Revisions of pihole-ftl

Samu Voutilainen (Smar) committed (revision 20)
- Removed unnecessary patches:
  + ftl-2.8.1-build-fix.patch
  + ignore-shmem.c-strncpy-error.patch
Samu Voutilainen (Smar) committed (revision 19)
--------------------------------------------------------------------
- Update to version v5.10.1
  + Fix specific NOERR/NXDOMAIN confusion.
  + Reduce code duplication by merging FTL_cache() into FTL_reply()
  + Also process automatically generated queries, e.g. for DNSSEC validation
  + Add option to suppress automatically generated DNSSEC queries from being analyzed and shown (legacy behavior)
  + Fix bug in 6860cf932baeaf1c2f09c2a58e38be189ae394de
  + Fix bug introduced in 6860cf932baeaf1c2f09c2a58e38be189ae394de
  + Don't print flags multiple times in debug mode.
  + Log client requesting automatically generated DS/DNSKEY queries explicitly as "pi.hole"
  + Further work from a0a3b8ad3e91db5181023fceea6732eb6c6f0759
  + Connection track mark based DNS query filtering.
  + Use correct packet-size limit in make_local_answer()
  + Include EDNS0 in connmark REFUSED replies.
  + Rename reply type 11 DNSKEY -> DNSSEC
  + Add src/dnsmasq/pattern.c to src/dnsmasq/CMakeList.txt
  + Update SQLite engine to 3.36.0
  + Also cancel other threads when terminating
  + Ensure API threads can be canceled asynchronously
  + Add limit of maximum threads to warning
  + Add explicit limit logging also in the second place.
  + If DELAY_STARTUP is set, we can delay earlier to have this option being useful for misbehaving fake hwclocks as well.
  + Correct domain search algorithm.
  + Analyze which upstream server sent us the reply
  + Store real over-time counts of forwarded queries. So far, we counted only the first server a query was sent to.
  + Change upstream associated with a query if it is different than the first server we sent a query to
  + Log resolution of pi.hole and hostname as "internal" instead of the last blocking reason (e.g. "gravity blocked").
  + Tests: Debug messages do now include the port a client sent the query from
  + Add more debugging output to short-circuited replies
  + Fix automatic IP hostname responding for blocking modes NXDOMAIN, NODATA and NODATA-IPv6
Samu Voutilainen (Smar) committed (revision 18)
- Miscellaneous fixes to spec.
Samu Voutilainen (Smar) committed (revision 17)
- Added patch ftl-2.8.1-build-fix.patch.
  Fixes Tumbleweed build.
Samu Voutilainen (Smar) committed (revision 16)
- systemd service needs to clean up SHM files manually in order to
  avoid a failure in FTL restart.
Samu Voutilainen (Smar) committed (revision 15)
--------------------------------------------------------------------
- Update to version v5.8.1
  + Retried queries due to missing DNSSEC validation have no upstream server (the related DNSSEC queries were retried, not this one). Hence, we shouldn't update the counts of any upstream here. This silences an incorrect "FATAL: Trying to access upstream ID -1" warning in the logs.
  + Do not terminate threads which may not be running. They'll be cleaned up at process termination anyway.
  + Ensure we always clean up behind us, also when FTL crashes
  + Also clean up when crashing
  + Improve process-already-running detection
  + Tests: Update tests for new expected output on two concurrent instances
  + Terminate threads before closing database connections and finishing shared memory
  + Clean up after dnsmasq errors (port not available config errors, etc.)
  + Do not detach threads we want to be able to cancel and add logfile log to shared memory locks. Other forks may want to log as well.
  + Change to refreshed logo.
  + Give the images some space.
  + Center vortex.
  + Remove incorrect information.
  + Use dropshadowed logo
  + Escape DHCP options if necessary
  + Print raw bytes for unknown DHCP options
  + Implement DHCPv4 PCP Option (RFC 7291)
  + Resize shared memory only when locking. This ensures all shm pointers are invariant inside locks.
  + Preallocate one pagesize (usually 4K) for per-client-regex data.
  + Reduce code-duplication by using an array of shared memory pointers we can iterate on when chown-ing or deleting.
  + Fix incorrect printf format identifier
  + Fix problem with DNS retries in 2.83/2.84.
  + Simplify preceding fix.
  + The preceding commit changes the handling of retried queries. The logic is now changed so that distinct requests for repeated queries still get merged into a single ID/source port, but they now always trigger a re-try upstream. This effectively removes our IN-PROGRESS status so we remove the code handling this as well.
  + dhcp-host selection fix for v4/v6.
  + Correct occasional --bind-dynamic synchronization break
  + Always use <poll.h>
  + Move flags to recvmsg function in netlink
Samu Voutilainen (Smar) committed (revision 14)
trigger service run
Samu Voutilainen (Smar) committed (revision 13)
trigger service run
Samu Voutilainen (Smar) committed (revision 12)
--------------------------------------------------------------------
- Update to version v5.7
  + Fix incorrect "FATAL" error message during garbage collection
  + Fix incorrect "FATAL" error message during garbage collection
  + Move fd into frec_src, fixes 15b60ddf935a531269bb8c68198de012a4967156
  + Fix to 75e2f0aec33e58ef5b8d4d107d821c215a52827c
  + Optimise sort_rrset for the case where the RR type no canonicalisation.
  + Fix for 12af2b171de0d678d98583e2190789e544440e02
  + Don't display unrelated CNAME queries when filtering for specific domain
  + dnsmasq-v2.83 forwards multiple queries to the same destination only once and stores the other queries as duplicates. They do receive the answer later on, however, this is usually not logged (when log-queries=extra is enabled, there will be a warning about the duplicate). This commit handles such duplicates and introduces a new reply type 14 = "already forwarded"
  + When seeing duplicated queries, the original query may have been blocked during CNAME inspection. In this case, we need to change the status from "OK (already forwarded)" to the corresponding blocked status. The "already forwarded" information is lost but that seems okay.
  + Check source query for its status when checking if we need to update the duplicated ones
  + Tidy initialisation in hash_questions.c
  + Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
  + Bump copyright notices for 2021. Happy New Year!
  + Fix possible free-memory ref in e75069f79aa6b8a61034a9a4db9b6265b8be8ae4
  + Fixes incorrect "Found unknown status 14 in long term database" warning in the logs. We change the code to use an enum-based struct so we cannot forget to update this in the future when adding further query status types.
  + Add per-client rate-limiting. The default limit is 1000 queries in 60 seconds.
  + Add output of how much memory in /dev/shm is used by FTL itself
  + Try to create shared memory objects before reading the settings
  + Do not try to delete existing shmem objects on start - that may cause running FTL instances to crash when it tries to access them. Instead, new instances should properly fail to start.
  + Tests: Running a second instance is detected and prevented, FTL continues to work as expected afterwards
  + Do not explicitly request a lease time in our DHCPREQUEST as this may lead to incorrect responses. Also, when sending a request to lo, we should send it to the interface address instead of the broadcast (lo doesn't support broadcast destinations).
  + Fix queries sent upstream being counted incorrectly when modified later on (blocked externally, blocked during CNAME inspection). This also applies to queries loaded from the database.
  + Increment forward counters when importing QUERY_RETRIED or QUERY_RETRIED_DNSSEC from the database
  + Retain EDNS0 bits from incoming queries when blocking requests
Samu Voutilainen (Smar) committed (revision 11)
--------------------------------------------------------------------
- Update to version v5.5
  + Detect and handle interface changes of clients with the same IP
  + Update SQLite3 to 3.34.0 and expose sqlite3 shell as 'pihole-FTL sqlite3' (drop-in replacement is available as well)
  + mend
  + Added missing NS query type to getQueryTypes()
  + Log date/time of FTL in header just as SQLite3 does as well
  + Test for embedded SQLite3 shell available and functional
  + Modified test for NS type
  + Fix for errno not being set by posix_fallocate() in contrast to fallocate() which did set it.
  + Add new query types SVCB and HTTPS
  + Tests: Add SVCB and HTTPS as expected query types
  + Implement support for displaying exact type instead of the catch-them-all category OTHER. The OTHER category is still used when it comes to computing statistics to ensure your chart's legend does not explode.
  + We cannot really decide whether local configuration lines are meant for blocking or something else. Just record such queries as replied to from cache because this is what they are. This code made sense at the time where wildcards were implemented as dnsmasq config lines, however, we've advanced to our own regex engine since then and all config lines should have also been auto-migrated.
  + Clarify comment
  + Only return regex index when allowed by privacy settings. This may leak information, otherwise.
  + Check for validity of iface pointer before dereferencing it.
  + Don't show retried queries when filtering for blocked queries.
  + Optimize datastructures using bitfields and item re-arrangement (to minimize padding). This reduces the size of query, client, and regex records by 8 bytes per item. Note that this optimization was done on x86_64 and may not apply for other architectures (32bit architectures already used less padding).
  + Statically assert struct sizes are what we expect. This prevents us from increasing the memory needs unintentionally (e.g. due to sub-optimal padding)
  + Store blocked property in query flags.
  + Use blocked property in API code. Make query->upstreamID = -1 the new default to differentiate easily what was forwarded (ID will be >= 0) and what not (ID == -1). Store the upstream server also for other query types that were forwarded (like queries blocked during CNAME inspection).
  + Add MAXDBDAYS=-1 to disable auto-cleaning and ensure overflow cannot happen (we just enforce the maximum in this case)
  + pxe: support pxe clients with custom vendor-class
  + Use the values of --min-port and --max-port in TCP connections.
  + Fix remote buffer overflow CERT VU#434904
  + Check destination of DNS UDP query replies.
  + Use SHA-256 to provide security against DNS cache poisoning.
  + Optimise RR digest calculation in DNSSEC.
  + Fix DNS reply when asking for DNSSEC and a validated CNAME is already cached.
Samu Voutilainen (Smar) committed (revision 10)
--------------------------------------------------------------------
- Update to version v5.3.4
  + Show BOOTP server and file strings used by TFTP
  + Update dnsmasq version to 2.82
  + Use fork-private regex substructure because each regex has an opaque structure (once compiled) and cannot be kept globally available through shared memory (at least not with any realistic effort)
  + We have to explicitly set conflinebuffersize to zero when freeing the buffer itself to avoid getline() crashing in some special edge-cases
  + Rename memory.c -> syscalls.c
  + Factor out syscalls for calloc, free, realloc and strdup into dedicated syscalls/{}.c files
  + Add interrupt-safe fprintf() and printf() routines
  + Add interrupt-safe vfprintf() and vprintf() routines
  + Make calloc(), realloc() and strdup() interrupt-safe
  + Add interrupt-safe write() routine
  + Add interrupt-safe accept() routine
  + Avoid redundant error reporting
  + Improve printf(), fprintf(), vprintf(), and vfprintf() error reporting
  + Add interrupt-safe recv() routine
  + Add interrupt-safe recvfrom() routine
  + Add interrupt-safe pthread_mutex_lock() routine
  + Add interrupt-safe select() routine
  + Add interrupt-safe fopen() routine
  + Add interrupt-safe sendto() routine
  + Backup and restore errno in real-time signal handler.
  + Add interrupt-safe vsnprintf() routine
  + Add interrupt-safe snprintf() routine
  + Add interrupt-safe vsprintf() routine
  + Add interrupt-safe sprintf() routine
  + Show complete list of args when complaining about unsupported argument
  + Adjust test for unknown argument to support the new format
  + Expose lua-interpreter as virtual pihole-lua binary
  + Add drop-in support for lua binary
Samu Voutilainen (Smar) committed (revision 9)
--------------------------------------------------------------------
- Refreshed patch shared_libraries.patch
  + gmp needs to be statically linked for Tumbleweed
- Update to version v5.3.2
  + Add additional_info column to test database (query table)
  + All queries: Hide UNKNOWN queries when not requesting both query status types
  + Add ability to connect to shared memory of the running FTL process
  + Bundle lua library "inspect"
  + Automatically load bundled libraries and make them available globally.
  + Test: Automatically loaded libraries
  + Add pihole.query([idx])
  + Test: pihole.query(0) returns details of the first query
  + Include FTL's prototypes in LUA
  + Remove shm data sourcing. We will query such data through the API with Pi-hole v6.0
  + Add support for ECS subnet parsing in FTL.
  + Log previously seen client when interpreting EDNS0 client subnet information
  + Evaluate possible EDNS data before analyzing a new query
  + Analyse ECS information only if EDNS0_ECS is enabled (enabled by default)
  + Add support for EDNS(0) CPE-ID (Common Platform Enumeration Identifier)
  + Protect against possible buffer overflow due to a malicious/malformed EDNS(0) payload
  + Add support for EDNS(0) MAC in BYTE format (dnsmasq option add-mac)
  + Add support for EDNS(0) MAC in TEXT format (dnsmasq option add-mac=text)
  + Add partial support for EDNS(0) MAC in BASE64 format (dnsmasq option add-mac=base64)
  + Correct name is EDNS(0) not EDNS0.
  + EDNS(0) debug message fine-tuning
  + Use preprocessor constants for OPTCODES to improve readability of the code
  + Add partial support for EDNS(0) COOKIES
  + Tests: EDNS(0) analysis
  + Make EDNS MAC available for FTL_new_query()
  + Tests: Simplify EDNS(0) tests
Samu Voutilainen (Smar) committed (revision 8)
- Removed unused patches
Samu Voutilainen (Smar) committed (revision 7)
osc copypac from project:home:Smar:pi-hole package:pihole-ftl revision:35, using expand, using client side copy
Samu Voutilainen (Smar) committed (revision 6)
osc copypac from project:home:Smar:pi-hole package:pihole-ftl revision:35, using expand, using client side copy
Samu Voutilainen (Smar) committed (revision 5)
Samu Voutilainen (Smar) committed (revision 4)
- Fix building
Samu Voutilainen (Smar) committed (revision 3)
- Updates
Samu Voutilainen (Smar) committed (revision 2)
--------------------------------------------------------------------
- Update to version v5.2
  + Moving the counters definition from memory.c to shmem.c magically clears a lot of (wrong) VSCode errors. Doing this on request of a user as it is harmless.
  + Import unknown clients from ARP table
  + Explicitly set prepared statements to NULL when they are finalized.
  + Explicitly log if we had to make assumptions because the gravity database was not available.
  + Add DELAY_STARTUP setting to delay startup of the embedded dnsmasq.
  + Remove option FORCE_LOCAL_RESOLVER as we do not need it.
  + Add more comments, only print debugging output when DEBUG_DATABASE is enabled.
  + Simplify SQLite 3 database extension
  + Convert recently found (at most 1 hour old) mock-devices into "real" when we gather ARP/neigh information about them.
  + Fix nameserver list in auth mode.
  + Allow overriding of ubus service name.
  + CircleCI has an unforeseeable number of devices in its ARP cache. Do not check for a strict number of clients during the tests. No changes to the source code.
  + Ensure blocking also works when the long-term database is not used. This was broken before as we returned too early (the SQLite3 engine was not yet fully initialized) when the long-term database was disabled.
  + Fix possible memory leak in config.c
  + Some general tweaks
  + Explicitly log failures in creating the new sqlite3 function.
  + Ensure we don't lose memory after ARP cache parsing.
  + Also return NO MATCH when invoking subnet_match() with non-TEXT arguments.
  + Add a comment that gethostbyaddr() may leak memory (only once, not seen leakage of more than 110 bytes)
  + Check arguments are of type SQLITE3_TEXT
  + Initialize resolver subroutines if trying to resolve for the first time
  + Only check/set client status when size of the array is not exceeded. Skip otherwise.
  + Do not import unknown clients from the ARP cache into FTL's memory. It is not our job to care about them if they are not doing any DNS queries.
  + Ensure ARP strings are NULL-terminated
  + Exiting instead of aborting may be beneficial in FTL forks.
  + Print arguments passed to embedded dnsmasq when at least one DEBUG flag is set.
  + Re-open gravity database (and re-prepare database statements) before accessing the database in case FTL forked.
  + Memorize PID of this thread to avoid re-opening the gravity database connection multiple times for the same fork
Samu Voutilainen (Smar) committed (revision 1)
osc copypac from project:home:Smar:pi-hole package:pihole-ftl revision:1