-Knot Resolver 6.0.8 (2024-0m-dd)
+Knot Resolver 6.0.8 (2024-07-23)
================================
+Security
+--------
+- reduce buffering of transmitted data, especially TCP-based in userspace
+ Also expose some of the new tweaks in lua:
+ (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
+ (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
+
Improvements
------------
- TLS (DoT, DoH): respect crypto policy overrides in OS (!1526)
5.x branch longterm support
~~~~~~~~~~~~~~~~~~~~~~~~~~~
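Review bot: the new Security entry (`+- reduce buffering of transmitted data, especially TCP-based in userspace`) has no merge-request or issue reference, unlike the `(!1526)` on the TLS item below it, and it does not say what an operator is exposed to before the fix; the wording implies per-connection memory growth from data queued in userspace, so state that plainly (and a CVE or advisory link if one exists) so readers of NEWS can judge urgency. The example `user_timeout = 1000` should also carry its unit (milliseconds, which is why the accompanying doc calls it one second).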
-Knot Resolver 5.7.4 (2024-0m-dd)
+Knot Resolver 5.7.4 (2024-07-23)
================================
+Security
+--------
+- reduce buffering of transmitted data, especially TCP-based in userspace
+ Also expose some of the new tweaks in lua:
+ (require 'ffi').C.the_worker.engine.net.tcp.user_timeout = 1000
+ (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}
+
Improvements
------------
- add the fresh DNSSEC root key "KSK-2024" already, Key ID 38696 (!1556)
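Review bot: the second exposed-tweak line, `+ (require 'ffi').C.the_worker.engine.net.listen_{tcp,udp}_buflens.{snd,rcv}`, uses shell-style brace expansion that is not valid Lua, so an operator who pastes it from NEWS gets a syntax error; either spell out the four fields (`listen_tcp_buflens.snd`, `listen_tcp_buflens.rcv`, `listen_udp_buflens.snd`, `listen_udp_buflens.rcv`) or point at the new "Buffering tweaks" documentation page instead of listing them here. The same applies to the identical text in the 6.0.8 section above.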
--- /dev/null
+.. SPDX-License-Identifier: GPL-3.0-or-later
+
+Buffering tweaks
+----------------
+
+We (can) set various server-side socket options that affect buffering.
+The values are stored in C structures without real Lua bindings,
+so setting them is a bit long.
+
+.. py:data:: (require 'ffi').C.the_worker.engine.net.tcp.user_timeout
+
+ On TCP-based server-side sockets we set ``TCP_USER_TIMEOUT`` option if available (~Linux).
+ We use default 1000, i.e. one second. For details see the definition in ``man tcp.7``.
+
+.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_tcp_buflens.snd
+.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_tcp_buflens.rcv
+.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_udp_buflens.snd
+.. py:data:: (require 'ffi').C.the_worker.engine.net.listen_udp_buflens.rcv
+
+ If overridden to nonzero, these variables instruct the OS to modify kernel-space buffers
+ for server-side sockets. We split the setting for UDP vs. TCP and sending vs. receiving.
+
+ For details see ``SO_SNDBUF`` and ``SO_RCVBUF`` in ``man socket.7``.
+ There is no user-space buffering beyond immediate manipulation, only the OS keeps some.
+
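Review bot: the `listen_*_buflens` description ("If overridden to nonzero, these variables instruct the OS to modify kernel-space buffers") is missing the detail an operator needs to pick a value: the unit (bytes, as `SO_SNDBUF`/`SO_RCVBUF` take), the Linux behaviour described in `man socket.7` that the kernel doubles the value passed to setsockopt and clamps it at `net.core.wmem_max`/`net.core.rmem_max`, so the effective buffer will not match the number assigned, and when the assignment takes effect, i.e. whether it only applies to server-side sockets created after it runs, since the page leaves the timing implicit. Suggest one sentence for each, e.g. "Values are in bytes and are applied when a listening socket is created; see `man socket.7` for how the kernel adjusts and caps them."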
:maxdepth: 2
daemon-bindings-net_dns_tweaks
+
+Buffering tweaks
+================
+
+.. toctree::
+ :maxdepth: 2
+
+ daemon-bindings-net_buffering
+
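Review bot: the added parent section `Buffering tweaks` (with `=` underline) repeats the title of the page it includes, which opens with its own `Buffering tweaks` heading (`-` underline) at the top of `net_buffering.rst`, so the rendered toctree nests "Buffering tweaks" under "Buffering tweaks"; either give the parent a distinct title or drop the subsection heading in the included file, matching however the neighbouring `daemon-bindings-net_dns_tweaks` entry is structured.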
--- /dev/null
+../../daemon/bindings/net_buffering.rst
\ No newline at end of file
.. _mod-workarounds:
-Module `workarounds` resolver behavior on specific broken sub-domains.
+Module `workarounds` tweaks resolver behavior on specific broken sub-domains.
Currently it mainly disables case randomization.
.. code-block:: lua