- Jul 06, 2016
-
-
Marek Vavrusa authored
the format of rules resembles libpcap filters, but it also requires action that should be taken when the filter(s) match. the action can be anything the policy module supports, and the filters can be both policy module or view module based (so it's possible to filter on source address and packet contents at the same time)
-
Marek Vavrusa authored
* REROUTE action rewrites all addresses in final answers matching given subnet to addresses in target subnet (or single address)
* REWRITE action rewrites rdata in final answers matching given owner and type (only works on A/AAAA now)
-
Marek Vavrusa authored
the fw can now parse simple rules such as: 'qname = *.example.com AND src = 127.0.0.1/8 deny' and turn it into filter actions. this is a building block for custom firewall rules based on query/answer contents that leverage existing policy/view modules, but turn those into easier to write (and eventually persistent) rule sets
-
Marek Vavrusa authored
the new function returns a list of upstream authoritative servers that resolver contacted recently and the RTT information for them, this is useful for sampling information about the quality of outbound connections for speculative keepalive and other purposes
-
Marek Vavrusa authored
now including <1ms, <50ms, <250ms, <500ms, <1.5s
-
Marek Vavrusa authored
during the consume step, the information about upstream authoritative (address and current rtt) is exposed in the request structure, just like information about current query
-
Marek Vavrusa authored
-
Marek Vavrusa authored
-
Marek Vavrusa authored
* http embeds modified lua-http server code that reuses single cqueue for all h2 client sockets, this is also because the API in upstream is unstable
* http embeds rickshaw for real-time graphs over websockets, it displays latency heatmap by default and can show several other metrics
* http shows a world map with pinned recently contacted authoritatives, where diameter represents number of queries sent and colour its average RTT, so you can see where the queries are going
* http now exports several endpoints and websockets: /stats for statistics in JSON, and /metrics for metrics in Prometheus text format
-
Marek Vavrusa authored
-
Marek Vavrusa authored
added documentation, many fixes in the H2 fallback code and H2 stream handling, TLS is enabled by default using ephemeral key and certificate that is automatically renewed, but custom certificates are also supported
this also allows other modules to place code snippets on the webpage
-
Marek Vavrusa authored
-
Marek Vavrusa authored
-
Marek Vavrusa authored
this allows for efficient variable-interval running events, so that the timer doesn't have to be closed and recreated for each iteration
-
Marek Vavrusa authored
-
- Jul 05, 2016
-
-
Marek Vavrusa authored
Daemons should be in sbin, make destination variables overridable
According to FHS the 'Non-essential system binaries, e.g., daemons for various network-services.' should be installed in /usr/sbin
Also changed `:=` to `?=` to allow variable override without patching `config.mk`.
See merge request !32
-
- Jul 01, 2016
-
-
Marek Vavrusa authored
fixed incorrect tagging in rrmap where secure rank would overflow
found by @gdemidov
-
- Jun 30, 2016
-
-
Ondřej Surý authored
-
Ondřej Surý authored
-
- Jun 29, 2016
-
-
Marek Vavrusa authored
-
- Jun 22, 2016
-
-
Marek Vavrusa authored
build: clean tests/mock_cmodule.o See merge request !30
-
Jan Včelák authored
-
- Jun 21, 2016
-
-
Marek Vavrusa authored
fixes #77
-
Marek Vavrusa authored
* SOA MINTTL always preferred for negative answers
* only SOA used for negative answers
refs #75
-
- Jun 17, 2016
-
-
Marek Vavrusa authored
this is required to avoid REFUSED loops if the origin doesn't handle minimisation well
-
- Jun 16, 2016
-
-
Marek Vavrusa authored
-
-
Marek Vavrusa authored
-
Marek Vavrusa authored
-
Marek Vavrusa authored
-
Marek Vavrusa authored
previously the buffer for TCP pkt reassembly was not correctly cleared and fragmented answers were rejected
-
Marek Vavrusa authored
previously, if no subnet was given (127.0.0.0), it was treated as 127.0.0.0/0. now it is treated as full address length, e.g. 127.0.0.0/32
-
Marek Vavrusa authored
-
- May 31, 2016
-
-
Marek Vavrusa authored
-
Jan Včelák authored
After=network.target is still needed because we don't have IP_FREEBIND.
-
- May 30, 2016
-
-
Grigorii Demidov authored
Release cleanup Write a comment or drag your files here... See merge request !28
-
Grigorii Demidov authored
-
Grigorii Demidov authored
-
- May 29, 2016
-
-
Marek Vavrusa authored
-
Marek Vavrusa authored
the daemon wrongly freed handle that returned 0, as in "no more data". this socket is going to be closed, but it still could be touched by libuv so it must be freed with uv_close() handler
-