This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 1ca232eb4c2655de8ca2adacb41fdc4c8e8f60ca (commit) via f62ac3224c89a42f2d4dcff5e83b6731820a9b4d (commit) via c97b3aa372ac888208043834204c9387c0fa3946 (commit) via 6ee104aeb793aad605e6978708e88059274ea143 (commit) from 253983268e74482b0e032daf398625544c3a370e (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 1ca232eb4c2655de8ca2adacb41fdc4c8e8f60ca Merge: f62ac32 2539832 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 14 23:32:51 2015 +0100
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next
commit f62ac3224c89a42f2d4dcff5e83b6731820a9b4d Author: Matthias Fischer matthias.fischer@ipfire.org Date: Sun Sep 13 21:03:38 2015 +0200
dnsmasq: latest upstream patches
dnsmasq: latest upstream patches
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit c97b3aa372ac888208043834204c9387c0fa3946 Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Sep 14 23:21:32 2015 +0100
core94: Add changed snort initscript
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 6ee104aeb793aad605e6978708e88059274ea143 Author: Douglas Duckworth planningbfun@gmail.com Date: Sat Sep 12 11:27:17 2015 -0500
snort: Remove trailing slash in pid path
Fixes: https://bugzilla.ipfire.org/show_bug.cgi?id=10924
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/94/filelists/files | 1 + lfs/dnsmasq | 6 +++ src/initscripts/init.d/snort | 2 +- .../004-fix_behaviour_of_empty_dhcp-option.patch | 38 ++++++++++++++++ ...ution_to_ENOMEM_error_with_IPv6_multicast.patch | 50 ++++++++++++++++++++++ ...page_on_RDNSS_set_in_router_advertisement.patch | 35 +++++++++++++++ ...gned_dangling_CNAME_replies_to_DS_queries.patch | 30 +++++++++++++ ...6_option_56_does_not_hold_an_address_list.patch | 25 +++++++++++ ...pect_the_--no_resolv_flag_in_inotify_code.patch | 47 ++++++++++++++++++++ 9 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch create mode 100644 src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch create mode 100644 src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch create mode 100644 src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch create mode 100644 src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch create mode 100644 src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
Difference in files:
diff --git a/config/rootfiles/core/94/filelists/files b/config/rootfiles/core/94/filelists/files
index 9b08114..8ea8582 100644
--- a/config/rootfiles/core/94/filelists/files
+++ b/config/rootfiles/core/94/filelists/files
@@ -1,5 +1,6 @@
 etc/system-release
 etc/issue
+etc/rc.d/init.d/snort
 etc/rc.d/init.d/sshd
 srv/web/ipfire/cgi-bin/logs.cgi/log.dat
 srv/web/ipfire/cgi-bin/mail.cgi
diff --git a/lfs/dnsmasq b/lfs/dnsmasq
index f16c761..db56091 100644
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -76,6 +76,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-include_0_0_0_0_8_in_DNS_rebind_checks.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-enhance_add_subnet_to_allow_arbitary_subnet_addresses.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-dont_answer_non_auth_queries_for_auth_zones_locally_when_localise_queries_set.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
+ cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
 cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && sed -i src/config.h \
diff --git a/src/initscripts/init.d/snort b/src/initscripts/init.d/snort
index 42968d8..e03c80f 100644
--- a/src/initscripts/init.d/snort
+++ b/src/initscripts/init.d/snort
@@ -74,7 +74,7 @@ case "$1" in
for DEVICE in $DEVICES; do
 boot_mesg "Starting Intrusion Detection System on $DEVICE..."
- /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run/
+ /usr/sbin/snort -c /etc/snort/snort.conf -i $DEVICE -D -l /var/log/snort --create-pidfile --nolock-pidfile --pid-path /var/run
 evaluate_retval
 sleep 1
 chmod 644 /var/run/snort_$DEVICE.pid
diff --git a/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
new file mode 100644
index 0000000..492ada9
--- /dev/null
+++ b/src/patches/dnsmasq/004-fix_behaviour_of_empty_dhcp-option.patch
@@ -0,0 +1,38 @@
+From 5e3e464ac4022ee0b3794513abe510817e2cf3ca Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Tue, 25 Aug 2015 23:08:39 +0100
+Subject: [PATCH] Fix behaviour of empty dhcp-option=option6:dns-server, which
+ should inhibit sending option.
+
+---
+ src/rfc3315.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/rfc3315.c b/src/rfc3315.c
+index 2665d0d..3f1f9ee 100644
+--- a/src/rfc3315.c
++++ b/src/rfc3315.c
+@@ -1320,15 +1320,16 @@ static struct dhcp_netid *add_options(struct state *state, int do_refresh)
+
+ if (opt_cfg->opt == OPTION6_REFRESH_TIME)
+ done_refresh = 1;
++
++ if (opt_cfg->opt == OPTION6_DNS_SERVER)
++ done_dns = 1;
+
+- if (opt_cfg->flags & DHOPT_ADDR6)
++ /* Empty DNS_SERVER option will not set DHOPT_ADDR6 */
++ if ((opt_cfg->flags & DHOPT_ADDR6) || opt_cfg->opt == OPTION6_DNS_SERVER)
+ {
+ int len, j;
+ struct in6_addr *a;
+
+- if (opt_cfg->opt == OPTION6_DNS_SERVER)
+- done_dns = 1;
+-
+ for (a = (struct in6_addr *)opt_cfg->val, len = opt_cfg->len, j = 0;
+ j < opt_cfg->len; j += IN6ADDRSZ, a++)
+ if ((IN6_IS_ADDR_ULA_ZERO(a) && IN6_IS_ADDR_UNSPECIFIED(state->ula_addr)) ||
+--
+1.7.10.4
+
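Review bot: `$DEVICE` is expanded unquoted on the new snort command line and again in the `chmod 644 /var/run/snort_$DEVICE.pid` context line, so a device entry containing glob characters would be pathname-expanded before snort or chmod sees it (where `$DEVICES` is populated is outside this hunk). Quoting keeps the argument intact: `-i "$DEVICE"` and `chmod 644 "/var/run/snort_$DEVICE.pid"`. The `chmod` also relies on snort having written the pid file within the `sleep 1`; if it has not, the chmod fails and nothing reports it. The enclosing `case` branch and the loop start and end outside the hunk.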
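Review bot: The widened condition in the `src/rfc3315.c` change lets an empty `dns-server` option enter the address loop, which is safe only because `j < opt_cfg->len` is false when the length is zero; `opt_cfg->val` is cast to `struct in6_addr *` before that test and may be NULL for an empty option (not visible here). The comment should carry that reasoning, e.g. `/* Empty DNS_SERVER option will not set DHOPT_ADDR6; its len is 0, so the loop below never dereferences val */`. The code that emits or suppresses the option after the loop lies outside the hunk, so whether a zero-length option is really omitted from the reply cannot be confirmed from these lines.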
diff --git a/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
new file mode 100644
index 0000000..c7cee60
--- /dev/null
+++ b/src/patches/dnsmasq/005-suggest_solution_to_ENOMEM_error_with_IPv6_multicast.patch
@@ -0,0 +1,50 @@
+From 9cdcfe9f19ffd45bac4e5b459879bf7c50a287ed Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Wed, 26 Aug 2015 22:38:08 +0100
+Subject: [PATCH] Suggest solution to ENOMEM error with IPv6 multicast.
+
+---
+ src/network.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/network.c b/src/network.c
+index a1d90c8..819302f 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1076,23 +1076,30 @@ void join_multicast(int dienow)
+
+ if ((daemon->doing_dhcp6 || daemon->relay6) &&
+ setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
+- err = 1;
++ err = errno;
+
+ inet_pton(AF_INET6, ALL_SERVERS, &mreq.ipv6mr_multiaddr);
+
+ if (daemon->doing_dhcp6 &&
+ setsockopt(daemon->dhcp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
+- err = 1;
++ err = errno;
+
+ inet_pton(AF_INET6, ALL_ROUTERS, &mreq.ipv6mr_multiaddr);
+
+ if (daemon->doing_ra &&
+ setsockopt(daemon->icmp6fd, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq, sizeof(mreq)) == -1)
+- err = 1;
++ err = errno;
+
+ if (err)
+ {
+ char *s = _("interface %s failed to join DHCPv6 multicast group: %s");
++ errno = err;
++
++#ifdef HAVE_LINUX_NETWORK
++ if (errno == ENOMEM)
++ my_syslog(LOG_ERR, _("try increasing /proc/sys/net/core/optmem_max"));
++#endif
++
+ if (dienow)
+ die(s, iface->name, EC_BADNET);
+ else
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
new file mode 100644
index 0000000..19c76e6
--- /dev/null
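Review bot: In the `src/network.c` change the ENOMEM hint is logged between `errno = err;` and the `die()` / `my_syslog()` call that reports the failure, so if `my_syslog()` modifies `errno` (its body is not shown, and `die()` presumably takes the second `%s` from `errno`) the final message can name the wrong error. Testing the saved value and restoring `errno` afterwards avoids this: use `if (err == ENOMEM)` for the hint and move `errno = err;` to just after the `#endif`. Note also that `err` is overwritten by every failing `setsockopt()`, so an ENOMEM from the first join is lost when a later join fails for a different reason. join_multicast() starts and ends outside the hunk.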
+++ b/src/patches/dnsmasq/006-clarify_man_page_on_RDNSS_set_in_router_advertisement.patch
@@ -0,0 +1,35 @@
+From 20fd11e11a9d09edcea94de135396ae1541fbbab Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Wed, 26 Aug 2015 22:48:13 +0100
+Subject: [PATCH] Clarify man page on RDNSS set in router advertisement.
+
+---
+ man/dnsmasq.8 | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index a23c898..d51b10f 100644
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -1687,15 +1687,15 @@ creation are handled by a different protocol. When DHCP is in use,
+ only a subset of this is needed, and dnsmasq can handle it, using
+ existing DHCP configuration to provide most data. When RA is enabled,
+ dnsmasq will advertise a prefix for each dhcp-range, with default
+-router and recursive DNS server as the relevant link-local address on
+-the machine running dnsmasq. By default, he "managed address" bits are set, and
++router as the relevant link-local address on
++the machine running dnsmasq. By default, the "managed address" bits are set, and
+ the "use SLAAC" bit is reset. This can be changed for individual
+ subnets with the mode keywords described in
+ .B --dhcp-range.
+ RFC6106 DNS parameters are included in the advertisements. By default,
+ the relevant link-local address of the machine running dnsmasq is sent
+ as recursive DNS server. If provided, the DHCPv6 options dns-server and
+-domain-search are used for RDNSS and DNSSL.
++domain-search are used for the DNS server (RDNSS) and the domain serach list (DNSSL).
+ .TP
+ .B --ra-param=<interface>,[high|low],[[<ra-interval>],<router lifetime>]
+ Set non-default values for router advertisements sent via an
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
new file mode 100644
index 0000000..832a22e
--- /dev/null
+++ b/src/patches/dnsmasq/007-handle_signed_dangling_CNAME_replies_to_DS_queries.patch
@@ -0,0 +1,30 @@
+From 6de81f1250fd323c9155de065d5a9dc200a6f20b Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Wed, 9 Sep 2015 22:51:13 +0100
+Subject: [PATCH] Handle signed dangling CNAME replies to DS queries.
+
+---
+ src/dnssec.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 4deda24..67ce486 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -1232,11 +1232,8 @@ int dnssec_validate_ds(time_t now, struct dns_header *header, size_t plen, char
+
+ /* If we return STAT_NO_SIG, name contains the name of the DS query */
+ if (val == STAT_NO_SIG)
+- {
+- *keyname = 0;
+- return val;
+- }
+-
++ return val;
++
+ /* If the key needed to validate the DS is on the same domain as the DS, we'll
+ loop getting nowhere. Stop that now. This can happen of the DS answer comes
+ from the DS's zone, and not the parent zone. */
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
new file mode 100644
index 0000000..fdccd0e
--- /dev/null
+++ b/src/patches/dnsmasq/008-DHCPv6_option_56_does_not_hold_an_address_list.patch
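Review bot: The comment above the `STAT_NO_SIG` test in the `src/dnssec.c` change still describes only `name`, although with `*keyname = 0;` removed this return now hands `keyname` back with whatever the earlier validation step left in it (that step is outside the hunk, so this is inferred). Callers that previously saw an empty `keyname` on this path get different data, which matters for a DNSSEC validation decision, so the contract belongs in the comment, e.g. `/* If we return STAT_NO_SIG, name contains the name of the DS query and keyname is left as set by the validation above */`. dnssec_validate_ds() starts and ends outside the hunk, and its callers are not visible here.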
@@ -0,0 +1,25 @@
+From 102208df695e886a3086754d32bf7f8c541fbe46 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Thu, 10 Sep 2015 21:50:00 +0100
+Subject: [PATCH] DHCPv6 option 56 does not hold an address list. (RFC 5908).
+
+---
+ src/dhcp-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dhcp-common.c b/src/dhcp-common.c
+index bc48f41..8fc171a 100644
+--- a/src/dhcp-common.c
++++ b/src/dhcp-common.c
+@@ -599,7 +599,7 @@ static const struct opttab_t opttab6[] = {
+ { "sntp-server", 31, OT_ADDR_LIST },
+ { "information-refresh-time", 32, OT_TIME },
+ { "FQDN", 39, OT_INTERNAL | OT_RFC1035_NAME },
+- { "ntp-server", 56, OT_ADDR_LIST },
++ { "ntp-server", 56, 0 },
+ { "bootfile-url", 59, OT_NAME },
+ { "bootfile-param", 60, OT_CSTRING },
+ { NULL, 0, 0 }
+--
+1.7.10.4
+
diff --git a/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
new file mode 100644
index 0000000..2014fdb
--- /dev/null
+++ b/src/patches/dnsmasq/009-Respect_the_--no_resolv_flag_in_inotify_code.patch
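Review bot: The bare `0` in the new `ntp-server` entry of `opttab6` gives no hint why option 56 differs from `sntp-server` a few lines above, which keeps `OT_ADDR_LIST`. A short comment on that line would stop the flag from being restored by mistake, e.g. `/* RFC 5908: option 56 carries suboptions, not a plain address list */`. How a configured value is parsed once the type is 0 is decided outside this hunk, so existing configurations that passed addresses to `option6:ntp-server` should be re-checked after the update.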
@@ -0,0 +1,47 @@
+From 77607cbea0ad0f876dfb79c8b2c121ee400d57d0 Mon Sep 17 00:00:00 2001
+From: Simon Kelley simon@thekelleys.org.uk
+Date: Thu, 10 Sep 2015 23:08:43 +0100
+Subject: [PATCH] Respect the --no-resolv flag in inotify code.
+
+---
+ CHANGELOG | 7 ++++++-
+ debian/changelog | 6 ++++++
+ src/inotify.c | 3 +++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/CHANGELOG b/CHANGELOG
+index bbc2834..d6e309f 100644
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -7,8 +7,13 @@ version 2.76
+
+ Enhance --add-subnet to allow arbitrary subnet addresses.
+ Thanks to Ed Barsley for the patch.
++
++ Respect the --no-resolv flag in inotify code. Fixes bug
++ which caused dnsmasq to fail to start if a resolv-file
++ was a dangling symbolic link, even of --no-resolv set.
++ Thanks to Alexander Kurtz for spotting the problem.
++
+
+-
+ version 2.75
+ Fix reversion on 2.74 which caused 100% CPU use when a
+ dhcp-script is configured. Thanks to Adrian Davey for
+diff --git a/src/inotify.c b/src/inotify.c
+index 52d412f..ef05c58 100644
+--- a/src/inotify.c
++++ b/src/inotify.c
+@@ -90,6 +90,9 @@ void inotify_dnsmasq_init()
+
+ if (daemon->inotifyfd == -1)
+ die(_("failed to create inotify: %s"), NULL, EC_MISC);
++
++ if (option_bool(OPT_NO_RESOLV))
++ return;
+
+ for (res = daemon->resolv_files; res; res = res->next)
+ {
+--
+1.7.10.4
+
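Review bot: In the `src/inotify.c` change the early `return` placed after the inotify descriptor check skips everything that follows in inotify_dnsmasq_init(), not only the resolv-file loop. The function continues outside the hunk, so it cannot be seen here whether anything after the loop should still run with `--no-resolv`. Scoping the test to the loop, `if (!option_bool(OPT_NO_RESOLV))` around the `for (res = daemon->resolv_files; ...)` loop, would keep the intent local. If the return stays, a comment such as `/* --no-resolv: no resolv files to watch, nothing below applies */` would record the assumption.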
hooks/post-receive -- IPFire 2.x development tree