This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  5fba8a0b1ebcb29340e225707193c0147c4cb64a (commit)
       via  b658a451fbb2f551f4e2765ab14eac34e0eca7b1 (commit)
       via  b4255d757f98cc5bd6cf60ac245c60b78871849f (commit)
       via  47c3e83253693f80a5ef38af6e9cdd276bf9a5da (commit)
       via  6302a24890f8530924e4468daca575e7336f4a87 (commit)
       via  1b4f2493a5beeb38336c6d98a4dd3bc6a24b1aa4 (commit)
       via  df7340d2f3232a87ae6e3e11a6cb4e15b74e55a3 (commit)
       via  9625be6f24f73a40f987b9a79657f026405f9c29 (commit)
       via  61b4250af56cdd8cb97187098ed5b4b6b93acb85 (commit)
       via  b8f5eda86b6d1c7270e858214a96e5eded18876a (commit)
       via  0fbd7c3c81ca0740cf8e6f4c47253ff4dd48e7df (commit)
       via  cb21683968ddc0d5eab4c131c69aa665ff5d7dc8 (commit)
       via  c648dd88f57309f08d2703bdb4596aaa75d776aa (commit)
       via  76f5c54236fdb2714fbb6d890a7b079d5aa4f9fc (commit)
       via  89b0810b240967e4ae4101ad2736b74792a3c80a (commit)
       via  08f6cdcf828aa6e03e59b9054b68eede80a13ebe (commit)
       via  d0e5f71f77e5bcbeef1edbded3ca0a0bd564a34f (commit)
      from  3364c93e37c65ed8544066ed55afe1941b2b6f8d (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 5fba8a0b1ebcb29340e225707193c0147c4cb64a
Merge: 3364c93 b658a45
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Sep 8 19:50:45 2016 +0100
Merge branch 'unbound' into next
commit b658a451fbb2f551f4e2765ab14eac34e0eca7b1
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Thu Sep 8 19:46:43 2016 +0100
unbound: Automatically scale configuration to system
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b4255d757f98cc5bd6cf60ac245c60b78871849f
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sun Aug 7 15:02:08 2016 +0100
Rootfile update
Forgot to commit this one
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 47c3e83253693f80a5ef38af6e9cdd276bf9a5da
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sun Aug 7 12:45:11 2016 +0100
unbound is not supposed to be a package
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6302a24890f8530924e4468daca575e7336f4a87
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 20:58:50 2016 +0100
make.sh: Unbound depends on libevent
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 1b4f2493a5beeb38336c6d98a4dd3bc6a24b1aa4
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 19:41:27 2016 +0100
unbound: Update dynamically configured DNS servers after connecting RED
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit df7340d2f3232a87ae6e3e11a6cb4e15b74e55a3
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 19:32:34 2016 +0100
Add unboundctrl
Control binary to relaunch unbound from the web user interface
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 9625be6f24f73a40f987b9a79657f026405f9c29
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 19:30:14 2016 +0100
webinterface: Replace dnsmasq with unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 61b4250af56cdd8cb97187098ed5b4b6b93acb85
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 19:25:48 2016 +0100
Drop dnsmasq
This will be replaced by unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b8f5eda86b6d1c7270e858214a96e5eded18876a
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 19:20:27 2016 +0100
unbound: Rewrite configuration and initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 0fbd7c3c81ca0740cf8e6f4c47253ff4dd48e7df
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 16:48:39 2016 +0100
Import Unbound DHCP Lease Bridge
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit cb21683968ddc0d5eab4c131c69aa665ff5d7dc8
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 15:24:00 2016 +0100
unbound: Ship ICANN's certificates for trust anchor validation
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c648dd88f57309f08d2703bdb4596aaa75d776aa
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 15:20:07 2016 +0100
unbound: Update trust anchor once a day
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 76f5c54236fdb2714fbb6d890a7b079d5aa4f9fc
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 15:12:01 2016 +0100
unbound: Install trust anchor in /var/lib/unbound
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 89b0810b240967e4ae4101ad2736b74792a3c80a
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Sat Aug 6 14:43:47 2016 +0100
python-daemon: New package
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 08f6cdcf828aa6e03e59b9054b68eede80a13ebe
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Aug 5 13:33:47 2016 +0100
New package: python inotify
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit d0e5f71f77e5bcbeef1edbded3ca0a0bd564a34f
Author: Marcel Lorenz marcel.lorenz@ipfire.org
Date:   Tue Aug 2 20:48:17 2016 +0200
New package: unbound 1.5.9
Unbound is a validating, recursive, and caching DNS resolver.
Signed-off-by: Marcel Lorenz marcel.lorenz@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/cron/crontab                                 |   3 +
 config/etc/group                                    |   1 -
 config/etc/passwd                                   |   1 -
 config/rootfiles/common/armv5tel/initscripts        |   5 +-
 config/rootfiles/common/dnsmasq                     |   2 -
 config/rootfiles/common/i586/initscripts            |   5 +-
 config/rootfiles/common/misc-progs                  |   2 +-
 config/rootfiles/common/python-daemon               |  19 ++
 config/rootfiles/common/python-docutils             | 320 ++++++++++++++++++
 config/rootfiles/common/python-inotify              |  20 ++
 config/rootfiles/common/unbound                     |  62 ++++
 config/rootfiles/common/x86_64/initscripts          |   5 +-
 config/unbound/icannbundle.pem                      | 317 ++++++++++++++++++
 config/unbound/root.hints                           |  90 +++++
 config/unbound/root.key                             |   1 +
 config/unbound/unbound-dhcp-leases-bridge           | 354 ++++++++++++++++++++
 config/unbound/unbound.conf                         |  94 ++++++
 html/cgi-bin/dnsforward.cgi                         |  12 +-
 html/cgi-bin/logs.cgi/log.dat                       |   2 +-
 html/cgi-bin/services.cgi                           |   2 +-
 lfs/dnsmasq                                         | 104 ------
 lfs/initscripts                                     |   2 -
 lfs/{python-xattr => python-daemon}                 |  15 +-
 lfs/{python-xattr => python-docutils}               |  15 +-
 lfs/{python-xattr => python-inotify}                |  15 +-
 lfs/{bird => unbound}                               |  46 ++-
 make.sh                                             |   9 +-
 src/initscripts/init.d/dnsmasq                      | 145 --------
 src/initscripts/init.d/network                      |   9 -
 .../networking/red.down/05-update-dns-forwarders    |   4 +
 .../networking/red.up/05-update-dns-forwarders      |   4 +
 src/initscripts/init.d/unbound                      | 226 +++++++++++++
 src/misc-progs/Makefile                             |   2 +-
 src/misc-progs/{dnsmasqctrl.c => unboundctrl.c}     |   6 +-
 ...q-Add-support-to-read-ISC-DHCP-lease-file.patch  | 363 ---------------------
 ...late_length_of_TFTP_error_reply_correctly.patch  |  65 ----
 .../dnsmasq/002-Zero_newly_malloc_ed_memory.patch   |  36 --
 .../003-Check_return_of_expand_always.patch         |  44 ---
 .../004-Fix_editing_error_on_man_page.patch         |  40 ---
 src/patches/dnsmasq/005-Manpage_typo.patch          |  25 --
 ...aviour_with_some_DHCP_option_arrangements.patch  |  49 ---
 ...007-Fix_logic_error_in_Linux_netlink_code.patch  |  55 ----
 .../008-Fix_problem_with_--dnssec-timestamp.patch   |  93 ------
 .../009-malloc_memset_calloc_for_efficiency.patch   |  46 ---
 ...put_to_reduce_risk_of_information_leakage.patch  | 169 ----------
 ...on_transmission_in_case_of_retransmission.patch  |  54 ---
 ...n_buffer_sizes_for_leasefile_parsing_code.patch  | 103 ------
 ...allow_to_exclude_ip_addresses_from_answer.patch  | 184 -----------
 ...rial_when_reloading_etc_hosts_and_friends.patch  |  41 ---
 ..._IPv6_addresses_sanely_for_--synth-domain.patch  | 101 ------
 ...ode_to_remove_blatant_copyright_violation.patch  | 149 ---------
 51 files changed, 1584 insertions(+), 1952 deletions(-)
 delete mode 100644 config/rootfiles/common/dnsmasq
 create mode 100644 config/rootfiles/common/python-daemon
 create mode 100644 config/rootfiles/common/python-docutils
 create mode 100644 config/rootfiles/common/python-inotify
 create mode 100644 config/rootfiles/common/unbound
 create mode 100644 config/unbound/icannbundle.pem
 create mode 100644 config/unbound/root.hints
 create mode 100644 config/unbound/root.key
 create mode 100644 config/unbound/unbound-dhcp-leases-bridge
 create mode 100644 config/unbound/unbound.conf
 delete mode 100644 lfs/dnsmasq
 copy lfs/{python-xattr => python-daemon} (93%)
 copy lfs/{python-xattr => python-docutils} (93%)
 copy lfs/{python-xattr => python-inotify} (93%)
 copy lfs/{bird => unbound} (73%)
 delete mode 100644 src/initscripts/init.d/dnsmasq
 create mode 100644 src/initscripts/init.d/networking/red.down/05-update-dns-forwarders
 create mode 100644 src/initscripts/init.d/networking/red.up/05-update-dns-forwarders
 create mode 100644 src/initscripts/init.d/unbound
 rename src/misc-progs/{dnsmasqctrl.c => unboundctrl.c} (74%)
 delete mode 100644 src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
 delete mode 100644 src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
 delete mode 100644 src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
 delete mode 100644 src/patches/dnsmasq/003-Check_return_of_expand_always.patch
 delete mode 100644 src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
 delete mode 100644 src/patches/dnsmasq/005-Manpage_typo.patch
 delete mode 100644 src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
 delete mode 100644 src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
 delete mode 100644 src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
 delete mode 100644 src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
 delete mode 100644 src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
 delete mode 100644 src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
 delete mode 100644 src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
 delete mode 100644 src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch
 delete mode 100644 src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch
 delete mode 100644 src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch
 delete mode 100644 src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch
Difference in files: diff --git a/config/cron/crontab b/config/cron/crontab index c42c650..c6d8a72 100644 --- a/config/cron/crontab +++ b/config/cron/crontab @@ -67,3 +67,6 @@ HOME=/
# Cleanup the mail spool directory %weekly * * /usr/sbin/dma-cleanup-spool + +# Update DNS trust anchor +%daily,random * * @runas(nobody) /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem diff --git a/config/etc/group b/config/etc/group index 51334aa..e4897db 100644 --- a/config/etc/group +++ b/config/etc/group @@ -30,7 +30,6 @@ nobody:x:99: users:x:100: snort:x:101: logwatch:x:102: -dnsmasq:x:103: cron:x:104: syslogd:x:105: klogd:x:106: diff --git a/config/etc/passwd b/config/etc/passwd index 0c2527c..542e3bf 100644 --- a/config/etc/passwd +++ b/config/etc/passwd @@ -14,7 +14,6 @@ nobody:x:99:99:Nobody:/home/nobody:/bin/false postfix:x:100:100::/var/spool/postfix:/bin/false snort:x:101:101:ftp:/var/log/snort:/bin/false logwatch:x:102:102::/var/log/logwatch:/bin/false -dnsmasq:x:103:103::/:/bin/false cron:x:104:104::/:/bin/false syslogd:x:105:105:/var/empty:/bin/false klogd:x:106:106:/var/empty:/bin/false diff --git a/config/rootfiles/common/armv5tel/initscripts b/config/rootfiles/common/armv5tel/initscripts index 29b3290..a429d2c 100644 --- a/config/rootfiles/common/armv5tel/initscripts +++ b/config/rootfiles/common/armv5tel/initscripts @@ -26,7 +26,6 @@ etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay #etc/rc.d/init.d/dnsdist -etc/rc.d/init.d/dnsmasq etc/rc.d/init.d/fcron #etc/rc.d/init.d/fetchmail etc/rc.d/init.d/fireinfo @@ -76,7 +75,7 @@ etc/rc.d/init.d/networking/green etc/rc.d/init.d/networking/orange etc/rc.d/init.d/networking/red #etc/rc.d/init.d/networking/red.down -etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq +etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn 
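Review bot: the crontab hunk runs unbound-anchor under `@runas(nobody)` and has it write the DNSSEC trust anchor to /var/lib/unbound/root.key, while the config/etc/group and config/etc/passwd hunks in the same patch remove the dedicated `dnsmasq:x:103` account and add no `unbound` account in its place. The anchor file therefore has to be writable by `nobody`, the shared account that other unprivileged services on the box also run under, so a compromise of any of those services can rewrite the key Unbound validates against. Suggest adding an `unbound` user and group (uid/gid 103 is freed by this very patch), making that account the owner of /var/lib/unbound, and changing the cron line to `@runas(unbound)`. A smaller point on the same line: `-c /etc/unbound/icannbundle.pem` pins the certificate-based fallback to a static bundle shipped in config/unbound, so a comment next to the entry noting that the bundle must be refreshed when ICANN rotates its certificates would help whoever maintains this next.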
@@ -84,7 +83,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup -etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq +etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/common/dnsmasq b/config/rootfiles/common/dnsmasq deleted file mode 100644 index 1e90012..0000000 --- a/config/rootfiles/common/dnsmasq +++ /dev/null @@ -1,2 +0,0 @@ -usr/sbin/dnsmasq -#usr/share/man/man8/dnsmasq.8 diff --git a/config/rootfiles/common/i586/initscripts b/config/rootfiles/common/i586/initscripts index ee5a4ab..2053bd9 100644 --- a/config/rootfiles/common/i586/initscripts +++ b/config/rootfiles/common/i586/initscripts @@ -27,7 +27,6 @@ etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay #etc/rc.d/init.d/dnsdist -etc/rc.d/init.d/dnsmasq etc/rc.d/init.d/fcron #etc/rc.d/init.d/fetchmail etc/rc.d/init.d/fireinfo @@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green etc/rc.d/init.d/networking/orange etc/rc.d/init.d/networking/red #etc/rc.d/init.d/networking/red.down -etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq +etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn 
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup -etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq +etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/rootfiles/common/misc-progs b/config/rootfiles/common/misc-progs index 1917884..63a0051 100644 --- a/config/rootfiles/common/misc-progs +++ b/config/rootfiles/common/misc-progs @@ -5,7 +5,6 @@ usr/local/bin/backupctrl usr/local/bin/collectdctrl usr/local/bin/ddnsctrl usr/local/bin/dhcpctrl -usr/local/bin/dnsmasqctrl usr/local/bin/extrahdctrl usr/local/bin/fireinfoctrl usr/local/bin/getconntracktable @@ -33,6 +32,7 @@ usr/local/bin/sshctrl usr/local/bin/syslogdctrl usr/local/bin/timectrl #usr/local/bin/torctrl +usr/local/bin/unboundctrl usr/local/bin/updxlratorctrl usr/local/bin/upnpctrl usr/local/bin/urlfilterctrl diff --git a/config/rootfiles/common/python-daemon b/config/rootfiles/common/python-daemon new file mode 100644 index 0000000..34d36a4 --- /dev/null +++ b/config/rootfiles/common/python-daemon 
@@ -0,0 +1,19 @@ +#usr/lib/python2.7/site-packages/daemon +usr/lib/python2.7/site-packages/daemon/__init__.py +usr/lib/python2.7/site-packages/daemon/__init__.pyc +usr/lib/python2.7/site-packages/daemon/_metadata.py +usr/lib/python2.7/site-packages/daemon/_metadata.pyc +usr/lib/python2.7/site-packages/daemon/daemon.py +usr/lib/python2.7/site-packages/daemon/daemon.pyc +usr/lib/python2.7/site-packages/daemon/pidfile.py +usr/lib/python2.7/site-packages/daemon/pidfile.pyc +usr/lib/python2.7/site-packages/daemon/runner.py +usr/lib/python2.7/site-packages/daemon/runner.pyc +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/PKG-INFO +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/SOURCES.txt +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/dependency_links.txt +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/not-zip-safe +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/requires.txt +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/top_level.txt +#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/version_info.json diff --git a/config/rootfiles/common/python-docutils b/config/rootfiles/common/python-docutils new file mode 100644 index 0000000..45038dd --- /dev/null +++ b/config/rootfiles/common/python-docutils 
@@ -0,0 +1,320 @@ +#usr/bin/rst2html.py +#usr/bin/rst2latex.py +#usr/bin/rst2man.py +#usr/bin/rst2odt.py +#usr/bin/rst2odt_prepstyles.py +#usr/bin/rst2pseudoxml.py +#usr/bin/rst2s5.py +#usr/bin/rst2xetex.py +#usr/bin/rst2xml.py +#usr/bin/rstpep2html.py +#usr/lib/python2.7/site-packages/docutils +#usr/lib/python2.7/site-packages/docutils-0.12-py2.7.egg-info +#usr/lib/python2.7/site-packages/docutils/__init__.py +#usr/lib/python2.7/site-packages/docutils/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/_compat.py +#usr/lib/python2.7/site-packages/docutils/_compat.pyc +#usr/lib/python2.7/site-packages/docutils/core.py +#usr/lib/python2.7/site-packages/docutils/core.pyc +#usr/lib/python2.7/site-packages/docutils/examples.py +#usr/lib/python2.7/site-packages/docutils/examples.pyc +#usr/lib/python2.7/site-packages/docutils/frontend.py +#usr/lib/python2.7/site-packages/docutils/frontend.pyc +#usr/lib/python2.7/site-packages/docutils/io.py +#usr/lib/python2.7/site-packages/docutils/io.pyc +#usr/lib/python2.7/site-packages/docutils/languages +#usr/lib/python2.7/site-packages/docutils/languages/__init__.py +#usr/lib/python2.7/site-packages/docutils/languages/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/languages/af.py +#usr/lib/python2.7/site-packages/docutils/languages/af.pyc +#usr/lib/python2.7/site-packages/docutils/languages/ca.py +#usr/lib/python2.7/site-packages/docutils/languages/ca.pyc +#usr/lib/python2.7/site-packages/docutils/languages/cs.py +#usr/lib/python2.7/site-packages/docutils/languages/cs.pyc +#usr/lib/python2.7/site-packages/docutils/languages/da.py +#usr/lib/python2.7/site-packages/docutils/languages/da.pyc +#usr/lib/python2.7/site-packages/docutils/languages/de.py +#usr/lib/python2.7/site-packages/docutils/languages/de.pyc +#usr/lib/python2.7/site-packages/docutils/languages/en.py +#usr/lib/python2.7/site-packages/docutils/languages/en.pyc +#usr/lib/python2.7/site-packages/docutils/languages/eo.py 
+#usr/lib/python2.7/site-packages/docutils/languages/eo.pyc +#usr/lib/python2.7/site-packages/docutils/languages/es.py +#usr/lib/python2.7/site-packages/docutils/languages/es.pyc +#usr/lib/python2.7/site-packages/docutils/languages/fi.py +#usr/lib/python2.7/site-packages/docutils/languages/fi.pyc +#usr/lib/python2.7/site-packages/docutils/languages/fr.py +#usr/lib/python2.7/site-packages/docutils/languages/fr.pyc +#usr/lib/python2.7/site-packages/docutils/languages/gl.py +#usr/lib/python2.7/site-packages/docutils/languages/gl.pyc +#usr/lib/python2.7/site-packages/docutils/languages/he.py +#usr/lib/python2.7/site-packages/docutils/languages/he.pyc +#usr/lib/python2.7/site-packages/docutils/languages/it.py +#usr/lib/python2.7/site-packages/docutils/languages/it.pyc +#usr/lib/python2.7/site-packages/docutils/languages/ja.py +#usr/lib/python2.7/site-packages/docutils/languages/ja.pyc +#usr/lib/python2.7/site-packages/docutils/languages/lt.py +#usr/lib/python2.7/site-packages/docutils/languages/lt.pyc +#usr/lib/python2.7/site-packages/docutils/languages/nl.py +#usr/lib/python2.7/site-packages/docutils/languages/nl.pyc +#usr/lib/python2.7/site-packages/docutils/languages/pl.py +#usr/lib/python2.7/site-packages/docutils/languages/pl.pyc +#usr/lib/python2.7/site-packages/docutils/languages/pt_br.py +#usr/lib/python2.7/site-packages/docutils/languages/pt_br.pyc +#usr/lib/python2.7/site-packages/docutils/languages/ru.py +#usr/lib/python2.7/site-packages/docutils/languages/ru.pyc +#usr/lib/python2.7/site-packages/docutils/languages/sk.py +#usr/lib/python2.7/site-packages/docutils/languages/sk.pyc +#usr/lib/python2.7/site-packages/docutils/languages/sv.py +#usr/lib/python2.7/site-packages/docutils/languages/sv.pyc +#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.py +#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.pyc +#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.py +#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.pyc 
+#usr/lib/python2.7/site-packages/docutils/nodes.py +#usr/lib/python2.7/site-packages/docutils/nodes.pyc +#usr/lib/python2.7/site-packages/docutils/parsers +#usr/lib/python2.7/site-packages/docutils/parsers/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/null.py +#usr/lib/python2.7/site-packages/docutils/parsers/null.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst +#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.py 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/README.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsa.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsb.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsc.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsn.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamso.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsr.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isobox.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr2.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isodia.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk2.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk3.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat2.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr.txt 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isonum.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isopub.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isotech.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlalias.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra-wide.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/s5defs.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-lat1.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-special.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-symbol.txt +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.pyc 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.py 
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.pyc +#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.py +#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.pyc +#usr/lib/python2.7/site-packages/docutils/readers +#usr/lib/python2.7/site-packages/docutils/readers/__init__.py +#usr/lib/python2.7/site-packages/docutils/readers/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/readers/doctree.py +#usr/lib/python2.7/site-packages/docutils/readers/doctree.pyc +#usr/lib/python2.7/site-packages/docutils/readers/pep.py +#usr/lib/python2.7/site-packages/docutils/readers/pep.pyc +#usr/lib/python2.7/site-packages/docutils/readers/standalone.py +#usr/lib/python2.7/site-packages/docutils/readers/standalone.pyc +#usr/lib/python2.7/site-packages/docutils/statemachine.py +#usr/lib/python2.7/site-packages/docutils/statemachine.pyc +#usr/lib/python2.7/site-packages/docutils/transforms +#usr/lib/python2.7/site-packages/docutils/transforms/__init__.py +#usr/lib/python2.7/site-packages/docutils/transforms/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/components.py +#usr/lib/python2.7/site-packages/docutils/transforms/components.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.py +#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/misc.py 
+#usr/lib/python2.7/site-packages/docutils/transforms/misc.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/parts.py +#usr/lib/python2.7/site-packages/docutils/transforms/parts.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/peps.py +#usr/lib/python2.7/site-packages/docutils/transforms/peps.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/references.py +#usr/lib/python2.7/site-packages/docutils/transforms/references.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/universal.py +#usr/lib/python2.7/site-packages/docutils/transforms/universal.pyc +#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.py +#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.pyc +#usr/lib/python2.7/site-packages/docutils/utils +#usr/lib/python2.7/site-packages/docutils/utils/__init__.py +#usr/lib/python2.7/site-packages/docutils/utils/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.py +#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.pyc +#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.py +#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math +#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.py +#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.py +#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.py +#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.py +#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.pyc +#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.py +#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.pyc +#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.py 
+#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.pyc +#usr/lib/python2.7/site-packages/docutils/utils/roman.py +#usr/lib/python2.7/site-packages/docutils/utils/roman.pyc +#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.py +#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.pyc +#usr/lib/python2.7/site-packages/docutils/utils/urischemes.py +#usr/lib/python2.7/site-packages/docutils/utils/urischemes.pyc +#usr/lib/python2.7/site-packages/docutils/writers +#usr/lib/python2.7/site-packages/docutils/writers/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.py +#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.pyc +#usr/lib/python2.7/site-packages/docutils/writers/html4css1 +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/html4css1.css +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/math.css +#usr/lib/python2.7/site-packages/docutils/writers/html4css1/template.txt +#usr/lib/python2.7/site-packages/docutils/writers/latex2e +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/default.tex +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/titlepage.tex +#usr/lib/python2.7/site-packages/docutils/writers/latex2e/xelatex.tex +#usr/lib/python2.7/site-packages/docutils/writers/manpage.py +#usr/lib/python2.7/site-packages/docutils/writers/manpage.pyc +#usr/lib/python2.7/site-packages/docutils/writers/null.py +#usr/lib/python2.7/site-packages/docutils/writers/null.pyc +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.py 
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.py +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.pyc +#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/styles.odt +#usr/lib/python2.7/site-packages/docutils/writers/pep_html +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/pep.css +#usr/lib/python2.7/site-packages/docutils/writers/pep_html/template.txt +#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.py +#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.pyc +#usr/lib/python2.7/site-packages/docutils/writers/s5_html +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.pyc +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/README.txt +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/__base__ +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/blank.gif +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/framing.css 
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/iepngfix.htc +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/opera.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/outline.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/print.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/s5-core.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.js +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/__base__ +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/__base__ +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/framing.css +#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/pretty.css +#usr/lib/python2.7/site-packages/docutils/writers/xetex +#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.py +#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.pyc 
diff --git a/config/rootfiles/common/python-inotify b/config/rootfiles/common/python-inotify new file mode 100644 index 0000000..5fc062a --- /dev/null +++ b/config/rootfiles/common/python-inotify @@ -0,0 +1,20 @@ +#usr/lib/python2.7/site-packages/inotify +#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info +#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/PKG-INFO +#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/SOURCES.txt +#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/dependency_links.txt +#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/not-zip-safe +#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/top_level.txt +usr/lib/python2.7/site-packages/inotify/__init__.py +usr/lib/python2.7/site-packages/inotify/__init__.pyc +usr/lib/python2.7/site-packages/inotify/adapters.py +usr/lib/python2.7/site-packages/inotify/adapters.pyc +usr/lib/python2.7/site-packages/inotify/calls.py +usr/lib/python2.7/site-packages/inotify/calls.pyc +usr/lib/python2.7/site-packages/inotify/constants.py +usr/lib/python2.7/site-packages/inotify/constants.pyc +usr/lib/python2.7/site-packages/inotify/library.py +usr/lib/python2.7/site-packages/inotify/library.pyc +#usr/lib/python2.7/site-packages/inotify/resources +#usr/lib/python2.7/site-packages/inotify/resources/README.rst +#usr/lib/python2.7/site-packages/inotify/resources/requirements.txt diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound new file mode 100644 index 0000000..94eeba7 --- /dev/null +++ b/config/rootfiles/common/unbound 
@@ -0,0 +1,62 @@ +etc/rc.d/init.d/unbound +#etc/unbound +etc/unbound/dhcp-leases.conf +etc/unbound/forward.conf +etc/unbound/icannbundle.pem +etc/unbound/local.d +etc/unbound/root.hints +etc/unbound/root.key +etc/unbound/unbound.conf +#usr/include/unbound.h +#usr/lib/libunbound.la +#usr/lib/libunbound.so +usr/lib/libunbound.so.2 +usr/lib/libunbound.so.2.4.1 +usr/sbin/unbound +usr/sbin/unbound-anchor +usr/sbin/unbound-checkconf +usr/sbin/unbound-dhcp-leases-bridge +usr/sbin/unbound-control +usr/sbin/unbound-control-setup +usr/sbin/unbound-switch +usr/sbin/unbound-zone +#usr/share/man/man1/unbound-host.1 +#usr/share/man/man3/libunbound.3 +#usr/share/man/man3/ub_cancel.3 +#usr/share/man/man3/ub_ctx.3 +#usr/share/man/man3/ub_ctx_add_ta.3 +#usr/share/man/man3/ub_ctx_add_ta_file.3 +#usr/share/man/man3/ub_ctx_async.3 +#usr/share/man/man3/ub_ctx_config.3 +#usr/share/man/man3/ub_ctx_create.3 +#usr/share/man/man3/ub_ctx_data_add.3 +#usr/share/man/man3/ub_ctx_data_remove.3 +#usr/share/man/man3/ub_ctx_debuglevel.3 +#usr/share/man/man3/ub_ctx_debugout.3 +#usr/share/man/man3/ub_ctx_delete.3 +#usr/share/man/man3/ub_ctx_get_option.3 +#usr/share/man/man3/ub_ctx_hosts.3 +#usr/share/man/man3/ub_ctx_print_local_zones.3 +#usr/share/man/man3/ub_ctx_resolvconf.3 +#usr/share/man/man3/ub_ctx_set_fwd.3 +#usr/share/man/man3/ub_ctx_set_option.3 +#usr/share/man/man3/ub_ctx_trustedkeys.3 +#usr/share/man/man3/ub_ctx_zone_add.3 +#usr/share/man/man3/ub_ctx_zone_remove.3 +#usr/share/man/man3/ub_fd.3 +#usr/share/man/man3/ub_poll.3 +#usr/share/man/man3/ub_process.3 +#usr/share/man/man3/ub_resolve.3 +#usr/share/man/man3/ub_resolve_async.3 +#usr/share/man/man3/ub_resolve_free.3 +#usr/share/man/man3/ub_result.3 +#usr/share/man/man3/ub_strerror.3 +#usr/share/man/man3/ub_wait.3 +#usr/share/man/man5/unbound.conf.5 +#usr/share/man/man8/unbound-anchor.8 +#usr/share/man/man8/unbound-checkconf.8 +#usr/share/man/man8/unbound-control-setup.8 +#usr/share/man/man8/unbound-control.8 +#usr/share/man/man8/unbound.8 
+var/lib/unbound +var/lib/unbound/root.key diff --git a/config/rootfiles/common/x86_64/initscripts b/config/rootfiles/common/x86_64/initscripts index ee5a4ab..2053bd9 100644 --- a/config/rootfiles/common/x86_64/initscripts +++ b/config/rootfiles/common/x86_64/initscripts @@ -27,7 +27,6 @@ etc/rc.d/init.d/console etc/rc.d/init.d/dhcp etc/rc.d/init.d/dhcrelay #etc/rc.d/init.d/dnsdist -etc/rc.d/init.d/dnsmasq etc/rc.d/init.d/fcron #etc/rc.d/init.d/fetchmail etc/rc.d/init.d/fireinfo @@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green etc/rc.d/init.d/networking/orange etc/rc.d/init.d/networking/red #etc/rc.d/init.d/networking/red.down -etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq +etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders etc/rc.d/init.d/networking/red.down/10-ipsec etc/rc.d/init.d/networking/red.down/10-miniupnpd etc/rc.d/init.d/networking/red.down/10-ovpn @@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes etc/rc.d/init.d/networking/red.down/20-firewall #etc/rc.d/init.d/networking/red.up etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup -etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq +etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders etc/rc.d/init.d/networking/red.up/10-miniupnpd etc/rc.d/init.d/networking/red.up/10-multicast etc/rc.d/init.d/networking/red.up/10-static-routes diff --git a/config/unbound/icannbundle.pem b/config/unbound/icannbundle.pem new file mode 100644 index 0000000..48941de --- /dev/null +++ b/config/unbound/icannbundle.pem 
@@ -0,0 +1,317 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 04:19:12 2009 GMT + Not After : Dec 18 04:19:12 2029 GMT + Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15: + bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0: + 9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82: + 27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd: + fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84: + 22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14: + e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb: + d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e: + e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02: + 1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c: + 39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e: + ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6: + 7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb: + 31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74: + 9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36: + 09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3: + 04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52: + 85:41 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + Signature Algorithm: sha256WithRSAEncryption + 0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b: + 3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7: + c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26: + b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c: + 7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d: + 
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c: + 90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c: + 84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a: + 98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81: + 5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8: + c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf: + 1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2: + 90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16: + 70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31: + e7:40:61:a4 +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX +DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O +IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB +MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb +cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S +G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg +ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2 +paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7 +MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29 +iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B +Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3 +DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH +6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD +2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h +15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF +0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg +j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + 
Validity + Not Before: Dec 23 04:45:04 2009 GMT + Not After : Dec 22 04:45:04 2014 GMT + Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64: + 5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e: + 9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c: + 7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25: + b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a: + b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87: + b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59: + 3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6: + f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be: + 73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70: + 29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45: + 48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a: + c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d: + 66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6: + e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7: + 6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03: + 84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6: + e9:05 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22 + Signature Algorithm: sha256WithRSAEncryption + 4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45: + 92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15: + d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33: + f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c: + f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75: + e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd: + 04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73: + 
4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13: + cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20: + 23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb: + 38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79: + c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e: + a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2: + 01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48: + e5:8d:06:73 +-----BEGIN CERTIFICATE----- +MIIDhjCCAm6gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0NDUwNFoX +DTE0MTIyMjA0NDUwNFowSzEOMAwGA1UEChMFSUNBTk4xGDAWBgNVBAMTD0lDQU5O +IEROU1NFQyBDQTEfMB0GCSqGSIb3DQEJARMQZG5zc2VjQGljYW5uLm9yZzCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMC/4rTuEkY2O3zSRiFkWpPh4wIQ +JbulMHAZiZh+ntuOD6zISGYOGviB5S08ezk5diiP7gqn3WTpX4clsWTlWQP8vCk7 +YzfI10aats6HVc3P4qvpx4pTLiWHsJjWIKOo7IewOaPExXVZPPuRA/ruf+krtnCI +aSzm8U/80Ee06aAs+gzDhOu+c1q8Fu3QgwIt62ohAlFwKR5PyWkDn5EyXCwan15F +SCpQ7nIU7Bcp/CCVfSJqxm+DoliOsWTIcyNUbGkdZh/f+E8koaiuAH/piUGm44gd +OuGzOu8pRTKblC63bB7+MUAT4b1SZ9DYwz4DhEhynb2KSKDycjW2A0vG6QUCAwEA +AaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAf4wHwYDVR0jBBgw +FoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFI+yQmnDneQ8+hO5//LA +pO/YD+giMA0GCSqGSIb3DQEBCwUAA4IBAQBKeKJHfj8uTXhoqwZc/9oBBEWSICCI +89xOcAGby/MTYTQECRXQvpkcvvyX6S1z4bMrprk6QTPzgz1kG2SVv67NIN8Y4GKN ++pz32Kk8JSuOzxDlKbmvGn9iZHXnxv2bbXHAqbMPmrd6/lMEGM0EBtm/AQ7MBISE +UaPpBiqjJXNOjWIZEyVb3gvc0GkBykEKlhPPahH+K5o//VY9cz1YScJxgyAjbUaZ +bjeRn3YqnLBpP2SfBbs4yB7K2Gz9Vj6mhaJTgMZCtnnGQwvgbOqfz7AqLAFQw9gP +oH6hc6hchCdbyUtaE+lpJRxZEdIB3NrnyEQ0ouSZJbTDI7X4LUjljQZz +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:21:16 2009 GMT + Not After : Dec 22 05:21:16 2014 GMT + 
Subject: O=ICANN, CN=ICANN EMAIL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75: + 8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba: + c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9: + 57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01: + 4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6: + fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e: + a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6: + 6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01: + db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95: + d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65: + 7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f: + 20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78: + b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22: + d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23: + 2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21: + fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5: + 7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a: + 4d:b1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4 + Signature Algorithm: sha256WithRSAEncryption + 50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf: + b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76: + 99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b: + 01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7: + 37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd: + 9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb: + 7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32: + c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a: + 94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43: + 
a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3: + d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94: + 7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed: + 75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0: + 48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed: + ed:42:eb:2f +-----BEGIN CERTIFICATE----- +MIIDZDCCAkygAwIBAgIBBjANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MjExNloX +DTE0MTIyMjA1MjExNlowKTEOMAwGA1UEChMFSUNBTk4xFzAVBgNVBAMTDklDQU5O +IEVNQUlMIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0hkeImkz +9qTSdsWAEXWO0Ohvv4n4KmraioUoQLrFI19H7XLijtNcyIo6malXLAorIvNUe4v3 +jCGiUAFPi68033L8eDHQHeu8m+b6wYTQBQeKdFOlYJ7rdZ6oXTLIAjLkv8uXm3r6 +LPZqHbhXreMDIpPQ9E+ouAHbgjOYtoftPWdAACcu1ZXSrTZGFMYXeWV/ZfOIgGV8 +ImcIIzzPpRA4cjCXkm8gSrokTErISqXcKkShKXi0n/6E/ydbOnLqMcGtBiLWRKBK +VzKc8kZH0IluICMs6rCDfsHz6trd42NZlyH6GxE5J8+Ci1YV1DaSDKV+gOAYyVAI +QgrflzycuApNsQIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE +AwIB/jAfBgNVHSMEGDAWgBS6UulJgySGUi/Hmc38jWtpCE3AUDAdBgNVHQ4EFgQU +ez+6zqGzphMuWoKE1NLqpSTxzbQwDQYJKoZIhvcNAQELBQADggEBAFAHpWE55Dvj +vBy0p7KroftHv7QcMqw8RrACJi8WPolw4ofpdplhC5HFSHrlqiQLOeBPJgPUWwGK +TbaYzBb64hJKiLlTu1Atxze4o4ItUgU+Rqfbl4JzjX3t3Z43c2hrkM1i2Hf/MlO7 +06G5y30yKXD7LpBLJxJtmaXm1O8TMsEvta5uEQ5QVqRWW3awwJkuWpQX7ivBtpyL +aKxVlTGMZis1Q6UTBBtQRBxVf0zQGlCAU0Wo49OodK19atbpmtMlfYPiV2QalH68 +y+95tVRq8bDDgSaQ5UCH7XV9g2Nbq0XANAQn6NgSJnxewEi2M31L2yOK9xMkvL57 +dMvE7e1C6y8= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US + Validity + Not Before: Dec 23 05:07:29 2009 GMT + Not After : Dec 22 05:07:29 2014 GMT + Subject: O=ICANN, CN=ICANN SSL CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 
00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60: + 7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d: + 73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35: + e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89: + 81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61: + 17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca: + dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28: + 9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d: + f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d: + d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68: + f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0: + 3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa: + 94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40: + 3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85: + e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b: + 09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b: + 20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8: + e2:c5 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign + X509v3 Authority Key Identifier: + keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50 + + X509v3 Subject Key Identifier: + 6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8 + Signature Algorithm: sha256WithRSAEncryption + 18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43: + 2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6: + 57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd: + fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9: + 20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93: + 3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34: + af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9: + af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e: + bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c: + 6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b: + 93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85: + fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa: + 
21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af: + aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd: + 2c:fe:c0:ed +-----BEGIN CERTIFICATE----- +MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO +TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV +BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX +DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O +IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z +K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3 +VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo +nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz +kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4 +yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H +kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53 +qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ +TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM +fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb +pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS +uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW +vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey +EN0s/sDt +-----END CERTIFICATE----- diff --git a/config/unbound/root.hints b/config/unbound/root.hints new file mode 100644 index 0000000..3c82146 --- /dev/null +++ b/config/unbound/root.hints 
@@ -0,0 +1,90 @@ +; This file holds the information on root name servers needed to +; initialize cache of Internet domain name servers +; (e.g. reference this file in the "cache . <file>" +; configuration file of BIND domain name servers). +; +; This file is made available by InterNIC +; under anonymous FTP as +; file /domain/named.cache +; on server FTP.INTERNIC.NET +; -OR- RS.INTERNIC.NET +; +; last update: March 23, 2016 +; related version of root zone: 2016032301 +; +; formerly NS.INTERNIC.NET +; +. 3600000 NS A.ROOT-SERVERS.NET. +A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 +A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30 +; +; FORMERLY NS1.ISI.EDU +; +. 3600000 NS B.ROOT-SERVERS.NET. +B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 +B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b +; +; FORMERLY C.PSI.NET +; +. 3600000 NS C.ROOT-SERVERS.NET. +C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 +C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c +; +; FORMERLY TERP.UMD.EDU +; +. 3600000 NS D.ROOT-SERVERS.NET. +D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13 +D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d +; +; FORMERLY NS.NASA.GOV +; +. 3600000 NS E.ROOT-SERVERS.NET. +E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 +; +; FORMERLY NS.ISC.ORG +; +. 3600000 NS F.ROOT-SERVERS.NET. +F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 +F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f +; +; FORMERLY NS.NIC.DDN.MIL +; +. 3600000 NS G.ROOT-SERVERS.NET. +G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 +; +; FORMERLY AOS.ARL.ARMY.MIL +; +. 3600000 NS H.ROOT-SERVERS.NET. +H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53 +H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53 +; +; FORMERLY NIC.NORDU.NET +; +. 3600000 NS I.ROOT-SERVERS.NET. +I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 +I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53 +; +; OPERATED BY VERISIGN, INC. +; +. 3600000 NS J.ROOT-SERVERS.NET. +J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 +J.ROOT-SERVERS.NET. 
3600000 AAAA 2001:503:c27::2:30 +; +; OPERATED BY RIPE NCC +; +. 3600000 NS K.ROOT-SERVERS.NET. +K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 +K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1 +; +; OPERATED BY ICANN +; +. 3600000 NS L.ROOT-SERVERS.NET. +L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 +L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42 +; +; OPERATED BY WIDE +; +. 3600000 NS M.ROOT-SERVERS.NET. +M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 +M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35 +; End of file diff --git a/config/unbound/root.key b/config/unbound/root.key new file mode 100644 index 0000000..0c36abe --- /dev/null +++ b/config/unbound/root.key @@ -0,0 +1 @@ +. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbound-dhcp-leases-bridge new file mode 100644 index 0000000..61bd5d0 --- /dev/null +++ b/config/unbound/unbound-dhcp-leases-bridge 
@@ -0,0 +1,354 @@ +#!/usr/bin/python +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2016 Michael Tremer # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +import argparse +import datetime +import daemon +import logging +import logging.handlers +import re +import signal +import subprocess + +import inotify.adapters + +def setup_logging(loglevel=logging.INFO): + log = logging.getLogger("dhcp") + log.setLevel(loglevel) + + handler = logging.handlers.SysLogHandler(address="/dev/log", facility="daemon") + handler.setLevel(loglevel) + + formatter = logging.Formatter("%(name)s[%(process)d]: %(message)s") + handler.setFormatter(formatter) + + log.addHandler(handler) + + return log + +log = logging.getLogger("dhcp") + +class UnboundDHCPLeasesBridge(object): + def __init__(self, dhcp_leases_file, unbound_leases_file): + self.leases_file = dhcp_leases_file + + self.unbound = UnboundConfigWriter(unbound_leases_file) + self.running = False + + def run(self): + log.info("Unbound DHCP Leases Bridge started on %s" % self.leases_file) + self.running = True + + # Initially read leases file + self.update_dhcp_leases() + + i = inotify.adapters.Inotify([self.leases_file]) + + for event in 
i.event_gen(): + # End if we are requested to terminate + if not self.running: + break + + if event is None: + continue + + header, type_names, watch_path, filename = event + + # Update leases after leases file has been modified + if "IN_MODIFY" in type_names: + self.update_dhcp_leases() + + log.info("Unbound DHCP Leases Bridge terminated") + + def update_dhcp_leases(self): + log.info("Reading DHCP leases from %s" % self.leases_file) + + leases = DHCPLeases(self.leases_file) + self.unbound.update_dhcp_leases(leases) + + def terminate(self): + self.running = False + + +class DHCPLeases(object): + regex_leaseblock = re.compile(r"lease (?P<ipaddr>\d+.\d+.\d+.\d+) {(?P<config>[\s\S]+?)\n}") + + def __init__(self, path): + self.path = path + + self._leases = self._parse() + + def __iter__(self): + return iter(self._leases) + + def _parse(self): + leases = [] + + with open(self.path) as f: + # Read entire leases file + data = f.read() + + for match in self.regex_leaseblock.finditer(data): + block = match.groupdict() + + ipaddr = block.get("ipaddr") + config = block.get("config") + + properties = self._parse_block(config) + + # Skip any abandoned leases + if not "hardware" in properties: + continue + + lease = Lease(ipaddr, properties) + + # Check if a lease for this Ethernet address already + # exists in the list of known leases. 
If so replace + # if with the most recent lease + for i, l in enumerate(leases): + if l.hwaddr == lease.hwaddr: + leases[i] = max(lease, l) + break + + else: + leases.append(lease) + + return leases + + def _parse_block(self, block): + properties = {} + + for line in block.splitlines(): + if not line: + continue + + # Remove trailing ; from line + if line.endswith(";"): + line = line[:-1] + + # Invalid line if it doesn't end with ; + else: + continue + + # Remove any leading whitespace + line = line.lstrip() + + # We skip all options and sets + if line.startswith("option") or line.startswith("set"): + continue + + # Split by first space + key, val = line.split(" ", 1) + properties[key] = val + + return properties + + +class Lease(object): + def __init__(self, ipaddr, properties): + self.ipaddr = ipaddr + self._properties = properties + + def __repr__(self): + return "<%s %s for %s (%s)>" % (self.__class__.__name__, + self.ipaddr, self.hwaddr, self.hostname) + + def __eq__(self, other): + return self.ipaddr == other.ipaddr and self.hwaddr == other.hwaddr + + def __gt__(self, other): + if not self.ipaddr == other.ipaddr: + return + + if not self.hwaddr == other.hwaddr: + return + + return self.time_starts > other.time_starts + + @property + def binding_state(self): + state = self._properties.get("binding") + + if state: + state = state.split(" ", 1) + return state[1] + + @property + def active(self): + return self.binding_state == "active" + + @property + def hwaddr(self): + hardware = self._properties.get("hardware") + + if not hardware: + return + + ethernet, address = hardware.split(" ", 1) + + return address + + @property + def hostname(self): + hostname = self._properties.get("client-hostname") + + # Remove any "" + if hostname: + hostname = hostname.replace(""", "") + + return hostname + + @property + def domain(self): + return "local" # XXX + + @property + def fqdn(self): + return "%s.%s" % (self.hostname, self.domain) + + @staticmethod + def _parse_time(s): + 
return datetime.datetime.strptime(s, "%w %Y/%m/%d %H:%M:%S") + + @property + def time_starts(self): + starts = self._properties.get("starts") + + if starts: + return self._parse_time(starts) + + @property + def time_ends(self): + ends = self._properties.get("ends") + + if not ends or ends == "never": + return + + return self._parse_time(ends) + + @property + def expired(self): + if not self.time_ends: + return self.time_starts > datetime.datetime.utcnow() + + return self.time_starts > datetime.datetime.utcnow() > self.time_ends + + @property + def rrset(self): + return [ + # Forward record + (self.fqdn, "IN A", self.ipaddr), + + # Reverse record + (self.ipaddr, "IN PTR", self.fqdn), + ] + + +class UnboundConfigWriter(object): + def __init__(self, path): + self.path = path + + self._cached_leases = [] + + def update_dhcp_leases(self, leases): + # Strip all non-active or expired leases + leases = [l for l in leases if l.active and not l.expired] + + # Find any leases that have expired or do not exist any more + removed_leases = [l for l in self._cached_leases if l.expired or l not in leases] + + # Find any leases that have been added + new_leases = [l for l in leases if l not in self._cached_leases] + + # End here if nothing has changed + if not new_leases and not removed_leases: + return + + self._cached_leases = leases + + # Write out all leases + self.write_dhcp_leases(leases) + + # Update unbound about changes + for l in removed_leases: + self._control("local_data_remove", l.fqdn) + + for l in new_leases: + for rr in l.rrset: + self._control("local_data", *rr) + + + def write_dhcp_leases(self, leases): + with open(self.path, "w") as f: + for l in leases: + for rr in l.rrset: + f.write("local-data: "%s"\n" % " ".join(rr)) + + def _control(self, *args): + command = ["unbound-control", "-q"] + command.extend(args) + + try: + subprocess.check_call(command) + + # Log any errors + except subprocess.CalledProcessError as e: + log.critical("Could not run %s, error code: 
%s: %s" % ( + " ".join(command), e.returncode, e.output)) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser(description="Bridge for DHCP Leases and Unbound DNS") + + # Daemon Stuff + parser.add_argument("--daemon", "-d", action="store_true", + help="Launch as daemon in background") + parser.add_argument("--verbose", "-v", action="count", help="Be more verbose") + + # Paths + parser.add_argument("--dhcp-leases", default="/var/state/dhcp/dhcpd.leases", + metavar="PATH", help="Path to the DHCPd leases file") + parser.add_argument("--unbound-leases", default="/etc/unbound/dhcp-leases.conf", + metavar="PATH", help="Path to the unbound configuration file") + + # Parse command line arguments + args = parser.parse_args() + + # Setup logging + if args.verbose == 1: + loglevel = logging.INFO + elif args.verbose >= 2: + loglevel = logging.DEBUG + else: + loglevel = logging.WARN + + setup_logging(loglevel) + + bridge = UnboundDHCPLeasesBridge(args.dhcp_leases, args.unbound_leases) + + ctx = daemon.DaemonContext(detach_process=args.daemon) + ctx.signal_map = { + signal.SIGHUP : bridge.update_dhcp_leases, + signal.SIGTERM : bridge.terminate, + } + + with ctx: + bridge.run() diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf new file mode 100644 index 0000000..6d8a7f2 --- /dev/null +++ b/config/unbound/unbound.conf 
@@ -0,0 +1,94 @@ +# +# Unbound configuration file for IPFire +# +# The full documentation is available at: +# https://www.unbound.net/documentation/unbound.conf.html +# + +server: + # Common Server Options + chroot: "" + directory: "/etc/unbound" + username: "nobody" + port: 53 + do-ip4: yes + do-ip6: no + do-udp: yes + do-tcp: yes + so-reuseport: yes + do-not-query-localhost: yes + + # System Tuning + include: "/etc/unbound/tuning.conf" + + # Logging Options + verbosity: 1 + use-syslog: yes + log-time-ascii: yes + log-queries: no + + # Unbound Statistics + statistics-interval: 0 + statistics-cumulative: yes + extended-statistics: yes + + # Prefetching + prefetch: yes + prefetch-key: yes + + # Randomise any cached responses + rrset-roundrobin: yes + + # Privacy Options + hide-identity: yes + hide-version: yes + qname-minimisation: yes + minimal-responses: yes + + # DNSSEC + auto-trust-anchor-file: "/var/lib/unbound/root.key" + val-permissive-mode: no + val-clean-additional: yes + val-log-level: 1 + + # Hardening Options + harden-glue: yes + harden-short-bufsize: no + harden-large-queries: yes + harden-dnssec-stripped: yes + harden-below-nxdomain: yes + harden-referral-path: yes + harden-algo-downgrade: no + use-caps-for-id: no + + # Deny access from everywhere + access-control: 0.0.0.0/0 refuse + + # Listen on localhost + interface: 127.0.0.1 + access-control: 127.0.0.0/8 allow + + # Bootstrap root servers + root-hints: "/etc/unbound/root.hints" + + # IPFire interface configuration + include: "/etc/unbound/interfaces.conf" + interface-automatic: no + + # Include DHCP leases + include: "/etc/unbound/dhcp-leases.conf" + + # Include any forward zones + include: "/etc/unbound/forward.conf" + +remote-control: + control-enable: yes + control-use-cert: yes + control-interface: 127.0.0.1 + server-key-file: "/etc/unbound/unbound_server.key" + server-cert-file: "/etc/unbound/unbound_server.pem" + control-key-file: "/etc/unbound/unbound_control.key" + control-cert-file: 
"/etc/unbound/unbound_control.pem" + +# Import any local configurations +include: "/etc/unbound/local.d/*.conf" diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index 1afc55f..ee63c6d 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi @@ -106,8 +106,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) $cgiparams{'ID'} = $cgiparams{'EDITING'}; } } - # Restart dnsmasq. - system('/usr/local/bin/dnsmasqctrl restart >/dev/null'); + # Restart unbound + system('/usr/local/bin/unboundctrl restart >/dev/null'); }
### @@ -124,8 +124,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; } } close(FILE); - # Restart dnsmasq. - system('/usr/local/bin/dnsmasqctrl restart >/dev/null'); + # Restart unbound. + system('/usr/local/bin/unboundctrl restart >/dev/null'); }
### @@ -148,8 +148,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) } } close(FILE); - # Restart dnsmasq. - system('/usr/local/bin/dnsmasqctrl restart >/dev/null'); + # Restart unbound. + system('/usr/local/bin/unboundctrl restart >/dev/null'); }
### diff --git a/html/cgi-bin/logs.cgi/log.dat b/html/cgi-bin/logs.cgi/log.dat index f954213..82b6aa0 100644 --- a/html/cgi-bin/logs.cgi/log.dat +++ b/html/cgi-bin/logs.cgi/log.dat @@ -52,7 +52,7 @@ my %sections = ( 'ipfire' => '(ipfire: )', 'red' => '(red:|pppd[.*]: |chat[.*]|pppoe[.*]|pptp[.*]|pppoa[.*]|pppoa3[.*]|pppoeci[.*]|ipppd|ipppd[.*]|kernel: ippp\d|kernel: isdn.*|ibod[.*]|dhcpcd[.*]|modem_run[.*])', 'ddns' => '(ddns[\d+]:)', - 'dns' => '(dnsmasq[.*]: )', + 'dns' => '(dnsmasq[.*]: |unbound[.*]: )', 'dma' => '(dma[.*]: )', 'dhcp' => '(dhcpd: )', 'clamav' => '(clamd[.*]: |freshclam[.*]: )', diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi index 76bd9ed..64fdbba 100644 --- a/html/cgi-bin/services.cgi +++ b/html/cgi-bin/services.cgi @@ -49,7 +49,7 @@ my %servicenames =( $Lang::tr{'dhcp server'} => 'dhcpd', $Lang::tr{'web server'} => 'httpd', $Lang::tr{'cron server'} => 'fcron', - $Lang::tr{'dns proxy server'} => 'dnsmasq', + $Lang::tr{'dns proxy server'} => 'unbound', $Lang::tr{'logging server'} => 'syslogd', $Lang::tr{'kernel logging server'} => 'klogd', $Lang::tr{'ntp server'} => 'ntpd', diff --git a/lfs/dnsmasq b/lfs/dnsmasq deleted file mode 100644 index 7a11061..0000000 --- a/lfs/dnsmasq +++ /dev/null 
@@ -1,104 +0,0 @@ -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -############################################################################### -# Definitions -############################################################################### - -include Config - -VER = 2.76 - -THISAPP = dnsmasq-$(VER) -DL_FILE = $(THISAPP).tar.xz -DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) -TARGET = $(DIR_INFO)/$(THISAPP) - -# We cannot use INOTIFY because our ISC reader code does not support that -COPTS = -DHAVE_ISC_READER -DNO_INOTIFY - -############################################################################### -# Top-level Rules -############################################################################### - -objects = $(DL_FILE) - -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) - -$(DL_FILE)_MD5 = 00f5ee66b4e4b7f14538bf62ae3c9461 - -install : $(TARGET) - -check : $(patsubst %,$(DIR_CHK)/%,$(objects)) - -download :$(patsubst %,$(DIR_DL)/%,$(objects)) - -md5 : $(subst %,%_MD5,$(objects)) - -############################################################################### -# Downloading, 
checking, md5sum -############################################################################### - -$(patsubst %,$(DIR_CHK)/%,$(objects)) : - @$(CHECK) - -$(patsubst %,$(DIR_DL)/%,$(objects)) : - @$(LOAD) - -$(subst %,%_MD5,$(objects)) : - @$(MD5) - -############################################################################### -# Installation Details -############################################################################### - -$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) - @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Manpage_typo.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch - cd $(DIR_APP) 
&& patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch - cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch - - cd $(DIR_APP) && sed -i src/config.h \ - -e 's|/* #define HAVE_IDN */|#define HAVE_IDN|g' \ - -e 's|/* #define HAVE_DNSSEC */|#define HAVE_DNSSEC|g' \ - -e 's|#define HAVE_DHCP|//#define HAVE_DHCP|g' \ - -e 's|#define HAVE_DHCP6|//#define HAVE_DHCP6|g' \ - -e 's|#define HAVE_TFTP|//#define HAVE_TFTP|g' - - cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" COPTS="$(COPTS)" \ - PREFIX=/usr all install - @rm -rf $(DIR_APP) - @$(POSTBUILD) diff --git a/lfs/initscripts b/lfs/initscripts index e731d7f..5e2cd24 100644 --- a/lfs/initscripts +++ b/lfs/initscripts @@ -185,13 +185,11 @@ $(TARGET) : ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient
- ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq ln -sf ../../../../../usr/local/bin/snortctrl \ /etc/rc.d/init.d/networking/red.up/23-RS-snort ln -sf ../../../../../usr/local/bin/qosctrl \ /etc/rc.d/init.d/networking/red.up/24-RS-qos ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid - ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
for i in green blue orange; do \ ln -sf any /etc/rc.d/init.d/networking/$$i; \ diff --git a/lfs/python-daemon b/lfs/python-daemon new file mode 100644 index 0000000..c96ec55 --- /dev/null +++ b/lfs/python-daemon 
@@ -0,0 +1,75 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 2.1.1 + +THISAPP = python-daemon-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 72e2acf2c3d69c7fa75a6625d06adfd0 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && python setup.py install --root=/ + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/python-docutils b/lfs/python-docutils new file mode 100644 index 0000000..13f7ef1 --- /dev/null +++ b/lfs/python-docutils 
@@ -0,0 +1,75 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.12 + +THISAPP = docutils-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 4622263b62c5c771c03502afa3157768 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && python setup.py install --root=/ + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/python-inotify b/lfs/python-inotify new file mode 100644 index 0000000..ea8a960 --- /dev/null +++ b/lfs/python-inotify 
@@ -0,0 +1,75 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2011 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 0.2.7 + +THISAPP = inotify-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = ced4c0469f9fd64170d9d907e4aec208 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && python setup.py install --root=/ + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/lfs/unbound b/lfs/unbound new file mode 100644 index 0000000..9c85893 --- /dev/null +++ b/lfs/unbound 
@@ -0,0 +1,109 @@ +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2016 IPFire Team info@ipfire.org # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see http://www.gnu.org/licenses/. # +# # +############################################################################### + +############################################################################### +# Definitions +############################################################################### + +include Config + +VER = 1.5.9 + +THISAPP = unbound-$(VER) +DL_FILE = $(THISAPP).tar.gz +DL_FROM = $(URL_IPFIRE) +DIR_APP = $(DIR_SRC)/$(THISAPP) +TARGET = $(DIR_INFO)/$(THISAPP) + +############################################################################### +# Top-level Rules +############################################################################### + +objects = $(DL_FILE) + +$(DL_FILE) = $(DL_FROM)/$(DL_FILE) + +$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3 + +install : $(TARGET) + +check : $(patsubst %,$(DIR_CHK)/%,$(objects)) + +download :$(patsubst %,$(DIR_DL)/%,$(objects)) + +md5 : $(subst %,%_MD5,$(objects)) + +############################################################################### +# Downloading, checking, md5sum +############################################################################### + +$(patsubst 
%,$(DIR_CHK)/%,$(objects)) : + @$(CHECK) + +$(patsubst %,$(DIR_DL)/%,$(objects)) : + @$(LOAD) + +$(subst %,%_MD5,$(objects)) : + @$(MD5) + +############################################################################### +# Installation Details +############################################################################### + +$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) + @$(PREBUILD) + @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) + cd $(DIR_APP) && \ + ./configure \ + --prefix=/usr \ + --sysconfdir=/etc \ + --with-pidfile=/var/run/unbound.pid \ + --with-rootkey-file=/var/lib/unbound/root.key \ + --disable-static \ + --with-libevent + cd $(DIR_APP) && make $(MAKETUNING) + cd $(DIR_APP) && make install + + # Install configuration + install -v -m 644 $(DIR_SRC)/config/unbound/unbound.conf \ + /etc/unbound/unbound.conf + touch /etc/unbound/{dhcp-leases,forward}.conf + -mkdir -pv /etc/unbound/local.d + + # Install root hints + install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \ + /etc/unbound/root.hints + + # Install DHCP leases bridge + install -v -m 755 $(DIR_SRC)/config/unbound/unbound-dhcp-leases-bridge \ + /usr/sbin/unbound-dhcp-leases-bridge + + # Install key + -mkdir -pv /var/lib/unbound + install -v -m 644 $(DIR_SRC)/config/unbound/root.key \ + /var/lib/unbound/root.key + chown -Rv nobody.nobody /var/lib/unbound + + # Ship ICANN's certificates to validate DNS trust anchors + install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \ + /etc/unbound/icannbundle.pem + + @rm -rf $(DIR_APP) + @$(POSTBUILD) diff --git a/make.sh b/make.sh index 1c832d0..73feacb 100755 --- a/make.sh +++ b/make.sh @@ -537,7 +537,9 @@ buildipfire() { ipfiremake beep ipfiremake dvdrtools ipfiremake nettle - ipfiremake dnsmasq + ipfiremake libevent + ipfiremake libevent2 + ipfiremake unbound ipfiremake dosfstools ipfiremake reiserfsprogs ipfiremake xfsprogs 
@@ -603,6 +605,9 @@ buildipfire() { ipfiremake python-mechanize ipfiremake python-feedparser ipfiremake python-rssdler + ipfiremake python-inotify + ipfiremake python-docutils + ipfiremake python-daemon ipfiremake glib ipfiremake GeoIP ipfiremake fwhits @@ -678,8 +683,6 @@ buildipfire() { ipfiremake gnump3d ipfiremake rsync ipfiremake tcpwrapper - ipfiremake libevent - ipfiremake libevent2 ipfiremake libtirpc ipfiremake rpcbind ipfiremake nfs diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq deleted file mode 100644 index 059ffac..0000000 --- a/src/initscripts/init.d/dnsmasq +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/bin/sh -######################################################################## -# Begin $rc_base/init.d/dnsmasq -# -# Description : dnsmasq init script -# -# Authors : Michael Tremer - mitch@ipfire.org -# -# Version : 01.00 -# -# Notes : -# -######################################################################## - -. /etc/sysconfig/rc -. ${rc_functions} - -CACHE_SIZE=2500 -ENABLE_DNSSEC=1 -SHOW_SRV=1 -TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5" -TIMESTAMP_FILE="/var/ipfire/dns/dnssec-timestamp" - -# Pull custom configuration file -if [ -e "/etc/sysconfig/dnsmasq" ]; then - . /etc/sysconfig/dnsmasq -fi - -function dnssec_args() { - local cmdline="--dnssec --dnssec-timestamp ${TIMESTAMP_FILE}" - - if [ -n "${TRUST_ANCHOR}" ]; then - cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}" - fi - - echo "${cmdline}" -} - -function dns_forward_args() { - local file="${1}" - - # Do nothing if file is empty. - [ -s "${file}" ] || return - - local cmdline - - local enabled zone server remark - while IFS="," read -r enabled zone server remark; do - # Line must be enabled. - [ "${enabled}" = "on" ] || continue - - cmdline="${cmdline} --server=/${zone}/${server}" - done < ${file} - - echo "${cmdline}" -} - -function dns_leases_args() { - eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) - - # If the DHCP server is enabled and DNS Update (RFC2136) is - # enabled, too, we won't overlay the internal domain with - # the dynamic/static leases. - - if ([ "${ENABLE_GREEN}" = "on" ] || [ "${ENABLE_BLUE}" = "on" ]) \ - && [ "${DNS_UPDATE_ENABLED}" = "on" ]; then - return - fi - - echo "-l /var/state/dhcp/dhcpd.leases" -} - -case "${1}" in - start) - # kill already running copy of dnsmasq... - killproc /usr/sbin/dnsmasq 2>&1 > /dev/null - - boot_mesg "Starting Domain Name Service Proxy..." 
- - eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) - ARGS="$CUSTOM_ARGS" - [ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN" - - # DHCP configuration - ARGS="${ARGS} $(dns_leases_args)" - - echo > /var/ipfire/red/resolv.conf # Clear it - if [ -e "/var/ipfire/red/dns1" ]; then - DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null) - if [ ! -z ${DNS1} ]; then - echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf - fi - fi - if [ -e "/var/ipfire/red/dns2" ]; then - DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null) - if [ ! -z ${DNS2} ]; then - echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf - fi - fi - [ -e "/var/ipfire/red/active" ] && ARGS="$ARGS -r /var/ipfire/red/resolv.conf" - - ARGS="$ARGS --domain=`cat /var/ipfire/main/settings |grep DOMAIN |cut -d = -f 2`" - - # Add custom forward dns zones. - ARGS="${ARGS} $(dns_forward_args /var/ipfire/dnsforward/config)" - - # Enabled DNSSEC validation - if [ "${ENABLE_DNSSEC}" -eq 1 ]; then - ARGS="${ARGS} $(dnssec_args)" - fi - - if [ -n "${CACHE_SIZE}" ]; then - ARGS="${ARGS} --cache-size=${CACHE_SIZE}" - fi - - loadproc /usr/sbin/dnsmasq ${ARGS} - - if [ "${SHOW_SRV}" -eq 1 ] && [ "${DNS1}" != "" -o "${DNS2}" != "" ]; then - boot_mesg "Using DNS server(s): ${DNS1} ${DNS2}" - boot_mesg_flush - fi - ;; - - stop) - boot_mesg "Stopping Domain Name Service Proxy..." - killproc /usr/sbin/dnsmasq - ;; - - restart) - ${0} stop - sleep 1 - ${0} start - ;; - - status) - statusproc /usr/sbin/dnsmasq - ;; - - *) - echo "Usage: ${0} {start|stop|restart|status}" - exit 1 - ;; -esac - -# End $rc_base/init.d/dnsmasq diff --git a/src/initscripts/init.d/network b/src/initscripts/init.d/network index 9182e98..b29ca2c 100644 --- a/src/initscripts/init.d/network +++ b/src/initscripts/init.d/network @@ -16,10 +16,6 @@ . ${rc_functions} eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-init_networking() { - /etc/rc.d/init.d/dnsmasq start -} - DO="${1}" shift
@@ -46,8 +42,6 @@ done
case "${DO}" in start) - [ "${ALL}" == "1" ] && init_networking - # Starting interfaces... # GREEN [ "$green" == "1" ] && /etc/rc.d/init.d/networking/green start @@ -92,9 +86,6 @@ case "${DO}" in fi fi
- # Stopping dnsmasq if network all networks shutdown - [ "${ALL}" == "1" ] && /etc/rc.d/init.d/dnsmasq stop - exit 0 ;;
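Review bot: with `[ "${ALL}" == "1" ] && init_networking` and the matching `dnsmasq stop` removed from `network`, this file no longer starts or stops any resolver, so unless the new `unbound` script is wired into the boot sequence elsewhere (the rootfile and rc symlinks are not in this diff) the resolver will not come up with `network start`; please state in the commit message where it is hooked in. A second consequence of the deleted `dnsmasq` script is that nothing in the diff now writes `/var/ipfire/red/resolv.conf` from `red/dns1` and `red/dns2` (the new `unbound` script reads those two files directly), so any other consumer of `/var/ipfire/red/resolv.conf` will be left with a stale file; either keep generating it or confirm there are no remaining readers.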
diff --git a/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders new file mode 100644 index 0000000..7f35696 --- /dev/null +++ b/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders @@ -0,0 +1,4 @@ +#!/bin/bash + +# Update DNS forwarders for unbound +exec /etc/init.d/unbound update-forwarders diff --git a/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders new file mode 100644 index 0000000..7f35696 --- /dev/null +++ b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders @@ -0,0 +1,4 @@ +#!/bin/bash + +# Update DNS forwarders for unbound +exec /etc/init.d/unbound update-forwarders diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound new file mode 100644 index 0000000..f3d35cf --- /dev/null +++ b/src/initscripts/init.d/unbound 
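Review bot: the `red.up` and `red.down` hooks are byte-identical and both `exec /etc/init.d/unbound update-forwarders`, while `unboundctrl.c` and the deleted `network` lines address the same script as `/etc/rc.d/init.d/unbound`; pick one path and use it throughout. On `red.down` the hook re-reads `/var/ipfire/red/dns1` and `dns2` through `read_name_servers`; if those files are not removed when RED goes down, `update_forwarders` keeps handing the now unreachable upstreams to `unbound-control forward` instead of falling into the `forward off` branch, so the down hook only does useful work if something else clears those files first. Worth a comment in the hook, or an explicit check that RED is active before using the forwarders.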
@@ -0,0 +1,226 @@ +#!/bin/sh +# Begin $rc_base/init.d/unbound + +# Description : Unbound DNS resolver boot script for IPfire +# Author : Marcel Lorenz marcel.lorenz@ipfire.org +# +# Comment : This init script additional starts the dhcpd watcher daemon +# if DNS-Update (RFC2136) in web interface enabled + +. /etc/sysconfig/rc +. ${rc_functions} + +USE_FORWARDERS=1 + +# Load optional configuration +[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound + +function cidr() { + local cidr nbits IFS; + IFS=. read -r i1 i2 i3 i4 <<< ${1} + IFS=. read -r m1 m2 m3 m4 <<< ${2} + cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))") + nbits=0 + IFS=. + for dec in $2 ; do + case $dec in + 255) let nbits+=8;; + 254) let nbits+=7;; + 252) let nbits+=6;; + 248) let nbits+=5;; + 240) let nbits+=4;; + 224) let nbits+=3;; + 192) let nbits+=2;; + 128) let nbits+=1;; + 0);; + *) echo "Error: $dec is not recognised"; exit 1 + esac + done + echo "${cidr}/${nbits}" +} + +read_name_servers() { + local i + for i in 1 2; do + echo "$(</var/ipfire/red/dns${i})" + done | xargs echo +} + +config_header() { + echo "# This file is automatically generated and any changes" + echo "# will be overwritten. DO NOT EDIT!" 
+ echo +} + +update_forwarders() { + local forwarders="$(read_name_servers)" + + if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then + boot_mesg "Using Name Server(s): ${forwarders}" + boot_mesg_flush + + unbound-control -q forward ${forwarders} + + # If forwarders cannot be used we run in recursor mode + else + unbound-control -q forward off + fi +} + +write_interfaces_conf() { + ( + config_header + + if [ -n "${GREEN_ADDRESS}" ]; then + echo "# GREEN" + echo "interface: ${GREEN_ADDRESS}" + echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow" + fi + + if [ -n "${BLUE_ADDRESS}" ]; then + echo "# BLUE" + echo "interface: ${BLUE_ADDRESS}" + echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow" + fi + ) > /etc/unbound/interfaces.conf +} + +write_forward_conf() { + ( + config_header + + local enabled zone server remark + while IFS="," read -r enabled zone server remark; do + # Line must be enabled. + [ "${enabled}" = "on" ] || continue + + echo "forward-zone:" + echo " name: ${zone}" + echo " forward-addr: ${server}" + echo + done < /var/ipfire/dnsforward/config + ) > /etc/unbound/forward.conf +} + +write_tuning_conf() { + # https://www.unbound.net/documentation/howto_optimise.html + + # Determine number of online processors + local processors=$(getconf _NPROCESSORS_ONLN) + + # Determine number of slabs + local slabs=1 + while [ ${slabs} -lt ${processors} ]; do + slabs=$(( ${slabs} * 2 )) + done + + # Determine amount of system memory + local mem=$(get_memory_amount) + + # In the worst case scenario, unbound can use double the + # amount of memory allocated to a cache due to malloc overhead + + # Large systems with more than 2GB of RAM + if [ ${mem} -ge 2048 ]; then + mem=128 + + # Small systems with less than 256MB of RAM + elif [ ${mem} -le 256 ]; then + mem=8 + + # Everything else + else + mem=32 + fi + + ( + config_header + + # We run one thread per processor + echo "num-threads: ${processors}" + + # Adjust number 
of slabs + echo "infra-cache-slabs: ${slabs}" + echo "key-cache-slabs: ${slabs}" + echo "msg-cache-slabs: ${slabs}" + echo "rrset-cache-slabs: ${slabs}" + + # Slice up the cache + echo "rrset-cache-size: $(( ${mem} / 2 ))m" + echo "msg-cache-size: $(( ${mem} / 4 ))m" + echo "key-cache-size: $(( ${mem} / 4 ))m" + ) > /etc/unbound/tuning.conf +} + +get_memory_amount() { + local key val unit + + while read -r key val unit; do + case "${key}" in + MemTotal:*) + # Convert to MB + echo "$(( ${val} / 1024 ))" + break + ;; + esac + done < /proc/meminfo +} + +case "$1" in + start) + eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings) + eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings) + + # Create control keys at first run + if [ ! -r "/etc/unbound/unbound_control.key" ]; then + unbound-control-setup -d /etc/unbound &>/dev/null + fi + + # Update configuration files + write_tuning_conf + write_interfaces_conf + write_forward_conf + + boot_mesg "Starting Unbound DNS Proxy..." + loadproc /usr/sbin/unbound || exit $? + + # Update any known forwarding name servers + update_forwarders + + # Start Unbound DHCP Lease Bridge unless RFC2136 is used + if [ "${DNS_UPDATE_ENABLED}" != on ]; then + boot_mesg "Starting Unbound DHCP Leases Bridge..." + loadproc /usr/sbin/unbound-dhcp-leases-bridge -d + fi + ;; + + stop) + boot_mesg "Stopping Unbound DHCP Leases Bridge..." + killproc /usr/sbin/unbound-dhcp-leases-bridge + + boot_mesg "Stopping Unbound DNS Proxy..." + killproc /usr/sbin/unbound + ;; + + restart) + $0 stop + sleep 1 + $0 start + ;; + + status) + statusproc /usr/sbin/unbound + statusproc /usr/sbin/unbound-dhcp-leases-bridge + ;; + + update-forwarders) + update_forwarders + ;; + + *) + echo "Usage: $0 {start|stop|restart|status|update-forwarders}" + exit 1 + ;; +esac + +# End $rc_base/init.d/unbound diff --git a/src/misc-progs/Makefile b/src/misc-progs/Makefile index ff775da..08a4e37 100644 --- a/src/misc-progs/Makefile +++ b/src/misc-progs/Makefile 
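Review bot: in `cidr()` the `*) echo "Error: $dec is not recognised"; exit 1` branch only terminates the `$(cidr ...)` command substitution inside `write_interfaces_conf`, not the script, so an unexpected netmask does not abort the start; the error text ends up in `/etc/unbound/interfaces.conf` as `access-control: Error: ... allow`, which Unbound will refuse to parse. Check the exit status of `cidr` in the caller and skip or fail loudly, and validate the mask before calling it; the function also just sums set bits per octet without checking contiguity, so `255.0.255.0` yields `/16`. Related points in the same hunk: `write_forward_conf` drops the `[ -s "${file}" ] || return` guard the deleted `dns_forward_args` had, so a missing `/var/ipfire/dnsforward/config` prints a redirect error on every start; `update_forwarders` ignores the exit status of `unbound-control -q forward ...`, and in `start)` it runs straight after `loadproc /usr/sbin/unbound`, so a not-yet-listening control socket or missing keys fail silently and leave Unbound in whatever forwarding mode it had, which deserves at least a `boot_mesg` warning. The deleted dnsmasq script enabled validation with `--dnssec`, `--dnssec-timestamp` and a `--trust-anchor`, and nothing in the new script or the files it generates carries an equivalent; if validation lives in the static `unbound.conf` (not in this diff), say so, and note that the `forward-zone:` entries written here for private zones will then need matching `domain-insecure:` entries or unsigned internal zones under a signed parent come back bogus. Minor: the file is `#!/bin/sh` but uses `<<<`, `let` and `&>/dev/null`, which are bash-only; the new hooks already use `#!/bin/bash`.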
@@ -31,7 +31,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \ redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \ smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \ setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \ - getconntracktable wirelessclient dnsmasqctrl torctrl ddnsctrl + getconntracktable wirelessclient torctrl ddnsctrl unboundctrl SUID_UPDX = updxsetperms
OBJS = $(patsubst %,%.o,$(PROGS) $(SUID_PROGS)) diff --git a/src/misc-progs/dnsmasqctrl.c b/src/misc-progs/dnsmasqctrl.c deleted file mode 100644 index 8ac3360..0000000 --- a/src/misc-progs/dnsmasqctrl.c +++ /dev/null @@ -1,34 +0,0 @@ -/* This file is part of the IPFire Firewall. - * - * This program is distributed under the terms of the GNU General Public - * Licence. See the file COPYING for details. - * - */ - -#include <stdlib.h> -#include <stdio.h> -#include <string.h> -#include <unistd.h> -#include <sys/types.h> -#include <fcntl.h> -#include "setuid.h" - -int main(int argc, char *argv[]) { - - if (!(initsetuid())) - exit(1); - - if (argc < 2) { - fprintf(stderr, "\nNo argument given.\n\ndnsmasqctrl (restart)\n\n"); - exit(1); - } - - if (strcmp(argv[1], "restart") == 0) { - safe_system("/etc/rc.d/init.d/dnsmasq restart"); - } else { - fprintf(stderr, "\nBad argument given.\n\ndnsmasqctrl (restart)\n\n"); - exit(1); - } - - return 0; -} diff --git a/src/misc-progs/unboundctrl.c b/src/misc-progs/unboundctrl.c new file mode 100644 index 0000000..fea81c6 --- /dev/null +++ b/src/misc-progs/unboundctrl.c @@ -0,0 +1,34 @@ +/* This file is part of the IPFire Firewall. + * + * This program is distributed under the terms of the GNU General Public + * Licence. See the file COPYING for details. + * + */ + +#include <stdlib.h> +#include <stdio.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <fcntl.h> +#include "setuid.h" + +int main(int argc, char *argv[]) { + + if (!(initsetuid())) + exit(1); + + if (argc < 2) { + fprintf(stderr, "\nNo argument given.\n\nunboundctrl (restart)\n\n"); + exit(1); + } + + if (strcmp(argv[1], "restart") == 0) { + safe_system("/etc/rc.d/init.d/unbound restart"); + } else { + fprintf(stderr, "\nBad argument given.\n\nunboundctrl (restart)\n\n"); + exit(1); + } + + return 0; +} 
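Review bot: `unboundctrl.c` is a straight rename of `dnsmasqctrl.c` and keeps the right pattern for a SUID helper, calling `initsetuid()` first and passing only a fixed string to `safe_system` with no argv pass-through; but since `dnsmasqctrl` is dropped from `SUID_PROGS`, any CGI that still invokes `dnsmasqctrl restart` (not in this diff) will now fail, so the web-interface callers need to move to `unboundctrl` in the same series. The unused `<unistd.h>`, `<sys/types.h>` and `<fcntl.h>` includes were copied over and can go. Given the init script now has an `update-forwarders` action, consider exposing that through the wrapper as well so the UI does not have to do a full `restart` to pick up new forwarders.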
diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch deleted file mode 100644 index 97b7749..0000000 --- a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch +++ /dev/null 
@@ -1,363 +0,0 @@ ---- a/src/cache.c Wed Dec 16 19:24:12 2015 -+++ b/src/cache.c Wed Dec 16 19:37:37 2015 -@@ -17,7 +17,7 @@ - #include "dnsmasq.h" - - static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL; --#ifdef HAVE_DHCP -+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER) - static struct crec *dhcp_spare = NULL; - #endif - static struct crec *new_chain = NULL; -@@ -217,6 +217,9 @@ - crecp->flags &= ~F_BIGNAME; - } - -+ if (crecp->flags & F_DHCP) -+ free(crecp->name.namep); -+ - #ifdef HAVE_DNSSEC - cache_blockdata_free(crecp); - #endif -@@ -1138,7 +1141,7 @@ - - } - --#ifdef HAVE_DHCP -+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER) - struct in_addr a_record_from_hosts(char *name, time_t now) - { - struct crec *crecp = NULL; -@@ -1281,7 +1284,11 @@ - else - crec->ttd = ttd; - crec->addr.addr = *host_address; -+#ifdef HAVE_ISC_READER -+ crec->name.namep = strdup(host_name); -+#else - crec->name.namep = host_name; -+#endif - crec->uid = next_uid(); - cache_hash(crec); - ---- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015 -+++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015 -@@ -1017,6 +1017,11 @@ - - poll_resolv(0, daemon->last_resolv != 0, now); - daemon->last_resolv = now; -+ -+#ifdef HAVE_ISC_READER -+ if (daemon->lease_file && !daemon->dhcp) -+ load_dhcp(now); -+#endif - } - #endif - ---- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015 -+++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015 -@@ -1516,6 +1516,11 @@ - void poll_listen(int fd, short event); - int do_poll(int timeout); - -+/* isc.c */ -+#ifdef HAVE_ISC_READER -+void load_dhcp(time_t now); -+#endif -+ - /* rrfilter.c */ - size_t rrfilter(struct dns_header *header, size_t plen, int mode); - u16 *rrfilter_desc(int type); - int expand_workspace(unsigned char ***wkspc, int *szp, int new); -- ---- /dev/null Wed Dec 16 19:48:08 2015 -+++ b/src/isc.c Wed Dec 16 19:41:35 2015 -@@ -0,0 +1,266 @@ -+/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and -+ Michael Tremer -+ -+ This program is 
free software; you can redistribute it and/or modify -+ it under the terms of the GNU General Public License as published by -+ the Free Software Foundation; version 2 dated June, 1991, or -+ (at your option) version 3 dated 29 June, 2007. -+ -+ This program is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ GNU General Public License for more details. -+ -+ You should have received a copy of the GNU General Public License -+ along with this program. If not, see http://www.gnu.org/licenses/. -+ -+ Code in this file is based on contributions by John Volpe and -+ Simon Kelley. Updated for recent versions of dnsmasq by -+ Michael Tremer. -+*/ -+ -+ -+#define _GNU_SOURCE -+ -+#include <assert.h> -+#include <stdio.h> -+ -+#include "dnsmasq.h" -+ -+#ifdef HAVE_ISC_READER -+#define MAXTOK 50 -+ -+struct isc_dhcp_lease { -+ char* name; -+ char* fqdn; -+ time_t expires; -+ struct in_addr addr; -+ struct isc_dhcp_lease* next; -+}; -+ -+static struct isc_dhcp_lease* dhcp_lease_new(const char* hostname) { -+ struct isc_dhcp_lease* lease = whine_malloc(sizeof(*lease)); -+ if (!lease) -+ return NULL; -+ -+ lease->name = strdup(hostname); -+ if (daemon->domain_suffix) { -+ int r = asprintf(&lease->fqdn, "%s.%s", hostname, daemon->domain_suffix); -+ -+ // Handle OOM -+ if (r < 0) { -+ free(lease); -+ return NULL; -+ } -+ } -+ lease->expires = 0; -+ lease->next = NULL; -+ -+ return lease; -+} -+ -+static void dhcp_lease_free(struct isc_dhcp_lease* lease) { -+ if (!lease) -+ return; -+ -+ if (lease->name) -+ free(lease->name); -+ if (lease->fqdn) -+ free(lease->fqdn); -+ free(lease); -+} -+ -+static int next_token(char* token, int buffsize, FILE* fp) { -+ int c, count = 0; -+ char* cp = token; -+ -+ while ((c = getc(fp)) != EOF) { -+ if (c == '#') { -+ do { -+ c = getc(fp); -+ } while (c != '\n' && c != EOF); -+ } -+ -+ if (c == ' ' || c == '\t' || c 
== '\n' || c == ';') { -+ if (count) -+ break; -+ } else if ((c != '"') && (count < buffsize - 1)) { -+ *cp++ = c; -+ count++; -+ } -+ } -+ -+ *cp = 0; -+ return count ? 1 : 0; -+} -+ -+static long get_utc_offset() { -+ time_t t = time(NULL); -+ struct tm* time_struct = localtime(&t); -+ -+ return time_struct->tm_gmtoff; -+} -+ -+static time_t parse_lease_time(const char* token_date, const char* token_time) { -+ time_t time = (time_t)(-1); -+ struct tm lease_time; -+ -+ if (sscanf(token_date, "%d/%d/%d", &lease_time.tm_year, &lease_time.tm_mon, &lease_time.tm_mday) == 3) { -+ lease_time.tm_year -= 1900; -+ lease_time.tm_mon -= 1; -+ -+ if (sscanf(token_time, "%d:%d:%d", &lease_time.tm_hour, &lease_time.tm_min, &lease_time.tm_sec) == 3) { -+ time = mktime(&lease_time) + get_utc_offset(); -+ } -+ } -+ -+ return time; -+} -+ -+static struct isc_dhcp_lease* find_lease(const char* hostname, struct isc_dhcp_lease* leases) { -+ struct isc_dhcp_lease* lease = leases; -+ -+ while (lease) { -+ if (strcmp(hostname, lease->name) == 0) { -+ return lease; -+ } -+ lease = lease->next; -+ } -+ -+ return NULL; -+} -+ -+static off_t lease_file_size = (off_t)0; -+static ino_t lease_file_inode = (ino_t)0; -+ -+void load_dhcp(time_t now) { -+ struct isc_dhcp_lease* leases = NULL; -+ -+ struct stat statbuf; -+ if (stat(daemon->lease_file, &statbuf) == -1) { -+ return; -+ } -+ -+ /* Do nothing if the lease file has not changed. 
*/ -+ if ((statbuf.st_size <= lease_file_size) && (statbuf.st_ino == lease_file_inode)) -+ return; -+ -+ lease_file_size = statbuf.st_size; -+ lease_file_inode = statbuf.st_ino; -+ -+ FILE* fp = fopen(daemon->lease_file, "r"); -+ if (!fp) { -+ my_syslog(LOG_ERR, _("failed to load %s:%s"), daemon->lease_file, strerror(errno)); -+ return; -+ } -+ -+ my_syslog(LOG_INFO, _("reading %s"), daemon->lease_file); -+ -+ char* hostname = daemon->namebuff; -+ struct in_addr host_address; -+ time_t time_starts = -1; -+ time_t time_ends = -1; -+ int nomem; -+ -+ char token[MAXTOK]; -+ while ((next_token(token, MAXTOK, fp))) { -+ if (strcmp(token, "lease") == 0) { -+ hostname[0] = '\0'; -+ -+ if (next_token(token, MAXTOK, fp) && ((host_address.s_addr = inet_addr(token)) != (in_addr_t)-1)) { -+ if (next_token(token, MAXTOK, fp) && *token == '{') { -+ while (next_token(token, MAXTOK, fp) && *token != '}') { -+ if ((strcmp(token, "client-hostname") == 0) || (strcmp(token, "hostname") == 0)) { -+ if (next_token(hostname, MAXDNAME, fp)) { -+ if (!canonicalise(hostname, &nomem)) { -+ *hostname = 0; -+ my_syslog(LOG_ERR, _("bad name in %s"), daemon->lease_file); -+ } -+ } -+ } else if ((strcmp(token, "starts") == 0) || (strcmp(token, "ends") == 0)) { -+ char token_date[MAXTOK]; -+ char token_time[MAXTOK]; -+ -+ int is_starts = strcmp(token, "starts") == 0; -+ -+ // Throw away the weekday and parse the date. 
-+ if (next_token(token, MAXTOK, fp) && next_token(token_date, MAXTOK, fp) && next_token(token_time, MAXTOK, fp)) { -+ time_t time = parse_lease_time(token_date, token_time); -+ -+ if (is_starts) -+ time_starts = time; -+ else -+ time_ends = time; -+ } -+ } -+ } -+ -+ if (!*hostname) -+ continue; -+ -+ if ((time_starts == -1) || (time_ends == -1)) -+ continue; -+ -+ if (difftime(now, time_ends) > 0) -+ continue; -+ -+ char* dot = strchr(hostname, '.'); -+ if (dot) { -+ if (!daemon->domain_suffix || hostname_isequal(dot + 1, daemon->domain_suffix)) { -+ my_syslog(LOG_WARNING, -+ _("Ignoring DHCP lease for %s because it has an illegal domain part"), -+ hostname); -+ continue; -+ } -+ *dot = 0; -+ } -+ -+ // Search for an existing lease in the list -+ // with the given host name and update the data -+ // if needed. -+ struct isc_dhcp_lease* lease = find_lease(hostname, leases); -+ -+ // If no lease already exists, we create a new one -+ // and append it to the list. -+ if (!lease) { -+ lease = dhcp_lease_new(hostname); -+ assert(lease); -+ -+ lease->next = leases; -+ leases = lease; -+ } -+ -+ // Only update more recent leases. -+ if (lease->expires > time_ends) -+ continue; -+ -+ lease->addr = host_address; -+ lease->expires = time_ends; -+ } -+ } -+ } -+ } -+ -+ fclose(fp); -+ -+ // Drop all entries. 
-+ cache_unhash_dhcp(); -+ -+ while (leases) { -+ struct isc_dhcp_lease *lease = leases; -+ leases = lease->next; -+ -+ if (lease->fqdn) { -+ cache_add_dhcp_entry(lease->fqdn, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires); -+ } -+ -+ if (lease->name) { -+ cache_add_dhcp_entry(lease->name, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires); -+ } -+ -+ // Cleanup -+ dhcp_lease_free(lease); -+ } -+} -+ -+#endif ---- a/src/option.c Wed Dec 16 19:24:12 2015 -+++ b/src/option.c Wed Dec 16 19:42:48 2015 -@@ -1771,7 +1771,7 @@ - ret_err(_("bad MX target")); - break; - --#ifdef HAVE_DHCP -+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER) - case 'l': /* --dhcp-leasefile */ - daemon->lease_file = opt_string_alloc(arg); - break; ---- a/Makefile Wed Dec 16 19:24:12 2015 -+++ b/Makefile Wed Dec 16 19:28:45 2015 -@@ -74,7 +74,7 @@ - helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ - dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ - domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ -- poll.o rrfilter.o edns0.o arp.o -+ poll.o rrfilter.o edns0.o arp.o isc.o - - hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ - dns-protocol.h radv-protocol.h ip6addr.h diff --git a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch deleted file mode 100644 index 43ac068..0000000 --- a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch +++ /dev/null 
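Review bot: deleting `dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch` removes the in-process ISC lease reader that the dnsmasq build relied on, and the replacement named in the new init script, `/usr/sbin/unbound-dhcp-leases-bridge`, is not part of this diff, so the series is only complete together with that daemon and with the lfs change that stops building dnsmasq; both should be referenced in the commit message. One behaviour of the removed reader is worth carrying into the bridge's review: `load_dhcp` only re-parsed the file when `st_size` grew or the inode changed (`statbuf.st_size <= lease_file_size`), which misses rewrites that shrink the file, as dhcpd's periodic lease-file compaction does.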
@@ -1,65 +0,0 @@ -From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Wed, 6 Jul 2016 21:30:25 +0100 -Subject: [PATCH] Calculate length of TFTP error reply correctly. - ---- - CHANGELOG | 14 ++++++++++++++ - src/tftp.c | 7 +++++-- - 2 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 04ff3f0..0559a6f 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -1,3 +1,17 @@ -+version 2.77 -+ Calculate the length of TFTP error reply packet -+ correctly. This fixes a problem when the error -+ message in a TFTP packet exceeds the arbitrary -+ limit of 500 characters. The message was correctly -+ truncated, but not the packet length, so -+ extra data was appended. This is a possible -+ security risk, since the extra data comes from -+ a buffer which is also used for DNS, so that -+ previous DNS queries or replies may be leaked. -+ Thanks to Mozilla for funding the security audit -+ which spotted this bug. -+ -+ - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range - translates to hosts on the local network, or, at -diff --git a/src/tftp.c b/src/tftp.c -index 5e4a32a..3e1b5c5 100644 ---- a/src/tftp.c -+++ b/src/tftp.c -@@ -652,20 +652,23 @@ static void sanitise(char *buf) - - } - -+#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */ - static ssize_t tftp_err(int err, char *packet, char *message, char *file) - { - struct errmess { - unsigned short op, err; - char message[]; - } *mess = (struct errmess *)packet; -- ssize_t ret = 4; -+ ssize_t len, ret = 4; - char *errstr = strerror(errno); - - sanitise(file); - - mess->op = htons(OP_ERR); - mess->err = htons(err); -- ret += (snprintf(mess->message, 500, message, file, errstr) + 1); -+ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr); -+ ret += (len < MAXMESSAGE) ? 
len + 1 : MAXMESSAGE; /* include terminating zero */ -+ - my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message); - - return ret; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch deleted file mode 100644 index b748db8..0000000 --- a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch +++ /dev/null @@ -1,36 +0,0 @@ -From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Wed, 6 Jul 2016 21:33:56 +0100 -Subject: [PATCH] Zero newly malloc'ed memory. - ---- - src/util.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/src/util.c b/src/util.c -index 93b24f5..82443c9 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -248,6 +248,8 @@ void *safe_malloc(size_t size) - - if (!ret) - die(_("could not get memory"), NULL, EC_NOMEM); -+ else -+ memset(ret, 0, size); - - return ret; - } -@@ -266,7 +268,9 @@ void *whine_malloc(size_t size) - - if (!ret) - my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); -- -+ else -+ memset(ret, 0, size); -+ - return ret; - } - --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch deleted file mode 100644 index a69f4ce..0000000 --- a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Wed, 6 Jul 2016 21:42:27 +0100 -Subject: [PATCH] Check return of expand() always. - ---- - src/radv.c | 4 +++- - src/slaac.c | 5 ++++- - 2 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/src/radv.c b/src/radv.c -index 749b666..faa0f6d 100644 ---- a/src/radv.c -+++ b/src/radv.c -@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad - parm.prio = calc_prio(ra_param); - - save_counter(0); -- ra = expand(sizeof(struct ra_packet)); -+ -+ if (!(ra = expand(sizeof(struct ra_packet)))) -+ return; - - ra->type = ND_ROUTER_ADVERT; - ra->code = 0; -diff --git a/src/slaac.c b/src/slaac.c -index 8034805..07b8ba4 100644 ---- a/src/slaac.c -+++ b/src/slaac.c -@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) - struct sockaddr_in6 addr; - - save_counter(0); -- ping = expand(sizeof(struct ping_packet)); -+ -+ if (!(ping = expand(sizeof(struct ping_packet)))) -+ continue; -+ - ping->type = ICMP6_ECHO_REQUEST; - ping->code = 0; - ping->identifier = ping_id; --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch deleted file mode 100644 index f4d0d20..0000000 --- a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From 5874f3e9222397d82aabd9884d9bf5ce7e4109b0 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Sun, 10 Jul 2016 22:12:08 +0100 -Subject: [PATCH] Fix editing error on man page. - -Thanks to Eric Westbrook for spotting this. ---- - man/dnsmasq.8 | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index 0521534..bd8c0b3 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -1037,6 +1037,10 @@ is given, then read all the files contained in that directory. The advantage of - using this option is the same as for --dhcp-hostsfile: the - dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that - it is possible to encode the information in a -+.B --dhcp-boot -+flag as DHCP options, using the options names bootfile-name, -+server-ip-address and tftp-server. This allows these to be included -+in a dhcp-optsfile. - .TP - .B --dhcp-hostsdir=<path> - This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a -@@ -1048,11 +1052,6 @@ is restarted; ie host records are only added dynamically. - .TP - .B --dhcp-optsdir=<path> - This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir. --.TP --.B --dhcp-boot --flag as DHCP options, using the options names bootfile-name, --server-ip-address and tftp-server. This allows these to be included --in a dhcp-optsfile. - .TP - .B -Z, --read-ethers - Read /etc/ethers for information about hosts for the DHCP server. The --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/005-Manpage_typo.patch b/src/patches/dnsmasq/005-Manpage_typo.patch deleted file mode 100644 index 52f16de..0000000 --- a/src/patches/dnsmasq/005-Manpage_typo.patch +++ /dev/null 
@@ -1,25 +0,0 @@ -From 907efeb2dc712603271093bce8a93c7c3e6fe64d Mon Sep 17 00:00:00 2001 -From: Kristjan Onu jeixav@gmail.com -Date: Sun, 10 Jul 2016 22:37:57 +0100 -Subject: [PATCH] Manpage typo. - ---- - man/dnsmasq.8 | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index bd8c0b3..ac8d921 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -242,7 +242,7 @@ addresses associated with the interface. - .B --local-service - Accept DNS queries only from hosts whose address is on a local subnet, - ie a subnet for which an interface exists on the server. This option --only has effect is there are no --interface --except-interface, -+only has effect if there are no --interface --except-interface, - --listen-address or --auth-server options. It is intended to be set as - a default on installation, to allow unconfigured installations to be - useful but also safe from being used for DNS amplification attacks. --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch deleted file mode 100644 index ec17115..0000000 --- a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Mon, 11 Jul 2016 18:18:42 +0100 -Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements. - -The check that there's enough space to store the DHCP agent-id -at the end of the packet could succeed when it should fail -if the END option is in either of the oprion-overload areas. -That could overwrite legit options in the request and cause -bad behaviour. It's highly unlikely that any sane DHCP client -would trigger this bug, and it's never been seen, but this -fixes the problem. - -Also fix off-by-one in bounds checking of option processing. -Worst case scenario on that is a read one byte beyond the -end off a buffer with a crafted packet, and maybe therefore -a SIGV crash if the memory after the buffer is not mapped. - -Thanks to Timothy Becker for spotting these. ---- - src/rfc2131.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/rfc2131.c b/src/rfc2131.c -index b7c167e..8b99d4b 100644 ---- a/src/rfc2131.c -+++ b/src/rfc2131.c -@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, - be enough free space at the end of the packet to copy the option. */ - unsigned char *sopt; - unsigned int total = option_len(opt) + 2; -- unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0); -+ unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz, -+ OPTION_END, 0); - if (last_opt && last_opt < end - total) - { - end -= total; -@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt - { - while (1) - { -- if (p > end) -+ if (p >= end) - return NULL; - else if (*p == OPTION_END) - return opt == OPTION_END ? p : NULL; --- -1.7.10.4 - 
diff --git a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch deleted file mode 100644 index 6a79eac..0000000 --- a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 1d07667ac77c55b9de56b1b2c385167e0e0ec27a Mon Sep 17 00:00:00 2001 -From: Ivan Kokshaysky ink@jurassic.park.msu.ru -Date: Mon, 11 Jul 2016 18:36:05 +0100 -Subject: [PATCH] Fix logic error in Linux netlink code. - -This could cause dnsmasq to enter a tight loop on systems -with a very large number of network interfaces. ---- - CHANGELOG | 6 ++++++ - src/netlink.c | 8 +++++++- - 2 files changed, 13 insertions(+), 1 deletion(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 0559a6f..59c9c49 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -11,6 +11,12 @@ version 2.77 - Thanks to Mozilla for funding the security audit - which spotted this bug. - -+ Fix logic error in Linux netlink code. This could -+ cause dnsmasq to enter a tight loop on systems -+ with a very large number of network interfaces. -+ Thanks to Ivan Kokshaysky for the diagnosis and -+ patch. -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range -diff --git a/src/netlink.c b/src/netlink.c -index 049247b..8cd51af 100644 ---- a/src/netlink.c -+++ b/src/netlink.c -@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int (*callback)()) - } - - for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len)) -- if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR) -+ if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR) - { - /* May be multicast arriving async */ - nl_async(h); - } -+ else if (h->nlmsg_seq != seq) -+ { -+ /* May be part of incomplete response to previous request after -+ ENOBUFS. Drop it. */ -+ continue; -+ } - else if (h->nlmsg_type == NLMSG_DONE) - return callback_ok; - else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family != AF_LOCAL) --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch deleted file mode 100644 index b32d17a..0000000 
--- a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001 -From: Kevin Darbyshire-Bryant kevin@darbyshire-bryant.me.uk -Date: Mon, 11 Jul 2016 21:03:27 +0100 -Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of - SIGHUP would erroneously engage timestamp checking. - ---- - CHANGELOG | 4 ++++ - src/dnsmasq.c | 7 ++++--- - src/dnsmasq.h | 1 + - src/dnssec.c | 5 +++-- - 4 files changed, 12 insertions(+), 5 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 59c9c49..9f1e404 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -17,6 +17,10 @@ version 2.77 - Thanks to Ivan Kokshaysky for the diagnosis and - patch. - -+ Fix problem with --dnssec-timestamp whereby receipt -+ of SIGHUP would erroneously engage timestamp checking. -+ Thanks to Kevin Darbyshire-Bryant for this work. -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index 045ec53..a47273f 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -750,7 +750,8 @@ int main (int argc, char **argv) - - my_syslog(LOG_INFO, _("DNSSEC validation enabled")); - -- if (option_bool(OPT_DNSSEC_TIME)) -+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME); -+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future) - my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); - - if (rc == 1) -@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now) - { - case EVENT_RELOAD: - #ifdef HAVE_DNSSEC -- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) -+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) - { - my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps")); -- reset_option_bool(OPT_DNSSEC_TIME); -+ daemon->dnssec_no_time_check = 0; - } - #endif - /* fall through */ -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 1896a64..be27ae0 100644 ---- a/src/dnsmasq.h -+++ 
b/src/dnsmasq.h -@@ -992,6 +992,7 @@ extern struct daemon { - #endif - #ifdef HAVE_DNSSEC - struct ds_config *ds; -+ int dnssec_no_time_check; - int back_to_the_future; - char *timestamp_file; - #endif -diff --git a/src/dnssec.c b/src/dnssec.c -index 3c77c7d..64358fa 100644 ---- a/src/dnssec.c -+++ b/src/dnssec.c -@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end) - if (utime(daemon->timestamp_file, NULL) != 0) - my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno)); - -+ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps.")); - daemon->back_to_the_future = 1; -- set_option_bool(OPT_DNSSEC_TIME); -+ daemon->dnssec_no_time_check = 0; - queue_event(EVENT_RELOAD); /* purge cache */ - } - - if (daemon->back_to_the_future == 0) - return 1; - } -- else if (option_bool(OPT_DNSSEC_TIME)) -+ else if (daemon->dnssec_no_time_check) - return 1; - - /* We must explicitly check against wanted values, because of SERIAL_UNDEF */ --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch deleted file mode 100644 index 0300853..0000000 --- a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From d6dce53e08b3a06be16d43e1bf566c6c1988e4a9 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Mon, 11 Jul 2016 21:34:31 +0100 -Subject: [PATCH] malloc(); memset() -> calloc() for efficiency. - ---- - src/util.c | 10 +++------- - 1 file changed, 3 insertions(+), 7 deletions(-) - -diff --git a/src/util.c b/src/util.c -index 82443c9..211690e 100644 ---- a/src/util.c -+++ b/src/util.c -@@ -244,13 +244,11 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval) - /* for use during startup */ - void *safe_malloc(size_t size) - { -- void *ret = malloc(size); -+ void *ret = calloc(1, size); - - if (!ret) - die(_("could not get memory"), NULL, EC_NOMEM); -- else -- memset(ret, 0, size); -- -+ - return ret; - } - -@@ -264,12 +262,10 @@ void safe_pipe(int *fd, int read_noblock) - - void *whine_malloc(size_t size) - { -- void *ret = malloc(size); -+ void *ret = calloc(1, size); - - if (!ret) - my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size); -- else -- memset(ret, 0, size); - - return ret; - } --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch deleted file mode 100644 index a8c10a4..0000000 --- a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch +++ /dev/null 
@@ -1,169 +0,0 @@ -From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Fri, 22 Jul 2016 20:56:01 +0100 -Subject: [PATCH] Zero packet buffers before building output, to reduce risk - of information leakage. - ---- - src/auth.c | 5 +++++ - src/dnsmasq.h | 1 + - src/outpacket.c | 10 ++++++++++ - src/radv.c | 2 +- - src/rfc1035.c | 5 +++++ - src/rfc3315.c | 6 +++--- - src/slaac.c | 2 +- - src/tftp.c | 5 ++++- - 8 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/src/auth.c b/src/auth.c -index 198572d..3c5c37f 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n - struct all_addr addr; - struct cname *a; - -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(((char *)header) + qlen, 0, -+ (limit - ((char *)header)) - qlen); -+ - if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY ) - return 0; - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index be27ae0..2bda5d0 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay); - /* outpacket.c */ - #ifdef HAVE_DHCP6 - void end_opt6(int container); -+void reset_counter(void); - int save_counter(int newval); - void *expand(size_t headroom); - int new_opt6(int opt); -diff --git a/src/outpacket.c b/src/outpacket.c -index a414efa..2caacd9 100644 ---- a/src/outpacket.c -+++ b/src/outpacket.c -@@ -29,9 +29,19 @@ void end_opt6(int container) - PUTSHORT(len, p); - } - -+void reset_counter(void) -+{ -+ /* Clear out buffer when starting from begining */ -+ if (daemon->outpacket.iov_base) -+ memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len); -+ -+ save_counter(0); -+} -+ - int save_counter(int newval) - { - int ret = outpacket_counter; -+ - if (newval != -1) - outpacket_counter = newval; - -diff --git a/src/radv.c b/src/radv.c -index 
faa0f6d..39c9217 100644 ---- a/src/radv.c -+++ b/src/radv.c -@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad - parm.adv_interval = calc_interval(ra_param); - parm.prio = calc_prio(ra_param); - -- save_counter(0); -+ reset_counter(); - - if (!(ra = expand(sizeof(struct ra_packet)))) - return; -diff --git a/src/rfc1035.c b/src/rfc1035.c -index 24d08c1..9e730a9 100644 ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, - int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1; - struct mx_srv_record *rec; - size_t len; -+ -+ /* Clear buffer beyond request to avoid risk of -+ information disclosure. */ -+ memset(((char *)header) + qlen, 0, -+ (limit - ((char *)header)) - qlen); - - if (ntohs(header->ancount) != 0 || - ntohs(header->nscount) != 0 || -diff --git a/src/rfc3315.c b/src/rfc3315.c -index 3f4d69c..e1271a1 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if - for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next) - vendor->netid.next = &vendor->netid; - -- save_counter(0); -+ reset_counter(); - state.context = context; - state.interface = interface; - state.iface_name = iface_name; -@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, - if (hopcount > 32) - return; - -- save_counter(0); -+ reset_counter(); - - if ((header = put_opt6(NULL, 34))) - { -@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival - (!relay->interface || wildcard_match(relay->interface, arrival_interface))) - break; - -- save_counter(0); -+ reset_counter(); - - if (relay) - { -diff --git a/src/slaac.c b/src/slaac.c -index 07b8ba4..bd6c9b4 100644 ---- a/src/slaac.c -+++ b/src/slaac.c -@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) - 
struct ping_packet *ping; - struct sockaddr_in6 addr; - -- save_counter(0); -+ reset_counter(); - - if (!(ping = expand(sizeof(struct ping_packet)))) - continue; -diff --git a/src/tftp.c b/src/tftp.c -index 3e1b5c5..618c406 100644 ---- a/src/tftp.c -+++ b/src/tftp.c -@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file) - ssize_t len, ret = 4; - char *errstr = strerror(errno); - -+ memset(packet, 0, daemon->packet_buff_sz); - sanitise(file); -- -+ - mess->op = htons(OP_ERR); - mess->err = htons(err); - len = snprintf(mess->message, MAXMESSAGE, message, file, errstr); -@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file) - /* return -1 for error, zero for done. */ - static ssize_t get_block(char *packet, struct tftp_transfer *transfer) - { -+ memset(packet, 0, daemon->packet_buff_sz); -+ - if (transfer->block == 0) - { - /* send OACK */ --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch deleted file mode 100644 index ab8ba28..0000000 --- a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Fri, 22 Jul 2016 20:59:16 +0100 -Subject: [PATCH] Don't reset packet length on transmission, in case of - retransmission. - ---- - src/radv.c | 2 +- - src/rfc3315.c | 2 +- - src/slaac.c | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/radv.c b/src/radv.c -index 39c9217..ffc37f2 100644 ---- a/src/radv.c -+++ b/src/radv.c -@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad - } - - while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base, -- save_counter(0), 0, (struct sockaddr *)&addr, -+ save_counter(-1), 0, (struct sockaddr *)&addr, - sizeof(addr)))); - - } -diff --git a/src/rfc3315.c b/src/rfc3315.c -index e1271a1..c7bf46f 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz, - my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without correct interface")); - } - -- send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0), &to, &from, 0); -+ send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-1), &to, &from, 0); - - if (option_bool(OPT_LOG_OPTS)) - { -diff --git a/src/slaac.c b/src/slaac.c -index bd6c9b4..7ecf127 100644 ---- a/src/slaac.c -+++ b/src/slaac.c -@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases) - addr.sin6_port = htons(IPPROTO_ICMPV6); - addr.sin6_addr = slaac->addr; - -- if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0, -+ if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0, - (struct sockaddr *)&addr, sizeof(addr)) == -1 && - errno == EHOSTUNREACH) - slaac->ping_time = 0; /* Give up */ --- -1.7.10.4 - 
diff --git a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch deleted file mode 100644 index c71f470..0000000 --- a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Fri, 22 Jul 2016 21:37:59 +0100 -Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing - code. - ---- - src/dhcp-common.c | 16 ++++++++-------- - src/dhcp-protocol.h | 4 ++++ - src/lease.c | 9 ++++++++- - src/rfc3315.c | 2 +- - 4 files changed, 21 insertions(+), 10 deletions(-) - -diff --git a/src/dhcp-common.c b/src/dhcp-common.c -index 08528e8..ecc752b 100644 ---- a/src/dhcp-common.c -+++ b/src/dhcp-common.c -@@ -20,11 +20,11 @@ - - void dhcp_common_init(void) - { -- /* These each hold a DHCP option max size 255 -- and get a terminating zero added */ -- daemon->dhcp_buff = safe_malloc(256); -- daemon->dhcp_buff2 = safe_malloc(256); -- daemon->dhcp_buff3 = safe_malloc(256); -+ /* These each hold a DHCP option max size 255 -+ and get a terminating zero added */ -+ daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ); -+ daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ); -+ daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ); - - /* dhcp_packet is used by v4 and v6, outpacket only by v6 - sizeof(struct dhcp_packet) is as good an initial size as any, -@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context) - if (context->flags & CONTEXT_RA_STATELESS) - { - if (context->flags & CONTEXT_TEMPLATE) -- strncpy(daemon->dhcp_buff, context->template_interface, 256); -+ strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ); - else - strcpy(daemon->dhcp_buff, daemon->addrbuff); - } - else - #endif -- inet_ntop(family, start, daemon->dhcp_buff, 256); -- inet_ntop(family, end, daemon->dhcp_buff3, 256); -+ inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ); -+ inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ); - my_syslog(MS_DHCP | LOG_INFO, - (context->flags & CONTEXT_RA_STATELESS) ? 
- _("%s stateless on %s%.0s%.0s%s") : -diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h -index a31d829..0ea449b 100644 ---- a/src/dhcp-protocol.h -+++ b/src/dhcp-protocol.h -@@ -19,6 +19,10 @@ - #define DHCP_CLIENT_ALTPORT 1068 - #define PXE_PORT 4011 - -+/* These each hold a DHCP option max size 255 -+ and get a terminating zero added */ -+#define DHCP_BUFF_SZ 256 -+ - #define BOOTREQUEST 1 - #define BOOTREPLY 2 - #define DHCP_COOKIE 0x63825363 -diff --git a/src/lease.c b/src/lease.c -index 20cac90..ca62cc5 100644 ---- a/src/lease.c -+++ b/src/lease.c -@@ -65,7 +65,14 @@ void lease_init(time_t now) - } - - /* client-id max length is 255 which is 255*2 digits + 254 colons -- borrow DNS packet buffer which is always larger than 1000 bytes */ -+ borrow DNS packet buffer which is always larger than 1000 bytes -+ -+ Check various buffers are big enough for the code below */ -+ -+#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764) -+# error Buffer size breakage in leasfile parsing. -+#endif -+ - if (leasestream) - while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2) - { -diff --git a/src/rfc3315.c b/src/rfc3315.c -index c7bf46f..568b0c8 100644 ---- a/src/rfc3315.c -+++ b/src/rfc3315.c -@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, - - if (addr) - { -- inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255); -+ inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1); - strcat(daemon->dhcp_buff2, " "); - } - else --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch b/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch deleted file mode 100644 index bb5fe5d..0000000 --- a/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001 -From: Mathias Kresin dev@kresin.me -Date: Sun, 24 Jul 2016 14:15:22 +0100 -Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer. - ---- - man/dnsmasq.8 | 6 +++++- - src/auth.c | 61 ++++++++++++++++++++++++++++++++++++--------------------- - src/dnsmasq.h | 1 + - src/option.c | 21 ++++++++++++++++++-- - 4 files changed, 64 insertions(+), 25 deletions(-) - -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index ac8d921..8910947 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that - setting this may affect DNS behaviour in bad ways, it is not an - extra-logging flag and should not be set in production. - .TP --.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]] -+.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....][,exclude:<subnet>[/<prefix length>]].....] - Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain - will be served. If subnet(s) are given, A and AAAA records must be in one of the - specified subnets. -@@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which should not. - Interface-name and address-literal subnet specifications may be used - freely in the same --auth-zone declaration. - -+It's possible to exclude certain IP addresses from responses. It can be -+used, to make sure that answers contain only global routeable IP -+addresses (by excluding loopback, RFC1918 and ULA addresses). -+ - The subnet(s) are also used to define in-addr.arpa and - ip6.arpa domains which are served for reverse-DNS queries. If not - specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6. 
-diff --git a/src/auth.c b/src/auth.c -index 3c5c37f..f1ca2f5 100644 ---- a/src/auth.c -+++ b/src/auth.c -@@ -18,36 +18,53 @@ - - #ifdef HAVE_AUTH - --static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u) -+static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u) - { -- struct addrlist *subnet; -- -- for (subnet = zone->subnet; subnet; subnet = subnet->next) -- { -- if (!(subnet->flags & ADDRLIST_IPV6)) -- { -- struct in_addr netmask, addr = addr_u->addr.addr4; -- -- if (!(flag & F_IPV4)) -- continue; -- -- netmask.s_addr = htonl(~(in_addr_t)0 << (32 - subnet->prefixlen)); -- -- if (is_same_net(addr, subnet->addr.addr.addr4, netmask)) -- return subnet; -- } -+ do { -+ if (!(list->flags & ADDRLIST_IPV6)) -+ { -+ struct in_addr netmask, addr = addr_u->addr.addr4; -+ -+ if (!(flag & F_IPV4)) -+ continue; -+ -+ netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen)); -+ -+ if (is_same_net(addr, list->addr.addr.addr4, netmask)) -+ return list; -+ } - #ifdef HAVE_IPV6 -- else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6, subnet->prefixlen)) -- return subnet; -+ else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen)) -+ return list; - #endif -- -- } -+ -+ } while ((list = list->next)); -+ - return NULL; - } - -+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u) -+{ -+ if (!zone->subnet) -+ return NULL; -+ -+ return find_addrlist(zone->subnet, flag, addr_u); -+} -+ -+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u) -+{ -+ if (!zone->exclude) -+ return NULL; -+ -+ return find_addrlist(zone->exclude, flag, addr_u); -+} -+ - static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u) - { -- /* No zones specified, no filter */ -+ if (find_exclude(zone, flag, addr_u)) -+ return 0; -+ -+ /* No subnets specified, no filter */ - if 
(!zone->subnet) - return 1; - -diff --git a/src/dnsmasq.h b/src/dnsmasq.h -index 2bda5d0..27385a9 100644 ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -340,6 +340,7 @@ struct auth_zone { - struct auth_name_list *next; - } *interface_names; - struct addrlist *subnet; -+ struct addrlist *exclude; - struct auth_zone *next; - }; - -diff --git a/src/option.c b/src/option.c -index d8c57d6..6cedef3 100644 ---- a/src/option.c -+++ b/src/option.c -@@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - new = opt_malloc(sizeof(struct auth_zone)); - new->domain = opt_string_alloc(arg); - new->subnet = NULL; -+ new->exclude = NULL; - new->interface_names = NULL; - new->next = daemon->auth_zones; - daemon->auth_zones = new; -@@ -1913,6 +1914,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - while ((arg = comma)) - { - int prefixlen = 0; -+ int is_exclude = 0; - char *prefix; - struct addrlist *subnet = NULL; - struct all_addr addr; -@@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - if (prefix && !atoi_check(prefix, &prefixlen)) - ret_err(gen_err); - -+ if (strstr(arg, "exclude:") == arg) -+ { -+ is_exclude = 1; -+ arg = arg+8; -+ } -+ - if (inet_pton(AF_INET, arg, &addr.addr.addr4)) - { - subnet = opt_malloc(sizeof(struct addrlist)); -@@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma - if (subnet) - { - subnet->addr = addr; -- subnet->next = new->subnet; -- new->subnet = subnet; -+ -+ if (is_exclude) -+ { -+ subnet->next = new->exclude; -+ new->exclude = subnet; -+ } -+ else -+ { -+ subnet->next = new->subnet; -+ new->subnet = subnet; -+ } - } - } - break; --- -1.7.10.4 - 
diff --git a/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch b/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch deleted file mode 100644 index 054323b..0000000 --- a/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c8328ecde896575b3cb81cf537747df531f90771 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Fri, 5 Aug 2016 16:54:58 +0100 -Subject: [PATCH] Bump auth zone serial when reloading /etc/hosts and friends. - ---- - CHANGELOG | 4 ++++ - src/dnsmasq.c | 2 ++ - 2 files changed, 6 insertions(+) - -diff --git a/CHANGELOG b/CHANGELOG -index 9f1e404..4f89799 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -20,6 +20,10 @@ version 2.77 - Fix problem with --dnssec-timestamp whereby receipt - of SIGHUP would erroneously engage timestamp checking. - Thanks to Kevin Darbyshire-Bryant for this work. -+ -+ Bump zone serial on reloading /etc/hosts and friends -+ when providing authoritative DNS. Thanks to Harrald -+ Dunkel for spotting this. - - - version 2.76 -diff --git a/src/dnsmasq.c b/src/dnsmasq.c -index a47273f..3580bea 100644 ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -1226,6 +1226,8 @@ static void async_event(int pipe, time_t now) - switch (ev.event) - { - case EVENT_RELOAD: -+ daemon->soa_sn++; /* Bump zone serial, as it may have changed. */ -+ - #ifdef HAVE_DNSSEC - if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME)) - { --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch b/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch deleted file mode 100644 index 7ebef83..0000000 --- a/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 6d95099c56a926d672e0407d6017fef9714f40c4 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Thu, 11 Aug 2016 23:38:54 +0100 -Subject: [PATCH] Handle v4-mapped IPv6 addresses sanely for --synth-domain. - ---- - CHANGELOG | 7 ++++++- - man/dnsmasq.8 | 2 ++ - src/domain.c | 34 ++++++++++++++++++++++++---------- - 3 files changed, 32 insertions(+), 11 deletions(-) - -diff --git a/CHANGELOG b/CHANGELOG -index 4f89799..2731cc4 100644 ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -24,7 +24,12 @@ version 2.77 - Bump zone serial on reloading /etc/hosts and friends - when providing authoritative DNS. Thanks to Harrald - Dunkel for spotting this. -- -+ -+ Handle v4-mapped IPv6 addresses sanely in --synth-domain. -+ These have standard representation like ::ffff:1.2.3.4 -+ and are now converted to names like -+ <prefix>--ffff-1-2-3-4.<domain> -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range -diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 -index 8910947..91fe672 100644 ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -619,6 +619,8 @@ but IPv6 addresses may start with '::' - but DNS labels may not start with '-' so in this case if no prefix is - configured a zero is added in front of the label. ::1 becomes 0--1. - -+V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4 -+ - The address range can be of the form - <ip address>,<ip address> or <ip address>/<netmask> - .TP -diff --git a/src/domain.c b/src/domain.c -index 1dd5027..a007acd 100644 ---- a/src/domain.c -+++ b/src/domain.c -@@ -77,18 +77,31 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr) - - *p = 0; - -- /* swap . or : for - */ -- for (p = tail; *p; p++) -- if (*p == '-') -- { -- if (prot == AF_INET) -+ #ifdef HAVE_IPV6 -+ if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail) -+ { -+ /* special hack for v4-mapped. 
*/ -+ memcpy(tail, "::ffff:", 7); -+ for (p = tail + 7; *p; p++) -+ if (*p == '-') - *p = '.'; -+ } -+ else -+#endif -+ { -+ /* swap . or : for - */ -+ for (p = tail; *p; p++) -+ if (*p == '-') -+ { -+ if (prot == AF_INET) -+ *p = '.'; - #ifdef HAVE_IPV6 -- else -- *p = ':'; -+ else -+ *p = ':'; - #endif -- } -- -+ } -+ } -+ - if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr)) - { - if (prot == AF_INET) -@@ -169,8 +182,9 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name) - inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN); - } - -+ /* V4-mapped have periods.... */ - for (p = name; *p; p++) -- if (*p == ':') -+ if (*p == ':' || *p == '.') - *p = '-'; - - strncat(name, ".", MAXDNAME); --- -1.7.10.4 - diff --git a/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch b/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch deleted file mode 100644 index db27f90..0000000 --- a/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch +++ /dev/null 
@@ -1,149 +0,0 @@ -From 396750cef533cf72c7e6a72e47a9c93e2e431cb7 Mon Sep 17 00:00:00 2001 -From: Simon Kelley simon@thekelleys.org.uk -Date: Sat, 13 Aug 2016 22:34:11 +0100 -Subject: [PATCH] Refactor openBSD pftables code to remove blatant copyright - violation. - ---- - src/tables.c | 90 +++++++++++++++++++++------------------------------------- - 1 file changed, 32 insertions(+), 58 deletions(-) - -diff --git a/src/tables.c b/src/tables.c -index aae1252..4fa3487 100644 ---- a/src/tables.c -+++ b/src/tables.c -@@ -53,52 +53,6 @@ static char *pfr_strerror(int errnum) - } - } - --static int pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags) --{ -- struct pfioc_table io; -- -- if (size < 0 || (size && tbl == NULL)) -- { -- errno = EINVAL; -- return (-1); -- } -- bzero(&io, sizeof io); -- io.pfrio_flags = flags; -- io.pfrio_buffer = tbl; -- io.pfrio_esize = sizeof(*tbl); -- io.pfrio_size = size; -- if (ioctl(dev, DIOCRADDTABLES, &io)) -- return (-1); -- if (nadd != NULL) -- *nadd = io.pfrio_nadd; -- return (0); --} -- --static int fill_addr(const struct all_addr *ipaddr, int flags, struct pfr_addr* addr) { -- if ( !addr || !ipaddr) -- { -- my_syslog(LOG_ERR, _("error: fill_addr missused")); -- return -1; -- } -- bzero(addr, sizeof(*addr)); --#ifdef HAVE_IPV6 -- if (flags & F_IPV6) -- { -- addr->pfra_af = AF_INET6; -- addr->pfra_net = 0x80; -- memcpy(&(addr->pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr)); -- } -- else --#endif -- { -- addr->pfra_af = AF_INET; -- addr->pfra_net = 0x20; -- addr->pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr; -- } -- return 1; --} -- --/*****************************************************************************/ - - void ipset_init(void) - { -@@ -111,14 +65,13 @@ void ipset_init(void) - } - - int add_to_ipset(const char *setname, const struct all_addr *ipaddr, -- int flags, int remove) -+ int flags, int remove) - { - struct pfr_addr addr; - struct pfioc_table io; - struct pfr_table table; -- int n = 0, rc 
= 0; - -- if ( dev == -1 ) -+ if (dev == -1) - { - my_syslog(LOG_ERR, _("warning: no opened pf devices %s"), pf_device); - return -1; -@@ -126,31 +79,52 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr, - - bzero(&table, sizeof(struct pfr_table)); - table.pfrt_flags |= PFR_TFLAG_PERSIST; -- if ( strlen(setname) >= PF_TABLE_NAME_SIZE ) -+ if (strlen(setname) >= PF_TABLE_NAME_SIZE) - { - my_syslog(LOG_ERR, _("error: cannot use table name %s"), setname); - errno = ENAMETOOLONG; - return -1; - } - -- if ( strlcpy(table.pfrt_name, setname, -- sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) -+ if (strlcpy(table.pfrt_name, setname, -+ sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) - { - my_syslog(LOG_ERR, _("error: cannot strlcpy table name %s"), setname); - return -1; - } - -- if ((rc = pfr_add_tables(&table, 1, &n, 0))) -+ bzero(&io, sizeof io); -+ io.pfrio_flags = 0; -+ io.pfrio_buffer = &table; -+ io.pfrio_esize = sizeof(table); -+ io.pfrio_size = 1; -+ if (ioctl(dev, DIOCRADDTABLES, &io)) - { -- my_syslog(LOG_WARNING, _("warning: pfr_add_tables: %s(%d)"), -- pfr_strerror(errno),rc); -+ my_syslog(LOG_WARNING, _("IPset: error:%s"), pfr_strerror(errno)); -+ - return -1; - } -+ - table.pfrt_flags &= ~PFR_TFLAG_PERSIST; -- if (n) -+ if (io.pfrio_nadd) - my_syslog(LOG_INFO, _("info: table created")); -- -- fill_addr(ipaddr,flags,&addr); -+ -+ bzero(&addr, sizeof(addr)); -+#ifdef HAVE_IPV6 -+ if (flags & F_IPV6) -+ { -+ addr.pfra_af = AF_INET6; -+ addr.pfra_net = 0x80; -+ memcpy(&(addr.pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr)); -+ } -+ else -+#endif -+ { -+ addr.pfra_af = AF_INET; -+ addr.pfra_net = 0x20; -+ addr.pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr; -+ } -+ - bzero(&io, sizeof(io)); - io.pfrio_flags = 0; - io.pfrio_table = table; --- -1.7.10.4 -
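Review bot: the deletion of src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch (the `@@ -1,93 +0,0 @@` hunk) comes with no visible change to whatever lists the patches the dnsmasq build applies, and no visible dnsmasq version bump that would carry upstream commit 06093a9 instead; if that list still names 008 the build breaks, and if the new base tarball predates the commit the SIGHUP timestamp-check fix is silently lost. Please name the superseding dnsmasq version in the commit message and drop the patch from the application list in the same change.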
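Review bot: removing 010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch (hunk `@@ -1,169 +0,0 @@`) drops a hardening change, the `memset(((char *)header) + qlen, 0, ...)` in answer_auth()/answer_request() and the `memset(packet, 0, daemon->packet_buff_sz)` in tftp_err()/get_block(), whose purpose is to keep stale buffer contents out of replies; it should only go once the dnsmasq source now being built is confirmed to contain upstream fa78573. Note also that 011 is generated on top of 010 (its radv.c hunk starts from blob 39c9217, which 010 produced), so 010 and 011 have to be kept or removed as a pair, as this commit does.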
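Review bot: 014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch (hunk `@@ -1,41 +0,0 @@`) carries the context line `if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && ...`, a field that exists only because 008 added it, so the series 008 to 016 is order-dependent and can only be removed as a set, which is what this commit does; a one-line note in the commit message saying these nine patches are superseded together would save the next reader from re-deriving that dependency.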
hooks/post-receive -- IPFire 2.x development tree