+3 April 2025: Wouter
+ - Fix #1263: Exempt loopback addresses from wait-limit.
+
2 April 2025: Yorgos
- Merge #1262 from markyang92, fix build with
'gcc-15 -Wbuiltin-declaration-mismatch' error in compat/malloc.c.
# Apart from the default, the wait limit with cookie can be adjusted.
# wait-limit-cookie-netblock: 192.0.2.0/24 50000
+ # Defaults for loopback, it has no wait limit.
+ # wait-limit-netblock: 127.0.0.0/8 -1
+ # wait-limit-netblock: ::1/128 -1
+ # wait-limit-cookie-netblock: 127.0.0.0/8 -1
+ # wait-limit-cookie-netblock: ::1/128 -1
+
# the amount of memory to use for the RRset cache.
# plain value in bytes or you can append k, m or G. default is "4Mb".
# rrset-cache-size: 4m
used. The most specific netblock is used to determine the limit. Useful for
overriding the default for a specific, group or individual, server.
The value -1 disables wait limits for the netblock.
+By default the loopback has a wait limit netblock of -1, it is not limited,
+because it is separated from the rest of network for spoofed packets.
+The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
.TP
.B wait\-limit\-cookie\-netblock: \fI<netblock> <number>
The wait limit for the netblock, when the query has a DNS cookie.
If not given, the wait\-limit\-cookie value is used.
The value -1 disables wait limits for the netblock.
+The loopback addresses 127.0.0.0/8 and ::1/128 are default at -1.
.TP
.B so\-rcvbuf: \fI<number>
If not 0, then set the SO_RCVBUF socket option to get more buffer
return 1;
}
+/** Add a default wait limit netblock */
+static int
+wait_limit_netblock_default(struct rbtree_type* tree, char* str, int limit)
+{
+ struct wait_limit_netblock_info* d;
+ d = wait_limit_netblock_findcreate(tree, str);
+ if(!d)
+ return 0;
+ d->limit = limit;
+ return 1;
+}
+
int
setup_wait_limits(rbtree_type* wait_limits_netblock,
rbtree_type* wait_limits_cookie_netblock, struct config_file* cfg)
{
addr_tree_init(wait_limits_netblock);
addr_tree_init(wait_limits_cookie_netblock);
+
+ /* Insert defaults */
+ /* The loopback address is separated from the rest of the network. */
+ /* wait-limit-netblock: 127.0.0.0/8 -1 */
+ if(!wait_limit_netblock_default(wait_limits_netblock, "127.0.0.0/8",
+ -1))
+ return 0;
+ /* wait-limit-netblock: ::1/128 -1 */
+ if(!wait_limit_netblock_default(wait_limits_netblock, "::1/128", -1))
+ return 0;
+ /* wait-limit-cookie-netblock: 127.0.0.0/8 -1 */
+ if(!wait_limit_netblock_default(wait_limits_cookie_netblock,
+ "127.0.0.0/8", -1))
+ return 0;
+ /* wait-limit-cookie-netblock: ::1/128 -1 */
+ if(!wait_limit_netblock_default(wait_limits_cookie_netblock,
+ "::1/128", -1))
+ return 0;
+
if(!infra_wait_limit_netblock_insert(wait_limits_netblock,
wait_limits_cookie_netblock, cfg))
return 0;
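Review bot: The new defaults in setup_wait_limits exempt every source in 127.0.0.0/8 and ::1/128 from the wait limit, but the comment `/* The loopback address is separated from the rest of the network. */` says neither what that exemption costs nor how an operator undoes it. Where a local proxy or front-end relays remote clients to the resolver over loopback, all of that traffic arrives from an exempt address and the wait limit no longer bounds it. I would expand the comment to something like `/* Loopback is not reachable by spoofed packets from the network, so it is unlimited by default; inserted before the config entries so an explicit wait-limit-netblock for the same netblock can override it. */`. That wording assumes infra_wait_limit_netblock_insert reuses the existing tree node for a matching netblock, which is not visible here and should be confirmed. The body of setup_wait_limits continues outside the hunk.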