- Apr 14, 2020
-
-
- Apr 02, 2020
-
-
Vladimír Čunát authored
Some rules need it and it was nil until now.
-
Vladimír Čunát authored
DENY, DENY_MSG, DROP, REFUSE and TC will now clear the _selected RRs. I believe that's what people usually expect of these actions anyway.
-
- Mar 25, 2020
-
-
Petr Špaček authored
This new approach uses per-request variables in Lua and creates a new callback for each DEBUG_IF call instead of each request.
-
Petr Špaček authored
It creates new callback functions for every request which uses "callback chaining", but these should be rare.
-
Petr Špaček authored
It seems there is no reason to keep this function private in the policy module.
-
Petr Špaček authored
-
Petr Špaček authored
DEBUG_IF accepts a user-supplied function which decides which requests should be logged.
-
Petr Špaček authored
An attempt to avoid duplicating ten lines in debug_logfinish_cb led me to splitting kr_log_qverbose_impl into two functions, kr_log_q and kr_log_req. This is another minor change to the API exposed to modules.
-
Petr Špaček authored
Formerly both logs used slightly different formats and duplicated code. From now on verbose log and request tracing are generated using the same code. This required a small change to request trace_log_f definition so it might affect external modules.
-
- Mar 09, 2020
-
-
Tomas Krizek authored
-
- Feb 25, 2020
-
-
These files did not have GNU GPL v3 boilerplate in them so I've added a machine-readable tag with the appropriate license.
-
- Jan 23, 2020
-
-
Vladimír Čunát authored
In finish() phase DONE is (almost?) always set, so it didn't make sense. The mistake came from c16728f5 !678.
-
- Dec 20, 2019
-
-
- Dec 02, 2019
-
-
Running the full special-domain checks is relatively expensive.
-
- Nov 28, 2019
-
-
Vladimír Čunát authored
I've never seen anyone use postrules.
-
- Sep 20, 2019
-
-
  - home.arpa.: 4. from https://tools.ietf.org/html/rfc8375#section-4
  - local.: 4. from https://tools.ietf.org/html/rfc6762#section-22.1
Well, it's just an approximation... if the user specifies a forwarding policy, any special names will also get forwarded, even though the RFC says not to. And this code will also reply NXDOMAIN to home.arpa. DS.
Some of these DENY rules are perhaps unnecessary, but for now we keep the same approach. For arguments see the MR 855 thread and linked ML.
-
- Aug 05, 2019
-
-
Tomas Krizek authored
-
- Jun 13, 2019
-
-
Vladimír Čunát authored
Thanks to changes in this branch the functions are called with correctly typed parameters already, so these weird casts can be deleted.
-
- Apr 11, 2019
-
-
"Unfortunately", for FFI-bound C functions there it doesn't hold that missing parameters would be converted to nil/NULL. Still, this function seems unlikely to have been used outside the repo.
-
- Mar 12, 2019
-
-
Tomas Krizek authored
-
Tomas Krizek authored
-
- Mar 05, 2019
-
-
Vladimír Čunát authored
-
- Feb 25, 2019
-
-
Vladimír Čunát authored
and deduplicate the parsing logic.
-
Petr Špaček authored
-
- Feb 22, 2019
-
-
It's mainly about the way we parse and validate them. Almost all of the parts of validation that were being done in modules/policy/policy.lua and daemon/tls.c got moved to daemon/bindings/net.c, so it's easier to follow that. Also more checks are being done now, e.g. contents of .pin_sha256 and .hostname strings.
-
In https world it's standard to do that, and it's relied on. Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate if we don't send SNI (no idea why; also they do send it with TLSv1.2). As a consequence, we no longer allow multiple hostnames per address-port tuple, but that didn't seem useful.
-
- Feb 06, 2019
-
-
Vladimír Čunát authored
  - logging
  - watch by default
  - in Fedora we need to depend on the version for lua 5.1
-
vcunat squashed this, rebased, etc.
-
- Dec 13, 2018
-
-
Not all actions are destructive, but it seems generally expected that if an earlier module or other code already transitioned the request into a FAIL or DONE state, we don't want to apply rules anymore. In particular, later rule actions would "overwrite" what previous actions did.
-
- Dec 04, 2018
-
-
Petr Špaček authored
-
- Dec 03, 2018
-
-
Vladimír Čunát authored
Continuation of the parent commit. In particular, kr_nsrep_set() can't be used to create NS list "with holes".
-
-
- Aug 14, 2018
-
-
Vladimír Čunát authored
-
- Jun 07, 2018
-
-
Grigorii Demidov authored
-
- Jun 06, 2018
-
-
daemon/tls: system CA's are used by default with TLS_FORWARD policy when ca_file parameter is omitted
-
- Jun 01, 2018
-
-
Fixes: #337
-
- Feb 15, 2018