aboutsummaryrefslogtreecommitdiff
path: root/util/configparser.y
diff options
context:
space:
mode:
Diffstat (limited to 'util/configparser.y')
-rw-r--r--util/configparser.y137
1 files changed, 127 insertions, 10 deletions
diff --git a/util/configparser.y b/util/configparser.y
index 1f72c73b08d8..7e23fca16823 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -109,7 +109,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES
%token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
-%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM
+%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
%token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
%token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
%token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@@ -141,9 +141,10 @@ extern struct config_parser_state* cfg_parser;
%token VAR_ACCESS_CONTROL_TAG_DATA VAR_VIEW VAR_ACCESS_CONTROL_VIEW
%token VAR_VIEW_FIRST VAR_SERVE_EXPIRED VAR_FAKE_DSA VAR_FAKE_SHA1
%token VAR_LOG_IDENTITY VAR_HIDE_TRUSTANCHOR VAR_TRUST_ANCHOR_SIGNALING
-%token VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
+%token VAR_AGGRESSIVE_NSEC VAR_USE_SYSTEMD VAR_SHM_ENABLE VAR_SHM_KEY
%token VAR_DNSCRYPT VAR_DNSCRYPT_ENABLE VAR_DNSCRYPT_PORT VAR_DNSCRYPT_PROVIDER
%token VAR_DNSCRYPT_SECRET_KEY VAR_DNSCRYPT_PROVIDER_CERT
+%token VAR_DNSCRYPT_PROVIDER_CERT_ROTATED
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE
%token VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS
%token VAR_DNSCRYPT_NONCE_CACHE_SIZE
@@ -151,16 +152,17 @@ extern struct config_parser_state* cfg_parser;
%token VAR_IPSECMOD_ENABLED VAR_IPSECMOD_HOOK VAR_IPSECMOD_IGNORE_BOGUS
%token VAR_IPSECMOD_MAX_TTL VAR_IPSECMOD_WHITELIST VAR_IPSECMOD_STRICT
%token VAR_CACHEDB VAR_CACHEDB_BACKEND VAR_CACHEDB_SECRETSEED
-%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM
+%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
+%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
+%token VAR_FALLBACK_ENABLED
%%
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
toplevelvar: serverstart contents_server | stubstart contents_stub |
forwardstart contents_forward | pythonstart contents_py |
- rcstart contents_rc | dtstart contents_dt | viewstart
- contents_view |
- dnscstart contents_dnsc |
- cachedbstart contents_cachedb
+ rcstart contents_rc | dtstart contents_dt | viewstart contents_view |
+ dnscstart contents_dnsc | cachedbstart contents_cachedb |
+ authstart contents_auth
;
/* server: declaration */
@@ -241,7 +243,8 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ipsecmod_enabled | server_ipsecmod_hook |
server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
server_ipsecmod_whitelist | server_ipsecmod_strict |
- server_udp_upstream_without_downstream
+ server_udp_upstream_without_downstream | server_aggressive_nsec |
+ server_tls_cert_bundle
;
stubstart: VAR_STUB_ZONE
{
@@ -296,6 +299,27 @@ contents_view: contents_view content_view
content_view: view_name | view_local_zone | view_local_data | view_first |
view_response_ip | view_response_ip_data | view_local_data_ptr
;
+authstart: VAR_AUTH_ZONE
+ {
+ struct config_auth* s;
+ OUTYY(("\nP(auth_zone:)\n"));
+ s = (struct config_auth*)calloc(1, sizeof(struct config_auth));
+ if(s) {
+ s->next = cfg_parser->cfg->auths;
+ cfg_parser->cfg->auths = s;
+ /* defaults for auth zone */
+ s->for_downstream = 1;
+ s->for_upstream = 1;
+ s->fallback_enabled = 0;
+ } else
+ yyerror("out of memory");
+ }
+ ;
+contents_auth: contents_auth content_auth
+ | ;
+content_auth: auth_name | auth_zonefile | auth_master | auth_url |
+ auth_for_downstream | auth_for_upstream | auth_fallback_enabled
+ ;
server_num_threads: VAR_NUM_THREADS STRING_ARG
{
OUTYY(("P(server_num_threads:%s)\n", $2));
@@ -651,6 +675,13 @@ server_ssl_port: VAR_SSL_PORT STRING_ARG
free($2);
}
;
+server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG
+ {
+ OUTYY(("P(server_tls_cert_bundle:%s)\n", $2));
+ free(cfg_parser->cfg->tls_cert_bundle);
+ cfg_parser->cfg->tls_cert_bundle = $2;
+ }
+ ;
server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
{
OUTYY(("P(server_use_systemd:%s)\n", $2));
@@ -1367,6 +1398,17 @@ server_val_permissive_mode: VAR_VAL_PERMISSIVE_MODE STRING_ARG
free($2);
}
;
+server_aggressive_nsec: VAR_AGGRESSIVE_NSEC STRING_ARG
+ {
+ OUTYY(("P(server_aggressive_nsec:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else
+ cfg_parser->cfg->aggressive_nsec =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
server_ignore_cd_flag: VAR_IGNORE_CD_FLAG STRING_ARG
{
OUTYY(("P(server_ignore_cd_flag:%s)\n", $2));
@@ -1502,12 +1544,13 @@ server_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
&& strcmp($3, "always_transparent")!=0
&& strcmp($3, "always_refuse")!=0
&& strcmp($3, "always_nxdomain")!=0
+ && strcmp($3, "noview")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0)
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny, "
"always_transparent, always_refuse, "
- "always_nxdomain or nodefault");
+ "always_nxdomain, noview or nodefault");
else if(strcmp($3, "nodefault")==0) {
if(!cfg_strlist_insert(&cfg_parser->cfg->
local_zones_nodefault, $2))
@@ -1998,6 +2041,67 @@ forward_ssl_upstream: VAR_FORWARD_SSL_UPSTREAM STRING_ARG
free($2);
}
;
+auth_name: VAR_NAME STRING_ARG
+ {
+ OUTYY(("P(name:%s)\n", $2));
+ if(cfg_parser->cfg->auths->name)
+ yyerror("auth name override, there must be one name "
+ "for one auth-zone");
+ free(cfg_parser->cfg->auths->name);
+ cfg_parser->cfg->auths->name = $2;
+ }
+ ;
+auth_zonefile: VAR_ZONEFILE STRING_ARG
+ {
+ OUTYY(("P(zonefile:%s)\n", $2));
+ free(cfg_parser->cfg->auths->zonefile);
+ cfg_parser->cfg->auths->zonefile = $2;
+ }
+ ;
+auth_master: VAR_MASTER STRING_ARG
+ {
+ OUTYY(("P(master:%s)\n", $2));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->auths->masters, $2))
+ yyerror("out of memory");
+ }
+ ;
+auth_url: VAR_URL STRING_ARG
+ {
+ OUTYY(("P(url:%s)\n", $2));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->auths->urls, $2))
+ yyerror("out of memory");
+ }
+ ;
+auth_for_downstream: VAR_FOR_DOWNSTREAM STRING_ARG
+ {
+ OUTYY(("P(for-downstream:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->auths->for_downstream =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
+auth_for_upstream: VAR_FOR_UPSTREAM STRING_ARG
+ {
+ OUTYY(("P(for-upstream:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->auths->for_upstream =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
+auth_fallback_enabled: VAR_FALLBACK_ENABLED STRING_ARG
+ {
+ OUTYY(("P(fallback-enabled:%s)\n", $2));
+ if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+ yyerror("expected yes or no.");
+ else cfg_parser->cfg->auths->fallback_enabled =
+ (strcmp($2, "yes")==0);
+ free($2);
+ }
+ ;
view_name: VAR_NAME STRING_ARG
{
OUTYY(("P(name:%s)\n", $2));
@@ -2018,12 +2122,13 @@ view_local_zone: VAR_LOCAL_ZONE STRING_ARG STRING_ARG
&& strcmp($3, "always_transparent")!=0
&& strcmp($3, "always_refuse")!=0
&& strcmp($3, "always_nxdomain")!=0
+ && strcmp($3, "noview")!=0
&& strcmp($3, "inform")!=0 && strcmp($3, "inform_deny")!=0)
yyerror("local-zone type: expected static, deny, "
"refuse, redirect, transparent, "
"typetransparent, inform, inform_deny, "
"always_transparent, always_refuse, "
- "always_nxdomain or nodefault");
+ "always_nxdomain, noview or nodefault");
else if(strcmp($3, "nodefault")==0) {
if(!cfg_strlist_insert(&cfg_parser->cfg->views->
local_zones_nodefault, $2))
@@ -2339,6 +2444,7 @@ contents_dnsc: contents_dnsc content_dnsc
content_dnsc:
dnsc_dnscrypt_enable | dnsc_dnscrypt_port | dnsc_dnscrypt_provider |
dnsc_dnscrypt_secret_key | dnsc_dnscrypt_provider_cert |
+ dnsc_dnscrypt_provider_cert_rotated |
dnsc_dnscrypt_shared_secret_cache_size |
dnsc_dnscrypt_shared_secret_cache_slabs |
dnsc_dnscrypt_nonce_cache_size |
@@ -2374,13 +2480,24 @@ dnsc_dnscrypt_provider: VAR_DNSCRYPT_PROVIDER STRING_ARG
dnsc_dnscrypt_provider_cert: VAR_DNSCRYPT_PROVIDER_CERT STRING_ARG
{
OUTYY(("P(dnsc_dnscrypt_provider_cert:%s)\n", $2));
+ if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_provider_cert, $2))
+ log_warn("dnscrypt-provider-cert %s is a duplicate", $2);
if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert, $2))
fatal_exit("out of memory adding dnscrypt-provider-cert");
}
;
+dnsc_dnscrypt_provider_cert_rotated: VAR_DNSCRYPT_PROVIDER_CERT_ROTATED STRING_ARG
+ {
+ OUTYY(("P(dnsc_dnscrypt_provider_cert_rotated:%s)\n", $2));
+ if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert_rotated, $2))
+ fatal_exit("out of memory adding dnscrypt-provider-cert-rotated");
+ }
+ ;
dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG
{
OUTYY(("P(dnsc_dnscrypt_secret_key:%s)\n", $2));
+ if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_secret_key, $2))
+ log_warn("dnscrypt-secret-key: %s is a duplicate", $2);
if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_secret_key, $2))
fatal_exit("out of memory adding dnscrypt-secret-key");
}
generated by cgit v1.2.3 (git 2.25.1) at 2026-03-12 15:04:18 +0000