From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] dnsmasq 2.76: latest patches (013-014)
Date: Sun, 07 Aug 2016 15:09:18 +0100
Message-ID: <1470578958.2710.479.camel@ipfire.org>
In-Reply-To: <20160807110939.3286-1-matthias.fischer@ipfire.org>

Hi,

thank you. This has been merged as well.

However, since we still have some trouble with dnsmasq (it is still a little bit unstable and on only one installation it is always falling back to TCP for DNSSEC signed zones and I have no idea why), Marcel has started looking at unbound. It is unknown when, but if everything is working out well, we are going to replace dnsmasq with unbound.

So maybe you want to join in working on that and test that a bit. I hope that we can aim for 105, but it could be a bit later, too. So please do not put too much effort into maintaining dnsmasq in IPFire any more.

But you have done a great job and I hope you can also put that into unbound :)

Best,
-Michael

On Sun, 2016-08-07 at 13:09 +0200, Matthias Fischer wrote:
> Signed-off-by: Matthias Fischer > --- > =C2=A0lfs/dnsmasq=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A0=C2=A02 + > =C2=A0...allow_to_exclude_ip_addresses_from_answer.patch | 184 > +++++++++++++++++++++ > =C2=A0...rial_when_reloading_etc_hosts_and_friends.patch |=C2=A0=C2=A041 ++= +++ > =C2=A03 files changed, 227 insertions(+) > =C2=A0create mode 100644 src/patches/dnsmasq/013-auth- > zone_allow_to_exclude_ip_addresses_from_answer.patch > =C2=A0create mode 100644 src/patches/dnsmasq/014- > Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch >=20 > diff --git a/lfs/dnsmasq b/lfs/dnsmasq > index eb0f0ba..474dacc 100644 > --- a/lfs/dnsmasq > +++ b/lfs/dnsmasq > @@ -85,6 +85,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > =C2=A0 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010- > Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_le= aka > ge.patch > =C2=A0 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011- > Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch > =C2=A0 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012- > Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013- > auth-zone_allow_to_exclude_ip_addresses_from_answer.patch > + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014- > Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch > =C2=A0 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add- > support-to-read-ISC-DHCP-lease-file.patch > =C2=A0 > =C2=A0 cd $(DIR_APP) && sed -i src/config.h \ 
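Review bot: the commit message carries nothing beyond the Signed-off-by, yet 013 is a new --auth-zone feature (the exclude: syntax, authored by Mathias Kresin and not yet in a dnsmasq release) rather than a bug fix like 010-012; the lfs/dnsmasq hunk should be accompanied by a sentence saying why it is being backported into the 2.76 package and whether IPFire's dnsmasq configuration uses --auth-zone at all. The ordering itself is consistent: 013 and 014 follow 012 and stay ahead of the IPFire-local dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch.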
> diff --git a/src/patches/dnsmasq/013-auth- > zone_allow_to_exclude_ip_addresses_from_answer.patch > b/src/patches/dnsmasq/013-auth- > zone_allow_to_exclude_ip_addresses_from_answer.patch > new file mode 100644 > index 0000000..bb5fe5d > --- /dev/null > +++ b/src/patches/dnsmasq/013-auth- > zone_allow_to_exclude_ip_addresses_from_answer.patch 
> @@ -0,0 +1,184 @@ > +From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001 > +From: Mathias Kresin > +Date: Sun, 24 Jul 2016 14:15:22 +0100 > +Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer. > + > +--- > + man/dnsmasq.8 |=C2=A0=C2=A0=C2=A0=C2=A06 +++++- > + src/auth.c=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A0=C2=A061 +++++++++++++++++= +++++++++++++++++++------------------- > -- > + src/dnsmasq.h |=C2=A0=C2=A0=C2=A0=C2=A01 + > + src/option.c=C2=A0=C2=A0|=C2=A0=C2=A0=C2=A021 ++++++++++++++++++-- > + 4 files changed, 64 insertions(+), 25 deletions(-) > + > +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 > +index ac8d921..8910947 100644 > +--- a/man/dnsmasq.8 > ++++ b/man/dnsmasq.8 > +@@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that > + setting this may affect DNS behaviour in bad ways, it is not an > + extra-logging flag and should not be set in production. > + .TP > +-.B --auth-zone=3D[,[/][,[/ length>].....]] > ++.B --auth-zone=3D[,[/][,[/ length>].....][,exclude:[/]].....] > + Define a DNS zone for which dnsmasq acts as authoritative server. Locally > defined DNS records which are in the domain > + will be served. If subnet(s) are given, A and AAAA records must be in one= of > the > + specified subnets. > +@@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which > should not. > + Interface-name and address-literal subnet specifications may be used > + freely in the same --auth-zone declaration. > +=C2=A0 > ++It's possible to exclude certain IP addresses from responses. It can be > ++used, to make sure that answers contain only global routeable IP > ++addresses (by excluding loopback, RFC1918 and ULA addresses). > ++ > + The subnet(s) are also used to define in-addr.arpa and > + ip6.arpa domains which are served for reverse-DNS queries. If not > + specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6. 
> +diff --git a/src/auth.c b/src/auth.c > +index 3c5c37f..f1ca2f5 100644 > +--- a/src/auth.c > ++++ b/src/auth.c > +@@ -18,36 +18,53 @@ > +=C2=A0 > + #ifdef HAVE_AUTH > +=C2=A0 > +-static struct addrlist *find_subnet(struct auth_zone *zone, int flag, str= uct > all_addr *addr_u) > ++static struct addrlist *find_addrlist(struct addrlist *list, int flag, > struct all_addr *addr_u) > + { > +-=C2=A0=C2=A0struct addrlist *subnet; > +- > +-=C2=A0=C2=A0for (subnet =3D zone->subnet; subnet; subnet =3D subnet->next) > +-=C2=A0=C2=A0=C2=A0=C2=A0{ > +-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if (!(subnet->flags & ADDRLIST_IPV6)) > +- { > +- =C2=A0=C2=A0struct in_addr netmask, addr =3D addr_u->addr.addr4; > +- > +- =C2=A0=C2=A0if (!(flag & F_IPV4)) > +- =C2=A0=C2=A0=C2=A0=C2=A0continue; > +- =C2=A0=C2=A0 > +- =C2=A0=C2=A0netmask.s_addr =3D htonl(~(in_addr_t)0 << (32 - subnet->pref= ixlen)); > +- =C2=A0=C2=A0 > +- =C2=A0=C2=A0if=C2=A0=C2=A0(is_same_net(addr, subnet->addr.addr.addr4, ne= tmask)) > +- =C2=A0=C2=A0=C2=A0=C2=A0return subnet; > +- } > ++=C2=A0=C2=A0do { > ++=C2=A0=C2=A0=C2=A0=C2=A0if (!(list->flags & ADDRLIST_IPV6)) > ++=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0{ > ++ struct in_addr netmask, addr =3D addr_u->addr.addr4; > ++=09 > ++ if (!(flag & F_IPV4)) > ++ =C2=A0=C2=A0continue; > ++=09 > ++ netmask.s_addr =3D htonl(~(in_addr_t)0 << (32 - list->prefixlen)); > ++=09 > ++ if=C2=A0=C2=A0(is_same_net(addr, list->addr.addr.addr4, netmask)) > ++ =C2=A0=C2=A0return list; > ++=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0} > + #ifdef HAVE_IPV6 > +-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0else if (is_same_net6(&(addr_u->addr.= addr6), &subnet->addr.addr.addr6,=20 > subnet->prefixlen)) > +- return subnet; > ++=C2=A0=C2=A0=C2=A0=C2=A0else if (is_same_net6(&(addr_u->addr.addr6), &lis= t->addr.addr.addr6, > list->prefixlen)) > ++=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0return list; > + #endif > +- > +-=C2=A0=C2=A0=C2=A0=C2=A0} > ++=C2=A0=C2=A0=C2=A0=C2=A0 > ++=C2=A0=C2=A0} while ((list =3D list->next)); > 
++=C2=A0=C2=A0 > +=C2=A0=C2=A0=C2=A0return NULL; > + } > +=C2=A0 > ++static struct addrlist *find_subnet(struct auth_zone *zone, int flag, str= uct > all_addr *addr_u) > ++{ > ++=C2=A0=C2=A0if (!zone->subnet) > ++=C2=A0=C2=A0=C2=A0=C2=A0return NULL; > ++=C2=A0=C2=A0 > ++=C2=A0=C2=A0return find_addrlist(zone->subnet, flag, addr_u); > ++} > ++ > ++static struct addrlist *find_exclude(struct auth_zone *zone, int flag, > struct all_addr *addr_u) > ++{ > ++=C2=A0=C2=A0if (!zone->exclude) > ++=C2=A0=C2=A0=C2=A0=C2=A0return NULL; > ++=C2=A0=C2=A0 > ++=C2=A0=C2=A0return find_addrlist(zone->exclude, flag, addr_u); > ++} > ++ > + static int filter_zone(struct auth_zone *zone, int flag, struct all_addr > *addr_u) > + { > +-=C2=A0=C2=A0/* No zones specified, no filter */ > ++=C2=A0=C2=A0if (find_exclude(zone, flag, addr_u)) > ++=C2=A0=C2=A0=C2=A0=C2=A0return 0; > ++ > ++=C2=A0=C2=A0/* No subnets specified, no filter */ > +=C2=A0=C2=A0=C2=A0if (!zone->subnet) > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0return 1; > +=C2=A0=C2=A0=C2=A0 > +diff --git a/src/dnsmasq.h b/src/dnsmasq.h > +index 2bda5d0..27385a9 100644 > +--- a/src/dnsmasq.h > ++++ b/src/dnsmasq.h > +@@ -340,6 +340,7 @@ struct auth_zone { > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0struct auth_name_list *next; > +=C2=A0=C2=A0=C2=A0} *interface_names; > +=C2=A0=C2=A0=C2=A0struct addrlist *subnet; > ++=C2=A0=C2=A0struct addrlist *exclude; > +=C2=A0=C2=A0=C2=A0struct auth_zone *next; > + }; > +=C2=A0 > +diff --git a/src/option.c b/src/option.c > +index d8c57d6..6cedef3 100644 > +--- a/src/option.c > ++++ b/src/option.c > +@@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errs= tr, > char *gen_err, int comma > +=C2=A0 new =3D opt_malloc(sizeof(struct auth_zone)); > +=C2=A0 new->domain =3D opt_string_alloc(arg); > +=C2=A0 new->subnet =3D NULL; > ++ new->exclude =3D NULL; > +=C2=A0 new->interface_names =3D NULL; > +=C2=A0 new->next =3D daemon->auth_zones; > +=C2=A0 daemon->auth_zones =3D new; > +@@ -1913,6 +1914,7 @@ static 
int one_opt(int option, char *arg, char *errs= tr, > char *gen_err, int comma > +=C2=A0 while ((arg =3D comma)) > +=C2=A0 =C2=A0=C2=A0{ > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0int prefixlen =3D 0; > ++ =C2=A0=C2=A0=C2=A0=C2=A0int is_exclude =3D 0; > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0char *prefix; > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0struct addrlist *subnet =3D=C2=A0=C2=A0NULL; > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0struct all_addr addr; > +@@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char > *errstr, char *gen_err, int comma > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0if (prefix && !atoi_check(prefix, &prefixle= n)) > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0ret_err(gen_err); > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0 > ++ =C2=A0=C2=A0=C2=A0=C2=A0if (strstr(arg, "exclude:") =3D=3D arg) > ++ =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0{ > ++ =C2=A0=C2=A0=C2=A0=C2=A0is_exclude =3D 1; > ++ =C2=A0=C2=A0=C2=A0=C2=A0arg =3D arg+8; > ++ =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0} > ++ > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0if (inet_pton(AF_INET, arg, &addr.addr.addr= 4)) > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0{ > +=C2=A0 subnet =3D opt_malloc(sizeof(struct addrlist)); > +@@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char > *errstr, char *gen_err, int comma > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0if (subnet) > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0{ > +=C2=A0 subnet->addr =3D addr; > +- subnet->next =3D new->subnet; > +- new->subnet =3D subnet; > ++ > ++ if (is_exclude) > ++ =C2=A0=C2=A0{ > ++ =C2=A0=C2=A0=C2=A0=C2=A0subnet->next =3D new->exclude; > ++ =C2=A0=C2=A0=C2=A0=C2=A0new->exclude =3D subnet; > ++ =C2=A0=C2=A0} > ++ else > ++ =C2=A0=C2=A0{ > ++ =C2=A0=C2=A0=C2=A0=C2=A0subnet->next =3D new->subnet; > ++ =C2=A0=C2=A0=C2=A0=C2=A0new->subnet =3D subnet; > ++ =C2=A0=C2=A0} > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0} > +=C2=A0 =C2=A0=C2=A0} > +=C2=A0 break; > +--=C2=A0 > +1.7.10.4 > + 
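Review bot: the new man/dnsmasq.8 paragraph (hunk @@ -756,6 +756,10 @@) should state the precedence that src/auth.c implements: filter_zone consults the exclude list before the subnet list, so an address that falls in both an allowed subnet and an exclude: prefix is never put in an answer, and exclude: takes the same address[/prefix-length] form as the subnets (sharing the "defaults to 24 for IPv4 and 64 for IPv6" rule stated in the following paragraph, since option.c parses the prefix length before it strips the exclude: keyword). Also "It can be used, to make sure" has a stray comma, and "global routeable" should read "globally routable".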
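Review bot: in the src/auth.c hunk, find_addrlist walks the list with do { ... } while ((list = list->next)) and relies on the `continue` in the IPv4 branch jumping to that loop condition (it does, so the list still advances), but it dereferences list unconditionally, which is why find_subnet and find_exclude each need an `if (!zone->...) return NULL;` guard. A plain `for (; list; list = list->next)` keeps the original shape of find_subnet, drops both guards and avoids the do/while-plus-continue subtlety. The ordering in filter_zone is right: `if (find_exclude(zone, flag, addr_u)) return 0;` sits before the "No subnets specified, no filter" early return, so an excluded address is dropped even when no subnets are configured.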
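Review bot: in the src/option.c hunk, `if (strstr(arg, "exclude:") == arg)` scans the whole argument to test a prefix and is paired with the magic `arg = arg+8`; `strncmp(arg, "exclude:", 8) == 0` (or a named constant with strlen) states the intent directly and keeps the offset tied to the keyword. The placement is otherwise sound: the check comes after the `/` prefix-length split and before the inet_pton calls, so `exclude:10.0.0.0/8` parses as intended. What happens when exclude: is combined with an interface name rather than an address is not covered by the visible hunks; that combination should either be rejected with an error or documented in the man page.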
> diff --git a/src/patches/dnsmasq/014- > Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch > b/src/patches/dnsmasq/014- > Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch > new file mode 100644 > index 0000000..054323b > --- /dev/null > +++ b/src/patches/dnsmasq/014- > Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch 
> @@ -0,0 +1,41 @@ > +From c8328ecde896575b3cb81cf537747df531f90771 Mon Sep 17 00:00:00 2001 > +From: Simon Kelley > +Date: Fri, 5 Aug 2016 16:54:58 +0100 > +Subject: [PATCH] Bump auth zone serial when reloading /etc/hosts and frien= ds. > + > +--- > + CHANGELOG=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0|=C2=A0=C2=A0=C2=A0=C2=A04 ++++ > + src/dnsmasq.c |=C2=A0=C2=A0=C2=A0=C2=A02 ++ > + 2 files changed, 6 insertions(+) > + > +diff --git a/CHANGELOG b/CHANGELOG > +index 9f1e404..4f89799 100644 > +--- a/CHANGELOG > ++++ b/CHANGELOG > +@@ -20,6 +20,10 @@ version 2.77 > +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0Fix problem with --dnssec-timestamp w= hereby receipt > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0of SIGHUP would erroneously engage timestamp checking. > +=C2=A0 =C2=A0=C2=A0=C2=A0=C2=A0Thanks to Kevin Darbyshire-Bryant for this = work. > ++ > ++ =C2=A0=C2=A0=C2=A0=C2=A0Bump zone serial on reloading /etc/hosts and fri= ends > ++ =C2=A0=C2=A0=C2=A0=C2=A0when providing authoritative DNS. Thanks to Harr= ald > ++ =C2=A0=C2=A0=C2=A0=C2=A0Dunkel for spotting this. > +=C2=A0=09 > +=C2=A0 > + version 2.76 > +diff --git a/src/dnsmasq.c b/src/dnsmasq.c > +index a47273f..3580bea 100644 > +--- a/src/dnsmasq.c > ++++ b/src/dnsmasq.c > +@@ -1226,6 +1226,8 @@ static void async_event(int pipe, time_t now) > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0switch (ev.event) > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0{ > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0case EVENT_RELOAD: > ++ daemon->soa_sn++; /* Bump zone serial, as it may have changed. 
*/ > ++ > + #ifdef HAVE_DNSSEC > +=C2=A0 if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && > option_bool(OPT_DNSSEC_TIME)) > +=C2=A0 =C2=A0=C2=A0{ > +--=C2=A0 > +1.7.10.4 > +
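Review bot: the CHANGELOG hunk in 014 (@@ -20,6 +20,10 @@ version 2.77) carries context from the 2.77 development section (the --dnssec-timestamp/SIGHUP entry crediting Kevin Darbyshire-Bryant), which a 2.76 release tarball does not contain; it applies cleanly only if one of the earlier patches 001-012 already added those lines, otherwise the `patch -Np1` line added to lfs/dnsmasq fails on this file. For a backport it is safer to drop the CHANGELOG hunk and keep only the src/dnsmasq.c change.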
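Review bot: `daemon->soa_sn++` in the EVENT_RELOAD case bumps the SOA serial on every SIGHUP whether or not /etc/hosts actually changed, so any secondary polling the zone will refresh after each reload; that is the safe direction (a stale serial would leave secondaries serving old records, which is the bug being fixed) and the comment says as much. If dnsmasq reloads /etc/hosts by any other path as well (for example on a file-change notification rather than a signal), that path needs the same bump, otherwise the serial is stale again for those reloads.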