Example:
  assert(require('ffi').C.kr_view_insert_action(
  		'127.0.0.0/24', 'policy.DENY_MSG("message")'
	) == 0)

Also switch the localhost rule there, finishing migration
of all special names from the policy module.

Picked up old work, rebase-squashed after many months;
then fixed up a little as needed in this newer version.
(and later many minor fixes got squashed in)

Christopher Ng authored 2 years ago and Vladimír Čunát committed 2 years ago

This commit adds support for building on Cygwin/MSYS2.

Signed-off-by: Christopher Ng <facboy@gmail.com>

This reverts commit 0b9524b7.

The hack shouldn't be needed anymore:
https://github.com/Homebrew/homebrew-core/commit/4369052170f4360b7ad545f23b8a01a4ccb37683#diff-59a7902ada251dd9dba99b5bd323c1dba1d102d244ce766c06ce00097fb82e8fL71

This isn't an exact revert, but differences are minor.

- apply to first (uncached) answer already
- don't extend over signature validity

Nit: the tests were using too high TTL (RFCs disallow the "sign bit").
It was working because (manual) cache-insertion was applying bounds,
but now the bounds don't get applied anymore, so it would fail.

In particular, avoids unintentional NXDOMAIN on grafted subtrees.
Consequently the users can drop 'NO_CACHE' flag and get caching.

I broke this in 54ab3f78 or closely around, so this never worked well
since 5.4.1, and maybe structured logging (5.4.0) had related issues.

Cleanup before introduction of new packaging tests.

See: #612

Oto Šťáva authored 2 years ago and Vladimír Čunát committed 2 years ago

Fixes #760.

Also removes a warning in policy.REROUTE that is no longer true.

WARNING: You should add the boolean check kwarg to the run_command call.
         It currently defaults to false,
         but it will default to true in future releases of meson.
         See also: https://github.com/mesonbuild/meson/issues/9300

In almost all cases we already check the return code explicitly
and throw a more descriptive message than what would be the default.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

We've been notified about possibility of "cache poisoning" this way,
so let's document this drawback to make the expectations clearer.

The following actions will now be logged in debug level (or request
tracing): ANSWER, DENY, DENY_MSG, DROP, REFUSE, TC

This can be useful for RPZ and other policy debugging.

Purposefully ommitted actions:
PASS - since it's the same as normal processing
REROUTE - the action itself comes from renumber module
STUB,FORWARD,TLS_FORWARD - this could be more confusing than useful
  (e.g. when response comes from cache)

To allow for easier debugging, each origin of an extended DNS error has
a unique 4-byte identifier that is included in the extra_text message.

The identifiers are random 4-letter base32 strings, generated with:
base32 /dev/random | head -c 4

Tomas Krizek authored 3 years ago and Vladimír Čunát committed 3 years ago

Answers to EDNS requests from certain lua policies that use the
answer_clear() function would lack OPT RR and thus violate the MUST
condition in RFC6891.6.1.1.

Vladimír Čunát authored 3 years ago and Oto Šťáva committed 3 years ago

Overriding records makes more sense on a particular name
than in a whole sub-tree.

Josh Soref authored 3 years ago and Tomas Krizek committed 3 years ago

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Issues affecting functionality of the RPZ should NOT be hidden
by default.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

Partly to document changes from recent changes,
partly to fix long-lasting issues in the descriptions.
Hopefully it will be easier to understand now.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

The logs can be triggered from policy actions, in per-request fashion:
- they're on LOG_DEBUG level but always sent, regardless of log config
- those messages will show double group tags: "[reqdbg][foo   ]"
  (but they lack proper meta-data - about location of the log's origin)
- reqdbg is *in addition* to normal logs, so the lines may be duplicated
  if that's how the logging was configured

Using a single function to get/set values is more consistent with our
existing lua API rather than having two separate set and get functions.

Vladimír Čunát authored 3 years ago and Tomas Krizek committed 3 years ago

It's mainly in tests.