git: 865f46b25559 - main - unbound: Reapply Vendor import 1.17.0

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Sun, 16 Oct 2022 21:09:14 UTC
The branch main has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=865f46b255599c4a645e84a4cbb5ea7abdc0e207

commit 865f46b255599c4a645e84a4cbb5ea7abdc0e207
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2022-10-16 21:04:22 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2022-10-16 21:08:33 +0000

    unbound: Reapply Vendor import 1.17.0
    
    Reapply 643f9a0581e8aac7eb790ced1164748939829826. 64d318ea98b7 was a
    mismerge during fake rebase. Let's reapply it.
    
    Changes include: Added ACL per interface, proxy protocol and bug fixes.
    
    Announcement:   https://nlnetlabs.nl/news/2022/Oct/13/unbound-1.17.0-released/
    
    Merge commit '643f9a0581e8aac7eb790ced1164748939829826' into main
---
 contrib/unbound/Makefile.in                        |   8 +-
 contrib/unbound/acx_nlnetlabs.m4                   |   6 +-
 contrib/unbound/compat/arc4random.c                |   8 +-
 contrib/unbound/config.guess                       |   8 +-
 contrib/unbound/config.h.in                        |  15 +
 contrib/unbound/config.sub                         |  27 +-
 contrib/unbound/configure                          | 100 ++-
 contrib/unbound/configure.ac                       |  13 +-
 contrib/unbound/daemon/acl_list.c                  | 447 +++++++++--
 contrib/unbound/daemon/acl_list.h                  |  39 +-
 contrib/unbound/daemon/daemon.c                    |  61 +-
 contrib/unbound/daemon/daemon.h                    |   2 +
 contrib/unbound/daemon/remote.c                    |   6 +-
 contrib/unbound/daemon/stats.c                     |  27 +-
 contrib/unbound/daemon/worker.c                    | 152 ++--
 contrib/unbound/daemon/worker.h                    |   4 +
 contrib/unbound/dnstap/dtstream.c                  |   4 +-
 contrib/unbound/dnstap/unbound-dnstap-socket.c     |   4 +-
 contrib/unbound/doc/Changelog                      | 107 +++
 contrib/unbound/doc/README                         |   2 +-
 contrib/unbound/doc/example.conf.in                |  68 +-
 contrib/unbound/doc/libunbound.3.in                |   4 +-
 contrib/unbound/doc/unbound-anchor.8.in            |   2 +-
 contrib/unbound/doc/unbound-checkconf.8.in         |   2 +-
 contrib/unbound/doc/unbound-control.8.in           |   2 +-
 contrib/unbound/doc/unbound-host.1.in              |   2 +-
 contrib/unbound/doc/unbound.8.in                   |   4 +-
 contrib/unbound/doc/unbound.conf.5.in              |  63 +-
 contrib/unbound/edns-subnet/addrtree.c             |   9 +-
 contrib/unbound/edns-subnet/addrtree.h             |   7 +-
 contrib/unbound/edns-subnet/subnetmod.c            |  43 +-
 contrib/unbound/iterator/iter_hints.c              |   2 +-
 contrib/unbound/iterator/iter_resptype.c           |   6 +-
 contrib/unbound/iterator/iterator.c                | 105 ++-
 contrib/unbound/iterator/iterator.h                |   2 +-
 contrib/unbound/libunbound/libunbound.c            |   4 +-
 contrib/unbound/respip/respip.c                    |  10 +-
 contrib/unbound/respip/respip.h                    |   6 +-
 contrib/unbound/services/authzone.c                |   6 +-
 contrib/unbound/services/cache/infra.c             |  37 +-
 contrib/unbound/services/cache/infra.h             |   7 +-
 contrib/unbound/services/listen_dnsport.c          | 134 ++--
 contrib/unbound/services/listen_dnsport.h          |  14 +-
 contrib/unbound/services/localzone.c               |  12 +-
 contrib/unbound/services/mesh.c                    |  13 +-
 contrib/unbound/services/outside_network.c         | 162 ++--
 contrib/unbound/services/outside_network.h         |  24 +
 contrib/unbound/services/rpz.c                     |  28 +-
 contrib/unbound/services/view.c                    |   5 +-
 contrib/unbound/smallapp/unbound-checkconf.c       |  18 +-
 contrib/unbound/smallapp/unbound-control.c         |   4 +-
 contrib/unbound/testdata/iter_ghost_sub.rpl        | 309 --------
 contrib/unbound/testdata/iter_ghost_timewindow.rpl | 391 ----------
 contrib/unbound/util/config_file.c                 |  54 +-
 contrib/unbound/util/config_file.h                 |  20 +
 contrib/unbound/util/configlexer.lex               |   6 +
 contrib/unbound/util/configparser.y                | 129 +++-
 contrib/unbound/util/fptr_wlist.c                  |   1 +
 contrib/unbound/util/net_help.c                    |   6 +-
 contrib/unbound/util/net_help.h                    |   8 +-
 contrib/unbound/util/netevent.c                    | 836 ++++++++++++++++-----
 contrib/unbound/util/netevent.h                    |  42 +-
 contrib/unbound/util/proxy_protocol.c              | 139 ++++
 contrib/unbound/util/proxy_protocol.h              | 131 ++++
 contrib/unbound/util/storage/dnstree.c             |  13 +
 contrib/unbound/util/storage/dnstree.h             |  10 +
 contrib/unbound/util/tube.c                        |  42 ++
 contrib/unbound/util/tube.h                        |   8 +
 lib/libunbound/Makefile                            |   3 +-
 usr.sbin/unbound/config.h                          |   6 +-
 70 files changed, 2668 insertions(+), 1331 deletions(-)

diff --git a/contrib/unbound/Makefile.in b/contrib/unbound/Makefile.in
index 3189731ad52f..e7c76c2588aa 100644
--- a/contrib/unbound/Makefile.in
+++ b/contrib/unbound/Makefile.in
@@ -130,7 +130,7 @@ util/fptr_wlist.c util/locks.c util/log.c util/mini_event.c util/module.c \
 util/netevent.c util/net_help.c util/random.c util/rbtree.c util/regional.c \
 util/rtt.c util/edns.c util/storage/dnstree.c util/storage/lookup3.c \
 util/storage/lruhash.c util/storage/slabhash.c util/tcp_conn_limit.c \
-util/timehist.c util/tube.c \
+util/timehist.c util/tube.c util/proxy_protocol.c \
 util/ub_event.c util/ub_event_pluggable.c util/winsock_event.c \
 validator/autotrust.c validator/val_anchor.c validator/validator.c \
 validator/val_kcache.c validator/val_kentry.c validator/val_neg.c \
@@ -148,7 +148,7 @@ outbound_list.lo alloc.lo config_file.lo configlexer.lo configparser.lo \
 fptr_wlist.lo edns.lo locks.lo log.lo mini_event.lo module.lo net_help.lo \
 random.lo rbtree.lo regional.lo rtt.lo dnstree.lo lookup3.lo lruhash.lo \
 slabhash.lo tcp_conn_limit.lo timehist.lo tube.lo winsock_event.lo \
-autotrust.lo val_anchor.lo rpz.lo \
+autotrust.lo val_anchor.lo rpz.lo proxy_protocol.lo \
 validator.lo val_kcache.lo val_kentry.lo val_neg.lo val_nsec3.lo val_nsec.lo \
 val_secalgo.lo val_sigcrypt.lo val_utils.lo dns64.lo $(CACHEDB_OBJ) authzone.lo \
 $(SUBNET_OBJ) $(PYTHONMOD_OBJ) $(CHECKLOCK_OBJ) $(DNSTAP_OBJ) $(DNSCRYPT_OBJ) \
@@ -984,6 +984,8 @@ netevent.lo netevent.o: $(srcdir)/util/netevent.c config.h $(srcdir)/util/neteve
  $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
  $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/sldns/str2wire.h \
  $(srcdir)/dnstap/dnstap.h  $(srcdir)/services/listen_dnsport.h
+proxy_protocol.lo proxy_protocol.o: $(srcdir)/util/proxy_protocol.c config.h \
+ $(srcdir)/util/proxy_protocol.h $(srcdir)/sldns/sbuffer.h
 net_help.lo net_help.o: $(srcdir)/util/net_help.c config.h $(srcdir)/util/net_help.h $(srcdir)/util/log.h \
  $(srcdir)/util/data/dname.h $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h $(srcdir)/util/module.h \
  $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/msgparse.h \
@@ -1512,7 +1514,7 @@ asynclook.lo asynclook.o: $(srcdir)/testcode/asynclook.c config.h $(srcdir)/libu
  $(srcdir)/services/modstack.h $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/rrdef.h
 streamtcp.lo streamtcp.o: $(srcdir)/testcode/streamtcp.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h \
- $(srcdir)/util/net_help.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
+ $(srcdir)/util/net_help.h $(srcdir)/util/proxy_protocol.h $(srcdir)/util/data/msgencode.h $(srcdir)/util/data/msgparse.h \
  $(srcdir)/util/storage/lruhash.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/data/msgreply.h \
  $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/data/dname.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
diff --git a/contrib/unbound/acx_nlnetlabs.m4 b/contrib/unbound/acx_nlnetlabs.m4
index 1574f97bfe02..cf436ec54bb6 100644
--- a/contrib/unbound/acx_nlnetlabs.m4
+++ b/contrib/unbound/acx_nlnetlabs.m4
@@ -2,7 +2,8 @@
 # Copyright 2009, Wouter Wijngaards, NLnet Labs.   
 # BSD licensed.
 #
-# Version 43
+# Version 44
+# 2022-09-01 fix checking if nonblocking sockets work on OpenBSD.
 # 2021-08-17 fix sed script in ssldir split handling.
 # 2021-08-17 fix for openssl to detect split version, with ssldir_include
 # 	     and ssldir_lib output directories.
@@ -963,6 +964,9 @@ AC_LANG_SOURCE([[
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
diff --git a/contrib/unbound/compat/arc4random.c b/contrib/unbound/compat/arc4random.c
index b536d3143d42..486ab89c68d8 100644
--- a/contrib/unbound/compat/arc4random.c
+++ b/contrib/unbound/compat/arc4random.c
@@ -57,6 +57,8 @@
 #define BLOCKSZ	64
 #define RSBUFSZ	(16*BLOCKSZ)
 
+#define REKEY_BASE	(1024*1024) /* NB. should be a power of 2 */
+
 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
 static struct {
 	size_t		rs_have;	/* valid bytes at end of rs_buf */
@@ -179,6 +181,7 @@ static void
 _rs_stir(void)
 {
 	u_char rnd[KEYSZ + IVSZ];
+	uint32_t rekey_fuzz = 0;
 
 	if (getentropy(rnd, sizeof rnd) == -1) {
 		if(errno != ENOSYS ||
@@ -201,7 +204,10 @@ _rs_stir(void)
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
 
-	rs->rs_count = 1600000;
+	/* rekey interval should not be predictable */
+	chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+	    (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+	rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 
 static inline void
diff --git a/contrib/unbound/config.guess b/contrib/unbound/config.guess
index a419d8643b62..980b02083815 100755
--- a/contrib/unbound/config.guess
+++ b/contrib/unbound/config.guess
@@ -4,7 +4,7 @@
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2022-08-01'
+timestamp='2022-09-17'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -966,6 +966,12 @@ EOF
 	GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'`
 	GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC
 	;;
+    x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*)
+	GUESS="$UNAME_MACHINE-pc-managarm-mlibc"
+	;;
+    *:[Mm]anagarm:*:*)
+	GUESS="$UNAME_MACHINE-unknown-managarm-mlibc"
+	;;
     *:Minix:*:*)
 	GUESS=$UNAME_MACHINE-unknown-minix
 	;;
diff --git a/contrib/unbound/config.h.in b/contrib/unbound/config.h.in
index cc1fbe864818..2caecf30d040 100644
--- a/contrib/unbound/config.h.in
+++ b/contrib/unbound/config.h.in
@@ -298,6 +298,9 @@
 /* Define to 1 if you have the `getrlimit' function. */
 #undef HAVE_GETRLIMIT
 
+/* Define to 1 if you have the `gettid' function. */
+#undef HAVE_GETTID
+
 /* Define to 1 if you have the `glob' function. */
 #undef HAVE_GLOB
 
@@ -457,6 +460,12 @@
 /* Define to 1 if you have the `OSSL_PARAM_BLD_new' function. */
 #undef HAVE_OSSL_PARAM_BLD_NEW
 
+/* Define to 1 if you have the `poll' function. */
+#undef HAVE_POLL
+
+/* Define to 1 if you have the <poll.h> header file. */
+#undef HAVE_POLL_H
+
 /* Define if you have POSIX threads libraries and header files. */
 #undef HAVE_PTHREAD
 
@@ -800,12 +809,18 @@
 /* Shared data */
 #undef SHARE_DIR
 
+/* The size of `pthread_t', as computed by sizeof. */
+#undef SIZEOF_PTHREAD_T
+
 /* The size of `size_t', as computed by sizeof. */
 #undef SIZEOF_SIZE_T
 
 /* The size of `time_t', as computed by sizeof. */
 #undef SIZEOF_TIME_T
 
+/* The size of `unsigned long', as computed by sizeof. */
+#undef SIZEOF_UNSIGNED_LONG
+
 /* define if (v)snprintf does not return length needed, (but length used) */
 #undef SNPRINTF_RET_BROKEN
 
diff --git a/contrib/unbound/config.sub b/contrib/unbound/config.sub
index fbaa37f2352d..baf1512b3c03 100755
--- a/contrib/unbound/config.sub
+++ b/contrib/unbound/config.sub
@@ -4,7 +4,7 @@
 
 # shellcheck disable=SC2006,SC2268 # see below for rationale
 
-timestamp='2022-08-01'
+timestamp='2022-09-17'
 
 # This file is free software; you can redistribute it and/or modify it
 # under the terms of the GNU General Public License as published by
@@ -145,7 +145,7 @@ case $1 in
 			nto-qnx* | linux-* | uclinux-uclibc* \
 			| uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \
 			| netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \
-			| storm-chaos* | os2-emx* | rtmk-nova*)
+			| storm-chaos* | os2-emx* | rtmk-nova* | managarm-*)
 				basic_machine=$field1
 				basic_os=$maybe_os
 				;;
@@ -1341,6 +1341,10 @@ EOF
 		kernel=linux
 		os=`echo "$basic_os" | sed -e 's|linux|gnu|'`
 		;;
+	managarm*)
+		kernel=managarm
+		os=`echo "$basic_os" | sed -e 's|managarm|mlibc|'`
+		;;
 	*)
 		kernel=
 		os=$basic_os
@@ -1754,7 +1758,7 @@ case $os in
 	     | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \
 	     | midnightbsd* | amdhsa* | unleashed* | emscripten* | wasi* \
 	     | nsk* | powerunix* | genode* | zvmoe* | qnx* | emx* | zephyr* \
-	     | fiwix* )
+	     | fiwix* | mlibc* )
 		;;
 	# This one is extra strict with allowed versions
 	sco3.2v2 | sco3.2v[4-9]* | sco5v6*)
@@ -1762,6 +1766,9 @@ case $os in
 		;;
 	none)
 		;;
+	kernel* )
+		# Restricted further below
+		;;
 	*)
 		echo Invalid configuration \`"$1"\': OS \`"$os"\' not recognized 1>&2
 		exit 1
@@ -1772,16 +1779,26 @@ esac
 # (given a valid OS), if there is a kernel.
 case $kernel-$os in
 	linux-gnu* | linux-dietlibc* | linux-android* | linux-newlib* \
-		   | linux-musl* | linux-relibc* | linux-uclibc* )
+		   | linux-musl* | linux-relibc* | linux-uclibc* | linux-mlibc* )
 		;;
 	uclinux-uclibc* )
 		;;
-	-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* )
+	managarm-mlibc* | managarm-kernel* )
+		;;
+	-dietlibc* | -newlib* | -musl* | -relibc* | -uclibc* | -mlibc* )
 		# These are just libc implementations, not actual OSes, and thus
 		# require a kernel.
 		echo "Invalid configuration \`$1': libc \`$os' needs explicit kernel." 1>&2
 		exit 1
 		;;
+	-kernel* )
+		echo "Invalid configuration \`$1': \`$os' needs explicit kernel." 1>&2
+		exit 1
+		;;
+	*-kernel* )
+		echo "Invalid configuration \`$1': \`$kernel' does not support \`$os'." 1>&2
+		exit 1
+		;;
 	kfreebsd*-gnu* | kopensolaris*-gnu*)
 		;;
 	vxworks-simlinux | vxworks-simwindows | vxworks-spe)
diff --git a/contrib/unbound/configure b/contrib/unbound/configure
index f40187910ecc..a2837d18553b 100755
--- a/contrib/unbound/configure
+++ b/contrib/unbound/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for unbound 1.16.3.
+# Generated by GNU Autoconf 2.69 for unbound 1.17.0.
 #
 # Report bugs to <unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues>.
 #
@@ -591,8 +591,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='unbound'
 PACKAGE_TARNAME='unbound'
-PACKAGE_VERSION='1.16.3'
-PACKAGE_STRING='unbound 1.16.3'
+PACKAGE_VERSION='1.17.0'
+PACKAGE_STRING='unbound 1.17.0'
 PACKAGE_BUGREPORT='unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues'
 PACKAGE_URL=''
 
@@ -1477,7 +1477,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures unbound 1.16.3 to adapt to many kinds of systems.
+\`configure' configures unbound 1.17.0 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1543,7 +1543,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of unbound 1.16.3:";;
+     short | recursive ) echo "Configuration of unbound 1.17.0:";;
    esac
   cat <<\_ACEOF
 
@@ -1785,7 +1785,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-unbound configure 1.16.3
+unbound configure 1.17.0
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2494,7 +2494,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by unbound $as_me 1.16.3, which was
+It was created by unbound $as_me 1.17.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2844,13 +2844,13 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
 
 UNBOUND_VERSION_MAJOR=1
 
-UNBOUND_VERSION_MINOR=16
+UNBOUND_VERSION_MINOR=17
 
-UNBOUND_VERSION_MICRO=3
+UNBOUND_VERSION_MICRO=0
 
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=19
+LIBUNBOUND_REVISION=20
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -2937,6 +2937,7 @@ LIBUNBOUND_AGE=1
 # 1.16.1 had 9:17:1
 # 1.16.2 had 9:18:1
 # 1.16.3 had 9:19:1
+# 1.17.0 had 9:20:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -14772,7 +14773,7 @@ fi
 fi
 
 # Checks for header files.
-for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h
+for ac_header in stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h
 do :
   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default
@@ -16031,6 +16032,9 @@ else
 #ifdef HAVE_SYS_TYPES_H
 #include <sys/types.h>
 #endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
 #ifdef HAVE_SYS_SOCKET_H
 #include <sys/socket.h>
 #endif
@@ -17101,6 +17105,72 @@ _ACEOF
 
 fi
 
+		# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of unsigned long" >&5
+$as_echo_n "checking size of unsigned long... " >&6; }
+if ${ac_cv_sizeof_unsigned_long+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (unsigned long))" "ac_cv_sizeof_unsigned_long"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_unsigned_long" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (unsigned long)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_unsigned_long=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_unsigned_long" >&5
+$as_echo "$ac_cv_sizeof_unsigned_long" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_UNSIGNED_LONG $ac_cv_sizeof_unsigned_long
+_ACEOF
+
+
+		# The cast to long int works around a bug in the HP C Compiler
+# version HP92453-01 B.11.11.23709.GP, which incorrectly rejects
+# declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'.
+# This bug is HP SR number 8606223364.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking size of pthread_t" >&5
+$as_echo_n "checking size of pthread_t... " >&6; }
+if ${ac_cv_sizeof_pthread_t+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (pthread_t))" "ac_cv_sizeof_pthread_t"        "$ac_includes_default"; then :
+
+else
+  if test "$ac_cv_type_pthread_t" = yes; then
+     { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "cannot compute sizeof (pthread_t)
+See \`config.log' for more details" "$LINENO" 5; }
+   else
+     ac_cv_sizeof_pthread_t=0
+   fi
+fi
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_pthread_t" >&5
+$as_echo "$ac_cv_sizeof_pthread_t" >&6; }
+
+
+
+cat >>confdefs.h <<_ACEOF
+#define SIZEOF_PTHREAD_T $ac_cv_sizeof_pthread_t
+_ACEOF
+
+
 
 		if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
 		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if -pthread unused during linking" >&5
@@ -20591,7 +20661,7 @@ if test "$ac_res" != no; then :
 
 fi
 
-for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex
+for ac_func in tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -22015,7 +22085,7 @@ _ACEOF
 
 
 
-version=1.16.3
+version=1.17.0
 
 date=`date +'%b %e, %Y'`
 
@@ -22534,7 +22604,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by unbound $as_me 1.16.3, which was
+This file was extended by unbound $as_me 1.17.0, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -22600,7 +22670,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-unbound config.status 1.16.3
+unbound config.status 1.17.0
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff --git a/contrib/unbound/configure.ac b/contrib/unbound/configure.ac
index bf8aa9d8cdb0..57cc7e604b1e 100644
--- a/contrib/unbound/configure.ac
+++ b/contrib/unbound/configure.ac
@@ -10,15 +10,15 @@ sinclude(dnscrypt/dnscrypt.m4)
 
 # must be numbers. ac_defun because of later processing
 m4_define([VERSION_MAJOR],[1])
-m4_define([VERSION_MINOR],[16])
-m4_define([VERSION_MICRO],[3])
+m4_define([VERSION_MINOR],[17])
+m4_define([VERSION_MICRO],[0])
 AC_INIT([unbound],m4_defn([VERSION_MAJOR]).m4_defn([VERSION_MINOR]).m4_defn([VERSION_MICRO]),[unbound-bugs@nlnetlabs.nl or https://github.com/NLnetLabs/unbound/issues],[unbound])
 AC_SUBST(UNBOUND_VERSION_MAJOR, [VERSION_MAJOR])
 AC_SUBST(UNBOUND_VERSION_MINOR, [VERSION_MINOR])
 AC_SUBST(UNBOUND_VERSION_MICRO, [VERSION_MICRO])
 
 LIBUNBOUND_CURRENT=9
-LIBUNBOUND_REVISION=19
+LIBUNBOUND_REVISION=20
 LIBUNBOUND_AGE=1
 # 1.0.0 had 0:12:0
 # 1.0.1 had 0:13:0
@@ -105,6 +105,7 @@ LIBUNBOUND_AGE=1
 # 1.16.1 had 9:17:1
 # 1.16.2 had 9:18:1
 # 1.16.3 had 9:19:1
+# 1.17.0 had 9:20:1
 
 #   Current  -- the number of the binary API that we're implementing
 #   Revision -- which iteration of the implementation of the binary
@@ -397,7 +398,7 @@ PKG_PROG_PKG_CONFIG
 fi
 
 # Checks for header files.
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h netinet/tcp.h sys/param.h sys/select.h sys/socket.h sys/un.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h login_cap.h winsock2.h ws2tcpip.h endian.h sys/endian.h libkern/OSByteOrder.h sys/ipc.h sys/shm.h ifaddrs.h poll.h],,, [AC_INCLUDES_DEFAULT])
 # net/if.h portability for Darwin see:
 # https://www.gnu.org/software/autoconf/manual/autoconf-2.69/html_node/Header-Portability.html
 AC_CHECK_HEADERS([net/if.h],,, [
@@ -607,6 +608,8 @@ if test x_$withval != x_no; then
 		CC="$PTHREAD_CC"
 		ub_have_pthreads=yes
 		AC_CHECK_TYPES([pthread_spinlock_t, pthread_rwlock_t],,,[#include <pthread.h>])
+		AC_CHECK_SIZEOF([unsigned long])
+		AC_CHECK_SIZEOF(pthread_t)
 
 		if echo "$CFLAGS" | $GREP -e "-pthread" >/dev/null; then
 		AC_MSG_CHECKING([if -pthread unused during linking])
@@ -1644,7 +1647,7 @@ AC_LINK_IFELSE([AC_LANG_PROGRAM([
   AC_MSG_RESULT(no))
 
 AC_SEARCH_LIBS([setusercontext], [util])
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam endpwent getrlimit setrlimit setsid chroot kill chown sleep usleep random srandom recvmsg sendmsg writev socketpair glob initgroups strftime localtime_r setusercontext _beginthreadex endservent endprotoent fsync shmget accept4 getifaddrs if_nametoindex poll gettid])
 AC_CHECK_FUNCS([setresuid],,[AC_CHECK_FUNCS([setreuid])])
 AC_CHECK_FUNCS([setresgid],,[AC_CHECK_FUNCS([setregid])])
 
diff --git a/contrib/unbound/daemon/acl_list.c b/contrib/unbound/daemon/acl_list.c
index aecb3e0c6437..f3961dbbb7ad 100644
--- a/contrib/unbound/daemon/acl_list.c
+++ b/contrib/unbound/daemon/acl_list.c
@@ -46,9 +46,10 @@
 #include "util/config_file.h"
 #include "util/net_help.h"
 #include "services/localzone.h"
+#include "services/listen_dnsport.h"
 #include "sldns/str2wire.h"
 
-struct acl_list* 
+struct acl_list*
 acl_list_create(void)
 {
 	struct acl_list* acl = (struct acl_list*)calloc(1,
@@ -63,10 +64,10 @@ acl_list_create(void)
 	return acl;
 }
 
-void 
+void
 acl_list_delete(struct acl_list* acl)
 {
-	if(!acl) 
+	if(!acl)
 		return;
 	regional_destroy(acl->region);
 	free(acl);
@@ -74,8 +75,8 @@ acl_list_delete(struct acl_list* acl)
 
 /** insert new address into acl_list structure */
 static struct acl_addr*
-acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr, 
-	socklen_t addrlen, int net, enum acl_access control, 
+acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
+	socklen_t addrlen, int net, enum acl_access control,
 	int complain_duplicates)
 {
 	struct acl_addr* node = regional_alloc_zero(acl->region,
@@ -90,6 +91,31 @@ acl_list_insert(struct acl_list* acl, struct sockaddr_storage* addr,
 	return node;
 }
 
+/** parse str to acl_access enum */
+static int
+parse_acl_access(const char* str, enum acl_access* control)
+{
+	if(strcmp(str, "allow") == 0)
+		*control = acl_allow;
+	else if(strcmp(str, "deny") == 0)
+		*control = acl_deny;
+	else if(strcmp(str, "refuse") == 0)
+		*control = acl_refuse;
+	else if(strcmp(str, "deny_non_local") == 0)
+		*control = acl_deny_non_local;
+	else if(strcmp(str, "refuse_non_local") == 0)
+		*control = acl_refuse_non_local;
+	else if(strcmp(str, "allow_snoop") == 0)
+		*control = acl_allow_snoop;
+	else if(strcmp(str, "allow_setrd") == 0)
+		*control = acl_allow_setrd;
+	else {
+		log_err("access control type %s unknown", str);
+		return 0;
+	}
+	return 1;
+}
+
 /** apply acl_list string */
 static int
 acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
@@ -99,29 +125,14 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 	int net;
 	socklen_t addrlen;
 	enum acl_access control;
-	if(strcmp(s2, "allow") == 0)
-		control = acl_allow;
-	else if(strcmp(s2, "deny") == 0)
-		control = acl_deny;
-	else if(strcmp(s2, "refuse") == 0)
-		control = acl_refuse;
-	else if(strcmp(s2, "deny_non_local") == 0)
-		control = acl_deny_non_local;
-	else if(strcmp(s2, "refuse_non_local") == 0)
-		control = acl_refuse_non_local;
-	else if(strcmp(s2, "allow_snoop") == 0)
-		control = acl_allow_snoop;
-	else if(strcmp(s2, "allow_setrd") == 0)
-		control = acl_allow_setrd;
-	else {
-		log_err("access control type %s unknown", str);
+	if(!parse_acl_access(s2, &control)) {
 		return 0;
 	}
 	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
 		log_err("cannot parse access control: %s %s", str, s2);
 		return 0;
 	}
-	if(!acl_list_insert(acl, &addr, addrlen, net, control, 
+	if(!acl_list_insert(acl, &addr, addrlen, net, control,
 		complain_duplicates)) {
 		log_err("out of memory");
 		return 0;
@@ -131,19 +142,27 @@ acl_list_str_cfg(struct acl_list* acl, const char* str, const char* s2,
 
 /** find or create node (NULL on parse or error) */
 static struct acl_addr*
-acl_find_or_create(struct acl_list* acl, const char* str)
+acl_find_or_create_str2addr(struct acl_list* acl, const char* str,
+	int is_interface, int port)
 {
 	struct acl_addr* node;
 	struct sockaddr_storage addr;
-	int net;
 	socklen_t addrlen;
-	if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
-		log_err("cannot parse netblock: %s", str);
-		return NULL;
+	int net = (str_is_ip6(str)?128:32);
+	if(is_interface) {
+		if(!extstrtoaddr(str, &addr, &addrlen, port)) {
+			log_err("cannot parse interface: %s", str);
+			return NULL;
+		}
+	} else {
+		if(!netblockstrtoaddr(str, UNBOUND_DNS_PORT, &addr, &addrlen, &net)) {
+			log_err("cannot parse netblock: %s", str);
+			return NULL;
+		}
 	}
 	/* find or create node */
 	if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, &addr,
-		addrlen, net))) {
+		addrlen, net)) && !is_interface) {
 		/* create node, type 'allow' since otherwise tags are
 		 * pointless, can override with specific access-control: cfg */
 		if(!(node=(struct acl_addr*)acl_list_insert(acl, &addr,
@@ -155,14 +174,65 @@ acl_find_or_create(struct acl_list* acl, const char* str)
 	return node;
 }
 
+/** find or create node (NULL on error) */
+static struct acl_addr*
+acl_find_or_create(struct acl_list* acl, struct sockaddr_storage* addr,
+	socklen_t addrlen, enum acl_access control)
+{
+	struct acl_addr* node;
+	int net = (addr_is_ip6(addr, addrlen)?128:32);
+	/* find or create node */
+	if(!(node=(struct acl_addr*)addr_tree_find(&acl->tree, addr,
+		addrlen, net))) {
+		/* create node;
+		 * can override with specific access-control: cfg */
+		if(!(node=(struct acl_addr*)acl_list_insert(acl, addr,
+			addrlen, net, control, 1))) {
+			log_err("out of memory");
+			return NULL;
+		}
+	}
+	return node;
+}
+
+/** apply acl_interface string */
+static int
+acl_interface_str_cfg(struct acl_list* acl_interface, const char* iface,
+	const char* s2, int port)
+{
+	struct acl_addr* node;
+	enum acl_access control;
+	if(!parse_acl_access(s2, &control)) {
+		return 0;
+	}
+	if(!(node=acl_find_or_create_str2addr(acl_interface, iface, 1, port))) {
+		log_err("cannot update ACL on non-configured interface: %s %d",
+			iface, port);
+		return 0;
+	}
+	node->control = control;
+	return 1;
+}
+
+struct acl_addr*
+acl_interface_insert(struct acl_list* acl_interface,
+	struct sockaddr_storage* addr, socklen_t addrlen,
+	enum acl_access control)
+{
+	return acl_find_or_create(acl_interface, addr, addrlen, control);
+}
+
 /** apply acl_tag string */
 static int
 acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
-	size_t bitmaplen)
+	size_t bitmaplen, int is_interface, int port)
 {
 	struct acl_addr* node;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	node->taglen = bitmaplen;
 	node->taglist = regional_alloc_init(acl->region, bitmap, bitmaplen);
 	if(!node->taglist) {
@@ -175,11 +245,14 @@ acl_list_tags_cfg(struct acl_list* acl, const char* str, uint8_t* bitmap,
 /** apply acl_view string */
 static int
 acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
-	struct views* vs)
+	struct views* vs, int is_interface, int port)
 {
 	struct acl_addr* node;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	node->view = views_find_view(vs, str2, 0 /* get read lock*/);
 	if(!node->view) {
 		log_err("no view with name: %s", str2);
@@ -192,13 +265,17 @@ acl_list_view_cfg(struct acl_list* acl, const char* str, const char* str2,
 /** apply acl_tag_action string */
 static int
 acl_list_tag_action_cfg(struct acl_list* acl, struct config_file* cfg,
-	const char* str, const char* tag, const char* action)
+	const char* str, const char* tag, const char* action,
+	int is_interface, int port)
 {
 	struct acl_addr* node;
 	int tagid;
 	enum localzone_type t;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	/* allocate array if not yet */
 	if(!node->tag_actions) {
 		node->tag_actions = (uint8_t*)regional_alloc_zero(acl->region,
@@ -281,13 +358,17 @@ check_data(const char* data, const struct config_strlist* head)
 /** apply acl_tag_data string */
 static int
 acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
-	const char* str, const char* tag, const char* data)
+	const char* str, const char* tag, const char* data,
+	int is_interface, int port)
 {
 	struct acl_addr* node;
 	int tagid;
 	char* dupdata;
-	if(!(node=acl_find_or_create(acl, str)))
+	if(!(node=acl_find_or_create_str2addr(acl, str, is_interface, port))) {
+		if(is_interface)
+			log_err("non-configured interface: %s", str);
 		return 0;
+	}
 	/* allocate array if not yet */
 	if(!node->tag_datas) {
 		node->tag_datas = (struct config_strlist**)regional_alloc_zero(
@@ -329,11 +410,11 @@ acl_list_tag_data_cfg(struct acl_list* acl, struct config_file* cfg,
 }
 
 /** read acl_list config */
-static int 
-read_acl_list(struct acl_list* acl, struct config_file* cfg)
+static int
+read_acl_list(struct acl_list* acl, struct config_str2list* acls)
 {
 	struct config_str2list* p;
-	for(p = cfg->acls; p; p = p->next) {
+	for(p = acls; p; p = p->next) {
 		log_assert(p->str && p->str2);
 		if(!acl_list_str_cfg(acl, p->str, p->str2, 1))
 			return 0;
@@ -341,16 +422,17 @@ read_acl_list(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
-/** read acl tags config */
-static int 
-read_acl_tags(struct acl_list* acl, struct config_file* cfg)
+/** read acl view config */
+static int
+read_acl_view(struct acl_list* acl, struct config_str2list** acl_view,
+	struct views* v)
 {
-	struct config_strbytelist* np, *p = cfg->acl_tags;
-	cfg->acl_tags = NULL;
+	struct config_str2list* np, *p = *acl_view;
+	*acl_view = NULL;
 	while(p) {
 		log_assert(p->str && p->str2);
-		if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len)) {
-			config_del_strbytelist(p);
+		if(!acl_list_view_cfg(acl, p->str, p->str2, v, 0, 0)) {
+			config_deldblstrlist(p);
 			return 0;
 		}
 		/* free the items as we go to free up memory */
@@ -363,15 +445,16 @@ read_acl_tags(struct acl_list* acl, struct config_file* cfg)
 	return 1;
 }
 
-/** read acl view config */
-static int 
-read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
+/** read acl tags config */
+static int
+read_acl_tags(struct acl_list* acl, struct config_strbytelist** acl_tags)
 {
-	struct config_str2list* np, *p = cfg->acl_view;
-	cfg->acl_view = NULL;
+	struct config_strbytelist* np, *p = *acl_tags;
+	*acl_tags = NULL;
 	while(p) {
 		log_assert(p->str && p->str2);
-		if(!acl_list_view_cfg(acl, p->str, p->str2, v)) {
+		if(!acl_list_tags_cfg(acl, p->str, p->str2, p->str2len, 0, 0)) {
+			config_del_strbytelist(p);
 			return 0;
 		}
 		/* free the items as we go to free up memory */
@@ -385,16 +468,17 @@ read_acl_view(struct acl_list* acl, struct config_file* cfg, struct views* v)
 }
 
 /** read acl tag actions config */
-static int 
-read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
+static int
+read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg,
+	struct config_str3list** acl_tag_actions)
 {
 	struct config_str3list* p, *np;
-	p = cfg->acl_tag_actions;
-	cfg->acl_tag_actions = NULL;
+	p = *acl_tag_actions;
+	*acl_tag_actions = NULL;
 	while(p) {
 		log_assert(p->str && p->str2 && p->str3);
 		if(!acl_list_tag_action_cfg(acl, cfg, p->str, p->str2,
-			p->str3)) {
+			p->str3, 0, 0)) {
 			config_deltrplstrlist(p);
 			return 0;
 		}
@@ -410,15 +494,17 @@ read_acl_tag_actions(struct acl_list* acl, struct config_file* cfg)
 }
 
 /** read acl tag datas config */
-static int 
-read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
+static int
+read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg,
+	struct config_str3list** acl_tag_datas)
 {
 	struct config_str3list* p, *np;
-	p = cfg->acl_tag_datas;
-	cfg->acl_tag_datas = NULL;
+	p = *acl_tag_datas;
+	*acl_tag_datas = NULL;
 	while(p) {
 		log_assert(p->str && p->str2 && p->str3);
-		if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3)) {
+		if(!acl_list_tag_data_cfg(acl, cfg, p->str, p->str2, p->str3,
+			0, 0)) {
 			config_deltrplstrlist(p);
 			return 0;
 		}
@@ -433,30 +519,27 @@ read_acl_tag_datas(struct acl_list* acl, struct config_file* cfg)
 	return 1;
*** 6364 LINES SKIPPED ***