From c2ca679f5c6f0f9ddc65a4075e717f6e98bfc556 Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Thu, 3 Apr 2025 09:45:36 +0200 Subject: [PATCH] - Fix #1263: Exempt loopback addresses from wait-limit. --- doc/Changelog | 3 +++ doc/example.conf.in | 6 ++++++ doc/unbound.conf.5.in | 4 ++++ services/cache/infra.c | 31 +++++++++++++++++++++++++++++++ 4 files changed, 44 insertions(+) diff --git a/doc/Changelog b/doc/Changelog index 167a2ce42..80b6d2404 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,6 @@ +3 April 2025: Wouter + - Fix #1263: Exempt loopback addresses from wait-limit. + 2 April 2025: Yorgos - Merge #1262 from markyang92, fix build with 'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c. diff --git a/doc/example.conf.in b/doc/example.conf.in index de73d0044..7aa7bfa6c 100644 --- a/doc/example.conf.in +++ b/doc/example.conf.in @@ -215,6 +215,12 @@ server: # Apart from the default, the wait limit with cookie can be adjusted. # wait-limit-cookie-netblock: 192.0.2.0/24 50000 + # Defaults for loopback, it has no wait limit. + # wait-limit-netblock: 127.0.0.0/8 -1 + # wait-limit-netblock: ::1/128 -1 + # wait-limit-cookie-netblock: 127.0.0.0/8 -1 + # wait-limit-cookie-netblock: ::1/128 -1 + # the amount of memory to use for the RRset cache. # plain value in bytes or you can append k, m or G. default is "4Mb". # rrset-cache-size: 4m diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 2e8c87e40..1c0e26ce5 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in 
@@ -326,11 +326,15 @@ The wait limit for the netblock. If not given the wait\-limit value is used. The most specific netblock is used to determine the limit. Useful for overriding the default for a specific, group or individual, server. The value -1 disables wait limits for the netblock. +By default the loopback has a wait limit netblock of -1, it is not limited, +because it is separated from the rest of network for spoofed packets. +The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1. .TP .B wait\-limit\-cookie\-netblock: \fI The wait limit for the netblock, when the query has a DNS cookie. If not given, the wait\-limit\-cookie value is used. The value -1 disables wait limits for the netblock. +The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1. .TP .B so\-rcvbuf: \fI If not 0, then set the SO_RCVBUF socket option to get more buffer diff --git a/services/cache/infra.c b/services/cache/infra.c index 9c3e4de43..cf999422d 100644 --- a/services/cache/infra.c +++ b/services/cache/infra.c 
@@ -297,12 +297,43 @@ infra_wait_limit_netblock_insert(rbtree_type* wait_limits_netblock,
 return 1;
 }

+/** Add a default wait limit netblock */
+static int
+wait_limit_netblock_default(struct rbtree_type* tree, char* str, int limit)
+{
+ struct wait_limit_netblock_info* d;
+ d = wait_limit_netblock_findcreate(tree, str);
+ if(!d)
+ return 0;
+ d->limit = limit;
+ return 1;
+}
+
 int
 setup_wait_limits(rbtree_type* wait_limits_netblock,
 rbtree_type* wait_limits_cookie_netblock, struct config_file* cfg)
 {
 addr_tree_init(wait_limits_netblock);
 addr_tree_init(wait_limits_cookie_netblock);
+
+ /* Insert defaults */
+ /* The loopback address is separated from the rest of the network. */
+ /* wait-limit-netblock: 127.0.0.0/8 -1 */
+ if(!wait_limit_netblock_default(wait_limits_netblock, "127.0.0.0/8",
+ -1))
+ return 0;
+ /* wait-limit-netblock: ::1/128 -1 */
+ if(!wait_limit_netblock_default(wait_limits_netblock, "::1/128", -1))
+ return 0;
+ /* wait-limit-cookie-netblock: 127.0.0.0/8 -1 */
+ if(!wait_limit_netblock_default(wait_limits_cookie_netblock,
+ "127.0.0.0/8", -1))
+ return 0;
+ /* wait-limit-cookie-netblock: ::1/128 -1 */
+ if(!wait_limit_netblock_default(wait_limits_cookie_netblock,
+ "::1/128", -1))
+ return 0;
+
 if(!infra_wait_limit_netblock_insert(wait_limits_netblock,
 wait_limits_cookie_netblock, cfg))
 return 0;
-- 
2.47.3
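Review bot: The defaults are added before `infra_wait_limit_netblock_insert(wait_limits_netblock, wait_limits_cookie_netblock, cfg)` runs, yet neither the one-line doc on `wait_limit_netblock_default` nor the `/* Insert defaults */` comment says whether an operator's own `wait-limit-netblock: 127.0.0.0/8 N` wins; that only holds if `wait_limit_netblock_findcreate` (outside this hunk) returns the existing node for a repeated netblock rather than adding a second one, so please confirm and state it. I would replace the helper's comment with `/** Insert a built-in default for a netblock. Called before the config values are applied, so a configured entry for the same netblock must overwrite it; returns 0 on allocation failure. */`. The rationale comment `/* The loopback address is separated from the rest of the network. */` should also name the trust assumption, e.g. `/* Loopback is exempt because 127/8 and ::1 cannot be spoofed from the wire; a local forwarder that funnels remote clients over loopback loses the per-client limit unless it is configured explicitly. */`. As a style point, the new helper spells the tree parameter `struct rbtree_type* tree` while `setup_wait_limits` beside it uses `rbtree_type*`. `setup_wait_limits` continues past the end of the hunk.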