File _service:tar_scm:pi-hole-ftl.changes of Package pi-hole-ftl
-------------------------------------------------------------------
Wed May 15 04:07:37 UTC 2024 - obs-service-tar-scm@invalid

- Update to version 6.x+git.20240513T191010~bccfa22:
  * Update bundled cJSON from 1.7.17 -> 1.7.18 released earlier today
  * Bump the github_action-dependencies group with 2 updates
  * Update tests, remove duplicated test
  * Change database permissions to -rw-r----- (640)
  * Improve error logging when TCP connections are prematurely closed by remote server
  * API /clients: Add note that {client} needs to be URI-encoded (if specified) and add documentation of read-only optional {name0} field
  * Bump actions/checkout
  * Address review comments
  * Provide human-readable message about the session status when authenticating
  * Fix a crash resulting from a bad interaction between PRs #1928 and #1930
  * Update embedded SQLite3 to 3.45.3
  * Be more verbose in which tables are imported during teleporter importing
  * Add new CONNECTION_ERROR message to the Pi-hole diagnosis system
  * Add extra logging around network issues (EDE: network error)
  * Improve diagnosis message adding subroutine to not require manually typed in number of arguments and do strict testing against the number of given arguments (instead of crashing if fewer are given and ignoring if more are given)
  * Store message in database as well
  * Use fragment size when computing filesystem sizes
  * Show warning when in debug mode and stat() failed to get file system details
  * Add further debug output concerning disk usage when debug.gc=true
  * Add proper memory allocation checking in the message formatting subroutines
  * Reintroduce a workaround for docker on macOS accidentally removed in bd266d6589e95e889bdcbbe1fe4cc0db85e81651
  * Fix importing logic for v5 teleporter files
  * Add further debugging output if files are NOT imported
  * Simplify v5 gravity table import condition
  * Bump the github_action-dependencies group with 1 update
  * Remove two characters TLDs constraint in hostname validation.
    Empty labels are still forbidden.
  * Slightly simplify the CI tests
  * Mark query as allowed when antigravity matches to prevent further checks such as CNAME inspection. This ensures antigravity matches have similar effects to explicitly allowed domains.
  * Fix a left-over "whitelisted" instead of "allowed" message in debug mode
  * Further reduce code-duplication by using the new escape_json() function for TOML as well. It is doing the exact same thing. Remove TOML_UTF8 as this has always been the standard encoding anyway.
  * Define a general function escape_json() similar to the already existing escape_html()
  * Only check non-empty hostnames
  * Use cJSON to escape hostnames possibly containing control characters
  * Ensure cJSON is used in a thread-safe manner and add CI tests ensuring this. Also ensure every JSON parsing is doing error checking and reduce some code duplication. No functional change.
  * Add new dhcp.logging option
  * Report the hex-code of the found invalid character
  * Bump the github_action-dependencies group with 1 update
  * Update embedded SQLite3 to 3.45.2
  * Add validator for webserver.api.client_history_global_max
  * Work on a copy of the env vars to avoid modifying the original causing issues down the line when FTL restarts internally and re-reads them
  * Remove obsoleted config option from test/pihole.toml
  * Remove config option database.DBexport. Its implementation was broken by design as its value was always overwritten by the condition (database.maxDBdays > 0). Replace it with exactly this condition and document the behavior in the config file
  * Uncomment previously commented line which prevented the domain validator from accepting hostnames with capital letters in
  * demote warning log message about not being able to open /sys/class/hwmon to the API debug log to prevent it from filling up the log when not available
  * Add searching for domains and clients in the Query Log. Wildcards (*) are supported everywhere in the search string.
  * Add missing validator for database.useWAL
  * Goodbye Adam mode
  * Add CI tests for deep config validation
  * Include RISCV64 in GHA job
  * Bump the github_action-dependencies group with 2 updates
  * Download documentation in amd64 build and further reduce code duplication
  * Try direct deployment
  * Do not try to upload documentation in deferred riscv64 upload step
  * Reduce code duplication by outsourcing into composite actions
  * Only add active entries
  * Use correct variable when migrating possible revServer settings from setupVars.conf to the new multiple-servers-aware JSON string formulation
  * Independent building of RISCV64
  * Build x86 binaries on GHA, only build ARM/RISCV on our self-hosted ARM64 runners
  * Try building on self-hosted GHA runner
  * Update config.c fix typo 5335 instead of 5353
  * Bump the github_action-dependencies group with 3 updates
  * Update embedded dnsmasq version to 2.90+1
  * Fix spurious "resource limit exceeded" messages.
  * Use correct index for domains in the Top Lists
  * Apply the same fix also to /stats/upstreams - this endpoint is actually not affected, however, it has a different logic than all the other endpoints now - fixing this eases maintenance and doesn't require us remembering that upstream destinations are never recycled (because there are only very few)
  * Improve config migration logging
  * Restructure API response from /history/clients and /history/database/clients to allow for sparse data.
    Add new config option webserver.api.client_history_global_max controlling if the activities chart should sort and show the *global* (integrated over 24 hours) or the `local` (measured individually in each time slot) most active clients
    Allow setting webserver.api.maxClients to 0 to always return all clients in /api/history/clients
  * apply the same fix to other places in the API
  * Report only as many clients as we have added to the sorting array
  * Apply code review
  * Update dnsmasq version to 2.90
  * Update expected dnsmasq warnings
  * Add documentation for automatically added new DNSSEC-related metrics
  * Reverse suppression of ANY query answer logging.
  * Add --dnssec-limits option.
  * Better allocation code for DS digest cache.
  * Better stats and logging from DNSSEC resource limiting.
  * Overhaul data checking in NSEC code.
  * Rework validate-by-DS to avoid DoS vuln without arbitrary limits.
  * Update EDE code -> text conversion.
  * Parameterise work limits for DNSSEC validation.
  * Fix error introduced in 635bc51cac3d5d7dd49ce9e27149cf7e402b7e79
  * Measure cryptographic work done by DNSSEC.
  * Update NSEC3 iterations handling to conform with RFC 9276.
  * Update header with new EDE values.
  * Protection against pathological DNSSEC domains.
  * Improve description of GET /auth/app endpoint
  * Ensure webserver.api.maxClients is honored even in the presence of recycled clients
  * Set REPLY of queries that failed DNSSEC validation to NONE (if not already set elsehow)
  * Check for UNKNOWN status and replies during CI testing
  * Add RFC 8482 filtering (Providing Minimal-Sized Responses to DNS Queries That Have QTYPE=ANY) by default
  * Allow narrowing down the (ad)list type using the (optional) query parameter ?type={allow,block}
  * Update embedded dnsmasq version to 2.90test4
  * Make --filter-rr=ANY filter the answer to ANY queries.
  * Tweak logging and special handling of T_ANY in rr-filter code.
  * Simplify how alias-clients are skipped in api/history/clients
  * Include forwarded queries in /api/history and count stale-cache queries as cached queries
  * Add validation for dns.revServers
  * Bump the github_action-dependencies group with 3 updates
  * Fix debug.api config options description.
  * DNSSEC validation should not be enabled by default - it wasn't in v5, either. The reason for this is that it may be causing issues on devices with broken/missing RTCs where NTP time synchronization relies on DNS resolution
  * Fix failed auto-merge in https://github.com/pi-hole/FTL/pull/1841
  * Adjust expected dnsmasq warnings after most recent upstream dnsmasq patch importing
  * Don't create a useless inotify file descriptor when --port=0
  * Refactor the accumulated crud of years in process_reply().
  * Handle caching SOA for negative PTR queries.
  * Fix logic error in signed RR handling.
  * Fix compiler warning.
  * Cache SOAs and return them with cached NXDOMAIN/NODATA replies.
  * Update dnsmasq version to v2.90test3
  * Fix FTBFS introduced in 2748d4e901193c919614276e42d6d54b11f3232d
  * Add optional JSON object .import to POST /api/teleporter that allows the user to pick what is to be restored
  * A dash is allowed as path for files.log.dnsmasq to stderr
  * Fix failure to build from source on Fedora 39
  * Apply suggestions from code review
  * Update embedded SQLite3 to 3.45.1
  * Add new config option database.useWAL defaulting to true making the use of the WAL journal optional for the on-disk query database
  * Bump the github_action-dependencies group with 1 update
  * Amend description of expiration field in GET /dhcp/leases: 0 means "infinite". No functional changes
  * Explicitly log which config item failed to validate. This is useful when a user tries to set multiple values at once (e.g. via the web UI)
  * Verify that every config option has a validator. Otherwise, return a log error that will fail the CI tests.
    This will help ensuring we won't forget to add validators for PRs that are merged in parallel or new config options added in the future
  * Add regex array validation for webserver.api.excludeClients and webserver.api.excludeDomains
  * Bump the github_action-dependencies group with 1 update
  * Fix pointer magic going wrong
  * Apply review comments
  * Reduce code duplication by factoring out filter regex compilation
  * Change how Pi-hole generates from self-signing our certificate to first creating a self-signed root certificate authority (CA) and then using this CA to ordinarily sign the server's certificate. This has the advantage of being able to import the CA in places where importing a self-signed certificate is discouraged or not possible (e.g. Firefox browser)
  * Compile exclude regexes only once, not N^2 times
  * Change order of objects in documentation (small nit pick)
  * Return null as version in /api/info/version if not available
  * Update embedded SQLite 3 to 3.45.0
  * Bump copyright to 2024.
  * Introduce new --local-service=host parameter
  * Fix --synth-domain NXDOMAIN responses.
  * Fix problem with domains associated with DHCP hosts at startup.
  * Bump the github_action-dependencies group with 2 updates
  * Add new config option to API
  * Add webserver.api.maxClients setting to set default number of clients to be returned for the client activity graph.
    This setting can be overwritten at run-time
  * Adjust webserver.api.exclude{Clients,Domains} description
  * Only free API data when the API was started
  * Add Pi-hole v5 -> v6 regex migration for webserver.api.exclude{Domains,Clients}
  * Remove webserver.api.excludeRegex and instead allow regex to be used in the existing excludeDomains and excludeClients
  * Remove excludeClients from Client activity over time (/api/history/clients)
  * Only compare against valid filter strings
  * Clarify which API endpoints are affected by the exclusion settings
  * Extend webserver.api.excludeClients and webserver.api.excludeDomains to the Query Log
  * Further simplify skipping logic
  * Regex filtering is filtering: We need to do full counting to get the correct number of rows
  * Don't print double newlines after invalid domains
  * Do not rely on the old behavior of empty password is always correct when no password is set when changing the latter
  * Do not accept password login when the system is configured to not require a password
  * Do not accept DELETE session if no session is used (this also applies to password-less or localhost-no-auth mode)
  * Extend 204/404 logic to /dhcp/leases/{ip}
  * Extend 204/404 logic to /config/{element}/{value}
  * A 204 response must not contain a body (https://tools.ietf.org/html/rfc7231#section-6.3.5)
  * Extend 204/404 logic to /network/devices/{device_id}
  * Extend 204/404 logic to /info/messages/{message_id}
  * A few fixes for the response code documentation of the :batchDelete elements
  * Fix DELETE API endpoints. They should return 204 when something was deleted and 404 if nothing was found at this resource
  * Add Location header for newly created groups/clients/domains/lists
  * Ensure database analysis / MAC vendor update is running also when FTL is frequently restarted (e.g. during development or for users joining a special branch, e.g.
    during extended bug fixing or a beta release period)
  * Fix API dns/blocking documentation
  * Run ANALYZE instead of PRAGMA optimize after some discussion with the SQLite3 developers. Also ensure notices and mere messages are not always logged as errors in FTL's log. Furthermore, reduce the frequency of running ANALYZE from once per day to once per week.
  * Account for api-docs
  * Simplify artifacts download
  * Use IN where = was used but a multi-value result may occur
  * Optimize database on close (gravity) or frequently (queries)
  * Port gravity.db update to version 19 into FTL's testing harness
  * Recheck statements in forks to avoid edge-case collisions possibly leading to a crash in heavy TCP worker activity
  * Update bundled cJSON from 1.7.15 -> 1.7.17 released yesterday
  * Do not check errors on ROLLBACK TRANSACTION when gravityDB_delFromTable() fails. We remove this to avoid overwriting the initial cause of the error.
  * Translate anti-/gravity list IDs to negative numbers so they can be distinguished from domains rather easily. Users are free to foil this method when they force negative IDs into the database but they will never be automatically created
  * Rename query_storage.regex_id to query_storage.list_id as it is already now used to also store exact matching domainlist entries by their ID. This commit further extends this to also store the (first) matching anti-/gravity list (if available)
  * When FTL_check_blocking() is called with a different domain than the one already stored in the query, we have to re-lookup the cache ID.
    This can happen when a CNAME chain is followed and analyzed
  * Remove unused upstream recycle check
  * Also log number of DNS cache records after history import
  * Simplify recycler debug summary
  * Move debug messages meant for debug.status from debug.gc over
  * DNS cache entries were never recycled, possibly causing incorrect blocking of certain domain/client/type combinations
  * If someone terminates FTL, try to obtain who is the murderer and log it
  * Allow SQLite3 to start up to four auxiliary worker threads for work-intense prepared statements. This is most useful with complex queries as it allows parallel sorting and indexing.
  * Add recommended HAVE_FDATASYNC compile-time option
  * Add recommended HAVE_MALLOC_USABLE_SIZE compile-time option
  * Add recommended SQLITE_LIKE_DOESNT_MATCH_BLOBS compile-time option
  * Greatly simplify memory db initialization by defining normal sync mode globally as compile-time option
  * Set disk.synchronous=NORMAL
  * Initialize database only after forking
  * Remove SQLite3 URI feature - we do not need it any longer. It is not part of the regular SQLite3 shell builds.
  * Attach disk database once when initializing memory database and don't bother detaching it - it will finally be detached when FTL terminates
  * Use WAL, remove (and strip) SQLite3 shared-cache support
  * Bump actions/download-artifact from 4.0.0 to 4.1.0
  * Fix one-of definition in clients, domains, groups, and lists POST request payloads
  * Reduce default N from 20 to 10 as experiments suggest that even 10 is at the border of being still readable
  * Add special client "other clients" summing all client activity that has not been included due to more clients being active than being returned (due to limited N)
  * Limit the number of clients to return to the number of clients to avoid possible overflows for very large N and add N=0 as special option to return all clients (even if the user does not know how many there are)
  * Limit number of clients returned by the /api/history/clients endpoint to 20. This can be overwritten at compile-time and at run-time using the query parameter ?N=...
  * Fix dns.piholePTR description and add another fallback layer for obtaining the DNS domain used by the system (if not specified through Pi-hole)
  * Update ftl-build container to v2.5
  * Adjust workflow for upload/download v4 changes
  * Add clarifying comments about the rather obscure DNS message compression feature. DNS should have used LZ77 instead of its own sophomoric compression algorithm.
  * Add static assertion for DNS struct sizes and work around gcc bug on arm32 issuing a warning where there should be none
  * Bump actions/upload-artifact from 3.1.3 to 4.0.0
  * Add CI tests
  * Implement IP -> hostname resolver
  * soc_thermal is a suitable CPU temperature sensor
  * Reduce performance test time, this is still sufficient to be pretty accurate and makes CI builds faster
  * Fix comment
  * Add CI tests
  * Add special non-interactive mode for the embedded sqlite3 engine accessible via "-ni"
  * Update node version to 20
  * Bump actions/stale from 8.0.0 to 9.0.0
  * Only include as many domains as we have in the sorted array
  * Use regex_id instead of regex.id for query log sorting
  * Apply suggestions from code review
  * If we have an exact match for pihole-FTL --config <option>, we print only this one
  * Reduce variable scope
  * Length -1 means user wants to get all queries (no server-side pagination)
  * Remove undocumented audit feature
  * Slightly simplify args code, argc is always > 1 so it cannot be < 2
  * When using void pointers in calculations, the behaviour may be undefined
  * Password-related code improvements and fixes
  * Condition 'fp!=NULL' is always true
  * Add missing legacy config import code for NICE -> misc.nice
  * Condition 'hwaddr!=NULL' is always true and reduce amount of allocated memory for synthesized MAC addresses from 324 to 18 bytes
  * Reduce variable scope
  * sscanf() without field width limits can crash with huge input data
  * Local variable 'hostname' shadows outer function
  * Clarify calculation precedence for '&' and '?'
  * regextest is always true in these cases
  * Local variable 'hostname' shadows outer function with the same name
  * Reduce variable scope
  * Condition 'web_layout!=NULL' is always true
  * Fix wrong format in printf() in disabled debugging code
  * Fix possible resource leak on errors in the GZIP routines
  * Fix resource/memory leak on error in teleporter ZIP processing
  * Use fixed string lengths where available
  * Reduce code complexity slightly
  * Reduce number of warnings coming from third-party modules we use shown during compilation
  * Fix possible dereferencing of NULL pointers
  * Fix missing declaration
  * Tests: Add CI test for allowing special domains per group
  * Add migration code from setupVars.conf:GRAVITY_TMPDIR to pihole.toml:files.gravity_tmp
  * Rename src/{ => config}/setupVars.{c,h}
  * Change priorities such that special domains (Firefox and Apple at this time) can be explicitly allowed for some clients (per group assignments) while they stay blocked for all others in the network
  * Implement special POST :batchDelete callbacks for /api/groups, /api/domains/, /api/clients, and /api/lists
  * Ensure CPU usage check is really run only every ten seconds
  * Don't even try to start webserver if webserver.port is an empty string
  * Use resource details obtained from kernel to compute a ten minute average of FTL's CPU utilization
  * Fix extra logging feature
  * Simplify debugstr() function
  * Add priority string in logs (if applicable)
  * Add allowed values for dns.revServers
  * Never recycle alias-clients
  * Add misc.extraLogging to enable log-queries=extra defaulting to false
  * Add dns.revServers and migrate dns.revServer. This allows multiple reverse servers to be added
  * Add config option ftl.gravity_tmp
  * Remove CH TXT privacylevel.pihole entry
  * Expose dnsmasq metrics
  * Add information on process-forking for TCP connections to metrics.
  * Add missing bits to the .gitignore file
  * Domain comparison should be case-insensitive
  * Tighten up error checking in --bind-dynamic mode.
  * Fix standalone SHA256 implementation.
  * Add CI tests for CHAOS TXT *.api.ftl
  * Add CHAOS TXT records to dynamically get the available API ports:
  * Improve shmem comments
  * Remove obsolete string escaping routines. They have been necessary for the Telnet API, however, this is gone and our JSON functions know how to deal with spaces
  * Minor tweak ensuring we also decommission UNKNOWN queries properly when they expire
  * Use case-insensitive matching for the gravity subcommands
  * Update src/config/dnsmasq_config.c
  * Fix link from message table to list table
  * Minor config comment fix
  * Set imported database query IDs to counter value and fix GC pointer magic (update comment to explain better what happens here)
  * Remove deprecated dhcp.domain setting
  * Increase default value of webserver.session.timeout
  * Disable cache optimizer for any negative TTL
  * Improve language
  * Extend escaping to the checkList function
  * Add comments
  * Also check wildcards prefixed by "CN=" in the subject name of the certificate
  * Update embedded SQLite3 engine to version 3.44.2
  * Improve API POST /auth documentation
  * Do not pin SID to one specific IP address
  * The SAN is not NUL-terminated, we need to use the specified length explicitly
  * Fix comparison of the final line and add more debug logging during file comparison (debug.config)
  * Escape invalid domains possibly containing control characters
  * Fix comment
  * Implement wildcard X.509 SAN/CN (subject) domain checking
  * Add extra debug statements
  * Remove obsolete overTime structure stored for each upstream.
    This reduces memory consumption per upstream destination from 640 to 56 bytes each
  * Simplify /api/stats/upstreams to use global upstream counter instead of looping over the respective overTime structure
  * Do not allocate too much memory for /api/stats/upstreams
  * Remove undocumented withzero parameter
  * Clients with zero queries should not be returned unless ?withzero=true is set
  * Warnings about incorrect ENV vars are expected and actually intended during CI testing
  * Also suggest keys starting with the given key. This can be helpful to, e.g. find misc.privacylevel if misc.priv is entered as the Hamming distance to misc.nice is shorter
  * Standardize CLI --config exit codes and add tests
  * Log config file statistics after writing
  * Also suggest possible alternatives for mistyped config keys on the CLI
  * Explicitly log why env vars were invalid in the overview
  * Use WARNING for unknown and ERROR for invalid env vars, also rename "ERR" to "ERROR" when printing errors (we also have INFO, WARNING, DEBUG, NOTICE, ALERT, ...)
  * Add the (fuzzy) Bitap algorithm and suggest up to three alternatives for typos
  * Add env vars tests
  * Log invalid environment variables
  * Suggest closest env var key when we find unknown keys
  * Log unused FTLCONF env vars
  * Store a list of FTLCONF_ environment variables
  * Move environment variables related functions/definitions into env.{c,h} without any further changes
  * Include PID of the currently running FTL instance in the logs response. This allows clients to easily detect when FTL is restarted to reset their nextID to zero.
  * Add SHA256 CI test
  * Add pihole-FTL sha256sum <file>
  * Only reload pihole.toml if the content changed
  * Do not rotate pihole.toml when opening pihole.toml.tmp for writing
  * Address reviewer's comment
  * Update embedded SQLite3 engine to version 3.44.1
  * Update tests
  * Also monitor when file was moved to overwrite our watched file
  * Fix misuse of const pointer in src/nftset.c.
  * Fix use-after-free in cache_remove_uid().
  * Fix crash when DNS disabled, introduced in 416390f9962e455769aa8ab6df0e105cae07ae55
  * Add --max-tcp-connections option to make this dynamically configurable.
  * Fix compile warning introduced by a889c554a7df71ff93a8299ef96037fbe05f2f55
  * Add RESINFO RR-type to the table of RR-type names.
  * Allow multiple hostnames in dns.hosts
  * Only log number of stored sessions not total number
  * Check there is no tail in validator routines
  * Apply suggestions from code review
  * Improve config file opening logging
  * Add filepath validation
  * Add domain validation
  * Add IP/Port validation
  * Add CIDR validation
  * Add validation routines for certain config options
  * Move the setupVars.conf file to setupVars.conf.old
  * Log successful processing of pihole.toml on startup
  * Add ability to get most recent client hostname from network table if specified by MAC address
  * Only log how many sessions have been restored
  * Add WEB_PORTS to setupVars.conf when importing v5 Teleporter files
  * Fix logging when reading the TLS certificate
  * Fix legacy settings parsing: All the DHCP-related IP addresses are not of type INADDR, not STRING!
  * Add dedicated function to reset config values to their defaults
  * Verify we have no default string pointers to NULL
  * Install safe-guards for string-related functions to not crash when accidentally supplied with a NULL pointer
  * Add parsing support for NULL-values
  * Also remove all rotated files in light of the upcoming https://github.com/pi-hole/FTL/pull/1738
  * Relax filename constraints in archive type detection
  * Use new ftl-build container v2.4.1
  * Install also remaining files
  * Add import_json_table() routine that can read, parse, and import <table>.json files from Pi-hole v5.x Teleporter archives
  * Add CI test for IDN2 conversion
  * Add CLI IDN2 conversion interface
  * Switch from libidn to libidn2 to get IDN conversion conforming to IDNA2008 + TR46 specifications (RFC 5890, RFC 5891, RFC 5892, RFC 5893, TR 46)
  * Test parse adlist.json
  * Do not compress rotated files - they are not expected to be large
  * Add "unicode" field to API response for GET /api/domain
  * Convert IDNs to punycode before validation
  * Add TAR routines for efficient parsing of a tar archive in memory
  * Add some rule along which we will decide the user supplied somethings that (superficially) looks like a Teleporter v6 ZIP file
  * Generalize upload handling scripts to possibly accept other files than ZIP archives
  * Remove CivetWeb patch which is not needed when authentication_domain is set
  * Require restarting after domain change - this also re-reads the TLS certificate file
  * Set civetweb's authentication_domain to config.webserver.domain
  * The group table's column is called "description" but we expose it in the API as "comment".
    Adjust internally used SQL to translate between them (this was already implemented and working for comment editing)
  * Update src/tools/gravity-parseList.c
  * Update src/config/config.c
  * Hostnames (non-FQDN) are valid domains in the context of allow/deny domains, too
  * Validate domains before adding them to the database via /api/list
  * IPv4 address 0.0.0.0 and IPv6 address :: correspond to empty strings in FTL settings
  * Explicitly check hint being NULL before trying to free it in send_json_error_free()
  * Don't call cJSON_free unconditionally on errors in api_list_write()
  * Use package ipaddress for IP address validation in API tests
  * Add additional DHCP range tests
  * Allow TLD blocking using ABP style
  * Adjust tests
  * Remove obsolete local.list
  * Remove additional spaces in dnsmasq.conf
  * Stop rotating dnsmasq.conf
  * Use hostsdir for custom.list to avoid cache flushing on changes
  * Add deprecation note for dhcp.domain
  * Improve readability of `dnsmasq.conf` by adding blank lines to group similar settings
  * Fix hint of dns.cnameRecords
  * Add restart flag to config items where this is missing
  * Restart FTL on change of misc.etc_dnsmasq_d
  * Use thread-safe variant of localtime()
  * Create dynamic validity period when generating X.509 certificate
  * Warn if NULL is bound to a message row even when we actually want to bind a blob
  * Add missing database type definition for CERTIFICATE_DOMAIN_MISMATCH_MESSAGE
  * Fix escape_html() crashing for NULL input
  * Use correct type when manipulating domainlist entries
  * max_sessions can only change across FTL restarts - not while it is running
  * Move 2FA success message more human-readable and move it to debug printing
  * Add tests and unify success/error messages across the files we are writing
  * Remove logging if unchanged config file if not in DEBUG_CONFIG mode
  * Do not rewrite config file custom.list (dnsmasq) when the content did not change
  * Do not rewrite config file pihole.conf (dnsmasq) when the content did not change
  * Do not rewrite config file pihole.toml when the content did not change
  * Run codespell on push
  * Spellcheck fixes
  * Add tests for --read-x509(-key)
  * Add logging to the Pi-hole diagnosis system when we detect a certificate domain mismatch
  * Add X.509 certificate/key parser
  * Always set freed pointers to NULL
  * Fix free() being used in the wrong page
  * Tests: Add tests that both /api/history and /api/history/clients return full 24h data
  * Also always send all history/clients data
  * Suggest using sudo if insufficient permissions to edit the config file were detected
  * Move dhcp.domain -> dns.domain
  * If reading pihole.toml failed, we recreated one from the possibly still existing setupVars.conf, etc. files. However, it arguably makes more sense to instead restore from the last known-to-be-good rotated config file in /etc/pihole/config_backups
  * Add special reply for reused TOTP tokens
  * Return 429 Too Many Requests with useful hint when number of available API seats is exceeded, also log currently configured number of API seats in the issues warning
  * Do not reduce the number of sent timeslots based on the real activity but instead always send everything (even if there are many zeros). This brings https://github.com/pi-hole/FTL/pull/1345 to FTL v6.0
  * Fix domain modification. The UNIQUE key in the domainlist table is the combination of domain+type, not domain alone so you can add the same domain, e.g. once as allowed and once as denied entries and assign them to different clients using appropriate groups
  * Fix error message shown when gravityDB_addToTable() fails
  * Add config option misc.etc_dnsmasq_d to allow setting whether files in /etc/dnsmasq.d are loaded as additional config files for Pi-hole.
    This resolves a long standing issue with Pi-hole not being compatible with software that installs custom files with conflicting lines in this directory (e.g., lxc) as well as improve the coexistence of Pi-hole with an already running dnsmasq on the host (by default, we do not share any config files in the future)
  * Fix OpenAPI checker not being able to discover properties that are returned by FTL but not documented in the OpenAPI specs
  * Make number of maximum concurrent API sessions adjustable
  * Changing dns.hosts does not need a full FTL restart but only a cache flush and re-read
  * Add tests for international local CNAME records
  * Reject invalid config items (error 400) instead of merely logging a warning to the log
  * Add string format verification in API checker
  * Add dhcp.netmask (type IPv4 address) and change the type of dhcp.{start,end,router} from string to IPv4 address to allow detection of invalid settings (e.g., "192.168.1.3000") early on
  * Only add dhcp.leaseTime if it is actually set. If not given, the default lease time is one hour for IPv4 and one day for IPv6 (dnsmasq defaults, see their man page).
  * Backslashes need to be escaped to avoid invalid escape sequences in the TOML file
  * Use webserver.domain as "account" in the TOTP QR code
  * Add authentication via query string
  * Add tests for international custom DNS records
  * Declare pihole.toml as UTF-8 document. We add a compile-time switch to use ASCII with UTF-8 escaping instead in case this is a necessity for anyone (I don't really expect this in the third millenial but we also know people are still using Windows XP on the web...)
  * RapiDoc does not really support schemas without examples, so add a dummy example for /docs
  * Update test/api/checkAPI.py
  * Check IPv6 support is not disabled either via the boot command line or at runtime before trying to launch the webserver for the first time
  * Clarify error wording
  * Report number of checked endpoints in the result and warn if the number of specified endpoints in FTL and the OpenAPI specs do not match
  * Fix all docs issues found by the improved API verification excluding the ones fixed by #1722
  * Add checking of all endpoints defined in FTL but not in the OpenAPI specs and vice versa
  * Remove traces of reboot and poweroff
  * Update embedded SQLite3 engine to version 3.44.0
  * Convert Adlist to List in Error Messages
  * Remove left-over debug output
  * Ensure %used of zero if no swap is used
  * Add most recent CivetWeb patch
  * Allow extended ASCII characters in URIs
  * Add a comment about the new behavior to the API specs
  * Convert searched domains to punycode (if applicable) and lowercase them
  * Fix some macro re-definitions on MacOS when using the system regex ABI.
  * Hand merge of PR#90 from h3xx/fix-compilation-error-when-using-system-regex.h. This includes some additional changes by trushworth to allow GNU C's refinements to regex.h to build without warnings.
  * Incorporate most recent changes from upstream tre-regex repository
  * GET /api/network/devices .devices.X.macVendor may be NULL
  * Implement deep-recursion of API arrays
  * Add missing .sessions.app boolean to the docs
  * Clarify comment on setupVars.conf file
  * Env var arrays are ;-delimited
  * PUT and DELETE on config items which are forced by env variable should be rejected with 400 Bad Request + explanation
  * Managing DHCP leases is only possible when the DHCP server is enabled
  * Fix small logic bug preventing setting an empty (= no) password via API/CLI/file.
    So far, it was only possible by directly interacting with .pwhash
  * Bump actions/setup-node from 3 to 4
  * Documentation-only change: Add 401 being returned by the API for unauthorized access to GET /api/auth and add a few more examples
  * Optimize status and reply handling in the code. Add status object to /api/stats/summary
  * Do not issue a warning if encountering a recycled client during periodic name resolution
  * Fix broken internal dnsmasq config test
  * Return empty object with code as specified in the API when calling PUT/DELETE /api/config/...
  * Use more precise examples in the API documentation
  * Free regex after successful test compilation in API lists
  * Try retry-action
  * Use UPSERT instead of special REPLACE INTO statements to update existing group, adlist, domainlist, and client rows in the gravity database
  * Improve recycler reporting
  * Add app password support
  * Reuse existing shared clients, domains, and cache memory slots which are not referenced by any active query within the past 24 hours. Furthermore, always scan the shared strings and reuse them before allocating new memory with the same content
  * Use secure_delete mode to ensure the backed up sessions are overwritten with zeros after restore
  * Store sessions only momentarily in between FTL restarts
  * Config items set via environment variables cannot be changed, they remain readonly for the entire lifespan of the FTL process
  * Add missing CAP_CHOWN to CMakeLists install target
  * Explicitly chown all rotated files to pihole:pihole
  * Allow both commas and semicolons for separating array env var entries
  * Add new config option webserver.api.session.restore defaulting to true and move existing config option webserver.api.sessionTimeout -> webserver.api.session.timeout
  * Add save/restore of API sessions to the database to avoid a forced logout on FTL restarts.
    This updated the database to version 15
  * Include number of active clients in the response of GET /api/stats/summary
  * Log restarting reason
  * Immediately restart FTL if requested, do not wait for the DNS loop
  * Disable journaling and synchronous mode when building the gravity.db file in parseList
  * Bump actions/checkout from 4.1.0 to 4.1.1
  * Update tests to reflect the new database version 14
  * Remove tests/build on debian builders
  * Subdomains beginning and ending in dash are actually fine (pattern [a-z0-9_-]{0,63}\\.), move the corresponding tests to a concluding TLD check region (pattern [a-z0-9][a-z0-9-]{0,61}[a-z0-9])
  * Update comment in src/webserver/x509.c
  * Implement setting API password via env variable
  * Also add pi.hole as alternative subject if domain != "pi.hole"
  * Add SAN field into self-generated X.509 TLS certificates. It is mandatory since RFCs 2818 and 3280
  * Use latest ftl-build containers to incorporate latest mbedtls release
  * Tweak misc.privacylevel to also accept string numbers. This can happen when using a dropdown select as done, e.g., on the web interface -> System -> Settings -> All settings
  * Ensure we are using the same constants everywhere for our enums
  * Fix detection of unchanged password. This fixes a forced invalidation of all currently active API sessions on every config change because every saving was misinterpreted as a password change.
  * Add Adam mode for FTLCONF_ENV_ONLY=true
  * Should check the env's value, not its key
  * Make FTL read and parse FTLCONF_* environmental variables. If they exist, they take precedence over config file values. The config file is updated from environmental variables so any changes can be followed therein.
  * Design changes on the API page
  * Install safety measures to prevent possible heap overflow in the network table processing
  * Gravity enforces that there must be at least two labels (i.e.
    one dot) so TLD-blocking is actually not possible
  * Add label length check
  * Reject > 255 character domains
  * Another minor speed improvement
  * Make HTTPS scheme the default case and fix paths to allow loading of the favicon
  * Remove semicolon actually preventing the correct filtering on regex IDs
  * Include .results.total (will never be clipped) and remove .total (may have been clipped)
  * Skip empty elements in config arrays both when reading and writing
  * Add /admin -> /admin/ redirect handler
  * Add number of matches into /api/search/{domain} results
  * Add error_pages option to CivetWeb causing the webserver to search in the web interface's root for error pages
  * Add new CivetWeb patch
  * Log debug messages to webserver.log when debug.webserver is true
  * Add debug.webserver
  * Only hint to checking the webserver log file
  * Enquote configurable strings
  * Add hint to check the webserver log (and where to find it)
  * Add error reporting during library initialization
  * Update src/api/queries.c
  * Simplify the authentication handling and fix the logic. The compiler optimizes this explicitly away (checked in assembler)
  * Add new config option webserver.api.searchAPIauth defaulting to false
  * Fix domain type and kind not being added for certain /api/domains calls. This is a regression of https://github.com/pi-hole/FTL/pull/1649
  * Implement Query Log sorting (server-side pagination)
  * Fix wording of info message concerning self-generated TLS certificate. Before this commit, we incorrectly logged that we created a TLS certificate not only when we really did this but also after each restart when simply using it.
  * Add new option dns.listeningMode = NONE
  * Update SQLite3 to 3.43.2
  * The most recent commit improved config file rereading in such a way that the DNS cache can stay intact for most changes. This needs to be reflected in the tests, expecting only one instead of two compilations of the regex filters.
  * Restart FTL when privacy level is decreased but not when it is increased
  * Be crystal clear that the FLAG_RESTART_DNSMASQ is actually a full FLAG_RESTART_FTL flag (it hasn't always been like that)
  * Always restart FTL when changing the privacy level
  * Add descriptions to the ftl database table. This updates the database to version 14
  * Simplify timerange filtering and fix total number of queries in the last 24 hours being used even when a limited timeframe has been requested
  * Update dnsmasq version
  * Add new dnsmasq warning to CI test
  * Fix bad reply to DHCPCONFIRM messages (wrong message type).
  * Work around possible Linux bug with VRF interfaces and DHCPv6.
  * Add support for sorting Query Log by reply time
  * Initialize mbedtls with default instead of SuiteB presets
  * Run parseList without regex
  * Ensure all database upgrade steps are wrapped into transactions. When the database upgrade is interrupted (FTL is killed, or crashed or power loss, ...), then the rollback journal file is left on disk. The next time another application attempts to open the database file, it notices the presence of the abandoned rollback journal (we call it a "hot journal" in this circumstance) and uses the information in the journal to restore the database to its state prior to the start of the incomplete transaction. This fixes sporadic issues with only partially initialized databases mostly seen on devices with unstable power supply.
  * Add wildcard support for server-side Query Log (domain, client-ip, client-by-name, upstream)
  * Cache zero-TTL DNS replies when stale-caching is enabled.
  * Fix memory leak in arbitrary-RR caching.
  * Fix endpoint security requirements for /info/login, /auth/totp, /info/client
  * Allow generating X.509 TLS certificates for arbitrary domain names. When auto-generated, FTL uses the config value webserver.domain defaulting to "pi.hole". The generated certificate may be checked using, e.g.
    openssl x509 -in /etc/pihole/tls.pem -text -noout
  * Add /api/info/login and remove some parts from /api/auth
  * Include processed object only in POST and PUT responses
  * Adjust tests to include the new https_port property
  * Add allocation memory explanation as code comments
  * Add lists_processed to all corresponding OpenAPI elements
  * Include HTTPS port (if any) in /api/auth response
  * Add new Civetweb patch
  * Do not try to guess server hostname in Civetweb when redirecting directory URIs to end with a slash
  * Remove unnecessary redirection from **/$ -> **$
  * Also return a list of items that have been successfully added
  * Send processed object after list insertion to inform the client how many items have been successfully added, how many have failed and, if, what the individual errors were
  * Add hint to login rate-limiting logging. We also remove the debug logging as there will always be a WARN
  * Spellcheck corrections
  * Searchterm should simply be called domain
  * Add antigravity and /api/search related CI tests
  * Add ABP-support for /api/search and add new optional debug parameter
  * Better scale performance index
  * Improve the test by setting the T and S costs in the matrix to the same and computing a final average with a reliable error estimate (standard deviation = the square root of the variation of the performance index)
  * Be more explicit in the variable definition (what is constant)
  * Add rate-limiting on password login attempts
  * Run performance test during CI tests run
  * Add pihole-FTL --perf
  * Fix memory leak when using --dhcp-optsfile with DHCPv6 options.
  * Remove two-decade old hack.
  * Update ftl-build container version
  * Optimize ABP comparator generation
  * Check list type for all request methods (not only POST)
  * Implement correct ABP-syntax for antigravity in performance optimization in parse-list
  * Allow only @@||^ in antigravity parse-list runs
  * Use @@||xyz^ instead of ||xyz^ for antigravity list entries
  * Provide theme details through Lua function pihole.webtheme() now returning a full table instead of only a string. Everything concerning theme definition is moved into api/themes.{c,h}
  * Bump actions/checkout from 4.0.0 to 4.1.0
  * use tagged v2.0 version of ftl-build
  * Bump docker/build-push-action from 4.2.1 to 5.0.0
  * Bump docker/setup-buildx-action from 2.10.0 to 3.0.0
  * Further simplify antigravity over gravity priority code
  * First check against antigravity. Check gravity only if no antigravity match was found
  * Satisfy foreign key constraints when removing subscribed allowlists by deleting related domains in antigravity
  * Ensure subscribed list type is (re)stored to/from database table
  * Add antigravity (subscribed allowlists with wildcard support)
  * Allow build workflow to be triggered by workflow_dispatch
  * Add regex filtering support for domains on the Query Log (new config option webserver.api.excludeRegex)
  * Fix spellcheck error
  * Ensure we free the row.items object only when we have actually allocated it (not if we are merely using a copy)
  * Free row.items only after having used row.item one last time
  * Check each element for spaces
  * Add ability to specify domains, lists, clients and group names as arrays for creating multiple with the same properties (comment, groups, ...)
    at the same time
  * Warn about spaces and newlines in domain/URLs when adding new items to Pi-hole's lists
  * Fix CNAME regex ID propagation
  * Always set regex_id when available
  * Apply Pi-hole-specific changes to the SQLite3 engine
  * Update embedded SQLite3 engine to version 3.43.1
  * Bump actions/checkout from 3.6.0 to 4.0.0
  * Bump actions/upload-artifact from 3.1.2 to 3.1.3
  * Bump docker/build-push-action from 4.1.1 to 4.2.1
  * Compare password hashes, not password (we don't store them in memory)
  * Apply Pi-hole specific changes to SQLite3 code
  * Update embedded SQLite3 engine to 3.43.0
  * Simplify deletion of sessions
  * Compare password hashes after config reload and invalidate all currently active web sessions if they are different
  * We do not need to invalidate web sessions on CLI changes as we are not serving the web interface in this case
  * Fix problem with arbitrary RR caching.
  * Fix hostname test
  * Add files.pcap to expose integrated packet (PCAP) dumping to a file
  * Bump docker/setup-buildx-action from 2.9.1 to 2.10.0
  * Bump actions/checkout from 3.5.3 to 3.6.0
  * Update src/database/query-table.c
  * Hard limit for searching the adlists is 10,000
  * Improve warning messages printed during query table parsing (history import)
  * We need to get the MAX(id) from the on-disk database even if database.DBimport is false
  * Re-add the warning to FTL.log
  * GET /api/info/sensors should return no error but simply no values when we cannot parse temperature sensors
  * Fix warning printed when an argument should be floating point but is not a number
  * Embed missing file API specs file specs/action.yaml
  * Tidy up
  * Copy missing information from man pihole-FTL to pihole-FTL -h
  * Ensure disk database is detached on SQL issues
  * Change default webport to 80
  * Provide regex ID for API
  * Initialized webserver ports dynamically depending on whether ports 80 and 433 are already taken on a system
  * Also start TLS webserver by default
  * Use the right subroutine when upgrading the
    existing password to BALLOON hash
  * Remove reboot and poweroff actions from the API
  * Simplify code and handle case of missing trailing slashes for index pages properly
  * Tweak criterion we use for deciding if we are filtering on the Query Log or not. This is necessary as DataTables also sends a query string if no filters are applied. This is a direct consequence of PR #1599 which missed this special case
  * Actually apply TRUNCATED status when found
  * Use explicitly sized integers (u/int64_t) to ensure consistent operation on both 32 and 64 bit architectures
  * Use long long for parameter parsing to avoid overflowing for unsigned integers on 32bit architectures
  * Log warnings when parameters of invalid type are passed to the API (e.g. a numeric parameter receiving an out-of-bounds or non-numeric argument)
  * Handle index page (= dashboard) correctly
  * As a consequence of https://github.com/pi-hole/AdminLTE/pull/2655, redirection from the login page to any other page than the dashboard is broken. This PR fixes this in the proper way by redirecting from URIs such as "/admin/queries/" to "/admin/queries" which is where the actual scripts are (they'd have to be in "/admin/queries/index.html" otherwise)
  * Mount local users .ssh directory into the dev container in order to use SSH keys for signing off git commits
  * Switch build container image to use new buildx builder
  * Fix the sum returned for the number of queries in the Query Log when filtering
  * Add TRUNCATED status to enumeration of valid DNSSEC status codes. Truncated answer can't be validated. If this is an answer to a DNSSEC-generated query, we still need to get the client to retry over TCP, so we return an answer with the TC bit set, even if the actual answer fits into buffer. All the other code is already there, just the display code needs addition.
  * Prefer other authentication methods over COOKIE (which needs a CORS token in addition)
  * Use header SID authentication instead of the implicit cookie authentication to circumvent CORS issues
  * Fix OpenAPI documentation login
  * Bump actions/checkout from 3.3.0 to 3.5.3
  * Bump docker/build-push-action from 4.0.0 to 4.1.1
  * Bump docker/setup-buildx-action from 2.5.0 to 2.9.1
  * Bump actions/upload-artifact from 3.1.1 to 3.1.2
  * Fix logo path to use the embedded SVG icon
  * Add OpenAPI Authentication and Authorization details for the API. Every endpoint except GET,POST /api/auth needs authentication
  * Fix SQL used to update existing adlists via the API
  * Chown config file after writing to avoid file ownership/permission conflicts
  * Change generated elliptic curve from secp521r1 to secp384r1 because the former is not supported any longer by current Google Chrome (and, presumably, Chromium-based browsers like Edge). The reason for the removal is that NSA Suite B does not *mention* P-521 in the document, leading to Chrome removing support (even though Firefox keeps support for it). Furthermore, FIPS 140-2 also focuses on P-256 and P-384. There is nothing wrong about this curve but with the removal of it, it doesn't make sense to still keep it for automatic certificate generation in Pi-hole. There are debates on the web if P-256 wouldn't be enough as it is somewhat more efficient, but - at the end of the day - the difference is small and it is still worth mentioning that even the largest standardized EC at this point is faster than any standardized and trusted non-EC cryptography used today. If you dislike ECC, Pi-hole offers the generation of a 4096 bit RSA key, instead.
  * Add mg.request_info.is_authenticated to check if a user is authenticated
  * The new checkOnly argument should be `false` when parsing lists
  * Fix config output on CLI and add tests for it
  * Also backup and restore IPv6 ports
  * Add support for IPv6-only nameserver system configurations
  * Add enum values for high-contrast theme family
  * Allow defining lines to inject into the generated dnsmasq configuration (misc.dnsmasq_lines)
  * Add pihole-FTL gravity checkList <file> option
  * There is a certain level of arbitrariness in how spell-check works ... and behaves different when running locally (act -j spell-check) and online (GHA)
  * Spell-check fixes (RFC 6891 uses requestor with o so I assume this is a valid word)
  * Pass new abp_entries number to API
  * Save number of ABP-style entries in adlist table's new column abp_entries
  * Add high-contrast themes to list of available themes
  * Rename default theme to auto theme
  * The number of entries on a list should be the sum of domains and ABP-style entries
  * Verify generated Teleporter ZIP files after creation
  * Update default HTTP headers
  * Remove left-over debug output
  * Add minimum GLIBC version check
  * Use pi-hole/ftl-build:ftl-build-buildx containers
  * Add more recent commit to Civetweb patch series
  * Register CSRF token in conn->request_info
  * Generate and store CSRF token in the session
  * Allow fractional delay for blocking mode changes and fix a few smaller memory leaks
  * Fix "Invalid write/read of size 1" possibly leading to a crash in webserver.c
  * Fix off-by-one mistake in query type counters
  * Enforce cookie auth only for API endpoints
  * Accept cookie authentication only when CSRF header is provided (and correct)
  * Modify arch-tests, refine how we detect an already running pihole-FTL process and how we get other processes names from proc (the existing method didn't work on alpine:arm) and remove the obsolete struct size checking
  * sizeof(time_t) is 8 on both 32 and 64 bit with musl
  * Use new buildx-provided
    containers
  * Fix warnings shown when compiling with musl-gcc for 32bit targets
  * Fix getrandom() for glibc <2.25
  * Fix spelling in v6
  * !!! BREAKING CHANGE !!! Switch to the proven memory-hard password-hashing algorithm BALLOON. The stored password hash will be upgraded on the first successful login. To waive the necessity to implement BALLOON with every client trying to access the API, we remove the existing challenge-response authentication in favor of allowing login straight with the password. This has been avoided in the past, however, seems now acceptable that FTL (even by default) offers secure end-to-end encryption over HTTPS.
  * Store certificate-only file during X.509 generation
  * Add webserver.tls.rev_server boolean useful to tell FTL that unencrypted connections are still secure (in the context of Pi-hole solely being reachable through a reverse proxy)
  * Use mbedTLS PRNG to generate X.509 certificate serial number
  * Move password-related functions into a dedicated file
  * Write-only property webserver.api.password should reset all sessions when being used
  * Add LUA pihole.needLogin(remote_addr)
  * get_blocked_statuslist() and get_cached_statuslist() are pure functions
  * Add magic upstream destinations "blocklist" and "cache"
  * Simplify GET string parsing and ensure we decode URI components where necessary
  * Fix GC removing too many queries from the in-memory database
  * Update number of queries in databases when they are changed
  * Do not lock shm during /api/queries operation
  * Keep query string when redirecting from /abc.lp to /abc
  * Update changed indentation of known DNSMASQ warning
  * =/== typo in last commit.
  * Behave better when attempting to contact unresponsive TCP servers.
  * Necessary changes to handle the most recent dnsmasq changes in FTL
  * Log truncated DNS replies.
  * Add pihole.webhome() and add settings + group pages deep URI rewrite
  * Enlarge size of FIFO to 512 lines (before 128 lines).
    As we reduce the maximum allowed line length from 1024 to 256 bytes, this comes at no extra memory costs
  * Add new debug.tls option logging any mbedTLS debug output to webserver.log
  * Add mbedTLS debug logging hook
  * Add new CivetWeb patch needed for URL rewriting
  * Add FTL URI rewriting changes to CivetWeb
  * Implement *.lp URI rewriting
  * Add to /api/info/ftl if FTL is allowed to perform destructive operations (such as poweroff or reboot)
  * Allow printing the entire configuration (or parts of it) using, e.g. "pihole-FTL --config debug". Before, --config could only print exact config key matches
  * Add a setting to block possibly harmful actions
  * Add /api/action/flush/arp flushing both the network and network_addresses tables in pihole-FTL.db
  * Add /api/actions/flush/logs
  * Add dns boolean to /api/auth signalling if the DNS server is up and running
  * Improve request handler. No ".lp" pages are to be served without authentication (except login.lp). However, static content as css, images, etc. are always served to allow serving the login page
  * Fix OpenAPI definition of /api/dns/blocking
  * Continue to run webserver even when dnsmasq fails to still serve the web interface.
    Change the type of api/dns/blocking from bool to enum-string to support the new "failure" state
  * Rely on optimizer to decide whether or not to inline is_term() to restore compatibility with ancient Debian (armv4t)
  * Add strict_tls property to list of sessions showing if really every connection of this session happened over TLS/SSL
  * Add new Kepler syntax commit to Civetweb-related patch series
  * Always Kepler syntax for Lua server pages
  * Fix SQLite3 history + autocompletion
  * Extend /info/metrics to show details also about stale cache records
  * Replace test RSA (4096 bit) by ECDSA (521 bit) self-signed certificate for TLS due to the recent changes of supporting only EC-based ciphers
  * Type of misc.privacylevel is "enum (unsigned integer)" not "enum (string)"
  * Changing dns.hosts always needs a full dnsmasq restart as it is a single file and not a hostsdir (watched by inotify) component
  * Conform internal TLS encryption to TLS NSA Suite B Profile (RFC 6460) suitable for protecting national security applications. The distinguishing part is that no RSA or classic DH is used. Instead, this profile is fully based on ECC
  * Add tls boolean to list of sessions to indicate whether this session was established over a secure (end-to-end encrypted) connection
  * Improve API config handling. Users may now set all config values whether or not they have changed.
    FTL takes care for them to properly compare the individual items and acts accordingly (either partial restart, full restart or even nothing at all (when all config options remained exactly the same))
  * Preserve gravity-specific quantities when updating lists via the API
  * Send more gravity-specific quantities in /search/{domain}
  * Add global object "took" to all API endpoints
  * Include regex results in domains array when using /search/{domain}
  * Add method to delete network table entries by their database ID
  * Start timer thread keeping an eye on timed blocking mode changes
  * Ensure both type and enabled are returned when requesting domains through the API
  * Add /api/clients/_suggestions
  * Allow deleting multiple messages at once (provide them comma-separated)
  * Also analyze UDP reply headers
  * Ensure we always read diagnosis messages from the database
  * Code tidying.
  * Fix issue with stale caching.
  * Improve RFC3315 para 15 packet validation.
  * Handle SERVFAIL responses to DS queries better.
  * Simplify redirection when user is already authenticated
  * Preserve possible query arguments (GET) when routing through the login page
  * Move Lua-related functions into dedicated source file
  * Rename the API endpoint from /logs/http to /logs/webserver for consistency with the config option renaming
  * Log LUA errors into webserver.log.
    The CivetWeb documentation is wrong about the default (logging to file) as it is in fact logging to the output where the information might be hidden due to HTML/CSS
  * Add special handling of time_t for 32bit architectures
  * Simplify webserver logging routines
  * Remove PH7
  * Add new LUA functions useful for the web interface and define .lp files as index files
  * Limit data returned by the API for the history endpoint by webserver.api.maxHistory
  * Move database.maxHistory to webserver.api.maxHistory
  * Necessary changes due to dnsmasq patch 451bd35ad62c1444b3ef1d204ab606c0098b2fd9 overloading K_KEYTAG with cache record storage status
  * Log failure to determine MAC address in DHCPv6.
  * Optimization of socket events handling of dbus.
  * Fix crash in dbus code.
  * Fix paren blunder in aaba66efbd3b4e7283993ca3718df47706a8549b
  * Fix not sending domains that have not been seen on the current timeframe when we blocked no domains
  * Various memory improvements to (a) avoid crash during the final cleanup (don't allow reusing of pointer to memory that may already have been munmapped), and (b) ensure we have released all memory after exporting to the on-disk database (finalize all prepared statements in queries_to_database())
  * If the DHCP lease time is set to "24", it is interpreted as "24h". This is some relic from the past that may still be present in some setups
  * Add --no-dhcpv4-interface and --no-dhcpv6-interface options.
  * Turn "used" member of struct iname into flags in preparation for more.
  * Missed copyright date.
  * Make --server=/#/<addr> behave the same as --server=<addr>
  * Bump copyrights to 2023.
  * FTL changes related to most recent dnsmasq commits
  * Fix long-term bug in TCP caching code which would lose NXDOMAIN.
  * Use a simpler arrangement for the all_addr union to avoid the compiler padding it with an extra 8 bytes.
  * FTL changes related to most recent dnsmasq commits
  * Fix copy-n-paste error in 138e1e2a2d918b37cb0274fe310d53be35acf4cf
  * --domain=# is valid.
    --synth-domain=# isn't.
  * Allow --cache-rr=ANY with the obvious meaning.
  * Optimise memory use for arbitrary-RR caching.
  * ANY is RRNAME not BLOB after the most recent dnsmasq code changes
  * Apply necessary changes to FTL due to most recent dnsmasq patch
  * Optimise no-action case in rrfilter().
  * Add filtering of arbitrary RR-types.
  * Remove code for caching SRV.
  * Apply necessary changes to FTL due to most recent dnsmasq patch
  * Add --cache-rr to enable caching of arbitrary RR types.
  * Apply necessary changes to FTL due to most recent dnsmasq commit
  * Fold F_NOERR and F_DNSSEC to make space for new F_RR.
  * Add EDE "filtered" extended error when --filter-A or --filter-AAAA act.
  * More --filter-AAAA caching improvements.
  * Improve cache use with --filter-A and --filter-AAAA
  * Adjust struct sizes
  * Adjust tests for recent EDNS0 changes
  * Apply Pi-hole CivetWeb patches
  * Update CivetWeb to 1.16
  * Apply the same logic also for reverse lookups (PTR)
  * Explicitly set INSECURE status for replies received either from upstream (if they are not already validated as SECURE) or from cache. This is a direct consequence from the previous commit.
  * Analyse pseudoheader before it might get stripped off
  * Log if EDNS header is NULL and we are in debug mode
  * Only try to interpret EDNS EDE when EDE data is available
  * Ignore possible EXTRA-TEXT field in EDNS0 EDE data
  * Use AD bit for IN/SECURE and EDE in SERVFAIL when prox for BOGUSy-dnsmasq option is used
  * Implement EDNS(0) EDE
  * Simplify EDNS handling code and also interpret replies received from upstream
  * Disable zipinfo test
  * Generate TLS certificate when not present
  * Only load TLS certificate when the specified file exists and is readable
  * Add certificate generation command (pihole-FTL --gen-x509 ...)
  * Now that ZIP is available in the CI environment, use an external tool to check the integrity of Teleporter files
  * Use v1.27 build containers containing mbed TLS and ZIP
  * Reimplement DNS cache metrics in the light of arbitrary RRTYPE caching
  * Use new shortcut cache-rr=ANY to enable caching of all query types
  * FTL changes related to most recent dnsmasq commits
  * Fix copy-n-paste error in 138e1e2a2d918b37cb0274fe310d53be35acf4cf
  * --domain=# is valid. --synth-domain=# isn't.
  * Allow --cache-rr=ANY with the obvious meaning.
  * Optimise memory use for arbitrary-RR caching.
  * ANY is RRNAME not BLOB after the most recent dnsmasq code changes
  * Apply necessary changes to FTL due to most recent dnsmasq patch
  * Optimise no-action case in rrfilter().
  * Add filtering of arbitrary RR-types.
  * Remove code for caching SRV.
  * Apply necessary changes to FTL due to most recent dnsmasq patch
  * Add --cache-rr to enable caching of arbitrary RR types.
  * Apply necessary changes to FTL due to most recent dnsmasq commit
  * Fold F_NOERR and F_DNSSEC to make space for new F_RR.
  * Add EDE "filtered" extended error when --filter-A or --filter-AAAA act.
  * More --filter-AAAA caching improvements.
  * Improve cache use with --filter-A and --filter-AAAA
  * Merge changes from https://github.com/civetweb/civetweb/pull/1144 to be compatible with mbed TLS v3.4.0
  * Add SSL/TLS support (mbedTLS)
  * inotify.c:event->name is a flexarray and cannot be NULL (fixes RISCV compiler error)
  * Add option for caching all names RRNAMEs that are not already cached by default
  * Add "cpu_thermal" as CPU temperature sensor indicator
  * Do not make any assumptions about sensors being present but simply check for existing sensors
  * !!! BREAKING CHANGE !!! Reduce default value of database.maxDBdays from 365 to 365/4 == 91 days. In case this option is already set (either in pihole.toml or in the imported setupVars.conf), this value will continue to be used instead.
  * Delete only up to 1% of the queries in the database in one go to avoid long blocking times with many queries to be deleted.
  * Even when database.network.parseARPcache is set to false, FTL should be cleaning the network table, adding in clients from its own knowledge (those that sent queries), and add local interfaces
  * Pass SQLite3 errors when finishing the teleporter transaction commit failed
  * Rely on ENV var STATIC when compiling musl builds to simplify working in our musl devcontainer (x86_64-musl)
  * Add API documentation for method to delete session by ID
  * Add method for deleting sessions by their IDs
  * Use cryptographic randomness also for the API challenge and the SID generation
  * Make webserver.api.temp.unit its own config enum type
  * Add fallback randomness generation method for glibc older than 2.25 (armv4t builds)
  * Add --totp option to help text and always return 0 when no TOTP secret is configured
  * Add TOTP 2FA to web interface and API
  * Always update last_disk_db_idx after storing queries on disk as sqlite3_changes() sometimes reports too few rows being inserted. This was a rather tedious debugging...
  * Rename config.files.{http_info => log.webserver, ph7_error => log.ph7} and include file path in /api/logs replies
  * Add option dhcp.multiDNS
  * Ensure individual config settings are forced to false when debug.all is false without *all* other options being enabled
  * Sub-paths in /api/auth are not allowed (except for explicitly existing API endpoints)
  * Rename /api/auth/session{ => s}
  * Remember login timestamp of API sessions
  * Add special debug.all config option
  * Add info.ftl.uptime (in ms) and move config.{dns => dhcp}.domain
  * Mark currently active session when listing active sessions
  * Avoid undefined behaviour with the ctype(3) functions.
* Add GET /api/auth/sessions for listing the currently active sessions * Invalidate all currently active sessions when password/pwhash are changed * Add new regex extension ";reply=CNAME,target.domain" suitable for defining CNAME records per-group * Allow removing password by sending a blank value to the magic password item (both via CLI and API) * Change /api/info/cache -> /api/info/metrics and add other metrics such as query reply sources and DHCP metrics * Add dns.cache.optimizer as option to control the usage of expired/stale DNS queries while Pi-hole is looking for new ones. This option has always been available, we just make it more visible by assigning an individual config option for it. * Remove leftover debug output when setting the password via CLI * Return exit code 2 if specified config type is invalid in --config * Do not wrap strings in quotes for the CLI --config option * Add suggested CPU temperature which can be used by the client to display the CPU temperature without having to define selection rules in the clients. Said rules will have to be added in FTL itself, we are not making any assumptions here but only want to identify sensors based on facts. As consequence, the temperature value may be NULL if no reliable detection is possible. Users are asked to raise an issue with FTL in this case so we can have a look together with them on their particular system and add stable detection rules. * Include "source" of hwmon items and individual sensor's "max" and "crit" values (if available) in /api/info/sensors * Add filesystem type in disk usage warning (if available) * Only warn once about disk shortage in case database and log file are on the same device (e.g. both on / ) * Improve disk shortage warning to point out more precisely which filesystem is getting full. 
We do this by mentioning the mountpoint instead of the filename * Rename dns.reply.host.{overwrite_v => force}{4,6} * Group sensors by the hardware they belong to * Do not include the high number of sensors that have a temperature of 0.0 exactly * Add config->webserver.api.password to OpenAPI specs * Slightly restructure output from /api/info/sensors and include all sensors we can find using the following patterns: * Add pseudo-element config->webserver.api.password which will compute and set webserver.api.pwhash to provide a convenient method of changing the password both via CLI and API * Add quiet CLI config mode (e.g., "pihole-FTL --config -q dns.blocking.active") which makes boolean values accessible via FTL's return code * Ensure no debug output is leaking into the output of pihole-FTL --config ... even when debug.config = true is set * Reload gravity database when 'updated' property in table 'info' has changed * Add DELETE /api/dhcp/leases/{ip} * Add GET /api/dhcp/leases * Make a few more config values camelCase * Integrate former /api/config/_{topic,servers} into /api/config?detailed=true * Allow importing teleporter archives from the CLI * Create new webtheme() PHP function and make the webtheme an enum * Rename config.webserver.{api => }.sessionTimeout and ensure it is also used for the cookie * Ensure config struct is always initialized (also when reading the legacy pihole-FTL.conf config file) * Move /api/{dns -> info}/cache * Implement FTL-provided PHP function fileversion() * Improvements for the query log filter suggestions (increase default number of suggestions from 10 to 30 and differentiate between clients by IP and by name) * Append target=... when redirecting to the login page on failed authentication. This allows the script to go back to the page where the user has been before having been redirected to the login page. 
* Add {GET,DELETE} /api/info/messages * Add clients.total and gravity.domains_being_blocked to /stats/summary * Also automatically redirect from login.php to index.php when a user is already authenticated (or when authentication is not needed) * Enforce authentication for all PHP files (except login.php) * Use the copy_file_range() system call during log rotation. It performs an in-kernel copy between two file descriptors without the additional cost of transferring data from the kernel to user space and then back into the kernel. The copy_file_range() system call first appeared in Linux 4.5, but glibc 2.27 provides a user-space emulation when it is not available. For earlier versions than 2.27 (the armv4t cross-compiler is currently still at 2.24), we use sendfile() as fallback solution. * Mention how many host lines we have written in custom.list * Copy zeroth-file instead of renaming it during rotation to prevent some (yes, I know, unlikely) file permission issues down the road * Reload config on change of pihole.toml. This is done using an inotify watcher on /etc/pihole. This also means that there is no need to send SIGHUP to FTL after a config change, this is triggered internally. * Place search results into dedicated search object * Update RapiDoc 8.4.3 -> 9.3.4 * API Docs: Automatically log out when FTL is restarted and session has been invalidated * Add /api/search as a better replacement of the currently existing "pihole -q" command * Add more compiler warnings and fix a few things they pointed out worth improving/being more explicit about. This adds GCC-12 compatibility out of the box. * Remove memory statistics feature from CivetWeb. It makes the webserver somewhat faster and using less memory. We are not using it anyway. 
* More 32bit compatibility tweaks * Move src/compression -> src/zip * Move src/ph7 -> src/webserver/ph7 * Move src/cJSON -> src/webserver/cJSON * Move src/civetweb -> src/webserver/civetweb * Move src/miniz -> src/compression/miniz * GZIP uncompressor tweak for 32bit * Add test for re-importing the just exported Teleporter file during the tests * Add POST /api/teleporter to upload and install backed up configuration * Add /api/action/reboot and /api/action/poweroff (needs extra capability CAP_SYS_BOOT) * Add /api/action/gravity which can be used to trigger a run of pihole -g. The output is live streamed using HTTP/1.1 chunked encoding. * Add "--teleporter" to "pihole -FTL -h" * Add (a stripped down variant of the) pihole-FTL.db database into the Teleporter archive * Add (a stripped down variant of the) gravity.db database into the Teleporter archive * Add /etc/hosts, /etc/pihole/dhcp.leases (if it exists) and all files in /etc/dnsmasq.d into the Teleporter archive * Add pihole-FTL --teleporter to create Teleporter ZIP file in the current directory. We need to add "zipinfo" as package to our ftl-build containers to be able to verify the file independently (this is already done by Python for the ZIP archive received from the API - but it doesn't hurt to test twice) * Fix a small logic quirk preventing us from being able to change config parameters via PATCH /api/config. This issue was created in 4c62a02026b4617a1fb5a44245af202d94098199 * Add GET /api/teleporter * Only change config when new value is different from the current value. This allows to set all config options at once but without restarting dnsmasq when none of its config values are changed * Give hint about where the JSON parser failed when passing invalid JSON. * Mark several config options as "advanced" (will be hidden by default on the future settings page) * Update .github/workflows/openapi-validator.yml to account for "Node.js 12 actions are deprecated" warnings * !!! BREAKING CHANGE !!! 
Redesign TOML config structure * Add ability to list allowed values (for enums) in JSON form. Add pretty-printing for TOML and update all help text descriptions from the official Pi-hole documentation * Add /config/_server offering DNS server suggestions for the settings page * Rotate config files into /etc/pihole/config_backups instead of cluttering /etc/pihole itself * !!! BREAKING CHANGE !!! Rename pihole-FTL.toml to pihole.toml and it is a Pi-hole wide config file also covering all the dnsmasq settings, etc. * Include FTL version in headers of pihole-FTL.toml and 01-pihole.conf * Remove microtar, we'll use ZIP instead of TAR.GZ for multi-file archives. This is already available through miniz. * Add Desktop Management Interface (DMI) properties to /api/info/host * Tests: Add test for embedded GZIP compressor * Expose GZIP uncompressor via CLI * Expose GZIP compressor via CLI * Include info.yaml in build * Add line with error on request for setting an invalid dnsmasq configuration to ease debugging * Single out a few items from /api/info/system into /api/info/{sensors,host,ftl} * Move /api/{ftl -> info}/client, /api/ftl/dbinfo -> /api/info/database, /api/ftl/sysinfo -> /api/info/system, and /api/version -> /api/info/version * Add HTTP OPTIONS method processing. Using something like "curl -X OPTIONS -I pi.hole:8080/api/... will return an Allow header specifying which endpoint supports which method. * Add GET /config/_topics which will be helpful when automatically generating a Pi-hole settings page * Add "allowed" as JSON (where applicable) and "type" in /api/config?detailed=true to allow automatic settings page generation * Keep (up to) 15 config files in rotated form. To save space, we leave the most recent 4 uncompressed and compress the remaining files * Manage custom.list through the universal /config/dns/hosts instead of its own interface. This reduces code duplication. 
* Check if /sys/firmware/devicetree/base/model exists before trying to access it * Also allow all IPv6 addresses in default webserver ACL * Run config file rotation only when writing to the config file * Fix incorrectly returned 404 for existing API endpoints when not logged in * Free regex memory in final cleanup routine to ensure allocated regex do not show up as definitely lost memory in valgrind analysis * Add missing specs/{logs,endpoints}.yaml to pre-compiled logs * Rotate config files away instead of forcefully overwriting them. This allows users to easily revert in case they made unwanted changes. * Further improvements for check_space() * Improve code comments in daemon.c * Add more detailed warning about why writing to or removing the PID file failed (if this is the case) * Fix incorrect union member being used in check_space() * Implement proper testing of dnsmasq options before applying new configuration * Add GET /config/{element} for more specific requests as well as PATCH and DELETE /config/{element}/{value} for direct array manipulation * Materialize the pseudoelement config.port as config.dnsmasq.port (it can now also be changed) * Add ability to query nested config items, e.g. 
/api/config/dnsmasq/upstreams returning: {"config": { "dnsmasq": { "upstreams": [ "127.0.0.1#5335" ] } } } * Add /api/logs/{ftl,http,ph7} * Fix another memory leak where a payload sent to a non-existing endpoint wasn't freed properly * Rename /api/ftl/logs/dns -> /api/logs/dnsmasq * Rename /api/ftl/endpoints -> /api/endpoints * Add /api/config:dnsmasq.cnames * Configure if endpoints require authentication in a central place for better overview * Group endpoints in /api/ftl/endpoints by supported methods * Modify removing and adding local DNS entries via path instead of payload * Add missing API specs for /api/config:dnsmasq.dhcp.hosts * Add /api/dns/entries for manipulating the custom.list file (viewing, adding, and removing items) * Rename static DHCP leases file to .bck after parsing it. Everything will now be stored in pihole-FTL.toml * Nicely format TOML arrays as multi-line variables * Add config.dnsmasq.dhcp.hosts * Fix more substantial memory leak in the JSON formatter * Fix possibly small memory leak in regex compilation when there are regular expressions with certain errors * Convert swap memory to KB and add %used for RAM and SWAP in /api/ftl/sysinfo * Spawn number of webserver threads proportional to the number of online CPUs. The rule is (2*nprocs if nprocs < 8 else 16) * Check if temperature sensors exist before reading them to avoid spamming the log with "no such file or directory" messages for sensors without labels * Do not warn about not being able to open setupVars.conf - it may simply not exist * Free allocated memory in readTOMLvalue() * Add null values to /api/version if corresponding lines are not present in /etc/pihole/versions * Only add "conf-dir=/etc/dnsmasq.d" to the config if this directory exists * !!! BREAKING CHANGE !!! Use /etc/pihole/dnsmasq.conf as default config file for FTL. Pi-hole will not touch /etc/dnsmasq.conf or any files in /etc/dnsmasq.d/ any longer. They are solely reserved for user-provided scripts. 
This also adds the ability to easily have a separate dnsmasq instance running on the same host (using another port or binding to other interfaces, of course) * Add /config dnsmasq.logging (bool) * Add /api/versions docker.{local,remote} * Rename new option -c to --config to avoid possible ambiguity * Remove extra system.hostname property from /api/sysinfo. It is already contained as system.uname.nodename of the very same API endpoint * Add config getter and setter for the CLI * Add system.hostname and ftl.{pid,%cpu,%mem} to /api/ftl/sysinfo * Use NO_DLOPEN extension in civetweb * Add civetweb patch to disable DLOPEN * Add NO_DLOPEN option to civetweb's LUA routines * !!! Another breaking change !!! Inline 06-rfc6761.conf into FTLs generated config file, too. The symlink should now be /etc/pihole/dnsmasq.conf -> /etc/dnsmasq.conf * Add LUA support into embedded webserver * Update microtar (using the version from https://github.com/DL6ER/microtar): We now have support for large files and in-memory processing * Further debug logging for setupVars.conf importing * Add library miniz - a lossless, high performance data compression library in a single source file that implements the zlib (RFC 1950) and Deflate (RFC 1951) compressed data format specification standards * Add library microtar - A lightweight tar library written in ANSI C * Add misc.temp.unit and move misc.temp_limit to misc.temp.limit * Add build.sh ci option to allow for easier co-operation of native and devcontainer builds in the same workspace * !!! BREAKING CHANGE !!! Create new dnsmasq config file and test it. 
* Add config.dnsmasq and routines to write dnsmasq config files * Add new config items to the test TOML file * Modify /version to match the new /etc/pihole/versions file format * Add config.http.interface.boxed and config.http.interface.theme primed by setupVars.conf:WEBUIBOXEDLAYOUT and WEBTHEME, respectively * Add config.misc.temp_limit setting primed by setupVars.conf:TEMPERATURE_LIMIT (if available) used to signal beyond which temperature the frontend should consider the temperature "hot" * Do not store the payload on the stack but allocate heap memory for it. Using dozens of KB for each API connection is dangerous, hundreds of KB large payloads is surely a very bad idea. (remember, the answer to how-much-is-too-much is the rather vague: too much is when the stack overflows) * Tests: Set api.pwhash and dns.blocking.mode using PATCH /api/config * Add "uname" object to /ftl/sysinfo containing the nodename, domainname, architecture and other details from uname * Automatically migrate the API password hash and the lists of clients and domains to be excluded from setupVars.conf * Ensure checkAPI.py also accepts situations with localAPIauth = false * Add PATCH /config which allows modifying all FTL config values. Changed values go into effect *immediately* and the config file is updated. * Update ftl-build containers * Calculate percentage of blocked queries only if there is at least one blocked query to prevent division-by-zero issues (leading to None) * Implement login for python API checking script * Ensure dhcp-discover and regex-test do not overwrite the config file after parsing * Transform log_debug() into a function-like macro to save some time when we are not in debugging mode (the function is not called in this case) * Fix debug flag parsing after changing from bit-wise flags to individual bools * Rewrite the entire config-related code to allow for changing data without having to restart. 
Hereby, we greatly reduce code duplication in the TOML routines so we won't have to touch them in the future when adding additional options. * Add checkAPI.py to test suite * Update node from 12.x to 19.x for the openapi-validator * Use table query_storage instead of view queries in all places (well, except one which will be covered at a later time) * Add example verification when (possibly multiple) global examples are provided below the schema level * Also verify endpoint structure: Query endpoints from FTL and check if all properties mentioned in the docs are present (and of correct type) and that there are no extra properties we forgot to document. Furthermore, also verify that the provided examples are of correct type, too. * Add /api/stats/database/summary documentation * Add /api/stats/query_types and /api/stats/database/query_types documentation * Add /api/stats/top_clients and /api/stats/database/top_clients documentation * Add /api/stats/top_domains and /api/stats/database/top_domains documentation * Add /api/stats/recent_blocked documentation * Add /history/database/clients documentation * Add /api/history/database documentation * Add /api/stats/upstreams and /api/stats/database/upstreams documentation * Add documentation for /api/queries/suggestions * Remove /api/settings/web * Move /api/ftl/gateway -> /api/network/gateway, /api/ftl/interfaces -> /api/network/interfaces, /api/ftl/network -> /api/network/devices, and /api/ftl/config -> /api/config and add documentation for /api/network/devices * Improve checkAPI.py script (add handling of {kind} URI variables) * Order network devices descending by lastQuery * Move /api/network to /api/ftl/network * Tests: Update expected ConfigStruct size * Accelerate checkAPI script by ensuring we parse each YAML at most once * Also rename config options in test pihole-FTL.toml * Add API checking script * Add /api/ftl/config which can be used to retrieve the entire configuration of FTL. 
This endpoint only supports GET so far, however, we will add POST in the future so that configuration values can be changed through the API * Update ftl-build containers * Add /api/ftl/interfaces documentation * Add /api/ftl/gateway documentation * Remove gateway object from /api/ftl/interfaces * Rename JSON macros * Move /api/endpoints to /api/ftl/endpoints and add /api/ftl/endpoints documentation * Add /dns/port documentation * Only compile outdated documentation file to speed-up the compilation process * Add /api/endpoints * Update embedded civetweb to 1.15 * Add civetweb patches * Update actions/upload-artifact * Resolve missed merge conflict on Github workflow * Improve temperature computation and sensor name reading * Add device.model to sysinfo object * Ensure temperature sensor labels are read correctly * Adjust expected 32bit struct sizes * Re-read blocking mode from pihole-FTL.toml on receipt of SIGHUP * Locally refused queries should not be considered an error when configured like this using regex;reply=REFUSED * Warn if invalid IPv4/IPv6 addresses are specified in the config file * Lock shared memory before storing queries to database * Add dns.reply.own_host.IPv4/6 and dns.reply.ip_blocking.IPv4/6 to pihole-FTL.toml * pihole-FTL.log was renamed to FTL.log * Change default log file path (consequence of https://github.com/pi-hole/FTL/pull/1346) * Remove some incompatible tests * Remove newdb and directly store in memdb to avoid database complexity and unnecessary in-memory data duplication * Remove upload steps from CircleCI and add documentation upload step to Github Actions * Reset rate-limiting only when rate_limit.interval > 0 to reduce log noise in debug mode * Open database only if we are going to perform actions * TOML: Move check into [misc] * Use correct pointer for regex * Change wording of routine * Print if there was a match we might have ignored due to other settings in regex debug mode * Use get_query_reply_str() routine instead of 
reply_status_str object. * Fix singular/plural when reporting regex client(s) * Blocking mode is read when the first query is checked for blocking state. RELOAD_BLOCKINGMODE is set when reloading the DNS cache (also initially) * Include full dig in CI output * Static analysis improvements * Update cJSON to v1.7.15 * Ensure HTTP server is started * Update tests * Ensure database permissions are correct * Extend version information by CivetWeb, cJSON and PH7 * Add new file src/cache_info.h * Fix two incorrect search-and-replace * Also upload pihole.log on CI test fail * Tests: Include warnings and errors in the test result if we found them. * Use POSIX interfaces get/setpriority() instead of nice() * Tests: Cannot change niceness of pihole-FTL on CircleCI * Report debug setting if enabled * Implement TOML config file reader/writer and a converter of the pre-v6.0 config file format. * Update embedded civetweb 1.13 -> 1.14 * Fix possible resource deadlock in DB_read_queries() * Improve indentation in remaining source files. * Undefine obsolete logg() routine. * Fix indentation of refactored log routines. 
* New logging style gravity-db.c * Fix common.c * Remove duplicate wording common.h * New logging style network-table.c * New logging style common.h * New logging common.c * Tests: Fix double-start detection test * Tests: Fix regex CLI tests * Tests: Improve "No ERRORS in log" test * Use specific log routines in webserver/*.c * Use specific log routines in syscalls/*.c * Use specific log routines in hooks/accept.c * Use specific log routines in hooks/upstream_error.c * Use specific log routines in hooks/tcp_workers.c * Use specific log routines in hooks/set_reply.c * Use specific log routines in hooks/query_in_progress.c * Use specific log routines in hooks/new_query.c * Use specific log routines in hooks/multiple_replies.c * Use specific log routines in hooks/iface.c * Use specific log routines in hooks/header_analysis.c * Use specific log routines in hooks/forwarding_failed.c * Use specific log routines in hooks/forwarded.c * Use specific log routines in hooks/fork_and_bind.c * Use specific log routines in hooks/extract_question_flags.c * Use specific log routines in hooks/dnssec.c * Use specific log routines in hooks/dnsmasq_reload.c * Use specific log routines in hooks/detect_blocked_IP.c * Use specific log routines in hooks/CNAME.c * Use specific log routines in hooks/check_blocking.c * Use specific log routines in hooks/receive_reply.c * Use specific log routines in hooks/cache.c * Adjust tests * Use specific log routines in database/message-table.c * Use specific log routines in database/database-thread.c * Use specific log routines in api/stats.c * Use specific log routines in dnsmasq code * Use specific log routines in database/sqlite3-ext.c * Use specific log routines in database/aliasclients.c * Use specific log routines in api/stats_database.c * Use specific log routines in api/queries.c * Use specific log routines in api/network.c * Use specific log routines in api/api.c and api/auth.c * Use specific log routines in vector.c * Use specific log routines 
in database/query-table.c * Use specific log routines in timers.c * Use specific log routines in signals.c * Use specific log routines in shmem.c * Use specific log routines in setupVars.c * Use specific log routines in resolve.c * Use specific log routines in regex.c * Use specific log routines in procps.c * Use specific log routines in overTime.c * Use specific log routines in main.c * Use specific log routines in log.c * Include which debug option leads to a DEBUG output and skip logging if this debug option is not enabled * Use specific log routines in gc.c * Use specific log routines in files.c * Use specific log routines in events.c * Use specific log routines in edns0.c * Use printf instead of specific log routines in dhcp-discover.c * Use specific log routines in datastructure.c * Use specific log routines in daemon.c * Tests: Check against the new priority strings. * Use specific log routines in config.c * Use specific log routines in capabilities.c * Adjust tests for new logging facility * Add in-built syslog facility. It can be selected by specifying an empty string for LOGFILE= (pihole-FTL.conf). This changes the format of the pihole-FTL.log file. * Update tests to database version 10 * Fix upstreamsData size of 32bit targets * Add option to request query data from the on-disk database instead. * Finish Query Log server-side pagination implementation * Store in and restore from long-term database: reply type, DNSSEC type, reply delay (if applicable), client hostname (if applicable), TTL and regex ID (if applicable) * Split monolithic dnsmasq_interface.c file into individual hook units. 
* Add upstreams, types, status, replies, and dnssec to /api/queries/suggestions * Rename sum property to total in /api/stats * Fix type handling to not offset by 1 * Update tests * Move queries into their own API endpoint and prepare an endpoint with search field suggestions to be used with the Query Log * Update .gitignore and add VSCode workspace exclude-settings * Add DBID to /api/history/queries * Implement Query Log server-side processing * Changes for query log implementation * Implement new fields added to the adlist table * Add a second in-memory database to ensure non-blocking operation at all times * Upload documentation to binary bucket * Remove queries from in-memory table during garbage collection * Add in-memory database for queries * Make domain hosting the web interface customizable through the settings (for modifying the auto-redirect to admin/) * Set HttpOnly on sid cookie for XSS protection * Change timestamps from integer to double for (up to) nanosecond accuracy. * Also allow authentication by sending SID via HEADER * Add example validation * Rename routes.{c,g} -> api.{c,h} and reduce locking where this is not needed to gain more speed for the API * Tests: Log intermediate steps during authentication trial * Also use OpenAPI-enforcer to check the OpenAPI specs in addition * Run GHA on every push * Tests: Add failed and successful login attempts * Add OpenAPI schema validation (npm test) * Fix regex-test mode * Update build containers to v1.9 to have xxd and jq available * API docs: Some general fixes for the specs * Add authentication support to the API documentation * Move /api/stats/history to /api/history/queries * Add /api/history documentation * Add /api/stats/summary documentation * Add /api/version documentation * Add /api/auth documentation, change expected payload from form to JSON for consistency * Add /api/ftl documentation * Add /api/dns documentation * Embed API documentation into FTL. 
This ensures it is (a) always available locally, and (b) always corresponds to the API you have available locally. * Our JSON targets are NULL-tolerant. * Store comments for groups as well * Groups don't have the groups property * Improve error reporting for missing/incorrect sets of payload/URI arguments * Split type and kind into two fields for domains * Improving error reporting of the API * Improve URI matching algorithm * Move id, date_added, date_modified into extra database object * POST should not include the target to get pushed * Test compile regex before adding to the database (we may want to reject it) * Rename /api/adlists -> /api/lists * Fix a bug in CivetWeb server * Implement /api/clients * Actually reload gravity data on list add/edit/remove * Send domains/clients/groups/adlists counts in a new ftl object * Remove obsolete ping/pong test * Shorten history JSON keys * Introduce new ftl_conn struct that makes it easier to share stuff across processing subroutines in the same thread. * Extract payload only once * Rename /api/list -> /api/domains, /api/adlist -> /api/adlists, /api/group -> /api/groups, added /api/clients * Set table columns comment/description to NULL if empty * Implement changing group assignments through the API * Allow domains/groups/adlists to be removed from the database * http_get_payload(): Extract body payload also for PUT and PATCH * Include system object in /api/stats/summary to need one AJAX call less * Improve format of overTime replies. * Tests: No login needed when there is no password * Use SameSite=Strict as defense against some classes of cross-site request forgery (CSRF) attacks. This ensures the session cookie will only be sent in a first-party (i.e., Pi-hole) context and NOT be sent along with requests initiated by third party websites. 
* Get memory details directly from the kernel as we cannot rely on the information provided by sysinfo() [there sin't anything we need to compute the proper amount of used = unclaimable memory] * Tests: GET /api/auth results in a challange being returned to us * On 2017-08-27 (after v3.3, before v3.4), nettle changed the type of destination from uint_8t* to char* in all base64 and base16 functions (armor-signedness branch). This is a breaking change as this is a change in signedness causing issues when compiling FTL against older versions of nettle. * Add fallback label for temperature sensors in case they don't have their own label * Use payload in form-format when adding/modifying lists * Add /api/adlist endpoint to read/add/modify/delete adlists * Add /api/group endpoint to read/add/modify/delete groups * Return type and group_id array for domains * Rename {white,black} to {allow,deny} * Localhost should be able to request all ressources if this is set via a config option * Add /api/ftl/system?full=true for sourceing even more information (thinking of third-party applications) * Add /api/ftl/system for information about CPU, memory and temperature (if available) * Implement login as POST to /api/auth, logout as DELETE to /api/auth * Ensure every auth object has the session object * Always report success when there is no password set * Improve used randomness generator * Request challange over /api/auth/login * Improve log file locking * Improve shared memory lock mutexes * Retore errno in FTL's pthread syscall * Increase web service thread count to 16 * Require authentication for api_stats_query_types * Implement challenge-response authentication * Upload HTTP and PH7 logs to Tricorder on errors in tests * Use seperate lock for web log to avoid dead-locking with FTL's main lock (e.g. 
when a syscalls needs to lock an error in between) * Update civetweb v1.12 -> v1.13 (and simplify auth-cookie handling) * Restructure root redirection handler * Add more API debugging output * Redirect pi.hole/ -> pi.hole/admin * Update cJSON from 1.7.13 to 1.7.14 (released 3 September 2020). The structure of linkedlist has been changed to improve the efficiency of adding items to arrays/objects. * Move the API from http://pi.hole:8080/admin/api to http://pi.hole:8080/api * Return null for domain comment if this is what is stored in the database. * Delete running blocking status timer when requesting the same blocking mode as already active. * Zero-initialize memory on the stack to avoid picking up outdated content * Improve database statistics endpoint * Simplify request variable extraction * Ensure we use the same reply type in /api/stats/summary as in /api/dns/status * Improve /api/version endpoint. * Implement proper error handling for network table IP address sub-query * Put FIFO log into its own unit (out of the API code) * Return SQL error to user if sourcing data from the network table fails * Avoid buffer overflow. * Rename /api/ftl/clientIP to /api/ftl/client as we return more data than just the IP address (this is mostly a testing endpoint) * Differentiate between POST (error on existing) and PUT, PATCH (replace if existing) for domain lists. Also return GET style reponse on success. * Use booleans instead of string for controlling the blocking status. Return the GET response after a successful PATCH request. * Add filtering for domainlist endpoints * Uniform GET and POST keys and rename /dns/status to /dns/blocking to avoid misunderstandings * Move white- and blacklist endpoints one level up * Streamline /api/dns endpoints while writing the documentation for them * Improve cmake system. * Simplify error report messages. * Add request handler for directories (try /index.php) * Disable directory listings. * Add two new log files for HTTP infos (incl. 
    access logs if in API debug mode) and PH7 engine errors and messages.
  * Pass HTTP head to PH7 so it can extract header variables (, , , ...)
  * Redirect PH7 errors into pihole-FTL.log (instead of showing in the browser output) and define gethostname() PHP function.
  * gcc-9 optimizations.
  * Use embedded PH7 instead of external PHP-CGI interpreter.
  * Generally assume authentication to ease the development phase until we are actually able to add authentication.
  * Add NAPTR support for /api/stats/summary
  * Remove React-specific index page rerouting.
  * Add PHP support in Pi-hole's HTTP server.
  * Finish transition to cmake on the new/http branch.
  * Update Civetweb server to 1.12
  * Update cJSON to 1.7.13
  * Add const attribute to new sqrt routines.
  * Exclude database lookup time from computed forward destination delay.
  * Compute average response times for used upstream destinations.
  * Fix failed git auto-merge.
  * Minor optimizations to domain list handling routines (reading, adding, and removing)
  * Fix forwarded queries counting logic quirk.
  * Make JSON string macros robust against being called with NULL strings.
  * Add /api/stats/database/upstreams
  * Add /api/stats/database/query_types
  * Add /api/stats/database/overTime/clients
  * Add /api/stats/database/summary
  * Add /api/stats/database/top_clients by generalizing the top-domains into a top-items function that can process both.
  * Add /api/stats/database/top_domains and /api/stats/database/top_blocked
  * Relock shared memory before returning an error message.
  * Add /admin/api/stats/database/overTime/history - this allows users to select a different time interval on the dashboard than only "last 24 hours".
  * A few output optimizations for /api/dns/cacheinfo
  * Add /api/dns/cacheinfo
  * Only walk known IP addresses when SELECT query succeeded
  * Add /api/ftl/network
  * Keep up to 64 lines of dnsmasq messages in the FIFO buffer.
  * Add API_PRETTY_JSON config option as run-time (instead of compile-time) option for human-friendly API output.
  * Send all details we have about a domain (excluding the database ID, because we don't need it). See PR web#440 for the necessary changes in NG web.
  * Read directly from domainlist table instead of using the views. This allows us to read also disabled domains plus to get all the corresponding data: date_added, date_modified, comment, enabled. They are now available in FTL, however the JSON format expected by the web interface needs to be changed to be able to send this information over.
  * Implement transition from individual domain lists into a unified domainlist (see core PR #3015).
  * Reread index.html on receipt of real-time signal 1.
  * Ensure shared memory is locked when reloading the DNS cache.
  * Send 200 queries for the query log at once. With this, the clients will always have some pages of the table in their cache.
  * Actively free expired user sessions to make room for new ones.
  * Automatically log in users when there is no (or an empty) password set in setupVars.conf
  * Make HTTP/API session timeout configurable through pihole-FTL.conf
  * Update user cookie when session is still running.
  * Update timestamp of known client when we see them again.
  * Refresh in-memory index.html on receipt of SIGHUP. This allows replacing the content of /admin without having to restart FTL.
  * /api/stats/history: Only use cursor when it is a numeric value, skip if "null".
  * Add NULL cursor in history result when privacy level is too high.
  * Reduce memory consumption of the FIFO log.
  * Lock SHM during API access.
  * Lock SHM during FIFO buffer activity.
  * Move FIFO buffer into shared memory to ensure all spawned TCP children can add entries to it.
  * Remove unused variable.
  * Don't send ID field, it is not needed by the client. And even if it would be, it could easily be computed from nextID.
  * Code around known gcc-arm bug.
  * Send correct frames if FIFO is not yet completely filled.
  * Do not send unused slots from the FIFO buffer.
  * Add option for whether authentication is needed for localhost requests. Defaults to false. (API_AUTH_FOR_LOCALHOST)
  * Add FIFO buffer endpoint at /admin/api/ftl/dnsmasq_log. This is a FIFO buffer collecting and returning up to 32 messages from memory (compile-time option). The API endpoint can be continuously polled with the last returned ID to only show new messages that can be appended to a log on the web interface.
  * Copy what dnsmasq would log even when there is no logging destination configured. This is an experimental feature at this time and can (temporarily) be enabled by setting DEBUG_AP=true in pihole-FTL.conf. This feature will likely be moved into a new API endpoint /admin/api/log (TBD) when it turns out to be useful.
  * Rename send_http_error() to send_http_internal_error().
  * Disable test that does not apply without a hosted web interface and add two new tests for /api/auth.
  * A test should do what is written in its description
  * Remove dead function http_send().
  * Add --slient to the curl commands to suppress the output of curl's progress bar during the tests. They are confusing bats.
  * Ensure minimum required data is sent by the API even when privacy levels are applied. Sending simply empty responses violates the expectations of the NG web interface.
  * Improve additional headers as suggested by a security checker site.
  * Add Content-Security-Policy header to resolve CPS issues seen in Firefox when hosted on a machine different than localhost. The critical part is 'unsafe-inline' which is necessary for the inline Javascript found in index.html.
  * Use curl instead of wget for the HTTP API tests.
  * Directly return without buffering in the API handler.
  * Add tests for JSON/normal error 404.
  * Send JSON 404 error if an undefined path has been requested inside /api/... Elsewhere in the web interface we still send the usual 404 page.
  * Add more convenience functions and return 400 Bad Request responses when invalid parameters are given to the /api/stats endpoints.
  * Remove deprecated feature to return forward destinations without sorting. This was never offered for any other type of data so it is more consistent to completely remove it.
  * Add send_json_success() as yet another short convenience function.
  * Add new send_json_error() and send_json_unauthorized() routines everywhere we are sending an error.
  * Allow password-less login if WEBPASSWORD is not set or set to an empty string in setupVars.conf.
  * Rename api/http.{c,h} to api/http-common.{c,h}. Separate routing function into api/routes.c.
  * Implement correct API response for failed auth requests.
  * ACL: Set default to allow all access.
  * Do not consider ERROR index.html as fatal during the tests + typo fixes.
  * Move detection of API debugging mode into a dedicated subroutine to ensure DEBUG_API can also be enabled during a running FTL session.
  * Log HTTP server errors into pihole-FTL.log. Plus log all access to the server when DEBUG_API=true
  * Add Access Control List support for the web server.
  * Remove additional_headers line.
  * Print reason for Auth Failure.
  * Improve error handling in read_indexfile(). Memory errors are worrying but not fatal at this point.
  * Insert <base href='...'> tag on-the-fly.
  * Load content of index.html into and serve it from memory.
  * Implement rerouting from all paths without file ending onto index.html. This removes the requirement that FTL needs to know all the endpoints in advance.
  * Add support for a webhome. This defaults to serving the web interface in /admin now, not / (as before).
  * Add authentication requirement for most API endpoints. Some endpoints are special, e.g., /api/status where GET is allowed for anyone, however, POST is only allowed for authenticated users.
  * Add attribute malloc as the returned pointer cannot alias any other pointer valid when the function returns.
  * Read actual password from setupVars.conf instead of always substituting 'A'.
  * Remove debugging statement which worked only on 64 Bit architectures.
  * Add rewrite-rules to support targets like "pi.hole:8080/dashboard/" which need to be handled by "pi.hole:8080/index.html".
  * Remove fake "api" object from /api/versions
  * Add CORS header "Access-Control-Allow-Origin: *"
  * Directly use prepared integer value instead of trying to cast a double into an int.
  * Do the same thing just without calling it 'floor' to please the arm architecture.
  * Reduce number of concurrent HTTP workers from 50 (default) to a more sane number of four. This should be totally sufficient.
  * Add support for time-delayed blocking enable/disable actions.
  * Add support for enabling/disabling blocking through the FTL HTTP API.
  * Add /api/settings/ftldb
  * Disable automatic URI-decoding. Otherwise, we cannot delete domains or regular expressions containing "/". Although such domains/filters make no sense, they are not explicitly forbidden so users might add them. If they can add them, then it should also be possible to remove them.
  * Simplify api_dns_somelist_read()
  * Add support for removing domains through the FTL HTTP API.
  * Add support for adding domains through the FTL HTTP API.
  * Implement DELETE for /api/auth to allow users to actually log out.
  * Only allow login with correct password.
  * Add /api/auth/salt
  * Implement client validation in the API. Both, the IP address and the set cookie have to be correct, otherwise the authorization is denied. We also check for the validity of the cookie before permitting the user.
  * Add simple /api/auth implementation. Currently, all passwords are accepted and a login session is valid for 5 minutes.
  * Greatly reduce code duplication by using a common function for exact/regex white-/blacklist requests.
  * Add /api/version
  * Add /api/dns/whitelist, /api/dns/whitelist/exact, /api/dns/whitelist/regex, /api/dns/blacklist, /api/dns/blacklist/exact, and /api/dns/blacklist/regex
  * Restructure files in /src/api
  * Implement server-side pagination support for the Query Log. This makes browsing log even with millions of queries quick.
  * Explicitly cast to show we want to compare these numbers. The long term goal would be to move all the non-negative query->... elements to unsigned types.
  * Remove obsolete prototypes and unused parameters.
  * Add new /api/stats/recent_blocked
  * Remove legacy function getQueryTypesOverTime().
  * Add parameter to request fewer than all queries for api/stats/history
  * Add client filtering for api/stats/history
  * Add domain filtering for api/stats/history
  * Add forward destination filtering for api/stats/history
  * Add query type filtering for api/stats/history
  * Add time filtering for api/stats/history
  * Prevent TypeErrors in the NG web interface when no query/client is known to FTL (yet).
  * Add /api/stats/history
  * Implement special features of top_domains and top_clients that were also available in the telnet interface.
  * Add ability to request an arbitrary number of results from top_domains and top_clients
  * Add /api/stats/top_clients and /api/stats/top_blocked_clients
  * Add /api/stats/top_domains and /api/stats/top_blocked
  * Add /api/stats/upstreams
  * Comment "not found" as it causes the NG web interface to show an error when receiving something unexpected for still undefined handlers. To be reverted later.
  * Add /api/stats/query_types
  * Add /api/stats/overTime/clients
  * Add /api/stats/overTime/history
  * Split string macro in two: One that just references a string (no copying needed) and one that actually copies a temporary string (and takes care of freeing it after having sent the JSON output).
  * Use cJSON macros to build JSON object. This has several benefits such as automatic character escaping and an overall clearer code structure.
  * Add a very simple handler for paths which are not defined.
  * Remove two old and (not documented) debugging functions.
  * Fix off-by-one error in query type array.
  * Add /api/ftl/db
  * Add /api/ftl/version
  * Added /api/dns/status and /api/stats/summary This allows the Pi-hole NG web interface with minimal functionality.
  * Remove rusty Telnet API. Note that this intermediate version of FTL has NO API at all.
  * Remove Unix socket support
  * Add hook for testing sending a chunked response.
  * Reduce code duplication.
  * Use correct content type for JSON.
  * Print local URI in response to /api requests.
  * Use bandwidth-friendly variant for the testing hook that does not include additional whitespace for formatting.
  * Add listening on IPv6 address
  * Add JSON formatting and parsing support to FTL
  * Use wget instead of curl in the tests
  * Add ping callback and pong test for CI.
  * Add FTL http wrapper.
  * Change absolute vs. relative path of included file.
  * Add HTTP server implementation to FTL.

-------------------------------------------------------------------
Sun Sep 10 07:48:35 UTC 2023 - Robert Herb <proletheus@freenet.de>

- switch to prerelease version 6

-------------------------------------------------------------------
Fri Dec 9 07:38:38 UTC 2022 - Robert Herb <proletheus@freenet.de>

- fix syntax error in permissions file

-------------------------------------------------------------------
Sun Nov 27 07:43:10 UTC 2022 - Robert Herb <proletheus@freenet.de>

- show correct arch in webgui

-------------------------------------------------------------------
Wed Nov 16 10:25:34 UTC 2022 - Robert Herb <proletheus@freenet.de>

- show correct gcc version

-------------------------------------------------------------------
Wed Nov 2 07:32:31 UTC 2022 - Robert Herb <proletheus@freenet.de>

- removed permissions stuff from pi-hole-ftl.service
- updated capabilities in pi-hole-ftl.service

-------------------------------------------------------------------
Mon Oct 24 08:41:45 UTC 2022 -
Robert Herb <proletheus@freenet.de>

- update required capabilities

-------------------------------------------------------------------
Sat Oct 15 06:16:51 UTC 2022 - Robert Herb <proletheus@freenet.de>

- added dependency to time-sync.target

-------------------------------------------------------------------
Tue Oct 11 12:56:39 UTC 2022 - Robert Herb <proletheus@freenet.de>

- update to 5.18.2

-------------------------------------------------------------------
Tue Oct 11 12:32:52 UTC 2022 - Robert Herb <proletheus@freenet.de>

- update permissions of /var/log/pihole

-------------------------------------------------------------------
Sun Oct 9 07:08:30 UTC 2022 - Robert Herb <proletheus@freenet.de>

- remove dependency for chkstat

-------------------------------------------------------------------
Sat Oct 8 13:37:03 UTC 2022 - Robert Herb <proletheus@freenet.de>

- remove unnecessary %posttrans message

-------------------------------------------------------------------
Tue Oct 4 10:47:43 UTC 2022 - Axel Braun <axel.braun@gmx.de>

- change SUSE.readme -> openSUSE.readme correct service name in readme

-------------------------------------------------------------------
Wed Jul 6 07:40:44 UTC 2022 - Robert Herb <proletheus@freenet.de>

- based on https://build.opensuse.org/package/show/home:Smar:pi-hole/pihole-ftl
- rebuild for Leap 15
- update to latest git version

* Sat Oct 2 2021 Samu Voutilainen <smar@smar.fi>
- Only enable malloc error muting on Tumbleweed.
* Sat Oct 2 2021 Samu Voutilainen <smar@smar.fi>
- Use -Wno-error=suggest-attribute=malloc as build flag to fix Tumbleweed building.
* Sat Oct 2 2021 pihole-suse-packages@smar.fi
- Update to version v5.10.2
  + Move SFTP xfer to happen before attach to release. Seeing some SSL errors in the github-action-publish-binaries action.
  + Fix REPLY_ADDR{4,6} address overwriting for pi.hole and <hostname>
  + Fix confusion in DNS retries and --strict-order.
  + Fix FTBFS when CONNTRACK and UBUS but not DNSSEC compile options selected.
  + dnsmasq_time: avoid signed integer overflow when HAVE_BROKEN_RTC
  + Do not fail hard when rev-server has a non-zero final address part
  + Update embedded dnsmasq version to 2.87test3
* Thu Sep 30 2021 Samu Voutilainen <smar@smar.fi>
- Removed unnecessary patches:
  + ftl-2.8.1-build-fix.patch
  + ignore-shmem.c-strncpy-error.patch
* Thu Sep 30 2021 pihole-suse-packages@smar.fi
- Update to version v5.10.1
  + Fix specific NOERR/NXDOMAIN confusion.
  + Reduce code duplication by merging FTL_cache() into FTL_reply()
  + Also process automatically generated queries, e.g. for DNSSEC validation
  + Add option to suppress automatically generated DNSSEC queries from being analyzed and shown (legacy behavior)
  + Fix bug in 6860cf932baeaf1c2f09c2a58e38be189ae394de
  + Fix bug introduced in 6860cf932baeaf1c2f09c2a58e38be189ae394de
  + Don't print flags multiple times in debug mode.
  + Log client requesting automatically generated DS/DNSKEY queries explicitly as "pi.hole"
  + Further work from a0a3b8ad3e91db5181023fceea6732eb6c6f0759
  + Connection track mark based DNS query filtering.
  + Use correct packet-size limit in make_local_answer()
  + Include EDNS0 in connmark REFUSED replies.
  + Rename reply type 11 DNSKEY -> DNSSEC
  + Add src/dnsmasq/pattern.c to src/dnsmasq/CMakeList.txt
  + Update SQLite engine to 3.36.0
  + Also cancel other threads when terminating
  + Ensure API threads can be canceled asynchronously
  + Add limit of maximum threads to warning
  + Add explicit limit logging also in the second place.
  + If DELAY_STARTUP is set, we can delay earlier to have this option being useful for misbehaving fake hwclocks as well.
  + Correct domain search algorithm.
  + Analyze which upstream server sent us the reply
  + Store real over-time counts of forwarded queries. So far, we counted only the first server a query was sent to.
  + Change upstream associated with a query if it is different than the first server we sent a query to
  + Log resolution of pi.hole and hostname as "internal" instead of the last blocking reason (e.g. "gravity blocked").
  + Tests: Debug messages do now include the port a client sent the query from
  + Add more debugging output to short-circuited replies
  + Fix automatic IP hostname responding for blocking modes NXDOMAIN, NODATA and NODATA-IPv6
  + Simplify logic in FTL_make_answer()
  + Fix error in try to make outer SHM lock consistent on dead of previous owner
  + Initial changes for extended DNS error codes.
  + Rationalise --server parsing and datastructure building.
  + Deprecate DEBUG_DNSMASQ_LINES (now included in DEBUG_FLAGS)
  + Initial implementation of RFC-8914 extended DNS errors.
  + Implement Extended DNS Errors (ERE, RFC 8914) in FTL
  + Don't re-use datastructures for --address and --local.
  + Rationalise domain parsing for --rev-server and --domain.
  + Fix problem with re-allocation of serverarray.
  + Include EDE in telnet API getAllQueries
  + Tidy up interface to dbus and ubus modules.
  + Compiler warnings.
  + Fix trivial breakage of DBUS done by 85bc7534dae7711f6c82742feaa7dacb41af3f36
  + Fix compiler warning.
  + Tidy up name buffer use in report_addresses().
  + Treat failure of ubus_add_object() in ubus_init() as retry-able.
  + Revert "Treat failure of ubus_add_object() in ubus_init() as retry-able."
  + Fix ipset support.
  + Reduce memory footprint of FTL by 11%%. We don't store the rowid of a query in memory because we don't really need that.
  + Further reduce memory footprint of FTL by about 12%%. We don't store the char pointer of the extended DNS errors because we can get this at any time.
  + Reuse workspace bit in struct server ->flags.
  + Allow wildcards in domain patterns.
  + Fix oversight in build_server_array().
  + Rationalise SERV_MARK use.
  + Modify and propagate changed lease.
  + Hide "unknown" EDE in API
  + Implement special handling of the Mozilla canary domain to disable Firefox auto-DoH
  + Initialize over-time data only after a possible startup delay
  + Tidy domain parsing, make --server=/*/1.2.3.4 equivalent to --server=1.2.3.4
  + Make --rebind-localhost-ok apply to :: and 0.0.0.0
  + Support IPv6 in --bogus-nxdomian and --ignore-address
  + Fix order of calls to resize-packet() and add_pseudoheader().
  + Add calls to dump internally generated answers for dumpmask=0x0002
  + Fix logical error in d0ae3f5a4dc094e8fe2a3c607028c1c59f42f473
  + Fix thinko in a92c6d77dcd475579c39bdff141f5eb128e2a048
  + Include interface name in more errors printed by dhcp-discover
  + Check lock ownership only when debugging shared memory locks. This increases the general execution speed because getting PID and TID is a slow process.
  + Subtle change to priority of --server types.
  + Propagate dnsmasq defines into target FTL
  + Simplify FTL_iface()
  + Add pi.hole PTR record if requested IP matches the address of a local interface
  + Add config option PIHOLE_PTR to control the new auto-PTR behavior.
  + Do not reply with "pi.hole" to loopback PTRs
  + Add EDE return when no matching key found.
  + Add --quiet-tftp.
  + Fix forcing of reply type in regex replies only being done in debug mode (this never had any adverse effect)
  + Ensure shared memory is locked when reloading dnsmasq
  + Allow shorter IPv6 prefix lengths in (some) --synth-domain options.
  + --synth-domain now works in auth mode.
  + Return REFUSED in auth mode when we are not authoritative for the query.
  + Checks on prefix-length in --domain --synth-domain and --rev-server.
  + canonicalise_opt must always return heap memory.
  + Fix argument checking for --dhcp-match.
  + Detect malformed --dhcp-relay option.
  + Handle empty hostmaster in --auth-soa
  + Typo in new EDE code.
  + Add UINT32_MAX if not defined by system.
  + Add config option ADDR2LINE=true|false
  + Better fix than f2266d9678d71633d62d70238be3782ea74019c9
  + Add additional checks for validity of data before trying to access it. Fixes #1151
  + Properly handle edge-case when a query comes in at the exact end of the last overTime interval
  + Add further cache metrics
  + Warn about clients reaching rate-limit. Only warn once per interval and client to avoid log spamming.
  + Log for how many more seconds we rate-limit a client when this happens
  + Log rate-limiting of clients to the message table
  + Reload blockingmode on receipt of real-time signal 0 (a.k.a. pihole restartdns reload-lists)
  + Set extended DNS error to UNSET (-1) when importing from the database
  + Log how many queries have been saved in the final query storing
  + CONNTRACK needs CAP_NET_ADMIN.
  + Simplify linux capability check output
  + Fix NOERR/NXDOMAIN in answers configured by --domain-needed.
  + There was a `notify` variable to keep track whether a subscriber is observing our UBus object. However, it was not properly cleaned up in `ubus_destroy`, potentially becoming stale over UBus reconnections. The variable was removed and the current state is examined when sending notifications, similarly as is done in other existing OpenWrt code.
  + Re-order UBus teardown logic.
  + Remove remaining uses of deprecated inet_addr() function.
  + Remove remaining uses of deprecated inet_ntoa()
  + dhcp_buff2 not available in log_packet, use daemon->addrbuff
  + Fix sizeof() confusion in 527c3c7d0d3bb4bf5fad699f10cf0d1a45a54692
  + Define order of reading files when --addn-hosts given a directory.
  + Revert "Re-order UBus teardown logic."
  + Revert "There was a `notify` variable to keep track whether a subscriber is"
  + Handle UBus serialization errors.
  + Eliminate redundant UBus `notify` variable.
  + Re-order UBus teardown logic.
  + Adjust logging levels for connmark patterns.
  + Make comment style consistent.
  + Use getnameinfo() instead of deprecated gethostbyaddr() for internal name resolving.
  + Log if hostname was imported from the network database.
  + Lookup IP addresses in local /etc/hosts file before sending out PTR requests
  + Allow users to configure how FTL reacts to queries when the gravity database is not available
  + Ensure we are not sending empty replies when we actually want to drop the entire answer
  + Ensure busy blocking is also done when database was not available initially (incl. when forking a TCP worker)
  + Log when adding entries to FTLs DNS cache (DEBUG_QUERIES)
  + Correct upstream->overTime when queries are blocked after they have already been forwarded upstream (e.g., during CNAME inspection)
  + Explicitly log when a retried query was a DNSSEC query.
  + Always count forwardings upstream, even if this was done for a (partially) cached CNAME
  + Remove redundant upstream->count
  + Some DEBUG_NETWORKING enhancements
  + Copy interface name before skipping when REPLY_ADDR is configured manually
  + Fix empty domain in server option parsing when more than one domain is given
  + Add BLOB reply type
  + Handle queries generated by FTL_make_answer() (i.e., blocked queries) as queries served from cache, not upstream (because they were never upstreamed)
  + Empty replies generated by FTL are NODATA (instead of BLOB)
  + Tests: DNS reply analysis test (using netmeister.org records)
  + Hard-code 8.8.8.8 as upstream server for the tests. It turned out to be more reliable as the CircleCI-provided DNS server tends to show a few timeouts on certain query types.
  + Tests: Use 1.1.1.1 as upstream as 8.8.8.8 SERVFAILs the HTTPS and SVCB tests domains
  + 1.1.1.1 rejects ANY queries...
  + Support limited wildcards in the input tags for --tag-if.
  + Rationalise query-reply logging.
  + Store validation result of internally generated DNSSEC queries
  + Store validation result of queries answered from cache
  + Avoid duplicated NXDOMAIN PTR queries.
    There is no need to temporarily force FTL as system resolver when it is already the primary system resolver
  + Tests: Adjust for DNSSEC status now included for cache replies
  + Final logging tweaks.
  + Skip DNSSEC analysis if DNSSEC validation is disabled. Add new DEBUG_DNSSEC flag.
  + Tests: We want extra logging enabled in pihole.log during the tests
  + Tests: Never launch DNS resolver thread when names are not to be resolved (e.g., on the CI)
  + Tests: Use pihole-FTL.pid when reloading to ensure the signal is not sent to a TCP worker (which would just ignore it altogether)
  + Tests: Use OpenDNS only for dig tests, use Google DNS for everything else.
  + Tests: Enable DNSSEC for query validation during the CI tests
  + Only open database when really necessary. This may reduce disk activity slightly and save a bit of CPU time.
  + Update DB counters still within the running TRANSACTION to reduce disk I/O
  + dhcp-discover: Implement Classless Static Route Option (options 121 and 249)
  + Get logging of DNSSEC status right when Checking Disabled bit set.
  + Add RFC 4833 DHCP options "posix-timezone" and "tzdb-timezone".
  + Prevent a possible deadlock in dhcp-discover.
  + Also check for capabilities CAP_IPC_LOCK and CAP_CHOWN
  + Tests: Adjust for newly added capability warnings.
  + Improvements suggested by cppcheck
  + Ensure we can the correct error string when "ip neigh show" or "ip address show" fails. Before, we picked up the error from the logg() which was likely always a not very helpful "Success" message
  + Abort database routines early if database is known to be broken due to database file corruption.
  + Treat ANY queries the same as CNAME queries WRT to DNSSEC on CNAME targets.
  + Add regex extension ";reply=NXDOMAIN,NODATA,REFUSED,IP,NONE"
  + Tests: Add new regex extension tests
  + Implement support for custom redirection targets in regex extension, e.g., "someregex;reply=1.2.3.4;reply=fe80::1234"
  + Tests: Add tests for regex extension "reply=1.2.3.4", "reply=fe80:1234", and "reply=1.2.3.4;reply=fe80:1234"
  + Caching cleanup. Use cached NXDOMAIN to answer queries of any type.
  + Skip ascii-only names IDN processing
  + Revert "Skip ascii-only names IDN processing"
  + check_name() determines if IDN processing is needed.
  + Add all current RR types to the table of type names used for query logging.
  + Required FTL changes due to the preceding dnsmasq commit.
  + Small sanity check in wildcard tag matching code.
  + Retry on interrupted error in tftp
  + Add safety checks to places pointed by Coverity
  + Fix bunch of warnings in auth.c
  + Fix coverity formats issues in blockdata
  + Retry dhcp6 ping on interrupts
  + Fix coverity warnings on dbus
  + Address coverity issues detected in util.c
  + Fix coverity detected issues in option.c
  + Fix coverity detected issue in radv.c
  + Fix coverity detected issues in cache.c
  + Tests: "TYPE5" is now "[CNAME]"
  + Add NEG flag when replying to queries with forced NXDOMAIN. This ensures logging is correct and that the web interface will show the correct status.
  + Tests: Check Mozilla canary domain is blocked and logged correctly
  + Add PIHOLE_PTR=HOSTNAME allowing users to specify that Pi-hole should respond with the device's hostname (instead of "pi.hole") for local interface IP address PTR requests.
  + Valid option values for PIHOLE_PTR are now "PI.HOLE" (default), "HOSTNAME" or "NONE"
  + Add final newline
  + Trim excess whitespace
  + Add handling for "pi.hole.<local_domain>" and "<hostname>.<local_domain>".
    This fixes #1168
  + Ensure virtual interfaces are recognized as distinct interfaces when finding their bound addresses
  + Reply with NODATA (instead of 0.0.0.0 or ::) if the interface we received a query on doesn't have the requested address type (e.g. virtual interfaces only configured with one IPv6 but no IPv6 address)
  + Fix coverity issues detected in domain-match.c
  + Fix coverity detected issues in dnsmasq.c
  + Fix coverity issues in dnssec.c
  + Fix confusion is server=/domain/# combined with server|address=/domain/....
  + Add support for arbitrary prefix lengths in --rev-server and --domain=....,local
  + Thinko in immediately previous commit.
  + Optimize inserting records into server list.
  + Improvements based on static-analysis of source code
  + Fix --address=/#/...... which was lost in 2.86
  + Correctly warn if dynamic directory is actually no directory
  + Make TTL served for blocked queries independent from local-tll setting in dnsmasq's config.
  + Improve last patch by splitting the previously combined if
  + Make --rebind-domain-ok work with IDN.
  + Change database permission to 664
  + Set database permissions every time the database is initialized
  + Change test suite to reflect changed file permissions
  + Fix indentation
  + Add special handling of iCloud Private Relay domains
  + Improve empty domain name handling
  + Add GitHub Actions integration
  + Add --nftset option, like --ipset but for the newer nftables.
  + Update embedded dnsmasq version to v2.87test2
  + Tweak expected result for line 8 in "Get all queries shows expected content"
  + Ready GHA to take over from circle...
  + Fix a test that was already fixed, but then unfixed by a dodgy merge commit
  + Add in upload to our server
  + Single * is not enough it seems
* Sat Sep 11 2021 Samu Voutilainen <smar@smar.fi>
- Added patch ftl-2.8.1-build-fix.patch. Fixes Tumbleweed build.
- Miscellaneous fixes to spec.
* Sun May 16 2021 Samu Voutilainen <smar@smar.fi>
- systemd service needs to clean up SHM files manually in order to avoid a failure in FTL restart.
* Wed May 5 2021 pihole-suse-packages@smar.fi
- Update to version v5.8.1
  + Retried queries due to missing DNSSEC validation have no upstream server (the related DNSSEC queries were retried, not this one). Hence, we shouldn't update the counts of any upstream here. This silences an incorrect "FATAL: Trying to access upstream ID -1" warning in the logs.
  + Do not terminate threads which may not be running. They'll be cleaned up at process termination anyway.
  + Ensure we clean up always behind us. Also when FTL crashes
  + Also clean up when crashing
  + Improve process-already-running detection
  + Tests: Update tests for new expected output on two concurrent instances
  + Terminate threads before closing database connections and finishing shared memory
  + Clean up after dnsmasq errors (port not available config errors, etc.)
  + Do not detach threads we want to be able to cancel and add logfile log to shared memory locks. Other forks may want to log as well.
  + Change to refreshed logo.
  + Give the images some space.
  + Center vortex.
  + Remove incorrect information.
  + Use dropshadowed logo
  + Escape DHCP options if necessary
  + Print raw bytes for unknown DHCP options
  + Implement DHCPv4 PCP Option (RFC 7291)
  + Resize shared memory only when locking. This ensures all shm pointers are invariant inside locks.
  + Preallocate one pagesize (usually 4K) for per-client-regex data.
  + Reduce code-duplication by using an array of shared memory pointers we can iterate on when chown-ing or deleting.
  + Fix incorrect printf format identifier
  + Fix problem with DNS retries in 2.83/2.84.
  + Simplify preceding fix.
  + The preceding commit changes the handling of retried queries. The logic is now changed so that distinct requests for repeated queries still get merged into a single ID/source port, but they now always trigger a re-try upstream.
    This effectively removes our IN-PROGRESS status so we remove the code handling this as well.
  + dhcp-host selection fix for v4/v6.
  + Correct occasional --bind-dynamic synchronization break
  + Always use <poll.h>
  + Move flags to recvmsg function in netlink
  + Obtain MTU of interface only when it would be used
  + Update embedded SQLite engine to 3.35.0
  + Update .gitignore and add VSCode workspace exclude-settings
  + Add --dynamic-host option.
  + Add --log-debug option and MS_DEBUG flag to my_syslog().
  + Only log changes to DNS listeners when --log-debug is set.
  + Log creation of listeners and enable dnsmasq log-debug when any FTL debug option is set.
  + Fix a memory leak when re-opening the databases (when forking or reloading the lists). The memory leak is on the order of a few bytes but scales quickly with the number of clients. It is caused by SQLite3 not being able to clean up behind itself when we're not finalizing and closing everything explicitly.
  + Avoid jump depending on uninitialized bytes (only relevant in debug mode).
  + Join canceled threads on exit to ensure they exited properly before we exit from the main process. This includes waiting for them to clean up their own stack memory, etc.
  + Ensure we close FTL database connection when exiting the main process. This has no consequences else than silencing some memory-lost complaints by valgrind (any allocated memory is released on process exit anyway)
  + Ensure shared memory strings bucket is large enough when locking. Do not resize it when we are holding the lock.
    Also, optimize FTL-domains size
  + Don't try to finalize gravity statements two times
  + More fine-grained locking in network table processing should decrease delays in DNS resolution on very slow machines
  + Reduce rate-limiting checking to once per second (rather than every 100 msec)
  + Simplify locking during network table processing and generalize special handling for virtual interfaces (hwaddr 00:00:00:00:00:00)
  + Simplify signal handling and catch SIGABRT in addition
  + tftp warning fix.
  + Teach --bogus-nxdomain and --ignore-address to take a subnet argument.
  + Use random source ports where possible if source addresses/interfaces in use.
  + Update SQLite3 from 3.35.0 to 3.35.2
  + Do not skip remapping if the size hasn't changed
  + Avoid leaking memory if dbquery() fails
  + Automatically reply with IP address a query came in from when in blockingmode=IP
  + Scan through local interfaces to find IPv4/IPv6 addresses to reply with in IP blocking mode
  + Add fallback in case docker does not reveal the interface we're running in
  + Simplify and unify interface address derivation
  + Do not close FTL database connection when forking TCP workers
  + Open database after forking
  + Add timeout to joining of threads
  + Remove additional log file locking
  + Open individual database connections where we need them. Do not use global pointers anywhere. This may mean we have more than one connection open at the same time. SQLite3 will take care of thread-safety.
  + Fix FTBS on FreeBSD due to Linux-specific optimisation of if_nametoindex()
  + Always set database pointer to NULL, even when closing failed
  + Prepare for dnsmasq code refactoring patches. This commit needs to be undone later.
  + Reduce few repetitions in forward code
  + Create common function for forward dump, log and send
  + Move repeated test pattern to server_test_type
  + If the first argument ends in ".lua", we immediately start the embedded LUA engine.
    Same for ".db" and ".sql" files which are directly routed into the embedded SQLite3 engine.
  + Add tests for new feature
  + Favor ULA and GUA addresses over LL when picking an IP address for replying to blocked AAAA queries.
  + MUSL and GNU C define the substructure of in6_addr differently so we cannot rely on being able to access the substructure directly.
  + Use properly-sized buffer for format_time()
  + Fix thinko in 51f7bc924cbcdeb09cbb83249b70c121d1ffa31e
  + Change the method of allocation of random source ports for DNS.
  + Scale the DNS random socket pool on the value of dns-forward-max.
  + Update SQLite3 from 3.35.2 to 3.35.3
  + Ensure FTL can be compiled from source archives offered by GitHub for each release
  + Print special notice when no version can be obtained
  + Improve error reporting in network table routines
  + Also log ignored extra regex extensions to the message database table
  + Prevent forks from adding regex compilation errors to the message table
  + mpid() should return PID even if we are not forking at all
  + Log correct database index on regex warnings
  + Correct missing SERV_DO_DNSSEC flag, add new spot
  + Enable DNSSEC compilation on nettle 2.7.1
  + Replace ad-hoc libnettle version detection with MIN_VERSION macro.
  + Fix spacing in translatable strings.
  + Re-add FTL hooks into dnsmasq's forward code
  + Update dnsmasq version string to 2.85
  + Circle CI: skip uploading build artifacts on forks
  + TFTP tweak.
  + Update SQLite3 from 3.35.3 to 3.35.4
  + Do not flag query as retried when we decide ourselves that it should be retried without any new query triggering this. Deprecate DEBUG_EXTBLOCKED (now covered by DEBUG_QUERIES and add DEBUG_STATUS)
  + Ignore duplicated replies to the same query. This is useful in general and also happens to circumvent a dnsmasq bug (we already reported this one upstream).
  + Subtly change behaviour on repeated DNS query.
  + Simplify status and reply type handling in FTL
  + Ensure we always set the status of cached queries
  + Assert size of countersStruct
  + Combine queries for the same DNS name if close in time.
  + Handle resource exhaustion of struct frec_src same as struct frec.
  + Ensure reply type is always stored for cached queries
  + Re-add IN_PROGRESS query status
  + Do not try to log if no log file is defined
  + Prevent a possible infinite loop in the uninterruptible syscalls.
  + Queries read from the database need to be counted as unknown before restoring the query status
  + Add missing newline after "Notice: Found no readable FTL config file"
  + Add config options REPLY_ADDR4 and REPLY_ADDR6 to overwrite automatic IP detection in IP blocking mode.
  + Use MAXLOGAGE to control which queries get deleted by GC
  + Tidy error logging in 961daf8f921503457d1f539f79b3a2def7d479e2
  + Work around warning on tag build due to && logic.
  + Fix database update to version 7 reporting error when there is none. This is not a critical bug as the issue resolves itself on the next start of FTL.
  + Test: Add test for "database not available" messages indicating failed database updates and creations.
  + Give threads a bit more time to reach a point where cancellation is safe. We cannot give them too much time because, otherwise, the process trying to TERMinate FTL may decide to KILL it instead. We should avoid this to be able to properly cleanup.
  + Don't try to terminate threads when we never launched them.
* Wed Apr 14 2021 pihole-suse-packages@smar.fi
- Update to version v5.7
  + Fix incorrect "FATAL" error message during garbage collection
  + Fix incorrect "FATAL" error message during garbage collection
  + Move fd into frec_src, fixes 15b60ddf935a531269bb8c68198de012a4967156
  + Fix to 75e2f0aec33e58ef5b8d4d107d821c215a52827c
  + Optimise sort_rrset for the case where the RR type no canonicalisation.
  + Fix for 12af2b171de0d678d98583e2190789e544440e02
  + Don't display unrelated CNAME queries when filtering for specific domain
  + dnsmasq-v2.83 forwards multiple queries to the same destination only once and stores the other queries as duplicates. They do receive the answer later on, however, this is usually not logged (when log-queries=extra is enabled, there will be a warning about the duplicate). This commit handles such duplicates and introduces a new reply type 14 = "already forwarded"
  + When seeing duplicated queries, the original query may have been blocked during CNAME inspection. In this case, we need to change the status from "OK (already forwarded)" to the corresponding blocked status. The "already forwarded" information is lost but that seems okay.
  + Check source query for its status when checking if we need to update the duplicated ones
  + Tidy initialisation in hash_questions.c
  + Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH.
  + Bump copyright notices for 2021. Happy New Year!
  + Fix possible free-memory ref in e75069f79aa6b8a61034a9a4db9b6265b8be8ae4
  + Fixes incorrect "Found unknown status 14 in long term database" warning in the logs. We change the code to use an enum-based struct so we cannot forget to update this in the future when adding further query status types.
  + Add per-client rate-limiting. The default limit is 1000 queries in 60 seconds.
  + Add output of how much memory in /dev/shm is used by FTL itself
  + Try to create shared memory objects before reading the settings
  + Do not try to delete existing shmem objects on start - that may cause running FTL instances to crash when it tries to access them. Instead, new instances should properly fail to start.
  + Tests: Running a second instance is detected and prevented, FTL continues to work as expected afterwards
  + Do not explicitly request a lease time in our DHCPREQUEST as this may lead to incorrect responses.
    Also, when sending a request to lo, we should send it to the interface address instead of the broadcast (lo doesn't support broadcast destinations).
  + Fix queries sent upstream being counted incorrectly when modified later on (blocked externally, blocked during CNAME inspection). This also applies to queries loaded from the database.
  + Increment forward counters when importing QUERY_RETRIED or QUERY_RETRIED_DNSSEC from the database
  + Retain EDNS0 bits from incoming queries when blocking requests
* Tue Jan 19 2021 pihole-suse-packages@smar.fi
- Update to version v5.5
  + Detect and handle interface changes of clients with the same IP
  + Update SQLite3 to 3.34.0 and expose sqlite3 shell as 'pihole-FTL sqlite3' (drop-in replacement is available as well)
  + mend
  + Added missing NS query type to getQueryTypes()
  + Log date/time of FTL in header just as SQLite3 does as well
  + Test for embedded SQLite3 shell available and functional
  + Modified test for NS type
  + Fix for errno not being set by posix_fallocate() in contrast to fallocte() who did set it.
  + Add new query types SVCB and HTTPS
  + Tests: Add SVCB and HTTPS as expected query types
  + Implement support for displaying exact type instead of the catch-them-all category OTHER. The OTHER category is still used when it comes to computing statistics to ensure your chart's legend does not explode.
  + We cannot really decide whether local configuration lines are meant for blocking or something else. Just record such queries as replied to from cache because this is what they are. This code made sense at the time where wildcards were implemented as dnsmasq config lines, however, we've advanced to our own regex engine since then and all config lines should have also been auto-migrated.
  + Clarify comment
  + Only return regex index when allowed by privacy settings. This may leak information, otherwise.
  + Check for validity of iface pointer before dereferencing it.
  + Don't show retried queries when filtering for blocked queries.
  + Optimize datastructures using bitfields and item re-arrangement (to minimize padding). This reduces the size of query, client, and regex records by 8 bytes per item. Note that this optimization was done on x86_64 and may not apply for other architectures (32bit architectures already used less padding).
  + Statically assert struct sizes are what we expect. This prevents us from increasing the memory needs unintentionally (e.g. due to sub-optimal padding)
  + Store blocked property in query flags.
  + Use blocked property in API code. Make query->upstreamID = -1 the new default to differentiate easily what was forwarded (ID will be >= 0) and what not (ID == -1). Store the upstream server also for other query types that were forwarded (like queries blocked during CNAME inspection).
  + Add MAXDBDAYS=-1 to disable auto-cleaning and ensure overflow cannot happen (we just enforce the maximum in this case)
  + pxe: support pxe clients with custom vendor-class
  + Use the values of --min-port and --max-port in TCP connections.
  + Fix remote buffer overflow CERT VU#434904
  + Check destination of DNS UDP query replies.
  + Use SHA-256 to provide security against DNS cache poisoning.
  + Optimise RR digest calculation in DNSSEC.
  + Fix DNS reply when asking for DNSSEC and a validated CNAME is already cached.
  + Add missing check for NULL return from allocate_rfd().
  + Handle multiple identical near simultaneous DNS queries better.
  + Handle caching with EDNS options better.
  + Support hash function from nettle (only)
  + Small cleanups in frec_src datastructure handling.
  + Adapt for change in struct forward to forward->frec_src
  + Update dnsmasq version string
  + Fix warning message logic.
  + Update to new struct frec fields in conntrack code.
* Tue Jan 12 2021 pihole-suse-packages@smar.fi
- Update to version v5.3.4
  + Show BOOTP server and file strings used by TFTP
  + Update dnsmasq version to 2.82
  + Use fork-private regex substructure because each regex has an opaque structure (once compiled) and cannot be kept globally available through shared memory (at least not with any realistic effort)
  + We have to explicitly set conflinebuffersize to zero when freeing the buffer itself to avoid getline() crashing in some special edge-cases
  + Rename memory.c -> syscalls.c
  + Factor out syscalls for calloc, free, realloc and strdup into dedicated syscalls/{}.c files
  + Add interrupt-safe fprintf() and printf() routines
  + Add interrupt-safe vfprintf() and vprintf() routines
  + Make calloc(), realloc() and strdup() interrupt-safe
  + Add interrupt-safe write() routine
  + Add interrupt-safe accept() routine
  + Avoid redundant error reporting
  + Improve printf(), fprintf(), vprintf(), and vfprintf() error reporting
  + Add interrupt-safe recv() routine
  + Add interrupt-safe recvfrom() routine
  + Add interrupt-safe pthread_mutex_lock() routine
  + Add interrupt-safe select() routine
  + Add interrupt-safe fopen() routine
  + Add interrupt-safe sendto() routine
  + Backup and restore errno in real-time signal handler.
  + Add interrupt-safe vsnprintf() routine
  + Add interrupt-safe snprintf() routine
  + Add interrupt-safe vsprintf() routine
  + Add interrupt-safe sprintf() routine
  + Show complete list of args when complaining about unsupported argument
  + Adjust test for unknown argument to support the new format
  + Expose lua-interpreter as virtual pihole-lua binary
  + Add drop-in support for lua binary
  + Add drop-in replacement support for luac as well
  + Fix freeing regex pointers to set the global not the local object to NULL after free().
  + Add interrupt-safe asprintf() and vasprintf() routines
  + Add more debugging output for domain reloading (on receipt of SIGHUP)
  + Add REFRESH_HOSTNAMES=UNKNWON to support only refreshing recently active clients with unknown hostnames
  + Force refreshing of hostnames (according to REFRESH_HOSTNAMES config) on receipt of SIGRT4
  + Give explicit reason for skipping in debug message
  + Fall back to using ftruncate() when fallocate() returns with "Operation not supported". This may happen if the kernel is older than 2.6.23 or glibc older than 2.10. ftruncate() has its own disadvantages, however, it is POSIX compliant (POSIX.1-2001) so should be supported even by ancient kernels.
  + Add new DEBUG_EXTRA flag used for special (temporary) debugging
  + Update src/resolve.c
  + num_regex is not in counters any more
  + Enable extra logging only when DEBUG_EXTRA is set
  + docs: fix simple typo, timestemp -> timestamp
  + Add interrupt-safe fallocate() routine, due to the special nature of the fallocate() macro, we have to use a modified name fTLallocate() to implement this function
  + Prevent possible deadlock if log is not writable (e.g., permission denied)
  + Don't fail when trying to free(NULL)
  + Fix Unix socket error handling
  + Do not print user change information if there is no user change
  + Reply with configured BLOCKINGMODE to blocked CNAME requests
  + Revert "Improve compatibility with old (ancient) kernels"
  + Analyze original question and use it to decide whether we mock an A or AAAA reply when blocking
  + Don't iterate over all clients every minute trying to find new ones but only do this when the RESOLVE_NEW_HOSTNAMES event is set
  + Add DEBUG_EXTRA flag (#994)
  + Escape spaces by ~
  + Do not sync after executing regular expression on a domain
- Use proper version handling in spec
* Sat Dec 5 2020 pihole-suse-packages@smar.fi
- Refreshed patch shared_libraries.patch
- gmp needs to be statically linked for Tumbleweed
- Update to version v5.3.2
  + Add additional_info column to test
    database (query table)
  + All queries: Hide UNKNOWN queries when not requesting both query status types
  + Add ability to connect to shared memory of the running FTL process
  + Bundle lua library "inspect"
  + Automatically load bundled libraries and make them available globally.
  + Test: Automatically loaded libraries
  + Add pihole.query([idx])
  + Test: pihole.query(0) returns details of the first query
  + Include FTL's prototypes in LUA
  + Remove shm data sourcing. We will query such data through the API with Pi-hole v6.0
  + Add support for ECS subnet parsing in FTL.
  + Log previously seen client when interpreting EDNS0 client subnet information
  + Evaluate possible EDNS data before analyzing a new query
  + Analyse ECS information only if EDNS0_ECS is enabled (enabled by default)
  + Add support for EDNS(0) CPE-ID (Common Platform Enumeration Identifier)
  + Protect against possible buffer overflow due to a malicious/malformed EDNS(0) payload
  + Add support for EDNS(0) MAC in BYTE format (dnsmasq option add-mac)
  + Add support for EDNS(0) MAC in TEXT format (dnsmasq option add-mac=text)
  + Add partial support for EDNS(0) MAC in BASE64 format (dnsmasq option add-mac=base64)
  + Correct name is EDNS(0) not EDNS0.
  + EDNS(0) debug message fine-tuning
  + Use preprocessor constants for OPTCODES to improve readability of the code
  + Add partial support for EDNS(0) COOKIES
  + Tests: EDNS(0) analysis
  + Make EDNS MAC available for FTL_new_query()
  + Tests: Simplify EDNS(0) tests
  + Use %%z to print size_t for both 32 and 64 bit compatibility
  + The version of dig in the CI containers is too old for the option +cookie. Simulate the same with +ednsopt
  + Improve regex engine.
    This adds new features such as in-code comments, approximate matching (fuzzy matching)
  + Add regex-test mode
  + Allow test-regex mode to be started without log and shared memory (alleviates write permission issues when running pihole-FTL as a different user)
  + Reduce overall costs by not always calling the approximate matching algorithm.
  + Add 26 regex tests (following https://discourse.pi-hole.net/t/regex-engine-improvements/34751)
  + Make regex-text output more user-friendly
  + Tests: Bats ignored empty lines
  + Mark all the new cli_{}() functions as ((const)) to make them subject to common subexpression elimination.
  + Use info box for step reporting
  + Adjust empty lines
  + Tests: Add tests for useful error hints for incorrect regex.
  + Mark get_regex_from_rowid as pure.
  + Modify regex-test mode for better batch-processing capabilities
  + Add quiet regex test mode for inclusion in pihole -q
  + Make quiet mode really quiet. However, speak up when there are regex errors
  + Tests: Test quiet regex-test mode
  + Simplify memory structure of regular expressions inside FTL. This allows for future regex extensions.
  + Add ;querytype=AAAA option
  + Case-insensitive query type checking in regex extra instructions
  + Add ;invert option
  + Make querytype string available everywhere in FTL.
  + Add ;querytype=!A option for INVERTED query type filtering.
  + Add tests for ";querytype=A", ";querytype=!A" and ";invert". Add explicit support for query type NS.
  + Terminate running FTL instance (if any) before starting tests.
  + Log invalid querytype as warning to the Pi-hole diagnosis system
  + Only print time/ID string when not in direct user interaction (CLI mode)
  + Fix API computation error introduced in e0609f14eee7903bca93020371576dad0ca93338
  + Blocking PTR requests may have been done unintentionally, print a warning about this
  + Warn if specified more than one querytype option (the last one wins)
  + Add tests for new ;querytype sanity check warnings.
  + Undo PTR blocking warning
  + Try to obtain MAC address from dnsmasq's cache (also ask the kernel) instead of only relying on the database content (may not be fully up-to-date)
  + Tests: Need to test also for the interface being specified in the log
  + Remove left-over debugging output
  + Tests: Tweak test to recognize new debug output format
  + Implement super-client infrastructure
  + Try to obtain MAC address from dnsmasq's cache (also ask the kernel) instead of only relying on the database content (may not be fully up-to-date)
  + Read superclients from new FTL database table
  + Import super-clients during start (before all other clients are added)
  + Implement client-based Query Log filtering for super-clients and ensure we always count both the normal and the super-client when there is a new query / garbage collection
  + Rename table from "superclients" to "superclient".
  + Tests: Database has been updated to version 9
  + Change concept of super-clients from MAC-based to index-based. We append a new column to the network table which can be used to assign super-clients to multiple devices. This can both cover automatic grouping (whenever MAC addresses are available) and also situations where this is not possible (when MAC addresses are not available, e.g., due to network layer separation). Real-time signal 3 causes FTL to re-import super-clients from the database without affecting anything else.
  + Move signal handling into a thread to avoid possible lock race-collisions
  + Tests: Test for correct import and assignment of super-client
  + Ensure we cannot end up in a self-locking state when opening the database.
  + Explicitly cast time_t to (long long) before printing to address the musl-decision to make time_t 64 bit on 32 bit machines
  + Show also possible IPv6 nameservers.
    They are stored in an auxiliary (external) structure so they were not included in the debug outputs (even when they were used)
  + Use EDNS(0) MAC address for the network table (if available)
  + Do not try to locate a previously used mock device when EDNS(0) MAC data is available.
  + Add more debugging output to network table processing
  + Ensure mock-devices which are not assigned to any addresses any more (they have been converted to "real" devices), are removed at this point
  + Do not re-open gravity database when not forking for TCP workers (debug mode) and simplify network table routines (remove code duplication and prevent possible dead-locks when trying to resolve host names)
  + A small fix ensuring that we can determine the interface a query came in for all clients (also localhost)
  + Unify network table debug messages
  + Parse the kernel's Internet protocol address management to get information about local interfaces.
  + Delete addresses from network_addresses table which have not been seen for 7 days
  + Only try to resolve host names of upstream servers which were recently active. The current limit for "recently active" is hard-coded to two hours.
  + Fix error displaying if the upstream server replied with REFUSED or SERVFAIL
  + Extend domain filtering to also check the CNAME domain for domain-filtering (if this is indicated by the query status)
  + Improve API filtering for domains
  + Try to obtain host names from another address of the same device when there is none for the exact address (may happen, e.g., for IPv6 addresses)
  + Use already existing (but by default disabled) cleaning. The interval is customizable and defaults to MAXDBDAYS.
  + Fix syntax error
  + Remove duplicate function getDatabaseHostname()
  + Add explicit event queue to avoid possible race collisions when many signals arrive at the same time (or very very close to each other)
  + Fix subdirectory include paths.
    This is only to be explicit, the relative search finds them otherwise as well
  + Signals are not handled asynchronously. Add additional delays in the tests to avoid them failing due to asking too early for a result.
  + Add new dhcp-discover command
  + Implement multi-threaded scanning (constant scanning time regardless of the number of interfaces)
  + Increase timeout to 10 seconds and ensure logging cannot be interrupted (for readability)
  + Be a bit more specific about binding errors
  + Also send DHCPREQUEST on unconfigured interfaces
  + Use unsigned 32bit variable for the XID everywhere
  + Implement DHCP options 44 and 252 (non-standard WPAD extension). Improve human-readable time formatter.
  + Do not print WPAD path if it is a control sequence.
  + Fix GCC9 regression for printing the same buffer into itself in sprintf()
  + Request a lease with validity of 1 second in the DHCPDISCOVER packet
  + Do not try to free NULL pointer in resolveAndAddHostname
  + Show debug messages only in debug mode
  + Do not block shared memory when inactive clients are skipped.
  + Upload FTL log to tricorder.pi-hole.net instead of printing directly into the container output
  + Add more debug logging to getDatabaseHostname()
  + Do not skip recently inactive clients in ARP/neighbor table processing as they may still need properties to be updated (like host names, etc.)
  + Add real-time signal 4 to re-resolve all host names (clients + upstream servers)
  + Add real-time signal 5 to request ARP/neighbor parsing
  + Reset actions after the threads picked up the new real-time signals
  + Handling of clients not in ARP has been moved into add_FTL_clients_to_network_table()
  + Add more verbose version output (./pihole-FTL -vv)
  + Do not block shared memory when inactive upstreams are skipped. This was missed in #889
  + Rename resolveForwardDestinations() to resolveUpstreams() and make private functions static.
  + Every time FTL allocates more memory, we explicitly log how much (out of how much) space is used in /dev/shm
  + Explicitly warn users if space tends to be running out in /dev/shm
  + Handle SIGBUS, SIGILL and SIGFPE events in our crash reporter. Give human-readable explanations of why this happened where possible.
  + Only use stsvfs data if the function returned no error.
  + Explicitly cast the block counts to unsigned long long to avoid overflowing with drives larger than 4 GB on 32bit systems
  + Reopening the FTL database may lead to rare race-collisions in SQLite3. We avoid them by keeping the database connection open all the time.
  + Open database for history-reading
  + Improve checking boundaries of the shm_per_client_regex shmem object
  + Make realloc_shm message more informative
  + Add more comments to the code
  + Ensure to remap the per-client-regex struct when it is changed in a fork.
  + Use posix_fallocate() instead of ftruncate() when resizing and/or creating shared memory objects. This ensures we reserve the requested memory exclusively for ourselves.
  + Exit immediately if fatal memory errors happen
  + Add new status RETRIED (12) to be used for queries which were retried. If a query was retried five times before it succeeded, queries 1-4 will be marked as RETRIED and only query 5 will stay in status FORWARDED.
  + Use new armv4, armv5, armv6hf, armv7hf containers to build the corresponding binaries
  + Also handle retry events when the retry happened in the small timeframe of when we already have the upstream response but DNSSEC validation is still ongoing
  + Retried DNSSEC queries are ignored, we have to flag themselves. Retried normal queries take over, we have to flag the original query.
  + Move call to resolveNetworkTableNames() from resolver into database thread
  + Make timer output at termination of FTL human readable (days/hours/minutes/seconds).
  + Mark database as being available when creating a new database to avoid FTL skipping adding the tables thinking the database connection isn't ready.
  + Ignore ECS loopback addresses to avoid rewriting the client IP to a (useless because distant) localhost
  + Improve query interface origin determination
  + Add tests for ECS loopback ignoring
  + Upload binaries into writable html-subdirectory and download+verify uploaded binaries in an additional CI step.
  + Add new DEBUG_HELPER option. It logs any helper activity (and possible errors) to pihole-FTL.log
  + CMake install: update setcap to add the CAP_SYS_NICE capability
  + Log information about the user FTL is running as and if we're dropping to another user (such as nobody/nogroup)
  + Include upstream details in all-queries API response
  + Make FTL upstream destination port-aware
  + Rename super-clients ---> alias-clients
  + Catch fatal dnsmasq errors caused by incorrect config lines and print it in pihole-FTL.log
  + Store fatal dnsmasq message in message table so it can be used by the Pi-hole dashboard diagnosis system.
  + Add attribute gnu_printf to the new function FTL_log_dnsmasq_fatal()
  + Define default script path in /opt/pihole/libs and always build READLINE support if static libraries are available on the system
  + Download and install LUA script during test runs
  + Only print history debug messages when in debug mode
  + Update LUA 5.4.0 -> 5.4.1
  + Print hint that readline isn't available only in debug output. Otherwise, this output might leak into script executions when readline support is not compiled into the binary (missing libraries at build time).
  + Add API callback to remove DHCP leases without the need for a restart of the DNS/DHCP server
  + Add API debug messages
  + Skip clients with no active counts at all (may be old IPv6 addresses)
  + Keep upper case characters in host names because they may make them more readable (like FritzBox, WDMyCloud, or VacuumRobot)
  + Clarify that disabling the database only disables storing queries in the database. We still use the database for storing messages (such as regex syntax warnings) and alias-clients.
  + Silence warning about copying a NULL pointer for DHCP clients without a hostname
  + Print hint when database query importing is enabled but exporting is disabled - this may not be what the user wants.
  + Analyze all DHCP options dnsmasq is aware of
  + Convert numbers from net to host order before displaying them
  + Implement special handling for "pihole-FTL -- --help dhcp" and "pihole-FTL -- --help dhcp6"
  + Remove buster-specific binary test output
  + Downgrade expected glibc version and expect that stretch does not build a v5TE binary explicitly (instead, it does v4T)
  + Use new stretch-based ftl-build:v1.8 containers
  + Fix compatibility with GCC 10.
  + Add -fno-common to HARDENING_FLAGS.
  + Do not warn about query status 12 and 13 on import (retried queries)
  + Catch all real-time signals, decide later which one we handle and which one we ignore.
  + Check for memory allocation errors in parse_FTLconf()
  + Respect settings RESOLVE_IPV4 and RESOLVE_IPv6 also when trying to resolve host names from the database (network table)
  + Do not try to resolve IPs for records without hostnames in the network_addresses table.
  + Add new REFRESH_HOSTNAMES option
  + Use case-insensitive comparison of MAC address to ensure capitalization does not play a role.
  + Tweak code to restore compatibility with Gentoo gcc 10.2.0-r3
  + Always try to resolve hostnames when seeing a client/upstream server for the first time. Also when it wasn't recently active (may happen on re-import from database history).
  + Add more debugging output and ensure refreshing rules are really only used when refreshing
* Tue Sep 15 2020 pihole-suse-packages@smar.fi
- Update to version v5.2
  + Move counters definition from memory.c to shmem.c magically clears a lot of (wrong) VSCode errors. Doing this on request of a user as it is harmless.
  + Import unknown clients from ARP table
  + Explicitly set prepared statements to NULL when they are finalized.
  + Explicitly log if we had to make assumptions because the gravity database was not available.
  + Add DELAY_STARTUP setting to delay startup of the embedded dnsmasq.
  + Remove option FORCE_LOCAL_RESOLVER as we do not need it.
  + Add more comments, only print debugging output when DEBUG_DATABASE is enabled.
  + Simplify SQLite 3 database extension
  + Convert recently found (at most 1 hour old) mock-devices into "real" when we gather ARP/neigh information about them.
  + Fix nameserver list in auth mode.
  + Allow overriding of ubus service name.
  + CircleCI has an unforeseeable number of devices in its ARP cache. Do not check for a strict number of clients during the tests. No changes to the source code.
  + Ensure blocking also works when the long-term database is not used. This was broken before as we returned too early (the SQLite3 engine was not yet fully initialized) when the long-term database was disabled.
  + Fix possible memory leak in config.c
  + Some general tweaks
  + Explicitly log failures in creating the new sqlite3 function.
  + Ensure we don't lose memory after ARP cache parsing.
  + Also return NO MATCH when invoking subnet_match() with non-TEXT arguments.
  + Add a comment that gethostbyaddr() may leak memory (only once, not seen leakage of more than 110 bytes)
  + Check arguments are of type SQLITE3_TEXT
  + Initialize resolver subroutines if trying to resolve for the first time
  + Only check/set client status when size of the array is not exceeded. Skip otherwise.
  + Do not import unknown clients from the ARP cache into FTL's memory.
    It is not our job to care about them if they are not doing any DNS queries.
  + Ensure ARP strings are NULL-terminated
  + Exiting instead of aborting may be beneficial in FTL forks.
  + Print arguments passed to embedded dnsmasq when at least one DEBUG flag is set.
  + Re-open gravity database (and re-prepare database statements) before accessing the database in case FTL forked.
  + Memorize PID of this thread to avoid re-opening the gravity database connection multiple times for the same fork
  + Implement process-private prepared gravity database client statements. This fixes an incompatibility across forks when serving TCP traffic using dedicated workers.
  + Silently increase size of vector if trying to read out-of-bounds
  + Explicitly include type definition of int16_t in config.h as needed by the musl-compiler
  + Remove append and delete instructions as we will always identify clients exactly by their IDs
  + Musl's realloc() does not zero any memory. Do this manually.
  + Free allocated memory after ordinary termination of TCP workers (TCP connection closed)
  + Fix rare problem allocating frec for DNSSEC.
  + Tweak to DNSSEC logging.
  + Restored asterisk match for auditlog
  + Correct, indent and simplify wildcard-compatible auditlog SQL logic.
  + Modify FTL's internal resolver to work in two phases: First, try to obtain a host name by using the internal resolver (i.e., FTL). In a second step, when FTL didn't know the answer, ask the resolvers as configured by resolv.conf. We've seen that the latter is necessary to get proper name resolution in docker environments.
  + Convert port from host to network byte order
  + src/dnsmasq/dnsmasq.c: Labeled a lonely #endif
  + Update dnsmasq version to pi-hole-v2.81
  + Don't try setsockopt of non-existing NETLINK_NO_ENOBUFS option (fixes qemu issue).
  + Revert "Don't try setsockopt of non-existing NETLINK_NO_ENOBUFS option (fixes qemu issue)."
  + Convert failure of setsockopt(..., SOL_NETLINK, NETLINK_NO_ENOBUFS, ...) into warning.
  + Make regex matching case-insensitive by default and remove config option to control this.
  + Automatically block _esni.* subdomains of blocked domains. This can be disabled by setting BLOCK_ESNI=false in pihole-FTL.conf
  + Simplify blocking metadata forcing code.
  + Add full drop-in replacement mode pihole-FTL can use to mimic the dnsmasq binary.
  + Add a shortcut for dnsmasq syntax test
  + Do not decide whether we are blocking or not based on the gravity count (pre-v5.0 measure) but use the dedicated blockingstatus variable.
  + Use /run instead of /var/run for FTL runtime files
  + Deleted Swag store affiliate link
  + Invoking free_sqlite3_stmt_vec() on a NULL pointer should be a harmless no-op.
  + Check for validity of prepared statements before trying to use their get property.
  + Create "message" table and log regex errors in there.
  + Fix bit-order in subnet mask generation.
  + Bump build container version.
  + Use BLOBs as datatype for the custom columns to keep this feature as generic as possible. We can always append more columns to the end of the table whenever needed.
  + Store message type as string instead of enum values.
  + Ensure message table is also flushed on receipt of real-time signals.
  + Always choose most suitable (= maximum) subnet for clients. This allows to configure specific settings for a whole range of devices but still exclude others. Complain softly (no error) if multiple configured subnets match with the same number of relevant bits.
  + Ensure to finalize statement before closing the database connection.
  + Explicitly include limits.h in src/files.c to improve ppc64le support on Alpine. This fixes #751
  + Store subnet warnings in the message table.
  + Add User-Agent to macvendor.py
  + Process cached SRV records
  + Simple optimizations
  + Skip CircleCI Upload step on foreign PRs.
  + Add addr2line output into our self-generated backtraces.
  + Only compile print_addr2line() when we can actually generate backtraces.
  + Add comment
  + Remove unneeded inet_ntop
  + Fix indentation
  + Fix indentation
  + Reload the privacy level when reloading the lists
  + Bump to v1.2 build images.
  + Add NAMES_FROM_NETDB option.
  + Store client group information in shared memory.
  + Add checks for the compiled binary for all supported CI platforms.
  + Don't need to call inet_ntop here
  + Also check result of "file pihole-FTL" to do some further checks on the generated binary. This now includes a check for the minimum supported Linux version.
  + Add cmake build
  + Implement install step to be the same as the Makefile build
  + Default install prefix to /usr
  + Put runtime output, i.e. pihole-FTL, in the root of the build dir
  + Move sqlite3-ext to the database target
  + Fix build of sqlite3. Move sqlite3 defines to the top level so they are on all.
  + Add "not stripped" to arm-qemu test
  + Reduce README.md
  + Fix static build
  + Really, really fix static build
  + Add boolean to be able to store if we decided which groups to be used (an empty string can actually mean no groups as a special case)
  + Fix broken RESOLVE_IPV{4,6} setting.
  + Fix possible memory issue by obtaining pointer only when it is guaranteed that the pointer will not change.
  + Remove Makefile
  + Add license headers to CMake files
  + Use cmake on CI to generate FTL binaries.
  + Lower needed cmake version to 2.8.12
  + Add CI build script.
  + Add a build script for users. FTL can be built by simply running "./build.sh"
  + Use cmake ENV{} to actually acquire the env variables
  + Clarify comment
  + Also check RESOLVE_IPV{4,6} setting when trying to derive a host name from the FTL database.
  + Improve build.sh script. Add "install" and "clean" targets. Also ensure successive builds are possible to speed up the entire process.
  + Allow no/false and yes/true for all config options.
  + Re-acquire client and upstream pointers after a name resolution. As we're leaving the locked area for the resolve, we cannot control if the shared memory object changed meanwhile.
    If it did, then the pointers will point into nowhere, leading to a SEGV_MAPERR.
  + Set nice value of pihole-FTL (configurable) to increase DNS server performance.
  + Add CAP_SYS_NICE for the tests
  + Ignore missing CAP_SYS_NICE in the CI tests as we are not allowed to change the niceness.
  + Add warning for invalid hostnames to FTL message table.
  + Only open FTL database for storing a message when there is not already an open connection.
  + Clarify warning that the check found AT LEAST one invalid character.
  + Ensure host name errors do not accumulate.
  + Close database on any errors to ensure nothing stays locked.
  + Do not listen to real-time signals in helper processes
  + Ignore real-time signals outside of the main process (such as in TCP forks)
  + Fix #805. This fixes a buffer overflow when handling TCP requests. Details are on the dnsmasq mailing list.
  + Ensure main process is terminated orderly when a fork fails miserably.
  + Send real-time signal 2 from forks to main process to signal it should terminate with EXIT_FAILURE.
  + Improve logging for forks and thread by including further details to the log ID
  + Include thread names in crash reports to ease debugging.
  + Print at least addresses when the addrline conversion wasn't successful.
  + Bind to socket in thread instead of main process to ensure forks do not inherit sockets they shouldn't.
  + Show fork created/terminated if any debug mode is enabled. Log reason for TCP worker termination (either client disconnected or connection timeout).
  + Remove portfile not used by the current web interface any longer.
  + Add support for additional query types: "A", "AAAA", "ANY", "SRV", "SOA", "PTR", "TXT", "NAPTR", "MX", "DS", "RRSIG", "DNSKEY" and "OTHER" (summing up all other possible DNS types)
  + Tests: Test for new query types
  + Don't use fshort-enums as it may make object files incompatible.
  + Always re-open gravity database handle when forking
  + Children inherit file descriptors from their parents.
    As we don't need the API sockets in the forks, we clean them up after forking
  + Thorough clean-up following 8270648da1eae77db381b848a47d79b85c206e29.
  + Be explicit about if we count or query the number of domains. This simplifies the logic and makes it more readable.
  + Do not assume a query to google.com returns only one fixed AAAA record.
  + Remove privacy level 4. Systems currently running level 4 will automatically pick up the highest available level (which is now 3). Also tidy up enums into a dedicated file.
  + Add additional_info column to queries table. We fill it with the domain that caused blocking the entire CNAME chain.
  + Log CNAME blocking to pihole.log
  + Include new column in database schema test
  + Load domain causing the blocking in a CNAME inspection from the database during import. This ensures restarting FTL does not mean we lost this information.
  + Store + import ID of regex used for blocking in additional_info field
  + Fix an edge-case where CNAME blocking can be foiled when parts of the CNAME chain are already in the cache
  + Fix incorrect attribution of the blocked status to the wrong domain. This also simplifies the terminology in the CNAME inspection routine.
  + Revert "Remove portfile not used by the current web interface any longer."
  + Tweak revert commit. We should add the port after configuring it and independently from opening IPv4 and/or IPv6 sockets. Also, we cannot delete the port in close_telnet_port() as this function is called by TCP workers since v5.1 so we'd lose the port file when the first TCP query comes in.
  + Test: Check port file exists and contains the expected number (4711)
  + Skip second termination if there is already a termination event in progress. This has been observed with clients closing their connection exactly at the same time when dnsmasq wants to close the connection itself due to a timeout (it thinks this client is stale).
  + Include the information for which client we have forked.
    Exemplary message: "TCP worker forked for client 192.168.0.42 on interface enp0s25 (192.168.0.12)"
  + Double time until TCP worker timeout from 150 seconds to 300 seconds. RFC 1035 says: "If the server needs to close a dormant connection to reclaim resources, it should wait until the connection has been idle for a period on the order of two minutes." We are unlikely to run into a limit here as the total number of allowed TCP workers is fixed as well.
  + Increase limit for concurrently active TCP workers from 20 to 60. We've seen reports where 20 wasn't sufficient in user networks. Given that TCP workers do not really consume all that much more memory, this limit may even be increased further in case we recognize that 60 still isn't sufficient.
  + Use atomic_flag_test_and_set to ensure that FTL_TCP_worker_terminating() cannot run two times even when called exactly at the same time.
  + Wrap gravity reopening in locking to avoid a race collision with API requests (performed from independent threads).
  + Do not loop over known domains in addition to looping over all FTL-DNS-cache entries.
  + Factor out FTL sources into a separate object. This slightly enhances compilation speed.
  + Allow IPv6 addresses of the form [::ffff:1.2.3.4] in --dhcp-option.
  + Workaround for reported recvmsg() ignoring MSG_PEEK.
  + Log listening on new interfaces
  + Explicitly mark address port not used
  + Compare address and interface index for allowed interface
  + Cleanup interfaces no longer available
  + Handle listening on duplicate addresses
  + Remove duplicate address family from listener
  + Suppress logging of listen addresses during startup.
  + Apply floor of 60s to TTL of DNSKEY and DS records in cache.
  + Change default lease time for DHCPv6 to one day.
  + Do not try to bind a value when we should actually read one. This glitch was harmless, however, it prevented regex ID from being loaded from the database.
  + Create and use a temporary copy of the domain string during the analysis

* Sun Jan 19 2020 Samu Voutilainen <smar@smar.fi>
- Remove comments from pihole-FTL.conf

* Sat Jan 18 2020 Samu Voutilainen <smar@smar.fi>
- Apply ignore-shmem.c-strncpy-error.patch only for Tumbleweed

* Sat Jan 18 2020 Samu Voutilainen <smar@smar.fi>
- Added patch fix-build-after-y2038-changes-in-glib.patch
  * Modified from upstream to adjust to filename changes.
- Added patch ignore-shmem.c-strncpy-error.patch
  * The code adds null byte, so that is not a problem
- Added patch fix-build-with-libnettle-3.5.patch
  * Modified from upstream to adjust to filename changes.

* Sat Jan 18 2020 Samu Voutilainen <smar@smar.fi>
- Comment cleanup
- Ignore version.h caused macro-in-comment
- Change to arch specific package

* Mon Jan 13 2020 Samu Voutilainen <smar@smar.fi>
- Changed pid path to point to real pid in service file

* Mon Jan 13 2020 Samu Voutilainen <smar@smar.fi>
- Added noreplace to config clauses

* Mon Jan 13 2020 Samu Voutilainen <smar@smar.fi>
- AdminLTE reads pihole-FTL.conf using PHP’s ini syntax

* Fri Jan 10 2020 Samu Voutilainen <smar@smar.fi>
- Added SUSE.readme for real

* Fri Jan 10 2020 Samu Voutilainen <smar@smar.fi>
- Added creation of /run/pihole via tmpfiles

* Fri Jan 10 2020 Samu Voutilainen <smar@smar.fi>
- Added undocumented file paths to supplied pihole-FTL.conf

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Added commented /etc/permissions.d/pihole-ftl to instruct user about easy way of setting the permissions.
* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Added default pihole-FTL.conf

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Patch Makefile to ignore the errors
- Patch Makefile to contain dynamic libs

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Generate version.h on the fly

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Correct libnettle dependency

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Removed comments

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Added systemd service file

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- First version to build

* Wed Jan 8 2020 Samu Voutilainen <smar@smar.fi>
- Initial version