do not allow cache snooping by default.

git-svn-id: file:///svn/unbound/trunk@1220 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/daemon/acl_list.c b/daemon/acl_list.c
index ab28bb06676efacba2867a77751d542d3570d422..436dc59e314909f88c0e7ef4f2369a771d03806c 100644 (file)
--- a/daemon/acl_list.c
+++ b/daemon/acl_list.c
@@ -124,6 +124,8 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
                control = acl_deny;
        else if(strcmp(s2, "refuse") == 0)
                control = acl_refuse;
+       else if(strcmp(s2, "allow_snoop") == 0)
+               control = acl_allow_snoop;
        else {
                log_err("access control type %s unknown", str);
                return 0;

diff --git a/daemon/acl_list.h b/daemon/acl_list.h
index 704b5b2ac527bac1689de2e8d8a0b5f9576ae0fd..e6082ad7ea108791962ce2c1b6fed2a228f3be7c 100644 (file)
--- a/daemon/acl_list.h
+++ b/daemon/acl_list.h
@@ -55,8 +55,10 @@ enum acl_access {
        acl_deny = 0,
        /** disallow access, send a polite 'REFUSED' reply */
        acl_refuse,
-       /** allow full access */
-       acl_allow
+       /** allow full access for recursion (+RD) queries */
+       acl_allow,
+       /** allow full access for all queries, recursion and cache snooping */
+       acl_allow_snoop
 };
 
 /**

diff --git a/daemon/worker.c b/daemon/worker.c
index 910ca1eccdb2a998c95f24b1e3cdebd47565ff58..e90508bc3ebbfb2f65dd65c1220fef7c755482c6 100644 (file)
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -785,6 +785,19 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
                c->buffer, worker->scratchpad)) {
                return (ldns_buffer_limit(c->buffer) != 0);
        }
+       if(!(LDNS_RD_WIRE(ldns_buffer_begin(c->buffer))) &&
+               acl != acl_allow_snoop ) {
+               ldns_buffer_set_limit(c->buffer, LDNS_HEADER_SIZE);
+               ldns_buffer_write_at(c->buffer, 4, 
+                       (uint8_t*)"\0\0\0\0\0\0\0\0", 8);
+               LDNS_QR_SET(ldns_buffer_begin(c->buffer));
+               LDNS_RCODE_SET(ldns_buffer_begin(c->buffer), 
+                       LDNS_RCODE_REFUSED);
+               ldns_buffer_flip(c->buffer);
+               log_addr(VERB_ALGO, "refused nonrec (cache snoop) query from",
+                       &repinfo->addr, repinfo->addrlen);
+               return 1;
+       }
        h = query_info_hash(&qinfo);
        if((e=slabhash_lookup(worker->env.msg_cache, h, &qinfo, 0))) {
                /* answer from cache - we have acquired a readlock on it */

diff --git a/doc/Changelog b/doc/Changelog
index 6c550490a43099eca05aed3537a3845320e6fa51..874b19b598b82c22a7a3ca49729cc0afeb03fa11 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,9 @@
+1 September 2008: Wouter
+       - disallow nonrecursive queries for cache snooping by default.
+         You can allow is using access-control: <subnet> allow_snoop.
+         The defaults do allow access no authoritative data without RD bit.
+       - two tests for it and fixups of tests for nonrec refused.
+
 29 August 2008: Wouter
        - version 1.1 number in trunk.
        - harden-referral-path option for query for NS records.

diff --git a/doc/example.conf.in b/doc/example.conf.in
index d1d8f163f46440a0acf9d98ee33463b3ea0330f5..17b01e778be786cdd372f6d5c6d1de61f2c50ff2 100644 (file)
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -134,7 +134,8 @@ server:
        # control which clients are allowed to make (recursive) queries
        # to this server. Specify classless netblocks with /size and action.
        # By default everything is refused, except for localhost.
-       # Choose deny (drop message), refuse (polite error reply), allow.
+       # Choose deny (drop message), refuse (polite error reply),
+       # allow (recursive ok), allow_snoop (recursive and nonrecursive ok)
        # access-control: 0.0.0.0/0 refuse
        # access-control: 127.0.0.0/8 allow
        # access-control: ::0/0 refuse

diff --git a/doc/plan b/doc/plan
index 781fcbb803a8debac2615d29c4f35cb0923c172a..a8d3b679f175e628b2c8bd768aa73eb761f8ce9f 100644 (file)
--- a/doc/plan
+++ b/doc/plan
@@ -31,8 +31,6 @@ total 6 of 8 weeks; 2 weeks for maintenance activities.
   because of the added load to 3rd parties.
 * block nonRD queries, acl like.
        what about our authority features, those are allowed.
-       one option that controls on/off of all private space.
-       note in config/man that we may consider turning on by default.
 * DoS vector, flush more.
        50% of max is for run-to-completion
        50% rest is for lifo queue with 100 msec timeout.
@@ -41,6 +39,8 @@ if they have no signer or a different signed. Validate if you can,
 otherwise leave unchecked.
 * block DNS rebinding attacks, block all A records from 1918 IP blocks,
 like dnswall does.  Allow certain subdomains to do it, config options.
+       one option that controls on/off of all private space.
+       note in config/man that we may consider turning on by default.
 
 *** Remote control feature
 * remote control using a TCP unbound-control commandline app.  
@@ -64,6 +64,7 @@ like dnswall does.  Allow certain subdomains to do it, config options.
 *** Requested
 * fallback to noEDNS if all queries are dropped.
 * dnssec lameness fixen. Check to make sure.
+* negative caching to avoid DS queries, NSEC, NSEC3 (w params).
 * SHA256 supported fully.
 * Make stub to localhost on different port work.
 * IPv6 reverse, IP4 reverse local-data shorthand for PTR records (?).

diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index af627b37d93d4d6cde66bb4f0d535f79eaa9c760..11a3ec82d263c9db8ca1a0b4c2d2ed2f84526e84 100644 (file)
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -238,14 +238,36 @@ a daemon. Default is yes.
 .TP
 .B access\-control: \fI<IP netblock> <action>
 The netblock is given as an IP4 or IP6 address with /size appended for a 
-classless network block. The action can be deny, refuse or allow.
-Deny stops queries from hosts from that netblock.
-Refuse stops queries too, but sends a DNS rcode REFUSED error message back.
-Allow gives access to clients from that netblock.
-By default only localhost is allowed, the rest is refused.
-The default is refused, because that is protocol\-friendly. The DNS protocol
-is not designed to handle dropped packets due to policy, and dropping may 
-result in (possibly excessive) retried queries.
+classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, 
+\fIallow\fR or \fIallow_snoop\fR.
+.IP
+The action \fIdeny\fR stops queries from hosts from that netblock.
+.IP
+The action \fIrefuse\fR stops queries too, but sends a DNS rcode REFUSED 
+error message back.
+.IP
+The action \fIallow\fR gives access to clients from that netblock.  
+It gives only access for recursion clients (which is 
+what almost all clients need).  Nonrecursive queries are refused.
+.IP
+The \fIallow\fR action does allow nonrecursive queries to access the 
+local\-data that is configured.  The reason is that this does not involve
+the unbound server recursive lookup algorithm, and static data is served 
+in the reply.  This supports normal operations where nonrecursive queries 
+are made for the authoritative data.  For nonrecursive queries any replies 
+from the dynamic cache are refused.
+.IP
+The action \fIallow_snoop\fR gives nonrecursive access too.  This give 
+both recursive and non recursive access.  The name \fIallow_snoop\fR refers 
+to cache snooping, a technique to use nonrecursive queries to examine
+the cache contents (for malicious acts).  However, nonrecursive queries can 
+also be a valuable debugging tool (when you want to examine the cache 
+contents). In that case use \fIallow_snoop\fR for your administration host.
+.IP
+By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd.
+The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS 
+protocol is not designed to handle dropped packets due to policy, and 
+dropping may result in (possibly excessive) retried queries.
 .TP
 .B chroot: \fI<directory>
 If chroot is enabled, you should pass the configfile (from the

diff --git a/testcode/fake_event.c b/testcode/fake_event.c
index 06f62a724c4591a177dd5d62864c69b1191eb0cf..70471c9287ba707430179e8fd00edf5017da1526 100644 (file)
--- a/testcode/fake_event.c
+++ b/testcode/fake_event.c
@@ -381,11 +381,13 @@ fake_pending_callback(struct replay_runtime* runtime,
        struct fake_pending* p = runtime->pending_list;
        struct comm_reply repinfo;
        struct comm_point c;
-       void* cb_arg = p->cb_arg;
-       comm_point_callback_t* cb = p->callback;
+       void* cb_arg;
+       comm_point_callback_t* cb;
 
        memset(&c, 0, sizeof(c));
        if(!p) fatal_exit("No pending queries.");
+       cb_arg = p->cb_arg;
+       cb = p->callback;
        log_assert(todo->qname == NULL); /* or find that one */
        c.buffer = ldns_buffer_new(runtime->bufsize);
        c.type = comm_udp;

diff --git a/testdata/fwd.rpl b/testdata/fwd.rpl
index ab843bb33b65849fb70978668cfc2c37ef3a89e2..53b6f9ad1ec053754f27836b90588d451e63f521 100644 (file)
--- a/testdata/fwd.rpl
+++ b/testdata/fwd.rpl
@@ -24,6 +24,7 @@ RANGE_END
 
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END

diff --git a/testdata/fwd_error.rpl b/testdata/fwd_error.rpl
index 73648c57c4bd971f19a2afc639e88074a212fa37..6f5d25a201d9ef16993df9f11753b4701e654bb0 100644 (file)
--- a/testdata/fwd_error.rpl
+++ b/testdata/fwd_error.rpl
@@ -4,6 +4,7 @@ CONFIG_END
 SCENARIO_BEGIN Forwarder and an error happens on server query.
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode qname qtype
 SECTION QUESTION
-REPLY SERVFAIL QR RA
+REPLY SERVFAIL QR RD RA
 MATCH all
 www.example.com. IN A
 ENTRY_END

diff --git a/testdata/fwd_notcached.rpl b/testdata/fwd_notcached.rpl
index c731299ee735d983c8092c4a9194b5a6daf8ad66..d937bb2df527d252c530cc2bae507f1c539c3550 100644 (file)
--- a/testdata/fwd_notcached.rpl
+++ b/testdata/fwd_notcached.rpl
@@ -14,6 +14,7 @@ SCENARIO_BEGIN Query receives answer not from the cache
 
 STEP 1 QUERY
 ENTRY_BEGIN
+       REPLY RD
        SECTION QUESTION
        www.example.com. IN A
 ENTRY_END
@@ -50,6 +51,7 @@ ENTRY_END
 ; another query, different, so not from cache.
 STEP 5 QUERY
 ENTRY_BEGIN
+       REPLY RD
        SECTION QUESTION
        www.example.net. IN A
 ENTRY_END

diff --git a/testdata/fwd_timeout.rpl b/testdata/fwd_timeout.rpl
index c132eb3e62739b9f049fbc7cdeae2056ec5a447b..c42c0caf9b30067bc14b2774bd6a556ca719dbd0 100644 (file)
--- a/testdata/fwd_timeout.rpl
+++ b/testdata/fwd_timeout.rpl
@@ -4,6 +4,7 @@ CONFIG_END
 SCENARIO_BEGIN Forwarder and a timeout happens on server query.
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -18,7 +19,7 @@ STEP 14 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH opcode qname qtype
 SECTION QUESTION
-REPLY SERVFAIL QR RA
+REPLY SERVFAIL QR RA RD
 MATCH all
 www.example.com. IN A
 ENTRY_END

diff --git a/testdata/fwd_two.rpl b/testdata/fwd_two.rpl
index 96ee6e4c0e80f51a1e091a62835c512ea4d55482..5243e331fa4dfa0442ddb58f7eeb90596eb5c1bd 100644 (file)
--- a/testdata/fwd_two.rpl
+++ b/testdata/fwd_two.rpl
@@ -26,6 +26,7 @@ RANGE_END
 
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.com. IN A
 ENTRY_END
@@ -43,6 +44,7 @@ STEP 3 NOTHING
 ; another query
 STEP 4 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 www.example.net. IN A
 ENTRY_END

diff --git a/testdata/local_norec.tpkg b/testdata/local_norec.tpkg
new file mode 100644 (file)
index 0000000..383b7d0
Binary files /dev/null and b/testdata/local_norec.tpkg differ

diff --git a/testdata/local_nosnoop.tpkg b/testdata/local_nosnoop.tpkg
new file mode 100644 (file)
index 0000000..2f07f49
Binary files /dev/null and b/testdata/local_nosnoop.tpkg differ

diff --git a/testdata/val_refer_unsignadd.rpl b/testdata/val_refer_unsignadd.rpl
index 43949681dab8e6c7a707c7ef779a459de415f709..8d174a2d6afc93b5c8129ea1c2bbc927c839b4dc 100644 (file)
--- a/testdata/val_refer_unsignadd.rpl
+++ b/testdata/val_refer_unsignadd.rpl
@@ -4,6 +4,7 @@ server:
        trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
        trust-anchor: "example.net.    3600    IN      DNSKEY  256 3 5 AQPQ41chR9DEHt/aIzIFAqanbDlRflJoRs5yz1jFsoRIT7dWf0r+PeDuewdxkszNH6wnU4QL8pfKFRh5PIYVBLK3 ;{id = 30899 (zsk), size = 512b}"
        val-override-date: "20070916134226"
+       access-control: 127.0.0.1 allow_snoop
 
 stub-zone:
        name: "."

diff --git a/testdata/val_referd.rpl b/testdata/val_referd.rpl
index 614775b14bb3092f88934cd41c022106c758fe7c..26cef9995c11c28bb18d99bb40422ab9e279d512 100644 (file)
--- a/testdata/val_referd.rpl
+++ b/testdata/val_referd.rpl
@@ -4,6 +4,7 @@ server:
        trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
        val-override-date: "20070916134226"
        harden-referral-path: yes
+       access-control: 127.0.0.1 allow_snoop
 
 stub-zone:
        name: "."

diff --git a/testdata/val_referglue.rpl b/testdata/val_referglue.rpl
index 0834f62ebda92c9806f3668b3814d170d6cb3190..c067eae7289e86e4aba3031c6fd0f5585acabfe3 100644 (file)
--- a/testdata/val_referglue.rpl
+++ b/testdata/val_referglue.rpl
@@ -4,6 +4,7 @@ server:
        trust-anchor: "example.com.    3600    IN      DS      2854 3 1 46e4ffc6e9a4793b488954bd3f0cc6af0dfb201b"
        val-override-date: "20070916134226"
        directory: ""
+       access-control: 127.0.0.1 allow_snoop
 
 stub-zone:
        name: "."

diff --git a/testdata/version_bind_hide.rpl b/testdata/version_bind_hide.rpl
index 08ba86a925c644c4da2ab814b8bd8fa3764c0fc4..02376461fa15fae4386312191b16b7fdaf1f5b03 100644 (file)
--- a/testdata/version_bind_hide.rpl
+++ b/testdata/version_bind_hide.rpl
@@ -11,13 +11,14 @@ SCENARIO_BEGIN Test config hide options for identity and version queries
 ; version.bind.
 STEP 1 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 version.bind. CH TXT
 ENTRY_END
 STEP 2 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 version.bind. CH TXT
 ENTRY_END
@@ -25,13 +26,14 @@ ENTRY_END
 ; version.server.
 STEP 3 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 version.server. CH TXT
 ENTRY_END
 STEP 4 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 version.server. CH TXT
 ENTRY_END
@@ -39,13 +41,14 @@ ENTRY_END
 ; hostname.bind.
 STEP 5 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 hostname.bind. CH TXT
 ENTRY_END
 STEP 6 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 hostname.bind. CH TXT
 ENTRY_END
@@ -53,13 +56,14 @@ ENTRY_END
 ; id.server.
 STEP 7 QUERY
 ENTRY_BEGIN
+REPLY RD
 SECTION QUESTION
 id.server. CH TXT
 ENTRY_END
 STEP 8 CHECK_ANSWER
 ENTRY_BEGIN
 MATCH all
-REPLY QR RA REFUSED
+REPLY QR RD RA REFUSED
 SECTION QUESTION
 id.server. CH TXT
 ENTRY_END

diff --git a/util/configparser.c b/util/configparser.c
index f98957cf6a3505e7f2508804e375703bf5a5262e..1acb876ea29c5b0aca9e6ae88b3543bfb18e4e95 100644 (file)
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -666,9 +666,9 @@ static const yytype_uint16 yyrline[] =
      374,   381,   389,   396,   403,   410,   417,   425,   433,   440,
      449,   458,   465,   472,   483,   491,   504,   513,   521,   534,
      543,   552,   561,   570,   583,   590,   600,   610,   620,   630,
-     640,   650,   657,   667,   680,   687,   705,   714,   723,   733,
-     743,   750,   758,   771,   779,   798,   805,   812,   819,   826,
-     833,   840
+     640,   650,   657,   667,   681,   688,   706,   715,   724,   734,
+     744,   751,   759,   772,   780,   799,   806,   813,   820,   827,
+     834,   841
 };
 #endif
 
@@ -2420,9 +2420,10 @@ yyreduce:
     {
                OUTYY(("P(server_access_control:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
                if(strcmp((yyvsp[(3) - (3)].str), "deny")!=0 && strcmp((yyvsp[(3) - (3)].str), "refuse")!=0 &&
-                       strcmp((yyvsp[(3) - (3)].str), "allow")!=0) {
-                       yyerror("expected deny, refuse or allow in "
-                               "access control action");
+                       strcmp((yyvsp[(3) - (3)].str), "allow")!=0 && 
+                       strcmp((yyvsp[(3) - (3)].str), "allow_snoop")!=0) {
+                       yyerror("expected deny, refuse, allow or allow_snoop "
+                               "in access control action");
                } else {
                        if(!cfg_str2list_insert(&cfg_parser->cfg->acls, (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)))
                                fatal_exit("out of memory adding acl");
@@ -2431,7 +2432,7 @@ yyreduce:
     break;
 
   case 144:
-#line 681 "util/configparser.y"
+#line 682 "util/configparser.y"
     {
                OUTYY(("P(server_module_conf:%s)\n", (yyvsp[(2) - (2)].str)));
                free(cfg_parser->cfg->module_conf);
@@ -2440,7 +2441,7 @@ yyreduce:
     break;
 
   case 145:
-#line 688 "util/configparser.y"
+#line 689 "util/configparser.y"
     {
                OUTYY(("P(server_val_override_date:%s)\n", (yyvsp[(2) - (2)].str)));
                if(strlen((yyvsp[(2) - (2)].str)) == 0 || strcmp((yyvsp[(2) - (2)].str), "0") == 0) {
@@ -2460,7 +2461,7 @@ yyreduce:
     break;
 
   case 146:
-#line 706 "util/configparser.y"
+#line 707 "util/configparser.y"
     {
                OUTYY(("P(server_cache_max_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
                if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
@@ -2471,7 +2472,7 @@ yyreduce:
     break;
 
   case 147:
-#line 715 "util/configparser.y"
+#line 716 "util/configparser.y"
     {
                OUTYY(("P(server_bogus_ttl:%s)\n", (yyvsp[(2) - (2)].str)));
                if(atoi((yyvsp[(2) - (2)].str)) == 0 && strcmp((yyvsp[(2) - (2)].str), "0") != 0)
@@ -2482,7 +2483,7 @@ yyreduce:
     break;
 
   case 148:
-#line 724 "util/configparser.y"
+#line 725 "util/configparser.y"
     {
                OUTYY(("P(server_val_clean_additional:%s)\n", (yyvsp[(2) - (2)].str)));
                if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
@@ -2494,7 +2495,7 @@ yyreduce:
     break;
 
   case 149:
-#line 734 "util/configparser.y"
+#line 735 "util/configparser.y"
     {
                OUTYY(("P(server_val_permissive_mode:%s)\n", (yyvsp[(2) - (2)].str)));
                if(strcmp((yyvsp[(2) - (2)].str), "yes") != 0 && strcmp((yyvsp[(2) - (2)].str), "no") != 0)
@@ -2506,7 +2507,7 @@ yyreduce:
     break;
 
   case 150:
-#line 744 "util/configparser.y"
+#line 745 "util/configparser.y"
     {
                OUTYY(("P(server_val_nsec3_keysize_iterations:%s)\n", (yyvsp[(2) - (2)].str)));
                free(cfg_parser->cfg->val_nsec3_key_iterations);
@@ -2515,7 +2516,7 @@ yyreduce:
     break;
 
   case 151:
-#line 751 "util/configparser.y"
+#line 752 "util/configparser.y"
     {
                OUTYY(("P(server_key_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->key_cache_size))
@@ -2525,7 +2526,7 @@ yyreduce:
     break;
 
   case 152:
-#line 759 "util/configparser.y"
+#line 760 "util/configparser.y"
     {
                OUTYY(("P(server_key_cache_slabs:%s)\n", (yyvsp[(2) - (2)].str)));
                if(atoi((yyvsp[(2) - (2)].str)) == 0)
@@ -2540,7 +2541,7 @@ yyreduce:
     break;
 
   case 153:
-#line 772 "util/configparser.y"
+#line 773 "util/configparser.y"
     {
                OUTYY(("P(server_neg_cache_size:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_parse_memsize((yyvsp[(2) - (2)].str), &cfg_parser->cfg->neg_cache_size))
@@ -2550,7 +2551,7 @@ yyreduce:
     break;
 
   case 154:
-#line 780 "util/configparser.y"
+#line 781 "util/configparser.y"
     {
                OUTYY(("P(server_local_zone:%s %s)\n", (yyvsp[(2) - (3)].str), (yyvsp[(3) - (3)].str)));
                if(strcmp((yyvsp[(3) - (3)].str), "static")!=0 && strcmp((yyvsp[(3) - (3)].str), "deny")!=0 &&
@@ -2571,7 +2572,7 @@ yyreduce:
     break;
 
   case 155:
-#line 799 "util/configparser.y"
+#line 800 "util/configparser.y"
     {
                OUTYY(("P(server_local_data:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_strlist_insert(&cfg_parser->cfg->local_data, (yyvsp[(2) - (2)].str)))
@@ -2580,7 +2581,7 @@ yyreduce:
     break;
 
   case 156:
-#line 806 "util/configparser.y"
+#line 807 "util/configparser.y"
     {
                OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
                free(cfg_parser->cfg->stubs->name);
@@ -2589,7 +2590,7 @@ yyreduce:
     break;
 
   case 157:
-#line 813 "util/configparser.y"
+#line 814 "util/configparser.y"
     {
                OUTYY(("P(stub-host:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->hosts, (yyvsp[(2) - (2)].str)))
@@ -2598,7 +2599,7 @@ yyreduce:
     break;
 
   case 158:
-#line 820 "util/configparser.y"
+#line 821 "util/configparser.y"
     {
                OUTYY(("P(stub-addr:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_strlist_insert(&cfg_parser->cfg->stubs->addrs, (yyvsp[(2) - (2)].str)))
@@ -2607,7 +2608,7 @@ yyreduce:
     break;
 
   case 159:
-#line 827 "util/configparser.y"
+#line 828 "util/configparser.y"
     {
                OUTYY(("P(name:%s)\n", (yyvsp[(2) - (2)].str)));
                free(cfg_parser->cfg->forwards->name);
@@ -2616,7 +2617,7 @@ yyreduce:
     break;
 
   case 160:
-#line 834 "util/configparser.y"
+#line 835 "util/configparser.y"
     {
                OUTYY(("P(forward-host:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->hosts, (yyvsp[(2) - (2)].str)))
@@ -2625,7 +2626,7 @@ yyreduce:
     break;
 
   case 161:
-#line 841 "util/configparser.y"
+#line 842 "util/configparser.y"
     {
                OUTYY(("P(forward-addr:%s)\n", (yyvsp[(2) - (2)].str)));
                if(!cfg_strlist_insert(&cfg_parser->cfg->forwards->addrs, (yyvsp[(2) - (2)].str)))
@@ -2635,7 +2636,7 @@ yyreduce:
 
 
 /* Line 1267 of yacc.c.  */
-#line 2639 "util/configparser.c"
+#line 2640 "util/configparser.c"
       default: break;
     }
   YY_SYMBOL_PRINT ("-> $$ =", yyr1[yyn], &yyval, &yyloc);
@@ -2849,7 +2850,7 @@ yyreturn:
 }
 
 
-#line 847 "util/configparser.y"
+#line 848 "util/configparser.y"
 
 
 /* parse helper routines could be here */

diff --git a/util/configparser.y b/util/configparser.y
index 785652676dd848ac55492cfef034f82d61025ee7..2d597fbeca6d2531dd9bf396a82a512f351f0df2 100644 (file)
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -668,9 +668,10 @@ server_access_control: VAR_ACCESS_CONTROL STRING STRING
        {
                OUTYY(("P(server_access_control:%s %s)\n", $2, $3));
                if(strcmp($3, "deny")!=0 && strcmp($3, "refuse")!=0 &&
-                       strcmp($3, "allow")!=0) {
-                       yyerror("expected deny, refuse or allow in "
-                               "access control action");
+                       strcmp($3, "allow")!=0 && 
+                       strcmp($3, "allow_snoop")!=0) {
+                       yyerror("expected deny, refuse, allow or allow_snoop "
+                               "in access control action");
                } else {
                        if(!cfg_str2list_insert(&cfg_parser->cfg->acls, $2, $3))
                                fatal_exit("out of memory adding acl");