596
595
attrs |= DNS_DISPATCHATTR_IPV6;
600
if (isc_sockaddr_getport(&sa) != 0) {
598
if (isc_sockaddr_getport(&sa) == 0) {
599
attrs |= DNS_DISPATCHATTR_EXCLUSIVE;
600
maxdispatchbuffers = 4096;
601
602
INSIST(obj != NULL);
602
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
603
"using specific query-source port suppresses port "
604
"randomization and can be insecure.");
604
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_INFO,
605
"using specific query-source port "
606
"suppresses port randomization and can be "
609
maxdispatchbuffers = 1000;
1226
1231
result = ns_config_get(maps, "max-cache-size", &obj);
1227
INSIST(result == ISC_R_SUCCESS || result == ISC_R_NOTFOUND);
1228
if (result == ISC_R_NOTFOUND) {
1229
max_cache_size = NS_MAXCACHESIZE_DEFAULT;
1230
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
1231
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
1232
"default max-cache-size (%u) applies%s%s",
1233
max_cache_size, sep, viewname);
1234
} else if (cfg_obj_isstring(obj)) {
1232
INSIST(result == ISC_R_SUCCESS);
1233
if (cfg_obj_isstring(obj)) {
1235
1234
str = cfg_obj_asstring(obj);
1236
INSIST(strcasecmp(str, "unlimited") == 0 ||
1237
strcasecmp(str, "default") == 0);
1238
if (strcasecmp(str, "unlimited") == 0)
1239
max_cache_size = ISC_UINT32_MAX;
1241
max_cache_size = NS_MAXCACHESIZE_DEFAULT;
1235
INSIST(strcasecmp(str, "unlimited") == 0);
1236
max_cache_size = ISC_UINT32_MAX;
1243
1238
isc_resourcevalue_t value;
1244
1239
value = cfg_obj_asuint64(obj);
1282
1277
* XXXRTH Hardwired number of tasks.
1284
CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4));
1285
CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6));
1279
CHECK(get_view_querysource_dispatch(maps, AF_INET, &dispatch4,
1280
ISC_TF(ISC_LIST_PREV(view, link)
1282
CHECK(get_view_querysource_dispatch(maps, AF_INET6, &dispatch6,
1283
ISC_TF(ISC_LIST_PREV(view, link)
1286
1285
if (dispatch4 == NULL && dispatch6 == NULL) {
1287
1286
UNEXPECTED_ERROR(__FILE__, __LINE__,
1288
1287
"unable to obtain neither an IPv4 nor"
1290
1289
result = ISC_R_UNEXPECTED;
1295
(void)ns_config_get(maps, "use-queryport-pool", &obj);
1296
if (obj == NULL || cfg_obj_asboolean(obj)) {
1298
isc_boolean_t logit4 = ISC_FALSE, logit6 = ISC_FALSE;
1300
resopts |= (DNS_RESOLVER_USEDISPATCHPOOL4 |
1301
DNS_RESOLVER_USEDISPATCHPOOL6);
1303
/* Check consistency with query-source(-v6) */
1304
if (dispatch4 == NULL)
1305
resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL4;
1307
result = dns_dispatch_getlocaladdress(dispatch4, &sa);
1308
INSIST(result == ISC_R_SUCCESS);
1309
if (isc_sockaddr_getport(&sa) != 0) {
1311
resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL4;
1315
if (dispatch6 == NULL)
1316
resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL6;
1318
result = dns_dispatch_getlocaladdress(dispatch6, &sa);
1319
INSIST(result == ISC_R_SUCCESS);
1320
if (isc_sockaddr_getport(&sa) != 0) {
1322
resopts &= ~DNS_RESOLVER_USEDISPATCHPOOL6;
1325
if (logit4 && obj != NULL)
1326
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1327
"specific query-source port "
1328
"cannot coexist with queryport-pool. "
1330
if (logit6 && obj != NULL)
1331
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
1332
"specific query-source-v6 port "
1333
"cannot coexist with queryport-pool. "
1337
1292
CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31,
1338
1293
ns_g_socketmgr, ns_g_timermgr,
1339
1294
resopts, ns_g_dispatchmgr,
1340
1295
dispatch4, dispatch6));
1297
if (resstats == NULL) {
1298
CHECK(dns_generalstats_create(mctx, &resstats,
1299
dns_resstatscounter_max));
1301
dns_view_setresstats(view, resstats);
1302
if (resquerystats == NULL)
1303
CHECK(dns_rdatatypestats_create(mctx, &resquerystats));
1304
dns_view_setresquerystats(view, resquerystats);
1343
1307
* Set the ADB cache size to 1/8th of the max-cache-size.
1646
1610
CHECK(configure_view_sortlist(vconfig, config, actx, ns_g_mctx,
1647
1611
&view->sortlist));
1614
* Configure default allow-transfer, allow-notify, allow-update
1615
* and allow-update-forwarding ACLs, if set, so they can be
1616
* inherited by zones.
1618
if (view->notifyacl == NULL)
1619
CHECK(configure_view_acl(NULL, ns_g_config,
1620
"allow-notify", actx,
1621
ns_g_mctx, &view->notifyacl));
1622
if (view->transferacl == NULL)
1623
CHECK(configure_view_acl(NULL, ns_g_config,
1624
"allow-transfer", actx,
1625
ns_g_mctx, &view->transferacl));
1626
if (view->updateacl == NULL)
1627
CHECK(configure_view_acl(NULL, ns_g_config,
1628
"allow-update", actx,
1629
ns_g_mctx, &view->updateacl));
1630
if (view->upfwdacl == NULL)
1631
CHECK(configure_view_acl(NULL, ns_g_config,
1632
"allow-update-forwarding", actx,
1633
ns_g_mctx, &view->upfwdacl));
1650
1636
result = ns_config_get(maps, "request-ixfr", &obj);
1651
1637
INSIST(result == ISC_R_SUCCESS);
2831
2817
SETLIMIT("files", openfiles, "open files");
2835
portlist_fromconf(dns_portlist_t *portlist, unsigned int family,
2836
const cfg_obj_t *ports)
2821
portset_fromconf(isc_portset_t *portset, const cfg_obj_t *ports,
2822
isc_boolean_t positive)
2838
2824
const cfg_listelt_t *element;
2839
isc_result_t result = ISC_R_SUCCESS;
2841
2826
for (element = cfg_list_first(ports);
2842
2827
element != NULL;
2843
2828
element = cfg_list_next(element)) {
2844
2829
const cfg_obj_t *obj = cfg_listelt_value(element);
2845
in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
2847
result = dns_portlist_add(portlist, family, port);
2848
if (result != ISC_R_SUCCESS)
2831
if (cfg_obj_isuint32(obj)) {
2832
in_port_t port = (in_port_t)cfg_obj_asuint32(obj);
2835
isc_portset_add(portset, port);
2837
isc_portset_remove(portset, port);
2839
const cfg_obj_t *obj_loport, *obj_hiport;
2840
in_port_t loport, hiport;
2842
obj_loport = cfg_tuple_get(obj, "loport");
2843
loport = (in_port_t)cfg_obj_asuint32(obj_loport);
2844
obj_hiport = cfg_tuple_get(obj, "hiport");
2845
hiport = (in_port_t)cfg_obj_asuint32(obj_hiport);
2848
isc_portset_addrange(portset, loport, hiport);
2850
isc_portset_removerange(portset, loport,
2854
2857
static isc_result_t
2888
2891
const cfg_obj_t *maps[3];
2889
2892
const cfg_obj_t *obj;
2890
2893
const cfg_obj_t *options;
2891
const cfg_obj_t *v4ports, *v6ports;
2894
const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
2892
2895
const cfg_obj_t *views;
2893
2896
dns_view_t *view = NULL;
2894
2897
dns_view_t *view_next;
2895
2898
dns_viewlist_t tmpviewlist;
2896
2899
dns_viewlist_t viewlist;
2897
in_port_t listen_port;
2900
in_port_t listen_port, udpport_low, udpport_high;
2899
2902
isc_interval_t interval;
2900
isc_resourcevalue_t files;
2903
isc_portset_t *v4portset = NULL;
2904
isc_portset_t *v6portset = NULL;
2905
isc_resourcevalue_t nfiles;
2901
2906
isc_result_t result;
2902
2907
isc_uint32_t heartbeat_interval;
2903
2908
isc_uint32_t interface_interval;
2904
2909
isc_uint32_t reserved;
2905
2910
isc_uint32_t udpsize;
2911
unsigned int maxsocks;
2907
2913
cfg_aclconfctx_init(&aclconfctx);
2908
2914
ISC_LIST_INIT(viewlist);
2992
2989
set_limits(maps);
2995
* Sanity check on "files" limit.
2992
* Check if max number of open sockets that the system allows is
2993
* sufficiently large. Failing this condition is not necessarily fatal,
2994
* but may cause subsequent runtime failures for a busy recursive
2997
result = isc_resource_curlimit(isc_resource_openfiles, &files);
2998
if (result == ISC_R_SUCCESS && files < FD_SETSIZE) {
2997
result = isc_socketmgr_getmaxsockets(ns_g_socketmgr, &maxsocks);
2998
if (result != ISC_R_SUCCESS)
3000
result = isc_resource_getcurlimit(isc_resource_openfiles, &nfiles);
3001
if (result == ISC_R_SUCCESS && (isc_resourcevalue_t)maxsocks > nfiles) {
2999
3002
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3000
3003
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3001
"the 'files' limit (%" ISC_PRINT_QUADFORMAT "u) "
3002
"is less than FD_SETSIZE (%d), increase "
3003
"'files' in named.conf or recompile with a "
3004
"smaller FD_SETSIZE.", files, FD_SETSIZE);
3005
if (files > FD_SETSIZE)
3004
"max open files (%" ISC_PRINT_QUADFORMAT "u)"
3005
" is smaller than max sockets (%u)",
3011
3010
* Set the number of socket reserved for TCP, stdio etc.
3014
3013
result = ns_config_get(maps, "reserved-sockets", &obj);
3015
3014
INSIST(result == ISC_R_SUCCESS);
3016
3015
reserved = cfg_obj_asuint32(obj);
3017
if (files < 128U) /* Prevent underflow. */
3019
else if (reserved > files - 128U) /* Mimimum UDP space. */
3020
reserved = files - 128;
3021
if (reserved < 128U) /* Mimimum TCP/stdio space. */
3016
if (maxsocks != 0) {
3017
if (maxsocks < 128U) /* Prevent underflow. */
3019
else if (reserved > maxsocks - 128U) /* Minimum UDP space. */
3020
reserved = maxsocks - 128;
3022
/* Minimum TCP/stdio space. */
3023
if (reserved < 128U)
3022
3024
reserved = 128;
3023
if (reserved + 128U > files) {
3025
if (reserved + 128U > maxsocks && maxsocks != 0) {
3024
3026
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3025
3027
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
3026
3028
"less than 128 UDP sockets available after "
3027
"applying 'reserved-sockets' and 'files'");
3029
"applying 'reserved-sockets' and 'maxsockets'");
3029
3031
isc__socketmgr_setreserved(ns_g_socketmgr, reserved);
3055
3057
CHECKM(ns_statschannels_configure(ns_g_server, config, &aclconfctx),
3056
3058
"configuring statistics server(s)");
3060
(void)ns_config_get(maps, "avoid-v4-udp-ports", &v4ports);
3061
(void)ns_config_get(maps, "avoid-v6-udp-ports", &v6ports);
3062
if (v4ports != NULL || v6ports != NULL) {
3063
dns_portlist_t *portlist = NULL;
3064
result = dns_portlist_create(ns_g_mctx, &portlist);
3065
if (result == ISC_R_SUCCESS && v4ports != NULL)
3066
result = portlist_fromconf(portlist, AF_INET, v4ports);
3067
if (result == ISC_R_SUCCESS && v6ports != NULL)
3068
portlist_fromconf(portlist, AF_INET6, v6ports);
3069
if (result == ISC_R_SUCCESS)
3070
dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, portlist);
3071
if (portlist != NULL)
3072
dns_portlist_detach(&portlist);
3075
dns_dispatchmgr_setblackportlist(ns_g_dispatchmgr, NULL);
3061
* Configure sets of UDP query source ports.
3063
CHECKM(isc_portset_create(ns_g_mctx, &v4portset),
3064
"creating UDP port set");
3065
CHECKM(isc_portset_create(ns_g_mctx, &v6portset),
3066
"creating UDP port set");
3070
avoidv4ports = NULL;
3071
avoidv6ports = NULL;
3073
(void)ns_config_get(maps, "use-v4-udp-ports", &usev4ports);
3074
if (usev4ports != NULL)
3075
portset_fromconf(v4portset, usev4ports, ISC_TRUE);
3077
CHECKM(isc_net_getudpportrange(AF_INET, &udpport_low,
3079
"get the default UDP/IPv4 port range");
3080
if (udpport_low == udpport_high)
3081
isc_portset_add(v4portset, udpport_low);
3083
isc_portset_addrange(v4portset, udpport_low,
3086
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3087
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3088
"using default UDP/IPv4 port range: [%d, %d]",
3089
udpport_low, udpport_high);
3091
(void)ns_config_get(maps, "avoid-v4-udp-ports", &avoidv4ports);
3092
if (avoidv4ports != NULL)
3093
portset_fromconf(v4portset, avoidv4ports, ISC_FALSE);
3095
(void)ns_config_get(maps, "use-v6-udp-ports", &usev6ports);
3096
if (usev6ports != NULL)
3097
portset_fromconf(v6portset, usev6ports, ISC_TRUE);
3099
CHECKM(isc_net_getudpportrange(AF_INET6, &udpport_low,
3101
"get the default UDP/IPv6 port range");
3102
if (udpport_low == udpport_high)
3103
isc_portset_add(v6portset, udpport_low);
3105
isc_portset_addrange(v6portset, udpport_low,
3108
isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
3109
NS_LOGMODULE_SERVER, ISC_LOG_INFO,
3110
"using default UDP/IPv6 port range: [%d, %d]",
3111
udpport_low, udpport_high);
3113
(void)ns_config_get(maps, "avoid-v6-udp-ports", &avoidv6ports);
3114
if (avoidv6ports != NULL)
3115
portset_fromconf(v6portset, avoidv6ports, ISC_FALSE);
3117
dns_dispatchmgr_setavailports(ns_g_dispatchmgr, v4portset, v6portset);
3078
3120
* Set the EDNS UDP size when we don't match a view.