# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
# infra-cache-numhosts: 10000
- # define a number of tags here, use with local-zone, access-control.
+ # define a number of tags here, use with local-zone, access-control,
+ # interface-*.
# repeat the define-tag statement to add additional tags.
# define-tag: "tag1 tag2 tag3"
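Review bot: the wrapped comment now ends with "use with local-zone, access-control, interface-*." but "interface-*" also covers interface-action and interface-view, which take an action and a view name rather than tags; name the options that actually consume tags, interface-tag and interface-tag-action, the way the existing text names access-control, so a reader is not tempted to put a tag list on interface-action.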
# allow_snoop (recursive and nonrecursive ok)
# deny_non_local (drop queries unless can be answered from local-data)
# refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 0.0.0.0/0 refuse
# access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
# access-control: ::1 allow
# access-control: ::ffff:127.0.0.1 allow
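Review bot: removing the commented `access-control: 0.0.0.0/0 refuse` and `::0/0 refuse` lines leaves this block with no statement of what happens to a client that matches none of the remaining entries. The man page change in this same patch makes that default refuse, so add a comment here saying so (for instance "# netblocks not listed are refused by default") so an operator reading only the example config neither assumes the older behaviour nor assumes an open resolver. Keeping one commented catch-all line as an example also shows where to put an explicit `deny` for operators who prefer a silent drop to a REFUSED reply.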
# are tagged with one of these tags.
# access-control-tag: 192.0.2.0/24 "tag2 tag3"
- # set action for particular tag for given access control element
+ # set action for particular tag for given access control element.
# if you have multiple tag values, the tag used to lookup the action
# is the first tag match between access-control-tag and local-zone-tag
# where "first" comes from the order of the define-tag values.
# Set view for access control element
# access-control-view: 192.0.2.0/24 viewname
+ # Similar to 'access-control:' but for interfaces.
+ # Control which listening interfaces are allowed to accept (recursive)
+ # queries for this server.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the action.
+ # The actions are the same as 'access-control:' above.
+ # By default all the interfaces configured are refused.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-action: 192.0.2.153 allow
+ # interface-action: 192.0.2.154 allow
+ # interface-action: 192.0.2.154@5003 allow
+ # interface-action: 2001:DB8::5 allow
+ # interface-action: eth0@5003 allow
+
+ # Similar to 'access-control-tag:' but for interfaces.
+ # Tag interfaces with a list of tags (in "" with spaces between).
+ # Interfaces using these tags use localzones that are tagged with one
+ # of these tags.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the list of tags.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag: eth0@5003 "tag2 tag3"
+
+ # Similar to 'access-control-tag-action:' but for interfaces.
+ # Set action for particular tag for a given interface element.
+ # If you have multiple tag values, the tag used to lookup the action
+ # is the first tag match between interface-tag and local-zone-tag
+ # where "first" comes from the order of the define-tag values.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the tag and action.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag-action: eth0@5003 tag3 refuse
+
+ # Similar to 'access-control-tag-data:' but for interfaces.
+ # Set redirect data for a particular tag for an interface element.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the tag and the redirect data.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1"
+
+ # Similar to 'access-control-view:' but for interfaces.
+ # Set view for an interface element.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the view name.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-view: eth0@5003 viewname
+
# if given, a chroot(2) is done to the given directory.
# i.e. you can chroot to the working directory, for example,
# for extra security, but make sure all files are in that directory.
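Review bot: the precedence note repeated under interface-action, interface-tag, interface-tag-action, interface-tag-data and interface-view ("any 'access-control*:' setting overrides all 'interface-*:' settings for targeted clients") does not say whether the implicit default counts as a setting. Read together with "The most specific netblock match is used, if none match refuse is used", every client would be covered by access-control and the interface-* options would never take effect, so state explicitly that only an explicitly configured access-control* entry matching the client's source address takes precedence. Two smaller points: the note is copied five times and could be stated once under interface-action with the other four entries referring to it, and "localzones" in the interface-tag text should be written "local-zones" to match the option name used elsewhere in this file.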
classless network block. The action can be \fIdeny\fR, \fIrefuse\fR,
\fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or
\fIrefuse_non_local\fR.
-The most specific netblock match is used, if none match \fIdeny\fR is used.
+The most specific netblock match is used, if none match \fIrefuse\fR is used.
The order of the access\-control statements therefore does not matter.
.IP
The action \fIdeny\fR stops queries from hosts from that netblock.
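Review bot: changing the no-match default from deny to refuse is a behaviour change for existing deployments, not a documentation fix: a client outside every configured netblock previously got no answer and will now receive a REFUSED reply (deny "stops queries", refuse is the "polite error reply" in the refuse_non_local wording). Say in this paragraph that the default was formerly deny, and point operators of Internet-facing listeners who want the silent drop back to an explicit `access-control: 0.0.0.0/0 deny` and `access-control: ::0/0 deny`, since even a short error reply confirms a listening resolver to the sender.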
.B access\-control\-view: \fI<IP netblock> <view name>
Set view for given access control element.
.TP
+.B interface\-action: \fI<ip address or interface name [@port]> <action>
+Similar to \fBaccess\-control:\fR but for interfaces.
+.IP
+The action is the same as the ones defined under \fBaccess\-control:\fR.
+Interfaces are \fIrefuse\fRd by default.
+By default only localhost (the IP netblock, not the loopback interface) is
+\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag: \fI<ip address or interface name [@port]> <"list of tags">
+Similar to \fBaccess\-control-tag:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-action: \fI<ip address or interface name [@port]> <tag> <action>
+Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-data: \fI<ip address or interface name [@port]> <tag> <"resource record string">
+Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-view: \fI<ip address or interface name [@port]> <view name>
+Similar to \fBaccess\-control-view:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
.B chroot: \fI<directory>
If chroot is enabled, you should pass the configfile (from the
commandline) as a full path from the original root. After the
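Review bot: the troff hyphen escaping is inconsistent in the new entries: `\fBaccess-control*:\fR` and `\fBinterface-*:\fR` use a bare `-`, `.B access\-control\-view:` and `\fBaccess\-control:\fR` use `\-`, and `\fBaccess\-control-tag:\fR` mixes both inside one option name; use `\-` throughout so groff renders the same character in every option name and the text copied from the rendered page matches the configuration keyword. The sentence "By default only localhost (the IP netblock, not the loopback interface) is allowed through the default access-control: behavior" is hard to parse; suggest saying that the built-in access-control entries for 127.0.0.0/8 and ::1 match on the client's source address, so a query from localhost is still answered on any interface even though interfaces are refused by default. The identical "Note that the interface needs to be already specified..." paragraph appears five times; one paragraph under interface-action with the other entries pointing to it would be easier to keep correct.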