* [PATCH] dnsmasq: latest upstream patches
@ 2015-09-13 19:03 Matthias Fischer
From: Matthias Fischer @ 2015-09-13 19:03 UTC (permalink / raw)
To: development
dnsmasq: latest upstream patches
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
lfs/dnsmasq | 6 +++
.../004-fix_behaviour_of_empty_dhcp-option.patch | 38 ++++++++++++++++
...ution_to_ENOMEM_error_with_IPv6_multicast.patch | 50 ++++++++++++++++++++++
...page_on_RDNSS_set_in_router_advertisement.patch | 35 +++++++++++++++
...gned_dangling_CNAME_replies_to_DS_queries.patch | 30 +++++++++++++
...6_option_56_does_not_hold_an_address_list.patch | 25 +++++++++++
...pect_the_--no_resolv_flag_in_inotify_code.patch | 47 ++++++++++++++++++++
7 files changed, 231 insertions(+)
create mode 100644 src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
create mode 100644 src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
create mode 100644 src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
create mode 100644 src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
create mode 100644 src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
create mode 100644 src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index f16c761..db56091 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -76,6 +76,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
new file mode 100644
index 0000000..492ada9
--- /dev/null
+++ b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
@@ -0,0 +1,38 @@
+From 5e3e464ac4022ee0b3794513abe510817e2cf3ca Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Tue, 25 Aug 2015 23:08:39 +0100
+Subject: [PATCH] Fix behaviour of empty dhcp-option=option6:dns-server, which
+ should inhibit sending option.
+
+---
+ src/rfc3315.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 2665d0d..3f1f9ee 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1320,15 +1320,16 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+
+ if (opt_cfg->opt == OPTION6_REFRESH_TIME)
+ done_refresh = 1;
++
++ if (opt_cfg->opt == OPTION6_DNS_SERVER)
++ done_dns = 1;
+
+- if (opt_cfg->flags & DHOPT_ADDR6)
++ /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
++ if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)
+ {
+ int len, j;
+ struct in6_addr *a;
+
+- if (opt_cfg->opt == OPTION6_DNS_SERVER)
+- done_dns = 1;
+-
+ for (a = (struct in6_addr *)opt_cfg->val, len = opt_cfg->len, j = 0;
+ j < opt_cfg->len; j += IN6ADDRSZ, a++)
+ if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_addr)) ||
+--
+1.7.10.4
+
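Review bot: The widened condition `if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)` lets an OPTION6_DNS_SERVER entry that did not get DHOPT_ADDR6 reach the `(struct in6_addr *)opt_cfg->val` cast and the address loop. That is only safe if such an entry is guaranteed to have `len == 0`, which the comment `/* Empty DNS_SERVER option will not set DHOPT_ADDR6 */` assumes but the code does not enforce; if option parsing can attach a non-address payload to dns-server, the loop would read it as in6_addr. A cheap guard is `if ((opt_cfg->flags & DHOPT_ADDR6) || (opt_cfg->opt == OPTION6_DNS_SERVER && opt_cfg->len == 0))`. Moving `done_dns = 1` out of the branch also means any configured dns-server option now suppresses the default, which appears to be the intent and is worth stating in that comment. add_options continues outside the quoted hunk.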
diff --git a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
new file mode 100644
index 0000000..c7cee60
--- /dev/null
+++ b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
@@ -0,0 +1,50 @@
+From 9cdcfe9f19ffd45bac4e5b459879bf7c50a287ed Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 26 Aug 2015 22:38:08 +0100
+Subject: [PATCH] Suggest solution to ENOMEM error with IPv6 multicast.
+
+---
+ src/network.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/network.c b/src/network.c
+index a1d90c8..819302f 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1076,23 +1076,30 @@ void join_multicast(int dienow)
+
+ if ((daemon->doing_dhcp6 || daemon->relay6) &&
+ setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
+- err = 1;
++ err = errno;
+
+ inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
+
+ if (daemon->doing_dhcp6 &&
+ setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
+- err = 1;
++ err = errno;
+
+ inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
+
+ if (daemon->doing_ra &&
+ setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
+- err = 1;
++ err = errno;
+
+ if (err)
+ {
+ char *s = _("interface %s failed to join DHCPv6 multicast group: %s");
++ errno = err;
++
++#ifdef HAVE_LINUX_NETWORK
++ if (errno == ENOMEM)
++ my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
++#endif
++
+ if (dienow)
+ die(s, iface->name, EC_BADNET);
+ else
+--
+1.7.10.4
+
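Review bot: `errno = err;` is restored before the new `my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"))` call, but that call sits between the restore and the `die(s, iface->name, EC_BADNET)` / syslog branch that presumably formats the `%s` in `s` from errno, so a failing syslog write inside my_syslog could clobber the saved value before it is reported. Either repeat `errno = err;` immediately before `if (dienow)` or emit the hint after the main message. Capturing `err = errno` right after each failing setsockopt is the right change; note that only the last failure's errno survives, so an earlier ENOMEM followed by a different error would not trigger the hint.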
diff --git a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
new file mode 100644
index 0000000..19c76e6
--- /dev/null
+++ b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
@@ -0,0 +1,35 @@
+From 20fd11e11a9d09edcea94de135396ae1541fbbab Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 26 Aug 2015 22:48:13 +0100
+Subject: [PATCH] Clarify man page on RDNSS set in router advertisement.
+
+---
+ man/dnsmasq.8 | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index a23c898..d51b10f 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -1687,15 +1687,15 @@ creation are handled by a different protocol. When DHCP is in use,
+ only a subset of this is needed, and dnsmasq can handle it, using
+ existing DHCP configuration to provide most data. When RA is enabled,
+ dnsmasq will advertise a prefix for each dhcp-range, with default
+-router and recursive DNS server as the relevant link-local address on
+-the machine running dnsmasq. By default, he "managed address" bits are set, and
++router as the relevant link-local address on
++the machine running dnsmasq. By default, the "managed address" bits are set, and
+ the "use SLAAC" bit is reset. This can be changed for individual
+ subnets with the mode keywords described in
+ .B --dhcp-range.
+ RFC6106 DNS parameters are included in the advertisements. By default,
+ the relevant link-local address of the machine running dnsmasq is sent
+ as recursive DNS server. If provided, the DHCPv6 options dns-server and
+-domain-search are used for RDNSS and DNSSL.
++domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL).
+ .TP
+ .B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
+ Set non-default values for router advertisements sent via an
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
new file mode 100644
index 0000000..832a22e
--- /dev/null
+++ b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
@@ -0,0 +1,30 @@
+From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Wed, 9 Sep 2015 22:51:13 +0100
+Subject: [PATCH] Handle signed dangling CNAME replies to DS queries.
+
+---
+ src/dnssec.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 4deda24..67ce486 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
+
+ /* If we return STAT_NO_SIG, name contains the name of the DS query */
+ if (val == STAT_NO_SIG)
+- {
+- *keyname = 0;
+- return val;
+- }
+-
++ return val;
++
+ /* If the key needed to validate the DS is on the same domain as the DS, we'll
+ loop getting nowhere. Stop that now. This can happen of the DS answer comes
+ from the DS's zone, and not the parent zone. */
+--
+1.7.10.4
+
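Review bot: The comment above the changed lines, `/* If we return STAT_NO_SIG, name contains the name of the DS query */`, no longer describes the full contract: with `*keyname = 0;` removed, a caller receiving STAT_NO_SIG now also gets whatever `keyname` held (presumably set earlier in the function), and any caller that relied on it being empty to distinguish cases needs checking. Extend the comment to say what keyname carries on this path, e.g. `/* If we return STAT_NO_SIG, name contains the name of the DS query and keyname is left as set above for the caller to follow. */`. dnssec_validate_ds starts and ends outside the quoted hunk.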
diff --git a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
new file mode 100644
index 0000000..fdccd0e
--- /dev/null
+++ b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
@@ -0,0 +1,25 @@
+From 102208df695e886a3086754d32bf7f8c541fbe46 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Thu, 10 Sep 2015 21:50:00 +0100
+Subject: [PATCH] DHCPv6 option 56 does not hold an address list. (RFC 5908).
+
+---
+ src/dhcp-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcp-common.c b/src/dhcp-common.c
+index bc48f41..8fc171a 100644
+--- a/src/dhcp-common.c
++++ b/src/dhcp-common.c
+@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] = {
+ { "sntp-server", 31, OT_ADDR_LIST },
+ { "information-refresh-time", 32, OT_TIME },
+ { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
+- { "ntp-server", 56, OT_ADDR_LIST },
++ { "ntp-server", 56, 0 },
+ { "bootfile-url", 59, OT_NAME },
+ { "bootfile-param", 60, OT_CSTRING },
+ { NULL, 0, 0 }
+--
+1.7.10.4
+
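Review bot: Changing the `ntp-server` entry from `OT_ADDR_LIST` to `0` removes the only type information the table carries for option 56, so a configured `option6:ntp-server` value is presumably now parsed as raw data rather than as addresses, and existing configurations that listed bare IPv6 addresses change meaning silently. A comment on the entry, `/* RFC 5908: encapsulated sub-options, not a plain address list */`, would record why this option is typeless, and since the patch touches only the table a CHANGELOG note about the behaviour change would help users who relied on the old parsing.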
diff --git a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
new file mode 100644
index 0000000..2014fdb
--- /dev/null
+++ b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
@@ -0,0 +1,47 @@
+From 77607cbea0ad0f876dfb79c8b2c121ee400d57d0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Thu, 10 Sep 2015 23:08:43 +0100
+Subject: [PATCH] Respect the --no-resolv flag in inotify code.
+
+---
+ CHANGELOG | 7 ++++++-
+ debian/changelog | 6 ++++++
+ src/inotify.c | 3 +++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index bbc2834..d6e309f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -7,8 +7,13 @@ version 2.76
+
+ Enhance --add-subnet to allow arbitrary subnet addresses.
+ Thanks to Ed Barsley for the patch.
++
++ Respect the --no-resolv flag in inotify code. Fixes bug
++ which caused dnsmasq to fail to start if a resolv-file
++ was a dangling symbolic link, even of --no-resolv set.
++ Thanks to Alexander Kurtz for spotting the problem.
++
+
+-
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+ dhcp-script is configured. Thanks to Adrian Davey for
+diff --git a/src/inotify.c b/src/inotify.c
+index 52d412f..ef05c58 100644
+--- a/src/inotify.c
++++ b/src/inotify.c
+@@ -90,6 +90,9 @@ void inotify_dnsmasq_init()
+
+ if (daemon->inotifyfd == -1)
+ die(_("failed to create inotify: %s"), NULL, EC_MISC);
++
++ if (option_bool(OPT_NO_RESOLV))
++ return;
+
+ for (res = daemon->resolv_files; res; res = res->next)
+ {
+--
+1.7.10.4
+
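Review bot: The early `return` after `if (option_bool(OPT_NO_RESOLV))` leaves `daemon->inotifyfd` created but, within this function, without any resolv-file watches, and nothing in the hunk says whether other code still depends on that descriptor; a comment such as `/* keep inotifyfd open for any other watchers; only the resolv-file watches are skipped */` would make the intent explicit, adjusted to whatever actually uses the fd. The CHANGELOG text `even of --no-resolv set` should read `even if --no-resolv is set`. inotify_dnsmasq_init continues outside the quoted hunk.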
--
2.5.2
* [PATCH] dnsmasq: latest upstream patches
@ 2015-08-15 7:27 matthias.fischer
From: matthias.fischer @ 2015-08-15 7:27 UTC (permalink / raw)
To: development
From: Matthias Fischer <matthias.fischer(a)ipfire.org>
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
---
lfs/dnsmasq | 4 +
...01-include_0_0_0_0_8_in_DNS_rebind_checks.patch | 41 ++++
...subnet_to_allow_arbitary_subnet_addresses.patch | 271 +++++++++++++++++++++
...h_zones_locally_when_localise_queries_set.patch | 34 +++
4 files changed, 350 insertions(+)
create mode 100644 src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
create mode 100644 src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
create mode 100644 src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index f327967..f16c761 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -73,7 +73,11 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
+
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
-e 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' \
diff --git a/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch b/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
new file mode 100644
index 0000000..8a2557a
--- /dev/null
+++ b/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
@@ -0,0 +1,41 @@
+From d2aa7dfbb6d1088dcbea9fecc61b9293b320eb95 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Mon, 3 Aug 2015 21:52:12 +0100
+Subject: [PATCH] Include 0.0.0.0/8 in DNS rebind checks.
+
+---
+ CHANGELOG | 7 +++++++
+ src/rfc1035.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 901da47..3f4026d 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -1,3 +1,10 @@
++version 2.76
++ Include 0.0.0.0/8 in DNS rebind checks. This range
++ translates to hosts on the local network, or, at
++ least, 0.0.0.0 accesses the local host, so could
++ be targets for DNS rebinding. See RFC 5735 section 3
++ for details. Thanks to Stephen Röttger for the bug report.
++
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+ dhcp-script is configured. Thanks to Adrian Davey for
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 56647b0..29e9e65 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -728,7 +728,8 @@ int private_net(struct in_addr addr, int ban_localhost)
+ in_addr_t ip_addr = ntohl(addr.s_addr);
+
+ return
+- (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
++ (((ip_addr & 0xFF000000) == 0x7F000000) && ban_localhost) /* 127.0.0.0/8 (loopback) */ ||
++ ((ip_addr & 0xFF000000) == 0x00000000) /* RFC 5735 section 3. "here" network */ ||
+ ((ip_addr & 0xFFFF0000) == 0xC0A80000) /* 192.168.0.0/16 (private) */ ||
+ ((ip_addr & 0xFF000000) == 0x0A000000) /* 10.0.0.0/8 (private) */ ||
+ ((ip_addr & 0xFFF00000) == 0xAC100000) /* 172.16.0.0/12 (private) */ ||
+--
+1.7.10.4
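Review bot: The new test `((ip_addr & 0xFF000000) == 0x00000000)` in private_net is unconditional, while the loopback test directly above it is gated on `ban_localhost`; since the CHANGELOG text itself equates 0.0.0.0 with the local host, a reader will ask whether the localhost relaxation was meant to cover it too. If treating 0.0.0.0/8 as always-private is deliberate, record that in the comment, e.g. `/* 0.0.0.0/8 "this" network, RFC 5735 section 3; intentionally not relaxed by ban_localhost */`. private_net is a shared predicate, so every other caller (presumably including the bogus-priv reverse-lookup path) now also classifies 0.x.x.x as private; worth confirming that is wanted. The 127.0.0.0/8 line is removed and re-added with identical text, which is whitespace-only churn.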
diff --git a/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch b/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
new file mode 100644
index 0000000..2d3d6e4
--- /dev/null
+++ b/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
@@ -0,0 +1,271 @@
+From a7369bef8abd241c3d85633fa9c870943f091e76 Mon Sep 17 00:00:00 2001
+From: Ed Bardsley <ebardsley(a)google.com>
+Date: Wed, 5 Aug 2015 21:17:18 +0100
+Subject: [PATCH] Enhance --add-subnet to allow arbitary subnet addresses.
+
+---
+ CHANGELOG | 4 ++++
+ man/dnsmasq.8 | 32 ++++++++++++++++++++-----------
+ src/dnsmasq.h | 13 ++++++++++---
+ src/option.c | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
+ src/rfc1035.c | 39 +++++++++++++++++++++++++++++++-------
+ 5 files changed, 121 insertions(+), 26 deletions(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index 3f4026d..bbc2834 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -4,6 +4,10 @@ version 2.76
+ least, 0.0.0.0 accesses the local host, so could
+ be targets for DNS rebinding. See RFC 5735 section 3
+ for details. Thanks to Stephen Röttger for the bug report.
++
++ Enhance --add-subnet to allow arbitrary subnet addresses.
++ Thanks to Ed Barsley for the patch.
++
+
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index c8913b5..a23c898 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -604,17 +604,27 @@ experimental. Also note that exposing MAC addresses in this way may
+ have security and privacy implications. The warning about caching
+ given for --add-subnet applies to --add-mac too.
+ .TP
+-.B --add-subnet[[=<IPv4 prefix length>],<IPv6 prefix length>]
+-Add the subnet address of the requestor to the DNS queries which are
+-forwarded upstream. The amount of the address forwarded depends on the
+-prefix length parameter: 32 (128 for IPv6) forwards the whole address,
+-zero forwards none of it but still marks the request so that no
+-upstream nameserver will add client address information either. The
+-default is zero for both IPv4 and IPv6. Note that upstream nameservers
+-may be configured to return different results based on this
+-information, but the dnsmasq cache does not take account. If a dnsmasq
+-instance is configured such that different results may be encountered,
+-caching should be disabled.
++.B --add-subnet[[=[<IPv4 address>/]<IPv4 prefix length>][,[<IPv6 address>/]<IPv6 prefix length>]]
++Add a subnet address to the DNS queries which are forwarded
++upstream. If an address is specified in the flag, it will be used,
++otherwise, the address of the requestor will be used. The amount of
++the address forwarded depends on the prefix length parameter: 32 (128
++for IPv6) forwards the whole address, zero forwards none of it but
++still marks the request so that no upstream nameserver will add client
++address information either. The default is zero for both IPv4 and
++IPv6. Note that upstream nameservers may be configured to return
++different results based on this information, but the dnsmasq cache
++does not take account. If a dnsmasq instance is configured such that
++different results may be encountered, caching should be disabled.
++
++For example,
++.B --add-subnet=24,96
++will add the /24 and /96 subnets of the requestor for IPv4 and IPv6 requestors, respectively.
++.B --add-subnet=1.2.3.4/24
++will add 1.2.3.0/24 for IPv4 requestors and ::/0 for IPv6 requestors.
++.B --add-subnet=1.2.3.4/24,1.2.3.4/24
++will add 1.2.3.0/24 for both IPv4 and IPv6 requestors.
++
+ .TP
+ .B \-c, --cache-size=<cachesize>
+ Set the size of dnsmasq's cache. The default is 150 names. Setting the cache size to zero disables caching.
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index cf1a782..f42acdb 100644
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -541,6 +541,13 @@ struct iname {
+ struct iname *next;
+ };
+
++/* subnet parameters from command line */
++struct mysubnet {
++ union mysockaddr addr;
++ int addr_used;
++ int mask;
++};
++
+ /* resolv-file parms from command-line */
+ struct resolvc {
+ struct resolvc *next;
+@@ -935,9 +942,9 @@ extern struct daemon {
+ struct auth_zone *auth_zones;
+ struct interface_name *int_names;
+ char *mxtarget;
+- int addr4_netmask;
+- int addr6_netmask;
+- char *lease_file;
++ struct mysubnet *add_subnet4;
++ struct mysubnet *add_subnet6;
++ char *lease_file;
+ char *username, *groupname, *scriptuser;
+ char *luascript;
+ char *authserver, *hostmaster;
+diff --git a/src/option.c b/src/option.c
+index ecc2619..746cd11 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -445,7 +445,7 @@ static struct {
+ { LOPT_PXE_SERV, ARG_DUP, "<service>", gettext_noop("Boot service for PXE menu."), NULL },
+ { LOPT_TEST, 0, NULL, gettext_noop("Check configuration syntax."), NULL },
+ { LOPT_ADD_MAC, OPT_ADD_MAC, NULL, gettext_noop("Add requestor's MAC address to forwarded DNS queries."), NULL },
+- { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add requestor's IP subnet to forwarded DNS queries."), NULL },
++ { LOPT_ADD_SBNET, ARG_ONE, "<v4 pref>[,<v6 pref>]", gettext_noop("Add specified IP subnet to forwarded DNS queries."), NULL },
+ { LOPT_DNSSEC, OPT_DNSSEC_PROXY, NULL, gettext_noop("Proxy DNSSEC validation results from upstream nameservers."), NULL },
+ { LOPT_INCR_ADDR, OPT_CONSEC_ADDR, NULL, gettext_noop("Attempt to allocate sequential IP addresses to DHCP clients."), NULL },
+ { LOPT_CONNTRACK, OPT_CONNTRACK, NULL, gettext_noop("Copy connection-track mark from queries to upstream connections."), NULL },
+@@ -722,6 +722,20 @@ static void do_usage(void)
+
+ #define ret_err(x) do { strcpy(errstr, (x)); return 0; } while (0)
+
++static char *parse_mysockaddr(char *arg, union mysockaddr *addr)
++{
++ if (inet_pton(AF_INET, arg, &addr->in.sin_addr) > 0)
++ addr->sa.sa_family = AF_INET;
++#ifdef HAVE_IPV6
++ else if (inet_pton(AF_INET6, arg, &addr->in6.sin6_addr) > 0)
++ addr->sa.sa_family = AF_INET6;
++#endif
++ else
++ return _("bad address");
++
++ return NULL;
++}
++
+ char *parse_server(char *arg, union mysockaddr *addr, union mysockaddr *source_addr, char *interface, int *flags)
+ {
+ int source_port = 0, serv_port = NAMESERVER_PORT;
+@@ -1585,7 +1599,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ li = match_suffix->next;
+ free(match_suffix->suffix);
+ free(match_suffix);
+- }
++ }
+ break;
+ }
+
+@@ -1593,10 +1607,45 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ set_option_bool(OPT_CLIENT_SUBNET);
+ if (arg)
+ {
++ char *err, *end;
+ comma = split(arg);
+- if (!atoi_check(arg, &daemon->addr4_netmask) ||
+- (comma && !atoi_check(comma, &daemon->addr6_netmask)))
+- ret_err(gen_err);
++
++ struct mysubnet* new = opt_malloc(sizeof(struct mysubnet));
++ if ((end = split_chr(arg, '/')))
++ {
++ /* has subnet+len */
++ err = parse_mysockaddr(arg, &new->addr);
++ if (err)
++ ret_err(err);
++ if (!atoi_check(end, &new->mask))
++ ret_err(gen_err);
++ new->addr_used = 1;
++ }
++ else if (!atoi_check(arg, &new->mask))
++ ret_err(gen_err);
++
++ daemon->add_subnet4 = new;
++
++ new = opt_malloc(sizeof(struct mysubnet));
++ if (comma)
++ {
++ if ((end = split_chr(comma, '/')))
++ {
++ /* has subnet+len */
++ err = parse_mysockaddr(comma, &new->addr);
++ if (err)
++ ret_err(err);
++ if (!atoi_check(end, &new->mask))
++ ret_err(gen_err);
++ new->addr_used = 1;
++ }
++ else
++ {
++ if (!atoi_check(comma, &new->mask))
++ ret_err(gen_err);
++ }
++ }
++ daemon->add_subnet6 = new;
+ }
+ break;
+
+diff --git a/src/rfc1035.c b/src/rfc1035.c
+index 29e9e65..6a51b30 100644
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -629,26 +629,47 @@ struct subnet_opt {
+ #endif
+ };
+
++static void *get_addrp(union mysockaddr *addr, const short family)
++{
++#ifdef HAVE_IPV6
++ if (family == AF_INET6)
++ return &addr->in6.sin6_addr;
++#endif
++
++ return &addr->in.sin_addr;
++}
++
+ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
+ {
+ /* http://tools.ietf.org/html/draft-vandergaast-edns-client-subnet-02 */
+
+ int len;
+ void *addrp;
++ int sa_family = source->sa.sa_family;
+
+ #ifdef HAVE_IPV6
+ if (source->sa.sa_family == AF_INET6)
+ {
+- opt->family = htons(2);
+- opt->source_netmask = daemon->addr6_netmask;
+- addrp = &source->in6.sin6_addr;
++ opt->source_netmask = daemon->add_subnet6->mask;
++ if (daemon->add_subnet6->addr_used)
++ {
++ sa_family = daemon->add_subnet6->addr.sa.sa_family;
++ addrp = get_addrp(&daemon->add_subnet6->addr, sa_family);
++ }
++ else
++ addrp = &source->in6.sin6_addr;
+ }
+ else
+ #endif
+ {
+- opt->family = htons(1);
+- opt->source_netmask = daemon->addr4_netmask;
+- addrp = &source->in.sin_addr;
++ opt->source_netmask = daemon->add_subnet4->mask;
++ if (daemon->add_subnet4->addr_used)
++ {
++ sa_family = daemon->add_subnet4->addr.sa.sa_family;
++ addrp = get_addrp(&daemon->add_subnet4->addr, sa_family);
++ }
++ else
++ addrp = &source->in.sin_addr;
+ }
+
+ opt->scope_netmask = 0;
+@@ -656,6 +677,11 @@ static size_t calc_subnet_opt(struct subnet_opt *opt, union mysockaddr *source)
+
+ if (opt->source_netmask != 0)
+ {
++#ifdef HAVE_IPV6
++ opt->family = htons(sa_family == AF_INET6 ? 2 : 1);
++#else
++ opt->family = htons(1);
++#endif
+ len = ((opt->source_netmask - 1) >> 3) + 1;
+ memcpy(opt->addr, addrp, len);
+ if (opt->source_netmask & 7)
+@@ -2335,4 +2361,3 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
+
+ return len;
+ }
+-
+--
+1.7.10.4
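Review bot: `calc_subnet_opt` dereferences `daemon->add_subnet4->mask` and `daemon->add_subnet6->mask` unconditionally, but one_opt only allocates the two `struct mysubnet` objects inside `if (arg)`; the man page documents the argument as optional, so a bare `--add-subnet` leaves both pointers NULL and the first forwarded query dereferences NULL, unless defaults are assigned somewhere this diff does not show. Allocating both structs with `mask = 0` before the `if (arg)` branch instead of inside it fixes that and matches the documented zero defaults. Two further gaps in the new code: `opt->family` is now assigned only inside `if (opt->source_netmask != 0)`, so for the default prefix length 0 the option goes out with whatever the caller's `struct subnet_opt` held in that field (set it before the `if`, as the old code did), and `new->mask` is never range-checked against the address family, so `1.2.3.4/96` makes `memcpy(opt->addr, addrp, len)` read 12 bytes starting at a 4-byte `in_addr` and nothing bounds the prefix to 128. `new->addr_used` is only ever set to 1, so correctness relies on `opt_malloc` zero-filling; an explicit `new->addr_used = 0;` on the prefix-only paths would remove that dependency. Both one_opt and calc_subnet_opt extend beyond the quoted hunks.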
diff --git a/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch b/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
new file mode 100644
index 0000000..cfbcdfb
--- /dev/null
+++ b/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
@@ -0,0 +1,34 @@
+From 3a3965ac21b1b759eab8799b6edb09195b671306 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon(a)thekelleys.org.uk>
+Date: Sun, 9 Aug 2015 17:45:06 +0100
+Subject: [PATCH] Don't answer non-auth queries for auth zones locally when
+ --localise-queries set.
+
+---
+ src/forward.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index 2731b90..b76a974 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -1365,7 +1365,7 @@ void receive_query(struct listener *listen, time_t now)
+
+ #ifdef HAVE_AUTH
+ /* find queries for zones we're authoritative for, and answer them directly */
+- if (!auth_dns)
++ if (!auth_dns && !option_bool(OPT_LOCALISE))
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+ if (in_zone(zone, daemon->namebuff, NULL))
+ {
+@@ -1904,7 +1904,7 @@ unsigned char *tcp_request(int confd, time_t now,
+
+ #ifdef HAVE_AUTH
+ /* find queries for zones we're authoritative for, and answer them directly */
+- if (!auth_dns)
++ if (!auth_dns && !option_bool(OPT_LOCALISE))
+ for (zone = daemon->auth_zones; zone; zone = zone->next)
+ if (in_zone(zone, daemon->namebuff, NULL))
+ {
+--
+1.7.10.4
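Review bot: The same guard `if (!auth_dns && !option_bool(OPT_LOCALISE))` is now duplicated in receive_query and tcp_request, while the comment above each, `/* find queries for zones we're authoritative for, and answer them directly */`, still omits the new exception. Extend both comments, e.g. `/* ... and answer them directly, unless --localise-queries is set, in which case they take the normal forwarding path */`, or fold the condition into one static inline helper so the two paths cannot drift apart. Both functions extend beyond the quoted hunks.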
--
2.5.0