Marek Vavrusa [Wed, 20 Jul 2016 04:36:20 +0000 (21:36 -0700)]
daemon: lower minimum allowed edns bufsize to 512
there are cases where switches or middle-boxes
block DNS/UDP answers >512 octets completely;
this gives the user an option to mitigate that.
however, there are authoritatives serving
large answers that don't support TCP, so it's
a compromise as always
Marek Vavrusa [Mon, 18 Jul 2016 04:02:02 +0000 (21:02 -0700)]
daemon: always refetch CNAME target in 'strict' mode
in normal mode, only final CNAME target is refetched, but
not intermediate CNAMEs. intermediate CNAMEs are *never* cached,
but they are used to get final name for requery. in strict mode now,
every CNAME target is explicitly fetched even if it's a chained CNAME.
Marek Vavrusa [Wed, 6 Jul 2016 17:43:32 +0000 (10:43 -0700)]
daemon/network: allow listening on part of interfaces
when whole interface is passed and some of the addresses are not bindable,
the daemon will print them, but will continue to bind to the rest of the
addresses
Marek Vavrusa [Tue, 5 Jul 2016 07:35:15 +0000 (00:35 -0700)]
modules: http, graphite, policy, daf support map()
all relevant modules now support running in
forked mode and polling workers for information.
for example graphite module can poll stats from
all workers and then aggregate before sending,
or HTTP module can run on the process group leader
only and then poll workers for information.
Marek Vavrusa [Tue, 5 Jul 2016 07:32:42 +0000 (00:32 -0700)]
daemon: workers are interconnected with IPC pipes
forks are connected with IPC pipes to process
group leader and can execute expressions on its
behalf. so running commands over all workers
is easy now:
> hostname() -- single
localhost
> map 'hostname()' -- all
localhost
localhost
localhost
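As an added example (not code from the Knot Resolver tree or its author) of what the IPC pipes above make possible, the snippet below aggregates one counter over every forked worker from the process group leader, the way the graphite module is described as polling workers before sending. It assumes that `map(expr)` returns a Lua table with one result per worker (the console above prints one `localhost` per worker, which is consistent with that) and that `stats.get(key)` returns a number; both are treated as assumptions here rather than documented facts.

```lua
-- Added example, not from the Knot Resolver source.
-- Assumption: map(expr) returns a table with one entry per worker,
-- and stats.get(key) returns a numeric counter on each worker.

-- Sum a stats counter across all workers and report the spread,
-- so a worker that has stopped answering stands out.
local function aggregate_counter(key)
    local per_worker = map(string.format('stats.get(%q)', key))
    local total, workers, lo, hi = 0, 0, math.huge, -math.huge
    for _, v in pairs(per_worker) do
        local n = tonumber(v) or 0
        total = total + n
        workers = workers + 1
        if n < lo then lo = n end
        if n > hi then hi = n end
    end
    return { total = total, workers = workers, min = lo, max = hi }
end

-- Poll once; a periodic event.recurrent() could wrap this for export.
local agg = aggregate_counter('answer.total')
print(string.format('answer.total: %d over %d workers (min %d, max %d)',
                    agg.total, agg.workers, agg.min, agg.max))
if agg.workers > 1 and agg.min == 0 and agg.max > 0 then
    print('warning: at least one worker has answered nothing')
end
```

Run this on the leader only (the process that owns the pipes); issuing it on a worker would only see that worker's own counters.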
Marek Vavrusa [Fri, 24 Jun 2016 23:23:30 +0000 (16:23 -0700)]
modules/http: reworked metrics interface
* the dygraphs are now leveraged for drawing as
canvas based drawing is much faster than
svg based rickshaw
* refreshed theme and layouts, code cleanup
Marek Vavrusa [Thu, 23 Jun 2016 06:12:38 +0000 (23:12 -0700)]
daemon/worker: reverted inbound deduping
commit e638f9fb6e5aa20e090ebfa52255abc36a619bfd introduced deduplication
for queries over UDP; the idea is to track same queries and answer
only once, however that introduces both constant processing and
memory overhead and could break clients who count packet loss
by queries sent/received. disabling for now.
Marek Vavrusa [Thu, 23 Jun 2016 05:48:31 +0000 (22:48 -0700)]
modules/http: keep history of last 120 datapoints
* the http module collects stats snapshots on one
central location and then streams it to clients
* history of last 120 datapoints (at least 2min)
is kept for convenience
* rules may now be chained if the rule action
doesn't return next state. in this case, next
matching rule will be executed. this is useful
for snooping actions
* rules now may be paused/deleted
* implemented a new action for query mirroring to
given destination
Marek Vavrusa [Thu, 16 Jun 2016 17:39:07 +0000 (10:39 -0700)]
daemon/worker: track query in BEGIN and dst addr
* in the begin() layer, the incoming query is
exposed as req->qsource.packet, it is invalidated
after begin() and should not be modified
* the destination address (local interface) is
also tracked for filtering purposes
Marek Vavrusa [Mon, 13 Jun 2016 17:18:28 +0000 (10:18 -0700)]
modules/http: new bootstrap3 based web interface
this is going to be the building block for visual
ui as it provides many useful semantic objects and
style classes. since we already provide the
snippet system, it's possible to add subpages to
the ui without hacking everything inside
Marek Vavrusa [Mon, 13 Jun 2016 16:56:13 +0000 (09:56 -0700)]
modules/policy: unique ids for rules, match counter
these are used as a handle to patch/modify rules
later in their lifetime, also added a rule match
counter to find out which rules match inbound
traffic
Marek Vavrusa [Thu, 9 Jun 2016 07:42:59 +0000 (00:42 -0700)]
modules/daf: support for first firewall rules
the format of rules resembles libpcap filters,
but it also requires action that should be taken
when the filter(s) match.
the action can be anything the policy module
supports, and the filters can be both policy
module or view module based (so it's possible to
filter on source address and packet contents at
the same time)
Marek Vavrusa [Thu, 9 Jun 2016 07:38:26 +0000 (00:38 -0700)]
modules/policy: now can reroute/rewrite responses
* REROUTE action rewrites all addresses in
final answers matching given subnet to
addresses in target subnet (or single address)
* REWRITE action rewrites rdata in final answers
matching given owner and type (only works on
A/AAAA now)
Marek Vavrusa [Wed, 8 Jun 2016 07:26:13 +0000 (00:26 -0700)]
modules/daf: trivial rule compiler implemented
the fw can now parse simple rules such as:
'qname = *.example.com AND src = 127.0.0.1/8 deny'
and turn it into filter actions.
this is a building block for custom firewall rules
based on query/answer contents that leverage
existing policy/view modules, but turn those into
easier to write (and eventually persistent) rule
sets
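The two commits above (REROUTE/REWRITE actions and the daf rule compiler) are illustrated together in the following added example, which is not code from the Knot Resolver tree. It takes the one rule string the commit shows as the documented syntax and otherwise assumes: that `daf.add()` accepts such a string and returns the rule's unique id, that `daf.rules` lists compiled rules with `id` and `count` fields (the match counter), that `daf.toggle(id)` and `daf.del(id)` pause and delete a rule, and that `policy.REROUTE` takes a table mapping a matched subnet to a target subnet or address while `policy.MIRROR` takes a destination address. The addresses and names are made up.

```lua
-- Added example, not from the Knot Resolver source. API shapes marked
-- "assumed" come from the commit messages, not from verified documentation.

-- 1. A firewall rule in the syntax the daf commit shows: deny queries
--    for an internal suffix unless they come from loopback.
--    Assumed: daf.add() returns the rule id.
local deny_id = daf.add 'qname = *.corp.example.com AND src = 127.0.0.0/8 deny'

-- 2. REROUTE: answers for example.com whose addresses fall in 192.0.2.0/24
--    are rewritten into 10.0.0.0/24 (same host offset). Assumed argument shape.
policy.add(policy.suffix(
    policy.REROUTE({ ['192.0.2.0/24'] = '10.0.0.0' }),
    { todname('example.com') }))

-- 3. MIRROR: copy queries under a suspicious suffix to a capture box.
policy.add(policy.suffix(policy.MIRROR('192.0.2.200'),
                         { todname('suspicious.example') }))

-- 4. Use the per-rule match counter to find rules that never fire,
--    then pause them instead of deleting, so they can be re-enabled.
--    Assumed: daf.rules is a list of {id=..., count=...}.
local function idle_rules()
    local idle = {}
    for _, rule in ipairs(daf.rules) do
        if (rule.count or 0) == 0 then
            idle[#idle + 1] = rule.id
        end
    end
    return idle
end

for _, id in ipairs(idle_rules()) do
    print('pausing rule with no matches:', id)
    daf.toggle(id)      -- assumed: toggles paused/active
end

-- Delete the deny rule outright once it is no longer needed.
daf.del(deny_id)        -- assumed: delete by id
```

Check `daf.rules` after adding each rule; if `count` never increments for a rule you expect to match, the filter is usually matching on the wrong field (source address vs. query name), which is exactly what the counter was added to expose.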
Marek Vavrusa [Wed, 8 Jun 2016 07:23:18 +0000 (00:23 -0700)]
modules/stats: stats.upstreams()
the new function returns a list of upstream
authoritative servers that resolver contacted
recently and the RTT information for them,
this is useful for sampling information about
the quality of outbound connections for speculative
keepalive and other purposes
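An added example (not code from the Knot Resolver tree) of the "sampling" use the commit describes: it summarises `stats.upstreams()` into per-server mean and maximum RTT and separates fast servers, which are candidates for keepalive, from slow ones. It assumes the function returns a table keyed by upstream address whose values are lists of RTT samples in milliseconds; the 100 ms threshold is arbitrary.

```lua
-- Added example, not from the Knot Resolver source.
-- Assumption: stats.upstreams() returns { ['192.0.2.1'] = {rtt1, rtt2, ...}, ... }
-- with RTT values in milliseconds.

local function summarise_upstreams(threshold_ms)
    local fast, slow = {}, {}
    for addr, samples in pairs(stats.upstreams()) do
        local sum, max, n = 0, 0, 0
        for _, rtt in ipairs(samples) do
            rtt = tonumber(rtt) or 0
            sum, n = sum + rtt, n + 1
            if rtt > max then max = rtt end
        end
        if n > 0 then
            local entry = { addr = addr, mean = sum / n, max = max, samples = n }
            if entry.mean <= threshold_ms then
                fast[#fast + 1] = entry
            else
                slow[#slow + 1] = entry
            end
        end
    end
    table.sort(fast, function(a, b) return a.mean < b.mean end)
    table.sort(slow, function(a, b) return a.mean > b.mean end)
    return fast, slow
end

local fast, slow = summarise_upstreams(100)
for _, e in ipairs(fast) do
    print(string.format('keepalive candidate %s mean %.1f ms max %d (%d samples)',
                        e.addr, e.mean, e.max, e.samples))
end
for _, e in ipairs(slow) do
    print(string.format('slow upstream %s mean %.1f ms max %d (%d samples)',
                        e.addr, e.mean, e.max, e.samples))
end
```

Because the table only covers servers contacted recently, run the summary from a recurring event rather than once, or the sample will be biased toward whatever zones were queried last.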
Marek Vavrusa [Wed, 8 Jun 2016 07:08:13 +0000 (00:08 -0700)]
lib/resolve: store auth addr/rtt in consume() layer
during the consume step, the information about
upstream authoritative (address and current rtt)
is exposed in the request structure, just like
information about current query
* http embeds modified lua-http server code that
reuses single cqueue for all h2 client sockets,
this is also because the API in upstream is unstable
* http embeds rickshaw for real-time graphs over
websockets, it displays latency heatmap by default
and can show several other metrics
* http shows a world map with pinned recently contacted
authoritatives, where diameter represents number
of queries sent and colour its average RTT, so
you can see where the queries are going
* http now exports several endpoints and websockets:
/stats for statistics in JSON, and /metrics for
metrics in Prometheus text format
Marek Vavrusa [Wed, 1 Jun 2016 07:08:00 +0000 (00:08 -0700)]
modules/http: doc, auto-tls, cert renewal, ...
added documentation, many fixes in the H2 fallback
code and H2 stream handling, TLS is enabled by
default using ephemeral key and certificate that
is automatically renewed, but custom certificates
are also supported
this also allows other modules to place code
snippets on the webpage
Marek Vavrusa [Sun, 29 May 2016 20:27:19 +0000 (13:27 -0700)]
daemon/io: freed handle could be touched in libuv
the daemon wrongly freed a handle that returned 0,
as in "no more data". this socket is going to be
closed, but it still could be touched by libuv,
so it must be freed with a uv_close() handler
Marek Vavrusa [Mon, 23 May 2016 00:56:50 +0000 (17:56 -0700)]
daemon: support event.socket(fd, cb) for I/O events
this allows embedding other event loops or just
asynchronous events triggered by socket activity.
this is required for things like cooperative
HTTP server, monitoring endpoint or remote
configuration daemon/controller
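The following added example (not code from the Knot Resolver tree) sketches the "remote configuration daemon/controller" use case on top of `event.socket(fd, cb)`: a small line-oriented control socket whose commands are a fixed allowlist, so the socket never evaluates raw strings the way the interactive console does. Assumptions made here: `event.socket()` invokes the callback with (event id, fd) whenever the fd is readable; the `cqueues.socket` module (already needed by the http module) is loadable and its `listen{}`, `accept(timeout)`, `settimeout()`, `read('*l')`, `write()` and `close()` behave as used; port 8054 on loopback is free.

```lua
-- Added example, not from the Knot Resolver source.
-- Assumptions: event.socket(fd, cb) fires cb(ev, fd) on readability;
-- cqueues.socket API as used below; port 8054 is free.
local cqsocket = require('cqueues.socket')

local listener = cqsocket.listen{ host = '127.0.0.1', port = 8054 }

-- Allowlisted, side-effect-free commands. Anything else is rejected;
-- no string from the wire is ever passed to load() or the console.
local commands = {
    hostname = function() return hostname() end,
    stats = function()
        local lines = {}
        for k, v in pairs(stats.list()) do
            lines[#lines + 1] = k .. ' ' .. tostring(v)
        end
        table.sort(lines)
        return table.concat(lines, '\n')
    end,
}

local function serve_client(client)
    local line = client:read('*l')
    local name = line and line:match('^%s*(%a+)')
    local handler = name and commands[name]
    if handler then
        client:write(handler() .. '\n')
    else
        client:write('error: unknown command\n')
    end
    client:close()
end

-- Accept everything pending without blocking the daemon's event loop;
-- the loop calls this again when the listening fd becomes readable.
event.socket(listener:pollfd(), function(ev, fd)
    while true do
        local client = listener:accept(0)   -- assumed: nil when nothing is pending
        if not client then break end
        client:settimeout(1)                -- a stalled client must not hold the loop
        serve_client(client)
    end
end)
```

Binding to loopback only is deliberate: anything that can reach this socket can read the resolver's counters, and if commands with side effects are ever added, the same socket becomes a configuration interface and needs authentication, not just an allowlist.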
Marek Vavrusa [Sun, 22 May 2016 03:58:11 +0000 (20:58 -0700)]
worker: fixed corruption when follower times out, early free
* when enqueued task terminated earlier than leader
task because of timeout, it wasn't dequeued from
the waitlist immediately, but it didn't have any
outstanding outbound queries. when leader task
terminated, it removed this task and updated its
outbound query, which didn't exist. this triggered
a 16B write in undefined location
* fixed timeout timer being scheduled for closing
without holding reference to parent task