DNSTAP logging in Unbound-1.11.0 #365
Comments
You have to use Other than those initial review comments, it looks okay! I can make those changes, or you can if you feel like it, and then it needs a bit more time from me to get a more detailed review. Thanks for the re-submit of this with the bugs fixed that you found.
Ohh, yes! It was my stupid mistake about freeaddrinfo().
issue #365 https://github.com/NLnetLabs/unbound/files/5659923/patches.tar.gz from iruzanov. The merge conflicts are fixed, but no changes are made to the patched code.
I have created a branch and pull request at #367 . There I imported the patches you linked in the tar.gz file, and then made the changes and some merge fixes and bug fixes. You can review the code there. A tarball with the code repository of today with the state of that code now is here https://nlnetlabs.nl/~wouter/unbound-1.13.1_20201209.tar.gz The diff for the updated patches can be downloaded in this link https://patch-diff.githubusercontent.com/raw/NLnetLabs/unbound/pull/367.diff
Great work, Wouter! And I looked into my patches for your changes and understood that mk_local_addr() was just like a ballast in the code :)) I completely forgot that we can pass repinfo->c->socket->addr directly to dt_msg_send_client_* functions. And also there are more accurate callocs/free in listen_dnsport.c source code. Looks great! Thank you very much! Also I have made the same patches for NSD-4.2.2. There is simpler code. And later I will send you the patchset to ask you to review the code for its correctness and optimality.
Applied your contributed code with review from my colleague @gthess from the linked pull request. Thanks for the contribution!
* nlnet/master: (103 commits)
- Fix: Resolve interface names on control-interface too.
- Fix for NLnetLabs#367: rc_ports don't have ub_sock; skip cleaning up.
- Fix to allow rpz with wildcard that applies to all TLDs at once.
- Changelog note for NLnetLabs#365, NLnetLabs#367 and NLnetLabs#368.
- Merge PR NLnetLabs#367 : DNSTAP log local address. With code from PR NLnetLabs#365 and fixes NLnetLabs#368 : dnstap does not log the DNS message ID for FORWARDER_QUERY.
- Fix comment item.
- Fix to use a simple pointer in the call of make_sock and make_sock_port.
- spelling fix in header.
- Fix unit test for added ulimit checks.
- Fix function documentation.
- On startup of unbound it checks if rlimits on memory size look sufficient for the configured cache size, and logs warning if not.
- ipsecmod: Better logging for detecting a cycle when attaching the A/AAAA subquery.
- Fix NLnetLabs#384: (1) A minor request to improve the log (2) A minor bug in one log message.
- Fix for zonemd, do not reject insecure result from trust anchor validation step in dnssec chain of trust.
- Fix for zonemd, that domain-insecure zones work without dnssec.
- Spelling fix.
- Fix for zonemd, that nxdomain for the chain of trust is allowed for island zones, it is treated as an insecure zone for verification.
- Fix NLnetLabs#431: Squelch permission denied errors for tcp connect
- rpz skip nsec3param records, and nicer log for unsupported actions.
- Fix NLnetLabs#429: rpz: url: with https: broken (regression in 1.13.1).
- Fix doxygen and pydoc warnings.
...
Hello, Wouter!
As I said earlier, I have made a patch set for Unbound-1.11.0 to log over DNSTAP both addresses: the source (client) address and the destination (local or service) one. My core idea is to introduce an NSD-like structure called unbound_socket and use it in the comm_points of the netevent code. So please look at my patches; I hope they will be reasonable and secure for the application.
And only one TODO that I have to do in future: right now I can log only the front side, i.e. client requests and responses. The upstream side is currently logged as 0.0.0.0 local address. It's a question of some rework of the outside_network code.
All the patches are in attached tarball.
Thank you in advance!
patches.tar.gz
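Added example, not Unbound's code and not taken from the patches attached to this issue: a stand-alone C sketch of the idea the issue describes, a per-socket record that stores the address a listener was bound to, so that a dnstap-style log line can carry the client address and the local (service) address side by side. The struct name `local_socket` and the function names are hypothetical stand-ins for the unbound_socket/comm_point wiring the patches add. The sketch also flags a case the thread does not discuss: when the listener is bound to a wildcard address, getsockname() reports 0.0.0.0 or ::, and the real local address would have to be recovered per packet with IP_PKTINFO/IPV6_RECVPKTINFO.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical stand-in for the per-socket record the patch describes:
 * remembers the address the listener was bound to so a logger can report
 * it next to the client address. Not Unbound's struct. */
struct local_socket {
    int fd;
    struct sockaddr_storage addr;
    socklen_t addrlen;
};

/* Fill ls->addr with the address the kernel bound fd to. Returns 0 on success. */
int record_local_addr(int fd, struct local_socket *ls)
{
    ls->fd = fd;
    ls->addrlen = sizeof(ls->addr);
    memset(&ls->addr, 0, sizeof(ls->addr));
    return getsockname(fd, (struct sockaddr *)&ls->addr, &ls->addrlen);
}

/* Render an address as "ip@port"; returns 0 on success, -1 on unknown family. */
int addr_to_str(const struct sockaddr_storage *ss, char *out, size_t outlen)
{
    char ip[INET6_ADDRSTRLEN];
    unsigned port;
    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)ss;
        if (!inet_ntop(AF_INET, &s4->sin_addr, ip, sizeof(ip))) return -1;
        port = ntohs(s4->sin_port);
    } else if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ss;
        if (!inet_ntop(AF_INET6, &s6->sin6_addr, ip, sizeof(ip))) return -1;
        port = ntohs(s6->sin6_port);
    } else {
        return -1;
    }
    snprintf(out, outlen, "%s@%u", ip, port);
    return 0;
}

/* 1 when the recorded local address is a wildcard (0.0.0.0 or ::). A listener
 * bound that way cannot tell the logger which interface address the query
 * arrived on; that needs IP_PKTINFO/IPV6_RECVPKTINFO per packet. */
int addr_is_unspecified(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)ss;
        return s4->sin_addr.s_addr == htonl(INADDR_ANY);
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ss;
        return IN6_IS_ADDR_UNSPECIFIED(&s6->sin6_addr) ? 1 : 0;
    }
    return 0;
}

/* Build the "client -> local" pair a dnstap-style message would carry. */
int format_addr_pair(const struct sockaddr_storage *client,
                     const struct local_socket *ls, char *out, size_t outlen)
{
    char c[INET6_ADDRSTRLEN + 8], l[INET6_ADDRSTRLEN + 8];
    if (addr_to_str(client, c, sizeof(c)) < 0) return -1;
    if (addr_to_str(&ls->addr, l, sizeof(l)) < 0) return -1;
    snprintf(out, outlen, "query from %s to %s%s", c, l,
             addr_is_unspecified(&ls->addr)
                 ? " (wildcard bind, local address unknown)" : "");
    return 0;
}

/* Build a constructed IPv4 sockaddr, used for sample input below. */
void make_v4(struct sockaddr_storage *ss, const char *ip, unsigned short port)
{
    struct sockaddr_in *s4 = (struct sockaddr_in *)ss;
    memset(ss, 0, sizeof(*ss));
    s4->sin_family = AF_INET;
    s4->sin_port = htons(port);
    inet_pton(AF_INET, ip, &s4->sin_addr);
}

int main(void)
{
    struct local_socket ls;
    struct sockaddr_storage client, bindaddr;
    char line[256];
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    make_v4(&bindaddr, "127.0.0.1", 0); /* port 0: the kernel picks one */
    if (bind(fd, (struct sockaddr *)&bindaddr, sizeof(struct sockaddr_in)) < 0) {
        perror("bind"); close(fd); return 1;
    }
    if (record_local_addr(fd, &ls) < 0) { perror("getsockname"); close(fd); return 1; }
    make_v4(&client, "192.0.2.10", 40000); /* constructed client address */
    if (format_addr_pair(&client, &ls, line, sizeof(line)) == 0)
        puts(line);
    close(fd);
    return 0;
}
```

The point of recording the address once at bind time, rather than at log time, is that the listening socket is the only place where the service address is known for certain; the request-handling path then only needs a pointer to this record, which is what the thread's `repinfo->c->socket->addr` remark refers to.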