Cherry-picked & squashed from relevant commits from master:
dnsmasq v2.80 release
Change from rc1:
91421cb Fix compiler warning.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
6c4d3d705a0d6e508de94dc49736c250ecdae27c)
dnsmasq: remove creation of /etc/ethers
Remove creation of file /etc/ethers in dnsmasq init script as the
file is now created by default in the base-files package by
commit
fa3301a28e
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit
6c227e45cb6a97c61d9fa2ffa35cebee2a048739)
dnsmasq: bump to dnsmasq v2.80test5
Refresh patches
Remove 240-ubus patch as upstream accepted.
Add uci option ubus which allows to enable/disable ubus support (enabled
by default)
Upstream commits since last bump:
da8b651 Implement --address=/example.com/#
c5db8f9 Tidy
7f876b64c22b2b18412e2e3d8506ee33e42db7c
974a6d0 Add --caa-record
b758b67 Improve logging of RRs from --dns-rr.
9bafdc6 Tidy up file parsing code.
97f876b Properly deal with unaligned addresses in DHCPv6 packets.
cbfbd17 Fix broken DNSSEC records in previous.
b6f926f Don't return NXDOMAIN to empty non-terminals.
c822620 Add --dhcp-name-match
397c050 Handle case of --auth-zone but no --auth-server.
1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=/<domain>/
dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/
6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c
c16d966 Add copyright to src/metrics.h
1dfed16 Remove C99 only code.
6f835ed Format fixes - ubus.c
9d6fd17 dnsmasq.c fix OPT_UBUS option usage
8c1b6a5 New metrics and ubus files.
8dcdb33 Add --enable-ubus option.
aba8bbb Add collection of metrics
caf4d57 Add OpenWRT ubus patch
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit
3d377f4375c6e4a66c6741bbd2549ad53ef671b3)
dnsmasq: bump to dnsmasq 2.80test6
Refresh patches
Changes since latest bump:
af3bd07 Man page typo.
d682099 Picky changes to
47b45b2967c931fed3c89a2e6a8df9f9183a5789
47b45b2 Fix lengths of interface names
2b38e38 Minor improvements in lease-tools
282eab7 Mark die function as never returning
c346f61 Handle ANY queries in context of
da8b6517decdac593e7ce24bde2824dd841725c8
03212e5 Manpage typo.
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit
43d4b8e89e68fcab00698ee3b70a58c74813a6a7)
dnsmasq: Handle memory allocation failure in make_non_terminals()
Backport upstream commit:
ea6cc33 Handle memory allocation failure in make_non_terminals()
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
687168ccd9154b1fb7a470fa8f42ce64a135f51d)
dnsmasq: Change behavior when RD bit unset in queries.
Backport upstream commit
Change anti cache-snooping behaviour with queries with the
recursion-desired bit unset. Instead to returning SERVFAIL, we
now always forward, and never answer from the cache. This
allows "dig +trace" command to work.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
6c4cbe94bd940b5c061e27744eb78805764d6b34)
dnsmasq: bump to v2.80test7
Bump to latest test release:
3a610a0 Finesse allocation of memory for "struct crec" cache entries.
48b090c Fix
b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely).
4139298 Change behavior when RD bit unset in queries.
51cc10f Add warning about 0.0.0.0 and :: addresses to man page.
ea6cc33 Handle memory allocation failure in make_non_terminals()
ad03967 Add debian/tmpfiles.conf
f4fd07d Debian bugfix.
e3c08a3 Debian packaging fix. (restorecon)
118011f Debian packaging fix. (tmpfiles.d)
Delete our own backports of
ea6cc33 &
4139298, so the only real changes
here, since we don't care about the Debian stuff are
48b090c &
3a610a0
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
d9a37d8d1eb7d117d5aa44924064a4a3b5517ddd)
dnsmasq: bump to v2.80test8
e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading.
0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN.
ee1df06 Tweak strategy for confirming SLAAC addresses.
1e87eba Clarify manpage for --auth-sec-servers
0893347 Make interface spec optional in --auth-server.
7cbf497 Example config file fix for CERT Vulnerability VU#598349.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
30cc5b0bf4f3cdfe950ca7fc380a34c81dd9d7e4)
dnsmasq: add dhcp-ignore-names support - CERT VU#598349
dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for
specific hostnames. Clients claiming certain hostnames and thus
claiming DNS namespace represent a potential security risk. e.g. a
malicious host could claim 'wpad' for itself and redirect other web
client requests to it for nefarious purpose. See CERT VU#598349 for more
details.
Some Samsung TVs are claiming the hostname 'localhost', it is believed
not (yet) for nefarious purposes.
/usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames
in correct syntax to be excluded. e.g.
dhcp-name-match=set:dhcp_bogus_hostname,localhost
Inclusion of this file is controlled by uci option dhcpbogushostname
which is enabled by default.
To be absolutely clear, DHCP leases to these requesting hosts are still
permitted, but they do NOT get to claim ownership of the hostname
itself and hence put into DNS for other hosts to be confused/manipulate by.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
a45f4f50e16cd2d0370a4470c3ede0c6c7754ba9)
dnsmasq: fix compile issue
Fix compile issue in case HAVE_BROKEN_RTC is enabled
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
(cherry picked from commit
39e5e17045aceb2bfbd6b5c6ecfd6cfbce2f3311)
dnsmasq: bump to v2.80rc1
53792c9 fix typo
df07182 Update German translation.
Remove local patch 001-fix-typo which is a backport of the above
53792c9
There is no practical difference between our test8 release and this rc
release, but this does at least say 'release candidate'
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
b8bc672f247a68bc6f72f08f9352cd7aaa5cb9c4)
dnsmasq: fix dnsmasq failure to start when ujail'd
This patch fixes jailed dnsmasq running into the following issue:
|dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory
|dnsmasq[1]: FAILED to start up
|procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash
Fixes: a45f4f50e16 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[bump package release]
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
(cherry picked from commit
583466bb5b374b29b6b7cba6f065e97c4734f742)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_VERSION:=2.80test3
+PKG_VERSION:=2.80
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
-PKG_HASH:=af9f6fd13e0d6c5a68059bcf8634c2784c0533017fd48fbaf59cd2955342d301
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
+PKG_HASH:=cdaba2785e92665cf090646cba6f94812760b9d7d8c8d0cfb07ac819377a63bb
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
TARGET_CFLAGS += -ffunction-sections -fdata-sections
TARGET_LDFLAGS += -Wl,--gc-sections
-COPTS = $(if $(CONFIG_IPV6),,-DNO_IPV6)
+COPTS = -DHAVE_UBUS \
+ $(if $(CONFIG_IPV6),,-DNO_IPV6)
ifeq ($(BUILD_VARIANT),nodhcpv6)
COPTS += -DNO_DHCP6
$(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
$(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
$(INSTALL_DIR) $(1)/usr/share/dnsmasq
+ $(INSTALL_DATA) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
$(INSTALL_DATA) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
$(INSTALL_DIR) $(1)/usr/lib/dnsmasq
$(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh
--- /dev/null
+# dhcpbogushostname.conf included configuration file for dnsmasq
+#
+# includes a list of hostnames that should not be associated with dhcp leases
+# in response to CERT VU#598349
+# file included by default, option dhcpbogushostname 0 to disable
+
+dhcp-name-match=set:dhcp_bogus_hostname,localhost
+dhcp-name-match=set:dhcp_bogus_hostname,wpad
TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
TIMEVALIDFILE="/var/state/dnsmasqsec"
BASEDHCPSTAMPFILE="/var/run/dnsmasq"
+DHCPBOGUSHOSTNAMEFILE="/usr/share/dnsmasq/dhcpbogushostname.conf"
RFC6761FILE="/usr/share/dnsmasq/rfc6761.conf"
DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh"
append_bool "$cfg" localise_queries "--localise-queries"
append_bool "$cfg" readethers "--read-ethers"
append_bool "$cfg" dbus "--enable-dbus"
+ append_bool "$cfg" ubus "--enable-ubus" 1
append_bool "$cfg" expandhosts "--expand-hosts"
config_get tftp_root "$cfg" "tftp_root"
[ -n "$tftp_root" ] && mkdir -p "$tftp_root" && append_bool "$cfg" enable_tftp "--enable-tftp"
ADD_LOCAL_FQDN="$ADD_LOCAL_HOSTNAME"
fi
- config_get_bool readethers "$cfg" readethers
- [ "$readethers" = "1" -a \! -e "/etc/ethers" ] && touch /etc/ethers
-
config_get user_dhcpscript $cfg dhcpscript
if has_handler || [ -n "$user_dhcpscript" ]; then
xappend "--dhcp-script=$DHCPSCRIPT"
config_foreach filter_dnsmasq host dhcp_host_add "$cfg"
echo >> $CONFIGFILE_TMP
+
+ config_get_bool dhcpbogushostname "$cfg" dhcpbogushostname 1
+ [ "$dhcpbogushostname" -gt 0 ] && {
+ xappend "--dhcp-ignore-names=tag:dhcp_bogus_hostname"
+ [ -r "$DHCPBOGUSHOSTNAMEFILE" ] && xappend "--conf-file=$DHCPBOGUSHOSTNAMEFILE"
+ }
+
config_foreach filter_dnsmasq boot dhcp_boot_add "$cfg"
config_foreach filter_dnsmasq mac dhcp_mac_add "$cfg"
config_foreach filter_dnsmasq tag dhcp_tag_add "$cfg"
procd_set_param respawn
procd_add_jail dnsmasq ubus log
- procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT
+ procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT
procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
procd_close_instance
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
-@@ -88,7 +88,7 @@ typedef unsigned long long u64;
+@@ -95,7 +95,7 @@ typedef unsigned long long u64;
#if defined(HAVE_SOLARIS_NETWORK)
# include <sys/sockio.h>
#endif
+++ /dev/null
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -19,6 +19,8 @@
-
- #include "dnsmasq.h"
-
-+#include <libubus.h>
-+
- struct daemon *daemon;
-
- static volatile pid_t pid = 0;
-@@ -32,6 +34,64 @@ static void fatal_event(struct event_des
- static int read_event(int fd, struct event_desc *evp, char **msg);
- static void poll_resolv(int force, int do_reload, time_t now);
-
-+static struct ubus_context *ubus;
-+static struct blob_buf b;
-+
-+static struct ubus_object_type ubus_object_type = {
-+ .name = "dnsmasq",
-+};
-+
-+static struct ubus_object ubus_object = {
-+ .name = "dnsmasq",
-+ .type = &ubus_object_type,
-+};
-+
-+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface)
-+{
-+ if (!ubus || !ubus_object.has_subscribers)
-+ return;
-+
-+ blob_buf_init(&b, 0);
-+ if (mac)
-+ blobmsg_add_string(&b, "mac", mac);
-+ if (ip)
-+ blobmsg_add_string(&b, "ip", ip);
-+ if (name)
-+ blobmsg_add_string(&b, "name", name);
-+ if (interface)
-+ blobmsg_add_string(&b, "interface", interface);
-+ ubus_notify(ubus, &ubus_object, type, b.head, -1);
-+}
-+
-+static void set_ubus_listeners(void)
-+{
-+ if (!ubus)
-+ return;
-+
-+ poll_listen(ubus->sock.fd, POLLIN);
-+ poll_listen(ubus->sock.fd, POLLERR);
-+ poll_listen(ubus->sock.fd, POLLHUP);
-+}
-+
-+static void check_ubus_listeners()
-+{
-+ if (!ubus) {
-+ ubus = ubus_connect(NULL);
-+ if (ubus)
-+ ubus_add_object(ubus, &ubus_object);
-+ else
-+ return;
-+ }
-+
-+ if (poll_check(ubus->sock.fd, POLLIN))
-+ ubus_handle_event(ubus);
-+
-+ if (poll_check(ubus->sock.fd, POLLHUP)) {
-+ ubus_free(ubus);
-+ ubus = NULL;
-+ }
-+}
-+
- int main (int argc, char **argv)
- {
- int bind_fallback = 0;
-@@ -949,6 +1009,7 @@ int main (int argc, char **argv)
- set_dbus_listeners();
- #endif
-
-+ set_ubus_listeners();
- #ifdef HAVE_DHCP
- if (daemon->dhcp || daemon->relay4)
- {
-@@ -1079,6 +1140,8 @@ int main (int argc, char **argv)
- check_dbus_listeners();
- #endif
-
-+ check_ubus_listeners();
-+
- check_dns_listeners(now);
-
- #ifdef HAVE_TFTP
---- a/Makefile
-+++ b/Makefile
-@@ -85,7 +85,7 @@ all : $(BUILDDIR)
- @cd $(BUILDDIR) && $(MAKE) \
- top="$(top)" \
- build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
-- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
-+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) -lubox -lubus" \
- -f $(top)/Makefile dnsmasq
-
- mostly_clean :
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1445,6 +1445,8 @@ void emit_dbus_signal(int action, struct
- # endif
- #endif
-
-+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface);
-+
- /* ipset.c */
- #ifdef HAVE_IPSET
- void ipset_init(void);
---- a/src/rfc2131.c
-+++ b/src/rfc2131.c
-@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void
- daemon->namebuff,
- string ? string : "",
- err ? err : "");
-+ if (!strcmp(type, "DHCPACK"))
-+ ubus_event_bcast("dhcp.ack", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
-+ else if (!strcmp(type, "DHCPRELEASE"))
-+ ubus_event_bcast("dhcp.release", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface);
- }
-
- static void log_options(unsigned char *start, u32 xid)