From: Willem Toorop
Date: Sun, 20 Jul 2025 11:30:29 +0000 (+0200)
Subject: allow-response: config option
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1250%2Fhead;p=thirdparty%2Funbound.git
allow-response: config option
---
diff --git a/daemon/remote.c b/daemon/remote.c
index c17254bb5..0489cedbf 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -4790,6 +4790,7 @@ config_file_getmem(struct config_file* cfg)
 m += getmem_config_str3list(cfg->acl_tag_datas);
 m += getmem_config_str2list(cfg->acl_view);
 m += getmem_config_str2list(cfg->interface_actions);
+ m += getmem_config_str2list(cfg->allow_response_list);
 m += getmem_config_strbytelist(cfg->interface_tags);
 m += getmem_config_str3list(cfg->interface_tag_actions);
 m += getmem_config_str3list(cfg->interface_tag_datas);
@@ -5597,6 +5598,7 @@ fr_atomic_copy_cfg(struct config_file* oldcfg, struct config_file* cfg,
 */
 COPY_VAR_ptr(acl_view);
 COPY_VAR_ptr(interface_actions);
+ COPY_VAR_ptr(allow_response_list);
 /* These reference tags
 COPY_VAR_ptr(interface_tags);
 COPY_VAR_ptr(interface_tag_actions);
diff --git a/daemon/worker.c b/daemon/worker.c
index d9be36290..f7a2d21d2 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1613,8 +1613,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 const char* tsig_name = "\x19""foobar-example-dyn-update\x00";
 const char* alg = "\x0b""hmac-sha256\x00";
 const char* tsig_secret =
- "\x59\x2E\xD3\xD0\x84\xA8\x69\x5F\x8C\xCA\x07\xBE\x1B\xFC\x1E\x98\x74\xE7\xF6\x64\x30\x32\x10\xC6\x33\x09\x93\x94\x9D\xF1\x71\x74\x42\x27\xAB\xF5\x11\x59\x0D\x2E\x52\x2F\xBD\xA8\x7E\xD9\xEA\xD6\x8F\x3D\x6F\xD2\x60\x56\xD8\xD3\xCA\x02\xB7\x16\x1C\x43\x6D\xB8";
- const size_t tsig_secret_len = 64;
+ "\x59\x2E\xD3\xD0\x84\xA8\x69\x5F\x8C\xCA\x07\xBE\x1B\xFC\x1E\x98\x74\xE7\xF6\x64\x30\x32\x10\xC6\x33\x09\x93\x94\x9D\xF1\x71\x74";
+ const size_t tsig_secret_len = 32;
 if (!worker_check_response(c->buffer, worker)) {
 verbose(VERB_ALGO, "Bad response");
diff --git a/util/config_file.c b/util/config_file.c
index 03f688d56..53d90bee6 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -219,6 +219,7 @@ config_create(void)
 cfg->ifs = NULL;
 cfg->num_dist = 0;
 cfg->dist = NULL;
+ cfg->allow_response_list = NULL;
 cfg->num_out_ifs = 0;
 cfg->out_ifs = NULL;
 cfg->stubs = NULL;
@@ -1109,6 +1110,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 else O_DEC(opt, "num-threads", num_threads)
 else O_IFC(opt, "interface", num_ifs, ifs)
 else O_IFC(opt, "distribute", num_dist, dist)
+ else O_LS2(opt, "allow-response", allow_response_list)
 else O_IFC(opt, "outgoing-interface", num_out_ifs, out_ifs)
 else O_YNO(opt, "interface-automatic", if_automatic)
 else O_STR(opt, "interface-automatic-ports", if_automatic_ports)
@@ -1780,6 +1782,7 @@ config_delete(struct config_file* cfg)
 }
 config_del_strarray(cfg->ifs, cfg->num_ifs);
 config_del_strarray(cfg->dist, cfg->num_dist);
+ config_deldblstrlist(cfg->allow_response_list);
 config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
 config_delstubs(cfg->stubs);
 config_delstubs(cfg->forwards);
diff --git a/util/config_file.h b/util/config_file.h
index 284ebe538..813226344 100644
--- a/util/config_file.h
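Review bot: The TSIG key material in worker_handle_request stays compiled into the daemon after this hunk: `tsig_name` is the placeholder `foobar-example-dyn-update` and `tsig_secret` is a literal byte string that is only shortened from 64 to 32 bytes here, so every build from this tree shares one secret that is also readable in the repository. The key name, algorithm and secret should be loaded from configuration (a key file or a server option) rather than hard-coded; if this is development scaffolding it should at least be fenced off and marked, e.g. `/* TODO: development-only placeholder TSIG key; load from config before release */`. A 32-byte secret is a reasonable size for hmac-sha256, but that does not change the concern, and the hunk is also unrelated to the allow-response option the commit is about. worker_handle_request begins and ends outside this hunk, so I cannot see how the key is used beyond the worker_check_response call that follows.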
+++ b/util/config_file.h
@@ -250,6 +250,9 @@ struct config_file {
 /** distribute description strings (IP addresses) */
 char **dist;
+ /** list of allowed responses, linked list */
+ struct config_str2list* allow_response_list;
+
 /** number of outgoing interfaces to open.
 * If 0 default all interfaces. */
 int num_out_ifs;
diff --git a/util/configlexer.lex b/util/configlexer.lex
index 35a74ccc3..de84b18c1 100644
--- a/util/configlexer.lex
+++ b/util/configlexer.lex
@@ -276,6 +276,7 @@ do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON} { YDVAR(1, VAR_INTERFACE) }
 ip-address{COLON} { YDVAR(1, VAR_INTERFACE) }
 distribute{COLON} { YDVAR(1, VAR_DISTRIBUTE ) }
+allow-response{COLON} { YDVAR(2, VAR_ALLOW_RESPONSE) }
 outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) }
 interface-automatic{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC) }
 interface-automatic-ports{COLON} { YDVAR(1, VAR_INTERFACE_AUTOMATIC_PORTS) }
diff --git a/util/configparser.y b/util/configparser.y
index d45cdbdb7..40db4a1bc 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -75,8 +75,9 @@ extern struct config_parser_state* cfg_parser;
 %token STRING_ARG
 %token VAR_FORCE_TOPLEVEL
 %token VAR_SERVER VAR_VERBOSITY VAR_NUM_THREADS VAR_PORT
-%token VAR_OUTGOING_RANGE VAR_INTERFACE VAR_DISTRIBUTE VAR_PREFER_IP4
-%token VAR_DO_IP4 VAR_DO_IP6 VAR_DO_NAT64 VAR_PREFER_IP6 VAR_DO_UDP VAR_DO_TCP
+%token VAR_OUTGOING_RANGE VAR_INTERFACE VAR_DISTRIBUTE VAR_ALLOW_RESPONSE
+%token VAR_PREFER_IP4 VAR_DO_IP4 VAR_DO_IP6 VAR_DO_NAT64 VAR_PREFER_IP6
+%token VAR_DO_UDP VAR_DO_TCP
 %token VAR_TCP_MSS VAR_OUTGOING_TCP_MSS VAR_TCP_IDLE_TIMEOUT
 %token VAR_EDNS_TCP_KEEPALIVE VAR_EDNS_TCP_KEEPALIVE_TIMEOUT
 %token VAR_SOCK_QUEUE_TIMEOUT
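Review bot: The comment `/** list of allowed responses, linked list */` on the new `allow_response_list` field does not say what the two strings of each `config_str2list` entry hold, so a reader of the header cannot tell what an entry matches (a source address, a name, a keyword?) or what it permits. The parser rule accepts two STRING_ARG values per `allow-response` line, so the comment should name both in the style of the neighbouring field comments, e.g. `/** allow-response entries: list of (<first arg>, <second arg>) string pairs */` with the real meanings filled in. Nothing in this diff reads `allow_response_list` — it is only initialised, copied, measured and freed — so as far as the diff shows the option has no effect yet; if the consumer is in a later commit, saying so in the comment or commit message would help. The unbound.conf manual page is not touched here either, presumably pending the same follow-up.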
@@ -251,7 +252,8 @@ content_server: server_num_threads | server_verbosity | server_port | server_tcp_mss | server_outgoing_tcp_mss | server_tcp_idle_timeout | server_tcp_keepalive | server_tcp_keepalive_timeout | server_sock_queue_timeout |
- server_interface | server_distribute | server_chroot | server_username |
+ server_interface | server_distribute | server_allow_response |
+ server_chroot | server_username |
 server_directory | server_logfile | server_pidfile | server_msg_cache_size | server_msg_cache_slabs | server_num_queries_per_thread | server_rrset_cache_size |
@@ -827,6 +829,13 @@ server_distribute: VAR_DISTRIBUTE STRING_ARG
 cfg_parser->cfg->dist[cfg_parser->cfg->num_dist++] = $2;
 }
 ;
+server_allow_response: VAR_ALLOW_RESPONSE STRING_ARG STRING_ARG
+ {
+ OUTYY(("P(allow_response: %s %s)\n", $2, $3));
+ if(!cfg_str2list_insert(&cfg_parser->cfg->allow_response_list, $2, $3))
+ fatal_exit("out of memory adding acl");
+ }
+ ;
 server_outgoing_interface: VAR_OUTGOING_INTERFACE STRING_ARG
 {
 OUTYY(("P(server_outgoing_interface:%s)\n", $2));
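Review bot: The error string in the new server_allow_response rule, `fatal_exit("out of memory adding acl");`, was copied from an access-control rule and would mislead whoever hits it, since the failing option is allow-response; it should read `fatal_exit("out of memory adding allow-response");`. The rule also stores both STRING_ARG values without any check, so if either argument is meant to be an address/netblock or a fixed keyword, a typo is only noticed when the list is consumed (or never, as nothing in this diff reads it); the other two-argument access-control rules in this file validate the keyword with yyerror at parse time as far as I recall, and this one should do the same once its argument syntax is settled. Minor: the OUTYY trace prints `allow_response` while the sibling rule prints its full rule name `server_outgoing_interface`; matching the rule name keeps parser debug output consistent.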