forks are connected with IPC pipes to process
group leader and can execute expressions on its
behalf. so running commands over all workers
is easy now:

> hostname() -- single
localhost

> map 'hostname()' -- all
localhost
localhost
localhost

* the dygraphs are now leveraged for drawing as
  canvas based drawing is much faster than
  svg based rickshaw
* refreshed theme and layouts, code cleanup

the e638f9fb introduced deduplication
for queries over UDP, the idea is to track same queries and answer
only once, however that introduces both constant processing and
memory overhead and could break clients who count packet loss
by queries sent/received. disabling for now.

* the http module collects stats snapshots on one
  central location and then streams it to clients
* history of last 120 datapoints (at least 2min)
  is kept for convenience

* rules may now be chained if the rule action
  doesn't return next state. in this case, next
  matching rule will be executed. this is useful
  for snooping actions
* rules now may be paused/deleted
* implemented a new action for query mirroring to
  given destination

* in the begin() layer, the incoming query is
  exposed as req->qsource.packet, it is invalidated
  after begin() and should not be modified
* the destination address (local interface) is
  also tracked for filtering purposes

the interface has a declarative rule builder that
assists in building and validating rules, as well
as seeing how much traffic do they match

this is going to be the building block for visual
ui as it provides many useful semantic objects and
style classes. since we already provide the
snippet system, it's possible to add subpages to
the ui without hacking everything inside

these are used as a handle to patch/modify rules
later in their lifetime, also added a rule match
counter to find out which rules match inbound
traffic

string encoded integers are treated as possible
numbers, so a more strict typecheck is needed

the format of rules resembles libpcap filters,
but it also requires action that should be taken
when the filter(s) match.

the action can be anything the policy module
supports, and the filters can be both policy
module or view module based (so it's possible to
filter on source address and packet contents at
the same time)

* REROUTE action rewrites all addresses in
  final answers matching given subnet to
  addresses in target subnet (or single address)
* REWRITE action rewrites rdata in final answers
  matching given owner and type (only works on
  A/AAAA now)

the fw can now parse simple rules such as:
'qname = *.example.com AND src = 127.0.0.1/8 deny'

and turn it into filter actions.

this is a building block for custom firewall rules
based on query/answer contents that leverage
existing policy/view modules, but turn those into
easier to write (and eventually persistent) rule
sets

the new function returns a list of upstream
authoritative servers that resolver contacted
recently and the RTT information for them,
this is useful for sampling information about
the quality of outbound connections for speculative
keepalive and other purposes

now including <1ms, <50ms, <250ms, <500ms, <1.5s

during the consume step, the information about
upstream authoritative (address and current rtt)
is exposed in the request structure, just like
information about current query

* http embeds modified lua-http server code that
  reuses single cqueue for all h2 client sockets,
  this is also because the API in upstream is unstable
* http embeds rickshaw for real-time graphs over
  websockets, it displays latency heatmap by default
  and can show several other metrics
* http shows a world map with pinned recently contacted
  authoritatives, where diameter represents number
  of queries sent and colour its average RTT, so
  you can see where the queries are going
* http now exports several endpoints and websockets:
  /stats for statistics in JSON, and /metrics for
  metrics in Prometheus text format

added documentation, many fixes in the H2 fallback
code and H2 stream handling, TLS is enabled by
default using ephemeral key and certificate that
is automatically renewed, but custom certificates
are also supported

this also allows other modules to place code
snippets on the webpage

this allows for efficient variable-interval
running events, so that the timer doesn't have
to be closed and recreated for each iteration

Daemons should be in sbin, make destination variables overridable

According to FHS the 'Non-essential system binaries, e.g., daemons for various network-services.' should be installed in /usr/sbin

Also changed `:=` to `?=` to allow variable override without patching `config.mk`.

See merge request !32

fixed incorrect tagging in rrmap where secure rank would overflow

found by @gdemidov