, + 2300, 2307, 2315, 2310, 2311, 2313, 2313, 2312, 2305, 2304, + 2303, 2306, 2314, 2317, 2308, 2310, 2306, 2315, 2320, 2316, + + 2309, 2314, 2318, 2307, 2309, 2312, 2311, 2316, 2319, 2315, + 2310, 2311, 2313, 2322, 2323, 2317, 2318, 2319, 2327, 2314, + 2317, 2327, 2323, 2324, 2330, 2320, 2316, 2329, 2325, 2318, + 2326, 2324, 2322, 2329, 2326, 2319, 2325, 2331, 2328, 2330, + 2322, 2323, 2332, 2331, 2334, 2327, 2328, 0, 2336, 2338, + 2324, 2330, 2339, 2337, 2329, 2325, 2334, 2326, 2341, 2342, + 2340, 0, 2336, 2349, 2331, 2328, 2337, 2340, 2343, 2344, + 2338, 2334, 2348, 2351, 2332, 2336, 2338, 2339, 0, 2339, + 2337, 2342, 2350, 2344, 2346, 2341, 2342, 2340, 2345, 2347, + 2349, 2345, 2343, 2352, 2353, 2343, 2344, 2346, 2348, 2348, + + 2351, 2357, 2361, 2347, 2354, 2352, 2353, 2350, 2358, 2350, + 2355, 2346, 2359, 2355, 2360, 2345, 2347, 2360, 2354, 2362, + 2352, 2353, 0, 2363, 2369, 2365, 2366, 2370, 2357, 2361, + 2372, 2354, 2360, 2366, 2358, 2358, 2355, 2355, 2359, 2359, + 2355, 2360, 2367, 2368, 2360, 2363, 2362, 2365, 2371, 2367, + 2363, 2369, 2365, 2366, 2370, 2373, 2371, 2372, 2368, 2374, + 2375, 2376, 2377, 2378, 2373, 2379, 2380, 0, 2381, 2367, + 2368, 2382, 2375, 2383, 2387, 2371, 2388, 0, 2379, 2390, + 0, 2382, 2373, 2376, 2380, 2394, 2374, 2375, 2376, 2377, + 2378, 2384, 2379, 2380, 2381, 2381, 2387, 2385, 2382, 2389, + + 2383, 2387, 2391, 2388, 2384, 2385, 2390, 2389, 2392, 2394, + 2393, 2391, 2394, 2395, 2396, 2397, 0, 0, 2384, 2399, + 2398, 2401, 2403, 2397, 2385, 2404, 2389, 2406, 2395, 2391, + 2392, 2393, 2398, 2401, 2406, 2392, 2411, 2393, 2407, 2395, + 2395, 2396, 2397, 2402, 2399, 2410, 2399, 2398, 2401, 2403, + 2407, 2402, 2408, 2412, 2406, 2395, 2408, 2404, 2417, 2409, + 2413, 2412, 2414, 2411, 2415, 2407, 2418, 0, 2410, 2421, + 2402, 2409, 2410, 2418, 2414, 2419, 2415, 2420, 2421, 2408, + 2412, 2425, 2413, 2422, 2427, 2417, 2409, 2413, 
2423, 2414, + 2420, 2415, 2422, 2418, 2426, 2419, 2421, 2424, 2424, 2428, + + 2423, 2430, 2419, 2431, 2420, 2432, 0, 2425, 2425, 2427, + 2422, 2427, 2426, 2433, 2428, 2423, 2428, 2434, 2431, 2434, + 2435, 2426, 2436, 2428, 2424, 2445, 2428, 2432, 2436, 2438, + 2431, 2441, 2432, 2430, 2435, 2433, 2437, 2439, 2439, 2442, + 2433, 2428, 2446, 2428, 2434, 2443, 2447, 2435, 2444, 2436, + 2448, 2438, 2447, 2441, 2437, 2449, 2438, 2445, 2441, 2450, + 2444, 2442, 2448, 2437, 2439, 2453, 2442, 2443, 2451, 2452, + 2454, 2452, 2443, 2447, 2446, 2444, 2455, 2448, 2460, 2453, + 2456, 2450, 2457, 2455, 2458, 2461, 2450, 2449, 2459, 2462, + 2451, 2460, 2453, 2463, 2454, 2451, 2452, 2454, 2456, 2469, + + 2457, 2465, 2458, 2455, 2468, 2460, 2459, 2456, 2465, 2457, + 2470, 2458, 2467, 0, 2473, 2459, 2463, 2461, 2472, 2467, + 2463, 2462, 2468, 0, 2471, 2469, 2469, 2474, 2465, 2479, + 0, 2468, 2471, 2477, 2481, 0, 2472, 0, 0, 2467, + 2473, 2473, 2470, 2480, 2477, 2472, 2475, 2478, 2475, 2474, + 2471, 2471, 2481, 2475, 2474, 2480, 2479, 2483, 2478, 2471, + 2477, 2481, 2486, 2488, 2489, 2484, 2485, 2491, 2492, 2495, + 2480, 2493, 2483, 2475, 2478, 2475, 2484, 2486, 2485, 2496, + 2497, 2490, 2491, 2498, 2483, 2499, 2489, 2488, 2490, 2486, + 2488, 2489, 2484, 2485, 2491, 2492, 2495, 2493, 2493, 2501, + + 2500, 2502, 2497, 2496, 2503, 2504, 2496, 2497, 2490, 2505, + 2508, 2506, 0, 2507, 2502, 2498, 2509, 2499, 2500, 2506, + 2504, 2512, 2505, 2510, 2514, 2513, 2501, 2500, 2502, 2509, + 2503, 2503, 2504, 2515, 2516, 2517, 2505, 2521, 2506, 2507, + 2507, 2518, 2508, 2509, 2512, 2510, 2520, 2519, 2512, 2513, + 2510, 2514, 2513, 2517, 2519, 2515, 2516, 2522, 2524, 2518, + 2515, 2516, 2517, 2525, 2521, 2526, 2528, 2531, 2518, 2520, + 2525, 2522, 2526, 2520, 2519, 2527, 2529, 2532, 2535, 2528, + 2524, 2530, 2527, 2533, 2522, 2524, 2534, 2535, 2530, 2531, + 2525, 2539, 2526, 2528, 2531, 2538, 2540, 2539, 2536, 2529, + + 2543, 2542, 2527, 2529, 2533, 2535, 2536, 2537, 2530, 2532, + 2533, 2543, 2534, 
2534, 2544, 2537, 2542, 2538, 2539, 2545, + 2546, 2547, 2538, 2540, 0, 2536, 2550, 2543, 2542, 2548, + 2552, 2555, 2553, 0, 2537, 2554, 2544, 2556, 2560, 2560, + 2547, 2544, 2558, 2552, 2550, 2553, 2559, 2565, 2547, 2561, + 2567, 2545, 2546, 2550, 2548, 2555, 2548, 2552, 2555, 2553, + 2564, 2554, 2554, 2556, 2556, 2560, 2558, 2566, 2568, 2558, + 2559, 2571, 2573, 2559, 2576, 2561, 2561, 2567, 2575, 2565, + 2579, 2573, 2566, 2564, 2581, 2576, 2568, 2564, 2580, 2580, + 2582, 2575, 2584, 2581, 2566, 2568, 2582, 2586, 2571, 2573, + + 2585, 2576, 2579, 2588, 2590, 2575, 2591, 2579, 2592, 0, + 2593, 2581, 2597, 2591, 2584, 2580, 2595, 2582, 2594, 2584, + 2597, 2593, 2585, 2594, 2586, 2598, 2599, 2585, 2601, 2600, + 2588, 2603, 2604, 2591, 2592, 2592, 2590, 2593, 2595, 2597, + 2605, 2599, 2603, 2595, 2600, 2594, 2606, 2610, 2607, 2598, + 2604, 0, 2598, 2599, 2608, 2601, 2600, 2607, 2603, 2604, + 2611, 2605, 2612, 2613, 0, 2615, 2608, 2605, 2616, 2620, + 2612, 2617, 2613, 2618, 2610, 2607, 2619, 2621, 2606, 0, + 2622, 2608, 2618, 2620, 2611, 2630, 2626, 2611, 2623, 2612, + 2613, 2615, 2615, 2617, 2619, 2616, 2620, 2624, 2617, 2621, + + 2618, 2623, 2625, 2619, 2621, 2622, 2629, 2622, 2626, 2627, + 2624, 2628, 2630, 2626, 2631, 2623, 2627, 2625, 2628, 2632, + 2633, 0, 2634, 2635, 2624, 2636, 0, 2641, 2629, 2625, + 2638, 2637, 2646, 2629, 2636, 2639, 2627, 2634, 2628, 2640, + 2643, 2631, 2641, 2646, 2642, 2647, 2632, 2633, 2635, 2634, + 2635, 2642, 2636, 2637, 2641, 2643, 2638, 2638, 2637, 2646, + 2649, 2639, 2639, 2644, 2650, 2640, 2640, 2643, 2645, 2648, + 2644, 2642, 2647, 2651, 2645, 2652, 2656, 2648, 2653, 2654, + 0, 2658, 2655, 2656, 2660, 2657, 2661, 2649, 2658, 2651, + 2644, 2650, 2662, 2653, 2659, 2645, 2648, 2655, 0, 2654, + + 2651, 2659, 2652, 2656, 2661, 2653, 2654, 2657, 2658, 2655, + 2664, 2660, 2657, 2661, 2663, 2663, 2665, 2664, 2667, 2662, + 2666, 2659, 2668, 2666, 2670, 2669, 2672, 2668, 2671, 2676, + 2665, 2667, 0, 0, 2673, 2677, 2674, 2664, 2676, 2670, + 
2677, 2663, 2679, 2665, 2672, 2667, 2673, 2666, 2674, 2668, + 2669, 2670, 2669, 2672, 2671, 2671, 2676, 2680, 2681, 2682, + 2678, 2673, 2677, 2674, 2678, 2683, 2679, 2684, 2690, 2679, + 2680, 2685, 0, 2687, 0, 2689, 2695, 2690, 0, 2693, + 2681, 2682, 2692, 2695, 2680, 2681, 2682, 2678, 2691, 0, + 2692, 2693, 2683, 2699, 2684, 2690, 2696, 2685, 2685, 2687, + + 2687, 2689, 2689, 2695, 2691, 2696, 2693, 2697, 2701, 2692, + 2698, 2699, 2697, 2703, 2700, 2691, 2705, 2698, 2702, 2704, + 2699, 2700, 2703, 2696, 2707, 2702, 2708, 2710, 2704, 2712, + 2711, 2709, 2710, 2701, 2697, 2701, 2715, 2698, 0, 0, + 2703, 2700, 2705, 2705, 2709, 2702, 2704, 2707, 2711, 2714, + 2716, 2707, 2717, 2708, 2710, 2718, 2712, 2711, 2709, 2716, + 2719, 2717, 2720, 2715, 2718, 2724, 2721, 2714, 2725, 2722, + 2723, 2726, 2727, 2724, 2720, 2721, 2714, 2716, 2722, 2717, + 2719, 2723, 2718, 2728, 2730, 2729, 2732, 2719, 2725, 2720, + 2728, 2733, 2724, 2721, 2729, 2725, 2722, 2723, 2726, 2727, + + 2734, 2738, 2737, 2740, 2739, 2730, 2735, 2736, 2741, 2738, + 2728, 2730, 2729, 2732, 2737, 2735, 2736, 2739, 2733, 2742, + 2743, 2745, 2747, 2749, 2751, 2740, 2742, 2743, 2738, 2737, + 2740, 2739, 2734, 2735, 2736, 2741, 2744, 2745, 2746, 2748, + 0, 2755, 2750, 2744, 2747, 2746, 2742, 2743, 2745, 2747, + 2749, 2751, 2753, 2756, 2759, 2757, 0, 0, 0, 2755, + 2753, 2756, 2768, 2744, 2748, 2746, 2748, 2750, 2755, 2750, + 2757, 2758, 2761, 2769, 0, 2772, 2759, 2760, 2758, 2753, + 2756, 2759, 2757, 2762, 2760, 2763, 2768, 2767, 2766, 2768, + 2762, 2770, 2771, 2763, 2761, 2766, 2767, 2773, 2758, 2761, + + 2769, 2771, 2772, 2770, 2760, 2774, 2775, 2779, 2777, 2778, + 2762, 2781, 2763, 2773, 2767, 2766, 2780, 2774, 2770, 2771, + 2777, 2778, 2787, 2782, 2773, 2793, 2790, 0, 2779, 2775, + 2784, 2789, 2774, 2775, 2779, 2777, 2778, 2782, 2781, 2780, + 2785, 2786, 2784, 2780, 2790, 2792, 2789, 2785, 2786, 2787, + 2782, 2791, 2793, 2790, 2794, 2795, 0, 2784, 2789, 2797, + 2801, 2796, 2794, 2800, 2798, 2799, 2807, 2785, 
2786, 2806, + 2800, 2792, 2792, 2809, 2791, 2798, 0, 2797, 2791, 2816, + 2799, 2794, 2795, 2796, 2807, 2810, 2797, 2801, 2796, 2808, + 2800, 2798, 2799, 2807, 2808, 2806, 2806, 2811, 2817, 2810, + + 2809, 2812, 2813, 2814, 2815, 2817, 2816, 2818, 2820, 0, + 2823, 2811, 2810, 2826, 2825, 2812, 2808, 2827, 0, 2818, + 2813, 2814, 2815, 2828, 2811, 2817, 2826, 2830, 2812, 2813, + 2814, 2815, 2823, 2831, 2818, 2820, 2825, 2823, 2829, 2827, + 2826, 2825, 2828, 2833, 2827, 2830, 2829, 2835, 2838, 2836, + 2828, 2837, 2831, 2839, 2830, 2833, 2841, 2840, 2842, 2845, + 2831, 2843, 0, 2837, 2841, 2829, 2847, 2844, 2845, 2835, + 2833, 2836, 0, 2846, 2835, 2838, 2836, 2848, 2837, 2840, + 2839, 2843, 2846, 2841, 2840, 2842, 2845, 2849, 2843, 2844, + 2850, 2852, 2853, 2851, 2844, 2856, 2857, 2858, 2847, 2848, + + 2846, 2859, 2850, 2860, 2848, 2861, 2859, 2863, 2864, 2856, + 2866, 0, 0, 2849, 2849, 2851, 2862, 2850, 2852, 2853, + 2851, 2858, 2856, 2857, 2858, 2860, 2865, 2861, 2866, 2862, + 2860, 2864, 2861, 2859, 2867, 2864, 2868, 2866, 2869, 2863, + 2870, 2871, 2872, 2862, 2869, 0, 2867, 2873, 2865, 2874, + 2876, 0, 2880, 2865, 0, 2868, 2877, 2878, 2882, 2885, + 2883, 2867, 2873, 2868, 2872, 2869, 2884, 2880, 2885, 2872, + 2876, 2889, 2870, 2871, 2873, 2886, 2874, 2876, 2877, 2880, + 2882, 2878, 2883, 2877, 2878, 2882, 2885, 2883, 2884, 2886, + 2887, 2888, 2890, 2884, 2891, 2894, 2895, 2889, 2889, 2896, + + 2900, 0, 2886, 2899, 2894, 2901, 2902, 2900, 2887, 2888, + 2890, 2899, 2901, 2903, 2902, 2904, 2891, 2887, 2888, 2890, + 2896, 2891, 2894, 2905, 2910, 2907, 2896, 2900, 2895, 2908, + 2899, 2905, 2901, 2902, 2909, 2904, 2910, 2911, 2912, 2918, + 2903, 2917, 2904, 2907, 2919, 2913, 2915, 2908, 2917, 2911, + 2905, 2910, 2907, 2913, 2921, 2920, 2908, 2920, 2915, 2922, + 2909, 2909, 2918, 2925, 2911, 2912, 2918, 2923, 2917, 2924, + 2926, 2919, 2913, 2915, 2927, 2923, 2929, 2928, 2924, 2928, + 2934, 2931, 2920, 2935, 2939, 0, 2921, 0, 2932, 0, + 2936, 2922, 2938, 2927, 2923, 2925, 
2924, 2926, 2929, 2931, + + 2937, 2927, 2932, 2929, 2928, 2938, 2940, 2935, 2931, 2937, + 2935, 2939, 2934, 2936, 2942, 2932, 2943, 2936, 2940, 2938, + 2944, 2945, 2947, 2948, 0, 2943, 2950, 2937, 2952, 2949, + 2954, 2957, 2955, 2940, 0, 2960, 2957, 2954, 0, 2964, + 2942, 2942, 2960, 2943, 2950, 2956, 2948, 2944, 2945, 2947, + 2948, 2949, 2958, 2950, 2955, 2952, 2949, 2954, 2961, 2955, + 2956, 2962, 2960, 2957, 2965, 2961, 2964, 2958, 2966, 2967, + 2968, 2971, 2956, 2972, 2974, 2969, 2975, 0, 2976, 2958, + 2977, 2974, 2972, 2979, 2968, 2961, 2983, 2962, 2962, 2969, + 0, 2965, 2984, 2967, 2978, 2966, 2967, 2968, 2971, 2980, + + 2972, 2974, 2969, 2975, 2976, 2976, 2978, 2977, 2981, 2982, + 2979, 2985, 2988, 2980, 2996, 2989, 3092, 2981, 2983, 2984, + 2991, 2978, 2982, 2992, 2993, 2991, 2980, 2992, 2995, 2999, + 2998, 2993, 2994, 0, 2985, 2981, 2982, 2989, 2985, 2994, + 3002, 2997, 2989, 2997, 2988, 3004, 2996, 3005, 3092, 2995, + 2992, 2993, 2991, 2998, 3008, 2995, 2999, 2998, 3007, 2994, + 3007, 3009, 3002, 3014, 3004, 3010, 3010, 3002, 2997, 3011, + 3012, 3005, 3004, 3013, 3005, 3010, 3014, 3015, 3008, 3012, + 3013, 3008, 3016, 0, 3020, 3007, 3017, 3009, 3009, 3018, + 3014, 3011, 3010, 3010, 3017, 3016, 3011, 3012, 3019, 3025, + + 3013, 3026, 3018, 3020, 3015, 3027, 3019, 3022, 3028, 3016, + 3017, 3020, 3022, 3017, 3023, 3024, 3018, 3029, 3031, 3023, + 0, 3017, 3030, 3024, 0, 3019, 3025, 3026, 3026, 3031, + 3032, 3027, 3027, 3033, 3028, 3028, 3034, 3034, 3035, 3022, + 3033, 3039, 3024, 3029, 3029, 3031, 3023, 3036, 3030, 3030, + 3037, 3035, 3032, 3038, 3040, 3041, 3044, 3032, 3037, 3039, + 3033, 3040, 3041, 3034, 3042, 3035, 3045, 0, 3039, 3036, + 3046, 3042, 3047, 3048, 3036, 3038, 3052, 3037, 3050, 0, + 3038, 3040, 3041, 3044, 3047, 3049, 3054, 3050, 3053, 3055, + 3057, 3042, 3058, 3045, 3046, 3060, 3059, 3046, 0, 3047, + + 3048, 3065, 3061, 3052, 3066, 3050, 3049, 3062, 3053, 3064, + 3058, 3055, 3049, 3054, 3059, 3053, 3055, 3057, 3064, 3058, + 3061, 3067, 3060, 
3059, 3068, 3062, 3071, 3069, 3065, 3061, + 3070, 3066, 3072, 3075, 3062, 3069, 3064, 3076, 3071, 3072, + 3073, 3081, 3068, 3077, 3067, 3073, 3070, 3075, 3067, 3082, + 3085, 3068, 3083, 3071, 3069, 3076, 3086, 3070, 3088, 3072, + 3075, 3090, 3091, 3081, 3076, 3083, 3077, 3088, 3081, 3086, + 3077, 3087, 3073, 3087, 3098, 3093, 3082, 3085, 3102, 3083, + 3091, 3099, 3097, 3086, 3097, 3088, 3101, 0, 3090, 3091, + 3093, 3104, 3108, 3101, 3106, 3109, 3098, 3110, 3087, 3099, + + 3106, 3098, 3093, 3115, 3113, 3126, 3104, 3111, 3099, 3097, + 3102, 3118, 3119, 3101, 3108, 3114, 3115, 3109, 3104, 3108, + 3120, 3106, 3109, 3110, 3110, 3111, 3113, 3121, 3123, 3114, + 3115, 3113, 3116, 3122, 3111, 3116, 3123, 3126, 3118, 3119, + 3122, 3124, 3114, 3127, 3128, 3121, 3129, 3120, 3130, 3131, + 3132, 3135, 3133, 0, 3121, 3123, 3132, 3130, 3116, 3116, + 3122, 3137, 3116, 3124, 3131, 3127, 3128, 3139, 3124, 3134, + 3127, 3128, 3142, 3129, 3133, 3130, 3131, 3132, 3134, 3133, + 3136, 3140, 3136, 3135, 3141, 3143, 3149, 0, 3137, 3144, + 3139, 3151, 3145, 3143, 3139, 3147, 3134, 3154, 3142, 3142, + + 3152, 3144, 3147, 3140, 3145, 3151, 3141, 3136, 3140, 3153, + 3155, 3141, 3143, 3149, 3152, 3156, 3144, 3157, 3151, 3145, + 3154, 3158, 3147, 3153, 3154, 3157, 3156, 3152, 3155, 3159, + 3163, 3160, 0, 3161, 3162, 3165, 3153, 3155, 3160, 3163, + 3158, 3166, 3156, 3173, 3157, 3164, 3164, 3167, 3158, 3170, + 3171, 3159, 3162, 3174, 3170, 3167, 3159, 3163, 3160, 3161, + 3161, 3162, 3165, 3171, 3173, 3176, 3178, 3180, 3166, 3183, + 3173, 3176, 3164, 3181, 3167, 3184, 3185, 3171, 3180, 3188, + 3174, 3170, 3189, 3190, 3181, 3191, 3184, 3193, 3199, 3189, + 0, 3183, 3176, 3178, 3180, 3192, 3183, 3194, 3185, 3192, + + 3181, 3190, 3184, 3185, 3196, 3194, 3188, 3197, 3198, 3189, + 3190, 3201, 3203, 3204, 3193, 3199, 3198, 3191, 0, 3203, + 3197, 3207, 3192, 3209, 3194, 3205, 3207, 3208, 3208, 3210, + 3196, 3196, 3211, 3212, 3197, 3198, 3213, 3214, 3217, 3203, + 3212, 3221, 0, 3201, 3211, 3204, 3219, 3205, 
3207, 3215, + 3209, 3216, 3205, 3214, 3208, 3213, 3210, 3218, 3216, 3211, + 3212, 3219, 3220, 3213, 3214, 3218, 3223, 3215, 3221, 3220, + 3217, 3222, 3224, 3219, 3225, 3231, 3215, 3229, 3216, 3230, + 0, 3232, 3213, 3222, 3218, 3233, 3230, 3234, 3235, 3220, + 3223, 3237, 3229, 3223, 3238, 3239, 3224, 3235, 3222, 3224, + + 3225, 3225, 3240, 3241, 3229, 3243, 3230, 3231, 3232, 3233, + 3240, 3245, 3233, 3237, 3249, 3235, 3246, 3239, 3237, 3234, + 3248, 3238, 3239, 3242, 3242, 3246, 3245, 3252, 3247, 3240, + 3247, 3250, 3243, 3242, 3248, 3241, 3254, 3251, 3245, 3250, + 3255, 3249, 3256, 3246, 3257, 3252, 3258, 3248, 3251, 3260, + 3242, 3242, 3259, 3261, 3252, 3247, 3262, 3263, 3250, 3258, + 3266, 3264, 3270, 3254, 3251, 0, 3257, 3255, 3267, 3256, + 3271, 3257, 3273, 3258, 3259, 3264, 3260, 3265, 3265, 3259, + 3261, 3271, 3274, 3262, 3263, 3276, 3278, 3284, 3264, 3270, + 3267, 3278, 3266, 3276, 3280, 3267, 3279, 3271, 3281, 3273, + + 3282, 3279, 3280, 3281, 3265, 3285, 3285, 3286, 3291, 3274, + 3289, 3287, 3276, 3278, 3284, 3286, 3292, 3289, 3290, 3294, + 3295, 3280, 3296, 3279, 3287, 3281, 3282, 3282, 3294, 3296, + 3303, 3297, 3285, 3298, 3286, 3291, 3290, 3289, 3287, 3297, + 3299, 3302, 3305, 3292, 3306, 3290, 3294, 3302, 3307, 3296, + 3308, 3310, 3295, 3311, 3312, 3298, 3314, 3303, 3297, 3309, + 3298, 3307, 3299, 3315, 0, 3316, 3306, 3299, 3302, 3305, + 3310, 3306, 3316, 3318, 3309, 3307, 3312, 3317, 3310, 3314, + 3311, 3312, 3308, 3314, 3317, 3315, 3309, 3319, 3320, 3322, + 3315, 3323, 3316, 3335, 3324, 3318, 3325, 3327, 0, 3323, + + 3318, 3324, 3319, 3325, 3317, 3331, 3327, 3330, 3322, 3320, + 0, 3328, 0, 3330, 3319, 3320, 3322, 3333, 3323, 3329, + 3329, 3324, 3328, 3325, 3327, 3335, 3334, 3331, 3336, 3329, + 3338, 3340, 3331, 3334, 3330, 3339, 3344, 3338, 3328, 3333, + 3345, 3346, 3351, 3352, 3333, 3340, 3329, 3329, 3353, 3354, + 3336, 3359, 3362, 3334, 3356, 3336, 3353, 3338, 3340, 3339, + 3360, 3360, 3339, 3344, 3346, 3352, 3356, 3345, 3346, 3351, + 3352, 3361, 
3361, 3363, 3363, 3353, 3354, 3366, 3359, 3362, + 3364, 3356, 3368, 3367, 3369, 3370, 0, 3373, 3374, 3360, + 3375, 3377, 0, 3369, 3376, 3374, 3378, 3375, 3370, 3366, + + 3361, 3367, 3363, 3364, 3366, 3378, 3382, 3364, 3382, 3368, + 3367, 3369, 3370, 3373, 3373, 3374, 3376, 3375, 3377, 3379, + 3383, 3376, 3384, 3378, 3385, 3386, 3379, 3388, 3389, 3390, + 3391, 0, 3392, 3382, 3393, 3394, 3388, 3386, 3396, 3398, + 3383, 3395, 3385, 3399, 3398, 3384, 3379, 3383, 3391, 3384, + 3389, 3385, 3386, 3395, 3388, 3389, 3390, 3391, 3392, 3392, + 3396, 3393, 3394, 3397, 3401, 3396, 3397, 3400, 3395, 3400, + 3403, 3398, 3402, 3404, 3405, 3399, 3401, 3406, 3402, 3407, + 3409, 3397, 3405, 3410, 0, 3408, 3411, 3412, 3415, 3417, + 3397, 3401, 3403, 3397, 3400, 3404, 3420, 3403, 3411, 3402, + + 3404, 3405, 3418, 3422, 3406, 3420, 3408, 3409, 3423, 3412, + 3410, 3407, 3408, 3411, 3412, 3415, 3417, 3424, 3425, 3427, + 3418, 3428, 3429, 3420, 3430, 3431, 3431, 3434, 3435, 3418, + 3422, 3440, 3433, 3438, 3441, 3423, 3443, 0, 3436, 3442, + 3438, 3444, 3437, 3440, 3424, 3425, 3427, 3442, 3428, 3429, + 3433, 3430, 3431, 3444, 3434, 3435, 3436, 3437, 3440, 3433, + 3438, 3441, 3445, 3443, 3446, 3436, 3442, 3447, 3444, 3437, + 3448, 3450, 3451, 3454, 3461, 3462, 3445, 3455, 3458, 3446, + 3456, 3456, 3454, 3450, 3457, 3460, 3463, 3458, 3462, 3445, + 0, 3446, 0, 3447, 3447, 3464, 0, 3448, 3450, 3451, + + 3454, 3455, 3462, 3464, 3455, 3458, 3461, 3456, 3463, 3460, + 3457, 3457, 3460, 3463, 3465, 3466, 3468, 3469, 3473, 3476, + 3476, 3477, 3464, 3465, 3472, 3490, 3466, 3486, 3477, 3487, + 3473, 3491, 3492, 3493, 3495, 3469, 3497, 3468, 0, 3490, + 3497, 3465, 3466, 3468, 3469, 3473, 3476, 3472, 3477, 3486, + 3498, 3472, 3490, 3487, 3486, 3499, 3487, 3500, 3491, 3492, + 3493, 3495, 3502, 3497, 3500, 3504, 3506, 3505, 3498, 3504, + 3507, 0, 3509, 3508, 3515, 3502, 3510, 3498, 3499, 3511, + 3513, 0, 3499, 3505, 3500, 3508, 3515, 3511, 3506, 3502, + 3510, 3513, 3504, 3506, 3505, 3507, 3512, 3507, 3509, 
3509, + + 3508, 3515, 3514, 3510, 3514, 3512, 3511, 3513, 3516, 3517, + 3518, 3519, 3520, 3521, 3522, 3523, 0, 3519, 3529, 3531, + 0, 3521, 3523, 3512, 3517, 3524, 3516, 3533, 3535, 3514, + 3532, 3529, 3518, 3534, 3520, 3516, 3517, 3518, 3519, 3520, + 3521, 3522, 3523, 3530, 3536, 3529, 3531, 3524, 3532, 3538, + 3530, 3539, 3524, 3537, 3533, 3535, 3538, 3532, 0, 3534, + 3534, 3537, 3540, 3541, 3542, 3543, 3542, 3544, 3545, 0, + 3530, 3536, 0, 3546, 3547, 3539, 3538, 3543, 3539, 3548, + 3537, 3545, 3550, 3551, 3540, 3541, 3549, 3553, 3546, 3540, + 3541, 3542, 3543, 3549, 3555, 3545, 3547, 3556, 3560, 3544, + + 3546, 3547, 3555, 3554, 3558, 3563, 3548, 3560, 3564, 3550, + 3551, 3566, 0, 3549, 3553, 3554, 3558, 3565, 3567, 3566, + 3568, 3555, 3573, 0, 3556, 3560, 3569, 3570, 0, 3571, + 3554, 3558, 3563, 3572, 3564, 3564, 3565, 3571, 3566, 3569, + 3575, 3570, 3579, 3583, 3565, 0, 3582, 0, 3579, 3573, + 3567, 3580, 3568, 3569, 3570, 3572, 3571, 3585, 3580, 3582, + 3572, 3586, 3588, 3587, 3585, 3589, 3583, 3575, 3593, 3579, + 3583, 3587, 3590, 3582, 3591, 3592, 3588, 3598, 3580, 3589, + 3590, 3599, 3597, 3586, 3585, 3598, 3596, 3601, 3586, 3588, + 3587, 3597, 3589, 3596, 3600, 3593, 3591, 3592, 3602, 3590, + + 3603, 3591, 3592, 3606, 3598, 3607, 3604, 3605, 3599, 3597, + 0, 3606, 3609, 3596, 3610, 3611, 3600, 3613, 3614, 3601, + 3618, 3600, 3603, 3615, 3602, 3602, 3614, 3603, 3604, 3605, + 3606, 3622, 3624, 3604, 3605, 3620, 3610, 3607, 3616, 3609, + 3613, 3610, 3611, 3615, 3613, 3614, 3616, 3617, 3619, 3620, + 3615, 3625, 3618, 3627, 3625, 3617, 3619, 3622, 3622, 3624, + 3626, 3627, 3620, 3628, 3631, 3616, 3630, 3634, 3634, 3625, + 3629, 3628, 0, 3639, 3617, 3619, 3635, 3642, 3625, 3637, + 3627, 3625, 3626, 3638, 3629, 3632, 3631, 3626, 3636, 0, + 3628, 3631, 3630, 3630, 3634, 3639, 3636, 3629, 3640, 3632, + + 3639, 3643, 3635, 3635, 3642, 3637, 3637, 3644, 3641, 3638, + 3638, 3645, 3632, 3646, 3648, 3636, 3641, 3647, 3640, 3650, + 3649, 3652, 3648, 3643, 0, 3640, 0, 
3650, 3643, 3655, + 3656, 3653, 3644, 3646, 3644, 3641, 3661, 3647, 3645, 3653, + 3646, 3648, 3649, 3659, 3647, 3657, 3650, 3649, 3652, 3664, + 3665, 3655, 3656, 3657, 3658, 3668, 3655, 3656, 3653, 3662, + 3663, 3669, 3658, 3661, 3666, 3670, 0, 3662, 3663, 3659, + 3659, 3672, 3657, 3675, 3678, 3664, 3664, 3665, 3679, 0, + 0, 3658, 3668, 0, 3666, 3670, 3662, 3663, 3669, 3676, + 0, 3666, 3670, 3672, 3677, 3675, 0, 3676, 3672, 0, + + 3675, 3678, 3677, 0, 0, 3679, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 3676, 0, 0, 0, + 0, 3677, 3683, 3683, 3683, 3683, 3683, 3683, 3683, 3684, + 3684, 3684, 3684, 3684, 3684, 3684, 3685, 3685, 3685, 3685, + 3685, 3685, 3685, 3686, 3686, 3686, 3686, 3686, 3686, 3686, + 3687, 3687, 3687, 3687, 3687, 3687, 3687, 3688, 3688, 3688, + 3688, 3688, 3688, 3688, 3689, 3689, 3689, 3689, 3689, 3689, + 3689, 3691, 3691, 0, 3691, 3691, 3691, 3691, 3692, 3692, + 0, 0, 0, 3692, 3692, 3693, 3693, 0, 0, 3693, + 0, 3693, 3694, 0, 0, 0, 0, 0, 3694, 3695, + + 3695, 0, 0, 0, 3695, 3695, 3696, 0, 0, 0, + 0, 0, 3696, 3697, 3697, 0, 3697, 3697, 3697, 3697, + 3698, 0, 0, 0, 0, 0, 3698, 3699, 3699, 0, + 0, 0, 3699, 3699, 3700, 3700, 0, 3700, 3700, 3700, + 3700, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682, + + 3682, 3682, 3682, 3682, 3682, 3682, 3682, 3682 } ; static yy_state_type yy_last_accepting_state; @@ -3990,7 +4182,7 @@ } #endif -#line 3991 "<stdout>" +#line 4183 "<stdout>" #define YY_NO_INPUT 1 #line 191 "util/configlexer.lex" #ifndef YY_NO_UNPUT @@ -3999,9 +4191,9 @@ #ifndef YY_NO_INPUT #define YY_NO_INPUT 1 #endif -#line 4000 "<stdout>" +#line 4192 "<stdout>" -#line 4002 "<stdout>" +#line 4194 "<stdout>" #define INITIAL 0 #define quotedstring 1 
@@ -4225,7 +4417,7 @@ { #line 211 "util/configlexer.lex" -#line 4226 "<stdout>" +#line 4418 "<stdout>" while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */ { @@ -4258,13 +4450,13 @@ while ( yy_chkyy_baseyy_current_state + yy_c != yy_current_state ) { yy_current_state = (int) yy_defyy_current_state; - if ( yy_current_state >= 3484 ) + if ( yy_current_state >= 3683 ) yy_c = yy_metayy_c; } yy_current_state = yy_nxtyy_baseyy_current_state + yy_c; ++yy_cp; } - while ( yy_baseyy_current_state != 9961 ); + while ( yy_baseyy_current_state != 10542 ); yy_find_action: yy_act = yy_acceptyy_current_state; @@ -4489,7 +4681,7 @@ case 40: YY_RULE_SETUP #line 254 "util/configlexer.lex" -{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } +{ YDVAR(1, VAR_TLS_WIN_CERT) } YY_BREAK case 41: YY_RULE_SETUP 
@@ -4509,72 +4701,72 @@ case 44: YY_RULE_SETUP #line 258 "util/configlexer.lex" -{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) } +{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) } YY_BREAK case 45: YY_RULE_SETUP #line 259 "util/configlexer.lex" -{ YDVAR(1, VAR_TLS_CIPHERS) } +{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) } YY_BREAK case 46: YY_RULE_SETUP #line 260 "util/configlexer.lex" -{ YDVAR(1, VAR_TLS_CIPHERSUITES) } +{ YDVAR(1, VAR_TLS_CIPHERS) } YY_BREAK case 47: YY_RULE_SETUP #line 261 "util/configlexer.lex" -{ YDVAR(1, VAR_TLS_USE_SNI) } +{ YDVAR(1, VAR_TLS_CIPHERSUITES) } YY_BREAK case 48: YY_RULE_SETUP #line 262 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTPS_PORT) } +{ YDVAR(1, VAR_TLS_USE_SNI) } YY_BREAK case 49: YY_RULE_SETUP #line 263 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_ENDPOINT) } +{ YDVAR(1, VAR_HTTPS_PORT) } YY_BREAK case 50: YY_RULE_SETUP #line 264 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_MAX_STREAMS) } +{ YDVAR(1, VAR_HTTP_ENDPOINT) } YY_BREAK case 51: YY_RULE_SETUP #line 265 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) } +{ YDVAR(1, VAR_HTTP_MAX_STREAMS) } YY_BREAK case 52: YY_RULE_SETUP #line 266 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) } +{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) } YY_BREAK case 53: YY_RULE_SETUP #line 267 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_NODELAY) } +{ YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) } YY_BREAK case 54: YY_RULE_SETUP #line 268 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) } +{ YDVAR(1, VAR_HTTP_NODELAY) } YY_BREAK case 55: YY_RULE_SETUP #line 269 "util/configlexer.lex" -{ YDVAR(1, VAR_USE_SYSTEMD) } +{ YDVAR(1, VAR_HTTP_NOTLS_DOWNSTREAM) } YY_BREAK case 56: YY_RULE_SETUP #line 270 "util/configlexer.lex" -{ YDVAR(1, VAR_DO_DAEMONIZE) } +{ YDVAR(1, VAR_USE_SYSTEMD) } YY_BREAK case 57: YY_RULE_SETUP #line 271 "util/configlexer.lex" -{ YDVAR(1, VAR_INTERFACE) } +{ YDVAR(1, VAR_DO_DAEMONIZE) } YY_BREAK case 58: YY_RULE_SETUP 
@@ -4584,1374 +4776,1474 @@ case 59: YY_RULE_SETUP #line 273 "util/configlexer.lex" -{ YDVAR(1, VAR_OUTGOING_INTERFACE) } +{ YDVAR(1, VAR_INTERFACE) } YY_BREAK case 60: YY_RULE_SETUP #line 274 "util/configlexer.lex" -{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) } +{ YDVAR(1, VAR_OUTGOING_INTERFACE) } YY_BREAK case 61: YY_RULE_SETUP #line 275 "util/configlexer.lex" -{ YDVAR(1, VAR_SO_RCVBUF) } +{ YDVAR(1, VAR_INTERFACE_AUTOMATIC) } YY_BREAK case 62: YY_RULE_SETUP #line 276 "util/configlexer.lex" -{ YDVAR(1, VAR_SO_SNDBUF) } +{ YDVAR(1, VAR_INTERFACE_AUTOMATIC_PORTS) } YY_BREAK case 63: YY_RULE_SETUP #line 277 "util/configlexer.lex" -{ YDVAR(1, VAR_SO_REUSEPORT) } +{ YDVAR(1, VAR_SO_RCVBUF) } YY_BREAK case 64: YY_RULE_SETUP #line 278 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_TRANSPARENT) } +{ YDVAR(1, VAR_SO_SNDBUF) } YY_BREAK case 65: YY_RULE_SETUP #line 279 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_FREEBIND) } +{ YDVAR(1, VAR_SO_REUSEPORT) } YY_BREAK case 66: YY_RULE_SETUP #line 280 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_DSCP) } +{ YDVAR(1, VAR_IP_TRANSPARENT) } YY_BREAK case 67: YY_RULE_SETUP #line 281 "util/configlexer.lex" -{ YDVAR(1, VAR_CHROOT) } +{ YDVAR(1, VAR_IP_FREEBIND) } YY_BREAK case 68: YY_RULE_SETUP #line 282 "util/configlexer.lex" -{ YDVAR(1, VAR_USERNAME) } +{ YDVAR(1, VAR_IP_DSCP) } YY_BREAK case 69: YY_RULE_SETUP #line 283 "util/configlexer.lex" -{ YDVAR(1, VAR_DIRECTORY) } +{ YDVAR(1, VAR_CHROOT) } YY_BREAK case 70: YY_RULE_SETUP #line 284 "util/configlexer.lex" -{ YDVAR(1, VAR_LOGFILE) } +{ YDVAR(1, VAR_USERNAME) } YY_BREAK case 71: YY_RULE_SETUP #line 285 "util/configlexer.lex" -{ YDVAR(1, VAR_PIDFILE) } +{ YDVAR(1, VAR_DIRECTORY) } YY_BREAK case 72: YY_RULE_SETUP #line 286 "util/configlexer.lex" -{ YDVAR(1, VAR_ROOT_HINTS) } +{ YDVAR(1, VAR_LOGFILE) } YY_BREAK case 73: YY_RULE_SETUP #line 287 "util/configlexer.lex" -{ YDVAR(1, VAR_STREAM_WAIT_SIZE) } +{ YDVAR(1, VAR_PIDFILE) } YY_BREAK case 74: YY_RULE_SETUP #line 288 "util/configlexer.lex" -{ 
YDVAR(1, VAR_EDNS_BUFFER_SIZE) } +{ YDVAR(1, VAR_ROOT_HINTS) } YY_BREAK case 75: YY_RULE_SETUP #line 289 "util/configlexer.lex" -{ YDVAR(1, VAR_MSG_BUFFER_SIZE) } +{ YDVAR(1, VAR_STREAM_WAIT_SIZE) } YY_BREAK case 76: YY_RULE_SETUP #line 290 "util/configlexer.lex" -{ YDVAR(1, VAR_MSG_CACHE_SIZE) } +{ YDVAR(1, VAR_EDNS_BUFFER_SIZE) } YY_BREAK case 77: YY_RULE_SETUP #line 291 "util/configlexer.lex" -{ YDVAR(1, VAR_MSG_CACHE_SLABS) } +{ YDVAR(1, VAR_MSG_BUFFER_SIZE) } YY_BREAK case 78: YY_RULE_SETUP #line 292 "util/configlexer.lex" -{ YDVAR(1, VAR_RRSET_CACHE_SIZE) } +{ YDVAR(1, VAR_MSG_CACHE_SIZE) } YY_BREAK case 79: YY_RULE_SETUP #line 293 "util/configlexer.lex" -{ YDVAR(1, VAR_RRSET_CACHE_SLABS) } +{ YDVAR(1, VAR_MSG_CACHE_SLABS) } YY_BREAK case 80: YY_RULE_SETUP #line 294 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHE_MAX_TTL) } +{ YDVAR(1, VAR_RRSET_CACHE_SIZE) } YY_BREAK case 81: YY_RULE_SETUP #line 295 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) } +{ YDVAR(1, VAR_RRSET_CACHE_SLABS) } YY_BREAK case 82: YY_RULE_SETUP #line 296 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHE_MIN_TTL) } +{ YDVAR(1, VAR_CACHE_MAX_TTL) } YY_BREAK case 83: YY_RULE_SETUP #line 297 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_HOST_TTL) } +{ YDVAR(1, VAR_CACHE_MAX_NEGATIVE_TTL) } YY_BREAK case 84: YY_RULE_SETUP #line 298 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_LAME_TTL) } +{ YDVAR(1, VAR_CACHE_MIN_TTL) } YY_BREAK case 85: YY_RULE_SETUP #line 299 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_SLABS) } +{ YDVAR(1, VAR_INFRA_HOST_TTL) } YY_BREAK case 86: YY_RULE_SETUP #line 300 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) } +{ YDVAR(1, VAR_INFRA_LAME_TTL) } YY_BREAK case 87: YY_RULE_SETUP #line 301 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) } +{ YDVAR(1, VAR_INFRA_CACHE_SLABS) } YY_BREAK case 88: YY_RULE_SETUP #line 302 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) } +{ YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) } YY_BREAK case 
89: YY_RULE_SETUP #line 303 "util/configlexer.lex" -{ YDVAR(1, VAR_INFRA_KEEP_PROBING) } +{ YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) } YY_BREAK case 90: YY_RULE_SETUP #line 304 "util/configlexer.lex" -{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) } +{ YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) } YY_BREAK case 91: YY_RULE_SETUP #line 305 "util/configlexer.lex" -{ YDVAR(1, VAR_JOSTLE_TIMEOUT) } +{ YDVAR(1, VAR_INFRA_CACHE_MAX_RTT) } YY_BREAK case 92: YY_RULE_SETUP #line 306 "util/configlexer.lex" -{ YDVAR(1, VAR_DELAY_CLOSE) } +{ YDVAR(1, VAR_INFRA_KEEP_PROBING) } YY_BREAK case 93: YY_RULE_SETUP #line 307 "util/configlexer.lex" -{ YDVAR(1, VAR_UDP_CONNECT) } +{ YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) } YY_BREAK case 94: YY_RULE_SETUP #line 308 "util/configlexer.lex" -{ YDVAR(1, VAR_TARGET_FETCH_POLICY) } +{ YDVAR(1, VAR_JOSTLE_TIMEOUT) } YY_BREAK case 95: YY_RULE_SETUP #line 309 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) } +{ YDVAR(1, VAR_DELAY_CLOSE) } YY_BREAK case 96: YY_RULE_SETUP #line 310 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) } +{ YDVAR(1, VAR_UDP_CONNECT) } YY_BREAK case 97: YY_RULE_SETUP #line 311 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_GLUE) } +{ YDVAR(1, VAR_TARGET_FETCH_POLICY) } YY_BREAK case 98: YY_RULE_SETUP #line 312 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) } +{ YDVAR(1, VAR_HARDEN_SHORT_BUFSIZE) } YY_BREAK case 99: YY_RULE_SETUP #line 313 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) } +{ YDVAR(1, VAR_HARDEN_LARGE_QUERIES) } YY_BREAK case 100: YY_RULE_SETUP #line 314 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) } +{ YDVAR(1, VAR_HARDEN_GLUE) } YY_BREAK case 101: YY_RULE_SETUP #line 315 "util/configlexer.lex" -{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } +{ YDVAR(1, VAR_HARDEN_DNSSEC_STRIPPED) } YY_BREAK case 102: YY_RULE_SETUP #line 316 "util/configlexer.lex" -{ YDVAR(1, VAR_USE_CAPS_FOR_ID) } +{ YDVAR(1, VAR_HARDEN_BELOW_NXDOMAIN) } YY_BREAK case 103: YY_RULE_SETUP #line 317 
"util/configlexer.lex" -{ YDVAR(1, VAR_CAPS_WHITELIST) } +{ YDVAR(1, VAR_HARDEN_REFERRAL_PATH) } YY_BREAK case 104: YY_RULE_SETUP #line 318 "util/configlexer.lex" -{ YDVAR(1, VAR_CAPS_WHITELIST) } +{ YDVAR(1, VAR_HARDEN_ALGO_DOWNGRADE) } YY_BREAK case 105: YY_RULE_SETUP #line 319 "util/configlexer.lex" -{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } +{ YDVAR(1, VAR_USE_CAPS_FOR_ID) } YY_BREAK case 106: YY_RULE_SETUP #line 320 "util/configlexer.lex" -{ YDVAR(1, VAR_PRIVATE_ADDRESS) } +{ YDVAR(1, VAR_CAPS_WHITELIST) } YY_BREAK case 107: YY_RULE_SETUP #line 321 "util/configlexer.lex" -{ YDVAR(1, VAR_PRIVATE_DOMAIN) } +{ YDVAR(1, VAR_CAPS_WHITELIST) } YY_BREAK case 108: YY_RULE_SETUP #line 322 "util/configlexer.lex" -{ YDVAR(1, VAR_PREFETCH_KEY) } +{ YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } YY_BREAK case 109: YY_RULE_SETUP #line 323 "util/configlexer.lex" -{ YDVAR(1, VAR_PREFETCH) } +{ YDVAR(1, VAR_PRIVATE_ADDRESS) } YY_BREAK case 110: YY_RULE_SETUP #line 324 "util/configlexer.lex" -{ YDVAR(1, VAR_DENY_ANY) } +{ YDVAR(1, VAR_PRIVATE_DOMAIN) } YY_BREAK case 111: YY_RULE_SETUP #line 325 "util/configlexer.lex" -{ YDVAR(0, VAR_STUB_ZONE) } +{ YDVAR(1, VAR_PREFETCH_KEY) } YY_BREAK case 112: YY_RULE_SETUP #line 326 "util/configlexer.lex" -{ YDVAR(1, VAR_NAME) } +{ YDVAR(1, VAR_PREFETCH) } YY_BREAK case 113: YY_RULE_SETUP #line 327 "util/configlexer.lex" -{ YDVAR(1, VAR_STUB_ADDR) } +{ YDVAR(1, VAR_DENY_ANY) } YY_BREAK case 114: YY_RULE_SETUP #line 328 "util/configlexer.lex" -{ YDVAR(1, VAR_STUB_HOST) } +{ YDVAR(0, VAR_STUB_ZONE) } YY_BREAK case 115: YY_RULE_SETUP #line 329 "util/configlexer.lex" -{ YDVAR(1, VAR_STUB_PRIME) } +{ YDVAR(1, VAR_NAME) } YY_BREAK case 116: YY_RULE_SETUP #line 330 "util/configlexer.lex" -{ YDVAR(1, VAR_STUB_FIRST) } +{ YDVAR(1, VAR_STUB_ADDR) } YY_BREAK case 117: YY_RULE_SETUP #line 331 "util/configlexer.lex" -{ YDVAR(1, VAR_STUB_NO_CACHE) } +{ YDVAR(1, VAR_STUB_HOST) } YY_BREAK case 118: YY_RULE_SETUP #line 332 "util/configlexer.lex" -{ YDVAR(1, 
VAR_STUB_SSL_UPSTREAM) } +{ YDVAR(1, VAR_STUB_PRIME) } YY_BREAK case 119: YY_RULE_SETUP #line 333 "util/configlexer.lex" -{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } +{ YDVAR(1, VAR_STUB_FIRST) } YY_BREAK case 120: YY_RULE_SETUP #line 334 "util/configlexer.lex" -{ YDVAR(0, VAR_FORWARD_ZONE) } +{ YDVAR(1, VAR_STUB_NO_CACHE) } YY_BREAK case 121: YY_RULE_SETUP #line 335 "util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_ADDR) } +{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } YY_BREAK case 122: YY_RULE_SETUP #line 336 "util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_HOST) } +{ YDVAR(1, VAR_STUB_SSL_UPSTREAM) } YY_BREAK case 123: YY_RULE_SETUP #line 337 "util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_FIRST) } +{ YDVAR(1, VAR_STUB_TCP_UPSTREAM) } YY_BREAK case 124: YY_RULE_SETUP #line 338 "util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_NO_CACHE) } +{ YDVAR(0, VAR_FORWARD_ZONE) } YY_BREAK case 125: YY_RULE_SETUP #line 339 "util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } +{ YDVAR(1, VAR_FORWARD_ADDR) } YY_BREAK case 126: YY_RULE_SETUP #line 340 "util/configlexer.lex" -{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } +{ YDVAR(1, VAR_FORWARD_HOST) } YY_BREAK case 127: YY_RULE_SETUP #line 341 "util/configlexer.lex" -{ YDVAR(0, VAR_AUTH_ZONE) } +{ YDVAR(1, VAR_FORWARD_FIRST) } YY_BREAK case 128: YY_RULE_SETUP #line 342 "util/configlexer.lex" -{ YDVAR(0, VAR_RPZ) } +{ YDVAR(1, VAR_FORWARD_NO_CACHE) } YY_BREAK case 129: YY_RULE_SETUP #line 343 "util/configlexer.lex" -{ YDVAR(1, VAR_TAGS) } +{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } YY_BREAK case 130: YY_RULE_SETUP #line 344 "util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) } +{ YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) } YY_BREAK case 131: YY_RULE_SETUP #line 345 "util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) } +{ YDVAR(1, VAR_FORWARD_TCP_UPSTREAM) } YY_BREAK case 132: YY_RULE_SETUP #line 346 "util/configlexer.lex" -{ YDVAR(1, VAR_RPZ_LOG) } +{ YDVAR(0, VAR_AUTH_ZONE) } YY_BREAK case 133: YY_RULE_SETUP #line 347 "util/configlexer.lex" -{ 
YDVAR(1, VAR_RPZ_LOG_NAME) } +{ YDVAR(0, VAR_RPZ) } YY_BREAK case 134: YY_RULE_SETUP #line 348 "util/configlexer.lex" -{ YDVAR(1, VAR_ZONEFILE) } +{ YDVAR(1, VAR_TAGS) } YY_BREAK case 135: YY_RULE_SETUP #line 349 "util/configlexer.lex" -{ YDVAR(1, VAR_MASTER) } +{ YDVAR(1, VAR_RPZ_ACTION_OVERRIDE) } YY_BREAK case 136: YY_RULE_SETUP #line 350 "util/configlexer.lex" -{ YDVAR(1, VAR_MASTER) } +{ YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) } YY_BREAK case 137: YY_RULE_SETUP #line 351 "util/configlexer.lex" -{ YDVAR(1, VAR_URL) } +{ YDVAR(1, VAR_RPZ_LOG) } YY_BREAK case 138: YY_RULE_SETUP #line 352 "util/configlexer.lex" -{ YDVAR(1, VAR_ALLOW_NOTIFY) } +{ YDVAR(1, VAR_RPZ_LOG_NAME) } YY_BREAK case 139: YY_RULE_SETUP #line 353 "util/configlexer.lex" -{ YDVAR(1, VAR_FOR_DOWNSTREAM) } +{ YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) } YY_BREAK case 140: YY_RULE_SETUP #line 354 "util/configlexer.lex" -{ YDVAR(1, VAR_FOR_UPSTREAM) } +{ YDVAR(1, VAR_ZONEFILE) } YY_BREAK case 141: YY_RULE_SETUP #line 355 "util/configlexer.lex" -{ YDVAR(1, VAR_FALLBACK_ENABLED) } +{ YDVAR(1, VAR_MASTER) } YY_BREAK case 142: YY_RULE_SETUP #line 356 "util/configlexer.lex" -{ YDVAR(0, VAR_VIEW) } +{ YDVAR(1, VAR_MASTER) } YY_BREAK case 143: YY_RULE_SETUP #line 357 "util/configlexer.lex" -{ YDVAR(1, VAR_VIEW_FIRST) } +{ YDVAR(1, VAR_URL) } YY_BREAK case 144: YY_RULE_SETUP #line 358 "util/configlexer.lex" -{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) } +{ YDVAR(1, VAR_ALLOW_NOTIFY) } YY_BREAK case 145: YY_RULE_SETUP #line 359 "util/configlexer.lex" -{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) } +{ YDVAR(1, VAR_FOR_DOWNSTREAM) } YY_BREAK case 146: YY_RULE_SETUP #line 360 "util/configlexer.lex" -{ YDVAR(2, VAR_ACCESS_CONTROL) } +{ YDVAR(1, VAR_FOR_UPSTREAM) } YY_BREAK case 147: YY_RULE_SETUP #line 361 "util/configlexer.lex" -{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) } +{ YDVAR(1, VAR_FALLBACK_ENABLED) } YY_BREAK case 148: YY_RULE_SETUP #line 362 "util/configlexer.lex" -{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) } +{ YDVAR(0, VAR_VIEW) } YY_BREAK 
case 149: YY_RULE_SETUP #line 363 "util/configlexer.lex" -{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) } +{ YDVAR(1, VAR_VIEW_FIRST) } YY_BREAK case 150: YY_RULE_SETUP #line 364 "util/configlexer.lex" -{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) } +{ YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) } YY_BREAK case 151: YY_RULE_SETUP #line 365 "util/configlexer.lex" -{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) } +{ YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) } YY_BREAK case 152: YY_RULE_SETUP #line 366 "util/configlexer.lex" -{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) } +{ YDVAR(2, VAR_ACCESS_CONTROL) } YY_BREAK case 153: YY_RULE_SETUP #line 367 "util/configlexer.lex" -{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) } +{ YDVAR(2, VAR_INTERFACE_ACTION) } YY_BREAK case 154: YY_RULE_SETUP #line 368 "util/configlexer.lex" -{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) } +{ YDVAR(1, VAR_SEND_CLIENT_SUBNET) } YY_BREAK case 155: YY_RULE_SETUP #line 369 "util/configlexer.lex" -{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV4) } +{ YDVAR(1, VAR_CLIENT_SUBNET_ZONE) } YY_BREAK case 156: YY_RULE_SETUP #line 370 "util/configlexer.lex" -{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) } +{ YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) } YY_BREAK case 157: YY_RULE_SETUP #line 371 "util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_IDENTITY) } +{ YDVAR(1, VAR_CLIENT_SUBNET_OPCODE) } YY_BREAK case 158: YY_RULE_SETUP #line 372 "util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_VERSION) } +{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV4) } YY_BREAK case 159: YY_RULE_SETUP #line 373 "util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) } +{ YDVAR(1, VAR_MAX_CLIENT_SUBNET_IPV6) } YY_BREAK case 160: YY_RULE_SETUP #line 374 "util/configlexer.lex" -{ YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) } +{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV4) } YY_BREAK case 161: YY_RULE_SETUP #line 375 "util/configlexer.lex" -{ YDVAR(1, VAR_IDENTITY) } +{ YDVAR(1, VAR_MIN_CLIENT_SUBNET_IPV6) } YY_BREAK case 162: YY_RULE_SETUP #line 376 "util/configlexer.lex" -{ YDVAR(1, VAR_VERSION) } +{ YDVAR(1, 
VAR_MAX_ECS_TREE_SIZE_IPV4) } YY_BREAK case 163: YY_RULE_SETUP #line 377 "util/configlexer.lex" -{ YDVAR(1, VAR_HTTP_USER_AGENT) } +{ YDVAR(1, VAR_MAX_ECS_TREE_SIZE_IPV6) } YY_BREAK case 164: YY_RULE_SETUP #line 378 "util/configlexer.lex" -{ YDVAR(1, VAR_MODULE_CONF) } +{ YDVAR(1, VAR_HIDE_IDENTITY) } YY_BREAK case 165: YY_RULE_SETUP #line 379 "util/configlexer.lex" -{ YDVAR(1, VAR_DLV_ANCHOR) } +{ YDVAR(1, VAR_HIDE_VERSION) } YY_BREAK case 166: YY_RULE_SETUP #line 380 "util/configlexer.lex" -{ YDVAR(1, VAR_DLV_ANCHOR_FILE) } +{ YDVAR(1, VAR_HIDE_TRUSTANCHOR) } YY_BREAK case 167: YY_RULE_SETUP #line 381 "util/configlexer.lex" -{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) } +{ YDVAR(1, VAR_HIDE_HTTP_USER_AGENT) } YY_BREAK case 168: YY_RULE_SETUP #line 382 "util/configlexer.lex" -{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) } +{ YDVAR(1, VAR_IDENTITY) } YY_BREAK case 169: YY_RULE_SETUP #line 383 "util/configlexer.lex" -{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) } +{ YDVAR(1, VAR_VERSION) } YY_BREAK case 170: YY_RULE_SETUP #line 384 "util/configlexer.lex" -{ YDVAR(1, VAR_TRUST_ANCHOR) } +{ YDVAR(1, VAR_HTTP_USER_AGENT) } YY_BREAK case 171: YY_RULE_SETUP #line 385 "util/configlexer.lex" -{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) } +{ YDVAR(1, VAR_MODULE_CONF) } YY_BREAK case 172: YY_RULE_SETUP #line 386 "util/configlexer.lex" -{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) } +{ YDVAR(1, VAR_DLV_ANCHOR) } YY_BREAK case 173: YY_RULE_SETUP #line 387 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) } +{ YDVAR(1, VAR_DLV_ANCHOR_FILE) } YY_BREAK case 174: YY_RULE_SETUP #line 388 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) } +{ YDVAR(1, VAR_TRUST_ANCHOR_FILE) } YY_BREAK case 175: YY_RULE_SETUP #line 389 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) } +{ YDVAR(1, VAR_AUTO_TRUST_ANCHOR_FILE) } YY_BREAK case 176: YY_RULE_SETUP #line 390 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_MAX_RESTART) } +{ YDVAR(1, VAR_TRUSTED_KEYS_FILE) } YY_BREAK case 177: YY_RULE_SETUP #line 391 
"util/configlexer.lex" -{ YDVAR(1, VAR_BOGUS_TTL) } +{ YDVAR(1, VAR_TRUST_ANCHOR) } YY_BREAK case 178: YY_RULE_SETUP #line 392 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) } +{ YDVAR(1, VAR_TRUST_ANCHOR_SIGNALING) } YY_BREAK case 179: YY_RULE_SETUP #line 393 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) } +{ YDVAR(1, VAR_ROOT_KEY_SENTINEL) } YY_BREAK case 180: YY_RULE_SETUP #line 394 "util/configlexer.lex" -{ YDVAR(1, VAR_AGGRESSIVE_NSEC) } +{ YDVAR(1, VAR_VAL_OVERRIDE_DATE) } YY_BREAK case 181: YY_RULE_SETUP #line 395 "util/configlexer.lex" -{ YDVAR(1, VAR_IGNORE_CD_FLAG) } +{ YDVAR(1, VAR_VAL_SIG_SKEW_MIN) } YY_BREAK case 182: YY_RULE_SETUP #line 396 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED) } +{ YDVAR(1, VAR_VAL_SIG_SKEW_MAX) } YY_BREAK case 183: YY_RULE_SETUP #line 397 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) } +{ YDVAR(1, VAR_VAL_MAX_RESTART) } YY_BREAK case 184: YY_RULE_SETUP #line 398 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) } +{ YDVAR(1, VAR_BOGUS_TTL) } YY_BREAK case 185: YY_RULE_SETUP #line 399 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) } +{ YDVAR(1, VAR_VAL_CLEAN_ADDITIONAL) } YY_BREAK case 186: YY_RULE_SETUP #line 400 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) } +{ YDVAR(1, VAR_VAL_PERMISSIVE_MODE) } YY_BREAK case 187: YY_RULE_SETUP #line 401 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) } +{ YDVAR(1, VAR_AGGRESSIVE_NSEC) } YY_BREAK case 188: YY_RULE_SETUP #line 402 "util/configlexer.lex" -{ YDVAR(1, VAR_FAKE_DSA) } +{ YDVAR(1, VAR_IGNORE_CD_FLAG) } YY_BREAK case 189: YY_RULE_SETUP #line 403 "util/configlexer.lex" -{ YDVAR(1, VAR_FAKE_SHA1) } +{ YDVAR(1, VAR_SERVE_EXPIRED) } YY_BREAK case 190: YY_RULE_SETUP #line 404 "util/configlexer.lex" -{ YDVAR(1, VAR_VAL_LOG_LEVEL) } +{ YDVAR(1, VAR_SERVE_EXPIRED_TTL) } YY_BREAK case 191: YY_RULE_SETUP #line 405 "util/configlexer.lex" -{ YDVAR(1, VAR_KEY_CACHE_SIZE) } +{ 
YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) } YY_BREAK case 192: YY_RULE_SETUP #line 406 "util/configlexer.lex" -{ YDVAR(1, VAR_KEY_CACHE_SLABS) } +{ YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) } YY_BREAK case 193: YY_RULE_SETUP #line 407 "util/configlexer.lex" -{ YDVAR(1, VAR_NEG_CACHE_SIZE) } +{ YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) } YY_BREAK case 194: YY_RULE_SETUP #line 408 "util/configlexer.lex" -{ - YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } +{ YDVAR(1, VAR_EDE_SERVE_EXPIRED) } YY_BREAK case 195: YY_RULE_SETUP -#line 410 "util/configlexer.lex" -{ YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) } +#line 409 "util/configlexer.lex" +{ YDVAR(1, VAR_SERVE_ORIGINAL_TTL) } YY_BREAK case 196: YY_RULE_SETUP -#line 411 "util/configlexer.lex" -{ YDVAR(1, VAR_ZONEMD_CHECK) } +#line 410 "util/configlexer.lex" +{ YDVAR(1, VAR_FAKE_DSA) } YY_BREAK case 197: YY_RULE_SETUP -#line 412 "util/configlexer.lex" -{ YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) } +#line 411 "util/configlexer.lex" +{ YDVAR(1, VAR_FAKE_SHA1) } YY_BREAK case 198: YY_RULE_SETUP -#line 413 "util/configlexer.lex" -{ YDVAR(1, VAR_ADD_HOLDDOWN) } +#line 412 "util/configlexer.lex" +{ YDVAR(1, VAR_VAL_LOG_LEVEL) } YY_BREAK case 199: YY_RULE_SETUP -#line 414 "util/configlexer.lex" -{ YDVAR(1, VAR_DEL_HOLDDOWN) } +#line 413 "util/configlexer.lex" +{ YDVAR(1, VAR_KEY_CACHE_SIZE) } YY_BREAK case 200: YY_RULE_SETUP -#line 415 "util/configlexer.lex" -{ YDVAR(1, VAR_KEEP_MISSING) } +#line 414 "util/configlexer.lex" +{ YDVAR(1, VAR_KEY_CACHE_SLABS) } YY_BREAK case 201: YY_RULE_SETUP -#line 416 "util/configlexer.lex" -{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) } +#line 415 "util/configlexer.lex" +{ YDVAR(1, VAR_NEG_CACHE_SIZE) } YY_BREAK case 202: YY_RULE_SETUP -#line 417 "util/configlexer.lex" -{ YDVAR(1, VAR_USE_SYSLOG) } +#line 416 "util/configlexer.lex" +{ + YDVAR(1, VAR_VAL_NSEC3_KEYSIZE_ITERATIONS) } YY_BREAK case 203: YY_RULE_SETUP #line 418 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_IDENTITY) } +{ YDVAR(1, VAR_ZONEMD_PERMISSIVE_MODE) } 
YY_BREAK case 204: YY_RULE_SETUP #line 419 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_TIME_ASCII) } +{ YDVAR(1, VAR_ZONEMD_CHECK) } YY_BREAK case 205: YY_RULE_SETUP #line 420 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_QUERIES) } +{ YDVAR(1, VAR_ZONEMD_REJECT_ABSENCE) } YY_BREAK case 206: YY_RULE_SETUP #line 421 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_REPLIES) } +{ YDVAR(1, VAR_ADD_HOLDDOWN) } YY_BREAK case 207: YY_RULE_SETUP #line 422 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) } +{ YDVAR(1, VAR_DEL_HOLDDOWN) } YY_BREAK case 208: YY_RULE_SETUP #line 423 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_LOCAL_ACTIONS) } +{ YDVAR(1, VAR_KEEP_MISSING) } YY_BREAK case 209: YY_RULE_SETUP #line 424 "util/configlexer.lex" -{ YDVAR(1, VAR_LOG_SERVFAIL) } +{ YDVAR(1, VAR_PERMIT_SMALL_HOLDDOWN) } YY_BREAK case 210: YY_RULE_SETUP #line 425 "util/configlexer.lex" -{ YDVAR(2, VAR_LOCAL_ZONE) } +{ YDVAR(1, VAR_USE_SYSLOG) } YY_BREAK case 211: YY_RULE_SETUP #line 426 "util/configlexer.lex" -{ YDVAR(1, VAR_LOCAL_DATA) } +{ YDVAR(1, VAR_LOG_IDENTITY) } YY_BREAK case 212: YY_RULE_SETUP #line 427 "util/configlexer.lex" -{ YDVAR(1, VAR_LOCAL_DATA_PTR) } +{ YDVAR(1, VAR_LOG_TIME_ASCII) } YY_BREAK case 213: YY_RULE_SETUP #line 428 "util/configlexer.lex" -{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } +{ YDVAR(1, VAR_LOG_QUERIES) } YY_BREAK case 214: YY_RULE_SETUP #line 429 "util/configlexer.lex" -{ YDVAR(1, VAR_INSECURE_LAN_ZONES) } +{ YDVAR(1, VAR_LOG_REPLIES) } YY_BREAK case 215: YY_RULE_SETUP #line 430 "util/configlexer.lex" -{ YDVAR(1, VAR_STATISTICS_INTERVAL) } +{ YDVAR(1, VAR_LOG_TAG_QUERYREPLY) } YY_BREAK case 216: YY_RULE_SETUP #line 431 "util/configlexer.lex" -{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) } +{ YDVAR(1, VAR_LOG_LOCAL_ACTIONS) } YY_BREAK case 217: YY_RULE_SETUP #line 432 "util/configlexer.lex" -{ YDVAR(1, VAR_EXTENDED_STATISTICS) } +{ YDVAR(1, VAR_LOG_SERVFAIL) } YY_BREAK case 218: YY_RULE_SETUP #line 433 "util/configlexer.lex" -{ YDVAR(1, VAR_SHM_ENABLE) } +{ YDVAR(2, 
VAR_LOCAL_ZONE) } YY_BREAK case 219: YY_RULE_SETUP #line 434 "util/configlexer.lex" -{ YDVAR(1, VAR_SHM_KEY) } +{ YDVAR(1, VAR_LOCAL_DATA) } YY_BREAK case 220: YY_RULE_SETUP #line 435 "util/configlexer.lex" -{ YDVAR(0, VAR_REMOTE_CONTROL) } +{ YDVAR(1, VAR_LOCAL_DATA_PTR) } YY_BREAK case 221: YY_RULE_SETUP #line 436 "util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_ENABLE) } +{ YDVAR(1, VAR_UNBLOCK_LAN_ZONES) } YY_BREAK case 222: YY_RULE_SETUP #line 437 "util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_INTERFACE) } +{ YDVAR(1, VAR_INSECURE_LAN_ZONES) } YY_BREAK case 223: YY_RULE_SETUP #line 438 "util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_PORT) } +{ YDVAR(1, VAR_STATISTICS_INTERVAL) } YY_BREAK case 224: YY_RULE_SETUP #line 439 "util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_USE_CERT) } +{ YDVAR(1, VAR_STATISTICS_CUMULATIVE) } YY_BREAK case 225: YY_RULE_SETUP #line 440 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVER_KEY_FILE) } +{ YDVAR(1, VAR_EXTENDED_STATISTICS) } YY_BREAK case 226: YY_RULE_SETUP #line 441 "util/configlexer.lex" -{ YDVAR(1, VAR_SERVER_CERT_FILE) } +{ YDVAR(1, VAR_STATISTICS_INHIBIT_ZERO) } YY_BREAK case 227: YY_RULE_SETUP #line 442 "util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_KEY_FILE) } +{ YDVAR(1, VAR_SHM_ENABLE) } YY_BREAK case 228: YY_RULE_SETUP #line 443 "util/configlexer.lex" -{ YDVAR(1, VAR_CONTROL_CERT_FILE) } +{ YDVAR(1, VAR_SHM_KEY) } YY_BREAK case 229: YY_RULE_SETUP #line 444 "util/configlexer.lex" -{ YDVAR(1, VAR_PYTHON_SCRIPT) } +{ YDVAR(0, VAR_REMOTE_CONTROL) } YY_BREAK case 230: YY_RULE_SETUP #line 445 "util/configlexer.lex" -{ YDVAR(0, VAR_PYTHON) } +{ YDVAR(1, VAR_CONTROL_ENABLE) } YY_BREAK case 231: YY_RULE_SETUP #line 446 "util/configlexer.lex" -{ YDVAR(1, VAR_DYNLIB_FILE) } +{ YDVAR(1, VAR_CONTROL_INTERFACE) } YY_BREAK case 232: YY_RULE_SETUP #line 447 "util/configlexer.lex" -{ YDVAR(0, VAR_DYNLIB) } +{ YDVAR(1, VAR_CONTROL_PORT) } YY_BREAK case 233: YY_RULE_SETUP #line 448 "util/configlexer.lex" -{ YDVAR(1, VAR_DOMAIN_INSECURE) } 
+{ YDVAR(1, VAR_CONTROL_USE_CERT) } YY_BREAK case 234: YY_RULE_SETUP #line 449 "util/configlexer.lex" -{ YDVAR(1, VAR_MINIMAL_RESPONSES) } +{ YDVAR(1, VAR_SERVER_KEY_FILE) } YY_BREAK case 235: YY_RULE_SETUP #line 450 "util/configlexer.lex" -{ YDVAR(1, VAR_RRSET_ROUNDROBIN) } +{ YDVAR(1, VAR_SERVER_CERT_FILE) } YY_BREAK case 236: YY_RULE_SETUP #line 451 "util/configlexer.lex" -{ YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) } +{ YDVAR(1, VAR_CONTROL_KEY_FILE) } YY_BREAK case 237: YY_RULE_SETUP #line 452 "util/configlexer.lex" -{ YDVAR(1, VAR_MAX_UDP_SIZE) } +{ YDVAR(1, VAR_CONTROL_CERT_FILE) } YY_BREAK case 238: YY_RULE_SETUP #line 453 "util/configlexer.lex" -{ YDVAR(1, VAR_DNS64_PREFIX) } +{ YDVAR(1, VAR_PYTHON_SCRIPT) } YY_BREAK case 239: YY_RULE_SETUP #line 454 "util/configlexer.lex" -{ YDVAR(1, VAR_DNS64_SYNTHALL) } +{ YDVAR(0, VAR_PYTHON) } YY_BREAK case 240: YY_RULE_SETUP #line 455 "util/configlexer.lex" -{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) } +{ YDVAR(1, VAR_DYNLIB_FILE) } YY_BREAK case 241: YY_RULE_SETUP #line 456 "util/configlexer.lex" -{ YDVAR(1, VAR_DEFINE_TAG) } +{ YDVAR(0, VAR_DYNLIB) } YY_BREAK case 242: YY_RULE_SETUP #line 457 "util/configlexer.lex" -{ YDVAR(2, VAR_LOCAL_ZONE_TAG) } +{ YDVAR(1, VAR_DOMAIN_INSECURE) } YY_BREAK case 243: YY_RULE_SETUP #line 458 "util/configlexer.lex" -{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) } +{ YDVAR(1, VAR_MINIMAL_RESPONSES) } YY_BREAK case 244: YY_RULE_SETUP #line 459 "util/configlexer.lex" -{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) } +{ YDVAR(1, VAR_RRSET_ROUNDROBIN) } YY_BREAK case 245: YY_RULE_SETUP #line 460 "util/configlexer.lex" -{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) } +{ YDVAR(1, VAR_UNKNOWN_SERVER_TIME_LIMIT) } YY_BREAK case 246: YY_RULE_SETUP #line 461 "util/configlexer.lex" -{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) } +{ YDVAR(1, VAR_MAX_UDP_SIZE) } YY_BREAK case 247: YY_RULE_SETUP #line 462 "util/configlexer.lex" -{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) } +{ YDVAR(1, VAR_DNS64_PREFIX) } YY_BREAK case 248: YY_RULE_SETUP #line 
463 "util/configlexer.lex" -{ YDVAR(0, VAR_DNSTAP) } +{ YDVAR(1, VAR_DNS64_SYNTHALL) } YY_BREAK case 249: YY_RULE_SETUP #line 464 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_ENABLE) } +{ YDVAR(1, VAR_DNS64_IGNORE_AAAA) } YY_BREAK case 250: YY_RULE_SETUP #line 465 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) } +{ YDVAR(1, VAR_DEFINE_TAG) } YY_BREAK case 251: YY_RULE_SETUP #line 466 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) } +{ YDVAR(2, VAR_LOCAL_ZONE_TAG) } YY_BREAK case 252: YY_RULE_SETUP #line 467 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_IP) } +{ YDVAR(2, VAR_ACCESS_CONTROL_TAG) } YY_BREAK case 253: YY_RULE_SETUP #line 468 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_TLS) } +{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) } YY_BREAK case 254: YY_RULE_SETUP #line 469 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) } +{ YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) } YY_BREAK case 255: YY_RULE_SETUP #line 470 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) } +{ YDVAR(2, VAR_ACCESS_CONTROL_VIEW) } YY_BREAK case 256: YY_RULE_SETUP #line 471 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) } +{ YDVAR(2, VAR_INTERFACE_TAG) } YY_BREAK case 257: YY_RULE_SETUP -#line 473 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) } +#line 472 "util/configlexer.lex" +{ YDVAR(3, VAR_INTERFACE_TAG_ACTION) } YY_BREAK case 258: YY_RULE_SETUP -#line 475 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_SEND_IDENTITY) } +#line 473 "util/configlexer.lex" +{ YDVAR(3, VAR_INTERFACE_TAG_DATA) } YY_BREAK case 259: YY_RULE_SETUP -#line 476 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) } +#line 474 "util/configlexer.lex" +{ YDVAR(2, VAR_INTERFACE_VIEW) } YY_BREAK case 260: YY_RULE_SETUP -#line 477 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_IDENTITY) } +#line 475 "util/configlexer.lex" +{ YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) } YY_BREAK case 261: YY_RULE_SETUP -#line 478 
"util/configlexer.lex" -{ YDVAR(1, VAR_DNSTAP_VERSION) } +#line 476 "util/configlexer.lex" +{ YDVAR(0, VAR_DNSTAP) } YY_BREAK case 262: YY_RULE_SETUP -#line 479 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) } +#line 477 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_ENABLE) } YY_BREAK case 263: YY_RULE_SETUP -#line 481 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) } +#line 478 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_BIDIRECTIONAL) } YY_BREAK case 264: YY_RULE_SETUP -#line 483 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) } +#line 479 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_SOCKET_PATH) } YY_BREAK case 265: YY_RULE_SETUP -#line 485 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) } +#line 480 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_IP) } YY_BREAK case 266: YY_RULE_SETUP -#line 487 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } +#line 481 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_TLS) } YY_BREAK case 267: YY_RULE_SETUP -#line 489 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } +#line 482 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_TLS_SERVER_NAME) } YY_BREAK case 268: YY_RULE_SETUP -#line 491 "util/configlexer.lex" -{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } +#line 483 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_TLS_CERT_BUNDLE) } YY_BREAK case 269: YY_RULE_SETUP -#line 492 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT) } +#line 484 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_TLS_CLIENT_KEY_FILE) } YY_BREAK case 270: YY_RULE_SETUP -#line 493 "util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT) } +#line 486 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_TLS_CLIENT_CERT_FILE) } YY_BREAK case 271: YY_RULE_SETUP -#line 494 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) } +#line 488 "util/configlexer.lex" +{ YDVAR(1, 
VAR_DNSTAP_SEND_IDENTITY) } YY_BREAK case 272: YY_RULE_SETUP -#line 495 "util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT_SLABS) } +#line 489 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_SEND_VERSION) } YY_BREAK case 273: YY_RULE_SETUP -#line 496 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) } +#line 490 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_IDENTITY) } YY_BREAK case 274: YY_RULE_SETUP -#line 497 "util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT_SIZE) } +#line 491 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSTAP_VERSION) } YY_BREAK case 275: YY_RULE_SETUP -#line 498 "util/configlexer.lex" -{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) } +#line 492 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES) } YY_BREAK case 276: YY_RULE_SETUP -#line 499 "util/configlexer.lex" -{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) } +#line 494 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES) } YY_BREAK case 277: YY_RULE_SETUP -#line 500 "util/configlexer.lex" -{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) } +#line 496 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES) } YY_BREAK case 278: YY_RULE_SETUP -#line 501 "util/configlexer.lex" -{ YDVAR(1, VAR_RATELIMIT_FACTOR) } +#line 498 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES) } YY_BREAK case 279: YY_RULE_SETUP -#line 502 "util/configlexer.lex" -{ YDVAR(1, VAR_LOW_RTT) } +#line 500 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES) } YY_BREAK case 280: YY_RULE_SETUP -#line 503 "util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_NUM) } +#line 502 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES) } YY_BREAK case 281: YY_RULE_SETUP #line 504 "util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } +{ YDVAR(1, VAR_DISABLE_DNSSEC_LAME_CHECK) } YY_BREAK case 282: YY_RULE_SETUP #line 505 "util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } +{ YDVAR(1, VAR_IP_RATELIMIT) } 
YY_BREAK case 283: YY_RULE_SETUP #line 506 "util/configlexer.lex" -{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } +{ YDVAR(1, VAR_RATELIMIT) } YY_BREAK case 284: YY_RULE_SETUP #line 507 "util/configlexer.lex" -{ YDVAR(2, VAR_RESPONSE_IP_TAG) } +{ YDVAR(1, VAR_IP_RATELIMIT_SLABS) } YY_BREAK case 285: YY_RULE_SETUP #line 508 "util/configlexer.lex" -{ YDVAR(2, VAR_RESPONSE_IP) } +{ YDVAR(1, VAR_RATELIMIT_SLABS) } YY_BREAK case 286: YY_RULE_SETUP #line 509 "util/configlexer.lex" -{ YDVAR(2, VAR_RESPONSE_IP_DATA) } +{ YDVAR(1, VAR_IP_RATELIMIT_SIZE) } YY_BREAK case 287: YY_RULE_SETUP #line 510 "util/configlexer.lex" -{ YDVAR(0, VAR_DNSCRYPT) } +{ YDVAR(1, VAR_RATELIMIT_SIZE) } YY_BREAK case 288: YY_RULE_SETUP #line 511 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_ENABLE) } +{ YDVAR(2, VAR_RATELIMIT_FOR_DOMAIN) } YY_BREAK case 289: YY_RULE_SETUP #line 512 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PORT) } +{ YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) } YY_BREAK case 290: YY_RULE_SETUP #line 513 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) } +{ YDVAR(1, VAR_IP_RATELIMIT_FACTOR) } YY_BREAK case 291: YY_RULE_SETUP #line 514 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) } +{ YDVAR(1, VAR_RATELIMIT_FACTOR) } YY_BREAK case 292: YY_RULE_SETUP #line 515 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) } +{ YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) } YY_BREAK case 293: YY_RULE_SETUP #line 516 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT_ROTATED) } +{ YDVAR(1, VAR_RATELIMIT_BACKOFF) } YY_BREAK case 294: YY_RULE_SETUP #line 517 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) } +{ YDVAR(1, VAR_OUTBOUND_MSG_RETRY) } YY_BREAK case 295: YY_RULE_SETUP -#line 519 "util/configlexer.lex" -{ - YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) } +#line 518 "util/configlexer.lex" +{ YDVAR(1, VAR_MAX_SENT_COUNT) } YY_BREAK case 296: YY_RULE_SETUP -#line 521 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) } 
+#line 519 "util/configlexer.lex" +{ YDVAR(1, VAR_MAX_QUERY_RESTARTS) } YY_BREAK case 297: YY_RULE_SETUP -#line 522 "util/configlexer.lex" -{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) } +#line 520 "util/configlexer.lex" +{ YDVAR(1, VAR_LOW_RTT) } YY_BREAK case 298: YY_RULE_SETUP -#line 523 "util/configlexer.lex" -{ YDVAR(1, VAR_PAD_RESPONSES) } +#line 521 "util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_NUM) } YY_BREAK case 299: YY_RULE_SETUP -#line 524 "util/configlexer.lex" -{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) } +#line 522 "util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } YY_BREAK case 300: YY_RULE_SETUP -#line 525 "util/configlexer.lex" -{ YDVAR(1, VAR_PAD_QUERIES) } +#line 523 "util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } YY_BREAK case 301: YY_RULE_SETUP -#line 526 "util/configlexer.lex" -{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) } +#line 524 "util/configlexer.lex" +{ YDVAR(1, VAR_FAST_SERVER_PERMIL) } YY_BREAK case 302: YY_RULE_SETUP -#line 527 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_ENABLED) } +#line 525 "util/configlexer.lex" +{ YDVAR(2, VAR_RESPONSE_IP_TAG) } YY_BREAK case 303: YY_RULE_SETUP -#line 528 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) } +#line 526 "util/configlexer.lex" +{ YDVAR(2, VAR_RESPONSE_IP) } YY_BREAK case 304: YY_RULE_SETUP -#line 529 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_HOOK) } +#line 527 "util/configlexer.lex" +{ YDVAR(2, VAR_RESPONSE_IP_DATA) } YY_BREAK case 305: YY_RULE_SETUP -#line 530 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) } +#line 528 "util/configlexer.lex" +{ YDVAR(0, VAR_DNSCRYPT) } YY_BREAK case 306: YY_RULE_SETUP -#line 531 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } +#line 529 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_ENABLE) } YY_BREAK case 307: YY_RULE_SETUP -#line 532 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } +#line 530 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PORT) } YY_BREAK case 308: 
YY_RULE_SETUP -#line 533 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSECMOD_STRICT) } +#line 531 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PROVIDER) } YY_BREAK case 309: YY_RULE_SETUP -#line 534 "util/configlexer.lex" -{ YDVAR(0, VAR_CACHEDB) } +#line 532 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_SECRET_KEY) } YY_BREAK case 310: YY_RULE_SETUP -#line 535 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_BACKEND) } +#line 533 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT) } YY_BREAK case 311: YY_RULE_SETUP -#line 536 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_SECRETSEED) } +#line 534 "util/configlexer.lex" +{ YDVAR(1, VAR_DNSCRYPT_PROVIDER_CERT_ROTATED) } YY_BREAK case 312: YY_RULE_SETUP -#line 537 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISHOST) } +#line 535 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE) } YY_BREAK case 313: YY_RULE_SETUP -#line 538 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISPORT) } +#line 537 "util/configlexer.lex" +{ + YDVAR(1, VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS) } YY_BREAK case 314: YY_RULE_SETUP #line 539 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) } +{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SIZE) } YY_BREAK case 315: YY_RULE_SETUP #line 540 "util/configlexer.lex" -{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) } +{ YDVAR(1, VAR_DNSCRYPT_NONCE_CACHE_SLABS) } YY_BREAK case 316: YY_RULE_SETUP #line 541 "util/configlexer.lex" -{ YDVAR(0, VAR_IPSET) } +{ YDVAR(1, VAR_PAD_RESPONSES) } YY_BREAK case 317: YY_RULE_SETUP #line 542 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSET_NAME_V4) } +{ YDVAR(1, VAR_PAD_RESPONSES_BLOCK_SIZE) } YY_BREAK case 318: YY_RULE_SETUP #line 543 "util/configlexer.lex" -{ YDVAR(1, VAR_IPSET_NAME_V6) } +{ YDVAR(1, VAR_PAD_QUERIES) } YY_BREAK case 319: YY_RULE_SETUP #line 544 "util/configlexer.lex" -{ YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) } +{ YDVAR(1, VAR_PAD_QUERIES_BLOCK_SIZE) } YY_BREAK case 320: YY_RULE_SETUP #line 545 
"util/configlexer.lex" -{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } +{ YDVAR(1, VAR_IPSECMOD_ENABLED) } YY_BREAK case 321: YY_RULE_SETUP #line 546 "util/configlexer.lex" -{ YDVAR(2, VAR_EDNS_CLIENT_STRING) } +{ YDVAR(1, VAR_IPSECMOD_IGNORE_BOGUS) } YY_BREAK case 322: YY_RULE_SETUP #line 547 "util/configlexer.lex" -{ YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } +{ YDVAR(1, VAR_IPSECMOD_HOOK) } YY_BREAK case 323: YY_RULE_SETUP #line 548 "util/configlexer.lex" -{ YDVAR(1, VAR_NSID ) } +{ YDVAR(1, VAR_IPSECMOD_MAX_TTL) } YY_BREAK case 324: -/* rule 324 can match eol */ YY_RULE_SETUP #line 549 "util/configlexer.lex" -{ LEXOUT(("NL\n")); cfg_parser->line++; } +{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } YY_BREAK -/* Quoted strings. Strip leading and ending quotes */ case 325: YY_RULE_SETUP +#line 550 "util/configlexer.lex" +{ YDVAR(1, VAR_IPSECMOD_WHITELIST) } + YY_BREAK +case 326: +YY_RULE_SETUP +#line 551 "util/configlexer.lex" +{ YDVAR(1, VAR_IPSECMOD_STRICT) } + YY_BREAK +case 327: +YY_RULE_SETUP #line 552 "util/configlexer.lex" +{ YDVAR(0, VAR_CACHEDB) } + YY_BREAK +case 328: +YY_RULE_SETUP +#line 553 "util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_BACKEND) } + YY_BREAK +case 329: +YY_RULE_SETUP +#line 554 "util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_SECRETSEED) } + YY_BREAK +case 330: +YY_RULE_SETUP +#line 555 "util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISHOST) } + YY_BREAK +case 331: +YY_RULE_SETUP +#line 556 "util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISPORT) } + YY_BREAK +case 332: +YY_RULE_SETUP +#line 557 "util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISTIMEOUT) } + YY_BREAK +case 333: +YY_RULE_SETUP +#line 558 "util/configlexer.lex" +{ YDVAR(1, VAR_CACHEDB_REDISEXPIRERECORDS) } + YY_BREAK +case 334: +YY_RULE_SETUP +#line 559 "util/configlexer.lex" +{ YDVAR(0, VAR_IPSET) } + YY_BREAK +case 335: +YY_RULE_SETUP +#line 560 "util/configlexer.lex" +{ YDVAR(1, VAR_IPSET_NAME_V4) } + YY_BREAK +case 336: +YY_RULE_SETUP +#line 561 "util/configlexer.lex" +{ YDVAR(1, 
VAR_IPSET_NAME_V6) } + YY_BREAK +case 337: +YY_RULE_SETUP +#line 562 "util/configlexer.lex" +{ YDVAR(1, VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM) } + YY_BREAK +case 338: +YY_RULE_SETUP +#line 563 "util/configlexer.lex" +{ YDVAR(2, VAR_TCP_CONNECTION_LIMIT) } + YY_BREAK +case 339: +YY_RULE_SETUP +#line 564 "util/configlexer.lex" +{ YDVAR(2, VAR_EDNS_CLIENT_STRING) } + YY_BREAK +case 340: +YY_RULE_SETUP +#line 565 "util/configlexer.lex" +{ YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } + YY_BREAK +case 341: +YY_RULE_SETUP +#line 566 "util/configlexer.lex" +{ YDVAR(1, VAR_NSID ) } + YY_BREAK +case 342: +YY_RULE_SETUP +#line 567 "util/configlexer.lex" +{ YDVAR(1, VAR_EDE ) } + YY_BREAK +case 343: +YY_RULE_SETUP +#line 568 "util/configlexer.lex" +{ YDVAR(1, VAR_PROXY_PROTOCOL_PORT) } + YY_BREAK +case 344: +/* rule 344 can match eol */ +YY_RULE_SETUP +#line 569 "util/configlexer.lex" +{ LEXOUT(("NL\n")); cfg_parser->line++; } + YY_BREAK +/* Quoted strings. Strip leading and ending quotes */ +case 345: +YY_RULE_SETUP +#line 572 "util/configlexer.lex" { BEGIN(quotedstring); LEXOUT(("QS ")); } YY_BREAK case YY_STATE_EOF(quotedstring): -#line 553 "util/configlexer.lex" +#line 573 "util/configlexer.lex" { yyerror("EOF inside quoted string"); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } } YY_BREAK -case 326: +case 346: YY_RULE_SETUP -#line 558 "util/configlexer.lex" +#line 578 "util/configlexer.lex" { LEXOUT(("STR(%s) ", yytext)); yymore(); } YY_BREAK -case 327: -/* rule 327 can match eol */ +case 347: +/* rule 347 can match eol */ YY_RULE_SETUP -#line 559 "util/configlexer.lex" +#line 579 "util/configlexer.lex" { yyerror("newline inside quoted string, no end \""); cfg_parser->line++; BEGIN(INITIAL); } YY_BREAK -case 328: +case 348: YY_RULE_SETUP -#line 561 "util/configlexer.lex" +#line 581 "util/configlexer.lex" { LEXOUT(("QE ")); if(--num_args == 0) { BEGIN(INITIAL); } 
@@ -5964,34 +6256,34 @@ } YY_BREAK /* Single Quoted strings. Strip leading and ending quotes */ -case 329: +case 349: YY_RULE_SETUP -#line 573 "util/configlexer.lex" +#line 593 "util/configlexer.lex" { BEGIN(singlequotedstr); LEXOUT(("SQS ")); } YY_BREAK case YY_STATE_EOF(singlequotedstr): -#line 574 "util/configlexer.lex" +#line 594 "util/configlexer.lex" { yyerror("EOF inside quoted string"); if(--num_args == 0) { BEGIN(INITIAL); } else { BEGIN(val); } } YY_BREAK -case 330: +case 350: YY_RULE_SETUP -#line 579 "util/configlexer.lex" +#line 599 "util/configlexer.lex" { LEXOUT(("STR(%s) ", yytext)); yymore(); } YY_BREAK -case 331: -/* rule 331 can match eol */ +case 351: +/* rule 351 can match eol */ YY_RULE_SETUP -#line 580 "util/configlexer.lex" +#line 600 "util/configlexer.lex" { yyerror("newline inside quoted string, no end '"); cfg_parser->line++; BEGIN(INITIAL); } YY_BREAK -case 332: +case 352: YY_RULE_SETUP -#line 582 "util/configlexer.lex" +#line 602 "util/configlexer.lex" { LEXOUT(("SQE ")); if(--num_args == 0) { BEGIN(INITIAL); } 
@@ -6004,38 +6296,38 @@ } YY_BREAK /* include: directive */ -case 333: +case 353: YY_RULE_SETUP -#line 594 "util/configlexer.lex" +#line 614 "util/configlexer.lex" { LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include); } YY_BREAK case YY_STATE_EOF(include): -#line 596 "util/configlexer.lex" +#line 616 "util/configlexer.lex" { yyerror("EOF inside include directive"); BEGIN(inc_prev); } YY_BREAK -case 334: +case 354: YY_RULE_SETUP -#line 600 "util/configlexer.lex" +#line 620 "util/configlexer.lex" { LEXOUT(("ISP ")); /* ignore */ } YY_BREAK -case 335: -/* rule 335 can match eol */ +case 355: +/* rule 355 can match eol */ YY_RULE_SETUP -#line 601 "util/configlexer.lex" +#line 621 "util/configlexer.lex" { LEXOUT(("NL\n")); cfg_parser->line++;} YY_BREAK -case 336: +case 356: YY_RULE_SETUP -#line 602 "util/configlexer.lex" +#line 622 "util/configlexer.lex" { LEXOUT(("IQS ")); BEGIN(include_quoted); } YY_BREAK -case 337: +case 357: YY_RULE_SETUP -#line 603 "util/configlexer.lex" +#line 623 "util/configlexer.lex" { LEXOUT(("Iunquotedstr(%s) ", yytext)); config_start_include_glob(yytext, 0); @@ -6043,27 +6335,27 @@ } YY_BREAK case YY_STATE_EOF(include_quoted): -#line 608 "util/configlexer.lex" +#line 628 "util/configlexer.lex" { yyerror("EOF inside quoted string"); BEGIN(inc_prev); } YY_BREAK -case 338: +case 358: YY_RULE_SETUP -#line 612 "util/configlexer.lex" +#line 632 "util/configlexer.lex" { LEXOUT(("ISTR(%s) ", yytext)); yymore(); } YY_BREAK -case 339: -/* rule 339 can match eol */ +case 359: +/* rule 359 can match eol */ YY_RULE_SETUP -#line 613 "util/configlexer.lex" +#line 633 "util/configlexer.lex" { yyerror("newline before \" in include name"); cfg_parser->line++; BEGIN(inc_prev); } YY_BREAK -case 340: +case 360: YY_RULE_SETUP -#line 615 "util/configlexer.lex" +#line 635 "util/configlexer.lex" { LEXOUT(("IQE ")); yytextyyleng - 1 = '\0'; 
@@ -6073,7 +6365,7 @@ YY_BREAK case YY_STATE_EOF(INITIAL): case YY_STATE_EOF(val): -#line 621 "util/configlexer.lex" +#line 641 "util/configlexer.lex" { LEXOUT(("LEXEOF ")); yy_set_bol(1); /* Set beginning of line, so "^" rules match. */ @@ -6088,39 +6380,39 @@ } YY_BREAK /* include-toplevel: directive */ -case 341: +case 361: YY_RULE_SETUP -#line 635 "util/configlexer.lex" +#line 655 "util/configlexer.lex" { LEXOUT(("v(%s) ", yytext)); inc_prev = YYSTATE; BEGIN(include_toplevel); } YY_BREAK case YY_STATE_EOF(include_toplevel): -#line 638 "util/configlexer.lex" +#line 658 "util/configlexer.lex" { yyerror("EOF inside include_toplevel directive"); BEGIN(inc_prev); } YY_BREAK -case 342: +case 362: YY_RULE_SETUP -#line 642 "util/configlexer.lex" +#line 662 "util/configlexer.lex" { LEXOUT(("ITSP ")); /* ignore */ } YY_BREAK -case 343: -/* rule 343 can match eol */ +case 363: +/* rule 363 can match eol */ YY_RULE_SETUP -#line 643 "util/configlexer.lex" +#line 663 "util/configlexer.lex" { LEXOUT(("NL\n")); cfg_parser->line++; } YY_BREAK -case 344: +case 364: YY_RULE_SETUP -#line 644 "util/configlexer.lex" +#line 664 "util/configlexer.lex" { LEXOUT(("ITQS ")); BEGIN(include_toplevel_quoted); } YY_BREAK -case 345: +case 365: YY_RULE_SETUP -#line 645 "util/configlexer.lex" +#line 665 "util/configlexer.lex" { LEXOUT(("ITunquotedstr(%s) ", yytext)); config_start_include_glob(yytext, 1); 
@@ -6129,29 +6421,29 @@ } YY_BREAK case YY_STATE_EOF(include_toplevel_quoted): -#line 651 "util/configlexer.lex" +#line 671 "util/configlexer.lex" { yyerror("EOF inside quoted string"); BEGIN(inc_prev); } YY_BREAK -case 346: +case 366: YY_RULE_SETUP -#line 655 "util/configlexer.lex" +#line 675 "util/configlexer.lex" { LEXOUT(("ITSTR(%s) ", yytext)); yymore(); } YY_BREAK -case 347: -/* rule 347 can match eol */ +case 367: +/* rule 367 can match eol */ YY_RULE_SETUP -#line 656 "util/configlexer.lex" +#line 676 "util/configlexer.lex" { yyerror("newline before \" in include name"); cfg_parser->line++; BEGIN(inc_prev); } YY_BREAK -case 348: +case 368: YY_RULE_SETUP -#line 660 "util/configlexer.lex" +#line 680 "util/configlexer.lex" { LEXOUT(("ITQE ")); yytextyyleng - 1 = '\0'; @@ -6160,33 +6452,33 @@ return (VAR_FORCE_TOPLEVEL); } YY_BREAK -case 349: +case 369: YY_RULE_SETUP -#line 668 "util/configlexer.lex" +#line 688 "util/configlexer.lex" { LEXOUT(("unquotedstr(%s) ", yytext)); if(--num_args == 0) { BEGIN(INITIAL); } yylval.str = strdup(yytext); return STRING_ARG; } YY_BREAK -case 350: +case 370: YY_RULE_SETUP -#line 672 "util/configlexer.lex" +#line 692 "util/configlexer.lex" { ub_c_error_msg("unknown keyword '%s'", yytext); } YY_BREAK -case 351: +case 371: YY_RULE_SETUP -#line 676 "util/configlexer.lex" +#line 696 "util/configlexer.lex" { ub_c_error_msg("stray '%s'", yytext); } YY_BREAK -case 352: +case 372: YY_RULE_SETUP -#line 680 "util/configlexer.lex" +#line 700 "util/configlexer.lex" ECHO; YY_BREAK -#line 6187 "<stdout>" +#line 6479 "<stdout>" case YY_END_OF_BUFFER: { @@ -6481,7 +6773,7 @@ while ( yy_chkyy_baseyy_current_state + yy_c != yy_current_state ) { yy_current_state = (int) yy_defyy_current_state; - if ( yy_current_state >= 3484 ) + if ( yy_current_state >= 3683 ) yy_c = yy_metayy_c; } yy_current_state = yy_nxtyy_baseyy_current_state + yy_c; 
@@ -6509,11 +6801,11 @@ while ( yy_chkyy_baseyy_current_state + yy_c != yy_current_state ) { yy_current_state = (int) yy_defyy_current_state; - if ( yy_current_state >= 3484 ) + if ( yy_current_state >= 3683 ) yy_c = yy_metayy_c; } yy_current_state = yy_nxtyy_baseyy_current_state + yy_c; - yy_is_jam = (yy_current_state == 3483); + yy_is_jam = (yy_current_state == 3682); return yy_is_jam ? 0 : yy_current_state; } @@ -7152,6 +7444,6 @@ #define YYTABLES_NAME "yytables" -#line 680 "util/configlexer.lex" +#line 700 "util/configlexer.lex"
_service:tar_scm:unbound-1.13.2.tar.gz/util/configlexer.lex -> _service:tar_scm:unbound-1.17.1.tar.gz/util/configlexer.lex
Changed
@@ -251,6 +251,7 @@
 ssl-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) }
 tls-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) }
 tls-win-cert{COLON} { YDVAR(1, VAR_TLS_WIN_CERT) }
+tls-system-cert{COLON} { YDVAR(1, VAR_TLS_WIN_CERT) }
 additional-ssl-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 additional-tls-port{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 tls-additional-ports{COLON} { YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
@@ -272,6 +273,7 @@
 ip-address{COLON} { YDVAR(1, VAR_INTERFACE) }
 outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) }
 interface-automatic{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC) }
+interface-automatic-ports{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC_PORTS) }
 so-rcvbuf{COLON} { YDVAR(1, VAR_SO_RCVBUF) }
 so-sndbuf{COLON} { YDVAR(1, VAR_SO_SNDBUF) }
 so-reuseport{COLON} { YDVAR(1, VAR_SO_REUSEPORT) }
@@ -300,6 +302,7 @@
 infra-cache-numhosts{COLON} { YDVAR(1, VAR_INFRA_CACHE_NUMHOSTS) }
 infra-cache-lame-size{COLON} { YDVAR(1, VAR_INFRA_CACHE_LAME_SIZE) }
 infra-cache-min-rtt{COLON} { YDVAR(1, VAR_INFRA_CACHE_MIN_RTT) }
+infra-cache-max-rtt{COLON} { YDVAR(1, VAR_INFRA_CACHE_MAX_RTT) }
 infra-keep-probing{COLON} { YDVAR(1, VAR_INFRA_KEEP_PROBING) }
 num-queries-per-thread{COLON} { YDVAR(1, VAR_NUM_QUERIES_PER_THREAD) }
 jostle-timeout{COLON} { YDVAR(1, VAR_JOSTLE_TIMEOUT) }
@@ -331,6 +334,7 @@
 stub-no-cache{COLON} { YDVAR(1, VAR_STUB_NO_CACHE) }
 stub-ssl-upstream{COLON} { YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
 stub-tls-upstream{COLON} { YDVAR(1, VAR_STUB_SSL_UPSTREAM) }
+stub-tcp-upstream{COLON} { YDVAR(1, VAR_STUB_TCP_UPSTREAM) }
 forward-zone{COLON} { YDVAR(0, VAR_FORWARD_ZONE) }
 forward-addr{COLON} { YDVAR(1, VAR_FORWARD_ADDR) }
 forward-host{COLON} { YDVAR(1, VAR_FORWARD_HOST) }
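Review bot: The new `tls-system-cert` rule in the `@@ -251,6 +251,7 @@` hunk returns `VAR_TLS_WIN_CERT`, the same token as `tls-win-cert` on the line above, and nothing on the line says the reuse is deliberate. Going by the option name, this setting controls whether the operating system's certificate store is loaded for TLS authentication, so a reader searching the grammar for a token matching the new keyword will find none. A one-line comment above the pair would cover it: `/* tls-system-cert is an alias of tls-win-cert; both return VAR_TLS_WIN_CERT */`.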
@@ -338,6 +342,7 @@
 forward-no-cache{COLON} { YDVAR(1, VAR_FORWARD_NO_CACHE) }
 forward-ssl-upstream{COLON} { YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
 forward-tls-upstream{COLON} { YDVAR(1, VAR_FORWARD_SSL_UPSTREAM) }
+forward-tcp-upstream{COLON} { YDVAR(1, VAR_FORWARD_TCP_UPSTREAM) }
 auth-zone{COLON} { YDVAR(0, VAR_AUTH_ZONE) }
 rpz{COLON} { YDVAR(0, VAR_RPZ) }
 tags{COLON} { YDVAR(1, VAR_TAGS) }
@@ -345,6 +350,7 @@
 rpz-cname-override{COLON} { YDVAR(1, VAR_RPZ_CNAME_OVERRIDE) }
 rpz-log{COLON} { YDVAR(1, VAR_RPZ_LOG) }
 rpz-log-name{COLON} { YDVAR(1, VAR_RPZ_LOG_NAME) }
+rpz-signal-nxdomain-ra{COLON} { YDVAR(1, VAR_RPZ_SIGNAL_NXDOMAIN_RA) }
 zonefile{COLON} { YDVAR(1, VAR_ZONEFILE) }
 master{COLON} { YDVAR(1, VAR_MASTER) }
 primary{COLON} { YDVAR(1, VAR_MASTER) }
@@ -358,6 +364,7 @@
 do-not-query-address{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_ADDRESS) }
 do-not-query-localhost{COLON} { YDVAR(1, VAR_DO_NOT_QUERY_LOCALHOST) }
 access-control{COLON} { YDVAR(2, VAR_ACCESS_CONTROL) }
+interface-action{COLON} { YDVAR(2, VAR_INTERFACE_ACTION) }
 send-client-subnet{COLON} { YDVAR(1, VAR_SEND_CLIENT_SUBNET) }
 client-subnet-zone{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ZONE) }
 client-subnet-always-forward{COLON} { YDVAR(1, VAR_CLIENT_SUBNET_ALWAYS_FORWARD) }
@@ -398,6 +405,7 @@
 serve-expired-ttl-reset{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_TTL_RESET) }
 serve-expired-reply-ttl{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_REPLY_TTL) }
 serve-expired-client-timeout{COLON} { YDVAR(1, VAR_SERVE_EXPIRED_CLIENT_TIMEOUT) }
+ede-serve-expired{COLON} { YDVAR(1, VAR_EDE_SERVE_EXPIRED) }
 serve-original-ttl{COLON} { YDVAR(1, VAR_SERVE_ORIGINAL_TTL) }
 fake-dsa{COLON} { YDVAR(1, VAR_FAKE_DSA) }
 fake-sha1{COLON} { YDVAR(1, VAR_FAKE_SHA1) }
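Review bot: No comment ties the new `interface-*` rules to the `access-control-*` rules they sit beside. `interface-action` in the `@@ -358,6 +364,7 @@` hunk is added under `access-control` with the same argument count of 2, and the later `@@ -459,6 +468,10 @@` hunk adds `interface-tag`, `interface-tag-action`, `interface-tag-data` and `interface-view` directly under the `access-control-*` rules. These rules only set the argument count; the action string is not checked here and is presumably validated in the grammar, which is outside this file. Both families appear to configure access decisions, so a short comment on each group would keep the arities from drifting apart, for example `/* interface-*: per-interface twin of access-control-*; keep argument counts identical */`.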
@@ -430,6 +438,7 @@
 statistics-interval{COLON} { YDVAR(1, VAR_STATISTICS_INTERVAL) }
 statistics-cumulative{COLON} { YDVAR(1, VAR_STATISTICS_CUMULATIVE) }
 extended-statistics{COLON} { YDVAR(1, VAR_EXTENDED_STATISTICS) }
+statistics-inhibit-zero{COLON} { YDVAR(1, VAR_STATISTICS_INHIBIT_ZERO) }
 shm-enable{COLON} { YDVAR(1, VAR_SHM_ENABLE) }
 shm-key{COLON} { YDVAR(1, VAR_SHM_KEY) }
 remote-control{COLON} { YDVAR(0, VAR_REMOTE_CONTROL) }
@@ -459,6 +468,10 @@
 access-control-tag-action{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_ACTION) }
 access-control-tag-data{COLON} { YDVAR(3, VAR_ACCESS_CONTROL_TAG_DATA) }
 access-control-view{COLON} { YDVAR(2, VAR_ACCESS_CONTROL_VIEW) }
+interface-tag{COLON} { YDVAR(2, VAR_INTERFACE_TAG) }
+interface-tag-action{COLON} { YDVAR(3, VAR_INTERFACE_TAG_ACTION) }
+interface-tag-data{COLON} { YDVAR(3, VAR_INTERFACE_TAG_DATA) }
+interface-view{COLON} { YDVAR(2, VAR_INTERFACE_VIEW) }
 local-zone-override{COLON} { YDVAR(3, VAR_LOCAL_ZONE_OVERRIDE) }
 dnstap{COLON} { YDVAR(0, VAR_DNSTAP) }
 dnstap-enable{COLON} { YDVAR(1, VAR_DNSTAP_ENABLE) }
@@ -499,6 +512,11 @@
 ratelimit-below-domain{COLON} { YDVAR(2, VAR_RATELIMIT_BELOW_DOMAIN) }
 ip-ratelimit-factor{COLON} { YDVAR(1, VAR_IP_RATELIMIT_FACTOR) }
 ratelimit-factor{COLON} { YDVAR(1, VAR_RATELIMIT_FACTOR) }
+ip-ratelimit-backoff{COLON} { YDVAR(1, VAR_IP_RATELIMIT_BACKOFF) }
+ratelimit-backoff{COLON} { YDVAR(1, VAR_RATELIMIT_BACKOFF) }
+outbound-msg-retry{COLON} { YDVAR(1, VAR_OUTBOUND_MSG_RETRY) }
+max-sent-count{COLON} { YDVAR(1, VAR_MAX_SENT_COUNT) }
+max-query-restarts{COLON} { YDVAR(1, VAR_MAX_QUERY_RESTARTS) }
 low-rtt{COLON} { YDVAR(1, VAR_LOW_RTT) }
 fast-server-num{COLON} { YDVAR(1, VAR_FAST_SERVER_NUM) }
 low-rtt-pct{COLON} { YDVAR(1, VAR_FAST_SERVER_PERMIL) }
@@ -546,6 +564,8 @@ edns-client-string{COLON} { YDVAR(2, VAR_EDNS_CLIENT_STRING) } edns-client-string-opcode{COLON} { YDVAR(1, VAR_EDNS_CLIENT_STRING_OPCODE) } nsid{COLON} { YDVAR(1, VAR_NSID ) } +ede{COLON} { YDVAR(1, VAR_EDE ) } +proxy-protocol-port{COLON} { YDVAR(1, VAR_PROXY_PROTOCOL_PORT) } <INITIAL,val>{NEWLINE} { LEXOUT(("NL\n")); cfg_parser->line++; } /* Quoted strings. Strip leading and ending quotes */
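Review bot: `proxy-protocol-port` is added here without a comment, although of the two new keywords it is the one that moves a trust boundary. As I understand the feature, a port listed under it expects a PROXYv2 header and the client address is taken from that header, so address-based controls such as `access-control` then depend on who can reach that port. The rule accepts any single string, so the check that the value is a valid port number has to live in the grammar, which is outside this file. I would add a comment above the rule: `/* proxy-protocol-port: listed ports expect PROXYv2; the client address comes from the header, so expose them to trusted proxies only */`.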
_service:tar_scm:unbound-1.13.2.tar.gz/util/configparser.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/configparser.c
Changed
@@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 3.6.4. */ +/* A Bison parser, made by GNU Bison 3.7.6. */ /* Bison implementation for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation, + Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify @@ -16,7 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. */ + along with this program. If not, see <https://www.gnu.org/licenses/>. */ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work @@ -45,11 +45,11 @@ define necessary library symbols; they are noted "INFRINGES ON USER NAME SPACE" below. */ -/* Identify Bison output. */ -#define YYBISON 1 +/* Identify Bison output, and Bison version. */ +#define YYBISON 30706 -/* Bison version. */ -#define YYBISON_VERSION "3.6.4" +/* Bison version string. */ +#define YYBISON_VERSION "3.7.6" /* Skeleton name. */ #define YYSKELETON_NAME "yacc.c" @@ -85,6 +85,7 @@ void ub_c_error(const char *message); static void validate_respip_action(const char* action); +static void validate_acl_action(const char* action); /* these need to be global, otherwise they cannot be used inside yacc */ extern struct config_parser_state* cfg_parser; @@ -96,7 +97,7 @@ #endif -#line 100 "util/configparser.c" +#line 101 "util/configparser.c" # ifndef YY_CAST # ifdef __cplusplus 
@@ -119,687 +120,7 @@ # endif # endif -/* Use api.header.include to #include this header - instead of duplicating it here. */ -#ifndef YY_YY_UTIL_CONFIGPARSER_H_INCLUDED -# define YY_YY_UTIL_CONFIGPARSER_H_INCLUDED -/* Debug traces. */ -#ifndef YYDEBUG -# define YYDEBUG 0 -#endif -#if YYDEBUG -extern int yydebug; -#endif - -/* Token kinds. */ -#ifndef YYTOKENTYPE -# define YYTOKENTYPE - enum yytokentype - { - YYEMPTY = -2, - YYEOF = 0, /* "end of file" */ - YYerror = 256, /* error */ - YYUNDEF = 257, /* "invalid token" */ - SPACE = 258, /* SPACE */ - LETTER = 259, /* LETTER */ - NEWLINE = 260, /* NEWLINE */ - COMMENT = 261, /* COMMENT */ - COLON = 262, /* COLON */ - ANY = 263, /* ANY */ - ZONESTR = 264, /* ZONESTR */ - STRING_ARG = 265, /* STRING_ARG */ - VAR_FORCE_TOPLEVEL = 266, /* VAR_FORCE_TOPLEVEL */ - VAR_SERVER = 267, /* VAR_SERVER */ - VAR_VERBOSITY = 268, /* VAR_VERBOSITY */ - VAR_NUM_THREADS = 269, /* VAR_NUM_THREADS */ - VAR_PORT = 270, /* VAR_PORT */ - VAR_OUTGOING_RANGE = 271, /* VAR_OUTGOING_RANGE */ - VAR_INTERFACE = 272, /* VAR_INTERFACE */ - VAR_PREFER_IP4 = 273, /* VAR_PREFER_IP4 */ - VAR_DO_IP4 = 274, /* VAR_DO_IP4 */ - VAR_DO_IP6 = 275, /* VAR_DO_IP6 */ - VAR_PREFER_IP6 = 276, /* VAR_PREFER_IP6 */ - VAR_DO_UDP = 277, /* VAR_DO_UDP */ - VAR_DO_TCP = 278, /* VAR_DO_TCP */ - VAR_TCP_MSS = 279, /* VAR_TCP_MSS */ - VAR_OUTGOING_TCP_MSS = 280, /* VAR_OUTGOING_TCP_MSS */ - VAR_TCP_IDLE_TIMEOUT = 281, /* VAR_TCP_IDLE_TIMEOUT */ - VAR_EDNS_TCP_KEEPALIVE = 282, /* VAR_EDNS_TCP_KEEPALIVE */ - VAR_EDNS_TCP_KEEPALIVE_TIMEOUT = 283, /* VAR_EDNS_TCP_KEEPALIVE_TIMEOUT */ - VAR_CHROOT = 284, /* VAR_CHROOT */ - VAR_USERNAME = 285, /* VAR_USERNAME */ - VAR_DIRECTORY = 286, /* VAR_DIRECTORY */ - VAR_LOGFILE = 287, /* VAR_LOGFILE */ - VAR_PIDFILE = 288, /* VAR_PIDFILE */ - VAR_MSG_CACHE_SIZE = 289, /* VAR_MSG_CACHE_SIZE */ - VAR_MSG_CACHE_SLABS = 290, /* VAR_MSG_CACHE_SLABS */ - VAR_NUM_QUERIES_PER_THREAD = 291, /* VAR_NUM_QUERIES_PER_THREAD */ - 
VAR_RRSET_CACHE_SIZE = 292, /* VAR_RRSET_CACHE_SIZE */ - VAR_RRSET_CACHE_SLABS = 293, /* VAR_RRSET_CACHE_SLABS */ - VAR_OUTGOING_NUM_TCP = 294, /* VAR_OUTGOING_NUM_TCP */ - VAR_INFRA_HOST_TTL = 295, /* VAR_INFRA_HOST_TTL */ - VAR_INFRA_LAME_TTL = 296, /* VAR_INFRA_LAME_TTL */ - VAR_INFRA_CACHE_SLABS = 297, /* VAR_INFRA_CACHE_SLABS */ - VAR_INFRA_CACHE_NUMHOSTS = 298, /* VAR_INFRA_CACHE_NUMHOSTS */ - VAR_INFRA_CACHE_LAME_SIZE = 299, /* VAR_INFRA_CACHE_LAME_SIZE */ - VAR_NAME = 300, /* VAR_NAME */ - VAR_STUB_ZONE = 301, /* VAR_STUB_ZONE */ - VAR_STUB_HOST = 302, /* VAR_STUB_HOST */ - VAR_STUB_ADDR = 303, /* VAR_STUB_ADDR */ - VAR_TARGET_FETCH_POLICY = 304, /* VAR_TARGET_FETCH_POLICY */ - VAR_HARDEN_SHORT_BUFSIZE = 305, /* VAR_HARDEN_SHORT_BUFSIZE */ - VAR_HARDEN_LARGE_QUERIES = 306, /* VAR_HARDEN_LARGE_QUERIES */ - VAR_FORWARD_ZONE = 307, /* VAR_FORWARD_ZONE */ - VAR_FORWARD_HOST = 308, /* VAR_FORWARD_HOST */ - VAR_FORWARD_ADDR = 309, /* VAR_FORWARD_ADDR */ - VAR_DO_NOT_QUERY_ADDRESS = 310, /* VAR_DO_NOT_QUERY_ADDRESS */ - VAR_HIDE_IDENTITY = 311, /* VAR_HIDE_IDENTITY */ - VAR_HIDE_VERSION = 312, /* VAR_HIDE_VERSION */ - VAR_IDENTITY = 313, /* VAR_IDENTITY */ - VAR_VERSION = 314, /* VAR_VERSION */ - VAR_HARDEN_GLUE = 315, /* VAR_HARDEN_GLUE */ - VAR_MODULE_CONF = 316, /* VAR_MODULE_CONF */ - VAR_TRUST_ANCHOR_FILE = 317, /* VAR_TRUST_ANCHOR_FILE */ - VAR_TRUST_ANCHOR = 318, /* VAR_TRUST_ANCHOR */ - VAR_VAL_OVERRIDE_DATE = 319, /* VAR_VAL_OVERRIDE_DATE */ - VAR_BOGUS_TTL = 320, /* VAR_BOGUS_TTL */ - VAR_VAL_CLEAN_ADDITIONAL = 321, /* VAR_VAL_CLEAN_ADDITIONAL */ - VAR_VAL_PERMISSIVE_MODE = 322, /* VAR_VAL_PERMISSIVE_MODE */ - VAR_INCOMING_NUM_TCP = 323, /* VAR_INCOMING_NUM_TCP */ - VAR_MSG_BUFFER_SIZE = 324, /* VAR_MSG_BUFFER_SIZE */ - VAR_KEY_CACHE_SIZE = 325, /* VAR_KEY_CACHE_SIZE */ - VAR_KEY_CACHE_SLABS = 326, /* VAR_KEY_CACHE_SLABS */ - VAR_TRUSTED_KEYS_FILE = 327, /* VAR_TRUSTED_KEYS_FILE */ - VAR_VAL_NSEC3_KEYSIZE_ITERATIONS = 328, /* 
VAR_VAL_NSEC3_KEYSIZE_ITERATIONS */ - VAR_USE_SYSLOG = 329, /* VAR_USE_SYSLOG */ - VAR_OUTGOING_INTERFACE = 330, /* VAR_OUTGOING_INTERFACE */ - VAR_ROOT_HINTS = 331, /* VAR_ROOT_HINTS */ - VAR_DO_NOT_QUERY_LOCALHOST = 332, /* VAR_DO_NOT_QUERY_LOCALHOST */ - VAR_CACHE_MAX_TTL = 333, /* VAR_CACHE_MAX_TTL */ - VAR_HARDEN_DNSSEC_STRIPPED = 334, /* VAR_HARDEN_DNSSEC_STRIPPED */ - VAR_ACCESS_CONTROL = 335, /* VAR_ACCESS_CONTROL */ - VAR_LOCAL_ZONE = 336, /* VAR_LOCAL_ZONE */ - VAR_LOCAL_DATA = 337, /* VAR_LOCAL_DATA */ - VAR_INTERFACE_AUTOMATIC = 338, /* VAR_INTERFACE_AUTOMATIC */ - VAR_STATISTICS_INTERVAL = 339, /* VAR_STATISTICS_INTERVAL */ - VAR_DO_DAEMONIZE = 340, /* VAR_DO_DAEMONIZE */ - VAR_USE_CAPS_FOR_ID = 341, /* VAR_USE_CAPS_FOR_ID */ - VAR_STATISTICS_CUMULATIVE = 342, /* VAR_STATISTICS_CUMULATIVE */ - VAR_OUTGOING_PORT_PERMIT = 343, /* VAR_OUTGOING_PORT_PERMIT */ - VAR_OUTGOING_PORT_AVOID = 344, /* VAR_OUTGOING_PORT_AVOID */ - VAR_DLV_ANCHOR_FILE = 345, /* VAR_DLV_ANCHOR_FILE */ - VAR_DLV_ANCHOR = 346, /* VAR_DLV_ANCHOR */ - VAR_NEG_CACHE_SIZE = 347, /* VAR_NEG_CACHE_SIZE */ - VAR_HARDEN_REFERRAL_PATH = 348, /* VAR_HARDEN_REFERRAL_PATH */ - VAR_PRIVATE_ADDRESS = 349, /* VAR_PRIVATE_ADDRESS */ - VAR_PRIVATE_DOMAIN = 350, /* VAR_PRIVATE_DOMAIN */ - VAR_REMOTE_CONTROL = 351, /* VAR_REMOTE_CONTROL */ - VAR_CONTROL_ENABLE = 352, /* VAR_CONTROL_ENABLE */ - VAR_CONTROL_INTERFACE = 353, /* VAR_CONTROL_INTERFACE */ - VAR_CONTROL_PORT = 354, /* VAR_CONTROL_PORT */ - VAR_SERVER_KEY_FILE = 355, /* VAR_SERVER_KEY_FILE */ - VAR_SERVER_CERT_FILE = 356, /* VAR_SERVER_CERT_FILE */ - VAR_CONTROL_KEY_FILE = 357, /* VAR_CONTROL_KEY_FILE */ - VAR_CONTROL_CERT_FILE = 358, /* VAR_CONTROL_CERT_FILE */ - VAR_CONTROL_USE_CERT = 359, /* VAR_CONTROL_USE_CERT */ - VAR_TCP_REUSE_TIMEOUT = 360, /* VAR_TCP_REUSE_TIMEOUT */ - VAR_MAX_REUSE_TCP_QUERIES = 361, /* VAR_MAX_REUSE_TCP_QUERIES */ - VAR_EXTENDED_STATISTICS = 362, /* VAR_EXTENDED_STATISTICS */ - VAR_LOCAL_DATA_PTR = 363, /* 
VAR_LOCAL_DATA_PTR */ - VAR_JOSTLE_TIMEOUT = 364, /* VAR_JOSTLE_TIMEOUT */ - VAR_STUB_PRIME = 365, /* VAR_STUB_PRIME */ - VAR_UNWANTED_REPLY_THRESHOLD = 366, /* VAR_UNWANTED_REPLY_THRESHOLD */ - VAR_LOG_TIME_ASCII = 367, /* VAR_LOG_TIME_ASCII */ - VAR_DOMAIN_INSECURE = 368, /* VAR_DOMAIN_INSECURE */ - VAR_PYTHON = 369, /* VAR_PYTHON */ - VAR_PYTHON_SCRIPT = 370, /* VAR_PYTHON_SCRIPT */ - VAR_VAL_SIG_SKEW_MIN = 371, /* VAR_VAL_SIG_SKEW_MIN */ - VAR_VAL_SIG_SKEW_MAX = 372, /* VAR_VAL_SIG_SKEW_MAX */ - VAR_VAL_MAX_RESTART = 373, /* VAR_VAL_MAX_RESTART */ - VAR_CACHE_MIN_TTL = 374, /* VAR_CACHE_MIN_TTL */ - VAR_VAL_LOG_LEVEL = 375, /* VAR_VAL_LOG_LEVEL */ - VAR_AUTO_TRUST_ANCHOR_FILE = 376, /* VAR_AUTO_TRUST_ANCHOR_FILE */ - VAR_KEEP_MISSING = 377, /* VAR_KEEP_MISSING */ - VAR_ADD_HOLDDOWN = 378, /* VAR_ADD_HOLDDOWN */ - VAR_DEL_HOLDDOWN = 379, /* VAR_DEL_HOLDDOWN */ - VAR_SO_RCVBUF = 380, /* VAR_SO_RCVBUF */ - VAR_EDNS_BUFFER_SIZE = 381, /* VAR_EDNS_BUFFER_SIZE */ - VAR_PREFETCH = 382, /* VAR_PREFETCH */ - VAR_PREFETCH_KEY = 383, /* VAR_PREFETCH_KEY */ - VAR_SO_SNDBUF = 384, /* VAR_SO_SNDBUF */ - VAR_SO_REUSEPORT = 385, /* VAR_SO_REUSEPORT */ - VAR_HARDEN_BELOW_NXDOMAIN = 386, /* VAR_HARDEN_BELOW_NXDOMAIN */ - VAR_IGNORE_CD_FLAG = 387, /* VAR_IGNORE_CD_FLAG */ - VAR_LOG_QUERIES = 388, /* VAR_LOG_QUERIES */ - VAR_LOG_REPLIES = 389, /* VAR_LOG_REPLIES */ - VAR_LOG_LOCAL_ACTIONS = 390, /* VAR_LOG_LOCAL_ACTIONS */ - VAR_TCP_UPSTREAM = 391, /* VAR_TCP_UPSTREAM */ - VAR_SSL_UPSTREAM = 392, /* VAR_SSL_UPSTREAM */ - VAR_TCP_AUTH_QUERY_TIMEOUT = 393, /* VAR_TCP_AUTH_QUERY_TIMEOUT */ - VAR_SSL_SERVICE_KEY = 394, /* VAR_SSL_SERVICE_KEY */ - VAR_SSL_SERVICE_PEM = 395, /* VAR_SSL_SERVICE_PEM */ - VAR_SSL_PORT = 396, /* VAR_SSL_PORT */ - VAR_FORWARD_FIRST = 397, /* VAR_FORWARD_FIRST */ - VAR_STUB_SSL_UPSTREAM = 398, /* VAR_STUB_SSL_UPSTREAM */ - VAR_FORWARD_SSL_UPSTREAM = 399, /* VAR_FORWARD_SSL_UPSTREAM */ - VAR_TLS_CERT_BUNDLE = 400, /* VAR_TLS_CERT_BUNDLE */ - VAR_HTTPS_PORT = 
401, /* VAR_HTTPS_PORT */ - VAR_HTTP_ENDPOINT = 402, /* VAR_HTTP_ENDPOINT */ - VAR_HTTP_MAX_STREAMS = 403, /* VAR_HTTP_MAX_STREAMS */ - VAR_HTTP_QUERY_BUFFER_SIZE = 404, /* VAR_HTTP_QUERY_BUFFER_SIZE */ - VAR_HTTP_RESPONSE_BUFFER_SIZE = 405, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ - VAR_HTTP_NODELAY = 406, /* VAR_HTTP_NODELAY */ - VAR_HTTP_NOTLS_DOWNSTREAM = 407, /* VAR_HTTP_NOTLS_DOWNSTREAM */ - VAR_STUB_FIRST = 408, /* VAR_STUB_FIRST */ - VAR_MINIMAL_RESPONSES = 409, /* VAR_MINIMAL_RESPONSES */ - VAR_RRSET_ROUNDROBIN = 410, /* VAR_RRSET_ROUNDROBIN */ - VAR_MAX_UDP_SIZE = 411, /* VAR_MAX_UDP_SIZE */ - VAR_DELAY_CLOSE = 412, /* VAR_DELAY_CLOSE */ - VAR_UDP_CONNECT = 413, /* VAR_UDP_CONNECT */ - VAR_UNBLOCK_LAN_ZONES = 414, /* VAR_UNBLOCK_LAN_ZONES */ - VAR_INSECURE_LAN_ZONES = 415, /* VAR_INSECURE_LAN_ZONES */ - VAR_INFRA_CACHE_MIN_RTT = 416, /* VAR_INFRA_CACHE_MIN_RTT */ - VAR_INFRA_KEEP_PROBING = 417, /* VAR_INFRA_KEEP_PROBING */ - VAR_DNS64_PREFIX = 418, /* VAR_DNS64_PREFIX */ - VAR_DNS64_SYNTHALL = 419, /* VAR_DNS64_SYNTHALL */ - VAR_DNS64_IGNORE_AAAA = 420, /* VAR_DNS64_IGNORE_AAAA */ - VAR_DNSTAP = 421, /* VAR_DNSTAP */ - VAR_DNSTAP_ENABLE = 422, /* VAR_DNSTAP_ENABLE */ - VAR_DNSTAP_SOCKET_PATH = 423, /* VAR_DNSTAP_SOCKET_PATH */ - VAR_DNSTAP_IP = 424, /* VAR_DNSTAP_IP */ - VAR_DNSTAP_TLS = 425, /* VAR_DNSTAP_TLS */ - VAR_DNSTAP_TLS_SERVER_NAME = 426, /* VAR_DNSTAP_TLS_SERVER_NAME */ - VAR_DNSTAP_TLS_CERT_BUNDLE = 427, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ - VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 428, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ - VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 429, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ - VAR_DNSTAP_SEND_IDENTITY = 430, /* VAR_DNSTAP_SEND_IDENTITY */ - VAR_DNSTAP_SEND_VERSION = 431, /* VAR_DNSTAP_SEND_VERSION */ - VAR_DNSTAP_BIDIRECTIONAL = 432, /* VAR_DNSTAP_BIDIRECTIONAL */ - VAR_DNSTAP_IDENTITY = 433, /* VAR_DNSTAP_IDENTITY */ - VAR_DNSTAP_VERSION = 434, /* VAR_DNSTAP_VERSION */ - VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 435, /* 
VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ - VAR_RESPONSE_IP_TAG = 441, /* VAR_RESPONSE_IP_TAG */ - VAR_RESPONSE_IP = 442, /* VAR_RESPONSE_IP */ - VAR_RESPONSE_IP_DATA = 443, /* VAR_RESPONSE_IP_DATA */ - VAR_HARDEN_ALGO_DOWNGRADE = 444, /* VAR_HARDEN_ALGO_DOWNGRADE */ - VAR_IP_TRANSPARENT = 445, /* VAR_IP_TRANSPARENT */ - VAR_IP_DSCP = 446, /* VAR_IP_DSCP */ - VAR_DISABLE_DNSSEC_LAME_CHECK = 447, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ - VAR_IP_RATELIMIT = 448, /* VAR_IP_RATELIMIT */ - VAR_IP_RATELIMIT_SLABS = 449, /* VAR_IP_RATELIMIT_SLABS */ - VAR_IP_RATELIMIT_SIZE = 450, /* VAR_IP_RATELIMIT_SIZE */ - VAR_RATELIMIT = 451, /* VAR_RATELIMIT */ - VAR_RATELIMIT_SLABS = 452, /* VAR_RATELIMIT_SLABS */ - VAR_RATELIMIT_SIZE = 453, /* VAR_RATELIMIT_SIZE */ - VAR_RATELIMIT_FOR_DOMAIN = 454, /* VAR_RATELIMIT_FOR_DOMAIN */ - VAR_RATELIMIT_BELOW_DOMAIN = 455, /* VAR_RATELIMIT_BELOW_DOMAIN */ - VAR_IP_RATELIMIT_FACTOR = 456, /* VAR_IP_RATELIMIT_FACTOR */ - VAR_RATELIMIT_FACTOR = 457, /* VAR_RATELIMIT_FACTOR */ - VAR_SEND_CLIENT_SUBNET = 458, /* VAR_SEND_CLIENT_SUBNET */ - VAR_CLIENT_SUBNET_ZONE = 459, /* VAR_CLIENT_SUBNET_ZONE */ - VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 460, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ - VAR_CLIENT_SUBNET_OPCODE = 461, /* VAR_CLIENT_SUBNET_OPCODE */ - VAR_MAX_CLIENT_SUBNET_IPV4 = 462, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ - VAR_MAX_CLIENT_SUBNET_IPV6 = 463, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ - VAR_MIN_CLIENT_SUBNET_IPV4 = 464, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ - VAR_MIN_CLIENT_SUBNET_IPV6 = 465, 
/* VAR_MIN_CLIENT_SUBNET_IPV6 */ - VAR_MAX_ECS_TREE_SIZE_IPV4 = 466, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ - VAR_MAX_ECS_TREE_SIZE_IPV6 = 467, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ - VAR_CAPS_WHITELIST = 468, /* VAR_CAPS_WHITELIST */ - VAR_CACHE_MAX_NEGATIVE_TTL = 469, /* VAR_CACHE_MAX_NEGATIVE_TTL */ - VAR_PERMIT_SMALL_HOLDDOWN = 470, /* VAR_PERMIT_SMALL_HOLDDOWN */ - VAR_QNAME_MINIMISATION = 471, /* VAR_QNAME_MINIMISATION */ - VAR_QNAME_MINIMISATION_STRICT = 472, /* VAR_QNAME_MINIMISATION_STRICT */ - VAR_IP_FREEBIND = 473, /* VAR_IP_FREEBIND */ - VAR_DEFINE_TAG = 474, /* VAR_DEFINE_TAG */ - VAR_LOCAL_ZONE_TAG = 475, /* VAR_LOCAL_ZONE_TAG */ - VAR_ACCESS_CONTROL_TAG = 476, /* VAR_ACCESS_CONTROL_TAG */ - VAR_LOCAL_ZONE_OVERRIDE = 477, /* VAR_LOCAL_ZONE_OVERRIDE */ - VAR_ACCESS_CONTROL_TAG_ACTION = 478, /* VAR_ACCESS_CONTROL_TAG_ACTION */ - VAR_ACCESS_CONTROL_TAG_DATA = 479, /* VAR_ACCESS_CONTROL_TAG_DATA */ - VAR_VIEW = 480, /* VAR_VIEW */ - VAR_ACCESS_CONTROL_VIEW = 481, /* VAR_ACCESS_CONTROL_VIEW */ - VAR_VIEW_FIRST = 482, /* VAR_VIEW_FIRST */ - VAR_SERVE_EXPIRED = 483, /* VAR_SERVE_EXPIRED */ - VAR_SERVE_EXPIRED_TTL = 484, /* VAR_SERVE_EXPIRED_TTL */ - VAR_SERVE_EXPIRED_TTL_RESET = 485, /* VAR_SERVE_EXPIRED_TTL_RESET */ - VAR_SERVE_EXPIRED_REPLY_TTL = 486, /* VAR_SERVE_EXPIRED_REPLY_TTL */ - VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 487, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ - VAR_SERVE_ORIGINAL_TTL = 488, /* VAR_SERVE_ORIGINAL_TTL */ - VAR_FAKE_DSA = 489, /* VAR_FAKE_DSA */ - VAR_FAKE_SHA1 = 490, /* VAR_FAKE_SHA1 */ - VAR_LOG_IDENTITY = 491, /* VAR_LOG_IDENTITY */ - VAR_HIDE_TRUSTANCHOR = 492, /* VAR_HIDE_TRUSTANCHOR */ - VAR_HIDE_HTTP_USER_AGENT = 493, /* VAR_HIDE_HTTP_USER_AGENT */ - VAR_HTTP_USER_AGENT = 494, /* VAR_HTTP_USER_AGENT */ - VAR_TRUST_ANCHOR_SIGNALING = 495, /* VAR_TRUST_ANCHOR_SIGNALING */ - VAR_AGGRESSIVE_NSEC = 496, /* VAR_AGGRESSIVE_NSEC */ - VAR_USE_SYSTEMD = 497, /* VAR_USE_SYSTEMD */ - VAR_SHM_ENABLE = 498, /* VAR_SHM_ENABLE */ - VAR_SHM_KEY = 499, /* 
VAR_SHM_KEY */ - VAR_ROOT_KEY_SENTINEL = 500, /* VAR_ROOT_KEY_SENTINEL */ - VAR_DNSCRYPT = 501, /* VAR_DNSCRYPT */ - VAR_DNSCRYPT_ENABLE = 502, /* VAR_DNSCRYPT_ENABLE */ - VAR_DNSCRYPT_PORT = 503, /* VAR_DNSCRYPT_PORT */ - VAR_DNSCRYPT_PROVIDER = 504, /* VAR_DNSCRYPT_PROVIDER */ - VAR_DNSCRYPT_SECRET_KEY = 505, /* VAR_DNSCRYPT_SECRET_KEY */ - VAR_DNSCRYPT_PROVIDER_CERT = 506, /* VAR_DNSCRYPT_PROVIDER_CERT */ - VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 507, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 508, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 509, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ - VAR_DNSCRYPT_NONCE_CACHE_SIZE = 510, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ - VAR_DNSCRYPT_NONCE_CACHE_SLABS = 511, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ - VAR_PAD_RESPONSES = 512, /* VAR_PAD_RESPONSES */ - VAR_PAD_RESPONSES_BLOCK_SIZE = 513, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ - VAR_PAD_QUERIES = 514, /* VAR_PAD_QUERIES */ - VAR_PAD_QUERIES_BLOCK_SIZE = 515, /* VAR_PAD_QUERIES_BLOCK_SIZE */ - VAR_IPSECMOD_ENABLED = 516, /* VAR_IPSECMOD_ENABLED */ - VAR_IPSECMOD_HOOK = 517, /* VAR_IPSECMOD_HOOK */ - VAR_IPSECMOD_IGNORE_BOGUS = 518, /* VAR_IPSECMOD_IGNORE_BOGUS */ - VAR_IPSECMOD_MAX_TTL = 519, /* VAR_IPSECMOD_MAX_TTL */ - VAR_IPSECMOD_WHITELIST = 520, /* VAR_IPSECMOD_WHITELIST */ - VAR_IPSECMOD_STRICT = 521, /* VAR_IPSECMOD_STRICT */ - VAR_CACHEDB = 522, /* VAR_CACHEDB */ - VAR_CACHEDB_BACKEND = 523, /* VAR_CACHEDB_BACKEND */ - VAR_CACHEDB_SECRETSEED = 524, /* VAR_CACHEDB_SECRETSEED */ - VAR_CACHEDB_REDISHOST = 525, /* VAR_CACHEDB_REDISHOST */ - VAR_CACHEDB_REDISPORT = 526, /* VAR_CACHEDB_REDISPORT */ - VAR_CACHEDB_REDISTIMEOUT = 527, /* VAR_CACHEDB_REDISTIMEOUT */ - VAR_CACHEDB_REDISEXPIRERECORDS = 528, /* VAR_CACHEDB_REDISEXPIRERECORDS */ - VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 529, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ - VAR_FOR_UPSTREAM = 530, /* VAR_FOR_UPSTREAM */ - VAR_AUTH_ZONE = 531, /* 
VAR_AUTH_ZONE */ - VAR_ZONEFILE = 532, /* VAR_ZONEFILE */ - VAR_MASTER = 533, /* VAR_MASTER */ - VAR_URL = 534, /* VAR_URL */ - VAR_FOR_DOWNSTREAM = 535, /* VAR_FOR_DOWNSTREAM */ - VAR_FALLBACK_ENABLED = 536, /* VAR_FALLBACK_ENABLED */ - VAR_TLS_ADDITIONAL_PORT = 537, /* VAR_TLS_ADDITIONAL_PORT */ - VAR_LOW_RTT = 538, /* VAR_LOW_RTT */ - VAR_LOW_RTT_PERMIL = 539, /* VAR_LOW_RTT_PERMIL */ - VAR_FAST_SERVER_PERMIL = 540, /* VAR_FAST_SERVER_PERMIL */ - VAR_FAST_SERVER_NUM = 541, /* VAR_FAST_SERVER_NUM */ - VAR_ALLOW_NOTIFY = 542, /* VAR_ALLOW_NOTIFY */ - VAR_TLS_WIN_CERT = 543, /* VAR_TLS_WIN_CERT */ - VAR_TCP_CONNECTION_LIMIT = 544, /* VAR_TCP_CONNECTION_LIMIT */ - VAR_FORWARD_NO_CACHE = 545, /* VAR_FORWARD_NO_CACHE */ - VAR_STUB_NO_CACHE = 546, /* VAR_STUB_NO_CACHE */ - VAR_LOG_SERVFAIL = 547, /* VAR_LOG_SERVFAIL */ - VAR_DENY_ANY = 548, /* VAR_DENY_ANY */ - VAR_UNKNOWN_SERVER_TIME_LIMIT = 549, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ - VAR_LOG_TAG_QUERYREPLY = 550, /* VAR_LOG_TAG_QUERYREPLY */ - VAR_STREAM_WAIT_SIZE = 551, /* VAR_STREAM_WAIT_SIZE */ - VAR_TLS_CIPHERS = 552, /* VAR_TLS_CIPHERS */ - VAR_TLS_CIPHERSUITES = 553, /* VAR_TLS_CIPHERSUITES */ - VAR_TLS_USE_SNI = 554, /* VAR_TLS_USE_SNI */ - VAR_IPSET = 555, /* VAR_IPSET */ - VAR_IPSET_NAME_V4 = 556, /* VAR_IPSET_NAME_V4 */ - VAR_IPSET_NAME_V6 = 557, /* VAR_IPSET_NAME_V6 */ - VAR_TLS_SESSION_TICKET_KEYS = 558, /* VAR_TLS_SESSION_TICKET_KEYS */ - VAR_RPZ = 559, /* VAR_RPZ */ - VAR_TAGS = 560, /* VAR_TAGS */ - VAR_RPZ_ACTION_OVERRIDE = 561, /* VAR_RPZ_ACTION_OVERRIDE */ - VAR_RPZ_CNAME_OVERRIDE = 562, /* VAR_RPZ_CNAME_OVERRIDE */ - VAR_RPZ_LOG = 563, /* VAR_RPZ_LOG */ - VAR_RPZ_LOG_NAME = 564, /* VAR_RPZ_LOG_NAME */ - VAR_DYNLIB = 565, /* VAR_DYNLIB */ - VAR_DYNLIB_FILE = 566, /* VAR_DYNLIB_FILE */ - VAR_EDNS_CLIENT_STRING = 567, /* VAR_EDNS_CLIENT_STRING */ - VAR_EDNS_CLIENT_STRING_OPCODE = 568, /* VAR_EDNS_CLIENT_STRING_OPCODE */ - VAR_NSID = 569, /* VAR_NSID */ - VAR_ZONEMD_PERMISSIVE_MODE = 570, /* 
VAR_ZONEMD_PERMISSIVE_MODE */ - VAR_ZONEMD_CHECK = 571, /* VAR_ZONEMD_CHECK */ - VAR_ZONEMD_REJECT_ABSENCE = 572 /* VAR_ZONEMD_REJECT_ABSENCE */ - }; - typedef enum yytokentype yytoken_kind_t; -#endif -/* Token kinds. */ -#define YYEOF 0 -#define YYerror 256 -#define YYUNDEF 257 -#define SPACE 258 -#define LETTER 259 -#define NEWLINE 260 -#define COMMENT 261 -#define COLON 262 -#define ANY 263 -#define ZONESTR 264 -#define STRING_ARG 265 -#define VAR_FORCE_TOPLEVEL 266 -#define VAR_SERVER 267 -#define VAR_VERBOSITY 268 -#define VAR_NUM_THREADS 269 -#define VAR_PORT 270 -#define VAR_OUTGOING_RANGE 271 -#define VAR_INTERFACE 272 -#define VAR_PREFER_IP4 273 -#define VAR_DO_IP4 274 -#define VAR_DO_IP6 275 -#define VAR_PREFER_IP6 276 -#define VAR_DO_UDP 277 -#define VAR_DO_TCP 278 -#define VAR_TCP_MSS 279 -#define VAR_OUTGOING_TCP_MSS 280 -#define VAR_TCP_IDLE_TIMEOUT 281 -#define VAR_EDNS_TCP_KEEPALIVE 282 -#define VAR_EDNS_TCP_KEEPALIVE_TIMEOUT 283 -#define VAR_CHROOT 284 -#define VAR_USERNAME 285 -#define VAR_DIRECTORY 286 -#define VAR_LOGFILE 287 -#define VAR_PIDFILE 288 -#define VAR_MSG_CACHE_SIZE 289 -#define VAR_MSG_CACHE_SLABS 290 -#define VAR_NUM_QUERIES_PER_THREAD 291 -#define VAR_RRSET_CACHE_SIZE 292 -#define VAR_RRSET_CACHE_SLABS 293 -#define VAR_OUTGOING_NUM_TCP 294 -#define VAR_INFRA_HOST_TTL 295 -#define VAR_INFRA_LAME_TTL 296 -#define VAR_INFRA_CACHE_SLABS 297 -#define VAR_INFRA_CACHE_NUMHOSTS 298 -#define VAR_INFRA_CACHE_LAME_SIZE 299 -#define VAR_NAME 300 -#define VAR_STUB_ZONE 301 -#define VAR_STUB_HOST 302 -#define VAR_STUB_ADDR 303 -#define VAR_TARGET_FETCH_POLICY 304 -#define VAR_HARDEN_SHORT_BUFSIZE 305 -#define VAR_HARDEN_LARGE_QUERIES 306 -#define VAR_FORWARD_ZONE 307 -#define VAR_FORWARD_HOST 308 -#define VAR_FORWARD_ADDR 309 -#define VAR_DO_NOT_QUERY_ADDRESS 310 -#define VAR_HIDE_IDENTITY 311 -#define VAR_HIDE_VERSION 312 -#define VAR_IDENTITY 313 -#define VAR_VERSION 314 -#define VAR_HARDEN_GLUE 315 -#define VAR_MODULE_CONF 316 -#define 
VAR_TRUST_ANCHOR_FILE 317 -#define VAR_TRUST_ANCHOR 318 -#define VAR_VAL_OVERRIDE_DATE 319 -#define VAR_BOGUS_TTL 320 -#define VAR_VAL_CLEAN_ADDITIONAL 321 -#define VAR_VAL_PERMISSIVE_MODE 322 -#define VAR_INCOMING_NUM_TCP 323 -#define VAR_MSG_BUFFER_SIZE 324 -#define VAR_KEY_CACHE_SIZE 325 -#define VAR_KEY_CACHE_SLABS 326 -#define VAR_TRUSTED_KEYS_FILE 327 -#define VAR_VAL_NSEC3_KEYSIZE_ITERATIONS 328 -#define VAR_USE_SYSLOG 329 -#define VAR_OUTGOING_INTERFACE 330 -#define VAR_ROOT_HINTS 331 -#define VAR_DO_NOT_QUERY_LOCALHOST 332 -#define VAR_CACHE_MAX_TTL 333 -#define VAR_HARDEN_DNSSEC_STRIPPED 334 -#define VAR_ACCESS_CONTROL 335 -#define VAR_LOCAL_ZONE 336 -#define VAR_LOCAL_DATA 337 -#define VAR_INTERFACE_AUTOMATIC 338 -#define VAR_STATISTICS_INTERVAL 339 -#define VAR_DO_DAEMONIZE 340 -#define VAR_USE_CAPS_FOR_ID 341 -#define VAR_STATISTICS_CUMULATIVE 342 -#define VAR_OUTGOING_PORT_PERMIT 343 -#define VAR_OUTGOING_PORT_AVOID 344 -#define VAR_DLV_ANCHOR_FILE 345 -#define VAR_DLV_ANCHOR 346 -#define VAR_NEG_CACHE_SIZE 347 -#define VAR_HARDEN_REFERRAL_PATH 348 -#define VAR_PRIVATE_ADDRESS 349 -#define VAR_PRIVATE_DOMAIN 350 -#define VAR_REMOTE_CONTROL 351 -#define VAR_CONTROL_ENABLE 352 -#define VAR_CONTROL_INTERFACE 353 -#define VAR_CONTROL_PORT 354 -#define VAR_SERVER_KEY_FILE 355 -#define VAR_SERVER_CERT_FILE 356 -#define VAR_CONTROL_KEY_FILE 357 -#define VAR_CONTROL_CERT_FILE 358 -#define VAR_CONTROL_USE_CERT 359 -#define VAR_TCP_REUSE_TIMEOUT 360 -#define VAR_MAX_REUSE_TCP_QUERIES 361 -#define VAR_EXTENDED_STATISTICS 362 -#define VAR_LOCAL_DATA_PTR 363 -#define VAR_JOSTLE_TIMEOUT 364 -#define VAR_STUB_PRIME 365 -#define VAR_UNWANTED_REPLY_THRESHOLD 366 -#define VAR_LOG_TIME_ASCII 367 -#define VAR_DOMAIN_INSECURE 368 -#define VAR_PYTHON 369 -#define VAR_PYTHON_SCRIPT 370 -#define VAR_VAL_SIG_SKEW_MIN 371 -#define VAR_VAL_SIG_SKEW_MAX 372 -#define VAR_VAL_MAX_RESTART 373 -#define VAR_CACHE_MIN_TTL 374 -#define VAR_VAL_LOG_LEVEL 375 -#define 
VAR_AUTO_TRUST_ANCHOR_FILE 376 -#define VAR_KEEP_MISSING 377 -#define VAR_ADD_HOLDDOWN 378 -#define VAR_DEL_HOLDDOWN 379 -#define VAR_SO_RCVBUF 380 -#define VAR_EDNS_BUFFER_SIZE 381 -#define VAR_PREFETCH 382 -#define VAR_PREFETCH_KEY 383 -#define VAR_SO_SNDBUF 384 -#define VAR_SO_REUSEPORT 385 -#define VAR_HARDEN_BELOW_NXDOMAIN 386 -#define VAR_IGNORE_CD_FLAG 387 -#define VAR_LOG_QUERIES 388 -#define VAR_LOG_REPLIES 389 -#define VAR_LOG_LOCAL_ACTIONS 390 -#define VAR_TCP_UPSTREAM 391 -#define VAR_SSL_UPSTREAM 392 -#define VAR_TCP_AUTH_QUERY_TIMEOUT 393 -#define VAR_SSL_SERVICE_KEY 394 -#define VAR_SSL_SERVICE_PEM 395 -#define VAR_SSL_PORT 396 -#define VAR_FORWARD_FIRST 397 -#define VAR_STUB_SSL_UPSTREAM 398 -#define VAR_FORWARD_SSL_UPSTREAM 399 -#define VAR_TLS_CERT_BUNDLE 400 -#define VAR_HTTPS_PORT 401 -#define VAR_HTTP_ENDPOINT 402 -#define VAR_HTTP_MAX_STREAMS 403 -#define VAR_HTTP_QUERY_BUFFER_SIZE 404 -#define VAR_HTTP_RESPONSE_BUFFER_SIZE 405 -#define VAR_HTTP_NODELAY 406 -#define VAR_HTTP_NOTLS_DOWNSTREAM 407 -#define VAR_STUB_FIRST 408 -#define VAR_MINIMAL_RESPONSES 409 -#define VAR_RRSET_ROUNDROBIN 410 -#define VAR_MAX_UDP_SIZE 411 -#define VAR_DELAY_CLOSE 412 -#define VAR_UDP_CONNECT 413 -#define VAR_UNBLOCK_LAN_ZONES 414 -#define VAR_INSECURE_LAN_ZONES 415 -#define VAR_INFRA_CACHE_MIN_RTT 416 -#define VAR_INFRA_KEEP_PROBING 417 -#define VAR_DNS64_PREFIX 418 -#define VAR_DNS64_SYNTHALL 419 -#define VAR_DNS64_IGNORE_AAAA 420 -#define VAR_DNSTAP 421 -#define VAR_DNSTAP_ENABLE 422 -#define VAR_DNSTAP_SOCKET_PATH 423 -#define VAR_DNSTAP_IP 424 -#define VAR_DNSTAP_TLS 425 -#define VAR_DNSTAP_TLS_SERVER_NAME 426 -#define VAR_DNSTAP_TLS_CERT_BUNDLE 427 -#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 428 -#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 429 -#define VAR_DNSTAP_SEND_IDENTITY 430 -#define VAR_DNSTAP_SEND_VERSION 431 -#define VAR_DNSTAP_BIDIRECTIONAL 432 -#define VAR_DNSTAP_IDENTITY 433 -#define VAR_DNSTAP_VERSION 434 -#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 
435 -#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 436 -#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 437 -#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 438 -#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 439 -#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 440 -#define VAR_RESPONSE_IP_TAG 441 -#define VAR_RESPONSE_IP 442 -#define VAR_RESPONSE_IP_DATA 443 -#define VAR_HARDEN_ALGO_DOWNGRADE 444 -#define VAR_IP_TRANSPARENT 445 -#define VAR_IP_DSCP 446 -#define VAR_DISABLE_DNSSEC_LAME_CHECK 447 -#define VAR_IP_RATELIMIT 448 -#define VAR_IP_RATELIMIT_SLABS 449 -#define VAR_IP_RATELIMIT_SIZE 450 -#define VAR_RATELIMIT 451 -#define VAR_RATELIMIT_SLABS 452 -#define VAR_RATELIMIT_SIZE 453 -#define VAR_RATELIMIT_FOR_DOMAIN 454 -#define VAR_RATELIMIT_BELOW_DOMAIN 455 -#define VAR_IP_RATELIMIT_FACTOR 456 -#define VAR_RATELIMIT_FACTOR 457 -#define VAR_SEND_CLIENT_SUBNET 458 -#define VAR_CLIENT_SUBNET_ZONE 459 -#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 460 -#define VAR_CLIENT_SUBNET_OPCODE 461 -#define VAR_MAX_CLIENT_SUBNET_IPV4 462 -#define VAR_MAX_CLIENT_SUBNET_IPV6 463 -#define VAR_MIN_CLIENT_SUBNET_IPV4 464 -#define VAR_MIN_CLIENT_SUBNET_IPV6 465 -#define VAR_MAX_ECS_TREE_SIZE_IPV4 466 -#define VAR_MAX_ECS_TREE_SIZE_IPV6 467 -#define VAR_CAPS_WHITELIST 468 -#define VAR_CACHE_MAX_NEGATIVE_TTL 469 -#define VAR_PERMIT_SMALL_HOLDDOWN 470 -#define VAR_QNAME_MINIMISATION 471 -#define VAR_QNAME_MINIMISATION_STRICT 472 -#define VAR_IP_FREEBIND 473 -#define VAR_DEFINE_TAG 474 -#define VAR_LOCAL_ZONE_TAG 475 -#define VAR_ACCESS_CONTROL_TAG 476 -#define VAR_LOCAL_ZONE_OVERRIDE 477 -#define VAR_ACCESS_CONTROL_TAG_ACTION 478 -#define VAR_ACCESS_CONTROL_TAG_DATA 479 -#define VAR_VIEW 480 -#define VAR_ACCESS_CONTROL_VIEW 481 -#define VAR_VIEW_FIRST 482 -#define VAR_SERVE_EXPIRED 483 -#define VAR_SERVE_EXPIRED_TTL 484 -#define VAR_SERVE_EXPIRED_TTL_RESET 485 -#define VAR_SERVE_EXPIRED_REPLY_TTL 486 -#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 487 -#define VAR_SERVE_ORIGINAL_TTL 488 
-#define VAR_FAKE_DSA 489 -#define VAR_FAKE_SHA1 490 -#define VAR_LOG_IDENTITY 491 -#define VAR_HIDE_TRUSTANCHOR 492 -#define VAR_HIDE_HTTP_USER_AGENT 493 -#define VAR_HTTP_USER_AGENT 494 -#define VAR_TRUST_ANCHOR_SIGNALING 495 -#define VAR_AGGRESSIVE_NSEC 496 -#define VAR_USE_SYSTEMD 497 -#define VAR_SHM_ENABLE 498 -#define VAR_SHM_KEY 499 -#define VAR_ROOT_KEY_SENTINEL 500 -#define VAR_DNSCRYPT 501 -#define VAR_DNSCRYPT_ENABLE 502 -#define VAR_DNSCRYPT_PORT 503 -#define VAR_DNSCRYPT_PROVIDER 504 -#define VAR_DNSCRYPT_SECRET_KEY 505 -#define VAR_DNSCRYPT_PROVIDER_CERT 506 -#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 507 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 508 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 509 -#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 510 -#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 511 -#define VAR_PAD_RESPONSES 512 -#define VAR_PAD_RESPONSES_BLOCK_SIZE 513 -#define VAR_PAD_QUERIES 514 -#define VAR_PAD_QUERIES_BLOCK_SIZE 515 -#define VAR_IPSECMOD_ENABLED 516 -#define VAR_IPSECMOD_HOOK 517 -#define VAR_IPSECMOD_IGNORE_BOGUS 518 -#define VAR_IPSECMOD_MAX_TTL 519 -#define VAR_IPSECMOD_WHITELIST 520 -#define VAR_IPSECMOD_STRICT 521 -#define VAR_CACHEDB 522 -#define VAR_CACHEDB_BACKEND 523 -#define VAR_CACHEDB_SECRETSEED 524 -#define VAR_CACHEDB_REDISHOST 525 -#define VAR_CACHEDB_REDISPORT 526 -#define VAR_CACHEDB_REDISTIMEOUT 527 -#define VAR_CACHEDB_REDISEXPIRERECORDS 528 -#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 529 -#define VAR_FOR_UPSTREAM 530 -#define VAR_AUTH_ZONE 531 -#define VAR_ZONEFILE 532 -#define VAR_MASTER 533 -#define VAR_URL 534 -#define VAR_FOR_DOWNSTREAM 535 -#define VAR_FALLBACK_ENABLED 536 -#define VAR_TLS_ADDITIONAL_PORT 537 -#define VAR_LOW_RTT 538 -#define VAR_LOW_RTT_PERMIL 539 -#define VAR_FAST_SERVER_PERMIL 540 -#define VAR_FAST_SERVER_NUM 541 -#define VAR_ALLOW_NOTIFY 542 -#define VAR_TLS_WIN_CERT 543 -#define VAR_TCP_CONNECTION_LIMIT 544 -#define VAR_FORWARD_NO_CACHE 545 -#define VAR_STUB_NO_CACHE 546 -#define 
VAR_LOG_SERVFAIL 547 -#define VAR_DENY_ANY 548 -#define VAR_UNKNOWN_SERVER_TIME_LIMIT 549 -#define VAR_LOG_TAG_QUERYREPLY 550 -#define VAR_STREAM_WAIT_SIZE 551 -#define VAR_TLS_CIPHERS 552 -#define VAR_TLS_CIPHERSUITES 553 -#define VAR_TLS_USE_SNI 554 -#define VAR_IPSET 555 -#define VAR_IPSET_NAME_V4 556 -#define VAR_IPSET_NAME_V6 557 -#define VAR_TLS_SESSION_TICKET_KEYS 558 -#define VAR_RPZ 559 -#define VAR_TAGS 560 -#define VAR_RPZ_ACTION_OVERRIDE 561 -#define VAR_RPZ_CNAME_OVERRIDE 562 -#define VAR_RPZ_LOG 563 -#define VAR_RPZ_LOG_NAME 564 -#define VAR_DYNLIB 565 -#define VAR_DYNLIB_FILE 566 -#define VAR_EDNS_CLIENT_STRING 567 -#define VAR_EDNS_CLIENT_STRING_OPCODE 568 -#define VAR_NSID 569 -#define VAR_ZONEMD_PERMISSIVE_MODE 570 -#define VAR_ZONEMD_CHECK 571 -#define VAR_ZONEMD_REJECT_ABSENCE 572 - -/* Value type. */ -#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED -union YYSTYPE -{ -#line 66 "util/configparser.y" - - char* str; - -#line 790 "util/configparser.c" - -}; -typedef union YYSTYPE YYSTYPE; -# define YYSTYPE_IS_TRIVIAL 1 -# define YYSTYPE_IS_DECLARED 1 -#endif - - -extern YYSTYPE yylval; - -int yyparse (void); - -#endif /* !YY_YY_UTIL_CONFIGPARSER_H_INCLUDED */ +#include "configparser.h" /* Symbol kind. */ enum yysymbol_kind_t { 
@@ -950,521 +271,559 @@ YYSYMBOL_VAR_STUB_SSL_UPSTREAM = 143, /* VAR_STUB_SSL_UPSTREAM */ YYSYMBOL_VAR_FORWARD_SSL_UPSTREAM = 144, /* VAR_FORWARD_SSL_UPSTREAM */ YYSYMBOL_VAR_TLS_CERT_BUNDLE = 145, /* VAR_TLS_CERT_BUNDLE */ - YYSYMBOL_VAR_HTTPS_PORT = 146, /* VAR_HTTPS_PORT */ - YYSYMBOL_VAR_HTTP_ENDPOINT = 147, /* VAR_HTTP_ENDPOINT */ - YYSYMBOL_VAR_HTTP_MAX_STREAMS = 148, /* VAR_HTTP_MAX_STREAMS */ - YYSYMBOL_VAR_HTTP_QUERY_BUFFER_SIZE = 149, /* VAR_HTTP_QUERY_BUFFER_SIZE */ - YYSYMBOL_VAR_HTTP_RESPONSE_BUFFER_SIZE = 150, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ - YYSYMBOL_VAR_HTTP_NODELAY = 151, /* VAR_HTTP_NODELAY */ - YYSYMBOL_VAR_HTTP_NOTLS_DOWNSTREAM = 152, /* VAR_HTTP_NOTLS_DOWNSTREAM */ - YYSYMBOL_VAR_STUB_FIRST = 153, /* VAR_STUB_FIRST */ - YYSYMBOL_VAR_MINIMAL_RESPONSES = 154, /* VAR_MINIMAL_RESPONSES */ - YYSYMBOL_VAR_RRSET_ROUNDROBIN = 155, /* VAR_RRSET_ROUNDROBIN */ - YYSYMBOL_VAR_MAX_UDP_SIZE = 156, /* VAR_MAX_UDP_SIZE */ - YYSYMBOL_VAR_DELAY_CLOSE = 157, /* VAR_DELAY_CLOSE */ - YYSYMBOL_VAR_UDP_CONNECT = 158, /* VAR_UDP_CONNECT */ - YYSYMBOL_VAR_UNBLOCK_LAN_ZONES = 159, /* VAR_UNBLOCK_LAN_ZONES */ - YYSYMBOL_VAR_INSECURE_LAN_ZONES = 160, /* VAR_INSECURE_LAN_ZONES */ - YYSYMBOL_VAR_INFRA_CACHE_MIN_RTT = 161, /* VAR_INFRA_CACHE_MIN_RTT */ - YYSYMBOL_VAR_INFRA_KEEP_PROBING = 162, /* VAR_INFRA_KEEP_PROBING */ - YYSYMBOL_VAR_DNS64_PREFIX = 163, /* VAR_DNS64_PREFIX */ - YYSYMBOL_VAR_DNS64_SYNTHALL = 164, /* VAR_DNS64_SYNTHALL */ - YYSYMBOL_VAR_DNS64_IGNORE_AAAA = 165, /* VAR_DNS64_IGNORE_AAAA */ - YYSYMBOL_VAR_DNSTAP = 166, /* VAR_DNSTAP */ - YYSYMBOL_VAR_DNSTAP_ENABLE = 167, /* VAR_DNSTAP_ENABLE */ - YYSYMBOL_VAR_DNSTAP_SOCKET_PATH = 168, /* VAR_DNSTAP_SOCKET_PATH */ - YYSYMBOL_VAR_DNSTAP_IP = 169, /* VAR_DNSTAP_IP */ - YYSYMBOL_VAR_DNSTAP_TLS = 170, /* VAR_DNSTAP_TLS */ - YYSYMBOL_VAR_DNSTAP_TLS_SERVER_NAME = 171, /* VAR_DNSTAP_TLS_SERVER_NAME */ - YYSYMBOL_VAR_DNSTAP_TLS_CERT_BUNDLE = 172, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ - 
YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 173, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ - YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 174, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ - YYSYMBOL_VAR_DNSTAP_SEND_IDENTITY = 175, /* VAR_DNSTAP_SEND_IDENTITY */ - YYSYMBOL_VAR_DNSTAP_SEND_VERSION = 176, /* VAR_DNSTAP_SEND_VERSION */ - YYSYMBOL_VAR_DNSTAP_BIDIRECTIONAL = 177, /* VAR_DNSTAP_BIDIRECTIONAL */ - YYSYMBOL_VAR_DNSTAP_IDENTITY = 178, /* VAR_DNSTAP_IDENTITY */ - YYSYMBOL_VAR_DNSTAP_VERSION = 179, /* VAR_DNSTAP_VERSION */ - YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 180, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 181, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 182, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 183, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 184, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ - YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 185, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ - YYSYMBOL_VAR_RESPONSE_IP_TAG = 186, /* VAR_RESPONSE_IP_TAG */ - YYSYMBOL_VAR_RESPONSE_IP = 187, /* VAR_RESPONSE_IP */ - YYSYMBOL_VAR_RESPONSE_IP_DATA = 188, /* VAR_RESPONSE_IP_DATA */ - YYSYMBOL_VAR_HARDEN_ALGO_DOWNGRADE = 189, /* VAR_HARDEN_ALGO_DOWNGRADE */ - YYSYMBOL_VAR_IP_TRANSPARENT = 190, /* VAR_IP_TRANSPARENT */ - YYSYMBOL_VAR_IP_DSCP = 191, /* VAR_IP_DSCP */ - YYSYMBOL_VAR_DISABLE_DNSSEC_LAME_CHECK = 192, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ - YYSYMBOL_VAR_IP_RATELIMIT = 193, /* VAR_IP_RATELIMIT */ - YYSYMBOL_VAR_IP_RATELIMIT_SLABS = 194, /* VAR_IP_RATELIMIT_SLABS */ - YYSYMBOL_VAR_IP_RATELIMIT_SIZE = 195, /* VAR_IP_RATELIMIT_SIZE */ - YYSYMBOL_VAR_RATELIMIT = 196, /* VAR_RATELIMIT */ - YYSYMBOL_VAR_RATELIMIT_SLABS = 197, /* VAR_RATELIMIT_SLABS */ - YYSYMBOL_VAR_RATELIMIT_SIZE = 198, /* VAR_RATELIMIT_SIZE */ - 
YYSYMBOL_VAR_RATELIMIT_FOR_DOMAIN = 199, /* VAR_RATELIMIT_FOR_DOMAIN */ - YYSYMBOL_VAR_RATELIMIT_BELOW_DOMAIN = 200, /* VAR_RATELIMIT_BELOW_DOMAIN */ - YYSYMBOL_VAR_IP_RATELIMIT_FACTOR = 201, /* VAR_IP_RATELIMIT_FACTOR */ - YYSYMBOL_VAR_RATELIMIT_FACTOR = 202, /* VAR_RATELIMIT_FACTOR */ - YYSYMBOL_VAR_SEND_CLIENT_SUBNET = 203, /* VAR_SEND_CLIENT_SUBNET */ - YYSYMBOL_VAR_CLIENT_SUBNET_ZONE = 204, /* VAR_CLIENT_SUBNET_ZONE */ - YYSYMBOL_VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 205, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ - YYSYMBOL_VAR_CLIENT_SUBNET_OPCODE = 206, /* VAR_CLIENT_SUBNET_OPCODE */ - YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV4 = 207, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ - YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV6 = 208, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ - YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV4 = 209, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ - YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV6 = 210, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ - YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV4 = 211, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ - YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV6 = 212, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ - YYSYMBOL_VAR_CAPS_WHITELIST = 213, /* VAR_CAPS_WHITELIST */ - YYSYMBOL_VAR_CACHE_MAX_NEGATIVE_TTL = 214, /* VAR_CACHE_MAX_NEGATIVE_TTL */ - YYSYMBOL_VAR_PERMIT_SMALL_HOLDDOWN = 215, /* VAR_PERMIT_SMALL_HOLDDOWN */ - YYSYMBOL_VAR_QNAME_MINIMISATION = 216, /* VAR_QNAME_MINIMISATION */ - YYSYMBOL_VAR_QNAME_MINIMISATION_STRICT = 217, /* VAR_QNAME_MINIMISATION_STRICT */ - YYSYMBOL_VAR_IP_FREEBIND = 218, /* VAR_IP_FREEBIND */ - YYSYMBOL_VAR_DEFINE_TAG = 219, /* VAR_DEFINE_TAG */ - YYSYMBOL_VAR_LOCAL_ZONE_TAG = 220, /* VAR_LOCAL_ZONE_TAG */ - YYSYMBOL_VAR_ACCESS_CONTROL_TAG = 221, /* VAR_ACCESS_CONTROL_TAG */ - YYSYMBOL_VAR_LOCAL_ZONE_OVERRIDE = 222, /* VAR_LOCAL_ZONE_OVERRIDE */ - YYSYMBOL_VAR_ACCESS_CONTROL_TAG_ACTION = 223, /* VAR_ACCESS_CONTROL_TAG_ACTION */ - YYSYMBOL_VAR_ACCESS_CONTROL_TAG_DATA = 224, /* VAR_ACCESS_CONTROL_TAG_DATA */ - YYSYMBOL_VAR_VIEW = 225, /* VAR_VIEW */ - YYSYMBOL_VAR_ACCESS_CONTROL_VIEW = 226, /* 
VAR_ACCESS_CONTROL_VIEW */ - YYSYMBOL_VAR_VIEW_FIRST = 227, /* VAR_VIEW_FIRST */ - YYSYMBOL_VAR_SERVE_EXPIRED = 228, /* VAR_SERVE_EXPIRED */ - YYSYMBOL_VAR_SERVE_EXPIRED_TTL = 229, /* VAR_SERVE_EXPIRED_TTL */ - YYSYMBOL_VAR_SERVE_EXPIRED_TTL_RESET = 230, /* VAR_SERVE_EXPIRED_TTL_RESET */ - YYSYMBOL_VAR_SERVE_EXPIRED_REPLY_TTL = 231, /* VAR_SERVE_EXPIRED_REPLY_TTL */ - YYSYMBOL_VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 232, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ - YYSYMBOL_VAR_SERVE_ORIGINAL_TTL = 233, /* VAR_SERVE_ORIGINAL_TTL */ - YYSYMBOL_VAR_FAKE_DSA = 234, /* VAR_FAKE_DSA */ - YYSYMBOL_VAR_FAKE_SHA1 = 235, /* VAR_FAKE_SHA1 */ - YYSYMBOL_VAR_LOG_IDENTITY = 236, /* VAR_LOG_IDENTITY */ - YYSYMBOL_VAR_HIDE_TRUSTANCHOR = 237, /* VAR_HIDE_TRUSTANCHOR */ - YYSYMBOL_VAR_HIDE_HTTP_USER_AGENT = 238, /* VAR_HIDE_HTTP_USER_AGENT */ - YYSYMBOL_VAR_HTTP_USER_AGENT = 239, /* VAR_HTTP_USER_AGENT */ - YYSYMBOL_VAR_TRUST_ANCHOR_SIGNALING = 240, /* VAR_TRUST_ANCHOR_SIGNALING */ - YYSYMBOL_VAR_AGGRESSIVE_NSEC = 241, /* VAR_AGGRESSIVE_NSEC */ - YYSYMBOL_VAR_USE_SYSTEMD = 242, /* VAR_USE_SYSTEMD */ - YYSYMBOL_VAR_SHM_ENABLE = 243, /* VAR_SHM_ENABLE */ - YYSYMBOL_VAR_SHM_KEY = 244, /* VAR_SHM_KEY */ - YYSYMBOL_VAR_ROOT_KEY_SENTINEL = 245, /* VAR_ROOT_KEY_SENTINEL */ - YYSYMBOL_VAR_DNSCRYPT = 246, /* VAR_DNSCRYPT */ - YYSYMBOL_VAR_DNSCRYPT_ENABLE = 247, /* VAR_DNSCRYPT_ENABLE */ - YYSYMBOL_VAR_DNSCRYPT_PORT = 248, /* VAR_DNSCRYPT_PORT */ - YYSYMBOL_VAR_DNSCRYPT_PROVIDER = 249, /* VAR_DNSCRYPT_PROVIDER */ - YYSYMBOL_VAR_DNSCRYPT_SECRET_KEY = 250, /* VAR_DNSCRYPT_SECRET_KEY */ - YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT = 251, /* VAR_DNSCRYPT_PROVIDER_CERT */ - YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 252, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ - YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 253, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ - YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 254, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ - YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SIZE = 255, /* 
VAR_DNSCRYPT_NONCE_CACHE_SIZE */ - YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SLABS = 256, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ - YYSYMBOL_VAR_PAD_RESPONSES = 257, /* VAR_PAD_RESPONSES */ - YYSYMBOL_VAR_PAD_RESPONSES_BLOCK_SIZE = 258, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ - YYSYMBOL_VAR_PAD_QUERIES = 259, /* VAR_PAD_QUERIES */ - YYSYMBOL_VAR_PAD_QUERIES_BLOCK_SIZE = 260, /* VAR_PAD_QUERIES_BLOCK_SIZE */ - YYSYMBOL_VAR_IPSECMOD_ENABLED = 261, /* VAR_IPSECMOD_ENABLED */ - YYSYMBOL_VAR_IPSECMOD_HOOK = 262, /* VAR_IPSECMOD_HOOK */ - YYSYMBOL_VAR_IPSECMOD_IGNORE_BOGUS = 263, /* VAR_IPSECMOD_IGNORE_BOGUS */ - YYSYMBOL_VAR_IPSECMOD_MAX_TTL = 264, /* VAR_IPSECMOD_MAX_TTL */ - YYSYMBOL_VAR_IPSECMOD_WHITELIST = 265, /* VAR_IPSECMOD_WHITELIST */ - YYSYMBOL_VAR_IPSECMOD_STRICT = 266, /* VAR_IPSECMOD_STRICT */ - YYSYMBOL_VAR_CACHEDB = 267, /* VAR_CACHEDB */ - YYSYMBOL_VAR_CACHEDB_BACKEND = 268, /* VAR_CACHEDB_BACKEND */ - YYSYMBOL_VAR_CACHEDB_SECRETSEED = 269, /* VAR_CACHEDB_SECRETSEED */ - YYSYMBOL_VAR_CACHEDB_REDISHOST = 270, /* VAR_CACHEDB_REDISHOST */ - YYSYMBOL_VAR_CACHEDB_REDISPORT = 271, /* VAR_CACHEDB_REDISPORT */ - YYSYMBOL_VAR_CACHEDB_REDISTIMEOUT = 272, /* VAR_CACHEDB_REDISTIMEOUT */ - YYSYMBOL_VAR_CACHEDB_REDISEXPIRERECORDS = 273, /* VAR_CACHEDB_REDISEXPIRERECORDS */ - YYSYMBOL_VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 274, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ - YYSYMBOL_VAR_FOR_UPSTREAM = 275, /* VAR_FOR_UPSTREAM */ - YYSYMBOL_VAR_AUTH_ZONE = 276, /* VAR_AUTH_ZONE */ - YYSYMBOL_VAR_ZONEFILE = 277, /* VAR_ZONEFILE */ - YYSYMBOL_VAR_MASTER = 278, /* VAR_MASTER */ - YYSYMBOL_VAR_URL = 279, /* VAR_URL */ - YYSYMBOL_VAR_FOR_DOWNSTREAM = 280, /* VAR_FOR_DOWNSTREAM */ - YYSYMBOL_VAR_FALLBACK_ENABLED = 281, /* VAR_FALLBACK_ENABLED */ - YYSYMBOL_VAR_TLS_ADDITIONAL_PORT = 282, /* VAR_TLS_ADDITIONAL_PORT */ - YYSYMBOL_VAR_LOW_RTT = 283, /* VAR_LOW_RTT */ - YYSYMBOL_VAR_LOW_RTT_PERMIL = 284, /* VAR_LOW_RTT_PERMIL */ - YYSYMBOL_VAR_FAST_SERVER_PERMIL = 285, /* VAR_FAST_SERVER_PERMIL */ - 
YYSYMBOL_VAR_FAST_SERVER_NUM = 286, /* VAR_FAST_SERVER_NUM */ - YYSYMBOL_VAR_ALLOW_NOTIFY = 287, /* VAR_ALLOW_NOTIFY */ - YYSYMBOL_VAR_TLS_WIN_CERT = 288, /* VAR_TLS_WIN_CERT */ - YYSYMBOL_VAR_TCP_CONNECTION_LIMIT = 289, /* VAR_TCP_CONNECTION_LIMIT */ - YYSYMBOL_VAR_FORWARD_NO_CACHE = 290, /* VAR_FORWARD_NO_CACHE */ - YYSYMBOL_VAR_STUB_NO_CACHE = 291, /* VAR_STUB_NO_CACHE */ - YYSYMBOL_VAR_LOG_SERVFAIL = 292, /* VAR_LOG_SERVFAIL */ - YYSYMBOL_VAR_DENY_ANY = 293, /* VAR_DENY_ANY */ - YYSYMBOL_VAR_UNKNOWN_SERVER_TIME_LIMIT = 294, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ - YYSYMBOL_VAR_LOG_TAG_QUERYREPLY = 295, /* VAR_LOG_TAG_QUERYREPLY */ - YYSYMBOL_VAR_STREAM_WAIT_SIZE = 296, /* VAR_STREAM_WAIT_SIZE */ - YYSYMBOL_VAR_TLS_CIPHERS = 297, /* VAR_TLS_CIPHERS */ - YYSYMBOL_VAR_TLS_CIPHERSUITES = 298, /* VAR_TLS_CIPHERSUITES */ - YYSYMBOL_VAR_TLS_USE_SNI = 299, /* VAR_TLS_USE_SNI */ - YYSYMBOL_VAR_IPSET = 300, /* VAR_IPSET */ - YYSYMBOL_VAR_IPSET_NAME_V4 = 301, /* VAR_IPSET_NAME_V4 */ - YYSYMBOL_VAR_IPSET_NAME_V6 = 302, /* VAR_IPSET_NAME_V6 */ - YYSYMBOL_VAR_TLS_SESSION_TICKET_KEYS = 303, /* VAR_TLS_SESSION_TICKET_KEYS */ - YYSYMBOL_VAR_RPZ = 304, /* VAR_RPZ */ - YYSYMBOL_VAR_TAGS = 305, /* VAR_TAGS */ - YYSYMBOL_VAR_RPZ_ACTION_OVERRIDE = 306, /* VAR_RPZ_ACTION_OVERRIDE */ - YYSYMBOL_VAR_RPZ_CNAME_OVERRIDE = 307, /* VAR_RPZ_CNAME_OVERRIDE */ - YYSYMBOL_VAR_RPZ_LOG = 308, /* VAR_RPZ_LOG */ - YYSYMBOL_VAR_RPZ_LOG_NAME = 309, /* VAR_RPZ_LOG_NAME */ - YYSYMBOL_VAR_DYNLIB = 310, /* VAR_DYNLIB */ - YYSYMBOL_VAR_DYNLIB_FILE = 311, /* VAR_DYNLIB_FILE */ - YYSYMBOL_VAR_EDNS_CLIENT_STRING = 312, /* VAR_EDNS_CLIENT_STRING */ - YYSYMBOL_VAR_EDNS_CLIENT_STRING_OPCODE = 313, /* VAR_EDNS_CLIENT_STRING_OPCODE */ - YYSYMBOL_VAR_NSID = 314, /* VAR_NSID */ - YYSYMBOL_VAR_ZONEMD_PERMISSIVE_MODE = 315, /* VAR_ZONEMD_PERMISSIVE_MODE */ - YYSYMBOL_VAR_ZONEMD_CHECK = 316, /* VAR_ZONEMD_CHECK */ - YYSYMBOL_VAR_ZONEMD_REJECT_ABSENCE = 317, /* VAR_ZONEMD_REJECT_ABSENCE */ - YYSYMBOL_YYACCEPT = 318, /* 
$accept */ - YYSYMBOL_toplevelvars = 319, /* toplevelvars */ - YYSYMBOL_toplevelvar = 320, /* toplevelvar */ - YYSYMBOL_force_toplevel = 321, /* force_toplevel */ - YYSYMBOL_serverstart = 322, /* serverstart */ - YYSYMBOL_contents_server = 323, /* contents_server */ - YYSYMBOL_content_server = 324, /* content_server */ - YYSYMBOL_stubstart = 325, /* stubstart */ - YYSYMBOL_contents_stub = 326, /* contents_stub */ - YYSYMBOL_content_stub = 327, /* content_stub */ - YYSYMBOL_forwardstart = 328, /* forwardstart */ - YYSYMBOL_contents_forward = 329, /* contents_forward */ - YYSYMBOL_content_forward = 330, /* content_forward */ - YYSYMBOL_viewstart = 331, /* viewstart */ - YYSYMBOL_contents_view = 332, /* contents_view */ - YYSYMBOL_content_view = 333, /* content_view */ - YYSYMBOL_authstart = 334, /* authstart */ - YYSYMBOL_contents_auth = 335, /* contents_auth */ - YYSYMBOL_content_auth = 336, /* content_auth */ - YYSYMBOL_rpz_tag = 337, /* rpz_tag */ - YYSYMBOL_rpz_action_override = 338, /* rpz_action_override */ - YYSYMBOL_rpz_cname_override = 339, /* rpz_cname_override */ - YYSYMBOL_rpz_log = 340, /* rpz_log */ - YYSYMBOL_rpz_log_name = 341, /* rpz_log_name */ - YYSYMBOL_rpzstart = 342, /* rpzstart */ - YYSYMBOL_contents_rpz = 343, /* contents_rpz */ - YYSYMBOL_content_rpz = 344, /* content_rpz */ - YYSYMBOL_server_num_threads = 345, /* server_num_threads */ - YYSYMBOL_server_verbosity = 346, /* server_verbosity */ - YYSYMBOL_server_statistics_interval = 347, /* server_statistics_interval */ - YYSYMBOL_server_statistics_cumulative = 348, /* server_statistics_cumulative */ - YYSYMBOL_server_extended_statistics = 349, /* server_extended_statistics */ - YYSYMBOL_server_shm_enable = 350, /* server_shm_enable */ - YYSYMBOL_server_shm_key = 351, /* server_shm_key */ - YYSYMBOL_server_port = 352, /* server_port */ - YYSYMBOL_server_send_client_subnet = 353, /* server_send_client_subnet */ - YYSYMBOL_server_client_subnet_zone = 354, /* server_client_subnet_zone */ - 
YYSYMBOL_server_client_subnet_always_forward = 355, /* server_client_subnet_always_forward */ - YYSYMBOL_server_client_subnet_opcode = 356, /* server_client_subnet_opcode */ - YYSYMBOL_server_max_client_subnet_ipv4 = 357, /* server_max_client_subnet_ipv4 */ - YYSYMBOL_server_max_client_subnet_ipv6 = 358, /* server_max_client_subnet_ipv6 */ - YYSYMBOL_server_min_client_subnet_ipv4 = 359, /* server_min_client_subnet_ipv4 */ - YYSYMBOL_server_min_client_subnet_ipv6 = 360, /* server_min_client_subnet_ipv6 */ - YYSYMBOL_server_max_ecs_tree_size_ipv4 = 361, /* server_max_ecs_tree_size_ipv4 */ - YYSYMBOL_server_max_ecs_tree_size_ipv6 = 362, /* server_max_ecs_tree_size_ipv6 */ - YYSYMBOL_server_interface = 363, /* server_interface */ - YYSYMBOL_server_outgoing_interface = 364, /* server_outgoing_interface */ - YYSYMBOL_server_outgoing_range = 365, /* server_outgoing_range */ - YYSYMBOL_server_outgoing_port_permit = 366, /* server_outgoing_port_permit */ - YYSYMBOL_server_outgoing_port_avoid = 367, /* server_outgoing_port_avoid */ - YYSYMBOL_server_outgoing_num_tcp = 368, /* server_outgoing_num_tcp */ - YYSYMBOL_server_incoming_num_tcp = 369, /* server_incoming_num_tcp */ - YYSYMBOL_server_interface_automatic = 370, /* server_interface_automatic */ - YYSYMBOL_server_do_ip4 = 371, /* server_do_ip4 */ - YYSYMBOL_server_do_ip6 = 372, /* server_do_ip6 */ - YYSYMBOL_server_do_udp = 373, /* server_do_udp */ - YYSYMBOL_server_do_tcp = 374, /* server_do_tcp */ - YYSYMBOL_server_prefer_ip4 = 375, /* server_prefer_ip4 */ - YYSYMBOL_server_prefer_ip6 = 376, /* server_prefer_ip6 */ - YYSYMBOL_server_tcp_mss = 377, /* server_tcp_mss */ - YYSYMBOL_server_outgoing_tcp_mss = 378, /* server_outgoing_tcp_mss */ - YYSYMBOL_server_tcp_idle_timeout = 379, /* server_tcp_idle_timeout */ - YYSYMBOL_server_max_reuse_tcp_queries = 380, /* server_max_reuse_tcp_queries */ - YYSYMBOL_server_tcp_reuse_timeout = 381, /* server_tcp_reuse_timeout */ - YYSYMBOL_server_tcp_auth_query_timeout = 382, /* 
server_tcp_auth_query_timeout */ - YYSYMBOL_server_tcp_keepalive = 383, /* server_tcp_keepalive */ - YYSYMBOL_server_tcp_keepalive_timeout = 384, /* server_tcp_keepalive_timeout */ - YYSYMBOL_server_tcp_upstream = 385, /* server_tcp_upstream */ - YYSYMBOL_server_udp_upstream_without_downstream = 386, /* server_udp_upstream_without_downstream */ - YYSYMBOL_server_ssl_upstream = 387, /* server_ssl_upstream */ - YYSYMBOL_server_ssl_service_key = 388, /* server_ssl_service_key */ - YYSYMBOL_server_ssl_service_pem = 389, /* server_ssl_service_pem */ - YYSYMBOL_server_ssl_port = 390, /* server_ssl_port */ - YYSYMBOL_server_tls_cert_bundle = 391, /* server_tls_cert_bundle */ - YYSYMBOL_server_tls_win_cert = 392, /* server_tls_win_cert */ - YYSYMBOL_server_tls_additional_port = 393, /* server_tls_additional_port */ - YYSYMBOL_server_tls_ciphers = 394, /* server_tls_ciphers */ - YYSYMBOL_server_tls_ciphersuites = 395, /* server_tls_ciphersuites */ - YYSYMBOL_server_tls_session_ticket_keys = 396, /* server_tls_session_ticket_keys */ - YYSYMBOL_server_tls_use_sni = 397, /* server_tls_use_sni */ - YYSYMBOL_server_https_port = 398, /* server_https_port */ - YYSYMBOL_server_http_endpoint = 399, /* server_http_endpoint */ - YYSYMBOL_server_http_max_streams = 400, /* server_http_max_streams */ - YYSYMBOL_server_http_query_buffer_size = 401, /* server_http_query_buffer_size */ - YYSYMBOL_server_http_response_buffer_size = 402, /* server_http_response_buffer_size */ - YYSYMBOL_server_http_nodelay = 403, /* server_http_nodelay */ - YYSYMBOL_server_http_notls_downstream = 404, /* server_http_notls_downstream */ - YYSYMBOL_server_use_systemd = 405, /* server_use_systemd */ - YYSYMBOL_server_do_daemonize = 406, /* server_do_daemonize */ - YYSYMBOL_server_use_syslog = 407, /* server_use_syslog */ - YYSYMBOL_server_log_time_ascii = 408, /* server_log_time_ascii */ - YYSYMBOL_server_log_queries = 409, /* server_log_queries */ - YYSYMBOL_server_log_replies = 410, /* server_log_replies */ - 
YYSYMBOL_server_log_tag_queryreply = 411, /* server_log_tag_queryreply */ - YYSYMBOL_server_log_servfail = 412, /* server_log_servfail */ - YYSYMBOL_server_log_local_actions = 413, /* server_log_local_actions */ - YYSYMBOL_server_chroot = 414, /* server_chroot */ - YYSYMBOL_server_username = 415, /* server_username */ - YYSYMBOL_server_directory = 416, /* server_directory */ - YYSYMBOL_server_logfile = 417, /* server_logfile */ - YYSYMBOL_server_pidfile = 418, /* server_pidfile */ - YYSYMBOL_server_root_hints = 419, /* server_root_hints */ - YYSYMBOL_server_dlv_anchor_file = 420, /* server_dlv_anchor_file */ - YYSYMBOL_server_dlv_anchor = 421, /* server_dlv_anchor */ - YYSYMBOL_server_auto_trust_anchor_file = 422, /* server_auto_trust_anchor_file */ - YYSYMBOL_server_trust_anchor_file = 423, /* server_trust_anchor_file */ - YYSYMBOL_server_trusted_keys_file = 424, /* server_trusted_keys_file */ - YYSYMBOL_server_trust_anchor = 425, /* server_trust_anchor */ - YYSYMBOL_server_trust_anchor_signaling = 426, /* server_trust_anchor_signaling */ - YYSYMBOL_server_root_key_sentinel = 427, /* server_root_key_sentinel */ - YYSYMBOL_server_domain_insecure = 428, /* server_domain_insecure */ - YYSYMBOL_server_hide_identity = 429, /* server_hide_identity */ - YYSYMBOL_server_hide_version = 430, /* server_hide_version */ - YYSYMBOL_server_hide_trustanchor = 431, /* server_hide_trustanchor */ - YYSYMBOL_server_hide_http_user_agent = 432, /* server_hide_http_user_agent */ - YYSYMBOL_server_identity = 433, /* server_identity */ - YYSYMBOL_server_version = 434, /* server_version */ - YYSYMBOL_server_http_user_agent = 435, /* server_http_user_agent */ - YYSYMBOL_server_nsid = 436, /* server_nsid */ - YYSYMBOL_server_so_rcvbuf = 437, /* server_so_rcvbuf */ - YYSYMBOL_server_so_sndbuf = 438, /* server_so_sndbuf */ - YYSYMBOL_server_so_reuseport = 439, /* server_so_reuseport */ - YYSYMBOL_server_ip_transparent = 440, /* server_ip_transparent */ - YYSYMBOL_server_ip_freebind = 441, /* 
server_ip_freebind */ - YYSYMBOL_server_ip_dscp = 442, /* server_ip_dscp */ - YYSYMBOL_server_stream_wait_size = 443, /* server_stream_wait_size */ - YYSYMBOL_server_edns_buffer_size = 444, /* server_edns_buffer_size */ - YYSYMBOL_server_msg_buffer_size = 445, /* server_msg_buffer_size */ - YYSYMBOL_server_msg_cache_size = 446, /* server_msg_cache_size */ - YYSYMBOL_server_msg_cache_slabs = 447, /* server_msg_cache_slabs */ - YYSYMBOL_server_num_queries_per_thread = 448, /* server_num_queries_per_thread */ - YYSYMBOL_server_jostle_timeout = 449, /* server_jostle_timeout */ - YYSYMBOL_server_delay_close = 450, /* server_delay_close */ - YYSYMBOL_server_udp_connect = 451, /* server_udp_connect */ - YYSYMBOL_server_unblock_lan_zones = 452, /* server_unblock_lan_zones */ - YYSYMBOL_server_insecure_lan_zones = 453, /* server_insecure_lan_zones */ - YYSYMBOL_server_rrset_cache_size = 454, /* server_rrset_cache_size */ - YYSYMBOL_server_rrset_cache_slabs = 455, /* server_rrset_cache_slabs */ - YYSYMBOL_server_infra_host_ttl = 456, /* server_infra_host_ttl */ - YYSYMBOL_server_infra_lame_ttl = 457, /* server_infra_lame_ttl */ - YYSYMBOL_server_infra_cache_numhosts = 458, /* server_infra_cache_numhosts */ - YYSYMBOL_server_infra_cache_lame_size = 459, /* server_infra_cache_lame_size */ - YYSYMBOL_server_infra_cache_slabs = 460, /* server_infra_cache_slabs */ - YYSYMBOL_server_infra_cache_min_rtt = 461, /* server_infra_cache_min_rtt */ - YYSYMBOL_server_infra_keep_probing = 462, /* server_infra_keep_probing */ - YYSYMBOL_server_target_fetch_policy = 463, /* server_target_fetch_policy */ - YYSYMBOL_server_harden_short_bufsize = 464, /* server_harden_short_bufsize */ - YYSYMBOL_server_harden_large_queries = 465, /* server_harden_large_queries */ - YYSYMBOL_server_harden_glue = 466, /* server_harden_glue */ - YYSYMBOL_server_harden_dnssec_stripped = 467, /* server_harden_dnssec_stripped */ - YYSYMBOL_server_harden_below_nxdomain = 468, /* server_harden_below_nxdomain */ - 
YYSYMBOL_server_harden_referral_path = 469, /* server_harden_referral_path */ - YYSYMBOL_server_harden_algo_downgrade = 470, /* server_harden_algo_downgrade */ - YYSYMBOL_server_use_caps_for_id = 471, /* server_use_caps_for_id */ - YYSYMBOL_server_caps_whitelist = 472, /* server_caps_whitelist */ - YYSYMBOL_server_private_address = 473, /* server_private_address */ - YYSYMBOL_server_private_domain = 474, /* server_private_domain */ - YYSYMBOL_server_prefetch = 475, /* server_prefetch */ - YYSYMBOL_server_prefetch_key = 476, /* server_prefetch_key */ - YYSYMBOL_server_deny_any = 477, /* server_deny_any */ - YYSYMBOL_server_unwanted_reply_threshold = 478, /* server_unwanted_reply_threshold */ - YYSYMBOL_server_do_not_query_address = 479, /* server_do_not_query_address */ - YYSYMBOL_server_do_not_query_localhost = 480, /* server_do_not_query_localhost */ - YYSYMBOL_server_access_control = 481, /* server_access_control */ - YYSYMBOL_server_module_conf = 482, /* server_module_conf */ - YYSYMBOL_server_val_override_date = 483, /* server_val_override_date */ - YYSYMBOL_server_val_sig_skew_min = 484, /* server_val_sig_skew_min */ - YYSYMBOL_server_val_sig_skew_max = 485, /* server_val_sig_skew_max */ - YYSYMBOL_server_val_max_restart = 486, /* server_val_max_restart */ - YYSYMBOL_server_cache_max_ttl = 487, /* server_cache_max_ttl */ - YYSYMBOL_server_cache_max_negative_ttl = 488, /* server_cache_max_negative_ttl */ - YYSYMBOL_server_cache_min_ttl = 489, /* server_cache_min_ttl */ - YYSYMBOL_server_bogus_ttl = 490, /* server_bogus_ttl */ - YYSYMBOL_server_val_clean_additional = 491, /* server_val_clean_additional */ - YYSYMBOL_server_val_permissive_mode = 492, /* server_val_permissive_mode */ - YYSYMBOL_server_aggressive_nsec = 493, /* server_aggressive_nsec */ - YYSYMBOL_server_ignore_cd_flag = 494, /* server_ignore_cd_flag */ - YYSYMBOL_server_serve_expired = 495, /* server_serve_expired */ - YYSYMBOL_server_serve_expired_ttl = 496, /* server_serve_expired_ttl */ - 
YYSYMBOL_server_serve_expired_ttl_reset = 497, /* server_serve_expired_ttl_reset */ - YYSYMBOL_server_serve_expired_reply_ttl = 498, /* server_serve_expired_reply_ttl */ - YYSYMBOL_server_serve_expired_client_timeout = 499, /* server_serve_expired_client_timeout */ - YYSYMBOL_server_serve_original_ttl = 500, /* server_serve_original_ttl */ - YYSYMBOL_server_fake_dsa = 501, /* server_fake_dsa */ - YYSYMBOL_server_fake_sha1 = 502, /* server_fake_sha1 */ - YYSYMBOL_server_val_log_level = 503, /* server_val_log_level */ - YYSYMBOL_server_val_nsec3_keysize_iterations = 504, /* server_val_nsec3_keysize_iterations */ - YYSYMBOL_server_zonemd_permissive_mode = 505, /* server_zonemd_permissive_mode */ - YYSYMBOL_server_add_holddown = 506, /* server_add_holddown */ - YYSYMBOL_server_del_holddown = 507, /* server_del_holddown */ - YYSYMBOL_server_keep_missing = 508, /* server_keep_missing */ - YYSYMBOL_server_permit_small_holddown = 509, /* server_permit_small_holddown */ - YYSYMBOL_server_key_cache_size = 510, /* server_key_cache_size */ - YYSYMBOL_server_key_cache_slabs = 511, /* server_key_cache_slabs */ - YYSYMBOL_server_neg_cache_size = 512, /* server_neg_cache_size */ - YYSYMBOL_server_local_zone = 513, /* server_local_zone */ - YYSYMBOL_server_local_data = 514, /* server_local_data */ - YYSYMBOL_server_local_data_ptr = 515, /* server_local_data_ptr */ - YYSYMBOL_server_minimal_responses = 516, /* server_minimal_responses */ - YYSYMBOL_server_rrset_roundrobin = 517, /* server_rrset_roundrobin */ - YYSYMBOL_server_unknown_server_time_limit = 518, /* server_unknown_server_time_limit */ - YYSYMBOL_server_max_udp_size = 519, /* server_max_udp_size */ - YYSYMBOL_server_dns64_prefix = 520, /* server_dns64_prefix */ - YYSYMBOL_server_dns64_synthall = 521, /* server_dns64_synthall */ - YYSYMBOL_server_dns64_ignore_aaaa = 522, /* server_dns64_ignore_aaaa */ - YYSYMBOL_server_define_tag = 523, /* server_define_tag */ - YYSYMBOL_server_local_zone_tag = 524, /* 
server_local_zone_tag */ - YYSYMBOL_server_access_control_tag = 525, /* server_access_control_tag */ - YYSYMBOL_server_access_control_tag_action = 526, /* server_access_control_tag_action */ - YYSYMBOL_server_access_control_tag_data = 527, /* server_access_control_tag_data */ - YYSYMBOL_server_local_zone_override = 528, /* server_local_zone_override */ - YYSYMBOL_server_access_control_view = 529, /* server_access_control_view */ - YYSYMBOL_server_response_ip_tag = 530, /* server_response_ip_tag */ - YYSYMBOL_server_ip_ratelimit = 531, /* server_ip_ratelimit */ - YYSYMBOL_server_ratelimit = 532, /* server_ratelimit */ - YYSYMBOL_server_ip_ratelimit_size = 533, /* server_ip_ratelimit_size */ - YYSYMBOL_server_ratelimit_size = 534, /* server_ratelimit_size */ - YYSYMBOL_server_ip_ratelimit_slabs = 535, /* server_ip_ratelimit_slabs */ - YYSYMBOL_server_ratelimit_slabs = 536, /* server_ratelimit_slabs */ - YYSYMBOL_server_ratelimit_for_domain = 537, /* server_ratelimit_for_domain */ - YYSYMBOL_server_ratelimit_below_domain = 538, /* server_ratelimit_below_domain */ - YYSYMBOL_server_ip_ratelimit_factor = 539, /* server_ip_ratelimit_factor */ - YYSYMBOL_server_ratelimit_factor = 540, /* server_ratelimit_factor */ - YYSYMBOL_server_low_rtt = 541, /* server_low_rtt */ - YYSYMBOL_server_fast_server_num = 542, /* server_fast_server_num */ - YYSYMBOL_server_fast_server_permil = 543, /* server_fast_server_permil */ - YYSYMBOL_server_qname_minimisation = 544, /* server_qname_minimisation */ - YYSYMBOL_server_qname_minimisation_strict = 545, /* server_qname_minimisation_strict */ - YYSYMBOL_server_pad_responses = 546, /* server_pad_responses */ - YYSYMBOL_server_pad_responses_block_size = 547, /* server_pad_responses_block_size */ - YYSYMBOL_server_pad_queries = 548, /* server_pad_queries */ - YYSYMBOL_server_pad_queries_block_size = 549, /* server_pad_queries_block_size */ - YYSYMBOL_server_ipsecmod_enabled = 550, /* server_ipsecmod_enabled */ - 
YYSYMBOL_server_ipsecmod_ignore_bogus = 551, /* server_ipsecmod_ignore_bogus */ - YYSYMBOL_server_ipsecmod_hook = 552, /* server_ipsecmod_hook */ - YYSYMBOL_server_ipsecmod_max_ttl = 553, /* server_ipsecmod_max_ttl */ - YYSYMBOL_server_ipsecmod_whitelist = 554, /* server_ipsecmod_whitelist */ - YYSYMBOL_server_ipsecmod_strict = 555, /* server_ipsecmod_strict */ - YYSYMBOL_server_edns_client_string = 556, /* server_edns_client_string */ - YYSYMBOL_server_edns_client_string_opcode = 557, /* server_edns_client_string_opcode */ - YYSYMBOL_stub_name = 558, /* stub_name */ - YYSYMBOL_stub_host = 559, /* stub_host */ - YYSYMBOL_stub_addr = 560, /* stub_addr */ - YYSYMBOL_stub_first = 561, /* stub_first */ - YYSYMBOL_stub_no_cache = 562, /* stub_no_cache */ - YYSYMBOL_stub_ssl_upstream = 563, /* stub_ssl_upstream */ - YYSYMBOL_stub_prime = 564, /* stub_prime */ - YYSYMBOL_forward_name = 565, /* forward_name */ - YYSYMBOL_forward_host = 566, /* forward_host */ - YYSYMBOL_forward_addr = 567, /* forward_addr */ - YYSYMBOL_forward_first = 568, /* forward_first */ - YYSYMBOL_forward_no_cache = 569, /* forward_no_cache */ - YYSYMBOL_forward_ssl_upstream = 570, /* forward_ssl_upstream */ - YYSYMBOL_auth_name = 571, /* auth_name */ - YYSYMBOL_auth_zonefile = 572, /* auth_zonefile */ - YYSYMBOL_auth_master = 573, /* auth_master */ - YYSYMBOL_auth_url = 574, /* auth_url */ - YYSYMBOL_auth_allow_notify = 575, /* auth_allow_notify */ - YYSYMBOL_auth_zonemd_check = 576, /* auth_zonemd_check */ - YYSYMBOL_auth_zonemd_reject_absence = 577, /* auth_zonemd_reject_absence */ - YYSYMBOL_auth_for_downstream = 578, /* auth_for_downstream */ - YYSYMBOL_auth_for_upstream = 579, /* auth_for_upstream */ - YYSYMBOL_auth_fallback_enabled = 580, /* auth_fallback_enabled */ - YYSYMBOL_view_name = 581, /* view_name */ - YYSYMBOL_view_local_zone = 582, /* view_local_zone */ - YYSYMBOL_view_response_ip = 583, /* view_response_ip */ - YYSYMBOL_view_response_ip_data = 584, /* view_response_ip_data */ - 
YYSYMBOL_view_local_data = 585, /* view_local_data */ - YYSYMBOL_view_local_data_ptr = 586, /* view_local_data_ptr */ - YYSYMBOL_view_first = 587, /* view_first */ - YYSYMBOL_rcstart = 588, /* rcstart */ - YYSYMBOL_contents_rc = 589, /* contents_rc */ - YYSYMBOL_content_rc = 590, /* content_rc */ - YYSYMBOL_rc_control_enable = 591, /* rc_control_enable */ - YYSYMBOL_rc_control_port = 592, /* rc_control_port */ - YYSYMBOL_rc_control_interface = 593, /* rc_control_interface */ - YYSYMBOL_rc_control_use_cert = 594, /* rc_control_use_cert */ - YYSYMBOL_rc_server_key_file = 595, /* rc_server_key_file */ - YYSYMBOL_rc_server_cert_file = 596, /* rc_server_cert_file */ - YYSYMBOL_rc_control_key_file = 597, /* rc_control_key_file */ - YYSYMBOL_rc_control_cert_file = 598, /* rc_control_cert_file */ - YYSYMBOL_dtstart = 599, /* dtstart */ - YYSYMBOL_contents_dt = 600, /* contents_dt */ - YYSYMBOL_content_dt = 601, /* content_dt */ - YYSYMBOL_dt_dnstap_enable = 602, /* dt_dnstap_enable */ - YYSYMBOL_dt_dnstap_bidirectional = 603, /* dt_dnstap_bidirectional */ - YYSYMBOL_dt_dnstap_socket_path = 604, /* dt_dnstap_socket_path */ - YYSYMBOL_dt_dnstap_ip = 605, /* dt_dnstap_ip */ - YYSYMBOL_dt_dnstap_tls = 606, /* dt_dnstap_tls */ - YYSYMBOL_dt_dnstap_tls_server_name = 607, /* dt_dnstap_tls_server_name */ - YYSYMBOL_dt_dnstap_tls_cert_bundle = 608, /* dt_dnstap_tls_cert_bundle */ - YYSYMBOL_dt_dnstap_tls_client_key_file = 609, /* dt_dnstap_tls_client_key_file */ - YYSYMBOL_dt_dnstap_tls_client_cert_file = 610, /* dt_dnstap_tls_client_cert_file */ - YYSYMBOL_dt_dnstap_send_identity = 611, /* dt_dnstap_send_identity */ - YYSYMBOL_dt_dnstap_send_version = 612, /* dt_dnstap_send_version */ - YYSYMBOL_dt_dnstap_identity = 613, /* dt_dnstap_identity */ - YYSYMBOL_dt_dnstap_version = 614, /* dt_dnstap_version */ - YYSYMBOL_dt_dnstap_log_resolver_query_messages = 615, /* dt_dnstap_log_resolver_query_messages */ - YYSYMBOL_dt_dnstap_log_resolver_response_messages = 616, /* 
dt_dnstap_log_resolver_response_messages */ - YYSYMBOL_dt_dnstap_log_client_query_messages = 617, /* dt_dnstap_log_client_query_messages */ - YYSYMBOL_dt_dnstap_log_client_response_messages = 618, /* dt_dnstap_log_client_response_messages */ - YYSYMBOL_dt_dnstap_log_forwarder_query_messages = 619, /* dt_dnstap_log_forwarder_query_messages */ - YYSYMBOL_dt_dnstap_log_forwarder_response_messages = 620, /* dt_dnstap_log_forwarder_response_messages */ - YYSYMBOL_pythonstart = 621, /* pythonstart */ - YYSYMBOL_contents_py = 622, /* contents_py */ - YYSYMBOL_content_py = 623, /* content_py */ - YYSYMBOL_py_script = 624, /* py_script */ - YYSYMBOL_dynlibstart = 625, /* dynlibstart */ - YYSYMBOL_contents_dl = 626, /* contents_dl */ - YYSYMBOL_content_dl = 627, /* content_dl */ - YYSYMBOL_dl_file = 628, /* dl_file */ - YYSYMBOL_server_disable_dnssec_lame_check = 629, /* server_disable_dnssec_lame_check */ - YYSYMBOL_server_log_identity = 630, /* server_log_identity */ - YYSYMBOL_server_response_ip = 631, /* server_response_ip */ - YYSYMBOL_server_response_ip_data = 632, /* server_response_ip_data */ - YYSYMBOL_dnscstart = 633, /* dnscstart */ - YYSYMBOL_contents_dnsc = 634, /* contents_dnsc */ - YYSYMBOL_content_dnsc = 635, /* content_dnsc */ - YYSYMBOL_dnsc_dnscrypt_enable = 636, /* dnsc_dnscrypt_enable */ - YYSYMBOL_dnsc_dnscrypt_port = 637, /* dnsc_dnscrypt_port */ - YYSYMBOL_dnsc_dnscrypt_provider = 638, /* dnsc_dnscrypt_provider */ - YYSYMBOL_dnsc_dnscrypt_provider_cert = 639, /* dnsc_dnscrypt_provider_cert */ - YYSYMBOL_dnsc_dnscrypt_provider_cert_rotated = 640, /* dnsc_dnscrypt_provider_cert_rotated */ - YYSYMBOL_dnsc_dnscrypt_secret_key = 641, /* dnsc_dnscrypt_secret_key */ - YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_size = 642, /* dnsc_dnscrypt_shared_secret_cache_size */ - YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_slabs = 643, /* dnsc_dnscrypt_shared_secret_cache_slabs */ - YYSYMBOL_dnsc_dnscrypt_nonce_cache_size = 644, /* dnsc_dnscrypt_nonce_cache_size */ - 
YYSYMBOL_dnsc_dnscrypt_nonce_cache_slabs = 645, /* dnsc_dnscrypt_nonce_cache_slabs */ - YYSYMBOL_cachedbstart = 646, /* cachedbstart */ - YYSYMBOL_contents_cachedb = 647, /* contents_cachedb */ - YYSYMBOL_content_cachedb = 648, /* content_cachedb */ - YYSYMBOL_cachedb_backend_name = 649, /* cachedb_backend_name */ - YYSYMBOL_cachedb_secret_seed = 650, /* cachedb_secret_seed */ - YYSYMBOL_redis_server_host = 651, /* redis_server_host */ - YYSYMBOL_redis_server_port = 652, /* redis_server_port */ - YYSYMBOL_redis_timeout = 653, /* redis_timeout */ - YYSYMBOL_redis_expire_records = 654, /* redis_expire_records */ - YYSYMBOL_server_tcp_connection_limit = 655, /* server_tcp_connection_limit */ - YYSYMBOL_ipsetstart = 656, /* ipsetstart */ - YYSYMBOL_contents_ipset = 657, /* contents_ipset */ - YYSYMBOL_content_ipset = 658, /* content_ipset */ - YYSYMBOL_ipset_name_v4 = 659, /* ipset_name_v4 */ - YYSYMBOL_ipset_name_v6 = 660 /* ipset_name_v6 */ + YYSYMBOL_VAR_STUB_TCP_UPSTREAM = 146, /* VAR_STUB_TCP_UPSTREAM */ + YYSYMBOL_VAR_FORWARD_TCP_UPSTREAM = 147, /* VAR_FORWARD_TCP_UPSTREAM */ + YYSYMBOL_VAR_HTTPS_PORT = 148, /* VAR_HTTPS_PORT */ + YYSYMBOL_VAR_HTTP_ENDPOINT = 149, /* VAR_HTTP_ENDPOINT */ + YYSYMBOL_VAR_HTTP_MAX_STREAMS = 150, /* VAR_HTTP_MAX_STREAMS */ + YYSYMBOL_VAR_HTTP_QUERY_BUFFER_SIZE = 151, /* VAR_HTTP_QUERY_BUFFER_SIZE */ + YYSYMBOL_VAR_HTTP_RESPONSE_BUFFER_SIZE = 152, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ + YYSYMBOL_VAR_HTTP_NODELAY = 153, /* VAR_HTTP_NODELAY */ + YYSYMBOL_VAR_HTTP_NOTLS_DOWNSTREAM = 154, /* VAR_HTTP_NOTLS_DOWNSTREAM */ + YYSYMBOL_VAR_STUB_FIRST = 155, /* VAR_STUB_FIRST */ + YYSYMBOL_VAR_MINIMAL_RESPONSES = 156, /* VAR_MINIMAL_RESPONSES */ + YYSYMBOL_VAR_RRSET_ROUNDROBIN = 157, /* VAR_RRSET_ROUNDROBIN */ + YYSYMBOL_VAR_MAX_UDP_SIZE = 158, /* VAR_MAX_UDP_SIZE */ + YYSYMBOL_VAR_DELAY_CLOSE = 159, /* VAR_DELAY_CLOSE */ + YYSYMBOL_VAR_UDP_CONNECT = 160, /* VAR_UDP_CONNECT */ + YYSYMBOL_VAR_UNBLOCK_LAN_ZONES = 161, /* VAR_UNBLOCK_LAN_ZONES */ + 
YYSYMBOL_VAR_INSECURE_LAN_ZONES = 162, /* VAR_INSECURE_LAN_ZONES */ + YYSYMBOL_VAR_INFRA_CACHE_MIN_RTT = 163, /* VAR_INFRA_CACHE_MIN_RTT */ + YYSYMBOL_VAR_INFRA_CACHE_MAX_RTT = 164, /* VAR_INFRA_CACHE_MAX_RTT */ + YYSYMBOL_VAR_INFRA_KEEP_PROBING = 165, /* VAR_INFRA_KEEP_PROBING */ + YYSYMBOL_VAR_DNS64_PREFIX = 166, /* VAR_DNS64_PREFIX */ + YYSYMBOL_VAR_DNS64_SYNTHALL = 167, /* VAR_DNS64_SYNTHALL */ + YYSYMBOL_VAR_DNS64_IGNORE_AAAA = 168, /* VAR_DNS64_IGNORE_AAAA */ + YYSYMBOL_VAR_DNSTAP = 169, /* VAR_DNSTAP */ + YYSYMBOL_VAR_DNSTAP_ENABLE = 170, /* VAR_DNSTAP_ENABLE */ + YYSYMBOL_VAR_DNSTAP_SOCKET_PATH = 171, /* VAR_DNSTAP_SOCKET_PATH */ + YYSYMBOL_VAR_DNSTAP_IP = 172, /* VAR_DNSTAP_IP */ + YYSYMBOL_VAR_DNSTAP_TLS = 173, /* VAR_DNSTAP_TLS */ + YYSYMBOL_VAR_DNSTAP_TLS_SERVER_NAME = 174, /* VAR_DNSTAP_TLS_SERVER_NAME */ + YYSYMBOL_VAR_DNSTAP_TLS_CERT_BUNDLE = 175, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ + YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 176, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ + YYSYMBOL_VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 177, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ + YYSYMBOL_VAR_DNSTAP_SEND_IDENTITY = 178, /* VAR_DNSTAP_SEND_IDENTITY */ + YYSYMBOL_VAR_DNSTAP_SEND_VERSION = 179, /* VAR_DNSTAP_SEND_VERSION */ + YYSYMBOL_VAR_DNSTAP_BIDIRECTIONAL = 180, /* VAR_DNSTAP_BIDIRECTIONAL */ + YYSYMBOL_VAR_DNSTAP_IDENTITY = 181, /* VAR_DNSTAP_IDENTITY */ + YYSYMBOL_VAR_DNSTAP_VERSION = 182, /* VAR_DNSTAP_VERSION */ + YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 183, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 184, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 185, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 186, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 187, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ + YYSYMBOL_VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 
188, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ + YYSYMBOL_VAR_RESPONSE_IP_TAG = 189, /* VAR_RESPONSE_IP_TAG */ + YYSYMBOL_VAR_RESPONSE_IP = 190, /* VAR_RESPONSE_IP */ + YYSYMBOL_VAR_RESPONSE_IP_DATA = 191, /* VAR_RESPONSE_IP_DATA */ + YYSYMBOL_VAR_HARDEN_ALGO_DOWNGRADE = 192, /* VAR_HARDEN_ALGO_DOWNGRADE */ + YYSYMBOL_VAR_IP_TRANSPARENT = 193, /* VAR_IP_TRANSPARENT */ + YYSYMBOL_VAR_IP_DSCP = 194, /* VAR_IP_DSCP */ + YYSYMBOL_VAR_DISABLE_DNSSEC_LAME_CHECK = 195, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ + YYSYMBOL_VAR_IP_RATELIMIT = 196, /* VAR_IP_RATELIMIT */ + YYSYMBOL_VAR_IP_RATELIMIT_SLABS = 197, /* VAR_IP_RATELIMIT_SLABS */ + YYSYMBOL_VAR_IP_RATELIMIT_SIZE = 198, /* VAR_IP_RATELIMIT_SIZE */ + YYSYMBOL_VAR_RATELIMIT = 199, /* VAR_RATELIMIT */ + YYSYMBOL_VAR_RATELIMIT_SLABS = 200, /* VAR_RATELIMIT_SLABS */ + YYSYMBOL_VAR_RATELIMIT_SIZE = 201, /* VAR_RATELIMIT_SIZE */ + YYSYMBOL_VAR_OUTBOUND_MSG_RETRY = 202, /* VAR_OUTBOUND_MSG_RETRY */ + YYSYMBOL_VAR_MAX_SENT_COUNT = 203, /* VAR_MAX_SENT_COUNT */ + YYSYMBOL_VAR_MAX_QUERY_RESTARTS = 204, /* VAR_MAX_QUERY_RESTARTS */ + YYSYMBOL_VAR_RATELIMIT_FOR_DOMAIN = 205, /* VAR_RATELIMIT_FOR_DOMAIN */ + YYSYMBOL_VAR_RATELIMIT_BELOW_DOMAIN = 206, /* VAR_RATELIMIT_BELOW_DOMAIN */ + YYSYMBOL_VAR_IP_RATELIMIT_FACTOR = 207, /* VAR_IP_RATELIMIT_FACTOR */ + YYSYMBOL_VAR_RATELIMIT_FACTOR = 208, /* VAR_RATELIMIT_FACTOR */ + YYSYMBOL_VAR_IP_RATELIMIT_BACKOFF = 209, /* VAR_IP_RATELIMIT_BACKOFF */ + YYSYMBOL_VAR_RATELIMIT_BACKOFF = 210, /* VAR_RATELIMIT_BACKOFF */ + YYSYMBOL_VAR_SEND_CLIENT_SUBNET = 211, /* VAR_SEND_CLIENT_SUBNET */ + YYSYMBOL_VAR_CLIENT_SUBNET_ZONE = 212, /* VAR_CLIENT_SUBNET_ZONE */ + YYSYMBOL_VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 213, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ + YYSYMBOL_VAR_CLIENT_SUBNET_OPCODE = 214, /* VAR_CLIENT_SUBNET_OPCODE */ + YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV4 = 215, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ + YYSYMBOL_VAR_MAX_CLIENT_SUBNET_IPV6 = 216, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ + 
YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV4 = 217, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ + YYSYMBOL_VAR_MIN_CLIENT_SUBNET_IPV6 = 218, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ + YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV4 = 219, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ + YYSYMBOL_VAR_MAX_ECS_TREE_SIZE_IPV6 = 220, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ + YYSYMBOL_VAR_CAPS_WHITELIST = 221, /* VAR_CAPS_WHITELIST */ + YYSYMBOL_VAR_CACHE_MAX_NEGATIVE_TTL = 222, /* VAR_CACHE_MAX_NEGATIVE_TTL */ + YYSYMBOL_VAR_PERMIT_SMALL_HOLDDOWN = 223, /* VAR_PERMIT_SMALL_HOLDDOWN */ + YYSYMBOL_VAR_QNAME_MINIMISATION = 224, /* VAR_QNAME_MINIMISATION */ + YYSYMBOL_VAR_QNAME_MINIMISATION_STRICT = 225, /* VAR_QNAME_MINIMISATION_STRICT */ + YYSYMBOL_VAR_IP_FREEBIND = 226, /* VAR_IP_FREEBIND */ + YYSYMBOL_VAR_DEFINE_TAG = 227, /* VAR_DEFINE_TAG */ + YYSYMBOL_VAR_LOCAL_ZONE_TAG = 228, /* VAR_LOCAL_ZONE_TAG */ + YYSYMBOL_VAR_ACCESS_CONTROL_TAG = 229, /* VAR_ACCESS_CONTROL_TAG */ + YYSYMBOL_VAR_LOCAL_ZONE_OVERRIDE = 230, /* VAR_LOCAL_ZONE_OVERRIDE */ + YYSYMBOL_VAR_ACCESS_CONTROL_TAG_ACTION = 231, /* VAR_ACCESS_CONTROL_TAG_ACTION */ + YYSYMBOL_VAR_ACCESS_CONTROL_TAG_DATA = 232, /* VAR_ACCESS_CONTROL_TAG_DATA */ + YYSYMBOL_VAR_VIEW = 233, /* VAR_VIEW */ + YYSYMBOL_VAR_ACCESS_CONTROL_VIEW = 234, /* VAR_ACCESS_CONTROL_VIEW */ + YYSYMBOL_VAR_VIEW_FIRST = 235, /* VAR_VIEW_FIRST */ + YYSYMBOL_VAR_SERVE_EXPIRED = 236, /* VAR_SERVE_EXPIRED */ + YYSYMBOL_VAR_SERVE_EXPIRED_TTL = 237, /* VAR_SERVE_EXPIRED_TTL */ + YYSYMBOL_VAR_SERVE_EXPIRED_TTL_RESET = 238, /* VAR_SERVE_EXPIRED_TTL_RESET */ + YYSYMBOL_VAR_SERVE_EXPIRED_REPLY_TTL = 239, /* VAR_SERVE_EXPIRED_REPLY_TTL */ + YYSYMBOL_VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 240, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ + YYSYMBOL_VAR_EDE_SERVE_EXPIRED = 241, /* VAR_EDE_SERVE_EXPIRED */ + YYSYMBOL_VAR_SERVE_ORIGINAL_TTL = 242, /* VAR_SERVE_ORIGINAL_TTL */ + YYSYMBOL_VAR_FAKE_DSA = 243, /* VAR_FAKE_DSA */ + YYSYMBOL_VAR_FAKE_SHA1 = 244, /* VAR_FAKE_SHA1 */ + YYSYMBOL_VAR_LOG_IDENTITY = 245, /* VAR_LOG_IDENTITY 
*/ + YYSYMBOL_VAR_HIDE_TRUSTANCHOR = 246, /* VAR_HIDE_TRUSTANCHOR */ + YYSYMBOL_VAR_HIDE_HTTP_USER_AGENT = 247, /* VAR_HIDE_HTTP_USER_AGENT */ + YYSYMBOL_VAR_HTTP_USER_AGENT = 248, /* VAR_HTTP_USER_AGENT */ + YYSYMBOL_VAR_TRUST_ANCHOR_SIGNALING = 249, /* VAR_TRUST_ANCHOR_SIGNALING */ + YYSYMBOL_VAR_AGGRESSIVE_NSEC = 250, /* VAR_AGGRESSIVE_NSEC */ + YYSYMBOL_VAR_USE_SYSTEMD = 251, /* VAR_USE_SYSTEMD */ + YYSYMBOL_VAR_SHM_ENABLE = 252, /* VAR_SHM_ENABLE */ + YYSYMBOL_VAR_SHM_KEY = 253, /* VAR_SHM_KEY */ + YYSYMBOL_VAR_ROOT_KEY_SENTINEL = 254, /* VAR_ROOT_KEY_SENTINEL */ + YYSYMBOL_VAR_DNSCRYPT = 255, /* VAR_DNSCRYPT */ + YYSYMBOL_VAR_DNSCRYPT_ENABLE = 256, /* VAR_DNSCRYPT_ENABLE */ + YYSYMBOL_VAR_DNSCRYPT_PORT = 257, /* VAR_DNSCRYPT_PORT */ + YYSYMBOL_VAR_DNSCRYPT_PROVIDER = 258, /* VAR_DNSCRYPT_PROVIDER */ + YYSYMBOL_VAR_DNSCRYPT_SECRET_KEY = 259, /* VAR_DNSCRYPT_SECRET_KEY */ + YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT = 260, /* VAR_DNSCRYPT_PROVIDER_CERT */ + YYSYMBOL_VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 261, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ + YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 262, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ + YYSYMBOL_VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 263, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ + YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SIZE = 264, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ + YYSYMBOL_VAR_DNSCRYPT_NONCE_CACHE_SLABS = 265, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ + YYSYMBOL_VAR_PAD_RESPONSES = 266, /* VAR_PAD_RESPONSES */ + YYSYMBOL_VAR_PAD_RESPONSES_BLOCK_SIZE = 267, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ + YYSYMBOL_VAR_PAD_QUERIES = 268, /* VAR_PAD_QUERIES */ + YYSYMBOL_VAR_PAD_QUERIES_BLOCK_SIZE = 269, /* VAR_PAD_QUERIES_BLOCK_SIZE */ + YYSYMBOL_VAR_IPSECMOD_ENABLED = 270, /* VAR_IPSECMOD_ENABLED */ + YYSYMBOL_VAR_IPSECMOD_HOOK = 271, /* VAR_IPSECMOD_HOOK */ + YYSYMBOL_VAR_IPSECMOD_IGNORE_BOGUS = 272, /* VAR_IPSECMOD_IGNORE_BOGUS */ + YYSYMBOL_VAR_IPSECMOD_MAX_TTL = 273, /* VAR_IPSECMOD_MAX_TTL */ + 
YYSYMBOL_VAR_IPSECMOD_WHITELIST = 274, /* VAR_IPSECMOD_WHITELIST */ + YYSYMBOL_VAR_IPSECMOD_STRICT = 275, /* VAR_IPSECMOD_STRICT */ + YYSYMBOL_VAR_CACHEDB = 276, /* VAR_CACHEDB */ + YYSYMBOL_VAR_CACHEDB_BACKEND = 277, /* VAR_CACHEDB_BACKEND */ + YYSYMBOL_VAR_CACHEDB_SECRETSEED = 278, /* VAR_CACHEDB_SECRETSEED */ + YYSYMBOL_VAR_CACHEDB_REDISHOST = 279, /* VAR_CACHEDB_REDISHOST */ + YYSYMBOL_VAR_CACHEDB_REDISPORT = 280, /* VAR_CACHEDB_REDISPORT */ + YYSYMBOL_VAR_CACHEDB_REDISTIMEOUT = 281, /* VAR_CACHEDB_REDISTIMEOUT */ + YYSYMBOL_VAR_CACHEDB_REDISEXPIRERECORDS = 282, /* VAR_CACHEDB_REDISEXPIRERECORDS */ + YYSYMBOL_VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 283, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ + YYSYMBOL_VAR_FOR_UPSTREAM = 284, /* VAR_FOR_UPSTREAM */ + YYSYMBOL_VAR_AUTH_ZONE = 285, /* VAR_AUTH_ZONE */ + YYSYMBOL_VAR_ZONEFILE = 286, /* VAR_ZONEFILE */ + YYSYMBOL_VAR_MASTER = 287, /* VAR_MASTER */ + YYSYMBOL_VAR_URL = 288, /* VAR_URL */ + YYSYMBOL_VAR_FOR_DOWNSTREAM = 289, /* VAR_FOR_DOWNSTREAM */ + YYSYMBOL_VAR_FALLBACK_ENABLED = 290, /* VAR_FALLBACK_ENABLED */ + YYSYMBOL_VAR_TLS_ADDITIONAL_PORT = 291, /* VAR_TLS_ADDITIONAL_PORT */ + YYSYMBOL_VAR_LOW_RTT = 292, /* VAR_LOW_RTT */ + YYSYMBOL_VAR_LOW_RTT_PERMIL = 293, /* VAR_LOW_RTT_PERMIL */ + YYSYMBOL_VAR_FAST_SERVER_PERMIL = 294, /* VAR_FAST_SERVER_PERMIL */ + YYSYMBOL_VAR_FAST_SERVER_NUM = 295, /* VAR_FAST_SERVER_NUM */ + YYSYMBOL_VAR_ALLOW_NOTIFY = 296, /* VAR_ALLOW_NOTIFY */ + YYSYMBOL_VAR_TLS_WIN_CERT = 297, /* VAR_TLS_WIN_CERT */ + YYSYMBOL_VAR_TCP_CONNECTION_LIMIT = 298, /* VAR_TCP_CONNECTION_LIMIT */ + YYSYMBOL_VAR_FORWARD_NO_CACHE = 299, /* VAR_FORWARD_NO_CACHE */ + YYSYMBOL_VAR_STUB_NO_CACHE = 300, /* VAR_STUB_NO_CACHE */ + YYSYMBOL_VAR_LOG_SERVFAIL = 301, /* VAR_LOG_SERVFAIL */ + YYSYMBOL_VAR_DENY_ANY = 302, /* VAR_DENY_ANY */ + YYSYMBOL_VAR_UNKNOWN_SERVER_TIME_LIMIT = 303, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ + YYSYMBOL_VAR_LOG_TAG_QUERYREPLY = 304, /* VAR_LOG_TAG_QUERYREPLY */ + 
YYSYMBOL_VAR_STREAM_WAIT_SIZE = 305, /* VAR_STREAM_WAIT_SIZE */ + YYSYMBOL_VAR_TLS_CIPHERS = 306, /* VAR_TLS_CIPHERS */ + YYSYMBOL_VAR_TLS_CIPHERSUITES = 307, /* VAR_TLS_CIPHERSUITES */ + YYSYMBOL_VAR_TLS_USE_SNI = 308, /* VAR_TLS_USE_SNI */ + YYSYMBOL_VAR_IPSET = 309, /* VAR_IPSET */ + YYSYMBOL_VAR_IPSET_NAME_V4 = 310, /* VAR_IPSET_NAME_V4 */ + YYSYMBOL_VAR_IPSET_NAME_V6 = 311, /* VAR_IPSET_NAME_V6 */ + YYSYMBOL_VAR_TLS_SESSION_TICKET_KEYS = 312, /* VAR_TLS_SESSION_TICKET_KEYS */ + YYSYMBOL_VAR_RPZ = 313, /* VAR_RPZ */ + YYSYMBOL_VAR_TAGS = 314, /* VAR_TAGS */ + YYSYMBOL_VAR_RPZ_ACTION_OVERRIDE = 315, /* VAR_RPZ_ACTION_OVERRIDE */ + YYSYMBOL_VAR_RPZ_CNAME_OVERRIDE = 316, /* VAR_RPZ_CNAME_OVERRIDE */ + YYSYMBOL_VAR_RPZ_LOG = 317, /* VAR_RPZ_LOG */ + YYSYMBOL_VAR_RPZ_LOG_NAME = 318, /* VAR_RPZ_LOG_NAME */ + YYSYMBOL_VAR_DYNLIB = 319, /* VAR_DYNLIB */ + YYSYMBOL_VAR_DYNLIB_FILE = 320, /* VAR_DYNLIB_FILE */ + YYSYMBOL_VAR_EDNS_CLIENT_STRING = 321, /* VAR_EDNS_CLIENT_STRING */ + YYSYMBOL_VAR_EDNS_CLIENT_STRING_OPCODE = 322, /* VAR_EDNS_CLIENT_STRING_OPCODE */ + YYSYMBOL_VAR_NSID = 323, /* VAR_NSID */ + YYSYMBOL_VAR_ZONEMD_PERMISSIVE_MODE = 324, /* VAR_ZONEMD_PERMISSIVE_MODE */ + YYSYMBOL_VAR_ZONEMD_CHECK = 325, /* VAR_ZONEMD_CHECK */ + YYSYMBOL_VAR_ZONEMD_REJECT_ABSENCE = 326, /* VAR_ZONEMD_REJECT_ABSENCE */ + YYSYMBOL_VAR_RPZ_SIGNAL_NXDOMAIN_RA = 327, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */ + YYSYMBOL_VAR_INTERFACE_AUTOMATIC_PORTS = 328, /* VAR_INTERFACE_AUTOMATIC_PORTS */ + YYSYMBOL_VAR_EDE = 329, /* VAR_EDE */ + YYSYMBOL_VAR_INTERFACE_ACTION = 330, /* VAR_INTERFACE_ACTION */ + YYSYMBOL_VAR_INTERFACE_VIEW = 331, /* VAR_INTERFACE_VIEW */ + YYSYMBOL_VAR_INTERFACE_TAG = 332, /* VAR_INTERFACE_TAG */ + YYSYMBOL_VAR_INTERFACE_TAG_ACTION = 333, /* VAR_INTERFACE_TAG_ACTION */ + YYSYMBOL_VAR_INTERFACE_TAG_DATA = 334, /* VAR_INTERFACE_TAG_DATA */ + YYSYMBOL_VAR_PROXY_PROTOCOL_PORT = 335, /* VAR_PROXY_PROTOCOL_PORT */ + YYSYMBOL_VAR_STATISTICS_INHIBIT_ZERO = 336, /* 
VAR_STATISTICS_INHIBIT_ZERO */ + YYSYMBOL_YYACCEPT = 337, /* $accept */ + YYSYMBOL_toplevelvars = 338, /* toplevelvars */ + YYSYMBOL_toplevelvar = 339, /* toplevelvar */ + YYSYMBOL_force_toplevel = 340, /* force_toplevel */ + YYSYMBOL_serverstart = 341, /* serverstart */ + YYSYMBOL_contents_server = 342, /* contents_server */ + YYSYMBOL_content_server = 343, /* content_server */ + YYSYMBOL_stubstart = 344, /* stubstart */ + YYSYMBOL_contents_stub = 345, /* contents_stub */ + YYSYMBOL_content_stub = 346, /* content_stub */ + YYSYMBOL_forwardstart = 347, /* forwardstart */ + YYSYMBOL_contents_forward = 348, /* contents_forward */ + YYSYMBOL_content_forward = 349, /* content_forward */ + YYSYMBOL_viewstart = 350, /* viewstart */ + YYSYMBOL_contents_view = 351, /* contents_view */ + YYSYMBOL_content_view = 352, /* content_view */ + YYSYMBOL_authstart = 353, /* authstart */ + YYSYMBOL_contents_auth = 354, /* contents_auth */ + YYSYMBOL_content_auth = 355, /* content_auth */ + YYSYMBOL_rpz_tag = 356, /* rpz_tag */ + YYSYMBOL_rpz_action_override = 357, /* rpz_action_override */ + YYSYMBOL_rpz_cname_override = 358, /* rpz_cname_override */ + YYSYMBOL_rpz_log = 359, /* rpz_log */ + YYSYMBOL_rpz_log_name = 360, /* rpz_log_name */ + YYSYMBOL_rpz_signal_nxdomain_ra = 361, /* rpz_signal_nxdomain_ra */ + YYSYMBOL_rpzstart = 362, /* rpzstart */ + YYSYMBOL_contents_rpz = 363, /* contents_rpz */ + YYSYMBOL_content_rpz = 364, /* content_rpz */ + YYSYMBOL_server_num_threads = 365, /* server_num_threads */ + YYSYMBOL_server_verbosity = 366, /* server_verbosity */ + YYSYMBOL_server_statistics_interval = 367, /* server_statistics_interval */ + YYSYMBOL_server_statistics_cumulative = 368, /* server_statistics_cumulative */ + YYSYMBOL_server_extended_statistics = 369, /* server_extended_statistics */ + YYSYMBOL_server_statistics_inhibit_zero = 370, /* server_statistics_inhibit_zero */ + YYSYMBOL_server_shm_enable = 371, /* server_shm_enable */ + YYSYMBOL_server_shm_key = 372, /* 
server_shm_key */ + YYSYMBOL_server_port = 373, /* server_port */ + YYSYMBOL_server_send_client_subnet = 374, /* server_send_client_subnet */ + YYSYMBOL_server_client_subnet_zone = 375, /* server_client_subnet_zone */ + YYSYMBOL_server_client_subnet_always_forward = 376, /* server_client_subnet_always_forward */ + YYSYMBOL_server_client_subnet_opcode = 377, /* server_client_subnet_opcode */ + YYSYMBOL_server_max_client_subnet_ipv4 = 378, /* server_max_client_subnet_ipv4 */ + YYSYMBOL_server_max_client_subnet_ipv6 = 379, /* server_max_client_subnet_ipv6 */ + YYSYMBOL_server_min_client_subnet_ipv4 = 380, /* server_min_client_subnet_ipv4 */ + YYSYMBOL_server_min_client_subnet_ipv6 = 381, /* server_min_client_subnet_ipv6 */ + YYSYMBOL_server_max_ecs_tree_size_ipv4 = 382, /* server_max_ecs_tree_size_ipv4 */ + YYSYMBOL_server_max_ecs_tree_size_ipv6 = 383, /* server_max_ecs_tree_size_ipv6 */ + YYSYMBOL_server_interface = 384, /* server_interface */ + YYSYMBOL_server_outgoing_interface = 385, /* server_outgoing_interface */ + YYSYMBOL_server_outgoing_range = 386, /* server_outgoing_range */ + YYSYMBOL_server_outgoing_port_permit = 387, /* server_outgoing_port_permit */ + YYSYMBOL_server_outgoing_port_avoid = 388, /* server_outgoing_port_avoid */ + YYSYMBOL_server_outgoing_num_tcp = 389, /* server_outgoing_num_tcp */ + YYSYMBOL_server_incoming_num_tcp = 390, /* server_incoming_num_tcp */ + YYSYMBOL_server_interface_automatic = 391, /* server_interface_automatic */ + YYSYMBOL_server_interface_automatic_ports = 392, /* server_interface_automatic_ports */ + YYSYMBOL_server_do_ip4 = 393, /* server_do_ip4 */ + YYSYMBOL_server_do_ip6 = 394, /* server_do_ip6 */ + YYSYMBOL_server_do_udp = 395, /* server_do_udp */ + YYSYMBOL_server_do_tcp = 396, /* server_do_tcp */ + YYSYMBOL_server_prefer_ip4 = 397, /* server_prefer_ip4 */ + YYSYMBOL_server_prefer_ip6 = 398, /* server_prefer_ip6 */ + YYSYMBOL_server_tcp_mss = 399, /* server_tcp_mss */ + YYSYMBOL_server_outgoing_tcp_mss = 400, /* 
server_outgoing_tcp_mss */ + YYSYMBOL_server_tcp_idle_timeout = 401, /* server_tcp_idle_timeout */ + YYSYMBOL_server_max_reuse_tcp_queries = 402, /* server_max_reuse_tcp_queries */ + YYSYMBOL_server_tcp_reuse_timeout = 403, /* server_tcp_reuse_timeout */ + YYSYMBOL_server_tcp_auth_query_timeout = 404, /* server_tcp_auth_query_timeout */ + YYSYMBOL_server_tcp_keepalive = 405, /* server_tcp_keepalive */ + YYSYMBOL_server_tcp_keepalive_timeout = 406, /* server_tcp_keepalive_timeout */ + YYSYMBOL_server_tcp_upstream = 407, /* server_tcp_upstream */ + YYSYMBOL_server_udp_upstream_without_downstream = 408, /* server_udp_upstream_without_downstream */ + YYSYMBOL_server_ssl_upstream = 409, /* server_ssl_upstream */ + YYSYMBOL_server_ssl_service_key = 410, /* server_ssl_service_key */ + YYSYMBOL_server_ssl_service_pem = 411, /* server_ssl_service_pem */ + YYSYMBOL_server_ssl_port = 412, /* server_ssl_port */ + YYSYMBOL_server_tls_cert_bundle = 413, /* server_tls_cert_bundle */ + YYSYMBOL_server_tls_win_cert = 414, /* server_tls_win_cert */ + YYSYMBOL_server_tls_additional_port = 415, /* server_tls_additional_port */ + YYSYMBOL_server_tls_ciphers = 416, /* server_tls_ciphers */ + YYSYMBOL_server_tls_ciphersuites = 417, /* server_tls_ciphersuites */ + YYSYMBOL_server_tls_session_ticket_keys = 418, /* server_tls_session_ticket_keys */ + YYSYMBOL_server_tls_use_sni = 419, /* server_tls_use_sni */ + YYSYMBOL_server_https_port = 420, /* server_https_port */ + YYSYMBOL_server_http_endpoint = 421, /* server_http_endpoint */ + YYSYMBOL_server_http_max_streams = 422, /* server_http_max_streams */ + YYSYMBOL_server_http_query_buffer_size = 423, /* server_http_query_buffer_size */ + YYSYMBOL_server_http_response_buffer_size = 424, /* server_http_response_buffer_size */ + YYSYMBOL_server_http_nodelay = 425, /* server_http_nodelay */ + YYSYMBOL_server_http_notls_downstream = 426, /* server_http_notls_downstream */ + YYSYMBOL_server_use_systemd = 427, /* server_use_systemd */ + 
YYSYMBOL_server_do_daemonize = 428, /* server_do_daemonize */ + YYSYMBOL_server_use_syslog = 429, /* server_use_syslog */ + YYSYMBOL_server_log_time_ascii = 430, /* server_log_time_ascii */ + YYSYMBOL_server_log_queries = 431, /* server_log_queries */ + YYSYMBOL_server_log_replies = 432, /* server_log_replies */ + YYSYMBOL_server_log_tag_queryreply = 433, /* server_log_tag_queryreply */ + YYSYMBOL_server_log_servfail = 434, /* server_log_servfail */ + YYSYMBOL_server_log_local_actions = 435, /* server_log_local_actions */ + YYSYMBOL_server_chroot = 436, /* server_chroot */ + YYSYMBOL_server_username = 437, /* server_username */ + YYSYMBOL_server_directory = 438, /* server_directory */ + YYSYMBOL_server_logfile = 439, /* server_logfile */ + YYSYMBOL_server_pidfile = 440, /* server_pidfile */ + YYSYMBOL_server_root_hints = 441, /* server_root_hints */ + YYSYMBOL_server_dlv_anchor_file = 442, /* server_dlv_anchor_file */ + YYSYMBOL_server_dlv_anchor = 443, /* server_dlv_anchor */ + YYSYMBOL_server_auto_trust_anchor_file = 444, /* server_auto_trust_anchor_file */ + YYSYMBOL_server_trust_anchor_file = 445, /* server_trust_anchor_file */ + YYSYMBOL_server_trusted_keys_file = 446, /* server_trusted_keys_file */ + YYSYMBOL_server_trust_anchor = 447, /* server_trust_anchor */ + YYSYMBOL_server_trust_anchor_signaling = 448, /* server_trust_anchor_signaling */ + YYSYMBOL_server_root_key_sentinel = 449, /* server_root_key_sentinel */ + YYSYMBOL_server_domain_insecure = 450, /* server_domain_insecure */ + YYSYMBOL_server_hide_identity = 451, /* server_hide_identity */ + YYSYMBOL_server_hide_version = 452, /* server_hide_version */ + YYSYMBOL_server_hide_trustanchor = 453, /* server_hide_trustanchor */ + YYSYMBOL_server_hide_http_user_agent = 454, /* server_hide_http_user_agent */ + YYSYMBOL_server_identity = 455, /* server_identity */ + YYSYMBOL_server_version = 456, /* server_version */ + YYSYMBOL_server_http_user_agent = 457, /* server_http_user_agent */ + 
YYSYMBOL_server_nsid = 458, /* server_nsid */ + YYSYMBOL_server_so_rcvbuf = 459, /* server_so_rcvbuf */ + YYSYMBOL_server_so_sndbuf = 460, /* server_so_sndbuf */ + YYSYMBOL_server_so_reuseport = 461, /* server_so_reuseport */ + YYSYMBOL_server_ip_transparent = 462, /* server_ip_transparent */ + YYSYMBOL_server_ip_freebind = 463, /* server_ip_freebind */ + YYSYMBOL_server_ip_dscp = 464, /* server_ip_dscp */ + YYSYMBOL_server_stream_wait_size = 465, /* server_stream_wait_size */ + YYSYMBOL_server_edns_buffer_size = 466, /* server_edns_buffer_size */ + YYSYMBOL_server_msg_buffer_size = 467, /* server_msg_buffer_size */ + YYSYMBOL_server_msg_cache_size = 468, /* server_msg_cache_size */ + YYSYMBOL_server_msg_cache_slabs = 469, /* server_msg_cache_slabs */ + YYSYMBOL_server_num_queries_per_thread = 470, /* server_num_queries_per_thread */ + YYSYMBOL_server_jostle_timeout = 471, /* server_jostle_timeout */ + YYSYMBOL_server_delay_close = 472, /* server_delay_close */ + YYSYMBOL_server_udp_connect = 473, /* server_udp_connect */ + YYSYMBOL_server_unblock_lan_zones = 474, /* server_unblock_lan_zones */ + YYSYMBOL_server_insecure_lan_zones = 475, /* server_insecure_lan_zones */ + YYSYMBOL_server_rrset_cache_size = 476, /* server_rrset_cache_size */ + YYSYMBOL_server_rrset_cache_slabs = 477, /* server_rrset_cache_slabs */ + YYSYMBOL_server_infra_host_ttl = 478, /* server_infra_host_ttl */ + YYSYMBOL_server_infra_lame_ttl = 479, /* server_infra_lame_ttl */ + YYSYMBOL_server_infra_cache_numhosts = 480, /* server_infra_cache_numhosts */ + YYSYMBOL_server_infra_cache_lame_size = 481, /* server_infra_cache_lame_size */ + YYSYMBOL_server_infra_cache_slabs = 482, /* server_infra_cache_slabs */ + YYSYMBOL_server_infra_cache_min_rtt = 483, /* server_infra_cache_min_rtt */ + YYSYMBOL_server_infra_cache_max_rtt = 484, /* server_infra_cache_max_rtt */ + YYSYMBOL_server_infra_keep_probing = 485, /* server_infra_keep_probing */ + YYSYMBOL_server_target_fetch_policy = 486, /* 
server_target_fetch_policy */ + YYSYMBOL_server_harden_short_bufsize = 487, /* server_harden_short_bufsize */ + YYSYMBOL_server_harden_large_queries = 488, /* server_harden_large_queries */ + YYSYMBOL_server_harden_glue = 489, /* server_harden_glue */ + YYSYMBOL_server_harden_dnssec_stripped = 490, /* server_harden_dnssec_stripped */ + YYSYMBOL_server_harden_below_nxdomain = 491, /* server_harden_below_nxdomain */ + YYSYMBOL_server_harden_referral_path = 492, /* server_harden_referral_path */ + YYSYMBOL_server_harden_algo_downgrade = 493, /* server_harden_algo_downgrade */ + YYSYMBOL_server_use_caps_for_id = 494, /* server_use_caps_for_id */ + YYSYMBOL_server_caps_whitelist = 495, /* server_caps_whitelist */ + YYSYMBOL_server_private_address = 496, /* server_private_address */ + YYSYMBOL_server_private_domain = 497, /* server_private_domain */ + YYSYMBOL_server_prefetch = 498, /* server_prefetch */ + YYSYMBOL_server_prefetch_key = 499, /* server_prefetch_key */ + YYSYMBOL_server_deny_any = 500, /* server_deny_any */ + YYSYMBOL_server_unwanted_reply_threshold = 501, /* server_unwanted_reply_threshold */ + YYSYMBOL_server_do_not_query_address = 502, /* server_do_not_query_address */ + YYSYMBOL_server_do_not_query_localhost = 503, /* server_do_not_query_localhost */ + YYSYMBOL_server_access_control = 504, /* server_access_control */ + YYSYMBOL_server_interface_action = 505, /* server_interface_action */ + YYSYMBOL_server_module_conf = 506, /* server_module_conf */ + YYSYMBOL_server_val_override_date = 507, /* server_val_override_date */ + YYSYMBOL_server_val_sig_skew_min = 508, /* server_val_sig_skew_min */ + YYSYMBOL_server_val_sig_skew_max = 509, /* server_val_sig_skew_max */ + YYSYMBOL_server_val_max_restart = 510, /* server_val_max_restart */ + YYSYMBOL_server_cache_max_ttl = 511, /* server_cache_max_ttl */ + YYSYMBOL_server_cache_max_negative_ttl = 512, /* server_cache_max_negative_ttl */ + YYSYMBOL_server_cache_min_ttl = 513, /* server_cache_min_ttl */ + 
YYSYMBOL_server_bogus_ttl = 514, /* server_bogus_ttl */ + YYSYMBOL_server_val_clean_additional = 515, /* server_val_clean_additional */ + YYSYMBOL_server_val_permissive_mode = 516, /* server_val_permissive_mode */ + YYSYMBOL_server_aggressive_nsec = 517, /* server_aggressive_nsec */ + YYSYMBOL_server_ignore_cd_flag = 518, /* server_ignore_cd_flag */ + YYSYMBOL_server_serve_expired = 519, /* server_serve_expired */ + YYSYMBOL_server_serve_expired_ttl = 520, /* server_serve_expired_ttl */ + YYSYMBOL_server_serve_expired_ttl_reset = 521, /* server_serve_expired_ttl_reset */ + YYSYMBOL_server_serve_expired_reply_ttl = 522, /* server_serve_expired_reply_ttl */ + YYSYMBOL_server_serve_expired_client_timeout = 523, /* server_serve_expired_client_timeout */ + YYSYMBOL_server_ede_serve_expired = 524, /* server_ede_serve_expired */ + YYSYMBOL_server_serve_original_ttl = 525, /* server_serve_original_ttl */ + YYSYMBOL_server_fake_dsa = 526, /* server_fake_dsa */ + YYSYMBOL_server_fake_sha1 = 527, /* server_fake_sha1 */ + YYSYMBOL_server_val_log_level = 528, /* server_val_log_level */ + YYSYMBOL_server_val_nsec3_keysize_iterations = 529, /* server_val_nsec3_keysize_iterations */ + YYSYMBOL_server_zonemd_permissive_mode = 530, /* server_zonemd_permissive_mode */ + YYSYMBOL_server_add_holddown = 531, /* server_add_holddown */ + YYSYMBOL_server_del_holddown = 532, /* server_del_holddown */ + YYSYMBOL_server_keep_missing = 533, /* server_keep_missing */ + YYSYMBOL_server_permit_small_holddown = 534, /* server_permit_small_holddown */ + YYSYMBOL_server_key_cache_size = 535, /* server_key_cache_size */ + YYSYMBOL_server_key_cache_slabs = 536, /* server_key_cache_slabs */ + YYSYMBOL_server_neg_cache_size = 537, /* server_neg_cache_size */ + YYSYMBOL_server_local_zone = 538, /* server_local_zone */ + YYSYMBOL_server_local_data = 539, /* server_local_data */ + YYSYMBOL_server_local_data_ptr = 540, /* server_local_data_ptr */ + YYSYMBOL_server_minimal_responses = 541, /* 
server_minimal_responses */ + YYSYMBOL_server_rrset_roundrobin = 542, /* server_rrset_roundrobin */ + YYSYMBOL_server_unknown_server_time_limit = 543, /* server_unknown_server_time_limit */ + YYSYMBOL_server_max_udp_size = 544, /* server_max_udp_size */ + YYSYMBOL_server_dns64_prefix = 545, /* server_dns64_prefix */ + YYSYMBOL_server_dns64_synthall = 546, /* server_dns64_synthall */ + YYSYMBOL_server_dns64_ignore_aaaa = 547, /* server_dns64_ignore_aaaa */ + YYSYMBOL_server_define_tag = 548, /* server_define_tag */ + YYSYMBOL_server_local_zone_tag = 549, /* server_local_zone_tag */ + YYSYMBOL_server_access_control_tag = 550, /* server_access_control_tag */ + YYSYMBOL_server_access_control_tag_action = 551, /* server_access_control_tag_action */ + YYSYMBOL_server_access_control_tag_data = 552, /* server_access_control_tag_data */ + YYSYMBOL_server_local_zone_override = 553, /* server_local_zone_override */ + YYSYMBOL_server_access_control_view = 554, /* server_access_control_view */ + YYSYMBOL_server_interface_tag = 555, /* server_interface_tag */ + YYSYMBOL_server_interface_tag_action = 556, /* server_interface_tag_action */ + YYSYMBOL_server_interface_tag_data = 557, /* server_interface_tag_data */ + YYSYMBOL_server_interface_view = 558, /* server_interface_view */ + YYSYMBOL_server_response_ip_tag = 559, /* server_response_ip_tag */ + YYSYMBOL_server_ip_ratelimit = 560, /* server_ip_ratelimit */ + YYSYMBOL_server_ratelimit = 561, /* server_ratelimit */ + YYSYMBOL_server_ip_ratelimit_size = 562, /* server_ip_ratelimit_size */ + YYSYMBOL_server_ratelimit_size = 563, /* server_ratelimit_size */ + YYSYMBOL_server_ip_ratelimit_slabs = 564, /* server_ip_ratelimit_slabs */ + YYSYMBOL_server_ratelimit_slabs = 565, /* server_ratelimit_slabs */ + YYSYMBOL_server_ratelimit_for_domain = 566, /* server_ratelimit_for_domain */ + YYSYMBOL_server_ratelimit_below_domain = 567, /* server_ratelimit_below_domain */ + YYSYMBOL_server_ip_ratelimit_factor = 568, /* 
server_ip_ratelimit_factor */ + YYSYMBOL_server_ratelimit_factor = 569, /* server_ratelimit_factor */ + YYSYMBOL_server_ip_ratelimit_backoff = 570, /* server_ip_ratelimit_backoff */ + YYSYMBOL_server_ratelimit_backoff = 571, /* server_ratelimit_backoff */ + YYSYMBOL_server_outbound_msg_retry = 572, /* server_outbound_msg_retry */ + YYSYMBOL_server_max_sent_count = 573, /* server_max_sent_count */ + YYSYMBOL_server_max_query_restarts = 574, /* server_max_query_restarts */ + YYSYMBOL_server_low_rtt = 575, /* server_low_rtt */ + YYSYMBOL_server_fast_server_num = 576, /* server_fast_server_num */ + YYSYMBOL_server_fast_server_permil = 577, /* server_fast_server_permil */ + YYSYMBOL_server_qname_minimisation = 578, /* server_qname_minimisation */ + YYSYMBOL_server_qname_minimisation_strict = 579, /* server_qname_minimisation_strict */ + YYSYMBOL_server_pad_responses = 580, /* server_pad_responses */ + YYSYMBOL_server_pad_responses_block_size = 581, /* server_pad_responses_block_size */ + YYSYMBOL_server_pad_queries = 582, /* server_pad_queries */ + YYSYMBOL_server_pad_queries_block_size = 583, /* server_pad_queries_block_size */ + YYSYMBOL_server_ipsecmod_enabled = 584, /* server_ipsecmod_enabled */ + YYSYMBOL_server_ipsecmod_ignore_bogus = 585, /* server_ipsecmod_ignore_bogus */ + YYSYMBOL_server_ipsecmod_hook = 586, /* server_ipsecmod_hook */ + YYSYMBOL_server_ipsecmod_max_ttl = 587, /* server_ipsecmod_max_ttl */ + YYSYMBOL_server_ipsecmod_whitelist = 588, /* server_ipsecmod_whitelist */ + YYSYMBOL_server_ipsecmod_strict = 589, /* server_ipsecmod_strict */ + YYSYMBOL_server_edns_client_string = 590, /* server_edns_client_string */ + YYSYMBOL_server_edns_client_string_opcode = 591, /* server_edns_client_string_opcode */ + YYSYMBOL_server_ede = 592, /* server_ede */ + YYSYMBOL_server_proxy_protocol_port = 593, /* server_proxy_protocol_port */ + YYSYMBOL_stub_name = 594, /* stub_name */ + YYSYMBOL_stub_host = 595, /* stub_host */ + YYSYMBOL_stub_addr = 596, /* stub_addr 
*/ + YYSYMBOL_stub_first = 597, /* stub_first */ + YYSYMBOL_stub_no_cache = 598, /* stub_no_cache */ + YYSYMBOL_stub_ssl_upstream = 599, /* stub_ssl_upstream */ + YYSYMBOL_stub_tcp_upstream = 600, /* stub_tcp_upstream */ + YYSYMBOL_stub_prime = 601, /* stub_prime */ + YYSYMBOL_forward_name = 602, /* forward_name */ + YYSYMBOL_forward_host = 603, /* forward_host */ + YYSYMBOL_forward_addr = 604, /* forward_addr */ + YYSYMBOL_forward_first = 605, /* forward_first */ + YYSYMBOL_forward_no_cache = 606, /* forward_no_cache */ + YYSYMBOL_forward_ssl_upstream = 607, /* forward_ssl_upstream */ + YYSYMBOL_forward_tcp_upstream = 608, /* forward_tcp_upstream */ + YYSYMBOL_auth_name = 609, /* auth_name */ + YYSYMBOL_auth_zonefile = 610, /* auth_zonefile */ + YYSYMBOL_auth_master = 611, /* auth_master */ + YYSYMBOL_auth_url = 612, /* auth_url */ + YYSYMBOL_auth_allow_notify = 613, /* auth_allow_notify */ + YYSYMBOL_auth_zonemd_check = 614, /* auth_zonemd_check */ + YYSYMBOL_auth_zonemd_reject_absence = 615, /* auth_zonemd_reject_absence */ + YYSYMBOL_auth_for_downstream = 616, /* auth_for_downstream */ + YYSYMBOL_auth_for_upstream = 617, /* auth_for_upstream */ + YYSYMBOL_auth_fallback_enabled = 618, /* auth_fallback_enabled */ + YYSYMBOL_view_name = 619, /* view_name */ + YYSYMBOL_view_local_zone = 620, /* view_local_zone */ + YYSYMBOL_view_response_ip = 621, /* view_response_ip */ + YYSYMBOL_view_response_ip_data = 622, /* view_response_ip_data */ + YYSYMBOL_view_local_data = 623, /* view_local_data */ + YYSYMBOL_view_local_data_ptr = 624, /* view_local_data_ptr */ + YYSYMBOL_view_first = 625, /* view_first */ + YYSYMBOL_rcstart = 626, /* rcstart */ + YYSYMBOL_contents_rc = 627, /* contents_rc */ + YYSYMBOL_content_rc = 628, /* content_rc */ + YYSYMBOL_rc_control_enable = 629, /* rc_control_enable */ + YYSYMBOL_rc_control_port = 630, /* rc_control_port */ + YYSYMBOL_rc_control_interface = 631, /* rc_control_interface */ + YYSYMBOL_rc_control_use_cert = 632, /* 
rc_control_use_cert */ + YYSYMBOL_rc_server_key_file = 633, /* rc_server_key_file */ + YYSYMBOL_rc_server_cert_file = 634, /* rc_server_cert_file */ + YYSYMBOL_rc_control_key_file = 635, /* rc_control_key_file */ + YYSYMBOL_rc_control_cert_file = 636, /* rc_control_cert_file */ + YYSYMBOL_dtstart = 637, /* dtstart */ + YYSYMBOL_contents_dt = 638, /* contents_dt */ + YYSYMBOL_content_dt = 639, /* content_dt */ + YYSYMBOL_dt_dnstap_enable = 640, /* dt_dnstap_enable */ + YYSYMBOL_dt_dnstap_bidirectional = 641, /* dt_dnstap_bidirectional */ + YYSYMBOL_dt_dnstap_socket_path = 642, /* dt_dnstap_socket_path */ + YYSYMBOL_dt_dnstap_ip = 643, /* dt_dnstap_ip */ + YYSYMBOL_dt_dnstap_tls = 644, /* dt_dnstap_tls */ + YYSYMBOL_dt_dnstap_tls_server_name = 645, /* dt_dnstap_tls_server_name */ + YYSYMBOL_dt_dnstap_tls_cert_bundle = 646, /* dt_dnstap_tls_cert_bundle */ + YYSYMBOL_dt_dnstap_tls_client_key_file = 647, /* dt_dnstap_tls_client_key_file */ + YYSYMBOL_dt_dnstap_tls_client_cert_file = 648, /* dt_dnstap_tls_client_cert_file */ + YYSYMBOL_dt_dnstap_send_identity = 649, /* dt_dnstap_send_identity */ + YYSYMBOL_dt_dnstap_send_version = 650, /* dt_dnstap_send_version */ + YYSYMBOL_dt_dnstap_identity = 651, /* dt_dnstap_identity */ + YYSYMBOL_dt_dnstap_version = 652, /* dt_dnstap_version */ + YYSYMBOL_dt_dnstap_log_resolver_query_messages = 653, /* dt_dnstap_log_resolver_query_messages */ + YYSYMBOL_dt_dnstap_log_resolver_response_messages = 654, /* dt_dnstap_log_resolver_response_messages */ + YYSYMBOL_dt_dnstap_log_client_query_messages = 655, /* dt_dnstap_log_client_query_messages */ + YYSYMBOL_dt_dnstap_log_client_response_messages = 656, /* dt_dnstap_log_client_response_messages */ + YYSYMBOL_dt_dnstap_log_forwarder_query_messages = 657, /* dt_dnstap_log_forwarder_query_messages */ + YYSYMBOL_dt_dnstap_log_forwarder_response_messages = 658, /* dt_dnstap_log_forwarder_response_messages */ + YYSYMBOL_pythonstart = 659, /* pythonstart */ + YYSYMBOL_contents_py = 660, /* 
contents_py */ + YYSYMBOL_content_py = 661, /* content_py */ + YYSYMBOL_py_script = 662, /* py_script */ + YYSYMBOL_dynlibstart = 663, /* dynlibstart */ + YYSYMBOL_contents_dl = 664, /* contents_dl */ + YYSYMBOL_content_dl = 665, /* content_dl */ + YYSYMBOL_dl_file = 666, /* dl_file */ + YYSYMBOL_server_disable_dnssec_lame_check = 667, /* server_disable_dnssec_lame_check */ + YYSYMBOL_server_log_identity = 668, /* server_log_identity */ + YYSYMBOL_server_response_ip = 669, /* server_response_ip */ + YYSYMBOL_server_response_ip_data = 670, /* server_response_ip_data */ + YYSYMBOL_dnscstart = 671, /* dnscstart */ + YYSYMBOL_contents_dnsc = 672, /* contents_dnsc */ + YYSYMBOL_content_dnsc = 673, /* content_dnsc */ + YYSYMBOL_dnsc_dnscrypt_enable = 674, /* dnsc_dnscrypt_enable */ + YYSYMBOL_dnsc_dnscrypt_port = 675, /* dnsc_dnscrypt_port */ + YYSYMBOL_dnsc_dnscrypt_provider = 676, /* dnsc_dnscrypt_provider */ + YYSYMBOL_dnsc_dnscrypt_provider_cert = 677, /* dnsc_dnscrypt_provider_cert */ + YYSYMBOL_dnsc_dnscrypt_provider_cert_rotated = 678, /* dnsc_dnscrypt_provider_cert_rotated */ + YYSYMBOL_dnsc_dnscrypt_secret_key = 679, /* dnsc_dnscrypt_secret_key */ + YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_size = 680, /* dnsc_dnscrypt_shared_secret_cache_size */ + YYSYMBOL_dnsc_dnscrypt_shared_secret_cache_slabs = 681, /* dnsc_dnscrypt_shared_secret_cache_slabs */ + YYSYMBOL_dnsc_dnscrypt_nonce_cache_size = 682, /* dnsc_dnscrypt_nonce_cache_size */ + YYSYMBOL_dnsc_dnscrypt_nonce_cache_slabs = 683, /* dnsc_dnscrypt_nonce_cache_slabs */ + YYSYMBOL_cachedbstart = 684, /* cachedbstart */ + YYSYMBOL_contents_cachedb = 685, /* contents_cachedb */ + YYSYMBOL_content_cachedb = 686, /* content_cachedb */ + YYSYMBOL_cachedb_backend_name = 687, /* cachedb_backend_name */ + YYSYMBOL_cachedb_secret_seed = 688, /* cachedb_secret_seed */ + YYSYMBOL_redis_server_host = 689, /* redis_server_host */ + YYSYMBOL_redis_server_port = 690, /* redis_server_port */ + YYSYMBOL_redis_timeout = 691, /* 
redis_timeout */ + YYSYMBOL_redis_expire_records = 692, /* redis_expire_records */ + YYSYMBOL_server_tcp_connection_limit = 693, /* server_tcp_connection_limit */ + YYSYMBOL_ipsetstart = 694, /* ipsetstart */ + YYSYMBOL_contents_ipset = 695, /* contents_ipset */ + YYSYMBOL_content_ipset = 696, /* content_ipset */ + YYSYMBOL_ipset_name_v4 = 697, /* ipset_name_v4 */ + YYSYMBOL_ipset_name_v6 = 698 /* ipset_name_v6 */ }; typedef enum yysymbol_kind_t yysymbol_kind_t; @@ -1508,6 +867,18 @@ typedef short yytype_int16; #endif +/* Work around bug in HP-UX 11.23, which defines these macros + incorrectly for preprocessor constants. This workaround can likely + be removed in 2023, as HPE has promised support for HP-UX 11.23 + (aka HP-UX 11i v2) only through the end of 2022; see Table 2 of + <https://h20195.www2.hpe.com/V2/getpdf.aspx/4AA4-7673ENW.pdf>. */ +#ifdef __hpux +# undef UINT_LEAST8_MAX +# undef UINT_LEAST16_MAX +# define UINT_LEAST8_MAX 255 +# define UINT_LEAST16_MAX 65535 +#endif + #if defined __UINT_LEAST8_MAX__ && __UINT_LEAST8_MAX__ <= __INT_MAX__ typedef __UINT_LEAST8_TYPE__ yytype_uint8; #elif (!defined __UINT_LEAST8_MAX__ && defined YY_STDINT_H \ @@ -1605,9 +976,9 @@ /* Suppress unused-variable warnings by "using" E. */ #if ! defined lint || defined __GNUC__ -# define YYUSE(E) ((void) (E)) +# define YY_USE(E) ((void) (E)) #else -# define YYUSE(E) /* empty */ +# define YY_USE(E) /* empty */ #endif #if defined __GNUC__ && ! defined __ICC && 407 <= __GNUC__ * 100 + __GNUC_MINOR__ 
@@ -1774,18 +1145,19 @@ /* YYFINAL -- State number of the termination state. */ #define YYFINAL 2 /* YYLAST -- Last index in YYTABLE. */ -#define YYLAST 672 +#define YYLAST 719 /* YYNTOKENS -- Number of terminals. */ -#define YYNTOKENS 318 +#define YYNTOKENS 337 /* YYNNTS -- Number of nonterminals. */ -#define YYNNTS 343 +#define YYNNTS 362 /* YYNRULES -- Number of rules. */ -#define YYNRULES 662 +#define YYNRULES 701 /* YYNSTATES -- Number of states. */ -#define YYNSTATES 984 +#define YYNSTATES 1049 -#define YYMAXUTOK 572 +/* YYMAXUTOK -- Last valid token kind. */ +#define YYMAXUTOK 591 /* YYTRANSLATE(TOKEN-NUM) -- Symbol number corresponding to TOKEN-NUM 
@@ -1856,80 +1228,86 @@ 285, 286, 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, 312, 313, 314, - 315, 316, 317 + 315, 316, 317, 318, 319, 320, 321, 322, 323, 324, + 325, 326, 327, 328, 329, 330, 331, 332, 333, 334, + 335, 336 }; #if YYDEBUG /* YYRLINEYYN -- Source line where rule number YYN was defined. */ static const yytype_int16 yyrline = { - 0, 190, 190, 190, 191, 191, 192, 192, 193, 193, - 193, 194, 194, 195, 195, 196, 196, 197, 199, 205, - 210, 211, 212, 212, 212, 213, 213, 214, 214, 214, - 215, 215, 216, 216, 216, 217, 217, 218, 218, 218, - 219, 219, 219, 220, 220, 221, 221, 222, 222, 223, - 223, 224, 224, 225, 225, 226, 226, 227, 227, 228, - 228, 228, 229, 229, 230, 230, 230, 231, 231, 231, - 232, 232, 233, 233, 234, 234, 235, 235, 236, 236, - 236, 237, 237, 238, 238, 239, 239, 239, 240, 240, - 241, 241, 242, 242, 243, 243, 243, 244, 244, 245, - 245, 246, 246, 247, 247, 248, 248, 249, 249, 250, - 250, 251, 251, 252, 252, 252, 253, 253, 253, 254, - 254, 254, 255, 255, 255, 255, 256, 257, 257, 257, - 258, 258, 258, 259, 259, 260, 260, 261, 261, 261, - 262, 262, 262, 263, 263, 264, 264, 264, 265, 265, - 266, 266, 266, 267, 267, 268, 268, 269, 269, 270, - 271, 271, 272, 272, 273, 273, 274, 275, 275, 276, - 276, 277, 277, 278, 278, 279, 279, 280, 280, 280, - 281, 281, 282, 282, 283, 283, 284, 285, 285, 286, - 286, 287, 288, 288, 289, 289, 290, 290, 291, 291, - 292, 292, 292, 293, 293, 293, 294, 294, 295, 296, - 296, 297, 297, 298, 298, 299, 299, 300, 300, 300, - 301, 301, 301, 302, 302, 302, 303, 303, 304, 304, - 305, 305, 306, 306, 307, 307, 308, 308, 309, 309, - 312, 324, 325, 326, 326, 326, 326, 326, 327, 327, - 329, 341, 342, 343, 343, 343, 343, 344, 344, 346, - 360, 361, 362, 362, 362, 362, 363, 363, 363, 365, - 384, 385, 386, 386, 386, 386, 387, 387, 387, 388, - 388, 388, 391, 410, 427, 435, 445, 453, 470, 471, - 472, 472, 472, 472, 472, 473, 473, 473, 474, 474, - 476, 485, 494, 
505, 514, 523, 532, 543, 552, 564, - 578, 593, 604, 621, 638, 655, 672, 687, 702, 715, - 730, 739, 748, 757, 766, 775, 784, 793, 802, 811, - 820, 829, 838, 847, 856, 869, 880, 891, 902, 911, - 924, 933, 942, 951, 958, 965, 974, 981, 990, 998, - 1005, 1012, 1020, 1029, 1037, 1053, 1061, 1069, 1077, 1085, - 1093, 1102, 1111, 1125, 1134, 1143, 1152, 1161, 1170, 1179, - 1186, 1193, 1219, 1227, 1234, 1241, 1248, 1255, 1263, 1271, - 1279, 1286, 1297, 1308, 1315, 1324, 1333, 1342, 1351, 1358, - 1365, 1372, 1388, 1396, 1404, 1414, 1424, 1434, 1448, 1456, - 1469, 1480, 1488, 1501, 1510, 1519, 1528, 1537, 1547, 1557, - 1565, 1578, 1587, 1595, 1604, 1612, 1625, 1634, 1644, 1651, - 1661, 1671, 1681, 1691, 1701, 1711, 1721, 1731, 1738, 1745, - 1752, 1761, 1770, 1779, 1788, 1795, 1805, 1825, 1832, 1850, - 1863, 1876, 1889, 1898, 1907, 1916, 1925, 1935, 1945, 1956, - 1965, 1974, 1983, 1992, 2001, 2010, 2019, 2032, 2045, 2054, - 2061, 2070, 2079, 2088, 2097, 2106, 2114, 2127, 2135, 2180, - 2187, 2202, 2212, 2222, 2229, 2236, 2243, 2252, 2260, 2274, - 2295, 2316, 2328, 2340, 2352, 2361, 2382, 2392, 2401, 2409, - 2417, 2430, 2443, 2458, 2473, 2482, 2491, 2497, 2506, 2515, - 2525, 2535, 2545, 2554, 2564, 2573, 2586, 2599, 2611, 2625, - 2637, 2651, 2660, 2672, 2682, 2689, 2696, 2705, 2714, 2724, - 2734, 2744, 2751, 2758, 2767, 2776, 2786, 2796, 2803, 2810, - 2817, 2825, 2835, 2845, 2855, 2865, 2875, 2885, 2931, 2941, - 2949, 2957, 2972, 2981, 2986, 2987, 2988, 2988, 2988, 2989, - 2989, 2989, 2990, 2990, 2992, 3002, 3011, 3018, 3025, 3032, - 3039, 3046, 3053, 3058, 3059, 3060, 3060, 3060, 3061, 3061, - 3061, 3062, 3063, 3063, 3064, 3064, 3065, 3065, 3066, 3067, - 3068, 3069, 3070, 3071, 3073, 3082, 3092, 3099, 3106, 3115, - 3122, 3129, 3136, 3143, 3152, 3161, 3168, 3175, 3185, 3195, - 3205, 3215, 3225, 3235, 3240, 3241, 3242, 3244, 3250, 3255, - 3256, 3257, 3259, 3265, 3275, 3282, 3291, 3299, 3304, 3305, - 3307, 3307, 3307, 3308, 3308, 3309, 3310, 3311, 3312, 3313, - 3315, 3325, 3334, 
3341, 3350, 3357, 3366, 3374, 3387, 3395, - 3408, 3413, 3414, 3415, 3415, 3416, 3416, 3416, 3417, 3419, - 3431, 3443, 3455, 3470, 3483, 3496, 3507, 3512, 3513, 3514, - 3514, 3516, 3531 + 0, 199, 199, 199, 200, 200, 201, 201, 202, 202, + 202, 203, 203, 204, 204, 205, 205, 206, 208, 215, + 221, 222, 223, 223, 223, 224, 224, 225, 225, 225, + 226, 226, 227, 227, 227, 228, 228, 229, 229, 229, + 230, 230, 230, 231, 231, 232, 232, 233, 233, 234, + 234, 235, 235, 236, 236, 237, 237, 238, 238, 239, + 239, 239, 240, 240, 241, 241, 241, 242, 242, 242, + 243, 243, 244, 244, 245, 245, 246, 246, 247, 247, + 247, 248, 248, 249, 249, 250, 250, 250, 251, 251, + 252, 252, 253, 253, 254, 254, 254, 255, 255, 256, + 256, 257, 257, 258, 258, 259, 259, 260, 260, 261, + 261, 262, 262, 263, 263, 263, 264, 264, 264, 265, + 265, 265, 266, 266, 266, 266, 267, 268, 268, 268, + 269, 269, 269, 270, 270, 271, 271, 272, 272, 272, + 273, 273, 273, 274, 274, 275, 275, 275, 276, 276, + 276, 277, 277, 277, 278, 278, 279, 279, 280, 280, + 281, 282, 282, 283, 283, 284, 284, 285, 285, 286, + 286, 287, 287, 288, 288, 289, 289, 290, 290, 291, + 291, 292, 292, 293, 293, 293, 294, 294, 295, 295, + 296, 296, 297, 297, 297, 298, 298, 299, 300, 300, + 301, 301, 302, 303, 303, 304, 304, 305, 305, 305, + 306, 306, 307, 307, 307, 308, 308, 308, 309, 309, + 310, 311, 311, 312, 312, 313, 313, 314, 314, 315, + 315, 315, 316, 316, 316, 317, 317, 317, 318, 318, + 319, 319, 320, 320, 321, 321, 322, 322, 323, 323, + 324, 324, 325, 325, 326, 326, 328, 342, 343, 344, + 344, 344, 344, 344, 345, 345, 345, 347, 361, 362, + 363, 363, 363, 363, 364, 364, 364, 366, 382, 383, + 384, 384, 384, 384, 385, 385, 385, 387, 408, 409, + 410, 410, 410, 410, 411, 411, 411, 412, 412, 412, + 415, 434, 451, 459, 469, 476, 486, 505, 506, 507, + 507, 507, 507, 507, 508, 508, 508, 509, 509, 509, + 509, 511, 520, 529, 540, 549, 558, 567, 576, 587, + 596, 608, 622, 637, 648, 665, 682, 699, 716, 731, + 746, 759, 774, 783, 792, 801, 810, 819, 828, 
835, + 844, 853, 862, 871, 880, 889, 898, 907, 920, 931, + 942, 953, 962, 975, 984, 993, 1002, 1009, 1016, 1025, + 1032, 1041, 1049, 1056, 1063, 1071, 1080, 1088, 1104, 1112, + 1120, 1128, 1136, 1144, 1153, 1162, 1176, 1185, 1194, 1203, + 1212, 1221, 1230, 1237, 1244, 1270, 1278, 1285, 1292, 1299, + 1306, 1314, 1322, 1330, 1337, 1348, 1359, 1366, 1375, 1384, + 1393, 1402, 1409, 1416, 1423, 1439, 1447, 1455, 1465, 1475, + 1485, 1499, 1507, 1520, 1531, 1539, 1552, 1561, 1570, 1579, + 1588, 1598, 1608, 1616, 1629, 1638, 1646, 1655, 1663, 1676, + 1685, 1694, 1704, 1711, 1721, 1731, 1741, 1751, 1761, 1771, + 1781, 1791, 1798, 1805, 1812, 1821, 1830, 1839, 1848, 1855, + 1865, 1873, 1882, 1889, 1907, 1920, 1933, 1946, 1955, 1964, + 1973, 1982, 1992, 2002, 2013, 2022, 2031, 2040, 2049, 2058, + 2067, 2076, 2085, 2098, 2111, 2120, 2127, 2136, 2145, 2154, + 2163, 2172, 2180, 2193, 2201, 2256, 2263, 2278, 2288, 2298, + 2305, 2312, 2319, 2328, 2336, 2350, 2371, 2392, 2404, 2416, + 2428, 2437, 2458, 2470, 2482, 2491, 2512, 2521, 2530, 2538, + 2546, 2559, 2572, 2587, 2602, 2611, 2620, 2630, 2640, 2649, + 2658, 2667, 2673, 2682, 2691, 2701, 2711, 2721, 2730, 2740, + 2749, 2762, 2775, 2787, 2801, 2813, 2827, 2836, 2847, 2856, + 2863, 2873, 2880, 2887, 2896, 2905, 2915, 2925, 2935, 2945, + 2952, 2959, 2968, 2977, 2987, 2997, 3007, 3014, 3021, 3028, + 3036, 3046, 3056, 3066, 3076, 3086, 3096, 3152, 3162, 3170, + 3178, 3193, 3202, 3208, 3209, 3210, 3210, 3210, 3211, 3211, + 3211, 3212, 3212, 3214, 3224, 3233, 3240, 3247, 3254, 3261, + 3268, 3275, 3281, 3282, 3283, 3283, 3283, 3284, 3284, 3284, + 3285, 3286, 3286, 3287, 3287, 3288, 3288, 3289, 3290, 3291, + 3292, 3293, 3294, 3296, 3305, 3315, 3322, 3329, 3338, 3345, + 3352, 3359, 3366, 3375, 3384, 3391, 3398, 3408, 3418, 3428, + 3438, 3448, 3458, 3464, 3465, 3466, 3468, 3474, 3480, 3481, + 3482, 3484, 3490, 3500, 3507, 3516, 3524, 3530, 3531, 3533, + 3533, 3533, 3534, 3534, 3535, 3536, 3537, 3538, 3539, 3541, + 3551, 3560, 3567, 3576, 
3583, 3592, 3600, 3613, 3621, 3634, + 3640, 3641, 3642, 3642, 3643, 3643, 3643, 3644, 3646, 3658, + 3670, 3682, 3697, 3710, 3723, 3734, 3740, 3741, 3742, 3742, + 3744, 3759 }; #endif 
@@ -1993,20 +1371,21 @@ "VAR_SSL_UPSTREAM", "VAR_TCP_AUTH_QUERY_TIMEOUT", "VAR_SSL_SERVICE_KEY", "VAR_SSL_SERVICE_PEM", "VAR_SSL_PORT", "VAR_FORWARD_FIRST", "VAR_STUB_SSL_UPSTREAM", "VAR_FORWARD_SSL_UPSTREAM", - "VAR_TLS_CERT_BUNDLE", "VAR_HTTPS_PORT", "VAR_HTTP_ENDPOINT", + "VAR_TLS_CERT_BUNDLE", "VAR_STUB_TCP_UPSTREAM", + "VAR_FORWARD_TCP_UPSTREAM", "VAR_HTTPS_PORT", "VAR_HTTP_ENDPOINT", "VAR_HTTP_MAX_STREAMS", "VAR_HTTP_QUERY_BUFFER_SIZE", "VAR_HTTP_RESPONSE_BUFFER_SIZE", "VAR_HTTP_NODELAY", "VAR_HTTP_NOTLS_DOWNSTREAM", "VAR_STUB_FIRST", "VAR_MINIMAL_RESPONSES", "VAR_RRSET_ROUNDROBIN", "VAR_MAX_UDP_SIZE", "VAR_DELAY_CLOSE", "VAR_UDP_CONNECT", "VAR_UNBLOCK_LAN_ZONES", "VAR_INSECURE_LAN_ZONES", - "VAR_INFRA_CACHE_MIN_RTT", "VAR_INFRA_KEEP_PROBING", "VAR_DNS64_PREFIX", - "VAR_DNS64_SYNTHALL", "VAR_DNS64_IGNORE_AAAA", "VAR_DNSTAP", - "VAR_DNSTAP_ENABLE", "VAR_DNSTAP_SOCKET_PATH", "VAR_DNSTAP_IP", - "VAR_DNSTAP_TLS", "VAR_DNSTAP_TLS_SERVER_NAME", - "VAR_DNSTAP_TLS_CERT_BUNDLE", "VAR_DNSTAP_TLS_CLIENT_KEY_FILE", - "VAR_DNSTAP_TLS_CLIENT_CERT_FILE", "VAR_DNSTAP_SEND_IDENTITY", - "VAR_DNSTAP_SEND_VERSION", "VAR_DNSTAP_BIDIRECTIONAL", - "VAR_DNSTAP_IDENTITY", "VAR_DNSTAP_VERSION", + "VAR_INFRA_CACHE_MIN_RTT", "VAR_INFRA_CACHE_MAX_RTT", + "VAR_INFRA_KEEP_PROBING", "VAR_DNS64_PREFIX", "VAR_DNS64_SYNTHALL", + "VAR_DNS64_IGNORE_AAAA", "VAR_DNSTAP", "VAR_DNSTAP_ENABLE", + "VAR_DNSTAP_SOCKET_PATH", "VAR_DNSTAP_IP", "VAR_DNSTAP_TLS", + "VAR_DNSTAP_TLS_SERVER_NAME", "VAR_DNSTAP_TLS_CERT_BUNDLE", + "VAR_DNSTAP_TLS_CLIENT_KEY_FILE", "VAR_DNSTAP_TLS_CLIENT_CERT_FILE", + "VAR_DNSTAP_SEND_IDENTITY", "VAR_DNSTAP_SEND_VERSION", + "VAR_DNSTAP_BIDIRECTIONAL", "VAR_DNSTAP_IDENTITY", "VAR_DNSTAP_VERSION", "VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES", "VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES", "VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES", 
@@ -2017,8 +1396,10 @@ "VAR_IP_TRANSPARENT", "VAR_IP_DSCP", "VAR_DISABLE_DNSSEC_LAME_CHECK", "VAR_IP_RATELIMIT", "VAR_IP_RATELIMIT_SLABS", "VAR_IP_RATELIMIT_SIZE", "VAR_RATELIMIT", "VAR_RATELIMIT_SLABS", "VAR_RATELIMIT_SIZE", + "VAR_OUTBOUND_MSG_RETRY", "VAR_MAX_SENT_COUNT", "VAR_MAX_QUERY_RESTARTS", "VAR_RATELIMIT_FOR_DOMAIN", "VAR_RATELIMIT_BELOW_DOMAIN", "VAR_IP_RATELIMIT_FACTOR", "VAR_RATELIMIT_FACTOR", + "VAR_IP_RATELIMIT_BACKOFF", "VAR_RATELIMIT_BACKOFF", "VAR_SEND_CLIENT_SUBNET", "VAR_CLIENT_SUBNET_ZONE", "VAR_CLIENT_SUBNET_ALWAYS_FORWARD", "VAR_CLIENT_SUBNET_OPCODE", "VAR_MAX_CLIENT_SUBNET_IPV4", "VAR_MAX_CLIENT_SUBNET_IPV6", @@ -2032,9 +1413,9 @@ "VAR_ACCESS_CONTROL_TAG_DATA", "VAR_VIEW", "VAR_ACCESS_CONTROL_VIEW", "VAR_VIEW_FIRST", "VAR_SERVE_EXPIRED", "VAR_SERVE_EXPIRED_TTL", "VAR_SERVE_EXPIRED_TTL_RESET", "VAR_SERVE_EXPIRED_REPLY_TTL", - "VAR_SERVE_EXPIRED_CLIENT_TIMEOUT", "VAR_SERVE_ORIGINAL_TTL", - "VAR_FAKE_DSA", "VAR_FAKE_SHA1", "VAR_LOG_IDENTITY", - "VAR_HIDE_TRUSTANCHOR", "VAR_HIDE_HTTP_USER_AGENT", + "VAR_SERVE_EXPIRED_CLIENT_TIMEOUT", "VAR_EDE_SERVE_EXPIRED", + "VAR_SERVE_ORIGINAL_TTL", "VAR_FAKE_DSA", "VAR_FAKE_SHA1", + "VAR_LOG_IDENTITY", "VAR_HIDE_TRUSTANCHOR", "VAR_HIDE_HTTP_USER_AGENT", "VAR_HTTP_USER_AGENT", "VAR_TRUST_ANCHOR_SIGNALING", "VAR_AGGRESSIVE_NSEC", "VAR_USE_SYSTEMD", "VAR_SHM_ENABLE", "VAR_SHM_KEY", "VAR_ROOT_KEY_SENTINEL", "VAR_DNSCRYPT", 
@@ -2065,17 +1446,21 @@ "VAR_RPZ_LOG_NAME", "VAR_DYNLIB", "VAR_DYNLIB_FILE", "VAR_EDNS_CLIENT_STRING", "VAR_EDNS_CLIENT_STRING_OPCODE", "VAR_NSID", "VAR_ZONEMD_PERMISSIVE_MODE", "VAR_ZONEMD_CHECK", - "VAR_ZONEMD_REJECT_ABSENCE", "$accept", "toplevelvars", "toplevelvar", + "VAR_ZONEMD_REJECT_ABSENCE", "VAR_RPZ_SIGNAL_NXDOMAIN_RA", + "VAR_INTERFACE_AUTOMATIC_PORTS", "VAR_EDE", "VAR_INTERFACE_ACTION", + "VAR_INTERFACE_VIEW", "VAR_INTERFACE_TAG", "VAR_INTERFACE_TAG_ACTION", + "VAR_INTERFACE_TAG_DATA", "VAR_PROXY_PROTOCOL_PORT", + "VAR_STATISTICS_INHIBIT_ZERO", "$accept", "toplevelvars", "toplevelvar", "force_toplevel", "serverstart", "contents_server", "content_server", "stubstart", "contents_stub", "content_stub", "forwardstart", "contents_forward", "content_forward", "viewstart", "contents_view", "content_view", "authstart", "contents_auth", "content_auth", "rpz_tag", "rpz_action_override", "rpz_cname_override", "rpz_log", "rpz_log_name", - "rpzstart", "contents_rpz", "content_rpz", "server_num_threads", - "server_verbosity", "server_statistics_interval", + "rpz_signal_nxdomain_ra", "rpzstart", "contents_rpz", "content_rpz", + "server_num_threads", "server_verbosity", "server_statistics_interval", "server_statistics_cumulative", "server_extended_statistics", - "server_shm_enable", "server_shm_key", "server_port", - "server_send_client_subnet", "server_client_subnet_zone", + "server_statistics_inhibit_zero", "server_shm_enable", "server_shm_key", + "server_port", "server_send_client_subnet", "server_client_subnet_zone", "server_client_subnet_always_forward", "server_client_subnet_opcode", "server_max_client_subnet_ipv4", "server_max_client_subnet_ipv6", "server_min_client_subnet_ipv4", "server_min_client_subnet_ipv6", 
@@ -2083,44 +1468,45 @@ "server_interface", "server_outgoing_interface", "server_outgoing_range", "server_outgoing_port_permit", "server_outgoing_port_avoid", "server_outgoing_num_tcp", "server_incoming_num_tcp", - "server_interface_automatic", "server_do_ip4", "server_do_ip6", - "server_do_udp", "server_do_tcp", "server_prefer_ip4", - "server_prefer_ip6", "server_tcp_mss", "server_outgoing_tcp_mss", - "server_tcp_idle_timeout", "server_max_reuse_tcp_queries", - "server_tcp_reuse_timeout", "server_tcp_auth_query_timeout", - "server_tcp_keepalive", "server_tcp_keepalive_timeout", - "server_tcp_upstream", "server_udp_upstream_without_downstream", - "server_ssl_upstream", "server_ssl_service_key", - "server_ssl_service_pem", "server_ssl_port", "server_tls_cert_bundle", - "server_tls_win_cert", "server_tls_additional_port", - "server_tls_ciphers", "server_tls_ciphersuites", - "server_tls_session_ticket_keys", "server_tls_use_sni", - "server_https_port", "server_http_endpoint", "server_http_max_streams", - "server_http_query_buffer_size", "server_http_response_buffer_size", - "server_http_nodelay", "server_http_notls_downstream", - "server_use_systemd", "server_do_daemonize", "server_use_syslog", - "server_log_time_ascii", "server_log_queries", "server_log_replies", - "server_log_tag_queryreply", "server_log_servfail", - "server_log_local_actions", "server_chroot", "server_username", - "server_directory", "server_logfile", "server_pidfile", - "server_root_hints", "server_dlv_anchor_file", "server_dlv_anchor", - "server_auto_trust_anchor_file", "server_trust_anchor_file", - "server_trusted_keys_file", "server_trust_anchor", - "server_trust_anchor_signaling", "server_root_key_sentinel", - "server_domain_insecure", "server_hide_identity", "server_hide_version", - "server_hide_trustanchor", "server_hide_http_user_agent", - "server_identity", "server_version", "server_http_user_agent", - "server_nsid", "server_so_rcvbuf", "server_so_sndbuf", - "server_so_reuseport", 
"server_ip_transparent", "server_ip_freebind", - "server_ip_dscp", "server_stream_wait_size", "server_edns_buffer_size", - "server_msg_buffer_size", "server_msg_cache_size", - "server_msg_cache_slabs", "server_num_queries_per_thread", - "server_jostle_timeout", "server_delay_close", "server_udp_connect", - "server_unblock_lan_zones", "server_insecure_lan_zones", - "server_rrset_cache_size", "server_rrset_cache_slabs", - "server_infra_host_ttl", "server_infra_lame_ttl", - "server_infra_cache_numhosts", "server_infra_cache_lame_size", - "server_infra_cache_slabs", "server_infra_cache_min_rtt", + "server_interface_automatic", "server_interface_automatic_ports", + "server_do_ip4", "server_do_ip6", "server_do_udp", "server_do_tcp", + "server_prefer_ip4", "server_prefer_ip6", "server_tcp_mss", + "server_outgoing_tcp_mss", "server_tcp_idle_timeout", + "server_max_reuse_tcp_queries", "server_tcp_reuse_timeout", + "server_tcp_auth_query_timeout", "server_tcp_keepalive", + "server_tcp_keepalive_timeout", "server_tcp_upstream", + "server_udp_upstream_without_downstream", "server_ssl_upstream", + "server_ssl_service_key", "server_ssl_service_pem", "server_ssl_port", + "server_tls_cert_bundle", "server_tls_win_cert", + "server_tls_additional_port", "server_tls_ciphers", + "server_tls_ciphersuites", "server_tls_session_ticket_keys", + "server_tls_use_sni", "server_https_port", "server_http_endpoint", + "server_http_max_streams", "server_http_query_buffer_size", + "server_http_response_buffer_size", "server_http_nodelay", + "server_http_notls_downstream", "server_use_systemd", + "server_do_daemonize", "server_use_syslog", "server_log_time_ascii", + "server_log_queries", "server_log_replies", "server_log_tag_queryreply", + "server_log_servfail", "server_log_local_actions", "server_chroot", + "server_username", "server_directory", "server_logfile", + "server_pidfile", "server_root_hints", "server_dlv_anchor_file", + "server_dlv_anchor", "server_auto_trust_anchor_file", + 
"server_trust_anchor_file", "server_trusted_keys_file", + "server_trust_anchor", "server_trust_anchor_signaling", + "server_root_key_sentinel", "server_domain_insecure", + "server_hide_identity", "server_hide_version", "server_hide_trustanchor", + "server_hide_http_user_agent", "server_identity", "server_version", + "server_http_user_agent", "server_nsid", "server_so_rcvbuf", + "server_so_sndbuf", "server_so_reuseport", "server_ip_transparent", + "server_ip_freebind", "server_ip_dscp", "server_stream_wait_size", + "server_edns_buffer_size", "server_msg_buffer_size", + "server_msg_cache_size", "server_msg_cache_slabs", + "server_num_queries_per_thread", "server_jostle_timeout", + "server_delay_close", "server_udp_connect", "server_unblock_lan_zones", + "server_insecure_lan_zones", "server_rrset_cache_size", + "server_rrset_cache_slabs", "server_infra_host_ttl", + "server_infra_lame_ttl", "server_infra_cache_numhosts", + "server_infra_cache_lame_size", "server_infra_cache_slabs", + "server_infra_cache_min_rtt", "server_infra_cache_max_rtt", "server_infra_keep_probing", "server_target_fetch_policy", "server_harden_short_bufsize", "server_harden_large_queries", "server_harden_glue", "server_harden_dnssec_stripped", @@ -2130,7 +1516,7 @@ "server_private_domain", "server_prefetch", "server_prefetch_key", "server_deny_any", "server_unwanted_reply_threshold", "server_do_not_query_address", "server_do_not_query_localhost", - "server_access_control", "server_module_conf", + "server_access_control", "server_interface_action", "server_module_conf", "server_val_override_date", "server_val_sig_skew_min", "server_val_sig_skew_max", "server_val_max_restart", "server_cache_max_ttl", "server_cache_max_negative_ttl", 
@@ -2139,10 +1525,11 @@ "server_aggressive_nsec", "server_ignore_cd_flag", "server_serve_expired", "server_serve_expired_ttl", "server_serve_expired_ttl_reset", "server_serve_expired_reply_ttl", - "server_serve_expired_client_timeout", "server_serve_original_ttl", - "server_fake_dsa", "server_fake_sha1", "server_val_log_level", - "server_val_nsec3_keysize_iterations", "server_zonemd_permissive_mode", - "server_add_holddown", "server_del_holddown", "server_keep_missing", + "server_serve_expired_client_timeout", "server_ede_serve_expired", + "server_serve_original_ttl", "server_fake_dsa", "server_fake_sha1", + "server_val_log_level", "server_val_nsec3_keysize_iterations", + "server_zonemd_permissive_mode", "server_add_holddown", + "server_del_holddown", "server_keep_missing", "server_permit_small_holddown", "server_key_cache_size", "server_key_cache_slabs", "server_neg_cache_size", "server_local_zone", "server_local_data", "server_local_data_ptr", "server_minimal_responses", 
@@ -2151,12 +1538,16 @@ "server_dns64_ignore_aaaa", "server_define_tag", "server_local_zone_tag", "server_access_control_tag", "server_access_control_tag_action", "server_access_control_tag_data", "server_local_zone_override", - "server_access_control_view", "server_response_ip_tag", - "server_ip_ratelimit", "server_ratelimit", "server_ip_ratelimit_size", - "server_ratelimit_size", "server_ip_ratelimit_slabs", - "server_ratelimit_slabs", "server_ratelimit_for_domain", - "server_ratelimit_below_domain", "server_ip_ratelimit_factor", - "server_ratelimit_factor", "server_low_rtt", "server_fast_server_num", + "server_access_control_view", "server_interface_tag", + "server_interface_tag_action", "server_interface_tag_data", + "server_interface_view", "server_response_ip_tag", "server_ip_ratelimit", + "server_ratelimit", "server_ip_ratelimit_size", "server_ratelimit_size", + "server_ip_ratelimit_slabs", "server_ratelimit_slabs", + "server_ratelimit_for_domain", "server_ratelimit_below_domain", + "server_ip_ratelimit_factor", "server_ratelimit_factor", + "server_ip_ratelimit_backoff", "server_ratelimit_backoff", + "server_outbound_msg_retry", "server_max_sent_count", + "server_max_query_restarts", "server_low_rtt", "server_fast_server_num", "server_fast_server_permil", "server_qname_minimisation", "server_qname_minimisation_strict", "server_pad_responses", "server_pad_responses_block_size", "server_pad_queries", 
@@ -2164,16 +1555,18 @@ "server_ipsecmod_ignore_bogus", "server_ipsecmod_hook", "server_ipsecmod_max_ttl", "server_ipsecmod_whitelist", "server_ipsecmod_strict", "server_edns_client_string", - "server_edns_client_string_opcode", "stub_name", "stub_host", - "stub_addr", "stub_first", "stub_no_cache", "stub_ssl_upstream", + "server_edns_client_string_opcode", "server_ede", + "server_proxy_protocol_port", "stub_name", "stub_host", "stub_addr", + "stub_first", "stub_no_cache", "stub_ssl_upstream", "stub_tcp_upstream", "stub_prime", "forward_name", "forward_host", "forward_addr", - "forward_first", "forward_no_cache", "forward_ssl_upstream", "auth_name", - "auth_zonefile", "auth_master", "auth_url", "auth_allow_notify", - "auth_zonemd_check", "auth_zonemd_reject_absence", "auth_for_downstream", - "auth_for_upstream", "auth_fallback_enabled", "view_name", - "view_local_zone", "view_response_ip", "view_response_ip_data", - "view_local_data", "view_local_data_ptr", "view_first", "rcstart", - "contents_rc", "content_rc", "rc_control_enable", "rc_control_port", + "forward_first", "forward_no_cache", "forward_ssl_upstream", + "forward_tcp_upstream", "auth_name", "auth_zonefile", "auth_master", + "auth_url", "auth_allow_notify", "auth_zonemd_check", + "auth_zonemd_reject_absence", "auth_for_downstream", "auth_for_upstream", + "auth_fallback_enabled", "view_name", "view_local_zone", + "view_response_ip", "view_response_ip_data", "view_local_data", + "view_local_data_ptr", "view_first", "rcstart", "contents_rc", + "content_rc", "rc_control_enable", "rc_control_port", "rc_control_interface", "rc_control_use_cert", "rc_server_key_file", "rc_server_cert_file", "rc_control_key_file", "rc_control_cert_file", "dtstart", "contents_dt", "content_dt", "dt_dnstap_enable", 
@@ -2247,11 +1640,13 @@ 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, - 565, 566, 567, 568, 569, 570, 571, 572 + 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, + 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, + 585, 586, 587, 588, 589, 590, 591 }; #endif -#define YYPACT_NINF (-302) +#define YYPACT_NINF (-286) #define yypact_value_is_default(Yyn) \ ((Yyn) == YYPACT_NINF) 
@@ -2265,105 +1660,111 @@ STATE-NUM. */ static const yytype_int16 yypact = { - -302, 0, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, 298, -43, -38, -42, -44, -28, -29, -149, - -109, -301, -194, -192, -293, 3, 4, 27, 28, 31, - 32, 33, 34, 35, 37, 38, 39, 40, 41, 53, - 54, 55, 72, 73, 74, 75, 76, 77, 78, 79, - 80, 81, 82, 83, 84, 85, 87, 88, 89, 91, - 92, 93, 95, 97, 98, 99, 101, 102, 103, 105, - 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, - 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, - 126, 127, 128, 129, 130, 131, 132, 133, 134, 137, - 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, - 148, 149, 150, 151, 152, 153, 154, 155, 157, 158, - 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, - 169, 170, 171, 172, 173, 174, 176, 177, 178, 179, - 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, - 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, - 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, - 210, 211, 212, 213, 214, 216, 217, 218, 219, 220, - 222, 228, 229, 230, 231, 232, 234, 235, 237, 243, - 244, 245, 246, 247, 248, 250, 251, 252, 253, 254, - 255, 256, 258, 259, 260, 261, 264, 265, 272, 273, - 274, 275, 276, 277, 278, 279, 280, 281, 282, 283, - 284, 285, 286, 287, 288, 289, 291, 292, 293, 295, - 296, 297, 299, 333, 334, 335, 336, 340, 341, 342, - 384, 385, 386, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, 
-302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, 387, 388, 389, 390, 391, 392, 398, -302, - -302, -302, -302, -302, -302, -302, -302, 402, 403, 430, - 431, 432, 441, -302, -302, -302, -302, -302, -302, -302, - 454, 455, 456, 457, 458, 459, 460, -302, -302, -302, - -302, -302, -302, -302, -302, 461, 462, 463, 464, 465, - 466, 467, 468, 469, 470, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, 471, 472, 473, 513, - 515, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, 534, 535, 536, 537, 538, 539, 540, 541, - -302, -302, -302, -302, -302, -302, -302, -302, -302, 542, - 543, 544, 555, 556, 557, 558, 559, 560, 561, 563, - 564, 565, 566, 567, 568, 569, 572, 575, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, 578, -302, - -302, 579, -302, -302, 588, 589, 590, 592, 593, 594, - 595, 596, 597, 598, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, 599, 604, 605, 606, 607, - 608, -302, -302, -302, -302, -302, -302, -302, 609, 610, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, 
-302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, 611, 612, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, 613, 614, 615, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, 616, 617, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, 618, 619, 620, - 621, 622, 623, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, 624, -302, -302, - -302, -302, -302, -302, -302, -302, -302, 625, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, 626, -302, -302, 627, 628, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, 629, 630, 631, -302, -302, -302, -302, -302, - -302, -302, -302, -302 + -286, 252, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + 
-286, -286, -13, 203, 220, 52, 84, 38, 238, 211, + -81, -285, -95, -193, -278, 29, 30, 31, 80, 81, + 91, 92, 120, 121, 132, 146, 147, 148, 149, 161, + 162, 163, 164, 165, 210, 212, 234, 235, 236, 237, + 239, 256, 257, 258, 259, 261, 262, 265, 266, 267, + 270, 273, 276, 286, 287, 290, 291, 292, 293, 295, + 296, 297, 302, 304, 318, 319, 320, 321, 322, 323, + 333, 334, 335, 337, 340, 341, 347, 349, 350, 351, + 353, 359, 365, 366, 367, 368, 369, 390, 391, 392, + 393, 394, 395, 396, 397, 398, 401, 402, 403, 404, + 405, 406, 407, 408, 409, 410, 412, 413, 414, 415, + 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, + 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, + 436, 437, 438, 439, 440, 441, 442, 443, 444, 445, + 446, 447, 448, 449, 450, 451, 452, 453, 454, 455, + 456, 457, 458, 459, 460, 461, 462, 463, 464, 465, + 466, 467, 468, 469, 470, 471, 472, 473, 474, 476, + 477, 478, 479, 480, 481, 482, 483, 484, 485, 486, + 487, 488, 489, 490, 491, 492, 494, 495, 496, 498, + 499, 500, 501, 502, 503, 504, 505, 506, 507, 508, + 510, 511, 512, 513, 514, 515, 516, 517, 519, 520, + 521, 522, 523, 524, 525, 526, 528, 529, 530, 531, + 532, 533, 534, 535, 536, 537, 538, 539, 540, 541, + 542, 543, 544, 545, 546, 547, 548, 549, 550, 552, + 553, 554, 556, 557, 558, 559, 560, 562, 563, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, 
-286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, 564, 565, 566, 567, 568, 569, + 570, 571, -286, -286, -286, -286, -286, -286, -286, -286, + -286, 572, 573, 574, 575, 576, 577, 578, -286, -286, + -286, -286, -286, -286, -286, -286, 579, 580, 581, 582, + 583, 584, 585, -286, -286, -286, -286, -286, -286, -286, + -286, 586, 587, 588, 589, 590, 591, 592, 593, 594, + 595, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, 596, 597, 598, 599, 600, 601, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, 602, 603, 604, 605, 606, 607, 608, 609, -286, + -286, -286, -286, -286, -286, -286, -286, -286, 610, 611, + 612, 613, 614, 615, 616, 617, 618, 619, 620, 621, + 622, 623, 624, 625, 626, 627, 628, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, 629, -286, -286, + 630, -286, -286, 631, 632, 633, 634, 635, 636, 637, + 638, 639, 640, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, 641, 642, 643, 644, 645, 646, + -286, -286, -286, -286, -286, -286, -286, 647, 648, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, 
-286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, 649, 650, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, 651, 652, 653, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, 654, + 655, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, 656, 657, 658, 659, 660, 661, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, 662, -286, -286, -286, -286, -286, -286, + -286, -286, -286, 663, -286, -286, -286, -286, -286, 664, + 665, 666, 667, 668, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, 669, -286, -286, 670, 671, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + 672, 673, 674, -286, -286, -286, -286, -286, -286, 675, + 676, -286, -286, -286, -286, -286, -286, -286, -286 }; /* YYDEFACTSTATE-NUM -- Default reduction 
number in state STATE-NUM. @@ -2371,10 +1772,10 @@ means the default is an error. */ static const yytype_int16 yydefact = { - 2, 0, 1, 18, 19, 240, 250, 543, 603, 562, - 259, 617, 640, 269, 656, 287, 608, 3, 17, 21, - 242, 252, 261, 271, 289, 545, 564, 605, 610, 619, - 642, 658, 4, 5, 6, 10, 14, 15, 8, 9, + 2, 0, 1, 18, 19, 256, 267, 582, 642, 601, + 277, 656, 679, 287, 695, 306, 647, 3, 17, 21, + 258, 269, 279, 289, 308, 584, 603, 644, 649, 658, + 681, 697, 4, 5, 6, 10, 14, 15, 8, 9, 7, 16, 11, 12, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
@@ -2397,159 +1798,169 @@ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 20, 22, 23, 88, 91, 100, 203, - 204, 24, 163, 164, 165, 166, 167, 168, 169, 170, - 171, 172, 37, 79, 25, 92, 93, 48, 72, 87, - 26, 27, 30, 31, 28, 29, 32, 33, 34, 237, - 238, 239, 35, 36, 124, 215, 125, 127, 128, 129, - 217, 222, 218, 229, 230, 231, 232, 130, 131, 132, - 133, 134, 135, 136, 199, 89, 78, 104, 122, 123, - 227, 224, 126, 38, 39, 40, 41, 42, 80, 94, - 95, 111, 66, 76, 67, 207, 208, 105, 58, 59, - 206, 62, 60, 61, 63, 235, 115, 119, 140, 150, - 177, 153, 228, 116, 73, 43, 44, 45, 102, 141, - 142, 143, 144, 46, 47, 49, 50, 52, 53, 51, - 148, 154, 54, 55, 56, 64, 83, 120, 97, 149, - 90, 173, 98, 99, 117, 118, 225, 103, 57, 81, - 84, 65, 68, 106, 107, 108, 82, 174, 109, 69, - 70, 71, 216, 121, 191, 192, 193, 194, 195, 196, - 197, 205, 110, 77, 236, 112, 113, 114, 175, 74, - 75, 96, 85, 86, 101, 137, 138, 226, 139, 145, - 146, 147, 178, 179, 181, 183, 184, 182, 185, 200, - 151, 152, 157, 158, 155, 156, 159, 160, 162, 161, - 219, 221, 220, 176, 186, 187, 188, 189, 190, 209, - 211, 210, 212, 213, 214, 233, 234, 180, 198, 201, - 202, 223, 0, 0, 0, 0, 0, 0, 0, 241, - 243, 244, 245, 247, 248, 249, 246, 0, 0, 0, - 0, 0, 0, 251, 253, 254, 255, 256, 257, 258, - 0, 0, 0, 0, 0, 0, 0, 260, 262, 263, - 266, 267, 264, 268, 265, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 270, 272, 273, 274, 275, - 279, 280, 281, 276, 277, 278, 0, 0, 0, 0, - 0, 292, 296, 297, 298, 299, 288, 290, 291, 293, - 294, 295, 0, 0, 0, 0, 0, 0, 0, 0, - 544, 546, 548, 547, 553, 549, 550, 551, 552, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 563, 565, - 567, 566, 568, 569, 570, 571, 572, 573, 574, 575, - 576, 577, 578, 579, 580, 581, 582, 583, 0, 604, - 606, 0, 609, 611, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 618, 620, 621, 622, 624, 625, - 623, 626, 627, 628, 629, 0, 0, 0, 0, 0, - 0, 641, 643, 644, 645, 646, 647, 648, 0, 0, - 657, 659, 660, 301, 300, 307, 320, 318, 330, 326, - 
327, 331, 328, 329, 332, 333, 334, 338, 339, 369, - 370, 371, 372, 373, 401, 402, 403, 409, 410, 323, - 411, 412, 415, 413, 414, 418, 419, 420, 434, 384, - 385, 388, 389, 421, 437, 378, 380, 438, 445, 446, - 447, 324, 400, 465, 466, 379, 459, 362, 319, 374, - 435, 442, 422, 0, 0, 469, 325, 302, 361, 426, - 303, 321, 322, 375, 376, 467, 424, 428, 429, 336, - 335, 304, 470, 404, 433, 363, 383, 439, 440, 441, - 444, 458, 377, 463, 461, 462, 392, 399, 430, 431, - 393, 394, 423, 449, 364, 365, 368, 340, 342, 337, - 343, 344, 345, 346, 353, 354, 355, 356, 357, 358, - 359, 471, 472, 474, 405, 406, 407, 408, 416, 417, - 475, 476, 477, 0, 0, 0, 425, 395, 397, 613, - 486, 490, 488, 487, 491, 489, 0, 0, 494, 495, - 308, 309, 310, 311, 312, 313, 314, 315, 316, 317, - 427, 443, 464, 499, 500, 396, 478, 0, 0, 0, - 0, 0, 0, 450, 451, 452, 453, 454, 455, 456, - 457, 614, 386, 387, 390, 381, 448, 360, 305, 306, - 382, 501, 502, 503, 504, 505, 507, 506, 508, 509, - 510, 341, 348, 496, 498, 497, 347, 0, 367, 432, - 473, 366, 398, 349, 350, 352, 351, 0, 512, 391, - 460, 513, 514, 515, 519, 518, 516, 517, 520, 521, - 522, 523, 525, 524, 536, 0, 540, 541, 0, 0, - 542, 526, 534, 527, 528, 529, 533, 535, 530, 531, - 532, 282, 283, 284, 285, 286, 554, 556, 555, 558, - 559, 560, 561, 557, 584, 586, 587, 588, 589, 590, - 591, 592, 593, 594, 585, 595, 596, 597, 598, 599, - 600, 601, 602, 607, 612, 630, 631, 632, 635, 633, - 634, 636, 637, 638, 639, 649, 650, 651, 652, 653, - 654, 661, 662, 436, 468, 485, 615, 616, 492, 493, - 479, 480, 0, 0, 0, 484, 655, 511, 537, 538, - 539, 483, 481, 482 + 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, + 22, 23, 88, 91, 100, 255, 215, 216, 24, 169, + 170, 171, 172, 173, 174, 175, 176, 177, 178, 37, + 79, 25, 92, 93, 48, 72, 87, 252, 26, 27, + 30, 31, 28, 29, 32, 33, 34, 249, 250, 251, + 35, 36, 124, 227, 125, 127, 128, 129, 229, 234, + 230, 241, 242, 243, 244, 130, 131, 132, 133, 134, + 135, 136, 211, 89, 78, 104, 122, 123, 239, 236, + 126, 38, 39, 40, 41, 42, 80, 94, 95, 
111, + 66, 76, 67, 219, 220, 105, 58, 59, 218, 62, + 60, 61, 63, 247, 115, 119, 140, 151, 183, 154, + 240, 116, 73, 43, 44, 45, 102, 141, 142, 143, + 144, 46, 47, 49, 50, 52, 53, 51, 148, 149, + 155, 54, 55, 56, 64, 83, 120, 97, 150, 90, + 179, 98, 99, 117, 118, 237, 103, 57, 81, 84, + 192, 65, 68, 106, 107, 108, 82, 180, 109, 69, + 70, 71, 228, 121, 202, 203, 204, 205, 206, 207, + 208, 209, 217, 110, 77, 248, 112, 113, 114, 181, + 74, 75, 96, 85, 86, 101, 137, 138, 238, 139, + 145, 146, 147, 184, 185, 187, 189, 190, 188, 191, + 194, 195, 196, 193, 212, 152, 153, 158, 159, 156, + 157, 160, 161, 163, 162, 165, 164, 166, 167, 168, + 231, 233, 232, 182, 197, 198, 199, 200, 201, 221, + 223, 222, 224, 225, 226, 245, 246, 253, 254, 186, + 210, 213, 214, 235, 0, 0, 0, 0, 0, 0, + 0, 0, 257, 259, 260, 261, 263, 264, 265, 266, + 262, 0, 0, 0, 0, 0, 0, 0, 268, 270, + 271, 272, 273, 274, 275, 276, 0, 0, 0, 0, + 0, 0, 0, 278, 280, 281, 284, 285, 282, 286, + 283, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 288, 290, 291, 292, 293, 297, 298, 299, 294, + 295, 296, 0, 0, 0, 0, 0, 0, 311, 315, + 316, 317, 318, 319, 307, 309, 310, 312, 313, 314, + 320, 0, 0, 0, 0, 0, 0, 0, 0, 583, + 585, 587, 586, 592, 588, 589, 590, 591, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 602, 604, 606, + 605, 607, 608, 609, 610, 611, 612, 613, 614, 615, + 616, 617, 618, 619, 620, 621, 622, 0, 643, 645, + 0, 648, 650, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 657, 659, 660, 661, 663, 664, 662, + 665, 666, 667, 668, 0, 0, 0, 0, 0, 0, + 680, 682, 683, 684, 685, 686, 687, 0, 0, 696, + 698, 699, 322, 321, 329, 342, 340, 353, 349, 350, + 354, 351, 352, 355, 356, 357, 361, 362, 392, 393, + 394, 395, 396, 424, 425, 426, 432, 433, 345, 434, + 435, 438, 436, 437, 442, 443, 444, 458, 407, 408, + 411, 412, 445, 462, 401, 403, 463, 470, 471, 472, + 346, 423, 491, 492, 402, 485, 385, 341, 397, 459, + 467, 446, 0, 0, 495, 347, 323, 384, 450, 324, + 343, 344, 398, 399, 493, 448, 452, 453, 359, 358, + 325, 496, 427, 457, 386, 
406, 464, 465, 466, 469, + 484, 400, 489, 487, 488, 415, 422, 454, 455, 416, + 417, 447, 474, 387, 388, 391, 363, 365, 360, 366, + 367, 368, 369, 376, 377, 378, 379, 380, 381, 382, + 497, 498, 500, 428, 429, 430, 431, 439, 440, 441, + 501, 502, 503, 0, 0, 0, 449, 418, 420, 652, + 516, 520, 518, 517, 521, 519, 528, 529, 530, 0, + 0, 524, 525, 526, 527, 330, 331, 332, 333, 334, + 335, 336, 337, 338, 339, 451, 468, 490, 534, 535, + 419, 504, 0, 0, 0, 0, 0, 0, 475, 476, + 477, 478, 479, 480, 481, 482, 483, 653, 409, 410, + 413, 404, 473, 383, 327, 328, 405, 536, 537, 538, + 539, 540, 542, 541, 543, 544, 545, 364, 371, 531, + 533, 532, 370, 0, 390, 456, 499, 389, 421, 372, + 373, 375, 374, 0, 547, 414, 486, 348, 548, 0, + 0, 0, 0, 0, 549, 326, 550, 551, 552, 557, + 555, 556, 553, 554, 558, 559, 560, 561, 563, 564, + 562, 575, 0, 579, 580, 0, 0, 581, 565, 573, + 566, 567, 568, 572, 574, 569, 570, 571, 300, 301, + 302, 303, 304, 305, 593, 595, 594, 597, 598, 599, + 600, 596, 623, 625, 626, 627, 628, 629, 630, 631, + 632, 633, 624, 634, 635, 636, 637, 638, 639, 640, + 641, 646, 651, 669, 670, 671, 674, 672, 673, 675, + 676, 677, 678, 688, 689, 690, 691, 692, 693, 700, + 701, 460, 494, 515, 654, 655, 522, 523, 505, 506, + 0, 0, 0, 510, 694, 546, 461, 514, 511, 0, + 0, 576, 577, 578, 509, 507, 508, 512, 513 }; /* YYPGOTONTERM-NUM. 
*/ static const yytype_int16 yypgoto = { - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, 271, 632, 633, 634, 635, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, 
-302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302, -302, -302, -302, -302, -302, -302, -302, - -302, -302, -302 + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, 677, 678, 679, 680, 681, -286, -286, 682, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, 
-286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286, -286, -286, -286, -286, -286, -286, -286, -286, + -286, -286 }; /* YYDEFGOTONTERM-NUM. */ static const yytype_int16 yydefgoto = { - -1, 1, 17, 18, 19, 32, 263, 20, 33, 489, - 21, 34, 503, 22, 35, 517, 23, 36, 535, 551, - 552, 553, 554, 555, 24, 37, 556, 264, 265, 266, - 267, 268, 269, 270, 271, 272, 273, 274, 275, 276, - 277, 278, 279, 280, 281, 282, 283, 284, 285, 286, - 287, 288, 289, 290, 291, 292, 293, 294, 295, 296, - 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, - 307, 308, 309, 310, 311, 312, 313, 314, 315, 316, - 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, - 327, 328, 329, 330, 331, 332, 333, 334, 335, 336, - 337, 338, 339, 340, 341, 342, 343, 344, 345, 346, - 347, 348, 349, 350, 351, 352, 353, 354, 355, 356, - 357, 358, 359, 360, 361, 362, 363, 364, 365, 366, - 367, 368, 369, 370, 371, 372, 373, 374, 375, 376, - 377, 378, 379, 380, 381, 382, 383, 384, 385, 386, - 387, 388, 389, 390, 391, 392, 393, 394, 395, 396, - 397, 398, 399, 400, 401, 402, 403, 404, 405, 406, - 407, 408, 409, 410, 411, 412, 413, 414, 415, 416, - 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, - 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, - 437, 438, 439, 440, 441, 442, 443, 444, 445, 446, - 447, 448, 449, 450, 451, 452, 453, 454, 455, 456, - 457, 458, 459, 460, 461, 462, 463, 464, 465, 466, - 467, 468, 469, 470, 471, 472, 473, 474, 475, 476, - 490, 491, 492, 493, 494, 495, 496, 504, 505, 506, - 507, 508, 509, 536, 537, 538, 539, 540, 541, 542, - 543, 544, 545, 518, 519, 520, 521, 522, 523, 524, - 25, 38, 570, 571, 572, 573, 574, 575, 576, 577, - 578, 26, 39, 598, 599, 600, 601, 602, 603, 604, - 605, 606, 607, 608, 609, 610, 
611, 612, 613, 614, - 615, 616, 617, 27, 40, 619, 620, 28, 41, 622, - 623, 477, 478, 479, 480, 29, 42, 634, 635, 636, - 637, 638, 639, 640, 641, 642, 643, 644, 30, 43, - 651, 652, 653, 654, 655, 656, 657, 481, 31, 44, - 660, 661, 662 + 0, 1, 17, 18, 19, 32, 279, 20, 33, 522, + 21, 34, 538, 22, 35, 553, 23, 36, 571, 588, + 589, 590, 591, 592, 593, 24, 37, 594, 280, 281, + 282, 283, 284, 285, 286, 287, 288, 289, 290, 291, + 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, + 302, 303, 304, 305, 306, 307, 308, 309, 310, 311, + 312, 313, 314, 315, 316, 317, 318, 319, 320, 321, + 322, 323, 324, 325, 326, 327, 328, 329, 330, 331, + 332, 333, 334, 335, 336, 337, 338, 339, 340, 341, + 342, 343, 344, 345, 346, 347, 348, 349, 350, 351, + 352, 353, 354, 355, 356, 357, 358, 359, 360, 361, + 362, 363, 364, 365, 366, 367, 368, 369, 370, 371, + 372, 373, 374, 375, 376, 377, 378, 379, 380, 381, + 382, 383, 384, 385, 386, 387, 388, 389, 390, 391, + 392, 393, 394, 395, 396, 397, 398, 399, 400, 401, + 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, + 412, 413, 414, 415, 416, 417, 418, 419, 420, 421, + 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, + 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, + 442, 443, 444, 445, 446, 447, 448, 449, 450, 451, + 452, 453, 454, 455, 456, 457, 458, 459, 460, 461, + 462, 463, 464, 465, 466, 467, 468, 469, 470, 471, + 472, 473, 474, 475, 476, 477, 478, 479, 480, 481, + 482, 483, 484, 485, 486, 487, 488, 489, 490, 491, + 492, 493, 494, 495, 496, 497, 498, 499, 500, 501, + 502, 503, 504, 505, 506, 507, 508, 523, 524, 525, + 526, 527, 528, 529, 530, 539, 540, 541, 542, 543, + 544, 545, 572, 573, 574, 575, 576, 577, 578, 579, + 580, 581, 554, 555, 556, 557, 558, 559, 560, 25, + 38, 609, 610, 611, 612, 613, 614, 615, 616, 617, + 26, 39, 637, 638, 639, 640, 641, 642, 643, 644, + 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, + 655, 656, 27, 40, 658, 659, 28, 41, 661, 662, + 509, 510, 511, 512, 29, 42, 673, 674, 675, 676, + 677, 678, 679, 680, 
681, 682, 683, 30, 43, 690, + 691, 692, 693, 694, 695, 696, 513, 31, 44, 699, + 700, 701 }; /* YYTABLEYYPACTSTATE-NUM -- What to do in state STATE-NUM. If 
@@ -2557,157 +1968,165 @@ number is the opposite. If YYTABLE_NINF, syntax error. */ static const yytype_int16 yytable = { - 2, 525, 482, 510, 483, 484, 618, 497, 658, 659, - 621, 3, 4, 663, 664, 498, 499, 525, 579, 580, - 581, 582, 583, 584, 585, 586, 587, 588, 589, 590, - 591, 592, 593, 594, 595, 596, 597, 665, 666, 511, - 512, 667, 668, 669, 670, 671, 5, 672, 673, 674, - 675, 676, 6, 624, 625, 626, 627, 628, 629, 630, - 631, 632, 633, 677, 678, 679, 513, 485, 562, 563, - 564, 565, 566, 567, 568, 569, 645, 646, 647, 648, - 649, 650, 680, 681, 682, 683, 684, 685, 686, 687, - 688, 689, 690, 691, 692, 693, 7, 694, 695, 696, - 486, 697, 698, 699, 500, 700, 501, 701, 702, 703, - 487, 704, 705, 706, 8, 707, 708, 709, 710, 711, - 712, 713, 714, 715, 716, 717, 718, 719, 720, 721, - 722, 723, 724, 725, 726, 727, 728, 729, 730, 731, - 732, 733, 734, 735, 736, 514, 515, 737, 738, 739, - 740, 741, 742, 743, 744, 745, 746, 747, 748, 749, - 750, 751, 752, 753, 754, 755, 9, 756, 757, 758, - 759, 760, 761, 762, 763, 764, 765, 766, 767, 768, - 769, 770, 771, 772, 773, 516, 774, 775, 776, 777, - 778, 779, 780, 781, 782, 783, 784, 785, 786, 787, - 788, 789, 790, 791, 792, 793, 794, 795, 796, 797, - 798, 799, 800, 801, 802, 803, 804, 805, 806, 807, - 808, 809, 810, 811, 812, 10, 813, 814, 815, 816, - 817, 526, 818, 527, 528, 529, 530, 531, 819, 820, - 821, 822, 823, 532, 824, 825, 11, 826, 488, 527, - 528, 529, 502, 827, 828, 829, 830, 831, 832, 532, - 833, 834, 835, 836, 837, 838, 839, 12, 840, 841, - 842, 843, 533, 534, 844, 845, 13, 546, 547, 548, - 549, 550, 846, 847, 848, 849, 850, 851, 852, 853, - 854, 855, 856, 857, 858, 859, 860, 861, 862, 863, - 14, 864, 865, 866, 15, 867, 868, 869, 557, 870, - 16, 45, 46, 47, 48, 49, 50, 51, 52, 53, - 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, - 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, - 74, 75, 76, 871, 872, 873, 874, 77, 78, 79, - 875, 876, 877, 80, 81, 82, 83, 84, 85, 86, - 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, - 97, 98, 99, 100, 101, 102, 
103, 104, 105, 106, - 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, - 117, 118, 119, 120, 878, 879, 880, 881, 882, 883, - 884, 885, 886, 121, 122, 123, 124, 125, 887, 126, - 127, 128, 888, 889, 129, 130, 131, 132, 133, 134, - 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, - 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, - 890, 891, 892, 155, 156, 157, 158, 159, 160, 161, - 162, 893, 163, 164, 165, 166, 167, 168, 169, 170, - 171, 172, 173, 174, 894, 895, 896, 897, 898, 899, - 900, 901, 902, 903, 904, 905, 906, 907, 908, 909, - 910, 911, 912, 913, 175, 176, 177, 178, 179, 180, - 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, - 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, - 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, - 211, 212, 213, 914, 214, 915, 215, 216, 217, 218, - 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, - 229, 230, 231, 232, 916, 917, 918, 919, 920, 921, - 922, 923, 924, 925, 926, 233, 234, 235, 236, 237, - 238, 239, 240, 241, 242, 927, 928, 929, 930, 931, - 932, 933, 243, 934, 935, 936, 937, 938, 939, 940, - 244, 245, 941, 246, 247, 942, 248, 249, 943, 944, - 250, 251, 252, 253, 254, 255, 256, 257, 945, 946, - 947, 258, 948, 949, 950, 951, 952, 953, 954, 955, - 259, 260, 261, 262, 956, 957, 958, 959, 960, 961, + 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, + 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, + 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, + 75, 76, 697, 698, 657, 660, 77, 78, 79, 702, + 703, 704, 80, 81, 82, 83, 84, 85, 86, 87, + 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, + 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, + 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, + 118, 119, 120, 561, 684, 685, 686, 687, 688, 689, + 705, 706, 121, 122, 123, 124, 125, 546, 126, 127, + 128, 707, 708, 129, 130, 131, 132, 133, 134, 135, + 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, + 146, 147, 148, 149, 150, 151, 152, 153, 154, 561, + 709, 710, 155, 547, 548, 156, 157, 158, 159, 160, + 161, 162, 711, 163, 164, 165, 166, 167, 168, 169, + 170, 
171, 172, 173, 174, 175, 712, 713, 714, 715, + 549, 663, 664, 665, 666, 667, 668, 669, 670, 671, + 672, 716, 717, 718, 719, 720, 176, 177, 178, 179, + 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, + 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, + 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, + 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, + 721, 220, 722, 221, 222, 223, 224, 225, 226, 227, + 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, + 238, 239, 550, 551, 723, 724, 725, 726, 514, 727, + 515, 516, 2, 240, 241, 242, 243, 244, 245, 246, + 247, 248, 249, 3, 4, 531, 728, 729, 730, 731, + 250, 732, 733, 532, 533, 734, 735, 736, 251, 252, + 737, 253, 254, 738, 255, 256, 739, 552, 257, 258, + 259, 260, 261, 262, 263, 264, 740, 741, 5, 265, + 742, 743, 744, 745, 6, 746, 747, 748, 266, 267, + 268, 269, 749, 517, 750, 270, 271, 272, 273, 274, + 275, 276, 277, 278, 563, 564, 565, 566, 751, 752, + 753, 754, 755, 756, 568, 601, 602, 603, 604, 605, + 606, 607, 608, 757, 758, 759, 518, 760, 7, 519, + 761, 762, 582, 583, 584, 585, 586, 763, 520, 764, + 765, 766, 534, 767, 535, 587, 8, 536, 562, 768, + 563, 564, 565, 566, 567, 769, 770, 771, 772, 773, + 568, 618, 619, 620, 621, 622, 623, 624, 625, 626, + 627, 628, 629, 630, 631, 632, 633, 634, 635, 636, + 774, 775, 776, 777, 778, 779, 780, 781, 782, 569, + 570, 783, 784, 785, 786, 787, 788, 789, 790, 791, + 792, 9, 793, 794, 795, 796, 797, 798, 799, 800, + 801, 802, 803, 804, 805, 806, 807, 808, 809, 810, + 811, 812, 813, 814, 815, 816, 817, 818, 819, 820, + 821, 822, 823, 824, 825, 826, 827, 828, 829, 830, + 831, 832, 833, 834, 835, 836, 837, 838, 839, 840, + 841, 842, 843, 844, 845, 846, 847, 848, 849, 850, + 851, 852, 853, 854, 855, 10, 856, 857, 858, 859, + 860, 861, 862, 863, 864, 865, 866, 867, 868, 869, + 870, 871, 872, 521, 873, 874, 875, 11, 876, 877, + 878, 879, 880, 881, 882, 883, 884, 885, 886, 537, + 887, 888, 889, 890, 891, 892, 893, 894, 12, 895, + 896, 897, 898, 899, 900, 901, 902, 13, 903, 
904, + 905, 906, 907, 908, 909, 910, 911, 912, 913, 914, + 915, 916, 917, 918, 919, 920, 921, 922, 923, 924, + 925, 14, 926, 927, 928, 15, 929, 930, 931, 932, + 933, 16, 934, 935, 936, 937, 938, 939, 940, 941, + 942, 943, 944, 945, 946, 947, 948, 949, 950, 951, + 952, 953, 954, 955, 956, 957, 958, 959, 960, 961, 962, 963, 964, 965, 966, 967, 968, 969, 970, 971, 972, 973, 974, 975, 976, 977, 978, 979, 980, 981, - 982, 983, 0, 0, 0, 0, 0, 0, 0, 0, + 982, 983, 984, 985, 986, 987, 988, 989, 990, 991, + 992, 993, 994, 995, 996, 997, 998, 999, 1000, 1001, + 1002, 1003, 1004, 1005, 1006, 1007, 1008, 1009, 1010, 1011, + 1012, 1013, 1014, 1015, 1016, 1017, 1018, 1019, 1020, 1021, + 1022, 1023, 1024, 1025, 1026, 1027, 1028, 1029, 1030, 1031, + 1032, 1033, 1034, 1035, 1036, 1037, 1038, 1039, 1040, 1041, + 1042, 1043, 1044, 1045, 1046, 1047, 1048, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 558, - 559, 560, 561 + 0, 0, 0, 0, 595, 596, 597, 598, 599, 600 }; static const yytype_int16 yycheck = { - 0, 45, 45, 45, 47, 48, 115, 45, 301, 302, - 311, 11, 12, 10, 10, 53, 54, 45, 167, 168, - 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, - 179, 180, 181, 182, 183, 184, 185, 10, 10, 81, - 82, 10, 10, 10, 10, 10, 46, 10, 10, 10, - 10, 10, 52, 247, 248, 249, 250, 251, 252, 253, - 254, 255, 256, 10, 10, 10, 108, 110, 97, 98, - 99, 100, 101, 102, 103, 104, 268, 269, 270, 271, - 272, 273, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 96, 10, 10, 10, - 143, 10, 10, 10, 142, 10, 144, 10, 10, 10, - 153, 10, 10, 10, 114, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 187, 188, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 166, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 227, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 
10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 225, 10, 10, 10, 10, - 10, 275, 10, 277, 278, 279, 280, 281, 10, 10, - 10, 10, 10, 287, 10, 10, 246, 10, 291, 277, - 278, 279, 290, 10, 10, 10, 10, 10, 10, 287, - 10, 10, 10, 10, 10, 10, 10, 267, 10, 10, - 10, 10, 316, 317, 10, 10, 276, 305, 306, 307, - 308, 309, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 300, 10, 10, 10, 304, 10, 10, 10, 37, 10, - 310, 13, 14, 15, 16, 17, 18, 19, 20, 21, - 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, - 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, - 42, 43, 44, 10, 10, 10, 10, 49, 50, 51, - 10, 10, 10, 55, 56, 57, 58, 59, 60, 61, - 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, - 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, - 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, - 92, 93, 94, 95, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 105, 106, 107, 108, 109, 10, 111, - 112, 113, 10, 10, 116, 117, 118, 119, 120, 121, - 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, - 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, - 10, 10, 10, 145, 146, 147, 148, 149, 150, 151, - 152, 10, 154, 155, 156, 157, 158, 159, 160, 161, - 162, 163, 164, 165, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 186, 187, 188, 189, 190, 191, - 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, - 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, - 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, - 222, 223, 224, 10, 226, 10, 228, 229, 230, 231, - 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, - 242, 243, 244, 245, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10, 10, 257, 258, 259, 260, 261, - 262, 263, 264, 265, 266, 10, 10, 10, 10, 10, - 10, 10, 274, 10, 10, 10, 10, 10, 10, 10, - 282, 283, 10, 285, 286, 10, 288, 289, 10, 10, - 292, 293, 294, 295, 296, 297, 298, 299, 10, 10, - 10, 303, 10, 10, 10, 10, 10, 10, 10, 10, - 312, 313, 314, 315, 10, 10, 10, 10, 10, 10, + 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, + 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, + 33, 34, 35, 36, 37, 38, 39, 40, 
41, 42, + 43, 44, 310, 311, 115, 320, 49, 50, 51, 10, + 10, 10, 55, 56, 57, 58, 59, 60, 61, 62, + 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, + 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, + 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, + 93, 94, 95, 45, 277, 278, 279, 280, 281, 282, + 10, 10, 105, 106, 107, 108, 109, 45, 111, 112, + 113, 10, 10, 116, 117, 118, 119, 120, 121, 122, + 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, + 133, 134, 135, 136, 137, 138, 139, 140, 141, 45, + 10, 10, 145, 81, 82, 148, 149, 150, 151, 152, + 153, 154, 10, 156, 157, 158, 159, 160, 161, 162, + 163, 164, 165, 166, 167, 168, 10, 10, 10, 10, + 108, 256, 257, 258, 259, 260, 261, 262, 263, 264, + 265, 10, 10, 10, 10, 10, 189, 190, 191, 192, + 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, + 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, + 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, + 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, + 10, 234, 10, 236, 237, 238, 239, 240, 241, 242, + 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, + 253, 254, 190, 191, 10, 10, 10, 10, 45, 10, + 47, 48, 0, 266, 267, 268, 269, 270, 271, 272, + 273, 274, 275, 11, 12, 45, 10, 10, 10, 10, + 283, 10, 10, 53, 54, 10, 10, 10, 291, 292, + 10, 294, 295, 10, 297, 298, 10, 235, 301, 302, + 303, 304, 305, 306, 307, 308, 10, 10, 46, 312, + 10, 10, 10, 10, 52, 10, 10, 10, 321, 322, + 323, 324, 10, 110, 10, 328, 329, 330, 331, 332, + 333, 334, 335, 336, 286, 287, 288, 289, 10, 10, + 10, 10, 10, 10, 296, 97, 98, 99, 100, 101, + 102, 103, 104, 10, 10, 10, 143, 10, 96, 146, + 10, 10, 314, 315, 316, 317, 318, 10, 155, 10, + 10, 10, 142, 10, 144, 327, 114, 147, 284, 10, + 286, 287, 288, 289, 290, 10, 10, 10, 10, 10, + 296, 170, 171, 172, 173, 174, 175, 176, 177, 178, + 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 325, + 326, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 169, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 
10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 233, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 300, 10, 10, 10, 255, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 299, + 10, 10, 10, 10, 10, 10, 10, 10, 276, 10, + 10, 10, 10, 10, 10, 10, 10, 285, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 309, 10, 10, 10, 313, 10, 10, 10, 10, + 10, 319, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, -1, -1, -1, -1, -1, -1, -1, -1, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, 37, - 37, 37, 37 + -1, -1, -1, -1, 37, 37, 37, 37, 37, 37 }; /* YYSTOSSTATE-NUM -- The (internal number of the) accessing symbol of state STATE-NUM. */ static const yytype_int16 yystos = { - 0, 319, 0, 11, 12, 46, 52, 96, 114, 166, - 225, 246, 267, 276, 300, 304, 310, 320, 321, 322, - 325, 328, 331, 334, 342, 588, 599, 621, 625, 633, - 646, 656, 323, 326, 329, 332, 335, 343, 589, 600, - 622, 626, 634, 647, 657, 13, 14, 15, 16, 17, + 0, 338, 0, 11, 12, 46, 52, 96, 114, 169, + 233, 255, 276, 285, 309, 313, 319, 339, 340, 341, + 344, 347, 350, 353, 362, 626, 637, 659, 663, 671, + 684, 694, 342, 345, 348, 351, 354, 363, 627, 638, + 660, 664, 672, 685, 695, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 49, 50, 51, 
@@ -2718,58 +2137,63 @@ 95, 105, 106, 107, 108, 109, 111, 112, 113, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, - 137, 138, 139, 140, 141, 145, 146, 147, 148, 149, - 150, 151, 152, 154, 155, 156, 157, 158, 159, 160, - 161, 162, 163, 164, 165, 186, 187, 188, 189, 190, - 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, - 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, - 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, - 221, 222, 223, 224, 226, 228, 229, 230, 231, 232, - 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, - 243, 244, 245, 257, 258, 259, 260, 261, 262, 263, - 264, 265, 266, 274, 282, 283, 285, 286, 288, 289, - 292, 293, 294, 295, 296, 297, 298, 299, 303, 312, - 313, 314, 315, 324, 345, 346, 347, 348, 349, 350, - 351, 352, 353, 354, 355, 356, 357, 358, 359, 360, - 361, 362, 363, 364, 365, 366, 367, 368, 369, 370, - 371, 372, 373, 374, 375, 376, 377, 378, 379, 380, - 381, 382, 383, 384, 385, 386, 387, 388, 389, 390, - 391, 392, 393, 394, 395, 396, 397, 398, 399, 400, - 401, 402, 403, 404, 405, 406, 407, 408, 409, 410, - 411, 412, 413, 414, 415, 416, 417, 418, 419, 420, - 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, - 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, - 441, 442, 443, 444, 445, 446, 447, 448, 449, 450, - 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, - 461, 462, 463, 464, 465, 466, 467, 468, 469, 470, - 471, 472, 473, 474, 475, 476, 477, 478, 479, 480, - 481, 482, 483, 484, 485, 486, 487, 488, 489, 490, - 491, 492, 493, 494, 495, 496, 497, 498, 499, 500, - 501, 502, 503, 504, 505, 506, 507, 508, 509, 510, - 511, 512, 513, 514, 515, 516, 517, 518, 519, 520, - 521, 522, 523, 524, 525, 526, 527, 528, 529, 530, - 531, 532, 533, 534, 535, 536, 537, 538, 539, 540, - 541, 542, 543, 544, 545, 546, 547, 548, 549, 550, - 551, 552, 553, 554, 555, 556, 557, 629, 630, 631, - 632, 655, 45, 47, 48, 110, 143, 153, 291, 327, - 558, 559, 560, 561, 562, 563, 564, 45, 53, 54, - 142, 144, 
290, 330, 565, 566, 567, 568, 569, 570, - 45, 81, 82, 108, 187, 188, 227, 333, 581, 582, - 583, 584, 585, 586, 587, 45, 275, 277, 278, 279, - 280, 281, 287, 316, 317, 336, 571, 572, 573, 574, - 575, 576, 577, 578, 579, 580, 305, 306, 307, 308, - 309, 337, 338, 339, 340, 341, 344, 571, 572, 573, - 574, 575, 97, 98, 99, 100, 101, 102, 103, 104, - 590, 591, 592, 593, 594, 595, 596, 597, 598, 167, - 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, - 178, 179, 180, 181, 182, 183, 184, 185, 601, 602, - 603, 604, 605, 606, 607, 608, 609, 610, 611, 612, - 613, 614, 615, 616, 617, 618, 619, 620, 115, 623, - 624, 311, 627, 628, 247, 248, 249, 250, 251, 252, - 253, 254, 255, 256, 635, 636, 637, 638, 639, 640, - 641, 642, 643, 644, 645, 268, 269, 270, 271, 272, - 273, 648, 649, 650, 651, 652, 653, 654, 301, 302, - 658, 659, 660, 10, 10, 10, 10, 10, 10, 10, + 137, 138, 139, 140, 141, 145, 148, 149, 150, 151, + 152, 153, 154, 156, 157, 158, 159, 160, 161, 162, + 163, 164, 165, 166, 167, 168, 189, 190, 191, 192, + 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, + 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, + 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, + 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, + 234, 236, 237, 238, 239, 240, 241, 242, 243, 244, + 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, + 266, 267, 268, 269, 270, 271, 272, 273, 274, 275, + 283, 291, 292, 294, 295, 297, 298, 301, 302, 303, + 304, 305, 306, 307, 308, 312, 321, 322, 323, 324, + 328, 329, 330, 331, 332, 333, 334, 335, 336, 343, + 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, + 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, + 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, + 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, + 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, + 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, + 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, + 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, + 445, 446, 447, 448, 449, 450, 451, 452, 453, 
454, + 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, + 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, + 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, + 485, 486, 487, 488, 489, 490, 491, 492, 493, 494, + 495, 496, 497, 498, 499, 500, 501, 502, 503, 504, + 505, 506, 507, 508, 509, 510, 511, 512, 513, 514, + 515, 516, 517, 518, 519, 520, 521, 522, 523, 524, + 525, 526, 527, 528, 529, 530, 531, 532, 533, 534, + 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, + 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, + 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, + 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, + 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, + 585, 586, 587, 588, 589, 590, 591, 592, 593, 667, + 668, 669, 670, 693, 45, 47, 48, 110, 143, 146, + 155, 300, 346, 594, 595, 596, 597, 598, 599, 600, + 601, 45, 53, 54, 142, 144, 147, 299, 349, 602, + 603, 604, 605, 606, 607, 608, 45, 81, 82, 108, + 190, 191, 235, 352, 619, 620, 621, 622, 623, 624, + 625, 45, 284, 286, 287, 288, 289, 290, 296, 325, + 326, 355, 609, 610, 611, 612, 613, 614, 615, 616, + 617, 618, 314, 315, 316, 317, 318, 327, 356, 357, + 358, 359, 360, 361, 364, 609, 610, 611, 612, 613, + 616, 97, 98, 99, 100, 101, 102, 103, 104, 628, + 629, 630, 631, 632, 633, 634, 635, 636, 170, 171, + 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, + 182, 183, 184, 185, 186, 187, 188, 639, 640, 641, + 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, + 652, 653, 654, 655, 656, 657, 658, 115, 661, 662, + 320, 665, 666, 256, 257, 258, 259, 260, 261, 262, + 263, 264, 265, 673, 674, 675, 676, 677, 678, 679, + 680, 681, 682, 683, 277, 278, 279, 280, 281, 282, + 686, 687, 688, 689, 690, 691, 692, 310, 311, 696, + 697, 698, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 
@@ -2801,79 +2225,84 @@ 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, - 10, 10, 10, 10 + 10, 10, 10, 10, 10, 10, 10, 10, 10, 10, + 10, 10, 10, 10, 10, 10, 10, 10, 10 }; /* YYR1YYN -- Symbol number of symbol that rule YYN derives. */ static const yytype_int16 yyr1 = { - 0, 318, 319, 319, 320, 320, 320, 320, 320, 320, - 320, 320, 320, 320, 320, 320, 320, 320, 321, 322, - 323, 323, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 324, 324, 324, 324, 324, 324, 324, 324, 324, 324, - 325, 326, 326, 327, 327, 327, 327, 327, 327, 327, - 328, 329, 329, 330, 330, 330, 330, 330, 330, 331, - 332, 332, 333, 333, 333, 333, 333, 333, 333, 334, - 335, 335, 336, 336, 336, 336, 336, 336, 336, 336, - 336, 336, 337, 338, 339, 340, 341, 342, 343, 343, - 344, 344, 344, 344, 344, 344, 344, 344, 344, 344, - 345, 346, 347, 348, 349, 350, 351, 352, 353, 354, - 355, 356, 357, 358, 359, 360, 361, 362, 363, 
364, - 365, 366, 367, 368, 369, 370, 371, 372, 373, 374, - 375, 376, 377, 378, 379, 380, 381, 382, 383, 384, - 385, 386, 387, 388, 389, 390, 391, 392, 393, 394, - 395, 396, 397, 398, 399, 400, 401, 402, 403, 404, - 405, 406, 407, 408, 409, 410, 411, 412, 413, 414, - 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, - 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, - 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, - 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, - 455, 456, 457, 458, 459, 460, 461, 462, 463, 464, - 465, 466, 467, 468, 469, 470, 471, 472, 473, 474, - 475, 476, 477, 478, 479, 480, 481, 482, 483, 484, - 485, 486, 487, 488, 489, 490, 491, 492, 493, 494, - 495, 496, 497, 498, 499, 500, 501, 502, 503, 504, - 505, 506, 507, 508, 509, 510, 511, 512, 513, 514, - 515, 516, 517, 518, 519, 520, 521, 522, 523, 524, - 525, 526, 527, 528, 529, 530, 531, 532, 533, 534, - 535, 536, 537, 538, 539, 540, 541, 542, 543, 544, - 545, 546, 547, 548, 549, 550, 551, 552, 553, 554, - 555, 556, 557, 558, 559, 560, 561, 562, 563, 564, - 565, 566, 567, 568, 569, 570, 571, 572, 573, 574, - 575, 576, 577, 578, 579, 580, 581, 582, 583, 584, - 585, 586, 587, 588, 589, 589, 590, 590, 590, 590, - 590, 590, 590, 590, 591, 592, 593, 594, 595, 596, - 597, 598, 599, 600, 600, 601, 601, 601, 601, 601, - 601, 601, 601, 601, 601, 601, 601, 601, 601, 601, - 601, 601, 601, 601, 602, 603, 604, 605, 606, 607, - 608, 609, 610, 611, 612, 613, 614, 615, 616, 617, - 618, 619, 620, 621, 622, 622, 623, 624, 625, 626, - 626, 627, 628, 629, 630, 631, 632, 633, 634, 634, - 635, 635, 635, 635, 635, 635, 635, 635, 635, 635, - 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, - 646, 647, 647, 648, 648, 648, 648, 648, 648, 649, - 650, 651, 652, 653, 654, 655, 656, 657, 657, 658, - 658, 659, 660 + 0, 337, 338, 338, 339, 339, 339, 339, 339, 339, + 339, 339, 339, 339, 339, 339, 339, 339, 340, 341, + 342, 342, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 
343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 343, 343, 343, 343, + 343, 343, 343, 343, 343, 343, 344, 345, 345, 346, + 346, 346, 346, 346, 346, 346, 346, 347, 348, 348, + 349, 349, 349, 349, 349, 349, 349, 350, 351, 351, + 352, 352, 352, 352, 352, 352, 352, 353, 354, 354, + 355, 355, 355, 355, 355, 355, 355, 355, 355, 355, + 356, 357, 358, 359, 360, 361, 362, 363, 363, 364, + 364, 364, 364, 364, 364, 364, 364, 364, 364, 364, + 364, 365, 366, 367, 368, 369, 370, 371, 372, 373, + 374, 375, 376, 377, 378, 379, 380, 381, 382, 383, + 384, 385, 386, 387, 388, 389, 390, 391, 392, 393, + 394, 395, 396, 397, 398, 399, 400, 401, 402, 403, + 404, 405, 406, 407, 408, 409, 410, 411, 412, 413, + 414, 415, 416, 417, 418, 419, 420, 421, 422, 423, + 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, + 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, + 444, 445, 446, 447, 448, 449, 450, 451, 452, 453, + 454, 455, 456, 457, 458, 459, 460, 461, 462, 463, + 464, 465, 466, 467, 
468, 469, 470, 471, 472, 473, + 474, 475, 476, 477, 478, 479, 480, 481, 482, 483, + 484, 485, 486, 487, 488, 489, 490, 491, 492, 493, + 494, 495, 496, 497, 498, 499, 500, 501, 502, 503, + 504, 505, 506, 507, 508, 509, 510, 511, 512, 513, + 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, + 524, 525, 526, 527, 528, 529, 530, 531, 532, 533, + 534, 535, 536, 537, 538, 539, 540, 541, 542, 543, + 544, 545, 546, 547, 548, 549, 550, 551, 552, 553, + 554, 555, 556, 557, 558, 559, 560, 561, 562, 563, + 564, 565, 566, 567, 568, 569, 570, 571, 572, 573, + 574, 575, 576, 577, 578, 579, 580, 581, 582, 583, + 584, 585, 586, 587, 588, 589, 590, 591, 592, 593, + 594, 595, 596, 597, 598, 599, 600, 601, 602, 603, + 604, 605, 606, 607, 608, 609, 610, 611, 612, 613, + 614, 615, 616, 617, 618, 619, 620, 621, 622, 623, + 624, 625, 626, 627, 627, 628, 628, 628, 628, 628, + 628, 628, 628, 629, 630, 631, 632, 633, 634, 635, + 636, 637, 638, 638, 639, 639, 639, 639, 639, 639, + 639, 639, 639, 639, 639, 639, 639, 639, 639, 639, + 639, 639, 639, 640, 641, 642, 643, 644, 645, 646, + 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, + 657, 658, 659, 660, 660, 661, 662, 663, 664, 664, + 665, 666, 667, 668, 669, 670, 671, 672, 672, 673, + 673, 673, 673, 673, 673, 673, 673, 673, 673, 674, + 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, + 685, 685, 686, 686, 686, 686, 686, 686, 687, 688, + 689, 690, 691, 692, 693, 694, 695, 695, 696, 696, + 697, 698 }; /* YYR2YYN -- Number of symbols on the right hand side of rule YYN. */ 
@@ -2903,12 +2332,15 @@ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, - 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, - 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, - 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 2, 2, 2, 2, 2, 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 2, 0, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 0, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 0, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 0, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 2, 2, 2, 2, 2, 2, 1, 2, 0, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 
@@ -2922,30 +2354,31 @@ 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 3, 2, 2, 2, + 3, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 3, 2, - 2, 2, 2, 2, 2, 2, 2, 2, 2, 3, - 3, 4, 4, 4, 3, 3, 2, 2, 2, 2, + 2, 2, 2, 2, 3, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 3, 3, 4, 4, 4, + 3, 3, 4, 4, 3, 3, 2, 2, 2, 2, 2, 2, 3, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 3, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 2, 2, 2, 2, 2, 3, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 2, 2, 2, 2, 3, 3, 3, - 2, 2, 2, 1, 2, 0, 1, 1, 1, 1, - 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, - 2, 2, 1, 2, 0, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 1, 2, 0, 1, 2, 1, 2, - 0, 1, 2, 2, 2, 3, 3, 1, 2, 0, + 2, 2, 2, 2, 2, 2, 3, 3, 3, 2, + 2, 2, 1, 2, 0, 1, 1, 1, 1, 1, + 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, + 2, 1, 2, 0, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 1, 2, 0, 1, 1, 1, 1, 1, 1, 2, - 2, 2, 2, 2, 2, 3, 1, 2, 0, 1, - 1, 2, 2 + 2, 2, 1, 2, 0, 1, 2, 1, 2, 0, + 1, 2, 2, 2, 3, 3, 1, 2, 0, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, + 2, 2, 2, 2, 2, 2, 2, 2, 2, 1, + 2, 0, 1, 1, 1, 1, 1, 1, 2, 2, + 2, 2, 2, 2, 3, 1, 2, 0, 1, 1, + 2, 2 }; @@ -3024,7 +2457,7 @@ yysymbol_kind_t yykind, YYSTYPE const * const yyvaluep) { FILE *yyoutput = yyo; - YYUSE (yyoutput); + YY_USE (yyoutput); if (!yyvaluep) return; # ifdef YYPRINT @@ -3032,7 +2465,7 @@ YYPRINT (yyo, yytoknumyykind, *yyvaluep); # endif YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN - YYUSE (yykind); + YY_USE (yykind); YY_IGNORE_MAYBE_UNINITIALIZED_END } 
@@ -3146,18 +2579,18 @@ yydestruct (const char *yymsg, yysymbol_kind_t yykind, YYSTYPE *yyvaluep) { - YYUSE (yyvaluep); + YY_USE (yyvaluep); if (!yymsg) yymsg = "Deleting"; YY_SYMBOL_PRINT (yymsg, yykind, yyvaluep, yylocationp); YY_IGNORE_MAYBE_UNINITIALIZED_BEGIN - YYUSE (yykind); + YY_USE (yykind); YY_IGNORE_MAYBE_UNINITIALIZED_END } -/* The lookahead symbol. */ +/* Lookahead token kind. */ int yychar; /* The semantic value of the lookahead symbol. */ @@ -3175,34 +2608,30 @@ int yyparse (void) { - yy_state_fast_t yystate; + yy_state_fast_t yystate = 0; /* Number of tokens to shift before error messages enabled. */ - int yyerrstatus; + int yyerrstatus = 0; - /* The stacks and their tools: - 'yyss': related to states. - 'yyvs': related to semantic values. - - Refer to the stacks through separate pointers, to allow yyoverflow + /* Refer to the stacks through separate pointers, to allow yyoverflow to reallocate them elsewhere. */ /* Their size. */ - YYPTRDIFF_T yystacksize; + YYPTRDIFF_T yystacksize = YYINITDEPTH; - /* The state stack. */ + /* The state stack: array, bottom, top. */ yy_state_t yyssaYYINITDEPTH; - yy_state_t *yyss; - yy_state_t *yyssp; + yy_state_t *yyss = yyssa; + yy_state_t *yyssp = yyss; - /* The semantic value stack. */ + /* The semantic value stack: array, bottom, top. */ YYSTYPE yyvsaYYINITDEPTH; - YYSTYPE *yyvs; - YYSTYPE *yyvsp; + YYSTYPE *yyvs = yyvsa; + YYSTYPE *yyvsp = yyvs; int yyn; /* The return value of yyparse. */ int yyresult; - /* Lookahead token as an internal (translated) token number. */ + /* Lookahead symbol kind. */ yysymbol_kind_t yytoken = YYSYMBOL_YYEMPTY; /* The variables used to return semantic value and location from the action routines. */ 
@@ -3216,15 +2645,6 @@ Keep to zero when no symbol should be popped. */ int yylen = 0; - yynerrs = 0; - yystate = 0; - yyerrstatus = 0; - - yystacksize = YYINITDEPTH; - yyssp = yyss = yyssa; - yyvsp = yyvs = yyvsa; - - YYDPRINTF ((stderr, "Starting parse\n")); yychar = YYEMPTY; /* Cause a token to be read. */ 
@@ -3425,74 +2845,83 @@ YY_REDUCE_PRINT (yyn); switch (yyn) { - case 18: -#line 200 "util/configparser.y" + case 18: /* force_toplevel: VAR_FORCE_TOPLEVEL */ +#line 209 "util/configparser.y" { OUTYY(("\nP(force-toplevel)\n")); + cfg_parser->started_toplevel = 0; } -#line 3434 "util/configparser.c" +#line 2855 "util/configparser.c" break; - case 19: -#line 206 "util/configparser.y" - { + case 19: /* serverstart: VAR_SERVER */ +#line 216 "util/configparser.y" + { OUTYY(("\nP(server:)\n")); + cfg_parser->started_toplevel = 1; } -#line 3442 "util/configparser.c" +#line 2864 "util/configparser.c" break; - case 240: -#line 313 "util/configparser.y" + case 256: /* stubstart: VAR_STUB_ZONE */ +#line 329 "util/configparser.y" { struct config_stub* s; - OUTYY(("\nP(stub_zone:)\n")); + OUTYY(("\nP(stub_zone:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->stubs; cfg_parser->cfg->stubs = s; - } else + } else { yyerror("out of memory"); + } } -#line 3457 "util/configparser.c" +#line 2881 "util/configparser.c" break; - case 250: -#line 330 "util/configparser.y" + case 267: /* forwardstart: VAR_FORWARD_ZONE */ +#line 348 "util/configparser.y" { struct config_stub* s; - OUTYY(("\nP(forward_zone:)\n")); + OUTYY(("\nP(forward_zone:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->forwards; cfg_parser->cfg->forwards = s; - } else + } else { yyerror("out of memory"); + } } -#line 3472 "util/configparser.c" +#line 2898 "util/configparser.c" break; - case 259: -#line 347 "util/configparser.y" + case 277: /* viewstart: VAR_VIEW */ +#line 367 "util/configparser.y" { struct config_view* s; - OUTYY(("\nP(view:)\n")); + OUTYY(("\nP(view:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_view*)calloc(1, sizeof(struct config_view)); if(s) { s->next = cfg_parser->cfg->views; if(s->next && 
!s->next->name) yyerror("view without name"); cfg_parser->cfg->views = s; - } else + } else { yyerror("out of memory"); + } } -#line 3489 "util/configparser.c" +#line 2917 "util/configparser.c" break; - case 269: -#line 366 "util/configparser.y" + case 287: /* authstart: VAR_AUTH_ZONE */ +#line 388 "util/configparser.y" { struct config_auth* s; - OUTYY(("\nP(auth_zone:)\n")); + OUTYY(("\nP(auth_zone:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; @@ -3504,14 +2933,15 @@ s->zonemd_check = 0; s->zonemd_reject_absence = 0; s->isrpz = 0; - } else + } else { yyerror("out of memory"); + } } -#line 3511 "util/configparser.c" +#line 2941 "util/configparser.c" break; - case 282: -#line 392 "util/configparser.y" + case 300: /* rpz_tag: VAR_TAGS STRING_ARG */ +#line 416 "util/configparser.y" { uint8_t* bitlist; size_t len = 0; @@ -3528,11 +2958,11 @@ } } -#line 3532 "util/configparser.c" +#line 2962 "util/configparser.c" break; - case 283: -#line 411 "util/configparser.y" + case 301: /* rpz_action_override: VAR_RPZ_ACTION_OVERRIDE STRING_ARG */ +#line 435 "util/configparser.y" { OUTYY(("P(rpz_action_override:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "nxdomain")!=0 && strcmp((yyvsp0.str), "nodata")!=0 && 
@@ -3547,21 +2977,21 @@ cfg_parser->cfg->auths->rpz_action_override = (yyvsp0.str); } } -#line 3551 "util/configparser.c" +#line 2981 "util/configparser.c" break; - case 284: -#line 428 "util/configparser.y" + case 302: /* rpz_cname_override: VAR_RPZ_CNAME_OVERRIDE STRING_ARG */ +#line 452 "util/configparser.y" { OUTYY(("P(rpz_cname_override:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->auths->rpz_cname); cfg_parser->cfg->auths->rpz_cname = (yyvsp0.str); } -#line 3561 "util/configparser.c" +#line 2991 "util/configparser.c" break; - case 285: -#line 436 "util/configparser.y" + case 303: /* rpz_log: VAR_RPZ_LOG STRING_ARG */ +#line 460 "util/configparser.y" { OUTYY(("P(rpz_log:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -3569,24 +2999,37 @@ else cfg_parser->cfg->auths->rpz_log = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 3573 "util/configparser.c" +#line 3003 "util/configparser.c" break; - case 286: -#line 446 "util/configparser.y" + case 304: /* rpz_log_name: VAR_RPZ_LOG_NAME STRING_ARG */ +#line 470 "util/configparser.y" { OUTYY(("P(rpz_log_name:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->auths->rpz_log_name); cfg_parser->cfg->auths->rpz_log_name = (yyvsp0.str); } -#line 3583 "util/configparser.c" +#line 3013 "util/configparser.c" break; - case 287: -#line 454 "util/configparser.y" + case 305: /* rpz_signal_nxdomain_ra: VAR_RPZ_SIGNAL_NXDOMAIN_RA STRING_ARG */ +#line 477 "util/configparser.y" + { + OUTYY(("P(rpz_signal_nxdomain_ra:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 3025 "util/configparser.c" + break; + + case 306: /* rpzstart: VAR_RPZ */ +#line 487 "util/configparser.y" { struct config_auth* s; OUTYY(("\nP(rpz:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; 
@@ -3596,40 +3039,41 @@ s->for_upstream = 0; s->fallback_enabled = 0; s->isrpz = 1; - } else + } else { yyerror("out of memory"); + } } -#line 3603 "util/configparser.c" +#line 3047 "util/configparser.c" break; - case 300: -#line 477 "util/configparser.y" - { - OUTYY(("P(server_num_threads:%s)\n", (yyvsp0.str))); + case 321: /* server_num_threads: VAR_NUM_THREADS STRING_ARG */ +#line 512 "util/configparser.y" + { + OUTYY(("P(server_num_threads:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->num_threads = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3615 "util/configparser.c" +#line 3059 "util/configparser.c" break; - case 301: -#line 486 "util/configparser.y" - { - OUTYY(("P(server_verbosity:%s)\n", (yyvsp0.str))); + case 322: /* server_verbosity: VAR_VERBOSITY STRING_ARG */ +#line 521 "util/configparser.y" + { + OUTYY(("P(server_verbosity:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->verbosity = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3627 "util/configparser.c" +#line 3071 "util/configparser.c" break; - case 302: -#line 495 "util/configparser.y" - { - OUTYY(("P(server_statistics_interval:%s)\n", (yyvsp0.str))); + case 323: /* server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG */ +#line 530 "util/configparser.y" + { + OUTYY(("P(server_statistics_interval:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "") == 0 || strcmp((yyvsp0.str), "0") == 0) cfg_parser->cfg->stat_interval = 0; else if(atoi((yyvsp0.str)) == 0) 
@@ -3637,11 +3081,11 @@ else cfg_parser->cfg->stat_interval = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3641 "util/configparser.c" +#line 3085 "util/configparser.c" break; - case 303: -#line 506 "util/configparser.y" + case 324: /* server_statistics_cumulative: VAR_STATISTICS_CUMULATIVE STRING_ARG */ +#line 541 "util/configparser.y" { OUTYY(("P(server_statistics_cumulative:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -3649,11 +3093,11 @@ else cfg_parser->cfg->stat_cumulative = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 3653 "util/configparser.c" +#line 3097 "util/configparser.c" break; - case 304: -#line 515 "util/configparser.y" + case 325: /* server_extended_statistics: VAR_EXTENDED_STATISTICS STRING_ARG */ +#line 550 "util/configparser.y" { OUTYY(("P(server_extended_statistics:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -3661,11 +3105,23 @@ else cfg_parser->cfg->stat_extended = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 3665 "util/configparser.c" +#line 3109 "util/configparser.c" break; - case 305: -#line 524 "util/configparser.y" + case 326: /* server_statistics_inhibit_zero: VAR_STATISTICS_INHIBIT_ZERO STRING_ARG */ +#line 559 "util/configparser.y" + { + OUTYY(("P(server_statistics_inhibit_zero:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stat_inhibit_zero = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 3121 "util/configparser.c" + break; + + case 327: /* server_shm_enable: VAR_SHM_ENABLE STRING_ARG */ +#line 568 "util/configparser.y" { OUTYY(("P(server_shm_enable:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -3673,13 +3129,13 @@ else cfg_parser->cfg->shm_enable = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 3677 "util/configparser.c" +#line 3133 "util/configparser.c" break; - case 306: -#line 533 "util/configparser.y" - { - OUTYY(("P(server_shm_key:%s)\n", (yyvsp0.str))); + case 328: /* server_shm_key: VAR_SHM_KEY STRING_ARG */ +#line 577 "util/configparser.y" + { + OUTYY(("P(server_shm_key:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "") == 0 || strcmp((yyvsp0.str), "0") == 0) cfg_parser->cfg->shm_key = 0; else if(atoi((yyvsp0.str)) == 0) @@ -3687,11 +3143,11 @@ else cfg_parser->cfg->shm_key = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3691 "util/configparser.c" +#line 3147 "util/configparser.c" break; - case 307: -#line 544 "util/configparser.y" + case 329: /* server_port: VAR_PORT STRING_ARG */ +#line 588 "util/configparser.y" { OUTYY(("P(server_port:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -3699,11 +3155,11 @@ else cfg_parser->cfg->port = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3703 "util/configparser.c" +#line 3159 "util/configparser.c" break; - case 308: -#line 553 "util/configparser.y" + case 330: /* server_send_client_subnet: VAR_SEND_CLIENT_SUBNET STRING_ARG */ +#line 597 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(server_send_client_subnet:%s)\n", (yyvsp0.str))); @@ -3714,11 +3170,11 @@ free((yyvsp0.str)); #endif } -#line 3718 "util/configparser.c" +#line 3174 "util/configparser.c" break; - case 309: -#line 565 "util/configparser.y" + case 331: /* server_client_subnet_zone: VAR_CLIENT_SUBNET_ZONE STRING_ARG */ +#line 609 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(server_client_subnet_zone:%s)\n", (yyvsp0.str))); 
@@ -3730,11 +3186,11 @@ free((yyvsp0.str)); #endif } -#line 3734 "util/configparser.c" +#line 3190 "util/configparser.c" break; - case 310: -#line 579 "util/configparser.y" + case 332: /* server_client_subnet_always_forward: VAR_CLIENT_SUBNET_ALWAYS_FORWARD STRING_ARG */ +#line 623 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(server_client_subnet_always_forward:%s)\n", (yyvsp0.str))); @@ -3748,11 +3204,11 @@ #endif free((yyvsp0.str)); } -#line 3752 "util/configparser.c" +#line 3208 "util/configparser.c" break; - case 311: -#line 594 "util/configparser.y" + case 333: /* server_client_subnet_opcode: VAR_CLIENT_SUBNET_OPCODE STRING_ARG */ +#line 638 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(client_subnet_opcode:%s)\n", (yyvsp0.str))); @@ -3762,11 +3218,11 @@ #endif free((yyvsp0.str)); } -#line 3766 "util/configparser.c" +#line 3222 "util/configparser.c" break; - case 312: -#line 605 "util/configparser.y" + case 334: /* server_max_client_subnet_ipv4: VAR_MAX_CLIENT_SUBNET_IPV4 STRING_ARG */ +#line 649 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_client_subnet_ipv4:%s)\n", (yyvsp0.str))); @@ -3782,11 +3238,11 @@ #endif free((yyvsp0.str)); } -#line 3786 "util/configparser.c" +#line 3242 "util/configparser.c" break; - case 313: -#line 622 "util/configparser.y" + case 335: /* server_max_client_subnet_ipv6: VAR_MAX_CLIENT_SUBNET_IPV6 STRING_ARG */ +#line 666 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_client_subnet_ipv6:%s)\n", (yyvsp0.str))); @@ -3802,11 +3258,11 @@ #endif free((yyvsp0.str)); } -#line 3806 "util/configparser.c" +#line 3262 "util/configparser.c" break; - case 314: -#line 639 "util/configparser.y" + case 336: /* server_min_client_subnet_ipv4: VAR_MIN_CLIENT_SUBNET_IPV4 STRING_ARG */ +#line 683 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(min_client_subnet_ipv4:%s)\n", (yyvsp0.str))); 
@@ -3822,11 +3278,11 @@ #endif free((yyvsp0.str)); } -#line 3826 "util/configparser.c" +#line 3282 "util/configparser.c" break; - case 315: -#line 656 "util/configparser.y" + case 337: /* server_min_client_subnet_ipv6: VAR_MIN_CLIENT_SUBNET_IPV6 STRING_ARG */ +#line 700 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(min_client_subnet_ipv6:%s)\n", (yyvsp0.str))); @@ -3842,11 +3298,11 @@ #endif free((yyvsp0.str)); } -#line 3846 "util/configparser.c" +#line 3302 "util/configparser.c" break; - case 316: -#line 673 "util/configparser.y" + case 338: /* server_max_ecs_tree_size_ipv4: VAR_MAX_ECS_TREE_SIZE_IPV4 STRING_ARG */ +#line 717 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_ecs_tree_size_ipv4:%s)\n", (yyvsp0.str))); @@ -3860,11 +3316,11 @@ #endif free((yyvsp0.str)); } -#line 3864 "util/configparser.c" +#line 3320 "util/configparser.c" break; - case 317: -#line 688 "util/configparser.y" + case 339: /* server_max_ecs_tree_size_ipv6: VAR_MAX_ECS_TREE_SIZE_IPV6 STRING_ARG */ +#line 732 "util/configparser.y" { #ifdef CLIENT_SUBNET OUTYY(("P(max_ecs_tree_size_ipv6:%s)\n", (yyvsp0.str))); 
@@ -3878,33 +3334,33 @@ #endif free((yyvsp0.str)); } -#line 3882 "util/configparser.c" +#line 3338 "util/configparser.c" break; - case 318: -#line 703 "util/configparser.y" + case 340: /* server_interface: VAR_INTERFACE STRING_ARG */ +#line 747 "util/configparser.y" { OUTYY(("P(server_interface:%s)\n", (yyvsp0.str))); if(cfg_parser->cfg->num_ifs == 0) cfg_parser->cfg->ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, + else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, (cfg_parser->cfg->num_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->ifs) yyerror("out of memory"); else cfg_parser->cfg->ifscfg_parser->cfg->num_ifs++ = (yyvsp0.str); } -#line 3898 "util/configparser.c" +#line 3354 "util/configparser.c" break; - case 319: -#line 716 "util/configparser.y" + case 341: /* server_outgoing_interface: VAR_OUTGOING_INTERFACE STRING_ARG */ +#line 760 "util/configparser.y" { OUTYY(("P(server_outgoing_interface:%s)\n", (yyvsp0.str))); if(cfg_parser->cfg->num_out_ifs == 0) cfg_parser->cfg->out_ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->out_ifs = realloc( - cfg_parser->cfg->out_ifs, + else cfg_parser->cfg->out_ifs = realloc( + cfg_parser->cfg->out_ifs, (cfg_parser->cfg->num_out_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->out_ifs) yyerror("out of memory"); @@ -3912,11 +3368,11 @@ cfg_parser->cfg->out_ifs cfg_parser->cfg->num_out_ifs++ = (yyvsp0.str); } -#line 3916 "util/configparser.c" +#line 3372 "util/configparser.c" break; - case 320: -#line 731 "util/configparser.y" + case 342: /* server_outgoing_range: VAR_OUTGOING_RANGE STRING_ARG */ +#line 775 "util/configparser.y" { OUTYY(("P(server_outgoing_range:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) 
@@ -3924,35 +3380,35 @@ else cfg_parser->cfg->outgoing_num_ports = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3928 "util/configparser.c" +#line 3384 "util/configparser.c" break; - case 321: -#line 740 "util/configparser.y" + case 343: /* server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG */ +#line 784 "util/configparser.y" { OUTYY(("P(server_outgoing_port_permit:%s)\n", (yyvsp0.str))); - if(!cfg_mark_ports((yyvsp0.str), 1, + if(!cfg_mark_ports((yyvsp0.str), 1, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free((yyvsp0.str)); } -#line 3940 "util/configparser.c" +#line 3396 "util/configparser.c" break; - case 322: -#line 749 "util/configparser.y" + case 344: /* server_outgoing_port_avoid: VAR_OUTGOING_PORT_AVOID STRING_ARG */ +#line 793 "util/configparser.y" { OUTYY(("P(server_outgoing_port_avoid:%s)\n", (yyvsp0.str))); - if(!cfg_mark_ports((yyvsp0.str), 0, + if(!cfg_mark_ports((yyvsp0.str), 0, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free((yyvsp0.str)); } -#line 3952 "util/configparser.c" +#line 3408 "util/configparser.c" break; - case 323: -#line 758 "util/configparser.y" + case 345: /* server_outgoing_num_tcp: VAR_OUTGOING_NUM_TCP STRING_ARG */ +#line 802 "util/configparser.y" { OUTYY(("P(server_outgoing_num_tcp:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -3960,11 +3416,11 @@ else cfg_parser->cfg->outgoing_num_tcp = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3964 "util/configparser.c" +#line 3420 "util/configparser.c" break; - case 324: -#line 767 "util/configparser.y" + case 346: /* server_incoming_num_tcp: VAR_INCOMING_NUM_TCP STRING_ARG */ +#line 811 "util/configparser.y" { OUTYY(("P(server_incoming_num_tcp:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -3972,11 +3428,11 @@ else cfg_parser->cfg->incoming_num_tcp = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 3976 "util/configparser.c" +#line 3432 "util/configparser.c" break; - case 325: -#line 776 "util/configparser.y" + case 347: /* server_interface_automatic: VAR_INTERFACE_AUTOMATIC STRING_ARG */ +#line 820 "util/configparser.y" { OUTYY(("P(server_interface_automatic:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -3984,11 +3440,21 @@ else cfg_parser->cfg->if_automatic = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 3988 "util/configparser.c" +#line 3444 "util/configparser.c" + break; + + case 348: /* server_interface_automatic_ports: VAR_INTERFACE_AUTOMATIC_PORTS STRING_ARG */ +#line 829 "util/configparser.y" + { + OUTYY(("P(server_interface_automatic_ports:%s)\n", (yyvsp0.str))); + free(cfg_parser->cfg->if_automatic_ports); + cfg_parser->cfg->if_automatic_ports = (yyvsp0.str); + } +#line 3454 "util/configparser.c" break; - case 326: -#line 785 "util/configparser.y" + case 349: /* server_do_ip4: VAR_DO_IP4 STRING_ARG */ +#line 836 "util/configparser.y" { OUTYY(("P(server_do_ip4:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -3996,11 +3462,11 @@ else cfg_parser->cfg->do_ip4 = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4000 "util/configparser.c" +#line 3466 "util/configparser.c" break; - case 327: -#line 794 "util/configparser.y" + case 350: /* server_do_ip6: VAR_DO_IP6 STRING_ARG */ +#line 845 "util/configparser.y" { OUTYY(("P(server_do_ip6:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4008,11 +3474,11 @@ else cfg_parser->cfg->do_ip6 = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4012 "util/configparser.c" +#line 3478 "util/configparser.c" break; - case 328: -#line 803 "util/configparser.y" + case 351: /* server_do_udp: VAR_DO_UDP STRING_ARG */ +#line 854 "util/configparser.y" { OUTYY(("P(server_do_udp:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4020,11 +3486,11 @@ else cfg_parser->cfg->do_udp = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4024 "util/configparser.c" +#line 3490 "util/configparser.c" break; - case 329: -#line 812 "util/configparser.y" + case 352: /* server_do_tcp: VAR_DO_TCP STRING_ARG */ +#line 863 "util/configparser.y" { OUTYY(("P(server_do_tcp:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4032,11 +3498,11 @@ else cfg_parser->cfg->do_tcp = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4036 "util/configparser.c" +#line 3502 "util/configparser.c" break; - case 330: -#line 821 "util/configparser.y" + case 353: /* server_prefer_ip4: VAR_PREFER_IP4 STRING_ARG */ +#line 872 "util/configparser.y" { OUTYY(("P(server_prefer_ip4:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4044,11 +3510,11 @@ else cfg_parser->cfg->prefer_ip4 = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4048 "util/configparser.c" +#line 3514 "util/configparser.c" break; - case 331: -#line 830 "util/configparser.y" + case 354: /* server_prefer_ip6: VAR_PREFER_IP6 STRING_ARG */ +#line 881 "util/configparser.y" { OUTYY(("P(server_prefer_ip6:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4056,23 +3522,23 @@ else cfg_parser->cfg->prefer_ip6 = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4060 "util/configparser.c" +#line 3526 "util/configparser.c" break; - case 332: -#line 839 "util/configparser.y" + case 355: /* server_tcp_mss: VAR_TCP_MSS STRING_ARG */ +#line 890 "util/configparser.y" { OUTYY(("P(server_tcp_mss:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->tcp_mss = atoi((yyvsp0.str)); - free((yyvsp0.str)); + if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->tcp_mss = atoi((yyvsp0.str)); + free((yyvsp0.str)); } -#line 4072 "util/configparser.c" +#line 3538 "util/configparser.c" break; - case 333: -#line 848 "util/configparser.y" + case 356: /* server_outgoing_tcp_mss: VAR_OUTGOING_TCP_MSS STRING_ARG */ +#line 899 "util/configparser.y" { OUTYY(("P(server_outgoing_tcp_mss:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -4080,11 +3546,11 @@ else cfg_parser->cfg->outgoing_tcp_mss = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4084 "util/configparser.c" +#line 3550 "util/configparser.c" break; - case 334: -#line 857 "util/configparser.y" + case 357: /* server_tcp_idle_timeout: VAR_TCP_IDLE_TIMEOUT STRING_ARG */ +#line 908 "util/configparser.y" { OUTYY(("P(server_tcp_idle_timeout:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -4096,11 +3562,11 @@ else cfg_parser->cfg->tcp_idle_timeout = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4100 "util/configparser.c" +#line 3566 "util/configparser.c" break; - case 335: -#line 870 "util/configparser.y" + case 358: /* server_max_reuse_tcp_queries: VAR_MAX_REUSE_TCP_QUERIES STRING_ARG */ +#line 921 "util/configparser.y" { OUTYY(("P(server_max_reuse_tcp_queries:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -4110,11 +3576,11 @@ else cfg_parser->cfg->max_reuse_tcp_queries = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4114 "util/configparser.c" +#line 3580 "util/configparser.c" break; - case 336: -#line 881 "util/configparser.y" + case 359: /* server_tcp_reuse_timeout: VAR_TCP_REUSE_TIMEOUT STRING_ARG */ +#line 932 "util/configparser.y" { OUTYY(("P(server_tcp_reuse_timeout:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -4124,11 +3590,11 @@ else cfg_parser->cfg->tcp_reuse_timeout = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4128 "util/configparser.c" +#line 3594 "util/configparser.c" break; - case 337: -#line 892 "util/configparser.y" + case 360: /* server_tcp_auth_query_timeout: VAR_TCP_AUTH_QUERY_TIMEOUT STRING_ARG */ +#line 943 "util/configparser.y" { OUTYY(("P(server_tcp_auth_query_timeout:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -4138,11 +3604,11 @@ else cfg_parser->cfg->tcp_auth_query_timeout = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4142 "util/configparser.c" +#line 3608 "util/configparser.c" break; - case 338: -#line 903 "util/configparser.y" + case 361: /* server_tcp_keepalive: VAR_EDNS_TCP_KEEPALIVE STRING_ARG */ +#line 954 "util/configparser.y" { OUTYY(("P(server_tcp_keepalive:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4150,11 +3616,11 @@ else cfg_parser->cfg->do_tcp_keepalive = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4154 "util/configparser.c" +#line 3620 "util/configparser.c" break; - case 339: -#line 912 "util/configparser.y" + case 362: /* server_tcp_keepalive_timeout: VAR_EDNS_TCP_KEEPALIVE_TIMEOUT STRING_ARG */ +#line 963 "util/configparser.y" { OUTYY(("P(server_tcp_keepalive_timeout:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -4166,11 +3632,11 @@ else cfg_parser->cfg->tcp_keepalive_timeout = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4170 "util/configparser.c" +#line 3636 "util/configparser.c" break; - case 340: -#line 925 "util/configparser.y" + case 363: /* server_tcp_upstream: VAR_TCP_UPSTREAM STRING_ARG */ +#line 976 "util/configparser.y" { OUTYY(("P(server_tcp_upstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4178,11 +3644,11 @@ else cfg_parser->cfg->tcp_upstream = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4182 "util/configparser.c" +#line 3648 "util/configparser.c" break; - case 341: -#line 934 "util/configparser.y" + case 364: /* server_udp_upstream_without_downstream: VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM STRING_ARG */ +#line 985 "util/configparser.y" { OUTYY(("P(server_udp_upstream_without_downstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4190,11 +3656,11 @@ else cfg_parser->cfg->udp_upstream_without_downstream = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4194 "util/configparser.c" +#line 3660 "util/configparser.c" break; - case 342: -#line 943 "util/configparser.y" + case 365: /* server_ssl_upstream: VAR_SSL_UPSTREAM STRING_ARG */ +#line 994 "util/configparser.y" { OUTYY(("P(server_ssl_upstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4202,31 +3668,31 @@ else cfg_parser->cfg->ssl_upstream = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4206 "util/configparser.c" +#line 3672 "util/configparser.c" break; - case 343: -#line 952 "util/configparser.y" + case 366: /* server_ssl_service_key: VAR_SSL_SERVICE_KEY STRING_ARG */ +#line 1003 "util/configparser.y" { OUTYY(("P(server_ssl_service_key:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->ssl_service_key); cfg_parser->cfg->ssl_service_key = (yyvsp0.str); } -#line 4216 "util/configparser.c" +#line 3682 "util/configparser.c" break; - case 344: -#line 959 "util/configparser.y" + case 367: /* server_ssl_service_pem: VAR_SSL_SERVICE_PEM STRING_ARG */ +#line 1010 "util/configparser.y" { OUTYY(("P(server_ssl_service_pem:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->ssl_service_pem); cfg_parser->cfg->ssl_service_pem = (yyvsp0.str); } -#line 4226 "util/configparser.c" +#line 3692 "util/configparser.c" break; - case 345: -#line 966 "util/configparser.y" + case 368: /* server_ssl_port: VAR_SSL_PORT STRING_ARG */ +#line 1017 "util/configparser.y" { OUTYY(("P(server_ssl_port:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -4234,21 +3700,21 @@ else cfg_parser->cfg->ssl_port = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4238 "util/configparser.c" +#line 3704 "util/configparser.c" break; - case 346: -#line 975 "util/configparser.y" + case 369: /* server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG */ +#line 1026 "util/configparser.y" { OUTYY(("P(server_tls_cert_bundle:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->tls_cert_bundle); cfg_parser->cfg->tls_cert_bundle = (yyvsp0.str); } -#line 4248 "util/configparser.c" +#line 3714 "util/configparser.c" break; - case 347: -#line 982 "util/configparser.y" + case 370: /* server_tls_win_cert: VAR_TLS_WIN_CERT STRING_ARG */ +#line 1033 "util/configparser.y" { OUTYY(("P(server_tls_win_cert:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4256,53 +3722,53 @@ else cfg_parser->cfg->tls_win_cert = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4260 "util/configparser.c" +#line 3726 "util/configparser.c" break; - case 348: -#line 991 "util/configparser.y" + case 371: /* server_tls_additional_port: VAR_TLS_ADDITIONAL_PORT STRING_ARG */ +#line 1042 "util/configparser.y" { OUTYY(("P(server_tls_additional_port:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->tls_additional_port, (yyvsp0.str))) yyerror("out of memory"); } -#line 4271 "util/configparser.c" +#line 3737 "util/configparser.c" break; - case 349: -#line 999 "util/configparser.y" + case 372: /* server_tls_ciphers: VAR_TLS_CIPHERS STRING_ARG */ +#line 1050 "util/configparser.y" { OUTYY(("P(server_tls_ciphers:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->tls_ciphers); cfg_parser->cfg->tls_ciphers = (yyvsp0.str); } -#line 4281 "util/configparser.c" +#line 3747 "util/configparser.c" break; - case 350: -#line 1006 "util/configparser.y" + case 373: /* server_tls_ciphersuites: VAR_TLS_CIPHERSUITES STRING_ARG */ +#line 1057 "util/configparser.y" { OUTYY(("P(server_tls_ciphersuites:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->tls_ciphersuites); cfg_parser->cfg->tls_ciphersuites = (yyvsp0.str); } -#line 4291 "util/configparser.c" +#line 3757 "util/configparser.c" break; - case 351: -#line 1013 "util/configparser.y" + case 374: /* server_tls_session_ticket_keys: VAR_TLS_SESSION_TICKET_KEYS STRING_ARG */ +#line 1064 "util/configparser.y" { OUTYY(("P(server_tls_session_ticket_keys:%s)\n", (yyvsp0.str))); if(!cfg_strlist_append(&cfg_parser->cfg->tls_session_ticket_keys, (yyvsp0.str))) yyerror("out of memory"); } -#line 4302 "util/configparser.c" +#line 3768 "util/configparser.c" break; - case 352: -#line 1021 "util/configparser.y" + case 375: /* server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG */ +#line 1072 "util/configparser.y" { OUTYY(("P(server_tls_use_sni:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && 
strcmp((yyvsp0.str), "no") != 0) @@ -4310,11 +3776,11 @@ else cfg_parser->cfg->tls_use_sni = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4314 "util/configparser.c" +#line 3780 "util/configparser.c" break; - case 353: -#line 1030 "util/configparser.y" + case 376: /* server_https_port: VAR_HTTPS_PORT STRING_ARG */ +#line 1081 "util/configparser.y" { OUTYY(("P(server_https_port:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -4322,11 +3788,11 @@ else cfg_parser->cfg->https_port = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4326 "util/configparser.c" +#line 3792 "util/configparser.c" break; - case 354: -#line 1038 "util/configparser.y" + case 377: /* server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG */ +#line 1089 "util/configparser.y" { OUTYY(("P(server_http_endpoint:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->http_endpoint); @@ -4342,11 +3808,11 @@ cfg_parser->cfg->http_endpoint = (yyvsp0.str); } } -#line 4346 "util/configparser.c" +#line 3812 "util/configparser.c" break; - case 355: -#line 1054 "util/configparser.y" + case 378: /* server_http_max_streams: VAR_HTTP_MAX_STREAMS STRING_ARG */ +#line 1105 "util/configparser.y" { OUTYY(("P(server_http_max_streams:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -4354,11 +3820,11 @@ else cfg_parser->cfg->http_max_streams = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4358 "util/configparser.c" +#line 3824 "util/configparser.c" break; - case 356: -#line 1062 "util/configparser.y" + case 379: /* server_http_query_buffer_size: VAR_HTTP_QUERY_BUFFER_SIZE STRING_ARG */ +#line 1113 "util/configparser.y" { OUTYY(("P(server_http_query_buffer_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), 
@@ -4366,11 +3832,11 @@ yyerror("memory size expected"); free((yyvsp0.str)); } -#line 4370 "util/configparser.c" +#line 3836 "util/configparser.c" break; - case 357: -#line 1070 "util/configparser.y" + case 380: /* server_http_response_buffer_size: VAR_HTTP_RESPONSE_BUFFER_SIZE STRING_ARG */ +#line 1121 "util/configparser.y" { OUTYY(("P(server_http_response_buffer_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), @@ -4378,11 +3844,11 @@ yyerror("memory size expected"); free((yyvsp0.str)); } -#line 4382 "util/configparser.c" +#line 3848 "util/configparser.c" break; - case 358: -#line 1078 "util/configparser.y" + case 381: /* server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG */ +#line 1129 "util/configparser.y" { OUTYY(("P(server_http_nodelay:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4390,11 +3856,11 @@ else cfg_parser->cfg->http_nodelay = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4394 "util/configparser.c" +#line 3860 "util/configparser.c" break; - case 359: -#line 1086 "util/configparser.y" + case 382: /* server_http_notls_downstream: VAR_HTTP_NOTLS_DOWNSTREAM STRING_ARG */ +#line 1137 "util/configparser.y" { OUTYY(("P(server_http_notls_downstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4402,11 +3868,11 @@ else cfg_parser->cfg->http_notls_downstream = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4406 "util/configparser.c" +#line 3872 "util/configparser.c" break; - case 360: -#line 1094 "util/configparser.y" + case 383: /* server_use_systemd: VAR_USE_SYSTEMD STRING_ARG */ +#line 1145 "util/configparser.y" { OUTYY(("P(server_use_systemd:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4414,11 +3880,11 @@ else cfg_parser->cfg->use_systemd = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4418 "util/configparser.c" +#line 3884 "util/configparser.c" break; - case 361: -#line 1103 "util/configparser.y" + case 384: /* server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG */ +#line 1154 "util/configparser.y" { OUTYY(("P(server_do_daemonize:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4426,11 +3892,11 @@ else cfg_parser->cfg->do_daemonize = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4430 "util/configparser.c" +#line 3896 "util/configparser.c" break; - case 362: -#line 1112 "util/configparser.y" + case 385: /* server_use_syslog: VAR_USE_SYSLOG STRING_ARG */ +#line 1163 "util/configparser.y" { OUTYY(("P(server_use_syslog:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4443,11 +3909,11 @@ #endif free((yyvsp0.str)); } -#line 4447 "util/configparser.c" +#line 3913 "util/configparser.c" break; - case 363: -#line 1126 "util/configparser.y" + case 386: /* server_log_time_ascii: VAR_LOG_TIME_ASCII STRING_ARG */ +#line 1177 "util/configparser.y" { OUTYY(("P(server_log_time_ascii:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4455,11 +3921,11 @@ else cfg_parser->cfg->log_time_ascii = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4459 "util/configparser.c" +#line 3925 "util/configparser.c" break; - case 364: -#line 1135 "util/configparser.y" + case 387: /* server_log_queries: VAR_LOG_QUERIES STRING_ARG */ +#line 1186 "util/configparser.y" { OUTYY(("P(server_log_queries:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4467,35 +3933,35 @@ else cfg_parser->cfg->log_queries = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4471 "util/configparser.c" +#line 3937 "util/configparser.c" break; - case 365: -#line 1144 "util/configparser.y" - { - OUTYY(("P(server_log_replies:%s)\n", (yyvsp0.str))); - if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_replies = (strcmp((yyvsp0.str), "yes")==0); - free((yyvsp0.str)); - } -#line 4483 "util/configparser.c" + case 388: /* server_log_replies: VAR_LOG_REPLIES STRING_ARG */ +#line 1195 "util/configparser.y" + { + OUTYY(("P(server_log_replies:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_replies = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 3949 "util/configparser.c" break; - case 366: -#line 1153 "util/configparser.y" - { - OUTYY(("P(server_log_tag_queryreply:%s)\n", (yyvsp0.str))); - if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_tag_queryreply = (strcmp((yyvsp0.str), "yes")==0); - free((yyvsp0.str)); - } -#line 4495 "util/configparser.c" + case 389: /* server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG */ +#line 1204 "util/configparser.y" + { + OUTYY(("P(server_log_tag_queryreply:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_tag_queryreply = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 3961 "util/configparser.c" break; - case 367: -#line 1162 "util/configparser.y" + case 390: /* server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG */ +#line 1213 "util/configparser.y" { OUTYY(("P(server_log_servfail:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), 
"no") != 0) @@ -4503,43 +3969,43 @@ else cfg_parser->cfg->log_servfail = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4507 "util/configparser.c" +#line 3973 "util/configparser.c" break; - case 368: -#line 1171 "util/configparser.y" - { - OUTYY(("P(server_log_local_actions:%s)\n", (yyvsp0.str))); - if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_local_actions = (strcmp((yyvsp0.str), "yes")==0); - free((yyvsp0.str)); - } -#line 4519 "util/configparser.c" + case 391: /* server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG */ +#line 1222 "util/configparser.y" + { + OUTYY(("P(server_log_local_actions:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_local_actions = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 3985 "util/configparser.c" break; - case 369: -#line 1180 "util/configparser.y" + case 392: /* server_chroot: VAR_CHROOT STRING_ARG */ +#line 1231 "util/configparser.y" { OUTYY(("P(server_chroot:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->chrootdir); cfg_parser->cfg->chrootdir = (yyvsp0.str); } -#line 4529 "util/configparser.c" +#line 3995 "util/configparser.c" break; - case 370: -#line 1187 "util/configparser.y" + case 393: /* server_username: VAR_USERNAME STRING_ARG */ +#line 1238 "util/configparser.y" { OUTYY(("P(server_username:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->username); cfg_parser->cfg->username = (yyvsp0.str); } -#line 4539 "util/configparser.c" +#line 4005 "util/configparser.c" break; - case 371: -#line 1194 "util/configparser.y" + case 394: /* server_directory: VAR_DIRECTORY STRING_ARG */ +#line 1245 "util/configparser.y" { OUTYY(("P(server_directory:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->directory); 
@@ -4558,111 +4024,111 @@ cfg_parser->chroot)) == 0) d += strlen(cfg_parser->chroot); if(d0) { - if(chdir(d)) + if(chdir(d)) log_err("cannot chdir to directory: %s (%s)", d, strerror(errno)); } } } -#line 4568 "util/configparser.c" +#line 4034 "util/configparser.c" break; - case 372: -#line 1220 "util/configparser.y" + case 395: /* server_logfile: VAR_LOGFILE STRING_ARG */ +#line 1271 "util/configparser.y" { OUTYY(("P(server_logfile:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->logfile); cfg_parser->cfg->logfile = (yyvsp0.str); cfg_parser->cfg->use_syslog = 0; } -#line 4579 "util/configparser.c" +#line 4045 "util/configparser.c" break; - case 373: -#line 1228 "util/configparser.y" + case 396: /* server_pidfile: VAR_PIDFILE STRING_ARG */ +#line 1279 "util/configparser.y" { OUTYY(("P(server_pidfile:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->pidfile); cfg_parser->cfg->pidfile = (yyvsp0.str); } -#line 4589 "util/configparser.c" +#line 4055 "util/configparser.c" break; - case 374: -#line 1235 "util/configparser.y" + case 397: /* server_root_hints: VAR_ROOT_HINTS STRING_ARG */ +#line 1286 "util/configparser.y" { OUTYY(("P(server_root_hints:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->root_hints, (yyvsp0.str))) yyerror("out of memory"); } -#line 4599 "util/configparser.c" +#line 4065 "util/configparser.c" break; - case 375: -#line 1242 "util/configparser.y" + case 398: /* server_dlv_anchor_file: VAR_DLV_ANCHOR_FILE STRING_ARG */ +#line 1293 "util/configparser.y" { OUTYY(("P(server_dlv_anchor_file:%s)\n", (yyvsp0.str))); log_warn("option dlv-anchor-file ignored: DLV is decommissioned"); free((yyvsp0.str)); } -#line 4609 "util/configparser.c" +#line 4075 "util/configparser.c" break; - case 376: -#line 1249 "util/configparser.y" + case 399: /* server_dlv_anchor: VAR_DLV_ANCHOR STRING_ARG */ +#line 1300 "util/configparser.y" { OUTYY(("P(server_dlv_anchor:%s)\n", (yyvsp0.str))); log_warn("option dlv-anchor ignored: DLV is decommissioned"); 
free((yyvsp0.str)); } -#line 4619 "util/configparser.c" +#line 4085 "util/configparser.c" break; - case 377: -#line 1256 "util/configparser.y" + case 400: /* server_auto_trust_anchor_file: VAR_AUTO_TRUST_ANCHOR_FILE STRING_ARG */ +#line 1307 "util/configparser.y" { OUTYY(("P(server_auto_trust_anchor_file:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg-> auto_trust_anchor_file_list, (yyvsp0.str))) yyerror("out of memory"); } -#line 4630 "util/configparser.c" +#line 4096 "util/configparser.c" break; - case 378: -#line 1264 "util/configparser.y" + case 401: /* server_trust_anchor_file: VAR_TRUST_ANCHOR_FILE STRING_ARG */ +#line 1315 "util/configparser.y" { OUTYY(("P(server_trust_anchor_file:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg-> trust_anchor_file_list, (yyvsp0.str))) yyerror("out of memory"); } -#line 4641 "util/configparser.c" +#line 4107 "util/configparser.c" break; - case 379: -#line 1272 "util/configparser.y" + case 402: /* server_trusted_keys_file: VAR_TRUSTED_KEYS_FILE STRING_ARG */ +#line 1323 "util/configparser.y" { OUTYY(("P(server_trusted_keys_file:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg-> trusted_keys_file_list, (yyvsp0.str))) yyerror("out of memory"); } -#line 4652 "util/configparser.c" +#line 4118 "util/configparser.c" break; - case 380: -#line 1280 "util/configparser.y" + case 403: /* server_trust_anchor: VAR_TRUST_ANCHOR STRING_ARG */ +#line 1331 "util/configparser.y" { OUTYY(("P(server_trust_anchor:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->trust_anchor_list, (yyvsp0.str))) yyerror("out of memory"); } -#line 4662 "util/configparser.c" +#line 4128 "util/configparser.c" break; - case 381: -#line 1287 "util/configparser.y" + case 404: /* server_trust_anchor_signaling: VAR_TRUST_ANCHOR_SIGNALING STRING_ARG */ +#line 1338 "util/configparser.y" { OUTYY(("P(server_trust_anchor_signaling:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), 
"no") != 0) @@ -4672,11 +4138,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4676 "util/configparser.c" +#line 4142 "util/configparser.c" break; - case 382: -#line 1298 "util/configparser.y" + case 405: /* server_root_key_sentinel: VAR_ROOT_KEY_SENTINEL STRING_ARG */ +#line 1349 "util/configparser.y" { OUTYY(("P(server_root_key_sentinel:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4686,21 +4152,21 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4690 "util/configparser.c" +#line 4156 "util/configparser.c" break; - case 383: -#line 1309 "util/configparser.y" + case 406: /* server_domain_insecure: VAR_DOMAIN_INSECURE STRING_ARG */ +#line 1360 "util/configparser.y" { OUTYY(("P(server_domain_insecure:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->domain_insecure, (yyvsp0.str))) yyerror("out of memory"); } -#line 4700 "util/configparser.c" +#line 4166 "util/configparser.c" break; - case 384: -#line 1316 "util/configparser.y" + case 407: /* server_hide_identity: VAR_HIDE_IDENTITY STRING_ARG */ +#line 1367 "util/configparser.y" { OUTYY(("P(server_hide_identity:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4708,11 +4174,11 @@ else cfg_parser->cfg->hide_identity = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4712 "util/configparser.c" +#line 4178 "util/configparser.c" break; - case 385: -#line 1325 "util/configparser.y" + case 408: /* server_hide_version: VAR_HIDE_VERSION STRING_ARG */ +#line 1376 "util/configparser.y" { OUTYY(("P(server_hide_version:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4720,11 +4186,11 @@ else cfg_parser->cfg->hide_version = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4724 "util/configparser.c" +#line 4190 "util/configparser.c" break; - case 386: -#line 1334 "util/configparser.y" + case 409: /* server_hide_trustanchor: VAR_HIDE_TRUSTANCHOR STRING_ARG */ +#line 1385 "util/configparser.y" { OUTYY(("P(server_hide_trustanchor:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -4732,11 +4198,11 @@ else cfg_parser->cfg->hide_trustanchor = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4736 "util/configparser.c" +#line 4202 "util/configparser.c" break; - case 387: -#line 1343 "util/configparser.y" + case 410: /* server_hide_http_user_agent: VAR_HIDE_HTTP_USER_AGENT STRING_ARG */ +#line 1394 "util/configparser.y" { OUTYY(("P(server_hide_user_agent:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4744,41 +4210,41 @@ else cfg_parser->cfg->hide_http_user_agent = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4748 "util/configparser.c" +#line 4214 "util/configparser.c" break; - case 388: -#line 1352 "util/configparser.y" + case 411: /* server_identity: VAR_IDENTITY STRING_ARG */ +#line 1403 "util/configparser.y" { OUTYY(("P(server_identity:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->identity); cfg_parser->cfg->identity = (yyvsp0.str); } -#line 4758 "util/configparser.c" +#line 4224 "util/configparser.c" break; - case 389: -#line 1359 "util/configparser.y" + case 412: /* server_version: VAR_VERSION STRING_ARG */ +#line 1410 "util/configparser.y" { OUTYY(("P(server_version:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->version); cfg_parser->cfg->version = (yyvsp0.str); } -#line 4768 "util/configparser.c" +#line 4234 "util/configparser.c" break; - case 390: -#line 1366 "util/configparser.y" + case 413: /* server_http_user_agent: VAR_HTTP_USER_AGENT STRING_ARG */ +#line 1417 "util/configparser.y" { OUTYY(("P(server_http_user_agent:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->http_user_agent); cfg_parser->cfg->http_user_agent = (yyvsp0.str); } -#line 4778 "util/configparser.c" +#line 4244 "util/configparser.c" break; - case 391: -#line 1373 "util/configparser.y" + case 414: /* server_nsid: VAR_NSID STRING_ARG */ +#line 1424 "util/configparser.y" { OUTYY(("P(server_nsid:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->nsid_cfg_str); 
@@ -4793,72 +4259,72 @@ yyerror("the NSID must be either a hex string or an " "ascii character string prepended with ascii_."); } -#line 4797 "util/configparser.c" +#line 4263 "util/configparser.c" break; - case 392: -#line 1389 "util/configparser.y" + case 415: /* server_so_rcvbuf: VAR_SO_RCVBUF STRING_ARG */ +#line 1440 "util/configparser.y" { OUTYY(("P(server_so_rcvbuf:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->so_rcvbuf)) yyerror("buffer size expected"); free((yyvsp0.str)); } -#line 4808 "util/configparser.c" +#line 4274 "util/configparser.c" break; - case 393: -#line 1397 "util/configparser.y" + case 416: /* server_so_sndbuf: VAR_SO_SNDBUF STRING_ARG */ +#line 1448 "util/configparser.y" { OUTYY(("P(server_so_sndbuf:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->so_sndbuf)) yyerror("buffer size expected"); free((yyvsp0.str)); } -#line 4819 "util/configparser.c" +#line 4285 "util/configparser.c" break; - case 394: -#line 1405 "util/configparser.y" - { - OUTYY(("P(server_so_reuseport:%s)\n", (yyvsp0.str))); - if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->so_reuseport = - (strcmp((yyvsp0.str), "yes")==0); - free((yyvsp0.str)); - } -#line 4832 "util/configparser.c" + case 417: /* server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG */ +#line 1456 "util/configparser.y" + { + OUTYY(("P(server_so_reuseport:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->so_reuseport = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 4298 "util/configparser.c" break; - case 395: -#line 1415 "util/configparser.y" - { - OUTYY(("P(server_ip_transparent:%s)\n", (yyvsp0.str))); - if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_transparent 
= - (strcmp((yyvsp0.str), "yes")==0); - free((yyvsp0.str)); - } -#line 4845 "util/configparser.c" + case 418: /* server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG */ +#line 1466 "util/configparser.y" + { + OUTYY(("P(server_ip_transparent:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_transparent = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 4311 "util/configparser.c" break; - case 396: -#line 1425 "util/configparser.y" - { - OUTYY(("P(server_ip_freebind:%s)\n", (yyvsp0.str))); - if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_freebind = - (strcmp((yyvsp0.str), "yes")==0); - free((yyvsp0.str)); - } -#line 4858 "util/configparser.c" + case 419: /* server_ip_freebind: VAR_IP_FREEBIND STRING_ARG */ +#line 1476 "util/configparser.y" + { + OUTYY(("P(server_ip_freebind:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_freebind = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 4324 "util/configparser.c" break; - case 397: -#line 1435 "util/configparser.y" + case 420: /* server_ip_dscp: VAR_IP_DSCP STRING_ARG */ +#line 1486 "util/configparser.y" { OUTYY(("P(server_ip_dscp:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -4871,22 +4337,22 @@ cfg_parser->cfg->ip_dscp = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4875 "util/configparser.c" +#line 4341 "util/configparser.c" break; - case 398: -#line 1449 "util/configparser.y" + case 421: /* server_stream_wait_size: VAR_STREAM_WAIT_SIZE STRING_ARG */ +#line 1500 "util/configparser.y" { OUTYY(("P(server_stream_wait_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->stream_wait_size)) yyerror("memory size expected"); free((yyvsp0.str)); } -#line 4886 "util/configparser.c" +#line 4352 "util/configparser.c" break; - case 399: -#line 1457 "util/configparser.y" + case 422: /* server_edns_buffer_size: VAR_EDNS_BUFFER_SIZE STRING_ARG */ +#line 1508 "util/configparser.y" { OUTYY(("P(server_edns_buffer_size:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -4898,11 +4364,11 @@ else cfg_parser->cfg->edns_buffer_size = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4902 "util/configparser.c" +#line 4368 "util/configparser.c" break; - case 400: -#line 1470 "util/configparser.y" + case 423: /* server_msg_buffer_size: VAR_MSG_BUFFER_SIZE STRING_ARG */ +#line 1521 "util/configparser.y" { OUTYY(("P(server_msg_buffer_size:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) 
@@ -4912,38 +4378,38 @@ else cfg_parser->cfg->msg_buffer_size = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4916 "util/configparser.c" +#line 4382 "util/configparser.c" break; - case 401: -#line 1481 "util/configparser.y" + case 424: /* server_msg_cache_size: VAR_MSG_CACHE_SIZE STRING_ARG */ +#line 1532 "util/configparser.y" { OUTYY(("P(server_msg_cache_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->msg_cache_size)) yyerror("memory size expected"); free((yyvsp0.str)); } -#line 4927 "util/configparser.c" +#line 4393 "util/configparser.c" break; - case 402: -#line 1489 "util/configparser.y" + case 425: /* server_msg_cache_slabs: VAR_MSG_CACHE_SLABS STRING_ARG */ +#line 1540 "util/configparser.y" { OUTYY(("P(server_msg_cache_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) + if(atoi((yyvsp0.str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->msg_cache_slabs = atoi((yyvsp0.str)); if(!is_pow2(cfg_parser->cfg->msg_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp0.str)); } -#line 4943 "util/configparser.c" +#line 4409 "util/configparser.c" break; - case 403: -#line 1502 "util/configparser.y" + case 426: /* server_num_queries_per_thread: VAR_NUM_QUERIES_PER_THREAD STRING_ARG */ +#line 1553 "util/configparser.y" { OUTYY(("P(server_num_queries_per_thread:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -4951,11 +4417,11 @@ else cfg_parser->cfg->num_queries_per_thread = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4955 "util/configparser.c" +#line 4421 "util/configparser.c" break; - case 404: -#line 1511 "util/configparser.y" + case 427: /* server_jostle_timeout: VAR_JOSTLE_TIMEOUT STRING_ARG */ +#line 1562 "util/configparser.y" { OUTYY(("P(server_jostle_timeout:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -4963,11 +4429,11 @@ else cfg_parser->cfg->jostle_time = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4967 "util/configparser.c" +#line 4433 "util/configparser.c" break; - case 405: -#line 1520 "util/configparser.y" + case 428: /* server_delay_close: VAR_DELAY_CLOSE STRING_ARG */ +#line 1571 "util/configparser.y" { OUTYY(("P(server_delay_close:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -4975,11 +4441,11 @@ else cfg_parser->cfg->delay_close = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 4979 "util/configparser.c" +#line 4445 "util/configparser.c" break; - case 406: -#line 1529 "util/configparser.y" + case 429: /* server_udp_connect: VAR_UDP_CONNECT STRING_ARG */ +#line 1580 "util/configparser.y" { OUTYY(("P(server_udp_connect:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -4987,64 +4453,64 @@ else cfg_parser->cfg->udp_connect = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 4991 "util/configparser.c" +#line 4457 "util/configparser.c" break; - case 407: -#line 1538 "util/configparser.y" + case 430: /* server_unblock_lan_zones: VAR_UNBLOCK_LAN_ZONES STRING_ARG */ +#line 1589 "util/configparser.y" { OUTYY(("P(server_unblock_lan_zones:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->unblock_lan_zones = + else cfg_parser->cfg->unblock_lan_zones = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5004 "util/configparser.c" +#line 4470 "util/configparser.c" break; - case 408: -#line 1548 "util/configparser.y" + case 431: /* server_insecure_lan_zones: VAR_INSECURE_LAN_ZONES STRING_ARG */ +#line 1599 "util/configparser.y" { OUTYY(("P(server_insecure_lan_zones:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->insecure_lan_zones = + else cfg_parser->cfg->insecure_lan_zones = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5017 "util/configparser.c" +#line 4483 "util/configparser.c" break; - case 409: -#line 1558 "util/configparser.y" + case 432: /* server_rrset_cache_size: VAR_RRSET_CACHE_SIZE STRING_ARG */ +#line 1609 "util/configparser.y" { OUTYY(("P(server_rrset_cache_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->rrset_cache_size)) yyerror("memory size expected"); free((yyvsp0.str)); } -#line 5028 "util/configparser.c" +#line 4494 "util/configparser.c" break; - case 410: -#line 1566 "util/configparser.y" + case 433: /* server_rrset_cache_slabs: VAR_RRSET_CACHE_SLABS STRING_ARG */ +#line 1617 "util/configparser.y" { OUTYY(("P(server_rrset_cache_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) + if(atoi((yyvsp0.str)) == 0) { yyerror("number 
expected"); - else { + } else { cfg_parser->cfg->rrset_cache_slabs = atoi((yyvsp0.str)); if(!is_pow2(cfg_parser->cfg->rrset_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp0.str)); } -#line 5044 "util/configparser.c" +#line 4510 "util/configparser.c" break; - case 411: -#line 1579 "util/configparser.y" + case 434: /* server_infra_host_ttl: VAR_INFRA_HOST_TTL STRING_ARG */ +#line 1630 "util/configparser.y" { OUTYY(("P(server_infra_host_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5052,22 +4518,22 @@ else cfg_parser->cfg->host_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5056 "util/configparser.c" +#line 4522 "util/configparser.c" break; - case 412: -#line 1588 "util/configparser.y" + case 435: /* server_infra_lame_ttl: VAR_INFRA_LAME_TTL STRING_ARG */ +#line 1639 "util/configparser.y" { OUTYY(("P(server_infra_lame_ttl:%s)\n", (yyvsp0.str))); verbose(VERB_DETAIL, "ignored infra-lame-ttl: %s (option " "removed, use infra-host-ttl)", (yyvsp0.str)); free((yyvsp0.str)); } -#line 5067 "util/configparser.c" +#line 4533 "util/configparser.c" break; - case 413: -#line 1596 "util/configparser.y" + case 436: /* server_infra_cache_numhosts: VAR_INFRA_CACHE_NUMHOSTS STRING_ARG */ +#line 1647 "util/configparser.y" { OUTYY(("P(server_infra_cache_numhosts:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) 
@@ -5075,38 +4541,38 @@ else cfg_parser->cfg->infra_cache_numhosts = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5079 "util/configparser.c" +#line 4545 "util/configparser.c" break; - case 414: -#line 1605 "util/configparser.y" + case 437: /* server_infra_cache_lame_size: VAR_INFRA_CACHE_LAME_SIZE STRING_ARG */ +#line 1656 "util/configparser.y" { OUTYY(("P(server_infra_cache_lame_size:%s)\n", (yyvsp0.str))); verbose(VERB_DETAIL, "ignored infra-cache-lame-size: %s " "(option removed, use infra-cache-numhosts)", (yyvsp0.str)); free((yyvsp0.str)); } -#line 5090 "util/configparser.c" +#line 4556 "util/configparser.c" break; - case 415: -#line 1613 "util/configparser.y" + case 438: /* server_infra_cache_slabs: VAR_INFRA_CACHE_SLABS STRING_ARG */ +#line 1664 "util/configparser.y" { OUTYY(("P(server_infra_cache_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) + if(atoi((yyvsp0.str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->infra_cache_slabs = atoi((yyvsp0.str)); if(!is_pow2(cfg_parser->cfg->infra_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp0.str)); } -#line 5106 "util/configparser.c" +#line 4572 "util/configparser.c" break; - case 416: -#line 1626 "util/configparser.y" + case 439: /* server_infra_cache_min_rtt: VAR_INFRA_CACHE_MIN_RTT STRING_ARG */ +#line 1677 "util/configparser.y" { OUTYY(("P(server_infra_cache_min_rtt:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -5114,11 +4580,23 @@ else cfg_parser->cfg->infra_cache_min_rtt = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5118 "util/configparser.c" +#line 4584 "util/configparser.c" + break; + + case 440: /* server_infra_cache_max_rtt: VAR_INFRA_CACHE_MAX_RTT STRING_ARG */ +#line 1686 "util/configparser.y" + { + OUTYY(("P(server_infra_cache_max_rtt:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->infra_cache_max_rtt = atoi((yyvsp0.str)); + free((yyvsp0.str)); + } +#line 4596 "util/configparser.c" break; - case 417: -#line 1635 "util/configparser.y" + case 441: /* server_infra_keep_probing: VAR_INFRA_KEEP_PROBING STRING_ARG */ +#line 1695 "util/configparser.y" { OUTYY(("P(server_infra_keep_probing:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5127,155 +4605,155 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5131 "util/configparser.c" +#line 4609 "util/configparser.c" break; - case 418: -#line 1645 "util/configparser.y" + case 442: /* server_target_fetch_policy: VAR_TARGET_FETCH_POLICY STRING_ARG */ +#line 1705 "util/configparser.y" { OUTYY(("P(server_target_fetch_policy:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->target_fetch_policy); cfg_parser->cfg->target_fetch_policy = (yyvsp0.str); } -#line 5141 "util/configparser.c" +#line 4619 "util/configparser.c" break; - case 419: -#line 1652 "util/configparser.y" + case 443: /* server_harden_short_bufsize: VAR_HARDEN_SHORT_BUFSIZE STRING_ARG */ +#line 1712 "util/configparser.y" { OUTYY(("P(server_harden_short_bufsize:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_short_bufsize = + else cfg_parser->cfg->harden_short_bufsize = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5154 "util/configparser.c" +#line 4632 "util/configparser.c" break; - case 420: -#line 1662 "util/configparser.y" + case 444: /* server_harden_large_queries: VAR_HARDEN_LARGE_QUERIES STRING_ARG */ +#line 1722 "util/configparser.y" { OUTYY(("P(server_harden_large_queries:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_large_queries = + else cfg_parser->cfg->harden_large_queries = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5167 "util/configparser.c" +#line 4645 "util/configparser.c" break; - case 421: -#line 1672 "util/configparser.y" + case 445: /* server_harden_glue: VAR_HARDEN_GLUE STRING_ARG */ +#line 1732 "util/configparser.y" { OUTYY(("P(server_harden_glue:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else 
cfg_parser->cfg->harden_glue = + else cfg_parser->cfg->harden_glue = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5180 "util/configparser.c" +#line 4658 "util/configparser.c" break; - case 422: -#line 1682 "util/configparser.y" + case 446: /* server_harden_dnssec_stripped: VAR_HARDEN_DNSSEC_STRIPPED STRING_ARG */ +#line 1742 "util/configparser.y" { OUTYY(("P(server_harden_dnssec_stripped:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_dnssec_stripped = + else cfg_parser->cfg->harden_dnssec_stripped = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5193 "util/configparser.c" +#line 4671 "util/configparser.c" break; - case 423: -#line 1692 "util/configparser.y" + case 447: /* server_harden_below_nxdomain: VAR_HARDEN_BELOW_NXDOMAIN STRING_ARG */ +#line 1752 "util/configparser.y" { OUTYY(("P(server_harden_below_nxdomain:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_below_nxdomain = + else cfg_parser->cfg->harden_below_nxdomain = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5206 "util/configparser.c" +#line 4684 "util/configparser.c" break; - case 424: -#line 1702 "util/configparser.y" + case 448: /* server_harden_referral_path: VAR_HARDEN_REFERRAL_PATH STRING_ARG */ +#line 1762 "util/configparser.y" { OUTYY(("P(server_harden_referral_path:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_referral_path = + else cfg_parser->cfg->harden_referral_path = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5219 "util/configparser.c" +#line 4697 "util/configparser.c" break; - case 425: -#line 1712 "util/configparser.y" + case 449: /* server_harden_algo_downgrade: VAR_HARDEN_ALGO_DOWNGRADE 
STRING_ARG */ +#line 1772 "util/configparser.y" { OUTYY(("P(server_harden_algo_downgrade:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_algo_downgrade = + else cfg_parser->cfg->harden_algo_downgrade = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5232 "util/configparser.c" +#line 4710 "util/configparser.c" break; - case 426: -#line 1722 "util/configparser.y" + case 450: /* server_use_caps_for_id: VAR_USE_CAPS_FOR_ID STRING_ARG */ +#line 1782 "util/configparser.y" { OUTYY(("P(server_use_caps_for_id:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->use_caps_bits_for_id = + else cfg_parser->cfg->use_caps_bits_for_id = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5245 "util/configparser.c" +#line 4723 "util/configparser.c" break; - case 427: -#line 1732 "util/configparser.y" + case 451: /* server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG */ +#line 1792 "util/configparser.y" { OUTYY(("P(server_caps_whitelist:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->caps_whitelist, (yyvsp0.str))) yyerror("out of memory"); } -#line 5255 "util/configparser.c" +#line 4733 "util/configparser.c" break; - case 428: -#line 1739 "util/configparser.y" + case 452: /* server_private_address: VAR_PRIVATE_ADDRESS STRING_ARG */ +#line 1799 "util/configparser.y" { OUTYY(("P(server_private_address:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->private_address, (yyvsp0.str))) yyerror("out of memory"); } -#line 5265 "util/configparser.c" +#line 4743 "util/configparser.c" break; - case 429: -#line 1746 "util/configparser.y" + case 453: /* server_private_domain: VAR_PRIVATE_DOMAIN STRING_ARG */ +#line 1806 "util/configparser.y" { OUTYY(("P(server_private_domain:%s)\n", (yyvsp0.str))); 
if(!cfg_strlist_insert(&cfg_parser->cfg->private_domain, (yyvsp0.str))) yyerror("out of memory"); } -#line 5275 "util/configparser.c" +#line 4753 "util/configparser.c" break; - case 430: -#line 1753 "util/configparser.y" + case 454: /* server_prefetch: VAR_PREFETCH STRING_ARG */ +#line 1813 "util/configparser.y" { OUTYY(("P(server_prefetch:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5283,11 +4761,11 @@ else cfg_parser->cfg->prefetch = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5287 "util/configparser.c" +#line 4765 "util/configparser.c" break; - case 431: -#line 1762 "util/configparser.y" + case 455: /* server_prefetch_key: VAR_PREFETCH_KEY STRING_ARG */ +#line 1822 "util/configparser.y" { OUTYY(("P(server_prefetch_key:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5295,11 +4773,11 @@ else cfg_parser->cfg->prefetch_key = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5299 "util/configparser.c" +#line 4777 "util/configparser.c" break; - case 432: -#line 1771 "util/configparser.y" + case 456: /* server_deny_any: VAR_DENY_ANY STRING_ARG */ +#line 1831 "util/configparser.y" { OUTYY(("P(server_deny_any:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5307,11 +4785,11 @@ else cfg_parser->cfg->deny_any = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5311 "util/configparser.c" +#line 4789 "util/configparser.c" break; - case 433: -#line 1780 "util/configparser.y" + case 457: /* server_unwanted_reply_threshold: VAR_UNWANTED_REPLY_THRESHOLD STRING_ARG */ +#line 1840 "util/configparser.y" { OUTYY(("P(server_unwanted_reply_threshold:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -5319,73 +4797,73 @@ else cfg_parser->cfg->unwanted_threshold = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5323 "util/configparser.c" +#line 4801 "util/configparser.c" break; - case 434: -#line 1789 "util/configparser.y" + case 458: /* server_do_not_query_address: VAR_DO_NOT_QUERY_ADDRESS STRING_ARG */ +#line 1849 "util/configparser.y" { OUTYY(("P(server_do_not_query_address:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->donotqueryaddrs, (yyvsp0.str))) yyerror("out of memory"); } -#line 5333 "util/configparser.c" +#line 4811 "util/configparser.c" break; - case 435: -#line 1796 "util/configparser.y" + case 459: /* server_do_not_query_localhost: VAR_DO_NOT_QUERY_LOCALHOST STRING_ARG */ +#line 1856 "util/configparser.y" { OUTYY(("P(server_do_not_query_localhost:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->donotquery_localhost = + else cfg_parser->cfg->donotquery_localhost = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5346 "util/configparser.c" +#line 4824 "util/configparser.c" break; - case 436: -#line 1806 "util/configparser.y" + case 460: /* server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG */ +#line 1866 "util/configparser.y" { OUTYY(("P(server_access_control:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); - if(strcmp((yyvsp0.str), "deny")!=0 && strcmp((yyvsp0.str), "refuse")!=0 && - strcmp((yyvsp0.str), "deny_non_local")!=0 && - strcmp((yyvsp0.str), "refuse_non_local")!=0 && - strcmp((yyvsp0.str), "allow_setrd")!=0 && - strcmp((yyvsp0.str), "allow")!=0 && - strcmp((yyvsp0.str), "allow_snoop")!=0) { - yyerror("expected deny, refuse, deny_non_local, " - "refuse_non_local, allow, allow_setrd or " - "allow_snoop in access control action"); - free((yyvsp-1.str)); - free((yyvsp0.str)); - } else { - if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp-1.str), (yyvsp0.str))) - fatal_exit("out of memory adding 
acl"); - } + validate_acl_action((yyvsp0.str)); + if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp-1.str), (yyvsp0.str))) + fatal_exit("out of memory adding acl"); } -#line 5369 "util/configparser.c" +#line 4835 "util/configparser.c" break; - case 437: -#line 1826 "util/configparser.y" + case 461: /* server_interface_action: VAR_INTERFACE_ACTION STRING_ARG STRING_ARG */ +#line 1874 "util/configparser.y" + { + OUTYY(("P(server_interface_action:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); + validate_acl_action((yyvsp0.str)); + if(!cfg_str2list_insert( + &cfg_parser->cfg->interface_actions, (yyvsp-1.str), (yyvsp0.str))) + fatal_exit("out of memory adding acl"); + } +#line 4847 "util/configparser.c" + break; + + case 462: /* server_module_conf: VAR_MODULE_CONF STRING_ARG */ +#line 1883 "util/configparser.y" { OUTYY(("P(server_module_conf:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->module_conf); cfg_parser->cfg->module_conf = (yyvsp0.str); } -#line 5379 "util/configparser.c" +#line 4857 "util/configparser.c" break; - case 438: -#line 1833 "util/configparser.y" + case 463: /* server_val_override_date: VAR_VAL_OVERRIDE_DATE STRING_ARG */ +#line 1890 "util/configparser.y" { OUTYY(("P(server_val_override_date:%s)\n", (yyvsp0.str))); if(*(yyvsp0.str) == '\0' || strcmp((yyvsp0.str), "0") == 0) { cfg_parser->cfg->val_date_override = 0; } else if(strlen((yyvsp0.str)) == 14) { - cfg_parser->cfg->val_date_override = + cfg_parser->cfg->val_date_override = cfg_convert_timeval((yyvsp0.str)); if(!cfg_parser->cfg->val_date_override) yyerror("bad date/time specification"); @@ -5396,11 +4874,11 @@ } free((yyvsp0.str)); } -#line 5400 "util/configparser.c" +#line 4878 "util/configparser.c" break; - case 439: -#line 1851 "util/configparser.y" + case 464: /* server_val_sig_skew_min: VAR_VAL_SIG_SKEW_MIN STRING_ARG */ +#line 1908 "util/configparser.y" { OUTYY(("P(server_val_sig_skew_min:%s)\n", (yyvsp0.str))); if(*(yyvsp0.str) == '\0' || strcmp((yyvsp0.str), "0") == 0) { 
@@ -5412,11 +4890,11 @@ } free((yyvsp0.str)); } -#line 5416 "util/configparser.c" +#line 4894 "util/configparser.c" break; - case 440: -#line 1864 "util/configparser.y" + case 465: /* server_val_sig_skew_max: VAR_VAL_SIG_SKEW_MAX STRING_ARG */ +#line 1921 "util/configparser.y" { OUTYY(("P(server_val_sig_skew_max:%s)\n", (yyvsp0.str))); if(*(yyvsp0.str) == '\0' || strcmp((yyvsp0.str), "0") == 0) { @@ -5428,11 +4906,11 @@ } free((yyvsp0.str)); } -#line 5432 "util/configparser.c" +#line 4910 "util/configparser.c" break; - case 441: -#line 1877 "util/configparser.y" + case 466: /* server_val_max_restart: VAR_VAL_MAX_RESTART STRING_ARG */ +#line 1934 "util/configparser.y" { OUTYY(("P(server_val_max_restart:%s)\n", (yyvsp0.str))); if(*(yyvsp0.str) == '\0' || strcmp((yyvsp0.str), "0") == 0) { @@ -5444,11 +4922,11 @@ } free((yyvsp0.str)); } -#line 5448 "util/configparser.c" +#line 4926 "util/configparser.c" break; - case 442: -#line 1890 "util/configparser.y" + case 467: /* server_cache_max_ttl: VAR_CACHE_MAX_TTL STRING_ARG */ +#line 1947 "util/configparser.y" { OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5456,11 +4934,11 @@ else cfg_parser->cfg->max_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5460 "util/configparser.c" +#line 4938 "util/configparser.c" break; - case 443: -#line 1899 "util/configparser.y" + case 468: /* server_cache_max_negative_ttl: VAR_CACHE_MAX_NEGATIVE_TTL STRING_ARG */ +#line 1956 "util/configparser.y" { OUTYY(("P(server_cache_max_negative_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -5468,11 +4946,11 @@ else cfg_parser->cfg->max_negative_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5472 "util/configparser.c" +#line 4950 "util/configparser.c" break; - case 444: -#line 1908 "util/configparser.y" + case 469: /* server_cache_min_ttl: VAR_CACHE_MIN_TTL STRING_ARG */ +#line 1965 "util/configparser.y" { OUTYY(("P(server_cache_min_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5480,11 +4958,11 @@ else cfg_parser->cfg->min_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5484 "util/configparser.c" +#line 4962 "util/configparser.c" break; - case 445: -#line 1917 "util/configparser.y" + case 470: /* server_bogus_ttl: VAR_BOGUS_TTL STRING_ARG */ +#line 1974 "util/configparser.y" { OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -5492,37 +4970,37 @@ else cfg_parser->cfg->bogus_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5496 "util/configparser.c" +#line 4974 "util/configparser.c" break; - case 446: -#line 1926 "util/configparser.y" + case 471: /* server_val_clean_additional: VAR_VAL_CLEAN_ADDITIONAL STRING_ARG */ +#line 1983 "util/configparser.y" { OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_clean_additional = + else cfg_parser->cfg->val_clean_additional = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5509 "util/configparser.c" +#line 4987 "util/configparser.c" break; - case 447: -#line 1936 "util/configparser.y" + case 472: /* server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG */ +#line 1993 "util/configparser.y" { OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_permissive_mode = + else cfg_parser->cfg->val_permissive_mode = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5522 "util/configparser.c" +#line 5000 "util/configparser.c" break; - case 448: -#line 1946 "util/configparser.y" + case 473: /* server_aggressive_nsec: VAR_AGGRESSIVE_NSEC STRING_ARG */ +#line 2003 "util/configparser.y" { OUTYY(("P(server_aggressive_nsec:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5532,11 +5010,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5536 "util/configparser.c" +#line 5014 "util/configparser.c" break; - case 449: -#line 1957 "util/configparser.y" + case 474: /* server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG */ +#line 2014 "util/configparser.y" { OUTYY(("P(server_ignore_cd_flag:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5544,11 +5022,11 @@ else cfg_parser->cfg->ignore_cd = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5548 "util/configparser.c" +#line 5026 "util/configparser.c" break; - case 450: -#line 1966 "util/configparser.y" + case 475: /* server_serve_expired: VAR_SERVE_EXPIRED STRING_ARG */ +#line 2023 "util/configparser.y" { OUTYY(("P(server_serve_expired:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5556,11 +5034,11 @@ else cfg_parser->cfg->serve_expired = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5560 "util/configparser.c" +#line 5038 "util/configparser.c" break; - case 451: -#line 1975 "util/configparser.y" + case 476: /* server_serve_expired_ttl: VAR_SERVE_EXPIRED_TTL STRING_ARG */ +#line 2032 "util/configparser.y" { OUTYY(("P(server_serve_expired_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5568,11 +5046,11 @@ else cfg_parser->cfg->serve_expired_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5572 "util/configparser.c" +#line 5050 "util/configparser.c" break; - case 452: -#line 1984 "util/configparser.y" + case 477: /* server_serve_expired_ttl_reset: VAR_SERVE_EXPIRED_TTL_RESET STRING_ARG */ +#line 2041 "util/configparser.y" { OUTYY(("P(server_serve_expired_ttl_reset:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5580,11 +5058,11 @@ else cfg_parser->cfg->serve_expired_ttl_reset = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5584 "util/configparser.c" +#line 5062 "util/configparser.c" break; - case 453: -#line 1993 "util/configparser.y" + case 478: /* server_serve_expired_reply_ttl: VAR_SERVE_EXPIRED_REPLY_TTL STRING_ARG */ +#line 2050 "util/configparser.y" { OUTYY(("P(server_serve_expired_reply_ttl:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5592,11 +5070,11 @@ else cfg_parser->cfg->serve_expired_reply_ttl = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5596 "util/configparser.c" +#line 5074 "util/configparser.c" break; - case 454: -#line 2002 "util/configparser.y" + case 479: /* server_serve_expired_client_timeout: VAR_SERVE_EXPIRED_CLIENT_TIMEOUT STRING_ARG */ +#line 2059 "util/configparser.y" { OUTYY(("P(server_serve_expired_client_timeout:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5604,11 +5082,23 @@ else cfg_parser->cfg->serve_expired_client_timeout = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5608 "util/configparser.c" +#line 5086 "util/configparser.c" break; - case 455: -#line 2011 "util/configparser.y" + case 480: /* server_ede_serve_expired: VAR_EDE_SERVE_EXPIRED STRING_ARG */ +#line 2068 "util/configparser.y" + { + OUTYY(("P(server_ede_serve_expired:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ede_serve_expired = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 5098 "util/configparser.c" + break; + + case 481: /* server_serve_original_ttl: VAR_SERVE_ORIGINAL_TTL STRING_ARG */ +#line 2077 "util/configparser.y" { OUTYY(("P(server_serve_original_ttl:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5616,11 +5106,11 @@ else cfg_parser->cfg->serve_original_ttl = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5620 "util/configparser.c" +#line 5110 "util/configparser.c" break; - case 456: -#line 2020 "util/configparser.y" + case 482: /* server_fake_dsa: VAR_FAKE_DSA STRING_ARG */ +#line 2086 "util/configparser.y" { OUTYY(("P(server_fake_dsa:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5632,11 +5122,11 @@ #endif free((yyvsp0.str)); } -#line 5636 "util/configparser.c" +#line 5126 "util/configparser.c" break; - case 457: -#line 2033 "util/configparser.y" + case 483: /* server_fake_sha1: VAR_FAKE_SHA1 STRING_ARG */ +#line 2099 "util/configparser.y" { OUTYY(("P(server_fake_sha1:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5648,11 +5138,11 @@ #endif free((yyvsp0.str)); } -#line 5652 "util/configparser.c" +#line 5142 "util/configparser.c" break; - case 458: -#line 2046 "util/configparser.y" + case 484: /* server_val_log_level: VAR_VAL_LOG_LEVEL STRING_ARG */ +#line 2112 "util/configparser.y" { OUTYY(("P(server_val_log_level:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -5660,21 +5150,21 @@ else cfg_parser->cfg->val_log_level = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5664 "util/configparser.c" +#line 5154 "util/configparser.c" break; - case 459: -#line 2055 "util/configparser.y" + case 485: /* server_val_nsec3_keysize_iterations: VAR_VAL_NSEC3_KEYSIZE_ITERATIONS STRING_ARG */ +#line 2121 "util/configparser.y" { OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->val_nsec3_key_iterations); cfg_parser->cfg->val_nsec3_key_iterations = (yyvsp0.str); } -#line 5674 "util/configparser.c" +#line 5164 "util/configparser.c" break; - case 460: -#line 2062 "util/configparser.y" + case 486: /* server_zonemd_permissive_mode: VAR_ZONEMD_PERMISSIVE_MODE STRING_ARG */ +#line 2128 "util/configparser.y" { OUTYY(("P(server_zonemd_permissive_mode:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5682,11 +5172,11 @@ else cfg_parser->cfg->zonemd_permissive_mode = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5686 "util/configparser.c" +#line 5176 "util/configparser.c" break; - case 461: -#line 2071 "util/configparser.y" + case 487: /* server_add_holddown: VAR_ADD_HOLDDOWN STRING_ARG */ +#line 2137 "util/configparser.y" { OUTYY(("P(server_add_holddown:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5694,11 +5184,11 @@ else cfg_parser->cfg->add_holddown = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5698 "util/configparser.c" +#line 5188 "util/configparser.c" break; - case 462: -#line 2080 "util/configparser.y" + case 488: /* server_del_holddown: VAR_DEL_HOLDDOWN STRING_ARG */ +#line 2146 "util/configparser.y" { OUTYY(("P(server_del_holddown:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -5706,11 +5196,11 @@ else cfg_parser->cfg->del_holddown = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5710 "util/configparser.c" +#line 5200 "util/configparser.c" break; - case 463: -#line 2089 "util/configparser.y" + case 489: /* server_keep_missing: VAR_KEEP_MISSING STRING_ARG */ +#line 2155 "util/configparser.y" { OUTYY(("P(server_keep_missing:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) @@ -5718,11 +5208,11 @@ else cfg_parser->cfg->keep_missing = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5722 "util/configparser.c" +#line 5212 "util/configparser.c" break; - case 464: -#line 2098 "util/configparser.y" + case 490: /* server_permit_small_holddown: VAR_PERMIT_SMALL_HOLDDOWN STRING_ARG */ +#line 2164 "util/configparser.y" { OUTYY(("P(server_permit_small_holddown:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5731,49 +5221,49 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5735 "util/configparser.c" +#line 5225 "util/configparser.c" break; - case 465: -#line 2107 "util/configparser.y" + case 491: /* server_key_cache_size: VAR_KEY_CACHE_SIZE STRING_ARG */ +#line 2173 "util/configparser.y" { OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->key_cache_size)) yyerror("memory size expected"); free((yyvsp0.str)); } -#line 5746 "util/configparser.c" +#line 5236 "util/configparser.c" break; - case 466: -#line 2115 "util/configparser.y" + case 492: /* server_key_cache_slabs: VAR_KEY_CACHE_SLABS STRING_ARG */ +#line 2181 "util/configparser.y" { OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) + if(atoi((yyvsp0.str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->key_cache_slabs = atoi((yyvsp0.str)); if(!is_pow2(cfg_parser->cfg->key_cache_slabs)) yyerror("must be a power of 2"); } free((yyvsp0.str)); } -#line 5762 "util/configparser.c" +#line 5252 "util/configparser.c" break; - case 467: -#line 2128 "util/configparser.y" + case 493: /* server_neg_cache_size: VAR_NEG_CACHE_SIZE STRING_ARG */ +#line 2194 "util/configparser.y" { OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->neg_cache_size)) yyerror("memory size expected"); free((yyvsp0.str)); } -#line 5773 "util/configparser.c" +#line 5263 "util/configparser.c" break; - case 468: -#line 2136 "util/configparser.y" + case 494: /* server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG */ +#line 2202 "util/configparser.y" { OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if(strcmp((yyvsp0.str), "static")!=0 && strcmp((yyvsp0.str), "deny")!=0 && 
@@ -5789,7 +5279,7 @@ && strcmp((yyvsp0.str), "noview")!=0 && strcmp((yyvsp0.str), "inform")!=0 && strcmp((yyvsp0.str), "inform_deny")!=0 && strcmp((yyvsp0.str), "inform_redirect") != 0 - && strcmp((yyvsp0.str), "ipset") != 0) { + && strcmp((yyvsp0.str), "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " @@ -5806,32 +5296,42 @@ free((yyvsp0.str)); #ifdef USE_IPSET } else if(strcmp((yyvsp0.str), "ipset")==0) { + size_t len = strlen((yyvsp-1.str)); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if((yyvsp-1.str)len-1 != '.') { + if(!((yyvsp-1.str) = realloc((yyvsp-1.str), len+2))) { + fatal_exit("out of memory adding local-zone"); + } + (yyvsp-1.str)len = '.'; + (yyvsp-1.str)len+1 = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg-> local_zones_ipset, (yyvsp-1.str))) fatal_exit("out of memory adding local-zone"); free((yyvsp0.str)); #endif } else { - if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, + if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, (yyvsp-1.str), (yyvsp0.str))) fatal_exit("out of memory adding local-zone"); } } -#line 5821 "util/configparser.c" +#line 5321 "util/configparser.c" break; - case 469: -#line 2181 "util/configparser.y" + case 495: /* server_local_data: VAR_LOCAL_DATA STRING_ARG */ +#line 2257 "util/configparser.y" { OUTYY(("P(server_local_data:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp0.str))) fatal_exit("out of memory adding local-data"); } -#line 5831 "util/configparser.c" +#line 5331 "util/configparser.c" break; - case 470: -#line 2188 "util/configparser.y" + case 496: /* server_local_data_ptr: VAR_LOCAL_DATA_PTR STRING_ARG */ +#line 2264 "util/configparser.y" { char* ptr; OUTYY(("P(server_local_data_ptr:%s)\n", (yyvsp0.str))); 
@@ -5845,11 +5345,11 @@ yyerror("local-data-ptr could not be reversed"); } } -#line 5849 "util/configparser.c" +#line 5349 "util/configparser.c" break; - case 471: -#line 2203 "util/configparser.y" + case 497: /* server_minimal_responses: VAR_MINIMAL_RESPONSES STRING_ARG */ +#line 2279 "util/configparser.y" { OUTYY(("P(server_minimal_responses:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -5858,11 +5358,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5862 "util/configparser.c" +#line 5362 "util/configparser.c" break; - case 472: -#line 2213 "util/configparser.y" + case 498: /* server_rrset_roundrobin: VAR_RRSET_ROUNDROBIN STRING_ARG */ +#line 2289 "util/configparser.y" { OUTYY(("P(server_rrset_roundrobin:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5871,41 +5371,41 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5875 "util/configparser.c" +#line 5375 "util/configparser.c" break; - case 473: -#line 2223 "util/configparser.y" + case 499: /* server_unknown_server_time_limit: VAR_UNKNOWN_SERVER_TIME_LIMIT STRING_ARG */ +#line 2299 "util/configparser.y" { OUTYY(("P(server_unknown_server_time_limit:%s)\n", (yyvsp0.str))); cfg_parser->cfg->unknown_server_time_limit = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5885 "util/configparser.c" +#line 5385 "util/configparser.c" break; - case 474: -#line 2230 "util/configparser.y" + case 500: /* server_max_udp_size: VAR_MAX_UDP_SIZE STRING_ARG */ +#line 2306 "util/configparser.y" { OUTYY(("P(server_max_udp_size:%s)\n", (yyvsp0.str))); cfg_parser->cfg->max_udp_size = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 5895 "util/configparser.c" +#line 5395 "util/configparser.c" break; - case 475: -#line 2237 "util/configparser.y" + case 501: /* server_dns64_prefix: VAR_DNS64_PREFIX STRING_ARG */ +#line 2313 "util/configparser.y" { OUTYY(("P(dns64_prefix:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dns64_prefix); cfg_parser->cfg->dns64_prefix = (yyvsp0.str); } -#line 5905 "util/configparser.c" +#line 5405 "util/configparser.c" break; - case 476: -#line 2244 "util/configparser.y" + case 502: /* server_dns64_synthall: VAR_DNS64_SYNTHALL STRING_ARG */ +#line 2320 "util/configparser.y" { OUTYY(("P(server_dns64_synthall:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -5913,22 +5413,22 @@ else cfg_parser->cfg->dns64_synthall = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 5917 "util/configparser.c" +#line 5417 "util/configparser.c" break; - case 477: -#line 2253 "util/configparser.y" + case 503: /* server_dns64_ignore_aaaa: VAR_DNS64_IGNORE_AAAA STRING_ARG */ +#line 2329 "util/configparser.y" { OUTYY(("P(dns64_ignore_aaaa:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->dns64_ignore_aaaa, (yyvsp0.str))) fatal_exit("out of memory adding dns64-ignore-aaaa"); } -#line 5928 "util/configparser.c" +#line 5428 "util/configparser.c" break; - case 478: -#line 2261 "util/configparser.y" + case 504: /* server_define_tag: VAR_DEFINE_TAG STRING_ARG */ +#line 2337 "util/configparser.y" { char* p, *s = (yyvsp0.str); OUTYY(("P(server_define_tag:%s)\n", (yyvsp0.str))); @@ -5941,11 +5441,11 @@ } free((yyvsp0.str)); } -#line 5945 "util/configparser.c" +#line 5445 "util/configparser.c" break; - case 479: -#line 2275 "util/configparser.y" + case 505: /* server_local_zone_tag: VAR_LOCAL_ZONE_TAG STRING_ARG STRING_ARG */ +#line 2351 "util/configparser.y" { size_t len = 0; uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp0.str), @@ -5965,11 +5465,11 @@ } } } -#line 5969 "util/configparser.c" +#line 5469 "util/configparser.c" break; - case 480: -#line 2296 "util/configparser.y" + case 506: /* server_access_control_tag: VAR_ACCESS_CONTROL_TAG STRING_ARG STRING_ARG */ +#line 2372 "util/configparser.y" { size_t len = 0; uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp0.str), 
@@ -5989,11 +5489,11 @@ } } } -#line 5993 "util/configparser.c" +#line 5493 "util/configparser.c" break; - case 481: -#line 2317 "util/configparser.y" + case 507: /* server_access_control_tag_action: VAR_ACCESS_CONTROL_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG */ +#line 2393 "util/configparser.y" { OUTYY(("P(server_access_control_tag_action:%s %s %s)\n", (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))); if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_actions, @@ -6004,11 +5504,11 @@ free((yyvsp0.str)); } } -#line 6008 "util/configparser.c" +#line 5508 "util/configparser.c" break; - case 482: -#line 2329 "util/configparser.y" + case 508: /* server_access_control_tag_data: VAR_ACCESS_CONTROL_TAG_DATA STRING_ARG STRING_ARG STRING_ARG */ +#line 2405 "util/configparser.y" { OUTYY(("P(server_access_control_tag_data:%s %s %s)\n", (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))); if(!cfg_str3list_insert(&cfg_parser->cfg->acl_tag_datas, @@ -6019,11 +5519,11 @@ free((yyvsp0.str)); } } -#line 6023 "util/configparser.c" +#line 5523 "util/configparser.c" break; - case 483: -#line 2341 "util/configparser.y" + case 509: /* server_local_zone_override: VAR_LOCAL_ZONE_OVERRIDE STRING_ARG STRING_ARG STRING_ARG */ +#line 2417 "util/configparser.y" { OUTYY(("P(server_local_zone_override:%s %s %s)\n", (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))); if(!cfg_str3list_insert(&cfg_parser->cfg->local_zone_overrides, @@ -6034,11 +5534,11 @@ free((yyvsp0.str)); } } -#line 6038 "util/configparser.c" +#line 5538 "util/configparser.c" break; - case 484: -#line 2353 "util/configparser.y" + case 510: /* server_access_control_view: VAR_ACCESS_CONTROL_VIEW STRING_ARG STRING_ARG */ +#line 2429 "util/configparser.y" { OUTYY(("P(server_access_control_view:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if(!cfg_str2list_insert(&cfg_parser->cfg->acl_view, 
@@ -6046,11 +5546,77 @@ yyerror("out of memory"); } } -#line 6050 "util/configparser.c" +#line 5550 "util/configparser.c" break; - case 485: -#line 2362 "util/configparser.y" + case 511: /* server_interface_tag: VAR_INTERFACE_TAG STRING_ARG STRING_ARG */ +#line 2438 "util/configparser.y" + { + size_t len = 0; + uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp0.str), + &len); + free((yyvsp0.str)); + OUTYY(("P(server_interface_tag:%s)\n", (yyvsp-1.str))); + if(!bitlist) { + yyerror("could not parse tags, (define-tag them first)"); + free((yyvsp-1.str)); + } + if(bitlist) { + if(!cfg_strbytelist_insert( + &cfg_parser->cfg->interface_tags, + (yyvsp-1.str), bitlist, len)) { + yyerror("out of memory"); + free((yyvsp-1.str)); + } + } + } +#line 5574 "util/configparser.c" + break; + + case 512: /* server_interface_tag_action: VAR_INTERFACE_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG */ +#line 2459 "util/configparser.y" + { + OUTYY(("P(server_interface_tag_action:%s %s %s)\n", (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))); + if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_actions, + (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))) { + yyerror("out of memory"); + free((yyvsp-2.str)); + free((yyvsp-1.str)); + free((yyvsp0.str)); + } + } +#line 5589 "util/configparser.c" + break; + + case 513: /* server_interface_tag_data: VAR_INTERFACE_TAG_DATA STRING_ARG STRING_ARG STRING_ARG */ +#line 2471 "util/configparser.y" + { + OUTYY(("P(server_interface_tag_data:%s %s %s)\n", (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))); + if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_datas, + (yyvsp-2.str), (yyvsp-1.str), (yyvsp0.str))) { + yyerror("out of memory"); + free((yyvsp-2.str)); + free((yyvsp-1.str)); + free((yyvsp0.str)); + } + } +#line 5604 "util/configparser.c" + break; + + case 514: /* server_interface_view: VAR_INTERFACE_VIEW STRING_ARG STRING_ARG */ +#line 2483 "util/configparser.y" + { + OUTYY(("P(server_interface_view:%s %s)\n", (yyvsp-1.str), 
(yyvsp0.str))); + if(!cfg_str2list_insert(&cfg_parser->cfg->interface_view, + (yyvsp-1.str), (yyvsp0.str))) { + yyerror("out of memory"); + } + } +#line 5616 "util/configparser.c" + break; + + case 515: /* server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG */ +#line 2492 "util/configparser.y" { size_t len = 0; uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, (yyvsp0.str), 
@@ -6070,89 +5636,89 @@ } } } -#line 6074 "util/configparser.c" +#line 5640 "util/configparser.c" break; - case 486: -#line 2383 "util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit:%s)\n", (yyvsp0.str))); + case 516: /* server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG */ +#line 2513 "util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ip_ratelimit = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6086 "util/configparser.c" +#line 5652 "util/configparser.c" break; - case 487: -#line 2393 "util/configparser.y" - { - OUTYY(("P(server_ratelimit:%s)\n", (yyvsp0.str))); + case 517: /* server_ratelimit: VAR_RATELIMIT STRING_ARG */ +#line 2522 "util/configparser.y" + { + OUTYY(("P(server_ratelimit:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6098 "util/configparser.c" +#line 5664 "util/configparser.c" break; - case 488: -#line 2402 "util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit_size:%s)\n", (yyvsp0.str))); - if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->ip_ratelimit_size)) - yyerror("memory size expected"); - free((yyvsp0.str)); - } -#line 6109 "util/configparser.c" + case 518: /* server_ip_ratelimit_size: VAR_IP_RATELIMIT_SIZE STRING_ARG */ +#line 2531 "util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_size:%s)\n", (yyvsp0.str))); + if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->ip_ratelimit_size)) + yyerror("memory size expected"); + free((yyvsp0.str)); + } +#line 5675 "util/configparser.c" break; - case 489: -#line 2410 "util/configparser.y" + case 519: /* server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG */ +#line 2539 "util/configparser.y" { OUTYY(("P(server_ratelimit_size:%s)\n", (yyvsp0.str))); if(!cfg_parse_memsize((yyvsp0.str), 
&cfg_parser->cfg->ratelimit_size)) yyerror("memory size expected"); free((yyvsp0.str)); } -#line 6120 "util/configparser.c" +#line 5686 "util/configparser.c" break; - case 490: -#line 2418 "util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->ip_ratelimit_slabs = atoi((yyvsp0.str)); - if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) - yyerror("must be a power of 2"); - } - free((yyvsp0.str)); - } -#line 6136 "util/configparser.c" + case 520: /* server_ip_ratelimit_slabs: VAR_IP_RATELIMIT_SLABS STRING_ARG */ +#line 2547 "util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->ip_ratelimit_slabs = atoi((yyvsp0.str)); + if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) + yyerror("must be a power of 2"); + } + free((yyvsp0.str)); + } +#line 5702 "util/configparser.c" break; - case 491: -#line 2431 "util/configparser.y" + case 521: /* server_ratelimit_slabs: VAR_RATELIMIT_SLABS STRING_ARG */ +#line 2560 "util/configparser.y" { OUTYY(("P(server_ratelimit_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) + if(atoi((yyvsp0.str)) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->ratelimit_slabs = atoi((yyvsp0.str)); if(!is_pow2(cfg_parser->cfg->ratelimit_slabs)) yyerror("must be a power of 2"); } free((yyvsp0.str)); } -#line 6152 "util/configparser.c" +#line 5718 "util/configparser.c" break; - case 492: -#line 2444 "util/configparser.y" + case 522: /* server_ratelimit_for_domain: VAR_RATELIMIT_FOR_DOMAIN STRING_ARG STRING_ARG */ +#line 2573 "util/configparser.y" { OUTYY(("P(server_ratelimit_for_domain:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) { 
@@ -6166,11 +5732,11 @@ "ratelimit-for-domain"); } } -#line 6170 "util/configparser.c" +#line 5736 "util/configparser.c" break; - case 493: -#line 2459 "util/configparser.y" + case 523: /* server_ratelimit_below_domain: VAR_RATELIMIT_BELOW_DOMAIN STRING_ARG STRING_ARG */ +#line 2588 "util/configparser.y" { OUTYY(("P(server_ratelimit_below_domain:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) { 
@@ -6184,94 +5750,156 @@ "ratelimit-below-domain"); } } -#line 6188 "util/configparser.c" +#line 5754 "util/configparser.c" break; - case 494: -#line 2474 "util/configparser.y" - { - OUTYY(("P(server_ip_ratelimit_factor:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->ip_ratelimit_factor = atoi((yyvsp0.str)); - free((yyvsp0.str)); + case 524: /* server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG */ +#line 2603 "util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_factor:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ip_ratelimit_factor = atoi((yyvsp0.str)); + free((yyvsp0.str)); } -#line 6200 "util/configparser.c" +#line 5766 "util/configparser.c" break; - case 495: -#line 2483 "util/configparser.y" - { - OUTYY(("P(server_ratelimit_factor:%s)\n", (yyvsp0.str))); + case 525: /* server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG */ +#line 2612 "util/configparser.y" + { + OUTYY(("P(server_ratelimit_factor:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit_factor = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6212 "util/configparser.c" +#line 5778 "util/configparser.c" break; - case 496: -#line 2492 "util/configparser.y" - { + case 526: /* server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG */ +#line 2621 "util/configparser.y" + { + OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_ratelimit_backoff = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 5791 "util/configparser.c" + break; + + case 527: /* server_ratelimit_backoff: VAR_RATELIMIT_BACKOFF STRING_ARG */ +#line 2631 
"util/configparser.y" + { + OUTYY(("P(server_ratelimit_backoff:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ratelimit_backoff = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 5804 "util/configparser.c" + break; + + case 528: /* server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG */ +#line 2641 "util/configparser.y" + { + OUTYY(("P(server_outbound_msg_retry:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->outbound_msg_retry = atoi((yyvsp0.str)); + free((yyvsp0.str)); + } +#line 5816 "util/configparser.c" + break; + + case 529: /* server_max_sent_count: VAR_MAX_SENT_COUNT STRING_ARG */ +#line 2650 "util/configparser.y" + { + OUTYY(("P(server_max_sent_count:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_sent_count = atoi((yyvsp0.str)); + free((yyvsp0.str)); + } +#line 5828 "util/configparser.c" + break; + + case 530: /* server_max_query_restarts: VAR_MAX_QUERY_RESTARTS STRING_ARG */ +#line 2659 "util/configparser.y" + { + OUTYY(("P(server_max_query_restarts:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_query_restarts = atoi((yyvsp0.str)); + free((yyvsp0.str)); + } +#line 5840 "util/configparser.c" + break; + + case 531: /* server_low_rtt: VAR_LOW_RTT STRING_ARG */ +#line 2668 "util/configparser.y" + { OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n")); free((yyvsp0.str)); } -#line 6221 "util/configparser.c" +#line 5849 "util/configparser.c" break; - case 497: -#line 2498 "util/configparser.y" - { - OUTYY(("P(server_fast_server_num:%s)\n", (yyvsp0.str))); + case 532: /* server_fast_server_num: VAR_FAST_SERVER_NUM 
STRING_ARG */ +#line 2674 "util/configparser.y" + { + OUTYY(("P(server_fast_server_num:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) <= 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_num = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6233 "util/configparser.c" +#line 5861 "util/configparser.c" break; - case 498: -#line 2507 "util/configparser.y" - { - OUTYY(("P(server_fast_server_permil:%s)\n", (yyvsp0.str))); + case 533: /* server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG */ +#line 2683 "util/configparser.y" + { + OUTYY(("P(server_fast_server_permil:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_permil = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6245 "util/configparser.c" +#line 5873 "util/configparser.c" break; - case 499: -#line 2516 "util/configparser.y" + case 534: /* server_qname_minimisation: VAR_QNAME_MINIMISATION STRING_ARG */ +#line 2692 "util/configparser.y" { OUTYY(("P(server_qname_minimisation:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation = + else cfg_parser->cfg->qname_minimisation = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6258 "util/configparser.c" +#line 5886 "util/configparser.c" break; - case 500: -#line 2526 "util/configparser.y" + case 535: /* server_qname_minimisation_strict: VAR_QNAME_MINIMISATION_STRICT STRING_ARG */ +#line 2702 "util/configparser.y" { OUTYY(("P(server_qname_minimisation_strict:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation_strict = + else cfg_parser->cfg->qname_minimisation_strict = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6271 "util/configparser.c" +#line 5899 "util/configparser.c" break; - case 
501: -#line 2536 "util/configparser.y" + case 536: /* server_pad_responses: VAR_PAD_RESPONSES STRING_ARG */ +#line 2712 "util/configparser.y" { OUTYY(("P(server_pad_responses:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6280,11 +5908,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6284 "util/configparser.c" +#line 5912 "util/configparser.c" break; - case 502: -#line 2546 "util/configparser.y" + case 537: /* server_pad_responses_block_size: VAR_PAD_RESPONSES_BLOCK_SIZE STRING_ARG */ +#line 2722 "util/configparser.y" { OUTYY(("P(server_pad_responses_block_size:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -6292,11 +5920,11 @@ else cfg_parser->cfg->pad_responses_block_size = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6296 "util/configparser.c" +#line 5924 "util/configparser.c" break; - case 503: -#line 2555 "util/configparser.y" + case 538: /* server_pad_queries: VAR_PAD_QUERIES STRING_ARG */ +#line 2731 "util/configparser.y" { OUTYY(("P(server_pad_queries:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6305,11 +5933,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6309 "util/configparser.c" +#line 5937 "util/configparser.c" break; - case 504: -#line 2565 "util/configparser.y" + case 539: /* server_pad_queries_block_size: VAR_PAD_QUERIES_BLOCK_SIZE STRING_ARG */ +#line 2741 "util/configparser.y" { OUTYY(("P(server_pad_queries_block_size:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -6317,11 +5945,11 @@ else cfg_parser->cfg->pad_queries_block_size = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6321 "util/configparser.c" +#line 5949 "util/configparser.c" break; - case 505: -#line 2574 "util/configparser.y" + case 540: /* server_ipsecmod_enabled: VAR_IPSECMOD_ENABLED STRING_ARG */ +#line 2750 "util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_enabled:%s)\n", (yyvsp0.str))); 
@@ -6333,11 +5961,11 @@ #endif free((yyvsp0.str)); } -#line 6337 "util/configparser.c" +#line 5965 "util/configparser.c" break; - case 506: -#line 2587 "util/configparser.y" + case 541: /* server_ipsecmod_ignore_bogus: VAR_IPSECMOD_IGNORE_BOGUS STRING_ARG */ +#line 2763 "util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_ignore_bogus:%s)\n", (yyvsp0.str))); @@ -6349,11 +5977,11 @@ #endif free((yyvsp0.str)); } -#line 6353 "util/configparser.c" +#line 5981 "util/configparser.c" break; - case 507: -#line 2600 "util/configparser.y" + case 542: /* server_ipsecmod_hook: VAR_IPSECMOD_HOOK STRING_ARG */ +#line 2776 "util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_hook:%s)\n", (yyvsp0.str))); @@ -6364,11 +5992,11 @@ free((yyvsp0.str)); #endif } -#line 6368 "util/configparser.c" +#line 5996 "util/configparser.c" break; - case 508: -#line 2612 "util/configparser.y" + case 543: /* server_ipsecmod_max_ttl: VAR_IPSECMOD_MAX_TTL STRING_ARG */ +#line 2788 "util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_max_ttl:%s)\n", (yyvsp0.str))); @@ -6381,11 +6009,11 @@ free((yyvsp0.str)); #endif } -#line 6385 "util/configparser.c" +#line 6013 "util/configparser.c" break; - case 509: -#line 2626 "util/configparser.y" + case 544: /* server_ipsecmod_whitelist: VAR_IPSECMOD_WHITELIST STRING_ARG */ +#line 2802 "util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_whitelist:%s)\n", (yyvsp0.str))); @@ -6396,11 +6024,11 @@ free((yyvsp0.str)); #endif } -#line 6400 "util/configparser.c" +#line 6028 "util/configparser.c" break; - case 510: -#line 2638 "util/configparser.y" + case 545: /* server_ipsecmod_strict: VAR_IPSECMOD_STRICT STRING_ARG */ +#line 2814 "util/configparser.y" { #ifdef USE_IPSECMOD OUTYY(("P(server_ipsecmod_strict:%s)\n", (yyvsp0.str))); 
@@ -6413,11 +6041,11 @@ free((yyvsp0.str)); #endif } -#line 6417 "util/configparser.c" +#line 6045 "util/configparser.c" break; - case 511: -#line 2652 "util/configparser.y" + case 546: /* server_edns_client_string: VAR_EDNS_CLIENT_STRING STRING_ARG STRING_ARG */ +#line 2828 "util/configparser.y" { OUTYY(("P(server_edns_client_string:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if(!cfg_str2list_insert( @@ -6425,11 +6053,11 @@ fatal_exit("out of memory adding " "edns-client-string"); } -#line 6429 "util/configparser.c" +#line 6057 "util/configparser.c" break; - case 512: -#line 2661 "util/configparser.y" + case 547: /* server_edns_client_string_opcode: VAR_EDNS_CLIENT_STRING_OPCODE STRING_ARG */ +#line 2837 "util/configparser.y" { OUTYY(("P(edns_client_string_opcode:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0 && strcmp((yyvsp0.str), "0") != 0) 
@@ -6438,13 +6066,34 @@ yyerror("option code must be in interval 0, 65535"); else cfg_parser->cfg->edns_client_string_opcode = atoi((yyvsp0.str)); free((yyvsp0.str)); + } +#line 6071 "util/configparser.c" + break; + + case 548: /* server_ede: VAR_EDE STRING_ARG */ +#line 2848 "util/configparser.y" + { + OUTYY(("P(server_ede:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ede = (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 6083 "util/configparser.c" + break; + case 549: /* server_proxy_protocol_port: VAR_PROXY_PROTOCOL_PORT STRING_ARG */ +#line 2857 "util/configparser.y" + { + OUTYY(("P(server_proxy_protocol_port:%s)\n", (yyvsp0.str))); + if(!cfg_strlist_insert(&cfg_parser->cfg->proxy_protocol_port, (yyvsp0.str))) + yyerror("out of memory"); } -#line 6444 "util/configparser.c" +#line 6093 "util/configparser.c" break; - case 513: -#line 2673 "util/configparser.y" + case 550: /* stub_name: VAR_NAME STRING_ARG */ +#line 2864 "util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp0.str))); if(cfg_parser->cfg->stubs->name) 
@@ -6453,31 +6102,31 @@ free(cfg_parser->cfg->stubs->name); cfg_parser->cfg->stubs->name = (yyvsp0.str); } -#line 6457 "util/configparser.c" +#line 6106 "util/configparser.c" break; - case 514: -#line 2683 "util/configparser.y" + case 551: /* stub_host: VAR_STUB_HOST STRING_ARG */ +#line 2874 "util/configparser.y" { OUTYY(("P(stub-host:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp0.str))) yyerror("out of memory"); } -#line 6467 "util/configparser.c" +#line 6116 "util/configparser.c" break; - case 515: -#line 2690 "util/configparser.y" + case 552: /* stub_addr: VAR_STUB_ADDR STRING_ARG */ +#line 2881 "util/configparser.y" { OUTYY(("P(stub-addr:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp0.str))) yyerror("out of memory"); } -#line 6477 "util/configparser.c" +#line 6126 "util/configparser.c" break; - case 516: -#line 2697 "util/configparser.y" + case 553: /* stub_first: VAR_STUB_FIRST STRING_ARG */ +#line 2888 "util/configparser.y" { OUTYY(("P(stub-first:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6485,11 +6134,11 @@ else cfg_parser->cfg->stubs->isfirst=(strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6489 "util/configparser.c" +#line 6138 "util/configparser.c" break; - case 517: -#line 2706 "util/configparser.y" + case 554: /* stub_no_cache: VAR_STUB_NO_CACHE STRING_ARG */ +#line 2897 "util/configparser.y" { OUTYY(("P(stub-no-cache:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6497,37 +6146,50 @@ else cfg_parser->cfg->stubs->no_cache=(strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6501 "util/configparser.c" +#line 6150 "util/configparser.c" break; - case 518: -#line 2715 "util/configparser.y" + case 555: /* stub_ssl_upstream: VAR_STUB_SSL_UPSTREAM STRING_ARG */ +#line 2906 "util/configparser.y" { OUTYY(("P(stub-ssl-upstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->ssl_upstream = + else cfg_parser->cfg->stubs->ssl_upstream = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6514 "util/configparser.c" +#line 6163 "util/configparser.c" break; - case 519: -#line 2725 "util/configparser.y" + case 556: /* stub_tcp_upstream: VAR_STUB_TCP_UPSTREAM STRING_ARG */ +#line 2916 "util/configparser.y" + { + OUTYY(("P(stub-tcp-upstream:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stubs->tcp_upstream = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 6176 "util/configparser.c" + break; + + case 557: /* stub_prime: VAR_STUB_PRIME STRING_ARG */ +#line 2926 "util/configparser.y" { OUTYY(("P(stub-prime:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->isprime = + else cfg_parser->cfg->stubs->isprime = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6527 "util/configparser.c" +#line 6189 "util/configparser.c" break; - case 520: -#line 2735 "util/configparser.y" + case 558: /* forward_name: VAR_NAME STRING_ARG */ +#line 2936 "util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp0.str))); if(cfg_parser->cfg->forwards->name) 
@@ -6536,31 +6198,31 @@ free(cfg_parser->cfg->forwards->name); cfg_parser->cfg->forwards->name = (yyvsp0.str); } -#line 6540 "util/configparser.c" +#line 6202 "util/configparser.c" break; - case 521: -#line 2745 "util/configparser.y" + case 559: /* forward_host: VAR_FORWARD_HOST STRING_ARG */ +#line 2946 "util/configparser.y" { OUTYY(("P(forward-host:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp0.str))) yyerror("out of memory"); } -#line 6550 "util/configparser.c" +#line 6212 "util/configparser.c" break; - case 522: -#line 2752 "util/configparser.y" + case 560: /* forward_addr: VAR_FORWARD_ADDR STRING_ARG */ +#line 2953 "util/configparser.y" { OUTYY(("P(forward-addr:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp0.str))) yyerror("out of memory"); } -#line 6560 "util/configparser.c" +#line 6222 "util/configparser.c" break; - case 523: -#line 2759 "util/configparser.y" + case 561: /* forward_first: VAR_FORWARD_FIRST STRING_ARG */ +#line 2960 "util/configparser.y" { OUTYY(("P(forward-first:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6568,11 +6230,11 @@ else cfg_parser->cfg->forwards->isfirst=(strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6572 "util/configparser.c" +#line 6234 "util/configparser.c" break; - case 524: -#line 2768 "util/configparser.y" + case 562: /* forward_no_cache: VAR_FORWARD_NO_CACHE STRING_ARG */ +#line 2969 "util/configparser.y" { OUTYY(("P(forward-no-cache:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6580,24 +6242,37 @@ else cfg_parser->cfg->forwards->no_cache=(strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6584 "util/configparser.c" +#line 6246 "util/configparser.c" break; - case 525: -#line 2777 "util/configparser.y" + case 563: /* forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG */ +#line 2978 "util/configparser.y" { OUTYY(("P(forward-ssl-upstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->forwards->ssl_upstream = + else cfg_parser->cfg->forwards->ssl_upstream = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6597 "util/configparser.c" +#line 6259 "util/configparser.c" + break; + + case 564: /* forward_tcp_upstream: VAR_FORWARD_TCP_UPSTREAM STRING_ARG */ +#line 2988 "util/configparser.y" + { + OUTYY(("P(forward-tcp-upstream:%s)\n", (yyvsp0.str))); + if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->forwards->tcp_upstream = + (strcmp((yyvsp0.str), "yes")==0); + free((yyvsp0.str)); + } +#line 6272 "util/configparser.c" break; - case 526: -#line 2787 "util/configparser.y" + case 565: /* auth_name: VAR_NAME STRING_ARG */ +#line 2998 "util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp0.str))); if(cfg_parser->cfg->auths->name) 
@@ -6606,52 +6281,52 @@ free(cfg_parser->cfg->auths->name); cfg_parser->cfg->auths->name = (yyvsp0.str); } -#line 6610 "util/configparser.c" +#line 6285 "util/configparser.c" break; - case 527: -#line 2797 "util/configparser.y" + case 566: /* auth_zonefile: VAR_ZONEFILE STRING_ARG */ +#line 3008 "util/configparser.y" { OUTYY(("P(zonefile:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->auths->zonefile); cfg_parser->cfg->auths->zonefile = (yyvsp0.str); } -#line 6620 "util/configparser.c" +#line 6295 "util/configparser.c" break; - case 528: -#line 2804 "util/configparser.y" + case 567: /* auth_master: VAR_MASTER STRING_ARG */ +#line 3015 "util/configparser.y" { OUTYY(("P(master:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->auths->masters, (yyvsp0.str))) yyerror("out of memory"); } -#line 6630 "util/configparser.c" +#line 6305 "util/configparser.c" break; - case 529: -#line 2811 "util/configparser.y" + case 568: /* auth_url: VAR_URL STRING_ARG */ +#line 3022 "util/configparser.y" { OUTYY(("P(url:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->auths->urls, (yyvsp0.str))) yyerror("out of memory"); } -#line 6640 "util/configparser.c" +#line 6315 "util/configparser.c" break; - case 530: -#line 2818 "util/configparser.y" + case 569: /* auth_allow_notify: VAR_ALLOW_NOTIFY STRING_ARG */ +#line 3029 "util/configparser.y" { OUTYY(("P(allow-notify:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->auths->allow_notify, (yyvsp0.str))) yyerror("out of memory"); } -#line 6651 "util/configparser.c" +#line 6326 "util/configparser.c" break; - case 531: -#line 2826 "util/configparser.y" + case 570: /* auth_zonemd_check: VAR_ZONEMD_CHECK STRING_ARG */ +#line 3037 "util/configparser.y" { OUTYY(("P(zonemd-check:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6660,11 +6335,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6664 "util/configparser.c" +#line 6339 "util/configparser.c" break; - case 532: -#line 2836 "util/configparser.y" + case 571: /* auth_zonemd_reject_absence: VAR_ZONEMD_REJECT_ABSENCE STRING_ARG */ +#line 3047 "util/configparser.y" { OUTYY(("P(zonemd-reject-absence:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6673,11 +6348,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6677 "util/configparser.c" +#line 6352 "util/configparser.c" break; - case 533: -#line 2846 "util/configparser.y" + case 572: /* auth_for_downstream: VAR_FOR_DOWNSTREAM STRING_ARG */ +#line 3057 "util/configparser.y" { OUTYY(("P(for-downstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6686,11 +6361,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6690 "util/configparser.c" +#line 6365 "util/configparser.c" break; - case 534: -#line 2856 "util/configparser.y" + case 573: /* auth_for_upstream: VAR_FOR_UPSTREAM STRING_ARG */ +#line 3067 "util/configparser.y" { OUTYY(("P(for-upstream:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6699,11 +6374,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6703 "util/configparser.c" +#line 6378 "util/configparser.c" break; - case 535: -#line 2866 "util/configparser.y" + case 574: /* auth_fallback_enabled: VAR_FALLBACK_ENABLED STRING_ARG */ +#line 3077 "util/configparser.y" { OUTYY(("P(fallback-enabled:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6712,11 +6387,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6716 "util/configparser.c" +#line 6391 "util/configparser.c" break; - case 536: -#line 2876 "util/configparser.y" + case 575: /* view_name: VAR_NAME STRING_ARG */ +#line 3087 "util/configparser.y" { OUTYY(("P(name:%s)\n", (yyvsp0.str))); if(cfg_parser->cfg->views->name) @@ -6725,11 +6400,11 @@ free(cfg_parser->cfg->views->name); cfg_parser->cfg->views->name = (yyvsp0.str); } -#line 6729 "util/configparser.c" +#line 6404 "util/configparser.c" break; - case 537: -#line 2886 "util/configparser.y" + case 576: /* view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG */ +#line 3097 "util/configparser.y" { OUTYY(("P(view_local_zone:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if(strcmp((yyvsp0.str), "static")!=0 && strcmp((yyvsp0.str), "deny")!=0 && @@ -6762,6 +6437,16 @@ free((yyvsp0.str)); #ifdef USE_IPSET } else if(strcmp((yyvsp0.str), "ipset")==0) { + size_t len = strlen((yyvsp-1.str)); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if((yyvsp-1.str)len-1 != '.') { + if(!((yyvsp-1.str) = realloc((yyvsp-1.str), len+2))) { + fatal_exit("out of memory adding local-zone"); + } + (yyvsp-1.str)len = '.'; + (yyvsp-1.str)len+1 = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg->views-> local_zones_ipset, (yyvsp-1.str))) fatal_exit("out of memory adding local-zone"); @@ -6769,16 +6454,16 @@ #endif } else { if(!cfg_str2list_insert( - &cfg_parser->cfg->views->local_zones, + &cfg_parser->cfg->views->local_zones, (yyvsp-1.str), (yyvsp0.str))) fatal_exit("out of memory adding local-zone"); } } -#line 6778 "util/configparser.c" +#line 6463 "util/configparser.c" break; - case 538: -#line 2932 "util/configparser.y" + case 577: /* view_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG */ +#line 3153 "util/configparser.y" { OUTYY(("P(view_response_ip:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); validate_respip_action((yyvsp0.str)); 
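Review bot: In the added `ipset` branch of the view_local_zone action, the trailing-dot test indexes the zone-name string at `len-1` without first checking that `len` is non-zero, so an empty zone name makes it read one byte before the allocation. The configuration file is normally administrator-controlled, which makes this a robustness problem rather than a remotely reachable one, but it is still undefined behaviour in the parser. Guarding the test as `if(len == 0 || name[len-1] != '.')` (with `name` standing for the first STRING_ARG) keeps the existing append path and turns the empty name into `.`. This file is bison output, so the change belongs in the matching action in `util/configparser.y`; the server-level local-zone action is not visible here and may need the same check. The action's body starts before this hunk and continues after it.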
@@ -6787,33 +6472,33 @@ fatal_exit("out of memory adding per-view " "response-ip action"); } -#line 6791 "util/configparser.c" +#line 6476 "util/configparser.c" break; - case 539: -#line 2942 "util/configparser.y" + case 578: /* view_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG */ +#line 3163 "util/configparser.y" { OUTYY(("P(view_response_ip_data:%s)\n", (yyvsp-1.str))); if(!cfg_str2list_insert( &cfg_parser->cfg->views->respip_data, (yyvsp-1.str), (yyvsp0.str))) fatal_exit("out of memory adding response-ip-data"); } -#line 6802 "util/configparser.c" +#line 6487 "util/configparser.c" break; - case 540: -#line 2950 "util/configparser.y" + case 579: /* view_local_data: VAR_LOCAL_DATA STRING_ARG */ +#line 3171 "util/configparser.y" { OUTYY(("P(view_local_data:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->views->local_data, (yyvsp0.str))) { fatal_exit("out of memory adding local-data"); } } -#line 6813 "util/configparser.c" +#line 6498 "util/configparser.c" break; - case 541: -#line 2958 "util/configparser.y" + case 580: /* view_local_data_ptr: VAR_LOCAL_DATA_PTR STRING_ARG */ +#line 3179 "util/configparser.y" { char* ptr; OUTYY(("P(view_local_data_ptr:%s)\n", (yyvsp0.str))); @@ -6827,11 +6512,11 @@ yyerror("local-data-ptr could not be reversed"); } } -#line 6831 "util/configparser.c" +#line 6516 "util/configparser.c" break; - case 542: -#line 2973 "util/configparser.y" + case 581: /* view_first: VAR_VIEW_FIRST STRING_ARG */ +#line 3194 "util/configparser.y" { OUTYY(("P(view-first:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6839,32 +6524,33 @@ else cfg_parser->cfg->views->isfirst=(strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6843 "util/configparser.c" +#line 6528 "util/configparser.c" break; - case 543: -#line 2982 "util/configparser.y" - { - OUTYY(("\nP(remote-control:)\n")); + case 582: /* rcstart: VAR_REMOTE_CONTROL */ +#line 3203 "util/configparser.y" + { + OUTYY(("\nP(remote-control:)\n")); + cfg_parser->started_toplevel = 1; } -#line 6851 "util/configparser.c" +#line 6537 "util/configparser.c" break; - case 554: -#line 2993 "util/configparser.y" + case 593: /* rc_control_enable: VAR_CONTROL_ENABLE STRING_ARG */ +#line 3215 "util/configparser.y" { OUTYY(("P(control_enable:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->remote_control_enable = + else cfg_parser->cfg->remote_control_enable = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6864 "util/configparser.c" +#line 6550 "util/configparser.c" break; - case 555: -#line 3003 "util/configparser.y" + case 594: /* rc_control_port: VAR_CONTROL_PORT STRING_ARG */ +#line 3225 "util/configparser.y" { OUTYY(("P(control_port:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) 
@@ -6872,79 +6558,80 @@ else cfg_parser->cfg->control_port = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 6876 "util/configparser.c" +#line 6562 "util/configparser.c" break; - case 556: -#line 3012 "util/configparser.y" + case 595: /* rc_control_interface: VAR_CONTROL_INTERFACE STRING_ARG */ +#line 3234 "util/configparser.y" { OUTYY(("P(control_interface:%s)\n", (yyvsp0.str))); if(!cfg_strlist_append(&cfg_parser->cfg->control_ifs, (yyvsp0.str))) yyerror("out of memory"); } -#line 6886 "util/configparser.c" +#line 6572 "util/configparser.c" break; - case 557: -#line 3019 "util/configparser.y" + case 596: /* rc_control_use_cert: VAR_CONTROL_USE_CERT STRING_ARG */ +#line 3241 "util/configparser.y" { OUTYY(("P(control_use_cert:%s)\n", (yyvsp0.str))); cfg_parser->cfg->control_use_cert = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6896 "util/configparser.c" +#line 6582 "util/configparser.c" break; - case 558: -#line 3026 "util/configparser.y" + case 597: /* rc_server_key_file: VAR_SERVER_KEY_FILE STRING_ARG */ +#line 3248 "util/configparser.y" { OUTYY(("P(rc_server_key_file:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->server_key_file); cfg_parser->cfg->server_key_file = (yyvsp0.str); } -#line 6906 "util/configparser.c" +#line 6592 "util/configparser.c" break; - case 559: -#line 3033 "util/configparser.y" + case 598: /* rc_server_cert_file: VAR_SERVER_CERT_FILE STRING_ARG */ +#line 3255 "util/configparser.y" { OUTYY(("P(rc_server_cert_file:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->server_cert_file); cfg_parser->cfg->server_cert_file = (yyvsp0.str); } -#line 6916 "util/configparser.c" +#line 6602 "util/configparser.c" break; - case 560: -#line 3040 "util/configparser.y" + case 599: /* rc_control_key_file: VAR_CONTROL_KEY_FILE STRING_ARG */ +#line 3262 "util/configparser.y" { OUTYY(("P(rc_control_key_file:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->control_key_file); cfg_parser->cfg->control_key_file = (yyvsp0.str); } -#line 6926 
"util/configparser.c" +#line 6612 "util/configparser.c" break; - case 561: -#line 3047 "util/configparser.y" + case 600: /* rc_control_cert_file: VAR_CONTROL_CERT_FILE STRING_ARG */ +#line 3269 "util/configparser.y" { OUTYY(("P(rc_control_cert_file:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->control_cert_file); cfg_parser->cfg->control_cert_file = (yyvsp0.str); } -#line 6936 "util/configparser.c" +#line 6622 "util/configparser.c" break; - case 562: -#line 3054 "util/configparser.y" + case 601: /* dtstart: VAR_DNSTAP */ +#line 3276 "util/configparser.y" { OUTYY(("\nP(dnstap:)\n")); + cfg_parser->started_toplevel = 1; } -#line 6944 "util/configparser.c" +#line 6631 "util/configparser.c" break; - case 584: -#line 3074 "util/configparser.y" + case 623: /* dt_dnstap_enable: VAR_DNSTAP_ENABLE STRING_ARG */ +#line 3297 "util/configparser.y" { OUTYY(("P(dt_dnstap_enable:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -6952,11 +6639,11 @@ else cfg_parser->cfg->dnstap = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6956 "util/configparser.c" +#line 6643 "util/configparser.c" break; - case 585: -#line 3083 "util/configparser.y" + case 624: /* dt_dnstap_bidirectional: VAR_DNSTAP_BIDIRECTIONAL STRING_ARG */ +#line 3306 "util/configparser.y" { OUTYY(("P(dt_dnstap_bidirectional:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6965,31 +6652,31 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 6969 "util/configparser.c" +#line 6656 "util/configparser.c" break; - case 586: -#line 3093 "util/configparser.y" + case 625: /* dt_dnstap_socket_path: VAR_DNSTAP_SOCKET_PATH STRING_ARG */ +#line 3316 "util/configparser.y" { OUTYY(("P(dt_dnstap_socket_path:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_socket_path); cfg_parser->cfg->dnstap_socket_path = (yyvsp0.str); } -#line 6979 "util/configparser.c" +#line 6666 "util/configparser.c" break; - case 587: -#line 3100 "util/configparser.y" + case 626: /* dt_dnstap_ip: VAR_DNSTAP_IP STRING_ARG */ +#line 3323 "util/configparser.y" { OUTYY(("P(dt_dnstap_ip:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_ip); cfg_parser->cfg->dnstap_ip = (yyvsp0.str); } -#line 6989 "util/configparser.c" +#line 6676 "util/configparser.c" break; - case 588: -#line 3107 "util/configparser.y" + case 627: /* dt_dnstap_tls: VAR_DNSTAP_TLS STRING_ARG */ +#line 3330 "util/configparser.y" { OUTYY(("P(dt_dnstap_tls:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -6997,51 +6684,51 @@ else cfg_parser->cfg->dnstap_tls = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7001 "util/configparser.c" +#line 6688 "util/configparser.c" break; - case 589: -#line 3116 "util/configparser.y" + case 628: /* dt_dnstap_tls_server_name: VAR_DNSTAP_TLS_SERVER_NAME STRING_ARG */ +#line 3339 "util/configparser.y" { OUTYY(("P(dt_dnstap_tls_server_name:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_tls_server_name); cfg_parser->cfg->dnstap_tls_server_name = (yyvsp0.str); } -#line 7011 "util/configparser.c" +#line 6698 "util/configparser.c" break; - case 590: -#line 3123 "util/configparser.y" + case 629: /* dt_dnstap_tls_cert_bundle: VAR_DNSTAP_TLS_CERT_BUNDLE STRING_ARG */ +#line 3346 "util/configparser.y" { OUTYY(("P(dt_dnstap_tls_cert_bundle:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_tls_cert_bundle); cfg_parser->cfg->dnstap_tls_cert_bundle = (yyvsp0.str); } -#line 7021 "util/configparser.c" +#line 6708 "util/configparser.c" break; - case 591: -#line 3130 "util/configparser.y" + case 630: /* dt_dnstap_tls_client_key_file: VAR_DNSTAP_TLS_CLIENT_KEY_FILE STRING_ARG */ +#line 3353 "util/configparser.y" { OUTYY(("P(dt_dnstap_tls_client_key_file:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_tls_client_key_file); cfg_parser->cfg->dnstap_tls_client_key_file = (yyvsp0.str); } -#line 7031 "util/configparser.c" +#line 6718 "util/configparser.c" break; - case 592: -#line 3137 "util/configparser.y" + case 631: /* dt_dnstap_tls_client_cert_file: VAR_DNSTAP_TLS_CLIENT_CERT_FILE STRING_ARG */ +#line 3360 "util/configparser.y" { OUTYY(("P(dt_dnstap_tls_client_cert_file:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_tls_client_cert_file); cfg_parser->cfg->dnstap_tls_client_cert_file = (yyvsp0.str); } -#line 7041 "util/configparser.c" +#line 6728 "util/configparser.c" break; - case 593: -#line 3144 "util/configparser.y" + case 632: /* dt_dnstap_send_identity: VAR_DNSTAP_SEND_IDENTITY STRING_ARG */ +#line 3367 
"util/configparser.y" { OUTYY(("P(dt_dnstap_send_identity:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -7049,11 +6736,11 @@ else cfg_parser->cfg->dnstap_send_identity = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7053 "util/configparser.c" +#line 6740 "util/configparser.c" break; - case 594: -#line 3153 "util/configparser.y" + case 633: /* dt_dnstap_send_version: VAR_DNSTAP_SEND_VERSION STRING_ARG */ +#line 3376 "util/configparser.y" { OUTYY(("P(dt_dnstap_send_version:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -7061,31 +6748,31 @@ else cfg_parser->cfg->dnstap_send_version = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7065 "util/configparser.c" +#line 6752 "util/configparser.c" break; - case 595: -#line 3162 "util/configparser.y" + case 634: /* dt_dnstap_identity: VAR_DNSTAP_IDENTITY STRING_ARG */ +#line 3385 "util/configparser.y" { OUTYY(("P(dt_dnstap_identity:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_identity); cfg_parser->cfg->dnstap_identity = (yyvsp0.str); } -#line 7075 "util/configparser.c" +#line 6762 "util/configparser.c" break; - case 596: -#line 3169 "util/configparser.y" + case 635: /* dt_dnstap_version: VAR_DNSTAP_VERSION STRING_ARG */ +#line 3392 "util/configparser.y" { OUTYY(("P(dt_dnstap_version:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnstap_version); cfg_parser->cfg->dnstap_version = (yyvsp0.str); } -#line 7085 "util/configparser.c" +#line 6772 "util/configparser.c" break; - case 597: -#line 3176 "util/configparser.y" + case 636: /* dt_dnstap_log_resolver_query_messages: VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES STRING_ARG */ +#line 3399 "util/configparser.y" { OUTYY(("P(dt_dnstap_log_resolver_query_messages:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -7094,11 +6781,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7098 "util/configparser.c" +#line 6785 "util/configparser.c" break; - case 598: -#line 3186 "util/configparser.y" + case 637: /* dt_dnstap_log_resolver_response_messages: VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES STRING_ARG */ +#line 3409 "util/configparser.y" { OUTYY(("P(dt_dnstap_log_resolver_response_messages:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -7107,11 +6794,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7111 "util/configparser.c" +#line 6798 "util/configparser.c" break; - case 599: -#line 3196 "util/configparser.y" + case 638: /* dt_dnstap_log_client_query_messages: VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES STRING_ARG */ +#line 3419 "util/configparser.y" { OUTYY(("P(dt_dnstap_log_client_query_messages:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -7120,11 +6807,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7124 "util/configparser.c" +#line 6811 "util/configparser.c" break; - case 600: -#line 3206 "util/configparser.y" + case 639: /* dt_dnstap_log_client_response_messages: VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES STRING_ARG */ +#line 3429 "util/configparser.y" { OUTYY(("P(dt_dnstap_log_client_response_messages:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) @@ -7133,11 +6820,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7137 "util/configparser.c" +#line 6824 "util/configparser.c" break; - case 601: -#line 3216 "util/configparser.y" + case 640: /* dt_dnstap_log_forwarder_query_messages: VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES STRING_ARG */ +#line 3439 "util/configparser.y" { OUTYY(("P(dt_dnstap_log_forwarder_query_messages:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -7146,11 +6833,11 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7150 "util/configparser.c" +#line 6837 "util/configparser.c" break; - case 602: -#line 3226 "util/configparser.y" + case 641: /* dt_dnstap_log_forwarder_response_messages: VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES STRING_ARG */ +#line 3449 "util/configparser.y" { OUTYY(("P(dt_dnstap_log_forwarder_response_messages:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -7159,47 +6846,49 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7163 "util/configparser.c" +#line 6850 "util/configparser.c" break; - case 603: -#line 3236 "util/configparser.y" - { - OUTYY(("\nP(python:)\n")); + case 642: /* pythonstart: VAR_PYTHON */ +#line 3459 "util/configparser.y" + { + OUTYY(("\nP(python:)\n")); + cfg_parser->started_toplevel = 1; } -#line 7171 "util/configparser.c" +#line 6859 "util/configparser.c" break; - case 607: -#line 3245 "util/configparser.y" + case 646: /* py_script: VAR_PYTHON_SCRIPT STRING_ARG */ +#line 3469 "util/configparser.y" { OUTYY(("P(python-script:%s)\n", (yyvsp0.str))); if(!cfg_strlist_append_ex(&cfg_parser->cfg->python_script, (yyvsp0.str))) yyerror("out of memory"); } -#line 7181 "util/configparser.c" +#line 6869 "util/configparser.c" break; - case 608: -#line 3251 "util/configparser.y" + case 647: /* dynlibstart: VAR_DYNLIB */ +#line 3475 "util/configparser.y" { OUTYY(("\nP(dynlib:)\n")); + cfg_parser->started_toplevel = 1; } -#line 7189 "util/configparser.c" +#line 6878 "util/configparser.c" break; - case 612: -#line 3260 "util/configparser.y" + case 651: /* dl_file: VAR_DYNLIB_FILE STRING_ARG */ +#line 3485 "util/configparser.y" { OUTYY(("P(dynlib-file:%s)\n", (yyvsp0.str))); if(!cfg_strlist_append_ex(&cfg_parser->cfg->dynlib_file, (yyvsp0.str))) yyerror("out of memory"); } -#line 7199 "util/configparser.c" +#line 6888 "util/configparser.c" break; - case 613: -#line 3266 "util/configparser.y" + case 652: /* server_disable_dnssec_lame_check: VAR_DISABLE_DNSSEC_LAME_CHECK STRING_ARG */ +#line 3491 "util/configparser.y" { OUTYY(("P(disable_dnssec_lame_check:%s)\n", (yyvsp0.str))); if (strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -7208,21 +6897,21 @@ (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7212 "util/configparser.c" +#line 6901 "util/configparser.c" break; - case 614: -#line 3276 "util/configparser.y" + case 653: /* server_log_identity: VAR_LOG_IDENTITY STRING_ARG */ +#line 3501 "util/configparser.y" { OUTYY(("P(server_log_identity:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->log_identity); cfg_parser->cfg->log_identity = (yyvsp0.str); } -#line 7222 "util/configparser.c" +#line 6911 "util/configparser.c" break; - case 615: -#line 3283 "util/configparser.y" + case 654: /* server_response_ip: VAR_RESPONSE_IP STRING_ARG STRING_ARG */ +#line 3508 "util/configparser.y" { OUTYY(("P(server_response_ip:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); validate_respip_action((yyvsp0.str)); @@ -7230,30 +6919,31 @@ (yyvsp-1.str), (yyvsp0.str))) fatal_exit("out of memory adding response-ip"); } -#line 7234 "util/configparser.c" +#line 6923 "util/configparser.c" break; - case 616: -#line 3292 "util/configparser.y" + case 655: /* server_response_ip_data: VAR_RESPONSE_IP_DATA STRING_ARG STRING_ARG */ +#line 3517 "util/configparser.y" { OUTYY(("P(server_response_ip_data:%s)\n", (yyvsp-1.str))); if(!cfg_str2list_insert(&cfg_parser->cfg->respip_data, (yyvsp-1.str), (yyvsp0.str))) fatal_exit("out of memory adding response-ip-data"); } -#line 7245 "util/configparser.c" +#line 6934 "util/configparser.c" break; - case 617: -#line 3300 "util/configparser.y" + case 656: /* dnscstart: VAR_DNSCRYPT */ +#line 3525 "util/configparser.y" { OUTYY(("\nP(dnscrypt:)\n")); + cfg_parser->started_toplevel = 1; } -#line 7253 "util/configparser.c" +#line 6943 "util/configparser.c" break; - case 630: -#line 3316 "util/configparser.y" + case 669: /* dnsc_dnscrypt_enable: VAR_DNSCRYPT_ENABLE STRING_ARG */ +#line 3542 "util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_enable:%s)\n", (yyvsp0.str))); if(strcmp((yyvsp0.str), "yes") != 0 && strcmp((yyvsp0.str), "no") != 0) 
@@ -7261,11 +6951,11 @@ else cfg_parser->cfg->dnscrypt = (strcmp((yyvsp0.str), "yes")==0); free((yyvsp0.str)); } -#line 7265 "util/configparser.c" +#line 6955 "util/configparser.c" break; - case 631: -#line 3326 "util/configparser.y" + case 670: /* dnsc_dnscrypt_port: VAR_DNSCRYPT_PORT STRING_ARG */ +#line 3552 "util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_port:%s)\n", (yyvsp0.str))); if(atoi((yyvsp0.str)) == 0) @@ -7273,21 +6963,21 @@ else cfg_parser->cfg->dnscrypt_port = atoi((yyvsp0.str)); free((yyvsp0.str)); } -#line 7277 "util/configparser.c" +#line 6967 "util/configparser.c" break; - case 632: -#line 3335 "util/configparser.y" + case 671: /* dnsc_dnscrypt_provider: VAR_DNSCRYPT_PROVIDER STRING_ARG */ +#line 3561 "util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_provider:%s)\n", (yyvsp0.str))); free(cfg_parser->cfg->dnscrypt_provider); cfg_parser->cfg->dnscrypt_provider = (yyvsp0.str); } -#line 7287 "util/configparser.c" +#line 6977 "util/configparser.c" break; - case 633: -#line 3342 "util/configparser.y" + case 672: /* dnsc_dnscrypt_provider_cert: VAR_DNSCRYPT_PROVIDER_CERT STRING_ARG */ +#line 3568 "util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_provider_cert:%s)\n", (yyvsp0.str))); if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_provider_cert, (yyvsp0.str))) 
@@ -7295,21 +6985,21 @@ if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert, (yyvsp0.str))) fatal_exit("out of memory adding dnscrypt-provider-cert"); } -#line 7299 "util/configparser.c" +#line 6989 "util/configparser.c" break; - case 634: -#line 3351 "util/configparser.y" + case 673: /* dnsc_dnscrypt_provider_cert_rotated: VAR_DNSCRYPT_PROVIDER_CERT_ROTATED STRING_ARG */ +#line 3577 "util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_provider_cert_rotated:%s)\n", (yyvsp0.str))); if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert_rotated, (yyvsp0.str))) fatal_exit("out of memory adding dnscrypt-provider-cert-rotated"); } -#line 7309 "util/configparser.c" +#line 6999 "util/configparser.c" break; - case 635: -#line 3358 "util/configparser.y" + case 674: /* dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG */ +#line 3584 "util/configparser.y" { OUTYY(("P(dnsc_dnscrypt_secret_key:%s)\n", (yyvsp0.str))); if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_secret_key, (yyvsp0.str))) 
@@ -7317,73 +7007,74 @@ if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_secret_key, (yyvsp0.str))) fatal_exit("out of memory adding dnscrypt-secret-key"); } -#line 7321 "util/configparser.c" +#line 7011 "util/configparser.c" break; - case 636: -#line 3367 "util/configparser.y" + case 675: /* dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG */ +#line 3593 "util/configparser.y" { - OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", (yyvsp0.str))); - if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) - yyerror("memory size expected"); - free((yyvsp0.str)); + OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", (yyvsp0.str))); + if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) + yyerror("memory size expected"); + free((yyvsp0.str)); } -#line 7332 "util/configparser.c" +#line 7022 "util/configparser.c" break; - case 637: -#line 3375 "util/configparser.y" + case 676: /* dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG */ +#line 3601 "util/configparser.y" { - OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi((yyvsp0.str)); - if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) - yyerror("must be a power of 2"); - } - free((yyvsp0.str)); + OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi((yyvsp0.str)); + if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) + yyerror("must be a power of 2"); + } + free((yyvsp0.str)); } -#line 7348 "util/configparser.c" +#line 7038 "util/configparser.c" break; - case 638: -#line 3388 "util/configparser.y" + case 677: /* dnsc_dnscrypt_nonce_cache_size: 
VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG */ +#line 3614 "util/configparser.y" { - OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", (yyvsp0.str))); - if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->dnscrypt_nonce_cache_size)) - yyerror("memory size expected"); - free((yyvsp0.str)); + OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", (yyvsp0.str))); + if(!cfg_parse_memsize((yyvsp0.str), &cfg_parser->cfg->dnscrypt_nonce_cache_size)) + yyerror("memory size expected"); + free((yyvsp0.str)); } -#line 7359 "util/configparser.c" +#line 7049 "util/configparser.c" break; - case 639: -#line 3396 "util/configparser.y" + case 678: /* dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG */ +#line 3622 "util/configparser.y" { - OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", (yyvsp0.str))); - if(atoi((yyvsp0.str)) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi((yyvsp0.str)); - if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) - yyerror("must be a power of 2"); - } - free((yyvsp0.str)); + OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", (yyvsp0.str))); + if(atoi((yyvsp0.str)) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi((yyvsp0.str)); + if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) + yyerror("must be a power of 2"); + } + free((yyvsp0.str)); } -#line 7375 "util/configparser.c" +#line 7065 "util/configparser.c" break; - case 640: -#line 3409 "util/configparser.y" + case 679: /* cachedbstart: VAR_CACHEDB */ +#line 3635 "util/configparser.y" { OUTYY(("\nP(cachedb:)\n")); + cfg_parser->started_toplevel = 1; } -#line 7383 "util/configparser.c" +#line 7074 "util/configparser.c" break; - case 649: -#line 3420 "util/configparser.y" + case 688: /* cachedb_backend_name: VAR_CACHEDB_BACKEND STRING_ARG */ +#line 3647 "util/configparser.y" { #ifdef USE_CACHEDB OUTYY(("P(backend:%s)\n", (yyvsp0.str))); 
@@ -7394,11 +7085,11 @@ free((yyvsp0.str)); #endif } -#line 7398 "util/configparser.c" +#line 7089 "util/configparser.c" break; - case 650: -#line 3432 "util/configparser.y" + case 689: /* cachedb_secret_seed: VAR_CACHEDB_SECRETSEED STRING_ARG */ +#line 3659 "util/configparser.y" { #ifdef USE_CACHEDB OUTYY(("P(secret-seed:%s)\n", (yyvsp0.str))); @@ -7409,11 +7100,11 @@ free((yyvsp0.str)); #endif } -#line 7413 "util/configparser.c" +#line 7104 "util/configparser.c" break; - case 651: -#line 3444 "util/configparser.y" + case 690: /* redis_server_host: VAR_CACHEDB_REDISHOST STRING_ARG */ +#line 3671 "util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) OUTYY(("P(redis_server_host:%s)\n", (yyvsp0.str))); @@ -7424,11 +7115,11 @@ free((yyvsp0.str)); #endif } -#line 7428 "util/configparser.c" +#line 7119 "util/configparser.c" break; - case 652: -#line 3456 "util/configparser.y" + case 691: /* redis_server_port: VAR_CACHEDB_REDISPORT STRING_ARG */ +#line 3683 "util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) int port; @@ -7442,11 +7133,11 @@ #endif free((yyvsp0.str)); } -#line 7446 "util/configparser.c" +#line 7137 "util/configparser.c" break; - case 653: -#line 3471 "util/configparser.y" + case 692: /* redis_timeout: VAR_CACHEDB_REDISTIMEOUT STRING_ARG */ +#line 3698 "util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) OUTYY(("P(redis_timeout:%s)\n", (yyvsp0.str))); @@ -7458,11 +7149,11 @@ #endif free((yyvsp0.str)); } -#line 7462 "util/configparser.c" +#line 7153 "util/configparser.c" break; - case 654: -#line 3484 "util/configparser.y" + case 693: /* redis_expire_records: VAR_CACHEDB_REDISEXPIRERECORDS STRING_ARG */ +#line 3711 "util/configparser.y" { #if defined(USE_CACHEDB) && defined(USE_REDIS) OUTYY(("P(redis_expire_records:%s)\n", (yyvsp0.str))); 
@@ -7474,11 +7165,11 @@ #endif free((yyvsp0.str)); } -#line 7478 "util/configparser.c" +#line 7169 "util/configparser.c" break; - case 655: -#line 3497 "util/configparser.y" + case 694: /* server_tcp_connection_limit: VAR_TCP_CONNECTION_LIMIT STRING_ARG STRING_ARG */ +#line 3724 "util/configparser.y" { OUTYY(("P(server_tcp_connection_limit:%s %s)\n", (yyvsp-1.str), (yyvsp0.str))); if (atoi((yyvsp0.str)) < 0) @@ -7488,19 +7179,20 @@ fatal_exit("out of memory adding tcp connection limit"); } } -#line 7492 "util/configparser.c" +#line 7183 "util/configparser.c" break; - case 656: -#line 3508 "util/configparser.y" + case 695: /* ipsetstart: VAR_IPSET */ +#line 3735 "util/configparser.y" { OUTYY(("\nP(ipset:)\n")); + cfg_parser->started_toplevel = 1; } -#line 7500 "util/configparser.c" +#line 7192 "util/configparser.c" break; - case 661: -#line 3517 "util/configparser.y" + case 700: /* ipset_name_v4: VAR_IPSET_NAME_V4 STRING_ARG */ +#line 3745 "util/configparser.y" { #ifdef USE_IPSET OUTYY(("P(name-v4:%s)\n", (yyvsp0.str))); @@ -7514,11 +7206,11 @@ free((yyvsp0.str)); #endif } -#line 7518 "util/configparser.c" +#line 7210 "util/configparser.c" break; - case 662: -#line 3532 "util/configparser.y" + case 701: /* ipset_name_v6: VAR_IPSET_NAME_V6 STRING_ARG */ +#line 3760 "util/configparser.y" { #ifdef USE_IPSET OUTYY(("P(name-v6:%s)\n", (yyvsp0.str))); @@ -7532,11 +7224,11 @@ free((yyvsp0.str)); #endif } -#line 7536 "util/configparser.c" +#line 7228 "util/configparser.c" break; -#line 7540 "util/configparser.c" +#line 7232 "util/configparser.c" default: break; } 
@@ -7696,13 +7388,13 @@ yyexhaustedlab: yyerror (YY_("memory exhausted")); yyresult = 2; - /* Fall through. */ + goto yyreturn; #endif -/*-----------------------------------------------------. -| yyreturn -- parsing is finished, return the result. | -`-----------------------------------------------------*/ +/*-------------------------------------------------------. +| yyreturn -- parsing is finished, clean up and return. | +`-------------------------------------------------------*/ yyreturn: if (yychar != YYEMPTY) { @@ -7730,7 +7422,7 @@ return yyresult; } -#line 3546 "util/configparser.y" +#line 3774 "util/configparser.y" /* parse helper routines could be here */ @@ -7751,4 +7443,19 @@ } } - +static void +validate_acl_action(const char* action) +{ + if(strcmp(action, "deny")!=0 && + strcmp(action, "refuse")!=0 && + strcmp(action, "deny_non_local")!=0 && + strcmp(action, "refuse_non_local")!=0 && + strcmp(action, "allow_setrd")!=0 && + strcmp(action, "allow")!=0 && + strcmp(action, "allow_snoop")!=0) + { + yyerror("expected deny, refuse, deny_non_local, " + "refuse_non_local, allow, allow_setrd or " + "allow_snoop as access control action"); + } +}
_service:tar_scm:unbound-1.13.2.tar.gz/util/configparser.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/configparser.h
Changed
@@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 3.6.4. */ +/* A Bison parser, made by GNU Bison 3.7.6. */ /* Bison interface for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2020 Free Software Foundation, + Copyright (C) 1984, 1989-1990, 2000-2015, 2018-2021 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify @@ -16,7 +16,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. */ + along with this program. If not, see <https://www.gnu.org/licenses/>. */ /* As a special exception, you may create a larger work that contains part or all of the Bison parser skeleton and distribute that work 
@@ -197,182 +197,202 @@ VAR_STUB_SSL_UPSTREAM = 398, /* VAR_STUB_SSL_UPSTREAM */ VAR_FORWARD_SSL_UPSTREAM = 399, /* VAR_FORWARD_SSL_UPSTREAM */ VAR_TLS_CERT_BUNDLE = 400, /* VAR_TLS_CERT_BUNDLE */ - VAR_HTTPS_PORT = 401, /* VAR_HTTPS_PORT */ - VAR_HTTP_ENDPOINT = 402, /* VAR_HTTP_ENDPOINT */ - VAR_HTTP_MAX_STREAMS = 403, /* VAR_HTTP_MAX_STREAMS */ - VAR_HTTP_QUERY_BUFFER_SIZE = 404, /* VAR_HTTP_QUERY_BUFFER_SIZE */ - VAR_HTTP_RESPONSE_BUFFER_SIZE = 405, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ - VAR_HTTP_NODELAY = 406, /* VAR_HTTP_NODELAY */ - VAR_HTTP_NOTLS_DOWNSTREAM = 407, /* VAR_HTTP_NOTLS_DOWNSTREAM */ - VAR_STUB_FIRST = 408, /* VAR_STUB_FIRST */ - VAR_MINIMAL_RESPONSES = 409, /* VAR_MINIMAL_RESPONSES */ - VAR_RRSET_ROUNDROBIN = 410, /* VAR_RRSET_ROUNDROBIN */ - VAR_MAX_UDP_SIZE = 411, /* VAR_MAX_UDP_SIZE */ - VAR_DELAY_CLOSE = 412, /* VAR_DELAY_CLOSE */ - VAR_UDP_CONNECT = 413, /* VAR_UDP_CONNECT */ - VAR_UNBLOCK_LAN_ZONES = 414, /* VAR_UNBLOCK_LAN_ZONES */ - VAR_INSECURE_LAN_ZONES = 415, /* VAR_INSECURE_LAN_ZONES */ - VAR_INFRA_CACHE_MIN_RTT = 416, /* VAR_INFRA_CACHE_MIN_RTT */ - VAR_INFRA_KEEP_PROBING = 417, /* VAR_INFRA_KEEP_PROBING */ - VAR_DNS64_PREFIX = 418, /* VAR_DNS64_PREFIX */ - VAR_DNS64_SYNTHALL = 419, /* VAR_DNS64_SYNTHALL */ - VAR_DNS64_IGNORE_AAAA = 420, /* VAR_DNS64_IGNORE_AAAA */ - VAR_DNSTAP = 421, /* VAR_DNSTAP */ - VAR_DNSTAP_ENABLE = 422, /* VAR_DNSTAP_ENABLE */ - VAR_DNSTAP_SOCKET_PATH = 423, /* VAR_DNSTAP_SOCKET_PATH */ - VAR_DNSTAP_IP = 424, /* VAR_DNSTAP_IP */ - VAR_DNSTAP_TLS = 425, /* VAR_DNSTAP_TLS */ - VAR_DNSTAP_TLS_SERVER_NAME = 426, /* VAR_DNSTAP_TLS_SERVER_NAME */ - VAR_DNSTAP_TLS_CERT_BUNDLE = 427, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ - VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 428, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ - VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 429, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ - VAR_DNSTAP_SEND_IDENTITY = 430, /* VAR_DNSTAP_SEND_IDENTITY */ - VAR_DNSTAP_SEND_VERSION = 431, /* VAR_DNSTAP_SEND_VERSION */ - 
VAR_DNSTAP_BIDIRECTIONAL = 432, /* VAR_DNSTAP_BIDIRECTIONAL */ - VAR_DNSTAP_IDENTITY = 433, /* VAR_DNSTAP_IDENTITY */ - VAR_DNSTAP_VERSION = 434, /* VAR_DNSTAP_VERSION */ - VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 435, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 436, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 437, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 438, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 439, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ - VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 440, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ - VAR_RESPONSE_IP_TAG = 441, /* VAR_RESPONSE_IP_TAG */ - VAR_RESPONSE_IP = 442, /* VAR_RESPONSE_IP */ - VAR_RESPONSE_IP_DATA = 443, /* VAR_RESPONSE_IP_DATA */ - VAR_HARDEN_ALGO_DOWNGRADE = 444, /* VAR_HARDEN_ALGO_DOWNGRADE */ - VAR_IP_TRANSPARENT = 445, /* VAR_IP_TRANSPARENT */ - VAR_IP_DSCP = 446, /* VAR_IP_DSCP */ - VAR_DISABLE_DNSSEC_LAME_CHECK = 447, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ - VAR_IP_RATELIMIT = 448, /* VAR_IP_RATELIMIT */ - VAR_IP_RATELIMIT_SLABS = 449, /* VAR_IP_RATELIMIT_SLABS */ - VAR_IP_RATELIMIT_SIZE = 450, /* VAR_IP_RATELIMIT_SIZE */ - VAR_RATELIMIT = 451, /* VAR_RATELIMIT */ - VAR_RATELIMIT_SLABS = 452, /* VAR_RATELIMIT_SLABS */ - VAR_RATELIMIT_SIZE = 453, /* VAR_RATELIMIT_SIZE */ - VAR_RATELIMIT_FOR_DOMAIN = 454, /* VAR_RATELIMIT_FOR_DOMAIN */ - VAR_RATELIMIT_BELOW_DOMAIN = 455, /* VAR_RATELIMIT_BELOW_DOMAIN */ - VAR_IP_RATELIMIT_FACTOR = 456, /* VAR_IP_RATELIMIT_FACTOR */ - VAR_RATELIMIT_FACTOR = 457, /* VAR_RATELIMIT_FACTOR */ - VAR_SEND_CLIENT_SUBNET = 458, /* VAR_SEND_CLIENT_SUBNET */ - VAR_CLIENT_SUBNET_ZONE = 459, /* VAR_CLIENT_SUBNET_ZONE */ - VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 460, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ - VAR_CLIENT_SUBNET_OPCODE = 461, /* VAR_CLIENT_SUBNET_OPCODE */ - 
VAR_MAX_CLIENT_SUBNET_IPV4 = 462, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ - VAR_MAX_CLIENT_SUBNET_IPV6 = 463, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ - VAR_MIN_CLIENT_SUBNET_IPV4 = 464, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ - VAR_MIN_CLIENT_SUBNET_IPV6 = 465, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ - VAR_MAX_ECS_TREE_SIZE_IPV4 = 466, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ - VAR_MAX_ECS_TREE_SIZE_IPV6 = 467, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ - VAR_CAPS_WHITELIST = 468, /* VAR_CAPS_WHITELIST */ - VAR_CACHE_MAX_NEGATIVE_TTL = 469, /* VAR_CACHE_MAX_NEGATIVE_TTL */ - VAR_PERMIT_SMALL_HOLDDOWN = 470, /* VAR_PERMIT_SMALL_HOLDDOWN */ - VAR_QNAME_MINIMISATION = 471, /* VAR_QNAME_MINIMISATION */ - VAR_QNAME_MINIMISATION_STRICT = 472, /* VAR_QNAME_MINIMISATION_STRICT */ - VAR_IP_FREEBIND = 473, /* VAR_IP_FREEBIND */ - VAR_DEFINE_TAG = 474, /* VAR_DEFINE_TAG */ - VAR_LOCAL_ZONE_TAG = 475, /* VAR_LOCAL_ZONE_TAG */ - VAR_ACCESS_CONTROL_TAG = 476, /* VAR_ACCESS_CONTROL_TAG */ - VAR_LOCAL_ZONE_OVERRIDE = 477, /* VAR_LOCAL_ZONE_OVERRIDE */ - VAR_ACCESS_CONTROL_TAG_ACTION = 478, /* VAR_ACCESS_CONTROL_TAG_ACTION */ - VAR_ACCESS_CONTROL_TAG_DATA = 479, /* VAR_ACCESS_CONTROL_TAG_DATA */ - VAR_VIEW = 480, /* VAR_VIEW */ - VAR_ACCESS_CONTROL_VIEW = 481, /* VAR_ACCESS_CONTROL_VIEW */ - VAR_VIEW_FIRST = 482, /* VAR_VIEW_FIRST */ - VAR_SERVE_EXPIRED = 483, /* VAR_SERVE_EXPIRED */ - VAR_SERVE_EXPIRED_TTL = 484, /* VAR_SERVE_EXPIRED_TTL */ - VAR_SERVE_EXPIRED_TTL_RESET = 485, /* VAR_SERVE_EXPIRED_TTL_RESET */ - VAR_SERVE_EXPIRED_REPLY_TTL = 486, /* VAR_SERVE_EXPIRED_REPLY_TTL */ - VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 487, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ - VAR_SERVE_ORIGINAL_TTL = 488, /* VAR_SERVE_ORIGINAL_TTL */ - VAR_FAKE_DSA = 489, /* VAR_FAKE_DSA */ - VAR_FAKE_SHA1 = 490, /* VAR_FAKE_SHA1 */ - VAR_LOG_IDENTITY = 491, /* VAR_LOG_IDENTITY */ - VAR_HIDE_TRUSTANCHOR = 492, /* VAR_HIDE_TRUSTANCHOR */ - VAR_HIDE_HTTP_USER_AGENT = 493, /* VAR_HIDE_HTTP_USER_AGENT */ - VAR_HTTP_USER_AGENT = 494, /* VAR_HTTP_USER_AGENT */ - 
VAR_TRUST_ANCHOR_SIGNALING = 495, /* VAR_TRUST_ANCHOR_SIGNALING */ - VAR_AGGRESSIVE_NSEC = 496, /* VAR_AGGRESSIVE_NSEC */ - VAR_USE_SYSTEMD = 497, /* VAR_USE_SYSTEMD */ - VAR_SHM_ENABLE = 498, /* VAR_SHM_ENABLE */ - VAR_SHM_KEY = 499, /* VAR_SHM_KEY */ - VAR_ROOT_KEY_SENTINEL = 500, /* VAR_ROOT_KEY_SENTINEL */ - VAR_DNSCRYPT = 501, /* VAR_DNSCRYPT */ - VAR_DNSCRYPT_ENABLE = 502, /* VAR_DNSCRYPT_ENABLE */ - VAR_DNSCRYPT_PORT = 503, /* VAR_DNSCRYPT_PORT */ - VAR_DNSCRYPT_PROVIDER = 504, /* VAR_DNSCRYPT_PROVIDER */ - VAR_DNSCRYPT_SECRET_KEY = 505, /* VAR_DNSCRYPT_SECRET_KEY */ - VAR_DNSCRYPT_PROVIDER_CERT = 506, /* VAR_DNSCRYPT_PROVIDER_CERT */ - VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 507, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 508, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ - VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 509, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ - VAR_DNSCRYPT_NONCE_CACHE_SIZE = 510, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ - VAR_DNSCRYPT_NONCE_CACHE_SLABS = 511, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ - VAR_PAD_RESPONSES = 512, /* VAR_PAD_RESPONSES */ - VAR_PAD_RESPONSES_BLOCK_SIZE = 513, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ - VAR_PAD_QUERIES = 514, /* VAR_PAD_QUERIES */ - VAR_PAD_QUERIES_BLOCK_SIZE = 515, /* VAR_PAD_QUERIES_BLOCK_SIZE */ - VAR_IPSECMOD_ENABLED = 516, /* VAR_IPSECMOD_ENABLED */ - VAR_IPSECMOD_HOOK = 517, /* VAR_IPSECMOD_HOOK */ - VAR_IPSECMOD_IGNORE_BOGUS = 518, /* VAR_IPSECMOD_IGNORE_BOGUS */ - VAR_IPSECMOD_MAX_TTL = 519, /* VAR_IPSECMOD_MAX_TTL */ - VAR_IPSECMOD_WHITELIST = 520, /* VAR_IPSECMOD_WHITELIST */ - VAR_IPSECMOD_STRICT = 521, /* VAR_IPSECMOD_STRICT */ - VAR_CACHEDB = 522, /* VAR_CACHEDB */ - VAR_CACHEDB_BACKEND = 523, /* VAR_CACHEDB_BACKEND */ - VAR_CACHEDB_SECRETSEED = 524, /* VAR_CACHEDB_SECRETSEED */ - VAR_CACHEDB_REDISHOST = 525, /* VAR_CACHEDB_REDISHOST */ - VAR_CACHEDB_REDISPORT = 526, /* VAR_CACHEDB_REDISPORT */ - VAR_CACHEDB_REDISTIMEOUT = 527, /* VAR_CACHEDB_REDISTIMEOUT */ - 
VAR_CACHEDB_REDISEXPIRERECORDS = 528, /* VAR_CACHEDB_REDISEXPIRERECORDS */ - VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 529, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ - VAR_FOR_UPSTREAM = 530, /* VAR_FOR_UPSTREAM */ - VAR_AUTH_ZONE = 531, /* VAR_AUTH_ZONE */ - VAR_ZONEFILE = 532, /* VAR_ZONEFILE */ - VAR_MASTER = 533, /* VAR_MASTER */ - VAR_URL = 534, /* VAR_URL */ - VAR_FOR_DOWNSTREAM = 535, /* VAR_FOR_DOWNSTREAM */ - VAR_FALLBACK_ENABLED = 536, /* VAR_FALLBACK_ENABLED */ - VAR_TLS_ADDITIONAL_PORT = 537, /* VAR_TLS_ADDITIONAL_PORT */ - VAR_LOW_RTT = 538, /* VAR_LOW_RTT */ - VAR_LOW_RTT_PERMIL = 539, /* VAR_LOW_RTT_PERMIL */ - VAR_FAST_SERVER_PERMIL = 540, /* VAR_FAST_SERVER_PERMIL */ - VAR_FAST_SERVER_NUM = 541, /* VAR_FAST_SERVER_NUM */ - VAR_ALLOW_NOTIFY = 542, /* VAR_ALLOW_NOTIFY */ - VAR_TLS_WIN_CERT = 543, /* VAR_TLS_WIN_CERT */ - VAR_TCP_CONNECTION_LIMIT = 544, /* VAR_TCP_CONNECTION_LIMIT */ - VAR_FORWARD_NO_CACHE = 545, /* VAR_FORWARD_NO_CACHE */ - VAR_STUB_NO_CACHE = 546, /* VAR_STUB_NO_CACHE */ - VAR_LOG_SERVFAIL = 547, /* VAR_LOG_SERVFAIL */ - VAR_DENY_ANY = 548, /* VAR_DENY_ANY */ - VAR_UNKNOWN_SERVER_TIME_LIMIT = 549, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ - VAR_LOG_TAG_QUERYREPLY = 550, /* VAR_LOG_TAG_QUERYREPLY */ - VAR_STREAM_WAIT_SIZE = 551, /* VAR_STREAM_WAIT_SIZE */ - VAR_TLS_CIPHERS = 552, /* VAR_TLS_CIPHERS */ - VAR_TLS_CIPHERSUITES = 553, /* VAR_TLS_CIPHERSUITES */ - VAR_TLS_USE_SNI = 554, /* VAR_TLS_USE_SNI */ - VAR_IPSET = 555, /* VAR_IPSET */ - VAR_IPSET_NAME_V4 = 556, /* VAR_IPSET_NAME_V4 */ - VAR_IPSET_NAME_V6 = 557, /* VAR_IPSET_NAME_V6 */ - VAR_TLS_SESSION_TICKET_KEYS = 558, /* VAR_TLS_SESSION_TICKET_KEYS */ - VAR_RPZ = 559, /* VAR_RPZ */ - VAR_TAGS = 560, /* VAR_TAGS */ - VAR_RPZ_ACTION_OVERRIDE = 561, /* VAR_RPZ_ACTION_OVERRIDE */ - VAR_RPZ_CNAME_OVERRIDE = 562, /* VAR_RPZ_CNAME_OVERRIDE */ - VAR_RPZ_LOG = 563, /* VAR_RPZ_LOG */ - VAR_RPZ_LOG_NAME = 564, /* VAR_RPZ_LOG_NAME */ - VAR_DYNLIB = 565, /* VAR_DYNLIB */ - VAR_DYNLIB_FILE = 566, /* 
VAR_DYNLIB_FILE */ - VAR_EDNS_CLIENT_STRING = 567, /* VAR_EDNS_CLIENT_STRING */ - VAR_EDNS_CLIENT_STRING_OPCODE = 568, /* VAR_EDNS_CLIENT_STRING_OPCODE */ - VAR_NSID = 569, /* VAR_NSID */ - VAR_ZONEMD_PERMISSIVE_MODE = 570, /* VAR_ZONEMD_PERMISSIVE_MODE */ - VAR_ZONEMD_CHECK = 571, /* VAR_ZONEMD_CHECK */ - VAR_ZONEMD_REJECT_ABSENCE = 572 /* VAR_ZONEMD_REJECT_ABSENCE */ + VAR_STUB_TCP_UPSTREAM = 401, /* VAR_STUB_TCP_UPSTREAM */ + VAR_FORWARD_TCP_UPSTREAM = 402, /* VAR_FORWARD_TCP_UPSTREAM */ + VAR_HTTPS_PORT = 403, /* VAR_HTTPS_PORT */ + VAR_HTTP_ENDPOINT = 404, /* VAR_HTTP_ENDPOINT */ + VAR_HTTP_MAX_STREAMS = 405, /* VAR_HTTP_MAX_STREAMS */ + VAR_HTTP_QUERY_BUFFER_SIZE = 406, /* VAR_HTTP_QUERY_BUFFER_SIZE */ + VAR_HTTP_RESPONSE_BUFFER_SIZE = 407, /* VAR_HTTP_RESPONSE_BUFFER_SIZE */ + VAR_HTTP_NODELAY = 408, /* VAR_HTTP_NODELAY */ + VAR_HTTP_NOTLS_DOWNSTREAM = 409, /* VAR_HTTP_NOTLS_DOWNSTREAM */ + VAR_STUB_FIRST = 410, /* VAR_STUB_FIRST */ + VAR_MINIMAL_RESPONSES = 411, /* VAR_MINIMAL_RESPONSES */ + VAR_RRSET_ROUNDROBIN = 412, /* VAR_RRSET_ROUNDROBIN */ + VAR_MAX_UDP_SIZE = 413, /* VAR_MAX_UDP_SIZE */ + VAR_DELAY_CLOSE = 414, /* VAR_DELAY_CLOSE */ + VAR_UDP_CONNECT = 415, /* VAR_UDP_CONNECT */ + VAR_UNBLOCK_LAN_ZONES = 416, /* VAR_UNBLOCK_LAN_ZONES */ + VAR_INSECURE_LAN_ZONES = 417, /* VAR_INSECURE_LAN_ZONES */ + VAR_INFRA_CACHE_MIN_RTT = 418, /* VAR_INFRA_CACHE_MIN_RTT */ + VAR_INFRA_CACHE_MAX_RTT = 419, /* VAR_INFRA_CACHE_MAX_RTT */ + VAR_INFRA_KEEP_PROBING = 420, /* VAR_INFRA_KEEP_PROBING */ + VAR_DNS64_PREFIX = 421, /* VAR_DNS64_PREFIX */ + VAR_DNS64_SYNTHALL = 422, /* VAR_DNS64_SYNTHALL */ + VAR_DNS64_IGNORE_AAAA = 423, /* VAR_DNS64_IGNORE_AAAA */ + VAR_DNSTAP = 424, /* VAR_DNSTAP */ + VAR_DNSTAP_ENABLE = 425, /* VAR_DNSTAP_ENABLE */ + VAR_DNSTAP_SOCKET_PATH = 426, /* VAR_DNSTAP_SOCKET_PATH */ + VAR_DNSTAP_IP = 427, /* VAR_DNSTAP_IP */ + VAR_DNSTAP_TLS = 428, /* VAR_DNSTAP_TLS */ + VAR_DNSTAP_TLS_SERVER_NAME = 429, /* VAR_DNSTAP_TLS_SERVER_NAME */ + 
VAR_DNSTAP_TLS_CERT_BUNDLE = 430, /* VAR_DNSTAP_TLS_CERT_BUNDLE */ + VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 431, /* VAR_DNSTAP_TLS_CLIENT_KEY_FILE */ + VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 432, /* VAR_DNSTAP_TLS_CLIENT_CERT_FILE */ + VAR_DNSTAP_SEND_IDENTITY = 433, /* VAR_DNSTAP_SEND_IDENTITY */ + VAR_DNSTAP_SEND_VERSION = 434, /* VAR_DNSTAP_SEND_VERSION */ + VAR_DNSTAP_BIDIRECTIONAL = 435, /* VAR_DNSTAP_BIDIRECTIONAL */ + VAR_DNSTAP_IDENTITY = 436, /* VAR_DNSTAP_IDENTITY */ + VAR_DNSTAP_VERSION = 437, /* VAR_DNSTAP_VERSION */ + VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 438, /* VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES */ + VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 439, /* VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES */ + VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 440, /* VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES */ + VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 441, /* VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES */ + VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 442, /* VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES */ + VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 443, /* VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES */ + VAR_RESPONSE_IP_TAG = 444, /* VAR_RESPONSE_IP_TAG */ + VAR_RESPONSE_IP = 445, /* VAR_RESPONSE_IP */ + VAR_RESPONSE_IP_DATA = 446, /* VAR_RESPONSE_IP_DATA */ + VAR_HARDEN_ALGO_DOWNGRADE = 447, /* VAR_HARDEN_ALGO_DOWNGRADE */ + VAR_IP_TRANSPARENT = 448, /* VAR_IP_TRANSPARENT */ + VAR_IP_DSCP = 449, /* VAR_IP_DSCP */ + VAR_DISABLE_DNSSEC_LAME_CHECK = 450, /* VAR_DISABLE_DNSSEC_LAME_CHECK */ + VAR_IP_RATELIMIT = 451, /* VAR_IP_RATELIMIT */ + VAR_IP_RATELIMIT_SLABS = 452, /* VAR_IP_RATELIMIT_SLABS */ + VAR_IP_RATELIMIT_SIZE = 453, /* VAR_IP_RATELIMIT_SIZE */ + VAR_RATELIMIT = 454, /* VAR_RATELIMIT */ + VAR_RATELIMIT_SLABS = 455, /* VAR_RATELIMIT_SLABS */ + VAR_RATELIMIT_SIZE = 456, /* VAR_RATELIMIT_SIZE */ + VAR_OUTBOUND_MSG_RETRY = 457, /* VAR_OUTBOUND_MSG_RETRY */ + VAR_MAX_SENT_COUNT = 458, /* VAR_MAX_SENT_COUNT */ + VAR_MAX_QUERY_RESTARTS = 459, /* VAR_MAX_QUERY_RESTARTS */ + 
VAR_RATELIMIT_FOR_DOMAIN = 460, /* VAR_RATELIMIT_FOR_DOMAIN */ + VAR_RATELIMIT_BELOW_DOMAIN = 461, /* VAR_RATELIMIT_BELOW_DOMAIN */ + VAR_IP_RATELIMIT_FACTOR = 462, /* VAR_IP_RATELIMIT_FACTOR */ + VAR_RATELIMIT_FACTOR = 463, /* VAR_RATELIMIT_FACTOR */ + VAR_IP_RATELIMIT_BACKOFF = 464, /* VAR_IP_RATELIMIT_BACKOFF */ + VAR_RATELIMIT_BACKOFF = 465, /* VAR_RATELIMIT_BACKOFF */ + VAR_SEND_CLIENT_SUBNET = 466, /* VAR_SEND_CLIENT_SUBNET */ + VAR_CLIENT_SUBNET_ZONE = 467, /* VAR_CLIENT_SUBNET_ZONE */ + VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 468, /* VAR_CLIENT_SUBNET_ALWAYS_FORWARD */ + VAR_CLIENT_SUBNET_OPCODE = 469, /* VAR_CLIENT_SUBNET_OPCODE */ + VAR_MAX_CLIENT_SUBNET_IPV4 = 470, /* VAR_MAX_CLIENT_SUBNET_IPV4 */ + VAR_MAX_CLIENT_SUBNET_IPV6 = 471, /* VAR_MAX_CLIENT_SUBNET_IPV6 */ + VAR_MIN_CLIENT_SUBNET_IPV4 = 472, /* VAR_MIN_CLIENT_SUBNET_IPV4 */ + VAR_MIN_CLIENT_SUBNET_IPV6 = 473, /* VAR_MIN_CLIENT_SUBNET_IPV6 */ + VAR_MAX_ECS_TREE_SIZE_IPV4 = 474, /* VAR_MAX_ECS_TREE_SIZE_IPV4 */ + VAR_MAX_ECS_TREE_SIZE_IPV6 = 475, /* VAR_MAX_ECS_TREE_SIZE_IPV6 */ + VAR_CAPS_WHITELIST = 476, /* VAR_CAPS_WHITELIST */ + VAR_CACHE_MAX_NEGATIVE_TTL = 477, /* VAR_CACHE_MAX_NEGATIVE_TTL */ + VAR_PERMIT_SMALL_HOLDDOWN = 478, /* VAR_PERMIT_SMALL_HOLDDOWN */ + VAR_QNAME_MINIMISATION = 479, /* VAR_QNAME_MINIMISATION */ + VAR_QNAME_MINIMISATION_STRICT = 480, /* VAR_QNAME_MINIMISATION_STRICT */ + VAR_IP_FREEBIND = 481, /* VAR_IP_FREEBIND */ + VAR_DEFINE_TAG = 482, /* VAR_DEFINE_TAG */ + VAR_LOCAL_ZONE_TAG = 483, /* VAR_LOCAL_ZONE_TAG */ + VAR_ACCESS_CONTROL_TAG = 484, /* VAR_ACCESS_CONTROL_TAG */ + VAR_LOCAL_ZONE_OVERRIDE = 485, /* VAR_LOCAL_ZONE_OVERRIDE */ + VAR_ACCESS_CONTROL_TAG_ACTION = 486, /* VAR_ACCESS_CONTROL_TAG_ACTION */ + VAR_ACCESS_CONTROL_TAG_DATA = 487, /* VAR_ACCESS_CONTROL_TAG_DATA */ + VAR_VIEW = 488, /* VAR_VIEW */ + VAR_ACCESS_CONTROL_VIEW = 489, /* VAR_ACCESS_CONTROL_VIEW */ + VAR_VIEW_FIRST = 490, /* VAR_VIEW_FIRST */ + VAR_SERVE_EXPIRED = 491, /* VAR_SERVE_EXPIRED */ + 
VAR_SERVE_EXPIRED_TTL = 492, /* VAR_SERVE_EXPIRED_TTL */ + VAR_SERVE_EXPIRED_TTL_RESET = 493, /* VAR_SERVE_EXPIRED_TTL_RESET */ + VAR_SERVE_EXPIRED_REPLY_TTL = 494, /* VAR_SERVE_EXPIRED_REPLY_TTL */ + VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 495, /* VAR_SERVE_EXPIRED_CLIENT_TIMEOUT */ + VAR_EDE_SERVE_EXPIRED = 496, /* VAR_EDE_SERVE_EXPIRED */ + VAR_SERVE_ORIGINAL_TTL = 497, /* VAR_SERVE_ORIGINAL_TTL */ + VAR_FAKE_DSA = 498, /* VAR_FAKE_DSA */ + VAR_FAKE_SHA1 = 499, /* VAR_FAKE_SHA1 */ + VAR_LOG_IDENTITY = 500, /* VAR_LOG_IDENTITY */ + VAR_HIDE_TRUSTANCHOR = 501, /* VAR_HIDE_TRUSTANCHOR */ + VAR_HIDE_HTTP_USER_AGENT = 502, /* VAR_HIDE_HTTP_USER_AGENT */ + VAR_HTTP_USER_AGENT = 503, /* VAR_HTTP_USER_AGENT */ + VAR_TRUST_ANCHOR_SIGNALING = 504, /* VAR_TRUST_ANCHOR_SIGNALING */ + VAR_AGGRESSIVE_NSEC = 505, /* VAR_AGGRESSIVE_NSEC */ + VAR_USE_SYSTEMD = 506, /* VAR_USE_SYSTEMD */ + VAR_SHM_ENABLE = 507, /* VAR_SHM_ENABLE */ + VAR_SHM_KEY = 508, /* VAR_SHM_KEY */ + VAR_ROOT_KEY_SENTINEL = 509, /* VAR_ROOT_KEY_SENTINEL */ + VAR_DNSCRYPT = 510, /* VAR_DNSCRYPT */ + VAR_DNSCRYPT_ENABLE = 511, /* VAR_DNSCRYPT_ENABLE */ + VAR_DNSCRYPT_PORT = 512, /* VAR_DNSCRYPT_PORT */ + VAR_DNSCRYPT_PROVIDER = 513, /* VAR_DNSCRYPT_PROVIDER */ + VAR_DNSCRYPT_SECRET_KEY = 514, /* VAR_DNSCRYPT_SECRET_KEY */ + VAR_DNSCRYPT_PROVIDER_CERT = 515, /* VAR_DNSCRYPT_PROVIDER_CERT */ + VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 516, /* VAR_DNSCRYPT_PROVIDER_CERT_ROTATED */ + VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 517, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE */ + VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 518, /* VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS */ + VAR_DNSCRYPT_NONCE_CACHE_SIZE = 519, /* VAR_DNSCRYPT_NONCE_CACHE_SIZE */ + VAR_DNSCRYPT_NONCE_CACHE_SLABS = 520, /* VAR_DNSCRYPT_NONCE_CACHE_SLABS */ + VAR_PAD_RESPONSES = 521, /* VAR_PAD_RESPONSES */ + VAR_PAD_RESPONSES_BLOCK_SIZE = 522, /* VAR_PAD_RESPONSES_BLOCK_SIZE */ + VAR_PAD_QUERIES = 523, /* VAR_PAD_QUERIES */ + VAR_PAD_QUERIES_BLOCK_SIZE = 524, /* 
VAR_PAD_QUERIES_BLOCK_SIZE */ + VAR_IPSECMOD_ENABLED = 525, /* VAR_IPSECMOD_ENABLED */ + VAR_IPSECMOD_HOOK = 526, /* VAR_IPSECMOD_HOOK */ + VAR_IPSECMOD_IGNORE_BOGUS = 527, /* VAR_IPSECMOD_IGNORE_BOGUS */ + VAR_IPSECMOD_MAX_TTL = 528, /* VAR_IPSECMOD_MAX_TTL */ + VAR_IPSECMOD_WHITELIST = 529, /* VAR_IPSECMOD_WHITELIST */ + VAR_IPSECMOD_STRICT = 530, /* VAR_IPSECMOD_STRICT */ + VAR_CACHEDB = 531, /* VAR_CACHEDB */ + VAR_CACHEDB_BACKEND = 532, /* VAR_CACHEDB_BACKEND */ + VAR_CACHEDB_SECRETSEED = 533, /* VAR_CACHEDB_SECRETSEED */ + VAR_CACHEDB_REDISHOST = 534, /* VAR_CACHEDB_REDISHOST */ + VAR_CACHEDB_REDISPORT = 535, /* VAR_CACHEDB_REDISPORT */ + VAR_CACHEDB_REDISTIMEOUT = 536, /* VAR_CACHEDB_REDISTIMEOUT */ + VAR_CACHEDB_REDISEXPIRERECORDS = 537, /* VAR_CACHEDB_REDISEXPIRERECORDS */ + VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 538, /* VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM */ + VAR_FOR_UPSTREAM = 539, /* VAR_FOR_UPSTREAM */ + VAR_AUTH_ZONE = 540, /* VAR_AUTH_ZONE */ + VAR_ZONEFILE = 541, /* VAR_ZONEFILE */ + VAR_MASTER = 542, /* VAR_MASTER */ + VAR_URL = 543, /* VAR_URL */ + VAR_FOR_DOWNSTREAM = 544, /* VAR_FOR_DOWNSTREAM */ + VAR_FALLBACK_ENABLED = 545, /* VAR_FALLBACK_ENABLED */ + VAR_TLS_ADDITIONAL_PORT = 546, /* VAR_TLS_ADDITIONAL_PORT */ + VAR_LOW_RTT = 547, /* VAR_LOW_RTT */ + VAR_LOW_RTT_PERMIL = 548, /* VAR_LOW_RTT_PERMIL */ + VAR_FAST_SERVER_PERMIL = 549, /* VAR_FAST_SERVER_PERMIL */ + VAR_FAST_SERVER_NUM = 550, /* VAR_FAST_SERVER_NUM */ + VAR_ALLOW_NOTIFY = 551, /* VAR_ALLOW_NOTIFY */ + VAR_TLS_WIN_CERT = 552, /* VAR_TLS_WIN_CERT */ + VAR_TCP_CONNECTION_LIMIT = 553, /* VAR_TCP_CONNECTION_LIMIT */ + VAR_FORWARD_NO_CACHE = 554, /* VAR_FORWARD_NO_CACHE */ + VAR_STUB_NO_CACHE = 555, /* VAR_STUB_NO_CACHE */ + VAR_LOG_SERVFAIL = 556, /* VAR_LOG_SERVFAIL */ + VAR_DENY_ANY = 557, /* VAR_DENY_ANY */ + VAR_UNKNOWN_SERVER_TIME_LIMIT = 558, /* VAR_UNKNOWN_SERVER_TIME_LIMIT */ + VAR_LOG_TAG_QUERYREPLY = 559, /* VAR_LOG_TAG_QUERYREPLY */ + VAR_STREAM_WAIT_SIZE = 560, /* 
VAR_STREAM_WAIT_SIZE */ + VAR_TLS_CIPHERS = 561, /* VAR_TLS_CIPHERS */ + VAR_TLS_CIPHERSUITES = 562, /* VAR_TLS_CIPHERSUITES */ + VAR_TLS_USE_SNI = 563, /* VAR_TLS_USE_SNI */ + VAR_IPSET = 564, /* VAR_IPSET */ + VAR_IPSET_NAME_V4 = 565, /* VAR_IPSET_NAME_V4 */ + VAR_IPSET_NAME_V6 = 566, /* VAR_IPSET_NAME_V6 */ + VAR_TLS_SESSION_TICKET_KEYS = 567, /* VAR_TLS_SESSION_TICKET_KEYS */ + VAR_RPZ = 568, /* VAR_RPZ */ + VAR_TAGS = 569, /* VAR_TAGS */ + VAR_RPZ_ACTION_OVERRIDE = 570, /* VAR_RPZ_ACTION_OVERRIDE */ + VAR_RPZ_CNAME_OVERRIDE = 571, /* VAR_RPZ_CNAME_OVERRIDE */ + VAR_RPZ_LOG = 572, /* VAR_RPZ_LOG */ + VAR_RPZ_LOG_NAME = 573, /* VAR_RPZ_LOG_NAME */ + VAR_DYNLIB = 574, /* VAR_DYNLIB */ + VAR_DYNLIB_FILE = 575, /* VAR_DYNLIB_FILE */ + VAR_EDNS_CLIENT_STRING = 576, /* VAR_EDNS_CLIENT_STRING */ + VAR_EDNS_CLIENT_STRING_OPCODE = 577, /* VAR_EDNS_CLIENT_STRING_OPCODE */ + VAR_NSID = 578, /* VAR_NSID */ + VAR_ZONEMD_PERMISSIVE_MODE = 579, /* VAR_ZONEMD_PERMISSIVE_MODE */ + VAR_ZONEMD_CHECK = 580, /* VAR_ZONEMD_CHECK */ + VAR_ZONEMD_REJECT_ABSENCE = 581, /* VAR_ZONEMD_REJECT_ABSENCE */ + VAR_RPZ_SIGNAL_NXDOMAIN_RA = 582, /* VAR_RPZ_SIGNAL_NXDOMAIN_RA */ + VAR_INTERFACE_AUTOMATIC_PORTS = 583, /* VAR_INTERFACE_AUTOMATIC_PORTS */ + VAR_EDE = 584, /* VAR_EDE */ + VAR_INTERFACE_ACTION = 585, /* VAR_INTERFACE_ACTION */ + VAR_INTERFACE_VIEW = 586, /* VAR_INTERFACE_VIEW */ + VAR_INTERFACE_TAG = 587, /* VAR_INTERFACE_TAG */ + VAR_INTERFACE_TAG_ACTION = 588, /* VAR_INTERFACE_TAG_ACTION */ + VAR_INTERFACE_TAG_DATA = 589, /* VAR_INTERFACE_TAG_DATA */ + VAR_PROXY_PROTOCOL_PORT = 590, /* VAR_PROXY_PROTOCOL_PORT */ + VAR_STATISTICS_INHIBIT_ZERO = 591 /* VAR_STATISTICS_INHIBIT_ZERO */ }; typedef enum yytokentype yytoken_kind_t; #endif /* Token kinds. */ +#define YYEMPTY -2 #define YYEOF 0 #define YYerror 256 #define YYUNDEF 257 
@@ -519,188 +539,207 @@ #define VAR_STUB_SSL_UPSTREAM 398 #define VAR_FORWARD_SSL_UPSTREAM 399 #define VAR_TLS_CERT_BUNDLE 400 -#define VAR_HTTPS_PORT 401 -#define VAR_HTTP_ENDPOINT 402 -#define VAR_HTTP_MAX_STREAMS 403 -#define VAR_HTTP_QUERY_BUFFER_SIZE 404 -#define VAR_HTTP_RESPONSE_BUFFER_SIZE 405 -#define VAR_HTTP_NODELAY 406 -#define VAR_HTTP_NOTLS_DOWNSTREAM 407 -#define VAR_STUB_FIRST 408 -#define VAR_MINIMAL_RESPONSES 409 -#define VAR_RRSET_ROUNDROBIN 410 -#define VAR_MAX_UDP_SIZE 411 -#define VAR_DELAY_CLOSE 412 -#define VAR_UDP_CONNECT 413 -#define VAR_UNBLOCK_LAN_ZONES 414 -#define VAR_INSECURE_LAN_ZONES 415 -#define VAR_INFRA_CACHE_MIN_RTT 416 -#define VAR_INFRA_KEEP_PROBING 417 -#define VAR_DNS64_PREFIX 418 -#define VAR_DNS64_SYNTHALL 419 -#define VAR_DNS64_IGNORE_AAAA 420 -#define VAR_DNSTAP 421 -#define VAR_DNSTAP_ENABLE 422 -#define VAR_DNSTAP_SOCKET_PATH 423 -#define VAR_DNSTAP_IP 424 -#define VAR_DNSTAP_TLS 425 -#define VAR_DNSTAP_TLS_SERVER_NAME 426 -#define VAR_DNSTAP_TLS_CERT_BUNDLE 427 -#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 428 -#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 429 -#define VAR_DNSTAP_SEND_IDENTITY 430 -#define VAR_DNSTAP_SEND_VERSION 431 -#define VAR_DNSTAP_BIDIRECTIONAL 432 -#define VAR_DNSTAP_IDENTITY 433 -#define VAR_DNSTAP_VERSION 434 -#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 435 -#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 436 -#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 437 -#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 438 -#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 439 -#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 440 -#define VAR_RESPONSE_IP_TAG 441 -#define VAR_RESPONSE_IP 442 -#define VAR_RESPONSE_IP_DATA 443 -#define VAR_HARDEN_ALGO_DOWNGRADE 444 -#define VAR_IP_TRANSPARENT 445 -#define VAR_IP_DSCP 446 -#define VAR_DISABLE_DNSSEC_LAME_CHECK 447 -#define VAR_IP_RATELIMIT 448 -#define VAR_IP_RATELIMIT_SLABS 449 -#define VAR_IP_RATELIMIT_SIZE 450 -#define VAR_RATELIMIT 451 -#define 
VAR_RATELIMIT_SLABS 452 -#define VAR_RATELIMIT_SIZE 453 -#define VAR_RATELIMIT_FOR_DOMAIN 454 -#define VAR_RATELIMIT_BELOW_DOMAIN 455 -#define VAR_IP_RATELIMIT_FACTOR 456 -#define VAR_RATELIMIT_FACTOR 457 -#define VAR_SEND_CLIENT_SUBNET 458 -#define VAR_CLIENT_SUBNET_ZONE 459 -#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 460 -#define VAR_CLIENT_SUBNET_OPCODE 461 -#define VAR_MAX_CLIENT_SUBNET_IPV4 462 -#define VAR_MAX_CLIENT_SUBNET_IPV6 463 -#define VAR_MIN_CLIENT_SUBNET_IPV4 464 -#define VAR_MIN_CLIENT_SUBNET_IPV6 465 -#define VAR_MAX_ECS_TREE_SIZE_IPV4 466 -#define VAR_MAX_ECS_TREE_SIZE_IPV6 467 -#define VAR_CAPS_WHITELIST 468 -#define VAR_CACHE_MAX_NEGATIVE_TTL 469 -#define VAR_PERMIT_SMALL_HOLDDOWN 470 -#define VAR_QNAME_MINIMISATION 471 -#define VAR_QNAME_MINIMISATION_STRICT 472 -#define VAR_IP_FREEBIND 473 -#define VAR_DEFINE_TAG 474 -#define VAR_LOCAL_ZONE_TAG 475 -#define VAR_ACCESS_CONTROL_TAG 476 -#define VAR_LOCAL_ZONE_OVERRIDE 477 -#define VAR_ACCESS_CONTROL_TAG_ACTION 478 -#define VAR_ACCESS_CONTROL_TAG_DATA 479 -#define VAR_VIEW 480 -#define VAR_ACCESS_CONTROL_VIEW 481 -#define VAR_VIEW_FIRST 482 -#define VAR_SERVE_EXPIRED 483 -#define VAR_SERVE_EXPIRED_TTL 484 -#define VAR_SERVE_EXPIRED_TTL_RESET 485 -#define VAR_SERVE_EXPIRED_REPLY_TTL 486 -#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 487 -#define VAR_SERVE_ORIGINAL_TTL 488 -#define VAR_FAKE_DSA 489 -#define VAR_FAKE_SHA1 490 -#define VAR_LOG_IDENTITY 491 -#define VAR_HIDE_TRUSTANCHOR 492 -#define VAR_HIDE_HTTP_USER_AGENT 493 -#define VAR_HTTP_USER_AGENT 494 -#define VAR_TRUST_ANCHOR_SIGNALING 495 -#define VAR_AGGRESSIVE_NSEC 496 -#define VAR_USE_SYSTEMD 497 -#define VAR_SHM_ENABLE 498 -#define VAR_SHM_KEY 499 -#define VAR_ROOT_KEY_SENTINEL 500 -#define VAR_DNSCRYPT 501 -#define VAR_DNSCRYPT_ENABLE 502 -#define VAR_DNSCRYPT_PORT 503 -#define VAR_DNSCRYPT_PROVIDER 504 -#define VAR_DNSCRYPT_SECRET_KEY 505 -#define VAR_DNSCRYPT_PROVIDER_CERT 506 -#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 507 -#define 
VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 508 -#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 509 -#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 510 -#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 511 -#define VAR_PAD_RESPONSES 512 -#define VAR_PAD_RESPONSES_BLOCK_SIZE 513 -#define VAR_PAD_QUERIES 514 -#define VAR_PAD_QUERIES_BLOCK_SIZE 515 -#define VAR_IPSECMOD_ENABLED 516 -#define VAR_IPSECMOD_HOOK 517 -#define VAR_IPSECMOD_IGNORE_BOGUS 518 -#define VAR_IPSECMOD_MAX_TTL 519 -#define VAR_IPSECMOD_WHITELIST 520 -#define VAR_IPSECMOD_STRICT 521 -#define VAR_CACHEDB 522 -#define VAR_CACHEDB_BACKEND 523 -#define VAR_CACHEDB_SECRETSEED 524 -#define VAR_CACHEDB_REDISHOST 525 -#define VAR_CACHEDB_REDISPORT 526 -#define VAR_CACHEDB_REDISTIMEOUT 527 -#define VAR_CACHEDB_REDISEXPIRERECORDS 528 -#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 529 -#define VAR_FOR_UPSTREAM 530 -#define VAR_AUTH_ZONE 531 -#define VAR_ZONEFILE 532 -#define VAR_MASTER 533 -#define VAR_URL 534 -#define VAR_FOR_DOWNSTREAM 535 -#define VAR_FALLBACK_ENABLED 536 -#define VAR_TLS_ADDITIONAL_PORT 537 -#define VAR_LOW_RTT 538 -#define VAR_LOW_RTT_PERMIL 539 -#define VAR_FAST_SERVER_PERMIL 540 -#define VAR_FAST_SERVER_NUM 541 -#define VAR_ALLOW_NOTIFY 542 -#define VAR_TLS_WIN_CERT 543 -#define VAR_TCP_CONNECTION_LIMIT 544 -#define VAR_FORWARD_NO_CACHE 545 -#define VAR_STUB_NO_CACHE 546 -#define VAR_LOG_SERVFAIL 547 -#define VAR_DENY_ANY 548 -#define VAR_UNKNOWN_SERVER_TIME_LIMIT 549 -#define VAR_LOG_TAG_QUERYREPLY 550 -#define VAR_STREAM_WAIT_SIZE 551 -#define VAR_TLS_CIPHERS 552 -#define VAR_TLS_CIPHERSUITES 553 -#define VAR_TLS_USE_SNI 554 -#define VAR_IPSET 555 -#define VAR_IPSET_NAME_V4 556 -#define VAR_IPSET_NAME_V6 557 -#define VAR_TLS_SESSION_TICKET_KEYS 558 -#define VAR_RPZ 559 -#define VAR_TAGS 560 -#define VAR_RPZ_ACTION_OVERRIDE 561 -#define VAR_RPZ_CNAME_OVERRIDE 562 -#define VAR_RPZ_LOG 563 -#define VAR_RPZ_LOG_NAME 564 -#define VAR_DYNLIB 565 -#define VAR_DYNLIB_FILE 566 -#define VAR_EDNS_CLIENT_STRING 567 
-#define VAR_EDNS_CLIENT_STRING_OPCODE 568 -#define VAR_NSID 569 -#define VAR_ZONEMD_PERMISSIVE_MODE 570 -#define VAR_ZONEMD_CHECK 571 -#define VAR_ZONEMD_REJECT_ABSENCE 572 +#define VAR_STUB_TCP_UPSTREAM 401 +#define VAR_FORWARD_TCP_UPSTREAM 402 +#define VAR_HTTPS_PORT 403 +#define VAR_HTTP_ENDPOINT 404 +#define VAR_HTTP_MAX_STREAMS 405 +#define VAR_HTTP_QUERY_BUFFER_SIZE 406 +#define VAR_HTTP_RESPONSE_BUFFER_SIZE 407 +#define VAR_HTTP_NODELAY 408 +#define VAR_HTTP_NOTLS_DOWNSTREAM 409 +#define VAR_STUB_FIRST 410 +#define VAR_MINIMAL_RESPONSES 411 +#define VAR_RRSET_ROUNDROBIN 412 +#define VAR_MAX_UDP_SIZE 413 +#define VAR_DELAY_CLOSE 414 +#define VAR_UDP_CONNECT 415 +#define VAR_UNBLOCK_LAN_ZONES 416 +#define VAR_INSECURE_LAN_ZONES 417 +#define VAR_INFRA_CACHE_MIN_RTT 418 +#define VAR_INFRA_CACHE_MAX_RTT 419 +#define VAR_INFRA_KEEP_PROBING 420 +#define VAR_DNS64_PREFIX 421 +#define VAR_DNS64_SYNTHALL 422 +#define VAR_DNS64_IGNORE_AAAA 423 +#define VAR_DNSTAP 424 +#define VAR_DNSTAP_ENABLE 425 +#define VAR_DNSTAP_SOCKET_PATH 426 +#define VAR_DNSTAP_IP 427 +#define VAR_DNSTAP_TLS 428 +#define VAR_DNSTAP_TLS_SERVER_NAME 429 +#define VAR_DNSTAP_TLS_CERT_BUNDLE 430 +#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 431 +#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 432 +#define VAR_DNSTAP_SEND_IDENTITY 433 +#define VAR_DNSTAP_SEND_VERSION 434 +#define VAR_DNSTAP_BIDIRECTIONAL 435 +#define VAR_DNSTAP_IDENTITY 436 +#define VAR_DNSTAP_VERSION 437 +#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 438 +#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 439 +#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 440 +#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 441 +#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 442 +#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 443 +#define VAR_RESPONSE_IP_TAG 444 +#define VAR_RESPONSE_IP 445 +#define VAR_RESPONSE_IP_DATA 446 +#define VAR_HARDEN_ALGO_DOWNGRADE 447 +#define VAR_IP_TRANSPARENT 448 +#define VAR_IP_DSCP 449 +#define VAR_DISABLE_DNSSEC_LAME_CHECK 
450 +#define VAR_IP_RATELIMIT 451 +#define VAR_IP_RATELIMIT_SLABS 452 +#define VAR_IP_RATELIMIT_SIZE 453 +#define VAR_RATELIMIT 454 +#define VAR_RATELIMIT_SLABS 455 +#define VAR_RATELIMIT_SIZE 456 +#define VAR_OUTBOUND_MSG_RETRY 457 +#define VAR_MAX_SENT_COUNT 458 +#define VAR_MAX_QUERY_RESTARTS 459 +#define VAR_RATELIMIT_FOR_DOMAIN 460 +#define VAR_RATELIMIT_BELOW_DOMAIN 461 +#define VAR_IP_RATELIMIT_FACTOR 462 +#define VAR_RATELIMIT_FACTOR 463 +#define VAR_IP_RATELIMIT_BACKOFF 464 +#define VAR_RATELIMIT_BACKOFF 465 +#define VAR_SEND_CLIENT_SUBNET 466 +#define VAR_CLIENT_SUBNET_ZONE 467 +#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 468 +#define VAR_CLIENT_SUBNET_OPCODE 469 +#define VAR_MAX_CLIENT_SUBNET_IPV4 470 +#define VAR_MAX_CLIENT_SUBNET_IPV6 471 +#define VAR_MIN_CLIENT_SUBNET_IPV4 472 +#define VAR_MIN_CLIENT_SUBNET_IPV6 473 +#define VAR_MAX_ECS_TREE_SIZE_IPV4 474 +#define VAR_MAX_ECS_TREE_SIZE_IPV6 475 +#define VAR_CAPS_WHITELIST 476 +#define VAR_CACHE_MAX_NEGATIVE_TTL 477 +#define VAR_PERMIT_SMALL_HOLDDOWN 478 +#define VAR_QNAME_MINIMISATION 479 +#define VAR_QNAME_MINIMISATION_STRICT 480 +#define VAR_IP_FREEBIND 481 +#define VAR_DEFINE_TAG 482 +#define VAR_LOCAL_ZONE_TAG 483 +#define VAR_ACCESS_CONTROL_TAG 484 +#define VAR_LOCAL_ZONE_OVERRIDE 485 +#define VAR_ACCESS_CONTROL_TAG_ACTION 486 +#define VAR_ACCESS_CONTROL_TAG_DATA 487 +#define VAR_VIEW 488 +#define VAR_ACCESS_CONTROL_VIEW 489 +#define VAR_VIEW_FIRST 490 +#define VAR_SERVE_EXPIRED 491 +#define VAR_SERVE_EXPIRED_TTL 492 +#define VAR_SERVE_EXPIRED_TTL_RESET 493 +#define VAR_SERVE_EXPIRED_REPLY_TTL 494 +#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 495 +#define VAR_EDE_SERVE_EXPIRED 496 +#define VAR_SERVE_ORIGINAL_TTL 497 +#define VAR_FAKE_DSA 498 +#define VAR_FAKE_SHA1 499 +#define VAR_LOG_IDENTITY 500 +#define VAR_HIDE_TRUSTANCHOR 501 +#define VAR_HIDE_HTTP_USER_AGENT 502 +#define VAR_HTTP_USER_AGENT 503 +#define VAR_TRUST_ANCHOR_SIGNALING 504 +#define VAR_AGGRESSIVE_NSEC 505 +#define VAR_USE_SYSTEMD 506 
+#define VAR_SHM_ENABLE 507 +#define VAR_SHM_KEY 508 +#define VAR_ROOT_KEY_SENTINEL 509 +#define VAR_DNSCRYPT 510 +#define VAR_DNSCRYPT_ENABLE 511 +#define VAR_DNSCRYPT_PORT 512 +#define VAR_DNSCRYPT_PROVIDER 513 +#define VAR_DNSCRYPT_SECRET_KEY 514 +#define VAR_DNSCRYPT_PROVIDER_CERT 515 +#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 516 +#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 517 +#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 518 +#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 519 +#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 520 +#define VAR_PAD_RESPONSES 521 +#define VAR_PAD_RESPONSES_BLOCK_SIZE 522 +#define VAR_PAD_QUERIES 523 +#define VAR_PAD_QUERIES_BLOCK_SIZE 524 +#define VAR_IPSECMOD_ENABLED 525 +#define VAR_IPSECMOD_HOOK 526 +#define VAR_IPSECMOD_IGNORE_BOGUS 527 +#define VAR_IPSECMOD_MAX_TTL 528 +#define VAR_IPSECMOD_WHITELIST 529 +#define VAR_IPSECMOD_STRICT 530 +#define VAR_CACHEDB 531 +#define VAR_CACHEDB_BACKEND 532 +#define VAR_CACHEDB_SECRETSEED 533 +#define VAR_CACHEDB_REDISHOST 534 +#define VAR_CACHEDB_REDISPORT 535 +#define VAR_CACHEDB_REDISTIMEOUT 536 +#define VAR_CACHEDB_REDISEXPIRERECORDS 537 +#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 538 +#define VAR_FOR_UPSTREAM 539 +#define VAR_AUTH_ZONE 540 +#define VAR_ZONEFILE 541 +#define VAR_MASTER 542 +#define VAR_URL 543 +#define VAR_FOR_DOWNSTREAM 544 +#define VAR_FALLBACK_ENABLED 545 +#define VAR_TLS_ADDITIONAL_PORT 546 +#define VAR_LOW_RTT 547 +#define VAR_LOW_RTT_PERMIL 548 +#define VAR_FAST_SERVER_PERMIL 549 +#define VAR_FAST_SERVER_NUM 550 +#define VAR_ALLOW_NOTIFY 551 +#define VAR_TLS_WIN_CERT 552 +#define VAR_TCP_CONNECTION_LIMIT 553 +#define VAR_FORWARD_NO_CACHE 554 +#define VAR_STUB_NO_CACHE 555 +#define VAR_LOG_SERVFAIL 556 +#define VAR_DENY_ANY 557 +#define VAR_UNKNOWN_SERVER_TIME_LIMIT 558 +#define VAR_LOG_TAG_QUERYREPLY 559 +#define VAR_STREAM_WAIT_SIZE 560 +#define VAR_TLS_CIPHERS 561 +#define VAR_TLS_CIPHERSUITES 562 +#define VAR_TLS_USE_SNI 563 +#define VAR_IPSET 564 +#define 
VAR_IPSET_NAME_V4 565 +#define VAR_IPSET_NAME_V6 566 +#define VAR_TLS_SESSION_TICKET_KEYS 567 +#define VAR_RPZ 568 +#define VAR_TAGS 569 +#define VAR_RPZ_ACTION_OVERRIDE 570 +#define VAR_RPZ_CNAME_OVERRIDE 571 +#define VAR_RPZ_LOG 572 +#define VAR_RPZ_LOG_NAME 573 +#define VAR_DYNLIB 574 +#define VAR_DYNLIB_FILE 575 +#define VAR_EDNS_CLIENT_STRING 576 +#define VAR_EDNS_CLIENT_STRING_OPCODE 577 +#define VAR_NSID 578 +#define VAR_ZONEMD_PERMISSIVE_MODE 579 +#define VAR_ZONEMD_CHECK 580 +#define VAR_ZONEMD_REJECT_ABSENCE 581 +#define VAR_RPZ_SIGNAL_NXDOMAIN_RA 582 +#define VAR_INTERFACE_AUTOMATIC_PORTS 583 +#define VAR_EDE 584 +#define VAR_INTERFACE_ACTION 585 +#define VAR_INTERFACE_VIEW 586 +#define VAR_INTERFACE_TAG 587 +#define VAR_INTERFACE_TAG_ACTION 588 +#define VAR_INTERFACE_TAG_DATA 589 +#define VAR_PROXY_PROTOCOL_PORT 590 +#define VAR_STATISTICS_INHIBIT_ZERO 591 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED union YYSTYPE { -#line 66 "util/configparser.y" +#line 67 "util/configparser.y" char* str; -#line 704 "util/configparser.h" +#line 743 "util/configparser.h" }; typedef union YYSTYPE YYSTYPE;
_service:tar_scm:unbound-1.13.2.tar.gz/util/configparser.y -> _service:tar_scm:unbound-1.17.1.tar.gz/util/configparser.y
Changed
@@ -4,24 +4,24 @@ * Copyright (c) 2001-2006, NLnet Labs. All rights reserved. * * Copyright (c) 2007, NLnet Labs. All rights reserved. - * + * * This software is open source. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: - * + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * + * * Redistributions in binary form must reproduce the above copyright notice, * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * + * * Neither the name of the NLNET LABS nor the names of its contributors may * be used to endorse or promote products derived from this software without * specific prior written permission. - * + * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR @@ -52,6 +52,7 @@ void ub_c_error(const char *message); static void validate_respip_action(const char* action); +static void validate_acl_action(const char* action); /* these need to be global, otherwise they cannot be used inside yacc */ extern struct config_parser_state* cfg_parser; 
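Review bot: The forward declaration `static void validate_acl_action(const char* action);` added in the second hunk on this line returns `void` and carries no comment, so a reader cannot tell how an unrecognised access-control action is rejected. I would put `/* reports an unknown access-control action through yyerror() */` above it, assuming it mirrors `validate_respip_action` declared on the line before. The definition is outside this hunk, so confirm there that a rejected value makes configuration loading fail rather than leaving a default action in place.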
@@ -88,13 +89,13 @@
 %token VAR_TRUST_ANCHOR_FILE VAR_TRUST_ANCHOR VAR_VAL_OVERRIDE_DATE
 %token VAR_BOGUS_TTL VAR_VAL_CLEAN_ADDITIONAL VAR_VAL_PERMISSIVE_MODE
 %token VAR_INCOMING_NUM_TCP VAR_MSG_BUFFER_SIZE VAR_KEY_CACHE_SIZE
-%token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE
-%token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG
+%token VAR_KEY_CACHE_SLABS VAR_TRUSTED_KEYS_FILE
+%token VAR_VAL_NSEC3_KEYSIZE_ITERATIONS VAR_USE_SYSLOG
 %token VAR_OUTGOING_INTERFACE VAR_ROOT_HINTS VAR_DO_NOT_QUERY_LOCALHOST
 %token VAR_CACHE_MAX_TTL VAR_HARDEN_DNSSEC_STRIPPED VAR_ACCESS_CONTROL
 %token VAR_LOCAL_ZONE VAR_LOCAL_DATA VAR_INTERFACE_AUTOMATIC
 %token VAR_STATISTICS_INTERVAL VAR_DO_DAEMONIZE VAR_USE_CAPS_FOR_ID
-%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
+%token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT
 %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR
 %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS
 %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE
@@ -113,13 +114,14 @@
 %token VAR_SSL_UPSTREAM VAR_TCP_AUTH_QUERY_TIMEOUT VAR_SSL_SERVICE_KEY
 %token VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
+%token VAR_STUB_TCP_UPSTREAM VAR_FORWARD_TCP_UPSTREAM
 %token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
 %token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
 %token VAR_HTTP_NODELAY VAR_HTTP_NOTLS_DOWNSTREAM
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE VAR_UDP_CONNECT
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
-%token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_KEEP_PROBING
+%token VAR_INFRA_CACHE_MIN_RTT VAR_INFRA_CACHE_MAX_RTT VAR_INFRA_KEEP_PROBING
 %token VAR_DNS64_PREFIX VAR_DNS64_SYNTHALL VAR_DNS64_IGNORE_AAAA
 %token VAR_DNSTAP VAR_DNSTAP_ENABLE VAR_DNSTAP_SOCKET_PATH VAR_DNSTAP_IP
 %token VAR_DNSTAP_TLS VAR_DNSTAP_TLS_SERVER_NAME VAR_DNSTAP_TLS_CERT_BUNDLE
@@ -138,8 +140,10 @@
 %token VAR_DISABLE_DNSSEC_LAME_CHECK
 %token VAR_IP_RATELIMIT VAR_IP_RATELIMIT_SLABS VAR_IP_RATELIMIT_SIZE
 %token VAR_RATELIMIT VAR_RATELIMIT_SLABS VAR_RATELIMIT_SIZE
+%token VAR_OUTBOUND_MSG_RETRY VAR_MAX_SENT_COUNT VAR_MAX_QUERY_RESTARTS
 %token VAR_RATELIMIT_FOR_DOMAIN VAR_RATELIMIT_BELOW_DOMAIN
 %token VAR_IP_RATELIMIT_FACTOR VAR_RATELIMIT_FACTOR
+%token VAR_IP_RATELIMIT_BACKOFF VAR_RATELIMIT_BACKOFF
 %token VAR_SEND_CLIENT_SUBNET VAR_CLIENT_SUBNET_ZONE
 %token VAR_CLIENT_SUBNET_ALWAYS_FORWARD VAR_CLIENT_SUBNET_OPCODE
 %token VAR_MAX_CLIENT_SUBNET_IPV4 VAR_MAX_CLIENT_SUBNET_IPV6
@@ -152,7 +156,8 @@ %token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW %token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_SERVE_EXPIRED_TTL %token VAR_SERVE_EXPIRED_TTL_RESET VAR_SERVE_EXPIRED_REPLY_TTL -%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA +%token VAR_SERVE_EXPIRED_CLIENT_TIMEOUT VAR_EDE_SERVE_EXPIRED +%token VAR_SERVE_ORIGINAL_TTL VAR_FAKE_DSA %token VAR_FAKE_SHA1 VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR %token VAR_HIDE_HTTP_USER_AGENT VAR_HTTP_USER_AGENT %token VAR_TRUST_ANCHOR_SIGNALING VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD @@ -185,11 +190,15 @@ %token VAR_DYNLIB VAR_DYNLIB_FILE VAR_EDNS_CLIENT_STRING %token VAR_EDNS_CLIENT_STRING_OPCODE VAR_NSID %token VAR_ZONEMD_PERMISSIVE_MODE VAR_ZONEMD_CHECK VAR_ZONEMD_REJECT_ABSENCE +%token VAR_RPZ_SIGNAL_NXDOMAIN_RA VAR_INTERFACE_AUTOMATIC_PORTS VAR_EDE +%token VAR_INTERFACE_ACTION VAR_INTERFACE_VIEW VAR_INTERFACE_TAG +%token VAR_INTERFACE_TAG_ACTION VAR_INTERFACE_TAG_DATA +%token VAR_PROXY_PROTOCOL_PORT VAR_STATISTICS_INHIBIT_ZERO %% toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvar: serverstart contents_server | stubstart contents_stub | - forwardstart contents_forward | pythonstart contents_py | + forwardstart contents_forward | pythonstart contents_py | rcstart contents_rc | dtstart contents_dt | viewstart contents_view | dnscstart contents_dnsc | cachedbstart contents_cachedb | ipsetstart contents_ipset | authstart contents_auth | @@ -199,12 +208,14 @@ force_toplevel: VAR_FORCE_TOPLEVEL { OUTYY(("\nP(force-toplevel)\n")); + cfg_parser->started_toplevel = 0; } ; /* server: declaration */ serverstart: VAR_SERVER - { + { OUTYY(("\nP(server:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_server: contents_server content_server 
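Review bot: `cfg_parser->started_toplevel` is assigned in `force_toplevel` (to 0) and in `serverstart` (to 1) in the last hunk on this line, with no comment saying what the flag records or what reads it. The same one-line assignment is repeated by hand in `stubstart`, `forwardstart` and `viewstart` in a later hunk, so a clause-start rule added without it would silently keep the previous value; whether the remaining `*start` rules set it is not visible here. I would add `/* set once a clause keyword has been seen; force-toplevel clears it again */` above the first assignment. The code that consumes the flag is outside these hunks, so confirm there what a stale value would do.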
@@ -215,14 +226,14 @@ server_do_udp | server_do_tcp | server_tcp_mss | server_outgoing_tcp_mss | server_tcp_idle_timeout | server_tcp_keepalive | server_tcp_keepalive_timeout | - server_interface | server_chroot | server_username | + server_interface | server_chroot | server_username | server_directory | server_logfile | server_pidfile | server_msg_cache_size | server_msg_cache_slabs | - server_num_queries_per_thread | server_rrset_cache_size | - server_rrset_cache_slabs | server_outgoing_num_tcp | - server_infra_host_ttl | server_infra_lame_ttl | + server_num_queries_per_thread | server_rrset_cache_size | + server_rrset_cache_slabs | server_outgoing_num_tcp | + server_infra_host_ttl | server_infra_lame_ttl | server_infra_cache_slabs | server_infra_cache_numhosts | - server_infra_cache_lame_size | server_target_fetch_policy | + server_infra_cache_lame_size | server_target_fetch_policy | server_harden_short_bufsize | server_harden_large_queries | server_do_not_query_address | server_hide_identity | server_hide_version | server_identity | server_version | 
@@ -230,22 +241,22 @@ server_harden_glue | server_module_conf | server_trust_anchor_file | server_trust_anchor | server_val_override_date | server_bogus_ttl | server_val_clean_additional | server_val_permissive_mode | - server_incoming_num_tcp | server_msg_buffer_size | - server_key_cache_size | server_key_cache_slabs | + server_incoming_num_tcp | server_msg_buffer_size | + server_key_cache_size | server_key_cache_slabs | server_trusted_keys_file | server_val_nsec3_keysize_iterations | server_use_syslog | server_outgoing_interface | server_root_hints | server_do_not_query_localhost | server_cache_max_ttl | server_harden_dnssec_stripped | server_access_control | server_local_zone | server_local_data | server_interface_automatic | - server_statistics_interval | server_do_daemonize | + server_statistics_interval | server_do_daemonize | server_use_caps_for_id | server_statistics_cumulative | server_outgoing_port_permit | server_outgoing_port_avoid | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | - server_private_domain | server_extended_statistics | - server_local_data_ptr | server_jostle_timeout | - server_unwanted_reply_threshold | server_log_time_ascii | - server_domain_insecure | server_val_sig_skew_min | + server_private_domain | server_extended_statistics | + server_local_data_ptr | server_jostle_timeout | + server_unwanted_reply_threshold | server_log_time_ascii | + server_domain_insecure | server_val_sig_skew_min | server_val_sig_skew_max | server_val_max_restart | server_cache_min_ttl | server_val_log_level | server_auto_trust_anchor_file | server_add_holddown | 
@@ -262,16 +273,18 @@ server_so_reuseport | server_delay_close | server_udp_connect | server_unblock_lan_zones | server_insecure_lan_zones | server_dns64_prefix | server_dns64_synthall | server_dns64_ignore_aaaa | - server_infra_cache_min_rtt | server_harden_algo_downgrade | + server_infra_cache_min_rtt | server_infra_cache_max_rtt | server_harden_algo_downgrade | server_ip_transparent | server_ip_ratelimit | server_ratelimit | server_ip_dscp | server_infra_keep_probing | server_ip_ratelimit_slabs | server_ratelimit_slabs | server_ip_ratelimit_size | server_ratelimit_size | server_ratelimit_for_domain | server_ratelimit_below_domain | server_ratelimit_factor | - server_ip_ratelimit_factor | server_send_client_subnet | - server_client_subnet_zone | server_client_subnet_always_forward | - server_client_subnet_opcode | + server_ip_ratelimit_factor | server_ratelimit_backoff | + server_ip_ratelimit_backoff | server_outbound_msg_retry | + server_max_sent_count | server_max_query_restarts | + server_send_client_subnet | server_client_subnet_zone | + server_client_subnet_always_forward | server_client_subnet_opcode | server_max_client_subnet_ipv4 | server_max_client_subnet_ipv6 | server_min_client_subnet_ipv4 | server_min_client_subnet_ipv6 | server_max_ecs_tree_size_ipv4 | server_max_ecs_tree_size_ipv6 | 
@@ -281,13 +294,15 @@ server_disable_dnssec_lame_check | server_access_control_tag | server_local_zone_override | server_access_control_tag_action | server_access_control_tag_data | server_access_control_view | + server_interface_action | server_interface_view | server_interface_tag | + server_interface_tag_action | server_interface_tag_data | server_qname_minimisation_strict | server_pad_responses | server_pad_responses_block_size | server_pad_queries | server_pad_queries_block_size | server_serve_expired | server_serve_expired_ttl | server_serve_expired_ttl_reset | server_serve_expired_reply_ttl | server_serve_expired_client_timeout | - server_serve_original_ttl | server_fake_dsa | + server_ede_serve_expired | server_serve_original_ttl | server_fake_dsa | server_log_identity | server_use_systemd | server_response_ip_tag | server_response_ip | server_response_ip_data | server_shm_enable | server_shm_key | server_fake_sha1 | 
@@ -306,58 +321,65 @@ server_tls_use_sni | server_edns_client_string | server_edns_client_string_opcode | server_nsid | server_zonemd_permissive_mode | server_max_reuse_tcp_queries | - server_tcp_reuse_timeout | server_tcp_auth_query_timeout - + server_tcp_reuse_timeout | server_tcp_auth_query_timeout | + server_interface_automatic_ports | server_ede | + server_proxy_protocol_port | server_statistics_inhibit_zero ; stubstart: VAR_STUB_ZONE { struct config_stub* s; - OUTYY(("\nP(stub_zone:)\n")); + OUTYY(("\nP(stub_zone:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->stubs; cfg_parser->cfg->stubs = s; - } else + } else { yyerror("out of memory"); + } } ; -contents_stub: contents_stub content_stub +contents_stub: contents_stub content_stub | ; content_stub: stub_name | stub_host | stub_addr | stub_prime | stub_first | - stub_no_cache | stub_ssl_upstream + stub_no_cache | stub_ssl_upstream | stub_tcp_upstream ; forwardstart: VAR_FORWARD_ZONE { struct config_stub* s; - OUTYY(("\nP(forward_zone:)\n")); + OUTYY(("\nP(forward_zone:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_stub*)calloc(1, sizeof(struct config_stub)); if(s) { s->next = cfg_parser->cfg->forwards; cfg_parser->cfg->forwards = s; - } else + } else { yyerror("out of memory"); + } } ; -contents_forward: contents_forward content_forward +contents_forward: contents_forward content_forward | ; content_forward: forward_name | forward_host | forward_addr | forward_first | - forward_no_cache | forward_ssl_upstream + forward_no_cache | forward_ssl_upstream | forward_tcp_upstream ; viewstart: VAR_VIEW { struct config_view* s; - OUTYY(("\nP(view:)\n")); + OUTYY(("\nP(view:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_view*)calloc(1, sizeof(struct config_view)); if(s) { s->next = cfg_parser->cfg->views; if(s->next && !s->next->name) yyerror("view without name"); cfg_parser->cfg->views = s; - 
} else + } else { yyerror("out of memory"); + } } ; -contents_view: contents_view content_view +contents_view: contents_view content_view | ; content_view: view_name | view_local_zone | view_local_data | view_first | view_response_ip | view_response_ip_data | view_local_data_ptr @@ -365,7 +387,8 @@ authstart: VAR_AUTH_ZONE { struct config_auth* s; - OUTYY(("\nP(auth_zone:)\n")); + OUTYY(("\nP(auth_zone:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; @@ -377,11 +400,12 @@ s->zonemd_check = 0; s->zonemd_reject_absence = 0; s->isrpz = 0; - } else + } else { yyerror("out of memory"); + } } ; -contents_auth: contents_auth content_auth +contents_auth: contents_auth content_auth | ; content_auth: auth_name | auth_zonefile | auth_master | auth_url | auth_for_downstream | auth_for_upstream | auth_fallback_enabled | @@ -449,11 +473,21 @@ cfg_parser->cfg->auths->rpz_log_name = $2; } ; +rpz_signal_nxdomain_ra: VAR_RPZ_SIGNAL_NXDOMAIN_RA STRING_ARG + { + OUTYY(("P(rpz_signal_nxdomain_ra:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->auths->rpz_signal_nxdomain_ra = (strcmp($2, "yes")==0); + free($2); + } + ; rpzstart: VAR_RPZ { struct config_auth* s; OUTYY(("\nP(rpz:)\n")); + cfg_parser->started_toplevel = 1; s = (struct config_auth*)calloc(1, sizeof(struct config_auth)); if(s) { s->next = cfg_parser->cfg->auths; 
@@ -463,37 +497,38 @@ s->for_upstream = 0; s->fallback_enabled = 0; s->isrpz = 1; - } else + } else { yyerror("out of memory"); + } } ; contents_rpz: contents_rpz content_rpz | ; content_rpz: auth_name | auth_zonefile | rpz_tag | auth_master | auth_url | auth_allow_notify | rpz_action_override | rpz_cname_override | - rpz_log | rpz_log_name + rpz_log | rpz_log_name | rpz_signal_nxdomain_ra | auth_for_downstream ; -server_num_threads: VAR_NUM_THREADS STRING_ARG - { - OUTYY(("P(server_num_threads:%s)\n", $2)); +server_num_threads: VAR_NUM_THREADS STRING_ARG + { + OUTYY(("P(server_num_threads:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->num_threads = atoi($2); free($2); } ; -server_verbosity: VAR_VERBOSITY STRING_ARG - { - OUTYY(("P(server_verbosity:%s)\n", $2)); +server_verbosity: VAR_VERBOSITY STRING_ARG + { + OUTYY(("P(server_verbosity:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->verbosity = atoi($2); free($2); } ; -server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG - { - OUTYY(("P(server_statistics_interval:%s)\n", $2)); +server_statistics_interval: VAR_STATISTICS_INTERVAL STRING_ARG + { + OUTYY(("P(server_statistics_interval:%s)\n", $2)); if(strcmp($2, "") == 0 || strcmp($2, "0") == 0) cfg_parser->cfg->stat_interval = 0; else if(atoi($2) == 0) @@ -520,6 +555,15 @@ free($2); } ; +server_statistics_inhibit_zero: VAR_STATISTICS_INHIBIT_ZERO STRING_ARG + { + OUTYY(("P(server_statistics_inhibit_zero:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stat_inhibit_zero = (strcmp($2, "yes")==0); + free($2); + } + ; server_shm_enable: VAR_SHM_ENABLE STRING_ARG { OUTYY(("P(server_shm_enable:%s)\n", $2)); 
@@ -529,9 +573,9 @@ free($2); } ; -server_shm_key: VAR_SHM_KEY STRING_ARG - { - OUTYY(("P(server_shm_key:%s)\n", $2)); +server_shm_key: VAR_SHM_KEY STRING_ARG + { + OUTYY(("P(server_shm_key:%s)\n", $2)); if(strcmp($2, "") == 0 || strcmp($2, "0") == 0) cfg_parser->cfg->shm_key = 0; else if(atoi($2) == 0) @@ -704,7 +748,7 @@ OUTYY(("P(server_interface:%s)\n", $2)); if(cfg_parser->cfg->num_ifs == 0) cfg_parser->cfg->ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, + else cfg_parser->cfg->ifs = realloc(cfg_parser->cfg->ifs, (cfg_parser->cfg->num_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->ifs) yyerror("out of memory"); @@ -717,8 +761,8 @@ OUTYY(("P(server_outgoing_interface:%s)\n", $2)); if(cfg_parser->cfg->num_out_ifs == 0) cfg_parser->cfg->out_ifs = calloc(1, sizeof(char*)); - else cfg_parser->cfg->out_ifs = realloc( - cfg_parser->cfg->out_ifs, + else cfg_parser->cfg->out_ifs = realloc( + cfg_parser->cfg->out_ifs, (cfg_parser->cfg->num_out_ifs+1)*sizeof(char*)); if(!cfg_parser->cfg->out_ifs) yyerror("out of memory"); @@ -739,7 +783,7 @@ server_outgoing_port_permit: VAR_OUTGOING_PORT_PERMIT STRING_ARG { OUTYY(("P(server_outgoing_port_permit:%s)\n", $2)); - if(!cfg_mark_ports($2, 1, + if(!cfg_mark_ports($2, 1, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free($2); @@ -748,7 +792,7 @@ server_outgoing_port_avoid: VAR_OUTGOING_PORT_AVOID STRING_ARG { OUTYY(("P(server_outgoing_port_avoid:%s)\n", $2)); - if(!cfg_mark_ports($2, 0, + if(!cfg_mark_ports($2, 0, cfg_parser->cfg->outgoing_avail_ports, 65536)) yyerror("port number or range (\"low-high\") expected"); free($2); 
@@ -781,6 +825,13 @@ free($2); } ; +server_interface_automatic_ports: VAR_INTERFACE_AUTOMATIC_PORTS STRING_ARG + { + OUTYY(("P(server_interface_automatic_ports:%s)\n", $2)); + free(cfg_parser->cfg->if_automatic_ports); + cfg_parser->cfg->if_automatic_ports = $2; + } + ; server_do_ip4: VAR_DO_IP4 STRING_ARG { OUTYY(("P(server_do_ip4:%s)\n", $2)); @@ -838,10 +889,10 @@ server_tcp_mss: VAR_TCP_MSS STRING_ARG { OUTYY(("P(server_tcp_mss:%s)\n", $2)); - if(atoi($2) == 0 && strcmp($2, "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->tcp_mss = atoi($2); - free($2); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->tcp_mss = atoi($2); + free($2); } ; server_outgoing_tcp_mss: VAR_OUTGOING_TCP_MSS STRING_ARG @@ -1141,23 +1192,23 @@ } ; server_log_replies: VAR_LOG_REPLIES STRING_ARG - { - OUTYY(("P(server_log_replies:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_replies = (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_log_replies:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_replies = (strcmp($2, "yes")==0); + free($2); + } + ; server_log_tag_queryreply: VAR_LOG_TAG_QUERYREPLY STRING_ARG - { - OUTYY(("P(server_log_tag_queryreply:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_log_tag_queryreply:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_tag_queryreply = (strcmp($2, "yes")==0); + free($2); + } + ; server_log_servfail: VAR_LOG_SERVFAIL STRING_ARG { OUTYY(("P(server_log_servfail:%s)\n", $2)); 
@@ -1168,14 +1219,14 @@ } ; server_log_local_actions: VAR_LOG_LOCAL_ACTIONS STRING_ARG - { - OUTYY(("P(server_log_local_actions:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_log_local_actions:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->log_local_actions = (strcmp($2, "yes")==0); + free($2); + } + ; server_chroot: VAR_CHROOT STRING_ARG { OUTYY(("P(server_chroot:%s)\n", $2)); @@ -1209,7 +1260,7 @@ cfg_parser->chroot)) == 0) d += strlen(cfg_parser->chroot); if(d0) { - if(chdir(d)) + if(chdir(d)) log_err("cannot chdir to directory: %s (%s)", d, strerror(errno)); } 
@@ -1402,35 +1453,35 @@ } ; server_so_reuseport: VAR_SO_REUSEPORT STRING_ARG - { - OUTYY(("P(server_so_reuseport:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->so_reuseport = - (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_so_reuseport:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->so_reuseport = + (strcmp($2, "yes")==0); + free($2); + } + ; server_ip_transparent: VAR_IP_TRANSPARENT STRING_ARG - { - OUTYY(("P(server_ip_transparent:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_transparent = - (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_ip_transparent:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_transparent = + (strcmp($2, "yes")==0); + free($2); + } + ; server_ip_freebind: VAR_IP_FREEBIND STRING_ARG - { - OUTYY(("P(server_ip_freebind:%s)\n", $2)); - if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) - yyerror("expected yes or no."); - else cfg_parser->cfg->ip_freebind = - (strcmp($2, "yes")==0); - free($2); - } - ; + { + OUTYY(("P(server_ip_freebind:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_freebind = + (strcmp($2, "yes")==0); + free($2); + } + ; server_ip_dscp: VAR_IP_DSCP STRING_ARG { OUTYY(("P(server_ip_dscp:%s)\n", $2)); @@ -1488,9 +1539,9 @@ server_msg_cache_slabs: VAR_MSG_CACHE_SLABS STRING_ARG { OUTYY(("P(server_msg_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->msg_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->msg_cache_slabs)) yyerror("must be a power of 2"); 
@@ -1539,7 +1590,7 @@ OUTYY(("P(server_unblock_lan_zones:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->unblock_lan_zones = + else cfg_parser->cfg->unblock_lan_zones = (strcmp($2, "yes")==0); free($2); } @@ -1549,7 +1600,7 @@ OUTYY(("P(server_insecure_lan_zones:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->insecure_lan_zones = + else cfg_parser->cfg->insecure_lan_zones = (strcmp($2, "yes")==0); free($2); } @@ -1565,9 +1616,9 @@ server_rrset_cache_slabs: VAR_RRSET_CACHE_SLABS STRING_ARG { OUTYY(("P(server_rrset_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->rrset_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->rrset_cache_slabs)) yyerror("must be a power of 2"); @@ -1612,9 +1663,9 @@ server_infra_cache_slabs: VAR_INFRA_CACHE_SLABS STRING_ARG { OUTYY(("P(server_infra_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->infra_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->infra_cache_slabs)) yyerror("must be a power of 2"); @@ -1631,6 +1682,15 @@ free($2); } ; +server_infra_cache_max_rtt: VAR_INFRA_CACHE_MAX_RTT STRING_ARG + { + OUTYY(("P(server_infra_cache_max_rtt:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->infra_cache_max_rtt = atoi($2); + free($2); + } + ; server_infra_keep_probing: VAR_INFRA_KEEP_PROBING STRING_ARG { OUTYY(("P(server_infra_keep_probing:%s)\n", $2)); @@ -1653,7 +1713,7 @@ OUTYY(("P(server_harden_short_bufsize:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_short_bufsize = + else cfg_parser->cfg->harden_short_bufsize = (strcmp($2, "yes")==0); free($2); } 
@@ -1663,7 +1723,7 @@ OUTYY(("P(server_harden_large_queries:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_large_queries = + else cfg_parser->cfg->harden_large_queries = (strcmp($2, "yes")==0); free($2); } @@ -1673,7 +1733,7 @@ OUTYY(("P(server_harden_glue:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_glue = + else cfg_parser->cfg->harden_glue = (strcmp($2, "yes")==0); free($2); } @@ -1683,7 +1743,7 @@ OUTYY(("P(server_harden_dnssec_stripped:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_dnssec_stripped = + else cfg_parser->cfg->harden_dnssec_stripped = (strcmp($2, "yes")==0); free($2); } @@ -1693,7 +1753,7 @@ OUTYY(("P(server_harden_below_nxdomain:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_below_nxdomain = + else cfg_parser->cfg->harden_below_nxdomain = (strcmp($2, "yes")==0); free($2); } @@ -1703,7 +1763,7 @@ OUTYY(("P(server_harden_referral_path:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_referral_path = + else cfg_parser->cfg->harden_referral_path = (strcmp($2, "yes")==0); free($2); } @@ -1713,7 +1773,7 @@ OUTYY(("P(server_harden_algo_downgrade:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->harden_algo_downgrade = + else cfg_parser->cfg->harden_algo_downgrade = (strcmp($2, "yes")==0); free($2); } @@ -1723,7 +1783,7 @@ OUTYY(("P(server_use_caps_for_id:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->use_caps_bits_for_id = + else cfg_parser->cfg->use_caps_bits_for_id = (strcmp($2, "yes")==0); free($2); } 
@@ -1797,7 +1857,7 @@ OUTYY(("P(server_do_not_query_localhost:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->donotquery_localhost = + else cfg_parser->cfg->donotquery_localhost = (strcmp($2, "yes")==0); free($2); } @@ -1805,21 +1865,18 @@ server_access_control: VAR_ACCESS_CONTROL STRING_ARG STRING_ARG { OUTYY(("P(server_access_control:%s %s)\n", $2, $3)); - if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 && - strcmp($3, "deny_non_local")!=0 && - strcmp($3, "refuse_non_local")!=0 && - strcmp($3, "allow_setrd")!=0 && - strcmp($3, "allow")!=0 && - strcmp($3, "allow_snoop")!=0) { - yyerror("expected deny, refuse, deny_non_local, " - "refuse_non_local, allow, allow_setrd or " - "allow_snoop in access control action"); - free($2); - free($3); - } else { - if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3)) - fatal_exit("out of memory adding acl"); - } + validate_acl_action($3); + if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3)) + fatal_exit("out of memory adding acl"); + } + ; +server_interface_action: VAR_INTERFACE_ACTION STRING_ARG STRING_ARG + { + OUTYY(("P(server_interface_action:%s %s)\n", $2, $3)); + validate_acl_action($3); + if(!cfg_str2list_insert( + &cfg_parser->cfg->interface_actions, $2, $3)) + fatal_exit("out of memory adding acl"); } ; server_module_conf: VAR_MODULE_CONF STRING_ARG @@ -1835,7 +1892,7 @@ if(*$2 == '\0' || strcmp($2, "0") == 0) { cfg_parser->cfg->val_date_override = 0; } else if(strlen($2) == 14) { - cfg_parser->cfg->val_date_override = + cfg_parser->cfg->val_date_override = cfg_convert_timeval($2); if(!cfg_parser->cfg->val_date_override) yyerror("bad date/time specification"); 
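Review bot: In `server_access_control` and the new `server_interface_action`, the list insert now runs even when `validate_acl_action($3)` has rejected the action, because the helper (added at the end of the file) returns `void`. The removed code skipped the insert and freed both strings on a bad action; now an unrecognised action string lands in `acls` / `interface_actions`, and it stays harmless only if every consumer checks the parser's error count before applying the config, which is not visible in this diff. Having the helper return a status and guarding the insert restores the old behaviour; the fence shows `server_access_control`, and `server_interface_action` would take the same shape. The `fatal_exit` text in `server_interface_action` also still reads "adding acl".

```yacc
		OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
		if(!validate_acl_action($3)) {
			/* rejected action: keep it out of the acl list */
			free($2);
			free($3);
		} else if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3)) {
			fatal_exit("out of memory adding acl");
		}
/* … validate_acl_action: comparisons unchanged, declared "static int",
 *   "return 0;" after the yyerror call and "return 1;" at the end … */
```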
@@ -1927,7 +1984,7 @@ OUTYY(("P(server_val_clean_additional:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_clean_additional = + else cfg_parser->cfg->val_clean_additional = (strcmp($2, "yes")==0); free($2); } @@ -1937,7 +1994,7 @@ OUTYY(("P(server_val_permissive_mode:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->val_permissive_mode = + else cfg_parser->cfg->val_permissive_mode = (strcmp($2, "yes")==0); free($2); } @@ -2007,6 +2064,15 @@ free($2); } ; +server_ede_serve_expired: VAR_EDE_SERVE_EXPIRED STRING_ARG + { + OUTYY(("P(server_ede_serve_expired:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ede_serve_expired = (strcmp($2, "yes")==0); + free($2); + } + ; server_serve_original_ttl: VAR_SERVE_ORIGINAL_TTL STRING_ARG { OUTYY(("P(server_serve_original_ttl:%s)\n", $2)); @@ -2114,9 +2180,9 @@ server_key_cache_slabs: VAR_KEY_CACHE_SLABS STRING_ARG { OUTYY(("P(server_key_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->key_cache_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->key_cache_slabs)) yyerror("must be a power of 2"); @@ -2148,7 +2214,7 @@ && strcmp($3, "noview")!=0 && strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0 && strcmp($3, "inform_redirect") != 0 - && strcmp($3, "ipset") != 0) { + && strcmp($3, "ipset") != 0) { yyerror("local-zone type: expected static, deny, " "refuse, redirect, transparent, " "typetransparent, inform, inform_deny, " 
@@ -2165,13 +2231,23 @@ free($3); #ifdef USE_IPSET } else if(strcmp($3, "ipset")==0) { + size_t len = strlen($2); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if($2len-1 != '.') { + if(!($2 = realloc($2, len+2))) { + fatal_exit("out of memory adding local-zone"); + } + $2len = '.'; + $2len+1 = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg-> local_zones_ipset, $2)) fatal_exit("out of memory adding local-zone"); free($3); #endif } else { - if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, + if(!cfg_str2list_insert(&cfg_parser->cfg->local_zones, $2, $3)) fatal_exit("out of memory adding local-zone"); } 
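Review bot: The new `ipset` branch indexes the zone name at `len-1` without checking that `len` is non-zero, so an empty name makes the `size_t` subtraction wrap and the test reads outside the string. Other rules in this file compare `$2` with `""`, so an empty `STRING_ARG` can reach this action. Guard the test, for example `if(len == 0 || $2[len-1] != '.') {`, or reject the empty name with `yyerror` before the branch. The same lines are added for view local zones in the `@@ -2915,6 +3126,16 @@` hunk, and the index brackets around `len-1`, `len` and `len+1` appear to have been lost in this page's rendering.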
@@ -2358,6 +2434,60 @@ } } ; +server_interface_tag: VAR_INTERFACE_TAG STRING_ARG STRING_ARG + { + size_t len = 0; + uint8_t* bitlist = config_parse_taglist(cfg_parser->cfg, $3, + &len); + free($3); + OUTYY(("P(server_interface_tag:%s)\n", $2)); + if(!bitlist) { + yyerror("could not parse tags, (define-tag them first)"); + free($2); + } + if(bitlist) { + if(!cfg_strbytelist_insert( + &cfg_parser->cfg->interface_tags, + $2, bitlist, len)) { + yyerror("out of memory"); + free($2); + } + } + } + ; +server_interface_tag_action: VAR_INTERFACE_TAG_ACTION STRING_ARG STRING_ARG STRING_ARG + { + OUTYY(("P(server_interface_tag_action:%s %s %s)\n", $2, $3, $4)); + if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_actions, + $2, $3, $4)) { + yyerror("out of memory"); + free($2); + free($3); + free($4); + } + } + ; +server_interface_tag_data: VAR_INTERFACE_TAG_DATA STRING_ARG STRING_ARG STRING_ARG + { + OUTYY(("P(server_interface_tag_data:%s %s %s)\n", $2, $3, $4)); + if(!cfg_str3list_insert(&cfg_parser->cfg->interface_tag_datas, + $2, $3, $4)) { + yyerror("out of memory"); + free($2); + free($3); + free($4); + } + } + ; +server_interface_view: VAR_INTERFACE_VIEW STRING_ARG STRING_ARG + { + OUTYY(("P(server_interface_view:%s %s)\n", $2, $3)); + if(!cfg_str2list_insert(&cfg_parser->cfg->interface_view, + $2, $3)) { + yyerror("out of memory"); + } + } + ; server_response_ip_tag: VAR_RESPONSE_IP_TAG STRING_ARG STRING_ARG { size_t len = 0; 
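Review bot: `server_interface_tag` frees `$2` when `cfg_strbytelist_insert` fails but never releases `bitlist`, so the parsed tag list leaks on that path unless the insert function frees it itself (its body is not part of this diff). If it does not, add `free(bitlist);` next to `free($2);`. The four new rules also disagree on cleanup: `server_interface_tag_action` and `server_interface_tag_data` free all three arguments on failure, while `server_interface_view` frees nothing. A one-line comment in each failure branch stating whether the insert helper has already released its arguments would let a reader confirm there is neither a leak nor a double free.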
@@ -2379,19 +2509,18 @@ } } ; -server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG - { - OUTYY(("P(server_ip_ratelimit:%s)\n", $2)); +server_ip_ratelimit: VAR_IP_RATELIMIT STRING_ARG + { + OUTYY(("P(server_ip_ratelimit:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ip_ratelimit = atoi($2); free($2); } ; - -server_ratelimit: VAR_RATELIMIT STRING_ARG - { - OUTYY(("P(server_ratelimit:%s)\n", $2)); +server_ratelimit: VAR_RATELIMIT STRING_ARG + { + OUTYY(("P(server_ratelimit:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit = atoi($2); @@ -2399,13 +2528,13 @@ } ; server_ip_ratelimit_size: VAR_IP_RATELIMIT_SIZE STRING_ARG - { - OUTYY(("P(server_ip_ratelimit_size:%s)\n", $2)); - if(!cfg_parse_memsize($2, &cfg_parser->cfg->ip_ratelimit_size)) - yyerror("memory size expected"); - free($2); - } - ; + { + OUTYY(("P(server_ip_ratelimit_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->ip_ratelimit_size)) + yyerror("memory size expected"); + free($2); + } + ; server_ratelimit_size: VAR_RATELIMIT_SIZE STRING_ARG { OUTYY(("P(server_ratelimit_size:%s)\n", $2)); 
@@ -2415,24 +2544,24 @@ } ; server_ip_ratelimit_slabs: VAR_IP_RATELIMIT_SLABS STRING_ARG - { - OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", $2)); - if(atoi($2) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->ip_ratelimit_slabs = atoi($2); - if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) - yyerror("must be a power of 2"); - } - free($2); - } - ; + { + OUTYY(("P(server_ip_ratelimit_slabs:%s)\n", $2)); + if(atoi($2) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->ip_ratelimit_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->ip_ratelimit_slabs)) + yyerror("must be a power of 2"); + } + free($2); + } + ; server_ratelimit_slabs: VAR_RATELIMIT_SLABS STRING_ARG { OUTYY(("P(server_ratelimit_slabs:%s)\n", $2)); - if(atoi($2) == 0) + if(atoi($2) == 0) { yyerror("number expected"); - else { + } else { cfg_parser->cfg->ratelimit_slabs = atoi($2); if(!is_pow2(cfg_parser->cfg->ratelimit_slabs)) yyerror("must be a power of 2"); 
@@ -2470,42 +2599,89 @@ } } ; -server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG - { - OUTYY(("P(server_ip_ratelimit_factor:%s)\n", $2)); - if(atoi($2) == 0 && strcmp($2, "0") != 0) - yyerror("number expected"); - else cfg_parser->cfg->ip_ratelimit_factor = atoi($2); - free($2); +server_ip_ratelimit_factor: VAR_IP_RATELIMIT_FACTOR STRING_ARG + { + OUTYY(("P(server_ip_ratelimit_factor:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->ip_ratelimit_factor = atoi($2); + free($2); } ; -server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG - { - OUTYY(("P(server_ratelimit_factor:%s)\n", $2)); +server_ratelimit_factor: VAR_RATELIMIT_FACTOR STRING_ARG + { + OUTYY(("P(server_ratelimit_factor:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->ratelimit_factor = atoi($2); free($2); } ; -server_low_rtt: VAR_LOW_RTT STRING_ARG - { +server_ip_ratelimit_backoff: VAR_IP_RATELIMIT_BACKOFF STRING_ARG + { + OUTYY(("P(server_ip_ratelimit_backoff:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ip_ratelimit_backoff = + (strcmp($2, "yes")==0); + free($2); + } + ; +server_ratelimit_backoff: VAR_RATELIMIT_BACKOFF STRING_ARG + { + OUTYY(("P(server_ratelimit_backoff:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ratelimit_backoff = + (strcmp($2, "yes")==0); + free($2); + } + ; +server_outbound_msg_retry: VAR_OUTBOUND_MSG_RETRY STRING_ARG + { + OUTYY(("P(server_outbound_msg_retry:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->outbound_msg_retry = atoi($2); + free($2); + } + ; +server_max_sent_count: VAR_MAX_SENT_COUNT STRING_ARG + { + OUTYY(("P(server_max_sent_count:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number 
expected"); + else cfg_parser->cfg->max_sent_count = atoi($2); + free($2); + } + ; +server_max_query_restarts: VAR_MAX_QUERY_RESTARTS STRING_ARG + { + OUTYY(("P(server_max_query_restarts:%s)\n", $2)); + if(atoi($2) == 0 && strcmp($2, "0") != 0) + yyerror("number expected"); + else cfg_parser->cfg->max_query_restarts = atoi($2); + free($2); + } + ; +server_low_rtt: VAR_LOW_RTT STRING_ARG + { OUTYY(("P(low-rtt option is deprecated, use fast-server-num instead)\n")); free($2); } ; -server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG - { - OUTYY(("P(server_fast_server_num:%s)\n", $2)); +server_fast_server_num: VAR_FAST_SERVER_NUM STRING_ARG + { + OUTYY(("P(server_fast_server_num:%s)\n", $2)); if(atoi($2) <= 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_num = atoi($2); free($2); } ; -server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG - { - OUTYY(("P(server_fast_server_permil:%s)\n", $2)); +server_fast_server_permil: VAR_FAST_SERVER_PERMIL STRING_ARG + { + OUTYY(("P(server_fast_server_permil:%s)\n", $2)); if(atoi($2) == 0 && strcmp($2, "0") != 0) yyerror("number expected"); else cfg_parser->cfg->fast_server_permil = atoi($2); @@ -2517,7 +2693,7 @@ OUTYY(("P(server_qname_minimisation:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation = + else cfg_parser->cfg->qname_minimisation = (strcmp($2, "yes")==0); free($2); } @@ -2527,7 +2703,7 @@ OUTYY(("P(server_qname_minimisation_strict:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->qname_minimisation_strict = + else cfg_parser->cfg->qname_minimisation_strict = (strcmp($2, "yes")==0); free($2); } 
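Review bot: The new `server_outbound_msg_retry`, `server_max_sent_count` and `server_max_query_restarts` rules accept any string for which `atoi` returns non-zero, so a value such as `-1` or `32x` is stored without a parse error. Judging by their names these fields cap how much work a query may cause, so a negative or mistyped value should be rejected rather than silently kept; how the fields are consumed is outside this diff. A `strtol` check with an end pointer and a lower bound does that, as sketched for one rule below, with the upper bound adjusted to the field's actual type. `server_infra_cache_max_rtt` in the `@@ -1631,6 +1682,15 @@` hunk uses the same `atoi` test.

```yacc
server_max_sent_count: VAR_MAX_SENT_COUNT STRING_ARG
	{
		char* end = NULL;
		long v;
		OUTYY(("P(server_max_sent_count:%s)\n", $2));
		errno = 0;
		v = strtol($2, &end, 10);
		/* reject empty input, trailing characters, overflow and negatives */
		if(end == $2 || *end != '\0' || errno == ERANGE ||
			v < 0 || v > INT_MAX)
			yyerror("non-negative number expected");
		else cfg_parser->cfg->max_sent_count = (int)v;
		free($2);
	}
	;
```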
@@ -2666,7 +2842,22 @@ yyerror("option code must be in interval 0, 65535"); else cfg_parser->cfg->edns_client_string_opcode = atoi($2); free($2); - + } + ; +server_ede: VAR_EDE STRING_ARG + { + OUTYY(("P(server_ede:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->ede = (strcmp($2, "yes")==0); + free($2); + } + ; +server_proxy_protocol_port: VAR_PROXY_PROTOCOL_PORT STRING_ARG + { + OUTYY(("P(server_proxy_protocol_port:%s)\n", $2)); + if(!cfg_strlist_insert(&cfg_parser->cfg->proxy_protocol_port, $2)) + yyerror("out of memory"); } ; stub_name: VAR_NAME STRING_ARG @@ -2716,17 +2907,27 @@ OUTYY(("P(stub-ssl-upstream:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->ssl_upstream = + else cfg_parser->cfg->stubs->ssl_upstream = (strcmp($2, "yes")==0); free($2); } ; +stub_tcp_upstream: VAR_STUB_TCP_UPSTREAM STRING_ARG + { + OUTYY(("P(stub-tcp-upstream:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->stubs->tcp_upstream = + (strcmp($2, "yes")==0); + free($2); + } + ; stub_prime: VAR_STUB_PRIME STRING_ARG { OUTYY(("P(stub-prime:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->stubs->isprime = + else cfg_parser->cfg->stubs->isprime = (strcmp($2, "yes")==0); free($2); } 
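Review bot: `server_proxy_protocol_port` stores `$2` in the list without checking that it is a port number, whereas `server_outgoing_port_permit` rejects bad input at parse time through `cfg_mark_ports`. If these ports select where a proxy header from the peer is honoured (inferred from the option name), a typo should fail the parse instead of being carried into the running configuration. Unless the value is validated later, outside this diff, test it first with something like `if(atoi($2) <= 0 || atoi($2) > 65535)` and in that case call `yyerror("port number expected")` and `free($2)` rather than inserting.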
@@ -2778,11 +2979,21 @@ OUTYY(("P(forward-ssl-upstream:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->forwards->ssl_upstream = + else cfg_parser->cfg->forwards->ssl_upstream = (strcmp($2, "yes")==0); free($2); } ; +forward_tcp_upstream: VAR_FORWARD_TCP_UPSTREAM STRING_ARG + { + OUTYY(("P(forward-tcp-upstream:%s)\n", $2)); + if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) + yyerror("expected yes or no."); + else cfg_parser->cfg->forwards->tcp_upstream = + (strcmp($2, "yes")==0); + free($2); + } + ; auth_name: VAR_NAME STRING_ARG { OUTYY(("P(name:%s)\n", $2)); @@ -2915,6 +3126,16 @@ free($3); #ifdef USE_IPSET } else if(strcmp($3, "ipset")==0) { + size_t len = strlen($2); + /* Make sure to add the trailing dot. + * These are str compared to domain names. */ + if($2len-1 != '.') { + if(!($2 = realloc($2, len+2))) { + fatal_exit("out of memory adding local-zone"); + } + $2len = '.'; + $2len+1 = 0; + } if(!cfg_strlist_insert(&cfg_parser->cfg->views-> local_zones_ipset, $2)) fatal_exit("out of memory adding local-zone"); @@ -2922,7 +3143,7 @@ #endif } else { if(!cfg_str2list_insert( - &cfg_parser->cfg->views->local_zones, + &cfg_parser->cfg->views->local_zones, $2, $3)) fatal_exit("out of memory adding local-zone"); } @@ -2979,11 +3200,12 @@ } ; rcstart: VAR_REMOTE_CONTROL - { - OUTYY(("\nP(remote-control:)\n")); + { + OUTYY(("\nP(remote-control:)\n")); + cfg_parser->started_toplevel = 1; } ; -contents_rc: contents_rc content_rc +contents_rc: contents_rc content_rc | ; content_rc: rc_control_enable | rc_control_interface | rc_control_port | rc_server_key_file | rc_server_cert_file | rc_control_key_file | @@ -2994,7 +3216,7 @@ OUTYY(("P(control_enable:%s)\n", $2)); if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no."); - else cfg_parser->cfg->remote_control_enable = + else cfg_parser->cfg->remote_control_enable = (strcmp($2, "yes")==0); free($2); } 
@@ -3053,6 +3275,7 @@ dtstart: VAR_DNSTAP { OUTYY(("\nP(dnstap:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_dt: contents_dt content_dt @@ -3233,8 +3456,9 @@ } ; pythonstart: VAR_PYTHON - { - OUTYY(("\nP(python:)\n")); + { + OUTYY(("\nP(python:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_py: contents_py content_py @@ -3250,6 +3474,7 @@ dynlibstart: VAR_DYNLIB { OUTYY(("\nP(dynlib:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_dl: contents_dl content_dl @@ -3299,6 +3524,7 @@ dnscstart: VAR_DNSCRYPT { OUTYY(("\nP(dnscrypt:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_dnsc: contents_dnsc content_dnsc 
@@ -3365,49 +3591,50 @@ ; dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG { - OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2)); - if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) - yyerror("memory size expected"); - free($2); + OUTYY(("P(dnscrypt_shared_secret_cache_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_shared_secret_cache_size)) + yyerror("memory size expected"); + free($2); } ; dnsc_dnscrypt_shared_secret_cache_slabs: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS STRING_ARG { - OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2); - if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) - yyerror("must be a power of 2"); - } - free($2); + OUTYY(("P(dnscrypt_shared_secret_cache_slabs:%s)\n", $2)); + if(atoi($2) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->dnscrypt_shared_secret_cache_slabs)) + yyerror("must be a power of 2"); + } + free($2); } ; dnsc_dnscrypt_nonce_cache_size: VAR_DNSCRYPT_NONCE_CACHE_SIZE STRING_ARG { - OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2)); - if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size)) - yyerror("memory size expected"); - free($2); + OUTYY(("P(dnscrypt_nonce_cache_size:%s)\n", $2)); + if(!cfg_parse_memsize($2, &cfg_parser->cfg->dnscrypt_nonce_cache_size)) + yyerror("memory size expected"); + free($2); } ; dnsc_dnscrypt_nonce_cache_slabs: VAR_DNSCRYPT_NONCE_CACHE_SLABS STRING_ARG { - OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2)); - if(atoi($2) == 0) - yyerror("number expected"); - else { - cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2); - if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) - yyerror("must be a power of 2"); - } - free($2); + 
OUTYY(("P(dnscrypt_nonce_cache_slabs:%s)\n", $2)); + if(atoi($2) == 0) { + yyerror("number expected"); + } else { + cfg_parser->cfg->dnscrypt_nonce_cache_slabs = atoi($2); + if(!is_pow2(cfg_parser->cfg->dnscrypt_nonce_cache_slabs)) + yyerror("must be a power of 2"); + } + free($2); } ; cachedbstart: VAR_CACHEDB { OUTYY(("\nP(cachedb:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_cachedb: contents_cachedb content_cachedb @@ -3507,6 +3734,7 @@ ipsetstart: VAR_IPSET { OUTYY(("\nP(ipset:)\n")); + cfg_parser->started_toplevel = 1; } ; contents_ipset: contents_ipset content_ipset @@ -3563,4 +3791,19 @@ } } - +static void +validate_acl_action(const char* action) +{ + if(strcmp(action, "deny")!=0 && + strcmp(action, "refuse")!=0 && + strcmp(action, "deny_non_local")!=0 && + strcmp(action, "refuse_non_local")!=0 && + strcmp(action, "allow_setrd")!=0 && + strcmp(action, "allow")!=0 && + strcmp(action, "allow_snoop")!=0) + { + yyerror("expected deny, refuse, deny_non_local, " + "refuse_non_local, allow, allow_setrd or " + "allow_snoop as access control action"); + } +}
_service:tar_scm:unbound-1.13.2.tar.gz/util/data/msgencode.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/data/msgencode.c
Changed
@@ -796,7 +796,10 @@ struct edns_option* opt; if(!edns || !edns->edns_present) return 0; - for(opt = edns->opt_list; opt; opt = opt->next) { + for(opt = edns->opt_list_inplace_cb_out; opt; opt = opt->next) { + rdatalen += 4 + opt->opt_len; + } + for(opt = edns->opt_list_out; opt; opt = opt->next) { rdatalen += 4 + opt->opt_len; } /* domain root '.' + type + class + ttl + rdatalen */ @@ -827,7 +830,17 @@ rdatapos = sldns_buffer_position(pkt); sldns_buffer_write_u16(pkt, 0); /* rdatalen */ /* write rdata */ - for(opt=edns->opt_list; opt; opt=opt->next) { + for(opt=edns->opt_list_inplace_cb_out; opt; opt=opt->next) { + if (opt->opt_code == LDNS_EDNS_PADDING) { + padding_option = opt; + continue; + } + sldns_buffer_write_u16(pkt, opt->opt_code); + sldns_buffer_write_u16(pkt, opt->opt_len); + if(opt->opt_len != 0) + sldns_buffer_write(pkt, opt->opt_data, opt->opt_len); + } + for(opt=edns->opt_list_out; opt; opt=opt->next) { if (opt->opt_code == LDNS_EDNS_PADDING) { padding_option = opt; continue; @@ -860,8 +873,7 @@ sldns_buffer_skip(pkt, pad_sz); } } - if(edns->opt_list) - sldns_buffer_write_u16_at(pkt, rdatapos, + sldns_buffer_write_u16_at(pkt, rdatapos, sldns_buffer_position(pkt)-rdatapos-2); sldns_buffer_flip(pkt); }
_service:tar_scm:unbound-1.13.2.tar.gz/util/data/msgparse.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/data/msgparse.c
Changed
@@ -37,10 +37,12 @@ * Routines for message parsing a packet buffer to a descriptive structure. */ #include "config.h" +#include "util/config_file.h" #include "util/data/msgparse.h" #include "util/data/msgreply.h" #include "util/data/dname.h" #include "util/data/packed_rrset.h" +#include "util/netevent.h" #include "util/storage/lookup3.h" #include "util/regional.h" #include "sldns/rrdef.h" @@ -938,11 +940,40 @@ return 0; } +static int +edns_opt_list_append_keepalive(struct edns_option** list, int msec, + struct regional* region) +{ + uint8_t data2; /* For keepalive value */ + data0 = (uint8_t)((msec >> 8) & 0xff); + data1 = (uint8_t)(msec & 0xff); + return edns_opt_list_append(list, LDNS_EDNS_KEEPALIVE, sizeof(data), + data, region); +} + /** parse EDNS options from EDNS wireformat rdata */ static int -parse_edns_options(uint8_t* rdata_ptr, size_t rdata_len, - struct edns_data* edns, struct regional* region) +parse_edns_options_from_query(uint8_t* rdata_ptr, size_t rdata_len, + struct edns_data* edns, struct config_file* cfg, struct comm_point* c, + struct regional* region) { + /* To respond with a Keepalive option, the client connection must have + * received one message with a TCP Keepalive EDNS option, and that + * option must have 0 length data. Subsequent messages sent on that + * connection will have a TCP Keepalive option. + * + * In the if-statement below, the option is added unsolicited. This + * means that the client has sent an KEEPALIVE option earlier. We know + * here this is true, because c->tcp_keepalive is set. + */ + if (cfg && cfg->do_tcp_keepalive && c && c->type != comm_udp && c->tcp_keepalive) { + if(!edns_opt_list_append_keepalive(&edns->opt_list_out, + c->tcp_timeout_msec / 100, region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + } + /* while still more options, and have code+len to read */ /* ignores partial content (i.e. rdata len 3) */ while(rdata_len >= 4) { 
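Review bot: `edns_opt_list_append_keepalive()` in the `@@ -938,11 +940,40 @@` hunk keeps only the low 16 bits of its argument, and the caller passes `c->tcp_timeout_msec / 100` with no visible upper bound, so a configured idle timeout above 6553.5 seconds would wrap and advertise a much shorter value to the client. Clamping before the two byte stores, `if(msec > 0xffff) msec = 0xffff;`, keeps the advertised timeout at the maximum instead. The parameter is also named `msec` although the value it receives is in units of 100 ms; a name such as `timeout_100ms` or a one-line comment would stop a later caller from passing raw milliseconds. `parse_edns_options_from_query()` continues past the end of this hunk.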
@@ -952,20 +983,81 @@ rdata_len -= 4; if(opt_len > rdata_len) break; /* option code partial */ - if(!edns_opt_append(edns, region, opt_code, opt_len, - rdata_ptr)) { + + /* handle parse time edns options here */ + switch(opt_code) { + case LDNS_EDNS_NSID: + if (!cfg || !cfg->nsid) + break; + if(!edns_opt_list_append(&edns->opt_list_out, + LDNS_EDNS_NSID, cfg->nsid_len, + cfg->nsid, region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + break; + + case LDNS_EDNS_KEEPALIVE: + /* To respond with a Keepalive option, the client + * connection must have received one message with a TCP + * Keepalive EDNS option, and that option must have 0 + * length data. Subsequent messages sent on that + * connection will have a TCP Keepalive option. + * + * This should be the first time the client sends this + * option, so c->tcp_keepalive is not set. + * Besides adding the reply KEEPALIVE option, + * c->tcp_keepalive will be set so that the + * option will be added unsolicited in subsequent + * responses (see the comment above the if-statement + * at the start of this function). 
+ */ + if (!cfg || !cfg->do_tcp_keepalive || !c || + c->type == comm_udp || c->tcp_keepalive) + break; + if(opt_len) { + verbose(VERB_ALGO, "query with bad edns keepalive."); + return LDNS_RCODE_FORMERR; + } + if(!edns_opt_list_append_keepalive(&edns->opt_list_out, + c->tcp_timeout_msec / 100, + region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + c->tcp_keepalive = 1; + break; + + case LDNS_EDNS_PADDING: + if(!cfg || !cfg->pad_responses || + !c || c->type != comm_tcp ||!c->ssl) + break; + if(!edns_opt_list_append(&edns->opt_list_out, + LDNS_EDNS_PADDING, + 0, NULL, region)) { + log_err("out of memory"); + return LDNS_RCODE_SERVFAIL; + } + edns->padding_block_size = cfg->pad_responses_block_size; + break; + + default: + break; + } + if(!edns_opt_list_append(&edns->opt_list_in, + opt_code, opt_len, rdata_ptr, region)) { log_err("out of memory"); - return 0; + return LDNS_RCODE_SERVFAIL; } rdata_ptr += opt_len; rdata_len -= opt_len; } - return 1; + return LDNS_RCODE_NOERROR; } int -parse_extract_edns(struct msg_parse* msg, struct edns_data* edns, - struct regional* region) +parse_extract_edns_from_response_msg(struct msg_parse* msg, + struct edns_data* edns, struct regional* region) { struct rrset_parse* rrset = msg->rrset_first; struct rrset_parse* prev = 0; 
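Review bot: The `LDNS_EDNS_NSID` and `LDNS_EDNS_PADDING` cases in the option loop append to `edns->opt_list_out` once per occurrence of the option in the query, so a query that repeats the option gets the same number of copies queued for the reply; only the keepalive case is guarded, through `c->tcp_keepalive`. The code this replaces (`apply_edns_options()` in util/edns.c, removed further down the page) used `edns_opt_list_find()` and so added each option at most once. A check on the output list ahead of the append, e.g. `if(edns_opt_list_find(edns->opt_list_out, LDNS_EDNS_NSID)) break;` and the same for padding, keeps the response size independent of how often the client repeats an option. Whether the encoder later drops an oversized OPT record is not visible here.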
@@ -1019,18 +1111,35 @@ edns->edns_version = found->rr_last->ttl_data1; edns->bits = sldns_read_uint16(&found->rr_last->ttl_data2); edns->udp_size = ntohs(found->rrset_class); - edns->opt_list = NULL; + edns->opt_list_in = NULL; + edns->opt_list_out = NULL; + edns->opt_list_inplace_cb_out = NULL; edns->padding_block_size = 0; /* take the options */ rdata_len = found->rr_first->size-2; rdata_ptr = found->rr_first->ttl_data+6; - if(!parse_edns_options(rdata_ptr, rdata_len, edns, region)) - return 0; - /* ignore rrsigs */ + /* while still more options, and have code+len to read */ + /* ignores partial content (i.e. rdata len 3) */ + while(rdata_len >= 4) { + uint16_t opt_code = sldns_read_uint16(rdata_ptr); + uint16_t opt_len = sldns_read_uint16(rdata_ptr+2); + rdata_ptr += 4; + rdata_len -= 4; + if(opt_len > rdata_len) + break; /* option code partial */ - return 0; + if(!edns_opt_list_append(&edns->opt_list_in, + opt_code, opt_len, rdata_ptr, region)) { + log_err("out of memory"); + break; + } + rdata_ptr += opt_len; + rdata_len -= opt_len; + } + /* ignore rrsigs */ + return LDNS_RCODE_NOERROR; } /** skip RR in packet */ @@ -1048,7 +1157,7 @@ } /** skip RRs from packet */ -static int +int skip_pkt_rrs(sldns_buffer* pkt, int num) { int i; @@ -1060,8 +1169,8 @@ } int -parse_edns_from_pkt(sldns_buffer* pkt, struct edns_data* edns, - struct regional* region) +parse_edns_from_query_pkt(sldns_buffer* pkt, struct edns_data* edns, + struct config_file* cfg, struct comm_point* c, struct regional* region) { size_t rdata_len; uint8_t* rdata_ptr; @@ -1093,7 +1202,9 @@ edns->ext_rcode = sldns_buffer_read_u8(pkt); /* ttl used for bits */ edns->edns_version = sldns_buffer_read_u8(pkt); edns->bits = sldns_buffer_read_u16(pkt); - edns->opt_list = NULL; + edns->opt_list_in = NULL; + edns->opt_list_out = NULL; + edns->opt_list_inplace_cb_out = NULL; edns->padding_block_size = 0; /* take the options */ 
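Review bot: In the option loop added to `parse_extract_edns_from_response_msg()` (hunk `@@ -1019,18 +1111,35 @@`), a failed `edns_opt_list_append()` logs "out of memory" and then `break`s, after which the function returns `LDNS_RCODE_NOERROR` with a partially filled `opt_list_in`. The query-side parser in the same file returns `LDNS_RCODE_SERVFAIL` for the same failure, so callers of the response path cannot tell a truncated option list from a complete one. Replacing the `break;` with `return LDNS_RCODE_SERVFAIL;` makes the two paths agree; if dropping the remaining options is intentional for responses, a comment saying so would do. The function begins outside the hunk.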
@@ -1101,12 +1212,9 @@ if(sldns_buffer_remaining(pkt) < rdata_len) return LDNS_RCODE_FORMERR; rdata_ptr = sldns_buffer_current(pkt); - if(!parse_edns_options(rdata_ptr, rdata_len, edns, region)) - return LDNS_RCODE_SERVFAIL; - /* ignore rrsigs */ - - return 0; + return parse_edns_options_from_query(rdata_ptr, rdata_len, edns, cfg, + c, region); } void @@ -1127,3 +1235,4 @@ } } } +
_service:tar_scm:unbound-1.13.2.tar.gz/util/data/msgparse.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/data/msgparse.h
Changed
@@ -70,6 +70,8 @@ struct rr_parse; struct regional; struct edns_option; +struct config_file; +struct comm_point; /** number of buckets in parse rrset hash table. Must be power of 2. */ #define PARSE_TABLE_SIZE 32 @@ -225,8 +227,15 @@ uint16_t bits; /** UDP reassembly size. */ uint16_t udp_size; - /** rdata element list, or NULL if none */ - struct edns_option* opt_list; + /** rdata element list of options of an incoming packet created at + * parse time, or NULL if none */ + struct edns_option* opt_list_in; + /** rdata element list of options to encode for outgoing packets, + * or NULL if none */ + struct edns_option* opt_list_out; + /** rdata element list of outgoing edns options from modules + * or NULL if none */ + struct edns_option* opt_list_inplace_cb_out; /** block size to pad */ uint16_t padding_block_size; }; @@ -281,8 +290,17 @@ * @return: 0 on success. or an RCODE on an error. * RCODE formerr if OPT in wrong section, and so on. */ -int parse_extract_edns(struct msg_parse* msg, struct edns_data* edns, - struct regional* region); +int parse_extract_edns_from_response_msg(struct msg_parse* msg, + struct edns_data* edns, struct regional* region); + +/** + * Skip RRs from packet + * @param pkt: the packet. position at start must be right after the query + * section. At end, right after EDNS data or no movement if failed. + * @param num: Limit of the number of records we want to parse. + * @return: 0 on success, 1 on failure. + */ +int skip_pkt_rrs(struct sldns_buffer* pkt, int num); /** * If EDNS data follows a query section, extract it and initialize edns struct. 
@@ -290,12 +308,14 @@ * section. At end, right after EDNS data or no movement if failed. * @param edns: the edns data allocated by the caller. Does not have to be * initialised. + * @param cfg: the configuration (with nsid value etc.) + * @param c: commpoint to determine transport (if needed) * @param region: region to alloc results in (edns option contents) * @return: 0 on success, or an RCODE on error. * RCODE formerr if OPT is badly formatted and so on. */ -int parse_edns_from_pkt(struct sldns_buffer* pkt, struct edns_data* edns, - struct regional* region); +int parse_edns_from_query_pkt(struct sldns_buffer* pkt, struct edns_data* edns, + struct config_file* cfg, struct comm_point* c, struct regional* region); /** * Calculate hash value for rrset in packet.
_service:tar_scm:unbound-1.13.2.tar.gz/util/data/msgreply.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/data/msgreply.c
Changed
@@ -117,6 +117,7 @@ rep->ar_numrrsets = ar; rep->rrset_count = total; rep->security = sec; + rep->reason_bogus = LDNS_EDE_NONE; rep->authoritative = 0; /* array starts after the refs */ if(region) @@ -166,6 +167,32 @@ return 1; } +struct reply_info * +make_new_reply_info(const struct reply_info* rep, struct regional* region, + size_t an_numrrsets, size_t copy_rrsets) +{ + struct reply_info* new_rep; + size_t i; + + /* create a base struct. we specify 'insecure' security status as + * the modified response won't be DNSSEC-valid. In our faked response + * the authority and additional sections will be empty (except possible + * EDNS0 OPT RR in the additional section appended on sending it out), + * so the total number of RRsets is an_numrrsets. */ + new_rep = construct_reply_info_base(region, rep->flags, + rep->qdcount, rep->ttl, rep->prefetch_ttl, + rep->serve_expired_ttl, an_numrrsets, 0, 0, an_numrrsets, + sec_status_insecure); + if(!new_rep) + return NULL; + if(!reply_info_alloc_rrset_keys(new_rep, NULL, region)) + return NULL; + for(i=0; i<copy_rrsets; i++) + new_rep->rrsetsi = rep->rrsetsi; + + return new_rep; +} + /** find the minimumttl in the rdata of SOA record */ static time_t soa_find_minttl(struct rr_parse* rr) @@ -196,13 +223,17 @@ * minimum-ttl in the rdata of the SOA record */ if(*rr_ttl > soa_find_minttl(rr)) *rr_ttl = soa_find_minttl(rr); - if(*rr_ttl > MAX_NEG_TTL) - *rr_ttl = MAX_NEG_TTL; } if(!SERVE_ORIGINAL_TTL && (*rr_ttl < MIN_TTL)) *rr_ttl = MIN_TTL; if(!SERVE_ORIGINAL_TTL && (*rr_ttl > MAX_TTL)) *rr_ttl = MAX_TTL; + if(type == LDNS_RR_TYPE_SOA && section == LDNS_SECTION_AUTHORITY) { + /* max neg ttl overrides the min and max ttl of everything + * else, it is for a more specific record */ + if(*rr_ttl > MAX_NEG_TTL) + *rr_ttl = MAX_NEG_TTL; + } if(*rr_ttl < data->ttl) data->ttl = *rr_ttl; 
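Review bot: `make_new_reply_info()` (hunk `@@ -166,6 +167,32 @@`) copies `copy_rrsets` entries in its final loop without checking the count against either array: the new info is sized for `an_numrrsets` rrsets and the source has its own `rrset_count`. The header comment added in msgreply.h says `copy_rrsets` must not exceed `an_numrrsets`, but nothing enforces it, so a caller mistake becomes an out-of-bounds write. A guard before the loop, `if(copy_rrsets > an_numrrsets || copy_rrsets > rep->rrset_count) return NULL;`, or a `log_assert(copy_rrsets <= an_numrrsets)`, turns that into a clean failure. The loop body renders here as `new_rep->rrsetsi = rep->rrsetsi`, which I read as indexed by `i`.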
@@ -488,14 +519,13 @@ if((ret = parse_packet(pkt, msg, region)) != 0) { return ret; } - if((ret = parse_extract_edns(msg, edns, region)) != 0) + if((ret = parse_extract_edns_from_response_msg(msg, edns, region)) != 0) return ret; /* parse OK, allocate return structures */ /* this also performs dname decompression */ if(!parse_create_msg(pkt, msg, alloc, qinf, rep, NULL)) { query_info_clear(qinf); - reply_info_parsedelete(*rep, alloc); *rep = NULL; return LDNS_RCODE_SERVFAIL; } @@ -960,30 +990,32 @@ return rep; } -int edns_opt_append(struct edns_data* edns, struct regional* region, - uint16_t code, size_t len, uint8_t* data) +int edns_opt_list_append_ede(struct edns_option** list, struct regional* region, + sldns_ede_code code, const char *txt) { struct edns_option** prevp; struct edns_option* opt; + size_t txt_len = txt ? strlen(txt) : 0; /* allocate new element */ opt = (struct edns_option*)regional_alloc(region, sizeof(*opt)); if(!opt) return 0; opt->next = NULL; - opt->opt_code = code; - opt->opt_len = len; - opt->opt_data = NULL; - if(len > 0) { - opt->opt_data = regional_alloc_init(region, data, len); - if(!opt->opt_data) - return 0; - } - + opt->opt_code = LDNS_EDNS_EDE; + opt->opt_len = txt_len + sizeof(uint16_t); + opt->opt_data = regional_alloc(region, txt_len + sizeof(uint16_t)); + if(!opt->opt_data) + return 0; + sldns_write_uint16(opt->opt_data, (uint16_t)code); + if (txt_len) + memmove(opt->opt_data + 2, txt, txt_len); + /* append at end of list */ - prevp = &edns->opt_list; + prevp = list; while(*prevp != NULL) prevp = &((*prevp)->next); + verbose(VERB_ALGO, "attached EDE code: %d with message: %s", code, (txt?txt:"\"\"")); *prevp = opt; return 1; } @@ -1068,7 +1100,7 @@ (void)(*(inplace_cb_reply_func_type*)cb->cb)(qinfo, qstate, rep, rcode, edns, &opt_list_out, repinfo, region, start_time, cb->id, cb->cb_arg); } - edns->opt_list = opt_list_out; + edns->opt_list_inplace_cb_out = opt_list_out; return 1; }
_service:tar_scm:unbound-1.13.2.tar.gz/util/data/msgreply.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/data/msgreply.h
Changed
@@ -43,6 +43,7 @@ #define UTIL_DATA_MSGREPLY_H #include "util/storage/lruhash.h" #include "util/data/packed_rrset.h" +#include "sldns/rrdef.h" struct sldns_buffer; struct comm_reply; struct alloc_cache; @@ -168,6 +169,11 @@ enum sec_status security; /** + * EDE (rfc8914) code with reason for DNSSEC bogus status. + */ + sldns_ede_code reason_bogus; + + /** * Number of RRsets in each section. * The answer section. Add up the RRs in every RRset to calculate * the number of RRs, and the count for the dns packet. @@ -382,6 +388,21 @@ int reply_info_alloc_rrset_keys(struct reply_info* rep, struct alloc_cache* alloc, struct regional* region); +/* + * Create a new reply_info based on 'rep'. The new info is based on + * the passed 'rep', but ignores any rrsets except for the first 'an_numrrsets' + * RRsets in the answer section. These answer rrsets are copied to the + * new info, up to 'copy_rrsets' rrsets (which must not be larger than + * 'an_numrrsets'). If an_numrrsets > copy_rrsets, the remaining rrsets array + * entries will be kept empty so the caller can fill them later. When rrsets + * are copied, they are shallow copied. The caller must ensure that the + * copied rrsets are valid throughout its lifetime and must provide appropriate + * mutex if it can be shared by multiple threads. + */ +struct reply_info * +make_new_reply_info(const struct reply_info* rep, struct regional* region, + size_t an_numrrsets, size_t copy_rrsets); + /** * Copy a parsed rrset into given key, decompressing and allocating rdata. * @param pkt: packet for decompression 
@@ -504,18 +525,6 @@ struct query_info* qinf); /** - * Append edns option to edns data structure - * @param edns: the edns data structure to append the edns option to. - * @param region: region to allocate the new edns option. - * @param code: the edns option's code. - * @param len: the edns option's length. - * @param data: the edns option's data. - * @return false on failure. - */ -int edns_opt_append(struct edns_data* edns, struct regional* region, - uint16_t code, size_t len, uint8_t* data); - -/** * Append edns option to edns option list * @param list: the edns option list to append the edns option to. * @param code: the edns option's code. 
@@ -525,7 +534,38 @@ * @return false on failure. */ int edns_opt_list_append(struct edns_option** list, uint16_t code, size_t len, - uint8_t* data, struct regional* region); + uint8_t* data, struct regional* region); + +/** + * Append edns EDE option to edns options list + * @param LIST: the edns option list to append the edns option to. + * @param REGION: region to allocate the new edns option. + * @param CODE: the EDE code. + * @param TXT: Additional text for the option + */ +#define EDNS_OPT_LIST_APPEND_EDE(LIST, REGION, CODE, TXT) \ + do { \ + struct { \ + uint16_t code; \ + char textsizeof(TXT) - 1; \ + } ede = { htons(CODE), TXT }; \ + verbose(VERB_ALGO, "attached EDE code: %d with" \ + " message: %s", CODE, TXT); \ + edns_opt_list_append((LIST), LDNS_EDNS_EDE, \ + sizeof(uint16_t) + sizeof(TXT) - 1, \ + (void *)&ede, (REGION)); \ + } while(0) + +/** + * Append edns EDE option to edns options list + * @param list: the edns option list to append the edns option to. + * @param region: region to allocate the new edns option. + * @param code: the EDE code. + * @param txt: Additional text for the option + * @return false on failure. + */ +int edns_opt_list_append_ede(struct edns_option** list, struct regional* region, + sldns_ede_code code, const char *txt); /** * Remove any option found on the edns option list that matches the code.
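Review bot: The `EDNS_OPT_LIST_APPEND_EDE` macro discards the result of `edns_opt_list_append()`, so an allocation failure is silent, while `edns_opt_list_append_ede()`, declared right after it, reports failure to its caller. The macro also only works when `TXT` is a string literal, because it sizes the `text` member and the option length with `sizeof(TXT) - 1`; passed a `char*`, it would use the pointer size instead. I would state that in the doc comment, `@param TXT: Additional text for the option; must be a string literal.`, and add a line saying that allocation failure is ignored and `edns_opt_list_append_ede()` should be used where the caller needs the result. The member renders on this page as `char textsizeof(TXT) - 1`, with the array brackets lost.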
_service:tar_scm:unbound-1.13.2.tar.gz/util/data/packed_rrset.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/data/packed_rrset.h
Changed
@@ -61,6 +61,13 @@ * updated on encoding in a reply. This flag is not expected to be set in * cached data. */ #define PACKED_RRSET_FIXEDTTL 0x80000000 +/** This rrset is from RPZ. It is not real, it is synthesized data to block + * access. The flag makes lookups, from cache in iterator, ignore the fake + * items and only use actual data. Eg. when the iterator looksup NS, CNAME, + * A and AAAA types, it then gets items without this flag that are the + * actual network. But messages with these records in it can be stored in + * the cache and retrieved for a reply. */ +#define PACKED_RRSET_RPZ 0x8 /** number of rrs and rrsets for integer overflow protection. More than * this is not really possible (64K packet has much less RRs and RRsets) in @@ -88,6 +95,7 @@ * o PACKED_RRSET_PARENT_SIDE * o PACKED_RRSET_SOA_NEG * o PACKED_RRSET_FIXEDTTL (not supposed to be cached) + * o PACKED_RRSET_RPZ */ uint32_t flags; /** the rrset type in network format */
_service:tar_scm:unbound-1.13.2.tar.gz/util/edns.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/edns.c
Changed
@@ -128,53 +128,3 @@ return (struct edns_string_addr*)addr_tree_lookup(tree, addr, addrlen); } -static int edns_keepalive(struct edns_data* edns_out, struct edns_data* edns_in, - struct comm_point* c, struct regional* region) -{ - if(c->type == comm_udp) - return 1; - - /* To respond with a Keepalive option, the client connection - * must have received one message with a TCP Keepalive EDNS option, - * and that option must have 0 length data. Subsequent messages - * sent on that connection will have a TCP Keepalive option. - */ - if(c->tcp_keepalive || - edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_KEEPALIVE)) { - int keepalive = c->tcp_timeout_msec / 100; - uint8_t data2; - data0 = (uint8_t)((keepalive >> 8) & 0xff); - data1 = (uint8_t)(keepalive & 0xff); - if(!edns_opt_list_append(&edns_out->opt_list, LDNS_EDNS_KEEPALIVE, - sizeof(data), data, region)) - return 0; - c->tcp_keepalive = 1; - } - return 1; -} - -int apply_edns_options(struct edns_data* edns_out, struct edns_data* edns_in, - struct config_file* cfg, struct comm_point* c, struct regional* region) -{ - if(cfg->do_tcp_keepalive && - !edns_keepalive(edns_out, edns_in, c, region)) - return 0; - - if (cfg->nsid && edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_NSID) - && !edns_opt_list_append(&edns_out->opt_list, - LDNS_EDNS_NSID, cfg->nsid_len, cfg->nsid, region)) - return 0; - - if(!cfg->pad_responses || c->type != comm_tcp || !c->ssl - || !edns_opt_list_find(edns_in->opt_list, LDNS_EDNS_PADDING)) { - ; /* pass */ - } - - else if(!edns_opt_list_append(&edns_out->opt_list, LDNS_EDNS_PADDING - , 0, NULL, region)) - return 0; - else - edns_out->padding_block_size = cfg->pad_responses_block_size; - - return 1; -}
_service:tar_scm:unbound-1.13.2.tar.gz/util/edns.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/edns.h
Changed
@@ -106,16 +106,4 @@ edns_string_addr_lookup(rbtree_type* tree, struct sockaddr_storage* addr, socklen_t addrlen); -/** - * Apply common EDNS options. - * - * @param edns_out: initialised edns information with outbound edns. - * @param edns_in: initialised edns information with received edns. - * @param cfg: configuration. - * @param c: comm channel. - * @param region: the region to allocate the edns options in. - */ -int apply_edns_options(struct edns_data* edns_out, struct edns_data* edns_in, - struct config_file* cfg, struct comm_point* c, struct regional* region); - #endif
_service:tar_scm:unbound-1.13.2.tar.gz/util/fptr_wlist.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/fptr_wlist.c
Changed
@@ -138,6 +138,7 @@ else if(fptr == &auth_xfer_probe_timer_callback) return 1; else if(fptr == &auth_xfer_transfer_timer_callback) return 1; else if(fptr == &mesh_serve_expired_callback) return 1; + else if(fptr == &serviced_timer_cb) return 1; #ifdef USE_DNSTAP else if(fptr == &mq_wakeup_cb) return 1; #endif @@ -220,6 +221,7 @@ if(fptr == &mesh_state_compare) return 1; else if(fptr == &mesh_state_ref_compare) return 1; else if(fptr == &addr_tree_compare) return 1; + else if(fptr == &addr_tree_addrport_compare) return 1; else if(fptr == &local_zone_cmp) return 1; else if(fptr == &local_data_cmp) return 1; else if(fptr == &fwd_cmp) return 1; @@ -334,9 +336,10 @@ int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)( struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q)) + int nocaps, int check_ratelimit, struct sockaddr_storage* addr, + socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, + int ssl_upstream, char* tls_auth_name, struct module_qstate* q, + int* was_ratelimited)) { if(fptr == &worker_send_query) return 1; else if(fptr == &libworker_send_query) return 1;
_service:tar_scm:unbound-1.13.2.tar.gz/util/fptr_wlist.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/fptr_wlist.h
Changed
@@ -211,9 +211,10 @@ */ int fptr_whitelist_modenv_send_query(struct outbound_entry* (*fptr)( struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, - int nocaps, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, char* tls_auth_name, - struct module_qstate* q)); + int nocaps, int check_ratelimit, struct sockaddr_storage* addr, + socklen_t addrlen, uint8_t* zone, size_t zonelen, int tcp_upstream, + int ssl_upstream, char* tls_auth_name, struct module_qstate* q, + int* was_ratelimited)); /** * Check function pointer whitelist for module_env detach_subs callback values.
_service:tar_scm:unbound-1.13.2.tar.gz/util/iana_ports.inc -> _service:tar_scm:unbound-1.17.1.tar.gz/util/iana_ports.inc
Changed
@@ -2499,6 +2499,7 @@ 2870, 2871, 2872, +2873, 2874, 2875, 2876, @@ -2916,6 +2917,7 @@ 3297, 3298, 3299, +3301, 3302, 3303, 3304, @@ -3783,6 +3785,7 @@ 4308, 4309, 4310, +4319, 4320, 4321, 4322, @@ -3973,6 +3976,7 @@ 4789, 4790, 4791, +4792, 4800, 4801, 4802, @@ -4053,7 +4057,6 @@ 5026, 5027, 5029, -5030, 5031, 5042, 5043, @@ -4341,6 +4344,13 @@ 5859, 5863, 5900, +5903, +5904, +5905, +5906, +5907, +5908, +5909, 5910, 5911, 5912, @@ -4552,6 +4562,7 @@ 6965, 6966, 6969, +6980, 6997, 6998, 6999, @@ -4829,6 +4840,7 @@ 8403, 8416, 8417, +8433, 8442, 8443, 8444,
_service:tar_scm:unbound-1.13.2.tar.gz/util/mini_event.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/mini_event.c
Changed
@@ -337,6 +337,15 @@ FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->writes); FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->ready); FD_CLR(FD_SET_T ev->ev_fd, &ev->ev_base->content); + if(ev->ev_fd == ev->ev_base->maxfd) { + int i = ev->ev_base->maxfd - 1; + for (; i > 3; i--) { + if (NULL != ev->ev_base->fdsi) { + break; + } + } + ev->ev_base->maxfd = i; + } } ev->added = 0; return 0;
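Review bot: The new loop that lowers `maxfd` after the highest descriptor is removed stops at the literal `3` (`for (; i > 3; i--)`), and nothing in the hunk says why. As written, slot 3 itself is never tested, so when the removed descriptor was above 3 and no other descriptor above 3 is registered, `maxfd` settles on 3; that is conservative but not obvious. A comment on the loop, such as `/* lower maxfd to the highest fd still registered; the scan stops at 3 because <reason> */` with the real reason filled in, would help the next reader. The function starts outside the hunk.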
_service:tar_scm:unbound-1.13.2.tar.gz/util/module.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/module.c
Changed
@@ -40,6 +40,10 @@ #include "config.h" #include "util/module.h" #include "sldns/wire2str.h" +#include "util/config_file.h" +#include "util/regional.h" +#include "util/data/dname.h" +#include "util/net_help.h" const char* strextstate(enum module_ext_state s) 
@@ -71,6 +75,144 @@ return "bad_event_value"; } +void errinf(struct module_qstate* qstate, const char* str) +{ + errinf_ede(qstate, str, LDNS_EDE_NONE); +} + +void errinf_ede(struct module_qstate* qstate, + const char* str, sldns_ede_code reason_bogus) +{ + struct errinf_strlist* p; + if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str) + return; + p = (struct errinf_strlist*)regional_alloc(qstate->region, sizeof(*p)); + if(!p) { + log_err("malloc failure in validator-error-info string"); + return; + } + p->next = NULL; + p->str = regional_strdup(qstate->region, str); + p->reason_bogus = reason_bogus; + if(!p->str) { + log_err("malloc failure in validator-error-info string"); + return; + } + /* add at end */ + if(qstate->errinf) { + struct errinf_strlist* q = qstate->errinf; + while(q->next) + q = q->next; + q->next = p; + } else qstate->errinf = p; +} + +void errinf_origin(struct module_qstate* qstate, struct sock_list *origin) +{ + struct sock_list* p; + if(qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) + return; + for(p=origin; p; p=p->next) { + char buf256; + if(p == origin) + snprintf(buf, sizeof(buf), "from "); + else snprintf(buf, sizeof(buf), "and "); + if(p->len == 0) + snprintf(buf+strlen(buf), sizeof(buf)-strlen(buf), + "cache"); + else + addr_to_str(&p->addr, p->len, buf+strlen(buf), + sizeof(buf)-strlen(buf)); + errinf(qstate, buf); + } +} + +char* errinf_to_str_bogus(struct module_qstate* qstate) +{ + char buf20480; + char* p = buf; + size_t left = sizeof(buf); + struct errinf_strlist* s; + char dnameLDNS_MAX_DOMAINLEN+1; + char t16, c16; + sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t)); + sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c)); + dname_str(qstate->qinfo.qname, dname); + snprintf(p, left, "validation failure <%s %s %s>:", dname, t, c); + left -= strlen(p); p += strlen(p); + if(!qstate->errinf) + snprintf(p, left, " misc failure"); + else for(s=qstate->errinf; s; 
s=s->next) { + snprintf(p, left, " %s", s->str); + left -= strlen(p); p += strlen(p); + } + p = strdup(buf); + if(!p) + log_err("malloc failure in errinf_to_str"); + return p; +} + +sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate) +{ + struct errinf_strlist* s; + for(s=qstate->errinf; s; s=s->next) { + if (s->reason_bogus != LDNS_EDE_NONE) { + return s->reason_bogus; + } + } + return LDNS_EDE_NONE; +} + +char* errinf_to_str_servfail(struct module_qstate* qstate) +{ + char buf20480; + char* p = buf; + size_t left = sizeof(buf); + struct errinf_strlist* s; + char dnameLDNS_MAX_DOMAINLEN+1; + char t16, c16; + sldns_wire2str_type_buf(qstate->qinfo.qtype, t, sizeof(t)); + sldns_wire2str_class_buf(qstate->qinfo.qclass, c, sizeof(c)); + dname_str(qstate->qinfo.qname, dname); + snprintf(p, left, "SERVFAIL <%s %s %s>:", dname, t, c); + left -= strlen(p); p += strlen(p); + if(!qstate->errinf) + snprintf(p, left, " misc failure"); + else for(s=qstate->errinf; s; s=s->next) { + snprintf(p, left, " %s", s->str); + left -= strlen(p); p += strlen(p); + } + p = strdup(buf); + if(!p) + log_err("malloc failure in errinf_to_str"); + return p; +} + +void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr) +{ + char buf1024; + char dnameLDNS_MAX_DOMAINLEN+1; + char t16, c16; + if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !rr) + return; + sldns_wire2str_type_buf(ntohs(rr->rk.type), t, sizeof(t)); + sldns_wire2str_class_buf(ntohs(rr->rk.rrset_class), c, sizeof(c)); + dname_str(rr->rk.dname, dname); + snprintf(buf, sizeof(buf), "for <%s %s %s>", dname, t, c); + errinf(qstate, buf); +} + +void errinf_dname(struct module_qstate* qstate, const char* str, uint8_t* dname) +{ + char b1024; + char bufLDNS_MAX_DOMAINLEN+1; + if((qstate->env->cfg->val_log_level < 2 && !qstate->env->cfg->log_servfail) || !str || !dname) + return; + dname_str(dname, buf); + snprintf(b, sizeof(b), "%s %s", str, buf); + errinf(qstate, b); +} + 
int edns_known_options_init(struct module_env* env) {
_service:tar_scm:unbound-1.13.2.tar.gz/util/module.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/module.h
Changed
@@ -187,6 +187,15 @@ /** Maximum number of known edns options */ #define MAX_KNOWN_EDNS_OPTS 256 +struct errinf_strlist { + /** next item in list */ + struct errinf_strlist* next; + /** config option string */ + char* str; + /** EDE code companion to the error str */ + int reason_bogus; +}; + enum inplace_cb_list_type { /* Inplace callbacks for when a resolved reply is ready to be sent to the * front.*/ @@ -350,14 +359,18 @@ * EDNS, the answer is likely to be useless for this domain. * @param nocaps: do not use caps_for_id, use the qname as given. * (ignored if caps_for_id is disabled). + * @param check_ratelimit: if set, will check ratelimit before sending out. * @param addr: where to. * @param addrlen: length of addr. * @param zone: delegation point name. * @param zonelen: length of zone name. + * @param tcp_upstream: use TCP for upstream queries. * @param ssl_upstream: use SSL for upstream queries. * @param tls_auth_name: if ssl_upstream, use this name with TLS * authentication. - * @param q: wich query state to reactivate upon return. + * @param q: which query state to reactivate upon return. + * @param was_ratelimited: it will signal back if the query failed to pass the + * ratelimit check. * @return: false on failure (memory or socket related). no query was * sent. Or returns an outbound entry with qsent and qstate set. * This outbound_entry will be used on later module invocations @@ -365,9 +378,10 @@ */ struct outbound_entry* (*send_query)(struct query_info* qinfo, uint16_t flags, int dnssec, int want_dnssec, int nocaps, + int check_ratelimit, struct sockaddr_storage* addr, socklen_t addrlen, - uint8_t* zone, size_t zonelen, int ssl_upstream, - char* tls_auth_name, struct module_qstate* q); + uint8_t* zone, size_t zonelen, int tcp_upstream, int ssl_upstream, + char* tls_auth_name, struct module_qstate* q, int* was_ratelimited); /** * Detach-subqueries. 
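Review bot: The member comment `/** config option string */` on `errinf_strlist.str` looks carried over from `config_strlist` and does not describe this struct; the module.c side of this commit prints `s->str` as error text, so `/** error text for this entry */` would be accurate. `reason_bogus` is declared `int` here, while the accessor prototypes added further down this header use `sldns_ede_code`. The member comment should say that the field holds an `sldns_ede_code` value, with `LDNS_EDE_NONE` meaning unset.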
@@ -619,8 +633,7 @@ /** region for this query. Cleared when query process finishes. */ struct regional* region; /** failure reason information if val-log-level is high */ - struct config_strlist* errinf; - + struct errinf_strlist* errinf; /** which module is executing */ int curmod; /** module states */ @@ -652,6 +665,12 @@ int need_refetch; /** whether the query (or a subquery) was ratelimited */ int was_ratelimited; + /** time when query was started. This is when the qstate is created. + * This is used so that type NS data cannot be overwritten by them + * expiring while the lookup is in progress, using data fetched from + * those servers. By comparing expiry time with qstarttime for type NS. + */ + time_t qstarttime; /** * Attributes of clients that share the qstate that may affect IP-based @@ -662,6 +681,8 @@ /** Extended result of response-ip action processing, mainly * for logging purposes. */ struct respip_action_info* respip_action_info; + /** if the query is rpz passthru, no further rpz processing for it */ + int rpz_passthru; /** whether the reply should be dropped */ int is_drop; 
@@ -755,6 +776,65 @@ const char* strmodulevent(enum module_ev e); /** + * Append text to the error info for validation. + * @param qstate: query state. + * @param str: copied into query region and appended. + * Failures to allocate are logged. + */ +void errinf(struct module_qstate* qstate, const char* str); +void errinf_ede(struct module_qstate* qstate, const char* str, + sldns_ede_code reason_bogus); + +/** + * Append text to error info: from 1.2.3.4 + * @param qstate: query state. + * @param origin: sock list with origin of trouble. + * Every element added. + * If NULL: nothing is added. + * if 0len element: 'from cache' is added. + */ +void errinf_origin(struct module_qstate* qstate, struct sock_list *origin); + +/** + * Append text to error info: for RRset name type class + * @param qstate: query state. + * @param rr: rrset_key. + */ +void errinf_rrset(struct module_qstate* qstate, struct ub_packed_rrset_key *rr); + +/** + * Append text to error info: str dname + * @param qstate: query state. + * @param str: explanation string + * @param dname: the dname. + */ +void errinf_dname(struct module_qstate* qstate, const char* str, + uint8_t* dname); + +/** + * Create error info in string. For validation failures. + * @param qstate: query state. + * @return string or NULL on malloc failure (already logged). + * This string is malloced and has to be freed by caller. + */ +char* errinf_to_str_bogus(struct module_qstate* qstate); +/** + * Check the sldns_ede_code of the qstate. + * @param qstate: query state. + * @return LDNS_EDE_DNSSEC_BOGUS by default, or the first explicitly set + * sldns_ede_code. + */ +sldns_ede_code errinf_to_reason_bogus(struct module_qstate* qstate); + +/** + * Create error info in string. For other servfails. + * @param qstate: query state. + * @return string or NULL on malloc failure (already logged). + * This string is malloced and has to be freed by caller. 
+ */ +char* errinf_to_str_servfail(struct module_qstate* qstate); + +/** * Initialize the edns known options by allocating the required space. * @param env: the module environment. * @return false on failure (no memory).
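Review bot: The `@return` text for `errinf_to_reason_bogus` says it yields LDNS_EDE_DNSSEC_BOGUS by default, but the implementation shown in util/module.c in this same commit falls through to `return LDNS_EDE_NONE;` when no list entry carries a code. A caller that trusts the header would skip its own fallback to a bogus code. The comment should read `@return LDNS_EDE_NONE when no entry carries a code, or the first explicitly set sldns_ede_code.` `errinf_ede` is also declared without a doc comment of its own; one line stating that `reason_bogus` is stored alongside the appended string would complete the block.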
_service:tar_scm:unbound-1.13.2.tar.gz/util/net_help.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/net_help.c
Changed
@@ -38,6 +38,15 @@ */ #include "config.h" +#ifdef HAVE_SYS_TYPES_H +# include <sys/types.h> +#endif +#ifdef HAVE_NET_IF_H +#include <net/if.h> +#endif +#ifdef HAVE_NETIOAPI_H +#include <netioapi.h> +#endif #include "util/net_help.h" #include "util/log.h" #include "util/data/dname.h" @@ -46,6 +55,7 @@ #include "util/config_file.h" #include "sldns/parseutil.h" #include "sldns/wire2str.h" +#include "sldns/str2wire.h" #include <fcntl.h> #ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> @@ -223,12 +233,11 @@ else verbose(v, "%s %s port %d", str, dest, (int)port); } -int +int extstrtoaddr(const char* str, struct sockaddr_storage* addr, - socklen_t* addrlen) + socklen_t* addrlen, int port) { char* s; - int port = UNBOUND_DNS_PORT; if((s=strchr(str, '@'))) { char bufMAX_ADDR_STRLEN; if(s-str >= MAX_ADDR_STRLEN) { @@ -245,7 +254,6 @@ return ipstrtoaddr(str, port, addr, addrlen); } - int ipstrtoaddr(const char* ip, int port, struct sockaddr_storage* addr, socklen_t* addrlen) @@ -266,7 +274,10 @@ return 0; (void)strlcpy(buf, ip, sizeof(buf)); bufs-ip=0; - sa->sin6_scope_id = (uint32_t)atoi(s+1); +#ifdef HAVE_IF_NAMETOINDEX + if (!(sa->sin6_scope_id = if_nametoindex(s+1))) +#endif /* HAVE_IF_NAMETOINDEX */ + sa->sin6_scope_id = (uint32_t)atoi(s+1); ip = buf; } if(inet_pton((int)sa->sin6_family, ip, &sa->sin6_addr) <= 0) { 
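Review bot: In the `sin6_scope_id` change (`@@ -266,7 +274,10 @@`), a zone identifier that is neither a known interface name nor a number silently becomes scope 0, because the fallback `atoi(s+1)` returns 0 for non-numeric text and the result is never checked. Parsing the numeric form with `strtoul` and an end-pointer check, and returning 0 from the function when neither lookup succeeds, would reject a mistyped identifier instead of proceeding with an unintended scope. The `if(...)` whose body sits after the `#endif` is also easy to misread; a braced `if`/`else` inside the `#ifdef`, with the plain assignment in the `#else`, makes the fallback explicit. The enclosing function starts outside this hunk.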
@@ -467,6 +478,42 @@ return ipstrtoaddr(str, port, addr, addrlen); } +uint8_t* authextstrtodname(char* str, int* port, char** auth_name) +{ + char* s; + uint8_t* dname; + size_t dname_len; + *port = UNBOUND_DNS_PORT; + *auth_name = NULL; + if((s=strchr(str, '@'))) { + char* hash = strchr(s+1, '#'); + if(hash) { + *auth_name = hash+1; + } else { + *auth_name = NULL; + } + *port = atoi(s+1); + if(*port == 0) { + if(!hash && strcmp(s+1,"0")!=0) + return 0; + if(hash && strncmp(s+1,"0#",2)!=0) + return 0; + } + *s = 0; + dname = sldns_str2wire_dname(str, &dname_len); + *s = '@'; + } else if((s=strchr(str, '#'))) { + *port = UNBOUND_DNS_OVER_TLS_PORT; + *auth_name = s+1; + *s = 0; + dname = sldns_str2wire_dname(str, &dname_len); + *s = '#'; + } else { + dname = sldns_str2wire_dname(str, &dname_len); + } + return dname; +} + /** store port number into sockaddr structure */ void sockaddr_store_port(struct sockaddr_storage* addr, socklen_t addrlen, int port) @@ -881,6 +928,12 @@ BIO_write(bio, &nul, (int)sizeof(nul)); len = BIO_get_mem_data(bio, &pp); if(len != 0 && pp) { + /* reduce size of cert printout */ + char* s; + while((s=strstr(pp, " "))!=NULL) + memmove(s, s+1, strlen(s+1)+1); + while((s=strstr(pp, "\t\t"))!=NULL) + memmove(s, s+1, strlen(s+1)+1); verbose(level, "%s: \n%s", str, pp); } BIO_free(bio); 
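Review bot: `authextstrtodname` stores `atoi(s+1)` in `*port` without a range check, so a negative value or one above 65535 is handed back to the caller as a port; only the zero case is examined. A guard such as `if(*port < 0 || *port > 65535) return NULL;` placed before `*s = 0;` would stop that here, and `strtol` with an end pointer would additionally catch overflow and trailing garbage that `atoi` cannot report. The two error paths use `return 0;` in a pointer-returning function, where `return NULL;` reads more clearly. The doc comment should state that NULL is returned on error and who owns the returned dname; presumably the caller frees it, since it comes from `sldns_str2wire_dname`, but that needs confirming.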
@@ -945,9 +998,12 @@ } #endif #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA) + /* if we detect system-wide crypto policies, use those */ + if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) { /* if we have sha256, set the cipher list to have no known vulns */ - if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) - log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); + if(!SSL_CTX_set_cipher_list(ctx, "TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256")) + log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); + } #endif if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & @@ -1104,10 +1160,11 @@ (const unsigned char **)&pTargetCert->pbCertEncoded, pTargetCert->cbCertEncoded); if (!cert1) { + unsigned long error = ERR_get_error(); /* return error if a cert fails */ verbose(VERB_ALGO, "%s %d:%s", "Unable to parse certificate in memory", - (int)ERR_get_error(), ERR_error_string(ERR_get_error(), NULL)); + (int)error, ERR_error_string(error, NULL)); return 0; } else { 
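Review bot: The added `access("/etc/crypto-policies/config", F_OK)` test makes the hard-coded cipher list conditional on a file merely existing, and nothing records which branch was taken. If the file is present but the linked OpenSSL does not actually apply that policy (not visible from here), the context keeps the library default ciphers with no trace in the log. An `else` branch with `verbose(VERB_ALGO, "system crypto policy found, not setting cipher list");` would make the choice auditable. The new comment describes the branch where the policy is used but sits above the code for the other branch, and the older `/* if we have sha256 ... */` comment was left at the outer indent; both would be clearer if moved next to the code they describe.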
@@ -1118,10 +1175,11 @@ /* Ignore error X509_R_CERT_ALREADY_IN_HASH_TABLE which means the * certificate is already in the store. */ if(ERR_GET_LIB(error) != ERR_LIB_X509 || - ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { + ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) { + error = ERR_get_error(); verbose(VERB_ALGO, "%s %d:%s\n", - "Error adding certificate", (int)ERR_get_error(), - ERR_error_string(ERR_get_error(), NULL)); + "Error adding certificate", (int)error, + ERR_error_string(error, NULL)); X509_free(cert1); return 0; } @@ -1172,6 +1230,7 @@ if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) & SSL_OP_NO_RENEGOTIATION) != SSL_OP_NO_RENEGOTIATION) { log_crypto_err("could not set SSL_OP_NO_RENEGOTIATION"); + SSL_CTX_free(ctx); return 0; } #endif @@ -1212,7 +1271,13 @@ } } #else - (void)wincert; + if(wincert) { + if(!SSL_CTX_set_default_verify_paths(ctx)) { + log_crypto_err("error in default_verify_paths"); + SSL_CTX_free(ctx); + return NULL; + } + } #endif SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); }
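Review bot: In the certificate-store error branch, `error` is tested against X509_R_CERT_ALREADY_IN_HASH_TABLE and then overwritten by `error = ERR_get_error();` before it is logged, so the logged code is not necessarily the one that was tested. How `error` was first obtained is outside this hunk; if it was peeked from the end of the queue, the fresh `ERR_get_error()` returns the oldest queued entry instead. Logging the value that was tested and then calling `ERR_clear_error();` keeps the message consistent and still drains the queue.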
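Review bot: In `@@ -1212,7 +1271,13 @@`, the `wincert` flag now loads the OpenSSL default verify paths on non-Windows builds, which the parameter name does not suggest. The function's doc comment (outside this hunk) should say so, for example `@param wincert: load the Windows certificate store, or on other systems the OpenSSL default verify locations`. This error path uses `return NULL;` while the `SSL_OP_NO_RENEGOTIATION` hunk just above pairs `SSL_CTX_free(ctx);` with `return 0;`. If both are in the same pointer-returning function, `NULL` in both keeps it uniform.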
_service:tar_scm:unbound-1.13.2.tar.gz/util/net_help.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/net_help.h
Changed
@@ -96,6 +96,11 @@ /** return a random 16-bit number given a random source */ #define GET_RANDOM_ID(rnd) (((unsigned)ub_random(rnd)>>8) & 0xffff) +/** define MSG_DONTWAIT for unsupported platforms */ +#ifndef MSG_DONTWAIT +#define MSG_DONTWAIT 0 +#endif + /** minimal responses when positive answer */ extern int MINIMAL_RESPONSES; @@ -178,10 +183,11 @@ * @param str: the string * @param addr: where to store sockaddr. * @param addrlen: length of stored sockaddr is returned. + * @param port: default port. * @return 0 on error. */ int extstrtoaddr(const char* str, struct sockaddr_storage* addr, - socklen_t* addrlen); + socklen_t* addrlen, int port); /** * Convert ip address string and port to sockaddr. 
@@ -210,18 +216,31 @@ /** * Convert address string, with "@port" appendix, to sockaddr. * It can also have an "#tls-auth-name" appendix (after the port). - * The returned tls-auth-name string is a pointer into the input string. - * Uses DNS port by default. + * The returned auth_name string is a pointer into the input string. + * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. * @param str: the string * @param addr: where to store sockaddr. * @param addrlen: length of stored sockaddr is returned. * @param auth_name: returned pointer to tls_auth_name, or NULL if none. * @return 0 on error. */ -int authextstrtoaddr(char* str, struct sockaddr_storage* addr, +int authextstrtoaddr(char* str, struct sockaddr_storage* addr, socklen_t* addrlen, char** auth_name); /** + * Convert domain string, with "@port" appendix, to dname. + * It can also have an "#tls-auth-name" appendix (after the port). + * The return port is the parsed port. + * Uses DNS port by default; TLS port when a "#tls-auth-name" is configured. + * The returned auth_name string is a pointer into the input string. + * @param str: the string + * @param port: pointer to be assigned the parsed port value. + * @param auth_name: returned pointer to tls_auth_name, or NULL if none. + * @return pointer to the dname. + */ +uint8_t* authextstrtodname(char* str, int* port, char** auth_name); + +/** * Store port number into sockaddr structure * @param addr: sockaddr structure, ip4 or ip6. * @param addrlen: length of addr.
_service:tar_scm:unbound-1.13.2.tar.gz/util/netevent.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/netevent.c
Changed
@@ -45,6 +45,7 @@ #include "util/net_help.h" #include "util/tcp_conn_limit.h" #include "util/fptr_wlist.h" +#include "util/proxy_protocol.h" #include "sldns/pkthdr.h" #include "sldns/sbuffer.h" #include "sldns/str2wire.h" @@ -60,6 +61,9 @@ #ifdef HAVE_NETDB_H #include <netdb.h> #endif +#ifdef HAVE_POLL_H +#include <poll.h> +#endif #ifdef HAVE_OPENSSL_SSL_H #include <openssl/ssl.h> @@ -107,6 +111,9 @@ #define NUM_UDP_PER_SELECT 1 #endif +/** timeout in millisec to wait for write to unblock, packets dropped after.*/ +#define SEND_BLOCKED_WAIT_TIMEOUT 200 + /** * The internal event structure for keeping ub_event info for the event. * Possibly other structures (list, tree) this is part of. @@ -132,6 +139,10 @@ struct ub_event* slow_accept; /** true if slow_accept is enabled */ int slow_accept_enabled; + /** last log time for slow logging of file descriptor errors */ + time_t last_slow_log; + /** last log time for slow logging of write wait failures */ + time_t last_writewait_log; }; /** @@ -300,6 +311,7 @@ case ENETDOWN: # endif case EPERM: + case EACCES: if(verbosity < VERB_ALGO) return 0; default: 
@@ -366,29 +378,83 @@ * we want to send the answer, and we will wait for * the ethernet interface buffer to have space. */ #ifndef USE_WINSOCK - if(errno == EAGAIN || + if(errno == EAGAIN || errno == EINTR || # ifdef EWOULDBLOCK errno == EWOULDBLOCK || # endif errno == ENOBUFS) { #else if(WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEINTR || WSAGetLastError() == WSAENOBUFS || WSAGetLastError() == WSAEWOULDBLOCK) { #endif - int e; - fd_set_block(c->fd); - if (!is_connected) { - sent = sendto(c->fd, (void*)sldns_buffer_begin(packet), - sldns_buffer_remaining(packet), 0, - addr, addrlen); - } else { - sent = send(c->fd, (void*)sldns_buffer_begin(packet), - sldns_buffer_remaining(packet), 0); + /* if we set the fd blocking, other threads suddenly + * have a blocking fd that they operate on */ + while(sent == -1 && ( +#ifndef USE_WINSOCK + errno == EAGAIN || errno == EINTR || +# ifdef EWOULDBLOCK + errno == EWOULDBLOCK || +# endif + errno == ENOBUFS +#else + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAENOBUFS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + )) { +#if defined(HAVE_POLL) || defined(USE_WINSOCK) + struct pollfd p; + int pret; + memset(&p, 0, sizeof(p)); + p.fd = c->fd; + p.events = POLLOUT | POLLERR | POLLHUP; +# ifndef USE_WINSOCK + pret = poll(&p, 1, SEND_BLOCKED_WAIT_TIMEOUT); +# else + pret = WSAPoll(&p, 1, + SEND_BLOCKED_WAIT_TIMEOUT); +# endif + if(pret == 0) { + /* timer expired */ + struct comm_base* b = c->ev->base; + if(b->eb->last_writewait_log+SLOW_LOG_TIME <= + b->eb->secs) { + b->eb->last_writewait_log = b->eb->secs; + verbose(VERB_OPS, "send udp blocked " + "for long, dropping packet."); + } + return 0; + } else if(pret < 0 && +#ifndef USE_WINSOCK + errno != EAGAIN && errno != EINTR && +# ifdef EWOULDBLOCK + errno != EWOULDBLOCK && +# endif + errno != ENOBUFS +#else + WSAGetLastError() != WSAEINPROGRESS && + WSAGetLastError() != WSAEINTR && + WSAGetLastError() != 
WSAENOBUFS && + WSAGetLastError() != WSAEWOULDBLOCK +#endif + ) { + log_err("poll udp out failed: %s", + sock_strerror(errno)); + return 0; + } +#endif /* defined(HAVE_POLL) || defined(USE_WINSOCK) */ + if (!is_connected) { + sent = sendto(c->fd, (void*)sldns_buffer_begin(packet), + sldns_buffer_remaining(packet), 0, + addr, addrlen); + } else { + sent = send(c->fd, (void*)sldns_buffer_begin(packet), + sldns_buffer_remaining(packet), 0); + } } - e = errno; - fd_set_nonblock(c->fd); - errno = e; } } if(sent == -1) { 
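Review bot: The retry loop that replaces the blocking send has no upper bound on iterations. When `poll` reports the socket writable but `sendto`/`send` keeps failing with ENOBUFS or EAGAIN, control goes straight back to `poll` and the thread spins; on builds with neither HAVE_POLL nor USE_WINSOCK there is no wait at all between retries. Under sustained send-buffer pressure that can hold a worker inside this function instead of dropping the packet. A small counter bounds the time spent: `int retries = 0;` before the loop and `if(++retries > 5) return 0;` at its top (the limit 5 is a constructed example). The same applies to the `sendmsg` loop in the next hunk (`@@ -555,22 +621,74 @@`); the enclosing function starts outside the hunk.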
@@ -555,22 +621,74 @@ * we want to send the answer, and we will wait for * the ethernet interface buffer to have space. */ #ifndef USE_WINSOCK - if(errno == EAGAIN || + if(errno == EAGAIN || errno == EINTR || # ifdef EWOULDBLOCK errno == EWOULDBLOCK || # endif errno == ENOBUFS) { #else if(WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEINTR || WSAGetLastError() == WSAENOBUFS || WSAGetLastError() == WSAEWOULDBLOCK) { #endif - int e; - fd_set_block(c->fd); - sent = sendmsg(c->fd, &msg, 0); - e = errno; - fd_set_nonblock(c->fd); - errno = e; + while(sent == -1 && ( +#ifndef USE_WINSOCK + errno == EAGAIN || errno == EINTR || +# ifdef EWOULDBLOCK + errno == EWOULDBLOCK || +# endif + errno == ENOBUFS +#else + WSAGetLastError() == WSAEINPROGRESS || + WSAGetLastError() == WSAEINTR || + WSAGetLastError() == WSAENOBUFS || + WSAGetLastError() == WSAEWOULDBLOCK +#endif + )) { +#if defined(HAVE_POLL) || defined(USE_WINSOCK) + struct pollfd p; + int pret; + memset(&p, 0, sizeof(p)); + p.fd = c->fd; + p.events = POLLOUT | POLLERR | POLLHUP; +# ifndef USE_WINSOCK + pret = poll(&p, 1, SEND_BLOCKED_WAIT_TIMEOUT); +# else + pret = WSAPoll(&p, 1, + SEND_BLOCKED_WAIT_TIMEOUT); +# endif + if(pret == 0) { + /* timer expired */ + struct comm_base* b = c->ev->base; + if(b->eb->last_writewait_log+SLOW_LOG_TIME <= + b->eb->secs) { + b->eb->last_writewait_log = b->eb->secs; + verbose(VERB_OPS, "send udp blocked " + "for long, dropping packet."); + } + return 0; + } else if(pret < 0 && +#ifndef USE_WINSOCK + errno != EAGAIN && errno != EINTR && +# ifdef EWOULDBLOCK + errno != EWOULDBLOCK && +# endif + errno != ENOBUFS +#else + WSAGetLastError() != WSAEINPROGRESS && + WSAGetLastError() != WSAEINTR && + WSAGetLastError() != WSAENOBUFS && + WSAGetLastError() != WSAEWOULDBLOCK +#endif + ) { + log_err("poll udp out failed: %s", + sock_strerror(errno)); + return 0; + } +#endif /* defined(HAVE_POLL) || defined(USE_WINSOCK) */ + sent = sendmsg(c->fd, &msg, 0); + } } } if(sent == -1) 
{ 
@@ -638,6 +756,67 @@ return 1; } +/** Parses the PROXYv2 header from buf and updates the comm_reply struct. + * Returns 1 on success, 0 on failure. */ +static int consume_pp2_header(struct sldns_buffer* buf, struct comm_reply* rep, + int stream) { + size_t size; + struct pp2_header *header = pp2_read_header(buf); + if(header == NULL) return 0; + size = PP2_HEADER_SIZE + ntohs(header->len); + if((header->ver_cmd & 0xF) == PP2_CMD_LOCAL) { + /* A connection from the proxy itself. + * No need to do anything with addresses. */ + goto done; + } + if(header->fam_prot == 0x00) { + /* Unspecified family and protocol. This could be used for + * health checks by proxies. + * No need to do anything with addresses. */ + goto done; + } + /* Read the proxied address */ + switch(header->fam_prot) { + case 0x11: /* AF_INET|STREAM */ + case 0x12: /* AF_INET|DGRAM */ + { + struct sockaddr_in* addr = + (struct sockaddr_in*)&rep->client_addr; + addr->sin_family = AF_INET; + addr->sin_addr.s_addr = header->addr.addr4.src_addr; + addr->sin_port = header->addr.addr4.src_port; + rep->client_addrlen = (socklen_t)sizeof(struct sockaddr_in); + } + /* Ignore the destination address; it should be us. */ + break; + case 0x21: /* AF_INET6|STREAM */ + case 0x22: /* AF_INET6|DGRAM */ + { + struct sockaddr_in6* addr = + (struct sockaddr_in6*)&rep->client_addr; + memset(addr, 0, sizeof(*addr)); + addr->sin6_family = AF_INET6; + memcpy(&addr->sin6_addr, + header->addr.addr6.src_addr, 16); + addr->sin6_port = header->addr.addr6.src_port; + rep->client_addrlen = (socklen_t)sizeof(struct sockaddr_in6); + } + /* Ignore the destination address; it should be us. */ + break; + } + rep->is_proxied = 1; +done: + if(!stream) { + /* We are reading a whole packet; + * Move the rest of the data to overwrite the PROXYv2 header */ + /* XXX can we do better to avoid memmove? 
*/ + memmove(header, ((char*)header)+size, + sldns_buffer_limit(buf)-size); + sldns_buffer_set_limit(buf, sldns_buffer_limit(buf)-size); + } + return 1; +} + void comm_point_udp_ancil_callback(int fd, short event, void* arg) { @@ -664,11 +843,11 @@ ub_comm_base_now(rep.c->ev->base); for(i=0; i<NUM_UDP_PER_SELECT; i++) { sldns_buffer_clear(rep.c->buffer); - rep.addrlen = (socklen_t)sizeof(rep.addr); + rep.remote_addrlen = (socklen_t)sizeof(rep.remote_addr); log_assert(fd != -1); log_assert(sldns_buffer_remaining(rep.c->buffer) > 0); - msg.msg_name = &rep.addr; - msg.msg_namelen = (socklen_t)sizeof(rep.addr); + msg.msg_name = &rep.remote_addr; + msg.msg_namelen = (socklen_t)sizeof(rep.remote_addr); iov0.iov_base = sldns_buffer_begin(rep.c->buffer); iov0.iov_len = sldns_buffer_remaining(rep.c->buffer); msg.msg_iov = iov; @@ -678,7 +857,7 @@ msg.msg_controllen = sizeof(ancil.buf); #endif /* S_SPLINT_S */ msg.msg_flags = 0; - rcv = recvmsg(fd, &msg, 0); + rcv = recvmsg(fd, &msg, MSG_DONTWAIT); if(rcv == -1) { if(errno != EAGAIN && errno != EINTR && udp_recv_needs_log(errno)) { @@ -686,10 +865,11 @@ } return; } - rep.addrlen = msg.msg_namelen; + rep.remote_addrlen = msg.msg_namelen; sldns_buffer_skip(rep.c->buffer, rcv); sldns_buffer_flip(rep.c->buffer); rep.srctype = 0; + rep.is_proxied = 0; #ifndef S_SPLINT_S for(cmsg = CMSG_FIRSTHDR(&msg); cmsg != NULL; cmsg = CMSG_NXTHDR(&msg, cmsg)) { 
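Review bot: The `switch(header->fam_prot)` in `consume_pp2_header` has no `default`, so any family/protocol byte other than the handled values still reaches `rep->is_proxied = 1` without `rep->client_addr` having been written. Unless `pp2_read_header` (not visible here) rejects such values, later code would treat a stale or uninitialised address as the proxied client; `default: return 0;` closes that locally. The function also depends entirely on `pp2_read_header` for the bound on `size`: a guard `if(size > sldns_buffer_limit(buf)) return 0;` before the `memmove` keeps `sldns_buffer_limit(buf)-size` from wrapping if that upstream check ever changes. The IPv4 case fills `sockaddr_in` without the `memset` that the IPv6 case performs, which leaves the remaining bytes of the structure unset.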
@@ -719,11 +899,24 @@ if(verbosity >= VERB_ALGO) p_ancil("receive_udp on interface", &rep); #endif /* S_SPLINT_S */ + + if(rep.c->pp2_enabled && !consume_pp2_header(rep.c->buffer, + &rep, 0)) { + log_err("proxy_protocol: could not consume PROXYv2 header"); + return; + } + if(!rep.is_proxied) { + rep.client_addrlen = rep.remote_addrlen; + memmove(&rep.client_addr, &rep.remote_addr, + rep.remote_addrlen); + } + fptr_ok(fptr_whitelist_comm_point(rep.c->callback)); if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) { /* send back immediate reply */ (void)comm_point_send_udp_msg_if(rep.c, rep.c->buffer, - (struct sockaddr*)&rep.addr, rep.addrlen, &rep); + (struct sockaddr*)&rep.remote_addr, + rep.remote_addrlen, &rep); } if(!rep.c || rep.c->fd == -1) /* commpoint closed */ break; @@ -754,12 +947,12 @@ ub_comm_base_now(rep.c->ev->base); for(i=0; i<NUM_UDP_PER_SELECT; i++) { sldns_buffer_clear(rep.c->buffer); - rep.addrlen = (socklen_t)sizeof(rep.addr); + rep.remote_addrlen = (socklen_t)sizeof(rep.remote_addr); log_assert(fd != -1); log_assert(sldns_buffer_remaining(rep.c->buffer) > 0); rcv = recvfrom(fd, (void*)sldns_buffer_begin(rep.c->buffer), - sldns_buffer_remaining(rep.c->buffer), 0, - (struct sockaddr*)&rep.addr, &rep.addrlen); + sldns_buffer_remaining(rep.c->buffer), MSG_DONTWAIT, + (struct sockaddr*)&rep.remote_addr, &rep.remote_addrlen); if(rcv == -1) { #ifndef USE_WINSOCK if(errno != EAGAIN && errno != EINTR 
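Review bot: A datagram that fails `consume_pp2_header` is reported with `log_err` on every occurrence, so any sender that can reach a PROXYv2-enabled UDP port can fill the error log at packet rate. Lowering this to `verbose(VERB_ALGO, "proxy_protocol: could not consume PROXYv2 header");`, or reusing the time-gated pattern this commit introduces with `last_slow_log`, keeps the signal without the flood. Including the sender via `log_addr` on `rep.remote_addr` would also make the message actionable. The same block is added to the `recvfrom` path in `@@ -779,6 +972,19 @@`.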
@@ -779,6 +972,19 @@ sldns_buffer_skip(rep.c->buffer, rcv); sldns_buffer_flip(rep.c->buffer); rep.srctype = 0; + rep.is_proxied = 0; + + if(rep.c->pp2_enabled && !consume_pp2_header(rep.c->buffer, + &rep, 0)) { + log_err("proxy_protocol: could not consume PROXYv2 header"); + return; + } + if(!rep.is_proxied) { + rep.client_addrlen = rep.remote_addrlen; + memmove(&rep.client_addr, &rep.remote_addr, + rep.remote_addrlen); + } + fptr_ok(fptr_whitelist_comm_point(rep.c->callback)); if((*rep.c->callback)(rep.c, rep.c->cb_arg, NETEVENT_NOERROR, &rep)) { /* send back immediate reply */ @@ -788,7 +994,8 @@ buffer = rep.c->buffer; #endif (void)comm_point_send_udp_msg(rep.c, buffer, - (struct sockaddr*)&rep.addr, rep.addrlen, 0); + (struct sockaddr*)&rep.remote_addr, + rep.remote_addrlen, 0); } if(!rep.c || rep.c->fd != fd) /* commpoint closed to -1 or reused for another UDP port. Note rep.c cannot be reused with TCP fd. */ @@ -817,6 +1024,7 @@ #endif c->tcp_is_reading = 1; c->tcp_byte_count = 0; + c->tcp_keepalive = 0; /* if more than half the tcp handlers are in use, use a shorter * timeout for this TCP connection, we need to make space for * other connections to be able to get attention */ @@ -887,6 +1095,16 @@ struct timeval tv; verbose(VERB_ALGO, "out of file descriptors: " "slow accept"); + ub_comm_base_now(b); + if(b->eb->last_slow_log+SLOW_LOG_TIME <= + b->eb->secs) { + b->eb->last_slow_log = b->eb->secs; + verbose(VERB_OPS, "accept failed, " + "slow down accept for %d " + "msec: %s", + NETEVENT_SLOW_ACCEPT_TIME, + sock_strerror(errno)); + } b->eb->slow_accept_enabled = 1; fptr_ok(fptr_whitelist_stop_accept( b->stop_accept)); @@ -907,6 +1125,9 @@ /* we do not want to log here, * error: "event_add failed." */ } + } else { + log_err("accept, with no slow down, " + "failed: %s", sock_strerror(errno)); } return -1; } 
@@ -942,7 +1163,16 @@ #ifdef USE_WINSOCK static long win_bio_cb(BIO *b, int oper, const char* ATTR_UNUSED(argp), - int ATTR_UNUSED(argi), long argl, long retvalue) +#ifdef HAVE_BIO_SET_CALLBACK_EX + size_t ATTR_UNUSED(len), +#endif + int ATTR_UNUSED(argi), long argl, +#ifndef HAVE_BIO_SET_CALLBACK_EX + long retvalue +#else + int retvalue, size_t* ATTR_UNUSED(processed) +#endif + ) { int wsa_err = WSAGetLastError(); /* store errcode before it is gone */ verbose(VERB_ALGO, "bio_cb %d, %s %s %s", oper, @@ -972,9 +1202,17 @@ { SSL* ssl = (SSL*)thessl; /* set them both just in case, but usually they are the same BIO */ +#ifdef HAVE_BIO_SET_CALLBACK_EX + BIO_set_callback_ex(SSL_get_rbio(ssl), &win_bio_cb); +#else BIO_set_callback(SSL_get_rbio(ssl), &win_bio_cb); +#endif BIO_set_callback_arg(SSL_get_rbio(ssl), (char*)c->ev->ev); +#ifdef HAVE_BIO_SET_CALLBACK_EX + BIO_set_callback_ex(SSL_get_wbio(ssl), &win_bio_cb); +#else BIO_set_callback(SSL_get_wbio(ssl), &win_bio_cb); +#endif BIO_set_callback_arg(SSL_get_wbio(ssl), (char*)c->ev->ev); } #endif @@ -1036,6 +1274,7 @@ /* clear leftover flags from previous use, and then set the * correct event base for the event structure for libevent */ ub_event_free(c_hdl->ev->ev); + c_hdl->ev->ev = NULL; if((c_hdl->type == comm_tcp && c_hdl->tcp_req_info) || c_hdl->type == comm_local || c_hdl->type == comm_raw) c_hdl->tcp_do_toggle_rw = 0; 
@@ -1072,10 +1311,16 @@ } log_assert(fd != -1); (void)fd; - new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.addr, - &c_hdl->repinfo.addrlen); + new_fd = comm_point_perform_accept(c, &c_hdl->repinfo.remote_addr, + &c_hdl->repinfo.remote_addrlen); if(new_fd == -1) return; + /* Copy remote_address to client_address. + * Simplest way/time for streams to do that. */ + c_hdl->repinfo.client_addrlen = c_hdl->repinfo.remote_addrlen; + memmove(&c_hdl->repinfo.client_addr, + &c_hdl->repinfo.remote_addr, + c_hdl->repinfo.remote_addrlen); if(c->ssl) { c_hdl->ssl = incoming_ssl_fd(c->ssl, new_fd); if(!c_hdl->ssl) { @@ -1092,6 +1337,7 @@ /* grab the tcp handler buffers */ c->cur_tcp_count++; c->tcp_free = c_hdl->tcp_free; + c_hdl->tcp_free = NULL; if(!c->tcp_free) { /* stop accepting incoming queries for now. */ comm_point_stop_listening(c); @@ -1113,9 +1359,11 @@ } comm_point_close(c); if(c->tcp_parent) { - c->tcp_parent->cur_tcp_count--; - c->tcp_free = c->tcp_parent->tcp_free; - c->tcp_parent->tcp_free = c; + if(c != c->tcp_parent->tcp_free) { + c->tcp_parent->cur_tcp_count--; + c->tcp_free = c->tcp_parent->tcp_free; + c->tcp_parent->tcp_free = c; + } if(!c->tcp_free) { /* re-enable listening on accept socket */ comm_point_start_listening(c->tcp_parent, -1, -1); @@ -1123,6 +1371,9 @@ } c->tcp_more_read_again = NULL; c->tcp_more_write_again = NULL; + c->tcp_byte_count = 0; + c->pp2_header_state = pp2_header_none; + sldns_buffer_clear(c->buffer); } /** do the callback when writing is done */ 
@@ -1184,23 +1435,22 @@ { if(verbosity >= VERB_QUERY) return 0; /* only squelch on low verbosity */ - /* this is very specific, we could filter on ERR_GET_REASON() - * (the third element in ERR_PACK) */ - if(err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTPS_PROXY_REQUEST) || - err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_HTTP_REQUEST) || - err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_GET_RECORD, SSL_R_WRONG_VERSION_NUMBER) || - err == ERR_PACK(ERR_LIB_SSL, SSL_F_SSL3_READ_BYTES, SSL_R_SSLV3_ALERT_BAD_CERTIFICATE) + if(ERR_GET_LIB(err) == ERR_LIB_SSL && + (ERR_GET_REASON(err) == SSL_R_HTTPS_PROXY_REQUEST || + ERR_GET_REASON(err) == SSL_R_HTTP_REQUEST || + ERR_GET_REASON(err) == SSL_R_WRONG_VERSION_NUMBER || + ERR_GET_REASON(err) == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE #ifdef SSL_F_TLS_POST_PROCESS_CLIENT_HELLO - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_POST_PROCESS_CLIENT_HELLO, SSL_R_NO_SHARED_CIPHER) + || ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER #endif #ifdef SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNKNOWN_PROTOCOL) - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_UNSUPPORTED_PROTOCOL) + || ERR_GET_REASON(err) == SSL_R_UNKNOWN_PROTOCOL + || ERR_GET_REASON(err) == SSL_R_UNSUPPORTED_PROTOCOL # ifdef SSL_R_VERSION_TOO_LOW - || err == ERR_PACK(ERR_LIB_SSL, SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO, SSL_R_VERSION_TOO_LOW) + || ERR_GET_REASON(err) == SSL_R_VERSION_TOO_LOW # endif #endif - ) + )) return 1; return 0; } 
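Review bot: The rewritten check compares only `ERR_GET_REASON(err)`, yet the optional reasons are still gated on function-code macros (`#ifdef SSL_F_TLS_POST_PROCESS_CLIENT_HELLO`, `#ifdef SSL_F_TLS_EARLY_POST_PROCESS_CLIENT_HELLO`) that the expression no longer uses. Whether those macros are defined depends on the OpenSSL headers in use, so the set of squelched handshake errors can differ between builds without any visible change. Guarding each term on the reason it names, for example `#ifdef SSL_R_NO_SHARED_CIPHER` and `#ifdef SSL_R_UNKNOWN_PROTOCOL`, ties the condition to what is actually compared. The function body starts outside the hunk.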
@@ -1253,6 +1503,12 @@ if(errno == ECONNRESET && verbosity < 2) return 0; /* silence reset by peer */ #endif + if(!tcp_connect_errno_needs_log( + (struct sockaddr*)&c->repinfo.remote_addr, + c->repinfo.remote_addrlen)) + return 0; /* silence connect failures that + show up because after connect this is the + first system call that accesses the socket */ if(errno != 0) log_err("SSL_handshake syscall: %s", strerror(errno)); @@ -1261,8 +1517,9 @@ unsigned long err = ERR_get_error(); if(!squelch_err_ssl_handshake(err)) { log_crypto_err_code("ssl handshake failed", err); - log_addr(VERB_OPS, "ssl handshake failed", &c->repinfo.addr, - c->repinfo.addrlen); + log_addr(VERB_OPS, "ssl handshake failed", + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); } return 0; } @@ -1279,7 +1536,8 @@ if(!x) { log_addr(VERB_ALGO, "SSL connection failed: " "no certificate", - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); return 0; } log_cert(VERB_ALGO, "peer certificate", x); @@ -1289,13 +1547,13 @@ snprintf(buf, sizeof(buf), "SSL connection " "to %s authenticated", SSL_get0_peername(c->ssl)); - log_addr(VERB_ALGO, buf, &c->repinfo.addr, - c->repinfo.addrlen); + log_addr(VERB_ALGO, buf, &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); } else { #endif log_addr(VERB_ALGO, "SSL connection " - "authenticated", &c->repinfo.addr, - c->repinfo.addrlen); + "authenticated", &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); #ifdef HAVE_SSL_GET0_PEERNAME } #endif 
@@ -1312,14 +1570,15 @@ } log_addr(VERB_ALGO, "SSL connection failed: " "failed to authenticate", - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); return 0; } } else { /* unauthenticated, the verify peer flag was not set * in c->ssl when the ssl object was created from ssl_ctx */ - log_addr(VERB_ALGO, "SSL connection", &c->repinfo.addr, - c->repinfo.addrlen); + log_addr(VERB_ALGO, "SSL connection", &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); } #ifdef HAVE_SSL_GET0_ALPN_SELECTED 
@@ -1360,6 +1619,142 @@ if(c->ssl_shake_state != comm_ssl_shake_none) return 1; } + if(c->pp2_enabled && c->pp2_header_state != pp2_header_done) { + struct pp2_header* header = NULL; + size_t want_read_size = 0; + size_t current_read_size = 0; + if(c->pp2_header_state == pp2_header_none) { + want_read_size = PP2_HEADER_SIZE; + if(sldns_buffer_remaining(c->buffer)<want_read_size) { + log_err_addr("proxy_protocol: not enough " + "buffer size to read PROXYv2 header", "", + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + verbose(VERB_ALGO, "proxy_protocol: reading fixed " + "part of PROXYv2 header (len %lu)", + (unsigned long)want_read_size); + current_read_size = want_read_size; + if(c->tcp_byte_count < current_read_size) { + ERR_clear_error(); + if((r=SSL_read(c->ssl, (void*)sldns_buffer_at( + c->buffer, c->tcp_byte_count), + current_read_size - + c->tcp_byte_count)) <= 0) { + int want = SSL_get_error(c->ssl, r); + if(want == SSL_ERROR_ZERO_RETURN) { + if(c->tcp_req_info) + return tcp_req_info_handle_read_close(c->tcp_req_info); + return 0; /* shutdown, closed */ + } else if(want == SSL_ERROR_WANT_READ) { +#ifdef USE_WINSOCK + ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); +#endif + return 1; /* read more later */ + } else if(want == SSL_ERROR_WANT_WRITE) { + c->ssl_shake_state = comm_ssl_shake_hs_write; + comm_point_listen_for_rw(c, 0, 1); + return 1; + } else if(want == SSL_ERROR_SYSCALL) { +#ifdef ECONNRESET + if(errno == ECONNRESET && verbosity < 2) + return 0; /* silence reset by peer */ +#endif + if(errno != 0) + log_err("SSL_read syscall: %s", + strerror(errno)); + return 0; + } + log_crypto_err("could not SSL_read"); + return 0; + } + c->tcp_byte_count += r; + if(c->tcp_byte_count != current_read_size) return 1; + c->pp2_header_state = pp2_header_init; + } + } + if(c->pp2_header_state == pp2_header_init) { + header = pp2_read_header(c->buffer); + if(!header) { + log_err("proxy_protocol: could not parse " + "PROXYv2 header"); + 
return 0; + } + want_read_size = ntohs(header->len); + if(sldns_buffer_remaining(c->buffer) < + PP2_HEADER_SIZE + want_read_size) { + log_err_addr("proxy_protocol: not enough " + "buffer size to read PROXYv2 header", "", + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + verbose(VERB_ALGO, "proxy_protocol: reading variable " + "part of PROXYv2 header (len %lu)", + (unsigned long)want_read_size); + current_read_size = PP2_HEADER_SIZE + want_read_size; + if(want_read_size == 0) { + /* nothing more to read; header is complete */ + c->pp2_header_state = pp2_header_done; + } else if(c->tcp_byte_count < current_read_size) { + ERR_clear_error(); + if((r=SSL_read(c->ssl, (void*)sldns_buffer_at( + c->buffer, c->tcp_byte_count), + current_read_size - + c->tcp_byte_count)) <= 0) { + int want = SSL_get_error(c->ssl, r); + if(want == SSL_ERROR_ZERO_RETURN) { + if(c->tcp_req_info) + return tcp_req_info_handle_read_close(c->tcp_req_info); + return 0; /* shutdown, closed */ + } else if(want == SSL_ERROR_WANT_READ) { +#ifdef USE_WINSOCK + ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); +#endif + return 1; /* read more later */ + } else if(want == SSL_ERROR_WANT_WRITE) { + c->ssl_shake_state = comm_ssl_shake_hs_write; + comm_point_listen_for_rw(c, 0, 1); + return 1; + } else if(want == SSL_ERROR_SYSCALL) { +#ifdef ECONNRESET + if(errno == ECONNRESET && verbosity < 2) + return 0; /* silence reset by peer */ +#endif + if(errno != 0) + log_err("SSL_read syscall: %s", + strerror(errno)); + return 0; + } + log_crypto_err("could not SSL_read"); + return 0; + } + c->tcp_byte_count += r; + if(c->tcp_byte_count != current_read_size) return 1; + c->pp2_header_state = pp2_header_done; + } + } + if(c->pp2_header_state != pp2_header_done || !header) { + log_err_addr("proxy_protocol: wrong state for the " + "PROXYv2 header", "", &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) { + 
log_err_addr("proxy_protocol: could not consume " + "PROXYv2 header", "", &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + verbose(VERB_ALGO, "proxy_protocol: successful read of " + "PROXYv2 header"); + /* Clear and reset the buffer to read the following + * DNS packet(s). */ + sldns_buffer_clear(c->buffer); + c->tcp_byte_count = 0; + return 1; + } if(c->tcp_byte_count < sizeof(uint16_t)) { /* read length bytes */ ERR_clear_error(); @@ -1619,16 +2014,18 @@ return ssl_handle_write(c); } -/** Handle tcp reading callback. +/** + * Handle tcp reading callback. * @param fd: file descriptor of socket. * @param c: comm point to read from into buffer. * @param short_ok: if true, very short packets are OK (for comm_local). - * @return: 0 on error + * @return: 0 on error */ static int comm_point_tcp_handle_read(int fd, struct comm_point* c, int short_ok) { ssize_t r; + int recv_initial = 0; log_assert(c->type == comm_tcp || c->type == comm_local); if(c->ssl) return ssl_handle_it(c, 0); 
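Review bot: In the PROXYv2 block added at `@@ -1360,6 +1619,142 @@`, nothing visible checks that the connected peer (`c->repinfo.remote_addr`) is an expected proxy before `consume_pp2_header(c->buffer, &c->repinfo, 1)` is allowed to update `repinfo`, so any host that can reach a `pp2_enabled` listener decides what the header says. If that restriction is enforced elsewhere (listener configuration, firewalling), a comment at the top of the block should name where, because code that later trusts `client_addr` is presumably relying on it. The failure paths also use `log_err`/`log_err_addr`, which lets a peer that sends a malformed or oversized header produce one error-level line per connection; `verbose(VERB_ALGO, ...)` would match how other peer-triggered failures in this file are kept quiet. The same block is repeated around recv() in the hunk at `@@ -1636,78 +2033,111 @@`, and the enclosing function starts and ends outside both hunks.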
@@ -1636,78 +2033,111 @@ return 0; log_assert(fd != -1); + if(c->pp2_enabled && c->pp2_header_state != pp2_header_done) { + struct pp2_header* header = NULL; + size_t want_read_size = 0; + size_t current_read_size = 0; + if(c->pp2_header_state == pp2_header_none) { + want_read_size = PP2_HEADER_SIZE; + if(sldns_buffer_remaining(c->buffer)<want_read_size) { + log_err_addr("proxy_protocol: not enough " + "buffer size to read PROXYv2 header", "", + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + verbose(VERB_ALGO, "proxy_protocol: reading fixed " + "part of PROXYv2 header (len %lu)", + (unsigned long)want_read_size); + current_read_size = want_read_size; + if(c->tcp_byte_count < current_read_size) { + r = recv(fd, (void*)sldns_buffer_at(c->buffer, + c->tcp_byte_count), + current_read_size-c->tcp_byte_count, MSG_DONTWAIT); + if(r == 0) { + if(c->tcp_req_info) + return tcp_req_info_handle_read_close(c->tcp_req_info); + return 0; + } else if(r == -1) { + goto recv_error_initial; + } + c->tcp_byte_count += r; + if(c->tcp_byte_count != current_read_size) return 1; + c->pp2_header_state = pp2_header_init; + } + } + if(c->pp2_header_state == pp2_header_init) { + header = pp2_read_header(c->buffer); + if(!header) { + log_err("proxy_protocol: could not parse " + "PROXYv2 header"); + return 0; + } + want_read_size = ntohs(header->len); + if(sldns_buffer_remaining(c->buffer) < + PP2_HEADER_SIZE + want_read_size) { + log_err_addr("proxy_protocol: not enough " + "buffer size to read PROXYv2 header", "", + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + verbose(VERB_ALGO, "proxy_protocol: reading variable " + "part of PROXYv2 header (len %lu)", + (unsigned long)want_read_size); + current_read_size = PP2_HEADER_SIZE + want_read_size; + if(want_read_size == 0) { + /* nothing more to read; header is complete */ + c->pp2_header_state = pp2_header_done; + } else if(c->tcp_byte_count < current_read_size) { + r = recv(fd, 
(void*)sldns_buffer_at(c->buffer, + c->tcp_byte_count), + current_read_size-c->tcp_byte_count, MSG_DONTWAIT); + if(r == 0) { + if(c->tcp_req_info) + return tcp_req_info_handle_read_close(c->tcp_req_info); + return 0; + } else if(r == -1) { + goto recv_error; + } + c->tcp_byte_count += r; + if(c->tcp_byte_count != current_read_size) return 1; + c->pp2_header_state = pp2_header_done; + } + } + if(c->pp2_header_state != pp2_header_done || !header) { + log_err_addr("proxy_protocol: wrong state for the " + "PROXYv2 header", "", &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + if(!consume_pp2_header(c->buffer, &c->repinfo, 1)) { + log_err_addr("proxy_protocol: could not consume " + "PROXYv2 header", "", &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } + verbose(VERB_ALGO, "proxy_protocol: successful read of " + "PROXYv2 header"); + /* Clear and reset the buffer to read the following + * DNS packet(s). */ + sldns_buffer_clear(c->buffer); + c->tcp_byte_count = 0; + return 1; + } + if(c->tcp_byte_count < sizeof(uint16_t)) { /* read length bytes */ r = recv(fd,(void*)sldns_buffer_at(c->buffer,c->tcp_byte_count), - sizeof(uint16_t)-c->tcp_byte_count, 0); + sizeof(uint16_t)-c->tcp_byte_count, MSG_DONTWAIT); if(r == 0) { if(c->tcp_req_info) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; } else if(r == -1) { -#ifndef USE_WINSOCK - if(errno == EINTR || errno == EAGAIN) - return 1; -#ifdef ECONNRESET - if(errno == ECONNRESET && verbosity < 2) - return 0; /* silence reset by peer */ -#endif -#ifdef ECONNREFUSED - if(errno == ECONNREFUSED && verbosity < 2) - return 0; /* silence reset by peer */ -#endif -#ifdef ENETUNREACH - if(errno == ENETUNREACH && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef EHOSTDOWN - if(errno == EHOSTDOWN && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef EHOSTUNREACH - if(errno == EHOSTUNREACH && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef ENETDOWN - 
if(errno == ENETDOWN && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef EACCES - if(errno == EACCES && verbosity < 2) - return 0; /* silence it */ -#endif -#ifdef ENOTCONN - if(errno == ENOTCONN) { - log_err_addr("read (in tcp s) failed and this could be because TCP Fast Open is enabled --disable-tfo-client --disable-tfo-server but does not work", sock_strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); - return 0; - } -#endif -#else /* USE_WINSOCK */ - if(WSAGetLastError() == WSAECONNREFUSED && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAEHOSTDOWN && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAEHOSTUNREACH && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAENETDOWN && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAENETUNREACH && verbosity < 2) - return 0; - if(WSAGetLastError() == WSAECONNRESET) - return 0; - if(WSAGetLastError() == WSAEINPROGRESS) - return 1; - if(WSAGetLastError() == WSAEWOULDBLOCK) { - ub_winsock_tcp_wouldblock(c->ev->ev, - UB_EV_READ); - return 1; - } -#endif - log_err_addr("read (in tcp s)", sock_strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); - return 0; - } + if(c->pp2_enabled) goto recv_error; + goto recv_error_initial; + } c->tcp_byte_count += r; if(c->tcp_byte_count != sizeof(uint16_t)) return 1; 
@@ -1716,48 +2146,110 @@ verbose(VERB_QUERY, "tcp: dropped larger than buffer"); return 0; } - sldns_buffer_set_limit(c->buffer, + sldns_buffer_set_limit(c->buffer, sldns_buffer_read_u16_at(c->buffer, 0)); - if(!short_ok && + if(!short_ok && sldns_buffer_limit(c->buffer) < LDNS_HEADER_SIZE) { verbose(VERB_QUERY, "tcp: dropped bogus too short."); return 0; } - verbose(VERB_ALGO, "Reading tcp query of length %d", + verbose(VERB_ALGO, "Reading tcp query of length %d", (int)sldns_buffer_limit(c->buffer)); } if(sldns_buffer_remaining(c->buffer) == 0) - log_err("in comm_point_tcp_handle_read buffer_remaining is not > 0 as expected, continuing with (harmless) 0 length recv"); + log_err("in comm_point_tcp_handle_read buffer_remaining is " + "not > 0 as expected, continuing with (harmless) 0 " + "length recv"); r = recv(fd, (void*)sldns_buffer_current(c->buffer), - sldns_buffer_remaining(c->buffer), 0); + sldns_buffer_remaining(c->buffer), MSG_DONTWAIT); if(r == 0) { if(c->tcp_req_info) return tcp_req_info_handle_read_close(c->tcp_req_info); return 0; } else if(r == -1) { -#ifndef USE_WINSOCK - if(errno == EINTR || errno == EAGAIN) - return 1; -#else /* USE_WINSOCK */ - if(WSAGetLastError() == WSAECONNRESET) - return 0; - if(WSAGetLastError() == WSAEINPROGRESS) - return 1; - if(WSAGetLastError() == WSAEWOULDBLOCK) { - ub_winsock_tcp_wouldblock(c->ev->ev, UB_EV_READ); - return 1; - } -#endif - log_err_addr("read (in tcp r)", sock_strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); - return 0; + goto recv_error; } sldns_buffer_skip(c->buffer, r); if(sldns_buffer_remaining(c->buffer) <= 0) { tcp_callback_reader(c); } return 1; + +recv_error_initial: + recv_initial = 1; +recv_error: +#ifndef USE_WINSOCK + if(errno == EINTR || errno == EAGAIN) + return 1; + if(recv_initial) { +#ifdef ECONNRESET + if(errno == ECONNRESET && verbosity < 2) + return 0; /* silence reset by peer */ +#endif +#ifdef ECONNREFUSED + if(errno == ECONNREFUSED && verbosity < 2) + return 0; /* silence 
reset by peer */ +#endif +#ifdef ENETUNREACH + if(errno == ENETUNREACH && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef EHOSTDOWN + if(errno == EHOSTDOWN && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef EHOSTUNREACH + if(errno == EHOSTUNREACH && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef ENETDOWN + if(errno == ENETDOWN && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef EACCES + if(errno == EACCES && verbosity < 2) + return 0; /* silence it */ +#endif +#ifdef ENOTCONN + if(errno == ENOTCONN) { + log_err_addr("read (in tcp s) failed and this " + "could be because TCP Fast Open is " + "enabled --disable-tfo-client " + "--disable-tfo-server but does not " + "work", sock_strerror(errno), + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); + return 0; + } +#endif + } +#else /* USE_WINSOCK */ + if(recv_initial) { + if(WSAGetLastError() == WSAECONNREFUSED && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAEHOSTDOWN && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAEHOSTUNREACH && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAENETDOWN && verbosity < 2) + return 0; + if(WSAGetLastError() == WSAENETUNREACH && verbosity < 2) + return 0; + } + if(WSAGetLastError() == WSAECONNRESET) + return 0; + if(WSAGetLastError() == WSAEINPROGRESS) + return 1; + if(WSAGetLastError() == WSAEWOULDBLOCK) { + ub_winsock_tcp_wouldblock(c->ev->ev, + UB_EV_READ); + return 1; + } +#endif + log_err_addr("read (in tcp s)", sock_strerror(errno), + &c->repinfo.remote_addr, c->repinfo.remote_addrlen); + return 0; } /** @@ -1803,7 +2295,8 @@ return 0; /* silence lots of chatter in the logs */ else if(error != 0) { log_err_addr("tcp connect", strerror(error), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); #else /* USE_WINSOCK */ /* examine error */ if(error == WSAEINPROGRESS) 
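Review bot: The shared `recv_error:` tail added at `@@ -1716,48 +2146,110 @@` logs every failure as `"read (in tcp s)"`, whereas the removed code used `"read (in tcp r)"` for the message-body recv; the PROXYv2 header reads from the previous hunk jump to the same label and get the same string. Someone reading the log can no longer tell which read failed. A small fix is a `const char* recv_what` local set next to each `goto` and used in the final call, `log_err_addr(recv_what, sock_strerror(errno), &c->repinfo.remote_addr, c->repinfo.remote_addrlen);`. The function's opening lines are outside this hunk.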
@@ -1815,7 +2308,8 @@ return 0; else if(error != 0) { log_err_addr("tcp connect", wsa_strerror(error), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); #endif /* USE_WINSOCK */ return 0; } @@ -1847,8 +2341,8 @@ iov1.iov_len = sldns_buffer_limit(buffer); } log_assert(iov0.iov_len > 0); - msg.msg_name = &c->repinfo.addr; - msg.msg_namelen = c->repinfo.addrlen; + msg.msg_name = &c->repinfo.remote_addr; + msg.msg_namelen = c->repinfo.remote_addrlen; msg.msg_iov = iov; msg.msg_iovlen = 2; r = sendmsg(fd, &msg, MSG_FASTOPEN); @@ -1862,17 +2356,28 @@ if(errno == EINTR || errno == EAGAIN) return 1; /* Not handling EISCONN here as shouldn't ever hit that case.*/ - if(errno != EPIPE && errno != 0 && verbosity < 2) - return 0; /* silence lots of chatter in the logs */ - if(errno != EPIPE && errno != 0) { + if(errno != EPIPE +#ifdef EOPNOTSUPP + /* if /proc/sys/net/ipv4/tcp_fastopen is + * disabled on Linux, sendmsg may return + * 'Operation not supported', if so + * fallthrough to ordinary connect. */ + && errno != EOPNOTSUPP +#endif + && errno != 0) { + if(verbosity < 2) + return 0; /* silence lots of chatter in the logs */ log_err_addr("tcp sendmsg", strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); return 0; } + verbose(VERB_ALGO, "tcp sendmsg for fastopen failed (with %s), try normal connect", strerror(errno)); /* fallthrough to nonFASTOPEN * (MSG_FASTOPEN on Linux 3 produces EPIPE) * we need to perform connect() */ - if(connect(fd, (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen) == -1) { + if(connect(fd, (struct sockaddr *)&c->repinfo.remote_addr, + c->repinfo.remote_addrlen) == -1) { #ifdef EINPROGRESS if(errno == EINPROGRESS) return 1; /* wait until connect done*/ 
@@ -1883,9 +2388,12 @@ return 1; /* wait until connect done*/ #endif if(tcp_connect_errno_needs_log( - (struct sockaddr *)&c->repinfo.addr, c->repinfo.addrlen)) { + (struct sockaddr *)&c->repinfo.remote_addr, + c->repinfo.remote_addrlen)) { log_err_addr("outgoing tcp: connect after EPIPE for fastopen", - strerror(errno), &c->repinfo.addr, c->repinfo.addrlen); + strerror(errno), + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); } return 0; } @@ -1950,10 +2458,12 @@ #endif # ifdef HAVE_WRITEV log_err_addr("tcp writev", strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); # else /* HAVE_WRITEV */ log_err_addr("tcp send s", strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); # endif /* HAVE_WRITEV */ #else if(WSAGetLastError() == WSAENOTCONN) @@ -1969,7 +2479,8 @@ return 0; /* silence reset by peer */ log_err_addr("tcp send s", wsa_strerror(WSAGetLastError()), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); #endif return 0; } @@ -2017,7 +2528,8 @@ return 0; /* silence reset by peer */ #endif log_err_addr("tcp send r", sock_strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, + c->repinfo.remote_addrlen); return 0; } if(c->tcp_write_and_read) { @@ -2033,8 +2545,9 @@ return 1; } -/** read again to drain buffers when there could be more to read */ -static void +/** read again to drain buffers when there could be more to read, returns 0 + * on failure which means the comm point is closed. */ +static int tcp_req_info_read_again(int fd, struct comm_point* c) { while(c->tcp_req_info->read_again) { @@ -2051,9 +2564,10 @@ (void)(*c->callback)(c, c->cb_arg, NETEVENT_CLOSED, NULL); } - return; + return 0; } } + return 1; } /** read again to drain buffers when there could be more to read */ 
@@ -2111,6 +2625,9 @@ log_assert(c->type == comm_tcp); ub_comm_base_now(c->ev->base); + if(c->fd == -1 || c->fd != fd) + return; /* duplicate event, but commpoint closed. */ + #ifdef USE_DNSCRYPT /* Initialize if this is a dnscrypt socket */ if(c->tcp_parent) { @@ -2159,8 +2676,10 @@ } return; } - if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) - tcp_req_info_read_again(fd, c); + if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) { + if(!tcp_req_info_read_again(fd, c)) + return; + } if(moreread && *moreread) tcp_more_read_again(fd, c); return; @@ -2178,8 +2697,10 @@ } return; } - if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) - tcp_req_info_read_again(fd, c); + if(has_tcpq && c->tcp_req_info && c->tcp_req_info->read_again) { + if(!tcp_req_info_read_again(fd, c)) + return; + } if(morewrite && *morewrite) tcp_more_write_again(fd, c); return; @@ -2201,9 +2722,11 @@ } comm_point_close(c); if(c->tcp_parent) { - c->tcp_parent->cur_tcp_count--; - c->tcp_free = c->tcp_parent->tcp_free; - c->tcp_parent->tcp_free = c; + if(c != c->tcp_parent->tcp_free) { + c->tcp_parent->cur_tcp_count--; + c->tcp_free = c->tcp_parent->tcp_free; + c->tcp_parent->tcp_free = c; + } if(!c->tcp_free) { /* re-enable listening on accept socket */ comm_point_start_listening(c->tcp_parent, -1, -1); @@ -2261,7 +2784,7 @@ ssize_t r; log_assert(sldns_buffer_remaining(c->buffer) > 0); r = recv(fd, (void*)sldns_buffer_current(c->buffer), - sldns_buffer_remaining(c->buffer), 0); + sldns_buffer_remaining(c->buffer), MSG_DONTWAIT); if(r == 0) { return 0; } else if(r == -1) { @@ -2279,7 +2802,7 @@ } #endif log_err_addr("read (in http r)", sock_strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, c->repinfo.remote_addrlen); return 0; } verbose(VERB_ALGO, "http read more skip to %d + %d", 
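Review bot: In the hunk at `@@ -2201,9 +2722,11 @@`, the new guard `if(c != c->tcp_parent->tcp_free)` only recognises a handler that is already the head of the free list. A handler that was reclaimed earlier and has since had another one pushed in front of it would still be linked in a second time, and `cur_tcp_count` would be decremented again. Whether that sequence is reachable is not visible from the hunk; the `c->fd == -1 || c->fd != fd` early return added at `@@ -2111,6 +2625,9 @@` may already rule it out. A comment on the guard would make the limit explicit, for example `/* only detects c already at the head of tcp_free */`, or the handler could carry its own "on free list" marker. The enclosing function starts and ends outside the hunk.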
@@ -2444,7 +2967,7 @@ remainbufferlen = sldns_buffer_capacity(c->buffer) - sldns_buffer_limit(c->buffer); if(remainbufferlen+got_now >= c->tcp_byte_count || - remainbufferlen >= (c->ssl?16384:2048)) { + remainbufferlen >= (size_t)(c->ssl?16384:2048)) { size_t total = sldns_buffer_limit(c->buffer); sldns_buffer_clear(c->buffer); sldns_buffer_set_position(c->buffer, total); @@ -2699,7 +3222,7 @@ } #endif /* HAVE_SSL */ - ret = recv(h2_session->c->fd, buf, len, 0); + ret = recv(h2_session->c->fd, buf, len, MSG_DONTWAIT); if(ret == 0) { return NGHTTP2_ERR_EOF; } else if(ret < 0) { @@ -2711,8 +3234,8 @@ return NGHTTP2_ERR_CALLBACK_FAILURE; #endif log_err_addr("could not http2 recv: %s", strerror(errno), - &h2_session->c->repinfo.addr, - h2_session->c->repinfo.addrlen); + &h2_session->c->repinfo.remote_addr, + h2_session->c->repinfo.remote_addrlen); #else /* USE_WINSOCK */ if(WSAGetLastError() == WSAECONNRESET) return NGHTTP2_ERR_CALLBACK_FAILURE; @@ -2725,8 +3248,8 @@ } log_err_addr("could not http2 recv: %s", wsa_strerror(WSAGetLastError()), - &h2_session->c->repinfo.addr, - h2_session->c->repinfo.addrlen); + &h2_session->c->repinfo.remote_addr, + h2_session->c->repinfo.remote_addrlen); #endif return NGHTTP2_ERR_CALLBACK_FAILURE; } @@ -2748,8 +3271,8 @@ if(ret != NGHTTP2_ERR_EOF && ret != NGHTTP2_ERR_CALLBACK_FAILURE) { char a256; - addr_to_str(&c->repinfo.addr, c->repinfo.addrlen, - a, sizeof(a)); + addr_to_str(&c->repinfo.remote_addr, + c->repinfo.remote_addrlen, a, sizeof(a)); verbose(VERB_QUERY, "http2: session_recv from %s failed, " "error: %s", a, nghttp2_strerror(ret)); } @@ -2897,7 +3420,7 @@ return 0; /* silence lots of chatter in the logs */ else if(error != 0) { log_err_addr("http connect", strerror(error), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, c->repinfo.remote_addrlen); #else /* USE_WINSOCK */ /* examine error */ if(error == WSAEINPROGRESS) 
@@ -2909,7 +3432,7 @@ return 0; else if(error != 0) { log_err_addr("http connect", wsa_strerror(error), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, c->repinfo.remote_addrlen); #endif /* USE_WINSOCK */ return 0; } @@ -2979,7 +3502,7 @@ } #endif log_err_addr("http send r", sock_strerror(errno), - &c->repinfo.addr, c->repinfo.addrlen); + &c->repinfo.remote_addr, c->repinfo.remote_addrlen); return 0; } sldns_buffer_skip(c->buffer, r); @@ -3043,8 +3566,8 @@ return NGHTTP2_ERR_CALLBACK_FAILURE; #endif log_err_addr("could not http2 write: %s", strerror(errno), - &h2_session->c->repinfo.addr, - h2_session->c->repinfo.addrlen); + &h2_session->c->repinfo.remote_addr, + h2_session->c->repinfo.remote_addrlen); #else /* USE_WINSOCK */ if(WSAGetLastError() == WSAENOTCONN) return NGHTTP2_ERR_WOULDBLOCK; @@ -3059,8 +3582,8 @@ return NGHTTP2_ERR_CALLBACK_FAILURE; log_err_addr("could not http2 write: %s", wsa_strerror(WSAGetLastError()), - &h2_session->c->repinfo.addr, - h2_session->c->repinfo.addrlen); + &h2_session->c->repinfo.remote_addr, + h2_session->c->repinfo.remote_addrlen); #endif return NGHTTP2_ERR_CALLBACK_FAILURE; } @@ -3240,7 +3763,8 @@ struct comm_point* comm_point_create_udp(struct comm_base *base, int fd, sldns_buffer* buffer, - comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) + int pp2_enabled, comm_point_callback_type* callback, + void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3280,6 +3804,8 @@ c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; + c->pp2_enabled = pp2_enabled; + c->pp2_header_state = pp2_header_none; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, 
@@ -3299,8 +3825,8 @@ } struct comm_point* -comm_point_create_udp_ancil(struct comm_base *base, int fd, - sldns_buffer* buffer, +comm_point_create_udp_ancil(struct comm_base *base, int fd, + sldns_buffer* buffer, int pp2_enabled, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, @@ -3341,6 +3867,8 @@ c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; + c->pp2_enabled = pp2_enabled; + c->pp2_header_state = pp2_header_none; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3420,6 +3948,8 @@ c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; + c->pp2_enabled = parent->pp2_enabled; + c->pp2_header_state = pp2_header_none; if(spoolbuf) { c->tcp_req_info = tcp_req_info_create(spoolbuf); if(!c->tcp_req_info) { @@ -3515,6 +4045,8 @@ c->callback = callback; c->cb_arg = callback_arg; c->socket = socket; + c->pp2_enabled = 0; + c->pp2_header_state = pp2_header_none; c->http_min_version = http_version_2; c->http2_stream_max_qbuffer_size = bufsize; @@ -3579,7 +4111,8 @@ uint32_t http_max_streams, char* http_endpoint, struct tcl_list* tcp_conn_limit, size_t bufsize, struct sldns_buffer* spoolbuf, enum listen_type port_type, - comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket) + int pp2_enabled, comm_point_callback_type* callback, + void* callback_arg, struct unbound_socket* socket) { struct comm_point* c = (struct comm_point*)calloc(1, sizeof(struct comm_point)); @@ -3630,6 +4163,8 @@ c->callback = NULL; c->cb_arg = NULL; c->socket = socket; + c->pp2_enabled = (port_type==listen_type_http?0:pp2_enabled); + c->pp2_header_state = pp2_header_none; evbits = UB_EV_READ | UB_EV_PERSIST; /* ub_event stuff */ c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, 
@@ -3722,6 +4257,8 @@ c->repinfo.c = c; c->callback = callback; c->cb_arg = callback_arg; + c->pp2_enabled = 0; + c->pp2_header_state = pp2_header_none; evbits = UB_EV_PERSIST | UB_EV_WRITE; c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, comm_point_tcp_handle_callback, c); @@ -3788,6 +4325,8 @@ c->repinfo.c = c; c->callback = callback; c->cb_arg = callback_arg; + c->pp2_enabled = 0; + c->pp2_header_state = pp2_header_none; evbits = UB_EV_PERSIST | UB_EV_WRITE; c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, comm_point_http_handle_callback, c); @@ -3851,6 +4390,8 @@ #endif c->callback = callback; c->cb_arg = callback_arg; + c->pp2_enabled = 0; + c->pp2_header_state = pp2_header_none; /* ub_event stuff */ evbits = UB_EV_PERSIST | UB_EV_READ; c->ev->ev = ub_event_new(base->eb->base, c->fd, evbits, @@ -3912,6 +4453,8 @@ #endif c->callback = callback; c->cb_arg = callback_arg; + c->pp2_enabled = 0; + c->pp2_header_state = pp2_header_none; /* ub_event stuff */ if(writing) evbits = UB_EV_PERSIST | UB_EV_WRITE; @@ -3954,6 +4497,11 @@ tcp_req_info_clear(c->tcp_req_info); if(c->h2_session) http2_session_server_delete(c->h2_session); + /* stop the comm point from reading or writing after it is closed. */ + if(c->tcp_more_read_again && *c->tcp_more_read_again) + *c->tcp_more_read_again = 0; + if(c->tcp_more_write_again && *c->tcp_more_write_again) + *c->tcp_more_write_again = 0; /* close fd after removing from event lists, or epoll.. is messed up */ if(c->fd != -1 && !c->do_not_close) { 
@@ -4027,20 +4575,21 @@ #endif if(repinfo->c->type == comm_udp) { if(repinfo->srctype) - comm_point_send_udp_msg_if(repinfo->c, - buffer, (struct sockaddr*)&repinfo->addr, - repinfo->addrlen, repinfo); + comm_point_send_udp_msg_if(repinfo->c, buffer, + (struct sockaddr*)&repinfo->remote_addr, + repinfo->remote_addrlen, repinfo); else comm_point_send_udp_msg(repinfo->c, buffer, - (struct sockaddr*)&repinfo->addr, repinfo->addrlen, 0); + (struct sockaddr*)&repinfo->remote_addr, + repinfo->remote_addrlen, 0); #ifdef USE_DNSTAP /* * sending src (client)/dst (local service) addresses over DNSTAP from udp callback */ if(repinfo->c->dtenv != NULL && repinfo->c->dtenv->log_client_response_messages) { log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); - dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer); + log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen); + dt_msg_send_client_response(repinfo->c->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, repinfo->c->buffer); } #endif } else { 
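Review bot: The dnstap block now reports `repinfo->client_addr` while the reply itself is still sent to `repinfo->remote_addr`, so for a proxied query the record no longer names the host that actually delivered the packet. `client_addr` is presumably filled from the PROXYv2 header, so keeping the real peer in the trail matters when a logged client address has to be verified later. One option is an extra line such as `if(repinfo->is_proxied) log_addr(VERB_ALGO, "via proxy", &repinfo->remote_addr, repinfo->remote_addrlen);`. The same applies to the TCP branch in the hunk at `@@ -4050,8 +4599,8 @@`, and the enclosing function starts and ends outside both hunks.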
@@ -4050,8 +4599,8 @@ */ if(repinfo->c->tcp_parent->dtenv != NULL && repinfo->c->tcp_parent->dtenv->log_client_response_messages) { log_addr(VERB_ALGO, "from local addr", (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->socket->addr->ai_addrlen); - log_addr(VERB_ALGO, "response to client", &repinfo->addr, repinfo->addrlen); - dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, + log_addr(VERB_ALGO, "response to client", &repinfo->client_addr, repinfo->client_addrlen); + dt_msg_send_client_response(repinfo->c->tcp_parent->dtenv, &repinfo->client_addr, (void*)repinfo->c->socket->addr->ai_addr, repinfo->c->type, ( repinfo->c->tcp_req_info? repinfo->c->tcp_req_info->spool_buffer: repinfo->c->buffer )); } #endif @@ -4140,6 +4689,10 @@ c->timeout->tv_sec = msec/1000; c->timeout->tv_usec = (msec%1000)*1000; #endif /* S_SPLINT_S */ + } else { + if(msec == 0 || !c->timeout) { + ub_event_del_bits(c->ev->ev, UB_EV_TIMEOUT); + } } if(c->type == comm_tcp || c->type == comm_http) { ub_event_del_bits(c->ev->ev, UB_EV_READ|UB_EV_WRITE); @@ -4164,6 +4717,7 @@ } if(ub_event_add(c->ev->ev, msec==0?NULL:c->timeout) != 0) { log_err("event_add failed. in cpsl."); + return; } c->event_added = 1; } @@ -4177,11 +4731,15 @@ } c->event_added = 0; } + if(!c->timeout) { + ub_event_del_bits(c->ev->ev, UB_EV_TIMEOUT); + } ub_event_del_bits(c->ev->ev, UB_EV_READ|UB_EV_WRITE); if(rd) ub_event_add_bits(c->ev->ev, UB_EV_READ); if(wr) ub_event_add_bits(c->ev->ev, UB_EV_WRITE); if(ub_event_add(c->ev->ev, c->timeout) != 0) { log_err("event_add failed. in cplf."); + return; } c->event_added = 1; }
_service:tar_scm:unbound-1.13.2.tar.gz/util/netevent.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/netevent.h
Changed
@@ -102,6 +102,8 @@ /** timeout to slow accept calls when not possible, in msec. */ #define NETEVENT_SLOW_ACCEPT_TIME 2000 +/** timeout to slow down log print, so it does not spam the logs, in sec */ +#define SLOW_LOG_TIME 10 /** * A communication point dispatcher. Thread specific. @@ -126,10 +128,11 @@ /** the comm_point with fd to send reply on to. */ struct comm_point* c; /** the address (for UDP based communication) */ - struct sockaddr_storage addr; + struct sockaddr_storage remote_addr; /** length of address */ - socklen_t addrlen; - /** return type 0 (none), 4(IP4), 6(IP6) */ + socklen_t remote_addrlen; + /** return type 0 (none), 4(IP4), 6(IP6) + * used only with listen_type_udp_ancil* */ int srctype; /* DnsCrypt context */ #ifdef USE_DNSCRYPT @@ -153,6 +156,13 @@ pktinfo; /** max udp size for udp packets */ size_t max_udp_size; + /* if set, the request came through a proxy */ + int is_proxied; + /** the client address + * the same as remote_addr if not proxied */ + struct sockaddr_storage client_addr; + /** the original address length */ + socklen_t client_addrlen; }; /** @@ -276,6 +286,19 @@ /** variable with type of socket, UDP,TCP-accept,TCP,pipe */ type; + /* -------- PROXYv2 ------- */ + /** if set, PROXYv2 is expected on this connection */ + int pp2_enabled; + /** header state for the PROXYv2 header (for TCP) */ + enum { + /** no header encounter yet */ + pp2_header_none = 0, + /** read the static part of the header */ + pp2_header_init, + /** read the full header */ + pp2_header_done + } pp2_header_state; + /* ---------- Behaviour ----------- */ /** if set the connection is NOT closed on delete. */ int do_not_close; 
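Review bot: After the rename at `@@ -126,10 +128,11 @@` the comment on `remote_addr` still reads "the address (for UDP based communication)", and neither it nor the new `client_addr` comment at `@@ -153,6 +156,13 @@` says which of the two is for replies and which is for policy or logging. Suggested wording for the first: `/** the address of the directly connected peer (the proxy, if is_proxied); replies are sent to it */`. For `client_addr`, if it is indeed taken from the PROXYv2 header, `/** the client address as reported by the proxy; the same as remote_addr if not proxied */` would make that provenance clear. The `/* if set, the request came through a proxy */` comment should also open with `/**` like its neighbours.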
@@ -494,8 +517,9 @@ * Create an UDP comm point. Calls malloc. * setups the structure with the parameters you provide. * @param base: in which base to alloc the commpoint. - * @param fd : file descriptor of open UDP socket. + * @param fd: file descriptor of open UDP socket. * @param buffer: shared buffer by UDP sockets from this thread. + * @param pp2_enabled: if the comm point will support PROXYv2. * @param callback: callback function pointer. * @param callback_arg: will be passed to your callback function. * @param socket: and opened socket properties will be passed to your callback function. @@ -503,7 +527,7 @@ * Sets timeout to NULL. Turns off TCP options. */ struct comm_point* comm_point_create_udp(struct comm_base* base, - int fd, struct sldns_buffer* buffer, + int fd, struct sldns_buffer* buffer, int pp2_enabled, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** @@ -511,8 +535,9 @@ * Uses recvmsg instead of recv to get udp message. * setups the structure with the parameters you provide. * @param base: in which base to alloc the commpoint. - * @param fd : file descriptor of open UDP socket. + * @param fd: file descriptor of open UDP socket. * @param buffer: shared buffer by UDP sockets from this thread. + * @param pp2_enabled: if the comm point will support PROXYv2. * @param callback: callback function pointer. * @param callback_arg: will be passed to your callback function. * @param socket: and opened socket properties will be passed to your callback function. @@ -520,7 +545,7 @@ * Sets timeout to NULL. Turns off TCP options. */ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base, - int fd, struct sldns_buffer* buffer, + int fd, struct sldns_buffer* buffer, int pp2_enabled, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** 
@@ -542,6 +567,7 @@ * or NULL to not create those structures in the tcp handlers. * @param port_type: the type of port we are creating a TCP listener for. Used * to select handler type to use. + * @param pp2_enabled: if the comm point will support PROXYv2. * @param callback: callback function pointer for TCP handlers. * @param callback_arg: will be passed to your callback function. * @param socket: and opened socket properties will be passed to your callback function. @@ -555,7 +581,7 @@ uint32_t http_max_streams, char* http_endpoint, struct tcl_list* tcp_conn_limit, size_t bufsize, struct sldns_buffer* spoolbuf, - enum listen_type port_type, + enum listen_type port_type, int pp2_enabled, comm_point_callback_type* callback, void* callback_arg, struct unbound_socket* socket); /** @@ -743,7 +769,7 @@ void (*callback)(int, void*), void* cb_arg); /** - * Bind signal struct to catch a signal. A signle comm_signal can be bound + * Bind signal struct to catch a signal. A single comm_signal can be bound * to multiple signals, calling comm_signal_bind multiple times. * @param comsig: the communication point, with callback information. * @param sig: signal number.
_service:tar_scm:unbound-1.17.1.tar.gz/util/proxy_protocol.c
Added
@@ -0,0 +1,139 @@ +/* + * util/proxy_protocol.c - event notification + * + * Copyright (c) 2022, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains PROXY protocol functions. 
+ */ +#include "config.h" +#include "util/log.h" +#include "util/proxy_protocol.h" + +int +pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src, + int stream) +{ + int af; + if(!src) return 0; + af = (int)((struct sockaddr_in*)src)->sin_family; + if(sldns_buffer_remaining(buf) < + PP2_HEADER_SIZE + (af==AF_INET?12:36)) { + return 0; + } + /* sig */ + sldns_buffer_write(buf, PP2_SIG, PP2_SIG_LEN); + /* version and command */ + sldns_buffer_write_u8(buf, (PP2_VERSION << 4) | PP2_CMD_PROXY); + if(af==AF_INET) { + /* family and protocol */ + sldns_buffer_write_u8(buf, + (PP2_AF_INET<<4) | + (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM)); + /* length */ + sldns_buffer_write_u16(buf, 12); + /* src addr */ + sldns_buffer_write(buf, + &((struct sockaddr_in*)src)->sin_addr.s_addr, 4); + /* dst addr */ + sldns_buffer_write_u32(buf, 0); + /* src port */ + sldns_buffer_write(buf, + &((struct sockaddr_in*)src)->sin_port, 2); + /* dst port */ + sldns_buffer_write_u16(buf, 0); + } else { + /* family and protocol */ + sldns_buffer_write_u8(buf, + (PP2_AF_INET6<<4) | + (stream?PP2_PROT_STREAM:PP2_PROT_DGRAM)); + /* length */ + sldns_buffer_write_u16(buf, 36); + /* src addr */ + sldns_buffer_write(buf, + &((struct sockaddr_in6*)src)->sin6_addr, 16); + /* dst addr */ + sldns_buffer_set_at(buf, + sldns_buffer_position(buf), 0, 16); + sldns_buffer_skip(buf, 16); + /* src port */ + sldns_buffer_write(buf, + &((struct sockaddr_in6*)src)->sin6_port, 2); + /* dst port */ + sldns_buffer_write_u16(buf, 0); + } + return 1; +} + +struct pp2_header* +pp2_read_header(struct sldns_buffer* buf) +{ + size_t size; + struct pp2_header* header = (struct pp2_header*)sldns_buffer_begin(buf); + /* Try to fail all the unsupported cases first. 
*/ + if(sldns_buffer_remaining(buf) < PP2_HEADER_SIZE) { + log_err("proxy_protocol: not enough space for header"); + return NULL; + } + /* Check for PROXYv2 header */ + if(memcmp(header, PP2_SIG, PP2_SIG_LEN) != 0 || + ((header->ver_cmd & 0xF0)>>4) != PP2_VERSION) { + log_err("proxy_protocol: could not match PROXYv2 header"); + return NULL; + } + /* Check the length */ + size = PP2_HEADER_SIZE + ntohs(header->len); + if(sldns_buffer_remaining(buf) < size) { + log_err("proxy_protocol: not enough space for header"); + return NULL; + } + /* Check for supported commands */ + if((header->ver_cmd & 0xF) != PP2_CMD_LOCAL && + (header->ver_cmd & 0xF) != PP2_CMD_PROXY) { + log_err("proxy_protocol: unsupported command"); + return NULL; + } + /* Check for supported family and protocol */ + if(header->fam_prot != 0x00 /* AF_UNSPEC|UNSPEC */ && + header->fam_prot != 0x11 /* AF_INET|STREAM */ && + header->fam_prot != 0x12 /* AF_INET|DGRAM */ && + header->fam_prot != 0x21 /* AF_INET6|STREAM */ && + header->fam_prot != 0x22 /* AF_INET6|DGRAM */) { + log_err("proxy_protocol: unsupported family and protocol"); + return NULL; + } + /* We have a correct header */ + return header; +}
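Review bot: pp2_read_header() checks that the buffer holds PP2_HEADER_SIZE + ntohs(header->len) bytes but never compares len with the address family it accepts, so a header with fam_prot 0x11/0x12 and len below 12 (or 0x21/0x22 and len below 36) is returned as valid. A caller that then reads header->addr.addr4 or header->addr.addr6 would read past the declared address block and possibly past the received data; the callers are not in this section, so whether they re-check is unverified. This header is parsed from network input before any DNS parsing, so the length check belongs in this function, for the PROXY command only, as sketched below. The file banner also still reads `util/proxy_protocol.c - event notification`, which looks copied from another file.

```c
	/* … unchanged: signature, version, length, command and fam_prot checks … */
	/* For PROXY the address block must cover the family's addresses */
	if((header->ver_cmd & 0xF) == PP2_CMD_PROXY) {
		size_t need = 0;
		if((header->fam_prot >> 4) == PP2_AF_INET)
			need = 12;
		else if((header->fam_prot >> 4) == PP2_AF_INET6)
			need = 36;
		if(ntohs(header->len) < need) {
			log_err("proxy_protocol: address block too short");
			return NULL;
		}
	}
	/* We have a correct header */
	return header;
```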
_service:tar_scm:unbound-1.17.1.tar.gz/util/proxy_protocol.h
Added
@@ -0,0 +1,131 @@ +/* + * util/proxy_protocol.h - PROXY protocol + * + * Copyright (c) 2022, NLnet Labs. All rights reserved. + * + * This software is open source. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * + * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * + * Neither the name of the NLNET LABS nor the names of its contributors may + * be used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED + * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR + * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF + * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING + * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/** + * \file + * + * This file contains PROXY protocol structs and functions. + * Only v2 is supported. TLVs are not currently supported. 
+ */ +#ifndef PROXY_PROTOCOL_H +#define PROXY_PROTOCOL_H + +#include "sldns/sbuffer.h" + +/** PROXYv2 minimum header size */ +#define PP2_HEADER_SIZE 16 + +/** PROXYv2 header signature */ +#define PP2_SIG "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A" +#define PP2_SIG_LEN 12 + +/** PROXYv2 version */ +#define PP2_VERSION 0x2 + +/** + * PROXYv2 command. + */ +enum pp2_command { + PP2_CMD_LOCAL = 0x0, + PP2_CMD_PROXY = 0x1 +}; + +/** + * PROXYv2 address family. + */ +enum pp2_af { + PP2_AF_UNSPEC = 0x0, + PP2_AF_INET = 0x1, + PP2_AF_INET6 = 0x2, + PP2_AF_UNIX = 0x3 +}; + +/** + * PROXYv2 protocol. + */ +enum pp2_protocol { + PP2_PROT_UNSPEC = 0x0, + PP2_PROT_STREAM = 0x1, + PP2_PROT_DGRAM = 0x2 +}; + +/** + * PROXYv2 header. + */ +struct pp2_header { + uint8_t sigPP2_SIG_LEN; + uint8_t ver_cmd; + uint8_t fam_prot; + uint16_t len; + union { + struct { /* for TCP/UDP over IPv4, len = 12 */ + uint32_t src_addr; + uint32_t dst_addr; + uint16_t src_port; + uint16_t dst_port; + } addr4; + struct { /* for TCP/UDP over IPv6, len = 36 */ + uint8_t src_addr16; + uint8_t dst_addr16; + uint16_t src_port; + uint16_t dst_port; + } addr6; + struct { /* for AF_UNIX sockets, len = 216 */ + uint8_t src_addr108; + uint8_t dst_addr108; + } addru; + } addr; +}; + +/** + * Write a PROXYv2 header at the current position of the buffer. + * @param buf: the buffer to write to. + * @param src: the source address. + * @param stream: if the protocol is stream or datagram. + * @return 1 on success, 0 on failure. + */ +int pp2_write_to_buf(struct sldns_buffer* buf, struct sockaddr_storage* src, + int stream); + +/** + * Read a PROXYv2 header from the current position of the buffer. + * It does initial validation and returns a pointer to the buffer position on + * success. + * @param buf: the buffer to read from. + * @return the pointer to the buffer position on success, NULL on error. + */ +struct pp2_header* pp2_read_header(struct sldns_buffer* buf); + +#endif /* PROXY_PROTOCOL_H */
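Review bot: The comment on pp2_read_header() says the header is read from the current position of the buffer, but the implementation added in util/proxy_protocol.c casts sldns_buffer_begin(buf) and only the bounds checks use sldns_buffer_remaining(), so contract and code disagree whenever the position is not 0. The comment also omits that the returned pointer aliases the buffer's storage (nothing is copied) and that len is still in network byte order, as the ntohs() in the implementation shows. I would reword it along the lines of `Read a PROXYv2 header from the start of the buffer; the returned pointer points into buf and is valid only while buf is unchanged; multi-byte fields are in network byte order.`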
_service:tar_scm:unbound-1.13.2.tar.gz/util/regional.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/regional.c
Changed
@@ -103,6 +103,8 @@ struct regional* regional_create_custom(size_t size) { + if(size < sizeof(struct regional)) + size = sizeof(struct regional); return regional_create_custom_large_object(size, REGIONAL_LARGE_OBJECT_SIZE); }
_service:tar_scm:unbound-1.13.2.tar.gz/util/rtt.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/rtt.c
Changed
@@ -45,6 +45,9 @@ /* overwritten by config: infra_cache_min_rtt: */ int RTT_MIN_TIMEOUT = 50; +/* overwritten by config: infra_cache_max_rtt: */ +int RTT_MAX_TIMEOUT = 120000; + /** calculate RTO from rtt information */ static int calc_rto(const struct rtt_info* rtt)
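Review bot: RTT_MAX_TIMEOUT changes here from a compile-time constant into a writable global that, per its comment, config overwrites (infra_cache_max_rtt), and nothing in this hunk or in the util/rtt.h hunk keeps it positive or above RTT_MIN_TIMEOUT. The place where the config value is applied is not on this page, so whether the pair is validated there is unverified; if it is not, any code that bounds an RTO between the two values works with an inverted range. A comment at the definition such as `/* must stay >= RTT_MIN_TIMEOUT; checked where config is applied */` would record the invariant. Any code that used the old macro in a constant expression no longer compiles against the `extern int`.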
_service:tar_scm:unbound-1.13.2.tar.gz/util/rtt.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/rtt.h
Changed
@@ -58,7 +58,7 @@ /** min retransmit timeout value, in milliseconds */ extern int RTT_MIN_TIMEOUT; /** max retransmit timeout value, in milliseconds */ -#define RTT_MAX_TIMEOUT 120000 +extern int RTT_MAX_TIMEOUT; /** * Initialize RTT estimators.
_service:tar_scm:unbound-1.13.2.tar.gz/util/shm_side/shm_main.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/shm_side/shm_main.c
Changed
@@ -281,7 +281,7 @@ shm_stat->mem.subnet = 0; #ifdef CLIENT_SUBNET shm_stat->mem.subnet = (long long)mod_get_mem(&worker->env, - "subnet"); + "subnetcache"); #endif /* ipsecmod mem value is available in shm, also when not enabled, * to make the struct easier to memmap by other applications,
_service:tar_scm:unbound-1.13.2.tar.gz/util/storage/dnstree.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/storage/dnstree.c
Changed
@@ -71,6 +71,14 @@ return 0; } +int addr_tree_addrport_compare(const void* k1, const void* k2) +{ + struct addr_tree_node* n1 = (struct addr_tree_node*)k1; + struct addr_tree_node* n2 = (struct addr_tree_node*)k2; + return sockaddr_cmp(&n1->addr, n1->addrlen, &n2->addr, + n2->addrlen); +} + void name_tree_init(rbtree_type* tree) { rbtree_init(tree, &name_tree_compare); @@ -81,6 +89,11 @@ rbtree_init(tree, &addr_tree_compare); } +void addr_tree_addrport_init(rbtree_type* tree) +{ + rbtree_init(tree, &addr_tree_addrport_compare); +} + int name_tree_insert(rbtree_type* tree, struct name_tree_node* node, uint8_t* name, size_t len, int labs, uint16_t dclass) {
_service:tar_scm:unbound-1.13.2.tar.gz/util/storage/dnstree.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/storage/dnstree.h
Changed
@@ -154,6 +154,13 @@ void addr_tree_init(rbtree_type* tree); /** + * Init addr tree to be empty. + * The comparison function to be used is addr_tree_addrport_compare. + * @param tree: to init. + */ +void addr_tree_addrport_init(rbtree_type* tree); + +/** * insert element into addr tree. * @param tree: addr tree * @param node: node element (at start of a structure that caller @@ -207,4 +214,7 @@ /** compare addr tree nodes */ int addr_tree_compare(const void* k1, const void* k2); +/** compare addr tree nodes (address and port only) */ +int addr_tree_addrport_compare(const void* k1, const void* k2); + #endif /* UTIL_STORAGE_DNSTREE_H */
_service:tar_scm:unbound-1.13.2.tar.gz/util/tube.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/tube.c
Changed
@@ -45,6 +45,9 @@ #include "util/netevent.h" #include "util/fptr_wlist.h" #include "util/ub_event.h" +#ifdef HAVE_POLL_H +#include <poll.h> +#endif #ifndef USE_WINSOCK /* on unix */ @@ -363,7 +366,11 @@ } d += r; } - log_assert(*len < 65536*2); + if (*len >= 65536*2) { + log_err("tube msg length %u is too big", (unsigned)*len); + (void)fd_set_nonblock(fd); + return 0; + } *buf = (uint8_t*)malloc(*len); if(!*buf) { log_err("tube read out of memory"); @@ -392,20 +399,28 @@ return 1; } -/** perform a select() on the fd */ +/** perform poll() on the fd */ static int pollit(int fd, struct timeval* t) { - fd_set r; + struct pollfd fds; + int pret; + int msec = -1; + memset(&fds, 0, sizeof(fds)); + fds.fd = fd; + fds.events = POLLIN | POLLERR | POLLHUP; #ifndef S_SPLINT_S - FD_ZERO(&r); - FD_SET(FD_SET_T fd, &r); + if(t) + msec = t->tv_sec*1000 + t->tv_usec/1000; #endif - if(select(fd+1, &r, NULL, NULL, t) == -1) { + + pret = poll(&fds, 1, msec); + + if(pret == -1) return 0; - } - errno = 0; - return (int)(FD_ISSET(fd, &r)); + if(pret != 0) + return 1; + return 0; } int tube_poll(struct tube* tube) @@ -420,6 +435,31 @@ return pollit(tube->sr, NULL); } +int tube_wait_timeout(struct tube* tube, int msec) +{ + int ret = 0; + + while(1) { + struct pollfd fds; + memset(&fds, 0, sizeof(fds)); + + fds.fd = tube->sr; + fds.events = POLLIN | POLLERR | POLLHUP; + ret = poll(&fds, 1, msec); + + if(ret == -1) { + if(errno == EAGAIN || errno == EINTR) + continue; + return -1; + } + break; + } + + if(ret != 0) + return 1; + return 0; +} + int tube_read_fd(struct tube* tube) { return tube->sr; @@ -503,6 +543,7 @@ if(tube->event == WSA_INVALID_EVENT) { free(tube); log_err("WSACreateEvent: %s", wsa_strerror(WSAGetLastError())); + return NULL; } if(!WSAResetEvent(tube->event)) { log_err("WSAResetEvent: %s", wsa_strerror(WSAGetLastError())); 
@@ -645,6 +686,26 @@ return 1; } +int tube_wait_timeout(struct tube* tube, int msec) +{ + /* block on eventhandle */ + DWORD res = WSAWaitForMultipleEvents( + 1 /* one event in array */, + &tube->event /* the event to wait for, our pipe signal */, + 0 /* wait for all events is false */, + msec /* wait for timeout */, + 0 /* we are not alertable for IO completion routines */ + ); + if(res == WSA_WAIT_TIMEOUT) { + return 0; + } + if(res == WSA_WAIT_IO_COMPLETION) { + /* a bit unexpected, since we were not alertable */ + return -1; + } + return 1; +} + int tube_read_fd(struct tube* ATTR_UNUSED(tube)) { /* nothing sensible on Windows */
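Review bot: The Windows tube_wait_timeout() added at the end of this section returns 1 for every result other than WSA_WAIT_TIMEOUT and WSA_WAIT_IO_COMPLETION, which includes WSA_WAIT_FAILED, so a failed wait is reported as data ready although util/tube.h documents -1 for failures. Adding `if(res == WSA_WAIT_FAILED) return -1;` before the final return would match the documented contract. In the unix pollit(), `msec = t->tv_sec*1000 + t->tv_usec/1000;` is stored in an int without a range check, so a large tv_sec can wrap to a negative value, which poll() treats as no timeout; clamping to INT_MAX would avoid that.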
_service:tar_scm:unbound-1.13.2.tar.gz/util/tube.h -> _service:tar_scm:unbound-1.17.1.tar.gz/util/tube.h
Changed
@@ -205,6 +205,14 @@ int tube_wait(struct tube* tube); /** + * Wait for data to be ready with a timeout. + * @param tube: the tube to wait on. + * @param msec: timeout in milliseconds. + * @return 1 if there is something to read within timeout, readability. + * 0 on a timeout. On failures -1, like errors. */ +int tube_wait_timeout(struct tube* tube, int msec); + +/** * Get FD that is readable when new information arrives. * @param tube * @return file descriptor.
_service:tar_scm:unbound-1.13.2.tar.gz/util/ub_event.c -> _service:tar_scm:unbound-1.17.1.tar.gz/util/ub_event.c
Changed
@@ -1,5 +1,5 @@ /* - * util/ub_event.c - directly call libevent (compatability) functions + * util/ub_event.c - directly call libevent (compatibility) functions * * Copyright (c) 2007, NLnet Labs. All rights reserved. *
_service:tar_scm:unbound-1.13.2.tar.gz/validator/autotrust.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/autotrust.c
Changed
@@ -1203,13 +1203,8 @@ #else llvalue = (unsigned long long)tp; #endif -#ifndef USE_WINSOCK - snprintf(tempf, sizeof(tempf), "%s.%d-%d-%llx", fname, (int)getpid(), + snprintf(tempf, sizeof(tempf), "%s.%d-%d-" ARG_LL "x", fname, (int)getpid(), env->worker?*(int*)env->worker:0, llvalue); -#else - snprintf(tempf, sizeof(tempf), "%s.%d-%d-%I64x", fname, (int)getpid(), - env->worker?*(int*)env->worker:0, llvalue); -#endif #endif /* S_SPLINT_S */ verbose(VERB_ALGO, "autotrust: write to disk: %s", tempf); out = fopen(tempf, "w"); @@ -1268,7 +1263,7 @@ int downprot = env->cfg->harden_algo_downgrade; enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, rrset, tp->ds_rrset, tp->dnskey_rrset, downprot?sigalg:NULL, &reason, - qstate); + NULL, qstate); /* sigalg is ignored, it returns algorithms signalled to exist, but * in 5011 there are no other rrsets to check. if downprot is * enabled, then it checks that the DNSKEY is signed with all @@ -1317,7 +1312,7 @@ /* no algorithm downgrade protection necessary, if it is selfsigned * revoked it can be removed. */ sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, i, - &reason, LDNS_SECTION_ANSWER, qstate); + &reason, NULL, LDNS_SECTION_ANSWER, qstate); return (sec == sec_status_secure); } @@ -2377,7 +2372,9 @@ edns.ext_rcode = 0; edns.edns_version = 0; edns.bits = EDNS_DO; - edns.opt_list = NULL; + edns.opt_list_in = NULL; + edns.opt_list_out = NULL; + edns.opt_list_inplace_cb_out = NULL; edns.padding_block_size = 0; if(sldns_buffer_capacity(buf) < 65535) edns.udp_size = (uint16_t)sldns_buffer_capacity(buf); @@ -2395,7 +2392,7 @@ qinfo.qclass); if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0, - &probe_answer_cb, env)) { + &probe_answer_cb, env, 0)) { log_err("out of memory making 5011 probe"); } }
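Review bot: The rewritten snprintf() into tempf in the first hunk still discards its return value, and tempf goes straight to `fopen(tempf, "w")` a few lines later, so an over-long fname is silently truncated and the file is created under a name other than the intended one. I would keep the result and stop before the fopen when it is negative or not smaller than sizeof(tempf), for example `if(r < 0 || (size_t)r >= sizeof(tempf)) { log_err("autotrust: temp file name too long"); ... }`. The enclosing function starts and ends outside the hunk, so the right way to bail out is not visible here.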
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_kcache.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_kcache.c
Changed
@@ -90,6 +90,7 @@ qstate->env->cfg->val_log_level >= 2) { /* on malloc failure there is simply no reason string */ key_entry_set_reason(k, errinf_to_str_bogus(qstate)); + key_entry_set_reason_bogus(k, errinf_to_reason_bogus(qstate)); } key_entry_hash(k); slabhash_insert(kcache->slab, k->entry.hash, &k->entry,
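Review bot: The added key_entry_set_reason_bogus() call sits inside the block whose visible condition ends in `qstate->env->cfg->val_log_level >= 2`, so the EDE code is stored in the key cache only when the validator log level is 2 or higher. The reason string is a logging aid, but the EDE code is presumably meant for what is reported to clients, and tying it to log verbosity means a cached bad key carries LDNS_EDE_NONE at lower levels. Moving the call out of the log-level test, keeping whatever bad-key condition precedes it (the start of the `if` is outside this hunk), would separate the two.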
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_kentry.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_kentry.c
Changed
@@ -244,6 +244,15 @@ d->reason = reason; } +void +key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede) +{ + struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data; + if (ede != LDNS_EDE_NONE) { /* reason_bogus init is LDNS_EDE_NONE already */ + d->reason_bogus = ede; + } +} + char* key_entry_get_reason(struct key_entry_key* kkey) { @@ -251,6 +260,14 @@ return d->reason; } +sldns_ede_code +key_entry_get_reason_bogus(struct key_entry_key* kkey) +{ + struct key_entry_data* d = (struct key_entry_data*)kkey->entry.data; + return d->reason_bogus; + +} + /** setup key entry in region */ static int key_entry_setup(struct regional* region, @@ -286,6 +303,7 @@ d->ttl = now + ttl; d->isbad = 0; d->reason = NULL; + d->reason_bogus = LDNS_EDE_NONE; d->rrset_type = LDNS_RR_TYPE_DNSKEY; d->rrset_data = NULL; d->algo = NULL; @@ -306,6 +324,7 @@ d->ttl = rd->ttl + now; d->isbad = 0; d->reason = NULL; + d->reason_bogus = LDNS_EDE_NONE; d->rrset_type = ntohs(rrset->rk.type); d->rrset_data = (struct packed_rrset_data*)regional_alloc_init(region, rd, packed_rrset_sizeof(rd)); @@ -332,6 +351,7 @@ d->ttl = now + ttl; d->isbad = 1; d->reason = NULL; + d->reason_bogus = LDNS_EDE_NONE; d->rrset_type = LDNS_RR_TYPE_DNSKEY; d->rrset_data = NULL; d->algo = NULL;
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_kentry.h -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_kentry.h
Changed
@@ -45,6 +45,7 @@ struct regional; struct ub_packed_rrset_key; #include "util/storage/lruhash.h" +#include "sldns/rrdef.h" /** * A key entry for the validator. @@ -80,6 +81,8 @@ struct packed_rrset_data* rrset_data; /** not NULL sometimes to give reason why bogus */ char* reason; + /** not NULL to give reason why bogus */ + sldns_ede_code reason_bogus; /** list of algorithms signalled, ends with 0, or NULL */ uint8_t* algo; /** DNS RR type of the rrset data (host order) */ @@ -151,6 +154,15 @@ void key_entry_set_reason(struct key_entry_key* kkey, char* reason); /** + * Set the EDE (RFC8914) code why the key is bad, if it + * exists (so not LDNS_EDE_NONE). + * @param kkey: bad key. + * @param ede: EDE code to attach to this key. + */ +void key_entry_set_reason_bogus(struct key_entry_key* kkey, sldns_ede_code ede); + + +/** * Get reason why a key is bad. * @param kkey: bad key * @return pointer to string. @@ -159,6 +171,13 @@ char* key_entry_get_reason(struct key_entry_key* kkey); /** + * Get the EDE (RFC8914) code why a key is bad. Can return LDNS_EDE_NONE. + * @param kkey: bad key + * @return the ede code. + */ +sldns_ede_code key_entry_get_reason_bogus(struct key_entry_key* kkey); + +/** * Create a null entry, in the given region. * @param region: where to allocate * @param name: the key name
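Review bot: The field comment added for reason_bogus, `/** not NULL to give reason why bogus */`, is copied from the char* field above it and does not fit an sldns_ede_code, which holds a code and is initialised to LDNS_EDE_NONE in val_kentry.c rather than to NULL. Something like `/** EDE (RFC8914) code for why the key is bogus, LDNS_EDE_NONE if not set */` matches what key_entry_set_reason_bogus() and the initialisers do.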
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_nsec.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_nsec.c
Changed
@@ -187,7 +187,7 @@ if(d->security == sec_status_secure) return 1; d->security = val_verify_rrset_entry(env, ve, nsec, kkey, reason, - LDNS_SECTION_AUTHORITY, qstate); + NULL, LDNS_SECTION_AUTHORITY, qstate); if(d->security == sec_status_secure) { rrset_update_sec_status(env->rrset_cache, nsec, *env->now); return 1;
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_nsec3.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_nsec3.c
Changed
@@ -1289,7 +1289,8 @@ static int list_is_secure(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key** list, size_t num, - struct key_entry_key* kkey, char** reason, struct module_qstate* qstate) + struct key_entry_key* kkey, char** reason, sldns_ede_code *reason_bogus, + struct module_qstate* qstate) { struct packed_rrset_data* d; size_t i; @@ -1303,7 +1304,7 @@ if(d->security == sec_status_secure) continue; d->security = val_verify_rrset_entry(env, ve, listi, kkey, - reason, LDNS_SECTION_AUTHORITY, qstate); + reason, reason_bogus, LDNS_SECTION_AUTHORITY, qstate); if(d->security != sec_status_secure) { verbose(VERB_ALGO, "NSEC3 did not verify"); return 0; @@ -1317,7 +1318,7 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key** list, size_t num, struct query_info* qinfo, struct key_entry_key* kkey, char** reason, - struct module_qstate* qstate) + sldns_ede_code* reason_bogus, struct module_qstate* qstate) { rbtree_type ct; struct nsec3_filter flt; @@ -1330,8 +1331,10 @@ *reason = "no valid NSEC3s"; return sec_status_bogus; /* no valid NSEC3s, bogus */ } - if(!list_is_secure(env, ve, list, num, kkey, reason, qstate)) + if(!list_is_secure(env, ve, list, num, kkey, reason, reason_bogus, qstate)) { + *reason = "not all NSEC3 records secure"; return sec_status_bogus; /* not all NSEC3 records secure */ + } rbtree_init(&ct, &nsec3_hash_cmp); /* init names-to-hash cache */ filter_init(&flt, list, num, qinfo); /* init RR iterator */ if(!flt.zone) {
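Review bot: In nsec3_prove_nods() the new `*reason = "not all NSEC3 records secure";` runs after list_is_secure() has already passed reason and reason_bogus down to val_verify_rrset_entry(), so any specific failure text set there is overwritten while the EDE code from the same call is kept. The string and the code, which val_nsec3.h documents as paired, can then describe different things. Setting the generic text only when nothing was filled in, e.g. `if(!*reason) *reason = "not all NSEC3 records secure";`, would keep the detail; whether callers initialise *reason to NULL is not visible in this hunk.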
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_nsec3.h -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_nsec3.h
Changed
@@ -68,6 +68,7 @@ #define VALIDATOR_VAL_NSEC3_H #include "util/rbtree.h" #include "util/data/packed_rrset.h" +#include "sldns/rrdef.h" struct val_env; struct regional; struct module_env; @@ -186,6 +187,7 @@ * @param qinfo: query that is verified for. * @param kkey: key entry that signed the NSEC3s. * @param reason: string for bogus result. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param qstate: qstate with region. * @return: * sec_status SECURE of the proposition is proven by the NSEC3 RRs, @@ -197,7 +199,7 @@ nsec3_prove_nods(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key** list, size_t num, struct query_info* qinfo, struct key_entry_key* kkey, char** reason, - struct module_qstate* qstate); + sldns_ede_code* reason_bogus, struct module_qstate* qstate); /** * Prove NXDOMAIN or NODATA.
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_secalgo.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_secalgo.c
Changed
@@ -97,6 +97,23 @@ log_err("%s crypto %s", str, buf); } +/** + * Output a libcrypto openssl error to the logfile as a debug message. + * @param level: debug level to use in verbose() call + * @param str: string to add to it. + * @param e: the error to output, error number from ERR_get_error(). + */ +static void +log_crypto_verbose(enum verbosity_value level, const char* str, unsigned long e) +{ + char buf128; + /* or use ERR_error_string if ERR_error_string_n is not avail TODO */ + ERR_error_string_n(e, buf, sizeof(buf)); + /* buf now contains */ + /* error:error code:library name:function name:reason string */ + verbose(level, "%s crypto %s", str, buf); +} + /* return size of digest if supported, or 0 otherwise */ size_t nsec3_hash_algo_size_supported(int id) @@ -215,6 +232,10 @@ switch(algo) { case LDNS_SHA1: #if defined(HAVE_EVP_SHA1) && defined(USE_SHA1) +#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED + if (EVP_default_properties_is_fips_enabled(NULL)) + return 0; +#endif return SHA_DIGEST_LENGTH; #else if(fake_sha1) return 20; @@ -325,7 +346,11 @@ case LDNS_RSASHA1: case LDNS_RSASHA1_NSEC3: #ifdef USE_SHA1 +#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED + return !EVP_default_properties_is_fips_enabled(NULL); +#else return 1; +#endif #else if(fake_sha1) return 1; return 0; 
@@ -341,15 +366,22 @@ case LDNS_ECDSAP256SHA256: case LDNS_ECDSAP384SHA384: #endif +#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) + return 1; +#endif #ifdef USE_ED25519 case LDNS_ED25519: #endif #ifdef USE_ED448 case LDNS_ED448: #endif -#if (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) || defined(USE_ECDSA) || defined(USE_ED25519) || defined(USE_ED448) +#if defined(USE_ED25519) || defined(USE_ED448) +#ifdef HAVE_EVP_DEFAULT_PROPERTIES_IS_FIPS_ENABLED + return !EVP_default_properties_is_fips_enabled(NULL); +#else return 1; #endif +#endif #ifdef USE_GOST case LDNS_ECC_GOST: @@ -652,6 +684,36 @@ return 1; } +static void +digest_ctx_free(EVP_MD_CTX* ctx, EVP_PKEY *evp_key, + unsigned char* sigblock, int dofree, int docrypto_free) +{ +#ifdef HAVE_EVP_MD_CTX_NEW + EVP_MD_CTX_destroy(ctx); +#else + EVP_MD_CTX_cleanup(ctx); + free(ctx); +#endif + EVP_PKEY_free(evp_key); + if(dofree) free(sigblock); + else if(docrypto_free) OPENSSL_free(sigblock); +} + +static enum sec_status +digest_error_status(const char *str) +{ + unsigned long e = ERR_get_error(); +#ifdef EVP_R_INVALID_DIGEST + if (ERR_GET_LIB(e) == ERR_LIB_EVP && + ERR_GET_REASON(e) == EVP_R_INVALID_DIGEST) { + log_crypto_verbose(VERB_ALGO, str, e); + return sec_status_indeterminate; + } +#endif + log_crypto_verbose(VERB_QUERY, str, e); + return sec_status_unchecked; +} + /** * Check a canonical sig+rrset and signature against a dnskey * @param buf: buffer with data to verify, the first rrsig part and the 
@@ -663,10 +725,11 @@ * @param keylen: length of keydata. * @param reason: bogus reason in more detail. * @return secure if verification succeeded, bogus on crypto failure, - * unchecked on format errors and alloc failures. + * unchecked on format errors and alloc failures, indeterminate + * if digest is not supported by the crypto library (openssl3+ only). */ enum sec_status -verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, +verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, unsigned int sigblock_len, unsigned char* key, unsigned int keylen, char** reason) { 
@@ -735,62 +798,36 @@ } #ifndef HAVE_EVP_DIGESTVERIFY if(EVP_DigestInit(ctx, digest_type) == 0) { - verbose(VERB_QUERY, "verify: EVP_DigestInit failed"); -#ifdef HAVE_EVP_MD_CTX_NEW - EVP_MD_CTX_destroy(ctx); -#else - EVP_MD_CTX_cleanup(ctx); - free(ctx); -#endif - EVP_PKEY_free(evp_key); - if(dofree) free(sigblock); - else if(docrypto_free) OPENSSL_free(sigblock); - return sec_status_unchecked; + enum sec_status sec; + sec = digest_error_status("verify: EVP_DigestInit failed"); + digest_ctx_free(ctx, evp_key, sigblock, + dofree, docrypto_free); + return sec; } if(EVP_DigestUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), (unsigned int)sldns_buffer_limit(buf)) == 0) { - verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed"); -#ifdef HAVE_EVP_MD_CTX_NEW - EVP_MD_CTX_destroy(ctx); -#else - EVP_MD_CTX_cleanup(ctx); - free(ctx); -#endif - EVP_PKEY_free(evp_key); - if(dofree) free(sigblock); - else if(docrypto_free) OPENSSL_free(sigblock); + log_crypto_verbose(VERB_QUERY, "verify: EVP_DigestUpdate failed", + ERR_get_error()); + digest_ctx_free(ctx, evp_key, sigblock, + dofree, docrypto_free); return sec_status_unchecked; } res = EVP_VerifyFinal(ctx, sigblock, sigblock_len, evp_key); #else /* HAVE_EVP_DIGESTVERIFY */ if(EVP_DigestVerifyInit(ctx, NULL, digest_type, NULL, evp_key) == 0) { - verbose(VERB_QUERY, "verify: EVP_DigestVerifyInit failed"); -#ifdef HAVE_EVP_MD_CTX_NEW - EVP_MD_CTX_destroy(ctx); -#else - EVP_MD_CTX_cleanup(ctx); - free(ctx); -#endif - EVP_PKEY_free(evp_key); - if(dofree) free(sigblock); - else if(docrypto_free) OPENSSL_free(sigblock); - return sec_status_unchecked; + enum sec_status sec; + sec = digest_error_status("verify: EVP_DigestVerifyInit failed"); + digest_ctx_free(ctx, evp_key, sigblock, + dofree, docrypto_free); + return sec; } res = EVP_DigestVerify(ctx, sigblock, sigblock_len, (unsigned char*)sldns_buffer_begin(buf), sldns_buffer_limit(buf)); #endif -#ifdef HAVE_EVP_MD_CTX_NEW - EVP_MD_CTX_destroy(ctx); -#else - 
EVP_MD_CTX_cleanup(ctx); - free(ctx); -#endif - EVP_PKEY_free(evp_key); - - if(dofree) free(sigblock); - else if(docrypto_free) OPENSSL_free(sigblock); + digest_ctx_free(ctx, evp_key, sigblock, + dofree, docrypto_free); if(res == 1) { return sec_status_secure;
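Review bot: digest_error_status() takes one entry off the OpenSSL error queue with ERR_get_error() and classifies the failure from that entry alone; anything else the failed EVP_DigestInit/EVP_DigestVerifyInit queued stays behind and can surface in a later, unrelated crypto log line on the same thread. Calling `ERR_clear_error();` after reading the code would leave the queue clean. The new static helpers digest_ctx_free() and digest_error_status() also have no header comment, unlike log_crypto_verbose() above them; digest_ctx_free() in particular should state that it releases sigblock with free() or OPENSSL_free() depending on dofree/docrypto_free. verify_canonrrset() starts and ends outside the visible hunks.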
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_sigcrypt.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_sigcrypt.c
Changed
@@ -513,23 +513,102 @@ int algo_needs_missing(struct algo_needs* n) { - int i; - /* first check if a needed algo was bogus - report that */ - for(i=0; i<ALGO_NEEDS_MAX; i++) + int i, miss = -1; + /* check if a needed algo was bogus - report that; + * check the first missing algo - report that; + * or return 0 */ + for(i=0; i<ALGO_NEEDS_MAX; i++) { if(n->needsi == 2) return 0; - /* now check which algo is missing */ - for(i=0; i<ALGO_NEEDS_MAX; i++) - if(n->needsi == 1) - return i; + if(n->needsi == 1 && miss == -1) + miss = i; + } + if(miss != -1) return miss; return 0; } +/** + * verify rrset, with dnskey rrset, for a specific rrsig in rrset + * @param env: module environment, scratch space is used. + * @param ve: validator environment, date settings. + * @param now: current time for validation (can be overridden). + * @param rrset: to be validated. + * @param dnskey: DNSKEY rrset, keyset to try. + * @param sig_idx: which signature to try to validate. + * @param sortree: reused sorted order. Stored in region. Pass NULL at start, + * and for a new rrset. + * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. + * @param section: section of packet where this rrset comes from. + * @param qstate: qstate with region. + * @return secure if any key signs *this* signature. bogus if no key signs it, + * unchecked on error, or indeterminate if all keys are not supported by + * the crypto library (openssl3+ only). 
+ */ +static enum sec_status +dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, + time_t now, struct ub_packed_rrset_key* rrset, + struct ub_packed_rrset_key* dnskey, size_t sig_idx, + struct rbtree_type** sortree, + char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate) +{ + /* find matching keys and check them */ + enum sec_status sec = sec_status_bogus; + uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); + int algo = rrset_get_sig_algo(rrset, sig_idx); + size_t i, num = rrset_get_count(dnskey); + size_t numchecked = 0; + size_t numindeterminate = 0; + int buf_canon = 0; + verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); + if(!dnskey_algo_id_is_supported(algo)) { + if(reason_bogus) + *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; + verbose(VERB_QUERY, "verify sig: unknown algorithm"); + return sec_status_insecure; + } + + for(i=0; i<num; i++) { + /* see if key matches keytag and algo */ + if(algo != dnskey_get_algo(dnskey, i) || + tag != dnskey_calc_keytag(dnskey, i)) + continue; + numchecked ++; + + /* see if key verifies */ + sec = dnskey_verify_rrset_sig(env->scratch, + env->scratch_buffer, ve, now, rrset, dnskey, i, + sig_idx, sortree, &buf_canon, reason, reason_bogus, + section, qstate); + if(sec == sec_status_secure) + return sec; + else if(sec == sec_status_indeterminate) + numindeterminate ++; + } + if(numchecked == 0) { + *reason = "signatures from unknown keys"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSKEY_MISSING; + verbose(VERB_QUERY, "verify: could not find appropriate key"); + return sec_status_bogus; + } + if(numindeterminate == numchecked) { + *reason = "unsupported algorithm by crypto library"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; + verbose(VERB_ALGO, "verify sig: unsupported algorithm by " + "crypto library"); + return sec_status_indeterminate; + } + return sec_status_bogus; +} + enum sec_status dnskeyset_verify_rrset(struct 
module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, - uint8_t* sigalg, char** reason, sldns_pkt_section section, - struct module_qstate* qstate) + uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate) { enum sec_status sec; size_t i, num; @@ -543,6 +622,8 @@ verbose(VERB_QUERY, "rrset failed to verify due to a lack of " "signatures"); *reason = "no signatures"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_RRSIGS_MISSING; return sec_status_bogus; } @@ -551,12 +632,15 @@ if(algo_needs_num_missing(&needs) == 0) { verbose(VERB_QUERY, "zone has no known algorithms"); *reason = "zone has no known algorithms"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; return sec_status_insecure; } } for(i=0; i<num; i++) { sec = dnskeyset_verify_rrset_sig(env, ve, *env->now, rrset, - dnskey, i, &sortree, reason, section, qstate); + dnskey, i, &sortree, reason, reason_bogus, + section, qstate); /* see which algorithm has been fixed up */ if(sec == sec_status_secure) { if(!sigalg) @@ -594,14 +678,14 @@ *reason = s; } -enum sec_status +enum sec_status dnskey_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, - size_t dnskey_idx, char** reason, sldns_pkt_section section, - struct module_qstate* qstate) + size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate) { enum sec_status sec; - size_t i, num, numchecked = 0; + size_t i, num, numchecked = 0, numindeterminate = 0; rbtree_type* sortree = NULL; int buf_canon = 0; uint16_t tag = dnskey_calc_keytag(dnskey, dnskey_idx); @@ -612,6 +696,8 @@ verbose(VERB_QUERY, "rrset failed to verify due to a lack of " "signatures"); *reason = "no signatures"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_RRSIGS_MISSING; return sec_status_bogus; } for(i=0; i<num; i++) { 
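Review bot: The `@return` text on the new static `dnskeyset_verify_rrset_sig` leaves out `sec_status_insecure`, which the function returns from the `!dnskey_algo_id_is_supported(algo)` branch before any key is tried. The comment lists secure, bogus, unchecked and indeterminate only, so a reader relying on it would miss one of the five outcomes. I would add `insecure if the signature algorithm id is not supported,` ahead of the indeterminate clause. That branch also sets `*reason_bogus` without writing `*reason`, which is worth a word in the `@param reason` line if it is intended.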
@@ -620,57 +706,28 @@ tag != rrset_get_sig_keytag(rrset, i)) continue; buf_canon = 0; - sec = dnskey_verify_rrset_sig(env->scratch, + sec = dnskey_verify_rrset_sig(env->scratch, env->scratch_buffer, ve, *env->now, rrset, dnskey, dnskey_idx, i, &sortree, &buf_canon, reason, - section, qstate); + reason_bogus, section, qstate); if(sec == sec_status_secure) return sec; numchecked ++; + if(sec == sec_status_indeterminate) + numindeterminate ++; } verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus"); - if(!numchecked) *reason = "signature missing"; - return sec_status_bogus; -} - -enum sec_status -dnskeyset_verify_rrset_sig(struct module_env* env, struct val_env* ve, - time_t now, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, size_t sig_idx, - struct rbtree_type** sortree, char** reason, sldns_pkt_section section, - struct module_qstate* qstate) -{ - /* find matching keys and check them */ - enum sec_status sec = sec_status_bogus; - uint16_t tag = rrset_get_sig_keytag(rrset, sig_idx); - int algo = rrset_get_sig_algo(rrset, sig_idx); - size_t i, num = rrset_get_count(dnskey); - size_t numchecked = 0; - int buf_canon = 0; - verbose(VERB_ALGO, "verify sig %d %d", (int)tag, algo); - if(!dnskey_algo_id_is_supported(algo)) { - verbose(VERB_QUERY, "verify sig: unknown algorithm"); - return sec_status_insecure; - } - - for(i=0; i<num; i++) { - /* see if key matches keytag and algo */ - if(algo != dnskey_get_algo(dnskey, i) || - tag != dnskey_calc_keytag(dnskey, i)) - continue; - numchecked ++; - - /* see if key verifies */ - sec = dnskey_verify_rrset_sig(env->scratch, - env->scratch_buffer, ve, now, rrset, dnskey, i, - sig_idx, sortree, &buf_canon, reason, section, qstate); - if(sec == sec_status_secure) - return sec; - } - if(numchecked == 0) { - *reason = "signatures from unknown keys"; - verbose(VERB_QUERY, "verify: could not find appropriate key"); - return sec_status_bogus; + if(!numchecked) { + *reason = "signature missing"; + 
if(reason_bogus) + *reason_bogus = LDNS_EDE_RRSIGS_MISSING; + } else if(numchecked == numindeterminate) { + verbose(VERB_ALGO, "rrset failed to verify due to algorithm " + "refusal by cryptolib"); + if(reason_bogus) + *reason_bogus = LDNS_EDE_UNSUPPORTED_DNSKEY_ALG; + *reason = "algorithm refused by cryptolib"; + return sec_status_indeterminate; } return sec_status_bogus; } @@ -1361,8 +1418,8 @@ /** check rrsig dates */ static int -check_dates(struct val_env* ve, uint32_t unow, - uint8_t* expi_p, uint8_t* incep_p, char** reason) +check_dates(struct val_env* ve, uint32_t unow, uint8_t* expi_p, + uint8_t* incep_p, char** reason, sldns_ede_code *reason_bogus) { /* read out the dates */ uint32_t expi, incep, now; @@ -1386,6 +1443,14 @@ sigdate_error("verify: inception after expiration, " "signature bad", expi, incep, now); *reason = "signature inception after expiration"; + if(reason_bogus){ + /* from RFC8914 on Signature Not Yet Valid: The resolver + * attempted to perform DNSSEC validation, but no + * signatures are presently valid and at least some are + * not yet valid. */ + *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID; + } + return 0; } if(compare_1982(incep, now) > 0) { @@ -1397,6 +1462,8 @@ sigdate_error("verify: signature bad, current time is" " before inception date", expi, incep, now); *reason = "signature before inception date"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_SIGNATURE_NOT_YET_VALID; return 0; } sigdate_error("verify warning suspicious signature inception " @@ -1410,6 +1477,8 @@ sigdate_error("verify: signature expired", expi, incep, now); *reason = "signature expired"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_SIGNATURE_EXPIRED; return 0; } sigdate_error("verify warning suspicious signature expiration " 
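Review bot: In `dnskey_verify_rrset` the line `verbose(VERB_ALGO, "rrset failed to verify: all signatures are bogus");` still runs before the new `numchecked == numindeterminate` branch, so the log reports bogus signatures on the path that returns `sec_status_indeterminate`. Someone triaging a validation failure from the logs is then pointed at broken or forged signatures when the crypto library only refused the algorithm. Moving that `verbose` call to just above the final `return sec_status_bogus;` leaves each path with one accurate message. The start of the function is in an earlier hunk, so this rests on the tail shown here.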
@@ -1473,7 +1542,8 @@ struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, size_t sig_idx, - struct rbtree_type** sortree, int* buf_canon, char** reason, + struct rbtree_type** sortree, int* buf_canon, + char** reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate* qstate) { enum sec_status sec; @@ -1492,12 +1562,16 @@ if(siglen < 2+20) { verbose(VERB_QUERY, "verify: signature too short"); *reason = "signature too short"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } if(!(dnskey_get_flags(dnskey, dnskey_idx) & DNSKEY_BIT_ZSK)) { verbose(VERB_QUERY, "verify: dnskey without ZSK flag"); *reason = "dnskey without ZSK flag"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_NO_ZONE_KEY_BIT_SET; return sec_status_bogus; } @@ -1505,6 +1579,8 @@ /* RFC 4034 says DNSKEY PROTOCOL MUST be 3 */ verbose(VERB_QUERY, "verify: dnskey has wrong key protocol"); *reason = "dnskey has wrong protocolnumber"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } @@ -1514,17 +1590,23 @@ if(!signer_len) { verbose(VERB_QUERY, "verify: malformed signer name"); *reason = "signer name malformed"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; /* signer name invalid */ } if(!dname_subdomain_c(rrset->rk.dname, signer)) { verbose(VERB_QUERY, "verify: signer name is off-tree"); *reason = "signer name off-tree"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; /* signer name offtree */ } sigblock = (unsigned char*)signer+signer_len; if(siglen < 2+18+signer_len+1) { verbose(VERB_QUERY, "verify: too short, no signature data"); *reason = "signature too short, no signature data"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; /* sig rdf is < 1 byte */ } sigblock_len = (unsigned int)(siglen - 2 - 18 - signer_len); 
@@ -1537,6 +1619,8 @@ log_nametypeclass(VERB_QUERY, "the key name is", dnskey->rk.dname, 0, 0); *reason = "signer name mismatches key name"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } @@ -1545,18 +1629,24 @@ if(memcmp(sig+2, &rrset->rk.type, 2) != 0) { verbose(VERB_QUERY, "verify: wrong type covered"); *reason = "signature covers wrong type"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } /* verify keytag and sig algo (possibly again) */ if((int)sig2+2 != dnskey_get_algo(dnskey, dnskey_idx)) { verbose(VERB_QUERY, "verify: wrong algorithm"); *reason = "signature has wrong algorithm"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } ktag = htons(dnskey_calc_keytag(dnskey, dnskey_idx)); if(memcmp(sig+2+16, &ktag, 2) != 0) { verbose(VERB_QUERY, "verify: wrong keytag"); *reason = "signature has wrong keytag"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } @@ -1564,6 +1654,8 @@ if((int)sig2+3 > dname_signame_label_count(rrset->rk.dname)) { verbose(VERB_QUERY, "verify: labelcount out of range"); *reason = "signature labelcount out of range"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSSEC_BOGUS; return sec_status_bogus; } @@ -1598,7 +1690,8 @@ /* verify inception, expiration dates * Do this last so that if you ignore expired-sigs the * rest is sure to be OK. */ - if(!check_dates(ve, now, sig+2+8, sig+2+12, reason)) { + if(!check_dates(ve, now, sig+2+8, sig+2+12, + reason, reason_bogus)) { return sec_status_bogus; } }
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_sigcrypt.h -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_sigcrypt.h
Changed
@@ -45,6 +45,7 @@ #define VALIDATOR_VAL_SIGCRYPT_H #include "util/data/packed_rrset.h" #include "sldns/pkthdr.h" +#include "sldns/rrdef.h" struct val_env; struct module_env; struct module_qstate; @@ -256,6 +257,7 @@ * @param sigalg: if nonNULL provide downgrade protection otherwise one * algorithm is enough. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param section: section of packet where this rrset comes from. * @param qstate: qstate with region. * @return SECURE if one key in the set verifies one rrsig. @@ -264,9 +266,11 @@ */ enum sec_status dnskeyset_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, char** reason, + struct ub_packed_rrset_key* dnskey, uint8_t* sigalg, + char** reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate* qstate); + /** * verify rrset against one specific dnskey (from rrset) * @param env: module environment, scratch space is used. 
@@ -275,39 +279,18 @@ * @param dnskey: DNSKEY rrset, keyset. * @param dnskey_idx: which key from the rrset to try. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param section: section of packet where this rrset comes from. * @param qstate: qstate with region. * @return secure if *this* key signs any of the signatures on rrset. * unchecked on error or and bogus on bad signature. */ -enum sec_status dnskey_verify_rrset(struct module_env* env, - struct val_env* ve, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, size_t dnskey_idx, char** reason, +enum sec_status dnskey_verify_rrset(struct module_env* env, struct val_env* ve, + struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, + size_t dnskey_idx, char** reason, sldns_ede_code *reason_bogus, sldns_pkt_section section, struct module_qstate* qstate); /** - * verify rrset, with dnskey rrset, for a specific rrsig in rrset - * @param env: module environment, scratch space is used. - * @param ve: validator environment, date settings. - * @param now: current time for validation (can be overridden). - * @param rrset: to be validated. - * @param dnskey: DNSKEY rrset, keyset to try. - * @param sig_idx: which signature to try to validate. - * @param sortree: reused sorted order. Stored in region. Pass NULL at start, - * and for a new rrset. - * @param reason: if bogus, a string returned, fixed or alloced in scratch. - * @param section: section of packet where this rrset comes from. - * @param qstate: qstate with region. - * @return secure if any key signs *this* signature. bogus if no key signs it, - * or unchecked on error. 
- */ -enum sec_status dnskeyset_verify_rrset_sig(struct module_env* env, - struct val_env* ve, time_t now, struct ub_packed_rrset_key* rrset, - struct ub_packed_rrset_key* dnskey, size_t sig_idx, - struct rbtree_type** sortree, char** reason, sldns_pkt_section section, - struct module_qstate* qstate); - -/** * verify rrset, with specific dnskey(from set), for a specific rrsig * @param region: scratch region used for temporary allocation. * @param buf: scratch buffer used for canonicalized rrset data. @@ -323,17 +306,19 @@ * pass false at start. pass old value only for same rrset and same * signature (but perhaps different key) for reuse. * @param reason: if bogus, a string returned, fixed or alloced in scratch. + * @param reason_bogus: EDE (8914) code paired with the reason of failure. * @param section: section of packet where this rrset comes from. * @param qstate: qstate with region. * @return secure if this key signs this signature. unchecked on error or * bogus if it did not validate. */ -enum sec_status dnskey_verify_rrset_sig(struct regional* region, - struct sldns_buffer* buf, struct val_env* ve, time_t now, - struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, - size_t dnskey_idx, size_t sig_idx, - struct rbtree_type** sortree, int* buf_canon, char** reason, - sldns_pkt_section section, struct module_qstate* qstate); +enum sec_status dnskey_verify_rrset_sig(struct regional* region, + struct sldns_buffer* buf, struct val_env* ve, time_t now, + struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* dnskey, + size_t dnskey_idx, size_t sig_idx, + struct rbtree_type** sortree, int* buf_canon, + char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate); /** * canonical compare for two tree entries
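Review bot: The `@return` line kept for `dnskey_verify_rrset` still reads `unchecked on error or and bogus on bad signature`, but the implementation changed in this same commit can now return `sec_status_indeterminate` as well. The header is what callers read, so the new status should be listed there, and the stray "or and" can be fixed at the same time: `* unchecked on error, bogus on bad signature, or indeterminate if the crypto library refused the algorithm for every signature tried.` The `@return` for `dnskey_verify_rrset_sig` in the following hunk probably needs the same addition, since both callers in the .c file test its result against `sec_status_indeterminate`. That hunk also writes `EDE (8914)` where the other comments say `EDE (RFC8914)`.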
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_utils.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_utils.c
Changed
@@ -332,11 +332,11 @@ return d->ttl; } -enum sec_status +static enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, - uint8_t* sigalg, char** reason, sldns_pkt_section section, - struct module_qstate* qstate) + uint8_t* sigalg, char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate) { enum sec_status sec; struct packed_rrset_data* d = (struct packed_rrset_data*)rrset-> @@ -359,7 +359,7 @@ log_nametypeclass(VERB_ALGO, "verify rrset", rrset->rk.dname, ntohs(rrset->rk.type), ntohs(rrset->rk.rrset_class)); sec = dnskeyset_verify_rrset(env, ve, rrset, keys, sigalg, reason, - section, qstate); + reason_bogus, section, qstate); verbose(VERB_ALGO, "verify result: %s", sec_status_to_string(sec)); regional_free_all(env->scratch); @@ -392,7 +392,8 @@ enum sec_status val_verify_rrset_entry(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, struct key_entry_key* kkey, - char** reason, sldns_pkt_section section, struct module_qstate* qstate) + char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate) { /* temporary dnskey rrset-key */ struct ub_packed_rrset_key dnskey; 
@@ -406,16 +407,16 @@ dnskey.entry.key = &dnskey; dnskey.entry.data = kd->rrset_data; sec = val_verify_rrset(env, ve, rrset, &dnskey, kd->algo, reason, - section, qstate); + reason_bogus, section, qstate); return sec; } /** verify that a DS RR hashes to a key and that key signs the set */ static enum sec_status -verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, - struct ub_packed_rrset_key* dnskey_rrset, +verify_dnskeys_with_ds_rr(struct module_env* env, struct val_env* ve, + struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ds_rrset, size_t ds_idx, char** reason, - struct module_qstate* qstate) + sldns_ede_code *reason_bogus, struct module_qstate* qstate) { enum sec_status sec = sec_status_bogus; size_t i, num, numchecked = 0, numhashok = 0, numsizesupp = 0; @@ -450,14 +451,14 @@ /* Otherwise, we have a match! Make sure that the DNSKEY * verifies *with this key* */ - sec = dnskey_verify_rrset(env, ve, dnskey_rrset, - dnskey_rrset, i, reason, LDNS_SECTION_ANSWER, qstate); + sec = dnskey_verify_rrset(env, ve, dnskey_rrset, dnskey_rrset, + i, reason, reason_bogus, LDNS_SECTION_ANSWER, qstate); if(sec == sec_status_secure) { return sec; } /* If it didn't validate with the DNSKEY, try the next one! */ } - if(numsizesupp != 0) { + if(numsizesupp != 0 || sec == sec_status_indeterminate) { /* there is a working DS, but that DNSKEY is not supported */ return sec_status_insecure; } @@ -488,11 +489,11 @@ return digest_algo; } -enum sec_status +enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, - struct module_qstate* qstate) + sldns_ede_code *reason_bogus, struct module_qstate* qstate) { /* as long as this is false, we can consider this DS rrset to be * equivalent to no DS rrset. */ 
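Review bot: The new condition `if(numsizesupp != 0 || sec == sec_status_indeterminate)` in `verify_dnskeys_with_ds_rr` tests `sec` after the loop, where it holds only the status of the last DNSKEY that reached `dnskey_verify_rrset`, or the initial `sec_status_bogus`. Because this branch relaxes the result to `sec_status_insecure`, the outcome for a DS that matches more than one key depends on key order: indeterminate followed by bogus stays bogus, while bogus followed by indeterminate becomes insecure. The sibling functions in this change count instead (`numindeterminate == numchecked`). Doing the same here, with `if(sec == sec_status_indeterminate) numindeterminate++;` in the loop and a comparison against the number of keys actually verified, would make the downgrade decision explicit. The loop head is outside the hunk, so how many keys can reach the call per DS is not visible here.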
@@ -529,7 +530,7 @@ } sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, - ds_rrset, i, reason, qstate); + ds_rrset, i, reason, reason_bogus, qstate); if(sec == sec_status_insecure) continue; @@ -571,15 +572,16 @@ return sec_status_bogus; } -struct key_entry_key* +struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, - struct module_qstate* qstate) + sldns_ede_code *reason_bogus, struct module_qstate* qstate) { uint8_t sigalgALGO_NEEDS_MAX+1; - enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, - dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, qstate); + enum sec_status sec = val_verify_DNSKEY_with_DS(env, ve, + dnskey_rrset, ds_rrset, downprot?sigalg:NULL, reason, + reason_bogus, qstate); if(sec == sec_status_secure) { return key_entry_create_rrset(region, @@ -597,12 +599,12 @@ BOGUS_KEY_TTL, *env->now); } -enum sec_status +enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ta_ds, struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, - struct module_qstate* qstate) + sldns_ede_code *reason_bogus, struct module_qstate* qstate) { /* as long as this is false, we can consider this anchor to be * equivalent to no anchor. */ @@ -617,6 +619,8 @@ verbose(VERB_QUERY, "DNSKEY RRset did not match DS RRset " "by name"); *reason = "DNSKEY RRset did not match DS RRset by name"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSKEY_MISSING; return sec_status_bogus; } if(ta_dnskey && (dnskey_rrset->rk.dname_len != ta_dnskey->rk.dname_len @@ -625,6 +629,8 @@ verbose(VERB_QUERY, "DNSKEY RRset did not match anchor RRset " "by name"); *reason = "DNSKEY RRset did not match anchor RRset by name"; + if(reason_bogus) + *reason_bogus = LDNS_EDE_DNSKEY_MISSING; return sec_status_bogus; } 
@@ -648,7 +654,7 @@ continue; sec = verify_dnskeys_with_ds_rr(env, ve, dnskey_rrset, - ta_ds, i, reason, qstate); + ta_ds, i, reason, reason_bogus, qstate); if(sec == sec_status_insecure) continue; @@ -688,7 +694,7 @@ has_useful_ta = 1; sec = dnskey_verify_rrset(env, ve, dnskey_rrset, - ta_dnskey, i, reason, LDNS_SECTION_ANSWER, qstate); + ta_dnskey, i, reason, NULL, LDNS_SECTION_ANSWER, qstate); if(sec == sec_status_secure) { if(!sigalg || algo_needs_set_secure(&needs, (uint8_t)dnskey_get_algo(ta_dnskey, i))) { @@ -723,24 +729,24 @@ struct key_entry_key* val_verify_new_DNSKEYs_with_ta(struct regional* region, struct module_env* env, - struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, + struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, struct ub_packed_rrset_key* ta_ds_rrset, struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, - char** reason, struct module_qstate* qstate) + char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate) { uint8_t sigalgALGO_NEEDS_MAX+1; - enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, + enum sec_status sec = val_verify_DNSKEY_with_TA(env, ve, dnskey_rrset, ta_ds_rrset, ta_dnskey_rrset, - downprot?sigalg:NULL, reason, qstate); + downprot?sigalg:NULL, reason, reason_bogus, qstate); if(sec == sec_status_secure) { - return key_entry_create_rrset(region, + return key_entry_create_rrset(region, dnskey_rrset->rk.dname, dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), dnskey_rrset, downprot?sigalg:NULL, *env->now); } else if(sec == sec_status_insecure) { return key_entry_create_null(region, dnskey_rrset->rk.dname, - dnskey_rrset->rk.dname_len, + dnskey_rrset->rk.dname_len, ntohs(dnskey_rrset->rk.rrset_class), rrset_get_ttl(dnskey_rrset), *env->now); } @@ -749,7 +755,7 @@ BOGUS_KEY_TTL, *env->now); } -int +int val_dsset_isusable(struct ub_packed_rrset_key* ds_rrset) { size_t i; 
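Review bot: The DNSKEY trust-anchor loop in `val_verify_DNSKEY_with_TA` now calls `dnskey_verify_rrset(env, ve, dnskey_rrset, ta_dnskey, i, reason, NULL, LDNS_SECTION_ANSWER, qstate)`, while the DS trust-anchor path in the same function forwards `reason_bogus` to `verify_dnskeys_with_ds_rr`. A failure against a DNSKEY-type anchor therefore updates `*reason` but leaves the EDE code untouched, so the two outputs can disagree after the call. If dropping the code here is deliberate, a one-line comment at the call saying why would settle it for the next reader; otherwise pass `reason_bogus` as the DS path does. The surrounding loop begins outside the hunk.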
@@ -767,15 +773,16 @@ sldns_lookup_table *lt; char herr64, aerr64; lt = sldns_lookup_by_id(sldns_hashes, - (int)ds_get_digest_algo(ds_rrset, i)); + (int)ds_get_digest_algo(ds_rrset, 0)); if(lt) snprintf(herr, sizeof(herr), "%s", lt->name); else snprintf(herr, sizeof(herr), "%d", - (int)ds_get_digest_algo(ds_rrset, i)); + (int)ds_get_digest_algo(ds_rrset, 0)); lt = sldns_lookup_by_id(sldns_algorithms, - (int)ds_get_key_algo(ds_rrset, i)); + (int)ds_get_key_algo(ds_rrset, 0)); if(lt) snprintf(aerr, sizeof(aerr), "%s", lt->name); else snprintf(aerr, sizeof(aerr), "%d", - (int)ds_get_key_algo(ds_rrset, i)); + (int)ds_get_key_algo(ds_rrset, 0)); + verbose(VERB_ALGO, "DS unsupported, hash %s %s, " "key algorithm %s %s", herr, (ds_digest_algo_is_supported(ds_rrset, 0)?
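Review bot: The diagnostic in this hunk now formats `ds_get_digest_algo(ds_rrset, 0)` and `ds_get_key_algo(ds_rrset, 0)`, so it describes only the first DS record although the message reads as a statement about the whole DS set. With a DS RRset that mixes digest or key algorithms, the logged names may not be the ones that made the set unusable. A short comment above the lookup would make that limit clear, for example `/* log the first DS as a representative; the set may hold other algorithms */`. The loop that precedes this block and the end of the `verbose` call are outside the hunk.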
_service:tar_scm:unbound-1.13.2.tar.gz/validator/val_utils.h -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/val_utils.h
Changed
@@ -43,6 +43,7 @@
 #define VALIDATOR_VAL_UTILS_H
 #include "util/data/packed_rrset.h"
 #include "sldns/pkthdr.h"
+#include "sldns/rrdef.h"
 struct query_info;
 struct reply_info;
 struct val_env;
@@ -114,38 +115,21 @@ size_t cname_skip, uint8_t** signer_name, size_t* signer_len); /** - * Verify RRset with keys - * @param env: module environment (scratch buffer) - * @param ve: validator environment (verification settings) - * @param rrset: what to verify - * @param keys: dnskey rrset to verify with. - * @param sigalg: if nonNULL provide downgrade protection otherwise one - * algorithm is enough. Algo list is constructed in here. - * @param reason: reason of failure. Fixed string or alloced in scratch. - * @param section: section of packet where this rrset comes from. - * @param qstate: qstate with region. - * @return security status of verification. - */ -enum sec_status val_verify_rrset(struct module_env* env, struct val_env* ve, - struct ub_packed_rrset_key* rrset, struct ub_packed_rrset_key* keys, - uint8_t* sigalg, char** reason, sldns_pkt_section section, - struct module_qstate* qstate); - -/** * Verify RRset with keys from a keyset. * @param env: module environment (scratch buffer) * @param ve: validator environment (verification settings) * @param rrset: what to verify * @param kkey: key_entry to verify with. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param section: section of packet where this rrset comes from. * @param qstate: qstate with region. * @return security status of verification. */ enum sec_status val_verify_rrset_entry(struct module_env* env, struct val_env* ve, struct ub_packed_rrset_key* rrset, - struct key_entry_key* kkey, char** reason, sldns_pkt_section section, - struct module_qstate* qstate); + struct key_entry_key* kkey, char** reason, sldns_ede_code *reason_bogus, + sldns_pkt_section section, struct module_qstate* qstate); /** * Verify DNSKEYs with DS rrset. Like val_verify_new_DNSKEYs but 
@@ -158,15 +142,16 @@ * algorithm is enough. The list of signalled algorithms is returned, * must have enough space for ALGO_NEEDS_MAX+1. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param qstate: qstate with region. * @return: sec_status_secure if a DS matches. * sec_status_insecure if end of trust (i.e., unknown algorithms). * sec_status_bogus if it fails. */ -enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, - struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, - struct module_qstate* qstate); +enum sec_status val_verify_DNSKEY_with_DS(struct module_env* env, + struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, + struct ub_packed_rrset_key* ds_rrset, uint8_t* sigalg, char** reason, + sldns_ede_code *reason_bogus, struct module_qstate* qstate); /** * Verify DNSKEYs with DS and DNSKEY rrset. Like val_verify_DNSKEY_with_DS 
@@ -180,16 +165,17 @@ * algorithm is enough. The list of signalled algorithms is returned, * must have enough space for ALGO_NEEDS_MAX+1. * @param reason: reason of failure. Fixed string or alloced in scratch. +* @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param qstate: qstate with region. * @return: sec_status_secure if a DS matches. * sec_status_insecure if end of trust (i.e., unknown algorithms). * sec_status_bogus if it fails. */ -enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, - struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ta_ds, - struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, - struct module_qstate* qstate); +enum sec_status val_verify_DNSKEY_with_TA(struct module_env* env, + struct val_env* ve, struct ub_packed_rrset_key* dnskey_rrset, + struct ub_packed_rrset_key* ta_ds, + struct ub_packed_rrset_key* ta_dnskey, uint8_t* sigalg, char** reason, + sldns_ede_code *reason_bogus, struct module_qstate* qstate); /** * Verify new DNSKEYs with DS rrset. The DS contains hash values that should @@ -204,6 +190,7 @@ * @param downprot: if true provide downgrade protection otherwise one * algorithm is enough. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param qstate: qstate with region. * @return a KeyEntry. This will either contain the now trusted * dnskey_rrset, a "null" key entry indicating that this DS 
@@ -215,12 +202,11 @@ * rrset. * if downprot is set, a key entry with an algo list is made. */ -struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, - struct module_env* env, struct val_env* ve, - struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, - struct module_qstate* qstate); - +struct key_entry_key* val_verify_new_DNSKEYs(struct regional* region, + struct module_env* env, struct val_env* ve, + struct ub_packed_rrset_key* dnskey_rrset, + struct ub_packed_rrset_key* ds_rrset, int downprot, char** reason, + sldns_ede_code *reason_bogus, struct module_qstate* qstate); /** * Verify rrset with trust anchor: DS and DNSKEY rrset. @@ -234,6 +220,7 @@ * @param downprot: if true provide downgrade protection otherwise one * algorithm is enough. * @param reason: reason of failure. Fixed string or alloced in scratch. + * @param reason_bogus: EDE (RFC8914) code paired with the reason of failure. * @param qstate: qstate with region. * @return a KeyEntry. This will either contain the now trusted * dnskey_rrset, a "null" key entry indicating that this DS @@ -246,11 +233,11 @@ * if downprot is set, a key entry with an algo list is made. */ struct key_entry_key* val_verify_new_DNSKEYs_with_ta(struct regional* region, - struct module_env* env, struct val_env* ve, - struct ub_packed_rrset_key* dnskey_rrset, - struct ub_packed_rrset_key* ta_ds_rrset, - struct ub_packed_rrset_key* ta_dnskey_rrset, - int downprot, char** reason, struct module_qstate* qstate); + struct module_env* env, struct val_env* ve, + struct ub_packed_rrset_key* dnskey_rrset, + struct ub_packed_rrset_key* ta_ds_rrset, + struct ub_packed_rrset_key* ta_dnskey_rrset, int downprot, + char** reason, sldns_ede_code *reason_bogus, struct module_qstate* qstate); /** * Determine if DS rrset is usable for validator or not.
_service:tar_scm:unbound-1.13.2.tar.gz/validator/validator.c -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/validator.c
@@ -69,6 +69,20 @@ struct val_qstate* vq, int id, int rcode, struct dns_msg* msg, struct query_info* qinfo, struct sock_list* origin); + +/* Updates the suplied EDE (RFC8914) code selectively so we don't loose + * a more specific code + */ +static void +update_reason_bogus(struct reply_info* rep, sldns_ede_code reason_bogus) +{ + if (rep->reason_bogus == LDNS_EDE_DNSSEC_BOGUS || + rep->reason_bogus == LDNS_EDE_NONE) { + rep->reason_bogus = reason_bogus; + } +} + + /** fill up nsec3 key iterations config entry */ static int fill_nsec3_iter(struct val_env* ve, char* s, int c) @@ -140,7 +154,7 @@ val_env->max_restart = cfg->val_max_restart; c = cfg_count_numbers(cfg->val_nsec3_key_iterations); if(c < 1 || (c&1)) { - log_err("validator: unparseable or odd nsec3 key " + log_err("validator: unparsable or odd nsec3 key " "iterations: %s", cfg->val_nsec3_key_iterations); return 0; } @@ -230,6 +244,7 @@ vq->orig_msg->rep->flags = (uint16_t)(qstate->return_rcode&0xf) |BIT_QR|BIT_RA|(qstate->query_flags|(BIT_CD|BIT_RD)); vq->orig_msg->rep->qdcount = 1; + vq->orig_msg->rep->reason_bogus = LDNS_EDE_NONE; } else { vq->orig_msg = qstate->return_msg; } @@ -484,7 +499,7 @@ return 0; } - /* Not interrested in subquery response. Restore the ext_state, + /* Not interested in subquery response. Restore the ext_state, * that might be changed by generate_request() */ qstate->ext_stateid = ext_state; @@ -592,6 +607,7 @@ enum sec_status sec; int dname_seen = 0; char* reason = NULL; + sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; /* validate the ANSWER section */ for(i=0; i<chase_reply->an_numrrsets; i++) { 
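Review bot: The comment on update_reason_bogus does not spell out the rule the function implements: the stored code is replaced only while it is LDNS_EDE_NONE or LDNS_EDE_DNSSEC_BOGUS, so the first specific code recorded on a reply is never replaced, even by a later and different failure. Every call site added in this file depends on that rule, so it belongs in the comment. Suggested wording, which also fixes the "suplied" and "loose" typos: `/* Set rep->reason_bogus unless an EDE (RFC8914) code more specific than NONE or DNSSEC_BOGUS is already stored; the first specific code wins. */`.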
@@ -613,20 +629,22 @@ /* Verify the answer rrset */ sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, - LDNS_SECTION_ANSWER, qstate); + &reason_bogus, LDNS_SECTION_ANSWER, qstate); /* If the (answer) rrset failed to validate, then this * message is BAD. */ if(sec != sec_status_secure) { log_nametypeclass(VERB_QUERY, "validator: response " "has failed ANSWER rrset:", s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); - errinf(qstate, reason); + errinf_ede(qstate, reason, reason_bogus); if(ntohs(s->rk.type) == LDNS_RR_TYPE_CNAME) errinf(qstate, "for CNAME"); else if(ntohs(s->rk.type) == LDNS_RR_TYPE_DNAME) errinf(qstate, "for DNAME"); errinf_origin(qstate, qstate->reply_origin); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, reason_bogus); + return 0; } @@ -643,17 +661,18 @@ chase_reply->ns_numrrsets; i++) { s = chase_reply->rrsetsi; sec = val_verify_rrset_entry(env, ve, s, key_entry, &reason, - LDNS_SECTION_AUTHORITY, qstate); + &reason_bogus, LDNS_SECTION_AUTHORITY, qstate); /* If anything in the authority section fails to be secure, * we have a bad message. */ if(sec != sec_status_secure) { log_nametypeclass(VERB_QUERY, "validator: response " "has failed AUTHORITY rrset:", s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); - errinf(qstate, reason); + errinf_ede(qstate, reason, reason_bogus); errinf_origin(qstate, qstate->reply_origin); errinf_rrset(qstate, s); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, reason_bogus); return 0; } } 
@@ -669,9 +688,10 @@ /* only validate rrs that have signatures with the key */ /* leave others unchecked, those get removed later on too */ val_find_rrset_signer(s, &sname, &slen); + if(sname && query_dname_compare(sname, key_entry->name)==0) (void)val_verify_rrset_entry(env, ve, s, key_entry, - &reason, LDNS_SECTION_ADDITIONAL, qstate); + &reason, NULL, LDNS_SECTION_ADDITIONAL, qstate); /* the additional section can fail to be secure, * it is optional, check signature in case we need * to clean the additional section later. */ @@ -804,6 +824,7 @@ "inconsistent wildcard sigs:", s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } if(wc && !wc_cached && env->cfg->aggressive_nsec) { @@ -861,6 +882,7 @@ "expansion and did not prove original data " "did not exist"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -959,6 +981,7 @@ if(verbosity >= VERB_ALGO) log_dns_msg("Failed NODATA", qchase, chase_reply); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -1045,6 +1068,7 @@ verbose(VERB_QUERY, "NameError response has failed to prove: " "qname does not exist"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); /* Be lenient with RCODE in NSEC NameError responses */ validate_nodata_response(env, ve, qchase, chase_reply, kkey); if (chase_reply->security == sec_status_secure) @@ -1056,6 +1080,7 @@ verbose(VERB_QUERY, "NameError response has failed to prove: " "covering wildcard does not exist"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); /* Be lenient with RCODE in NSEC NameError responses */ validate_nodata_response(env, ve, qchase, chase_reply, kkey); if (chase_reply->security == sec_status_secure) 
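Review bot: The ADDITIONAL-section call passes `NULL` for the new reason_bogus argument of val_verify_rrset_entry, and the CNAME check in the hunk at -2554 does the same, while the other call sites in this file pass `&reason_bogus`. val_verify_rrset_entry is not defined in this file, so it cannot be confirmed from here that every write through the pointer is guarded; an unguarded write would be a NULL dereference reached while processing response data. If NULL means "no EDE wanted", a comment at the call such as `/* reason_bogus is NULL: the additional section is optional and its EDE is not reported */`, with a matching sentence in the callee's header comment, would make that explicit. The enclosing function starts and ends outside this hunk.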
@@ -1138,6 +1163,7 @@ if(qchase->qtype != LDNS_RR_TYPE_ANY) { log_err("internal error: ANY validation called for non-ANY"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -1154,6 +1180,7 @@ s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } } @@ -1208,6 +1235,7 @@ "expansion and did not prove original data " "did not exist"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -1255,6 +1283,7 @@ "inconsistent wildcard sigs:", s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -1267,6 +1296,7 @@ "wildcarded DNAME:", s->rk.dname, ntohs(s->rk.type), ntohs(s->rk.rrset_class)); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -1324,6 +1354,7 @@ "expansion and did not prove original data " "did not exist"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } @@ -1424,6 +1455,7 @@ verbose(VERB_QUERY, "CNAMEchain to noanswer proves that name " "exists and not exists, bogus"); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } if(!nodata_valid_nsec && !nxdomain_valid_nsec && nsec3s_seen) { @@ -1449,6 +1481,7 @@ if(verbosity >= VERB_ALGO) log_dns_msg("Failed CNAMEnoanswer", qchase, chase_reply); chase_reply->security = sec_status_bogus; + update_reason_bogus(chase_reply, LDNS_EDE_DNSSEC_BOGUS); return; } 
@@ -1492,6 +1525,10 @@ verbose(VERB_ALGO, "restart count exceeded"); return val_error(qstate, id); } + + /* correctly initialize reason_bogus */ + update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_BOGUS); + verbose(VERB_ALGO, "validator classification %s", val_classification_to_string(subtype)); if(subtype == VAL_CLASS_REFERRAL && @@ -1557,6 +1594,7 @@ verbose(VERB_QUERY, "unsigned parent zone denies" " trust anchor, indeterminate"); vq->chase_reply->security = sec_status_indeterminate; + update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_INDETERMINATE); vq->state = VAL_FINISHED_STATE; return 1; } @@ -1588,6 +1626,7 @@ if(vq->key_entry == NULL && anchor == NULL) { /*response isn't under a trust anchor, so we cannot validate.*/ vq->chase_reply->security = sec_status_indeterminate; + update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_INDETERMINATE); /* go to finished state to cache this result */ vq->state = VAL_FINISHED_STATE; return 1; @@ -1633,16 +1672,25 @@ vq->state = VAL_FINISHED_STATE; return 1; } else if(key_entry_isbad(vq->key_entry)) { + sldns_ede_code ede = LDNS_EDE_DNSSEC_BOGUS; + + /* the key could have a more spefic EDE than just bogus */ + if(key_entry_get_reason_bogus(vq->key_entry) != LDNS_EDE_NONE) { + ede = key_entry_get_reason_bogus(vq->key_entry); + } + /* key is bad, chain is bad, reply is bogus */ errinf_dname(qstate, "key for validation", vq->key_entry->name); - errinf(qstate, "is marked as invalid"); + errinf_ede(qstate, "is marked as invalid", ede); if(key_entry_get_reason(vq->key_entry)) { errinf(qstate, "because of a previous"); errinf(qstate, key_entry_get_reason(vq->key_entry)); } + /* no retries, stop bothering the authority until timeout */ vq->restart_count = ve->max_restart; vq->chase_reply->security = sec_status_bogus; + update_reason_bogus(vq->chase_reply, ede); vq->state = VAL_FINISHED_STATE; return 1; } 
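Review bot: The unconditional `update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSSEC_BOGUS);` under the "correctly initialize reason_bogus" comment stores a bogus code on the reply before any validation has run. Nothing visible in this hunk clears it again, so a reply that later validates as secure or insecure would apparently still carry LDNS_EDE_DNSSEC_BOGUS in reason_bogus. That is harmless only if every reader checks the security status first. I would say so in the comment, for example `/* pre-load the generic code; reason_bogus must only be read when security is bogus or indeterminate */`. The surrounding function begins and ends outside the hunk.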
@@ -1713,9 +1761,10 @@ vq->empty_DS_name) == 0) { /* do not query for empty_DS_name again */ verbose(VERB_ALGO, "Cannot retrieve DS for signature"); - errinf(qstate, "no signatures"); + errinf_ede(qstate, "no signatures", LDNS_EDE_RRSIGS_MISSING); errinf_origin(qstate, qstate->reply_origin); vq->chase_reply->security = sec_status_bogus; + update_reason_bogus(vq->chase_reply, LDNS_EDE_RRSIGS_MISSING); vq->state = VAL_FINISHED_STATE; return 1; } @@ -1848,7 +1897,10 @@ "of trust to keys for", vq->key_entry->name, LDNS_RR_TYPE_DNSKEY, vq->key_entry->key_class); vq->chase_reply->security = sec_status_bogus; - errinf(qstate, "while building chain of trust"); + + update_reason_bogus(vq->chase_reply, LDNS_EDE_DNSKEY_MISSING); + errinf_ede(qstate, "while building chain of trust", + LDNS_EDE_DNSKEY_MISSING); if(vq->restart_count >= ve->max_restart) key_cache_insert(ve->kcache, vq->key_entry, qstate); return 1; @@ -1861,9 +1913,10 @@ "signer name", &vq->qchase); verbose(VERB_DETAIL, "Could not establish validation of " "INSECURE status of unsigned response."); - errinf(qstate, "no signatures"); + errinf_ede(qstate, "no signatures", LDNS_EDE_RRSIGS_MISSING); errinf_origin(qstate, qstate->reply_origin); vq->chase_reply->security = sec_status_bogus; + update_reason_bogus(vq->chase_reply, LDNS_EDE_RRSIGS_MISSING); return 1; } subtype = val_classify_response(qstate->query_flags, &qstate->qinfo, 
@@ -2001,17 +2054,20 @@ vq->orig_msg->rep, vq->rrset_skip); /* store overall validation result in orig_msg */ - if(vq->rrset_skip == 0) + if(vq->rrset_skip == 0) { vq->orig_msg->rep->security = vq->chase_reply->security; - else if(subtype != VAL_CLASS_REFERRAL || + update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus); + } else if(subtype != VAL_CLASS_REFERRAL || vq->rrset_skip < vq->orig_msg->rep->an_numrrsets + vq->orig_msg->rep->ns_numrrsets) { /* ignore sec status of additional section if a referral * type message skips there and * use the lowest security status as end result. */ - if(vq->chase_reply->security < vq->orig_msg->rep->security) + if(vq->chase_reply->security < vq->orig_msg->rep->security) { vq->orig_msg->rep->security = vq->chase_reply->security; + update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus); + } } if(subtype == VAL_CLASS_REFERRAL) { @@ -2034,6 +2090,7 @@ &vq->rrset_skip)) { verbose(VERB_ALGO, "validator: failed to chase CNAME"); vq->orig_msg->rep->security = sec_status_bogus; + update_reason_bogus(vq->orig_msg->rep, LDNS_EDE_DNSSEC_BOGUS); } else { /* restart process for new qchase at rrset_skip */ log_query_info(VERB_ALGO, "validator: chased to", @@ -2145,7 +2202,7 @@ if(!qstate->no_cache_store) { if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, vq->orig_msg->rep, 0, qstate->prefetch_leeway, 0, NULL, - qstate->query_flags)) { + qstate->query_flags, qstate->qstarttime)) { log_err("out of memory caching validator results"); } } @@ -2154,7 +2211,7 @@ /* and this does not get prefetched, so no leeway */ if(!dns_cache_store(qstate->env, &vq->orig_msg->qinfo, vq->orig_msg->rep, 1, 0, 0, NULL, - qstate->query_flags)) { + qstate->query_flags, qstate->qstarttime)) { log_err("out of memory caching validator results"); } } 
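Review bot: Where the overall result takes its security status from chase_reply, the EDE is carried over with `update_reason_bogus(vq->orig_msg->rep, vq->chase_reply->reason_bogus);`, which only takes effect while orig_msg->rep still holds LDNS_EDE_NONE or LDNS_EDE_DNSSEC_BOGUS. If orig_msg->rep already holds a specific code from an earlier chase step (whether that can happen is not visible here), the reply ends up with the new security status and the old EDE. The code sent to the client would then no longer describe the failure that decided the result. At the two places where the status is copied, a plain assignment keeps them in step: `vq->orig_msg->rep->reason_bogus = vq->chase_reply->reason_bogus;`. The enclosing function continues outside the hunk.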
@@ -2247,9 +2304,11 @@ * queries. If we get here, it is bogus or an internal error */ if(qstate->qinfo.qclass == LDNS_RR_CLASS_ANY) { verbose(VERB_ALGO, "cannot validate classANY: bogus"); - if(qstate->return_msg) + if(qstate->return_msg) { qstate->return_msg->rep->security = sec_status_bogus; + update_reason_bogus(qstate->return_msg->rep, LDNS_EDE_DNSSEC_BOGUS); + } qstate->ext_stateid = module_finished; return; } @@ -2304,6 +2363,7 @@ struct key_entry_key* kkey = NULL; enum sec_status sec = sec_status_unchecked; char* reason = NULL; + sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; int downprot = qstate->env->cfg->harden_algo_downgrade; if(!dnskey_rrset) { @@ -2311,7 +2371,7 @@ "could not fetch DNSKEY rrset", ta->name, LDNS_RR_TYPE_DNSKEY, ta->dclass); if(qstate->env->cfg->harden_dnssec_stripped) { - errinf(qstate, "no DNSKEY rrset"); + errinf_ede(qstate, "no DNSKEY rrset", LDNS_EDE_DNSKEY_MISSING); kkey = key_entry_create_bad(qstate->region, ta->name, ta->namelen, ta->dclass, BOGUS_KEY_TTL, *qstate->env->now); @@ -2327,7 +2387,7 @@ /* attempt to verify with trust anchor DS and DNSKEY */ kkey = val_verify_new_DNSKEYs_with_ta(qstate->region, qstate->env, ve, dnskey_rrset, ta->ds_rrset, ta->dnskey_rrset, downprot, - &reason, qstate); + &reason, &reason_bogus, qstate); if(!kkey) { log_err("out of memory: verifying prime TA"); return NULL; @@ -2346,7 +2406,7 @@ /* NOTE: in this case, we should probably reject the trust * anchor for longer, perhaps forever. */ if(qstate->env->cfg->harden_dnssec_stripped) { - errinf(qstate, reason); + errinf_ede(qstate, reason, reason_bogus); kkey = key_entry_create_bad(qstate->region, ta->name, ta->namelen, ta->dclass, BOGUS_KEY_TTL, *qstate->env->now); @@ -2389,6 +2449,7 @@ { struct val_env* ve = (struct val_env*)qstate->env->modinfoid; char* reason = NULL; + sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; enum val_classification subtype; if(rcode != LDNS_RCODE_NOERROR) { char rc16; 
@@ -2397,7 +2458,8 @@ /* errors here pretty much break validation */ verbose(VERB_DETAIL, "DS response was error, thus bogus"); errinf(qstate, rc); - errinf(qstate, "no DS"); + errinf_ede(qstate, "no DS", LDNS_EDE_NETWORK_ERROR); + goto return_bogus; } @@ -2411,17 +2473,17 @@ if(!ds) { log_warn("internal error: POSITIVE DS response was " "missing DS."); - errinf(qstate, "no DS record"); + errinf_ede(qstate, "no DS record", LDNS_EDE_DNSSEC_BOGUS); goto return_bogus; } /* Verify only returns BOGUS or SECURE. If the rrset is * bogus, then we are done. */ - sec = val_verify_rrset_entry(qstate->env, ve, ds, - vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate); + sec = val_verify_rrset_entry(qstate->env, ve, ds, + vq->key_entry, &reason, &reason_bogus, LDNS_SECTION_ANSWER, qstate); if(sec != sec_status_secure) { verbose(VERB_DETAIL, "DS rrset in DS response did " "not verify"); - errinf(qstate, reason); + errinf_ede(qstate, reason, reason_bogus); goto return_bogus; } @@ -2430,6 +2492,10 @@ if(!val_dsset_isusable(ds)) { /* If they aren't usable, then we treat it like * there was no DS. */ + + /* TODO add EDE Unsupported DS Digest Type; this needs + * EDE to be added on non SERVFAIL answers. */ + *ke = key_entry_create_null(qstate->region, qinfo->qname, qinfo->qname_len, qinfo->qclass, ub_packed_rrset_ttl(ds), *qstate->env->now); @@ -2452,7 +2518,7 @@ /* make sure there are NSECs or NSEC3s with signatures */ if(!val_has_signed_nsecs(msg->rep, &reason)) { verbose(VERB_ALGO, "no NSECs: %s", reason); - errinf(qstate, reason); + errinf_ede(qstate, reason, LDNS_EDE_NSEC_MISSING); goto return_bogus; } @@ -2493,7 +2559,7 @@ sec = nsec3_prove_nods(qstate->env, ve, msg->rep->rrsets + msg->rep->an_numrrsets, msg->rep->ns_numrrsets, qinfo, vq->key_entry, &reason, - qstate); + &reason_bogus, qstate); switch(sec) { case sec_status_insecure: /* case insecure also continues to unsigned 
@@ -2515,7 +2581,7 @@ case sec_status_bogus: verbose(VERB_DETAIL, "NSEC3s for the " "referral did not prove no DS."); - errinf(qstate, reason); + errinf_ede(qstate, reason, reason_bogus); goto return_bogus; case sec_status_unchecked: default: @@ -2554,7 +2620,7 @@ goto return_bogus; } sec = val_verify_rrset_entry(qstate->env, ve, cname, - vq->key_entry, &reason, LDNS_SECTION_ANSWER, qstate); + vq->key_entry, &reason, NULL, LDNS_SECTION_ANSWER, qstate); if(sec == sec_status_secure) { verbose(VERB_ALGO, "CNAME validated, " "proof that DS does not exist"); @@ -2685,6 +2751,7 @@ struct ub_packed_rrset_key* dnskey = NULL; int downprot; char* reason = NULL; + sldns_ede_code reason_bogus = LDNS_EDE_DNSSEC_BOGUS; if(rcode == LDNS_RCODE_NOERROR) dnskey = reply_find_answer_rrset(qinfo, msg->rep); @@ -2693,6 +2760,7 @@ /* bad response */ verbose(VERB_DETAIL, "Missing DNSKEY RRset in response to " "DNSKEY query."); + if(vq->restart_count < ve->max_restart) { val_blacklist(&vq->chain_blacklist, qstate->region, origin, 1); @@ -2707,7 +2775,7 @@ log_err("alloc failure in missing dnskey response"); /* key_entry is NULL for failure in Validate */ } - errinf(qstate, "No DNSKEY record"); + errinf_ede(qstate, "No DNSKEY record", LDNS_EDE_DNSKEY_MISSING); errinf_origin(qstate, origin); errinf_dname(qstate, "for key", qinfo->qname); vq->state = VAL_VALIDATE_STATE; @@ -2721,7 +2789,7 @@ } downprot = qstate->env->cfg->harden_algo_downgrade; vq->key_entry = val_verify_new_DNSKEYs(qstate->region, qstate->env, - ve, dnskey, vq->ds_rrset, downprot, &reason, qstate); + ve, dnskey, vq->ds_rrset, downprot, &reason, &reason_bogus, qstate); if(!vq->key_entry) { log_err("out of memory in verify new DNSKEYs"); @@ -2742,7 +2810,7 @@ } verbose(VERB_DETAIL, "Did not match a DS to a DNSKEY, " "thus bogus."); - errinf(qstate, reason); + errinf_ede(qstate, reason, reason_bogus); errinf_origin(qstate, origin); errinf_dname(qstate, "for key", qinfo->qname); }
_service:tar_scm:unbound-1.13.2.tar.gz/validator/validator.h -> _service:tar_scm:unbound-1.17.1.tar.gz/validator/validator.h
@@ -68,7 +68,7 @@ #define SENTINEL_IS "root-key-sentinel-is-ta-" /** Root key sentinel is not ta preamble */ #define SENTINEL_NOT "root-key-sentinel-not-ta-" -/** Root key sentinal keytag length */ +/** Root key sentinel keytag length */ #define SENTINEL_KEYTAG_LEN 5 /** @@ -93,7 +93,7 @@ int32_t skew_max; /** max number of query restarts, number of IPs to probe */ - int32_t max_restart; + int max_restart; /** TTL for bogus data; used instead of untrusted TTL from data. * Bogus data will not be verified more often than this interval.
_service:tar_scm:unbound.conf
@@ -5,9 +5,13 @@ # # this is a comment. -#Use this to include other text into the file. +# Use this anywhere in the file to include other text into this file. #include: "otherfile.conf" +# Use this anywhere in the file to include other text, that explicitly starts a +# clause, into this file. Text after this directive needs to start a clause. +#include-toplevel: "otherfile.conf" + # The server clause sets the main parameters. server: # whitespace is not necessary, but looks cleaner. @@ -37,6 +41,11 @@ # Needs to be enabled for munin plugin extended-statistics: yes + # Inhibits selected extended statistics (qtype, qclass, qopcode, rcode, + # rpz-actions) from printing if their value is 0. + # Default on. + # statistics-inhibit-zero: yes + # number of threads to create. 1 disables threading. num-threads: 4 @@ -67,6 +76,10 @@ # NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled interface-automatic: no + # instead of the default port, open additional ports separated by + # spaces when interface-automatic is enabled, by listing them here. + # interface-automatic-ports: "" + # port to answer queries from # port: 53 
@@ -86,19 +99,22 @@ # Set this to yes to prefer ipv6 upstream servers over ipv4. # prefer-ip6: no + # Prefer ipv4 upstream servers, even if ipv6 is available. + # prefer-ip4: no + # number of ports to allocate per thread, determines the size of the # port range that can be open simultaneously. About double the # num-queries-per-thread, or, use as many as the OS will allow you. # outgoing-range: 4096 - # permit unbound to use this port number or port range for + # permit Unbound to use this port number or port range for # making outgoing queries, using an outgoing interface. # Only ephemeral ports are allowed by SElinux outgoing-port-permit: 32768-60999 - # deny unbound the use this of port number or port range for + # deny Unbound the use this of port number or port range for # making outgoing queries, using an outgoing interface. - # Use this to make sure unbound does not grab a UDP port that some + # Use this to make sure Unbound does not grab a UDP port that some # other server on this computer needs. The default is to avoid # IANA-assigned port numbers. # If multiple outgoing-port-permit and outgoing-port-avoid options @@ -122,6 +138,7 @@ # so-sndbuf: 0 # use SO_REUSEPORT to distribute queries over threads. + # at extreme load it could be better to turn it off to distribute even. so-reuseport: yes # use IP_TRANSPARENT so the interface: addresses can be non-local 
@@ -134,9 +151,14 @@ # Linux only. On Linux you also have ip-transparent that is similar. # ip-freebind: no + # the value of the Differentiated Services Codepoint (DSCP) + # in the differentiated services field (DS) of the outgoing + # IP packets + # ip-dscp: 0 + # EDNS reassembly buffer to advertise to UDP peers (the actual buffer - # is set with msg-buffer-size). 1472 can solve fragmentation (timeouts). - # edns-buffer-size: 4096 + # is set with msg-buffer-size). + # edns-buffer-size: 1232 # Maximum UDP response size (not applied to TCP response). # Suggested values are 512 to 4096. Default is 4096. 65536 disables it. @@ -144,6 +166,9 @@ # Helps mitigating DDOS max-udp-size: 3072 + # max memory to use for stream(tcp and tls) waiting result buffers. + # stream-wait-size: 4m + # buffer size for handling DNS data. No messages larger than this # size can be sent or received, by UDP or TCP. In bytes. # msg-buffer-size: 65552 @@ -166,6 +191,26 @@ # msec to wait before close of port on timeout UDP. 0 disables. # delay-close: 0 + # perform connect for UDP sockets to mitigate ICMP side channel. + # udp-connect: yes + + # The number of retries, per upstream nameserver in a delegation, when + # a throwaway response (also timeouts) is received. + # outbound-msg-retry: 5 + + # Hard limit on the number of outgoing queries Unbound will make while + # resolving a name, making sure large NS sets do not loop. + # It resets on query restarts (e.g., CNAME) and referrals. + # max-sent-count: 32 + + # Hard limit on the number of times Unbound is allowed to restart a + # query upon encountering a CNAME record. + # max-query-restarts: 11 + + # msec for waiting for an unknown server to reply. Increase if you + # are behind a slow satellite link, to eg. 1128. + # unknown-server-time-limit: 376 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m 
@@ -193,6 +238,12 @@ # minimum wait time for responses, increase if uplink is long. In msec. # infra-cache-min-rtt: 50 + # maximum wait time for responses. In msec. + # infra-cache-max-rtt: 120000 + + # enable to make server probe down hosts more frequently. + # infra-keep-probing: no + # the number of slabs to use for the Infrastructure cache. # the number of slabs must be a power of 2. # more slabs reduce lock contention, but fragment memory usage. @@ -201,7 +252,8 @@ # the maximum number of hosts that are cached (roundtrip, EDNS, lame). # infra-cache-numhosts: 10000 - # define a number of tags here, use with local-zone, access-control. + # define a number of tags here, use with local-zone, access-control, + # interface-*. # repeat the define-tag statement to add additional tags. # define-tag: "tag1 tag2 tag3" @@ -212,7 +264,7 @@ # do-ip6: yes # Enable UDP, "yes" or "no". - # NOTE: if setting up an unbound on tls443 for public use, you might want to + # NOTE: if setting up an Unbound on tls443 for public use, you might want to # disable UDP to avoid being used in DNS amplification attacks. # do-udp: yes 
@@ -235,12 +287,23 @@ # Default is 0, system default MSS. # outgoing-tcp-mss: 0 - # Fedora note: do not activate this - can cause a crash + # Idle TCP timeout, connection closed in milliseconds + # tcp-idle-timeout: 30000 + + # Enable EDNS TCP keepalive option. + edns-tcp-keepalive: yes + + # Timeout for EDNS TCP keepalive, in msec. + # edns-tcp-keepalive-timeout: 120000 + + # Fedora note: do not activate this - not compiled in because + # it causes frequent unbound crashes. Also, socket activation + # is bad when you have things like dnsmasq also running with libvirt. # Use systemd socket activation for UDP, TCP, and control sockets. # use-systemd: no # Detach from the terminal, run in background, "yes" or "no". - # Set the value to "no" when unbound runs as systemd service. + # Set the value to "no" when Unbound runs as systemd service. # do-daemonize: yes # control which clients are allowed to make (recursive) queries @@ -251,9 +314,7 @@ # allow_snoop (recursive and nonrecursive ok) # deny_non_local (drop queries unless can be answered from local-data) # refuse_non_local (like deny_non_local but polite error reply). - # access-control: 0.0.0.0/0 refuse # access-control: 127.0.0.0/8 allow - # access-control: ::0/0 refuse # access-control: ::1 allow # access-control: ::ffff:127.0.0.1 allow @@ -262,7 +323,7 @@ # are tagged with one of these tags. # access-control-tag: 192.0.2.0/24 "tag2 tag3" - # set action for particular tag for given access control element + # set action for particular tag for given access control element. # if you have multiple tag values, the tag used to lookup the action # is the first tag match between access-control-tag and local-zone-tag # where "first" comes from the order of the define-tag values. 
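Review bot: `edns-tcp-keepalive: yes` is switched on as an active setting without the kind of rationale several other active lines in this file carry, while `tcp-idle-timeout` and `edns-tcp-keepalive-timeout` beside it stay commented out at 30000 and 120000 msec. With keepalive active, an idle client is held for the longer keepalive timeout, which on a resolver reachable by untrusted clients keeps incoming TCP slots occupied for longer. A short comment would record the decision, e.g. `# Enabled by the distribution; idle clients are kept for edns-tcp-keepalive-timeout msec, review together with incoming-num-tcp.`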
@@ -274,6 +335,58 @@ # Set view for access control element # access-control-view: 192.0.2.0/24 viewname + # Similar to 'access-control:' but for interfaces. + # Control which listening interfaces are allowed to accept (recursive) + # queries for this server. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the action. + # The actions are the same as 'access-control:' above. + # By default all the interfaces configured are refused. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-action: 192.0.2.153 allow + # interface-action: 192.0.2.154 allow + # interface-action: 192.0.2.154@5003 allow + # interface-action: 2001:DB8::5 allow + # interface-action: eth0@5003 allow + + # Similar to 'access-control-tag:' but for interfaces. + # Tag interfaces with a list of tags (in "" with spaces between). + # Interfaces using these tags use localzones that are tagged with one + # of these tags. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the list of tags. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag: eth0@5003 "tag2 tag3" + + # Similar to 'access-control-tag-action:' but for interfaces. + # Set action for particular tag for a given interface element. + # If you have multiple tag values, the tag used to lookup the action + # is the first tag match between interface-tag and local-zone-tag + # where "first" comes from the order of the define-tag values. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and action. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-action: eth0@5003 tag3 refuse + + # Similar to 'access-control-tag-data:' but for interfaces. 
+ # Set redirect data for a particular tag for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and the redirect data. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" + + # Similar to 'access-control-view:' but for interfaces. + # Set view for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the view name. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-view: eth0@5003 viewname + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. @@ -293,7 +406,7 @@ # The pid file can be absolute and outside of the chroot, it is # written just prior to performing the chroot and dropping permissions. # - # Additionally, unbound may need to access /dev/random (for entropy). + # Additionally, Unbound may need to access /dev/urandom (for entropy). # How to do this is specific to your OS. # # If you give "" no chroot is performed. The path must not end in a /. @@ -334,6 +447,17 @@ # timetoresolve, fromcache and responsesize. # log-replies: no + # log with tag 'query' and 'reply' instead of 'info' for + # filtering log-queries and log-replies from the log. + # log-tag-queryreply: no + + # log the local-zone actions, like local-zone type inform is enabled + # also for the other local zone types. + # log-local-actions: no + + # print log lines that say why queries return SERVFAIL to clients. + # log-servfail: no + # the pid file. Can be an absolute path outside of chroot/work dir. pidfile: "/var/run/unbound/unbound.pid" 
@@ -350,12 +474,22 @@ # enable to not answer trustanchor.unbound queries. # hide-trustanchor: no + # enable to not set the User-Agent HTTP header. + # hide-http-user-agent: no + # the identity to report. Leave "" or default to return hostname. # identity: "" # the version to report. Leave "" or default to return package version. # version: "" + # NSID identity (hex string, or "ascii_somestring"). default disabled. + # nsid: "aabbccdd" + + # User-Agent HTTP header to use. Leave "" or default to use package name + # and version. + # http-user-agent: "" + # the target fetch policy. # series of integers describing the policy per dependency depth. # The number of values in the list determines the maximum dependency @@ -367,7 +501,7 @@ # target-fetch-policy: "3 2 1 0 0" # Harden against very small EDNS buffer sizes. - # harden-short-bufsize: no + # harden-short-bufsize: yes # Harden against unseemly large queries. # harden-large-queries: no @@ -397,7 +531,7 @@ # Sent minimum amount of information to upstream servers to enhance # privacy. Only sent minimum required labels of the QNAME and set QTYPE - # to NS when possible. + # to A when possible. qname-minimisation: yes # QNAME minimisation in strict mode. Do not fall-back to sending full @@ -416,8 +550,8 @@ # Domains (and domains in them) without support for dns-0x20 and # the fallback fails because they keep sending different answers. - # caps-whitelist: "licdn.com" - # caps-whitelist: "senderbase.org" + # caps-exempt: "licdn.com" + # caps-exempt: "senderbase.org" # Enforce privacy of these addresses. Strips them away from answers. # It may cause DNSSEC validation to additionally mark it as bogus. @@ -458,6 +592,9 @@ # if yes, perform key lookups adjacent to normal lookups. prefetch-key: yes + # deny queries of type ANY with an empty response. + deny-any: yes + # if yes, Unbound rotates RRSet order in response. rrset-roundrobin: yes 
@@ -470,6 +607,11 @@ # module configuration of the server. A string with identifiers # separated by spaces. Syntax: "dns64 validator iterator" + # most modules have to be listed at the beginning of the line, + # except cachedb(just before iterator), and python (at the beginning, + # or, just before the iterator). + # For redis cachedb use: + # "ipsecmod validator cachedb iterator" module-config: "ipsecmod validator iterator" # File with trusted keys, kept uptodate using RFC5011 probes, @@ -477,7 +619,8 @@ # Use several entries, one per domain name, to track multiple zones. # # If you want to perform DNSSEC validation, run unbound-anchor before - # you start unbound (i.e. in the system boot scripts). And enable: + # you start Unbound (i.e. in the system boot scripts). + # And then enable the auto-trust-anchor-file config item. # Please note usage of unbound-anchor root anchor is at your own risk # and under the terms of our LICENSE (see that file in the source). # auto-trust-anchor-file: "/var/lib/unbound/root.key" @@ -488,11 +631,6 @@ # Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel) root-key-sentinel: yes - # File with DLV trusted keys. Same format as trust-anchor-file. - # There can be only one DLV configured, it is trusted from root down. - # DLV is going to be decommissioned. Please do not use it any more. - # dlv-anchor-file: "dlv.isc.org.key" - # File with trusted keys for validation. Specify more than one file # with several entries, one file per entry. # Zone file format, with DS and DNSKEY entries. @@ -534,6 +672,10 @@ # val-sig-skew-min: 3600 # val-sig-skew-max: 86400 + # The maximum number the validator should restart validation with + # another authority in case of failed validation. + # val-max-restart: 5 + # Should additional section of secure message also be kept clean of # unsecure data. Useful to shield the users of this validator from # potential bogus data in the additional section. All unsigned data 
@@ -549,13 +691,40 @@ val-permissive-mode: no # Ignore the CD flag in incoming queries and refuse them bogus data. - # Enable it if the only clients of unbound are legacy servers (w2008) + # Enable it if the only clients of Unbound are legacy servers (w2008) # that set CD but cannot validate themselves. # ignore-cd-flag: no - # Serve expired responses from cache, with TTL 0 in the response, - # and then attempt to fetch the data afresh. + # Serve expired responses from cache, with serve-expired-reply-ttl in + # the response, and then attempt to fetch the data afresh. serve-expired: yes + # + # Limit serving of expired responses to configured seconds after + # expiration. 0 disables the limit. + serve-expired-ttl: 14400 + # + # Set the TTL of expired records to the serve-expired-ttl value after a + # failed attempt to retrieve the record from upstream. This makes sure + # that the expired records will be served as long as there are queries + # for it. + # serve-expired-ttl-reset: no + # + # TTL value to use when replying with expired data. + # serve-expired-reply-ttl: 30 + # + # Time in milliseconds before replying to the client with expired data. + # This essentially enables the serve-stale behavior as specified in + # RFC 8767 that first tries to resolve before + # immediately responding with expired data. 0 disables this behavior. + # A recommended value is 1800. + # serve-expired-client-timeout: 0 + + # Return the original TTL as received from the upstream name server rather + # than the decrementing TTL as stored in the cache. Enabling this feature + # does not impact cache expiry, it only changes the TTL Unbound embeds in + # responses to queries. Note that enabling this feature implicitly disables + # enforcement of the configured minimum and maximum TTL. + # serve-original-ttl: no # Have the validator log failed validations for your diagnosis. # 0: off. 1: A line per failed user query. 2: With reason and bad IP. 
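Review bot: With `serve-expired: yes` active and `serve-expired-ttl: 14400` added in this hunk, while `serve-expired-client-timeout` stays commented at 0, the file as shown appears to answer with expired records immediately, for up to four hours after expiry, rather than trying to resolve first. The comment added in this same hunk recommends 1800 for the RFC 8767 behaviour, so I would enable it: `serve-expired-client-timeout: 1800`. That keeps the resilience benefit while limiting how long clients keep receiving data the zone owner has already withdrawn or changed.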
@@ -565,7 +734,10 @@ # keysize. Keep this table very short, as linear search is done. # A message with an NSEC3 with larger count is marked insecure. # List in ascending order the keysize and count values. - # val-nsec3-keysize-iterations: "1024 150 2048 500 4096 2500" + # val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150" + + # if enabled, ZONEMD verification failures do not block the zone. + # zonemd-permissive-mode: no # instruct the auto-trust-anchor-file probing to add anchors after ttl. # add-holddown: 2592000 # 30 days @@ -590,7 +762,7 @@ # more slabs reduce lock contention, but fragment memory usage. # key-cache-slabs: 4 - # the amount of memory to use for the negative cache (used for DLV). + # the amount of memory to use for the negative cache. # plain value in bytes or you can append k, m or G. default is "1Mb". # neg-cache-size: 1m @@ -603,6 +775,7 @@ # local-zone: "localhost." nodefault # local-zone: "127.in-addr.arpa." nodefault # local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault + # local-zone: "home.arpa." nodefault # local-zone: "onion." nodefault # local-zone: "test." nodefault # local-zone: "invalid." nodefault @@ -639,9 +812,12 @@ # local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault # And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa. - # If unbound is running service for the local host then it is useful + # Add example.com into ipset + # local-zone: "example.com" ipset + + # If Unbound is running service for the local host then it is useful # to perform lan-wide lookups to the upstream, and unblock the - # long list of local-zones above. If this unbound is a dns server + # long list of local-zones above. If this Unbound is a dns server # for a network of computers, disabled is better and stops information # leakage of local lan information. # unblock-lan-zones: no 
@@ -662,8 +838,11 @@ # o typetransparent resolves normally for other types and other names # o inform acts like transparent, but logs client IP address # o inform_deny drops queries and logs client IP address - # o always_transparent, always_refuse, always_nxdomain, resolve in - # that way but ignore local data for that name + # o inform_redirect redirects queries and logs client IP address + # o always_transparent, always_refuse, always_nxdomain, always_nodata, + # always_deny resolve in that way but ignore local data for + # that name + # o always_null returns 0.0.0.0 or ::0 for any name in the zone. # o noview breaks out of that view towards global local-zones. # # defaults are localhost address, reverse for 127.0.0.1 and ::1 
@@ -699,14 +878,43 @@ # add a netblock specific override to a localzone, with zone type # local-zone-override: "example.com" 192.0.2.0/24 refuse - # service clients over SSL (on the TCP sockets), with plain DNS inside - # the SSL stream. Give the certificate to use and private key. + # service clients over TLS (on the TCP sockets) with plain DNS inside + # the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484. + # Give the certificate to use and private key. # default is "" (disabled). requires restart to take effect. # tls-service-key: "/etc/unbound/unbound_server.key" # tls-service-pem: "/etc/unbound/unbound_server.pem" # tls-port: 853 - # - # request upstream over SSL (with plain DNS inside the SSL stream). + # https-port: 443 + + # cipher setting for TLSv1.2 + # tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256" + # cipher setting for TLSv1.3 + # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" + # Fedora/RHEL: use system-wide crypto policies + tls-ciphers: "PROFILE=SYSTEM" + # TODO: ask system-wide crypto people what to use here + #tls-ciphersuites: "PROFILE=SYSTEM" # does not work + + # Pad responses to padded queries received over TLS + # pad-responses: yes + + # Padded responses will be padded to the closest multiple of this size. + # pad-responses-block-size: 468 + + # Use the SNI extension for TLS connections. Default is yes. + # Changing the value requires a reload. + # tls-use-sni: yes + + # Add the secret file for TLS Session Ticket. + # Secret file must be 80 bytes of random data. + # First key use to encrypt and decrypt TLS session tickets. + # Other keys use to decrypt only. + # requires restart to take effect. 
+ # tls-session-ticket-keys: "path/to/secret_file1" + # tls-session-ticket-keys: "path/to/secret_file2" + + # request upstream over TLS (with plain DNS inside the TLS stream). # Default is no. Can be turned on and off with unbound-control. # tls-upstream: no 
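Review bot: The active `tls-ciphers: "PROFILE=SYSTEM"` line is labelled Fedora/RHEL, and that cipher string is only understood by OpenSSL builds that carry system-wide crypto-policy support. It is worth confirming that the OpenSSL this package is built and run against accepts it, otherwise TLS setup may fail on this string. The TLS 1.3 counterpart is left commented with `# does not work` and a TODO, so TLS 1.3 suites are not set by this file and presumably fall back to the library default. I would replace the TODO with a comment that records this, e.g. `# TLSv1.3 suites are not set here; the OpenSSL default applies`, and have the header name the distributions for which the PROFILE line is valid.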
@@ -715,14 +923,48 @@ # Add system certs to the cert bundle, from the Windows Cert Store # tls-win-cert: no + # and on other systems, the default openssl certificates + # tls-system-cert: no + + # Pad queries over TLS upstreams + # pad-queries: yes + + # Padded queries will be padded to the closest multiple of this size. + # pad-queries-block-size: 128 # Also serve tls on these port numbers (eg. 443, ...), by listing - # tls-additional-ports: portno for each of the port numbers. + # tls-additional-port: portno for each of the port numbers. + + # HTTP endpoint to provide DNS-over-HTTPS service on. + # http-endpoint: "/dns-query" + + # HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use. + # http-max-streams: 100 + + # Maximum number of bytes used for all HTTP/2 query buffers. + # http-query-buffer-size: 4m + + # Maximum number of bytes used for all HTTP/2 response buffers. + # http-response-buffer-size: 4m + + # Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS + # service. + # http-nodelay: yes + + # Disable TLS for DNS-over-HTTP downstream service. + # http-notls-downstream: no + + # The interfaces that use these listed port numbers will support and + # expect PROXYv2. For UDP and TCP/TLS interfaces. + # proxy-protocol-port: portno for each of the port numbers. # DNS64 prefix. Must be specified when DNS64 is use. # Enable dns64 in module-config. Used to synthesize IPv6 from IPv4. # dns64-prefix: 64:ff9b::0/96 + # DNS64 ignore AAAA records for these domains and use A instead. + # dns64-ignore-aaaa: "example.com" + # ratelimit for uncached, new queries, this limits recursion effort. # ratelimiting is experimental, and may help against randomqueryflood. # if 0(default) it is disabled, otherwise state qps allowed per zone. 
@@ -736,11 +978,9 @@ # 0 blocks when ratelimited, otherwise let 1/xth traffic through # ratelimit-factor: 10 - # what is considered a low rtt (ping time for upstream server), in msec - # low-rtt: 45 - # select low rtt this many times out of 1000. 0 means the fast server - # select is disabled. prefetches are not sped up. - # low-rtt-permil: 0 + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ratelimit-backoff: no # override the ratelimit for a specific domain name. # give this setting multiple times to have multiple overrides. @@ -762,7 +1002,28 @@ # 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through # ip-ratelimit-factor: 10 - # Specific options for ipsecmod. unbound needs to be configured with + # Aggressive rate limit when the limit is reached and until demand has + # decreased in a 2 second rate window. + # ip-ratelimit-backoff: no + + # Limit the number of connections simultaneous from a netblock + # tcp-connection-limit: 192.0.2.0/24 12 + + # select from the fastest servers this many times out of 1000. 0 means + # the fast server select is disabled. prefetches are not sped up. + # fast-server-permil: 0 + # the number of servers that will be used in the fast server selection. + # fast-server-num: 3 + + # Enable to attach Extended DNS Error codes (RFC8914) to responses. + ede: yes + + # Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale + # Answer as EDNS0 option to expired responses. + # Note that the ede option above needs to be enabled for this to work. + ede-serve-expired: yes + + # Specific options for ipsecmod. Unbound needs to be configured with # --enable-ipsecmod for these to take effect. # # Enable or disable ipsecmod (it still needs to be defined in 
@@ -776,7 +1037,7 @@ # ipsecmod-hook: "./my_executable" ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook - # When enabled unbound will reply with SERVFAIL if the return value of + # When enabled Unbound will reply with SERVFAIL if the return value of # the ipsecmod-hook is not 0. # ipsecmod-strict: no # @@ -788,18 +1049,38 @@ # ipsecmod-ignore-bogus: no # # Domains for which ipsecmod will be triggered. If not defined (default) - # all domains are treated as being whitelisted. - # ipsecmod-whitelist: "libreswan.org" - # ipsecmod-whitelist: "nlnetlabs.nl" + # all domains are treated as being allowed. + # ipsecmod-allow: "example.com" + # ipsecmod-allow: "nlnetlabs.nl" + + # Timeout for REUSE entries in milliseconds. + # tcp-reuse-timeout: 60000 + # Max number of queries on a reuse connection. + # max-reuse-tcp-queries: 200 + # Timeout in milliseconds for TCP queries to auth servers. + # tcp-auth-query-timeout: 3000 # Python config section. To enable: # o use --with-pythonmodule to configure before compiling. # o list python in the module-config string (above) to enable. +# It can be at the start, it gets validated results, or just before +# the iterator and process before DNSSEC validation. # o and give a python-script to run. python: # Script file to load # python-script: "/etc/unbound/ubmodule-tst.py" +# Dynamic library config section. To enable: +# o use --with-dynlibmodule to configure before compiling. +# o list dynlib in the module-config string (above) to enable. +# It can be placed anywhere, the dynlib module is only a very thin wrapper +# to load modules dynamically. +# o and give a dynlib-file to run. If more than one dynlib entry is listed in +# the module-config then you need one dynlib-file per instance. +dynlib: + # Script file to load + # dynlib-file: "/etc/unbound/dynlib.so" + # Remote control config section. remote-control: # Enable remote control with unbound-control(8) here. 
@@ -813,16 +1094,22 @@ # what interfaces are listened to for remote control. # give 0.0.0.0 and ::0 to listen to all interfaces. + # set to an absolute path to use a unix local name pipe, certificates + # are not used for that, so key and cert files need not be present. # control-interface: 127.0.0.1 # control-interface: ::1 # port number for remote control operations. # control-port: 8953 - # unbound server key file. + # for localhost, you can disable use of TLS by setting this to "no" + # For local sockets this option is ignored, and TLS is not used. + control-use-cert: "no" + + # Unbound server key file. server-key-file: "/etc/unbound/unbound_server.key" - # unbound server certificate file. + # Unbound server certificate file. server-cert-file: "/etc/unbound/unbound_server.pem" # unbound-control key file. @@ -847,7 +1134,9 @@ # stub-addr: 192.0.2.68 # stub-prime: no # stub-first: no +# stub-tcp-upstream: no # stub-tls-upstream: no +# stub-no-cache: no # stub-zone: # name: "example.org" # stub-host: ns.example.com. @@ -867,7 +1156,9 @@ # forward-addr: 192.0.2.68 # forward-addr: 192.0.2.73@5355 # forward to port 5355. # forward-first: no +# forward-tcp-upstream: no # forward-tls-upstream: no +# forward-no-cache: no # forward-zone: # name: "example.org" # forward-host: fwd.example.com 
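Review bot: The added `control-use-cert: "no"` turns off certificate authentication for unbound-control. The `control-interface` lines in this hunk are still commented, so the control channel is presumably the loopback TCP port rather than a local socket. If remote control is enabled (the `control-enable` line is outside this hunk), any local process that can reach that port can issue control commands without authenticating. The comment added just above already names the alternative: set `control-interface` to an absolute path, e.g. `control-interface: "/run/unbound/control"` (placeholder path), so that access is governed by file permissions. Otherwise leave `control-use-cert` at its default.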
@@ -883,21 +1174,36 @@ # has a copy of the root for local usage. The second serves example.org # authoritatively. zonefile: reads from file (and writes to it if you also # download it), master: fetches with AXFR and IXFR, or url to zonefile. +# With allow-notify: you can give additional (apart from masters) sources of +# notifies. auth-zone: name: "." + primary: 199.9.14.201 # b.root-servers.net + primary: 192.33.4.12 # c.root-servers.net + primary: 199.7.91.13 # d.root-servers.net + primary: 192.5.5.241 # f.root-servers.net + primary: 192.112.36.4 # g.root-servers.net + primary: 193.0.14.129 # k.root-servers.net + primary: 192.0.47.132 # xfr.cjr.dns.icann.org + primary: 192.0.32.132 # xfr.lax.dns.icann.org + primary: 2001:500:200::b # b.root-servers.net + primary: 2001:500:2::c # c.root-servers.net + primary: 2001:500:2d::d # d.root-servers.net + primary: 2001:500:2f::f # f.root-servers.net + primary: 2001:500:12::d0d # g.root-servers.net + primary: 2001:7fd::1 # k.root-servers.net + primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org + primary: 2620:0:2d0:202::132 # xfr.lax.dns.icann.org + fallback-enabled: yes for-downstream: no for-upstream: yes - fallback-enabled: yes - master: b.root-servers.net - master: c.root-servers.net - master: e.root-servers.net - master: f.root-servers.net - master: g.root-servers.net - master: k.root-servers.net + # auth-zone: # name: "example.org" # for-downstream: yes # for-upstream: yes +# zonemd-check: no +# zonemd-reject-absence: no # zonefile: "example.org.zone" # Views @@ -911,7 +1217,7 @@ # name: "viewname" # local-zone: "example.com" redirect # local-data: "example.com A 192.0.2.3" -# local-data-ptr: "192.0.2.3 www.example.com" +# local-data-ptr: "192.0.2.3 www.example.com" # view-first: no # view: # name: "anotherview" 
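Review bot: The root `auth-zone` now pins sixteen `primary:` entries as literal IPv4/IPv6 addresses where the removed `master:` lines used host names, so a renumbered root or ICANN transfer server will keep being contacted at its old address until the package is updated. `fallback-enabled: yes` keeps resolution working if transfers fail, but nothing in the file tells a maintainer that the list needs upkeep. I would add a comment above the list such as `# addresses are pinned; re-verify against the current root hints on every package update`.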
@@ -921,8 +1227,9 @@ # another crypto library # # DNSCrypt +# o enable, use --enable-dnscrypt to configure before compiling. # Caveats: -# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper +# 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper # for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage # 2. dnscrypt channel attaches to an interface. you MUST set interfaces to # listen on `dnscrypt-port` with the follo0wing snippet: 
@@ -941,18 +1248,92 @@ # dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert # CacheDB -# Enable external backend DB as auxiliary cache. Specify the backend name +# External backend DB as auxiliary cache. +# To enable, use --enable-cachedb to configure before compiling. +# Specify the backend name # (default is "testframe", which has no use other than for debugging and # testing) and backend-specific options. The 'cachedb' module must be -# included in module-config. +# included in module-config, just before the iterator module. # cachedb: # backend: "testframe" # # secret seed string to calculate hashed keys # secret-seed: "default" +# # # For "redis" backend: +# # (to enable, use --with-libhiredis to configure before compiling) # # redis server's IP address or host name # redis-server-host: 127.0.0.1 # # redis server's TCP port # redis-server-port: 6379 # # timeout (in ms) for communication with the redis server # redis-timeout: 100 +# # set timeout on redis records based on DNS response TTL +# redis-expire-records: no + +# IPSet +# Add specify domain into set via ipset. +# To enable: +# o use --enable-ipset to configure before compiling; +# o Unbound then needs to run as root user. +# ipset: +# # set name for ip v4 addresses +# name-v4: "list-v4" +# # set name for ip v6 addresses +# name-v6: "list-v6" +# + +# Dnstap logging support, if compiled in by using --enable-dnstap to configure. +# To enable, set the dnstap-enable to yes and also some of +# dnstap-log-..-messages to yes. And select an upstream log destination, by +# socket path, TCP or TLS destination. +# dnstap: +# dnstap-enable: no +# # if set to yes frame streams will be used in bidirectional mode +# dnstap-bidirectional: yes +# dnstap-socket-path: "/etc/unbound/dnstap.sock" +# # if "" use the unix socket in dnstap-socket-path, otherwise, +# # set it to "IPaddress@port" of the destination. +# dnstap-ip: "" +# # if set to yes if you want to use TLS to dnstap-ip, no for TCP. 
+# dnstap-tls: yes +# # name for authenticating the upstream server. or "" disabled. +# dnstap-tls-server-name: "" +# # if "", it uses the cert bundle from the main Unbound config. +# dnstap-tls-cert-bundle: "" +# # key file for client authentication, or "" disabled. +# dnstap-tls-client-key-file: "" +# # cert file for client authentication, or "" disabled. +# dnstap-tls-client-cert-file: "" +# dnstap-send-identity: no +# dnstap-send-version: no +# # if "" it uses the hostname. +# dnstap-identity: "" +# # if "" it uses the package version. +# dnstap-version: "" +# dnstap-log-resolver-query-messages: no +# dnstap-log-resolver-response-messages: no +# dnstap-log-client-query-messages: no +# dnstap-log-client-response-messages: no +# dnstap-log-forwarder-query-messages: no +# dnstap-log-forwarder-response-messages: no + +# Response Policy Zones +# RPZ policies. Applied in order of configuration. QNAME, Response IP +# Address, nsdname, nsip and clientip triggers are supported. Supported +# actions are: NXDOMAIN, NODATA, PASSTHRU, DROP, Local Data, tcp-only +# and drop. Policies can be loaded from a file, or using zone +# transfer, or using HTTP. The respip module needs to be added +# to the module-config, e.g.: module-config: "respip validator iterator". +# rpz: +# name: "rpz.example.com" +# zonefile: "rpz.example.com" +# primary: 192.0.2.0 +# allow-notify: 192.0.2.0/32 +# url: http://www.example.com/rpz.example.org.zone +# rpz-action-override: cname +# rpz-cname-override: www.example.org +# rpz-log: yes +# rpz-log-name: "example policy" +# rpz-signal-nxdomain-ra: no +# for-downstream: no +# tags: "example"
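Review bot: In the new `rpz:` example the policy source is `url: http://www.example.com/rpz.example.org.zone`, i.e. a response-policy zone fetched over plain HTTP. This zone decides which names get blocked or rewritten, so a sample that administrators will copy should show an authenticated transport. Provided the build supports https URLs here, I would change the example to `url: https://www.example.com/rpz.example.org.zone` and note that a certificate bundle must be configured for verification. The line is commented out, so this concerns the documentation rather than shipped behaviour.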
_service:tar_scm:unbound.service
Changed
@@ -1,6 +1,6 @@ Unit Description=Unbound recursive Domain Name Server -After=network.target +After=network-online.target After=unbound-keygen.service Wants=unbound-keygen.service Wants=unbound-anchor.timer @@ -11,7 +11,7 @@ Type=simple EnvironmentFile=-/etc/sysconfig/unbound ExecStartPre=/usr/sbin/unbound-checkconf -ExecStartPre=-/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R +ExecStartPre=/bin/bash -c 'if ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ; then /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R; else echo "Updates of root keys with unbound-anchor is disabled"; fi' ExecStart=/usr/sbin/unbound -d $UNBOUND_OPTIONS ExecReload=/usr/sbin/unbound-control reload
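Review bot: `After=network-online.target` only orders the unit and does not pull the target in, and no `Wants=network-online.target` is visible among the `Wants=` lines of this hunk (the rest of the unit section lies outside it). Unless something else activates network-online.target, the new ordering has no effect and the resolver can still start before the network is configured. I would add `Wants=network-online.target` next to the changed `After=` line.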
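Review bot: The replacement `ExecStartPre=/bin/bash -c '…'` drops the `-` prefix that the removed line had (`ExecStartPre=-/usr/sbin/unbound-anchor …`), so a non-zero exit from unbound-anchor now fails the unit start instead of being ignored. As far as I recall from its manual, unbound-anchor exits 1 after it has refreshed the anchor from the certificate bundle, which would leave the resolver down after a routine update. Please verify this, and keep the tolerance with `ExecStartPre=-/bin/bash -c '…'` if so. The test is also displayed as `if ! "$DISABLE_UNBOUND_ANCHOR" == "yes" ; then` without `[ … ]`. The page shows the unit section header as a bare `Unit`, so the brackets were probably lost in rendering. Confirm they are present in the file, because without them the variable's value would be executed as a command.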