Diffstat (limited to 'contrib/unbound/smallapp/unbound-checkconf.c')
-rw-r--r-- | contrib/unbound/smallapp/unbound-checkconf.c | 60 |
1 files changed, 57 insertions, 3 deletions
diff --git a/contrib/unbound/smallapp/unbound-checkconf.c b/contrib/unbound/smallapp/unbound-checkconf.c
index fc4f4f212d0a..f5f0ab332c86 100644
--- a/contrib/unbound/smallapp/unbound-checkconf.c
+++ b/contrib/unbound/smallapp/unbound-checkconf.c
@@ -316,7 +316,7 @@ warn_hosts(const char* typ, struct config_stub* list)
 struct config_strlist* h;
 for(s=list; s; s=s->next) {
 for(h=s->hosts; h; h=h->next) {
- if(extstrtoaddr(h->str, &a, &alen)) {
+ if(extstrtoaddr(h->str, &a, &alen, UNBOUND_DNS_PORT)) {
 fprintf(stderr, "unbound-checkconf: warning:"
 " %s %s: \"%s\" is an IP%s address, "
 "and when looked up as a host name "
@@ -338,6 +338,8 @@ interfacechecks(struct config_file* cfg)
 int i, j, i2, j2;
 char*** resif = NULL;
 int* num_resif = NULL;
+ char portbuf[32];
+ snprintf(portbuf, sizeof(portbuf), "%d", cfg->port);
 
 if(cfg->num_ifs != 0) {
 resif = (char***)calloc(cfg->num_ifs, sizeof(char**));
@@ -359,9 +361,21 @@ interfacechecks(struct config_file* cfg)
 fatal_exit("could not resolve interface names, for %s",
 cfg->ifs[i]);
 }
+ /* check for port combinations that are not supported */
+ if(if_is_pp2(resif[i][0], portbuf, cfg->proxy_protocol_port)) {
+ if(if_is_dnscrypt(resif[i][0], portbuf,
+ cfg->dnscrypt_port)) {
+ fatal_exit("PROXYv2 and DNSCrypt combination not "
+ "supported!");
+ } else if(if_is_https(resif[i][0], portbuf,
+ cfg->https_port)) {
+ fatal_exit("PROXYv2 and DoH combination not "
+ "supported!");
+ }
+ }
 /* search for duplicates in the returned addresses */
 for(j=0; j<num_resif[i]; j++) {
- if(!extstrtoaddr(resif[i][j], &a, &alen)) {
+ if(!extstrtoaddr(resif[i][j], &a, &alen, cfg->port)) {
 if(strcmp(cfg->ifs[i], resif[i][j]) != 0)
 fatal_exit("cannot parse interface address '%s' from the interface specified as '%s'",
 resif[i][j], cfg->ifs[i]);
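Review bot: The new PROXYv2 combination check in the `-359,9 +361,21` hunk inspects only `resif[i][0]`, while the duplicate search directly below it iterates every `resif[i][j]`; if an interface name resolves to more than one address, the remaining entries are never tested for the unsupported DNSCrypt or DoH overlap. Whether `num_resif[i]` is guaranteed to be at least 1 at this point is not visible in the hunk; if it can be 0 the `[0]` index reads past the array, so either guard it or move the check into the `for(j=0; j<num_resif[i]; j++)` loop and use `resif[i][j]`. interfacechecks() starts and ends outside this hunk.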
@@ -408,6 +422,28 @@ interfacechecks(struct config_file* cfg)
 }
 }
 
+/** check interface-automatic-ports */
+static void
+ifautomaticportschecks(char* ifautomaticports)
+{
+ char* now = ifautomaticports;
+ while(now && *now) {
+ char* after;
+ int extraport;
+ while(isspace((unsigned char)*now))
+ now++;
+ if(!*now)
+ break;
+ after = now;
+ extraport = (int)strtol(now, &after, 10);
+ if(extraport < 0 || extraport > 65535)
+ fatal_exit("interface-automatic-ports: port out of range at position %d in '%s'", (int)(now-ifautomaticports)+1, ifautomaticports);
+ if(extraport == 0 && now == after)
+ fatal_exit("interface-automatic-ports: parse error at position %d in '%s'", (int)(now-ifautomaticports)+1, ifautomaticports);
+ now = after;
+ }
+}
+
 /** check acl ips */
 static void
 aclchecks(struct config_file* cfg)
@@ -608,6 +644,7 @@ morechecks(struct config_file* cfg)
 warn_hosts("stub-host", cfg->stubs);
 warn_hosts("forward-host", cfg->forwards);
 interfacechecks(cfg);
+ ifautomaticportschecks(cfg->if_automatic_ports);
 aclchecks(cfg);
 tcpconnlimitchecks(cfg);
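Review bot: In ifautomaticportschecks() the `strtol` result is narrowed to `int` before the range test, so on LP64 platforms a value such as 4294967296 truncates to 0 and is accepted as a valid port, and values that overflow `long` are not detected either because `errno` is never consulted. Keep the value wide and validate it before any narrowing: `long extraport;` … `errno = 0; extraport = strtol(now, &after, 10);` … `if(errno == ERANGE || extraport < 0 || extraport > 65535)` (this needs `<errno.h>` if the file does not already include it, and `isspace` needs `<ctype.h>`). The parameter is never written through, so `const char* ifautomaticports` would document that; the only caller visible is the `cfg->if_automatic_ports` call added in the morechecks() hunk below.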
@@ -670,6 +707,23 @@ morechecks(struct config_file* cfg)
 cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
 check_chroot_filelist_wild("trusted-keys-file",
 cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
+ if(cfg->disable_edns_do && strstr(cfg->module_conf, "validator")
+ && (cfg->trust_anchor_file_list
+ || cfg->trust_anchor_list
+ || cfg->auto_trust_anchor_file_list
+ || cfg->trusted_keys_file_list)) {
+ char* key = NULL;
+ if(cfg->auto_trust_anchor_file_list)
+ key = cfg->auto_trust_anchor_file_list->str;
+ if(!key && cfg->trust_anchor_file_list)
+ key = cfg->trust_anchor_file_list->str;
+ if(!key && cfg->trust_anchor_list)
+ key = cfg->trust_anchor_list->str;
+ if(!key && cfg->trusted_keys_file_list)
+ key = cfg->trusted_keys_file_list->str;
+ if(!key) key = "";
+ fatal_exit("disable-edns-do does not allow DNSSEC to work, but the validator module uses a trust anchor %s, turn off disable-edns-do or disable validation", key);
+ }
 #ifdef USE_IPSECMOD
 if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
 /* only check hook if enabled */
@@ -677,7 +731,7 @@ morechecks(struct config_file* cfg)
 cfg->chrootdir, cfg);
 }
 #endif
- /* remove chroot setting so that modules are not stripping pathnames*/
+ /* remove chroot setting so that modules are not stripping pathnames */
 free(cfg->chrootdir);
 cfg->chrootdir = NULL;
|
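Review bot: The new disable-edns-do block in the `-670,6 +707,23` hunk explains the conflict only inside the fatal_exit message; a comment above the `if` would help the next reader, e.g. `/* without the DO bit the validator never receives DNSSEC records, so a configured trust anchor can never be used; reject the combination */`. The `strstr(cfg->module_conf, "validator")` test mirrors the ipsecmod check just below it and, like it, assumes `module_conf` is non-NULL, which is presumably ensured by the config defaults elsewhere in the file. The `key` selection is safe as written: the `if(!key) key = "";` fallback also covers a list node whose `str` is NULL, if that can occur. morechecks() starts and ends outside this hunk.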