From 2e9785cfb5c752e8a2bed93b6764aeb046377ef1 Mon Sep 17 00:00:00 2001 From: Wouter Wijngaards Date: Wed, 31 Oct 2007 10:56:31 +0000 Subject: [PATCH] better chroot support, and also default chroot and userchange. git-svn-id: file:///svn/unbound/trunk@723 be551aaa-1e26-0410-a405-d3ace91eadb9 --- Makefile.in | 7 +++-- checkconf/unbound-checkconf.c | 2 +- daemon/daemon.c | 1 - daemon/daemon.h | 2 -- daemon/unbound.c | 49 ++++++++++++++++++-------------- doc/Changelog | 4 +++ doc/TODO | 1 + doc/example.conf | 6 ++-- doc/unbound.conf.5 | 12 +++++--- testcode/lock_verify.c | 2 +- testcode/signit.c | 2 +- testcode/testbound.c | 4 ++- testcode/unitmain.c | 2 +- testdata/fwd_compress_c00c.tpkg | Bin 2074 -> 2086 bytes testdata/fwd_no_edns.tpkg | Bin 1692 -> 1705 bytes testdata/fwd_tcp.tpkg | Bin 1674 -> 1688 bytes testdata/fwd_tcp_tc.tpkg | Bin 1685 -> 1701 bytes testdata/fwd_tcp_tc6.tpkg | Bin 1686 -> 1699 bytes testdata/fwd_three.tpkg | Bin 2012 -> 2023 bytes testdata/fwd_three_service.tpkg | Bin 2000 -> 2012 bytes testdata/fwd_ttlexpire.tpkg | Bin 1703 -> 1716 bytes testdata/fwd_udp.tpkg | Bin 1681 -> 1691 bytes util/config_file.c | 4 +-- util/log.c | 5 +++- util/log.h | 3 +- 25 files changed, 63 insertions(+), 43 deletions(-) diff --git a/Makefile.in b/Makefile.in index 70772d262..a6475fef6 100644 --- a/Makefile.in +++ b/Makefile.in @@ -32,8 +32,8 @@ staticexe=@staticexe@ YACC=@YACC@ LEX=@LEX@ CC=@CC@ -CPPFLAGS=-I. @CPPFLAGS@ @DEFS@ -CFLAGS=-I. @CFLAGS@ +CPPFLAGS=-I$(srcdir) @CPPFLAGS@ @DEFS@ +CFLAGS=@CFLAGS@ LDFLAGS=@LDFLAGS@ LIBS=@LIBS@ LIBOBJS=@LIBOBJS@ @@ -59,7 +59,8 @@ COMMON_SRC=$(patsubst $(srcdir)/%,%, $(wildcard $(srcdir)/services/*.c \ util/configparser.c util/configlexer.c testcode/checklocks.c COMMON_OBJ=$(addprefix $(BUILD),$(COMMON_SRC:.c=.o)) COMPAT_OBJ=$(addprefix $(BUILD)compat/,$(LIBOBJS)) -UNITTEST_SRC=$(patsubst $(srcdir)/%,%, $(wildcard $(srcdir)/testcode/unit*.c)) \ +UNITTEST_SRC=$(patsubst $(srcdir)/%,%, \ + $(wildcard $(srcdir)/testcode/unit*.c)) \ testcode/readhex.c testcode/ldns-testpkts.c checkconf/worker_cb.c \ $(COMMON_SRC) UNITTEST_OBJ=$(addprefix $(BUILD),$(UNITTEST_SRC:.c=.o)) $(COMPAT_OBJ) diff --git a/checkconf/unbound-checkconf.c b/checkconf/unbound-checkconf.c index 8869fbeea..ba4e20a92 100644 --- a/checkconf/unbound-checkconf.c +++ b/checkconf/unbound-checkconf.c @@ -172,7 +172,7 @@ int main(int argc, char* argv[]) { int c; log_ident_set("unbound-checkconf"); - log_init(NULL, 0); + log_init(NULL, 0, NULL); /* parse the options */ while( (c=getopt(argc, argv, "h")) != -1) { switch(c) { diff --git a/daemon/daemon.c b/daemon/daemon.c index c585ef0e3..1ef5f6cd3 100644 --- a/daemon/daemon.c +++ b/daemon/daemon.c @@ -460,7 +460,6 @@ daemon_delete(struct daemon* daemon) infra_delete(daemon->env->infra_cache); } alloc_clear(&daemon->superalloc); - free(daemon->cwd); free(daemon->pidfile); free(daemon->env); free(daemon); diff --git a/daemon/daemon.h b/daemon/daemon.h index bc20abc09..be24f5bad 100644 --- a/daemon/daemon.h +++ b/daemon/daemon.h @@ -58,8 +58,6 @@ struct rrset_cache; struct daemon { /** The config settings */ struct config_file* cfg; - /** current working directory */ - char* cwd; /** pidfile that is used */ char* pidfile; /** port number that has ports opened. */ diff --git a/daemon/unbound.c b/daemon/unbound.c index 3b5149723..953586162 100644 --- a/daemon/unbound.c +++ b/daemon/unbound.c @@ -110,25 +110,15 @@ checkrlimits(struct config_file* cfg) } } -/** to changedir, logfile */ +/** set verbosity, check rlimits, cache settings */ static void -apply_dir(struct daemon* daemon, struct config_file* cfg, int cmdline_verbose) +apply_settings(struct daemon* daemon, struct config_file* cfg, + int cmdline_verbose) { /* apply if they have changed */ daemon->cfg = cfg; verbosity = cmdline_verbose + cfg->verbosity; config_apply(cfg); - if(cfg->directory && cfg->directory[0]) { - if(!daemon->cwd || strcmp(daemon->cwd, cfg->directory) != 0) { - if(chdir(cfg->directory)) { - log_err("Could not chdir to %s: %s", - cfg->directory, strerror(errno)); - } - free(daemon->cwd); - if(!(daemon->cwd = strdup(cfg->directory))) - log_err("cwd: malloc failed"); - } - } if(!daemon->env->msg_cache || cfg->msg_cache_size != slabhash_get_size(daemon->env->msg_cache) || cfg->msg_cache_slabs != daemon->env->msg_cache->size) { @@ -223,7 +213,12 @@ static void checkoldpid(struct config_file* cfg) { pid_t old; - if((old = readpid(cfg->pidfile)) != -1) { + char* file = cfg->pidfile; + if(cfg->chrootdir && cfg->chrootdir[0] && + strncmp(file, cfg->chrootdir, strlen(cfg->chrootdir))==0) { + file += strlen(cfg->chrootdir); + } + if((old = readpid(file)) != -1) { /* see if it is still alive */ if(kill(old, 0) == 0 || errno == EPERM) log_warn("unbound is already running as pid %u.", @@ -268,9 +263,15 @@ do_chroot(struct daemon* daemon, struct config_file* cfg, int debug_mode) log_assert(cfg); /* daemonize last to be able to print error to user */ + if(cfg->directory && cfg->directory[0]) + if(chdir(cfg->directory)) { + fatal_exit("Could not chdir to %s: %s", + cfg->directory, strerror(errno)); + } if(cfg->chrootdir && cfg->chrootdir[0]) if(chroot(cfg->chrootdir)) - fatal_exit("unable to chroot: %s", strerror(errno)); + fatal_exit("unable to chroot to %s: %s", + cfg->chrootdir, strerror(errno)); if(cfg->username && cfg->username[0]) { struct passwd *pwd; if((pwd = getpwnam(cfg->username)) == NULL) @@ -287,13 +288,17 @@ do_chroot(struct daemon* daemon, struct config_file* cfg, int debug_mode) } /* init logfile just before fork */ - log_init(cfg->logfile, cfg->use_syslog); + log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir); if(!debug_mode && cfg->do_daemonize) { detach(cfg); } if(cfg->pidfile && cfg->pidfile[0]) { - writepid(cfg->pidfile, getpid()); - if(!(daemon->pidfile = strdup(cfg->pidfile))) + char* pf = cfg->pidfile; + if(cfg->chrootdir && cfg->chrootdir[0] && + strncmp(pf, cfg->chrootdir, strlen(cfg->chrootdir))==0) + pf += strlen(cfg->chrootdir); + writepid(pf, getpid()); + if(!(daemon->pidfile = strdup(pf))) log_err("pidf: malloc failed"); } } @@ -324,7 +329,7 @@ run_daemon(char* cfgfile, int cmdline_verbose, int debug_mode) fatal_exit("Could not alloc config defaults"); if(!config_read(cfg, cfgfile)) fatal_exit("Could not read config file: %s", cfgfile); - apply_dir(daemon, cfg, cmdline_verbose); + apply_settings(daemon, cfg, cmdline_verbose); /* prepare */ if(!daemon_open_shared_ports(daemon)) @@ -332,7 +337,7 @@ run_daemon(char* cfgfile, int cmdline_verbose, int debug_mode) if(!done_chroot) { do_chroot(daemon, cfg, debug_mode); done_chroot = 1; - } else log_init(cfg->logfile, cfg->use_syslog); + } else log_init(cfg->logfile, cfg->use_syslog, cfg->chrootdir); /* work */ daemon_fork(daemon); @@ -369,7 +374,7 @@ main(int argc, char* argv[]) /* take debug snapshot of heap */ unbound_start_brk = sbrk(0); - log_init(NULL, 0); + log_init(NULL, 0, NULL); /* parse the options */ while( (c=getopt(argc, argv, "c:dhv")) != -1) { switch(c) { @@ -399,6 +404,6 @@ main(int argc, char* argv[]) } run_daemon(cfgfile, cmdline_verbose, debug_mode); - log_init(NULL, 0); /* close logfile */ + log_init(NULL, 0, NULL); /* close logfile */ return 0; } diff --git a/doc/Changelog b/doc/Changelog index eb937c230..d024105ce 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,6 +1,10 @@ 31 October 2007: Wouter - cache-max-ttl config option. - building outside sourcedir works again. + - defaults more secure: + username: "unbound" + chroot: "/etc/unbound" + The operator can override them to be less secure ("") if necessary. 30 October 2007: Wouter - fixup assertion failure that relied on compressed names to be diff --git a/doc/TODO b/doc/TODO index 7f6fcf8b7..eb082ccff 100644 --- a/doc/TODO +++ b/doc/TODO @@ -52,3 +52,4 @@ o make timeout backoffs randomized (a couple percent random) to spread traffic. o inspect date on executable, then warn user in log if its more than 1 year. o proactively prime root, stubs and trust anchors, feature. early failure, faster on first query, but more traffic. +o use privilege separation, to change privilege options during reload securely diff --git a/doc/example.conf b/doc/example.conf index 1125b5ba0..a96670758 100644 --- a/doc/example.conf +++ b/doc/example.conf @@ -114,10 +114,12 @@ server: # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. - # chroot: "/some/directory" + # If you give "" no chroot is performed. + # chroot: "/etc/unbound" # if given, user privileges are dropped (after binding port), - # and the given username is assumed. Default is nothing "". + # and the given username is assumed. Default is user "unbound". + # If you give "" no priviliges are dropped. # username: "unbound" # the working directory. diff --git a/doc/unbound.conf.5 b/doc/unbound.conf.5 index 6100154d5..a3603339b 100644 --- a/doc/unbound.conf.5 +++ b/doc/unbound.conf.5 @@ -155,10 +155,11 @@ Enable or disable whether UDP queries are answered. Default is yes. .It \fBdo-tcp:\fR Enable or disable whether TCP queries are answered. Default is yes. .It \fBchroot:\fR -If given a chroot is done to the given directory. The default is none (""). +If given a chroot is done to the given directory. The default is +"/etc/unbound". If you give "" no chroot is performed. .It \fBusername:\fR If given, after binding the port the user privileges are dropped. Default is -not to change user, username: "". +"unbound". If you give username: "" no user change is performed. .Pp If this user is not capable of binding the port, reloads (by signal HUP) will still retain the opened ports. @@ -355,13 +356,16 @@ server: .Sh FILES .Bl -tag -width indent .It Pa /etc/unbound -default unbound working directory +default unbound working directory and default +.Xr chroot 2 +location. .It Pa unbound.conf unbound configuration file. .It Pa unbound.pid default unbound pidfile with process ID of the running daemon. .It Pa unbound.log -unbound log file. +unbound log file. default is to log to +.Xr syslog 3 . .El .Sh SEE ALSO .Xr unbound 8 , diff --git a/testcode/lock_verify.c b/testcode/lock_verify.c index 21ec324d7..96fd6ca46 100644 --- a/testcode/lock_verify.c +++ b/testcode/lock_verify.c @@ -385,7 +385,7 @@ main(int argc, char* argv[]) usage(); return 1; } - log_init(NULL, 0); + log_init(NULL, 0, NULL); log_ident_set("lock-verify"); /* init */ all_locks = rbtree_create(order_lock_cmp); diff --git a/testcode/signit.c b/testcode/signit.c index 717b4e2de..3072ffefa 100644 --- a/testcode/signit.c +++ b/testcode/signit.c @@ -236,7 +236,7 @@ process_nsec3(int argc, char* argv[]) /** main program */ int main(int argc, char* argv[]) { - log_init(NULL, 0); + log_init(NULL, 0, NULL); if(argc != 6) { usage(); } diff --git a/testcode/testbound.c b/testcode/testbound.c index 6a45a74ec..c7de18150 100644 --- a/testcode/testbound.c +++ b/testcode/testbound.c @@ -138,6 +138,8 @@ setup_config(FILE* in, char* configfile, int* lineno, /* some basic settings to not pollute the host system */ fprintf(cfg, "server: use-syslog: no\n"); fprintf(cfg, " directory: \"\"\n"); + fprintf(cfg, " chroot: \"\"\n"); + fprintf(cfg, " username: \"\"\n"); while(fgets(line, MAX_LINE_LEN-1, in)) { parse = line; (*lineno)++; @@ -207,7 +209,7 @@ main(int argc, char* argv[]) char* init_optarg = optarg; struct replay_scenario* scen = NULL; - log_init(NULL, 0); + log_init(NULL, 0, NULL); log_info("Start of %s testbound program.", PACKAGE_STRING); /* determine commandline options for the daemon */ cfgfile[0] = 0; diff --git a/testcode/unitmain.c b/testcode/unitmain.c index 0db87f85e..03ff3cfad 100644 --- a/testcode/unitmain.c +++ b/testcode/unitmain.c @@ -228,7 +228,7 @@ rnd_test() int main(int argc, char* argv[]) { - log_init(NULL, 0); + log_init(NULL, 0, NULL); if(argc != 1) { printf("usage: %s\n", argv[0]); printf("\tperforms unit tests.\n"); diff --git a/testdata/fwd_compress_c00c.tpkg b/testdata/fwd_compress_c00c.tpkg index 1bac0886d0491d3252a81aa742c176f5233d7b40..627cf92d497d3e00701c2381471715c17689e8bc 100644 GIT binary patch literal 2086 zc-jFb2-)`^iwFS3Tqs8X1MOLRbJ|D}_rJ`i=*U!@R2HEJ5?&HhCN{bFE(QnV&8F_I zSRoCdHP#SG#PQzlci)~F1d@#ppDV@gUgj4^jHag_^XOKqHM$N4KD(O5G)V@&VfcCw z#?_s#3IkEEJM!196@C}kF^#%u8IEi6ac0dmoE>n!t{LkwPf{-i*tur&l*adu+eH71 zVzhSu@AhKz(K`4BySMf|xBs^3)cO7!HMefKj=N)6hHG0pV0^`S-ivR1|94@xQh~Mm zU8(GnT}aqG_9>(j3Rhl&O8}p7y++}b!u5nk5T<(xr^b~06DlLn^{SrEF2_0!(-$27 zhNn+6L2Kx!Wu72q*`3lPg%OJ(j6k%pGxUb2a^@vT7>yUIiVOuU1ri~>&hg-^+v^{c zpFM+euhlv3p27=oY^Mg#pOcHu>+Z#JNH&5x=w5u#wU_#nCK=5mKMh$VYL;hzt_A39Y+os6>3|HlU+rVotp&g9OHtt|4(<9FJ01LMIQ52M!%_RZ4;CH|a_WUqivMZcfFRc4gMOs9@F)B^8hfZa zAx9`>%;K8{kR#NNF*HgW#2?yALKRJY#5pNWKqA2^V9`Fg2(wx))hBQt(Z#lH4Si z05mXX!rUf|shp#Ec<>riqbpBtj3r3s?nHtcnO1l_~SR=|p%W%2?z=m0!@s z(b5GErr4#7;spVQ3C*FQS*yR7N?cS>Yn1*dA|KA4g zt^Y9o61K$(P)}$m3sCPt)mr7#`vFoA!FY7yx)3MS2>$S}PP1Cly z|JzPY`TsWXQl#ctZAjEzdAY6J?VbGXqyr4QX&9k{=n+kIQttQPf$bUwA?;4T_i^yL zjl;-ktAF$s*vw}Eg-_|t46j@+>9x<^eT4TtXtkizZTEWJ9%&u_{Q|RmpUrLtVL;B? zNBxs-2i{*`?vD*}OD71REds6O_*UoqL%Vlp^!J8QWRO3wZ|IJzTb8Y3nz<5k(SM6m z?SH%@XWy*}Ntv9^x%~C?DA9jrmpBeRM1L^f@R5A}Ek3#I?auMn$!z`?|9`BG4gPP| zOegby%cM}4HPbNV5jOJh+)>?iow|j|?DsBpYrJjP*mCN%<#;=nTo%6hC!%!{T>l;k-GAUBP7_+nI)+{VN%#x>PSn^rIVYOS4#LrB z%@G|l7OYos%o#F0g-$$9$T6FzMI~EHxBhf^X#D4k{a78F^1r%eFXO*!%leO7SMh%v zD0nRJkOuqaz5zTyEiX2|U>^oH0DY>r^c5IcM6?F*pa(qa0S|k?;~wz92R!lt4}DT1 z6jL8vmm(}-1=9I}D;j`|_I{1GYT#fKttjAZUy86%L@@G$r3fo0$C2|g@nX7WUc`HT z@uY|vx57g6>$ZUt;Zt^p%Zb?hHb8rX0x0HY*+d*Uku|!}eAI0rw@ot2z6 zJ=WL)ydgHVO=va&<(HW5sl-atE#Tz z`B81}t3pNCwkdwCdhU0HJx#Uo&#+Bh+f%i=r5bx+eqA++v4|5V0@z!Ii-bn^k9&yz z7sa@6|L^uAb<0*Q)7n#Y)iU%wP`~0j@5ML1|NF3CtwP~` zSF8JEAL4KkxfGHqg=;596ToM**Vvy?SWamGesT~qYDCFDp*jXdsVT|)YNFsUWi{j9 z@bqcQsDO@A7BN!R-3g5o7>5z~0q{0<`pyVN&Yd{+gUL!%enL)4jzmbm+a8|x`h%m& zvu9B0x4P}#8N2|~FzfLAIl1h~jq=U(u51U!*UYw@kl-}iFO-skUU`(YvBQf=$O5q@`9WxF7bzD2hS@ocHkkSXe^@vpA z3>EinO-}cakzW-oiYWk1Sd4gUZTLkn3KxOLPba#?$Z@YG5$hr6{mxODop7a0DtJ>% zhgR{Qn=*ptsyl0`^ga+}?S zuoiAHO7(mXf-n(=d%`(0V^=gj{tFsdyGO``LSjgWXoaaG!C64RahmfNkhbF;m` zQ%O-WKY)CH4&M0~I0M$iCC|esIbf>dUMeKNQII-h`OcJbPGEXc3&maVb03cRA@W^% zue9vJF2}cKp};@-aVK#LkInzQ*xg#j1Non78k_vjHZ-39sg}(Dc7fMUOuHES8+RXn zV>i82dM^w{$jdkn^Z$p)A=Y=V6=_(y*TlXfcsL zWLt|bZ}17qq@3d;m3j^G#_?whl=bJ2caQadmbYvx<01byv|I20x@y@#t=l z5?)7P>?i0>Iw|c#u(+-!Q*>D7KA5PmjG+NM`93BkG{z*v)S$ZRUS-ut!8f^Td=p~= z(7>Dta~nURZo=JEVVO=96R9c>3e{QYI5-tPajF52U&t`1#r~z+QHAo8+X%QmE=eQuIl*~&ge|cXs zTD|;iSY_VW3)p3-cUbb5N_7WO?XmtZ>O0%Xc+mgtdg}k0W*E%>4O2eEZHBW0p zyza`%ZIxdC^lztK2(g>`0Xm2h&_p4X!QdSjmZ}oc=??lIhp#(0jGVOwCvPE~yP-$n zQ*txME8|Q0o%44e;e8)kE$H?-{eG`cTJ67IVwUfQ^P8dXk&DjB;I!9;_m`OaV}sn1 z2^^>kM{7O4)xG%8>E9Xsy{hIXh#xpq71L65-B5JZ+%UNuyv3ysKHlMTXw^BVlu!3U z{5nbyD?f)rfT8{ zt64bK*tRUw)-jp=-lA5WwN(RKrd?l;*UEw?R3r9rg$r80+Cc8(#%kcNs4oRPhde~5 zYO_l8s)!$#`A2}Xv{^&5ch>6BAJY0+9tPQnmI{)835 zMd6!$A}Zowx%Y7B{R53Si)ktC7&#uq{x9@9USntE3~R>Q^T*?YBRUB~uUJHzO-SYB zI`KH+jQJwT3)xw^^{2yQ<3BU@wlW^d|7_h@$A8N(dHu(-W&Ga-avlpTq`{$fr~(U6 z>x;oI*oT1)K$$5mWrL8cB3c7j&;u6rfQ3C^aSvGF0~Yy!g+9R%@~Mxa2o^fm0_p6) zR@6MwaDT8P_QtNg*SG+H48n%#}w<*@S<5-mc@H^aRiGx(?Un}Z9~O{ zuq9ig^+F7G>!Che0OWJCbRni#NP%orA7$$}+n_0njRqs7nX<4RU||Rr0vQ&r()<>q zn1qCcgoK2IgoK2IgoK2IgoK2IgoK2IgoK2IgoK2IgoK2IgoK2I#J7Xr0sOdG)c{Zc E0M-m10RR91 diff --git a/testdata/fwd_no_edns.tpkg b/testdata/fwd_no_edns.tpkg index 1b8e1bedcbda0c58d4a17a0d197323e28989ddec..34962337e01db8a6a1fb5d5141fc7a931131e639 100644 GIT binary patch literal 1705 zc-jG}23GkWiwFS3Tqs8X1ML}WbJ|8QUv2!!J z9iSR?iX=klKJIqc!?`_h*?`(^Alr_gfA$qXK`=Be z{? z$lwOnOQnbGUsMYk+Fvgjs-~+-5$&&QI@(`(66rhOe{TOHIFcmTu(~82ks}D$%(p0n zV+vC6t;`xT8eW`hqnnYa~Ltt;V3!?)ECV7cU^!t+g8MD>wzM zsFmR5OVV$>YWJ5@(#hoFX0>XG#bqikY4>|eS~~BP6R0(2Ag*)FK8aARZtgE$vl5q% zw$0@>L1&E=G&g-4^@r1&-O2>*Ch;k5K%8N$xaV9?;`{m7vBr>#=DiosxV>B=#LMzy zHl_L4vGcc%o6qtYIwW2Nk_XFet$9j36RL=lCu{_T>ahyPvFSqm^ zdDyBa%M7>ZZf-hp+yvDBh;bJ(7%`Z6-$ii)=ePx~QrDc)Dx3$QkDac7f>lEV*?lWu)#-ksqHeRjp0lhF%4WVf=(?mE^Mni!?pjtwpgW5qp>ICEv^)M)-E zRIvJhkP(I4N-HZN!Gz*lsmUU~ck=g|wU&X*ZDCZx1BT}OV;hLICF7JX1!*0IH4V-*Vgw=cB=d^S9m|Ji}{ zBrzT<@v z;vzn=z^DA=n>*nc&rE1GTGynG$1tDNFhgY5n^Cwj7f>jGs+CovT+*Q4yzT*3cm}yL z9XG^3>X*UxWw?>+at*(n-`$ak`~y-)E+ghI%0TLD>fzbxhGkNp+70Sa*A5WB8oj0y zuS`1r`fKo1mULJUZeS5ZdUO*VU8S|zrwhC%InNGWoYXFp3)7j*kn^{Bsy$l&p`xBb z#;*9+i@g5V4P7;iBFC!+ZwVaYe-E&w{$o5b+hYZok&>2tkIDG#(vQD^&0v8Oj zo4XJ(Lc*Ohnef-f9YjM(g|s|LOOXJhJ|?D=Okx@(^h-ubLbPI)$>O)L%TVvJj1o;{ zZ->oe@gLWBUoK;3{HuC${~JoNpz`=HBI*$Tdw?_GHDOvcM%@=)dgt2R%O5UVKtGvN zZ$h!4oysKF>%D=Zt|){wTUbpEUNvzJxvKT*uYq|MvnhNC7ao3crqFM6pwTAXX6Ma2 zc-w_q4KCW+u&5u}+$(tfLg?Ti3JQ_h}tBH`HYC(JS@<0vKa zV6FdnZw35?Tq&TRL`P`KocEBD_FEuE?Yp#D6Fp>lDXS%8YTbe926O6*yrUa;$1;b8 zn2Jf8P4Uw9Pa>g{fTqta76Qj5?JM5Y-AFJVi+|q5dS_ zH-DK3_<73$C&YrgK!hW3XHzL0V@b~oY?TPSmsp0V5l;lv#fV`nN-;L+vJ(MASqc^b z`f?duMg;UIYK2i1FB8EU`;6gqQH*B#Zq#?+Pd1ZW7D^vx)L%%;kc)UEEmG+Z=3)&l zBx^7{g_L62wvQ;aV8{yosNcu`4-mi2g8cvoIKTl8aDW3G;0xg&{CEq604M+ev!hjY literal 1692 zc-jG+24ndjiwFRzKO9E@1ML}WbJ|AGUvN)hc}*2>xuC{H4N2mH_Ne+?wu$ggRgcr#`28l>7qH2xK`g2kzZi#$j?Y<5xI2Nf~XSqm|DVa zXhp3AFJ6#A`*mlq9Fh(u7dNX}ODs-PaY|>o z^l95zZWDCYNI`SMvrvCHyw$5t(QXnS;`qcK#fp2z^(20nPi%7nxoF%6@toVsAwoPY zKVdVPj~zRIYdiTYpOH=CSs=NvT-KVW#3P}GIC;v(P^g`#a1!h8vRTbN%kGXNl7|QO zHZ$%hn9Ld3ok-S48fftR=hu2RRC(Hgw;0}n%q51Jc+IjNCR z=$L`coQTgb<}nQ2=P%$7B3#vf9uB(0e(!x%Eht2|sbBVo{WrbVb+w4ETq=fE;4P{O zobzvZS%utcR*XD5!*Ih#ixELcofKU(r}E$(jXmmum@9}JQOjHOQ{D-u)6`)FAy$>e z916HjE+vN_A}8H?)VMpxC-m7BZ%#%p_?TVFCcEocTWDgGYS|VzEQl5NEaJ?Sol~Rn zpHac;1470Wax1N@g!og6yHb-$eC_0~HES&cncKp|Xhg}814i~aeQV<(>F`I~vdg^S zlrI%+DU)?WK^lVMy(!|Fz|>Q>io1^do{b_WvQ7G+w5(%`{>Cg6_-|io2l!%mEdR57 z^GRgv$p4g*R^<6#p@dmK76DQIrycUYy})b3r)|6yD%mTM{6sw;uY(GxvO=2FH$B@8 zBE&^}Vu45b$v3xy37(nIYPPRQ1CL=osA&Yqt{+mkG8RxMfT~qgy;9Pk(Yo$K0gX?t z4BH9tk9rlbJQ;4}hFr%l`!{E7Ab+1Ukjt2Piwckio4I&)IzfdrW>%BB)UkZTub$q} zsaqjkZ+#m)l_g!~2OC(#kUrf+M^|Y*{Ct7;B&$C6ky&3H_2$k`S#}WwQ7!>@w7QETcqI z+1p|BSp3KJ-9MMHGyc_ba{uc}vB3L(dJ$2F_}>GZ1Fs3wsxj)m@X|Zi>0N$**#`RA zn7LDm1?@~GxqkmG6w8W2NUM$2)bMo+$B?Ufzwri`Ych+%$6(>&Cua(SW*3?r(rb0! zzK3@`sMq15)4OW*dZga`VSu@S$=t=zw#ap>(ZB4p;oSf;1biU#`CPbc3-u+X-oCzR z^_F-+Rpf#q7ZtgrB#UXan_s@JwMDf%xTMY#FKP=?-G(e=m%o4e?~4DYkg+TNbzM#K z|FWj@_%CB3aESkX!2SC_Zp?f`9pG%cF3JefOe1N()xfgHfT1a8Pdkxt?5im=jp-yx ziCkFgKi-=GeaUwezD$=+vj_dz%HoaY_4%H+44>jK|`icQK#B$9BbkQ7LTv|F5hc?*IKj zeDha`fSyny~GMcjd&uUF2)RFQHrrimz@Y0%96kE z(U&XWFe0EwQ8S3Dc$qgqC5Hvl$B=ppX&G42$fOY}{f>1$F2;#E5+VknkWviG@(`sK mbXmb4^;O*U7r)K2`~U|yzyS_$fCC)htHIxam-D~?C;$Lv{8M!R diff --git a/testdata/fwd_tcp.tpkg b/testdata/fwd_tcp.tpkg index cad670dd8b1796c159b0772694805433c0ec0876..bef8747bc560fef3c741136041fe64ca4d3c0485 100644 GIT binary patch literal 1688 zc-jG&250#niwFS3Tqs8X1ML}WbJ|AGUv(SgEgqEk;j-TKAOrRlDN~QQ+ zF0Q?ou%~Mk-Ox&9Lo4iQx=}IoJt%#y31uM)LemG>o3kjS{=?%Q!~aKNl-d8J?fLXc zW$+Cy7mE+=e?iC1*0oYa*Z9N0{V$;Avv>gh=lj18`-%dYomZ57vJU}^e2YRj zp)fN8TsYjJmPXE$!hAwqaKgiYV|_|~0A&QKnpZ>bcC6wsbxH9P92_K!HsDc86d)$; z4rvg=i22~SAllgJm_rolnL*&Vip1g^I1M4hs0E%c#uvjwUT%g)bLxKvN0I7104=xy(h8T;?AQZbT@3;j7U;qq-df!ojdPn>{AcqoFVg$THdC2c{iF)6N8ncSXDN2 zDd0T0lpH=}jvD&ZygkMi+U$xqN23wE&ran&yQ^4RxWy>dc5HB27%T3X;LMes)5Z7? zs9^m8A!7=;l~z_lf+@vS=}RI$ck;*DZl#XQ_rgMNM9IPc#r_<=aqy6Ic@vlHF+V)y zQ^mbh$@)e?;)e1^B=VZT#8NkkyApQKM#6|3i#{kVYuIvdj|v6;+ZWmn{t;}7|Kjug z>0~?-|6u@Ft>hqTHQDA;B61;b!c~5 zydkMiuljfhd5eK#ldD#vf6-~f+w0a9Z;<(XE?u;xdWxyHuWnksv|rLS)zH*} zrWUp3Oj_;c?&$dx*yR6qU_Ggf$NaxoET{gDZ;}5MclqB|;FTHBHacrH35m&f)DJKm ztb(p;q)7wIcf3$^oW~Ihn9y%@F}SpDX$U4p6g~|j-^G_VU8tmiAsHuVnjy07Pa-&{ zLx7i{8`V;!T6hVKRv!$s0di?NZis)>uY&EXaHBTVI=-A=+_8zG0@6SxW9BcaKpJf3 zVHo9xRnnN*P3lqC4zPdKdQGQZm2~~pYIsIVx-1AYJ@`fXG}|R2>3a0x9FIQEr;Bkj zwX5XZbfyt<`+`rFhwlHUl<}DVS1S6-|0}}(4Mgw!e+#f)|A`Z`FQ@{PP1pA^{}k)V z6klqX`HcYs3pE?*$b|QvO_^m*CwN@I(VZnqA=xU#M^x}Ta>fib3PlK&2;h0-G6fH0 zk-{eloA}7&Q!A1QwQlib4d&FBc~vLQkTYSAoQO#h&X~0GtxV`NpviX|Q(E4)OksIp zhlr+@9BCWtzihkyUp9FBU#^sOJPFEW?*9c019twu1-MuLWn1?DjFiOT|4PQ+cKrR= z+ZTvL#u!PkxeJ03B5s}OlrI@)AexE}Nr^HkM+SK9$H)YeDNKoiUdm|cz$;dnD&7Wm z8SFV7&2*!0YZHEZy z02LuAdYI71fA8K23E|+n?KpIrvbLqu?cMI(KJIqcLKY#Fc`R>Vcwam4bQzrO&mXEJQ)5`v3h1_>le!s-~j;OBGdN4-NHSQcC3mP@Z%Z55WIi|A%lWNs!UJBps4N2;9gwD1=iA zb3MR~!yQU#Y}phRQ|f>f9tRBTQ}P2yW02*%9D1{fjKk#BjGy4>C?T{3k6fYvF==;5 zgAm5950(SGjh&W0LYAH$1eP;dvD%!l!DRzQNWaq>_PYH+E%*F6AdRRq(hRyUDDb% zmgxiyl?!O0`zFc{hqwDR+jIhn4RHcujbp(*V{#JTFQ%3;g&ZIEUOZ*`a)=O5%TL`o z&BsQaA6ZU5OJ{76cos+=q{~XJBpwBI{FZHZ0$Tk@g`-$*m#tdvS$1cvW7T+IUvqs% z!El|iHQ^RU0&0Rp;W)^jGrm8b=Z`mJd7M8^@PlqTB3Whzi`q)jiRKvkEZquY3w4M_ zyp;+$az<|CnA{T41xC6toA|7U^!n|Z$gEiwNe(~q$xsP@jf4=?SKV3pq+7_!XrnXp zu~k-v9&VA}LbqbS38;UEeiynhaUt@);(h~XxCACvN1xL=oCTqeuEYi{^w5~r$vAS1 z&~hD4XBg8MM&9!m@GB9n8s86Zdc#5gT}{;#BHT7E2gAYZe*3ysz)!{%T`TmLH3d%D z8_sHwThEF+PfpO?uxYwP5E3Ir6V0j2dB+odiD+sZuOxK}+ z>ttMV_z)RtI+HEo7QBlwVA%6)Rzv9wUd$knt=aNIB!+%ry@2|K6q@gGsZ z>H|zB6mn~+teFHh#a*eZNo?)p_YG~Oj?8pnpf@6CZh%}r$8Rh=BpueoEqksX9WTm^Zn^~ zJQDw509a)4Us)@w*e|RK24jzHAD>&EfUw(br0s2v&dp5;OZ7!4C zVDJVCWkn&R-N6%e_^OR#$W>#|d=0K=xF&@U;nKq=BMLXI9_hDxZ{ES%J~SH8>9+g* zZl5$--`rde@DTErL(3%B?dIUJ+kv+??Q7N`i^W2?>;I!dO$nqtkonWCf`v%z;Lh% zs;rO}4GiD%Lf&x^M=YSjpxMLV(wNZ@bc`r`8b-c@FV9}eq=_LJo6yojBs-W!a6v}^ zFG1C+rAoE%5}NG+XlMiEO1GR4|EOOD)0g2^ZpsaOSwA}y9a#mWi9{x@zpMgjx^oZ1 zC?~9v=G<&ik2+?6{p;3iYI{}E^Vhp!87=9#L73^mFEXInE*?oYqK_AN^f5X;jGL)h zB^SD7M@a1pK3N{R|DTe_WBy;MsB8bPaR1j3z4!kez-Ij?PRzcb3Q#s(Kg9f#?&b zpCoMjBa=_9r%b6a!;>{wP+w$Koj60zggs)yCP_HssoifyLhXPi-yKY8S>Gy!WrZEW zn@Vz|ZLR;hyY>IF#^V2SrL5vfP%bn7FJKt3_x~Nhz51`aWB<=^NgV#qc>HC@Ka9P7 ziAW@jk%YT&fD=N*%(88^Wn2MoN-88J%A_0_;I$tk6HKNs#S3~Vp_K!#NoA^dTgYXw zpOD;i&7HtD|7R7V{M8vyTNHDr-VxAzXT18gyM?GJa|IfuQI6&XS9`>+@ UJ?vo*dw62_0|nhkG5{z507~FB<^TWy diff --git a/testdata/fwd_tcp_tc.tpkg b/testdata/fwd_tcp_tc.tpkg index e061afe5ebbec3b1227a7b4ead79cbf54b4b8a64..1487a253aedc01fe69ebfccbe7207dbd63c573da 100644 GIT binary patch literal 1701 zc-jG_23q+aiwFS3Tqs8X1MOMsbJ|7__gCFtv5^@&8COCQuL(Ac3E;+U3Wx`Q}hU-kN>@UCj*?`x2TR4NqW z?_z%Cdro`0R?-cvP&9OHPt$XGt*{4$ud)1792dkGnT~mbCOtC<9CtW3wYp%%%8H1PPPbW+xoK5KYc>=2BSh31F_5cZ zJ42XGrz-tyPP{QyEjGcqoO?QEmN_0V?h+3&SFKm=t5&1mX?J^fR=~fgl>(*-_s~MQ zWri?jL(U6i!mrTTDsn(vMD7iXT)|i_8ByyNOgETPUnb4~hCcN`)-~18)SRZ~4LLD$ z%7)06!H<~En$fu?qlreQAkNII4PI>B|5(%9#WLS;L zoZY_a%_UgQN-zsBpUdDfB4JihD`YJeZokt^Cbgid&s8!WxwliD}zDvUH=QYWPn-J?*u{hGaq>cft=$o9o{WtS7SZ zSpDbo#l`bq*9~6(hF;p$|2F8A8PJxfr)B8LZ`2PQ=3?Ee8fnnL@*OV}jI+4jz^9=< zYHx=R}cwBq}YiI|m5Z#E;!qszlCh`#r;l{LXhd$@5z{(6>WRs~1 z{yb>Y->;_8W;dI%W|8ARSsqI%$D4nukST!oV$ z^s%7$q^TKNqbeChuEn3=LQg-|(T}|6FW?^{UDST>Uv>Ju?z;-&G$LKs&U^jd>u&S1 zlG8*V4p?B=6jU@g=HGBqfy{DM%se{6qQjw$z(7h;6%#e1^AaA!I5&gv78%v7O+RJb zXgp5RR+__F8`}ZEeR3-q{E)fm2K$fOV;o`TE_HJ;=E2AGR@T*B#@@mZqgC6n5psmF zna9GynncSY0Y!Wc-#BBN?UwN*RV^^MTO z?|pM2NY}R|{?H0VfLX3z5GM!GP^OjUwNNTOi>t=VsmzFO>wfSb6t;QGb z3o+};zP`$)?qTZpF^%;0w;%rp@E_aO?>|MO#OuFQ)JvsYUcCR!7mB<3-v-^qe{9RY z|D>!WknbTIUkv^B<6nDbC`85BV6mwSLJPE4o=04M+ehlN{p literal 1685 zc-jG#25R{qiwFR>KO9E@1ML}WbJ|AGU%6kgku`QQu7o6B6C4;5z>V7&2*!0YZHLIx z0jfc#=n+C6|Gj%B1OkJd4-PX)SsOU*?(N>~0~}0Q6jFaX-(&P|6b7sQPhEyI2%km= zcW^PE-|GKTiTl53Xhz8}42%=Kn9msppgoQHhv9$j|3f%b6j*aRD9Rx@gn&i9MIjtf zn3w_X9zLO|2F{qmbVOZn!sCEbeM)`pYaDA9VLP`&{0biAZ39T z>IcjR#|1G)q+{NqO3w@e#~sd9txj0cvO*%H(`{BHu3D8)o6W?21c_QB22vGlX9&~j zRHdKIi8rRI#U{whv1emund1@TCh#rNwXW9i$NAG8nkYUXb(As` zhX$#$iH9eG8(C^du7t`S2m$~SeA6e;gUuog7oMbR#XGE=<_+h zNu$6HmKxM9lXKG%O%xc?iu+&=$z0r%>Ebo=*I z{dec(dPRQz9OQ1T)o5SB2^4aLJiK^8(iMG0PMFF0&2rWPi_>(Rf~C%amhhc$LR@pN zN=#o#P_3@7FP^hhmy9;?a-U$V3Ip*&810Ab&2D9EyMe-4+<QAJWDh_$+FfDO*epQ(#{ywBOQ)n(_J(w^0V~j zIAT87vbBkMM}hYo*mj8q3Qu5AC>#e_QFQ)(mOWlE=W+Hpp~qFA;7C@QqRwkmK~9{< z$**9o+kq-Xw_>y~^}Ib3@ra3VYg%_hpJP_qN*OP*39EwtRw4+hsRl1G(P9^AGp!&~ z7aPsRJIDJboSIIYJ#kSFA%h`<$ooNL54@VUp}erJ!mA+kF`+oq)C{drl?)=+;&*T% zrytAcN8a-n@Hfd^)_(0@cly2V`-*O8By&@{==FPVy3MOfP7@V6V1i*$P|@I&|H7*Z z$jezV^5g`Q4u>{22AL#OF;Hclr|=-|b7gFA5mC+B^i$T2#^WSxGxN6A#&Q5~om`8I zUlJ$XV*PPtcQ1atXhHe`Cy{%-w~#Ap8X?UV9;E%(P2?e$wO;)V zFwep^5I%-855KukxNdYvx7m679^Q4KR>NKqTJ2`H+wPKDpIJT()#i(7wi;i!F6>!X*7a2uwE?MbLK^Ai z@816p^nYwu?|+I$iRXW*sFzB)ye6Li7K;1)-v!+7|JaV-|D?1eE#E^rzPR-}jNkUm zkcfh@z+zJugdil`IpZ+@Cx`z4Jskt>04M+ejuk*H diff --git a/testdata/fwd_tcp_tc6.tpkg b/testdata/fwd_tcp_tc6.tpkg index f7762488e7ee0d5a252fc7dfc8be071214728634..df45e9e5b4d96cc74274bd1a3002d38cadfbf790 100644 GIT binary patch literal 1699 zc-jG@23+|ciwFS3Tqs8X1ML}WbJ|AGU%6kgkr_J~S3=?;Iyf*UfE%|l5RB_)+76MW z15|@f(Mcin@!z|r2MCPqbYhcf%Z`QacJFrYc5hd^=i$s6_@;}Gu2{C0+j{~~5z6IK z^wx_j?-=$pwXEgUl8(=wsufDAwg;uBSj;*E+&4Ucy%`I9>fJr=A^N`*hHLgu_kGHJ zhkv;YVPJjD?rHn$nl9|G7Ih7eiHi0wYdYFr{c_O{!~fj=$KV)K%BlB}dLRrALwiC= zw$nTN?yL>;lQDHCR5969A=!Ta4HR@$C8X8v_udU&wQvkMulF0Tfw?BLD17keF8&Ip zaM|pVUaR}&9lY&9y$<~bv^%X{uhS#-=J%HueK46jAJ`VTXf^t0oi@C^Y+Z;3nayUI zvv#Jwpw!zJSFPRxpV3q$uPOyqDXQ^eTJ7d%uB+czUDuN=Y6DW+gv_UxzkU1P=l>Qr zA4SGP{$DJWWB<>qD#ikQifVr6|J#692B&RwiVCDGPky8xx0zD`O;Jgca?`V2KSZ1| zZ)SKFc+~giU^~K@;H;~|6unF#4UZaPVAJrC7IS`~6?*pmP`e+379Vz|%$QFV_Z z;{pFKXhk*g|FT*rg#NFUcK*K&*oS>tUUwK--Y5IOS>Txz{4s^8!Ey8O5j7>!1DK7e z1Gaz21r;6aXOM@WC^^M9w1KZl~9;W}iQYY_HyKcFy4lN`+DpUc4Ze?N^=4#gJq$IlWrW zT3~UShEqD1{RJ%oFC9O?kg-!6Vh6)lv81;w4TfOSU za=092>%<;LihCyXB)y-FZF3CSaNK+8SlG)UnP^&W%%(IK9qin-?c~yYhBk?2f$YL! zSs?4T0;a>EhB#%yMv$)^XmAjz@2pwPK1**i6r(T56b^ar zM2P?8BzL%?(!<=suC3?fP zVcv{9fg#;qt15|utwM*1hp8Q*3n`cX+5nVQ=N_aG7W!&4rhiPxloeS zGZ--l+;2h`f|s}ip<0m%*We}hJ@hIuXlD54xJHJ7V~Q_$$Y&7o7zFO~7w`wkoY#LE zTy_VTuU4^ICz-4IS%1)f-D_P`3)mG>(aSJ1sH$)*-te*t+2yPVd31!HhfRx-OeQ(6 zcv`cX@Z;ggqb^9KKEF7y0Du~f9BLRJk0i7QICrbsISlasnp z+(mfq*)Tjrwn^`lmOj`LUz;U;jf!Rm{{-&K|3v6|3>gpAe+6A%yZ_TmSQ75?zb!!I z$rX~p-)qKgAB(L#$?Ss@Ol5zJ;Zzh?7`H?KsX+J@J|P)Y#)x60kYjZGc|{85b26WE zj0Y7Ap(51Dwp&cK^$N@>$Byk$(+{gVg=EaJ#~5;wq>zQ@gf*$?;Uo;j@`r$Wb9ur{ zV=@lQIb=xUpeg^3@f7zEPr`3;CZQOXh2^DGsc0v0hH$crN-22g{`WCtJmmjny|B3d z(F%Ft|GK*K|E<97`Y+1H{zDaDI!E8fq%+)4s`#p5x;KK^Y^J1dyCov9Cm1-w0w`T{ z+!_miB0o$<13xTU61E~`jI(Vnh1q(Nn}wZJ>a?6PrsfS84xdp^617~E45zM(r9@1U zTSikmKS+d5I8FL(%w7d9&Q?V^N5ZDM8vO3P|6$wlf4!it{r^YT^Sk@st-yx+AGT%x zPf1A}{yrI>?fCnVx6hG?j4>HtGY3LONVu^l6R~YvLD-ZvNbV+*dk7xj(2$r=Qq^c! t#V;7euDoQGD&04*OHpsJ+~lM?*uf5Vu!9}!UEo001m`L#O}% literal 1686 zc-jG$25I>piwFR*KO9E@1MOLRbJ|7__rKhy*vO2Xj4L7W5FH#C6Tpqz7zoC7Gi`^+ z(gCVLQgl)j`uOhMJ0TDl+v&t6)0Q=l)9&5w-R}LCz4I`#27&3}TURXG&+R<{sYvB= zDgM@rE8lb4)6_El70RWOwx?=^lBVuK=_w|&P9X~nA7C$X!+`pC_j^eGFQwsH{L{|? zWr4%K+y)P@z83d%{B=zi@h|EcZW9&bU)FSO57aL={V@H{<9`f}F{O<9AE^&K;4ri& zlw>=-v+vH@KtCB%Z$cH*ohl^T@4tb9uBwEz+Wp?U!K)VbA?Nje<2AUR=~@&%1Tzmm zxl*`nc1f?*ee(|9_Ml#eegoQ_RFIAj{`cYE zV&T%jvLv zI$#Hfj7t$+{Sa+Q_txYc%O0 z6m4fTH?=xo#mb6^kY2kv=yrPjYWDea$oA^(X6GD^pj0Ro;l&Gb*?!fzTy#k~lhdo^ zs09~?X*i^F*bw_1hv}w{Ngc7b4hDcUmg?OtinM&38Vk8d#hKS zSPqlpYMt1_*m2LepQQKE*fz(I75&~z$2?vR$;88QV|Pk(@y5l%I$MUAe4aNG)8QP<`4#n&XGKE8y zJK^SkImsQaxb!f0n8^E`MUP~*DJceRAx;9w#V=Qu!%agC!fVl5_&ap2-O#bbrbIMc z8|KZ(=N!`QwW<=|*os85_>fDw%J?!9MNpfw(>_`(BkiXZX6j+1zf2?8;KRtUV+bWh zy$d53Lhl;^A$W;X;I8GBa1CCvz(-W^PLUCq;~E);j>&()g`PpIV-R}JU%($Eb6)>x zaM>MTy;{}sD#={c&-#P@>t5@kTEItc6;XzjK~;rg{tYjykX??7nMX&6JZxGn$z+oK zin}$daU2gvKJ`G#<|WRkPjT6m|{t4Yz|MArI7&aa{{}l?wwfjH4w7dV=4#h~W zkPLoayUY&ou$3p7eQ?659E>rY^1~J8EuKIsAby2UNCurTaxqiLbN2k_6(v~D$!x|j zA5<`f@>D0=UNP0yD=?!BA8enRfjHeMLWBud{t!}sCQn?`n2g1t4Tq6=YLtJ+tcf#q z#Bo)^U))S0F)RxYky53ioy_ZilU?rlEPCkv_c3fdg#WT$Sls_;g*?ZEfLN=!IUBnKce6*48)-& zQOirld9}?XQLQJnnRrN*PRk)ZqA6>T+)X6+5G=&5LYPQWr%`c=UnrVGd8sOObl;#Z gCB3C`6G(ToqaE#NM?2cljvkTz2Bw4&RRAae0MdV2bN~PV diff --git a/testdata/fwd_three.tpkg b/testdata/fwd_three.tpkg index ca8946971d39f70f2dd2e03134ec70e7198b8a34..860b17a777ab694c3827766060ca922b166de541 100644 GIT binary patch literal 2023 zc-jHy2N?JtiwFS3Tqs8X1MOOEbK1rh_E+{-oXAX^Op4G-yi9RmOl;iv-UM8Xn`YV$ zk);JxgQQ3z#O=NRy=PYvk}$++$8o3WK2EIFp53!=XU{%+(5b$sQA4lkdr)jMrHu8xAK+|3wD>gOa2eVq_Fwp6e>8kMe$m4+i@N=bH@#sdC{az-HPz76nwIpZ*FSlfuIanFrf+nu{@`6Rc6H6z z=vt%DwZGdACH@}l^8daUM)%dmUH+eHHSYhL4cct#dV~9aYBZ$(e+cZuex(A%b%#o2 zpX@{EEdz@|G-I$ZLmWJOz?tI51FUAu1t&TPxinzpC#Xz7RjX>`Ur$vmrY1Fhfya+i zMO);>R>bjhM;mJeqHsZdK}7fnY!7Zwh>Fd?_Es(kMJTv-=5s!1?14yDD3nj%oQ%)U zPEfiquNj0(EGmSl1UglleW~EvgozhiGaF*^1SZOa1{?q$ zpT1+yoiJ*@n@j`dgOU`+?3Thiqt3l4{0~CRt1vhStGNPDtscB1m;pXGE|e2phd4x1 zihJp=6Sq2Qdu}%DrF-QqT{|22W&g$CvcGHaIq5CE?4uKbCeMz4Fn0NW%X269)y5tE zU#r!Pjr(6iYv|JdKLldt-y$XaedUEtbkl+w?1MMAK_?}5xu|f1Fzv7fbyD)ZAZo$U z`CvFYA|;%Xspq)UN|HUe9BoPh)19&wSGCR(IxSyhqR}xc@&asCQAo*}1)dkh=_PiJ z6XN)dS9-r>fy2Uz&w`{=Euf-cCAy27KN z@*6rt9CM;xMg6J7wCw=1sNPgH{Gmrjqk$Nc@^!koPu>6TtBpJMzh0va&j0jUL(^%^ z5d4oe<^F#NZ1O)rs~(d7;qKjJb)4oP$w}#;V_spCz8Qw-J^m~WBj9J%6AHx++A)gICa-0L<(iGxMAZC!c2#Auld&mdql2WW|@Lz?n zdC1cDz83+{D+%gG$;2VqJn*?e8-T>m{*@`{B)y>UnAb*{O55c}pQA|Mu1H@i(mzv? zv0ag|R%CERB7}k`TFipKg>ur{%?y1r!ytu~O~)Ir?0WRu%IJkM`qnZ=p^R}~MidGw z+F0FBnh`D95d|lNO=A+7?rn>@t+<{k){BbuZHo2JR@}%G8%4#&HpRvc#sA)$%&zm_ z4y}7@<4*qHsN?xxZ&FQfY7Gs~e@q+l{C^0%FhkZCG@RdYBf0SjX+0Z zAg@iwjqpESMZgYJc%vSxU3@sdx>FNd49PJnnTm@7IrbJl5_mUik>iDZ!hGiP>j}wH zFWKC0k@FxwEY(M%axQKH#c&rHv0|oR2i@hzQ|@h1+c{DXX1BCBg?^J{VwJLA6r zySFy(*#8DKYHR*)7883UoS~{fp~l&84YrW%-(*sfr2W zP8jD8i}!}@x$TCPIONP3l9-c6e4dndtC?fXL;$-te5a%YDXvzXc?(vJ&ANK!xYfKK z)B4IwJ=HC3s%TpNE7OTLQ2IgNgQ*8g{~NJ^ z;CXU|;Bl`GJP)HloYx-Ki>z6POqQ<24{V`l9P1b_{U=Z1cT#%Y{c(JGJ{}F z(wpwtXgqp3>|L}CO$5*Y_gEC%v^6;7Pk7#ja#kzOeD)0Y9mL-)N~yJ?S(Pc@#mSeE zvaaxq>~lkExut~1^A8%xIYcYvh~J4(bcJ-|`VdoSyqRt;Ml*Py@5-jSi+Hy9hZPF8 zV~Z<-n7BtmGoS1-73Ia1VMilV2IXv4vPR;&CQT}dk1_u*tk!x*^R>WRE5nwB0gClG zc;%qCba@ho%tNgQysNmDDk(11`ckOes-hGcOf7Y5a~Hzyy@@a)$6`BM%Nw>5Zq!ob z-xNqlNJvOXNJvOXNJvOXNJvOXNJvOXNJvOXNJvOXNJvOXNJvOXNJxAM`~h5Wf7k#} F007QD@~!{? literal 2012 zc-jHn2P60&iwFSDKO9E@1MOPpq;N3(!2)pmmF-WP#} zXx8h=XQNj5OtD9`CjJ=Bdehj`sG--Jdr!@M!@-brPyTaxF#^l;Z^n)d;hZtQt&@x1@#t*Ohwm?Y z7yN-NmrGhY>zBGKQMZ5brZ-#*N>o#IO*J&NrltMq^-mtAYx=IP=^I_EKX})SU0pLa zy4EOk?eF$OiN6QC;=k{O(S6ytEB;fh#^ZmpL7PooZ}9j}jfRZ>4}pEyuT-G8?og@h zlYI!iIItK*GX@JY#KFS{oGE@hz;ec1aH4~dO9MuJg31I`wW>z`^;E@bYTDu#c>Fk1 zv_)RDB95OsY^)TB$_4cW5#b}SJ-9(3DmDY#Te=_=q2St?&-tLS2ja0pp?v!0WPE;h zg3^U~%^-}ist{%p=u~a?q3Xt1rgt7wu4v-8HkeqzK1P8F6EC=CHYDT;Oq2-?H~>68 zeaD_VVbp#%nFh=UC9RCbEroYRoqJRGAB0#|VQ>&ua}}UkJ$Og30DN#GVJ8VInlzcCUT5xne z7>w{bj*sp0Ie!YV(xv+0*8eap9QJu z7En@(LskiILX43ua53oFUd8nyQTwJc_bhWh!=p>cFib8n;8%Xbu!ke#tQys;s6UgK zwjE#*)tjn@KlJEmG!Q*kzP4cYsr&zZ*|=l>>owZo{7L<1`0JPDTeE^9oJ+W*B1h__H*SoDX|#g`39xFBoCQGzqh29w;5Kohk6F zf|^fuD1;XutpW>F{2Uj;P;t8na<_;vKtB;FluW&4Mu1U^mxT)9ZyDDUFDV`41?wg= zW?dtF43{{Cd^Y&VaSlYVQ;0KxghA#qAWCNUkPpx$r9{`@zY1aVkY(?EF9Kdx64Z^7 zi9^=&z~=^i0MZEjSEito_JYD=-Wq8tZI>T?jv{@#B7LPu|4c>3c16ZYk--&-6bhbb z2@C!f%4u&m3-rwbgA`Ua8*j3*tI=<(qZjJvTk9BwI>voDQ7F7|2%;`&;#UR11aQ>=fs;>KFBQB-VfQ*7)|{Po^scAfurXx*EQJNbX3j^}^9 zNj1HxH8ec`@!62)|3lz~8M3}0$g8y{KVZOcJQr!Vs*w{GT7lz7qTn>)&&5arJYcyN z`v%W)Jf|SNFR0`gKY60(PLn z8}(T2;)nCAJ2lZ_NRCm-R9qCuvA6J%+PhJU953t><};UHPssY|C7b&#avtP|rTR!z z&cz*}nC>DYRxA|kpc{WY<v&OAn)|E4gpGyfZ~d$V!J{x_&mTk(Ix zsEhrtOaA{LxRw76*uRPW4^v{;E^Ox81Ok zq?|cJ5_9s1&y(_QIdiO;NMQGd@05%nCC#ccZ^5dGTUW0fx0=_3oG57}D0bE@uJl{j z{38MAWL%Udg^^~b`EpLPa|7fB>BElUiPSSsJR->#SEzL=Tx6VnKB^uRru3kCkjaz$ zji{0JHYZIJQ$n0AAQwM}V#X6X5MPO>)oiEKTDT8Z^ zQv{tHInQP&msDTRQlT*SvURpN>%TpNOVddz6POk&sK2e!~NPIQc8|H)JMos?d8e;i+)k4M9|ZK`Xe^rm|@8joHMdlzj( z6R9=8Jr)HwZ4D0jCp>RMdEF{0eD)0Y9VFjdlrnEcw<=SpL%DTb})?YVdo?A+J zJpV!iIft-Pj`*DzMOR2St`G4Eop-I9i_s0<=ex40?jo5j{>2If+p)zJK}_5up_xy1 znTq=2%CN)8ltFntD{CXkU6ZDb#FsJuFRa#TNAtD7TPs7$!U4tl9K3QcTDtrZhs;y0 z2fVAemMSSO)ap{G+-jl}3}&9X)!c>fdv79~$g$W?Yk9|3!i`pn{F?#^2?+@a2?+@a u2?+@a2?+@a2?+@a2?+@a2?+@a2?+@a2?+@a2?>cWfjHR diff --git a/testdata/fwd_three_service.tpkg b/testdata/fwd_three_service.tpkg index 65e6148d84c2ecce2d808de0f20791803e9703ed..983e47b7558797f64f58c9e16f2815fea7d7fdb2 100644 GIT binary patch literal 2012 zc-jHn2P60&iwFS3Tqs8X1MOOSciP4h_rL6?m?)e$IjMvmJZ?$gnAoIo8-t5+-JZ6G z$kGC;K~f|U;@;cu-r3ay35(j-C&xKy_UFVbJF_$Un4O*3^>l4dqIp2+B&5Ly$D)eu z1hu_S3Kh|6G~&-@z3`b}Pg7f(t~Q#whJ0GR)okoRAY=N8g`mXgiG%RasQ`PIurqROn*U=R8Jy1X4ICtVJU;oGOSeBu5 zy=D0^c?_Yq3M>lIoWjx!aSGrA&ezmgP*~5Y3r@5jGHO7{uOLrBQEE!$U(FO`Q<4_H z!;>eepb|Q2S%pZ+sv{akF!cg(T;OG_bj(Xs>6>BbxU)o6u|Yvgfken?a5Om`j>etp z)2C1!^#(`76L<~{qfv)v&&c`U)$lxHNtwy(i%qMn7Mp3Qo=)2g)jv!j54s%_|C)=T4m&H#ibf8)ORmVeNo*s zTFNTpKPwdk-K07{Q`unhvsI|feJPza%Zy59a&0>ChGK)l4HwJ5b%UiYuQ#$9;%J+ar}qYQ1P?RgLZH=`5f= zNL5{872TRmKh)gSVv$;Mr4mn-?YR`NpG->?e@TpV8Bp`;1(wj5H?kQS&Eb8%E8F7E z;@QF_My#Cu%_^+ilMf~>=cmd4mr^f=1 zyVyxv9gdE_J01Z2XfFK)I|P>ssgB2Q!Dy-~A^icm%gL)g@{p6>`0x#QzUA2z-bdFy z{$@hSsDJwQ7x-}my&epP{n2PRBE6&U&(Fr_UHt0_I#ligJ32Y*AC8ZQ1Nia0f5r-A zy++d0LXliu0zpmwr~b(NUgaq{B|4^v%F?sb$IFbJQDhdG@1Mno$B%f$>-b^< zI6u5!(ZHeT=P=KAE&2_t!uW=Pat6~@$RU2PrblLksxHu*o#3qN{{gMh)|+izgF_5q zK}W+NC#K^@_@4%Cumc4yltZP5AI=}{%tWmrIYcQlFSu?4IrNr3DsrPXIb7OD)Tgc; zV*RG{hA#XzIStB&$ga7`DIRsDG^{6MT2AC=OKBG{yVRgJ4(u7vI1Bi(Y{8xAHt9Oe4+Ymc0wMGXr+J zpyV$-B*Ll>7M^7;<~%0$q44H#vkAs-5qd?m7k-tJif5O_$vt~0@q79-*5hAtm!_L0 zb81~-_!zEf5MSTp$QQB0y_VP`PaHw!ZbGC~Z+guf%NqV55xNLz`hDOi(k{X+=BIzzJd7n0Tdo)1qz) zZfpeWMZtQRVExX5n;XGKQLs@a*w`WX>&s;Bdj7K~%lqoME&i|TTJi6H@ch@s{m+9S zzWHyH3jV(ILMOtYS|=5EwUp!79fMnqRM=Bt8~CgH0jc0r%sf1b?Gi{PJHF-{}>+EYEZh~ zwc2Cy7(#CqSQMf;g{2wd6u<|Zuc@=3u%1&FoM=B})PRy-pf&|ruFH{sHIuQKob>n& zo;*nzmC#YjDnv?F9nmm?sTY9b0xx5wV_u?2-wZ>?oh71*9STwkBtk}mqsi%TH11TN zK85P2H#i!ez;kHo%?3PsM$QMXhUZz6v@v;ovFVl7VmB4L49~|IEp7Ll5vVoyKq_*~ zf0Llw-PSMevk{k;%G$CuL6hYZv^E19=MS6rN1cW3hBem24T&?2C+-oOC+XdK?pSlE z@^0h56LgUxFT5FO-6twM ziKp@Ss8fBEA1JFx3Ok0mG_NRFo;!7B+~7z^ZKzS$59V$;SF?cCkke7WBQZ0VB~ryN z^|WaX|5+&`=qA*)BENyR-E1=k$~Ua(Ji*@5b&S6uo0IqpL&+8(J?QtL%CtEy~QPiF!3 zL8@vJtLWBk`l0Tw7K_x9E0uVvY|o{DdNL_h{3S8cWkAiV7g$1L-tcB*G>7+jRkqok z#j}M=j8bjK2G@(?iF?F3v&pWiy!}U`s}}T(0jV9h(q?hAlhfD;#$h2xKNO8Na;owsUR@5)KYP0-0r<8Bs*iL zw7g+U;Z`pc__@zKfer2&|HZETell)}|5W_p@qg3M8j7y5_^+iHBK~^_ya49((_?|h zUF@W-4oAn|9}j?jG?)H@9fC`lRLA4DpkszcNPmFta`LK=ZOBP)eE0@D-|}n<@1tuU ze>0|J)IWXuGyE`uUJnMt{%ABDk>1gN&d5zh$Vcmey=A|KCs);r|~3JM({!#orHj1CW!Fru=^= z3AM$_Kf1VoilKCr$IuaD`1dF{R}451zL%MpFl) zW)myu$0#saEPaK!YLX9|NaGxE0C^#)&_{V3uL`2ulQ|8IxZy=C0u z|COe$X7|4hU1$DZZR*1RKLlQxAst}Y*}i!OkRNFfI-c7GRaVFm4XwcOBVO@3zL)^s z9^S8L;865)nCH6|{RUQHe8WI_1JjntA%3u~M`nbgF3_8u;H+!kg4%3rMq5+i5JOnd z&@jk}>9`U8r$HO+K!ywXQ10P}^Se7UQEEsIk;}{ruG>Hky`_(W+^9_sm-Z3$scVN= zzbU<;3%^ZHgR&vAYi@FiM_nlm>&cjw6ZzTFTYY?uM--ECYKG{r+vK(BEYNATzZ7Tq zPxAl!%D83!YYolF@_$v~??1XB-hUnhyW+q2{`Ft<0+hd%=MiBVX(qSqU9g=Qu-gSW zf9W9+R(-JWEORmEF|iMYH;0>DFm{X3E26#dtCW;IyDU!b*+Yrn)2Fc>|B|~j-E^5# z>k7lia7}~w`W{EVh#l^=#2$I#2r_pQBBgTEYv!2O@V^qFi;$+@2VMlMF1fg7?>w7% z@QQx@K2y+5v|x`K*c-!Cl|5+Ofst0uNXr;$cVwiOGtx6gI%5>y!8emA_&ca3+HO~9 z+Z8$~tZX{ocxAKEm$lIfZM4!hdZCT}sf;M(R|GLpC{{0W0|GGH;9|ZBu zf16bB_oWv)5eC&7skp0UEsotWxK&AoJr%Zrzq%ig3Qon$!=tE{R432rc}ifqGs;<^ zJy9#-(YhqXoD(xJ`M7>ssdTIW2h{t^E(f zf7IXQNsNRCb|s~lwv8!-q-rf$!5{S?`Ky2f=_}gc0s;a80s;a80s;a80s;a80s;a8 i0s;a80s;a80s;a80s;a80s;d6I{XFZS)Z2xPyhhlclECT diff --git a/testdata/fwd_ttlexpire.tpkg b/testdata/fwd_ttlexpire.tpkg index 3c3b120fc985f59fafe576d2f053e45b54425745..98e3f21d47efa99998955b7c39de07c44be01e2e 100644 GIT binary patch literal 1716 zc-jH9221%LiwFS3Tqs8X1MM08ciKiQzjA+t>hO~GWj40?@J0$R6zH0*0ZPcSzHN^> z_5ohN=h~)(ef;m!ooz6IjBV*-?S>NYS-O+%bSIr81~a=KhGTl?IX+cv$Il&nbWjnD zVljG_3MikEU((e)qKk;vjAC9p0QDoRZ!7%I_y2_%(3Ux&WmwsF@*VX9 zhq-0Y6qPh+VEK+03dDfs?h<{wV~I04bh+g92de71QHZ9_CUwOKrT$j4e>+$GT6QX*GgTf;luga9hxXDAa&$2Wd6Ji zq|PQDbEzAaNqu5Bs7GBpK>V`xijKW9>G=1TrFgis4hzCHJmN@?t`kDUk=pd`r8B0S zbH@w z4aNYnd`J!B|Xajv!3b(gyG8PO(=N0xVB*Ir-LVy+?5fchjb2j~ubEk;Yt4G>`(bTU$q`$m!ht*q<2mT z>W&=CHv8v#e5{Nu_OIoQ<^6BO_FvrF|4v|&{R^|&rTtHX`=-mI3=vJl?!Yl`P^5>K zuj3B?t{WhoZnGkB(TWs#gv8SjYK<63Rj{2Q%w{u%-kB3`OcjewurJ4+jhSVRN5Um~ zDZ_1ddut=$H{?nIPYT!2f;k35)-A?L!HoJ6aRxB-sRxp#D!QuVRi&Ux$(U0`xap^<@u%bA%@q^|c<>dzr$aWtloU`$a?0sBNGbBGZZ@h58& z{A^dhkYR=}W<$;+kO+Un6RjWy#7pd)IfCrgy?*lWSNy*lJWj^8_%E;NOaHGG4^&;% zjndx#?*dN2#q2Mj{s-zu-c}fIw%tAd`n&~c`zBeQ>g7wSN=UQS>%Q&3Xks67QR~%T z0rMowyQJ3m<_eQOi+S_DW0T8fy?5Sj!J8{g z1+hWUsbtPunc9LK5s>qA5LokU; zPVz6zr8w1i42CF~gksvZk0?zy6czupv$I}XOi0>0hChX^^&g);TE-Up&uhZ|qx&B{ zfT;f#_x0bMz{dKIPyb8VUpG!zD%qz`A=|CB8tn@>fnvT`fM?H0I;W{*lg>mGeBx0H zEDqCf2zt8(E$Mf{2~j?>$}#;WLA82+e$kkvxTLkIFW(b9u3=JyNBv>~d6uJUKzr!={Z9LMAz|cwDm@H{?N7BFO3zM=a~3$>Gh!6#*OL z0l;~3DOvoIIOzssmfKTo;rU(i=43ny@6%Jc&+anP7H%<0wH+Hnk1$f)6Tz7)JFAKQ zq5|=NkRgTaQY%X#Q8`A72l2U+-&b~PVbpvtFyo>qSsXyIKgX{fbeJx0;*xpXbR?c=XK>|qak*ux$^J@^A* KO8todC;$Lx@m7ui literal 1703 zc-jG{23YwYiwFSMKO9E@1ML}WbJ|AGU%6kgkr_J~S3(jGwKy;)KpM9(5E<9av>hT# z2dD;}B8g!7`0w32NjwZ5+Bid#mc>S=-Mihpz1zLrr9X9gQ8c1=z8g@*af95!CkGY5 zC>G;qsj%`);6PIi{N#<2S~^g*f>tUXK=IR0WgRAAWCZ{RQ#Ofc@NmCv^e+_pYx{o> z6WWiK!8f>6C_K3TMODN7FX?I?(M7~-Mlr7)fcgp6w-x^9`~SiUY0DbZGOX-7`GE$Z z%e*pZib@(Zv;)_V1ftJ^sTDYI)#!lbIneFChImj2t_RVOf^FGDO6mc%_>hJbA^U6U zz=bsf_y#nstbScqb*MKlyP)G?AQzVFMfgvHGB|+(*GgTf;lusa8(1hUBz5F6V8N^m zq|U}Z^Qae+$erTDnC4hy3-JmN@~t`j1}k=o?$r8}aW zbH@rp>XgY#%NUA11cuUZeWTcWP9q<3xv z>W&=CHv8v#e5{Nu_OIoQ#ru|sT&|2vssb2Xhn)WLh5M{ zezB{c%djFCu>t21N`$}RiB=E;;w5p;96@&LUO#*IJO1AbA17m5{Fm4Ch5y%z2db{> zMrrT=cLAs1VfGi&-~$a}Z!3&9+cwX?J#WFXeUmIt_3|ZEC8XKvns0kAn%IY2)VlRo zzVn zVuPSl$(*+`wK=8My1Z_h05Z3W?uiXGPc{lcCY?t;LG0r zcLA~Gmq`Y{Z&>I?voh!;a|qsKEJwqDTD+j5k&MrRs0?TP=077DRK|c|C?+T9_Ek5b zU@RwxvkpW^eJS`TC35%fDaijPBCm-@ zqJY&j-$`kT6%We|*_h_yqn*2Pz1%V%%&+26BK1qBwV_tvg-}iNEndNbBa)QMD%mH? z>*I)|@xbatos7pEn0tyqG^7s56pq83xO#p*%N?(1^f-5%(&M{8^hhVWL``leK~DFN zlb^$Szynp7+=$j(;YkXa{=#u%*|&p0RQ#5U3t4>0rCnwGvr|S;T}nbzEiF|67n)i@ zF1>8j7|(9kwKy*cq;Wli0fUMEm9Qaro}|kBhONT$FbdGDc&Diq*~2R7PduCda3lEi zVjjJT|MVIBPBIs@AA47w9){f&O;<_gx^~{}bzhmy%Sv7qS2duSMZv71!YO~k^9p1a zqhjRA37Q@@9gGk%>4C-Ln$@@=_u~>lR+l(pQ6EhYZzib-I2b7a&XY^Y;+MopHyE?r zo?;8n?}9fc<576OJeB+GE@N%s7NbYo5Dy3$P{=N{vJeuN zW3*%tpF8<;Ww+)=&G!N`E{c-H0Tlal{Mto_>G38mna5qne5$yY3R&H#dGSM98zQX; xOi$`YahKxUv%WY)u1z15wtTRq@ZP9>WVVMr>|qak*u&=se*q@}Yvuqb0055mOo9La diff --git a/testdata/fwd_udp.tpkg b/testdata/fwd_udp.tpkg index cb5482090add398607bc25854caa1d3594b94716..d3c3986662c5ed3c2a7832d3d96b0a561345c4af 100644 GIT binary patch delta 1652 zc-jGU28;QT4Vw)IABzY8#9Szm2Pl8gDSCv^$A9nM>49)?+;$wNP1(fgbbGgZx3Akh zO_tUuv|Poqy~5rn0u`ZJE=SKwY2z8go~BkcT`gC1y||}pdQ~s)LHScHC<~z<7#_gh zl7#{F?jCm^{yz$njQ*3h>(K}0!4+I7mG07iQPVZlf4QouXaH3W^-#|kkPy>?~{G-S?HM*f*FN{;p4{P9ZG3p&nYZt)B!s<^f}g}igJ!qgyMTWqC>P5mc=n83b)WaH(jm!Ua(2C*mG{lZ>ApaA^kz8E^%vC zB$CIMLNZjw|7Jo68gYMjRzB$#vNGD}%)D%sm1zW9b4Aw*yj5L=WB!DbI^@^0qRyiubT@x&T8!j!iIJj-<~8oT zlc`5tkn+03I~oOxzAHH4e4ZF=E*FW)Vh#mdC+CvKABm&J9yM-`v4u9frp?i41aGrT zxlQgek`}5Mxmvab4htf|JrR_-u=AQ2{~iUb-N9r^A-|T&nu$NBxGOE5#Me&#*w9w$ z$XpjDdLwcc1}J~@bNJH6AnEWXZrNpCaLAX6x>U%fq9AcY>4PcK2E)Wsx3aqwcF!il zh-{PI$t`Qxl7DL!GW^^J+7A8}Y|H<61bavx_vC+Su~f|D|04g>b$yrrJqARMT_ZXC z9W&n!RyEK`ZXcX*AqO*zu9jcpVT{L<8i)h=l;lttQ-*(mLyo)SlNK?U)5-qI$M8_Y zh>DTV_NW;!59vx6SIwEnSP->wsK-yG=*?m>Mqv4ENWGOjXQnZqF+UJQ;!r97icu7o z8qdKKIG11y%kr=b3r9u8f7)rB8JzAS(#K(I{fBaYNFMk3e?>2$|5vINty(Rir< z)zZ%Y9|M1G)qjj9W{+3_X1F9J-^Y0T<jZ#tN{$EkcJO6(SI0k;2CY7VOf#D^1zBhk3|K_|4^u4ig=M+=Ig+lVf;Y%o1 zRF#lU7b~jK^A3(77tLYo1u)lS7KOLL%Eez!lngrkm#^W~0Gdtc_Bw+>Z$O&uZ?7(g zSb(^zk!_L7PHTAH>%yz6&LwY<<#L%j@8+5*rrEu`?hMlYoTe(esuWeFq{gf0blbZ_ z{-1xsHvhML^Fevs=l`WrHTHiMt*a>Rf6F`ne-wCb__QnX=~(;Zd+PZ%b1>;wRMMut z>Dg`|I?keG8w>}o+I?^h^M(faW`Re8&~xzN&Q}U)Vb#EAw2c7iUQ-Ls=op|1>en?@ ztLbHEb%vm$5s(YRb^`pv5(F$yfor9uH1U67|Kdyy^UCY zwJ$fk+;#pxB#-<2zgj7$=YORv{9mtXJO6(S*v$WM&8gBkEUQl)@4BGRXXIKM-Vuit%1T;C^`wc;gnm%5%Z yqvj0;Rewo6iGR_FZpSlekCd=UE}NsNz3(JK=RQr|yDXD%1{nyr^v0V2C;$LbYdwts delta 1646 zc-jGO29f!j4Ur88ABzY8<3Ajc2Pl7#6rB`8AOF33rw78pb(?XVHf5cl)9u~v-M()3 zG+A1s(DD?^_6vKT2vme>xg0$!rHy9{dzxCszhbqbt9z=ZSBu&nlt0yivJkSs@B#Lg zZWvJi?s50w|D!O;=s#(DK7CLgT)~x6=`Q^jHC;pfm#dnpmMc{a^-#|kkPy>?~{FCZs?m7f*FN{!Eod74y81)=MVO>_GLH2r`4Qv^C`v&I zyql?l!<2Z&&v0;%5ZZ!AE+Ioq+8t09z{K^zc0jbT(>BJ)(lZ#dooUQ!bHWCf4HO}R zZhO@44Tkmn)2EOhG`sEI1ss1txmYg2vuEV0`@DCR4oL=+v+MP&v=^soIHh+rOmWG$ zBaWcv%mrzaV)jjfM&tJSqB(1JNo(6!t`js=A)uw&)_$byJ-F}y6TUHgV%LU zS4r-=c|IHsUko~z^&-AU%fq9AcY>4PcK2E)Wsx3aqwcJEGv z5!oialUvrXC3b5TGW^^J+7A8^Y|H<61bavx_vC+=0BY;}U#s%`Pv`mnF8}-V5IJ^@ zul_VYrWsI}(+mQMzdG4CVeCD!142=V#{42&vTo6C6a1NfcxddZa zmXBRn9x5vSX{Yh|f4Yl19}8RSKh(%W^0?3cD|!k2zruaLTGDmy|3$U5^Z&L|skMF>8VTDK}jIqOAIv@xk;>MoO`Id17qA6>Tlqg9#!a^J> zkO?M}n2LlxB@`z_Yf_mkehaw__5+e4(NrHblx_3>sJ?qR9`~RB{Qj?8!9!my75V*N zxuTYL{{I+o4E&r;Do1ex!%OgdZ*cz2c^Bw=W8r_zDW-%Ah2)3Bmr$&zDj}UNR#c4t*BK0Y1JZ1Ndv!U)0>oR5Y>QlW zTEp{R7hYX;E_s72m&@FFH`h!t&FNDGQFzHuR(x%MxZ7&cVXHgms zh67jaK6r+CLj!!Xz^6gzJNWSCD}}VMYTz^4Mu2p$sRd_r3{VC2>zb<7^fI(ML(tI( z$c14$0shAl1T0^HYo(<$@nQesObz74NDF_7Ohx%XTJFNb+Q12Fq_wcx)T0hBPRP3T zg3i4f>HF*L@GEW77bQkE$st3U?GiadGkkxBv5(W~8;nt_M$Qa-jz@Rx%MCAgo&OKX z<39hdR?6x5UnvX!*Q>kw|50Ew|Bo(azo0Kb+3R{y5hRsHeEr@4%bo%z7fLqMkq9&I zJx#AC#AlG~7l;pL!0$+v0@{d3pAzEy4mrMlXOg(SPcCc4OXeinfra_cache_slabs = 4; cfg->infra_cache_numhosts = 10000; cfg->infra_cache_lame_size = 10240; /* easily 40 or more entries */ - if(!(cfg->username = strdup(""))) goto error_exit; - if(!(cfg->chrootdir = strdup(""))) goto error_exit; + if(!(cfg->username = strdup("unbound"))) goto error_exit; + if(!(cfg->chrootdir = strdup("/etc/unbound"))) goto error_exit; if(!(cfg->directory = strdup("/etc/unbound"))) goto error_exit; if(!(cfg->logfile = strdup(""))) goto error_exit; if(!(cfg->pidfile = strdup("unbound.pid"))) goto error_exit; diff --git a/util/log.c b/util/log.c index a0b33a9ec..a63080947 100644 --- a/util/log.c +++ b/util/log.c @@ -71,7 +71,7 @@ static int log_to_syslog = 0; #endif /* HAVE_SYSLOG_H */ void -log_init(const char* filename, int use_syslog) +log_init(const char* filename, int use_syslog, const char* chrootdir) { FILE *f; if(!key_created) { @@ -103,6 +103,9 @@ log_init(const char* filename, int use_syslog) return; } /* open the file for logging */ + if(chrootdir && chrootdir[0] && strncmp(filename, chrootdir, + strlen(chrootdir)) == 0) + filename += strlen(chrootdir); f = fopen(filename, "a"); if(!f) { log_err("Could not open logfile %s: %s", filename, diff --git a/util/log.h b/util/log.h index f14256f17..fb4096375 100644 --- a/util/log.h +++ b/util/log.h @@ -78,8 +78,9 @@ void verbose(enum verbosity_value level, * call this to initialize logging services. * @param filename: if NULL stderr is used. * @param use_syslog: set to true to ignore filename and use syslog(3). + * @param chrootdir: to which directory we have been chrooted, if any. */ -void log_init(const char* filename, int use_syslog); +void log_init(const char* filename, int use_syslog, const char* chrootdir); /** * Init a thread (will print this number for the thread log entries). -- 2.47.2