[FR] Better logging for refused queries

[ohmantics]

Current behavior
Debugging ACLs is hard.

Describe the desired feature
When a query is refused/denied and sufficiently verbose logging is enabled, the reason why the query is refused should be logged. e.g.

[12345:1] debug: refused query from ip4 1.2.3.4 port 12345 (len 16) because of 'access-control: 0.0.0.0/32 refuse_non_local'

Potential use-case
Configuring these things is hard enough. Adding better logging will aid in debugging.

[ohmantics]

One possibility build be to think of the configuration language as if you're a compiler. Clang and GCC provide diagnostics that indicate file and line number information. This would require tracking the file names for the main config file and each included file. Each interesting token would save a file index and the line number. For the case of ACLs, there would also be a special location for "<built-in>" rules.

In the case that motivated me to write this feature request, I had access-control: 0.0.0.0/32 refuse_non_local when I should have had /0. So the diagnostic for this would be like:

[12345:1] debug: refused query from ip4 1.2.3.4 port 12345 (len 16) because of <built-in>:0:'access-control: 0.0.0.0/0 deny'

As the user, I would then see that the blocking ACL was not among my configured ACLs and see my error. Of course, with an improved diagnostic system like this, I might also have seen:

[12345:1] info: ACL specifies empty range at access_lists.conf:15:'access-control: 0.0.0.0/32 refuse_non_local'

[wcawijngaards]

The fix creates output like this:
dropped query from 127.0.0.1 port 60176 because of 127.0.0.0/8 deny_non_local

The 0.0.0.0/32 example you give is not an empty range, it has one address in it, with zeroes. It is a valid method to put access control onto single addresses. For ipv6 with /128. And this also works for other configuration statements with netblocks.

It does not track the file and location of the definition of the access-control element, but the printout of the netblock is there. Hopefully this helps. Also dropped messages are logged, at high verbosity, of 4 or more.

[ohmantics]

Amazing turnaround. Many thanks!