dnsdist: Convert capabilities configuration
authorRemi Gacogne <remi.gacogne@powerdns.com>
Tue, 28 May 2024 14:59:27 +0000 (16:59 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 15 Jul 2024 09:39:34 +0000 (11:39 +0200)
pdns/dnsdistdist/dnsdist-configuration.hh
pdns/dnsdistdist/dnsdist-lua.cc
pdns/dnsdistdist/dnsdist.cc
pdns/dnsdistdist/dnsdist.hh

index 01c3dd4b37aacb0522fb0a9490c5910abb0be46d..7f36034d765208d3ef2293bd7039ca7a34b817af 100644 (file)
@@ -145,6 +145,7 @@ static_assert(s_defaultPayloadSizeSelfGenAnswers < s_udpIncomingBufferSize, "The
 
 struct Configuration
 {
+  std::set<std::string> d_capabilitiesToRetain;
   std::string d_consoleKey;
 #ifdef __linux__
   // On Linux this gives us 128k pending queries (default is 8192 queries),
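Review bot: The new `d_capabilitiesToRetain` member at the top of `Configuration` carries no comment, although its contents decide which capabilities survive the privilege drop. A short comment such as `// names of the capabilities (e.g. "CAP_NET_RAW") kept when privileges are dropped; part of the immutable configuration` would tell a reader why it can only be filled through `updateImmutableConfiguration`. The struct continues past the end of this hunk.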
index cb7fcf9e5af3dac86ee2488d8235d30654113a84..667db8d9a8eec78843990fa449258fe5f1d35700 100644 (file)
@@ -443,7 +443,9 @@ static void handleNewServerSourceParameter(boost::optional<newserver_t>& vars, D
         }
 #ifdef SO_BINDTODEVICE
         /* we need to retain CAP_NET_RAW to be able to set SO_BINDTODEVICE in the health checks */
-        g_capabilitiesToRetain.insert("CAP_NET_RAW");
+        dnsdist::configuration::updateImmutableConfiguration([](dnsdist::configuration::Configuration& config) {
+          config.d_capabilitiesToRetain.insert("CAP_NET_RAW");
+        });
 #endif
       }
       else {
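Review bot: The `updateImmutableConfiguration` call under `SO_BINDTODEVICE` is unguarded, while the same call in the `addCapabilitiesToRetain` hunk later in this file is wrapped in a `try`/`catch` that reports it cannot be used at runtime. If the update throws once the configuration is frozen (inferred from that handler, not visible here), adding a server with a source interface at runtime would now fail with an exception, where the old `g_capabilitiesToRetain.insert` presumably just had no effect. Catching the exception here and logging a warning would keep the server usable and tell the operator that `CAP_NET_RAW` was not retained, so interface-bound health checks may not work. The enclosing function starts and ends outside this hunk.

```cpp
        try {
          // … unchanged: updateImmutableConfiguration call inserting "CAP_NET_RAW" …
        }
        catch (const std::exception& exp) {
          warnlog("Unable to retain CAP_NET_RAW for a server added at runtime: %s", exp.what());
        }
```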
@@ -3297,17 +3299,22 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
 #endif /* HAVE_LIBSSL && HAVE_OCSP_BASIC_SIGN && !DISABLE_OCSP_STAPLING */
 
   luaCtx.writeFunction("addCapabilitiesToRetain", [](LuaTypeOrArrayOf<std::string> caps) {
-    if (!checkConfigurationTime("addCapabilitiesToRetain")) {
-      return;
-    }
-    setLuaSideEffect();
-    if (caps.type() == typeid(std::string)) {
-      g_capabilitiesToRetain.insert(boost::get<std::string>(caps));
+    try {
+      dnsdist::configuration::updateImmutableConfiguration([&caps](dnsdist::configuration::Configuration& config) {
+        if (caps.type() == typeid(std::string)) {
+          config.d_capabilitiesToRetain.insert(boost::get<std::string>(caps));
+        }
+        else if (caps.type() == typeid(LuaArray<std::string>)) {
+          for (const auto& cap : boost::get<LuaArray<std::string>>(caps)) {
+            config.d_capabilitiesToRetain.insert(cap.second);
+          }
+        }
+      });
+      setLuaSideEffect();
     }
-    else if (caps.type() == typeid(LuaArray<std::string>)) {
-      for (const auto& cap : boost::get<LuaArray<std::string>>(caps)) {
-        g_capabilitiesToRetain.insert(cap.second);
-      }
+    catch (const std::exception& exp) {
+      g_outputBuffer = "addCapabilitiesToRetain cannot be used at runtime!\n";
+      errlog("addCapabilitiesToRetain cannot be used at runtime!");
     }
   });
 
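Review bot: The `catch (const std::exception& exp)` handler reports every failure as "cannot be used at runtime" and never uses `exp`. An unrelated exception thrown inside the lambda (for example from `boost::get` or an allocation) would therefore be misreported and its cause lost. Appending the exception text keeps the diagnosis accurate, e.g. `errlog("addCapabilitiesToRetain cannot be used at runtime: %s", exp.what());`, with the same detail added to `g_outputBuffer`. Because this call widens the set of capabilities kept after the privilege drop, logging the names that were accepted would also make a configuration easier to audit.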
index df237bfe64fe5bdebdc8cfbe9adcfdb88add89ed..1ef3c00320538033f3e58ab916bfc7beb51273e8 100644 (file)
@@ -137,8 +137,6 @@ Rings g_rings;
 
 GlobalStateHolder<servers_t> g_dstates;
 
-std::set<std::string> g_capabilitiesToRetain;
-
 // we are not willing to receive a bigger UDP response than that, no matter what
 static constexpr size_t s_maxUDPResponsePacketSize{4096U};
 static size_t const s_initialUDPPacketBufferSize = s_maxUDPResponsePacketSize + DNSCRYPT_MAX_RESPONSE_PADDING_AND_MAC_SIZE;
@@ -3102,7 +3100,7 @@ static void dropPrivileges()
   }
 
   bool retainedCapabilities = true;
-  if (!g_capabilitiesToRetain.empty() && (getegid() != newgid || geteuid() != newuid)) {
+  if (!dnsdist::configuration::getImmutableConfiguration().d_capabilitiesToRetain.empty() && (getegid() != newgid || geteuid() != newuid)) {
     retainedCapabilities = keepCapabilitiesAfterSwitchingIDs();
   }
 
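Review bot: `dropPrivileges` now spells out `dnsdist::configuration::getImmutableConfiguration().d_capabilitiesToRetain` twice, once in the `keepCapabilitiesAfterSwitchingIDs` condition here and again in the `dropCapabilities` call in the next hunk. This makes both lines long and repeats the lookup. Binding it once, `const auto& capabilitiesToRetain = dnsdist::configuration::getImmutableConfiguration().d_capabilitiesToRetain;`, and using that name in both places would read better and make it obvious that both decisions use the same set. The function body starts and ends outside both hunks.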
@@ -3133,7 +3131,7 @@ static void dropPrivileges()
        or as an unprivileged user with ambient
        capabilities like CAP_NET_BIND_SERVICE.
     */
-    dropCapabilities(g_capabilitiesToRetain);
+    dropCapabilities(dnsdist::configuration::getImmutableConfiguration().d_capabilitiesToRetain);
   }
   catch (const std::exception& e) {
     warnlog("%s", e.what());
index 398a5700014e616784c3af1a7d83de43bc14fffb..6fdd47394e09b1d5fec94b125cad799e179c6e19 100644 (file)
@@ -1057,8 +1057,6 @@ extern std::vector<std::shared_ptr<DNSCryptContext>> g_dnsCryptLocals;
 bool handleDNSCryptQuery(PacketBuffer& packet, DNSCryptQuery& query, bool tcp, time_t now, PacketBuffer& response);
 bool checkDNSCryptQuery(const ClientState& clientState, PacketBuffer& query, std::unique_ptr<DNSCryptQuery>& dnsCryptQuery, time_t now, bool tcp);
 
-extern std::set<std::string> g_capabilitiesToRetain;
-
 enum class ProcessQueryResult : uint8_t
 {
   Drop,