These are chat archives for CZ-NIC/knot-resolver

8th Jan 2019
bhanupratapys
@bhanupratapys
Jan 08 16:20
Hello guys, is it possible to predefine a custom name while exporting the metrics with the graphite module instead of using the hostname? If I use the hostname then metronome doesn't recognise the metrics.
Vladimír Čunát
@vcunat
Jan 08 16:24
@bhanupratapys: that's the prefix thing in the example in docs, isn't it? https://knot-resolver.readthedocs.io/en/stable/modules.html#graphite-module
bhanupratapys
@bhanupratapys
Jan 08 16:24
Yes!
That doesn't work; if I change anything in the prefix value then knot doesn't start.
Jonathan Coetzee
@jcoetzee
Jan 08 17:54
What's the cleanest/simplest way to reset the policy rules? Unload and reload the module?
My config uses two rules: one RPZ to deny a blocklist and a second to forward to an upstream resolver. I've modified it to use cqueues to watch my RPZ file and reload the blocklist when the file changes.
Figure reloading the module is easier than tracking the rule ids?
Vladimír Čunát
@vcunat
Jan 08 18:11
@jcoetzee: hehe, right, it might be easiest to reload the module and re-run your list of policy.add() commands (factored out into a function).
Jonathan Coetzee
@jcoetzee
Jan 08 18:11
Seems like unloading and reloading doesn't work as I expected
[tls_client] error: hostname '1dot1dot1dot1.cloudflare-dns.com' for address '1.1.1.1#00853' already was set, ignoring
[tls_client] error: system ca for address '1.1.1.1#00853' already was set, ignoring
[tls_client] error: hostname '1dot1dot1dot1.cloudflare-dns.com' for address '1.0.0.1#00853' already was set, ignoring
[tls_client] error: system ca for address '1.0.0.1#00853' already was set, ignoring
Vladimír Čunát
@vcunat
Jan 08 18:12
These should be harmless warnings, though perhaps annoying.
Jonathan Coetzee
@jcoetzee
Jan 08 18:13
Doesn't it imply that the rules weren't reset though?
Is there a function to list all rules in policy?
To make sure I'm not just uselessly appending onto the end.
Vladimír Čunát
@vcunat
Jan 08 18:15
It's a table. But a table of general functions, so you can't really introspect that.
policy.rules
I had in mind a variant of policy.rpz() that auto-reloads the file when it changes, via those cqueues bindings, but it's not scheduled anytime soon.
Jonathan Coetzee
@jcoetzee
Jan 08 18:18
Yeah, no problem, I'm 90% there. Will have to test if those warnings are harmless or indication that the old rules are still present.
Vladimír Čunát
@vcunat
Jan 08 18:18
The mapping between address for TLS forwarding and associated parameters is a global table, basically, and attempts to re-define the mapping are currently handled like this.
I guess it could at least be silent if the parameters are equal.
Jonathan Coetzee
@jcoetzee
Jan 08 18:19
Ah.
Okay, I can live with that.
Jonathan Coetzee
@jcoetzee
Jan 08 18:30
Something's getting in the way. This snippet doesn't work as expected: requests are still forwarded, but queries that should be blocked aren't.
policy.add(policy.all(policy.TLS_FORWARD(provider_config)))

modules.unload('policy')
modules.load('policy')

policy.add(policy.rpz(policy.DENY, "ad+malware.list.rpz"))
policy.add(policy.all(policy.TLS_FORWARD(provider_config)))
I may have to resort to tracking rule ids.
Vladimír Čunát
@vcunat
Jan 08 19:42
You can simply keep the return value of policy.add
and rewrite its .cb with the new rule: foo.cb = policy.rpz(policy.DENY, "ad+malware.list.rpz")
(well, I think so, I've never done such stuff)