From mboxrd@z Thu Jan 1 00:00:00 1970 From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] dnsmasq 2.76: latest patches (013-014) Date: Sun, 07 Aug 2016 13:09:39 +0200 Message-ID: <20160807110939.3286-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3492273253033305182==" List-Id: --===============3492273253033305182== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Signed-off-by: Matthias Fischer --- lfs/dnsmasq | 2 + ...allow_to_exclude_ip_addresses_from_answer.patch | 184 +++++++++++++++++++= ++ ...rial_when_reloading_etc_hosts_and_friends.patch | 41 +++++ 3 files changed, 227 insertions(+) create mode 100644 src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_add= resses_from_answer.patch create mode 100644 src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reload= ing_etc_hosts_and_friends.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index eb0f0ba..474dacc 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -85,6 +85,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_pack= et_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_rese= t_packet_length_on_transmission_in_case_of_retransmission.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-t= ime_check_on_buffer_sizes_for_leasefile_parsing_code.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-auth-zone= _allow_to_exclude_ip_addresses_from_answer.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Bump_auth= _zone_serial_when_reloading_etc_hosts_and_friends.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-t= o-read-ISC-DHCP-lease-file.patch =20 cd $(DIR_APP) && sed -i src/config.h \ 
diff --git a/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_= from_answer.patch b/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_add= resses_from_answer.patch new file mode 100644 index 0000000..bb5fe5d --- /dev/null +++ b/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_an= swer.patch 
@@ -0,0 +1,184 @@ +From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001 +From: Mathias Kresin +Date: Sun, 24 Jul 2016 14:15:22 +0100 +Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer. + +--- + man/dnsmasq.8 | 6 +++++- + src/auth.c | 61 ++++++++++++++++++++++++++++++++++++------------------= --- + src/dnsmasq.h | 1 + + src/option.c | 21 ++++++++++++++++++-- + 4 files changed, 64 insertions(+), 25 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index ac8d921..8910947 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that + setting this may affect DNS behaviour in bad ways, it is not an + extra-logging flag and should not be set in production. + .TP +-.B --auth-zone=3D[,[/][,[/].....]] ++.B --auth-zone=3D[,[/][,[/].....][,exclude:[/]].....] + Define a DNS zone for which dnsmasq acts as authoritative server. Locally d= efined DNS records which are in the domain + will be served. If subnet(s) are given, A and AAAA records must be in one o= f the + specified subnets. +@@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which sh= ould not. + Interface-name and address-literal subnet specifications may be used + freely in the same --auth-zone declaration. +=20 ++It's possible to exclude certain IP addresses from responses. It can be ++used, to make sure that answers contain only global routeable IP ++addresses (by excluding loopback, RFC1918 and ULA addresses). ++ + The subnet(s) are also used to define in-addr.arpa and + ip6.arpa domains which are served for reverse-DNS queries. If not + specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6. 
+diff --git a/src/auth.c b/src/auth.c +index 3c5c37f..f1ca2f5 100644 +--- a/src/auth.c ++++ b/src/auth.c +@@ -18,36 +18,53 @@ +=20 + #ifdef HAVE_AUTH +=20 +-static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struc= t all_addr *addr_u) ++static struct addrlist *find_addrlist(struct addrlist *list, int flag, stru= ct all_addr *addr_u) + { +- struct addrlist *subnet; +- +- for (subnet =3D zone->subnet; subnet; subnet =3D subnet->next) +- { +- if (!(subnet->flags & ADDRLIST_IPV6)) +- { +- struct in_addr netmask, addr =3D addr_u->addr.addr4; +- +- if (!(flag & F_IPV4)) +- continue; +- =20 +- netmask.s_addr =3D htonl(~(in_addr_t)0 << (32 - subnet->prefixlen)); +- =20 +- if (is_same_net(addr, subnet->addr.addr.addr4, netmask)) +- return subnet; +- } ++ do { ++ if (!(list->flags & ADDRLIST_IPV6)) ++ { ++ struct in_addr netmask, addr =3D addr_u->addr.addr4; ++=09 ++ if (!(flag & F_IPV4)) ++ continue; ++=09 ++ netmask.s_addr =3D htonl(~(in_addr_t)0 << (32 - list->prefixlen)); ++=09 ++ if (is_same_net(addr, list->addr.addr.addr4, netmask)) ++ return list; ++ } + #ifdef HAVE_IPV6 +- else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6= , subnet->prefixlen)) +- return subnet; ++ else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, li= st->prefixlen)) ++ return list; + #endif +- +- } ++ =20 ++ } while ((list =3D list->next)); ++ =20 + return NULL; + } +=20 ++static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struc= t all_addr *addr_u) ++{ ++ if (!zone->subnet) ++ return NULL; ++ =20 ++ return find_addrlist(zone->subnet, flag, addr_u); ++} ++ ++static struct addrlist *find_exclude(struct auth_zone *zone, int flag, stru= ct all_addr *addr_u) ++{ ++ if (!zone->exclude) ++ return NULL; ++ =20 ++ return find_addrlist(zone->exclude, flag, addr_u); ++} ++ + static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *a= ddr_u) + { +- /* No zones specified, no filter */ ++ if (find_exclude(zone, flag, 
addr_u)) ++ return 0; ++ ++ /* No subnets specified, no filter */ + if (!zone->subnet) + return 1; + =20 +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index 2bda5d0..27385a9 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -340,6 +340,7 @@ struct auth_zone { + struct auth_name_list *next; + } *interface_names; + struct addrlist *subnet; ++ struct addrlist *exclude; + struct auth_zone *next; + }; +=20 +diff --git a/src/option.c b/src/option.c +index d8c57d6..6cedef3 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errstr= , char *gen_err, int comma + new =3D opt_malloc(sizeof(struct auth_zone)); + new->domain =3D opt_string_alloc(arg); + new->subnet =3D NULL; ++ new->exclude =3D NULL; + new->interface_names =3D NULL; + new->next =3D daemon->auth_zones; + daemon->auth_zones =3D new; +@@ -1913,6 +1914,7 @@ static int one_opt(int option, char *arg, char *errstr= , char *gen_err, int comma + while ((arg =3D comma)) + { + int prefixlen =3D 0; ++ int is_exclude =3D 0; + char *prefix; + struct addrlist *subnet =3D NULL; + struct all_addr addr; +@@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char *errst= r, char *gen_err, int comma + if (prefix && !atoi_check(prefix, &prefixlen)) + ret_err(gen_err); + =20 ++ if (strstr(arg, "exclude:") =3D=3D arg) ++ { ++ is_exclude =3D 1; ++ arg =3D arg+8; ++ } ++ + if (inet_pton(AF_INET, arg, &addr.addr.addr4)) + { + subnet =3D opt_malloc(sizeof(struct addrlist)); +@@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char *errst= r, char *gen_err, int comma + if (subnet) + { + subnet->addr =3D addr; +- subnet->next =3D new->subnet; +- new->subnet =3D subnet; ++ ++ if (is_exclude) ++ { ++ subnet->next =3D new->exclude; ++ new->exclude =3D subnet; ++ } ++ else ++ { ++ subnet->next =3D new->subnet; ++ new->subnet =3D subnet; ++ } + } + } + break; +--=20 +1.7.10.4 + 
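Review bot: The exclude test added at the top of filter_zone takes precedence over the subnet list, so an address that lies inside an allowed subnet is still dropped when it also matches an `exclude:` entry, and the exclusion applies even when no subnets are configured at all; neither the new code nor the reworded comment says so. I would put a comment ahead of the find_exclude call such as `/* exclude: entries win over the subnet list and apply even when no subnets are configured */` rather than only renaming the old "No zones" comment. In find_addrlist the `continue` inside the new `do { ... } while ((list = list->next))` loop does advance to the next entry, but that is less obvious than in the for-loop it replaces; a one-line comment on the `continue` (`/* IPv4 entry but non-IPv4 query: try next entry */`) would spare the next reader the check. filter_zone's body continues below the hunk.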
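Review bot: In the `@@ -1960` hunk the exclude bookkeeping only runs inside `if (subnet)`, so an `exclude:` argument that is not a literal address — e.g. `exclude:eth0`, where the prefix has already been stripped from arg by the new code — appears to fall through to the interface-name path outside this hunk and be recorded as an ordinary include, silently inverting the operator's intent. A guard such as `else if (is_exclude) ret_err(gen_err);` after the `if (subnet)` block would reject that instead. Separately, the prefix length is assigned outside the hunk, but the man page context in this patch states it defaults to 24 for IPv4 and 64 for IPv6, which presumably applies to exclude entries as well: `exclude:192.168.1.5` would then exclude the whole /24 rather than one address, so the new man-page sentence should say a single host needs `/32` or `/128`, or exclude entries should default to a host prefix. `strncmp(arg, "exclude:", 8) == 0` would also be the more idiomatic prefix test than `strstr(arg, "exclude:") == arg`.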
diff --git a/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc= _hosts_and_friends.patch b/src/patches/dnsmasq/014-Bump_auth_zone_serial_when= _reloading_etc_hosts_and_friends.patch new file mode 100644 index 0000000..054323b --- /dev/null +++ b/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_= and_friends.patch @@ -0,0 +1,41 @@ +From c8328ecde896575b3cb81cf537747df531f90771 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Fri, 5 Aug 2016 16:54:58 +0100 +Subject: [PATCH] Bump auth zone serial when reloading /etc/hosts and friends. + +--- + CHANGELOG | 4 ++++ + src/dnsmasq.c | 2 ++ + 2 files changed, 6 insertions(+) + +diff --git a/CHANGELOG b/CHANGELOG +index 9f1e404..4f89799 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -20,6 +20,10 @@ version 2.77 + Fix problem with --dnssec-timestamp whereby receipt + of SIGHUP would erroneously engage timestamp checking. + Thanks to Kevin Darbyshire-Bryant for this work. ++ ++ Bump zone serial on reloading /etc/hosts and friends ++ when providing authoritative DNS. Thanks to Harrald ++ Dunkel for spotting this. + =09 +=20 + version 2.76 +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index a47273f..3580bea 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -1226,6 +1226,8 @@ static void async_event(int pipe, time_t now) + switch (ev.event) + { + case EVENT_RELOAD: ++ daemon->soa_sn++; /* Bump zone serial, as it may have changed. */ ++ + #ifdef HAVE_DNSSEC + if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && optio= n_bool(OPT_DNSSEC_TIME)) + { +--=20 +1.7.10.4 + --=20 2.9.2 --===============3492273253033305182==--
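Review bot: The new `daemon->soa_sn++` runs on every EVENT_RELOAD, including reloads where /etc/hosts and friends did not actually change, so secondaries comparing serials see a new zone version after each SIGHUP even when the content is identical; that errs on the safe side (a spurious transfer rather than a stale zone) but the comment `/* Bump zone serial, as it may have changed. */` should say that the unconditional bump is deliberate. The increment also happens at event dispatch, before the reload itself is performed, so a reload that later fails still advances the serial; worth a note, or moving the increment next to the actual reload if that code is nearby. The enclosing switch continues outside the hunk, so I cannot see whether a later case already touches soa_sn.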