Fred Morcos [Wed, 10 Apr 2024 08:59:52 +0000 (10:59 +0200)]
Meson: Support pdns-auth and ixfrdist service files
Service files are treated like a config.h.in file. This adds support for a common base of
service file configuration options containing basic systemd feature checks.
Then, each of pdns-auth and ixfrdist have their own "general" and "instance" service files
that are generated from a common service file. This is why things like @Description@,
@ConfigName@ and @Config@ are made generic so that each version of the service file can
use it own string.
Fred Morcos [Tue, 9 Apr 2024 11:15:30 +0000 (13:15 +0200)]
Meson: Add systemd feature support for service files
This moves things around a bit. Moves libsystem detection to
meson/libsystem/meson.build and uses meson/systemd/meson.build for
systemd/systemctl version and feature detection
dnsdist: Fix a crash in the Downstream TCP handler
when we are looking for an existing TCP connection to a backend to
reuse, we routinely (every 60s by default) clean up existing
connections from the cache. 7b5f590ee72fecf54c0c40b24e98ba03a406af53 removes a connection
from the cache more aggressively when it has failed, but I did not
notice that the same function might be called from the cache cleaning
algorithm. It caused the cache cleanup function to call this function
which in turns tried to remove the connection from the same cache,
invalidating the iterator of the cache algorithm, and causing a crash
when the function returned.
ci: Enable LeakSanitizer during dnsdist and recursor unit tests
We need to fix some one-time allocations in the authoritative server
that are reported as leaked memory before we can enabled it there.
See:
- https://github.com/PowerDNS/pdns/pull/14028
- https://github.com/PowerDNS/pdns/pull/14029
There is also a leak in the remotebackend unit tests that I will
investigate after https://github.com/PowerDNS/pdns/pull/13960 has
been merged.
auth: Properly finalize PKCS11 modules before releasing them
This gets rid of two leaks reported by LeakSanitizer when running our
unit tests:
```
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x5fe6c6e7d099 in malloc (/pdns/pdns/testrunner+0x220099) (BuildId: 08d4c369b5f2f19f183aa5d6ab931a6653b70ab9)
#1 0x7e6cdc6a0964 (/usr/lib/libp11-kit.so.0+0x36964) (BuildId: 307da6c0b5c7d87a1b0fd0a63e0bda93c9375e8a)
Indirect leak of 72 byte(s) in 1 object(s) allocated from:
#0 0x5fe6c6e7d401 in calloc (/pdns/pdns/testrunner+0x220401) (BuildId: 08d4c369b5f2f19f183aa5d6ab931a6653b70ab9)
#1 0x7e6cdc6a09b6 (/usr/lib/libp11-kit.so.0+0x369b6) (BuildId: 307da6c0b5c7d87a1b0fd0a63e0bda93c9375e8a)
```
Eli Schwartz [Mon, 11 Dec 2023 23:18:11 +0000 (18:18 -0500)]
configure: remove broken bashism
In a configure check that was carefully written for pre-unix-wars
versions of the bourne shell, some code which was only valid using GNU
bash was included.
The `==` operator is a bash-specific alias for `=`. It behaves exactly
the same, except more confusing. It contains no added functionality,
other than making an otherwise /bin/sh compatible script only work when
/bin/sh is a symlink to /bin/bash.
Remi Gacogne [Fri, 8 Mar 2024 15:14:17 +0000 (16:14 +0100)]
dnsdist: Add a new query rules chain triggered after a cache miss
This new chain of rules allows postponing the decision of what to
do with the query to after a cache-lookup has been done. This is
particularly useful when dealing with abuse: we might want to allow
cache hits to be processed normally since they are cheap while dropping/
refusing/routing to a different pool queries that result in a cache
miss.
Remi Gacogne [Fri, 29 Mar 2024 14:14:55 +0000 (15:14 +0100)]
FDWrapper: Do not try to close negative file descriptors
It turns out that some of the BPF helper functions return
a negative `errno` value in case of failure, and since we
wrap the return value into a `FDWrapper` right away this
led to a warning from Valgrind about trying to close an
invalid file descriptor.
Remi Gacogne [Fri, 29 Mar 2024 13:22:40 +0000 (14:22 +0100)]
dnsdist: Release incoming TCP connection right away on backend failure
We used to keep a shared pointer to the incoming TCP connection around
in `TCPConnectionToBackend::d_currentQuery.d_sender` even after all queries
sent to the backend failed, which prevented the incoming TCP connection
from being closed as soon as it should have.
Remi Gacogne [Fri, 29 Mar 2024 13:12:29 +0000 (14:12 +0100)]
dnsdist: Fix a null-deref in incoming DoH w/ nghttp2
When an incoming DoH connection using the `nghttp2` provider is waiting
for a response from a backend that results in a I/O error or timeout,
and the incoming connection also fails due to a I/O error or timeout,
dnsdist could in some cases try to dereference a null pointer, leading
to a crash.
Remi Gacogne [Thu, 28 Mar 2024 09:27:15 +0000 (10:27 +0100)]
dnsdist: Increase the HTTP/1.1 query counter when DoH with 1.1 ALPN
This way we can keep track of how many HTTP/1.1 connections attempt
we see. We will not actually process the DNS over HTTP/1.1 payload
anyway when the `nghttp2` provider is used.