From 46c45ec5b56c91c1f24eff78ac0001a6c2dbe0a3 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Marek=20Vavrus=CC=8Ca?=
Date: Fri, 1 Dec 2017 18:25:45 -0800
Subject: [PATCH] daemon: allow binding to either UDP or TCP
Previously it would bind to UDP and TCP, or TLS. Now it can bind to either TLS, UDP, TCP, UDP and TCP.
---
 daemon/README.rst | 12 ++++++++----
 daemon/bindings.c | 21 ++++++++++++++++++---
 2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/daemon/README.rst b/daemon/README.rst
index 1d891e6c4..06dffc5d4 100644
--- a/daemon/README.rst
+++ b/daemon/README.rst
@@ -509,7 +509,7 @@ For when listening on ``localhost`` just doesn't cut it.
 Enable/disable using IPv4 for recursion.
-.. function:: net.listen(addresses, [port = 53, flags = {tls = (port == 853)}])
+.. function:: net.listen(addresses, [port = 53, flags = {tls = true|false, tcp = true|false, udp = true|false}])
 :return: boolean
@@ -519,13 +519,17 @@ For when listening on ``localhost`` just doesn't cut it.
 The command can be given multiple times, but note that it silently skips any addresses that have already been bound.
+ The DNS over TLS is implicitly enabled if the port is equal to 853.
+ Otherwise both UDP and TCP are enabled unless explicitly disabled in flags.
+
 Examples:
 .. code-block:: lua
- net.listen('::1')
- net.listen(net.lo, 5353)
- net.listen({net.eth0, '127.0.0.1'}, 53853, {tls = true})
+ net.listen('::1')
+ net.listen(net.lo, 5353)
+ net.listen({net.eth0, '127.0.0.1'}, 53853, {tls = true})
+ net.listen({net.eth0, '127.0.0.1'}, 53853, {tcp = true, udp = false})
 .. function:: net.close(address, [port = 53])
diff --git a/daemon/bindings.c b/daemon/bindings.c
index bde8d7a31..b308a9ae9 100644
--- a/daemon/bindings.c
+++ b/daemon/bindings.c
@@ -228,7 +228,7 @@ static int net_listen(lua_State *L)
 int n = lua_gettop(L);
 if (n < 1 || n > 3) {
 format_error(L, "expected one to three arguments; usage:\n"
- "net.listen(addressses, [port = " xstr(KR_DNS_PORT) ", flags = {tls = (port == " xstr(KR_DNS_TLS_PORT) ")}])\n");
+ "net.listen(addresses, [port = " xstr(KR_DNS_PORT) ", flags = {tls = true|false, udp = true|false, tcp = true|false}])\n");
 lua_error(L);
 }
@@ -237,11 +237,26 @@ static int net_listen(lua_State *L)
 port = lua_tointeger(L, 2);
 }
+ int flags = 0;
 bool tls = (port == KR_DNS_TLS_PORT);
 if (n > 2 && lua_istable(L, 3)) {
- tls = table_get_flag(L, 3, "tls", tls);
+ // DNS over TLS is mutually exclusive with either "udp" or "tcp"
+ // It's not possible to listen on both encrypted and non-encrypted traffic on the same port
+ if (table_get_flag(L, 3, "tls", false)) {
+ flags = NET_TCP|NET_TLS;
+ } else {
+ // Both UDP and TCP are enabled unless explicitly disabled
+ if (table_get_flag(L, 3, "udp", true)) {
+ flags |= NET_UDP;
+ }
+ if (table_get_flag(L, 3, "tcp", true)) {
+ flags |= NET_TCP;
+ }
+ }
+ } else {
+ // If the flags are not specified, decide default based on port number
+ flags = tls ? (NET_TCP|NET_TLS) : (NET_TCP|NET_UDP);
 }
- int flags = tls ? (NET_TCP|NET_TLS) : (NET_TCP|NET_UDP);
 /* Now focus on the first argument. */
 lua_pop(L, n - 1);
-- 
2.47.2
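Review bot: Supplying a flags table on port 853 now silently disables TLS in the second hunk: the new `table_get_flag(L, 3, "tls", false)` replaces the removed default of `tls` (true when `port == KR_DNS_TLS_PORT`), so `net.listen(addr, 853, {udp = false})` ends up with `flags == NET_TCP` and presumably goes on to bind a plaintext listener on the DNS-over-TLS port, contradicting the README line added in the same commit ("implicitly enabled if the port is equal to 853"). Keeping the port-derived default restores that behaviour: `if (table_get_flag(L, 3, "tls", tls)) {`. A table such as `{udp = false, tcp = false}` also leaves `flags == 0` and is passed on unchecked; after the if/else, reject it with `if (flags == 0) { format_error(L, "at least one of udp or tcp must be enabled"); lua_error(L); }` so a misconfiguration fails loudly instead of yielding an unbound address. net_listen starts before the first hunk and continues past the last line of the second.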