dnsmasq: bump to v2.80
author Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Sun, 19 Aug 2018 18:52:00 +0000 (20:52 +0200)
committer Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Mon, 22 Oct 2018 19:25:27 +0000 (20:25 +0100)
Cherry-picked & squashed from relevant commits from master:

dnsmasq v2.80 release

Change from rc1:

91421cb Fix compiler warning.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 6c4d3d705a0d6e508de94dc49736c250ecdae27c)

dnsmasq: remove creation of /etc/ethers

Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit fa3301a28e

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 6c227e45cb6a97c61d9fa2ffa35cebee2a048739)

dnsmasq: bump to dnsmasq v2.80test5

Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)

Upstream commits since last bump:

da8b651 Implement --address=/example.com/#
c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 3d377f4375c6e4a66c6741bbd2549ad53ef671b3)

dnsmasq: bump to dnsmasq 2.80test6

Refresh patches

Changes since latest bump:

af3bd07 Man page typo.
d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 43d4b8e89e68fcab00698ee3b70a58c74813a6a7)

dnsmasq: Handle memory allocation failure in make_non_terminals()

Backport upstream commit:

ea6cc33 Handle memory allocation failure in make_non_terminals()

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 687168ccd9154b1fb7a470fa8f42ce64a135f51d)

dnsmasq: Change behavior when RD bit unset in queries.

Backport upstream commit

Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead of returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows the "dig +trace" command to work.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 6c4cbe94bd940b5c061e27744eb78805764d6b34)

dnsmasq: bump to v2.80test7

Bump to latest test release:

3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)

Delete our own backports of ea6cc33 & 4139298, so the only real changes
here, since we don't care about the Debian stuff, are 48b090c & 3a610a0.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit d9a37d8d1eb7d117d5aa44924064a4a3b5517ddd)

dnsmasq: bump to v2.80test8

e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 30cc5b0bf4f3cdfe950ca7fc380a34c81dd9d7e4)

dnsmasq: add dhcp-ignore-names support - CERT VU#598349

dnsmasq v2.80test8 adds the ability to ignore DHCP clients' requests for
specific hostnames.  Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk, e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purposes. See CERT VU#598349 for more
details.

Some Samsung TVs are claiming the hostname 'localhost'; it is believed
not (yet) for nefarious purposes.

/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.

dhcp-name-match=set:dhcp_bogus_hostname,localhost

Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.

To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence get put into DNS for other hosts to be confused/manipulated by.

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit a45f4f50e16cd2d0370a4470c3ede0c6c7754ba9)

dnsmasq: fix compile issue

Fix compile issue in case HAVE_BROKEN_RTC is enabled

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit 39e5e17045aceb2bfbd6b5c6ecfd6cfbce2f3311)

dnsmasq: bump to v2.80rc1

53792c9 fix typo
df07182 Update German translation.

Remove local patch 001-fix-typo which is a backport of the above 53792c9

There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit b8bc672f247a68bc6f72f08f9352cd7aaa5cb9c4)

dnsmasq: fix dnsmasq failure to start when ujail'd

This patch fixes jailed dnsmasq running into the following issue:

|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash

Fixes: a45f4f50e16 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit 583466bb5b374b29b6b7cba6f065e97c4734f742)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
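As an added defender-side check (example code, not part of the OpenWrt package or of this commit), the following POSIX shell script reads a hostname list in the same dhcp-name-match format as dhcpbogushostname.conf and reports every DHCPACK log line whose client-supplied hostname is on that list, so an operator can see which devices on the LAN are claiming names like 'wpad' or 'localhost'. The sample config and syslog lines are constructed for the example; the function names and the temporary file paths are assumptions.

```shell
#!/bin/sh
# Added example (not OpenWrt package code): audit dnsmasq DHCPACK log lines
# against the hostnames listed in a dhcpbogushostname.conf-style file.

# bogus_names CONF: print the hostnames from dhcp-name-match lines that
# set the dhcp_bogus_hostname tag (the format used by dhcpbogushostname.conf).
bogus_names() {
    sed -n 's/^dhcp-name-match=set:dhcp_bogus_hostname,//p' "$1"
}

# flag_bogus_acks CONF LOG: print "mac ip name" for every DHCPACK whose
# client-supplied hostname is on the list (compared case-insensitively).
# Exit status is 0 when at least one match is found, 1 otherwise.
flag_bogus_acks() {
    awk -v names="$(bogus_names "$1" | tr '[:upper:]' '[:lower:]' | tr '\n' ' ')" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DHCPACK\(/) {
                    # tokens after DHCPACK(iface): ip, mac, optional hostname
                    ip = $(i + 1); mac = $(i + 2); name = tolower($(i + 3))
                    if (name != "" && (name in bad)) { print mac, ip, name; hits++ }
                    break
                }
        }
        END { exit hits > 0 ? 0 : 1 }' "$2"
}

# Constructed sample input: the two-entry list shipped by the package and a
# few made-up syslog lines in dnsmasq-dhcp format (paths are assumptions).
TMPDIR_EX=$(mktemp -d)
SAMPLE_CONF="$TMPDIR_EX/dhcpbogushostname.conf"
SAMPLE_LOG="$TMPDIR_EX/dnsmasq.log"
cat > "$SAMPLE_CONF" <<'EOF'
dhcp-name-match=set:dhcp_bogus_hostname,localhost
dhcp-name-match=set:dhcp_bogus_hostname,wpad
EOF
cat > "$SAMPLE_LOG" <<'EOF'
Oct 22 19:25:27 router dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.50 aa:bb:cc:dd:ee:01
Oct 22 19:25:27 router dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.50 aa:bb:cc:dd:ee:01 WPAD
Oct 22 19:25:30 router dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.51 aa:bb:cc:dd:ee:02 tv-livingroom
Oct 22 19:25:33 router dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.52 aa:bb:cc:dd:ee:03 localhost
Oct 22 19:25:40 router dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.53 aa:bb:cc:dd:ee:04
EOF

flag_bogus_acks "$SAMPLE_CONF" "$SAMPLE_LOG"
```

On a router the same function can be pointed at /usr/share/dnsmasq/dhcpbogushostname.conf and the output of logread; a non-zero exit means no offending lease was seen.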
package/network/services/dnsmasq/Makefile
package/network/services/dnsmasq/files/dhcpbogushostname.conf [new file with mode: 0644]
package/network/services/dnsmasq/files/dnsmasq.init
package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch
package/network/services/dnsmasq/patches/240-ubus.patch [deleted file]

index 7b95d5dccff46d3a2bd0ebecddfdaef015f387f5..5e76579e4b02a1bffe19ec8aeaa44b45ac7dbd0f 100644 (file)
@@ -8,12 +8,12 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dnsmasq
-PKG_VERSION:=2.80test3
+PKG_VERSION:=2.80
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
-PKG_HASH:=af9f6fd13e0d6c5a68059bcf8634c2784c0533017fd48fbaf59cd2955342d301
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
+PKG_HASH:=cdaba2785e92665cf090646cba6f94812760b9d7d8c8d0cfb07ac819377a63bb
 
 PKG_LICENSE:=GPL-2.0
 PKG_LICENSE_FILES:=COPYING
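Review bot: PKG_SOURCE_URL moves from test-releases to the release directory but stays plain http://; that is acceptable only because PKG_HASH is updated in the same hunk and the build verifies the downloaded tarball against it, so the thing to check before merging is that the new sha256 was taken from the upstream 2.80 release tarball rather than from a mirror. PKG_RELEASE staying at 1 is correct for a version bump.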
@@ -124,7 +124,8 @@ Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles)
 TARGET_CFLAGS += -ffunction-sections -fdata-sections
 TARGET_LDFLAGS += -Wl,--gc-sections
 
-COPTS = $(if $(CONFIG_IPV6),,-DNO_IPV6)
+COPTS = -DHAVE_UBUS \
+       $(if $(CONFIG_IPV6),,-DNO_IPV6)
 
 ifeq ($(BUILD_VARIANT),nodhcpv6)
        COPTS += -DNO_DHCP6
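Review bot: -DHAVE_UBUS is added to COPTS unconditionally, so every build variant (including the nodhcpv6 one handled just below) now compiles the upstream ubus code and links libubus/libubox; the hunk shows no DEPENDS change, so confirm the package DEPENDS already list libubus and libubox (they were needed for the local 240-ubus.patch being deleted in this commit), otherwise the link fails. If a ubus-free build is ever wanted, the $(if ...) form used for NO_IPV6 on the next line is the pattern to follow.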
@@ -165,6 +166,7 @@ define Package/dnsmasq/install
        $(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
        $(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
        $(INSTALL_DIR) $(1)/usr/share/dnsmasq
+       $(INSTALL_DATA) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
        $(INSTALL_DATA) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
        $(INSTALL_DIR) $(1)/usr/lib/dnsmasq
        $(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh
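Review bot: dhcpbogushostname.conf is installed under /usr/share/dnsmasq rather than /etc, so it is not in conffiles and is overwritten on package upgrade; that is the right place for a distribution-maintained list, but users who want to block extra names should add their own dhcp-name-match=set:dhcp_bogus_hostname,<name> lines in a separate conf-file, and the file header should say so.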
diff --git a/package/network/services/dnsmasq/files/dhcpbogushostname.conf b/package/network/services/dnsmasq/files/dhcpbogushostname.conf
new file mode 100644 (file)
index 0000000..e83b697
--- /dev/null
@@ -0,0 +1,8 @@
+# dhcpbogushostname.conf included configuration file for dnsmasq
+#
+# includes a list of hostnames that should not be associated with dhcp leases
+# in response to CERT VU#598349
+# file included by default, option dhcpbogushostname 0  to disable
+
+dhcp-name-match=set:dhcp_bogus_hostname,localhost
+dhcp-name-match=set:dhcp_bogus_hostname,wpad
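Review bot: the comment line "option dhcpbogushostname 0  to disable" has a doubled space and does not say which uci section the option lives in; since this file is the first thing a user opens when a device stops getting a DNS name, spell out where to set the option and that the names here are matched against the hostname the DHCP client sends, not against a FQDN (per the 0fdf3c1 fix listed in the message).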
index c1ae0934fd2c466687c80f7ae7f6fa567e4474fa..9c922eec6cf9f76c22d91d00d68671903f4edd5b 100644 (file)
@@ -16,6 +16,7 @@ BASEHOSTFILE="/tmp/hosts/dhcp"
 TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
 TIMEVALIDFILE="/var/state/dnsmasqsec"
 BASEDHCPSTAMPFILE="/var/run/dnsmasq"
+DHCPBOGUSHOSTNAMEFILE="/usr/share/dnsmasq/dhcpbogushostname.conf"
 RFC6761FILE="/usr/share/dnsmasq/rfc6761.conf"
 DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh"
 
@@ -813,6 +814,7 @@ dnsmasq_start()
        append_bool "$cfg" localise_queries "--localise-queries"
        append_bool "$cfg" readethers "--read-ethers"
        append_bool "$cfg" dbus "--enable-dbus"
+       append_bool "$cfg" ubus "--enable-ubus" 1
        append_bool "$cfg" expandhosts "--expand-hosts"
        config_get tftp_root "$cfg" "tftp_root"
        [ -n "$tftp_root" ] && mkdir -p "$tftp_root" && append_bool "$cfg" enable_tftp "--enable-tftp"
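Review bot: the trailing 1 makes --enable-ubus the default, which is consistent with -DHAVE_UBUS now being compiled in unconditionally; it should be documented alongside the new uci option that setting ubus to 0 removes the dnsmasq ubus object and its DHCP event broadcasts, but does not tighten the jail, because procd_add_jail dnsmasq ubus log further down still grants ubus access regardless of this option.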
@@ -869,9 +871,6 @@ dnsmasq_start()
                ADD_LOCAL_FQDN="$ADD_LOCAL_HOSTNAME"
        fi
 
-       config_get_bool readethers "$cfg" readethers
-       [ "$readethers" = "1" -a \! -e "/etc/ethers" ] && touch /etc/ethers
-
        config_get user_dhcpscript $cfg dhcpscript
        if has_handler || [ -n "$user_dhcpscript" ]; then
                xappend "--dhcp-script=$DHCPSCRIPT"
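Review bot: dropping the touch of /etc/ethers makes this script depend on the base-files commit fa3301a28e named in the message actually shipping the file on this branch; if it is missing and readethers is 1, dnsmasq is started with --read-ethers for a file that does not exist, and /etc/ethers is still listed in the jail mounts below, so verify that base-files change is present before merging.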
@@ -958,6 +957,13 @@ dnsmasq_start()
 
        config_foreach filter_dnsmasq host dhcp_host_add "$cfg"
        echo >> $CONFIGFILE_TMP
+
+       config_get_bool dhcpbogushostname "$cfg" dhcpbogushostname 1
+       [ "$dhcpbogushostname" -gt 0 ] && {
+               xappend "--dhcp-ignore-names=tag:dhcp_bogus_hostname"
+               [ -r "$DHCPBOGUSHOSTNAMEFILE" ] && xappend "--conf-file=$DHCPBOGUSHOSTNAMEFILE"
+       }
+
        config_foreach filter_dnsmasq boot dhcp_boot_add "$cfg"
        config_foreach filter_dnsmasq mac dhcp_mac_add "$cfg"
        config_foreach filter_dnsmasq tag dhcp_tag_add "$cfg"
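Review bot: the [ -r "$DHCPBOGUSHOSTNAMEFILE" ] guard only prevents the startup failure quoted in the message if the file is also bind-mounted into the jail, since the test runs outside the jail while dnsmasq opens the file inside it; the procd_add_jail_mount hunk below provides that, so the two hunks must land together. Appending --dhcp-ignore-names=tag:dhcp_bogus_hostname even when the file is unreadable is harmless because nothing then sets the tag. Minor: config_get_bool yields 0 or 1, so [ "$dhcpbogushostname" = 1 ] reads more clearly than -gt 0.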
@@ -1022,7 +1028,7 @@ dnsmasq_start()
        procd_set_param respawn
 
        procd_add_jail dnsmasq ubus log
-       procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT
+       procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT
        procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
 
        procd_close_instance
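Review bot: the new file goes into procd_add_jail_mount, i.e. a read-only bind, which is correct for a list the daemon only reads; it is mounted even when dhcpbogushostname is 0, which is harmless, though making the mount conditional (for example via $EXTRA_MOUNT in the dhcpbogushostname block above) would keep the jail view minimal.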
index 37b11abc1de075a87196e8e5609d56eea9f400cc..2501079b3fd7d37b8be25ba8374581ce1b26afc6 100644 (file)
@@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
 
 --- a/src/dnsmasq.h
 +++ b/src/dnsmasq.h
-@@ -88,7 +88,7 @@ typedef unsigned long long u64;
+@@ -95,7 +95,7 @@ typedef unsigned long long u64;
  #if defined(HAVE_SOLARIS_NETWORK)
  #  include <sys/sockio.h>
  #endif
diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch
deleted file mode 100644 (file)
index 2fa9f48..0000000
+++ /dev/null
@@ -1,128 +0,0 @@
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -19,6 +19,8 @@
- #include "dnsmasq.h"
-+#include <libubus.h>
-+
- struct daemon *daemon;
- static volatile pid_t pid = 0;
-@@ -32,6 +34,64 @@ static void fatal_event(struct event_des
- static int read_event(int fd, struct event_desc *evp, char **msg);
- static void poll_resolv(int force, int do_reload, time_t now);
-+static struct ubus_context *ubus;
-+static struct blob_buf b;
-+
-+static struct ubus_object_type ubus_object_type = {
-+      .name = "dnsmasq",
-+};
-+
-+static struct ubus_object ubus_object = {
-+      .name = "dnsmasq",
-+      .type = &ubus_object_type,
-+};
-+
-+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface)
-+{
-+      if (!ubus || !ubus_object.has_subscribers)
-+              return;
-+
-+      blob_buf_init(&b, 0);
-+      if (mac)
-+              blobmsg_add_string(&b, "mac", mac);
-+      if (ip)
-+              blobmsg_add_string(&b, "ip", ip);
-+      if (name)
-+              blobmsg_add_string(&b, "name", name);
-+      if (interface)
-+              blobmsg_add_string(&b, "interface", interface);
-+      ubus_notify(ubus, &ubus_object, type, b.head, -1);
-+}
-+
-+static void set_ubus_listeners(void)
-+{
-+      if (!ubus)
-+              return;
-+
-+      poll_listen(ubus->sock.fd, POLLIN);
-+      poll_listen(ubus->sock.fd, POLLERR);
-+      poll_listen(ubus->sock.fd, POLLHUP);
-+}
-+
-+static void check_ubus_listeners()
-+{
-+      if (!ubus) {
-+              ubus = ubus_connect(NULL);
-+              if (ubus)
-+                      ubus_add_object(ubus, &ubus_object);
-+              else
-+                      return;
-+      }
-+
-+      if (poll_check(ubus->sock.fd, POLLIN))
-+              ubus_handle_event(ubus);
-+
-+      if (poll_check(ubus->sock.fd, POLLHUP)) {
-+              ubus_free(ubus);
-+              ubus = NULL;
-+      }
-+}
-+
- int main (int argc, char **argv)
- {
-   int bind_fallback = 0;
-@@ -949,6 +1009,7 @@ int main (int argc, char **argv)
-       set_dbus_listeners();
- #endif        
-   
-+      set_ubus_listeners();
- #ifdef HAVE_DHCP
-       if (daemon->dhcp || daemon->relay4)
-       {
-@@ -1079,6 +1140,8 @@ int main (int argc, char **argv)
-       check_dbus_listeners();
- #endif
-       
-+      check_ubus_listeners();
-+
-       check_dns_listeners(now);
- #ifdef HAVE_TFTP
---- a/Makefile
-+++ b/Makefile
-@@ -85,7 +85,7 @@ all : $(BUILDDIR)
-       @cd $(BUILDDIR) && $(MAKE) \
-  top="$(top)" \
-  build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
-- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
-+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) -lubox -lubus" \
-  -f $(top)/Makefile dnsmasq 
- mostly_clean :
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1445,6 +1445,8 @@ void emit_dbus_signal(int action, struct
- #  endif
- #endif
-+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface);
-+
- /* ipset.c */
- #ifdef HAVE_IPSET
- void ipset_init(void);
---- a/src/rfc2131.c
-+++ b/src/rfc2131.c
-@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void
-             daemon->namebuff,
-             string ? string : "",
-             err ? err : "");
-+  if (!strcmp(type, "DHCPACK"))
-+        ubus_event_bcast("dhcp.ack", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
-+  else if (!strcmp(type, "DHCPRELEASE"))
-+        ubus_event_bcast("dhcp.release", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
- }
- static void log_options(unsigned char *start, u32 xid)
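Review bot: deleting the local ubus patch is right given the upstream commits listed in the message (caf4d57, 8c1b6a5, 8dcdb33), but there is a behavioural difference worth calling out: this local version broadcast dhcp.ack and dhcp.release events with mac/ip/name/interface fields whenever the binary was built with it, whereas the upstream code is gated by --enable-ubus, which the init script now passes by default. Confirm that the event names and blobmsg field names in upstream src/ubus.c match these so existing ubus subscribers keep working, and note that the local code listened for POLLERR on the ubus socket without ever checking it, a gap that disappears with the patch.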