--- bind9-9.9.3.dfsg.P2.orig/aclocal.m4 +++ bind9-9.9.3.dfsg.P2/aclocal.m4 @@ -1,5 +1,8620 @@ -sinclude(libtool.m4/libtool.m4)dnl -sinclude(libtool.m4/ltoptions.m4)dnl -sinclude(libtool.m4/ltsugar.m4)dnl -sinclude(libtool.m4/ltversion.m4)dnl -sinclude(libtool.m4/lt~obsolete.m4)dnl +# generated automatically by aclocal 1.11.3 -*- Autoconf -*- + +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, +# 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, +# Inc. +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +# libtool.m4 - Configure libtool for the host system. -*-Autoconf-*- +# +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, +# 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. +# Written by Gordon Matzigkeit, 1996 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +m4_define([_LT_COPYING], [dnl +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, +# 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. +# Written by Gordon Matzigkeit, 1996 +# +# This file is part of GNU Libtool. +# +# GNU Libtool is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation; either version 2 of +# the License, or (at your option) any later version. +# +# As a special exception to the GNU General Public License, +# if you distribute this file as part of a program or library that +# is built using GNU Libtool, you may include this file under the +# same distribution terms that you use for the rest of that program. +# +# GNU Libtool is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GNU Libtool; see the file COPYING. If not, a copy +# can be downloaded from http://www.gnu.org/licenses/gpl.html, or +# obtained by writing to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. +]) + +# serial 57 LT_INIT + + +# LT_PREREQ(VERSION) +# ------------------ +# Complain and exit if this libtool version is less that VERSION. +m4_defun([LT_PREREQ], +[m4_if(m4_version_compare(m4_defn([LT_PACKAGE_VERSION]), [$1]), -1, + [m4_default([$3], + [m4_fatal([Libtool version $1 or higher is required], + 63)])], + [$2])]) + + +# _LT_CHECK_BUILDDIR +# ------------------ +# Complain if the absolute build directory name contains unusual characters +m4_defun([_LT_CHECK_BUILDDIR], +[case `pwd` in + *\ * | *\ *) + AC_MSG_WARN([Libtool does not cope well with whitespace in `pwd`]) ;; +esac +]) + + +# LT_INIT([OPTIONS]) +# ------------------ +AC_DEFUN([LT_INIT], +[AC_PREREQ([2.58])dnl We use AC_INCLUDES_DEFAULT +AC_REQUIRE([AC_CONFIG_AUX_DIR_DEFAULT])dnl +AC_BEFORE([$0], [LT_LANG])dnl +AC_BEFORE([$0], [LT_OUTPUT])dnl +AC_BEFORE([$0], [LTDL_INIT])dnl +m4_require([_LT_CHECK_BUILDDIR])dnl + +dnl Autoconf doesn't catch unexpanded LT_ macros by default: +m4_pattern_forbid([^_?LT_[A-Z_]+$])dnl +m4_pattern_allow([^(_LT_EOF|LT_DLGLOBAL|LT_DLLAZY_OR_NOW|LT_MULTI_MODULE)$])dnl +dnl aclocal doesn't pull ltoptions.m4, ltsugar.m4, or ltversion.m4 +dnl unless we require an AC_DEFUNed macro: +AC_REQUIRE([LTOPTIONS_VERSION])dnl +AC_REQUIRE([LTSUGAR_VERSION])dnl +AC_REQUIRE([LTVERSION_VERSION])dnl +AC_REQUIRE([LTOBSOLETE_VERSION])dnl +m4_require([_LT_PROG_LTMAIN])dnl + +_LT_SHELL_INIT([SHELL=${CONFIG_SHELL-/bin/sh}]) + +dnl Parse OPTIONS +_LT_SET_OPTIONS([$0], [$1]) + +# This can be used to rebuild libtool when needed +LIBTOOL_DEPS="$ltmain" + +# Always use our own libtool. +LIBTOOL='$(SHELL) $(top_builddir)/libtool' +AC_SUBST(LIBTOOL)dnl + +_LT_SETUP + +# Only expand once: +m4_define([LT_INIT]) +])# LT_INIT + +# Old names: +AU_ALIAS([AC_PROG_LIBTOOL], [LT_INIT]) +AU_ALIAS([AM_PROG_LIBTOOL], [LT_INIT]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_PROG_LIBTOOL], []) +dnl AC_DEFUN([AM_PROG_LIBTOOL], []) + + +# _LT_CC_BASENAME(CC) +# ------------------- +# Calculate cc_basename. Skip known compiler wrappers and cross-prefix. +m4_defun([_LT_CC_BASENAME], +[for cc_temp in $1""; do + case $cc_temp in + compile | *[[\\/]]compile | ccache | *[[\\/]]ccache ) ;; + distcc | *[[\\/]]distcc | purify | *[[\\/]]purify ) ;; + \-*) ;; + *) break;; + esac +done +cc_basename=`$ECHO "$cc_temp" | $SED "s%.*/%%; s%^$host_alias-%%"` +]) + + +# _LT_FILEUTILS_DEFAULTS +# ---------------------- +# It is okay to use these file commands and assume they have been set +# sensibly after `m4_require([_LT_FILEUTILS_DEFAULTS])'. +m4_defun([_LT_FILEUTILS_DEFAULTS], +[: ${CP="cp -f"} +: ${MV="mv -f"} +: ${RM="rm -f"} +])# _LT_FILEUTILS_DEFAULTS + + +# _LT_SETUP +# --------- +m4_defun([_LT_SETUP], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_CANONICAL_BUILD])dnl +AC_REQUIRE([_LT_PREPARE_SED_QUOTE_VARS])dnl +AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH])dnl + +_LT_DECL([], [PATH_SEPARATOR], [1], [The PATH separator for the build system])dnl +dnl +_LT_DECL([], [host_alias], [0], [The host system])dnl +_LT_DECL([], [host], [0])dnl +_LT_DECL([], [host_os], [0])dnl +dnl +_LT_DECL([], [build_alias], [0], [The build system])dnl +_LT_DECL([], [build], [0])dnl +_LT_DECL([], [build_os], [0])dnl +dnl +AC_REQUIRE([AC_PROG_CC])dnl +AC_REQUIRE([LT_PATH_LD])dnl +AC_REQUIRE([LT_PATH_NM])dnl +dnl +AC_REQUIRE([AC_PROG_LN_S])dnl +test -z "$LN_S" && LN_S="ln -s" +_LT_DECL([], [LN_S], [1], [Whether we need soft or hard links])dnl +dnl +AC_REQUIRE([LT_CMD_MAX_LEN])dnl +_LT_DECL([objext], [ac_objext], [0], [Object file suffix (normally "o")])dnl +_LT_DECL([], [exeext], [0], [Executable file suffix (normally "")])dnl +dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_CHECK_SHELL_FEATURES])dnl +m4_require([_LT_PATH_CONVERSION_FUNCTIONS])dnl +m4_require([_LT_CMD_RELOAD])dnl +m4_require([_LT_CHECK_MAGIC_METHOD])dnl +m4_require([_LT_CHECK_SHAREDLIB_FROM_LINKLIB])dnl +m4_require([_LT_CMD_OLD_ARCHIVE])dnl +m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl +m4_require([_LT_WITH_SYSROOT])dnl + +_LT_CONFIG_LIBTOOL_INIT([ +# See if we are running on zsh, and set the options which allow our +# commands through without removal of \ escapes INIT. +if test -n "\${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST +fi +]) +if test -n "${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST +fi + +_LT_CHECK_OBJDIR + +m4_require([_LT_TAG_COMPILER])dnl + +case $host_os in +aix3*) + # AIX sometimes has problems with the GCC collect2 program. For some + # reason, if we set the COLLECT_NAMES environment variable, the problems + # vanish in a puff of smoke. + if test "X${COLLECT_NAMES+set}" != Xset; then + COLLECT_NAMES= + export COLLECT_NAMES + fi + ;; +esac + +# Global variables: +ofile=libtool +can_build_shared=yes + +# All known linkers require a `.a' archive for static linking (except MSVC, +# which needs '.lib'). +libext=a + +with_gnu_ld="$lt_cv_prog_gnu_ld" + +old_CC="$CC" +old_CFLAGS="$CFLAGS" + +# Set sane defaults for various variables +test -z "$CC" && CC=cc +test -z "$LTCC" && LTCC=$CC +test -z "$LTCFLAGS" && LTCFLAGS=$CFLAGS +test -z "$LD" && LD=ld +test -z "$ac_objext" && ac_objext=o + +_LT_CC_BASENAME([$compiler]) + +# Only perform the check for file, if the check method requires it +test -z "$MAGIC_CMD" && MAGIC_CMD=file +case $deplibs_check_method in +file_magic*) + if test "$file_magic_cmd" = '$MAGIC_CMD'; then + _LT_PATH_MAGIC + fi + ;; +esac + +# Use C for the default configuration in the libtool script +LT_SUPPORTED_TAG([CC]) +_LT_LANG_C_CONFIG +_LT_LANG_DEFAULT_CONFIG +_LT_CONFIG_COMMANDS +])# _LT_SETUP + + +# _LT_PREPARE_SED_QUOTE_VARS +# -------------------------- +# Define a few sed substitution that help us do robust quoting. +m4_defun([_LT_PREPARE_SED_QUOTE_VARS], +[# Backslashify metacharacters that are still active within +# double-quoted strings. +sed_quote_subst='s/\([["`$\\]]\)/\\\1/g' + +# Same as above, but do not quote variable references. +double_quote_subst='s/\([["`\\]]\)/\\\1/g' + +# Sed substitution to delay expansion of an escaped shell variable in a +# double_quote_subst'ed string. +delay_variable_subst='s/\\\\\\\\\\\$/\\\\\\$/g' + +# Sed substitution to delay expansion of an escaped single quote. +delay_single_quote_subst='s/'\''/'\'\\\\\\\'\''/g' + +# Sed substitution to avoid accidental globbing in evaled expressions +no_glob_subst='s/\*/\\\*/g' +]) + +# _LT_PROG_LTMAIN +# --------------- +# Note that this code is called both from `configure', and `config.status' +# now that we use AC_CONFIG_COMMANDS to generate libtool. Notably, +# `config.status' has no value for ac_aux_dir unless we are using Automake, +# so we pass a copy along to make sure it has a sensible value anyway. +m4_defun([_LT_PROG_LTMAIN], +[m4_ifdef([AC_REQUIRE_AUX_FILE], [AC_REQUIRE_AUX_FILE([ltmain.sh])])dnl +_LT_CONFIG_LIBTOOL_INIT([ac_aux_dir='$ac_aux_dir']) +ltmain="$ac_aux_dir/ltmain.sh" +])# _LT_PROG_LTMAIN + + + +# So that we can recreate a full libtool script including additional +# tags, we accumulate the chunks of code to send to AC_CONFIG_COMMANDS +# in macros and then make a single call at the end using the `libtool' +# label. + + +# _LT_CONFIG_LIBTOOL_INIT([INIT-COMMANDS]) +# ---------------------------------------- +# Register INIT-COMMANDS to be passed to AC_CONFIG_COMMANDS later. +m4_define([_LT_CONFIG_LIBTOOL_INIT], +[m4_ifval([$1], + [m4_append([_LT_OUTPUT_LIBTOOL_INIT], + [$1 +])])]) + +# Initialize. +m4_define([_LT_OUTPUT_LIBTOOL_INIT]) + + +# _LT_CONFIG_LIBTOOL([COMMANDS]) +# ------------------------------ +# Register COMMANDS to be passed to AC_CONFIG_COMMANDS later. +m4_define([_LT_CONFIG_LIBTOOL], +[m4_ifval([$1], + [m4_append([_LT_OUTPUT_LIBTOOL_COMMANDS], + [$1 +])])]) + +# Initialize. +m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS]) + + +# _LT_CONFIG_SAVE_COMMANDS([COMMANDS], [INIT_COMMANDS]) +# ----------------------------------------------------- +m4_defun([_LT_CONFIG_SAVE_COMMANDS], +[_LT_CONFIG_LIBTOOL([$1]) +_LT_CONFIG_LIBTOOL_INIT([$2]) +]) + + +# _LT_FORMAT_COMMENT([COMMENT]) +# ----------------------------- +# Add leading comment marks to the start of each line, and a trailing +# full-stop to the whole comment if one is not present already. +m4_define([_LT_FORMAT_COMMENT], +[m4_ifval([$1], [ +m4_bpatsubst([m4_bpatsubst([$1], [^ *], [# ])], + [['`$\]], [\\\&])]m4_bmatch([$1], [[!?.]$], [], [.]) +)]) + + + + + +# _LT_DECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION], [IS-TAGGED?]) +# ------------------------------------------------------------------- +# CONFIGNAME is the name given to the value in the libtool script. +# VARNAME is the (base) name used in the configure script. +# VALUE may be 0, 1 or 2 for a computed quote escaped value based on +# VARNAME. Any other value will be used directly. +m4_define([_LT_DECL], +[lt_if_append_uniq([lt_decl_varnames], [$2], [, ], + [lt_dict_add_subkey([lt_decl_dict], [$2], [libtool_name], + [m4_ifval([$1], [$1], [$2])]) + lt_dict_add_subkey([lt_decl_dict], [$2], [value], [$3]) + m4_ifval([$4], + [lt_dict_add_subkey([lt_decl_dict], [$2], [description], [$4])]) + lt_dict_add_subkey([lt_decl_dict], [$2], + [tagged?], [m4_ifval([$5], [yes], [no])])]) +]) + + +# _LT_TAGDECL([CONFIGNAME], VARNAME, VALUE, [DESCRIPTION]) +# -------------------------------------------------------- +m4_define([_LT_TAGDECL], [_LT_DECL([$1], [$2], [$3], [$4], [yes])]) + + +# lt_decl_tag_varnames([SEPARATOR], [VARNAME1...]) +# ------------------------------------------------ +m4_define([lt_decl_tag_varnames], +[_lt_decl_filter([tagged?], [yes], $@)]) + + +# _lt_decl_filter(SUBKEY, VALUE, [SEPARATOR], [VARNAME1..]) +# --------------------------------------------------------- +m4_define([_lt_decl_filter], +[m4_case([$#], + [0], [m4_fatal([$0: too few arguments: $#])], + [1], [m4_fatal([$0: too few arguments: $#: $1])], + [2], [lt_dict_filter([lt_decl_dict], [$1], [$2], [], lt_decl_varnames)], + [3], [lt_dict_filter([lt_decl_dict], [$1], [$2], [$3], lt_decl_varnames)], + [lt_dict_filter([lt_decl_dict], $@)])[]dnl +]) + + +# lt_decl_quote_varnames([SEPARATOR], [VARNAME1...]) +# -------------------------------------------------- +m4_define([lt_decl_quote_varnames], +[_lt_decl_filter([value], [1], $@)]) + + +# lt_decl_dquote_varnames([SEPARATOR], [VARNAME1...]) +# --------------------------------------------------- +m4_define([lt_decl_dquote_varnames], +[_lt_decl_filter([value], [2], $@)]) + + +# lt_decl_varnames_tagged([SEPARATOR], [VARNAME1...]) +# --------------------------------------------------- +m4_define([lt_decl_varnames_tagged], +[m4_assert([$# <= 2])dnl +_$0(m4_quote(m4_default([$1], [[, ]])), + m4_ifval([$2], [[$2]], [m4_dquote(lt_decl_tag_varnames)]), + m4_split(m4_normalize(m4_quote(_LT_TAGS)), [ ]))]) +m4_define([_lt_decl_varnames_tagged], +[m4_ifval([$3], [lt_combine([$1], [$2], [_], $3)])]) + + +# lt_decl_all_varnames([SEPARATOR], [VARNAME1...]) +# ------------------------------------------------ +m4_define([lt_decl_all_varnames], +[_$0(m4_quote(m4_default([$1], [[, ]])), + m4_if([$2], [], + m4_quote(lt_decl_varnames), + m4_quote(m4_shift($@))))[]dnl +]) +m4_define([_lt_decl_all_varnames], +[lt_join($@, lt_decl_varnames_tagged([$1], + lt_decl_tag_varnames([[, ]], m4_shift($@))))dnl +]) + + +# _LT_CONFIG_STATUS_DECLARE([VARNAME]) +# ------------------------------------ +# Quote a variable value, and forward it to `config.status' so that its +# declaration there will have the same value as in `configure'. VARNAME +# must have a single quote delimited value for this to work. +m4_define([_LT_CONFIG_STATUS_DECLARE], +[$1='`$ECHO "$][$1" | $SED "$delay_single_quote_subst"`']) + + +# _LT_CONFIG_STATUS_DECLARATIONS +# ------------------------------ +# We delimit libtool config variables with single quotes, so when +# we write them to config.status, we have to be sure to quote all +# embedded single quotes properly. In configure, this macro expands +# each variable declared with _LT_DECL (and _LT_TAGDECL) into: +# +# ='`$ECHO "$" | $SED "$delay_single_quote_subst"`' +m4_defun([_LT_CONFIG_STATUS_DECLARATIONS], +[m4_foreach([_lt_var], m4_quote(lt_decl_all_varnames), + [m4_n([_LT_CONFIG_STATUS_DECLARE(_lt_var)])])]) + + +# _LT_LIBTOOL_TAGS +# ---------------- +# Output comment and list of tags supported by the script +m4_defun([_LT_LIBTOOL_TAGS], +[_LT_FORMAT_COMMENT([The names of the tagged configurations supported by this script])dnl +available_tags="_LT_TAGS"dnl +]) + + +# _LT_LIBTOOL_DECLARE(VARNAME, [TAG]) +# ----------------------------------- +# Extract the dictionary values for VARNAME (optionally with TAG) and +# expand to a commented shell variable setting: +# +# # Some comment about what VAR is for. +# visible_name=$lt_internal_name +m4_define([_LT_LIBTOOL_DECLARE], +[_LT_FORMAT_COMMENT(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], + [description])))[]dnl +m4_pushdef([_libtool_name], + m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [libtool_name])))[]dnl +m4_case(m4_quote(lt_dict_fetch([lt_decl_dict], [$1], [value])), + [0], [_libtool_name=[$]$1], + [1], [_libtool_name=$lt_[]$1], + [2], [_libtool_name=$lt_[]$1], + [_libtool_name=lt_dict_fetch([lt_decl_dict], [$1], [value])])[]dnl +m4_ifval([$2], [_$2])[]m4_popdef([_libtool_name])[]dnl +]) + + +# _LT_LIBTOOL_CONFIG_VARS +# ----------------------- +# Produce commented declarations of non-tagged libtool config variables +# suitable for insertion in the LIBTOOL CONFIG section of the `libtool' +# script. Tagged libtool config variables (even for the LIBTOOL CONFIG +# section) are produced by _LT_LIBTOOL_TAG_VARS. +m4_defun([_LT_LIBTOOL_CONFIG_VARS], +[m4_foreach([_lt_var], + m4_quote(_lt_decl_filter([tagged?], [no], [], lt_decl_varnames)), + [m4_n([_LT_LIBTOOL_DECLARE(_lt_var)])])]) + + +# _LT_LIBTOOL_TAG_VARS(TAG) +# ------------------------- +m4_define([_LT_LIBTOOL_TAG_VARS], +[m4_foreach([_lt_var], m4_quote(lt_decl_tag_varnames), + [m4_n([_LT_LIBTOOL_DECLARE(_lt_var, [$1])])])]) + + +# _LT_TAGVAR(VARNAME, [TAGNAME]) +# ------------------------------ +m4_define([_LT_TAGVAR], [m4_ifval([$2], [$1_$2], [$1])]) + + +# _LT_CONFIG_COMMANDS +# ------------------- +# Send accumulated output to $CONFIG_STATUS. Thanks to the lists of +# variables for single and double quote escaping we saved from calls +# to _LT_DECL, we can put quote escaped variables declarations +# into `config.status', and then the shell code to quote escape them in +# for loops in `config.status'. Finally, any additional code accumulated +# from calls to _LT_CONFIG_LIBTOOL_INIT is expanded. +m4_defun([_LT_CONFIG_COMMANDS], +[AC_PROVIDE_IFELSE([LT_OUTPUT], + dnl If the libtool generation code has been placed in $CONFIG_LT, + dnl instead of duplicating it all over again into config.status, + dnl then we will have config.status run $CONFIG_LT later, so it + dnl needs to know what name is stored there: + [AC_CONFIG_COMMANDS([libtool], + [$SHELL $CONFIG_LT || AS_EXIT(1)], [CONFIG_LT='$CONFIG_LT'])], + dnl If the libtool generation code is destined for config.status, + dnl expand the accumulated commands and init code now: + [AC_CONFIG_COMMANDS([libtool], + [_LT_OUTPUT_LIBTOOL_COMMANDS], [_LT_OUTPUT_LIBTOOL_COMMANDS_INIT])]) +])#_LT_CONFIG_COMMANDS + + +# Initialize. +m4_define([_LT_OUTPUT_LIBTOOL_COMMANDS_INIT], +[ + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +sed_quote_subst='$sed_quote_subst' +double_quote_subst='$double_quote_subst' +delay_variable_subst='$delay_variable_subst' +_LT_CONFIG_STATUS_DECLARATIONS +LTCC='$LTCC' +LTCFLAGS='$LTCFLAGS' +compiler='$compiler_DEFAULT' + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$[]1 +_LTECHO_EOF' +} + +# Quote evaled strings. +for var in lt_decl_all_varnames([[ \ +]], lt_decl_quote_varnames); do + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in + *[[\\\\\\\`\\"\\\$]]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED \\"\\\$sed_quote_subst\\"\\\`\\\\\\"" + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done + +# Double-quote double-evaled strings. +for var in lt_decl_all_varnames([[ \ +]], lt_decl_dquote_varnames); do + case \`eval \\\\\$ECHO \\\\""\\\\\$\$var"\\\\"\` in + *[[\\\\\\\`\\"\\\$]]*) + eval "lt_\$var=\\\\\\"\\\`\\\$ECHO \\"\\\$\$var\\" | \\\$SED -e \\"\\\$double_quote_subst\\" -e \\"\\\$sed_quote_subst\\" -e \\"\\\$delay_variable_subst\\"\\\`\\\\\\"" + ;; + *) + eval "lt_\$var=\\\\\\"\\\$\$var\\\\\\"" + ;; + esac +done + +_LT_OUTPUT_LIBTOOL_INIT +]) + +# _LT_GENERATED_FILE_INIT(FILE, [COMMENT]) +# ------------------------------------ +# Generate a child script FILE with all initialization necessary to +# reuse the environment learned by the parent script, and make the +# file executable. If COMMENT is supplied, it is inserted after the +# `#!' sequence but before initialization text begins. After this +# macro, additional text can be appended to FILE to form the body of +# the child script. The macro ends with non-zero status if the +# file could not be fully written (such as if the disk is full). +m4_ifdef([AS_INIT_GENERATED], +[m4_defun([_LT_GENERATED_FILE_INIT],[AS_INIT_GENERATED($@)])], +[m4_defun([_LT_GENERATED_FILE_INIT], +[m4_require([AS_PREPARE])]dnl +[m4_pushdef([AS_MESSAGE_LOG_FD])]dnl +[lt_write_fail=0 +cat >$1 <<_ASEOF || lt_write_fail=1 +#! $SHELL +# Generated by $as_me. +$2 +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$1 <<\_ASEOF || lt_write_fail=1 +AS_SHELL_SANITIZE +_AS_PREPARE +exec AS_MESSAGE_FD>&1 +_ASEOF +test $lt_write_fail = 0 && chmod +x $1[]dnl +m4_popdef([AS_MESSAGE_LOG_FD])])])# _LT_GENERATED_FILE_INIT + +# LT_OUTPUT +# --------- +# This macro allows early generation of the libtool script (before +# AC_OUTPUT is called), incase it is used in configure for compilation +# tests. +AC_DEFUN([LT_OUTPUT], +[: ${CONFIG_LT=./config.lt} +AC_MSG_NOTICE([creating $CONFIG_LT]) +_LT_GENERATED_FILE_INIT(["$CONFIG_LT"], +[# Run this file to recreate a libtool stub with the current configuration.]) + +cat >>"$CONFIG_LT" <<\_LTEOF +lt_cl_silent=false +exec AS_MESSAGE_LOG_FD>>config.log +{ + echo + AS_BOX([Running $as_me.]) +} >&AS_MESSAGE_LOG_FD + +lt_cl_help="\ +\`$as_me' creates a local libtool stub from the current configuration, +for use in further configure time tests before the real libtool is +generated. + +Usage: $[0] [[OPTIONS]] + + -h, --help print this help, then exit + -V, --version print version number, then exit + -q, --quiet do not print progress messages + -d, --debug don't remove temporary files + +Report bugs to ." + +lt_cl_version="\ +m4_ifset([AC_PACKAGE_NAME], [AC_PACKAGE_NAME ])config.lt[]dnl +m4_ifset([AC_PACKAGE_VERSION], [ AC_PACKAGE_VERSION]) +configured by $[0], generated by m4_PACKAGE_STRING. + +Copyright (C) 2011 Free Software Foundation, Inc. +This config.lt script is free software; the Free Software Foundation +gives unlimited permision to copy, distribute and modify it." + +while test $[#] != 0 +do + case $[1] in + --version | --v* | -V ) + echo "$lt_cl_version"; exit 0 ;; + --help | --h* | -h ) + echo "$lt_cl_help"; exit 0 ;; + --debug | --d* | -d ) + debug=: ;; + --quiet | --q* | --silent | --s* | -q ) + lt_cl_silent=: ;; + + -*) AC_MSG_ERROR([unrecognized option: $[1] +Try \`$[0] --help' for more information.]) ;; + + *) AC_MSG_ERROR([unrecognized argument: $[1] +Try \`$[0] --help' for more information.]) ;; + esac + shift +done + +if $lt_cl_silent; then + exec AS_MESSAGE_FD>/dev/null +fi +_LTEOF + +cat >>"$CONFIG_LT" <<_LTEOF +_LT_OUTPUT_LIBTOOL_COMMANDS_INIT +_LTEOF + +cat >>"$CONFIG_LT" <<\_LTEOF +AC_MSG_NOTICE([creating $ofile]) +_LT_OUTPUT_LIBTOOL_COMMANDS +AS_EXIT(0) +_LTEOF +chmod +x "$CONFIG_LT" + +# configure is writing to config.log, but config.lt does its own redirection, +# appending to config.log, which fails on DOS, as config.log is still kept +# open by configure. Here we exec the FD to /dev/null, effectively closing +# config.log, so it can be properly (re)opened and appended to by config.lt. +lt_cl_success=: +test "$silent" = yes && + lt_config_lt_args="$lt_config_lt_args --quiet" +exec AS_MESSAGE_LOG_FD>/dev/null +$SHELL "$CONFIG_LT" $lt_config_lt_args || lt_cl_success=false +exec AS_MESSAGE_LOG_FD>>config.log +$lt_cl_success || AS_EXIT(1) +])# LT_OUTPUT + + +# _LT_CONFIG(TAG) +# --------------- +# If TAG is the built-in tag, create an initial libtool script with a +# default configuration from the untagged config vars. Otherwise add code +# to config.status for appending the configuration named by TAG from the +# matching tagged config vars. +m4_defun([_LT_CONFIG], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +_LT_CONFIG_SAVE_COMMANDS([ + m4_define([_LT_TAG], m4_if([$1], [], [C], [$1]))dnl + m4_if(_LT_TAG, [C], [ + # See if we are running on zsh, and set the options which allow our + # commands through without removal of \ escapes. + if test -n "${ZSH_VERSION+set}" ; then + setopt NO_GLOB_SUBST + fi + + cfgfile="${ofile}T" + trap "$RM \"$cfgfile\"; exit 1" 1 2 15 + $RM "$cfgfile" + + cat <<_LT_EOF >> "$cfgfile" +#! $SHELL + +# `$ECHO "$ofile" | sed 's%^.*/%%'` - Provide generalized library-building support services. +# Generated automatically by $as_me ($PACKAGE$TIMESTAMP) $VERSION +# Libtool was configured on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# NOTE: Changes made to this file will be lost: look at ltmain.sh. +# +_LT_COPYING +_LT_LIBTOOL_TAGS + +# ### BEGIN LIBTOOL CONFIG +_LT_LIBTOOL_CONFIG_VARS +_LT_LIBTOOL_TAG_VARS +# ### END LIBTOOL CONFIG + +_LT_EOF + + case $host_os in + aix3*) + cat <<\_LT_EOF >> "$cfgfile" +# AIX sometimes has problems with the GCC collect2 program. For some +# reason, if we set the COLLECT_NAMES environment variable, the problems +# vanish in a puff of smoke. +if test "X${COLLECT_NAMES+set}" != Xset; then + COLLECT_NAMES= + export COLLECT_NAMES +fi +_LT_EOF + ;; + esac + + _LT_PROG_LTMAIN + + # We use sed instead of cat because bash on DJGPP gets confused if + # if finds mixed CR/LF and LF-only lines. Since sed operates in + # text mode, it properly converts lines to CR/LF. This bash problem + # is reportedly fixed, but why not run on old versions too? + sed '$q' "$ltmain" >> "$cfgfile" \ + || (rm -f "$cfgfile"; exit 1) + + _LT_PROG_REPLACE_SHELLFNS + + mv -f "$cfgfile" "$ofile" || + (rm -f "$ofile" && cp "$cfgfile" "$ofile" && rm -f "$cfgfile") + chmod +x "$ofile" +], +[cat <<_LT_EOF >> "$ofile" + +dnl Unfortunately we have to use $1 here, since _LT_TAG is not expanded +dnl in a comment (ie after a #). +# ### BEGIN LIBTOOL TAG CONFIG: $1 +_LT_LIBTOOL_TAG_VARS(_LT_TAG) +# ### END LIBTOOL TAG CONFIG: $1 +_LT_EOF +])dnl /m4_if +], +[m4_if([$1], [], [ + PACKAGE='$PACKAGE' + VERSION='$VERSION' + TIMESTAMP='$TIMESTAMP' + RM='$RM' + ofile='$ofile'], []) +])dnl /_LT_CONFIG_SAVE_COMMANDS +])# _LT_CONFIG + + +# LT_SUPPORTED_TAG(TAG) +# --------------------- +# Trace this macro to discover what tags are supported by the libtool +# --tag option, using: +# autoconf --trace 'LT_SUPPORTED_TAG:$1' +AC_DEFUN([LT_SUPPORTED_TAG], []) + + +# C support is built-in for now +m4_define([_LT_LANG_C_enabled], []) +m4_define([_LT_TAGS], []) + + +# LT_LANG(LANG) +# ------------- +# Enable libtool support for the given language if not already enabled. +AC_DEFUN([LT_LANG], +[AC_BEFORE([$0], [LT_OUTPUT])dnl +m4_case([$1], + [C], [_LT_LANG(C)], + [C++], [_LT_LANG(CXX)], + [Go], [_LT_LANG(GO)], + [Java], [_LT_LANG(GCJ)], + [Fortran 77], [_LT_LANG(F77)], + [Fortran], [_LT_LANG(FC)], + [Windows Resource], [_LT_LANG(RC)], + [m4_ifdef([_LT_LANG_]$1[_CONFIG], + [_LT_LANG($1)], + [m4_fatal([$0: unsupported language: "$1"])])])dnl +])# LT_LANG + + +# _LT_LANG(LANGNAME) +# ------------------ +m4_defun([_LT_LANG], +[m4_ifdef([_LT_LANG_]$1[_enabled], [], + [LT_SUPPORTED_TAG([$1])dnl + m4_append([_LT_TAGS], [$1 ])dnl + m4_define([_LT_LANG_]$1[_enabled], [])dnl + _LT_LANG_$1_CONFIG($1)])dnl +])# _LT_LANG + + +m4_ifndef([AC_PROG_GO], [ +# NOTE: This macro has been submitted for inclusion into # +# GNU Autoconf as AC_PROG_GO. When it is available in # +# a released version of Autoconf we should remove this # +# macro and use it instead. # +m4_defun([AC_PROG_GO], +[AC_LANG_PUSH(Go)dnl +AC_ARG_VAR([GOC], [Go compiler command])dnl +AC_ARG_VAR([GOFLAGS], [Go compiler flags])dnl +_AC_ARG_VAR_LDFLAGS()dnl +AC_CHECK_TOOL(GOC, gccgo) +if test -z "$GOC"; then + if test -n "$ac_tool_prefix"; then + AC_CHECK_PROG(GOC, [${ac_tool_prefix}gccgo], [${ac_tool_prefix}gccgo]) + fi +fi +if test -z "$GOC"; then + AC_CHECK_PROG(GOC, gccgo, gccgo, false) +fi +])#m4_defun +])#m4_ifndef + + +# _LT_LANG_DEFAULT_CONFIG +# ----------------------- +m4_defun([_LT_LANG_DEFAULT_CONFIG], +[AC_PROVIDE_IFELSE([AC_PROG_CXX], + [LT_LANG(CXX)], + [m4_define([AC_PROG_CXX], defn([AC_PROG_CXX])[LT_LANG(CXX)])]) + +AC_PROVIDE_IFELSE([AC_PROG_F77], + [LT_LANG(F77)], + [m4_define([AC_PROG_F77], defn([AC_PROG_F77])[LT_LANG(F77)])]) + +AC_PROVIDE_IFELSE([AC_PROG_FC], + [LT_LANG(FC)], + [m4_define([AC_PROG_FC], defn([AC_PROG_FC])[LT_LANG(FC)])]) + +dnl The call to [A][M_PROG_GCJ] is quoted like that to stop aclocal +dnl pulling things in needlessly. +AC_PROVIDE_IFELSE([AC_PROG_GCJ], + [LT_LANG(GCJ)], + [AC_PROVIDE_IFELSE([A][M_PROG_GCJ], + [LT_LANG(GCJ)], + [AC_PROVIDE_IFELSE([LT_PROG_GCJ], + [LT_LANG(GCJ)], + [m4_ifdef([AC_PROG_GCJ], + [m4_define([AC_PROG_GCJ], defn([AC_PROG_GCJ])[LT_LANG(GCJ)])]) + m4_ifdef([A][M_PROG_GCJ], + [m4_define([A][M_PROG_GCJ], defn([A][M_PROG_GCJ])[LT_LANG(GCJ)])]) + m4_ifdef([LT_PROG_GCJ], + [m4_define([LT_PROG_GCJ], defn([LT_PROG_GCJ])[LT_LANG(GCJ)])])])])]) + +AC_PROVIDE_IFELSE([AC_PROG_GO], + [LT_LANG(GO)], + [m4_define([AC_PROG_GO], defn([AC_PROG_GO])[LT_LANG(GO)])]) + +AC_PROVIDE_IFELSE([LT_PROG_RC], + [LT_LANG(RC)], + [m4_define([LT_PROG_RC], defn([LT_PROG_RC])[LT_LANG(RC)])]) +])# _LT_LANG_DEFAULT_CONFIG + +# Obsolete macros: +AU_DEFUN([AC_LIBTOOL_CXX], [LT_LANG(C++)]) +AU_DEFUN([AC_LIBTOOL_F77], [LT_LANG(Fortran 77)]) +AU_DEFUN([AC_LIBTOOL_FC], [LT_LANG(Fortran)]) +AU_DEFUN([AC_LIBTOOL_GCJ], [LT_LANG(Java)]) +AU_DEFUN([AC_LIBTOOL_RC], [LT_LANG(Windows Resource)]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_CXX], []) +dnl AC_DEFUN([AC_LIBTOOL_F77], []) +dnl AC_DEFUN([AC_LIBTOOL_FC], []) +dnl AC_DEFUN([AC_LIBTOOL_GCJ], []) +dnl AC_DEFUN([AC_LIBTOOL_RC], []) + + +# _LT_TAG_COMPILER +# ---------------- +m4_defun([_LT_TAG_COMPILER], +[AC_REQUIRE([AC_PROG_CC])dnl + +_LT_DECL([LTCC], [CC], [1], [A C compiler])dnl +_LT_DECL([LTCFLAGS], [CFLAGS], [1], [LTCC compiler flags])dnl +_LT_TAGDECL([CC], [compiler], [1], [A language specific compiler])dnl +_LT_TAGDECL([with_gcc], [GCC], [0], [Is the compiler the GNU compiler?])dnl + +# If no C compiler was specified, use CC. +LTCC=${LTCC-"$CC"} + +# If no C compiler flags were specified, use CFLAGS. +LTCFLAGS=${LTCFLAGS-"$CFLAGS"} + +# Allow CC to be a program name with arguments. +compiler=$CC +])# _LT_TAG_COMPILER + + +# _LT_COMPILER_BOILERPLATE +# ------------------------ +# Check for compiler boilerplate output or warnings with +# the simple compiler test code. +m4_defun([_LT_COMPILER_BOILERPLATE], +[m4_require([_LT_DECL_SED])dnl +ac_outfile=conftest.$ac_objext +echo "$lt_simple_compile_test_code" >conftest.$ac_ext +eval "$ac_compile" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_compiler_boilerplate=`cat conftest.err` +$RM conftest* +])# _LT_COMPILER_BOILERPLATE + + +# _LT_LINKER_BOILERPLATE +# ---------------------- +# Check for linker boilerplate output or warnings with +# the simple link test code. +m4_defun([_LT_LINKER_BOILERPLATE], +[m4_require([_LT_DECL_SED])dnl +ac_outfile=conftest.$ac_objext +echo "$lt_simple_link_test_code" >conftest.$ac_ext +eval "$ac_link" 2>&1 >/dev/null | $SED '/^$/d; /^ *+/d' >conftest.err +_lt_linker_boilerplate=`cat conftest.err` +$RM -r conftest* +])# _LT_LINKER_BOILERPLATE + +# _LT_REQUIRED_DARWIN_CHECKS +# ------------------------- +m4_defun_once([_LT_REQUIRED_DARWIN_CHECKS],[ + case $host_os in + rhapsody* | darwin*) + AC_CHECK_TOOL([DSYMUTIL], [dsymutil], [:]) + AC_CHECK_TOOL([NMEDIT], [nmedit], [:]) + AC_CHECK_TOOL([LIPO], [lipo], [:]) + AC_CHECK_TOOL([OTOOL], [otool], [:]) + AC_CHECK_TOOL([OTOOL64], [otool64], [:]) + _LT_DECL([], [DSYMUTIL], [1], + [Tool to manipulate archived DWARF debug symbol files on Mac OS X]) + _LT_DECL([], [NMEDIT], [1], + [Tool to change global to local symbols on Mac OS X]) + _LT_DECL([], [LIPO], [1], + [Tool to manipulate fat objects and archives on Mac OS X]) + _LT_DECL([], [OTOOL], [1], + [ldd/readelf like tool for Mach-O binaries on Mac OS X]) + _LT_DECL([], [OTOOL64], [1], + [ldd/readelf like tool for 64 bit Mach-O binaries on Mac OS X 10.4]) + + AC_CACHE_CHECK([for -single_module linker flag],[lt_cv_apple_cc_single_mod], + [lt_cv_apple_cc_single_mod=no + if test -z "${LT_MULTI_MODULE}"; then + # By default we will add the -single_module flag. You can override + # by either setting the environment variable LT_MULTI_MODULE + # non-empty at configure time, or by adding -multi_module to the + # link flags. + rm -rf libconftest.dylib* + echo "int foo(void){return 1;}" > conftest.c + echo "$LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ +-dynamiclib -Wl,-single_module conftest.c" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS $LDFLAGS -o libconftest.dylib \ + -dynamiclib -Wl,-single_module conftest.c 2>conftest.err + _lt_result=$? + # If there is a non-empty error log, and "single_module" + # appears in it, assume the flag caused a linker warning + if test -s conftest.err && $GREP single_module conftest.err; then + cat conftest.err >&AS_MESSAGE_LOG_FD + # Otherwise, if the output was created with a 0 exit code from + # the compiler, it worked. + elif test -f libconftest.dylib && test $_lt_result -eq 0; then + lt_cv_apple_cc_single_mod=yes + else + cat conftest.err >&AS_MESSAGE_LOG_FD + fi + rm -rf libconftest.dylib* + rm -f conftest.* + fi]) + + AC_CACHE_CHECK([for -exported_symbols_list linker flag], + [lt_cv_ld_exported_symbols_list], + [lt_cv_ld_exported_symbols_list=no + save_LDFLAGS=$LDFLAGS + echo "_main" > conftest.sym + LDFLAGS="$LDFLAGS -Wl,-exported_symbols_list,conftest.sym" + AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], + [lt_cv_ld_exported_symbols_list=yes], + [lt_cv_ld_exported_symbols_list=no]) + LDFLAGS="$save_LDFLAGS" + ]) + + AC_CACHE_CHECK([for -force_load linker flag],[lt_cv_ld_force_load], + [lt_cv_ld_force_load=no + cat > conftest.c << _LT_EOF +int forced_loaded() { return 2;} +_LT_EOF + echo "$LTCC $LTCFLAGS -c -o conftest.o conftest.c" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS -c -o conftest.o conftest.c 2>&AS_MESSAGE_LOG_FD + echo "$AR cru libconftest.a conftest.o" >&AS_MESSAGE_LOG_FD + $AR cru libconftest.a conftest.o 2>&AS_MESSAGE_LOG_FD + echo "$RANLIB libconftest.a" >&AS_MESSAGE_LOG_FD + $RANLIB libconftest.a 2>&AS_MESSAGE_LOG_FD + cat > conftest.c << _LT_EOF +int main() { return 0;} +_LT_EOF + echo "$LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a" >&AS_MESSAGE_LOG_FD + $LTCC $LTCFLAGS $LDFLAGS -o conftest conftest.c -Wl,-force_load,./libconftest.a 2>conftest.err + _lt_result=$? + if test -s conftest.err && $GREP force_load conftest.err; then + cat conftest.err >&AS_MESSAGE_LOG_FD + elif test -f conftest && test $_lt_result -eq 0 && $GREP forced_load conftest >/dev/null 2>&1 ; then + lt_cv_ld_force_load=yes + else + cat conftest.err >&AS_MESSAGE_LOG_FD + fi + rm -f conftest.err libconftest.a conftest conftest.c + rm -rf conftest.dSYM + ]) + case $host_os in + rhapsody* | darwin1.[[012]]) + _lt_dar_allow_undefined='${wl}-undefined ${wl}suppress' ;; + darwin1.*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + darwin*) # darwin 5.x on + # if running on 10.5 or later, the deployment target defaults + # to the OS version, if on x86, and 10.4, the deployment + # target defaults to 10.4. Don't you love it? + case ${MACOSX_DEPLOYMENT_TARGET-10.0},$host in + 10.0,*86*-darwin8*|10.0,*-darwin[[91]]*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + 10.[[012]]*) + _lt_dar_allow_undefined='${wl}-flat_namespace ${wl}-undefined ${wl}suppress' ;; + 10.*) + _lt_dar_allow_undefined='${wl}-undefined ${wl}dynamic_lookup' ;; + esac + ;; + esac + if test "$lt_cv_apple_cc_single_mod" = "yes"; then + _lt_dar_single_mod='$single_module' + fi + if test "$lt_cv_ld_exported_symbols_list" = "yes"; then + _lt_dar_export_syms=' ${wl}-exported_symbols_list,$output_objdir/${libname}-symbols.expsym' + else + _lt_dar_export_syms='~$NMEDIT -s $output_objdir/${libname}-symbols.expsym ${lib}' + fi + if test "$DSYMUTIL" != ":" && test "$lt_cv_ld_force_load" = "no"; then + _lt_dsymutil='~$DSYMUTIL $lib || :' + else + _lt_dsymutil= + fi + ;; + esac +]) + + +# _LT_DARWIN_LINKER_FEATURES([TAG]) +# --------------------------------- +# Checks for linker and compiler features on darwin +m4_defun([_LT_DARWIN_LINKER_FEATURES], +[ + m4_require([_LT_REQUIRED_DARWIN_CHECKS]) + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_automatic, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported + if test "$lt_cv_ld_force_load" = "yes"; then + _LT_TAGVAR(whole_archive_flag_spec, $1)='`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience ${wl}-force_load,$conv\"; done; func_echo_all \"$new_convenience\"`' + m4_case([$1], [F77], [_LT_TAGVAR(compiler_needs_object, $1)=yes], + [FC], [_LT_TAGVAR(compiler_needs_object, $1)=yes]) + else + _LT_TAGVAR(whole_archive_flag_spec, $1)='' + fi + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)="$_lt_dar_allow_undefined" + case $cc_basename in + ifort*) _lt_dar_can_shared=yes ;; + *) _lt_dar_can_shared=$GCC ;; + esac + if test "$_lt_dar_can_shared" = "yes"; then + output_verbose_link_cmd=func_echo_all + _LT_TAGVAR(archive_cmds, $1)="\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring $_lt_dar_single_mod${_lt_dsymutil}" + _LT_TAGVAR(module_cmds, $1)="\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dsymutil}" + _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \$libobjs \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring ${_lt_dar_single_mod}${_lt_dar_export_syms}${_lt_dsymutil}" + _LT_TAGVAR(module_expsym_cmds, $1)="sed -e 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC \$allow_undefined_flag -o \$lib -bundle \$libobjs \$deplibs \$compiler_flags${_lt_dar_export_syms}${_lt_dsymutil}" + m4_if([$1], [CXX], +[ if test "$lt_cv_apple_cc_single_mod" != "yes"; then + _LT_TAGVAR(archive_cmds, $1)="\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dsymutil}" + _LT_TAGVAR(archive_expsym_cmds, $1)="sed 's,^,_,' < \$export_symbols > \$output_objdir/\${libname}-symbols.expsym~\$CC -r -keep_private_externs -nostdlib -o \${lib}-master.o \$libobjs~\$CC -dynamiclib \$allow_undefined_flag -o \$lib \${lib}-master.o \$deplibs \$compiler_flags -install_name \$rpath/\$soname \$verstring${_lt_dar_export_syms}${_lt_dsymutil}" + fi +],[]) + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi +]) + +# _LT_SYS_MODULE_PATH_AIX([TAGNAME]) +# ---------------------------------- +# Links a minimal program and checks the executable +# for the system default hardcoded library path. In most cases, +# this is /usr/lib:/lib, but when the MPI compilers are used +# the location of the communication and MPI libs are included too. +# If we don't find anything, use the default library path according +# to the aix ld manual. +# Store the results from the different compilers for each TAGNAME. +# Allow to override them for all tags through lt_cv_aix_libpath. +m4_defun([_LT_SYS_MODULE_PATH_AIX], +[m4_require([_LT_DECL_SED])dnl +if test "${lt_cv_aix_libpath+set}" = set; then + aix_libpath=$lt_cv_aix_libpath +else + AC_CACHE_VAL([_LT_TAGVAR([lt_cv_aix_libpath_], [$1])], + [AC_LINK_IFELSE([AC_LANG_PROGRAM],[ + lt_aix_libpath_sed='[ + /Import File Strings/,/^$/ { + /^0/ { + s/^0 *\([^ ]*\) *$/\1/ + p + } + }]' + _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -H conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + # Check for a 64-bit object if we didn't find anything. + if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then + _LT_TAGVAR([lt_cv_aix_libpath_], [$1])=`dump -HX64 conftest$ac_exeext 2>/dev/null | $SED -n -e "$lt_aix_libpath_sed"` + fi],[]) + if test -z "$_LT_TAGVAR([lt_cv_aix_libpath_], [$1])"; then + _LT_TAGVAR([lt_cv_aix_libpath_], [$1])="/usr/lib:/lib" + fi + ]) + aix_libpath=$_LT_TAGVAR([lt_cv_aix_libpath_], [$1]) +fi +])# _LT_SYS_MODULE_PATH_AIX + + +# _LT_SHELL_INIT(ARG) +# ------------------- +m4_define([_LT_SHELL_INIT], +[m4_divert_text([M4SH-INIT], [$1 +])])# _LT_SHELL_INIT + + + +# _LT_PROG_ECHO_BACKSLASH +# ----------------------- +# Find how we can fake an echo command that does not interpret backslash. +# In particular, with Autoconf 2.60 or later we add some code to the start +# of the generated configure script which will find a shell with a builtin +# printf (which we can use as an echo command). +m4_defun([_LT_PROG_ECHO_BACKSLASH], +[ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO +ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO + +AC_MSG_CHECKING([how to print strings]) +# Test print first, because it will be a builtin if present. +if test "X`( print -r -- -n ) 2>/dev/null`" = X-n && \ + test "X`print -r -- $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='print -r --' +elif test "X`printf %s $ECHO 2>/dev/null`" = "X$ECHO"; then + ECHO='printf %s\n' +else + # Use this function as a fallback that always works. + func_fallback_echo () + { + eval 'cat <<_LTECHO_EOF +$[]1 +_LTECHO_EOF' + } + ECHO='func_fallback_echo' +fi + +# func_echo_all arg... +# Invoke $ECHO with all args, space-separated. +func_echo_all () +{ + $ECHO "$*" +} + +case "$ECHO" in + printf*) AC_MSG_RESULT([printf]) ;; + print*) AC_MSG_RESULT([print -r]) ;; + *) AC_MSG_RESULT([cat]) ;; +esac + +m4_ifdef([_AS_DETECT_SUGGESTED], +[_AS_DETECT_SUGGESTED([ + test -n "${ZSH_VERSION+set}${BASH_VERSION+set}" || ( + ECHO='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' + ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO + ECHO=$ECHO$ECHO$ECHO$ECHO$ECHO$ECHO + PATH=/empty FPATH=/empty; export PATH FPATH + test "X`printf %s $ECHO`" = "X$ECHO" \ + || test "X`print -r -- $ECHO`" = "X$ECHO" )])]) + +_LT_DECL([], [SHELL], [1], [Shell to use when invoking shell scripts]) +_LT_DECL([], [ECHO], [1], [An echo program that protects backslashes]) +])# _LT_PROG_ECHO_BACKSLASH + + +# _LT_WITH_SYSROOT +# ---------------- +AC_DEFUN([_LT_WITH_SYSROOT], +[AC_MSG_CHECKING([for sysroot]) +AC_ARG_WITH([sysroot], +[ --with-sysroot[=DIR] Search for dependent libraries within DIR + (or the compiler's sysroot if not specified).], +[], [with_sysroot=no]) + +dnl lt_sysroot will always be passed unquoted. We quote it here +dnl in case the user passed a directory name. +lt_sysroot= +case ${with_sysroot} in #( + yes) + if test "$GCC" = yes; then + lt_sysroot=`$CC --print-sysroot 2>/dev/null` + fi + ;; #( + /*) + lt_sysroot=`echo "$with_sysroot" | sed -e "$sed_quote_subst"` + ;; #( + no|'') + ;; #( + *) + AC_MSG_RESULT([${with_sysroot}]) + AC_MSG_ERROR([The sysroot must be an absolute path.]) + ;; +esac + + AC_MSG_RESULT([${lt_sysroot:-no}]) +_LT_DECL([], [lt_sysroot], [0], [The root where to search for ]dnl +[dependent libraries, and in which our libraries should be installed.])]) + +# _LT_ENABLE_LOCK +# --------------- +m4_defun([_LT_ENABLE_LOCK], +[AC_ARG_ENABLE([libtool-lock], + [AS_HELP_STRING([--disable-libtool-lock], + [avoid locking (might break parallel builds)])]) +test "x$enable_libtool_lock" != xno && enable_libtool_lock=yes + +# Some flags need to be propagated to the compiler or linker for good +# libtool support. +case $host in +ia64-*-hpux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.$ac_objext` in + *ELF-32*) + HPUX_IA64_MODE="32" + ;; + *ELF-64*) + HPUX_IA64_MODE="64" + ;; + esac + fi + rm -rf conftest* + ;; +*-*-irix6*) + # Find out which ABI we are using. + echo '[#]line '$LINENO' "configure"' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + if test "$lt_cv_prog_gnu_ld" = yes; then + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -melf32bsmip" + ;; + *N32*) + LD="${LD-ld} -melf32bmipn32" + ;; + *64-bit*) + LD="${LD-ld} -melf64bmip" + ;; + esac + else + case `/usr/bin/file conftest.$ac_objext` in + *32-bit*) + LD="${LD-ld} -32" + ;; + *N32*) + LD="${LD-ld} -n32" + ;; + *64-bit*) + LD="${LD-ld} -64" + ;; + esac + fi + fi + rm -rf conftest* + ;; + +x86_64-*kfreebsd*-gnu|x86_64-*linux*|ppc*-*linux*|powerpc*-*linux*| \ +s390*-*linux*|s390*-*tpf*|sparc*-*linux*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *32-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_i386_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_i386" + ;; + ppc64-*linux*|powerpc64-*linux*) + LD="${LD-ld} -m elf32ppclinux" + ;; + s390x-*linux*) + LD="${LD-ld} -m elf_s390" + ;; + sparc64-*linux*) + LD="${LD-ld} -m elf32_sparc" + ;; + esac + ;; + *64-bit*) + case $host in + x86_64-*kfreebsd*-gnu) + LD="${LD-ld} -m elf_x86_64_fbsd" + ;; + x86_64-*linux*) + LD="${LD-ld} -m elf_x86_64" + ;; + ppc*-*linux*|powerpc*-*linux*) + LD="${LD-ld} -m elf64ppc" + ;; + s390*-*linux*|s390*-*tpf*) + LD="${LD-ld} -m elf64_s390" + ;; + sparc*-*linux*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; + +*-*-sco3.2v5*) + # On SCO OpenServer 5, we need -belf to get full-featured binaries. + SAVE_CFLAGS="$CFLAGS" + CFLAGS="$CFLAGS -belf" + AC_CACHE_CHECK([whether the C compiler needs -belf], lt_cv_cc_needs_belf, + [AC_LANG_PUSH(C) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[]],[[]])],[lt_cv_cc_needs_belf=yes],[lt_cv_cc_needs_belf=no]) + AC_LANG_POP]) + if test x"$lt_cv_cc_needs_belf" != x"yes"; then + # this is probably gcc 2.8.0, egcs 1.0 or newer; no need for -belf + CFLAGS="$SAVE_CFLAGS" + fi + ;; +*-*solaris*) + # Find out which ABI we are using. + echo 'int i;' > conftest.$ac_ext + if AC_TRY_EVAL(ac_compile); then + case `/usr/bin/file conftest.o` in + *64-bit*) + case $lt_cv_prog_gnu_ld in + yes*) + case $host in + i?86-*-solaris*) + LD="${LD-ld} -m elf_x86_64" + ;; + sparc*-*-solaris*) + LD="${LD-ld} -m elf64_sparc" + ;; + esac + # GNU ld 2.21 introduced _sol2 emulations. Use them if available. + if ${LD-ld} -V | grep _sol2 >/dev/null 2>&1; then + LD="${LD-ld}_sol2" + fi + ;; + *) + if ${LD-ld} -64 -r -o conftest2.o conftest.o >/dev/null 2>&1; then + LD="${LD-ld} -64" + fi + ;; + esac + ;; + esac + fi + rm -rf conftest* + ;; +esac + +need_locks="$enable_libtool_lock" +])# _LT_ENABLE_LOCK + + +# _LT_PROG_AR +# ----------- +m4_defun([_LT_PROG_AR], +[AC_CHECK_TOOLS(AR, [ar], false) +: ${AR=ar} +: ${AR_FLAGS=cru} +_LT_DECL([], [AR], [1], [The archiver]) +_LT_DECL([], [AR_FLAGS], [1], [Flags to create an archive]) + +AC_CACHE_CHECK([for archiver @FILE support], [lt_cv_ar_at_file], + [lt_cv_ar_at_file=no + AC_COMPILE_IFELSE([AC_LANG_PROGRAM], + [echo conftest.$ac_objext > conftest.lst + lt_ar_try='$AR $AR_FLAGS libconftest.a @conftest.lst >&AS_MESSAGE_LOG_FD' + AC_TRY_EVAL([lt_ar_try]) + if test "$ac_status" -eq 0; then + # Ensure the archiver fails upon bogus file names. + rm -f conftest.$ac_objext libconftest.a + AC_TRY_EVAL([lt_ar_try]) + if test "$ac_status" -ne 0; then + lt_cv_ar_at_file=@ + fi + fi + rm -f conftest.* libconftest.a + ]) + ]) + +if test "x$lt_cv_ar_at_file" = xno; then + archiver_list_spec= +else + archiver_list_spec=$lt_cv_ar_at_file +fi +_LT_DECL([], [archiver_list_spec], [1], + [How to feed a file listing to the archiver]) +])# _LT_PROG_AR + + +# _LT_CMD_OLD_ARCHIVE +# ------------------- +m4_defun([_LT_CMD_OLD_ARCHIVE], +[_LT_PROG_AR + +AC_CHECK_TOOL(STRIP, strip, :) +test -z "$STRIP" && STRIP=: +_LT_DECL([], [STRIP], [1], [A symbol stripping program]) + +AC_CHECK_TOOL(RANLIB, ranlib, :) +test -z "$RANLIB" && RANLIB=: +_LT_DECL([], [RANLIB], [1], + [Commands used to install an old-style archive]) + +# Determine commands to create old-style static archives. +old_archive_cmds='$AR $AR_FLAGS $oldlib$oldobjs' +old_postinstall_cmds='chmod 644 $oldlib' +old_postuninstall_cmds= + +if test -n "$RANLIB"; then + case $host_os in + openbsd*) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB -t \$tool_oldlib" + ;; + *) + old_postinstall_cmds="$old_postinstall_cmds~\$RANLIB \$tool_oldlib" + ;; + esac + old_archive_cmds="$old_archive_cmds~\$RANLIB \$tool_oldlib" +fi + +case $host_os in + darwin*) + lock_old_archive_extraction=yes ;; + *) + lock_old_archive_extraction=no ;; +esac +_LT_DECL([], [old_postinstall_cmds], [2]) +_LT_DECL([], [old_postuninstall_cmds], [2]) +_LT_TAGDECL([], [old_archive_cmds], [2], + [Commands used to build an old-style archive]) +_LT_DECL([], [lock_old_archive_extraction], [0], + [Whether to use a lock for old archive extraction]) +])# _LT_CMD_OLD_ARCHIVE + + +# _LT_COMPILER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, +# [OUTPUT-FILE], [ACTION-SUCCESS], [ACTION-FAILURE]) +# ---------------------------------------------------------------- +# Check whether the given compiler option works +AC_DEFUN([_LT_COMPILER_OPTION], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_SED])dnl +AC_CACHE_CHECK([$1], [$2], + [$2=no + m4_if([$4], , [ac_outfile=conftest.$ac_objext], [ac_outfile=$4]) + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + lt_compiler_flag="$3" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + # The option is referenced via a variable to avoid confusing sed. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$lt_compile" 2>conftest.err) + ac_status=$? + cat conftest.err >&AS_MESSAGE_LOG_FD + echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + if (exit $ac_status) && test -s "$ac_outfile"; then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings other than the usual output. + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' >conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if test ! -s conftest.er2 || diff conftest.exp conftest.er2 >/dev/null; then + $2=yes + fi + fi + $RM conftest* +]) + +if test x"[$]$2" = xyes; then + m4_if([$5], , :, [$5]) +else + m4_if([$6], , :, [$6]) +fi +])# _LT_COMPILER_OPTION + +# Old name: +AU_ALIAS([AC_LIBTOOL_COMPILER_OPTION], [_LT_COMPILER_OPTION]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_COMPILER_OPTION], []) + + +# _LT_LINKER_OPTION(MESSAGE, VARIABLE-NAME, FLAGS, +# [ACTION-SUCCESS], [ACTION-FAILURE]) +# ---------------------------------------------------- +# Check whether the given linker option works +AC_DEFUN([_LT_LINKER_OPTION], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_SED])dnl +AC_CACHE_CHECK([$1], [$2], + [$2=no + save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS $3" + echo "$lt_simple_link_test_code" > conftest.$ac_ext + if (eval $ac_link 2>conftest.err) && test -s conftest$ac_exeext; then + # The linker can only warn and ignore the option if not recognized + # So say no if there are warnings + if test -s conftest.err; then + # Append any errors to the config.log. + cat conftest.err 1>&AS_MESSAGE_LOG_FD + $ECHO "$_lt_linker_boilerplate" | $SED '/^$/d' > conftest.exp + $SED '/^$/d; /^ *+/d' conftest.err >conftest.er2 + if diff conftest.exp conftest.er2 >/dev/null; then + $2=yes + fi + else + $2=yes + fi + fi + $RM -r conftest* + LDFLAGS="$save_LDFLAGS" +]) + +if test x"[$]$2" = xyes; then + m4_if([$4], , :, [$4]) +else + m4_if([$5], , :, [$5]) +fi +])# _LT_LINKER_OPTION + +# Old name: +AU_ALIAS([AC_LIBTOOL_LINKER_OPTION], [_LT_LINKER_OPTION]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_LINKER_OPTION], []) + + +# LT_CMD_MAX_LEN +#--------------- +AC_DEFUN([LT_CMD_MAX_LEN], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +# find the maximum length of command line arguments +AC_MSG_CHECKING([the maximum length of command line arguments]) +AC_CACHE_VAL([lt_cv_sys_max_cmd_len], [dnl + i=0 + teststring="ABCD" + + case $build_os in + msdosdjgpp*) + # On DJGPP, this test can blow up pretty badly due to problems in libc + # (any single argument exceeding 2000 bytes causes a buffer overrun + # during glob expansion). Even if it were fixed, the result of this + # check would be larger than it should be. + lt_cv_sys_max_cmd_len=12288; # 12K is about right + ;; + + gnu*) + # Under GNU Hurd, this test is not required because there is + # no limit to the length of command line arguments. + # Libtool will interpret -1 as no limit whatsoever + lt_cv_sys_max_cmd_len=-1; + ;; + + cygwin* | mingw* | cegcc*) + # On Win9x/ME, this test blows up -- it succeeds, but takes + # about 5 minutes as the teststring grows exponentially. + # Worse, since 9x/ME are not pre-emptively multitasking, + # you end up with a "frozen" computer, even though with patience + # the test eventually succeeds (with a max line length of 256k). + # Instead, let's just punt: use the minimum linelength reported by + # all of the supported platforms: 8192 (on NT/2K/XP). + lt_cv_sys_max_cmd_len=8192; + ;; + + mint*) + # On MiNT this can take a long time and run out of memory. + lt_cv_sys_max_cmd_len=8192; + ;; + + amigaos*) + # On AmigaOS with pdksh, this test takes hours, literally. + # So we just punt and use a minimum line length of 8192. + lt_cv_sys_max_cmd_len=8192; + ;; + + netbsd* | freebsd* | openbsd* | darwin* | dragonfly*) + # This has been around since 386BSD, at least. Likely further. + if test -x /sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/sbin/sysctl -n kern.argmax` + elif test -x /usr/sbin/sysctl; then + lt_cv_sys_max_cmd_len=`/usr/sbin/sysctl -n kern.argmax` + else + lt_cv_sys_max_cmd_len=65536 # usable default for all BSDs + fi + # And add a safety zone + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + ;; + + interix*) + # We know the value 262144 and hardcode it with a safety zone (like BSD) + lt_cv_sys_max_cmd_len=196608 + ;; + + os2*) + # The test takes a long time on OS/2. + lt_cv_sys_max_cmd_len=8192 + ;; + + osf*) + # Dr. Hans Ekkehard Plesser reports seeing a kernel panic running configure + # due to this test when exec_disable_arg_limit is 1 on Tru64. It is not + # nice to cause kernel panics so lets avoid the loop below. + # First set a reasonable default. + lt_cv_sys_max_cmd_len=16384 + # + if test -x /sbin/sysconfig; then + case `/sbin/sysconfig -q proc exec_disable_arg_limit` in + *1*) lt_cv_sys_max_cmd_len=-1 ;; + esac + fi + ;; + sco3.2v5*) + lt_cv_sys_max_cmd_len=102400 + ;; + sysv5* | sco5v6* | sysv4.2uw2*) + kargmax=`grep ARG_MAX /etc/conf/cf.d/stune 2>/dev/null` + if test -n "$kargmax"; then + lt_cv_sys_max_cmd_len=`echo $kargmax | sed 's/.*[[ ]]//'` + else + lt_cv_sys_max_cmd_len=32768 + fi + ;; + *) + lt_cv_sys_max_cmd_len=`(getconf ARG_MAX) 2> /dev/null` + if test -n "$lt_cv_sys_max_cmd_len"; then + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 4` + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \* 3` + else + # Make teststring a little bigger before we do anything with it. + # a 1K string should be a reasonable start. + for i in 1 2 3 4 5 6 7 8 ; do + teststring=$teststring$teststring + done + SHELL=${SHELL-${CONFIG_SHELL-/bin/sh}} + # If test is not a shell built-in, we'll probably end up computing a + # maximum length that is only half of the actual maximum length, but + # we can't tell. + while { test "X"`env echo "$teststring$teststring" 2>/dev/null` \ + = "X$teststring$teststring"; } >/dev/null 2>&1 && + test $i != 17 # 1/2 MB should be enough + do + i=`expr $i + 1` + teststring=$teststring$teststring + done + # Only check the string length outside the loop. + lt_cv_sys_max_cmd_len=`expr "X$teststring" : ".*" 2>&1` + teststring= + # Add a significant safety factor because C++ compilers can tack on + # massive amounts of additional arguments before passing them to the + # linker. It appears as though 1/2 is a usable value. + lt_cv_sys_max_cmd_len=`expr $lt_cv_sys_max_cmd_len \/ 2` + fi + ;; + esac +]) +if test -n $lt_cv_sys_max_cmd_len ; then + AC_MSG_RESULT($lt_cv_sys_max_cmd_len) +else + AC_MSG_RESULT(none) +fi +max_cmd_len=$lt_cv_sys_max_cmd_len +_LT_DECL([], [max_cmd_len], [0], + [What is the maximum length of a command?]) +])# LT_CMD_MAX_LEN + +# Old name: +AU_ALIAS([AC_LIBTOOL_SYS_MAX_CMD_LEN], [LT_CMD_MAX_LEN]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_SYS_MAX_CMD_LEN], []) + + +# _LT_HEADER_DLFCN +# ---------------- +m4_defun([_LT_HEADER_DLFCN], +[AC_CHECK_HEADERS([dlfcn.h], [], [], [AC_INCLUDES_DEFAULT])dnl +])# _LT_HEADER_DLFCN + + +# _LT_TRY_DLOPEN_SELF (ACTION-IF-TRUE, ACTION-IF-TRUE-W-USCORE, +# ACTION-IF-FALSE, ACTION-IF-CROSS-COMPILING) +# ---------------------------------------------------------------- +m4_defun([_LT_TRY_DLOPEN_SELF], +[m4_require([_LT_HEADER_DLFCN])dnl +if test "$cross_compiling" = yes; then : + [$4] +else + lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 + lt_status=$lt_dlunknown + cat > conftest.$ac_ext <<_LT_EOF +[#line $LINENO "configure" +#include "confdefs.h" + +#if HAVE_DLFCN_H +#include +#endif + +#include + +#ifdef RTLD_GLOBAL +# define LT_DLGLOBAL RTLD_GLOBAL +#else +# ifdef DL_GLOBAL +# define LT_DLGLOBAL DL_GLOBAL +# else +# define LT_DLGLOBAL 0 +# endif +#endif + +/* We may have to define LT_DLLAZY_OR_NOW in the command line if we + find out it does not work in some platform. */ +#ifndef LT_DLLAZY_OR_NOW +# ifdef RTLD_LAZY +# define LT_DLLAZY_OR_NOW RTLD_LAZY +# else +# ifdef DL_LAZY +# define LT_DLLAZY_OR_NOW DL_LAZY +# else +# ifdef RTLD_NOW +# define LT_DLLAZY_OR_NOW RTLD_NOW +# else +# ifdef DL_NOW +# define LT_DLLAZY_OR_NOW DL_NOW +# else +# define LT_DLLAZY_OR_NOW 0 +# endif +# endif +# endif +# endif +#endif + +/* When -fvisbility=hidden is used, assume the code has been annotated + correspondingly for the symbols needed. */ +#if defined(__GNUC__) && (((__GNUC__ == 3) && (__GNUC_MINOR__ >= 3)) || (__GNUC__ > 3)) +int fnord () __attribute__((visibility("default"))); +#endif + +int fnord () { return 42; } +int main () +{ + void *self = dlopen (0, LT_DLGLOBAL|LT_DLLAZY_OR_NOW); + int status = $lt_dlunknown; + + if (self) + { + if (dlsym (self,"fnord")) status = $lt_dlno_uscore; + else + { + if (dlsym( self,"_fnord")) status = $lt_dlneed_uscore; + else puts (dlerror ()); + } + /* dlclose (self); */ + } + else + puts (dlerror ()); + + return status; +}] +_LT_EOF + if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext} 2>/dev/null; then + (./conftest; exit; ) >&AS_MESSAGE_LOG_FD 2>/dev/null + lt_status=$? + case x$lt_status in + x$lt_dlno_uscore) $1 ;; + x$lt_dlneed_uscore) $2 ;; + x$lt_dlunknown|x*) $3 ;; + esac + else : + # compilation failed + $3 + fi +fi +rm -fr conftest* +])# _LT_TRY_DLOPEN_SELF + + +# LT_SYS_DLOPEN_SELF +# ------------------ +AC_DEFUN([LT_SYS_DLOPEN_SELF], +[m4_require([_LT_HEADER_DLFCN])dnl +if test "x$enable_dlopen" != xyes; then + enable_dlopen=unknown + enable_dlopen_self=unknown + enable_dlopen_self_static=unknown +else + lt_cv_dlopen=no + lt_cv_dlopen_libs= + + case $host_os in + beos*) + lt_cv_dlopen="load_add_on" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ;; + + mingw* | pw32* | cegcc*) + lt_cv_dlopen="LoadLibrary" + lt_cv_dlopen_libs= + ;; + + cygwin*) + lt_cv_dlopen="dlopen" + lt_cv_dlopen_libs= + ;; + + darwin*) + # if libdl is installed we need to link against it + AC_CHECK_LIB([dl], [dlopen], + [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"],[ + lt_cv_dlopen="dyld" + lt_cv_dlopen_libs= + lt_cv_dlopen_self=yes + ]) + ;; + + *) + AC_CHECK_FUNC([shl_load], + [lt_cv_dlopen="shl_load"], + [AC_CHECK_LIB([dld], [shl_load], + [lt_cv_dlopen="shl_load" lt_cv_dlopen_libs="-ldld"], + [AC_CHECK_FUNC([dlopen], + [lt_cv_dlopen="dlopen"], + [AC_CHECK_LIB([dl], [dlopen], + [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-ldl"], + [AC_CHECK_LIB([svld], [dlopen], + [lt_cv_dlopen="dlopen" lt_cv_dlopen_libs="-lsvld"], + [AC_CHECK_LIB([dld], [dld_link], + [lt_cv_dlopen="dld_link" lt_cv_dlopen_libs="-ldld"]) + ]) + ]) + ]) + ]) + ]) + ;; + esac + + if test "x$lt_cv_dlopen" != xno; then + enable_dlopen=yes + else + enable_dlopen=no + fi + + case $lt_cv_dlopen in + dlopen) + save_CPPFLAGS="$CPPFLAGS" + test "x$ac_cv_header_dlfcn_h" = xyes && CPPFLAGS="$CPPFLAGS -DHAVE_DLFCN_H" + + save_LDFLAGS="$LDFLAGS" + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $export_dynamic_flag_spec\" + + save_LIBS="$LIBS" + LIBS="$lt_cv_dlopen_libs $LIBS" + + AC_CACHE_CHECK([whether a program can dlopen itself], + lt_cv_dlopen_self, [dnl + _LT_TRY_DLOPEN_SELF( + lt_cv_dlopen_self=yes, lt_cv_dlopen_self=yes, + lt_cv_dlopen_self=no, lt_cv_dlopen_self=cross) + ]) + + if test "x$lt_cv_dlopen_self" = xyes; then + wl=$lt_prog_compiler_wl eval LDFLAGS=\"\$LDFLAGS $lt_prog_compiler_static\" + AC_CACHE_CHECK([whether a statically linked program can dlopen itself], + lt_cv_dlopen_self_static, [dnl + _LT_TRY_DLOPEN_SELF( + lt_cv_dlopen_self_static=yes, lt_cv_dlopen_self_static=yes, + lt_cv_dlopen_self_static=no, lt_cv_dlopen_self_static=cross) + ]) + fi + + CPPFLAGS="$save_CPPFLAGS" + LDFLAGS="$save_LDFLAGS" + LIBS="$save_LIBS" + ;; + esac + + case $lt_cv_dlopen_self in + yes|no) enable_dlopen_self=$lt_cv_dlopen_self ;; + *) enable_dlopen_self=unknown ;; + esac + + case $lt_cv_dlopen_self_static in + yes|no) enable_dlopen_self_static=$lt_cv_dlopen_self_static ;; + *) enable_dlopen_self_static=unknown ;; + esac +fi +_LT_DECL([dlopen_support], [enable_dlopen], [0], + [Whether dlopen is supported]) +_LT_DECL([dlopen_self], [enable_dlopen_self], [0], + [Whether dlopen of programs is supported]) +_LT_DECL([dlopen_self_static], [enable_dlopen_self_static], [0], + [Whether dlopen of statically linked programs is supported]) +])# LT_SYS_DLOPEN_SELF + +# Old name: +AU_ALIAS([AC_LIBTOOL_DLOPEN_SELF], [LT_SYS_DLOPEN_SELF]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_DLOPEN_SELF], []) + + +# _LT_COMPILER_C_O([TAGNAME]) +# --------------------------- +# Check to see if options -c and -o are simultaneously supported by compiler. +# This macro does not hard code the compiler like AC_PROG_CC_C_O. +m4_defun([_LT_COMPILER_C_O], +[m4_require([_LT_DECL_SED])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_TAG_COMPILER])dnl +AC_CACHE_CHECK([if $compiler supports -c -o file.$ac_objext], + [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)], + [_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=no + $RM -r conftest 2>/dev/null + mkdir conftest + cd conftest + mkdir out + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + lt_compiler_flag="-o out/conftest2.$ac_objext" + # Insert the option either (1) after the last *FLAGS variable, or + # (2) before a word containing "conftest.", or (3) at the end. + # Note that $ac_compile itself does not contain backslashes and begins + # with a dollar sign (not a hyphen), so the echo should work correctly. + lt_compile=`echo "$ac_compile" | $SED \ + -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ + -e 's: [[^ ]]*conftest\.: $lt_compiler_flag&:; t' \ + -e 's:$: $lt_compiler_flag:'` + (eval echo "\"\$as_me:$LINENO: $lt_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$lt_compile" 2>out/conftest.err) + ac_status=$? + cat out/conftest.err >&AS_MESSAGE_LOG_FD + echo "$as_me:$LINENO: \$? = $ac_status" >&AS_MESSAGE_LOG_FD + if (exit $ac_status) && test -s out/conftest2.$ac_objext + then + # The compiler can only warn and ignore the option if not recognized + # So say no if there are warnings + $ECHO "$_lt_compiler_boilerplate" | $SED '/^$/d' > out/conftest.exp + $SED '/^$/d; /^ *+/d' out/conftest.err >out/conftest.er2 + if test ! -s out/conftest.er2 || diff out/conftest.exp out/conftest.er2 >/dev/null; then + _LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes + fi + fi + chmod u+w . 2>&AS_MESSAGE_LOG_FD + $RM conftest* + # SGI C++ compiler will create directory out/ii_files/ for + # template instantiation + test -d out/ii_files && $RM out/ii_files/* && rmdir out/ii_files + $RM out/* && rmdir out + cd .. + $RM -r conftest + $RM conftest* +]) +_LT_TAGDECL([compiler_c_o], [lt_cv_prog_compiler_c_o], [1], + [Does compiler simultaneously support -c and -o options?]) +])# _LT_COMPILER_C_O + + +# _LT_COMPILER_FILE_LOCKS([TAGNAME]) +# ---------------------------------- +# Check to see if we can do hard links to lock some files if needed +m4_defun([_LT_COMPILER_FILE_LOCKS], +[m4_require([_LT_ENABLE_LOCK])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +_LT_COMPILER_C_O([$1]) + +hard_links="nottested" +if test "$_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)" = no && test "$need_locks" != no; then + # do not overwrite the value of need_locks provided by the user + AC_MSG_CHECKING([if we can lock with hard links]) + hard_links=yes + $RM conftest* + ln conftest.a conftest.b 2>/dev/null && hard_links=no + touch conftest.a + ln conftest.a conftest.b 2>&5 || hard_links=no + ln conftest.a conftest.b 2>/dev/null && hard_links=no + AC_MSG_RESULT([$hard_links]) + if test "$hard_links" = no; then + AC_MSG_WARN([`$CC' does not support `-c -o', so `make -j' may be unsafe]) + need_locks=warn + fi +else + need_locks=no +fi +_LT_DECL([], [need_locks], [1], [Must we lock files when doing compilation?]) +])# _LT_COMPILER_FILE_LOCKS + + +# _LT_CHECK_OBJDIR +# ---------------- +m4_defun([_LT_CHECK_OBJDIR], +[AC_CACHE_CHECK([for objdir], [lt_cv_objdir], +[rm -f .libs 2>/dev/null +mkdir .libs 2>/dev/null +if test -d .libs; then + lt_cv_objdir=.libs +else + # MS-DOS does not allow filenames that begin with a dot. + lt_cv_objdir=_libs +fi +rmdir .libs 2>/dev/null]) +objdir=$lt_cv_objdir +_LT_DECL([], [objdir], [0], + [The name of the directory that contains temporary libtool files])dnl +m4_pattern_allow([LT_OBJDIR])dnl +AC_DEFINE_UNQUOTED(LT_OBJDIR, "$lt_cv_objdir/", + [Define to the sub-directory in which libtool stores uninstalled libraries.]) +])# _LT_CHECK_OBJDIR + + +# _LT_LINKER_HARDCODE_LIBPATH([TAGNAME]) +# -------------------------------------- +# Check hardcoding attributes. +m4_defun([_LT_LINKER_HARDCODE_LIBPATH], +[AC_MSG_CHECKING([how to hardcode library paths into programs]) +_LT_TAGVAR(hardcode_action, $1)= +if test -n "$_LT_TAGVAR(hardcode_libdir_flag_spec, $1)" || + test -n "$_LT_TAGVAR(runpath_var, $1)" || + test "X$_LT_TAGVAR(hardcode_automatic, $1)" = "Xyes" ; then + + # We can hardcode non-existent directories. + if test "$_LT_TAGVAR(hardcode_direct, $1)" != no && + # If the only mechanism to avoid hardcoding is shlibpath_var, we + # have to relink, otherwise we might link with an installed library + # when we should be linking with a yet-to-be-installed one + ## test "$_LT_TAGVAR(hardcode_shlibpath_var, $1)" != no && + test "$_LT_TAGVAR(hardcode_minus_L, $1)" != no; then + # Linking always hardcodes the temporary library directory. + _LT_TAGVAR(hardcode_action, $1)=relink + else + # We can link without hardcoding, and we can hardcode nonexisting dirs. + _LT_TAGVAR(hardcode_action, $1)=immediate + fi +else + # We cannot hardcode anything, or else we can only hardcode existing + # directories. + _LT_TAGVAR(hardcode_action, $1)=unsupported +fi +AC_MSG_RESULT([$_LT_TAGVAR(hardcode_action, $1)]) + +if test "$_LT_TAGVAR(hardcode_action, $1)" = relink || + test "$_LT_TAGVAR(inherit_rpath, $1)" = yes; then + # Fast installation is not supported + enable_fast_install=no +elif test "$shlibpath_overrides_runpath" = yes || + test "$enable_shared" = no; then + # Fast installation is not necessary + enable_fast_install=needless +fi +_LT_TAGDECL([], [hardcode_action], [0], + [How to hardcode a shared library path into an executable]) +])# _LT_LINKER_HARDCODE_LIBPATH + + +# _LT_CMD_STRIPLIB +# ---------------- +m4_defun([_LT_CMD_STRIPLIB], +[m4_require([_LT_DECL_EGREP]) +striplib= +old_striplib= +AC_MSG_CHECKING([whether stripping libraries is possible]) +if test -n "$STRIP" && $STRIP -V 2>&1 | $GREP "GNU strip" >/dev/null; then + test -z "$old_striplib" && old_striplib="$STRIP --strip-debug" + test -z "$striplib" && striplib="$STRIP --strip-unneeded" + AC_MSG_RESULT([yes]) +else +# FIXME - insert some real tests, host_os isn't really good enough + case $host_os in + darwin*) + if test -n "$STRIP" ; then + striplib="$STRIP -x" + old_striplib="$STRIP -S" + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + fi + ;; + *) + AC_MSG_RESULT([no]) + ;; + esac +fi +_LT_DECL([], [old_striplib], [1], [Commands to strip libraries]) +_LT_DECL([], [striplib], [1]) +])# _LT_CMD_STRIPLIB + + +# _LT_SYS_DYNAMIC_LINKER([TAG]) +# ----------------------------- +# PORTME Fill in your ld.so characteristics +m4_defun([_LT_SYS_DYNAMIC_LINKER], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_OBJDUMP])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_CHECK_SHELL_FEATURES])dnl +AC_MSG_CHECKING([dynamic linker characteristics]) +m4_if([$1], + [], [ +if test "$GCC" = yes; then + case $host_os in + darwin*) lt_awk_arg="/^libraries:/,/LR/" ;; + *) lt_awk_arg="/^libraries:/" ;; + esac + case $host_os in + mingw* | cegcc*) lt_sed_strip_eq="s,=\([[A-Za-z]]:\),\1,g" ;; + *) lt_sed_strip_eq="s,=/,/,g" ;; + esac + lt_search_path_spec=`$CC -print-search-dirs | awk $lt_awk_arg | $SED -e "s/^libraries://" -e $lt_sed_strip_eq` + case $lt_search_path_spec in + *\;*) + # if the path contains ";" then we assume it to be the separator + # otherwise default to the standard path separator (i.e. ":") - it is + # assumed that no part of a normal pathname contains ";" but that should + # okay in the real world where ";" in dirpaths is itself problematic. + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED 's/;/ /g'` + ;; + *) + lt_search_path_spec=`$ECHO "$lt_search_path_spec" | $SED "s/$PATH_SEPARATOR/ /g"` + ;; + esac + # Ok, now we have the path, separated by spaces, we can step through it + # and add multilib dir if necessary. + lt_tmp_lt_search_path_spec= + lt_multi_os_dir=`$CC $CPPFLAGS $CFLAGS $LDFLAGS -print-multi-os-directory 2>/dev/null` + for lt_sys_path in $lt_search_path_spec; do + if test -d "$lt_sys_path/$lt_multi_os_dir"; then + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path/$lt_multi_os_dir" + else + test -d "$lt_sys_path" && \ + lt_tmp_lt_search_path_spec="$lt_tmp_lt_search_path_spec $lt_sys_path" + fi + done + lt_search_path_spec=`$ECHO "$lt_tmp_lt_search_path_spec" | awk ' +BEGIN {RS=" "; FS="/|\n";} { + lt_foo=""; + lt_count=0; + for (lt_i = NF; lt_i > 0; lt_i--) { + if ($lt_i != "" && $lt_i != ".") { + if ($lt_i == "..") { + lt_count++; + } else { + if (lt_count == 0) { + lt_foo="/" $lt_i lt_foo; + } else { + lt_count--; + } + } + } + } + if (lt_foo != "") { lt_freq[[lt_foo]]++; } + if (lt_freq[[lt_foo]] == 1) { print lt_foo; } +}'` + # AWK program above erroneously prepends '/' to C:/dos/paths + # for these hosts. + case $host_os in + mingw* | cegcc*) lt_search_path_spec=`$ECHO "$lt_search_path_spec" |\ + $SED 's,/\([[A-Za-z]]:\),\1,g'` ;; + esac + sys_lib_search_path_spec=`$ECHO "$lt_search_path_spec" | $lt_NL2SP` +else + sys_lib_search_path_spec="/lib /usr/lib /usr/local/lib" +fi]) +library_names_spec= +libname_spec='lib$name' +soname_spec= +shrext_cmds=".so" +postinstall_cmds= +postuninstall_cmds= +finish_cmds= +finish_eval= +shlibpath_var= +shlibpath_overrides_runpath=unknown +version_type=none +dynamic_linker="$host_os ld.so" +sys_lib_dlsearch_path_spec="/lib /usr/lib" +need_lib_prefix=unknown +hardcode_into_libs=no + +# when you set need_version to no, make sure it does not cause -set_version +# flags to be left without arguments +need_version=unknown + +case $host_os in +aix3*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='${libname}${release}${shared_ext}$versuffix $libname.a' + shlibpath_var=LIBPATH + + # AIX 3 has no versioning support, so we append a major version to the name. + soname_spec='${libname}${release}${shared_ext}$major' + ;; + +aix[[4-9]]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + hardcode_into_libs=yes + if test "$host_cpu" = ia64; then + # AIX 5 supports IA64 + library_names_spec='${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext}$versuffix $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + else + # With GCC up to 2.95.x, collect2 would create an import file + # for dependence libraries. The import file would start with + # the line `#! .'. This would cause the generated library to + # depend on `.', always an invalid library. This was fixed in + # development snapshots of GCC prior to 3.0. + case $host_os in + aix4 | aix4.[[01]] | aix4.[[01]].*) + if { echo '#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 97)' + echo ' yes ' + echo '#endif'; } | ${CC} -E - | $GREP yes > /dev/null; then + : + else + can_build_shared=no + fi + ;; + esac + # AIX (on Power*) has no versioning support, so currently we can not hardcode correct + # soname into executable. Probably we can add versioning support to + # collect2, so additional links can be useful in future. + if test "$aix_use_runtimelinking" = yes; then + # If using run time linking (on AIX 4.2 or later) use lib.so + # instead of lib.a to let people know that these are not + # typical AIX shared libraries. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + else + # We preserve .a as extension for shared libraries through AIX4.2 + # and later when we are not doing run time linking. + library_names_spec='${libname}${release}.a $libname.a' + soname_spec='${libname}${release}${shared_ext}$major' + fi + shlibpath_var=LIBPATH + fi + ;; + +amigaos*) + case $host_cpu in + powerpc) + # Since July 2007 AmigaOS4 officially supports .so libraries. + # When compiling the executable, add -use-dynld -Lsobjs: to the compileline. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + ;; + m68k) + library_names_spec='$libname.ixlibrary $libname.a' + # Create ${libname}_ixlibrary.a entries in /sys/libs. + finish_eval='for lib in `ls $libdir/*.ixlibrary 2>/dev/null`; do libname=`func_echo_all "$lib" | $SED '\''s%^.*/\([[^/]]*\)\.ixlibrary$%\1%'\''`; test $RM /sys/libs/${libname}_ixlibrary.a; $show "cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a"; cd /sys/libs && $LN_S $lib ${libname}_ixlibrary.a || exit 1; done' + ;; + esac + ;; + +beos*) + library_names_spec='${libname}${shared_ext}' + dynamic_linker="$host_os ld.so" + shlibpath_var=LIBRARY_PATH + ;; + +bsdi[[45]]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/shlib /usr/lib /usr/X11/lib /usr/contrib/lib /lib /usr/local/lib" + sys_lib_dlsearch_path_spec="/shlib /usr/lib /usr/local/lib" + # the default ld.so.conf also contains /usr/contrib/lib and + # /usr/X11R6/lib (/usr/X11 is a link to /usr/X11R6), but let us allow + # libtool to hard-code these into programs + ;; + +cygwin* | mingw* | pw32* | cegcc*) + version_type=windows + shrext_cmds=".dll" + need_version=no + need_lib_prefix=no + + case $GCC,$cc_basename in + yes,*) + # gcc + library_names_spec='$libname.dll.a' + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \${file}`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname~ + chmod a+x \$dldir/$dlname~ + if test -n '\''$stripme'\'' && test -n '\''$striplib'\''; then + eval '\''$striplib \$dldir/$dlname'\'' || exit \$?; + fi' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + + case $host_os in + cygwin*) + # Cygwin DLLs use 'cyg' prefix rather than 'lib' + soname_spec='`echo ${libname} | sed -e 's/^lib/cyg/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' +m4_if([$1], [],[ + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/lib/w32api"]) + ;; + mingw* | cegcc*) + # MinGW DLLs use traditional 'lib' prefix + soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' + ;; + pw32*) + # pw32 DLLs use 'pw' prefix rather than 'lib' + library_names_spec='`echo ${libname} | sed -e 's/^lib/pw/'``echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' + ;; + esac + dynamic_linker='Win32 ld.exe' + ;; + + *,cl*) + # Native MSVC + libname_spec='$name' + soname_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext}' + library_names_spec='${libname}.dll.lib' + + case $build_os in + mingw*) + sys_lib_search_path_spec= + lt_save_ifs=$IFS + IFS=';' + for lt_path in $LIB + do + IFS=$lt_save_ifs + # Let DOS variable expansion print the short 8.3 style file name. + lt_path=`cd "$lt_path" 2>/dev/null && cmd //C "for %i in (".") do @echo %~si"` + sys_lib_search_path_spec="$sys_lib_search_path_spec $lt_path" + done + IFS=$lt_save_ifs + # Convert to MSYS style. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | sed -e 's|\\\\|/|g' -e 's| \\([[a-zA-Z]]\\):| /\\1|g' -e 's|^ ||'` + ;; + cygwin*) + # Convert to unix form, then to dos form, then back to unix form + # but this time dos style (no spaces!) so that the unix form looks + # like /cygdrive/c/PROGRA~1:/cygdr... + sys_lib_search_path_spec=`cygpath --path --unix "$LIB"` + sys_lib_search_path_spec=`cygpath --path --dos "$sys_lib_search_path_spec" 2>/dev/null` + sys_lib_search_path_spec=`cygpath --path --unix "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + ;; + *) + sys_lib_search_path_spec="$LIB" + if $ECHO "$sys_lib_search_path_spec" | [$GREP ';[c-zC-Z]:/' >/dev/null]; then + # It is most probably a Windows format PATH. + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e 's/;/ /g'` + else + sys_lib_search_path_spec=`$ECHO "$sys_lib_search_path_spec" | $SED -e "s/$PATH_SEPARATOR/ /g"` + fi + # FIXME: find the short name or the path components, as spaces are + # common. (e.g. "Program Files" -> "PROGRA~1") + ;; + esac + + # DLL is installed to $(libdir)/../bin by postinstall_cmds + postinstall_cmds='base_file=`basename \${file}`~ + dlpath=`$SHELL 2>&1 -c '\''. $dir/'\''\${base_file}'\''i; echo \$dlname'\''`~ + dldir=$destdir/`dirname \$dlpath`~ + test -d \$dldir || mkdir -p \$dldir~ + $install_prog $dir/$dlname \$dldir/$dlname' + postuninstall_cmds='dldll=`$SHELL 2>&1 -c '\''. $file; echo \$dlname'\''`~ + dlpath=$dir/\$dldll~ + $RM \$dlpath' + shlibpath_overrides_runpath=yes + dynamic_linker='Win32 link.exe' + ;; + + *) + # Assume MSVC wrapper + library_names_spec='${libname}`echo ${release} | $SED -e 's/[[.]]/-/g'`${versuffix}${shared_ext} $libname.lib' + dynamic_linker='Win32 ld.exe' + ;; + esac + # FIXME: first we should search . and the directory the executable is in + shlibpath_var=PATH + ;; + +darwin* | rhapsody*) + dynamic_linker="$host_os dyld" + version_type=darwin + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${major}$shared_ext ${libname}$shared_ext' + soname_spec='${libname}${release}${major}$shared_ext' + shlibpath_overrides_runpath=yes + shlibpath_var=DYLD_LIBRARY_PATH + shrext_cmds='`test .$module = .yes && echo .so || echo .dylib`' +m4_if([$1], [],[ + sys_lib_search_path_spec="$sys_lib_search_path_spec /usr/local/lib"]) + sys_lib_dlsearch_path_spec='/usr/local/lib /lib /usr/lib' + ;; + +dgux*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname$shared_ext' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + ;; + +freebsd* | dragonfly*) + # DragonFly does not have aout. When/if they implement a new + # versioning mechanism, adjust this. + if test -x /usr/bin/objformat; then + objformat=`/usr/bin/objformat` + else + case $host_os in + freebsd[[23]].*) objformat=aout ;; + *) objformat=elf ;; + esac + fi + version_type=freebsd-$objformat + case $version_type in + freebsd-elf*) + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' + need_version=no + need_lib_prefix=no + ;; + freebsd-*) + library_names_spec='${libname}${release}${shared_ext}$versuffix $libname${shared_ext}$versuffix' + need_version=yes + ;; + esac + shlibpath_var=LD_LIBRARY_PATH + case $host_os in + freebsd2.*) + shlibpath_overrides_runpath=yes + ;; + freebsd3.[[01]]* | freebsdelf3.[[01]]*) + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + freebsd3.[[2-9]]* | freebsdelf3.[[2-9]]* | \ + freebsd4.[[0-5]] | freebsdelf4.[[0-5]] | freebsd4.1.1 | freebsdelf4.1.1) + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + *) # from 4.6 on, and DragonFly + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + esac + ;; + +gnu*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +haiku*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + dynamic_linker="$host_os runtime_loader" + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}${major} ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LIBRARY_PATH + shlibpath_overrides_runpath=yes + sys_lib_dlsearch_path_spec='/boot/home/config/lib /boot/common/lib /boot/system/lib' + hardcode_into_libs=yes + ;; + +hpux9* | hpux10* | hpux11*) + # Give a soname corresponding to the major version so that dld.sl refuses to + # link against other versions. + version_type=sunos + need_lib_prefix=no + need_version=no + case $host_cpu in + ia64*) + shrext_cmds='.so' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.so" + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + if test "X$HPUX_IA64_MODE" = X32; then + sys_lib_search_path_spec="/usr/lib/hpux32 /usr/local/lib/hpux32 /usr/local/lib" + else + sys_lib_search_path_spec="/usr/lib/hpux64 /usr/local/lib/hpux64" + fi + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + hppa*64*) + shrext_cmds='.sl' + hardcode_into_libs=yes + dynamic_linker="$host_os dld.sl" + shlibpath_var=LD_LIBRARY_PATH # How should we handle SHLIB_PATH + shlibpath_overrides_runpath=yes # Unless +noenvvar is specified. + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + sys_lib_search_path_spec="/usr/lib/pa20_64 /usr/ccs/lib/pa20_64" + sys_lib_dlsearch_path_spec=$sys_lib_search_path_spec + ;; + *) + shrext_cmds='.sl' + dynamic_linker="$host_os dld.sl" + shlibpath_var=SHLIB_PATH + shlibpath_overrides_runpath=no # +s is required to enable SHLIB_PATH + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + ;; + esac + # HP-UX runs *really* slowly unless shared libraries are mode 555, ... + postinstall_cmds='chmod 555 $lib' + # or fails outright, so override atomically: + install_override_mode=555 + ;; + +interix[[3-9]]*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + dynamic_linker='Interix 3.x ld.so.1 (PE, like ELF)' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +irix5* | irix6* | nonstopux*) + case $host_os in + nonstopux*) version_type=nonstopux ;; + *) + if test "$lt_cv_prog_gnu_ld" = yes; then + version_type=linux # correct to gnu/linux during the next big refactor + else + version_type=irix + fi ;; + esac + need_lib_prefix=no + need_version=no + soname_spec='${libname}${release}${shared_ext}$major' + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${release}${shared_ext} $libname${shared_ext}' + case $host_os in + irix5* | nonstopux*) + libsuff= shlibsuff= + ;; + *) + case $LD in # libtool.m4 will add one of these switches to LD + *-32|*"-32 "|*-melf32bsmip|*"-melf32bsmip ") + libsuff= shlibsuff= libmagic=32-bit;; + *-n32|*"-n32 "|*-melf32bmipn32|*"-melf32bmipn32 ") + libsuff=32 shlibsuff=N32 libmagic=N32;; + *-64|*"-64 "|*-melf64bmip|*"-melf64bmip ") + libsuff=64 shlibsuff=64 libmagic=64-bit;; + *) libsuff= shlibsuff= libmagic=never-match;; + esac + ;; + esac + shlibpath_var=LD_LIBRARY${shlibsuff}_PATH + shlibpath_overrides_runpath=no + sys_lib_search_path_spec="/usr/lib${libsuff} /lib${libsuff} /usr/local/lib${libsuff}" + sys_lib_dlsearch_path_spec="/usr/lib${libsuff} /lib${libsuff}" + hardcode_into_libs=yes + ;; + +# No shared lib support for Linux oldld, aout, or coff. +linux*oldld* | linux*aout* | linux*coff*) + dynamic_linker=no + ;; + +# This must be glibc/ELF. +linux* | k*bsd*-gnu | kopensolaris*-gnu) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -n $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + + # Some binutils ld are patched to set DT_RUNPATH + AC_CACHE_VAL([lt_cv_shlibpath_overrides_runpath], + [lt_cv_shlibpath_overrides_runpath=no + save_LDFLAGS=$LDFLAGS + save_libdir=$libdir + eval "libdir=/foo; wl=\"$_LT_TAGVAR(lt_prog_compiler_wl, $1)\"; \ + LDFLAGS=\"\$LDFLAGS $_LT_TAGVAR(hardcode_libdir_flag_spec, $1)\"" + AC_LINK_IFELSE([AC_LANG_PROGRAM([],[])], + [AS_IF([ ($OBJDUMP -p conftest$ac_exeext) 2>/dev/null | grep "RUNPATH.*$libdir" >/dev/null], + [lt_cv_shlibpath_overrides_runpath=yes])]) + LDFLAGS=$save_LDFLAGS + libdir=$save_libdir + ]) + shlibpath_overrides_runpath=$lt_cv_shlibpath_overrides_runpath + + # This implies no fast_install, which is unacceptable. + # Some rework will be needed to allow for fast_install + # before this can be enabled. + hardcode_into_libs=yes + + # Append ld.so.conf contents to the search path + if test -f /etc/ld.so.conf; then + lt_ld_extra=`awk '/^include / { system(sprintf("cd /etc; cat %s 2>/dev/null", \[$]2)); skip = 1; } { if (!skip) print \[$]0; skip = 0; }' < /etc/ld.so.conf | $SED -e 's/#.*//;/^[ ]*hwcap[ ]/d;s/[:, ]/ /g;s/=[^=]*$//;s/=[^= ]* / /g;s/"//g;/^$/d' | tr '\n' ' '` + sys_lib_dlsearch_path_spec="/lib /usr/lib $lt_ld_extra" + fi + + # We used to test for /lib/ld.so.1 and disable shared libraries on + # powerpc, because MkLinux only supported shared libraries with the + # GNU dynamic linker. Since this was broken with cross compilers, + # most powerpc-linux boxes support dynamic linking these days and + # people can always --disable-shared, the test was removed, and we + # assume the GNU/Linux dynamic linker is in use. + dynamic_linker='GNU/Linux ld.so' + ;; + +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + +netbsd*) + version_type=sunos + need_lib_prefix=no + need_version=no + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + dynamic_linker='NetBSD (a.out) ld.so' + else + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + dynamic_linker='NetBSD ld.elf_so' + fi + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + ;; + +newsos6) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + ;; + +*nto* | *qnx*) + version_type=qnx + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='ldqnx.so' + ;; + +openbsd*) + version_type=sunos + sys_lib_dlsearch_path_spec="/usr/lib" + need_lib_prefix=no + # Some older versions of OpenBSD (3.3 at least) *do* need versioned libs. + case $host_os in + openbsd3.3 | openbsd3.3.*) need_version=yes ;; + *) need_version=no ;; + esac + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' + finish_cmds='PATH="\$PATH:/sbin" ldconfig -m $libdir' + shlibpath_var=LD_LIBRARY_PATH + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + case $host_os in + openbsd2.[[89]] | openbsd2.[[89]].*) + shlibpath_overrides_runpath=no + ;; + *) + shlibpath_overrides_runpath=yes + ;; + esac + else + shlibpath_overrides_runpath=yes + fi + ;; + +os2*) + libname_spec='$name' + shrext_cmds=".dll" + need_lib_prefix=no + library_names_spec='$libname${shared_ext} $libname.a' + dynamic_linker='OS/2 ld.exe' + shlibpath_var=LIBPATH + ;; + +osf3* | osf4* | osf5*) + version_type=osf + need_lib_prefix=no + need_version=no + soname_spec='${libname}${release}${shared_ext}$major' + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + sys_lib_search_path_spec="/usr/shlib /usr/ccs/lib /usr/lib/cmplrs/cc /usr/lib /usr/local/lib /var/shlib" + sys_lib_dlsearch_path_spec="$sys_lib_search_path_spec" + ;; + +rdos*) + dynamic_linker=no + ;; + +solaris*) + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + # ldd complains unless libraries are executable + postinstall_cmds='chmod +x $lib' + ;; + +sunos4*) + version_type=sunos + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${shared_ext}$versuffix' + finish_cmds='PATH="\$PATH:/usr/etc" ldconfig $libdir' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + if test "$with_gnu_ld" = yes; then + need_lib_prefix=no + fi + need_version=yes + ;; + +sysv4 | sysv4.3*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + case $host_vendor in + sni) + shlibpath_overrides_runpath=no + need_lib_prefix=no + runpath_var=LD_RUN_PATH + ;; + siemens) + need_lib_prefix=no + ;; + motorola) + need_lib_prefix=no + need_version=no + shlibpath_overrides_runpath=no + sys_lib_search_path_spec='/lib /usr/lib /usr/ccs/lib' + ;; + esac + ;; + +sysv4*MP*) + if test -d /usr/nec ;then + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='$libname${shared_ext}.$versuffix $libname${shared_ext}.$major $libname${shared_ext}' + soname_spec='$libname${shared_ext}.$major' + shlibpath_var=LD_LIBRARY_PATH + fi + ;; + +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + version_type=freebsd-elf + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext} $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=yes + hardcode_into_libs=yes + if test "$with_gnu_ld" = yes; then + sys_lib_search_path_spec='/usr/local/lib /usr/gnu/lib /usr/ccs/lib /usr/lib /lib' + else + sys_lib_search_path_spec='/usr/ccs/lib /usr/lib' + case $host_os in + sco3.2v5*) + sys_lib_search_path_spec="$sys_lib_search_path_spec /lib" + ;; + esac + fi + sys_lib_dlsearch_path_spec='/usr/lib' + ;; + +tpf*) + # TPF is a cross-target only. Preferred cross-host = GNU/Linux. + version_type=linux # correct to gnu/linux during the next big refactor + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + ;; + +uts4*) + version_type=linux # correct to gnu/linux during the next big refactor + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major $libname${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + ;; + +*) + dynamic_linker=no + ;; +esac +AC_MSG_RESULT([$dynamic_linker]) +test "$dynamic_linker" = no && can_build_shared=no + +variables_saved_for_relink="PATH $shlibpath_var $runpath_var" +if test "$GCC" = yes; then + variables_saved_for_relink="$variables_saved_for_relink GCC_EXEC_PREFIX COMPILER_PATH LIBRARY_PATH" +fi + +if test "${lt_cv_sys_lib_search_path_spec+set}" = set; then + sys_lib_search_path_spec="$lt_cv_sys_lib_search_path_spec" +fi +if test "${lt_cv_sys_lib_dlsearch_path_spec+set}" = set; then + sys_lib_dlsearch_path_spec="$lt_cv_sys_lib_dlsearch_path_spec" +fi + +_LT_DECL([], [variables_saved_for_relink], [1], + [Variables whose values should be saved in libtool wrapper scripts and + restored at link time]) +_LT_DECL([], [need_lib_prefix], [0], + [Do we need the "lib" prefix for modules?]) +_LT_DECL([], [need_version], [0], [Do we need a version for libraries?]) +_LT_DECL([], [version_type], [0], [Library versioning type]) +_LT_DECL([], [runpath_var], [0], [Shared library runtime path variable]) +_LT_DECL([], [shlibpath_var], [0],[Shared library path variable]) +_LT_DECL([], [shlibpath_overrides_runpath], [0], + [Is shlibpath searched before the hard-coded library search path?]) +_LT_DECL([], [libname_spec], [1], [Format of library name prefix]) +_LT_DECL([], [library_names_spec], [1], + [[List of archive names. First name is the real one, the rest are links. + The last name is the one that the linker finds with -lNAME]]) +_LT_DECL([], [soname_spec], [1], + [[The coded name of the library, if different from the real name]]) +_LT_DECL([], [install_override_mode], [1], + [Permission mode override for installation of shared libraries]) +_LT_DECL([], [postinstall_cmds], [2], + [Command to use after installation of a shared archive]) +_LT_DECL([], [postuninstall_cmds], [2], + [Command to use after uninstallation of a shared archive]) +_LT_DECL([], [finish_cmds], [2], + [Commands used to finish a libtool library installation in a directory]) +_LT_DECL([], [finish_eval], [1], + [[As "finish_cmds", except a single script fragment to be evaled but + not shown]]) +_LT_DECL([], [hardcode_into_libs], [0], + [Whether we should hardcode library paths into libraries]) +_LT_DECL([], [sys_lib_search_path_spec], [2], + [Compile-time system search path for libraries]) +_LT_DECL([], [sys_lib_dlsearch_path_spec], [2], + [Run-time system search path for libraries]) +])# _LT_SYS_DYNAMIC_LINKER + + +# _LT_PATH_TOOL_PREFIX(TOOL) +# -------------------------- +# find a file program which can recognize shared library +AC_DEFUN([_LT_PATH_TOOL_PREFIX], +[m4_require([_LT_DECL_EGREP])dnl +AC_MSG_CHECKING([for $1]) +AC_CACHE_VAL(lt_cv_path_MAGIC_CMD, +[case $MAGIC_CMD in +[[\\/*] | ?:[\\/]*]) + lt_cv_path_MAGIC_CMD="$MAGIC_CMD" # Let the user override the test with a path. + ;; +*) + lt_save_MAGIC_CMD="$MAGIC_CMD" + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR +dnl $ac_dummy forces splitting on constant user-supplied paths. +dnl POSIX.2 word splitting is done only on the output of word expansions, +dnl not every word. This closes a longstanding sh security hole. + ac_dummy="m4_if([$2], , $PATH, [$2])" + for ac_dir in $ac_dummy; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$1; then + lt_cv_path_MAGIC_CMD="$ac_dir/$1" + if test -n "$file_magic_test_file"; then + case $deplibs_check_method in + "file_magic "*) + file_magic_regex=`expr "$deplibs_check_method" : "file_magic \(.*\)"` + MAGIC_CMD="$lt_cv_path_MAGIC_CMD" + if eval $file_magic_cmd \$file_magic_test_file 2> /dev/null | + $EGREP "$file_magic_regex" > /dev/null; then + : + else + cat <<_LT_EOF 1>&2 + +*** Warning: the command libtool uses to detect shared libraries, +*** $file_magic_cmd, produces output that libtool cannot recognize. +*** The result is that libtool may fail to recognize shared libraries +*** as such. This will affect the creation of libtool libraries that +*** depend on shared libraries, but programs linked with such libtool +*** libraries will work regardless of this problem. Nevertheless, you +*** may want to report the problem to your system manager and/or to +*** bug-libtool@gnu.org + +_LT_EOF + fi ;; + esac + fi + break + fi + done + IFS="$lt_save_ifs" + MAGIC_CMD="$lt_save_MAGIC_CMD" + ;; +esac]) +MAGIC_CMD="$lt_cv_path_MAGIC_CMD" +if test -n "$MAGIC_CMD"; then + AC_MSG_RESULT($MAGIC_CMD) +else + AC_MSG_RESULT(no) +fi +_LT_DECL([], [MAGIC_CMD], [0], + [Used to examine libraries when file_magic_cmd begins with "file"])dnl +])# _LT_PATH_TOOL_PREFIX + +# Old name: +AU_ALIAS([AC_PATH_TOOL_PREFIX], [_LT_PATH_TOOL_PREFIX]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_PATH_TOOL_PREFIX], []) + + +# _LT_PATH_MAGIC +# -------------- +# find a file program which can recognize a shared library +m4_defun([_LT_PATH_MAGIC], +[_LT_PATH_TOOL_PREFIX(${ac_tool_prefix}file, /usr/bin$PATH_SEPARATOR$PATH) +if test -z "$lt_cv_path_MAGIC_CMD"; then + if test -n "$ac_tool_prefix"; then + _LT_PATH_TOOL_PREFIX(file, /usr/bin$PATH_SEPARATOR$PATH) + else + MAGIC_CMD=: + fi +fi +])# _LT_PATH_MAGIC + + +# LT_PATH_LD +# ---------- +# find the pathname to the GNU or non-GNU linker +AC_DEFUN([LT_PATH_LD], +[AC_REQUIRE([AC_PROG_CC])dnl +AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_CANONICAL_BUILD])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_PROG_ECHO_BACKSLASH])dnl + +AC_ARG_WITH([gnu-ld], + [AS_HELP_STRING([--with-gnu-ld], + [assume the C compiler uses GNU ld @<:@default=no@:>@])], + [test "$withval" = no || with_gnu_ld=yes], + [with_gnu_ld=no])dnl + +ac_prog=ld +if test "$GCC" = yes; then + # Check if gcc -print-prog-name=ld gives a path. + AC_MSG_CHECKING([for ld used by $CC]) + case $host in + *-*-mingw*) + # gcc leaves a trailing carriage return which upsets mingw + ac_prog=`($CC -print-prog-name=ld) 2>&5 | tr -d '\015'` ;; + *) + ac_prog=`($CC -print-prog-name=ld) 2>&5` ;; + esac + case $ac_prog in + # Accept absolute paths. + [[\\/]]* | ?:[[\\/]]*) + re_direlt='/[[^/]][[^/]]*/\.\./' + # Canonicalize the pathname of ld + ac_prog=`$ECHO "$ac_prog"| $SED 's%\\\\%/%g'` + while $ECHO "$ac_prog" | $GREP "$re_direlt" > /dev/null 2>&1; do + ac_prog=`$ECHO $ac_prog| $SED "s%$re_direlt%/%"` + done + test -z "$LD" && LD="$ac_prog" + ;; + "") + # If it fails, then pretend we aren't using GCC. + ac_prog=ld + ;; + *) + # If it is relative, then search for the first ld in PATH. + with_gnu_ld=unknown + ;; + esac +elif test "$with_gnu_ld" = yes; then + AC_MSG_CHECKING([for GNU ld]) +else + AC_MSG_CHECKING([for non-GNU ld]) +fi +AC_CACHE_VAL(lt_cv_path_LD, +[if test -z "$LD"; then + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in $PATH; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. + if test -f "$ac_dir/$ac_prog" || test -f "$ac_dir/$ac_prog$ac_exeext"; then + lt_cv_path_LD="$ac_dir/$ac_prog" + # Check to see if the program is GNU ld. I'd rather use --version, + # but apparently some variants of GNU ld only accept -v. + # Break only if it was the GNU/non-GNU ld that we prefer. + case `"$lt_cv_path_LD" -v 2>&1 &1 /dev/null 2>&1; then + lt_cv_deplibs_check_method='file_magic ^x86 archive import|^x86 DLL' + lt_cv_file_magic_cmd='func_win32_libid' + else + # Keep this pattern in sync with the one in func_win32_libid. + lt_cv_deplibs_check_method='file_magic file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' + lt_cv_file_magic_cmd='$OBJDUMP -f' + fi + ;; + +cegcc*) + # use the weaker test based on 'objdump'. See mingw*. + lt_cv_deplibs_check_method='file_magic file format pe-arm-.*little(.*architecture: arm)?' + lt_cv_file_magic_cmd='$OBJDUMP -f' + ;; + +darwin* | rhapsody*) + lt_cv_deplibs_check_method=pass_all + ;; + +freebsd* | dragonfly*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + case $host_cpu in + i*86 ) + # Not sure whether the presence of OpenBSD here was a mistake. + # Let's accept both of them until this is cleared up. + lt_cv_deplibs_check_method='file_magic (FreeBSD|OpenBSD|DragonFly)/i[[3-9]]86 (compact )?demand paged shared library' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so.*` + ;; + esac + else + lt_cv_deplibs_check_method=pass_all + fi + ;; + +gnu*) + lt_cv_deplibs_check_method=pass_all + ;; + +haiku*) + lt_cv_deplibs_check_method=pass_all + ;; + +hpux10.20* | hpux11*) + lt_cv_file_magic_cmd=/usr/bin/file + case $host_cpu in + ia64*) + lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|ELF-[[0-9]][[0-9]]) shared object file - IA64' + lt_cv_file_magic_test_file=/usr/lib/hpux32/libc.so + ;; + hppa*64*) + [lt_cv_deplibs_check_method='file_magic (s[0-9][0-9][0-9]|ELF[ -][0-9][0-9])(-bit)?( [LM]SB)? shared object( file)?[, -]* PA-RISC [0-9]\.[0-9]'] + lt_cv_file_magic_test_file=/usr/lib/pa20_64/libc.sl + ;; + *) + lt_cv_deplibs_check_method='file_magic (s[[0-9]][[0-9]][[0-9]]|PA-RISC[[0-9]]\.[[0-9]]) shared library' + lt_cv_file_magic_test_file=/usr/lib/libc.sl + ;; + esac + ;; + +interix[[3-9]]*) + # PIC code is broken on Interix 3.x, that's why |\.a not |_pic\.a here + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|\.a)$' + ;; + +irix5* | irix6* | nonstopux*) + case $LD in + *-32|*"-32 ") libmagic=32-bit;; + *-n32|*"-n32 ") libmagic=N32;; + *-64|*"-64 ") libmagic=64-bit;; + *) libmagic=never-match;; + esac + lt_cv_deplibs_check_method=pass_all + ;; + +# This must be glibc/ELF. +linux* | k*bsd*-gnu | kopensolaris*-gnu) + lt_cv_deplibs_check_method=pass_all + ;; + +netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so|_pic\.a)$' + fi + ;; + +newos6*) + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (executable|dynamic lib)' + lt_cv_file_magic_cmd=/usr/bin/file + lt_cv_file_magic_test_file=/usr/lib/libnls.so + ;; + +*nto* | *qnx*) + lt_cv_deplibs_check_method=pass_all + ;; + +openbsd*) + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|\.so|_pic\.a)$' + else + lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' + fi + ;; + +osf3* | osf4* | osf5*) + lt_cv_deplibs_check_method=pass_all + ;; + +rdos*) + lt_cv_deplibs_check_method=pass_all + ;; + +solaris*) + lt_cv_deplibs_check_method=pass_all + ;; + +sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX* | sysv4*uw2*) + lt_cv_deplibs_check_method=pass_all + ;; + +sysv4 | sysv4.3*) + case $host_vendor in + motorola) + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[ML]]SB (shared object|dynamic lib) M[[0-9]][[0-9]]* Version [[0-9]]' + lt_cv_file_magic_test_file=`echo /usr/lib/libc.so*` + ;; + ncr) + lt_cv_deplibs_check_method=pass_all + ;; + sequent) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method='file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB (shared object|dynamic lib )' + ;; + sni) + lt_cv_file_magic_cmd='/bin/file' + lt_cv_deplibs_check_method="file_magic ELF [[0-9]][[0-9]]*-bit [[LM]]SB dynamic lib" + lt_cv_file_magic_test_file=/lib/libc.so + ;; + siemens) + lt_cv_deplibs_check_method=pass_all + ;; + pc) + lt_cv_deplibs_check_method=pass_all + ;; + esac + ;; + +tpf*) + lt_cv_deplibs_check_method=pass_all + ;; +esac +]) + +file_magic_glob= +want_nocaseglob=no +if test "$build" = "$host"; then + case $host_os in + mingw* | pw32*) + if ( shopt | grep nocaseglob ) >/dev/null 2>&1; then + want_nocaseglob=yes + else + file_magic_glob=`echo aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ | $SED -e "s/\(..\)/s\/[[\1]]\/[[\1]]\/g;/g"` + fi + ;; + esac +fi + +file_magic_cmd=$lt_cv_file_magic_cmd +deplibs_check_method=$lt_cv_deplibs_check_method +test -z "$deplibs_check_method" && deplibs_check_method=unknown + +_LT_DECL([], [deplibs_check_method], [1], + [Method to check whether dependent libraries are shared objects]) +_LT_DECL([], [file_magic_cmd], [1], + [Command to use when deplibs_check_method = "file_magic"]) +_LT_DECL([], [file_magic_glob], [1], + [How to find potential files when deplibs_check_method = "file_magic"]) +_LT_DECL([], [want_nocaseglob], [1], + [Find potential files using nocaseglob when deplibs_check_method = "file_magic"]) +])# _LT_CHECK_MAGIC_METHOD + + +# LT_PATH_NM +# ---------- +# find the pathname to a BSD- or MS-compatible name lister +AC_DEFUN([LT_PATH_NM], +[AC_REQUIRE([AC_PROG_CC])dnl +AC_CACHE_CHECK([for BSD- or MS-compatible name lister (nm)], lt_cv_path_NM, +[if test -n "$NM"; then + # Let the user override the test. + lt_cv_path_NM="$NM" +else + lt_nm_to_check="${ac_tool_prefix}nm" + if test -n "$ac_tool_prefix" && test "$build" = "$host"; then + lt_nm_to_check="$lt_nm_to_check nm" + fi + for lt_tmp_nm in $lt_nm_to_check; do + lt_save_ifs="$IFS"; IFS=$PATH_SEPARATOR + for ac_dir in $PATH /usr/ccs/bin/elf /usr/ccs/bin /usr/ucb /bin; do + IFS="$lt_save_ifs" + test -z "$ac_dir" && ac_dir=. + tmp_nm="$ac_dir/$lt_tmp_nm" + if test -f "$tmp_nm" || test -f "$tmp_nm$ac_exeext" ; then + # Check to see if the nm accepts a BSD-compat flag. + # Adding the `sed 1q' prevents false positives on HP-UX, which says: + # nm: unknown option "B" ignored + # Tru64's nm complains that /dev/null is an invalid object file + case `"$tmp_nm" -B /dev/null 2>&1 | sed '1q'` in + */dev/null* | *'Invalid file or object type'*) + lt_cv_path_NM="$tmp_nm -B" + break + ;; + *) + case `"$tmp_nm" -p /dev/null 2>&1 | sed '1q'` in + */dev/null*) + lt_cv_path_NM="$tmp_nm -p" + break + ;; + *) + lt_cv_path_NM=${lt_cv_path_NM="$tmp_nm"} # keep the first match, but + continue # so that we can try to find one that supports BSD flags + ;; + esac + ;; + esac + fi + done + IFS="$lt_save_ifs" + done + : ${lt_cv_path_NM=no} +fi]) +if test "$lt_cv_path_NM" != "no"; then + NM="$lt_cv_path_NM" +else + # Didn't find any BSD compatible name lister, look for dumpbin. + if test -n "$DUMPBIN"; then : + # Let the user override the test. + else + AC_CHECK_TOOLS(DUMPBIN, [dumpbin "link -dump"], :) + case `$DUMPBIN -symbols /dev/null 2>&1 | sed '1q'` in + *COFF*) + DUMPBIN="$DUMPBIN -symbols" + ;; + *) + DUMPBIN=: + ;; + esac + fi + AC_SUBST([DUMPBIN]) + if test "$DUMPBIN" != ":"; then + NM="$DUMPBIN" + fi +fi +test -z "$NM" && NM=nm +AC_SUBST([NM]) +_LT_DECL([], [NM], [1], [A BSD- or MS-compatible name lister])dnl + +AC_CACHE_CHECK([the name lister ($NM) interface], [lt_cv_nm_interface], + [lt_cv_nm_interface="BSD nm" + echo "int some_variable = 0;" > conftest.$ac_ext + (eval echo "\"\$as_me:$LINENO: $ac_compile\"" >&AS_MESSAGE_LOG_FD) + (eval "$ac_compile" 2>conftest.err) + cat conftest.err >&AS_MESSAGE_LOG_FD + (eval echo "\"\$as_me:$LINENO: $NM \\\"conftest.$ac_objext\\\"\"" >&AS_MESSAGE_LOG_FD) + (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) + cat conftest.err >&AS_MESSAGE_LOG_FD + (eval echo "\"\$as_me:$LINENO: output\"" >&AS_MESSAGE_LOG_FD) + cat conftest.out >&AS_MESSAGE_LOG_FD + if $GREP 'External.*some_variable' conftest.out > /dev/null; then + lt_cv_nm_interface="MS dumpbin" + fi + rm -f conftest*]) +])# LT_PATH_NM + +# Old names: +AU_ALIAS([AM_PROG_NM], [LT_PATH_NM]) +AU_ALIAS([AC_PROG_NM], [LT_PATH_NM]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_PROG_NM], []) +dnl AC_DEFUN([AC_PROG_NM], []) + +# _LT_CHECK_SHAREDLIB_FROM_LINKLIB +# -------------------------------- +# how to determine the name of the shared library +# associated with a specific link library. +# -- PORTME fill in with the dynamic library characteristics +m4_defun([_LT_CHECK_SHAREDLIB_FROM_LINKLIB], +[m4_require([_LT_DECL_EGREP]) +m4_require([_LT_DECL_OBJDUMP]) +m4_require([_LT_DECL_DLLTOOL]) +AC_CACHE_CHECK([how to associate runtime and link libraries], +lt_cv_sharedlib_from_linklib_cmd, +[lt_cv_sharedlib_from_linklib_cmd='unknown' + +case $host_os in +cygwin* | mingw* | pw32* | cegcc*) + # two different shell functions defined in ltmain.sh + # decide which to use based on capabilities of $DLLTOOL + case `$DLLTOOL --help 2>&1` in + *--identify-strict*) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib + ;; + *) + lt_cv_sharedlib_from_linklib_cmd=func_cygming_dll_for_implib_fallback + ;; + esac + ;; +*) + # fallback: assume linklib IS sharedlib + lt_cv_sharedlib_from_linklib_cmd="$ECHO" + ;; +esac +]) +sharedlib_from_linklib_cmd=$lt_cv_sharedlib_from_linklib_cmd +test -z "$sharedlib_from_linklib_cmd" && sharedlib_from_linklib_cmd=$ECHO + +_LT_DECL([], [sharedlib_from_linklib_cmd], [1], + [Command to associate shared and link libraries]) +])# _LT_CHECK_SHAREDLIB_FROM_LINKLIB + + +# _LT_PATH_MANIFEST_TOOL +# ---------------------- +# locate the manifest tool +m4_defun([_LT_PATH_MANIFEST_TOOL], +[AC_CHECK_TOOL(MANIFEST_TOOL, mt, :) +test -z "$MANIFEST_TOOL" && MANIFEST_TOOL=mt +AC_CACHE_CHECK([if $MANIFEST_TOOL is a manifest tool], [lt_cv_path_mainfest_tool], + [lt_cv_path_mainfest_tool=no + echo "$as_me:$LINENO: $MANIFEST_TOOL '-?'" >&AS_MESSAGE_LOG_FD + $MANIFEST_TOOL '-?' 2>conftest.err > conftest.out + cat conftest.err >&AS_MESSAGE_LOG_FD + if $GREP 'Manifest Tool' conftest.out > /dev/null; then + lt_cv_path_mainfest_tool=yes + fi + rm -f conftest*]) +if test "x$lt_cv_path_mainfest_tool" != xyes; then + MANIFEST_TOOL=: +fi +_LT_DECL([], [MANIFEST_TOOL], [1], [Manifest tool])dnl +])# _LT_PATH_MANIFEST_TOOL + + +# LT_LIB_M +# -------- +# check for math library +AC_DEFUN([LT_LIB_M], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +LIBM= +case $host in +*-*-beos* | *-*-cegcc* | *-*-cygwin* | *-*-haiku* | *-*-pw32* | *-*-darwin*) + # These system don't have libm, or don't need it + ;; +*-ncr-sysv4.3*) + AC_CHECK_LIB(mw, _mwvalidcheckl, LIBM="-lmw") + AC_CHECK_LIB(m, cos, LIBM="$LIBM -lm") + ;; +*) + AC_CHECK_LIB(m, cos, LIBM="-lm") + ;; +esac +AC_SUBST([LIBM]) +])# LT_LIB_M + +# Old name: +AU_ALIAS([AC_CHECK_LIBM], [LT_LIB_M]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_CHECK_LIBM], []) + + +# _LT_COMPILER_NO_RTTI([TAGNAME]) +# ------------------------------- +m4_defun([_LT_COMPILER_NO_RTTI], +[m4_require([_LT_TAG_COMPILER])dnl + +_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + +if test "$GCC" = yes; then + case $cc_basename in + nvcc*) + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -Xcompiler -fno-builtin' ;; + *) + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' ;; + esac + + _LT_COMPILER_OPTION([if $compiler supports -fno-rtti -fno-exceptions], + lt_cv_prog_compiler_rtti_exceptions, + [-fno-rtti -fno-exceptions], [], + [_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)="$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1) -fno-rtti -fno-exceptions"]) +fi +_LT_TAGDECL([no_builtin_flag], [lt_prog_compiler_no_builtin_flag], [1], + [Compiler flag to turn off builtin functions]) +])# _LT_COMPILER_NO_RTTI + + +# _LT_CMD_GLOBAL_SYMBOLS +# ---------------------- +m4_defun([_LT_CMD_GLOBAL_SYMBOLS], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_PROG_CC])dnl +AC_REQUIRE([AC_PROG_AWK])dnl +AC_REQUIRE([LT_PATH_NM])dnl +AC_REQUIRE([LT_PATH_LD])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_TAG_COMPILER])dnl + +# Check for command to grab the raw symbol name followed by C symbol from nm. +AC_MSG_CHECKING([command to parse $NM output from $compiler object]) +AC_CACHE_VAL([lt_cv_sys_global_symbol_pipe], +[ +# These are sane defaults that work on at least a few old systems. +# [They come from Ultrix. What could be older than Ultrix?!! ;)] + +# Character class describing NM global symbol codes. +symcode='[[BCDEGRST]]' + +# Regexp to match symbols that can be accessed directly from C. +sympat='\([[_A-Za-z]][[_A-Za-z0-9]]*\)' + +# Define system-specific variables. +case $host_os in +aix*) + symcode='[[BCDT]]' + ;; +cygwin* | mingw* | pw32* | cegcc*) + symcode='[[ABCDGISTW]]' + ;; +hpux*) + if test "$host_cpu" = ia64; then + symcode='[[ABCDEGRST]]' + fi + ;; +irix* | nonstopux*) + symcode='[[BCDEGRST]]' + ;; +osf*) + symcode='[[BCDEGQRST]]' + ;; +solaris*) + symcode='[[BDRT]]' + ;; +sco3.2v5*) + symcode='[[DT]]' + ;; +sysv4.2uw2*) + symcode='[[DT]]' + ;; +sysv5* | sco5v6* | unixware* | OpenUNIX*) + symcode='[[ABDT]]' + ;; +sysv4) + symcode='[[DFNSTU]]' + ;; +esac + +# If we're using GNU nm, then use its standard symbol codes. +case `$NM -V 2>&1` in +*GNU* | *'with BFD'*) + symcode='[[ABCDGIRSTW]]' ;; +esac + +# Transform an extracted symbol line into a proper C declaration. +# Some systems (esp. on ia64) link data and code symbols differently, +# so use this general approach. +lt_cv_sys_global_symbol_to_cdecl="sed -n -e 's/^T .* \(.*\)$/extern int \1();/p' -e 's/^$symcode* .* \(.*\)$/extern char \1;/p'" + +# Transform an extracted symbol line into symbol name and symbol address +lt_cv_sys_global_symbol_to_c_name_address="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p'" +lt_cv_sys_global_symbol_to_c_name_address_lib_prefix="sed -n -e 's/^: \([[^ ]]*\)[[ ]]*$/ {\\\"\1\\\", (void *) 0},/p' -e 's/^$symcode* \([[^ ]]*\) \(lib[[^ ]]*\)$/ {\"\2\", (void *) \&\2},/p' -e 's/^$symcode* \([[^ ]]*\) \([[^ ]]*\)$/ {\"lib\2\", (void *) \&\2},/p'" + +# Handle CRLF in mingw tool chain +opt_cr= +case $build_os in +mingw*) + opt_cr=`$ECHO 'x\{0,1\}' | tr x '\015'` # option cr in regexp + ;; +esac + +# Try without a prefix underscore, then with it. +for ac_symprfx in "" "_"; do + + # Transform symcode, sympat, and symprfx into a raw symbol and a C symbol. + symxfrm="\\1 $ac_symprfx\\2 \\2" + + # Write the raw and C identifiers. + if test "$lt_cv_nm_interface" = "MS dumpbin"; then + # Fake it for dumpbin and say T for any non-static function + # and D for any global variable. + # Also find C++ and __fastcall symbols from MSVC++, + # which start with @ or ?. + lt_cv_sys_global_symbol_pipe="$AWK ['"\ +" {last_section=section; section=\$ 3};"\ +" /^COFF SYMBOL TABLE/{for(i in hide) delete hide[i]};"\ +" /Section length .*#relocs.*(pick any)/{hide[last_section]=1};"\ +" \$ 0!~/External *\|/{next};"\ +" / 0+ UNDEF /{next}; / UNDEF \([^|]\)*()/{next};"\ +" {if(hide[section]) next};"\ +" {f=0}; \$ 0~/\(\).*\|/{f=1}; {printf f ? \"T \" : \"D \"};"\ +" {split(\$ 0, a, /\||\r/); split(a[2], s)};"\ +" s[1]~/^[@?]/{print s[1], s[1]; next};"\ +" s[1]~prfx {split(s[1],t,\"@\"); print t[1], substr(t[1],length(prfx))}"\ +" ' prfx=^$ac_symprfx]" + else + lt_cv_sys_global_symbol_pipe="sed -n -e 's/^.*[[ ]]\($symcode$symcode*\)[[ ]][[ ]]*$ac_symprfx$sympat$opt_cr$/$symxfrm/p'" + fi + lt_cv_sys_global_symbol_pipe="$lt_cv_sys_global_symbol_pipe | sed '/ __gnu_lto/d'" + + # Check to see that the pipe works correctly. + pipe_works=no + + rm -f conftest* + cat > conftest.$ac_ext <<_LT_EOF +#ifdef __cplusplus +extern "C" { +#endif +char nm_test_var; +void nm_test_func(void); +void nm_test_func(void){} +#ifdef __cplusplus +} +#endif +int main(){nm_test_var='a';nm_test_func();return(0);} +_LT_EOF + + if AC_TRY_EVAL(ac_compile); then + # Now try to grab the symbols. + nlist=conftest.nm + if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + # Try sorting and uniquifying the output. + if sort "$nlist" | uniq > "$nlist"T; then + mv -f "$nlist"T "$nlist" + else + rm -f "$nlist"T + fi + + # Make sure that we snagged all the symbols we need. + if $GREP ' nm_test_var$' "$nlist" >/dev/null; then + if $GREP ' nm_test_func$' "$nlist" >/dev/null; then + cat <<_LT_EOF > conftest.$ac_ext +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ +#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) +/* DATA imports from DLLs on WIN32 con't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT@&t@_DLSYM_CONST +#elif defined(__osf__) +/* This system does not cope well with relocations in const data. */ +# define LT@&t@_DLSYM_CONST +#else +# define LT@&t@_DLSYM_CONST const +#endif + +#ifdef __cplusplus +extern "C" { +#endif + +_LT_EOF + # Now generate the symbol file. + eval "$lt_cv_sys_global_symbol_to_cdecl"' < "$nlist" | $GREP -v main >> conftest.$ac_ext' + + cat <<_LT_EOF >> conftest.$ac_ext + +/* The mapping between symbol names and symbols. */ +LT@&t@_DLSYM_CONST struct { + const char *name; + void *address; +} +lt__PROGRAM__LTX_preloaded_symbols[[]] = +{ + { "@PROGRAM@", (void *) 0 }, +_LT_EOF + $SED "s/^$symcode$symcode* \(.*\) \(.*\)$/ {\"\2\", (void *) \&\2},/" < "$nlist" | $GREP -v main >> conftest.$ac_ext + cat <<\_LT_EOF >> conftest.$ac_ext + {0, (void *) 0} +}; + +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt__PROGRAM__LTX_preloaded_symbols; +} +#endif + +#ifdef __cplusplus +} +#endif +_LT_EOF + # Now try linking the two files. + mv conftest.$ac_objext conftstm.$ac_objext + lt_globsym_save_LIBS=$LIBS + lt_globsym_save_CFLAGS=$CFLAGS + LIBS="conftstm.$ac_objext" + CFLAGS="$CFLAGS$_LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)" + if AC_TRY_EVAL(ac_link) && test -s conftest${ac_exeext}; then + pipe_works=yes + fi + LIBS=$lt_globsym_save_LIBS + CFLAGS=$lt_globsym_save_CFLAGS + else + echo "cannot find nm_test_func in $nlist" >&AS_MESSAGE_LOG_FD + fi + else + echo "cannot find nm_test_var in $nlist" >&AS_MESSAGE_LOG_FD + fi + else + echo "cannot run $lt_cv_sys_global_symbol_pipe" >&AS_MESSAGE_LOG_FD + fi + else + echo "$progname: failed program was:" >&AS_MESSAGE_LOG_FD + cat conftest.$ac_ext >&5 + fi + rm -rf conftest* conftst* + + # Do not use the global_symbol_pipe unless it works. + if test "$pipe_works" = yes; then + break + else + lt_cv_sys_global_symbol_pipe= + fi +done +]) +if test -z "$lt_cv_sys_global_symbol_pipe"; then + lt_cv_sys_global_symbol_to_cdecl= +fi +if test -z "$lt_cv_sys_global_symbol_pipe$lt_cv_sys_global_symbol_to_cdecl"; then + AC_MSG_RESULT(failed) +else + AC_MSG_RESULT(ok) +fi + +# Response file support. +if test "$lt_cv_nm_interface" = "MS dumpbin"; then + nm_file_list_spec='@' +elif $NM --help 2>/dev/null | grep '[[@]]FILE' >/dev/null; then + nm_file_list_spec='@' +fi + +_LT_DECL([global_symbol_pipe], [lt_cv_sys_global_symbol_pipe], [1], + [Take the output of nm and produce a listing of raw symbols and C names]) +_LT_DECL([global_symbol_to_cdecl], [lt_cv_sys_global_symbol_to_cdecl], [1], + [Transform the output of nm in a proper C declaration]) +_LT_DECL([global_symbol_to_c_name_address], + [lt_cv_sys_global_symbol_to_c_name_address], [1], + [Transform the output of nm in a C name address pair]) +_LT_DECL([global_symbol_to_c_name_address_lib_prefix], + [lt_cv_sys_global_symbol_to_c_name_address_lib_prefix], [1], + [Transform the output of nm in a C name address pair when lib prefix is needed]) +_LT_DECL([], [nm_file_list_spec], [1], + [Specify filename containing input files for $NM]) +]) # _LT_CMD_GLOBAL_SYMBOLS + + +# _LT_COMPILER_PIC([TAGNAME]) +# --------------------------- +m4_defun([_LT_COMPILER_PIC], +[m4_require([_LT_TAG_COMPILER])dnl +_LT_TAGVAR(lt_prog_compiler_wl, $1)= +_LT_TAGVAR(lt_prog_compiler_pic, $1)= +_LT_TAGVAR(lt_prog_compiler_static, $1)= + +m4_if([$1], [CXX], [ + # C++ specific cases for pic, static, wl, etc. + if test "$GXX" = yes; then + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + + case $host_os in + aix*) + # All AIX code is PIC. + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the `-m68020' flag to GCC prevents building anything better, + # like `-m68040'. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; + + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + mingw* | cygwin* | os2* | pw32* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; + *djgpp*) + # DJGPP does not support shared libraries at all + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + ;; + haiku*) + # PIC is the default for Haiku. + # The "-static" flag exists, but is broken. + _LT_TAGVAR(lt_prog_compiler_static, $1)= + ;; + interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic + fi + ;; + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + ;; + *qnx* | *nto*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + else + case $host_os in + aix[[4-9]]*) + # All AIX code is PIC. + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + else + _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + fi + ;; + chorus*) + case $cc_basename in + cxch68*) + # Green Hills C++ Compiler + # _LT_TAGVAR(lt_prog_compiler_static, $1)="--no_auto_instantiation -u __main -u __premain -u _abort -r $COOL_DIR/lib/libOrb.a $MVME_DIR/lib/CC/libC.a $MVME_DIR/lib/classix/libcx.s.a" + ;; + esac + ;; + mingw* | cygwin* | os2* | pw32* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; + dgux*) + case $cc_basename in + ec++*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + ;; + ghcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + *) + ;; + esac + ;; + freebsd* | dragonfly*) + # FreeBSD uses GNU C++ + ;; + hpux9* | hpux10* | hpux11*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + if test "$host_cpu" != ia64; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + fi + ;; + aCC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + ;; + esac + ;; + *) + ;; + esac + ;; + interix*) + # This is c89, which is MS Visual C++ (no shared libs) + # Anyone wants to do a port? + ;; + irix5* | irix6* | nonstopux*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + # CC pic flag -KPIC is the default. + ;; + *) + ;; + esac + ;; + linux* | k*bsd*-gnu | kopensolaris*-gnu) + case $cc_basename in + KCC*) + # KAI C++ Compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + ecpc* ) + # old Intel C++ for x86_64 which still supported -KPIC. + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + icpc* ) + # Intel C++, used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + pgCC* | pgcpp*) + # Portland Group C++ compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + cxx*) + # Compaq C++ + # Make sure the PIC flag is empty. It appears that all Alpha + # Linux and Compaq Tru64 Unix objects are PIC. + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + xlc* | xlC* | bgxl[[cC]]* | mpixl[[cC]]*) + # IBM XL 8.0, 9.0 on PPC and BlueGene + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + esac + ;; + esac + ;; + lynxos*) + ;; + m88k*) + ;; + mvs*) + case $cc_basename in + cxx*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-W c,exportall' + ;; + *) + ;; + esac + ;; + netbsd* | netbsdelf*-gnu) + ;; + *qnx* | *nto*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + osf3* | osf4* | osf5*) + case $cc_basename in + KCC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='--backend -Wl,' + ;; + RCC*) + # Rational C++ 2.4.1 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + cxx*) + # Digital/Compaq C++ + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # Make sure the PIC flag is empty. It appears that all Alpha + # Linux and Compaq Tru64 Unix objects are PIC. + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + *) + ;; + esac + ;; + psos*) + ;; + solaris*) + case $cc_basename in + CC* | sunCC*) + # Sun C++ 4.2, 5.x and Centerline C++ + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + gcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + ;; + *) + ;; + esac + ;; + sunos4*) + case $cc_basename in + CC*) + # Sun C++ 4.x + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + lcc*) + # Lucid + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + ;; + *) + ;; + esac + ;; + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + case $cc_basename in + CC*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + esac + ;; + tandem*) + case $cc_basename in + NCC*) + # NonStop-UX NCC 3.20 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + ;; + *) + ;; + esac + ;; + vxworks*) + ;; + *) + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + esac + fi +], +[ + if test "$GCC" = yes; then + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + + case $host_os in + aix*) + # All AIX code is PIC. + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + m68k) + # FIXME: we need at least 68020 code to build shared libraries, but + # adding the `-m68020' flag to GCC prevents building anything better, + # like `-m68040'. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-m68020 -resident32 -malways-restore-a4' + ;; + esac + ;; + + beos* | irix5* | irix6* | nonstopux* | osf3* | osf4* | osf5*) + # PIC is the default for these OSes. + ;; + + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + # Although the cygwin gcc ignores -fPIC, still need this for old-style + # (--disable-auto-import) libraries + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; + + darwin* | rhapsody*) + # PIC is the default on this platform + # Common symbols not allowed in MH_DYLIB files + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fno-common' + ;; + + haiku*) + # PIC is the default for Haiku. + # The "-static" flag exists, but is broken. + _LT_TAGVAR(lt_prog_compiler_static, $1)= + ;; + + hpux*) + # PIC is the default for 64-bit PA HP-UX, but not for 32-bit + # PA HP-UX. On IA64 HP-UX, PIC is the default but the pic flag + # sets the default TLS model and affects inlining. + case $host_cpu in + hppa*64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + ;; + + interix[[3-9]]*) + # Interix 3.x gcc -fpic/-fPIC options generate broken code. + # Instead, we relocate shared libraries at runtime. + ;; + + msdosdjgpp*) + # Just because we use GCC doesn't mean we suddenly get shared libraries + # on systems that don't support them. + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + enable_shared=no + ;; + + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)=-Kconform_pic + fi + ;; + + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + ;; + esac + + case $cc_basename in + nvcc*) # Cuda Compiler Driver 2.2 + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Xlinker ' + if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then + _LT_TAGVAR(lt_prog_compiler_pic, $1)="-Xcompiler $_LT_TAGVAR(lt_prog_compiler_pic, $1)" + fi + ;; + esac + else + # PORTME Check for flag to pass linker flags through the system compiler. + case $host_os in + aix*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + if test "$host_cpu" = ia64; then + # AIX 5 now supports IA64 processor + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + else + _LT_TAGVAR(lt_prog_compiler_static, $1)='-bnso -bI:/lib/syscalls.exp' + fi + ;; + + mingw* | cygwin* | pw32* | os2* | cegcc*) + # This hack is so that the source file can tell whether it is being + # built for inclusion in a dll (and should export symbols for example). + m4_if([$1], [GCJ], [], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)='-DDLL_EXPORT']) + ;; + + hpux9* | hpux10* | hpux11*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # PIC is the default for IA64 HP-UX and 64-bit HP-UX, but + # not for PA HP-UX. + case $host_cpu in + hppa*64*|ia64*) + # +Z the default + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='+Z' + ;; + esac + # Is there a better lt_prog_compiler_static that works with the bundled CC? + _LT_TAGVAR(lt_prog_compiler_static, $1)='${wl}-a ${wl}archive' + ;; + + irix5* | irix6* | nonstopux*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # PIC (with -KPIC) is the default. + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + + linux* | k*bsd*-gnu | kopensolaris*-gnu) + case $cc_basename in + # old Intel for x86_64 which still supported -KPIC. + ecc*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + # icc used to be incompatible with GCC. + # ICC 10 doesn't accept -KPIC any more. + icc* | ifort*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + # Lahey Fortran 8.1. + lf95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='--shared' + _LT_TAGVAR(lt_prog_compiler_static, $1)='--static' + ;; + nagfor*) + # NAG Fortran compiler + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,-Wl,,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + pgcc* | pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group compilers (*not* the Pentium gcc compiler, + # which looks to be a dead project) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + ccc*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # All Alpha code is PIC. + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + xl* | bgxl* | bgf* | mpixl*) + # IBM XL C 8.0/Fortran 10.1, 11.1 on PPC and BlueGene + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-qpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-qstaticlink' + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ Ceres\ Fortran* | *Sun*Fortran*\ [[1-7]].* | *Sun*Fortran*\ 8.[[0-3]]*) + # Sun Fortran 8.3 passes all unrecognized flags to the linker + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='' + ;; + *Sun\ F* | *Sun*Fortran*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + ;; + *Sun\ C*) + # Sun C 5.9 + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + ;; + *Intel*\ [[CF]]*Compiler*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; + *Portland\ Group*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fpic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + esac + ;; + esac + ;; + + newsos6) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + *nto* | *qnx*) + # QNX uses GNU C++, but need to define -shared option too, otherwise + # it will coredump. + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC -shared' + ;; + + osf3* | osf4* | osf5*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + # All OSF/1 code is PIC. + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + + rdos*) + _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' + ;; + + solaris*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + case $cc_basename in + f77* | f90* | f95* | sunf77* | sunf90* | sunf95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ';; + *) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,';; + esac + ;; + + sunos4*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Qoption ld ' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-PIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + sysv4 | sysv4.2uw2* | sysv4.3*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + sysv4*MP*) + if test -d /usr/nec ;then + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-Kconform_pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + fi + ;; + + sysv5* | unixware* | sco3.2v5* | sco5v6* | OpenUNIX*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + unicos*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + + uts4*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-pic' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-Bstatic' + ;; + + *) + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no + ;; + esac + fi +]) +case $host_os in + # For platforms which do not support PIC, -DPIC is meaningless: + *djgpp*) + _LT_TAGVAR(lt_prog_compiler_pic, $1)= + ;; + *) + _LT_TAGVAR(lt_prog_compiler_pic, $1)="$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])" + ;; +esac + +AC_CACHE_CHECK([for $compiler option to produce PIC], + [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)], + [_LT_TAGVAR(lt_cv_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_prog_compiler_pic, $1)]) +_LT_TAGVAR(lt_prog_compiler_pic, $1)=$_LT_TAGVAR(lt_cv_prog_compiler_pic, $1) + +# +# Check to make sure the PIC flag actually works. +# +if test -n "$_LT_TAGVAR(lt_prog_compiler_pic, $1)"; then + _LT_COMPILER_OPTION([if $compiler PIC flag $_LT_TAGVAR(lt_prog_compiler_pic, $1) works], + [_LT_TAGVAR(lt_cv_prog_compiler_pic_works, $1)], + [$_LT_TAGVAR(lt_prog_compiler_pic, $1)@&t@m4_if([$1],[],[ -DPIC],[m4_if([$1],[CXX],[ -DPIC],[])])], [], + [case $_LT_TAGVAR(lt_prog_compiler_pic, $1) in + "" | " "*) ;; + *) _LT_TAGVAR(lt_prog_compiler_pic, $1)=" $_LT_TAGVAR(lt_prog_compiler_pic, $1)" ;; + esac], + [_LT_TAGVAR(lt_prog_compiler_pic, $1)= + _LT_TAGVAR(lt_prog_compiler_can_build_shared, $1)=no]) +fi +_LT_TAGDECL([pic_flag], [lt_prog_compiler_pic], [1], + [Additional compiler flags for building library objects]) + +_LT_TAGDECL([wl], [lt_prog_compiler_wl], [1], + [How to pass a linker flag through the compiler]) +# +# Check to make sure the static flag actually works. +# +wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) eval lt_tmp_static_flag=\"$_LT_TAGVAR(lt_prog_compiler_static, $1)\" +_LT_LINKER_OPTION([if $compiler static flag $lt_tmp_static_flag works], + _LT_TAGVAR(lt_cv_prog_compiler_static_works, $1), + $lt_tmp_static_flag, + [], + [_LT_TAGVAR(lt_prog_compiler_static, $1)=]) +_LT_TAGDECL([link_static_flag], [lt_prog_compiler_static], [1], + [Compiler flag to prevent dynamic linking]) +])# _LT_COMPILER_PIC + + +# _LT_LINKER_SHLIBS([TAGNAME]) +# ---------------------------- +# See if the linker supports building shared libraries. +m4_defun([_LT_LINKER_SHLIBS], +[AC_REQUIRE([LT_PATH_LD])dnl +AC_REQUIRE([LT_PATH_NM])dnl +m4_require([_LT_PATH_MANIFEST_TOOL])dnl +m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_DECL_SED])dnl +m4_require([_LT_CMD_GLOBAL_SYMBOLS])dnl +m4_require([_LT_TAG_COMPILER])dnl +AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) +m4_if([$1], [CXX], [ + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] + case $host_os in + aix[[4-9]]*) + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to AIX nm, but means don't demangle with GNU nm + # Also, AIX nm treats weak defined symbols like other global defined + # symbols, whereas GNU nm marks them as "W". + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + else + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + fi + ;; + pw32*) + _LT_TAGVAR(export_symbols_cmds, $1)="$ltdll_cmds" + ;; + cygwin* | mingw* | cegcc*) + case $cc_basename in + cl*) + _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + ;; + *) + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] + ;; + esac + ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; + *) + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + ;; + esac +], [ + runpath_var= + _LT_TAGVAR(allow_undefined_flag, $1)= + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(archive_cmds, $1)= + _LT_TAGVAR(archive_expsym_cmds, $1)= + _LT_TAGVAR(compiler_needs_object, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + _LT_TAGVAR(export_dynamic_flag_spec, $1)= + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(hardcode_automatic, $1)=no + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(hardcode_libdir_separator, $1)= + _LT_TAGVAR(hardcode_minus_L, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported + _LT_TAGVAR(inherit_rpath, $1)=no + _LT_TAGVAR(link_all_deplibs, $1)=unknown + _LT_TAGVAR(module_cmds, $1)= + _LT_TAGVAR(module_expsym_cmds, $1)= + _LT_TAGVAR(old_archive_from_new_cmds, $1)= + _LT_TAGVAR(old_archive_from_expsyms_cmds, $1)= + _LT_TAGVAR(thread_safe_flag_spec, $1)= + _LT_TAGVAR(whole_archive_flag_spec, $1)= + # include_expsyms should be a list of space-separated symbols to be *always* + # included in the symbol list + _LT_TAGVAR(include_expsyms, $1)= + # exclude_expsyms can be an extended regexp of symbols to exclude + # it will be wrapped by ` (' and `)$', so one must not match beginning or + # end of line. Example: `a|bc|.*d.*' will exclude the symbols `a' and `bc', + # as well as any symbol that contains `d'. + _LT_TAGVAR(exclude_expsyms, $1)=['_GLOBAL_OFFSET_TABLE_|_GLOBAL__F[ID]_.*'] + # Although _GLOBAL_OFFSET_TABLE_ is a valid symbol C name, most a.out + # platforms (ab)use it in PIC code, but their linkers get confused if + # the symbol is explicitly referenced. Since portable code cannot + # rely on this symbol name, it's probably fine to never include it in + # preloaded symbol tables. + # Exclude shared library initialization/finalization symbols. +dnl Note also adjust exclude_expsyms for C++ above. + extract_expsyms_cmds= + + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + # FIXME: the MSVC++ port hasn't been tested in a loooong time + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + if test "$GCC" != yes; then + with_gnu_ld=no + fi + ;; + interix*) + # we just hope/assume this is gcc and not c89 (= MSVC++) + with_gnu_ld=yes + ;; + openbsd*) + with_gnu_ld=no + ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; + esac + + _LT_TAGVAR(ld_shlibs, $1)=yes + + # On some targets, GNU ld is compatible enough with the native linker + # that we're better off using the native interface for both. + lt_use_gnu_ld_interface=no + if test "$with_gnu_ld" = yes; then + case $host_os in + aix*) + # The AIX port of GNU ld has always aspired to compatibility + # with the native linker. However, as the warning in the GNU ld + # block says, versions before 2.19.5* couldn't really create working + # shared libraries, regardless of the interface used. + case `$LD -v 2>&1` in + *\ \(GNU\ Binutils\)\ 2.19.5*) ;; + *\ \(GNU\ Binutils\)\ 2.[[2-9]]*) ;; + *\ \(GNU\ Binutils\)\ [[3-9]]*) ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + ;; + *) + lt_use_gnu_ld_interface=yes + ;; + esac + fi + + if test "$lt_use_gnu_ld_interface" = yes; then + # If archive_cmds runs LD, not CC, wlarc should be empty + wlarc='${wl}' + + # Set some defaults for GNU ld with shared library support. These + # are reset later if shared libraries are not supported. Putting them + # here allows them to be overridden if necessary. + runpath_var=LD_RUN_PATH + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + # ancient GNU ld didn't support --whole-archive et. al. + if $LD --help 2>&1 | $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + supports_anon_versioning=no + case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 + *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... + *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... + *\ 2.11.*) ;; # other 2.11 versions + *) supports_anon_versioning=yes ;; + esac + + # See if GNU ld supports shared libraries. + case $host_os in + aix[[3-9]]*) + # On AIX/PPC, the GNU linker is very broken + if test "$host_cpu" != ia64; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +*** Warning: the GNU linker, at least up to release 2.19, is reported +*** to be unable to reliably create shared libraries on AIX. +*** Therefore, libtool is disabling shared libraries support. If you +*** really care for shared libraries, you may want to install binutils +*** 2.20 or above, or modify your PATH so that a non-GNU linker is found. +*** You will then need to restart the configuration process. + +_LT_EOF + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='' + ;; + m68k) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + ;; + + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. FIXME + _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, + # as there is no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1 DATA/;s/^.*[[ ]]__nm__\([[^ ]]*\)[[ ]][[^ ]]*/\1 DATA/;/^I[[ ]]/d;/^[[AITW]][[ ]]/s/.* //'\'' | sort | uniq > $export_symbols' + _LT_TAGVAR(exclude_expsyms, $1)=['[_]+GLOBAL_OFFSET_TABLE_|[_]+GLOBAL__[FID]_.*|[_]+head_[A-Za-z0-9_]+_dll|[A-Za-z0-9_]+_dll_iname'] + + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file (1st line + # is EXPORTS), use it as is; otherwise, prepend... + _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared $output_objdir/$soname.def $libobjs $deplibs $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + haiku*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + interix[[3-9]]*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) + tmp_diet=no + if test "$host_os" = linux-dietlibc; then + case $cc_basename in + diet\ *) tmp_diet=yes;; # linux-dietlibc with static linking (!diet-dyn) + esac + fi + if $LD --help 2>&1 | $EGREP ': supported targets:.* elf' > /dev/null \ + && test "$tmp_diet" = no + then + tmp_addflag=' $pic_flag' + tmp_sharedflag='-shared' + case $cc_basename,$host_cpu in + pgcc*) # Portland Group C compiler + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + tmp_addflag=' $pic_flag' + ;; + pgf77* | pgf90* | pgf95* | pgfortran*) + # Portland Group f77 and f90 compilers + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + tmp_addflag=' $pic_flag -Mnomain' ;; + ecc*,ia64* | icc*,ia64*) # Intel C compiler on ia64 + tmp_addflag=' -i_dynamic' ;; + efc*,ia64* | ifort*,ia64*) # Intel Fortran compiler on ia64 + tmp_addflag=' -i_dynamic -nofor_main' ;; + ifc* | ifort*) # Intel Fortran compiler + tmp_addflag=' -nofor_main' ;; + lf95*) # Lahey Fortran 8.1 + _LT_TAGVAR(whole_archive_flag_spec, $1)= + tmp_sharedflag='--shared' ;; + xl[[cC]]* | bgxl[[cC]]* | mpixl[[cC]]*) # IBM XL C 8.0 on PPC (deal with xlf below) + tmp_sharedflag='-qmkshrobj' + tmp_addflag= ;; + nvcc*) # Cuda Compiler Driver 2.2 + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + ;; + esac + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) # Sun C 5.9 + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + tmp_sharedflag='-G' ;; + *Sun\ F*) # Sun Fortran 8.3 + tmp_sharedflag='-G' ;; + esac + _LT_TAGVAR(archive_cmds, $1)='$CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + + if test "x$supports_anon_versioning" = xyes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC '"$tmp_sharedflag""$tmp_addflag"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi + + case $cc_basename in + xlf* | bgf* | bgxlf* | mpixlf*) + # IBM XL Fortran 10.1 on PPC cannot create shared libs itself + _LT_TAGVAR(whole_archive_flag_spec, $1)='--whole-archive$convenience --no-whole-archive' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(archive_cmds, $1)='$LD -shared $libobjs $deplibs $linker_flags -soname $soname -o $lib' + if test "x$supports_anon_versioning" = xyes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $LD -shared $libobjs $deplibs $linker_flags -soname $soname -version-script $output_objdir/$libname.ver -o $lib' + fi + ;; + esac + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' + wlarc= + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + fi + ;; + + solaris*) + if $LD -v 2>&1 | $GREP 'BFD 2\.8' > /dev/null; then + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +*** Warning: The releases 2.8.* of the GNU linker cannot reliably +*** create shared libraries on Solaris systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.9.1 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. + +_LT_EOF + elif $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + sysv5* | sco3.2v5* | sco5v6* | unixware* | OpenUNIX*) + case `$LD -v 2>&1` in + *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.1[[0-5]].*) + _LT_TAGVAR(ld_shlibs, $1)=no + cat <<_LT_EOF 1>&2 + +*** Warning: Releases of the GNU linker prior to 2.16.91.0.3 can not +*** reliably create shared libraries on SCO systems. Therefore, libtool +*** is disabling shared libraries support. We urge you to upgrade GNU +*** binutils to release 2.16.91.0.3 or newer. Another option is to modify +*** your PATH or compiler configuration so that the native linker is +*** used, and then restart. + +_LT_EOF + ;; + *) + # For security reasons, it is highly recommended that you always + # use absolute paths for naming shared libraries, and exclude the + # DT_RUNPATH tag from executables and libraries. But doing so + # requires that you compile everything twice, which is a pain. + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + sunos4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bshareable -o $lib $libobjs $deplibs $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + + if test "$_LT_TAGVAR(ld_shlibs, $1)" = no; then + runpath_var= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)= + _LT_TAGVAR(export_dynamic_flag_spec, $1)= + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + # PORTME fill in a description of your system's linker (not GNU ld) + case $host_os in + aix3*) + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(archive_expsym_cmds, $1)='$LD -o $output_objdir/$soname $libobjs $deplibs $linker_flags -bE:$export_symbols -T512 -H512 -bM:SRE~$AR $AR_FLAGS $lib $output_objdir/$soname' + # Note: this linker hardcodes the directories in LIBPATH if there + # are no directories specified by -L. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + if test "$GCC" = yes && test -z "$lt_prog_compiler_static"; then + # Neither direct hardcoding nor static linking is supported with a + # broken collect2. + _LT_TAGVAR(hardcode_direct, $1)=unsupported + fi + ;; + + aix[[4-9]]*) + if test "$host_cpu" = ia64; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag="" + else + # If we're using GNU nm, then we don't want the "-C" option. + # -C means demangle to AIX nm, but means don't demangle with GNU nm + # Also, AIX nm treats weak defined symbols like other global + # defined symbols, whereas GNU nm marks them as "W". + if $NM -V 2>&1 | $GREP 'GNU' > /dev/null; then + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -Bpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B") || (\$ 2 == "W")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + else + _LT_TAGVAR(export_symbols_cmds, $1)='$NM -BCpg $libobjs $convenience | awk '\''{ if (((\$ 2 == "T") || (\$ 2 == "D") || (\$ 2 == "B")) && ([substr](\$ 3,1,1) != ".")) { print \$ 3 } }'\'' | sort -u > $export_symbols' + fi + aix_use_runtimelinking=no + + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # need to do runtime linking. + case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) + for ld_flag in $LDFLAGS; do + if (test $ld_flag = "-brtl" || test $ld_flag = "-Wl,-brtl"); then + aix_use_runtimelinking=yes + break + fi + done + ;; + esac + + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi + + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. + + _LT_TAGVAR(archive_cmds, $1)='' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='${wl}-f,' + + if test "$GCC" = yes; then + case $host_os in aix4.[[012]]|aix4.[[012]].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`${CC} -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + _LT_TAGVAR(hardcode_direct, $1)=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)= + fi + ;; + esac + shared_flag='-shared' + if test "$aix_use_runtimelinking" = yes; then + shared_flag="$shared_flag "'${wl}-G' + fi + _LT_TAGVAR(link_all_deplibs, $1)=no + else + # not using gcc + if test "$host_cpu" = ia64; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test "$aix_use_runtimelinking" = yes; then + shared_flag='${wl}-G' + else + shared_flag='${wl}-bM:SRE' + fi + fi + fi + + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to export. + _LT_TAGVAR(always_export_symbols, $1)=yes + if test "$aix_use_runtimelinking" = yes; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(allow_undefined_flag, $1)='-berok' + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" + else + if test "$host_cpu" = ia64; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' + _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' + if test "$with_gnu_ld" = yes; then + # We only use this code for GNU lds that support --whole-archive. + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' + else + # Exported symbols can be pulled into shared objects from archives + _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + # This is similar to how AIX traditionally builds its shared libraries. + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' + fi + fi + ;; + + amigaos*) + case $host_cpu in + powerpc) + # see comment about AmigaOS4 .so support + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='' + ;; + m68k) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/a2ixlibrary.data~$ECHO "#define NAME $libname" > $output_objdir/a2ixlibrary.data~$ECHO "#define LIBRARY_ID 1" >> $output_objdir/a2ixlibrary.data~$ECHO "#define VERSION $major" >> $output_objdir/a2ixlibrary.data~$ECHO "#define REVISION $revision" >> $output_objdir/a2ixlibrary.data~$AR $AR_FLAGS $lib $libobjs~$RANLIB $lib~(cd $output_objdir && a2ixlibrary -32)' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + ;; + + bsdi[[45]]*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)=-rdynamic + ;; + + cygwin* | mingw* | pw32* | cegcc*) + # When not using gcc, we currently assume that we are using + # Microsoft Visual C++. + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + case $cc_basename in + cl*) + # Native MSVC + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='@' + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames=' + _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + sed -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp; + else + sed -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp; + fi~ + $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ + linknames=' + # The linker will not automatically build a static lib if we build a DLL. + # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + _LT_TAGVAR(exclude_expsyms, $1)='_NULL_IMPORT_DESCRIPTOR|_IMPORT_DESCRIPTOR_.*' + _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED -e '\''/^[[BCDGRS]][[ ]]/s/.*[[ ]]\([[^ ]]*\)/\1,DATA/'\'' | $SED -e '\''/^[[AITW]][[ ]]/s/.*[[ ]]//'\'' | sort | uniq > $export_symbols' + # Don't use ranlib + _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' + _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~ + lt_tool_outputfile="@TOOL_OUTPUT@"~ + case $lt_outputfile in + *.exe|*.EXE) ;; + *) + lt_outputfile="$lt_outputfile.exe" + lt_tool_outputfile="$lt_tool_outputfile.exe" + ;; + esac~ + if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then + $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; + $RM "$lt_outputfile.manifest"; + fi' + ;; + *) + # Assume MSVC wrapper + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + _LT_TAGVAR(archive_cmds, $1)='$CC -o $lib $libobjs $compiler_flags `func_echo_all "$deplibs" | $SED '\''s/ -lc$//'\''` -link -dll~linknames=' + # The linker will automatically build a .lib file if we build a DLL. + _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + # FIXME: Should let the user specify the lib program. + _LT_TAGVAR(old_archive_cmds, $1)='lib -OUT:$oldlib$oldobjs$old_deplibs' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + ;; + esac + ;; + + darwin* | rhapsody*) + _LT_DARWIN_LINKER_FEATURES($1) + ;; + + dgux*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + # FreeBSD 2.2.[012] allows us to include c++rt0.o to get C++ constructor + # support. Future versions do this automatically, but an explicit c++rt0.o + # does not break anything, and helps significantly (at the cost of a little + # extra space). + freebsd2.2*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags /usr/lib/c++rt0.o' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + # Unfortunately, older versions of FreeBSD 2 do not have this feature. + freebsd2.*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + # FreeBSD 3 and greater uses gcc -shared to do shared libraries. + freebsd* | dragonfly*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + hpux9*) + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $libobjs $deplibs $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + else + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$LD -b +b $install_libdir -o $output_objdir/$soname $libobjs $deplibs $linker_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_direct, $1)=yes + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + ;; + + hpux10*) + if test "$GCC" = yes && test "$with_gnu_ld" = no; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags' + fi + if test "$with_gnu_ld" = no; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + fi + ;; + + hpux11*) + if test "$GCC" = yes && test "$with_gnu_ld" = no; then + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + else + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + m4_if($1, [], [ + # Older versions of the 11.00 compiler do not understand -b yet + # (HP92453-01 A.11.01.20 doesn't, HP92453-01 B.11.X.35175-35176.GP does) + _LT_LINKER_OPTION([if $CC understands -b], + _LT_TAGVAR(lt_cv_prog_compiler__b, $1), [-b], + [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags'], + [_LT_TAGVAR(archive_cmds, $1)='$LD -b +h $soname +b $install_libdir -o $lib $libobjs $deplibs $linker_flags'])], + [_LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $libobjs $deplibs $compiler_flags']) + ;; + esac + fi + if test "$with_gnu_ld" = no; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + case $host_cpu in + hppa*64*|ia64*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + *) + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + + # hardcode_minus_L: Not really in the search PATH, + # but as the default location of the library. + _LT_TAGVAR(hardcode_minus_L, $1)=yes + ;; + esac + fi + ;; + + irix5* | irix6* | nonstopux*) + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + # Try to use the -exported_symbol ld option, if it does not + # work, assume that -exports_file does not work either and + # implicitly export all symbols. + # This should be the same for all languages, so no per-tag cache variable. + AC_CACHE_CHECK([whether the $host_os linker accepts -exported_symbol], + [lt_cv_irix_exported_symbol], + [save_LDFLAGS="$LDFLAGS" + LDFLAGS="$LDFLAGS -shared ${wl}-exported_symbol ${wl}foo ${wl}-update_registry ${wl}/dev/null" + AC_LINK_IFELSE( + [AC_LANG_SOURCE( + [AC_LANG_CASE([C], [[int foo (void) { return 0; }]], + [C++], [[int foo (void) { return 0; }]], + [Fortran 77], [[ + subroutine foo + end]], + [Fortran], [[ + subroutine foo + end]])])], + [lt_cv_irix_exported_symbol=yes], + [lt_cv_irix_exported_symbol=no]) + LDFLAGS="$save_LDFLAGS"]) + if test "$lt_cv_irix_exported_symbol" = yes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations ${wl}-exports_file ${wl}$export_symbols -o $lib' + fi + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -exports_file $export_symbols -o $lib' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(inherit_rpath, $1)=yes + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + netbsd* | netbsdelf*-gnu) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out + else + _LT_TAGVAR(archive_cmds, $1)='$LD -shared -o $lib $libobjs $deplibs $linker_flags' # ELF + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + newsos6) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *nto* | *qnx*) + ;; + + openbsd*) + if test -f /usr/libexec/ld.so; then + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + if test -z "`echo __ELF__ | $CC -E - | $GREP __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags ${wl}-retain-symbols-file,$export_symbols' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + else + case $host_os in + openbsd[[01]].* | openbsd2.[[0-7]] | openbsd2.[[0-7]].*) + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + ;; + esac + fi + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + os2*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(archive_cmds, $1)='$ECHO "LIBRARY $libname INITINSTANCE" > $output_objdir/$libname.def~$ECHO "DESCRIPTION \"$libname\"" >> $output_objdir/$libname.def~echo DATA >> $output_objdir/$libname.def~echo " SINGLE NONSHARED" >> $output_objdir/$libname.def~echo EXPORTS >> $output_objdir/$libname.def~emxexp $libobjs >> $output_objdir/$libname.def~$CC -Zdll -Zcrtdll -o $lib $libobjs $deplibs $compiler_flags $output_objdir/$libname.def' + _LT_TAGVAR(old_archive_from_new_cmds, $1)='emximp -o $output_objdir/$libname.a $output_objdir/$libname.def' + ;; + + osf3*) + if test "$GCC" = yes; then + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + else + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + ;; + + osf4* | osf5*) # as osf3* with the addition of -msym flag + if test "$GCC" = yes; then + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $pic_flag $libobjs $deplibs $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + else + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $libobjs $deplibs $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done; printf "%s\\n" "-hidden">> $lib.exp~ + $CC -shared${allow_undefined_flag} ${wl}-input ${wl}$lib.exp $compiler_flags $libobjs $deplibs -soname $soname `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~$RM $lib.exp' + + # Both c and cxx compiler support -rpath directly + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)='no' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + ;; + + solaris*) + _LT_TAGVAR(no_undefined_flag, $1)=' -z defs' + if test "$GCC" = yes; then + wlarc='${wl}' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared $pic_flag ${wl}-z ${wl}text ${wl}-M ${wl}$lib.exp ${wl}-h ${wl}$soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + else + case `$CC -V 2>&1` in + *"Compilers 5.0"*) + wlarc='' + _LT_TAGVAR(archive_cmds, $1)='$LD -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $LD -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $linker_flags~$RM $lib.exp' + ;; + *) + wlarc='${wl}' + _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h $soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G${allow_undefined_flag} -M $lib.exp -h $soname -o $lib $libobjs $deplibs $compiler_flags~$RM $lib.exp' + ;; + esac + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands `-z linker_flag'. GCC discards it without `$wl', + # but is careful enough not to reorder. + # Supported since Solaris 2.6 (maybe 2.5.1?) + if test "$GCC" = yes; then + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + fi + ;; + esac + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + sunos4*) + if test "x$host_vendor" = xsequent; then + # Use $CC to link under sequent, because it throws in some extra .o + # files that make .init and .fini sections work. + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h $soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$LD -assert pure-text -Bstatic -o $lib $libobjs $deplibs $linker_flags' + fi + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + sysv4) + case $host_vendor in + sni) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=yes # is this really true??? + ;; + siemens) + ## LD is ld it makes a PLAMLIB + ## CC just makes a GrossModule. + _LT_TAGVAR(archive_cmds, $1)='$LD -G -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(reload_cmds, $1)='$CC -r -o $output$reload_objs' + _LT_TAGVAR(hardcode_direct, $1)=no + ;; + motorola) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_direct, $1)=no #Motorola manual says yes, but my tests say they lie + ;; + esac + runpath_var='LD_RUN_PATH' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + sysv4.3*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(export_dynamic_flag_spec, $1)='-Bexport' + ;; + + sysv4*MP*) + if test -d /usr/nec; then + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var=LD_RUN_PATH + hardcode_runpath_var=yes + _LT_TAGVAR(ld_shlibs, $1)=yes + fi + ;; + + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var='LD_RUN_PATH' + + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; + + sysv5* | sco3.2v5* | sco5v6*) + # Note: We can NOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' + runpath_var='LD_RUN_PATH' + + if test "$GCC" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + fi + ;; + + uts4*) + _LT_TAGVAR(archive_cmds, $1)='$LD -G -h $soname -o $lib $libobjs $deplibs $linker_flags' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + + *) + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + + if test x$host_vendor = xsni; then + case $host in + sysv4 | sysv4.2uw2* | sysv4.3* | sysv5*) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Blargedynsym' + ;; + esac + fi + fi +]) +AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) +test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no + +_LT_TAGVAR(with_gnu_ld, $1)=$with_gnu_ld + +_LT_DECL([], [libext], [0], [Old archive suffix (normally "a")])dnl +_LT_DECL([], [shrext_cmds], [1], [Shared library suffix (normally ".so")])dnl +_LT_DECL([], [extract_expsyms_cmds], [2], + [The commands to extract the exported symbol list from a shared archive]) + +# +# Do we need to explicitly link libc? +# +case "x$_LT_TAGVAR(archive_cmds_need_lc, $1)" in +x|xyes) + # Assume -lc should be added + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + + if test "$enable_shared" = yes && test "$GCC" = yes; then + case $_LT_TAGVAR(archive_cmds, $1) in + *'~'*) + # FIXME: we may have to deal with multi-command sequences. + ;; + '$CC '*) + # Test whether the compiler implicitly links with -lc since on some + # systems, -lgcc has to come before -lc. If gcc already passes -lc + # to ld, don't add -lc before -lgcc. + AC_CACHE_CHECK([whether -lc should be explicitly linked in], + [lt_cv_]_LT_TAGVAR(archive_cmds_need_lc, $1), + [$RM conftest* + echo "$lt_simple_compile_test_code" > conftest.$ac_ext + + if AC_TRY_EVAL(ac_compile) 2>conftest.err; then + soname=conftest + lib=conftest + libobjs=conftest.$ac_objext + deplibs= + wl=$_LT_TAGVAR(lt_prog_compiler_wl, $1) + pic_flag=$_LT_TAGVAR(lt_prog_compiler_pic, $1) + compiler_flags=-v + linker_flags=-v + verstring= + output_objdir=. + libname=conftest + lt_save_allow_undefined_flag=$_LT_TAGVAR(allow_undefined_flag, $1) + _LT_TAGVAR(allow_undefined_flag, $1)= + if AC_TRY_EVAL(_LT_TAGVAR(archive_cmds, $1) 2\>\&1 \| $GREP \" -lc \" \>/dev/null 2\>\&1) + then + lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=no + else + lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1)=yes + fi + _LT_TAGVAR(allow_undefined_flag, $1)=$lt_save_allow_undefined_flag + else + cat conftest.err 1>&5 + fi + $RM conftest* + ]) + _LT_TAGVAR(archive_cmds_need_lc, $1)=$lt_cv_[]_LT_TAGVAR(archive_cmds_need_lc, $1) + ;; + esac + fi + ;; +esac + +_LT_TAGDECL([build_libtool_need_lc], [archive_cmds_need_lc], [0], + [Whether or not to add -lc for building shared libraries]) +_LT_TAGDECL([allow_libtool_libs_with_static_runtimes], + [enable_shared_with_static_runtimes], [0], + [Whether or not to disallow shared libs when runtime libs are static]) +_LT_TAGDECL([], [export_dynamic_flag_spec], [1], + [Compiler flag to allow reflexive dlopens]) +_LT_TAGDECL([], [whole_archive_flag_spec], [1], + [Compiler flag to generate shared objects directly from archives]) +_LT_TAGDECL([], [compiler_needs_object], [1], + [Whether the compiler copes with passing no objects directly]) +_LT_TAGDECL([], [old_archive_from_new_cmds], [2], + [Create an old-style archive from a shared archive]) +_LT_TAGDECL([], [old_archive_from_expsyms_cmds], [2], + [Create a temporary old-style archive to link instead of a shared archive]) +_LT_TAGDECL([], [archive_cmds], [2], [Commands used to build a shared archive]) +_LT_TAGDECL([], [archive_expsym_cmds], [2]) +_LT_TAGDECL([], [module_cmds], [2], + [Commands used to build a loadable module if different from building + a shared archive.]) +_LT_TAGDECL([], [module_expsym_cmds], [2]) +_LT_TAGDECL([], [with_gnu_ld], [1], + [Whether we are building with GNU ld or not]) +_LT_TAGDECL([], [allow_undefined_flag], [1], + [Flag that allows shared libraries with undefined symbols to be built]) +_LT_TAGDECL([], [no_undefined_flag], [1], + [Flag that enforces no undefined symbols]) +_LT_TAGDECL([], [hardcode_libdir_flag_spec], [1], + [Flag to hardcode $libdir into a binary during linking. + This must work even if $libdir does not exist]) +_LT_TAGDECL([], [hardcode_libdir_separator], [1], + [Whether we need a single "-rpath" flag with a separated argument]) +_LT_TAGDECL([], [hardcode_direct], [0], + [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes + DIR into the resulting binary]) +_LT_TAGDECL([], [hardcode_direct_absolute], [0], + [Set to "yes" if using DIR/libNAME${shared_ext} during linking hardcodes + DIR into the resulting binary and the resulting library dependency is + "absolute", i.e impossible to change by setting ${shlibpath_var} if the + library is relocated]) +_LT_TAGDECL([], [hardcode_minus_L], [0], + [Set to "yes" if using the -LDIR flag during linking hardcodes DIR + into the resulting binary]) +_LT_TAGDECL([], [hardcode_shlibpath_var], [0], + [Set to "yes" if using SHLIBPATH_VAR=DIR during linking hardcodes DIR + into the resulting binary]) +_LT_TAGDECL([], [hardcode_automatic], [0], + [Set to "yes" if building a shared library automatically hardcodes DIR + into the library and all subsequent libraries and executables linked + against it]) +_LT_TAGDECL([], [inherit_rpath], [0], + [Set to yes if linker adds runtime paths of dependent libraries + to runtime path list]) +_LT_TAGDECL([], [link_all_deplibs], [0], + [Whether libtool must link a program against all its dependency libraries]) +_LT_TAGDECL([], [always_export_symbols], [0], + [Set to "yes" if exported symbols are required]) +_LT_TAGDECL([], [export_symbols_cmds], [2], + [The commands to list exported symbols]) +_LT_TAGDECL([], [exclude_expsyms], [1], + [Symbols that should not be listed in the preloaded symbols]) +_LT_TAGDECL([], [include_expsyms], [1], + [Symbols that must always be exported]) +_LT_TAGDECL([], [prelink_cmds], [2], + [Commands necessary for linking programs (against libraries) with templates]) +_LT_TAGDECL([], [postlink_cmds], [2], + [Commands necessary for finishing linking programs]) +_LT_TAGDECL([], [file_list_spec], [1], + [Specify filename containing input files]) +dnl FIXME: Not yet implemented +dnl _LT_TAGDECL([], [thread_safe_flag_spec], [1], +dnl [Compiler flag to generate thread safe objects]) +])# _LT_LINKER_SHLIBS + + +# _LT_LANG_C_CONFIG([TAG]) +# ------------------------ +# Ensure that the configuration variables for a C compiler are suitably +# defined. These variables are subsequently used by _LT_CONFIG to write +# the compiler configuration to `libtool'. +m4_defun([_LT_LANG_C_CONFIG], +[m4_require([_LT_DECL_EGREP])dnl +lt_save_CC="$CC" +AC_LANG_PUSH(C) + +# Source file extension for C test sources. +ac_ext=c + +# Object file extension for compiled C test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="int some_variable = 0;" + +# Code to be used in simple link tests +lt_simple_link_test_code='int main(){return(0);}' + +_LT_TAG_COMPILER +# Save the default compiler, since it gets overwritten when the other +# tags are being tested, and _LT_TAGVAR(compiler, []) is a NOP. +compiler_DEFAULT=$CC + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + LT_SYS_DLOPEN_SELF + _LT_CMD_STRIPLIB + + # Report which library types will actually be built + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test "$can_build_shared" = "no" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + + aix[[4-9]]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_CONFIG($1) +fi +AC_LANG_POP +CC="$lt_save_CC" +])# _LT_LANG_C_CONFIG + + +# _LT_LANG_CXX_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for a C++ compiler are suitably +# defined. These variables are subsequently used by _LT_CONFIG to write +# the compiler configuration to `libtool'. +m4_defun([_LT_LANG_CXX_CONFIG], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +m4_require([_LT_DECL_EGREP])dnl +m4_require([_LT_PATH_MANIFEST_TOOL])dnl +if test -n "$CXX" && ( test "X$CXX" != "Xno" && + ( (test "X$CXX" = "Xg++" && `g++ -v >/dev/null 2>&1` ) || + (test "X$CXX" != "Xg++"))) ; then + AC_PROG_CXXCPP +else + _lt_caught_CXX_error=yes +fi + +AC_LANG_PUSH(C++) +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(compiler_needs_object, $1)=no +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_shlibpath_var, $1)=unsupported +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for C++ test sources. +ac_ext=cpp + +# Object file extension for compiled C++ test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the CXX compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test "$_lt_caught_CXX_error" != yes; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="int some_variable = 0;" + + # Code to be used in simple link tests + lt_simple_link_test_code='int main(int, char *[[]]) { return(0); }' + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC=$CC + lt_save_CFLAGS=$CFLAGS + lt_save_LD=$LD + lt_save_GCC=$GCC + GCC=$GXX + lt_save_with_gnu_ld=$with_gnu_ld + lt_save_path_LD=$lt_cv_path_LD + if test -n "${lt_cv_prog_gnu_ldcxx+set}"; then + lt_cv_prog_gnu_ld=$lt_cv_prog_gnu_ldcxx + else + $as_unset lt_cv_prog_gnu_ld + fi + if test -n "${lt_cv_path_LDCXX+set}"; then + lt_cv_path_LD=$lt_cv_path_LDCXX + else + $as_unset lt_cv_path_LD + fi + test -z "${LDCXX+set}" || LD=$LDCXX + CC=${CXX-"c++"} + CFLAGS=$CXXFLAGS + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + # We don't want -fno-exception when compiling C++ code, so set the + # no_builtin_flag separately + if test "$GXX" = yes; then + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)=' -fno-builtin' + else + _LT_TAGVAR(lt_prog_compiler_no_builtin_flag, $1)= + fi + + if test "$GXX" = yes; then + # Set up default GNU C++ configuration + + LT_PATH_LD + + # Check if GNU C++ uses GNU ld as the underlying linker, since the + # archiving commands below assume that GNU ld is being used. + if test "$with_gnu_ld" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC $pic_flag -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + + # If archive_cmds runs LD, not CC, wlarc should be empty + # XXX I think wlarc can be eliminated in ltcf-cxx, but I need to + # investigate it a little bit more. (MM) + wlarc='${wl}' + + # ancient GNU ld didn't support --whole-archive et. al. + if eval "`$CC -print-prog-name=ld` --help 2>&1" | + $GREP 'no-whole-archive' > /dev/null; then + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + else + _LT_TAGVAR(whole_archive_flag_spec, $1)= + fi + else + with_gnu_ld=no + wlarc= + + # A generic and very simple default shared library creation + # command for GNU C++ for the case where it uses the native + # linker, instead of GNU ld. If possible, this setting should + # overridden to take advantage of the native linker features on + # the platform it is being used on. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + fi + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + + else + GXX=no + with_gnu_ld=no + wlarc= + fi + + # PORTME: fill in a description of your system's C++ link characteristics + AC_MSG_CHECKING([whether the $compiler linker ($LD) supports shared libraries]) + _LT_TAGVAR(ld_shlibs, $1)=yes + case $host_os in + aix3*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aix[[4-9]]*) + if test "$host_cpu" = ia64; then + # On IA64, the linker does run time linking by default, so we don't + # have to do anything special. + aix_use_runtimelinking=no + exp_sym_flag='-Bexport' + no_entry_flag="" + else + aix_use_runtimelinking=no + + # Test if we are trying to use run time linking or normal + # AIX style linking. If -brtl is somewhere in LDFLAGS, we + # need to do runtime linking. + case $host_os in aix4.[[23]]|aix4.[[23]].*|aix[[5-9]]*) + for ld_flag in $LDFLAGS; do + case $ld_flag in + *-brtl*) + aix_use_runtimelinking=yes + break + ;; + esac + done + ;; + esac + + exp_sym_flag='-bexport' + no_entry_flag='-bnoentry' + fi + + # When large executables or shared objects are built, AIX ld can + # have problems creating the table of contents. If linking a library + # or program results in "error TOC overflow" add -mminimal-toc to + # CXXFLAGS/CFLAGS for g++/gcc. In the cases where that is not + # enough to fix the problem, add -Wl,-bbigtoc to LDFLAGS. + + _LT_TAGVAR(archive_cmds, $1)='' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='${wl}-f,' + + if test "$GXX" = yes; then + case $host_os in aix4.[[012]]|aix4.[[012]].*) + # We only want to do this on AIX 4.2 and lower, the check + # below for broken collect2 doesn't work under 4.3+ + collect2name=`${CC} -print-prog-name=collect2` + if test -f "$collect2name" && + strings "$collect2name" | $GREP resolve_lib_name >/dev/null + then + # We have reworked collect2 + : + else + # We have old collect2 + _LT_TAGVAR(hardcode_direct, $1)=unsupported + # It fails to find uninstalled libraries when the uninstalled + # path is not listed in the libpath. Setting hardcode_minus_L + # to unsupported forces relinking + _LT_TAGVAR(hardcode_minus_L, $1)=yes + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)= + fi + esac + shared_flag='-shared' + if test "$aix_use_runtimelinking" = yes; then + shared_flag="$shared_flag "'${wl}-G' + fi + else + # not using gcc + if test "$host_cpu" = ia64; then + # VisualAge C++, Version 5.5 for AIX 5L for IA-64, Beta 3 Release + # chokes on -Wl,-G. The following line is correct: + shared_flag='-G' + else + if test "$aix_use_runtimelinking" = yes; then + shared_flag='${wl}-G' + else + shared_flag='${wl}-bM:SRE' + fi + fi + fi + + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-bexpall' + # It seems that -bexpall does not export symbols beginning with + # underscore (_), so it is better to generate a list of symbols to + # export. + _LT_TAGVAR(always_export_symbols, $1)=yes + if test "$aix_use_runtimelinking" = yes; then + # Warning - without using the other runtime loading flags (-brtl), + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(allow_undefined_flag, $1)='-berok' + # Determine the default libpath from the value encoded in an empty + # executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags `if test "x${allow_undefined_flag}" != "x"; then func_echo_all "${wl}${allow_undefined_flag}"; else :; fi` '"\${wl}$exp_sym_flag:\$export_symbols $shared_flag" + else + if test "$host_cpu" = ia64; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $libdir:/usr/lib:/lib' + _LT_TAGVAR(allow_undefined_flag, $1)="-z nodefs" + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs '"\${wl}$no_entry_flag"' $compiler_flags ${wl}${allow_undefined_flag} '"\${wl}$exp_sym_flag:\$export_symbols" + else + # Determine the default libpath from the value encoded in an + # empty executable. + _LT_SYS_MODULE_PATH_AIX([$1]) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-blibpath:$libdir:'"$aix_libpath" + # Warning - without using the other run time loading flags, + # -berok will link without error, but may produce a broken library. + _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-bernotok' + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-berok' + if test "$with_gnu_ld" = yes; then + # We only use this code for GNU lds that support --whole-archive. + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' + else + # Exported symbols can be pulled into shared objects from archives + _LT_TAGVAR(whole_archive_flag_spec, $1)='$convenience' + fi + _LT_TAGVAR(archive_cmds_need_lc, $1)=yes + # This is similar to how AIX traditionally builds its shared + # libraries. + _LT_TAGVAR(archive_expsym_cmds, $1)="\$CC $shared_flag"' -o $output_objdir/$soname $libobjs $deplibs ${wl}-bnoentry $compiler_flags ${wl}-bE:$export_symbols${allow_undefined_flag}~$AR $AR_FLAGS $output_objdir/$libname$release.a $output_objdir/$soname' + fi + fi + ;; + + beos*) + if $LD --help 2>&1 | $GREP ': supported targets:.* elf' > /dev/null; then + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + # Joseph Beckenbach says some releases of gcc + # support --undefined. This deserves some investigation. FIXME + _LT_TAGVAR(archive_cmds, $1)='$CC -nostart $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + chorus*) + case $cc_basename in + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + cygwin* | mingw* | pw32* | cegcc*) + case $GXX,$cc_basename in + ,cl* | no,cl*) + # Native MSVC + # hardcode_libdir_flag_spec is actually meaningless, as there is + # no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)=' ' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=yes + _LT_TAGVAR(file_list_spec, $1)='@' + # Tell ltmain to make .lib files, not .a files. + libext=lib + # Tell ltmain to make .dll files, not .so files. + shrext_cmds=".dll" + # FIXME: Setting linknames here is a bad hack. + _LT_TAGVAR(archive_cmds, $1)='$CC -o $output_objdir/$soname $libobjs $compiler_flags $deplibs -Wl,-dll~linknames=' + _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + $SED -n -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' -e '1\\\!p' < $export_symbols > $output_objdir/$soname.exp; + else + $SED -e 's/\\\\\\\(.*\\\\\\\)/-link\\\ -EXPORT:\\\\\\\1/' < $export_symbols > $output_objdir/$soname.exp; + fi~ + $CC -o $tool_output_objdir$soname $libobjs $compiler_flags $deplibs "@$tool_output_objdir$soname.exp" -Wl,-DLL,-IMPLIB:"$tool_output_objdir$libname.dll.lib"~ + linknames=' + # The linker will not automatically build a static lib if we build a DLL. + # _LT_TAGVAR(old_archive_from_new_cmds, $1)='true' + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + # Don't use ranlib + _LT_TAGVAR(old_postinstall_cmds, $1)='chmod 644 $oldlib' + _LT_TAGVAR(postlink_cmds, $1)='lt_outputfile="@OUTPUT@"~ + lt_tool_outputfile="@TOOL_OUTPUT@"~ + case $lt_outputfile in + *.exe|*.EXE) ;; + *) + lt_outputfile="$lt_outputfile.exe" + lt_tool_outputfile="$lt_tool_outputfile.exe" + ;; + esac~ + func_to_tool_file "$lt_outputfile"~ + if test "$MANIFEST_TOOL" != ":" && test -f "$lt_outputfile.manifest"; then + $MANIFEST_TOOL -manifest "$lt_tool_outputfile.manifest" -outputresource:"$lt_tool_outputfile" || exit 1; + $RM "$lt_outputfile.manifest"; + fi' + ;; + *) + # g++ + # _LT_TAGVAR(hardcode_libdir_flag_spec, $1) is actually meaningless, + # as there is no search path for DLLs. + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-L$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-all-symbols' + _LT_TAGVAR(allow_undefined_flag, $1)=unsupported + _LT_TAGVAR(always_export_symbols, $1)=no + _LT_TAGVAR(enable_shared_with_static_runtimes, $1)=yes + + if $LD --help 2>&1 | $GREP 'auto-import' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + # If the export-symbols file already is a .def file (1st line + # is EXPORTS), use it as is; otherwise, prepend... + _LT_TAGVAR(archive_expsym_cmds, $1)='if test "x`$SED 1q $export_symbols`" = xEXPORTS; then + cp $export_symbols $output_objdir/$soname.def; + else + echo EXPORTS > $output_objdir/$soname.def; + cat $export_symbols >> $output_objdir/$soname.def; + fi~ + $CC -shared -nostdlib $output_objdir/$soname.def $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $output_objdir/$soname ${wl}--enable-auto-image-base -Xlinker --out-implib -Xlinker $lib' + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + darwin* | rhapsody*) + _LT_DARWIN_LINKER_FEATURES($1) + ;; + + dgux*) + case $cc_basename in + ec++*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + ghcx*) + # Green Hills C++ Compiler + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + freebsd2.*) + # C++ shared libraries reported to be fairly broken before + # switch to ELF + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + freebsd-elf*) + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + ;; + + freebsd* | dragonfly*) + # FreeBSD 3 and later use GNU C++ and GNU ld with standard ELF + # conventions + _LT_TAGVAR(ld_shlibs, $1)=yes + ;; + + gnu*) + ;; + + haiku*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + + hpux9*) + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, + # but as the default + # location of the library. + + case $cc_basename in + CC*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aCC*) + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -b ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + ;; + *) + if test "$GXX" = yes; then + _LT_TAGVAR(archive_cmds, $1)='$RM $output_objdir/$soname~$CC -shared -nostdlib $pic_flag ${wl}+b ${wl}$install_libdir -o $output_objdir/$soname $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~test $output_objdir/$soname = $lib || mv $output_objdir/$soname $lib' + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + hpux10*|hpux11*) + if test $with_gnu_ld = no; then + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}+b ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + case $host_cpu in + hppa*64*|ia64*) + ;; + *) + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + ;; + esac + fi + case $host_cpu in + hppa*64*|ia64*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + ;; + *) + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(hardcode_minus_L, $1)=yes # Not in the search PATH, + # but as the default + # location of the library. + ;; + esac + + case $cc_basename in + CC*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + aCC*) + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -b ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + esac + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + ;; + *) + if test "$GXX" = yes; then + if test $with_gnu_ld = no; then + case $host_cpu in + hppa*64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib -fPIC ${wl}+h ${wl}$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + ia64*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+nodefaultrpath -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib $pic_flag ${wl}+h ${wl}$soname ${wl}+b ${wl}$install_libdir -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + ;; + esac + fi + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + interix[[3-9]]*) + _LT_TAGVAR(hardcode_direct, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + # Hack: On Interix 3.x, we cannot compile PIC because of a broken gcc. + # Instead, shared libraries are loaded at an image base (0x10000000 by + # default) and relocated if they conflict, which is a slow very memory + # consuming and fragmenting process. To avoid this, we pick a random, + # 256 KiB-aligned image base between 0x50000000 and 0x6FFC0000 at link + # time. Moving up from 0x10000000 also allows more sbrk(2) space. + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' + ;; + irix5* | irix6*) + case $cc_basename in + CC*) + # SGI C++ + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -all -multigot $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + + # Archives containing C++ object files must be created using + # "CC -ar", where "CC" is the IRIX C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -ar -WR,-u -o $oldlib $oldobjs' + ;; + *) + if test "$GXX" = yes; then + if test "$with_gnu_ld" = no; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + else + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` -o $lib' + fi + fi + _LT_TAGVAR(link_all_deplibs, $1)=yes + ;; + esac + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + _LT_TAGVAR(inherit_rpath, $1)=yes + ;; + + linux* | k*bsd*-gnu | kopensolaris*-gnu) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler + + # KCC will only create a shared library if the output file + # ends with ".so" (or ".sl" for HP-UX), so rename the library + # to its proper name (with version) after linking. + _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo $lib | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib ${wl}-retain-symbols-file,$export_symbols; mv \$templib $lib' + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 | $GREP "ld"`; rm -f libconftest$shared_ext; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + + # Archives containing C++ object files must be created using + # "CC -Bstatic", where "CC" is the KAI C++ compiler. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' + ;; + icpc* | ecpc* ) + # Intel C++ + with_gnu_ld=yes + # version 8.0 and above of icpc choke on multiply defined symbols + # if we add $predep_objects and $postdep_objects, however 7.1 and + # earlier do not add the objects themselves. + case `$CC -V 2>&1` in + *"Version 7."*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + ;; + *) # Version 8.0 or newer + tmp_idyn= + case $host_cpu in + ia64*) tmp_idyn=' -i_dynamic';; + esac + _LT_TAGVAR(archive_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared'"$tmp_idyn"' $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-retain-symbols-file $wl$export_symbols -o $lib' + ;; + esac + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive$convenience ${wl}--no-whole-archive' + ;; + pgCC* | pgcpp*) + # Portland Group C++ compiler + case `$CC -V` in + *pgCC\ [[1-5]].* | *pgcpp\ [[1-5]].*) + _LT_TAGVAR(prelink_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $objs $libobjs $compile_deplibs~ + compile_command="$compile_command `find $tpldir -name \*.o | sort | $NL2SP`"' + _LT_TAGVAR(old_archive_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $oldobjs$old_deplibs~ + $AR $AR_FLAGS $oldlib$oldobjs$old_deplibs `find $tpldir -name \*.o | sort | $NL2SP`~ + $RANLIB $oldlib' + _LT_TAGVAR(archive_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ + $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='tpldir=Template.dir~ + rm -rf $tpldir~ + $CC --prelink_objects --instantiation_dir $tpldir $predep_objects $libobjs $deplibs $convenience $postdep_objects~ + $CC -shared $pic_flag $predep_objects $libobjs $deplibs `find $tpldir -name \*.o | sort | $NL2SP` $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' + ;; + *) # Version 6 and above use weak symbols + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname ${wl}-retain-symbols-file ${wl}$export_symbols -o $lib' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}--rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`for conv in $convenience\"\"; do test -n \"$conv\" && new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + ;; + cxx*) + # Compaq C++ + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $wl$soname -o $lib ${wl}-retain-symbols-file $wl$export_symbols' + + runpath_var=LD_RUN_PATH + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld .*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "X$list" | $Xsed' + ;; + xl* | mpixl* | bgxl*) + # IBM XL 8.0 on PPC, with GNU ld + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}--export-dynamic' + _LT_TAGVAR(archive_cmds, $1)='$CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname -o $lib' + if test "x$supports_anon_versioning" = xyes; then + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $output_objdir/$libname.ver~ + cat $export_symbols | sed -e "s/\(.*\)/\1;/" >> $output_objdir/$libname.ver~ + echo "local: *; };" >> $output_objdir/$libname.ver~ + $CC -qmkshrobj $libobjs $deplibs $compiler_flags ${wl}-soname $wl$soname ${wl}-version-script ${wl}$output_objdir/$libname.ver -o $lib' + fi + ;; + *) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' + _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file ${wl}$export_symbols' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}--whole-archive`new_convenience=; for conv in $convenience\"\"; do test -z \"$conv\" || new_convenience=\"$new_convenience,$conv\"; done; func_echo_all \"$new_convenience\"` ${wl}--no-whole-archive' + _LT_TAGVAR(compiler_needs_object, $1)=yes + + # Not sure whether something based on + # $CC $CFLAGS -v conftest.$objext -o libconftest$shared_ext 2>&1 + # would be better. + output_verbose_link_cmd='func_echo_all' + + # Archives containing C++ object files must be created using + # "CC -xar", where "CC" is the Sun C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' + ;; + esac + ;; + esac + ;; + + lynxos*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + m88k*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + mvs*) + case $cc_basename in + cxx*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + netbsd*) + if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $predep_objects $libobjs $deplibs $postdep_objects $linker_flags' + wlarc= + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + fi + # Workaround some broken pre-1.5 toolchains + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP conftest.$objext | $SED -e "s:-lgcc -lc -lgcc::"' + ;; + + *nto* | *qnx*) + _LT_TAGVAR(ld_shlibs, $1)=yes + ;; + + openbsd2*) + # C++ shared libraries are fairly broken + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + openbsd*) + if test -f /usr/libexec/ld.so; then + _LT_TAGVAR(hardcode_direct, $1)=yes + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_direct_absolute, $1)=yes + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + if test -z "`echo __ELF__ | $CC -E - | grep __ELF__`" || test "$host_os-$host_cpu" = "openbsd2.8-powerpc"; then + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared $pic_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-retain-symbols-file,$export_symbols -o $lib' + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-E' + _LT_TAGVAR(whole_archive_flag_spec, $1)="$wlarc"'--whole-archive$convenience '"$wlarc"'--no-whole-archive' + fi + output_verbose_link_cmd=func_echo_all + else + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + + osf3* | osf4* | osf5*) + case $cc_basename in + KCC*) + # Kuck and Associates, Inc. (KAI) C++ Compiler + + # KCC will only create a shared library if the output file + # ends with ".so" (or ".sl" for HP-UX), so rename the library + # to its proper name (with version) after linking. + _LT_TAGVAR(archive_cmds, $1)='tempext=`echo $shared_ext | $SED -e '\''s/\([[^()0-9A-Za-z{}]]\)/\\\\\1/g'\''`; templib=`echo "$lib" | $SED -e "s/\${tempext}\..*/.so/"`; $CC $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags --soname $soname -o \$templib; mv \$templib $lib' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Archives containing C++ object files must be created using + # the KAI C++ compiler. + case $host in + osf3*) _LT_TAGVAR(old_archive_cmds, $1)='$CC -Bstatic -o $oldlib $oldobjs' ;; + *) _LT_TAGVAR(old_archive_cmds, $1)='$CC -o $oldlib $oldobjs' ;; + esac + ;; + RCC*) + # Rational C++ 2.4.1 + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + cxx*) + case $host in + osf3*) + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname $soname `test -n "$verstring" && func_echo_all "${wl}-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + ;; + *) + _LT_TAGVAR(allow_undefined_flag, $1)=' -expect_unresolved \*' + _LT_TAGVAR(archive_cmds, $1)='$CC -shared${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname `test -n "$verstring" && func_echo_all "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='for i in `cat $export_symbols`; do printf "%s %s\\n" -exported_symbol "\$i" >> $lib.exp; done~ + echo "-hidden">> $lib.exp~ + $CC -shared$allow_undefined_flag $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags -msym -soname $soname ${wl}-input ${wl}$lib.exp `test -n "$verstring" && $ECHO "-set_version $verstring"` -update_registry ${output_objdir}/so_locations -o $lib~ + $RM $lib.exp' + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-rpath $libdir' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + # + # There doesn't appear to be a way to prevent this compiler from + # explicitly linking system object files so we need to strip them + # from the output so that they don't get included in the library + # dependencies. + output_verbose_link_cmd='templist=`$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP "ld" | $GREP -v "ld:"`; templist=`func_echo_all "$templist" | $SED "s/\(^.*ld.*\)\( .*ld.*$\)/\1/"`; list=""; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + ;; + *) + if test "$GXX" = yes && test "$with_gnu_ld" = no; then + _LT_TAGVAR(allow_undefined_flag, $1)=' ${wl}-expect_unresolved ${wl}\*' + case $host in + osf3*) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib ${allow_undefined_flag} $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-msym ${wl}-soname ${wl}$soname `test -n "$verstring" && func_echo_all "${wl}-set_version ${wl}$verstring"` ${wl}-update_registry ${wl}${output_objdir}/so_locations -o $lib' + ;; + esac + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-rpath ${wl}$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=: + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + + else + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + fi + ;; + esac + ;; + + psos*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + sunos4*) + case $cc_basename in + CC*) + # Sun C++ 4.x + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + lcc*) + # Lucid + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + solaris*) + case $cc_basename in + CC* | sunCC*) + # Sun C++ 4.2, 5.x and Centerline C++ + _LT_TAGVAR(archive_cmds_need_lc,$1)=yes + _LT_TAGVAR(no_undefined_flag, $1)=' -zdefs' + _LT_TAGVAR(archive_cmds, $1)='$CC -G${allow_undefined_flag} -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G${allow_undefined_flag} ${wl}-M ${wl}$lib.exp -h$soname -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='-R$libdir' + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + # The compiler driver will combine and reorder linker options, + # but understands `-z linker_flag'. + # Supported since Solaris 2.6 (maybe 2.5.1?) + _LT_TAGVAR(whole_archive_flag_spec, $1)='-z allextract$convenience -z defaultextract' + ;; + esac + _LT_TAGVAR(link_all_deplibs, $1)=yes + + output_verbose_link_cmd='func_echo_all' + + # Archives containing C++ object files must be created using + # "CC -xar", where "CC" is the Sun C++ compiler. This is + # necessary to make sure instantiated templates are included + # in the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC -xar -o $oldlib $oldobjs' + ;; + gcx*) + # Green Hills C++ Compiler + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + + # The C++ compiler must be used to create the archive. + _LT_TAGVAR(old_archive_cmds, $1)='$CC $LDFLAGS -archive -o $oldlib $oldobjs' + ;; + *) + # GNU C++ compiler with Solaris linker + if test "$GXX" = yes && test "$with_gnu_ld" = no; then + _LT_TAGVAR(no_undefined_flag, $1)=' ${wl}-z ${wl}defs' + if $CC --version | $GREP -v '^2\.7' > /dev/null; then + _LT_TAGVAR(archive_cmds, $1)='$CC -shared $pic_flag -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -shared $pic_flag -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + else + # g++ 2.7 appears to require `-G' NOT `-shared' on this + # platform. + _LT_TAGVAR(archive_cmds, $1)='$CC -G -nostdlib $LDFLAGS $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags ${wl}-h $wl$soname -o $lib' + _LT_TAGVAR(archive_expsym_cmds, $1)='echo "{ global:" > $lib.exp~cat $export_symbols | $SED -e "s/\(.*\)/\1;/" >> $lib.exp~echo "local: *; };" >> $lib.exp~ + $CC -G -nostdlib ${wl}-M $wl$lib.exp -o $lib $predep_objects $libobjs $deplibs $postdep_objects $compiler_flags~$RM $lib.exp' + + # Commands to make compiler produce verbose output that lists + # what "hidden" libraries, object files and flags are used when + # linking a shared library. + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + fi + + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R $wl$libdir' + case $host_os in + solaris2.[[0-5]] | solaris2.[[0-5]].*) ;; + *) + _LT_TAGVAR(whole_archive_flag_spec, $1)='${wl}-z ${wl}allextract$convenience ${wl}-z ${wl}defaultextract' + ;; + esac + fi + ;; + esac + ;; + + sysv4*uw2* | sysv5OpenUNIX* | sysv5UnixWare7.[[01]].[[10]]* | unixware7* | sco3.2v5.0.[[024]]*) + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + runpath_var='LD_RUN_PATH' + + case $cc_basename in + CC*) + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + sysv5* | sco3.2v5* | sco5v6*) + # Note: We can NOT use -z defs as we might desire, because we do not + # link with -lc, and that would cause any symbols used from libc to + # always be unresolved, which means just about no library would + # ever link correctly. If we're not using GNU ld we use -z text + # though, which does catch some bad symbols but isn't as heavy-handed + # as -z defs. + _LT_TAGVAR(no_undefined_flag, $1)='${wl}-z,text' + _LT_TAGVAR(allow_undefined_flag, $1)='${wl}-z,nodefs' + _LT_TAGVAR(archive_cmds_need_lc, $1)=no + _LT_TAGVAR(hardcode_shlibpath_var, $1)=no + _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='${wl}-R,$libdir' + _LT_TAGVAR(hardcode_libdir_separator, $1)=':' + _LT_TAGVAR(link_all_deplibs, $1)=yes + _LT_TAGVAR(export_dynamic_flag_spec, $1)='${wl}-Bexport' + runpath_var='LD_RUN_PATH' + + case $cc_basename in + CC*) + _LT_TAGVAR(archive_cmds, $1)='$CC -G ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -G ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(old_archive_cmds, $1)='$CC -Tprelink_objects $oldobjs~ + '"$_LT_TAGVAR(old_archive_cmds, $1)" + _LT_TAGVAR(reload_cmds, $1)='$CC -Tprelink_objects $reload_objs~ + '"$_LT_TAGVAR(reload_cmds, $1)" + ;; + *) + _LT_TAGVAR(archive_cmds, $1)='$CC -shared ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + _LT_TAGVAR(archive_expsym_cmds, $1)='$CC -shared ${wl}-Bexport:$export_symbols ${wl}-h,$soname -o $lib $libobjs $deplibs $compiler_flags' + ;; + esac + ;; + + tandem*) + case $cc_basename in + NCC*) + # NonStop-UX NCC 3.20 + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + ;; + + vxworks*) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + + *) + # FIXME: insert proper C++ library support + _LT_TAGVAR(ld_shlibs, $1)=no + ;; + esac + + AC_MSG_RESULT([$_LT_TAGVAR(ld_shlibs, $1)]) + test "$_LT_TAGVAR(ld_shlibs, $1)" = no && can_build_shared=no + + _LT_TAGVAR(GCC, $1)="$GXX" + _LT_TAGVAR(LD, $1)="$LD" + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_SYS_HIDDEN_LIBDEPS($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + CC=$lt_save_CC + CFLAGS=$lt_save_CFLAGS + LDCXX=$LD + LD=$lt_save_LD + GCC=$lt_save_GCC + with_gnu_ld=$lt_save_with_gnu_ld + lt_cv_path_LDCXX=$lt_cv_path_LD + lt_cv_path_LD=$lt_save_path_LD + lt_cv_prog_gnu_ldcxx=$lt_cv_prog_gnu_ld + lt_cv_prog_gnu_ld=$lt_save_with_gnu_ld +fi # test "$_lt_caught_CXX_error" != yes + +AC_LANG_POP +])# _LT_LANG_CXX_CONFIG + + +# _LT_FUNC_STRIPNAME_CNF +# ---------------------- +# func_stripname_cnf prefix suffix name +# strip PREFIX and SUFFIX off of NAME. +# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +# +# This function is identical to the (non-XSI) version of func_stripname, +# except this one can be used by m4 code that may be executed by configure, +# rather than the libtool script. +m4_defun([_LT_FUNC_STRIPNAME_CNF],[dnl +AC_REQUIRE([_LT_DECL_SED]) +AC_REQUIRE([_LT_PROG_ECHO_BACKSLASH]) +func_stripname_cnf () +{ + case ${2} in + .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;; + *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;; + esac +} # func_stripname_cnf +])# _LT_FUNC_STRIPNAME_CNF + +# _LT_SYS_HIDDEN_LIBDEPS([TAGNAME]) +# --------------------------------- +# Figure out "hidden" library dependencies from verbose +# compiler output when linking a shared library. +# Parse the compiler output and extract the necessary +# objects, libraries and library flags. +m4_defun([_LT_SYS_HIDDEN_LIBDEPS], +[m4_require([_LT_FILEUTILS_DEFAULTS])dnl +AC_REQUIRE([_LT_FUNC_STRIPNAME_CNF])dnl +# Dependencies to place before and after the object being linked: +_LT_TAGVAR(predep_objects, $1)= +_LT_TAGVAR(postdep_objects, $1)= +_LT_TAGVAR(predeps, $1)= +_LT_TAGVAR(postdeps, $1)= +_LT_TAGVAR(compiler_lib_search_path, $1)= + +dnl we can't use the lt_simple_compile_test_code here, +dnl because it contains code intended for an executable, +dnl not a library. It's possible we should let each +dnl tag define a new lt_????_link_test_code variable, +dnl but it's only used here... +m4_if([$1], [], [cat > conftest.$ac_ext <<_LT_EOF +int a; +void foo (void) { a = 0; } +_LT_EOF +], [$1], [CXX], [cat > conftest.$ac_ext <<_LT_EOF +class Foo +{ +public: + Foo (void) { a = 0; } +private: + int a; +}; +_LT_EOF +], [$1], [F77], [cat > conftest.$ac_ext <<_LT_EOF + subroutine foo + implicit none + integer*4 a + a=0 + return + end +_LT_EOF +], [$1], [FC], [cat > conftest.$ac_ext <<_LT_EOF + subroutine foo + implicit none + integer a + a=0 + return + end +_LT_EOF +], [$1], [GCJ], [cat > conftest.$ac_ext <<_LT_EOF +public class foo { + private int a; + public void bar (void) { + a = 0; + } +}; +_LT_EOF +], [$1], [GO], [cat > conftest.$ac_ext <<_LT_EOF +package foo +func foo() { +} +_LT_EOF +]) + +_lt_libdeps_save_CFLAGS=$CFLAGS +case "$CC $CFLAGS " in #( +*\ -flto*\ *) CFLAGS="$CFLAGS -fno-lto" ;; +*\ -fwhopr*\ *) CFLAGS="$CFLAGS -fno-whopr" ;; +*\ -fuse-linker-plugin*\ *) CFLAGS="$CFLAGS -fno-use-linker-plugin" ;; +esac + +dnl Parse the compiler output and extract the necessary +dnl objects, libraries and library flags. +if AC_TRY_EVAL(ac_compile); then + # Parse the compiler output and extract the necessary + # objects, libraries and library flags. + + # Sentinel used to keep track of whether or not we are before + # the conftest object file. + pre_test_object_deps_done=no + + for p in `eval "$output_verbose_link_cmd"`; do + case ${prev}${p} in + + -L* | -R* | -l*) + # Some compilers place space between "-{L,R}" and the path. + # Remove the space. + if test $p = "-L" || + test $p = "-R"; then + prev=$p + continue + fi + + # Expand the sysroot to ease extracting the directories later. + if test -z "$prev"; then + case $p in + -L*) func_stripname_cnf '-L' '' "$p"; prev=-L; p=$func_stripname_result ;; + -R*) func_stripname_cnf '-R' '' "$p"; prev=-R; p=$func_stripname_result ;; + -l*) func_stripname_cnf '-l' '' "$p"; prev=-l; p=$func_stripname_result ;; + esac + fi + case $p in + =*) func_stripname_cnf '=' '' "$p"; p=$lt_sysroot$func_stripname_result ;; + esac + if test "$pre_test_object_deps_done" = no; then + case ${prev} in + -L | -R) + # Internal compiler library paths should come after those + # provided the user. The postdeps already come after the + # user supplied libs so there is no need to process them. + if test -z "$_LT_TAGVAR(compiler_lib_search_path, $1)"; then + _LT_TAGVAR(compiler_lib_search_path, $1)="${prev}${p}" + else + _LT_TAGVAR(compiler_lib_search_path, $1)="${_LT_TAGVAR(compiler_lib_search_path, $1)} ${prev}${p}" + fi + ;; + # The "-l" case would never come before the object being + # linked, so don't bother handling this case. + esac + else + if test -z "$_LT_TAGVAR(postdeps, $1)"; then + _LT_TAGVAR(postdeps, $1)="${prev}${p}" + else + _LT_TAGVAR(postdeps, $1)="${_LT_TAGVAR(postdeps, $1)} ${prev}${p}" + fi + fi + prev= + ;; + + *.lto.$objext) ;; # Ignore GCC LTO objects + *.$objext) + # This assumes that the test object file only shows up + # once in the compiler output. + if test "$p" = "conftest.$objext"; then + pre_test_object_deps_done=yes + continue + fi + + if test "$pre_test_object_deps_done" = no; then + if test -z "$_LT_TAGVAR(predep_objects, $1)"; then + _LT_TAGVAR(predep_objects, $1)="$p" + else + _LT_TAGVAR(predep_objects, $1)="$_LT_TAGVAR(predep_objects, $1) $p" + fi + else + if test -z "$_LT_TAGVAR(postdep_objects, $1)"; then + _LT_TAGVAR(postdep_objects, $1)="$p" + else + _LT_TAGVAR(postdep_objects, $1)="$_LT_TAGVAR(postdep_objects, $1) $p" + fi + fi + ;; + + *) ;; # Ignore the rest. + + esac + done + + # Clean up. + rm -f a.out a.exe +else + echo "libtool.m4: error: problem compiling $1 test program" +fi + +$RM -f confest.$objext +CFLAGS=$_lt_libdeps_save_CFLAGS + +# PORTME: override above test on systems where it is broken +m4_if([$1], [CXX], +[case $host_os in +interix[[3-9]]*) + # Interix 3.5 installs completely hosed .la files for C++, so rather than + # hack all around it, let's just trust "g++" to DTRT. + _LT_TAGVAR(predep_objects,$1)= + _LT_TAGVAR(postdep_objects,$1)= + _LT_TAGVAR(postdeps,$1)= + ;; + +linux*) + case `$CC -V 2>&1 | sed 5q` in + *Sun\ C*) + # Sun C++ 5.9 + + # The more standards-conforming stlport4 library is + # incompatible with the Cstd library. Avoid specifying + # it if it's in CXXFLAGS. Ignore libCrun as + # -library=stlport4 depends on it. + case " $CXX $CXXFLAGS " in + *" -library=stlport4 "*) + solaris_use_stlport4=yes + ;; + esac + + if test "$solaris_use_stlport4" != yes; then + _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' + fi + ;; + esac + ;; + +solaris*) + case $cc_basename in + CC* | sunCC*) + # The more standards-conforming stlport4 library is + # incompatible with the Cstd library. Avoid specifying + # it if it's in CXXFLAGS. Ignore libCrun as + # -library=stlport4 depends on it. + case " $CXX $CXXFLAGS " in + *" -library=stlport4 "*) + solaris_use_stlport4=yes + ;; + esac + + # Adding this requires a known-good setup of shared libraries for + # Sun compiler versions before 5.6, else PIC objects from an old + # archive will be linked into the output, leading to subtle bugs. + if test "$solaris_use_stlport4" != yes; then + _LT_TAGVAR(postdeps,$1)='-library=Cstd -library=Crun' + fi + ;; + esac + ;; +esac +]) + +case " $_LT_TAGVAR(postdeps, $1) " in +*" -lc "*) _LT_TAGVAR(archive_cmds_need_lc, $1)=no ;; +esac + _LT_TAGVAR(compiler_lib_search_dirs, $1)= +if test -n "${_LT_TAGVAR(compiler_lib_search_path, $1)}"; then + _LT_TAGVAR(compiler_lib_search_dirs, $1)=`echo " ${_LT_TAGVAR(compiler_lib_search_path, $1)}" | ${SED} -e 's! -L! !g' -e 's!^ !!'` +fi +_LT_TAGDECL([], [compiler_lib_search_dirs], [1], + [The directories searched by this compiler when creating a shared library]) +_LT_TAGDECL([], [predep_objects], [1], + [Dependencies to place before and after the objects being linked to + create a shared library]) +_LT_TAGDECL([], [postdep_objects], [1]) +_LT_TAGDECL([], [predeps], [1]) +_LT_TAGDECL([], [postdeps], [1]) +_LT_TAGDECL([], [compiler_lib_search_path], [1], + [The library search path used internally by the compiler when linking + a shared library]) +])# _LT_SYS_HIDDEN_LIBDEPS + + +# _LT_LANG_F77_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for a Fortran 77 compiler are +# suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_F77_CONFIG], +[AC_LANG_PUSH(Fortran 77) +if test -z "$F77" || test "X$F77" = "Xno"; then + _lt_disable_F77=yes +fi + +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for f77 test sources. +ac_ext=f + +# Object file extension for compiled f77 test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the F77 compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test "$_lt_disable_F77" != yes; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="\ + subroutine t + return + end +" + + # Code to be used in simple link tests + lt_simple_link_test_code="\ + program t + end +" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC="$CC" + lt_save_GCC=$GCC + lt_save_CFLAGS=$CFLAGS + CC=${F77-"f77"} + CFLAGS=$FFLAGS + compiler=$CC + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + GCC=$G77 + if test -n "$compiler"; then + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test "$can_build_shared" = "no" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + aix[[4-9]]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_TAGVAR(GCC, $1)="$G77" + _LT_TAGVAR(LD, $1)="$LD" + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + GCC=$lt_save_GCC + CC="$lt_save_CC" + CFLAGS="$lt_save_CFLAGS" +fi # test "$_lt_disable_F77" != yes + +AC_LANG_POP +])# _LT_LANG_F77_CONFIG + + +# _LT_LANG_FC_CONFIG([TAG]) +# ------------------------- +# Ensure that the configuration variables for a Fortran compiler are +# suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_FC_CONFIG], +[AC_LANG_PUSH(Fortran) + +if test -z "$FC" || test "X$FC" = "Xno"; then + _lt_disable_FC=yes +fi + +_LT_TAGVAR(archive_cmds_need_lc, $1)=no +_LT_TAGVAR(allow_undefined_flag, $1)= +_LT_TAGVAR(always_export_symbols, $1)=no +_LT_TAGVAR(archive_expsym_cmds, $1)= +_LT_TAGVAR(export_dynamic_flag_spec, $1)= +_LT_TAGVAR(hardcode_direct, $1)=no +_LT_TAGVAR(hardcode_direct_absolute, $1)=no +_LT_TAGVAR(hardcode_libdir_flag_spec, $1)= +_LT_TAGVAR(hardcode_libdir_separator, $1)= +_LT_TAGVAR(hardcode_minus_L, $1)=no +_LT_TAGVAR(hardcode_automatic, $1)=no +_LT_TAGVAR(inherit_rpath, $1)=no +_LT_TAGVAR(module_cmds, $1)= +_LT_TAGVAR(module_expsym_cmds, $1)= +_LT_TAGVAR(link_all_deplibs, $1)=unknown +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds +_LT_TAGVAR(no_undefined_flag, $1)= +_LT_TAGVAR(whole_archive_flag_spec, $1)= +_LT_TAGVAR(enable_shared_with_static_runtimes, $1)=no + +# Source file extension for fc test sources. +ac_ext=${ac_fc_srcext-f} + +# Object file extension for compiled fc test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# No sense in running all these tests if we already determined that +# the FC compiler isn't working. Some variables (like enable_shared) +# are currently assumed to apply to all compilers on this platform, +# and will be corrupted by setting them based on a non-working compiler. +if test "$_lt_disable_FC" != yes; then + # Code to be used in simple compile tests + lt_simple_compile_test_code="\ + subroutine t + return + end +" + + # Code to be used in simple link tests + lt_simple_link_test_code="\ + program t + end +" + + # ltmain only uses $CC for tagged configurations so make sure $CC is set. + _LT_TAG_COMPILER + + # save warnings/boilerplate of simple test code + _LT_COMPILER_BOILERPLATE + _LT_LINKER_BOILERPLATE + + # Allow CC to be a program name with arguments. + lt_save_CC="$CC" + lt_save_GCC=$GCC + lt_save_CFLAGS=$CFLAGS + CC=${FC-"f95"} + CFLAGS=$FCFLAGS + compiler=$CC + GCC=$ac_cv_fc_compiler_gnu + + _LT_TAGVAR(compiler, $1)=$CC + _LT_CC_BASENAME([$compiler]) + + if test -n "$compiler"; then + AC_MSG_CHECKING([if libtool supports shared libraries]) + AC_MSG_RESULT([$can_build_shared]) + + AC_MSG_CHECKING([whether to build shared libraries]) + test "$can_build_shared" = "no" && enable_shared=no + + # On AIX, shared libraries and static libraries use the same namespace, and + # are all built from PIC. + case $host_os in + aix3*) + test "$enable_shared" = yes && enable_static=no + if test -n "$RANLIB"; then + archive_cmds="$archive_cmds~\$RANLIB \$lib" + postinstall_cmds='$RANLIB $lib' + fi + ;; + aix[[4-9]]*) + if test "$host_cpu" != ia64 && test "$aix_use_runtimelinking" = no ; then + test "$enable_shared" = yes && enable_static=no + fi + ;; + esac + AC_MSG_RESULT([$enable_shared]) + + AC_MSG_CHECKING([whether to build static libraries]) + # Make sure either enable_shared or enable_static is yes. + test "$enable_shared" = yes || enable_static=yes + AC_MSG_RESULT([$enable_static]) + + _LT_TAGVAR(GCC, $1)="$ac_cv_fc_compiler_gnu" + _LT_TAGVAR(LD, $1)="$LD" + + ## CAVEAT EMPTOR: + ## There is no encapsulation within the following macros, do not change + ## the running order or otherwise move them around unless you know exactly + ## what you are doing... + _LT_SYS_HIDDEN_LIBDEPS($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_SYS_DYNAMIC_LINKER($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) + fi # test -n "$compiler" + + GCC=$lt_save_GCC + CC=$lt_save_CC + CFLAGS=$lt_save_CFLAGS +fi # test "$_lt_disable_FC" != yes + +AC_LANG_POP +])# _LT_LANG_FC_CONFIG + + +# _LT_LANG_GCJ_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for the GNU Java Compiler compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_GCJ_CONFIG], +[AC_REQUIRE([LT_PROG_GCJ])dnl +AC_LANG_SAVE + +# Source file extension for Java test sources. +ac_ext=java + +# Object file extension for compiled Java test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="class foo {}" + +# Code to be used in simple link tests +lt_simple_link_test_code='public class conftest { public static void main(String[[]] argv) {}; }' + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC=$CC +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC=yes +CC=${GCJ-"gcj"} +CFLAGS=$GCJFLAGS +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_TAGVAR(LD, $1)="$LD" +_LT_CC_BASENAME([$compiler]) + +# GCJ did not exist at the time GCC didn't implicitly link libc in. +_LT_TAGVAR(archive_cmds_need_lc, $1)=no + +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds + +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) +fi + +AC_LANG_RESTORE + +GCC=$lt_save_GCC +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_GCJ_CONFIG + + +# _LT_LANG_GO_CONFIG([TAG]) +# -------------------------- +# Ensure that the configuration variables for the GNU Go compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_GO_CONFIG], +[AC_REQUIRE([LT_PROG_GO])dnl +AC_LANG_SAVE + +# Source file extension for Go test sources. +ac_ext=go + +# Object file extension for compiled Go test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code="package main; func main() { }" + +# Code to be used in simple link tests +lt_simple_link_test_code='package main; func main() { }' + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC=$CC +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC=yes +CC=${GOC-"gccgo"} +CFLAGS=$GOFLAGS +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_TAGVAR(LD, $1)="$LD" +_LT_CC_BASENAME([$compiler]) + +# Go did not exist at the time GCC didn't implicitly link libc in. +_LT_TAGVAR(archive_cmds_need_lc, $1)=no + +_LT_TAGVAR(old_archive_cmds, $1)=$old_archive_cmds +_LT_TAGVAR(reload_flag, $1)=$reload_flag +_LT_TAGVAR(reload_cmds, $1)=$reload_cmds + +if test -n "$compiler"; then + _LT_COMPILER_NO_RTTI($1) + _LT_COMPILER_PIC($1) + _LT_COMPILER_C_O($1) + _LT_COMPILER_FILE_LOCKS($1) + _LT_LINKER_SHLIBS($1) + _LT_LINKER_HARDCODE_LIBPATH($1) + + _LT_CONFIG($1) +fi + +AC_LANG_RESTORE + +GCC=$lt_save_GCC +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_GO_CONFIG + + +# _LT_LANG_RC_CONFIG([TAG]) +# ------------------------- +# Ensure that the configuration variables for the Windows resource compiler +# are suitably defined. These variables are subsequently used by _LT_CONFIG +# to write the compiler configuration to `libtool'. +m4_defun([_LT_LANG_RC_CONFIG], +[AC_REQUIRE([LT_PROG_RC])dnl +AC_LANG_SAVE + +# Source file extension for RC test sources. +ac_ext=rc + +# Object file extension for compiled RC test sources. +objext=o +_LT_TAGVAR(objext, $1)=$objext + +# Code to be used in simple compile tests +lt_simple_compile_test_code='sample MENU { MENUITEM "&Soup", 100, CHECKED }' + +# Code to be used in simple link tests +lt_simple_link_test_code="$lt_simple_compile_test_code" + +# ltmain only uses $CC for tagged configurations so make sure $CC is set. +_LT_TAG_COMPILER + +# save warnings/boilerplate of simple test code +_LT_COMPILER_BOILERPLATE +_LT_LINKER_BOILERPLATE + +# Allow CC to be a program name with arguments. +lt_save_CC="$CC" +lt_save_CFLAGS=$CFLAGS +lt_save_GCC=$GCC +GCC= +CC=${RC-"windres"} +CFLAGS= +compiler=$CC +_LT_TAGVAR(compiler, $1)=$CC +_LT_CC_BASENAME([$compiler]) +_LT_TAGVAR(lt_cv_prog_compiler_c_o, $1)=yes + +if test -n "$compiler"; then + : + _LT_CONFIG($1) +fi + +GCC=$lt_save_GCC +AC_LANG_RESTORE +CC=$lt_save_CC +CFLAGS=$lt_save_CFLAGS +])# _LT_LANG_RC_CONFIG + + +# LT_PROG_GCJ +# ----------- +AC_DEFUN([LT_PROG_GCJ], +[m4_ifdef([AC_PROG_GCJ], [AC_PROG_GCJ], + [m4_ifdef([A][M_PROG_GCJ], [A][M_PROG_GCJ], + [AC_CHECK_TOOL(GCJ, gcj,) + test "x${GCJFLAGS+set}" = xset || GCJFLAGS="-g -O2" + AC_SUBST(GCJFLAGS)])])[]dnl +]) + +# Old name: +AU_ALIAS([LT_AC_PROG_GCJ], [LT_PROG_GCJ]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_GCJ], []) + + +# LT_PROG_GO +# ---------- +AC_DEFUN([LT_PROG_GO], +[AC_CHECK_TOOL(GOC, gccgo,) +]) + + +# LT_PROG_RC +# ---------- +AC_DEFUN([LT_PROG_RC], +[AC_CHECK_TOOL(RC, windres,) +]) + +# Old name: +AU_ALIAS([LT_AC_PROG_RC], [LT_PROG_RC]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_RC], []) + + +# _LT_DECL_EGREP +# -------------- +# If we don't have a new enough Autoconf to choose the best grep +# available, choose the one first in the user's PATH. +m4_defun([_LT_DECL_EGREP], +[AC_REQUIRE([AC_PROG_EGREP])dnl +AC_REQUIRE([AC_PROG_FGREP])dnl +test -z "$GREP" && GREP=grep +_LT_DECL([], [GREP], [1], [A grep program that handles long lines]) +_LT_DECL([], [EGREP], [1], [An ERE matcher]) +_LT_DECL([], [FGREP], [1], [A literal string matcher]) +dnl Non-bleeding-edge autoconf doesn't subst GREP, so do it here too +AC_SUBST([GREP]) +]) + + +# _LT_DECL_OBJDUMP +# -------------- +# If we don't have a new enough Autoconf to choose the best objdump +# available, choose the one first in the user's PATH. +m4_defun([_LT_DECL_OBJDUMP], +[AC_CHECK_TOOL(OBJDUMP, objdump, false) +test -z "$OBJDUMP" && OBJDUMP=objdump +_LT_DECL([], [OBJDUMP], [1], [An object symbol dumper]) +AC_SUBST([OBJDUMP]) +]) + +# _LT_DECL_DLLTOOL +# ---------------- +# Ensure DLLTOOL variable is set. +m4_defun([_LT_DECL_DLLTOOL], +[AC_CHECK_TOOL(DLLTOOL, dlltool, false) +test -z "$DLLTOOL" && DLLTOOL=dlltool +_LT_DECL([], [DLLTOOL], [1], [DLL creation program]) +AC_SUBST([DLLTOOL]) +]) + +# _LT_DECL_SED +# ------------ +# Check for a fully-functional sed program, that truncates +# as few characters as possible. Prefer GNU sed if found. +m4_defun([_LT_DECL_SED], +[AC_PROG_SED +test -z "$SED" && SED=sed +Xsed="$SED -e 1s/^X//" +_LT_DECL([], [SED], [1], [A sed program that does not truncate output]) +_LT_DECL([], [Xsed], ["\$SED -e 1s/^X//"], + [Sed that helps us avoid accidentally triggering echo(1) options like -n]) +])# _LT_DECL_SED + +m4_ifndef([AC_PROG_SED], [ +# NOTE: This macro has been submitted for inclusion into # +# GNU Autoconf as AC_PROG_SED. When it is available in # +# a released version of Autoconf we should remove this # +# macro and use it instead. # + +m4_defun([AC_PROG_SED], +[AC_MSG_CHECKING([for a sed that does not truncate output]) +AC_CACHE_VAL(lt_cv_path_SED, +[# Loop through the user's path and test for sed and gsed. +# Then use that list of sed's as ones to test for truncation. +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for lt_ac_prog in sed gsed; do + for ac_exec_ext in '' $ac_executable_extensions; do + if $as_executable_p "$as_dir/$lt_ac_prog$ac_exec_ext"; then + lt_ac_sed_list="$lt_ac_sed_list $as_dir/$lt_ac_prog$ac_exec_ext" + fi + done + done +done +IFS=$as_save_IFS +lt_ac_max=0 +lt_ac_count=0 +# Add /usr/xpg4/bin/sed as it is typically found on Solaris +# along with /bin/sed that truncates output. +for lt_ac_sed in $lt_ac_sed_list /usr/xpg4/bin/sed; do + test ! -f $lt_ac_sed && continue + cat /dev/null > conftest.in + lt_ac_count=0 + echo $ECHO_N "0123456789$ECHO_C" >conftest.in + # Check for GNU sed and select it if it is found. + if "$lt_ac_sed" --version 2>&1 < /dev/null | grep 'GNU' > /dev/null; then + lt_cv_path_SED=$lt_ac_sed + break + fi + while true; do + cat conftest.in conftest.in >conftest.tmp + mv conftest.tmp conftest.in + cp conftest.in conftest.nl + echo >>conftest.nl + $lt_ac_sed -e 's/a$//' < conftest.nl >conftest.out || break + cmp -s conftest.out conftest.nl || break + # 10000 chars as input seems more than enough + test $lt_ac_count -gt 10 && break + lt_ac_count=`expr $lt_ac_count + 1` + if test $lt_ac_count -gt $lt_ac_max; then + lt_ac_max=$lt_ac_count + lt_cv_path_SED=$lt_ac_sed + fi + done +done +]) +SED=$lt_cv_path_SED +AC_SUBST([SED]) +AC_MSG_RESULT([$SED]) +])#AC_PROG_SED +])#m4_ifndef + +# Old name: +AU_ALIAS([LT_AC_PROG_SED], [AC_PROG_SED]) +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([LT_AC_PROG_SED], []) + + +# _LT_CHECK_SHELL_FEATURES +# ------------------------ +# Find out whether the shell is Bourne or XSI compatible, +# or has some other useful features. +m4_defun([_LT_CHECK_SHELL_FEATURES], +[AC_MSG_CHECKING([whether the shell understands some XSI constructs]) +# Try some XSI features +xsi_shell=no +( _lt_dummy="a/b/c" + test "${_lt_dummy##*/},${_lt_dummy%/*},${_lt_dummy#??}"${_lt_dummy%"$_lt_dummy"}, \ + = c,a/b,b/c, \ + && eval 'test $(( 1 + 1 )) -eq 2 \ + && test "${#_lt_dummy}" -eq 5' ) >/dev/null 2>&1 \ + && xsi_shell=yes +AC_MSG_RESULT([$xsi_shell]) +_LT_CONFIG_LIBTOOL_INIT([xsi_shell='$xsi_shell']) + +AC_MSG_CHECKING([whether the shell understands "+="]) +lt_shell_append=no +( foo=bar; set foo baz; eval "$[1]+=\$[2]" && test "$foo" = barbaz ) \ + >/dev/null 2>&1 \ + && lt_shell_append=yes +AC_MSG_RESULT([$lt_shell_append]) +_LT_CONFIG_LIBTOOL_INIT([lt_shell_append='$lt_shell_append']) + +if ( (MAIL=60; unset MAIL) || exit) >/dev/null 2>&1; then + lt_unset=unset +else + lt_unset=false +fi +_LT_DECL([], [lt_unset], [0], [whether the shell understands "unset"])dnl + +# test EBCDIC or ASCII +case `echo X|tr X '\101'` in + A) # ASCII based system + # \n is not interpreted correctly by Solaris 8 /usr/ucb/tr + lt_SP2NL='tr \040 \012' + lt_NL2SP='tr \015\012 \040\040' + ;; + *) # EBCDIC based system + lt_SP2NL='tr \100 \n' + lt_NL2SP='tr \r\n \100\100' + ;; +esac +_LT_DECL([SP2NL], [lt_SP2NL], [1], [turn spaces into newlines])dnl +_LT_DECL([NL2SP], [lt_NL2SP], [1], [turn newlines into spaces])dnl +])# _LT_CHECK_SHELL_FEATURES + + +# _LT_PROG_FUNCTION_REPLACE (FUNCNAME, REPLACEMENT-BODY) +# ------------------------------------------------------ +# In `$cfgfile', look for function FUNCNAME delimited by `^FUNCNAME ()$' and +# '^} FUNCNAME ', and replace its body with REPLACEMENT-BODY. +m4_defun([_LT_PROG_FUNCTION_REPLACE], +[dnl { +sed -e '/^$1 ()$/,/^} # $1 /c\ +$1 ()\ +{\ +m4_bpatsubsts([$2], [$], [\\], [^\([ ]\)], [\\\1]) +} # Extended-shell $1 implementation' "$cfgfile" > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") +test 0 -eq $? || _lt_function_replace_fail=: +]) + + +# _LT_PROG_REPLACE_SHELLFNS +# ------------------------- +# Replace existing portable implementations of several shell functions with +# equivalent extended shell implementations where those features are available.. +m4_defun([_LT_PROG_REPLACE_SHELLFNS], +[if test x"$xsi_shell" = xyes; then + _LT_PROG_FUNCTION_REPLACE([func_dirname], [dnl + case ${1} in + */*) func_dirname_result="${1%/*}${2}" ;; + * ) func_dirname_result="${3}" ;; + esac]) + + _LT_PROG_FUNCTION_REPLACE([func_basename], [dnl + func_basename_result="${1##*/}"]) + + _LT_PROG_FUNCTION_REPLACE([func_dirname_and_basename], [dnl + case ${1} in + */*) func_dirname_result="${1%/*}${2}" ;; + * ) func_dirname_result="${3}" ;; + esac + func_basename_result="${1##*/}"]) + + _LT_PROG_FUNCTION_REPLACE([func_stripname], [dnl + # pdksh 5.2.14 does not do ${X%$Y} correctly if both X and Y are + # positional parameters, so assign one to ordinary parameter first. + func_stripname_result=${3} + func_stripname_result=${func_stripname_result#"${1}"} + func_stripname_result=${func_stripname_result%"${2}"}]) + + _LT_PROG_FUNCTION_REPLACE([func_split_long_opt], [dnl + func_split_long_opt_name=${1%%=*} + func_split_long_opt_arg=${1#*=}]) + + _LT_PROG_FUNCTION_REPLACE([func_split_short_opt], [dnl + func_split_short_opt_arg=${1#??} + func_split_short_opt_name=${1%"$func_split_short_opt_arg"}]) + + _LT_PROG_FUNCTION_REPLACE([func_lo2o], [dnl + case ${1} in + *.lo) func_lo2o_result=${1%.lo}.${objext} ;; + *) func_lo2o_result=${1} ;; + esac]) + + _LT_PROG_FUNCTION_REPLACE([func_xform], [ func_xform_result=${1%.*}.lo]) + + _LT_PROG_FUNCTION_REPLACE([func_arith], [ func_arith_result=$(( $[*] ))]) + + _LT_PROG_FUNCTION_REPLACE([func_len], [ func_len_result=${#1}]) +fi + +if test x"$lt_shell_append" = xyes; then + _LT_PROG_FUNCTION_REPLACE([func_append], [ eval "${1}+=\\${2}"]) + + _LT_PROG_FUNCTION_REPLACE([func_append_quoted], [dnl + func_quote_for_eval "${2}" +dnl m4 expansion turns \\\\ into \\, and then the shell eval turns that into \ + eval "${1}+=\\\\ \\$func_quote_for_eval_result"]) + + # Save a `func_append' function call where possible by direct use of '+=' + sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1+="%g' $cfgfile > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") + test 0 -eq $? || _lt_function_replace_fail=: +else + # Save a `func_append' function call even when '+=' is not available + sed -e 's%func_append \([[a-zA-Z_]]\{1,\}\) "%\1="$\1%g' $cfgfile > $cfgfile.tmp \ + && mv -f "$cfgfile.tmp" "$cfgfile" \ + || (rm -f "$cfgfile" && cp "$cfgfile.tmp" "$cfgfile" && rm -f "$cfgfile.tmp") + test 0 -eq $? || _lt_function_replace_fail=: +fi + +if test x"$_lt_function_replace_fail" = x":"; then + AC_MSG_WARN([Unable to substitute extended shell functions in $ofile]) +fi +]) + +# _LT_PATH_CONVERSION_FUNCTIONS +# ----------------------------- +# Determine which file name conversion functions should be used by +# func_to_host_file (and, implicitly, by func_to_host_path). These are needed +# for certain cross-compile configurations and native mingw. +m4_defun([_LT_PATH_CONVERSION_FUNCTIONS], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +AC_REQUIRE([AC_CANONICAL_BUILD])dnl +AC_MSG_CHECKING([how to convert $build file names to $host format]) +AC_CACHE_VAL(lt_cv_to_host_file_cmd, +[case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_w32 + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_cygwin_to_w32 + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_w32 + ;; + esac + ;; + *-*-cygwin* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_host_file_cmd=func_convert_file_msys_to_cygwin + ;; + *-*-cygwin* ) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; + * ) # otherwise, assume *nix + lt_cv_to_host_file_cmd=func_convert_file_nix_to_cygwin + ;; + esac + ;; + * ) # unhandled hosts (and "normal" native builds) + lt_cv_to_host_file_cmd=func_convert_file_noop + ;; +esac +]) +to_host_file_cmd=$lt_cv_to_host_file_cmd +AC_MSG_RESULT([$lt_cv_to_host_file_cmd]) +_LT_DECL([to_host_file_cmd], [lt_cv_to_host_file_cmd], + [0], [convert $build file names to $host format])dnl + +AC_MSG_CHECKING([how to convert $build file names to toolchain format]) +AC_CACHE_VAL(lt_cv_to_tool_file_cmd, +[#assume ordinary cross tools, or native build. +lt_cv_to_tool_file_cmd=func_convert_file_noop +case $host in + *-*-mingw* ) + case $build in + *-*-mingw* ) # actually msys + lt_cv_to_tool_file_cmd=func_convert_file_msys_to_w32 + ;; + esac + ;; +esac +]) +to_tool_file_cmd=$lt_cv_to_tool_file_cmd +AC_MSG_RESULT([$lt_cv_to_tool_file_cmd]) +_LT_DECL([to_tool_file_cmd], [lt_cv_to_tool_file_cmd], + [0], [convert $build files to toolchain format])dnl +])# _LT_PATH_CONVERSION_FUNCTIONS + +# Helper functions for option handling. -*- Autoconf -*- +# +# Copyright (C) 2004, 2005, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# Written by Gary V. Vaughan, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 7 ltoptions.m4 + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTOPTIONS_VERSION], [m4_if([1])]) + + +# _LT_MANGLE_OPTION(MACRO-NAME, OPTION-NAME) +# ------------------------------------------ +m4_define([_LT_MANGLE_OPTION], +[[_LT_OPTION_]m4_bpatsubst($1__$2, [[^a-zA-Z0-9_]], [_])]) + + +# _LT_SET_OPTION(MACRO-NAME, OPTION-NAME) +# --------------------------------------- +# Set option OPTION-NAME for macro MACRO-NAME, and if there is a +# matching handler defined, dispatch to it. Other OPTION-NAMEs are +# saved as a flag. +m4_define([_LT_SET_OPTION], +[m4_define(_LT_MANGLE_OPTION([$1], [$2]))dnl +m4_ifdef(_LT_MANGLE_DEFUN([$1], [$2]), + _LT_MANGLE_DEFUN([$1], [$2]), + [m4_warning([Unknown $1 option `$2'])])[]dnl +]) + + +# _LT_IF_OPTION(MACRO-NAME, OPTION-NAME, IF-SET, [IF-NOT-SET]) +# ------------------------------------------------------------ +# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise. +m4_define([_LT_IF_OPTION], +[m4_ifdef(_LT_MANGLE_OPTION([$1], [$2]), [$3], [$4])]) + + +# _LT_UNLESS_OPTIONS(MACRO-NAME, OPTION-LIST, IF-NOT-SET) +# ------------------------------------------------------- +# Execute IF-NOT-SET unless all options in OPTION-LIST for MACRO-NAME +# are set. +m4_define([_LT_UNLESS_OPTIONS], +[m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), + [m4_ifdef(_LT_MANGLE_OPTION([$1], _LT_Option), + [m4_define([$0_found])])])[]dnl +m4_ifdef([$0_found], [m4_undefine([$0_found])], [$3 +])[]dnl +]) + + +# _LT_SET_OPTIONS(MACRO-NAME, OPTION-LIST) +# ---------------------------------------- +# OPTION-LIST is a space-separated list of Libtool options associated +# with MACRO-NAME. If any OPTION has a matching handler declared with +# LT_OPTION_DEFINE, dispatch to that macro; otherwise complain about +# the unknown option and exit. +m4_defun([_LT_SET_OPTIONS], +[# Set options +m4_foreach([_LT_Option], m4_split(m4_normalize([$2])), + [_LT_SET_OPTION([$1], _LT_Option)]) + +m4_if([$1],[LT_INIT],[ + dnl + dnl Simply set some default values (i.e off) if boolean options were not + dnl specified: + _LT_UNLESS_OPTIONS([LT_INIT], [dlopen], [enable_dlopen=no + ]) + _LT_UNLESS_OPTIONS([LT_INIT], [win32-dll], [enable_win32_dll=no + ]) + dnl + dnl If no reference was made to various pairs of opposing options, then + dnl we run the default mode handler for the pair. For example, if neither + dnl `shared' nor `disable-shared' was passed, we enable building of shared + dnl archives by default: + _LT_UNLESS_OPTIONS([LT_INIT], [shared disable-shared], [_LT_ENABLE_SHARED]) + _LT_UNLESS_OPTIONS([LT_INIT], [static disable-static], [_LT_ENABLE_STATIC]) + _LT_UNLESS_OPTIONS([LT_INIT], [pic-only no-pic], [_LT_WITH_PIC]) + _LT_UNLESS_OPTIONS([LT_INIT], [fast-install disable-fast-install], + [_LT_ENABLE_FAST_INSTALL]) + ]) +])# _LT_SET_OPTIONS + + + +# _LT_MANGLE_DEFUN(MACRO-NAME, OPTION-NAME) +# ----------------------------------------- +m4_define([_LT_MANGLE_DEFUN], +[[_LT_OPTION_DEFUN_]m4_bpatsubst(m4_toupper([$1__$2]), [[^A-Z0-9_]], [_])]) + + +# LT_OPTION_DEFINE(MACRO-NAME, OPTION-NAME, CODE) +# ----------------------------------------------- +m4_define([LT_OPTION_DEFINE], +[m4_define(_LT_MANGLE_DEFUN([$1], [$2]), [$3])[]dnl +])# LT_OPTION_DEFINE + + +# dlopen +# ------ +LT_OPTION_DEFINE([LT_INIT], [dlopen], [enable_dlopen=yes +]) + +AU_DEFUN([AC_LIBTOOL_DLOPEN], +[_LT_SET_OPTION([LT_INIT], [dlopen]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the `dlopen' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_DLOPEN], []) + + +# win32-dll +# --------- +# Declare package support for building win32 dll's. +LT_OPTION_DEFINE([LT_INIT], [win32-dll], +[enable_win32_dll=yes + +case $host in +*-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-cegcc*) + AC_CHECK_TOOL(AS, as, false) + AC_CHECK_TOOL(DLLTOOL, dlltool, false) + AC_CHECK_TOOL(OBJDUMP, objdump, false) + ;; +esac + +test -z "$AS" && AS=as +_LT_DECL([], [AS], [1], [Assembler program])dnl + +test -z "$DLLTOOL" && DLLTOOL=dlltool +_LT_DECL([], [DLLTOOL], [1], [DLL creation program])dnl + +test -z "$OBJDUMP" && OBJDUMP=objdump +_LT_DECL([], [OBJDUMP], [1], [Object dumper program])dnl +])# win32-dll + +AU_DEFUN([AC_LIBTOOL_WIN32_DLL], +[AC_REQUIRE([AC_CANONICAL_HOST])dnl +_LT_SET_OPTION([LT_INIT], [win32-dll]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the `win32-dll' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_WIN32_DLL], []) + + +# _LT_ENABLE_SHARED([DEFAULT]) +# ---------------------------- +# implement the --enable-shared flag, and supports the `shared' and +# `disable-shared' LT_INIT options. +# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. +m4_define([_LT_ENABLE_SHARED], +[m4_define([_LT_ENABLE_SHARED_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([shared], + [AS_HELP_STRING([--enable-shared@<:@=PKGS@:>@], + [build shared libraries @<:@default=]_LT_ENABLE_SHARED_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_shared=yes ;; + no) enable_shared=no ;; + *) + enable_shared=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_shared=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac], + [enable_shared=]_LT_ENABLE_SHARED_DEFAULT) + + _LT_DECL([build_libtool_libs], [enable_shared], [0], + [Whether or not to build shared libraries]) +])# _LT_ENABLE_SHARED + +LT_OPTION_DEFINE([LT_INIT], [shared], [_LT_ENABLE_SHARED([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-shared], [_LT_ENABLE_SHARED([no])]) + +# Old names: +AC_DEFUN([AC_ENABLE_SHARED], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[shared]) +]) + +AC_DEFUN([AC_DISABLE_SHARED], +[_LT_SET_OPTION([LT_INIT], [disable-shared]) +]) + +AU_DEFUN([AM_ENABLE_SHARED], [AC_ENABLE_SHARED($@)]) +AU_DEFUN([AM_DISABLE_SHARED], [AC_DISABLE_SHARED($@)]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_ENABLE_SHARED], []) +dnl AC_DEFUN([AM_DISABLE_SHARED], []) + + + +# _LT_ENABLE_STATIC([DEFAULT]) +# ---------------------------- +# implement the --enable-static flag, and support the `static' and +# `disable-static' LT_INIT options. +# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. +m4_define([_LT_ENABLE_STATIC], +[m4_define([_LT_ENABLE_STATIC_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([static], + [AS_HELP_STRING([--enable-static@<:@=PKGS@:>@], + [build static libraries @<:@default=]_LT_ENABLE_STATIC_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_static=yes ;; + no) enable_static=no ;; + *) + enable_static=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_static=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac], + [enable_static=]_LT_ENABLE_STATIC_DEFAULT) + + _LT_DECL([build_old_libs], [enable_static], [0], + [Whether or not to build static libraries]) +])# _LT_ENABLE_STATIC + +LT_OPTION_DEFINE([LT_INIT], [static], [_LT_ENABLE_STATIC([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-static], [_LT_ENABLE_STATIC([no])]) + +# Old names: +AC_DEFUN([AC_ENABLE_STATIC], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[static]) +]) + +AC_DEFUN([AC_DISABLE_STATIC], +[_LT_SET_OPTION([LT_INIT], [disable-static]) +]) + +AU_DEFUN([AM_ENABLE_STATIC], [AC_ENABLE_STATIC($@)]) +AU_DEFUN([AM_DISABLE_STATIC], [AC_DISABLE_STATIC($@)]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AM_ENABLE_STATIC], []) +dnl AC_DEFUN([AM_DISABLE_STATIC], []) + + + +# _LT_ENABLE_FAST_INSTALL([DEFAULT]) +# ---------------------------------- +# implement the --enable-fast-install flag, and support the `fast-install' +# and `disable-fast-install' LT_INIT options. +# DEFAULT is either `yes' or `no'. If omitted, it defaults to `yes'. +m4_define([_LT_ENABLE_FAST_INSTALL], +[m4_define([_LT_ENABLE_FAST_INSTALL_DEFAULT], [m4_if($1, no, no, yes)])dnl +AC_ARG_ENABLE([fast-install], + [AS_HELP_STRING([--enable-fast-install@<:@=PKGS@:>@], + [optimize for fast installation @<:@default=]_LT_ENABLE_FAST_INSTALL_DEFAULT[@:>@])], + [p=${PACKAGE-default} + case $enableval in + yes) enable_fast_install=yes ;; + no) enable_fast_install=no ;; + *) + enable_fast_install=no + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for pkg in $enableval; do + IFS="$lt_save_ifs" + if test "X$pkg" = "X$p"; then + enable_fast_install=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac], + [enable_fast_install=]_LT_ENABLE_FAST_INSTALL_DEFAULT) + +_LT_DECL([fast_install], [enable_fast_install], [0], + [Whether or not to optimize for fast installation])dnl +])# _LT_ENABLE_FAST_INSTALL + +LT_OPTION_DEFINE([LT_INIT], [fast-install], [_LT_ENABLE_FAST_INSTALL([yes])]) +LT_OPTION_DEFINE([LT_INIT], [disable-fast-install], [_LT_ENABLE_FAST_INSTALL([no])]) + +# Old names: +AU_DEFUN([AC_ENABLE_FAST_INSTALL], +[_LT_SET_OPTION([LT_INIT], m4_if([$1], [no], [disable-])[fast-install]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you put +the `fast-install' option into LT_INIT's first parameter.]) +]) + +AU_DEFUN([AC_DISABLE_FAST_INSTALL], +[_LT_SET_OPTION([LT_INIT], [disable-fast-install]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you put +the `disable-fast-install' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_ENABLE_FAST_INSTALL], []) +dnl AC_DEFUN([AM_DISABLE_FAST_INSTALL], []) + + +# _LT_WITH_PIC([MODE]) +# -------------------- +# implement the --with-pic flag, and support the `pic-only' and `no-pic' +# LT_INIT options. +# MODE is either `yes' or `no'. If omitted, it defaults to `both'. +m4_define([_LT_WITH_PIC], +[AC_ARG_WITH([pic], + [AS_HELP_STRING([--with-pic@<:@=PKGS@:>@], + [try to use only PIC/non-PIC objects @<:@default=use both@:>@])], + [lt_p=${PACKAGE-default} + case $withval in + yes|no) pic_mode=$withval ;; + *) + pic_mode=default + # Look at the argument we got. We use all the common list separators. + lt_save_ifs="$IFS"; IFS="${IFS}$PATH_SEPARATOR," + for lt_pkg in $withval; do + IFS="$lt_save_ifs" + if test "X$lt_pkg" = "X$lt_p"; then + pic_mode=yes + fi + done + IFS="$lt_save_ifs" + ;; + esac], + [pic_mode=default]) + +test -z "$pic_mode" && pic_mode=m4_default([$1], [default]) + +_LT_DECL([], [pic_mode], [0], [What type of objects to build])dnl +])# _LT_WITH_PIC + +LT_OPTION_DEFINE([LT_INIT], [pic-only], [_LT_WITH_PIC([yes])]) +LT_OPTION_DEFINE([LT_INIT], [no-pic], [_LT_WITH_PIC([no])]) + +# Old name: +AU_DEFUN([AC_LIBTOOL_PICMODE], +[_LT_SET_OPTION([LT_INIT], [pic-only]) +AC_DIAGNOSE([obsolete], +[$0: Remove this warning and the call to _LT_SET_OPTION when you +put the `pic-only' option into LT_INIT's first parameter.]) +]) + +dnl aclocal-1.4 backwards compatibility: +dnl AC_DEFUN([AC_LIBTOOL_PICMODE], []) + + +m4_define([_LTDL_MODE], []) +LT_OPTION_DEFINE([LTDL_INIT], [nonrecursive], + [m4_define([_LTDL_MODE], [nonrecursive])]) +LT_OPTION_DEFINE([LTDL_INIT], [recursive], + [m4_define([_LTDL_MODE], [recursive])]) +LT_OPTION_DEFINE([LTDL_INIT], [subproject], + [m4_define([_LTDL_MODE], [subproject])]) + +m4_define([_LTDL_TYPE], []) +LT_OPTION_DEFINE([LTDL_INIT], [installable], + [m4_define([_LTDL_TYPE], [installable])]) +LT_OPTION_DEFINE([LTDL_INIT], [convenience], + [m4_define([_LTDL_TYPE], [convenience])]) + +# ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*- +# +# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc. +# Written by Gary V. Vaughan, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 6 ltsugar.m4 + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTSUGAR_VERSION], [m4_if([0.1])]) + + +# lt_join(SEP, ARG1, [ARG2...]) +# ----------------------------- +# Produce ARG1SEPARG2...SEPARGn, omitting [] arguments and their +# associated separator. +# Needed until we can rely on m4_join from Autoconf 2.62, since all earlier +# versions in m4sugar had bugs. +m4_define([lt_join], +[m4_if([$#], [1], [], + [$#], [2], [[$2]], + [m4_if([$2], [], [], [[$2]_])$0([$1], m4_shift(m4_shift($@)))])]) +m4_define([_lt_join], +[m4_if([$#$2], [2], [], + [m4_if([$2], [], [], [[$1$2]])$0([$1], m4_shift(m4_shift($@)))])]) + + +# lt_car(LIST) +# lt_cdr(LIST) +# ------------ +# Manipulate m4 lists. +# These macros are necessary as long as will still need to support +# Autoconf-2.59 which quotes differently. +m4_define([lt_car], [[$1]]) +m4_define([lt_cdr], +[m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])], + [$#], 1, [], + [m4_dquote(m4_shift($@))])]) +m4_define([lt_unquote], $1) + + +# lt_append(MACRO-NAME, STRING, [SEPARATOR]) +# ------------------------------------------ +# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'. +# Note that neither SEPARATOR nor STRING are expanded; they are appended +# to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked). +# No SEPARATOR is output if MACRO-NAME was previously undefined (different +# than defined and empty). +# +# This macro is needed until we can rely on Autoconf 2.62, since earlier +# versions of m4sugar mistakenly expanded SEPARATOR but not STRING. +m4_define([lt_append], +[m4_define([$1], + m4_ifdef([$1], [m4_defn([$1])[$3]])[$2])]) + + + +# lt_combine(SEP, PREFIX-LIST, INFIX, SUFFIX1, [SUFFIX2...]) +# ---------------------------------------------------------- +# Produce a SEP delimited list of all paired combinations of elements of +# PREFIX-LIST with SUFFIX1 through SUFFIXn. Each element of the list +# has the form PREFIXmINFIXSUFFIXn. +# Needed until we can rely on m4_combine added in Autoconf 2.62. +m4_define([lt_combine], +[m4_if(m4_eval([$# > 3]), [1], + [m4_pushdef([_Lt_sep], [m4_define([_Lt_sep], m4_defn([lt_car]))])]]dnl +[[m4_foreach([_Lt_prefix], [$2], + [m4_foreach([_Lt_suffix], + ]m4_dquote(m4_dquote(m4_shift(m4_shift(m4_shift($@)))))[, + [_Lt_sep([$1])[]m4_defn([_Lt_prefix])[$3]m4_defn([_Lt_suffix])])])])]) + + +# lt_if_append_uniq(MACRO-NAME, VARNAME, [SEPARATOR], [UNIQ], [NOT-UNIQ]) +# ----------------------------------------------------------------------- +# Iff MACRO-NAME does not yet contain VARNAME, then append it (delimited +# by SEPARATOR if supplied) and expand UNIQ, else NOT-UNIQ. +m4_define([lt_if_append_uniq], +[m4_ifdef([$1], + [m4_if(m4_index([$3]m4_defn([$1])[$3], [$3$2$3]), [-1], + [lt_append([$1], [$2], [$3])$4], + [$5])], + [lt_append([$1], [$2], [$3])$4])]) + + +# lt_dict_add(DICT, KEY, VALUE) +# ----------------------------- +m4_define([lt_dict_add], +[m4_define([$1($2)], [$3])]) + + +# lt_dict_add_subkey(DICT, KEY, SUBKEY, VALUE) +# -------------------------------------------- +m4_define([lt_dict_add_subkey], +[m4_define([$1($2:$3)], [$4])]) + + +# lt_dict_fetch(DICT, KEY, [SUBKEY]) +# ---------------------------------- +m4_define([lt_dict_fetch], +[m4_ifval([$3], + m4_ifdef([$1($2:$3)], [m4_defn([$1($2:$3)])]), + m4_ifdef([$1($2)], [m4_defn([$1($2)])]))]) + + +# lt_if_dict_fetch(DICT, KEY, [SUBKEY], VALUE, IF-TRUE, [IF-FALSE]) +# ----------------------------------------------------------------- +m4_define([lt_if_dict_fetch], +[m4_if(lt_dict_fetch([$1], [$2], [$3]), [$4], + [$5], + [$6])]) + + +# lt_dict_filter(DICT, [SUBKEY], VALUE, [SEPARATOR], KEY, [...]) +# -------------------------------------------------------------- +m4_define([lt_dict_filter], +[m4_if([$5], [], [], + [lt_join(m4_quote(m4_default([$4], [[, ]])), + lt_unquote(m4_split(m4_normalize(m4_foreach(_Lt_key, lt_car([m4_shiftn(4, $@)]), + [lt_if_dict_fetch([$1], _Lt_key, [$2], [$3], [_Lt_key ])])))))])[]dnl +]) + +# ltversion.m4 -- version numbers -*- Autoconf -*- +# +# Copyright (C) 2004 Free Software Foundation, Inc. +# Written by Scott James Remnant, 2004 +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# @configure_input@ + +# serial 3337 ltversion.m4 +# This file is part of GNU Libtool + +m4_define([LT_PACKAGE_VERSION], [2.4.2]) +m4_define([LT_PACKAGE_REVISION], [1.3337]) + +AC_DEFUN([LTVERSION_VERSION], +[macro_version='2.4.2' +macro_revision='1.3337' +_LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) +_LT_DECL(, macro_revision, 0) +]) + +# lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*- +# +# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc. +# Written by Scott James Remnant, 2004. +# +# This file is free software; the Free Software Foundation gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. + +# serial 5 lt~obsolete.m4 + +# These exist entirely to fool aclocal when bootstrapping libtool. +# +# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN) +# which have later been changed to m4_define as they aren't part of the +# exported API, or moved to Autoconf or Automake where they belong. +# +# The trouble is, aclocal is a bit thick. It'll see the old AC_DEFUN +# in /usr/share/aclocal/libtool.m4 and remember it, then when it sees us +# using a macro with the same name in our local m4/libtool.m4 it'll +# pull the old libtool.m4 in (it doesn't see our shiny new m4_define +# and doesn't know about Autoconf macros at all.) +# +# So we provide this file, which has a silly filename so it's always +# included after everything else. This provides aclocal with the +# AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything +# because those macros already exist, or will be overwritten later. +# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. +# +# Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here. +# Yes, that means every name once taken will need to remain here until +# we give up compatibility with versions before 1.7, at which point +# we need to keep only those names which we still refer to. + +# This is to help aclocal find these macros, as it can't see m4_define. +AC_DEFUN([LTOBSOLETE_VERSION], [m4_if([1])]) + +m4_ifndef([AC_LIBTOOL_LINKER_OPTION], [AC_DEFUN([AC_LIBTOOL_LINKER_OPTION])]) +m4_ifndef([AC_PROG_EGREP], [AC_DEFUN([AC_PROG_EGREP])]) +m4_ifndef([_LT_AC_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_AC_PROG_ECHO_BACKSLASH])]) +m4_ifndef([_LT_AC_SHELL_INIT], [AC_DEFUN([_LT_AC_SHELL_INIT])]) +m4_ifndef([_LT_AC_SYS_LIBPATH_AIX], [AC_DEFUN([_LT_AC_SYS_LIBPATH_AIX])]) +m4_ifndef([_LT_PROG_LTMAIN], [AC_DEFUN([_LT_PROG_LTMAIN])]) +m4_ifndef([_LT_AC_TAGVAR], [AC_DEFUN([_LT_AC_TAGVAR])]) +m4_ifndef([AC_LTDL_ENABLE_INSTALL], [AC_DEFUN([AC_LTDL_ENABLE_INSTALL])]) +m4_ifndef([AC_LTDL_PREOPEN], [AC_DEFUN([AC_LTDL_PREOPEN])]) +m4_ifndef([_LT_AC_SYS_COMPILER], [AC_DEFUN([_LT_AC_SYS_COMPILER])]) +m4_ifndef([_LT_AC_LOCK], [AC_DEFUN([_LT_AC_LOCK])]) +m4_ifndef([AC_LIBTOOL_SYS_OLD_ARCHIVE], [AC_DEFUN([AC_LIBTOOL_SYS_OLD_ARCHIVE])]) +m4_ifndef([_LT_AC_TRY_DLOPEN_SELF], [AC_DEFUN([_LT_AC_TRY_DLOPEN_SELF])]) +m4_ifndef([AC_LIBTOOL_PROG_CC_C_O], [AC_DEFUN([AC_LIBTOOL_PROG_CC_C_O])]) +m4_ifndef([AC_LIBTOOL_SYS_HARD_LINK_LOCKS], [AC_DEFUN([AC_LIBTOOL_SYS_HARD_LINK_LOCKS])]) +m4_ifndef([AC_LIBTOOL_OBJDIR], [AC_DEFUN([AC_LIBTOOL_OBJDIR])]) +m4_ifndef([AC_LTDL_OBJDIR], [AC_DEFUN([AC_LTDL_OBJDIR])]) +m4_ifndef([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH], [AC_DEFUN([AC_LIBTOOL_PROG_LD_HARDCODE_LIBPATH])]) +m4_ifndef([AC_LIBTOOL_SYS_LIB_STRIP], [AC_DEFUN([AC_LIBTOOL_SYS_LIB_STRIP])]) +m4_ifndef([AC_PATH_MAGIC], [AC_DEFUN([AC_PATH_MAGIC])]) +m4_ifndef([AC_PROG_LD_GNU], [AC_DEFUN([AC_PROG_LD_GNU])]) +m4_ifndef([AC_PROG_LD_RELOAD_FLAG], [AC_DEFUN([AC_PROG_LD_RELOAD_FLAG])]) +m4_ifndef([AC_DEPLIBS_CHECK_METHOD], [AC_DEFUN([AC_DEPLIBS_CHECK_METHOD])]) +m4_ifndef([AC_LIBTOOL_PROG_COMPILER_NO_RTTI], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_NO_RTTI])]) +m4_ifndef([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE], [AC_DEFUN([AC_LIBTOOL_SYS_GLOBAL_SYMBOL_PIPE])]) +m4_ifndef([AC_LIBTOOL_PROG_COMPILER_PIC], [AC_DEFUN([AC_LIBTOOL_PROG_COMPILER_PIC])]) +m4_ifndef([AC_LIBTOOL_PROG_LD_SHLIBS], [AC_DEFUN([AC_LIBTOOL_PROG_LD_SHLIBS])]) +m4_ifndef([AC_LIBTOOL_POSTDEP_PREDEP], [AC_DEFUN([AC_LIBTOOL_POSTDEP_PREDEP])]) +m4_ifndef([LT_AC_PROG_EGREP], [AC_DEFUN([LT_AC_PROG_EGREP])]) +m4_ifndef([LT_AC_PROG_SED], [AC_DEFUN([LT_AC_PROG_SED])]) +m4_ifndef([_LT_CC_BASENAME], [AC_DEFUN([_LT_CC_BASENAME])]) +m4_ifndef([_LT_COMPILER_BOILERPLATE], [AC_DEFUN([_LT_COMPILER_BOILERPLATE])]) +m4_ifndef([_LT_LINKER_BOILERPLATE], [AC_DEFUN([_LT_LINKER_BOILERPLATE])]) +m4_ifndef([_AC_PROG_LIBTOOL], [AC_DEFUN([_AC_PROG_LIBTOOL])]) +m4_ifndef([AC_LIBTOOL_SETUP], [AC_DEFUN([AC_LIBTOOL_SETUP])]) +m4_ifndef([_LT_AC_CHECK_DLFCN], [AC_DEFUN([_LT_AC_CHECK_DLFCN])]) +m4_ifndef([AC_LIBTOOL_SYS_DYNAMIC_LINKER], [AC_DEFUN([AC_LIBTOOL_SYS_DYNAMIC_LINKER])]) +m4_ifndef([_LT_AC_TAGCONFIG], [AC_DEFUN([_LT_AC_TAGCONFIG])]) +m4_ifndef([AC_DISABLE_FAST_INSTALL], [AC_DEFUN([AC_DISABLE_FAST_INSTALL])]) +m4_ifndef([_LT_AC_LANG_CXX], [AC_DEFUN([_LT_AC_LANG_CXX])]) +m4_ifndef([_LT_AC_LANG_F77], [AC_DEFUN([_LT_AC_LANG_F77])]) +m4_ifndef([_LT_AC_LANG_GCJ], [AC_DEFUN([_LT_AC_LANG_GCJ])]) +m4_ifndef([AC_LIBTOOL_LANG_C_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_C_CONFIG])]) +m4_ifndef([_LT_AC_LANG_C_CONFIG], [AC_DEFUN([_LT_AC_LANG_C_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_CXX_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_CXX_CONFIG])]) +m4_ifndef([_LT_AC_LANG_CXX_CONFIG], [AC_DEFUN([_LT_AC_LANG_CXX_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_F77_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_F77_CONFIG])]) +m4_ifndef([_LT_AC_LANG_F77_CONFIG], [AC_DEFUN([_LT_AC_LANG_F77_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_GCJ_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_GCJ_CONFIG])]) +m4_ifndef([_LT_AC_LANG_GCJ_CONFIG], [AC_DEFUN([_LT_AC_LANG_GCJ_CONFIG])]) +m4_ifndef([AC_LIBTOOL_LANG_RC_CONFIG], [AC_DEFUN([AC_LIBTOOL_LANG_RC_CONFIG])]) +m4_ifndef([_LT_AC_LANG_RC_CONFIG], [AC_DEFUN([_LT_AC_LANG_RC_CONFIG])]) +m4_ifndef([AC_LIBTOOL_CONFIG], [AC_DEFUN([AC_LIBTOOL_CONFIG])]) +m4_ifndef([_LT_AC_FILE_LTDLL_C], [AC_DEFUN([_LT_AC_FILE_LTDLL_C])]) +m4_ifndef([_LT_REQUIRED_DARWIN_CHECKS], [AC_DEFUN([_LT_REQUIRED_DARWIN_CHECKS])]) +m4_ifndef([_LT_AC_PROG_CXXCPP], [AC_DEFUN([_LT_AC_PROG_CXXCPP])]) +m4_ifndef([_LT_PREPARE_SED_QUOTE_VARS], [AC_DEFUN([_LT_PREPARE_SED_QUOTE_VARS])]) +m4_ifndef([_LT_PROG_ECHO_BACKSLASH], [AC_DEFUN([_LT_PROG_ECHO_BACKSLASH])]) +m4_ifndef([_LT_PROG_F77], [AC_DEFUN([_LT_PROG_F77])]) +m4_ifndef([_LT_PROG_FC], [AC_DEFUN([_LT_PROG_FC])]) +m4_ifndef([_LT_PROG_CXX], [AC_DEFUN([_LT_PROG_CXX])]) + --- bind9-9.9.3.dfsg.P2.orig/bin/named/client.c +++ bind9-9.9.3.dfsg.P2/bin/named/client.c @@ -994,6 +994,11 @@ } if (result != ISC_R_SUCCESS) goto done; + /* + * Stop after the question if TC was set for rate limiting. + */ + if ((client->message->flags & DNS_MESSAGEFLAG_TC) != 0) + goto renderend; result = dns_message_rendersection(client->message, DNS_SECTION_ANSWER, DNS_MESSAGERENDER_PARTIAL | @@ -1134,6 +1139,51 @@ #endif /* + * Try to rate limit error responses. + */ + if (client->view != NULL && client->view->rrl != NULL) { + isc_boolean_t wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + dns_rrl_result_t rrl_result; + + INSIST(rcode != dns_rcode_noerror && + rcode != dns_rcode_nxdomain); + wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP); + rrl_result = dns_rrl(client->view, &client->peeraddr, + TCP_CLIENT(client), + dns_rdataclass_in, dns_rdatatype_none, + NULL, result, client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped errors in the query category + * so that they are not lost in silence. + * Starts of rate-limited bursts are logged in + * NS_LOGCATEGORY_RRL. + */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_EERRORS, + NS_LOGMODULE_CLIENT, + DNS_RRL_LOG_DROP, + "%s", log_buf); + } + /* + * Some error responses cannot be 'slipped', + * so don't try to slip any error responses. + */ + if (!client->view->rrl->log_only) { + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_ratedropped); + isc_stats_increment(ns_g_server->nsstats, + dns_nsstatscounter_dropped); + ns_client_next(client, DNS_R_DROP); + return; + } + } + } + + /* * Message may be an in-progress reply that we had trouble * with, in which case QR will be set. We need to clear QR before * calling dns_message_reply() to avoid triggering an assertion. --- bind9-9.9.3.dfsg.P2.orig/bin/named/config.c +++ bind9-9.9.3.dfsg.P2/bin/named/config.c @@ -144,6 +144,8 @@ lame-ttl 600;\n\ max-ncache-ttl 10800; /* 3 hours */\n\ max-cache-ttl 604800; /* 1 week */\n\ + min-ncache-ttl 0; /* 0 hours */\n\ + min-cache-ttl 0; /* 0 seconds */\n\ transfer-format many-answers;\n\ max-cache-size 0;\n\ check-names master fail;\n\ @@ -228,6 +230,13 @@ notify no;\n\ allow-new-zones no;\n\ \n\ + # Prevent use of this zone in DNS amplified reflection DoS attacks\n\ + rate-limit {\n\ + responses-per-second 3;\n\ + slip 0;\n\ + min-table-size 10;\n\ + };\n\ +\n\ zone \"version.bind\" chaos {\n\ type master;\n\ database \"_builtin version\";\n\ --- bind9-9.9.3.dfsg.P2.orig/bin/named/include/named/query.h +++ bind9-9.9.3.dfsg.P2/bin/named/include/named/query.h @@ -85,6 +85,7 @@ #define NS_QUERYATTR_CACHEACLOK 0x2000 #define NS_QUERYATTR_DNS64 0x4000 #define NS_QUERYATTR_DNS64EXCLUDE 0x8000 +#define NS_QUERYATTR_RRL_CHECKED 0x10000 isc_result_t --- bind9-9.9.3.dfsg.P2.orig/bin/named/include/named/server.h +++ bind9-9.9.3.dfsg.P2/bin/named/include/named/server.h @@ -167,7 +167,10 @@ dns_nsstatscounter_rpz_rewrites = 36, - dns_nsstatscounter_max = 37 + dns_nsstatscounter_ratedropped = 37, + dns_nsstatscounter_rateslipped = 38, + + dns_nsstatscounter_max = 39 }; void --- bind9-9.9.3.dfsg.P2.orig/bin/named/main.c +++ bind9-9.9.3.dfsg.P2/bin/named/main.c @@ -643,14 +643,6 @@ ISC_LOG_INFO, "using up to %u sockets", socks); } - result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); - if (result != ISC_R_SUCCESS) { - UNEXPECTED_ERROR(__FILE__, __LINE__, - "isc_entropy_create() failed: %s", - isc_result_totext(result)); - return (ISC_R_UNEXPECTED); - } - result = isc_hash_create(ns_g_mctx, ns_g_entropy, DNS_NAME_MAXWIRE); if (result != ISC_R_SUCCESS) { UNEXPECTED_ERROR(__FILE__, __LINE__, @@ -666,10 +658,6 @@ destroy_managers(void) { ns_lwresd_shutdown(); - isc_entropy_detach(&ns_g_entropy); - if (ns_g_fallbackentropy != NULL) - isc_entropy_detach(&ns_g_fallbackentropy); - /* * isc_taskmgr_destroy() will block until all tasks have exited, */ @@ -770,6 +758,21 @@ } #endif + result = isc_entropy_create(ns_g_mctx, &ns_g_entropy); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("isc_entropy_create() failed: %s", + isc_result_totext(result)); + + /* + * DST may load additional libraries, which must be done before + * chroot + */ + result = dst_lib_init2(ns_g_mctx, ns_g_entropy, + ns_g_engine, ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + ns_main_earlyfatal("dst_lib_init2() failed: %s", + isc_result_totext(result)); + #ifdef ISC_PLATFORM_USETHREADS /* * Check for the number of cpu's before ns_os_chroot(). @@ -936,6 +939,12 @@ ns_builtin_deinit(); + dst_lib_destroy(); + + isc_entropy_detach(&ns_g_entropy); + if (ns_g_fallbackentropy != NULL) + isc_entropy_detach(&ns_g_fallbackentropy); + /* * Add calls to unregister sdb drivers here. */ --- bind9-9.9.3.dfsg.P2.orig/bin/named/query.c +++ bind9-9.9.3.dfsg.P2/bin/named/query.c @@ -193,7 +193,7 @@ #ifdef NEWSTATS /* Do query type statistics * - * We only increment per-type if we're using the authoriative + * We only increment per-type if we're using the authoritative * answer counter, preventing double-counting. */ if (counter == dns_nsstatscounter_authans) { @@ -879,11 +879,11 @@ static void rpz_log_rewrite(ns_client_t *client, isc_boolean_t disabled, dns_rpz_policy_t policy, dns_rpz_type_t type, - dns_zone_t *zone, dns_name_t *rpz_qname) + dns_zone_t *p_zone, dns_name_t *p_name) { isc_stats_t *zonestats; char qname_buf[DNS_NAME_FORMATSIZE]; - char rpz_qname_buf[DNS_NAME_FORMATSIZE]; + char p_name_buf[DNS_NAME_FORMATSIZE]; /* * Count enabled rewrites in the global counter. @@ -893,8 +893,8 @@ isc_stats_increment(ns_g_server->nsstats, dns_nsstatscounter_rpz_rewrites); } - if (zone != NULL) { - zonestats = dns_zone_getrequeststats(zone); + if (p_zone != NULL) { + zonestats = dns_zone_getrequeststats(p_zone); if (zonestats != NULL) isc_stats_increment(zonestats, dns_nsstatscounter_rpz_rewrites); @@ -904,68 +904,73 @@ return; dns_name_format(client->query.qname, qname_buf, sizeof(qname_buf)); - dns_name_format(rpz_qname, rpz_qname_buf, sizeof(rpz_qname_buf)); + dns_name_format(p_name, p_name_buf, sizeof(p_name_buf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_INFO_LEVEL, "%srpz %s %s rewrite %s via %s", disabled ? "disabled " : "", dns_rpz_type2str(type), dns_rpz_policy2str(policy), - qname_buf, rpz_qname_buf); + qname_buf, p_name_buf); } static void -rpz_log_fail(ns_client_t *client, int level, - dns_rpz_type_t rpz_type, dns_name_t *name, - const char *str, isc_result_t result) +rpz_log_fail(ns_client_t *client, int level, dns_name_t *p_name, + dns_rpz_type_t rpz_type, const char *str, isc_result_t result) { - char namebuf1[DNS_NAME_FORMATSIZE]; - char namebuf2[DNS_NAME_FORMATSIZE]; + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; + const char *failed; if (!isc_log_wouldlog(ns_g_lctx, level)) return; /* - * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed" for problems. */ - dns_name_format(client->query.qname, namebuf1, sizeof(namebuf1)); - dns_name_format(name, namebuf2, sizeof(namebuf2)); + if (level <= DNS_RPZ_DEBUG_LEVEL1) + failed = "failed: "; + else + failed = ": "; + dns_name_format(client->query.qname, qnamebuf, sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, NS_LOGCATEGORY_QUERY_EERRORS, NS_LOGMODULE_QUERY, level, - "rpz %s rewrite %s via %s %sfailed: %s", + "rpz %s rewrite %s via %s%s%s%s", dns_rpz_type2str(rpz_type), - namebuf1, namebuf2, str, isc_result_totext(result)); + qnamebuf, p_namebuf, + str, failed, isc_result_totext(result)); } /* * Get a policy rewrite zone database. */ static isc_result_t -rpz_getdb(ns_client_t *client, dns_rpz_type_t rpz_type, dns_name_t *rpz_qname, +rpz_getdb(ns_client_t *client, dns_name_t *p_name, dns_rpz_type_t rpz_type, dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp) { - char namebuf1[DNS_NAME_FORMATSIZE]; - char namebuf2[DNS_NAME_FORMATSIZE]; + char qnamebuf[DNS_NAME_FORMATSIZE]; + char p_namebuf[DNS_NAME_FORMATSIZE]; dns_dbversion_t *rpz_version = NULL; isc_result_t result; - result = query_getzonedb(client, rpz_qname, dns_rdatatype_any, + result = query_getzonedb(client, p_name, dns_rdatatype_any, DNS_GETDB_IGNOREACL, zonep, dbp, &rpz_version); if (result == ISC_R_SUCCESS) { if (isc_log_wouldlog(ns_g_lctx, DNS_RPZ_DEBUG_LEVEL2)) { - dns_name_format(client->query.qname, namebuf1, - sizeof(namebuf1)); - dns_name_format(rpz_qname, namebuf2, sizeof(namebuf2)); + dns_name_format(client->query.qname, qnamebuf, + sizeof(qnamebuf)); + dns_name_format(p_name, p_namebuf, sizeof(p_namebuf)); ns_client_log(client, DNS_LOGCATEGORY_RPZ, NS_LOGMODULE_QUERY, DNS_RPZ_DEBUG_LEVEL2, "try rpz %s rewrite %s via %s", dns_rpz_type2str(rpz_type), - namebuf1, namebuf2); + qnamebuf, p_namebuf); } *versionp = rpz_version; return (ISC_R_SUCCESS); } - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, rpz_qname, - "query_getzonedb() ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, + " query_getzonedb()", result); return (result); } @@ -3913,7 +3918,7 @@ dns_rdataset_disassociate(*rdatasetp); } -static void +static inline void rpz_match_clear(dns_rpz_st_t *st) { rpz_clean(&st->m.zone, &st->m.db, &st->m.node, &st->m.rdataset); @@ -3921,16 +3926,16 @@ } static inline isc_result_t -rpz_ready(ns_client_t *client, dns_zone_t **zonep, dns_db_t **dbp, - dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp) +rpz_ready(ns_client_t *client, dns_rdataset_t **rdatasetp) { REQUIRE(rdatasetp != NULL); - rpz_clean(zonep, dbp, nodep, rdatasetp); if (*rdatasetp == NULL) { *rdatasetp = query_newrdataset(client); if (*rdatasetp == NULL) return (DNS_R_SERVFAIL); + } else if (dns_rdataset_isassociated(*rdatasetp)) { + dns_rdataset_disassociate(*rdatasetp); } return (ISC_R_SUCCESS); } @@ -3959,13 +3964,83 @@ st->m.policy = DNS_RPZ_POLICY_MISS; } +static dns_rpz_zbits_t +rpz_get_zbits(ns_client_t *client, + dns_rdatatype_t ip_type, dns_rpz_type_t rpz_type) +{ + dns_rpz_zones_t *rpzs; + dns_rpz_st_t *st; + dns_rpz_zbits_t zbits; + + rpzs = client->view->rpzs; + + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits = rpzs->have.client_ip; + break; + case DNS_RPZ_TYPE_QNAME: + zbits = rpzs->have.qname; + break; + case DNS_RPZ_TYPE_IP: + if (ip_type == dns_rdatatype_a) { + zbits = rpzs->have.ipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = rpzs->have.ipv6; + } else { + zbits = rpzs->have.ip; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + zbits = rpzs->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + if (ip_type == dns_rdatatype_a) { + zbits = rpzs->have.nsipv4; + } else if (ip_type == dns_rdatatype_aaaa) { + zbits = rpzs->have.nsipv6; + } else { + zbits = rpzs->have.nsip; + } + break; + default: + INSIST(0); + break; + } + + st = client->query.rpz_st; + + /* + * Choose + * the earliest configured policy zone (rpz->num) + * QNAME over IP over NSDNAME over NSIP (rpz_type) + * the smallest name, + * the longest IP address prefix, + * the lexically smallest address. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.type >= rpz_type) { + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num); + } else{ + zbits &= DNS_RPZ_ZMASK(st->m.rpz->num) >> 1; + } + } + + /* + * If the client wants recursion, allow only compatible policies. + */ + if (!RECURSIONOK(client)) + zbits &= rpzs->p.no_rd_ok; + + return (zbits); +} + /* - * Get NS, A, or AAAA rrset for response policy zone checks. + * Get an NS, A, or AAAA rrset related to the response for the client + * to check the contents of that rrset for hits by eligible policy zones. */ static isc_result_t -rpz_rrset_find(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_name_t *name, dns_rdatatype_t type, - dns_db_t **dbp, dns_dbversion_t *version, +rpz_rrset_find(ns_client_t *client, dns_name_t *name, dns_rdatatype_t type, + dns_rpz_type_t rpz_type, dns_db_t **dbp, dns_dbversion_t *version, dns_rdataset_t **rdatasetp, isc_boolean_t resuming) { dns_rpz_st_t *st; @@ -3977,15 +4052,13 @@ dns_clientinfomethods_t cm; dns_clientinfo_t ci; - dns_clientinfomethods_init(&cm, ns_client_sourceip); - dns_clientinfo_init(&ci, client); - st = client->query.rpz_st; if ((st->state & DNS_RPZ_RECURSING) != 0) { INSIST(st->r.r_type == type); INSIST(dns_name_equal(name, st->r_name)); INSIST(*rdatasetp == NULL || !dns_rdataset_isassociated(*rdatasetp)); + INSIST(*dbp == NULL); st->state &= ~DNS_RPZ_RECURSING; *dbp = st->r.db; st->r.db = NULL; @@ -3995,16 +4068,15 @@ st->r.r_rdataset = NULL; result = st->r.r_result; if (result == DNS_R_DELEGATION) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, name, - "rpz_rrset_find(1) ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, " rpz_rrset_find(1)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; result = DNS_R_SERVFAIL; } return (result); } - result = rpz_ready(client, NULL, NULL, NULL, rdatasetp); + result = rpz_ready(client, rdatasetp); if (result != ISC_R_SUCCESS) { st->m.policy = DNS_RPZ_POLICY_ERROR; return (result); @@ -4019,9 +4091,8 @@ result = query_getdb(client, name, type, 0, &zone, dbp, &version, &is_zone); if (result != ISC_R_SUCCESS) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, name, - "rpz_rrset_find(2) ", result); + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, " rpz_rrset_find(2)", result); st->m.policy = DNS_RPZ_POLICY_ERROR; if (zone != NULL) dns_zone_detach(&zone); @@ -4034,6 +4105,8 @@ node = NULL; dns_fixedname_init(&fixed); found = dns_fixedname_name(&fixed); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); result = dns_db_findext(*dbp, name, version, type, DNS_DBFIND_GLUEOK, client->now, &node, found, &cm, &ci, *rdatasetp, NULL); @@ -4072,177 +4145,97 @@ } /* - * Check the IP address in an A or AAAA rdataset against - * the IP or NSIP response policy rules of a view. + * Compute a policy owner name, p_name, in a policy zone given the needed + * policy type and the trigger name. */ static isc_result_t -rpz_rewrite_ip(ns_client_t *client, dns_rdataset_t *rdataset, - dns_rpz_type_t rpz_type) -{ - dns_rpz_st_t *st; - dns_dbversion_t *version; - dns_zone_t *zone; - dns_db_t *db; - dns_rpz_zone_t *rpz; +rpz_get_p_name(ns_client_t *client, dns_name_t *p_name, + dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_name_t *trig_name) +{ + dns_offsets_t prefix_offsets; + dns_name_t prefix, *suffix; + unsigned int first, labels; isc_result_t result; - st = client->query.rpz_st; - if (st->m.rdataset == NULL) { - st->m.rdataset = query_newrdataset(client); - if (st->m.rdataset == NULL) - return (DNS_R_SERVFAIL); - } - zone = NULL; - db = NULL; - for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) { - if (!RECURSIONOK(client) && rpz->recursive_only) - continue; - - /* - * Do not check policy zones that cannot replace a policy - * already known to match. - */ - if (st->m.policy != DNS_RPZ_POLICY_MISS) { - if (st->m.rpz->num < rpz->num) - break; - if (st->m.rpz->num == rpz->num && - st->m.type < rpz_type) - continue; - } - - /* - * Find the database for this policy zone to get its radix tree. - */ - version = NULL; - result = rpz_getdb(client, rpz_type, &rpz->origin, - &zone, &db, &version); - if (result != ISC_R_SUCCESS) { - rpz_clean(&zone, &db, NULL, NULL); - continue; - } - /* - * Look for a better (e.g. longer prefix) hit for an IP address - * in this rdataset in this radix tree than than the previous - * hit, if any. Note the domain name and quality of the - * best hit. - */ - dns_db_rpz_findips(rpz, rpz_type, zone, db, version, - rdataset, st, client->query.rpz_st->qname); - rpz_clean(&zone, &db, NULL, NULL); - } - return (ISC_R_SUCCESS); -} - -/* - * Look for an A or AAAA rdataset - * and check for IP or NSIP rewrite policy rules. - */ -static isc_result_t -rpz_rewrite_rrset(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_rdatatype_t type, dns_name_t *name, - dns_db_t **dbp, dns_dbversion_t *version, - dns_rdataset_t **rdatasetp, isc_boolean_t resuming) -{ - isc_result_t result; - - result = rpz_rrset_find(client, rpz_type, name, type, dbp, version, - rdatasetp, resuming); - switch (result) { - case ISC_R_SUCCESS: - case DNS_R_GLUE: - case DNS_R_ZONECUT: - result = rpz_rewrite_ip(client, *rdatasetp, rpz_type); + /* + * The policy owner name consists of a suffix depending on the type + * and policy zone and a prefix that is the longest possible string + * from the trigger name that keesp the resulting policy owner name + * from being too long. + */ + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + suffix = &rpz->client_ip; break; - case DNS_R_EMPTYNAME: - case DNS_R_EMPTYWILD: - case DNS_R_NXDOMAIN: - case DNS_R_NCACHENXDOMAIN: - case DNS_R_NXRRSET: - case DNS_R_NCACHENXRRSET: - case ISC_R_NOTFOUND: - result = ISC_R_SUCCESS; + case DNS_RPZ_TYPE_QNAME: + suffix = &rpz->origin; break; - case DNS_R_DELEGATION: - case DNS_R_DUPLICATE: - case DNS_R_DROP: + case DNS_RPZ_TYPE_IP: + suffix = &rpz->ip; break; - case DNS_R_CNAME: - case DNS_R_DNAME: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, rpz_type, - name, "NS address rewrite rrset ", result); - result = ISC_R_SUCCESS; + case DNS_RPZ_TYPE_NSDNAME: + suffix = &rpz->nsdname; break; - default: - if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - name, "NS address rewrite rrset ", result); - } + case DNS_RPZ_TYPE_NSIP: + suffix = &rpz->nsip; break; + default: + INSIST(0); } - return (result); -} -/* - * Look for both A and AAAA rdatasets - * and check for IP or NSIP rewrite policy rules. - * Look only for addresses that will be in the ANSWER section - * when checking for IP rules. - */ -static isc_result_t -rpz_rewrite_rrsets(ns_client_t *client, dns_rpz_type_t rpz_type, - dns_name_t *name, dns_rdatatype_t type, - dns_rdataset_t **rdatasetp, isc_boolean_t resuming) -{ - dns_rpz_st_t *st; - dns_dbversion_t *version; - dns_db_t *ipdb; - isc_result_t result; - - st = client->query.rpz_st; - version = NULL; - ipdb = NULL; - if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && - ((rpz_type == DNS_RPZ_TYPE_NSIP) ? - (st->state & DNS_RPZ_HAVE_NSIPv4) : - (st->state & DNS_RPZ_HAVE_IP)) != 0 && - (type == dns_rdatatype_any || type == dns_rdatatype_a)) { - result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_a, - name, &ipdb, version, rdatasetp, - resuming); + /* + * Start with relative version of the full trigger name, + * and trim enough allow the addition of the suffix. + */ + dns_name_init(&prefix, prefix_offsets); + labels = dns_name_countlabels(trig_name); + first = 0; + for (;;) { + dns_name_getlabelsequence(trig_name, first, labels-first-1, + &prefix); + result = dns_name_concatenate(&prefix, suffix, p_name, NULL); if (result == ISC_R_SUCCESS) - st->state |= DNS_RPZ_DONE_IPv4; - } else { - result = ISC_R_SUCCESS; - } - if (result == ISC_R_SUCCESS && - ((rpz_type == DNS_RPZ_TYPE_NSIP) ? - (st->state & DNS_RPZ_HAVE_NSIPv6) : - (st->state & DNS_RPZ_HAVE_IP)) != 0 && - (type == dns_rdatatype_any || type == dns_rdatatype_aaaa)) { - result = rpz_rewrite_rrset(client, rpz_type, dns_rdatatype_aaaa, - name, &ipdb, version, rdatasetp, - resuming); + return (ISC_R_SUCCESS); + INSIST(result == DNS_R_NAMETOOLONG); + /* + * Trim the trigger name until the combination is not too long. + */ + if (labels-first < 2) { + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, suffix, + rpz_type, " concatentate()", result); + return (ISC_R_FAILURE); + } + /* + * Complain once about trimming the trigger name. + */ + if (first == 0) { + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, suffix, + rpz_type, " concatentate()", result); + } + ++first; } - if (ipdb != NULL) - dns_db_detach(&ipdb); - return (result); } /* - * Get the rrset from a response policy zone. + * Look in policy zone rpz for a policy of rpz_type by p_name. + * The self-name (usually the client qname or an NS name) is compared with + * the target of a CNAME policy for the old style passthru encoding. + * If found, the policy is recorded in *zonep, *dbp, *versionp, *nodep, + * *rdatasetp, and *policyp. + * The target DNS type, qtype, chooses the best rdataset for *rdatasetp. + * The caller must decide if the found policy is most suitable, including + * better than a previously found policy. + * If it is best, the caller records it in client->query.rpz_st->m. */ static isc_result_t -rpz_find(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qnamef, - dns_name_t *sname, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, - dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, - dns_rpz_policy_t *policyp) +rpz_find_p(ns_client_t *client, dns_name_t *self_name, dns_rdatatype_t qtype, + dns_name_t *p_name, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_zone_t **zonep, dns_db_t **dbp, dns_dbversion_t **versionp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_rpz_policy_t *policyp) { - dns_rpz_policy_t policy; - dns_fixedname_t fixed; + dns_fixedname_t foundf; dns_name_t *found; isc_result_t result; dns_clientinfomethods_t cm; @@ -4250,31 +4243,28 @@ REQUIRE(nodep != NULL); - dns_clientinfomethods_init(&cm, ns_client_sourceip); - dns_clientinfo_init(&ci, client); - - result = rpz_ready(client, zonep, dbp, nodep, rdatasetp); - if (result != ISC_R_SUCCESS) { - *policyp = DNS_RPZ_POLICY_ERROR; - return (result); - } - /* - * Try to get either a CNAME or the type of record demanded by the + * Try to find either a CNAME or the type of record demanded by the * request from the policy zone. */ + rpz_clean(zonep, dbp, nodep, rdatasetp); + result = rpz_ready(client, rdatasetp); + if (result != ISC_R_SUCCESS) + return (DNS_R_SERVFAIL); *versionp = NULL; - result = rpz_getdb(client, rpz_type, qnamef, zonep, dbp, versionp); - if (result != ISC_R_SUCCESS) { - *policyp = DNS_RPZ_POLICY_MISS; + result = rpz_getdb(client, p_name, rpz_type, zonep, dbp, versionp); + if (result != ISC_R_SUCCESS) return (DNS_R_NXDOMAIN); - } - - dns_fixedname_init(&fixed); - found = dns_fixedname_name(&fixed); - result = dns_db_findext(*dbp, qnamef, *versionp, dns_rdatatype_any, 0, + dns_fixedname_init(&foundf); + found = dns_fixedname_name(&foundf); + dns_clientinfomethods_init(&cm, ns_client_sourceip); + dns_clientinfo_init(&ci, client); + result = dns_db_findext(*dbp, p_name, *versionp, dns_rdatatype_any, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); + /* + * Choose the best rdataset if we found something. + */ if (result == ISC_R_SUCCESS) { dns_rdatasetiter_t *rdsiter; @@ -4282,10 +4272,8 @@ result = dns_db_allrdatasets(*dbp, *nodep, *versionp, 0, &rdsiter); if (result != ISC_R_SUCCESS) { - dns_db_detachnode(*dbp, nodep); - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, - qnamef, "allrdatasets() ", result); - *policyp = DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, + rpz_type, " allrdatasets()", result); return (DNS_R_SERVFAIL); } for (result = dns_rdatasetiter_first(rdsiter); @@ -4301,9 +4289,8 @@ if (result != ISC_R_SUCCESS) { if (result != ISC_R_NOMORE) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, qnamef, "rdatasetiter ", - result); - *policyp = DNS_RPZ_POLICY_ERROR; + p_name, rpz_type, + " rdatasetiter", result); return (DNS_R_SERVFAIL); } /* @@ -4318,7 +4305,7 @@ qtype == dns_rdatatype_sig) result = DNS_R_NXRRSET; else - result = dns_db_findext(*dbp, qnamef, *versionp, + result = dns_db_findext(*dbp, p_name, *versionp, qtype, 0, client->now, nodep, found, &cm, &ci, *rdatasetp, NULL); @@ -4327,162 +4314,476 @@ switch (result) { case ISC_R_SUCCESS: if ((*rdatasetp)->type != dns_rdatatype_cname) { - policy = DNS_RPZ_POLICY_RECORD; + *policyp = DNS_RPZ_POLICY_RECORD; } else { - policy = dns_rpz_decode_cname(rpz, *rdatasetp, sname); - if ((policy == DNS_RPZ_POLICY_RECORD || - policy == DNS_RPZ_POLICY_WILDCNAME) && + *policyp = dns_rpz_decode_cname(rpz, *rdatasetp, + self_name); + if ((*policyp == DNS_RPZ_POLICY_RECORD || + *policyp == DNS_RPZ_POLICY_WILDCNAME) && qtype != dns_rdatatype_cname && qtype != dns_rdatatype_any) - result = DNS_R_CNAME; + return (DNS_R_CNAME); } - break; + return (ISC_R_SUCCESS); case DNS_R_NXRRSET: - policy = DNS_RPZ_POLICY_NODATA; - break; + *policyp = DNS_RPZ_POLICY_NODATA; + return (result); case DNS_R_DNAME: /* * DNAME policy RRs have very few if any uses that are not - * better served with simple wildcards. Making the work would + * better served with simple wildcards. Making them work would * require complications to get the number of labels matched * in the name or the found name to the main DNS_R_DNAME case - * in query_find(). - */ - dns_rdataset_disassociate(*rdatasetp); - dns_db_detachnode(*dbp, nodep); - /* - * Fall through to treat it as a miss. + * in query_find(). The domain also does not appear in the + * summary database at the right level, so this happens only + * with a single policy zone when we have no summary database. + * Treat it as a miss. */ case DNS_R_NXDOMAIN: case DNS_R_EMPTYNAME: - /* - * If we don't get a qname hit, - * see if it is worth looking for other types. - */ - (void)dns_db_rpz_enabled(*dbp, client->query.rpz_st); - dns_db_detach(dbp); - dns_zone_detach(zonep); - result = DNS_R_NXDOMAIN; - policy = DNS_RPZ_POLICY_MISS; - break; + return (DNS_R_NXDOMAIN); default: - dns_db_detach(dbp); - dns_zone_detach(zonep); - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, rpz_type, qnamef, + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, p_name, rpz_type, "", result); return (DNS_R_SERVFAIL); } +} - *policyp = policy; - return (result); +static void +rpz_save_p(dns_rpz_st_t *st, dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, + dns_rpz_policy_t policy, dns_name_t *p_name, dns_rpz_prefix_t prefix, + isc_result_t result, dns_zone_t **zonep, dns_db_t **dbp, + dns_dbnode_t **nodep, dns_rdataset_t **rdatasetp, + dns_dbversion_t *version) +{ + dns_rdataset_t *trdataset; + + rpz_match_clear(st); + st->m.rpz = rpz; + st->m.type = rpz_type; + st->m.policy = policy; + dns_name_copy(p_name, st->p_name, NULL); + st->m.prefix = prefix; + st->m.result = result; + st->m.zone = *zonep; + *zonep = NULL; + st->m.db = *dbp; + *dbp = NULL; + st->m.node = *nodep; + *nodep = NULL; + if (*rdatasetp != NULL && dns_rdataset_isassociated(*rdatasetp)) { + /* + * Save the replacement rdataset from the policy + * and make the previous replacement rdataset scratch. + */ + trdataset = st->m.rdataset; + st->m.rdataset = *rdatasetp; + *rdatasetp = trdataset; + st->m.ttl = ISC_MIN(st->m.rdataset->ttl, rpz->max_policy_ttl); + } else { + st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, rpz->max_policy_ttl); + } + st->m.version = version; } /* - * Build and look for a QNAME or NSDNAME owner name in a response policy zone. + * Check this address in every eligible policy zone. */ static isc_result_t -rpz_rewrite_name(ns_client_t *client, dns_rdatatype_t qtype, dns_name_t *qname, - dns_rpz_type_t rpz_type, dns_rdataset_t **rdatasetp) +rpz_rewrite_ip(ns_client_t *client, const isc_netaddr_t *netaddr, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_rdataset_t **p_rdatasetp) { + dns_rpz_zones_t *rpzs; dns_rpz_st_t *st; dns_rpz_zone_t *rpz; - dns_fixedname_t prefixf, rpz_qnamef; - dns_name_t *prefix, *suffix, *rpz_qname; - dns_zone_t *zone; - dns_db_t *db; - dns_dbversion_t *version; - dns_dbnode_t *node; + dns_rpz_prefix_t prefix; + dns_rpz_num_t rpz_num; + dns_fixedname_t ip_namef, p_namef; + dns_name_t *ip_name, *p_name; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; dns_rpz_policy_t policy; - unsigned int labels; isc_result_t result; - st = client->query.rpz_st; - zone = NULL; - db = NULL; - node = NULL; + dns_fixedname_init(&ip_namef); + ip_name = dns_fixedname_name(&ip_namef); - for (rpz = ISC_LIST_HEAD(client->view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) { - if (!RECURSIONOK(client) && rpz->recursive_only) - continue; + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + rpzs = client->view->rpzs; + st = client->query.rpz_st; + while (zbits != 0) { + rpz_num = dns_rpz_find_ip(rpzs, rpz_type, zbits, netaddr, + ip_name, &prefix); + if (rpz_num == DNS_RPZ_INVALID_NUM) + break; + zbits &= (DNS_RPZ_ZMASK(rpz_num) >> 1); /* - * Do not check policy zones that cannot replace a policy - * already known to match. + * Do not try applying policy zones that cannot replace a + * previously found policy zone. + * Stop looking if the next best choice cannot + * replace what we already have. */ + rpz = rpzs->zones[rpz_num]; if (st->m.policy != DNS_RPZ_POLICY_MISS) { if (st->m.rpz->num < rpz->num) break; if (st->m.rpz->num == rpz->num && - st->m.type < rpz_type) - continue; + (st->m.type < rpz_type || + st->m.prefix > prefix)) + break; } + /* - * Construct the policy's owner name. + * Get the policy for a prefix at least as long + * as the prefix of the entry we had before. */ - dns_fixedname_init(&prefixf); - prefix = dns_fixedname_name(&prefixf); - dns_name_split(qname, 1, prefix, NULL); - if (rpz_type == DNS_RPZ_TYPE_NSDNAME) - suffix = &rpz->nsdname; - else - suffix = &rpz->origin; - dns_fixedname_init(&rpz_qnamef); - rpz_qname = dns_fixedname_name(&rpz_qnamef); - for (;;) { - result = dns_name_concatenate(prefix, suffix, - rpz_qname, NULL); - if (result == ISC_R_SUCCESS) - break; - INSIST(result == DNS_R_NAMETOOLONG); + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + result = rpz_get_p_name(client, p_name, rpz, rpz_type, ip_name); + if (result != ISC_R_SUCCESS) + continue; + result = rpz_find_p(client, ip_name, qtype, + p_name, rpz, rpz_type, + &p_zone, &p_db, &p_version, &p_node, + p_rdatasetp, &policy); + switch (result) { + case DNS_R_NXDOMAIN: /* - * Trim the name until it is not too long. + * Continue after a policy record that is missing + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. */ - labels = dns_name_countlabels(prefix); - if (labels < 2) { - rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - rpz_type, suffix, - "concatentate() ", result); - return (ISC_R_SUCCESS); - } - if (labels+1 == dns_name_countlabels(qname)) { - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, - rpz_type, suffix, - "concatentate() ", result); + continue; + case DNS_R_SERVFAIL: + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + st->m.policy = DNS_RPZ_POLICY_ERROR; + return (DNS_R_SERVFAIL); + default: + /* + * Forget this policy if it is not preferable + * to the previously found policy. + * If this policy is not good, then stop looking + * because none of the later policy zones would work. + * + * With more than one applicable policy, prefer + * the earliest configured policy, + * client-IP over QNAME over IP over NSDNAME over NSIP, + * the longest prefix + * the lexically smallest address. + * dns_rpz_find_ip() ensures st->m.rpz->num >= rpz->num. + * We can compare new and current p_name because + * both are of the same type and in the same zone. + * The tests above eliminate other reasons to + * reject this policy. If this policy can't work, + * then neither can later zones. + */ + if (st->m.policy != DNS_RPZ_POLICY_MISS && + rpz->num == st->m.rpz->num && + (st->m.type == rpz_type && + st->m.prefix == prefix && + 0 > dns_name_rdatacompare(st->p_name, p_name))) + break; + + /* + * Stop checking after saving an enabled hit in this + * policy zone. The radix tree in the policy zone + * ensures that we found the longest match. + */ + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, prefix, result, + &p_zone, &p_db, &p_node, + p_rdatasetp, p_version); + break; } - dns_name_split(prefix, labels - 1, NULL, prefix); + + /* + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. + */ + rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type, + p_zone, p_name); + } + } + + rpz_clean(&p_zone, &p_db, &p_node, p_rdatasetp); + return (ISC_R_SUCCESS); +} + +/* + * Check the IP addresses in the A or AAAA rrsets for name against + * all eligible rpz_type (IP or NSIP) response policy rewrite rules. + */ +static isc_result_t +rpz_rewrite_ip_rrset(ns_client_t *client, + dns_name_t *name, dns_rdatatype_t qtype, + dns_rpz_type_t rpz_type, dns_rdatatype_t ip_type, + dns_db_t **ip_dbp, dns_dbversion_t *ip_version, + dns_rdataset_t **ip_rdatasetp, + dns_rdataset_t **p_rdatasetp, isc_boolean_t resuming) +{ + dns_rpz_zbits_t zbits; + isc_netaddr_t netaddr; + struct in_addr ina; + struct in6_addr in6a; + isc_result_t result; + + zbits = rpz_get_zbits(client, ip_type, rpz_type); + if (zbits == 0) + return (ISC_R_SUCCESS); + + /* + * Get the A or AAAA rdataset. + */ + result = rpz_rrset_find(client, name, ip_type, rpz_type, ip_dbp, + ip_version, ip_rdatasetp, resuming); + switch (result) { + case ISC_R_SUCCESS: + case DNS_R_GLUE: + case DNS_R_ZONECUT: + break; + case DNS_R_EMPTYNAME: + case DNS_R_EMPTYWILD: + case DNS_R_NXDOMAIN: + case DNS_R_NCACHENXDOMAIN: + case DNS_R_NXRRSET: + case DNS_R_NCACHENXRRSET: + case ISC_R_NOTFOUND: + return (ISC_R_SUCCESS); + case DNS_R_DELEGATION: + case DNS_R_DUPLICATE: + case DNS_R_DROP: + return (result); + case DNS_R_CNAME: + case DNS_R_DNAME: + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, name, rpz_type, + " NS address rewrite rrset", result); + return (ISC_R_SUCCESS); + default: + if (client->query.rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { + client->query.rpz_st->m.policy = DNS_RPZ_POLICY_ERROR; + rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, name, + rpz_type, " NS address rewrite rrset", + result); + } + return (DNS_R_SERVFAIL); + } + + /* + * Check all of the IP addresses in the rdataset. + */ + for (result = dns_rdataset_first(*ip_rdatasetp); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(*ip_rdatasetp)) { + + dns_rdata_t rdata = DNS_RDATA_INIT; + dns_rdataset_current(*ip_rdatasetp, &rdata); + switch (rdata.type) { + case dns_rdatatype_a: + INSIST(rdata.length == 4); + memcpy(&ina.s_addr, rdata.data, 4); + isc_netaddr_fromin(&netaddr, &ina); + break; + case dns_rdatatype_aaaa: + INSIST(rdata.length == 16); + memcpy(in6a.s6_addr, rdata.data, 16); + isc_netaddr_fromin6(&netaddr, &in6a); + break; + default: + continue; + } + + result = rpz_rewrite_ip(client, &netaddr, qtype, rpz_type, + zbits, p_rdatasetp); + if (result != ISC_R_SUCCESS) + return (result); + } + + return (ISC_R_SUCCESS); +} + +/* + * Look for IP addresses in A and AAAA rdatasets + * that trigger all eligible IP or NSIP policy rules. + */ +static isc_result_t +rpz_rewrite_ip_rrsets(ns_client_t *client, dns_name_t *name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rdataset_t **ip_rdatasetp, isc_boolean_t resuming) +{ + dns_rpz_st_t *st; + dns_dbversion_t *ip_version; + dns_db_t *ip_db; + dns_rdataset_t *p_rdataset; + isc_result_t result; + + st = client->query.rpz_st; + ip_version = NULL; + ip_db = NULL; + p_rdataset = NULL; + if ((st->state & DNS_RPZ_DONE_IPv4) == 0 && + (qtype == dns_rdatatype_a || + qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) { + /* + * Rewrite based on an IPv4 address that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset(client, name, qtype, + rpz_type, dns_rdatatype_a, + &ip_db, ip_version, ip_rdatasetp, + &p_rdataset, resuming); + if (result == ISC_R_SUCCESS) + st->state |= DNS_RPZ_DONE_IPv4; + } else { + result = ISC_R_SUCCESS; + } + if (result == ISC_R_SUCCESS && + (qtype == dns_rdatatype_aaaa || + qtype == dns_rdatatype_any || + rpz_type == DNS_RPZ_TYPE_NSIP)) { + /* + * Rewrite based on IPv6 addresses that will appear + * in the ANSWER section or if we are checking IP addresses. + */ + result = rpz_rewrite_ip_rrset(client, name, qtype, + rpz_type, dns_rdatatype_aaaa, + &ip_db, ip_version, ip_rdatasetp, + &p_rdataset, resuming); + } + if (ip_db != NULL) + dns_db_detach(&ip_db); + query_putrdataset(client, &p_rdataset); + return (result); +} + +/* + * Try to rewrite a request for a qtype rdataset based on the trigger name + * trig_name and rpz_type (DNS_RPZ_TYPE_QNAME or DNS_RPZ_TYPE_NSDNAME). + * Record the results including the replacement rdataset if any + * in client->query.rpz_st. + * *rdatasetp is a scratch rdataset. + */ +static isc_result_t +rpz_rewrite_name(ns_client_t *client, dns_name_t *trig_name, + dns_rdatatype_t qtype, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t allowed_zbits, dns_rdataset_t **rdatasetp) +{ + dns_rpz_zone_t *rpz; + dns_rpz_st_t *st; + dns_fixedname_t p_namef; + dns_name_t *p_name; + dns_rpz_zbits_t zbits; + dns_rpz_num_t rpz_num; + dns_zone_t *p_zone; + dns_db_t *p_db; + dns_dbversion_t *p_version; + dns_dbnode_t *p_node; + dns_rpz_policy_t policy; + isc_result_t result; + + zbits = rpz_get_zbits(client, qtype, rpz_type); + zbits &= allowed_zbits; + if (zbits == 0) + return (ISC_R_SUCCESS); + + /* + * If there is only one eligible policy zone, just check it. + * If more than one, then use the summary database to find + * the bit mask of policy zones with policies for this trigger name. + * x&-x is the least significant bit set in x + */ + if (zbits != (zbits & (~zbits + 1))) { + zbits = dns_rpz_find_name(client->view->rpzs, + rpz_type, zbits, trig_name); + if (zbits == 0) + return (ISC_R_SUCCESS); + } + + dns_fixedname_init(&p_namef); + p_name = dns_fixedname_name(&p_namef); + + p_zone = NULL; + p_db = NULL; + p_node = NULL; + + st = client->query.rpz_st; + + /* + * Check the trigger name in every policy zone that the summary data + * says has a hit for the trigger name. + * Most of the time there are no eligible zones and the summary data + * keeps us from getting this far. + * We check the most eligible zone first and so usually check only + * one policy zone. + */ + for (rpz_num = 0; + zbits != 0; + ++rpz_num, zbits >>= 1) { + if ((zbits & 1) == 0) { + INSIST(rpz_num <= client->view->rpzs->p.num_zones); + continue; } /* - * See if the policy record exists and get its policy. + * Do not check policy zones that cannot replace a previously + * found policy. */ - result = rpz_find(client, qtype, rpz_qname, qname, rpz, - rpz_type, &zone, &db, &version, &node, - rdatasetp, &policy); + rpz = client->view->rpzs->zones[rpz_num]; + if (st->m.policy != DNS_RPZ_POLICY_MISS) { + if (st->m.rpz->num < rpz->num) + break; + if (st->m.rpz->num == rpz->num && + st->m.type < rpz_type) + break; + } + + /* + * Get the next policy zone's record for this trigger name. + */ + result = rpz_get_p_name(client, p_name, rpz, rpz_type, + trig_name); + if (result != ISC_R_SUCCESS) + continue; + result = rpz_find_p(client, trig_name, qtype, p_name, + rpz, rpz_type, + &p_zone, &p_db, &p_version, &p_node, + rdatasetp, &policy); switch (result) { case DNS_R_NXDOMAIN: - break; + /* + * Continue after a missing policy record + * contrary to the summary data. The summary + * data can out of date during races with and among + * policy zone updates. + */ + continue; case DNS_R_SERVFAIL: - rpz_clean(&zone, &db, &node, rdatasetp); + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); st->m.policy = DNS_RPZ_POLICY_ERROR; return (DNS_R_SERVFAIL); default: /* - * We are dealing with names here. * With more than one applicable policy, prefer * the earliest configured policy, - * QNAME over IP over NSDNAME over NSIP, + * client-IP over QNAME over IP over NSDNAME over NSIP, * and the smallest name. - * Because of the testing above, - * we known st->m.rpz->num >= rpz->num and either + * We known st->m.rpz->num >= rpz->num and either * st->m.rpz->num > rpz->num or st->m.type >= rpz_type */ if (st->m.policy != DNS_RPZ_POLICY_MISS && rpz->num == st->m.rpz->num && (st->m.type < rpz_type || (st->m.type == rpz_type && - 0 >= dns_name_compare(rpz_qname, st->qname)))) + 0 >= dns_name_compare(p_name, st->p_name)))) continue; #if 0 /* @@ -4505,11 +4806,12 @@ * names in TLDs that start with "rpz-" should * ICANN ever allow such TLDs. */ - labels = dns_name_countlabels(qname); + unsigned int labels; + labels = dns_name_countlabels(trig_name); if (labels >= 2) { dns_label_t label; - dns_name_getlabel(qname, labels-2, &label); + dns_name_getlabel(trig_name, labels-2, &label); if (label.length >= sizeof(DNS_RPZ_PREFIX)-1 && strncasecmp((const char *)label.base+1, DNS_RPZ_PREFIX, @@ -4517,46 +4819,29 @@ continue; } #endif + if (rpz->policy != DNS_RPZ_POLICY_DISABLED) { + rpz_save_p(st, rpz, rpz_type, + policy, p_name, 0, result, + &p_zone, &p_db, &p_node, + rdatasetp, p_version); + /* + * After a hit, higher numbered policy zones + * are irrelevant + */ + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); + return (ISC_R_SUCCESS); + } /* - * Merely log DNS_RPZ_POLICY_DISABLED hits. + * Log DNS_RPZ_POLICY_DISABLED zones + * and try the next eligible policy zone. */ - if (rpz->policy == DNS_RPZ_POLICY_DISABLED) { - rpz_log_rewrite(client, ISC_TRUE, policy, - rpz_type, zone, rpz_qname); - continue; - } - - rpz_match_clear(st); - st->m.rpz = rpz; - st->m.type = rpz_type; - st->m.prefix = 0; - st->m.policy = policy; - st->m.result = result; - dns_name_copy(rpz_qname, st->qname, NULL); - if (*rdatasetp != NULL && - dns_rdataset_isassociated(*rdatasetp)) { - dns_rdataset_t *trdataset; - - trdataset = st->m.rdataset; - st->m.rdataset = *rdatasetp; - *rdatasetp = trdataset; - st->m.ttl = ISC_MIN(st->m.rdataset->ttl, - rpz->max_policy_ttl); - } else { - st->m.ttl = ISC_MIN(DNS_RPZ_TTL_DEFAULT, - rpz->max_policy_ttl); - } - st->m.node = node; - node = NULL; - st->m.db = db; - db = NULL; - st->m.version = version; - st->m.zone = zone; - zone = NULL; + rpz_log_rewrite(client, ISC_TRUE, policy, rpz_type, + p_zone, p_name); + break; } } - rpz_clean(&zone, &db, &node, rdatasetp); + rpz_clean(&p_zone, &p_db, &p_node, rdatasetp); return (ISC_R_SUCCESS); } @@ -4569,7 +4854,7 @@ st = client->query.rpz_st; if (str != NULL) - rpz_log_fail(client, level, DNS_RPZ_TYPE_NSIP, nsname, + rpz_log_fail(client, level, nsname, DNS_RPZ_TYPE_NSIP, str, result); if (st->r.ns_rdataset != NULL && dns_rdataset_isassociated(st->r.ns_rdataset)) @@ -4589,7 +4874,8 @@ dns_rdataset_t *rdataset; dns_fixedname_t nsnamef; dns_name_t *nsname; - isc_boolean_t ck_ip; + int qresult_type; + dns_rpz_zbits_t zbits; isc_result_t result; st = client->query.rpz_st; @@ -4603,10 +4889,10 @@ st->m.policy = DNS_RPZ_POLICY_MISS; memset(&st->r, 0, sizeof(st->r)); memset(&st->q, 0, sizeof(st->q)); - dns_fixedname_init(&st->_qnamef); + dns_fixedname_init(&st->_p_namef); dns_fixedname_init(&st->_r_namef); dns_fixedname_init(&st->_fnamef); - st->qname = dns_fixedname_name(&st->_qnamef); + st->p_name = dns_fixedname_name(&st->_p_namef); st->r_name = dns_fixedname_name(&st->_r_namef); st->fname = dns_fixedname_name(&st->_fnamef); client->query.rpz_st = st; @@ -4619,7 +4905,7 @@ case ISC_R_SUCCESS: case DNS_R_GLUE: case DNS_R_ZONECUT: - ck_ip = ISC_TRUE; + qresult_type = 0; break; case DNS_R_EMPTYNAME: case DNS_R_NXRRSET: @@ -4629,73 +4915,155 @@ case DNS_R_NCACHENXRRSET: case DNS_R_CNAME: case DNS_R_DNAME: - ck_ip = ISC_FALSE; + qresult_type = 1; break; case DNS_R_DELEGATION: case ISC_R_NOTFOUND: - return (ISC_R_SUCCESS); + /* + * If recursion is on, do only tentative rewriting. + * If recursion is off, this the normal and only time we + * can rewrite. + */ + if (RECURSIONOK(client)) + qresult_type = 2; + else + qresult_type = 1; + break; case ISC_R_FAILURE: case ISC_R_TIMEDOUT: case DNS_R_BROKENCHAIN: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, DNS_RPZ_TYPE_QNAME, - client->query.qname, - "stop on qresult in rpz_rewrite() ", - qresult); + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL3, client->query.qname, + DNS_RPZ_TYPE_QNAME, + " stop on qresult in rpz_rewrite()", qresult); return (ISC_R_SUCCESS); default: - rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, DNS_RPZ_TYPE_QNAME, - client->query.qname, - "stop on unrecognized qresult in rpz_rewrite() ", + rpz_log_fail(client, DNS_RPZ_DEBUG_LEVEL1, client->query.qname, + DNS_RPZ_TYPE_QNAME, + " stop on unrecognized qresult in rpz_rewrite()", qresult); return (ISC_R_SUCCESS); } rdataset = NULL; - if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { + + if ((st->state & (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) != + (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME)) { + isc_netaddr_t netaddr; + dns_rpz_zbits_t allowed; + + if (qresult_type == 2) { + /* + * This request needs recursion that has not been done. + * Get bits for the policy zones that do not need + * to wait for the results of recursion. + */ + allowed = client->view->rpzs->have.qname_skip_recurse; + if (allowed == 0) + return (ISC_R_SUCCESS); + } else { + allowed = DNS_RPZ_ALL_ZBITS; + } + /* - * Check rules for the query name if this is the first time - * for the current qname, i.e. we've not been recursing. - * There is a first time for each name in a CNAME chain. + * Check once for triggers for the client IP address. */ - result = rpz_rewrite_name(client, qtype, client->query.qname, - DNS_RPZ_TYPE_QNAME, &rdataset); - if (result != ISC_R_SUCCESS) - goto cleanup; + if ((st->state & DNS_RPZ_DONE_CLIENT_IP) == 0) { + zbits = rpz_get_zbits(client, dns_rdatatype_none, + DNS_RPZ_TYPE_CLIENT_IP); + zbits &= allowed; + if (zbits != 0) { + isc_netaddr_fromsockaddr(&netaddr, + &client->peeraddr); + result = rpz_rewrite_ip(client, &netaddr, qtype, + DNS_RPZ_TYPE_CLIENT_IP, + zbits, &rdataset); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + } + + /* + * Check triggers for the query name if this is the first time + * for the current qname. + * There is a first time for each name in a CNAME chain + */ + if ((st->state & DNS_RPZ_DONE_QNAME) == 0) { + result = rpz_rewrite_name(client, client->query.qname, + qtype, DNS_RPZ_TYPE_QNAME, + allowed, &rdataset); + if (result != ISC_R_SUCCESS) + goto cleanup; + + /* + * Check IPv4 addresses in A RRs next. + * Reset to the start of the NS names. + */ + st->r.label = dns_name_countlabels(client->query.qname); + st->state &= ~(DNS_RPZ_DONE_QNAME_IP | + DNS_RPZ_DONE_IPv4); - st->r.label = dns_name_countlabels(client->query.qname); + } - st->state &= ~(DNS_RPZ_DONE_QNAME_IP | DNS_RPZ_DONE_IPv4); - st->state |= DNS_RPZ_DONE_QNAME; + /* + * Quit if this was an attempt to find a qname or + * client-IP trigger before recursion. + * We will be back if no pre-recursion triggers hit. + * For example, consider 2 policy zones, both with qname and + * IP address triggers. If the qname misses the 1st zone, + * then we cannot know whether a hit for the qname in the + * 2nd zone matters until after recursing to get the A RRs and + * testing them in the first zone. + * Do not bother saving the work from this attempt, + * because recusion is so slow. + */ + if (qresult_type == 2) + goto cleanup; + + /* + * DNS_RPZ_DONE_QNAME but not DNS_RPZ_DONE_CLIENT_IP + * is reset at the end of dealing with each CNAME. + */ + st->state |= (DNS_RPZ_DONE_CLIENT_IP | DNS_RPZ_DONE_QNAME); } /* - * Check known IP addresses for the query name. + * Check known IP addresses for the query name if the database + * lookup resulted in some addresses (qresult_type == 0) + * and if we have not already checked them. * Any recursion required for the query has already happened. * Do not check addresses that will not be in the ANSWER section. */ - if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && - (st->state & DNS_RPZ_HAVE_IP) != 0 && ck_ip) { - result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_IP, - client->query.qname, qtype, - &rdataset, resuming); + if ((st->state & DNS_RPZ_DONE_QNAME_IP) == 0 && qresult_type == 0 && + rpz_get_zbits(client, qtype, DNS_RPZ_TYPE_IP) != 0) { + result = rpz_rewrite_ip_rrsets(client, + client->query.qname, qtype, + DNS_RPZ_TYPE_IP, + &rdataset, resuming); if (result != ISC_R_SUCCESS) goto cleanup; - st->state &= ~DNS_RPZ_DONE_IPv4; + /* + * We are finished checking the IP addresses for the qname. + * Start with IPv4 if we will check NS IP addesses. + */ st->state |= DNS_RPZ_DONE_QNAME_IP; + st->state &= ~DNS_RPZ_DONE_IPv4; } /* - * Stop looking for rules if there are none of the other kinds. + * Stop looking for rules if there are none of the other kinds + * that could override what we already have. */ - if ((st->state & (DNS_RPZ_HAVE_NSIPv4 | DNS_RPZ_HAVE_NSIPv6 | - DNS_RPZ_HAVE_NSDNAME)) == 0) { + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) { result = ISC_R_SUCCESS; goto cleanup; } dns_fixedname_init(&nsnamef); dns_name_clone(client->query.qname, dns_fixedname_name(&nsnamef)); - while (st->r.label > client->view->rpz_min_ns_labels) { + while (st->r.label > client->view->rpzs->p.min_ns_labels) { /* * Get NS rrset for each domain in the current qname. */ @@ -4709,8 +5077,8 @@ if (st->r.ns_rdataset == NULL || !dns_rdataset_isassociated(st->r.ns_rdataset)) { dns_db_t *db = NULL; - result = rpz_rrset_find(client, DNS_RPZ_TYPE_NSDNAME, - nsname, dns_rdatatype_ns, + result = rpz_rrset_find(client, nsname, dns_rdatatype_ns, + DNS_RPZ_TYPE_NSDNAME, &db, NULL, &st->r.ns_rdataset, resuming); if (db != NULL) @@ -4744,12 +5112,12 @@ case ISC_R_FAILURE: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_DEBUG_LEVEL3, - "NS db_find() "); + " NS db_find()"); continue; default: rpz_rewrite_ns_skip(client, nsname, result, DNS_RPZ_INFO_LEVEL, - "unrecognized NS db_find() "); + " unrecognized NS db_find()"); continue; } } @@ -4765,8 +5133,8 @@ dns_rdata_reset(&nsrdata); if (result != ISC_R_SUCCESS) { rpz_log_fail(client, DNS_RPZ_ERROR_LEVEL, - DNS_RPZ_TYPE_NSIP, nsname, - "rdata_tostruct() ", result); + nsname, DNS_RPZ_TYPE_NSIP, + " rdata_tostruct()", result); st->m.policy = DNS_RPZ_POLICY_ERROR; goto cleanup; } @@ -4782,11 +5150,11 @@ * Check this NS name if we did not handle it * during a previous recursion. */ - if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0 && - (st->state & DNS_RPZ_HAVE_NSDNAME) != 0) { - result = rpz_rewrite_name(client, qtype, - &ns.name, + if ((st->state & DNS_RPZ_DONE_NSDNAME) == 0) { + result = rpz_rewrite_name(client, &ns.name, + qtype, DNS_RPZ_TYPE_NSDNAME, + DNS_RPZ_ALL_ZBITS, &rdataset); if (result != ISC_R_SUCCESS) { dns_rdata_freestruct(&ns); @@ -4797,9 +5165,9 @@ /* * Check all IP addresses for this NS name. */ - result = rpz_rewrite_rrsets(client, DNS_RPZ_TYPE_NSIP, - &ns.name, dns_rdatatype_any, - &rdataset, resuming); + result = rpz_rewrite_ip_rrsets(client, &ns.name, qtype, + DNS_RPZ_TYPE_NSIP, + &rdataset, resuming); dns_rdata_freestruct(&ns); if (result != ISC_R_SUCCESS) goto cleanup; @@ -4809,10 +5177,16 @@ } while (result == ISC_R_SUCCESS); dns_rdataset_disassociate(st->r.ns_rdataset); st->r.label--; + + if (rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSDNAME) == 0 && + rpz_get_zbits(client, dns_rdatatype_any, + DNS_RPZ_TYPE_NSIP) == 0) + break; } /* - * Use the best, if any, hit. + * Use the best hit, if any. */ result = ISC_R_SUCCESS; @@ -4827,7 +5201,7 @@ if (st->m.policy == DNS_RPZ_POLICY_PASSTHRU && result != DNS_R_DELEGATION) rpz_log_rewrite(client, ISC_FALSE, st->m.policy, - st->m.type, st->m.zone, st->qname); + st->m.type, st->m.zone, st->p_name); rpz_match_clear(st); } if (st->m.policy == DNS_RPZ_POLICY_ERROR) { @@ -4846,19 +5220,25 @@ * by the client in DNSSEC or a lack of signatures. */ static isc_boolean_t -rpz_ck_dnssec(ns_client_t *client, isc_result_t result, +rpz_ck_dnssec(ns_client_t *client, isc_result_t qresult, dns_rdataset_t *rdataset, dns_rdataset_t *sigrdataset) { dns_fixedname_t fixed; dns_name_t *found; dns_rdataset_t trdataset; dns_rdatatype_t type; + isc_result_t result; - if (client->view->rpz_break_dnssec) + if (client->view->rpzs->p.break_dnssec || !WANTDNSSEC(client)) return (ISC_TRUE); + /* - * sigrdataset == NULL if and only !WANTDNSSEC(client) + * We do not know if there are signatures if we have not recursed + * for them. */ + if (qresult == DNS_R_DELEGATION || qresult == ISC_R_NOTFOUND) + return (ISC_FALSE); + if (sigrdataset == NULL) return (ISC_TRUE); if (dns_rdataset_isassociated(sigrdataset)) @@ -4938,7 +5318,7 @@ if (result != ISC_R_SUCCESS) return (result); rpz_log_rewrite(client, ISC_FALSE, st->m.policy, - st->m.type, st->m.zone, st->qname); + st->m.type, st->m.zone, st->p_name); ns_client_qnamereplace(client, fname); /* * Turn off DNSSEC because the results of a @@ -5865,13 +6245,140 @@ resume: CTRACE("query_find: resume"); - if (!ISC_LIST_EMPTY(client->view->rpz_zones) && - (RECURSIONOK(client) || !client->view->rpz_recursive_only) && + /* + * Rate limit these responses to this client. + * Do not delay counting and handling obvious referrals, + * since those won't come here again. + * Delay handling delegations for which we are certain to recurse and + * return here (DNS_R_DELEGATION, not a child of one of our + * own zones, and recursion enabled) + * Don't mess with responses rewritten by RPZ + * Count each response at most once. + */ + if (client->view->rrl != NULL && + ((fname != NULL && dns_name_isabsolute(fname)) || + (result == ISC_R_NOTFOUND && !RECURSIONOK(client))) && + !(result == DNS_R_DELEGATION && !is_zone && RECURSIONOK(client)) && + (client->query.rpz_st == NULL || + (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0)&& + (client->query.attributes & NS_QUERYATTR_RRL_CHECKED) == 0) { + dns_rdataset_t nc_rdataset; + isc_boolean_t wouldlog; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + isc_result_t nc_result, resp_result; + dns_rrl_result_t rrl_result; + + client->query.attributes |= NS_QUERYATTR_RRL_CHECKED; + + wouldlog = isc_log_wouldlog(ns_g_lctx, DNS_RRL_LOG_DROP); + tname = fname; + if (result == DNS_R_NXDOMAIN) { + /* + * Use the database origin name to rate limit NXDOMAIN + */ + if (db != NULL) + tname = dns_db_origin(db); + resp_result = result; + } else if (result == DNS_R_NCACHENXDOMAIN && + rdataset != NULL && + dns_rdataset_isassociated(rdataset) && + (rdataset->attributes & + DNS_RDATASETATTR_NEGATIVE) != 0) { + /* + * Try to use owner name in the negative cache SOA. + */ + dns_fixedname_init(&fixed); + dns_rdataset_init(&nc_rdataset); + for (nc_result = dns_rdataset_first(rdataset); + nc_result == ISC_R_SUCCESS; + nc_result = dns_rdataset_next(rdataset)) { + dns_ncache_current(rdataset, + dns_fixedname_name(&fixed), + &nc_rdataset); + if (nc_rdataset.type == dns_rdatatype_soa) { + dns_rdataset_disassociate(&nc_rdataset); + tname = dns_fixedname_name(&fixed); + break; + } + dns_rdataset_disassociate(&nc_rdataset); + } + resp_result = DNS_R_NXDOMAIN; + } else if (result == DNS_R_NXRRSET || + result == DNS_R_EMPTYNAME) { + resp_result = DNS_R_NXRRSET; + } else if (result == DNS_R_DELEGATION) { + resp_result = result; + } else if (result == ISC_R_NOTFOUND) { + /* + * Handle referral to ".", including when recursion + * is off or not requested and the hints have not + * been loaded or we have "additional-from-cache no". + */ + tname = dns_rootname; + resp_result = DNS_R_DELEGATION; + } else { + resp_result = ISC_R_SUCCESS; + } + rrl_result = dns_rrl(client->view, &client->peeraddr, + ISC_TF((client->attributes + & NS_CLIENTATTR_TCP) != 0), + client->message->rdclass, qtype, tname, + resp_result, client->now, + wouldlog, log_buf, sizeof(log_buf)); + if (rrl_result != DNS_RRL_RESULT_OK) { + /* + * Log dropped or slipped responses in the query + * category so that requests are not silently lost. + * Starts of rate-limited bursts are logged in + * DNS_LOGCATEGORY_RRL. + * + * Dropped responses are counted with dropped queries + * in QryDropped while slipped responses are counted + * with other truncated responses in RespTruncated. + */ + if (wouldlog) { + ns_client_log(client, + NS_LOGCATEGORY_QUERY_EERRORS, + NS_LOGMODULE_QUERY, + DNS_RRL_LOG_DROP, + "%s", log_buf); + } + if (!client->view->rrl->log_only) { + if (rrl_result == DNS_RRL_RESULT_DROP) { + /* + * These will also be counted in + * dns_nsstatscounter_dropped + */ + inc_stats(client, + dns_nsstatscounter_ratedropped); + QUERY_ERROR(DNS_R_DROP); + } else { + /* + * These will also be counted in + * dns_nsstatscounter_truncatedresp + */ + inc_stats(client, + dns_nsstatscounter_rateslipped); + client->message->flags |= + DNS_MESSAGEFLAG_TC; + if (resp_result == DNS_R_NXDOMAIN) + client->message->rcode = + dns_rcode_nxdomain; + } + goto cleanup; + } + } + } + + if (client->view->rpzs != NULL && + client->view->rpzs->p.num_zones != 0 && + (RECURSIONOK(client) || client->view->rpzs->p.no_rd_ok != 0) && rpz_ck_dnssec(client, result, rdataset, sigrdataset) && !RECURSING(client) && (client->query.rpz_st == NULL || (client->query.rpz_st->state & DNS_RPZ_REWRITTEN) == 0) && - !dns_name_equal(client->query.qname, dns_rootname)) { + !dns_name_equal(client->query.qname, dns_rootname)) + { isc_result_t rresult; rresult = rpz_rewrite(client, qtype, result, resuming); @@ -5909,12 +6416,17 @@ rpz_st->state |= DNS_RPZ_REWRITTEN; if (rpz_st->m.policy != DNS_RPZ_POLICY_MISS && rpz_st->m.policy != DNS_RPZ_POLICY_PASSTHRU && + (rpz_st->m.policy != DNS_RPZ_POLICY_TCP_ONLY || + (client->attributes & NS_CLIENTATTR_TCP) == 0) && rpz_st->m.policy != DNS_RPZ_POLICY_ERROR) { - if (rpz_st->m.type == DNS_RPZ_TYPE_QNAME) { - result = dns_name_copy(client->query.qname, - fname, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); - } + /* We got a hit and are going to answer with our + * fiction. Ensure that we answer with the name + * we looked up even if we were stopped short + * in recursion or for a deferral. + */ + rresult = dns_name_copy(client->query.qname, + fname, NULL); + RUNTIME_CHECK(rresult == ISC_R_SUCCESS); rpz_clean(&zone, &db, &node, NULL); if (rpz_st->m.rdataset != NULL) { query_putrdataset(client, &rdataset); @@ -5934,6 +6446,23 @@ rpz_st->m.zone = NULL; switch (rpz_st->m.policy) { + case DNS_RPZ_POLICY_TCP_ONLY: + client->message->flags |= DNS_MESSAGEFLAG_TC; + if (result == DNS_R_NXDOMAIN || + result == DNS_R_NCACHENXDOMAIN) + client->message->rcode = + dns_rcode_nxdomain; + else + result = ISC_R_SUCCESS; + rpz_log_rewrite(client, ISC_FALSE, + rpz_st->m.policy, + rpz_st->m.type, zone, + rpz_st->p_name); + goto cleanup; + case DNS_RPZ_POLICY_DROP: + result = ISC_R_SUCCESS; + QUERY_ERROR(DNS_R_DROP); + break; case DNS_RPZ_POLICY_NXDOMAIN: result = DNS_R_NXDOMAIN; break; @@ -5946,8 +6475,8 @@ result != DNS_R_CNAME) { /* * We will add all of the rdatasets of - * the node by iterating, setting the - * TTL then. + * the node by iterating later, + * and set the TTL then. */ if (dns_rdataset_isassociated(rdataset)) dns_rdataset_disassociate(rdataset); @@ -6002,7 +6531,7 @@ rpz_st->q.is_zone = is_zone; is_zone = ISC_TRUE; rpz_log_rewrite(client, ISC_FALSE, rpz_st->m.policy, - rpz_st->m.type, zone, rpz_st->qname); + rpz_st->m.type, zone, rpz_st->p_name); } } @@ -7318,12 +7847,14 @@ } if (eresult != ISC_R_SUCCESS && - (!PARTIALANSWER(client) || WANTRECURSION(client))) { + (!PARTIALANSWER(client) || WANTRECURSION(client) + || eresult == DNS_R_DROP)) { if (eresult == DNS_R_DUPLICATE || eresult == DNS_R_DROP) { /* * This was a duplicate query that we are - * recursing on. Don't send a response now. - * The original query will still cause a response. + * recursing on or the result of rate limiting. + * Don't send a response now for a duplicate query, + * because the original will still cause a response. */ query_next(client, eresult); } else { --- bind9-9.9.3.dfsg.P2.orig/bin/named/server.c +++ bind9-9.9.3.dfsg.P2/bin/named/server.c @@ -373,7 +373,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf, isc_boolean_t added); + cfg_aclconfctx_t *aclconf, isc_boolean_t added, + isc_boolean_t old_rpz_ok); static isc_result_t add_keydata_zone(dns_view_t *view, const char *directory, isc_mem_t *mctx); @@ -1082,6 +1083,8 @@ mode = DNS_RDATASETATTR_FIXEDORDER; else if (!strcasecmp(str, "random")) mode = DNS_RDATASETATTR_RANDOMIZE; + else if (!strcasecmp(str, "random_1")) + mode = DNS_RDATASETATTR_RANDOMIZE|DNS_RDATASETATTR_SINGLE; else if (!strcasecmp(str, "cyclic")) mode = 0; else @@ -1549,17 +1552,24 @@ } static isc_result_t -configure_rpz(dns_view_t *view, const cfg_listelt_t *element, - isc_boolean_t recursive_only_def, dns_ttl_t ttl_def) +configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element, + isc_boolean_t recursive_only_def, dns_ttl_t ttl_def, + const dns_rpz_zone_t *old, isc_boolean_t *old_rpz_okp) { const cfg_obj_t *rpz_obj, *obj; const char *str; - dns_rpz_zone_t *old, *new; + dns_rpz_zone_t *new; isc_result_t result; + dns_rpz_num_t rpz_num; + + REQUIRE(old != NULL || !*old_rpz_okp); rpz_obj = cfg_listelt_value(element); - new = isc_mem_get(view->mctx, sizeof(*new)); + if (view->rpzs->p.num_zones >= DNS_RPZ_MAX_ZONES) + return (ISC_R_NOMEMORY); + + new = isc_mem_get(view->rpzs->mctx, sizeof(*new)); if (new == NULL) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "no memory for response policy zones"); @@ -1567,20 +1577,29 @@ } memset(new, 0, sizeof(*new)); + result = isc_refcount_init(&new->refs, 1); + if (result != ISC_R_SUCCESS) { + isc_mem_put(view->rpzs->mctx, new, sizeof(*new)); + return (result); + } dns_name_init(&new->origin, NULL); + dns_name_init(&new->client_ip, NULL); + dns_name_init(&new->ip, NULL); dns_name_init(&new->nsdname, NULL); + dns_name_init(&new->nsip, NULL); dns_name_init(&new->passthru, NULL); + dns_name_init(&new->drop, NULL); + dns_name_init(&new->tcp_only, NULL); dns_name_init(&new->cname, NULL); - ISC_LIST_INITANDAPPEND(view->rpz_zones, new, link); + new->num = view->rpzs->p.num_zones++; + view->rpzs->zones[new->num] = new; obj = cfg_tuple_get(rpz_obj, "recursive-only"); - if (cfg_obj_isvoid(obj)) { - new->recursive_only = recursive_only_def; + if (cfg_obj_isvoid(obj) ? recursive_only_def : cfg_obj_asboolean(obj)) { + view->rpzs->p.no_rd_ok &= ~DNS_RPZ_ZBIT(new->num); } else { - new->recursive_only = cfg_obj_asboolean(obj); + view->rpzs->p.no_rd_ok |= DNS_RPZ_ZBIT(new->num); } - if (!new->recursive_only) - view->rpz_recursive_only = ISC_FALSE; obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); if (cfg_obj_isuint32(obj)) { @@ -1588,6 +1607,8 @@ } else { new->max_policy_ttl = ttl_def; } + if (*old_rpz_okp && new->max_policy_ttl != old->max_policy_ttl) + *old_rpz_okp = ISC_FALSE; str = cfg_obj_asstring(cfg_tuple_get(rpz_obj, "zone name")); result = configure_rpz_name(view, rpz_obj, &new->origin, str, "zone"); @@ -1598,25 +1619,50 @@ "invalid zone name '%s'", str); return (DNS_R_EMPTYLABEL); } - for (old = ISC_LIST_HEAD(view->rpz_zones); - old != new; - old = ISC_LIST_NEXT(old, link)) { - ++new->num; - if (dns_name_equal(&old->origin, &new->origin)) { + for (rpz_num = 0; rpz_num < view->rpzs->p.num_zones-1; ++rpz_num) { + if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, + &new->origin)) { cfg_obj_log(rpz_obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, "duplicate '%s'", str); result = DNS_R_DUPLICATE; return (result); } } + if (*old_rpz_okp && !dns_name_equal(&old->origin, &new->origin)) + *old_rpz_okp = ISC_FALSE; + + result = configure_rpz_name2(view, rpz_obj, &new->client_ip, + DNS_RPZ_CLIENT_IP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name2(view, rpz_obj, &new->ip, + DNS_RPZ_IP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); result = configure_rpz_name2(view, rpz_obj, &new->nsdname, DNS_RPZ_NSDNAME_ZONE, &new->origin); if (result != ISC_R_SUCCESS) return (result); + result = configure_rpz_name2(view, rpz_obj, &new->nsip, + DNS_RPZ_NSIP_ZONE, &new->origin); + if (result != ISC_R_SUCCESS) + return (result); + result = configure_rpz_name(view, rpz_obj, &new->passthru, - DNS_RPZ_PASSTHRU_ZONE, "zone"); + DNS_RPZ_PASSTHRU_NAME, "name"); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name(view, rpz_obj, &new->drop, + DNS_RPZ_DROP_NAME, "name"); + if (result != ISC_R_SUCCESS) + return (result); + + result = configure_rpz_name(view, rpz_obj, &new->tcp_only, + DNS_RPZ_TCP_ONLY_NAME, "name"); if (result != ISC_R_SUCCESS) return (result); @@ -1635,10 +1681,282 @@ return (result); } } + if (*old_rpz_okp && (new->policy != old->policy || + !dns_name_equal(&old->cname, &new->cname))) + *old_rpz_okp = ISC_FALSE; + + return (ISC_R_SUCCESS); +} + +static isc_result_t +configure_rpz(dns_view_t *view, const cfg_obj_t *rpz_obj, + isc_boolean_t *old_rpz_okp) +{ + const cfg_listelt_t *zone_element; + const cfg_obj_t *sub_obj; + isc_boolean_t recursive_only_def; + dns_ttl_t ttl_def; + dns_rpz_zones_t *new; + const dns_rpz_zones_t *old; + dns_view_t *pview; + const dns_rpz_zone_t *old_zone; + isc_result_t result; + int i; + + *old_rpz_okp = ISC_FALSE; + + zone_element = cfg_list_first(cfg_tuple_get(rpz_obj, "zone list")); + if (zone_element == NULL) + return (ISC_R_SUCCESS); + + result = dns_rpz_new_zones(&view->rpzs, view->mctx); + if (result != ISC_R_SUCCESS) + return (result); + new = view->rpzs; + + sub_obj = cfg_tuple_get(rpz_obj, "recursive-only"); + if (!cfg_obj_isvoid(sub_obj) && + !cfg_obj_asboolean(sub_obj)) + recursive_only_def = ISC_FALSE; + else + recursive_only_def = ISC_TRUE; + + sub_obj = cfg_tuple_get(rpz_obj, "break-dnssec"); + if (!cfg_obj_isvoid(sub_obj) && + cfg_obj_asboolean(sub_obj)) + new->p.break_dnssec = ISC_TRUE; + else + new->p.break_dnssec = ISC_FALSE; + + sub_obj = cfg_tuple_get(rpz_obj, "max-policy-ttl"); + if (cfg_obj_isuint32(sub_obj)) + ttl_def = cfg_obj_asuint32(sub_obj); + else + ttl_def = DNS_RPZ_MAX_TTL_DEFAULT; + + sub_obj = cfg_tuple_get(rpz_obj, "min-ns-dots"); + if (cfg_obj_isuint32(sub_obj)) + new->p.min_ns_labels = cfg_obj_asuint32(sub_obj) + 1; + else + new->p.min_ns_labels = 2; + + sub_obj = cfg_tuple_get(rpz_obj, "qname-wait-recurse"); + if (cfg_obj_isvoid(sub_obj) || cfg_obj_asboolean(sub_obj)) + new->p.qname_wait_recurse = ISC_TRUE; + else + new->p.qname_wait_recurse = ISC_FALSE; + + pview = NULL; + result = dns_viewlist_find(&ns_g_server->viewlist, + view->name, view->rdclass, &pview); + if (result == ISC_R_SUCCESS) { + old = pview->rpzs; + } else { + old = NULL; + } + if (old == NULL) + *old_rpz_okp = ISC_FALSE; + else + *old_rpz_okp = ISC_TRUE; + + for (i = 0; + zone_element != NULL; + ++i, zone_element = cfg_list_next(zone_element)) { + if (*old_rpz_okp && i < old->p.num_zones) { + old_zone = old->zones[i]; + } else { + *old_rpz_okp = ISC_FALSE; + old_zone = NULL; + } + result = configure_rpz_zone(view, zone_element, + recursive_only_def, ttl_def, + old_zone, old_rpz_okp); + if (result != ISC_R_SUCCESS) { + if (pview != NULL) + dns_view_detach(&pview); + return (result); + } + } + + /* + * If this is a reloading and the parameters and list of policy + * zones are unchanged, then use the same policy data. + * Data for individual zones that must be reloaded will be merged. + */ + if (old != NULL && memcmp(&old->p, &new->p, sizeof(new->p)) != 0) + *old_rpz_okp = ISC_FALSE; + if (*old_rpz_okp) { + dns_rpz_detach_rpzs(&view->rpzs); + dns_rpz_attach_rpzs(pview->rpzs, &view->rpzs); + } + if (pview != NULL) + dns_view_detach(&pview); return (ISC_R_SUCCESS); } +#define CHECK_RRL(cond, pat, val1, val2) \ + do { \ + if (!(cond)) { \ + cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, \ + pat, val1, val2); \ + result = ISC_R_RANGE; \ + goto cleanup; \ + } \ + } while (0) + +#define CHECK_RRL_RATE(rate, def, max_rate, name) \ + do { \ + obj = NULL; \ + rrl->rate.str = name; \ + result = cfg_map_get(map, name, &obj); \ + if (result == ISC_R_SUCCESS) { \ + rrl->rate.r = cfg_obj_asuint32(obj); \ + CHECK_RRL(rrl->rate.r <= max_rate, \ + name" %d > %d", \ + rrl->rate.r, max_rate); \ + } else { \ + rrl->rate.r = def; \ + } \ + rrl->rate.scaled = rrl->rate.r; \ + } while (0) + +static isc_result_t +configure_rrl(dns_view_t *view, const cfg_obj_t *config, const cfg_obj_t *map) { + const cfg_obj_t *obj; + dns_rrl_t *rrl; + isc_result_t result; + int min_entries, i, j; + + /* + * Most DNS servers have few clients, but intentinally open + * recursive and authoritative servers often have many. + * So start with a small number of entries unless told otherwise + * to reduce cold-start costs. + */ + min_entries = 500; + obj = NULL; + result = cfg_map_get(map, "min-table-size", &obj); + if (result == ISC_R_SUCCESS) { + min_entries = cfg_obj_asuint32(obj); + if (min_entries < 1) + min_entries = 1; + } + result = dns_rrl_init(&rrl, view, min_entries); + if (result != ISC_R_SUCCESS) + return (result); + + i = ISC_MAX(20000, min_entries); + obj = NULL; + result = cfg_map_get(map, "max-table-size", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= min_entries, + "max-table-size %d < min-table-size %d", + i, min_entries); + } + rrl->max_entries = i; + + CHECK_RRL_RATE(responses_per_second, 0, DNS_RRL_MAX_RATE, + "responses-per-second"); + CHECK_RRL_RATE(referrals_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "referrals-per-second"); + CHECK_RRL_RATE(nodata_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "nodata-per-second"); + CHECK_RRL_RATE(nxdomains_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "nxdomains-per-second"); + CHECK_RRL_RATE(errors_per_second, + rrl->responses_per_second.r, DNS_RRL_MAX_RATE, + "errors-per-second"); + + CHECK_RRL_RATE(all_per_second, 0, DNS_RRL_MAX_RATE, + "all-per-second"); + + CHECK_RRL_RATE(slip, 2, DNS_RRL_MAX_SLIP, + "slip"); + + i = 15; + obj = NULL; + result = cfg_map_get(map, "window", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 1 && i <= DNS_RRL_MAX_WINDOW, + "window %d < 1 or > %d", i, DNS_RRL_MAX_WINDOW); + } + rrl->window = i; + + i = 0; + obj = NULL; + result = cfg_map_get(map, "qps-scale", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 1, "invalid 'qps-scale %d'%s", i, ""); + } + rrl->qps_scale = i; + rrl->qps = 1.0; + + i = 24; + obj = NULL; + result = cfg_map_get(map, "ipv4-prefix-length", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 8 && i <= 32, + "invalid 'ipv4-prefix-length %d'%s", i, ""); + } + rrl->ipv4_prefixlen = i; + if (i == 32) + rrl->ipv4_mask = 0xffffffff; + else + rrl->ipv4_mask = htonl(0xffffffff << (32-i)); + + i = 56; + obj = NULL; + result = cfg_map_get(map, "ipv6-prefix-length", &obj); + if (result == ISC_R_SUCCESS) { + i = cfg_obj_asuint32(obj); + CHECK_RRL(i >= 16 && i <= DNS_RRL_MAX_PREFIX, + "ipv6-prefix-length %d < 16 or > %d", + i, DNS_RRL_MAX_PREFIX); + } + rrl->ipv6_prefixlen = i; + for (j = 0; j < 4; ++j) { + if (i <= 0) { + rrl->ipv6_mask[j] = 0; + } else if (i < 32) { + rrl->ipv6_mask[j] = htonl(0xffffffff << (32-i)); + } else { + rrl->ipv6_mask[j] = 0xffffffff; + } + i -= 32; + } + + obj = NULL; + result = cfg_map_get(map, "exempt-clients", &obj); + if (result == ISC_R_SUCCESS) { + result = cfg_acl_fromconfig(obj, config, ns_g_lctx, + ns_g_aclconfctx, ns_g_mctx, + 0, &rrl->exempt); + CHECK_RRL(result == ISC_R_SUCCESS, + "invalid %s%s", "address match list", ""); + } + + obj = NULL; + result = cfg_map_get(map, "log-only", &obj); + if (result == ISC_R_SUCCESS && cfg_obj_asboolean(obj)) + rrl->log_only = ISC_TRUE; + else + rrl->log_only = ISC_FALSE; + + return (ISC_R_SUCCESS); + + cleanup: + dns_rrl_view_destroy(view); + return (result); +} + /* * Configure 'view' according to 'vconfig', taking defaults from 'config' * where values are missing in 'vconfig'. @@ -1705,7 +2023,7 @@ dns_acl_t *clients = NULL, *mapped = NULL, *excluded = NULL; unsigned int query_timeout, ndisp; struct cfg_context *nzctx; - dns_rpz_zone_t *rpz; + isc_boolean_t old_rpz_ok = ISC_FALSE; REQUIRE(DNS_VIEW_VALID(view)); @@ -1810,44 +2128,7 @@ obj = NULL; if (view->rdclass == dns_rdataclass_in && need_hints && ns_config_get(maps, "response-policy", &obj) == ISC_R_SUCCESS) { - const cfg_obj_t *rpz_obj; - isc_boolean_t recursive_only_def; - dns_ttl_t ttl_def; - - rpz_obj = cfg_tuple_get(obj, "recursive-only"); - if (!cfg_obj_isvoid(rpz_obj) && - !cfg_obj_asboolean(rpz_obj)) - recursive_only_def = ISC_FALSE; - else - recursive_only_def = ISC_TRUE; - - rpz_obj = cfg_tuple_get(obj, "break-dnssec"); - if (!cfg_obj_isvoid(rpz_obj) && - cfg_obj_asboolean(rpz_obj)) - view->rpz_break_dnssec = ISC_TRUE; - else - view->rpz_break_dnssec = ISC_FALSE; - - rpz_obj = cfg_tuple_get(obj, "max-policy-ttl"); - if (cfg_obj_isuint32(rpz_obj)) - ttl_def = cfg_obj_asuint32(rpz_obj); - else - ttl_def = DNS_RPZ_MAX_TTL_DEFAULT; - - rpz_obj = cfg_tuple_get(obj, "min-ns-dots"); - if (cfg_obj_isuint32(rpz_obj)) - view->rpz_min_ns_labels = cfg_obj_asuint32(rpz_obj) + 1; - else - view->rpz_min_ns_labels = 2; - - element = cfg_list_first(cfg_tuple_get(obj, "zone list")); - while (element != NULL) { - result = configure_rpz(view, element, - recursive_only_def, ttl_def); - if (result != ISC_R_SUCCESS) - goto cleanup; - element = cfg_list_next(element); - } + CHECK(configure_rpz(view, obj, &old_rpz_ok)); } /* @@ -1868,22 +2149,29 @@ { const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, - actx, ISC_FALSE)); + actx, ISC_FALSE, old_rpz_ok)); } - for (rpz = ISC_LIST_HEAD(view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) - { - if (!rpz->defined) { - char namebuf[DNS_NAME_FORMATSIZE]; + /* + * Check that a master or slave zone was found for each + * zone named in the response policy statement. + */ + if (view->rpzs != NULL) { + dns_rpz_num_t n; - dns_name_format(&rpz->origin, namebuf, sizeof(namebuf)); - cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, - "'%s' is not a master or slave zone", - namebuf); - result = ISC_R_NOTFOUND; - goto cleanup; + for (n = 0; n < view->rpzs->p.num_zones; ++n) + { + if ((view->rpzs->defined & DNS_RPZ_ZBIT(n)) == 0) { + char namebuf[DNS_NAME_FORMATSIZE]; + + dns_name_format(&view->rpzs->zones[n]->origin, + namebuf, sizeof(namebuf)); + cfg_obj_log(obj, ns_g_lctx, DNS_RPZ_ERROR_LEVEL, + "'%s' is not a master or slave zone", + namebuf); + result = ISC_R_NOTFOUND; + goto cleanup; + } } } @@ -1909,7 +2197,7 @@ const cfg_obj_t *zconfig = cfg_listelt_value(element); CHECK(configure_zone(config, zconfig, vconfig, mctx, view, actx, - ISC_TRUE)); + ISC_TRUE, ISC_FALSE)); } } @@ -2144,6 +2432,18 @@ if (view->maxncachettl > 7 * 24 * 3600) view->maxncachettl = 7 * 24 * 3600; + obj = NULL; + result = ns_config_get(maps, "min-cache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->mincachettl = cfg_obj_asuint32(obj); + + obj = NULL; + result = ns_config_get(maps, "min-ncache-ttl", &obj); + INSIST(result == ISC_R_SUCCESS); + view->minncachettl = cfg_obj_asuint32(obj); + if (view->minncachettl > 7 * 24 * 3600) + view->minncachettl = 7 * 24 * 3600; + /* * Configure the view's cache. * @@ -3043,6 +3343,14 @@ } } + obj = NULL; + result = ns_config_get(maps, "rate-limit", &obj); + if (result == ISC_R_SUCCESS) { + result = configure_rrl(view, config, obj); + if (result != ISC_R_SUCCESS) + goto cleanup; + } + result = ISC_R_SUCCESS; cleanup: @@ -3375,7 +3683,8 @@ static isc_result_t configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view, - cfg_aclconfctx_t *aclconf, isc_boolean_t added) + cfg_aclconfctx_t *aclconf, isc_boolean_t added, + isc_boolean_t old_rpz_ok) { dns_view_t *pview = NULL; /* Production view */ dns_zone_t *zone = NULL; /* New or reused zone */ @@ -3396,8 +3705,7 @@ const char *zname; dns_rdataclass_t zclass; const char *ztypestr; - isc_boolean_t is_rpz; - dns_rpz_zone_t *rpz; + dns_rpz_num_t rpz_num; options = NULL; (void)cfg_map_get(config, "options", &options); @@ -3559,18 +3867,15 @@ INSIST(dupzone == NULL); /* - * Note whether this is a response policy zone. + * Note whether this is a response policy zone and which one if so. */ - is_rpz = ISC_FALSE; - for (rpz = ISC_LIST_HEAD(view->rpz_zones); - rpz != NULL; - rpz = ISC_LIST_NEXT(rpz, link)) - { - if (dns_name_equal(&rpz->origin, origin)) { - is_rpz = ISC_TRUE; - rpz->defined = ISC_TRUE; + for (rpz_num = 0; ; ++rpz_num) { + if (view->rpzs == NULL || rpz_num >= view->rpzs->p.num_zones) { + rpz_num = DNS_RPZ_INVALID_NUM; break; } + if (dns_name_equal(&view->rpzs->zones[rpz_num]->origin, origin)) + break; } /* @@ -3581,7 +3886,9 @@ * - The zone is compatible with the config * options (e.g., an existing master zone cannot * be reused if the options specify a slave zone) - * - The zone was and is or was not and is not a policy zone + * - The zone was not and is still not a response policy zone + * or the zone is a policy zone with an unchanged number + * and we are using the old policy zone summary data. */ result = dns_viewlist_find(&ns_g_server->viewlist, view->name, view->rdclass, &pview); @@ -3595,7 +3902,8 @@ if (zone != NULL && !ns_zone_reusable(zone, zconfig)) dns_zone_detach(&zone); - if (zone != NULL && is_rpz != dns_zone_get_rpz(zone)) + if (zone != NULL && (rpz_num != dns_zone_get_rpz_num(zone) || + (rpz_num != DNS_RPZ_INVALID_NUM && !old_rpz_ok))) dns_zone_detach(&zone); if (zone != NULL) { @@ -3620,8 +3928,8 @@ dns_zone_setstats(zone, ns_g_server->zonestats); } - if (is_rpz) { - result = dns_zone_rpz_enable(zone); + if (rpz_num != DNS_RPZ_INVALID_NUM) { + result = dns_zone_rpz_enable(zone, view->rpzs, rpz_num); if (result != ISC_R_SUCCESS) { isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL, NS_LOGMODULE_SERVER, ISC_LOG_ERROR, @@ -5730,10 +6038,6 @@ ISC_R_NOMEMORY : ISC_R_SUCCESS, "allocating reload event"); - CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, - ns_g_engine, ISC_ENTROPY_GOODONLY), - "initializing DST"); - server->tkeyctx = NULL; CHECKFATAL(dns_tkeyctx_create(ns_g_mctx, ns_g_entropy, &server->tkeyctx), @@ -5880,8 +6184,6 @@ if (server->tkeyctx != NULL) dns_tkeyctx_destroy(&server->tkeyctx); - dst_lib_destroy(); - isc_event_free(&server->reload_event); INSIST(ISC_LIST_EMPTY(server->viewlist)); @@ -7834,7 +8136,8 @@ RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_view_thaw(view); result = configure_zone(cfg->config, parms, vconfig, - server->mctx, view, cfg->actx, ISC_FALSE); + server->mctx, view, cfg->actx, ISC_FALSE, + ISC_FALSE); dns_view_freeze(view); isc_task_endexclusive(server->task); if (result != ISC_R_SUCCESS) --- bind9-9.9.3.dfsg.P2.orig/bin/named/statschannel.c +++ bind9-9.9.3.dfsg.P2/bin/named/statschannel.c @@ -206,6 +206,10 @@ SET_NSSTATDESC(updatebadprereq, "updates rejected due to prerequisite failure", "UpdateBadPrereq"); + SET_NSSTATDESC(ratedropped, "responses dropped for rate limits", + "RateDropped"); + SET_NSSTATDESC(rateslipped, "responses truncated for rate limits", + "RateSlipped"); SET_NSSTATDESC(rpz_rewrites, "response policy zone rewrites", "RPZRewrites"); INSIST(i == dns_nsstatscounter_max); --- bind9-9.9.3.dfsg.P2.orig/bin/tests/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/named.conf @@ -54,6 +54,7 @@ memstatistics-file "named.memstats"; // _PATH_MEMSTATS max-cache-ttl 999; + min-cache-ttl 666; auth-nxdomain yes; // always set AA on NXDOMAIN. // don't set this to 'no' unless // you know what you're doing -- older @@ -155,6 +156,7 @@ min-refresh-time 777; max-ncache-ttl 333; + min-ncache-ttl 222; min-roots 15; serial-queries 34; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/Makefile.in +++ bind9-9.9.3.dfsg.P2/bin/tests/system/Makefile.in @@ -21,7 +21,7 @@ @BIND9_MAKE_INCLUDES@ -SUBDIRS = dlzexternal filter-aaaa lwresd rpz rsabigexponent tkey tsiggss +SUBDIRS = filter-aaaa lwresd rpz rsabigexponent tkey tsiggss TARGETS = @BIND9_MAKE_RULES@ --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/README +++ bind9-9.9.3.dfsg.P2/bin/tests/system/README @@ -17,6 +17,7 @@ nsupdate/ Dynamic update and IXFR tests resolver/ Regression tests for resolver bugs that have been fixed (not a complete resolver test suite) + rrl/ query rate limiting rpz/ Tests of response policy zone (RPZ) rewriting stub/ Tests of stub zone functionality unknown/ Unknown type and class tests --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/conf.sh.in +++ bind9-9.9.3.dfsg.P2/bin/tests/system/conf.sh.in @@ -62,7 +62,7 @@ database dlv dlvauto dlz dlzexternal dname dns64 dnssec ecdsa formerr forward glue gost ixfr inline limits logfileconfig lwresd masterfile masterformat metadata notify nsupdate pending - pkcs11 redirect resolver rndc rpz rrsetorder rsabigexponent + pkcs11 redirect resolver rndc rpz rrl rrsetorder rsabigexponent smartsign sortlist spf staticstub stub tkey tsig tsiggss unknown upforwd verify views wildcard xfer xferquota zonechecks" --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/Makefile +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/Makefile @@ -0,0 +1,478 @@ +# Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + + +srcdir = . + +top_srcdir = ../../../.. + +VERSION=9.10.0pre-alpha + +# Copyright (C) 2004, 2005, 2007, 2012 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1999-2001 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id: includes.in,v 1.21 2007/06/19 23:47:24 tbox Exp $ + +# Search for machine-generated header files in the build tree, +# and for normal headers in the source tree (${top_srcdir}). +# We only need to look in OS-specific subdirectories for the +# latter case, because there are no machine-generated OS-specific +# headers. + +ISC_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/isc/include \ + -I${top_srcdir}/lib/isc \ + -I${top_srcdir}/lib/isc/include \ + -I${top_srcdir}/lib/isc/unix/include \ + -I${top_srcdir}/lib/isc/pthreads/include \ + -I${top_srcdir}/lib/isc/x86_32/include + +ISCCC_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/isccc/include \ + -I${top_srcdir}/lib/isccc/include + +ISCCFG_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/isccfg/include \ + -I${top_srcdir}/lib/isccfg/include + +DNS_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/dns/include \ + -I${top_srcdir}/lib/dns/include + +LWRES_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/lwres/include \ + -I${top_srcdir}/lib/lwres/unix/include \ + -I${top_srcdir}/lib/lwres/include + +BIND9_INCLUDES = -I/usr/home/vjs/isc/work/rpz3/lib/bind9/include \ + -I${top_srcdir}/lib/bind9/include + +TEST_INCLUDES = \ + -I${top_srcdir}/lib/tests/include + +CINCLUDES = + +CDEFINES = +CWARNINGS = + +DNSLIBS = +ISCLIBS = . + +DNSDEPLIBS = +ISCDEPLIBS = + +DEPLIBS = + +LIBS = -L/usr/local/lib -lxml2 -lz -L/usr/local/lib -liconv -lm + +TARGETS = rpz + +RPZOBJS = rpz.o + +SRCS = rpz.c + +# Copyright (C) 2004-2009, 2011-2013 Internet Systems Consortium, Inc. ("ISC") +# Copyright (C) 1998-2003 Internet Software Consortium. +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +# $Id$ + +### +### Common Makefile rules for BIND 9. +### + +### +### Paths +### +### Note: paths that vary by Makefile MUST NOT be listed +### here, or they won't get expanded correctly. + +prefix = /usr +exec_prefix = ${prefix} +bindir = ${exec_prefix}/bin +sbindir = ${exec_prefix}/sbin +includedir = ${prefix}/include +libdir = ${exec_prefix}/lib +sysconfdir = /etc/namedb +localstatedir = ${prefix}/var +mandir = ${datarootdir}/man +datarootdir = ${prefix}/share + +DESTDIR = + + + +top_builddir = /usr/home/vjs/isc/work/rpz3 + +### +### All +### +### Makefile may define: +### TARGETS + +all: subdirs ${TARGETS} testdirs + +### +### Subdirectories +### +### Makefile may define: +### SUBDIRS + +ALL_SUBDIRS = ${SUBDIRS} nulldir +ALL_TESTDIRS = ${TESTDIRS} nulldir + +# +# We use a single-colon rule so that additional dependencies of +# subdirectories can be specified after the inclusion of this file. +# The "depend" and "testdirs" targets are treated the same way. +# +subdirs: + @for i in ${ALL_SUBDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making all in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \ + fi; \ + done + +# +# Tests are built after the targets instead of before +# +testdirs: + @for i in ${ALL_TESTDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making all in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" all) || exit 1; \ + fi; \ + done + +install:: all + +install clean distclean maintainer-clean doc docclean man manclean:: + @for i in ${ALL_SUBDIRS} ${ALL_TESTDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making $@ in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \ + fi; \ + done + +### +### C Programs +### +### Makefile must define +### CC +### Makefile may define +### CFLAGS +### LDFLAGS +### CINCLUDES +### CDEFINES +### CWARNINGS +### User may define externally +### EXT_CFLAGS + +CC = gcc -pthread +CFLAGS = -g -I/usr/local/include/libxml2 -I/usr/local/include +LDFLAGS = +STD_CINCLUDES = +STD_CDEFINES = -D_THREAD_SAFE +STD_CWARNINGS = -W -Wall -Wmissing-prototypes -Wcast-qual -Wwrite-strings -Wformat -Wpointer-arith -fno-strict-aliasing + +BUILD_CC = gcc -pthread +BUILD_CFLAGS = -g -I/usr/local/include/libxml2 -I/usr/local/include +BUILD_CPPFLAGS = +BUILD_LDFLAGS = +BUILD_LIBS = -L/usr/local/lib -lxml2 -lz -L/usr/local/lib -liconv -lm + +.SUFFIXES: +.SUFFIXES: .c .o + +ALWAYS_INCLUDES = -I${top_builddir} +ALWAYS_DEFINES = -D_REENTRANT +ALWAYS_WARNINGS = + +ALL_CPPFLAGS = \ + ${ALWAYS_INCLUDES} ${CINCLUDES} ${STD_CINCLUDES} \ + ${ALWAYS_DEFINES} ${CDEFINES} ${STD_CDEFINES} + +ALL_CFLAGS = ${EXT_CFLAGS} ${ALL_CPPFLAGS} ${CFLAGS} \ + ${ALWAYS_WARNINGS} ${STD_CWARNINGS} ${CWARNINGS} + +.c.o: + ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c $< + +SHELL = /bin/sh +LIBTOOL = +LIBTOOL_MODE_COMPILE = ${LIBTOOL} +LIBTOOL_MODE_INSTALL = ${LIBTOOL} +LIBTOOL_MODE_LINK = ${LIBTOOL} +PURIFY = + +MKDEP = ${SHELL} ${top_builddir}/make/mkdep + +### +### This is a template compound command to build an executable binary with +### an internal symbol table. +### This process is tricky. We first link all objects including a tentative +### empty symbol table, then get a tentative list of symbols from the resulting +### binary ($@tmp0). Next, we re-link all objects, but this time with the +### symbol table just created ($tmp@1). The set of symbols should be the same, +### but the corresponding addresses would be changed due to the difference on +### the size of symbol tables. So we create the symbol table and re-create the +### objects once again. Finally, we check the symbol table embedded in the +### final binaryis consistent with the binary itself; otherwise the process is +### terminated. +### +### To minimize the overhead of creating symbol tables, the autoconf switch +### --enable-symtable takes an argument so that the symbol table can be created +### on a per application basis: unless the argument is set to "all", the symbol +### table is created only when a shell (environment) variable "MAKE_SYMTABLE" is +### set to a non-null value in the rule to build the executable binary. +### +### Each Makefile.in that uses this macro is expected to define "LIBS" and +### "NOSYMLIBS"; the former includes libisc with an empty symbol table, and +### the latter includes libisc without the definition of a symbol table. +### The rule to make the executable binary will look like this +### binary: ${OBJS} +### #export MAKE_SYMTABLE="yes"; \ <- enable if symtable is always needed +### export BASEOBJS="${OBJS}"; \ +### ${FINALBUILDCMD} +### +### Normally, ${LIBS} includes all necessary libraries to build the binary; +### there are some exceptions however, where the rule lists some of the +### necessary libraries explicitly in addition to (or instead of) ${LIBS}, +### like this: +### binary: ${OBJS} +### cc -o $@ ${OBJS} ${OTHERLIB1} ${OTHERLIB2} ${lIBS} +### in order to modify such a rule to use this compound command, a separate +### variable "LIBS0" should be deinfed for the explicitly listed libraries, +### while making sure ${LIBS} still includes libisc. So the above rule would +### be modified as follows: +### binary: ${OBJS} +### export BASEOBJS="${OBJS}"; \ +### export LIBS0="${OTHERLIB1} ${OTHERLIB2}"; \ +### ${FINALBUILDCMD} +### See bin/check/Makefile.in for a complete example of the use of LIBS0. +### +FINALBUILDCMD = if [ X"${MKSYMTBL_PROGRAM}" = X -o X"$${MAKE_SYMTABLE:-${ALWAYS_MAKE_SYMTABLE}}" = X ] ; then \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@ $${BASEOBJS} $${LIBS0} ${LIBS}; \ + else \ + rm -f $@tmp0; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@tmp0 $${BASEOBJS} $${LIBS0} ${LIBS} || exit 1; \ + rm -f $@-symtbl.c $@-symtbl.o; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl.c $@tmp0 || exit 1; \ + $(MAKE) $@-symtbl.o || exit 1; \ + rm -f $@tmp1; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@tmp1 $${BASEOBJS} $@-symtbl.o $${LIBS0} ${NOSYMLIBS} || exit 1; \ + rm -f $@-symtbl.c $@-symtbl.o; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl.c $@tmp1 || exit 1; \ + $(MAKE) $@-symtbl.o || exit 1; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} ${LDFLAGS} \ + -o $@tmp2 $${BASEOBJS} $@-symtbl.o $${LIBS0} ${NOSYMLIBS}; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl2.c $@tmp2; \ + count=0; \ + until diff $@-symtbl.c $@-symtbl2.c > /dev/null ; \ + do \ + count=`expr $$count + 1` ; \ + test $$count = 42 && exit 1 ; \ + rm -f $@-symtbl.c $@-symtbl.o; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl.c $@tmp2 || exit 1; \ + $(MAKE) $@-symtbl.o || exit 1; \ + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${ALL_CFLAGS} \ + ${LDFLAGS} -o $@tmp2 $${BASEOBJS} $@-symtbl.o \ + $${LIBS0} ${NOSYMLIBS}; \ + ${MKSYMTBL_PROGRAM} ${top_srcdir}/util/mksymtbl.pl \ + -o $@-symtbl2.c $@tmp2; \ + done ; \ + mv $@tmp2 $@; \ + rm -f $@tmp0 $@tmp1 $@tmp2 $@-symtbl2.c; \ + fi + +cleandir: distclean +superclean: maintainer-clean + +clean distclean maintainer-clean:: + rm -f *.o *.o *.lo *.la core *.core *-symtbl.c *tmp0 *tmp1 *tmp2 + rm -rf .depend .libs + +distclean maintainer-clean:: + rm -f Makefile + +depend: + @for i in ${ALL_SUBDIRS}; do \ + if [ "$$i" != "nulldir" -a -d $$i ]; then \ + echo "making depend in `pwd`/$$i"; \ + (cd $$i; ${MAKE} ${MAKEDEFS} DESTDIR="${DESTDIR}" $@) || exit 1; \ + fi; \ + done + @if [ X"${srcdir}" != X. ] ; then \ + if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + echo ${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -vpath ${srcdir} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${SRCS}" != X ] ; then \ + echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} -vpath ${srcdir} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -vpath ${srcdir} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + fi \ + else \ + if [ X"${SRCS}" != X -a X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + echo ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -ap ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${SRCS}" != X ] ; then \ + echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${SRCS}; \ + ${DEPENDEXTRA} \ + elif [ X"${PSRCS}" != X ] ; then \ + echo ${MKDEP} ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${MKDEP} -p ${ALL_CPPFLAGS} ${ALL_CFLAGS} ${PSRCS}; \ + ${DEPENDEXTRA} \ + fi \ + fi + +FORCE: + +### +### Libraries +### + +AR = /usr/local/bin/ar +ARFLAGS = cruv +RANLIB = ranlib + +### +### Installation +### + +INSTALL = /usr/bin/install -c +INSTALL_PROGRAM = ${INSTALL} +LINK_PROGRAM = ln -s +INSTALL_SCRIPT = ${INSTALL} +INSTALL_DATA = ${INSTALL} -m 644 + +### +### Programs used when generating documentation. It's ok for these +### not to exist when not generating documentation. +### + +XSLTPROC = xsltproc --novalid --xinclude --nonet +PERL = /usr/local/bin/perl5 +LATEX = latex +PDFLATEX = pdflatex +W3M = w3m + +### +### Script language program used to create internal symbol tables +### +MKSYMTBL_PROGRAM = /usr/local/bin/perl5 + +### +### Switch to create internal symbol table selectively +### +ALWAYS_MAKE_SYMTABLE = + +### +### DocBook -> HTML +### DocBook -> man page +### + +.SUFFIXES: .docbook .html .1 .2 .3 .4 .5 .6 .7 .8 + +.docbook.html: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-docbook-html.xsl $< + +.docbook.1: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.2: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.3: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.4: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.5: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.6: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.7: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +.docbook.8: + ${XSLTPROC} -o $@ ${top_srcdir}/doc/xsl/isc-manpage.xsl $< + +### +### Python executable +### +.SUFFIXES: .py +.py: + cp -f $< $@ + chmod +x $@ + + +all: rpz + +rpz: ${RPZOBJS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ ${RPZOBJS} ${LIBS} + +clean distclean:: + rm -f ${TARGETS} + +# DO NOT DELETE THIS LINE -- mkdep uses it. +# DO NOT PUT ANYTHING AFTER THIS LINE, IT WILL GO AWAY. + +rpz.o: rpz.c /usr/home/vjs/isc/work/rpz3/config.h /usr/include/stdlib.h \ + /usr/include/sys/cdefs.h /usr/include/sys/_null.h \ + /usr/include/sys/_types.h /usr/include/machine/_types.h \ + /usr/include/stdio.h /usr/include/string.h /usr/include/strings.h + +# IF YOU PUT ANYTHING HERE IT WILL GO AWAY --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns1/root.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns1/root.db @@ -38,3 +38,6 @@ ; performance test tld5. NS ns.tld5. ns.tld5. A 10.53.0.5 + +; generate SERVFAIL +servfail NS ns.tld2. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns2/bl.tld2.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns2/bl.tld2.db @@ -0,0 +1,27 @@ +; Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + +; $Id$ + + + +; master for slave RPZ zone + +$TTL 3600 +@ SOA rpz.tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns +ns A 10.53.0.2 + A 10.53.0.3 + +32.1.7.168.192.rpz-ip CNAME . --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns2/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns2/named.conf @@ -44,3 +44,5 @@ zone "subsub.sub3.tld2." {type master; file "tld2.db";}; zone "tld2s." {type master; file "tld2s.db";}; + +zone "bl.tld2." {type master; file "bl.tld2.db";}; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns2/tld2.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns2/tld2.db @@ -111,6 +111,9 @@ A 192.168.5.2 TXT "a5-1-2 tld2 text" +a5-2 A 192.168.5.2 + TXT "a5-2 tld2 text" + a5-3 A 192.168.5.3 TXT "a5-3 tld2 text" @@ -121,3 +124,6 @@ TXT "a6-1 tld2 text" a6-2 A 192.168.6.2 TXT "a6-2 tld2 text" + +a7-1 A 192.168.7.1 + TXT "a7-1 tld2 text" --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns3/base.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns3/base.db @@ -21,30 +21,7 @@ ; Its contents are also changed with nsupdate -$TTL 120 +$TTL 300 @ SOA blx. hostmaster.ns.blx. ( 1 3600 1200 604800 60 ) - NS ns -ns A 10.53.0.3 + NS ns.tld3. -; Poke the radix tree a little. -128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip CNAME . -128.1111.2222.3333.4444.5555.6666.zz.rpz-ip CNAME . -128.1111.2222.3333.4444.5555.zz.8888.rpz-ip CNAME . -128.1111.2222.3333.4444.zz.8888.rpz-ip CNAME . -128.zz.3333.4444.0.0.8888.rpz-ip CNAME . -128.zz.3333.4444.0.7777.8888.rpz-ip CNAME . -128.zz.3333.4444.0.8777.8888.rpz-ip CNAME . -127.zz.3333.4444.0.8777.8888.rpz-ip CNAME . - - -; regression testing for some old crashes -redirect A 127.0.0.1 -*.redirect A 127.0.0.1 -*.credirect CNAME google.com. - - -; names in the RPZ TLDs that some say should not be rewritten. -; This is not a bug, because any data leaked by writing 24.4.3.2.10.rpz-ip -; (or whatever) is available by publishing "foo A 10.2.3.4" and then -; resolving foo. -32.3.2.1.127.rpz-ip CNAME walled.invalid. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns3/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns3/named.conf @@ -46,19 +46,24 @@ zone "bl-cname" policy cname txt-only.tld2.; zone "bl-wildcname" policy cname *.tld4.; zone "bl-garden" policy cname a12.tld2.; - } min-ns-dots 0; + zone "bl-drop" policy drop; + zone "bl-tcp-only" policy tcp-only; + zone "bl.tld2"; + } + min-ns-dots 0 + qname-wait-recurse yes + ; }; key rndc_key { secret "1234abcd8765"; - algorithm hmac-md5; + algorithm hmac-sha256; }; controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; }; -// include "../trusted.conf"; zone "." { type hint; file "hints"; }; zone "bl." {type master; file "bl.db"; @@ -83,6 +88,13 @@ allow-update {any;};}; zone "bl-garden." {type master; file "bl-garden.db"; allow-update {any;};}; +zone "bl-drop." {type master; file "bl-drop.db"; + allow-update {any;};}; +zone "bl-tcp-only." {type master; file "bl-tcp-only.db"; + allow-update {any;};}; + +zone "bl.tld2." {type slave; file "bl.tld2.db"; masters {10.53.0.2;}; + masterfile-format text;}; zone "crash1.tld2" {type master; file "crash1";}; zone "crash2.tld3." {type master; file "crash2";}; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns5/named.args +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns5/named.args @@ -1,3 +1,3 @@ # run the performace test close to real life --c named.conf -g +-c named.conf -gd3 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns5/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns5/named.conf @@ -40,7 +40,7 @@ key rndc_key { secret "1234abcd8765"; - algorithm hmac-md5; + algorithm hmac-sha256; }; controls { inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; @@ -56,3 +56,20 @@ zone "bl0." {type master; file "bl.db"; }; zone "bl1." {type master; file "bl.db"; }; zone "bl2." {type master; file "bl.db"; }; +zone "bl3." {type master; file "bl.db"; }; +zone "bl4." {type master; file "bl.db"; }; +zone "bl5." {type master; file "bl.db"; }; +zone "bl6." {type master; file "bl.db"; }; +zone "bl7." {type master; file "bl.db"; }; +zone "bl8." {type master; file "bl.db"; }; +zone "bl9." {type master; file "bl.db"; }; +zone "bl10." {type master; file "bl.db"; }; +zone "bl11." {type master; file "bl.db"; }; +zone "bl12." {type master; file "bl.db"; }; +zone "bl13." {type master; file "bl.db"; }; +zone "bl14." {type master; file "bl.db"; }; +zone "bl15." {type master; file "bl.db"; }; +zone "bl16." {type master; file "bl.db"; }; +zone "bl17." {type master; file "bl.db"; }; +zone "bl18." {type master; file "bl.db"; }; +zone "bl19." {type master; file "bl.db"; }; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/ns5/tld5.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/ns5/tld5.db @@ -22,42 +22,10 @@ NS ns1 NS ns2 NS ns3 - NS ns4 - NS ns5 - NS ns6 - NS ns7 - NS ns8 - NS ns9 - NS ns10 - NS ns11 - NS ns12 - NS ns13 - NS ns14 - NS ns15 - NS ns16 - NS ns17 - NS ns18 - NS ns19 ns A 10.53.0.5 ns1 A 10.53.0.5 ns2 A 10.53.0.5 ns3 A 10.53.0.5 -ns4 A 10.53.0.5 -ns5 A 10.53.0.5 -ns6 A 10.53.0.5 -ns7 A 10.53.0.5 -ns8 A 10.53.0.5 -ns9 A 10.53.0.5 -ns10 A 10.53.0.5 -ns11 A 10.53.0.5 -ns12 A 10.53.0.5 -ns13 A 10.53.0.5 -ns14 A 10.53.0.5 -ns15 A 10.53.0.5 -ns16 A 10.53.0.5 -ns17 A 10.53.0.5 -ns18 A 10.53.0.5 -ns19 A 10.53.0.5 $ORIGIN example.tld5. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/setup.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/setup.sh @@ -26,11 +26,13 @@ sh clean.sh -# set up test policy zones. bl-2 is used to check competing zones. -# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden} -# are used to check policy overrides in named.conf. -# NO-OP is an obsolete synonym for PASSHTRU -for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden; do +# set up test policy zones. +# bl is the main test zone +# bl-2 is used to check competing zones. +# bl-{given,disabled,passthru,no-data,nxdomain,cname,wildcard,garden, +# drop,tcp-only} are used to check policy overrides in named.conf. +# NO-OP is an obsolete synonym for PASSHTRU +for NM in '' -2 -given -disabled -passthru -no-op -nodata -nxdomain -cname -wildcname -garden -drop -tcp-only; do sed -e "/SOA/s/blx/bl$NM/g" ns3/base.db >ns3/bl$NM.db done @@ -48,18 +50,22 @@ signzone ns2 tld2s. base-tld2s.db tld2s.db -# Performance checks. +# Performance and a few other checks. cat <ns5/rpz-switch response-policy { - zone "bl0"; zone "bl1"; zone "bl2"; + zone "bl0"; zone "bl1"; zone "bl2"; zone "bl3"; zone "bl4"; + zone "bl5"; zone "bl6"; zone "bl7"; zone "bl8"; zone "bl9"; + zone "bl10"; zone "bl11"; zone "bl12"; zone "bl13"; zone "bl14"; + zone "bl15"; zone "bl16"; zone "bl17"; zone "bl18"; zone "bl19"; } recursive-only no - max-policy-ttl 90 - # min-ns-dots 0 - break-dnssec yes; + max-policy-ttl 90 + break-dnssec yes + qname-wait-recurse no + ; EOF cat <ns5/example.db -\$TTL 120 +\$TTL 300 @ SOA . hostmaster.ns.example.tld5. ( 1 3600 1200 604800 60 ) NS ns NS ns1 @@ -68,15 +74,16 @@ EOF cat <ns5/bl.db -\$TTL 120 +\$TTL 300 @ SOA . hostmaster.ns.blperf. ( 1 3600 1200 604800 60 ) - NS ns -ns A 10.53.0.5 + NS ns.tld5. -; used only in failure for "recursive-only no" in #8 test5 -a3-5.tld2 CNAME *. +; for "qname-wait-recurse no" in #35 test1 +x.servfail A 35.35.35.35 +; for "recursive-only no" in #8 test5 +a3-5.tld2 CNAME . ; for "break-dnssec" in #9 & #10 test5 -a3-5.tld2s CNAME *. +a3-5.tld2s CNAME . ; for "max-policy-ttl 90" in #17 test5 a3-17.tld2 500 A 17.17.17.17 @@ -85,8 +92,7 @@ EOF if test -n "$QPERF"; then - # do not build the full zones if we will not use them to avoid the long - # time otherwise required to shut down the server + # Do not build the full zones if we will not use them. $PERL -e 'for ($val = 1; $val <= 65535; ++$val) { printf("host-%05d\tA 192.168.%d.%d\n", $val, $val/256, $val%256); }' >>ns5/example.db --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test1 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test1 @@ -24,13 +24,13 @@ ; QNAME tests ; NXDOMAIN -; 2, 20, 25 +; 2, 25 update add a0-1.tld2.bl. 300 CNAME . ; NODATA -; 3, 21 +; 3 update add a3-1.tld2.bl. 300 CNAME *. ; and no assert-botch -; 4, 5, 22, 23 +; 4, 5 update add a3-2.tld2.bl. 300 DNAME example.com. ; ; NXDOMAIN for a4-2-cname.tld2 via its target a4-2.tld2. @@ -77,6 +77,14 @@ ; 19 update add a4-6.tld2.bl. 300 CNAME . update add a4-6-cname.tld2.bl. 300 A 127.0.0.17 +; no change instead of NXDOMAIN because +norecurse +; 20 +update add a5-2.tld2.bl. 300 CNAME . +; no change instead of NODATA because +norecurse +; 21 +update add a5-3.tld2.bl. 300 CNAME *. +; 22, 23 +update add a5-4.tld2.bl. 300 DNAME example.com. ; ; assert in rbtdb.c ; 24 @@ -84,4 +92,10 @@ ; DO=1 without signatures, DO=0 with signatures are rewritten ; 26 - 27 update add a0-1.tld2s.bl. 300 CNAME . +; 32 +update add a3-8.tld2.bl. 300 CNAME rpz-drop. +; 33 +update add a3-9.tld2.bl. 300 CNAME rpz-tcp-only. +; 34 qname-wait-recurse yes +update add x.servfail.bl. 300 A 127.0.0.34 send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test2 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test2 @@ -58,7 +58,7 @@ send ; prefer QNAME to IP for a5-4.tld2 -; 13 +; 13, 14 update add 32.4.5.168.192.rpz-ip.bl 300 CNAME a12.tld2. update add a5-4.tld2.bl 300 CNAME a14.tld4. ; @@ -72,3 +72,8 @@ send update add c2.crash2.tld3.bl-2 300 A 127.0.0.16 send + +; client-IP address trigger +; 17 +update add 32.1.0.53.10.rpz-client-ip.bl 300 A 127.0.0.17 +send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test5 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test5 @@ -35,10 +35,8 @@ ; 4 update add a3-4.tld2.bl-disabled. 300 A 127.0.0.4 send -; 5 - 8 +; 5 - 7 update add a3-5.tld2.bl-nodata. 300 A 127.0.0.5 -; 9 - 10 -update add a3-5.tld2s.bl-nodata. 300 A 127.0.0.9 send ; 11 update add a3-6.tld2.bl-nxdomain. 300 A 127.0.0.11 @@ -57,3 +55,9 @@ ; 16 update add a3-16.tld2.bl. 300 A 127.0.0.16 send +; 18 +update add a3-18.tld2.bl-drop. 300 A 127.0.0.18 +send +; 19 +update add a3-19.tld2.bl-tcp-only. 300 A 127.0.0.19 +send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/test6 +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/test6 @@ -0,0 +1,40 @@ +; Copyright (C) 2011-2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; Use comment lines instead of blank lines to combine update requests into +; single requests +; Separate update requests for distinct TLDs with blank lines or 'send' +; End the file with a blank line or 'send' + +server 10.53.0.3 5300 + +; Poke the radix tree a little. +update add 128.1111.2222.3333.4444.5555.6666.7777.8888.rpz-ip.bl. 300 CNAME . +update add 128.1111.2222.3333.4444.5555.6666.zz.rpz-ip.bl. 300 CNAME . +update add 128.1111.2222.3333.4444.5555.zz.8888.rpz-ip.bl. 300 CNAME . +update add 128.1111.2222.3333.4444.zz.8888.rpz-ip.bl. 300 CNAME . +update add 128.zz.3333.4444.0.0.8888.rpz-ip.bl. 300 CNAME . +update add 128.zz.3333.4444.0.7777.8888.rpz-ip.bl. 300 CNAME . +update add 128.zz.3333.4444.0.8777.8888.rpz-ip.bl. 300 CNAME . +update add 127.zz.3333.4444.0.8777.8888.rpz-ip.bl. 300 CNAME . +; +; +; regression testing for some old crashes +update add redirect.bl. 300 A 127.0.0.1 +update add *.redirect.bl. 300 A 127.0.0.1 +update add *.credirect.bl. 300 CNAME google.com. +; +send --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rpz/tests.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rpz/tests.sh @@ -21,15 +21,15 @@ . $SYSTEMTESTTOP/conf.sh ns=10.53.0 -ns1=$ns.1 # root, defining the others -ns2=$ns.2 # server whose answers are rewritten -ns3=$ns.3 # resolve that does the rewriting -ns4=$ns.4 # another server that is rewritten -ns5=$ns.5 # check performance with this server +ns1=$ns.1 # root, defining the others +ns2=$ns.2 # authoritative server whose records are rewritten +ns3=$ns.3 # main rewriting resolver +ns4=$ns.4 # another authoritative server that is rewritten +ns5=$ns.5 # another rewriting resolver HAVE_CORE= SAVE_RESULTS= -NS3_STATS=47 + USAGE="$0: [-x]" while getopts "x" c; do @@ -57,11 +57,16 @@ RNDCCMD="$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s" digcmd () { - digcmd_args="+noadd +time=1 +tries=1 -p 5300 $*" - expr "$digcmd_args" : '.*@' >/dev/null || \ - digcmd_args="$digcmd_args @$ns3" - expr "$digcmd_args" : '.*+[no]*auth' >/dev/null || \ - digcmd_args="+noauth $digcmd_args" + if test "$1" = TCP; then + shift + fi + # Default to +noauth and @$ns3 + # Also default to -bX where X is the @value so that OS X will choose + # the right IP source address. + digcmd_args=`echo "+noadd +time=1 +tries=1 -p 5300 $*" | \ + sed -e "/@/!s/.*/& @$ns3/" \ + -e '/-b/!s/@\([^ ]*\)/@\1 -b\1/' \ + -e '/+n?o?auth/!s/.*/+noauth &/'` #echo I:dig $digcmd_args 1>&2 $DIG $digcmd_args } @@ -87,10 +92,13 @@ # (re)load the reponse policy zones with the rules in the file $TEST_FILE load_db () { if test -n "$TEST_FILE"; then - $NSUPDATE -v $TEST_FILE || { + if $NSUPDATE -v $TEST_FILE; then : + $RNDCCMD $ns3 sync + else echo "I:failed to update policy zone with $TEST_FILE" + $RNDCCMD $ns3 sync exit 1 - } + fi fi } @@ -133,15 +141,20 @@ return 1 } -# check that statistics for $1 in $2 = $3 ckstats () { - $RNDCCMD $1 stats - CNT=`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ - $2/named.stats` - CNT=`expr 0$CNT + 0` - if test "$CNT" -ne $3; then - setret "I:wrong $2 statistics of $CNT instead of $3" + HOST=$1 + LABEL="$2" + NSDIR="$3" + EXPECTED="$4" + $RNDCCMD $HOST stats + NEW_CNT=0`sed -n -e 's/[ ]*\([0-9]*\).response policy.*/\1/p' \ + $NSDIR/named.stats | tail -1` + eval "OLD_CNT=0\$${NSDIR}_CNT" + GOT=`expr $NEW_CNT - $OLD_CNT` + if test "$GOT" -ne "$EXPECTED"; then + setret "I:wrong $LABEL $NSDIR statistics of $GOT instead of $EXPECTED" fi + eval "${NSDIR}_CNT=$NEW_CNT" } # $1=message $2=optional test file name @@ -178,6 +191,12 @@ ckresult () { #ckalive "$1" "I:server crashed by 'dig $1'" || return 1 if $PERL $SYSTEMTESTTOP/digcomp.pl $DIGNM $2 >/dev/null; then + NEED_TCP=`echo "$1" | sed -n -e 's/[Tt][Cc][Pp].*/TCP/p'` + RESULT_TCP=`sed -n -e 's/.*Truncated, retrying in TCP.*/TCP/p' $DIGNM` + if test "$NEED_TCP" != "$RESULT_TCP"; then + setret "I:'dig $1' wrong; no or unexpected truncation in $DIGNM" + return 1 + fi clean_result ${DIGNM}* return 0 fi @@ -234,12 +253,14 @@ clean_result ${DIGNM}* } -# check that a response is not rewritten -# $1=target domain $2=optional query type +# Check that a response is not rewritten +# Use $ns1 instead of the authority for most test domains, $ns2 to prevent +# spurious differences for `dig +norecurse` +# $1=optional "TCP" remaining args for dig nochange () { make_dignm digcmd $* >$DIGNM - digcmd $* @$ns2 >${DIGNM}_OK + digcmd $* @$ns1 >${DIGNM}_OK ckresult "$*" ${DIGNM}_OK && clean_result ${DIGNM}_OK } @@ -251,6 +272,20 @@ ckresult "$*" ${DIGNM}_OK } +# check dropped response +DROPPED='^;; connection timed out; no servers could be reached' +drop () { + make_dignm + digcmd $* >$DIGNM + if grep "$DROPPED" $DIGNM >/dev/null; then + clean_result ${DIGNM}* + return 0 + fi + setret "I:'dig $1' wrong; response in $DIGNM" + return 1 +} + + # make prototype files to check against rewritten results digcmd nonexistent @$ns2 >proto.nxdomain digcmd txt-only.tld2 @$ns2 >proto.nodata @@ -278,19 +313,27 @@ addr 57.57.57.57 a3-7.sub1.tld2 # 17 wildcard CNAME addr 127.0.0.16 a4-5-cname3.tld2 # 18 CNAME chain addr 127.0.0.17 a4-6-cname3.tld2 # 19 stop short in CNAME chain -nochange a0-1.tld2 +norecurse # 20 check that RD=1 is required -nochange a3-1.tld2 +norecurse # 21 -nochange a3-2.tld2 +norecurse # 22 -nochange sub.a3-2.tld2 +norecurse # 23 +nochange a5-2.tld2 +norecurse # 20 check that RD=1 is required +nochange a5-3.tld2 +norecurse # 21 +nochange a5-4.tld2 +norecurse # 22 +nochange sub.a5-4.tld2 +norecurse # 23 nxdomain c1.crash2.tld3 # 24 assert in rbtdb.c nxdomain a0-1.tld2 +dnssec # 25 simple DO=1 without signatures -nxdomain a0-1.tld2s # 26 simple DO=0 with signatures +nxdomain a0-1.tld2s +nodnssec # 26 simple DO=0 with signatures nochange a0-1.tld2s +dnssec # 27 simple DO=1 with signatures nxdomain a0-1s-cname.tld2s +dnssec # 28 DNSSEC too early in CNAME chain nochange a0-1-scname.tld2 +dnssec # 29 DNSSEC on target in CNAME chain -nochange a0-1.tld2s srv +auth +dnssec # 30 no write for +DNSSEC and no record -nxdomain a0-1.tld2s srv # 31 +nochange a0-1.tld2s srv +auth +dnssec # 30 no write for DNSSEC and no record +nxdomain a0-1.tld2s srv +nodnssec # 31 +drop a3-8.tld2 # 32 drop +nochange tcp a3-9.tld2 # 33 tcp-only +here x.servfail <<'EOF' # 34 qname-wait-recurse yes + ;; status: SERVFAIL, x +EOF +addr 35.35.35.35 "x.servfail @$ns5" # 35 qname-wait-recurse no end_group +ckstats $ns3 test1 ns3 22 +ckstats $ns5 test1 ns5 1 start_group "IP rewrites" test2 nodata a3-1.tld2 # 1 NODATA @@ -305,11 +348,14 @@ nochange a4-1-aaaa.tld2 -taaaa # 10 addr 127.0.0.1 a5-1-2.tld2 # 11 prefer smallest policy address addr 127.0.0.1 a5-3.tld2 # 12 prefer first conflicting IP zone -addr 14.14.14.14 a5-4.tld2 # 13 prefer QNAME to IP -nochange a5-4.tld2 +norecurse # 14 check that RD=1 is required +nochange a5-4.tld2 +norecurse # 13 check that RD=1 is required for #14 +addr 14.14.14.14 a5-4.tld2 # 14 prefer QNAME to IP nochange a4-4.tld2 # 15 PASSTHRU nxdomain c2.crash2.tld3 # 16 assert in rbtdb.c +addr 127.0.0.17 "a4-4.tld2 -b $ns1" # 17 client-IP address trigger +nxdomain a7-1.tld2 # 18 slave policy zone (RT34450) end_group +ckstats $ns3 test2 ns3 11 # check that IP addresses for previous group were deleted from the radix tree start_group "radix tree deletions" @@ -325,6 +371,7 @@ nochange a4-1-aaaa.tld2 -tAAAA nochange a5-1-2.tld2 end_group +ckstats $ns3 'radix tree deletions' ns3 0 if ./rpz nsdname; then # these tests assume "min-ns-dots 0" @@ -342,7 +389,7 @@ addr 127.0.0.2 a3-1.subsub.sub3.tld2 nxdomain xxx.crash1.tld2 # 12 dns_db_detachnode() crash end_group - NS3_STATS=`expr $NS3_STATS + 7` + ckstats $ns3 test3 ns3 7 else echo "I:NSDNAME not checked; named configured with --disable-rpz-nsdname" fi @@ -356,15 +403,15 @@ nochange a3-1.tld4 # 4 different NS IP address end_group -# start_group "walled garden NSIP rewrites" test4a -# addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 -# addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 -# here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 -# ;; status: NOERROR, x -# a3-1.tld2. x IN TXT "NSIP walled garden" -#EOF -# end_group - NS3_STATS=`expr $NS3_STATS + 1` + start_group "walled garden NSIP rewrites" test4a + addr 41.41.41.41 a3-1.tld2 # 1 walled garden for all of tld2 + addr 2041::41 'a3-1.tld2 AAAA' # 2 walled garden for all of tld2 + here a3-1.tld2 TXT <<'EOF' # 3 text message for all of tld2 + ;; status: NOERROR, x + a3-1.tld2. x IN TXT "NSIP walled garden" +EOF + end_group + ckstats $ns3 test4 ns3 4 else echo "I:NSIP not checked; named configured with --disable-rpz-nsip" fi @@ -376,12 +423,12 @@ nochange a3-2.tld2 # 2 bl-passthru nochange a3-3.tld2 # 3 bl-no-op obsolete for passthru nochange a3-4.tld2 # 4 bl-disabled -nodata a3-5.tld2 # 5 bl-nodata -nodata a3-5.tld2 +norecurse # 6 bl-nodata recursive-only no -nodata a3-5.tld2 # 7 bl-nodata -nodata a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata recursive-only no -nodata a3-5.tld2s @$ns5 # 9 bl-nodata -nodata a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata break-dnssec +nodata a3-5.tld2 # 5 bl-nodata zone recursive-only no +nodata a3-5.tld2 +norecurse # 6 bl-nodata zone recursive-only no +nodata a3-5.tld2 # 7 bl-nodata not needed +nxdomain a3-5.tld2 +norecurse @$ns5 # 8 bl-nodata global recursive-only no +nxdomain a3-5.tld2s @$ns5 # 9 bl-nodata global break-dnssec +nxdomain a3-5.tld2s +dnssec @$ns5 # 10 bl-nodata global break-dnssec nxdomain a3-6.tld2 # 11 bl-nxdomain here a3-7.tld2 -tany <<'EOF' ;; status: NOERROR, x @@ -393,10 +440,15 @@ addr 12.12.12.12 a3-15.tld2 # 15 bl-garden via CNAME to a12.tld2 addr 127.0.0.16 a3-16.tld2 100 # 16 bl max-policy-ttl 100 addr 17.17.17.17 "a3-17.tld2 @$ns5" 90 # 17 ns5 bl max-policy-ttl 90 +drop a3-18.tld2 # 18 bl-drop +nxdomain TCP a3-19.tld2 # 19 bl-tcp-only end_group +ckstats $ns3 test5 ns3 12 +ckstats $ns5 test5 ns5 4 + # check that miscellaneous bugs are still absent -start_group "crashes" +start_group "crashes" test6 for Q in RRSIG SIG ANY 'ANY +dnssec'; do nocrash a3-1.tld2 -t$Q nocrash a3-2.tld2 -t$Q @@ -410,6 +462,8 @@ # resolving foo. # nxdomain 32.3.2.1.127.rpz-ip end_group +ckstats $ns3 bugs ns3 8 + # superficial test for major performance bugs @@ -422,6 +476,7 @@ $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >/dev/null comment "before real test $1" PFILE="ns5/$2.perf" + $RNDCCMD $ns5 notrace $QPERF -c -1 -l30 -d ns5/requests -s $ns5 -p 5300 >$PFILE comment "after test $1" X=`sed -n -e 's/.*Returned *\([^ ]*:\) *\([0-9]*\) .*/\1\2/p' $PFILE \ @@ -436,17 +491,17 @@ } # get qps with rpz - perf 'with rpz' rpz 'NOERROR:2900 NXDOMAIN:100 ' + perf 'with RPZ' rpz 'NOERROR:2900 NXDOMAIN:100 ' RPZ=`trim rpz` # turn off rpz and measure qps again - echo "# rpz off" >ns5/rpz-switch + echo "# RPZ off" >ns5/rpz-switch RNDCCMD_OUT=`$RNDCCMD $ns5 reload` - perf 'without rpz' norpz 'NOERROR:3000 ' + perf 'without RPZ' norpz 'NOERROR:3000 ' NORPZ=`trim norpz` PERCENT=`expr \( "$RPZ" \* 100 + \( $NORPZ / 2 \) \) / $NORPZ` - echo "I:$RPZ qps with rpz is $PERCENT% of $NORPZ qps without rpz" + echo "I:$RPZ qps with RPZ is $PERCENT% of $NORPZ qps without RPZ" MIN_PERCENT=30 if test "$PERCENT" -lt $MIN_PERCENT; then @@ -457,15 +512,13 @@ setret "I:$RPZ qps with RPZ or $PERCENT% of $NORPZ qps without RPZ is too high" fi - ckstats $ns5 ns5 203 + ckstats $ns5 performance ns5 200 else echo "I:performance not checked; queryperf not available" fi -ckstats $ns3 ns3 55 - # restart the main test RPZ server to see if that creates a core file if test -z "$HAVE_CORE"; then $PERL $SYSTEMTESTTOP/stop.pl . ns3 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/clean.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/clean.sh @@ -0,0 +1,21 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + + +# Clean up after rrl tests. + +rm -f dig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns1/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns1/named.conf @@ -0,0 +1,32 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; +}; + +zone "." {type master; file "root.db";}; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns1/root.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns1/root.db @@ -0,0 +1,31 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + +$TTL 120 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 + +; limit responses from here +tld2. NS ns.tld2. +ns.tld2. A 10.53.0.2 + +; limit recursion to here +tld3. NS ns.tld3. +ns.tld3. A 10.53.0.3 + +; generate SERVFAIL +tld4. NS ns.tld3. --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns2/hints +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns2/hints @@ -0,0 +1,18 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns2/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns2/named.conf @@ -0,0 +1,71 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; + + additional-from-cache no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type master; file "tld2.db"; }; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns2/tld2.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns2/tld2.db @@ -0,0 +1,47 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns3/hints +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns3/hints @@ -0,0 +1,18 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns3/named.conf +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns3/named.conf @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type master; file "tld3.db"; }; --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/ns3/tld3.db +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/ns3/tld3.db @@ -0,0 +1,25 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.3 + +*.a3 A 192.0.3.3 --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/setup.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/setup.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh + --- bind9-9.9.3.dfsg.P2.orig/bin/tests/system/rrl/tests.sh +++ bind9-9.9.3.dfsg.P2/bin/tests/system/rrl/tests.sh @@ -0,0 +1,258 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. +sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=result name $2=domain name $3=dig options +digcmd () { + OFILE=$1; shift + DIG_DOM=$1; shift + ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2" + #echo I:dig $ARGS 1>&2 + START=`date +%y%m%d%H%M.%S` + RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/;; connection timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' \ + | tr -d '\n'` + mv "$OFILE=TEMP" "$OFILE=$RESULT" + touch -t $START "$OFILE=$RESULT" +} + + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + while test "$BURST_LIMIT" -ge 1; do + CNT=`expr "00$QNUM" : '.*\(...\)'` + eval BURST_DOM="$BURST_DOM_BASE" + FILE="dig.out-$BURST_DOM-$CNT" + digcmd $FILE $BURST_DOM $* & + QNUM=`expr $QNUM + 1` + BURST_LIMIT=`expr "$BURST_LIMIT" - 1` + done +} + + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + BAD= + wait + ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l` + DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \ + | wc -l` + SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l` + if test $ADDRS -ne "$3"; then + setret "I:"$ADDRS" instead of $3 '$2' responses for $1" + BAD=yes + fi + if test $TC -ne "$4"; then + setret "I:"$TC" instead of $4 truncation responses for $1" + BAD=yes + fi + if test $DROP -ne "$5"; then + setret "I:"$DROP" instead of $5 dropped responses for $1" + BAD=yes + fi + if test $NXDOMAIN -ne "$6"; then + setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1" + BAD=yes + fi + if test $SERVFAIL -ne "$7"; then + setret "I:"$SERVFAIL" instead of $7 error responses for $1" + BAD=yes + fi + if test -z "$BAD"; then + rm -f dig.out-$1-* + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + ns2/named.stats | tail -1` + C=`expr 0$C + 0` + if test "$C" -ne $EXPECTED; then + setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" + fi +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# 1 second delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'x$CNT.a2.tld2' +# These should be counted and limited but are not. See RT33138. +burst 10 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL +# referrals to "." +ck_result a1.tld3 '' 2 1 2 0 0 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 + +# Check the wild card answers. +# The parent name of the 30 requests is counted. +ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 + +# These should be limited but are not. See RT33138. +ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 AAAA +burst 2 a8.tld2 TXT +burst 2 a8.tld2 SPF + +# IP TC drop NXDOMAIN SERVFAIL +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 '' 2 2 2 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + + +echo "I:exit status: $ret" +# exit $ret +[ $ret -ne 0 ] && echo "I:test failure overridden" +exit 0 --- bind9-9.9.3.dfsg.P2.orig/bind9-resolvconf.service +++ bind9-9.9.3.dfsg.P2/bind9-resolvconf.service @@ -0,0 +1,13 @@ +[Unit] +Description=local BIND via resolvconf +Documentation=man:named(8) man:resolvconf(8) +Requires=bind9.service +After=bind9.service +ConditionFileIsExecutable=/sbin/resolvconf + +[Service] +ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named' +ExecStop=/sbin/resolvconf -d lo.named + +[Install] +WantedBy=bind9.service --- bind9-9.9.3.dfsg.P2.orig/bind9.service +++ bind9-9.9.3.dfsg.P2/bind9.service @@ -0,0 +1,12 @@ +[Unit] +Description=BIND Domain Name Server +Documentation=man:named(8) +After=network.target + +[Service] +ExecStart=/usr/sbin/named -f -u bind +ExecReload=/usr/sbin/rndc reload +ExecStop=/usr/sbin/rndc stop + +[Install] +WantedBy=multi-user.target --- bind9-9.9.3.dfsg.P2.orig/bind9.tmpfile +++ bind9-9.9.3.dfsg.P2/bind9.tmpfile @@ -0,0 +1 @@ +d /run/named 0775 root bind - - --- bind9-9.9.3.dfsg.P2.orig/clean.sh +++ bind9-9.9.3.dfsg.P2/clean.sh @@ -0,0 +1,21 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + + +# Clean up after rrl tests. + +rm -f dig.out* +rm -f */named.memstats */named.run */named.stats */log-* */session.key +rm -f ns3/bl*.db */*.jnl */*.core */*.pid --- bind9-9.9.3.dfsg.P2.orig/config.h.in +++ bind9-9.9.3.dfsg.P2/config.h.in @@ -184,6 +184,9 @@ MSVC and with C++ compilers. */ #undef FLEXIBLE_ARRAY_MEMBER +/* Defined if GeoIP supports IPv6 lookups */ +#undef GEOIP_V6 + /* Define to 1 if you have the `chroot' function. */ #undef HAVE_CHROOT @@ -421,6 +424,9 @@ /* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS +/* Define if you want GeoIP support. */ +#undef SUPPORT_GEOIP + /* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME --- bind9-9.9.3.dfsg.P2.orig/configure +++ bind9-9.9.3.dfsg.P2/configure @@ -519,10 +519,12 @@ # # From configure.in Revision: 1.533 . # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69. +# Generated by GNU Autoconf 2.68. # # -# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, +# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software +# Foundation, Inc. # # # This configure script is free software; the Free Software Foundation @@ -651,31 +653,6 @@ # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH -# Use a proper internal environment variable to ensure we don't fall - # into an infinite loop, continuously re-executing ourselves. - if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then - _as_can_reexec=no; export _as_can_reexec; - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. -BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -as_fn_exit 255 - fi - # We don't want this to propagate to other subprocesses. - { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : emulate sh @@ -709,8 +686,7 @@ else exitcode=1; echo positional parameters were not saved. fi -test x\$exitcode = x0 || exit 1 -test -x / || exit 1" +test x\$exitcode = x0 || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && @@ -763,25 +739,21 @@ if test "x$CONFIG_SHELL" != x; then : - export CONFIG_SHELL - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. -BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -exit 255 + # We cannot yet assume a decent shell, so we have to provide a + # neutralization value for shells without unset; and this also + # works around shells that cannot unset nonexistent variables. + # Preserve -v and -x to the replacement shell. + BASH_ENV=/dev/null + ENV=/dev/null + (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV + export CONFIG_SHELL + case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; + esac + exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"} fi if test x$as_have_required = xno; then : @@ -883,14 +855,6 @@ } # as_fn_mkdir_p - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take @@ -1012,10 +976,6 @@ chmod +x "$as_me.lineno" || { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - # If we had to re-execute with $CONFIG_SHELL, we're ensured to have - # already done that, so ensure we don't try to do so again and fall - # in an infinite loop. This has already happened in practice. - _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). @@ -1050,16 +1010,16 @@ # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. + # In both cases, we have to default to `cp -p'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' + as_ln_s='cp -p' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -1071,8 +1031,28 @@ as_mkdir_p=false fi -as_test_x='test -x' -as_executable_p=as_fn_executable_p +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in #( + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" @@ -1326,6 +1306,7 @@ OPENSSLGOSTLINKOBJS DST_OPENSSL_INC USE_OPENSSL +GEOIP_LIBS LWRES_PLATFORM_NEEDSYSSELECTH ISC_PLATFORM_NEEDSYSSELECTH ISC_PLATFORM_HAVEDEVPOLL @@ -1459,6 +1440,7 @@ enable_openssl_version_check with_ecdsa with_gost +with_geoip enable_openssl_hash with_pkcs11 with_gssapi @@ -1966,6 +1948,8 @@ if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe + $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. + If a cross compiler is detected then cross compile mode will be used" >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi @@ -2170,6 +2154,7 @@ (Required for DNSSEC) --with-ecdsa OpenSSL ECDSA --with-gost OpenSSL GOST + --with-geoip=PATH Specify path for system-supplied GeoIP --with-pkcs11=PATH Build with PKCS11 support yes|no|path (PATH is for the PKCS11 provider) --with-gssapi=PATH Specify path for system-supplied GSSAPI [default=yes] @@ -2286,9 +2271,9 @@ if $ac_init_version; then cat <<\_ACEOF configure -generated by GNU Autoconf 2.69 +generated by GNU Autoconf 2.68 -Copyright (C) 2012 Free Software Foundation, Inc. +Copyright (C) 2010 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF @@ -2364,7 +2349,7 @@ test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || - test -x conftest$ac_exeext + $as_test_x conftest$ac_exeext }; then : ac_retval=0 else @@ -2718,8 +2703,7 @@ main () { static int test_array [1 - 2 * !(($2) >= 0)]; -test_array [0] = 0; -return test_array [0]; +test_array [0] = 0 ; return 0; @@ -2735,8 +2719,7 @@ main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0; -return test_array [0]; +test_array [0] = 0 ; return 0; @@ -2762,8 +2745,7 @@ main () { static int test_array [1 - 2 * !(($2) < 0)]; -test_array [0] = 0; -return test_array [0]; +test_array [0] = 0 ; return 0; @@ -2779,8 +2761,7 @@ main () { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; -test_array [0] = 0; -return test_array [0]; +test_array [0] = 0 ; return 0; @@ -2814,8 +2795,7 @@ main () { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; -test_array [0] = 0; -return test_array [0]; +test_array [0] = 0 ; return 0; @@ -2888,7 +2868,7 @@ running configure, to aid debugging if configure makes a mistake. It was created by $as_me, which was -generated by GNU Autoconf 2.69. Invocation command line was +generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ @@ -3502,7 +3482,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3542,7 +3522,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3595,7 +3575,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3636,7 +3616,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue @@ -3694,7 +3674,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -3738,7 +3718,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4184,7 +4164,8 @@ /* end confdefs.h. */ #include #include -struct stat; +#include +#include /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); @@ -4291,7 +4272,7 @@ for ac_prog in sed gsed; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_SED="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_SED" || continue + { test -f "$ac_path_SED" && $as_test_x "$ac_path_SED"; } || continue # Check for GNU ac_path_SED and select it if it is found. # Check for GNU $ac_path_SED case `"$ac_path_SED" --version 2>&1` in @@ -4367,7 +4348,7 @@ for ac_prog in grep ggrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_GREP" || continue + { test -f "$ac_path_GREP" && $as_test_x "$ac_path_GREP"; } || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in @@ -4433,7 +4414,7 @@ for ac_prog in egrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_EGREP" || continue + { test -f "$ac_path_EGREP" && $as_test_x "$ac_path_EGREP"; } || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in @@ -4500,7 +4481,7 @@ for ac_prog in fgrep; do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_FGREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_FGREP" || continue + { test -f "$ac_path_FGREP" && $as_test_x "$ac_path_FGREP"; } || continue # Check for GNU ac_path_FGREP and select it if it is found. # Check for GNU $ac_path_FGREP case `"$ac_path_FGREP" --version 2>&1` in @@ -4756,7 +4737,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DUMPBIN="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -4800,7 +4781,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DUMPBIN="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5224,7 +5205,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5264,7 +5245,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OBJDUMP="objdump" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5436,7 +5417,7 @@ lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[^/]+(\.so\.[0-9]+\.[0-9]+|_pic\.a)$' else @@ -5570,7 +5551,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DLLTOOL="${ac_tool_prefix}dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5610,7 +5591,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DLLTOOL="dlltool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5714,7 +5695,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AR="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5758,7 +5739,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_AR="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5883,7 +5864,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5923,7 +5904,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -5982,7 +5963,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6022,7 +6003,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6126,7 +6107,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6713,7 +6694,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_MANIFEST_TOOL="${ac_tool_prefix}mt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6753,7 +6734,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_MANIFEST_TOOL="mt" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6833,7 +6814,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_DSYMUTIL="${ac_tool_prefix}dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6873,7 +6854,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_DSYMUTIL="dsymutil" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6925,7 +6906,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_NMEDIT="${ac_tool_prefix}nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -6965,7 +6946,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_NMEDIT="nmedit" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7017,7 +6998,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_LIPO="${ac_tool_prefix}lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7057,7 +7038,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_LIPO="lipo" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7109,7 +7090,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL="${ac_tool_prefix}otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7149,7 +7130,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL="otool" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7201,7 +7182,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_OTOOL64="${ac_tool_prefix}otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -7241,7 +7222,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_OTOOL64="otool64" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -8185,10 +8166,6 @@ $RM -r conftest* -## CAVEAT EMPTOR: -## There is no encapsulation within the following macros, do not change -## the running order or otherwise move them around unless you know exactly -## what you are doing... if test -n "$compiler"; then lt_prog_compiler_no_builtin_flag= @@ -8879,6 +8856,9 @@ openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + link_all_deplibs=no + ;; esac ld_shlibs=yes @@ -9100,7 +9080,7 @@ fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -9277,6 +9257,7 @@ if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + link_all_deplibs=no else # not using gcc if test "$host_cpu" = ia64; then @@ -9730,7 +9711,7 @@ link_all_deplibs=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then archive_cmds='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else @@ -10758,6 +10739,18 @@ dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -11765,7 +11758,7 @@ # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then + if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. @@ -11902,7 +11895,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_AR="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -11966,7 +11959,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_ETAGS="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12035,7 +12028,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_PERL="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12103,7 +12096,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12150,7 +12143,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_PYTHON="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12357,7 +12350,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12397,7 +12390,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12450,7 +12443,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12491,7 +12484,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue @@ -12549,7 +12542,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12593,7 +12586,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -12789,7 +12782,8 @@ /* end confdefs.h. */ #include #include -struct stat; +#include +#include /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); @@ -12912,7 +12906,7 @@ # as it breaks how the two halves (Basic and Advanced) of the IPv6 # Socket API were designed to be used but we have to live with it. # Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. - *-linux* | *-kfreebsd*-gnu) + *-linux*|*-gnu*) STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE" CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE" ;; @@ -13069,11 +13063,11 @@ int main () { - +/* FIXME: Include the comments suggested by Paul. */ #ifndef __cplusplus - /* Ultrix mips cc rejects this sort of thing. */ + /* Ultrix mips cc rejects this. */ typedef int charset[2]; - const charset cs = { 0, 0 }; + const charset cs; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; @@ -13090,9 +13084,8 @@ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; - { /* SCO 3.2v4 cc rejects this sort of thing. */ - char tx; - char *t = &tx; + { /* SCO 3.2v4 cc rejects this. */ + char *t; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; @@ -13108,10 +13101,10 @@ iptr p = 0; ++p; } - { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying + { /* AIX XL C 1.02.0.0 rejects this saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; } bx; - struct s *b = &bx; b->j = 5; + struct s { int j; const int *ap[3]; }; + struct s *b; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; @@ -14388,6 +14381,147 @@ esac # +# Check for GeoIP - if yes enable it +# + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP library" >&5 +$as_echo_n "checking for GeoIP library... " >&6; } + +# Check whether --with-geoip was given. +if test "${with_geoip+set}" = set; then : + withval=$with_geoip; use_geoip="$withval" +else + use_geoip="no" +fi + + +#geoipdirs="/usr/local /usr/pkg /usr/kerberos /usr" +# +#if test "$use_geoip" = "yes" +#then +# for d in $geoipdirs +# do +# if test -f $d/include/include/GeoIP.h -o -f $d/include/GeoIP.h +# then +# use_geoip=$d +# break +# fi +# done +#fi + + +$as_echo "#define GEOIP_V6 1" >>confdefs.h + +case "$use_geoip" in + no) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5 +$as_echo "disabled" >&6; } + USE_GEOIP='' + ;; +# yes) +# AC_MSG_ERROR([--with-geoip must specify a path]) +# ;; + *) + ac_fn_c_check_header_mongrel "$LINENO" "GeoIP.h" "ac_cv_header_GeoIP_h" "$ac_includes_default" +if test "x$ac_cv_header_GeoIP_h" = xyes; then : + +else + as_fn_error $? "GeoIP library header files not found" "$LINENO" 5 + +fi + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for GeoIP_open in -lGeoIP" >&5 +$as_echo_n "checking for GeoIP_open in -lGeoIP... " >&6; } +if ${ac_cv_lib_GeoIP_GeoIP_open+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lGeoIP $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char GeoIP_open (); +int +main () +{ +return GeoIP_open (); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ac_cv_lib_GeoIP_GeoIP_open=yes +else + ac_cv_lib_GeoIP_GeoIP_open=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_GeoIP_GeoIP_open" >&5 +$as_echo "$ac_cv_lib_GeoIP_GeoIP_open" >&6; } +if test "x$ac_cv_lib_GeoIP_GeoIP_open" = xyes; then : + + +$as_echo "#define SUPPORT_GEOIP 1" >>confdefs.h + + +else + + as_fn_error $? "GeoIP library header files were found but the library was not found" "$LINENO" 5 + +fi + + GEOIP_LIBS="-lGeoIP" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for for GeoIP IPv6 support" >&5 +$as_echo_n "checking for for GeoIP IPv6 support... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#include +#include + +int +main () +{ + + +extern const struct in6_addr in6addr_loopback; +static GeoIP *geoip = NULL; + +const char* value = value = GeoIP_country_name_by_ipnum_v6(geoip, (geoipv6_t)in6addr_loopback); + + + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + GEOIP_V6="#define GEOIP_V6 1" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + GEOIP_V6="#undef GEOIP_V6" +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +$as_echo "#define GEOIP_V6 1" >>confdefs.h + + ;; +esac + + + +# # This would include the system openssl path (and linker options to use # it as needed) if it is found. # @@ -15653,7 +15787,7 @@ # LinuxThreads requires some changes to the way we # deal with signals. # - *-linux*) + *-linux*|*-kfreebsd*-gnu) $as_echo "#define HAVE_LINUXTHREADS 1" >>confdefs.h ;; @@ -16120,7 +16254,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_purify_path="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -18739,7 +18873,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_LATEX="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -18787,7 +18921,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_PDFLATEX="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -18839,7 +18973,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_W3M="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -18889,7 +19023,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_XSLTPROC="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -18936,7 +19070,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_XMLLINT="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -18983,7 +19117,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_DOXYGEN="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -19520,7 +19654,7 @@ BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\"" -BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}" +BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}-$(dpkg-vendor --query Vendor)-$(dpkg-parsechangelog | awk '/^Version/ {print $2}')" BIND9_SRCID="SRCID=unset" @@ -19798,7 +19932,7 @@ IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_path_PG_CONFIG="$as_dir/$ac_word$ac_exec_ext" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 @@ -20941,16 +21075,16 @@ # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. + # In both cases, we have to default to `cp -p'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' + as_ln_s='cp -p' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi else - as_ln_s='cp -pR' + as_ln_s='cp -p' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null @@ -21010,16 +21144,28 @@ as_mkdir_p=false fi - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p -as_test_x='test -x' -as_executable_p=as_fn_executable_p +if test -x / >/dev/null 2>&1; then + as_test_x='test -x' +else + if ls -dL / >/dev/null 2>&1; then + as_ls_L_option=L + else + as_ls_L_option= + fi + as_test_x=' + eval sh -c '\'' + if test -d "$1"; then + test -d "$1/."; + else + case $1 in #( + -*)set "./$1";; + esac; + case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( + ???[sx]*):;;*)false;;esac;fi + '\'' sh + ' +fi +as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" @@ -21041,7 +21187,7 @@ # values after options handling. ac_log=" This file was extended by $as_me, which was -generated by GNU Autoconf 2.69. Invocation command line was +generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS @@ -21107,10 +21253,10 @@ ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ config.status -configured by $0, generated by GNU Autoconf 2.69, +configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" -Copyright (C) 2012 Free Software Foundation, Inc. +Copyright (C) 2010 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." @@ -21200,7 +21346,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then - set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' --- bind9-9.9.3.dfsg.P2.orig/configure.in +++ bind9-9.9.3.dfsg.P2/configure.in @@ -349,7 +349,7 @@ # as it breaks how the two halves (Basic and Advanced) of the IPv6 # Socket API were designed to be used but we have to live with it. # Define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. - *-linux* | *-kfreebsd*-gnu) + *-linux*|*-gnu*) STD_CDEFINES="$STD_CDEFINES -D_GNU_SOURCE" CPPFLAGS="$CPPFLAGS -D_GNU_SOURCE" ;; @@ -905,6 +905,74 @@ esac # +# Check for GeoIP - if yes enable it +# + +AC_MSG_CHECKING(for GeoIP library) +AC_ARG_WITH(geoip, +[ --with-geoip=PATH Specify path for system-supplied GeoIP], + use_geoip="$withval", use_geoip="no") + +#geoipdirs="/usr/local /usr/pkg /usr/kerberos /usr" +# +#if test "$use_geoip" = "yes" +#then +# for d in $geoipdirs +# do +# if test -f $d/include/include/GeoIP.h -o -f $d/include/GeoIP.h +# then +# use_geoip=$d +# break +# fi +# done +#fi + +AC_DEFINE([GEOIP_V6], [1], [Defined if GeoIP supports IPv6 lookups]) +case "$use_geoip" in + no) + AC_MSG_RESULT(disabled) + USE_GEOIP='' + ;; +# yes) +# AC_MSG_ERROR([--with-geoip must specify a path]) +# ;; + *) + AC_CHECK_HEADER(GeoIP.h,, + [AC_MSG_ERROR([GeoIP library header files not found])] + ) + AC_CHECK_LIB(GeoIP, GeoIP_open, + [ + AC_DEFINE(SUPPORT_GEOIP, 1, Define if you want GeoIP support.) + ], + [ + AC_MSG_ERROR([GeoIP library header files were found but the library was not found]) + ]) + GEOIP_LIBS="-lGeoIP" + AC_MSG_CHECKING(for for GeoIP IPv6 support) + AC_TRY_COMPILE([ +#include +#include +], +[ + +extern const struct in6_addr in6addr_loopback; +static GeoIP *geoip = NULL; + +const char* value = value = GeoIP_country_name_by_ipnum_v6(geoip, (geoipv6_t)in6addr_loopback); + +] +, + [AC_MSG_RESULT(yes) + GEOIP_V6="#define GEOIP_V6 1"], + [AC_MSG_RESULT(no) + GEOIP_V6="#undef GEOIP_V6"]) +AC_DEFINE(GEOIP_V6) + ;; +esac + +AC_SUBST(GEOIP_LIBS) + +# # This would include the system openssl path (and linker options to use # it as needed) if it is found. # @@ -1319,7 +1387,7 @@ # LinuxThreads requires some changes to the way we # deal with signals. # - *-linux*) + *-linux*|*-kfreebsd*-gnu) AC_DEFINE(HAVE_LINUXTHREADS) ;; # @@ -3346,7 +3414,7 @@ AC_SUBST(BIND9_PRODUCT) BIND9_DESCRIPTION="DESCRIPTION=\"${DESCRIPTION}\"" AC_SUBST(BIND9_DESCRIPTION) -BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}" +BIND9_VERSION="VERSION=${MAJORVER}.${MINORVER}${PATCHVER:+.}${PATCHVER}${RELEASETYPE}${RELEASEVER}-$(dpkg-vendor --query Vendor)-$(dpkg-parsechangelog | awk '/^Version/ {print $2}')" AC_SUBST(BIND9_VERSION) BIND9_SRCID="SRCID=unset" --- bind9-9.9.3.dfsg.P2.orig/contrib/idn/idnkit-1.0-src/config.guess +++ bind9-9.9.3.dfsg.P2/contrib/idn/idnkit-1.0-src/config.guess @@ -1,9 +1,9 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. -timestamp='2001-09-04' +timestamp='2009-01-17' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -24,8 +24,9 @@ # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. -# Written by Per Bothner . -# Please send patches to . +# Originally written by Per Bothner . +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. # # This script attempts to guess a canonical system name similar to # config.sub. If it succeeds, it prints the system name on stdout, and @@ -52,7 +53,7 @@ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -87,30 +88,42 @@ exit 1 fi +trap 'exit 1' 1 2 15 -dummy=dummy-$$ -trap 'rm -f $dummy.c $dummy.o $dummy.rel $dummy; exit 1' 1 2 15 +# CC_FOR_BUILD -- compiler used by this script. Note that the use of a +# compiler to aid in system detection is discouraged as it requires +# temporary files to be created and, as you can see below, it is a +# headache to deal with in a portable fashion. -# CC_FOR_BUILD -- compiler used by this script. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. -set_cc_for_build='case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int dummy(){}" > $dummy.c ; - for c in cc gcc c89 ; do - ($c $dummy.c -c -o $dummy.o) >/dev/null 2>&1 ; - if test $? = 0 ; then +# Portable tmp directory creation inspired by the Autoconf team. + +set_cc_for_build=' +trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; +trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; +: ${TMPDIR=/tmp} ; + { tmp=`(umask 077 && mktemp -d -q "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; +dummy=$tmp/dummy ; +tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; +case $CC_FOR_BUILD,$HOST_CC,$CC in + ,,) echo "int x;" > $dummy.c ; + for c in cc gcc c89 c99 ; do + if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; - rm -f $dummy.c $dummy.o $dummy.rel ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac' +esac ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) @@ -127,29 +140,30 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) - # Netbsd (nbsd) targets should (where applicable) match one or - # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, + # NetBSD (nbsd) targets should (where applicable) match one or + # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. - # Determine the machine/vendor (is the vendor relevant). - case "${UNAME_MACHINE}" in - amiga) machine=m68k-unknown ;; - arm32) machine=arm-unknown ;; - atari*) machine=m68k-atari ;; - sun3*) machine=m68k-sun ;; - mac68k) machine=m68k-apple ;; - macppc) machine=powerpc-apple ;; - hp3[0-9][05]) machine=m68k-hp ;; - ibmrt|romp-ibm) machine=romp-ibm ;; - *) machine=${UNAME_MACHINE}-unknown ;; + # + # Note: NetBSD doesn't particularly care about the vendor + # portion of the name. We always set it to "unknown". + sysctl="sysctl -n hw.machine_arch" + UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ + /usr/sbin/$sysctl 2>/dev/null || echo unknown)` + case "${UNAME_MACHINE_ARCH}" in + armeb) machine=armeb-unknown ;; + arm*) machine=arm-unknown ;; + sh3el) machine=shl-unknown ;; + sh3eb) machine=sh-unknown ;; + *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. - case "${UNAME_MACHINE}" in - i386|sparc|amiga|arm*|hp300|mvme68k|vax|atari|luna68k|mac68k|news68k|next68k|pc532|sun3*|x68k) + case "${UNAME_MACHINE_ARCH}" in + arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep __ELF__ >/dev/null @@ -166,74 +180,123 @@ ;; esac # The OS release - release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + # Debian GNU/NetBSD machines have a different userland, and + # thus, need a distinct triplet. However, they do not need + # kernel version information, so it can be replaced with a + # suitable tag, in the style of linux-gnu. + case "${UNAME_VERSION}" in + Debian*) + release='-gnu' + ;; + *) + release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` + ;; + esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. echo "${machine}-${os}${release}" exit 0 ;; + amd64:OpenBSD:*:*) + echo x86_64-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + amiga:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + cats:OpenBSD:*:*) + echo arm-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + hp300:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + luna88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mac68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + macppc:OpenBSD:*:*) + echo powerpc-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme68k:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvme88k:OpenBSD:*:*) + echo m88k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + mvmeppc:OpenBSD:*:*) + echo powerpc-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sgi:OpenBSD:*:*) + echo mips64-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + sun3:OpenBSD:*:*) + echo m68k-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:OpenBSD:*:*) + echo ${UNAME_MACHINE}-unknown-openbsd${UNAME_RELEASE} + exit 0 ;; + *:ekkoBSD:*:*) + echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + exit 0 ;; + macppc:MirBSD:*:*) + echo powerppc-unknown-mirbsd${UNAME_RELEASE} + exit 0 ;; + *:MirBSD:*:*) + echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + exit 0 ;; alpha:OSF1:*:*) - if test $UNAME_RELEASE = "V4.0"; then + case $UNAME_RELEASE in + *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` - fi + ;; + *5.*) + UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` + ;; + esac + # According to Compaq, /usr/sbin/psrinfo has been available on + # OSF/1 and Tru64 systems produced since 1995. I hope that + # covers most systems running today. This code pipes the CPU + # types through head -n 1, so we only detect the type of CPU 0. + ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` + case "$ALPHA_CPU_TYPE" in + "EV4 (21064)") + UNAME_MACHINE="alpha" ;; + "EV4.5 (21064)") + UNAME_MACHINE="alpha" ;; + "LCA4 (21066/21068)") + UNAME_MACHINE="alpha" ;; + "EV5 (21164)") + UNAME_MACHINE="alphaev5" ;; + "EV5.6 (21164A)") + UNAME_MACHINE="alphaev56" ;; + "EV5.6 (21164PC)") + UNAME_MACHINE="alphapca56" ;; + "EV5.7 (21164PC)") + UNAME_MACHINE="alphapca57" ;; + "EV6 (21264)") + UNAME_MACHINE="alphaev6" ;; + "EV6.7 (21264A)") + UNAME_MACHINE="alphaev67" ;; + "EV6.8CB (21264C)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8AL (21264B)") + UNAME_MACHINE="alphaev68" ;; + "EV6.8CX (21264D)") + UNAME_MACHINE="alphaev68" ;; + "EV6.9A (21264/EV69A)") + UNAME_MACHINE="alphaev69" ;; + "EV7 (21364)") + UNAME_MACHINE="alphaev7" ;; + "EV7.9 (21364A)") + UNAME_MACHINE="alphaev79" ;; + esac + # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - cat <$dummy.s - .data -\$Lformat: - .byte 37,100,45,37,120,10,0 # "%d-%x\n" - - .text - .globl main - .align 4 - .ent main -main: - .frame \$30,16,\$26,0 - ldgp \$29,0(\$27) - .prologue 1 - .long 0x47e03d80 # implver \$0 - lda \$2,-1 - .long 0x47e20c21 # amask \$2,\$1 - lda \$16,\$Lformat - mov \$0,\$17 - not \$1,\$18 - jsr \$26,printf - ldgp \$29,0(\$26) - mov 0,\$16 - jsr \$26,exit - .end main -EOF - eval $set_cc_for_build - $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null - if test "$?" = 0 ; then - case `./$dummy` in - 0-0) - UNAME_MACHINE="alpha" - ;; - 1-0) - UNAME_MACHINE="alphaev5" - ;; - 1-1) - UNAME_MACHINE="alphaev56" - ;; - 1-101) - UNAME_MACHINE="alphapca56" - ;; - 2-303) - UNAME_MACHINE="alphaev6" - ;; - 2-307) - UNAME_MACHINE="alphaev67" - ;; - 2-1307) - UNAME_MACHINE="alphaev68" - ;; - esac - fi - rm -f $dummy.s $dummy - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` + echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` exit 0 ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? @@ -247,33 +310,18 @@ Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit 0;; - amiga:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit 0 ;; - arc64:OpenBSD:*:*) - echo mips64el-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - arc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - hkmips:OpenBSD:*:*) - echo mips-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - pmax:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - sgi:OpenBSD:*:*) - echo mips-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - wgrisc:OpenBSD:*:*) - echo mipsel-unknown-openbsd${UNAME_RELEASE} + *:[Mm]orph[Oo][Ss]:*:*) + echo ${UNAME_MACHINE}-unknown-morphos exit 0 ;; *:OS/390:*:*) echo i370-ibm-openedition exit 0 ;; + *:OS400:*:*) + echo powerpc-ibm-os400 + exit 0 ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit 0;; @@ -291,6 +339,13 @@ NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit 0 ;; + DRS?6000:unix:4.0:6*) + echo sparc-icl-nx6 + exit 0 ;; + DRS?6000:UNIX_SV:4.2*:7*) + case `/usr/bin/uname -p` in + sparc) echo sparc-icl-nx7 && exit 0 ;; + esac ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit 0 ;; @@ -319,7 +374,7 @@ echo m68k-sun-sunos${UNAME_RELEASE} exit 0 ;; sun*:*:4.2BSD:*) - UNAME_RELEASE=`(head -1 /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` + UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) @@ -333,12 +388,6 @@ aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit 0 ;; - sparc*:NetBSD:*) - echo `uname -p`-unknown-netbsd${UNAME_RELEASE} - exit 0 ;; - atari*:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor @@ -365,17 +414,8 @@ *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit 0 ;; - sun3*:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mac68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme68k:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} - exit 0 ;; - mvme88k:OpenBSD:*:*) - echo m88k-unknown-openbsd${UNAME_RELEASE} + m68k:machten:*:*) + echo m68k-apple-machten${UNAME_RELEASE} exit 0 ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} @@ -415,15 +455,20 @@ exit (-1); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy \ - && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ - && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c \ + && $dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \ + && exit 0 echo mips-mips-riscos${UNAME_RELEASE} exit 0 ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit 0 ;; + Motorola:*:4.3:PL8-*) + echo powerpc-harris-powermax + exit 0 ;; + Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) + echo powerpc-harris-powermax + exit 0 ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit 0 ;; @@ -496,8 +541,7 @@ exit(0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 echo rs6000-ibm-aix3.2.5 elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 @@ -506,7 +550,7 @@ fi exit 0 ;; *:AIX:*:[45]) - IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | head -1 | awk '{ print $1 }'` + IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else @@ -546,10 +590,8 @@ 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? ) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) - case "${HPUX_REV}" in - 11.[0-9][0-9]) - if [ -x /usr/bin/getconf ]; then - sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` + if [ -x /usr/bin/getconf ]; then + sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 @@ -558,13 +600,13 @@ case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; + '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac - fi ;; - esac - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + fi + if [ "${HP_ARCH}" = "" ]; then + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include @@ -597,11 +639,21 @@ exit (0); } EOF - (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy` - if test -z "$HP_ARCH"; then HP_ARCH=hppa; fi - rm -f $dummy.c $dummy - fi ;; + (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + test -z "$HP_ARCH" && HP_ARCH=hppa + fi ;; esac + if [ ${HP_ARCH} = "hppa2.0w" ] + then + # avoid double evaluation of $set_cc_for_build + test -n "$CC_FOR_BUILD" || eval $set_cc_for_build + if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E -) | grep __LP64__ >/dev/null + then + HP_ARCH="hppa2.0w" + else + HP_ARCH="hppa64" + fi + fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit 0 ;; ia64:HP-UX:*:*) @@ -635,8 +687,7 @@ exit (0); } EOF - $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + $CC_FOR_BUILD -o $dummy $dummy.c && $dummy && exit 0 echo unknown-hitachi-hiuxwe2 exit 0 ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) @@ -664,9 +715,6 @@ parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit 0 ;; - hppa*:OpenBSD:*:*) - echo hppa-unknown-openbsd - exit 0 ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit 0 ;; @@ -685,9 +733,6 @@ C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit 0 ;; - CRAY*X-MP:*:*:*) - echo xmp-cray-unicos - exit 0 ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; @@ -700,26 +745,25 @@ CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; - CRAY*T3D:*:*:*) - echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' - exit 0 ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit 0 ;; - CRAY-2:*:*:*) - echo cray2-cray-unicos - exit 0 ;; + *:UNICOS/mp:*:*) + echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + exit 0 ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit 0 ;; - hp300:OpenBSD:*:*) - echo m68k-unknown-openbsd${UNAME_RELEASE} + 5000:UNIX_System_V:4.*:*) + FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` + FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` + echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit 0 ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} @@ -733,9 +777,6 @@ *:FreeBSD:*:*) echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit 0 ;; - *:OpenBSD:*:*) - echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` - exit 0 ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit 0 ;; @@ -745,11 +786,17 @@ i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit 0 ;; + x86:Interix*:[34]*) + echo i586-pc-interix${UNAME_RELEASE}|sed -e 's/\..*//' + exit 0 ;; + [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) + echo i${UNAME_MACHINE}-pc-mks + exit 0 ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? - echo i386-pc-interix + echo i586-pc-interix exit 0 ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin @@ -761,25 +808,74 @@ echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit 0 ;; *:GNU:*:*) + # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit 0 ;; + *:GNU/*:*:*) + # other systems with GNU libc and userland + echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu + exit 0 ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit 0 ;; arm*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; + cris:Linux:*:*) + echo cris-axis-linux-gnu + exit 0 ;; + crisv32:Linux:*:*) + echo crisv32-axis-linux-gnu + exit 0 ;; + frv:Linux:*:*) + echo frv-unknown-linux-gnu + exit 0 ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit 0 ;; + m32r*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; mips:Linux:*:*) - case `sed -n '/^byte/s/^.*: \(.*\) endian/\1/p' < /proc/cpuinfo` in - big) echo mips-unknown-linux-gnu && exit 0 ;; - little) echo mipsel-unknown-linux-gnu && exit 0 ;; - esac + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips + #undef mipsel + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mipsel + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 + ;; + mips64:Linux:*:*) + eval $set_cc_for_build + sed 's/^ //' << EOF >$dummy.c + #undef CPU + #undef mips64 + #undef mips64el + #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) + CPU=mips64el + #else + #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) + CPU=mips64 + #else + CPU= + #endif + #endif +EOF + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^CPU=` + test x"${CPU}" != x && echo "${CPU}-unknown-linux-gnu" && exit 0 ;; ppc:Linux:*:*) echo powerpc-unknown-linux-gnu @@ -815,6 +911,9 @@ s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux exit 0 ;; + sh64*:Linux:*:*) + echo ${UNAME_MACHINE}-unknown-linux-gnu + exit 0 ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit 0 ;; @@ -828,7 +927,8 @@ # The BFD linker knows what the default object file format is, so # first see if it will tell us. cd to the root directory to prevent # problems with other programs or directories called `ld' in the path. - ld_supported_targets=`cd /; ld --help 2>&1 \ + # Set LC_ALL=C to ensure ld outputs messages in English. + ld_supported_targets=`cd /; LC_ALL=C ld --help 2>&1 \ | sed -ne '/supported targets:/!d s/[ ][ ]*/ /g s/.*supported targets: *// @@ -840,7 +940,7 @@ ;; a.out-i386-linux) echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit 0 ;; + exit 0 ;; coff-i386) echo "${UNAME_MACHINE}-pc-linux-gnucoff" exit 0 ;; @@ -852,32 +952,31 @@ esac # Determine whether the default compiler is a.out or elf eval $set_cc_for_build - cat >$dummy.c < -#ifdef __cplusplus -#include /* for printf() prototype */ - int main (int argc, char *argv[]) { -#else - int main (argc, argv) int argc; char *argv[]; { -#endif -#ifdef __ELF__ -# ifdef __GLIBC__ -# if __GLIBC__ >= 2 - printf ("%s-pc-linux-gnu\n", argv[1]); -# else - printf ("%s-pc-linux-gnulibc1\n", argv[1]); -# endif -# else - printf ("%s-pc-linux-gnulibc1\n", argv[1]); -# endif -#else - printf ("%s-pc-linux-gnuaout\n", argv[1]); -#endif - return 0; -} + sed 's/^ //' << EOF >$dummy.c + #include + #ifdef __ELF__ + # ifdef __GLIBC__ + # if __GLIBC__ >= 2 + LIBC=gnu + # else + LIBC=gnulibc1 + # endif + # else + LIBC=gnulibc1 + # endif + #else + #ifdef __INTEL_COMPILER + LIBC=gnu + #else + LIBC=gnuaout + #endif + #endif + #ifdef __dietlibc__ + LIBC=dietlibc + #endif EOF - $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm -f $dummy.c $dummy && exit 0 - rm -f $dummy.c $dummy + eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep ^LIBC=` + test x"${LIBC}" != x && echo "${UNAME_MACHINE}-pc-linux-${LIBC}" && exit 0 test x"${TENTATIVE}" != x && echo "${TENTATIVE}" && exit 0 ;; i*86:DYNIX/ptx:4*:*) @@ -894,6 +993,26 @@ # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit 0 ;; + i*86:OS/2:*:*) + # If we were able to find `uname', then EMX Unix compatibility + # is probably installed. + echo ${UNAME_MACHINE}-pc-os2-emx + exit 0 ;; + i*86:XTS-300:*:STOP) + echo ${UNAME_MACHINE}-unknown-stop + exit 0 ;; + i*86:atheos:*:*) + echo ${UNAME_MACHINE}-unknown-atheos + exit 0 ;; + i*86:syllable:*:*) + echo ${UNAME_MACHINE}-pc-syllable + exit 0 ;; + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + echo i386-unknown-lynxos${UNAME_RELEASE} + exit 0 ;; + i*86:*DOS:*:*) + echo ${UNAME_MACHINE}-pc-msdosdjgpp + exit 0 ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then @@ -915,22 +1034,19 @@ UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then - UNAME_REL=`(/bin/uname -X|egrep Release|sed -e 's/.*= //')` - (/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486 - (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \ + UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` + (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 + (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 - (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 - (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \ + (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit 0 ;; - i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp - exit 0 ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about @@ -954,9 +1070,15 @@ # "miniframe" echo m68010-convergent-sysv exit 0 ;; - M68*:*:R3V[567]*:*) + mc68k:UNIX:SYSTEM5:3.51m) + echo m68k-convergent-sysv + exit 0 ;; + M680?0:D-NIX:5.3:*) + echo m68k-diab-dnix + exit 0 ;; + M68*:*:R3V[5678]*:*) test -r /sysV68 && echo 'm68k-motorola-sysv' && exit 0 ;; - 3[34]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 4850:*:4.0:3.0) + 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` @@ -973,9 +1095,6 @@ mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit 0 ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} - exit 0 ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit 0 ;; @@ -1047,6 +1166,9 @@ SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit 0 ;; + SX-6:SUPER-UX:*:*) + echo sx6-nec-superux${UNAME_RELEASE} + exit 0 ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit 0 ;; @@ -1054,18 +1176,25 @@ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit 0 ;; *:Darwin:*:*) - echo `uname -p`-apple-darwin${UNAME_RELEASE} + UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown + case $UNAME_PROCESSOR in + *86) UNAME_PROCESSOR=i686 ;; + unknown) UNAME_PROCESSOR=powerpc ;; + esac + echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit 0 ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) - if test "${UNAME_MACHINE}" = "x86pc"; then + UNAME_PROCESSOR=`uname -p` + if test "$UNAME_PROCESSOR" = "x86"; then + UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi - echo `uname -p`-${UNAME_MACHINE}-nto-qnx + echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit 0 ;; *:QNX:*:4*) echo i386-pc-qnx exit 0 ;; - NSR-[KW]:NONSTOP_KERNEL:*:*) + NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit 0 ;; *:NonStop-UX:*:*) @@ -1088,11 +1217,6 @@ fi echo ${UNAME_MACHINE}-unknown-plan9 exit 0 ;; - i*86:OS/2:*:*) - # If we were able to find `uname', then EMX Unix compatibility - # is probably installed. - echo ${UNAME_MACHINE}-pc-os2-emx - exit 0 ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit 0 ;; @@ -1111,12 +1235,19 @@ *:ITS:*:*) echo pdp10-unknown-its exit 0 ;; - i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop + SEI:*:*:SEIUX) + echo mips-sei-seiux${UNAME_RELEASE} exit 0 ;; - i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos + *:DragonFly:*:*) + echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit 0 ;; + *:*VMS:*:*) + UNAME_MACHINE=`(uname -p) 2>/dev/null` + case "${UNAME_MACHINE}" in + A*) echo alpha-dec-vms && exit 0 ;; + I*) echo ia64-dec-vms && exit 0 ;; + V*) echo vax-dec-vms && exit 0 ;; + esac esac #echo '(No uname command or uname output not recognized.)' 1>&2 @@ -1237,8 +1368,7 @@ } EOF -$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm -f $dummy.c $dummy && exit 0 -rm -f $dummy.c $dummy +$CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && $dummy && exit 0 # Apollos put the system type in the environment. --- bind9-9.9.3.dfsg.P2.orig/contrib/idn/idnkit-1.0-src/config.sub +++ bind9-9.9.3.dfsg.P2/contrib/idn/idnkit-1.0-src/config.sub @@ -1,9 +1,9 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 -# Free Software Foundation, Inc. +# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, +# 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. -timestamp='2001-09-07' +timestamp='2004-08-29' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -29,7 +29,8 @@ # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. -# Please send patches to . +# Please send patches to . Submit a context +# diff and a properly formatted ChangeLog entry. # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. @@ -69,7 +70,7 @@ version="\ GNU config.sub ($timestamp) -Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001 +Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO @@ -117,7 +118,8 @@ # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in - nto-qnx* | linux-gnu* | storm-chaos* | os2-emx* | windows32-*) + nto-qnx* | linux-gnu* | linux-dietlibc | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | \ + kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* | storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; @@ -143,7 +145,7 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis) + -apple | -axis | -knuth | -cray) os= basic_machine=$1 ;; @@ -226,32 +228,46 @@ 1750a | 580 \ | a29k \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ + | am33_2.0 \ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr \ | c4x | clipper \ - | d10v | d30v | dsp16xx \ - | fr30 \ + | d10v | d30v | dlx | dsp16xx \ + | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ - | m32r | m68000 | m68k | m88k | mcore \ - | mips16 | mips64 | mips64el | mips64orion | mips64orionel \ - | mips64vr4100 | mips64vr4100el | mips64vr4300 \ - | mips64vr4300el | mips64vr5000 | mips64vr5000el \ - | mipsbe | mipseb | mipsel | mipsle | mipstx39 | mipstx39el \ - | mipsisa32 \ + | ip2k | iq2000 \ + | m32r | m32rle | m68000 | m68k | m88k | mcore \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64vr | mips64vrel \ + | mips64orion | mips64orionel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ + | msp430 \ | ns16k | ns32k \ - | openrisc \ + | openrisc | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle | ppcbe \ | pyramid \ - | s390 | s390x \ - | sh | sh[34] | sh[34]eb | shbe | shle \ - | sparc | sparc64 | sparclet | sparclite | sparcv9 | sparcv9b \ - | stormy16 | strongarm \ - | tahoe | thumb | tic80 | tron \ - | v850 \ + | sh | sh[1234] | sh[23]e | sh[34]eb | shbe | shle | sh[1234]le | sh3ele \ + | sh64 | sh64le \ + | sparc | sparc64 | sparc86x | sparclet | sparclite | sparcv8 | sparcv9 | sparcv9b \ + | strongarm \ + | tahoe | thumb | tic4x | tic80 | tron \ + | v850 | v850e \ | we32k \ - | x86 | xscale \ + | x86 | xscale | xstormy16 | xtensa \ | z8k) basic_machine=$basic_machine-unknown ;; @@ -278,38 +294,57 @@ 580-* \ | a29k-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alphapca5[67]-* | arc-* \ - | arm-* | armbe-* | armle-* | armv*-* \ + | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ + | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ + | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ + | avr-* \ | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c54x-* \ - | clipper-* | cray2-* | cydra-* \ - | d10v-* | d30v-* \ + | c[123]* | c30-* | [cjt]90-* | c4x-* | c54x-* | c55x-* | c6x-* \ + | clipper-* | craynv-* | cydra-* \ + | d10v-* | d30v-* | dlx-* \ | elxsi-* \ - | f30[01]-* | f700-* | fr30-* | fx80-* \ + | f30[01]-* | f700-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | i*86-* | i860-* | i960-* | ia64-* \ - | m32r-* \ - | m68000-* | m680[01234]0-* | m68360-* | m683?2-* | m68k-* \ + | ip2k-* | iq2000-* \ + | m32r-* | m32rle-* \ + | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | mcore-* \ - | mips-* | mips16-* | mips64-* | mips64el-* | mips64orion-* \ - | mips64orionel-* | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* | mipsbe-* | mipseb-* \ - | mipsle-* | mipsel-* | mipstx39-* | mipstx39el-* \ + | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ + | mips16-* \ + | mips64-* | mips64el-* \ + | mips64vr-* | mips64vrel-* \ + | mips64orion-* | mips64orionel-* \ + | mips64vr4100-* | mips64vr4100el-* \ + | mips64vr4300-* | mips64vr4300el-* \ + | mips64vr5000-* | mips64vr5000el-* \ + | mipsisa32-* | mipsisa32el-* \ + | mipsisa32r2-* | mipsisa32r2el-* \ + | mipsisa64-* | mipsisa64el-* \ + | mipsisa64r2-* | mipsisa64r2el-* \ + | mipsisa64sb1-* | mipsisa64sb1el-* \ + | mipsisa64sr71k-* | mipsisa64sr71kel-* \ + | mipstx39-* | mipstx39el-* \ + | mmix-* \ + | msp430-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* | ppcbe-* \ | pyramid-* \ | romp-* | rs6000-* \ - | s390-* | s390x-* \ - | sh-* | sh[34]-* | sh[34]eb-* | shbe-* | shle-* \ - | sparc-* | sparc64-* | sparc86x-* | sparclite-* \ - | sparcv9-* | sparcv9b-* | stormy16-* | strongarm-* | sv1-* \ - | t3e-* | tahoe-* | thumb-* | tic30-* | tic54x-* | tic80-* | tron-* \ - | v850-* | vax-* \ + | sh-* | sh[1234]-* | sh[23]e-* | sh[34]eb-* | shbe-* \ + | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ + | sparc-* | sparc64-* | sparc86x-* | sparclet-* | sparclite-* \ + | sparcv8-* | sparcv9-* | sparcv9b-* | strongarm-* | sv1-* | sx?-* \ + | tahoe-* | thumb-* \ + | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ + | tron-* \ + | v850-* | v850e-* | vax-* \ | we32k-* \ - | x86-* | x86_64-* | xmp-* | xps100-* | xscale-* \ + | x86-* | x86_64-* | xps100-* | xscale-* | xstormy16-* \ + | xtensa-* \ | ymp-* \ | z8k-*) ;; @@ -329,6 +364,9 @@ basic_machine=a29k-amd os=-udi ;; + abacus) + basic_machine=abacus-unknown + ;; adobe68k) basic_machine=m68010-adobe os=-scout @@ -343,6 +381,12 @@ basic_machine=a29k-none os=-bsd ;; + amd64) + basic_machine=x86_64-pc + ;; + amd64-*) + basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; amdahl) basic_machine=580-amdahl os=-sysv @@ -374,6 +418,10 @@ basic_machine=ns32k-sequent os=-dynix ;; + c90) + basic_machine=c90-cray + os=-unicos + ;; convex-c1) basic_machine=c1-convex os=-bsd @@ -394,30 +442,45 @@ basic_machine=c38-convex os=-bsd ;; - cray | ymp) - basic_machine=ymp-cray + cray | j90) + basic_machine=j90-cray os=-unicos ;; - cray2) - basic_machine=cray2-cray - os=-unicos + craynv) + basic_machine=craynv-cray + os=-unicosmp ;; - [cjt]90) - basic_machine=${basic_machine}-cray - os=-unicos + cr16c) + basic_machine=cr16c-unknown + os=-elf ;; crds | unos) basic_machine=m68k-crds ;; + crisv32 | crisv32-* | etraxfs*) + basic_machine=crisv32-axis + ;; cris | cris-* | etrax*) basic_machine=cris-axis ;; + crx) + basic_machine=crx-unknown + os=-elf + ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; + decsystem10* | dec10*) + basic_machine=pdp10-dec + os=-tops10 + ;; + decsystem20* | dec20*) + basic_machine=pdp10-dec + os=-tops20 + ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola @@ -598,28 +661,20 @@ basic_machine=m68k-atari os=-mint ;; - mipsel*-linux*) - basic_machine=mipsel-unknown - os=-linux-gnu - ;; - mips*-linux*) - basic_machine=mips-unknown - os=-linux-gnu - ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; - mmix*) - basic_machine=mmix-knuth - os=-mmixware - ;; monitor) basic_machine=m68k-rom68k os=-coff ;; + morphos) + basic_machine=powerpc-unknown + os=-morphos + ;; msdos) basic_machine=i386-pc os=-msdos @@ -699,6 +754,14 @@ basic_machine=hppa1.1-oki os=-proelf ;; + or32 | or32-*) + basic_machine=or32-unknown + os=-coff + ;; + os400) + basic_machine=powerpc-ibm + os=-os400 + ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose @@ -721,49 +784,55 @@ pbb) basic_machine=m68k-tti ;; - pc532 | pc532-*) + pc532 | pc532-*) basic_machine=ns32k-pc532 ;; - pentium | p5 | k5 | k6 | nexgen) + pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; - pentiumpro | p6 | 6x86 | athlon) + pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; - pentiumii | pentium2) + pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-*) + pentium4) + basic_machine=i786-pc + ;; + pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; - pentiumii-* | pentium2-*) + pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; + pentium4-*) + basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc) basic_machine=powerpc-unknown - ;; + ;; ppc-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown - ;; + ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown - ;; + ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown - ;; + ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; @@ -784,10 +853,26 @@ rtpc | rtpc-*) basic_machine=romp-ibm ;; + s390 | s390-*) + basic_machine=s390-ibm + ;; + s390x | s390x-*) + basic_machine=s390x-ibm + ;; sa29200) basic_machine=a29k-amd os=-udi ;; + sb1) + basic_machine=mipsisa64sb1-unknown + ;; + sb1el) + basic_machine=mipsisa64sb1el-unknown + ;; + sei) + basic_machine=mips-sei + os=-seiux + ;; sequent) basic_machine=i386-sequent ;; @@ -795,7 +880,10 @@ basic_machine=sh-hitachi os=-hms ;; - sparclite-wrs) + sh64) + basic_machine=sh64-unknown + ;; + sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; @@ -862,22 +950,42 @@ os=-dynix ;; t3e) - basic_machine=t3e-cray + basic_machine=alphaev5-cray + os=-unicos + ;; + t90) + basic_machine=t90-cray os=-unicos ;; tic54x | c54x*) basic_machine=tic54x-unknown os=-coff ;; + tic55x | c55x*) + basic_machine=tic55x-unknown + os=-coff + ;; + tic6x | c6x*) + basic_machine=tic6x-unknown + os=-coff + ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; + toad1) + basic_machine=pdp10-xkl + os=-tops20 + ;; tower | tower-32) basic_machine=m68k-ncr ;; + tpf) + basic_machine=s390x-ibm + os=-tpf + ;; udi29k) basic_machine=a29k-amd os=-udi @@ -899,8 +1007,8 @@ os=-vms ;; vpp*|vx|vx-*) - basic_machine=f301-fujitsu - ;; + basic_machine=f301-fujitsu + ;; vxworks960) basic_machine=i960-wrs os=-vxworks @@ -921,17 +1029,13 @@ basic_machine=hppa1.1-winbond os=-proelf ;; - windows32) - basic_machine=i386-pc - os=-windows32-msvcrt + xps | xps100) + basic_machine=xps100-honeywell ;; - xmp) - basic_machine=xmp-cray + ymp) + basic_machine=ymp-cray os=-unicos ;; - xps | xps100) - basic_machine=xps100-honeywell - ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim @@ -952,16 +1056,12 @@ op60c) basic_machine=hppa1.1-oki ;; - mips) - if [ x$os = x-linux-gnu ]; then - basic_machine=mips-unknown - else - basic_machine=mips-mips - fi - ;; romp) basic_machine=romp-ibm ;; + mmix) + basic_machine=mmix-knuth + ;; rs6000) basic_machine=rs6000-ibm ;; @@ -978,13 +1078,16 @@ we32k) basic_machine=we32k-att ;; - sh3 | sh4 | sh3eb | sh4eb) + sh3 | sh4 | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; - sparc | sparcv9 | sparcv9b) + sh64) + basic_machine=sh64-unknown + ;; + sparc | sparcv8 | sparcv9 | sparcv9b) basic_machine=sparc-sun ;; - cydra) + cydra) basic_machine=cydra-cydrome ;; orion) @@ -999,10 +1102,6 @@ pmac | pmac-mpw) basic_machine=powerpc-apple ;; - c4x*) - basic_machine=c4x-none - os=-coff - ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; @@ -1058,17 +1157,20 @@ | -aos* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \ - | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ + | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* | -openbsd* \ + | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ + | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \ - | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \ + | -mingw32* | -linux-gnu* | -linux-uclibc* | -uxpv* | -beos* | -mpeix* | -udk* \ + | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos*) + | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ + | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ + | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly*) # Remember, each alternative MUST END IN *, to match a version number. ;; -qnx*) @@ -1080,8 +1182,10 @@ ;; esac ;; + -nto-qnx*) + ;; -nto*) - os=-nto-qnx + os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \ @@ -1090,6 +1194,9 @@ -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; + -linux-dietlibc) + os=-linux-dietlibc + ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; @@ -1102,6 +1209,9 @@ -opened*) os=-openedition ;; + -os400*) + os=-os400 + ;; -wince*) os=-wince ;; @@ -1120,14 +1230,23 @@ -acis*) os=-aos ;; + -atheos*) + os=-atheos + ;; + -syllable*) + os=-syllable + ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; + -nova*) + os=-rtmk-nova + ;; -ns2 ) - os=-nextstep2 + os=-nextstep2 ;; -nsk*) os=-nsk @@ -1139,6 +1258,9 @@ -sinix*) os=-sysv4 ;; + -tpf*) + os=-tpf + ;; -triton*) os=-sysv3 ;; @@ -1166,8 +1288,14 @@ -xenix) os=-xenix ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + os=-mint + ;; + -aros*) + os=-aros + ;; + -kaos*) + os=-kaos ;; -none) ;; @@ -1200,10 +1328,14 @@ arm*-semi) os=-aout ;; + c4x-* | tic4x-*) + os=-coff + ;; + # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; - pdp11-*) + pdp11-*) os=-none ;; *-dec | vax-*) @@ -1230,6 +1362,9 @@ mips*-*) os=-elf ;; + or32-*) + os=-coff + ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; @@ -1242,6 +1377,9 @@ *-ibm) os=-aix ;; + *-knuth) + os=-mmixware + ;; *-wec) os=-proelf ;; @@ -1293,19 +1431,19 @@ *-next) os=-nextstep3 ;; - *-gould) + *-gould) os=-sysv ;; - *-highlevel) + *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; - *-sgi) + *-sgi) os=-irix ;; - *-siemens) + *-siemens) os=-sysv4 ;; *-masscomp) @@ -1374,10 +1512,16 @@ -mvs* | -opened*) vendor=ibm ;; + -os400*) + vendor=ibm + ;; -ptx*) vendor=sequent ;; - -vxsim* | -vxworks*) + -tpf*) + vendor=ibm + ;; + -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) --- bind9-9.9.3.dfsg.P2.orig/debian/README.Debian +++ bind9-9.9.3.dfsg.P2/debian/README.Debian @@ -0,0 +1,178 @@ +DNSSEC validation turned on by default as of BIND 9.8.1 +------------------------------------------------------- +As of version 9.8.1.dfsg-1, BIND ships with DNSSEC validation turned on +by default. As the keys get changed over time, this means that a fresh +install of BIND will require that the admin manually upgrade bind.keys +to account for the change, before BIND will be able to resolve hosts in +DNSSEC validated zones. + + +Upgrading from BIND 8.X: +----------------------- + +If you are upgrading an authoritative server from BIND 8.X, please install +the bind9-doc package and read /usr/share/doc/bind9-doc/misc/migration.gz, +which contains a set of notes from the BIND maintainers on what changed +that is likely to need your attention during an upgrade. + + +Upgrading from earlier bind9 packages: +------------------------------------- + +If you installed an early version of the Debian bind9 packages, prior to +version 1:9.2.0-2 to be more precise, you may have an /etc/bind/rndc.conf +configuration file still on your system. There's nothing wrong with that, +and if you've explicitly configured keys for using rndc you may well want to +leave things exactly as they are! + +However, since 9.2.0 BIND 9.X has supported an rndc.key file that both named +and rndc will read to obtain a shared key for rndc use against a daemon on +the same host. The rndc-confgen program will easily create a suitable key +file. To take advantage of this mechanism, you may want to: + + remove the /etc/bind/rndc.conf file + remove the rndc key specification in the /etc/bind/named.conf file + + rndc-confgen -r /dev/urandom -a + +Alternatively, you can 'purge' the bind9 packages and reinstall them and you +will end up with the new behavior since it is now the default. + +This is more secure than using a static key that isn't generated on a per-host +basis, and is an easy alternative to more complex key schemes if you only need +to use rndc to talk to named on the same host. + + +Known Issues: +------------ + +I've had a report that lwresd, at least, fails to work with some recent 2.5 +kernels. If you see something in your logs like + + loading configuration from '/etc/bind/lwresd.conf' + none:0: open: /etc/bind/lwresd.conf: permission denied + +Try rebuilding with --disable-linux-caps added to the configure call in the +rules file. I'm hoping this is a temporary problem in the 2.5 kernel series, +but we'll see. + + +Configuration Schema: +-------------------- + +The Debian BIND package ships with a config that will work for the majority +of leaf servers with no user input required. + +The named configuration file named.conf is located in /etc/bind, so that all +static configuration files relating to bind are in one place. If you really +really don't want named.conf in /etc/bind, then the best way to handle it is +probably to replace /etc/bind/named.conf with a symlink to the location you +want to use. You could also use an option to named in the init.d script, +but that only works for named, not for things like ndc. + +Zone data files for the root servers, and the forward and reverse localhost +zones are also provided in /etc/bind. + +The working directory for named is now /var/cache/bind. Thus, any transient +files generated by named, such as database files for zones the daemon is +secondary for, will be written to the /var filesystem, where they belong. + +To make this work, the named.conf provided uses explicitly fully-qualified +pathnames to reference the files in /etc/bind. + +Unlike previous BIND packages for Debian, the named.conf and provided db.* +files are tagged as conffiles. Thus, if you just want a "caching mostly" +server configuration for a server that does not need to be authoritative for +anything else, you can run the provided configuration as-is. If you want to +hack on named.conf, or even the init.d fragment, you can feel free to. Future +package upgrades will treat your configuration changes sanely, as all Debian +packages should. + +While you are free to craft whatever structure you wish for servers which need +to be authoritative for additional zones, what we suggest is that you put the +db files for any zones you are master for in /etc/bind (perhaps even in a +subdirectory structure depending on complexity), using full pathnames in the +named.conf file. Any zones you are secondary for should be configured in +named.conf with simple filenames (relative to /var/cache/bind), so the data +files will be stored in BIND's working directory (defaults to /var/cache/bind). +Zones subject to automatic updates (such as via DHCP and/or nsupdate) should be +stored in /var/lib/bind, and specified with full pathnames. + + +Running Chroot'ed: +----------------- + +Several users have asked for Debian BIND to run in a "chroot jail". There are +various issues associated with making this the default configuration for the +package in Debian. In the meantime, reasonable instructions on how to do +this yourself are available on the web from: + + http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO.html + + +Running Non-Root: +----------------- + +Recent versions of named can be invoked with options that specify a non-root +user and/or group for named. Read the named man page for more information. +Note that when running named as a user other than root, it will not be able +to find new interfaces that appear dynamically, such as during a PCMCIA card +insertion, or if you're running some flavors of IPSEC and/or IP over IP +tunnels. If you cannot live with those limitations, feel free to edit the +/etc/init.d/bind9 script to change the invocation of named. + +The default is now to run as the user 'bind' (which is automatically created +in the group 'bind', if it doesn't exist), unless named.conf has been changed. +To change this, edit /etc/default/bind9 + +Please note that 'ndc restart' doesn't honor all the original command line +options to named, so we explicitly don't use it in the init.d script provided +with the package, and you should be careful about using it if you decide to +run named non-root. + + +PPP Control Script: +----------------- + +Unfortunately, 'ndc reload' will not honor any command line options that were +fed to named on the initial invocation. If you can live with that, and +want to wiggle your DNS configuration when your PPP link goes up or down, the +following script fragment from Francesco Potorti` may be helpful +to you: + + I suggest adding this as bot /etc/ppp/ip-up.d/bind and + /etc/ppp/ip-down.d/bind: + + ================================================================ + #!/bin/sh + if [ -x /usr/sbin/ndc -a -x /usr/sbin/named ] + then + /usr/sbin/ndc reload > /dev/null + fi + ================================================================ + + This should cause no harm in any case, and should be helpful in these + cases: + - you configure bind as a forwarder. When ppp is down, it cannot access + the network. As soon as ppp is up, it is forced by the script to try + again, and it succeeds. + - someone writes a clever script that, coupled with the `usepeerdns' + command of pppd, makes a forwarding-only bind use the right servers by + rewriting the configuration file after ppp goes up. Then the script + above makes bind reload the configuration. + + Now, someone should write that clever script :-) + + By the way, this is a badly wanted feature, that should help setting up + a ppp connection automatically. Currently, setting up a ppp connection + is much easier on a windows system than on linux, and there is really no + reason why it should be so, given that all the tools are there. + + +Apparmor Profile +---------------- +If your system uses apparmor, please note that the shipped enforcing profile +works with the default installation, and changes in your configuration may +require changes to the installed apparmor profile. Please see +https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this +software. --- bind9-9.9.3.dfsg.P2.orig/debian/apparmor-profile +++ bind9-9.9.3.dfsg.P2/debian/apparmor-profile @@ -0,0 +1,53 @@ +# vim:syntax=apparmor +# Last Modified: Fri Jun 1 16:43:22 2007 +#include + +/usr/sbin/named { + #include + #include + + capability net_bind_service, + capability setgid, + capability setuid, + capability sys_chroot, + capability sys_resource, + + # /etc/bind should be read-only for bind + # /var/lib/bind is for dynamically updated zone (and journal) files. + # /var/cache/bind is for slave/stub data, since we're not the origin of it. + # See /usr/share/doc/bind9/README.Debian.gz + /etc/bind/** r, + /var/lib/bind/** rw, + /var/lib/bind/ rw, + /var/cache/bind/** lrw, + /var/cache/bind/ rw, + + # gssapi + /etc/krb5.keytab kr, + /etc/bind/krb5.keytab kr, + + # ssl + /etc/ssl/openssl.cnf r, + + # GeoIP data files for GeoIP ACLs + /usr/share/GeoIP/** r, + + # dnscvsutil package + /var/lib/dnscvsutil/compiled/** rw, + + /proc/net/if_inet6 r, + /proc/*/net/if_inet6 r, + /usr/sbin/named mr, + /{,var/}run/named/named.pid w, + /{,var/}run/named/session.key w, + # support for resolvconf + /{,var/}run/named/named.options r, + + # some people like to put logs in /var/log/named/ instead of having + # syslog do the heavy lifting. + /var/log/named/** rw, + /var/log/named/ rw, + + # Site-specific additions and overrides. See local/README for details. + #include +} --- bind9-9.9.3.dfsg.P2.orig/debian/apparmor-profile.local +++ bind9-9.9.3.dfsg.P2/debian/apparmor-profile.local @@ -0,0 +1,2 @@ +# Site-specific additions and overrides for usr.sbin.named. +# For more details, please see /etc/apparmor.d/local/README. --- bind9-9.9.3.dfsg.P2.orig/debian/bind9-doc.dirs +++ bind9-9.9.3.dfsg.P2/debian/bind9-doc.dirs @@ -0,0 +1 @@ +usr/share/doc/bind9-doc/arm --- bind9-9.9.3.dfsg.P2.orig/debian/bind9-doc.docs +++ bind9-9.9.3.dfsg.P2/debian/bind9-doc.docs @@ -0,0 +1 @@ +doc/misc --- bind9-9.9.3.dfsg.P2.orig/debian/bind9-host.dirs +++ bind9-9.9.3.dfsg.P2/debian/bind9-host.dirs @@ -0,0 +1,2 @@ +usr/bin +usr/share/man/man1 --- bind9-9.9.3.dfsg.P2.orig/debian/bind9-host.install +++ bind9-9.9.3.dfsg.P2/debian/bind9-host.install @@ -0,0 +1,2 @@ +usr/bin/host +usr/share/man/man1/host.1* --- bind9-9.9.3.dfsg.P2.orig/debian/bind9-resolvconf.service +++ bind9-9.9.3.dfsg.P2/debian/bind9-resolvconf.service @@ -0,0 +1,13 @@ +[Unit] +Description=local BIND via resolvconf +Documentation=man:named(8) man:resolvconf(8) +Requires=bind9.service +After=bind9.service +ConditionFileIsExecutable=/sbin/resolvconf + +[Service] +ExecStart=/bin/sh -c 'echo nameserver 127.0.0.1 | /sbin/resolvconf -a lo.named' +ExecStop=/sbin/resolvconf -d lo.named + +[Install] +WantedBy=bind9.service --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.NEWS +++ bind9-9.9.3.dfsg.P2/debian/bind9.NEWS @@ -0,0 +1,14 @@ +bind9 (1:9.4.0-1) experimental; urgency=low + + As of bind 9.4, allow-query-cache and allow-recursion default to the + builtin acls 'localnets' and 'localhost'. If you are setting up a + name server for a network, you will almost certainly need to change + this. + + The change in default has been done to make caching servers less + attractive as reflective amplifying targets for spoofed traffic. + This still leaves authoritative servers exposed. + + The best fix is for full BCP 38 deployment to remove spoofed traffic. + + -- LaMont Jones Wed, 03 Oct 2007 00:52:44 -0600 --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.apport +++ bind9-9.9.3.dfsg.P2/debian/bind9.apport @@ -0,0 +1,36 @@ +#!/usr/bin/python + +'''apport hook for bind9 + +(c) 2010 Andres Rodriguez. +Author: Andres Rodriguez + +This program is free software; you can redistribute it and/or modify it +under the terms of the GNU General Public License as published by the +Free Software Foundation; either version 2 of the License, or (at your +option) any later version. See http://www.gnu.org/copyleft/gpl.html for +the full text of the license. +''' + +from apport.hookutils import * +import re + +def add_info(report, ui): + response = ui.yesno("The contents of your /etc/bind/named.conf file " + "may help developers diagnose your bug more " + "quickly. However, it may contain sensitive " + "information. Do you want to include it in your " + "bug report?") + + if response == None: # user cancelled + raise StopIteration + elif response == True: + attach_conffiles(report,'bind9') + + # getting syslog stuff + report['SyslogBind9'] = recent_syslog(re.compile(r'named\[')) + + # Attaching related packages info + attach_related_packages(report, ['bind9utils', 'apparmor']) + + attach_mac_events(report, '/usr/sbin/named') --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.config +++ bind9-9.9.3.dfsg.P2/debian/bind9.config @@ -0,0 +1,14 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +db_input low bind9/start-as-user || true +db_go + +db_input low bind9/different-configuration-file || true +db_go + +db_input low bind9/run-resolvconf || true +db_go --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.dirs +++ bind9-9.9.3.dfsg.P2/debian/bind9.dirs @@ -0,0 +1,13 @@ +etc/ufw/applications.d +etc/apparmor.d/force-complain +etc/apparmor.d/local +etc/bind +usr/bin +usr/sbin +var/cache/bind +var/run/named +usr/share/bind9 +etc/ppp/ip-up.d +etc/ppp/ip-down.d +etc/network/if-up.d +etc/network/if-down.d --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.docs +++ bind9-9.9.3.dfsg.P2/debian/bind9.docs @@ -0,0 +1,2 @@ +FAQ +README --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.init +++ bind9-9.9.3.dfsg.P2/debian/bind9.init @@ -0,0 +1,145 @@ +#!/bin/sh -e + +### BEGIN INIT INFO +# Provides: bind9 +# Required-Start: $remote_fs +# Required-Stop: $remote_fs +# Should-Start: $network $syslog +# Should-Stop: $network $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start and stop bind9 +# Description: bind9 is a Domain Name Server (DNS) +# which translates ip addresses to and from internet names +### END INIT INFO + +PATH=/sbin:/bin:/usr/sbin:/usr/bin + +# for a chrooted server: "-u bind -t /var/lib/named" +# Don't modify this line, change or create /etc/default/bind9. +OPTIONS="" +RESOLVCONF=no + +test -f /etc/default/bind9 && . /etc/default/bind9 + +test -x /usr/sbin/rndc || exit 0 + +. /lib/lsb/init-functions +PIDFILE=/var/run/named/named.pid + +check_network() { + if [ -x /usr/bin/uname ] && [ "X$(/usr/bin/uname -o)" = XSolaris ]; then + IFCONFIG_OPTS="-au" + else + IFCONFIG_OPTS="" + fi + if [ -z "$(/sbin/ifconfig $IFCONFIG_OPTS)" ]; then + #log_action_msg "No networks configured." + return 1 + fi + return 0 +} + +case "$1" in + start) + log_daemon_msg "Starting domain name service..." "bind9" + + modprobe capability >/dev/null 2>&1 || true + + # dirs under /var/run can go away on reboots. + mkdir -p /var/run/named + chmod 775 /var/run/named + chown root:bind /var/run/named >/dev/null 2>&1 || true + + if [ ! -x /usr/sbin/named ]; then + log_action_msg "named binary missing - not starting" + log_end_msg 1 + fi + + if ! check_network; then + log_action_msg "no networks configured" + log_end_msg 1 + fi + + if start-stop-daemon --start --oknodo --quiet --exec /usr/sbin/named \ + --pidfile ${PIDFILE} -- $OPTIONS; then + if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then + echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.named + fi + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + + stop) + log_daemon_msg "Stopping domain name service..." "bind9" + if ! check_network; then + log_action_msg "no networks configured" + log_end_msg 1 + fi + + if [ "X$RESOLVCONF" != "Xno" ] && [ -x /sbin/resolvconf ] ; then + /sbin/resolvconf -d lo.named + fi + pid=$(/usr/sbin/rndc stop -p | awk '/^pid:/ {print $2}') || true + if [ -z "$pid" ]; then # no pid found, so either not running, or error + pid=$(pgrep -f ^/usr/sbin/named) || true + start-stop-daemon --stop --oknodo --quiet --exec /usr/sbin/named \ + --pidfile ${PIDFILE} -- $OPTIONS + fi + if [ -n "$pid" ]; then + sig=0 + n=1 + while kill -$sig $pid 2>/dev/null; do + if [ $n -eq 1 ]; then + echo "waiting for pid $pid to die" + fi + if [ $n -eq 11 ]; then + echo "giving up on pid $pid with kill -0; trying -9" + sig=9 + fi + if [ $n -gt 20 ]; then + echo "giving up on pid $pid" + break + fi + n=$(($n+1)) + sleep 1 + done + fi + log_end_msg 0 + ;; + + reload|force-reload) + log_daemon_msg "Reloading domain name service..." "bind9" + if ! check_network; then + log_action_msg "no networks configured" + log_end_msg 1 + fi + + /usr/sbin/rndc reload >/dev/null && log_end_msg 0 || log_end_msg 1 + ;; + + restart) + if ! check_network; then + log_action_msg "no networks configured" + exit 1 + fi + + $0 stop + $0 start + ;; + + status) + ret=0 + status_of_proc -p ${PIDFILE} /usr/sbin/named bind9 2>/dev/null || ret=$? + exit $ret + ;; + + *) + log_action_msg "Usage: /etc/init.d/bind9 {start|stop|reload|restart|force-reload|status}" + exit 1 + ;; +esac + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.postinst +++ bind9-9.9.3.dfsg.P2/debian/bind9.postinst @@ -0,0 +1,169 @@ +#!/bin/sh + +set -e + +. /usr/share/debconf/confmodule + +if [ "$1" = configure ]; then + lastversion="$2"; + + # lets give them a bind user/group in all cases. + getent group bind >/dev/null 2>&1 || addgroup --system bind + getent passwd bind >/dev/null 2>&1 || + adduser --system --home /var/cache/bind --no-create-home \ + --disabled-password --ingroup bind bind + + if [ -z "$lastversion" ] || dpkg --compare-versions "$lastversion" lt 1:9.4.2-2 ; then + mkdir -p /var/lib/bind + chown root:bind /var/lib/bind + chmod 775 /var/lib/bind + fi + + if [ ! -s /etc/bind/rndc.key ] && [ ! -s /etc/bind/rndc.conf ]; then + rndc-confgen -r /dev/urandom -a + fi + + # no sumfile means you get the default + [ -f /var/lib/bind/bind9-default.md5sum ] || + echo "2cfcfb7bf1b99c7930fd475907e38be7 /etc/default/bind9" > /var/lib/bind/bind9-default.md5sum + + if [ -f /etc/default/bind9 ] && \ + [ "$(cat /var/lib/bind/bind9-default.md5sum)" = "$(md5sum /etc/default/bind9)" ]; then + config="/etc/default/bind9" + elif [ ! -e /etc/default/bind9 ]; then + config="/etc/default/bind9" + else + config="/etc/default/bind9.dpkg-dist" + fi + + + # On a fresh install, or if we are upgrading from pre-9.8, think about dnssec + if [ -z "$lastversion" ] || dpkg --compare-versions "$lastversion" lt 1:9.8.1.dfsg-1 ; then + UPDATE_OPTS="n" + if [ -f /etc/bind/named.conf.options ]; then + case $(md5sum /etc/bind/named.conf.options | sed 's/ .*$//') in + d6b678ac90fd6ab163d74dfe5d68c2c9) UPDATE_OPTS=y;; # 9.4.2ish + 0367900f381d5c83cf34009440f3d211) UPDATE_OPTS=y;; # 9.6 and later + 56919cbc0d819c9a303a8bdeb306b5f1) UPDATE_OPTS=ok;; # 9.8 + esac + case $UPDATE_OPTS in + y) + echo Updating named.conf.options to include DNSSEC enablement + cp /usr/share/bind9/named.conf.options /etc/bind/named.conf.options + chmod 644 /etc/bind/named.conf.options + ;; + n) + echo NOT updating named.conf.options to include DNSSEC enablement + ;; + esac + else + cp /usr/share/bind9/named.conf.options /etc/bind/named.conf.options + chmod 644 /etc/bind/named.conf.options + fi + fi + + localconf="" + if [ ! -f $config ]; then + CONF=/etc/bind/named.conf + for file in ${CONF} ${CONF}.local ${CONF}.default-zones; do + if [ -f ${file} ]; then + theirs=$(md5sum $file | sed 's/ .*$//') + mine=$(dpkg --status bind9 | grep "^ $file " | sed -n 's/.* //p') + if [ "$mine" != "$theirs" ]; then + localconf="y" + fi + else + localconf="y" + fi + done + if [ -n "$localconf" ]; then + db_reset bind9/start-as-user + else + db_set bind9/start-as-user bind || true + fi + + echo '#' + echo '# run resolvconf?' >> $config + db_get bind9/run-resolvconf + if [ ! -z "$RET" ] && [ "$RET" = "true" ]; then + echo "RESOLVCONF=yes" >> $config + else + echo "RESOLVCONF=no" >> $config + fi + + db_get bind9/start-as-user + USER=$RET + db_get bind9/different-configuration-file + CONFFILE=$RET + + echo '' >> $config + echo '# startup options for the server' >> $config + if [ ! -z "$USER" ] && [ ! -z "$CONFFILE" ]; then + echo "OPTIONS=\"-u $USER -c $CONFFILE\"" >> $config + elif [ ! -z "$USER" ]; then + echo "OPTIONS=\"-u $USER\"" >> $config + elif [ ! -z "$CONFFILE" ]; then + echo "OPTIONS=\"-c $CONFFILE\"" >> $config + else + echo "OPTIONS=\"\"" >> $config + fi + else + db_get bind9/run-resolvconf + if [ ! -z "$RET" ] && [ "$RET" = "true" ]; then + sed -e "s#^\([[:space:]]*\)\(RESOLVCONF=[[:space:]]*\)[^ ]*#\1\2yes#g" -i $config + else + sed -e "s#^\([[:space:]]*\)\(RESOLVCONF=[[:space:]]*\)[^ ]*#\1\2no#g" -i $config + fi + db_get bind9/start-as-user + if [ ! -z "$RET" ]; then + if [ ! -z "`grep OPTIONS $config`" ]; then + if [ ! -z "`grep OPTIONS $config | grep '\-u'`" ]; then + sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)-u[[:space:]]*[^\" ]*\([^\"]*\)\"#\1=\"\2-u $RET\3\"#g" -i $config + else + sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)\"#\1=\"\2 -u $RET\"#g" -i $config + fi + else + echo "OPTIONS=\"-u $RET\"" + fi + fi + db_get bind9/different-configuration-file + if [ ! -z "$RET" ]; then + if [ ! -z "`grep OPTIONS $config | grep '\-c'`" ]; then + sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)-c[[:space:]]*[^\" ]*\([^\"]*\)\"#\1=\"\2-c $RET\3\"#g" -i $config + else + sed -e "s#\([[:space:]]*OPTIONS[[:space:]]*\)=\"\([^\"]*\)\"#\1=\"\2 -c $RET\"#g" -i $config + fi + fi + fi + + if [ "$config" = "/etc/default/bind9" ]; then + md5sum /etc/default/bind9 > /var/lib/bind/bind9-default.md5sum + fi + + uid=$(ls -ln /etc/bind/rndc.key | awk '{print $3}') + if [ "$uid" = "0" ]; then + [ -n "$localconf" ] || chown bind /etc/bind/rndc.key + chgrp bind /etc/bind + chmod g+s /etc/bind + chgrp bind /etc/bind/rndc.key /var/cache/bind + chgrp bind /etc/bind/named.conf* || true + chmod g+r /etc/bind/rndc.key /etc/bind/named.conf* || true + chmod g+rwx /var/cache/bind + fi + + # Reload AppArmor profile + APP_PROFILE="/etc/apparmor.d/usr.sbin.named" + if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then + apparmor_parser -r "$APP_PROFILE" || true + fi + + if pidof /usr/sbin/named >/dev/null 2>&1; then + invoke-rc.d bind9 restart + else + invoke-rc.d bind9 start + fi +fi + +db_stop + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.postrm +++ bind9-9.9.3.dfsg.P2/debian/bind9.postrm @@ -0,0 +1,16 @@ +#!/bin/sh + +#DEBHELPER# + +if [ "$1" = "purge" ]; then + rm -f /etc/bind/rndc.key /etc/bind/named.conf.options /etc/default/bind9 + rmdir /etc/bind >/dev/null 2>&1 || true + rm -f /etc/apparmor.d/force-complain/usr.sbin.named >/dev/null 2>&1 || true + rm -f /var/lib/bind/bind9-default.md5sum + rmdir /var/lib/bind + # delete bind daemon user, if it exists + if getent passwd bind > /dev/null ; then + echo "Deleting bind user" + deluser --quiet bind > /dev/null || true + fi +fi --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.preinst +++ bind9-9.9.3.dfsg.P2/debian/bind9.preinst @@ -0,0 +1,44 @@ +#!/bin/sh +# pre install script for the Debian bind9 package + +set -e + +# Check if we are upgrading while running a kernel before 2.2.18. If so abort +# immediately since we don't support those kernels anymore. +if [ "$1" = "upgrade" ] && dpkg --compare-versions "`uname -r`" lt 2.2.18 ; then + cat </dev/null || true + if dpkg --compare-versions $2 lt 1:9.3.4-2ubuntu2 ; then + # force-complain for pre-apparmor upgrades + ln -sf $APP_CONFFILE $APP_COMPLAIN + elif dpkg --compare-versions $2 lt 1:9.4.2-3ubuntu1 ; then + if [ -e "$APP_CONFFILE" ]; then + md5sum="`md5sum \"$APP_CONFFILE\" | sed -e \"s/ .*//\"`" + pkg_md5sum="`sed -n -e \"/^Conffiles:/,/^[^ ]/{\\\\' $APP_CONFFILE'{s/.* //;p}}\" /var/lib/dpkg/status`" + if [ "$md5sum" = "$pkg_md5sum" ]; then + # force-complain when upgrade from pre-shipped profile and an existing + # profile is same as in conffiles + ln -sf $APP_CONFFILE $APP_COMPLAIN + fi + else + # force-complain on upgrade from pre-shipped profile and + # there is no existing profile + ln -sf $APP_CONFFILE $APP_COMPLAIN + fi + fi +fi + + +#DEBHELPER# +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.prerm +++ bind9-9.9.3.dfsg.P2/debian/bind9.prerm @@ -0,0 +1,30 @@ +#!/bin/sh +set -e + +case "$1" in + remove) + # if bind is running, stop it before removing + if pidof named >/dev/null 2>&1; then + # test if invoke-rc.d command is present on this system + if command -v invoke-rc.d >/dev/null 2>&1; then + invoke-rc.d bind9 stop + # if really not, use initscript + else + /etc/init.d/bind9 stop + fi + fi + ;; + + upgrade) + # leave bind running during the upgrade + ;; + + *) + echo "prerm called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.service +++ bind9-9.9.3.dfsg.P2/debian/bind9.service @@ -0,0 +1,12 @@ +[Unit] +Description=BIND Domain Name Server +Documentation=man:named(8) +After=network.target + +[Service] +ExecStart=/usr/sbin/named -f -u bind +ExecReload=/usr/sbin/rndc reload +ExecStop=/usr/sbin/rndc stop + +[Install] +WantedBy=multi-user.target --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.tmpfile +++ bind9-9.9.3.dfsg.P2/debian/bind9.tmpfile @@ -0,0 +1 @@ +d /run/named 0775 root bind - - --- bind9-9.9.3.dfsg.P2.orig/debian/bind9.ufw.profile +++ bind9-9.9.3.dfsg.P2/debian/bind9.ufw.profile @@ -0,0 +1,5 @@ +[Bind9] +title=Internet Domain Name Server +description=The Berkeley Internet Name Domain (BIND) implements an Internet domain name server. +ports=53 + --- bind9-9.9.3.dfsg.P2.orig/debian/bind9utils.dirs +++ bind9-9.9.3.dfsg.P2/debian/bind9utils.dirs @@ -0,0 +1,3 @@ +usr +usr/sbin +usr/share/man/man8 --- bind9-9.9.3.dfsg.P2.orig/debian/bind9utils.install +++ bind9-9.9.3.dfsg.P2/debian/bind9utils.install @@ -0,0 +1,24 @@ +usr/sbin/dnssec-checkds +usr/sbin/dnssec-dsfromkey +usr/sbin/dnssec-keyfromlabel +usr/sbin/dnssec-keygen +usr/sbin/dnssec-revoke +usr/sbin/dnssec-settime +usr/sbin/dnssec-signzone +usr/sbin/dnssec-verify +usr/sbin/named-checkconf +usr/sbin/named-checkzone +usr/sbin/named-compilezone +usr/sbin/rndc +usr/sbin/rndc-confgen +usr/share/man/man8/dnssec-dsfromkey.8 +usr/share/man/man8/dnssec-keyfromlabel.8 +usr/share/man/man8/dnssec-keygen.8 +usr/share/man/man8/dnssec-revoke.8 +usr/share/man/man8/dnssec-settime.8 +usr/share/man/man8/dnssec-signzone.8 +usr/share/man/man8/named-checkconf.8 +usr/share/man/man8/named-checkzone.8 +usr/share/man/man8/named-compilezone.8 +usr/share/man/man8/rndc-confgen.8 +usr/share/man/man8/rndc.8 --- bind9-9.9.3.dfsg.P2.orig/debian/changelog +++ bind9-9.9.3.dfsg.P2/debian/changelog @@ -0,0 +1,2013 @@ +bind9 (1:9.9.3.dfsg.P2-4ubuntu2) trusty; urgency=medium + + * Use dh-autoreconf to update libtool and configure for new ports. + + -- Adam Conrad Wed, 18 Dec 2013 04:42:22 -0700 + +bind9 (1:9.9.3.dfsg.P2-4ubuntu1) saucy; urgency=low + + * Use dh_autotools-dev to update config.{sub,guess} for new ports. + + -- Adam Conrad Mon, 07 Oct 2013 23:09:45 -0600 + +bind9 (1:9.9.3.dfsg.P2-4) unstable; urgency=low + + [Peter Marschall] + + * If rndc.conf exists, skip creation of rndc.key. Closes: #620394 + + [Al Tarakanoff] + + * properly quote check of pid in bind9 init.d. LP: #1092243 + + [LaMont Jones] + + * include distro and package version in version string + * apparmor: allow GeoIP data file access. LP: #834901 + * enable filter-aaaa. Closes: #701704 LP: #1115168 + + -- LaMont Jones Thu, 29 Aug 2013 16:22:29 -0600 + +bind9 (1:9.9.3.dfsg.P2-3) unstable; urgency=low + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + [LaMont Jones] + + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build. Closes: #713025 + * deliver rrl.h and stat.h Closes: #692483, #720813 + + -- LaMont Jones Tue, 27 Aug 2013 10:06:37 -0600 + +bind9 (1:9.9.3.dfsg.P2-2build1) saucy; urgency=low + + [Marc Deslauriers] + + * 9.9.2.dfsg.P1-2ubuntu1: fixed in 9.9.3b1 + * 9.9.2.dfsg.P1-2ubuntu3: fixed in 9.9.3-P2 + + [Robie Basak] + + * 9.9.2.dfsg.P1-2ubuntu2: fixed in 9.9.3b1 + + [LaMont Jones] + + * Merge ubuntu changes, except: autoconf files are generated as part + of the source packagee creation, not on the build host. NAK + * deliver more dnssec-* tools in bind9utils. Closes: #713026 + * support parallel=N DEB_BUILD_OPTIONS, fix -j build + + [Michael Stapelberg] + + * add systemd service file. Closes: #718212 + + -- LaMont Jones Thu, 22 Aug 2013 10:57:17 -0600 + +bind9 (1:9.9.3.dfsg.P2-2) unstable; urgency=low + + * ack NMUs of 9.8.4 + - upstream 9.9.3-P2 fixes: CVE-2013-4854, CVE-2012-5689, + CVE-2013-2266 + - deliver rrl.h + + [LaMont Jones] + + * Use ISC's bin/tests + * Diff cleanup and rationalization to 9.9.3 upstream + + -- LaMont Jones Sat, 17 Aug 2013 07:09:54 -0600 + +bind9 (1:9.9.3.dfsg.P2-1) unstable; urgency=low + + + [Internet Software Consortium, Inc] + + * 9.9.3-P2 + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + [LaMont Jones] + + * soname changes + + [Paul Vixie] + + * Reapply rpz/rrl patches from http://www.redbarn.org/dns/ratelimits + + -- LaMont Jones Wed, 14 Aug 2013 10:38:59 -0600 + +bind9 (1:9.9.2.dfsg.P1-3) experimental; urgency=low + + [LaMont Jones] + + * Merge 1:9.8.4.dfsg.P1-6 + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + -- LaMont Jones Mon, 04 Mar 2013 09:30:50 -0700 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu3) saucy; urgency=low + + * SECURITY UPDATE: denial of service via incorrect bounds checking on + private type 'keydata' + - lib/dns/rdata/generic/keydata_65533.c: check for correct length. + - Patch backported from 9.9.3-P2 + - CVE-2013-4854 + + -- Marc Deslauriers Sun, 28 Jul 2013 10:13:06 -0400 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu2) raring; urgency=low + + * configure.in: detect libxml 2.9 as well as 2.[678] (LP: #1164475). + * debian/control: add Build-Depends on dh-autoreconf. + * debian/rules: use dh_autoreconf and dh_autoreconf_clean. + + -- Robie Basak Wed, 10 Apr 2013 16:50:28 +0000 + +bind9 (1:9.9.2.dfsg.P1-2ubuntu1) raring; urgency=low + + * SECURITY UPDATE: denial of service via regex syntax checking + - configure,configure.in,config.h.in: remove check for regex.h to + disable regex syntax checking. + - CVE-2013-2266 + + -- Marc Deslauriers Thu, 28 Mar 2013 15:04:57 -0400 + +bind9 (1:9.9.2.dfsg.P1-2) experimental; urgency=low + + [Michael Gilbert] + + * Use /var/lib/bind for state file. Closes: #689332 + + [LaMont Jones] + + * zone transfers now involve link(), update the apparmor profile + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + * re-drop dlzexternal test + * Reduce log level for "sucessfully validated after lower casing" dnssec + based on mail from Mark Andrews. Closes: #697681 + * remove /var/lib/bind/bind9-default.md5sum in postrm + * remove /etc/bind/named.conf.options on purge. Closes: #668801 + + [Sebastian Wiesinger] + + * Build and deliver dnssec-checkds and dnssec-verify in bind9utils + + -- LaMont Jones Wed, 09 Jan 2013 10:09:40 -0700 + +bind9 (1:9.8.4.dfsg.P1-6+nmu3) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * CVE-2013-4854: A specially crafted query that includes malformed rdata can + cause named to terminate with an assertion failure while rejecting the + malformed query. (Closes: #717936). + + -- Salvatore Bonaccorso Sat, 27 Jul 2013 10:24:07 +0200 + +bind9 (1:9.8.4.dfsg.P1-6+nmu2) unstable; urgency=medium + + * Non-maintainer upload. + * Install /usr/include/dns/rrl.h (closes: #699834). + + -- Michael Gilbert Tue, 16 Apr 2013 01:59:05 +0000 + +bind9 (1:9.8.4.dfsg.P1-6+nmu1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix cve-2012-5689: issue in nameservers using DNS64 to perform a AAAA + lookup for a record with an A record overwrite rule in a Response Policy + Zone (closes: #699145). + * Fix cve-2013-2266: issues in regular expression handling (closes: #704174). + + -- Michael Gilbert Fri, 29 Mar 2013 00:47:25 +0000 + +bind9 (1:9.8.4.dfsg.P1-6) unstable; urgency=low + + [Ben Hutchings] + + * Initialise OpenSSL before calling chroot(). Closes: #696661 + + -- LaMont Jones Fri, 01 Mar 2013 08:23:27 -0700 + +bind9 (1:9.8.4.dfsg.P1-5) unstable; urgency=low + + [LaMont Jones] + + * Properly acknowledge 1:9.8.1.dfsg.P1-4.4: [Philipp Kern] + - Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing the patch. + + [Paul Vixie] + + * Include rpz/rrl patches from http://www.redbarn.org/dns/ratelimits. + Closes: #698641 + + -- LaMont Jones Wed, 30 Jan 2013 14:04:35 -0700 + +bind9 (1:9.8.4.dfsg.P1-4) unstable; urgency=high + + * The rest of the dnssec validation logspam removal. Closes: #697681 + + -- LaMont Jones Mon, 21 Jan 2013 13:18:53 -0700 + +bind9 (1:9.8.4.dfsg.P1-3) unstable; urgency=low + + [Marc Deslauriers] + + * debian/bind9.apport: Add AppArmor info and logs to apport hook. + + [LaMont Jones] + + * Reduce log level for "sucessfully validated after lower casing" dnssec + based on mail from Mark Andrews. Closes: #697681 + * remove /var/lib/bind/bind9-default.md5sum in postrm + * remove /etc/bind/named.conf.options on purge. Closes: #668801 + + -- LaMont Jones Wed, 09 Jan 2013 09:47:24 -0700 + +bind9 (1:9.9.2.dfsg.P1-1) experimental; urgency=low + + * Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + CVE-2012-5688 Closes: #695192 + + -- LaMont Jones Wed, 05 Dec 2012 05:27:18 -0700 + +bind9 (1:9.8.4.dfsg.P1-2) unstable; urgency=low + + [Michael Gilbert] + + * Use /var/lib/bind for state file. Closes: #689332 + + [LaMont Jones] + + * Re-enable dlopen, do not build the test that fails. Closes: #692416 + * Update db.root with new IP for D.root-servers.net. Closes: #697352 + + -- LaMont Jones Mon, 07 Jan 2013 06:50:25 -0700 + +bind9 (1:9.8.4.dfsg.P1-1) unstable; urgency=low + + * Named could die on specific queries with dns64 enabled. + [Addressed in change #3388 for BIND 9.8.5 and 9.9.3.] + CVE-2012-5688 Closes: #695192 + + -- LaMont Jones Wed, 05 Dec 2012 05:22:06 -0700 + +bind9 (1:9.9.2.dfsg-1) experimental; urgency=low + + [Matthew Grant] + + * Turn off dlopen as it was causing test compile failures. + * Add missing library .postrm files for debhelper + + [LaMont Jones] + + * New upstream version 9.9.2 + * soname fixes + + -- LaMont Jones Thu, 01 Nov 2012 08:59:57 -0600 + +bind9 (1:9.9.1.dfsg.P1-1) unstable; urgency=low + + [LaMont Jones] + + * New upstream 9.9.1-P1 + + -- LaMont Jones Wed, 13 Jun 2012 08:22:15 -0600 + +bind9 (1:9.9.0.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.9.0 release + + [Christoph Egger] + + * define _GNU_SOURCE on kfreebsd et al. Closes: #658201 + + [LaMont Jones] + + * chmod typo in postinst. LP: #980798 + * Correctly order debhelper bits in postrm. Closes: #661040 + + -- LaMont Jones Mon, 23 Apr 2012 09:52:51 -0600 + +bind9 (1:9.9.0.dfsg~rc4-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream release + + [LaMont Jones] + + * soname changes for new release + + -- LaMont Jones Fri, 17 Feb 2012 17:51:39 -0700 + +bind9 (1:9.8.4.dfsg-1ubuntu2) raring; urgency=low + + * SECURITY UPDATE: denial of service via DNS64 and crafted query + - bin/named/query.c: init rdataset before cleanup. + - Patch backported from 9.8.4-P1 + - CVE-2012-5688 + + -- Marc Deslauriers Wed, 05 Dec 2012 15:42:08 -0500 + +bind9 (1:9.8.4.dfsg-1ubuntu1) raring; urgency=low + + * Merge from Debian unstable. Remaining changes: + - debian/bind9.apport: Add AppArmor info and logs to apport hook. + + -- Marc Deslauriers Fri, 23 Nov 2012 08:13:50 -0500 + +bind9 (1:9.8.4.dfsg-1) unstable; urgency=low + + [Matthew Grant] + + * Turn off dlopen as it was causing test compile failures. + * Add missing library .postrm files for debhelper + + [LaMont Jones] + + * New upstream version + * soname fixup + * Ack NMUs + + -- LaMont Jones Mon, 29 Oct 2012 08:37:49 -0600 + +bind9 (1:9.8.1.dfsg.P1-4.4) testing-proposed-updates; urgency=low + + * Non-maintainer upload. + * Fix CVE-2012-4244. Thanks to Moritz Mühlenhoff for providing + the patch. + + -- Philipp Kern Sat, 03 Nov 2012 20:43:43 +0100 + +bind9 (1:9.8.1.dfsg.P1-4.3) unstable; urgency=medium + + [ Philipp Kern ] + * Non-maintainer upload. + + [ Marc Deslauriers ] + * SECURITY UPDATE: denial of service via specific combinations of RDATA + - bin/named/query.c: fix logic + - Patch backported from 9.8.3-P4 + - CVE-2012-5166 + + -- Philipp Kern Sun, 28 Oct 2012 20:28:11 +0100 + +bind9 (1:9.8.1.dfsg.P1-4.2) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * Fix denial of service vulnerability triggered + through an assert because of using bad cache + (CVE-2012-3817; Closes: #683259). + + -- Nico Golde Mon, 30 Jul 2012 20:56:10 +0200 + +bind9 (1:9.8.1.dfsg.P1-4.1) unstable; urgency=high + + * Non-maintainer upload by the Security Team. + * SECURITY UPDATE: ghost domain names attack + - lib/dns/rbtdb.c: Restrict the TTL of NS RRset to no more than that + of the old NS RRset when replacing it. + - Patch backported from 9.8.2. + - CVE-2012-1033 + * SECURITY UPDATE: denial of service via zero length rdata handling + - lib/dns/rdata.c,lib/dns/rdataslab.c: use sentinel pointer for + duplicate rdata. + - Patch backported from 9.8.3-P1. + - CVE-2012-1667 + + -- Luk Claes Wed, 20 Jun 2012 15:26:09 -0400 + +bind9 (1:9.8.1.dfsg.P1-4) unstable; urgency=low + + [Christoph Egger] + + * define _GNU_SOURCE on kfreebsd et al. Closes: #658201 + + [LaMont Jones] + + * chmod typo in postinst. LP: #980798 + * Correctly order debhelper bits in postrm. Closes: #661040 + + -- LaMont Jones Fri, 13 Apr 2012 12:09:24 -0600 + +bind9 (1:9.8.1.dfsg.P1-3) unstable; urgency=low + + [Zlatan Todoric] + + * fixed Serbian latin translation of debconf template. Closes: #634951 + + [Peter Eisentraut] + + * Add support for "status" action to lwresd init script. Closes: #651540 + + [Bjørn Steensrud] + + * NB Translations. Closes: #654454 + + [LaMont Jones] + + * Default to run_resolvconf=false. LP: #933723 + * Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202 + * Do not deliver /usr/share/bind9/bind9-default.md5sum in the bind9 deb. + Closes: #620007 LP: #681536 + * Deliver and use /etc/apparmor.d/local/usr.sbin.named for local overrides. + LP: #929563 + + -- LaMont Jones Fri, 17 Feb 2012 14:40:29 -0800 + +bind9 (1:9.8.1.dfsg.P1-2) unstable; urgency=low + + * Deliver named.conf.options on fresh install. Closes: #657042 LP: #920202 + + -- LaMont Jones Wed, 25 Jan 2012 03:55:21 -0700 + +bind9 (1:9.8.1.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.8.1-P1 + - Cache lookup could return RRSIG data associated with nonexistent + records, leading to an assertion failure. + + [LaMont Jones] + + * add a readme entry for DNSSEC-by-default + * Failed to install due to chgrp on non-existant directory. Closes: #647598 + * ack NMU: l10n issues + + -- LaMont Jones Wed, 18 Jan 2012 10:44:14 -0700 + +bind9 (1:9.8.1.dfsg-1.1) unstable; urgency=low + + * Non-maintainer upload. + * Fix pending l10n issues. Debconf translations: + - Danish (Joe Hansen). Closes: #619302 + - Korean (강민지). Closes: #632006, #632016 + - Serbian (FULL NAME). Closes: #634886 + + -- Christian Perrier Sat, 03 Dec 2011 17:22:12 +0100 + +bind9 (1:9.8.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream release + + [LaMont Jones] + + * cleanup the messages around killing named + * enable dnssec validation: deliver named.conf.options outside of + conffiledom, and update if able, complain and do not update if not + Closes: #516979 + * typo in min-ncache-ttl processing + * disable dlz until we get a patch to make it build again + + [Jay Ford] + + * Fix "waiting for pid $pid to die" loop to not be infinite. Closes: #570852 + + -- LaMont Jones Tue, 01 Nov 2011 16:39:19 -0600 + +bind9 (1:9.8.0.dfsg.P1-0) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.8.0-P1 + + [LaMont Jones] + + * soname changes + + -- LaMont Jones Fri, 13 May 2011 03:46:22 -0600 + +bind9 (1:9.7.4.dfsg-0) unstable; urgency=low + + * New upstream + + -- LaMont Jones Sun, 21 Aug 2011 04:43:16 -0600 + +bind9 (1:9.7.3.dfsg-1ubuntu4) oneiric; urgency=low + + * debian/apparmor-profile: Allow /var/run and /run. (LP: #810270) + + -- Martin Pitt Thu, 14 Jul 2011 15:15:45 +0200 + +bind9 (1:9.7.3.dfsg-1ubuntu3) oneiric; urgency=low + + * SECURITY UPDATE: denial of service via specially crafted packet + - lib/dns/include/dns/rdataset.h, lib/dns/{masterdump,message,ncache, + nsec3,rbtdb,rdataset,resolver,validator}.c: Use an rdataset attribute + flag to indicate negative-cache records rather than using rrtype 0. + - Patch backported from 9.7.3-P3. + - CVE-2011-2464 + + -- Marc Deslauriers Tue, 05 Jul 2011 08:33:30 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu2.1) natty-security; urgency=low + + * SECURITY UPDATE: denial of service via off-by-one + - lib/dns/ncache.c: correctly validate length. + - Patch backported from 9.7.3-P1. + - CVE-2011-1910 + + -- Marc Deslauriers Fri, 27 May 2011 12:50:40 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu2) natty; urgency=low + + * debian/rules, configure, contrib/dlz/config.dlz.in: use + DEB_HOST_MULTIARCH so we can find multiarch libraries and fix FTBFS. + (LP: #745642) + + -- Marc Deslauriers Wed, 30 Mar 2011 10:19:37 -0400 + +bind9 (1:9.7.3.dfsg-1ubuntu1) natty; urgency=low + + * debian/bind9-default.md5sum: + - updated to reflect the default md5sum in maverick and natty, this + avoids a bogus /etc/default/bind9.dpkg-dist file + (LP: #556332) + + -- Michael Vogt Tue, 29 Mar 2011 10:13:11 +0200 + +bind9 (1:9.7.3.dfsg-1) unstable; urgency=low + + [Peter Palfrader] + + * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right + db. + + [Internet Systems Consortium, Inc] + + * 9.7.3 - Closes: #612287 + + [Mahyuddin Susanto] + + * Updated Indonesian debconf templates. Closes: #608559 + + [LaMont Jones] + + * soname changes + + -- LaMont Jones Wed, 23 Feb 2011 09:14:36 -0700 + +bind9 (1:9.7.3.dfsg~rc1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * New upstream + + [Peter Palfrader] + + * Add db-4.6 to bdb_libnames in dlz/config.dlz.in so that it finds the right + db. + + [Mahyuddin Susanto] + + * Updated Indonesian debconf templates. Closes: #608559 + + [LaMont Jones] + + * soname changes for new upstream + + -- LaMont Jones Fri, 04 Feb 2011 21:20:05 -0700 + +bind9 (1:9.7.2.dfsg.P3-1) unstable; urgency=high + + [ISC] + * Fix denial of service via ncache entry and a rrsig for the + same type (CVE-2010-3613) + * answers were incorrectly marked as insecure during key algorithm + rollover (CVE-2010-3614) + * Using "allow-query" in the "options" or "view" statements to + restrict access to authoritative zones had no effect. + (CVE-2010-3615) + + [LaMont Jones] + + * Adjust indentation for dpkg change. Closes: #597171 + + -- LaMont Jones Wed, 01 Dec 2010 16:32:48 -0700 + +bind9 (1:9.7.2.dfsg.P2-3) unstable; urgency=low + + [LaMont Jones] + + * Adjust indentation for dpkg change. Closes: #597171 + * acknowledge and incorporate ubuntu change. + + -- LaMont Jones Fri, 26 Nov 2010 05:18:43 -0700 + +bind9 (1:9.7.2.dfsg.P2-2ubuntu1) natty; urgency=low + + [ Andres Rodriguez ] + * Add apport hook (LP: #533601): + - debian/bind9.apport: Added. + + [ Martin Pitt ] + * debian/rules: Install Apport hook when building on Ubuntu. + + -- Martin Pitt Fri, 26 Nov 2010 10:50:17 +0100 + +bind9 (1:9.7.2.dfsg.P2-2) unstable; urgency=low + + [Roy Jamison] + + * lib/isc/unix/resource.c was missing inttypes.h include. LP: #674199 + + -- LaMont Jones Fri, 12 Nov 2010 10:52:32 -0700 + +bind9 (1:9.7.2.dfsg.P2-1) unstable; urgency=low + + [Joe Dalton] + + * Add Danish translation of debconf templates. Closes: #599431 + + [Internet Software Consortium, Inc] + + * v9.7.2-P2 + + [José Figueiredo] + + * Add Brazilian Portuguese debconf templates translation. Closes: #597616 + + [LaMont Jones] + + * drop this v3 (quilt) source format idea. Closes: #589916 + + -- LaMont Jones Sun, 10 Oct 2010 19:01:57 -0600 + +bind9 (1:9.7.1.dfsg.P2-2) unstable; urgency=low + + * Correct conflicts for bind9-host + + -- LaMont Jones Fri, 16 Jul 2010 05:24:38 -0600 + +bind9 (1:9.7.1.dfsg.P2-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * Temporarily and partially disable change 2864 because it would cause + inifinite attempts of RRSIG queries. This is an urgent care fix; we'll + revisit the issue and complete the fix later. [RT #21710] + * Temporarially rollback change 2748. [RT #21594] + * Named failed to accept uncachable negative responses from insecure zones. + [RT# 21555] + + [LaMont Jones] + + * freshen copyright file + + -- LaMont Jones Thu, 15 Jul 2010 15:07:54 -0600 + +bind9 (1:9.7.1.dfsg.0-1) unstable; urgency=low + + * Repack to drop zkt/doc/{draft,rfc}* Closes: #588055 + + -- LaMont Jones Mon, 05 Jul 2010 07:21:34 -0600 + +bind9 (1:9.7.1.dfsg-2) unstable; urgency=low + + [Regid Ichira] + + * explicitly add nsupdate to dynamic updates in README.Debian. + Closes: #577398 + + [LaMont Jones] + + * Cleanup bind9-host description. Closes: #579421 + * switch to 3.0 (quilt) source format, but not to quilt. Closes: #578210 + + [Stephen Gran] + + * updated geoip patch for ipv6, based on work by John 'Warthog9' Hawley + . Closes: #584603 + + -- LaMont Jones Fri, 02 Jul 2010 08:19:29 -0600 + +bind9 (1:9.7.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.1 + + [LaMont Jones] + + * Add freebsd support. Closes: #578447 + * soname changes + * freshen root cache. LP: #596363 + + -- LaMont Jones Mon, 21 Jun 2010 09:53:30 -0600 + +bind9 (1:9.7.0.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0-P1 + - 2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619] + + -- LaMont Jones Wed, 17 Mar 2010 08:06:42 -0600 + +bind9 (1:9.7.0.dfsg.1-1) unstable; urgency=low + + [Niko Tyni] + + * fix mips/mipsel startup. Closes: #516616 + + [LaMont Jones] + + * ignore failures due to a lack of /etc/bind/named.conf*. LP: #422968 + * ldap API changed regarding % sign. LP: #227344 + * Drop more rfc and draft files. Closes: #572606 + * update config.guess, config.sub. Closes: #572528 + + -- LaMont Jones Fri, 12 Mar 2010 14:56:08 -0700 + +bind9 (1:9.7.0.dfsg-2) unstable; urgency=low + + [Aurelien Jarno] + + * kfreebsd has linux threads. Closes: #470500 + + [LaMont Jones] + + * do not error out on initial install. Closes: #572443 + + -- LaMont Jones Thu, 04 Mar 2010 09:32:13 -0700 + +bind9 (1:9.7.0.dfsg-1) unstable; urgency=low + + * New upstream release + + -- LaMont Jones Wed, 17 Feb 2010 14:53:36 -0700 + +bind9 (1:9.7.0.dfsg~rc2-1) experimental; urgency=low + + * New upstream release + + -- LaMont Jones Thu, 28 Jan 2010 05:46:50 -0700 + +bind9 (1:9.7.0.dfsg~b3-2) experimental; urgency=low + + * merge changes from 9.6.1.dfsg.P2-1 + * meta: drop verisoned depends from library packages, for less upgrade pain + * apparmor: allow named to create /var/run/named/session.key + + -- LaMont Jones Sun, 06 Dec 2009 11:46:17 -0700 + +bind9 (1:9.7.0.dfsg~b3-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0b3 + + [LaMont Jones] + + * Merge remote branch 'origin/master' + * soname changes + + -- LaMont Jones Mon, 30 Nov 2009 21:07:58 -0700 + +bind9 (1:9.6.1.dfsg.P2-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.1-P2 + - When validating, track whether pending data was from the + additional section or not and only return it if validates + as secure. [RT #20438] CVE-2009-4022 + + [LaMont Jones] + + * prerm: do not stop named on upgrade. Closes: #542888 + * Drop some RFCs that crept into the diff. + * meta: add ${misc:Depends} + * lintian: update config.guess, config.sub in idnkit-1.0 tree + * dnsutils: remove pre-sarge dpkg-divert calls in postinst + * meta: soname changes + * l10n: missing newline in pofile. + + -- LaMont Jones Fri, 27 Nov 2009 10:07:10 -0700 + +bind9 (1:9.7.0.dfsg~b2-2) experimental; urgency=low + + * dnsutils: remove pre-sarge dpkg-divert calls in postinst + + -- LaMont Jones Tue, 17 Nov 2009 22:42:40 -0600 + +bind9 (1:9.7.0.dfsg~b2-1) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0b2 + + [LaMont Jones] + + * /etc/bind/bind.keys need not be executable. + * bind9: drop old stale code from postinst + * prerm: do not stop named on upgrade. Closes: #542888 + * Drop some RFCs that crept into the diff. + * meta: add ${misc:Depends} + * lintian: update config.guess, config.sub in idnkit-1.0 tree + * l10n: missing newline in pofile. + + -- LaMont Jones Mon, 16 Nov 2009 18:53:24 -0700 + +bind9 (1:9.7.0~a1.dfsg-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.7.0a1 + + -- LaMont Jones Wed, 24 Jun 2009 15:10:08 -0600 + +bind9 (1:9.6.1.dfsg.P1-3) unstable; urgency=low + + * Build-Depend on the fixed libgeoip-dev. Closes: #540973 + + -- LaMont Jones Mon, 17 Aug 2009 06:53:11 -0600 + +bind9 (1:9.6.1.dfsg.P1-2) unstable; urgency=low + + [Jamie Strandboge] + + * reload individual named profile, not all of apparmor. LP: #412751 + + [Guillaume Delacour] + + * bind9 did not purge cleanly. Closes: #497959 + + [LaMont Jones] + + * postinst: do not append a blank line to /etc/default/bind9. + Closes: #541469 + * init.d stop needs to not error out. LP: #398033 + * meta: fix build-depends. Closes: #539230 + + -- LaMont Jones Fri, 14 Aug 2009 17:03:31 -0600 + +bind9 (1:9.6.1.dfsg.P1-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * A specially crafted update packet will cause named to exit. + CVE-2009-0696, CERT VU#725188. Closes: #538975 + + [InterNIC] + + * Update db.root hints file. + + [LaMont Jones] + + * Move default zone definitions from named.conf to named.conf.default-zones. + Closes: #492308 + * use start-stop-daemon if rndc stop fails. Closes: #536487 + * lwresd: pidfile name was wrong in init script. Closes: #527137 + + -- LaMont Jones Tue, 28 Jul 2009 22:03:14 -0600 + +bind9 (1:9.6.1.dfsg-2) unstable; urgency=low + + * ia64: fix atomic.h + + -- LaMont Jones Tue, 23 Jun 2009 01:56:35 -0600 + +bind9 (1:9.6.1.dfsg-1) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.1 + + -- LaMont Jones Mon, 22 Jun 2009 14:33:20 -0600 + +bind9 (1:9.6.0.dfsg.P1-3) unstable; urgency=low + + [Martin Zobel-Helas] + + * GEO-IP Patch from + git://git.kernel.org/pub/scm/network/bind/bind-geodns.git. Closes: #395191 + + [LaMont Jones] + + * Remove /var/lib/bind on purge. Closes: #527613 + * Build-Depend: libdb-dev (>4.6). Closes: #527877, #528772 + * init.d: detect rndc errors better. LP: #380962 + * init.d: clean up exit status. Closes: #523454 + * Enable pkcs11 support, and then Revert - causes assertion failures + c.f.: #516552 + + -- LaMont Jones Mon, 22 Jun 2009 13:58:32 -0600 + +bind9 (1:9.6.0.dfsg.P1-2) unstable; urgency=low + + * random_1 broke memory usage assertions. + + -- LaMont Jones Thu, 23 Apr 2009 05:15:45 -0600 + +bind9 (1:9.6.0.dfsg.P1-1) experimental; urgency=low + + [Michael Milligan] + + * Add min-cache-ttl and min-ncache-ttl keywords + + [LaMont Jones] + + * Fix merge errors from 9.6.0.dfsg.P1-0 + + -- LaMont Jones Fri, 20 Mar 2009 15:50:50 -0600 + +bind9 (1:9.6.0.dfsg.P1-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.6.0-P1 + + [LaMont Jones] + + * meta: fix override disparity + * meta: soname package fixups for 9.6.0 + * meta: update Standards-Version: 3.7.3.0 + * upstream now uses a bind subdir. Closes: #212659 + + [Sven Joachim] + + * meta: pass host and build into configure for hybrid build machines. + Closes: #515110 + + -- LaMont Jones Fri, 20 Mar 2009 11:54:55 -0600 + +bind9 (1:9.5.1.dfsg.P1-3) unstable; urgency=low + + * package -2 for unstable + + -- LaMont Jones Wed, 18 Mar 2009 09:40:18 -0600 + +bind9 (1:9.5.1.dfsg.P1-2) stable; urgency=low + + [Juhana Helovuo] + + * fix atomic operations on alpha. Closes: #512285 + + [Dann Frazier] + + * fix atomic operations on ia64. Closes: #520179 + + [LaMont Jones] + + * build-conflict: libdb4.2-dev. Closes: #515074, #507013 + + [localization folks] + + * l10n: Basque debconf template. Closes: #516549 (Piarres Beobide) + + -- LaMont Jones Wed, 18 Mar 2009 05:30:22 -0600 + +bind9 (1:9.5.1.dfsg.P1-1) unstable; urgency=low + + * New upstream patch release + - supportable version of fix from 9.5.0.dfsg.P2-5.1 + - CVE-2009-0025: Closes: #511936 + - 2475: Overly agressive cache entry removal. Closes: #511768 + - other bug fixes worthy of patch-release inclusion + + -- LaMont Jones Mon, 26 Jan 2009 10:33:42 -0700 + +bind9 (1:9.5.0.dfsg.P2-5.1) unstable; urgency=low + + * Non-maintainer upload. + * Apply upstream ACL fixes from 9.5.1 to fix RC bug. Patch was provided + by Evan Hunt (upstream bind9 developer) after Emmanuel Bouthenot + contacted him. Closes: #496954, #501800. + * Remove obsolete dh_installmanpages invocation which was adding + unwanted manual pages to bind9. Closes: #486196. + + -- Ben Hutchings Fri, 02 Jan 2009 16:51:42 +0000 + +bind9 (1:9.5.0.dfsg.P2-5) unstable; urgency=low + + [ISC] + + * 2463: IPv6 Advanced Socket API broken on linux. LP: #249824 + + [Jamie Strandboge] + + * apparmor: add capability sys_resource + * apparmor: add krb keytab access. LP: #277370 + + [LaMont Jones] + + * apparmor: allow proc/*/net/if_inet6 read access too. LP: #289060 + * apparmor: add /var/log/named/* entries. LP: #294935 + + [Ben Hutchings] + + * meta: Add dependency of bind9 on net-tools (ifconfig used in init script) + * meta: Fix bind9utils Depends. + * meta: fix typo in package description + + [localization folks] + + * l10n: add polish debconf translations. Closes: #506856 (L) + + -- LaMont Jones Sun, 07 Dec 2008 21:03:29 -0700 + +bind9 (1:9.5.0.dfsg.P2-4) unstable; urgency=low + + * meta: fix typo in Depends: lsb-base. Closes: #501365 + + -- LaMont Jones Tue, 07 Oct 2008 17:20:11 -0600 + +bind9 (1:9.5.0.dfsg.P2-3) unstable; urgency=low + + [LaMont Jones] + + * enable largefile support. Closes: #497040 + + [localization folks] + + * l10n: Dutch translation. Closes: #499977 (Paul Gevers) + * l10n: simplified chinese debconf template. Closes: #501103 (LI Daobing) + * l10n: Update spanish template. Closes: #493775 (Ignacio Mondino) + + -- LaMont Jones Sun, 05 Oct 2008 20:20:00 -0600 + +bind9 (1:9.5.0.dfsg.P2-2) unstable; urgency=low + + [Kees Cook] + + * debian/{control,rules}: enable PIE hardening (from -1ubuntu1) + + [Nicolas Valcárcel] + + * Add ufw integration (from -1ubuntu2) + + [Dustin Kirkland] + + * use pid file in init.d/bind9 status. LP: #247084 + + [LaMont Jones] + + * dig: add -DDIG_SIGCHASE to compile options. LP: #257682 + * apparmor profile: add /var/log/named + + [Nikita Ofitserov] + + * ipv6 support requires _GNU_SOURCE definition. LP: #249824 + + -- LaMont Jones Thu, 28 Aug 2008 23:08:36 -0600 + +bind9 (1:9.5.0.dfsg.P2-1) unstable; urgency=low + + [LaMont Jones] + + * default to using resolvconf if it is installed + * fix sonames and dependencies. Closes: #149259, #492418 + * Do not build-depend libcap2-dev on non-linux. Closes: #493392 + * drop unused query-loc manpage. Closes: #492564 + * lwresd: Deliver /etc/bind directory. Closes: #490027 + * fix query-source comment in default install + + [Internet Software Consortium, Inc] + + * 9.5.0-P2. Closes: #492949 + + [localization folks] + + * l10n: Spanish debconf translation. Closes: #492425 (Ignacio Mondino) + * l10n: Swedish debconf templates. Closes: #491369 (Martin Ã…gren) + * l10n: Japanese debconf translations. Closes: #492048 (Hideki Yamane + (Debian-JP)) + * l10n: Finnish translation. Closes: #490630 (Esko Arajärvi) + * l10n: Italian debconf translations. Closes: #492587 (Alessandro Vietta) + + -- LaMont Jones Sat, 02 Aug 2008 14:20:20 -0600 + +bind9 (1:9.5.0.dfsg.P1-2) unstable; urgency=low + + * Revert "meta: merge the mess of single-lib packages back into one large + one." - That way lies madness and pain. + * init.d/bind9: implement status function. LP: #203169 + + -- LaMont Jones Tue, 08 Jul 2008 21:56:58 -0600 + +bind9 (1:9.5.0.dfsg.P1-1) unstable; urgency=low + + * Repackage 9.5.0.dfsg-5 with the -P1 tarball. + + -- LaMont Jones Tue, 08 Jul 2008 15:06:07 -0600 + +bind9 (1:9.5.0.dfsg-5) unstable; urgency=low + + [Internet Software Consortium, Inc] + + * Randomize UDP query source ports to improve forgery resilience. + (CVE-2008-1447) + + [LaMont Jones] + + * add build-depends: texlive-latex-base, xsltproc, remove Bv9ARM.pdf in clean + * fix sonames + * drop unneeded build-deps, since we do not actually deliver B9vARM.pdf + * meta: cleanup libbind9-41 Provides/Conflicts + * build: fix sonames for new libraries + * postinst: really restart bind/lwresd in postinst + + -- LaMont Jones Sun, 06 Jul 2008 21:34:18 -0600 + +bind9 (1:9.5.0.dfsg-4) unstable; urgency=low + + [LaMont Jones] + + * control: fix dnsutils description to avoid list reformatting. + Closes: #480317 + * lwresd: restart in postinst. Closes: #486481 + * meta: merge the mess of single-lib packages back into one large one. + * apparmor: allow bind to create files in /var/{lib,cache}/bind + * build: drop .la files. Closes: #486969 + * build: drop the extra lib path from the library-package merge + * meta: liblwres40 does not conflict with the libbind9-40-provided libbind0 + + [localization folks] + + * l10n: German debconf translation. Closes: #486547 (Helge Kreutzmann) + * l10n: Indonesian debconf translations. Closes: #486503 (Arief S Fitrianto) + * l10n: Slovak po-debconf translation Closes: #488905 (helix84) + * l10n: Turkish debconf template. Closes: #486479 (Mert Dirik) + + -- LaMont Jones Mon, 30 Jun 2008 11:22:05 -0600 + +bind9 (1:9.4.2-12) unstable; urgency=low + + * apparmor: allow bind to create files in /var/{lib,cache}/bind + + -- LaMont Jones Mon, 30 Jun 2008 11:17:53 -0600 + +bind9 (1:9.4.2-11) unstable; urgency=low + + * apparmor: add dnscvsutil package files + * lwresd Depends: adduser + * control: fix dnsutils description to avoid list reformatting. + Closes: #480317 + + -- LaMont Jones Tue, 17 Jun 2008 21:30:12 -0600 + +bind9 (1:9.5.0.dfsg-3) unstable; urgency=low + + [LaMont Jones] + + * bind9utils Depends: libbind9-40. Closes: #486194 + * bind9 should not deliver manpages for nonexistant binaries. + Closes: #486196 + + [localization folks] + + * l10n: Vietnamese debconf templates translation update. Closes: #486185 + (Clytie Siddall) + * l10n: Russian debconf templates translation. Closes: #486191 (Yuri Kozlov) + * l10n: Galician debconf template. Closes: #486215 (Jacobo Tarrio) + * l10n: French debconf templates. Closes: #486325 (CALARESU Luc) + * l10n: Czech debconf translation. Closes: #486337 (Miroslav Kure) + * l10n: Updated Portuguese translation. Closes: #486267 (Traduz - + Portuguese Translation Team) + + -- LaMont Jones Sun, 15 Jun 2008 18:25:02 -0600 + +bind9 (1:9.5.0.dfsg-2) unstable; urgency=low + + [Tim Spriggs] + + * init.d: Nexenta has different ifconfig arguments + + [LaMont Jones] + + * templates rework from debian-l10n-english + * reload named when an interface goes up or down. LP: #226495 + * build: need to create the directories for interface restart triggering + * Build-Depends: libcap2-dev. Closes: #485747 + * Leave named running during update. Closes: #453765 + * Fix path to uname, cleaning up the nexenta checks. + * l10n: avoid double-question in templates. + + [localization folks] + + * l10n: Vietnamese debconf translations. Closes: #483911 (Clytie Siddall) + * l10n: Portuguese debconf translations. Closes: #483872 (Traduz - + Portuguese Translation Team) + + -- LaMont Jones Fri, 13 Jun 2008 16:54:42 -0600 + +bind9 (1:9.5.0.dfsg-1) unstable; urgency=low + + [LaMont Jones] + + * manpages: fix references that should say /etc/bind + * meta: build-depend libxml2-dev for statistics support + + -- LaMont Jones Sat, 31 May 2008 12:17:21 -0600 + +bind9 (1:9.5.0.dfsg-0) experimental; urgency=low + + [Internet Software Consortium, Inc] + + * 9.5.0 release + + [LaMont Jones] + + * Only use capabilities if they are present: reprise. Closes: #360339, #212226 + * control: fix dnsutils description to avoid list reformatting. Closes: #480317 + * build: use the correct directories in dh_shlibdeps invocation + * build: turn on dlz. No pgsql or mysql support yet. LP: #227344 + + -- LaMont Jones Thu, 29 May 2008 22:05:19 -0600 + +bind9 (1:9.5.0~rc1-2~0ubuntu2) intrepid; urgency=low + + * build: use the correct directories in dh_shlibdeps invocation + * build: turn on dlz. LP: #227344 + + -- LaMont Jones Tue, 27 May 2008 21:43:06 -0600 + +bind9 (1:9.5.0~rc1-2~0ubuntu1) intrepid; urgency=low + + * Upload what will become (maybe an ancestor of) -2 to intrepid. + - Only use capabilities if they are present: reprise. Closes: #360339, #212226 + - control: fix dnsutils description to avoid list reformatting. Closes: #480317 + + -- LaMont Jones Mon, 26 May 2008 11:46:27 -0600 + +bind9 (1:9.5.0~rc1-1) experimental; urgency=low + + [Patrick Winnertz] + + * postinst: make add debconf support. Closes: #473460 + + [Jamie Strandboge] + + * debian/bind9.preinst: Apparmor force-complain on upgrade without + existing profile. LP: #204658 + + [LaMont Jones] + + * bind9utils: fix typos in .install + * host: manpage inaccurately describes default query. LP: #203087 + * apparmor: add dnscvsutil package files + * Revert "Only use capabilities if they are present." for merge of 9.5.0rc1. + * soname: libdns41 -> 42 + * fix typos in debconf patch, #473460 + * cleanup more files in clean target + * lwresd Depends: adduser + + -- LaMont Jones Thu, 15 May 2008 17:59:54 -0600 + +bind9 (1:9.5.0~b2-2) experimental; urgency=low + + * meta: add bind9utils binary package, with various useful utilities. Closes: #151957, #130445, #160483 + + -- LaMont Jones Thu, 03 Apr 2008 07:01:42 -0600 + +bind9 (1:9.4.2-10) unstable; urgency=low + + [Jamie Strandboge] + + * debian/bind9.preinst: AA force-complain on upgrade without existing + profile. LP: #204658 + + [LaMont Jones] + + * host: manpage inaccurately describes default query. LP: #203087 + + -- LaMont Jones Tue, 08 Apr 2008 22:45:57 -0600 + +bind9 (1:9.4.2-9) unstable; urgency=low + + * apparmor: allow subdirs in {/etc,/var/cache,/var/lib}/bind + * apparmor: make profile match README.Debian + + -- LaMont Jones Tue, 01 Apr 2008 21:13:05 -0600 + +bind9 (1:9.4.2-8) unstable; urgency=low + + [ISC] + + * CVE-2008-0122: off by one error in (unused) inet_network function. + Closes: #462783 LP: #203476 + + [Michael Milligan] + + * Fix min-cache-ttl and min-ncache-ttl keywords + + [Jamie Strandboge] + + * apparmor: force complain-mode for apparmor on certain upgrades. LP: #203528 + * debian/bind9.postrm: purge /etc/apparmor.d/force-complain/usr.sbin.named + + -- LaMont Jones Tue, 18 Mar 2008 18:35:15 -0600 + +bind9 (1:9.4.2-7) unstable; urgency=low + + [Jamie Strandboge] + + * Allow rw access to /var/lib/bind/* in apparmor-profile. LP: #201954 + + [LaMont Jones] + + * Drop root-delegation comments from named.conf. Closes: #217829, #297219 + + -- LaMont Jones Sat, 15 Mar 2008 09:48:10 -0600 + +bind9 (1:9.4.2-6) unstable; urgency=low + + * Correct apparmor profile filename. LP: #200739 + + -- LaMont Jones Mon, 10 Mar 2008 14:28:01 -0600 + +bind9 (1:9.4.2-5) unstable; urgency=low + + * add "order random_1" support (return one random RR) + * Fix doc pathnames in README.Debian. Closes: #266891 + * Add AAAA ::1 entry to db.local. Closes: #230088 + + -- LaMont Jones Mon, 10 Mar 2008 13:51:28 -0600 + +bind9 (1:9.5.0~b2-1) experimental; urgency=low + + [Thiemo Seufer] + + * mips:atomic.h: improve implementation of atomic ops, fix mips{el,64} + + [LaMont Jones] + + * manpages: call it /etc/bind/named.conf throughout, and typos. Closes: #419750 + * named.conf.5: correct filename. Closes: #428015 + * manpages: fix typo errors. Closes: #395834 + * Makefile.in: be explicit about library paths + * build: Turn on GSS-TSIG support. LP: #158197 + * build: soname changes + * db.root: include AAAA RRs. Closes: #464111 + * soname: lib{dns,isc}40 -> 41 + * meta: use binary:Version instead of Source-Version + + [Andreas John] + + * Only use capabilities if they are present. Closes: #360339, #212226 + + -- LaMont Jones Sat, 23 Feb 2008 08:06:17 -0700 + +bind9 (1:9.4.2-4) unstable; urgency=low + + * incorporate ubuntu apparmor change from Jamie Strandboge, + with changes: + - Add apparmor profile, reload apparmor profile on config + - Add a note about apparmor to README.Debian + - conflicts/replaces old apparmor versions + * db.root: include AAAA RRs. Closes: #464111 + * Don't die when /var/lib/bind already exists. LP: #191685 + * build: turn on optimization. Closes: #435194 + + -- LaMont Jones Fri, 22 Feb 2008 22:05:25 -0700 + +bind9 (1:9.4.2-3ubuntu1) hardy; urgency=low + + * add AppArmor profile + + debian/apparmor-profile + + debian/bind9.postinst: Reload AA profile on configuration + * updated debian/README.Debian for note on AppArmor + * debian/control: Replaces apparmor-profiles << 2.1+1075-0ubuntu4 as we + should now take control + * debian/control: Conflicts with apparmor-profiles << 2.1+1075-0ubuntu4 + to make sure that if earlier version of apparmor-profiles gets installed + it won't overwrite our profile + * Modify Maintainer value to match the DebianMaintainerField + specification. + + -- Jamie Strandboge Wed, 13 Feb 2008 17:30:45 +0000 + +bind9 (1:9.4.2-3) unstable; urgency=low + + * don't run rndc-confgen when it's not there. Closes: #459551 + * control: drop use of ${Source-Version} + + -- LaMont Jones Mon, 07 Jan 2008 10:16:06 -0700 + +bind9 (1:9.4.2-2) unstable; urgency=low + + * init.d: add --oknodo to start-stop-daemon. Closes: #411881 + * init: LSB dependency info. Closes: #459421, #448006 + * meta: bind9 Suggests: resolvconf. Closes: #252285 + * bind9: deliver /var/lib/bind directory, and document. + Closes: #248771, #200253, #202981, #209022 + * lwresd: create bind user/group and rndc key if needed, at install. + Closes: #190742 + * dnsutils: update long description. Closes: #236901 + + -- LaMont Jones Sun, 06 Jan 2008 12:25:31 -0700 + +bind9 (1:9.4.2-1) unstable; urgency=low + + [Mike O'Connor] + + * bind9.init: LSB compliance. Closes: #448006 + + [Internet Software Consortium, Inc] + + * New release: 9.4.2 + + [LaMont Jones] + + * soname shifts for new release + + -- LaMont Jones Sat, 17 Nov 2007 10:50:07 -0700 + +bind9 (1:9.4.2~rc2-1) experimental; urgency=low + + * New upstream release + + -- LaMont Jones Fri, 12 Oct 2007 18:33:57 -0600 + +bind9 (1:9.4.1-P1-4) unstable; urgency=low + + [Thomas Antepoth] + + * unix/socket.c: don't send to a socket with pending_send. Closes: #430065 + + [LaMont Jones] + + * document git repositories + * db.root: l.root-servers.net changed IP address. Closes: #449148 LP: #160176 + * init.d: if there are no networks configured, error out quickly + + -- LaMont Jones Thu, 08 Nov 2007 21:31:55 -0700 + +bind9 (1:9.4.1-P1-3) unstable; urgency=low + + * Only deliver upstream changes with bind9-doc + + -- LaMont Jones Thu, 04 Oct 2007 08:30:55 -0600 + +bind9 (1:9.4.1-P1-2) unstable; urgency=low + + * manpages: fix typo errors. Closes: #395834 + * manpages: call it /etc/bind/named.conf throughout, and typos. Closes: #419750 + * named.conf.5: correct filename. Closes: #428015 + * bind9.NEWS: update version for ACL change doc. Closes: #435225 + * build: don't have dnsutils deliver man pages that it shouldn't. LP: #82178 + * nslookup.1: some of the manpage was not visible. LP: #131415 + * document git repositories + * unix/socket.c: don't send to a socket with pending_send. Closes: #430065 + + -- LaMont Jones Wed, 03 Oct 2007 01:10:59 -0600 + +bind9 (1:9.4.1-P1-1) unstable; urgency=high + + * New upstream version, addresses CVE-2007-2926 and CVE-2007-2925 + + -- Bdale Garbee Thu, 26 Jul 2007 16:41:50 -0600 + +bind9 (1:9.4.1-1) unstable; urgency=low + + * New upstream version + + -- LaMont Jones Mon, 30 Apr 2007 16:59:05 -0600 + +bind9 (1:9.4.0-2) unstable; urgency=low + + * upload to unstable + + -- LaMont Jones Tue, 10 Apr 2007 11:12:16 -0600 + +bind9 (1:9.4.0-1) experimental; urgency=low + + * New upstream version + * more mipsel patch. Closes: #406409 + + -- LaMont Jones Sun, 25 Feb 2007 11:44:11 -0700 + +bind9 (1:9.4.0~rc2-1) experimental; urgency=low + + * New upstream version. Addresses CVE-2007-0493 CVE-2007-0494 + + -- LaMont Jones Thu, 25 Jan 2007 14:26:12 -0700 + +bind9 (1:9.4.0~rc1.0-3) experimental; urgency=low + + * add NEWS file talking about the change in defaults: + As of bind 9.4, allow-query-cache and allow-recursion default to the + builtin acls 'localnets' and 'localhost'. If you are setting up a + name server for a network, you will almost certainly need to change + this. + + The change in default has been done to make caching servers less + attractive as reflective amplifying targets for spoofed traffic. + This still leaves authoritative servers exposed. + + -- LaMont Jones Wed, 24 Jan 2007 09:35:06 -0700 + +bind9 (1:9.4.0~rc1.0-2) experimental; urgency=low + + * Fix mips64. Closes: #406409 + + -- LaMont Jones Sun, 21 Jan 2007 15:32:27 -0700 + +bind9 (1:9.4.0~rc1.0-1) experimental; urgency=low + + * Broken orig.tar.gz. + + -- LaMont Jones Thu, 28 Dec 2006 23:04:05 -0700 + +bind9 (1:9.4.0~rc1-1) experimental; urgency=low + + * New upstream + + -- LaMont Jones Thu, 28 Dec 2006 19:00:37 -0700 + +bind9 (1:9.3.4-2etch2) stable-proposed-updates; urgency=low + + [Thomas Antepoth] + + * unix/socket.c: don't send to a socket with pending_send. Closes: #430065 + + [LaMont Jones] + + * document git repositories + * db.root: l.root-servers.net changed IP address. Closes: #449148 + + -- LaMont Jones Mon, 05 Nov 2007 19:48:23 -0700 + +bind9 (1:9.3.4-2etch1) stable-security; urgency=high + + * Fix DNS cache poisoning through predictable query IDs. (CVE-2007-2926) + + -- Moritz Muehlenhoff Tue, 24 Jul 2007 22:09:35 +0000 + +bind9 (1:9.3.4-2) unstable; urgency=high + + * Actually really do the merge of 9.3.4. Sigh. Closes: #408925 + + -- LaMont Jones Mon, 29 Jan 2007 06:09:03 -0700 + +bind9 (1:9.3.4-1) unstable; urgency=high + + * New upstream version. Addresses CVE-2007-0493 CVE-2007-0494 + + -- LaMont Jones Thu, 25 Jan 2007 14:31:09 -0700 + +bind9 (1:9.3.3-1) unstable; urgency=low + + * New upstream version + + -- LaMont Jones Tue, 12 Dec 2006 23:31:51 -0700 + +bind9 (1:9.3.2-P1.0-1) unstable; urgency=low + + * Fix README.Debian to point to the URL. Closes: #387437 + * Strip rfc's from orig.tar.gz. Closes: #393359 + + -- LaMont Jones Mon, 16 Oct 2006 06:38:22 -0600 + +bind9 (1:9.3.2-P1-2) unstable; urgency=low + + * Fix init script output. Closes: #354192 + Thanks to Joey Hess for the patch. + * Default install should listen on ipv6 interfaces. Closes: #382438 + + -- LaMont Jones Sat, 9 Sep 2006 19:01:53 -0600 + +bind9 (1:9.3.2-P1-1) unstable; urgency=high + + * New upstream, fixes CVE-2006-4095 and CVE-2006-4096. + Closes: #386237, #386245 + * Drop gcc-3.4 [powerpc] dependency. Closes: #342957, #372203 + * Add -fno-strict-aliasing for type-punned pointer aliasing issues + Closes: #386224 + * Use getent in postinst instead of chown/chgrp. Closes: #386091, #239665 + * Drop redundant update-rc.d calls. Closes: #356914 + + -- LaMont Jones Wed, 6 Sep 2006 08:07:13 -0600 + +bind9 (1:9.3.2-2) unstable; urgency=low + + * correct force-reload. Closes: #333841 + * Fix init.d's usage message. Closes: #331090 + * resolvconf tweaks. Closes: #252232, #275412 + + -- LaMont Jones Mon, 16 Jan 2006 15:17:04 -0700 + +bind9 (1:9.3.2-1) unstable; urgency=low + + * New upstream + * use lsb-base for start/stop messages in init.d. + * switch to debhelper 4 + + -- LaMont Jones Thu, 5 Jan 2006 12:29:28 -0700 + +bind9 (1:9.3.1-2) unstable; urgency=low + + * Getting good reports from experimental, uploading to sid. + Release team, please consider this package for sarge. Thanks. + * correct pidfile name in init.d/lwresd. Closes: #298100 + + -- LaMont Jones Sat, 19 Mar 2005 17:46:31 -0700 + +bind9 (1:9.3.1-1) experimental; urgency=low + + * Build with gcc-3.4 on powerpc, to work around #292958. + + -- LaMont Jones Sat, 19 Mar 2005 11:40:06 -0700 + +bind9 (1:9.3.1-0) experimental; urgency=low + + * New upstream version. + + -- LaMont Jones Sun, 13 Mar 2005 21:44:57 -0700 + +bind9 (1:9.3.0+9.3.1beta2-1) experimental; urgency=low + + * new upstream version + + -- LaMont Jones Tue, 25 Jan 2005 14:21:51 -0700 + +bind9 (1:9.3.0-1) experimental; urgency=low + + * New upstream version + + -- LaMont Jones Sat, 25 Sep 2004 21:35:46 -0600 + +bind9 (1:9.2.4-1) unstable; urgency=high + + * New upstream version. Closes: #269157 and others. + * Version debhelper build-dep. Closes: #262720 + + -- LaMont Jones Thu, 23 Sep 2004 09:11:37 -0600 + +bind9 (1:9.2.3+9.2.4-rc7-1) unstable; urgency=low + + * New upstream + + -- LaMont Jones Wed, 1 Sep 2004 00:04:55 -0600 + +bind9 (1:9.2.3+9.2.4-rc6-1) unstable; urgency=low + + * New upstream. + * Comment out delegation-only directives in named.conf + + -- LaMont Jones Mon, 2 Aug 2004 10:00:38 -0600 + +bind9 (1:9.2.3+9.2.4-rc5-1) unstable; urgency=low + + * New upstream release candidate + + -- LaMont Jones Thu, 17 Jun 2004 19:50:37 -0600 + +bind9 (1:9.2.3+9.2.4-rc2-1) unstable; urgency=low + + * New upstream release candidate + * Remove shared library symlinks in clean. Closes: #243109 + * Deal with capset being a module. Closes: #245043, #240874, #241605 + * deliver /var/run/bind/run in lwresd as well. Closes: #186569 + + -- LaMont Jones Thu, 22 Apr 2004 12:20:05 -0600 + +bind9 (1:9.2.3-3) unstable; urgency=low + + * new IP for b.root-servers.net. Closes: #234278 + * Fix RC linkages to match bind8. Closes: #218007 + + -- LaMont Jones Mon, 1 Mar 2004 15:00:44 -0700 + +bind9 (1:9.2.3-2) unstable; urgency=low + + * Rebuild autoconf files for mips. Closes: #221419 + + -- LaMont Jones Tue, 18 Nov 2003 06:33:34 -0700 + +bind9 (1:9.2.3-1) unstable; urgency=low + + * New upstream. + * cleanup zones.rfc1918/db.empty stuff. + * Fix Makefiles to work even if the build environment is unclean. + Closes: #211503 + * Add comments about root-delegation-only to named.conf. Closes: #212243 + * Add resolvconf support. Closes: #199255 + * more SO_BSDCOMPAT hacks for linux. Closes: #220735, #214460 + + -- LaMont Jones Mon, 17 Nov 2003 21:30:33 -0700 + +bind9 (1:9.2.2+9.2.3rc4-1) unstable; urgency=low + + * Yet another new upstream release. + + -- LaMont Jones Mon, 22 Sep 2003 09:39:50 -0600 + +bind9 (1:9.2.2+9.2.3rc3-1) unstable; urgency=low + + * New upstream. Closes: #211752. #211503. #211496, #211520 + + -- LaMont Jones Sat, 20 Sep 2003 12:22:59 -0600 + +bind9 (1:9.2.2+9.2.3rc2-4) unstable; urgency=low + + * Really fix versioned depends. Closes: #211590 + + -- LaMont Jones Thu, 18 Sep 2003 17:29:47 -0600 + +bind9 (1:9.2.2+9.2.3rc2-3) unstable; urgency=low + + * Version depends for all the libraries. sigh. Closes: #211412,#210293 + + -- LaMont Jones Wed, 17 Sep 2003 10:56:36 -0600 + +bind9 (1:9.2.2+9.2.3rc2-2) unstable; urgency=low + + * Need a versioned depend. sigh. + + -- LaMont Jones Wed, 17 Sep 2003 10:25:35 -0600 + +bind9 (1:9.2.2+9.2.3rc2-1) unstable; urgency=low + + * New upstream release. Closes: #211373 + * Remove RFC's from package, per policy. + * Make com and net zones delegation-only by default. + + -- LaMont Jones Wed, 17 Sep 2003 07:15:37 -0600 + +bind9 (1:9.2.2+9.2.3rc1-3) unstable; urgency=low + + * A bit more cleanup of descriptions. + * fix package sections + * Fix b0rkage with dependencies. + + -- LaMont Jones Sun, 14 Sep 2003 09:05:10 -0600 + +bind9 (1:9.2.2+9.2.3rc1-2) unstable; urgency=low + + * Explicitly link libraries. Closes: #210653 + * Fix descriptions. Closes: #209563, #209853, #210063 + + -- LaMont Jones Sat, 13 Sep 2003 19:29:05 -0600 + +bind9 (1:9.2.2+9.2.3rc1-1) unstable; urgency=low + + * New upstream release candidate. + * Quit using SO_BSDCOMPAT (why is it still in the header files??) so + that the kernel will shut up about it's advertised, obsolete option. + Closes: #201293, #204282, #205590 + + -- LaMont Jones Thu, 28 Aug 2003 14:44:28 -0600 + +bind9 (1:9.2.2-2) unstable; urgency=low + + * Fix libtool.m4. Closes: #183791 + * move lib packages into Section: libs. Closes: #184788 + * make sure it's libssl0.9.7. Closes: #182363 + * Add /etc/default/lwresd. Closes: #169727 + * Add fakeroot dir to dh_shlibdeps. Closes: #169622 + * Fix rndc manpage. Closes: #179353 + * Deliver /usr/bin/isc-config.sh (in libbind-dev). Closes: #178186 + + -- LaMont Jones Sat, 15 Mar 2003 16:34:15 -0700 + +bind9 (1:9.2.2-1) unstable; urgency=low + + * New upstream version + * Document /etc/default/bind9 in init.d script. Closes: #170267 + + -- LaMont Jones Tue, 4 Mar 2003 22:43:58 -0700 + +bind9 (1:9.2.1-7) unstable; urgency=low + + * One more overrides disparity. + * Fix bashism in postinst. Closes: #169531 + + -- LaMont Jones Sun, 17 Nov 2002 19:22:58 -0700 + +bind9 (1:9.2.1-6) unstable; urgency=low + + * The "I give up for now" release. + * Only convert to running as bind if named.conf hasn't been modified. + * Closes: #163552, #164352 + * Fix overrides + * Cleanup README.Debian wrt non-root-by-default. + * Make sure that /var/run/bind/run exists in init.d script. Closes: #168912 + * New IP for j.root-servers.net. Closes: #167818 + * Check for 2.2.18 kernel in preinst. Closes: #164349 + * Move local options to /etc/default/bind9. Closes: #169132, #163073 + * Cleanup old bugs (fixed in -5, really). Closes: #165864 + * Add /etc/bind/named.conf.local, included from named.conf. Closes: #129576 + * Do options definitions in /etc/bind/named.conf.options, makes life + easier in the face of named.conf changes from upstream. + * Add missing Depends: adduser + + -- LaMont Jones Sat, 16 Nov 2002 17:05:45 -0700 + +bind9 (1:9.2.1-5) unstable; urgency=low + + * Run named a non-privileged user by default. Closes: #149059 + + -- LaMont Jones Thu, 12 Sep 2002 16:57:37 -0600 + +bind9 (1:9.2.1-4) unstable; urgency=low + + * swap maintainer/uploader status so LaMont is primary and Bdale is backup + * Deal with bind/bind9 collisions better. Closes: #149580 + * Fix some documentation. Closes: #151579 + + -- LaMont Jones Wed, 4 Sep 2002 23:25:33 -0600 + +bind9 (1:9.2.1-3) unstable; urgency=high + + * fold in lib/bind/resolv from 8.3.3 to resolve buffer overlow issue in + resolver library, closes: #151342, #151431 + + -- Bdale Garbee Mon, 1 Jul 2002 00:16:31 -0600 + +bind9 (1:9.2.1-1.woody.1) testing-security woody-proposed-updates; urgency=high + + * backport to woody (simple rebuild) since 9.2.1 resolves a security issue + + -- Bdale Garbee Tue, 4 Jun 2002 10:30:57 -0600 + +bind9 (1:9.2.1-2) unstable; urgency=low + + * don't include nslint man page, closes: #148695 + * fix typo in rndc.8, closes: #139602 + * add a section to README.Debian explaining the rndc key mode that has been + our default since 9.2.0-2, closes: #129849 + * fix paths for named.conf in named.8 to reflect our default, closes: #143443 + * upstream fixed the nsupdate man page at some point, closes: #121108 + + -- Bdale Garbee Mon, 3 Jun 2002 15:44:37 -0600 + +bind9 (1:9.2.1-1) unstable; urgency=medium + + * new upstream version + * have bind9-host provide host, closes: #140174 + * move bind9-host to priority standard since dnsutils depends on it or host, + and we prefer bind9-host over host. + * move libdns5 and libisc4 to priority standard since dnsutils depends on + them and is priority standard + + -- Bdale Garbee Thu, 30 May 2002 10:38:39 -0600 + +bind9 (1:9.2.0-6) unstable; urgency=low + + * move to US main! Yippee! Closes: #123969 + * add info to README.Debian about 2.5 kernels vs --disable-linux-caps + + -- Bdale Garbee Sat, 23 Mar 2002 00:18:05 -0700 + +bind9 (1:9.2.0-5) unstable; urgency=medium + + * clean up various issues in the rules file + * make bind9-host conflict/replace old dnsutils as host does, otherwise we + can have problems upgrading from potato to woody, closes: #136686 + * use /dev/urandom for rndc-confgen in postinst, it should be good enough for + this purpose, and will keep the postinst from blocking arbitrarily. + closes: #130372 + * add fresh pointers to chroot howto to README.Debian, closes: #135774 + + -- Bdale Garbee Sun, 3 Mar 2002 16:47:12 -0700 + +bind9 (1:9.2.0-4) unstable; urgency=low + + * bind9-host needs to conflict with host, closes: #127395 + + -- Bdale Garbee Tue, 1 Jan 2002 20:12:14 -0700 + +bind9 (1:9.2.0-3) unstable; urgency=low + + * force removal of old diverted files, closes: #126236 + * change priority of liblwres1 from optional to standard per ftp admins + * add a bind9-host package so that the 'host' provided with the BIND 9.X + source tree can be an alternative to the aging NIKHEF version packaged + separately. Update dnsutils dependencies to depend on one of the two, + with preference to this one since it has fewer bugs (but fewer features, + too). + + -- Bdale Garbee Sun, 23 Dec 2001 00:59:15 -0700 + +bind9 (1:9.2.0-2) unstable; urgency=medium + + * change rc.d links to ensure daemon starts before and stops after other + daemons that may fail if name service is not working (bug was filed + against 8.X bind packages, but is just as relevant here!) + * use rndc for daemon shutdown instead of start-stop-daemon, closes: #111935 + * add a postinst to dnsutils to remove any lingering diversions from old + dnsutils packages, closes: #122227 + * not much point in delivering zone2ldap.1 since we aren't delivering + zone2ldap right now (though we might someday?), closes: #124058 + * be more verbose with shared library descriptions, closes: #123426, #123428 + * 9.2.0 added a new rndc.key file that both named and rndc will read to + obtain a shared key, and rndc-confgen will easily create this file with + a unique-per-system key. Modify named.conf and remove rndc.conf + to take advantage of this mechanism and stop delivering a pre-determined + static key to all Debian systems (which has been a mild security risk). + Create the key in postinst if the key file doesn't already exist, and + remove the file in postrm if purging. + Closes: #86718, #87208 + + -- Bdale Garbee Fri, 21 Dec 2001 04:04:30 -0700 + +bind9 (1:9.2.0-1) unstable; urgency=low + + * new upstream version, closes: #108243, #112266, #114250, #119506, #120657 + * /etc/bind/rndc.conf is now a conffile + * minor hacks to the README.Debian since the chroot instructions it points + to are 8.X specific, part of addressing bug 111868. + * libomapi is gone, replaced by libisccc and libisccfg + * a few lintian-motivated cosmetic cleanups + * lose task-dns-server meta package, since tasksel doesn't need it now + * dig problem not reproducible in this version, closes: #89526 + * named-checkconf now uses $sysconfdir, closes: #107835 + * no longer deliver man pages for contributed binaries we're not including + in dnsutils, closes: #108220 + * fix section in nslookup man page, though that's the least of the man + page's problems... glitch reported is unreproducible + closes: #103630, #120946 + * update libbind-dev README.Debian, closes: #121050 + + -- Bdale Garbee Tue, 27 Nov 2001 01:41:00 -0700 + +bind9 (1:9.1.3-1) unstable; urgency=low + + * new upstream version, closes: #96483, #99824, #100647, #101568, #103429 + * update config.sub/guess for hppa/ia64 support + * small init.d patch from Marco d'Itri to ease adding options on invocation + * stop having bind9-doc conflict/replace bind-doc since they don't really + conflict and there's no reason to prevent having both installed at the + same time, closes: #90994 + * the CHANGES file documents fixes since 9.1.1 that probably cured the + reported assertion failure. If it turns out that I'm wrong, the bug can + be re-opened or a new one filed. I can't see any way to reproduce the bug + in a test case here. Closes: #99352 + * have libbind-dev depend on the runtime library packages it delivers + compile-time symlinks for, closes: #100898, #103855 + * fix lwres man pages to source man3/* instead of * so all the page content + can actually be found, closes: #85450, #103865 + + -- Bdale Garbee Mon, 9 Jul 2001 11:30:39 -0600 + +bind9 (1:9.1.1-1) unstable; urgency=low + + * new upstream release + * update build-depends for libssl-dev + * add build-depends on bison, closes: #90150, #90752, #90159 + * split up libbind0 since libdns is changing so numbers + * downgrade rblcheck from a depends to a suggests, closes: #90783 + * bind9 mkdep creates files in the current working directory, closes: #58353 + + -- Bdale Garbee Wed, 25 Apr 2001 22:53:21 -0600 + +bind9 (1:9.1.0-3) unstable; urgency=low + + * merge patch from Zack Weinberg that solves compilation problem, and + reduces the memory footprint of applications by making configure.in + smarter. Closes: #86776, #86910 + * the bind-doc package includes all relevant documentation from the bind9 + source tree, including HTML content in /usr/share/doc/bind9-doc/arm, + closes: #85718 + * default named.conf and rndc.conf to not world-readable. This is an + interim step towards addressing the concerns about security raised by + bugs 86718 and closes: #86836 A better long-term solution would be for + rndc.conf to allow includes, so that both named.conf and rndc.conf could + include a key file built on the fly during installation while themselves + retaining conffile status. The required functionality has been requested + of the bind9 upstream, this will limit vulnerability in the meantime. + * add replaces logic to the dnsutils package to avoid complaints about the + delivery of nsupdate.8.gz, closes: #86759 + * move a couple of man pages back from dnsutils to bind9 that really belong + there. sigh. + + -- Bdale Garbee Thu, 22 Feb 2001 16:39:02 -0700 + +bind9 (1:9.1.0-2) unstable; urgency=low + + * merge patch from Luca Filipozzi - thanks! + + bind9: ships with a working rndc.conf file, closes: #84572 + + bind9: init.d calls rndc rather than ndc on reload, closes: #85481 + + bind9: named.conf ships with 'key' and 'control' sections + + bind9: correctly creates /var/cache/bind, closes: #85457 + + lwresd: lwresd is split off into its own package, closes: #85627 + * nsupdate is delivered by the dnsutils package, but the (wrong) man page + was accidentally also included in the bind9 package, closes: #85717 + * freshen config.sub and config.guess for ia64 and hppa support + + -- Bdale Garbee Mon, 12 Feb 2001 23:43:55 -0700 + +bind9 (1:9.1.0-1) unstable; urgency=low + + * Initial packaging of BIND 9.1.0. Must use epoch so that meta packages + retain their sequencing from the bind 8 package version stream. + * snarf a couple of man pages from the 8.X tree for now + + -- Bdale Garbee Thu, 1 Feb 2001 16:30:35 -0700 + --- bind9-9.9.3.dfsg.P2.orig/debian/compat +++ bind9-9.9.3.dfsg.P2/debian/compat @@ -0,0 +1 @@ +5 --- bind9-9.9.3.dfsg.P2.orig/debian/control +++ bind9-9.9.3.dfsg.P2/debian/control @@ -0,0 +1,174 @@ +Source: bind9 +Section: net +Priority: optional +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: LaMont Jones +Uploaders: Bdale Garbee +Build-Depends: libkrb5-dev, debhelper (>= 5), libssl-dev, libtool, bison, libdb-dev (>>4.6), libldap2-dev, libxml2-dev, libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386], hardening-wrapper, libgeoip-dev (>= 1.4.6.dfsg-5), dpkg-dev (>= 1.15.5), python, python-argparse, dh-systemd, autotools-dev, dh-autoreconf +Build-Conflicts: libdb4.2-dev +Standards-Version: 3.7.3.0 +XS-Vcs-Browser: http://git.debian.org/?p=users/lamont/bind9.git +XS-Vcs-Git: git://git.debian.org/~lamont/bind9.git + +Package: bind9 +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, debconf | debconf-2.0, netbase, adduser, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), libisccc90 (=${binary:Version}), lsb-base (>= 3.2-14), bind9utils (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}), net-tools +Conflicts: bind, apparmor-profiles (<< 2.1+1075-0ubuntu4) +Replaces: bind, dnsutils (<< 1:9.1.0-3), apparmor-profiles (<< 2.1+1075-0ubuntu4), bind9utils (<< 1:9.9.3.dfsg.P2-3) +Suggests: dnsutils, bind9-doc, resolvconf, ufw +Description: Internet Domain Name Server + ${Description} + . + This package provides the server and related configuration files. + +Package: bind9utils +Architecture: any +Replaces: bind9 (<= 1:9.5.0~b2-1) +Depends: ${shlibs:Depends}, ${misc:Depends}, python, python-argparse +Description: Utilities for BIND + This package provides various utilities that are useful for maintaining a + working BIND installation. + +Package: bind9-doc +Architecture: all +Section: doc +Depends: ${misc:Depends} +Description: Documentation for BIND + This package provides various documents that are useful for maintaining a + working BIND installation. + +Package: host +Priority: standard +Architecture: all +Depends: ${misc:Depends}, bind9-host +Description: Transitional package + This dummy package is provided for a smooth transition from the previous + host package. It may safely be removed after installation. + +Package: bind9-host +Priority: standard +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}) +Conflicts: host (<<1:9.7.0), dnsutils (<< 1:9.0.0) +Replaces: dnsutils (<< 1:9.0.0), host (<< 1:9.7.0) +Provides: host +Description: Version of 'host' bundled with BIND 9.X + This package provides the 'host' program in the form that is bundled with + the BIND 9.X sources. + +Package: libbind-dev +Section: libdevel +Architecture: any +Conflicts: bind-dev +Replaces: bind-dev +Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}) +Description: Static Libraries and Headers used by BIND + This package delivers archive-style libraries, header files, and API man + pages for libbind, libdns, libisc, and liblwres. These are only needed + if you want to compile other packages that need more nameserver API than the + resolver code provided in libc. + +Package: libbind9-90 +Section: libs +Priority: standard +Architecture: any +Conflicts: libbind0, libbind9-41 +Replaces: libbind0 +Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99, libisccfg90, libisc95 +Description: BIND9 Shared Library used by BIND + ${Description} + . + This package delivers the libbind9 shared library used by BIND's daemons and + clients. + +Package: libdns99 +Section: libs +Priority: standard +Architecture: any +Conflicts: libbind0, libbind9-41 +Replaces: libbind0 +Depends: ${shlibs:Depends}, ${misc:Depends}, libisc95 +Description: DNS Shared Library used by BIND + ${Description} + . + This package delivers the libdns shared library used by BIND's daemons and + clients. + +Package: libisc95 +Section: libs +Priority: standard +Architecture: any +Conflicts: libbind0, libbind9-41 +Replaces: libbind0 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: ISC Shared Library used by BIND + ${Description} + . + This package delivers the libisc shared library used by BIND's daemons and + clients. + +Package: liblwres90 +Section: libs +Priority: standard +Architecture: any +Replaces: libbind0 +Conflicts: libbind0 +Depends: ${shlibs:Depends}, ${misc:Depends} +Description: Lightweight Resolver Library used by BIND + ${Description} + . + This package delivers the liblwres shared library used by BIND's daemons + and clients. + +Package: libisccc90 +Section: libs +Architecture: any +Conflicts: libbind0, libbind9-41 +Replaces: libbind0 +Depends: ${shlibs:Depends}, ${misc:Depends}, libisc95 +Description: Command Channel Library used by BIND + ${Description} + . + This package delivers the libisccc shared library used by BIND's daemons + and clients, particularly rndc. + +Package: libisccfg90 +Section: libs +Architecture: any +Conflicts: libbind0, libbind9-41 +Replaces: libbind0 +Depends: ${shlibs:Depends}, ${misc:Depends}, libdns99, libisccc90, libisc95 +Description: Config File Handling Library used by BIND + ${Description} + . + This package delivers the libisccfg shared library used by BIND's daemons + and clients to read and write ISC-style configuration files like named.conf + and rndc.conf. + +Package: dnsutils +Priority: standard +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, bind9-host | host, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}) +Suggests: rblcheck +Conflicts: netstd (<< 2.00) +Replaces: bind, bind9 (<< 1:9.1.0-3) +Description: Clients provided with BIND + ${Description} + . + This package delivers various client programs related to DNS that are + derived from the BIND source tree. + . + - dig - query the DNS in various ways + - nslookup - the older way to do it + - nsupdate - perform dynamic updates (See RFC2136) + +Package: lwresd +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends}, adduser, libdns99 (=${binary:Version}), libisccfg90 (=${binary:Version}), libisccc90 (=${binary:Version}), libisc95 (=${binary:Version}), liblwres90 (=${binary:Version}), libbind9-90 (=${binary:Version}) +Recommends: libnss-lwres +Suggests: bind9utils +Description: Lightweight Resolver Daemon + lwresd is the daemon providing name lookup services to clients that use + the BIND 9 lightweight resolver library. It is essentially a stripped- + down, caching-only name server that answers queries using the BIND 9 + lightweight resolver protocol rather than the DNS protocol. --- bind9-9.9.3.dfsg.P2.orig/debian/copyright +++ bind9-9.9.3.dfsg.P2/debian/copyright @@ -0,0 +1,121 @@ +This package was debianized by Bdale Garbee on +Tue, 12 Dec 2000 02:42:56 -0700. + +It was downloaded from http://www.isc.org/products/BIND/ and can be fetched +from git with: + git clone git://git.debian.org/users/lamont/bind9.git +ISC releases can be cloned from git with: + git clone git://git.debian.org/users/lamont/bind9-isc.git + +Upstream Author: Internet Systems Consortium, Inc. ("ISC") + +Copyright: + +Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC") +Copyright (C) 1996-2003 Internet Software Consortium. + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. + +Portions Copyright (C) 1996-2001 Nominum, Inc. + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND NOMINUM DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL NOMINUM BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT +OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +Portions Copyright (c) 2000 Japan Network Information Center. All rights reserved. + +By using this file, you agree to the terms and conditions set forth bellow. + + LICENSE TERMS AND CONDITIONS + +The following License Terms and Conditions apply, unless a different +license is obtained from Japan Network Information Center ("JPNIC"), +a Japanese association, Kokusai-Kougyou-Kanda Bldg 6F, 2-3-4 Uchi-Kanda, +Chiyoda-ku, Tokyo 101-0047, Japan. + +1. Use, Modification and Redistribution (including distribution of any + modified or derived work) in source and/or binary forms is permitted + under this License Terms and Conditions. + +2. Redistribution of source code must retain the copyright notices as they + appear in each source code file, this License Terms and Conditions. + +3. Redistribution in binary form must reproduce the Copyright Notice, + this License Terms and Conditions, in the documentation and/or other + materials provided with the distribution. For the purposes of binary + distribution the "Copyright Notice" refers to the following language: + "Copyright (c) 2000-2002 Japan Network Information Center. All rights reserved." + +4. The name of JPNIC may not be used to endorse or promote products + derived from this Software without specific prior written approval of + JPNIC. + +5. Disclaimer/Limitation of Liability: THIS SOFTWARE IS PROVIDED BY JPNIC + "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A + PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL JPNIC BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. + +Portions Copyright (c) 2005 - 2008, Holger Zuleger HZnet. All rights reserved. + +This software is open source. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions +are met: + +Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +Redistributions in binary form must reproduce the above copyright notice, +this list of conditions and the following disclaimer in the documentation +and/or other materials provided with the distribution. + +Neither the name of Holger Zuleger HZnet nor the names of its contributors may +be used to endorse or promote products derived from this software without +specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE +LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. + +Portions Copyright(C) Jason Vas Dias, Red Hat Inc., 2005 +Modified by Adam Tkac, Red Hat Inc., 2007 + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation at + http://www.fsf.org/licensing/licenses/gpl.txt +and found in /usr/share/common-licenses. --- bind9-9.9.3.dfsg.P2.orig/debian/db.0 +++ bind9-9.9.3.dfsg.P2/debian/db.0 @@ -0,0 +1,12 @@ +; +; BIND reverse data file for broadcast zone +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. --- bind9-9.9.3.dfsg.P2.orig/debian/db.127 +++ bind9-9.9.3.dfsg.P2/debian/db.127 @@ -0,0 +1,13 @@ +; +; BIND reverse data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +1.0.0 IN PTR localhost. --- bind9-9.9.3.dfsg.P2.orig/debian/db.empty +++ bind9-9.9.3.dfsg.P2/debian/db.empty @@ -0,0 +1,14 @@ +; BIND reverse data file for empty rfc1918 zone +; +; DO NOT EDIT THIS FILE - it is used for multiple zones. +; Instead, copy it, edit named.conf, and use that copy. +; +$TTL 86400 +@ IN SOA localhost. root.localhost. ( + 1 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 86400 ) ; Negative Cache TTL +; +@ IN NS localhost. --- bind9-9.9.3.dfsg.P2.orig/debian/db.local +++ bind9-9.9.3.dfsg.P2/debian/db.local @@ -0,0 +1,14 @@ +; +; BIND data file for local loopback interface +; +$TTL 604800 +@ IN SOA localhost. root.localhost. ( + 2 ; Serial + 604800 ; Refresh + 86400 ; Retry + 2419200 ; Expire + 604800 ) ; Negative Cache TTL +; +@ IN NS localhost. +@ IN A 127.0.0.1 +@ IN AAAA ::1 --- bind9-9.9.3.dfsg.P2.orig/debian/db.root +++ bind9-9.9.3.dfsg.P2/debian/db.root @@ -0,0 +1,88 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . " +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: Jan 3, 2013 +; related version of root zone: 2013010300 +; +; formerly NS.INTERNIC.NET +; +. 3600000 IN NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35 +; End of File --- bind9-9.9.3.dfsg.P2.orig/debian/dnsutils.dirs +++ bind9-9.9.3.dfsg.P2/debian/dnsutils.dirs @@ -0,0 +1,3 @@ +usr/bin +usr/share/doc/dnsutils +usr/share/man/man1 --- bind9-9.9.3.dfsg.P2.orig/debian/dnsutils.install +++ bind9-9.9.3.dfsg.P2/debian/dnsutils.install @@ -0,0 +1,6 @@ +usr/bin/dig +usr/bin/nslookup +usr/bin/nsupdate +usr/share/man/man1/dig.1* +usr/share/man/man1/nslookup.1* +usr/share/man/man1/nsupdate.1* --- bind9-9.9.3.dfsg.P2.orig/debian/dnsutils.postinst +++ bind9-9.9.3.dfsg.P2/debian/dnsutils.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/ip-down.d +++ bind9-9.9.3.dfsg.P2/debian/ip-down.d @@ -0,0 +1,15 @@ +#!/bin/sh -e +# Called when an interface disconnects +# Written by LaMont Jones + +# kick named as needed + +# If /usr isn't mounted yet, silently bail. +if [ ! -d /usr/sbin ]; then + exit 0 +fi + +# if named is running, reconfig it. +rndc reconfig >/dev/null 2>&1 || true + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/ip-up.d +++ bind9-9.9.3.dfsg.P2/debian/ip-up.d @@ -0,0 +1,15 @@ +#!/bin/sh -e +# Called when a new interface comes up +# Written by LaMont Jones + +# kick named as needed + +# If /usr isn't mounted yet, silently bail. +if [ ! -d /usr/sbin ]; then + exit 0 +fi + +# if named is running, reconfig it. +rndc reconfig >/dev/null 2>&1 || true + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/libbind-dev.README.Debian +++ bind9-9.9.3.dfsg.P2/debian/libbind-dev.README.Debian @@ -0,0 +1,9 @@ +The include files for BIND are in /usr/include/{isc,dns,dst,lwres}. If +you're compiling something that uses them, use something like + + '-I/usr/include/isc' + +and so on in the call to the compiler to pick up the BIND versions before +the normal system versions for files that have conflicting filenames. + + --- bind9-9.9.3.dfsg.P2.orig/debian/libbind-dev.dirs +++ bind9-9.9.3.dfsg.P2/debian/libbind-dev.dirs @@ -0,0 +1,2 @@ +usr/include +usr/lib --- bind9-9.9.3.dfsg.P2.orig/debian/libbind-dev.install +++ bind9-9.9.3.dfsg.P2/debian/libbind-dev.install @@ -0,0 +1,15 @@ +usr/include +usr/lib/libbind9.a +usr/lib/libbind9.so +usr/lib/libdns.a +usr/lib/libdns.so +usr/lib/libisc.a +usr/lib/libisc.so +usr/lib/liblwres.a +usr/lib/liblwres.so +usr/lib/libisccc.a +usr/lib/libisccc.so +usr/lib/libisccfg.a +usr/lib/libisccfg.so +usr/share/man/man3 +usr/bin/isc-config.sh --- bind9-9.9.3.dfsg.P2.orig/debian/libbind9-90.install +++ bind9-9.9.3.dfsg.P2/debian/libbind9-90.install @@ -0,0 +1 @@ +usr/lib/libbind9.so.90* --- bind9-9.9.3.dfsg.P2.orig/debian/libbind9-90.postinst +++ bind9-9.9.3.dfsg.P2/debian/libbind9-90.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libbind9-90.postrm +++ bind9-9.9.3.dfsg.P2/debian/libbind9-90.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/libdns99.install +++ bind9-9.9.3.dfsg.P2/debian/libdns99.install @@ -0,0 +1 @@ +usr/lib/libdns.so.99* --- bind9-9.9.3.dfsg.P2.orig/debian/libdns99.postinst +++ bind9-9.9.3.dfsg.P2/debian/libdns99.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libdns99.postrm +++ bind9-9.9.3.dfsg.P2/debian/libdns99.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/libirs90.install +++ bind9-9.9.3.dfsg.P2/debian/libirs90.install @@ -0,0 +1 @@ +usr/lib/libirs.so.90* --- bind9-9.9.3.dfsg.P2.orig/debian/libirs90.postinst +++ bind9-9.9.3.dfsg.P2/debian/libirs90.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libirs90.postrm +++ bind9-9.9.3.dfsg.P2/debian/libirs90.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/libisc95.install +++ bind9-9.9.3.dfsg.P2/debian/libisc95.install @@ -0,0 +1 @@ +usr/lib/libisc.so.95* --- bind9-9.9.3.dfsg.P2.orig/debian/libisc95.postinst +++ bind9-9.9.3.dfsg.P2/debian/libisc95.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libisc95.postrm +++ bind9-9.9.3.dfsg.P2/debian/libisc95.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/libisccc90.install +++ bind9-9.9.3.dfsg.P2/debian/libisccc90.install @@ -0,0 +1 @@ +usr/lib/libisccc.so.90* --- bind9-9.9.3.dfsg.P2.orig/debian/libisccc90.postinst +++ bind9-9.9.3.dfsg.P2/debian/libisccc90.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libisccc90.postrm +++ bind9-9.9.3.dfsg.P2/debian/libisccc90.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/libisccfg90.install +++ bind9-9.9.3.dfsg.P2/debian/libisccfg90.install @@ -0,0 +1 @@ +usr/lib/libisccfg.so.90* --- bind9-9.9.3.dfsg.P2.orig/debian/libisccfg90.postinst +++ bind9-9.9.3.dfsg.P2/debian/libisccfg90.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libisccfg90.postrm +++ bind9-9.9.3.dfsg.P2/debian/libisccfg90.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/liblwres90.install +++ bind9-9.9.3.dfsg.P2/debian/liblwres90.install @@ -0,0 +1 @@ +usr/lib/liblwres.so.90* --- bind9-9.9.3.dfsg.P2.orig/debian/liblwres90.postinst +++ bind9-9.9.3.dfsg.P2/debian/liblwres90.postinst @@ -0,0 +1,5 @@ +#!/bin/sh + +set -e + +#DEBHELPER# --- bind9-9.9.3.dfsg.P2.orig/debian/libwres90.postrm +++ bind9-9.9.3.dfsg.P2/debian/libwres90.postrm @@ -0,0 +1,10 @@ +#!/bin/sh +# postrm script for #PACKAGE# +# +# see: dh_installdeb(1) + +set -e + +#DEBHELPER# + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.dirs +++ bind9-9.9.3.dfsg.P2/debian/lwresd.dirs @@ -0,0 +1,5 @@ +etc/bind +usr/sbin +usr/share/man/man8 +usr/share/doc/lwresd +var/run/named --- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.init +++ bind9-9.9.3.dfsg.P2/debian/lwresd.init @@ -0,0 +1,72 @@ +#!/bin/sh + +### BEGIN INIT INFO +# Provides: lwresd +# Required-Start: $remote_fs +# Should-Start: $syslog $network +# Required-Stop: $remote_fs +# Should-Stop: $syslog $network +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start and stop the Lightweight Resolver Daemon. +### END INIT INFO + +. /lib/lsb/init-functions + +PATH=/sbin:/bin:/usr/sbin:/usr/bin +NAME=lwresd +DAEMON=/usr/sbin/lwresd +PIDFILE=/var/run/lwresd/lwresd.pid + +# Don't modify this line, change or create /etc/default/lwresd. +OPTIONS="" + +test -f /etc/default/lwresd && . /etc/default/lwresd + +test -x $DAEMON || exit 0 + +case "$1" in + start) + modprobe capability >/dev/null 2>&1 || true + + # dirs under /var/run can go away on reboots. + mkdir -p ${PIDFILE%/*} + chmod 775 ${PIDFILE%/*} + chown root:bind ${PIDFILE%/*} >/dev/null 2>&1 || true + + log_daemon_msg "Starting domain name service" $NAME + if start-stop-daemon --start --quiet --exec $DAEMON -- $OPTIONS; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + + stop) + log_daemon_msg "Stopping domain name service" $NAME + if start-stop-daemon --stop --quiet \ + --pidfile ${PIDFILE} --exec $DAEMON; then + log_end_msg 0 + else + log_end_msg 1 + fi + ;; + + status) + status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $? + ;; + + + restart|force-reload) + $0 stop + sleep 2 + $0 start + ;; + + *) + log_action_msg "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" + exit 1 + ;; +esac + +exit 0 --- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.install +++ bind9-9.9.3.dfsg.P2/debian/lwresd.install @@ -0,0 +1,2 @@ +usr/sbin/lwresd +usr/share/man/man8/lwresd.8* --- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.postinst +++ bind9-9.9.3.dfsg.P2/debian/lwresd.postinst @@ -0,0 +1,40 @@ +#!/bin/sh +set -e + +#DEBHELPER# + +case "$1" in + configure) + OLDVERSION="$2" + # see below + ;; + + abort-upgrade) + exit 0 + ;; + + abort-remove|abort-deconfigure) + exit 0 + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 1 + ;; +esac + +# lets give them a bind user/group in all cases. +getent group bind >/dev/null 2>&1 || addgroup --system bind +getent passwd bind >/dev/null 2>&1 || + adduser --system --home /var/cache/bind --no-create-home \ + --disabled-password --ingroup bind bind + +if [ ! -s /etc/bind/rndc.key ] && [ -x /usr/sbin/rndc-confgen ]; then + rndc-confgen -r /dev/urandom -a +fi + +if pidof /usr/sbin/lwresd >/dev/null 2>&1; then + invoke-rc.d lwresd restart +else + invoke-rc.d lwresd start +fi --- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.service +++ bind9-9.9.3.dfsg.P2/debian/lwresd.service @@ -0,0 +1,10 @@ +[Unit] +Description=Lightweight Resolver Daemon +Documentation=man:lwresd(8) +After=network.target + +[Service] +ExecStart=/usr/sbin/lwresd -f + +[Install] +WantedBy=multi-user.target --- bind9-9.9.3.dfsg.P2.orig/debian/lwresd.tmpfile +++ bind9-9.9.3.dfsg.P2/debian/lwresd.tmpfile @@ -0,0 +1 @@ +d /run/lwresd 0775 root bind - - --- bind9-9.9.3.dfsg.P2.orig/debian/named.conf +++ bind9-9.9.3.dfsg.P2/debian/named.conf @@ -0,0 +1,11 @@ +// This is the primary configuration file for the BIND DNS server named. +// +// Please read /usr/share/doc/bind9/README.Debian.gz for information on the +// structure of BIND configuration files in Debian, *BEFORE* you customize +// this configuration file. +// +// If you are just adding zones, please do that in /etc/bind/named.conf.local + +include "/etc/bind/named.conf.options"; +include "/etc/bind/named.conf.local"; +include "/etc/bind/named.conf.default-zones"; --- bind9-9.9.3.dfsg.P2.orig/debian/named.conf.default-zones +++ bind9-9.9.3.dfsg.P2/debian/named.conf.default-zones @@ -0,0 +1,30 @@ +// prime the server with knowledge of the root servers +zone "." { + type hint; + file "/etc/bind/db.root"; +}; + +// be authoritative for the localhost forward and reverse zones, and for +// broadcast zones as per RFC 1912 + +zone "localhost" { + type master; + file "/etc/bind/db.local"; +}; + +zone "127.in-addr.arpa" { + type master; + file "/etc/bind/db.127"; +}; + +zone "0.in-addr.arpa" { + type master; + file "/etc/bind/db.0"; +}; + +zone "255.in-addr.arpa" { + type master; + file "/etc/bind/db.255"; +}; + + --- bind9-9.9.3.dfsg.P2.orig/debian/named.conf.local +++ bind9-9.9.3.dfsg.P2/debian/named.conf.local @@ -0,0 +1,8 @@ +// +// Do any local configuration here +// + +// Consider adding the 1918 zones here, if they are not used in your +// organization +//include "/etc/bind/zones.rfc1918"; + --- bind9-9.9.3.dfsg.P2.orig/debian/named.conf.options +++ bind9-9.9.3.dfsg.P2/debian/named.conf.options @@ -0,0 +1,26 @@ +options { + directory "/var/cache/bind"; + + // If there is a firewall between you and nameservers you want + // to talk to, you may need to fix the firewall to allow multiple + // ports to talk. See http://www.kb.cert.org/vuls/id/800113 + + // If your ISP provided one or more IP addresses for stable + // nameservers, you probably want to use them as forwarders. + // Uncomment the following block, and insert the addresses replacing + // the all-0's placeholder. + + // forwarders { + // 0.0.0.0; + // }; + + //======================================================================== + // If BIND logs error messages about the root key being expired, + // you will need to update your keys. See https://www.isc.org/bind-keys + //======================================================================== + dnssec-validation auto; + + auth-nxdomain no; # conform to RFC1035 + listen-on-v6 { any; }; +}; + --- bind9-9.9.3.dfsg.P2.orig/debian/nslookup.1 +++ bind9-9.9.3.dfsg.P2/debian/nslookup.1 @@ -0,0 +1,536 @@ +.\" +.\" ++Copyright++ 1985, 1989 +.\" - +.\" Copyright (c) 1985, 1989 +.\" The Regents of the University of California. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. All advertising materials mentioning features or use of this software +.\" must display the following acknowledgement: +.\" This product includes software developed by the University of +.\" California, Berkeley and its contributors. +.\" 4. Neither the name of the University nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" - +.\" Portions Copyright (c) 1993 by Digital Equipment Corporation. +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies, and that +.\" the name of Digital Equipment Corporation not be used in advertising or +.\" publicity pertaining to distribution of the document or software without +.\" specific, written prior permission. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL +.\" WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT +.\" CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS +.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS +.\" SOFTWARE. +.\" - +.\" --Copyright-- +.\" +.\" @(#)nslookup.8 5.3 (Berkeley) 6/24/90 +.\" +.Dd June 24, 1990 +.Dt NSLOOKUP 1 +.Os BSD 4 +.Sh NAME +.Nm nslookup +.Nd query Internet name servers interactively +.Sh SYNOPSIS +.Nm nslookup +.Op Fl option Ar ... +.Op Ar host-to-find | Fl Op Ar server +.Sh DESCRIPTION +.Ic Nslookup +is a program to query Internet domain name servers. +.Ic Nslookup +has two modes: interactive and non-interactive. +Interactive mode allows the user to query name servers for +information about various hosts and domains or to print a list of hosts +in a domain. +Non-interactive mode is used to print just the name and requested information +for a host or domain. +.Sh ARGUMENTS +Interactive mode is entered in the following cases: +.Bl -tag -width "a) " +.It a) +when no arguments are given (the default name server will be used), +.It b) +when the first argument is a hyphen (-) and the second argument +is the host name or Internet address of a name server. +.El +.Pp +Non-interactive mode is used when the name or Internet address +of the host to be looked up +is given as the first argument. The optional second argument specifies +the host name or address of a name server. +.Pp +The options listed under the +.Dq Li set +command below can be specified in +the +.Pa .nslookuprc +file in the user's home directory if they are listed +one per line. Options can also be specified +on the command line if they precede the arguments and are prefixed with +a hyphen. For example, to change the default query type to host information, +and the initial timeout to 10 seconds, type: +.Bd -literal -offset indent + nslookup -query=hinfo -timeout=10 +.Ed +.Sh INTERACTIVE COMMANDS +Commands may be interrupted at any time by typing a control-C. +To exit, type a control-D +.Pq Dv EOF +or type +.Li exit . +The command line length must be less than 256 characters. +To treat a built-in command as a host name, +precede it with an escape character +.Pq .&\\ . +.Sy N.B.: An unrecognized command will be interpreted as a host name. +.Bl -tag -width "lserver" +.It Ar host Op Ar server +Look up information for +.Ar host +using the current default server or using +.Ar server , +if specified. +If +.Ar host +is an Internet address and the query type is +.Dv A +or +.Dv PTR , +the name of the host is returned. +If +.Ar host +is a name and does not have a trailing period, the default +domain name is appended to the name. (This behavior depends on the state of the +.Ic set +options +.Ic domain , srchlist , defname , +and +.Ic search . ) +.Pp +To look up a host not in the current domain, append a period to +the name. +.It Ic server Ar domain +.It Ic lserver Ar domain +Change the default server to +.Ar domain ; +.Ic lserver +uses the initial server to look up information about +.Ar domain , +while +.Ic server +uses the current default server. +If an authoritative answer can't be found, the names of servers +that might have the answer are returned. +.It Ic root +Changes the default server to the server for the root of the domain name space. +Currently, the host +.Li ns.internic.net +is used. +(This command is a synonym for +.Dq Ic lserver ns.internic.net . ) +The name of the root server can be changed with the +.Dq Ic set root +command. +.It Xo Ic finger Op Ar name +.Op Ic > Ar filename +.Xc +.It Xo Ic finger Op Ar name +.Op Ic >> Ar filename +.Xc +Connects with the finger server on the current host. +The current host is defined when a previous lookup for a host +was successful and returned address information (see the +.Dq Ic set querytype=A +command). +The +.Ar name +is optional. +.Ic > +and +.Ic >> +can be used to redirect output in the usual manner. +.It Xo Ic ls Op Ar option +.Ar domain Op Ic > Ar filename +.Xc +.It Xo Ic ls Op Ar option +.Ar domain Op Ic >> Ar filename +.Xc +List the information available for +.Ar domain , +optionally creating or appending to +.Ar filename . +The default output contains host names and their Internet addresses. +.Ar Option +can be one of the following: +.Bl -tag -width "-a " +.It Fl t Ar querytype +lists all records of the specified type (see +.Ar querytype +below). +.It Fl a +lists aliases of hosts in the domain; +synonym for +.Dq Fl t Dv CNAME . +.It Fl d +lists all records for the domain; +synonym for +.Dq Fl t Dv ANY . +.It Fl h +lists CPU and operating system information for the domain; +synonym for +.Dq Fl t Dv HINFO . +.It Fl s +lists well-known services of hosts in the domain; +synonym for +.Dq Fl t Dv WKS . +.El +.Pp +When output is directed to a file, hash marks are printed for every +50 records received from the server. +.It Ic view Ar filename +Sorts and lists the output of previous +.Ic ls +command(s) with +.Xr more @CMD_EXT@ . +.It Ic help +.It Ic ? +Prints a brief summary of commands. +.It Ic exit +Exits the program. +.It Xo Ic set Ar keyword +.Ns Op = Ns Ar value +.Xc +This command is used to change state information that affects the lookups. +Valid keywords are: +.Bl -tag -width "class=v" +.It Ic all +Prints the current values of the frequently-used options to +.Ic set . +Information about the current default server and host is also printed. +.It Ic class= Ns Ar value +Change the query class to one of: +.Bl -tag -width "HESIOD " +.It Dv IN +the Internet class +.It Dv CHAOS +the Chaos class +.It Dv HESIOD +the MIT Athena Hesiod class +.It Dv ANY +wildcard (any of the above) +.El +.Pp +The class specifies the protocol group of the information. +.Pp +(Default = +.Dv IN ; +abbreviation = +.Ic cl ) +.It Xo Op Ic no +.Ns Ic debug +.Xc +Turn debugging mode on. A lot more information is printed about the +packet sent to the server and the resulting answer. +.Pp +(Default = +.Ic nodebug ; +abbreviation = +.Xo Op Ic no +.Ns Ic deb ) +.Xc +.It Xo Op Ic no +.Ns Ic d2 +.Xc +Turn exhaustive debugging mode on. +Essentially all fields of every packet are printed. +.Pp +(Default = +.Ic nod2 ) +.It Ic domain= Ns Ar name +Change the default domain name to +.Ar name . +The default domain name is appended to a lookup request depending on the +state of the +.Ic defname +and +.Ic search +options. +The domain search list contains the parents of the default domain if it has +at least two components in its name. +For example, if the default domain +is CC.Berkeley.EDU, the search list is CC.Berkeley.EDU and Berkeley.EDU. +Use the +.Dq Ic set srchlist +command to specify a different list. +Use the +.Dq Ic set all +command to display the list. +.Pp +(Default = value from +.Xr hostname @CMD_EXT@ , +.Pa /etc/resolv.conf , +or +.Ev LOCALDOMAIN; +abbreviation = +.Ic do ) +.It Ic srchlist= Ns Ar name1/name2/... +Change the default domain name to +.Ar name1 +and the domain search list +to +.Ar name1 , name2 , +etc. A maximum of 6 names separated by slashes (/) +can be specified. +For example, +.Bd -literal -offset indent +set srchlist=lcs.MIT.EDU/ai.MIT.EDU/MIT.EDU +.Ed +.Pp +sets the domain to lcs.MIT.EDU and the search list to the three names. +This command overrides the +default domain name and search list of the +.Dq Ic set domain +command. +Use the +.Dq Ic set all +command to display the list. +.Pp +(Default = value based on +.Xr hostname @CMD_EXT@ , +.Pa /etc/resolv.conf , +or +.Ev LOCALDOMAIN; +abbreviation = +.Ic srchl ) +.It Xo Op Ic no +.Ns Ic defname +.Xc +If set, append the default domain name to a single-component lookup request +(i.e., one that does not contain a period). +.Pp +(Default = +.Ic defname ; +abbreviation = +.Xo Op Ic no +.Ns Ic defname ) +.Xc +.It Xo Op Ic no +.Ns Ic search +.Xc +If the lookup request contains at least one period but +.Em doesn't +end with a trailing period, append the domain names in the domain search list +to the request until an answer is received. +.Pp +(Default = +.Ic search ; +abbreviation = +.Xo Op Ic no +.Ns Ic sea ) +.Xc +.It Ic port= Ns Ar value +Change the default TCP/UDP name server port to +.Ar value . +.Pp +(Default = 53; +abbreviation = +.Ic \&po ) +.It Ic querytype= Ns Ar value +.It Ic type= Ns Ar value +Change the type of information query to one of: +.Bl -tag -width "HINFO " +.It Dv A +the host's Internet address. +.It Dv CNAME +the canonical name for an alias. +.It Dv HINFO +the host CPU and operating system type. +.It Dv MINFO +the mailbox or mail list information. +.It Dv MX +the mail exchanger. +.It Dv NS +the name server for the named zone. +.It Dv PTR +the host name if the query is an Internet address; +otherwise, the pointer to other information. +.It Dv SOA +the domain's +.Dq start-of-authority +information. +.It Dv TXT +the text information. +.It Dv UINFO +the user information. +.It Dv WKS +the supported well-known services. +.El +.Pp +Other types +.Pq Dv ANY, AXFR, MB, MD, MF, NULL +are described in the RFC-1035 document. +.Pp +(Default = +.Dv A ; +abbreviations = +.Ic q , ty ) +.It Xo Op Ic no +.Ns Ic recurse +.Xc +Tell the name server to query other servers if it does not have the +information. +.Pp +(Default = +.Ic recurse ; +abbreviation = +.Xo Op Ic no +.Ns Ic rec ) +.Xc +.It Ic retry= Ns Ar number +Set the number of retries to +.Ar number . +When a reply to a request is not received within a certain +amount of time (changed with +.Dq Ic set timeout ) , +the timeout period is doubled and the request is resent. +The retry value controls how many times a request is resent before giving up. +.Pp +(Default = 4, abbreviation = +.Ic ret ) +.It Ic root= Ns Ar host +Change the name of the root server to +.Ar host . +This affects the +.Dq Ic root +command. +.Pp +(Default = +.Ic ns.internic.net. ; +abbreviation = +.Ic ro ) +.It Ic timeout= Ns Ar number +Change the initial timeout interval for waiting for a reply to +.Ar number +seconds. Each retry doubles the timeout period. +.Pp +(Default = 5 seconds; abbreviation = +.Ic ti ) +.It Xo Op Ic no +.Ns Ic vc +.Xc +Always use a virtual circuit when sending requests to the server. +.Pp +(Default = +.Ic novc ; +abbreviation = +.Xo Op Ic no +.Ns Ic v ) +.Xc +.It Xo Op Ic no +.Ns Ic ignoretc +.Xc +Ignore packet truncation errors. +.Pp +(Default = +.Ic noignoretc ; +abbreviation = +.Xo Op Ic no +.Ns Ic ig ) +.Xc +.El +.El +.Sh DIAGNOSTICS +If the lookup request was not successful, an error message is printed. +Possible errors are: +.Bl -tag -width "Timed" +.It Li Timed out +The server did not respond to a request after a certain amount of +time (changed with +.Dq Ic set timeout= Ns Ar value ) +and a certain number of retries (changed with +.Dq Ic set retry= Ns Ar value ) . +.It Li \&No response from server +No name server is running on the server machine. +.It Li \&No records +The server does not have resource records of the current query type for the +host, although the host name is valid. +The query type is specified with the +.Dq Ic set querytype +command. +.It Li Non-existent domain +The host or domain name does not exist. +.It Li Connection refused +.It Li Network is unreachable +The connection to the name or finger server could not be made +at the current time. +This error commonly occurs with +.Ic ls +and +.Ic finger +requests. +.It Li Server failure +The name server found an internal inconsistency in its database +and could not return a valid answer. +.It Li Refused +The name server refused to service the request. +.It Li Format error +The name server found that the request packet was not in the proper format. +It may indicate an error in +.Nm nslookup . +.El +.Sh FILES +.Bl -tag -width "/usr/share/misc/nslookup.helpXXX" -compact +.It Pa /etc/resolv.conf +initial domain name and name server addresses +.It Pa $HOME/.nslookuprc +user's initial options +.It Pa /usr/share/misc/nslookup.help +summary of commands +.El +.Sh ENVIRONMENT +.Bl -tag -width "HOSTALIASESXXXX" -compact +.It Ev HOSTALIASES +file containing host aliases +.It Ev LOCALDOMAIN +overrides default domain +.El +.Sh SEE ALSO +.Xr @INDOT@named @SYS_OPS_EXT@ , +.Xr resolver @LIB_NETWORK_EXT@ , +.Xr resolver @FORMAT_EXT@ ; +RFC-1034, +.Dq Domain Names - Concepts and Facilities ; +RFC-1035, +.Dq Domain Names - Implementation and Specification . +.Sh AUTHOR +Andrew Cherenson --- bind9-9.9.3.dfsg.P2.orig/debian/po/POTFILES.in +++ bind9-9.9.3.dfsg.P2/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] templates --- bind9-9.9.3.dfsg.P2.orig/debian/po/cs.po +++ bind9-9.9.3.dfsg.P2/debian/po/cs.po @@ -0,0 +1,67 @@ +# Czech translation of bind9 debconf messages. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# Miroslav Kure , 2008 +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-15 14:38+0200\n" +"Last-Translator: Miroslav Kure \n" +"Language-Team: Czech \n" +"Language: cs\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Uživatelský úÄet pro bÄ›h daemona BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Ve výchozím nastavení se daemon BINDu9 (named) spouÅ¡tí pod úÄtem uživatele " +"„bind“. Pro použití jiného úÄtu zadejte jeho jméno." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Další spouÅ¡tÄ›cí parametry pro named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Zadejte prosím případné další parametry (mimo uživatelského úÄtu), které se " +"mají pÅ™edat daemonu BINDu9 (named) pÅ™i každém spuÅ¡tÄ›ní." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Má se pÅ™epsat nastavení v resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"RozhodnÄ›te se, zda se má pÅ™epsat nastavení resolveru tak, aby vždy používal " +"lokální daemon BINDu9 (named) namísto serveru, který doporuÄí aktuální " +"pÅ™ipojení." --- bind9-9.9.3.dfsg.P2.orig/debian/po/da.po +++ bind9-9.9.3.dfsg.P2/debian/po/da.po @@ -0,0 +1,67 @@ +# Danish translation bind9. +# Copyright (C) 2010 bind9 & Joe Hansen. +# This file is distributed under the same license as the bind9 package. +# Joe Hansen , 2010. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2010-10-07 17:30+01:00\n" +"Last-Translator: Joe Hansen \n" +"Language-Team: Danish \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Brugerkonto til kørsel af BIND9-dæmonen:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standarden er at køre BIND9-dæmonen (navngivet) under brugerkontoen »bind«. " +"For at bruge en anden konto, sÃ¥ indtast venligst et passende brugernavn." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Andre opstartsindstillinger for navngivet:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Angiv venligst eventuelle yderligere indstillinger (udover brugernavnet) som " +"skal videresendes til BIND9-dæmonen (navngivet) ved opstart." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Skal opsætningen af resolv.conf overskrives?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Vælg venligst hvorvidt opløseren skal tvinges til at bruge den lokale BIND9-" +"dæmon (navngivet), frem for hvad den aktuelle forbindelse anbefaler, nÃ¥r " +"denne maskine flytter rundt." --- bind9-9.9.3.dfsg.P2.orig/debian/po/de.po +++ bind9-9.9.3.dfsg.P2/debian/po/de.po @@ -0,0 +1,84 @@ +# Translation of bind9 debconf templates to German +# (C) Helge Kreutzmann , 2008. +# This file is distributed under the same license as the bind9 package. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-16 20:22+0200\n" +"Last-Translator: Helge Kreutzmann \n" +"Language-Team: de \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=iso-8859-15\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Benutzerkonto, unter dessen Kennung der BIND9-Daemon laufen soll:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standardmäßig wird der BIND9-Daemon (Named) unter der Kennung des Benutzers " +"»bind« betrieben. Um ein anderes Benutzerkonto auszuwählen, geben Sie bitte " +"den entsprechenden Benutzernamen ein." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Weitere Optionen für den Start des Named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Bitte geben Sie hier die zusätzlichen Optionen (außer dem Benutzernamen) " +"ein, die dem Bind9-Daemon (Named) beim Starten übergeben werden sollen." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Sollen die Einstellungen in resolv.conf ignoriert werden?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Bitte wählen Sie aus, ob der Namensauflöser (Resolver) dazu gezwungen werden " +"soll, den lokalen BIND9-Daemon (Named) zu verwenden, statt den aktuellen " +"Verbindungsempfehlungen zu folgen, wenn diese Maschine bewegt wird." + +#~ msgid "Options that should be passed at startup to bind9" +#~ msgstr "Optionen, die beim Starten an Bind9 weitergegeben werden sollen" + +#~ msgid "which user should bind9 run as?" +#~ msgstr "Unter welcher Benutzerkennung soll Bind9 laufen?" + +#~ msgid "" +#~ "The default is to start bind9 as bind user, if you would like to change " +#~ "that, please give here the username as which bind9 should start as." +#~ msgstr "" +#~ "Standardmäßig startet Bind9 unter der Benutzerkennung »bind«. Falls Sie " +#~ "dies ändern möchten geben Sie hier bitte den Benutzernamen ein, unter " +#~ "dessen Kennung Bind9 starten soll." + +#~ msgid "Should resolvconf run when bind9 starts up?" +#~ msgstr "Soll Resolvconf laufen, wenn Bind9 startet?" --- bind9-9.9.3.dfsg.P2.orig/debian/po/es.po +++ bind9-9.9.3.dfsg.P2/debian/po/es.po @@ -0,0 +1,86 @@ +# bind9 translation to spanish +# Copyright (C) 2008 Software in the Public Interest +# This file is distributed under the same license as the bind9 package. +# Changes: +# - Initial translation +# Ignacio Mondino , 2008 +# Traductores, si no conoce el formato PO, merece la pena leer la +# documentación de gettext, especialmente las secciones dedicadas a este +# formato, por ejemplo ejecutando: +# info -n '(gettext)PO Files' +# info -n '(gettext)Header Entry' +# Equipo de traducción al español, por favor lean antes de traducir +# los siguientes documentos: +# - El proyecto de traducción de Debian al español +# http://www.debian.org/intl/spanish +# especialmente las notas de traducción en +# http://www.debian.org/intl/spanish/notas +# - La guía de traducción de po's de debconf: +# /usr/share/doc/po-debconf/README-trans +# o http://www.debian.org/intl/l10n/po-debconf/README-trans +# +# +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg-3\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-08 20:18-0300\n" +"Last-Translator: Ignacio Mondino \n" +"Language-Team: Debian Spanish team \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Cuenta de usuario que ejecuta el demonio BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"La cuenta de usuario por omisión que ejecuta el demonio BIND9 («named») es " +"«bind». Para usar una cuenta diferente, por favor ingrese el nombre de " +"usuario apropiado." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Otras opciones de inicio para «named»:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Ingrese cualquier opción adicional (además del nombre de usuario) que " +"debiera pasarse como parámetro al demonio BIND9 («named») al inicio del " +"sistema." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "¿Debería sobreescribirse el archivo «resolv.conf»?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Indique si se debería forzar al cliente a utilizar el demonio BIND9 " +"(«named») local en lugar de lo que la conexión actual recomiende, cuando " +"este equipo este en movimiento." --- bind9-9.9.3.dfsg.P2.orig/debian/po/eu.po +++ bind9-9.9.3.dfsg.P2/debian/po/eu.po @@ -0,0 +1,68 @@ +# translation of eu.po to Euskara +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Piarres Beobide , 2009. +msgid "" +msgstr "" +"Project-Id-Version: eu\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2009-02-22 10:36+0100\n" +"Last-Translator: Piarres Beobide \n" +"Language-Team: Euskara \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 exekutatuko duen erabiltzaile kontua:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Lehenetsia BIND9 deabrua (named) 'bind' erabiltzaile kontuarekin exekutatzea " +"da. Beste kontu bat erabiltzeko, idatzi dagokion erabiltzaile-izena" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Beste abio aukera batzuek named-rentzat:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Mesedez zehaztu BIND9 deabruari abioan pasa behar zaizkion beste aukera " +"gehigarriak (erabiltzaile-izenaz beste)." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "resolv.conf ezarpenak gainidatzi behar al dira?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Mesedez hautatu ebazlea nola behartu behar den BIND9 deabru kopia lokala " +"erabiltzeko ekipo hau mugitzen ari denean konexioak gomendatzen dionaren " +"ordez." --- bind9-9.9.3.dfsg.P2.orig/debian/po/fi.po +++ bind9-9.9.3.dfsg.P2/debian/po/fi.po @@ -0,0 +1,64 @@ +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-13 08:08-0000\n" +"Last-Translator: Esko Arajärvi \n" +"Language-Team: Finnish \n" +"Language: fi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Finnish\n" +"X-Poedit-Country: FINLAND\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Käyttäjätunnus, jolla BIND9-taustaohjelmaa ajetaan:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Oletuksena BIND9-taustaohjelmaa (named) ajetaan käyttäjätunnuksella â€bindâ€. " +"Jos halutaan käyttää jotain muuta tunnusta, syötä se tähän." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Ohjelman named muut käynnistysvalitsimet:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Anna mahdolliset muut valitsimet (muut kuin käyttäjätunnus), jotka BIND9-" +"taustaohjelmalle (named) tulisi antaa käynnistyksessä." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Tulisiko tiedoston resolv.conf asetukset jättää huomioitta?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Valitse tulisiko selvittäjä pakottaa käyttämään paikallista BIND9-" +"taustaohjelmaa (named) sen sijaan mitä nykyinen yhteys suosittelee, kun " +"konetta siirrellään eri paikkoihin." --- bind9-9.9.3.dfsg.P2.orig/debian/po/fr.po +++ bind9-9.9.3.dfsg.P2/debian/po/fr.po @@ -0,0 +1,69 @@ +# Translation of bind9 debconf templates to French +# Copyright (C) 2008 CALARESU Luc +# This file is distributed under the same license as the bind9 package. +# CALARESU Luc , 2008. +# +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 14:26+0200\n" +"Last-Translator: CALARESU Luc \n" +"Language-Team: French \n" +"Language: fr\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Identifiant pour l'exécution du démon de BIND9 :" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Par défaut, le démon de BIND9 est lancé avec les privilèges de l'identifiant " +"« bind ». Si vous souhaitez utiliser un autre identifiant, veuillez " +"l'indiquer ici." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Autres options à transmettre pour « named » :" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Veuillez indiquer toute option supplémentaire (autre que l'identifiant) qui " +"doit être transmise au démarrage du démon de BIND9 (« named »)." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Faut-il écraser les paramètres de resolv.conf ?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Veuillez choisir si la résolution de noms doit utiliser le démon BIND9 local " +"(« named ») plutôt que les paramètres recommandés pour la connexion " +"actuelle, lorsque cette machine est déplacée." --- bind9-9.9.3.dfsg.P2.orig/debian/po/gl.po +++ bind9-9.9.3.dfsg.P2/debian/po/gl.po @@ -0,0 +1,66 @@ +# Galician translation of bind9's debconf templates +# This file is distributed under the same license as the bind9 package. +# Jacobo Tarrio , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 11:36+0100\n" +"Last-Translator: Jacobo Tarrio \n" +"Language-Team: Galician \n" +"Language: gl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Conta de usuario que executa o servizo de BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"A elección por defecto é executar o servizo de BIND9 (named) baixo a conta " +"de usuario \"bind\". Para empregar unha conta diferente, introduza o nome." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Outras opcións de inicio para named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Forneza as opcións adicionais (que non sexan o nome de usuario) que se deban " +"pasar ao servizo de BIND9 (named) no inicio." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "¿Quere substituír a configuración de resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Indique se quere forzar o resolvedor a que empregue o servizo de BIND9 local " +"(named) no canto do que recomenda a conexión actual, cando esta máquina " +"estea en movemento." --- bind9-9.9.3.dfsg.P2.orig/debian/po/id.po +++ bind9-9.9.3.dfsg.P2/debian/po/id.po @@ -0,0 +1,51 @@ +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: \n" +"Last-Translator: Mahyuddin Susanto \n" +"Language-Team: Debian Indonesia Translator \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Indonesian\n" +"X-Poedit-Country: INDONESIA\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Akun pengguna untuk menjalankan daemon BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "The default is to run the BIND9 daemon (named) under the 'bind' user account. To use a different account, please enter the appropriate username." +msgstr "Bawaan dari daemon BIND9 adalah menjalankan dengan user akun 'bind'. Untuk menggunakan akun berbeda, silakan masukkan nama pengguna yang sesuai." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Opsi lain startup untuk named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Please provide any additional options (other than username) that should be passed to the BIND9 daemon (named) on startup." +msgstr "Harap menyediakan opsi tambahan (selain nama pengguna) yang digunakan daemon BIND9 untuk startup" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "haruskah resolv.conf ditimpa?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Please choose whether the resolver should be forced to use the local BIND9 daemon (named) rather than what the current connection recommends, when this machine moves around." +msgstr "Silakan tentukan resolver mana yang akan digunakan untuk daemon lokal BIND9 (named) dari koneksi sekarang yang digunakan, ketika mesin ini berjalan" + --- bind9-9.9.3.dfsg.P2.orig/debian/po/it.po +++ bind9-9.9.3.dfsg.P2/debian/po/it.po @@ -0,0 +1,69 @@ +# translation of bind9_1:9.5.0.dfsg.P1-2_templates.po to Italian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Alex , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg.P1-2_templates\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-27 16:10+0200\n" +"Last-Translator: Alex \n" +"Language-Team: Italian \n" +"Language: it\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Account utente con cui eseguire il demone BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"L'opzione predefinita prevede l'esecuzione del demone BIND9 (named) " +"utilizzando l'utente 'bind'. Se si desidera utilizzare un differente account " +"utente, inserire il nome corrispondente." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Altre opzioni di avvio per named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Inserire qualsiasi opzione addizionale (differente dal nome utente) che " +"dovrebbe essere inviata al demone BIND9 (named) durante l'avvio." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Si desidera non tener conto delle impostazioni in resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Scegliere se si desidera forzare la risoluzione di tutte le query DNS con il " +"demone BIND9 locale (named) non utilizzando i server raccomandati dalla " +"connessione attiva." --- bind9-9.9.3.dfsg.P2.orig/debian/po/ja.po +++ bind9-9.9.3.dfsg.P2/debian/po/ja.po @@ -0,0 +1,66 @@ +# Copyright (C) 2008 LaMont Jones +# This file is distributed under the same license as the bind9 package. +# Hideki Yamane , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg.P1-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-22 00:03+0900\n" +"Last-Translator: Hideki Yamane (Debian-JP) \n" +"Language-Team: Japanese \n" +"Language: ja\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 デーモンã®å‹•ä½œã«ä½¿ã†ãƒ¦ãƒ¼ã‚¶ã‚¢ã‚«ã‚¦ãƒ³ãƒˆ:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"デフォルトã§ã¯ BIND9 デーモン (named) ã¯ã€Œbindã€ãƒ¦ãƒ¼ã‚¶ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã§å‹•ä½œã—ã¾" +"ã™ã€‚ç•°ãªã‚‹ã‚¢ã‚«ã‚¦ãƒ³ãƒˆã‚’使ã„ãŸã„å ´åˆã¯ã€é©åˆ‡ãªãƒ¦ãƒ¼ã‚¶åを入力ã—ã¦ãã ã•ã„。" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "起動時㫠named ã«æŒ‡å®šã™ã‚‹ã‚ªãƒ—ション:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"BIND9 デーモン (named) ã®èµ·å‹•æ™‚ã«æŒ‡å®šã—ãŸã„ (ユーザå以外ã®) 追加オプションを" +"入力ã—ã¦ãã ã•ã„。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "resolv.conf ã®è¨­å®šã‚’上書ãã—ã¾ã™ã‹?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"ã“ã®ãƒžã‚·ãƒ³ã‚’移動ã—ãŸéš›ã€ãƒªã‚¾ãƒ«ãƒãŒãƒ­ãƒ¼ã‚«ãƒ«ã® BIND9 デーモン (named) を使ã†ã‚ˆ" +"ã†ã«ã™ã‚‹ã‹ã€ç¾åœ¨ã®æŽ¥ç¶šå…ˆã§æŽ¨å¥¨ã•ã‚Œã‚‹ãƒãƒ¼ãƒ ã‚µãƒ¼ãƒã‚’使ã†ã‚ˆã†ã«ã™ã‚‹ã‹ã‚’é¸ã‚“ã§ã" +"ã ã•ã„。" --- bind9-9.9.3.dfsg.P2.orig/debian/po/ko.po +++ bind9-9.9.3.dfsg.P2/debian/po/ko.po @@ -0,0 +1,69 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: debconf template\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2011-06-24 18:37+0900\n" +"Last-Translator: 강민지 \n" +"Language-Team: opensource \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Poedit-Language: Korean\n" +"X-Poedit-Country: KOREA, REPUBLIC OF\n" +"X-Poedit-SourceCharset: utf-8\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 ë°ëª¬ì„ 실행하기 위한 ì‚¬ìš©ìž ê³„ì •:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"ê¸°ë³¸ê°’ì€ 'ë°”ì¸ë“œ' ì‚¬ìš©ìž ê³„ì •ì—ì„œ BIND9 ë°ëª¬(ì§€ì •ëœ ì´ë¦„)ì„ ì‹¤í–‰í•©ë‹ˆë‹¤. 다른 " +"ê³„ì •ì„ ì‚¬ìš©í•˜ë ¤ë©´ 해당 ì‚¬ìš©ìž ì´ë¦„ì„ ìž…ë ¥í•˜ì„¸ìš”." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "ì§€ëª…ëœ ë‹¤ë¥¸ 시작 옵션:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"BIND9 ë°ëª¬(ì§€ì •ëœ ì´ë¦„)ì´ ì‹¤í–‰ìœ¼ë¡œ 전달ë˜ê¸° 위해서 추가옵션(ì‚¬ìš©ìž ì´ë¦„ ì´ì™¸)" +"ì„ ìž…ë ¥í•˜ì„¸ìš”." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "resolv.conf ì„¤ì •ì€ ìž¬ì •ì˜ ë˜ì–´ì•¼í•˜ëŠ”ê°€?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"ì´ ê¸°ê³„ê°€ 근처로 ì´ë™ë  ë•Œ í•´ê²°ìžëŠ” í˜„ìž¬ì˜ ì—°ê²°ì„ ê¶Œìž¥í•˜ëŠ” 것보다 로컬 BIND9 " +"ë°ëª¬(ì§€ì •ëœ ì´ë¦„)ì„ ì‚¬ìš©í•˜ë„ë¡ ê°•ìš”í•´ì•¼í•˜ëŠ”ì§€ 여부를 ì„ íƒí•˜ì„¸ìš”." --- bind9-9.9.3.dfsg.P2.orig/debian/po/nb.po +++ bind9-9.9.3.dfsg.P2/debian/po/nb.po @@ -0,0 +1,69 @@ +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Bjørn Steensrud , 2012. +msgid "" +msgstr "" +"Project-Id-Version: \n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2012-01-03 21:33+0100\n" +"Last-Translator: Bjørn Steensrud \n" +"Language-Team: Norwegian BokmÃ¥l \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Language: nb\n" +"X-Generator: Lokalize 1.2\n" +"Plural-Forms: nplurals=2; plural=n != 1;\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Brukerkonto for Ã¥ kjøre BIND9-daemonen:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standard er Ã¥ kjøre BIND8-daemonen (named) under brukerkontoen «bind». Skriv " +"inn et passende navn for Ã¥ bruke en annen konto." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Andre oppstartsvalg for named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Skriv inn flere valg (annet enn brukernavn) som skal sendes over til " +"BIND9-daemonen (named) ved oppstart." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Skal innstillingene i resolv.conf oveerstyres?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Velg om adresseløseren skal tvinges til Ã¥ bruke den lokale BIND9-daemonen " +"(named) i stedet for det den gjeldende tilkoblingen anbefaler, nÃ¥r denne " +"maskinen flyttes omkring." + --- bind9-9.9.3.dfsg.P2.orig/debian/po/nl.po +++ bind9-9.9.3.dfsg.P2/debian/po/nl.po @@ -0,0 +1,72 @@ +# translation of bind9_1:9.5.0.dfsg.P2-1_nl.po to Dutch +# translation of bind9 debconf template to Dutch +# Copyright (C) 2008 THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# +# Paul Gevers , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg.P2-1_nl\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-09-17 21:15-0500\n" +"Last-Translator: Paul Gevers \n" +"Language-Team: Dutch \n" +"Language: nl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "" +"Gebruikersaccount waaronder de BIND9 achtergronddienst dient te draaien:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standaard wordt 'named', de BIND9-achtergronddienst, uitgevoerd onder de " +"'bind' gebruikersaccount. Als u een andere account wilt gebruiken kunt hier " +"de geschikte gebruikersnaam invullen." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Andere opstartopties voor 'named':" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Welke aanvullende opties (anders dan de gebruikersnaam) wilt u bij het " +"opstarten meegeven aan 'named', de BIND9 achtergronddienst?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Wilt u dat de 'resolv.conf' instellingen omzeild worden?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Wilt u afdwingen dat de 'resolver' gebruik maakt van de lokale BIND9 " +"achtergronddienst (named), in plaats van de aanbevelingen van de huidige " +"connectie. Bijvoorbeeld, wanneer deze computer veel verplaatst wordt." --- bind9-9.9.3.dfsg.P2.orig/debian/po/pl.po +++ bind9-9.9.3.dfsg.P2/debian/po/pl.po @@ -0,0 +1,68 @@ +# debconf templates for bind9 package +# Polish translation +# Copyright (C) 2008 +# This file is distributed under the same license as the bind9 package. +# Åukasz Paździora , 2008 +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 9.5.0.dfsg.P2-4\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-11-24 18:30+0100\n" +"Last-Translator: Åukasz Paździora \n" +"Language-Team: Polish \n" +"Language: pl\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Konto użytkownika, jako który powinien dziaÅ‚ać BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"DomyÅ›lnie demon BIND9 (named) dziaÅ‚a jako użytkownik 'bind'. Aby użyć innego " +"konta podaj innÄ… nazwÄ™ użytkownika." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Inne opcje startowe dla named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"ProszÄ™ podać dodatkowe opcje (inne niż nazwa użytkownika), które powinny " +"zostać podane demonowi BIND9 (named) przy starcie." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Czy ustawienia resolv.conf majÄ… zostać nadpisane?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"ProszÄ™ wybrać czy do rozwiÄ…zywania nazw powinna być używana lokalna usÅ‚uga " +"BIND9 (named), kiedy maszyna zmienia miejsce, czy też powinien korzystać z " +"zalecanych ustawieÅ„ aktualnego poÅ‚Ä…czenia." --- bind9-9.9.3.dfsg.P2.orig/debian/po/pt.po +++ bind9-9.9.3.dfsg.P2/debian/po/pt.po @@ -0,0 +1,69 @@ +# translation of bind9_1:9.5.0.dfsg-2_pt debconf to Portuguese +# Copyright (C) 2008 Américo Monteiro +# This file is distributed under the same license as the bind9 package. +# +# Américo Monteiro , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg-2_pt\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 11:55+0100\n" +"Last-Translator: Américo Monteiro \n" +"Language-Team: Portuguese \n" +"Language: pt\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Conta de utilizador para correr o deamon BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"A pré-definição é correr o deamon BIND9 (named) sob a conta de utilizador " +"'bind'. Para usar uma conta diferente, por favor indique o nome de " +"utilizador apropriado." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Outras opções de arranque para o named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Por favor forneça quaisquer opções adicionais (além do nome de utilizador) " +"que deverão ser enviadas ao deamon BIND9 (named) durante o arranque. " + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Devem as configurações de resolv.conf ser substituidas?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Por favor escolha se a resolução de nomes deverá ser forçada a usar o deamon " +"local BIND9 (named) em vez do que a corrente ligação recomenda, quando esta " +"máquina está ligada." --- bind9-9.9.3.dfsg.P2.orig/debian/po/pt_BR.po +++ bind9-9.9.3.dfsg.P2/debian/po/pt_BR.po @@ -0,0 +1,71 @@ +# bind9 Brazilian Portuguese translation +# Copyright (C) 2009 bind9's COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# Luís Gustavo Pessoa Sales , 2009. +# José Figueiredo , 2010. +# +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2010-09-10 22:37-0300\n" +"Last-Translator: José de Figueiredo \n" +"Language-Team: Brazilian Portuguese \n" +"Language: pt_BR\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"pt_BR utf-8\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Conta de usuário para execução do daemon do BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"O padrão é executar o daemon do BIND9 (named) com a conta de usuário 'bind'. " +"Para usar uma conta diferente, por favor informe o nome do usuário." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Outras opções de inicialização para o named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Por favor, forneça outras opções adicionais (além de nome de usuário), que " +"devam ser passadas ao daemon do BIND9 (named) na inicialização." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "As configurações do resolv.conf devem ser sobrescritas?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Por favor, escolha se o resolvedor de nomes deve ser forçado a usar o daemon " +"do BIND9 local (named) em vez daquele que a conexão atual recomendar, quando " +"esta máquina for movida." --- bind9-9.9.3.dfsg.P2.orig/debian/po/ru.po +++ bind9-9.9.3.dfsg.P2/debian/po/ru.po @@ -0,0 +1,70 @@ +# translation of ru.po to Russian +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# +# Yuri Kozlov , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 11:08+0400\n" +"Last-Translator: Yuri Kozlov \n" +"Language-Team: Russian \n" +"Language: ru\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n" +"%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Ð£Ñ‡Ñ‘Ñ‚Ð½Ð°Ñ Ð·Ð°Ð¿Ð¸ÑÑŒ Ð´Ð»Ñ Ð·Ð°Ð¿ÑƒÑка Ñлужбы BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"По умолчанию, Ñлужба BIND9 (файл named) запуÑкаетÑÑ Ñ Ð¿Ñ€Ð°Ð²Ð°Ð¼Ð¸ учётной запиÑи " +"'bind'. ЕÑли вы хотите иÑпользовать другую учётную запиÑÑŒ, то введите Ñто " +"Ð¸Ð¼Ñ Ð·Ð´ÐµÑÑŒ." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Другие параметры запуÑка named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Укажите любые дополнительные параметры (кроме имени учётной запиÑи), которые " +"нужно передать Ñлужбе BIND9 (файлу named) при запуÑке." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "ПерепиÑать наÑтройки resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Укажите, хотите ли вы, чтобы определитель имён машины иÑпользовал локальную " +"Ñлужбу BIND9 (named), а не наÑтройки имеющегоÑÑ Ð¿Ð¾Ð´ÐºÐ»ÑŽÑ‡ÐµÐ½Ð¸Ñ." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sk.po +++ bind9-9.9.3.dfsg.P2/debian/po/sk.po @@ -0,0 +1,67 @@ +# Slovak translation of bind9 +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind9 package. +# Ivan Masár , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: \n" +"Last-Translator: Ivan Masár \n" +"Language-Team: \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Používateľský úÄet démona BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Å tandardne sa démon BIND9 (named) spúšťa s používateľským úÄtom „bindâ€. Ak " +"chcete použiÅ¥ iný úÄet, prosím zadajte prísluÅ¡ný názov úÄtu." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "ÄŽalÅ¡ie spúšťacie voľby pre named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Zadajte ÄalÅ¡ie voľby (okrem používateľského mena), ktoré sa majú odovzdaÅ¥ " +"démonovi BIND9 (named) pri spustení." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Má sa nastaviÅ¥ priorita pred resolv.conf?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Zvoľte, Äi má sa má vynútiÅ¥, aby prekladaÄ adries používal lokálneho démona " +"BIND9 (named) namiesto toho, Äo odporúÄa aktuálne pripojenie, keÄ sa " +"umiestnenie tohto poÄítaÄa mení." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sr.po +++ bind9-9.9.3.dfsg.P2/debian/po/sr.po @@ -0,0 +1,66 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: Zlatan Todoric \n" +"Language-Team: Serbian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "КориÑнички налог за покретање BIND9 процеÑа у позадини:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Подразумијевано је да Ñе BIND9 Ð¿Ñ€Ð¾Ñ†ÐµÑ Ñƒ позадини (Named) покреће под 'bind'" +"кориÑничким налогом. Да биÑте кориÑтили другачији налог, унеÑите адекватно кориÑничко име." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Друге опције приликом покретања за (Named):" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Молимо Ð²Ð°Ñ Ð¾Ð±ÐµÐ·Ð±Ñ˜ÐµÐ´Ð¸Ñ‚Ðµ додатне опције (оÑим кориÑничког имена) који би требали" +"бити проÑлијеђени BIND9 процеÑу у позадини (Named) приликом покретања." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Желите ли поништити поÑтојећа resolv.conf подешавања?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Одаберите желите ли да аутоматÑки помагач (Resolver) буде приÑиљен кориÑтити " +"локални BIND9 Ð¿Ñ€Ð¾Ñ†ÐµÑ Ñƒ позадини (Named) умјеÑто препорука тренутне мреже, када " +"ова машина буде помјерана." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sr@latin.po +++ bind9-9.9.3.dfsg.P2/debian/po/sr@latin.po @@ -0,0 +1,66 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) 2011 +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , 2011. +# +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: Zlatan Todorić \n" +"Language-Team: Serbian \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "KorisniÄki nalog za pokretanje BIND9 procesa u pozadini:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Podrazumijevano je da se BIND9 proces u pozadini (Named) pokreće pod 'bind'" +"korisniÄkim nalogom. Da biste koristili drugaÄiji nalog, unesite adekvatno korisniÄko ime." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Druge opcije prilikom pokretanja za (Named):" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Molimo vas obezbjedite dodatne opcije (osim korisniÄkog imena) koji bi trebali" +"biti proslijeÄ‘eni BIND9 procesu u pozadini (Named) prilikom pokretanja." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Želite li poniÅ¡titi postojeća resolv.conf podeÅ¡avanja?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Odaberite želite li da automatski pomagaÄ (Resolver) bude prisiljen koristiti" +"lokalni BIND9 proces u pozadini umjesto preporuka trenutne mreže, kada ova" +"maÅ¡ina bude pomjerana." --- bind9-9.9.3.dfsg.P2.orig/debian/po/sv.po +++ bind9-9.9.3.dfsg.P2/debian/po/sv.po @@ -0,0 +1,69 @@ +# translation of bind9_1:9.5.0.dfsg.P1-2_sv.po to Swedish +# Copyright (C) 2008 +# This file is distributed under the same license as the bind9 package. +# +# Martin Ã…gren , 2008. +msgid "" +msgstr "" +"Project-Id-Version: bind9_1:9.5.0.dfsg.P1-2_sv\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-07-18 19:24+0200\n" +"Last-Translator: Martin Ã…gren \n" +"Language-Team: Swedish \n" +"Language: sv\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"X-Generator: KBabel 1.11.4\n" +"Plural-Forms: nplurals=2; plural=(n != 1);\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Användarkonto att köra BIND9-demonen under:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Standardvalet är att köra BIND9-demonen (named) under användarkontot 'bind'. " +"För att använda ett annat konto, var vänlig ange användarnamnet." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Övriga uppstartsval för named:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Var vänlig ange eventuella ytterligare val (förutom användarnamn) som ska " +"skickas till BIND9-demonen (named) vid uppstart." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Ska resolv.conf-inställningar hoppas över?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Var vänlig välj huruvida uppslagaren ska tvingas använda den lokala BIND9-" +"demonen (named) snarare än vad den aktuella uppkopplingen rekommenderar när " +"den här maskinen flyttar runt." --- bind9-9.9.3.dfsg.P2.orig/debian/po/templates.pot +++ bind9-9.9.3.dfsg.P2/debian/po/templates.pot @@ -0,0 +1,60 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: PACKAGE VERSION\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" --- bind9-9.9.3.dfsg.P2.orig/debian/po/tr.po +++ bind9-9.9.3.dfsg.P2/debian/po/tr.po @@ -0,0 +1,70 @@ +# turkish translation of bind9 debconf template +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the PACKAGE package. +# Mert Dirik , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-15 23:31+0200\n" +"Last-Translator: Mert Dirik \n" +"Language-Team: Debian L10n Turkish \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=utf-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Poedit-Language: Turkish\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "BIND9 bekletici programının (named) kullanacağı kullanıcı hesabı:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Öntanımlı olarak BIND9 bekletici (daemon) programı 'bind' kullanıcı " +"hesabıyla çalışır. Farklı bir hesap kullanmak için kullanmak istediÄŸiniz " +"hesabın adını girin." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "'named'in kullanacağı diÄŸer baÅŸlatma seçenekleri:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Lütfen BIND9 bekletici programına (named) geçilmesini istediÄŸiniz, kullanıcı " +"adı dışındaki ek seçenekleri yazın." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "'resolv.conf' ayarları ezilmeli mi (override)?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Lütfen bu makine gezerken; çözümleyicinin o anda kullanılan baÄŸlantının " +"önerdiÄŸi sunucu yerine yerel BIND9 bekletici programını (named) kullanmaya " +"zorlanması gerekip gerekmediÄŸini seçin." --- bind9-9.9.3.dfsg.P2.orig/debian/po/vi.po +++ bind9-9.9.3.dfsg.P2/debian/po/vi.po @@ -0,0 +1,67 @@ +# Vietnamese translation for Bind 9. +# Copyright © 2008 Free Software Foundation, Inc. +# Clytie Siddall , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind9 1:9.5.0.dfsg-2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-06-14 15:35+0930\n" +"Last-Translator: Clytie Siddall \n" +"Language-Team: Vietnamese \n" +"Language: vi\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=1; plural=0;\n" +"X-Generator: LocFactoryEditor 1.7b3\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "Tài khoản ngÆ°á»i dùng để chạy trình ná»n BIND9:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"Mặc định là chạy trình ná»n BIND9 (đặt tên) dÆ°á»›i tài khoản ngÆ°á»i dùng « bind " +"». Äể sá»­ dụng tài khoản khác, hãy nhập tên ngÆ°á»i dùng thích hợp." + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "Tùy chá»n khởi chạy khác cần đặt tên:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "" +"Hãy nhập vào đây bất kỳ tùy chá»n bổ sung (khác vá»›i tên ngÆ°á»i dùng) nên gá»­i " +"cho trình ná»n BIND9 vào lúc khởi chạy." + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "Co nên ghi đè lên thiết lập « resolv.conf » không?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"Hãy chá»n có nên ép buá»™c trình giải quyết sá»­ dụng trình ná»n BIND9 cục bá»™ (đặt " +"tên) hÆ¡n là kết nối hiện thá»i Ä‘á» nghị gì khi máy này ở nÆ¡i khác." --- bind9-9.9.3.dfsg.P2.orig/debian/po/zh_CN.po +++ bind9-9.9.3.dfsg.P2/debian/po/zh_CN.po @@ -0,0 +1,64 @@ +# Chinese translations for bind package. +# Copyright (C) 2008 THE bind'S COPYRIGHT HOLDER +# This file is distributed under the same license as the bind package. +# LI Daobing , 2008. +# +msgid "" +msgstr "" +"Project-Id-Version: bind 9-9.5.0.dfsg.P2\n" +"Report-Msgid-Bugs-To: Source: bind9@packages.debian.org\n" +"POT-Creation-Date: 2008-06-13 16:56-0600\n" +"PO-Revision-Date: 2008-10-04 14:36+0800\n" +"Last-Translator: LI Daobing \n" +"Language-Team: Chinese (simplified)\n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "User account for running the BIND9 daemon:" +msgstr "è¿è¡Œ BIND9 æœåŠ¡çš„用户账å·:" + +#. Type: string +#. Description +#: ../templates:1001 +msgid "" +"The default is to run the BIND9 daemon (named) under the 'bind' user " +"account. To use a different account, please enter the appropriate username." +msgstr "" +"缺çœä½¿ç”¨ 'bind' 用户æ¥è¿è¡Œ BIND9 æœåŠ¡(named)。 想使用其他的账å·, 请输入åˆé€‚çš„" +"用户å。" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "Other startup options for named:" +msgstr "named 的其他å¯åŠ¨é€‰é¡¹:" + +#. Type: string +#. Description +#: ../templates:2001 +msgid "" +"Please provide any additional options (other than username) that should be " +"passed to the BIND9 daemon (named) on startup." +msgstr "请æ供需è¦ä¼ ç»™ BIND9 æœåŠ¡(named)çš„å¯åŠ¨é€‰é¡¹(用户å除外)。" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "Should resolv.conf settings be overridden?" +msgstr "是å¦è¦†ç›– resolv.conf 的设置?" + +#. Type: boolean +#. Description +#: ../templates:3001 +msgid "" +"Please choose whether the resolver should be forced to use the local BIND9 " +"daemon (named) rather than what the current connection recommends, when this " +"machine moves around." +msgstr "" +"请选择是å¦å¼ºåˆ¶ä½¿ç”¨æœ¬åœ° BIND9 æœåŠ¡(named)æ¥åšåŸŸå解æž, 而ä¸æ˜¯ä½¿ç”¨å½“å‰è¿žæŽ¥æ‰€æŽ¨" +"è的域å解æžæœåŠ¡å™¨, 特别是当机器需è¦ç§»åŠ¨æ—¶ã€‚" --- bind9-9.9.3.dfsg.P2.orig/debian/rules +++ bind9-9.9.3.dfsg.P2/debian/rules @@ -0,0 +1,191 @@ +#!/usr/bin/make -f +# Sample debian/rules that uses debhelper. +# GNU copyright 1997 to 1999 by Joey Hess. + +export DEB_BUILD_HARDENING=1 +# Uncomment this to turn on verbose mode. +#export DH_VERBOSE=1 + +ifndef DEB_HOST_ARCH +DEB_BUILD_ARCH := $(shell dpkg --print-architecture) +endif +export arch = $(DEB_HOST_ARCH) + +DEB_HOST_MULTIARCH := $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) +DEBUG = -g +endif + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) +OPT = +else +OPT = -O2 +endif + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) +export MAKEFLAGS += -j$(NUMJOBS) +endif + +export CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE $(DEBUG) $(OPT) + +ifeq ($(DEB_HOST_ARCH_OS),kfreebsd) +EXTRA_FEATURES=--disable-linux-caps --disable-threads +endif + +configure: configure-stamp +configure-stamp: + dh_testdir + dh_autotools-dev_updateconfig + dh_autoreconf + ./configure --prefix=/usr \ + --mandir=\$${prefix}/share/man \ + --infodir=\$${prefix}/share/info \ + --sysconfdir=/etc/bind \ + --localstatedir=/var \ + --enable-threads \ + --enable-largefile \ + --with-libtool \ + --enable-shared \ + --enable-static \ + --with-openssl=/usr \ + --with-gssapi=/usr \ + --with-gnu-ld \ + --with-geoip=/usr \ + --with-atf=no \ + --enable-ipv6 \ + --enable-filter-aaaa \ + $(EXTRA_FEATURES) + + touch $@ + +build: build-stamp +build-stamp: configure-stamp + dh_testdir + LD_LIBRARY_PATH=$$(pwd)/lib/isc/.libs:$$(pwd)/lib/isccc/.libs:$$(pwd)/isccfg/.libs:$${LD_LIBRARY_PATH} $(MAKE) + touch $@ + +autofiles: + libtoolize --automake --copy --force + aclocal + #automake + autoheader + autoconf + rm -rf autom4te.cache + cp config.guess config.sub contrib/idn/idnkit-1.0-src/ + +clean: + dh_testdir + dh_testroot + -$(MAKE) distclean + find . -name \*.o -exec rm {} \; + rm -f build-stamp configure-stamp + rm -f debian/substvars lib/bind/include/isc/platform.h + rm -f contrib/dlz/bin/dlzbdb/Makefile contrib/dlz/drivers/rules + rm -f doc/arm/Bv9ARM.pdf + dh_autoreconf_clean + dh_autotools-dev_restoreconfig + dh_clean + +newtemplate: + debconf-updatepo + +msgstats: + @cd debian/po && for i in *.po; do x=$$(msgfmt --statistics $$i 2>&1); echo $$i $$x; done; rm -f messages.mo *.po~ + +msg-email: + @podebconf-report-po + +ETCBIND=debian/bind9/etc/bind +ETCAPP=debian/bind9/etc/apparmor.d +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + $(MAKE) install DESTDIR=`pwd`/debian/bind9 + rm -f debian/bind9/usr/lib/*.la + install -c -o bin -g bin -m 444 debian/db.0 ${ETCBIND}/db.0 + install -c -o bin -g bin -m 444 debian/db.0 ${ETCBIND}/db.255 + install -c -o bin -g bin -m 444 debian/db.empty ${ETCBIND} + install -c -o bin -g bin -m 444 debian/zones.rfc1918 ${ETCBIND} + install -c -o bin -g bin -m 444 debian/db.127 ${ETCBIND} + install -c -o bin -g bin -m 444 debian/db.local ${ETCBIND} + install -c -o bin -g bin -m 444 debian/db.root ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf.local ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf.default-zones ${ETCBIND} + install -c -o bin -g bin -m 440 bind.keys ${ETCBIND} + install -c -o bin -g bin -m 440 debian/named.conf.options debian/bind9/usr/share/bind9/ + cp doc/arm/*.html debian/bind9-doc/usr/share/doc/bind9-doc/arm + install -m 644 -o root -g root debian/apparmor-profile ${ETCAPP}/usr.sbin.named + install -m 644 -o root -g root debian/apparmor-profile.local ${ETCAPP}/local/usr.sbin.named + rmdir debian/bind9/var/run/named debian/lwresd/var/run/named || true + + install debian/ip-up.d debian/bind9/etc/ppp/ip-up.d/bind9 + install debian/ip-down.d debian/bind9/etc/ppp/ip-down.d/bind9 + install debian/ip-up.d debian/bind9/etc/network/if-up.d/bind9 + install debian/ip-down.d debian/bind9/etc/network/if-down.d/bind9 + install -m644 debian/bind9.ufw.profile debian/bind9/etc/ufw/applications.d/bind9 + +# Build architecture-independent files here. +binary-indep: build install + dh_testdir -i + dh_testroot -i + dh_installdocs -i + dh_installexamples -i + dh_installmenu -i + dh_installcron -i + dh_installinfo -i + dh_installchangelogs -i # CHANGES # upstream changelog only in bind9-doc + dh_installchangelogs -pbind9-doc CHANGES + dh_link -i + dh_compress -i + dh_fixperms -i + dh_installdeb -i + for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars.in >> debian/$$i.substvars; done + cat debian/vars.in >> debian/substvars + dh_gencontrol -i + dh_md5sums -i + dh_builddeb -i + +# Build architecture-dependent files here. +binary-arch: build install + dh_testdir -a + dh_testroot -a + dh_installdocs -a + dh_installexamples -a + dh_installmenu -a + dh_systemd_enable -pbind9 --no-enable bind9-resolvconf.service + dh_systemd_enable -pbind9 bind9.service + dh_systemd_enable -plwresd lwresd.service + dh_installinit -a --no-start -- defaults 15 85 + # Ship the extra service file for resolvconf integration manually. + cp debian/bind9-resolvconf.service debian/bind9/lib/systemd/system + dh_installcron -a + dh_installdebconf -pbind9 + dh_installinfo -a + dh_installchangelogs -a # CHANGES # upstream changelog only in bind9-doc + dh_install --sourcedir=debian/bind9 -a + (cd debian/bind9/ && rm -rf $$(cat ../*.install) ) + rm -f debian/bind9/usr/share/man/man1/query-loc.1 + # install apport hook on Ubuntu + if dpkg-vendor --is ubuntu; then \ + install -m 644 -D debian/bind9.apport debian/bind9/usr/share/apport/package-hooks/bind9.py; \ + fi + dh_link -a + dh_strip -a + dh_compress -a + dh_fixperms -a + dh_makeshlibs -a + dh_installdeb -a + dh_shlibdeps -l"debian/libbind9-90/usr/lib:debian/libbind-dev/usr/lib:debian/libdns99/usr/lib:debian/libisc95/usr/lib:debian/libisccc90/usr/lib:debian/libisccfg90/usr/lib:debian/liblwres90/usr/lib:/usr/lib/libfakeroot" -a + for i in $$(sed -n '/^Package:/s/^.* //p' debian/control); do cat debian/vars.in >> debian/$$i.substvars; done + cat debian/vars.in >> debian/substvars + dh_gencontrol -a + dh_md5sums -a + dh_builddeb -a + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install configure --- bind9-9.9.3.dfsg.P2.orig/debian/source/format +++ bind9-9.9.3.dfsg.P2/debian/source/format @@ -0,0 +1 @@ +1.0 --- bind9-9.9.3.dfsg.P2.orig/debian/templates +++ bind9-9.9.3.dfsg.P2/debian/templates @@ -0,0 +1,21 @@ +Template: bind9/start-as-user +Type: string +Default: bind +_Description: User account for running the BIND9 daemon: + The default is to run the BIND9 daemon (named) under the 'bind' + user account. To use a different account, please enter the + appropriate username. + +Template: bind9/different-configuration-file +Type: string +_Description: Other startup options for named: + Please provide any additional options (other than username) that should + be passed to the BIND9 daemon (named) on startup. + +Template: bind9/run-resolvconf +Type: boolean +Default: false +_Description: Should resolv.conf settings be overridden? + Please choose whether the resolver should be forced to use the + local BIND9 daemon (named) rather than what the current connection + recommends, when this machine moves around. --- bind9-9.9.3.dfsg.P2.orig/debian/vars.in +++ bind9-9.9.3.dfsg.P2/debian/vars.in @@ -0,0 +1 @@ +Description=The Berkeley Internet Name Domain (BIND) implements an Internet domain${Newline}name server. BIND is the most widely-used name server software on the${Newline}Internet, and is supported by the Internet Software Consortium, www.isc.org. --- bind9-9.9.3.dfsg.P2.orig/debian/zones.rfc1918 +++ bind9-9.9.3.dfsg.P2/debian/zones.rfc1918 @@ -0,0 +1,20 @@ +zone "10.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +zone "16.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "17.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "18.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "19.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "20.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "21.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "22.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "23.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "24.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "25.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "26.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "27.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "28.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "29.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "30.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; +zone "31.172.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; + +zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; }; --- bind9-9.9.3.dfsg.P2.orig/doc/arm/Bv9ARM-book.xml +++ bind9-9.9.3.dfsg.P2/doc/arm/Bv9ARM-book.xml @@ -4818,6 +4818,32 @@ + + + rate-limit + + + + The start, periodic, and final notices of the + rate limiting of a stream of responses are logged at + info severity in this category. + These messages include a hash value of the domain name + of the response and the name itself, + except when there is insufficient memory to record + the name for the final notice + The final notice is normally delayed until about one + minute after rate limit stops. + A lack of memory can hurry the final notice, + in which case it starts with an asterisk (*). + Various internal events are logged at debug 1 level + and higher. + + + Rate limiting of individual requests + is logged in the query-errors category. + + + @@ -5318,7 +5344,7 @@ match-mapped-addresses yes_or_no; filter-aaaa-on-v4 ( yes_or_no | break-dnssec ); filter-aaaa { address_match_list }; - dns64 IPv6-prefix { + dns64 ipv6-prefix { clients { address_match_list }; mapped { address_match_list }; exclude { address_match_list }; @@ -5351,8 +5377,25 @@ resolver-query-timeout number ; deny-answer-addresses { address_match_list } except-from { namelist } ; deny-answer-aliases { namelist } except-from { namelist } ; + rate-limit { + responses-per-second number ; + referrals-per-second number ; + nodata-per-second number ; + nxdomains-per-second number ; + errors-per-second number ; + all-per-second number ; + window number ; + log-only yes_or_no ; + qps-scale number ; + ipv4-prefix-length number ; + ipv6-prefix-length number ; + slip number ; + exempt-clients { address_match_list } ; + max-table-size number ; + min-table-size number ; + } ; response-policy { zone_name - policy given | disabled | passthru | nxdomain | nodata | cname domain + policy given | disabled | passthru | drop | nxdomain | nodata | cname domain recursive-only yes_or_no max-policy-ttl number ; } recursive-only yes_or_no max-policy-ttl number break-dnssec yes_or_no min-ns-dots number ; @@ -9645,77 +9688,122 @@ Response policy zones are named in the response-policy option for the view or among the global options if there is no response-policy option for the view. - RPZs are ordinary DNS zones containing RRsets + Response policy zones are ordinary DNS zones containing RRsets that can be queried normally if allowed. It is usually best to restrict those queries with something like allow-query { localhost; };. - Four policy triggers are encoded in RPZ records, QNAME, IP, NSIP, - and NSDNAME. - QNAME RPZ records triggered by query names of requests and targets - of CNAME records resolved to generate the response. - The owner name of a QNAME RPZ record is the query name relativized - to the RPZ. - + Five policy triggers can be encoded in RPZ records. + + + RPZ-CLIENT-IP + + + IP records are triggered by the IP address of the + DNS client. + Client IP address triggers are encoded in records that have + owner names that are subdomains of + rpz-client-ip relativized to the + policy zone origin name + and encode an address or address block. + IPv4 addresses are represented as + prefixlength.B4.B3.B2.B1.rpz-ip. + The IPv4 prefix length must be between 1 and 32. + All four bytes, B4, B3, B2, and B1, must be present. + B4 is the decimal value of the least significant byte of the + IPv4 address as in IN-ADDR.ARPA. + - - The second kind of RPZ trigger is an IP address in an A and AAAA - record in the ANSWER section of a response. - IP address triggers are encoded in records that have owner names - that are subdomains of rpz-ip relativized - to the RPZ origin name and encode an IP address or address block. - IPv4 trigger addresses are represented as - prefixlength.B4.B3.B2.B1.rpz-ip. - The prefix length must be between 1 and 32. - All four bytes, B4, B3, B2, and B1, must be present. - B4 is the decimal value of the least significant byte of the - IPv4 address as in IN-ADDR.ARPA. - IPv6 addresses are encoded in a format similar to the standard - IPv6 text representation, - prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. - Each of W8,...,W1 is a one to four digit hexadecimal number - representing 16 bits of the IPv6 address as in the standard text - representation of IPv6 addresses, but reversed as in IN-ADDR.ARPA. - All 8 words must be present except when consecutive - zero words are replaced with .zz. - analogous to double colons (::) in standard IPv6 text encodings. - The prefix length must be between 1 and 128. - + + IPv6 addresses are encoded in a format similar + to the standard IPv6 text representation, + prefixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip. + Each of W8,...,W1 is a one to four digit hexadecimal number + representing 16 bits of the IPv6 address as in the standard + text representation of IPv6 addresses, + but reversed as in IN-ADDR.ARPA. + All 8 words must be present except when one set of consecutive + zero words is replaced with .zz. + analogous to double colons (::) in standard IPv6 text + encodings. + The IPv6 prefix length must be between 64 and 128. + + + - - NSDNAME triggers match names of authoritative servers - for the query name, a parent of the query name, a CNAME for - query name, or a parent of a CNAME. - They are encoded as subdomains of - rpz-nsdomain relativized - to the RPZ origin name. - NSIP triggers match IP addresses in A and - AAAA RRsets for domains that can be checked against NSDNAME - policy records. - NSIP triggers are encoded like IP triggers except as subdomains of - rpz-nsip. - NSDNAME and NSIP triggers are checked only for names with at - least min-ns-dots dots. - The default value of min-ns-dots is 1 to - exclude top level domains. - + + QNAME + + + QNAME policy records are triggered by query names of + requests and targets of CNAME records resolved to generate + the response. + The owner name of a QNAME policy record is + the query name relativized to the policy zone. + + + + + + RPZ-IP + + + IP triggers are IP addresses in an + A or AAAA record in the ANSWER section of a response. + They are encoded like client-IP triggers except as + subdomains of rpz-ip. + + + + + + RPZ-NSDNAME + + + NSDNAME triggers match names of authoritative servers + for the query name, a parent of the query name, a CNAME for + query name, or a parent of a CNAME. + They are encoded as subdomains of + rpz-nsdname relativized + to the RPZ origin name. + NSIP triggers match IP addresses in A and + AAAA RRsets for domains that can be checked against NSDNAME + policy records. + + + + + + RPZ-NSIP + + + NSIP triggers are encoded like IP triggers except as + subdomains of rpz-nsip. + NSDNAME and NSIP triggers are checked only for names with at + least min-ns-dots dots. + The default value of min-ns-dots is 1 to + exclude top level domains. + + + + - The query response is checked against all RPZs, so - two or more policy records can be triggered by a response. - Because DNS responses can be rewritten according to at most one + The query response is checked against all response policy zones, + so two or more policy records can be triggered by a response. + Because DNS responses are rewritten according to at most one policy record, a single record encoding an action (other than DISABLED actions) must be chosen. - Triggers or the records that encode them are chosen in - the following order: + Triggers or the records that encode them are chosen for the + rewriting in the following order: Choose the triggered record in the zone that appears - first in the response-policy option. + first in the response-policy option. - Prefer QNAME to IP to NSDNAME to NSIP triggers - in a single zone. + Prefer CLIENT-IP to QNAME to IP to NSDNAME to NSIP + triggers in a single zone. Among NSDNAME triggers, prefer the trigger that matches the smallest name under the DNSSEC ordering. @@ -9734,83 +9822,168 @@ When the processing of a response is restarted to resolve DNAME or CNAME records and a policy record set has not been triggered, - all RPZs are again consulted for the DNAME or CNAME names - and addresses. + all response policy zones are again consulted for the + DNAME or CNAME names and addresses. - RPZ record sets are sets of any types of DNS record except - DNAME or DNSSEC that encode actions or responses to queries. - - The NXDOMAIN response is encoded - by a CNAME whose target is the root domain (.) - - A CNAME whose target is the wildcard top-level - domain (*.) specifies the NODATA action, - which rewrites the response to NODATA or ANCOUNT=1. - - The Local Data action is - represented by a set ordinary DNS records that are used - to answer queries. Queries for record types not the - set are answered with NODATA. - - A special form of local data is a CNAME whose target is a - wildcard such as *.example.com. - It is used as if were an ordinary CNAME after the astrisk (*) - has been replaced with the query name. - The purpose for this special form is query logging in the - walled garden's authority DNS server. - - The PASSTHRU policy is specified - by a CNAME whose target is rpz-passthru. - It causes the response to not be rewritten - and is most often used to "poke holes" in policies for - CIDR blocks. - (A CNAME whose target is the variable part of its owner name - is an obsolete specification of the PASSTHRU policy.) - - + RPZ record sets are any types of DNS record except + DNAME or DNSSEC that encode actions or responses to + individual queries. + Any of the policies can be used with any of the triggers. + For example, while the TCP-only policy is + commonly used with client-IP triggers, + it cn be used with any type of trigger to force the use of + TCP for responses with owner names in a zone. + + + PASSTHRU + + + The whitelist policy is specified + by a CNAME whose target is rpz-passthru. + It causes the response to not be rewritten + and is most often used to "poke holes" in policies for + CIDR blocks. + + + + + + DROP + + + The blacklist policy is specified + by a CNAME whose target is rpz-drop. + It causes the response to be discarded. + Nothing is sent to the DNS client. + + + + + + TCP-Only + + + The "slip" policy is specified + by a CNAME whose target is rpz-tcp-only. + It changes UDP responses to short, truncated DNS responses + that require the DNS client to try again with TCP. + It is used to mitigate distributed DNS reflection attacks. + + + + + + NXDOMAIN + + + The domain undefined response is encoded + by a CNAME whose target is the root domain (.) + + + + + + NODATA + + + The empty set of resource records is specified by + CNAME whose target is the wildcard top-level + domain (*.). + It rewrites the response to NODATA or ANCOUNT=1. + + + + + + Local Data + + + A set of ordinary DNS records can be used to answer queries. + Queries for record types not the set are answered with + NODATA. + + + + A special form of local data is a CNAME whose target is a + wildcard such as *.example.com. + It is used as if were an ordinary CNAME after the astrisk (*) + has been replaced with the query name. + The purpose for this special form is query logging in the + walled garden's authority DNS server. + + + + - The actions specified in an RPZ can be overridden with a - policy clause in the + All of the actions specified in all of the individual records + in a policy zone + can be overridden with a policy clause in the response-policy option. - An organization using an RPZ provided by another organization might - use this mechanism to redirect domains to its own walled garden. - - GIVEN says "do not override but - perform the action specified in the zone." - - DISABLED causes policy records to do - nothing but log what they might have done. - The response to the DNS query will be written according to - any triggered policy records that are not disabled. - Disabled policy zones should appear first, - because they will often not be logged - if a higher precedence trigger is found first. - - PASSTHRU causes all policy records - to act as if they were CNAME records with targets the variable - part of their owner name. They protect the response from - being changed. - - NXDOMAIN causes all RPZ records - to specify NXDOMAIN policies. - - NODATA overrides with the - NODATA policy - - CNAME domain causes all RPZ - policy records to act as if they were "cname domain" records. - - + An organization using a policy zone provided by another + organization might use this mechanism to redirect domains + to its own walled garden. + + + GIVEN + + The placeholder policy says "do not override but + perform the action specified in the zone." + + + + + + DISABLED + + + The testing override policy causes policy zone records to do + nothing but log what they would have done if the + policy zone were not disabled. + The response to the DNS query will be written (or not) + according to any triggered policy records that are not + disabled. + Disabled policy zones should appear first, + because they will often not be logged + if a higher precedence trigger is found first. + + + + + + PASSTHRU, + DROP, + TCP-Only, + NXDOMAIN, + and + NODATA + + + override with the corresponding per-record policy. + + + + + + CNAME domain + + + causes all RPZ policy records to act as if they were + "cname domain" records. + + + + - By default, the actions encoded in an RPZ are applied - only to queries that ask for recursion (RD=1). - That default can be changed for a single RPZ or all RPZs in a view + By default, the actions encoded in a response policy zone + are applied only to queries that ask for recursion (RD=1). + That default can be changed for a single policy zone or + all response policy zones in a view with a recursive-only no clause. This feature is useful for serving the same zone files both inside and outside an RFC 1918 cloud and using RPZ to @@ -9819,15 +9992,43 @@ - Also by default, RPZ actions are applied only to DNS requests that - either do not request DNSSEC metadata (DO=0) or when no DNSSEC - records are available for request name in the original zone (not - the response policy zone). - This default can be changed for all RPZs in a view with a - break-dnssec yes clause. - In that case, RPZ actions are applied regardless of DNSSEC. - The name of the clause option reflects the fact that results - rewritten by RPZ actions cannot verify. + Also by default, RPZ actions are applied only to DNS requests + that either do not request DNSSEC metadata (DO=0) or when no + DNSSEC records are available for request name in the original + zone (not the response policy zone). This default can be + changed for all response policy zones in a view with a + break-dnssec yes clause. In that case, RPZ + actions are applied regardless of DNSSEC. The name of the + clause option reflects the fact that results rewritten by RPZ + actions cannot verify. + + + + No DNS records are needed for a QNAME or Client-IP trigger. + The name or IP address itself is sufficient, + so in principle the query name need not be recursively resolved. + However, not resolving the requested + name can leak the fact that response policy rewriting is in use + and that the name is listed in a policy zone to operators of + servers for listed names. To prevent that information leak, by + default any recursion needed for a request is done before any + policy triggers are considered. Because listed domains often + have slow authoritative servers, this default behavior can cost + significant time. + The qname-wait-recurse no option + overrides that default behavior when recursion cannot + change a non-error response. + The option does not affect QNAME or client-IP triggers + in policy zones listed + after other zones containing IP, NSIP and NSDNAME triggers, because + those may depend on the A, AAAA, and NS records that would be + found during recursive resolution. It also does not affect + DNSSEC requests (DO=1) unless break-dnssec yes + is in use, because the response would depend on whether or not + RRSIG records were found during resolution. + The option can cause appear to rewrite error responses + such as SERVFAIL when no recursion is done to discover problems + at the authoritative server. @@ -9855,26 +10056,38 @@ ; QNAME policy records. There are no periods (.) after the owner names. nxdomain.domain.com CNAME . ; NXDOMAIN policy +*.nxdomain.domain.com CNAME . ; NXDOMAIN policy nodata.domain.com CNAME *. ; NODATA policy +*.nodata.domain.com CNAME *. ; NODATA policy bad.domain.com A 10.0.0.1 ; redirect to a walled garden AAAA 2001:2::1 +bzone.domain.com CNAME garden.example.com. ; do not rewrite (PASSTHRU) OK.DOMAIN.COM ok.domain.com CNAME rpz-passthru. -bzone.domain.com CNAME garden.example.com. - ; redirect x.bzone.domain.com to x.bzone.domain.com.garden.example.com *.bzone.domain.com CNAME *.garden.example.com. -; IP policy records that rewrite all answers for 127/8 except 127.0.0.1 +; IP policy records that rewrite all responses containing A records in 127/8 +; except 127.0.0.1 8.0.0.0.127.rpz-ip CNAME . 32.1.0.0.127.rpz-ip CNAME rpz-passthru. ; NSDNAME and NSIP policy records ns.domain.com.rpz-nsdname CNAME . 48.zz.2.2001.rpz-nsip CNAME . + +; blacklist and whitelist some DNS clients +112.zz.2001.rpz-client-ip CNAME rpz-drop. +8.0.0.0.127.rpz-client-ip CNAME rpz-drop. + +; force some DNS clients and responses in the example.com zone to TCP +16.0.0.1.10.rpz-client-ip CNAME rpz-tcp-only. +example.com CNAME rpz-tcp-only. +*.example.com CNAME rpz-tcp-only. + RPZ can affect server performance. @@ -9897,6 +10110,223 @@ RPZRewrites statistics. + + + Response Rate Limiting + + Excessive almost-identical UDP responses + can be controlled by configuring a + rate-limit clause in an + options or view statement. + This mechanism keeps authoritative BIND 9 from being used + in amplifying reflection denial of service (DoS) attacks. + Short truncated (TC=1) responses can be sent to provide + rate-limited responses to legitimate clients within + a range of forged, attacked IP addresses. + Legitimate clients react to dropped or truncated response + by retrying with UDP or with TCP respectively. + + + + This mechanism is intended for authoritative DNS servers. + It can be used on recursive servers but can slow + applications such as SMTP servers (mail receivers) and + HTTP clients (web browsers) that repeatedly request the + same domains. + When possible, closing "open" recursive servers is better. + + + + Response rate limiting uses a "credit" or "token bucket" scheme. + Each combination of identical response and client + has a conceptual account that earns a specified number + of credits every second. + A prospective response debits its account by one. + Responses are dropped or truncated + while the account is negative. + Responses are tracked within a rolling window of time + which defaults to 15 seconds, but can be configured with + the window option to any value from + 1 to 3600 seconds (1 hour). + The account cannot become more positive than + the per-second limit + or more negative than window + times the per-second limit. + When the specified number of credits for a class of + responses is set to 0, those responses are not rate limited. + + + + The notions of "identical response" and "DNS client" + for rate limiting are not simplistic. + All responses to an address block are counted as if to a + single client. + The prefix lengths of addresses blocks are + specified with ipv4-prefix-length (default 24) + and ipv6-prefix-length (default 56). + + + + All non-empty responses for a valid domain name (qname) + and record type (qtype) are identical and have a limit specified + with responses-per-second + (default 0 or no limit). + All empty (NODATA) responses for a valid domain, + regardless of query type, are identical. + Responses in the NODATA class are limited by + nodata-per-second + (default responses-per-second). + Requests for any and all undefined subdomains of a given + valid domain result in NXDOMAIN errors, and are identical + regardless of query type. + They are limited by nxdomain-per-second + (default responses-per-second). + This controls some attacks using random names, but + can be relaxed or turned off (set to 0) + on servers that expect many legitimate + NXDOMAIN responses, such as from anti-spam blacklists. + Referrals or delegations to the server of a given + domain are identical and are limited by + referrals-per-second + (default responses-per-second). + + + + Responses generated from local wildcards are counted and limited + as if they were for the parent domain name. + This controls flooding using random.wild.example.com. + + + + All requests that result in DNS errors other + than NXDOMAIN, such as SERVFAIL and FORMERR, are identical + regardless of requested name (qname) or record type (qtype). + This controls attacks using invalid requests or distant, + broken authoritative servers. + By default the limit on errors is the same as the + responses-per-second value, + but it can be set separately with + errors-per-second. + + + + Many attacks using DNS involve UDP requests with forged source + addresses. + Rate limiting prevents the use of BIND 9 to flood a network + with responses to requests with forged source addresses, + but could let a third party block responses to legitimate requests. + There is a mechanism that can answer some legitimate + requests from a client whose address is being forged in a flood. + Setting slip to 2 (its default) causes every + other UDP request to be answered with a small truncated (TC=1) + response. + The small size and reduced frequency, and so lack of + amplification, of "slipped" responses make them unattractive + for reflection DoS attacks. + slip must be between 0 and 10. + A value of 0 does not "slip"; + no truncated responses are sent due to rate limiting. + Some error responses including REFUSED and SERVFAIL + cannot be replaced with truncated responses and are instead + leaked at the slip rate. + + + + When the approximate query per second rate exceeds + the qps-scale value, + then the responses-per-second, + errors-per-second, + nxdomains-per-second and + all-per-second values are reduced by the + ratio of the current rate to the qps-scale value. + This feature can tighten defenses during attacks. + For example, with + qps-scale 250; responses-per-second 20; and + a total query rate of 1000 queries/second for all queries from + all DNS clients including via TCP, + then the effective responses/second limit changes to + (250/1000)*20 or 5. + Responses sent via TCP are not limited + but are counted to compute the query per second rate. + + + + Communities of DNS clients can be given their own parameters or no + rate limiting by putting + rate-limit statements in view + statements instead of the global option + statement. + A rate-limit statement in a view replaces, + rather than supplementing, a rate-limit + statement among the main options. + DNS clients within a view can be exempted from rate limits + with the exempt-clients clause. + + + + UDP responses of all kinds can be limited with the + all-per-second phrase. + This rate limiting is unlike the rate limiting provided by + responses-per-second, + errors-per-second, and + nxdomains-per-second on a DNS server + which are often invisible to the victim of a DNS reflection attack. + Unless the forged requests of the attack are the same as the + legitimate requests of the victim, the victim's requests are + not affected. + Responses affected by an all-per-second limit + are always dropped; the slip value has no + effect. + An all-per-second limit should be + at least 4 times as large as the other limits, + because single DNS clients often send bursts of legitimate + requests. + For example, the receipt of a single mail message can prompt + requests from an SMTP server for NS, PTR, A, and AAAA records + as the incoming SMTP/TCP/IP connection is considered. + The SMTP server can need additional NS, A, AAAA, MX, TXT, and SPF + records as it considers the STMP Mail From + command. + Web browsers often repeatedly resolve the same names that + are repeated in HTML <IMG> tags in a page. + All-per-second is similar to the + rate limiting offered by firewalls but often inferior. + Attacks that justify ignoring the + contents of DNS responses are likely to be attacks on the + DNS server itself. + They usually should be discarded before the DNS server + spends resources make TCP connections or parsing DNS requesets, + but that rate limiting must be done before the + DNS server sees the requests. + + + + The maximum size of the table used to track requests and + rate limit responses is set with max-table-size. + Each entry in the table is between 40 and 80 bytes. + The table needs approximately as many entries as the number + of requests received per second. + The default is 20,000. + To reduce the cold start of growing the table, + min-table-size (default 500) + can set the minimum table size. + Enable rate-limit category logging to monitor + expansions of the table and inform + choices for the initial and maximum table size. + + + + Use log-only yes to test rate limiting parameters + without actually dropping any requests. + + + + Responses dropped by rate limits are included in the + RateDropped and QryDropped + statistics. + Responses that truncated by rate limits are included in + RateSlipped and RespTruncated. + @@ -14649,6 +15079,32 @@ + + + RateDropped + + + + + + + Responses dropped by rate limits. + + + + + + RateSlipped + + + + + + + Responses truncated by rate limits. + + + --- bind9-9.9.3.dfsg.P2.orig/hints +++ bind9-9.9.3.dfsg.P2/hints @@ -0,0 +1,36 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +. 0 NS ns1. +ns1. 0 A 10.53.0.1 --- bind9-9.9.3.dfsg.P2.orig/lib/bind9/check.c +++ bind9-9.9.3.dfsg.P2/lib/bind9/check.c @@ -131,6 +131,7 @@ "compilation time"); #endif } else if (strcasecmp(cfg_obj_asstring(obj), "random") != 0 && + strcasecmp(cfg_obj_asstring(obj), "random_1") != 0 && strcasecmp(cfg_obj_asstring(obj), "cyclic") != 0) { cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "rrset-order: invalid order '%s'", --- bind9-9.9.3.dfsg.P2.orig/lib/dns/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/dns/Makefile.in @@ -42,7 +42,7 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ -LIBS = @LIBS@ +LIBS = @LIBS@ -L../../lib/isc -lcrypto @GEOIP_LIBS@ # Alphabetically @@ -67,8 +67,8 @@ portlist.@O@ private.@O@ \ rbt.@O@ rbtdb.@O@ rbtdb64.@O@ rcode.@O@ rdata.@O@ \ rdatalist.@O@ rdataset.@O@ rdatasetiter.@O@ rdataslab.@O@ \ - request.@O@ resolver.@O@ result.@O@ rootns.@O@ rpz.@O@ \ - rriterator.@O@ sdb.@O@ \ + request.@O@ resolver.@O@ result.@O@ rootns.@O@ \ + rpz.@O@ rrl.@O@ rriterator.@O@ sdb.@O@ \ sdlz.@O@ soa.@O@ ssu.@O@ ssu_external.@O@ \ stats.@O@ tcpmsg.@O@ time.@O@ timer.@O@ tkey.@O@ \ tsec.@O@ tsig.@O@ ttl.@O@ update.@O@ validator.@O@ \ @@ -95,7 +95,7 @@ name.c ncache.c nsec.c nsec3.c order.c peer.c portlist.c \ rbt.c rbtdb.c rbtdb64.c rcode.c rdata.c rdatalist.c \ rdataset.c rdatasetiter.c rdataslab.c request.c \ - resolver.c result.c rootns.c rpz.c rriterator.c \ + resolver.c result.c rootns.c rpz.c rrl.c rriterator.c \ sdb.c sdlz.c soa.c ssu.c ssu_external.c \ stats.c tcpmsg.c time.c timer.c tkey.c \ tsec.c tsig.c ttl.c update.c validator.c \ @@ -130,6 +130,7 @@ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libdns.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${ISCLIBS} @DNS_CRYPTO_LIBS@ ${LIBS} + ln -sf .libs/libdns.so . timestamp: libdns.@A@ touch timestamp @@ -144,6 +145,7 @@ rm -f libdns.@A@ timestamp rm -f gen code.h include/dns/enumtype.h include/dns/enumclass.h rm -f include/dns/rdatastruct.h + rm -f libdns.so newrr:: rm -f code.h include/dns/enumtype.h include/dns/enumclass.h --- bind9-9.9.3.dfsg.P2.orig/lib/dns/acl.c +++ bind9-9.9.3.dfsg.P2/lib/dns/acl.c @@ -21,10 +21,15 @@ #include +#ifdef SUPPORT_GEOIP +#include +#endif + #include #include #include #include +#include #include #include @@ -320,6 +325,13 @@ dest->elements[nelem + i].node_num = source->elements[i].node_num + dest->node_count; +#ifdef SUPPORT_GEOIP + /* Country */ + if (source->elements[i].type == dns_aclelementtype_ipcountry && + source->elements[i].country != NULL) { + strncpy(dest->elements[nelem + i].country, source->elements[i].country, 3); + } +#endif /* Duplicate nested acl. */ if (source->elements[i].type == dns_aclelementtype_nestedacl && source->elements[i].nestedacl != NULL) @@ -379,7 +391,68 @@ int indirectmatch; isc_result_t result; + #ifdef SUPPORT_GEOIP + static GeoIP *geoip = NULL; + static isc_boolean_t geoip_init_tried = ISC_FALSE; + #ifdef GEOIP_V6 + static GeoIP *geoip6 = NULL; + static isc_boolean_t geoip6_init_tried = ISC_FALSE; + #endif + #endif + switch (e->type) { +#ifdef SUPPORT_GEOIP + case dns_aclelementtype_ipcountry: + /* Country match */ + if (NULL == geoip && !geoip_init_tried) { + geoip_init_tried = ISC_TRUE; + if (GeoIP_db_avail(GEOIP_COUNTRY_EDITION)) { + geoip = GeoIP_open_type(GEOIP_COUNTRY_EDITION, GEOIP_MEMORY_CACHE); + if (NULL == geoip) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "Failed to open geoip database for ipv4"); + } else { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "geoip database for ipv4 is not available"); + } + } +#ifdef GEOIP_V6 + if (NULL == geoip6 && !geoip6_init_tried) { + geoip6_init_tried = ISC_TRUE; + if (GeoIP_db_avail(GEOIP_COUNTRY_EDITION_V6)) { + geoip6 = GeoIP_open_type(GEOIP_COUNTRY_EDITION_V6, GEOIP_MEMORY_CACHE); + if (NULL == geoip6) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "Failed to open geoip database for ipv6"); + } else { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_ACL, ISC_LOG_NOTICE, + "geoip database for ipv6 is not available"); + } + } +#endif + + const char *value = NULL; + + if (reqaddr->family == AF_INET && geoip) { + value = GeoIP_country_code_by_addr(geoip,inet_ntoa(reqaddr->type.in)); +#ifdef GEOIP_V6 + } else if (reqaddr->family == AF_INET6 && geoip6) { + value = GeoIP_country_code_by_ipnum_v6(geoip6, (geoipv6_t)reqaddr->type.in6); +#endif + } + + if ((NULL != value) && (2 == strlen(value))) { + if ((e->country[0] == value[0]) && (e->country[1] == value[1])) { + return (ISC_TRUE); + } + } + return (ISC_FALSE); +#endif + case dns_aclelementtype_keyname: if (reqsigner != NULL && dns_name_equal(reqsigner, &e->keyname)) { --- bind9-9.9.3.dfsg.P2.orig/lib/dns/db.c +++ bind9-9.9.3.dfsg.P2/lib/dns/db.c @@ -1007,21 +1007,23 @@ (db->methods->resigned)(db, rdataset, version); } -isc_result_t -dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) -{ - if (db->methods->rpz_enabled != NULL) - return ((db->methods->rpz_enabled)(db, st)); - return (ISC_R_SUCCESS); +/* + * Attach a database to policy zone databases. + * This should only happen when the caller has already ensured that + * it is dealing with a database that understands response policy zones. + */ +void +dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + REQUIRE(db->methods->rpz_attach != NULL); + (db->methods->rpz_attach)(db, rpzs, rpz_num); } -void -dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname) -{ - if (db->methods->rpz_findips != NULL) - (db->methods->rpz_findips)(rpz, rpz_type, zone, db, version, - ardataset, st, query_qname); +/* + * Finish loading a response policy zone. + */ +isc_result_t +dns_db_rpz_ready(dns_db_t *db) { + if (db->methods->rpz_ready == NULL) + return (ISC_R_SUCCESS); + return ((db->methods->rpz_ready)(db)); } --- bind9-9.9.3.dfsg.P2.orig/lib/dns/ecdb.c +++ bind9-9.9.3.dfsg.P2/lib/dns/ecdb.c @@ -582,8 +582,8 @@ NULL, /* resigned */ NULL, /* isdnssec */ NULL, /* getrrsetstats */ - NULL, /* rpz_enabled */ - NULL, /* rpz_findips */ + NULL, /* rpz_attach */ + NULL, /* rpz_ready */ NULL, /* findnodeext */ NULL /* findext */ }; --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/acl.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/acl.h @@ -53,8 +53,16 @@ dns_aclelementtype_localhost, dns_aclelementtype_localnets, dns_aclelementtype_any +#ifdef SUPPORT_GEOIP + , + dns_aclelementtype_ipcountry +#endif } dns_aclelemettype_t; +#ifdef SUPPORT_GEOIP +typedef char dns_aclipcountry[3]; +#endif + typedef struct dns_aclipprefix dns_aclipprefix_t; struct dns_aclipprefix { @@ -68,6 +76,9 @@ dns_name_t keyname; dns_acl_t *nestedacl; int node_num; +#ifdef SUPPORT_GEOIP + dns_aclipcountry country; +#endif }; struct dns_acl { --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/db.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/db.h @@ -172,14 +172,9 @@ dns_dbversion_t *version); isc_boolean_t (*isdnssec)(dns_db_t *db); dns_stats_t *(*getrrsetstats)(dns_db_t *db); - isc_result_t (*rpz_enabled)(dns_db_t *db, dns_rpz_st_t *st); - void (*rpz_findips)(dns_rpz_zone_t *rpz, - dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, - dns_dbversion_t *version, - dns_rdataset_t *ardataset, - dns_rpz_st_t *st, - dns_name_t *query_qname); + void (*rpz_attach)(dns_db_t *db, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num); + isc_result_t (*rpz_ready)(dns_db_t *db); isc_result_t (*findnodeext)(dns_db_t *db, dns_name_t *name, isc_boolean_t create, dns_clientinfomethods_t *methods, @@ -1542,30 +1537,17 @@ * dns_rdatasetstats_create(); otherwise NULL. */ -isc_result_t -dns_db_rpz_enabled(dns_db_t *db, dns_rpz_st_t *st); +void +dns_db_rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num); /*%< - * Mark a database for response policy rewriting - * or find which RPZ data is available. + * Attach the response policy information for a view to a database for a + * zone for the view. */ -void -dns_db_rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname); -/*%< - * Search the CDIR block tree of a response policy tree of trees for the best - * match to any of the IP addresses in an A or AAAA rdataset. - * - * Requires: - * \li search in policy zone 'rpz' for a match of 'rpz_type' either - * DNS_RPZ_TYPE_IP or DNS_RPZ_TYPE_NSIP - * \li 'zone' and 'db' are the database corresponding to 'rpz' - * \li 'version' is the required version of the database - * \li 'ardataset' is an A or AAAA rdataset of addresses to check - * \li 'found' specifies the previous best match if any or - * or NULL, an empty name, 0, DNS_RPZ_POLICY_MISS, and 0 +isc_result_t +dns_db_rpz_ready(dns_db_t *db); +/*%< + * Finish loading a response policy zone. */ ISC_LANG_ENDDECLS --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/log.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/log.h @@ -43,6 +43,7 @@ #define DNS_LOGCATEGORY_DELEGATION_ONLY (&dns_categories[10]) #define DNS_LOGCATEGORY_EDNS_DISABLED (&dns_categories[11]) #define DNS_LOGCATEGORY_RPZ (&dns_categories[12]) +#define DNS_LOGCATEGORY_RRL (&dns_categories[13]) /* Backwards compatibility. */ #define DNS_LOGCATEGORY_GENERAL ISC_LOGCATEGORY_GENERAL --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/ncache.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/ncache.h @@ -61,12 +61,12 @@ isc_result_t dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, dns_rdataset_t *addedrdataset); isc_result_t dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, - isc_stdtime_t now, dns_ttl_t maxttl, + isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *addedrdataset); /*%< * Convert the authority data from 'message' into a negative cache --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/rdataset.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/rdataset.h @@ -206,6 +206,8 @@ #define DNS_RDATASETATTR_OPTOUT 0x00100000 /*%< OPTOUT proof */ #define DNS_RDATASETATTR_NEGATIVE 0x00200000 +#define DNS_RDATASETATTR_SINGLE 0x10000000 /* Only return 1 answer */ + /*% * _OMITDNSSEC: * Omit DNSSEC records when rendering ncache records. --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/rpz.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/rpz.h @@ -25,19 +25,31 @@ #include #include #include +#include ISC_LANG_BEGINDECLS #define DNS_RPZ_PREFIX "rpz-" +/* + * Sub-zones of various trigger types. + */ +#define DNS_RPZ_CLIENT_IP_ZONE DNS_RPZ_PREFIX"client-ip" #define DNS_RPZ_IP_ZONE DNS_RPZ_PREFIX"ip" #define DNS_RPZ_NSIP_ZONE DNS_RPZ_PREFIX"nsip" #define DNS_RPZ_NSDNAME_ZONE DNS_RPZ_PREFIX"nsdname" -#define DNS_RPZ_PASSTHRU_ZONE DNS_RPZ_PREFIX"passthru" +/* + * Special policies. + */ +#define DNS_RPZ_PASSTHRU_NAME DNS_RPZ_PREFIX"passthru" +#define DNS_RPZ_DROP_NAME DNS_RPZ_PREFIX"drop" +#define DNS_RPZ_TCP_ONLY_NAME DNS_RPZ_PREFIX"tcp-only" -typedef isc_uint8_t dns_rpz_cidr_bits_t; + +typedef isc_uint8_t dns_rpz_prefix_t; typedef enum { DNS_RPZ_TYPE_BAD, + DNS_RPZ_TYPE_CLIENT_IP, DNS_RPZ_TYPE_QNAME, DNS_RPZ_TYPE_IP, DNS_RPZ_TYPE_NSDNAME, @@ -45,45 +57,151 @@ } dns_rpz_type_t; /* - * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_NXDOMAIN < - * DNS_RPZ_POLICY_NODATA < DNS_RPZ_POLICY_CNAME to choose among competing - * policies. + * Require DNS_RPZ_POLICY_PASSTHRU < DNS_RPZ_POLICY_DROP + * < DNS_RPZ_POLICY_TCP_ONLY DNS_RPZ_POLICY_NXDOMAIN < DNS_RPZ_POLICY_NODATA + * < DNS_RPZ_POLICY_CNAME to choose among competing policies. */ typedef enum { DNS_RPZ_POLICY_GIVEN = 0, /* 'given': what policy record says */ - DNS_RPZ_POLICY_DISABLED = 1, /* 'cname x': answer with x's rrsets */ + DNS_RPZ_POLICY_DISABLED = 1, /* log what would have happened */ DNS_RPZ_POLICY_PASSTHRU = 2, /* 'passthru': do not rewrite */ - DNS_RPZ_POLICY_NXDOMAIN = 3, /* 'nxdomain': answer with NXDOMAIN */ - DNS_RPZ_POLICY_NODATA = 4, /* 'nodata': answer with ANCOUNT=0 */ - DNS_RPZ_POLICY_CNAME = 5, /* 'cname x': answer with x's rrsets */ + DNS_RPZ_POLICY_DROP = 3, /* 'drop': do not respond */ + DNS_RPZ_POLICY_TCP_ONLY = 4, /* 'tcp-only': answer UDP with TC=1 */ + DNS_RPZ_POLICY_NXDOMAIN = 5, /* 'nxdomain': answer with NXDOMAIN */ + DNS_RPZ_POLICY_NODATA = 6, /* 'nodata': answer with ANCOUNT=0 */ + DNS_RPZ_POLICY_CNAME = 7, /* 'cname x': answer with x's rrsets */ DNS_RPZ_POLICY_RECORD, DNS_RPZ_POLICY_WILDCNAME, DNS_RPZ_POLICY_MISS, DNS_RPZ_POLICY_ERROR } dns_rpz_policy_t; +typedef isc_uint8_t dns_rpz_num_t; + +#define DNS_RPZ_MAX_ZONES 32 +#if DNS_RPZ_MAX_ZONES > 32 +# if DNS_RPZ_MAX_ZONES > 64 +# error "rpz zone bit masks must fit in a word" +# endif +typedef isc_uint64_t dns_rpz_zbits_t; +#else +typedef isc_uint32_t dns_rpz_zbits_t; +#endif + +#define DNS_RPZ_ALL_ZBITS ((dns_rpz_zbits_t)-1) + +#define DNS_RPZ_INVALID_NUM DNS_RPZ_MAX_ZONES + +#define DNS_RPZ_ZBIT(n) (((dns_rpz_zbits_t)1) << (dns_rpz_num_t)(n)) + /* - * Specify a response policy zone. + * Mask of the specified and higher numbered policy zones + * Avoid hassles with (1<<33) or (1<<65) */ -typedef struct dns_rpz_zone dns_rpz_zone_t; +#define DNS_RPZ_ZMASK(n) ((dns_rpz_zbits_t)((((n) >= DNS_RPZ_MAX_ZONES-1) ? \ + 0 : (1<<((n)+1))) -1)) +/* + * The number of triggers of each type in a response policy zone. + */ +typedef struct dns_rpz_triggers dns_rpz_triggers_t; +struct dns_rpz_triggers { + int client_ipv4; + int client_ipv6; + int qname; + int ipv4; + int ipv6; + int nsdname; + int nsipv4; + int nsipv6; +}; +/* + * A single response policy zone. + */ +typedef struct dns_rpz_zone dns_rpz_zone_t; struct dns_rpz_zone { - ISC_LINK(dns_rpz_zone_t) link; - int num; /* ordinal in list of policy zones */ - dns_name_t origin; /* Policy zone name */ - dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ - dns_name_t passthru;/* DNS_RPZ_PASSTHRU_ZONE. */ - dns_name_t cname; /* override value for ..._CNAME */ - dns_ttl_t max_policy_ttl; - dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ - isc_boolean_t recursive_only; - isc_boolean_t defined; + isc_refcount_t refs; + dns_rpz_num_t num; /* ordinal in list of policy zones */ + dns_name_t origin; /* Policy zone name */ + dns_name_t client_ip; /* DNS_RPZ_CLIENT_IP_ZONE.origin. */ + dns_name_t ip; /* DNS_RPZ_IP_ZONE.origin. */ + dns_name_t nsdname; /* DNS_RPZ_NSDNAME_ZONE.origin */ + dns_name_t nsip; /* DNS_RPZ_NSIP_ZONE.origin. */ + dns_name_t passthru; /* DNS_RPZ_PASSTHRU_NAME. */ + dns_name_t drop; /* DNS_RPZ_DROP_NAME. */ + dns_name_t tcp_only; /* DNS_RPZ_TCP_ONLY_NAME. */ + dns_name_t cname; /* override value for ..._CNAME */ + dns_ttl_t max_policy_ttl; + dns_rpz_policy_t policy; /* DNS_RPZ_POLICY_GIVEN or override */ }; /* - * Radix trees for response policy IP addresses. + * Radix tree node for response policy IP addresses + */ +typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; + +/* + * Response policy zones known to a view. */ -typedef struct dns_rpz_cidr dns_rpz_cidr_t; +typedef struct dns_rpz_zones dns_rpz_zones_t; +struct dns_rpz_zones { + struct { + dns_rpz_zbits_t no_rd_ok; + isc_boolean_t break_dnssec; + isc_boolean_t qname_wait_recurse; + unsigned int min_ns_labels; + dns_rpz_num_t num_zones; + } p; + dns_rpz_zone_t *zones[DNS_RPZ_MAX_ZONES]; + dns_rpz_triggers_t triggers[DNS_RPZ_MAX_ZONES]; + + dns_rpz_zbits_t defined; + + /* + * The set of records for a policy zone are in one of these states: + * never loaded load_begun=0 have=0 + * during initial loading load_begun=1 have=0 + * and rbtdb->rpzsp == rbtdb->load_rpzsp + * after good load load_begun=1 have!=0 + * after failed initial load load_begun=1 have=0 + * and rbtdb->load_rpzsp == NULL + * reloading after failure load_begun=1 have=0 + * reloading after success + * main rpzs load_begun=1 have!=0 + * load rpzs load_begun=1 have=0 + */ + dns_rpz_zbits_t load_begun; + struct { + dns_rpz_zbits_t client_ipv4; + dns_rpz_zbits_t client_ipv6; + dns_rpz_zbits_t client_ip; + dns_rpz_zbits_t qname; + dns_rpz_zbits_t ipv4; + dns_rpz_zbits_t ipv6; + dns_rpz_zbits_t ip; + dns_rpz_zbits_t nsdname; + dns_rpz_zbits_t nsipv4; + dns_rpz_zbits_t nsipv6; + dns_rpz_zbits_t nsip; + dns_rpz_zbits_t qname_skip_recurse; + } have; + dns_rpz_triggers_t total_triggers; + + isc_mem_t *mctx; + isc_refcount_t refs; + /* + * One lock for short term read-only search that guarantees the + * consistency of the pointers. + * A second lock for maintenance that guarantees no other thread + * is adding or deleting nodes. + */ + isc_mutex_t search_lock; + isc_mutex_t maint_lock; + + dns_rpz_cidr_node_t *cidr; + dns_rbt_t *rbt; +}; + /* * context for finding the best policy @@ -91,22 +209,19 @@ typedef struct { unsigned int state; # define DNS_RPZ_REWRITTEN 0x0001 -# define DNS_RPZ_DONE_QNAME 0x0002 /* qname checked */ -# define DNS_RPZ_DONE_QNAME_IP 0x0004 /* IP addresses of qname checked */ -# define DNS_RPZ_DONE_NSDNAME 0x0008 /* NS name missed; checking addresses */ -# define DNS_RPZ_DONE_IPv4 0x0010 -# define DNS_RPZ_RECURSING 0x0020 -# define DNS_RPZ_HAVE_IP 0x0040 /* a policy zone has IP addresses */ -# define DNS_RPZ_HAVE_NSIPv4 0x0080 /* IPv4 NISP addresses */ -# define DNS_RPZ_HAVE_NSIPv6 0x0100 /* IPv6 NISP addresses */ -# define DNS_RPZ_HAVE_NSDNAME 0x0200 /* NS names */ +# define DNS_RPZ_DONE_CLIENT_IP 0x0002 /* client IP address checked */ +# define DNS_RPZ_DONE_QNAME 0x0004 /* qname checked */ +# define DNS_RPZ_DONE_QNAME_IP 0x0008 /* IP addresses of qname checked */ +# define DNS_RPZ_DONE_NSDNAME 0x0010 /* NS name missed; checking addresses */ +# define DNS_RPZ_DONE_IPv4 0x0020 +# define DNS_RPZ_RECURSING 0x0040 /* * Best match so far. */ struct { dns_rpz_type_t type; dns_rpz_zone_t *rpz; - dns_rpz_cidr_bits_t prefix; + dns_rpz_prefix_t prefix; dns_rpz_policy_t policy; dns_ttl_t ttl; isc_result_t result; @@ -141,10 +256,15 @@ dns_rdataset_t *sigrdataset; dns_rdatatype_t qtype; } q; - dns_name_t *qname; + /* + * p_name: current policy owner name + * r_name: recursing for this name to possible policy triggers + * f_name: saved found name from before recursion + */ + dns_name_t *p_name; dns_name_t *r_name; dns_name_t *fname; - dns_fixedname_t _qnamef; + dns_fixedname_t _p_namef; dns_fixedname_t _r_namef; dns_fixedname_t _fnamef; } dns_rpz_st_t; @@ -171,32 +291,41 @@ const char * dns_rpz_policy2str(dns_rpz_policy_t policy); -void -dns_rpz_cidr_free(dns_rpz_cidr_t **cidr); - -void -dns_rpz_view_destroy(dns_view_t *view); +dns_rpz_policy_t +dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, + dns_name_t *selfname); isc_result_t -dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin, - dns_rpz_cidr_t **rbtdb_cidr); -void -dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st); +dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx); void -dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name); +dns_rpz_attach_rpzs(dns_rpz_zones_t *source, dns_rpz_zones_t **target); void -dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name); +dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp); isc_result_t -dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, - dns_rpz_type_t type, dns_name_t *canon_name, - dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix); +dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, + dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num); -dns_rpz_policy_t -dns_rpz_decode_cname(dns_rpz_zone_t *rpz, dns_rdataset_t *rdataset, - dns_name_t *selfname); +isc_result_t +dns_rpz_ready(dns_rpz_zones_t *rpzs, + dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num); + +isc_result_t +dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name); + +void +dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *name); + +dns_rpz_num_t +dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, + dns_name_t *ip_name, dns_rpz_prefix_t *prefixp); + +dns_rpz_zbits_t +dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_name_t *trig_name); ISC_LANG_ENDDECLS --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/rrl.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/rrl.h @@ -0,0 +1,278 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +#ifndef DNS_RRL_H +#define DNS_RRL_H 1 + +/* + * Rate limit DNS responses. + */ + +#include + +#include +#include +#include + +ISC_LANG_BEGINDECLS + + +/* + * Memory allocation or other failures. + */ +#define DNS_RRL_LOG_FAIL ISC_LOG_WARNING +/* + * dropped or slipped responses. + */ +#define DNS_RRL_LOG_DROP ISC_LOG_INFO +/* + * Major events in dropping or slipping. + */ +#define DNS_RRL_LOG_DEBUG1 ISC_LOG_DEBUG(3) +/* + * Limit computations. + */ +#define DNS_RRL_LOG_DEBUG2 ISC_LOG_DEBUG(4) +/* + * Even less interesting. + */ +#define DNS_RRL_LOG_DEBUG3 ISC_LOG_DEBUG(9) + + +#define DNS_RRL_LOG_ERR_LEN 64 +#define DNS_RRL_LOG_BUF_LEN (sizeof("would continue limiting") + \ + DNS_RRL_LOG_ERR_LEN + \ + sizeof(" responses to ") + \ + ISC_NETADDR_FORMATSIZE + \ + sizeof("/128 for IN ") + \ + DNS_RDATATYPE_FORMATSIZE + \ + DNS_NAME_FORMATSIZE) + + +typedef struct dns_rrl_hash dns_rrl_hash_t; + +/* + * Response types. + */ +typedef enum { + DNS_RRL_RTYPE_FREE = 0, + DNS_RRL_RTYPE_QUERY, + DNS_RRL_RTYPE_REFERRAL, + DNS_RRL_RTYPE_NODATA, + DNS_RRL_RTYPE_NXDOMAIN, + DNS_RRL_RTYPE_ERROR, + DNS_RRL_RTYPE_ALL, + DNS_RRL_RTYPE_TCP, +} dns_rrl_rtype_t; + +/* + * A rate limit bucket key. + * This should be small to limit the total size of the database. + * The hash of the qname should be wide enough to make the probability + * of collisions among requests from a single IP address block less than 50%. + * We need a 32-bit hash value for 10000 qps (e.g. random qnames forged + * by attacker) to collide with legitimate qnames from the target with + * probability at most 1%. + */ +#define DNS_RRL_MAX_PREFIX 64 +typedef union dns_rrl_key dns_rrl_key_t; +union dns_rrl_key { + struct { + isc_uint32_t ip[DNS_RRL_MAX_PREFIX/32]; + isc_uint32_t qname_hash; + dns_rdatatype_t qtype; + isc_uint8_t qclass; + dns_rrl_rtype_t rtype :4; /* 3 bits + sign bit */ + isc_boolean_t ipv6 :1; + } s; + isc_uint16_t w[1]; +}; + +/* + * A rate-limit entry. + * This should be small to limit the total size of the table of entries. + */ +typedef struct dns_rrl_entry dns_rrl_entry_t; +typedef ISC_LIST(dns_rrl_entry_t) dns_rrl_bin_t; +struct dns_rrl_entry { + ISC_LINK(dns_rrl_entry_t) lru; + ISC_LINK(dns_rrl_entry_t) hlink; + dns_rrl_key_t key; +# define DNS_RRL_RESPONSE_BITS 24 + signed int responses :DNS_RRL_RESPONSE_BITS; +# define DNS_RRL_QNAMES_BITS 8 + unsigned int log_qname :DNS_RRL_QNAMES_BITS; + +# define DNS_RRL_TS_GEN_BITS 2 + unsigned int ts_gen :DNS_RRL_TS_GEN_BITS; + isc_boolean_t ts_valid :1; +# define DNS_RRL_HASH_GEN_BITS 1 + unsigned int hash_gen :DNS_RRL_HASH_GEN_BITS; + isc_boolean_t logged :1; +# define DNS_RRL_LOG_BITS 11 + unsigned int log_secs :DNS_RRL_LOG_BITS; + +# define DNS_RRL_TS_BITS 12 + unsigned int ts :DNS_RRL_TS_BITS; + +# define DNS_RRL_MAX_SLIP 10 + unsigned int slip_cnt :4; +}; + +#define DNS_RRL_MAX_TIME_TRAVEL 5 +#define DNS_RRL_FOREVER (1<= DNS_RRL_MAX_TS +#error "DNS_RRL_MAX_WINDOW is too large" +#endif +#define DNS_RRL_MAX_RATE 1000 +#if DNS_RRL_MAX_RATE >= (DNS_RRL_MAX_RESPONSES / DNS_RRL_MAX_WINDOW) +#error "DNS_RRL_MAX_rate is too large" +#endif + +#if (1<= DNS_RRL_FOREVER +#error DNS_RRL_LOG_BITS is too big +#endif +#define DNS_RRL_MAX_LOG_SECS 1800 +#if DNS_RRL_MAX_LOG_SECS >= (1<= (1< #include +#include #include #include #include @@ -142,10 +143,13 @@ dns_rbt_t * answeracl_exclude; dns_rbt_t * denyanswernames; dns_rbt_t * answernames_exclude; + dns_rrl_t * rrl; isc_boolean_t provideixfr; isc_boolean_t requestnsid; dns_ttl_t maxcachettl; dns_ttl_t maxncachettl; + dns_ttl_t mincachettl; + dns_ttl_t minncachettl; in_port_t dstport; dns_aclenv_t aclenv; dns_rdatatype_t preferred_glue; @@ -162,10 +166,7 @@ dns_acl_t * v4_aaaa_acl; dns_dns64list_t dns64; unsigned int dns64cnt; - ISC_LIST(dns_rpz_zone_t) rpz_zones; - isc_boolean_t rpz_recursive_only; - isc_boolean_t rpz_break_dnssec; - unsigned int rpz_min_ns_labels; + dns_rpz_zones_t *rpzs; /* * Configurable data for server use only, --- bind9-9.9.3.dfsg.P2.orig/lib/dns/include/dns/zone.h +++ bind9-9.9.3.dfsg.P2/lib/dns/include/dns/zone.h @@ -2081,13 +2081,20 @@ */ isc_result_t -dns_zone_rpz_enable(dns_zone_t *zone); +dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num); /*% * Set the response policy associated with a zone. */ -isc_boolean_t -dns_zone_get_rpz(dns_zone_t *zone); +isc_result_t +dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db); +/*% + * If a zone is a response policy zone, mark its new database. + */ + +dns_rpz_num_t +dns_zone_get_rpz_num(dns_zone_t *zone); void dns_zone_setstatlevel(dns_zone_t *zone, dns_zonestat_level_t level); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/log.c +++ bind9-9.9.3.dfsg.P2/lib/dns/log.c @@ -45,6 +45,7 @@ { "delegation-only", 0 }, { "edns-disabled", 0 }, { "rpz", 0 }, + { "rate-limit", 0 }, { NULL, 0 } }; --- bind9-9.9.3.dfsg.P2.orig/lib/dns/ncache.c +++ bind9-9.9.3.dfsg.P2/lib/dns/ncache.c @@ -49,7 +49,7 @@ static isc_result_t addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *addedrdataset); @@ -99,26 +99,26 @@ isc_result_t dns_ncache_add(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, dns_rdataset_t *addedrdataset) { - return (addoptout(message, cache, node, covers, now, maxttl, + return (addoptout(message, cache, node, covers, now, minttl, maxttl, ISC_FALSE, ISC_FALSE, addedrdataset)); } isc_result_t dns_ncache_addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, - isc_stdtime_t now, dns_ttl_t maxttl, + isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, dns_rdataset_t *addedrdataset) { - return (addoptout(message, cache, node, covers, now, maxttl, + return (addoptout(message, cache, node, covers, now, minttl, maxttl, optout, ISC_TRUE, addedrdataset)); } static isc_result_t addoptout(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *addedrdataset) { @@ -187,6 +187,8 @@ type == dns_rdatatype_nsec3) { if (ttl > rdataset->ttl) ttl = rdataset->ttl; + if (ttl < minttl) + ttl = minttl; if (trust > rdataset->trust) trust = rdataset->trust; /* --- bind9-9.9.3.dfsg.P2.orig/lib/dns/order.c +++ bind9-9.9.3.dfsg.P2/lib/dns/order.c @@ -89,6 +89,7 @@ REQUIRE(DNS_ORDER_VALID(order)); REQUIRE(mode == DNS_RDATASETATTR_RANDOMIZE || mode == DNS_RDATASETATTR_FIXEDORDER || + mode == (DNS_RDATASETATTR_RANDOMIZE|DNS_RDATASETATTR_SINGLE) || mode == 0 /* DNS_RDATASETATTR_CYCLIC */ ); ent = isc_mem_get(order->mctx, sizeof(*ent)); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rbtdb.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rbtdb.c @@ -453,7 +453,9 @@ dns_rbt_t * tree; dns_rbt_t * nsec; dns_rbt_t * nsec3; - dns_rpz_cidr_t * rpz_cidr; + dns_rpz_zones_t *rpzs; + dns_rpz_num_t rpz_num; + dns_rpz_zones_t *load_rpzs; /* Unlocked */ unsigned int quantum; @@ -972,8 +974,18 @@ dns_stats_detach(&rbtdb->rrsetstats); #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_free(&rbtdb->rpz_cidr); + if (rbtdb->load_rpzs != NULL) { + /* + * We must be cleaning up after a failed zone loading. + */ + REQUIRE(rbtdb->rpzs != NULL && + rbtdb->rpz_num < rbtdb->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&rbtdb->load_rpzs); + } + if (rbtdb->rpzs != NULL) { + REQUIRE(rbtdb->rpz_num < rbtdb->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&rbtdb->rpzs); + } #endif isc_mem_put(rbtdb->common.mctx, rbtdb->node_locks, @@ -1515,11 +1527,11 @@ switch (node->nsec) { case DNS_RBT_NSEC_NORMAL: #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) { + if (rbtdb->rpzs != NULL) { dns_fixedname_init(&fname); name = dns_fixedname_name(&fname); dns_rbt_fullnamefromnode(node, name); - dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name); + dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name); } #endif result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); @@ -1555,11 +1567,11 @@ isc_result_totext(result)); } } + result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); #ifdef BIND9 - if (rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_deleteip(rbtdb->rpz_cidr, name); + if (rbtdb->rpzs != NULL) + dns_rpz_delete(rbtdb->rpzs, rbtdb->rpz_num, name); #endif - result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE); break; case DNS_RBT_NSEC_NSEC: result = dns_rbt_deletenode(rbtdb->nsec, node, ISC_FALSE); @@ -1573,7 +1585,7 @@ DNS_LOGCATEGORY_DATABASE, DNS_LOGMODULE_CACHE, ISC_LOG_WARNING, - "delete_cnode(): " + "delete_node(): " "dns_rbt_deletenode: %s", isc_result_totext(result)); } @@ -2538,14 +2550,15 @@ result = dns_rbt_addnode(tree, name, &node); if (result == ISC_R_SUCCESS) { #ifdef BIND9 - if (tree == rbtdb->tree && rbtdb->rpz_cidr != NULL) { + if (rbtdb->rpzs != NULL && tree == rbtdb->tree) { dns_fixedname_t fnamef; dns_name_t *fname; dns_fixedname_init(&fnamef); fname = dns_fixedname_name(&fnamef); dns_rbt_fullnamefromnode(node, fname); - dns_rpz_cidr_addip(rbtdb->rpz_cidr, fname); + result = dns_rpz_add(rbtdb->rpzs, + rbtdb->rpz_num, fname); } #endif dns_rbt_namefromnode(node, &nodename); @@ -4547,228 +4560,45 @@ return (result); } +#ifdef BIND9 /* - * Mark a database for response policy rewriting - * or find which RPZ data is available. + * Connect this RBTDB to the response policy zone summary data for the view. */ -#ifdef BIND9 -static isc_result_t -rpz_enabled(dns_db_t *db, dns_rpz_st_t *st) -{ - dns_rbtdb_t *rbtdb; - isc_result_t result; +static void +rpz_attach(dns_db_t *db, dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + dns_rbtdb_t * rbtdb; - result = ISC_R_SUCCESS; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); - RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - if (st != NULL) { - dns_rpz_enabled_get(rbtdb->rpz_cidr, st); - } else { - result = dns_rpz_new_cidr(rbtdb->common.mctx, - &rbtdb->common.origin, - &rbtdb->rpz_cidr); - } - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return (result); + + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + REQUIRE(rbtdb->rpzs == NULL && rbtdb->rpz_num == DNS_RPZ_INVALID_NUM); + dns_rpz_attach_rpzs(rpzs, &rbtdb->rpzs); + rbtdb->rpz_num = rpz_num; + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); } /* - * Search the CDIR block tree of a response policy tree of trees for all of - * the IP addresses in an A or AAAA rdataset. - * Among the policies for all IPv4 and IPv6 addresses for a name, choose - * the earliest configured policy, - * QNAME over IP over NSDNAME over NSIP, - * the longest prefix, - * the lexically smallest address. - * The caller must have already checked that any existing policy was not - * configured earlier than this policy zone and does not have a higher - * precedence type. + * Enable this RBTDB as a response policy zone. */ -static void -rpz_findips(dns_rpz_zone_t *rpz, dns_rpz_type_t rpz_type, - dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version, - dns_rdataset_t *ardataset, dns_rpz_st_t *st, - dns_name_t *query_qname) -{ - dns_rbtdb_t *rbtdb; - struct in_addr ina; - struct in6_addr in6a; - isc_netaddr_t netaddr; - dns_fixedname_t selfnamef, qnamef; - dns_name_t *selfname, *qname; - dns_rbtnode_t *node; - dns_rdataset_t zrdataset; - dns_rpz_cidr_bits_t prefix; +static isc_result_t +rpz_ready(dns_db_t *db) { + dns_rbtdb_t * rbtdb; isc_result_t result; - dns_rpz_policy_t rpz_policy; - dns_ttl_t ttl; rbtdb = (dns_rbtdb_t *)db; REQUIRE(VALID_RBTDB(rbtdb)); - RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - - if (rbtdb->rpz_cidr == NULL) { - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); - return; - } - - dns_fixedname_init(&selfnamef); - dns_fixedname_init(&qnamef); - selfname = dns_fixedname_name(&selfnamef); - qname = dns_fixedname_name(&qnamef); - - for (result = dns_rdataset_first(ardataset); - result == ISC_R_SUCCESS; - result = dns_rdataset_next(ardataset)) { - dns_rdata_t rdata = DNS_RDATA_INIT; - dns_rdataset_current(ardataset, &rdata); - switch (rdata.type) { - case dns_rdatatype_a: - INSIST(rdata.length == 4); - memcpy(&ina.s_addr, rdata.data, 4); - isc_netaddr_fromin(&netaddr, &ina); - break; - case dns_rdatatype_aaaa: - INSIST(rdata.length == 16); - memcpy(in6a.s6_addr, rdata.data, 16); - isc_netaddr_fromin6(&netaddr, &in6a); - break; - default: - continue; - } - result = dns_rpz_cidr_find(rbtdb->rpz_cidr, &netaddr, rpz_type, - selfname, qname, &prefix); - if (result != ISC_R_SUCCESS) - continue; - - /* - * If we already have a rule, discard this new rule if - * is not better. - * The caller has checked that st->m.rpz->num > rpz->num - * or st->m.rpz->num == rpz->num and st->m.type >= rpz_type - */ - if (st->m.policy != DNS_RPZ_POLICY_MISS && - st->m.rpz->num == rpz->num && - (st->m.type < rpz_type || - (st->m.type == rpz_type && - (st->m.prefix > prefix || - (st->m.prefix == prefix && - 0 > dns_name_rdatacompare(st->qname, qname)))))) - continue; - - /* - * We have rpz_st an entry with a prefix at least as long as - * the prefix of the entry we had before. Find the node - * corresponding to CDIR tree entry. - */ - node = NULL; - result = dns_rbt_findnode(rbtdb->tree, qname, NULL, - &node, NULL, 0, NULL, NULL); - if (result != ISC_R_SUCCESS) { - char namebuf[DNS_NAME_FORMATSIZE]; - - dns_name_format(qname, namebuf, sizeof(namebuf)); - isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz_findips findnode(%s) failed: %s", - namebuf, isc_result_totext(result)); - continue; - } - /* - * First look for a simple rewrite of the IP address. - * If that fails, look for a CNAME. If we cannot find - * a CNAME or the CNAME is neither of the special forms - * "*" or ".", treat it like a real CNAME. - */ - dns_rdataset_init(&zrdataset); - result = dns_db_findrdataset(db, node, version, ardataset->type, - 0, 0, &zrdataset, NULL); - if (result != ISC_R_SUCCESS) - result = dns_db_findrdataset(db, node, version, - dns_rdatatype_cname, - 0, 0, &zrdataset, NULL); - if (result == ISC_R_SUCCESS) { - if (zrdataset.type != dns_rdatatype_cname) { - rpz_policy = DNS_RPZ_POLICY_RECORD; - } else { - rpz_policy = dns_rpz_decode_cname(rpz, - &zrdataset, - selfname); - if (rpz_policy == DNS_RPZ_POLICY_RECORD || - rpz_policy == DNS_RPZ_POLICY_WILDCNAME) - result = DNS_R_CNAME; - } - ttl = zrdataset.ttl; - } else { - rpz_policy = DNS_RPZ_POLICY_RECORD; - result = DNS_R_NXRRSET; - ttl = DNS_RPZ_TTL_DEFAULT; - } - - /* - * Use an overriding action specified in the configuration file - */ - if (rpz->policy != DNS_RPZ_POLICY_GIVEN) { - /* - * only log DNS_RPZ_POLICY_DISABLED hits - */ - if (rpz->policy == DNS_RPZ_POLICY_DISABLED) { - if (isc_log_wouldlog(dns_lctx, - DNS_RPZ_INFO_LEVEL)) { - char qname_buf[DNS_NAME_FORMATSIZE]; - char rpz_qname_buf[DNS_NAME_FORMATSIZE]; - dns_name_format(query_qname, qname_buf, - sizeof(qname_buf)); - dns_name_format(qname, rpz_qname_buf, - sizeof(rpz_qname_buf)); - - isc_log_write(dns_lctx, - DNS_LOGCATEGORY_RPZ, - DNS_LOGMODULE_RBTDB, - DNS_RPZ_INFO_LEVEL, - "disabled rpz %s %s rewrite" - " %s via %s", - dns_rpz_type2str(rpz_type), - dns_rpz_policy2str(rpz_policy), - qname_buf, rpz_qname_buf); - } - continue; - } - - rpz_policy = rpz->policy; - } - - if (dns_rdataset_isassociated(st->m.rdataset)) - dns_rdataset_disassociate(st->m.rdataset); - if (st->m.node != NULL) - dns_db_detachnode(st->m.db, &st->m.node); - if (st->m.db != NULL) - dns_db_detach(&st->m.db); - if (st->m.zone != NULL) - dns_zone_detach(&st->m.zone); - st->m.rpz = rpz; - st->m.type = rpz_type; - st->m.prefix = prefix; - st->m.policy = rpz_policy; - st->m.ttl = ISC_MIN(ttl, rpz->max_policy_ttl); - st->m.result = result; - dns_name_copy(qname, st->qname, NULL); - if ((rpz_policy == DNS_RPZ_POLICY_RECORD || - rpz_policy == DNS_RPZ_POLICY_WILDCNAME) && - result != DNS_R_NXRRSET) { - dns_rdataset_clone(&zrdataset,st->m.rdataset); - dns_db_attachnode(db, node, &st->m.node); - } - dns_db_attach(db, &st->m.db); - st->m.version = version; - dns_zone_attach(zone, &st->m.zone); - if (dns_rdataset_isassociated(&zrdataset)) - dns_rdataset_disassociate(&zrdataset); + RWLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + if (rbtdb->rpzs == NULL) { + INSIST(rbtdb->rpz_num == DNS_RPZ_INVALID_NUM); + result = ISC_R_SUCCESS; + } else { + result = dns_rpz_ready(rbtdb->rpzs, &rbtdb->load_rpzs, + rbtdb->rpz_num); } - - RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_read); + RWUNLOCK(&rbtdb->tree_lock, isc_rwlocktype_write); + return (result); } #endif @@ -6874,8 +6704,9 @@ noderesult = dns_rbt_addnode(rbtdb->tree, name, nodep); #ifdef BIND9 - if (noderesult == ISC_R_SUCCESS && rbtdb->rpz_cidr != NULL) - dns_rpz_cidr_addip(rbtdb->rpz_cidr, name); + if (rbtdb->rpzs != NULL && noderesult == ISC_R_SUCCESS) + noderesult = dns_rpz_add(rbtdb->load_rpzs, rbtdb->rpz_num, + name); #endif if (!hasnsec) @@ -7060,6 +6891,20 @@ RBTDB_LOCK(&rbtdb->lock, isc_rwlocktype_write); +#ifdef BIND9 + if (rbtdb->rpzs != NULL) { + isc_result_t result; + + result = dns_rpz_beginload(&rbtdb->load_rpzs, + rbtdb->rpzs, rbtdb->rpz_num); + if (result != ISC_R_SUCCESS) { + isc_mem_put(rbtdb->common.mctx, loadctx, + sizeof(*loadctx)); + return (result); + } + } +#endif + REQUIRE((rbtdb->attributes & (RBTDB_ATTR_LOADED|RBTDB_ATTR_LOADING)) == 0); rbtdb->attributes |= RBTDB_ATTR_LOADING; @@ -7461,8 +7306,8 @@ isdnssec, NULL, #ifdef BIND9 - rpz_enabled, - rpz_findips, + rpz_attach, + rpz_ready, #else NULL, NULL, @@ -7776,6 +7621,9 @@ } rbtdb->attributes = 0; rbtdb->task = NULL; + rbtdb->rpzs = NULL; + rbtdb->load_rpzs = NULL; + rbtdb->rpz_num = DNS_RPZ_INVALID_NUM; /* * Version Initialization. --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rdataset.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rdataset.c @@ -297,6 +297,7 @@ #define MAX_SHUFFLE 32 #define WANT_FIXED(r) (((r)->attributes & DNS_RDATASETATTR_FIXEDORDER) != 0) #define WANT_RANDOM(r) (((r)->attributes & DNS_RDATASETATTR_RANDOMIZE) != 0) +#define WANT_SINGLE(r) (((r)->attributes & DNS_RDATASETATTR_SINGLE) != 0) struct towire_sort { int key; @@ -321,6 +322,7 @@ isc_region_t r; isc_result_t result; unsigned int i, count = 0, added, choice; + unsigned int real_count; isc_buffer_t savedbuffer, rdlen, rrbuffer; unsigned int headlen; isc_boolean_t question = ISC_FALSE; @@ -362,6 +364,7 @@ if (result != ISC_R_SUCCESS) return (result); } + real_count = count; /* * Do we want to shuffle this answer? @@ -430,6 +433,9 @@ sorted[i].key = 0; /* Unused */ sorted[i].rdata = &shuffled[i]; } + if (count > 1 && WANT_SINGLE(rdataset)) { + count = 1; + } } else { /* * "Cyclic" order. @@ -550,9 +556,9 @@ cleanup: if (sorted != NULL && sorted != sorted_fixed) - isc_mem_put(cctx->mctx, sorted, count * sizeof(*sorted)); + isc_mem_put(cctx->mctx, sorted, real_count * sizeof(*sorted)); if (shuffled != NULL && shuffled != shuffled_fixed) - isc_mem_put(cctx->mctx, shuffled, count * sizeof(*shuffled)); + isc_mem_put(cctx->mctx, shuffled, real_count * sizeof(*shuffled)); return (result); } --- bind9-9.9.3.dfsg.P2.orig/lib/dns/resolver.c +++ bind9-9.9.3.dfsg.P2/lib/dns/resolver.c @@ -470,7 +470,9 @@ static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, dns_rdatatype_t covers, - isc_stdtime_t now, dns_ttl_t maxttl, + isc_stdtime_t now, + dns_ttl_t minttl, + dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *ardataset, @@ -4197,7 +4199,7 @@ ttl = 0; result = ncache_adderesult(fctx->rmessage, fctx->cache, node, - covers, now, ttl, vevent->optout, + covers, now, fctx->res->view->minncachettl, ttl, vevent->optout, vevent->secure, ardataset, &eresult); if (result != ISC_R_SUCCESS) goto noanswer_response; @@ -4652,6 +4654,12 @@ */ if (rdataset->ttl > res->view->maxcachettl) rdataset->ttl = res->view->maxcachettl; + + /* + * Enforce configured minimum cache TTL. + */ + if (rdataset->ttl < res->view->mincachettl) + rdataset->ttl = res->view->mincachettl; /* * Find the SIG for this rdataset, if we have it. @@ -4979,7 +4987,7 @@ */ static isc_result_t ncache_adderesult(dns_message_t *message, dns_db_t *cache, dns_dbnode_t *node, - dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t maxttl, + dns_rdatatype_t covers, isc_stdtime_t now, dns_ttl_t minttl, dns_ttl_t maxttl, isc_boolean_t optout, isc_boolean_t secure, dns_rdataset_t *ardataset, isc_result_t *eresultp) { @@ -4992,10 +5000,10 @@ } if (secure) result = dns_ncache_addoptout(message, cache, node, covers, - now, maxttl, optout, ardataset); + now, minttl, maxttl, optout, ardataset); else result = dns_ncache_add(message, cache, node, covers, now, - maxttl, ardataset); + minttl, maxttl, ardataset); if (result == DNS_R_UNCHANGED || result == ISC_R_SUCCESS) { /* * If the cache now contains a negative entry and we @@ -5161,7 +5169,7 @@ ttl = 0; result = ncache_adderesult(fctx->rmessage, fctx->cache, node, - covers, now, ttl, ISC_FALSE, + covers, now, fctx->res->view->minncachettl, ttl, ISC_FALSE, ISC_FALSE, ardataset, &eresult); if (result != ISC_R_SUCCESS) goto unlock; --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rpz.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rpz.c @@ -37,6 +37,7 @@ #include #include #include +#include #include #include @@ -44,9 +45,13 @@ /* * Parallel radix trees for databases of response policy IP addresses * - * The radix or Patricia trees are somewhat specialized to handle response - * policy addresses by representing the two test of IP IP addresses and name - * server IP addresses in a single tree. + * The radix or patricia trees are somewhat specialized to handle response + * policy addresses by representing the two sets of IP addresses and name + * server IP addresses in a single tree. One set of IP addresses is + * for rpz-ip policies or policies triggered by addresses in A or + * AAAA records in responses. + * The second set is for rpz-nsip policies or policies triggered by addresses + * in A or AAAA records for NS records that are authorities for responses. * * Each leaf indicates that an IP address is listed in the IP address or the * name server IP address policy sub-zone (or both) of the corresponding @@ -55,7 +60,8 @@ * tree, the node in the policy zone's database is found by converting * the IP address to a domain name in a canonical form. * - * The response policy zone canonical form of IPv6 addresses is one of: + * + * The response policy zone canonical form of an IPv6 address is one of: * prefix.W.W.W.W.W.W.W.W * prefix.WORDS.zz * prefix.WORDS.zz.WORDS @@ -72,7 +78,7 @@ * prefix is the prefix length of the address between 1 and 32 * B is a number between 0 and 255 * - * IPv4 addresses are distinguished from IPv6 addresses by having + * Names for IPv4 addresses are distinguished from IPv6 addresses by having * 5 labels all of which are numbers, and a prefix between 1 and 32. */ @@ -90,43 +96,89 @@ } dns_rpz_cidr_key_t; #define ADDR_V4MAPPED 0xffff +#define KEY_IS_IPV4(prefix,ip) ((prefix) >= 96 && (ip)->w[0] == 0 && \ + (ip)->w[1] == 0 && (ip)->w[2] == ADDR_V4MAPPED) + +#define DNS_RPZ_WORD_MASK(b) ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \ + : ((dns_rpz_cidr_word_t)(-1) \ + << (DNS_RPZ_CIDR_WORD_BITS - (b)))) + +/* + * Get bit #n from the array of words of an IP address. + */ +#define DNS_RPZ_IP_BIT(ip, n) (1 & ((ip)->w[(n)/DNS_RPZ_CIDR_WORD_BITS] >> \ + (DNS_RPZ_CIDR_WORD_BITS \ + - 1 - ((n) % DNS_RPZ_CIDR_WORD_BITS)))) -#define DNS_RPZ_WORD_MASK(b) \ - ((b) == 0 ? (dns_rpz_cidr_word_t)(-1) \ - : ((dns_rpz_cidr_word_t)(-1) \ - << (DNS_RPZ_CIDR_WORD_BITS - (b)))) - -#define DNS_RPZ_IP_BIT(ip, bitno) \ - (1 & ((ip)->w[(bitno)/DNS_RPZ_CIDR_WORD_BITS] >> \ - (DNS_RPZ_CIDR_WORD_BITS - 1 - ((bitno) % DNS_RPZ_CIDR_WORD_BITS)))) +/* + * A triplet of arrays of bits flagging the existence of + * client-IP, IP, and NSIP policy triggers. + */ +typedef struct dns_rpz_addr_zbits dns_rpz_addr_zbits_t; +struct dns_rpz_addr_zbits { + dns_rpz_zbits_t client_ip; + dns_rpz_zbits_t ip; + dns_rpz_zbits_t nsip; +}; -typedef struct dns_rpz_cidr_node dns_rpz_cidr_node_t; -typedef isc_uint8_t dns_rpz_cidr_flags_t; +/* + * A CIDR or radix tree node. + */ struct dns_rpz_cidr_node { - dns_rpz_cidr_node_t *parent; - dns_rpz_cidr_node_t *child[2]; - dns_rpz_cidr_key_t ip; - dns_rpz_cidr_bits_t bits; - dns_rpz_cidr_flags_t flags; -#define DNS_RPZ_CIDR_FG_IP 0x01 /* has IP data or is parent of IP */ -#define DNS_RPZ_CIDR_FG_IP_DATA 0x02 /* has IP data */ -#define DNS_RPZ_CIDR_FG_NSIPv4 0x04 /* has or is parent of NSIPv4 data */ -#define DNS_RPZ_CIDR_FG_NSIPv6 0x08 /* has or is parent of NSIPv6 data */ -#define DNS_RPZ_CIDR_FG_NSIP_DATA 0x10 /* has NSIP data */ + dns_rpz_cidr_node_t *parent; + dns_rpz_cidr_node_t *child[2]; + dns_rpz_cidr_key_t ip; + dns_rpz_prefix_t prefix; + dns_rpz_addr_zbits_t set; + dns_rpz_addr_zbits_t sum; +}; + +/* + * The data in a RBT node has two pairs of bits for policy zones. + * One pair is for the corresponding name of the node such as example.com + * and the other pair is for a wildcard child such as *.example.com. + */ +/* + * A pair of arrays of bits flagging the existence of + * QNAME and NSDNAME policy triggers. + */ +typedef struct dns_rpz_nm_zbits dns_rpz_nm_zbits_t; +struct dns_rpz_nm_zbits { + dns_rpz_zbits_t qname; + dns_rpz_zbits_t ns; }; -struct dns_rpz_cidr { - isc_mem_t *mctx; - isc_boolean_t have_nsdname; /* zone has NSDNAME record */ - dns_rpz_cidr_node_t *root; - dns_name_t ip_name; /* RPZ_IP_ZONE.origin. */ - dns_name_t nsip_name; /* RPZ_NSIP_ZONE.origin. */ - dns_name_t nsdname_name; /* RPZ_NSDNAME_ZONE.origin */ +typedef struct dns_rpz_nm_data dns_rpz_nm_data_t; +struct dns_rpz_nm_data { + dns_rpz_nm_zbits_t set; + dns_rpz_nm_zbits_t wild; }; +#if 0 +/* + * Catch a name while debugging. + */ +static void +catch_name(const dns_name_t *src_name, const char *tgt, const char *str) { + dns_fixedname_t tgt_namef; + dns_name_t *tgt_name; + + dns_fixedname_init(&tgt_namef); + tgt_name = dns_fixedname_name(&tgt_namef); + dns_name_fromstring(tgt_name, tgt, DNS_NAME_DOWNCASE, NULL); + if (dns_name_equal(src_name, tgt_name)) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz hit failed: %s %s", str, tgt); + } +} +#endif + const char * dns_rpz_type2str(dns_rpz_type_t type) { switch (type) { + case DNS_RPZ_TYPE_CLIENT_IP: + return ("CLIENT-IP"); case DNS_RPZ_TYPE_QNAME: return ("QNAME"); case DNS_RPZ_TYPE_IP: @@ -138,32 +190,34 @@ case DNS_RPZ_TYPE_BAD: break; } - FATAL_ERROR(__FILE__, __LINE__, - "impossible rpz type %d", type); + FATAL_ERROR(__FILE__, __LINE__, "impossible rpz type %d", type); return ("impossible"); } dns_rpz_policy_t dns_rpz_str2policy(const char *str) { + static struct { + const char *str; + dns_rpz_policy_t policy; + } tbl[] = { + {"given", DNS_RPZ_POLICY_GIVEN}, + {"disabled", DNS_RPZ_POLICY_DISABLED}, + {"passthru", DNS_RPZ_POLICY_PASSTHRU}, + {"drop", DNS_RPZ_POLICY_DROP}, + {"tcp-only", DNS_RPZ_POLICY_TCP_ONLY}, + {"nxdomain", DNS_RPZ_POLICY_NXDOMAIN}, + {"nodata", DNS_RPZ_POLICY_NODATA}, + {"cname", DNS_RPZ_POLICY_CNAME}, + {"no-op", DNS_RPZ_POLICY_PASSTHRU}, /* old passthru */ + }; + unsigned int n; + if (str == NULL) return (DNS_RPZ_POLICY_ERROR); - if (!strcasecmp(str, "given")) - return (DNS_RPZ_POLICY_GIVEN); - if (!strcasecmp(str, "disabled")) - return (DNS_RPZ_POLICY_DISABLED); - if (!strcasecmp(str, "passthru")) - return (DNS_RPZ_POLICY_PASSTHRU); - if (!strcasecmp(str, "nxdomain")) - return (DNS_RPZ_POLICY_NXDOMAIN); - if (!strcasecmp(str, "nodata")) - return (DNS_RPZ_POLICY_NODATA); - if (!strcasecmp(str, "cname")) - return (DNS_RPZ_POLICY_CNAME); - /* - * Obsolete - */ - if (!strcasecmp(str, "no-op")) - return (DNS_RPZ_POLICY_PASSTHRU); + for (n = 0; n < sizeof(tbl)/sizeof(tbl[0]); ++n) { + if (!strcasecmp(tbl[n].str, str)) + return (tbl[n].policy); + } return (DNS_RPZ_POLICY_ERROR); } @@ -175,6 +229,12 @@ case DNS_RPZ_POLICY_PASSTHRU: str = "PASSTHRU"; break; + case DNS_RPZ_POLICY_DROP: + str = "DROP"; + break; + case DNS_RPZ_POLICY_TCP_ONLY: + str = "TCP-ONLY"; + break; case DNS_RPZ_POLICY_NXDOMAIN: str = "NXDOMAIN"; break; @@ -196,243 +256,274 @@ return (str); } -/* - * Free the radix tree of a response policy database. - */ -void -dns_rpz_cidr_free(dns_rpz_cidr_t **cidrp) { - dns_rpz_cidr_node_t *cur, *child, *parent; - dns_rpz_cidr_t *cidr; - - REQUIRE(cidrp != NULL); - - cidr = *cidrp; - if (cidr == NULL) - return; - - cur = cidr->root; - while (cur != NULL) { - /* Depth first. */ - child = cur->child[0]; - if (child != NULL) { - cur = child; - continue; - } - child = cur->child[1]; - if (child != NULL) { - cur = child; - continue; - } +static int +zbit_to_num(dns_rpz_zbits_t zbit) { + dns_rpz_num_t rpz_num; - /* Delete this leaf and go up. */ - parent = cur->parent; - if (parent == NULL) - cidr->root = NULL; - else - parent->child[parent->child[1] == cur] = NULL; - isc_mem_put(cidr->mctx, cur, sizeof(*cur)); - cur = parent; + INSIST(zbit != 0); + rpz_num = 0; +#if DNS_RPZ_MAX_ZONES > 32 + if ((zbit & 0xffffffff00000000L) != 0) { + zbit >>= 32; + rpz_num += 32; } - - dns_name_free(&cidr->ip_name, cidr->mctx); - dns_name_free(&cidr->nsip_name, cidr->mctx); - dns_name_free(&cidr->nsdname_name, cidr->mctx); - isc_mem_put(cidr->mctx, cidr, sizeof(*cidr)); - *cidrp = NULL; +#endif + if ((zbit & 0xffff0000) != 0) { + zbit >>= 16; + rpz_num += 16; + } + if ((zbit & 0xff00) != 0) { + zbit >>= 8; + rpz_num += 8; + } + if ((zbit & 0xf0) != 0) { + zbit >>= 4; + rpz_num += 4; + } + if ((zbit & 0xc) != 0) { + zbit >>= 2; + rpz_num += 2; + } + if ((zbit & 2) != 0) + ++rpz_num; + return (rpz_num); } /* - * Forget a view's list of policy zones. + * Make a set of bit masks given one or more bits and their type. */ -void -dns_rpz_view_destroy(dns_view_t *view) { - dns_rpz_zone_t *zone; - - REQUIRE(view != NULL); +static void +make_addr_set(dns_rpz_addr_zbits_t *tgt_set, dns_rpz_zbits_t zbits, + dns_rpz_type_t type) +{ + switch (type) { + case DNS_RPZ_TYPE_CLIENT_IP: + tgt_set->client_ip = zbits; + tgt_set->ip = 0; + tgt_set->nsip = 0; + break; + case DNS_RPZ_TYPE_IP: + tgt_set->client_ip = 0; + tgt_set->ip = zbits; + tgt_set->nsip = 0; + break; + case DNS_RPZ_TYPE_NSIP: + tgt_set->client_ip = 0; + tgt_set->ip = 0; + tgt_set->nsip = zbits; + break; + default: + INSIST(0); + break; + } +} - while (!ISC_LIST_EMPTY(view->rpz_zones)) { - zone = ISC_LIST_HEAD(view->rpz_zones); - ISC_LIST_UNLINK(view->rpz_zones, zone, link); - if (dns_name_dynamic(&zone->origin)) - dns_name_free(&zone->origin, view->mctx); - if (dns_name_dynamic(&zone->passthru)) - dns_name_free(&zone->passthru, view->mctx); - if (dns_name_dynamic(&zone->nsdname)) - dns_name_free(&zone->nsdname, view->mctx); - if (dns_name_dynamic(&zone->cname)) - dns_name_free(&zone->cname, view->mctx); - isc_mem_put(view->mctx, zone, sizeof(*zone)); +static void +make_nm_set(dns_rpz_nm_zbits_t *tgt_set, + dns_rpz_num_t rpz_num, dns_rpz_type_t type) +{ + switch (type) { + case DNS_RPZ_TYPE_QNAME: + tgt_set->qname = DNS_RPZ_ZBIT(rpz_num); + tgt_set->ns = 0; + break; + case DNS_RPZ_TYPE_NSDNAME: + tgt_set->qname = 0; + tgt_set->ns = DNS_RPZ_ZBIT(rpz_num); + break; + default: + INSIST(0); + break; } } /* - * Start a new radix tree for a response policy zone. + * Mark a node and all of its parents as having client-IP, IP, or NSIP data */ -isc_result_t -dns_rpz_new_cidr(isc_mem_t *mctx, dns_name_t *origin, - dns_rpz_cidr_t **rbtdb_cidr) -{ - isc_result_t result; - dns_rpz_cidr_t *cidr; - - REQUIRE(rbtdb_cidr != NULL && *rbtdb_cidr == NULL); - - cidr = isc_mem_get(mctx, sizeof(*cidr)); - if (cidr == NULL) - return (ISC_R_NOMEMORY); - memset(cidr, 0, sizeof(*cidr)); - cidr->mctx = mctx; +static void +set_sum_pair(dns_rpz_cidr_node_t *cnode) { + dns_rpz_cidr_node_t *child; + dns_rpz_addr_zbits_t sum; - dns_name_init(&cidr->ip_name, NULL); - result = dns_name_fromstring2(&cidr->ip_name, DNS_RPZ_IP_ZONE, origin, - DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + do { + sum = cnode->set; - dns_name_init(&cidr->nsip_name, NULL); - result = dns_name_fromstring2(&cidr->nsip_name, DNS_RPZ_NSIP_ZONE, - origin, DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - dns_name_free(&cidr->ip_name, mctx); - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + child = cnode->child[0]; + if (child != NULL) { + sum.client_ip |= child->sum.client_ip; + sum.ip |= child->sum.ip; + sum.nsip |= child->sum.nsip; + } - dns_name_init(&cidr->nsdname_name, NULL); - result = dns_name_fromstring2(&cidr->nsdname_name, DNS_RPZ_NSDNAME_ZONE, - origin, DNS_NAME_DOWNCASE, mctx); - if (result != ISC_R_SUCCESS) { - dns_name_free(&cidr->nsip_name, mctx); - dns_name_free(&cidr->ip_name, mctx); - isc_mem_put(mctx, cidr, sizeof(*cidr)); - return (result); - } + child = cnode->child[1]; + if (child != NULL) { + sum.client_ip |= child->sum.client_ip; + sum.ip |= child->sum.ip; + sum.nsip |= child->sum.nsip; + } - *rbtdb_cidr = cidr; - return (ISC_R_SUCCESS); + if (cnode->sum.client_ip == sum.client_ip && + cnode->sum.ip == sum.ip && + cnode->sum.nsip == sum.nsip) + break; + cnode->sum = sum; + cnode = cnode->parent; + } while (cnode != NULL); } -/* - * See if a policy zone has IP, NSIP, or NSDNAME rules or records. - */ -void -dns_rpz_enabled_get(dns_rpz_cidr_t *cidr, dns_rpz_st_t *st) { - if (cidr == NULL) - return; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_IP) != 0) - st->state |= DNS_RPZ_HAVE_IP; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv4) != 0) - st->state |= DNS_RPZ_HAVE_NSIPv4; - if (cidr->root != NULL && - (cidr->root->flags & DNS_RPZ_CIDR_FG_NSIPv6) != 0) - st->state |= DNS_RPZ_HAVE_NSIPv6; - if (cidr->have_nsdname) - st->state |= DNS_RPZ_HAVE_NSDNAME; -} - -static inline dns_rpz_cidr_flags_t -get_flags(const dns_rpz_cidr_key_t *ip, dns_rpz_cidr_bits_t prefix, - dns_rpz_type_t rpz_type) -{ - if (rpz_type == DNS_RPZ_TYPE_NSIP) { - if (prefix >= 96 && - ip->w[0] == 0 && ip->w[1] == 0 && - ip->w[2] == ADDR_V4MAPPED) - return (DNS_RPZ_CIDR_FG_NSIP_DATA | - DNS_RPZ_CIDR_FG_NSIPv4); - else - return (DNS_RPZ_CIDR_FG_NSIP_DATA | - DNS_RPZ_CIDR_FG_NSIPv6); +static void +fix_qname_skip_recurse(dns_rpz_zones_t *rpzs) { + dns_rpz_zbits_t zbits; + + /* + * Get a mask covering all policy zones that are not subordinate to + * other policy zones containing triggers that require that the + * qname be resolved before they can be checked. + */ + if (rpzs->p.qname_wait_recurse) { + zbits = 0; } else { - return (DNS_RPZ_CIDR_FG_IP | DNS_RPZ_CIDR_FG_IP_DATA); + zbits = (rpzs->have.ipv4 || rpzs->have.ipv6 || + rpzs->have.nsdname || + rpzs->have.nsipv4 || rpzs->have.nsipv6); + if (zbits == 0) { + zbits = DNS_RPZ_ALL_ZBITS; + } else { + zbits = DNS_RPZ_ZMASK(zbit_to_num(zbits)); + } } + rpzs->have.qname_skip_recurse = zbits; + + rpzs->have.client_ip = rpzs->have.client_ipv4 | rpzs->have.client_ipv6; + rpzs->have.ip = rpzs->have.ipv4 | rpzs->have.ipv6; + rpzs->have.nsip = rpzs->have.nsipv4 | rpzs->have.nsipv6; } -/* - * Mark a node as having IP or NSIP data and all of its parents - * as members of the IP or NSIP tree. - */ static void -set_node_flags(dns_rpz_cidr_node_t *node, dns_rpz_type_t rpz_type) { - dns_rpz_cidr_flags_t flags; +adj_trigger_cnt(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, + const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + isc_boolean_t inc) +{ + int *cnt; + dns_rpz_zbits_t *have; - flags = get_flags(&node->ip, node->bits, rpz_type); - node->flags |= flags; - flags &= ~(DNS_RPZ_CIDR_FG_NSIP_DATA | DNS_RPZ_CIDR_FG_IP_DATA); - for (;;) { - node = node->parent; - if (node == NULL) - return; - node->flags |= flags; + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpzs->triggers[rpz_num].client_ipv4; + have = &rpzs->have.client_ipv4; + } else { + cnt = &rpzs->triggers[rpz_num].client_ipv6; + have = &rpzs->have.client_ipv6; + } + break; + case DNS_RPZ_TYPE_QNAME: + cnt = &rpzs->triggers[rpz_num].qname; + have = &rpzs->have.qname; + break; + case DNS_RPZ_TYPE_IP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpzs->triggers[rpz_num].ipv4; + have = &rpzs->have.ipv4; + } else { + cnt = &rpzs->triggers[rpz_num].ipv6; + have = &rpzs->have.ipv6; + } + break; + case DNS_RPZ_TYPE_NSDNAME: + cnt = &rpzs->triggers[rpz_num].nsdname; + have = &rpzs->have.nsdname; + break; + case DNS_RPZ_TYPE_NSIP: + REQUIRE(tgt_ip != NULL); + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { + cnt = &rpzs->triggers[rpz_num].nsipv4; + have = &rpzs->have.nsipv4; + } else { + cnt = &rpzs->triggers[rpz_num].nsipv6; + have = &rpzs->have.nsipv6; + } + break; + default: + INSIST(0); + } + + if (inc) { + if (++*cnt == 1) { + *have |= DNS_RPZ_ZBIT(rpz_num); + fix_qname_skip_recurse(rpzs); + } + } else { + REQUIRE(*cnt > 0); + if (--*cnt == 0) { + *have &= ~DNS_RPZ_ZBIT(rpz_num); + fix_qname_skip_recurse(rpzs); + } } } -/* - * Make a radix tree node. - */ static dns_rpz_cidr_node_t * -new_node(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *ip, - dns_rpz_cidr_bits_t bits, dns_rpz_cidr_flags_t flags) +new_node(dns_rpz_zones_t *rpzs, + const dns_rpz_cidr_key_t *ip, dns_rpz_prefix_t prefix, + const dns_rpz_cidr_node_t *child) { - dns_rpz_cidr_node_t *node; + dns_rpz_cidr_node_t *new; int i, words, wlen; - node = isc_mem_get(cidr->mctx, sizeof(*node)); - if (node == NULL) + new = isc_mem_get(rpzs->mctx, sizeof(*new)); + if (new == NULL) return (NULL); - memset(node, 0, sizeof(*node)); + memset(new, 0, sizeof(*new)); - node->flags = flags & ~(DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); + if (child != NULL) + new->sum = child->sum; - node->bits = bits; - words = bits / DNS_RPZ_CIDR_WORD_BITS; - wlen = bits % DNS_RPZ_CIDR_WORD_BITS; + new->prefix = prefix; + words = prefix / DNS_RPZ_CIDR_WORD_BITS; + wlen = prefix % DNS_RPZ_CIDR_WORD_BITS; i = 0; while (i < words) { - node->ip.w[i] = ip->w[i]; + new->ip.w[i] = ip->w[i]; ++i; } if (wlen != 0) { - node->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen); + new->ip.w[i] = ip->w[i] & DNS_RPZ_WORD_MASK(wlen); ++i; } while (i < DNS_RPZ_CIDR_WORDS) - node->ip.w[i++] = 0; + new->ip.w[i++] = 0; - return (node); + return (new); } static void badname(int level, dns_name_t *name, const char *str1, const char *str2) { - char printname[DNS_NAME_FORMATSIZE]; + char namebuf[DNS_NAME_FORMATSIZE]; /* * bin/tests/system/rpz/tests.sh looks for "invalid rpz". */ - if (level < DNS_RPZ_DEBUG_QUIET - && isc_log_wouldlog(dns_lctx, level)) { - dns_name_format(name, printname, sizeof(printname)); + if (level < DNS_RPZ_DEBUG_QUIET && + isc_log_wouldlog(dns_lctx, level)) { + dns_name_format(name, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, level, "invalid rpz IP address \"%s\"%s%s", - printname, str1, str2); + namebuf, str1, str2); } } /* * Convert an IP address from radix tree binary (host byte order) to - * to its canonical response policy domain name and its name in the + * to its canonical response policy domain name without the origin of the * policy zone. */ static isc_result_t -ip2name(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type, - dns_name_t *canon_name, dns_name_t *search_name) +ip2name(const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + dns_name_t *base_name, dns_name_t *ip_name) { #ifndef INET6_ADDRSTRLEN #define INET6_ADDRSTRLEN 46 @@ -440,22 +531,18 @@ int w[DNS_RPZ_CIDR_WORDS*2]; char str[1+8+1+INET6_ADDRSTRLEN+1]; isc_buffer_t buffer; - dns_name_t *name; isc_result_t result; isc_boolean_t zeros; int i, n, len; - if (tgt_prefix > 96 && - tgt_ip->w[0] == 0 && - tgt_ip->w[1] == 0 && - tgt_ip->w[2] == ADDR_V4MAPPED) { + if (KEY_IS_IPV4(tgt_prefix, tgt_ip)) { len = snprintf(str, sizeof(str), "%d.%d.%d.%d.%d", tgt_prefix - 96, tgt_ip->w[3] & 0xff, (tgt_ip->w[3]>>8) & 0xff, (tgt_ip->w[3]>>16) & 0xff, (tgt_ip->w[3]>>24) & 0xff); - if (len == -1 || len > (int)sizeof(str)) + if (len < 0 || len > (int)sizeof(str)) return (ISC_R_FAILURE); } else { for (i = 0; i < DNS_RPZ_CIDR_WORDS; i++) { @@ -469,9 +556,9 @@ return (ISC_R_FAILURE); i = 0; while (i < DNS_RPZ_CIDR_WORDS * 2) { - if (w[i] != 0 || zeros - || i >= DNS_RPZ_CIDR_WORDS * 2 - 1 - || w[i+1] != 0) { + if (w[i] != 0 || zeros || + i >= DNS_RPZ_CIDR_WORDS * 2 - 1 || + w[i+1] != 0) { INSIST((size_t)len <= sizeof(str)); n = snprintf(&str[len], sizeof(str) - len, ".%x", w[i++]); @@ -495,48 +582,31 @@ } } - if (canon_name != NULL) { - isc__buffer_init(&buffer, str, sizeof(str)); - isc__buffer_add(&buffer, len); - result = dns_name_fromtext(canon_name, &buffer, - dns_rootname, 0, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - if (search_name != NULL) { - isc__buffer_init(&buffer, str, sizeof(str)); - isc__buffer_add(&buffer, len); - if (type == DNS_RPZ_TYPE_NSIP) - name = &cidr->nsip_name; - else - name = &cidr->ip_name; - result = dns_name_fromtext(search_name, &buffer, name, 0, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } - return (ISC_R_SUCCESS); + isc__buffer_init(&buffer, str, sizeof(str)); + isc__buffer_add(&buffer, len); + result = dns_name_fromtext(ip_name, &buffer, base_name, 0, NULL); + return (result); } /* - * Decide which kind of IP address response policy zone a name is in. + * Determine the type a of a name in a response policy zone. */ static dns_rpz_type_t -set_type(dns_rpz_cidr_t *cidr, dns_name_t *name) { +type_from_name(dns_rpz_zone_t *rpz, dns_name_t *name) { - if (dns_name_issubdomain(name, &cidr->ip_name)) + if (dns_name_issubdomain(name, &rpz->ip)) return (DNS_RPZ_TYPE_IP); - /* - * Require `./configure --enable-rpz-nsip` and nsdname - * until consistency problems are resolved. - */ + if (dns_name_issubdomain(name, &rpz->client_ip)) + return (DNS_RPZ_TYPE_CLIENT_IP); + #ifdef ENABLE_RPZ_NSIP - if (dns_name_issubdomain(name, &cidr->nsip_name)) + if (dns_name_issubdomain(name, &rpz->nsip)) return (DNS_RPZ_TYPE_NSIP); #endif #ifdef ENABLE_RPZ_NSDNAME - if (dns_name_issubdomain(name, &cidr->nsdname_name)) + if (dns_name_issubdomain(name, &rpz->nsdname)) return (DNS_RPZ_TYPE_NSDNAME); #endif @@ -545,73 +615,80 @@ /* * Convert an IP address from canonical response policy domain name form - * to radix tree binary (host byte order). + * to radix tree binary (host byte order) for adding or deleting IP or NSIP + * data. */ static isc_result_t -name2ipkey(dns_rpz_cidr_t *cidr, int level, dns_name_t *src_name, - dns_rpz_type_t type, dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t *tgt_prefix) +name2ipkey(int log_level, + const dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name, + dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t *tgt_prefix, + dns_rpz_addr_zbits_t *new_set) { - isc_result_t result; - dns_fixedname_t fname; - dns_name_t *ipname; - char ipstr[DNS_NAME_FORMATSIZE]; + dns_rpz_zone_t *rpz; + char ip_str[DNS_NAME_FORMATSIZE]; + dns_offsets_t ip_name_offsets; + dns_fixedname_t ip_name2f; + dns_name_t ip_name, *ip_name2; const char *prefix_str, *cp, *end; char *cp2; int ip_labels; - dns_rpz_cidr_bits_t bits; - unsigned long prefix, l; + dns_rpz_prefix_t prefix; + unsigned long prefix_num, l; + isc_result_t result; int i; - /* - * Need at least enough labels for the shortest name, - * :: or 128.*.RPZ_x_ZONE.rpz.LOCALHOST. - */ + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + make_addr_set(new_set, DNS_RPZ_ZBIT(rpz_num), rpz_type); + ip_labels = dns_name_countlabels(src_name); - ip_labels -= dns_name_countlabels(&cidr->ip_name); - ip_labels--; - if (ip_labels < 1) { - badname(level, src_name, "; too short", ""); + if (rpz_type == DNS_RPZ_TYPE_QNAME) + ip_labels -= dns_name_countlabels(&rpz->origin); + else + ip_labels -= dns_name_countlabels(&rpz->nsdname); + if (ip_labels < 2) { + badname(log_level, src_name, "; too short", ""); return (ISC_R_FAILURE); } + dns_name_init(&ip_name, ip_name_offsets); + dns_name_getlabelsequence(src_name, 0, ip_labels, &ip_name); /* * Get text for the IP address */ - dns_fixedname_init(&fname); - ipname = dns_fixedname_name(&fname); - dns_name_split(src_name, dns_name_countlabels(&cidr->ip_name), - ipname, NULL); - dns_name_format(ipname, ipstr, sizeof(ipstr)); - end = &ipstr[strlen(ipstr)+1]; - prefix_str = ipstr; + dns_name_format(&ip_name, ip_str, sizeof(ip_str)); + end = &ip_str[strlen(ip_str)+1]; + prefix_str = ip_str; - prefix = strtoul(prefix_str, &cp2, 10); + prefix_num = strtoul(prefix_str, &cp2, 10); if (*cp2 != '.') { - badname(level, src_name, + badname(log_level, src_name, "; invalid leading prefix length", ""); return (ISC_R_FAILURE); } *cp2 = '\0'; - if (prefix < 1U || prefix > 128U) { - badname(level, src_name, + if (prefix_num < 1U || prefix_num > 128U) { + badname(log_level, src_name, "; invalid prefix length of ", prefix_str); return (ISC_R_FAILURE); } cp = cp2+1; - if (ip_labels == 4 && !strchr(cp, 'z')) { + if (--ip_labels == 4 && !strchr(cp, 'z')) { /* * Convert an IPv4 address * from the form "prefix.w.z.y.x" */ - if (prefix > 32U) { - badname(level, src_name, + if (prefix_num > 32U) { + badname(log_level, src_name, "; invalid IPv4 prefix length of ", prefix_str); return (ISC_R_FAILURE); } - prefix += 96; - *tgt_prefix = (dns_rpz_cidr_bits_t)prefix; + prefix_num += 96; + *tgt_prefix = (dns_rpz_prefix_t)prefix_num; tgt_ip->w[0] = 0; tgt_ip->w[1] = 0; tgt_ip->w[2] = ADDR_V4MAPPED; @@ -621,7 +698,7 @@ if (l > 255U || (*cp2 != '.' && *cp2 != '\0')) { if (*cp2 == '.') *cp2 = '\0'; - badname(level, src_name, + badname(log_level, src_name, "; invalid IPv4 octet ", cp); return (ISC_R_FAILURE); } @@ -632,7 +709,7 @@ /* * Convert a text IPv6 address. */ - *tgt_prefix = (dns_rpz_cidr_bits_t)prefix; + *tgt_prefix = (dns_rpz_prefix_t)prefix_num; for (i = 0; ip_labels > 0 && i < DNS_RPZ_CIDR_WORDS * 2; ip_labels--) { @@ -651,7 +728,7 @@ (*cp2 != '.' && *cp2 != '\0')) { if (*cp2 == '.') *cp2 = '\0'; - badname(level, src_name, + badname(log_level, src_name, "; invalid IPv6 word ", cp); return (ISC_R_FAILURE); } @@ -665,36 +742,37 @@ } } if (cp != end) { - badname(level, src_name, "", ""); + badname(log_level, src_name, "", ""); return (ISC_R_FAILURE); } /* * Check for 1s after the prefix length. */ - bits = (dns_rpz_cidr_bits_t)prefix; - while (bits < DNS_RPZ_CIDR_KEY_BITS) { + prefix = (dns_rpz_prefix_t)prefix_num; + while (prefix < DNS_RPZ_CIDR_KEY_BITS) { dns_rpz_cidr_word_t aword; - i = bits % DNS_RPZ_CIDR_WORD_BITS; - aword = tgt_ip->w[bits / DNS_RPZ_CIDR_WORD_BITS]; + i = prefix % DNS_RPZ_CIDR_WORD_BITS; + aword = tgt_ip->w[prefix / DNS_RPZ_CIDR_WORD_BITS]; if ((aword & ~DNS_RPZ_WORD_MASK(i)) != 0) { - badname(level, src_name, + badname(log_level, src_name, "; too small prefix length of ", prefix_str); return (ISC_R_FAILURE); } - bits -= i; - bits += DNS_RPZ_CIDR_WORD_BITS; + prefix -= i; + prefix += DNS_RPZ_CIDR_WORD_BITS; } /* - * Convert the address back to a canonical policy domain name - * to ensure that it is in canonical form. + * Convert the address back to a canonical domain name + * to ensure that the original name is in canonical form. */ - result = ip2name(cidr, tgt_ip, (dns_rpz_cidr_bits_t) prefix, - type, NULL, ipname); - if (result != ISC_R_SUCCESS || !dns_name_equal(src_name, ipname)) { - badname(level, src_name, "; not canonical", ""); + dns_fixedname_init(&ip_name2f); + ip_name2 = dns_fixedname_name(&ip_name2f); + result = ip2name(tgt_ip, (dns_rpz_prefix_t)prefix_num, NULL, ip_name2); + if (result != ISC_R_SUCCESS || !dns_name_equal(&ip_name, ip_name2)) { + badname(log_level, src_name, "; not canonical", ""); return (ISC_R_FAILURE); } @@ -702,10 +780,54 @@ } /* - * Find first differing bit. + * Get trigger name and data bits for adding or deleting summary NSDNAME + * or QNAME data. */ -static int -ffbit(dns_rpz_cidr_word_t w) { +static void +name2data(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, const dns_name_t *src_name, + dns_name_t *trig_name, dns_rpz_nm_data_t *new_data) +{ + dns_rpz_zone_t *rpz; + dns_offsets_t tmp_name_offsets; + dns_name_t tmp_name; + unsigned int prefix_len, n; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + /* + * Handle wildcards by putting only the parent into the + * summary RBT. The summary database only causes a check of the + * real policy zone where wildcards will be handled. + */ + if (dns_name_iswildcard(src_name)) { + prefix_len = 1; + memset(&new_data->set, 0, sizeof(new_data->set)); + make_nm_set(&new_data->wild, rpz_num, rpz_type); + } else { + prefix_len = 0; + make_nm_set(&new_data->set, rpz_num, rpz_type); + memset(&new_data->wild, 0, sizeof(new_data->wild)); + } + + dns_name_init(&tmp_name, tmp_name_offsets); + n = dns_name_countlabels(src_name); + n -= prefix_len; + if (rpz_type == DNS_RPZ_TYPE_QNAME) + n -= dns_name_countlabels(&rpz->origin); + else + n -= dns_name_countlabels(&rpz->nsdname); + dns_name_getlabelsequence(src_name, prefix_len, n, &tmp_name); + (void)dns_name_concatenate(&tmp_name, dns_rootname, trig_name, NULL); +} + +/* + * Find the first differing bit in a key (IP address) word. + */ +static inline int +ffs_keybit(dns_rpz_cidr_word_t w) { int bit; bit = DNS_RPZ_CIDR_WORD_BITS-1; @@ -731,17 +853,17 @@ } /* - * Find the first differing bit in two keys. + * Find the first differing bit in two keys (IP addresses). */ static int -diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_cidr_bits_t bits1, - const dns_rpz_cidr_key_t *key2, dns_rpz_cidr_bits_t bits2) +diff_keys(const dns_rpz_cidr_key_t *key1, dns_rpz_prefix_t prefix1, + const dns_rpz_cidr_key_t *key2, dns_rpz_prefix_t prefix2) { dns_rpz_cidr_word_t delta; - dns_rpz_cidr_bits_t maxbit, bit; + dns_rpz_prefix_t maxbit, bit; int i; - maxbit = ISC_MIN(bits1, bits2); + maxbit = ISC_MIN(prefix1, prefix2); /* * find the first differing words @@ -751,7 +873,7 @@ i++, bit += DNS_RPZ_CIDR_WORD_BITS) { delta = key1->w[i] ^ key2->w[i]; if (delta != 0) { - bit += ffbit(delta); + bit += ffs_keybit(delta); break; } } @@ -759,133 +881,170 @@ } /* + * Given a hit while searching the radix trees, + * clear all bits for higher numbered zones. + */ +static inline dns_rpz_zbits_t +trim_zbits(dns_rpz_zbits_t zbits, dns_rpz_zbits_t found) { + dns_rpz_zbits_t x; + + /* + * Isolate the first or smallest numbered hit bit. + * Make a mask of that bit and all smaller numbered bits. + */ + x = zbits & found; + x &= (~x + 1); + x = (x << 1) - 1; + return (zbits &= x); +} + +/* * Search a radix tree for an IP address for ordinary lookup * or for a CIDR block adding or deleting an entry - * The tree read (for simple search) or write lock must be held by the caller. * - * Return ISC_R_SUCCESS, ISC_R_NOTFOUND, DNS_R_PARTIALMATCH, ISC_R_EXISTS, - * ISC_R_NOMEMORY + * Return ISC_R_SUCCESS, DNS_R_PARTIALMATCH, ISC_R_NOTFOUND, + * and *found=longest match node + * or with create==ISC_TRUE, ISC_R_EXISTS or ISC_R_NOMEMORY */ static isc_result_t -search(dns_rpz_cidr_t *cidr, const dns_rpz_cidr_key_t *tgt_ip, - dns_rpz_cidr_bits_t tgt_prefix, dns_rpz_type_t type, - isc_boolean_t create, - dns_rpz_cidr_node_t **found) /* NULL or longest match node */ +search(dns_rpz_zones_t *rpzs, + const dns_rpz_cidr_key_t *tgt_ip, dns_rpz_prefix_t tgt_prefix, + const dns_rpz_addr_zbits_t *tgt_set, isc_boolean_t create, + dns_rpz_cidr_node_t **found) { dns_rpz_cidr_node_t *cur, *parent, *child, *new_parent, *sibling; + dns_rpz_addr_zbits_t set; int cur_num, child_num; - dns_rpz_cidr_bits_t dbit; - dns_rpz_cidr_flags_t flags, data_flag; + dns_rpz_prefix_t dbit; isc_result_t find_result; - flags = get_flags(tgt_ip, tgt_prefix, type); - data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); - + set = *tgt_set; find_result = ISC_R_NOTFOUND; - if (found != NULL) - *found = NULL; - cur = cidr->root; + *found = NULL; + cur = rpzs->cidr; parent = NULL; cur_num = 0; for (;;) { if (cur == NULL) { /* - * No child so we cannot go down. Fail or - * add the target as a child of the current parent. + * No child so we cannot go down. + * Quit with whatever we already found + * or add the target as a child of the current parent. */ if (!create) return (find_result); - child = new_node(cidr, tgt_ip, tgt_prefix, 0); + child = new_node(rpzs, tgt_ip, tgt_prefix, NULL); if (child == NULL) return (ISC_R_NOMEMORY); if (parent == NULL) - cidr->root = child; + rpzs->cidr = child; else parent->child[cur_num] = child; child->parent = parent; - set_node_flags(child, type); - if (found != NULL) - *found = cur; + child->set.client_ip |= tgt_set->client_ip; + child->set.ip |= tgt_set->ip; + child->set.nsip |= tgt_set->nsip; + set_sum_pair(child); + *found = cur; return (ISC_R_SUCCESS); } - /* - * Pretend a node not in the correct tree does not exist - * if we are not adding to the tree, - * If we are adding, then continue down to eventually - * add a node and mark/put this node in the correct tree. - */ - if ((cur->flags & flags) == 0 && !create) - return (find_result); + if ((cur->sum.client_ip & set.client_ip) == 0 && + (cur->sum.ip & set.ip) == 0 && + (cur->sum.nsip & set.nsip) == 0) { + /* + * This node has no relevant data + * and is in none of the target trees. + * Pretend it does not exist if we are not adding. + * + * If we are adding, continue down to eventually add + * a node and mark/put this node in the correct tree. + */ + if (!create) + return (find_result); + } - dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->bits); + dbit = diff_keys(tgt_ip, tgt_prefix, &cur->ip, cur->prefix); /* - * dbit <= tgt_prefix and dbit <= cur->bits always. + * dbit <= tgt_prefix and dbit <= cur->prefix always. * We are finished searching if we matched all of the target. */ if (dbit == tgt_prefix) { - if (tgt_prefix == cur->bits) { + if (tgt_prefix == cur->prefix) { /* - * The current node matches the target exactly. - * It is the answer if it has data. + * The node's key matches the target exactly. */ - if ((cur->flags & data_flag) != 0) { - if (create) - return (ISC_R_EXISTS); - if (found != NULL) - *found = cur; - return (ISC_R_SUCCESS); + if ((cur->set.client_ip & set.client_ip) != 0 || + (cur->set.ip & set.ip) != 0 || + (cur->set.nsip & set.nsip) != 0) { + /* + * It is the answer if it has data. + */ + *found = cur; + if (create) { + find_result = ISC_R_EXISTS; + } else { + find_result = ISC_R_SUCCESS; + } } else if (create) { /* - * The node had no data but does now. + * The node lacked relevant data, + * but will have it now. */ - set_node_flags(cur, type); - if (found != NULL) - *found = cur; - return (ISC_R_SUCCESS); + cur->set.client_ip |= tgt_set->client_ip; + cur->set.ip |= tgt_set->ip; + cur->set.nsip |= tgt_set->nsip; + set_sum_pair(cur); + *found = cur; + find_result = ISC_R_SUCCESS; } return (find_result); } /* - * We know tgt_prefix < cur_bits which means that + * We know tgt_prefix < cur->prefix which means that * the target is shorter than the current node. * Add the target as the current node's parent. */ if (!create) return (find_result); - new_parent = new_node(cidr, tgt_ip, tgt_prefix, - cur->flags); + new_parent = new_node(rpzs, tgt_ip, tgt_prefix, cur); if (new_parent == NULL) return (ISC_R_NOMEMORY); new_parent->parent = parent; if (parent == NULL) - cidr->root = new_parent; + rpzs->cidr = new_parent; else parent->child[cur_num] = new_parent; child_num = DNS_RPZ_IP_BIT(&cur->ip, tgt_prefix+1); new_parent->child[child_num] = cur; cur->parent = new_parent; - set_node_flags(new_parent, type); - if (found != NULL) - *found = new_parent; + new_parent->set = *tgt_set; + set_sum_pair(new_parent); + *found = new_parent; return (ISC_R_SUCCESS); } - if (dbit == cur->bits) { - /* - * We have a partial match by matching of all of the - * current node but only part of the target. - * Try to go down. - */ - if ((cur->flags & data_flag) != 0) { + if (dbit == cur->prefix) { + if ((cur->set.client_ip & set.client_ip) != 0 || + (cur->set.ip & set.ip) != 0 || + (cur->set.nsip & set.nsip) != 0) { + /* + * We have a partial match between of all of the + * current node but only part of the target. + * Continue searching for other hits in the + * same or lower numbered trees. + */ find_result = DNS_R_PARTIALMATCH; - if (found != NULL) - *found = cur; + *found = cur; + set.client_ip = trim_zbits(set.ip, + cur->set.client_ip); + set.ip = trim_zbits(set.ip, + cur->set.ip); + set.nsip = trim_zbits(set.nsip, + cur->set.nsip); } - parent = cur; cur_num = DNS_RPZ_IP_BIT(tgt_ip, dbit); cur = cur->child[cur_num]; @@ -894,7 +1053,7 @@ /* - * dbit < tgt_prefix and dbit < cur->bits, + * dbit < tgt_prefix and dbit < cur->prefix, * so we failed to match both the target and the current node. * Insert a fork of a parent above the current node and * add the target as a sibling of the current node @@ -902,17 +1061,17 @@ if (!create) return (find_result); - sibling = new_node(cidr, tgt_ip, tgt_prefix, 0); + sibling = new_node(rpzs, tgt_ip, tgt_prefix, NULL); if (sibling == NULL) return (ISC_R_NOMEMORY); - new_parent = new_node(cidr, tgt_ip, dbit, cur->flags); + new_parent = new_node(rpzs, tgt_ip, dbit, cur); if (new_parent == NULL) { - isc_mem_put(cidr->mctx, sibling, sizeof(*sibling)); + isc_mem_put(rpzs->mctx, sibling, sizeof(*sibling)); return (ISC_R_NOMEMORY); } new_parent->parent = parent; if (parent == NULL) - cidr->root = new_parent; + rpzs->cidr = new_parent; else parent->child[cur_num] = new_parent; child_num = DNS_RPZ_IP_BIT(tgt_ip, dbit); @@ -920,129 +1079,670 @@ new_parent->child[1-child_num] = cur; cur->parent = new_parent; sibling->parent = new_parent; - set_node_flags(sibling, type); - if (found != NULL) - *found = sibling; + sibling->set = *tgt_set; + set_sum_pair(sibling); + *found = sibling; return (ISC_R_SUCCESS); } } /* - * Add an IP address to the radix tree of a response policy database. - * The tree write lock must be held by the caller. + * Add an IP address to the radix tree. */ -void -dns_rpz_cidr_addip(dns_rpz_cidr_t *cidr, dns_name_t *name) { - isc_result_t result; +static isc_result_t +add_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ dns_rpz_cidr_key_t tgt_ip; - dns_rpz_cidr_bits_t tgt_prefix; - dns_rpz_type_t type; - - REQUIRE(cidr != NULL); + dns_rpz_prefix_t tgt_prefix; + dns_rpz_addr_zbits_t set; + dns_rpz_cidr_node_t *found; + isc_result_t result; + result = name2ipkey(DNS_RPZ_ERROR_LEVEL, rpzs, rpz_num, rpz_type, + src_name, &tgt_ip, &tgt_prefix, &set); /* - * No worries if the new name is not an IP address. + * Log complaints about bad owner names but let the zone load. */ - type = set_type(cidr, name); - switch (type) { - case DNS_RPZ_TYPE_IP: - case DNS_RPZ_TYPE_NSIP: - break; - case DNS_RPZ_TYPE_NSDNAME: - cidr->have_nsdname = ISC_TRUE; - return; - case DNS_RPZ_TYPE_QNAME: - case DNS_RPZ_TYPE_BAD: - return; - } - result = name2ipkey(cidr, DNS_RPZ_ERROR_LEVEL, name, - type, &tgt_ip, &tgt_prefix); if (result != ISC_R_SUCCESS) - return; + return (ISC_R_SUCCESS); - result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_TRUE, NULL); - if (result == ISC_R_EXISTS && - isc_log_wouldlog(dns_lctx, DNS_RPZ_ERROR_LEVEL)) - { - char printname[DNS_NAME_FORMATSIZE]; + result = search(rpzs, &tgt_ip, tgt_prefix, &set, ISC_TRUE, &found); + if (result != ISC_R_SUCCESS) { + char namebuf[DNS_NAME_FORMATSIZE]; /* * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". */ - dns_name_format(name, printname, sizeof(printname)); + dns_name_format(src_name, namebuf, sizeof(namebuf)); isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, - "rpz add failed; \"%s\" is a duplicate name", - printname); + "rpz add_cidr(%s) failed: %s", + namebuf, isc_result_totext(result)); + return (result); } + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_TRUE); + return (result); } -/* - * Delete an IP address from the radix tree of a response policy database. - * The tree write lock must be held by the caller. - */ -void -dns_rpz_cidr_deleteip(dns_rpz_cidr_t *cidr, dns_name_t *name) { +static isc_result_t +add_nm(dns_rpz_zones_t *rpzs, dns_name_t *trig_name, + const dns_rpz_nm_data_t *new_data) +{ + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data; isc_result_t result; - dns_rpz_cidr_key_t tgt_ip; - dns_rpz_cidr_bits_t tgt_prefix; - dns_rpz_type_t type; - dns_rpz_cidr_node_t *tgt = NULL, *parent, *child; - dns_rpz_cidr_flags_t flags, data_flag; - if (cidr == NULL) - return; + nmnode = NULL; + result = dns_rbt_addnode(rpzs->rbt, trig_name, &nmnode); + switch (result) { + case ISC_R_SUCCESS: + case ISC_R_EXISTS: + nm_data = nmnode->data; + if (nm_data == NULL) { + nm_data = isc_mem_get(rpzs->mctx, sizeof(*nm_data)); + if (nm_data == NULL) + return (ISC_R_NOMEMORY); + *nm_data = *new_data; + nmnode->data = nm_data; + return (ISC_R_SUCCESS); + } + break; + default: + return (result); + } /* - * Decide which kind of policy zone IP address it is, if either - * and then find its node. + * Do not count bits that are already present */ - type = set_type(cidr, name); - switch (type) { - case DNS_RPZ_TYPE_IP: - case DNS_RPZ_TYPE_NSIP: - break; - case DNS_RPZ_TYPE_NSDNAME: + if ((nm_data->set.qname & new_data->set.qname) != 0 || + (nm_data->set.ns & new_data->set.ns) != 0 || + (nm_data->wild.qname & new_data->wild.qname) != 0 || + (nm_data->wild.ns & new_data->wild.ns) != 0) { + char namebuf[DNS_NAME_FORMATSIZE]; + /* - * We cannot easily count nsdnames because - * internal rbt nodes get deleted. + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". */ - return; + dns_name_format(trig_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz add_nm(%s): bits already set", namebuf); + return (ISC_R_EXISTS); + } + + nm_data->set.qname |= new_data->set.qname; + nm_data->set.ns |= new_data->set.ns; + nm_data->wild.qname |= new_data->wild.qname; + nm_data->wild.ns |= new_data->wild.ns; + return (ISC_R_SUCCESS); +} + +static isc_result_t +add_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + dns_rpz_nm_data_t new_data; + dns_fixedname_t trig_namef; + dns_name_t *trig_name; + isc_result_t result; + + dns_fixedname_init(&trig_namef); + trig_name = dns_fixedname_name(&trig_namef); + name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &new_data); + + result = add_nm(rpzs, trig_name, &new_data); + if (result == ISC_R_SUCCESS) + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_TRUE); + return (result); +} + +/* + * Callback to free the data for a node in the summary RBT database. + */ +static void +rpz_node_deleter(void *nm_data, void *mctx) { + isc_mem_put(mctx, nm_data, sizeof(dns_rpz_nm_data_t)); +} + +/* + * Get ready for a new set of policy zones. + */ +isc_result_t +dns_rpz_new_zones(dns_rpz_zones_t **rpzsp, isc_mem_t *mctx) { + dns_rpz_zones_t *new; + isc_result_t result; + + REQUIRE(rpzsp != NULL && *rpzsp == NULL); + + *rpzsp = NULL; + + new = isc_mem_get(mctx, sizeof(*new)); + if (new == NULL) + return (ISC_R_NOMEMORY); + memset(new, 0, sizeof(*new)); + + result = isc_mutex_init(&new->search_lock); + if (result != ISC_R_SUCCESS) { + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = isc_mutex_init(&new->maint_lock); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = isc_refcount_init(&new->refs, 1); + if (result != ISC_R_SUCCESS) { + DESTROYLOCK(&new->maint_lock); + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + result = dns_rbt_create(mctx, rpz_node_deleter, mctx, &new->rbt); + if (result != ISC_R_SUCCESS) { + isc_refcount_decrement(&new->refs, NULL); + isc_refcount_destroy(&new->refs); + DESTROYLOCK(&new->maint_lock); + DESTROYLOCK(&new->search_lock); + isc_mem_put(mctx, new, sizeof(*new)); + return (result); + } + + isc_mem_attach(mctx, &new->mctx); + + *rpzsp = new; + return (ISC_R_SUCCESS); +} + +/* + * Free the radix tree of a response policy database. + */ +static void +cidr_free(dns_rpz_zones_t *rpzs) { + dns_rpz_cidr_node_t *cur, *child, *parent; + + cur = rpzs->cidr; + while (cur != NULL) { + /* Depth first. */ + child = cur->child[0]; + if (child != NULL) { + cur = child; + continue; + } + child = cur->child[1]; + if (child != NULL) { + cur = child; + continue; + } + + /* Delete this leaf and go up. */ + parent = cur->parent; + if (parent == NULL) + rpzs->cidr = NULL; + else + parent->child[parent->child[1] == cur] = NULL; + isc_mem_put(rpzs->mctx, cur, sizeof(*cur)); + cur = parent; + } +} + +/* + * Discard a response policy zone blob + * before discarding the overall rpz structure. + */ +static void +rpz_detach(dns_rpz_zone_t **rpzp, dns_rpz_zones_t *rpzs) { + dns_rpz_zone_t *rpz; + unsigned int refs; + + rpz = *rpzp; + *rpzp = NULL; + isc_refcount_decrement(&rpz->refs, &refs); + if (refs != 0) + return; + isc_refcount_destroy(&rpz->refs); + + if (dns_name_dynamic(&rpz->origin)) + dns_name_free(&rpz->origin, rpzs->mctx); + if (dns_name_dynamic(&rpz->client_ip)) + dns_name_free(&rpz->client_ip, rpzs->mctx); + if (dns_name_dynamic(&rpz->ip)) + dns_name_free(&rpz->ip, rpzs->mctx); + if (dns_name_dynamic(&rpz->nsdname)) + dns_name_free(&rpz->nsdname, rpzs->mctx); + if (dns_name_dynamic(&rpz->nsip)) + dns_name_free(&rpz->nsip, rpzs->mctx); + if (dns_name_dynamic(&rpz->passthru)) + dns_name_free(&rpz->passthru, rpzs->mctx); + if (dns_name_dynamic(&rpz->drop)) + dns_name_free(&rpz->drop, rpzs->mctx); + if (dns_name_dynamic(&rpz->tcp_only)) + dns_name_free(&rpz->tcp_only, rpzs->mctx); + if (dns_name_dynamic(&rpz->cname)) + dns_name_free(&rpz->cname, rpzs->mctx); + + isc_mem_put(rpzs->mctx, rpz, sizeof(*rpz)); +} + +void +dns_rpz_attach_rpzs(dns_rpz_zones_t *rpzs, dns_rpz_zones_t **rpzsp) { + REQUIRE(rpzsp != NULL && *rpzsp == NULL); + isc_refcount_increment(&rpzs->refs, NULL); + *rpzsp = rpzs; +} + +/* + * Forget a view's policy zones. + */ +void +dns_rpz_detach_rpzs(dns_rpz_zones_t **rpzsp) { + dns_rpz_zones_t *rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_num_t rpz_num; + unsigned int refs; + + REQUIRE(rpzsp != NULL); + rpzs = *rpzsp; + REQUIRE(rpzs != NULL); + + *rpzsp = NULL; + isc_refcount_decrement(&rpzs->refs, &refs); + + /* + * Forget the last of view's rpz machinery after the last reference. + */ + if (refs == 0) { + for (rpz_num = 0; rpz_num < DNS_RPZ_MAX_ZONES; ++rpz_num) { + rpz = rpzs->zones[rpz_num]; + rpzs->zones[rpz_num] = NULL; + if (rpz != NULL) + rpz_detach(&rpz, rpzs); + } + + cidr_free(rpzs); + dns_rbt_destroy(&rpzs->rbt); + DESTROYLOCK(&rpzs->maint_lock); + DESTROYLOCK(&rpzs->search_lock); + isc_refcount_destroy(&rpzs->refs); + isc_mem_putanddetach(&rpzs->mctx, rpzs, sizeof(*rpzs)); + } +} + +/* + * Create empty summary database to load one zone. + * The RBTDB write tree lock must be held. + */ +isc_result_t +dns_rpz_beginload(dns_rpz_zones_t **load_rpzsp, + dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) +{ + dns_rpz_zones_t *load_rpzs; + dns_rpz_zone_t *rpz; + dns_rpz_zbits_t tgt; + isc_result_t result; + + REQUIRE(rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + /* + * When reloading a zone, there are usually records among the summary + * data for the zone. Some of those records might be deleted by the + * reloaded zone data. To deal with that case: + * reload the new zone data into a new blank summary database + * if the reload fails, discard the new summary database + * if the new zone data is acceptable, copy the records for the + * other zones into the new summary database and replace the + * old summary database with the new. + * + * At the first attempt to load a zone, there is no summary data + * for the zone and so no records that need to be deleted. + * This is also the most common case of policy zone loading. + * Most policy zone maintenance should be by incremental changes + * and so by the addition and deletion of individual records. + * Detect that case and load records the first time into the + * operational summary database + */ + tgt = DNS_RPZ_ZBIT(rpz_num); + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + if ((rpzs->load_begun & tgt) == 0) { + /* + * There is no existing version of the target zone. + */ + rpzs->load_begun |= tgt; + dns_rpz_attach_rpzs(rpzs, load_rpzsp); + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + + } else { + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + + result = dns_rpz_new_zones(load_rpzsp, rpzs->mctx); + if (result != ISC_R_SUCCESS) + return (result); + load_rpzs = *load_rpzsp; + load_rpzs->p.num_zones = rpzs->p.num_zones; + load_rpzs->total_triggers = rpzs->total_triggers; + memcpy(load_rpzs->triggers, rpzs->triggers, + sizeof(load_rpzs->triggers)); + memset(&load_rpzs->triggers[rpz_num], 0, + sizeof(load_rpzs->triggers[rpz_num])); + load_rpzs->zones[rpz_num] = rpz; + isc_refcount_increment(&rpz->refs, NULL); + } + + return (ISC_R_SUCCESS); +} + +static void +fix_triggers(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num) { + dns_rpz_num_t n; + const dns_rpz_zone_t *rpz; + dns_rpz_triggers_t old_totals; + dns_rpz_zbits_t zbit; + char namebuf[DNS_NAME_FORMATSIZE]; + +# define SET_TRIG(n, zbit, type) \ + if (rpzs->triggers[n].type == 0) { \ + rpzs->have.type &= ~zbit; \ + } else { \ + rpzs->total_triggers.type += rpzs->triggers[n].type; \ + rpzs->have.type |= zbit; \ + } + + memcpy(&old_totals, &rpzs->total_triggers, sizeof(old_totals)); + memset(&rpzs->total_triggers, 0, sizeof(rpzs->total_triggers)); + for (n = 0; n < rpzs->p.num_zones; ++n) { + rpz = rpzs->zones[n]; + zbit = DNS_RPZ_ZBIT(n); + SET_TRIG(n, zbit, client_ipv4); + SET_TRIG(n, zbit, client_ipv6); + SET_TRIG(n, zbit, qname); + SET_TRIG(n, zbit, ipv4); + SET_TRIG(n, zbit, ipv6); + SET_TRIG(n, zbit, nsdname); + SET_TRIG(n, zbit, nsipv4); + SET_TRIG(n, zbit, nsipv6); + } + + fix_qname_skip_recurse(rpzs); + + dns_name_format(&rpzs->zones[rpz_num]->origin, + namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_INFO_LEVEL, + "(re)loading policy zone '%s' changed from" + " %d to %d qname, %d to %d nsdname," + " %d to %d IP, %d to %d NSIP entries", + namebuf, + old_totals.qname, rpzs->total_triggers.qname, + old_totals.nsdname, rpzs->total_triggers.nsdname, + old_totals.ipv4 + old_totals.ipv6, + rpzs->total_triggers.ipv4 + rpzs->total_triggers.ipv6, + old_totals.nsipv4 + old_totals.nsipv6, + rpzs->total_triggers.nsipv4 + rpzs->total_triggers.nsipv6); + +# undef SET_TRIG +} + +/* + * Finish loading one zone. + * The RBTDB write tree lock must be held. + */ +isc_result_t +dns_rpz_ready(dns_rpz_zones_t *rpzs, + dns_rpz_zones_t **load_rpzsp, dns_rpz_num_t rpz_num) +{ + dns_rpz_zones_t *load_rpzs; + const dns_rpz_cidr_node_t *cnode, *next_cnode, *parent_cnode; + dns_rpz_cidr_node_t *found; + dns_rpz_zbits_t new_bit; + dns_rpz_addr_zbits_t new_ip; + dns_rbt_t *rbt; + dns_rbtnodechain_t chain; + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data, new_data; + dns_fixedname_t labelf, originf, namef; + dns_name_t *label, *origin, *name; + isc_result_t result; + + INSIST(rpzs != NULL); + LOCK(&rpzs->maint_lock); + load_rpzs = *load_rpzsp; + INSIST(load_rpzs != NULL); + + if (load_rpzs == rpzs) { + /* + * This is a successful initial zone loading, + * perhaps for a new instance of a view. + */ + fix_triggers(rpzs, rpz_num); + UNLOCK(&rpzs->maint_lock); + dns_rpz_detach_rpzs(load_rpzsp); + return (ISC_R_SUCCESS); + } + + LOCK(&load_rpzs->maint_lock); + LOCK(&load_rpzs->search_lock); + + /* + * Unless there is only one policy zone, copy the other policy zones + * from the old policy structure to the new summary databases. + */ + if (rpzs->p.num_zones > 1) { + new_bit = ~DNS_RPZ_ZBIT(rpz_num); + + /* + * Copy to the radix tree. + */ + for (cnode = rpzs->cidr; cnode != NULL; cnode = next_cnode) { + new_ip.ip = cnode->set.ip & new_bit; + new_ip.client_ip = cnode->set.client_ip & new_bit; + new_ip.nsip = cnode->set.nsip & new_bit; + if (new_ip.client_ip != 0 || + new_ip.ip != 0 || + new_ip.nsip != 0) { + result = search(load_rpzs, + &cnode->ip, cnode->prefix, + &new_ip, ISC_TRUE, &found); + if (result == ISC_R_NOMEMORY) + goto unlock_and_detach; + INSIST(result == ISC_R_SUCCESS); + } + /* + * Do down and to the left as far as possible. + */ + next_cnode = cnode->child[0]; + if (next_cnode != NULL) + continue; + /* + * Go up until we find a branch to the right where + * we previously took the branch to the left. + */ + for (;;) { + parent_cnode = cnode->parent; + if (parent_cnode == NULL) + break; + if (parent_cnode->child[0] == cnode) { + next_cnode = parent_cnode->child[1]; + if (next_cnode != NULL) + break; + } + cnode = parent_cnode; + } + } + + /* + * Copy to the summary RBT. + */ + dns_fixedname_init(&namef); + name = dns_fixedname_name(&namef); + dns_fixedname_init(&labelf); + label = dns_fixedname_name(&labelf); + dns_fixedname_init(&originf); + origin = dns_fixedname_name(&originf); + dns_rbtnodechain_init(&chain, NULL); + result = dns_rbtnodechain_first(&chain, rpzs->rbt, NULL, NULL); + while (result == DNS_R_NEWORIGIN || result == ISC_R_SUCCESS) { + result = dns_rbtnodechain_current(&chain, label, origin, + &nmnode); + INSIST(result == ISC_R_SUCCESS); + nm_data = nmnode->data; + if (nm_data != NULL) { + new_data.set.qname = (nm_data->set.qname & + new_bit); + new_data.set.ns = nm_data->set.ns & new_bit; + new_data.wild.qname = (nm_data->wild.qname & + new_bit); + new_data.wild.ns = nm_data->wild.ns & new_bit; + if (new_data.set.qname != 0 || + new_data.set.ns != 0 || + new_data.wild.qname != 0 || + new_data.wild.ns != 0) { + result = dns_name_concatenate(label, + origin, name, NULL); + INSIST(result == ISC_R_SUCCESS); + result = add_nm(load_rpzs, name, + &new_data); + if (result != ISC_R_SUCCESS) + goto unlock_and_detach; + } + } + result = dns_rbtnodechain_next(&chain, NULL, NULL); + } + if (result != ISC_R_NOMORE && result != ISC_R_NOTFOUND) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "dns_rpz_ready(): unexpected %s", + isc_result_totext(result)); + goto unlock_and_detach; + } + } + + fix_triggers(load_rpzs, rpz_num); + + /* + * Exchange the summary databases. + */ + LOCK(&rpzs->search_lock); + + found = rpzs->cidr; + rpzs->cidr = load_rpzs->cidr; + load_rpzs->cidr = found; + + rbt = rpzs->rbt; + rpzs->rbt = load_rpzs->rbt; + load_rpzs->rbt = rbt; + + rpzs->total_triggers = load_rpzs->total_triggers; + + UNLOCK(&rpzs->search_lock); + + result = ISC_R_SUCCESS; + + unlock_and_detach: + UNLOCK(&rpzs->maint_lock); + UNLOCK(&load_rpzs->search_lock); + UNLOCK(&load_rpzs->maint_lock); + dns_rpz_detach_rpzs(load_rpzsp); + return (result); +} + +/* + * Add an IP address to the radix tree or a name to the summary database. + */ +isc_result_t +dns_rpz_add(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, dns_name_t *src_name) +{ + dns_rpz_zone_t *rpz; + dns_rpz_type_t rpz_type; + isc_result_t result = ISC_R_FAILURE; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + rpz_type = type_from_name(rpz, src_name); + + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + + switch (rpz_type) { case DNS_RPZ_TYPE_QNAME: + case DNS_RPZ_TYPE_NSDNAME: + result = add_name(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_CLIENT_IP: + case DNS_RPZ_TYPE_IP: + case DNS_RPZ_TYPE_NSIP: + result = add_cidr(rpzs, rpz_num, rpz_type, src_name); + break; case DNS_RPZ_TYPE_BAD: - return; + break; } + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); + return (result); +} + +/* + * Remove an IP address from the radix tree. + */ +static void +del_cidr(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + isc_result_t result; + dns_rpz_cidr_key_t tgt_ip; + dns_rpz_prefix_t tgt_prefix; + dns_rpz_addr_zbits_t tgt_set; + dns_rpz_cidr_node_t *tgt, *parent, *child; + /* - * Do not get excited about the deletion of interior rbt nodes. + * Do not worry about invalid rpz IP address names. If we + * are here, then something relevant was added and so was + * valid. Invalid names here are usually internal RBTDB nodes. */ - result = name2ipkey(cidr, DNS_RPZ_DEBUG_QUIET, name, - type, &tgt_ip, &tgt_prefix); + result = name2ipkey(DNS_RPZ_DEBUG_QUIET, rpzs, rpz_num, rpz_type, + src_name, &tgt_ip, &tgt_prefix, &tgt_set); if (result != ISC_R_SUCCESS) return; - result = search(cidr, &tgt_ip, tgt_prefix, type, ISC_FALSE, &tgt); + result = search(rpzs, &tgt_ip, tgt_prefix, &tgt_set, ISC_FALSE, &tgt); if (result != ISC_R_SUCCESS) { - badname(DNS_RPZ_ERROR_LEVEL, name, "; missing rpz node", ""); + INSIST(result == ISC_R_NOTFOUND || + result == DNS_R_PARTIALMATCH); + /* + * Do not worry about missing summary RBT nodes that probably + * correspond to RBTDB nodes that were implicit RBT nodes + * that were later added for (often empty) wildcards + * and then to the RBTDB deferred cleanup list. + */ return; } /* * Mark the node and its parents to reflect the deleted IP address. + * Do not count bits that are already clear for internal RBTDB nodes. */ - flags = get_flags(&tgt_ip, tgt_prefix, type); - data_flag = flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA); - tgt->flags &= ~data_flag; - for (parent = tgt; parent != NULL; parent = parent->parent) { - if ((parent->flags & data_flag) != 0 || - (parent->child[0] != NULL && - (parent->child[0]->flags & flags) != 0) || - (parent->child[1] != NULL && - (parent->child[1]->flags & flags) != 0)) - break; - parent->flags &= ~flags; - } + tgt_set.client_ip &= tgt->set.client_ip; + tgt_set.ip &= tgt->set.ip; + tgt_set.nsip &= tgt->set.nsip; + tgt->set.client_ip &= ~tgt_set.client_ip; + tgt->set.ip &= ~tgt_set.ip; + tgt->set.nsip &= ~tgt_set.nsip; + set_sum_pair(tgt); + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, &tgt_ip, tgt_prefix, ISC_FALSE); /* * We might need to delete 2 nodes. @@ -1054,13 +1754,14 @@ */ if ((child = tgt->child[0]) != NULL) { if (tgt->child[1] != NULL) - return; + break; } else { child = tgt->child[1]; } - if ((tgt->flags & (DNS_RPZ_CIDR_FG_IP_DATA | - DNS_RPZ_CIDR_FG_NSIP_DATA)) != 0) - return; + if (tgt->set.client_ip != 0 || + tgt->set.ip != 0 || + tgt->set.nsip != 0) + break; /* * Replace the pointer to this node in the parent with @@ -1068,7 +1769,7 @@ */ parent = tgt->parent; if (parent == NULL) { - cidr->root = child; + rpzs->cidr = child; } else { parent->child[parent->child[1] == tgt] = child; } @@ -1077,26 +1778,144 @@ */ if (child != NULL) child->parent = parent; - isc_mem_put(cidr->mctx, tgt, sizeof(*tgt)); + isc_mem_put(rpzs->mctx, tgt, sizeof(*tgt)); tgt = parent; } while (tgt != NULL); } +static void +del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_rpz_type_t rpz_type, dns_name_t *src_name) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_fixedname_t trig_namef; + dns_name_t *trig_name; + dns_rbtnode_t *nmnode; + dns_rpz_nm_data_t *nm_data, del_data; + isc_result_t result; + + dns_fixedname_init(&trig_namef); + trig_name = dns_fixedname_name(&trig_namef); + name2data(rpzs, rpz_num, rpz_type, src_name, trig_name, &del_data); + + /* + * No need for a summary database of names with only 1 policy zone. + */ + if (rpzs->p.num_zones <= 1) { + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE); + return; + } + + nmnode = NULL; + result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, 0, + NULL, NULL); + if (result != ISC_R_SUCCESS) { + /* + * Do not worry about missing summary RBT nodes that probably + * correspond to RBTDB nodes that were implicit RBT nodes + * that were later added for (often empty) wildcards + * and then to the RBTDB deferred cleanup list. + */ + if (result == ISC_R_NOTFOUND) + return; + dns_name_format(src_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz del_name(%s) node search failed: %s", + namebuf, isc_result_totext(result)); + return; + } + + nm_data = nmnode->data; + INSIST(nm_data != NULL); + + /* + * Do not count bits that next existed for RBT nodes that would we + * would not have found in a summary for a single RBTDB tree. + */ + del_data.set.qname &= nm_data->set.qname; + del_data.set.ns &= nm_data->set.ns; + del_data.wild.qname &= nm_data->wild.qname; + del_data.wild.ns &= nm_data->wild.ns; + + nm_data->set.qname &= ~del_data.set.qname; + nm_data->set.ns &= ~del_data.set.ns; + nm_data->wild.qname &= ~del_data.wild.qname; + nm_data->wild.ns &= ~del_data.wild.ns; + + if (nm_data->set.qname == 0 && nm_data->set.ns == 0 && + nm_data->wild.qname == 0 && nm_data->wild.ns == 0) { + result = dns_rbt_deletenode(rpzs->rbt, nmnode, ISC_FALSE); + if (result != ISC_R_SUCCESS) { + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + dns_name_format(src_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz del_name(%s) node delete failed: %s", + namebuf, isc_result_totext(result)); + } + } + + adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE); +} + /* - * Caller must hold tree lock. - * Return ISC_R_NOTFOUND - * or ISC_R_SUCCESS and the found entry's canonical and search names - * and its prefix length + * Remove an IP address from the radix tree or a name from the summary database. */ -isc_result_t -dns_rpz_cidr_find(dns_rpz_cidr_t *cidr, const isc_netaddr_t *netaddr, - dns_rpz_type_t type, dns_name_t *canon_name, - dns_name_t *search_name, dns_rpz_cidr_bits_t *prefix) +void +dns_rpz_delete(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num, + dns_name_t *src_name) { + dns_rpz_zone_t *rpz; + dns_rpz_type_t rpz_type; + + REQUIRE(rpzs != NULL && rpz_num < rpzs->p.num_zones); + rpz = rpzs->zones[rpz_num]; + REQUIRE(rpz != NULL); + + rpz_type = type_from_name(rpz, src_name); + + LOCK(&rpzs->maint_lock); + LOCK(&rpzs->search_lock); + + switch (rpz_type) { + case DNS_RPZ_TYPE_QNAME: + case DNS_RPZ_TYPE_NSDNAME: + del_name(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_CLIENT_IP: + case DNS_RPZ_TYPE_IP: + case DNS_RPZ_TYPE_NSIP: + del_cidr(rpzs, rpz_num, rpz_type, src_name); + break; + case DNS_RPZ_TYPE_BAD: + break; + } + + UNLOCK(&rpzs->search_lock); + UNLOCK(&rpzs->maint_lock); +} + +/* + * Search the summary radix tree to get a relative owner name in a + * policy zone relevant to a triggering IP address. + * rpz_type and zbits limit the search for IP address netaddr + * return the policy zone's number or DNS_RPZ_INVALID_NUM + * ip_name is the relative owner name found and + * *prefixp is its prefix length. + */ +dns_rpz_num_t +dns_rpz_find_ip(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, const isc_netaddr_t *netaddr, + dns_name_t *ip_name, dns_rpz_prefix_t *prefixp) { dns_rpz_cidr_key_t tgt_ip; - isc_result_t result; + dns_rpz_addr_zbits_t tgt_set; dns_rpz_cidr_node_t *found; + isc_result_t result; + dns_rpz_num_t rpz_num; int i; /* @@ -1107,29 +1926,163 @@ tgt_ip.w[1] = 0; tgt_ip.w[2] = ADDR_V4MAPPED; tgt_ip.w[3] = ntohl(netaddr->type.in.s_addr); + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits &= rpzs->have.client_ipv4; + break; + case DNS_RPZ_TYPE_IP: + zbits &= rpzs->have.ipv4; + break; + case DNS_RPZ_TYPE_NSIP: + zbits &= rpzs->have.nsipv4; + break; + default: + INSIST(0); + break; + } } else if (netaddr->family == AF_INET6) { dns_rpz_cidr_key_t src_ip6; /* * Given the int aligned struct in_addr member of netaddr->type * one could cast netaddr->type.in6 to dns_rpz_cidr_key_t *, - * but there are objections. + * but some people object. */ memcpy(src_ip6.w, &netaddr->type.in6, sizeof(src_ip6.w)); for (i = 0; i < 4; i++) { tgt_ip.w[i] = ntohl(src_ip6.w[i]); } + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + zbits &= rpzs->have.client_ipv6; + break; + case DNS_RPZ_TYPE_IP: + zbits &= rpzs->have.ipv6; + break; + case DNS_RPZ_TYPE_NSIP: + zbits &= rpzs->have.nsipv6; + break; + default: + INSIST(0); + break; + } } else { - return (ISC_R_NOTFOUND); + return (DNS_RPZ_INVALID_NUM); } - result = search(cidr, &tgt_ip, 128, type, ISC_FALSE, &found); - if (result != ISC_R_SUCCESS && result != DNS_R_PARTIALMATCH) - return (result); + if (zbits == 0) + return (DNS_RPZ_INVALID_NUM); + make_addr_set(&tgt_set, zbits, rpz_type); + + LOCK(&rpzs->search_lock); + result = search(rpzs, &tgt_ip, 128, &tgt_set, ISC_FALSE, &found); + if (result == ISC_R_NOTFOUND) { + /* + * There are no eligible zones for this IP address. + */ + UNLOCK(&rpzs->search_lock); + return (DNS_RPZ_INVALID_NUM); + } - *prefix = found->bits; - return (ip2name(cidr, &found->ip, found->bits, type, - canon_name, search_name)); + /* + * Construct the trigger name for the longest matching trigger + * in the first eligible zone with a match. + */ + *prefixp = found->prefix; + switch (rpz_type) { + case DNS_RPZ_TYPE_CLIENT_IP: + rpz_num = zbit_to_num(found->set.client_ip & tgt_set.client_ip); + break; + case DNS_RPZ_TYPE_IP: + rpz_num = zbit_to_num(found->set.ip & tgt_set.ip); + break; + case DNS_RPZ_TYPE_NSIP: + rpz_num = zbit_to_num(found->set.nsip & tgt_set.nsip); + break; + default: + INSIST(0); + break; + } + result = ip2name(&found->ip, found->prefix, dns_rootname, ip_name); + UNLOCK(&rpzs->search_lock); + if (result != ISC_R_SUCCESS) { + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "rpz ip2name() failed: %s", + isc_result_totext(result)); + return (DNS_RPZ_INVALID_NUM); + } + return (rpz_num); +} + +/* + * Search the summary radix tree for policy zones with triggers matching + * a name. + */ +dns_rpz_zbits_t +dns_rpz_find_name(dns_rpz_zones_t *rpzs, dns_rpz_type_t rpz_type, + dns_rpz_zbits_t zbits, dns_name_t *trig_name) +{ + char namebuf[DNS_NAME_FORMATSIZE]; + dns_rbtnode_t *nmnode; + const dns_rpz_nm_data_t *nm_data; + dns_rpz_zbits_t found_zbits; + isc_result_t result; + + if (zbits == 0) + return (0); + + found_zbits = 0; + + LOCK(&rpzs->search_lock); + + nmnode = NULL; + result = dns_rbt_findnode(rpzs->rbt, trig_name, NULL, &nmnode, NULL, + DNS_RBTFIND_EMPTYDATA, NULL, NULL); + switch (result) { + case ISC_R_SUCCESS: + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) + found_zbits = nm_data->set.qname; + else + found_zbits = nm_data->set.ns; + } + nmnode = nmnode->parent; + /* fall thru */ + case DNS_R_PARTIALMATCH: + while (nmnode != NULL) { + nm_data = nmnode->data; + if (nm_data != NULL) { + if (rpz_type == DNS_RPZ_TYPE_QNAME) + found_zbits |= nm_data->wild.qname; + else + found_zbits |= nm_data->wild.ns; + } + nmnode = nmnode->parent; + } + break; + + case ISC_R_NOTFOUND: + break; + + default: + /* + * bin/tests/system/rpz/tests.sh looks for "rpz.*failed". + */ + dns_name_format(trig_name, namebuf, sizeof(namebuf)); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RPZ, + DNS_LOGMODULE_RBTDB, DNS_RPZ_ERROR_LEVEL, + "dns_rpz_find_name(%s) failed: %s", + namebuf, isc_result_totext(result)); + break; + } + + UNLOCK(&rpzs->search_lock); + return (zbits & found_zbits); } /* @@ -1144,10 +2097,10 @@ isc_result_t result; result = dns_rdataset_first(rdataset); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + INSIST(result == ISC_R_SUCCESS); dns_rdataset_current(rdataset, &rdata); result = dns_rdata_tostruct(&rdata, &cname, NULL); - RUNTIME_CHECK(result == ISC_R_SUCCESS); + INSIST(result == ISC_R_SUCCESS); dns_rdata_reset(&rdata); /* @@ -1174,7 +2127,19 @@ } /* - * CNAME PASSTHRU.origin means "do not rewrite. + * CNAME rpz-tcp-only. means "send truncated UDP responses." + */ + if (dns_name_equal(&cname.cname, &rpz->tcp_only)) + return (DNS_RPZ_POLICY_TCP_ONLY); + + /* + * CNAME rpz-drop. means "do not respond." + */ + if (dns_name_equal(&cname.cname, &rpz->drop)) + return (DNS_RPZ_POLICY_DROP); + + /* + * CNAME rpz-passthru. means "do not rewrite." */ if (dns_name_equal(&cname.cname, &rpz->passthru)) return (DNS_RPZ_POLICY_PASSTHRU); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/rrl.c +++ bind9-9.9.3.dfsg.P2/lib/dns/rrl.c @@ -0,0 +1,1324 @@ +/* + * Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/*! \file */ + +/* + * Rate limit DNS responses. + */ + +/* #define ISC_LIST_CHECKINIT */ + +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include + +static void +log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early, + char *log_buf, unsigned int log_buf_len); + +/* + * Get a modulus for a hash function that is tolerably likely to be + * relatively prime to most inputs. Of course, we get a prime for for initial + * values not larger than the square of the last prime. We often get a prime + * after that. + * This works well in practice for hash tables up to at least 100 + * times the square of the last prime and better than a multiplicative hash. + */ +static int +hash_divisor(unsigned int initial) { + static isc_uint16_t primes[] = { + 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, + 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, +#if 0 + 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, + 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, + 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, + 293, 307, 311, 313, 317, 331, 337, 347, 349, 353, 359, 367, + 373, 379, 383, 389, 397, 401, 409, 419, 421, 431, 433, 439, + 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509, + 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, + 601, 607, 613, 617, 619, 631, 641, 643, 647, 653, 659, 661, + 673, 677, 683, 691, 701, 709, 719, 727, 733, 739, 743, 751, + 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829, + 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, + 929, 937, 941, 947, 953, 967, 971, 977, 983, 991, 997,1009, +#endif + }; + int divisions, tries; + unsigned int result; + isc_uint16_t *pp, p; + + result = initial; + + if (primes[sizeof(primes)/sizeof(primes[0])-1] >= result) { + pp = primes; + while (*pp < result) + ++pp; + return (*pp); + } + + if ((result & 1) == 0) + ++result; + + divisions = 0; + tries = 1; + pp = primes; + do { + p = *pp++; + ++divisions; + if ((result % p) == 0) { + ++tries; + result += 2; + pp = primes; + } + } while (pp < &primes[sizeof(primes) / sizeof(primes[0])]); + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3, + "%d hash_divisor() divisions in %d tries" + " to get %d from %d", + divisions, tries, result, initial); + + return (result); +} + +/* + * Convert a timestamp to a number of seconds in the past. + */ +static inline int +delta_rrl_time(isc_stdtime_t ts, isc_stdtime_t now) { + int delta; + + delta = now - ts; + if (delta >= 0) + return (delta); + + /* + * The timestamp is in the future. That future might result from + * re-ordered requests, because we use timestamps on requests + * instead of consulting a clock. Timestamps in the distant future are + * assumed to result from clock changes. When the clock changes to + * the past, make existing timestamps appear to be in the past. + */ + if (delta < -DNS_RRL_MAX_TIME_TRAVEL) + return (DNS_RRL_FOREVER); + return (0); +} + +static inline int +get_age(const dns_rrl_t *rrl, const dns_rrl_entry_t *e, isc_stdtime_t now) { + if (!e->ts_valid) + return (DNS_RRL_FOREVER); + return (delta_rrl_time(e->ts + rrl->ts_bases[e->ts_gen], now)); +} + +static inline void +set_age(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_stdtime_t now) { + dns_rrl_entry_t *e_old; + unsigned int ts_gen; + int i, ts; + + ts_gen = rrl->ts_gen; + ts = now - rrl->ts_bases[ts_gen]; + if (ts < 0) { + if (ts < -DNS_RRL_MAX_TIME_TRAVEL) + ts = DNS_RRL_FOREVER; + else + ts = 0; + } + + /* + * Make a new timestamp base if the current base is too old. + * All entries older than DNS_RRL_MAX_WINDOW seconds are ancient, + * useless history. Their timestamps can be treated as if they are + * all the same. + * We only do arithmetic on more recent timestamps, so bases for + * older timestamps can be recycled provided the old timestamps are + * marked as ancient history. + * This loop is almost always very short because most entries are + * recycled after one second and any entries that need to be marked + * are older than (DNS_RRL_TS_BASES)*DNS_RRL_MAX_TS seconds. + */ + if (ts >= DNS_RRL_MAX_TS) { + ts_gen = (ts_gen + 1) % DNS_RRL_TS_BASES; + for (e_old = ISC_LIST_TAIL(rrl->lru), i = 0; + e_old != NULL && (e_old->ts_gen == ts_gen || + !ISC_LINK_LINKED(e_old, hlink)); + e_old = ISC_LIST_PREV(e_old, lru), ++i) + { + e_old->ts_valid = ISC_FALSE; + } + if (i != 0) + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, + "rrl new time base scanned %d entries" + " at %d for %d %d %d %d", + i, now, rrl->ts_bases[ts_gen], + rrl->ts_bases[(ts_gen + 1) % + DNS_RRL_TS_BASES], + rrl->ts_bases[(ts_gen + 2) % + DNS_RRL_TS_BASES], + rrl->ts_bases[(ts_gen + 3) % + DNS_RRL_TS_BASES]); + rrl->ts_gen = ts_gen; + rrl->ts_bases[ts_gen] = now; + ts = 0; + } + + e->ts_gen = ts_gen; + e->ts = ts; + e->ts_valid = ISC_TRUE; +} + +static isc_result_t +expand_entries(dns_rrl_t *rrl, int new) { + unsigned int bsize; + dns_rrl_block_t *b; + dns_rrl_entry_t *e; + double rate; + int i; + + if (rrl->num_entries+new >= rrl->max_entries && rrl->max_entries != 0) { + if (rrl->num_entries >= rrl->max_entries) + return (ISC_R_SUCCESS); + new = rrl->max_entries - rrl->num_entries; + if (new <= 0) + return (ISC_R_NOMEMORY); + } + + /* + * Log expansions so that the user can tune max-table-size + * and min-table-size. + */ + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && + rrl->hash != NULL) { + rate = rrl->probes; + if (rrl->searches != 0) + rate /= rrl->searches; + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "increase from %d to %d RRL entries with" + " %d bins; average search length %.1f", + rrl->num_entries, rrl->num_entries+new, + rrl->hash->length, rate); + } + + bsize = sizeof(dns_rrl_block_t) + (new-1)*sizeof(dns_rrl_entry_t); + b = isc_mem_get(rrl->mctx, bsize); + if (b == NULL) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL, + "isc_mem_get(%d) failed for RRL entries", + bsize); + return (ISC_R_NOMEMORY); + } + memset(b, 0, bsize); + b->size = bsize; + + e = b->entries; + for (i = 0; i < new; ++i, ++e) { + ISC_LINK_INIT(e, hlink); + ISC_LIST_INITANDAPPEND(rrl->lru, e, lru); + } + rrl->num_entries += new; + ISC_LIST_INITANDAPPEND(rrl->blocks, b, link); + + return (ISC_R_SUCCESS); +} + +static inline dns_rrl_bin_t * +get_bin(dns_rrl_hash_t *hash, unsigned int hval) { + return (&hash->bins[hval % hash->length]); +} + +static void +free_old_hash(dns_rrl_t *rrl) { + dns_rrl_hash_t *old_hash; + dns_rrl_bin_t *old_bin; + dns_rrl_entry_t *e, *e_next; + + old_hash = rrl->old_hash; + for (old_bin = &old_hash->bins[0]; + old_bin < &old_hash->bins[old_hash->length]; + ++old_bin) + { + for (e = ISC_LIST_HEAD(*old_bin); e != NULL; e = e_next) { + e_next = ISC_LIST_NEXT(e, hlink); + ISC_LINK_INIT(e, hlink); + } + } + + isc_mem_put(rrl->mctx, old_hash, + sizeof(*old_hash) + + (old_hash->length - 1) * sizeof(old_hash->bins[0])); + rrl->old_hash = NULL; +} + +static isc_result_t +expand_rrl_hash(dns_rrl_t *rrl, isc_stdtime_t now) { + dns_rrl_hash_t *hash; + int old_bins, new_bins, hsize; + double rate; + + if (rrl->old_hash != NULL) + free_old_hash(rrl); + + /* + * Most searches fail and so go to the end of the chain. + * Use a small hash table load factor. + */ + old_bins = (rrl->hash == NULL) ? 0 : rrl->hash->length; + new_bins = old_bins/8 + old_bins; + if (new_bins < rrl->num_entries) + new_bins = rrl->num_entries; + new_bins = hash_divisor(new_bins); + + hsize = sizeof(dns_rrl_hash_t) + (new_bins-1)*sizeof(hash->bins[0]); + hash = isc_mem_get(rrl->mctx, hsize); + if (hash == NULL) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_FAIL, + "isc_mem_get(%d) failed for" + " RRL hash table", + hsize); + return (ISC_R_NOMEMORY); + } + memset(hash, 0, hsize); + hash->length = new_bins; + rrl->hash_gen ^= 1; + hash->gen = rrl->hash_gen; + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP) && old_bins != 0) { + rate = rrl->probes; + if (rrl->searches != 0) + rate /= rrl->searches; + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "increase from %d to %d RRL bins for" + " %d entries; average search length %.1f", + old_bins, new_bins, rrl->num_entries, rate); + } + + rrl->old_hash = rrl->hash; + if (rrl->old_hash != NULL) + rrl->old_hash->check_time = now; + rrl->hash = hash; + + return (ISC_R_SUCCESS); +} + +static void +ref_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, int probes, isc_stdtime_t now) { + /* + * Make the entry most recently used. + */ + if (ISC_LIST_HEAD(rrl->lru) != e) { + if (e == rrl->last_logged) + rrl->last_logged = ISC_LIST_PREV(e, lru); + ISC_LIST_UNLINK(rrl->lru, e, lru); + ISC_LIST_PREPEND(rrl->lru, e, lru); + } + + /* + * Expand the hash table if it is time and necessary. + * This will leave the newly referenced entry in a chain in the + * old hash table. It will migrate to the new hash table the next + * time it is used or be cut loose when the old hash table is destroyed. + */ + rrl->probes += probes; + ++rrl->searches; + if (rrl->searches > 100 && + delta_rrl_time(rrl->hash->check_time, now) > 1) { + if (rrl->probes/rrl->searches > 2) + expand_rrl_hash(rrl, now); + rrl->hash->check_time = now; + rrl->probes = 0; + rrl->searches = 0; + } +} + +static inline isc_boolean_t +key_cmp(const dns_rrl_key_t *a, const dns_rrl_key_t *b) { + if (memcmp(a, b, sizeof(dns_rrl_key_t)) == 0) + return (ISC_TRUE); + return (ISC_FALSE); +} + +static inline isc_uint32_t +hash_key(const dns_rrl_key_t *key) { + isc_uint32_t hval; + int i; + + hval = key->w[0]; + for (i = sizeof(*key) / sizeof(key->w[0]) - 1; i >= 0; --i) { + hval = key->w[i] + (hval<<1); + } + return (hval); +} + +/* + * Construct the hash table key. + * Use a hash of the DNS query name to save space in the database. + * Collisions result in legitimate rate limiting responses for one + * query name also limiting responses for other names to the + * same client. This is rare and benign enough given the large + * space costs compared to keeping the entire name in the database + * entry or the time costs of dynamic allocation. + */ +static void +make_key(const dns_rrl_t *rrl, dns_rrl_key_t *key, + const isc_sockaddr_t *client_addr, + dns_rdatatype_t qtype, dns_name_t *qname, dns_rdataclass_t qclass, + dns_rrl_rtype_t rtype) +{ + dns_name_t base; + dns_offsets_t base_offsets; + int labels, i; + + memset(key, 0, sizeof(*key)); + + key->s.rtype = rtype; + if (rtype == DNS_RRL_RTYPE_QUERY) { + key->s.qtype = qtype; + key->s.qclass = qclass & 0xff; + } else if (rtype == DNS_RRL_RTYPE_REFERRAL || + rtype == DNS_RRL_RTYPE_NODATA) { + /* + * Because there is no qtype in the empty answer sections of + * referral and NODATA responses, count them as the same. + */ + key->s.qclass = qclass & 0xff; + } + + if (qname != NULL && qname->labels != 0) { + /* + * Ignore the first label of wildcards. + */ + if ((qname->attributes & DNS_NAMEATTR_WILDCARD) != 0 && + (labels = dns_name_countlabels(qname)) > 1) + { + dns_name_init(&base, base_offsets); + dns_name_getlabelsequence(qname, 1, labels-1, &base); + key->s.qname_hash = dns_name_hashbylabel(&base, + ISC_FALSE); + } else { + key->s.qname_hash = dns_name_hashbylabel(qname, + ISC_FALSE); + } + } + + switch (client_addr->type.sa.sa_family) { + case AF_INET: + key->s.ip[0] = (client_addr->type.sin.sin_addr.s_addr & + rrl->ipv4_mask); + break; + case AF_INET6: + key->s.ipv6 = ISC_TRUE; + memcpy(key->s.ip, &client_addr->type.sin6.sin6_addr, + sizeof(key->s.ip)); + for (i = 0; i < DNS_RRL_MAX_PREFIX/32; ++i) + key->s.ip[i] &= rrl->ipv6_mask[i]; + break; + } +} + +static inline dns_rrl_rate_t * +get_rate(dns_rrl_t *rrl, dns_rrl_rtype_t rtype) { + switch (rtype) { + case DNS_RRL_RTYPE_QUERY: + return (&rrl->responses_per_second); + case DNS_RRL_RTYPE_REFERRAL: + return (&rrl->referrals_per_second); + case DNS_RRL_RTYPE_NODATA: + return (&rrl->nodata_per_second); + case DNS_RRL_RTYPE_NXDOMAIN: + return (&rrl->nxdomains_per_second); + case DNS_RRL_RTYPE_ERROR: + return (&rrl->errors_per_second); + case DNS_RRL_RTYPE_ALL: + return (&rrl->all_per_second); + default: + INSIST(0); + } + return (NULL); +} + +static int +response_balance(dns_rrl_t *rrl, const dns_rrl_entry_t *e, int age) { + dns_rrl_rate_t *ratep; + int balance, rate; + + if (e->key.s.rtype == DNS_RRL_RTYPE_TCP) { + rate = 1; + } else { + ratep = get_rate(rrl, e->key.s.rtype); + rate = ratep->scaled; + } + + balance = e->responses + age * rate; + if (balance > rate) + balance = rate; + return (balance); +} + +/* + * Search for an entry for a response and optionally create it. + */ +static dns_rrl_entry_t * +get_entry(dns_rrl_t *rrl, const isc_sockaddr_t *client_addr, + dns_rdataclass_t qclass, dns_rdatatype_t qtype, dns_name_t *qname, + dns_rrl_rtype_t rtype, isc_stdtime_t now, isc_boolean_t create, + char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_key_t key; + isc_uint32_t hval; + dns_rrl_entry_t *e; + dns_rrl_hash_t *hash; + dns_rrl_bin_t *new_bin, *old_bin; + int probes, age; + + make_key(rrl, &key, client_addr, qtype, qname, qclass, rtype); + hval = hash_key(&key); + + /* + * Look for the entry in the current hash table. + */ + new_bin = get_bin(rrl->hash, hval); + probes = 1; + e = ISC_LIST_HEAD(*new_bin); + while (e != NULL) { + if (key_cmp(&e->key, &key)) { + ref_entry(rrl, e, probes, now); + return (e); + } + ++probes; + e = ISC_LIST_NEXT(e, hlink); + } + + /* + * Look in the old hash table. + */ + if (rrl->old_hash != NULL) { + old_bin = get_bin(rrl->old_hash, hval); + e = ISC_LIST_HEAD(*old_bin); + while (e != NULL) { + if (key_cmp(&e->key, &key)) { + ISC_LIST_UNLINK(*old_bin, e, hlink); + ISC_LIST_PREPEND(*new_bin, e, hlink); + e->hash_gen = rrl->hash_gen; + ref_entry(rrl, e, probes, now); + return (e); + } + e = ISC_LIST_NEXT(e, hlink); + } + + /* + * Discard prevous hash table when all of its entries are old. + */ + age = delta_rrl_time(rrl->old_hash->check_time, now); + if (age > rrl->window) + free_old_hash(rrl); + } + + if (!create) + return (NULL); + + /* + * The entry does not exist, so create it by finding a free entry. + * Keep currently penalized and logged entries. + * Try to make more entries if none are idle. + * Steal the oldest entry if we cannot create more. + */ + for (e = ISC_LIST_TAIL(rrl->lru); + e != NULL; + e = ISC_LIST_PREV(e, lru)) + { + if (!ISC_LINK_LINKED(e, hlink)) + break; + age = get_age(rrl, e, now); + if (age <= 1) { + e = NULL; + break; + } + if (!e->logged && response_balance(rrl, e, age) > 0) + break; + } + if (e == NULL) { + expand_entries(rrl, ISC_MIN((rrl->num_entries+1)/2, 1000)); + e = ISC_LIST_TAIL(rrl->lru); + } + if (e->logged) + log_end(rrl, e, ISC_TRUE, log_buf, log_buf_len); + if (ISC_LINK_LINKED(e, hlink)) { + if (e->hash_gen == rrl->hash_gen) + hash = rrl->hash; + else + hash = rrl->old_hash; + old_bin = get_bin(hash, hash_key(&e->key)); + ISC_LIST_UNLINK(*old_bin, e, hlink); + } + ISC_LIST_PREPEND(*new_bin, e, hlink); + e->hash_gen = rrl->hash_gen; + e->key = key; + e->ts_valid = ISC_FALSE; + ref_entry(rrl, e, probes, now); + return (e); +} + +static void +debit_log(const dns_rrl_entry_t *e, int age, const char *action) { + char buf[sizeof("age=12345678")]; + const char *age_str; + + if (age == DNS_RRL_FOREVER) { + age_str = ""; + } else { + snprintf(buf, sizeof(buf), "age=%d", age); + age_str = buf; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG3, + "rrl %08x %6s responses=%-3d %s", + hash_key(&e->key), age_str, e->responses, action); +} + +static inline dns_rrl_result_t +debit_rrl_entry(dns_rrl_t *rrl, dns_rrl_entry_t *e, double qps, double scale, + const isc_sockaddr_t *client_addr, isc_stdtime_t now, + char *log_buf, unsigned int log_buf_len) +{ + int rate, new_rate, slip, new_slip, age, log_secs, min; + dns_rrl_rate_t *ratep; + dns_rrl_entry_t const *credit_e; + + /* + * Pick the rate counter. + * Optionally adjust the rate by the estimated query/second rate. + */ + ratep = get_rate(rrl, e->key.s.rtype); + rate = ratep->r; + if (rate == 0) + return (DNS_RRL_RESULT_OK); + + if (scale < 1.0) { + /* + * The limit for clients that have used TCP is not scaled. + */ + credit_e = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, ISC_FALSE, + log_buf, log_buf_len); + if (credit_e != NULL) { + age = get_age(rrl, e, now); + if (age < rrl->window) + scale = 1.0; + } + } + if (scale < 1.0) { + new_rate = (int) (rate * scale); + if (new_rate < 1) + new_rate = 1; + if (ratep->scaled != new_rate) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, + "%d qps scaled %s by %.2f" + " from %d to %d", + (int)qps, ratep->str, scale, + rate, new_rate); + rate = new_rate; + ratep->scaled = rate; + } + } + + min = -rrl->window * rate; + + /* + * Treat time jumps into the recent past as no time. + * Treat entries older than the window as if they were just created + * Credit other entries. + */ + age = get_age(rrl, e, now); + if (age > 0) { + /* + * Credit tokens earned during elapsed time. + */ + if (age > rrl->window) { + e->responses = rate; + e->slip_cnt = 0; + } else { + e->responses += rate*age; + if (e->responses > rate) { + e->responses = rate; + e->slip_cnt = 0; + } + } + /* + * Find the seconds since last log message without overflowing + * small counter. This counter is reset when an entry is + * created. It is not necessarily reset when some requests + * are answered provided other requests continue to be dropped + * or slipped. This can happen when the request rate is just + * at the limit. + */ + if (e->logged) { + log_secs = e->log_secs; + log_secs += age; + if (log_secs > DNS_RRL_MAX_LOG_SECS || log_secs < 0) + log_secs = DNS_RRL_MAX_LOG_SECS; + e->log_secs = log_secs; + } + } + set_age(rrl, e, now); + + /* + * Debit the entry for this response. + */ + if (--e->responses >= 0) { + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, ""); + return (DNS_RRL_RESULT_OK); + } + + if (e->responses < min) + e->responses = min; + + /* + * Drop this response unless it should slip or leak. + */ + slip = rrl->slip.r; + if (slip > 2 && scale < 1.0) { + new_slip = (int) (slip * scale); + if (new_slip < 2) + new_slip = 2; + if (rrl->slip.scaled != new_slip) { + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG1, + "%d qps scaled slip" + " by %.2f from %d to %d", + (int)qps, scale, + slip, new_slip); + slip = new_slip; + rrl->slip.scaled = slip; + } + } + if (slip != 0 && e->key.s.rtype != DNS_RRL_RTYPE_ALL) { + if (e->slip_cnt++ == 0) { + if ((int) e->slip_cnt >= slip) + e->slip_cnt = 0; + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, "slip"); + return (DNS_RRL_RESULT_SLIP); + } else if ((int) e->slip_cnt >= slip) { + e->slip_cnt = 0; + } + } + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG3)) + debit_log(e, age, "drop"); + return (DNS_RRL_RESULT_DROP); +} + +static inline dns_rrl_qname_buf_t * +get_qname(dns_rrl_t *rrl, const dns_rrl_entry_t *e) { + dns_rrl_qname_buf_t *qbuf; + + qbuf = rrl->qnames[e->log_qname]; + if (qbuf == NULL || qbuf->e != e) + return (NULL); + return (qbuf); +} + +static inline void +free_qname(dns_rrl_t *rrl, dns_rrl_entry_t *e) { + dns_rrl_qname_buf_t *qbuf; + + qbuf = get_qname(rrl, e); + if (qbuf != NULL) { + qbuf->e = NULL; + ISC_LIST_APPEND(rrl->qname_free, qbuf, link); + } +} + +static void +add_log_str(isc_buffer_t *lb, const char *str, unsigned int str_len) { + isc_region_t region; + + isc_buffer_availableregion(lb, ®ion); + if (str_len >= region.length) { + if (region.length <= 0) + return; + str_len = region.length; + } + memcpy(region.base, str, str_len); + isc_buffer_add(lb, str_len); +} + +#define ADD_LOG_CSTR(eb, s) add_log_str(eb, s, sizeof(s)-1) + +/* + * Build strings for the logs + */ +static void +make_log_buf(dns_rrl_t *rrl, dns_rrl_entry_t *e, + const char *str1, const char *str2, isc_boolean_t plural, + dns_name_t *qname, isc_boolean_t save_qname, + dns_rrl_result_t rrl_result, isc_result_t resp_result, + char *log_buf, unsigned int log_buf_len) +{ + isc_buffer_t lb; + dns_rrl_qname_buf_t *qbuf; + isc_netaddr_t cidr; + char strbuf[ISC_MAX(sizeof("/123"), sizeof(" (12345678)"))]; + const char *rstr; + isc_result_t msg_result; + + if (log_buf_len <= 1) { + if (log_buf_len == 1) + log_buf[0] = '\0'; + return; + } + isc_buffer_init(&lb, log_buf, log_buf_len-1); + + if (str1 != NULL) + add_log_str(&lb, str1, strlen(str1)); + if (str2 != NULL) + add_log_str(&lb, str2, strlen(str2)); + + switch (rrl_result) { + case DNS_RRL_RESULT_OK: + break; + case DNS_RRL_RESULT_DROP: + ADD_LOG_CSTR(&lb, "drop "); + break; + case DNS_RRL_RESULT_SLIP: + ADD_LOG_CSTR(&lb, "slip "); + break; + default: + INSIST(0); + break; + } + + switch (e->key.s.rtype) { + case DNS_RRL_RTYPE_QUERY: + break; + case DNS_RRL_RTYPE_REFERRAL: + ADD_LOG_CSTR(&lb, "referral "); + break; + case DNS_RRL_RTYPE_NODATA: + ADD_LOG_CSTR(&lb, "NODATA "); + break; + case DNS_RRL_RTYPE_NXDOMAIN: + ADD_LOG_CSTR(&lb, "NXDOMAIN "); + break; + case DNS_RRL_RTYPE_ERROR: + if (resp_result == ISC_R_SUCCESS) { + ADD_LOG_CSTR(&lb, "error "); + } else { + rstr = isc_result_totext(resp_result); + add_log_str(&lb, rstr, strlen(rstr)); + ADD_LOG_CSTR(&lb, " error "); + } + break; + case DNS_RRL_RTYPE_ALL: + ADD_LOG_CSTR(&lb, "all "); + break; + default: + INSIST(0); + } + + if (plural) + ADD_LOG_CSTR(&lb, "responses to "); + else + ADD_LOG_CSTR(&lb, "response to "); + + memset(&cidr, 0, sizeof(cidr)); + if (e->key.s.ipv6) { + snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv6_prefixlen); + cidr.family = AF_INET6; + memset(&cidr.type.in6, 0, sizeof(cidr.type.in6)); + memcpy(&cidr.type.in6, e->key.s.ip, sizeof(e->key.s.ip)); + } else { + snprintf(strbuf, sizeof(strbuf), "/%d", rrl->ipv4_prefixlen); + cidr.family = AF_INET; + cidr.type.in.s_addr = e->key.s.ip[0]; + } + msg_result = isc_netaddr_totext(&cidr, &lb); + if (msg_result != ISC_R_SUCCESS) + ADD_LOG_CSTR(&lb, "?"); + add_log_str(&lb, strbuf, strlen(strbuf)); + + if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY || + e->key.s.rtype == DNS_RRL_RTYPE_REFERRAL || + e->key.s.rtype == DNS_RRL_RTYPE_NODATA || + e->key.s.rtype == DNS_RRL_RTYPE_NXDOMAIN) { + qbuf = get_qname(rrl, e); + if (save_qname && qbuf == NULL && + qname != NULL && dns_name_isabsolute(qname)) { + /* + * Capture the qname for the "stop limiting" message. + */ + qbuf = ISC_LIST_TAIL(rrl->qname_free); + if (qbuf != NULL) { + ISC_LIST_UNLINK(rrl->qname_free, qbuf, link); + } else if (rrl->num_qnames < DNS_RRL_QNAMES) { + qbuf = isc_mem_get(rrl->mctx, sizeof(*qbuf)); + if (qbuf != NULL) { + memset(qbuf, 0, sizeof(*qbuf)); + ISC_LINK_INIT(qbuf, link); + qbuf->index = rrl->num_qnames; + rrl->qnames[rrl->num_qnames++] = qbuf; + } else { + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_FAIL, + "isc_mem_get(%d)" + " failed for RRL qname", + (int)sizeof(*qbuf)); + } + } + if (qbuf != NULL) { + e->log_qname = qbuf->index; + qbuf->e = e; + dns_fixedname_init(&qbuf->qname); + dns_name_copy(qname, + dns_fixedname_name(&qbuf->qname), + NULL); + } + } + if (qbuf != NULL) + qname = dns_fixedname_name(&qbuf->qname); + if (qname != NULL) { + ADD_LOG_CSTR(&lb, " for "); + (void)dns_name_totext(qname, ISC_TRUE, &lb); + } else { + ADD_LOG_CSTR(&lb, " for (?)"); + } + if (e->key.s.rtype != DNS_RRL_RTYPE_NXDOMAIN) { + ADD_LOG_CSTR(&lb, " "); + (void)dns_rdataclass_totext(e->key.s.qclass, &lb); + if (e->key.s.rtype == DNS_RRL_RTYPE_QUERY) { + ADD_LOG_CSTR(&lb, " "); + (void)dns_rdatatype_totext(e->key.s.qtype, &lb); + } + } + snprintf(strbuf, sizeof(strbuf), " (%08x)", + e->key.s.qname_hash); + add_log_str(&lb, strbuf, strlen(strbuf)); + } + + /* + * We saved room for '\0'. + */ + log_buf[isc_buffer_usedlength(&lb)] = '\0'; +} + +static void +log_end(dns_rrl_t *rrl, dns_rrl_entry_t *e, isc_boolean_t early, + char *log_buf, unsigned int log_buf_len) +{ + if (e->logged) { + make_log_buf(rrl, e, + early ? "*" : NULL, + rrl->log_only ? "would stop limiting " + : "stop limiting ", + ISC_TRUE, NULL, ISC_FALSE, + DNS_RRL_RESULT_OK, ISC_R_SUCCESS, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "%s", log_buf); + free_qname(rrl, e); + e->logged = ISC_FALSE; + --rrl->num_logged; + } +} + +/* + * Log messages for streams that have stopped being rate limited. + */ +static void +log_stops(dns_rrl_t *rrl, isc_stdtime_t now, int limit, + char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_entry_t *e; + int age; + + for (e = rrl->last_logged; e != NULL; e = ISC_LIST_PREV(e, lru)) { + if (!e->logged) + continue; + if (now != 0) { + age = get_age(rrl, e, now); + if (age < DNS_RRL_STOP_LOG_SECS || + response_balance(rrl, e, age) < 0) + break; + } + + log_end(rrl, e, now == 0, log_buf, log_buf_len); + if (rrl->num_logged <= 0) + break; + + /* + * Too many messages could stall real work. + */ + if (--limit < 0) { + rrl->last_logged = ISC_LIST_PREV(e, lru); + return; + } + } + if (e == NULL) { + INSIST(rrl->num_logged == 0); + rrl->log_stops_time = now; + } + rrl->last_logged = e; +} + +/* + * Main rate limit interface. + */ +dns_rrl_result_t +dns_rrl(dns_view_t *view, + const isc_sockaddr_t *client_addr, isc_boolean_t is_tcp, + dns_rdataclass_t qclass, dns_rdatatype_t qtype, + dns_name_t *qname, isc_result_t resp_result, isc_stdtime_t now, + isc_boolean_t wouldlog, char *log_buf, unsigned int log_buf_len) +{ + dns_rrl_t *rrl; + dns_rrl_rtype_t rtype; + dns_rrl_entry_t *e; + isc_netaddr_t netclient; + int secs; + double qps, scale; + int exempt_match; + isc_result_t result; + dns_rrl_result_t rrl_result; + + INSIST(log_buf != NULL && log_buf_len > 0); + + rrl = view->rrl; + if (rrl->exempt != NULL) { + isc_netaddr_fromsockaddr(&netclient, client_addr); + result = dns_acl_match(&netclient, NULL, rrl->exempt, + &view->aclenv, &exempt_match, NULL); + if (result == ISC_R_SUCCESS && exempt_match > 0) + return (DNS_RRL_RESULT_OK); + } + + LOCK(&rrl->lock); + + /* + * Estimate total query per second rate when scaling by qps. + */ + if (rrl->qps_scale == 0) { + qps = 0.0; + scale = 1.0; + } else { + ++rrl->qps_responses; + secs = delta_rrl_time(rrl->qps_time, now); + if (secs <= 0) { + qps = rrl->qps; + } else { + qps = (1.0*rrl->qps_responses) / secs; + if (secs >= rrl->window) { + if (isc_log_wouldlog(dns_lctx, + DNS_RRL_LOG_DEBUG3)) + isc_log_write(dns_lctx, + DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, + DNS_RRL_LOG_DEBUG3, + "%d responses/%d seconds" + " = %d qps", + rrl->qps_responses, secs, + (int)qps); + rrl->qps = qps; + rrl->qps_responses = 0; + rrl->qps_time = now; + } else if (qps < rrl->qps) { + qps = rrl->qps; + } + } + scale = rrl->qps_scale / qps; + } + + /* + * Do maintenance once per second. + */ + if (rrl->num_logged > 0 && rrl->log_stops_time != now) + log_stops(rrl, now, 8, log_buf, log_buf_len); + + /* + * Notice TCP responses when scaling limits by qps. + * Do not try to rate limit TCP responses. + */ + if (is_tcp) { + if (scale < 1.0) { + e = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_TCP, now, ISC_TRUE, + log_buf, log_buf_len); + if (e != NULL) { + e->responses = -(rrl->window+1); + set_age(rrl, e, now); + } + } + UNLOCK(&rrl->lock); + return (ISC_R_SUCCESS); + } + + /* + * Find the right kind of entry, creating it if necessary. + * If that is impossible, then nothing more can be done + */ + switch (resp_result) { + case ISC_R_SUCCESS: + rtype = DNS_RRL_RTYPE_QUERY; + break; + case DNS_R_DELEGATION: + rtype = DNS_RRL_RTYPE_REFERRAL; + break; + case DNS_R_NXRRSET: + rtype = DNS_RRL_RTYPE_NODATA; + break; + case DNS_R_NXDOMAIN: + rtype = DNS_RRL_RTYPE_NXDOMAIN; + break; + default: + rtype = DNS_RRL_RTYPE_ERROR; + break; + } + e = get_entry(rrl, client_addr, qclass, qtype, qname, rtype, + now, ISC_TRUE, log_buf, log_buf_len); + if (e == NULL) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + + if (isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DEBUG1)) { + /* + * Do not worry about speed or releasing the lock. + * This message appears before messages from debit_rrl_entry(). + */ + make_log_buf(rrl, e, "consider limiting ", NULL, ISC_FALSE, + qname, ISC_FALSE, DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DEBUG1, + "%s", log_buf); + } + + rrl_result = debit_rrl_entry(rrl, e, qps, scale, client_addr, now, + log_buf, log_buf_len); + + if (rrl->all_per_second.r != 0) { + /* + * We must debit the all-per-second token bucket if we have + * an all-per-second limit for the IP address. + * The all-per-second limit determines the log message + * when both limits are hit. + * The response limiting must continue if the + * all-per-second limiting lapses. + */ + dns_rrl_entry_t *e_all; + dns_rrl_result_t rrl_all_result; + + e_all = get_entry(rrl, client_addr, + 0, dns_rdatatype_none, NULL, + DNS_RRL_RTYPE_ALL, now, ISC_TRUE, + log_buf, log_buf_len); + if (e_all == NULL) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + rrl_all_result = debit_rrl_entry(rrl, e_all, qps, scale, + client_addr, now, + log_buf, log_buf_len); + if (rrl_all_result != DNS_RRL_RESULT_OK) { + int level; + + e = e_all; + rrl_result = rrl_all_result; + if (rrl_result == DNS_RRL_RESULT_OK) + level = DNS_RRL_LOG_DEBUG2; + else + level = DNS_RRL_LOG_DEBUG1; + if (isc_log_wouldlog(dns_lctx, level)) { + make_log_buf(rrl, e, + "prefer all-per-second limiting ", + NULL, ISC_TRUE, qname, ISC_FALSE, + DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, level, + "%s", log_buf); + } + } + } + + if (rrl_result == DNS_RRL_RESULT_OK) { + UNLOCK(&rrl->lock); + return (DNS_RRL_RESULT_OK); + } + + /* + * Log occassionally in the rate-limit category. + */ + if ((!e->logged || e->log_secs >= DNS_RRL_MAX_LOG_SECS) && + isc_log_wouldlog(dns_lctx, DNS_RRL_LOG_DROP)) { + make_log_buf(rrl, e, rrl->log_only ? "would " : NULL, + e->logged ? "continue limiting " : "limit ", + ISC_TRUE, qname, ISC_TRUE, + DNS_RRL_RESULT_OK, resp_result, + log_buf, log_buf_len); + if (!e->logged) { + e->logged = ISC_TRUE; + if (++rrl->num_logged <= 1) + rrl->last_logged = e; + } + e->log_secs = 0; + + /* + * Avoid holding the lock. + */ + if (!wouldlog) { + UNLOCK(&rrl->lock); + e = NULL; + } + isc_log_write(dns_lctx, DNS_LOGCATEGORY_RRL, + DNS_LOGMODULE_REQUEST, DNS_RRL_LOG_DROP, + "%s", log_buf); + } + + /* + * Make a log message for the caller. + */ + if (wouldlog) + make_log_buf(rrl, e, + rrl->log_only ? "would rate limit " : "rate limit ", + NULL, ISC_FALSE, qname, ISC_FALSE, + rrl_result, resp_result, log_buf, log_buf_len); + + if (e != NULL) { + /* + * Do not save the qname unless we might need it for + * the ending log message. + */ + if (!e->logged) + free_qname(rrl, e); + UNLOCK(&rrl->lock); + } + + return (rrl_result); +} + +void +dns_rrl_view_destroy(dns_view_t *view) { + dns_rrl_t *rrl; + dns_rrl_block_t *b; + dns_rrl_hash_t *h; + char log_buf[DNS_RRL_LOG_BUF_LEN]; + int i; + + rrl = view->rrl; + if (rrl == NULL) + return; + view->rrl = NULL; + + /* + * Assume the caller takes care of locking the view and anything else. + */ + + if (rrl->num_logged > 0) + log_stops(rrl, 0, ISC_INT32_MAX, log_buf, sizeof(log_buf)); + + for (i = 0; i < DNS_RRL_QNAMES; ++i) { + if (rrl->qnames[i] == NULL) + break; + isc_mem_put(rrl->mctx, rrl->qnames[i], sizeof(*rrl->qnames[i])); + } + + if (rrl->exempt != NULL) + dns_acl_detach(&rrl->exempt); + + DESTROYLOCK(&rrl->lock); + + while (!ISC_LIST_EMPTY(rrl->blocks)) { + b = ISC_LIST_HEAD(rrl->blocks); + ISC_LIST_UNLINK(rrl->blocks, b, link); + isc_mem_put(rrl->mctx, b, b->size); + } + + h = rrl->hash; + if (h != NULL) + isc_mem_put(rrl->mctx, h, + sizeof(*h) + (h->length - 1) * sizeof(h->bins[0])); + + h = rrl->old_hash; + if (h != NULL) + isc_mem_put(rrl->mctx, h, + sizeof(*h) + (h->length - 1) * sizeof(h->bins[0])); + + isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl)); +} + +isc_result_t +dns_rrl_init(dns_rrl_t **rrlp, dns_view_t *view, int min_entries) { + dns_rrl_t *rrl; + isc_result_t result; + + *rrlp = NULL; + + rrl = isc_mem_get(view->mctx, sizeof(*rrl)); + if (rrl == NULL) + return (ISC_R_NOMEMORY); + memset(rrl, 0, sizeof(*rrl)); + isc_mem_attach(view->mctx, &rrl->mctx); + result = isc_mutex_init(&rrl->lock); + if (result != ISC_R_SUCCESS) { + isc_mem_putanddetach(&rrl->mctx, rrl, sizeof(*rrl)); + return (result); + } + isc_stdtime_get(&rrl->ts_bases[0]); + + view->rrl = rrl; + + result = expand_entries(rrl, min_entries); + if (result != ISC_R_SUCCESS) { + dns_rrl_view_destroy(view); + return (result); + } + result = expand_rrl_hash(rrl, 0); + if (result != ISC_R_SUCCESS) { + dns_rrl_view_destroy(view); + return (result); + } + + *rrlp = rrl; + return (ISC_R_SUCCESS); +} --- bind9-9.9.3.dfsg.P2.orig/lib/dns/view.c +++ bind9-9.9.3.dfsg.P2/lib/dns/view.c @@ -49,6 +49,7 @@ #include #include #include +#include #include #include #include @@ -184,6 +185,7 @@ view->answeracl_exclude = NULL; view->denyanswernames = NULL; view->answernames_exclude = NULL; + view->rrl = NULL; view->provideixfr = ISC_TRUE; view->maxcachettl = 7 * 24 * 3600; view->maxncachettl = 3 * 3600; @@ -195,9 +197,7 @@ view->maxbits = 0; view->v4_aaaa = dns_v4_aaaa_ok; view->v4_aaaa_acl = NULL; - ISC_LIST_INIT(view->rpz_zones); - view->rpz_recursive_only = ISC_TRUE; - view->rpz_break_dnssec = ISC_FALSE; + view->rpzs = NULL; dns_fixedname_init(&view->dlv_fixed); view->managed_keys = NULL; view->redirect = NULL; @@ -334,10 +334,13 @@ dns_acache_putdb(view->acache, view->cachedb); dns_acache_detach(&view->acache); } - dns_rpz_view_destroy(view); + if (view->rpzs != NULL) + dns_rpz_detach_rpzs(&view->rpzs); + dns_rrl_view_destroy(view); #else INSIST(view->acache == NULL); - INSIST(ISC_LIST_EMPTY(view->rpz_zones)); + INSIST(view->rpzs == NULL); + INSIST(view->rrl == NULL); #endif if (view->requestmgr != NULL) dns_requestmgr_detach(&view->requestmgr); --- bind9-9.9.3.dfsg.P2.orig/lib/dns/win32/libdns.def +++ bind9-9.9.3.dfsg.P2/lib/dns/win32/libdns.def @@ -130,8 +130,8 @@ dns_db_overmem dns_db_printnode dns_db_register -dns_db_rpz_enabled -dns_db_rpz_findips +dns_db_rpz_attach +dns_db_rpz_ready dns_db_subtractrdataset dns_db_unregister dns_dbiterator_current @@ -639,17 +639,22 @@ dns_result_torcode dns_result_totext dns_rootns_create +dns_rpz_add +dns_rpz_attach_rpzs +dns_rpz_beginload dns_rpz_cidr_addip -dns_rpz_cidr_deleteip dns_rpz_cidr_find -dns_rpz_cidr_free dns_rpz_decode_cname -dns_rpz_enabled_get -dns_rpz_new_cidr +dns_rpz_delete +dns_rpz_delete_node +dns_rpz_detach_rpzs +dns_rpz_find_ip +dns_rpz_find_name +dns_rpz_new_zones dns_rpz_policy2str +dns_rpz_ready dns_rpz_str2policy dns_rpz_type2str -dns_rpz_view_destroy dns_rriterator_current dns_rriterator_destroy dns_rriterator_first @@ -657,6 +662,9 @@ dns_rriterator_next dns_rriterator_nextrrset dns_rriterator_pause +dns_rrl +dns_rrl_init +dns_rrl_view_destroy dns_sdb_putnamedrr dns_sdb_putrdata dns_sdb_putrr @@ -806,7 +814,7 @@ dns_zone_forcereload dns_zone_forwardupdate dns_zone_fulldumptostream -dns_zone_get_rpz +dns_zone_get_rpz_num dns_zone_getadded dns_zone_getchecknames dns_zone_getclass @@ -834,6 +842,7 @@ dns_zone_getqueryonacl dns_zone_getraw dns_zone_getrequeststats +dns_zone_getrpz_num dns_zone_getserial dns_zone_getserial2 dns_zone_getserialupdatemethod @@ -871,6 +880,7 @@ dns_zone_refresh dns_zone_rekey dns_zone_replacedb +dns_zone_rpz_attach dns_zone_rpz_enable dns_zone_setacache dns_zone_setadded --- bind9-9.9.3.dfsg.P2.orig/lib/dns/win32/libdns.dsp +++ bind9-9.9.3.dfsg.P2/lib/dns/win32/libdns.dsp @@ -346,6 +346,10 @@ # End Source File # Begin Source File +SOURCE=..\include\dns\rrl.h +# End Source File +# Begin Source File + SOURCE=..\include\dns\rriterator.h # End Source File # Begin Source File @@ -650,6 +654,10 @@ # End Source File # Begin Source File +SOURCE=..\rrl.c +# End Source File +# Begin Source File + SOURCE=..\rriterator.c # End Source File # Begin Source File --- bind9-9.9.3.dfsg.P2.orig/lib/dns/win32/libdns.mak +++ bind9-9.9.3.dfsg.P2/lib/dns/win32/libdns.mak @@ -184,6 +184,7 @@ -@erase "$(INTDIR)\result.obj" -@erase "$(INTDIR)\rootns.obj" -@erase "$(INTDIR)\rpz.obj" + -@erase "$(INTDIR)\rrl.obj" -@erase "$(INTDIR)\sdb.obj" -@erase "$(INTDIR)\sdlz.obj" -@erase "$(INTDIR)\soa.obj" @@ -309,6 +310,7 @@ "$(INTDIR)\result.obj" \ "$(INTDIR)\rootns.obj" \ "$(INTDIR)\rpz.obj" \ + "$(INTDIR)\rrl.obj" \ "$(INTDIR)\rriterator.obj" \ "$(INTDIR)\sdb.obj" \ "$(INTDIR)\sdlz.obj" \ @@ -505,6 +507,8 @@ -@erase "$(INTDIR)\rootns.sbr" -@erase "$(INTDIR)\rpz.obj" -@erase "$(INTDIR)\rpz.sbr" + -@erase "$(INTDIR)\rrl.obj" + -@erase "$(INTDIR)\rrl.sbr" -@erase "$(INTDIR)\rriterator.obj" -@erase "$(INTDIR)\rriterator.sbr" -@erase "$(INTDIR)\sdb.obj" @@ -651,6 +655,7 @@ "$(INTDIR)\result.sbr" \ "$(INTDIR)\rootns.sbr" \ "$(INTDIR)\rpz.sbr" \ + "$(INTDIR)\rrl.sbr" \ "$(INTDIR)\rriterator.sbr" \ "$(INTDIR)\sdb.sbr" \ "$(INTDIR)\sdlz.sbr" \ @@ -748,6 +753,7 @@ "$(INTDIR)\result.obj" \ "$(INTDIR)\rootns.obj" \ "$(INTDIR)\rpz.obj" \ + "$(INTDIR)\rrl.obj" \ "$(INTDIR)\rriterator.obj" \ "$(INTDIR)\sdb.obj" \ "$(INTDIR)\sdlz.obj" \ @@ -1724,6 +1730,24 @@ $(CPP) $(CPP_PROJ) $(SOURCE) +!ENDIF + +SOURCE=..\rrl.c + +!IF "$(CFG)" == "libdns - Win32 Release" + + +"$(INTDIR)\rrl.obj" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + +!ELSEIF "$(CFG)" == "libdns - Win32 Debug" + + +"$(INTDIR)\rrl.obj" "$(INTDIR)\rrl.sbr" : $(SOURCE) "$(INTDIR)" + $(CPP) $(CPP_PROJ) $(SOURCE) + + !ENDIF SOURCE=..\rriterator.c --- bind9-9.9.3.dfsg.P2.orig/lib/dns/xfrin.c +++ bind9-9.9.3.dfsg.P2/lib/dns/xfrin.c @@ -270,13 +270,19 @@ static isc_result_t axfr_makedb(dns_xfrin_ctx_t *xfr, dns_db_t **dbp) { - return (dns_db_create(xfr->mctx, /* XXX */ - "rbt", /* XXX guess */ - &xfr->name, - dns_dbtype_zone, - xfr->rdclass, - 0, NULL, /* XXX guess */ - dbp)); + isc_result_t result; + + result = dns_db_create(xfr->mctx, /* XXX */ + "rbt", /* XXX guess */ + &xfr->name, + dns_dbtype_zone, + xfr->rdclass, + 0, NULL, /* XXX guess */ + dbp); + if (result != ISC_R_SUCCESS) + return (result); + result = dns_zone_rpz_enable_db(xfr->zone, *dbp); + return (result); } static isc_result_t --- bind9-9.9.3.dfsg.P2.orig/lib/dns/zone.c +++ bind9-9.9.3.dfsg.P2/lib/dns/zone.c @@ -346,9 +346,10 @@ isc_boolean_t added; /*% - * whether this is a response policy zone + * response policy data to be relayed to the database */ - isc_boolean_t is_rpz; + dns_rpz_zones_t *rpzs; + dns_rpz_num_t rpz_num; /*% * Serial number update method. @@ -917,7 +918,8 @@ zone->nodes = 100; zone->privatetype = (dns_rdatatype_t)0xffffU; zone->added = ISC_FALSE; - zone->is_rpz = ISC_FALSE; + zone->rpzs = NULL; + zone->rpz_num = DNS_RPZ_INVALID_NUM; ISC_LIST_INIT(zone->forwards); zone->raw = NULL; zone->secure = NULL; @@ -1021,6 +1023,13 @@ zone_detachdb(zone); if (zone->acache != NULL) dns_acache_detach(&zone->acache); +#ifdef BIND9 + if (zone->rpzs != NULL) { + REQUIRE(zone->rpz_num < zone->rpzs->p.num_zones); + dns_rpz_detach_rpzs(&zone->rpzs); + zone->rpz_num = DNS_RPZ_INVALID_NUM; + } +#endif zone_freedbargs(zone); RUNTIME_CHECK(dns_zone_setmasterswithkeys(zone, NULL, NULL, 0) == ISC_R_SUCCESS); @@ -1513,7 +1522,9 @@ * Set the response policy index and information for a zone. */ isc_result_t -dns_zone_rpz_enable(dns_zone_t *zone) { +dns_zone_rpz_enable(dns_zone_t *zone, dns_rpz_zones_t *rpzs, + dns_rpz_num_t rpz_num) +{ /* * Only RBTDB zones can be used for response policy zones, * because only they have the code to load the create the summary data. @@ -1524,14 +1535,26 @@ strcmp(zone->db_argv[0], "rbt64") != 0) return (ISC_R_NOTIMPLEMENTED); - zone->is_rpz = ISC_TRUE; + /* + * This must happen only once or be redundant. + */ + LOCK_ZONE(zone); + if (zone->rpzs != NULL) { + REQUIRE(zone->rpzs == rpzs && zone->rpz_num == rpz_num); + } else { + REQUIRE(zone->rpz_num == DNS_RPZ_INVALID_NUM); + dns_rpz_attach_rpzs(rpzs, &zone->rpzs); + zone->rpz_num = rpz_num; + } + rpzs->defined |= DNS_RPZ_ZBIT(rpz_num); + UNLOCK_ZONE(zone); return (ISC_R_SUCCESS); } -isc_boolean_t -dns_zone_get_rpz(dns_zone_t *zone) { - return (zone->is_rpz); +dns_rpz_num_t +dns_zone_get_rpz_num(dns_zone_t *zone) { + return (zone->rpz_num); } static isc_result_t @@ -1987,13 +2010,9 @@ isc_result_t tresult; unsigned int options; -#ifdef BIND9 - if (zone->is_rpz) { - result = dns_db_rpz_enabled(db, NULL); - if (result != ISC_R_SUCCESS) - return (result); - } -#endif + result = dns_zone_rpz_enable_db(zone, db); + if (result != ISC_R_SUCCESS) + return (result); options = get_master_options(zone); if (DNS_ZONE_OPTION(zone, DNS_ZONEOPT_MANYERRORS)) @@ -2069,6 +2088,19 @@ return (result); } +/* + * If a zone is a response policy zone, mark its new database. + */ +isc_result_t +dns_zone_rpz_enable_db(dns_zone_t *zone, dns_db_t *db) { + if (zone->rpz_num != DNS_RPZ_INVALID_NUM) { + REQUIRE(zone->rpzs != NULL); + dns_db_rpz_attach(db, zone->rpzs, zone->rpz_num); + } + + return (ISC_R_SUCCESS); +} + static isc_boolean_t zone_check_mx(dns_zone_t *zone, dns_db_t *db, dns_name_t *name, dns_name_t *owner) @@ -4120,6 +4152,11 @@ if (result != ISC_R_SUCCESS) goto cleanup; } else { +#ifdef BIND9 + result = dns_db_rpz_ready(db); + if (result != ISC_R_SUCCESS) + goto cleanup; +#endif zone_attachdb(zone, db); ZONEDB_UNLOCK(&zone->dblock, isc_rwlocktype_write); DNS_ZONE_SETFLAG(zone, @@ -13047,6 +13084,12 @@ REQUIRE(DNS_ZONE_VALID(zone)); REQUIRE(LOCKED_ZONE(zone)); +#ifdef BIND9 + result = dns_db_rpz_ready(db); + if (result != ISC_R_SUCCESS) + return (result); +#endif + result = zone_get_from_db(zone, db, &nscount, &soacount, NULL, NULL, NULL, NULL, NULL, NULL); if (result == ISC_R_SUCCESS) { --- bind9-9.9.3.dfsg.P2.orig/lib/export/dns/include/dns/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/export/dns/include/dns/Makefile.in @@ -31,7 +31,7 @@ peer.h portlist.h \ rbt.h rcode.h rdata.h rdataclass.h \ rdatalist.h rdataset.h rdatasetiter.h rdataslab.h rdatatype.h \ - request.h resolver.h result.h \ + request.h resolver.h result.h rrl.h \ secalg.h secproto.h soa.h stats.h \ tcpmsg.h time.h tsec.h tsig.h ttl.h types.h \ validator.h version.h view.h --- bind9-9.9.3.dfsg.P2.orig/lib/export/isc/include/isc/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/export/isc/include/isc/Makefile.in @@ -37,7 +37,7 @@ print.h quota.h radix.h random.h ratelimiter.h \ refcount.h regex.h region.h resource.h \ result.h resultclass.h rwlock.h serial.h sha1.h sha2.h \ - sockaddr.h socket.h stdio.h stdlib.h string.h \ + sockaddr.h socket.h stat.h stdio.h stdlib.h string.h \ symtab.h \ task.h taskpool.h timer.h types.h util.h version.h \ xml.h --- bind9-9.9.3.dfsg.P2.orig/lib/isc/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/isc/Makefile.in @@ -114,12 +114,14 @@ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${SYMTBLOBJS} ${LIBS} + ln -sf .libs/libisc.so . libisc-nosymtbl.la: ${OBJS} ${LIBTOOL_MODE_LINK} \ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisc-nosymtbl.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${LIBS} + ln -sf .libs/libisc-nosymtbl.so . timestamp: libisc.@A@ libisc-nosymtbl.@A@ touch timestamp @@ -133,3 +135,4 @@ clean distclean:: rm -f libisc.@A@ libisc-nosymtbl.@A@ libisc.la \ libisc-nosymtbl.la timestamp + rm -f libisc.so libisc-nosymtbl.so --- bind9-9.9.3.dfsg.P2.orig/lib/isc/mips/include/isc/atomic.h +++ bind9-9.9.3.dfsg.P2/lib/isc/mips/include/isc/atomic.h @@ -31,18 +31,20 @@ isc_atomic_xadd(isc_int32_t *p, int val) { isc_int32_t orig; - /* add is a cheat, since MIPS has no mov instruction */ - __asm__ volatile ( - "1:" - "ll $3, %1\n" - "add %0, $0, $3\n" - "add $3, $3, %2\n" - "sc $3, %1\n" - "beq $3, 0, 1b" - : "=&r"(orig) - : "m"(*p), "r"(val) - : "memory", "$3" - ); + __asm__ __volatile__ ( + " .set push \n" + " .set mips2 \n" + " .set noreorder \n" + " .set noat \n" + "1: ll $1, %1 \n" + " addu %0, $1, %2 \n" + " sc %0, %1 \n" + " beqz %0, 1b \n" + " move %0, $1 \n" + " .set pop \n" + : "=&r" (orig), "+R" (*p) + : "r" (val) + : "memory"); return (orig); } @@ -52,16 +54,7 @@ */ static inline void isc_atomic_store(isc_int32_t *p, isc_int32_t val) { - __asm__ volatile ( - "1:" - "ll $3, %0\n" - "add $3, $0, %1\n" - "sc $3, %0\n" - "beq $3, 0, 1b" - : - : "m"(*p), "r"(val) - : "memory", "$3" - ); + *p = val; } /* @@ -72,20 +65,23 @@ static inline isc_int32_t isc_atomic_cmpxchg(isc_int32_t *p, int cmpval, int val) { isc_int32_t orig; + isc_int32_t tmp; - __asm__ volatile( - "1:" - "ll $3, %1\n" - "add %0, $0, $3\n" - "bne $3, %2, 2f\n" - "add $3, $0, %3\n" - "sc $3, %1\n" - "beq $3, 0, 1b\n" - "2:" - : "=&r"(orig) - : "m"(*p), "r"(cmpval), "r"(val) - : "memory", "$3" - ); + __asm__ __volatile__ ( + " .set push \n" + " .set mips2 \n" + " .set noreorder \n" + " .set noat \n" + "1: ll $1, %1 \n" + " bne $1, %3, 2f \n" + " move %2, %4 \n" + " sc %2, %1 \n" + " beqz %2, 1b \n" + "2: move %0, $1 \n" + " .set pop \n" + : "=&r"(orig), "+R" (*p), "=r" (tmp) + : "r"(cmpval), "r"(val) + : "memory"); return (orig); } --- bind9-9.9.3.dfsg.P2.orig/lib/isc/unix/resource.c +++ bind9-9.9.3.dfsg.P2/lib/isc/unix/resource.c @@ -29,6 +29,7 @@ #include #ifdef __linux__ +#include #include /* To get the large NR_OPEN. */ #endif --- bind9-9.9.3.dfsg.P2.orig/lib/isccc/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/isccc/Makefile.in @@ -36,7 +36,7 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCCCDEPLIBS = libisccc.@A@ -LIBS = @LIBS@ +LIBS = @LIBS@ -L../../lib/isc SUBDIRS = include @@ -72,6 +72,7 @@ ${CC} ${ALL_CFLAGS} ${LDFLAGS} -o libisccc.la -rpath ${libdir} \ -version-info ${LIBINTERFACE}:${LIBREVISION}:${LIBAGE} \ ${OBJS} ${ISCLIBS} ${LIBS} + ln -sf .libs/libisccc.so . timestamp: libisccc.@A@ touch timestamp @@ -84,3 +85,4 @@ clean distclean:: rm -f libisccc.@A@ timestamp + rm -f libisccc.so --- bind9-9.9.3.dfsg.P2.orig/lib/isccfg/Makefile.in +++ bind9-9.9.3.dfsg.P2/lib/isccfg/Makefile.in @@ -38,7 +38,7 @@ ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCCFGDEPLIBS = libisccfg.@A@ -LIBS = @LIBS@ +LIBS = @LIBS@ -L../dns -L../isc -L../isccc SUBDIRS = include --- bind9-9.9.3.dfsg.P2.orig/lib/isccfg/aclconf.c +++ bind9-9.9.3.dfsg.P2/lib/isccfg/aclconf.c @@ -247,6 +247,9 @@ } else if (cfg_obj_isstring(ce)) { const char *name = cfg_obj_asstring(ce); if (strcasecmp(name, "localhost") == 0 || +#ifdef SUPPORT_GEOIP + strncasecmp(name, "country_", 8) == 0 || +#endif strcasecmp(name, "localnets") == 0) { n++; } else if (strcasecmp(name, "any") != 0 && @@ -441,6 +444,14 @@ de->negative = !neg; } else continue; +#ifdef SUPPORT_GEOIP + } else if ((0 == (strncmp("country_", name, 8))) && (10 == strlen(name))) { + /* It is a country code */ + de->type = dns_aclelementtype_ipcountry; + de->country[0] = name[8]; + de->country[1] = name[9]; + de->country[2] = '\0'; +#endif } else if (strcasecmp(name, "localhost") == 0) { de->type = dns_aclelementtype_localhost; de->negative = neg; --- bind9-9.9.3.dfsg.P2.orig/lib/isccfg/namedconf.c +++ bind9-9.9.3.dfsg.P2/lib/isccfg/namedconf.c @@ -1054,11 +1054,12 @@ /*% * response-policy { - * zone [ policy (given|disabled|passthru| + * zone [ policy (given|disabled|passthru|drop|tcp-only| * nxdomain|nodata|cname ) ] * [ recursive-only yes|no ] [ max-policy-ttl number ] ; * } [ recursive-only yes|no ] [ max-policy-ttl number ] ; - * [ break-dnssec yes|no ] [ min-ns-dots number ] ; + * [ break-dnssec yes|no ] [ min-ns-dots number ] + * [ qname-wait-recurse yes|no ] */ static void @@ -1083,7 +1084,7 @@ /* * Parse - * given|disabled|passthru|nxdomain|nodata|cname + * given|disabled|passthru|drop|tcp-only|nxdomain|nodata|cname */ static isc_result_t cfg_parse_rpz_policy(cfg_parser_t *pctx, const cfg_type_t *type, @@ -1214,9 +1215,12 @@ doc_keyvalue, &cfg_rep_string, &zone_kw }; +/* + * "no-op" is an obsolete equivalent of "passthru". + */ static const char *rpz_policies[] = { - "given", "disabled", "passthru", "no-op", "nxdomain", "nodata", - "cname", NULL + "given", "disabled", "passthru", "no-op", "drop", "tcp-only", + "nxdomain", "nodata", "cname", NULL }; static cfg_type_t cfg_type_rpz_policy_name = { "policy name", cfg_parse_enum, cfg_print_ustring, @@ -1261,6 +1265,7 @@ { "break-dnssec", &cfg_type_boolean, 0 }, { "max-policy-ttl", &cfg_type_uint32, 0 }, { "min-ns-dots", &cfg_type_uint32, 0 }, + { "qname-wait-recurse", &cfg_type_boolean, 0 }, { NULL, NULL, 0 } }; static cfg_type_t cfg_type_rpz = { @@ -1270,6 +1275,40 @@ }; +/* + * rate-limit + */ +static cfg_clausedef_t rrl_clauses[] = { + { "responses-per-second", &cfg_type_uint32, 0 }, + { "referrals-per-second", &cfg_type_uint32, 0 }, + { "nodata-per-second", &cfg_type_uint32, 0 }, + { "nxdomains-per-second", &cfg_type_uint32, 0 }, + { "errors-per-second", &cfg_type_uint32, 0 }, + { "all-per-second", &cfg_type_uint32, 0 }, + { "slip", &cfg_type_uint32, 0 }, + { "window", &cfg_type_uint32, 0 }, + { "log-only", &cfg_type_boolean, 0 }, + { "qps-scale", &cfg_type_uint32, 0 }, + { "ipv4-prefix-length", &cfg_type_uint32, 0 }, + { "ipv6-prefix-length", &cfg_type_uint32, 0 }, + { "exempt-clients", &cfg_type_bracketed_aml, 0 }, + { "max-table-size", &cfg_type_uint32, 0 }, + { "min-table-size", &cfg_type_uint32, 0 }, + { NULL, NULL, 0 } +}; + +static cfg_clausedef_t *rrl_clausesets[] = { + rrl_clauses, + NULL +}; + +static cfg_type_t cfg_type_rrl = { + "rate-limit", cfg_parse_map, cfg_print_map, cfg_doc_map, + &cfg_rep_map, rrl_clausesets +}; + + + /*% * dnssec-lookaside */ @@ -1387,6 +1426,8 @@ { "max-clients-per-query", &cfg_type_uint32, 0 }, { "max-ncache-ttl", &cfg_type_uint32, 0 }, { "max-udp-size", &cfg_type_uint32, 0 }, + { "min-cache-ttl", &cfg_type_uint32, 0 }, + { "min-ncache-ttl", &cfg_type_uint32, 0 }, { "min-roots", &cfg_type_uint32, CFG_CLAUSEFLAG_NOTIMP }, { "minimal-responses", &cfg_type_boolean, 0 }, { "preferred-glue", &cfg_type_astring, 0 }, @@ -1423,6 +1464,7 @@ CFG_CLAUSEFLAG_NOTCONFIGURED }, #endif { "response-policy", &cfg_type_rpz, 0 }, + { "rate-limit", &cfg_type_rrl, 0 }, { NULL, NULL, 0 } }; --- bind9-9.9.3.dfsg.P2.orig/libtool.m4/libtool.m4 +++ bind9-9.9.3.dfsg.P2/libtool.m4/libtool.m4 @@ -2684,6 +2684,18 @@ dynamic_linker='GNU/Linux ld.so' ;; +netbsdelf*-gnu) + version_type=linux + need_lib_prefix=no + need_version=no + library_names_spec='${libname}${release}${shared_ext}$versuffix ${libname}${release}${shared_ext}$major ${libname}${shared_ext}' + soname_spec='${libname}${release}${shared_ext}$major' + shlibpath_var=LD_LIBRARY_PATH + shlibpath_overrides_runpath=no + hardcode_into_libs=yes + dynamic_linker='NetBSD ld.elf_so' + ;; + netbsd*) version_type=sunos need_lib_prefix=no @@ -3289,7 +3301,7 @@ lt_cv_deplibs_check_method=pass_all ;; -netbsd*) +netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ > /dev/null; then lt_cv_deplibs_check_method='match_pattern /lib[[^/]]+(\.so\.[[0-9]]+\.[[0-9]]+|_pic\.a)$' else @@ -4101,7 +4113,7 @@ ;; esac ;; - netbsd*) + netbsd* | netbsdelf*-gnu) ;; *qnx* | *nto*) # QNX uses GNU C++, but need to define -shared option too, otherwise @@ -4578,6 +4590,9 @@ ;; esac ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; *) _LT_TAGVAR(export_symbols_cmds, $1)='$NM $libobjs $convenience | $global_symbol_pipe | $SED '\''s/.* //'\'' | sort | uniq > $export_symbols' ;; @@ -4640,6 +4655,9 @@ openbsd*) with_gnu_ld=no ;; + linux* | k*bsd*-gnu | gnu*) + _LT_TAGVAR(link_all_deplibs, $1)=no + ;; esac _LT_TAGVAR(ld_shlibs, $1)=yes @@ -4861,7 +4879,7 @@ fi ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable $libobjs $deplibs $linker_flags -o $lib' wlarc= @@ -5038,6 +5056,7 @@ if test "$aix_use_runtimelinking" = yes; then shared_flag="$shared_flag "'${wl}-G' fi + _LT_TAGVAR(link_all_deplibs, $1)=no else # not using gcc if test "$host_cpu" = ia64; then @@ -5342,7 +5361,7 @@ _LT_TAGVAR(link_all_deplibs, $1)=yes ;; - netbsd*) + netbsd* | netbsdelf*-gnu) if echo __ELF__ | $CC -E - | $GREP __ELF__ >/dev/null; then _LT_TAGVAR(archive_cmds, $1)='$LD -Bshareable -o $lib $libobjs $deplibs $linker_flags' # a.out else --- bind9-9.9.3.dfsg.P2.orig/ltmain.sh +++ bind9-9.9.3.dfsg.P2/ltmain.sh @@ -70,7 +70,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 +# $progname: (GNU libtool) 2.4.2 Debian-2.4.2-1ubuntu1 # automake: $automake_version # autoconf: $autoconf_version # @@ -80,7 +80,7 @@ PROGRAM=libtool PACKAGE=libtool -VERSION=2.4.2 +VERSION="2.4.2 Debian-2.4.2-1ubuntu1" TIMESTAMP="" package_revision=1.3337 @@ -1375,21 +1375,6 @@ func_infer_tag () { $opt_debug - - # FreeBSD-specific: where we install compilers with non-standard names - tag_compilers_CC="*cc cc* *gcc gcc* clang" - tag_compilers_CXX="*c++ c++* *g++ g++* clang++" - base_compiler=`set -- "$@"; echo $1` - - # If $tagname isn't set, then try to infer if the default "CC" tag applies - if test -z "$tagname"; then - for zp in $tag_compilers_CC; do - case $base_compiler in - $zp) tagname="CC"; break;; - esac - done - fi - if test -n "$available_tags" && test -z "$tagname"; then CC_quoted= for arg in $CC; do @@ -1426,22 +1411,7 @@ break ;; esac - - # FreeBSD-specific: try compilers based on inferred tag - if test -z "$tagname"; then - eval "tag_compilers=\$tag_compilers_${z}" - if test -n "$tag_compilers"; then - for zp in $tag_compilers; do - case $base_compiler in - $zp) tagname=$z; break;; - esac - done - if test -n "$tagname"; then - break - fi - fi - fi - fi + fi done # If $tagname still isn't set, then no tagged configuration # was found and let the user know that the "--tag" command @@ -3547,9 +3517,6 @@ ;; esac ;; - *-*-freebsd*) - # FreeBSD doesn't need this... - ;; *) func_fatal_error "unknown suffix for \`$my_dlsyms'" ;; @@ -5628,7 +5595,6 @@ esac ;; esac - deplibs="$deplibs $arg" continue ;; @@ -6158,7 +6124,10 @@ case $pass in dlopen) libs="$dlfiles" ;; dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; + link) + libs="$deplibs %DEPLIBS%" + test "X$link_all_deplibs" != Xno && libs="$libs $dependency_libs" + ;; esac fi if test "$linkmode,$pass" = "lib,dlpreopen"; then @@ -6201,30 +6170,13 @@ finalize_deplibs="$deplib $finalize_deplibs" else func_append compiler_flags " $deplib" - fi - - case $linkmode in - lib) - deplibs="$deplib $deplibs" - test "$pass" = conv && continue - newdependency_libs="$deplib $newdependency_libs" - ;; - prog) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - if test "$pass" = scan; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" + if test "$linkmode" = lib ; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; + esac fi - ;; - *) - ;; - esac # linkmode - + fi continue ;; -l*) @@ -6495,19 +6447,19 @@ # It is a libtool convenience library, so add in its objects. func_append convenience " $ladir/$objdir/$old_library" func_append old_convenience " $ladir/$objdir/$old_library" + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done elif test "$linkmode" != prog && test "$linkmode" != lib; then func_fatal_error "\`$lib' is not a convenience library" fi - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append tmp_libs " $deplib" - done continue fi # $pass = conv @@ -7400,6 +7352,9 @@ revision="$number_minor" lt_irix_increment=no ;; + *) + func_fatal_configuration "$modename: unknown library version type \`$version_type'" + ;; esac ;; no) --- bind9-9.9.3.dfsg.P2.orig/named.conf +++ bind9-9.9.3.dfsg.P2/named.conf @@ -0,0 +1,153 @@ +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + notify no; + + // check that all of the options are parsed without limiting anything + rate-limit { + responses-per-second 200; + referrals-per-second 220; + nodata-per-second 230; + nxdomains-per-second 240; + errors-per-second 250; + all-per-second 700; + ipv4-prefix-length 24; + ipv6-prefix-length 64; + qps-scale 10; + window 1; + max-table-size 1000; + }; + +}; + +zone "." { type hint; file "hints"; }; + +zone "tld3."{ type master; file "tld3.db"; }; +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + statistics-file "named.stats"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + notify no; + + rate-limit { + responses-per-second 2; + all-per-second 50; + slip 3; + exempt-clients { 10.53.0.7; }; + + // small enough to force a table expansion + min-table-size 75; + }; + + additional-from-cache no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-md5; +}; +controls { + inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; +}; + +/* + * These log settings have no effect unless "-g" is removed from ../../start.pl + */ +logging { + channel debug { + file "log-debug"; + print-category yes; print-severity yes; severity debug 10; + }; + channel queries { + file "log-queries"; + print-category yes; print-severity yes; severity info; + }; + category rate-limit { debug; queries; }; + category queries { debug; queries; }; +}; + +zone "." { type hint; file "hints"; }; + +zone "tld2."{ type master; file "tld2.db"; }; +/* + * Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + + +controls { /* empty */ }; + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port 5300; + session-keyfile "session.key"; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + notify no; +}; + +zone "." {type master; file "root.db";}; --- bind9-9.9.3.dfsg.P2.orig/root.db +++ bind9-9.9.3.dfsg.P2/root.db @@ -0,0 +1,31 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + +$TTL 120 +@ SOA ns. hostmaster.ns. ( 1 3600 1200 604800 60 ) +@ NS ns. +ns. A 10.53.0.1 +. A 10.53.0.1 + +; limit responses from here +tld2. NS ns.tld2. +ns.tld2. A 10.53.0.2 + +; limit recursion to here +tld3. NS ns.tld3. +ns.tld3. A 10.53.0.3 + +; generate SERVFAIL +tld4. NS ns.tld3. --- bind9-9.9.3.dfsg.P2.orig/setup.sh +++ bind9-9.9.3.dfsg.P2/setup.sh @@ -0,0 +1,21 @@ +#!/bin/sh +# +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh +. ./clean.sh + --- bind9-9.9.3.dfsg.P2.orig/tests.sh +++ bind9-9.9.3.dfsg.P2/tests.sh @@ -0,0 +1,258 @@ +# Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + + +# test response rate limiting + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +#set -x + +ns1=10.53.0.1 # root, defining the others +ns2=10.53.0.2 # test server +ns3=10.53.0.3 # secondary test server +ns7=10.53.0.7 # whitelisted client + +USAGE="$0: [-x]" +while getopts "x" c; do + case $c in + x) set -x;; + *) echo "$USAGE" 1>&2; exit 1;; + esac +done +shift `expr $OPTIND - 1 || true` +if test "$#" -ne 0; then + echo "$USAGE" 1>&2 + exit 1 +fi +# really quit on control-C +trap 'exit 1' 1 2 15 + + +ret=0 +setret () { + ret=1 + echo "$*" +} + + +# Wait until soon after the start of a second to make results consistent. +# The start of a second credits a rate limit. +# This would be far easier in C or by assuming a modern version of perl. +sec_start () { + START=`date` + while true; do + NOW=`date` + if test "$START" != "$NOW"; then + return + fi + $PERL -e 'select(undef, undef, undef, 0.05)' || true + done +} + + +# turn off ${HOME}/.digrc +HOME=/dev/null; export HOME + +# $1=result name $2=domain name $3=dig options +digcmd () { + OFILE=$1; shift + DIG_DOM=$1; shift + ARGS="+nosearch +time=1 +tries=1 +ignore -p 5300 $* $DIG_DOM @$ns2" + #echo I:dig $ARGS 1>&2 + START=`date +%y%m%d%H%M.%S` + RESULT=`$DIG $ARGS 2>&1 | tee $OFILE=TEMP \ + | sed -n -e '/^;; AUTHORITY/,/^$/d' \ + -e '/^;; ADDITIONAL/,/^$/d' \ + -e 's/^[^;].* \([^ ]\{1,\}\)$/\1/p' \ + -e 's/;; flags.* tc .*/TC/p' \ + -e 's/;; .* status: NXDOMAIN.*/NXDOMAIN/p' \ + -e 's/;; .* status: SERVFAIL.*/SERVFAIL/p' \ + -e 's/;; connection timed out.*/drop/p' \ + -e 's/;; communications error to.*/drop/p' \ + | tr -d '\n'` + mv "$OFILE=TEMP" "$OFILE=$RESULT" + touch -t $START "$OFILE=$RESULT" +} + + +# $1=number of tests $2=target domain $3=dig options +QNUM=1 +burst () { + BURST_LIMIT=$1; shift + BURST_DOM_BASE="$1"; shift + while test "$BURST_LIMIT" -ge 1; do + CNT=`expr "00$QNUM" : '.*\(...\)'` + eval BURST_DOM="$BURST_DOM_BASE" + FILE="dig.out-$BURST_DOM-$CNT" + digcmd $FILE $BURST_DOM $* & + QNUM=`expr $QNUM + 1` + BURST_LIMIT=`expr "$BURST_LIMIT" - 1` + done +} + + +# $1=domain $2=IP address $3=# of IP addresses $4=TC $5=drop +# $6=NXDOMAIN $7=SERVFAIL or other errors +ck_result() { + BAD= + wait + ADDRS=`ls dig.out-$1-*=$2 2>/dev/null | wc -l` + # count simple truncated and truncated NXDOMAIN as TC + TC=`ls dig.out-$1-*=TC dig.out-$1-*=NXDOMAINTC 2>/dev/null | wc -l` + DROP=`ls dig.out-$1-*=drop 2>/dev/null | wc -l` + # count NXDOMAIN and truncated NXDOMAIN as NXDOMAIN + NXDOMAIN=`ls dig.out-$1-*=NXDOMAIN dig.out-$1-*=NXDOMAINTC 2>/dev/null \ + | wc -l` + SERVFAIL=`ls dig.out-$1-*=SERVFAIL 2>/dev/null | wc -l` + if test $ADDRS -ne "$3"; then + setret "I:"$ADDRS" instead of $3 '$2' responses for $1" + BAD=yes + fi + if test $TC -ne "$4"; then + setret "I:"$TC" instead of $4 truncation responses for $1" + BAD=yes + fi + if test $DROP -ne "$5"; then + setret "I:"$DROP" instead of $5 dropped responses for $1" + BAD=yes + fi + if test $NXDOMAIN -ne "$6"; then + setret "I:"$NXDOMAIN" instead of $6 NXDOMAIN responses for $1" + BAD=yes + fi + if test $SERVFAIL -ne "$7"; then + setret "I:"$SERVFAIL" instead of $7 error responses for $1" + BAD=yes + fi + if test -z "$BAD"; then + rm -f dig.out-$1-* + fi +} + + +ckstats () { + LABEL="$1"; shift + TYPE="$1"; shift + EXPECTED="$1"; shift + C=`sed -n -e "s/[ ]*\([0-9]*\).responses $TYPE for rate limits.*/\1/p" \ + ns2/named.stats | tail -1` + C=`expr 0$C + 0` + if test "$C" -ne $EXPECTED; then + setret "I:wrong $LABEL $TYPE statistics of $C instead of $EXPECTED" + fi +} + + +######### +sec_start + +# Tests of referrals to "." must be done before the hints are loaded +# or with "additional-from-cache no" +burst 5 a1.tld3 +norec +# basic rate limiting +burst 3 a1.tld2 +# 1 second delay allows an additional response. +sleep 1 +burst 10 a1.tld2 +# Request 30 different qnames to try a wildcard. +burst 30 'x$CNT.a2.tld2' +# These should be counted and limited but are not. See RT33138. +burst 10 'y.x$CNT.a2.tld2' + +# IP TC drop NXDOMAIN SERVFAIL +# referrals to "." +ck_result a1.tld3 '' 2 1 2 0 0 +# check 13 results including 1 second delay that allows an additional response +ck_result a1.tld2 192.0.2.1 3 4 6 0 0 + +# Check the wild card answers. +# The parent name of the 30 requests is counted. +ck_result 'x*.a2.tld2' 192.0.2.2 2 10 18 0 0 + +# These should be limited but are not. See RT33138. +ck_result 'y.x*.a2.tld2' 192.0.2.2 10 0 0 0 0 + +######### +sec_start + +burst 10 'x.a3.tld3' +burst 10 'y$CNT.a3.tld3' +burst 10 'z$CNT.a4.tld2' + +# 10 identical recursive responses are limited +ck_result 'x.a3.tld3' 192.0.3.3 2 3 5 0 0 + +# 10 different recursive responses are not limited +ck_result 'y*.a3.tld3' 192.0.3.3 10 0 0 0 0 + +# 10 different NXDOMAIN responses are limited based on the parent name. +# We count 13 responses because we count truncated NXDOMAIN responses +# as both truncated and NXDOMAIN. +ck_result 'z*.a4.tld2' x 0 3 5 5 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats first dropped 36 +ckstats first truncated 21 + + +######### +sec_start + +burst 10 a5.tld2 +tcp +burst 10 a6.tld2 -b $ns7 +burst 10 a7.tld4 +burst 2 a8.tld2 AAAA +burst 2 a8.tld2 TXT +burst 2 a8.tld2 SPF + +# IP TC drop NXDOMAIN SERVFAIL +# TCP responses are not rate limited +ck_result a5.tld2 192.0.2.5 10 0 0 0 0 + +# whitelisted client is not rate limited +ck_result a6.tld2 192.0.2.6 10 0 0 0 0 + +# Errors such as SERVFAIL are rate limited. +ck_result a7.tld4 x 0 0 8 0 2 + +# NODATA responses are counted as the same regardless of qtype. +ck_result a8.tld2 '' 2 2 2 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats second dropped 46 +ckstats second truncated 23 + + +######### +sec_start + +# IP TC drop NXDOMAIN SERVFAIL +# all-per-second +# The qnames are all unique but the client IP address is constant. +QNUM=101 +burst 60 'all$CNT.a9.tld2' + +ck_result 'a*.a9.tld2' 192.0.2.8 50 0 10 0 0 + +$RNDC -c $SYSTEMTESTTOP/common/rndc.conf -p 9953 -s $ns2 stats +ckstats final dropped 56 +ckstats final truncated 23 + + +echo "I:exit status: $ret" +# exit $ret +[ $ret -ne 0 ] && echo "I:test failure overridden" +exit 0 --- bind9-9.9.3.dfsg.P2.orig/tld2.db +++ bind9-9.9.3.dfsg.P2/tld2.db @@ -0,0 +1,47 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld2. hostmaster.ns.tld2. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.2 + +; basic rate limiting +a1 A 192.0.2.1 + +; wildcards +*.a2 A 192.0.2.2 + +; a3 is in tld3 + +; a4 does not exist to give NXDOMAIN + +; a5 for TCP requests +a5 A 192.0.2.5 + +; a6 for whitelisted clients +a6 A 192.0.2.6 + +; a7 for SERVFAIL + +; a8 for NODATA +a8 A 192.0.2.8 + +; a9 for all-per-second limit +$GENERATE 101-180 all$.a9 A 192.0.2.8 --- bind9-9.9.3.dfsg.P2.orig/tld3.db +++ bind9-9.9.3.dfsg.P2/tld3.db @@ -0,0 +1,25 @@ +; Copyright (C) 2012, 2013 Internet Systems Consortium, Inc. ("ISC") +; +; Permission to use, copy, modify, and/or distribute this software for any +; purpose with or without fee is hereby granted, provided that the above +; copyright notice and this permission notice appear in all copies. +; +; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +; PERFORMANCE OF THIS SOFTWARE. + + + +; rate limit response from this zone + +$TTL 120 +@ SOA tld3. hostmaster.ns.tld3. ( 1 3600 1200 604800 60 ) + NS ns + NS . +ns A 10.53.0.3 + +*.a3 A 192.0.3.3 --- bind9-9.9.3.dfsg.P2.orig/version +++ bind9-9.9.3.dfsg.P2/version @@ -7,6 +7,6 @@ DESCRIPTION="(Extended Support Version)" MAJORVER=9 MINORVER=9 -PATCHVER=3 +PATCHVER=3-rpz2+rl.13214.22 RELEASETYPE=-P RELEASEVER=2