From ca01c1bf59140e7bee13a4da8c91c759f9eec069 Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Tue, 13 Jun 2023 17:48:27 +0200
Subject: [PATCH] dnsdist: Split in two packages `dnsdist` and `dnsdist-full`

`dnsdist-full` has all optional features enabled, but is a big package
in term of both flash and memory footprint.
`dnsdist` only keeps the features that make the most sense
on embeded devices, but can also be customised to match the
user's needs, up to the point where it matches `dnsdist-full`.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
---
 net/dnsdist/Makefile | 319 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 261 insertions(+), 58 deletions(-)

diff --git a/net/dnsdist/Makefile b/net/dnsdist/Makefile
index 33ff21eeac..b060105f62 100644
--- a/net/dnsdist/Makefile
+++ b/net/dnsdist/Makefile
@@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsdist
 PKG_VERSION:=1.8.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=https://downloads.powerdns.com/releases/
@@ -16,7 +16,6 @@ PKG_CPE_ID:=cpe:/a:powerdns:dnsdist
 PKG_INSTALL:=1
 PKG_BUILD_PARALLEL:=1
 
-PKG_ASLR_PIE:=0
 PKG_BUILD_DEPENDS:=boost
 
 PKG_CONFIG_DEPENDS:= \
@@ -25,6 +24,35 @@ PKG_CONFIG_DEPENDS:= \
 
 include $(INCLUDE_DIR)/package.mk
 
+define Package/dnsdist/Default
+  SECTION:=net
+  CATEGORY:=Network
+  SUBMENU:=IP Addresses and Names
+  TITLE:=dnsdist DNS-, DOS- and abuse-aware loadbalancer $(2)
+  USERID:=dnsdist:dnsdist
+  DEPENDS:= \
+	  +ca-bundle \
+	  +libatomic \
+	  +libcap \
+	  +libstdcpp \
+	  +luajit
+  URL:=https://dnsdist.org/
+  VARIANT:=$(1)
+  PROVIDES:=dnsdist
+endef
+
+define Package/dnsdist/description/Default
+  dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life
+  is to route traffic to the best server, delivering top performance to legitimate
+  users while shunting or blocking abusive traffic.
+endef
+
+define Package/dnsdist/conffiles/Default
+/etc/dnsdist.conf
+/etc/config/dnsdist
+/etc/init.d/dnsdist
+endef
+
 define Package/dnsdist/config
 menu "Configuration"
 	depends on PACKAGE_dnsdist
@@ -34,12 +62,12 @@ menu "Configuration"
 		prompt "Selected SSL library"
 		default DNSDIST_OPENSSL
 
-		config DNSDIST_OPENSSL
-			bool "OpenSSL"
-
 		config DNSDIST_GNUTLS
 			bool "GnuTLS"
 
+		config DNSDIST_OPENSSL
+			bool "OpenSSL"
+
 		config DNSDIST_NOSSL
 			bool "No SSL support"
 
@@ -57,6 +85,7 @@ menu "Configuration"
 		default y
 
 	config DNSDIST_DNS_OVER_HTTPS_OUTGOING
+	depends on DNSDIST_OPENSSL
 	depends on !DNSDIST_NOSSL
 		bool "Outgoing DNS over HTTPS Support"
 		help
@@ -70,100 +99,274 @@ menu "Configuration"
 			"Enabled DNS over TLS Support for dnsdist"
 		default y
 
+	config DNSDIST_CARBON
+		bool "CARBON support"
+		help
+			"Enable Carbon (Graphite) support for dnsdist"
+		default n
+
+	config DNSDIST_LMDB
+		bool "LMDB support"
+		help
+			"Enable LMDB support for dnsdist"
+		default n
+
+	config DNSDIST_COMPLETION
+		bool "Console completion support"
+		help
+			"Enable console completion for dnsdist"
+		default n
+
+	config DNSDIST_DEBUG_SYMBOLS
+		bool "Debug symbols"
+		help
+			"Enable debug symbols in the dnsdist binary"
+		default n
+
+	config DNSDIST_DELAY_PIPE
+		bool "Delay action support"
+		help
+			"Enable delay action support for dnsdist"
+		default n
+
+	config DNSDIST_DYNBLOCKS
+		bool "Dynamic blocks support"
+		help
+			"Enable dynamic blocks support for dnsdist"
+		default n
+
+	config DNSDIST_DNSTAP
+		bool "DNSTAP support"
+		help
+			"Enable DNSTAP support for dnsdist"
+		default n
+
+	config DNSDIST_EBPF
+		bool "eBPF support"
+		help
+			"Enable eBPF support for dnsdist"
+		default n
+
+	config DNSDIST_ECS_ACTIONS
+		bool "ECS actions"
+		help
+			"Enable actions that control EDNS Client Subnet support for dnsdist"
+		default n
+
+	config DNSDIST_HASHED
+		bool "Hashed credentials"
+		help
+			"Enable credentials hashing support for dnsdist"
+		default n
+
+	config DNSDIST_IPCIPHER
+		bool "IP cipher support"
+		help
+			"Enable IP cipher support for dnsdist"
+		default n
+
+	config DNSDIST_LIBEDIT
+		bool "Build with libedit"
+		help
+			"Build with libedit - for completion, history and line editing"
+		default n
+
+	config DNSDIST_LMDB
+		bool "LMDB support"
+		help
+			"Enable LMDB support for dnsdist"
+		default n
+
+	config DNSDIST_LUA_ADVANCED
+		bool "Lua advanced bindings"
+		help
+			"Enable Lua bindings for queries and responses manipulation in dnsdist"
+		default n
+
+	config DNSDIST_MAC
+		bool "MAC address support"
+		help
+			"Enable MAC address in ring buffers support for dnsdist"
+		default y
+
 	config DNSDIST_NET_SNMP
 		bool "Net-SNMP support"
 		help
 			"Enable Net-SNMP support for dnsdist"
-		default y
+		default n
+
+	config DNSDIST_OCSP_STAPLING
+		bool "OCSP Stapling support"
+		help
+			"Enable OCSP Stapling support for dnsdist"
+		default n
+
+	config DNSDIST_PIE
+		bool "Position Independent Executable"
+		help
+			"Build dnsdist as a Position-Independent executable. This is required to benefit from ASLR, but significantly increases the required disk space and memory usage"
+		default n
+
+	config DNSDIST_PROTOBUF
+		bool "Protobuf support"
+		help
+			"Enable exporting queries and responses over Protocol Buffer for dnsdist"
+		default n
+
+	config DNSDIST_PROMETHEUS
+		bool "Prometheus support"
+		help
+			"Enable Prometheus support for dnsdist"
+		default n
 
 	config DNSDIST_RE2
 		bool "RE2 support"
 		help
 			"Enable RE2 support for dnsdist"
-		default y
+		default n
 
-	config DNSDIST_DNSTAP
-		bool "DNSTAP support"
+	config DNSDIST_RULES_ALTER
+		bool "Rules altering queries"
 		help
-			"Enable DNSTAP support for dnsdist"
-		default y
+			"Enable rules altering queries for dnsdist"
+		default n
+
+	config DNSDIST_SECPOLL
+		bool "Security polling"
+		help
+			"Enable security polling support for dnsdist"
+		default n
 
 	config DNSDIST_SODIUM
 		bool "Build with libsodium"
 		help
 			"Build with libsodium - for encrypted console connections, and DNSCrypt"
-		default y
+		default n
+
+	config DNSDIST_TOP_N
+		bool "Top N bindings"
+		help
+			"Enable bindings to get the top N queries and responses in dnsdist"
+		default n
+
+	config DNSDIST_WEB
+		bool "Internal web server"
+		help
+			"Enable support for the internal web server in dnsdist"
+		default n
+
 endmenu
 endef
 
+define Package/dnsdist/install/Default
+	$(INSTALL_DIR) $(1)/etc
+	$(INSTALL_DIR) $(1)/etc/dnsdist.conf.d
+	$(INSTALL_CONF) ./files/dnsdist.conf $(1)/etc/dnsdist.conf
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/dnsdist.config $(1)/etc/config/dnsdist
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/dnsdist.init $(1)/etc/init.d/dnsdist
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dnsdist $(1)/usr/bin/
+endef
+
 define Package/dnsdist
-  SECTION:=net
-  CATEGORY:=Network
-  SUBMENU:=IP Addresses and Names
-  TITLE:=dnsdist DNS-, DOS- and abuse-aware loadbalancer
-  DEPENDS:= \
+  $(call Package/dnsdist/Default,mini,- minimal version with a restricted feature set)
+  DEPENDS+= \
+	  +DNSDIST_LIBEDIT:libedit \
+	  +DNSDIST_DNSTAP:libfstrm \
+	  +DNSDIST_GNUTLS:libgnutls \
 	  +DNSDIST_DNS_OVER_HTTPS:libh2o-evloop \
+	  +DNSDIST_NET_SNMP:libnetsnmp \
 	  +DNSDIST_DNS_OVER_HTTPS_OUTGOING:libnghttp2 \
-	  +DNSDIST_GNUTLS:libgnutls \
 	  +DNSDIST_OPENSSL:libopenssl \
-	  +DNSDIST_NET_SNMP:libnetsnmp \
-	  +DNSDIST_RE2:re2 \
-	  +DNSDIST_DNSTAP:libfstrm \
 	  +DNSDIST_SODIUM:libsodium \
-	  +libatomic \
-	  +libcap \
-	  +libedit \
-	  +libstdcpp \
-	  +lmdb \
-	  +luajit \
-	  +tinycdb
-  URL:=https://dnsdist.org/
+	  +DNSDIST_LMDB:lmdb \
+	  +DNSDIST_CDB:tinycdb \
+	  +DNSDIST_RE2:re2
 endef
 
-define Package/dnsdist/description
-  dnsdist is a highly DNS-, DoS- and abuse-aware loadbalancer. Its goal in life
-  is to route traffic to the best server, delivering top performance to legitimate
-  users while shunting or blocking abusive traffic.
-endef
+Package/dnsdist/description=$(call Package/dnsdist/description/Default)
+Package/dnsdist/conffiles=$(call Package/dnsdist/conffiles/Default)
+Package/dnsdist/install=$(call Package/dnsdist/install/Default,$1)
 
-define Package/dnsdist/conffiles
-/etc/dnsdist.conf
-/etc/config/dnsdist
-/etc/init.d/dnsdist
+define Package/dnsdist-full
+  $(call Package/dnsdist/Default,full,- full version with all the features built in)
+  DEPENDS+= \
+	  +libedit \
+	  +libfstrm \
+	  +libgnutls \
+	  +libh2o-evloop \
+	  +libnetsnmp \
+	  +libnghttp2 \
+	  +libopenssl \
+	  +libsodium \
+	  +lmdb \
+	  +tinycdb \
+	  +re2
 endef
+Package/dnsdist-full/description=$(call Package/dnsdist/description/Default)
+Package/dnsdist-full/conffiles=$(call Package/dnsdist/conffiles/Default)
+Package/dnsdist-full/install=$(call Package/dnsdist/install/Default,$1)
 
 # not everything groks --disable-nls
 DISABLE_NLS:=
 
+# disable PIE for this package, see CONFIG_DNSDIST_PIE
+PKG_ASLR_PIE:=0
+
+ifneq ($(CONFIG_DNSDIST_DEBUG_SYMBOLS),)
+	RSTRIP:=:
+	STRIP:=:
+endif
+
+IsEnabled = $(or $(filter full,$(BUILD_VARIANT)),$(CONFIG_$(1)))
+
 # OpenWRT's setting of CXX destroys dnsdist's -std=c++17
 # --with-re2 compensates for that because it compensates for a bug in re2.pc that also destroys it
 # so this addition is for the --without-re2 case
 #
 # none of this is pretty
 TARGET_CXX+=-std=c++17
+TARGET_CFLAGS+=-Os -fvisibility=hidden -flto -fno-ipa-cp -DNDEBUG
+TARGET_CXXFLAGS+=-Os -fvisibility=hidden -flto -fno-ipa-cp -DNDEBUG \
+	-DDISABLE_DEPRECATED_DYNBLOCK -DDISABLE_RECVMMSG -DDISABLE_NPN -DDISABLE_FALSE_SHARING_PADDING -DUSE_SINGLE_ACCEPTOR_THREAD -DOPENSSL_NO_ENGINE -DDISABLE_OPENSSL_ERROR_STRINGS \
+	$(if $(call IsEnabled,DNSDIST_CARBON),,-DDISABLE_CARBON) \
+	$(if $(call IsEnabled,DNSDIST_COMPLETION),,-DDISABLE_COMPLETION) \
+	$(if $(call IsEnabled,DNSDIST_DEBUG_SYMBOLS),-g3,) \
+	$(if $(call IsEnabled,DNSDIST_DELAY_PIPE),,-DDISABLE_DELAY_PIPE) \
+	$(if $(call IsEnabled,DNSDIST_DYNBLOCKS),,-DDISABLE_DYNBLOCKS) \
+	$(if $(call IsEnabled,DNSDIST_ECS_ACTIONS),,-DDISABLE_ECS_ACTIONS) \
+	$(if $(call IsEnabled,DNSDIST_HASHED),,-DDISABLE_HASHED_CREDENTIALS) \
+	$(if $(call IsEnabled,DNSDIST_LUA_ADVANCED),,-DDISABLE_NON_FFI_DQ_BINDINGS -DDISABLE_POLICIES_BINDINGS -DDISABLE_DOWNSTREAM_BINDINGS -DDISABLE_DNSHEADER_BINDINGS -DDISABLE_COMBO_ADDR_BINDINGS -DDISABLE_QPS_LIMITER_BINDINGS -DDISABLE_PACKETCACHE_BINDINGS -DDISABLE_CLIENT_STATE_BINDINGS -DDISABLE_DNSPACKET_BINDINGS -DDISABLE_LUA_BINDINGS_RINGS) \
+	$(if $(call IsEnabled,DNSDIST_MAC),-DDNSDIST_RINGS_WITH_MACADDRESS,) \
+	$(if $(call IsEnabled,DNSDIST_OCSP_STAPLING),,-DDISABLE_OCSP_STAPLING) \
+	$(if $(call IsEnabled,DNSDIST_PROTOBUF),,-DDISABLE_PROTOBUF) \
+	$(if $(call IsEnabled,DNSDIST_PROMETHEUS),,-DDISABLE_PROMETHEUS) \
+	$(if $(call IsEnabled,DNSDIST_RULES_ALTER),,-DDISABLE_RULES_ALTERING_QUERIES) \
+	$(if $(call IsEnabled,DNSDIST_SECPOLL),,-DDISABLE_SECPOLL) \
+	$(if $(call IsEnabled,DNSDIST_TOP_N),,-DDISABLE_TOP_N_BINDINGS) \
+	$(if $(call IsEnabled,DNSDIST_WEB),,-DDISABLE_WEB_CONFIG -DDISABLE_BUILTIN_HTML -DDISABLE_LUA_WEB_HANDLERS)
 
 CONFIGURE_ARGS+= \
 	--with-pic \
 	--with-lua=luajit \
-	$(if $(CONFIG_DNSDIST_SODIUM),--enable-dnscrypt --with-libsodium,--disable-dnscrypt --without-libsodium) \
-	$(if $(CONFIG_DNSDIST_DNSTAP),--enable-dnstap=yes,--enable-dnstap=no) \
-	$(if $(CONFIG_DNSDIST_RE2),--with,--without)-re2 \
-	$(if $(CONFIG_DNSDIST_NET_SNMP),--with,--without)-net-snmp \
-	$(if $(CONFIG_DNSDIST_GNUTLS),--with,--without)-gnutls \
-	$(if $(CONFIG_DNSDIST_OPENSSL),--with,--without)-libssl \
-	$(if $(CONFIG_DNSDIST_DNS_OVER_TLS),--enable-dns-over-tls,) \
-	$(if $(CONFIG_DNSDIST_DNS_OVER_HTTPS),--enable-dns-over-https,) \
-	$(if $(CONFIG_DNSDIST_DNS_OVER_HTTPS_OUTGOING),--with,--without)-nghttp2
-
-define Package/dnsdist/install
-	$(INSTALL_DIR) $(1)/etc
-	$(INSTALL_CONF) ./files/dnsdist.conf $(1)/etc/dnsdist.conf
-	$(INSTALL_DIR) $(1)/etc/config
-	$(INSTALL_CONF) ./files/dnsdist.config $(1)/etc/config/dnsdist
-	$(INSTALL_DIR) $(1)/etc/init.d
-	$(INSTALL_BIN) ./files/dnsdist.init $(1)/etc/init.d/dnsdist
-	$(INSTALL_DIR) $(1)/usr/bin
-	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dnsdist $(1)/usr/bin/
-endef
+	--with-libcap \
+	$(if $(call IsEnabled,DNSDIST_PIE),,--disable-hardening) \
+	$(if $(call IsEnabled,DNSDIST_SODIUM),--enable-dnscrypt --with-libsodium,--disable-dnscrypt --without-libsodium) \
+	$(if $(call IsEnabled,DNSDIST_DNSTAP),--enable-dnstap=yes,--enable-dnstap=no) \
+	$(if $(call IsEnabled,DNSDIST_RE2),--with,--without)-re2 \
+	$(if $(call IsEnabled,DNSDIST_NET_SNMP),--with,--without)-net-snmp \
+	$(if $(call IsEnabled,DNSDIST_GNUTLS),--with,--without)-gnutls \
+	$(if $(call IsEnabled,DNSDIST_OPENSSL),--with,--without)-libssl \
+	$(if $(call IsEnabled,DNSDIST_DNS_OVER_TLS),--enable-dns-over-tls,) \
+	$(if $(call IsEnabled,DNSDIST_CDB),--with,--without)-cdb \
+	$(if $(call IsEnabled,DNSDIST_LMDB),--with,--without)-lmdb \
+	$(if $(call IsEnabled,DNSDIST_LIBEDIT),--with,--without)-libedit \
+	$(if $(call IsEnabled,DNSDIST_IPCIPHER),--enable,--disable)-ipcipher \
+	$(if $(call IsEnabled,DNSDIST_EBPF),--with,--without)-ebpf \
+	$(if $(call IsEnabled,DNSDIST_DNS_OVER_HTTPS),--enable-dns-over-https,) \
+	$(if $(call IsEnabled,DNSDIST_DNS_OVER_HTTPS_OUTGOING),--with,--without)-nghttp2
 
 $(eval $(call BuildPackage,dnsdist))
+$(eval $(call BuildPackage,dnsdist-full))
-- 
2.30.2