include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_UPSTREAM_VERSION:=2.90
-PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
-PKG_RELEASE:=4
+PKG_UPSTREAM_VERSION:=2.91rc4
+PKG_VERSION:=$(subst test,_alpha,$(subst rc,_beta,$(PKG_UPSTREAM_VERSION)))
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
-PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/
-PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4
+PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/release-candidates
+PKG_HASH:=e5e28f86bcf33d31ed315fa49ddcb469b99dae0e66a49aa286086458b39f7a40
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
+++ /dev/null
-From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 19 Feb 2024 12:22:43 +0000
-Subject: Fix spurious "resource limit exceeded" messages.
-
-Replies from upstream with a REFUSED rcode can result in
-log messages stating that a resource limit has been exceeded,
-which is not the case.
-
-Thanks to Dominik Derigs and the Pi-hole project for
-spotting this.
----
- CHANGELOG | 5 +++++
- src/forward.c | 6 +++---
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,3 +1,8 @@
-+version 2.91
-+ Fix spurious "resource limit exceeded messages". Thanks to
-+ Dominik Derigs for the bug report.
-+
-+
- version 2.90
- Fix reversion in --rev-server introduced in 2.88 which
- caused breakage if the prefix length is not exactly divisible
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec
- status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
- !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
- NULL, NULL, NULL, &orig->validate_counter);
-- }
-
-- if (STAT_ISEQUAL(status, STAT_ABANDONED))
-- log_resource = 1;
-+ if (STAT_ISEQUAL(status, STAT_ABANDONED))
-+ log_resource = 1;
-+ }
-
- /* Can't validate, as we're missing key data. Put this
- answer aside, whilst we get that. */
--- /dev/null
+From 717ff6adc34c24fe5aa06cb749765d0bee7061b7 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 10 Feb 2025 12:26:15 +0000
+Subject: [PATCH] Update plen when getting retried query from stash.
+
+They should be equal, but that depends on untrusted data.
+---
+ src/forward.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/forward.c b/src/forward.c
+index c20c557..66b5b92 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -205,6 +205,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
+ may fall through below and forward the query in the packet buffer again and we
+ want to use the same case scrambling as the first time. */
+ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
++ plen = forward->stash_len;
+
+ for (src = &forward->frec_src; src; src = src->next)
+ if (src->orig_id == id &&
+--
+2.39.5
+
+++ /dev/null
-From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001
-From: renmingshuai <renmingshuai@huawei.com>
-Date: Wed, 21 Feb 2024 00:24:25 +0000
-Subject: [PATCH] Fix error introduced in
- 51471cafa5a4fa44d6fe490885d9910bd72a5907
-
-Signed-off-by: renmingshuai <renmingshuai@huawei.com>
----
- src/dnssec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(str
- nsecs[i] = NULL; /* Speculative, will be restored if OK. */
-
- if (!(p = skip_name(nsec3p, header, plen, 15)))
-- return 0; /* bad packet */
-+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
-
- p += 10; /* type, class, TTL, rdlen */
-
-@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(str
- if (!wildname)
- {
- if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
-- return 0;
-+ return DNSSEC_FAIL_NONSEC;
-
- wildcard--;
- *wildcard = '*';
+++ /dev/null
-From 8ce27433f8b2e17c557cb55e4f16941d309deeac Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri, 17 Jan 2025 17:49:29 +0000
-Subject: [PATCH] Handle DS queries to auth zones.
-Origin: upstream, v2.91test8
-
-When dnsmasq is configured to act as an authoritative server and has
-an authoritative zone configured, and recieves a query for
-that zone _as_forwarder_ it answers the query directly rather
-than forwarding it. This doesn't affect the answer, but it
-saves dnsmasq forwarding the query to the recusor upstream,
-whch then bounces it back to dnsmasq in auth mode. The
-exception should be when the query is for the root of zone, for a DS
-RR. The answer to that has to come from the parent, via the
-recursor, and will typically be a proof-of-nonexistence since
-dnsmasq doesn't support signed zones. This patch suppresses
-local answers and forces forwarding to the upstream recursor
-for such queries. It stops breakage when a DNSSEC validating
-client makes queries to dnsmasq acting as forwarder for a zone
-for which it is authoritative.
-
-[ukleinek: drop changes to CHANGELOG to prevent conflicts]
----
- src/forward.c | 52 +++++++++++++++++++++++++++++++++++++--------------
- 1 file changed, 38 insertions(+), 14 deletions(-)
-
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -1744,15 +1744,27 @@ void receive_query(struct listener *list
- #endif
-
- #ifdef HAVE_AUTH
-- /* find queries for zones we're authoritative for, and answer them directly */
-+ /* Find queries for zones we're authoritative for, and answer them directly.
-+ The exception to this is DS queries for the zone route. They
-+ have to come from the parent zone. Since dnsmasq's auth server
-+ can't do DNSSEC, the zone will be unsigned, and anything using
-+ dnsmasq as a forwarder and doing validation will be expecting to
-+ see the proof of non-existence from the parent. */
- if (!auth_dns && !option_bool(OPT_LOCALISE))
- for (zone = daemon->auth_zones; zone; zone = zone->next)
-- if (in_zone(zone, daemon->namebuff, NULL))
-- {
-- auth_dns = 1;
-- local_auth = 1;
-- break;
-- }
-+ {
-+ char *cut;
-+
-+ if (in_zone(zone, daemon->namebuff, &cut))
-+ {
-+ if (type != T_DS || cut)
-+ {
-+ auth_dns = 1;
-+ local_auth = 1;
-+ }
-+ break;
-+ }
-+ }
- #endif
-
- #ifdef HAVE_LOOP
-@@ -2268,15 +2280,27 @@ unsigned char *tcp_request(int confd, ti
- &peer_addr, auth_dns ? "auth" : "query", qtype);
-
- #ifdef HAVE_AUTH
-- /* find queries for zones we're authoritative for, and answer them directly */
-+ /* Find queries for zones we're authoritative for, and answer them directly.
-+ The exception to this is DS queries for the zone route. They
-+ have to come from the parent zone. Since dnsmasq's auth server
-+ can't do DNSSEC, the zone will be unsigned, and anything using
-+ dnsmasq as a forwarder and doing validation will be expecting to
-+ see the proof of non-existence from the parent. */
- if (!auth_dns && !option_bool(OPT_LOCALISE))
- for (zone = daemon->auth_zones; zone; zone = zone->next)
-- if (in_zone(zone, daemon->namebuff, NULL))
-- {
-- auth_dns = 1;
-- local_auth = 1;
-- break;
-- }
-+ {
-+ char *cut;
-+
-+ if (in_zone(zone, daemon->namebuff, &cut))
-+ {
-+ if (qtype != T_DS || cut)
-+ {
-+ auth_dns = 1;
-+ local_auth = 1;
-+ }
-+ break;
-+ }
-+ }
- #endif
- }
- }
src/util.c | 19 ---------------
4 files changed, 5 insertions(+), 87 deletions(-)
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -105,10 +105,6 @@ int main (int argc, char **argv)
+Index: dnsmasq-2.91test9/src/dnsmasq.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/dnsmasq.c
++++ dnsmasq-2.91test9/src/dnsmasq.c
+@@ -107,10 +107,6 @@ int main (int argc, char **argv)
read_opts(argc, argv, compile_opts);
if (daemon->edns_pktsz < PACKETSZ)
daemon->edns_pktsz = PACKETSZ;
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1277,7 +1277,7 @@ extern struct daemon {
+Index: dnsmasq-2.91test9/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.91test9.orig/src/dnsmasq.h
++++ dnsmasq-2.91test9/src/dnsmasq.h
+@@ -1279,7 +1279,7 @@ extern struct daemon {
int inotifyfd;
#endif
#if defined(HAVE_LINUX_NETWORK)
#elif defined(HAVE_BSD_NETWORK)
int dhcp_raw_fd, dhcp_icmp_fd, routefd;
#endif
-@@ -1491,9 +1491,6 @@ int read_write(int fd, unsigned char *pa
+@@ -1492,9 +1492,6 @@ int read_write(int fd, unsigned char *pa
void close_fds(long max_fd, int spare1, int spare2, int spare3);
int wildcard_match(const char* wildcard, const char* match);
int wildcard_matchn(const char* wildcard, const char* match, int num);
/* log.c */
void die(char *message, char *arg1, int exit_code) ATTRIBUTE_NORETURN;
---- a/src/ipset.c
-+++ b/src/ipset.c
+Index: dnsmasq-2.91test9/src/ipset.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/ipset.c
++++ dnsmasq-2.91test9/src/ipset.c
@@ -70,7 +70,7 @@ struct my_nfgenmsg {
#define NL_ALIGN(len) (((len)+3) & ~(3))
if (ret == -1)
my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
---- a/src/util.c
-+++ b/src/util.c
-@@ -866,22 +866,3 @@ int wildcard_matchn(const char* wildcard
+Index: dnsmasq-2.91test9/src/util.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/util.c
++++ dnsmasq-2.91test9/src/util.c
+@@ -901,22 +901,3 @@ int wildcard_matchn(const char* wildcard
return (!num) || (*wildcard == *match);
}
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -2021,6 +2021,10 @@ static void check_dns_listeners(time_t n
- daemon->pipe_to_parent = pipefd[1];
- }
+Index: dnsmasq-2.91test9/src/dnsmasq.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/dnsmasq.c
++++ dnsmasq-2.91test9/src/dnsmasq.c
+@@ -2097,6 +2097,10 @@ static void do_tcp_connection(struct lis
+ daemon->pipe_to_parent = pipefd[1];
+ }
+#ifdef HAVE_UBUS
-+ drop_ubus_listeners();
++ drop_ubus_listeners();
+#endif
+
- /* start with no upstream connections. */
- for (s = daemon->servers; s; s = s->next)
- s->tcpfd = -1;
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1670,14 +1670,26 @@ void emit_dbus_signal(int action, struct
+ /* The connected socket inherits non-blocking
+ attribute from the listening socket.
+ Reset that here. */
+Index: dnsmasq-2.91test9/src/dnsmasq.h
+===================================================================
+--- dnsmasq-2.91test9.orig/src/dnsmasq.h
++++ dnsmasq-2.91test9/src/dnsmasq.h
+@@ -1688,14 +1688,26 @@ void emit_dbus_signal(int action, struct
/* ubus.c */
#ifdef HAVE_UBUS
#endif
/* ipset.c */
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -803,7 +803,7 @@ static size_t process_reply(struct dns_h
+Index: dnsmasq-2.91test9/src/forward.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/forward.c
++++ dnsmasq-2.91test9/src/forward.c
+@@ -735,7 +735,7 @@ static size_t process_reply(struct dns_h
cache_secure = 0;
}
cache_secure = 0;
/* check_for_bogus_wildcard() does it's own caching, so
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
+Index: dnsmasq-2.91test9/src/rfc1035.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/rfc1035.c
++++ dnsmasq-2.91test9/src/rfc1035.c
@@ -13,8 +13,10 @@
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
+#include <libubox/blobmsg.h>
+#endif
- int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
- char *name, int isExtract, int extrabytes)
-@@ -384,10 +386,65 @@ static int private_net6(struct in6_addr
+ /* EXTR_NAME_EXTRACT -> extract name
+ EXTR_NAME_COMPARE -> compare name, case insensitive
+@@ -409,10 +411,65 @@ static int private_net6(struct in6_addr
((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */
}
int done = 0;
if (!(p = skip_questions(header, qlen)))
-@@ -404,7 +461,7 @@ int do_doctor(struct dns_header *header,
+@@ -429,7 +486,7 @@ int do_doctor(struct dns_header *header,
GETSHORT(qtype, p);
GETSHORT(qclass, p);
GETSHORT(rdlen, p);
if (qclass == C_IN && qtype == T_A)
-@@ -415,6 +472,9 @@ int do_doctor(struct dns_header *header,
+@@ -440,6 +497,9 @@ int do_doctor(struct dns_header *header,
if (!CHECK_LEN(header, p, qlen, INADDRSZ))
return done;
/* alignment */
memcpy(&addr.addr4, p, INADDRSZ);
-@@ -444,6 +504,14 @@ int do_doctor(struct dns_header *header,
+@@ -469,6 +529,14 @@ int do_doctor(struct dns_header *header,
break;
}
}
if (!ADD_RDLEN(header, p, qlen, rdlen))
return done; /* bad packet */
---- a/src/ubus.c
-+++ b/src/ubus.c
+Index: dnsmasq-2.91test9/src/ubus.c
+===================================================================
+--- dnsmasq-2.91test9.orig/src/ubus.c
++++ dnsmasq-2.91test9/src/ubus.c
@@ -72,6 +72,13 @@ static struct ubus_object ubus_object =
.subscribe_cb = ubus_subscribe_cb,
};
projects / openwrt / staging / ldir.git / commitdiff