pkgsrc-Changes archive


CVS commit: pkgsrc/net/dnsdist



Module Name:    pkgsrc
Committed By:   jperkin
Date:           Mon Oct 24 11:08:15 UTC 2022

Modified Files:
        pkgsrc/net/dnsdist: Makefile distinfo
        pkgsrc/net/dnsdist/files: dnsdist.sh
        pkgsrc/net/dnsdist/files/smf: manifest.xml
        pkgsrc/net/dnsdist/patches: patch-qtype.hh

Log Message:
dnsdist: Update to 1.7.2.

pkgsrc changes:
  * Fix NetBSD rc.d script that cannot have previously worked.
  * Use readline support instead of hardcoding editline, and fix buildlink
    variables that cannot have previously worked.
  * Enable nghttp2 support.

1.7.2
 Released: 14th of June 2022
 * Improvements
   Scan the UDP buckets only when we have outstanding queries
   Only allocate the health-check mplexer when needed
   Add Lua bindings to access the DNS payload as a string
 * Bug Fixes
   Fix invalid proxy protocol payload on a DoH TC to TCP retry
   Fix a crash on an invalid protocol in DoH forwarded-for header
   Add missing descriptions for prometheus metrics

1.7.1
 Released: 25th of April 2022
 * Improvements
   Remove the leak warning with GnuTLS >= 3.7.3
   Fix compilation with OpenSSL 3.0.0
   Docker images: remove capability requirements
   Docker image: install ca-certificates
   Work around a compiler bug seen on OpenBSD/amd64 using clang-13
   Stop using the now deprecated and useless std::binary_function
   Add a ‘getAddressAndPort()’ method to DOHFrontend and TLSFrontend objects
 * Bug Fixes
   Fix the health-check timeout for outgoing DoH connections
   Set Server Name Indication on outgoing TLS connections (DoT, DoH)
   Fix the latency-count metric
   Fix a use-after-free in case of a network error in the middle of a XFR query
   Properly use eBPF when the DynBlock is not set
   Fix ‘inConfigCheck()’
   Use the correct outgoing protocol in our ring buffers
   Raise the number of entries in a packet cache to at least 1
   Fix wrong eBPF values (qtype, counter) being inserted for qnames
   The check interval applies to health-check, not timeouts

1.7.0
 Released: 17th of January 2022
 * Bug Fixes
   Test the correct member in DynBlockRatioRule::warningRatioExceeded (Doug Freed)

1.7.0-rc1
 Released: 22nd of December 2021
 * Improvements
   Reuse and save the TLS session tickets in DoT healthchecks
 * Bug Fixes
   Fix a double-free when a DoH cross-protocol response is dropped
   Check the size of the query when re-sending a DoH query

1.7.0-beta2
 Released: 29th of November 2021
 * Improvements
   Add a function to know how many TLS sessions are currently cached
   Warn that GnuTLS 3.7.x leaks memory when validating certs
   Add a function to set the UDP recv/snd buffer sizes
   Add ‘showWebserverConfig’
 * Bug Fixes
   Fix a memory leak when reusing TLS tickets for outgoing connections
   Fix compiler/static analyzer warnings
   Fix Lua parameters bound checks
   Add missing visibility attribute on dnsdist_ffi_dnsquestion_get_qname_hash

1.7.0-beta1
 Released: 16th of November 2021
 * New Features
   Implement filesystem pinning for eBPF maps, drop and truncate via XDP (Pierre Grié)
   Add range support for dynamic blocks
   Add the ability to retain select capabilities at runtime
 * Improvements
   Read as many DoH responses as possible before yielding
   Stop over-allocating for DoH queries
   Support DoT, DoH and DNSCrypt transports for protobuf and dnstap
   Use the same outgoing TCP connection for different clients
   Convert make_pair to emplace (Rosen Penev)
   Add syslog identifier to service file
   Get rid of make_pair (Rosen Penev)
   Use make_unique instead of new (Rosen Penev)
   Handle existing EDNS content for SetMacAddrAction/SetEDNSOptionAction
 * Bug Fixes
   Keep watching idle DoH backend connections
   Fix the cleaning of TCP, DoT and DoH connections to the backend
   Properly handle I/O exceptions in the health checker
   NetmaskTree: Drop the ‘noexcept’ qualifier on the TreeNode ctor
   Fix build without nghttp2
   Remove debug print line flooding logs (Eugen Mayer)
   Credentials: EVP_PKEY_CTX_set1_scrypt_salt() takes an unsigned char*

1.7.0-alpha2
 Released: 19th of October 2021
 * New Features
   Add lua support for SetEDNSOptionAction
   Rule for basing decisions on outstanding queries in a pool (phonedph1)
 * Improvements
   Disable TLS renegotiation, release buffers for outgoing TLS
   Don’t create SSLKEYLOGFILE files with wide permissions
   Update existing tags when calling setTagAction and setTagResponseAction
   Fix the unit tests to handle v4-only or v6-only connectivity
   Improve the coverage of the outgoing DoH code
   Allow skipping arbitrary EDNS options when computing packet hash
   Add incoming and outgoing protocols to grepq
   Allow setting the block reason from the SMT callback
   Clear the UDP states of TCP-only backends
   Replace shared by unique ptrs, reduce structs size
 * Bug Fixes
   Better handling of outgoing DoH workers
   Properly cache UDP queries passed to a TCP/DoT/DoH backend
   Use per-thread credentials for GnuTLS client connections
   Only set recursion protection once we know we do not return

1.7.0-alpha1
 Released: 23rd of September 2021
 * New Features
   Implementation of DoH between dnsdist and the backend
   Implement cross-protocol queries, including outgoing DNS over TLS
   Add support for Lua per-thread FFI rules and actions
   Add FFI functions to spoof multiple raw values
   Add support for range-based lookups into a Key-Value store
   Implement SpoofSVCAction to return SVC responses
 * Improvements
   Don’t look up the LMDB dbi by name for every query
   Move to hashed passwords for the web interface
   Fix ‘temporary used in loop’ warnings reported by g++ 11.1.0
   Skip some memory allocations in client mode to reduce memory usage
   Support multiple ip addresses for dnsdist-resolver lua script (Wim)
   Make DNSDist XFR aware when transfer is finished (Dimitrios Mavrommatis)
   Do not report latency metrics of down upstream servers (Holger Hoffstätte)
   Carry the exact incoming protocol (Do53, DNSCrypt, DoT, DoH) in DQ
   Implement ‘reload()’ to rotate Log(Response)Action’s log file
   Document that setECSOverride has its drawbacks (Andreas Jakum)
   Convert dnsdist and the recursor to LockGuarded
   Handle waiting for a descriptor to become readable OR writable
   Clean up a bit of “cast from type […] casts away qualifiers” warnings
   Reorganize the IDState and Rings fields to reduce memory usage
 * Bug Fixes
   Catch FDMultiplexerException in IOStateHandler’s destructor
   Resizing LMDB map size while there might be open transactions is unsafe
   Ignore TCAction over TCP
   Stop raising the number of TCP workers to the number of TCP binds
   Handle exception raised in IOStateGuard’s destructor

1.6.1
 Released: 15th of September 2021
 * New Features
   Add the missing DOHFrontend::loadNewCertificatesAndKeys()
   Implement a web endpoint to get metrics for only one pool
 * Bug Fixes
   Set the dnstap/protobuf transport to TCP for DoH queries
   Backport a missing mutex header
   Properly handle ECS for queries with ancount or nscount > 0
   Catch FDMultiplexerException in IOStateHandler’s destructor
   Fix outstanding counter issue on TCP error

1.6.0
 Released: 11th of May 2021

1.5.2
 Released: 10th of May 2021
 * Bug Fixes
   Fix a crash when a DoH responses map is updated at runtime
   Fix SNI on resumed sessions by acknowledging the name sent by the client
   Fix the DNSName move assignment operator
   Fix a typo in prometheus metrics dnsdist_frontend_tlshandshakefailures #9728 (AppliedPrivacy)
   Make: two fixes
   Fix eBPF filtering of long qnames
   Fix a hang when removing a server with more than one socket
   Fix Dynamic Block RCode rules messing up the queries count
   Fix EDNS in ServFail generated when no server is available
   Prevent a crash with DynBPF objects in client mode
   Add missing getEDNSOptions and getDO bindings for DNSResponse

1.6.0-rc2
 Released: 4th of May 2021
 * Improvements
   Make the backend queryLoad and dropRate values atomic
 * Bug Fixes
   Fix missing locks in DNSCrypt certificates management
   Only use eBPF for “drop” actions, clean up more often

1.6.0-rc1
 Released: 20th of April 2021
 * Improvements
   Replace pthread_rwlock with std::shared_mutex
   Also disable PMTU for v6
 * Bug Fixes
   Lua: don’t destroy keys during table iteration
   Add missing getEDNSOptions and getDO bindings for DNSResponse
   Fix some issues reported by Thread Sanitizer

1.6.0-alpha3
 Released: 29th of March 2021
 * Improvements
   Set OpenSSL to release buffers when idle, saves 35 kB per connection
   Unify certificate reloading syntaxes
   Disable TLS renegotiation by default
   Improve TCP connection reuse, add metrics
   Using DATA to report memory usage is unreliable, start using RES instead, as it seems reliable and relevant
   Add a metric for TCP listen queue full events
   Enable sharding by default, greater pipe buffer sizes
   Add limits for cached TCP connections, metrics
 * Bug Fixes
   Fix the handling of DoH queries with a non-zero ID
   Fix the TCP connect timeout, add metrics

1.6.0-alpha2
 Released: 4th of March 2021
 * New Features
   Add option to spoofRawAction to spoof multiple answers (Sander Hoentjen)
   Add ‘spoof’ and ‘spoofRaw’ Lua bindings
 * Improvements
   Make NetmaskTree::fork() a bit easier to understand
   Do not update the TCP error counters on idle states
   Bind __tostring instead of toString for Lua, so that conversion to string works automatically (Aki Tuomi)
 * Bug Fixes
   Remove forgotten debug line in the web server
   Create TCP worker threads before acceptors ones
   Prevent a crash with DynBPF objects in client mode
   Fix several bugs in the TCP code path, add unit tests
   Fix size check during trailing data addition, regression tests
   Clean up expired entries from all the packet cache’s shards

1.6.0-alpha1
 Released: 2nd of February 2021
 * New Features
   Add per-thread Lua FFI load-balancing policies
   Implement Lua custom web endpoints
   Implement TCP out-of-order
   Add support for incoming Proxy Protocol
   Add SkipCacheResponseAction
 * Improvements
   Use more of systemd’s sandboxing options when available
   Add an option to allow sub-paths for DoH
   Prioritize ChaCha20-Poly1305 when client does (Sukhbir Singh)
   Start all TCP worker threads on startup
   Use protozero for Protocol Buffer operations
   Speed up the round robin policy
   Avoid unnecessary allocations and copies with DNSName::toDNSString()
   Get rid of allocations in the packet cache’s fast path
   Fix the DNSName move assignment operator
   Don’t copy the policy for every query
   UUID: Use the non-cryptographic variant of the boost::uuid
   Use an eBPF filter for Dynamic blocks when available
   Limit the number of concurrent console and web connections
   Add prometheus metrics for top Dynamic Blocks entries
   Add per connection queries count and duration stats for DoH
   Add Lua bindings to get a server’s latency
   Wrap more FILE objects in smart pointers
   Set the default EDNS buffer size on generated answers to 1232
   Add support for FreeBSD’s SO_REUSEPORT_LB
   Accept string in DNSDistPacketCache:expungeByName
   DNSName: add toDNSString convenience function
   Skip EDNS Cookies in the packet cache
   Add the query payload size to the verbose log over TCP
   Add the response code in the packet cache dump
   Add an optional name to rules
   Add the ability to set ACL from a file (Matti Hiljanen)
   Add a Lua binding for the number of queries dropped by a server
   Move to c++17
   Fix warnings on autoconf 2.70
   Reduce diff to upstream yahttp, fixing a few CodeQL reports
   Handle syslog facility as string, document the numerical one
   Deprecate parameters to webserver(), add ‘statsRequireAuthentication’ parameter
   Add a counter for queries truncated because of a rule
   Replace offensive terms in our code and documentation
   Use aligned atomics to prevent false sharing
   Unify non-terminal actions as SetXXXAction()
   Accept a NMG to fill DynBlockRulesGroup ranges
   Silence clang 12 warning
   Fix a few warnings reported by clang’s static analyzer and cppcheck
 * Bug Fixes
   Fix a crash when a DoH responses map is updated at runtime
   Fix SNI on resumed sessions by acknowledging the name sent by the client
   Use toStringWithPort instead of manual addr/port concat (Mischan Toosarani-Hausberger)
   Force a reconnection when a downstream transitions to the UP state (Nuitari, Stephane Bakhos)
   Handle EINTR in DelayPipe
   Handle empty DNSNames in grepq()
   Make: two fixes
   Fix eBPF filtering of long qnames
   Improve const-correctness of Lua bindings (Georgeto)
   Fix a hang when removing a server with more than one socket
   Appease clang++ 12 ASAN on MacOS
   Bunch of signed vs unsigned warnings
   Send a NotImp answer on empty (qdcount=0) queries
   Don’t apply QPS to backend server on cache hits
   Fix EDNS in ServFail generated when no server is available
 * Removals
   Rename topRule() and friends
   Remove useless second argument for SpoofAction


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/dnsdist/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/net/dnsdist/distinfo
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/dnsdist/files/dnsdist.sh
cvs rdiff -u -r1.2 -r1.3 pkgsrc/net/dnsdist/files/smf/manifest.xml
cvs rdiff -u -r1.1 -r1.2 pkgsrc/net/dnsdist/patches/patch-qtype.hh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/dnsdist/Makefile
diff -u pkgsrc/net/dnsdist/Makefile:1.17 pkgsrc/net/dnsdist/Makefile:1.18
--- pkgsrc/net/dnsdist/Makefile:1.17    Sat Aug  6 17:21:05 2022
+++ pkgsrc/net/dnsdist/Makefile Mon Oct 24 11:08:14 2022
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.17 2022/08/06 17:21:05 he Exp $
+# $NetBSD: Makefile,v 1.18 2022/10/24 11:08:14 jperkin Exp $
 
-DISTNAME=      dnsdist-1.5.1
-PKGREVISION=   3
+DISTNAME=      dnsdist-1.7.2
 CATEGORIES=    net
 MASTER_SITES=  https://downloads.powerdns.com/releases/
 EXTRACT_SUFX=  .tar.bz2
@@ -31,14 +30,16 @@ CONF_FILES+=        share/examples/dnsdist/dnsd
 
 CONFIGURE_ARGS+=       --enable-dns-over-tls
 CONFIGURE_ARGS+=       --enable-dnscrypt
-CONFIGURE_ARGS+=       --enable-fstrm
+CONFIGURE_ARGS+=       --enable-dnstap
 CONFIGURE_ARGS+=       --with-libsodium
 CONFIGURE_ARGS+=       --with-libssl
-CONFIGURE_ARGS+=       --with-protobuf
+CONFIGURE_ARGS+=       --with-lua
+CONFIGURE_ARGS+=       --with-nghttp2
 CONFIGURE_ARGS+=       --with-re2
 CONFIGURE_ARGS+=       --without-net-snmp
-CONFIGURE_ENV+=                LIBEDIT_CFLAGS="-I${BUILDLINK_PREFIX.libedit}/include"
-CONFIGURE_ENV+=                LIBEDIT_LIBS="-L${BUILDLINK_PREFIX.libedit}/lib -ledit"
+
+CONFIGURE_ENV+=                LIBEDIT_CFLAGS="-I${BUILDLINK_PREFIX.editlinereadline}/include"
+CONFIGURE_ENV+=                LIBEDIT_LIBS="-L${BUILDLINK_PREFIX.editlinereadline}/lib ${BUILDLINK_LDADD.editlinereadline}"
 
 INSTALLATION_DIRS+=    share/examples/dnsdist
 RCD_SCRIPTS+=          dnsdist
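Review bot: the configure flag changes in this hunk go beyond what the "pkgsrc changes" section of the log message records: `--enable-fstrm` becomes `--enable-dnstap`, `--with-protobuf` is dropped, and `--with-lua` and `--with-nghttp2` are added. Dropping protobuf is consistent with the 1.6.0-alpha1 entry above ("Use protozero for Protocol Buffer operations"), but the log only mentions readline and nghttp2, so please list the dnstap/protobuf option changes there as well. The `LIBEDIT_CFLAGS`/`LIBEDIT_LIBS` lines now expand `${BUILDLINK_PREFIX.editlinereadline}` and `${BUILDLINK_LDADD.editlinereadline}` instead of hardcoding `-ledit`, which is what lets either editline or readline satisfy the check; keeping the upstream `LIBEDIT_*` variable names is right, since those are the names configure already consumed before this change.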
@@ -48,12 +49,12 @@ post-install:
                ${DESTDIR}${PREFIX}/share/examples/dnsdist
 
 .include "../../devel/boost-headers/buildlink3.mk"
-.include "../../devel/editline/buildlink3.mk"
-.include "../../devel/protobuf/buildlink3.mk"
 .include "../../devel/re2/buildlink3.mk"
 .include "../../lang/lua/buildlink3.mk"
+.include "../../mk/atomic64.mk"
+.include "../../mk/readline.buildlink3.mk"
 .include "../../net/fstrm/buildlink3.mk"
 .include "../../security/libsodium/buildlink3.mk"
 .include "../../security/openssl/buildlink3.mk"
-.include "../../mk/atomic64.mk"
+.include "../../www/nghttp2/buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"

Index: pkgsrc/net/dnsdist/distinfo
diff -u pkgsrc/net/dnsdist/distinfo:1.12 pkgsrc/net/dnsdist/distinfo:1.13
--- pkgsrc/net/dnsdist/distinfo:1.12    Tue Oct 26 11:05:32 2021
+++ pkgsrc/net/dnsdist/distinfo Mon Oct 24 11:08:14 2022
@@ -1,10 +1,10 @@
-$NetBSD: distinfo,v 1.12 2021/10/26 11:05:32 nia Exp $
+$NetBSD: distinfo,v 1.13 2022/10/24 11:08:14 jperkin Exp $
 
-BLAKE2s (dnsdist-1.5.1.tar.bz2) = 8dc7c02091a7bb0af51fa23990f8cdac2f360b1d19f40a0a4eb91760b09cc255
-SHA512 (dnsdist-1.5.1.tar.bz2) = 68fe5f55fd081ed80a620933af9f8310be0e21c86ba449a9c557975b5c83f4b64e3002e6032dc002582d081e70e1ec2ff080c5d8389fd46a9896bdafd5a41f9f
-Size (dnsdist-1.5.1.tar.bz2) = 1068061 bytes
+BLAKE2s (dnsdist-1.7.2.tar.bz2) = 0daadb638e58c3142ed9cfe160b2f879fed1dd033aa3e4640e154c3002141fb0
+SHA512 (dnsdist-1.7.2.tar.bz2) = 2048ac0f861547fb103da1a128fd39a35ed689ccbf3c080232a3bd0550c9e7c7e01c95864d61e065e341a9f4111c974d2db2aba73eb8f7cba9bf8273da39b8a6
+Size (dnsdist-1.7.2.tar.bz2) = 1391588 bytes
 SHA1 (patch-dnsdist-console.cc) = 4675ca40e738e3d9e15d9a3c6993e1adce102a30
 SHA1 (patch-dnsdist.cc) = 8d3f167e38b6b67bb4d9b7f06dcc0245cf6c904f
 SHA1 (patch-ext_json11_json11.cpp) = 9fb12578d80103b8b92e984a483cbda98fd83db8
 SHA1 (patch-iputils.hh) = 09207cd894162d634cd832f12209e38a0c253624
-SHA1 (patch-qtype.hh) = 4551be1e303a31d34030c363849398923f5ff987
+SHA1 (patch-qtype.hh) = c4db69a8f0c818789607e190bb400791b3707a50
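Review bot: only the checksum for patch-qtype.hh changes here, while the SHA1 lines for patch-dnsdist-console.cc, patch-dnsdist.cc, patch-ext_json11_json11.cpp and patch-iputils.hh stay the same across the 1.5.1 to 1.7.2 jump; unless those four still apply to the new source without fuzz, regenerating them against 1.7.2 (and updating their SHA1 lines) keeps the patch set honest about what it was made against. The BLAKE2s, SHA512 and Size entries for the new distfile are updated together, which is the complete set `make checksum` verifies.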

Index: pkgsrc/net/dnsdist/files/dnsdist.sh
diff -u pkgsrc/net/dnsdist/files/dnsdist.sh:1.1 pkgsrc/net/dnsdist/files/dnsdist.sh:1.2
--- pkgsrc/net/dnsdist/files/dnsdist.sh:1.1     Fri Mar 31 20:49:51 2017
+++ pkgsrc/net/dnsdist/files/dnsdist.sh Mon Oct 24 11:08:15 2022
@@ -1,6 +1,6 @@
 #!@RCD_SCRIPTS_SHELL@
 #
-# $NetBSD: dnsdist.sh,v 1.1 2017/03/31 20:49:51 fhajny Exp $
+# $NetBSD: dnsdist.sh,v 1.2 2022/10/24 11:08:15 jperkin Exp $
 #
 # PROVIDE: dnsdist 
 # REQUIRE: DAEMON network
@@ -13,7 +13,7 @@ fi
 name="dnsdist"
 rcvar=$name
 command="@PREFIX@/bin/dnsdist"
-dnsdist_flags="${dnsdist_flags:- -d -u @DNSDIST_USER@ -g @DNSDIST@ -C @PKG_SYSCONFDIR@/dnsdist.conf}"
+dnsdist_flags="${dnsdist_flags:- -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C @PKG_SYSCONFDIR@/dnsdist.conf}"
 
 if [ -f /etc/rc.subr ]; then
         load_rc_config $name
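Review bot: besides replacing the unsubstituted `@DNSDIST@` placeholder with `@DNSDIST_GROUP@` (the part the log message describes as never having worked), this hunk also drops `-d` from the default flags, and the log does not say why. rc.subr runs `command` in the foreground and relies on it detaching, so please confirm that dnsdist 1.7.2 backgrounds itself without `-d` when started this way, or record the reasoning in the log message; the SMF manifest in the same commit goes the other way and switches to `--supervised`, which fits a contract-duration service but does not carry over to rc.d.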

Index: pkgsrc/net/dnsdist/files/smf/manifest.xml
diff -u pkgsrc/net/dnsdist/files/smf/manifest.xml:1.2 pkgsrc/net/dnsdist/files/smf/manifest.xml:1.3
--- pkgsrc/net/dnsdist/files/smf/manifest.xml:1.2       Tue Feb 20 16:59:55 2018
+++ pkgsrc/net/dnsdist/files/smf/manifest.xml   Mon Oct 24 11:08:15 2022
@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
 <service_bundle type="manifest" name="export">
-  <service name="@SMF_PREFIX@/dnsdist" type="service" version="1">
+  <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1">
     <create_default_instance enabled="false" />
     <single_instance />
     <dependency name="network" grouping="require_all" restart_on="error" type="service">
@@ -10,7 +10,7 @@
     <dependency name="filesystem" grouping="require_all" restart_on="error" type="service">
       <service_fmri value="svc:/system/filesystem/local" />
     </dependency>
-    <exec_method type="method" name="start" exec="@PREFIX@/bin/dnsdist -d -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C %{config_file}" timeout_seconds="60" />
+    <exec_method type="method" name="start" exec="@PREFIX@/bin/dnsdist --supervised -u @DNSDIST_USER@ -g @DNSDIST_GROUP@ -C %{config_file}" timeout_seconds="60" />
     <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" />
     <property_group name="startd" type="framework">
       <propval name="duration" type="astring" value="contract" />

Index: pkgsrc/net/dnsdist/patches/patch-qtype.hh
diff -u pkgsrc/net/dnsdist/patches/patch-qtype.hh:1.1 pkgsrc/net/dnsdist/patches/patch-qtype.hh:1.2
--- pkgsrc/net/dnsdist/patches/patch-qtype.hh:1.1       Fri Mar 31 20:49:51 2017
+++ pkgsrc/net/dnsdist/patches/patch-qtype.hh   Mon Oct 24 11:08:15 2022
@@ -1,11 +1,11 @@
-$NetBSD: patch-qtype.hh,v 1.1 2017/03/31 20:49:51 fhajny Exp $
+$NetBSD: patch-qtype.hh,v 1.2 2022/10/24 11:08:15 jperkin Exp $
 
 Avoid symbol pollution on SunOS.
 
---- qtype.hh.orig      2017-01-17 08:43:49.000000000 +0000
+--- qtype.hh.orig      2022-06-10 13:48:12.000000000 +0000
 +++ qtype.hh
-@@ -26,6 +26,10 @@
- #include <vector>
+@@ -22,6 +22,10 @@
+ #pragma once
  #include "namespaces.hh"
  
 +#if defined(__sun) && defined(DS)
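Review bot: the regenerated header moves the hunk from line 26 to line 22 and swaps the context line from `#include <vector>` to `#pragma once`, which is just the new file layout, but the patch description above it is still the single line "Avoid symbol pollution on SunOS." Since the patch is being touched anyway, say which clash is being avoided (the `DS` macro that the `#if defined(__sun) && defined(DS)` guard tests for) and, if one exists, add a link to the upstream report, so the next updater can tell whether the workaround is still needed.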


