From: Yorgos Thessalonikefs Date: Fri, 12 Jul 2024 14:29:44 +0000 (+0200) Subject: - For #1102: clearer text for using interface-* options for the X-Git-Tag: release-1.21.0rc1~28^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7083d58c6bcbd7fbe6ba39782af0945a43820518;p=thirdparty%2Funbound.git - For #1102: clearer text for using interface-* options for the loopback interface. --- diff --git a/doc/Changelog b/doc/Changelog index bc71af26d..f304ecb27 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,5 +1,7 @@ 12 July 2024: Yorgos - Add RPZ tag tests in acl_interface.tdir. + - For #1102: clearer text for using interface-* options for the + loopback interface. 12 July 2024: Wouter - Fix #1103: unbound 1.20.0 segmentation fault with nghttp2. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 34e61d69f..390706af7 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -788,7 +788,8 @@ transports, regardless of the presence of an DNS Cookie and regardless of the UDP queries without a DNS Cookie receive REFUSED responses with the TC flag set, that may trigger fall back to TCP for those clients. .IP -By default only localhost is \fIallow\fRed, the rest is \fIrefuse\fRd. +By default only localhost (the 127.0.0.0/8 IP netblock, not the loopback +interface) is implicitly \fIallow\fRed, the rest is \fIrefuse\fRd. The default is \fIrefuse\fRd, because that is protocol\-friendly. The DNS protocol is not designed to handle dropped packets due to policy, and dropping may result in (possibly excessive) retried queries. 
@@ -824,8 +825,12 @@ Similar to \fBaccess\-control:\fR but for interfaces. .IP The action is the same as the ones defined under \fBaccess\-control:\fR. Interfaces are \fIrefuse\fRd by default. -By default only localhost (the IP netblock, not the loopback interface) is -\fIallow\fRed through the default \fBaccess\-control:\fR behavior. +By default only localhost (the 127.0.0.0/8 IP netblock, not the loopback +interface) is implicitly \fIallow\fRed through the default +\fBaccess\-control:\fR behavior. +This also means that any attempt to use the \fBinterface-*:\fR options for the +loopback interface will not work as they will be overridden by the implicit +default "\fBaccess\-control:\fR 127.0.0.0/8 allow" option. .IP Note that the interface needs to be already specified with \fBinterface:\fR and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
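Review bot: the rewritten default-policy sentence in the first unbound.conf.5.in hunk (@@ -788) names only the 127.0.0.0/8 netblock as the implicit allow; if the implicit default also covers the IPv6 loopback address, the text should list it alongside 127.0.0.0/8, otherwise a reader whose local clients reach the resolver over ::1 will conclude that those queries fall under the refuse default. If only 127.0.0.0/8 is implicitly allowed, a short note that IPv6 localhost needs its own explicit access-control: entry would close the same gap.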
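Review bot: the sentence added in the second unbound.conf.5.in hunk (@@ -824) tells the reader that interface-*: options for the loopback interface "will not work" but does not say what to do instead; since the trailing context line already states that any access-control*: setting overrides all interface-*: settings, one more sentence pointing to the access-control*: family as the way to apply policy to loopback clients (or stating plainly that there is no supported way to use interface-*: on loopback) would make the paragraph actionable rather than only a warning. Minor style point: the new lines write \fBinterface-*:\fR with a bare hyphen while the neighbouring \fBaccess\-control:\fR escapes it as \-; the existing context line \fBaccess-control*:\fR already mixes the two forms, so consider settling on one for this section.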