From 3a9aed24d1db62be8bb8d2c76e6bf208e8403f0c Mon Sep 17 00:00:00 2001 From: Kevin Darbyshire-Bryant Date: Sun, 19 Aug 2018 20:52:00 +0200 Subject: [PATCH] dnsmasq: bump to v2.80 Cherry-picked & squashed from relevant commits from master: dnsmasq v2.80 release Change from rc1: 91421cb Fix compiler warning. Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit 6c4d3d705a0d6e508de94dc49736c250ecdae27c) dnsmasq: remove creation of /etc/ethers Remove creation of file /etc/ethers in dnsmasq init script as the file is now created by default in the base-files package by commit fa3301a28e Signed-off-by: Hans Dedecker (cherry picked from commit 6c227e45cb6a97c61d9fa2ffa35cebee2a048739) dnsmasq: bump to dnsmasq v2.80test5 Refresh patches Remove 240-ubus patch as upstream accepted. Add uci option ubus which allows to enable/disable ubus support (enabled by default) Upstream commits since last bump: da8b651 Implement --address=/example.com/# c5db8f9 Tidy 7f876b64c22b2b18412e2e3d8506ee33e42db7c 974a6d0 Add --caa-record b758b67 Improve logging of RRs from --dns-rr. 9bafdc6 Tidy up file parsing code. 97f876b Properly deal with unaligned addresses in DHCPv6 packets. cbfbd17 Fix broken DNSSEC records in previous. b6f926f Don't return NXDOMAIN to empty non-terminals. c822620 Add --dhcp-name-match 397c050 Handle case of --auth-zone but no --auth-server. 1682d15 Add missing EDNS0 section. EDNS0 section missing in replies to EDNS0-containing queries where answer generated from --local=// dd33e98 Fix crash parsing a --synth-domain with no prefix. Problem introduced in 2.79/6b2b564ac34cb3c862f168e6b1457f9f0b9ca69c c16d966 Add copyright to src/metrics.h 1dfed16 Remove C99 only code. 6f835ed Format fixes - ubus.c 9d6fd17 dnsmasq.c fix OPT_UBUS option usage 8c1b6a5 New metrics and ubus files. 8dcdb33 Add --enable-ubus option. aba8bbb Add collection of metrics caf4d57 Add OpenWRT ubus patch Signed-off-by: Hans Dedecker (cherry picked from commit 3d377f4375c6e4a66c6741bbd2549ad53ef671b3) dnsmasq: bump to dnsmasq 2.80test6 Refresh patches Changes since latest bump: af3bd07 Man page typo. d682099 Picky changes to 47b45b2967c931fed3c89a2e6a8df9f9183a5789 47b45b2 Fix lengths of interface names 2b38e38 Minor improvements in lease-tools 282eab7 Mark die function as never returning c346f61 Handle ANY queries in context of da8b6517decdac593e7ce24bde2824dd841725c8 03212e5 Manpage typo. Signed-off-by: Hans Dedecker (cherry picked from commit 43d4b8e89e68fcab00698ee3b70a58c74813a6a7) dnsmasq: Handle memory allocation failure in make_non_terminals() Backport upstream commit: ea6cc33 Handle memory allocation failure in make_non_terminals() Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit 687168ccd9154b1fb7a470fa8f42ce64a135f51d) dnsmasq: Change behavior when RD bit unset in queries. Backport upstream commit Change anti cache-snooping behaviour with queries with the recursion-desired bit unset. Instead to returning SERVFAIL, we now always forward, and never answer from the cache. This allows "dig +trace" command to work. Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit 6c4cbe94bd940b5c061e27744eb78805764d6b34) dnsmasq: bump to v2.80test7 Bump to latest test release: 3a610a0 Finesse allocation of memory for "struct crec" cache entries. 48b090c Fix b6f926fbefcd2471699599e44f32b8d25b87b471 to not SEGV on startup (rarely). 4139298 Change behavior when RD bit unset in queries. 51cc10f Add warning about 0.0.0.0 and :: addresses to man page. ea6cc33 Handle memory allocation failure in make_non_terminals() ad03967 Add debian/tmpfiles.conf f4fd07d Debian bugfix. e3c08a3 Debian packaging fix. (restorecon) 118011f Debian packaging fix. (tmpfiles.d) Delete our own backports of ea6cc33 & 4139298, so the only real changes here, since we don't care about the Debian stuff are 48b090c & 3a610a0 Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit d9a37d8d1eb7d117d5aa44924064a4a3b5517ddd) dnsmasq: bump to v2.80test8 e1791f3 Fix logging of DNSSEC queries in TCP mode. Destination server address was misleading. 0fdf3c1 Fix dhcp-match-name to match hostname, not complete FQDN. ee1df06 Tweak strategy for confirming SLAAC addresses. 1e87eba Clarify manpage for --auth-sec-servers 0893347 Make interface spec optional in --auth-server. 7cbf497 Example config file fix for CERT Vulnerability VU#598349. Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit 30cc5b0bf4f3cdfe950ca7fc380a34c81dd9d7e4) dnsmasq: add dhcp-ignore-names support - CERT VU#598349 dnsmasq v2.80test8 adds the ability to ignore dhcp client's requests for specific hostnames. Clients claiming certain hostnames and thus claiming DNS namespace represent a potential security risk. e.g. a malicious host could claim 'wpad' for itself and redirect other web client requests to it for nefarious purpose. See CERT VU#598349 for more details. Some Samsung TVs are claiming the hostname 'localhost', it is believed not (yet) for nefarious purposes. /usr/share/dnsmasq/dhcpbogushostname.conf contains a list of hostnames in correct syntax to be excluded. e.g. dhcp-name-match=set:dhcp_bogus_hostname,localhost Inclusion of this file is controlled by uci option dhcpbogushostname which is enabled by default. To be absolutely clear, DHCP leases to these requesting hosts are still permitted, but they do NOT get to claim ownership of the hostname itself and hence put into DNS for other hosts to be confused/manipulate by. Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit a45f4f50e16cd2d0370a4470c3ede0c6c7754ba9) dnsmasq: fix compile issue Fix compile issue in case HAVE_BROKEN_RTC is enabled Signed-off-by: Hans Dedecker (cherry picked from commit 39e5e17045aceb2bfbd6b5c6ecfd6cfbce2f3311) dnsmasq: bump to v2.80rc1 53792c9 fix typo df07182 Update German translation. Remove local patch 001-fix-typo which is a backport of the above 53792c9 There is no practical difference between our test8 release and this rc release, but this does at least say 'release candidate' Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit b8bc672f247a68bc6f72f08f9352cd7aaa5cb9c4) dnsmasq: fix dnsmasq failure to start when ujail'd This patch fixes jailed dnsmasq running into the following issue: |dnsmasq[1]: cannot read /usr/share/dnsmasq/dhcpbogushostname.conf: No such file or directory |dnsmasq[1]: FAILED to start up |procd: Instance dnsmasq::cfg01411c s in a crash loop 6 crashes, 0 seconds since last crash Fixes: a45f4f50e16 ("dnsmasq: add dhcp-ignore-names support - CERT VU#598349") Signed-off-by: Christian Lamparter [bump package release] Signed-off-by: Kevin Darbyshire-Bryant (cherry picked from commit 583466bb5b374b29b6b7cba6f065e97c4734f742) Signed-off-by: Kevin Darbyshire-Bryant --- package/network/services/dnsmasq/Makefile | 10 +- .../dnsmasq/files/dhcpbogushostname.conf | 8 ++ .../services/dnsmasq/files/dnsmasq.init | 14 +- ...0-fix-poll-h-include-warning-on-musl.patch | 2 +- .../services/dnsmasq/patches/240-ubus.patch | 128 ------------------ 5 files changed, 25 insertions(+), 137 deletions(-) create mode 100644 package/network/services/dnsmasq/files/dhcpbogushostname.conf delete mode 100644 package/network/services/dnsmasq/patches/240-ubus.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 7b95d5dccf..5e76579e4b 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_VERSION:=2.80test3 +PKG_VERSION:=2.80 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases -PKG_HASH:=af9f6fd13e0d6c5a68059bcf8634c2784c0533017fd48fbaf59cd2955342d301 +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq +PKG_HASH:=cdaba2785e92665cf090646cba6f94812760b9d7d8c8d0cfb07ac819377a63bb PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING @@ -124,7 +124,8 @@ Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles) TARGET_CFLAGS += -ffunction-sections -fdata-sections TARGET_LDFLAGS += -Wl,--gc-sections -COPTS = $(if $(CONFIG_IPV6),,-DNO_IPV6) +COPTS = -DHAVE_UBUS \ + $(if $(CONFIG_IPV6),,-DNO_IPV6) ifeq ($(BUILD_VARIANT),nodhcpv6) COPTS += -DNO_DHCP6 @@ -165,6 +166,7 @@ define Package/dnsmasq/install $(INSTALL_DIR) $(1)/etc/hotplug.d/tftp $(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec $(INSTALL_DIR) $(1)/usr/share/dnsmasq + $(INSTALL_DATA) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/ $(INSTALL_DATA) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/ $(INSTALL_DIR) $(1)/usr/lib/dnsmasq $(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh diff --git a/package/network/services/dnsmasq/files/dhcpbogushostname.conf b/package/network/services/dnsmasq/files/dhcpbogushostname.conf new file mode 100644 index 0000000000..e83b6975d0 --- /dev/null +++ b/package/network/services/dnsmasq/files/dhcpbogushostname.conf @@ -0,0 +1,8 @@ +# dhcpbogushostname.conf included configuration file for dnsmasq +# +# includes a list of hostnames that should not be associated with dhcp leases +# in response to CERT VU#598349 +# file included by default, option dhcpbogushostname 0 to disable + +dhcp-name-match=set:dhcp_bogus_hostname,localhost +dhcp-name-match=set:dhcp_bogus_hostname,wpad diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index c1ae0934fd..9c922eec6c 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -16,6 +16,7 @@ BASEHOSTFILE="/tmp/hosts/dhcp" TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf" TIMEVALIDFILE="/var/state/dnsmasqsec" BASEDHCPSTAMPFILE="/var/run/dnsmasq" +DHCPBOGUSHOSTNAMEFILE="/usr/share/dnsmasq/dhcpbogushostname.conf" RFC6761FILE="/usr/share/dnsmasq/rfc6761.conf" DHCPSCRIPT="/usr/lib/dnsmasq/dhcp-script.sh" @@ -813,6 +814,7 @@ dnsmasq_start() append_bool "$cfg" localise_queries "--localise-queries" append_bool "$cfg" readethers "--read-ethers" append_bool "$cfg" dbus "--enable-dbus" + append_bool "$cfg" ubus "--enable-ubus" 1 append_bool "$cfg" expandhosts "--expand-hosts" config_get tftp_root "$cfg" "tftp_root" [ -n "$tftp_root" ] && mkdir -p "$tftp_root" && append_bool "$cfg" enable_tftp "--enable-tftp" @@ -869,9 +871,6 @@ dnsmasq_start() ADD_LOCAL_FQDN="$ADD_LOCAL_HOSTNAME" fi - config_get_bool readethers "$cfg" readethers - [ "$readethers" = "1" -a \! -e "/etc/ethers" ] && touch /etc/ethers - config_get user_dhcpscript $cfg dhcpscript if has_handler || [ -n "$user_dhcpscript" ]; then xappend "--dhcp-script=$DHCPSCRIPT" @@ -958,6 +957,13 @@ dnsmasq_start() config_foreach filter_dnsmasq host dhcp_host_add "$cfg" echo >> $CONFIGFILE_TMP + + config_get_bool dhcpbogushostname "$cfg" dhcpbogushostname 1 + [ "$dhcpbogushostname" -gt 0 ] && { + xappend "--dhcp-ignore-names=tag:dhcp_bogus_hostname" + [ -r "$DHCPBOGUSHOSTNAMEFILE" ] && xappend "--conf-file=$DHCPBOGUSHOSTNAMEFILE" + } + config_foreach filter_dnsmasq boot dhcp_boot_add "$cfg" config_foreach filter_dnsmasq mac dhcp_mac_add "$cfg" config_foreach filter_dnsmasq tag dhcp_tag_add "$cfg" @@ -1022,7 +1028,7 @@ dnsmasq_start() procd_set_param respawn procd_add_jail dnsmasq ubus log - procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT + procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE $RFC6761FILE $DHCPBOGUSHOSTNAMEFILE /etc/passwd /etc/group /etc/TZ /dev/null /dev/urandom $dnsmasqconffile $dnsmasqconfdir $resolvfile $user_dhcpscript /etc/hosts /etc/ethers /sbin/hotplug-call $EXTRA_MOUNT $DHCPSCRIPT procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile procd_close_instance diff --git a/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch b/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch index 37b11abc1d..2501079b3f 100644 --- a/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch +++ b/package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch @@ -7,7 +7,7 @@ Signed-off-by: Kevin Darbyshire-Bryant --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -88,7 +88,7 @@ typedef unsigned long long u64; +@@ -95,7 +95,7 @@ typedef unsigned long long u64; #if defined(HAVE_SOLARIS_NETWORK) # include #endif diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch deleted file mode 100644 index 2fa9f48d12..0000000000 --- a/package/network/services/dnsmasq/patches/240-ubus.patch +++ /dev/null @@ -1,128 +0,0 @@ ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -19,6 +19,8 @@ - - #include "dnsmasq.h" - -+#include -+ - struct daemon *daemon; - - static volatile pid_t pid = 0; -@@ -32,6 +34,64 @@ static void fatal_event(struct event_des - static int read_event(int fd, struct event_desc *evp, char **msg); - static void poll_resolv(int force, int do_reload, time_t now); - -+static struct ubus_context *ubus; -+static struct blob_buf b; -+ -+static struct ubus_object_type ubus_object_type = { -+ .name = "dnsmasq", -+}; -+ -+static struct ubus_object ubus_object = { -+ .name = "dnsmasq", -+ .type = &ubus_object_type, -+}; -+ -+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface) -+{ -+ if (!ubus || !ubus_object.has_subscribers) -+ return; -+ -+ blob_buf_init(&b, 0); -+ if (mac) -+ blobmsg_add_string(&b, "mac", mac); -+ if (ip) -+ blobmsg_add_string(&b, "ip", ip); -+ if (name) -+ blobmsg_add_string(&b, "name", name); -+ if (interface) -+ blobmsg_add_string(&b, "interface", interface); -+ ubus_notify(ubus, &ubus_object, type, b.head, -1); -+} -+ -+static void set_ubus_listeners(void) -+{ -+ if (!ubus) -+ return; -+ -+ poll_listen(ubus->sock.fd, POLLIN); -+ poll_listen(ubus->sock.fd, POLLERR); -+ poll_listen(ubus->sock.fd, POLLHUP); -+} -+ -+static void check_ubus_listeners() -+{ -+ if (!ubus) { -+ ubus = ubus_connect(NULL); -+ if (ubus) -+ ubus_add_object(ubus, &ubus_object); -+ else -+ return; -+ } -+ -+ if (poll_check(ubus->sock.fd, POLLIN)) -+ ubus_handle_event(ubus); -+ -+ if (poll_check(ubus->sock.fd, POLLHUP)) { -+ ubus_free(ubus); -+ ubus = NULL; -+ } -+} -+ - int main (int argc, char **argv) - { - int bind_fallback = 0; -@@ -949,6 +1009,7 @@ int main (int argc, char **argv) - set_dbus_listeners(); - #endif - -+ set_ubus_listeners(); - #ifdef HAVE_DHCP - if (daemon->dhcp || daemon->relay4) - { -@@ -1079,6 +1140,8 @@ int main (int argc, char **argv) - check_dbus_listeners(); - #endif - -+ check_ubus_listeners(); -+ - check_dns_listeners(now); - - #ifdef HAVE_TFTP ---- a/Makefile -+++ b/Makefile -@@ -85,7 +85,7 @@ all : $(BUILDDIR) - @cd $(BUILDDIR) && $(MAKE) \ - top="$(top)" \ - build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \ -- build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \ -+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) -lubox -lubus" \ - -f $(top)/Makefile dnsmasq - - mostly_clean : ---- a/src/dnsmasq.h -+++ b/src/dnsmasq.h -@@ -1445,6 +1445,8 @@ void emit_dbus_signal(int action, struct - # endif - #endif - -+void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface); -+ - /* ipset.c */ - #ifdef HAVE_IPSET - void ipset_init(void); ---- a/src/rfc2131.c -+++ b/src/rfc2131.c -@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void - daemon->namebuff, - string ? string : "", - err ? err : ""); -+ if (!strcmp(type, "DHCPACK")) -+ ubus_event_bcast("dhcp.ack", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface); -+ else if (!strcmp(type, "DHCPRELEASE")) -+ ubus_event_bcast("dhcp.release", daemon->namebuff, addr ? inet_ntoa(a) : NULL, string ? string : NULL, interface); - } - - static void log_options(unsigned char *start, u32 xid) -- 2.30.2