- Fix #259: Fix unbound-checkconf does not check view existence.
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 7 Jul 2020 07:00:04 +0000 (09:00 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Tue, 7 Jul 2020 07:00:04 +0000 (09:00 +0200)
  unbound-checkconf now also validates access-control-view, access-control-tags,
  access-control-tag-actions and access-control-tag-datas entries.
- Fix offset of error printout for access-control-tag-datas.

daemon/acl_list.c
doc/Changelog
smallapp/unbound-checkconf.c

index c16a920d99ee648c4438b63363fb7d98f18bc39b..84324575e7189ecc283c3b8ea05f4d9ad670424c 100644 (file)
@@ -273,7 +273,7 @@ check_data(const char* data, const struct config_strlist* head)
        if(res == 0)
                return 1;
        log_err("rr data [char %d] parse error %s",
-               (int)LDNS_WIREPARSE_OFFSET(res)-13,
+               (int)LDNS_WIREPARSE_OFFSET(res)-2,
                sldns_get_errorstr_parse(res));
        return 0;
 }
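Review bot: The new `-2` in the log_err call is a bare magic number; it presumably offsets the parse position by the length of an owner-name prefix that check_data prepends before calling the parser, but that prefix is outside this hunk, which is exactly how the previous `-13` went stale. A short comment on that line, such as `/* offset is relative to the ". " prefix prepended above; subtract it */`, or computing the adjustment from the prefix string itself with `strlen()`, would keep the two from drifting apart again. If the parser fails inside the prefix, the printed char index goes negative; clamping it at 0 before printing would be cheap. check_data's body starts outside the hunk.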
index 58f0493bdf3b154daebe56ea9b9acd112c1cdf24..93d69d94513cc8f6821755f1cd1b3c0281fed085 100644 (file)
@@ -1,3 +1,9 @@
+7 July 2020: Wouter
+       - Fix #259: Fix unbound-checkconf does not check view existence.
+         unbound-checkconf checks access-control-view, access-control-tags,
+         access-control-tag-actions and access-control-tag-datas.
+       - Fix offset of error printout for access-control-tag-datas.
+
 6 July 2020: Wouter
        - run_vm cleanup better and removes trailing slash on single argument.
 
index 54a0ab78c8f736e908cd657121a2bf0bf656fadb..409d29fea4de4c412da772c246810c4d08d8e993 100644 (file)
@@ -58,6 +58,7 @@
 #include "services/authzone.h"
 #include "respip/respip.h"
 #include "sldns/sbuffer.h"
+#include "sldns/str2wire.h"
 #ifdef HAVE_GETOPT_H
 #include <getopt.h>
 #endif
@@ -194,6 +195,94 @@ localzonechecks(struct config_file* cfg)
        local_zones_delete(zs);
 }
 
+/** checks for acl and views */
+static void
+acl_view_checks(struct config_file* cfg, struct views* views)
+{
+       int d;
+       struct sockaddr_storage a;
+       socklen_t alen;
+       struct config_str2list* acl;
+       struct config_str3list* s3;
+       struct config_strbytelist* sb;
+       struct view* v;
+
+       /* acl_view */
+       for(acl=cfg->acl_view; acl; acl = acl->next) {
+               if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
+                       &d)) {
+                       fatal_exit("cannot parse access-control-view "
+                               "address %s %s", acl->str, acl->str2);
+               }
+               v = views_find_view(views, acl->str2, 0);
+               if(!v) {
+                       fatal_exit("cannot find view for "
+                               "access-control-view: %s %s",
+                               acl->str, acl->str2);
+               }
+               lock_rw_unlock(&v->lock);
+       }
+
+       /* acl_tags */
+       for(sb=cfg->acl_tags; sb; sb = sb->next) {
+               if(!netblockstrtoaddr(sb->str, UNBOUND_DNS_PORT, &a, &alen,
+                       &d)) {
+                       fatal_exit("cannot parse access-control-tags "
+                               "address %s", sb->str);
+               }
+       }
+
+       /* acl_tag_actions */
+       for(s3=cfg->acl_tag_actions; s3; s3 = s3->next) {
+               enum localzone_type t;
+               if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
+                       &d)) {
+                       fatal_exit("cannot parse access-control-tag-actions "
+                               "address %s %s %s",
+                               s3->str, s3->str2, s3->str3);
+               }
+               if(find_tag_id(cfg, s3->str2) == -1) {
+                       fatal_exit("cannot parse tag %s (define-tag it), "
+                               "for access-control-tag-actions: %s %s %s",
+                               s3->str2, s3->str, s3->str2, s3->str3);
+               }
+               if(!local_zone_str2type(s3->str3, &t)) {
+                       fatal_exit("cannot parse access control action type %s"
+                               " for access-control-tag-actions: %s %s %s",
+                               s3->str3, s3->str, s3->str2, s3->str3);
+               }
+       }
+
+       /* acl_tag_datas */
+       for(s3=cfg->acl_tag_datas; s3; s3 = s3->next) {
+               char buf[65536];
+               uint8_t rr[LDNS_RR_BUF_SIZE];
+               size_t len = sizeof(rr);
+               int res;
+               if(!netblockstrtoaddr(s3->str, UNBOUND_DNS_PORT, &a, &alen,
+                       &d)) {
+                       fatal_exit("cannot parse access-control-tag-datas address %s %s '%s'",
+                               s3->str, s3->str2, s3->str3);
+               }
+               if(find_tag_id(cfg, s3->str2) == -1) {
+                       fatal_exit("cannot parse tag %s (define-tag it), "
+                               "for access-control-tag-datas: %s %s '%s'",
+                               s3->str2, s3->str, s3->str2, s3->str3);
+               }
+               /* '.' is sufficient for validation, and it makes the call to
+                * sldns_wirerr_get_type() simpler below. */
+               snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3);
+               res = sldns_str2wire_rr_buf(buf, rr, &len, NULL, 3600, NULL,
+                       0, NULL, 0);
+               if(res != 0) {
+                       fatal_exit("cannot parse rr data [char %d] parse error %s, for access-control-tag-datas: %s %s '%s'",
+                               (int)LDNS_WIREPARSE_OFFSET(res)-2,
+                               sldns_get_errorstr_parse(res),
+                               s3->str, s3->str2, s3->str3);
+               }
+       }
+}
+
 /** check view and response-ip configuration */
 static void
 view_and_respipchecks(struct config_file* cfg)
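Review bot: The snprintf into `buf` in the access-control-tag-datas loop is not checked for truncation, so a data string longer than the buffer is silently cut at the buffer boundary and the truncated text is what gets validated, meaning checkconf could accept or reject something other than what the daemon will later parse. Capture the return value and bail out: `int n = snprintf(buf, sizeof(buf), "%s %s", ".", s3->str3);` followed by `if(n < 0 || (size_t)n >= sizeof(buf)) fatal_exit("access-control-tag-datas too long: %s %s '%s'", s3->str, s3->str2, s3->str3);`. Separately, the comment above that call says the `.` owner "makes the call to sldns_wirerr_get_type() simpler below", but no such call follows in this function, so either a record-type check was left out here or the comment is stale and its second clause should be dropped. Also worth a one-line comment is that `buf` and `rr` together put roughly 128 KiB on the stack inside the loop body, which is acceptable for a command-line checker but would surprise anyone lifting this code into the daemon.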
@@ -211,6 +300,7 @@ view_and_respipchecks(struct config_file* cfg)
                fatal_exit("Could not setup respip set");
        if(!respip_views_apply_cfg(views, cfg, &ignored))
                fatal_exit("Could not setup per-view respip sets");
+       acl_view_checks(cfg, views);
        views_delete(views);
        respip_set_delete(respip);
 }