Merge pull request #469 from pi-hole/release/v5.6

Update documentation for FTL v5.6
pi-hole · Feb 2, 2021 · e1102bf · e1102bf
2 parents 6967168 + 0ab3276
commit e1102bf
Show file tree

Hide file tree

Showing 11 changed files with 338 additions and 44 deletions.
diff --git a/docs/core/pihole-command.md b/docs/core/pihole-command.md
@@ -54,7 +54,7 @@ Example Usage   | [`pihole -regex '^example.com$' '.*\.example2.net'`](https://d
 
 Administrators need to be able to manually add and remove domains for various purposes, and these commands serve that purpose.
 
-See [Regex Blocking](../ftldns/regex/overview.md) for more information about using Regex.
+See [Regex Blocking](../regex/overview.md) for more information about using Regex.
 
 **Basic Script Process**:
 

diff --git a/docs/database/ftl.md b/docs/database/ftl.md
@@ -87,21 +87,24 @@ The FTL table contains some data used by *FTL*DNS for determining which queries
 
 ### Supported query types
 
-ID | Query Type
+ID | Resource Record (a.k.a. query type)
 --- | ---
-1 | A
-2 | AAAA
-3 | ANY
-4 | SRV
-5 | SOA
-6 | PTR
-7 | TXT
-8 | NAPTR
-9 | MX
-10 | DS
-11 | RRSIG
-12 | DNSKEY
-13 | OTHER (any query type not covered above)
+1 | `A`
+2 | `AAAA`
+3 | `ANY`
+4 | `SRV`
+5 | `SOA`
+6 | `PTR`
+7 | `TXT`
+8 | `NAPTR`
+9 | `MX`
+10 | `DS`
+11 | `RRSIG`
+12 | `DNSKEY`
+13 | `NS`
+14 | `OTHER` (any query type not covered elsewhere)
+15 | `SVCB`
+16 | `HTTPS`
 
 
 <!-- ID | 1 | 2 | 3 | 4 | 5 | 6 | 7 -->
@@ -112,18 +115,21 @@ ID | Query Type
 
 ID | Status | | Details
 --- | --- | --- | ---
-0 | Unknown | ❔ | was not answered by forward destination
-1 | Blocked | ❌ | Domain contained in [gravity database](../database/gravity/index.md#gravity-table-gravity)
+0 | Unknown | ❔ | Unknown status (not yet known)
+1 | Blocked | ❌ | Domain contained in [gravity database](gravity/index.md#gravity-table-gravity)
 2 | Allowed | ✅ | Forwarded
 3 | Allowed | ✅ | Known, replied to from cache
-4 | Blocked | ❌ | Domain matched by a [regex blacklist](../database/gravity/index.md#regex-table-regex) filter
-5 | Blocked | ❌ | Domain contained in [exact blacklist](../database/gravity/index.md#blacklist-table-blacklist)
+4 | Blocked | ❌ | Domain matched by a [regex blacklist](gravity/index.md#regex-table-regex) filter
+5 | Blocked | ❌ | Domain contained in [exact blacklist](gravity/index.md#blacklist-table-blacklist)
 6 | Blocked | ❌ | By upstream server (known blocking page IP address)
 7 | Blocked | ❌ | By upstream server (`0.0.0.0` or `::`)
 8 | Blocked | ❌ | By upstream server (`NXDOMAIN` with `RA` bit unset)
-9 | Blocked | ❌ | Domain contained in [gravity database](../database/gravity/index.md#gravity-table-gravity)<br>*Blocked during deep CNAME inspection*
-10 | Blocked | ❌ | Domain matched by a [regex blacklist](../database/gravity/index.md#regex-table-regex) filter<br>*Blocked during deep CNAME inspection*
-11 | Blocked | ❌ | Domain contained in [exact blacklist](../database/gravity/index.md#blacklist-table-blacklist)<br>*Blocked during deep CNAME inspection*
+9 | Blocked | ❌ | Domain contained in [gravity database](gravity/index.md#gravity-table-gravity)<br>*Blocked during deep CNAME inspection*
+10 | Blocked | ❌ | Domain matched by a [regex blacklist](gravity/index.md#regex-table-regex) filter<br>*Blocked during deep CNAME inspection*
+11 | Blocked | ❌ | Domain contained in [exact blacklist](gravity/index.md#blacklist-table-blacklist)<br>*Blocked during deep CNAME inspection*
+12 | Allowed | ✅ | Retried query
+13 | Allowed | ✅ | Retried but ignored query (this may happen during ongoing DNSSEC validation)
+14 | Allowed | ✅ | Already forwarded, not forwarding again
 
 ### Example for interaction with the long-term query database
 

diff --git a/docs/ftldns/compile.md b/docs/ftldns/compile.md
@@ -8,13 +8,13 @@ Install them by running the following command in a terminal:
 ### Debian / Ubuntu / Raspbian
 
 ```bash
-sudo apt install build-essential libgmp-dev m4 cmake libidn11-dev libreadline-dev
+sudo apt install build-essential libgmp-dev m4 cmake libidn11-dev libreadline-dev xxd
 ```
 
 ### Fedora
 
 ```bash
-sudo dnf install gcc gmp-devel gmp-static m4 cmake libidn-devel readline-devel
+sudo dnf install gcc gmp-devel gmp-static m4 cmake libidn-devel readline-devel xxd
 ```
 
 ## Compile `libnettle` from source

diff --git a/docs/ftldns/configfile.md b/docs/ftldns/configfile.md
@@ -22,6 +22,13 @@ Use this option to disable deep CNAME inspection. This might be beneficial for v
 ESNI will obviously cause issues for `pixelserv-tls` which will be unable to generate matching certificates on-the-fly when it cannot read the SNI. Cloudflare and Firefox are already enabling ESNI.
 According to the IEFT draft (link above), we can easily restore `piselserv-tls`'s operation by replying `NXDOMAIN` to `_esni.` subdomains of blocked domains as this mimics a "not configured for this domain" behavior.
 
+#### `EDNS0_ECS=true|false` (PR [#851](https://github.com/pi-hole/FTL/pull/851)) {#block_edns0_ecs data-toc-label='EDNS ECS overwrite'}
+
+Should we overwrite the query source when client information is provided through EDNS0 client subnet (ECS) information?
+This allows Pi-hole to obtain client IPs even if they are hidden behind the NAT of a router.
+
+This feature has been requested and discussed on [Discourse](https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940) where further information how to use it can be found.
+
 ---
 
 ### Statistics settings
@@ -69,7 +76,7 @@ Should `FTL` try to resolve IPv4 addresses to hostnames?
 
 #### `DELAY_STARTUP=0` (PR [#716](https://github.com/pi-hole/FTL/pull/716)) {#delay_startup data-toc-label='Delay resolver startup'}
 
-In certain configurations, you may want FTL to wait a given amount of time before trying to start the DNS revolver. This is typically found when network interfaces appear only late during system startup and the interface startup priorities are configured incorrectly. This setting takes any integer value between 0 and 300 seconds
+In certain configurations, you may want FTL to wait a given amount of time before trying to start the DNS revolver. This is typically found when network interfaces appear only late during system startup and the interface startup priorities are configured incorrectly. This setting takes any integer value between 0 and 300 seconds.
 
 #### `NICE=-10` (PR [#798](https://github.com/pi-hole/FTL/pull/798)) {#nice data-toc-label='Set niceness'}
 
@@ -81,6 +88,13 @@ to favor or disfavor a process in scheduling decisions. The range of the nice
 value varies across UNIX systems. On modern Linux, the range is `-20` (high
 priority = not very nice to other processes) to `+19` (low priority).
 
+#### `MAXNETAGE=[MAXDBDAYS]` (PR [#871](https://github.com/pi-hole/FTL/pull/871)) {#maxnetage data-toc-label='Network table cleaning'}
+
+IP addresses (and associated host names) older than the specified number of days
+are removed to avoid dead entries in the network overview table. This setting
+defaults to the same value as `MAXDBDAYS` above but can be changed independently
+if needed.
+
 #### `NAMES_FROM_NETDB=true|false` (PR [#784](https://github.com/pi-hole/FTL/pull/784)) {#names_from_netdb data-toc-label='Load names from network table'}
 
 Control whether FTL should use the fallback option to try to obtain client names
@@ -206,7 +220,7 @@ Controls if *FTL*DNS should print extended details about regex matching into `pi
 Due to legacy reasons, we also support the following setting to be used for enabling the same functionality:<br>
 `REGEX_DEBUGMODE=false|true`
 Note that if one of them is set to `true`, the other one cannot be used to disable this setting again.<br>
-**[More details](regex/overview.md)**
+**[More details](../regex/overview.md)**
 
 #### `DEBUG_API=false|true` {#debug_api data-toc-label='Telnet'}
 

diff --git a/docs/regex/approximate.md b/docs/regex/approximate.md
@@ -0,0 +1,97 @@
+# Approximative matching
+
+You may or not be know `agrep`. It is basically a "forgiving" `grep` and is, for instance, used for searching through (offline) dictionaries. It is tolerant against errors (up to degree you specify). It may be beneficial is you want to match against domains where you don't really know the pattern. It is just an idea, we will have to see if it is actually useful.
+
+This is a somewhat complicated topic, we'll approach it by examples as it is very complicated to get the head around it by just listening to the specifications.
+
+The approximate matching settings for a subpattern can be changed by appending *approx-settings* to the subpattern. Limits for the number of errors can be set and an expression for specifying and limiting the costs can be given:
+
+## Accepted **insertions** (`+`)
+
+Use `(something){+x}` to specify that the regex should still be matching when `x` characters would need it be *inserted* into the sub-expression `something`.
+
+Example:
+
+- `doubleclick.net` is matched by `^doubleclick\.(nt){+1}$`
+
+The missing `e` in `nt` is inserted.
+
+Similarly:
+
+- `doubleclick.net` is matched by `^(doubleclk\.nt){+3}$`
+
+The missing characters in the domain are substituted. The maximum number of insertions spans the entire domain as is wrapped in the sub-expression `(...)`.
+
+## Accepted **deletions** (`-`)
+
+Use `(something){-x}` to specify that the regex should still be matching when `x` characters would need it be *deleted* from the sub-expression `something`:
+
+Example:
+
+- `doubleclick.net` is matched by `^doubleclick\.(neet){-1}$`
+
+The surplus `e` in `neet` is deleted.
+
+Similarly:
+
+- `doubleclick.net` is matched by `^(doubleclicky\.netty){-3}$`
+- `doubleclick.net` is NOT matched by `^(doubleclicky\.nettfy){-3}$`
+
+## Accepted **substitutions** (`#`)
+
+Use `(something){#x}` to specify that the regex should still be matching when `x` characters would need to be *substituted* from the sub-expression `something`:
+
+Example 1:
+
+- `oobargoobaploowap` is matched by `(foobar){#2~2}`
+Hint: `goobap` is `foobar` with two substitutions `f->g` and `r->p`
+
+Example 2:
+
+- `doubleclick.net` is matched by `^doubleclick\.n(tt){#1}$`
+
+The incorrect `t` in `ntt` is substituted. Note that substitutions are necessary when a character needs to be replaced as the corresponding realization with one insertion and one deletion is **not identical**:
+
+`doubleclick.net` is matched by `^doubleclick\.n(tt){+1-1}$`
+
+(`t` is removed, `e` is added), however
+
+- `doubleclick.nt` is ALSO matched by `^doubleclick\.n(tt){+1-1}$`
+
+(the `t` is just removed, nothing had to be added) but
+
+- `doubleclick.nt` is NOT matched by `^doubleclick\.n(tt){#1}$`
+
+doesn't match as substitutions always require characters to be swapped by others.
+
+## Combinations and total error limit (`~`)
+
+All rules from above can be combined like as `{+2-5#6}` allowing (up to!) two insertions, five deletions, and six substitutions. You can enforce an upper limit on the number of tried realizations using the tilde. Even when `{+2-5#6}` can lead to up to 13 operations being tried, this can be limited to (at most) seven tries using `{+2-5#6~7}`.
+
+Example:
+
+- `oobargoobploowap` is matched by `(foobar){+2#2~3}`
+
+    Hint: `goobaap` is `foobar` with
+            - two substitutions `f->g` and `r->p`, and
+            - one addition `a` between `bar` (to have `baap`)
+
+Specifying `~2` instead of `~3` will lead to no match as three errors need to be corrected in total for a match in this example.
+
+## Advanced topic: Cost-equation
+
+You can even weight the "costs" of insertions, deletions or substitutions. This is really an advanced topic and should only be touched when really needed.
+
+A *cost-equation* can be thought of as a mathematical equation, where `i`, `d`, and `s` stand for the number of insertions, deletions, and substitutions, respectively. The equation can have a multiplier for each of `i`, `d`, and `s`.
+The multiplier is the **cost of the error**, and the number after `<` is the maximum allowed total cost of a match. Spaces and pluses can be inserted to make the equation more readable. When specifying only a cost equation, adding a space after the opening `{` is **required** .
+
+Example 1: `{ 2i + 1d + 2s < 5 }`
+
+This sets the cost of an insertion to two, a deletion to one, a substitution to two, and the maximum cost to five.
+
+Example 2: `{+2-5#6, 2i + 1d + 2s < 5 }`
+
+This sets the cost of an insertion to two, a deletion to one, a substitution to two, and the maximum cost to five. Furthermore, it allows only up to 2 insertions (coming at a total cost of 4), five deletions and up to 6 substitutions. As six substitutions would come at a cost of `6*2 = 12`, exeeding the total allowed costs of 5, they cannot all be realized.
+
+
+{!abbreviations.md!}
diff --git a/docs/ftldns/regex/overview.md → docs/regex/overview.md b/docs/ftldns/regex/overview.md → docs/regex/overview.md
@@ -1,7 +1,7 @@
-A regular expression, or RegEx for short, is a pattern that can be used for building arbitrarily complex filter rules in *FTL*DNS.
-We implement the POSIX Extended Regular Expressions similar to the one used by the UNIX `egrep` (or `grep -E`) command.
+A regular expression, or RegEx for short, is a pattern that **can be used for building arbitrarily complex filter** rules in *FTL*DNS.
+We implement the POSIX Extended Regular Expressions similar to the one used by the UNIX `egrep` (or `grep -E`) command. We amend the regex engine by approximate blocking (compare to `agrep`) and other special features like matching to specific query types only.
 
-Our implementation is light and fast as each domain is only checked once for a match (if you query `google.com`, it will be checked against your RegEx. Any subsequent query to the same domain will not be checked again until you restart `pihole-FTL`).
+Our implementation is light and fast as each domain is only checked once for a match. When you query `google.com`, it will be checked against your RegEx. Any subsequent query to the same domain will not be checked again until you restart `pihole-FTL`.
 
 ## Hierarchy of regex filters in *FTL*DNS
 
@@ -13,7 +13,7 @@ There are two locations where regex filters are important:
 
 ## How to use regular expressions for filtering domains
 
-*FTL*DNS reads in regular expression filters from the two [`regex` database views](../../database/gravity/index.md).
+*FTL*DNS reads in regular expression filters from the two [`regex` database views](../database/gravity/index.md).
 To tell *FTL*DNS to reload the list of regex filters, either:
 
 - Execute `pihole restartdns reload-lists` or
@@ -26,7 +26,7 @@ The first command is to be preferred as it ensures that the DNS cache itself rem
 
 To ease the usage of regular expression filters in *FTL*DNS, we offer a regex debugging mode. Set
 
-```
+``` plain
 DEBUG_REGEX=true
 ```