Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Pi-hole FTL v5.0 #747

Merged
merged 822 commits into from
May 10, 2020
Merged

Pi-hole FTL v5.0 #747

merged 822 commits into from
May 10, 2020

Conversation

DL6ER
Copy link
Member

@DL6ER DL6ER commented May 6, 2020

Highlights

More may be found in the release notes.

DL6ER and others added 30 commits December 11, 2019 21:31
@DL6ER
Merge branch 'development' of github.com:pi-hole/FTL into development
841719e
@DL6ER
Merge branch 'development' into new/internal-blocking
c2755d8 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge pull request #642 from pi-hole/new/internal-blocking
dc2c3c9 
Per-client blocking rules, intermediate CNAME path blocking and some more
@DL6ER
Add CNAME_DEEP_INSPECT config option (default: true). It can be used …
699f25d 
…to disable deep CNAME inspection. This might be beneficial for very low-end devices.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Add group zero support.
33940f2 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Update FTL gravity.db.sql template to gravity database version 7.
5637d13 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Add new zero-group-specific tests (domain associated ONLY to a partic…
8058478 
…ular query is only seen by this client).

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge pull request #663 from pi-hole/new/CNAME_DEEP_INSPECT
83018ac 
Add CNAME_DEEP_INSPECT config option
@simonkelley @DL6ER
Fix buffer overflow checking in parse_hex(). The inputs to parse_hex …
d59b05f 
…are never untrusted data, so not security problem.

Thanks to Klaus Eisentraut <klaus.eisentraut@web.de> for finding this.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge branch 'development' into update/dnsmasq
60c0e10 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Do not try to resolve client host names during the tests. This occasi…
d752539 
…onally leads to false-negatives during the CI testing (the CI cannot always resolve the hostnames).

Signed-off-by: DL6ER <dl6er@dl6er.de>
@AzureMarker
Merge pull request #666 from pi-hole/tweak/no_resolve
b536bf0 
Do not try to resolve client host names during the tests
@DL6ER
Merge pull request #664 from pi-hole/new/group_zero
bb9f25c 
Add group zero support
@DL6ER
Merge branch 'development' into update/dnsmasq
99ff0c5
@DL6ER
Fix two testing errors.
b6d74c7 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@simonkelley @DL6ER
Fix crash in DHCP option parsing.
baa69a8 
Thanks to Klaus Eisentraut <klaus.eisentraut@web.de> for finding this.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@simonkelley @DL6ER
Avoid RA code trampling on DHCPv6 messages.
44ef1bb 
Calling lease_update_file() _can_ result in a call to  periodic_ra()

Since both the DHCPv6 and RA subsystems use the same packet buffer
this can overwrite the DHCPv6 packet. To avoid this we ensure the
DHCPv6 packet has been sent before calling lease_update_file().

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
If we find during a CNAME inspection that we want to block the entire…
e15d950 
… chain, the originally queried domain itself was not counted as blocked (but as (permitted). Later in the chain, when we find that this is a bad guy, we short-circuit it. We need to correct the domain counter of the domain at the head of the chain, otherwise, the data for the top lists is misleading. For this, we go back the entire path and change the original request to blocked by increasing the blocked count of this domain by one. Fortunately, each CNAME path can easily be tracked back to the original head in FTL's data so we do not need to search it. This makes the change able to happen without causing any delay.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Explicitly store domains as being whitelisted in FTLs cache for using…
36c4917 
… this information during possible later CNAME inspection. This avoids the necessity to check the whitelist filters multiple times.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Implement a query-wide whitelisted property that can hold the to-be-p…
a4f4a09 
…ermitted property during an entire CNAME inspection process.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Change ownership of all shared memory objects before switching user.
8604804 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Set query as whitelist permitted when the domain is already known to …
b0f0e9a 
…FTL.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge pull request #671 from pi-hole/fix/chown/shm-files
bdfd955 
Change ownership of all shared memory objects before switching user
@DL6ER
Merge pull request #670 from pi-hole/tweak/CNAME_inspection
9cc4e0d 
Tweak CNAME whitelisting behavior
@DL6ER
Merge pull request #667 from pi-hole/fix/test_suite
8e46afc 
Fix two testing errors
@DL6ER
Merge pull request #668 from pi-hole/fix/deep_CNAME_blocking_top_lists
45b5b0e 
Top lists fix for deeply blocked CNAME chains
@DL6ER
Add shared DNS cache for FTL. This cache is shared across forks and c…
c9c7c27 
…an be used by TCP and UDP clients avoiding any doubled amount of work.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Add shared per-client regex array. This ensures TCP and UDP workers k…
4c74a29 
…now the same details about client/regex combinations. This commit also fixes an issue with regex group associations for configured clients that have no assigned group.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Adjust tests after the last bugfix, bring gravity.db.sql schema to ve…
abf0e4c 
…rsion 9.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Memory alignment optimizations leading to a slightly reduced footprin…
e81faf3 
…t for domains and clients.

Signed-off-by: DL6ER <dl6er@dl6er.de>
PromoFaux and others added 21 commits April 12, 2020 14:17
@PromoFaux
Merge pull request #652 from pi-hole/update/dnsmasq
853261b 
Update embedded dnsmasq to v2.81
@DL6ER
Don't try setsockopt of non-existing NETLINK_NO_ENOBUFS option (fixes…
e119ef8 
… qemu issue).

Signed-off-by: DL6ER <dl6er@dl6er.de>
@PromoFaux
Merge pull request #730 from pi-hole/fix/docker_issues
5ad55e8 
Don't try setsockopt of non-existing NETLINK_NO_ENOBUFS option (fixes…
@DL6ER
Revert "Don't try setsockopt of non-existing NETLINK_NO_ENOBUFS optio…
bdc5ae7 
…n (fixes qemu issue)."

This reverts commit e119ef8.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@simonkelley @DL6ER
Convert failure of setsockopt(..., SOL_NETLINK, NETLINK_NO_ENOBUFS, .…
73acc1a 
…..) into warning.

We call this, which avoids POLLERR returns from netlink on a loaded system,
if the kernel is new enough to support it. Sadly, qemu-user doesn't support
the socket option, so if it fails despite the kernel being new enough to
support it, we just emit a warning, rather than failing hard.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Make regex matching case-insensitive by default and remove config opt…
bcb4789 
…ion to control this.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Automatically block _esni.* subdomains of blocked domains. This can b…
1bdb5ce 
…e disabled by setting BLOCK_ESNI=false in pihole-FTL.conf

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Simplify blocking metadata forcing code.
83bf576 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Add full drop-in replacement mode pihole-FTL can use to mimic the dns…
a30e5f3 
…masq binary.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Add a shortcut for dnsmasq syntax test
894a3c7 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Do not decide whether we are blocking or not based on the gravity cou…
fb5cfe0 
…nt (pre-v5.0 measure) but use the dedicated blockingstatus variable.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge pull request #735 from pi-hole/fix/summary_status
30ea4e0 
Fix API summary status report
@DL6ER
Merge pull request #733 from pi-hole/new/block_esni
06e3a70 
Automatically block _esni.* subdomains of blocked domains
@DL6ER
Merge pull request #731 from pi-hole/revert/e119ef8ace49bcc1d0c099257…
de5f041 
…d7774e870d4cc1c

Install proper qemu fix
@DL6ER
Merge pull request #732 from pi-hole/tweak/regex_caseinsensitive
fe97633 
Make regex matching case-insensitive by default
@DL6ER
Merge pull request #736 from pi-hole/new/dnsmasq_dropin_replacement
5b0cfb5 
Add dnsmasq drop-in replacement support
@ArcherN9 @PromoFaux
Deleted Swag store affiliate link
a00fdfe 
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
@DL6ER
Merge pull request #742 from pi-hole/tweak/dakshsrivastava
a4b26c3 
Remove swag store link from readme
@DL6ER
Invoking free_sqlite3_stmt_vec() on a NULL pointer should be a harmle…
61fd420 
…ss no-op.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Check for validity of prepared statements before trying to use their …
4750f65 
…get property.

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge pull request #744 from pi-hole/fix/free_sqlite3_stmt_vec_NULL
01332f6 
Fix FTL crash on closing handle to corrupted databases
@DL6ER DL6ER added the Release label May 6, 2020
@DL6ER DL6ER added this to the v5.0 milestone May 6, 2020
@DL6ER DL6ER requested a review from a team May 6, 2020 06:06
DL6ER and others added 2 commits May 8, 2020 11:26
@DL6ER
Fix bit-order in subnet mask generation.
b2bea81 
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Merge pull request #749 from pi-hole/fix/network-byteorder
c499c17 
Fix bit-order in subnet mask generation
@PromoFaux PromoFaux merged commit 3d7c095 into master May 10, 2020
@DL6ER DL6ER deleted the release/v5.0 branch September 10, 2021 06:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PromoFaux PromoFaux PromoFaux approved these changes

@dschaper dschaper dschaper approved these changes

Assignees
No one assigned
Labels
Release
Projects
None yet
Milestone
v5.0
Development

Successfully merging this pull request may close these issues.