We need to track the pid of the connecting control connection to be
able to send answers back to the correct client in case two are
connecting at the same time. We also need to pass the pid around to
the resolver process so that it can hand it back to us.
Debugged by deraadt and dlg who noticed that answers would always
arrive on the first control connection.

deraadt@ points out that tracking the pid is not the best choice in
case one process wants to hold open two connections but at least this
brings us in line with all the other privsep daemons with control
tools. If we change this we should change it in all daemons.

Move control_state and ctl_conns to control.c, it's not needed
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer

Implement unwindctl status memory to show chache memory usage.
testing by otto & pamela as part of a larger diff

Turn opportunistic DoT into their own strategies.
This is beneficial since we prefer strategies according to their
performance.
Previously name servers were upgraded to opportunistic DoT if it was
available even if the round trip times went through the roof and there
was no way to got back to plain udp/53 DNS.
To make up a bit of space in the unwindctl status output, name servers
learned via DHCP or SLAAC are printed in a new subcommand.
The status output will be further improved shortly.
Input & OK otto

No more status subcommands; ok florian@

Nuke http captive portal detection; something better is coming.
OK otto

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

Move control_state and ctl_conns to control.c, it's not needed
elsewhere and unbreaks -fno-common.
Inspired by claudio
Problem reported by mortimer

Implement unwindctl status memory to show chache memory usage.
testing by otto & pamela as part of a larger diff

Turn opportunistic DoT into their own strategies.
This is beneficial since we prefer strategies according to their
performance.
Previously name servers were upgraded to opportunistic DoT if it was
available even if the round trip times went through the roof and there
was no way to got back to plain udp/53 DNS.
To make up a bit of space in the unwindctl status output, name servers
learned via DHCP or SLAAC are printed in a new subcommand.
The status output will be further improved shortly.
Input & OK otto

No more status subcommands; ok florian@

Nuke http captive portal detection; something better is coming.
OK otto

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

Implement unwindctl status memory to show chache memory usage.
testing by otto & pamela as part of a larger diff

Turn opportunistic DoT into their own strategies.
This is beneficial since we prefer strategies according to their
performance.
Previously name servers were upgraded to opportunistic DoT if it was
available even if the round trip times went through the roof and there
was no way to got back to plain udp/53 DNS.
To make up a bit of space in the unwindctl status output, name servers
learned via DHCP or SLAAC are printed in a new subcommand.
The status output will be further improved shortly.
Input & OK otto

No more status subcommands; ok florian@

Nuke http captive portal detection; something better is coming.
OK otto

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

Turn opportunistic DoT into their own strategies.
This is beneficial since we prefer strategies according to their
performance.
Previously name servers were upgraded to opportunistic DoT if it was
available even if the round trip times went through the roof and there
was no way to got back to plain udp/53 DNS.
To make up a bit of space in the unwindctl status output, name servers
learned via DHCP or SLAAC are printed in a new subcommand.
The status output will be further improved shortly.
Input & OK otto

No more status subcommands; ok florian@

Nuke http captive portal detection; something better is coming.
OK otto

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

No more status subcommands; ok florian@

Nuke http captive portal detection; something better is coming.
OK otto

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

Nuke http captive portal detection; something better is coming.
OK otto

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

Implement DNS proposals to learn nameservers from network
autoconfiguration daemons. Currently only slaacd is switched over so
we need to keep the lease file parsing.

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@

Due to the way we build libunbound inside of unwind .o files collide in
the obj directory. Previously this was solved by keeping the libunbound
file name (to be able to keep in sync with upstream) and prefixing
the source filename of colliding .o files in unwind with uw_.

However, these files are shared through out our tree (namely parse.y,
log.c and log.h) and we try to keep them in sync.

Move files back to their original name and instead symlink colliding source
files in libunbound to unique filenames by prefixing them with the directory
they live in:
obj/sldns_parse.c -> /usr/src/sbin/unwind/libunbound/sldns/parse.c
obj/util_log.c -> /usr/src/sbin/unwind/libunbound/util/log.c

Idea to use symlinks deraadt@ via jsg@
OK benno

Introduce IMSG_DATA_SIZE() macro to to replace reoccuring math on
imsg.hdr.len and shorten code.
Input & OK pamela

Pass verbosity changes to captive portal process.

s/unwind_/uw_/ to save screen real estate; fix style(9) issues while here

Captive portal detection for unwind(8).

Remove a log statement used for debug

ok florian@

restrict commands reload and log to root only

tweaks and ok florian@

Make imsg processing much more paranoid.

If it comes from one of our processes and the size does not match what
we expect call fatalx to crash and burn. We either hit a logic bug or
something is fishy on the other end and we can't trust that process
any longer. Not that we trust those processes to begin with.

This also applies to receiving resources that we don't expect. For
example if we have an open UDP listen socket and get a new one passed
from the main process something is wrong and we should crash and burn.

The only place where we are more lenient is on the control socket. We
just ignore wrong sized messages so that users can't bring down
unwind.

unwind(8) traces its ancestry to rad(8) and inherited all of its include
directives, some of them no longer necessary.
Cleanup by Caspar Schutijser, thank you very much!

Import unwind(8).

unwind(8) is a hybrid validating stub & recursive resolver.

It actively observes the local net to decide how to best resolve
names. It can chose to recurse on it's own or talk to dhcp
provided forwardes or statically defined forwarders in the
config file.

The intention is to be able to run it on localhost on every machine.

"toss it in man" deraadt@