From: Kevin Darbyshire-Bryant Date: Mon, 3 Apr 2023 07:37:26 +0000 (+0100) Subject: dnsmasq: latest version X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=c59852d3da1598482bd1bb6c2269bb3b74a4d015;p=openwrt%2Fstaging%2Fldir.git dnsmasq: latest version Bring released dnsmasq to dnsmasq HEAD, ie. pre-release of next version --- diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 47a5ae54ae..29a254eb8b 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_UPSTREAM_VERSION:=2.90 -PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=4 +PKG_UPSTREAM_VERSION:=2.91rc4 +PKG_VERSION:=$(subst test,_alpha,$(subst rc,_beta,$(PKG_UPSTREAM_VERSION))) +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz -PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/ -PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4 +PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/release-candidates +PKG_HASH:=e5e28f86bcf33d31ed315fa49ddcb469b99dae0e66a49aa286086458b39f7a40 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch b/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch deleted file mode 100644 index f25ee20413..0000000000 --- a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch +++ /dev/null 
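Review bot: The new `PKG_VERSION` line replaces the `~rc`/`~~test` mapping with `_beta`/`_alpha`, but neither a comment nor the commit message says that the version-ordering scheme changed along with the bump. Presumably this targets a package manager that treats `_alpha`/`_beta` as pre-release suffixes. A comment above the line such as `# pre-release mapping: rc -> _beta, test -> _alpha (must sort before the final release)` would record that, and the ordering should be confirmed against the package manager in use so a later 2.91 final is seen as an upgrade. `PKG_SOURCE_URL` now points at the `release-candidates` directory, so it and `PKG_HASH` have to change together when the final tarball is packaged.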
@@ -1,43 +0,0 @@
-From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001
-From: Simon Kelley
-Date: Mon, 19 Feb 2024 12:22:43 +0000
-Subject: Fix spurious "resource limit exceeded" messages.
-
-Replies from upstream with a REFUSED rcode can result in
-log messages stating that a resource limit has been exceeded,
-which is not the case.
-
-Thanks to Dominik Derigs and the Pi-hole project for
-spotting this.
----
- CHANGELOG | 5 +++++
- src/forward.c | 6 +++---
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,3 +1,8 @@
-+version 2.91
-+ Fix spurious "resource limit exceeded messages". Thanks to
-+ Dominik Derigs for the bug report.
-+
-+
- version 2.90
- Fix reversion in --rev-server introduced in 2.88 which
- caused breakage if the prefix length is not exactly divisible
---- a/src/forward.c
-+++ b/src/forward.c
-@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec
- status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
- !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
- NULL, NULL, NULL, &orig->validate_counter);
-- }
-
-- if (STAT_ISEQUAL(status, STAT_ABANDONED))
-- log_resource = 1;
-+ if (STAT_ISEQUAL(status, STAT_ABANDONED))
-+ log_resource = 1;
-+ }
-
- /* Can't validate, as we're missing key data. Put this
- answer aside, whilst we get that. */
diff --git a/package/network/services/dnsmasq/patches/0001-Update-plen-when-getting-retried-query-from-stash.patch b/package/network/services/dnsmasq/patches/0001-Update-plen-when-getting-retried-query-from-stash.patch
new file mode 100644
index 0000000000..59dd9c8756
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/0001-Update-plen-when-getting-retried-query-from-stash.patch
@@ -0,0 +1,25 @@
+From 717ff6adc34c24fe5aa06cb749765d0bee7061b7 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Mon, 10 Feb 2025 12:26:15 +0000
+Subject: [PATCH] Update plen when getting retried query from stash.
+
+They should be equal, but that depends on untrusted data.
+---
+ src/forward.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/forward.c b/src/forward.c
+index c20c557..66b5b92 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -205,6 +205,7 @@ static void forward_query(int udpfd, union mysockaddr *udpaddr,
+ may fall through below and forward the query in the packet buffer again and we
+ want to use the same case scrambling as the first time. */
+ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
++ plen = forward->stash_len;
+
+ for (src = &forward->frec_src; src; src = src->next)
+ if (src->orig_id == id &&
+--
+2.39.5
+
diff --git a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch b/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
deleted file mode 100644
index 5c50ae8446..0000000000
--- a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch
+++ /dev/null
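Review bot: The only explanation for the added `plen = forward->stash_len;` is the patch header ("They should be equal, but that depends on untrusted data"), and the OpenWrt commit message does not say that this bump carries a packet-length fix on top of 2.91rc4. I would name the patch in the commit description together with the upstream commit id 717ff6adc34c24fe5aa06cb749765d0bee7061b7, and note that it is to be dropped once a tarball containing it is packaged. The removed 0003 patch carried an `Origin:` line for exactly that purpose; this new file has none. forward_query starts and ends outside the inner hunk, so whether any later code still relies on the caller-supplied length cannot be checked from here.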
@@ -1,31 +0,0 @@
-From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001
-From: renmingshuai
-Date: Wed, 21 Feb 2024 00:24:25 +0000
-Subject: [PATCH] Fix error introduced in
- 51471cafa5a4fa44d6fe490885d9910bd72a5907
-
-Signed-off-by: renmingshuai
----
- src/dnssec.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(str
- nsecs[i] = NULL; /* Speculative, will be restored if OK. */
-
- if (!(p = skip_name(nsec3p, header, plen, 15)))
-- return 0; /* bad packet */
-+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
-
- p += 10; /* type, class, TTL, rdlen */
-
-@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(str
- if (!wildname)
- {
- if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
-- return 0;
-+ return DNSSEC_FAIL_NONSEC;
-
- wildcard--;
- *wildcard = '*';
diff --git a/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch b/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
deleted file mode 100644
index bd7270c904..0000000000
--- a/package/network/services/dnsmasq/patches/0003-Handle-DS-queries-to-auth-zones.patch
+++ /dev/null
@@ -1,98 +0,0 @@ -From 8ce27433f8b2e17c557cb55e4f16941d309deeac Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Fri, 17 Jan 2025 17:49:29 +0000 -Subject: [PATCH] Handle DS queries to auth zones. -Origin: upstream, v2.91test8 - -When dnsmasq is configured to act as an authoritative server and has -an authoritative zone configured, and recieves a query for -that zone _as_forwarder_ it answers the query directly rather -than forwarding it. This doesn't affect the answer, but it -saves dnsmasq forwarding the query to the recusor upstream, -whch then bounces it back to dnsmasq in auth mode. The -exception should be when the query is for the root of zone, for a DS -RR. The answer to that has to come from the parent, via the -recursor, and will typically be a proof-of-nonexistence since -dnsmasq doesn't support signed zones. This patch suppresses -local answers and forces forwarding to the upstream recursor -for such queries. It stops breakage when a DNSSEC validating -client makes queries to dnsmasq acting as forwarder for a zone -for which it is authoritative. - -[ukleinek: drop changes to CHANGELOG to prevent conflicts] ---- - src/forward.c | 52 +++++++++++++++++++++++++++++++++++++-------------- - 1 file changed, 38 insertions(+), 14 deletions(-) - ---- a/src/forward.c -+++ b/src/forward.c -@@ -1744,15 +1744,27 @@ void receive_query(struct listener *list - #endif - - #ifdef HAVE_AUTH -- /* find queries for zones we're authoritative for, and answer them directly */ -+ /* Find queries for zones we're authoritative for, and answer them directly. -+ The exception to this is DS queries for the zone route. They -+ have to come from the parent zone. Since dnsmasq's auth server -+ can't do DNSSEC, the zone will be unsigned, and anything using -+ dnsmasq as a forwarder and doing validation will be expecting to -+ see the proof of non-existence from the parent. 
*/ - if (!auth_dns && !option_bool(OPT_LOCALISE)) - for (zone = daemon->auth_zones; zone; zone = zone->next) -- if (in_zone(zone, daemon->namebuff, NULL)) -- { -- auth_dns = 1; -- local_auth = 1; -- break; -- } -+ { -+ char *cut; -+ -+ if (in_zone(zone, daemon->namebuff, &cut)) -+ { -+ if (type != T_DS || cut) -+ { -+ auth_dns = 1; -+ local_auth = 1; -+ } -+ break; -+ } -+ } - #endif - - #ifdef HAVE_LOOP -@@ -2268,15 +2280,27 @@ unsigned char *tcp_request(int confd, ti - &peer_addr, auth_dns ? "auth" : "query", qtype); - - #ifdef HAVE_AUTH -- /* find queries for zones we're authoritative for, and answer them directly */ -+ /* Find queries for zones we're authoritative for, and answer them directly. -+ The exception to this is DS queries for the zone route. They -+ have to come from the parent zone. Since dnsmasq's auth server -+ can't do DNSSEC, the zone will be unsigned, and anything using -+ dnsmasq as a forwarder and doing validation will be expecting to -+ see the proof of non-existence from the parent. */ - if (!auth_dns && !option_bool(OPT_LOCALISE)) - for (zone = daemon->auth_zones; zone; zone = zone->next) -- if (in_zone(zone, daemon->namebuff, NULL)) -- { -- auth_dns = 1; -- local_auth = 1; -- break; -- } -+ { -+ char *cut; -+ -+ if (in_zone(zone, daemon->namebuff, &cut)) -+ { -+ if (qtype != T_DS || cut) -+ { -+ auth_dns = 1; -+ local_auth = 1; -+ } -+ break; -+ } -+ } - #endif - } - } diff --git a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch index 26c1b463b9..f85eda2d6e 100644 --- a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch +++ b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch @@ -11,9 +11,11 @@ 
Signed-off-by: Kevin Darbyshire-Bryant src/util.c | 19 --------------- 4 files changed, 5 insertions(+), 87 deletions(-) ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -105,10 +105,6 @@ int main (int argc, char **argv) +Index: dnsmasq-2.91test9/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/dnsmasq.c ++++ dnsmasq-2.91test9/src/dnsmasq.c +@@ -107,10 +107,6 @@ int main (int argc, char **argv) read_opts(argc, argv, compile_opts); @@ -24,9 +26,11 @@ Signed-off-by: Kevin Darbyshire-Bryant if (daemon->edns_pktsz < PACKETSZ) daemon->edns_pktsz = PACKETSZ; ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1277,7 +1277,7 @@ extern struct daemon { +Index: dnsmasq-2.91test9/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.91test9.orig/src/dnsmasq.h ++++ dnsmasq-2.91test9/src/dnsmasq.h +@@ -1279,7 +1279,7 @@ extern struct daemon { int inotifyfd; #endif #if defined(HAVE_LINUX_NETWORK) @@ -35,7 +39,7 @@ Signed-off-by: Kevin Darbyshire-Bryant #elif defined(HAVE_BSD_NETWORK) int dhcp_raw_fd, dhcp_icmp_fd, routefd; #endif -@@ -1491,9 +1491,6 @@ int read_write(int fd, unsigned char *pa +@@ -1492,9 +1492,6 @@ int read_write(int fd, unsigned char *pa void close_fds(long max_fd, int spare1, int spare2, int spare3); int wildcard_match(const char* wildcard, const char* match); int wildcard_matchn(const char* wildcard, const char* match, int num); @@ -45,8 +49,10 @@ Signed-off-by: Kevin Darbyshire-Bryant /* log.c */ void die(char *message, char *arg1, int exit_code) ATTRIBUTE_NORETURN; ---- a/src/ipset.c -+++ b/src/ipset.c +Index: dnsmasq-2.91test9/src/ipset.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/ipset.c ++++ dnsmasq-2.91test9/src/ipset.c @@ -70,7 +70,7 @@ struct my_nfgenmsg { #define NL_ALIGN(len) (((len)+3) & ~(3)) @@ -138,9 +144,11 @@ 
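Review bot: The refreshed headers read `Index: dnsmasq-2.91test9/src/dnsmasq.c` and `--- dnsmasq-2.91test9.orig/src/dnsmasq.c`, while the Makefile in this commit pins `PKG_UPSTREAM_VERSION:=2.91rc4`, so the patch appears to have been refreshed against a different source tree than the one being packaged. The directory name does not affect how the patch applies, but it leaves the line offsets unverified against rc4 and departs from the `--- a/src/...` / `+++ b/src/...` form the file used before. The same headers appear in the dnsmasq.h, ipset.c and util.c sections of this file and throughout 200-ubus_dns.patch. Regenerating both files with `make package/network/services/dnsmasq/refresh` against the rc4 tarball should restore the usual headers and confirm the offsets.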
Signed-off-by: Kevin Darbyshire-Bryant if (ret == -1) my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno)); ---- a/src/util.c -+++ b/src/util.c -@@ -866,22 +866,3 @@ int wildcard_matchn(const char* wildcard +Index: dnsmasq-2.91test9/src/util.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/util.c ++++ dnsmasq-2.91test9/src/util.c +@@ -901,22 +901,3 @@ int wildcard_matchn(const char* wildcard return (!num) || (*wildcard == *match); } diff --git a/package/network/services/dnsmasq/patches/200-ubus_dns.patch b/package/network/services/dnsmasq/patches/200-ubus_dns.patch index 72acbaeba9..1345a8b006 100644 --- a/package/network/services/dnsmasq/patches/200-ubus_dns.patch +++ b/package/network/services/dnsmasq/patches/200-ubus_dns.patch @@ -1,19 +1,23 @@ ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -2021,6 +2021,10 @@ static void check_dns_listeners(time_t n - daemon->pipe_to_parent = pipefd[1]; - } +Index: dnsmasq-2.91test9/src/dnsmasq.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/dnsmasq.c ++++ dnsmasq-2.91test9/src/dnsmasq.c +@@ -2097,6 +2097,10 @@ static void do_tcp_connection(struct lis + daemon->pipe_to_parent = pipefd[1]; + } +#ifdef HAVE_UBUS -+ drop_ubus_listeners(); ++ drop_ubus_listeners(); +#endif + - /* start with no upstream connections. */ - for (s = daemon->servers; s; s = s->next) - s->tcpfd = -1; ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1670,14 +1670,26 @@ void emit_dbus_signal(int action, struct + /* The connected socket inherits non-blocking + attribute from the listening socket. + Reset that here. */ +Index: dnsmasq-2.91test9/src/dnsmasq.h +=================================================================== +--- dnsmasq-2.91test9.orig/src/dnsmasq.h ++++ dnsmasq-2.91test9/src/dnsmasq.h +@@ -1688,14 +1688,26 @@ void emit_dbus_signal(int action, struct /* ubus.c */ #ifdef HAVE_UBUS 
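Review bot: The `drop_ubus_listeners();` call in 200-ubus_dns.patch moves from check_dns_listeners to do_tcp_connection without a comment, and the hunk does not show which process executes it. The preceding context line `daemon->pipe_to_parent = pipefd[1];` suggests it runs in the forked TCP child. If so, a comment such as `/* TCP child: release the ubus listeners inherited from the parent */` would record why the descriptors are dropped here. If this point can also be reached without a fork, the main process would lose its ubus listeners, so the placement is worth confirming against the rc4 source. do_tcp_connection starts and ends outside the hunk.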
@@ -40,9 +44,11 @@ #endif /* ipset.c */ ---- a/src/forward.c -+++ b/src/forward.c -@@ -803,7 +803,7 @@ static size_t process_reply(struct dns_h +Index: dnsmasq-2.91test9/src/forward.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/forward.c ++++ dnsmasq-2.91test9/src/forward.c +@@ -735,7 +735,7 @@ static size_t process_reply(struct dns_h cache_secure = 0; } @@ -51,8 +57,10 @@ cache_secure = 0; /* check_for_bogus_wildcard() does it's own caching, so ---- a/src/rfc1035.c -+++ b/src/rfc1035.c +Index: dnsmasq-2.91test9/src/rfc1035.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/rfc1035.c ++++ dnsmasq-2.91test9/src/rfc1035.c @@ -13,8 +13,10 @@ You should have received a copy of the GNU General Public License along with this program. If not, see . @@ -63,9 +71,9 @@ +#include +#endif - int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, - char *name, int isExtract, int extrabytes) -@@ -384,10 +386,65 @@ static int private_net6(struct in6_addr + /* EXTR_NAME_EXTRACT -> extract name + EXTR_NAME_COMPARE -> compare name, case insensitive +@@ -409,10 +411,65 @@ static int private_net6(struct in6_addr ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */ } @@ -132,7 +140,7 @@ int done = 0; if (!(p = skip_questions(header, qlen))) -@@ -404,7 +461,7 @@ int do_doctor(struct dns_header *header, +@@ -429,7 +486,7 @@ int do_doctor(struct dns_header *header, GETSHORT(qtype, p); GETSHORT(qclass, p); @@ -141,7 +149,7 @@ GETSHORT(rdlen, p); if (qclass == C_IN && qtype == T_A) -@@ -415,6 +472,9 @@ int do_doctor(struct dns_header *header, +@@ -440,6 +497,9 @@ int do_doctor(struct dns_header *header, if (!CHECK_LEN(header, p, qlen, INADDRSZ)) return done; @@ -151,7 +159,7 @@ /* alignment */ memcpy(&addr.addr4, p, INADDRSZ); -@@ -444,6 +504,14 @@ int do_doctor(struct dns_header *header, +@@ -469,6 +529,14 @@ int do_doctor(struct dns_header *header, break; } } 
@@ -166,8 +174,10 @@ if (!ADD_RDLEN(header, p, qlen, rdlen)) return done; /* bad packet */ ---- a/src/ubus.c -+++ b/src/ubus.c +Index: dnsmasq-2.91test9/src/ubus.c +=================================================================== +--- dnsmasq-2.91test9.orig/src/ubus.c ++++ dnsmasq-2.91test9/src/ubus.c @@ -72,6 +72,13 @@ static struct ubus_object ubus_object = .subscribe_cb = ubus_subscribe_cb, };