diff --git a/.cirrus.yml b/.cirrus.yml --- a/.cirrus.yml +++ b/.cirrus.yml @@ -4,13 +4,13 @@ # gcloud compute images list --project freebsd-org-cloud-dev --no-standard-images platform: freebsd image_project: freebsd-org-cloud-dev - image: freebsd-14-2-release-amd64-ufs + image: freebsd-14-3-release-amd64-ufs cpu: 8 memory: 8G disk: 40 env: - PKG_FORMAT: tar + PKG_LEVEL: 1 task: matrix: @@ -154,13 +154,13 @@ - su user -c "git config --global --add safe.directory $(pwd -P)" build_world_script: - - su user -c "make -j$(sysctl -n hw.ncpu) ${EXTRA_MAKE_FLAGS} CROSS_TOOLCHAIN=${TOOLCHAIN} WITHOUT_TOOLCHAIN=yes buildworld" + - su user -c "make -j$(nproc) ${EXTRA_MAKE_FLAGS} CROSS_TOOLCHAIN=${TOOLCHAIN} WITHOUT_TOOLCHAIN=yes buildworld" build_kernel_script: - - su user -c "make -j$(sysctl -n hw.ncpu) CROSS_TOOLCHAIN=${TOOLCHAIN} WITHOUT_TOOLCHAIN=yes buildkernel" + - su user -c "make -j$(nproc) CROSS_TOOLCHAIN=${TOOLCHAIN} WITHOUT_TOOLCHAIN=yes buildkernel" package_script: - - su user -c "make CROSS_TOOLCHAIN=${TOOLCHAIN} WITHOUT_TOOLCHAIN=yes packages" + - su user -c "make -j$(nproc) CROSS_TOOLCHAIN=${TOOLCHAIN} WITHOUT_TOOLCHAIN=yes packages" package_check_script: - su user -c "/usr/libexec/flua tools/pkgbase/metalog_reader.lua -c /usr/obj/$(pwd -P)/${TARGET}.${TARGET_ARCH}/worldstage/METALOG" diff --git a/.github/workflows/cross-bootstrap-tools.yml b/.github/workflows/cross-bootstrap-tools.yml --- a/.github/workflows/cross-bootstrap-tools.yml +++ b/.github/workflows/cross-bootstrap-tools.yml @@ -22,9 +22,9 @@ include: # TODO: both Ubuntu and macOS have bmake packages, we should try them instead of bootstrapping our own copy. - os: ubuntu-22.04 - compiler: clang-14 - cross-bindir: /usr/lib/llvm-14/bin - pkgs: bmake libarchive-dev clang-14 lld-14 + compiler: clang-15 + cross-bindir: /usr/lib/llvm-15/bin + pkgs: bmake libarchive-dev clang-15 lld-15 - os: ubuntu-24.04 compiler: clang-18 cross-bindir: /usr/lib/llvm-18/bin diff --git a/Makefile b/Makefile --- a/Makefile 
+++ b/Makefile @@ -175,7 +175,7 @@ create-packages-world create-packages-kernel \ create-packages-kernel-repo create-packages-world-repo \ create-packages-source create-packages \ - update-packages packages installconfig real-packages real-update-packages \ + installconfig real-packages real-update-packages \ sign-packages package-pkg print-dir test-system-compiler test-system-linker \ test-includes @@ -219,6 +219,8 @@ .ORDER: buildworld distribute .ORDER: buildworld distributeworld .ORDER: buildworld buildkernel +.ORDER: buildworld packages +.ORDER: buildworld update-packages .ORDER: distrib-dirs distribute .ORDER: distrib-dirs distributeworld .ORDER: distrib-dirs installworld @@ -232,6 +234,8 @@ .ORDER: buildkernel installkernel.debug .ORDER: buildkernel reinstallkernel .ORDER: buildkernel reinstallkernel.debug +.ORDER: buildkernel packages +.ORDER: buildkernel update-packages .ORDER: kernel-toolchain buildkernel # Only sanitize PATH on FreeBSD. @@ -517,6 +521,9 @@ worlds: .PHONY @cd ${.CURDIR}; ${SUB_MAKE} UNIVERSE_TARGET=buildworld universe +packages update-packages: .PHONY + ${_+_}@cd ${.CURDIR}; ${_MAKE} DISTDIR=/ ${.TARGET} + # # universe # diff --git a/Makefile.inc1 b/Makefile.inc1 --- a/Makefile.inc1 +++ b/Makefile.inc1 
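Review bot: The new `packages update-packages` rule in the `@@ -517,6 +521,9 @@` hunk passes `DISTDIR=/` on the sub-make command line without saying why. A command-line assignment overrides any `DISTDIR` the caller exported, so these two targets now ignore a user-supplied value. A one-line comment above the rule would record the intent, for example `# DISTDIR is forced to / for the pkgbase targets: <reason>`, with the reason filled in by the author since it is not visible in this hunk.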
@@ -198,13 +198,18 @@ .endif .if ${.MAKE.OS} != "FreeBSD" -CROSSBUILD_HOST=${.MAKE.OS} +CROSSBUILD_HOST=${.MAKE.OS} # Unset for native FreeBSD builds .if ${.MAKE.OS} != "Linux" && ${.MAKE.OS} != "Darwin" .warning Unsupported crossbuild system: ${.MAKE.OS}. Build will probably fail! .endif +.endif # We need to force NO_ROOT/DB_FROM_SRC builds when building on other operating # systems since the BSD.foo.dist specs contain users and groups that do not -# exist by default on a Linux/MacOS system. +# exist by default on a Linux/MacOS system. The distribute* and package* +# targets used for install media legacy distribution sets also always use and +# require NO_ROOT mode. +.if defined(CROSSBUILD_HOST) || make(distributeworld) || make(packageworld) || \ + make(distributekernel) || make(packagekernel) NO_ROOT:= 1 DB_FROM_SRC:= 1 .export NO_ROOT @@ -518,25 +523,6 @@ .endif .if !defined(_MKSHOWCONFIG) -.if !defined(VCS_REVISION) || empty(VCS_REVISION) -.if !defined(SVNVERSION_CMD) || empty(SVNVERSION_CMD) -. for _D in ${PATH:S,:, ,g} -. if exists(${_D}/svnversion) -SVNVERSION_CMD?=${_D}/svnversion -. endif -. if exists(${_D}/svnliteversion) -SVNVERSION_CMD?=${_D}/svnliteversion -. endif -. endfor -.endif -.if defined(SVNVERSION_CMD) && !empty(SVNVERSION_CMD) -_VCS_REVISION?= $$(eval ${SVNVERSION_CMD} ${SRCDIR}) -. if !empty(_VCS_REVISION) -VCS_REVISION= $$(echo r${_VCS_REVISION}) -.export VCS_REVISION -. endif -.endif -.endif .if !defined(GIT_CMD) || empty(GIT_CMD) . for _P in /usr/bin /usr/local/bin @@ -598,6 +584,7 @@ .if !defined(PKG_VERSION) PKG_VERSION:= ${_PKG_REVISION}${EXTRA_REVISION:C/[[:space:]]//g} .endif + .endif # !defined(_MKSHOWCONFIG) .if make(*package*) @@ -1977,6 +1964,7 @@ PKG_FORMAT?= tzst PKG_LEVEL?= -1 PKG_CLEVEL?= ${"${PKG_FORMAT:Mtar}" != "":?:-l ${PKG_LEVEL}} +PKG_CTHREADS?= 0 PKG_REPO_SIGNING_KEY?= # empty PKG_OUTPUT_DIR?= ${PKG_VERSION} PKG_ABI_FILE?= ${WSTAGEDIR}/usr/bin/uname 
@@ -2107,6 +2095,7 @@ .ORDER: create-packages-world create-packages-sets .ORDER: create-packages-kernel create-packages-sets +.ORDER: create-packages-source create-packages-sets create-packages-sets: _pkgbootstrap _repodir .PHONY ${_+_}@cd ${.CURDIR}; \ ${MAKE} -f Makefile.inc1 \ @@ -2156,7 +2145,7 @@ ${SSTAGEDIR}/src.ucl ${PKG_CMD} -o ABI=${PKG_ABI} \ -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M ${SSTAGEDIR}/src.ucl \ -p ${SSTAGEDIR}/src.plist \ -r ${SRCDIR} \ @@ -2182,7 +2171,7 @@ ${SSTAGEDIR}/src-sys.ucl ${PKG_CMD} -o ABI=${PKG_ABI} \ -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M ${SSTAGEDIR}/src-sys.ucl \ -p ${SSTAGEDIR}/src-sys.plist \ -r ${SRCDIR} \ @@ -2220,12 +2209,9 @@ /^name/ { printf("===> Creating %s-", $$2); next } \ /^version/ { print $$2; next } \ ' ${WSTAGEDIR}/${pkgname}.ucl - @if [ "${pkgname}" == "runtime" ]; then \ - sed -i '' -e "s/%VCS_REVISION%/${VCS_REVISION}/" ${WSTAGEDIR}/${pkgname}.ucl ; \ - fi ${PKG_CMD} -o ABI=${PKG_ABI} -o ALLOW_BASE_SHLIBS=yes \ -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M ${WSTAGEDIR}/${pkgname}.ucl \ -p ${WSTAGEDIR}/${pkgname}.plist \ -r ${WSTAGEDIR} \ @@ -2244,7 +2230,7 @@ @for manifest in ${WSTAGEDIR}/set-*.ucl; do \ echo "--> Processing manifest: $$manifest"; \ ${PKG_CMD} -o ABI=${PKG_ABI} -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M $$manifest \ -o "${REPODIR}/${PKG_ABI}/${PKG_OUTPUT_DIR}" \ || exit 1; \ @@ -2256,7 +2242,7 @@ _debug=-dbg . endif -create-dtb-package: +create-dtb-package: .PHONY @if [ -f ${KSTAGEDIR}/${DISTDIR}/dtb.plist ]; then \ ${SRCDIR}/release/packages/generate-ucl.lua \ PKGNAME "dtb" \ 
@@ -2274,16 +2260,19 @@ ${KSTAGEDIR}/${DISTDIR}/dtb.ucl ; \ ${PKG_CMD} -o ABI=${PKG_ABI} -o ALLOW_BASE_SHLIBS=yes \ -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M ${KSTAGEDIR}/${DISTDIR}/dtb.ucl \ -p ${KSTAGEDIR}/${DISTDIR}/dtb.plist \ -r ${KSTAGEDIR}/${DISTDIR} \ -o ${REPODIR}/${PKG_ABI}/${PKG_OUTPUT_DIR} ; \ fi -create-kernel-packages: .PHONY +create-kernel-packages: .PHONY create-kernel-flavored-packages create-dtb-package +create-kernel-flavored-packages: .PHONY +.ORDER: create-kernel-flavored-packages create-dtb-package + . for flavor in "" ${_debug} -create-kernel-packages: create-kernel-packages-flavor${flavor:C,^""$,${_default_flavor},} create-dtb-package +create-kernel-flavored-packages: create-kernel-packages-flavor${flavor:C,^""$,${_default_flavor},} create-kernel-packages-flavor${flavor:C,^""$,${_default_flavor},}: _pkgbootstrap .PHONY @cd ${KSTAGEDIR}/${DISTDIR} ; \ ${METALOG_SORT_CMD} ${KSTAGEDIR}/kernel.meta | \ @@ -2308,7 +2297,7 @@ ${KSTAGEDIR}/${DISTDIR}/kernel.${INSTALLKERNEL}${flavor}.ucl ; \ ${PKG_CMD} -o ABI=${PKG_ABI} -o ALLOW_BASE_SHLIBS=yes \ -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M ${KSTAGEDIR}/${DISTDIR}/kernel.${INSTALLKERNEL}${flavor}.ucl \ -p ${KSTAGEDIR}/${DISTDIR}/kernel.${INSTALLKERNEL}${flavor}.plist \ -r ${KSTAGEDIR}/${DISTDIR} \ @@ -2351,7 +2340,7 @@ ${KSTAGEDIR}/kernel.${_kernel}/kernel.${_kernel}${flavor}.ucl ; \ ${PKG_CMD} -o ABI=${PKG_ABI} -o ALLOW_BASE_SHLIBS=yes \ -o OSVERSION="${SRCRELDATE}" \ - create -f ${PKG_FORMAT} ${PKG_CLEVEL} \ + create -f ${PKG_FORMAT} ${PKG_CLEVEL} -T${PKG_CTHREADS} \ -M ${KSTAGEDIR}/kernel.${_kernel}/kernel.${_kernel}${flavor}.ucl \ -p ${KSTAGEDIR}/kernel.${_kernel}/kernel.${_kernel}${flavor}.plist \ -r ${KSTAGEDIR}/kernel.${_kernel} \ 
@@ -2543,6 +2532,10 @@ .if ${BOOTSTRAPPING} < 1300059 ${_bt}-libexec/flua: ${_bt}-lib/liblua _flua= lib/liblua libexec/flua +.if ${BOOTSTRAPPING} == 0 +_flua+= lib/libmd lib/libucl lib/libyaml +${_bt}-libexec/flua: ${_bt}-lib/libmd ${_bt}-lib/libucl ${_bt}-lib/libyaml +.endif # BOOTSTRAPPING == 0 .endif # r245440 mtree -N support added @@ -2854,6 +2847,15 @@ ${_mkesdb} \ ${_zic} \ ${LOCAL_BSTOOL_DIRS} +# We don't enforce any particular uniqueness of targets in the above list; it +# may be the case that different bootstrap tools may have shared dependencies +# at different BOOTSTRAPPING points, so we don't object to them using their own +# conditionals and duplicating them into their ${_foo} variable to ease future +# maintenance if we purge some entries. These target names are purposefully +# unique and this is the only place that should be generating commands for them, +# but the target may have been defined earlier to express dependencies -- thus, +# we specifically want commands() here. +.if !commands(${_bt}-${_tool}) ${_bt}-${_tool}: ${_bt}-links .PHONY .MAKE ${_+_}@${ECHODIR} "===> ${_tool} (obj,all,install)"; \ cd ${.CURDIR}/${_tool}; \ @@ -2863,8 +2865,8 @@ fi; \ ${MAKE} DIRPRFX=${_tool}/ all; \ ${MAKE} DIRPRFX=${_tool}/ DESTDIR=${WORLDTMP}/legacy install - bootstrap-tools: ${_bt}-${_tool} +.endif .endfor .if target(${_bt}-lib/libmd) # If we are bootstrapping libmd (e.g. when building on macOS/Linux) add the diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc --- a/ObsoleteFiles.inc +++ b/ObsoleteFiles.inc 
@@ -51,6 +51,20 @@ # xargs -n1 | sort | uniq -d; # done +# 20251006: Remove libnss_tacplus.a (it never should have been installed) +OLD_FILES+=usr/lib/libnss_tacplus.a + +# 20251003: kgdb python scripts moved +OLD_FILES+=usr/libexec/kgdb/acttrace.py +OLD_DIRS+=usr/libexec/kgdb + +# 20251001: test helper sendto-IP_MULTICAST_IF renamed +OLD_FILES+=usr/tests/sys/netinet/sendto-IP_MULTICAST_IF + +# 20250930: Rename wlanstats to wlanstat +OLD_FILES+=usr/sbin/wlanstats +OLD_FILES+=usr/share/man/man8/wlanstats.8.gz + # 20250929: Remove ftpd(8) OLD_FILES+=etc/rc.d/ftpd OLD_FILES+=usr/libexec/ftpd diff --git a/RELNOTES b/RELNOTES --- a/RELNOTES +++ b/RELNOTES @@ -10,6 +10,13 @@ Changes to this file should not be MFCed. +5000d023a446, 03da141d59ae: + Add a "-f" option to "kadmin -l dump" which can be used to + dump the Heimdal KDC database in a format that can be loaded + into the MIT KDC. + See https://wiki.freebsd.org/Kerberos/Heimdal2MIT_KDC_Migration + for how to use "-f" to transfer/convert the KDC database. + 9cab9fde5eda: virtual_oss is imported to base. The audio/virtual_oss port will stop being built from FreeBSD 15.0 onwards. diff --git a/UPDATING b/UPDATING --- a/UPDATING +++ b/UPDATING 
@@ -27,6 +27,38 @@ world, or to merely disable the most expensive debugging functionality at runtime, run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20251016: + With the migration to OpenZFS in FreeBSD 13.x a number of ZFS sysctls + moved to new locations, but backwards compatibility aliases were + provided. These aliases will be removed in the near future. Please + update /etc/sysctl.conf to reference the new OIDs. For example, + + vfs.zfs.min_auto_ashift=12 + + needs to be changed to + + vfs.zfs.vdev.min_auto_ashift=12 + +20251015: + The "FreeBSD-unbound" package is renamed to "FreeBSD-local-unbound". + If you have set-optional or set-base installed, the new package will + be installed automatically, otherwise you should manually install the + new package and remove the old one. + + This change only affects pkgbase users. + +20251012: + Blacklist has been renamed upstream to Blocklist. If you have it + configured, rename all configuration files, firewall anchors or + sentinel files to reflect the new nomenclature. Old setups will + continue to work emitting a warning. + +20251002: + Audio-related utilities including mixer(8) and virtual_oss(8) have + moved to the new FreeBSD-sound package. If you have set-optional or + set-base installed this package will be installed automatically, + otherwise you should install it manually if you need these utilities. + 20250929: Both drm-kmod and nividia-drm ports had to be updated to either no longer conflict on LinuxKPI vs. native PCI changes and/or to keep @@ -694,7 +726,7 @@ Bump _FreeBSD_version to 1400078 to be able to detect this change. 20221212: - llvm-objump is now always installed as objdump. Previously there was + llvm-objdump is now always installed as objdump. Previously there was no /usr/bin/objdump unless the WITH_LLVM_BINUTILS knob was used. Some LLVM objdump options have a different output format compared to diff --git a/bin/cp/tests/cp_test.sh b/bin/cp/tests/cp_test.sh --- a/bin/cp/tests/cp_test.sh 
+++ b/bin/cp/tests/cp_test.sh @@ -90,7 +90,7 @@ echo "foo" >foo atf_check cp -l foo bar atf_check -o inline:"foo\n" cat bar - atf_check_equal "$(stat -f%d,%i foo)" "$(stat -f%d,%i bar)" + atf_check test foo -ef bar } atf_test_case hardlink_exists @@ -105,7 +105,7 @@ echo "bar" >bar atf_check -s not-exit:0 -e match:exists cp -l foo bar atf_check -o inline:"bar\n" cat bar - atf_check_not_equal "$(stat -f%d,%i foo)" "$(stat -f%d,%i bar)" + atf_check test ! foo -ef bar } atf_test_case hardlink_exists_force @@ -120,7 +120,7 @@ echo "bar" >bar atf_check cp -fl foo bar atf_check -o inline:"foo\n" cat bar - atf_check_equal "$(stat -f%d,%i foo)" "$(stat -f%d,%i bar)" + atf_check test foo -ef bar } atf_test_case matching_srctgt @@ -389,7 +389,7 @@ files_are_equal() { - atf_check_not_equal "$(stat -f%d,%i "$1")" "$(stat -f%d,%i "$2")" + atf_check test ! "$1" -ef "$2" atf_check cmp "$1" "$2" } diff --git a/bin/ln/tests/ln_test.sh b/bin/ln/tests/ln_test.sh --- a/bin/ln/tests/ln_test.sh +++ b/bin/ln/tests/ln_test.sh @@ -28,7 +28,7 @@ atf_check_same_file() { - atf_check_equal "$(stat -f %d,%i "$1")" "$(stat -f %d,%i "$2")" + atf_check test "$1" -ef "$2" } atf_check_symlink_to() diff --git a/bin/sh/Makefile b/bin/sh/Makefile --- a/bin/sh/Makefile +++ b/bin/sh/Makefile @@ -69,11 +69,4 @@ HAS_TESTS= SUBDIR.${MK_TESTS}+= tests -beforeinstallconfig: - rm -f ${DESTDIR}/.profile - -LINKMODE=${CONFMODE} -afterinstallconfig: - ${INSTALL_LINK} ${TAG_ARGS:D${TAG_ARGS},config} ${DESTDIR}/root/.profile ${DESTDIR}/.profile - .include diff --git a/cddl/lib/libctf/Makefile b/cddl/lib/libctf/Makefile --- a/cddl/lib/libctf/Makefile +++ b/cddl/lib/libctf/Makefile @@ -2,6 +2,8 @@ .PATH: ${SRCTOP}/cddl/contrib/opensolaris/lib/libctf/common .PATH: ${SRCTOP}/sys/cddl/contrib/opensolaris/common/ctf +PACKAGE= ctf +LIB_PACKAGE= LIB= ctf SRCS= ctf_create.c \ ctf_decl.c \ diff --git a/cddl/share/zfs/compatibility.d/Makefile b/cddl/share/zfs/compatibility.d/Makefile 
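Review bot: `test foo -ef bar` is not an exact replacement for comparing `stat -f%d,%i` output. stat(1) without `-L` reports on a symbolic link itself, while `-ef` resolves both operands before comparing device and inode. The three hardlink cases in cp_test.sh create both operands as regular files, so nothing changes there. `files_are_equal` (the `@@ -389,7 +389,7 @@` hunk) and `atf_check_same_file` in ln_test.sh take arbitrary `"$1"`/`"$2"`, and their callers are outside these hunks, so a caller that passes a symlink now asserts something different. I would state the chosen semantics on each helper, e.g. `# -ef follows symlinks: compares the files the names resolve to`, and check the symlink-related callers by hand.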
--- a/cddl/share/zfs/compatibility.d/Makefile +++ b/cddl/share/zfs/compatibility.d/Makefile @@ -24,6 +24,7 @@ openzfs-2.1-linux \ openzfs-2.2 \ openzfs-2.3 \ + openzfs-2.4 \ zol-0.6.1 \ zol-0.6.4 \ zol-0.6.5 \ @@ -60,7 +61,9 @@ ${FILESDIR}/openzfs-2.2 ${FILESDIR}/openzfs-2.2-linux \ ${FILESDIR}/openzfs-2.2 ${FILESDIR}/openzfs-2.2-freebsd \ ${FILESDIR}/openzfs-2.3 ${FILESDIR}/openzfs-2.3-linux \ - ${FILESDIR}/openzfs-2.3 ${FILESDIR}/openzfs-2.3-freebsd + ${FILESDIR}/openzfs-2.3 ${FILESDIR}/openzfs-2.3-freebsd \ + ${FILESDIR}/openzfs-2.4 ${FILESDIR}/openzfs-2.4-linux \ + ${FILESDIR}/openzfs-2.4 ${FILESDIR}/openzfs-2.4-freebsd LINKMODE= ${NOBINMODE} diff --git a/cddl/usr.bin/ctfconvert/Makefile b/cddl/usr.bin/ctfconvert/Makefile --- a/cddl/usr.bin/ctfconvert/Makefile +++ b/cddl/usr.bin/ctfconvert/Makefile @@ -3,7 +3,7 @@ .PATH: ${SRCTOP}/cddl/contrib/opensolaris/tools/ctf/common .PATH: ${SRCTOP}/cddl/contrib/opensolaris/tools/ctf/cvt -PACKAGE= ctf-tools +PACKAGE= ctf PROG= ctfconvert SRCS= alist.c \ ctf.c \ diff --git a/cddl/usr.bin/ctfdump/Makefile b/cddl/usr.bin/ctfdump/Makefile --- a/cddl/usr.bin/ctfdump/Makefile +++ b/cddl/usr.bin/ctfdump/Makefile @@ -1,7 +1,7 @@ .PATH: ${SRCTOP}/cddl/contrib/opensolaris/tools/ctf/common .PATH: ${SRCTOP}/cddl/contrib/opensolaris/tools/ctf/dump -PACKAGE= ctf-tools +PACKAGE= ctf PROG= ctfdump SRCS= dump.c \ symbol.c \ diff --git a/cddl/usr.bin/ctfmerge/Makefile b/cddl/usr.bin/ctfmerge/Makefile --- a/cddl/usr.bin/ctfmerge/Makefile +++ b/cddl/usr.bin/ctfmerge/Makefile @@ -1,7 +1,7 @@ .PATH: ${SRCTOP}/cddl/contrib/opensolaris/tools/ctf/common .PATH: ${SRCTOP}/cddl/contrib/opensolaris/tools/ctf/cvt -PACKAGE= ctf-tools +PACKAGE= ctf PROG= ctfmerge SRCS= alist.c \ barrier.c \ diff --git a/contrib/blocklist/Makefile b/contrib/blocklist/Makefile --- a/contrib/blocklist/Makefile +++ b/contrib/blocklist/Makefile 
@@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.2 2015/01/22 17:49:41 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $ SUBDIR = lib .WAIT include bin etc libexec diff --git a/contrib/blocklist/Makefile.inc b/contrib/blocklist/Makefile.inc --- a/contrib/blocklist/Makefile.inc +++ b/contrib/blocklist/Makefile.inc @@ -1,10 +1,11 @@ -# $NetBSD: Makefile.inc,v 1.3 2015/01/23 03:57:22 christos Exp $ +# $NetBSD: Makefile.inc,v 1.3 2025/02/11 17:48:30 christos Exp $ WARNS=6 .if !defined(LIB) -LDADD+= -lblacklist -DPADD+= ${LIBBLACKLIST} +LDADD+= -lblocklist +DPADD+= ${LIBBLOCKLIST} .endif CPPFLAGS+= -I${.CURDIR}/../include CPPFLAGS+=-DHAVE_STRUCT_SOCKADDR_SA_LEN -DHAVE_UTIL_H -DHAVE_DB_H +CPPFLAGS+=-DHAVE_SYS_CDEFS_H diff --git a/contrib/blocklist/README b/contrib/blocklist/README --- a/contrib/blocklist/README +++ b/contrib/blocklist/README 
@@ -1,21 +1,21 @@ -# $NetBSD: README,v 1.8 2017/04/13 17:59:34 christos Exp $ +# $NetBSD: README,v 1.3 2024/02/09 00:53:30 wiz Exp $ This package contains library that can be used by network daemons to communicate with a packet filter via a daemon to enforce opening and closing ports dynamically based on policy. -The interface to the packet filter is in libexec/blacklistd-helper +The interface to the packet filter is in libexec/blocklistd-helper (this is currently designed for npf) and the configuration file -(inspired from inetd.conf) is in etc/blacklistd.conf. +(inspired from inetd.conf) is in etc/blocklistd.conf. -On NetBSD you can find an example npf.conf and blacklistd.conf in -/usr/share/examples/blacklistd; you need to adjust the interface +On NetBSD you can find an example npf.conf and blocklistd.conf in +/usr/share/examples/blocklistd; you need to adjust the interface in npf.conf and copy both files to /etc; then you just enable -blacklistd=YES in /etc/rc.conf, start it up, and you are all set. +blocklistd=YES in /etc/rc.conf, start it up, and you are all set. -There is also a startup file in etc/rc.d/blacklistd +There is also a startup file in etc/rc.d/blocklistd -Patches to various daemons to add blacklisting capabilitiers are in the +Patches to various daemons to add blocklisting capabilities are in the "diff" directory: - OpenSSH: diff/ssh.diff [tcp socket example] - Bind: diff/named.diff [both tcp and udp] 
@@ -23,21 +23,21 @@ These patches have been applied to NetBSD-current. -The network daemon (for example sshd) communicates to blacklistd, via -a unix socket like syslog. The library calls are simple and everything +The network daemon (for example sshd) communicates to blocklistd, via +a Unix socket like syslog. The library calls are simple and everything is handled by the library. In the simplest form the only thing the daemon needs to do is to call: - blacklist(action, acceptedfd, message); + blocklist(action, acceptedfd, message); Where: - action = 0 -> successful login clear blacklist state + action = 0 -> successful login clear blocklist state 1 -> failed login, add to the failed count acceptedfd -> the file descriptor where the server is connected to the remote client. It is used to determine the listening socket, and the remote address. This allows any program to - contact the blacklist daemon, since the verification + contact the blocklist daemon, since the verification if the program has access to the listening socket is done by virtue that the port number is retrieved from the kernel. @@ -46,13 +46,13 @@ Unfortunately there is no way to get information about the "peer" from a udp socket, because there is no connection and that information is kept with the server. In that case the daemon can provide the -peer information to blacklistd via: +peer information to blocklistd via: - blacklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message); + blocklist_sa(action, acceptedfd, sockaddr, sockaddr_len, message); The configuration file contains entries of the form: -# Blacklist rule +# Blocklist rule # host/Port type protocol owner name nfail disable 192.168.1.1:ssh stream tcp * -int 10 1m 8.8.8.8:ssh stream tcp * -ext 6 60m 
@@ -60,18 +60,18 @@ http stream tcp * * 6 60m Here note that owner is * because the connection is done from the -child ssh socket which runs with user privs. We treat ipv4 connections +child ssh socket which runs with user privs. We treat IPv4 connections differently by maintaining two different rules one for the external interface and one from the internal We also register for both tcp and tcp6 since those are different listening sockets and addresses; -we don't bother with ipv6 and separate rules. We use nfail = 6, +we don't bother with IPv6 and separate rules. We use nfail = 6, because ssh allows 3 password attempts per connection, and this will let us have 2 connections before blocking. Finally we block for an hour; we could block forever too by specifying * in the duration column. -blacklistd and the library use syslog(3) to report errors. The -blacklist filter state is persisted automatically in /var/db/blacklistd.db +blocklistd and the library use syslog(3) to report errors. The +blocklist filter state is persisted automatically in /var/db/blocklistd.db so that if the daemon is restarted, it remembers what connections is currently handling. To start from a fresh state (if you restart npf too for example), you can use -f. To watch the daemon at work, 
@@ -80,27 +80,27 @@ The current control file is designed for npf, and it uses the dynamic rule feature. You need to create a dynamic rule in your /etc/npf.conf on the group referring to the interface you want to block -called blacklistd as follows: +called blocklistd as follows: ext_if=bge0 int_if=sk0 group "external" on $ext_if { ... - ruleset "blacklistd-ext" - ruleset "blacklistd" + ruleset "blocklistd-ext" + ruleset "blocklistd" ... } group "internal" on $int_if { ... - ruleset "blacklistd-int" + ruleset "blocklistd-int" ... } -You can use 'blacklistctl dump -a' to list all the current entries +You can use 'blocklistctl dump -a' to list all the current entries in the database; the ones that have nfail / where urrent ->= otal, should have an id assosiated with them; this means that +>= otal, should have an id associated with them; this means that there is a packet filter rule added for that entry. For npf, you can examine the packet filter dynamic rule entries using 'npfctl rule list'. The number of current entries can exceed diff --git a/contrib/blocklist/TODO b/contrib/blocklist/TODO --- a/contrib/blocklist/TODO +++ b/contrib/blocklist/TODO @@ -1,4 +1,4 @@ -# $NetBSD: TODO,v 1.7 2015/01/23 21:34:01 christos Exp $ +# $NetBSD: TODO,v 1.3 2025/02/05 20:22:26 christos Exp $ - don't poll periodically, find the next timeout - use the socket also for commands? Or separate socket? 
@@ -17,5 +17,48 @@ -n block unblock -- do we need an api in blacklistctl to perform maintenance -- fix the blacklistctl output to be more user friendly +- do we need an api in blocklistctl to perform maintenance +- fix the blocklistctl output to be more user friendly + +- figure out some way to do distributed operation securely (perhaps with + a helper daemon that authenticates local sockets and then communicates + local DB changes to the central server over a secure channel -- + perhaps blocklistd-helper can have a back-end that can send updates to + a central server) + +- add "blocklistd -l" to enable filter logging on all rules by default + +- add some new options in the config file + + "/all" - block both TCP and UDP (on the proto field?) + + "/log" - enable filter logging (if not the default) (on the name field?) + "/nolog"- disable filter logging (if not the default) (on the name field?) + + The latter two probably require a new parameter for blocklistd-helper. + +- "blocklistd -f" should (also?) be a blocklistctl function!?!?! + +- if blocklistd was started with '-r' then a SIGHUP should also do a + "control flush $rulename" and then re-add all the filter rules? + +- should/could /etc/rc.conf.d/ipfilter be created with the following? + + reload_postcmd=blocklistd_reload + start_postcmd=blocklistd_start + stop_precmd=blocklistd_stop + blocklistd_reload () + { + /etc/rc.d/blocklistd reload # IFF SIGHUP does flush/re-add + # /etc/rc.d/blocklistd restart + } + blocklistd_stop () + { + /etc/rc.d/blocklistd stop + } + blocklistd_start () + { + /etc/rc.d/blocklistd start + } + + or is there a better way? diff --git a/contrib/blocklist/bin/Makefile b/contrib/blocklist/bin/Makefile --- a/contrib/blocklist/bin/Makefile +++ b/contrib/blocklist/bin/Makefile 
@@ -1,12 +1,12 @@ -# $NetBSD: Makefile,v 1.11 2015/01/27 19:40:36 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:52 christos Exp $ BINDIR=/sbin -PROGS=blacklistd blacklistctl -MAN.blacklistd=blacklistd.8 blacklistd.conf.5 -MAN.blacklistctl=blacklistctl.8 -SRCS.blacklistd = blacklistd.c conf.c run.c state.c support.c internal.c -SRCS.blacklistctl = blacklistctl.c conf.c state.c support.c internal.c +PROGS=blocklistd blocklistctl +MAN.blocklistd=blocklistd.8 blocklistd.conf.5 +MAN.blocklistctl=blocklistctl.8 +SRCS.blocklistd = blocklistd.c conf.c run.c state.c support.c internal.c +SRCS.blocklistctl = blocklistctl.c conf.c state.c support.c internal.c DBG=-g LDADD+=-lutil diff --git a/contrib/blocklist/bin/blacklistctl.8 b/contrib/blocklist/bin/blacklistctl.8 --- a/contrib/blocklist/bin/blacklistctl.8 +++ b/contrib/blocklist/bin/blacklistctl.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistctl.8,v 1.9 2016/06/08 12:48:37 wiz Exp $ +.\" $NetBSD: blocklistctl.8,v 1.4 2025/02/07 01:35:38 kre Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. 
@@ -27,27 +27,43 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd June 7, 2016 +.Dd January 27, 2025 .Dt BLACKLISTCTL 8 .Os .Sh NAME .Nm blacklistctl -.Nd display and change the state of blacklistd +.Nd display and change the state of the blacklistd database .Sh SYNOPSIS .Nm .Cm dump .Op Fl abdnrw +.Op Fl D Ar dbname .Sh DESCRIPTION .Nm -is a program used to display the state of +is a program used to display and change the state of the .Xr blacklistd 8 +database. +The following sub-commands are supported: +.Ss dump .Pp -The following options are available: +The following options are available for the +.Cm dump +sub-command: .Bl -tag -width indent .It Fl a -Show all database entries, by default it shows only the embryonic ones. +Show all database entries, by default it shows only the active ones. +Inactive entries will be shown with a last-access (or, with +.Fl r , +the remaining) time of +.Ql never . .It Fl b Show only the blocked entries. +.It Fl D Ar dbname +Specify the location of the +.Ic blacklistd +database file to use. +The default is +.Pa /var/db/blocklistd.db . .It Fl d Increase debugging level. .It Fl n 
@@ -59,9 +75,43 @@ .Fl w flag, makes the display wide enough for IPv6 addresses. .El +.Pp +The output of the +.Cm dump +sub-command consists of a header (unless +.Fl n +was given) and one line for each record in the database, where each line +has the following columns: +.Bl -tag -width indent +.It Ql address/ma:port +The remote address, mask, and local port number of the client connection +associated with the database entry. +.It Ql id +column will show the identifier for the packet filter rule associated +with the database entry, though this may only be the word +.Ql OK +for packet filters which do not creat a unique identifier for each rule. +.It Ql nfail +The number of +.Em failures +reported for the client on the noted port, as well as the number of +failures allowed before blocking (or, with +.Fl a , +an asterisk +.Aq * ) +.It So last access Sc | So remaining time Sc +The last time a the client was reported as attempting access, or, with +.Fl r , +the time remaining before the rule blocking the client will be removed. +.El .Sh SEE ALSO .Xr blacklistd 8 .Sh NOTES +The +.Nm +program has been renamed to +.Xr blocklistctl 8 . +.Pp Sometimes the reported number of failed attempts can exceed the number of attempts that .Xr blacklistd 8 diff --git a/contrib/blocklist/bin/blacklistctl.c b/contrib/blocklist/bin/blacklistctl.c --- a/contrib/blocklist/bin/blacklistctl.c +++ b/contrib/blocklist/bin/blacklistctl.c @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $ */ +/* $NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: blacklistctl.c,v 1.23 2018/05/24 19:21:01 christos Exp $"); +#endif +__RCSID("$NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $"); #include #include 
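Review bot: In the blacklistctl.c `@@ -32,8 +32,10 @@` hunk the added `#ifdef HAVE_SYS_CDEFS_H` guards only the include, while the `__RCSID(...)` line after `#endif` stays unconditional. If `HAVE_SYS_CDEFS_H` is undefined and nothing else (such as `config.h`) supplies `__RCSID`, the file would presumably stop compiling. Either move the macro use inside the guard or add a fallback such as `#ifndef __RCSID` / `#define __RCSID(a)` / `#endif`. The same pattern is added to blacklistd.c later in this commit.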
@@ -53,7 +55,7 @@ #include "conf.h" #include "state.h" -#include "internal.h" +#include "old_internal.h" #include "support.h" static __dead void @@ -63,7 +65,8 @@ warnx("Missing/unknown command"); else if (c != '?') warnx("Unknown option `%c'", (char)c); - fprintf(stderr, "Usage: %s dump [-abdnrw]\n", getprogname()); + fprintf(stderr, + "Usage: %s dump [-abdnrw] [-D dbname]\n", getprogname()); exit(EXIT_FAILURE); } diff --git a/contrib/blocklist/bin/blacklistd.8 b/contrib/blocklist/bin/blacklistd.8 --- a/contrib/blocklist/bin/blacklistd.8 +++ b/contrib/blocklist/bin/blacklistd.8 @@ -1,4 +1,4 @@ -.\" $NetBSD: blacklistd.8,v 1.23 2020/04/21 13:57:12 christos Exp $ +.\" $NetBSD: blocklistd.8,v 1.8 2025/02/25 22:13:34 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd April 21, 2020 +.Dd February 25, 2025 .Dt BLACKLISTD 8 .Os .Sh NAME 
@@ -53,18 +53,31 @@ attempts. If no such file is specified, then it only listens to the socket path specified by -.Ar sockspath +.Ar sockpath or if that is not specified to -.Pa /var/run/blacklistd.sock . +.Pa /var/run/blocklistd.sock . Each notification contains an (action, port, protocol, address, owner) tuple that identifies the remote connection and the action. -This tuple is consulted against entries in -.Ar configfile -with syntax specified in +This tuple is consulted against entries from the +.Ar configfile , +with the syntax specified in .Xr blacklistd.conf 5 . If an entry is matched, a state entry is created for that tuple. Each entry contains a number of tries limit and a duration. .Pp +If +.Ar configfile +is a directory, or a directory exists with the same name as +.Ar configfile +with +.Qq .d +appended to it, each file in the directory will be read as configuration file. +If +.Ar configfile +exists as a file it will be processed before the contents of the +.Ar configfile Ns .d +directory if that also exists. +.Pp The way .Nm does configuration entry matching is by having the client side pass the @@ -152,7 +165,7 @@ .It Fl C Ar controlprog Use .Ar controlprog -to communicate with the packet filter, usually +to communicate with the packet filter, instead of the default, which is .Pa /usr/libexec/blacklistd-helper . The following arguments are passed to the control program: .Bl -tag -width protocol @@ -161,7 +174,7 @@ .Dv add , .Dv rem , or -.Dv flush +.Dv flush ; to add, remove or flush a firewall rule. .It name The rule name. 
@@ -183,13 +196,17 @@ The add command is expected to return the rule identifier string to stdout. .El .It Fl c Ar configuration -The name of the configuration file to read, usually +The name of the configuration file to read. +The default when +.Fl c +is not given is .Pa /etc/blacklistd.conf . .It Fl D Ar dbfile The Berkeley DB file where .Nm -stores its state, usually -.Pa /var/db/blacklistd.db . +stores its state. +It defaults to +.Pa /var/db/blocklistd.db . .It Fl d Normally, .Nm @@ -203,7 +220,7 @@ .Bd -literal -offset indent control flush .Ed -.It Fl P Ar sockspathsfile +.It Fl P Ar sockpathsfile A file containing a list of pathnames, one per line that .Nm will create sockets to listen to. @@ -261,16 +278,23 @@ Shell script invoked to interface with the packet filter. .It Pa /etc/blacklistd.conf Configuration file. -.It Pa /var/db/blacklistd.db +.It Pa /var/db/blocklistd.db Database of current connection entries. -.It Pa /var/run/blacklistd.sock +.It Pa /var/run/blocklistd.sock Socket to receive connection notifications. .El .Sh SEE ALSO .Xr blacklistd.conf 5 , .Xr blacklistctl 8 , +.Xr ipf 8 , +.Xr ipfw 8 , .Xr pfctl 8 , .Xr syslogd 8 +.Sh NOTES +The +.Nm +daemon has been renamed to +.Xr blocklistd 8 . .Sh HISTORY .Nm first appeared in diff --git a/contrib/blocklist/bin/blacklistd.c b/contrib/blocklist/bin/blacklistd.c --- a/contrib/blocklist/bin/blacklistd.c +++ b/contrib/blocklist/bin/blacklistd.c @@ -1,4 +1,4 @@ -/* $NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $ */ +/* $NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -31,8 +31,11 @@ #ifdef HAVE_CONFIG_H #include "config.h" #endif + +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: blacklistd.c,v 1.38 2019/02/27 02:20:18 christos Exp $"); +#endif +__RCSID("$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $"); #include #include 
@@ -64,8 +67,8 @@ #include #include -#include "bl.h" -#include "internal.h" +#include "old_bl.h" +#include "old_internal.h" #include "conf.h" #include "run.h" #include "state.h" @@ -175,6 +178,8 @@ struct dbinfo dbi; struct timespec ts; + memset(&dbi, 0, sizeof(dbi)); + memset(&c, 0, sizeof(c)); if (clock_gettime(CLOCK_REALTIME, &ts) == -1) { (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); return; @@ -188,10 +193,11 @@ if (getremoteaddress(bi, &rss, &rsl) == -1) goto out; - if (debug) { + if (debug || bi->bi_msg[0]) { sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss); - (*lfun)(LOG_DEBUG, "processing type=%d fd=%d remote=%s msg=%s" - " uid=%lu gid=%lu", bi->bi_type, bi->bi_fd, rbuf, + (*lfun)(bi->bi_msg[0] ? LOG_INFO : LOG_DEBUG, + "processing type=%d fd=%d remote=%s msg=%s uid=%lu gid=%lu", + bi->bi_type, bi->bi_fd, rbuf, bi->bi_msg, (unsigned long)bi->bi_uid, (unsigned long)bi->bi_gid); } @@ -334,7 +340,7 @@ addfd(struct pollfd **pfdp, bl_t **blp, size_t *nfd, size_t *maxfd, const char *path) { - bl_t bl = bl_create(true, path, vflag ? vdlog : vsyslog); + bl_t bl = bl_create(true, path, vflag ? vdlog : vsyslog_r); if (bl == NULL || !bl_isconnected(bl)) exit(EXIT_FAILURE); if (*nfd >= *maxfd) { @@ -395,15 +401,25 @@ static void rules_restore(void) { + DB *db; struct conf c; struct dbinfo dbi; unsigned int f; - for (f = 1; state_iterate(state, &c, &dbi, f) == 1; f = 0) { + db = state_open(dbfile, O_RDONLY, 0); + if (db == NULL) { + (*lfun)(LOG_ERR, "Can't open `%s' to restore state (%m)", + dbfile); + return; + } + for (f = 1; state_iterate(db, &c, &dbi, f) == 1; f = 0) { if (dbi.id[0] == '\0') continue; (void)run_change("add", &c, dbi.id, sizeof(dbi.id)); + state_put(state, &c, &dbi); } + state_close(db); + state_sync(state); } int diff --git a/contrib/blocklist/bin/blacklistd.conf.5 b/contrib/blocklist/bin/blacklistd.conf.5 --- a/contrib/blocklist/bin/blacklistd.conf.5 +++ b/contrib/blocklist/bin/blacklistd.conf.5 
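Review bot: The two `memset` calls added at the top of `process()` zero `dbi` and `c` but leave `rbuf` untouched. Going by the identical function in the new blocklistd.c later in this commit, `rbuf` is a plain `char rbuf[BUFSIZ]` that the debug message under the `out:` label prints with `%s`. When `getremoteaddress()` fails, control jumps to `out` before anything has been formatted into `rbuf`, so with debugging enabled the final-state message reads uninitialised stack bytes. Adding `rbuf[0] = '\0';` next to the new memsets would cover that path. The body of `process()` starts and ends outside this hunk.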
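Review bot: With the condition widened to `debug || bi->bi_msg[0]`, every notification that carries a message now produces a LOG_INFO line containing `bi->bi_msg` verbatim, and that text comes from the reporting client through `bl_recv()`. Whether the field is guaranteed to be NUL-terminated and free of control characters is not visible in this hunk, and with `-v` the output goes to `vdlog` rather than through syslogd. I would state the trust assumption at the call, e.g. `/* bi_msg is supplied by the reporting client and is logged as received */`, and consider encoding it (vis(3) style) before it is logged. Log volume also now scales with the number of reported failures, which is worth keeping in mind when sizing log rotation. The enclosing function continues outside the hunk.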
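Review bot: In the new `rules_restore()` loop the result of `run_change("add", ...)` is cast away and `state_put()` runs regardless, so a rule the control program failed to re-install is written back as if restored, with no message from this function. `process()` in the new blocklistd.c treats -1 from the same call as a failure, so the restore path could at least report it: `if (run_change("add", &c, dbi.id, sizeof(dbi.id)) == -1)` followed by `(*lfun)(LOG_ERR, "can't restore rule for %s", c.c_name);`. After a reboot this is the only place that re-creates the blocks, so a silent failure leaves previously blocked addresses unfiltered. The return values of `state_put()` and `state_sync()` are also unchecked here; whether they can fail in a way worth logging is not visible from this hunk.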
@@ -1,6 +1,6 @@ -.\" $NetBSD: blacklistd.conf.5,v 1.9 2019/11/06 20:33:30 para Exp $ +.\" $NetBSD: blocklistd.conf.5,v 1.7 2025/02/11 17:47:05 christos Exp $ .\" -.\" Copyright (c) 2015 The NetBSD Foundation, Inc. +.\" Copyright (c) 2015, 2025 The NetBSD Foundation, Inc. .\" All rights reserved. .\" .\" This code is derived from software contributed to The NetBSD Foundation @@ -27,7 +27,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd May 18, 2020 +.Dd February 5, 2025 .Dt BLACKLISTD.CONF 5 .Os .Sh NAME @@ -48,34 +48,34 @@ at the beginning of a line. .Pp There are two kinds of configuration lines, -.Va local +.Va [local] and -.Va remote . +.Va [remote] . By default, configuration lines are -.Va local , +.Va [local] , i.e. the address specified refers to the addresses on the local machine. To switch to between -.Va local +.Va [local] and -.Va remote +.Va [remote] configuration lines you can specify the stanzas: .Dq [local] and .Dq [remote] . .Pp On -.Va local +.Va [local] and -.Va remote +.Va [remote] lines .Dq * means use the default, or wildcard match. In addition, for -.Va remote +.Va [remote] lines .Dq = means use the values from the matched -.Va local +.Va [local] configuration line. .Pp The first four fields, @@ -85,9 +85,9 @@ and .Va owner are used to match the -.Va local +.Va [local] or -.Va remote +.Va [remote] addresses, whereas the last 3 fields .Va name , .Va nfail , @@ -110,8 +110,8 @@ can be an IPv4 address in numeric format, an IPv6 address in numeric format and enclosed by square brackets, or an interface name. Mask modifiers are not allowed on interfaces because interfaces -can have multiple addresses in different protocols where the mask has a different -size. +can have multiple addresses in different protocols where the mask has a +different size. .Pp The .Dv mask 
@@ -143,8 +143,8 @@ field, is the name of the packet filter rule to be used. If the .Va name -starts with a -.Dq - , +starts with a hyphen +.Pq Dq - , then the default rulename is prepended to the given name. If the .Dv name @@ -160,13 +160,13 @@ defaulting to .Dq * meaning never, and the last field -.Va disable +.Va duration specifies the amount of time since the last access that the blocking rule should be active, defaulting to .Dq * meaning forever. The default unit for -.Va disable +.Va duration is seconds, but one can specify suffixes for different units, such as .Dq m for minutes @@ -176,25 +176,31 @@ for days. .Pp Matching is done first by checking the -.Va local +.Va [local] rules individually, in the order of the most specific to the least specific. -If a match is found, then the -.Va remote +If a match is found, then the matching +.Va [remote] rules are applied. The .Va name , .Va nfail , and -.Va disable +.Va duration fields can be altered by the -.Va remote +.Va [remote] rule that matched. .Pp The -.Va remote +.Va [remote] rules can be used for allowing specific addresses, changing the mask -size, the rule that the packet filter uses, the number of failed attempts, -or the block duration. +size (via +.Va name ) , +the rule that the packet filter uses (also via +.Va name ) , +the number of failed attempts (via +.Va nfail ) , +or the duration to block (via +.Va duration ) . .Sh FILES .Bl -tag -width /etc/blacklistd.conf -compact .It Pa /etc/blacklistd.conf 
@@ -209,13 +215,20 @@ [remote] # Never block 1.2.3.4 1.2.3.4:ssh * * * * * * -# For addresses coming from 8.8.0.0/16 block whole /24 networks instead of +# Never block the example IPv6 subnet either +[2001:db8::]/32:ssh * * * * * * +# For addresses coming from 8.8.0.0/16 block whole /24 networks instead # individual hosts, but keep the rest of the blocking parameters the same. 8.8.0.0/16:ssh * * * /24 = = .Ed .Sh SEE ALSO .Xr blacklistctl 8 , .Xr blacklistd 8 +.Sh NOTES +The +.Nm +file has been renamed to +.Xr blocklistd.conf 8 . .Sh HISTORY .Nm first appeared in diff --git a/contrib/blocklist/bin/blocklistctl.8 b/contrib/blocklist/bin/blocklistctl.8 new file mode 100644 --- /dev/null +++ b/contrib/blocklist/bin/blocklistctl.8 
@@ -0,0 +1,131 @@
+.\" $NetBSD: blocklistctl.8,v 1.4 2025/02/07 01:35:38 kre Exp $
+.\"
+.\" Copyright (c) 2015 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Christos Zoulas.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd January 27, 2025
+.Dt BLOCKLISTCTL 8
+.Os
+.Sh NAME
+.Nm blocklistctl
+.Nd display and change the state of the blocklistd database
+.Sh SYNOPSIS
+.Nm
+.Cm dump
+.Op Fl abdnrw
+.Op Fl D Ar dbname
+.Sh DESCRIPTION
+.Nm
+is a program used to display and change the state of the
+.Xr blocklistd 8
+database.
+The following sub-commands are supported:
+.Ss dump
+.Pp
+The following options are available for the
+.Cm dump
+sub-command:
+.Bl -tag -width indent
+.It Fl a
+Show all database entries, by default it shows only the active ones.
+Inactive entries will be shown with a last-access (or, with
+.Fl r ,
+the remaining) time of
+.Ql never .
+.It Fl b
+Show only the blocked entries.
+.It Fl D Ar dbname
+Specify the location of the
+.Ic blocklistd
+database file to use.
+The default is
+.Pa /var/db/blocklistd.db .
+.It Fl d
+Increase debugging level.
+.It Fl n
+Don't display a header.
+.It Fl r
+Show the remaining blocked time instead of the last activity time.
+.It Fl w
+Normally the width of addresses is good for IPv4, the
+.Fl w
+flag, makes the display wide enough for IPv6 addresses.
+.El
+.Pp
+The output of the
+.Cm dump
+sub-command consists of a header (unless
+.Fl n
+was given) and one line for each record in the database, where each line
+has the following columns:
+.Bl -tag -width indent
+.It Ql address/ma:port
+The remote address, mask, and local port number of the client connection
+associated with the database entry.
+.It Ql id
+column will show the identifier for the packet filter rule associated
+with the database entry, though this may only be the word
+.Ql OK
+for packet filters which do not creat a unique identifier for each rule.
+.It Ql nfail
+The number of
+.Em failures
+reported for the client on the noted port, as well as the number of
+failures allowed before blocking (or, with
+.Fl a ,
+an asterisk
+.Aq * )
+.It So last access Sc | So remaining time Sc
+The last time a the client was reported as attempting access, or, with
+.Fl r ,
+the time remaining before the rule blocking the client will be removed.
+.El
+.Sh SEE ALSO
+.Xr blocklistd 8
+.Sh NOTES
+Sometimes the reported number of failed attempts can exceed the number
+of attempts that
+.Xr blocklistd 8
+is configured to block.
+This can happen either because the rule has been removed manually, or
+because there were more attempts in flight while the rule block was being
+added.
+This condition is normal; in that case
+.Xr blocklistd 8
+will first attempt to remove the existing rule, and then it will re-add
+it to make sure that there is only one rule active.
+.Sh HISTORY
+.Nm
+first appeared in
+.Nx 7 .
+.Fx
+support for
+.Nm
+was implemented in
+.Fx 11 .
+.Sh AUTHORS
+.An Christos Zoulas
diff --git a/contrib/blocklist/bin/blocklistctl.c b/contrib/blocklist/bin/blocklistctl.c
new file mode 100644
--- /dev/null
+++ b/contrib/blocklist/bin/blocklistctl.c
@@ -0,0 +1,170 @@ +/* $NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifdef HAVE_SYS_CDEFS_H +#include +#endif +__RCSID("$NetBSD: blocklistctl.c,v 1.4 2025/02/11 17:48:30 christos Exp $"); + +#include +#include +#ifdef HAVE_LIBUTIL_H +#include +#endif +#ifdef HAVE_UTIL_H +#include +#endif +#include +#include +#include +#include +#include +#include +#include + +#include "conf.h" +#include "state.h" +#include "internal.h" +#include "support.h" + +static __dead void +usage(int c) +{ + if (c == 0) + warnx("Missing/unknown command"); + else if (c != '?') + warnx("Unknown option `%c'", (char)c); + fprintf(stderr, + "Usage: %s dump [-abdnrw] [-D dbname]\n", getprogname()); + exit(EXIT_FAILURE); +} + +static const char * +star(char *buf, size_t len, int val) +{ + if (val == -1) + return "*"; + snprintf(buf, len, "%d", val); + return buf; +} + +int +main(int argc, char *argv[]) +{ + const char *dbname = _PATH_BLSTATE; + DB *db; + struct conf c; + struct dbinfo dbi; + unsigned int i; + struct timespec ts; + int all, blocked, remain, wide, noheader; + int o; + + noheader = wide = blocked = all = remain = 0; + lfun = dlog; + + if (argc == 1 || strcmp(argv[1], "dump") != 0) + usage(0); + + argc--; + argv++; + + while ((o = getopt(argc, argv, "abD:dnrw")) != -1) + switch (o) { + case 'a': + all = 1; + blocked = 0; + break; + case 'b': + blocked = 1; + break; + case 'D': + dbname = optarg; + break; + case 'd': + debug++; + break; + case 'n': + noheader = 1; + break; + case 'r': + remain = 1; + break; + case 'w': + wide = 1; + break; + default: + usage(o); + } + + db = state_open(dbname, O_RDONLY, 0); + if (db == NULL) + err(EXIT_FAILURE, "Can't open `%s'", dbname); + + clock_gettime(CLOCK_REALTIME, &ts); + wide = wide ? 8 * 4 + 7 : 4 * 3 + 3; + if (!noheader) + printf("%*.*s/ma:port\tid\tnfail\t%s\n", wide, wide, + "address", remain ? 
"remaining time" : "last access"); + for (i = 1; state_iterate(db, &c, &dbi, i) != 0; i = 0) { + char buf[BUFSIZ]; + char mbuf[64], pbuf[64]; + if (!all) { + if (blocked) { + if (c.c_nfail == -1 || dbi.count < c.c_nfail) + continue; + } else { + if (dbi.count >= c.c_nfail) + continue; + } + } + sockaddr_snprintf(buf, sizeof(buf), "%a", (void *)&c.c_ss); + printf("%*.*s/%s:%s\t", wide, wide, buf, + star(mbuf, sizeof(mbuf), c.c_lmask), + star(pbuf, sizeof(pbuf), c.c_port)); + if (c.c_duration == -1) { + strlcpy(buf, "never", sizeof(buf)); + } else { + if (remain) + fmtydhms(buf, sizeof(buf), + c.c_duration - (ts.tv_sec - dbi.last)); + else + fmttime(buf, sizeof(buf), dbi.last); + } + printf("%s\t%d/%s\t%-s\n", dbi.id, dbi.count, + star(mbuf, sizeof(mbuf), c.c_nfail), buf); + } + state_close(db); + return EXIT_SUCCESS; +} diff --git a/contrib/blocklist/bin/blocklistd.8 b/contrib/blocklist/bin/blocklistd.8 new file mode 100644 --- /dev/null +++ b/contrib/blocklist/bin/blocklistd.8 
@@ -0,0 +1,303 @@ +.\" $NetBSD: blocklistd.8,v 1.8 2025/02/25 22:13:34 christos Exp $ +.\" +.\" Copyright (c) 2015 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Christos Zoulas. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. 
+.\" +.Dd February 25, 2025 +.Dt BLOCKLISTD 8 +.Os +.Sh NAME +.Nm blocklistd +.Nd block and release ports on demand to avoid DoS abuse +.Sh SYNOPSIS +.Nm +.Op Fl dfrv +.Op Fl C Ar controlprog +.Op Fl c Ar configfile +.Op Fl D Ar dbfile +.Op Fl P Ar sockpathsfile +.Op Fl R Ar rulename +.Op Fl s Ar sockpath +.Op Fl t Ar timeout +.Sh DESCRIPTION +.Nm +is a daemon similar to +.Xr syslogd 8 +that listens to sockets at paths specified in the +.Ar sockpathsfile +for notifications from other daemons about successful or failed connection +attempts. +If no such file is specified, then it only listens to the socket path +specified by +.Ar sockpath +or if that is not specified to +.Pa /var/run/blocklistd.sock . +Each notification contains an (action, port, protocol, address, owner) tuple +that identifies the remote connection and the action. +This tuple is consulted against entries from the +.Ar configfile , +with the syntax specified in +.Xr blocklistd.conf 5 . +If an entry is matched, a state entry is created for that tuple. +Each entry contains a number of tries limit and a duration. +.Pp +If +.Ar configfile +is a directory, or a directory exists with the same name as +.Ar configfile +with +.Qq .d +appended to it, each file in the directory will be read as configuration file. +If +.Ar configfile +exists as a file it will be processed before the contents of the +.Ar configfile Ns .d +directory if that also exists. +.Pp +The way +.Nm +does configuration entry matching is by having the client side pass the +file descriptor associated with the connection the client wants to blocklist +as well as passing socket credentials. +.Pp +The file descriptor is used to retrieve information (address and port) +about the remote side with +.Xr getpeername 2 +and the local side with +.Xr getsockname 2 . +.Pp +By examining the port of the local side, +.Nm +can determine if the client program +.Dq owns +the port. 
+By examining the optional address portion on the local side, it can match +interfaces. +By examining the remote address, it can match specific allow or deny rules. +.Pp +Finally +.Nm +can examine the socket credentials to match the user in the configuration file. +.Pp +While this works well for TCP sockets, it cannot be relied on for unbound +UDP sockets. +It is also less meaningful when it comes to connections using non-privileged +ports. +On the other hand, if we receive a request that has a local endpoint indicating +a UDP privileged port, we can presume that the client was privileged to be +able to acquire that port. +.Pp +Once an entry is matched +.Nm +can perform various actions. +If the action is +.Dq add +and the number of tries limit is reached, then a +control script +.Ar controlprog +is invoked with arguments: +.Bd -literal -offset indent +control add
+.Ed +.Pp +and should invoke a packet filter command to block the connection +specified by the arguments. +The +.Ar rulename +argument can be set from the command line (default +.Dv blocklistd ) . +The script could print a numerical id to stdout as a handle for +the rule that can be used later to remove that connection, but +that is not required as all information to remove the rule is +kept. +.Pp +If the action is +.Dq rem +Then the same control script is invoked as: +.Bd -literal -offset indent +control rem
+.Ed +.Pp +where +.Ar id +is the number returned from the +.Dq add +action. +.Pp +.Nm +maintains a database of known connections in +.Ar dbfile . +On startup it reads entries from that file, and updates its internal state. +.Pp +.Nm +checks the list of active entries every +.Ar timeout +seconds (default +.Dv 15 ) +and removes entries and block rules using the control program as necessary. +.Pp +The following options are available: +.Bl -tag -width indent +.It Fl C Ar controlprog +Use +.Ar controlprog +to communicate with the packet filter, instead of the default, which is +.Pa /usr/libexec/blocklistd-helper . +The following arguments are passed to the control program: +.Bl -tag -width protocol +.It action +The action to perform: +.Dv add , +.Dv rem , +or +.Dv flush ; +to add, remove or flush a firewall rule. +.It name +The rule name. +.It protocol +The optional protocol name (can be empty): +.Dv tcp , +.Dv tcp6 , +.Dv udp , +.Dv udp6 . +.It address +The IPv4 or IPv6 numeric address to be blocked or released. +.It mask +The numeric mask to be applied to the blocked or released address +.It port +The optional numeric port to be blocked (can be empty). +.It id +For packet filters that support removal of rules by rule identifier, the +identifier of the rule to be removed. +The add command is expected to return the rule identifier string to stdout. +.El +.It Fl c Ar configuration +The name of the configuration file to read. +The default when +.Fl c +is not given is +.Pa /etc/blocklistd.conf . +.It Fl D Ar dbfile +The Berkeley DB file where +.Nm +stores its state. +It defaults to +.Pa /var/db/blocklistd.db . +.It Fl d +Normally, +.Nm +disassociates itself from the terminal unless the +.Fl d +flag is specified, in which case it stays in the foreground. 
+.It Fl f +Truncate the state database and flush all the rules named +.Ar rulename +are deleted by invoking the control script as: +.Bd -literal -offset indent +control flush +.Ed +.It Fl P Ar sockpathsfile +A file containing a list of pathnames, one per line that +.Nm +will create sockets to listen to. +This is useful for chrooted environments. +.It Fl R Ar rulename +Specify the default rule name for the packet filter rules, usually +.Dv blocklistd . +.It Fl r +Re-read the firewall rules from the internal database, then +remove and re-add them. +This helps for packet filters that do not retain state across reboots. +.It Fl s Ar sockpath +Add +.Ar sockpath +to the list of Unix sockets +.Nm +listens to. +.It Fl t Ar timeout +The interval in seconds +.Nm +polls the state file to update the rules. +.It Fl v +Cause +.Nm +to print +diagnostic messages to +.Dv stdout +instead of +.Xr syslogd 8 . +.El +.Sh SIGNAL HANDLING +.Nm +deals with the following signals: +.Bl -tag -width "USR2" +.It Dv HUP +Receipt of this signal causes +.Nm +to re-read the configuration file. +.It Dv INT , Dv TERM & Dv QUIT +These signals tell +.Nm +to exit in an orderly fashion. +.It Dv USR1 +This signal tells +.Nm +to increase the internal debugging level by 1. +.It Dv USR2 +This signal tells +.Nm +to decrease the internal debugging level by 1. +.El +.Sh FILES +.Bl -tag -width /usr/libexec/blocklistd-helper -compact +.It Pa /usr/libexec/blocklistd-helper +Shell script invoked to interface with the packet filter. +.It Pa /etc/blocklistd.conf +Configuration file. +.It Pa /var/db/blocklistd.db +Database of current connection entries. +.It Pa /var/run/blocklistd.sock +Socket to receive connection notifications. +.El +.Sh SEE ALSO +.Xr blocklistd.conf 5 , +.Xr blocklistctl 8 , +.Xr ipf 8 , +.Xr ipfw 8 , +.Xr pfctl 8 , +.Xr syslogd 8 +.Sh HISTORY +.Nm +first appeared in +.Nx 7 . +.Fx +support for +.Nm +was implemented in +.Fx 11 . +.Sh AUTHORS +.An Christos Zoulas 
diff --git a/contrib/blocklist/bin/blocklistd.c b/contrib/blocklist/bin/blocklistd.c
new file mode 100644
--- /dev/null
+++ b/contrib/blocklist/bin/blocklistd.c
@@ -0,0 +1,592 @@ +/* $NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifdef HAVE_SYS_CDEFS_H +#include +#endif +__RCSID("$NetBSD: blocklistd.c,v 1.10 2025/03/26 17:09:35 christos Exp $"); + +#include +#include +#include + +#ifdef HAVE_LIBUTIL_H +#include +#endif +#ifdef HAVE_UTIL_H +#include +#endif +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "bl.h" +#include "internal.h" +#include "conf.h" +#include "run.h" +#include "state.h" +#include "support.h" + +static const char *configfile = _PATH_BLCONF; +static DB *state; +static const char *dbfile = _PATH_BLSTATE; +static sig_atomic_t readconf; +static sig_atomic_t done; +static int vflag; + +static void +sigusr1(int n __unused) +{ + debug++; +} + +static void +sigusr2(int n __unused) +{ + debug--; +} + +static void +sighup(int n __unused) +{ + readconf++; +} + +static void +sigdone(int n __unused) +{ + done++; +} + +static __dead void +usage(int c) +{ + if (c != '?') + warnx("Unknown option `%c'", (char)c); + fprintf(stderr, "Usage: %s [-vdfr] [-c ] [-R ] " + "[-P ] [-C ] [-D ] " + "[-s ] [-t ]\n", getprogname()); + exit(EXIT_FAILURE); +} + +static int +getremoteaddress(bl_info_t *bi, struct sockaddr_storage *rss, socklen_t *rsl) +{ + *rsl = sizeof(*rss); + memset(rss, 0, *rsl); + + if (getpeername(bi->bi_fd, (void *)rss, rsl) != -1) + return 0; + + if (errno != ENOTCONN) { + (*lfun)(LOG_ERR, "getpeername failed (%m)"); + return -1; + } + + if (bi->bi_slen == 0) { + (*lfun)(LOG_ERR, "unconnected socket with no peer in message"); + return -1; + } + + switch (bi->bi_ss.ss_family) { + case AF_INET: + *rsl = sizeof(struct sockaddr_in); + break; + case AF_INET6: + *rsl = sizeof(struct sockaddr_in6); + break; + default: + (*lfun)(LOG_ERR, "bad client passed socket family %u", + (unsigned)bi->bi_ss.ss_family); + return -1; + } + + if (*rsl != bi->bi_slen) { + (*lfun)(LOG_ERR, "bad 
client passed socket length %u != %u", + (unsigned)*rsl, (unsigned)bi->bi_slen); + return -1; + } + + memcpy(rss, &bi->bi_ss, *rsl); + +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + if (*rsl != rss->ss_len) { + (*lfun)(LOG_ERR, + "bad client passed socket internal length %u != %u", + (unsigned)*rsl, (unsigned)rss->ss_len); + return -1; + } +#endif + return 0; +} + +static void +process(bl_t bl) +{ + struct sockaddr_storage rss; + socklen_t rsl; + char rbuf[BUFSIZ]; + bl_info_t *bi; + struct conf c; + struct dbinfo dbi; + struct timespec ts; + + memset(&dbi, 0, sizeof(dbi)); + memset(&c, 0, sizeof(c)); + if (clock_gettime(CLOCK_REALTIME, &ts) == -1) { + (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); + return; + } + + if ((bi = bl_recv(bl)) == NULL) { + (*lfun)(LOG_ERR, "no message (%m)"); + return; + } + + if (getremoteaddress(bi, &rss, &rsl) == -1) + goto out; + + if (debug || bi->bi_msg[0]) { + sockaddr_snprintf(rbuf, sizeof(rbuf), "%a:%p", (void *)&rss); + (*lfun)(bi->bi_msg[0] ? LOG_INFO : LOG_DEBUG, + "processing type=%d fd=%d remote=%s msg=%s uid=%lu gid=%lu", + bi->bi_type, bi->bi_fd, rbuf, + bi->bi_msg, (unsigned long)bi->bi_uid, + (unsigned long)bi->bi_gid); + } + + if (conf_find(bi->bi_fd, bi->bi_uid, &rss, &c) == NULL) { + (*lfun)(LOG_DEBUG, "no rule matched"); + goto out; + } + + + if (state_get(state, &c, &dbi) == -1) + goto out; + + if (debug) { + char b1[128], b2[128]; + (*lfun)(LOG_DEBUG, "%s: initial db state for %s: count=%d/%d " + "last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail, + fmttime(b1, sizeof(b1), dbi.last), + fmttime(b2, sizeof(b2), ts.tv_sec)); + } + + switch (bi->bi_type) { + case BL_ABUSE: + /* + * If the application has signaled abusive behavior, + * set the number of fails to be one less than the + * configured limit. Fallthrough to the normal BL_ADD + * processing, which will increment the failure count + * to the threshhold, and block the abusive address. 
+ */ + if (c.c_nfail != -1) + dbi.count = c.c_nfail - 1; + /*FALLTHROUGH*/ + case BL_ADD: + dbi.count++; + dbi.last = ts.tv_sec; + if (c.c_nfail != -1 && dbi.count >= c.c_nfail) { + /* + * No point in re-adding the rule. + * It might exist already due to latency in processing + * and removing the rule is the wrong thing to do as + * it allows a window to attack again. + */ + if (dbi.id[0] == '\0') { + int res = run_change("add", &c, + dbi.id, sizeof(dbi.id)); + if (res == -1) + goto out; + } + sockaddr_snprintf(rbuf, sizeof(rbuf), "%a", + (void *)&rss); + (*lfun)(LOG_INFO, + "blocked %s/%d:%d for %d seconds", + rbuf, c.c_lmask, c.c_port, c.c_duration); + } + break; + case BL_DELETE: + if (dbi.last == 0) + goto out; + dbi.count = 0; + dbi.last = 0; + break; + case BL_BADUSER: + /* ignore for now */ + break; + default: + (*lfun)(LOG_ERR, "unknown message %d", bi->bi_type); + } + state_put(state, &c, &dbi); + +out: + close(bi->bi_fd); + + if (debug) { + char b1[128], b2[128]; + (*lfun)(LOG_DEBUG, "%s: final db state for %s: count=%d/%d " + "last=%s now=%s", __func__, rbuf, dbi.count, c.c_nfail, + fmttime(b1, sizeof(b1), dbi.last), + fmttime(b2, sizeof(b2), ts.tv_sec)); + } +} + +static void +update_interfaces(void) +{ + struct ifaddrs *oifas, *nifas; + + if (getifaddrs(&nifas) == -1) + return; + + oifas = ifas; + ifas = nifas; + + if (oifas) + freeifaddrs(oifas); +} + +static void +update(void) +{ + struct timespec ts; + struct conf c; + struct dbinfo dbi; + unsigned int f, n; + char buf[128]; + void *ss = &c.c_ss; + + if (clock_gettime(CLOCK_REALTIME, &ts) == -1) { + (*lfun)(LOG_ERR, "clock_gettime failed (%m)"); + return; + } + +again: + for (n = 0, f = 1; state_iterate(state, &c, &dbi, f) == 1; + f = 0, n++) + { + time_t when = c.c_duration + dbi.last; + if (debug > 1) { + char b1[64], b2[64]; + sockaddr_snprintf(buf, sizeof(buf), "%a:%p", ss); + (*lfun)(LOG_DEBUG, "%s:[%u] %s count=%d duration=%d " + "last=%s " "now=%s", __func__, n, buf, dbi.count, + 
c.c_duration, fmttime(b1, sizeof(b1), dbi.last), + fmttime(b2, sizeof(b2), ts.tv_sec)); + } + if (c.c_duration == -1 || when >= ts.tv_sec) + continue; + if (dbi.id[0]) { + run_change("rem", &c, dbi.id, 0); + sockaddr_snprintf(buf, sizeof(buf), "%a", ss); + (*lfun)(LOG_INFO, "released %s/%d:%d after %d seconds", + buf, c.c_lmask, c.c_port, c.c_duration); + } + state_del(state, &c); + goto again; + } +} + +static void +addfd(struct pollfd **pfdp, bl_t **blp, size_t *nfd, size_t *maxfd, + const char *path) +{ + bl_t bl = bl_create(true, path, vflag ? vdlog : vsyslog_r); + if (bl == NULL || !bl_isconnected(bl)) + exit(EXIT_FAILURE); + if (*nfd >= *maxfd) { + *maxfd += 10; + *blp = realloc(*blp, sizeof(**blp) * *maxfd); + if (*blp == NULL) + err(EXIT_FAILURE, "malloc"); + *pfdp = realloc(*pfdp, sizeof(**pfdp) * *maxfd); + if (*pfdp == NULL) + err(EXIT_FAILURE, "malloc"); + } + + (*pfdp)[*nfd].fd = bl_getfd(bl); + (*pfdp)[*nfd].events = POLLIN; + (*blp)[*nfd] = bl; + *nfd += 1; +} + +static void +uniqueadd(struct conf ***listp, size_t *nlist, size_t *mlist, struct conf *c) +{ + struct conf **list = *listp; + + if (c->c_name[0] == '\0') + return; + for (size_t i = 0; i < *nlist; i++) { + if (strcmp(list[i]->c_name, c->c_name) == 0) + return; + } + if (*nlist == *mlist) { + *mlist += 10; + void *p = realloc(*listp, *mlist * sizeof(*list)); + if (p == NULL) + err(EXIT_FAILURE, "Can't allocate for rule list"); + list = *listp = p; + } + list[(*nlist)++] = c; +} + +static void +rules_flush(void) +{ + struct conf **list; + size_t nlist, mlist; + + list = NULL; + mlist = nlist = 0; + for (size_t i = 0; i < rconf.cs_n; i++) + uniqueadd(&list, &nlist, &mlist, &rconf.cs_c[i]); + for (size_t i = 0; i < lconf.cs_n; i++) + uniqueadd(&list, &nlist, &mlist, &lconf.cs_c[i]); + + for (size_t i = 0; i < nlist; i++) + run_flush(list[i]); + free(list); +} + +static void +rules_restore(void) +{ + DB *db; + struct conf c; + struct dbinfo dbi; + unsigned int f; + + db = state_open(dbfile, 
O_RDONLY, 0); + if (db == NULL) { + (*lfun)(LOG_ERR, "Can't open `%s' to restore state (%m)", + dbfile); + return; + } + for (f = 1; state_iterate(db, &c, &dbi, f) == 1; f = 0) { + if (dbi.id[0] == '\0') + continue; + (void)run_change("add", &c, dbi.id, sizeof(dbi.id)); + state_put(state, &c, &dbi); + } + state_close(db); + state_sync(state); +} + +int +main(int argc, char *argv[]) +{ + int c, tout, flags, flush, restore, ret; + const char *spath, **blsock; + size_t nblsock, maxblsock; + + setprogname(argv[0]); + + spath = NULL; + blsock = NULL; + maxblsock = nblsock = 0; + flush = 0; + restore = 0; + tout = 0; + flags = O_RDWR|O_EXCL|O_CLOEXEC; + while ((c = getopt(argc, argv, "C:c:D:dfP:rR:s:t:v")) != -1) { + switch (c) { + case 'C': + controlprog = optarg; + break; + case 'c': + configfile = optarg; + break; + case 'D': + dbfile = optarg; + break; + case 'd': + debug++; + break; + case 'f': + flush++; + break; + case 'P': + spath = optarg; + break; + case 'R': + rulename = optarg; + break; + case 'r': + restore++; + break; + case 's': + if (nblsock >= maxblsock) { + maxblsock += 10; + void *p = realloc(blsock, + sizeof(*blsock) * maxblsock); + if (p == NULL) + err(EXIT_FAILURE, + "Can't allocate memory for %zu sockets", + maxblsock); + blsock = p; + } + blsock[nblsock++] = optarg; + break; + case 't': + tout = atoi(optarg) * 1000; + break; + case 'v': + vflag++; + break; + default: + usage(c); + } + } + + argc -= optind; + if (argc) + usage('?'); + + signal(SIGHUP, sighup); + signal(SIGINT, sigdone); + signal(SIGQUIT, sigdone); + signal(SIGTERM, sigdone); + signal(SIGUSR1, sigusr1); + signal(SIGUSR2, sigusr2); + + openlog(getprogname(), LOG_PID, LOG_DAEMON); + + if (debug) { + lfun = dlog; + if (tout == 0) + tout = 5000; + } else { + if (tout == 0) + tout = 15000; + } + + update_interfaces(); + conf_parse(configfile); + if (flush) { + rules_flush(); + if (!restore) + flags |= O_TRUNC; + } + + struct pollfd *pfd = NULL; + bl_t *bl = NULL; + size_t nfd = 0; + 
size_t maxfd = 0; + + for (size_t i = 0; i < nblsock; i++) + addfd(&pfd, &bl, &nfd, &maxfd, blsock[i]); + free(blsock); + + if (spath) { + FILE *fp = fopen(spath, "r"); + char *line; + if (fp == NULL) + err(EXIT_FAILURE, "Can't open `%s'", spath); + for (; (line = fparseln(fp, NULL, NULL, NULL, 0)) != NULL; + free(line)) + addfd(&pfd, &bl, &nfd, &maxfd, line); + fclose(fp); + } + if (nfd == 0) + addfd(&pfd, &bl, &nfd, &maxfd, _PATH_BLSOCK); + + state = state_open(dbfile, flags, 0600); + if (state == NULL) + state = state_open(dbfile, flags | O_CREAT, 0600); + if (state == NULL) + return EXIT_FAILURE; + + if (restore) { + if (!flush) + rules_flush(); + rules_restore(); + } + + if (!debug) { + if (daemon(0, 0) == -1) + err(EXIT_FAILURE, "daemon failed"); + if (pidfile(NULL) == -1) + err(EXIT_FAILURE, "Can't create pidfile"); + } + + for (size_t t = 0; !done; t++) { + if (readconf) { + readconf = 0; + conf_parse(configfile); + } + ret = poll(pfd, (nfds_t)nfd, tout); + if (debug) + (*lfun)(LOG_DEBUG, "received %d from poll()", ret); + switch (ret) { + case -1: + if (errno == EINTR) + continue; + (*lfun)(LOG_ERR, "poll (%m)"); + return EXIT_FAILURE; + case 0: + state_sync(state); + break; + default: + for (size_t i = 0; i < nfd; i++) + if (pfd[i].revents & POLLIN) + process(bl[i]); + } + if (t % 100 == 0) + state_sync(state); + if (t % 10000 == 0) + update_interfaces(); + update(); + } + state_close(state); + return 0; +} diff --git a/contrib/blocklist/bin/blocklistd.conf.5 b/contrib/blocklist/bin/blocklistd.conf.5 new file mode 100644 --- /dev/null +++ b/contrib/blocklist/bin/blocklistd.conf.5 
@@ -0,0 +1,237 @@ +.\" $NetBSD: blocklistd.conf.5,v 1.7 2025/02/11 17:47:05 christos Exp $ +.\" +.\" Copyright (c) 2015, 2025 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Christos Zoulas. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd February 5, 2025 +.Dt BLOCKLISTD.CONF 5 +.Os +.Sh NAME +.Nm blocklistd.conf +.Nd configuration file format for blocklistd +.Sh DESCRIPTION +The +.Nm +file contains configuration entries for +.Xr blocklistd 8 +in a fashion similar to +.Xr inetd.conf 5 . +Only one entry per line is permitted. +Every entry must have all fields populated. 
+Each field can be separated by a tab or a space. +Comments are denoted by a +.Dq # +at the beginning of a line. +.Pp +There are two kinds of configuration lines, +.Va [local] +and +.Va [remote] . +By default, configuration lines are +.Va [local] , +i.e. the address specified refers to the addresses on the local machine. +To switch to between +.Va [local] +and +.Va [remote] +configuration lines you can specify the stanzas: +.Dq [local] +and +.Dq [remote] . +.Pp +On +.Va [local] +and +.Va [remote] +lines +.Dq * +means use the default, or wildcard match. +In addition, for +.Va [remote] +lines +.Dq = +means use the values from the matched +.Va [local] +configuration line. +.Pp +The first four fields, +.Va location , +.Va type , +.Va proto , +and +.Va owner +are used to match the +.Va [local] +or +.Va [remote] +addresses, whereas the last 3 fields +.Va name , +.Va nfail , +and +.Va disable +are used to modify the filtering action. +.Pp +The first field denotes the +.Va location +as an address, mask, and port. +The syntax for the +.Va location +is: +.Bd -literal -offset indent + [
|][/][:] +.Ed +.Pp +The +.Dv address +can be an IPv4 address in numeric format, an IPv6 address +in numeric format and enclosed by square brackets, or an interface name. +Mask modifiers are not allowed on interfaces because interfaces +can have multiple addresses in different protocols where the mask has a +different size. +.Pp +The +.Dv mask +is always numeric, but the +.Dv port +can be either numeric or symbolic. +.Pp +The second field is the socket +.Va type : +.Dv stream , +.Dv dgram , +or numeric. +The third field is the +.Va protocol : +.Dv tcp , +.Dv udp , +.Dv tcp6 , +.Dv udp6 , +or numeric. +The fourth field is the effective user +.Va ( owner ) +of the daemon process reporting the event, +either as a username or a userid. +.Pp +The rest of the fields control the behavior of the filter. +.Pp +The +.Va name +field, is the name of the packet filter rule to be used. +If the +.Va name +starts with a hyphen +.Pq Dq - , +then the default rulename is prepended to the given name. +If the +.Dv name +contains a +.Dq / , +the remaining portion of the name is interpreted as the mask to be +applied to the address specified in the rule, causing a single rule violation to +block the entire subnet for the configured prefix. +.Pp +The +.Va nfail +field contains the number of failed attempts before access is blocked, +defaulting to +.Dq * +meaning never, and the last field +.Va duration +specifies the amount of time since the last access that the blocking +rule should be active, defaulting to +.Dq * +meaning forever. +The default unit for +.Va duration +is seconds, but one can specify suffixes for different units, such as +.Dq m +for minutes +.Dq h +for hours and +.Dq d +for days. +.Pp +Matching is done first by checking the +.Va [local] +rules individually, in the order of the most specific to the least specific. +If a match is found, then the matching +.Va [remote] +rules are applied. 
+The +.Va name , +.Va nfail , +and +.Va duration +fields can be altered by the +.Va [remote] +rule that matched. +.Pp +The +.Va [remote] +rules can be used for allowing specific addresses, changing the mask +size (via +.Va name ) , +the rule that the packet filter uses (also via +.Va name ) , +the number of failed attempts (via +.Va nfail ) , +or the duration to block (via +.Va duration ) . +.Sh FILES +.Bl -tag -width /etc/blocklistd.conf -compact +.It Pa /etc/blocklistd.conf +Configuration file. +.El +.Sh EXAMPLES +.Bd -literal -offset 8n +# Block ssh, after 3 attempts for 6 hours on the bnx0 interface +[local] +# location type proto owner name nfail duration +bnx0:ssh * * * * 3 6h +[remote] +# Never block 1.2.3.4 +1.2.3.4:ssh * * * * * * +# Never block the example IPv6 subnet either +[2001:db8::]/32:ssh * * * * * * +# For addresses coming from 8.8.0.0/16 block whole /24 networks instead +# individual hosts, but keep the rest of the blocking parameters the same. +8.8.0.0/16:ssh * * * /24 = = +.Ed +.Sh SEE ALSO +.Xr blocklistctl 8 , +.Xr blocklistd 8 +.Sh HISTORY +.Nm +first appeared in +.Nx 7 . +.Fx +support for +.Nm +was implemented in +.Fx 11 . +.Sh AUTHORS +.An Christos Zoulas diff --git a/contrib/blocklist/bin/conf.h b/contrib/blocklist/bin/conf.h --- a/contrib/blocklist/bin/conf.h +++ b/contrib/blocklist/bin/conf.h @@ -1,4 +1,4 @@ -/* $NetBSD: conf.h,v 1.6 2015/01/27 19:40:36 christos Exp $ */ +/* $NetBSD: conf.h,v 1.2 2025/02/05 20:09:33 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -34,6 +34,7 @@ #include struct conf { + size_t c_lineno; struct sockaddr_storage c_ss; int c_lmask; int c_port; diff --git a/contrib/blocklist/bin/conf.c b/contrib/blocklist/bin/conf.c --- a/contrib/blocklist/bin/conf.c +++ b/contrib/blocklist/bin/conf.c @@ -1,4 +1,4 @@ -/* $NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: conf.c,v 1.10 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
@@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: conf.c,v 1.24 2016/04/04 15:52:56 christos Exp $"); +#endif +__RCSID("$NetBSD: conf.c,v 1.10 2025/02/11 17:48:30 christos Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -58,6 +60,7 @@ #include #include #include +#include #include "bl.h" #include "internal.h" @@ -261,7 +264,7 @@ if (debug) (*lfun)(LOG_DEBUG, "%s: host6 %s", __func__, p); if (strcmp(p, "*") != 0) { - if (inet_pton(AF_INET6, p, &sin6->sin6_addr) == -1) + if (inet_pton(AF_INET6, p, &sin6->sin6_addr) != 1) goto out; sin6->sin6_family = AF_INET6; #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN @@ -269,6 +272,8 @@ #endif port = &sin6->sin6_port; } + if (!*pstr) + pstr = "*"; } else if (pstr != p || strchr(p, '.') || conf_is_interface(p)) { if (pstr == p) pstr = "*"; @@ -311,7 +316,7 @@ *port = htons((in_port_t)c->c_port); return 0; out: - (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, pstr); + (*lfun)(LOG_ERR, "%s: %s, %zu: Bad address [%s]", __func__, f, l, p); return -1; out1: (*lfun)(LOG_ERR, "%s: %s, %zu: Can't specify mask %d with " @@ -407,6 +412,8 @@ { int e; + c->c_lineno = l; + while (*p && isspace((unsigned char)*p)) p++; @@ -471,7 +478,6 @@ uint32_t m; int omask = mask; - len >>= 2; switch (mask) { case FSTAR: if (memcmp(v1, v2, len) == 0) @@ -485,7 +491,7 @@ break; } - for (size_t i = 0; i < len; i++) { + for (size_t i = 0; i < (len >> 2); i++) { if (mask > 32) { m = htonl((uint32_t)~0); mask -= 32; @@ -501,7 +507,6 @@ out: if (debug > 1) { char b1[256], b2[256]; - len <<= 2; blhexdump(b1, sizeof(b1), "a1", v1, len); blhexdump(b2, sizeof(b2), "a2", v2, len); (*lfun)(LOG_DEBUG, "%s: %s != %s [0x%x]", __func__, 
@@ -690,6 +695,25 @@ static int conf_eq(const struct conf *c1, const struct conf *c2) +{ + if (!conf_addr_eq(&c1->c_ss, &c2->c_ss, FSTAR)) + return 0; + +#define CMP(a, b, f) \ + if ((a)->f != (b)->f) \ + return 0; + + CMP(c1, c2, c_port); + CMP(c1, c2, c_proto); + CMP(c1, c2, c_family); + CMP(c1, c2, c_uid); +#undef CMP + + return 1; +} + +static int +conf_match(const struct conf *c1, const struct conf *c2) { if (!conf_addr_eq(&c1->c_ss, &c2->c_ss, c2->c_lmask)) @@ -953,13 +977,54 @@ } static void -confset_replace(struct confset *dc, struct confset *sc) +confset_merge(struct confset *dc, struct confset *sc) { - struct confset tc; - tc = *dc; - *dc = *sc; - confset_init(sc); - confset_free(&tc); + size_t i, j; + char buf[BUFSIZ]; + + /* Check each rule of the src confset (sc) */ + for (i = 0; i < sc->cs_n; i++) { + /* Compare to each rule in the dest confset (dc) */ + for (j = 0; j < dc->cs_n; j++) { + if (conf_eq(&dc->cs_c[j], &sc->cs_c[i])) { + break; + } + } + + if (j == dc->cs_n) { + /* This is a new rule to add to the dest confset. */ + if (confset_full(dc) && confset_grow(dc) == -1) + return; + + *confset_get(dc) = sc->cs_c[i]; + confset_add(dc); + continue; + } + + /* We had a match above. */ + /* + * Check whether the rule from the src confset is more + * restrictive than the existing one. Adjust the + * existing rule if necessary. + */ + if (sc->cs_c[i].c_nfail == dc->cs_c[j].c_nfail && + sc->cs_c[i].c_duration && dc->cs_c[j].c_duration) { + (*lfun)(LOG_DEBUG, "skipping existing rule: %s", + conf_print(buf, sizeof (buf), "", "\t", &sc->cs_c[i])); + continue; + } + + if (sc->cs_c[i].c_nfail < dc->cs_c[j].c_nfail) + dc->cs_c[j].c_nfail = sc->cs_c[i].c_nfail; + + if (sc->cs_c[i].c_duration > dc->cs_c[j].c_duration) + dc->cs_c[j].c_duration = sc->cs_c[i].c_duration; + + (*lfun)(LOG_DEBUG, "adjusted existing rule: %s", + conf_print(buf, sizeof (buf), "", "\t", &dc->cs_c[j])); + } + + confset_free(sc); } static void 
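Review bot: The new `conf_eq()` compares the address with `FSTAR` and then only `c_port`, `c_proto`, `c_family` and `c_uid`, so `c_lmask` never takes part in the equality test. Two entries that share an address but differ in prefix length would therefore be treated as the same rule by `confset_merge()`, which folds the second entry's `nfail`/`duration` into the first and drops its mask. If that is not intended, add `CMP(c1, c2, c_lmask);` to the list; if it is, a comment above the function should say why the mask is ignored. The body of `conf_match()` continues outside this hunk.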
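Review bot: In `confset_merge()` the skip test reads `sc->cs_c[i].c_duration && dc->cs_c[j].c_duration`, which checks that both durations are non-zero rather than equal. An entry with the same `nfail` but a longer `duration` is therefore logged as "skipping existing rule" and never tightens the existing one; this looks like a typo for `sc->cs_c[i].c_duration == dc->cs_c[j].c_duration`. The `<`/`>` comparisons below it also ignore the `-1` sentinels that `process()` and `update()` test for (`c_nfail != -1`, `c_duration == -1`): an `nfail` of -1 compares as the smallest value and wins the merge, which turns blocking off for that rule, and a `duration` of -1 can never win although `update()` never releases such an entry. Handling -1 explicitly before comparing would keep the result in line with the "more restrictive" comment. The early `return` when `confset_grow()` fails also skips `confset_free(sc)`.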
@@ -990,7 +1055,7 @@ if (debug) (*lfun)(LOG_DEBUG, "%s", conf_print(buf, sizeof(buf), "check:\t", "", &cs->cs_c[i])); - if (conf_eq(c, &cs->cs_c[i])) { + if (conf_match(c, &cs->cs_c[i])) { if (debug) (*lfun)(LOG_DEBUG, "%s", conf_print(buf, sizeof(buf), @@ -1160,21 +1225,14 @@ return cr; } - -void -conf_parse(const char *f) +static void +conf_parsefile(FILE *fp, const char *config_file) { - FILE *fp; char *line; size_t lineno, len; struct confset lc, rc, *cs; - if ((fp = fopen(f, "r")) == NULL) { - (*lfun)(LOG_ERR, "%s: Cannot open `%s' (%m)", __func__, f); - return; - } - - lineno = 1; + lineno = 0; confset_init(&rc); confset_init(&lc); 
@@ -1197,23 +1255,103 @@ if (confset_grow(cs) == -1) { confset_free(&lc); confset_free(&rc); - fclose(fp); free(line); return; } } - if (conf_parseline(f, lineno, line, confset_get(cs), + if (conf_parseline(config_file, lineno, line, confset_get(cs), cs == &lc) == -1) continue; confset_add(cs); } - fclose(fp); - confset_sort(&lc); - confset_sort(&rc); + confset_merge(&rconf, &rc); + confset_merge(&lconf, &lc); +} + + +static void +conf_parsedir(DIR *dir, const char *config_path) +{ + long path_max; + struct dirent *dent; + char *path; + FILE *fp; + + if ((path_max = pathconf(config_path, _PC_PATH_MAX)) == -1) + path_max = 2048; + + if ((path = malloc((size_t)path_max)) == NULL) { + (*lfun)(LOG_ERR, "%s: Failed to allocate memory for path (%m)", + __func__); + return; + } + + while ((dent = readdir(dir)) != NULL) { + if (strcmp(dent->d_name, ".") == 0 || + strcmp(dent->d_name, "..") == 0) + continue; + + (void) snprintf(path, (size_t)path_max, "%s/%s", config_path, + dent->d_name); + if ((fp = fopen(path, "r")) == NULL) { + (*lfun)(LOG_ERR, "%s: Cannot open `%s' (%m)", __func__, + path); + continue; + } + conf_parsefile(fp, path); + fclose(fp); + } + + free(path); +} + +void +conf_parse(const char *config_path) +{ + char *path; + DIR *dir; + FILE *fp; + + if ((dir = opendir(config_path)) != NULL) { + /* + * If config_path is a directory, parse the configuration files + * in the directory. Then we're done here. + */ + conf_parsedir(dir, config_path); + closedir(dir); + goto out; + } else if ((fp = fopen(config_path, "r")) != NULL) { + /* If config_path is a file, parse it. */ + conf_parsefile(fp, config_path); + fclose(fp); + } + + /* + * Append ".d" to config_path, and if that is a directory, parse the + * configuration files in the directory. 
+ */ + if (asprintf(&path, "%s.d", config_path) < 0) { + (*lfun)(LOG_ERR, "%s: Failed to allocate memory for path (%m)", + __func__); + goto out; + } + + if ((dir = opendir(path)) != NULL) { + conf_parsedir(dir, path); + closedir(dir); + } + free(path); + +out: + if (dir == NULL && fp == NULL) { + (*lfun)(LOG_ERR, "%s: Cannot open `%s' (%m)", __func__, + config_path); + return; + } - confset_replace(&rconf, &rc); - confset_replace(&lconf, &lc); + confset_sort(&lconf); + confset_sort(&rconf); if (debug) { confset_list(&lconf, "local", "target"); diff --git a/contrib/blocklist/bin/internal.h b/contrib/blocklist/bin/internal.h --- a/contrib/blocklist/bin/internal.h +++ b/contrib/blocklist/bin/internal.h @@ -1,4 +1,4 @@ -/* $NetBSD: internal.h,v 1.14 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: internal.h,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,13 +32,13 @@ #define _INTERNAL_H #ifndef _PATH_BLCONF -#define _PATH_BLCONF "/etc/blacklistd.conf" +#define _PATH_BLCONF "/etc/blocklistd.conf" #endif #ifndef _PATH_BLCONTROL -#define _PATH_BLCONTROL "/libexec/blacklistd-helper" +#define _PATH_BLCONTROL "/usr/libexec/blocklistd-helper" #endif #ifndef _PATH_BLSTATE -#define _PATH_BLSTATE "/var/db/blacklistd.db" +#define _PATH_BLSTATE "/var/db/blocklistd.db" #endif extern struct confset rconf, lconf; diff --git a/contrib/blocklist/bin/internal.c b/contrib/blocklist/bin/internal.c --- a/contrib/blocklist/bin/internal.c +++ b/contrib/blocklist/bin/internal.c @@ -1,4 +1,4 @@ -/* $NetBSD: internal.c,v 1.5 2015/01/27 19:40:37 christos Exp $ */ +/* $NetBSD: internal.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: internal.c,v 1.5 2015/01/27 19:40:37 christos Exp $"); +#endif +__RCSID("$NetBSD: internal.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #include #include 
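Review bot: `conf_parsefile()` now merges every parsed set straight into the global `rconf`/`lconf` and the new `conf_parse()` never clears them, so the reload path in `main()` (`readconf` then `conf_parse(configfile)`) can only add or tighten rules. An entry that was deleted or relaxed in the file would stay in force until the daemon restarts, unlike the removed `confset_replace()`, which swapped in the freshly parsed sets. Unless the globals are reset somewhere outside this diff, consider merging into local sets across all files and replacing `rconf`/`lconf` once at the end. `conf_parsedir()` also opens every entry that `readdir()` returns except `.` and `..`, so editor backups, dotfiles and subdirectories in the `.d` directory are handed to the parser; a suffix filter and an `S_ISREG` check would narrow that.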
@@ -41,7 +43,7 @@ #include "internal.h" int debug; -const char *rulename = "blacklistd"; +const char *rulename = "blocklistd"; const char *controlprog = _PATH_BLCONTROL; struct confset lconf, rconf; struct ifaddrs *ifas; diff --git a/contrib/blocklist/bin/old_internal.h b/contrib/blocklist/bin/old_internal.h new file mode 100644 --- /dev/null +++ b/contrib/blocklist/bin/old_internal.h 
@@ -0,0 +1,58 @@ +/* $NetBSD: internal.h,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifndef _OLD_INTERNAL_H +#define _OLD_INTERNAL_H + +#ifndef _PATH_BLCONF +#define _PATH_BLCONF "/etc/blacklistd.conf" +#endif +#ifndef _PATH_BLCONTROL +#define _PATH_BLCONTROL "/usr/libexec/blacklistd-helper" +#endif +#ifndef _PATH_BLSTATE +/* We want the new name, the old one would be incompatible after 24932b6 */ +#define _PATH_BLSTATE "/var/db/blocklistd.db" +#endif + +extern struct confset rconf, lconf; +extern int debug; +extern const char *rulename; +extern const char *controlprog; +extern struct ifaddrs *ifas; + +#if !defined(__syslog_attribute__) && !defined(__syslog__) +#define __syslog__ __printf__ +#endif + +extern void (*lfun)(int, const char *, ...) + __attribute__((__format__(__syslog__, 2, 3))); + +#endif /* _OLD_INTERNAL_H */ diff --git a/contrib/blocklist/bin/old_internal.c b/contrib/blocklist/bin/old_internal.c new file mode 100644 --- /dev/null +++ b/contrib/blocklist/bin/old_internal.c 
@@ -0,0 +1,50 @@ +/* $NetBSD: internal.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ + +/*- + * Copyright (c) 2015 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifdef HAVE_SYS_CDEFS_H +#include +#endif +__RCSID("$NetBSD: internal.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); + +#include +#include +#include "conf.h" +#include "old_internal.h" + +int debug; +const char *rulename = "blacklistd"; +const char *controlprog = _PATH_BLCONTROL; +struct confset lconf, rconf; +struct ifaddrs *ifas; +void (*lfun)(int, const char *, ...) = syslog; diff --git a/contrib/blocklist/bin/run.h b/contrib/blocklist/bin/run.h --- a/contrib/blocklist/bin/run.h +++ b/contrib/blocklist/bin/run.h @@ -1,4 +1,4 @@ -/* $NetBSD: run.h,v 1.5 2015/01/27 19:40:37 christos Exp $ */ +/* $NetBSD: run.h,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. diff --git a/contrib/blocklist/bin/run.c b/contrib/blocklist/bin/run.c --- a/contrib/blocklist/bin/run.c +++ b/contrib/blocklist/bin/run.c @@ -1,4 +1,4 @@ -/* $NetBSD: run.c,v 1.14 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: run.c,v 1.3 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: run.c,v 1.14 2016/04/04 15:52:56 christos Exp $"); +#endif +__RCSID("$NetBSD: run.c,v 1.3 2025/02/11 17:48:30 christos Exp $"); #include #ifdef HAVE_LIBUTIL_H @@ -131,7 +133,8 @@ prname = "udp"; break; default: - (*lfun)(LOG_ERR, "%s: bad protocol %d", __func__, c->c_proto); + (*lfun)(LOG_ERR, "%s: bad protocol %d (line %zu)", __func__, + c->c_proto, c->c_lineno); return -1; } diff --git a/contrib/blocklist/bin/state.h b/contrib/blocklist/bin/state.h --- a/contrib/blocklist/bin/state.h +++ b/contrib/blocklist/bin/state.h @@ -1,4 +1,4 @@ -/* $NetBSD: state.h,v 1.5 2015/01/27 19:40:37 christos Exp $ */ +/* $NetBSD: state.h,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
diff --git a/contrib/blocklist/bin/state.c b/contrib/blocklist/bin/state.c --- a/contrib/blocklist/bin/state.c +++ b/contrib/blocklist/bin/state.c @@ -1,4 +1,4 @@ -/* $NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $ */ +/* $NetBSD: state.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: state.c,v 1.19 2016/09/26 19:43:43 christos Exp $"); +#endif +__RCSID("$NetBSD: state.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #include #include diff --git a/contrib/blocklist/bin/support.h b/contrib/blocklist/bin/support.h --- a/contrib/blocklist/bin/support.h +++ b/contrib/blocklist/bin/support.h @@ -1,4 +1,4 @@ -/* $NetBSD: support.h,v 1.7 2016/04/04 15:52:56 christos Exp $ */ +/* $NetBSD: support.h,v 1.2 2024/08/02 17:11:55 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -34,8 +34,9 @@ __BEGIN_DECLS const char *fmttime(char *, size_t, time_t); const char *fmtydhms(char *, size_t, time_t); -void vdlog(int, const char *, va_list) - __attribute__((__format__(__printf__, 2, 0))); +struct syslog_data; +void vdlog(int, struct syslog_data *, const char *, va_list) + __attribute__((__format__(__printf__, 3, 0))); void dlog(int, const char *, ...) __attribute__((__format__(__printf__, 2, 3))); ssize_t blhexdump(char *, size_t, const char *, const void *, size_t); diff --git a/contrib/blocklist/bin/support.c b/contrib/blocklist/bin/support.c --- a/contrib/blocklist/bin/support.c +++ b/contrib/blocklist/bin/support.c @@ -1,4 +1,4 @@ -/* $NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $ */ +/* $NetBSD: support.c,v 1.3 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. 
@@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: support.c,v 1.9 2018/09/18 22:12:19 christos Exp $"); +#endif +__RCSID("$NetBSD: support.c,v 1.3 2025/02/11 17:48:30 christos Exp $"); #include #include @@ -66,7 +68,8 @@ } void -vdlog(int level __unused, const char *fmt, va_list ap) +vdlog(int level __unused, struct syslog_data *sd __unused, + const char *fmt, va_list ap) { char buf[BUFSIZ]; @@ -81,7 +84,7 @@ va_list ap; va_start(ap, fmt); - vdlog(level, fmt, ap); + vdlog(level, NULL, fmt, ap); va_end(ap); } diff --git a/contrib/blocklist/diff/ftpd.diff b/contrib/blocklist/diff/ftpd.diff --- a/contrib/blocklist/diff/ftpd.diff +++ b/contrib/blocklist/diff/ftpd.diff @@ -2,17 +2,17 @@ +++ pfilter.c 2015-01-23 17:12:02.000000000 -0500 @@ -0,0 +1,24 @@ +#include -+#include ++#include + +#include "pfilter.h" + -+static struct blacklist *blstate; ++static struct blocklist *blstate; + +void +pfilter_open(void) +{ + if (blstate == NULL) -+ blstate = blacklist_open(); ++ blstate = blocklist_open(); +} + +void @@ -23,7 +23,7 @@ + if (blstate == NULL) + return; + -+ blacklist_r(blstate, what, 0, msg); ++ blocklist_r(blstate, what, 0, msg); +} --- /dev/null 2015-01-23 17:30:40.000000000 -0500 +++ pfilter.h 2015-01-23 17:07:25.000000000 -0500 @@ -42,8 +42,8 @@ MLINKS= ftpusers.5 ftpchroot.5 +SRCS+= pfilter.c -+LDADD+= -lblacklist -+DPADD+= ${LIBBLACKLIST} ++LDADD+= -lblocklist ++DPADD+= ${LIBBLOCKLIST} + .if defined(NO_INTERNAL_LS) CPPFLAGS+=-DNO_INTERNAL_LS diff --git a/contrib/blocklist/diff/named.diff b/contrib/blocklist/diff/named.diff --- a/contrib/blocklist/diff/named.diff +++ b/contrib/blocklist/diff/named.diff 
@@ -8,17 +8,17 @@ +#include +#include + -+#include ++#include + +#include "pfilter.h" + -+static struct blacklist *blstate; ++static struct blocklist *blstate; + +void +pfilter_open(void) +{ + if (blstate == NULL) -+ blstate = blacklist_open(); ++ blstate = blocklist_open(); +} + +#define TCP_CLIENT(c) (((c)->attributes & NS_CLIENTATTR_TCP) != 0) @@ -39,7 +39,7 @@ + } + if (socket == NULL) + return; -+ blacklist_sa_r(blstate, ++ blocklist_sa_r(blstate, + res != ISC_R_SUCCESS, isc_socket_getfd(socket), + &client->peeraddr.type.sa, client->peeraddr.length, msg); +} @@ -63,8 +63,8 @@ + pfilter.c tkeyconf.c tsigconf.c \ update.c xfrout.c zoneconf.c ${SRCS_UNIX} -+LDADD+=-lblacklist -+DPADD+=${LIBBLACKLIST} ++LDADD+=-lblocklist ++DPADD+=${LIBBLOCKLIST} .include Index: dist/bin/named/client.c =================================================================== diff --git a/contrib/blocklist/diff/postfix.diff b/contrib/blocklist/diff/postfix.diff new file mode 100644 --- /dev/null +++ b/contrib/blocklist/diff/postfix.diff 
@@ -0,0 +1,98 @@ +Index: dist/src/smtpd/pfilter.c +=================================================================== +RCS file: dist/src/smtpd/pfilter.c +diff -N dist/src/smtpd/pfilter.c +--- /dev/null 1 Jan 1970 00:00:00 -0000 ++++ dist/src/smtpd/pfilter.c 1 Feb 2018 03:29:09 -0000 +@@ -0,0 +1,19 @@ ++#include "pfilter.h" ++#include /* for NULL */ ++#include ++ ++static struct blocklist *blstate; ++ ++void ++pfilter_notify(int a, int fd) ++{ ++ if (blstate == NULL) ++ blstate = blocklist_open(); ++ if (blstate == NULL) ++ return; ++ (void)blocklist_r(blstate, a, fd, "smtpd"); ++ if (a == 0) { ++ blocklist_close(blstate); ++ blstate = NULL; ++ } ++} +Index: dist/src/smtpd/pfilter.h +=================================================================== +RCS file: dist/src/smtpd/pfilter.h +diff -N dist/src/smtpd/pfilter.h +--- /dev/null 1 Jan 1970 00:00:00 -0000 ++++ dist/src/smtpd/pfilter.h 1 Feb 2018 03:29:09 -0000 +@@ -0,0 +1,2 @@ ++ ++void pfilter_notify(int, int); +Index: dist/src/smtpd/smtpd.c +=================================================================== +RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v +retrieving revision 1.14 +diff -u -r1.14 smtpd.c +--- dist/src/smtpd/smtpd.c 14 Feb 2017 01:16:48 -0000 1.14 ++++ dist/src/smtpd/smtpd.c 1 Feb 2018 03:29:09 -0000 +@@ -1197,6 +1197,8 @@ + #include + #include + ++#include "pfilter.h" ++ + /* + * Tunable parameters. 
Make sure that there is some bound on the length of + * an SMTP command, so that the mail system stays in control even when a +@@ -5048,6 +5050,7 @@ + if (state->error_count >= var_smtpd_hard_erlim) { + state->reason = REASON_ERROR_LIMIT; + state->error_mask |= MAIL_ERROR_PROTOCOL; ++ pfilter_notify(1, vstream_fileno(state->client)); + smtpd_chat_reply(state, "421 4.7.0 %s Error: too many errors", + var_myhostname); + break; +Index: libexec/smtpd/Makefile +=================================================================== +RCS file: /cvsroot/src/external/ibm-public/postfix/libexec/smtpd/Makefile,v +retrieving revision 1.6 +diff -u -r1.6 Makefile +--- libexec/smtpd/Makefile 21 May 2017 15:28:40 -0000 1.6 ++++ libexec/smtpd/Makefile 1 Feb 2018 03:29:09 -0000 +@@ -13,11 +13,14 @@ + SRCS= smtpd.c smtpd_token.c smtpd_check.c smtpd_chat.c smtpd_state.c \ + smtpd_peer.c smtpd_sasl_proto.c smtpd_sasl_glue.c smtpd_proxy.c \ + smtpd_xforward.c smtpd_dsn_fix.c smtpd_milter.c smtpd_resolve.c \ +- smtpd_expand.c smtpd_haproxy.c ++ smtpd_expand.c smtpd_haproxy.c pfilter.c + + DPADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL} + LDADD+= ${LIBPMASTER} ${LIBPMILTER} ${LIBPGLOBAL} ${LIBPDNS} ${LIBPXSASL} + ++DPADD+= ${LIBBLOCKLIST} ++LDADD+= -lblocklist ++ + DPADD+= ${LIBPTLS} ${LIBSSL} ${LIBCRYPTO} + LDADD+= ${LIBPTLS} -lssl -lcrypto + +Index: dist/src/smtpd/smtpd.c +=================================================================== +RCS file: /cvsroot/src/external/ibm-public/postfix/dist/src/smtpd/smtpd.c,v +retrieving revision 1.17 +diff -u -u -r1.17 smtpd.c +--- dist/src/smtpd/smtpd.c 18 Mar 2020 19:05:20 -0000 1.17 ++++ dist/src/smtpd/smtpd.c 25 Sep 2020 12:51:52 -0000 +@@ -5795,6 +5795,8 @@ + || strcmp(state->reason, REASON_LOST_CONNECTION)) { + msg_info("%s after %s from %s", + state->reason, state->where, state->namaddr); ++ if (strcmp(state->where, SMTPD_CMD_AUTH) == 0) ++ pfilter_notify(1, vstream_fileno(state->client)); + } + } + 
diff --git a/contrib/blocklist/diff/proftpd.diff b/contrib/blocklist/diff/proftpd.diff --- a/contrib/blocklist/diff/proftpd.diff +++ b/contrib/blocklist/diff/proftpd.diff @@ -1,12 +1,12 @@ --- Make.rules.in.orig 2015-05-27 20:25:54.000000000 -0400 +++ Make.rules.in 2016-01-25 21:48:47.000000000 -0500 @@ -110,3 +110,8 @@ - + FTPWHO_OBJS=ftpwho.o scoreboard.o misc.o BUILD_FTPWHO_OBJS=utils/ftpwho.o utils/scoreboard.o utils/misc.o + -+CPPFLAGS+=-DHAVE_BLACKLIST -+LIBS+=-lblacklist ++CPPFLAGS+=-DHAVE_BLOCKLIST ++LIBS+=-lblocklist +OBJS+= pfilter.o +BUILD_OBJS+= src/pfilter.o --- /dev/null 2016-01-22 17:30:55.000000000 -0500 @@ -84,25 +84,25 @@ +#include "pfilter.h" +#include "conf.h" +#include "privs.h" -+#ifdef HAVE_BLACKLIST -+#include ++#ifdef HAVE_BLOCKLIST ++#include +#endif + -+static struct blacklist *blstate; ++static struct blocklist *blstate; + +void +pfilter_init(void) +{ -+#ifdef HAVE_BLACKLIST ++#ifdef HAVE_BLOCKLIST + if (blstate == NULL) -+ blstate = blacklist_open(); ++ blstate = blocklist_open(); +#endif +} + +void +pfilter_notify(int a) +{ -+#ifdef HAVE_BLACKLIST ++#ifdef HAVE_BLOCKLIST + conn_t *c = session.c; + int fd; + @@ -119,6 +119,6 @@ + pfilter_init(); + if (blstate == NULL) + return; -+ (void)blacklist_r(blstate, a, fd, "proftpd"); ++ (void)blocklist_r(blstate, a, fd, "proftpd"); +#endif +} diff --git a/contrib/blocklist/diff/ssh.diff b/contrib/blocklist/diff/ssh.diff --- a/contrib/blocklist/diff/ssh.diff +++ b/contrib/blocklist/diff/ssh.diff @@ -7,14 +7,14 @@ +#include "packet.h" +#include "log.h" +#include "pfilter.h" -+#include ++#include + -+static struct blacklist *blstate; ++static struct blocklist *blstate; + +void +pfilter_init(void) +{ -+ blstate = blacklist_open(); ++ blstate = blocklist_open(); +} + +void 
@@ -27,9 +27,9 @@ + return; + // XXX: 3? + fd = packet_connection_is_on_socket() ? packet_get_connection_in() : 3; -+ (void)blacklist_r(blstate, a, fd, "ssh"); ++ (void)blocklist_r(blstate, a, fd, "ssh"); + if (a == 0) { -+ blacklist_close(blstate); ++ blocklist_close(blstate); + blstate = NULL; + } +} @@ -60,8 +60,8 @@ LDADD+= -lwrap DPADD+= ${LIBWRAP} + -+LDADD+= -lblacklist -+DPADD+= ${LIBBLACKLIST} ++LDADD+= -lblocklist ++DPADD+= ${LIBBLOCKLIST} diff -ru openssh-7.7p1/auth-pam.c dist/auth-pam.c --- openssh-7.7p1/auth-pam.c 2018-04-02 01:38:28.000000000 -0400 +++ dist/auth-pam.c 2018-05-23 11:56:22.206661484 -0400 diff --git a/contrib/blocklist/etc/Makefile b/contrib/blocklist/etc/Makefile --- a/contrib/blocklist/etc/Makefile +++ b/contrib/blocklist/etc/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.3 2015/01/26 00:18:40 christos Exp $ +# $NetBSD: Makefile,v 1.2 2025/02/05 20:24:26 christos Exp $ -SUBDIR=rc.d +SUBDIR= rc.d -FILESDIR= /usr/share/examples/blacklist -FILESMODE= 644 -FILES= blacklistd.conf npf.conf +FILESDIR= /usr/share/examples/blocklist +FILESMODE= 644 +FILES= blocklistd.conf ipf.conf npf.conf .include .include diff --git a/contrib/blocklist/etc/blacklistd.conf b/contrib/blocklist/etc/blacklistd.conf deleted file mode 100644 --- a/contrib/blocklist/etc/blacklistd.conf +++ /dev/null @@ -1,14 +0,0 @@ -# Blacklist rule -# adr/mask:port type proto owner name nfail disable -[local] -ssh stream * * * 3 6h -ftp stream * * * 3 6h -domain * * named * 3 12h -#6161 stream tcp6 christos * 2 10m -* * * * * 3 60 - -# adr/mask:port type proto owner name nfail disable -[remote] -#129.168.0.0/16 * * * = * * -#6161 = = = =/24 = = -#* stream tcp * = = = diff --git a/contrib/blocklist/etc/blocklistd.conf b/contrib/blocklist/etc/blocklistd.conf new file mode 100644 --- /dev/null +++ b/contrib/blocklist/etc/blocklistd.conf 
@@ -0,0 +1,15 @@
+# Blocklist rule
+# adr/mask:port type proto owner name nfail duration
+[local]
+ssh stream * * * 3 6h
+ftp stream * * * 3 6h
+domain * * named * 3 12h
+#6161 stream tcp6 christos * 2 10m
+* * * * * 3 60
+
+# adr/mask:port type proto owner name nfail duration
+[remote]
+#129.168.0.0/16 * * * = * *
+#[2001:db8::]/32:ssh * * * = * *
+#6161 = = = =/24 = =
+#* stream tcp * = = =
diff --git a/contrib/blocklist/etc/ipf.conf b/contrib/blocklist/etc/ipf.conf
new file mode 100644
--- /dev/null
+++ b/contrib/blocklist/etc/ipf.conf
@@ -0,0 +1,45 @@ +#======================================== +# +# subsection for abuse blocking +# +#======================================== +# +# This section should be included early in the main /etc/ipf.conf file, right +# after any basic generic accounting ("count") rules, and any cleanup rules to +# block invalid fragments, invalid options (e.g. "ssrr"), etc. +# +# Note these will not actually block anything since they don't include the +# "quick" flag, and are thus part of a last-match group. They simply set up a +# group such that any connection logging rule further below won't also match if +# one of the rules in the group matches, no matter when or where the subsequent +# matching rule is added. I.e. all rules in the group are checked for a match +# (and a possible "first match" with "quick") before any subsequent rules +# further below are used. Note group rules can be added at any time, including +# at runtime after all other rules have been added -- they will still belong to +# the group and once added will be checked as part of the group. +# +# head of "blocklistd" group: +# +# The "blocklistd" group will be used by blocklistd(8). +# +block in proto tcp/udp from any to any head blocklistd +# +# head of "attackers" group to block all attackers: +# +# The "attackers" group is intended to be used for manually maintained rules +# e.g. as could be added like this: +# +# echo 'block return-rst in log quick proto tcp from 118.136.0.0/15 to any flags S/SAFR group attackers' >> /etc/ipf.conf +# /etc/rc.d/ipfliter reload +# +# Note the choice in this example is to return RST packets for blocked SYN +# packets to help the other end close. This is not necessary, but it better +# mimics what the kernel does by default, thus perhaps hiding the fact a +# firewall is present. +# +# XXX This example still allows UDP services, but we would need to duplicate +# each rule with "proto udp" (and without "flags blah") due to IPF parsing +# limitations.... 
+# +block in proto tcp/udp from any to any head attackers +# diff --git a/contrib/blocklist/etc/npf.conf b/contrib/blocklist/etc/npf.conf --- a/contrib/blocklist/etc/npf.conf +++ b/contrib/blocklist/etc/npf.conf @@ -1,4 +1,4 @@ -# Transparent firewall example for blacklistd +# Transparent firewall example for blocklistd $ext_if = "bnx0" @@ -6,7 +6,7 @@ alg "icmp" group "external" on $ext_if { - ruleset "blacklistd" + ruleset "blocklistd" pass final all } diff --git a/contrib/blocklist/etc/rc.d/Makefile b/contrib/blocklist/etc/rc.d/Makefile --- a/contrib/blocklist/etc/rc.d/Makefile +++ b/contrib/blocklist/etc/rc.d/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ -SCRIPTS=blacklistd +SCRIPTS=blocklistd SCRIPTSDIR=/etc/rc.d .include diff --git a/contrib/blocklist/etc/rc.d/blacklistd b/contrib/blocklist/etc/rc.d/blacklistd deleted file mode 100644 --- a/contrib/blocklist/etc/rc.d/blacklistd +++ /dev/null 
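Review bot: The reload command in the "attackers" example comment is spelled `/etc/rc.d/ipfliter reload`, which looks like a typo for `ipfilter` (the rc.d script added in this same commit lists `REQUIRE: npf pf ipfilter`). An operator who pastes the two example lines would append the block rule to /etc/ipf.conf, hit a missing-script error on the second line, and be left with a rule that is on disk but not loaded. The comment line should read `# /etc/rc.d/ipfilter reload`.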
@@ -1,57 +0,0 @@ -#!/bin/sh -# -# $NetBSD: blacklistd,v 1.2 2016/10/17 22:47:16 christos Exp $ -# - -# PROVIDE: blacklistd -# REQUIRE: npf -# BEFORE: SERVERS - -$_rc_subr_loaded . /etc/rc.subr - -name="blacklistd" -rcvar=$name -command="/sbin/${name}" -pidfile="/var/run/${name}.pid" -required_files="/etc/${name}.conf" -start_precmd="${name}_precmd" -extra_commands="reload" - -_sockfile="/var/run/${name}.sockets" -_sockname="blacklistd.sock" - -blacklistd_precmd() -{ - # Create default list of blacklistd sockets to watch - # - ( umask 022 ; > $_sockfile ) - - # Find /etc/rc.d scripts with "chrootdir" rcorder(8) keyword, - # and if $${app}_chrootdir is a directory, add appropriate - # blacklistd socket to list of sockets to watch. - # - for _lr in $(rcorder -k chrootdir /etc/rc.d/*); do - ( - _l=${_lr##*/} - load_rc_config ${_l} - eval _ldir=\$${_l}_chrootdir - if checkyesno $_l && [ -n "$_ldir" ]; then - echo "${_ldir}/var/run/${_sockname}" >> $_sockfile - fi - ) - done - - # If other sockets have been provided, change run_rc_command()'s - # internal copy of $blacklistd_flags to force use of specific - # blacklistd sockets. - # - if [ -s $_sockfile ]; then - echo "/var/run/${_sockname}" >> $_sockfile - rc_flags="-P $_sockfile $rc_flags" - fi - - return 0 -} - -load_rc_config $name -run_rc_command "$1" diff --git a/contrib/blocklist/etc/rc.d/blocklistd b/contrib/blocklist/etc/rc.d/blocklistd new file mode 100644 --- /dev/null +++ b/contrib/blocklist/etc/rc.d/blocklistd 
@@ -0,0 +1,57 @@ +#!/bin/sh +# +# $NetBSD: blocklistd,v 1.2 2021/03/07 00:46:39 christos Exp $ +# + +# PROVIDE: blocklistd +# REQUIRE: npf pf ipfilter +# BEFORE: SERVERS + +$_rc_subr_loaded . /etc/rc.subr + +name="blocklistd" +rcvar=$name +command="/sbin/${name}" +pidfile="/var/run/${name}.pid" +required_files="/etc/${name}.conf" +start_precmd="${name}_precmd" +extra_commands="reload" + +_sockfile="/var/run/${name}.sockets" +_sockname="blocklistd.sock" + +blocklistd_precmd() +{ + # Create default list of blocklistd sockets to watch + # + ( umask 022 ; > $_sockfile ) + + # Find /etc/rc.d scripts with "chrootdir" rcorder(8) keyword, + # and if $${app}_chrootdir is a directory, add appropriate + # blocklistd socket to list of sockets to watch. + # + for _lr in $(rcorder -k chrootdir /etc/rc.d/*); do + ( + _l=${_lr##*/} + load_rc_config ${_l} + eval _ldir=\$${_l}_chrootdir + if checkyesno $_l && [ -n "$_ldir" ]; then + echo "${_ldir}/var/run/${_sockname}" >> $_sockfile + fi + ) + done + + # If other sockets have been provided, change run_rc_command()'s + # internal copy of $blocklistd_flags to force use of specific + # blocklistd sockets. + # + if [ -s $_sockfile ]; then + echo "/var/run/${_sockname}" >> $_sockfile + rc_flags="-P $_sockfile $rc_flags" + fi + + return 0 +} + +load_rc_config $name +run_rc_command "$1" diff --git a/contrib/blocklist/include/Makefile b/contrib/blocklist/include/Makefile --- a/contrib/blocklist/include/Makefile +++ b/contrib/blocklist/include/Makefile @@ -1,10 +1,10 @@ -# $NetBSD: Makefile,v 1.1 2015/01/21 16:16:00 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ # Doing a make includes builds /usr/include NOOBJ= # defined -INCS= blacklist.h +INCS= blocklist.h INCSDIR= /usr/include .include diff --git a/contrib/blocklist/include/bl.h b/contrib/blocklist/include/bl.h --- a/contrib/blocklist/include/bl.h +++ b/contrib/blocklist/include/bl.h 
@@ -1,4 +1,4 @@ -/* $NetBSD: bl.h,v 1.13 2016/03/11 17:16:40 christos Exp $ */ +/* $NetBSD: bl.h,v 1.2 2024/08/02 17:11:55 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -35,7 +35,7 @@ #include #include #include -#include "blacklist.h" +#include "blocklist.h" typedef enum { BL_INVALID, @@ -58,14 +58,15 @@ #define bi_cred bi_u._bi_cred #ifndef _PATH_BLSOCK -#define _PATH_BLSOCK "/var/run/blacklistd.sock" +#define _PATH_BLSOCK "/var/run/blocklistd.sock" #endif __BEGIN_DECLS -typedef struct blacklist *bl_t; +typedef struct blocklist *bl_t; -bl_t bl_create(bool, const char *, void (*)(int, const char *, va_list)); +bl_t bl_create(bool, const char *, + void (*)(int, struct syslog_data *, const char *, va_list)); void bl_destroy(bl_t); int bl_send(bl_t, bl_type_t, int, const struct sockaddr *, socklen_t, const char *); diff --git a/contrib/blocklist/include/blacklist.h b/contrib/blocklist/include/blacklist.h --- a/contrib/blocklist/include/blacklist.h +++ b/contrib/blocklist/include/blacklist.h @@ -1,4 +1,4 @@ -/* $NetBSD: blacklist.h,v 1.3 2015/01/23 18:48:56 christos Exp $ */ +/* $NetBSD: blocklist.h,v 1.4 2025/02/11 17:42:17 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -32,16 +32,26 @@ #define _BLACKLIST_H #include +#include -__BEGIN_DECLS +#if defined(__cplusplus) +extern "C" { +#endif + +struct syslog_data; struct blacklist *blacklist_open(void); +struct blacklist *blacklist_open2( + void (*)(int, struct syslog_data *, const char *, va_list)); void blacklist_close(struct blacklist *); int blacklist(int, int, const char *); int blacklist_r(struct blacklist *, int, int, const char *); int blacklist_sa(int, int, const struct sockaddr *, socklen_t, const char *); int blacklist_sa_r(struct blacklist *, int, int, const struct sockaddr *, socklen_t, const char *); -__END_DECLS + +#if defined(__cplusplus) +} +#endif /* action values for user applications */ #define BLACKLIST_API_ENUM 1 
diff --git a/contrib/blocklist/include/blocklist.h b/contrib/blocklist/include/blocklist.h
new file mode 100644
--- /dev/null
+++ b/contrib/blocklist/include/blocklist.h
@@ -0,0 +1,65 @@ +/* $NetBSD: blocklist.h,v 1.4 2025/02/11 17:42:17 christos Exp $ */ + +/*- + * Copyright (c) 2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */
+#ifndef _BLOCKLIST_H
+#define _BLOCKLIST_H
+
+#include
+#include
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+struct syslog_data;
+struct blocklist *blocklist_open(void);
+struct blocklist *blocklist_open2(
+ void (*)(int, struct syslog_data *, const char *, va_list));
+void blocklist_close(struct blocklist *);
+int blocklist(int, int, const char *);
+int blocklist_r(struct blocklist *, int, int, const char *);
+int blocklist_sa(int, int, const struct sockaddr *, socklen_t, const char *);
+int blocklist_sa_r(struct blocklist *, int, int,
+ const struct sockaddr *, socklen_t, const char *);
+
+#if defined(__cplusplus)
+}
+#endif
+
+/* action values for user applications */
+#define BLOCKLIST_API_ENUM 1
+enum {
+ BLOCKLIST_AUTH_OK = 0,
+ BLOCKLIST_AUTH_FAIL,
+ BLOCKLIST_ABUSIVE_BEHAVIOR,
+ BLOCKLIST_BAD_USER
+};
+
+#endif /* _BLOCKLIST_H */
diff --git a/contrib/blocklist/include/old_bl.h b/contrib/blocklist/include/old_bl.h
new file mode 100644
--- /dev/null
+++ b/contrib/blocklist/include/old_bl.h
@@ -0,0 +1,80 @@ +/* $NetBSD: bl.h,v 1.2 2024/08/02 17:11:55 christos Exp $ */ + +/*- + * Copyright (c) 2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifndef _OLD_BL_H +#define _OLD_BL_H + +#include +#include +#include +#include +#include "blacklist.h" + +typedef enum { + BL_INVALID, + BL_ADD, + BL_DELETE, + BL_ABUSE, + BL_BADUSER +} bl_type_t; + +typedef struct { + bl_type_t bi_type; + int bi_fd; + uid_t bi_uid; + gid_t bi_gid; + socklen_t bi_slen; + struct sockaddr_storage bi_ss; + char bi_msg[1024]; +} bl_info_t; + +#define bi_cred bi_u._bi_cred + +/* We want the new name */ +#ifndef _PATH_BLSOCK +#define _PATH_BLSOCK "/var/run/blocklistd.sock" +#endif + +__BEGIN_DECLS + +typedef struct blacklist *bl_t; + +bl_t bl_create(bool, const char *, + void (*)(int, struct syslog_data *, const char *, va_list)); +void bl_destroy(bl_t); +int bl_send(bl_t, bl_type_t, int, const struct sockaddr *, socklen_t, + const char *); +int bl_getfd(bl_t); +bl_info_t *bl_recv(bl_t); +bool bl_isconnected(bl_t); + +__END_DECLS + +#endif /* _OLD_BL_H */ diff --git a/contrib/blocklist/lib/Makefile b/contrib/blocklist/lib/Makefile --- a/contrib/blocklist/lib/Makefile +++ b/contrib/blocklist/lib/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.7 2019/03/08 20:40:05 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ .include @@ -6,14 +6,14 @@ CPPFLAGS+=-D_REENTRANT #LIBDPLIBS+=pthread ${NETBSDSRCDIR}/lib/libpthread -LIB=blacklist -SRCS=bl.c blacklist.c -MAN=libblacklist.3 -MLINKS+=libblacklist.3 blacklist_open.3 -MLINKS+=libblacklist.3 blacklist_close.3 -MLINKS+=libblacklist.3 blacklist.3 -MLINKS+=libblacklist.3 blacklist_r.3 -MLINKS+=libblacklist.3 blacklist_sa.3 -MLINKS+=libblacklist.3 blacklist_sa_r.3 +LIB=blocklist +SRCS=bl.c blocklist.c +MAN=libblocklist.3 +MLINKS+=libblocklist.3 blocklist_open.3 +MLINKS+=libblocklist.3 blocklist_close.3 +MLINKS+=libblocklist.3 blocklist.3 +MLINKS+=libblocklist.3 blocklist_r.3 +MLINKS+=libblocklist.3 blocklist_sa.3 +MLINKS+=libblocklist.3 blocklist_sa_r.3 .include diff --git a/contrib/blocklist/lib/bl.c b/contrib/blocklist/lib/bl.c --- a/contrib/blocklist/lib/bl.c 
+++ b/contrib/blocklist/lib/bl.c @@ -1,4 +1,4 @@ -/* $NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $ */ +/* $NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: bl.c,v 1.28 2016/07/29 17:13:09 christos Exp $"); +#endif +__RCSID("$NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $"); #include #include @@ -57,6 +59,10 @@ #include #endif +#if defined(SO_RECVUCRED) +#include +#endif + #include "bl.h" typedef struct { @@ -68,7 +74,7 @@ char bl_data[]; } bl_message_t; -struct blacklist { +struct blocklist { #ifdef _REENTRANT pthread_mutex_t b_mutex; # define BL_INIT(b) pthread_mutex_init(&b->b_mutex, NULL) @@ -82,7 +88,8 @@ int b_fd; int b_connected; struct sockaddr_un b_sun; - void (*b_fun)(int, const char *, va_list); + struct syslog_data b_syslog_data; + void (*b_fun)(int, struct syslog_data *, const char *, va_list); bl_info_t b_info; }; @@ -115,14 +122,16 @@ } static void -bl_log(void (*fun)(int, const char *, va_list), int level, - const char *fmt, ...) +bl_log(bl_t b, int level, const char *fmt, ...) { va_list ap; int serrno = errno; + if (b->b_fun == NULL) + return; + va_start(ap, fmt); - (*fun)(level, fmt, ap); + (*b->b_fun)(level, &b->b_syslog_data, fmt, ap); va_end(ap); errno = serrno; } @@ -152,7 +161,7 @@ b->b_fd = socket(PF_LOCAL, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0); if (b->b_fd == -1) { - bl_log(b->b_fun, LOG_ERR, "%s: socket failed (%s)", + bl_log(b, LOG_ERR, "%s: socket failed (%s)", __func__, strerror(errno)); BL_UNLOCK(b); return -1; @@ -186,7 +195,7 @@ rv = connect(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun)); if (rv == 0) { if (srv) { - bl_log(b->b_fun, LOG_ERR, + bl_log(b, LOG_ERR, "%s: another daemon is handling `%s'", __func__, sun->sun_path); goto out; 
@@ -199,7 +208,7 @@ * and only log once. */ if (b->b_connected != 1) { - bl_log(b->b_fun, LOG_DEBUG, + bl_log(b, LOG_DEBUG, "%s: connect failed for `%s' (%s)", __func__, sun->sun_path, strerror(errno)); b->b_connected = 1; @@ -207,8 +216,7 @@ BL_UNLOCK(b); return -1; } - bl_log(b->b_fun, LOG_DEBUG, "Connected to blacklist server", - __func__); + bl_log(b, LOG_DEBUG, "Connected to blocklist server", __func__); } if (srv) { @@ -219,8 +227,7 @@ (void)umask(om); errno = serrno; if (rv == -1) { - bl_log(b->b_fun, LOG_ERR, - "%s: bind failed for `%s' (%s)", + bl_log(b, LOG_ERR, "%s: bind failed for `%s' (%s)", __func__, sun->sun_path, strerror(errno)); goto out; } @@ -231,8 +238,8 @@ #if defined(LOCAL_CREDS) #define CRED_LEVEL 0 #define CRED_NAME LOCAL_CREDS -#define CRED_SC_UID sc_euid -#define CRED_SC_GID sc_egid +#define CRED_SC_UID(x) (x)->sc_euid +#define CRED_SC_GID(x) (x)->sc_egid #define CRED_MESSAGE SCM_CREDS #define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX) #define CRED_TYPE struct sockcred @@ -240,12 +247,21 @@ #elif defined(SO_PASSCRED) #define CRED_LEVEL SOL_SOCKET #define CRED_NAME SO_PASSCRED -#define CRED_SC_UID uid -#define CRED_SC_GID gid +#define CRED_SC_UID(x) (x)->uid +#define CRED_SC_GID(x) (x)->gid #define CRED_MESSAGE SCM_CREDENTIALS #define CRED_SIZE sizeof(struct ucred) #define CRED_TYPE struct ucred #define GOT_CRED 2 +#elif defined(SO_RECVUCRED) +#define CRED_LEVEL SOL_SOCKET +#define CRED_NAME SO_RECVUCRED +#define CRED_SC_UID(x) ucred_geteuid(x) +#define CRED_SC_GID(x) ucred_getegid(x) +#define CRED_MESSAGE SCM_UCRED +#define CRED_SIZE ucred_size() +#define CRED_TYPE ucred_t +#define GOT_CRED 2 #else #define GOT_CRED 0 /* @@ -259,7 +275,7 @@ #ifdef CRED_LEVEL if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME, &one, (socklen_t)sizeof(one)) == -1) { - bl_log(b->b_fun, LOG_ERR, "%s: setsockopt %s " + bl_log(b, LOG_ERR, "%s: setsockopt %s " "failed (%s)", __func__, __STRING(CRED_NAME), strerror(errno)); goto out; 
@@ -275,12 +291,15 @@ } bl_t -bl_create(bool srv, const char *path, void (*fun)(int, const char *, va_list)) +bl_create(bool srv, const char *path, + void (*fun)(int, struct syslog_data *, const char *, va_list)) { + static struct syslog_data sd = SYSLOG_DATA_INIT; bl_t b = calloc(1, sizeof(*b)); if (b == NULL) - goto out; - b->b_fun = fun == NULL ? vsyslog : fun; + return NULL; + b->b_fun = fun; + b->b_syslog_data = sd; b->b_fd = -1; b->b_connected = -1; BL_INIT(b); @@ -295,11 +314,6 @@ bl_init(b, srv); return b; -out: - free(b); - bl_log(fun, LOG_ERR, "%s: malloc failed (%s)", __func__, - strerror(errno)); - return NULL; } void @@ -327,7 +341,7 @@ family = AF_INET6; break; default: - bl_log(b->b_fun, LOG_ERR, "%s: invalid socket len %u (%s)", + bl_log(b, LOG_ERR, "%s: invalid socket len %u (%s)", __func__, (unsigned)slen, ctx); errno = EINVAL; return -1; @@ -336,7 +350,7 @@ memcpy(ss, sa, slen); if (ss->ss_family != family) { - bl_log(b->b_fun, LOG_INFO, + bl_log(b, LOG_INFO, "%s: correcting socket family %d to %d (%s)", __func__, ss->ss_family, family, ctx); ss->ss_family = family; @@ -344,7 +358,7 @@ #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN if (ss->ss_len != slen) { - bl_log(b->b_fun, LOG_INFO, + bl_log(b, LOG_INFO, "%s: correcting socket len %u to %u (%s)", __func__, ss->ss_len, (unsigned)slen, ctx); ss->ss_len = (uint8_t)slen; @@ -424,10 +438,11 @@ union { char ctrl[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(CRED_SIZE)]; uint32_t fd; - CRED_TYPE sc; } ua; struct cmsghdr *cmsg; +#if GOT_CRED != 0 CRED_TYPE *sc; +#endif union { bl_message_t bl; char buf[512]; 
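Review bot: `bl_create()` in the `@@ -275,12 +291,15 @@` hunk no longer substitutes a default when `fun` is NULL, and together with the new `if (b->b_fun == NULL) return;` in `bl_log()` (the `@@ -115,14 +122,16 @@` hunk) a NULL callback now silently discards every diagnostic, including the socket, connect and bind failures logged elsewhere in this file. Nothing in the visible hunks documents the change, so a caller that relied on the old vsyslog fallback loses the only signal that its reports are not reaching the daemon. I would add a comment above the assignment, e.g. `/* fun == NULL disables logging; pass vsyslog_r for syslog output */`, and state the same for `blocklist_open2()`. The calloc failure path also returns NULL without a message now, so callers have only the return value to go on.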
@@ -450,18 +465,18 @@ msg.msg_flags = 0; msg.msg_control = ua.ctrl; - msg.msg_controllen = sizeof(ua.ctrl) + 100; + msg.msg_controllen = sizeof(ua.ctrl); rlen = recvmsg(b->b_fd, &msg, 0); if (rlen == -1) { - bl_log(b->b_fun, LOG_ERR, "%s: recvmsg failed (%s)", __func__, + bl_log(b, LOG_ERR, "%s: recvmsg failed (%s)", __func__, strerror(errno)); return NULL; } for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { if (cmsg->cmsg_level != SOL_SOCKET) { - bl_log(b->b_fun, LOG_ERR, + bl_log(b, LOG_ERR, "%s: unexpected cmsg_level %d", __func__, cmsg->cmsg_level); continue; @@ -469,10 +484,15 @@ switch (cmsg->cmsg_type) { case SCM_RIGHTS: if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) { - bl_log(b->b_fun, LOG_ERR, + int *fd = (void *)CMSG_DATA(cmsg); + size_t len = cmsg->cmsg_len / sizeof(int); + bl_log(b, LOG_ERR, "%s: unexpected cmsg_len %d != %zu", __func__, cmsg->cmsg_len, - CMSG_LEN(2 * sizeof(int))); + CMSG_LEN(sizeof(int))); + + for (size_t i = 0; i < len; i++) + (void)close(fd[i]); continue; } memcpy(&bi->bi_fd, CMSG_DATA(cmsg), sizeof(bi->bi_fd)); @@ -481,13 +501,13 @@ #ifdef CRED_MESSAGE case CRED_MESSAGE: sc = (void *)CMSG_DATA(cmsg); - bi->bi_uid = sc->CRED_SC_UID; - bi->bi_gid = sc->CRED_SC_GID; + bi->bi_uid = CRED_SC_UID(sc); + bi->bi_gid = CRED_SC_GID(sc); got |= GOT_CRED; break; #endif default: - bl_log(b->b_fun, LOG_ERR, + bl_log(b, LOG_ERR, "%s: unexpected cmsg_type %d", __func__, cmsg->cmsg_type); continue; @@ -496,7 +516,7 @@ } if (got != (GOT_CRED|GOT_FD)) { - bl_log(b->b_fun, LOG_ERR, "message missing %s %s", + bl_log(b, LOG_ERR, "message missing %s %s", #if GOT_CRED != 0 (got & GOT_CRED) == 0 ? "cred" : #endif 
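Review bot: In the SCM_RIGHTS branch of the `@@ -469,10 +484,15 @@` hunk the number of descriptors to close is computed as `cmsg->cmsg_len / sizeof(int)`, but cmsg_len counts the cmsghdr header as well as the payload, so `len` exceeds the number of descriptors actually carried. The loop then calls close() on integers read past the descriptor array, which in a long-running daemon could close descriptors it never received from this message, possibly its own socket. Subtracting the header first keeps the cleanup to what was passed: `size_t len = (cmsg->cmsg_len - CMSG_LEN(0)) / sizeof(int);`. The log call in the same branch prints cmsg_len with `%d`; a cast would be safer since its type is not int on every platform. The enclosing receive function starts and ends outside this hunk.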
@@ -506,13 +526,13 @@ rem = (size_t)rlen; if (rem < sizeof(ub.bl)) { - bl_log(b->b_fun, LOG_ERR, "message too short %zd", rlen); + bl_log(b, LOG_ERR, "message too short %zd", rlen); return NULL; } rem -= sizeof(ub.bl); if (ub.bl.bl_version != BL_VERSION) { - bl_log(b->b_fun, LOG_ERR, "bad version %d", ub.bl.bl_version); + bl_log(b, LOG_ERR, "bad version %d", ub.bl.bl_version); return NULL; } @@ -523,10 +543,12 @@ bi->bi_uid = -1; bi->bi_gid = -1; #endif - rem = MIN(sizeof(bi->bi_msg), rem); if (rem == 0) bi->bi_msg[0] = '\0'; - else - strlcpy(bi->bi_msg, ub.bl.bl_data, rem); + else { + rem = MIN(sizeof(bi->bi_msg) - 1, rem); + memcpy(bi->bi_msg, ub.bl.bl_data, rem); + bi->bi_msg[rem] = '\0'; + } return bi; } diff --git a/contrib/blocklist/lib/blacklist.c b/contrib/blocklist/lib/blacklist.c --- a/contrib/blocklist/lib/blacklist.c +++ b/contrib/blocklist/lib/blacklist.c @@ -1,4 +1,4 @@ -/* $NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $ */ +/* $NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2014 The NetBSD Foundation, Inc. @@ -32,11 +32,13 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: blacklist.c,v 1.5 2015/01/22 16:19:53 christos Exp $"); +#endif +__RCSID("$NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $"); #include -#include +#include #include #include @@ -98,7 +100,14 @@ struct blacklist * blacklist_open(void) { - return bl_create(false, NULL, vsyslog); + return bl_create(false, NULL, vsyslog_r); +} + +struct blacklist * +blacklist_open2( + void (*logger)(int, struct syslog_data *, const char *, va_list)) +{ + return bl_create(false, NULL, logger); } void diff --git a/contrib/blocklist/lib/blocklist.c b/contrib/blocklist/lib/blocklist.c new file mode 100644 --- /dev/null +++ b/contrib/blocklist/lib/blocklist.c 
@@ -0,0 +1,117 @@ +/* $NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $ */ + +/*- + * Copyright (c) 2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifdef HAVE_SYS_CDEFS_H +#include +#endif +__RCSID("$NetBSD: blocklist.c,v 1.4 2025/02/11 17:48:30 christos Exp $"); + +#include +#include + +#include +#include +#include +#include +#include + +int +blocklist_sa(int action, int rfd, const struct sockaddr *sa, socklen_t salen, + const char *msg) +{ + struct blocklist *bl; + int rv; + if ((bl = blocklist_open()) == NULL) + return -1; + rv = blocklist_sa_r(bl, action, rfd, sa, salen, msg); + blocklist_close(bl); + return rv; +} + +int +blocklist_sa_r(struct blocklist *bl, int action, int rfd, + const struct sockaddr *sa, socklen_t slen, const char *msg) +{ + bl_type_t internal_action; + + /* internal values are not the same as user application values */ + switch (action) { + case BLOCKLIST_AUTH_FAIL: + internal_action = BL_ADD; + break; + case BLOCKLIST_AUTH_OK: + internal_action = BL_DELETE; + break; + case BLOCKLIST_ABUSIVE_BEHAVIOR: + internal_action = BL_ABUSE; + break; + case BLOCKLIST_BAD_USER: + internal_action = BL_BADUSER; + break; + default: + internal_action = BL_INVALID; + break; + } + return bl_send(bl, internal_action, rfd, sa, slen, msg); +} + +int +blocklist(int action, int rfd, const char *msg) +{ + return blocklist_sa(action, rfd, NULL, 0, msg); +} + +int +blocklist_r(struct blocklist *bl, int action, int rfd, const char *msg) +{ + return blocklist_sa_r(bl, action, rfd, NULL, 0, msg); +} + +struct blocklist * +blocklist_open(void) { + return bl_create(false, NULL, vsyslog_r); +} + +struct blocklist * +blocklist_open2( + void (*logger)(int, struct syslog_data *, const char *, va_list)) +{ + return bl_create(false, NULL, logger); +} + +void +blocklist_close(struct blocklist *bl) +{ + bl_destroy(bl); +} diff --git a/contrib/blocklist/lib/libblacklist.3 b/contrib/blocklist/lib/libblacklist.3 --- a/contrib/blocklist/lib/libblacklist.3 +++ b/contrib/blocklist/lib/libblacklist.3 
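Review bot: An unrecognised `action` falls into the `default:` case of blocklist_sa_r and is still sent to the daemon as BL_INVALID; how the daemon treats that type is not visible in this file. Rejecting it locally gives the caller an immediate error and avoids a round trip: replace the default body with `errno = EINVAL; return -1;`, assuming errno.h is among the includes, which this page shows stripped. The public entry points also carry no comments; a one-line header on each saying which ones open and close a connection per call (blocklist, blocklist_sa) and which reuse a cookie (blocklist_r, blocklist_sa_r) would help callers choose.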
@@ -1,4 +1,4 @@ -.\" $NetBSD: libblacklist.3,v 1.10 2020/03/30 15:47:15 christos Exp $ +.\" $NetBSD: libblocklist.3,v 1.7 2025/02/05 20:14:30 christos Exp $ .\" .\" Copyright (c) 2015 The NetBSD Foundation, Inc. .\" All rights reserved. @@ -27,11 +27,12 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE .\" POSSIBILITY OF SUCH DAMAGE. .\" -.Dd March 30, 2020 +.Dd February 5, 2025 .Dt LIBBLACKLIST 3 .Os .Sh NAME .Nm blacklist_open , +.Nm blacklist_open2 , .Nm blacklist_close , .Nm blacklist_r , .Nm blacklist , @@ -44,6 +45,8 @@ .In blacklist.h .Ft struct blacklist * .Fn blacklist_open "void" +.Ft struct blacklist * +.Fn blacklist_open2 "void (*logger)(int, struct syslog_data *, va_list)" .Ft void .Fn blacklist_close "struct blacklist *cookie" .Ft int @@ -68,6 +71,19 @@ .Dv NULL on failure. .Pp +The function +.Fn blacklist_open2 +is similar to +.Fn blacklist_open +but allows a +.Fa logger +to be specified. +If the +.Fa logger +is +.Dv NULL , +then no logging is performed. +.Pp The .Fn blacklist_close function frees all memory and resources used. @@ -89,17 +105,17 @@ The .Ar action parameter can take these values: -.Bl -tag -width ".Va BLACKLIST_ABUSIVE_BEHAVIOR" -.It Va BLACKLIST_AUTH_FAIL +.Bl -tag -width ".Dv BLACKLIST_ABUSIVE_BEHAVIOR" +.It Dv BLACKLIST_AUTH_FAIL There was an unsuccessful authentication attempt. -.It Va BLACKLIST_AUTH_OK +.It Dv BLACKLIST_AUTH_OK A user successfully authenticated. -.It Va BLACKLIST_ABUSIVE_BEHAVIOR +.It Dv BLACKLIST_ABUSIVE_BEHAVIOR The sending daemon has detected abusive behavior from the remote system. The remote address should be blocked as soon as possible. -.It Va BLACKLIST_BAD_USER +.It Dv BLACKLIST_BAD_USER The sending daemon has determined the username presented for authentication is invalid. The @@ -108,7 +124,7 @@ usernames and blocks the address immediately if a forbidden username matches. (The -.Ar BLACKLIST_BAD_USER +.Dv BLACKLIST_BAD_USER support is not currently available.) .El .Pp 
@@ -160,6 +176,11 @@ on failure setting .Dv errno to an appropriate value. +.Sh NOTES +The +.Lb libblacklist +has been renamed to +.Xr libblocklist 3 . .Sh SEE ALSO .Xr blacklistd.conf 5 , .Xr blacklistd 8 diff --git a/contrib/blocklist/lib/libblocklist.3 b/contrib/blocklist/lib/libblocklist.3 new file mode 100644 --- /dev/null +++ b/contrib/blocklist/lib/libblocklist.3 
@@ -0,0 +1,183 @@ +.\" $NetBSD: libblocklist.3,v 1.7 2025/02/05 20:14:30 christos Exp $ +.\" +.\" Copyright (c) 2015 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" This code is derived from software contributed to The NetBSD Foundation +.\" by Christos Zoulas. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. 
+.\" +.Dd February 5, 2025 +.Dt LIBBLOCKLIST 3 +.Os +.Sh NAME +.Nm blocklist_open , +.Nm blocklist_open2 , +.Nm blocklist_close , +.Nm blocklist_r , +.Nm blocklist , +.Nm blocklist_sa , +.Nm blocklist_sa_r +.Nd Blocklistd notification library +.Sh LIBRARY +.Lb libblocklist +.Sh SYNOPSIS +.In blocklist.h +.Ft struct blocklist * +.Fn blocklist_open "void" +.Ft struct blocklist * +.Fn blocklist_open2 "void (*logger)(int, struct syslog_data *, va_list)" +.Ft void +.Fn blocklist_close "struct blocklist *cookie" +.Ft int +.Fn blocklist "int action" "int fd" "const char *msg" +.Ft int +.Fn blocklist_r "struct blocklist *cookie" "int action" "int fd" "const char *msg" +.Ft int +.Fn blocklist_sa "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg" +.Ft int +.Fn blocklist_sa_r "struct blocklist *cookie" "int action" "int fd" "const struct sockaddr *sa" "socklen_t salen" "const char *msg" +.Sh DESCRIPTION +These functions can be used by daemons to notify +.Xr blocklistd 8 +about successful and failed remote connections so that blocklistd can +block or release port access to prevent Denial of Service attacks. +.Pp +The function +.Fn blocklist_open +creates the necessary state to communicate with +.Xr blocklistd 8 +and returns a pointer to it, or +.Dv NULL +on failure. +.Pp +The function +.Fn blocklist_open2 +is similar to +.Fn blocklist_open +but allows a +.Fa logger +to be specified. +If the +.Fa logger +is +.Dv NULL , +then no logging is performed. +.Pp +The +.Fn blocklist_close +function frees all memory and resources used. +.Pp +The +.Fn blocklist +function sends a message to +.Xr blocklistd 8 , +with an integer +.Ar action +argument specifying the type of notification, +a file descriptor +.Ar fd +specifying the accepted file descriptor connected to the client, +and an optional message in the +.Ar msg +argument. 
+.Pp +The +.Ar action +parameter can take these values: +.Bl -tag -width ".Dv BLOCKLIST_ABUSIVE_BEHAVIOR" +.It Dv BLOCKLIST_AUTH_FAIL +There was an unsuccessful authentication attempt. +.It Dv BLOCKLIST_AUTH_OK +A user successfully authenticated. +.It Dv BLOCKLIST_ABUSIVE_BEHAVIOR +The sending daemon has detected abusive behavior +from the remote system. +The remote address should +be blocked as soon as possible. +.It Dv BLOCKLIST_BAD_USER +The sending daemon has determined the username +presented for authentication is invalid. +The +.Xr blocklistd 8 +daemon compares the username to a configured list of forbidden +usernames and +blocks the address immediately if a forbidden username matches. +(The +.Dv BLOCKLIST_BAD_USER +support is not currently available.) +.El +.Pp +The +.Fn blocklist_r +function is more efficient because it keeps the blocklist state around. +.Pp +The +.Fn blocklist_sa +and +.Fn blocklist_sa_r +functions can be used with unconnected sockets, where +.Xr getpeername 2 +will not work, the server will pass the peer name in the message. +.Pp +In all cases the file descriptor passed in the +.Fa fd +argument must be pointing to a valid socket so that +.Xr blocklistd 8 +can establish ownership of the local endpoint +using +.Xr getsockname 2 . +.Pp +By default, +.Xr syslogd 8 +is used for message logging. +The internal +.Fn bl_create +function can be used to create the required internal +state and specify a custom logging function. +.Sh RETURN VALUES +The function +.Fn blocklist_open +returns a cookie on success and +.Dv NULL +on failure setting +.Dv errno +to an appropriate value. +.Pp +The functions +.Fn blocklist , +.Fn blocklist_sa , +and +.Fn blocklist_sa_r +return +.Dv 0 +on success and +.Dv \-1 +on failure setting +.Dv errno +to an appropriate value. +.Sh SEE ALSO +.Xr blocklistd.conf 5 , +.Xr blocklistd 8 +.Sh AUTHORS +.An Christos Zoulas diff --git a/contrib/blocklist/lib/old_bl.c b/contrib/blocklist/lib/old_bl.c new file mode 100644 
--- /dev/null +++ b/contrib/blocklist/lib/old_bl.c 
@@ -0,0 +1,554 @@ +/* $NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $ */ + +/*- + * Copyright (c) 2014 The NetBSD Foundation, Inc. + * All rights reserved. + * + * This code is derived from software contributed to The NetBSD Foundation + * by Christos Zoulas. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. 
+ */ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#ifdef HAVE_SYS_CDEFS_H +#include +#endif +__RCSID("$NetBSD: bl.c,v 1.9 2025/03/30 01:53:59 christos Exp $"); + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef _REENTRANT +#include +#endif + +#if defined(SO_RECVUCRED) +#include +#endif + +#include "old_bl.h" + +typedef struct { + uint32_t bl_len; + uint32_t bl_version; + uint32_t bl_type; + uint32_t bl_salen; + struct sockaddr_storage bl_ss; + char bl_data[]; +} bl_message_t; + +struct blacklist { +#ifdef _REENTRANT + pthread_mutex_t b_mutex; +# define BL_INIT(b) pthread_mutex_init(&b->b_mutex, NULL) +# define BL_LOCK(b) pthread_mutex_lock(&b->b_mutex) +# define BL_UNLOCK(b) pthread_mutex_unlock(&b->b_mutex) +#else +# define BL_INIT(b) do {} while(/*CONSTCOND*/0) +# define BL_LOCK(b) BL_INIT(b) +# define BL_UNLOCK(b) BL_INIT(b) +#endif + int b_fd; + int b_connected; + struct sockaddr_un b_sun; + struct syslog_data b_syslog_data; + void (*b_fun)(int, struct syslog_data *, const char *, va_list); + bl_info_t b_info; +}; + +#define BL_VERSION 1 + +bool +bl_isconnected(bl_t b) +{ + return b->b_connected == 0; +} + +int +bl_getfd(bl_t b) +{ + return b->b_fd; +} + +static void +bl_reset(bl_t b, bool locked) +{ + int serrno = errno; + if (!locked) + BL_LOCK(b); + close(b->b_fd); + errno = serrno; + b->b_fd = -1; + b->b_connected = -1; + if (!locked) + BL_UNLOCK(b); +} + +static void +bl_log(bl_t b, int level, const char *fmt, ...) 
+{ + va_list ap; + int serrno = errno; + + if (b->b_fun == NULL) + return; + + va_start(ap, fmt); + (*b->b_fun)(level, &b->b_syslog_data, fmt, ap); + va_end(ap); + errno = serrno; +} + +static int +bl_init(bl_t b, bool srv) +{ + static int one = 1; + /* AF_UNIX address of local logger */ + mode_t om; + int rv, serrno; + struct sockaddr_un *sun = &b->b_sun; + +#ifndef SOCK_NONBLOCK +#define SOCK_NONBLOCK 0 +#endif +#ifndef SOCK_CLOEXEC +#define SOCK_CLOEXEC 0 +#endif +#ifndef SOCK_NOSIGPIPE +#define SOCK_NOSIGPIPE 0 +#endif + + BL_LOCK(b); + + if (b->b_fd == -1) { + b->b_fd = socket(PF_LOCAL, + SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK|SOCK_NOSIGPIPE, 0); + if (b->b_fd == -1) { + bl_log(b, LOG_ERR, "%s: socket failed (%s)", + __func__, strerror(errno)); + BL_UNLOCK(b); + return -1; + } +#if SOCK_CLOEXEC == 0 + fcntl(b->b_fd, F_SETFD, FD_CLOEXEC); +#endif +#if SOCK_NONBLOCK == 0 + fcntl(b->b_fd, F_SETFL, fcntl(b->b_fd, F_GETFL) | O_NONBLOCK); +#endif +#if SOCK_NOSIGPIPE == 0 +#ifdef SO_NOSIGPIPE + int o = 1; + setsockopt(b->b_fd, SOL_SOCKET, SO_NOSIGPIPE, &o, sizeof(o)); +#else + signal(SIGPIPE, SIG_IGN); +#endif +#endif + } + + if (bl_isconnected(b)) { + BL_UNLOCK(b); + return 0; + } + + /* + * We try to connect anyway even when we are a server to verify + * that no other server is listening to the socket. If we succeed + * to connect and we are a server, someone else owns it. + */ + rv = connect(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun)); + if (rv == 0) { + if (srv) { + bl_log(b, LOG_ERR, + "%s: another daemon is handling `%s'", + __func__, sun->sun_path); + goto out; + } + } else { + if (!srv) { + /* + * If the daemon is not running, we just try a + * connect, so leave the socket alone until it does + * and only log once. 
+ */ + if (b->b_connected != 1) { + bl_log(b, LOG_DEBUG, + "%s: connect failed for `%s' (%s)", + __func__, sun->sun_path, strerror(errno)); + b->b_connected = 1; + } + BL_UNLOCK(b); + return -1; + } + bl_log(b, LOG_DEBUG, "Connected to blacklist server", __func__); + } + + if (srv) { + (void)unlink(sun->sun_path); + om = umask(0); + rv = bind(b->b_fd, (const void *)sun, (socklen_t)sizeof(*sun)); + serrno = errno; + (void)umask(om); + errno = serrno; + if (rv == -1) { + bl_log(b, LOG_ERR, "%s: bind failed for `%s' (%s)", + __func__, sun->sun_path, strerror(errno)); + goto out; + } + } + + b->b_connected = 0; +#define GOT_FD 1 +#if defined(LOCAL_CREDS) +#define CRED_LEVEL 0 +#define CRED_NAME LOCAL_CREDS +#define CRED_SC_UID(x) (x)->sc_euid +#define CRED_SC_GID(x) (x)->sc_egid +#define CRED_MESSAGE SCM_CREDS +#define CRED_SIZE SOCKCREDSIZE(NGROUPS_MAX) +#define CRED_TYPE struct sockcred +#define GOT_CRED 2 +#elif defined(SO_PASSCRED) +#define CRED_LEVEL SOL_SOCKET +#define CRED_NAME SO_PASSCRED +#define CRED_SC_UID(x) (x)->uid +#define CRED_SC_GID(x) (x)->gid +#define CRED_MESSAGE SCM_CREDENTIALS +#define CRED_SIZE sizeof(struct ucred) +#define CRED_TYPE struct ucred +#define GOT_CRED 2 +#elif defined(SO_RECVUCRED) +#define CRED_LEVEL SOL_SOCKET +#define CRED_NAME SO_RECVUCRED +#define CRED_SC_UID(x) ucred_geteuid(x) +#define CRED_SC_GID(x) ucred_getegid(x) +#define CRED_MESSAGE SCM_UCRED +#define CRED_SIZE ucred_size() +#define CRED_TYPE ucred_t +#define GOT_CRED 2 +#else +#define GOT_CRED 0 +/* + * getpeereid() and LOCAL_PEERCRED don't help here + * because we are not a stream socket! 
+ */ +#define CRED_SIZE 0 +#define CRED_TYPE void * __unused +#endif + +#ifdef CRED_LEVEL + if (setsockopt(b->b_fd, CRED_LEVEL, CRED_NAME, + &one, (socklen_t)sizeof(one)) == -1) { + bl_log(b, LOG_ERR, "%s: setsockopt %s " + "failed (%s)", __func__, __STRING(CRED_NAME), + strerror(errno)); + goto out; + } +#endif + + BL_UNLOCK(b); + return 0; +out: + bl_reset(b, true); + BL_UNLOCK(b); + return -1; +} + +bl_t +bl_create(bool srv, const char *path, + void (*fun)(int, struct syslog_data *, const char *, va_list)) +{ + static struct syslog_data sd = SYSLOG_DATA_INIT; + bl_t b = calloc(1, sizeof(*b)); + if (b == NULL) + return NULL; + b->b_fun = fun; + b->b_syslog_data = sd; + b->b_fd = -1; + b->b_connected = -1; + BL_INIT(b); + + memset(&b->b_sun, 0, sizeof(b->b_sun)); + b->b_sun.sun_family = AF_LOCAL; +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + b->b_sun.sun_len = sizeof(b->b_sun); +#endif + strlcpy(b->b_sun.sun_path, + path ? path : _PATH_BLSOCK, sizeof(b->b_sun.sun_path)); + + bl_init(b, srv); + return b; +} + +void +bl_destroy(bl_t b) +{ + bl_reset(b, false); + free(b); +} + +static int +bl_getsock(bl_t b, struct sockaddr_storage *ss, const struct sockaddr *sa, + socklen_t slen, const char *ctx) +{ + uint8_t family; + + memset(ss, 0, sizeof(*ss)); + + switch (slen) { + case 0: + return 0; + case sizeof(struct sockaddr_in): + family = AF_INET; + break; + case sizeof(struct sockaddr_in6): + family = AF_INET6; + break; + default: + bl_log(b, LOG_ERR, "%s: invalid socket len %u (%s)", + __func__, (unsigned)slen, ctx); + errno = EINVAL; + return -1; + } + + memcpy(ss, sa, slen); + + if (ss->ss_family != family) { + bl_log(b, LOG_INFO, + "%s: correcting socket family %d to %d (%s)", + __func__, ss->ss_family, family, ctx); + ss->ss_family = family; + } + +#ifdef HAVE_STRUCT_SOCKADDR_SA_LEN + if (ss->ss_len != slen) { + bl_log(b, LOG_INFO, + "%s: correcting socket len %u to %u (%s)", + __func__, ss->ss_len, (unsigned)slen, ctx); + ss->ss_len = (uint8_t)slen; + } +#endif + return 
0; +} + +int +bl_send(bl_t b, bl_type_t e, int pfd, const struct sockaddr *sa, + socklen_t slen, const char *ctx) +{ + struct msghdr msg; + struct iovec iov; + union { + char ctrl[CMSG_SPACE(sizeof(int))]; + uint32_t fd; + } ua; + struct cmsghdr *cmsg; + union { + bl_message_t bl; + char buf[512]; + } ub; + size_t ctxlen, tried; +#define NTRIES 5 + + ctxlen = strlen(ctx); + if (ctxlen > 128) + ctxlen = 128; + + iov.iov_base = ub.buf; + iov.iov_len = sizeof(bl_message_t) + ctxlen; + ub.bl.bl_len = (uint32_t)iov.iov_len; + ub.bl.bl_version = BL_VERSION; + ub.bl.bl_type = (uint32_t)e; + + if (bl_getsock(b, &ub.bl.bl_ss, sa, slen, ctx) == -1) + return -1; + + + ub.bl.bl_salen = slen; + memcpy(ub.bl.bl_data, ctx, ctxlen); + + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_flags = 0; + + msg.msg_control = ua.ctrl; + msg.msg_controllen = sizeof(ua.ctrl); + + cmsg = CMSG_FIRSTHDR(&msg); + cmsg->cmsg_len = CMSG_LEN(sizeof(int)); + cmsg->cmsg_level = SOL_SOCKET; + cmsg->cmsg_type = SCM_RIGHTS; + + memcpy(CMSG_DATA(cmsg), &pfd, sizeof(pfd)); + + tried = 0; +again: + if (bl_init(b, false) == -1) + return -1; + + if ((sendmsg(b->b_fd, &msg, 0) == -1) && tried++ < NTRIES) { + bl_reset(b, false); + goto again; + } + return tried >= NTRIES ? 
-1 : 0; +} + +bl_info_t * +bl_recv(bl_t b) +{ + struct msghdr msg; + struct iovec iov; + union { + char ctrl[CMSG_SPACE(sizeof(int)) + CMSG_SPACE(CRED_SIZE)]; + uint32_t fd; + } ua; + struct cmsghdr *cmsg; +#if GOT_CRED != 0 + CRED_TYPE *sc; +#endif + union { + bl_message_t bl; + char buf[512]; + } ub; + int got; + ssize_t rlen; + size_t rem; + bl_info_t *bi = &b->b_info; + + got = 0; + memset(bi, 0, sizeof(*bi)); + + iov.iov_base = ub.buf; + iov.iov_len = sizeof(ub); + + msg.msg_name = NULL; + msg.msg_namelen = 0; + msg.msg_iov = &iov; + msg.msg_iovlen = 1; + msg.msg_flags = 0; + + msg.msg_control = ua.ctrl; + msg.msg_controllen = sizeof(ua.ctrl); + + rlen = recvmsg(b->b_fd, &msg, 0); + if (rlen == -1) { + bl_log(b, LOG_ERR, "%s: recvmsg failed (%s)", __func__, + strerror(errno)); + return NULL; + } + + for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { + if (cmsg->cmsg_level != SOL_SOCKET) { + bl_log(b, LOG_ERR, + "%s: unexpected cmsg_level %d", + __func__, cmsg->cmsg_level); + continue; + } + switch (cmsg->cmsg_type) { + case SCM_RIGHTS: + if (cmsg->cmsg_len != CMSG_LEN(sizeof(int))) { + int *fd = (void *)CMSG_DATA(cmsg); + size_t len = cmsg->cmsg_len / sizeof(int); + bl_log(b, LOG_ERR, + "%s: unexpected cmsg_len %d != %zu", + __func__, cmsg->cmsg_len, + CMSG_LEN(sizeof(int))); + + for (size_t i = 0; i < len; i++) + (void)close(fd[i]); + continue; + } + memcpy(&bi->bi_fd, CMSG_DATA(cmsg), sizeof(bi->bi_fd)); + got |= GOT_FD; + break; +#ifdef CRED_MESSAGE + case CRED_MESSAGE: + sc = (void *)CMSG_DATA(cmsg); + bi->bi_uid = CRED_SC_UID(sc); + bi->bi_gid = CRED_SC_GID(sc); + got |= GOT_CRED; + break; +#endif + default: + bl_log(b, LOG_ERR, + "%s: unexpected cmsg_type %d", + __func__, cmsg->cmsg_type); + continue; + } + + } + + if (got != (GOT_CRED|GOT_FD)) { + bl_log(b, LOG_ERR, "message missing %s %s", +#if GOT_CRED != 0 + (got & GOT_CRED) == 0 ? "cred" : +#endif + "", (got & GOT_FD) == 0 ? 
"fd" : ""); + return NULL; + } + + rem = (size_t)rlen; + if (rem < sizeof(ub.bl)) { + bl_log(b, LOG_ERR, "message too short %zd", rlen); + return NULL; + } + rem -= sizeof(ub.bl); + + if (ub.bl.bl_version != BL_VERSION) { + bl_log(b, LOG_ERR, "bad version %d", ub.bl.bl_version); + return NULL; + } + + bi->bi_type = ub.bl.bl_type; + bi->bi_slen = ub.bl.bl_salen; + bi->bi_ss = ub.bl.bl_ss; +#ifndef CRED_MESSAGE + bi->bi_uid = -1; + bi->bi_gid = -1; +#endif + if (rem == 0) + bi->bi_msg[0] = '\0'; + else { + rem = MIN(sizeof(bi->bi_msg) - 1, rem); + memcpy(bi->bi_msg, ub.bl.bl_data, rem); + bi->bi_msg[rem] = '\0'; + } + return bi; +} diff --git a/contrib/blocklist/lib/shlib_version b/contrib/blocklist/lib/shlib_version --- a/contrib/blocklist/lib/shlib_version +++ b/contrib/blocklist/lib/shlib_version @@ -1,2 +1,2 @@ major=0 -minor=0 +minor=1 diff --git a/contrib/blocklist/libexec/Makefile b/contrib/blocklist/libexec/Makefile --- a/contrib/blocklist/libexec/Makefile +++ b/contrib/blocklist/libexec/Makefile @@ -1,6 +1,6 @@ -# $NetBSD: Makefile,v 1.1 2015/01/22 17:49:41 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ -SCRIPTS= blacklistd-helper +SCRIPTS= blocklistd-helper SCRIPTSDIR= /libexec .include diff --git a/contrib/blocklist/libexec/blacklistd-helper b/contrib/blocklist/libexec/blacklistd-helper deleted file mode 100644 --- a/contrib/blocklist/libexec/blacklistd-helper +++ /dev/null 
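Review bot: bl_send calls `strlen(ctx)` unconditionally, while the manual pages in this patch describe `msg` as optional, so a caller that passes NULL would crash inside the client library. A guard at the top of the function, `if (ctx == NULL) ctx = "";`, covers both that call and the `%s` uses of `ctx` in bl_getsock. Separately, the retry loop reports failure when sendmsg succeeds on the attempt that follows NTRIES failures, because `tried >= NTRIES` is tested without recording that the last send succeeded.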
@@ -1,134 +0,0 @@ -#!/bin/sh -#echo "run $@" 1>&2 -#set -x -# $1 command -# $2 rulename -# $3 protocol -# $4 address -# $5 mask -# $6 port -# $7 id - -pf= -if [ -f "/etc/ipfw-blacklist.rc" ]; then - pf="ipfw" - . /etc/ipfw-blacklist.rc - ipfw_offset=${ipfw_offset:-2000} -fi - -if [ -z "$pf" ]; then - for f in npf pf ipf; do - if [ -f "/etc/$f.conf" ]; then - pf="$f" - break - fi - done -fi - -if [ -z "$pf" ]; then - echo "$0: Unsupported packet filter" 1>&2 - exit 1 -fi - -if [ -n "$3" ]; then - proto="proto $3" -fi - -if [ -n "$6" ]; then - port="port $6" -fi - -addr="$4" -mask="$5" -case "$4" in -::ffff:*.*.*.*) - if [ "$5" = 128 ]; then - mask=32 - addr=${4#::ffff:} - fi;; -esac - -case "$1" in -add) - case "$pf" in - ipf) - /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 - echo block in quick $proto from $addr/$mask to \ - any port=$6 head port$6 | \ - /sbin/ipf -I -f - -s >/dev/null 2>&1 && echo OK - ;; - ipfw) - # use $ipfw_offset+$port for rule number - rule=$(($ipfw_offset + $6)) - tname="port$6" - /sbin/ipfw table $tname create type addr 2>/dev/null - /sbin/ipfw -q table $tname add "$addr/$mask" - # if rule number $rule does not already exist, create it - /sbin/ipfw show $rule >/dev/null 2>&1 || \ - /sbin/ipfw add $rule drop $3 from \ - table"("$tname")" to any dst-port $6 >/dev/null && \ - echo OK - ;; - npf) - /sbin/npfctl rule "$2" add block in final $proto from \ - "$addr/$mask" to any $port - ;; - pf) - # if the filtering rule does not exist, create it - /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ - grep -q "" || \ - echo "block in quick $proto from to any $port" | \ - /sbin/pfctl -a "$2/$6" -f - - # insert $ip/$mask into per-protocol/port anchored table - /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ - /sbin/pfctl -qk "$addr" && echo OK - ;; - esac - ;; -rem) - case "$pf" in - ipf) - /sbin/ipfstat -io | /sbin/ipf -I -f - >/dev/null 2>&1 - echo block in quick $proto from $addr/$mask to \ - any port=$6 head port$6 | \ - /sbin/ipf 
-I -r -f - -s >/dev/null 2>&1 && echo OK - ;; - ipfw) - /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ - echo OK - ;; - npf) - /sbin/npfctl rule "$2" rem-id "$7" - ;; - pf) - /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ - echo OK - ;; - esac - ;; -flush) - case "$pf" in - ipf) - /sbin/ipf -Z -I -Fi -s > /dev/null && echo OK - ;; - ipfw) - /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK - ;; - npf) - /sbin/npfctl rule "$2" flush - ;; - pf) - # dynamically determine which anchors exist - for anchor in $(/sbin/pfctl -a "$2" -s Anchors); do - /sbin/pfctl -a $anchor -t "port${anchor##*/}" -T flush - /sbin/pfctl -a $anchor -F rules - done - echo OK - ;; - esac - ;; -*) - echo "$0: Unknown command '$1'" 1>&2 - exit 1 - ;; -esac diff --git a/contrib/blocklist/libexec/blocklistd-helper b/contrib/blocklist/libexec/blocklistd-helper new file mode 100755 --- /dev/null +++ b/contrib/blocklist/libexec/blocklistd-helper 
@@ -0,0 +1,272 @@ +#!/bin/sh +#echo "run $@" 1>&2 +#set -x +# $1 command +# $2 rulename +# $3 protocol +# $4 address +# $5 mask +# $6 port +# $7 id + +pf= +if [ -f "/etc/ipfw-blocklist.rc" ]; then + pf="ipfw" + . /etc/ipfw-blocklist.rc + ipfw_offset=${ipfw_offset:-2000} +fi + +if [ -z "$pf" ]; then + for f in npf pf ipfilter ipfw; do + if [ -x /etc/rc.d/$f ]; then + if /etc/rc.d/$f status >/dev/null 2>&1; then + pf="$f" + break + fi + elif [ -f "/etc/$f.conf" ]; then + # xxx assume a config file means it can be enabled -- + # and the first one wins! + pf="$f" + break + fi + done +fi + +if [ -z "$pf" -a -x "/sbin/iptables" ]; then + pf="iptables" +fi + +if [ -z "$pf" ]; then + echo "$0: Unsupported packet filter" 1>&2 + exit 1 +fi + +flags= +if [ -n "$3" ]; then + raw_proto="$3" + proto="proto $3" + if [ $3 = "tcp" ]; then + flags="flags S/SAFR" + fi +fi + +if [ -n "$6" ]; then + raw_port="$6" + port="port $6" +fi + +addr="$4" +mask="$5" +case "$4" in +::ffff:*.*.*.*) + if [ "$5" = 128 ]; then + mask=32 + addr=${4#::ffff:} + fi;; +esac + +case "$1" in +add) + case "$pf" in + ipfilter) + # N.B.: If you reload /etc/ipf.conf then you need to stop and + # restart blocklistd (and make sure blocklistd_flags="-r"). + # This should normally already be implemented in + # /etc/rc.d/ipfilter, but if then not add the following lines to + # the end of the ipfilter_reload() function: + # + # if checkyesnox blocklistd; then + # /etc/rc.d/blocklistd restart + # fi + # + # XXX we assume the following rule is present in /etc/ipf.conf: + # (should we check? -- it probably cannot be added dynamically) + # + # block in proto tcp/udp from any to any head blocklistd + # + # where "blocklistd" is the default rulename (i.e. 
"$2") + # + # This rule can come before any rule that logs connections, + # etc., and should be followed by final rules such as: + # + # # log all as-yet unblocked incoming TCP connection + # # attempts + # log in proto tcp from any to any flags S/SAFR + # # last "pass" match wins for all non-blocked packets + # pass in all + # pass out all + # + # I.e. a "pass" rule which will be the final match and override + # the "block". This way the rules added by blocklistd will + # actually block packets, and prevent logging of them as + # connections, because they include the "quick" flag. + # + # N.b.: $port is not included/used in rules -- abusers are cut + # off completely from all services! + # + # Note RST packets are not returned for blocked SYN packets of + # active attacks, so the port will not appear to be closed. + # This will probably give away the fact that a firewall has been + # triggered to block connections, but it prevents generating + # extra outbound traffic, and it may also slow down the attacker + # somewhat. + # + # Note also that we don't block all packets, just new attempts + # to open connections (see $flags above). This allows us to do + # counterespionage against the attacker (or continue to make use + # of any other services that might be on the same subnet as the + # supposed attacker). However it does not kill any active + # connections -- we rely on the reporting daemon to do its own + # protection and cleanup. + # + # N.B.: The rule generated here must exactly match the + # corresponding rule generated for the "rem" command below! 
+ # + echo block in log quick $proto \ + from $addr/$mask to any $flags group $2 | \ + /sbin/ipf -A -f - >/dev/null 2>&1 && echo OK + ;; + + ipfw) + # use $ipfw_offset+$port for rule number + rule=$(($ipfw_offset + $6)) + tname="port$6" + /sbin/ipfw table $tname create type addr 2>/dev/null + /sbin/ipfw -q table $tname add "$addr/$mask" + # if rule number $rule does not already exist, create it + /sbin/ipfw show $rule >/dev/null 2>&1 || \ + /sbin/ipfw add $rule drop $3 from \ + table"("$tname")" to any dst-port $6 >/dev/null && \ + echo OK + ;; + + iptables) + if ! /sbin/iptables --list "$2" >/dev/null 2>&1; then + /sbin/iptables --new-chain "$2" + fi + /sbin/iptables --append INPUT --proto "$raw_proto" \ + --dport "$raw_port" --jump "$2" + /sbin/iptables --append "$2" --proto "$raw_proto" \ + --source "$addr/$mask" --dport "$raw_port" --jump DROP + echo OK + ;; + + npf) + /sbin/npfctl rule "$2" add block in final $proto from \ + "$addr/$mask" to any $port + ;; + + pf) + # if the filtering rule does not exist, create it + /sbin/pfctl -a "$2/$6" -sr 2>/dev/null | \ + grep -q "" || \ + echo "block in quick $proto from to any $port" | \ + /sbin/pfctl -a "$2/$6" -f - + # insert $ip/$mask into per-protocol/port anchored table + /sbin/pfctl -qa "$2/$6" -t "port$6" -T add "$addr/$mask" && \ + /sbin/pfctl -qk "$addr" && echo OK + ;; + + esac + ;; +rem) + case "$pf" in + ipfilter) + # N.B.: The rule generated here must exactly match the + # corresponding rule generated for the "add" command above! 
+ # + echo block in log quick $proto \ + from $addr/$mask to any $flags group $2 | \ + /sbin/ipf -A -r -f - >/dev/null 2>&1 && echo OK + ;; + + ipfw) + /sbin/ipfw table "port$6" delete "$addr/$mask" 2>/dev/null && \ + echo OK + ;; + + iptables) + if /sbin/iptables --list "$2" >/dev/null 2>&1; then + /sbin/iptables --delete "$2" --proto "$raw_proto" \ + --source "$addr/$mask" --dport "$raw_port" \ + --jump DROP + fi + echo OK + ;; + + npf) + /sbin/npfctl rule "$2" rem-id "$7" + ;; + + pf) + /sbin/pfctl -qa "$2/$6" -t "port$6" -T delete "$addr/$mask" && \ + echo OK + ;; + + esac + ;; +flush) + case "$pf" in + ipfilter) + # + # N.B. WARNING: This is obviously not reentrant! + # + # First we flush all the rules from the inactive set, then we + # reload the ones that do not belong to the group "$2", and + # finally we swap the active and inactive rule sets. + # + /sbin/ipf -I -F a + # + # "ipf -I -F a" also flushes active accounting rules! + # + # Note that accounting rule groups are unique to accounting + # rules and have nothing to do with filter rules, though of + # course theoretically one could use the same group name for + # them too. + # + # In theory anyone using any such accounting rules should have a + # wrapper /etc/rc.conf.d/blocklistd script (and corresponding + # /etc/rc.conf.d/ipfilter script) that will record and + # consolidate the values accumulated by such accounting rules + # before they are flushed, since otherwise their counts will be + # lost forever. + # + /usr/sbin/ipfstat -io | fgrep -v "group $2" | \ + /sbin/ipf -I -f - >/dev/null 2>&1 + # + # This MUST be done last and separately as "-s" is executed + # _while_ the command arguments are being processed! 
+ # + /sbin/ipf -s && echo OK + ;; + + ipfw) + /sbin/ipfw table "port$6" flush 2>/dev/null && echo OK + ;; + + iptables) + if /sbin/iptables --list "$2" >/dev/null 2>&1; then + /sbin/iptables --flush "$2" + fi + echo OK + ;; + + npf) + /sbin/npfctl rule "$2" flush + ;; + + pf) + # dynamically determine which anchors exist + for anchor in $(/sbin/pfctl -a "$2" -s Anchors 2> /dev/null); do + /sbin/pfctl -a "$anchor" -t "port${anchor##*/}" -T flush 2> /dev/null + /sbin/pfctl -a "$anchor" -F rules + done + echo OK + ;; + esac + ;; +*) + echo "$0: Unknown command '$1'" 1>&2 + exit 1 + ;; +esac diff --git a/contrib/blocklist/port/Makefile.am b/contrib/blocklist/port/Makefile.am --- a/contrib/blocklist/port/Makefile.am +++ b/contrib/blocklist/port/Makefile.am 
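Review bot: The iptables `add` branch prints `OK` whether or not the DROP rule was installed, unlike the ipfw and pf branches, which chain `echo OK` to the command's exit status. It also appends a fresh INPUT jump to chain `$2` on every call, and `rem` never removes it, so the INPUT chain grows with each blocked address. Test for the jump with `--check` before appending and report success only when the DROP rule goes in. `raw_proto` and `raw_port` are unset when `$3` or `$6` is empty, so the branch should probably refuse in that case as well.

```sh
	iptables)
		# … unchanged: create chain "$2" if it does not exist …
		# Add the INPUT jump only once per proto/port.
		if ! /sbin/iptables --check INPUT --proto "$raw_proto" \
		    --dport "$raw_port" --jump "$2" >/dev/null 2>&1; then
			/sbin/iptables --append INPUT --proto "$raw_proto" \
			    --dport "$raw_port" --jump "$2"
		fi
		# Report success only if the DROP rule was installed.
		/sbin/iptables --append "$2" --proto "$raw_proto" \
		    --source "$addr/$mask" --dport "$raw_port" --jump DROP && \
		    echo OK
		;;
```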
@@ -1,25 +1,39 @@ # ACLOCAL_AMFLAGS = -I m4 -lib_LTLIBRARIES = libblacklist.la -include_HEADERS = ../include/blacklist.h +lib_LTLIBRARIES = libblocklist.la +include_HEADERS = $(srcdir)/../include/blocklist.h -bin_PROGRAMS = blacklistd blacklistctl srvtest cltest +exampledir = $(datarootdir)/examples +example_DATA = $(srcdir)/../etc/blocklistd.conf $(srcdir)/../etc/npf.conf $(srcdir)/../etc/ipf.conf -VPATH = ../bin:../lib:../test:../include +sbin_PROGRAMS = blocklistd blocklistctl +noinst_PROGRAMS = srvtest cltest +libexec_SCRIPTS = $(srcdir)/../libexec/blocklistd-helper -AM_CPPFLAGS = -I../include -DDOT="." +man5_MANS = $(srcdir)/../bin/blocklistd.conf.5 +man8_MANS = $(srcdir)/../bin/blocklistd.8 $(srcdir)/../bin/blocklistctl.8 + +VPATH = $(srcdir)/../port:$(srcdir)/../bin:$(srcdir)/../lib:$(srcdir)/../test:$(srcdir)/../include + +AM_CPPFLAGS = -I$(srcdir)/../include -DDOT="." +AM_CPPFLAGS += -D_PATH_BLCONF=\"$(sysconfdir)/blocklistd.conf\" +AM_CPPFLAGS += -D_PATH_BLCONTROL=\"$(libexecdir)/blocklistd-helper\" +AM_CPPFLAGS += -D_PATH_BLSOCK=\"$(runstatedir)/blocklistd.sock\" +AM_CPPFLAGS += -D_PATH_BLSTATE=\"$(localstatedir)/db/blocklistd.db\" +AM_CPPFLAGS += -std=c99 -D_POSIX_C_SOURCE=200809L -D__EXTENSIONS__ +AM_CPPFLAGS += -D__BSD_VISIBLE=1 AM_CFLAGS = @WARNINGS@ -libblacklist_la_SOURCES = bl.c blacklist.c -libblacklist_la_LDFLAGS = -no-undefined -version-info 0:0:0 -libblacklist_la_LIBADD = $(LTLIBOBJS) +libblocklist_la_SOURCES = bl.c blocklist.c +libblocklist_la_LDFLAGS = -no-undefined -version-info 0:0:0 +libblocklist_la_LIBADD = $(LTLIBOBJS) SRCS = internal.c support.c run.c conf.c state.c -blacklistd_SOURCES = blacklistd.c ${SRCS} -blacklistd_LDADD = libblacklist.la -blacklistctl_SOURCES = blacklistctl.c ${SRCS} -blacklistctl_LDADD = libblacklist.la +blocklistd_SOURCES = blocklistd.c ${SRCS} +blocklistd_LDADD = libblocklist.la +blocklistctl_SOURCES = blocklistctl.c ${SRCS} +blocklistctl_LDADD = libblocklist.la srvtest_SOURCES = srvtest.c ${SRCS} 
-srvtest_LDADD = libblacklist.la +srvtest_LDADD = libblocklist.la cltest_SOURCES = cltest.c ${SRCS} -cltest_LDADD = libblacklist.la +cltest_LDADD = libblocklist.la diff --git a/contrib/blocklist/port/_strtoi.h b/contrib/blocklist/port/_strtoi.h --- a/contrib/blocklist/port/_strtoi.h +++ b/contrib/blocklist/port/_strtoi.h @@ -1,4 +1,4 @@ -/* $NetBSD: _strtoi.h,v 1.1 2015/01/22 02:15:59 christos Exp $ */ +/* $NetBSD: _strtoi.h,v 1.1.1.1 2020/06/15 01:52:53 christos Exp $ */ /*- * Copyright (c) 1990, 1993 diff --git a/contrib/blocklist/port/configure.ac b/contrib/blocklist/port/configure.ac --- a/contrib/blocklist/port/configure.ac +++ b/contrib/blocklist/port/configure.ac @@ -1,5 +1,5 @@ dnl Process this file with autoconf to produce a configure script. -AC_INIT([blacklistd],[0.1],[christos@netbsd.com]) +AC_INIT([blocklistd],[0.1],[christos@netbsd.com]) AM_INIT_AUTOMAKE([subdir-objects foreign]) m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])]) @@ -7,9 +7,10 @@ AC_CONFIG_MACRO_DIR([m4]) AC_SUBST(WARNINGS) +AC_SUBST(LINK_NTOA) dnl Checks for programs. -AC_PROG_CC_STDC +AC_PROG_CC AC_USE_SYSTEM_EXTENSIONS AM_PROG_CC_C_O AC_C_BIGENDIAN @@ -18,18 +19,19 @@ LT_INIT([disable-static pic-only]) gl_VISIBILITY dnl Checks for headers -AC_HEADER_STDC AC_HEADER_MAJOR AC_HEADER_SYS_WAIT AC_CHECK_HEADERS(stdint.h fcntl.h stdint.h inttypes.h unistd.h) AC_CHECK_HEADERS(sys/un.h sys/socket.h limits.h) AC_CHECK_HEADERS(arpa/inet.h getopt.h err.h) AC_CHECK_HEADERS(sys/types.h util.h sys/time.h time.h) -AC_CHECK_HEADERS(netatalk/at.h net/if_dl.h db.h db_185.h) +AC_CHECK_HEADERS(netatalk/at.h db.h db_185.h) +AC_CHECK_HEADERS(sys/cdefs.h) AC_CHECK_LIB(rt, clock_gettime) AC_CHECK_LIB(db, __db185_open) AC_CHECK_LIB(util, pidfile) AC_CHECK_LIB(util, sockaddr_snprintf) +AC_SEARCH_LIBS(__xnet_connect, socket) AH_BOTTOM([ #ifndef __NetBSD__ 
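Review bot: In contrib/blocklist/port/Makefile.am, the new `-D_PATH_BLSOCK=\"$(runstatedir)/blocklistd.sock\"` relies on `runstatedir`, which configure only provides when it is generated by Autoconf 2.70 or later. With an older Autoconf the variable would expand to nothing and the daemon's socket path would be compiled in as `/blocklistd.sock`, outside the run-state directory. The configure.ac hunks in this commit show no version requirement, so either add `AC_PREREQ([2.70])` there or fall back to `$(localstatedir)/run` when `runstatedir` is empty.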
@@ -82,7 +84,7 @@ AC_CHECK_FUNCS(strerror) dnl Provide implementation of some required functions if necessary -AC_REPLACE_FUNCS(strtoi sockaddr_snprintf popenve clock_gettime strlcpy strlcat getprogname fparseln fgetln pidfile) +AC_REPLACE_FUNCS(strtoi sockaddr_snprintf popenve clock_gettime strlcpy strlcat getprogname fparseln fgetln pidfile vsyslog_r) dnl See if we are cross-compiling AM_CONDITIONAL(IS_CROSS_COMPILE, test "$cross_compiling" = yes) diff --git a/contrib/blocklist/port/fgetln.c b/contrib/blocklist/port/fgetln.c --- a/contrib/blocklist/port/fgetln.c +++ b/contrib/blocklist/port/fgetln.c @@ -1,4 +1,4 @@ -/* $NetBSD: fgetln.c,v 1.1 2015/01/22 03:48:07 christos Exp $ */ +/* $NetBSD: fgetln.c,v 1.1.1.1 2020/06/15 01:52:54 christos Exp $ */ /*- * Copyright (c) 1998 The NetBSD Foundation, Inc. diff --git a/contrib/blocklist/port/fparseln.c b/contrib/blocklist/port/fparseln.c --- a/contrib/blocklist/port/fparseln.c +++ b/contrib/blocklist/port/fparseln.c @@ -1,4 +1,4 @@ -/* $NetBSD: fparseln.c,v 1.1 2015/01/22 03:48:07 christos Exp $ */ +/* $NetBSD: fparseln.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /* * Copyright (c) 1997 Christos Zoulas. All rights reserved. @@ -27,9 +27,11 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include +#endif #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: fparseln.c,v 1.1 2015/01/22 03:48:07 christos Exp $"); +__RCSID("$NetBSD: fparseln.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #endif /* LIBC_SCCS and not lint */ #include diff --git a/contrib/blocklist/port/pidfile.c b/contrib/blocklist/port/pidfile.c --- a/contrib/blocklist/port/pidfile.c +++ b/contrib/blocklist/port/pidfile.c @@ -1,4 +1,4 @@ -/* $NetBSD: pidfile.c,v 1.2 2016/04/05 12:28:57 christos Exp $ */ +/* $NetBSD: pidfile.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 1999 The NetBSD Foundation, Inc. 
@@ -32,9 +32,11 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include +#endif #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: pidfile.c,v 1.2 2016/04/05 12:28:57 christos Exp $"); +__RCSID("$NetBSD: pidfile.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #endif #include diff --git a/contrib/blocklist/port/popenve.c b/contrib/blocklist/port/popenve.c --- a/contrib/blocklist/port/popenve.c +++ b/contrib/blocklist/port/popenve.c @@ -1,4 +1,4 @@ -/* $NetBSD: popenve.c,v 1.2 2015/01/22 03:10:50 christos Exp $ */ +/* $NetBSD: popenve.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /* * Copyright (c) 1988, 1993 @@ -36,12 +36,14 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include +#endif #if defined(LIBC_SCCS) && !defined(lint) #if 0 static char sccsid[] = "@(#)popen.c 8.3 (Berkeley) 5/3/95"; #else -__RCSID("$NetBSD: popenve.c,v 1.2 2015/01/22 03:10:50 christos Exp $"); +__RCSID("$NetBSD: popenve.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #endif #endif /* LIBC_SCCS and not lint */ diff --git a/contrib/blocklist/port/port.h b/contrib/blocklist/port/port.h --- a/contrib/blocklist/port/port.h +++ b/contrib/blocklist/port/port.h @@ -1,6 +1,7 @@ #ifndef _GNU_SOURCE #define _GNU_SOURCE #endif +#include #include #include #include @@ -15,6 +16,22 @@ #define __dead __attribute__((__noreturn__)) #endif +#ifndef __BEGIN_DECLS +#define __BEGIN_DECLS +#endif + +#ifndef __END_DECLS +#define __END_DECLS +#endif + +#ifndef MIN +#define MIN(a,b) ((a) < (b) ? (a) : (b)) +#endif + +#ifndef MAX +#define MAX(a,b) ((a) > (b) ? (a) : (b)) +#endif + #ifndef __RCSID #define __RCSID(a) #endif @@ -27,6 +44,10 @@ #define __arraycount(a) (sizeof(a) / sizeof(a[0])) #endif +#ifndef __STRING +#define __STRING(x) #x +#endif + #ifndef HAVE_STRLCPY size_t strlcpy(char *, const char *, size_t); #endif 
@@ -78,9 +99,10 @@ #define CLOCK_REALTIME 0 #endif -#if !defined(__FreeBSD__) -#define _PATH_BLCONF "conf" -#define _PATH_BLCONTROL "control" -#define _PATH_BLSOCK "blacklistd.sock" -#define _PATH_BLSTATE "blacklistd.db" +#ifndef HAVE_VSYSLOG_R +#define SYSLOG_DATA_INIT { 0 } +struct syslog_data { + int dummy; +}; +void vsyslog_r(int, struct syslog_data *, const char *, va_list); #endif diff --git a/contrib/blocklist/port/sockaddr_snprintf.c b/contrib/blocklist/port/sockaddr_snprintf.c --- a/contrib/blocklist/port/sockaddr_snprintf.c +++ b/contrib/blocklist/port/sockaddr_snprintf.c @@ -1,4 +1,4 @@ -/* $NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $ */ +/* $NetBSD: sockaddr_snprintf.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /*- * Copyright (c) 2004 The NetBSD Foundation, Inc. @@ -32,9 +32,11 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include +#endif #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.11 2016/06/01 22:57:51 christos Exp $"); +__RCSID("$NetBSD: sockaddr_snprintf.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #endif /* LIBC_SCCS and not lint */ #include diff --git a/contrib/blocklist/port/strlcat.c b/contrib/blocklist/port/strlcat.c --- a/contrib/blocklist/port/strlcat.c +++ b/contrib/blocklist/port/strlcat.c @@ -1,4 +1,4 @@ -/* $NetBSD: strlcat.c,v 1.2 2015/01/22 03:48:07 christos Exp $ */ +/* $NetBSD: strlcat.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /* $OpenBSD: strlcat.c,v 1.10 2003/04/12 21:56:39 millert Exp $ */ /* @@ -22,9 +22,12 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include +#endif + #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: strlcat.c,v 1.2 2015/01/22 03:48:07 christos Exp $"); +__RCSID("$NetBSD: strlcat.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #endif /* LIBC_SCCS and not lint */ #ifdef _LIBC diff --git a/contrib/blocklist/port/strlcpy.c b/contrib/blocklist/port/strlcpy.c --- a/contrib/blocklist/port/strlcpy.c 
+++ b/contrib/blocklist/port/strlcpy.c @@ -1,4 +1,4 @@ -/* $NetBSD: strlcpy.c,v 1.2 2015/01/22 03:48:07 christos Exp $ */ +/* $NetBSD: strlcpy.c,v 1.2 2025/02/11 17:48:30 christos Exp $ */ /* $OpenBSD: strlcpy.c,v 1.7 2003/04/12 21:56:39 millert Exp $ */ /* @@ -22,9 +22,12 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include +#endif + #if defined(LIBC_SCCS) && !defined(lint) -__RCSID("$NetBSD: strlcpy.c,v 1.2 2015/01/22 03:48:07 christos Exp $"); +__RCSID("$NetBSD: strlcpy.c,v 1.2 2025/02/11 17:48:30 christos Exp $"); #endif /* LIBC_SCCS and not lint */ #ifdef _LIBC diff --git a/contrib/blocklist/port/strtoi.c b/contrib/blocklist/port/strtoi.c --- a/contrib/blocklist/port/strtoi.c +++ b/contrib/blocklist/port/strtoi.c @@ -1,4 +1,4 @@ -/* $NetBSD: strtoi.c,v 1.3 2015/01/22 03:10:50 christos Exp $ */ +/* $NetBSD: strtoi.c,v 1.2 2025/02/11 17:48:31 christos Exp $ */ /*- * Copyright (c) 2005 The DragonFly Project. All rights reserved. @@ -33,8 +33,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: strtoi.c,v 1.3 2015/01/22 03:10:50 christos Exp $"); +#endif +__RCSID("$NetBSD: strtoi.c,v 1.2 2025/02/11 17:48:31 christos Exp $"); #if defined(_KERNEL) #include diff --git a/contrib/blocklist/port/vsyslog_r.c b/contrib/blocklist/port/vsyslog_r.c new file mode 100644 --- /dev/null +++ b/contrib/blocklist/port/vsyslog_r.c @@ -0,0 +1,13 @@ +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif + +#include +#include + +void +vsyslog_r(int priority, struct syslog_data *sd __unused, const char *fmt, va_list ap) +{ + vsyslog(priority, fmt, ap); +} + diff --git a/contrib/blocklist/test/Makefile b/contrib/blocklist/test/Makefile --- a/contrib/blocklist/test/Makefile +++ b/contrib/blocklist/test/Makefile @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.3 2015/05/30 22:40:38 christos Exp $ +# $NetBSD: Makefile,v 1.1.1.1 2020/06/15 01:52:54 christos Exp $ MKMAN=no diff --git a/contrib/blocklist/test/cltest.c b/contrib/blocklist/test/cltest.c 
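Review bot: The new contrib/blocklist/port/vsyslog_r.c fallback forwards straight to `vsyslog()` and ignores `sd`, so on platforms without a native `vsyslog_r` callers do not get the reentrancy the `_r` name implies, and nothing in the file says so. A header comment such as `/* Fallback for systems without vsyslog_r(): not reentrant, sd is ignored. */` would make that limit visible to anyone who calls it from a signal handler. The parameter is also marked `__unused`, which the port.h hunks of this commit do not define. Unless another header supplies it, dropping the attribute and writing `(void)sd;` in the body keeps the file portable.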
--- a/contrib/blocklist/test/cltest.c +++ b/contrib/blocklist/test/cltest.c @@ -1,4 +1,4 @@ -/* $NetBSD: cltest.c,v 1.6 2015/01/22 05:44:28 christos Exp $ */ +/* $NetBSD: cltest.c,v 1.2 2025/02/11 17:48:31 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: cltest.c,v 1.6 2015/01/22 05:44:28 christos Exp $"); +#endif +__RCSID("$NetBSD: cltest.c,v 1.2 2025/02/11 17:48:31 christos Exp $"); #include #include diff --git a/contrib/blocklist/test/srvtest.c b/contrib/blocklist/test/srvtest.c --- a/contrib/blocklist/test/srvtest.c +++ b/contrib/blocklist/test/srvtest.c @@ -1,4 +1,4 @@ -/* $NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $ */ +/* $NetBSD: srvtest.c,v 1.2 2025/02/11 17:43:16 christos Exp $ */ /*- * Copyright (c) 2015 The NetBSD Foundation, Inc. @@ -32,8 +32,10 @@ #include "config.h" #endif +#ifdef HAVE_SYS_CDEFS_H #include -__RCSID("$NetBSD: srvtest.c,v 1.10 2015/05/30 22:40:38 christos Exp $"); +#endif +__RCSID("$NetBSD: srvtest.c,v 1.2 2025/02/11 17:43:16 christos Exp $"); #include #include @@ -48,7 +50,7 @@ #include #include -#include "blacklist.h" +#include "blocklist.h" #ifdef BLDEBUG #include "bl.h" static void *b; @@ -71,9 +73,9 @@ buffer[sizeof(buffer) - 1] = '\0'; printf("%s: sending %d %s\n", getprogname(), afd, buffer); #ifdef BLDEBUG - blacklist_r(b, 1, afd, buffer); + blocklist_r(b, 1, afd, buffer); #else - blacklist(1, afd, buffer); + blocklist(1, afd, buffer); #endif exit(0); } @@ -95,7 +97,7 @@ err(1, "recvfrom"); buffer[sizeof(buffer) - 1] = '\0'; printf("%s: sending %d %s\n", getprogname(), afd, buffer); - blacklist_sa(1, afd, (void *)&ss, slen, buffer); + blocklist_sa(1, afd, (void *)&ss, slen, buffer); exit(0); } static int 
@@ -167,7 +169,11 @@ usage(int c) { warnx("Unknown option `%c'", (char)c); - fprintf(stderr, "Usage: %s [-u] [-p ]\n", getprogname()); + fprintf(stderr, "Usage: %s [-u] [-p ]" +#ifdef BLDEBUG + " [-s ]" +#endif + "\n", getprogname()); exit(EXIT_FAILURE); } @@ -182,14 +188,16 @@ struct pollfd pfd[NUMFD]; int type = SOCK_STREAM, c; in_port_t port = 6161; - - signal(SIGCHLD, SIG_IGN); - #ifdef BLDEBUG - b = bl_create(false, "blsock", vsyslog); + char *sockpath = "blsock"; + const char *optstr = "up:s:"; +#else + const char *optstr = "up:"; #endif - while ((c = getopt(argc, argv, "up:")) != -1) + signal(SIGCHLD, SIG_IGN); + + while ((c = getopt(argc, argv, optstr)) != -1) switch (c) { case 'u': type = SOCK_DGRAM; @@ -197,10 +205,20 @@ case 'p': port = (in_port_t)atoi(optarg); break; +#ifdef BLDEBUG + case 's': + sockpath = (char *)optarg; + break; +#endif default: usage(c); } +#ifdef BLDEBUG + b = bl_create(false, sockpath, vsyslog_r); +#endif + + pfd[0].fd = cr(AF_INET, type, port); pfd[0].events = POLLIN; #if NUMFD > 1 diff --git a/contrib/bsddialog/.gitignore b/contrib/bsddialog/.gitignore --- a/contrib/bsddialog/.gitignore +++ b/contrib/bsddialog/.gitignore @@ -21,6 +21,7 @@ examples_library/pause examples_library/radiolist examples_library/rangebox +examples_library/textbox examples_library/theme examples_library/timebox examples_library/yesno diff --git a/contrib/bsddialog/CHANGELOG b/contrib/bsddialog/CHANGELOG --- a/contrib/bsddialog/CHANGELOG +++ b/contrib/bsddialog/CHANGELOG 
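Review bot: In main() of contrib/blocklist/test/srvtest.c, `char *sockpath = "blsock";` points a writable pointer at a string literal, and the new `-s` case adds a redundant cast in `sockpath = (char *)optarg;`. Declaring it `const char *sockpath = "blsock";` and assigning `sockpath = optarg;` is cleaner, assuming `bl_create()` takes a `const char *` path (its prototype is not part of this diff). The relocated `b = bl_create(false, sockpath, vsyslog_r);` is also not followed by a NULL check in the visible lines. main() continues outside the hunk, so the check may exist further down.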
@@ -1,11 +1,57 @@ -2024-07-01 1.0.4 +2025-06-22 Version 1.0.5 + + Manual: + * fix: "User-friendly documentation for alternate screen" + https://bugs.freebsd.org/285459. + Improve bsddialog.1: --alternate-screen and --normal-screen. + + NetBSD (tested on amd64) refactoring, no function changes: + * https://gitlab.com/alfix/bsddialog/-/merge_requests/4 + lib: include in lib_util.c. + * https://gitlab.com/alfix/bsddialog/-/merge_requests/5 + a call to curses' refresh() is performed, while a local + variable is also called refresh. + * Makefiles: add install and uninstall targets (both GND and BSD) + https://gitlab.com/alfix/bsddialog/-/merge_requests/3 + + MacOS (tested on amd64) refactoring, no function changes: + * https://gitlab.com/alfix/bsddialog/-/merge_requests/6 + utility: replace u_int with unsigned int. + + Library: + * fix: useless refreshes, https://gitlab.com/alfix/bsddialog/-/issues/8: + "It takes lot of time when running over a 115200 UART". + Not fixed for bsddialog_gauge() because it has to be rewritten. + * change: bsddialog_backtitle() does not update the screen so the + backtitle is not printed. To use if a dialog is built later. + Rationale: see "115200 UART" problem above. + * add: bsddialog_backtitle_rf() to print a top title refreshing the + screen like bsddialog_backtitle() was previously. + * change: forms, ENTER is also a navigation keys in forms fields. + Request: https://bugs.freebsd.org/287592 + If conf.button.always_active is true the form is closes immediatly. + + Library and implicitly utility: + * fix: textbox buttons returned values (was always OK). + Thanks to https://reviews.freebsd.org/D48668. + * change: TAB is a navigation keys in forms. Previously it directly + switched form-fields <-> buttons. + Request: https://bugs.freebsd.org/287592 + + Utility: + * change: forms, ENTER is a also navigation keys in forms fields. 
+ Previously it directly closed the form except with --switch-buttons + Request: https://bugs.freebsd.org/287592 + + +2024-07-01 Version 1.0.4 Utility internal refactoring (no functional change): * change: rename an internal constant to avoid a future conflict because FreeBSD is changing headers files for _FORTIFY_SOURCE. Reported and fixed by Kyle Evans. -2024-05-27 1.0.3 +2024-05-27 Version 1.0.3 Utility: change: --form and --mixedform do not print field value to output fd if diff --git a/contrib/bsddialog/LICENSE b/contrib/bsddialog/LICENSE --- a/contrib/bsddialog/LICENSE +++ b/contrib/bsddialog/LICENSE @@ -1,6 +1,6 @@ BSD 2-Clause License -Copyright (c) 2021-2024, Alfonso Sabato Siciliano +Copyright (c) 2021-2025, Alfonso Sabato Siciliano Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: diff --git a/contrib/bsddialog/Makefile b/contrib/bsddialog/Makefile --- a/contrib/bsddialog/Makefile +++ b/contrib/bsddialog/Makefile @@ -4,7 +4,7 @@ # Written in 2023 by Alfonso Sabato Siciliano OUTPUT = bsddialog -export VERSION=1.0.4 +export VERSION=1.0.5 .CURDIR ?= ${CURDIR} LIBPATH = ${.CURDIR}/lib LIBBSDDIALOG = ${LIBPATH}/libbsddialog.so @@ -22,7 +22,15 @@ export ENABLEDEBUG=${DEBUG} ################### -all : ${OUTPUT} +all: ${OUTPUT} + +install: all + ${MAKE} -C ${LIBPATH} install + ${MAKE} -C ${UTILITYPATH} install + +uninstall: + ${MAKE} -C ${UTILITYPATH} uninstall + ${MAKE} -C ${LIBPATH} uninstall ${OUTPUT}: ${LIBBSDDIALOG} ${MAKE} -C ${UTILITYPATH} LIBPATH=${LIBPATH} @@ -36,3 +44,4 @@ ${MAKE} -C ${UTILITYPATH} clean ${RM} ${OUTPUT} *.core +.PHONY: all install uninstall clean diff --git a/contrib/bsddialog/README.md b/contrib/bsddialog/README.md --- a/contrib/bsddialog/README.md +++ b/contrib/bsddialog/README.md 
@@ -1,4 +1,4 @@ -# BSDDialog 1.0.4 +# BSDDialog 1.0.5 This project provides **bsddialog** and **libbsddialog**, an utility and a library to build scripts and tools with TUI dialogs and widgets. @@ -129,7 +129,6 @@ - implement global buttons handler. - doc: external tutorial, theming guide. - implement menutype.min\_on. - - improve refresh at startup, avoid dialog refresh before drawing text. - add debug API: bsddialog\_debug(y,x,refresh,"fmt",...). - add mouse support. - use alarm(2) for bsddialog\_pause. @@ -139,4 +138,4 @@ - fix --mixedform "" 0 0 0 Label 1 0 Init 1 12 0 0 2 (with 0 editable field). - add *text* customization to --hmsg *help-message* - check --passwordform *fieldlen* like --form and --mixedform. - + - add manuals to Makefiles installe and uninstall targets. diff --git a/contrib/bsddialog/examples_library/compile b/contrib/bsddialog/examples_library/compile --- a/contrib/bsddialog/examples_library/compile +++ b/contrib/bsddialog/examples_library/compile @@ -8,14 +8,16 @@ # worldwide. This software is distributed without any warranty, see: # . +set -x + libpath=../lib examples="menu checklist radiolist mixedlist theme infobox yesno msgbox \ - datebox form timebox rangebox pause calendar gauge mixedgauge" +datebox form timebox rangebox pause calendar gauge mixedgauge textbox" rm -f $examples for e in $examples do - cc -g -Wall -Wextra -I$libpath ${e}.c -o $e -L$libpath -lbsddialog \ - -Wl,-rpath=$libpath + cc -g -Wall -Wextra -I$libpath ${e}.c -o $e \ + -Wl,-rpath=$libpath -L$libpath -lbsddialog done diff --git a/contrib/bsddialog/examples_library/textbox.c b/contrib/bsddialog/examples_library/textbox.c new file mode 100644 --- /dev/null +++ b/contrib/bsddialog/examples_library/textbox.c 
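Review bot: In contrib/bsddialog/examples_library/compile, the rewritten link line still passes `-Wl,-rpath=$libpath` with `libpath=../lib`, which embeds a relative run path in every example binary. The dynamic linker resolves a relative run path against the current working directory of the process, not against the binary, so an example started from another directory searches that directory's `../lib` for libbsddialog.so. Making the path absolute before the loop, for instance `libpath=$(cd ../lib && pwd)`, keeps the binaries bound to the library that was just built.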
@@ -0,0 +1,38 @@ +/*- + * SPDX-License-Identifier: CC0-1.0 + * + * Written in 2025 by Alfonso Sabato Siciliano. + * To the extent possible under law, the author has dedicated all copyright + * and related and neighboring rights to this software to the public domain + * worldwide. This software is distributed without any warranty, see: + * . + */ + +#include +#include + +int main() +{ + int output; + struct bsddialog_conf conf; + + if (bsddialog_init() == BSDDIALOG_ERROR) { + printf("Error: %s\n", bsddialog_geterror()); + return (1); + } + bsddialog_initconf(&conf); + conf.title = "textbox"; + output = bsddialog_textbox(&conf, "./textbox.c", 20, 80); + bsddialog_end(); + + switch (output) { + case BSDDIALOG_ERROR: + printf("Error %s\n", bsddialog_geterror()); + return (1); + case BSDDIALOG_OK: + printf("[Exit]\n"); + break; + } + + return (0); +} diff --git a/contrib/bsddialog/lib/GNUmakefile b/contrib/bsddialog/lib/GNUmakefile --- a/contrib/bsddialog/lib/GNUmakefile +++ b/contrib/bsddialog/lib/GNUmakefile @@ -9,6 +9,7 @@ SOURCES = barbox.c datebox.c formbox.c libbsddialog.c lib_util.c \ menubox.c messagebox.c textbox.c theme.c timebox.c OBJECTS = $(SOURCES:.c=.o) +PREFIX = /usr/local ifneq ($(ENABLEDEBUG),) CFLAGS += -g 
@@ -21,7 +22,21 @@ RM = rm -f LN = ln -s -f -all : $(LIBRARY) +all: $(LIBRARY) + +install: all + ${INSTALL} -m 0644 bsddialog.h ${DESTDIR}${PREFIX}/include/bsddialog.h + ${INSTALL} -m 0644 bsddialog_progressview.h ${DESTDIR}${PREFIX}/include/bsddialog_progressview.h + ${INSTALL} -m 0644 bsddialog_theme.h ${DESTDIR}${PREFIX}/include/bsddialog_theme.h + ${INSTALL} -m 0755 ${LIBRARY_SO}.${VERSION} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO}.${VERSION} + ${LN} ${LIBRARY_SO}.${VERSION} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO} + +uninstall: + ${RM} ${DESTDIR}${PREFIX}/include/bsddialog.h + ${RM} ${DESTDIR}${PREFIX}/include/bsddialog_progressview.h + ${RM} ${DESTDIR}${PREFIX}/include/bsddialog_theme.h + ${RM} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO}.${VERSION} + ${RM} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO} $(LIBRARY): $(OBJECTS) $(CC) $(LIBFLAG) $^ -o $(LIBRARY_SO).$(VERSION) $(LDFLAGS) @@ -32,3 +47,5 @@ clean: $(RM) $(LIBRARY_SO)* *.o *~ + +.PHONY: all install uninstall ${LIBRARY} clean diff --git a/contrib/bsddialog/lib/Makefile b/contrib/bsddialog/lib/Makefile --- a/contrib/bsddialog/lib/Makefile +++ b/contrib/bsddialog/lib/Makefile @@ -10,6 +10,7 @@ SOURCES = barbox.c datebox.c formbox.c libbsddialog.c lib_util.c \ menubox.c messagebox.c textbox.c theme.c timebox.c OBJECTS = ${SOURCES:.c=.o} +PREFIX = /usr/local .if defined(DEBUG) CFLAGS += -g 
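Review bot: The new `install` target in contrib/bsddialog/lib/GNUmakefile copies files into `${DESTDIR}${PREFIX}/include` and `${DESTDIR}${PREFIX}/lib` without creating them, so a staged install into an empty `DESTDIR` fails on the first `${INSTALL}` line. Adding `${INSTALL} -d ${DESTDIR}${PREFIX}/include ${DESTDIR}${PREFIX}/lib` as the first recipe line fixes that, and the `install` target added to contrib/bsddialog/lib/Makefile has the same gap. `INSTALL` itself is not assigned in the visible lines next to `RM` and `LN`, and GNU make does not predefine it, so unless it is set above the hunk an `INSTALL = install` line is needed as well.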
@@ -23,7 +24,23 @@ LN = ln -s -f RM = rm -f -all : ${LIBRARY} +all: ${LIBRARY} + +install: all + ${INSTALL} -m 0644 bsddialog.h ${DESTDIR}${PREFIX}/include/bsddialog.h + ${INSTALL} -m 0644 bsddialog_progressview.h ${DESTDIR}${PREFIX}/include/bsddialog_progressview.h + ${INSTALL} -m 0644 bsddialog_theme.h ${DESTDIR}${PREFIX}/include/bsddialog_theme.h + ${INSTALL} -m 0644 ${LIBRARY_A} ${DESTDIR}${PREFIX}/lib/${LIBRARY_A} + ${INSTALL} -m 0755 ${LIBRARY_SO}.${VERSION} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO}.${VERSION} + ${LN} ${LIBRARY_SO}.${VERSION} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO} + +uninstall: + ${RM} ${DESTDIR}${PREFIX}/include/bsddialog.h + ${RM} ${DESTDIR}${PREFIX}/include/bsddialog_progressview.h + ${RM} ${DESTDIR}${PREFIX}/include/bsddialog_theme.h + ${RM} ${DESTDIR}${PREFIX}/lib/${LIBRARY_A} + ${RM} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO}.${VERSION} + ${RM} ${DESTDIR}${PREFIX}/lib/${LIBRARY_SO} ${LIBRARY}: ${LIBRARY_SO} ${LIBRARY_A} @@ -42,3 +59,5 @@ clean: ${RM} ${LIBRARY_SO}* *.o *~ *.gz ${LIBRARY_A} + +.PHONY: all install uninstall ${LIBRARY} clean diff --git a/contrib/bsddialog/lib/barbox.c b/contrib/bsddialog/lib/barbox.c --- a/contrib/bsddialog/lib/barbox.c +++ b/contrib/bsddialog/lib/barbox.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -371,7 +371,7 @@ unsigned int i, mainperc, totaltodo; float readforsec; const char **minilabels; - time_t tstart, told, tnew, refresh; + time_t tstart, told, tnew, trefresh; if ((minilabels = calloc(nminibar, sizeof(char*))) == NULL) RETURN_ERROR("Cannot allocate memory for minilabels"); 
@@ -385,7 +385,7 @@ minipercs[i] = minibar[i].status; } - refresh = pvconf->refresh == 0 ? 0 : pvconf->refresh - 1; + trefresh = pvconf->refresh == 0 ? 0 : pvconf->refresh - 1; retval = BSDDIALOG_OK; i = 0; update = true; @@ -398,7 +398,7 @@ mainperc = (bsddialog_total_progview * 100) / totaltodo; time(&tnew); - if (update || tnew > told + refresh) { + if (update || tnew > told + trefresh) { retval = do_mixedgauge(conf, text, rows, cols, mainperc, nminibar, minilabels, minipercs, true); if (retval == BSDDIALOG_ERROR) @@ -440,17 +440,18 @@ return (retval); } -static int rangebox_redraw(struct dialog *d, struct bar *b, int *bigchange) +static int +rangebox_redraw(struct dialog *d, bool redraw, struct bar *b, int *bigchange) { - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } if (dialog_size_position(d, HBOX, MIN_WBOX, NULL) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate() in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, HBOX + HBUTTONS); @@ -490,7 +491,7 @@ RETURN_ERROR("Cannot build WINDOW bar"); b.y = b.x = 1; b.fmt = "%d"; - if (rangebox_redraw(&d, &b, &bigchange) != 0) + if (rangebox_redraw(&d, false, &b, &bigchange) != 0) return (BSDDIALOG_ERROR); loop = true; @@ -568,12 +569,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (rangebox_redraw(&d, &b, &bigchange) != 0) + if (rangebox_redraw(&d, true, &b, &bigchange) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (rangebox_redraw(&d, &b, &bigchange) != 0) + if (rangebox_redraw(&d, true, &b, &bigchange) != 0) return (BSDDIALOG_ERROR); break; default: 
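Review bot: `rangebox_redraw()` in contrib/bsddialog/lib/barbox.c keeps its `_redraw` name although it now also performs the first draw (`rangebox_redraw(&d, false, &b, &bigchange)`), and `pause_redraw()` in the following hunks does the same. This commit renames the equivalent helpers in datebox.c and formbox.c to `calendar_draw`, `datebox_draw` and `form_draw`, so renaming these two to `rangebox_draw` and `pause_draw` would keep the files consistent. The new parameter is also undocumented. A line such as `/* redraw: false for the first draw, true after F1 help, Ctrl-L or a resize */` above each helper would record what the call sites pass.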
@@ -594,17 +595,17 @@ return (retval); } -static int pause_redraw(struct dialog *d, struct bar *b) +static int pause_redraw(struct dialog *d, bool redraw, struct bar *b) { - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } if (dialog_size_position(d, HBOX, MIN_WBOX, NULL) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate() in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, HBOX + HBUTTONS); @@ -633,7 +634,7 @@ RETURN_ERROR("Cannot build WINDOW bar"); b.y = b.x = 1; b.fmt = "%d"; - if (pause_redraw(&d, &b) != 0) + if (pause_redraw(&d, false, &b) != 0) return (BSDDIALOG_ERROR); tout = *seconds; @@ -687,12 +688,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (pause_redraw(&d, &b) != 0) + if (pause_redraw(&d, true, &b) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (pause_redraw(&d, &b) != 0) + if (pause_redraw(&d, true, &b) != 0) return (BSDDIALOG_ERROR); break; default: diff --git a/contrib/bsddialog/lib/bsddialog.h b/contrib/bsddialog/lib/bsddialog.h --- a/contrib/bsddialog/lib/bsddialog.h +++ b/contrib/bsddialog/lib/bsddialog.h @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -30,7 +30,7 @@ #include -#define LIBBSDDIALOG_VERSION "1.0.4" +#define LIBBSDDIALOG_VERSION "1.0.5" /* Return values */ #define BSDDIALOG_ERROR -1 
@@ -179,6 +179,7 @@ bool bsddialog_inmode(void); int bsddialog_end(void); int bsddialog_backtitle(struct bsddialog_conf *conf, const char *backtitle); +int bsddialog_backtitle_rf(struct bsddialog_conf *conf, const char *backtitle); int bsddialog_initconf(struct bsddialog_conf *conf); void bsddialog_clear(unsigned int y); void bsddialog_refresh(void); diff --git a/contrib/bsddialog/lib/bsddialog.3 b/contrib/bsddialog/lib/bsddialog.3 --- a/contrib/bsddialog/lib/bsddialog.3 +++ b/contrib/bsddialog/lib/bsddialog.3 @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 2021-2024 Alfonso Sabato Siciliano +.\" Copyright (c) 2021-2025 Alfonso Sabato Siciliano .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -22,11 +22,12 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd March 16, 2024 +.Dd June 22, 2025 .Dt BSDDIALOG 3 .Os .Sh NAME .Nm bsddialog_backtitle , +.Nm bsddialog_backtitle_rf , .Nm bsddialog_calendar , .Nm bsddialog_clear , .Nm bsddialog_color , @@ -65,6 +66,8 @@ .Ft int .Fn bsddialog_backtitle "struct bsddialog_conf *conf" "const char *backtitle" .Ft int +.Fn bsddialog_backtitle_rf "struct bsddialog_conf *conf" "const char *backtitle" +.Ft int .Fo bsddialog_calendar .Fa "struct bsddialog_conf *conf" .Fa "const char *text" @@ -292,7 +295,7 @@ .Dv false otherwise. .Pp -.Fn bsddialog_backtitle +.Fn bsddialog_backtitle_rf prints .Fa backtitle on the top of the screen. @@ -302,6 +305,11 @@ .Fa conf.no_lines described later. .Pp +.Fn bsddialog_backtitle +is like +.Fn bsddialog_backtitle_rf +but it does not update the screen, using if a dialog is built later. +.Pp .Fn bsddialog_error returns a string to describe the last error. The function should be called after a @@ -902,7 +910,7 @@ the labels on buttons are .Dq Yes and -.Dq No . +.Dq &No . .Ss Keys .Bl -tag -width Ds .It Ctrl-l 
diff --git a/contrib/bsddialog/lib/bsddialog_theme.h b/contrib/bsddialog/lib/bsddialog_theme.h --- a/contrib/bsddialog/lib/bsddialog_theme.h +++ b/contrib/bsddialog/lib/bsddialog_theme.h @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2023 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/contrib/bsddialog/lib/datebox.c b/contrib/bsddialog/lib/datebox.c --- a/contrib/bsddialog/lib/datebox.c +++ b/contrib/bsddialog/lib/datebox.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2022-2024 Alfonso Sabato Siciliano + * Copyright (c) 2022-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -296,20 +296,20 @@ } static int -calendar_redraw(struct dialog *d, WINDOW *yy_win, WINDOW *mm_win, +calendar_draw(struct dialog *d, bool redraw, WINDOW *yy_win, WINDOW *mm_win, WINDOW *dd_win) { int ycal, xcal; - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } if (dialog_size_position(d, MINHCAL, MINWCAL, NULL) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, MINHCAL + HBUTTONS); @@ -354,7 +354,7 @@ if ((dd_win = newwin(1, 1, 1, 1)) == NULL) RETURN_ERROR("Cannot build WINDOW for dd"); wbkgd(dd_win, t.dialog.color); - if (calendar_redraw(&d, yy_win, mm_win, dd_win) != 0) + if (calendar_draw(&d, false, yy_win, mm_win, dd_win) != 0) return (BSDDIALOG_ERROR); sel = -1; 
@@ -503,12 +503,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (calendar_redraw(&d, yy_win, mm_win, dd_win) != 0) + if (calendar_draw(&d, true, yy_win, mm_win, dd_win) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (calendar_redraw(&d, yy_win, mm_win, dd_win) != 0) + if (calendar_draw(&d, true, yy_win, mm_win, dd_win) != 0) return (BSDDIALOG_ERROR); break; default: @@ -533,11 +533,11 @@ return (retval); } -static int datebox_redraw(struct dialog *d, struct dateitem *di) +static int datebox_draw(struct dialog *d, bool redraw, struct dateitem *di) { int y, x; - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } @@ -545,7 +545,7 @@ return (BSDDIALOG_ERROR); if (draw_dialog(d) != 0) return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, 3 /*windows*/ + HBUTTONS); @@ -624,7 +624,7 @@ set_buttons(&d, true, OK_LABEL, CANCEL_LABEL); if (build_dateitem(conf->date.format, &yy, &mm, &dd, di) != 0) return (BSDDIALOG_ERROR); - if (datebox_redraw(&d, di) != 0) + if (datebox_draw(&d, false, di) != 0) return (BSDDIALOG_ERROR); sel = -1; @@ -716,12 +716,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (datebox_redraw(&d, di) != 0) + if (datebox_draw(&d, true, di) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (datebox_redraw(&d, di) != 0) + if (datebox_draw(&d, true, di) != 0) return (BSDDIALOG_ERROR); break; default: diff --git a/contrib/bsddialog/lib/formbox.c b/contrib/bsddialog/lib/formbox.c --- a/contrib/bsddialog/lib/formbox.c +++ b/contrib/bsddialog/lib/formbox.c 
@@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -601,11 +601,11 @@ } static int -form_redraw(struct dialog *d, struct privateform *f, bool focusinform) +form_draw(struct dialog *d, bool redraw, struct privateform *f, bool focusinform) { unsigned int i; - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } @@ -613,9 +613,9 @@ f->w = f->wmin; if (form_size_position(d, f) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate() in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, 2 /* box borders */ + f->viewrows + HBUTTONS); @@ -707,7 +707,7 @@ } form.formheight = formheight; - if (form_redraw(&d, &form, focusinform) != 0) + if (form_draw(&d, false, &form, focusinform) != 0) return (BSDDIALOG_ERROR); changeitem = switchfocus = false; @@ -719,10 +719,16 @@ switch(input) { case KEY_ENTER: case 10: /* Enter */ - if (focusinform && conf->button.always_active == false) - break; - retval = BUTTONVALUE(d.bs); - loop = false; + if (focusinform && conf->button.always_active == false) { + next = nextitem(form.nitems, form.pritems, form.sel); + if (next > form.sel) + changeitem = true; /* needs next */ + else + switchfocus = true; + } else { + retval = BUTTONVALUE(d.bs); + loop = false; + } break; case 27: /* Esc */ if (conf->key.enable_esc) { @@ -732,7 +738,12 @@ break; case '\t': /* TAB */ if (focusinform) { - switchfocus = true; + next = nextitem(form.nitems, form.pritems, + form.sel); + if (next > form.sel) + changeitem = true; /* needs next */ + else + switchfocus = true; } else { if (d.bs.curr + 1 < (int)d.bs.nbuttons) { d.bs.curr++; 
@@ -839,12 +850,12 @@ retval = BSDDIALOG_ERROR; loop = false; } - if (form_redraw(&d, &form, focusinform) != 0) + if (form_draw(&d, true, &form, focusinform) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (form_redraw(&d, &form, focusinform) != 0) + if (form_draw(&d, true, &form, focusinform) != 0) return (BSDDIALOG_ERROR); break; default: @@ -884,11 +895,20 @@ conf->button.always_active || !focusinform, !focusinform); wnoutrefresh(d.widget); - DRAWITEM_TRICK(&form, form.sel, focusinform); + if (focusinform == false) + DRAWITEM_TRICK(&form, form.sel, false); + else { + next = firstitem(form.nitems, form.pritems); + if (next == form.sel) + DRAWITEM_TRICK(&form, form.sel, true); + else + changeitem = true; + } switchfocus = false; } if (changeitem) { + /* useless after if(switchfocus) */ DRAWITEM_TRICK(&form, form.sel, false); form.sel = next; item = &form.pritems[form.sel]; diff --git a/contrib/bsddialog/lib/lib_util.h b/contrib/bsddialog/lib/lib_util.h --- a/contrib/bsddialog/lib/lib_util.h +++ b/contrib/bsddialog/lib/lib_util.h @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -62,7 +62,7 @@ RETURN_ERROR("*" #p " is NULL"); \ } while (0) #define CHECK_ARRAY(nitem, a) do { \ - if (nitem > 0 && a == NULL) \ + if (nitem > 0 && a == NULL) \ RETURN_FMTERROR(#nitem " is %d but *" #a " is NULL", nitem); \ } while (0) /* widget utils */ diff --git a/contrib/bsddialog/lib/lib_util.c b/contrib/bsddialog/lib/lib_util.c --- a/contrib/bsddialog/lib/lib_util.c +++ b/contrib/bsddialog/lib/lib_util.c 
@@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2023 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -25,6 +25,7 @@ * SUCH DAMAGE. */ +#include #include #include #include diff --git a/contrib/bsddialog/lib/libbsddialog.c b/contrib/bsddialog/lib/libbsddialog.c --- a/contrib/bsddialog/lib/libbsddialog.c +++ b/contrib/bsddialog/lib/libbsddialog.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2023 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -114,11 +114,21 @@ mvhline_set(1, 1, WACS_HLINE, SCREENCOLS - 2); } - refresh(); + wnoutrefresh(stdscr); return (BSDDIALOG_OK); } +int bsddialog_backtitle_rf(struct bsddialog_conf *conf, const char *backtitle) +{ + int rv; + + rv = bsddialog_backtitle(conf, backtitle); + doupdate(); + + return (rv); +} + bool bsddialog_inmode(void) { return (in_bsddialog_mode); diff --git a/contrib/bsddialog/lib/menubox.c b/contrib/bsddialog/lib/menubox.c --- a/contrib/bsddialog/lib/menubox.c +++ b/contrib/bsddialog/lib/menubox.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -391,7 +391,7 @@ attron(t.menu.bottomdesccolor); addstr(pritem->bottomdesc); attroff(t.menu.bottomdesccolor); - refresh(); + wnoutrefresh(stdscr); } } } 
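Review bot: bsddialog_backtitle() keeps its name and signature, but replacing `refresh()` with `wnoutrefresh(stdscr)` at the end of the function means it no longer updates the terminal itself. An existing caller that sets a backtitle and does not build a dialog afterwards will see nothing until some later code calls doupdate(), and nothing at the call site signals the change. The manual page hunk describes the new split, but the prototypes in bsddialog.h carry no hint; a comment there such as `/* queues the backtitle only; use bsddialog_backtitle_rf() to update the screen immediately */` would help callers who read the header. The start of bsddialog_backtitle() is outside the hunk.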
@@ -454,18 +454,18 @@ return (0); } -static int mixedlist_redraw(struct dialog *d, struct privatemenu *m) +static int mixedlist_draw(struct dialog *d, bool redraw, struct privatemenu *m) { - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } m->menurows = m->apimenurows; if (menu_size_position(d, m) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate() in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, 2/*bmenu*/ + m->menurows + HBUTTONS); @@ -532,7 +532,7 @@ drawitem(d.conf, &m, m.sel, true); m.ypad = 0; m.apimenurows = menurows; - if (mixedlist_redraw(&d, &m) != 0) + if (mixedlist_draw(&d, false, &m) != 0) return (BSDDIALOG_ERROR); changeitem = false; @@ -575,12 +575,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (mixedlist_redraw(&d, &m) != 0) + if (mixedlist_draw(&d, true, &m) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (mixedlist_redraw(&d, &m) != 0) + if (mixedlist_draw(&d, true, &m) != 0) return (BSDDIALOG_ERROR); break; } diff --git a/contrib/bsddialog/lib/messagebox.c b/contrib/bsddialog/lib/messagebox.c --- a/contrib/bsddialog/lib/messagebox.c +++ b/contrib/bsddialog/lib/messagebox.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -69,19 +69,19 @@ return (0); } -static int message_draw(struct dialog *d, struct scroll *s) +static int message_draw(struct dialog *d, bool redraw, struct scroll *s) { int unused; - if (d->built) { + if (redraw) { /* redraw: RESIZE or F1 */ hide_dialog(d); refresh(); /* Important for decreasing screen */ } if (message_size_position(d, &s->htext) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate() in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ s->printrows = d->h - BORDER - HBUTTONS - BORDER; @@ -106,7 +106,7 @@ return (BSDDIALOG_ERROR); set_buttons(&d, true, oklabel, cancellabel); s.htext = -1; - if (message_draw(&d, &s) != 0) + if (message_draw(&d, false, &s) != 0) return (BSDDIALOG_ERROR); loop = true; @@ -170,12 +170,12 @@ break; if (f1help_dialog(d.conf) != 0) return (BSDDIALOG_ERROR); - if (message_draw(&d, &s) != 0) + if (message_draw(&d, true, &s) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (message_draw(&d, &s) != 0) + if (message_draw(&d, true, &s) != 0) return (BSDDIALOG_ERROR); break; default: diff --git a/contrib/bsddialog/lib/textbox.c b/contrib/bsddialog/lib/textbox.c --- a/contrib/bsddialog/lib/textbox.c +++ b/contrib/bsddialog/lib/textbox.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -101,17 +101,17 @@ return (0); } -static int textbox_draw(struct dialog *d, struct scrolltext *st) +static int textbox_draw(struct dialog *d, bool redraw, struct scrolltext *st) { - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } if (textbox_size_position(d, st) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* wrefresh() and prefresh() in main loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ st->ys = d->y + 1; @@ -175,7 +175,7 @@ fclose(fp); set_tabsize(defaulttablen); /* reset because it is curses global */ - if (textbox_draw(&d, &st) != 0) + if (textbox_draw(&d, false, &st) != 0) return (BSDDIALOG_ERROR); loop = true; @@ -254,12 +254,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (textbox_draw(&d, &st) != 0) + if (textbox_draw(&d, true, &st) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (textbox_draw(&d, &st) != 0) + if (textbox_draw(&d, true, &st) != 0) return (BSDDIALOG_ERROR); break; } diff --git a/contrib/bsddialog/lib/theme.c b/contrib/bsddialog/lib/theme.c --- a/contrib/bsddialog/lib/theme.c +++ b/contrib/bsddialog/lib/theme.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2023 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -217,7 +217,7 @@ { CHECK_PTR(theme); set_theme(&t, theme); - refresh(); + wnoutrefresh(stdscr); return (BSDDIALOG_OK); } @@ -239,7 +239,7 @@ "to use enum bsddialog_default_theme", newtheme); } - refresh(); + wnoutrefresh(stdscr); return (BSDDIALOG_OK); } diff --git a/contrib/bsddialog/lib/timebox.c b/contrib/bsddialog/lib/timebox.c --- a/contrib/bsddialog/lib/timebox.c 
+++ b/contrib/bsddialog/lib/timebox.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -62,19 +62,19 @@ wnoutrefresh(win); } -static int timebox_redraw(struct dialog *d, struct clock *c) +static int timebox_draw(struct dialog *d, bool redraw, struct clock *c) { int y, x; - if (d->built) { + if (redraw) { hide_dialog(d); refresh(); /* Important for decreasing screen */ } if (dialog_size_position(d, HBOX, MINWTIME, NULL) != 0) return (BSDDIALOG_ERROR); - if (draw_dialog(d) != 0) + if (draw_dialog(d) != 0) /* doupdate() in mail loop */ return (BSDDIALOG_ERROR); - if (d->built) + if (redraw) refresh(); /* Important to fix grey lines expanding screen */ TEXTPAD(d, HBOX + HBUTTONS); @@ -117,7 +117,7 @@ wbkgd(c[i].win, t.dialog.color); c[i].value = MIN(c[i].value, c[i].max); } - if (timebox_redraw(&d, c) != 0) + if (timebox_draw(&d, false, c) != 0) return (BSDDIALOG_ERROR); sel = -1; @@ -210,12 +210,12 @@ break; if (f1help_dialog(conf) != 0) return (BSDDIALOG_ERROR); - if (timebox_redraw(&d, c) != 0) + if (timebox_draw(&d, true, c) != 0) return (BSDDIALOG_ERROR); break; case KEY_CTRL('l'): case KEY_RESIZE: - if (timebox_redraw(&d, c) != 0) + if (timebox_draw(&d, true, c) != 0) return (BSDDIALOG_ERROR); break; default: diff --git a/contrib/bsddialog/utility/GNUmakefile b/contrib/bsddialog/utility/GNUmakefile --- a/contrib/bsddialog/utility/GNUmakefile +++ b/contrib/bsddialog/utility/GNUmakefile @@ -6,6 +6,7 @@ OUTPUT = bsddialog SOURCES = bsddialog.c util_builders.c util_cli.c util_theme.c OBJECTS = $(SOURCES:.c=.o) +PREFIX = /usr/local ifneq ($(ENABLEDEBUG),) CFLAGS += -g 
@@ -20,7 +21,13 @@ RM = rm -f -all : $(OUTPUT) +all: $(OUTPUT) + +install: all + ${INSTALL} -m 0755 ${OUTPUT} ${DESTDIR}${PREFIX}/bin/${OUTPUT} + +uninstall: + ${RM} ${DESTDIR}${PREFIX}/bin/${OUTPUT} $(OUTPUT): $(OBJECTS) $(CC) $^ -o $@ $(LDFLAGS) @@ -31,3 +38,5 @@ clean: $(RM) $(OUTPUT) *.o *~ + +.PHONY: all install uninstall clean diff --git a/contrib/bsddialog/utility/Makefile b/contrib/bsddialog/utility/Makefile --- a/contrib/bsddialog/utility/Makefile +++ b/contrib/bsddialog/utility/Makefile @@ -6,6 +6,7 @@ OUTPUT = bsddialog SOURCES = bsddialog.c util_builders.c util_cli.c util_theme.c OBJECTS = ${SOURCES:.c=.o} +PREFIX = /usr/local .if defined(DEBUG) CFLAGS += -g @@ -21,7 +22,13 @@ INSTALL = install RM = rm -f -all : ${OUTPUT} +all: ${OUTPUT} + +install: all + ${INSTALL} -m 0755 ${OUTPUT} ${DESTDIR}${PREFIX}/bin/${OUTPUT} + +uninstall: + ${RM} ${DESTDIR}${PREFIX}/bin/${OUTPUT} ${OUTPUT}: ${OBJECTS} ${CC} ${LDFLAGS} ${OBJECTS} -o ${.PREFIX} @@ -31,3 +38,5 @@ clean: ${RM} ${OUTPUT} *.o *~ *.core *.gz + +.PHONY: all install uninstall clean diff --git a/contrib/bsddialog/utility/bsddialog.1 b/contrib/bsddialog/utility/bsddialog.1 --- a/contrib/bsddialog/utility/bsddialog.1 +++ b/contrib/bsddialog/utility/bsddialog.1 @@ -1,5 +1,5 @@ .\" -.\" Copyright (c) 2021-2024 Alfonso Sabato Siciliano +.\" Copyright (c) 2021-2025 Alfonso Sabato Siciliano .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -22,7 +22,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.Dd May 25, 2024 +.Dd June 22, 2025 .Dt BSDDIALOG 1 .Os .Sh NAME 
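Review bot: The new `install` recipe copies straight into `${DESTDIR}${PREFIX}/bin/` without creating that directory, so a staged install into an empty DESTDIR fails; `${INSTALL} -d ${DESTDIR}${PREFIX}/bin` as the first recipe line would fix that. The paths are unquoted, so a DESTDIR or PREFIX containing a space splits into several arguments, which matters most for the `${RM}` in `uninstall`; `"${DESTDIR}${PREFIX}/bin/${OUTPUT}"` is safer. In the GNUmakefile the hunk context shows `RM = rm -f` but no `INSTALL` assignment, whereas the BSD Makefile shows `INSTALL = install`. If the GNUmakefile does not set it outside the hunk, the recipe expands to a bare `-m 0755 …`, so this is worth checking. The same recipes appear in both utility/GNUmakefile and utility/Makefile.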
@@ -80,7 +80,14 @@ common to some dialog. .Bl -tag -width Ds .It Fl Fl alternate-screen -If available set alternate screen mode, see +Set alternate screen mode if the terminal and +.Xr curses 3 +provide it. +If enabled bsddialog draws to the alternate screen and restores the main screen +after exit. +See +.Dq smcup +in .Xr terminfo 5 . .It Fl Fl ascii-lines Ascii characters to draw lines. @@ -291,7 +298,11 @@ .Dq Ok button. .It Fl Fl normal-screen -If available set normal screen mode, see +Set normal screen mode. +bsddialog does not restore the previous screen after exit. +See +.Dq rmcup +in .Xr terminfo 5 . .It Fl Fl output-fd Ar fd Print input from user interface to the specified file descriptor. @@ -737,7 +748,7 @@ .It 10 Right2 generic button. .It 11 -Right2 generic button. +Right3 generic button. .El .Sh EXAMPLES Backtitle, title and message: diff --git a/contrib/bsddialog/utility/bsddialog.c b/contrib/bsddialog/utility/bsddialog.c --- a/contrib/bsddialog/utility/bsddialog.c +++ b/contrib/bsddialog/utility/bsddialog.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/contrib/bsddialog/utility/util.h b/contrib/bsddialog/utility/util.h --- a/contrib/bsddialog/utility/util.h +++ b/contrib/bsddialog/utility/util.h @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2023 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/contrib/bsddialog/utility/util_builders.c b/contrib/bsddialog/utility/util_builders.c --- a/contrib/bsddialog/utility/util_builders.c 
+++ b/contrib/bsddialog/utility/util_builders.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2024 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -82,7 +82,7 @@ perc = 0; if (argc == 1) { - perc = (u_int)strtoul(argv[0], NULL, 10); + perc = (unsigned int)strtoul(argv[0], NULL, 10); perc = perc > 100 ? 100 : perc; } else if (argc > 1) { error_args(opt->name, argc - 1, argv + 1); @@ -106,7 +106,7 @@ exit_error(true, "bad %s pair number [ ]", opt->name); - mainperc = (u_int)strtoul(argv[0], NULL, 10); + mainperc = (unsigned int)strtoul(argv[0], NULL, 10); mainperc = mainperc > 100 ? 100 : mainperc; argc--; argv++; @@ -138,7 +138,7 @@ if (argc > 1) error_args(opt->name, argc - 1, argv + 1); - secs = (u_int)strtoul(argv[0], NULL, 10); + secs = (unsigned int)strtoul(argv[0], NULL, 10); output = bsddialog_pause(conf, text, rows, cols, &secs); return (output); @@ -189,9 +189,9 @@ error_args(opt->name, argc - 3, argv + 3); } else if (argc == 3) { /* lib checks/sets max and min */ - dd = (u_int)strtoul(argv[0], NULL, 10); - mm = (u_int)strtoul(argv[1], NULL, 10); - yy = (u_int)strtoul(argv[2], NULL, 10); + dd = (unsigned int)strtoul(argv[0], NULL, 10); + mm = (unsigned int)strtoul(argv[1], NULL, 10); + yy = (unsigned int)strtoul(argv[2], NULL, 10); } if (strcmp(opt->name, "--datebox") == 0) @@ -259,9 +259,9 @@ if (argc > 3) { error_args("--timebox", argc - 3, argv + 3); } else if (argc == 3) { - hh = (u_int)strtoul(argv[0], NULL, 10); - mm = (u_int)strtoul(argv[1], NULL, 10); - ss = (u_int)strtoul(argv[2], NULL, 10); + hh = (unsigned int)strtoul(argv[0], NULL, 10); + mm = (unsigned int)strtoul(argv[1], NULL, 10); + ss = (unsigned int)strtoul(argv[2], NULL, 10); } output = bsddialog_timebox(conf, text, rows, cols, &hh, &mm, &ss); 
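Review bot: Every `(unsigned int)strtoul(argv[n], NULL, 10)` on the new side still converts a command-line argument with no end pointer and no range check. Non-numeric text therefore becomes 0, and a value above UINT_MAX is silently truncated by the cast before it is used as a percentage, a date or time field, or a row count. Since these hunks touch each of those lines anyway, routing them through one checked helper would make bad input fail loudly instead of drawing a dialog with unintended geometry. The same pattern repeats in the later hunks of this file (menu rows, form coordinates, `maxvaluelen`, `flags`), and the depth conversion uses base 0, so it would need a base parameter. The enclosing functions start outside the hunks.

```c
/* Parse a decimal CLI argument; exit on junk or out-of-range input. */
static unsigned int
parse_uint(const char *optname, const char *arg)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(arg, &end, 10);
	if (end == arg || *end != '\0' || errno == ERANGE || v > UINT_MAX)
		exit_error(true, "bad %s argument \"%s\"", optname, arg);

	return ((unsigned int)v);
}

/* … unchanged: argc checks … */
		perc = parse_uint(opt->name, argv[0]);
```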
@@ -315,7 +315,7 @@ for (i = 0; i < *nitems; i++) { (*items)[i].prefix = setprefix ? argv[j++] : ""; (*items)[i].depth = setdepth ? - (u_int)strtoul(argv[j++], NULL, 0) : 0; + (unsigned int)strtoul(argv[j++], NULL, 0) : 0; (*items)[i].name = setname ? argv[j++] : ""; (*items)[i].desc = setdesc ? argv[j++] : ""; if (setstatus) { @@ -436,7 +436,7 @@ if (argc < 1) exit_error(true, "--checklist missing "); - menurows = (u_int)strtoul(argv[0], NULL, 10); + menurows = (unsigned int)strtoul(argv[0], NULL, 10); get_menu_items(argc-1, argv+1, opt->item_prefix, opt->item_depth, true, true, true, opt->item_bottomdesc, &nitems, &items, &focusitem, opt); @@ -461,7 +461,7 @@ if (argc < 1) exit_error(true, "--menu missing "); - menurows = (u_int)strtoul(argv[0], NULL, 10); + menurows = (unsigned int)strtoul(argv[0], NULL, 10); get_menu_items(argc-1, argv+1, opt->item_prefix, opt->item_depth, true, true, false, opt->item_bottomdesc, &nitems, &items, &focusitem, @@ -487,7 +487,7 @@ if (argc < 1) exit_error(true, "--radiolist missing "); - menurows = (u_int)strtoul(argv[0], NULL, 10); + menurows = (unsigned int)strtoul(argv[0], NULL, 10); get_menu_items(argc-1, argv+1, opt->item_prefix, opt->item_depth, true, true, true, opt->item_bottomdesc, &nitems, &items, &focusitem, opt); @@ -512,7 +512,7 @@ if (argc < 1) exit_error(true, "--treeview missing "); - menurows = (u_int)strtoul(argv[0], NULL, 10); + menurows = (unsigned int)strtoul(argv[0], NULL, 10); get_menu_items(argc-1, argv+1, opt->item_prefix, true, true, true, true, opt->item_bottomdesc, &nitems, &items, &focusitem, opt); @@ -595,7 +595,7 @@ if (argc < 1) exit_error(true, "--form missing "); - formheight = (u_int)strtoul(argv[0], NULL, 10); + formheight = (unsigned int)strtoul(argv[0], NULL, 10); argc--; argv++; 
@@ -609,11 +609,11 @@ j = 0; for (i = 0; i < nitems; i++) { items[i].label = argv[j++]; - items[i].ylabel = (u_int)strtoul(argv[j++], NULL, 10); - items[i].xlabel = (u_int)strtoul(argv[j++], NULL, 10); + items[i].ylabel = (unsigned int)strtoul(argv[j++], NULL, 10); + items[i].xlabel = (unsigned int)strtoul(argv[j++], NULL, 10); items[i].init = argv[j++]; - items[i].yfield = (u_int)strtoul(argv[j++], NULL, 10); - items[i].xfield = (u_int)strtoul(argv[j++], NULL, 10); + items[i].yfield = (unsigned int)strtoul(argv[j++], NULL, 10); + items[i].xfield = (unsigned int)strtoul(argv[j++], NULL, 10); fieldlen = (int)strtol(argv[j++], NULL, 10); if (fieldlen == 0) @@ -621,7 +621,7 @@ else items[i].fieldlen = abs(fieldlen); - items[i].maxvaluelen = (u_int)strtoul(argv[j++], NULL, 10); + items[i].maxvaluelen = (unsigned int)strtoul(argv[j++], NULL, 10); if (items[i].maxvaluelen == 0) items[i].maxvaluelen = items[i].fieldlen; @@ -678,7 +678,7 @@ if (argc < 1) exit_error(true, "--mixedform missing "); - formheight = (u_int)strtoul(argv[0], NULL, 10); + formheight = (unsigned int)strtoul(argv[0], NULL, 10); argc--; argv++; 
@@ -692,21 +692,21 @@ j = 0; for (i = 0; i < nitems; i++) { items[i].label = argv[j++]; - items[i].ylabel = (u_int)strtoul(argv[j++], NULL, 10); - items[i].xlabel = (u_int)strtoul(argv[j++], NULL, 10); + items[i].ylabel = (unsigned int)strtoul(argv[j++], NULL, 10); + items[i].xlabel = (unsigned int)strtoul(argv[j++], NULL, 10); items[i].init = argv[j++]; - items[i].yfield = (u_int)strtoul(argv[j++], NULL, 10); - items[i].xfield = (u_int)strtoul(argv[j++], NULL, 10); + items[i].yfield = (unsigned int)strtoul(argv[j++], NULL, 10); + items[i].xfield = (unsigned int)strtoul(argv[j++], NULL, 10); fieldlen = (int)strtol(argv[j++], NULL, 10); if (fieldlen == 0) items[i].fieldlen = strcols(items[i].init); else items[i].fieldlen = abs(fieldlen); - items[i].maxvaluelen = (u_int)strtoul(argv[j++], NULL, 10); + items[i].maxvaluelen = (unsigned int)strtoul(argv[j++], NULL, 10); if (items[i].maxvaluelen == 0) items[i].maxvaluelen = items[i].fieldlen; - items[i].flags = (u_int)strtoul(argv[j++], NULL, 10); + items[i].flags = (unsigned int)strtoul(argv[j++], NULL, 10); if (fieldlen <= 0) items[i].flags |= BSDDIALOG_FIELDREADONLY; @@ -765,7 +765,7 @@ if (argc < 1) exit_error(true, "--passwordform missing "); - formheight = (u_int)strtoul(argv[0], NULL, 10); + formheight = (unsigned int)strtoul(argv[0], NULL, 10); argc--; argv++; 
@@ -780,11 +780,11 @@ j = 0; for (i = 0; i < nitems; i++) { items[i].label = argv[j++]; - items[i].ylabel = (u_int)strtoul(argv[j++], NULL, 10); - items[i].xlabel = (u_int)strtoul(argv[j++], NULL, 10); + items[i].ylabel = (unsigned int)strtoul(argv[j++], NULL, 10); + items[i].xlabel = (unsigned int)strtoul(argv[j++], NULL, 10); items[i].init = argv[j++]; - items[i].yfield = (u_int)strtoul(argv[j++], NULL, 10); - items[i].xfield = (u_int)strtoul(argv[j++], NULL, 10); + items[i].yfield = (unsigned int)strtoul(argv[j++], NULL, 10); + items[i].xfield = (unsigned int)strtoul(argv[j++], NULL, 10); fieldlen = (int)strtol(argv[j++], NULL, 10); items[i].fieldlen = abs(fieldlen); diff --git a/contrib/bsddialog/utility/util_cli.c b/contrib/bsddialog/utility/util_cli.c --- a/contrib/bsddialog/utility/util_cli.c +++ b/contrib/bsddialog/utility/util_cli.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2021-2023 Alfonso Sabato Siciliano + * Copyright (c) 2021-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/contrib/bsddialog/utility/util_theme.c b/contrib/bsddialog/utility/util_theme.c --- a/contrib/bsddialog/utility/util_theme.c +++ b/contrib/bsddialog/utility/util_theme.c @@ -1,7 +1,7 @@ /*- * SPDX-License-Identifier: BSD-2-Clause * - * Copyright (c) 2022-2024 Alfonso Sabato Siciliano + * Copyright (c) 2022-2025 Alfonso Sabato Siciliano * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -279,7 +279,7 @@ break; case BOOL: boolvalue = (strstr(value, "true") != NULL) ? - true :false; + true : false; *((bool*)p[i].value) = boolvalue; break; case COLOR: diff --git a/contrib/kyua/drivers/run_tests.cpp b/contrib/kyua/drivers/run_tests.cpp --- a/contrib/kyua/drivers/run_tests.cpp +++ b/contrib/kyua/drivers/run_tests.cpp 
@@ -209,7 +209,7 @@ hooks.got_result( *test_result_handle->test_program(), test_result_handle->test_case_name(), - test_result_handle->test_result(), + test_result, result_handle->end_time() - result_handle->start_time()); } diff --git a/contrib/libucl/lua/lua_ucl.c b/contrib/libucl/lua/lua_ucl.c --- a/contrib/libucl/lua/lua_ucl.c +++ b/contrib/libucl/lua/lua_ucl.c @@ -30,6 +30,8 @@ #include "lua_ucl.h" #include +#include "bootstrap.h" + /*** * @module ucl * This lua module allows to parse objects from strings and to store data into @@ -1571,3 +1573,5 @@ return (struct ucl_lua_funcdata*)obj->value.ud; } + +FLUA_MODULE(ucl); diff --git a/contrib/libucl/src/ucl_parser.c b/contrib/libucl/src/ucl_parser.c --- a/contrib/libucl/src/ucl_parser.c +++ b/contrib/libucl/src/ucl_parser.c 
@@ -164,51 +164,50 @@ } } } - else if (chunk->remain >= 2 && *p == '/') { - if (p[1] == '*') { - beg = p; - ucl_chunk_skipc (chunk, p); - comments_nested ++; - ucl_chunk_skipc (chunk, p); - - while (p < chunk->end) { - if (*p == '"' && *(p - 1) != '\\') { - quoted = !quoted; - } - - if (!quoted) { - if (*p == '*') { - ucl_chunk_skipc (chunk, p); - if (chunk->remain > 0 && *p == '/') { - comments_nested --; - if (comments_nested == 0) { - if (parser->flags & UCL_PARSER_SAVE_COMMENTS) { - ucl_save_comment (parser, beg, p - beg + 1); - beg = NULL; - } - - ucl_chunk_skipc (chunk, p); - goto start; - } - } - ucl_chunk_skipc (chunk, p); - } - else if (p[0] == '/' && chunk->remain >= 2 && p[1] == '*') { - comments_nested ++; - ucl_chunk_skipc (chunk, p); - ucl_chunk_skipc (chunk, p); - continue; + else if (chunk->remain >= 2 && *p == '/' && p[1] == '*') { + beg = p; + comments_nested ++; + ucl_chunk_skipc (chunk, p); + ucl_chunk_skipc (chunk, p); + while (p < chunk->end) { + if (*p == '"' && *(p - 1) != '\\') { + /* begin or end double-quoted string */ + quoted = !quoted; + ucl_chunk_skipc (chunk, p); + } + else if (quoted) { + /* quoted character */ + ucl_chunk_skipc (chunk, p); + } + else if (chunk->remain >= 2 && *p == '*' && p[1] == '/') { + /* end of comment */ + ucl_chunk_skipc (chunk, p); + ucl_chunk_skipc (chunk, p); + comments_nested --; + if (comments_nested == 0) { + if (parser->flags & UCL_PARSER_SAVE_COMMENTS) { + ucl_save_comment (parser, beg, p - beg + 1); + beg = NULL; } + goto start; } - + } + else if (chunk->remain >= 2 && *p == '/' && p[1] == '*') { + /* start of nested comment */ + comments_nested ++; + ucl_chunk_skipc (chunk, p); ucl_chunk_skipc (chunk, p); } - if (comments_nested != 0) { - ucl_set_err (parser, UCL_ENESTED, - "unfinished multiline comment", &parser->err); - return false; + else { + /* anything else */ + ucl_chunk_skipc (chunk, p); } } + if (comments_nested != 0) { + ucl_set_err (parser, UCL_ENESTED, + "unfinished multiline comment", 
&parser->err); + return false; + } } if (beg && p > beg && (parser->flags & UCL_PARSER_SAVE_COMMENTS)) { 
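Review bot: In the rewritten end-of-comment branch both `*` and `/` are skipped before `ucl_save_comment (parser, beg, p - beg + 1)` runs, so `p` already points one past the closing `/` and the length is one byte too long. The removed code made this call while `p` was still on the `/`. If ucl_save_comment() copies `len` bytes, as its arguments suggest, the saved comment picks up the following character. When the comment is the last thing in the chunk, that becomes a one-byte read past `chunk->end`. Passing `p - beg` in the new branch restores the previous length; the enclosing function starts and ends outside the hunk.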
diff --git a/contrib/lyaml/ext/yaml/yaml.c b/contrib/lyaml/ext/yaml/yaml.c index 54478610134fec5853580fd232b711074cf2a37f..6a5ddc605e0fd3640955adda8a2d867915524504 GIT binary patch literal 2021 zc${rjTW_mI5PmklV&pv3PC3p+eL2bLQHhOXR16m2q*hg-HLT567|`x=EGx?2?sI1V z$BtXc7wzmf-#0ggn`;BE;lOtJC^5km>y(JKSVb!N z9ww~7d!3nZe|!5CF$5cz)j^7FreQE1;>F!BU+!=3@8Oxr1H6pjh1J`P75@jl{d&pV zaW1&r38h3?fKZTe$uWqnWQFFb2^+~dlp9DgCb!%KT>>i(P;sfypUH;%rT5aQtQe)I@DAbYa)amX@ zWh~EO&AalUxM+rltjEkGg`qUggJ3ySI60(ynepft$IOP%pGL1%V1pCFBJf|Fi9Lb7 z72>&X!mAU_{AC1)2rMsJfj@Fvc_Y6iH44&fJNRH}V_Jj?J+{;+xySc!o#o$#I=%WfIrai9BMS`T{`y;go!n`p6$lVN1`T4LbhST>&zxAsap6MM~?4NK4agD0z8_SZV-KV zzdE69f)zL+Rc0Fa^CnZOE;{)Q54w7GOGK6b+#rO|c^TRtoG`I17wNED-ep6NOfIQ|RX3pUjh@P4JIcO)vZc9LlkLoy*X%#We%|cjtbcA>m!(ElR<-t&Z$!ai zzVfWO-Rt$qqkm?8!3JYBdo2L^xM4>}ux50pCLK=U?!v@pg(A2RB%e2fSU7nn1tr zMz6zQuXgknlD(mMW~`W0X!~qb2`h>gc~uvv)d?BBH*e{>CeZJ@@&0HSSP<8Fimio% zgP{$Kw5)g$Q(0kvr#Qq!I9$6!3>yGiy%=9B`08?pk7VoQ&WvPjl9qgno0`i3inhHn zAvgizs#aMp5WsSReDtp+CWPX8BY2+D^_P2O`GMOS$GhLLNUm`=!`-9tZWvSQ@7$j( KU3)-ki1`J4YHVbiq^PQ_#a{4MW{q~&7ojMByU(35 zCM2{HAKJ4s=ggPKH`f+i!+~wfL1u$5R!e8*!%E0p$PKJ31%A!QhRjCQ?x4h`Fwh(I@#5~6FT>m65T2Mi!1Dl}S-mNk{6Ev%ub0d% z=bWpp&{|Xygoc7EjzMe`lZNLutQF@_tsyIz+Hf081xy}b$CXBhYGs&^lna9l1&I%h zO@U0hTAMvn9PM*pT34B1NC|nB)mttNGbFhdCD+h11&40jdUX4ZPR?0LghB#cpKf6< zOi|Sa6xT+HjA(2$%F4Q_>gl=^ThWS;ds7Qdd`MkuOoalrVO!;5P5->fZ&$BMp|R?@ zAof*l5Yz-_T#^@NbAx@;yljF)5`hUcNuOhE%t&ZQ#WiiYG$H$<+J4SQG*PWT1jIZEBXD5uM2Ry=9KDrp6 z^XR)rHOy}0JKoHOu`_d?+{P`bP5|DbPe1i5mo+kgV2P|i`aeVgt6=RNQd1DE*pAk^8C{f ze0py?1|qT7dY>)g{O4rpIz~fczf=0XOgsr~B|*wqtTo zsm=GJ-i>8lwF3&@=&6*OLGk?)mX~5h*axtz*?+)p+3ez?i&)OrLUNcb183%TI$gTy zet@5`kyy3P(Ez%*P*#feEUoP>_zNd(P4IMs-}ZE-_9@vkjgu(7>!rHi>0PB7eulgL zg~{2XbLnGQnwD5bkG#gERx>}1_y(ds|AJqw*K@o$pwW^%;Pryk2Ks%oI;{=%WJ_-w z)#=+Gz#UT>vCp8+n3PA$t6HK~D`a(EgN5(gK)-L++k<6cL45Bqb>Agq=90210Ht@s8vGFLqmJ@(3m=xmVgYF(59 q4OmGg@BKRxlZEDHEqIyJ^_L;C{J^b@W87_76gRko;qJkDv;GCB!dqAX 
diff --git a/contrib/sendmail/src/newaliases.1 b/contrib/sendmail/src/newaliases.1 --- a/contrib/sendmail/src/newaliases.1 +++ b/contrib/sendmail/src/newaliases.1 @@ -14,7 +14,7 @@ .TH NEWALIASES 1 "$Date: 2013-11-22 20:51:56 $" .SH NAME newaliases -\- rebuild the data base for the mail aliases file +\- rebuild the data base for the sendmail aliases file .SH SYNOPSIS .B newaliases .SH DESCRIPTION diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in --- a/contrib/unbound/Makefile.in +++ b/contrib/unbound/Makefile.in @@ -449,9 +449,13 @@ $(srcdir)/util/netevent.h $(srcdir)/util/net_help.h \ $(srcdir)/util/locks.h -dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h: $(srcdir)/dnstap/dnstap.proto +# Builds both dnstap/dnstap.pb-c.c and dnstap/dnstap.pb-c.h. +# To avoid double-building we split one target out. +dnstap/dnstap.pb-c.c: $(srcdir)/dnstap/dnstap.proto @-if test ! -d dnstap; then $(INSTALL) -d dnstap; fi $(PROTOC_C) --c_out=. --proto_path=$(srcdir) $(srcdir)/dnstap/dnstap.proto +dnstap/dnstap.pb-c.h: dnstap/dnstap.pb-c.c + touch $@ unbound-dnstap-socket$(EXEEXT): $(DNSTAP_SOCKET_OBJ_LINK) $(LINK) -o $@ $(DNSTAP_SOCKET_OBJ_LINK) $(SSLLIB) $(LIBS) 
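Review bot: The new `dnstap/dnstap.pb-c.h` rule only runs `touch $@`, so if the header is missing while `dnstap/dnstap.pb-c.c` is up to date, make creates an empty header instead of regenerating it. The problem then surfaces later as a confusing compile error. A recipe that recovers first, for example `@test -f $@ || { rm -f dnstap/dnstap.pb-c.c && $(MAKE) dnstap/dnstap.pb-c.c; }` followed by the `touch`, keeps the split that avoids double-building without that trap. The added comment could also say that the `.h` rule is only a timestamp stamp for the file that `$(PROTOC_C)` already wrote.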
@@ -722,299 +726,338 @@ dns.lo dns.o: $(srcdir)/services/cache/dns.c config.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/val_nsec.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/util/data/msgparse.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h infra.lo infra.o: $(srcdir)/services/cache/infra.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/cache/infra.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h 
$(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/config_file.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h rrset.lo rrset.o: $(srcdir)/services/cache/rrset.c config.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h as112.lo as112.o: $(srcdir)/util/as112.c $(srcdir)/util/as112.h dname.lo dname.o: $(srcdir)/util/data/dname.c config.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/sldns/sbuffer.h msgencode.lo msgencode.o: $(srcdir)/util/data/msgencode.c config.h $(srcdir)/util/data/msgencode.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + 
$(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/services/view.h -msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h +msgparse.lo msgparse.o: $(srcdir)/util/data/msgparse.c config.h $(srcdir)/util/config_file.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/rfc_1982.h $(srcdir)/util/edns.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h msgreply.lo msgreply.o: $(srcdir)/util/data/msgreply.c config.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/msgparse.h 
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/module.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h packed_rrset.lo packed_rrset.o: $(srcdir)/util/data/packed_rrset.c config.h $(srcdir)/util/data/msgparse.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lookup3.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h 
$(srcdir)/sldns/wire2str.h iterator.lo iterator.o: $(srcdir)/iterator/iterator.c config.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_utils.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_donotq.h \ $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_scrub.h $(srcdir)/iterator/iter_priv.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/util/random.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h + $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/netevent.h 
$(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h iter_delegpt.lo iter_delegpt.o: $(srcdir)/iterator/iter_delegpt.c config.h $(srcdir)/iterator/iter_delegpt.h \ $(srcdir)/util/log.h $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/sldns/sbuffer.h iter_donotq.lo iter_donotq.o: $(srcdir)/iterator/iter_donotq.c config.h $(srcdir)/iterator/iter_donotq.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h iter_fwd.lo iter_fwd.o: $(srcdir)/iterator/iter_fwd.c config.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h 
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/iterator/iter_delegpt.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/str2wire.h iter_hints.lo iter_hints.o: $(srcdir)/iterator/iter_hints.c config.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/wire2str.h iter_priv.lo iter_priv.o: $(srcdir)/iterator/iter_priv.c config.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/sbuffer.h iter_resptype.lo iter_resptype.o: $(srcdir)/iterator/iter_resptype.c config.h \ - 
$(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iterator.h $(srcdir)/util/log.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/dname.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h + $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/util/log.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h iter_scrub.lo iter_scrub.o: $(srcdir)/iterator/iter_scrub.c config.h $(srcdir)/iterator/iter_scrub.h \ $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/iterator/iter_priv.h $(srcdir)/util/rbtree.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \ $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/alloc.h $(srcdir)/sldns/sbuffer.h iter_utils.lo iter_utils.o: $(srcdir)/iterator/iter_utils.c config.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iterator.h 
$(srcdir)/services/outbound_list.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/iterator/iter_hints.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_fwd.h \ $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_priv.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outside_network.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/str2wire.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/dname.h 
$(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/sldns/str2wire.h listen_dnsport.lo listen_dnsport.o: $(srcdir)/services/listen_dnsport.c config.h \ $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h 
$(srcdir)/sldns/wire2str.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/timeval_func.h \ + localzone.lo localzone.o: $(srcdir)/services/localzone.c config.h $(srcdir)/services/localzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/as112.h + $(srcdir)/util/data/msgencode.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/as112.h mesh.lo mesh.o: $(srcdir)/services/mesh.c config.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/sldns/pkthdr.h 
$(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h $(srcdir)/services/listen_dnsport.h -modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h 
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/edns.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/dname.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h +modstack.lo modstack.o: $(srcdir)/services/modstack.c config.h $(srcdir)/services/modstack.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/dns64/dns64.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/validator/validator.h \ + 
$(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(PYTHONMOD_HEADER) \ + $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h $(srcdir)/ipsecmod/ipsecmod.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h view.lo view.o: $(srcdir)/services/view.c config.h $(srcdir)/services/view.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/respip/respip.h rpz.lo rpz.o: $(srcdir)/services/rpz.c config.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h 
$(srcdir)/libunbound/unbound.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h \ + $(srcdir)/dnstap/dnstap.h +rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c config.h $(srcdir)/util/rfc_1982.h outbound_list.lo outbound_list.o: $(srcdir)/services/outbound_list.c config.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - + $(srcdir)/services/outbound_list.h $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + outside_network.lo outside_network.o: $(srcdir)/services/outside_network.c config.h \ - $(srcdir)/services/outside_network.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/iterator/iterator.h \ - 
$(srcdir)/services/outbound_list.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/edns.h $(srcdir)/dnstap/dnstap.h \ + alloc.lo alloc.o: $(srcdir)/util/alloc.c 
config.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/regional.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h config_file.lo config_file.o: $(srcdir)/util/config_file.c config.h $(srcdir)/util/log.h \ - $(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h util/configparser.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + 
$(srcdir)/util/configyyrename.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + util/configparser.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/regional.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/rtt.h $(srcdir)/services/cache/infra.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/iana_ports.inc + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/util/iana_ports.inc configlexer.lo configlexer.o: util/configlexer.c config.h $(srcdir)/util/configyyrename.h \ - $(srcdir)/util/config_file.h util/configparser.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h util/configparser.h configparser.lo configparser.o: util/configparser.c config.h $(srcdir)/util/configyyrename.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/sldns/rrdef.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/util/random.h $(srcdir)/sldns/str2wire.h util/configparser.h shm_main.lo shm_main.o: $(srcdir)/util/shm_side/shm_main.c config.h 
$(srcdir)/util/shm_side/shm_main.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/services/mesh.h \ - $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/tube.h $(srcdir)/util/timeval_func.h + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h \ + $(srcdir)/util/fptr_wlist.h 
$(srcdir)/util/tube.h authzone.lo authzone.o: $(srcdir)/services/authzone.c config.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/outside_network.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h $(srcdir)/validator/val_nsec3.h \ - $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_sigcrypt.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h 
$(srcdir)/util/data/msgencode.h $(srcdir)/util/regional.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h 
$(srcdir)/dns64/dns64.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_neg.h $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/libunbound/unbound-event.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/daemon/remote.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/libunbound/libworker.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h $(srcdir)/daemon/remote.h \ + $(PYTHONMOD_HEADER) $(DYNLIBMOD_HEADER) $(srcdir)/cachedb/cachedb.h \ + $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/ipset/ipset.h $(srcdir)/dnstap/dtstream.h locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h log.lo log.o: $(srcdir)/util/log.c config.h 
$(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h -mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h +mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/ub_event.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h \ - $(srcdir)/util/fptr_wlist.h 
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/timeval_func.h -proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \ - $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/tcp_conn_limit.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/sldns/str2wire.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ - 
$(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ - $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/random.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \ + random.lo random.o: $(srcdir)/util/random.c config.h $(srcdir)/util/random.h $(srcdir)/util/log.h rbtree.lo rbtree.o: $(srcdir)/util/rbtree.c config.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h 
$(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ 
@@ -1022,442 +1065,609 @@ regional.lo regional.o: $(srcdir)/util/regional.c config.h $(srcdir)/util/log.h $(srcdir)/util/regional.h rtt.lo rtt.o: $(srcdir)/util/rtt.c config.h $(srcdir)/util/rtt.h $(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h -siphash.lo siphash.o: $(srcdir)/util/siphash.c -rfc_1982.lo rfc_1982.o: $(srcdir)/util/rfc_1982.c + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h +siphash.lo siphash.o: $(srcdir)/util/siphash.c config.h $(srcdir)/util/siphash.h edns.lo edns.o: $(srcdir)/util/edns.c config.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/regional.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h + $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/rfc_1982.h \ + $(srcdir)/util/siphash.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/sbuffer.h dnstree.lo dnstree.o: $(srcdir)/util/storage/dnstree.c config.h 
$(srcdir)/util/storage/dnstree.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/net_help.h + $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h lookup3.lo lookup3.o: $(srcdir)/util/storage/lookup3.c config.h $(srcdir)/util/storage/lookup3.h lruhash.lo lruhash.o: $(srcdir)/util/storage/lruhash.c config.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h slabhash.lo slabhash.o: $(srcdir)/util/storage/slabhash.c config.h $(srcdir)/util/storage/slabhash.h \ $(srcdir)/util/storage/lruhash.h 
$(srcdir)/util/locks.h $(srcdir)/util/log.h tcp_conn_limit.lo tcp_conn_limit.o: $(srcdir)/util/tcp_conn_limit.c config.h $(srcdir)/util/regional.h \ - $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/tcp_conn_limit.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h -tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \ + $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/locks.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h +timehist.lo timehist.o: $(srcdir)/util/timehist.c config.h $(srcdir)/util/timehist.h $(srcdir)/util/log.h \ + $(srcdir)/util/timeval_func.h +tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h 
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h +proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c $(srcdir)/util/proxy_protocol.h config.h +timeval_func.lo timeval_func.o: $(srcdir)/util/timeval_func.c config.h $(srcdir)/util/timeval_func.h ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/remote.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/util/tube.h $(srcdir)/daemon/remote.h \ + $(srcdir)/dnstap/dtstream.h ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \ $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/modstack.h 
$(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/random.h $(srcdir)/services/mesh.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/services/mesh.h \ $(srcdir)/util/netevent.h 
$(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h + $(srcdir)/validator/val_kcache.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/keyraw.h \ + val_anchor.lo val_anchor.o: $(srcdir)/validator/val_anchor.c config.h $(srcdir)/validator/val_anchor.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/as112.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/autotrust.h $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/as112.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/sldns/str2wire.h validator.lo validator.o: $(srcdir)/validator/validator.c config.h $(srcdir)/validator/validator.h \ $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kcache.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h 
$(srcdir)/validator/val_nsec.h \ - $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_anchor.h \ + $(srcdir)/validator/val_kcache.h $(srcdir)/util/storage/slabhash.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_sigcrypt.h \ $(srcdir)/validator/autotrust.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h 
$(srcdir)/sldns/str2wire.h val_kcache.lo val_kcache.o: $(srcdir)/validator/val_kcache.c config.h $(srcdir)/validator/val_kcache.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/validator/val_kentry.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h + $(srcdir)/validator/val_kentry.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h val_kentry.lo val_kentry.o: $(srcdir)/validator/val_kentry.c config.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h -val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h $(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/rbtree.h $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/sldns/keyraw.h \ + +val_neg.lo val_neg.o: $(srcdir)/validator/val_neg.c config.h \ + 
$(srcdir)/validator/val_neg.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ $(srcdir)/util/config_file.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h val_nsec3.lo val_nsec3.o: $(srcdir)/validator/val_nsec3.c config.h $(srcdir)/validator/val_nsec3.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_kentry.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/dname.h \ + $(srcdir)/validator/val_nsec.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h 
val_nsec.lo val_nsec.o: $(srcdir)/validator/val_nsec.c config.h $(srcdir)/validator/val_nsec.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h + $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h val_secalgo.lo val_secalgo.o: $(srcdir)/validator/val_secalgo.c config.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/validator/val_secalgo.h \ $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/sbuffer.h + $(srcdir)/sldns/sbuffer.h \ + val_sigcrypt.lo val_sigcrypt.o: $(srcdir)/validator/val_sigcrypt.c config.h \ $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/val_secalgo.h \ - $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/rbtree.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/sldns/wire2str.h + $(srcdir)/util/locks.h $(srcdir)/util/log.h 
$(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/util/rbtree.h $(srcdir)/util/data/dname.h $(srcdir)/util/rfc_1982.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h \ + $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + val_utils.lo val_utils.o: $(srcdir)/validator/val_utils.c config.h $(srcdir)/validator/val_utils.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_sigcrypt.h $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h \ - $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h \ - $(srcdir)/sldns/parseutil.h + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h 
$(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_nsec3.h \ + $(srcdir)/util/rbtree.h $(srcdir)/validator/val_kentry.h $(srcdir)/validator/val_sigcrypt.h \ + $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/parseutil.h dns64.lo dns64.o: $(srcdir)/dns64/dns64.c config.h $(srcdir)/dns64/dns64.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/util/config_file.h $(srcdir)/util/fptr_wlist.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h -edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h -subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h + $(srcdir)/util/random.h 
$(srcdir)/util/regional.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h +edns-subnet.lo edns-subnet.o: $(srcdir)/edns-subnet/edns-subnet.c config.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h +subnetmod.lo subnetmod.o: $(srcdir)/edns-subnet/subnetmod.c config.h $(srcdir)/edns-subnet/subnetmod.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/data/dname.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/util/regional.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/cachedb/cachedb.h addrtree.lo addrtree.o: $(srcdir)/edns-subnet/addrtree.c config.h $(srcdir)/util/log.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h 
$(srcdir)/edns-subnet/addrtree.h -subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/edns-subnet/addrtree.h +subnet-whitelist.lo subnet-whitelist.o: $(srcdir)/edns-subnet/subnet-whitelist.c config.h \ + $(srcdir)/edns-subnet/edns-subnet.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h \ + $(srcdir)/edns-subnet/subnet-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h +cachedb.lo cachedb.o: $(srcdir)/cachedb/cachedb.c config.h $(srcdir)/cachedb/cachedb.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/cachedb/redis.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/validator/val_neg.h $(srcdir)/validator/val_secalgo.h \ + $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h 
$(srcdir)/sldns/parseutil.h \ + $(srcdir)/sldns/wire2str.h +redis.lo redis.o: $(srcdir)/cachedb/redis.c config.h $(srcdir)/cachedb/redis.h $(srcdir)/cachedb/cachedb.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/alloc.h $(srcdir)/util/config_file.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/sldns/sbuffer.h respip.lo respip.o: $(srcdir)/respip/respip.c config.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/services/view.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/rpz.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/dns.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/regional.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/net_help.h 
$(srcdir)/util/random.h $(srcdir)/util/regional.h $(srcdir)/util/data/dname.h checklocks.lo checklocks.o: $(srcdir)/testcode/checklocks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/testcode/checklocks.h -ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h -ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h +dnstap.lo dnstap.o: $(srcdir)/dnstap/dnstap.c config.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/dnstap/dtstream.h dnstap/dnstap.pb-c.h +dnstap.pb-c.lo dnstap.pb-c.o: dnstap/dnstap.pb-c.c dnstap/dnstap.pb-c.h +dnstap_fstrm.lo dnstap_fstrm.o: $(srcdir)/dnstap/dnstap_fstrm.c config.h $(srcdir)/dnstap/dnstap_fstrm.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h +dtstream.lo dtstream.o: $(srcdir)/dnstap/dtstream.c config.h $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/sldns/sbuffer.h \ + +dnscrypt.lo dnscrypt.o: $(srcdir)/dnscrypt/dnscrypt.c config.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ + $(srcdir)/util/random.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/storage/lookup3.h 
+ipsecmod.lo ipsecmod.o: $(srcdir)/ipsecmod/ipsecmod.c config.h $(srcdir)/ipsecmod/ipsecmod.h \ + $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/rbtree.h \ + $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h \ + $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/services/cache/dns.h $(srcdir)/sldns/wire2str.h +ipsecmod-whitelist.lo ipsecmod-whitelist.o: $(srcdir)/ipsecmod/ipsecmod-whitelist.c config.h \ + $(srcdir)/ipsecmod/ipsecmod.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ + $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/rbtree.h \ + $(srcdir)/ipsecmod/ipsecmod-whitelist.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/regional.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/str2wire.h +ipset.lo ipset.o: $(srcdir)/ipset/ipset.c config.h $(srcdir)/ipset/ipset.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + 
$(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/parseutil.h unitanchor.lo unitanchor.o: $(srcdir)/testcode/unitanchor.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/validator/val_anchor.h $(srcdir)/util/rbtree.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h unitdname.lo unitdname.o: $(srcdir)/testcode/unitdname.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h unitlruhash.lo unitlruhash.o: $(srcdir)/testcode/unitlruhash.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/storage/slabhash.h -unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h $(srcdir)/iterator/iterator.h \ - $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/services/cache/infra.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/random.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/localzone.h 
$(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/services/outside_network.h +unitmain.lo unitmain.o: $(srcdir)/testcode/unitmain.c config.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/util/log.h \ + $(srcdir)/testcode/unitmain.h $(srcdir)/util/alloc.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/util/rtt.h $(srcdir)/util/timehist.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/edns.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/respip/respip.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/regional.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h unitmsgparse.lo unitmsgparse.o: $(srcdir)/testcode/unitmsgparse.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/testcode/readhex.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/alloc.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/testcode/readhex.h $(srcdir)/testcode/testpkts.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/sldns/wire2str.h unitneg.lo unitneg.o: $(srcdir)/testcode/unitneg.c config.h $(srcdir)/util/log.h 
$(srcdir)/util/net_help.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h $(srcdir)/util/rbtree.h \ - $(srcdir)/sldns/rrdef.h + $(srcdir)/util/random.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/data/dname.h $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_neg.h \ + $(srcdir)/util/rbtree.h $(srcdir)/sldns/rrdef.h unitregional.lo unitregional.o: $(srcdir)/testcode/unitregional.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/regional.h unitslabhash.lo unitslabhash.o: $(srcdir)/testcode/unitslabhash.c config.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/util/log.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h unitverify.lo unitverify.o: $(srcdir)/testcode/unitverify.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/validator/val_sigcrypt.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ $(srcdir)/validator/val_secalgo.h $(srcdir)/validator/val_nsec.h $(srcdir)/validator/val_nsec3.h \ $(srcdir)/util/rbtree.h $(srcdir)/validator/validator.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/rrdef.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/data/msgparse.h $(srcdir)/validator/val_utils.h $(srcdir)/testcode/testpkts.h \ + $(srcdir)/util/data/dname.h 
$(srcdir)/util/regional.h $(srcdir)/util/alloc.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ + readhex.lo readhex.o: $(srcdir)/testcode/readhex.c config.h $(srcdir)/testcode/readhex.h $(srcdir)/util/log.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \ $(srcdir)/sldns/parseutil.h -unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h +unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h $(srcdir)/util/log.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/testcode/unitmain.h $(srcdir)/edns-subnet/addrtree.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/services/outbound_list.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/data/dname.h \ + $(srcdir)/edns-subnet/edns-subnet.h unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h 
$(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ - $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h \ - $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h \ - $(srcdir)/sldns/wire2str.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/respip/respip.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h unitzonemd.lo unitzonemd.o: $(srcdir)/testcode/unitzonemd.c config.h $(srcdir)/util/log.h \ $(srcdir)/testcode/unitmain.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/services/authzone.h \ $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgparse.h \ - 
$(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h $(srcdir)/util/regional.h \ - $(srcdir)/validator/val_anchor.h -unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/services/outside_network.h \ -$(srcdir)/util/random.h -unitinfra.lo unitinfra.o: $(srcdir)/testcode/unitinfra.c config.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/iterator/iterator.h + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/data/dname.h \ + $(srcdir)/util/regional.h $(srcdir)/validator/val_anchor.h +unittcpreuse.lo unittcpreuse.o: $(srcdir)/testcode/unittcpreuse.c config.h $(srcdir)/testcode/unitmain.h \ + $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/locks.h $(srcdir)/util/rbtree.h $(srcdir)/util/regional.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + +unitdoq.lo unitdoq.o: $(srcdir)/testcode/unitdoq.c config.h $(srcdir)/util/netevent.h \ + 
$(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/testcode/unitmain.h +unitinfra.lo unitinfra.o: $(srcdir)/testcode/unitinfra.c config.h $(srcdir)/testcode/unitmain.h $(srcdir)/util/log.h \ + $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h $(srcdir)/daemon/cachedump.h \ - $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - 
$(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/sldns/str2wire.h +cachedump.lo cachedump.o: $(srcdir)/daemon/cachedump.c config.h \ + $(srcdir)/daemon/cachedump.h $(srcdir)/daemon/remote.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/dns.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/config_file.h 
$(srcdir)/iterator/iterator.h \ $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h \ $(srcdir)/iterator/iter_resptype.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/util/config_file.h $(srcdir)/services/outside_network.h -daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ - $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \ - $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h -remote.lo remote.o: $(srcdir)/daemon/remote.c config.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/worker.h \ + $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h +daemon.lo daemon.o: $(srcdir)/daemon/daemon.c 
config.h \ + $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/daemon/worker.h \ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/alloc.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \ + $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/cachedb/cachedb.h +remote.lo remote.o: $(srcdir)/daemon/remote.c config.h \ + $(srcdir)/daemon/remote.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ + $(srcdir)/sldns/sbuffer.h 
$(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ $(srcdir)/services/modstack.h $(srcdir)/daemon/cachedump.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h \ - $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ - $(srcdir)/validator/val_anchor.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_delegpt.h \ - $(srcdir)/services/outside_network.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/util/edns.h \ - $(srcdir)/util/locks.h $(srcdir)/util/ub_event.h \ - $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h $(srcdir)/validator/val_neg.h \ - $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_priv.h + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h 
$(srcdir)/services/view.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/rtt.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ + $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/util/data/dname.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_kentry.h \ + $(srcdir)/validator/val_anchor.h $(srcdir)/validator/val_neg.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/iterator/iter_donotq.h $(srcdir)/iterator/iter_priv.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/regional.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h $(srcdir)/cachedb/cachedb.h \ + $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h 
$(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/tube.h \ - $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h + $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/data/dname.h \ + $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + unbound.lo unbound.o: $(srcdir)/daemon/unbound.c config.h $(srcdir)/util/log.h $(srcdir)/daemon/daemon.h \ $(srcdir)/util/locks.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h 
$(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/util/rbtree.h $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/ub_event.h + $(srcdir)/daemon/remote.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/services/cache/infra.h \ + $(srcdir)/util/rtt.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/ub_event.h worker.lo worker.o: $(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h 
$(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ - $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/listen_dnsport.h \ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \ - $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \ - $(srcdir)/iterator/iter_resptype.h 
$(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h testbound.lo testbound.o: $(srcdir)/testcode/testbound.c config.h $(srcdir)/testcode/testpkts.h \ $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h \ - $(srcdir)/daemon/remote.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/timeval_func.h $(srcdir)/services/modstack.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rtt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ - 
$(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h $(srcdir)/util/ub_event.h $(srcdir)/daemon/worker.h + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/daemon/remote.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/daemon/unbound.c $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/ub_event.h testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcode/testpkts.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h worker.lo worker.o: 
$(srcdir)/daemon/worker.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ $(srcdir)/util/random.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/timeval_func.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/daemon.h \ - $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/modstack.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/regional.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/listen_dnsport.h \ $(srcdir)/services/outside_network.h $(srcdir)/services/outbound_list.h \ $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/services/cache/dns.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ $(srcdir)/services/localzone.h $(srcdir)/respip/respip.h $(srcdir)/util/data/msgencode.h \ - 
$(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/edns.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h \ - $(srcdir)/iterator/iter_resptype.h $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h \ - $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h + $(srcdir)/util/data/dname.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/edns.h $(srcdir)/util/timeval_func.h $(srcdir)/iterator/iter_fwd.h \ + $(srcdir)/iterator/iter_hints.h $(srcdir)/iterator/iter_utils.h $(srcdir)/iterator/iter_resptype.h \ + $(srcdir)/validator/autotrust.h $(srcdir)/validator/val_anchor.h $(srcdir)/libunbound/context.h \ + $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/libworker.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/shm_side/shm_main.h $(srcdir)/dnstap/dtstream.h acl_list.lo acl_list.o: $(srcdir)/daemon/acl_list.c config.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h -daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ - $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h 
$(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ - $(srcdir)/daemon/remote.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ - $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h \ - $(srcdir)/util/edns.h $(srcdir)/services/listen_dnsport.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/respip/respip.h \ - $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h + $(srcdir)/util/log.h $(srcdir)/util/regional.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/module.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/sldns/str2wire.h +daemon.lo daemon.o: $(srcdir)/daemon/daemon.c config.h \ + $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ + $(srcdir)/daemon/worker.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/netevent.h 
$(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/tcp_conn_limit.h $(srcdir)/util/edns.h \ + $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ + $(srcdir)/services/localzone.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/respip/respip.h $(srcdir)/util/random.h $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h $(srcdir)/cachedb/cachedb.h stats.lo stats.o: $(srcdir)/daemon/stats.c config.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ $(srcdir)/daemon/daemon.h $(srcdir)/services/modstack.h 
$(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/outside_network.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/tube.h \ - $(srcdir)/util/net_help.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ - $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ - $(srcdir)/validator/val_kcache.h $(srcdir)/validator/val_neg.h + $(srcdir)/services/outside_network.h $(srcdir)/util/regional.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/tube.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/validator/validator.h \ + $(srcdir)/validator/val_utils.h $(srcdir)/validator/val_nsec3.h $(srcdir)/iterator/iterator.h \ + $(srcdir)/services/outbound_list.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ + $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/validator/val_kcache.h \ + $(srcdir)/validator/val_neg.h $(srcdir)/edns-subnet/subnetmod.h $(srcdir)/util/data/dname.h \ + $(srcdir)/edns-subnet/addrtree.h $(srcdir)/edns-subnet/edns-subnet.h \ + replay.lo replay.o: $(srcdir)/testcode/replay.c config.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/config_file.h $(srcdir)/testcode/replay.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/util/timeval_func.h \ - $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/replay.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + 
$(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h \ + $(srcdir)/testcode/testpkts.h $(srcdir)/util/rbtree.h $(srcdir)/testcode/fake_event.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/util/timeval_func.h fake_event.lo fake_event.o: $(srcdir)/testcode/fake_event.c config.h $(srcdir)/testcode/fake_event.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/locks.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/listen_dnsport.h $(srcdir)/services/outside_network.h $(srcdir)/util/timeval_func.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/util/edns.h $(srcdir)/util/storage/dnstree.h $(srcdir)/util/rbtree.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ + $(srcdir)/services/view.h \ + $(srcdir)/services/outside_network.h $(srcdir)/util/alloc.h $(srcdir)/util/regional.h \ $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/testcode/replay.h $(srcdir)/testcode/testpkts.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/module.h \ $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h 
$(srcdir)/respip/respip.h \ - $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h $(srcdir)/util/storage/slabhash.h $(srcdir)/daemon/daemon.h + $(srcdir)/services/localzone.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/daemon/remote.h \ + $(srcdir)/daemon/daemon.h $(srcdir)/util/timeval_func.h lock_verify.lo lock_verify.o: $(srcdir)/testcode/lock_verify.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h 
pktview.lo pktview.o: $(srcdir)/testcode/pktview.c config.h $(srcdir)/util/log.h $(srcdir)/util/data/dname.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/testcode/unitmain.h $(srcdir)/testcode/readhex.h $(srcdir)/sldns/sbuffer.h \ 
@@ -1466,133 +1676,156 @@ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/parseutil.h memstats.lo memstats.o: $(srcdir)/testcode/memstats.c config.h $(srcdir)/util/log.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/locks.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h unbound-checkconf.lo unbound-checkconf.o: $(srcdir)/smallapp/unbound-checkconf.c config.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/net_help.h $(srcdir)/util/regional.h \ - 
$(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \ - $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h $(srcdir)/util/storage/dnstree.h \ - $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h $(srcdir)/services/localzone.h \ - $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + $(srcdir)/util/regional.h $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h \ + $(srcdir)/iterator/iter_fwd.h $(srcdir)/util/rbtree.h $(srcdir)/iterator/iter_hints.h \ + $(srcdir)/util/storage/dnstree.h $(srcdir)/validator/validator.h $(srcdir)/validator/val_utils.h \ + $(srcdir)/validator/val_nsec3.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/services/listen_dnsport.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h \ + $(srcdir)/sldns/str2wire.h $(PYTHONMOD_HEADER) $(srcdir)/edns-subnet/subnet-whitelist.h worker_cb.lo worker_cb.o: $(srcdir)/smallapp/worker_cb.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h 
$(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h \ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/tube.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/respip/respip.h $(srcdir)/dnstap/dtstream.h context.lo context.o: $(srcdir)/libunbound/context.c config.h $(srcdir)/libunbound/context.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/net_help.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/util/storage/lruhash.h 
$(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/config_file.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/rrset.h \ $(srcdir)/util/storage/slabhash.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/util/edns.h \ - $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h + $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/daemon/acl_list.h \ + $(srcdir)/util/edns.h $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h libunbound.lo libunbound.o: $(srcdir)/libunbound/libunbound.c $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/unbound-event.h config.h $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h \ $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/regional.h \ - $(srcdir)/util/random.h $(srcdir)/util/net_help.h $(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \ + $(srcdir)/util/net_help.h 
$(srcdir)/util/tube.h $(srcdir)/util/ub_event.h $(srcdir)/util/edns.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/services/localzone.h $(srcdir)/services/view.h \ $(srcdir)/sldns/sbuffer.h $(srcdir)/services/cache/infra.h $(srcdir)/util/rtt.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/services/cache/rrset.h \ - $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ - $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/services/authzone.h \ + $(srcdir)/services/mesh.h $(srcdir)/services/rpz.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h $(srcdir)/daemon/acl_list.h \ $(srcdir)/iterator/iter_fwd.h $(srcdir)/iterator/iter_hints.h -libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h $(srcdir)/libunbound/libworker.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/libunbound/worker.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ - $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ - $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/util/config_file.h \ - $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/cache/rrset.h 
$(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h \ - $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h $(srcdir)/util/regional.h $(srcdir)/util/random.h \ - $(srcdir)/util/storage/lookup3.h $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h +libworker.lo libworker.o: $(srcdir)/libunbound/libworker.c config.h \ + $(srcdir)/libunbound/libworker.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/libunbound/context.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ + $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound.h $(srcdir)/libunbound/unbound-event.h \ + $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/outside_network.h \ + $(srcdir)/util/regional.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/data/msgparse.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h \ + $(srcdir)/services/view.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/respip/respip.h $(srcdir)/services/cache/rrset.h \ + $(srcdir)/util/storage/slabhash.h $(srcdir)/services/outbound_list.h $(srcdir)/util/fptr_wlist.h \ + $(srcdir)/util/tube.h $(srcdir)/util/random.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/storage/lookup3.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/data/dname.h $(srcdir)/util/data/msgencode.h $(srcdir)/sldns/str2wire.h \ + $(srcdir)/dnstap/dtstream.h unbound-host.lo unbound-host.o: $(srcdir)/smallapp/unbound-host.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \ + 
asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/libunbound/context.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/util/rbtree.h \ $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h + $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h \ + streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \ - $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/util/proxy_protocol.h \ + $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h $(srcdir)/util/storage/lruhash.h \ + $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \ $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h \ + perf.lo perf.o: $(srcdir)/testcode/perf.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ - $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h + $(srcdir)/util/random.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/sbuffer.h 
$(srcdir)/sldns/wire2str.h \ + $(srcdir)/sldns/str2wire.h delayer.lo delayer.o: $(srcdir)/testcode/delayer.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/sldns/sbuffer.h -unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h $(srcdir)/util/log.h \ - $(srcdir)/util/config_file.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h $(srcdir)/util/shm_side/shm_main.h \ - $(srcdir)/libunbound/unbound.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \ + $(srcdir)/util/random.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/sbuffer.h +unbound-control.lo unbound-control.o: $(srcdir)/smallapp/unbound-control.c config.h \ + $(srcdir)/util/log.h $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/locks.h $(srcdir)/util/net_help.h \ + $(srcdir)/util/random.h $(srcdir)/util/shm_side/shm_main.h $(srcdir)/libunbound/unbound.h \ + $(srcdir)/util/timeval_func.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/sldns/wire2str.h \ $(srcdir)/sldns/pkthdr.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h $(srcdir)/util/rbtree.h \ $(srcdir)/util/storage/dnstree.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h \ - $(srcdir)/services/listen_dnsport.h + $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h $(srcdir)/services/authzone.h $(srcdir)/services/mesh.h \ + $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/services/modstack.h $(srcdir)/respip/respip.h $(srcdir)/services/listen_dnsport.h \ + 
$(srcdir)/daemon/acl_list.h \ + unbound-anchor.lo unbound-anchor.o: $(srcdir)/smallapp/unbound-anchor.c config.h $(srcdir)/libunbound/unbound.h \ - $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h -petal.lo petal.o: $(srcdir)/testcode/petal.c config.h + $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ + +petal.lo petal.o: $(srcdir)/testcode/petal.c config.h \ + unbound-dnstap-socket.lo unbound-dnstap-socket.o: $(srcdir)/dnstap/unbound-dnstap-socket.c config.h \ $(srcdir)/dnstap/dtstream.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/dnstap/dnstap_fstrm.h \ - $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/services/listen_dnsport.h \ + $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/listen_dnsport.h \ $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/config_file.h \ - $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h \ - $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h $(srcdir)/util/data/msgreply.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/daemon/stats.h \ - $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/rbtree.h $(srcdir)/daemon/acl_list.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/pkthdr.h dnstap/dnstap.pb-c.h \ + $(srcdir)/util/config_file.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/packed_rrset.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/alloc.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \ + $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ 
$(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ - $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ - $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/services/mesh.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \ $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h $(srcdir)/libunbound/context.h \ $(srcdir)/libunbound/unbound-event.h pythonmod_utils.lo pythonmod_utils.o: $(srcdir)/pythonmod/pythonmod_utils.c config.h \ $(srcdir)/pythonmod/pythonmod_utils.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \ - $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/netevent.h \ - $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/util/net_help.h \ - $(srcdir)/services/cache/dns.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h \ - $(srcdir)/util/regional.h $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h + $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/netevent.h \ + $(srcdir)/dnscrypt/dnscrypt.h $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/services/cache/dns.h \ + $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/util/regional.h \ + $(srcdir)/iterator/iter_delegpt.h $(srcdir)/sldns/sbuffer.h \ + win_svc.lo win_svc.o: $(srcdir)/winrc/win_svc.c config.h $(srcdir)/winrc/win_svc.h $(srcdir)/winrc/w_inst.h \ $(srcdir)/daemon/daemon.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/alloc.h $(srcdir)/services/modstack.h \ $(srcdir)/daemon/worker.h \ $(srcdir)/libunbound/worker.h $(srcdir)/sldns/sbuffer.h $(srcdir)/util/data/packed_rrset.h \ $(srcdir)/util/storage/lruhash.h 
$(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ - $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/dnscrypt/cert.h \ + $(srcdir)/util/data/msgreply.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h \ $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h \ - $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h \ - $(srcdir)/util/net_help.h + $(srcdir)/dnstap/dnstap.h $(srcdir)/daemon/remote.h \ + $(srcdir)/util/config_file.h $(srcdir)/util/ub_event.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h w_inst.lo w_inst.o: $(srcdir)/winrc/w_inst.c config.h $(srcdir)/winrc/w_inst.h $(srcdir)/winrc/win_svc.h unbound-service-install.lo unbound-service-install.o: $(srcdir)/winrc/unbound-service-install.c config.h \ $(srcdir)/winrc/w_inst.h 
@@ -1600,12 +1833,14 @@ $(srcdir)/winrc/w_inst.h anchor-update.lo anchor-update.o: $(srcdir)/winrc/anchor-update.c config.h $(srcdir)/libunbound/unbound.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/wire2str.h -keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h $(srcdir)/sldns/rrdef.h +keyraw.lo keyraw.o: $(srcdir)/sldns/keyraw.c config.h $(srcdir)/sldns/keyraw.h \ + $(srcdir)/sldns/rrdef.h \ + sbuffer.lo sbuffer.o: $(srcdir)/sldns/sbuffer.c config.h $(srcdir)/sldns/sbuffer.h wire2str.lo wire2str.o: $(srcdir)/sldns/wire2str.c config.h $(srcdir)/sldns/wire2str.h $(srcdir)/sldns/str2wire.h \ $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/parseutil.h $(srcdir)/sldns/sbuffer.h \ - $(srcdir)/sldns/keyraw.h $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \ - $(srcdir)/util/log.h + $(srcdir)/sldns/keyraw.h \ + $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/log.h parse.lo parse.o: $(srcdir)/sldns/parse.c config.h $(srcdir)/sldns/parse.h $(srcdir)/sldns/parseutil.h \ $(srcdir)/sldns/sbuffer.h parseutil.lo parseutil.o: $(srcdir)/sldns/parseutil.c config.h $(srcdir)/sldns/parseutil.h 
@@ -1616,8 +1851,23 @@ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/parseutil.h \ $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/storage/lruhash.h \ $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \ - $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h -readzone.lo readzone.o: $(srcdir)/testcode/readzone.c + $(srcdir)/sldns/pkthdr.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h \ + +doqclient.lo doqclient.o: $(srcdir)/testcode/doqclient.c config.h \ + $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/net_help.h $(srcdir)/util/random.h $(srcdir)/sldns/sbuffer.h \ + $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h $(srcdir)/util/data/msgreply.h \ + $(srcdir)/util/storage/lruhash.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgencode.h \ + $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/util/data/dname.h $(srcdir)/util/ub_event.h \ + $(srcdir)/daemon/worker.h $(srcdir)/libunbound/worker.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \ + $(srcdir)/dnscrypt/cert.h $(srcdir)/util/alloc.h $(srcdir)/daemon/stats.h \ + $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/util/module.h $(srcdir)/dnstap/dnstap.h \ + $(srcdir)/daemon/remote.h $(srcdir)/util/fptr_wlist.h $(srcdir)/util/tube.h \ + $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \ + $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \ + $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/respip/respip.h \ + $(srcdir)/libunbound/context.h $(srcdir)/libunbound/unbound-event.h +readzone.lo readzone.o: $(srcdir)/testcode/readzone.c config.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h \ + $(srcdir)/sldns/wire2str.h ctime_r.lo ctime_r.o: $(srcdir)/compat/ctime_r.c 
config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h fake-rfc2553.lo fake-rfc2553.o: $(srcdir)/compat/fake-rfc2553.c $(srcdir)/compat/fake-rfc2553.h config.h gmtime_r.lo gmtime_r.o: $(srcdir)/compat/gmtime_r.c config.h @@ -1632,9 +1882,11 @@ strlcpy.lo strlcpy.o: $(srcdir)/compat/strlcpy.c config.h strptime.lo strptime.o: $(srcdir)/compat/strptime.c config.h getentropy_freebsd.lo getentropy_freebsd.o: $(srcdir)/compat/getentropy_freebsd.c -getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h +getentropy_linux.lo getentropy_linux.o: $(srcdir)/compat/getentropy_linux.c config.h \ + getentropy_osx.lo getentropy_osx.o: $(srcdir)/compat/getentropy_osx.c -getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h +getentropy_solaris.lo getentropy_solaris.o: $(srcdir)/compat/getentropy_solaris.c config.h \ + getentropy_win.lo getentropy_win.o: $(srcdir)/compat/getentropy_win.c explicit_bzero.lo explicit_bzero.o: $(srcdir)/compat/explicit_bzero.c config.h arc4random.lo arc4random.o: $(srcdir)/compat/arc4random.c config.h $(srcdir)/compat/chacha_private.h diff --git a/contrib/unbound/cachedb/redis.c b/contrib/unbound/cachedb/redis.c --- a/contrib/unbound/cachedb/redis.c +++ b/contrib/unbound/cachedb/redis.c @@ -46,6 +46,8 @@ #include "cachedb/cachedb.h" #include "util/alloc.h" #include "util/config_file.h" +#include "util/locks.h" +#include "util/timeval_func.h" #include "sldns/sbuffer.h" #ifdef USE_REDIS 
@@ -75,6 +77,18 @@ /* timeout for connection setup */ struct timeval connect_timeout; struct timeval replica_connect_timeout; + /* the reconnect interval time. */ + struct timeval reconnect_interval; + struct timeval replica_reconnect_interval; + /* reconnect attempts, 0 if connected, counts up failed reconnects. */ + int reconnect_attempts; + int replica_reconnect_attempts; + /* Lock on reconnect_wait time. */ + lock_basic_type wait_lock; + lock_basic_type replica_wait_lock; + /* reconnect wait time, wait until it has passed before reconnect. */ + struct timeval reconnect_wait; + struct timeval replica_reconnect_wait; /* the redis logical database to use */ int logical_db; int replica_logical_db; @@ -82,6 +96,10 @@ int set_with_ex_available; }; +/** The limit on the number of redis connect attempts. After failure if + * the number is exceeded, the reconnects are throttled by the wait time. */ +#define REDIS_RECONNECT_ATTEMPT_LIMIT 3 + static redisReply* redis_command(struct module_env*, struct cachedb_env*, const char*, const uint8_t*, size_t, int); @@ -105,6 +123,8 @@ } free((*moddata)->replica_ctxs); } + lock_basic_destroy(&(*moddata)->wait_lock); + lock_basic_destroy(&(*moddata)->replica_wait_lock); free(*moddata); *moddata = NULL; } 
@@ -113,10 +133,39 @@ redis_connect(const char* host, int port, const char* path, const char* password, int logical_db, const struct timeval connect_timeout, - const struct timeval command_timeout) + const struct timeval command_timeout, + const struct timeval* reconnect_interval, + int* reconnect_attempts, + struct timeval* reconnect_wait, + lock_basic_type* wait_lock, + struct timeval* now_tv, + const char* infostr) { + struct timeval now_val; redisContext* ctx; + /* See if the redis server is down, and reconnect has to wait. */ + if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) { + /* Acquire lock to look at timeval, the integer has atomic + * integrity. */ + struct timeval wait_tv; + if(now_tv) { + now_val = *now_tv; + } else { + if(gettimeofday(&now_val, NULL) < 0) + log_err("redis: gettimeofday: %s", + strerror(errno)); + } + lock_basic_lock(wait_lock); + wait_tv = *reconnect_wait; + lock_basic_unlock(wait_lock); + if(timeval_smaller(&now_val, &wait_tv)) { + verbose(VERB_ALGO, "redis %sdown, reconnect wait", + infostr); + return NULL; + } + } + if(path && path[0]!=0) { ctx = redisConnectUnixWithTimeout(path, connect_timeout); } else { @@ -126,18 +175,18 @@ const char *errstr = "out of memory"; if(ctx) errstr = ctx->errstr; - log_err("failed to connect to redis server: %s", errstr); + log_err("failed to connect to redis %sserver: %s", infostr, errstr); goto fail; } if(redisSetTimeout(ctx, command_timeout) != REDIS_OK) { - log_err("failed to set redis timeout, %s", ctx->errstr); + log_err("failed to set redis %stimeout, %s", infostr, ctx->errstr); goto fail; } if(password && password[0]!=0) { redisReply* rep; rep = redisCommand(ctx, "AUTH %s", password); if(!rep || rep->type == REDIS_REPLY_ERROR) { - log_err("failed to authenticate with password"); + log_err("failed to authenticate %swith password", infostr); freeReplyObject(rep); goto fail; } 
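Review bot: In the throttle check added at the top of redis_connect (`@@ -113,10 +133,39 @@`), a failing gettimeofday() is only logged, so `now_val` is still uninitialized when it reaches `timeval_smaller(&now_val, &wait_tv)`. The wait decision is then made on indeterminate stack data. Declaring it as `struct timeval now_val = {0, 0};` makes that path deterministic. The same log-and-continue pattern is in the `fail:` hunk (`@@ -167,6 +218,25 @@`), where the value is copied into `tv` and stored in `*reconnect_wait`. redis_connect starts before this hunk and continues past it.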
@@ -147,18 +196,20 @@ redisReply* rep; rep = redisCommand(ctx, "SELECT %d", logical_db); if(!rep || rep->type == REDIS_REPLY_ERROR) { - log_err("failed to set logical database (%d)", - logical_db); + log_err("failed %sto set logical database (%d)", + infostr, logical_db); freeReplyObject(rep); goto fail; } freeReplyObject(rep); } + *reconnect_attempts = 0; if(verbosity >= VERB_OPS) { char port_str[6+1]; port_str[0] = ' '; (void)snprintf(port_str+1, sizeof(port_str)-1, "%d", port); - verbose(VERB_OPS, "Connection to Redis established (%s%s)", + verbose(VERB_OPS, "Connection to Redis %sestablished (%s%s)", + infostr, path&&path[0]!=0?path:host, path&&path[0]!=0?"":port_str); } @@ -167,6 +218,25 @@ fail: if(ctx) redisFree(ctx); + (*reconnect_attempts)++; + if(*reconnect_attempts > REDIS_RECONNECT_ATTEMPT_LIMIT) { + /* Wait for the reconnect interval before trying again. */ + struct timeval tv; + if(now_tv) { + now_val = *now_tv; + } else { + if(gettimeofday(&now_val, NULL) < 0) + log_err("redis: gettimeofday: %s", + strerror(errno)); + } + tv = now_val; + timeval_add(&tv, reconnect_interval); + lock_basic_lock(wait_lock); + *reconnect_wait = tv; + lock_basic_unlock(wait_lock); + verbose(VERB_ALGO, "redis %sreconnect wait until %d.%6.6d", + infostr, (int)tv.tv_sec, (int)tv.tv_usec); + } return NULL; } @@ -191,6 +261,13 @@ log_err("out of memory"); goto fail; } + lock_basic_init(&moddata->wait_lock); + lock_protect(&moddata->wait_lock, &moddata->reconnect_wait, + sizeof(moddata->reconnect_wait)); + lock_basic_init(&moddata->replica_wait_lock); + lock_protect(&moddata->replica_wait_lock, + &moddata->replica_reconnect_wait, + sizeof(moddata->replica_reconnect_wait)); moddata->numctxs = env->cfg->num_threads; /* note: server_host and similar string configuration options are * shallow references to configured strings; we don't have to free them 
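Review bot: `*reconnect_attempts = 0;` (`@@ -147,18 +196,20 @@`) and `(*reconnect_attempts)++` in the `fail:` hunk (`@@ -167,6 +218,25 @@`) update the counter outside `wait_lock`, while the call sites pass the same `&moddata->reconnect_attempts` / `&d->reconnect_attempts` from per-thread connect paths, so the counter appears to be shared between worker threads. The comment in the throttle check says the integer has atomic integrity, which can hold for a single load or store but not for an increment: concurrent failures can lose updates and delay the point where throttling starts. Either take `wait_lock` around the increment and the reset, or add a comment such as `/* racy on purpose: a lost increment only delays throttling */` so the tolerance is explicit. Separately, `(int)tv.tv_sec` in the new verbose() line truncates where time_t is 64-bit; `%lld` with `(long long)tv.tv_sec` avoids that.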
@@ -219,6 +296,8 @@ set_timeout(&moddata->replica_connect_timeout, env->cfg->redis_replica_timeout, env->cfg->redis_replica_connect_timeout); + set_timeout(&moddata->reconnect_interval, 1000, 0); + set_timeout(&moddata->replica_reconnect_interval, 1000, 0); moddata->logical_db = env->cfg->redis_logical_db; moddata->replica_logical_db = env->cfg->redis_replica_logical_db; @@ -245,7 +324,13 @@ moddata->server_password, moddata->logical_db, moddata->connect_timeout, - moddata->command_timeout); + moddata->command_timeout, + &moddata->reconnect_interval, + &moddata->reconnect_attempts, + &moddata->reconnect_wait, + &moddata->wait_lock, + env->now_tv, + ""); if(!ctx) { log_err("redis_init: failed to init redis " "(for thread %d)", i); @@ -263,7 +348,13 @@ moddata->replica_server_password, moddata->replica_logical_db, moddata->replica_connect_timeout, - moddata->replica_command_timeout); + moddata->replica_command_timeout, + &moddata->replica_reconnect_interval, + &moddata->replica_reconnect_attempts, + &moddata->replica_reconnect_wait, + &moddata->replica_wait_lock, + env->now_tv, + "replica "); if(!ctx) { log_err("redis_init: failed to init redis " "replica (for thread %d)", i); @@ -301,7 +392,7 @@ set_with_ex_fail: log_err("redis_init: failure during redis_init, the " "redis-expire-records option requires the SET with EX command " - "(redis >= 2.6.2)"); + "(redis >= 2.6.12)"); return 1; fail: moddata_clean(&moddata); @@ -364,7 +455,13 @@ d->replica_server_password, d->replica_logical_db, d->replica_connect_timeout, - d->replica_command_timeout); + d->replica_command_timeout, + &d->replica_reconnect_interval, + &d->replica_reconnect_attempts, + &d->replica_reconnect_wait, + &d->replica_wait_lock, + env->now_tv, + "replica "); } else { ctx = redis_connect( d->server_host, 
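Review bot: The reconnect interval is written as the bare literal `1000` in both new `set_timeout()` calls (`@@ -219,6 +296,8 @@`), with no unit and no link to `REDIS_RECONNECT_ATTEMPT_LIMIT`, although the two values together define the throttle. A named constant next to that define, for example `#define REDIS_RECONNECT_INTERVAL 1000 /* msec, presumably; confirm against set_timeout() */`, keeps both knobs in one place and documents the unit. The enclosing redis_init body starts and ends outside this hunk.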
@@ -373,7 +470,13 @@ d->server_password, d->logical_db, d->connect_timeout, - d->command_timeout); + d->command_timeout, + &d->reconnect_interval, + &d->reconnect_attempts, + &d->reconnect_wait, + &d->wait_lock, + env->now_tv, + ""); } ctx_selector[env->alloc->thread_num] = ctx; } @@ -405,7 +508,14 @@ char* key, struct sldns_buffer* result_buffer) { redisReply* rep; - char cmdbuf[4+(CACHEDB_HASHSIZE/8)*2+1]; /* "GET " + key */ + /* Supported commands: + * - "GET " + key + */ +#define REDIS_LOOKUP_MAX_BUF_LEN \ + 4 /* "GET " */ \ + +(CACHEDB_HASHSIZE/8)*2 /* key hash */ \ + + 1 /* \0 */ + char cmdbuf[REDIS_LOOKUP_MAX_BUF_LEN]; int n; int ret = 0; @@ -465,7 +575,13 @@ * older redis 2.0.0 was "SETEX " + key + " " + ttl + " %b" * - "EXPIRE " + key + " 0" */ - char cmdbuf[6+(CACHEDB_HASHSIZE/8)*2+11+3+1]; +#define REDIS_STORE_MAX_BUF_LEN \ + 7 /* "EXPIRE " */ \ + +(CACHEDB_HASHSIZE/8)*2 /* key hash */ \ + + 7 /* " %b EX " */ \ + + 20 /* ttl (uint64_t) */ \ + + 1 /* \0 */ + char cmdbuf[REDIS_STORE_MAX_BUF_LEN]; if (!set_ttl) { verbose(VERB_ALGO, "redis_store %s (%d bytes)", key, (int)data_len); diff --git a/contrib/unbound/compat/fake-rfc2553.c b/contrib/unbound/compat/fake-rfc2553.c --- a/contrib/unbound/compat/fake-rfc2553.c +++ b/contrib/unbound/compat/fake-rfc2553.c @@ -57,7 +57,7 @@ } if (host != NULL) { - if (flags & NI_NUMERICHOST) { + if ((flags & NI_NUMERICHOST)) { if (strlcpy(host, inet_ntoa(sin->sin_addr), hostlen) >= hostlen) return (EAI_MEMORY); @@ -168,7 +168,7 @@ port = 0; } - if (hints && hints->ai_flags & AI_PASSIVE) { + if (hints && (hints->ai_flags & AI_PASSIVE)) { addr = htonl(0x00000000); if (hostname && inet_aton(hostname, &in) != 0) addr = in.s_addr; @@ -193,7 +193,7 @@ } /* Don't try DNS if AI_NUMERICHOST is set */ - if (hints && hints->ai_flags & AI_NUMERICHOST) + if (hints && (hints->ai_flags & AI_NUMERICHOST)) return (EAI_NONAME); hp = gethostbyname(hostname); diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in 
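Review bot: `REDIS_LOOKUP_MAX_BUF_LEN` in the lookup hunk and `REDIS_STORE_MAX_BUF_LEN` in the store hunk expand to unparenthesised sums, so using them inside a larger expression (a multiplication, or a subtraction when bounding a write) would bind incorrectly. Wrapping the bodies, as in `#define REDIS_LOOKUP_MAX_BUF_LEN (4 + (CACHEDB_HASHSIZE/8)*2 + 1)` with the per-term comments kept, removes that hazard. Both macros are defined inside a function body and stay defined for the rest of the file, so moving them to file scope or adding an `#undef` after the function would match their intended scope. The formatting calls that fill `cmdbuf` are outside these hunks, so this does not confirm that the `snprintf` results are checked against the new sizes.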
--- a/contrib/unbound/config.h.in +++ b/contrib/unbound/config.h.in @@ -173,7 +173,11 @@ 0 if you don't. */ #undef HAVE_DECL_SSL_CTX_SET_ECDH_AUTO -/* Define to 1 if you have the declaration of 'strlcat', and to 0 if you +/* Define to 1 if you have the declaration of `SSL_CTX_set_tmp_ecdh', and to 0 + if you don't. */ +#undef HAVE_DECL_SSL_CTX_SET_TMP_ECDH + +/* Define to 1 if you have the declaration of `strlcat', and to 0 if you don't. */ #undef HAVE_DECL_STRLCAT @@ -477,13 +481,19 @@ 'ngtcp2_crypto_quictls_from_ossl_encryption_level' function. */ #undef HAVE_NGTCP2_CRYPTO_QUICTLS_FROM_OSSL_ENCRYPTION_LEVEL -/* Define to 1 if the system has the type 'ngtcp2_encryption_level'. */ +/* Define to 1 if you have the `ngtcp2_crypto_quictls_init' function. */ +#undef HAVE_NGTCP2_CRYPTO_QUICTLS_INIT + +/* Define to 1 if the system has the type `ngtcp2_encryption_level'. */ #undef HAVE_NGTCP2_ENCRYPTION_LEVEL /* Define to 1 if you have the header file. */ #undef HAVE_NGTCP2_NGTCP2_CRYPTO_OPENSSL_H +/* Define to 1 if you have the header file. */ +#undef HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H + /* Define to 1 if you have the header file. */ #undef HAVE_NGTCP2_NGTCP2_CRYPTO_QUICTLS_H @@ -645,10 +655,7 @@ function. */ #undef HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_EVP_CB -/* Define to 1 if you have the 'SSL_CTX_set_tmp_ecdh' function. */ -#undef HAVE_SSL_CTX_SET_TMP_ECDH - -/* Define to 1 if you have the 'SSL_get0_alpn_selected' function. */ +/* Define to 1 if you have the `SSL_get0_alpn_selected' function. */ #undef HAVE_SSL_GET0_ALPN_SELECTED /* Define to 1 if you have the 'SSL_get0_peername' function. */ @@ -1023,6 +1030,9 @@ /* Define this to enable client TCP Fast Open. */ #undef USE_MSG_FASTOPEN +/* Define this to use ngtcp2_crypto_ossl. */ +#undef USE_NGTCP2_CRYPTO_OSSL + /* Define this to enable client TCP Fast Open. */ #undef USE_OSX_MSG_FASTOPEN diff --git a/contrib/unbound/configure b/contrib/unbound/configure --- a/contrib/unbound/configure +++ b/contrib/unbound/configure 
@@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.72 for unbound 1.23.1. +# Generated by GNU Autoconf 2.71 for unbound 1.24.0. # # Report bugs to . # @@ -615,8 +615,8 @@ # Identity of this package. PACKAGE_NAME='unbound' PACKAGE_TARNAME='unbound' -PACKAGE_VERSION='1.23.1' -PACKAGE_STRING='unbound 1.23.1' +PACKAGE_VERSION='1.24.0' +PACKAGE_STRING='unbound 1.24.0' PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues' PACKAGE_URL='' @@ -679,7 +679,9 @@ ENABLE_DNSTAP PROTOBUFC_LIBS PROTOBUFC_CFLAGS +PROTOC_GEN_C PROTOC_C +PROTOC UBSYMS EXTRALINK COMMON_OBJ_ALL_SYMBOLS @@ -1506,7 +1508,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -'configure' configures unbound 1.23.1 to adapt to many kinds of systems. +\`configure' configures unbound 1.24.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1572,7 +1574,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of unbound 1.23.1:";; + short | recursive ) echo "Configuration of unbound 1.24.0:";; esac cat <<\_ACEOF @@ -1826,8 +1828,8 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -unbound configure 1.23.1 -generated by GNU Autoconf 2.72 +unbound configure 1.24.0 +generated by GNU Autoconf 2.71 Copyright (C) 2023 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation 
@@ -2504,8 +2506,8 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by unbound $as_me 1.23.1, which was -generated by GNU Autoconf 2.72. Invocation command line was +It was created by unbound $as_me 1.24.0, which was +generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -3284,13 +3286,13 @@ UNBOUND_VERSION_MAJOR=1 -UNBOUND_VERSION_MINOR=23 +UNBOUND_VERSION_MINOR=24 UNBOUND_VERSION_MICRO=1 LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=32 +LIBUNBOUND_REVISION=33 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -3390,6 +3392,7 @@ # 1.22.0 had 9:30:1 # 1.23.0 had 9:31:1 # 1.23.1 had 9:32:1 +# 1.24.0 had 9:33:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary @@ -21362,12 +21365,6 @@ printf "%s\n" "#define HAVE_BIO_SET_CALLBACK_EX 1" >>confdefs.h fi -ac_fn_c_check_func "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_func_SSL_CTX_set_tmp_ecdh" -if test "x$ac_cv_func_SSL_CTX_set_tmp_ecdh" = xyes -then : - printf "%s\n" "#define HAVE_SSL_CTX_SET_TMP_ECDH 1" >>confdefs.h - -fi # these check_funcs need -lssl @@ -21529,6 +21526,34 @@ esac fi printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_ECDH_AUTO $ac_have_decl" >>confdefs.h +ac_fn_check_decl "$LINENO" "SSL_CTX_set_tmp_ecdh" "ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" " +$ac_includes_default +#ifdef HAVE_OPENSSL_ERR_H +#include +#endif + +#ifdef HAVE_OPENSSL_RAND_H +#include +#endif + +#ifdef HAVE_OPENSSL_CONF_H +#include +#endif + +#ifdef HAVE_OPENSSL_ENGINE_H +#include +#endif +#include +#include + +" "$ac_c_undeclared_builtin_options" "CFLAGS" +if test "x$ac_cv_have_decl_SSL_CTX_set_tmp_ecdh" = xyes +then : + ac_have_decl=1 +else $as_nop + ac_have_decl=0 +fi +printf "%s\n" "#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl" >>confdefs.h if test "$ac_cv_func_HMAC_Init_ex" = "yes"; then 
@@ -22895,6 +22920,13 @@ then : printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_H 1" >>confdefs.h +fi +ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_ossl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" "$ac_includes_default +" +if test "x$ac_cv_header_ngtcp2_ngtcp2_crypto_ossl_h" = xyes +then : + printf "%s\n" "#define HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H 1" >>confdefs.h + fi ac_fn_c_check_header_compile "$LINENO" "ngtcp2/ngtcp2_crypto_openssl.h" "ac_cv_header_ngtcp2_ngtcp2_crypto_openssl_h" "$ac_includes_default " 
@@ -22937,7 +22969,52 @@ fi printf "%s\n" "#define HAVE_DECL_NGTCP2_CRYPTO_ENCRYPT_CB $ac_have_decl" >>confdefs.h - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl" >&5 +printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_ossl... " >&6; } +if test ${ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb+y} +then : + printf %s "(cached) " >&6 +else $as_nop + ac_check_lib_save_LIBS=$LIBS +LIBS="-lngtcp2_crypto_ossl $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +char ngtcp2_crypto_encrypt_cb (); +int +main (void) +{ +return ngtcp2_crypto_encrypt_cb (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO" +then : + ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=yes +else $as_nop + ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.beam \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&5 +printf "%s\n" "$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" >&6; } +if test "x$ac_cv_lib_ngtcp2_crypto_ossl_ngtcp2_crypto_encrypt_cb" = xyes +then : + + LIBS="$LIBS -lngtcp2_crypto_ossl" + +printf "%s\n" "#define USE_NGTCP2_CRYPTO_OSSL 1" >>confdefs.h + + +else $as_nop + + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl" >&5 printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_openssl... " >&6; } if test ${ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb+y} then : 
@@ -22983,9 +23060,9 @@ if test "x$ac_cv_lib_ngtcp2_crypto_openssl_ngtcp2_crypto_encrypt_cb" = xyes then : LIBS="$LIBS -lngtcp2_crypto_openssl" -fi +else $as_nop - { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5 + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls" >&5 printf %s "checking for ngtcp2_crypto_encrypt_cb in -lngtcp2_crypto_quictls... " >&6; } if test ${ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb+y} then : @@ -23031,6 +23108,12 @@ if test "x$ac_cv_lib_ngtcp2_crypto_quictls_ngtcp2_crypto_encrypt_cb" = xyes then : LIBS="$LIBS -lngtcp2_crypto_quictls" +fi + + +fi + + fi ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_encrypt_cb" "ac_cv_func_ngtcp2_crypto_encrypt_cb" @@ -23080,6 +23163,12 @@ then : printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_CONFIGURE_CLIENT_CONTEXT 1" >>confdefs.h +fi +ac_fn_c_check_func "$LINENO" "ngtcp2_crypto_quictls_init" "ac_cv_func_ngtcp2_crypto_quictls_init" +if test "x$ac_cv_func_ngtcp2_crypto_quictls_init" = xyes +then : + printf "%s\n" "#define HAVE_NGTCP2_CRYPTO_QUICTLS_INIT 1" >>confdefs.h + fi ac_fn_c_check_func "$LINENO" "ngtcp2_conn_get_num_scid" "ac_cv_func_ngtcp2_conn_get_num_scid" if test "x$ac_cv_func_ngtcp2_conn_get_num_scid" = xyes @@ -23101,6 +23190,10 @@ fi + # these check_funcs need -lssl + BAKLIBS="$LIBS" + LIBS="-lssl $LIBS" + for ac_func in SSL_is_quic do : ac_fn_c_check_func "$LINENO" "SSL_is_quic" "ac_cv_func_SSL_is_quic" @@ -23114,6 +23207,8 @@ fi done + LIBS="$BAKLIBS" + ac_fn_c_check_type "$LINENO" "struct ngtcp2_version_cid" "ac_cv_type_struct_ngtcp2_version_cid" "$ac_includes_default #include 
@@ -24958,7 +25053,55 @@ if test "x$opt_dnstap" != "xno"; then - # Extract the first word of "protoc-c", so it can be a program name with args. + # Extract the first word of "protoc", so it can be a program name with args. +set dummy protoc; ac_word=$2 +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +printf %s "checking for $ac_word... " >&6; } +if test ${ac_cv_path_PROTOC+y} +then : + printf %s "(cached) " >&6 +else $as_nop + case $PROTOC in + [\\/]* | ?:[\\/]*) + ac_cv_path_PROTOC="$PROTOC" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + case $as_dir in #((( + '') as_dir=./ ;; + */) ;; + *) as_dir=$as_dir/ ;; + esac + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then + ac_cv_path_PROTOC="$as_dir$ac_word$ac_exec_ext" + printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PROTOC=$ac_cv_path_PROTOC +if test -n "$PROTOC"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC" >&5 +printf "%s\n" "$PROTOC" >&6; } +else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } +fi + + + # 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be + # found, try 'protoc-c'. + if test -z "$PROTOC"; then + # Extract the first word of "protoc-c", so it can be a program name with args. set dummy protoc-c; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } 
@@ -25004,9 +25147,83 @@ fi - if test -z "$PROTOC_C"; then - as_fn_error $? "The protoc-c program was not found. Please install protobuf-c!" "$LINENO" 5 - fi + else + PROTOC_C="$PROTOC" + fi + if test -z "$PROTOC_C"; then + as_fn_error $? "The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c" "$LINENO" 5 + fi + + # Check for protoc-gen-c plugin + # Extract the first word of "protoc-gen-c", so it can be a program name with args. +set dummy protoc-gen-c; ac_word=$2 +{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +printf %s "checking for $ac_word... " >&6; } +if test ${ac_cv_path_PROTOC_GEN_C+y} +then : + printf %s "(cached) " >&6 +else $as_nop + case $PROTOC_GEN_C in + [\\/]* | ?:[\\/]*) + ac_cv_path_PROTOC_GEN_C="$PROTOC_GEN_C" # Let the user override the test with a path. + ;; + *) + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + case $as_dir in #((( + '') as_dir=./ ;; + */) ;; + *) as_dir=$as_dir/ ;; + esac + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then + ac_cv_path_PROTOC_GEN_C="$as_dir$ac_word$ac_exec_ext" + printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + + ;; +esac +fi +PROTOC_GEN_C=$ac_cv_path_PROTOC_GEN_C +if test -n "$PROTOC_GEN_C"; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $PROTOC_GEN_C" >&5 +printf "%s\n" "$PROTOC_GEN_C" >&6; } +else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } +fi + + + if test -z "$PROTOC_GEN_C"; then + as_fn_error $? "The protoc-gen-c plugin was not found. 
It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c" "$LINENO" 5 + fi + + # Test that protoc-gen-c actually works + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if protoc-gen-c plugin works" >&5 +printf %s "checking if protoc-gen-c plugin works... " >&6; } + cat > conftest.proto << EOF +syntax = "proto2"; +message TestMessage { + optional string test_field = 1; +} +EOF + if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +printf "%s\n" "yes" >&6; } + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + else + { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 +printf "%s\n" "no" >&6; } + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + as_fn_error $? "The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed" "$LINENO" 5 + fi + # Check whether --with-protobuf-c was given. if test ${with_protobuf_c+y} @@ -25823,7 +26040,7 @@ -version=1.23.1 +version=1.24.0 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build time" >&5 printf %s "checking for build time... " >&6; } @@ -26364,8 +26581,8 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by unbound $as_me 1.23.1, which was -generated by GNU Autoconf 2.72. Invocation command line was +This file was extended by unbound $as_me 1.24.0, which was +generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS 
@@ -26432,8 +26649,8 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -unbound config.status 1.23.1 -configured by $0, generated by GNU Autoconf 2.72, +unbound config.status 1.24.0 +configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" Copyright (C) 2023 Free Software Foundation, Inc. diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac --- a/contrib/unbound/configure.ac +++ b/contrib/unbound/configure.ac @@ -11,15 +11,15 @@ # must be numbers. ac_defun because of later processing m4_define([VERSION_MAJOR],[1]) -m4_define([VERSION_MINOR],[23]) -m4_define([VERSION_MICRO],[1]) +m4_define([VERSION_MINOR],[24]) +m4_define([VERSION_MICRO],[0]) AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound]) AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR]) AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR]) AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO]) LIBUNBOUND_CURRENT=9 -LIBUNBOUND_REVISION=32 +LIBUNBOUND_REVISION=33 LIBUNBOUND_AGE=1 # 1.0.0 had 0:12:0 # 1.0.1 had 0:13:0 @@ -119,6 +119,7 @@ # 1.22.0 had 9:30:1 # 1.23.0 had 9:31:1 # 1.23.1 had 9:32:1 +# 1.24.0 had 9:33:1 # Current -- the number of the binary API that we're implementing # Revision -- which iteration of the implementation of the binary 
@@ -996,7 +997,7 @@ AC_MSG_RESULT([no]) fi AC_CHECK_HEADERS([openssl/conf.h openssl/engine.h openssl/bn.h openssl/dh.h openssl/dsa.h openssl/rsa.h openssl/core_names.h openssl/param_build.h],,, [AC_INCLUDES_DEFAULT]) -AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex SSL_CTX_set_tmp_ecdh]) +AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_default_properties_is_fips_enabled EVP_MD_CTX_new OpenSSL_add_all_digests OPENSSL_init_crypto EVP_cleanup ENGINE_cleanup ERR_load_crypto_strings CRYPTO_cleanup_all_ex_data ERR_free_strings RAND_cleanup DSA_SIG_set0 EVP_dss1 EVP_DigestVerify EVP_aes_256_cbc EVP_EncryptInit_ex HMAC_Init_ex CRYPTO_THREADID_set_callback EVP_MAC_CTX_set_params OSSL_PARAM_BLD_new BIO_set_callback_ex]) # these check_funcs need -lssl BAKLIBS="$LIBS" @@ -1004,7 +1005,7 @@ AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername X509_VERIFY_PARAM_set1_host SSL_CTX_set_ciphersuites SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_alpn_select_cb SSL_get0_alpn_selected SSL_CTX_set_alpn_protos SSL_get1_peer_certificate]) LIBS="$BAKLIBS" -AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ +AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set_tmp_ecdh], [], [], [ AC_INCLUDES_DEFAULT #ifdef HAVE_OPENSSL_ERR_H #include 
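Review bot: Moving `SSL_CTX_set_tmp_ecdh` from `AC_CHECK_FUNCS` to `AC_CHECK_DECLS` changes how the result must be tested: `HAVE_DECL_SSL_CTX_SET_TMP_ECDH` is always defined, to 0 or 1, as the regenerated configure's `#define HAVE_DECL_SSL_CTX_SET_TMP_ECDH $ac_have_decl` shows. Consumers therefore need `#if HAVE_DECL_SSL_CTX_SET_TMP_ECDH`, not `#ifdef`. The C code that uses the macro is not in these hunks; if any site still tests the removed `HAVE_SSL_CTX_SET_TMP_ECDH`, the ECDH curve setup would compile out silently and TLS would fall back to library defaults. A comment above the `AC_CHECK_DECLS` line, such as `# SSL_CTX_set_tmp_ecdh may be a macro; test with #if HAVE_DECL_..., not #ifdef`, would record why it moved.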
@@ -1610,17 +1611,29 @@ if test x_$found_libngtcp2 != x_yes; then AC_MSG_ERROR([Could not find libngtcp2, ngtcp2.h]) fi - AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT]) + AC_CHECK_HEADERS([ngtcp2/ngtcp2.h ngtcp2/ngtcp2_crypto_ossl.h ngtcp2/ngtcp2_crypto_openssl.h ngtcp2/ngtcp2_crypto_quictls.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_DECLS([ngtcp2_conn_server_new], [], [], [AC_INCLUDES_DEFAULT #include ]) AC_CHECK_DECLS([ngtcp2_crypto_encrypt_cb], [], [], [AC_INCLUDES_DEFAULT #include ]) - AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ]) - AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ]) - AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_conn_get_num_scid ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params]) + AC_CHECK_LIB([ngtcp2_crypto_ossl], [ngtcp2_crypto_encrypt_cb], [ + LIBS="$LIBS -lngtcp2_crypto_ossl" + AC_DEFINE(USE_NGTCP2_CRYPTO_OSSL, 1, [Define this to use ngtcp2_crypto_ossl.]) + ], [ + AC_CHECK_LIB([ngtcp2_crypto_openssl], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_openssl" ], [ + AC_CHECK_LIB([ngtcp2_crypto_quictls], [ngtcp2_crypto_encrypt_cb], [ LIBS="$LIBS -lngtcp2_crypto_quictls" ]) + ]) + ]) + AC_CHECK_FUNCS([ngtcp2_crypto_encrypt_cb ngtcp2_ccerr_default ngtcp2_conn_in_closing_period ngtcp2_conn_in_draining_period ngtcp2_conn_get_max_local_streams_uni ngtcp2_crypto_quictls_from_ossl_encryption_level ngtcp2_crypto_quictls_configure_server_context ngtcp2_crypto_quictls_configure_client_context ngtcp2_crypto_quictls_init ngtcp2_conn_get_num_scid 
ngtcp2_conn_tls_early_data_rejected ngtcp2_conn_encode_0rtt_transport_params]) + + # these check_funcs need -lssl + BAKLIBS="$LIBS" + LIBS="-lssl $LIBS" AC_CHECK_FUNCS([SSL_is_quic], [], [AC_MSG_ERROR([No QUIC support detected in OpenSSL. Need OpenSSL version with QUIC support to enable DNS over QUIC with libngtcp2.])]) + LIBS="$BAKLIBS" + AC_CHECK_TYPES([struct ngtcp2_version_cid, ngtcp2_encryption_level],,,[AC_INCLUDES_DEFAULT #include ]) diff --git a/contrib/unbound/contrib/aaaa-filter-iterator.patch b/contrib/unbound/contrib/aaaa-filter-iterator.patch --- a/contrib/unbound/contrib/aaaa-filter-iterator.patch +++ b/contrib/unbound/contrib/aaaa-filter-iterator.patch @@ -1,10 +1,10 @@ diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in -index 5a75e319..c6c6dbe2 100644 +index 172eb26c..2921c87f 100644 --- a/doc/unbound.conf.5.in +++ b/doc/unbound.conf.5.in -@@ -970,6 +970,13 @@ potentially broken nameservers. A lot of domains will not be resolvable when - this option in enabled. Only use if you know what you are doing. - This option only has effect when qname-minimisation is enabled. Default is no. +@@ -2146,6 +2146,13 @@ Default: no + .UNINDENT + .INDENT 0.0 .TP +.B aaaa\-filter: \fI +Activate behavior similar to BIND's AAAA-filter. @@ -13,14 +13,14 @@ +This also causes an additional A query to be sent for each AAAA query. +This breaks DNSSEC! +.TP - .B aggressive\-nsec: \fI - Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN - and other denials, using information from previous NXDOMAINs answers. + .B aggressive\-nsec: \fI\fP + Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN and other + denials, using information from previous NXDOMAINs answers. diff --git a/iterator/iter_scrub.c b/iterator/iter_scrub.c -index f093c1bf..e55a2246 100644 +index 49a5f5da..fbe434fa 100644 --- a/iterator/iter_scrub.c 
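Review bot: In the configure.ac ngtcp2 hunk, the innermost `AC_CHECK_LIB([ngtcp2_crypto_quictls], ...)` of the new fallback chain has no action-if-not-found, so configure carries on with no ngtcp2 crypto helper in `LIBS` when none of the ossl, openssl and quictls libraries is present. Adding a fourth argument there, `[AC_MSG_ERROR([No ngtcp2 crypto library found (ossl, openssl or quictls)])]`, would report this at configure time; as written it presumably surfaces only as a later link failure. `USE_NGTCP2_CRYPTO_OSSL` is set by the library test alone, while `HAVE_NGTCP2_NGTCP2_CRYPTO_OSSL_H` comes from a separate header test, so the C side should key its include and its API choice on the same macro. The enclosing `if` block starts outside the hunk.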
+++ b/iterator/iter_scrub.c -@@ -679,6 +679,32 @@ static int sanitize_nsec_is_overreach(sldns_buffer* pkt, +@@ -849,6 +849,32 @@ scrub_sanitize_rr_length(sldns_buffer* pkt, struct msg_parse* msg, return 0; } @@ -53,15 +53,15 @@ /** * Given a response event, remove suspect RRsets from the response. * "Suspect" rrsets are potentially poison. Note that this routine expects -@@ -698,6 +724,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, +@@ -869,6 +895,7 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, struct query_info* qinfo, uint8_t* zonename, struct module_env* env, - struct iter_env* ie) + struct iter_env* ie, struct module_qstate* qstate) { + int found_a_record = 0; /* ASN: do we have a A record? */ int del_addi = 0; /* if additional-holding rrsets are deleted, we do not trust the normalized additional-A-AAAA any more */ - struct rrset_parse* rrset, *prev; -@@ -733,6 +760,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, + uint8_t* ns_rrset_dname = NULL; +@@ -906,6 +933,13 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, rrset = rrset->rrset_all_next; } @@ -75,9 +75,9 @@ /* At this point, we brutally remove ALL rrsets that aren't * children of the originating zone. The idea here is that, * as far as we know, the server that we contacted is ONLY -@@ -744,6 +778,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, - rrset = msg->rrset_first; - while(rrset) { +@@ -925,6 +959,24 @@ scrub_sanitize(sldns_buffer* pkt, struct msg_parse* msg, + continue; + } + /* ASN: For AAAA records only... */ + if((ie->aaaa_filter) && (rrset->type == LDNS_RR_TYPE_AAAA)) { @@ -101,10 +101,10 @@ if( (rrset->type == LDNS_RR_TYPE_A || rrset->type == LDNS_RR_TYPE_AAAA)) { diff --git a/iterator/iter_utils.c b/iterator/iter_utils.c -index 2482a1f4..bd5ba243 100644 +index 1da21896..6583dd0e 100644 --- a/iterator/iter_utils.c 
+++ b/iterator/iter_utils.c -@@ -177,6 +177,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) +@@ -250,6 +250,7 @@ iter_apply_cfg(struct iter_env* iter_env, struct config_file* cfg) iter_env->outbound_msg_retry = cfg->outbound_msg_retry; iter_env->max_sent_count = cfg->max_sent_count; iter_env->max_query_restarts = cfg->max_query_restarts; @@ -113,12 +113,12 @@ } diff --git a/iterator/iterator.c b/iterator/iterator.c -index 54006940..768fe202 100644 +index 71e64655..735f4ca0 100644 --- a/iterator/iterator.c +++ b/iterator/iterator.c -@@ -2155,6 +2155,53 @@ processDSNSFind(struct module_qstate* qstate, struct iter_qstate* iq, int id) - - return 0; +@@ -2412,6 +2412,53 @@ check_waiting_queries(struct iter_qstate* iq, struct module_qstate* qstate, + qstate->ext_state[id] = module_wait_reply; + } } + +/** @@ -170,8 +170,8 @@ /** * This is the request event state where the request will be sent to one of -@@ -2216,6 +2263,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, - return error_response(qstate, id, LDNS_RCODE_SERVFAIL); +@@ -2554,6 +2601,13 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq, + } } + /* ASN: If we have a AAAA query, then also query for A records */ @@ -184,7 +184,7 @@ /* Make sure we have a delegation point, otherwise priming failed * or another failure occurred */ if(!iq->dp) { -@@ -3648,6 +3702,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -4178,6 +4232,61 @@ processFinished(struct module_qstate* qstate, struct iter_qstate* iq, return 0; } @@ -246,7 +246,7 @@ /* * Return priming query results to interested super querystates. * -@@ -3667,6 +3776,9 @@ iter_inform_super(struct module_qstate* qstate, int id, +@@ -4197,6 +4306,9 @@ iter_inform_super(struct module_qstate* qstate, int id, else if(super->qinfo.qtype == LDNS_RR_TYPE_DS && ((struct iter_qstate*) super->minfo[id])->state == DSNS_FIND_STATE) processDSNSResponse(qstate, id, super); 
@@ -256,7 +256,7 @@ else if(qstate->return_rcode != LDNS_RCODE_NOERROR) error_supers(qstate, id, super); else if(qstate->is_priming) -@@ -3704,6 +3816,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, +@@ -4234,6 +4346,9 @@ iter_handle(struct module_qstate* qstate, struct iter_qstate* iq, case INIT_REQUEST_3_STATE: cont = processInitRequest3(qstate, iq, id); break; @@ -266,7 +266,7 @@ case QUERYTARGETS_STATE: cont = processQueryTargets(qstate, iq, ie, id); break; -@@ -4040,6 +4155,8 @@ iter_state_to_string(enum iter_state state) +@@ -4578,6 +4693,8 @@ iter_state_to_string(enum iter_state state) return "INIT REQUEST STATE (stage 2)"; case INIT_REQUEST_3_STATE: return "INIT REQUEST STATE (stage 3)"; @@ -275,7 +275,7 @@ case QUERYTARGETS_STATE : return "QUERY TARGETS STATE"; case PRIME_RESP_STATE : -@@ -4064,6 +4181,7 @@ iter_state_is_responsestate(enum iter_state s) +@@ -4602,6 +4719,7 @@ iter_state_is_responsestate(enum iter_state s) case INIT_REQUEST_STATE : case INIT_REQUEST_2_STATE : case INIT_REQUEST_3_STATE : @@ -284,10 +284,10 @@ case COLLECT_CLASS_STATE : return 0; diff --git a/iterator/iterator.h b/iterator/iterator.h -index 8b840528..a61c4195 100644 +index ae4b4e45..a44f9d27 100644 --- a/iterator/iterator.h +++ b/iterator/iterator.h -@@ -133,6 +133,9 @@ struct iter_env { +@@ -157,6 +157,9 @@ struct iter_env { */ int* target_fetch_policy; @@ -297,7 +297,7 @@ /** lock on ratelimit counter */ lock_basic_type queries_ratelimit_lock; /** number of queries that have been ratelimited */ -@@ -187,6 +190,14 @@ enum iter_state { +@@ -217,6 +220,14 @@ enum iter_state { */ INIT_REQUEST_3_STATE, 
@@ -312,9 +312,9 @@ /** * Each time a delegation point changes for a given query or a * query times out and/or wakes up, this state is (re)visited. -@@ -376,6 +387,13 @@ struct iter_qstate { - */ - int refetch_glue; +@@ -434,6 +445,13 @@ struct iter_qstate { + * already so that it is accepted later. */ + int empty_nodata_found; + /** + * ASN: This is a flag that, if true, means that this query is @@ -327,10 +327,10 @@ struct outbound_list outlist; diff --git a/pythonmod/interface.i b/pythonmod/interface.i -index 1ca8686a..d91b19ec 100644 +index 2040fb9e..f073c3dc 100644 --- a/pythonmod/interface.i +++ b/pythonmod/interface.i -@@ -995,6 +995,7 @@ struct config_file { +@@ -1013,6 +1013,7 @@ struct config_file { int harden_dnssec_stripped; int harden_referral_path; int use_caps_bits_for_id; @@ -339,23 +339,23 @@ struct config_strlist* private_domain; size_t unwanted_threshold; diff --git a/util/config_file.c b/util/config_file.c -index 969d664b..8d94b008 100644 +index b1e767b3..5eb3c099 100644 --- a/util/config_file.c +++ b/util/config_file.c -@@ -231,6 +231,7 @@ config_create(void) - cfg->harden_referral_path = 0; +@@ -247,6 +247,7 @@ config_create(void) cfg->harden_algo_downgrade = 0; + cfg->harden_unknown_additional = 0; cfg->use_caps_bits_for_id = 0; + cfg->aaaa_filter = 0; /* ASN: default is disabled */ cfg->caps_whitelist = NULL; cfg->private_address = NULL; cfg->private_domain = NULL; diff --git a/util/config_file.h b/util/config_file.h -index c7c9a0a4..e3aa15b0 100644 +index 44ac036b..1e59ab07 100644 --- a/util/config_file.h +++ b/util/config_file.h -@@ -285,6 +285,8 @@ struct config_file { - int harden_algo_downgrade; +@@ -311,6 +311,8 @@ struct config_file { + int harden_unknown_additional; /** use 0x20 bits in query as random ID bits */ int use_caps_bits_for_id; + /** ASN: enable AAAA filter? */ @@ -364,10 +364,10 @@ struct config_strlist* caps_whitelist; /** strip away these private addrs from answers, no DNS Rebinding */ 
diff --git a/util/configlexer.lex b/util/configlexer.lex -index 34a0e5dd..c890be2a 100644 +index bc258673..76aab170 100644 --- a/util/configlexer.lex +++ b/util/configlexer.lex -@@ -317,6 +317,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } +@@ -327,6 +327,7 @@ use-caps-for-id{COLON} { YDVAR(1, VAR_USE_CAPS_FOR_ID) } caps-whitelist{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } caps-exempt{COLON} { YDVAR(1, VAR_CAPS_WHITELIST) } unwanted-reply-threshold{COLON} { YDVAR(1, VAR_UNWANTED_REPLY_THRESHOLD) } @@ -376,10 +376,10 @@ private-domain{COLON} { YDVAR(1, VAR_PRIVATE_DOMAIN) } prefetch-key{COLON} { YDVAR(1, VAR_PREFETCH_KEY) } diff --git a/util/configparser.y b/util/configparser.y -index d4f965f9..8cc237c6 100644 +index 82e1d878..dc19bed5 100644 --- a/util/configparser.y +++ b/util/configparser.y -@@ -97,6 +97,7 @@ extern struct config_parser_state* cfg_parser; +@@ -100,6 +100,7 @@ extern struct config_parser_state* cfg_parser; %token VAR_STATISTICS_CUMULATIVE VAR_OUTGOING_PORT_PERMIT %token VAR_OUTGOING_PORT_AVOID VAR_DLV_ANCHOR_FILE VAR_DLV_ANCHOR %token VAR_NEG_CACHE_SIZE VAR_HARDEN_REFERRAL_PATH VAR_PRIVATE_ADDRESS @@ -387,7 +387,7 @@ %token VAR_PRIVATE_DOMAIN VAR_REMOTE_CONTROL VAR_CONTROL_ENABLE %token VAR_CONTROL_INTERFACE VAR_CONTROL_PORT VAR_SERVER_KEY_FILE %token VAR_SERVER_CERT_FILE VAR_CONTROL_KEY_FILE VAR_CONTROL_CERT_FILE -@@ -247,6 +248,7 @@ content_server: server_num_threads | server_verbosity | server_port | +@@ -276,6 +277,7 @@ content_server: server_num_threads | server_verbosity | server_port | server_dlv_anchor_file | server_dlv_anchor | server_neg_cache_size | server_harden_referral_path | server_private_address | server_private_domain | server_extended_statistics | 
@@ -395,7 +395,7 @@ server_local_data_ptr | server_jostle_timeout | server_unwanted_reply_threshold | server_log_time_ascii | server_domain_insecure | server_val_sig_skew_min | -@@ -1754,6 +1756,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG +@@ -1932,6 +1934,15 @@ server_caps_whitelist: VAR_CAPS_WHITELIST STRING_ARG yyerror("out of memory"); } ; diff --git a/contrib/unbound/contrib/unbound.service.in b/contrib/unbound/contrib/unbound.service.in --- a/contrib/unbound/contrib/unbound.service.in +++ b/contrib/unbound/contrib/unbound.service.in @@ -38,11 +38,17 @@ ; - `LockPersonality=yes` locks down the personality system call so that the ; kernel execution domain may not be changed from the default. ; +; - With /etc/systemd/network/*.network a setting to make sure the network +; is not considered online too early, can reduce network unreachable +; errors on server start: +; [Link] +; RequiredForOnline=routable ; [Unit] Description=Validating, recursive, and caching DNS resolver Documentation=man:unbound(8) After=network-online.target +Wants=network-online.target Before=nss-lookup.target [Install] diff --git a/contrib/unbound/daemon/cachedump.c b/contrib/unbound/daemon/cachedump.c --- a/contrib/unbound/daemon/cachedump.c +++ b/contrib/unbound/daemon/cachedump.c 
@@ -62,84 +62,231 @@ #include "sldns/wire2str.h" #include "sldns/str2wire.h" +static void spool_txt_printf(struct config_strlist_head* txt, + const char* format, ...) ATTR_FORMAT(printf, 2, 3); + +/** Append to strlist at end, and log error if out of memory. */ +static void +spool_txt_string(struct config_strlist_head* txt, char* str) +{ + if(!cfg_strlist_append(txt, strdup(str))) { + log_err("out of memory in spool text"); + } +} + +/** Spool txt to spool list. */ +static void +spool_txt_vmsg(struct config_strlist_head* txt, const char* format, + va_list args) +{ + char msg[65535]; + vsnprintf(msg, sizeof(msg), format, args); + spool_txt_string(txt, msg); +} + +/** Print item to spool list. On alloc failure the list is as before. */ +static void +spool_txt_printf(struct config_strlist_head* txt, const char* format, ...) +{ + va_list args; + va_start(args, format); + spool_txt_vmsg(txt, format, args); + va_end(args); +} + /** dump one rrset zonefile line */ -static int -dump_rrset_line(RES* ssl, struct ub_packed_rrset_key* k, time_t now, size_t i) +static void +dump_rrset_line(struct config_strlist_head* txt, struct ub_packed_rrset_key* k, + time_t now, size_t i) { char s[65535]; if(!packed_rr_to_string(k, i, now, s, sizeof(s))) { - return ssl_printf(ssl, "BADRR\n"); + spool_txt_string(txt, "BADRR\n"); + return; } - return ssl_printf(ssl, "%s", s); + spool_txt_string(txt, s); } /** dump rrset key and data info */ -static int -dump_rrset(RES* ssl, struct ub_packed_rrset_key* k, +static void +dump_rrset(struct config_strlist_head* txt, struct ub_packed_rrset_key* k, struct packed_rrset_data* d, time_t now) { size_t i; /* rd lock held by caller */ - if(!k || !d) return 1; - if(k->id == 0) return 1; /* deleted */ - if(d->ttl < now) return 1; /* expired */ + if(!k || !d) return; + if(k->id == 0) return; /* deleted */ + if(d->ttl < now) return; /* expired */ /* meta line */ - if(!ssl_printf(ssl, ";rrset%s " ARG_LL "d %u %u %d %d\n", + spool_txt_printf(txt, ";rrset%s " 
ARG_LL "d %u %u %d %d\n", (k->rk.flags & PACKED_RRSET_NSEC_AT_APEX)?" nsec_apex":"", (long long)(d->ttl - now), (unsigned)d->count, (unsigned)d->rrsig_count, (int)d->trust, (int)d->security - )) - return 0; + ); for(i=0; icount + d->rrsig_count; i++) { - if(!dump_rrset_line(ssl, k, now, i)) + dump_rrset_line(txt, k, now, i); + } +} + +/** Spool strlist to the output. */ +static int +spool_strlist(RES* ssl, struct config_strlist* list) +{ + struct config_strlist* s; + for(s=list; s; s=s->next) { + if(!ssl_printf(ssl, "%s", s->str)) return 0; } return 1; } -/** dump lruhash rrset cache */ +/** dump lruhash cache and call callback for every item. */ static int -dump_rrset_lruhash(RES* ssl, struct lruhash* h, time_t now) +dump_lruhash(struct lruhash* table, + void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*), + RES* ssl, void* arg) { - struct lruhash_entry* e; - /* lruhash already locked by caller */ - /* walk in order of lru; best first */ - for(e=h->lru_start; e; e = e->lru_next) { - lock_rw_rdlock(&e->lock); - if(!dump_rrset(ssl, (struct ub_packed_rrset_key*)e->key, - (struct packed_rrset_data*)e->data, now)) { - lock_rw_unlock(&e->lock); + int just_started = 1; + int not_done = 1; + hashvalue_type hash; + size_t num = 0; /* number of entries processed. */ + size_t max = 2; /* number of entries after which it unlocks. */ + struct config_strlist_head txt; /* Text strings spooled. */ + memset(&txt, 0, sizeof(txt)); + + while(not_done) { + size_t i; /* hash bin. */ + /* Process a number of items. */ + num = 0; + lock_quick_lock(&table->lock); + if(just_started) { + i = 0; + } else { + i = hash&table->size_mask; + } + while(num < max) { + /* Process bin. */ + int found = 0; + size_t num_bin = 0; + struct lruhash_bin* bin = &table->array[i]; + struct lruhash_entry* e; + lock_quick_lock(&bin->lock); + for(e = bin->overflow_list; e; e = e->overflow_next) { + /* Entry e is locked by the func. 
*/ + func(e, &txt, arg); + num_bin++; + } + lock_quick_unlock(&bin->lock); + /* This addition of bin number of entries may take + * it over the max. */ + num += num_bin; + + /* Move to next bin. */ + /* Find one with an entry, with a hash value, so we + * can continue from the hash value. The hash value + * can be indexed also if the array changes size. */ + i++; + while(i < table->size) { + bin = &table->array[i]; + lock_quick_lock(&bin->lock); + if(bin->overflow_list) { + hash = bin->overflow_list->hash; + lock_quick_unlock(&bin->lock); + found = 1; + just_started = 0; + break; + } + lock_quick_unlock(&bin->lock); + i++; + } + if(!found) { + not_done = 0; + break; + } + } + lock_quick_unlock(&table->lock); + /* Print the spooled items, that are collected while the + * locks are locked. The print happens while they are not + * locked. */ + if(txt.first) { + if(!spool_strlist(ssl, txt.first)) { + config_delstrlist(txt.first); + return 0; + } + config_delstrlist(txt.first); + memset(&txt, 0, sizeof(txt)); + } + } + /* Print the final spooled items. */ + if(txt.first) { + if(!spool_strlist(ssl, txt.first)) { + config_delstrlist(txt.first); return 0; } - lock_rw_unlock(&e->lock); + config_delstrlist(txt.first); + } + return 1; +} + +/** dump slabhash cache and call callback for every item. */ +static int +dump_slabhash(struct slabhash* sh, + void (*func)(struct lruhash_entry*, struct config_strlist_head*, void*), + RES* ssl, void* arg) +{ + /* Process a number of items at a time, then unlock the cache, + * so that ordinary processing can continue. Keep an iteration marker + * to continue the loop. That means the cache can change, items + * could be inserted and deleted. And, for example, the hash table + * can grow. */ + size_t slab; + for(slab=0; slabsize; slab++) { + if(!dump_lruhash(sh->array[slab], func, ssl, arg)) + return 0; } return 1; } +/** Struct for dump information. */ +struct dump_info { + /** The worker. 
*/ + struct worker* worker; + /** The printout connection. */ + RES* ssl; +}; + +/** Dump the rrset cache entry */ +static void +dump_rrset_entry(struct lruhash_entry* e, struct config_strlist_head* txt, + void* arg) +{ + struct dump_info* dump_info = (struct dump_info*)arg; + lock_rw_rdlock(&e->lock); + dump_rrset(txt, (struct ub_packed_rrset_key*)e->key, + (struct packed_rrset_data*)e->data, + *dump_info->worker->env.now); + lock_rw_unlock(&e->lock); +} + /** dump rrset cache */ static int dump_rrset_cache(RES* ssl, struct worker* worker) { struct rrset_cache* r = worker->env.rrset_cache; - size_t slab; + struct dump_info dump_info; + dump_info.worker = worker; + dump_info.ssl = ssl; if(!ssl_printf(ssl, "START_RRSET_CACHE\n")) return 0; - for(slab=0; slabtable.size; slab++) { - lock_quick_lock(&r->table.array[slab]->lock); - if(!dump_rrset_lruhash(ssl, r->table.array[slab], - *worker->env.now)) { - lock_quick_unlock(&r->table.array[slab]->lock); - return 0; - } - lock_quick_unlock(&r->table.array[slab]->lock); - } + if(!dump_slabhash(&r->table, &dump_rrset_entry, ssl, &dump_info)) + return 0; return ssl_printf(ssl, "END_RRSET_CACHE\n"); } /** dump message to rrset reference */ -static int -dump_msg_ref(RES* ssl, struct ub_packed_rrset_key* k) +static void +dump_msg_ref(struct config_strlist_head* txt, struct ub_packed_rrset_key* k) { char* nm, *tp, *cl; nm = sldns_wire2str_dname(k->rk.dname, k->rk.dname_len); 
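Review bot: A failed allocation in `spool_txt_string` is only logged, so `dump_lruhash` and `dump_slabhash` still return 1 and `dump_rrset_cache` goes on to print `END_RRSET_CACHE` after a dump that is missing lines. The removed code aborted the dump on the equivalent failure in the message path; the new `dump_msg_entry` in the `@@ -247,49 +379,40 @@` hunk now logs a failed `copy_msg` and skips the entry the same way. An operator who later feeds the output to `load_cache` has no signal that it is incomplete, so the failure should either reach the return value or be documented on `dump_lruhash`, e.g. `/* Entries that hit an allocation failure are logged and skipped; the dump can be incomplete even when this returns 1. */`. `dump_msg_ref` at the end of this hunk continues outside it.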
@@ -149,30 +296,25 @@ free(nm); free(tp); free(cl); - return ssl_printf(ssl, "BADREF\n"); - } - if(!ssl_printf(ssl, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags)) { - free(nm); - free(tp); - free(cl); - return 0; + spool_txt_string(txt, "BADREF\n"); + return; } + spool_txt_printf(txt, "%s %s %s %d\n", nm, cl, tp, (int)k->rk.flags); free(nm); free(tp); free(cl); - - return 1; } /** dump message entry */ -static int -dump_msg(RES* ssl, struct query_info* k, struct reply_info* d, time_t now) +static void +dump_msg(struct config_strlist_head* txt, struct query_info* k, + struct reply_info* d, time_t now) { size_t i; char* nm, *tp, *cl; - if(!k || !d) return 1; - if(d->ttl < now) return 1; /* expired */ - + if(!k || !d) return; + if(d->ttl < now) return; /* expired */ + nm = sldns_wire2str_dname(k->qname, k->qname_len); tp = sldns_wire2str_type(k->qtype); cl = sldns_wire2str_class(k->qclass); 
@@ -180,45 +322,35 @@ free(nm); free(tp); free(cl); - return 1; /* skip this entry */ + return; /* skip this entry */ } if(!rrset_array_lock(d->ref, d->rrset_count, now)) { /* rrsets have timed out or do not exist */ free(nm); free(tp); free(cl); - return 1; /* skip this entry */ + return; /* skip this entry */ } - + /* meta line */ - if(!ssl_printf(ssl, "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", - nm, cl, tp, - (int)d->flags, (int)d->qdcount, - (long long)(d->ttl-now), (int)d->security, - (unsigned)d->an_numrrsets, - (unsigned)d->ns_numrrsets, - (unsigned)d->ar_numrrsets, - (int)d->reason_bogus, - d->reason_bogus_str?d->reason_bogus_str:"")) { - free(nm); - free(tp); - free(cl); - rrset_array_unlock(d->ref, d->rrset_count); - return 0; - } + spool_txt_printf(txt, + "msg %s %s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", + nm, cl, tp, + (int)d->flags, (int)d->qdcount, + (long long)(d->ttl-now), (int)d->security, + (unsigned)d->an_numrrsets, + (unsigned)d->ns_numrrsets, + (unsigned)d->ar_numrrsets, + (int)d->reason_bogus, + d->reason_bogus_str?d->reason_bogus_str:""); free(nm); free(tp); free(cl); for(i=0; irrset_count; i++) { - if(!dump_msg_ref(ssl, d->rrsets[i])) { - rrset_array_unlock(d->ref, d->rrset_count); - return 0; - } + dump_msg_ref(txt, d->rrsets[i]); } rrset_array_unlock(d->ref, d->rrset_count); - - return 1; } /** copy msg to worker pad */ 
@@ -247,49 +379,40 @@ return (*k)->qname != NULL; } -/** dump lruhash msg cache */ -static int -dump_msg_lruhash(RES* ssl, struct worker* worker, struct lruhash* h) +/** Dump the msg entry. */ +static void +dump_msg_entry(struct lruhash_entry* e, struct config_strlist_head* txt, + void* arg) { - struct lruhash_entry* e; + struct dump_info* dump_info = (struct dump_info*)arg; struct query_info* k; struct reply_info* d; - /* lruhash already locked by caller */ - /* walk in order of lru; best first */ - for(e=h->lru_start; e; e = e->lru_next) { - regional_free_all(worker->scratchpad); - lock_rw_rdlock(&e->lock); - /* make copy of rrset in worker buffer */ - if(!copy_msg(worker->scratchpad, e, &k, &d)) { - lock_rw_unlock(&e->lock); - return 0; - } + regional_free_all(dump_info->worker->scratchpad); + /* Make copy of rrset in worker buffer. */ + lock_rw_rdlock(&e->lock); + if(!copy_msg(dump_info->worker->scratchpad, e, &k, &d)) { lock_rw_unlock(&e->lock); - /* release lock so we can lookup the rrset references - * in the rrset cache */ - if(!dump_msg(ssl, k, d, *worker->env.now)) { - return 0; - } + log_err("out of memory in dump_msg_entry"); + return; } - return 1; + lock_rw_unlock(&e->lock); + /* Release lock so we can lookup the rrset references + * in the rrset cache. 
*/ + dump_msg(txt, k, d, *dump_info->worker->env.now); } /** dump msg cache */ static int dump_msg_cache(RES* ssl, struct worker* worker) { - struct slabhash* sh = worker->env.msg_cache; - size_t slab; + struct dump_info dump_info; + dump_info.worker = worker; + dump_info.ssl = ssl; if(!ssl_printf(ssl, "START_MSG_CACHE\n")) return 0; - for(slab=0; slabsize; slab++) { - lock_quick_lock(&sh->array[slab]->lock); - if(!dump_msg_lruhash(ssl, worker, sh->array[slab])) { - lock_quick_unlock(&sh->array[slab]->lock); - return 0; - } - lock_quick_unlock(&sh->array[slab]->lock); - } + if(!dump_slabhash(worker->env.msg_cache, &dump_msg_entry, ssl, + &dump_info)) + return 0; return ssl_printf(ssl, "END_MSG_CACHE\n"); } @@ -811,12 +934,18 @@ struct ub_packed_rrset_key* k = msg->rep->rrsets[i]; struct packed_rrset_data* d = (struct packed_rrset_data*)k->entry.data; + struct config_strlist_head txt; + memset(&txt, 0, sizeof(txt)); if(d->security == sec_status_bogus) { if(!ssl_printf(ssl, "Address is BOGUS:\n")) return; } - if(!dump_rrset(ssl, k, d, 0)) + dump_rrset(&txt, k, d, 0); + if(!spool_strlist(ssl, txt.first)) { + config_delstrlist(txt.first); return; + } + config_delstrlist(txt.first); } delegpt_count_ns(dp, &n_ns, &n_miss); delegpt_count_addr(dp, &n_addr, &n_res, &n_avail); diff --git a/contrib/unbound/daemon/remote.c b/contrib/unbound/daemon/remote.c --- a/contrib/unbound/daemon/remote.c +++ b/contrib/unbound/daemon/remote.c @@ -101,6 +101,10 @@ #ifdef USE_CACHEDB #include "cachedb/cachedb.h" #endif +#ifdef CLIENT_SUBNET +#include "edns-subnet/subnetmod.h" +#include "edns-subnet/addrtree.h" +#endif #ifdef HAVE_SYS_TYPES_H # include 
@@ -1148,6 +1152,8 @@ (unsigned long)s->svr.ans_bogus)) return 0; if(!ssl_printf(ssl, "num.rrset.bogus"SQ"%lu\n", (unsigned long)s->svr.rrset_bogus)) return 0; + if(!ssl_printf(ssl, "num.valops"SQ"%lu\n", + (unsigned long)s->svr.val_ops)) return 0; if(!ssl_printf(ssl, "num.query.aggressive.NOERROR"SQ"%lu\n", (unsigned long)s->svr.num_neg_cache_noerror)) return 0; if(!ssl_printf(ssl, "num.query.aggressive.NXDOMAIN"SQ"%lu\n", @@ -1576,7 +1582,7 @@ } if(!v->isfirst) { /* Global local-zone is not used for this view, - * therefore add defaults to this view-specic + * therefore add defaults to this view-specific * local-zone. */ struct config_file lz_cfg; memset(&lz_cfg, 0, sizeof(lz_cfg)); 
@@ -1740,6 +1746,334 @@ (void)ssl_printf(ssl, "removed %d datas\n", num); } +/** information for the domain search */ +struct cache_lookup_info { + /** The connection to print on. */ + RES* ssl; + /** The worker. */ + struct worker* worker; + /** The domain, in wireformat. */ + uint8_t* nm; + /** The length of nm. */ + size_t nmlen; +}; + +#ifdef CLIENT_SUBNET +static void addrtree_traverse_visit_node(struct addrnode* n, addrkey_t* addr, + size_t addr_size, int is_ipv6, time_t now, struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg); + +/** Lookup in subnet addrtree */ +static void +cache_lookup_subnet_addrnode(struct query_info* q, struct reply_info* d, + addrkey_t* addr, size_t addr_size, int is_ipv6, addrlen_t scope, + int only_match_scope_zero, time_t ttl, void* arg) +{ + size_t i; + char s[65535], tp[32], cl[32], rc[32], fg[32], astr[64]; + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + if(is_ipv6) { + if(addr_size < 16 || inet_ntop(AF_INET6, addr, astr, + sizeof(astr)) == NULL) + snprintf(astr, sizeof(astr), "(inet6ntoperror)"); + } else { + if(addr_size < 4 || inet_ntop(AF_INET, addr, astr, + sizeof(astr)) == NULL) + snprintf(astr, sizeof(astr), "(inetntoperror)"); + } + sldns_wire2str_dname_buf(q->qname, q->qname_len, s, sizeof(s)); + sldns_wire2str_type_buf(q->qtype, tp, sizeof(tp)); + sldns_wire2str_class_buf(q->qclass, cl, sizeof(cl)); + sldns_wire2str_rcode_buf(FLAGS_GET_RCODE(d->flags), + rc, sizeof(rc)); + snprintf(fg, sizeof(fg), "%s%s%s%s%s%s%s%s", + ((d->flags&BIT_QR)?" QR":""), + ((d->flags&BIT_AA)?" AA":""), + ((d->flags&BIT_TC)?" TC":""), + ((d->flags&BIT_RD)?" RD":""), + ((d->flags&BIT_RA)?" RA":""), + ((d->flags&BIT_Z)?" Z":""), + ((d->flags&BIT_AD)?" AD":""), + ((d->flags&BIT_CD)?" 
CD":"")); + if(!rrset_array_lock(d->ref, d->rrset_count, + *inf->worker->env.now)) { + /* rrsets have timed out or do not exist */ + return; + } + if(!ssl_printf(inf->ssl, "subnet %s/%d%s %s %s %s " ARG_LL "d\n", astr, + (int)scope, (only_match_scope_zero?" scope_zero":""), + s, cl, tp, (long long)(ttl-*inf->worker->env.now))) { + rrset_array_unlock(d->ref, d->rrset_count); + return; + } + ssl_printf(inf->ssl, + "subnet msg %s %s %s%s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", + s, cl, tp, fg, rc, + (int)d->flags, (int)d->qdcount, + (long long)(d->ttl-*inf->worker->env.now), + (int)d->security, + (unsigned)d->an_numrrsets, + (unsigned)d->ns_numrrsets, + (unsigned)d->ar_numrrsets, + (int)d->reason_bogus, + d->reason_bogus_str?d->reason_bogus_str:""); + for(i=0; irrset_count; i++) { + struct ub_packed_rrset_key* rk = d->rrsets[i]; + struct packed_rrset_data* rd = (struct packed_rrset_data*)rk->entry.data; + size_t j; + for(j=0; jcount + rd->rrsig_count; j++) { + if(!packed_rr_to_string(rk, j, + *inf->worker->env.now, s, sizeof(s))) { + ssl_printf(inf->ssl, "BADRR\n"); + } else { + ssl_printf(inf->ssl, "%s", s); + } + } + } + rrset_array_unlock(d->ref, d->rrset_count); + ssl_printf(inf->ssl, "\n"); +} + +/** Visit an edge in subnet addrtree traverse */ +static void +addrtree_traverse_visit_edge(struct addredge* edge, addrkey_t* addr, + size_t addr_size, int is_ipv6, time_t now, struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg) +{ + size_t n; + addrlen_t addrlen; + if(!edge || !edge->node) + return; + addrlen = edge->len; + /* ceil() */ + n = (size_t)((addrlen / KEYWIDTH) + ((addrlen % KEYWIDTH != 0)?1:0)); + if(n > addr_size) + n = addr_size; + memset(addr, 0, addr_size); + memcpy(addr, edge->str, n); + addrtree_traverse_visit_node(edge->node, addr, addr_size, is_ipv6, + now, q, func, arg); +} + +/** Visit a node in subnet addrtree traverse */ +static void 
+addrtree_traverse_visit_node(struct addrnode* n, addrkey_t* addr, + size_t addr_size, int is_ipv6, time_t now, struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg) +{ + /* If this node has data, and not expired. */ + if(n->elem && n->ttl >= now) { + func(q, (struct reply_info*)n->elem, addr, addr_size, is_ipv6, + n->scope, n->only_match_scope_zero, n->ttl, arg); + } + /* Traverse edges. */ + addrtree_traverse_visit_edge(n->edge[0], addr, addr_size, is_ipv6, + now, q, func, arg); + addrtree_traverse_visit_edge(n->edge[1], addr, addr_size, is_ipv6, + now, q, func, arg); +} + +/** Traverse subnet addrtree */ +static void +addrtree_traverse(struct addrtree* tree, int is_ipv6, time_t now, + struct query_info* q, + void (*func)(struct query_info*, struct reply_info*, addrkey_t*, + size_t, int, addrlen_t, int, time_t, void*), void* arg) +{ + uint8_t addr[16]; /* Large enough for IPv4 and IPv6. */ + memset(addr, 0, sizeof(addr)); + addrtree_traverse_visit_node(tree->root, (addrkey_t*)addr, + sizeof(addr), is_ipv6, now, q, func, arg); +} + +/** Lookup cache_lookup for subnet content. 
*/ +static void +cache_lookup_subnet_msg(struct lruhash_entry* e, void* arg) +{ + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + struct msgreply_entry *k = (struct msgreply_entry*)e->key; + struct subnet_msg_cache_data* d = + (struct subnet_msg_cache_data*)e->data; + if(!dname_subdomain_c(k->key.qname, inf->nm)) + return; + + if(d->tree4) { + addrtree_traverse(d->tree4, 0, *inf->worker->env.now, &k->key, + &cache_lookup_subnet_addrnode, inf); + } + if(d->tree6) { + addrtree_traverse(d->tree6, 1, *inf->worker->env.now, &k->key, + &cache_lookup_subnet_addrnode, inf); + } +} +#endif /* CLIENT_SUBNET */ + +static void +cache_lookup_rrset(struct lruhash_entry* e, void* arg) +{ + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + struct ub_packed_rrset_key* k = (struct ub_packed_rrset_key*)e->key; + struct packed_rrset_data* d = (struct packed_rrset_data*)e->data; + if(*inf->worker->env.now < d->ttl && + k->id != 0 && /* not deleted */ + dname_subdomain_c(k->rk.dname, inf->nm)) { + size_t i; + for(i=0; icount + d->rrsig_count; i++) { + char s[65535]; + if(!packed_rr_to_string(k, i, *inf->worker->env.now, + s, sizeof(s))) { + ssl_printf(inf->ssl, "BADRR\n"); + return; + } + ssl_printf(inf->ssl, "%s", s); + } + ssl_printf(inf->ssl, "\n"); + } +} + +static void +cache_lookup_msg(struct lruhash_entry* e, void* arg) +{ + struct cache_lookup_info* inf = (struct cache_lookup_info*)arg; + struct msgreply_entry* k = (struct msgreply_entry*)e->key; + struct reply_info* d = (struct reply_info*)e->data; + if(*inf->worker->env.now < d->ttl && + dname_subdomain_c(k->key.qname, inf->nm)) { + size_t i; + char s[65535], tp[32], cl[32], rc[32], fg[32]; + sldns_wire2str_dname_buf(k->key.qname, k->key.qname_len, + s, sizeof(s)); + sldns_wire2str_type_buf(k->key.qtype, tp, sizeof(tp)); + sldns_wire2str_class_buf(k->key.qclass, cl, sizeof(cl)); + sldns_wire2str_rcode_buf(FLAGS_GET_RCODE(d->flags), + rc, sizeof(rc)); + snprintf(fg, sizeof(fg), 
"%s%s%s%s%s%s%s%s", + ((d->flags&BIT_QR)?" QR":""), + ((d->flags&BIT_AA)?" AA":""), + ((d->flags&BIT_TC)?" TC":""), + ((d->flags&BIT_RD)?" RD":""), + ((d->flags&BIT_RA)?" RA":""), + ((d->flags&BIT_Z)?" Z":""), + ((d->flags&BIT_AD)?" AD":""), + ((d->flags&BIT_CD)?" CD":"")); + if(!rrset_array_lock(d->ref, d->rrset_count, + *inf->worker->env.now)) { + /* rrsets have timed out or do not exist */ + return; + } + ssl_printf(inf->ssl, + "msg %s %s %s%s %s %d %d " ARG_LL "d %d %u %u %u %d %s\n", + s, cl, tp, fg, rc, + (int)d->flags, (int)d->qdcount, + (long long)(d->ttl-*inf->worker->env.now), + (int)d->security, + (unsigned)d->an_numrrsets, + (unsigned)d->ns_numrrsets, + (unsigned)d->ar_numrrsets, + (int)d->reason_bogus, + d->reason_bogus_str?d->reason_bogus_str:""); + for(i=0; irrset_count; i++) { + struct ub_packed_rrset_key* rk = d->rrsets[i]; + struct packed_rrset_data* rd = (struct packed_rrset_data*)rk->entry.data; + size_t j; + for(j=0; jcount + rd->rrsig_count; j++) { + if(!packed_rr_to_string(rk, j, + *inf->worker->env.now, s, sizeof(s))) { + rrset_array_unlock(d->ref, d->rrset_count); + ssl_printf(inf->ssl, "BADRR\n"); + return; + } + ssl_printf(inf->ssl, "%s", s); + } + } + rrset_array_unlock(d->ref, d->rrset_count); + ssl_printf(inf->ssl, "\n"); + } +} + +/** perform cache search for domain */ +static void +do_cache_lookup_domain(RES* ssl, struct worker* worker, uint8_t* nm, + size_t nmlen) +{ +#ifdef CLIENT_SUBNET + int m; + struct subnet_env* sn_env = NULL; +#endif /* CLIENT_SUBNET */ + struct cache_lookup_info inf; + inf.ssl = ssl; + inf.worker = worker; + inf.nm = nm; + inf.nmlen = nmlen; + +#ifdef CLIENT_SUBNET + m = modstack_find(worker->env.modstack, "subnetcache"); + if(m != -1) sn_env = (struct subnet_env*)worker->env.modinfo[m]; + if(sn_env) { + lock_rw_rdlock(&sn_env->biglock); + slabhash_traverse(sn_env->subnet_msg_cache, 0, + &cache_lookup_subnet_msg, &inf); + lock_rw_unlock(&sn_env->biglock); + } +#endif /* CLIENT_SUBNET */ + + 
slabhash_traverse(&worker->env.rrset_cache->table, 0, + &cache_lookup_rrset, &inf); + slabhash_traverse(worker->env.msg_cache, 0, &cache_lookup_msg, &inf); +} + +/** cache lookup of domain */ +static void +do_cache_lookup(RES* ssl, struct worker* worker, char* arg) +{ + uint8_t nm[LDNS_MAX_DOMAINLEN+1]; + size_t nmlen; + int status; + char* s = arg, *next = NULL; + int allow_long = 0; + + if(arg[0] == '+' && arg[1] == 't' && (arg[2]==' ' || arg[2]=='\t')) { + allow_long = 1; + s = arg+2; + } + + /* Find the commandline arguments of domains. */ + while(s && *s != 0) { + s = skipwhite(s); + if(*s == 0) + break; + if(strchr(s, ' ') || strchr(s, '\t')) { + char* sp = strchr(s, ' '); + if(strchr(s, '\t') != 0 && strchr(s, '\t') < sp) + sp = strchr(s, '\t'); + *sp = 0; + next = sp+1; + } else { + next = NULL; + } + + nmlen = sizeof(nm); + status = sldns_str2wire_dname_buf(s, nm, &nmlen); + if(status != 0) { + ssl_printf(ssl, "error cannot parse name %s at %d: %s\n", s, + LDNS_WIREPARSE_OFFSET(status), + sldns_get_errorstr_parse(status)); + return; + } + if(!allow_long && dname_count_labels(nm) < 3) { + ssl_printf(ssl, "error name too short: '%s'. Need example.com. or longer, short names take very long, use +t to allow them.\n", s); + return; + } + + do_cache_lookup_domain(ssl, worker, nm, nmlen); + + s = next; + } +} + /** cache lookup of nameservers */ static void do_lookup(RES* ssl, struct worker* worker, char* arg) @@ -2887,10 +3221,13 @@ (void)ssl_printf(ssl, "error: no SOA in zone after read %s\n", arg); return; } - if(xfr->have_zone) + if(xfr->have_zone) { xfr->lease_time = *worker->env.now; + xfr->soa_zone_acquired = *worker->env.now; + } lock_basic_unlock(&xfr->lock); } + z->soa_zone_acquired = *worker->env.now; auth_zone_verify_zonemd(z, &worker->env, &worker->env.mesh->mods, &reason, 0, 0); 
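Review bot: In `do_cache_lookup`, an argument whose names are separated only by tabs dereferences NULL: `sp = strchr(s, ' ')` is NULL when there is no space, the `strchr(s, '\t') < sp` test is then false, and `*sp = 0` writes through the null pointer. The string comes from the remote-control channel, so this is a resolver crash reachable by any client that is allowed to issue control commands. Finding the separator with `sp = s + strcspn(s, " \t");` followed by `if(*sp) { *sp = 0; next = sp+1; } else next = NULL;` handles space, tab and end of string in one path. Separately, `cache_lookup_subnet_msg` prints with `ssl_printf` while `sn_env->biglock` is held, and the other callbacks presumably run under the `slabhash_traverse` locks, so a slow control client can hold cache locks for as long as it stalls the connection, which the spooling added to cachedump.c in this same change avoids.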
@@ -3039,7 +3376,7 @@ do_list_auth_zones(RES* ssl, struct auth_zones* az) { struct auth_zone* z; - char buf[LDNS_MAX_DOMAINLEN], buf2[256]; + char buf[LDNS_MAX_DOMAINLEN], buf2[256], buf3[256]; lock_rw_rdlock(&az->lock); RBTREE_FOR(z, struct auth_zone*, &az->ztree) { lock_rw_rdlock(&z->lock); @@ -3048,18 +3385,41 @@ snprintf(buf2, sizeof(buf2), "expired"); else { uint32_t serial = 0; - if(auth_zone_get_serial(z, &serial)) + if(auth_zone_get_serial(z, &serial)) { snprintf(buf2, sizeof(buf2), "serial %u", (unsigned)serial); - else snprintf(buf2, sizeof(buf2), "no serial"); + if(z->soa_zone_acquired != 0) { +#if defined(HAVE_STRFTIME) && defined(HAVE_LOCALTIME_R) + char tmbuf[32]; + struct tm tm; + struct tm *tm_p; + tm_p = localtime_r( + &z->soa_zone_acquired, &tm); + if(!strftime(tmbuf, sizeof(tmbuf), "%Y-%m-%dT%H:%M:%S", tm_p)) + snprintf(tmbuf, sizeof(tmbuf), "strftime-err-%u", (unsigned)z->soa_zone_acquired); + snprintf(buf3, sizeof(buf3), + "\t since %u %s", + (unsigned)z->soa_zone_acquired, + tmbuf); +#else + snprintf(buf3, sizeof(buf3), + "\t since %u", + (unsigned)z->soa_zone_acquired); +#endif + } else { + buf3[0]=0; + } + } else { + snprintf(buf2, sizeof(buf2), "no serial"); + buf3[0]=0; + } } - if(!ssl_printf(ssl, "%s\t%s\n", buf, buf2)) { + lock_rw_unlock(&z->lock); + if(!ssl_printf(ssl, "%s\t%s%s\n", buf, buf2, buf3)) { /* failure to print */ - lock_rw_unlock(&z->lock); lock_rw_unlock(&az->lock); return; } - lock_rw_unlock(&z->lock); } lock_rw_unlock(&az->lock); } 
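Review bot: `buf3` is never written on the `expired` branch, yet the new `ssl_printf(ssl, "%s\t%s%s\n", buf, buf2, buf3)` always reads it. For the first zone that is uninitialized stack memory formatted with `%s`, and for later zones it is the previous zone's `since` text, so an expired zone can send stale or garbage bytes to the control client and may read past the array if no NUL is present. Clearing it once per iteration, `buf3[0] = 0;` directly after `lock_rw_rdlock(&z->lock);`, covers every branch and makes the two `buf3[0]=0;` assignments in the else arms unnecessary. The `localtime_r` result should also be checked before `tm_p` is passed to `strftime`, since it can be NULL. The condition that selects the `expired` branch is above the hunk.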
@@ -3502,6 +3862,30 @@ explicit_bzero(secret_hex, sizeof(secret_hex)); } +/** check that there is no argument after a command that takes no arguments. */ +static int +cmd_no_args(RES* ssl, char* cmd, char* p) +{ + if(p && *p != 0) { + /* cmd contains the command that is called at the start, + * with space or tab after it. */ + char* c = cmd; + if(strchr(c, ' ') && strchr(c, '\t')) { + if(strchr(c, ' ') < strchr(c, '\t')) + *strchr(c, ' ')=0; + else *strchr(c, '\t')=0; + } else if(strchr(c, ' ')) { + *strchr(c, ' ')=0; + } else if(strchr(c, '\t')) { + *strchr(c, '\t')=0; + } + (void)ssl_printf(ssl, "error command %s takes no arguments," + " have '%s'\n", c, p); + return 1; + } + return 0; +} + /** check for name with end-of-string, space or tab after it */ static int cmdcmp(char* p, const char* cmd, size_t len) @@ -3517,27 +3901,41 @@ char* p = skipwhite(cmd); /* compare command */ if(cmdcmp(p, "stop", 4)) { + if(cmd_no_args(ssl, p, skipwhite(p+4))) + return; do_stop(ssl, worker); return; } else if(cmdcmp(p, "reload_keep_cache", 17)) { + if(cmd_no_args(ssl, p, skipwhite(p+17))) + return; do_reload(ssl, worker, 1); return; } else if(cmdcmp(p, "reload", 6)) { + if(cmd_no_args(ssl, p, skipwhite(p+6))) + return; do_reload(ssl, worker, 0); return; } else if(cmdcmp(p, "fast_reload", 11)) { do_fast_reload(ssl, worker, s, skipwhite(p+11)); return; } else if(cmdcmp(p, "stats_noreset", 13)) { + if(cmd_no_args(ssl, p, skipwhite(p+13))) + return; do_stats(ssl, worker, 0); return; } else if(cmdcmp(p, "stats", 5)) { + if(cmd_no_args(ssl, p, skipwhite(p+5))) + return; do_stats(ssl, worker, 1); return; } else if(cmdcmp(p, "status", 6)) { + if(cmd_no_args(ssl, p, skipwhite(p+6))) + return; do_status(ssl, worker); return; } else if(cmdcmp(p, "dump_cache", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; #ifdef THREADS_DISABLED if(worker->daemon->num > 1) { (void)ssl_printf(ssl, "dump_cache/load_cache is not " 
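Review bot: `cmd_no_args` finds the end of the command word with up to six `strchr` calls across three branches; `c[strcspn(c, " \t")] = 0;` does the same in one line and has no both-separators case to get wrong. The function also writes a NUL into the caller's buffer, which its doc comment should state, e.g. `/* Truncates cmd at the first space or tab when it reports an error. */`. That matters because `execute_cmd` in the following hunks passes `p`, a pointer into the same `cmd` it later hands to `distribute_cmd`; today the truncation happens only on the path that returns 1.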
@@ -3548,6 +3946,8 @@ (void)dump_cache(ssl, worker); return; } else if(cmdcmp(p, "load_cache", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; #ifdef THREADS_DISABLED if(worker->daemon->num > 1) { /* The warning can't be printed when stdin is sending @@ -3558,18 +3958,28 @@ if(load_cache(ssl, worker)) send_ok(ssl); return; } else if(cmdcmp(p, "list_forwards", 13)) { + if(cmd_no_args(ssl, p, skipwhite(p+13))) + return; do_list_forwards(ssl, worker); return; } else if(cmdcmp(p, "list_stubs", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; do_list_stubs(ssl, worker); return; } else if(cmdcmp(p, "list_insecure", 13)) { + if(cmd_no_args(ssl, p, skipwhite(p+13))) + return; do_insecure_list(ssl, worker); return; } else if(cmdcmp(p, "list_local_zones", 16)) { + if(cmd_no_args(ssl, p, skipwhite(p+16))) + return; do_list_local_zones(ssl, worker->daemon->local_zones); return; } else if(cmdcmp(p, "list_local_data", 15)) { + if(cmd_no_args(ssl, p, skipwhite(p+15))) + return; do_list_local_data(ssl, worker, worker->daemon->local_zones); return; } else if(cmdcmp(p, "view_list_local_zones", 21)) { @@ -3585,6 +3995,8 @@ do_ip_ratelimit_list(ssl, worker, p+17); return; } else if(cmdcmp(p, "list_auth_zones", 15)) { + if(cmd_no_args(ssl, p, skipwhite(p+15))) + return; do_list_auth_zones(ssl, worker->env.auth_zones); return; } else if(cmdcmp(p, "auth_zone_reload", 16)) { 
@@ -3605,14 +4017,21 @@ return; } else if(cmdcmp(p, "flush_stats", 11)) { /* must always distribute this cmd */ + if(cmd_no_args(ssl, p, skipwhite(p+11))) + return; if(rc) distribute_cmd(rc, ssl, cmd); do_flush_stats(ssl, worker); return; } else if(cmdcmp(p, "flush_requestlist", 17)) { /* must always distribute this cmd */ + if(cmd_no_args(ssl, p, skipwhite(p+17))) + return; if(rc) distribute_cmd(rc, ssl, cmd); do_flush_requestlist(ssl, worker); return; + } else if(cmdcmp(p, "cache_lookup", 12)) { + do_cache_lookup(ssl, worker, skipwhite(p+12)); + return; } else if(cmdcmp(p, "lookup", 6)) { do_lookup(ssl, worker, skipwhite(p+6)); return; @@ -3620,15 +4039,23 @@ * Each line needs to be distributed if THREADS_DISABLED. */ } else if(cmdcmp(p, "local_zones_remove", 18)) { + if(cmd_no_args(ssl, p, skipwhite(p+18))) + return; do_zones_remove(rc, ssl, worker); return; } else if(cmdcmp(p, "local_zones", 11)) { + if(cmd_no_args(ssl, p, skipwhite(p+11))) + return; do_zones_add(rc, ssl, worker); return; } else if(cmdcmp(p, "local_datas_remove", 18)) { + if(cmd_no_args(ssl, p, skipwhite(p+18))) + return; do_datas_remove(rc, ssl, worker); return; } else if(cmdcmp(p, "local_datas", 11)) { + if(cmd_no_args(ssl, p, skipwhite(p+11))) + return; do_datas_add(rc, ssl, worker); return; } else if(cmdcmp(p, "view_local_datas_remove", 23)){ @@ -3638,6 +4065,8 @@ do_view_datas_add(rc, ssl, worker, skipwhite(p+16)); return; } else if(cmdcmp(p, "print_cookie_secrets", 20)) { + if(cmd_no_args(ssl, p, skipwhite(p+20))) + return; do_print_cookie_secrets(ssl, worker); return; } 
@@ -3687,10 +4116,16 @@ } else if(cmdcmp(p, "flush", 5)) { do_flush_name(ssl, worker, skipwhite(p+5)); } else if(cmdcmp(p, "dump_requestlist", 16)) { + if(cmd_no_args(ssl, p, skipwhite(p+16))) + return; do_dump_requestlist(ssl, worker); } else if(cmdcmp(p, "dump_infra", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; do_dump_infra(ssl, worker); } else if(cmdcmp(p, "log_reopen", 10)) { + if(cmd_no_args(ssl, p, skipwhite(p+10))) + return; do_log_reopen(ssl, worker); } else if(cmdcmp(p, "set_option", 10)) { do_set_option(ssl, worker, skipwhite(p+10)); @@ -3707,8 +4142,12 @@ } else if(cmdcmp(p, "add_cookie_secret", 17)) { do_add_cookie_secret(ssl, worker, skipwhite(p+17)); } else if(cmdcmp(p, "drop_cookie_secret", 18)) { + if(cmd_no_args(ssl, p, skipwhite(p+18))) + return; do_drop_cookie_secret(ssl, worker); } else if(cmdcmp(p, "activate_cookie_secret", 22)) { + if(cmd_no_args(ssl, p, skipwhite(p+22))) + return; do_activate_cookie_secret(ssl, worker); } else { (void)ssl_printf(ssl, "error unknown command '%s'\n", p); 
@@ -4348,37 +4787,45 @@ return 1; } -/** fast reload thread, check if config item has changed, if not add to - * the explanatory string. */ +/** fast reload thread, add incompatible option to the explanatory string */ static void -fr_check_changed_cfg(int cmp, const char* desc, char* str, size_t len) +fr_add_incompatible_option(const char* desc, char* str, size_t len) { - if(cmp) { - size_t slen = strlen(str); - size_t desclen = strlen(desc); - if(slen == 0) { - snprintf(str, len, "%s", desc); - return; - } - if(len - slen < desclen+2) - return; /* It does not fit */ - snprintf(str+slen, len-slen, " %s", desc); + size_t slen = strlen(str); + size_t desclen = strlen(desc); + if(slen == 0) { + snprintf(str, len, "%s", desc); + return; } + if(len - slen < desclen+2) + return; /* It does not fit */ + snprintf(str+slen, len-slen, " %s", desc); } +/** fast reload thread, check if config item has changed; thus incompatible */ +#define FR_CHECK_CHANGED_CFG(desc, var, str) \ +do { \ + if(cfg->var != newcfg->var) { \ + fr_add_incompatible_option(desc, str, sizeof(str)); \ + } \ +} while(0); + /** fast reload thread, check if config string has changed, checks NULLs. */ -static void -fr_check_changed_cfg_str(char* cmp1, char* cmp2, const char* desc, char* str, - size_t len) -{ - if((!cmp1 && cmp2) || - (cmp1 && !cmp2) || - (cmp1 && cmp2 && strcmp(cmp1, cmp2) != 0)) { - fr_check_changed_cfg(1, desc, str, len); - } -} +#define FR_CHECK_CHANGED_CFG_STR(desc, var, str) \ +do { \ + if((!cfg->var && newcfg->var) || \ + (cfg->var && !newcfg->var) || \ + (cfg->var && newcfg->var \ + && strcmp(cfg->var, newcfg->var) != 0)) { \ + fr_add_incompatible_option(desc, str, sizeof(str)); \ + } \ +} while(0); /** fast reload thread, check if config strlist has changed. 
*/ +#define FR_CHECK_CHANGED_CFG_STRLIST(desc, var, str) do { \ + fr_check_changed_cfg_strlist(cfg->var, newcfg->var, desc, str, \ + sizeof(str)); \ + } while(0); static void fr_check_changed_cfg_strlist(struct config_strlist* cmp1, struct config_strlist* cmp2, const char* desc, char* str, size_t len) @@ -4389,18 +4836,22 @@ (p1->str && !p2->str) || (p1->str && p2->str && strcmp(p1->str, p2->str) != 0)) { /* The strlist is different. */ - fr_check_changed_cfg(1, desc, str, len); + fr_add_incompatible_option(desc, str, len); return; } p1 = p1->next; p2 = p2->next; } if((!p1 && p2) || (p1 && !p2)) { - fr_check_changed_cfg(1, desc, str, len); + fr_add_incompatible_option(desc, str, len); } } /** fast reload thread, check if config str2list has changed. */ +#define FR_CHECK_CHANGED_CFG_STR2LIST(desc, var, buff) do { \ + fr_check_changed_cfg_str2list(cfg->var, newcfg->var, desc, buff,\ + sizeof(buff)); \ + } while(0); static void fr_check_changed_cfg_str2list(struct config_str2list* cmp1, struct config_str2list* cmp2, const char* desc, char* str, size_t len) @@ -4411,7 +4862,7 @@ (p1->str && !p2->str) || (p1->str && p2->str && strcmp(p1->str, p2->str) != 0)) { /* The str2list is different. */ - fr_check_changed_cfg(1, desc, str, len); + fr_add_incompatible_option(desc, str, len); return; } if((!p1->str2 && p2->str2) || @@ -4419,14 +4870,14 @@ (p1->str2 && p2->str2 && strcmp(p1->str2, p2->str2) != 0)) { /* The str2list is different. */ - fr_check_changed_cfg(1, desc, str, len); + fr_add_incompatible_option(desc, str, len); return; } p1 = p1->next; p2 = p2->next; } if((!p1 && p2) || (p1 && !p2)) { - fr_check_changed_cfg(1, desc, str, len); + fr_add_incompatible_option(desc, str, len); } } 
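Review bot: The `FR_CHECK_CHANGED_CFG*` macros added in the hunks at -4348 and -4389 all end in `} while(0);`, and that trailing semicolon defeats the do/while(0) idiom. An unbraced `if(x) FR_CHECK_CHANGED_CFG(...); else ...` would not compile, and every use expands to an extra empty statement, so the definitions should end in `} while(0)`. The macros also pick up `cfg` and `newcfg` from the caller's scope and size the buffer with `sizeof(str)`, which is the buffer length only when the argument is a real array; a `char*` argument would silently give the pointer size and truncate the explanation. A comment above the definitions would record both constraints, e.g. `/* str must be a char array (sizeof is taken); uses cfg and newcfg from the enclosing scope */`.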
@@ -4440,98 +4891,54 @@ changed_str[0]=0; /* Find incompatible options, and if so, print an error. */ - fr_check_changed_cfg(cfg->num_threads != newcfg->num_threads, - "num-threads", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->do_ip4 != newcfg->do_ip4, - "do-ip4", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->do_ip6 != newcfg->do_ip6, - "do-ip6", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->do_udp != newcfg->do_udp, - "do-udp", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->do_tcp != newcfg->do_tcp, - "do-tcp", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->port != newcfg->port, - "port", changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("num-threads", num_threads, changed_str); + FR_CHECK_CHANGED_CFG("do-ip4", do_ip4, changed_str); + FR_CHECK_CHANGED_CFG("do-ip6", do_ip6, changed_str); + FR_CHECK_CHANGED_CFG("do-udp", do_udp, changed_str); + FR_CHECK_CHANGED_CFG("do-tcp", do_tcp, changed_str); + FR_CHECK_CHANGED_CFG("port", port, changed_str); /* But cfg->outgoing_num_ports has been changed at startup, * possibly to reduce it, so do not check it here. 
*/ - fr_check_changed_cfg(cfg->outgoing_num_tcp != newcfg->outgoing_num_tcp, - "outgoing-num-tcp", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->incoming_num_tcp != newcfg->incoming_num_tcp, - "incoming-num-tcp", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->num_out_ifs != newcfg->num_out_ifs, - "outgoing-interface", changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("outgoing-num-tcp", outgoing_num_tcp, changed_str); + FR_CHECK_CHANGED_CFG("incoming-num-tcp", incoming_num_tcp, changed_str); + FR_CHECK_CHANGED_CFG("outgoing-interface", num_out_ifs, changed_str); if(cfg->num_out_ifs == newcfg->num_out_ifs) { for(i=0; inum_out_ifs; i++) - fr_check_changed_cfg(strcmp(cfg->out_ifs[i], - newcfg->out_ifs[i]) != 0, "outgoing-interface", - changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG_STR("outgoing-interface", + out_ifs[i], changed_str); } - fr_check_changed_cfg(cfg->num_ifs != newcfg->num_ifs, - "interface", changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("interface", num_ifs, changed_str); if(cfg->num_ifs == newcfg->num_ifs) { for(i=0; inum_ifs; i++) - fr_check_changed_cfg(strcmp(cfg->ifs[i], - newcfg->ifs[i]) != 0, "interface", - changed_str, sizeof(changed_str)); - } - fr_check_changed_cfg(cfg->if_automatic != newcfg->if_automatic, - "interface-automatic", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->so_rcvbuf != newcfg->so_rcvbuf, - "so-rcvbuf", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->so_sndbuf != newcfg->so_sndbuf, - "so-sndbuf", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->so_reuseport != newcfg->so_reuseport, - "so-reuseport", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->ip_transparent != newcfg->ip_transparent, - "ip-transparent", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->ip_freebind != newcfg->ip_freebind, - "ip-freebind", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->udp_connect != 
newcfg->udp_connect, - "udp-connect", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->msg_buffer_size != newcfg->msg_buffer_size, - "msg-buffer-size", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->do_tcp_keepalive != newcfg->do_tcp_keepalive, - "edns-tcp-keepalive", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->tcp_keepalive_timeout != newcfg->tcp_keepalive_timeout, - "edns-tcp-keepalive-timeout", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->tcp_idle_timeout != newcfg->tcp_idle_timeout, - "tcp-idle-timeout", changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG_STR("interface", + ifs[i], changed_str); + } + FR_CHECK_CHANGED_CFG("interface-automatic", if_automatic, changed_str); + FR_CHECK_CHANGED_CFG("so-rcvbuf", so_rcvbuf, changed_str); + FR_CHECK_CHANGED_CFG("so-sndbuf", so_sndbuf, changed_str); + FR_CHECK_CHANGED_CFG("so-reuseport", so_reuseport, changed_str); + FR_CHECK_CHANGED_CFG("ip-transparent", ip_transparent, changed_str); + FR_CHECK_CHANGED_CFG("ip-freebind", ip_freebind, changed_str); + FR_CHECK_CHANGED_CFG("udp-connect", udp_connect, changed_str); + FR_CHECK_CHANGED_CFG("msg-buffer-size", msg_buffer_size, changed_str); + FR_CHECK_CHANGED_CFG("edns-tcp-keepalive", do_tcp_keepalive, changed_str); + FR_CHECK_CHANGED_CFG("edns-tcp-keepalive-timeout", tcp_keepalive_timeout, changed_str); + FR_CHECK_CHANGED_CFG("tcp-idle-timeout", tcp_idle_timeout, changed_str); /* Not changed, only if DoH is used, it is then stored in commpoints, * as well as used from cfg. 
*/ - fr_check_changed_cfg( - cfg->harden_large_queries != newcfg->harden_large_queries, - "harden-large-queries", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->http_max_streams != newcfg->http_max_streams, - "http-max-streams", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->http_endpoint, newcfg->http_endpoint, - "http-endpoint", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->http_notls_downstream != newcfg->http_notls_downstream, - "http_notls_downstream", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->https_port != newcfg->https_port, - "https-port", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->ssl_port != newcfg->ssl_port, - "tls-port", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->ssl_service_key, newcfg->ssl_service_key, - "tls-service-key", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->ssl_service_pem, newcfg->ssl_service_pem, - "tls-service-pem", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->tls_cert_bundle, newcfg->tls_cert_bundle, - "tls-cert-bundle", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_strlist(cfg->proxy_protocol_port, - newcfg->proxy_protocol_port, "proxy-protocol-port", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_strlist(cfg->tls_additional_port, - newcfg->tls_additional_port, "tls-additional-port", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->if_automatic_ports, - newcfg->if_automatic_ports, "interface-automatic-ports", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->udp_upstream_without_downstream != - newcfg->udp_upstream_without_downstream, - "udp-upstream-without-downstream", changed_str, - sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("harden-large-queries", harden_large_queries, changed_str); + FR_CHECK_CHANGED_CFG("http-max-streams", http_max_streams, changed_str); + FR_CHECK_CHANGED_CFG_STR("http-endpoint", 
http_endpoint, changed_str); + FR_CHECK_CHANGED_CFG("http_notls_downstream", http_notls_downstream, changed_str); + FR_CHECK_CHANGED_CFG("https-port", https_port, changed_str); + FR_CHECK_CHANGED_CFG("tls-port", ssl_port, changed_str); + FR_CHECK_CHANGED_CFG_STR("tls-service-key", ssl_service_key, changed_str); + FR_CHECK_CHANGED_CFG_STR("tls-service-pem", ssl_service_pem, changed_str); + FR_CHECK_CHANGED_CFG_STR("tls-cert-bundle", tls_cert_bundle, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("proxy-protocol-port", proxy_protocol_port, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("tls-additional-port", tls_additional_port, changed_str); + FR_CHECK_CHANGED_CFG_STR("interface-automatic-ports", if_automatic_ports, changed_str); + FR_CHECK_CHANGED_CFG("udp-upstream-without-downstream", udp_upstream_without_downstream, changed_str); if(changed_str[0] != 0) { /* The new config changes some items that do not work with @@ -4549,7 +4956,7 @@ /** fast reload thread, check nopause config items */ static int -fr_check_nopause_cfg(struct fast_reload_thread* fr, struct config_file* newcfg) +fr_check_nopause_compat_cfg(struct fast_reload_thread* fr, struct config_file* newcfg) { char changed_str[1024]; struct config_file* cfg = fr->worker->env.cfg; 
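Review bot: In the hunk at -4440 the description string `"http_notls_downstream"` is carried over with underscores, while every other entry in the list uses the dashed option spelling. The string ends up in the explanation shown to the operator, so it should match the name they would search for in the config: `FR_CHECK_CHANGED_CFG("http-notls-downstream", http_notls_downstream, changed_str);`. The enclosing function starts before the hunk, so how `changed_str` is declared there is not visible.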
@@ -4558,94 +4965,43 @@ changed_str[0]=0; /* Check for iter_env. */ - fr_check_changed_cfg( - cfg->outbound_msg_retry != newcfg->outbound_msg_retry, - "outbound-msg-retry", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->max_sent_count != newcfg->max_sent_count, - "max-sent-count", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->max_query_restarts != newcfg->max_query_restarts, - "max-query-restarts", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(strcmp(cfg->target_fetch_policy, - newcfg->target_fetch_policy) != 0, - "target-fetch-policy", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->donotquery_localhost != newcfg->donotquery_localhost, - "do-not-query-localhost", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_strlist(cfg->donotqueryaddrs, - newcfg->donotqueryaddrs, "do-not-query-localhost", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_strlist(cfg->private_address, - newcfg->private_address, "private-address", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_strlist(cfg->private_domain, - newcfg->private_domain, "private-domain", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_strlist(cfg->caps_whitelist, - newcfg->caps_whitelist, "caps-exempt", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->do_nat64 != newcfg->do_nat64, - "do-nat64", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->nat64_prefix, newcfg->nat64_prefix, - "nat64-prefix", changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("outbound-msg-retry", outbound_msg_retry, changed_str); + FR_CHECK_CHANGED_CFG("max-sent-count", max_sent_count, changed_str); + FR_CHECK_CHANGED_CFG("max-query-restarts", max_query_restarts, changed_str); + FR_CHECK_CHANGED_CFG_STR("target-fetch-policy", target_fetch_policy, changed_str); + FR_CHECK_CHANGED_CFG("do-not-query-localhost", donotquery_localhost, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("do-not-query-address", 
donotqueryaddrs, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("private-address", private_address, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("private-domain", private_domain, changed_str); + FR_CHECK_CHANGED_CFG_STRLIST("caps-exempt", caps_whitelist, changed_str); + FR_CHECK_CHANGED_CFG("do-nat64", do_nat64, changed_str); + FR_CHECK_CHANGED_CFG_STR("nat64-prefix", nat64_prefix, changed_str); /* Check for val_env. */ - fr_check_changed_cfg(cfg->bogus_ttl != newcfg->bogus_ttl, - "val-bogus-ttl", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->val_date_override != newcfg->val_date_override, - "val-date-override", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->val_sig_skew_min != newcfg->val_sig_skew_min, - "val-sig-skew-min", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->val_sig_skew_max != newcfg->val_sig_skew_max, - "val-sig-skew-max", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(cfg->val_max_restart != newcfg->val_max_restart, - "val-max-restart", changed_str, sizeof(changed_str)); - fr_check_changed_cfg(strcmp(cfg->val_nsec3_key_iterations, - newcfg->val_nsec3_key_iterations) != 0, - "val-nsec3-keysize-iterations", changed_str, - sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("val-bogus-ttl", bogus_ttl, changed_str); + FR_CHECK_CHANGED_CFG("val-date-override", val_date_override, changed_str); + FR_CHECK_CHANGED_CFG("val-sig-skew-min", val_sig_skew_min, changed_str); + FR_CHECK_CHANGED_CFG("val-sig-skew-max", val_sig_skew_max, changed_str); + FR_CHECK_CHANGED_CFG("val-max-restart", val_max_restart, changed_str); + FR_CHECK_CHANGED_CFG_STR("val-nsec3-keysize-iterations", + val_nsec3_key_iterations, changed_str); /* Check for infra. 
*/ - fr_check_changed_cfg(cfg->host_ttl != newcfg->host_ttl, - "infra-host-ttl", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->infra_keep_probing != newcfg->infra_keep_probing, - "infra-keep-probing", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->ratelimit != newcfg->ratelimit, - "ratelimit", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->ip_ratelimit != newcfg->ip_ratelimit, - "ip-ratelimit", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->ip_ratelimit_cookie != newcfg->ip_ratelimit_cookie, - "ip-ratelimit-cookie", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str2list(cfg->wait_limit_netblock, - newcfg->wait_limit_netblock, "wait-limit-netblock", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str2list(cfg->wait_limit_cookie_netblock, - newcfg->wait_limit_cookie_netblock, - "wait-limit-cookie-netblock", changed_str, - sizeof(changed_str)); - fr_check_changed_cfg_str2list(cfg->ratelimit_below_domain, - newcfg->ratelimit_below_domain, "ratelimit-below-domain", - changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str2list(cfg->ratelimit_for_domain, - newcfg->ratelimit_for_domain, "ratelimit-for-domain", - changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("infra-host-ttl", host_ttl, changed_str); + FR_CHECK_CHANGED_CFG("infra-keep-probing", infra_keep_probing, changed_str); + FR_CHECK_CHANGED_CFG("ratelimit", ratelimit, changed_str); + FR_CHECK_CHANGED_CFG("ip-ratelimit", ip_ratelimit, changed_str); + FR_CHECK_CHANGED_CFG("ip-ratelimit-cookie", ip_ratelimit_cookie, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("wait-limit-netblock", wait_limit_netblock, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("wait-limit-cookie-netblock", wait_limit_cookie_netblock, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("ratelimit-below-domain", ratelimit_below_domain, changed_str); + FR_CHECK_CHANGED_CFG_STR2LIST("ratelimit-for-domain", ratelimit_for_domain, changed_str); 
/* Check for dnstap. */ - fr_check_changed_cfg( - cfg->dnstap_send_identity != newcfg->dnstap_send_identity, - "dnstap-send-identity", changed_str, sizeof(changed_str)); - fr_check_changed_cfg( - cfg->dnstap_send_version != newcfg->dnstap_send_version, - "dnstap-send-version", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->dnstap_identity, newcfg->dnstap_identity, - "dnstap-identity", changed_str, sizeof(changed_str)); - fr_check_changed_cfg_str(cfg->dnstap_version, newcfg->dnstap_version, - "dnstap-version", changed_str, sizeof(changed_str)); + FR_CHECK_CHANGED_CFG("dnstap-send-identity", dnstap_send_identity, changed_str); + FR_CHECK_CHANGED_CFG("dnstap-send-version", dnstap_send_version, changed_str); + FR_CHECK_CHANGED_CFG_STR("dnstap-identity", dnstap_identity, changed_str); + FR_CHECK_CHANGED_CFG_STR("dnstap-version", dnstap_version, changed_str); if(changed_str[0] != 0) { /* The new config changes some items that need a pause, @@ -5507,7 +5863,7 @@ COPY_VAR_ptr(tls_cert_bundle); COPY_VAR_int(tls_win_cert); COPY_VAR_ptr(tls_additional_port); - /* The first is used to walk throught the list but last is + /* The first is used to walk through the list but last is * only used during config read. */ COPY_VAR_ptr(tls_session_ticket_keys.first); COPY_VAR_ptr(tls_session_ticket_keys.last); @@ -5694,7 +6050,7 @@ tagname, num_tags */ COPY_VAR_int(remote_control_enable); - /* The first is used to walk throught the list but last is + /* The first is used to walk through the list but last is * only used during config read. */ COPY_VAR_ptr(control_ifs.first); COPY_VAR_ptr(control_ifs.last); @@ -6193,7 +6549,7 @@ config_delete(newcfg); return 0; } - if(!fr_check_nopause_cfg(fr, newcfg)) { + if(!fr_check_nopause_compat_cfg(fr, newcfg)) { config_delete(newcfg); return 0; } 
@@ -7131,6 +7487,7 @@ xfr->serial = 0; } } + auth_zone_pickup_initial_zone(item->new_z, &worker->env); lock_rw_unlock(&item->new_z->lock); lock_rw_unlock(&worker->env.auth_zones->lock); lock_rw_unlock(&worker->daemon->fast_reload_thread->old_auth_zones->lock); @@ -7257,7 +7614,7 @@ fast_reload_worker_pickup_changes(struct worker* worker) { /* The pickup of changes is called when the fast reload has - * a syncronized moment, and all the threads are paused and the + * a synchronized moment, and all the threads are paused and the * reload has been applied. Then the worker can pick up the new * changes and store them in worker-specific structs. * The pickup is also called when there is no pause, and then diff --git a/contrib/unbound/daemon/stats.c b/contrib/unbound/daemon/stats.c --- a/contrib/unbound/daemon/stats.c +++ b/contrib/unbound/daemon/stats.c @@ -273,6 +273,7 @@ /* add in the values from the mesh */ s->svr.ans_secure += (long long)worker->env.mesh->ans_secure; s->svr.ans_bogus += (long long)worker->env.mesh->ans_bogus; + s->svr.val_ops += (long long)worker->env.mesh->val_ops; s->svr.ans_rcode_nodata += (long long)worker->env.mesh->ans_nodata; s->svr.ans_expired += (long long)worker->env.mesh->ans_expired; for(i=0; isvr.ans_rcode_nodata += a->svr.ans_rcode_nodata; total->svr.ans_secure += a->svr.ans_secure; total->svr.ans_bogus += a->svr.ans_bogus; + total->svr.val_ops += a->svr.val_ops; total->svr.unwanted_replies += a->svr.unwanted_replies; total->svr.unwanted_queries += a->svr.unwanted_queries; total->svr.tcp_accept_usage += a->svr.tcp_accept_usage; diff --git a/contrib/unbound/daemon/unbound.c b/contrib/unbound/daemon/unbound.c --- a/contrib/unbound/daemon/unbound.c +++ b/contrib/unbound/daemon/unbound.c 
@@ -174,7 +174,7 @@ checkrlimits(struct config_file* cfg) { #ifndef S_SPLINT_S -#ifdef HAVE_GETRLIMIT +#if defined(HAVE_GETRLIMIT) && !defined(unbound_testbound) /* list has number of ports to listen to, ifs number addresses */ int list = ((cfg->do_udp?1:0) + (cfg->do_tcp?1 + (int)cfg->incoming_num_tcp:0)); @@ -463,11 +463,11 @@ #endif /* HAVE_DAEMON */ } +#ifdef HAVE_SSL /* setup a listening ssl context, fatal_exit() on any failure */ static void setup_listen_sslctx(void** ctx, int is_dot, int is_doh, struct config_file* cfg) { -#ifdef HAVE_SSL if(!(*ctx = listen_sslctx_create( cfg->ssl_service_key, cfg->ssl_service_pem, NULL, cfg->tls_ciphers, cfg->tls_ciphersuites, @@ -476,10 +476,8 @@ is_dot, is_doh))) { fatal_exit("could not set up listen SSL_CTX"); } -#else /* HAVE_SSL */ - (void)ctx;(void)is_dot;(void)is_doh;(void)cfg; -#endif /* HAVE_SSL */ } +#endif /* HAVE_SSL */ /* setups the needed ssl contexts, fatal_exit() on any failure */ static void @@ -747,6 +745,7 @@ "the commandline to see more errors, " "or unbound-checkconf", cfgfile); log_warn("Continuing with default config settings"); + config_auto_slab_values(cfg); } apply_settings(daemon, cfg, cmdline_verbose, debug_mode); if(!done_setup) diff --git a/contrib/unbound/daemon/worker.c b/contrib/unbound/daemon/worker.c --- a/contrib/unbound/daemon/worker.c +++ b/contrib/unbound/daemon/worker.c @@ -1707,6 +1707,7 @@ repinfo->client_addrlen, edns.cookie_valid, c->buffer)) { worker->stats.num_queries_ip_ratelimited++; + regional_free_all(worker->scratchpad); comm_point_drop_reply(repinfo); return 0; } 
@@ -1818,8 +1819,9 @@ goto send_reply; } if(worker->env.auth_zones && - auth_zones_answer(worker->env.auth_zones, &worker->env, - &qinfo, &edns, repinfo, c->buffer, worker->scratchpad)) { + auth_zones_downstream_answer(worker->env.auth_zones, + &worker->env, &qinfo, &edns, repinfo, c->buffer, + worker->scratchpad)) { regional_free_all(worker->scratchpad); if(sldns_buffer_limit(c->buffer) == 0) { comm_point_drop_reply(repinfo); @@ -1872,20 +1874,11 @@ /* If we've found a local alias, replace the qname with the alias * target before resolving it. */ if(qinfo.local_alias) { - struct ub_packed_rrset_key* rrset = qinfo.local_alias->rrset; - struct packed_rrset_data* d = rrset->entry.data; - - /* Sanity check: our current implementation only supports - * a single CNAME RRset as a local alias. */ - if(qinfo.local_alias->next || - rrset->rk.type != htons(LDNS_RR_TYPE_CNAME) || - d->count != 1) { - log_err("assumption failure: unexpected local alias"); + if(!local_alias_shallow_copy_qname(qinfo.local_alias, &qinfo.qname, + &qinfo.qname_len)) { regional_free_all(worker->scratchpad); return 0; /* drop it */ } - qinfo.qname = d->rr_data[0] + 2; - qinfo.qname_len = d->rr_len[0] - 2; } /* If we may apply IP-based actions to the answer, build the client diff --git a/contrib/unbound/dns64/dns64.c b/contrib/unbound/dns64/dns64.c --- a/contrib/unbound/dns64/dns64.c +++ b/contrib/unbound/dns64/dns64.c @@ -631,7 +631,7 @@ /* When an AAAA query completes check if we want to perform DNS64 * synthesis. We skip queries with DNSSEC enabled (!CD) and - * ones generated by us to retrive the A/PTR record to use for + * ones generated by us to retrieve the A/PTR record to use for * synth. */ int could_synth = qstate->qinfo.qtype == LDNS_RR_TYPE_AAAA && diff --git a/contrib/unbound/dnstap/dnstap.c b/contrib/unbound/dnstap/dnstap.c --- a/contrib/unbound/dnstap/dnstap.c +++ b/contrib/unbound/dnstap/dnstap.c 
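Review bot: In the hunk at -1872 the inline sanity check (single alias, CNAME type, exactly one record) moves into `local_alias_shallow_copy_qname`, whose body is not shown here. It is worth confirming that the helper keeps all three checks and also rejects an `rr_len[0]` smaller than 2, which the removed `d->rr_len[0] - 2` never guarded against. The visible drop path no longer calls `log_err`, so unless the helper logs, a malformed local alias now produces a silent drop. Judging by the helper's name, `qinfo.qname` still points into the alias rrset data rather than a copy; if so, a comment at the call such as `/* qname now aliases the local_alias rrset data; no copy is made */` would record that lifetime dependency.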
@@ -542,7 +542,7 @@ qflags = sldns_buffer_read_u16_at(qmsg, 2); /* type */ - if (qflags & BIT_RD) { + if ((qflags & BIT_RD)) { if (!env->log_forwarder_query_messages) return; dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_QUERY); @@ -599,7 +599,7 @@ qflags = ntohs(qflags); /* type */ - if (qflags & BIT_RD) { + if ((qflags & BIT_RD)) { if (!env->log_forwarder_response_messages) return; dt_msg_init(env, &dm, DNSTAP__MESSAGE__TYPE__FORWARDER_RESPONSE); diff --git a/contrib/unbound/dnstap/dnstap.m4 b/contrib/unbound/dnstap/dnstap.m4 --- a/contrib/unbound/dnstap/dnstap.m4 +++ b/contrib/unbound/dnstap/dnstap.m4 
@@ -18,10 +18,41 @@ [opt_dnstap_socket_path="$1"]) if test "x$opt_dnstap" != "xno"; then - AC_PATH_PROG([PROTOC_C], [protoc-c]) - if test -z "$PROTOC_C"; then - AC_MSG_ERROR([The protoc-c program was not found. Please install protobuf-c!]) - fi + AC_PATH_PROG([PROTOC], [protoc]) + # 'protoc-c' is deprecated. We use 'protoc' instead. If it can not be + # found, try 'protoc-c'. + if test -z "$PROTOC"; then + AC_PATH_PROG([PROTOC_C], [protoc-c]) + else + PROTOC_C="$PROTOC" + fi + if test -z "$PROTOC_C"; then + AC_MSG_ERROR([[The protoc or protoc-c program was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c to provide protoc or protoc-c]]) + fi + + # Check for protoc-gen-c plugin + AC_PATH_PROG([PROTOC_GEN_C], [protoc-gen-c]) + if test -z "$PROTOC_GEN_C"; then + AC_MSG_ERROR([[The protoc-gen-c plugin was not found. It is needed for dnstap, use --disable-dnstap, or install protobuf-c-compiler to provide protoc-gen-c]]) + fi + + # Test that protoc-gen-c actually works + AC_MSG_CHECKING([if protoc-gen-c plugin works]) + cat > conftest.proto << EOF +syntax = "proto2"; +message TestMessage { + optional string test_field = 1; +} +EOF + if $PROTOC_C --c_out=. conftest.proto >/dev/null 2>&1; then + AC_MSG_RESULT([yes]) + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + else + AC_MSG_RESULT([no]) + rm -f conftest.proto conftest.pb-c.c conftest.pb-c.h + AC_MSG_ERROR([[The protoc-gen-c plugin is not working properly. Please ensure protobuf-c-compiler is properly installed]]) + fi + AC_ARG_WITH([protobuf-c], AS_HELP_STRING([--with-protobuf-c=path], [Path where protobuf-c is installed, for dnstap]), [ diff --git a/contrib/unbound/dnstap/dnstap.proto b/contrib/unbound/dnstap/dnstap.proto --- a/contrib/unbound/dnstap/dnstap.proto +++ b/contrib/unbound/dnstap/dnstap.proto 
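Review bot: The plugin smoke test redirects everything to `/dev/null`, so a failure leaves the user with only "not working properly" and nothing from protoc in config.log. `$PROTOC_C` is also expanded unquoted, which breaks if the detected path contains whitespace. Sending the output to the configure log and quoting the program addresses both: `if "$PROTOC_C" --c_out=. conftest.proto >&AS_MESSAGE_LOG_FD 2>&1; then`. When `protoc` is found, the `protoc-c` fallback is skipped entirely, so a comment noting that the later functional test is what validates that choice would help the next reader.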
@@ -98,7 +98,7 @@ // rule: the rule matched by the message. // // In a RPZ context, this is the owner name of the rule in - // the Reponse Policy Zone in wire format. + // the Response Policy Zone in wire format. optional bytes rule = 2; // action: the policy action taken in response to the diff --git a/contrib/unbound/dnstap/dtstream.c b/contrib/unbound/dnstap/dtstream.c --- a/contrib/unbound/dnstap/dtstream.c +++ b/contrib/unbound/dnstap/dtstream.c @@ -1509,7 +1509,7 @@ } #endif - if((bits&UB_EV_READ || dtio->ssl_brief_write)) { + if((bits&UB_EV_READ) || dtio->ssl_brief_write) { #ifdef HAVE_SSL if(dtio->ssl_brief_write) (void)dtio_disable_brief_write(dtio); diff --git a/contrib/unbound/doc/Changelog b/contrib/unbound/doc/Changelog --- a/contrib/unbound/doc/Changelog +++ b/contrib/unbound/doc/Changelog 
@@ -1,3 +1,270 @@ +17 September 2025: Yorgos + - Too many quotes for the EDE message debug printout. + +15 September 2025: Yorgos + - Small debug output improvement when attaching an EDE. + +15 September 2025: Wouter + - Fix to print warning for when so-sndbuf setsockopt is not granted. + +11 September 2025: Wouter + - version set to 1.24.0 for release. + - tag for 1.24.0rc1. + - Update contrib/aaaa-filter-iterator.patch so it applies on 1.24.0. + +9 September 2025: Wouter + - Fix #1332: CNAME chains are sometimes not followed when RPZs add a + local CNAME rewrite. + +8 September 2025: Yorgos + - Update documentation for using "SET ... EX" in Redis. + - Document max buffer sizes for Redis commands. + - Update man pages. + +3 September 2025: Wouter + - For #1328: make depend. + +2 September 2025: Wouter + - Fix #1235: Outdated Python2 code in + unbound/pythonmod/examples/log.py. + - Fix #1324: Memory leak in 'msgparse.c' in + 'parse_edns_options_from_query(...)'. + - Fix indentation in tcp-mss option parsing. + +1 September 2025: Wouter + - Fix for #1324: Fix to free edns options scratch in ratelimit case. + +29 August 2025: Yorgos + - Limit the number of consecutive reads on an HTTP/2 session. + Thanks to Gal Bar Nahum for exposing the possibility of infinite + reads on the session. + +28 August 2025: Wouter + - Fix setup_listen_sslctx warning for nettle compile. + +27 August 2025: Wouter + - Fix unbound-control dump_cache for double unlock of lruhash table. + +26 August 2025: Wouter + - Fix ports workflow to install expat for macos. + +22 August 2025: Wouter + - For #1318: Fix compile warnings for DoH compile on windows. + - Fix sha1 enable environment variable in test code on windows. + - Fix #1319: [FR] zone status for Unbound auth-zones. + - Fix that the zone acquired timestamp is set after the + zonefile is read. 
+ +21 August 2025: Wouter + - Fix to check for extraneous command arguments for unbound-control, + when the command takes no arguments but there are arguments present. + - Fix #1317: Unbound starts too early. Add + Wants=network-online.target under [Unit] in unbound.service. + - Fix for #1317: Fix contrib/unbound.service comment path for + systemd network configuration. + +15 August 2025: Wouter + - unbound-control cache_lookup +t allows tld and root names. And + subnet cache contents are printed. + - Fix cache_lookup subnet printout to wipe zero part of the prefix. + - Fix cache_lookup subnet print to not print messages without rrsets + and perform in-depth check on node in the addrtree. + +14 August 2025: Wouter + - Fix to increase responsiveness of dump_cache. + - Fix to decouple file descriptor activity and cache lookups in + dump_cache. + +13 August 2025: Wouter + - unbound-control cache_lookup prints the cached rrsets + and messages for those. + - Fix to remove debug from cache_lookup. + - Fix to unlock cache_lookup message for malformed records. + +12 August 2025: Wouter + - Fix that unbound-control dump_cache releases the cache locks + every so often, so that the server stays responsive. + +7 August 2025: Wouter + - Fix dname_str for printout of long names. Thanks to Jan Komissar + for the fix. + - Fix that edns-subnet failure to create a subquery errors as + servfail, and not formerror. + - Fix to whitespace in dname_str. + +6 August 2025: Wouter + - Fix edns subnet, so that the subquery without subnet is stored in + global cache if the querier used 0.0.0.0/0 and the name and address + do not receive subnet treatment. If the name and address are + configured for subnet, it is stored in the subnet cache. + +5 August 2025: Wouter + - Fix #1309: incorrectly reclaimed tcp handler can cause data + corruption and segfault. + - Fix to use assertions for consistency checks in #1309 reclaimed + tcp handlers. 
+ +1 August 2025: Wouter + - Fix testbound test program to accurately output packets from hex. + +28 July 2025: Wouter + - Fix redis cachedb module gettimeofday init failure. + +24 July 2025: Wouter + - Redis checks for server down and throttles reconnects. + +17 July 2025: Wouter + - Fix to not set rlimits in the unit tests. + - Fix #1303: [FR] Disable TLSv1.2. + - iana portlist updated. + +16 July 2025: Wouter + - Fix for RebirthDay Attack CVE-2025-5994, reported by Xiang Li + from AOSP Lab Nankai University. + - Tag for 1.23.1 with the release of 1.23.0 and the CVE fix, the + repository continues with the previous fixes, with 1.23.2. + - Add unit tests for non-ecs aggregation. + +12 July 2025: Yorgos + - Merge #1289 from Roland van Rijswijk-Deij: Add extra statistic to + track the number of signature validation operations. + Adds 'num.valops' to extended statistics. + - For #1289: test num.valops in existing stat_values.tdir. + - For #1289: add num.valops in the unbound-control man page. + +11 July 2025: Wouter + - Fix detection of SSL_CTX_set_tmp_ecdh function. + - For #1301: configure cant find SSL_is_quic in OpenSSL 3.5.1. + +8 July 2025: Wouter + - Fix to improve dnstap discovery on Fedora. + +3 July 2025: Wouter + - Fix #1300: Is 'sock-queue-timeout' a linux only feature. + - For #1300: implement sock-queue-timeout for FreeBSD as well. + - Fix layout of comm_point_udp_ancil_callback. + +2 July 2025: Wouter + - Merge #1299: Fix typos. + - Generate ltmain.sh and configure again. + +25 June 2025: Yorgos + - Fix #1247: forward-first: ssl handshake failed on root nameservers. + - For #1247, turn off fetch-policy for delegation when looking into + parent side name servers that may not update the addresses and hit + NXNS limits. + - For #1247, replay test (added tcp_transport to + outnet_serviced_query). + +20 June 2025: Yorgos + - Fix #1293: EDE 6 is attached to insecure cached answers when client + sends the CD bit. 
+ +19 June 2025: Wouter + - Fix #1296: DNS over QUIC depends on a very outdated version of + ngtcp2. Fixed so it works with ngtcp2 1.13.0 and OpenSSL 3.5.0. + - Merge #1297: edns-subnet: fix NULL_AFTER_DEREF on subnetmod. + - Fix rrset cache create allocation failure case. + +17 June 2025: Yorgos + - Fix for consistent use of local zone CNAME alias for configured auth + zones. Now it also applies to downstream configured auth zones. + +16 June 2025: Wouter + - Fix to check control-interface addresses in unbound-checkconf. + - Fix #1295: Windows 32-bit binaries download seems to be missing dll + dependency. + +12 June 2025: Wouter + - Fix header return value description for skip_pkt_rrs and + parse_edns_from_query_pkt. + +11 June 2025: Wouter + - Fix bitwise operators in conditional expressions with parentheses. + - Fix conditional expressions with parentheses for bitwise and. + +5 June 2025: Wouter + - Fix unbound-anchor certificate file read for line ends and end of + file. + - Fix comment for the dname_remove_label_limit_len function. + - iana portlist updated. + +3 June 2025: Yorgos + - Small manpage corrections for the 'disable-dnssec-lame-check' option. + +21 May 2025: Wouter + - Fix #1288: [FR] Improve fuzzing of unbound by adapting the netbound + program. + +20 May 2025: Yorgos + - Merge #1285: RST man pages. It introduces restructuredText man pages + to sync the online and source code man page documentation. + The templated man pages (*.in) are still part of the repo but + generated with docutils from their .rst counterpart. + Documentation on how to generate those (mainly for core developers) + is in README.man. + - Add more checks about respip in unbound-checkconf. + Also fixes #310: unbound-checkconf not reporting RPZ configuration + error. + +19 May 2025: Wouter + - Fix for cname chain length with qtype ANY and qname minimisation. + Thanks to Jim Greenwood from Nominet for the report. 
+ +15 May 2025: Wouter + - Fix config of slab values when there is no config file. + +13 May 2025: Yorgos + - Fix #1284: NULL pointer deref in az_find_nsec_cover() (latent bug) + by adding a log_assert() to safeguard future development. + - Fix #1282: log-destaddr fail on long ipv6 addresses. + +13 May 2025: Wouter + - Change default for so-sndbuf to 1m, to mitigate a cross-layer + issue where the UDP socket send buffers are exhausted waiting + for ARP/NDP resolution. Thanks to Reflyable for the report. + - Adjusted so-sndbuf default to 4m. + +12 May 2025: Yorgos + - Merge #1280: Fix auth nsec3 code. Fixes NSEC3 code to not break on + broken auth zones that include unsigned out of zone (above apex) + data. Could lead to hang while trying to prove a wildcard answer. + +12 May 2025: Wouter + - Fix #1283: Unsafe usage of atoi() while parsing the configuration + file. + +9 May 2025: Wouter + - Fix #1281: forward-zone "name: ." conflicts with auth-zone "name: ." + in 1.23.0, but worked in 1.22.0. + +5 May 2025: Yorgos + - Sync unbound and unbound-checkconf log output for unknown modules. + +29 April 2025: Wouter + - Fix for parallel build of dnstap protoc-c output. + - Fix dnstap to use protoc. + +29 April 2025: Yorgos + - Merge #1276: Auto-configure '-slabs' values. + +28 April 2025: Yorgos + - Merge #1275: Use macros for the fr_check_changed* functions. + +25 April 2025: Wouter + - Fix #1272: assertion failure testcode/unitverify.c:202. + +16 April 2025: Wouter + - Increase default to `num-queries-per-thread: 2048`, when unbound is + compiled with libevent. It makes saturation of the task queue more + resource intensive and less practical. Thanks to Shiming Liu, + Network and Information Security Lab, Tsinghua University for the + report. + +11 April 2025: Wouter + - Tag for 1.23.0rc2. This became the release of 1.23.0 on 24 April + 2025. The code repository continues with 1.23.1 in development. + 11 April 2025: Yorgos - Merge #1265: Fix WSAPoll. 
@@ -651,7 +918,7 @@ now checks both single and multi process/thread operation. 16 May 2024: Yorgos - - Merge #1070: Fix rtt assignement for low values of + - Merge #1070: Fix rtt assignment for low values of infra-cache-max-rtt. 16 May 2024: Wouter @@ -1059,7 +1326,7 @@ 13 October 2023: George - Better fix for infinite loop when reading multiple lines of input on a broken remote control socket, by treating a zero byte line the - same as transmission end. Addesses #947 and #948. + same as transmission end. Addresses #947 and #948. 12 October 2023: Wouter - Merge #944: Disable EDNS DO. @@ -1082,7 +1349,7 @@ 10 October 2023: George - Fix infinite loop when reading multiple lines of input on a broken - remote control socket. Addesses #947 and #948. + remote control socket. Addresses #947 and #948. 9 October 2023: Wouter - Fix edns subnet so that queries with a source prefix of zero cause @@ -1515,7 +1782,7 @@ - Ignore expired error responses. 11 November 2022: Wouter - - Fix #779: [doc] Missing documention in ub_resolve_event() for + - Fix #779: [doc] Missing documentation in ub_resolve_event() for callback parameter was_ratelimited. 9 November 2022: George @@ -2479,7 +2746,7 @@ not hang. removed trailing slashes from configure paths. Moved iOS tests to allow-failure. - travis, analyzer disabled on test without debug, that does not - run anway. Turn off failing tests except one. Update iOS test + run anyway. Turn off failing tests except one. Update iOS test to xcode image 12.2. 22 March 2021: George @@ -2568,7 +2835,7 @@ - Fix build on Python 3.10. 10 February 2021: Wouter - - Merge PR #420 from dyunwei: DOH not responsing with + - Merge PR #420 from dyunwei: DOH not responding with "http2_query_read_done failure" logged. 9 February 2021: Wouter 
@@ -2968,7 +3235,7 @@ 6 August 2020: Wouter - Merge PR #284 and Fix #246: Remove DLV entirely from Unbound. - The DLV has been decommisioned and in unbound 1.5.4, in 2015, there + The DLV has been decommissioned and in unbound 1.5.4, in 2015, there was advise to stop using it. The current code base does not contain DLV code any more. The use of dlv options displays a warning. @@ -3517,7 +3784,7 @@ 3 December 2019: Wouter - Merge pull request #124 from rmetrich: Changed log lock from 'quick' to 'basic' because this is an I/O lock. - - Fix text around serial arithmatic used for RRSIG times to refer + - Fix text around serial arithmetic used for RRSIG times to refer to correct RFC number. - Fix Assert Causing DoS in synth_cname(), reported by X41 D-Sec. @@ -3780,7 +4047,7 @@ - For #52 #53, second context does not close logfile override. - Fix #52 #53, fix for example fail program. - Fix to return after failed auth zone http chunk write. - - Fix to remove unused test for task_probe existance. + - Fix to remove unused test for task_probe existence. - Fix to timeval_add for remaining second in microseconds. - Check repinfo in worker_handle_request, if null, drop it. @@ -5037,7 +5304,7 @@ 1 February 2018: Wouter - fix unaligned structure making a false positive in checklock - unitialised memory. + uninitialised memory. 29 January 2018: Ralph - Use NSEC with longest ce to prove wildcard absence. @@ -5640,8 +5907,8 @@ - Remove (now unused) event2 include from dnscrypt code. 24 March 2017: George - - Fix to prevent non-referal query from being cached as referal when the - no_cache_store flag was set. + - Fix to prevent non-referral query from being cached as referral when + the no_cache_store flag was set. 23 March 2017: Wouter - Fix #1239: configure fails to find python distutils if python 
@@ -5704,7 +5971,7 @@ 7 March 2017: Wouter - Fix #1230: swig version 2.0.0 is required for pythonmod, with - 1.3.40 it crashes when running repeatly unbound-control reload. + 1.3.40 it crashes when running repeatedly unbound-control reload. - Response actions based on IP address from Jinmei Tatuya (Infoblox). 6 March 2017: Wouter @@ -5720,7 +5987,7 @@ known vulns. 27 February 2017: Wouter - - Fix #1227: Fix that Unbound control allows weak ciphersuits. + - Fix #1227: Fix that Unbound control allows weak ciphersuites. - Fix #1226: provide official 32bit binary for windows. 24 February 2017: Wouter @@ -6709,7 +6976,7 @@ - Fix #674: Do not free pointers given by getenv. 29 May 2015: Wouter - - Fix that unparseable error responses are ratelimited. + - Fix that unparsable error responses are ratelimited. - SOA negative TTL is capped at minimumttl in its rdata section. - cache-max-negative-ttl config option, default 3600. @@ -6727,7 +6994,7 @@ 10 May 2015: Wouter - Change syntax of particular validator error to be easier for - machine parse, swap rrset and ip adres info so it looks like: + machine parse, swap rrset and ip address info so it looks like: validation failure : signature crypto failed from 2001:DB8:7:bba4::53 for <*.example.nl. NSEC IN> @@ -8307,7 +8574,7 @@ - fix that --enable-static-exe does not complain about it unknown. 30 June 2011: Wouter - - tag relase 1.4.11, trunk is 1.4.12 development. + - tag release 1.4.11, trunk is 1.4.12 development. - iana portlist updated. - fix bug#395: id bits of other query may leak out under conditions - fix replyaddr count wrong after jostled queries, which leads to @@ -9637,7 +9904,7 @@ 8 June 2009: Wouter - Removed RFC5011 REVOKE flag support. Partial 5011 support may cause - inadvertant behaviour. + inadvertent behaviour. - 1.3.0 tarball for release created. - 1.3.1 development in svn trunk. - iana portlist updated. 
@@ -9986,7 +10253,7 @@ - initgroups(3) is called to drop secondary group permissions, if applicable. - configure option --with-ldns-builtin forces the use of the - inluded ldns package with the unbound source. The -I include + included ldns package with the unbound source. The -I include is put before the others, so it avoids bad include files from an older ldns install. - daemon(3) posix call is used when available. @@ -10291,7 +10558,7 @@ please ranlib, stop file without symbols warning. - harden referral path now also validates the root after priming. It looks up the root NS authoritatively as well as the root servers - and attemps to validate the entries. + and attempts to validate the entries. 16 October 2008: Wouter - Fixup negative TTL values appearing (reported by Attila Nagy). @@ -11070,7 +11337,7 @@ - please doxygen, put doxygen comment in one place. - asynclook -b blocking mode and test. - refactor asynclook, nicer code. - - fixup race problems from opensll in rand init from library, with + - fixup race problems from openssl in rand init from library, with a mutex around the rand init. - fix pass async_id=NULL to _async resolve(). - rewrote _wait() routine, so that it is threadsafe. @@ -12043,7 +12310,7 @@ 11 June 2007: Wouter - replies on TCP queries have the address field set in replyinfo, for serviced queries, because the initiator does not know that - a TCP fallback has occured. + a TCP fallback has occurred. - omit DNSSEC types from nonDO replies, except if qtype is ANY or if qtype directly queries for the type (and then only show that 'unknown type' in the answer section). diff --git a/contrib/unbound/doc/README b/contrib/unbound/doc/README --- a/contrib/unbound/doc/README +++ b/contrib/unbound/doc/README @@ -1,4 +1,4 @@ -README for Unbound 1.23.1 +README for Unbound 1.24.0 Copyright 2007 NLnet Labs http://unbound.net diff --git a/contrib/unbound/doc/README.man b/contrib/unbound/doc/README.man new file mode 100644 --- /dev/null 
+++ b/contrib/unbound/doc/README.man @@ -0,0 +1,16 @@ +After Unbound 1.23.0, the source of the man pages is in reStructuredText format. + +This helps with the online documentation at https://unbound.docs.nlnetlabs.nl +and makes it easier to maintain and contribute to the documentation. + +The templated man pages (*.in) are still part of the code repository as to not +alter current procedures that could be in place by users/packagers. + +The templated man pages (*.in) are generated by Sphinx (used for the online +documentation). +The online documentation has its own repository at +https://github.com/NLnetLabs/unbound-manual. + +In the README.md there (branch test-auto for now), there are further simple +instructions on how to generate the templated man pages there and update them +in this repository. diff --git a/contrib/unbound/doc/example.conf.in b/contrib/unbound/doc/example.conf.in --- a/contrib/unbound/doc/example.conf.in +++ b/contrib/unbound/doc/example.conf.in @@ -1,7 +1,7 @@ # # Example configuration file. # -# See unbound.conf(5) man page, version 1.23.1. +# See unbound.conf(5) man page, version 1.24.0. # # this is a comment. @@ -116,8 +116,8 @@ # so-rcvbuf: 0 # buffer size for UDP port 53 outgoing (SO_SNDBUF socket option). - # 0 is system default. Use 4m to handle spikes on very busy servers. - # so-sndbuf: 0 + # 0 is system default. Set larger to handle spikes on very busy servers. + # so-sndbuf: 4m # use SO_REUSEPORT to distribute queries over threads. # at extreme load it could be better to turn it off to distribute even. @@ -163,7 +163,7 @@ # msg-cache-slabs: 4 # the number of queries that a thread gets to service. - # num-queries-per-thread: 1024 + # num-queries-per-thread: 2048 # if very busy, 50% queries run to completion, 50% get timeout in msec # jostle-timeout: 200 
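Review bot: In the `@@ -116,8 +116,8 @@` hunk of example.conf.in the sample now reads `# so-sndbuf: 4m`, but the comment above it no longer says why the default is non-zero. The ChangeLog in this same commit attributes the new default to UDP send buffers being exhausted while waiting for ARP/NDP resolution, so I would add a line such as `# the 4m default mitigates send buffer exhaustion during ARP/NDP resolution.` The request is presumably still subject to the OS socket-buffer limit (kern.ipc.maxsockbuf on FreeBSD), so it is worth confirming the CI and release images actually grant 4m. In the `@@ -163,7 +163,7 @@` hunk, the ChangeLog says 2048 is the default only when unbound is compiled with libevent, so `# num-queries-per-thread: 2048` would be clearer with a `# (default when compiled with libevent)` remark. Both files are vendored under contrib/, so the wording change likely belongs upstream.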
@@ -279,7 +279,7 @@ # do-ip6: yes # If running unbound on an IPv6-only host, domains that only have - # IPv4 servers would become unresolveable. If NAT64 is available in + # IPv4 servers would become unresolvable. If NAT64 is available in # the network, unbound can use NAT64 to reach these servers with # the following option. This is NOT needed for enabling DNS64 on a # system that has IPv4 connectivity. diff --git a/contrib/unbound/doc/libunbound.3.in b/contrib/unbound/doc/libunbound.3.in --- a/contrib/unbound/doc/libunbound.3.in +++ b/contrib/unbound/doc/libunbound.3.in 
@@ -1,335 +1,306 @@ -.TH "libunbound" "3" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1" -.\" -.\" libunbound.3 -- unbound library functions manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B libunbound, -.B unbound.h, -.B ub_ctx, -.B ub_result, -.B ub_callback_type, -.B ub_ctx_create, -.B ub_ctx_delete, -.B ub_ctx_set_option, -.B ub_ctx_get_option, -.B ub_ctx_config, -.B ub_ctx_set_fwd, -.B ub_ctx_set_stub, -.B ub_ctx_set_tls, -.B ub_ctx_resolvconf, -.B ub_ctx_hosts, -.B ub_ctx_add_ta, -.B ub_ctx_add_ta_autr, -.B ub_ctx_add_ta_file, -.B ub_ctx_trustedkeys, -.B ub_ctx_debugout, -.B ub_ctx_debuglevel, -.B ub_ctx_async, -.B ub_poll, -.B ub_wait, -.B ub_fd, -.B ub_process, -.B ub_resolve, -.B ub_resolve_async, -.B ub_cancel, -.B ub_resolve_free, -.B ub_strerror, -.B ub_ctx_print_local_zones, -.B ub_ctx_zone_add, -.B ub_ctx_zone_remove, -.B ub_ctx_data_add, -.B ub_ctx_data_remove -\- Unbound DNS validating resolver 1.23.1 functions. 
-.SH "SYNOPSIS" -.B #include -.LP -\fIstruct ub_ctx *\fR -\fBub_ctx_create\fR(\fIvoid\fR); -.LP -\fIvoid\fR -\fBub_ctx_delete\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_ctx_set_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar*\fR val); -.LP -\fIint\fR -\fBub_ctx_get_option\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR opt, \fIchar**\fR val); -.LP -\fIint\fR -\fBub_ctx_config\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_set_fwd\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR addr); -.LP -\fIint\fR -\fBub_ctx_set_stub\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone, -\fIchar*\fR addr, -.br - \fIint\fR isprime); -.LP -\fIint\fR -\fBub_ctx_set_tls\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR tls); -.LP -\fIint\fR -\fBub_ctx_resolvconf\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_hosts\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_add_ta\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR ta); -.LP -\fIint\fR -\fBub_ctx_add_ta_autr\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_add_ta_file\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_trustedkeys\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR fname); -.LP -\fIint\fR -\fBub_ctx_debugout\fR(\fIstruct ub_ctx*\fR ctx, \fIFILE*\fR out); -.LP -\fIint\fR -\fBub_ctx_debuglevel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR d); -.LP -\fIint\fR -\fBub_ctx_async\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR dothread); -.LP -\fIint\fR -\fBub_poll\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_wait\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_fd\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_process\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_resolve\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, -.br - \fIint\fR rrtype, \fIint\fR rrclass, \fIstruct ub_result**\fR result); -.LP -\fIint\fR -\fBub_resolve_async\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR name, -.br - \fIint\fR rrtype, 
\fIint\fR rrclass, \fIvoid*\fR mydata, -.br - \fIub_callback_type\fR callback, \fIint*\fR async_id); -.LP -\fIint\fR -\fBub_cancel\fR(\fIstruct ub_ctx*\fR ctx, \fIint\fR async_id); -.LP -\fIvoid\fR -\fBub_resolve_free\fR(\fIstruct ub_result*\fR result); -.LP -\fIconst char *\fR -\fBub_strerror\fR(\fIint\fR err); -.LP -\fIint\fR -\fBub_ctx_print_local_zones\fR(\fIstruct ub_ctx*\fR ctx); -.LP -\fIint\fR -\fBub_ctx_zone_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name, \fIchar*\fR zone_type); -.LP -\fIint\fR -\fBub_ctx_zone_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR zone_name); -.LP -\fIint\fR -\fBub_ctx_data_add\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); -.LP -\fIint\fR -\fBub_ctx_data_remove\fR(\fIstruct ub_ctx*\fR ctx, \fIchar*\fR data); -.SH "DESCRIPTION" -.B Unbound -is an implementation of a DNS resolver, that does caching and -DNSSEC validation. This is the library API, for using the \-lunbound library. -The server daemon is described in \fIunbound\fR(8). -The library works independent from a running unbound server, and -can be used to convert hostnames to ip addresses, and back, -and obtain other information from the DNS. The library performs public\-key -validation of results with DNSSEC. -.P -The library uses a variable of type \fIstruct ub_ctx\fR to keep context -between calls. The user must maintain it, creating it with -.B ub_ctx_create -and deleting it with -.B ub_ctx_delete\fR. -It can be created and deleted at any time. Creating it anew removes any -previous configuration (such as trusted keys) and clears any cached results. -.P -The functions are thread\-safe, and a context can be used in a threaded (as -well as in a non\-threaded) environment. Also resolution (and validation) -can be performed blocking and non\-blocking (also called asynchronous). -The async method returns from the call immediately, so that processing -can go on, while the results become available later. -.P +.\" Man page generated from reStructuredText. +. +. 
+.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "LIBUNBOUND" "3" "Sep 18, 2025" "1.24.0" "Unbound" +.SH NAME +libunbound \- Unbound DNS validating resolver 1.24.0 functions. +.SH SYNOPSIS +.sp +\fB#include \fP +.sp +struct ub_ctx * \fBub_ctx_create\fP(void); +.sp +void \fBub_ctx_delete\fP(struct ub_ctx* ctx); +.sp +int \fBub_ctx_set_option\fP(struct ub_ctx* ctx, char* opt, char* val); +.sp +int \fBub_ctx_get_option\fP(struct ub_ctx* ctx, char* opt, char** val); +.sp +int \fBub_ctx_config\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_set_fwd\fP(struct ub_ctx* ctx, char* addr); +.INDENT 0.0 +.TP +int \fBub_ctx_set_stub\fP(struct ub_ctx* ctx, char* zone, char* addr, +int isprime); +.UNINDENT +.sp +int \fBub_ctx_set_tls\fP(struct ub_ctx* ctx, int tls); +.sp +int \fBub_ctx_resolvconf\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_hosts\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_add_ta\fP(struct ub_ctx* ctx, char* ta); +.sp +int \fBub_ctx_add_ta_autr\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_add_ta_file\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_trustedkeys\fP(struct ub_ctx* ctx, char* fname); +.sp +int \fBub_ctx_debugout\fP(struct ub_ctx* ctx, FILE* out); +.sp +int \fBub_ctx_debuglevel\fP(struct ub_ctx* ctx, int d); +.sp +int \fBub_ctx_async\fP(struct ub_ctx* ctx, int dothread); +.sp +int 
\fBub_poll\fP(struct ub_ctx* ctx); +.sp +int \fBub_wait\fP(struct ub_ctx* ctx); +.sp +int \fBub_fd\fP(struct ub_ctx* ctx); +.sp +int \fBub_process\fP(struct ub_ctx* ctx); +.INDENT 0.0 +.TP +int \fBub_resolve\fP(struct ub_ctx* ctx, char* name, +int rrtype, int rrclass, struct ub_result** result); +.TP +int \fBub_resolve_async\fP(struct ub_ctx* ctx, char* name, +int rrtype, int rrclass, void* mydata, +ub_callback_type* callback, int* async_id); +.UNINDENT +.sp +int \fBub_cancel\fP(struct ub_ctx* ctx, int async_id); +.sp +void \fBub_resolve_free\fP(struct ub_result* result); +.sp +const char * \fBub_strerror\fP(int err); +.sp +int \fBub_ctx_print_local_zones\fP(struct ub_ctx* ctx); +.sp +int \fBub_ctx_zone_add\fP(struct ub_ctx* ctx, char* zone_name, char* zone_type); +.sp +int \fBub_ctx_zone_remove\fP(struct ub_ctx* ctx, char* zone_name); +.sp +int \fBub_ctx_data_add\fP(struct ub_ctx* ctx, char* data); +.sp +int \fBub_ctx_data_remove\fP(struct ub_ctx* ctx, char* data); +.SH DESCRIPTION +.sp +Unbound is an implementation of a DNS resolver, that does caching and DNSSEC +validation. +This is the library API, for using the \fB\-lunbound\fP library. +The server daemon is described in \fI\%unbound(8)\fP\&. +The library works independent from a running unbound server, and can be used to +convert hostnames to ip addresses, and back, and obtain other information from +the DNS. +The library performs public\-key validation of results with DNSSEC. +.sp +The library uses a variable of type \fIstruct ub_ctx\fP to keep context between +calls. +The user must maintain it, creating it with \fBub_ctx_create\fP and deleting it +with \fBub_ctx_delete\fP\&. +It can be created and deleted at any time. +Creating it anew removes any previous configuration (such as trusted keys) and +clears any cached results. +.sp +The functions are thread\-safe, and a context can be used in a threaded (as well +as in a non\-threaded) environment. 
+Also resolution (and validation) can be performed blocking and non\-blocking +(also called asynchronous). +The async method returns from the call immediately, so that processing can go +on, while the results become available later. +.sp The functions are discussed in turn below. -.SH "FUNCTIONS" -.TP +.SH FUNCTIONS +.INDENT 0.0 +.TP .B ub_ctx_create Create a new context, initialised with defaults. -The information from /etc/resolv.conf and /etc/hosts is not utilised -by default. Use -.B ub_ctx_resolvconf -and -.B ub_ctx_hosts -to read them. -Before you call this, use the openssl functions CRYPTO_set_id_callback and -CRYPTO_set_locking_callback to set up asynchronous operation if you use -lib openssl (the application calls these functions once for initialisation). -Openssl 1.0.0 or later uses the CRYPTO_THREADID_set_callback function. +The information from \fB/etc/resolv.conf\fP and \fB/etc/hosts\fP is +not utilised by default. +Use \fBub_ctx_resolvconf\fP and \fBub_ctx_hosts\fP to read them. +Before you call this, use the openssl functions +\fBCRYPTO_set_id_callback\fP and \fBCRYPTO_set_locking_callback\fP to set +up asynchronous operation if you use lib openssl (the application calls +these functions once for initialisation). +Openssl 1.0.0 or later uses the \fBCRYPTO_THREADID_set_callback\fP +function. .TP .B ub_ctx_delete Delete validation context and free associated resources. -Outstanding async queries are killed and callbacks are not called for them. +Outstanding async queries are killed and callbacks are not called for +them. .TP .B ub_ctx_set_option -A power\-user interface that lets you specify one of the options from the -config file format, see \fIunbound.conf\fR(5). Not all options are -relevant. For some specific options, such as adding trust anchors, special -routines exist. Pass the option name with the trailing ':'. +A power\-user interface that lets you specify one of the options from +the config file format, see \fI\%unbound.conf(5)\fP\&. 
+Not all options are relevant. +For some specific options, such as adding trust anchors, special +routines exist. +Pass the option name with the trailing \fB\(aq:\(aq\fP\&. .TP .B ub_ctx_get_option -A power\-user interface that gets an option value. Some options cannot be -gotten, and others return a newline separated list. Pass the option name -without trailing ':'. The returned value must be free(2)d by the caller. +A power\-user interface that gets an option value. +Some options cannot be gotten, and others return a newline separated +list. +Pass the option name without trailing \fB\(aq:\(aq\fP\&. +The returned value must be free(2)d by the caller. .TP .B ub_ctx_config -A power\-user interface that lets you specify an unbound config file, see -\fIunbound.conf\fR(5), which is read for configuration. Not all options are -relevant. For some specific options, such as adding trust anchors, special -routines exist. This function is thread\-safe only if a single instance of -ub_ctx* exists in the application. If several instances exist the -application has to ensure that ub_ctx_config is not called in parallel by -the different instances. +A power\-user interface that lets you specify an unbound config file, +see \fI\%unbound.conf(5)\fP, which is read for +configuration. +Not all options are relevant. +For some specific options, such as adding trust anchors, special +routines exist. +This function is thread\-safe only if a single instance of \fBub_ctx\fP* +exists in the application. +If several instances exist the application has to ensure that +\fBub_ctx_config\fP is not called in parallel by the different instances. .TP .B ub_ctx_set_fwd -Set machine to forward DNS queries to, the caching resolver to use. -IP4 or IP6 address. Forwards all DNS requests to that machine, which -is expected to run a recursive resolver. If the proxy is not -DNSSEC capable, validation may fail. Can be called several times, in -that case the addresses are used as backup servers. 
-At this time it is only possible to set configuration before the -first resolve is done. +Set machine to forward DNS queries to, the caching resolver to use. +IP4 or IP6 address. +Forwards all DNS requests to that machine, which is expected to run a +recursive resolver. +If the proxy is not DNSSEC capable, validation may fail. +Can be called several times, in that case the addresses are used as +backup servers. +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_set_stub -Set a stub zone, authoritative dns servers to use for a particular zone. -IP4 or IP6 address. If the address is NULL the stub entry is removed. -Set isprime true if you configure root hints with it. Otherwise similar to -the stub zone item from unbound's config file. Can be called several times, -for different zones, or to add multiple addresses for a particular zone. -At this time it is only possible to set configuration before the -first resolve is done. +Set a stub zone, authoritative dns servers to use for a particular +zone. +IP4 or IP6 address. +If the address is NULL the stub entry is removed. +Set isprime true if you configure root hints with it. +Otherwise similar to the stub zone item from unbound\(aqs config file. +Can be called several times, for different zones, or to add multiple +addresses for a particular zone. +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_set_tls -Enable DNS over TLS (DoT) for machines set with -.B ub_ctx_set_fwd. -At this time it is only possible to set configuration before the -first resolve is done. +Enable DNS over TLS (DoT) for machines set with \fBub_ctx_set_fwd\fP\&. +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_resolvconf -By default the root servers are queried and full resolver mode is used, but -you can use this call to read the list of nameservers to use from the -filename given. 
-Usually "/etc/resolv.conf". Uses those nameservers as caching proxies. +By default the root servers are queried and full resolver mode is used, +but you can use this call to read the list of nameservers to use from +the filename given. +Usually \fB\(dq/etc/resolv.conf\(dq\fP\&. +Uses those nameservers as caching proxies. If they do not support DNSSEC, validation may fail. Only nameservers are picked up, the searchdomain, ndots and other -settings from \fIresolv.conf\fR(5) are ignored. -If fname NULL is passed, "/etc/resolv.conf" is used (if on Windows, -the system\-wide configured nameserver is picked instead). -At this time it is only possible to set configuration before the -first resolve is done. +settings from \fIresolv.conf(5)\fP are ignored. +If fname NULL is passed, \fB\(dq/etc/resolv.conf\(dq\fP is used (if on +Windows, the system\-wide configured nameserver is picked instead). +At this time it is only possible to set configuration before the first +resolve is done. .TP .B ub_ctx_hosts Read list of hosts from the filename given. -Usually "/etc/hosts". When queried for, these addresses are not marked -DNSSEC secure. If fname NULL is passed, "/etc/hosts" is used -(if on Windows, etc/hosts from WINDIR is picked instead). -At this time it is only possible to set configuration before the -first resolve is done. -.TP -.B -ub_ctx_add_ta +Usually \fB\(dq/etc/hosts\(dq\fP\&. +When queried for, these addresses are not marked DNSSEC secure. +If fname NULL is passed, \fB\(dq/etc/hosts\(dq\fP is used (if on Windows, +\fBetc/hosts\fP from WINDIR is picked instead). +At this time it is only possible to set configuration before the first +resolve is done. +.TP +.B ub_ctx_add_ta Add a trust anchor to the given context. -At this time it is only possible to add trusted keys before the -first resolve is done. +At this time it is only possible to add trusted keys before the first +resolve is done. 
The format is a string, similar to the zone\-file format, -[domainname] [type] [rdata contents]. Both DS and DNSKEY records are accepted. +\fB[domainname]\fP \fB[type]\fP \fB[rdata contents]\fP\&. +Both DS and DNSKEY records are accepted. .TP .B ub_ctx_add_ta_autr -Add filename with automatically tracked trust anchor to the given context. -Pass name of a file with the managed trust anchor. You can create this -file with \fIunbound\-anchor\fR(8) for the root anchor. You can also -create it with an initial file with one line with a DNSKEY or DS record. +Add filename with automatically tracked trust anchor to the given +context. +Pass name of a file with the managed trust anchor. +You can create this file with +\fI\%unbound\-anchor(8)\fP for the root anchor. +You can also create it with an initial file with one line with a DNSKEY +or DS record. If the file is writable, it is updated when the trust anchor changes. -At this time it is only possible to add trusted keys before the -first resolve is done. +At this time it is only possible to add trusted keys before the first +resolve is done. .TP .B ub_ctx_add_ta_file Add trust anchors to the given context. Pass name of a file with DS and DNSKEY records in zone file format. -At this time it is only possible to add trusted keys before the -first resolve is done. +At this time it is only possible to add trusted keys before the first +resolve is done. .TP .B ub_ctx_trustedkeys Add trust anchors to the given context. -Pass the name of a bind\-style config file with trusted\-keys{}. -At this time it is only possible to add trusted keys before the -first resolve is done. +Pass the name of a bind\-style config file with \fBtrusted\-keys{}\fP\&. +At this time it is only possible to add trusted keys before the first +resolve is done. .TP .B ub_ctx_debugout -Set debug and error log output to the given stream. Pass NULL to disable -output. Default is stderr. 
File\-names or using syslog can be enabled -using config options, this routine is for using your own stream. +Set debug and error log output to the given stream. +Pass NULL to disable output. +Default is stderr. +File\-names or using syslog can be enabled using config options, this +routine is for using your own stream. .TP .B ub_ctx_debuglevel -Set debug verbosity for the context. Output is directed to stderr. +Set debug verbosity for the context. +Output is directed to stderr. Higher debug level gives more output. .TP .B ub_ctx_async Set a context behaviour for asynchronous action. -if set to true, enables threading and a call to -.B ub_resolve_async +if set to true, enables threading and a call to \fBub_resolve_async\fP creates a thread to handle work in the background. If false, a process is forked to handle work in the background. -Changes to this setting after -.B ub_resolve_async -calls have been made have no effect (delete and re\-create the context -to change). +Changes to this setting after \fBub_resolve_async\fP calls have been made +have no effect (delete and re\-create the context to change). .TP .B ub_poll Poll a context to see if it has any new results. -Do not poll in a loop, instead extract the fd below to poll for readiness, -and then check, or wait using the wait routine. +Do not poll in a loop, instead extract the \fBfd\fP below to poll for +readiness, and then check, or wait using the wait routine. Returns 0 if nothing to read, or nonzero if a result is available. -If nonzero, call -.B ub_process -to do callbacks. +If nonzero, call \fBub_process\fP to do callbacks. .TP .B ub_wait -Wait for a context to finish with results. Calls -.B ub_process -after the wait for you. After the wait, there are no more outstanding -asynchronous queries. +Wait for a context to finish with results. +Calls \fBub_process\fP after the wait for you. +After the wait, there are no more outstanding asynchronous queries. .TP .B ub_fd -Get file descriptor. 
Wait for it to become readable, at this point -answers are returned from the asynchronous validating resolver. -Then call the \fBub_process\fR to continue processing. +Get file descriptor. +Wait for it to become readable, at this point answers are returned from +the asynchronous validating resolver. +Then call the \fBub_process\fP to continue processing. .TP .B ub_process Call this routine to continue processing results from the validating -resolver (when the fd becomes readable). +resolver (when the \fBfd\fP becomes readable). Will perform necessary callbacks. .TP .B ub_resolve 
@@ -340,95 +311,111 @@ .TP .B ub_resolve_async Perform asynchronous resolution and validation of the target name. -Arguments mean the same as for \fBub_resolve\fR except no -data is returned immediately, instead a callback is called later. -The callback receives a copy of the mydata pointer, that you can use to pass -information to the callback. The callback type is a function pointer to -a function declared as -.IP -void my_callback_function(void* my_arg, int err, -.br - struct ub_result* result); -.IP -The async_id is returned so you can (at your option) decide to track it -and cancel the request if needed. If you pass a NULL pointer the async_id -is not returned. +Arguments mean the same as for \fBub_resolve\fP except no data is +returned immediately, instead a callback is called later. +The callback receives a copy of the mydata pointer, that you can use to +pass information to the callback. +The callback type is a function pointer to a function declared as: +.INDENT 7.0 +.INDENT 3.5 +.sp +.nf +.ft C +void my_callback_function(void* my_arg, int err, + struct ub_result* result); +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +The \fBasync_id\fP is returned so you can (at your option) decide to +track it and cancel the request if needed. +If you pass a NULL pointer the \fBasync_id\fP is not returned. .TP .B ub_cancel -Cancel an async query in progress. This may return an error if the query -does not exist, or the query is already being delivered, in that case you -may still get a callback for the query. +Cancel an async query in progress. +This may return an error if the query does not exist, or the query is +already being delivered, in that case you may still get a callback for +the query. .TP .B ub_resolve_free -Free struct ub_result contents after use. +Free struct \fBub_result\fP contents after use. .TP .B ub_strerror -Convert error value from one of the unbound library functions -to a human readable string. 
+Convert error value from one of the unbound library functions to a +human readable string. .TP .B ub_ctx_print_local_zones Debug printout the local authority information to debug output. .TP .B ub_ctx_zone_add -Add new zone to local authority info, like local\-zone \fIunbound.conf\fR(5) -statement. +Add new zone to local authority info, like local\-zone +\fI\%unbound.conf(5)\fP statement. .TP .B ub_ctx_zone_remove Delete zone from local authority info. .TP .B ub_ctx_data_add Add resource record data to local authority info, like local\-data -\fIunbound.conf\fR(5) statement. +\fI\%unbound.conf(5)\fP statement. .TP .B ub_ctx_data_remove Delete local authority data from the name given. -.SH "RESULT DATA STRUCTURE" -The result of the DNS resolution and validation is returned as -\fIstruct ub_result\fR. The result structure contains the following entries. -.P +.UNINDENT +.SH RESULT DATA STRUCTURE +.sp +The result of the DNS resolution and validation is returned as \fIstruct +ub_result\fP\&. 
+The result structure contains the following entries: +.INDENT 0.0 +.INDENT 3.5 +.sp .nf - struct ub_result { - char* qname; /* text string, original question */ - int qtype; /* type code asked for */ - int qclass; /* class code asked for */ - char** data; /* array of rdata items, NULL terminated*/ - int* len; /* array with lengths of rdata items */ - char* canonname; /* canonical name of result */ - int rcode; /* additional error code in case of no data */ - void* answer_packet; /* full network format answer packet */ - int answer_len; /* length of packet in octets */ - int havedata; /* true if there is data */ - int nxdomain; /* true if nodata because name does not exist */ - int secure; /* true if result is secure */ - int bogus; /* true if a security failure happened */ - char* why_bogus; /* string with error if bogus */ - int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */ - int ttl; /* number of seconds the result is valid */ - }; +.ft C +struct ub_result { + char* qname; /* text string, original question */ + int qtype; /* type code asked for */ + int qclass; /* class code asked for */ + char** data; /* array of rdata items, NULL terminated*/ + int* len; /* array with lengths of rdata items */ + char* canonname; /* canonical name of result */ + int rcode; /* additional error code in case of no data */ + void* answer_packet; /* full network format answer packet */ + int answer_len; /* length of packet in octets */ + int havedata; /* true if there is data */ + int nxdomain; /* true if nodata because name does not exist */ + int secure; /* true if result is secure */ + int bogus; /* true if a security failure happened */ + char* why_bogus; /* string with error if bogus */ + int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */ + int ttl; /* number of seconds the result is valid */ +}; +.ft P .fi -.P -If both secure and bogus are false, security was not enabled for the -domain of the query. 
Else, they are not both true, one of them is true. -.SH "RETURN VALUES" -Many routines return an error code. The value 0 (zero) denotes no error -happened. Other values can be passed to -.B ub_strerror -to obtain a readable error string. -.B ub_strerror -returns a zero terminated string. -.B ub_ctx_create -returns NULL on an error (a malloc failure). -.B ub_poll -returns true if some information may be available, false otherwise. -.B ub_fd -returns a file descriptor or \-1 on error. -.B ub_ctx_config -and -.B ub_ctx_resolvconf -attempt to leave errno informative on a function return with file read failure. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). -.SH "AUTHORS" -.B Unbound -developers are mentioned in the CREDITS file in the distribution. +.UNINDENT +.UNINDENT +.sp +If both secure and bogus are false, security was not enabled for the domain of +the query. +Else, they are not both true, one of them is true. +.SH RETURN VALUES +.sp +Many routines return an error code. +The value 0 (zero) denotes no error happened. +Other values can be passed to \fBub_strerror\fP to obtain a readable error +string. +\fBub_strerror\fP returns a zero terminated string. +\fBub_ctx_create\fP returns NULL on an error (a malloc failure). +\fBub_poll\fP returns true if some information may be available, false otherwise. +\fBub_fd\fP returns a file descriptor or \-1 on error. +\fBub_ctx_config\fP and \fBub_ctx_resolvconf\fP attempt to leave errno informative +on a function return with file read failure. +.SH SEE ALSO +.sp +\fI\%unbound.conf(5)\fP, \fI\%unbound(8)\fP\&. +.SH AUTHOR +Unbound developers are mentioned in the CREDITS file in the distribution. +.SH COPYRIGHT +1999-2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/contrib/unbound/doc/libunbound.rst b/contrib/unbound/doc/libunbound.rst new file mode 100644 --- /dev/null +++ b/contrib/unbound/doc/libunbound.rst 
@@ -0,0 +1,491 @@
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+libunbound(3)
+=============
+
+Synopsis
+--------
+
+.. only:: html
+
+ .. code-block:: c
+
+ #include
+
+ struct ub_ctx * ub_ctx_create(void);
+
+ void ub_ctx_delete(struct ub_ctx* ctx);
+
+ int ub_ctx_set_option(struct ub_ctx* ctx, char* opt, char* val);
+
+ int ub_ctx_get_option(struct ub_ctx* ctx, char* opt, char** val);
+
+ int ub_ctx_config(struct ub_ctx* ctx, char* fname);
+
+ int ub_ctx_set_fwd(struct ub_ctx* ctx, char* addr);
+
+ int ub_ctx_set_stub(struct ub_ctx* ctx, char* zone, char* addr,
+ int isprime);
+
+ int ub_ctx_set_tls(struct ub_ctx* ctx, int tls);
+
+ int ub_ctx_resolvconf(struct ub_ctx* ctx, char* fname);
+
+ int ub_ctx_hosts(struct ub_ctx* ctx, char* fname);
+
+ int ub_ctx_add_ta(struct ub_ctx* ctx, char* ta);
+
+ int ub_ctx_add_ta_autr(struct ub_ctx* ctx, char* fname);
+
+ int ub_ctx_add_ta_file(struct ub_ctx* ctx, char* fname);
+
+ int ub_ctx_trustedkeys(struct ub_ctx* ctx, char* fname);
+
+ int ub_ctx_debugout(struct ub_ctx* ctx, FILE* out);
+
+ int ub_ctx_debuglevel(struct ub_ctx* ctx, int d);
+
+ int ub_ctx_async(struct ub_ctx* ctx, int dothread);
+
+ int ub_poll(struct ub_ctx* ctx);
+
+ int ub_wait(struct ub_ctx* ctx);
+
+ int ub_fd(struct ub_ctx* ctx);
+
+ int ub_process(struct ub_ctx* ctx);
+
+ int ub_resolve(struct ub_ctx* ctx, char* name, int rrtype,
+ int rrclass, struct ub_result** result);
+
+ int ub_resolve_async(struct ub_ctx* ctx, char* name, int rrtype,
+ int rrclass, void* mydata, ub_callback_type callback,
+ int* async_id);
+
+ int ub_cancel(struct ub_ctx* ctx, int async_id);
+
+ void ub_resolve_free(struct ub_result* result);
+
+ const char * ub_strerror(int err);
+
+ int ub_ctx_print_local_zones(struct ub_ctx* ctx);
+
+ int ub_ctx_zone_add(struct ub_ctx* ctx, char* zone_name, char* zone_type);
+
+ int ub_ctx_zone_remove(struct ub_ctx* ctx, char* zone_name);
+
+ int ub_ctx_data_add(struct ub_ctx* ctx, char* data);
+
+ int ub_ctx_data_remove(struct ub_ctx* ctx, char* data);
+
+.. only:: man
+
+ **#include **
+
+ struct ub_ctx \* **ub_ctx_create**\ (void);
+
+ void **ub_ctx_delete**\ (struct ub_ctx\* ctx);
+
+ int **ub_ctx_set_option**\ (struct ub_ctx\* ctx, char\* opt, char\* val);
+
+ int **ub_ctx_get_option**\ (struct ub_ctx\* ctx, char\* opt, char\*\* val);
+
+ int **ub_ctx_config**\ (struct ub_ctx\* ctx, char* fname);
+
+ int **ub_ctx_set_fwd**\ (struct ub_ctx\* ctx, char\* addr);
+
+ int **ub_ctx_set_stub**\ (struct ub_ctx\* ctx, char\* zone, char\* addr,
+ int isprime);
+
+ int **ub_ctx_set_tls**\ (struct ub_ctx\* ctx, int tls);
+
+ int **ub_ctx_resolvconf**\ (struct ub_ctx\* ctx, char\* fname);
+
+ int **ub_ctx_hosts**\ (struct ub_ctx\* ctx, char\* fname);
+
+ int **ub_ctx_add_ta**\ (struct ub_ctx\* ctx, char\* ta);
+
+ int **ub_ctx_add_ta_autr**\ (struct ub_ctx\* ctx, char\* fname);
+
+ int **ub_ctx_add_ta_file**\ (struct ub_ctx\* ctx, char\* fname);
+
+ int **ub_ctx_trustedkeys**\ (struct ub_ctx\* ctx, char\* fname);
+
+ int **ub_ctx_debugout**\ (struct ub_ctx\* ctx, FILE\* out);
+
+ int **ub_ctx_debuglevel**\ (struct ub_ctx\* ctx, int d);
+
+ int **ub_ctx_async**\ (struct ub_ctx\* ctx, int dothread);
+
+ int **ub_poll**\ (struct ub_ctx\* ctx);
+
+ int **ub_wait**\ (struct ub_ctx\* ctx);
+
+ int **ub_fd**\ (struct ub_ctx\* ctx);
+
+ int **ub_process**\ (struct ub_ctx\* ctx);
+
+ int **ub_resolve**\ (struct ub_ctx\* ctx, char\* name,
+ int rrtype, int rrclass, struct ub_result\*\* result);
+
+ int **ub_resolve_async**\ (struct ub_ctx\* ctx, char\* name,
+ int rrtype, int rrclass, void\* mydata,
+ ub_callback_type\* callback, int\* async_id);
+
+ int **ub_cancel**\ (struct ub_ctx\* ctx, int async_id);
+
+ void **ub_resolve_free**\ (struct ub_result\* result);
+
+ const char \* **ub_strerror**\ (int err);
+
+ int **ub_ctx_print_local_zones**\ (struct ub_ctx\* ctx);
+
+ int **ub_ctx_zone_add**\ (struct ub_ctx\* ctx, char\* zone_name, char\* zone_type);
+
+ int **ub_ctx_zone_remove**\ (struct ub_ctx\* ctx, char\* zone_name);
+
+ int **ub_ctx_data_add**\ (struct ub_ctx\* ctx, char\* data);
+
+ int **ub_ctx_data_remove**\ (struct ub_ctx\* ctx, char\* data);
+
+Description
+-----------
+
+Unbound is an implementation of a DNS resolver, that does caching and DNSSEC
+validation.
+This is the library API, for using the ``-lunbound`` library.
+The server daemon is described in :doc:`unbound(8)`.
+The library works independent from a running unbound server, and can be used to
+convert hostnames to ip addresses, and back, and obtain other information from
+the DNS.
+The library performs public-key validation of results with DNSSEC.
+
+The library uses a variable of type *struct ub_ctx* to keep context between
+calls.
+The user must maintain it, creating it with **ub_ctx_create** and deleting it
+with **ub_ctx_delete**.
+It can be created and deleted at any time.
+Creating it anew removes any previous configuration (such as trusted keys) and
+clears any cached results.
+
+The functions are thread-safe, and a context can be used in a threaded (as well
+as in a non-threaded) environment.
+Also resolution (and validation) can be performed blocking and non-blocking
+(also called asynchronous).
+The async method returns from the call immediately, so that processing can go
+on, while the results become available later.
+
+The functions are discussed in turn below.
+
+Functions
+---------
+
+.. glossary::
+
+ ub_ctx_create
+ Create a new context, initialised with defaults.
+ The information from :file:`/etc/resolv.conf` and :file:`/etc/hosts` is
+ not utilised by default.
+ Use **ub_ctx_resolvconf** and **ub_ctx_hosts** to read them.
+ Before you call this, use the openssl functions
+ **CRYPTO_set_id_callback** and **CRYPTO_set_locking_callback** to set
+ up asynchronous operation if you use lib openssl (the application calls
+ these functions once for initialisation).
+ Openssl 1.0.0 or later uses the **CRYPTO_THREADID_set_callback**
+ function.
+
+ ub_ctx_delete
+ Delete validation context and free associated resources.
+ Outstanding async queries are killed and callbacks are not called for
+ them.
+
+ ub_ctx_set_option
+ A power-user interface that lets you specify one of the options from
+ the config file format, see :doc:`unbound.conf(5)`.
+ Not all options are relevant.
+ For some specific options, such as adding trust anchors, special
+ routines exist.
+ Pass the option name with the trailing ``':'``.
+
+ ub_ctx_get_option
+ A power-user interface that gets an option value.
+ Some options cannot be gotten, and others return a newline separated
+ list.
+ Pass the option name without trailing ``':'``.
+ The returned value must be free(2)d by the caller.
+
+ ub_ctx_config
+ A power-user interface that lets you specify an unbound config file,
+ see :doc:`unbound.conf(5)`, which is read for
+ configuration.
+ Not all options are relevant.
+ For some specific options, such as adding trust anchors, special
+ routines exist.
+ This function is thread-safe only if a single instance of **ub_ctx**\*
+ exists in the application.
+ If several instances exist the application has to ensure that
+ **ub_ctx_config** is not called in parallel by the different instances.
+
+ ub_ctx_set_fwd
+ Set machine to forward DNS queries to, the caching resolver to use.
+ IP4 or IP6 address.
+ Forwards all DNS requests to that machine, which is expected to run a
+ recursive resolver.
+ If the proxy is not DNSSEC capable, validation may fail.
+ Can be called several times, in that case the addresses are used as
+ backup servers.
+ At this time it is only possible to set configuration before the first
+ resolve is done.
+
+ ub_ctx_set_stub
+ Set a stub zone, authoritative dns servers to use for a particular
+ zone.
+ IP4 or IP6 address.
+ If the address is NULL the stub entry is removed.
+ Set isprime true if you configure root hints with it.
+ Otherwise similar to the stub zone item from unbound's config file.
+ Can be called several times, for different zones, or to add multiple
+ addresses for a particular zone.
+ At this time it is only possible to set configuration before the first
+ resolve is done.
+
+ ub_ctx_set_tls
+ Enable DNS over TLS (DoT) for machines set with **ub_ctx_set_fwd**.
+ At this time it is only possible to set configuration before the first
+ resolve is done.
+
+ ub_ctx_resolvconf
+ By default the root servers are queried and full resolver mode is used,
+ but you can use this call to read the list of nameservers to use from
+ the filename given.
+ Usually :file:`"/etc/resolv.conf"`.
+ Uses those nameservers as caching proxies.
+ If they do not support DNSSEC, validation may fail.
+ Only nameservers are picked up, the searchdomain, ndots and other
+ settings from *resolv.conf(5)* are ignored.
+ If fname NULL is passed, :file:`"/etc/resolv.conf"` is used (if on
+ Windows, the system-wide configured nameserver is picked instead).
+ At this time it is only possible to set configuration before the first
+ resolve is done.
+
+ ub_ctx_hosts
+ Read list of hosts from the filename given.
+ Usually :file:`"/etc/hosts"`.
+ When queried for, these addresses are not marked DNSSEC secure.
+ If fname NULL is passed, :file:`"/etc/hosts"` is used (if on Windows,
+ :file:`etc/hosts` from WINDIR is picked instead).
+ At this time it is only possible to set configuration before the first
+ resolve is done.
+
+ ub_ctx_add_ta
+ Add a trust anchor to the given context.
+ At this time it is only possible to add trusted keys before the first
+ resolve is done.
+ The format is a string, similar to the zone-file format,
+ **[domainname]** **[type]** **[rdata contents]**.
+ Both DS and DNSKEY records are accepted.
+
+ ub_ctx_add_ta_autr
+ Add filename with automatically tracked trust anchor to the given
+ context.
+ Pass name of a file with the managed trust anchor.
+ You can create this file with
+ :doc:`unbound-anchor(8)` for the root anchor.
+ You can also create it with an initial file with one line with a DNSKEY
+ or DS record.
+ If the file is writable, it is updated when the trust anchor changes.
+ At this time it is only possible to add trusted keys before the first
+ resolve is done.
+
+ ub_ctx_add_ta_file
+ Add trust anchors to the given context.
+ Pass name of a file with DS and DNSKEY records in zone file format.
+ At this time it is only possible to add trusted keys before the first
+ resolve is done.
+
+ ub_ctx_trustedkeys
+ Add trust anchors to the given context.
+ Pass the name of a bind-style config file with ``trusted-keys{}``.
+ At this time it is only possible to add trusted keys before the first
+ resolve is done.
+
+ ub_ctx_debugout
+ Set debug and error log output to the given stream.
+ Pass NULL to disable output.
+ Default is stderr.
+ File-names or using syslog can be enabled using config options, this
+ routine is for using your own stream.
+
+ ub_ctx_debuglevel
+ Set debug verbosity for the context.
+ Output is directed to stderr.
+ Higher debug level gives more output.
+
+ ub_ctx_async
+ Set a context behaviour for asynchronous action.
+ if set to true, enables threading and a call to **ub_resolve_async**
+ creates a thread to handle work in the background.
+ If false, a process is forked to handle work in the background.
+ Changes to this setting after **ub_resolve_async** calls have been made
+ have no effect (delete and re-create the context to change).
+
+ ub_poll
+ Poll a context to see if it has any new results.
+ Do not poll in a loop, instead extract the **fd** below to poll for
+ readiness, and then check, or wait using the wait routine.
+ Returns 0 if nothing to read, or nonzero if a result is available.
+ If nonzero, call **ub_process** to do callbacks.
+
+ ub_wait
+ Wait for a context to finish with results.
+ Calls **ub_process** after the wait for you.
+ After the wait, there are no more outstanding asynchronous queries.
+
+ ub_fd
+ Get file descriptor.
+ Wait for it to become readable, at this point answers are returned from
+ the asynchronous validating resolver.
+ Then call the **ub_process** to continue processing.
+
+ ub_process
+ Call this routine to continue processing results from the validating
+ resolver (when the **fd** becomes readable).
+ Will perform necessary callbacks.
+
+ ub_resolve
+ Perform resolution and validation of the target name.
+ The name is a domain name in a zero terminated text string.
+ The rrtype and rrclass are DNS type and class codes.
+ The result structure is newly allocated with the resulting data.
+
+ ub_resolve_async
+ Perform asynchronous resolution and validation of the target name.
+ Arguments mean the same as for **ub_resolve** except no data is
+ returned immediately, instead a callback is called later.
+ The callback receives a copy of the mydata pointer, that you can use to
+ pass information to the callback.
+ The callback type is a function pointer to a function declared as:
+
+ .. code-block:: c
+
+ void my_callback_function(void* my_arg, int err,
+ struct ub_result* result);
+
+ The **async_id** is returned so you can (at your option) decide to
+ track it and cancel the request if needed.
+ If you pass a NULL pointer the **async_id** is not returned.
+
+ ub_cancel
+ Cancel an async query in progress.
+ This may return an error if the query does not exist, or the query is
+ already being delivered, in that case you may still get a callback for
+ the query.
+
+ ub_resolve_free
+ Free struct **ub_result** contents after use.
+
+ ub_strerror
+ Convert error value from one of the unbound library functions to a
+ human readable string.
+
+ ub_ctx_print_local_zones
+ Debug printout the local authority information to debug output.
+
+ ub_ctx_zone_add
+ Add new zone to local authority info, like local-zone
+ :doc:`unbound.conf(5)` statement.
+
+ ub_ctx_zone_remove
+ Delete zone from local authority info.
+
+ ub_ctx_data_add
+ Add resource record data to local authority info, like local-data
+ :doc:`unbound.conf(5)` statement.
+
+ ub_ctx_data_remove
+ Delete local authority data from the name given.
+
+Result Data structure
+---------------------
+
+The result of the DNS resolution and validation is returned as *struct
+ub_result*.
+The result structure contains the following entries:
+
+.. code-block:: c
+
+ struct ub_result {
+ char* qname; /* text string, original question */
+ int qtype; /* type code asked for */
+ int qclass; /* class code asked for */
+ char** data; /* array of rdata items, NULL terminated*/
+ int* len; /* array with lengths of rdata items */
+ char* canonname; /* canonical name of result */
+ int rcode; /* additional error code in case of no data */
+ void* answer_packet; /* full network format answer packet */
+ int answer_len; /* length of packet in octets */
+ int havedata; /* true if there is data */
+ int nxdomain; /* true if nodata because name does not exist */
+ int secure; /* true if result is secure */
+ int bogus; /* true if a security failure happened */
+ char* why_bogus; /* string with error if bogus */
+ int was_ratelimited; /* true if the query was ratelimited (SERVFAIL) by unbound */
+ int ttl; /* number of seconds the result is valid */
+ };
+
+If both secure and bogus are false, security was not enabled for the domain of
+the query.
+Else, they are not both true, one of them is true.
+
+Return Values
+-------------
+
+Many routines return an error code.
+The value 0 (zero) denotes no error happened.
+Other values can be passed to **ub_strerror** to obtain a readable error
+string.
+**ub_strerror** returns a zero terminated string.
+**ub_ctx_create** returns NULL on an error (a malloc failure).
+**ub_poll** returns true if some information may be available, false otherwise.
+**ub_fd** returns a file descriptor or -1 on error.
+**ub_ctx_config** and **ub_ctx_resolvconf** attempt to leave errno informative
+on a function return with file read failure.
+
+See Also
+--------
+
+:doc:`unbound.conf(5)`, :doc:`unbound(8)`.
diff --git a/contrib/unbound/doc/unbound-anchor.8.in b/contrib/unbound/doc/unbound-anchor.8.in
--- a/contrib/unbound/doc/unbound-anchor.8.in
+++ b/contrib/unbound/doc/unbound-anchor.8.in
@@ -1,189 +1,300 @@ -.TH "unbound-anchor" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1" -.\" -.\" unbound-anchor.8 -- unbound anchor maintenance utility manual -.\" -.\" Copyright (c) 2008, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -.B unbound\-anchor -\- Unbound anchor utility. -.SH "SYNOPSIS" -.B unbound\-anchor -.RB [ opts ] -.SH "DESCRIPTION" -.B Unbound\-anchor -performs setup or update of the root trust anchor for DNSSEC validation. -The program fetches the trust anchor with the method from RFC7958 when -regular RFC5011 update fails to bring it up to date. +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "UNBOUND-ANCHOR" "8" "Sep 18, 2025" "1.24.0" "Unbound" +.SH NAME +unbound-anchor \- Unbound 1.24.0 anchor utility. +.SH SYNOPSIS +.sp +\fBunbound\-anchor\fP [\fBopts\fP] +.SH DESCRIPTION +.sp +\fBunbound\-anchor\fP performs setup or update of the root trust anchor for DNSSEC +validation. +The program fetches the trust anchor with the method from \fI\%RFC 7958\fP when +regular \fI\%RFC 5011\fP update fails to bring it up to date. It can be run (as root) from the commandline, or run as part of startup -scripts. Before you start the \fIunbound\fR(8) DNS server. -.P +scripts. +Before you start the \fI\%unbound(8)\fP DNS server. 
+.sp Suggested usage: -.P +.INDENT 0.0 +.INDENT 3.5 +.sp .nf - # in the init scripts. - # provide or update the root anchor (if necessary) - unbound-anchor \-a "@UNBOUND_ROOTKEY_FILE@" - # Please note usage of this root anchor is at your own risk - # and under the terms of our LICENSE (see source). - # - # start validating resolver - # the unbound.conf contains: - # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@" - unbound \-c unbound.conf +.ft C +# in the init scripts. +# provide or update the root anchor (if necessary) +unbound\-anchor \-a \(dq@UNBOUND_ROOTKEY_FILE@\(dq +# Please note usage of this root anchor is at your own risk +# and under the terms of our LICENSE (see source). +# +# start validating resolver +# the unbound.conf contains: +# auto\-trust\-anchor\-file: \(dq@UNBOUND_ROOTKEY_FILE@\(dq +unbound \-c unbound.conf +.ft P .fi -.P -This tool provides builtin default contents for the root anchor and root -update certificate files. -.P +.UNINDENT +.UNINDENT +.sp +This tool provides builtin default contents for the root anchor and root update +certificate files. +.sp It tests if the root anchor file works, and if not, and an update is possible, attempts to update the root anchor using the root update certificate. -It performs a https fetch of root-anchors.xml and checks the results (RFC7958), -if all checks are successful, it updates the root anchor file. Otherwise -the root anchor file is unchanged. It performs RFC5011 tracking if the -DNSSEC information available via the DNS makes that possible. -.P -It does not perform an update if the certificate is expired, if the network -is down or other errors occur. -.P +It performs a https fetch of +\fI\%root\-anchors.xml\fP +and checks the results (\fI\%RFC 7958\fP); if all checks are successful, it updates +the root anchor file. +Otherwise the root anchor file is unchanged. +It performs \fI\%RFC 5011\fP tracking if the DNSSEC information available via the +DNS makes that possible. 
+.sp +It does not perform an update if the certificate is expired, if the network is +down or other errors occur. +.sp The available options are: +.INDENT 0.0 .TP -.B \-a \fIfile +.B \-a The root anchor key file, that is read in and written out. -Default is @UNBOUND_ROOTKEY_FILE@. -If the file does not exist, or is empty, a builtin root key is written to it. +Default is \fB@UNBOUND_ROOTKEY_FILE@\fP\&. +If the file does not exist, or is empty, a builtin root key is written +to it. +.UNINDENT +.INDENT 0.0 .TP -.B \-c \fIfile +.B \-c The root update certificate file, that is read in. -Default is @UNBOUND_ROOTCERT_FILE@. +Default is \fB@UNBOUND_ROOTCERT_FILE@\fP\&. If the file does not exist, or is empty, a builtin certificate is used. +.UNINDENT +.INDENT 0.0 .TP .B \-l List the builtin root key and builtin root update certificate on stdout. +.UNINDENT +.INDENT 0.0 .TP -.B \-u \fIname -The server name, it connects to https://name. Specify without https:// prefix. -The default is "data.iana.org". It connects to the port specified with \-P. +.B \-u +The server name, it connects to \fBhttps://name\fP\&. +Specify without \fBhttps://\fP prefix. +The default is \fB\(dqdata.iana.org\(dq\fP\&. +It connects to the port specified with \fI\%\-P\fP\&. You can pass an IPv4 address or IPv6 address (no brackets) if you want. +.UNINDENT +.INDENT 0.0 .TP .B \-S -Do not use SNI for the HTTPS connection. Default is to use SNI. +Do not use SNI for the HTTPS connection. +Default is to use SNI. +.UNINDENT +.INDENT 0.0 .TP -.B \-b \fIaddress -The source address to bind to for domain resolution and contacting the server -on https. May be either an IPv4 address or IPv6 address (no brackets). +.B \-b
+The source address to bind to for domain resolution and contacting the +server on https. +May be either an IPv4 address or IPv6 address (no brackets). +.UNINDENT +.INDENT 0.0 .TP -.B \-x \fIpath -The pathname to the root\-anchors.xml file on the server. (forms URL with \-u). -The default is /root\-anchors/root\-anchors.xml. +.B \-x +The pathname to the root\-anchors.xml file on the server. +(forms URL with \fI\%\-u\fP). +The default is \fB/root\-anchors/root\-anchors.xml\fP\&. +.UNINDENT +.INDENT 0.0 .TP -.B \-s \fIpath -The pathname to the root\-anchors.p7s file on the server. (forms URL with \-u). -The default is /root\-anchors/root\-anchors.p7s. This file has to be a PKCS7 -signature over the xml file, using the pem file (\-c) as trust anchor. +.B \-s +The pathname to the root\-anchors.p7s file on the server. +(forms URL with \fI\%\-u\fP). +The default is \fB/root\-anchors/root\-anchors.p7s\fP\&. +This file has to be a PKCS7 signature over the xml file, using the pem +file (\fI\%\-c\fP) as trust anchor. +.UNINDENT +.INDENT 0.0 .TP -.B \-n \fIname -The emailAddress for the Subject of the signer's certificate from the p7s -signature file. Only signatures from this name are allowed. default is -dnssec@iana.org. If you pass "" then the emailAddress is not checked. +.B \-n +The emailAddress for the Subject of the signer\(aqs certificate from the +p7s signature file. +Only signatures from this name are allowed. +The default is \fBdnssec@iana.org\fP\&. +If you pass \fB\(dq\(dq\fP then the emailAddress is not checked. +.UNINDENT +.INDENT 0.0 .TP .B \-4 -Use IPv4 for domain resolution and contacting the server on https. Default is -to use IPv4 and IPv6 where appropriate. +Use IPv4 for domain resolution and contacting the server on +https. +Default is to use IPv4 and IPv6 where appropriate. +.UNINDENT +.INDENT 0.0 .TP .B \-6 -Use IPv6 for domain resolution and contacting the server on https. Default is -to use IPv4 and IPv6 where appropriate. 
-.TP -.B \-f \fIresolv.conf -Use the given resolv.conf file. Not enabled by default, but you could try to -pass /etc/resolv.conf on some systems. It contains the IP addresses of the -recursive nameservers to use. However, since this tool could be used to -bootstrap that very recursive nameserver, it would not be useful (since -that server is not up yet, since we are bootstrapping it). It could be -useful in a situation where you know an upstream cache is deployed (and -running) and in captive portal situations. -.TP -.B \-r \fIroot.hints -Use the given root.hints file (same syntax as the BIND and Unbound root hints -file) to bootstrap domain resolution. By default a list of builtin root -hints is used. Unbound\-anchor goes to the network itself for these roots, -to resolve the server (\-u option) and to check the root DNSKEY records. +Use IPv6 for domain resolution and contacting the server on https. +Default is to use IPv4 and IPv6 where appropriate. +.UNINDENT +.INDENT 0.0 +.TP +.B \-f +Use the given resolv.conf file. +Not enabled by default, but you could try to pass +\fB/etc/resolv.conf\fP on some systems. +It contains the IP addresses of the recursive nameservers to use. +However, since this tool could be used to bootstrap that very recursive +nameserver, it would not be useful (since that server is not up yet, +since we are bootstrapping it). +It could be useful in a situation where you know an upstream cache is +deployed (and running) and in captive portal situations. +.UNINDENT +.INDENT 0.0 +.TP +.B \-r +Use the given root.hints file (same syntax as the BIND and Unbound root +hints file) to bootstrap domain resolution. +By default a list of builtin root hints is used. +unbound\-anchor goes to the network itself for these roots, to resolve +the server (\fI\%\-u\fP option) and to check the root DNSKEY records. 
It does so, because the tool when used for bootstrapping the recursive -resolver, cannot use that recursive resolver itself because it is bootstrapping -that server. +resolver, cannot use that recursive resolver itself because it is +bootstrapping that server. +.UNINDENT +.INDENT 0.0 .TP .B \-R -Allow fallback from \-f resolv.conf file to direct root servers query. -It allows you to prefer local resolvers, but fallback automatically -to direct root query if they do not respond or do not support DNSSEC. +Allow fallback from \fI\%\-f\fP \fB\fP file to direct root +servers query. +It allows you to prefer local resolvers, but fallback automatically to +direct root query if they do not respond or do not support DNSSEC. +.UNINDENT +.INDENT 0.0 .TP .B \-v -More verbose. Once prints informational messages, multiple times may enable -large debug amounts (such as full certificates or byte\-dumps of downloaded -files). By default it prints almost nothing. It also prints nothing on -errors by default; in that case the original root anchor file is simply -left undisturbed, so that a recursive server can start right after it. +More verbose. +Once prints informational messages, multiple times may enable large +debug amounts (such as full certificates or byte\-dumps of downloaded +files). +By default it prints almost nothing. +It also prints nothing on errors by default; in that case the original +root anchor file is simply left undisturbed, so that a recursive server +can start right after it. +.UNINDENT +.INDENT 0.0 .TP -.B \-C \fIunbound.conf -Debug option to read unbound.conf into the resolver process used. +.B \-C +Debug option to read \fB\fP into the resolver process +used. +.UNINDENT +.INDENT 0.0 .TP -.B \-P \fIport -Set the port number to use for the https connection. The default is 443. +.B \-P +Set the port number to use for the https connection. +The default is 443. 
+.UNINDENT +.INDENT 0.0 .TP .B \-F -Debug option to force update of the root anchor through downloading the xml -file and verifying it with the certificate. By default it first tries to -update by contacting the DNS, which uses much less bandwidth, is much -faster (200 msec not 2 sec), and is nicer to the deployed infrastructure. -With this option, it still attempts to do so (and may verbosely tell you), -but then ignores the result and goes on to use the xml fallback method. +Debug option to force update of the root anchor through downloading the +xml file and verifying it with the certificate. +By default it first tries to update by contacting the DNS, which uses +much less bandwidth, is much faster (200 msec not 2 sec), and is nicer +to the deployed infrastructure. +With this option, it still attempts to do so (and may verbosely tell +you), but then ignores the result and goes on to use the xml fallback +method. +.UNINDENT +.INDENT 0.0 .TP .B \-h Show the version and commandline option help. -.SH "EXIT CODE" +.UNINDENT +.SH EXIT CODE +.sp This tool exits with value 1 if the root anchor was updated using the -certificate or if the builtin root-anchor was used. It exits with code -0 if no update was necessary, if the update was possible with RFC5011 -tracking, or if an error occurred. -.P +certificate or if the builtin root\-anchor was used. +It exits with code 0 if no update was necessary, if the update was possible +with \fI\%RFC 5011\fP tracking, or if an error occurred. +.sp You can check the exit value in this manner: +.INDENT 0.0 +.INDENT 3.5 +.sp .nf - unbound-anchor \-a "root.key" || logger "Please check root.key" +.ft C +unbound\-anchor \-a \(dqroot.key\(dq || logger \(dqPlease check root.key\(dq +.ft P .fi +.UNINDENT +.UNINDENT +.sp Or something more suitable for your operational environment. 
-.SH "TRUST" -The root keys and update certificate included in this tool -are provided for convenience and under the terms of our -license (see the LICENSE file in the source distribution or -https://github.com/NLnetLabs/unbound/blob/master/LICENSE) and might be stale or -not suitable to your purpose. -.P -By running "unbound\-anchor \-l" the keys and certificate that are +.SH TRUST +.sp +The root keys and update certificate included in this tool are provided for +convenience and under the terms of our license (see the LICENSE file in the +source distribution or \fI\%https://github.com/NLnetLabs/unbound/blob/master/LICENSE\fP +and might be stale or not suitable to your purpose. +.sp +By running \fI\%unbound\-anchor \-l\fP the keys and certificate that are configured in the code are printed for your convenience. -.P -The build\-in configuration can be overridden by providing a root\-cert -file and a rootkey file. -.SH "FILES" +.sp +The built\-in configuration can be overridden by providing a root\-cert file and +a rootkey file. +.SH FILES +.INDENT 0.0 .TP -.I @UNBOUND_ROOTKEY_FILE@ -The root anchor file, updated with 5011 tracking, and read and written to. +.B @UNBOUND_ROOTKEY_FILE@ +The root anchor file, updated with 5011 tracking, and read and written +to. The file is created if it does not exist. .TP -.I @UNBOUND_ROOTCERT_FILE@ -The trusted self\-signed certificate that is used to verify the downloaded -DNSSEC root trust anchor. You can update it by fetching it from -https://data.iana.org/root\-anchors/icannbundle.pem (and validate it). +.B @UNBOUND_ROOTCERT_FILE@ +The trusted self\-signed certificate that is used to verify the +downloaded DNSSEC root trust anchor. +You can update it by fetching it from +\fI\%https://data.iana.org/root\-anchors/icannbundle.pem\fP (and validate it). If the file does not exist or is empty, a builtin version is used. 
.TP -.I https://data.iana.org/root\-anchors/root\-anchors.xml +.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.xml\fP Source for the root key information. .TP -.I https://data.iana.org/root\-anchors/root\-anchors.p7s +.B \fI\%https://data.iana.org/root\-anchors/root\-anchors.p7s\fP Signature on the root key information. -.SH "SEE ALSO" -\fIunbound.conf\fR(5), -\fIunbound\fR(8). +.UNINDENT +.SH SEE ALSO +.sp +\fI\%unbound.conf(5)\fP, +\fI\%unbound(8)\fP\&. +.SH AUTHOR +Unbound developers are mentioned in the CREDITS file in the distribution. +.SH COPYRIGHT +1999-2025, NLnet Labs +.\" Generated by docutils manpage writer. +. diff --git a/contrib/unbound/doc/unbound-anchor.rst b/contrib/unbound/doc/unbound-anchor.rst new file mode 100644 --- /dev/null +++ b/contrib/unbound/doc/unbound-anchor.rst 
@@ -0,0 +1,281 @@
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+..
+ WHEN EDITING MAKE SURE EACH SENTENCE STARTS ON A NEW LINE
+
+..
+ IT HELPS RENDERERS TO DO THE RIGHT THING WRT SPACE
+
+..
+ IT HELPS PEOPLE DIFFING THE CHANGES
+
+.. program:: unbound-anchor
+
+unbound-anchor(8)
+=================
+
+Synopsis
+--------
+
+**unbound-anchor** [``opts``]
+
+Description
+-----------
+
+``unbound-anchor`` performs setup or update of the root trust anchor for DNSSEC
+validation.
+The program fetches the trust anchor with the method from :rfc:`7958` when
+regular :rfc:`5011` update fails to bring it up to date.
+It can be run (as root) from the commandline, or run as part of startup
+scripts.
+Before you start the :doc:`unbound(8)` DNS server.
+
+Suggested usage:
+
+.. code-block:: text
+
+ # in the init scripts.
+ # provide or update the root anchor (if necessary)
+ unbound-anchor -a "@UNBOUND_ROOTKEY_FILE@"
+ # Please note usage of this root anchor is at your own risk
+ # and under the terms of our LICENSE (see source).
+ #
+ # start validating resolver
+ # the unbound.conf contains:
+ # auto-trust-anchor-file: "@UNBOUND_ROOTKEY_FILE@"
+ unbound -c unbound.conf
+
+This tool provides builtin default contents for the root anchor and root update
+certificate files.
+
+It tests if the root anchor file works, and if not, and an update is possible,
+attempts to update the root anchor using the root update certificate.
+It performs a https fetch of
+`root-anchors.xml `__
+and checks the results (:rfc:`7958`); if all checks are successful, it updates
+the root anchor file.
+Otherwise the root anchor file is unchanged.
+It performs :rfc:`5011` tracking if the DNSSEC information available via the
+DNS makes that possible.
+
+It does not perform an update if the certificate is expired, if the network is
+down or other errors occur.
+
+The available options are:
+
+.. option:: -a
+
+ The root anchor key file, that is read in and written out.
+ Default is :file:`@UNBOUND_ROOTKEY_FILE@`.
+ If the file does not exist, or is empty, a builtin root key is written
+ to it.
+
+.. option:: -c
+
+ The root update certificate file, that is read in.
+ Default is :file:`@UNBOUND_ROOTCERT_FILE@`.
+ If the file does not exist, or is empty, a builtin certificate is used.
+
+.. option:: -l
+
+ List the builtin root key and builtin root update certificate on stdout.
+
+.. option:: -u
+
+ The server name, it connects to ``https://name``.
+ Specify without ``https://`` prefix.
+ The default is ``"data.iana.org"``.
+ It connects to the port specified with :option:`-P`.
+ You can pass an IPv4 address or IPv6 address (no brackets) if you want.
+
+.. option:: -S
+
+ Do not use SNI for the HTTPS connection.
+ Default is to use SNI.
+
+.. option:: -b
+
+ The source address to bind to for domain resolution and contacting the
+ server on https.
+ May be either an IPv4 address or IPv6 address (no brackets).
+
+.. option:: -x
+
+ The pathname to the root-anchors.xml file on the server.
+ (forms URL with :option:`-u`).
+ The default is :file:`/root-anchors/root-anchors.xml`.
+
+.. option:: -s
+
+ The pathname to the root-anchors.p7s file on the server.
+ (forms URL with :option:`-u`).
+ The default is :file:`/root-anchors/root-anchors.p7s`.
+ This file has to be a PKCS7 signature over the xml file, using the pem
+ file (:option:`-c`) as trust anchor.
+
+.. option:: -n
+
+ The emailAddress for the Subject of the signer's certificate from the
+ p7s signature file.
+ Only signatures from this name are allowed.
+ The default is ``dnssec@iana.org``.
+ If you pass ``""`` then the emailAddress is not checked.
+
+.. option:: -4
+
+ Use IPv4 for domain resolution and contacting the server on
+ https.
+ Default is to use IPv4 and IPv6 where appropriate.
+
+.. option:: -6
+
+ Use IPv6 for domain resolution and contacting the server on https.
+ Default is to use IPv4 and IPv6 where appropriate.
+
+.. option:: -f
+
+ Use the given resolv.conf file.
+ Not enabled by default, but you could try to pass
+ :file:`/etc/resolv.conf` on some systems.
+ It contains the IP addresses of the recursive nameservers to use.
+ However, since this tool could be used to bootstrap that very recursive
+ nameserver, it would not be useful (since that server is not up yet,
+ since we are bootstrapping it).
+ It could be useful in a situation where you know an upstream cache is
+ deployed (and running) and in captive portal situations.
+
+.. option:: -r
+
+ Use the given root.hints file (same syntax as the BIND and Unbound root
+ hints file) to bootstrap domain resolution.
+ By default a list of builtin root hints is used.
+ unbound-anchor goes to the network itself for these roots, to resolve
+ the server (:option:`-u` option) and to check the root DNSKEY records.
+ It does so, because the tool when used for bootstrapping the recursive
+ resolver, cannot use that recursive resolver itself because it is
+ bootstrapping that server.
+
+.. option:: -R
+
+ Allow fallback from :option:`-f` ```` file to direct root
+ servers query.
+ It allows you to prefer local resolvers, but fallback automatically to
+ direct root query if they do not respond or do not support DNSSEC.
+
+.. option:: -v
+
+ More verbose.
+ Once prints informational messages, multiple times may enable large
+ debug amounts (such as full certificates or byte-dumps of downloaded
+ files).
+ By default it prints almost nothing.
+ It also prints nothing on errors by default; in that case the original
+ root anchor file is simply left undisturbed, so that a recursive server
+ can start right after it.
+
+.. option:: -C
+
+ Debug option to read :file:`` into the resolver process
+ used.
+
+.. option:: -P
+
+ Set the port number to use for the https connection.
+ The default is 443.
+
+.. option:: -F
+
+ Debug option to force update of the root anchor through downloading the
+ xml file and verifying it with the certificate.
+ By default it first tries to update by contacting the DNS, which uses
+ much less bandwidth, is much faster (200 msec not 2 sec), and is nicer
+ to the deployed infrastructure.
+ With this option, it still attempts to do so (and may verbosely tell
+ you), but then ignores the result and goes on to use the xml fallback
+ method.
+
+.. option:: -h
+
+ Show the version and commandline option help.
+
+Exit Code
+---------
+
+This tool exits with value 1 if the root anchor was updated using the
+certificate or if the builtin root-anchor was used.
+It exits with code 0 if no update was necessary, if the update was possible
+with :rfc:`5011` tracking, or if an error occurred.
+
+ You can check the exit value in this manner:
+
+.. code-block:: text
+
+ unbound-anchor -a "root.key" || logger "Please check root.key"
+
+Or something more suitable for your operational environment.
+
+Trust
+-----
+
+The root keys and update certificate included in this tool are provided for
+convenience and under the terms of our license (see the LICENSE file in the
+source distribution or https://github.com/NLnetLabs/unbound/blob/master/LICENSE
+and might be stale or not suitable to your purpose.
+
+By running :option:`unbound-anchor -l` the keys and certificate that are
+configured in the code are printed for your convenience.
+
+The built-in configuration can be overridden by providing a root-cert file and
+a rootkey file.
+
+Files
+-----
+
+@UNBOUND_ROOTKEY_FILE@
+ The root anchor file, updated with 5011 tracking, and read and written
+ to.
+ The file is created if it does not exist.
+
+@UNBOUND_ROOTCERT_FILE@
+ The trusted self-signed certificate that is used to verify the
+ downloaded DNSSEC root trust anchor.
+ You can update it by fetching it from
+ https://data.iana.org/root-anchors/icannbundle.pem (and validate it).
+ If the file does not exist or is empty, a builtin version is used.
+
+https://data.iana.org/root-anchors/root-anchors.xml
+ Source for the root key information.
+
+https://data.iana.org/root-anchors/root-anchors.p7s
+ Signature on the root key information.
+
+See Also
+--------
+
+:doc:`unbound.conf(5)`,
+:doc:`unbound(8)`.
diff --git a/contrib/unbound/doc/unbound-checkconf.8.in b/contrib/unbound/doc/unbound-checkconf.8.in
--- a/contrib/unbound/doc/unbound-checkconf.8.in
+++ b/contrib/unbound/doc/unbound-checkconf.8.in
@@ -1,56 +1,93 @@ -.TH "unbound-checkconf" "8" "Jul 16, 2025" "NLnet Labs" "unbound 1.23.1" -.\" -.\" unbound-checkconf.8 -- unbound configuration checker manual -.\" -.\" Copyright (c) 2007, NLnet Labs. All rights reserved. -.\" -.\" See LICENSE for the license. -.\" -.\" -.SH "NAME" -unbound\-checkconf -\- Check Unbound configuration file for errors. -.SH "SYNOPSIS" -.B unbound\-checkconf -.RB [ \-h ] -.RB [ \-f ] -.RB [ \-q ] -.RB [ \-o -.IR option ] -.RI [ cfgfile ] -.SH "DESCRIPTION" -.B Unbound\-checkconf -checks the configuration file for the -\fIunbound\fR(8) -DNS resolver for syntax and other errors. +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "UNBOUND-CHECKCONF" "8" "Sep 18, 2025" "1.24.0" "Unbound" +.SH NAME +unbound-checkconf \- Check Unbound 1.24.0 configuration file for errors. +.SH SYNOPSIS +.sp +\fBunbound\-checkconf\fP [\fB\-hf\fP] [\fB\-o option\fP] [cfgfile] +.SH DESCRIPTION +.sp +\fBunbound\-checkconf\fP checks the configuration file for the +\fI\%unbound(8)\fP DNS resolver for syntax and other errors. The config file syntax is described in -\fIunbound.conf\fR(5). -.P +\fI\%unbound.conf(5)\fP\&. +.sp The available options are: +.INDENT 0.0 .TP .B \-h Show the version and commandline option help. +.UNINDENT +.INDENT 0.0 .TP .B \-f -Print full pathname, with chroot applied to it. 
Use with the \-o option. -.TP -.B \-o\fI option -If given, after checking the config file the value of this option is -printed to stdout. For "" (disabled) options an empty line is printed. +Print full pathname, with chroot applied to it. +Use with the \fI\%\-o\fP option. +.UNINDENT +.INDENT 0.0 .TP .B \-q Make the operation quiet, suppress output on success. +.UNINDENT +.INDENT 0.0 +.TP +.B \-o