eeload · pull · Oct 24, 2022 · Nov 4, 2022 · Oct 24, 2022 · Jan 6, 2023
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -8,31 +8,32 @@ jobs:
     # well on Windows or Mac.  You can convert this to a matrix build if you need
     # cross-platform coverage.
     # See: https://docs.github.com/en/free-pro-team@latest/actions/learn-github-actions/managing-complex-workflows#using-a-build-matrix
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
 
     strategy:
+      fail-fast: false
       matrix:
-        compiler: [gcc-10, clang-12]
+        compiler: [gcc-13, clang-18]
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@main
 
     - name: Update APT
       run: sudo apt-get update
 
     - name: Setup Dependencies
-      run: sudo apt-get install cmake libc-ares-dev libcurl4-openssl-dev libev-dev build-essential clang-tidy-12 ${{ matrix.compiler }} dnsutils python3-pip
+      run: sudo apt-get install cmake libc-ares-dev libcurl4-openssl-dev libev-dev libsystemd-dev build-essential clang-tidy dnsutils python3-pip python3-venv valgrind ${{ matrix.compiler }}
 
-    - name: Setup Robot Framework
-      run: sudo pip3 install robotframework
+    - name: Setup Python Virtual Environment
+      run: python3 -m venv ${{github.workspace}}/venv
 
-    - name: Set clang-tidy
-      run: sudo update-alternatives --install /usr/bin/clang-tidy clang-tidy /usr/bin/clang-tidy-12 100
+    - name: Setup Robot Framework
+      run: ${{github.workspace}}/venv/bin/pip3 install robotframework
 
     - name: Configure CMake
       env:
         CC: ${{ matrix.compiler }}
-      run: cmake -D CMAKE_BUILD_TYPE=Debug -B ${{github.workspace}}/
+      run: cmake -D CMAKE_BUILD_TYPE=Debug -D PYTHON3_EXE=${{github.workspace}}/venv/bin/python3 -B ${{github.workspace}}/
 
     - name: Build
       env:
@@ -43,8 +44,10 @@ jobs:
     - name: Test
       run: make -C ${{github.workspace}}/ test ARGS="--verbose"
 
-    - uses: actions/upload-artifact@v2
+    - uses: actions/upload-artifact@v4
       if: ${{ success() || failure() }}
       with:
         name: robot-logs-${{ matrix.compiler }}
-        path: ${{github.workspace}}/tests/robot/*.html
+        path: |
+          ${{github.workspace}}/tests/robot/*.html
+          ${{github.workspace}}/tests/robot/valgrind-*.log
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,4 @@
+build/
 CMakeCache.txt
 CTestTestfile.cmake
 CMakeFiles/
@@ -17,3 +18,5 @@ log.html
 output.xml
 report.html
 custom_curl/
+valgrind-*.log
+tests/robot/__pycache__
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,5 +1,7 @@
+cmake_minimum_required(VERSION 3.10)
 project(HttpsDnsProxy C)
-cmake_minimum_required(VERSION 3.7)
+
+include(CheckIncludeFile)
 
 # FUNCTIONS
 
@@ -25,16 +27,21 @@ if (NOT CMAKE_INSTALL_BINDIR)
   set(CMAKE_INSTALL_BINDIR bin)
 endif()
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra --pedantic -Wno-strict-aliasing -Wno-variadic-macros")
-set(CMAKE_C_FLAGS_DEBUG "-g -DDEBUG")
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -Wextra -Wpedantic -Wstrict-aliasing -Wformat=2 -Wunused -Wno-variadic-macros -Wnull-dereference -Wshadow -Wconversion -Wsign-conversion -Wfloat-conversion -Wimplicit-fallthrough")
+set(CMAKE_C_FLAGS_DEBUG "-gdwarf-4 -DDEBUG")
 set(CMAKE_C_FLAGS_RELEASE "-O2")
 
-if ((CMAKE_C_COMPILER_ID MATCHES GNU   AND CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL 9) OR
-    (CMAKE_C_COMPILER_ID MATCHES Clang AND CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL 10))
+if (((CMAKE_C_COMPILER_ID MATCHES GNU   AND CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL  9) AND
+     (CMAKE_C_COMPILER_ID MATCHES GNU   AND CMAKE_C_COMPILER_VERSION VERSION_LESS          14)) OR
+    ( CMAKE_C_COMPILER_ID MATCHES Clang AND CMAKE_C_COMPILER_VERSION VERSION_GREATER_EQUAL 10))
 set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wno-gnu-zero-variadic-macro-arguments -Wno-gnu-folding-constant")
 endif()
 
+set(SERVICE_EXTRA_OPTIONS "")
+set(SERVICE_TYPE "simple")
+
 # VERSION
+# It is possible to define external default value like: cmake -DSW_VERSION=1.2-custom
 
 find_package(Git)
 if(Git_FOUND)
@@ -43,19 +50,33 @@ if(Git_FOUND)
     WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}"
     OUTPUT_VARIABLE GIT_VERSION
     OUTPUT_STRIP_TRAILING_WHITESPACE)
-  message(STATUS "Version: ${GIT_VERSION}")
+
+  if(GIT_VERSION)
+    set(SW_VERSION "${GIT_VERSION}")
+  else()
+    message(WARNING "Could not find out version from git command!")
+  endif()
 
   # May not update version in some cases (example: git commit --amend)
   set_property(GLOBAL APPEND
     PROPERTY CMAKE_CONFIGURE_DEPENDS
     "${CMAKE_SOURCE_DIR}/.git/index")
 else()
-  set(GIT_VERSION "UNKNOWN")
-  message(WARNING "Could not find git command! Version is set to: ${GIT_VERSION}")
+  message(WARNING "Could not find git command!")
+endif()
+
+if(NOT SW_VERSION)
+  message(WARNING "Version unset, using hardcoded!")
 endif()
 
 # LIBRARY DEPENDENCIES
 
+# Add Homebrew paths for macOS
+if(APPLE)
+  list(APPEND CMAKE_PREFIX_PATH "/opt/homebrew")
+  link_directories("/opt/homebrew/lib")
+endif()
+
 find_path(LIBCARES_INCLUDE_DIR ares.h)
 find_path(LIBEV_INCLUDE_DIR ev.h)
 
@@ -72,18 +93,33 @@ include_directories(
   ${LIBCARES_INCLUDE_DIR} ${LIBCURL_INCLUDE_DIR}
   ${LIBEV_INCLUDE_DIR} src)
 
+check_include_file("systemd/sd-daemon.h" HAVE_SD_DAEMON_H)
+
+if(HAVE_SD_DAEMON_H)
+  message(STATUS "Using libsystemd")
+  add_definitions(-DHAS_LIBSYSTEMD=1)
+  set(LIBS ${LIBS} systemd)
+  set(SERVICE_TYPE "notify")
+endif()
+
 # CLANG TIDY
 
-find_program(
-  CLANG_TIDY_EXE
-  NAMES "clang-tidy"
-  DOC "Path to clang-tidy executable"
-  )
-if(NOT CLANG_TIDY_EXE)
-  message(STATUS "clang-tidy not found.")
+option(USE_CLANG_TIDY "Use clang-tidy during compilation" ON)
+
+if(USE_CLANG_TIDY)
+  find_program(
+    CLANG_TIDY_EXE
+    NAMES "clang-tidy"
+    DOC "Path to clang-tidy executable"
+    )
+  if(NOT CLANG_TIDY_EXE)
+    message(STATUS "clang-tidy not found.")
+  else()
+    message(STATUS "clang-tidy found: ${CLANG_TIDY_EXE}")
+    set(DO_CLANG_TIDY "${CLANG_TIDY_EXE}" "-fix" "-fix-errors" "-checks=*,-readability-identifier-length,-altera-unroll-loops,-bugprone-easily-swappable-parameters,-concurrency-mt-unsafe,-*magic-numbers,-hicpp-signed-bitwise,-readability-function-cognitive-complexity,-altera-id-dependent-backward-branch,-misc-include-cleaner,-llvmlibc-restrict-system-libc-headers,-clang-analyzer-security.insecureAPI.DeprecatedOrUnsafeBufferHandling")
+  endif()
 else()
-  message(STATUS "clang-tidy found: ${CLANG_TIDY_EXE}")
-  set(DO_CLANG_TIDY "${CLANG_TIDY_EXE}" "-fix" "-checks=*,-clang-analyzer-alpha.*,-misc-unused-parameters,-cert-err34-c,-google-readability-todo,-hicpp-signed-bitwise,-cppcoreguidelines-avoid-magic-numbers,-readability-magic-numbers,-gnu-folding-constant,-gnu-zero-variadic-macro-arguments,-readability-function-cognitive-complexity,-concurrency-mt-unsafe")
+  message(STATUS "Not using clang-tidy.")
 endif()
 
 # BUILD
@@ -99,9 +135,12 @@ set_property(TARGET ${TARGET_NAME} PROPERTY C_STANDARD 11)
 
 define_file_basename_for_sources("https_dns_proxy")
 
-set_source_files_properties(
-  src/main.c src/options.c
-  PROPERTIES COMPILE_FLAGS "-DGIT_VERSION='\"${GIT_VERSION}\"'")
+
+if(SW_VERSION)
+  set_source_files_properties(
+    src/main.c
+    PROPERTIES COMPILE_FLAGS "-DSW_VERSION='\"${SW_VERSION}\"'")
+endif()
 
 if(CLANG_TIDY_EXE)
   set_target_properties(
@@ -114,7 +153,6 @@ endif()
 
 install(TARGETS ${TARGET_NAME} DESTINATION ${CMAKE_INSTALL_BINDIR})
 
-set(SERVICE_EXTRA_OPTIONS "")
 if(IS_DIRECTORY "/etc/munin/plugins" AND
    IS_DIRECTORY "/etc/munin/plugin-conf.d")
   set(SERVICE_EXTRA_OPTIONS "-s 300")
@@ -144,6 +182,14 @@ else()
   message(STATUS "python3 found: ${PYTHON3_EXE}")
 
   enable_testing()
+
+  # Robot framework tests
   add_test(NAME robot COMMAND ${PYTHON3_EXE} -m robot.run functional_tests.robot
-           WORKING_DIRECTORY tests/robot)
+           WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/tests/robot)
 endif()
+
+# Clean target (removes entire build directory)
+add_custom_target(distclean
+  COMMAND ${CMAKE_COMMAND} -E remove_directory ${CMAKE_BINARY_DIR}
+  COMMENT "Removing build directory"
+)
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 `https_dns_proxy` is a light-weight DNS&lt;--&gt;HTTPS, non-caching translation
 proxy for the [RFC 8484][rfc-8484] DNS-over-HTTPS standard. It receives
-regular (UDP) DNS requests and issues them via DoH.
+regular (UDP or TCP) DNS requests and issues them via DoH.
 
 [Google's DNS-over-HTTPS][google-doh] service is default, but
 [Cloudflare's service][cloudflare-doh] also works with trivial commandline flag
@@ -43,11 +43,12 @@ only makes sense if you trust your DoH provider.
 
 ## Build
 
-Depends on `c-ares (>=1.11.0)`, `libcurl (>=7.64.0)`, `libev (>=4.25)`.
+Depends on `c-ares (>=1.11.0)`, `libcurl (>=7.66.0)`, `libev (>=4.25)`.
 
 On Debian-derived systems those are libc-ares-dev,
 libcurl4-{openssl,nss,gnutls}-dev and libev-dev respectively.
 On Redhat-derived systems those are c-ares-devel, libcurl-devel and libev-devel.
+On systems with systemd it is recommended to have libsystemd development package installed.
 
 On MacOS, you may run into issues with curl headers. Others have had success when first installing curl with brew.
 ```
@@ -57,7 +58,7 @@ brew link curl --force
 
 On Ubuntu
 ```
-apt-get install cmake libc-ares-dev libcurl4-openssl-dev libev-dev build-essential
+apt-get install cmake libc-ares-dev libcurl4-openssl-dev libev-dev libsystemd-dev build-essential
 ```
 
 If all pre-requisites are met, you should be able to build with:
@@ -71,14 +72,14 @@ $ make
 * If system libcurl supports it by default nothing else has to be done
 
 * If a custom build of libcurl supports HTTP/3 which is installed in a different location, that can be set when running cmake:
-```
-$ cmake -D CUSTOM_LIBCURL_INSTALL_PATH=/absolute/path/to/custom/libcurl/install .
-```
+  ```
+  $ cmake -D CUSTOM_LIBCURL_INSTALL_PATH=/absolute/path/to/custom/libcurl/install .
+  ```
 
 * Just to test HTTP/3 support for development purpose, simply run the following command and wait for a long time:
-```
-$ ./development_build_with_http3.sh
-```
+  ```
+  $ ./development_build_with_http3.sh
+  ```
 
 ## INSTALL
 
@@ -158,56 +159,89 @@ docker run --name "https-dns-proxy" -p 5053:5053/udp  \
 Just run it as a daemon and point traffic at it. Commandline flags are:
 
 ```
-Usage: ./https_dns_proxy [-a <listen_addr>] [-p <listen_port>]
-        [-d] [-u <user>] [-g <group>] [-b <dns_servers>]
-        [-i <polling_interval>] [-4] [-r <resolver_url>]
-        [-t <proxy_server>] [-l <logfile>] [-c <dscp_codepoint>]
-        [-x] [-q] [-s <statistic_interval>] [-v]+ [-V] [-h]
+Usage: ./https_dns_proxy [-a <listen_addr>] [-p <listen_port>] [-T <tcp_client_limit>]
+        [-b <dns_servers>] [-i <polling_interval>] [-4]
+        [-r <resolver_url>] [-t <proxy_server>] [-S <source_addr>] [-x] [-q] [-C <ca_path>] [-c <dscp_codepoint>]
+        [-d] [-u <user>] [-g <group>]
+        [-v]+ [-l <logfile>] [-s <statistic_interval>] [-F <log_limit>] [-V] [-h]
 
-  -a listen_addr         Local IPv4/v6 address to bind to. (127.0.0.1)
-  -p listen_port         Local port to bind to. (5053)
-  -d                     Daemonize.
-  -u user                Optional user to drop to if launched as root.
-  -g group               Optional group to drop to if launched as root.
+ DNS server
+  -a listen_addr         Local IPv4/v6 address to bind to. (Default: 127.0.0.1)
+  -p listen_port         Local port to bind to. (Default: 5053)
+  -T tcp_client_limit    Number of TCP clients to serve.
+                         (Default: 20, Disabled: 0, Min: 1, Max: 200)
+
+ DNS client
   -b dns_servers         Comma-separated IPv4/v6 addresses and ports (addr:port)
                          of DNS servers to resolve resolver host (e.g. dns.google).
                          When specifying a port for IPv6, enclose the address in [].
-                         (8.8.8.8,1.1.1.1,8.8.4.4,1.0.0.1,145.100.185.15,145.100.185.16,185.49.141.37)
+                         (Default: 8.8.8.8,1.1.1.1,8.8.4.4,1.0.0.1,145.100.185.15,145.100.185.16,185.49.141.37)
   -i polling_interval    Optional polling interval of DNS servers.
                          (Default: 120, Min: 5, Max: 3600)
   -4                     Force IPv4 hostnames for DNS resolvers non IPv6 networks.
-  -r resolver_url        The HTTPS path to the resolver URL. Default: https://dns.google/dns-query
+
+ HTTPS client
+  -r resolver_url        The HTTPS path to the resolver URL. (Default: https://dns.google/dns-query)
   -t proxy_server        Optional HTTP proxy. e.g. socks5://127.0.0.1:1080
                          Remote name resolution will be used if the protocol
                          supports it (http, https, socks4a, socks5h), otherwise
                          initial DNS resolution will still be done via the
                          bootstrap DNS servers.
-  -l logfile             Path to file to log to. ("-")
-  -c dscp_codepoint      Optional DSCP codepoint[0-63] to set on upstream DNS server
-                         connections.
+  -S source_addr         Source IPv4/v6 address for outbound HTTPS and bootstrap DNS.
+                         (Default: system default)
   -x                     Use HTTP/1.1 instead of HTTP/2. Useful with broken
-                         or limited builds of libcurl. (false)
-  -q                     Use HTTP/3 (QUIC) only. (false)
-  -s statistic_interval  Optional statistic printout interval.
-                         (Default: 0, Disabled: 0, Min: 1, Max: 3600)
+                         or limited builds of libcurl.
+  -q                     Use HTTP/3 (QUIC) only.
+  -m max_idle_time       Maximum idle time in seconds allowed for reusing a HTTPS connection.
+                         (Default: 118, Min: 0, Max: 3600)
+  -L conn_loss_time      Time in seconds to tolerate connection timeouts of reused connections.
+                         This option mitigates half-open TCP connection issue (e.g. WAN IP change).
+                         (Default: 15, Min: 5, Max: 60)
+  -C ca_path             Optional file containing CA certificates.
+  -c dscp_codepoint      Optional DSCP codepoint to set on upstream HTTPS server
+                         connections. (Min: 0, Max: 63)
+
+ Process
+  -d                     Daemonize.
+  -u user                Optional user to drop to if launched as root.
+  -g group               Optional group to drop to if launched as root.
+
+ Logging
   -v                     Increase logging verbosity. (Default: error)
                          Levels: fatal, stats, error, warning, info, debug
                          Request issues are logged on warning level.
-  -V                     Print version and exit.
+  -l logfile             Path to file to log to. (Default: standard output)
+  -s statistic_interval  Optional statistic printout interval.
+                         (Default: 0, Disabled: 0, Min: 1, Max: 3600)
+  -F log_limit           Flight recorder: storing desired amount of logs from all levels
+                         in memory and dumping them on fatal error or on SIGUSR2 signal.
+                         (Default: 0, Disabled: 0, Min: 100, Max: 100000)
+  -V                     Print versions and exit.
   -h                     Print help and exit.
 ```
 
 ## Testing
 
 Functional tests can be executed using [Robot Framework](https://robotframework.org/).
 
-dig command is expected to be available.
+dig and valgrind commands are expected to be available.
 
 ```
 pip3 install robotframework
 python3 -m robot.run tests/robot/functional_tests.robot
 ```
 
+## Docker bootstrap DNS test
+
+There is a repeatable Docker-based test suite for validating proxy behavior
+including `-S` source address binding:
+
+```
+tests/docker/run_all_tests.sh
+```
+
+If your Docker CLI is not on `PATH`, you can set `DOCKER_BIN` to its full path.
+
 ## TODO
 
 * Add some tests.
@@ -218,4 +252,3 @@ python3 -m robot.run tests/robot/functional_tests.robot
 * Aaron Drew (aarond10@gmail.com): Original https_dns_proxy.
 * Soumya ([github.com/soumya92](https://github.com/soumya92)): RFC 8484 implementation.
 * baranyaib90 ([github.com/baranyaib90](https://github.com/baranyaib90)): fixes and improvements.
-