From: alessio
Date: Wed, 4 Sep 2024 15:48:04 +0000 (+0200)
Subject: Remove "port" from source address options
X-Git-Tag: v9.21.2~44^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=da0e48b6117481248ceeeb6c13f0e143a478f864;p=thirdparty%2Fbind9.git

Remove "port" from source address options

Remove the use of "port" when configuring query-source(-v6), transfer-source(-v6), notify-source(-v6), parental-source(-v6), etc. Remove the use of source ports for parental-agents. Also remove the deprecated options use-{v4,v6}-udp-ports and avoid-{v4,v6}udp-ports.
---
diff --git a/bin/named/server.c b/bin/named/server.c
index 0204c32f969..7f814191d8a 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -7485,43 +7485,6 @@ setoptstring(named_server_t *server, char **field, const cfg_obj_t *obj) {
 }
 }
 
-static void
-portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
- bool positive) {
- const cfg_listelt_t *element;
-
- for (element = cfg_list_first(ports); element != NULL;
- element = cfg_list_next(element))
- {
- const cfg_obj_t *obj = cfg_listelt_value(element);
-
- if (cfg_obj_isuint32(obj)) {
- in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
-
- if (positive) {
- isc_portset_add(portset, port);
- } else {
- isc_portset_remove(portset, port);
- }
- } else {
- const cfg_obj_t *obj_loport, *obj_hiport;
- in_port_t loport, hiport;
-
- obj_loport = cfg_tuple_get(obj, "loport");
- loport = (in_port_t)cfg_obj_asuint32(obj_loport);
- obj_hiport = cfg_tuple_get(obj, "hiport");
- hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
-
- if (positive) {
- isc_portset_addrange(portset, loport, hiport);
- } else {
- isc_portset_removerange(portset, loport,
- hiport);
- }
- }
- }
-}
-
 static isc_result_t
 removed(dns_zone_t *zone, void *uap) {
 if (dns_zone_getview(zone) != uap) {
@@ -8270,7 +8233,6 @@ load_configuration(const char *filename, named_server_t *server,
 const cfg_obj_t *maps[3];
 const cfg_obj_t *obj;
 const cfg_obj_t *options;
- const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
 const cfg_obj_t *kasps;
 const cfg_obj_t *keystores;
 dns_kasp_t *kasp = NULL;
@@ -8703,74 +8665,39 @@ load_configuration(const char *filename, named_server_t *server,
 goto cleanup_v4portset;
 }
 
- usev4ports = NULL;
- usev6ports = NULL;
- avoidv4ports = NULL;
- avoidv6ports = NULL;
-
- (void)named_config_get(maps, "use-v4-udp-ports", &usev4ports);
- if (usev4ports != NULL) {
- portset_fromconf(v4portset, usev4ports, true);
- } else {
- result = isc_net_getudpportrange(AF_INET, &udpport_low,
- &udpport_high);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "get the default UDP/IPv4 port range: %s",
- isc_result_totext(result));
- goto cleanup_v6portset;
- }
-
- if (udpport_low == udpport_high) {
- isc_portset_add(v4portset, udpport_low);
- } else {
- isc_portset_addrange(v4portset, udpport_low,
- udpport_high);
- }
- if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using default UDP/IPv4 port range: "
- "[%d, %d]",
- udpport_low, udpport_high);
- }
+ result = isc_net_getudpportrange(AF_INET, &udpport_low, &udpport_high);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "get the default UDP/IPv4 port range: %s",
+ isc_result_totext(result));
+ goto cleanup_v6portset;
 }
- (void)named_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
- if (avoidv4ports != NULL) {
- portset_fromconf(v4portset, avoidv4ports, false);
+
+ isc_portset_addrange(v4portset, udpport_low, udpport_high);
+ if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE4)) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "using default UDP/IPv4 port range: "
+ "[%d, %d]",
+ udpport_low, udpport_high);
 }
 
- (void)named_config_get(maps, "use-v6-udp-ports", &usev6ports);
- if (usev6ports != NULL) {
- portset_fromconf(v6portset, usev6ports, true);
- } else {
- result = isc_net_getudpportrange(AF_INET6, &udpport_low,
- &udpport_high);
- if (result != ISC_R_SUCCESS) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_ERROR,
- "get the default UDP/IPv6 port range: %s",
- isc_result_totext(result));
- goto cleanup_v6portset;
- }
- if (udpport_low == udpport_high) {
- isc_portset_add(v6portset, udpport_low);
- } else {
- isc_portset_addrange(v6portset, udpport_low,
- udpport_high);
- }
- if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
- isc_log_write(NAMED_LOGCATEGORY_GENERAL,
- NAMED_LOGMODULE_SERVER, ISC_LOG_INFO,
- "using default UDP/IPv6 port range: "
- "[%d, %d]",
- udpport_low, udpport_high);
- }
+ result = isc_net_getudpportrange(AF_INET6, &udpport_low, &udpport_high);
+ if (result != ISC_R_SUCCESS) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_ERROR,
+ "get the default UDP/IPv6 port range: %s",
+ isc_result_totext(result));
+ goto cleanup_v6portset;
 }
- (void)named_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
- if (avoidv6ports != NULL) {
- portset_fromconf(v6portset, avoidv6ports, false);
+ isc_portset_addrange(v6portset, udpport_low, udpport_high);
+ if (!ns_server_getoption(server->sctx, NS_SERVER_DISABLE6)) {
+ isc_log_write(NAMED_LOGCATEGORY_GENERAL, NAMED_LOGMODULE_SERVER,
+ ISC_LOG_INFO,
+ "using default UDP/IPv6 port range: "
+ "[%d, %d]",
+ udpport_low, udpport_high);
 }
 
 dns_dispatchmgr_setavailports(named_g_dispatchmgr, v4portset,
diff --git a/bin/tests/system/checkconf/portrange-good.conf b/bin/tests/system/checkconf/ancient-avoid-v4-udp-ports.conf
similarity index 85%
rename from bin/tests/system/checkconf/portrange-good.conf
rename to bin/tests/system/checkconf/ancient-avoid-v4-udp-ports.conf
index c4eb5825997..861c10bd59d 100644
--- a/bin/tests/system/checkconf/portrange-good.conf
+++ b/bin/tests/system/checkconf/ancient-avoid-v4-udp-ports.conf
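Review bot: The new code installs whatever range isc_net_getudpportrange() reports without any check on its width, at `isc_portset_addrange(v4portset, udpport_low, udpport_high);` and the matching v6 line; now that use-v4-udp-ports/use-v6-udp-ports are gone, the OS ephemeral range is the only source of UDP source-port entropy, and the documentation this commit deletes said that range "may be too small for this purpose" and recommended at least 16384 ports. Consider emitting an ISC_LOG_WARNING alongside the existing "using default UDP/IPv4 port range" message when `udpport_high - udpport_low + 1 < 16384`, so an administratively narrowed ephemeral range is visible to operators rather than silently reducing anti-spoofing margin. The `udpport_low == udpport_high` branch that previously called isc_portset_add() is also dropped; that is only safe if isc_portset_addrange() accepts a one-port range, which the hunk does not show and is worth confirming. load_configuration() begins and ends outside this hunk.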
@@ -11,12 +11,9 @@
 * information regarding copyright ownership.
 */
 
+/*
+ * Ancient options are fatal.
+ */
 options {
- avoid-v4-udp-ports {
- 1935;
- 2605;
- 4321;
- 6514;
- range 8610 8614;
- };
+ avoid-v4-udp-ports { range 1 1023; };
 };
diff --git a/bin/tests/system/checkconf/ancient-avoid-v6-udp-ports.conf b/bin/tests/system/checkconf/ancient-avoid-v6-udp-ports.conf
new file mode 100644
index 00000000000..4836ee391fe
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient-avoid-v6-udp-ports.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ avoid-v6-udp-ports { range 1 1023; };
+};
diff --git a/bin/tests/system/checkconf/warn-notify-source.conf b/bin/tests/system/checkconf/ancient-notify-source-port.conf
similarity index 88%
rename from bin/tests/system/checkconf/warn-notify-source.conf
rename to bin/tests/system/checkconf/ancient-notify-source-port.conf
index 4d840ccce98..8c8368abca5 100644
--- a/bin/tests/system/checkconf/warn-notify-source.conf
+++ b/bin/tests/system/checkconf/ancient-notify-source-port.conf
@@ -11,12 +11,8 @@
 * information regarding copyright ownership.
 */
 
-options {
- port 5300;
-};
-
 zone example {
 type secondary;
 primaries { 1.2.3.4; };
- notify-source 10.53.0.1 port 100;
+ notify-source 10.53.0.1 port 5300;
 };
diff --git a/bin/tests/system/checkconf/warn-parental-source.conf b/bin/tests/system/checkconf/ancient-parental-source-port.conf
similarity index 100%
rename from bin/tests/system/checkconf/warn-parental-source.conf
rename to bin/tests/system/checkconf/ancient-parental-source-port.conf
diff --git a/bin/tests/system/checkconf/ancient-query-source-port.conf b/bin/tests/system/checkconf/ancient-query-source-port.conf
new file mode 100644
index 00000000000..c307bfa910e
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient-query-source-port.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 1.2.3.4 {
+ query-source 10.10.10.10 port 5353;
+};
diff --git a/bin/tests/system/checkconf/warn-transfer-source.conf b/bin/tests/system/checkconf/ancient-transfer-source-port.conf
similarity index 100%
rename from bin/tests/system/checkconf/warn-transfer-source.conf
rename to bin/tests/system/checkconf/ancient-transfer-source-port.conf
diff --git a/bin/tests/system/checkconf/ancient-use-v4-udp-ports.conf b/bin/tests/system/checkconf/ancient-use-v4-udp-ports.conf
new file mode 100644
index 00000000000..899a37bd740
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient-use-v4-udp-ports.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ use-v4-udp-ports { range 1024 65535; };
+};
diff --git a/bin/tests/system/checkconf/ancient-use-v6-udp-ports.conf b/bin/tests/system/checkconf/ancient-use-v6-udp-ports.conf
new file mode 100644
index 00000000000..b580653897a
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient-use-v6-udp-ports.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+ use-v6-udp-ports { range 1024 65535; };
+};
diff --git a/bin/tests/system/checkconf/ancient.conf b/bin/tests/system/checkconf/ancient.conf
index 98189cc0f04..6eba5b7c8b1 100644
--- a/bin/tests/system/checkconf/ancient.conf
+++ b/bin/tests/system/checkconf/ancient.conf
@@ -16,4 +16,9 @@
 */
 options {
 fake-iquery yes;
+
+ use-v4-udp-ports { range 1024 65535; };
+ use-v6-udp-ports { range 1024 65535; };
+ avoid-v4-udp-ports { range 1 1023; };
+ avoid-v6-udp-ports { range 1 1023; };
 };
diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
index 62f9aa919d2..fad10192c85 100644
--- a/bin/tests/system/checkconf/deprecated.conf
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -11,19 +11,10 @@
 * information regarding copyright ownership.
 */
 
-server 1.2.3.4 {
- query-source 10.10.10.10 port 5353;
-};
-
 options {
 dnssec-validation yes;
 max-zone-ttl 600;
 
- use-v4-udp-ports { range 1024 65535; };
- use-v6-udp-ports { range 1024 65535; };
- avoid-v4-udp-ports { range 1 1023; };
- avoid-v6-udp-ports { range 1 1023; };
-
 dnssec-must-be-secure mustbesecure.example yes;
 sortlist { };
 
diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in
index 42b5f0f74f7..bee15b710ab 100644
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -45,12 +45,6 @@ key-store "hsm" {
 pkcs11-uri "pkcs11:token=bind9;pin-value=1234";
 };
 options {
- avoid-v4-udp-ports {
- 100;
- };
- avoid-v6-udp-ports {
- 100;
- };
 blackhole {
 10.0.0.0/8;
 };
@@ -91,7 +85,7 @@ options {
 transfer-source 0.0.0.0;
 zone-statistics none;
 };
-parental-agents "parents" port 5353 source 10.10.10.10 port 5354 source-v6 2001:db8::10 port 5355 {
+parental-agents "parents" port 5353 source 10.10.10.10 source-v6 2001:db8::10 {
 10.10.10.11;
 2001:db8::11;
 };
@@ -104,7 +98,7 @@ view "first" {
 file "xxx";
 update-policy local;
 max-ixfr-ratio 20%;
- notify-source 10.10.10.10 port 53;
+ notify-source 10.10.10.10;
 };
 zone "clone" {
 type primary;
@@ -193,7 +187,7 @@ view "fourth" {
 1.2.3.5;
 };
 dnssec-policy "test";
- parental-source 10.10.10.10 port 53;
+ parental-source 10.10.10.10;
 };
 zone "dnssec-default" {
 type primary;
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index daaa93a7d3e..461e4ef4514 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -141,6 +141,20 @@ grep "no longer exists" ancient.out >/dev/null || ret=1
 if [ $ret -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+for ancient_conf in ancient-*.conf; do
+ ancient_opt="${ancient_conf#ancient-}"
+ ancient_opt="${ancient_opt%.conf}"
+
+ n=$((n + 1))
+ echo_i "checking that ancient \"${ancient_opt}\" option report a fatal error ($n)"
+ ret=0
+
+ $CHECKCONF ${ancient_conf} >"${ancient_conf}.out" 2>&1 && ret=1
+ grep "no longer exists" "${ancient_conf}.out" >/dev/null || ret=1
+ if [ $ret -ne 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+done
+
 n=$((n + 1))
 echo_i "checking that named-checkconf -z catches missing hint file ($n)"
 ret=0
@@ -178,13 +192,8 @@ $CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
 grep "option 'managed-keys' is deprecated" /dev/null || ret=1
 grep "option 'trusted-keys' is deprecated" /dev/null || ret=1
 grep "option 'max-zone-ttl' is deprecated" /dev/null || ret=1
-grep "option 'use-v4-udp-ports' is deprecated" /dev/null || ret=1
-grep "option 'use-v6-udp-ports' is deprecated" /dev/null || ret=1
-grep "option 'avoid-v4-udp-ports' is deprecated" /dev/null || ret=1
-grep "option 'avoid-v6-udp-ports' is deprecated" /dev/null || ret=1
 grep "option 'dnssec-must-be-secure' is deprecated" /dev/null || ret=1
 grep "option 'sortlist' is deprecated" /dev/null || ret=1
-grep "token 'port' is deprecated" /dev/null || ret=1
 if $test_fixed; then
 grep "rrset-order: order 'fixed' is deprecated" /dev/null || ret=1
 else
@@ -492,17 +501,6 @@ if [ $ret -ne 0 ]; then
 fi
 status=$((status + ret))
 
-n=$((n + 1))
-echo_i "check that named-checkconf -p properly print a port range ($n)"
-ret=0
-$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1
-grep "range 8610 8614;" /dev/null || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
 n=$((n + 1))
 echo_i "check that named-checkconf -z handles in-view ($n)"
 ret=0
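Review bot: In the new loop, `$CHECKCONF ${ancient_conf} >"${ancient_conf}.out" 2>&1 && ret=1` leaves `${ancient_conf}` unquoted while the redirect target on the same line is quoted; `$CHECKCONF "${ancient_conf}" >"${ancient_conf}.out" 2>&1 && ret=1` quotes both consistently and keeps the loop safe if a fixture name ever contains whitespace. The progress text `option report a fatal error` should read `option reports a fatal error`. The per-file output name `${ancient_conf}.out` also departs from the `checkconf.out$n` convention used elsewhere in this script (visible in the following hunks), which makes failures harder to correlate with the test number printed by echo_i; `checkconf.out$n` would keep the artifacts uniform.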
@@ -752,21 +750,6 @@ if [ $ret -ne 0 ]; then
 fi
 status=$((status + ret))
 
-n=$((n + 1))
-echo_i "check that *-source options with specified port generate warnings ($n)"
-ret=0
-$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "not recommended" /dev/null || ret=1
-$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "not recommended" /dev/null || ret=1
-$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1
-grep "not recommended" /dev/null || ret=1
-if [ $ret -ne 0 ]; then
- echo_i "failed"
- ret=1
-fi
-status=$((status + ret))
-
 n=$((n + 1))
 echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
 ret=0
diff --git a/bin/tests/system/notify/ns2/named.conf.in b/bin/tests/system/notify/ns2/named.conf.in
index a71a799ce1d..71a70559400 100644
--- a/bin/tests/system/notify/ns2/named.conf.in
+++ b/bin/tests/system/notify/ns2/named.conf.in
@@ -57,7 +57,7 @@ zone x1 {
 type primary;
 file "generic.db";
 also-notify { 10.53.0.3; };
- notify-source 10.53.0.2 port @EXTRAPORT2@;
+ notify-source 10.53.0.2;
 notify primary-only;
 };
 zone x2 {
diff --git a/bin/tests/system/notify/ns3/named.conf.in b/bin/tests/system/notify/ns3/named.conf.in
index 73338a4a30f..8a744cd6378 100644
--- a/bin/tests/system/notify/ns3/named.conf.in
+++ b/bin/tests/system/notify/ns3/named.conf.in
@@ -40,5 +40,5 @@ zone "example" {
 zone "notify-source-port-test" {
 type primary;
 file "notify-source-port-test.db";
- notify-source 10.53.0.3 port @EXTRAPORT2@;
+ notify-source 10.53.0.3;
 };
diff --git a/bin/tests/system/notify/tests.sh b/bin/tests/system/notify/tests.sh
index aa237b91e2e..08ee243562e 100644
--- a/bin/tests/system/notify/tests.sh
+++ b/bin/tests/system/notify/tests.sh
@@ -207,10 +207,6 @@ grep "sending notify to 10.53.0.5#[0-9]* : TSIG (b)" ns5/named.run >/dev/null ||
 grep "sending notify to 10.53.0.5#[0-9]* : TSIG (c)" ns5/named.run >/dev/null || ret=1
 test_end
 
-test_start "checking notify-source uses port option correctly"
-grep "10.53.0.3#${EXTRAPORT2}: received notify for zone 'notify-source-port-test'" ns2/named.run >/dev/null || ret=1
-test_end
-
 # notify messages were sent to unresponsive 10.53.10.53 during the tests
 # above, which should time out at some point; we need to wait for them to
 # appear in the logs in case the tests run faster than the notify timeouts
diff --git a/bin/tests/system/resolver/ns1/named.conf.in b/bin/tests/system/resolver/ns1/named.conf.in
index 4467c4bdd79..d1cf906414d 100644
--- a/bin/tests/system/resolver/ns1/named.conf.in
+++ b/bin/tests/system/resolver/ns1/named.conf.in
@@ -41,13 +41,13 @@ server 10.53.0.3 {
 
 server 10.42.23.3/32 {
 notify-source 10.42.22.1;
- query-source address 10.42.22.1 port 0;
+ query-source address 10.42.22.1;
 transfer-source 10.42.22.1;
 };
 
 server fd92:7065:b8e:ffff::1000 {
 notify-source-v6 fd92:7065:b8e:ffff::1001;
- query-source-v6 address fd92:7065:b8e:ffff::1001 port 0;
+ query-source-v6 address fd92:7065:b8e:ffff::1001;
 transfer-source-v6 fd92:7065:b8e:ffff::1001;
 };
 
diff --git a/bin/tests/system/xfer/ns3/named.conf.in b/bin/tests/system/xfer/ns3/named.conf.in
index 1ee07d8bc61..086f17599eb 100644
--- a/bin/tests/system/xfer/ns3/named.conf.in
+++ b/bin/tests/system/xfer/ns3/named.conf.in
@@ -52,7 +52,7 @@ zone "example" {
 
 zone "primary" {
 type secondary;
- transfer-source 10.53.0.3 port @EXTRAPORT1@;
+ transfer-source 10.53.0.3;
 primaries { 10.53.0.6; };
 file "primary.bk";
 };
diff --git a/bin/tests/system/xfer/tests.sh b/bin/tests/system/xfer/tests.sh
index a379a6a705f..f75e1d9caf0 100755
--- a/bin/tests/system/xfer/tests.sh
+++ b/bin/tests/system/xfer/tests.sh
@@ -655,13 +655,6 @@ retry_quiet 10 check_xfer_stats || tmp=1 if test $tmp != 0; then echo_i "failed"; fi status=$((status + tmp)) -n=$((n + 1)) -echo_i "test that transfer-source uses port option correctly ($n)" -tmp=0 -grep "10.53.0.3#${EXTRAPORT1} (primary): query 'primary/SOA/IN' approved" ns6/named.run >/dev/null || tmp=1 -if test $tmp != 0; then echo_i "failed"; fi -status=$((status + tmp)) - wait_for_message() ( nextpartpeek ns6/named.run >wait_for_message.$n grep -F "$1" wait_for_message.$n >/dev/null diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 294276f0466..6767d9076a4 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -174,19 +174,19 @@ the following examples: .. code-block:: none - // dense single-line style - zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};}; - // single-statement-per-line style - zone "example.com" in{ - type secondary; - file "secondary.example.com"; - primaries {10.0.0.1;}; - }; - // spot the difference - zone "example.com" in{ - type secondary; - file "sec.secondary.com"; - primaries {10.0.0.1;}; }; + // dense single-line style + zone "example.com" in{type secondary; file "secondary.example.com"; primaries {10.0.0.1;};}; + // single-statement-per-line style + zone "example.com" in{ + type secondary; + file "secondary.example.com"; + primaries {10.0.0.1;}; + }; + // spot the difference + zone "example.com" in{ + type secondary; + file "sec.secondary.com"; + primaries {10.0.0.1;}; }; .. _include_grammar: @@ -324,7 +324,7 @@ file documentation: (3 days, 12 hours). ISO 8601 duration format consists of the letter "P", followed by an - optional series of numbers with unit suffixes "Y" (year), "M" (month), + optional series of numbers with unit suffixes "Y" (year), "M" (month), "W" (week), and "D" (day); this may optionally be followed by the letter "T", and another series of numbers with unit suffixes "H" (hour), "M" (minute), and "S" (second). Examples: "P3M10D" 
@@ -3268,7 +3268,7 @@ Query Address :short: Controls the IPv6 address from which queries are issued. If the server does not know the answer to a question, it queries other - name servers. :any:`query-source` specifies the address and port used for + name servers. :any:`query-source` specifies the address used for such queries. For queries sent over IPv6, there is a separate :any:`query-source-v6` option. If ``address`` is ``*`` (asterisk) or is omitted, a wildcard IP address (``INADDR_ANY``) is used. 
@@ -3278,111 +3278,13 @@ Query Address :: - query-source address * port *; - query-source-v6 address * port *; - - .. note:: ``port`` configuration is deprecated. A warning will be logged - when this parameter is used. + query-source address *; + query-source-v6 address *; .. note:: The address specified in the :any:`query-source` option is used for both UDP and TCP queries, but the port applies only to UDP queries. TCP queries always use a random unprivileged port. -.. namedconf:statement:: use-v4-udp-ports - :tags: deprecated - :short: Specifies a list of ports that are valid sources for UDP/IPv4 messages. - -.. namedconf:statement:: use-v6-udp-ports - :tags: deprecated - :short: Specifies a list of ports that are valid sources for UDP/IPv6 messages. - - These statements, which are deprecated and will be removed in a future - release, specify a list of IPv4 and IPv6 UDP ports that are used as - source ports for UDP messages. - - If :term:`port` is ``*`` or is omitted, a random port number from a - pre-configured range is selected and used for each query. The - port range(s) are specified in the :any:`use-v4-udp-ports` (for IPv4) - and :any:`use-v6-udp-ports` (for IPv6) options. - - If :any:`use-v4-udp-ports` or :any:`use-v6-udp-ports` is unspecified, - :iscman:`named` checks whether the operating system provides a programming - interface to retrieve the system's default range for ephemeral ports. If - such an interface is available, :iscman:`named` uses the corresponding - system default range; otherwise, it uses its own defaults: - - :: - - use-v4-udp-ports { range 1024 65535; }; - use-v6-udp-ports { range 1024 65535; }; - -.. namedconf:statement:: avoid-v4-udp-ports - :tags: deprecated - :short: Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv4 messages. - -.. namedconf:statement:: avoid-v6-udp-ports - :tags: deprecated - :short: Specifies the range(s) of ports to be excluded from use as sources for UDP/IPv6 messages. 
- - These statements, which are deprecated and will be removed in a future - release, indicate ranges of port numbers to exclude from those specified - in the :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports` - options, respectively. - - The defaults of the :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports` - options are: - - :: - - avoid-v4-udp-ports {}; - avoid-v6-udp-ports {}; - - For example, with the following configuration: - - :: - - use-v6-udp-ports { range 32768 65535; }; - avoid-v6-udp-ports { 40000; range 50000 60000; }; - - UDP ports of IPv6 messages sent from :iscman:`named` are in one of the - following ranges: 32768 to 39999, 40001 to 49999, or 60001 to 65535. - - :any:`avoid-v4-udp-ports` and :any:`avoid-v6-udp-ports` can be used to prevent - :iscman:`named` from choosing as its random source port a port that is blocked - by a firewall or that is used by other applications; if a - query went out with a source port blocked by a firewall, the answer - would not pass through the firewall and the name server would have to query - again. Note: the desired range can also be represented only with - :any:`use-v4-udp-ports` and :any:`use-v6-udp-ports`, and the ``avoid-`` - options are redundant in that sense; they are provided for backward - compatibility and to possibly simplify the port specification. - - .. note:: Make sure the ranges are sufficiently large for security. A - desirable size depends on several parameters, but we generally recommend - it contain at least 16384 ports (14 bits of entropy). Note also that the - system's default range when used may be too small for this purpose, and - that the range may even be changed while :iscman:`named` is running; the new - range is automatically applied when :iscman:`named` is reloaded. 
Explicit - configuration of :any:`use-v4-udp-ports` and :any:`use-v6-udp-ports` is encouraged, - so that the ranges are sufficiently large and are reasonably - independent from the ranges used by other applications. - - .. note:: The operational configuration where :iscman:`named` runs may prohibit - the use of some ports. For example, Unix systems do not allow - :iscman:`named`, if run without root privilege, to use ports less than 1024. - If such ports are included in the specified (or detected) set of query - ports, the corresponding query attempts will fail, resulting in - resolution failures or delay. It is therefore important to configure the - set of ports that can be safely used in the expected operational - environment. - - .. warning:: Specifying a single port is discouraged, as it removes a layer of - protection against spoofing errors. - - .. warning:: The configured :term:`port` must not be the same as the listening port. - - .. note:: See also :any:`transfer-source`, :any:`notify-source` and :any:`parental-source`. - .. _zone_transfers: Zone Transfers 
@@ -3553,25 +3455,17 @@ options apply to zone transfers. :any:`transfer-source` determines which local address is bound to IPv4 TCP connections used to fetch zones transferred inbound by the - server. It also determines the source IPv4 address, and optionally - the UDP port, used for the refresh queries and forwarded dynamic - updates. If not set, it defaults to a system-controlled value which - is usually the address of the interface "closest to" the remote - end. This address must appear in the remote end's :any:`allow-transfer` - option for the zone being transferred, if one is specified. This - statement sets the :any:`transfer-source` for all zones, but can be + server. It also determines the source IPv4 address, used for the refresh + queries and forwarded dynamic updates. If not set, it defaults to a + system-controlled value which is usually the address of the interface + "closest to" the remote end. This address must appear in the remote + end's :any:`allow-transfer` option for the zone being transferred, + if one is specified. + This statement sets the :any:`transfer-source` for all zones, but can be overridden on a per-view or per-zone basis by including a :any:`transfer-source` statement within the :any:`view` or :any:`zone` block in the configuration file. - .. note:: ``port`` configuration is deprecated. A warning will be logged - when this parameter is used. - - .. warning:: Specifying a single port is discouraged, as it removes a layer of - protection against spoofing errors. - - .. warning:: The configured :term:`port` must not be the same as the listening port. - .. namedconf:statement:: transfer-source-v6 :tags: transfer :short: Defines which local IPv6 address(es) are bound to TCP connections used to fetch zones transferred inbound by the server. 
@@ -3581,23 +3475,15 @@ options apply to zone transfers. .. namedconf:statement:: notify-source :tags: transfer - :short: Defines the IPv4 address (and optional port) to be used for outgoing ``NOTIFY`` messages. - - :any:`notify-source` determines which local source address, and - optionally UDP port, is used to send NOTIFY messages. This - address must appear in the secondary server's :any:`primaries` zone clause or - in an :any:`allow-notify` clause. This statement sets the - :any:`notify-source` for all zones, but can be overridden on a per-zone - or per-view basis by including a :any:`notify-source` statement within - the :any:`zone` or :any:`view` block in the configuration file. - - .. note:: ``port`` configuration is deprecated. A warning will be logged - when this parameter is used. + :short: Defines the IPv4 address to be used for outgoing ``NOTIFY`` messages. - .. warning:: Specifying a single port is discouraged, as it removes a layer of - protection against spoofing errors. - - .. warning:: The configured :term:`port` must not be the same as the listening port. + :any:`notify-source` determines which local source address is used to send + NOTIFY messages. This address must appear in the secondary server's + :any:`primaries` zone clause or in an :any:`allow-notify` clause. + This statement sets the :any:`notify-source` for all zones, but can be + overridden on a per-zone or per-view basis by including a + :any:`notify-source` statement within the :any:`zone` or :any:`view` + block in the configuration file. .. namedconf:statement:: notify-source-v6 :tags: transfer 
@@ -6678,20 +6564,12 @@ The following options apply to DS queries sent to :any:`parental-agents`: :tags: dnssec :short: Specifies which local IPv4 source address is used to send parental DS queries. - :any:`parental-source` determines which local source address, and optionally - UDP port, is used to send parental DS queries. This statement sets the + :any:`parental-source` determines which local source address + is used to send parental DS queries. This statement sets the :any:`parental-source` for all zones, but can be overridden on a per-zone or per-view basis by including a :any:`parental-source` statement within the :any:`zone` or :any:`view` block in the configuration file. - .. note:: ``port`` configuration is deprecated. A warning will be logged - when this parameter is used. - - .. warning:: Specifying a single port is discouraged, as it removes a layer of - protection against spoofing errors. - - .. warning:: The configured :term:`port` must not be the same as the listening port. - .. namedconf:statement:: parental-source-v6 :tags: dnssec :short: Specifies which local IPv6 source address is used to send parental DS queries. 
@@ -7844,52 +7722,52 @@ Incoming Zone Transfers this zone. Possible values and their meanings are: ``Needs Refresh`` - The zone needs a refresh, but the process hasn't started yet, - which can be due to different factors, like the retry interval of - the zone. + The zone needs a refresh, but the process hasn't started yet, + which can be due to different factors, like the retry interval of + the zone. ``Pending`` - The zone is flagged for a refresh, but the process is currently - in the queue and will start shortly, or is in a waiting state - because of rate-limiting, see :any:`serial-query-rate`. The - ``Duration (s)`` timer starts before entering this state. + The zone is flagged for a refresh, but the process is currently + in the queue and will start shortly, or is in a waiting state + because of rate-limiting, see :any:`serial-query-rate`. The + ``Duration (s)`` timer starts before entering this state. ``Refresh SOA`` - Sending a refresh SOA query to get the zone serial number, then - initiate a zone transfer, if necessary. If this step is successful, - the ``SOA Query`` and ``Got SOA`` states will be skipped. - Otherwise, the zone transfer procedure can still be initiated, - and the SOA request will be attempted using the same transport as - the zone transfer. The ``Duration (s)`` timer restarts before - entering this state, and for each attempted connection (note that - in UDP mode there can be several retries during one "connection" - attempt). + Sending a refresh SOA query to get the zone serial number, then + initiate a zone transfer, if necessary. If this step is successful, + the ``SOA Query`` and ``Got SOA`` states will be skipped. + Otherwise, the zone transfer procedure can still be initiated, + and the SOA request will be attempted using the same transport as + the zone transfer. 
The ``Duration (s)`` timer restarts before + entering this state, and for each attempted connection (note that + in UDP mode there can be several retries during one "connection" + attempt). ``Deferred`` - The zone is going to be refreshed, but the process was - deferred due to quota, see :any:`transfers-in` and - :any:`transfers-per-ns`. The ``Duration (s)`` timer restarts before - entering this state. + The zone is going to be refreshed, but the process was + deferred due to quota, see :any:`transfers-in` and + :any:`transfers-per-ns`. The ``Duration (s)`` timer restarts before + entering this state. ``SOA Query`` - Sending SOA query to get the zone serial number, then - follow with a zone transfer, if necessary. The ``Duration (s)`` - timer restarts before entering this state. + Sending SOA query to get the zone serial number, then + follow with a zone transfer, if necessary. The ``Duration (s)`` + timer restarts before entering this state. ``Got SOA`` - An answer for the SOA query from the previous step is - received, initiating a transfer. + An answer for the SOA query from the previous step is + received, initiating a transfer. ``Zone Transfer Request`` - Waiting for the zone transfer to start. The ``Duration (s)`` timer - restarts before entering this state. + Waiting for the zone transfer to start. The ``Duration (s)`` timer + restarts before entering this state. ``First Data`` - Waiting for the first data record of the transfer. + Waiting for the first data record of the transfer. ``Receiving IXFR Data`` - Receiving data for an IXFR type incremental zone - transfer. + Receiving data for an IXFR type incremental zone + transfer. ``Finalizing IXFR`` Finalizing an IXFR type incremental zone transfer. diff --git a/doc/misc/options b/doc/misc/options index 4f19c8f39c1..0480f637dfa 100644 --- a/doc/misc/options +++ b/doc/misc/options 
@@ -85,8 +85,6 @@ options { attach-cache ; auth-nxdomain ; automatic-interface-scan ; - avoid-v4-udp-ports { ; ... }; // deprecated - avoid-v6-udp-ports { ; ... }; // deprecated bindkeys-file ; // test only blackhole { ; ... }; catalog-zones { zone [ default-primaries [ port ] [ source ( | * ) ] [ source-v6 ( | * ) ] { ( | [ port ] | [ port ] ) [ key ] [ tls ]; ... } ] [ zone-directory ] [ in-memory ] [ min-update-interval ]; ... }; @@ -314,8 +312,6 @@ options { udp-send-buffer ; update-check-ksk ; // obsolete update-quota ; - use-v4-udp-ports { ; ... }; // deprecated - use-v6-udp-ports { ; ... }; // deprecated v6-bias ; validate-except { ; ... }; version ( | none ); diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index a51123b5313..31546f3b67c 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -3576,16 +3576,10 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, if (obj != NULL) { in_port_t port = isc_sockaddr_getport(cfg_obj_assockaddr(obj)); - if (port == dnsport) { + if (port != 0) { cfg_obj_log(obj, ISC_LOG_ERROR, - "'%s' cannot specify the " - "DNS listener port (%d)", - sources[i], port); - result = ISC_R_FAILURE; - } else if (port != 0) { - cfg_obj_log(obj, ISC_LOG_WARNING, "'%s': specifying a port is " - "not recommended", + "deprecated", sources[i]); } } diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 9adaec5eef0..666c14713f0 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
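Review bot: In the check.c hunk the retained branch now logs at `ISC_LOG_ERROR` but no longer sets `result = ISC_R_FAILURE`, so a configuration that still carries a port on one of these source options is reported as an error while the check itself succeeds; severity and outcome should agree — either keep `result = ISC_R_FAILURE;` after the `cfg_obj_log()` call or log at `ISC_LOG_WARNING` as the removed branch did. The message also says "deprecated" while the parser changes in this same commit reject a port outright ("subconfig 'port' no longer exists"); if the parser now refuses the port for these clauses this branch is unreachable and can go, and if it is still reachable the text should say the port is rejected rather than deprecated. With the `port == dnsport` comparison removed, `dnsport` may now be unused in check_zoneconf (its declaration is outside the hunk) and is worth a compiler-warning check. The enclosing loop and function continue outside the hunk.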
@@ -1109,92 +1109,6 @@ doc_serverid(cfg_printer_t *pctx, const cfg_type_t *type) { static cfg_type_t cfg_type_serverid = { "serverid", parse_serverid, NULL, doc_serverid, NULL, NULL }; -/*% - * Port list. - */ -static void -print_porttuple(cfg_printer_t *pctx, const cfg_obj_t *obj) { - cfg_print_cstr(pctx, "range "); - cfg_print_tuple(pctx, obj); -} -static cfg_tuplefielddef_t porttuple_fields[] = { - { "loport", &cfg_type_uint32, 0 }, - { "hiport", &cfg_type_uint32, 0 }, - { NULL, NULL, 0 } -}; -static cfg_type_t cfg_type_porttuple = { "porttuple", cfg_parse_tuple, - print_porttuple, cfg_doc_tuple, - &cfg_rep_tuple, porttuple_fields }; - -static isc_result_t -parse_port(cfg_parser_t *pctx, cfg_obj_t **ret) { - isc_result_t result; - - CHECK(cfg_parse_uint32(pctx, NULL, ret)); - if ((*ret)->value.uint32 > 0xffff) { - cfg_parser_error(pctx, CFG_LOG_NEAR, "invalid port"); - cfg_obj_destroy(pctx, ret); - result = ISC_R_RANGE; - } - -cleanup: - return (result); -} - -static isc_result_t -parse_portrange(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - isc_result_t result; - cfg_obj_t *obj = NULL; - - UNUSED(type); - - CHECK(cfg_peektoken(pctx, ISC_LEXOPT_NUMBER | ISC_LEXOPT_CNUMBER)); - if (pctx->token.type == isc_tokentype_number) { - CHECK(parse_port(pctx, ret)); - } else { - CHECK(cfg_gettoken(pctx, 0)); - if (pctx->token.type != isc_tokentype_string || - strcasecmp(TOKEN_STRING(pctx), "range") != 0) - { - cfg_parser_error(pctx, CFG_LOG_NEAR, - "expected integer or 'range'"); - return (ISC_R_UNEXPECTEDTOKEN); - } - CHECK(cfg_create_tuple(pctx, &cfg_type_porttuple, &obj)); - CHECK(parse_port(pctx, &obj->value.tuple[0])); - CHECK(parse_port(pctx, &obj->value.tuple[1])); - if (obj->value.tuple[0]->value.uint32 > - obj->value.tuple[1]->value.uint32) - { - cfg_parser_error(pctx, CFG_LOG_NOPREP, - "low port '%u' must not be larger " - "than high port", - obj->value.tuple[0]->value.uint32); - result = ISC_R_RANGE; - goto cleanup; - } - *ret = obj; - obj = 
NULL; - } - -cleanup: - if (obj != NULL) { - cfg_obj_destroy(pctx, &obj); - } - return (result); -} - -static cfg_type_t cfg_type_portrange = { "portrange", parse_portrange, - NULL, cfg_doc_terminal, - NULL, NULL }; - -static cfg_type_t cfg_type_bracketed_portlist = { "bracketed_portlist", - cfg_parse_bracketed_list, - cfg_print_bracketed_list, - cfg_doc_bracketed_list, - &cfg_rep_list, - &cfg_type_portrange }; - static const char *cookiealg_enums[] = { "siphash24", NULL }; static cfg_type_t cfg_type_cookiealg = { "cookiealg", cfg_parse_enum, cfg_print_ustring, cfg_doc_enum, @@ -1314,10 +1228,8 @@ static cfg_type_t cfg_type_fstrm_model = { static cfg_clausedef_t options_clauses[] = { { "answer-cookie", &cfg_type_boolean, 0 }, { "automatic-interface-scan", &cfg_type_boolean, 0 }, - { "avoid-v4-udp-ports", &cfg_type_bracketed_portlist, - CFG_CLAUSEFLAG_DEPRECATED }, - { "avoid-v6-udp-ports", &cfg_type_bracketed_portlist, - CFG_CLAUSEFLAG_DEPRECATED }, + { "avoid-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT }, + { "avoid-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "bindkeys-file", &cfg_type_qstring, CFG_CLAUSEFLAG_TESTONLY }, { "blackhole", &cfg_type_bracketed_aml, 0 }, { "cookie-algorithm", &cfg_type_cookiealg, 0 }, @@ -1456,10 +1368,8 @@ static cfg_clausedef_t options_clauses[] = { { "update-quota", &cfg_type_uint32, 0 }, { "use-id-pool", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "use-ixfr", NULL, CFG_CLAUSEFLAG_ANCIENT }, - { "use-v4-udp-ports", &cfg_type_bracketed_portlist, - CFG_CLAUSEFLAG_DEPRECATED }, - { "use-v6-udp-ports", &cfg_type_bracketed_portlist, - CFG_CLAUSEFLAG_DEPRECATED }, + { "use-v4-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT }, + { "use-v6-udp-ports", NULL, CFG_CLAUSEFLAG_ANCIENT }, { "version", &cfg_type_qstringornone, 0 }, { NULL, NULL, 0 } }; 
@@ -2389,10 +2299,10 @@ static cfg_clausedef_t zone_clauses[] = { CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR }, { "also-notify", &cfg_type_namesockaddrkeylist, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR }, - { "alt-transfer-source", &cfg_type_sockaddr4wild, + { "alt-transfer-source", NULL, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_CLAUSEFLAG_ANCIENT }, - { "alt-transfer-source-v6", &cfg_type_sockaddr6wild, + { "alt-transfer-source-v6", NULL, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_CLAUSEFLAG_ANCIENT }, { "auto-dnssec", &cfg_type_autodnssec, @@ -2509,7 +2419,7 @@ static cfg_clausedef_t zone_clauses[] = { CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR }, { "update-check-ksk", &cfg_type_boolean, CFG_ZONE_PRIMARY | CFG_ZONE_SECONDARY | CFG_CLAUSEFLAG_OBSOLETE }, - { "use-alt-transfer-source", &cfg_type_boolean, + { "use-alt-transfer-source", NULL, CFG_ZONE_SECONDARY | CFG_ZONE_MIRROR | CFG_ZONE_STUB | CFG_CLAUSEFLAG_ANCIENT }, { "zero-no-soa-ttl", &cfg_type_boolean, @@ -3070,6 +2980,7 @@ parse_maybe_optional_keyvalue(cfg_parser_t *pctx, const cfg_type_t *type, goto cleanup; } } + *ret = obj; cleanup: return (result); @@ -3365,17 +3276,8 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { have_address++; } else if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) { - /* read "port" */ - if ((pctx->flags & CFG_PCTX_NODEPRECATED) == 0) - { - cfg_parser_warning( - pctx, 0, - "token 'port' is deprecated"); - } - CHECK(cfg_gettoken(pctx, 0)); - CHECK(cfg_parse_rawport(pctx, CFG_ADDR_WILDOK, - &port)); - have_port++; + /* Port has been removed */ + ++have_port; } else if (strcasecmp(TOKEN_STRING(pctx), "tls") == 0) { /* We do not expect TLS here, not parsing. */ ++have_tls; 
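Review bot: In the parse_querysource hunk the new "port" branch increments `have_port` without consuming the token the loop just peeked, whereas the removed lines read it with `CHECK(cfg_gettoken(pctx, 0))` before parsing the value; if the enclosing loop re-peeks after this branch (its header and the lines after `++have_tls;` are outside the hunk) it will see the same "port" token again and never terminate on any statement containing the keyword. Either consume the keyword and leave the loop so that the later `have_port > 0` check produces the intended error, e.g. `CHECK(cfg_gettoken(pctx, 0)); ++have_port; break;`, or add a comment stating why the token is deliberately left in the stream and how the loop exits. The same question applies to the neighbouring `++have_tls;` branch, whose exit is not visible here.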
@@ -3394,9 +3296,8 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { } } - if (have_address > 1 || have_port > 1 || have_address + have_port == 0) - { - cfg_parser_error(pctx, 0, "expected one address and/or port"); + if (have_address != 1) { + cfg_parser_error(pctx, 0, "expected exactly one address"); return (ISC_R_UNEXPECTEDTOKEN); } @@ -3405,6 +3306,11 @@ parse_querysource(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { return (ISC_R_UNEXPECTEDTOKEN); } + if (have_port > 0) { + cfg_parser_error(pctx, 0, "subconfig 'port' no longer exists"); + return (ISC_R_UNEXPECTEDTOKEN); + } + CHECK(cfg_create_obj(pctx, &cfg_type_querysource, &obj)); isc_sockaddr_fromnetaddr(&obj->value.sockaddr, &netaddr, port); *ret = obj; @@ -3422,8 +3328,6 @@ print_querysource(cfg_printer_t *pctx, const cfg_obj_t *obj) { isc_netaddr_fromsockaddr(&na, &obj->value.sockaddr); cfg_print_cstr(pctx, "address "); cfg_print_rawaddr(pctx, &na); - cfg_print_cstr(pctx, " port "); - cfg_print_rawuint(pctx, isc_sockaddr_getport(&obj->value.sockaddr)); } static void diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c index 08502510d72..2de1be33d9b 100644 --- a/lib/isccfg/parser.c +++ b/lib/isccfg/parser.c @@ -3272,6 +3272,8 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags, cfg_obj_t *obj = NULL; int have_port = 0; int have_tls = 0; + int is_port_ok = (flags & CFG_ADDR_PORTOK) != 0; + int is_tls_ok = (flags & CFG_ADDR_TLSOK) != 0; CHECK(cfg_create_obj(pctx, type, &obj)); CHECK(cfg_parse_rawaddr(pctx, flags, &netaddr)); 
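Review bot: The new `have_port > 0` rejection in the `@@ -3405` hunk runs after the `have_address != 1` check added in the `@@ -3394` hunk, so a statement that carries only a port — previously valid syntax — fails with "expected exactly one address" instead of the more specific "subconfig 'port' no longer exists"; moving the `have_port` block ahead of the address-count check gives the operator the message that names the removed syntax. The `have_tls` check between them (only partly visible) is subject to the same ordering consideration. `port` is still passed to `isc_sockaddr_fromnetaddr()` although nothing in the function can assign it any more, so a comment such as `/* port keeps its initial value: the "port" subclause was removed */` would save the next reader from searching for the assignment (its declaration and initialiser are outside the hunk).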
@@ -3280,18 +3282,10 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags, CHECK(cfg_peektoken(pctx, 0)); if (pctx->token.type == isc_tokentype_string) { if (strcasecmp(TOKEN_STRING(pctx), "port") == 0) { - if ((pctx->flags & CFG_PCTX_NODEPRECATED) == - 0 && - (flags & CFG_ADDR_PORTOK) == 0) - { - cfg_parser_warning( - pctx, 0, - "token 'port' is deprecated"); - } CHECK(cfg_gettoken(pctx, 0)); /* read "port" */ CHECK(cfg_parse_rawport(pctx, flags, &port)); ++have_port; - } else if ((flags & CFG_ADDR_TLSOK) != 0 && + } else if (is_tls_ok && strcasecmp(TOKEN_STRING(pctx), "tls") == 0) { cfg_obj_t *tls = NULL; @@ -3310,6 +3304,11 @@ parse_sockaddrsub(cfg_parser_t *pctx, const cfg_type_t *type, int flags, } } + if (!is_port_ok && have_port > 0) { + cfg_parser_error(pctx, 0, "subconfig 'port' no longer exists"); + result = ISC_R_UNEXPECTEDTOKEN; + goto cleanup; + } if (have_port > 1) { cfg_parser_error(pctx, 0, "expected at most one port"); result = ISC_R_UNEXPECTEDTOKEN; @@ -3330,6 +3329,21 @@ cleanup: return (result); } +static isc_result_t +cfg_parse_sockaddr_generic(cfg_parser_t *pctx, cfg_type_t *klass, + const cfg_type_t *type, cfg_obj_t **ret) { + const unsigned int *flagp; + + REQUIRE(pctx != NULL); + REQUIRE(klass != NULL); + REQUIRE(type != NULL); + REQUIRE(ret != NULL && *ret == NULL); + + flagp = type->of; + + return (parse_sockaddrsub(pctx, klass, *flagp, ret)); +} + static unsigned int sockaddr_flags = CFG_ADDR_V4OK | CFG_ADDR_V6OK | CFG_ADDR_PORTOK; cfg_type_t cfg_type_sockaddr = { "sockaddr", cfg_parse_sockaddr, 
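Review bot: `cfg_parse_sockaddr_generic` takes `cfg_type_t *klass` without `const` although it only forwards it to `parse_sockaddrsub`, whose corresponding parameter is `const cfg_type_t *type` (visible in the hunk header); `const cfg_type_t *klass` would match the callee and not depend on the `cfg_type_*` objects being defined non-const. The helper also dereferences `type->of` unconditionally, so a `REQUIRE(type->of != NULL);` beside the existing REQUIREs would turn a mis-initialised type-table entry into a clear assertion instead of a null dereference. A one-line comment above the helper, e.g. `/* Parse a socket address of class 'klass', using the address/port/tls flags stored in type->of. */`, would document the klass/type split, which is not obvious from the parameter names.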
@@ -3342,32 +3356,31 @@ cfg_type_t cfg_type_sockaddrtls = { "sockaddrtls", cfg_parse_sockaddrtls, cfg_print_sockaddr, cfg_doc_sockaddr, &cfg_rep_sockaddrtls, &sockaddrtls_flags }; +static unsigned int sockaddr_flags_noport = CFG_ADDR_V4OK | CFG_ADDR_V6OK; +cfg_type_t cfg_type_sockaddr_noport = { + "sockaddr", cfg_parse_sockaddr, cfg_print_sockaddr, + cfg_doc_sockaddr, &cfg_rep_sockaddr, &sockaddr_flags_noport +}; + +static unsigned int sockaddrtls_flags_noport = CFG_ADDR_V4OK | CFG_ADDR_V6OK | + CFG_ADDR_TLSOK; +cfg_type_t cfg_type_sockaddrtls_noport = { + "sockaddrtls", cfg_parse_sockaddrtls, cfg_print_sockaddr, + cfg_doc_sockaddr, &cfg_rep_sockaddrtls, &sockaddrtls_flags_noport +}; + isc_result_t cfg_parse_sockaddr(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - const unsigned int *flagp; - - REQUIRE(pctx != NULL); - REQUIRE(type != NULL); - REQUIRE(ret != NULL && *ret == NULL); - - flagp = type->of; - - return (parse_sockaddrsub(pctx, &cfg_type_sockaddr, *flagp, ret)); + return (cfg_parse_sockaddr_generic(pctx, &cfg_type_sockaddr, type, + ret)); } isc_result_t cfg_parse_sockaddrtls(cfg_parser_t *pctx, const cfg_type_t *type, cfg_obj_t **ret) { - const unsigned int *flagp; - - REQUIRE(pctx != NULL); - REQUIRE(type != NULL); - REQUIRE(ret != NULL && *ret == NULL); - - flagp = type->of; - - return (parse_sockaddrsub(pctx, &cfg_type_sockaddrtls, *flagp, ret)); + return (cfg_parse_sockaddr_generic(pctx, &cfg_type_sockaddrtls, type, + ret)); } void
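Review bot: `cfg_type_sockaddr_noport` and `cfg_type_sockaddrtls_noport` reuse the name strings "sockaddr" and "sockaddrtls" of the port-accepting types, so anything that prints a type's name (grammar output, diagnostics) cannot tell the two variants apart, and nothing on the page records which clauses are meant to use them. Consider distinct names such as `"sockaddr_noport"` / `"sockaddrtls_noport"` if the name is not part of an external contract, or at least a comment above the definitions stating that these variants reject a `port` subclause and are intended for the source-address options. If the two externs are declared in a header (not visible here), the same comment belongs on the declarations.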