Merge pull request #1098 from NLnetLabs/ipset-pf-support

Ipset pf support

cachedb/cachedb.c

@@ -983,7 +983,7 @@ cachedb_get_mem(struct module_env* env, int id)
  */
 static struct module_func_block cachedb_block = {
 	"cachedb",
-	&cachedb_init, &cachedb_deinit, &cachedb_operate,
+	NULL, NULL, &cachedb_init, &cachedb_deinit, &cachedb_operate,
 	&cachedb_inform_super, &cachedb_clear, &cachedb_get_mem
 };
 

config.h.in

@@ -406,6 +406,9 @@
 /* Define to 1 if you have the <net/if.h> header file. */
 #undef HAVE_NET_IF_H
 
+/* Define to 1 if you have the <net/pfvar.h> header file. */
+#undef HAVE_NET_PFVAR_H
+
 /* Define this to use nghttp2 client. */
 #undef HAVE_NGHTTP2
 

configure

@@ -24317,7 +24317,21 @@ printf "%s\n" "#define USE_IPSET 1" >>confdefs.h
 		IPSET_OBJ="ipset.lo"
 
 
-		# mnl
+		# BSD's pf
+		       for ac_header in net/pfvar.h
+do :
+  ac_fn_c_check_header_compile "$LINENO" "net/pfvar.h" "ac_cv_header_net_pfvar_h" "
+		  #include <netinet/in.h>
+		  #include <net/if.h>
+
+"
+if test "x$ac_cv_header_net_pfvar_h" = xyes
+then :
+  printf "%s\n" "#define HAVE_NET_PFVAR_H 1" >>confdefs.h
+
+else $as_nop
+
+		    # mnl
 
 # Check whether --with-libmnl was given.
 if test ${with_libmnl+y}
@@ -24327,13 +24341,13 @@ else $as_nop
    withval="yes"
 fi
 
-		found_libmnl="no"
-		{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5
+		    found_libmnl="no"
+		    { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for libmnl" >&5
 printf %s "checking for libmnl... " >&6; }
-		if test x_$withval = x_ -o x_$withval = x_yes; then
+		    if test x_$withval = x_ -o x_$withval = x_yes; then
 			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
-		fi
-		for dir in $withval ; do
+		    fi
+		    for dir in $withval ; do
 			if test -f "$dir/include/libmnl/libmnl.h" -o -f "$dir/include/libmnl/libmnl/libmnl.h"; then
 				found_libmnl="yes"
 								extralibmnl=""
@@ -24351,10 +24365,14 @@ printf "%s\n" "found in $dir" >&6; }
 				LIBS="$LIBS -lmnl"
 				break;
 			fi
-		done
-		if test x_$found_libmnl != x_yes; then
-			as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5
-		fi
+		    done
+		    if test x_$found_libmnl != x_yes; then
+			  as_fn_error $? "Could not find libmnl, libmnl.h" "$LINENO" 5
+		    fi
+
+fi
+
+done
 		;;
     no|*)
     	# nothing

configure.ac

@@ -1931,15 +1931,17 @@ case "$enable_ipset" in
 		IPSET_OBJ="ipset.lo"
 		AC_SUBST(IPSET_OBJ)
 
-		# mnl
-		AC_ARG_WITH(libmnl, AS_HELP_STRING([--with-libmnl=path],[specify explicit path for libmnl.]),
+		# BSD's pf
+		AC_CHECK_HEADERS([net/pfvar.h], [], [
+		    # mnl
+		    AC_ARG_WITH(libmnl, AS_HELP_STRING([--with-libmnl=path],[specify explicit path for libmnl.]),
 			[ ],[ withval="yes" ])
-		found_libmnl="no"
-		AC_MSG_CHECKING(for libmnl)
-		if test x_$withval = x_ -o x_$withval = x_yes; then
+		    found_libmnl="no"
+		    AC_MSG_CHECKING(for libmnl)
+		    if test x_$withval = x_ -o x_$withval = x_yes; then
 			withval="/usr/local /opt/local /usr/lib /usr/pkg /usr/sfw /usr"
-		fi
-		for dir in $withval ; do
+		    fi
+		    for dir in $withval ; do
 			if test -f "$dir/include/libmnl/libmnl.h" -o -f "$dir/include/libmnl/libmnl/libmnl.h"; then
 				found_libmnl="yes"
 				dnl assume /usr is in default path.
@@ -1957,10 +1959,14 @@ case "$enable_ipset" in
 				LIBS="$LIBS -lmnl"
 				break;
 			fi
-		done
-		if test x_$found_libmnl != x_yes; then
-			AC_MSG_ERROR([Could not find libmnl, libmnl.h])
-		fi
+		    done
+		    if test x_$found_libmnl != x_yes; then
+			  AC_MSG_ERROR([Could not find libmnl, libmnl.h])
+		    fi
+		], [
+		  #include <netinet/in.h>
+		  #include <net/if.h>
+		])
 		;;
     no|*)
     	# nothing

daemon/daemon.c

@@ -344,7 +344,7 @@ static int setup_acl_for_ports(struct acl_list* list,
 	return 1;
 }
 
-int 
+int
 daemon_open_shared_ports(struct daemon* daemon)
 {
 	log_assert(daemon);
@@ -444,6 +444,19 @@ daemon_open_shared_ports(struct daemon* daemon)
 	return 1;
 }
 
+int
+daemon_privileged(struct daemon* daemon)
+{
+	daemon->env->cfg = daemon->cfg;
+	daemon->env->alloc = &daemon->superalloc;
+	daemon->env->worker = NULL;
+	if(!modstack_call_startup(&daemon->mods, daemon->cfg->module_conf,
+		daemon->env)) {
+		fatal_exit("failed to startup modules");
+	}
+	return 1;
+}
+
 /**
  * Setup modules. setup module stack.
  * @param daemon: the daemon
@@ -453,11 +466,15 @@ static void daemon_setup_modules(struct daemon* daemon)
 	daemon->env->cfg = daemon->cfg;
 	daemon->env->alloc = &daemon->superalloc;
 	daemon->env->worker = NULL;
+	if(daemon->mods_inited) {
+		modstack_call_deinit(&daemon->mods, daemon->env);
+	}
 	daemon->env->need_to_validate = 0; /* set by module init below */
-	if(!modstack_setup(&daemon->mods, daemon->cfg->module_conf, 
+	if(!modstack_call_init(&daemon->mods, daemon->cfg->module_conf,
 		daemon->env)) {
-		fatal_exit("failed to setup modules");
+		fatal_exit("failed to init modules");
 	}
+	daemon->mods_inited = 1;
 	log_edns_known_options(VERB_ALGO, daemon->env);
 }
 
@@ -861,7 +878,7 @@ daemon_cleanup(struct daemon* daemon)
 	daemon->views = NULL;
 	if(daemon->env->auth_zones)
 		auth_zones_cleanup(daemon->env->auth_zones);
-	/* key cache is cleared by module desetup during next daemon_fork() */
+	/* key cache is cleared by module deinit during next daemon_fork() */
 	daemon_remote_clear(daemon->rc);
 	for(i=0; i<daemon->num; i++)
 		worker_delete(daemon->workers[i]);
@@ -891,7 +908,9 @@ daemon_delete(struct daemon* daemon)
 	size_t i;
 	if(!daemon)
 		return;
-	modstack_desetup(&daemon->mods, daemon->env);
+	modstack_call_deinit(&daemon->mods, daemon->env);
+	modstack_call_destartup(&daemon->mods, daemon->env);
+	modstack_free(&daemon->mods);
 	daemon_remote_delete(daemon->rc);
 	for(i = 0; i < daemon->num_ports; i++)
 		listening_ports_free(daemon->ports[i]);

daemon/daemon.h

@@ -115,6 +115,8 @@ struct daemon {
 	struct module_env* env;
 	/** stack of module callbacks */
 	struct module_stack mods;
+	/** The module stack has been inited */
+	int mods_inited;
 	/** access control, which client IPs are allowed to connect */
 	struct acl_list* acl;
 	/** access control, which interfaces are allowed to connect */
@@ -162,6 +164,15 @@ struct daemon* daemon_init(void);
  */
 int daemon_open_shared_ports(struct daemon* daemon);
 
+/**
+ * Do daemon setup that needs privileges
+ * like opening privileged ports or opening device files.
+ * The cfg member pointer must have been set for the daemon.
+ * @param daemon: the daemon.
+ * @return: false on error.
+ */
+int daemon_privileged(struct daemon* daemon);
+
 /**
  * Fork workers and start service.
  * When the routine exits, it is no longer forked.

daemon/unbound.c

@@ -473,7 +473,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 #endif
 #ifdef HAVE_GETPWNAM
 	struct passwd *pwd = NULL;
+#endif
 
+	if(!daemon_privileged(daemon))
+		fatal_exit("could not do privileged setup");
+#ifdef HAVE_GETPWNAM
 	if(cfg->username && cfg->username[0]) {
 		if((pwd = getpwnam(cfg->username)) == NULL)
 			fatal_exit("user '%s' does not exist.", cfg->username);

dns64/dns64.c

@@ -1044,8 +1044,8 @@ dns64_get_mem(struct module_env* env, int id)
  */
 static struct module_func_block dns64_block = {
 	"dns64",
-	&dns64_init, &dns64_deinit, &dns64_operate, &dns64_inform_super,
-	&dns64_clear, &dns64_get_mem
+	NULL, NULL, &dns64_init, &dns64_deinit, &dns64_operate,
+	&dns64_inform_super, &dns64_clear, &dns64_get_mem
 };
 
 /**

dynlibmod/dynlibmod.c

@@ -297,8 +297,8 @@ inplace_cb_delete_wrapped(struct module_env* env, enum inplace_cb_list_type type
  */
 static struct module_func_block dynlibmod_block = {
    "dynlib",
-   &dynlibmod_init, &dynlibmod_deinit, &dynlibmod_operate, &dynlibmod_inform_super,
-   &dynlibmod_clear, &dynlibmod_get_mem
+   NULL, NULL, &dynlibmod_init, &dynlibmod_deinit, &dynlibmod_operate,
+   &dynlibmod_inform_super, &dynlibmod_clear, &dynlibmod_get_mem
 };
 
 struct module_func_block* dynlibmod_get_funcblock(void)

edns-subnet/subnetmod.c

@@ -995,7 +995,8 @@ subnetmod_get_mem(struct module_env *env, int id)
  * The module function block 
  */
 static struct module_func_block subnetmod_block = {
-	"subnetcache", &subnetmod_init, &subnetmod_deinit, &subnetmod_operate,
+	"subnetcache",
+	NULL, NULL, &subnetmod_init, &subnetmod_deinit, &subnetmod_operate,
 	&subnetmod_inform_super, &subnetmod_clear, &subnetmod_get_mem
 };
 

ipsecmod/ipsecmod.c

@@ -615,7 +615,7 @@ ipsecmod_get_mem(struct module_env* env, int id)
  */
 static struct module_func_block ipsecmod_block = {
 	"ipsecmod",
-	&ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
+	NULL, NULL, &ipsecmod_init, &ipsecmod_deinit, &ipsecmod_operate,
 	&ipsecmod_inform_super, &ipsecmod_clear, &ipsecmod_get_mem
 };