Example:
  assert(require('ffi').C.kr_view_insert_action(
  		'127.0.0.0/24', 'policy.DENY_MSG("message")'
	) == 0)

Picked up old work, rebase-squashed after many months;
then fixed up a little as needed in this newer version.
(and later many minor fixes got squashed in)

Oto Šťáva authored 2 years ago and Vladimír Čunát committed 2 years ago

Until now, kresd would refuse to start when a log_groups Lua call
contained a non-existent group. After this change, only a warning is
printed, which helps during development while switching between branches
with new logging groups. I don't think changing the configuration all
the time just for a logging group is warranted.

When a whole packet is cached (instead of individual RRs),
let's simplify the way the packet's TTL gets computed.

The previous mechanism came from commit 5b383a2b,
probably a misunderstanding of:
https://datatracker.ietf.org/doc/html/rfc2308#section-5
Anyway, I see no motivation to do it, and this way we should
get rid of some weird cases where we might extend TTL of some records,
except if they were below the cache.min_ttl() setting (5s default).

Our strategy was (and remains) that the in-header QNAME is overwritten
in-place, so most of our code was already (correctly) assuming that
knot_pkt_qname() returns lower-case only.  That simplifies this commit.

Héctor Molinero Fernández authored 2 years ago and Vladimír Čunát committed 2 years ago

Fixes a regression on Meson 0.57.0 that produces a timeout in config.ta_bootstrap test.

WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in future releases of meson.
         See also: https://github.com/mesonbuild/meson/issues/9300

In almost all cases we already check the return code explicitly
and throw a more descriptive message than what would be the default.

I was diffing logs from different runs and got annoyed by the shuffles.

Oto Šťáva authored 3 years ago and Vladimír Čunát committed 3 years ago

Also change the return type of kr_pkt_has_dnssec() and lua's :dobit()

We can always easily add groups when needed.

The approach of the code was rather hacky, simulating some packets
arriving from upstream and making the module stack CONSUME that.
Instead we take a direct approach now: use the simplified validator API
and then insert into cache directly.

One effect is improved performance, and consequently roughly halving
the lag which happens when prefill module invokes this.
(With root zone the lag goes down to 0.1 s from over 0.2 s,
 on my relatively fast CPU.  Fortunately it's just once a day.)

The following actions will now be logged in debug level (or request
tracing): ANSWER, DENY, DENY_MSG, DROP, REFUSE, TC

This can be useful for RPZ and other policy debugging.

Purposefully ommitted actions:
PASS - since it's the same as normal processing
REROUTE - the action itself comes from renumber module
STUB,FORWARD,TLS_FORWARD - this could be more confusing than useful
  (e.g. when response comes from cache)

Add a utility function for simpler lua API when setting extended errors.

Version 2.9 isn't supported anymore anyway, but 3.0.2 is needed for
extended error constants.

Credit for code goes to Vladimír Čunát

Tomas Krizek authored 3 years ago and Vladimír Čunát committed 3 years ago

Answers to EDNS requests from certain lua policies that use the
answer_clear() function would lack OPT RR and thus violate the MUST
condition in RFC6891.6.1.1.

Josh Soref authored 3 years ago and Tomas Krizek committed 3 years ago

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

sandbox.lua:72: attempt to call global 'log_notice' (a nil value)
Broken by commit 39dd89db (MR !1208)

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

NSEC* params were not being stashed by this function.  For prefilling
it's useful, but doing it on *every* NSEC* record would be quite a waste,
so we introduce a parameter to select this.

Implementation: there were good reasons not to implement this until
needed - it wasn't straightforward at all.

Tomas Krizek authored 3 years ago and Vladimír Čunát committed 3 years ago

By default, notice level is set. Thus, if users want to use log() in the
same way as pre-5.4, they'd have to increase the log level. This bumps
the log level of log() function to keep the same behavior.

It's not a perfect solution and with the future policy engine it will
hopefully be better, but it's really trivial to add this already.
(should've done that years ago)

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

It's special: always on and not shown in log_groups() output.

It's been quite a long fight to find how to best deal with such
a special case (from user perspective; code itself is easy).

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

The result gets logged as a single multi-line message,
so let's not repeat any prefix on (some of) those in-the-middle lines.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Systemd docs say:
> Those arguments must contain valid journal entries including
> the variable name, e.g. "CODE_FILE=src/foo.c", [...]

I tried that passing all three strings empty (without variable name)
wouldn't result into the line getting logged; the suggested style does.