Pi-hole FTL v5.0 #747
Merged
Signed-off-by: DL6ER <dl6er@dl6er.de>
Per-client blocking rules, intermediate CNAME path blocking and some more
…to disable deep CNAME inspection. This might be beneficial for very low-end devices. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…ular query is only seen by this client). Signed-off-by: DL6ER <dl6er@dl6er.de>
Add CNAME_DEEP_INSPECT config option
…are never untrusted data, so not a security problem. Thanks to Klaus Eisentraut <klaus.eisentraut@web.de> for finding this. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…onally leads to false-negatives during the CI testing (the CI cannot always resolve the hostnames). Signed-off-by: DL6ER <dl6er@dl6er.de>
Do not try to resolve client host names during the tests
Add group zero support
Signed-off-by: DL6ER <dl6er@dl6er.de>
Thanks to Klaus Eisentraut <klaus.eisentraut@web.de> for finding this. Signed-off-by: DL6ER <dl6er@dl6er.de>
Calling lease_update_file() _can_ result in a call to periodic_ra(). Since both the DHCPv6 and RA subsystems use the same packet buffer this can overwrite the DHCPv6 packet. To avoid this we ensure the DHCPv6 packet has been sent before calling lease_update_file(). Signed-off-by: DL6ER <dl6er@dl6er.de>
… chain, the originally queried domain itself was not counted as blocked (but as permitted). Later in the chain, when we find that this is a bad guy, we short-circuit it. We need to correct the domain counter of the domain at the head of the chain, otherwise, the data for the top lists is misleading. For this, we go back the entire path and change the original request to blocked by increasing the blocked count of this domain by one. Fortunately, each CNAME path can easily be tracked back to the original head in FTL's data so we do not need to search it. This makes the change able to happen without causing any delay. Signed-off-by: DL6ER <dl6er@dl6er.de>
… this information during possible later CNAME inspection. This avoids the necessity to check the whitelist filters multiple times. Signed-off-by: DL6ER <dl6er@dl6er.de>
…ermitted property during an entire CNAME inspection process. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…FTL. Signed-off-by: DL6ER <dl6er@dl6er.de>
Change ownership of all shared memory objects before switching user
Tweak CNAME whitelisting behavior
Fix two testing errors
Top lists fix for deeply blocked CNAME chains
…an be used by TCP and UDP clients avoiding any doubled amount of work. Signed-off-by: DL6ER <dl6er@dl6er.de>
…now the same details about client/regex combinations. This commit also fixes an issue with regex group associations for configured clients that have no assigned group. Signed-off-by: DL6ER <dl6er@dl6er.de>
…rsion 9. Signed-off-by: DL6ER <dl6er@dl6er.de>
…t for domains and clients. Signed-off-by: DL6ER <dl6er@dl6er.de>
Update embedded dnsmasq to v2.81
… qemu issue). Signed-off-by: DL6ER <dl6er@dl6er.de>
Don't try setsockopt of non-existing NETLINK_NO_ENOBUFS option (fixes…
…n (fixes qemu issue)." This reverts commit e119ef8. Signed-off-by: DL6ER <dl6er@dl6er.de>
…..) into warning. We call this, which avoids POLLERR returns from netlink on a loaded system, if the kernel is new enough to support it. Sadly, qemu-user doesn't support the socket option, so if it fails despite the kernel being new enough to support it, we just emit a warning, rather than failing hard. Signed-off-by: DL6ER <dl6er@dl6er.de>
…ion to control this. Signed-off-by: DL6ER <dl6er@dl6er.de>
…e disabled by setting BLOCK_ESNI=false in pihole-FTL.conf Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…masq binary. Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…nt (pre-v5.0 measure) but use the dedicated blockingstatus variable. Signed-off-by: DL6ER <dl6er@dl6er.de>
Fix API summary status report
Automatically block _esni.* subdomains of blocked domains
…d7774e870d4cc1c Install proper qemu fix
Make regex matching case-insensitive by default
Add dnsmasq drop-in replacement support
Signed-off-by: Adam Warner <me@adamwarner.co.uk>
Remove swag store link from readme
…ss no-op. Signed-off-by: DL6ER <dl6er@dl6er.de>
…get property. Signed-off-by: DL6ER <dl6er@dl6er.de>
Fix FTL crash on closing handle to corrupted databases
Signed-off-by: DL6ER <dl6er@dl6er.de>
Fix bit-order in subnet mask generation
PromoFaux approved these changes May 9, 2020
dschaper approved these changes May 10, 2020
Highlights
- dnsmasq to v2.81: Update embedded dnsmasq to v2.81 #652

More may be found in the release notes.