Example:
  assert(require('ffi').C.kr_view_insert_action(
  		'127.0.0.0/24', 'policy.DENY_MSG("message")'
	) == 0)

Picked up old work, rebase-squashed after many months;
then fixed up a little as needed in this newer version.
(and later many minor fixes got squashed in)

I don't expect this matters, but why not fix this
to do what was intended (by the comment).
Discovered by Daniel Salzman <daniel.salzman@nic.cz>

Oto Šťáva authored 2 years ago and Vladimír Čunát committed 2 years ago

Until now, kresd would refuse to start when a log_groups Lua call
contained a non-existent group. After this change, only a warning is
printed, which helps during development while switching between branches
with new logging groups. I don't think changing the configuration all
the time just for a logging group is warranted.

Vladimír Čunát authored 2 years ago and Aleš Mrázek committed 2 years ago

On most fundamental issues like DNS message not parsing,
we did not call this.  Selection needs such information.

(and minor other changes)

- apply to first (uncached) answer already
- don't extend over signature validity

Nit: the tests were using too high TTL (RFCs disallow the "sign bit").
It was working because (manual) cache-insertion was applying bounds,
but now the bounds don't get applied anymore, so it would fail.

Allowing too much seems to have more risk than benefit.  For example,
the 2-day TTL on DS records in .com zone (e.g. Slack issue months ago).

When a whole packet is cached (instead of individual RRs),
let's simplify the way the packet's TTL gets computed.

The previous mechanism came from commit 5b383a2b,
probably a misunderstanding of:
https://datatracker.ietf.org/doc/html/rfc2308#section-5
Anyway, I see no motivation to do it, and this way we should
get rid of some weird cases where we might extend TTL of some records,
except if they were below the cache.min_ttl() setting (5s default).

The separate function wasn't really doing anything.
Also add a debug log.

And by default do so iff jemalloc is found.

I chose the simplicity of adding the chosen allocator just
in the single binary.  Other sbin/* don't matter really,
and dynamic libs (e.g. modules) will just follow whoever loaded them.

As the web is now, combination without www doesn't redirect https
(only http).  So let's switch to the final URL; apex is problematic.

We're the same as knotd in this; it evolved a bit
with libknot and kernel versions.  Taken from:
https://www.knot-dns.cz/docs/3.2/singlehtml/#mode-xdp-pre-requisites

Reproducible by listening on an interface by name, ASAN reports a
heap-buffer-overflow. This was a regression caused by !1286, which did
not account for null-terminators properly.

Cleanup before introduction of new packaging tests.

See: #612

This fixes config_tests on aarch64 macOS.
The key difference is that they use 16k pages,
so LMDB space usage also behaves a bit different.

Enums are more like ints anyway (in standard),
even when drawn from a small subset.

So far the message wasn't pointing to freebind at all:
[net   ] bind to '::1@53' (UDP): Operation not supported

I used preprocessor to avoid duplication and unused warnings.

Another way would be to ignore the freebind option if not supported,
but I think it's better to convince users not to specify it.

This caused a huge increase in real memory usage in case of queries
arriving to kresd while being disconnected from internet.
The usage was slowly creeping up, even over 2G.

Interesting past commits: b350d38d and two preceding.

There apparently was no real memory leak.  I assume that reusal of
long-living mempools is risky in terms of memory fragmentation,
though the extent of the issue surprised me very much.
The issue seemed the same with normal glibc and jemalloc.

I generally dislike ad-hoc optimization attempts like these freelists.
Now the allocator can better decide *itself* how to reuse memory.

- introduction subsection created

Our strategy was (and remains) that the in-header QNAME is overwritten
in-place, so most of our code was already (correctly) assuming that
knot_pkt_qname() returns lower-case only.  That simplifies this commit.

Héctor Molinero Fernández authored 2 years ago and Vladimír Čunát committed 2 years ago

Fixes a regression on Meson 0.57.0 that produces a timeout in config.ta_bootstrap test.

Oto Šťáva authored 2 years ago and Vladimír Čunát committed 2 years ago

The double-free may have happened in some cases when the upstream
resolver was stopped while answering a forwarded query. I was reliably
reproducing it by running resperf on two kresd instances with one forwarded
to the other, and killing the upstream one.

The `check_uri()` function now only checks that the endpoint is either
`/doh` or `/dns-query`. Parameter checks were moved into
`process_uri_path()` so that the check only takes place for GET
requests. POST requests now do not care about parameters at all.

https://clangd.llvm.org/design/include-cleaner
Though somehow I'm all the time getting false positives for
"daemon/bindings/impl.h"

It provides more information and the condition is typically
easier to read, too.

WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in future releases of meson.
         See also: https://github.com/mesonbuild/meson/issues/9300

In almost all cases we already check the return code explicitly
and throw a more descriptive message than what would be the default.

Oto Šťáva authored 2 years ago and Vladimír Čunát committed 2 years ago

The nghttp2 documentation states that we must not send data from inside
of its callbacks. It may result in crashes.