From 644cea096a07ee94769adb4a144e18515272060c Mon Sep 17 00:00:00 2001 From: =?utf8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?= Date: Mon, 22 Jul 2024 13:42:35 +0200 Subject: [PATCH] doc+NEWS for the buffering changes --- NEWS | 9 ++++++++- daemon/bindings/net_buffering.rst | 25 +++++++++++++++++++++++++ doc/config-network.rst | 9 +++++++++ doc/daemon-bindings-net_buffering.rst | 1 + modules/workarounds/README.rst | 2 +- 5 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 daemon/bindings/net_buffering.rst create mode 120000 doc/daemon-bindings-net_buffering.rst diff --git a/NEWS b/NEWS index c1fe235b4..cf84aaac1 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,13 @@ -Knot Resolver 5.7.4 (2024-0m-dd) +Knot Resolver 5.7.4 (2024-07-23) ================================ +Security +-------- +- reduce buffering of transmitted data, especially TCP-based in userspace + Also expose some of the new tweaks in lua: + (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000 + (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv} + Improvements ------------ - add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556) diff --git a/daemon/bindings/net_buffering.rst b/daemon/bindings/net_buffering.rst new file mode 100644 index 000000000..946fc28e6 --- /dev/null +++ b/daemon/bindings/net_buffering.rst 
@@ -0,0 +1,25 @@ +.. SPDX-License-Identifier: GPL-3.0-or-later + +Buffering tweaks +---------------- + +We (can) set various server-side socket options that affect buffering. +The values are stored in C structures without real Lua bindings, +so setting them is a bit long. + +.. py:data:: (require 'ffi').C.the_worker.engine.net.tcp.user_timeout + + On TCP-based server-side sockets we set ``TCP_USER_TIMEOUT`` option if available (~Linux). + We use default 1000, i.e. one second. For details see the definition in ``man tcp.7``. + +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_tcp_buflens.snd +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_tcp_buflens.rcv +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_udp_buflens.snd +.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_udp_buflens.rcv + + If overridden to nonzero, these variables instruct the OS to modify kernel-space buffers + for server-side sockets. We split the setting for UDP vs. TCP and sending vs. receiving. + + For details see ``SO_SNDBUF`` and ``SO_RCVBUF`` in ``man socket.7``. + There is no user-space buffering beyond immediate manipulation, only the OS keeps some. + diff --git a/doc/config-network.rst b/doc/config-network.rst index 2faac0e36..1e69a6f5d 100644 --- a/doc/config-network.rst +++ b/doc/config-network.rst @@ -62,3 +62,12 @@ DNS protocol tweaks :maxdepth: 2 daemon-bindings-net_dns_tweaks + +Buffering tweaks +================ + +.. toctree:: + :maxdepth: 2 + + daemon-bindings-net_buffering + diff --git a/doc/daemon-bindings-net_buffering.rst b/doc/daemon-bindings-net_buffering.rst new file mode 120000 index 000000000..558d3a97f --- /dev/null +++ b/doc/daemon-bindings-net_buffering.rst @@ -0,0 +1 @@ +../daemon/bindings/net_buffering.rst \ No newline at end of file diff --git a/modules/workarounds/README.rst b/modules/workarounds/README.rst index fcb04aa31..f456c6c13 100644 --- a/modules/workarounds/README.rst +++ b/modules/workarounds/README.rst 
@@ -2,7 +2,7 @@ .. _mod-workarounds: -Module `workarounds` resolver behavior on specific broken sub-domains. +Module `workarounds` tweaks resolver behavior on specific broken sub-domains. Currently it mainly disables case randomization. .. code-block:: lua -- 2.47.3
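Review bot: the new Security item in the NEWS hunk has no tracking reference, while the neighbouring Improvements item carries `(!1556)`; give the buffering item its merge request or issue number in the same form. The item also names the mitigation ("reduce buffering of transmitted data") but not what the previous buffering exposed, which is what a reader of a Security section looks for, so one clause on the impact would help. Lastly, the line `(require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}` is shell-style brace shorthand rather than Lua; since the line above it is a literal assignment that readers will paste, write one of the four settings out in full as an assignment and point to the new buffering doc page for the other three.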
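Review bot: in `daemon/bindings/net_buffering.rst` the unit of `user_timeout` is only implied ("default 1000, i.e. one second"); state "in milliseconds" explicitly, which is also the unit `TCP_USER_TIMEOUT` takes according to the `man tcp.7` page the text cites. The `listen_*_buflens` entries say "If overridden to nonzero" without giving the default; say that the default is 0 and what 0 means (presumably that the kernel's own `SO_SNDBUF`/`SO_RCVBUF` sizes are left untouched, if that is the behaviour). Two wording points: "(~Linux)" is cryptic, "currently Linux only" or "where the OS supports it" reads better; and the closing sentence "There is no user-space buffering beyond immediate manipulation, only the OS keeps some." is hard to parse, something like "The resolver itself holds no queue beyond the data it is currently processing; the kernel socket buffers are the only buffering." would be clearer. It would also help users to know whether these values are read once when listening sockets are created or for each new connection, i.e. when a change takes effect.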
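Review bot: the `doc/config-network.rst` hunk ends with an added empty line after `daemon-bindings-net_buffering`, leaving a trailing blank line at end of file that editors and linters flag; drop it so the file ends right after the toctree entry. The new section otherwise mirrors the `DNS protocol tweaks` block above it, which is the right shape.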
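Review bot: `doc/daemon-bindings-net_buffering.rst` is added as a symlink (mode 120000) to `../daemon/bindings/net_buffering.rst`; this presumably matches how the existing `daemon-bindings-net_dns_tweaks` page is wired, so it is consistent, but symlinks degrade on checkouts without symlink support (default Windows git, some archive exports), where the doc build then sees a one-line text file containing the path instead of the page. If the project already accepts that for the other bindings pages, nothing to change here; otherwise consider a one-line `.. include::` stub instead.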
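Review bot: the `modules/workarounds/README.rst` change (inserting the missing verb "tweaks") is unrelated to the buffering changes the subject line describes; either split it into its own commit or mention it in the commit message so the history stays searchable. The fix itself is correct, the original sentence had no verb.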