From aec33b3d63f89d8f98546266f25137a016c9252f Mon Sep 17 00:00:00 2001
From: George Thessalonikefs
Date: Fri, 8 Oct 2021 18:08:17 +0200
Subject: [PATCH] Documentation for interface-* options.

---
 doc/example.conf.in | 59 ++++++++++++++++++++++++++++++++++++++++---
 doc/unbound.conf.5.in | 42 +++++++++++++++++++++++++++++-
 2 files changed, 96 insertions(+), 5 deletions(-)

diff --git a/doc/example.conf.in b/doc/example.conf.in
index 2bd106448..51e51b58b 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -218,7 +218,8 @@ server:
 # the maximum number of hosts that are cached (roundtrip, EDNS, lame).
 # infra-cache-numhosts: 10000
 
- # define a number of tags here, use with local-zone, access-control.
+ # define a number of tags here, use with local-zone, access-control,
+ # interface-*.
 # repeat the define-tag statement to add additional tags.
 # define-tag: "tag1 tag2 tag3"
 
@@ -274,9 +275,7 @@ server:
 # allow_snoop (recursive and nonrecursive ok)
 # deny_non_local (drop queries unless can be answered from local-data)
 # refuse_non_local (like deny_non_local but polite error reply).
- # access-control: 0.0.0.0/0 refuse
 # access-control: 127.0.0.0/8 allow
- # access-control: ::0/0 refuse
 # access-control: ::1 allow
 # access-control: ::ffff:127.0.0.1 allow
 
@@ -285,7 +284,7 @@ server:
 # are tagged with one of these tags.
 # access-control-tag: 192.0.2.0/24 "tag2 tag3"
 
- # set action for particular tag for given access control element
+ # set action for particular tag for given access control element.
 # if you have multiple tag values, the tag used to lookup the action
 # is the first tag match between access-control-tag and local-zone-tag
 # where "first" comes from the order of the define-tag values.
@@ -297,6 +296,58 @@ server:
 # Set view for access control element
 # access-control-view: 192.0.2.0/24 viewname
 
+ # Similar to 'access-control:' but for interfaces.
+ # Control which listening interfaces are allowed to accept (recursive)
+ # queries for this server.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the action.
+ # The actions are the same as 'access-control:' above.
+ # By default all the interfaces configured are refused.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-action: 192.0.2.153 allow
+ # interface-action: 192.0.2.154 allow
+ # interface-action: 192.0.2.154@5003 allow
+ # interface-action: 2001:DB8::5 allow
+ # interface-action: eth0@5003 allow
+
+ # Similar to 'access-control-tag:' but for interfaces.
+ # Tag interfaces with a list of tags (in "" with spaces between).
+ # Interfaces using these tags use localzones that are tagged with one
+ # of these tags.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the list of tags.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag: eth0@5003 "tag2 tag3"
+
+ # Similar to 'access-control-tag-action:' but for interfaces.
+ # Set action for particular tag for a given interface element.
+ # If you have multiple tag values, the tag used to lookup the action
+ # is the first tag match between interface-tag and local-zone-tag
+ # where "first" comes from the order of the define-tag values.
+ # The specified interfaces should be the same as the ones specified in
+ # 'interface:' followed by the tag and action.
+ # Note: any 'access-control*:' setting overrides all 'interface-*:'
+ # settings for targeted clients.
+ # interface-tag-action: eth0@5003 tag3 refuse
+
+ # Similar to 'access-control-tag-data:' but for interfaces.
+ # Set redirect data for a particular tag for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the tag and the redirect data. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-tag-data: eth0@5003 tag2 "A 127.0.0.1" + + # Similar to 'access-control-view:' but for interfaces. + # Set view for an interface element. + # The specified interfaces should be the same as the ones specified in + # 'interface:' followed by the view name. + # Note: any 'access-control*:' setting overrides all 'interface-*:' + # settings for targeted clients. + # interface-view: eth0@5003 viewname + # if given, a chroot(2) is done to the given directory. # i.e. you can chroot to the working directory, for example, # for extra security, but make sure all files are in that directory. diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in index 23a0237e6..73575d93a 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in @@ -675,7 +675,7 @@ The netblock is given as an IP4 or IP6 address with /size appended for a classless network block. The action can be \fIdeny\fR, \fIrefuse\fR, \fIallow\fR, \fIallow_setrd\fR, \fIallow_snoop\fR, \fIdeny_non_local\fR or \fIrefuse_non_local\fR. -The most specific netblock match is used, if none match \fIdeny\fR is used. +The most specific netblock match is used, if none match \fIrefuse\fR is used. The order of the access\-control statements therefore does not matter. .IP The action \fIdeny\fR stops queries from hosts from that netblock. 
@@ -741,6 +741,46 @@ Set redirect data for particular tag for given access control element.
 .B access\-control\-view: \fI
 Set view for given access control element.
 .TP
+.B interface\-action: \fI
+Similar to \fBaccess\-control:\fR but for interfaces.
+.IP
+The action is the same as the ones defined under \fBaccess\-control:\fR.
+Interfaces are \fIrefuse\fRd by default.
+By default only localhost (the IP netblock, not the loopback interface) is
+\fIallow\fRed through the default \fBaccess\-control:\fR behavior.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag: \fI <"list of tags">
+Similar to \fBaccess\-control-tag:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-action: \fI
+Similar to \fBaccess\-control-tag-action:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-tag\-data: \fI <"resource record string">
+Similar to \fBaccess\-control-tag-data:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP
+.B interface\-view: \fI
+Similar to \fBaccess\-control-view:\fR but for interfaces.
+.IP
+Note that the interface needs to be already specified with \fBinterface:\fR
+and that any \fBaccess-control*:\fR setting overrides all \fBinterface-*:\fR
+settings for targeted clients.
+.TP .B chroot: \fI If chroot is enabled, you should pass the configfile (from the commandline) as a full path from the original root. After the -- 2.47.2