Merge remote-tracking branch 'nlnet/master'

* nlnet/master: (22 commits) Nicer spelling and layout. - For NLnetLabs#45, check that 127.0.0.1 and ::1 are not used in unbound.conf when do-not-query-localhost is turned on, or at default on, unbound-checkconf prints a warning if it is found in forward-addr or stub-addr statements. - Fix memleak in unit test, reported from the clang 8.0 static analyzer. - Fix python dict reference and double free in config. - Merge PR NLnetLabs#6: Python module: support multiple instances - Merge PR NLnetLabs#5: Python module: define constant MODULE_RESTART_NEXT - Merge PR NLnetLabs#4: Python module: assign something useful to the per-query data store 'qdata' Noted in Changelog. - Added documentation to the ipset files (for doxygen output). - make depend - Fix to make unbound-control with ipset, remove unused variable, use unsigned type because of comparison, and assign null instead of compare with it. Remade lex and yacc output. - PR NLnetLabs#28: IPSet module, by Kevin Chou. Created a module to support the ipset that could add the domain's ip to a list easily. Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md. - Fix to omit RRSIGs from addition to the ipset. - Fix for NLnetLabs#24: Fix abort due to scan of auth zone masters using old address from previous scan. - Fix NLnetLabs#39: In libunbound, leftover logfile is close()d unpredictably. - Master contains version 1.9.3 in development. fix segmentation fault rollback the code bugfix performance improvement edit config parser to support ipset Add support for ipset Document how to configure multiple python modules Support multiple python module instances ...
jedisct1 · Jun 29, 2019 · 4edb15b · 4edb15b
2 parents f5e3a85 + 36819ad
commit 4edb15b
Show file tree

Hide file tree

Showing 25 changed files with 4,528 additions and 3,498 deletions.
diff --git a/Makefile.in b/Makefile.in
diff --git a/config.h.in b/config.h.in
@@ -775,6 +775,9 @@
 /* Define to 1 to use ipsecmod support. */
 #undef USE_IPSECMOD
 
+/* Define to 1 to use ipset support */
+#undef USE_IPSET
+
 /* Define if you want to use internal select based events */
 #undef USE_MINI_EVENT
 

diff --git a/configure b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.9.2.
+# Generated by GNU Autoconf 2.69 for unbound 1.9.3.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl>.
 #
@@ -590,8 +590,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.9.2'
-PACKAGE_STRING='unbound 1.9.2'
+PACKAGE_VERSION='1.9.3'
+PACKAGE_STRING='unbound 1.9.3'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl'
 PACKAGE_URL=''
 
@@ -638,6 +638,8 @@ INSTALLTARGET
 ALLTARGET
 SOURCEFILE
 SOURCEDETERMINE
+IPSET_OBJ
+IPSET_SRC
 IPSECMOD_HEADER
 IPSECMOD_OBJ
 DNSCRYPT_OBJ
@@ -878,6 +880,8 @@ enable_dnscrypt
 with_libsodium
 enable_cachedb
 enable_ipsecmod
+enable_ipset
+with_libmnl
 with_libunbound_only
 '
       ac_precious_vars='build_alias
@@ -1440,7 +1444,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.9.2 to adapt to many kinds of systems.
+\`configure' configures unbound 1.9.3 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1505,7 +1509,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.9.2:";;
+     short | recursive ) echo "Configuration of unbound 1.9.3:";;
    esac
   cat <<\_ACEOF
 
@@ -1565,6 +1569,7 @@ Optional Features:
                           storage
   --enable-ipsecmod       Enable ipsecmod module that facilitates
                           opportunistic IPsec
+  --enable-ipset          enable ipset module
 
 Optional Packages:
   --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
@@ -1619,6 +1624,7 @@ Optional Packages:
   --with-protobuf-c=path  Path where protobuf-c is installed, for dnstap
   --with-libfstrm=path    Path where libfstrm is installed, for dnstap
   --with-libsodium=path   Path where libsodium is installed, for dnscrypt
+  --with-libmnl=path      specify explicit path for libmnl.
   --with-libunbound-only  do not build daemon and tool programs
 
 Some influential environment variables:
@@ -1722,7 +1728,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.9.2
+unbound configure 1.9.3
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2431,7 +2437,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.9.2, which was
+It was created by unbound $as_me 1.9.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2783,11 +2789,11 @@ UNBOUND_VERSION_MAJOR=1
 
 UNBOUND_VERSION_MINOR=9
 
-UNBOUND_VERSION_MICRO=2
+UNBOUND_VERSION_MICRO=3
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2857,6 +2863,7 @@ LIBUNBOUND_AGE=1
 # 1.9.0 had 9:0:1 # add ub_ctx_set_tls
 # 1.9.1 had 9:1:1
 # 1.9.2 had 9:2:1
+# 1.9.3 had 9:3:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -21049,6 +21056,59 @@ $as_echo "#define USE_IPSECMOD 1" >>confdefs.h
 		;;
 esac
 
+# check for ipset if requested
+# Check whether --enable-ipset was given.
+if test "${enable_ipset+set}" = set; then :
+  enableval=$enable_ipset;
+fi
+
+case "$enable_ipset" in
+    yes)
+
+$as_echo "#define USE_IPSET 1" >>confdefs.h
+
+		IPSET_SRC="ipset/ipset.c"
+
+		IPSET_OBJ="ipset.lo"
+
+
+		# mnl
+
+# Check whether --with-libmnl was given.
+if test "${with_libmnl+set}" = set; then :
+  withval=$with_libmnl;
+else
+   withval="yes"
+fi
+
+		found_libmnl="no"
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5
+$as_echo_n "checking for libmnl... " >&6; }
+		if test x_$withval = x_ -o x_$withval = x_yes; then
+			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+		fi
+		for dir in $withval ; do
+			if test -f "$dir/include/libmnl/libmnl.h"; then
+				found_libmnl="yes"
+								if test "$dir" != "/usr"; then
+					CPPFLAGS="$CPPFLAGS -I$dir/include"
+					LDFLAGS="$LDFLAGS -L$dir/lib"
+				fi
+				{ $as_echo "$as_me:${as_lineno-$LINENO}: result: found in $dir" >&5
+$as_echo "found in $dir" >&6; }
+				LIBS="$LIBS -lmnl"
+				break;
+			fi
+		done
+		if test x_$found_libmnl != x_yes; then
+			as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5
+		fi
+		;;
+    no|*)
+    	# nothing
+		;;
+esac
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking if ${MAKE:-make} supports $< with implicit rule in scope" >&5
 $as_echo_n "checking if ${MAKE:-make} supports $< with implicit rule in scope... " >&6; }
 # on openBSD, the implicit rule make $< work.
@@ -21204,7 +21264,7 @@ _ACEOF
 
 
 
-version=1.9.2
+version=1.9.3
 
 date=`date +'%b %e, %Y'`
 
@@ -21723,7 +21783,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.9.2, which was
+This file was extended by unbound $as_me 1.9.3, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -21789,7 +21849,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.9.2
+unbound config.status 1.9.3
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 

diff --git a/configure.ac b/configure.ac
@@ -11,14 +11,14 @@ sinclude(dnscrypt/dnscrypt.m4)
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
 m4_define([VERSION_MINOR],[9])
-m4_define([VERSION_MICRO],[2])
+m4_define([VERSION_MICRO],[3])
 AC_INIT(unbound, m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]), unbound-bugs@nlnetlabs.nl, unbound)
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=2
+LIBUNBOUND_REVISION=3
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -88,6 +88,7 @@ LIBUNBOUND_AGE=1
 # 1.9.0 had 9:0:1 # add ub_ctx_set_tls
 # 1.9.1 had 9:1:1
 # 1.9.2 had 9:2:1
+# 1.9.3 had 9:3:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -1603,6 +1604,47 @@ case "$enable_ipsecmod" in
 		;;
 esac
 
+# check for ipset if requested
+AC_ARG_ENABLE(ipset, AC_HELP_STRING([--enable-ipset], [enable ipset module]))
+case "$enable_ipset" in
+    yes)
+		AC_DEFINE([USE_IPSET], [1], [Define to 1 to use ipset support])
+		IPSET_SRC="ipset/ipset.c"
+		AC_SUBST(IPSET_SRC)
+		IPSET_OBJ="ipset.lo"
+		AC_SUBST(IPSET_OBJ)
+
+		# mnl
+		AC_ARG_WITH(libmnl, AC_HELP_STRING([--with-libmnl=path],
+			[specify explicit path for libmnl.]),
+			[ ],[ withval="yes" ])
+		found_libmnl="no"
+		AC_MSG_CHECKING(for libmnl)
+		if test x_$withval = x_ -o x_$withval = x_yes; then
+			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
+		fi
+		for dir in $withval ; do
+			if test -f "$dir/include/libmnl/libmnl.h"; then
+				found_libmnl="yes"
+				dnl assume /usr is in default path.
+				if test "$dir" != "/usr"; then
+					CPPFLAGS="$CPPFLAGS -I$dir/include"
+					LDFLAGS="$LDFLAGS -L$dir/lib"
+				fi
+				AC_MSG_RESULT(found in $dir)
+				LIBS="$LIBS -lmnl"
+				break;
+			fi
+		done
+		if test x_$found_libmnl != x_yes; then
+			AC_ERROR([Could not find libmnl, libmnl.h])
+		fi
+		;;
+    no|*)
+    	# nothing
+		;;
+esac
+
 AC_MSG_CHECKING([if ${MAKE:-make} supports $< with implicit rule in scope])
 # on openBSD, the implicit rule make $< work.
 # on Solaris, it does not work ($? is changed sources, $^ lists dependencies).

diff --git a/doc/Changelog b/doc/Changelog
@@ -1,6 +1,38 @@
+25 June 2019: Wouter
+	- For #45, check that 127.0.0.1 and ::1 are not used in unbound.conf
+	  when do-not-query-localhost is turned on, or at default on,
+	  unbound-checkconf prints a warning if it is found in forward-addr or
+	  stub-addr statements.
+
+24 June 2019: Wouter
+	- Fix memleak in unit test, reported from the clang 8.0 static analyzer.
+
+18 June 2019: Wouter
+	- PR #28: IPSet module, by Kevin Chou.  Created a module to support
+	  the ipset that could add the domain's ip to a list easily.
+	  Needs libmnl, and --enable-ipset and config it, doc/README.ipset.md.
+	- Fix to omit RRSIGs from addition to the ipset.
+	- Fix to make unbound-control with ipset, remove unused variable,
+	  use unsigned type because of comparison, and assign null instead
+	  of compare with it.  Remade lex and yacc output.
+	- make depend
+	- Added documentation to the ipset files (for doxygen output).
+	- Merge PR #6: Python module: support multiple instances
+	- Merge PR #5: Python module: define constant MODULE_RESTART_NEXT
+	- Merge PR #4: Python module: assign something useful to the
+	  per-query data store 'qdata' 
+	- Fix python dict reference and double free in config.
+
+17 June 2019: Wouter
+	- Master contains version 1.9.3 in development.
+	- Fix #39: In libunbound, leftover logfile is close()d unpredictably.
+	- Fix for #24: Fix abort due to scan of auth zone masters using old
+	  address from previous scan.
+
 12 June 2019: Wouter
 	- Fix another spoolbuf storage code point, in prefetch.
-	- 1.9.2rc3 release candidate tag.
+	- 1.9.2rc3 release candidate tag.  Which became the 1.9.2 release
+	  on 17 June 2019.
 
 11 June 2019: Wouter
 	- Fix that fixes the Fix that spoolbuf is not used to store tcp

diff --git a/doc/README.ipset.md b/doc/README.ipset.md
@@ -0,0 +1,65 @@
+## Created a module to support the ipset that could add the domain's ip to a list easily.
+
+### Purposes:
+* In my case, I can't access the facebook, twitter, youtube and thousands web site for some reason. VPN is a solution. But the internet too slow whether all traffics pass through the vpn.
+So, I set up a transparent proxy to proxy the traffic which has been blocked only.
+At the final step, I need to install a dns service which would work with ipset well to launch the system.
+I did some research for this. Unfortunately, Unbound, My favorite dns service doesn't support ipset yet. So, I decided to implement it by my self and contribute the patch. It's good for me and the community.
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "facebook.com" ipset
+  local-zone: "twitter.com" ipset
+  local-zone: "instagram.com" ipset
+  more social website
+
+ipset:
+  name-v4: "gfwlist"
+```
+```
+# iptables
+iptables -A PREROUTING -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
+iptables -A OUTPUT -p tcp -m set --match-set gfwlist dst -j REDIRECT --to-ports 10800
+```
+
+* This patch could work with iptables rules to batch block the IPs.
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "facebook.com" ipset
+  local-zone: "twitter.com" ipset
+  local-zone: "instagram.com" ipset
+  more social website
+
+ipset:
+  name-v4: "blacklist"
+  name-v6: "blacklist6"
+```
+```
+# iptables
+iptables -A INPUT -m set --set blacklist src -j DROP
+ip6tables -A INPUT -m set --set blacklist6 src -j DROP
+```
+
+### Notes:
+* To enable this module the root privileges is required.
+* Please create a set with ipset command first. eg. **ipset -N blacklist iphash**
+
+### How to use:
+```
+./configure --enable-ipset
+make && make install
+```
+
+### Configuration:
+```
+# unbound.conf
+server:
+  ...
+  local-zone: "example.com" ipset
+
+ipset:
+  name-v4: "blacklist"
+```