Add rlm_unbound a wrapper around libunbound

raddb/mods-available/unbound

@@ -0,0 +1,4 @@
+unbound dns {
+	# filename = "${raddbdir}/mods-config/unbound/default.conf"
+	# xlat_timeout = 3000
+}

raddb/mods-config/unbound/default.conf

@@ -0,0 +1,2 @@
+server:
+ num-threads: 2

src/modules/rlm_unbound/all.mk.in

@@ -0,0 +1,13 @@
+TARGETNAME	:= @targetname@
+
+ifneq "$(TARGETNAME)" ""
+TARGET		:= $(TARGETNAME).a
+endif
+
+SOURCES		:= $(TARGETNAME).c
+
+SRC_CFLAGS	:= @mod_cflags@
+TGT_LDLIBS	:= @mod_ldflags@
+
+MAN		:= rlm_unbound.5
+

src/modules/rlm_unbound/configure.ac

@@ -0,0 +1,54 @@
+AC_PREREQ([2.53])
+AC_INIT(rlm_unbound.c)
+AC_REVISION($Revision$)
+AC_DEFUN(modname,[rlm_unbound])
+
+if test x$with_[]modname != xno; then
+	AC_PROG_CC
+	AC_PROG_CPP
+
+	FR_SMART_CHECK_LIB(unbound, ub_ctx_create)
+        	if test "x$ac_cv_lib_unbound_ub_ctx_create" != "xyes"; then
+		fail="$fail libunbound"
+	fi
+
+	FR_SMART_CHECK_INCLUDE(unbound.h)
+	if test "$ac_cv_header_unbound_h" != "yes"; then
+		fail="$fail unbound.h"
+	fi
+
+dnl # This needs work as libunbound could be using NSS or various other
+dnl # mixes of incompatible options and header/lib availability may occur.
+dnl # Since libunbound needs openssl locking set up, and may be
+dnl # linked against openssl even when we are not, play it safe.
+	FR_SMART_CHECK_INCLUDE(openssl/crypto.h)
+	if test "$ac_cv_header_openssl_crypto_h" != "yes"; then
+		fail="$fail openssl/crypto.h"
+	fi
+
+	targetname=modname
+else
+	targetname=
+	echo \*\*\* module modname is disabled.
+fi
+
+if test x"$fail" != x""; then
+	if test x"${enable_strict_dependencies}" = x"yes"; then
+		AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.])
+	else
+		AC_MSG_WARN([silently not building ]modname[.])
+		AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]);
+		targetname=""
+	fi
+fi
+
+mod_ldflags="${SMART_LIBS}"
+mod_cflags="${SMART_CFLAGS}"
+
+AC_SUBST(mod_cflags)
+AC_SUBST(mod_ldflags)
+
+AC_CONFIG_HEADER(config.h)
+
+AC_SUBST(targetname)
+AC_OUTPUT(all.mk)

src/modules/rlm_unbound/rlm_unbound.5

@@ -0,0 +1,75 @@
+.\"     # DS - begin display
+.de DS
+.RS
+.nf
+.sp
+..
+.\"     # DE - end display
+.de DE
+.fi
+.RE
+.sp
+..
+.TH rlm_unbound 5 "8 July 2013" "" "FreeRADIUS Module"
+.SH NAME
+rlm_unbound \- FreeRADIUS Module
+.SH DESCRIPTION
+Each instance of \fIrlm_unbound\fP provides an embedded DNS client
+for performing DNS lookups.  Each instance may be configured separately
+to query different DNS horizons, change DNSSEC options, etc.
+.PP
+The module is primarily intended for use by other modules through
+internal APIs, and so, instances should be initialized earlier than
+those modules which use them.  Each instance does also provide some
+xlat functionalities for general use and for troubleshooting.
+.PP
+Each instance of rlm_unbound may take the following parameters:
+.IP filename
+This file must exist and must point to a valid libunbound configuration file.
+The default is ${raddbdir}/mods-config/unbound/default.conf.
+.IP xlat_timeout
+While libunbound provides an asyncronous API for internal use, using any xlat
+is done syncronously from the perspective of unlang.  This value limits the
+amount of time a request will wait for DNS to respond, after which the xlat
+will fail.  The default is 3000 milliseconds.  This setting is independent of
+any libunbound configuration values.
+.PP
+An instance named, for example, "dns" will provide the following xlat
+functionalities:
+.IP %{dns-a:<owner>}
+Performs an A lookup for the owner name, returning a stringified IPv4
+address.  Only the first A record in the RRSET will be returned.
+.IP %{dns-aaaa:<owner>}
+Performs an AAAA lookup for the owner name, returning a stringified IPv6
+address.  Only the first AAAA record in the RRSET will be returned.
+.IP %{dns-ptr:<owner>}
+Performs a PTR lookup for the owner.
+.PP
+.SH CAVEATS
+Logging from rlm_unbound can be problematic, especialy if more than one
+instantiation of the module is used.  This is due to the need for additional
+features in the underlying libunbound which hopefully will be enhanced over
+time.
+.PP
+There is a potential for a FreeRADIUS server using rlm_unbound to either
+fail to terminate cleanly (leaving zombie processes, failing to clean up
+other modules, and hanging after a SIGTERM until a SIGKILL is sent) or
+to fail valgrind checks during termination when run with -m.  Likewise this
+problem will rely on upstream enhancements before it can be fixed, and the
+exact behavior may change in interim releases until then.
+.PP
+The logging behavior of rlm_unbound may vary depending on whether
+FreeRADIUS is compiled with support for threads.
+.PP
+.SH FILES
+.I /etc/raddb/modules-available/rlm_unbound
+.I /etc/raddb/modules-config/unbound/
+.PP
+.SH "SEE ALSO"
+.BR radiusd (8),
+.BR radiusd.conf (5)
+.BR libunbound (3)
+.BR unbound.conf (5)
+.SH AUTHOR
+Brian S. Julin, bjulin@clarku.edu
+