Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/dnsmasq | 4 +- ..._IPv6_addresses_sanely_for_--synth-domain.patch | 101 ++++++++++++++ ...ode_to_remove_blatant_copyright_violation.patch | 149 +++++++++++++++++++++ 3 files changed, 253 insertions(+), 1 deletion(-) create mode 100644 src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch create mode 100644 src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch
diff --git a/lfs/dnsmasq b/lfs/dnsmasq index 474dacc..7a11061 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2016 Michael Tremer & Christian Schmidt # +# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -87,6 +87,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \ diff --git a/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch b/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch new file mode 100644 index 0000000..7ebef83 --- /dev/null +++ b/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch @@ -0,0 +1,101 @@ +From 6d95099c56a926d672e0407d6017fef9714f40c4 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Thu, 11 Aug 2016 23:38:54 +0100 +Subject: [PATCH] Handle v4-mapped IPv6 addresses sanely for --synth-domain. + +--- + CHANGELOG | 7 ++++++- + man/dnsmasq.8 | 2 ++ + src/domain.c | 34 ++++++++++++++++++++++++---------- + 3 files changed, 32 insertions(+), 11 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 4f89799..2731cc4 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -24,7 +24,12 @@ version 2.77 + Bump zone serial on reloading /etc/hosts and friends + when providing authoritative DNS. Thanks to Harrald + Dunkel for spotting this. +- ++ ++ Handle v4-mapped IPv6 addresses sanely in --synth-domain. ++ These have standard representation like ::ffff:1.2.3.4 ++ and are now converted to names like ++ <prefix>--ffff-1-2-3-4.<domain> ++ + + version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 8910947..91fe672 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -619,6 +619,8 @@ but IPv6 addresses may start with '::' + but DNS labels may not start with '-' so in this case if no prefix is + configured a zero is added in front of the label. ::1 becomes 0--1. + ++V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4 ++ + The address range can be of the form + <ip address>,<ip address> or <ip address>/<netmask> + .TP +diff --git a/src/domain.c b/src/domain.c +index 1dd5027..a007acd 100644 +--- a/src/domain.c ++++ b/src/domain.c +@@ -77,18 +77,31 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr) + + *p = 0; + +- /* swap . or : for - */ +- for (p = tail; *p; p++) +- if (*p == '-') +- { +- if (prot == AF_INET) ++ #ifdef HAVE_IPV6 ++ if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail) ++ { ++ /* special hack for v4-mapped. */ ++ memcpy(tail, "::ffff:", 7); ++ for (p = tail + 7; *p; p++) ++ if (*p == '-') + *p = '.'; ++ } ++ else ++#endif ++ { ++ /* swap . or : for - */ ++ for (p = tail; *p; p++) ++ if (*p == '-') ++ { ++ if (prot == AF_INET) ++ *p = '.'; + #ifdef HAVE_IPV6 +- else +- *p = ':'; ++ else ++ *p = ':'; + #endif +- } +- ++ } ++ } ++ + if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr)) + { + if (prot == AF_INET) +@@ -169,8 +182,9 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name) + inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN); + } + ++ /* V4-mapped have periods.... */ + for (p = name; *p; p++) +- if (*p == ':') ++ if (*p == ':' || *p == '.') + *p = '-'; + + strncat(name, ".", MAXDNAME); +-- +1.7.10.4 + diff --git a/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch b/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch new file mode 100644 index 0000000..db27f90 --- /dev/null +++ b/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch @@ -0,0 +1,149 @@ +From 396750cef533cf72c7e6a72e47a9c93e2e431cb7 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 13 Aug 2016 22:34:11 +0100 +Subject: [PATCH] Refactor openBSD pftables code to remove blatant copyright + violation. + +--- + src/tables.c | 90 +++++++++++++++++++++------------------------------------- + 1 file changed, 32 insertions(+), 58 deletions(-) + +diff --git a/src/tables.c b/src/tables.c +index aae1252..4fa3487 100644 +--- a/src/tables.c ++++ b/src/tables.c +@@ -53,52 +53,6 @@ static char *pfr_strerror(int errnum) + } + } + +-static int pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) +-{ +- struct pfioc_table io; +- +- if (size < 0 || (size && tbl == NULL)) +- { +- errno = EINVAL; +- return (-1); +- } +- bzero(&io, sizeof io); +- io.pfrio_flags = flags; +- io.pfrio_buffer = tbl; +- io.pfrio_esize = sizeof(*tbl); +- io.pfrio_size = size; +- if (ioctl(dev, DIOCRADDTABLES, &io)) +- return (-1); +- if (nadd != NULL) +- *nadd = io.pfrio_nadd; +- return (0); +-} +- +-static int fill_addr(const struct all_addr *ipaddr, int flags, struct pfr_addr* addr) { +- if ( !addr || !ipaddr) +- { +- my_syslog(LOG_ERR, _("error: fill_addr missused")); +- return -1; +- } +- bzero(addr, sizeof(*addr)); +-#ifdef HAVE_IPV6 +- if (flags & F_IPV6) +- { +- addr->pfra_af = AF_INET6; +- addr->pfra_net = 0x80; +- memcpy(&(addr->pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr)); +- } +- else +-#endif +- { +- addr->pfra_af = AF_INET; +- addr->pfra_net = 0x20; +- addr->pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr; +- } +- return 1; +-} +- +-/*****************************************************************************/ + + void ipset_init(void) + { +@@ -111,14 +65,13 @@ void ipset_init(void) + } + + int add_to_ipset(const char *setname, const struct all_addr *ipaddr, +- int flags, int remove) ++ int flags, int remove) + { + struct pfr_addr addr; + struct pfioc_table io; + struct pfr_table table; +- int n = 0, rc = 0; + +- if ( dev == -1 ) ++ if (dev == -1) + { + my_syslog(LOG_ERR, _("warning: no opened pf devices %s"), pf_device); + return -1; +@@ -126,31 +79,52 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr, + + bzero(&table, sizeof(struct pfr_table)); + table.pfrt_flags |= PFR_TFLAG_PERSIST; +- if ( strlen(setname) >= PF_TABLE_NAME_SIZE ) ++ if (strlen(setname) >= PF_TABLE_NAME_SIZE) + { + my_syslog(LOG_ERR, _("error: cannot use table name %s"), setname); + errno = ENAMETOOLONG; + return -1; + } + +- if ( strlcpy(table.pfrt_name, setname, +- sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) ++ if (strlcpy(table.pfrt_name, setname, ++ sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) + { + my_syslog(LOG_ERR, _("error: cannot strlcpy table name %s"), setname); + return -1; + } + +- if ((rc = pfr_add_tables(&table, 1, &n, 0))) ++ bzero(&io, sizeof io); ++ io.pfrio_flags = 0; ++ io.pfrio_buffer = &table; ++ io.pfrio_esize = sizeof(table); ++ io.pfrio_size = 1; ++ if (ioctl(dev, DIOCRADDTABLES, &io)) + { +- my_syslog(LOG_WARNING, _("warning: pfr_add_tables: %s(%d)"), +- pfr_strerror(errno),rc); ++ my_syslog(LOG_WARNING, _("IPset: error:%s"), pfr_strerror(errno)); ++ + return -1; + } ++ + table.pfrt_flags &= ~PFR_TFLAG_PERSIST; +- if (n) ++ if (io.pfrio_nadd) + my_syslog(LOG_INFO, _("info: table created")); +- +- fill_addr(ipaddr,flags,&addr); ++ ++ bzero(&addr, sizeof(addr)); ++#ifdef HAVE_IPV6 ++ if (flags & F_IPV6) ++ { ++ addr.pfra_af = AF_INET6; ++ addr.pfra_net = 0x80; ++ memcpy(&(addr.pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr)); ++ } ++ else ++#endif ++ { ++ addr.pfra_af = AF_INET; ++ addr.pfra_net = 0x20; ++ addr.pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr; ++ } ++ + bzero(&io, sizeof(io)); + io.pfrio_flags = 0; + io.pfrio_table = table; +-- +1.7.10.4 +