This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via b8a97bd9436f3494745b95868dc5b0774d0c40e8 (commit) via 61c6e9b71da9f623bf74f8cb2bab6cf311e7df45 (commit) from 4e341f19b076e906c493347c8a11af5c45efc976 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit b8a97bd9436f3494745b95868dc5b0774d0c40e8 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 10 16:22:09 2015 +0100
dnsmasq: Enable DNSSEC timestamp feature
This disables DNSSEC until the system clock has been set correctly. There is a circular dependency on working DNS and being able to resolve DNS records in order to reach a time server. Systems without a RTC or empty RTC battery will start up with time way in the past in which all DNSSEC signatures are invalid.
commit 61c6e9b71da9f623bf74f8cb2bab6cf311e7df45 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Mar 10 16:21:58 2015 +0100
dnsmasq: Import more patches from upstream
-----------------------------------------------------------------------
Summary of changes: lfs/dnsmasq | 2 + src/initscripts/init.d/dnsmasq | 2 +- .../0056-New-version-of-contrib-reverse-dns.patch | 194 ++++++++++++++++++++ ...C-timestamp-code-to-create-file-later-rem.patch | 202 +++++++++++++++++++++ 4 files changed, 399 insertions(+), 1 deletion(-) create mode 100644 src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch create mode 100644 src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
Difference in files: diff --git a/lfs/dnsmasq b/lfs/dnsmasq index c256f75..4bb7f9f 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -128,6 +128,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0053-Log-parsing-utils-in-contrib-reverse-dns.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0054-Add-dnssec-timestamp-option-and-facility.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ -e 's|/* #define HAVE_IDN */|#define HAVE_IDN|g' \ diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq index 48b9d19..4e37925 100644 --- a/src/initscripts/init.d/dnsmasq +++ b/src/initscripts/init.d/dnsmasq @@ -26,7 +26,7 @@ SHOW_SRV=1 TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
function dnssec_args() { - local cmdline="--dnssec" + local cmdline="--dnssec --dnssec-timestamp"
if [ -n "${TRUST_ANCHOR}" ]; then cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}" diff --git a/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch new file mode 100644 index 0000000..9a05215 --- /dev/null +++ b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch @@ -0,0 +1,194 @@ +From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Wed, 4 Mar 2015 20:32:26 +0000 +Subject: [PATCH 56/57] New version of contrib/reverse-dns + +--- + contrib/reverse-dns/README | 22 +++--- + contrib/reverse-dns/reverse_replace.sh | 131 ++++++++++++++++++++++++++++----- + 2 files changed, 125 insertions(+), 28 deletions(-) + +diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README +index f87eb77c4c22..2ec4df1f957e 100644 +--- a/contrib/reverse-dns/README ++++ b/contrib/reverse-dns/README +@@ -1,18 +1,18 @@ +-Hi. ++The script reads stdin and replaces all IP addresses with names before ++outputting it again. IPs from private networks are reverse looked up ++via dns. Other IP adresses are searched for in the dnsmasq query log. ++This gives names (CNAMEs if I understand DNS correctly) that are closer ++to the name the client originally asked for then the names obtained by ++reverse lookup. Just run + +-To translate my routers netstat-nat output into names that actually talk +-to me I have started writing to simple shell scripts. They require ++netstat -n -4 | ./reverse_replace.sh ++ ++to see what it does. It needs + + log-queries + log-facility=/var/log/dnsmasq.log + +-to be set. With +- +-netstat-nat -n -4 | reverse_replace.sh +- +-I get retranslated output. +- +-Sincerely, +-Joachim ++in the dnsmasq configuration. + ++The script runs on debian (with ash installed) and on busybox. + +diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh +index a11c164b7f19..5b4aebd71456 100644 +--- a/contrib/reverse-dns/reverse_replace.sh ++++ b/contrib/reverse-dns/reverse_replace.sh +@@ -1,28 +1,125 @@ +-#!/bin/bash +-# $Id: reverse_replace.sh 4 2015-02-17 20:14:59Z jo $ ++#!/bin/ash ++# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $ + # + # Usage e.g.: netstat -n -4 | reverse_replace.sh + # Parses stdin for IP4 addresses and replaces them +-# with names retrieved by reverse_dns.sh ++# with names retrieved by parsing the dnsmasq log. ++# This currently only gives CNAMEs. But these ++# usually tell ou more than the mones from reverse ++# lookups. ++# ++# This has been tested on debian and asuswrt. Plese ++# report successful tests on other platforms. ++# ++# Author: Joachim Zobel jz-2014@heute-morgen.de ++# License: Consider this MIT style licensed. You can ++# do as you ike, but you must not remove my name. + # + +-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +-DNS=$DIR/reverse_dns.sh ++LOG=/var/log/dnsmasq.log ++MAX_LINES=15000 + +-# sed regex ++# sed regex do match IPs + IP_regex='[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' ++# private IP ranges ++IP_private='(^127.)|(^192.168.)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)' + +-while read LINE; do +- if grep --quiet $IP_regex <<< "$LINE"; then +- IPs=`sed "s#.*\b($IP_regex)\b.*#\1 #g" <<< "$LINE"` +- IPs=($IPs) +- for IP in "${IPs[@]}" +- do +- NAME=`$DNS $IP` +- # echo "$NAME is $IP"; +- LINE="${LINE/$IP/$NAME}" +- done ++####################################################################### ++# Find Commands ++ ++HOST=nslookup ++if type host > /dev/null 2>&1; then ++ # echo "No need for nslookup, host is there" ++ HOST=host ++fi ++ ++####################################################################### ++# Functions ++ ++# Use shell variables for an (IP) lookup table ++create_lookup_table() ++{ ++ # Parse log into lookup table ++ local CMDS="$( tail -"$MAX_LINES" "$LOG" | \ ++ grep " is $IP_regex" | \ ++ sed "s#.* ([^ ]*) is ($IP_regex).*#set_val \2 \1;#" )" ++ ++ local IFS=' ++' ++ for CMD in $CMDS ++ do ++ eval $CMD ++ done ++} ++ ++set_val() ++{ ++ local _IP=$(echo $1 | tr . _) ++ local KEY="__IP__$_IP" ++ eval "$KEY"=$2 ++} ++ ++get_val() ++{ ++ local _IP=$(echo $1 | tr . _) ++ local KEY="__IP__$_IP" ++ eval echo -n '${'"$KEY"'}' ++} ++ ++dns_lookup() ++{ ++ local IP=$1 ++ ++ local RTN="$($HOST $IP | \ ++ sed 's#\s+#\n#g' | \ ++ grep -v '^$' | \ ++ tail -1 | tr -d '\n' | \ ++ sed 's#.$##')" ++ if echo $RTN | grep -q NXDOMAIN; then ++ echo -n $IP ++ else ++ echo -n "$RTN" ++ fi ++} ++ ++reverse_dns() ++{ ++ local IP=$1 ++ ++ # Skip if it is not an IP ++ if ! echo $IP | grep -q "^$IP_regex$"; then ++ echo -n $IP ++ return ++ fi ++ ++ # Do a dns lookup, if it is a local IP ++ if echo $IP | grep -q $IP_private; then ++ dns_lookup $IP ++ return + fi ++ ++ local NAME="$(get_val $IP)" ++ ++ if [ -z "$NAME" ]; then ++ echo -n $IP ++ else ++ echo -n $NAME ++ fi ++} ++ ++####################################################################### ++# Main ++create_lookup_table ++ ++while read LINE; do ++ for IP in $(echo "$LINE" | \ ++ sed "s#\b($IP_regex)\b#\n\1\n#g" | \ ++ grep $IP_regex) ++ do ++ NAME=`reverse_dns $IP ` ++ # echo "$NAME $IP" ++ LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` ++ done + echo $LINE +-done < /dev/stdin ++done + +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch new file mode 100644 index 0000000..df47cd0 --- /dev/null +++ b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch @@ -0,0 +1,202 @@ +From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001 +From: Simon Kelley simon@thekelleys.org.uk +Date: Sat, 7 Mar 2015 18:28:06 +0000 +Subject: [PATCH 57/57] Tweak DNSSEC timestamp code to create file later, + removing need to chown it. + +--- + man/dnsmasq.8 | 3 ++- + src/dnsmasq.c | 35 ++++++++++++++++++++++------------- + src/dnsmasq.h | 3 ++- + src/dnssec.c | 18 ++++++++++-------- + 4 files changed, 36 insertions(+), 23 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 097e7d75145c..2db780d90987 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -678,7 +678,8 @@ which have not been throughly checked. + Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the + system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and + its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried +-over system restarts. ++over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the ++unprivileged user that dnsmasq runs as. + .TP + .B --proxy-dnssec + Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 9e05c0e31569..f3e5bcffec4f 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -58,9 +58,6 @@ int main (int argc, char **argv) + struct dhcp_context *context; + struct dhcp_relay *relay; + #endif +-#ifdef HAVE_DNSSEC +- int badtime; +-#endif + + #ifdef LOCALEDIR + setlocale(LC_ALL, ""); +@@ -156,10 +153,10 @@ int main (int argc, char **argv) + { + #ifdef HAVE_DNSSEC + if (!daemon->ds) +- die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF); ++ die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF); + + if (daemon->cachesize < CACHESIZ) +- die(_("Cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); ++ die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); + #else + die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); + #endif +@@ -172,10 +169,10 @@ int main (int argc, char **argv) + + #ifdef HAVE_CONNTRACK + if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport)) +- die (_("Cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); ++ die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); + #else + if (option_bool(OPT_CONNTRACK)) +- die(_("Conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF); ++ die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF); + #endif + + #ifdef HAVE_SOLARIS_NETWORK +@@ -195,7 +192,7 @@ int main (int argc, char **argv) + + #ifndef HAVE_LOOP + if (option_bool(OPT_LOOP_DETECT)) +- die(_("Loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); ++ die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); + #endif + + now = dnsmasq_time(); +@@ -373,10 +370,6 @@ int main (int argc, char **argv) + if (baduser) + die(_("unknown user or group: %s"), baduser, EC_BADCONF); + +-#ifdef HAVE_DNSSEC +- badtime = setup_timestamp(ent_pw); +-#endif +- + /* implement group defaults, "dip" if available, or group associated with uid */ + if (!daemon->group_set && !gp) + { +@@ -693,10 +686,23 @@ int main (int argc, char **argv) + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + { ++ int rc; ++ ++ /* Delay creating the timestamp file until here, after we've changed user, so that ++ it has the correct owner to allow updating the mtime later. ++ This means we have to report fatal errors via the pipe. */ ++ if ((rc = setup_timestamp()) == -1) ++ { ++ send_event(err_pipe[1], EVENT_TIME_ERR, errno, daemon->timestamp_file); ++ _exit(0); ++ } ++ + my_syslog(LOG_INFO, _("DNSSEC validation enabled")); ++ + if (option_bool(OPT_DNSSEC_TIME)) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); +- if (badtime) ++ ++ if (rc == 1) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid")); + } + #endif +@@ -1170,6 +1176,9 @@ static void fatal_event(struct event_desc *ev, char *msg) + + case EVENT_TFTP_ERR: + die(_("TFTP directory %s inaccessible: %s"), msg, EC_FILE); ++ ++ case EVENT_TIME_ERR: ++ die(_("cannot create timestamp file %s: %s" ), msg, EC_BADCONF); + } + } + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index a451cb4dd03c..fc7259881358 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -167,6 +167,7 @@ struct event_desc { + #define EVENT_INIT 21 + #define EVENT_NEWADDR 22 + #define EVENT_NEWROUTE 23 ++#define EVENT_TIME_ERR 24 + + /* Exit codes. */ + #define EC_GOOD 0 +@@ -1152,7 +1153,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char + int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); + unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); +-int setup_timestamp(struct passwd *ent_pw); ++int setup_timestamp(void); + + /* util.c */ + void rand_init(void); +diff --git a/src/dnssec.c b/src/dnssec.c +index c60eacf73c6b..ad0d6f072ba2 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -397,18 +397,21 @@ static int serial_compare_32(unsigned long s1, unsigned long s2) + + /* Called at startup. If the timestamp file is configured and exists, put its mtime on + timestamp_time. If it doesn't exist, create it, and set the mtime to 1-1-2015. +- Change the ownership to the user we'll be running as, so that we can update the mtime. ++ return -1 -> Cannot create file. ++ 0 -> not using timestamp, or timestamp exists and is in past. ++ 1 -> timestamp exists and is in future. + */ ++ + static time_t timestamp_time; + static int back_to_the_future; + +-int setup_timestamp(struct passwd *ent_pw) ++int setup_timestamp(void) + { + struct stat statbuf; + + back_to_the_future = 0; + +- if (!option_bool(OPT_DNSSEC_VALID) || !daemon->timestamp_file) ++ if (!daemon->timestamp_file) + return 0; + + if (stat(daemon->timestamp_file, &statbuf) != -1) +@@ -428,7 +431,8 @@ int setup_timestamp(struct passwd *ent_pw) + + if (errno == ENOENT) + { +- int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK, 0666); ++ /* NB. for explanation of O_EXCL flag, see comment on pidfile in dnsmasq.c */ ++ int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK | O_EXCL, 0666); + if (fd != -1) + { + struct utimbuf timbuf; +@@ -436,14 +440,12 @@ int setup_timestamp(struct passwd *ent_pw) + close(fd); + + timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */ +- if (utime(daemon->timestamp_file, &timbuf) == 0 && +- (!ent_pw || getuid() != 0 || chown(daemon->timestamp_file, ent_pw->pw_uid, -1) == 0)) ++ if (utime(daemon->timestamp_file, &timbuf) == 0) + goto check_and_exit; + } + } + +- die(_("Cannot create timestamp file %s: %s" ), daemon->timestamp_file, EC_BADCONF); +- return 0; ++ return -1; + } + + /* Check whether today/now is between date_start and date_end */ +-- +2.1.0 +
hooks/post-receive -- IPFire 2.x development tree