[source] dnsmasq: update to dnsmasq 2.77test1
LEDE Commits
lede-commits at lists.infradead.org
Sun Feb 5 13:26:31 PST 2017
jow pushed a commit to source.git, branch master:
https://git.lede-project.org/3bef96ef18a6fb20401313dfa6e88057d56b16ad
commit 3bef96ef18a6fb20401313dfa6e88057d56b16ad
Author: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
AuthorDate: Thu Feb 2 16:07:03 2017 +0000
dnsmasq: update to dnsmasq 2.77test1
Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76
and allows dropping of 2 LEDE carried patches.
Notable fix in rrfilter code when talking to Nominum's DNS servers
especially with DNSSEC.
A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses
from dns servers is also included. This mean dnsmasq tries all
configured servers before giving up.
A 'localise queries' enhancement has also been backported (it will
appear in test2/rc'n') this is especially important if using the
recently imported to LEDE 'use dnsmasq standalone' feature 9525743c
I have been following dnsmasq HEAD ever since 2.76 release.
Compile & Run tested: ar71xx, Archer C7 v2
Tested-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
---
package/network/services/dnsmasq/Makefile | 8 +-
...localise-queries-apply-to-interface-names.patch | 99 ++++++++++++++
.../patches/100-fix-dhcp-no-address-warning.patch | 47 -------
.../110-ipset-remove-old-kernel-support.patch | 69 ++--------
.../120-dnsmasq-compile-time-option-NO_ID.patch | 149 ---------------------
.../patches/220-try-all-servers-on-fail.patch | 30 +++++
6 files changed, 145 insertions(+), 257 deletions(-)
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index a6689d1..17643a8 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_VERSION:=2.76
-PKG_RELEASE:=8
+PKG_VERSION:=2.77test1
+PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_HASH:=4b92698dee19ca0cb2a8f2e48f1d2dffd01a21eb15d1fbed4cf085630c8c9f96
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
+PKG_HASH:=be89f1ab7b5b85dc31a982e73f9e9b8a65da6b9dfbdef30eede5284a8f832105
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
diff --git a/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch b/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch
new file mode 100644
index 0000000..2a77727
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch
@@ -0,0 +1,99 @@
+From d42d4706bbcce3b5a40ad778a5a356a997db6b34 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon at thekelleys.org.uk>
+Date: Thu, 2 Feb 2017 16:52:06 +0000
+Subject: [PATCH] Make --localise-queries apply to names from
+ --interface-name.
+
+---
+ CHANGELOG | 7 +++++++
+ man/dnsmasq.8 | 9 +++++----
+ src/rfc1035.c | 21 ++++++++++++++++++++-
+ 3 files changed, 32 insertions(+), 5 deletions(-)
+
+--- a/CHANGELOG
++++ b/CHANGELOG
+@@ -58,6 +58,13 @@ version 2.77
+ this is Nominum's. Thanks to Dave Täht for spotting the
+ bug and assisting in the fix.
+
++ Fix the manpage which lied that only the primary address
++ of an interface is used by --interface-name.
++
++ Make --localise-queries apply to names from --interface-name.
++ Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
++ for pushing this.
++
+
+ version 2.76
+ Include 0.0.0.0/8 in DNS rebind checks. This range
+--- a/man/dnsmasq.8
++++ b/man/dnsmasq.8
+@@ -289,8 +289,8 @@ option requires non-standard networking
+ under Linux. On other platforms it falls-back to --bind-interfaces mode.
+ .TP
+ .B \-y, --localise-queries
+-Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
+-received. If a name in /etc/hosts has more than one address associated with
++Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was
++received. If a name has more than one address associated with
+ it, and at least one of those addresses is on the same subnet as the
+ interface to which the query was sent, then return only the
+ address(es) on that subnet. This allows for a server to have multiple
+@@ -604,7 +604,7 @@ given by the hex data, which may be of t
+ 012345 or any mixture of these.
+ .TP
+ .B --interface-name=<name>,<interface>[/4|/6]
+-Return a DNS record associating the name with the primary address on
++Return DNS records associating the name with the address(es) of
+ the given interface. This flag specifies an A or AAAA record for the given
+ name in the same way as an /etc/hosts line, except that the address is
+ not constant, but taken from the given interface. The interface may be
+@@ -614,7 +614,8 @@ down, not configured or non-existent, an
+ matching PTR record is also created, mapping the interface address to
+ the name. More than one name may be associated with an interface
+ address by repeating the flag; in that case the first instance is used
+-for the reverse address-to-name mapping.
++for the reverse address-to-name mapping. Note that a name used in
++--interface-name may not appear in /etc/hosts.
+ .TP
+ .B --synth-domain=<domain>,<address range>[,<prefix>]
+ Create artificial A/AAAA and PTR records for an address range. The
+--- a/src/rfc1035.c
++++ b/src/rfc1035.c
+@@ -1516,9 +1516,24 @@ size_t answer_request(struct dns_header
+ if (intr)
+ {
+ struct addrlist *addrlist;
+- int gotit = 0;
++ int gotit = 0, localise = 0;
+
+ enumerate_interfaces(0);
++
++ /* See if a putative address is on the network from which we recieved
++ the query, is so we'll filter other answers. */
++ if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A)
++ for (intr = daemon->int_names; intr; intr = intr->next)
++ if (hostname_isequal(name, intr->name))
++ for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
++#ifdef HAVE_IPV6
++ if (!(addrlist->flags & ADDRLIST_IPV6))
++#endif
++ if (is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
++ {
++ localise = 1;
++ break;
++ }
+
+ for (intr = daemon->int_names; intr; intr = intr->next)
+ if (hostname_isequal(name, intr->name))
+@@ -1528,6 +1543,10 @@ size_t answer_request(struct dns_header
+ if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
+ #endif
+ {
++ if (localise &&
++ !is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
++ continue;
++
+ #ifdef HAVE_IPV6
+ if (addrlist->flags & ADDRLIST_REVONLY)
+ continue;
diff --git a/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch b/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch
deleted file mode 100644
index 5fc62ff..0000000
--- a/package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch
+++ /dev/null
@@ -1,47 +0,0 @@
---- a/src/dhcp.c
-+++ b/src/dhcp.c
-@@ -147,7 +147,7 @@ void dhcp_packet(time_t now, int pxe_fd)
- ssize_t sz;
- int iface_index = 0, unicast_dest = 0, is_inform = 0;
- int rcvd_iface_index;
-- struct in_addr iface_addr;
-+ struct in_addr iface_addr, *addrp = NULL;
- struct iface_param parm;
- #ifdef HAVE_LINUX_NETWORK
- struct arpreq arp_req;
-@@ -277,11 +277,9 @@ void dhcp_packet(time_t now, int pxe_fd)
- {
- ifr.ifr_addr.sa_family = AF_INET;
- if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
-- iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
-- else
- {
-- my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
-- return;
-+ addrp = &iface_addr;
-+ iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
- }
-
- for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
-@@ -300,7 +298,7 @@ void dhcp_packet(time_t now, int pxe_fd)
- parm.relay_local.s_addr = 0;
- parm.ind = iface_index;
-
-- if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
-+ if (!iface_check(AF_INET, (struct all_addr *)addrp, ifr.ifr_name, NULL))
- {
- /* If we failed to match the primary address of the interface, see if we've got a --listen-address
- for a secondary */
-@@ -320,6 +318,12 @@ void dhcp_packet(time_t now, int pxe_fd)
- complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
- }
-
-+ if (!addrp)
-+ {
-+ my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
-+ return;
-+ }
-+
- if (!iface_enumerate(AF_INET, &parm, complete_context))
- return;
-
diff --git a/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch b/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
index 61b09d5..88e334b 100644
--- a/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
+++ b/package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
@@ -44,67 +44,22 @@
(buffer = safe_malloc(BUFF_SZ)) &&
(ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
(bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
-@@ -168,62 +149,16 @@ static int new_add_to_ipset(const char *
- }
-
-
--static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
--{
-- socklen_t size;
-- struct ip_set_req_adt_get {
-- unsigned op;
-- unsigned version;
-- union {
-- char name[IPSET_MAXNAMELEN];
-- uint16_t index;
-- } set;
-- char typename[IPSET_MAXNAMELEN];
-- } req_adt_get;
-- struct ip_set_req_adt {
-- unsigned op;
-- uint16_t index;
-- uint32_t ip;
-- } req_adt;
--
-- if (strlen(setname) >= sizeof(req_adt_get.set.name))
-- {
-- errno = ENAMETOOLONG;
-- return -1;
-- }
--
-- req_adt_get.op = 0x10;
-- req_adt_get.version = 3;
-- strcpy(req_adt_get.set.name, setname);
-- size = sizeof(req_adt_get);
-- if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
-- return -1;
-- req_adt.op = remove ? 0x102 : 0x101;
-- req_adt.index = req_adt_get.set.index;
-- req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
-- if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
-- return -1;
--
-- return 0;
--}
--
--
--
- int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
- {
- int af = AF_INET;
-
- #ifdef HAVE_IPV6
+@@ -217,17 +198,10 @@ int add_to_ipset(const char *setname, co
if (flags & F_IPV6)
-- {
+ {
af = AF_INET6;
- /* old method only supports IPv4 */
- if (old_kernel)
-- return -1;
-- }
+- {
+- errno = EAFNOSUPPORT ;
+- ret = -1;
+- }
+ }
#endif
-- return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
-+ return new_add_to_ipset(setname, ipaddr, af, remove);
- }
+- if (ret != -1)
+- ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
++ ret = new_add_to_ipset(setname, ipaddr, af, remove);
- #endif
+ if (ret == -1)
+ my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
diff --git a/package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch b/package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch
deleted file mode 100644
index 152d1a7..0000000
--- a/package/network/services/dnsmasq/patches/120-dnsmasq-compile-time-option-NO_ID.patch
+++ /dev/null
@@ -1,149 +0,0 @@
-From f6bea86c78ba9efbd01da3dd2fb18764ec806290 Mon Sep 17 00:00:00 2001
-From: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
-Date: Wed, 7 Sep 2016 09:35:07 +0100
-Subject: [PATCH] dnsmasq: compile time option NO_ID
-
-Some consider it good practice to obscure software version numbers to
-clients. Compiling with -DNO_ID removes the *.bind info structure.
-This includes: version, author, copyright, cachesize, cache insertions,
-evictions, misses & hits, auth & servers.
-
-Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
----
- src/cache.c | 2 ++
- src/config.h | 5 +++++
- src/dnsmasq.h | 4 ++++
- src/option.c | 8 ++++++--
- src/rfc1035.c | 3 ++-
- 5 files changed, 19 insertions(+), 3 deletions(-)
-
---- a/src/cache.c
-+++ b/src/cache.c
-@@ -1290,6 +1290,7 @@ void cache_add_dhcp_entry(char *host_nam
- }
- #endif
-
-+#ifndef NO_ID
- int cache_make_stat(struct txt_record *t)
- {
- static char *buff = NULL;
-@@ -1385,6 +1386,7 @@ int cache_make_stat(struct txt_record *t
- *buff = len;
- return 1;
- }
-+#endif
-
- /* There can be names in the cache containing control chars, don't
- mess up logging or open security holes. */
---- a/src/config.h
-+++ b/src/config.h
-@@ -120,6 +120,8 @@ HAVE_LOOP
- HAVE_INOTIFY
- use the Linux inotify facility to efficiently re-read configuration files.
-
-+NO_ID
-+ Don't report *.bind CHAOS info to clients.
- NO_IPV6
- NO_TFTP
- NO_DHCP
-@@ -434,6 +436,9 @@ static char *compile_opts =
- "no-"
- #endif
- "DNSSEC "
-+#ifdef NO_ID
-+"no-ID "
-+#endif
- #ifndef HAVE_LOOP
- "no-"
- #endif
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -286,6 +286,7 @@ struct naptr {
- struct naptr *next;
- };
-
-+#ifndef NO_ID
- #define TXT_STAT_CACHESIZE 1
- #define TXT_STAT_INSERTS 2
- #define TXT_STAT_EVICTIONS 3
-@@ -293,6 +294,7 @@ struct naptr {
- #define TXT_STAT_HITS 5
- #define TXT_STAT_AUTH 6
- #define TXT_STAT_SERVERS 7
-+#endif
-
- struct txt_record {
- char *name;
-@@ -1078,7 +1080,9 @@ void cache_add_dhcp_entry(char *host_nam
- struct in_addr a_record_from_hosts(char *name, time_t now);
- void cache_unhash_dhcp(void);
- void dump_cache(time_t now);
-+#ifndef NO_ID
- int cache_make_stat(struct txt_record *t);
-+#endif
- char *cache_get_name(struct crec *crecp);
- char *cache_get_cname_target(struct crec *crecp);
- struct crec *cache_enumerate(int init);
---- a/src/option.c
-+++ b/src/option.c
-@@ -657,7 +657,8 @@ static int atoi_check8(char *a, int *res
- return 1;
- }
- #endif
--
-+
-+#ifndef NO_ID
- static void add_txt(char *name, char *txt, int stat)
- {
- struct txt_record *r = opt_malloc(sizeof(struct txt_record));
-@@ -670,13 +671,14 @@ static void add_txt(char *name, char *tx
- *(r->txt) = len;
- memcpy((r->txt)+1, txt, len);
- }
--
-+
- r->stat = stat;
- r->name = opt_string_alloc(name);
- r->next = daemon->txt;
- daemon->txt = r;
- r->class = C_CHAOS;
- }
-+#endif
-
- static void do_usage(void)
- {
-@@ -4515,6 +4517,7 @@ void read_opts(int argc, char **argv, ch
- daemon->soa_expiry = SOA_EXPIRY;
- daemon->max_port = MAX_PORT;
-
-+#ifndef NO_ID
- add_txt("version.bind", "dnsmasq-" VERSION, 0 );
- add_txt("authors.bind", "Simon Kelley", 0);
- add_txt("copyright.bind", COPYRIGHT, 0);
-@@ -4527,6 +4530,7 @@ void read_opts(int argc, char **argv, ch
- add_txt("auth.bind", NULL, TXT_STAT_AUTH);
- #endif
- add_txt("servers.bind", NULL, TXT_STAT_SERVERS);
-+#endif
-
- while (1)
- {
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1264,6 +1264,7 @@ size_t answer_request(struct dns_header
- unsigned long ttl = daemon->local_ttl;
- int ok = 1;
- log_query(F_CONFIG | F_RRNAME, name, NULL, "<TXT>");
-+#ifndef NO_ID
- /* Dynamically generate stat record */
- if (t->stat != 0)
- {
-@@ -1271,7 +1272,7 @@ size_t answer_request(struct dns_header
- if (!cache_make_stat(t))
- ok = 0;
- }
--
-+#endif
- if (ok && add_resource_record(header, limit, &trunc, nameoffset, &ansp,
- ttl, NULL,
- T_TXT, t->class, "t", t->len, t->txt))
diff --git a/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch b/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch
new file mode 100644
index 0000000..501eefe
--- /dev/null
+++ b/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch
@@ -0,0 +1,30 @@
+From 94a8815892f538b334d640012eebcafc2c7fa284 Mon Sep 17 00:00:00 2001
+From: Martin Wetterwald <martin.wetterwald at corp.ovh.com>
+Date: Thu, 27 Oct 2016 12:17:03 +0200
+Subject: [PATCH] Consider SERVFAIL as a non-successful response
+
+Treat Servfail as a recoverable error instead of a hard error.
+
+A misconfigured dns forwarder upstream can return a Servfail faster than
+a correctly configured one.
+
+In the case of a dnssec misbehaving, it will misbehave on all correctly
+configured upstreams. In the case of a normal DNS query, the original
+behavior of dnsmasq here was more robust.
+
+---
+ src/forward.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim
+ we get a good reply from another server. Kill it when we've
+ had replies from all to avoid filling the forwarding table when
+ everything is broken */
+- if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
++ if (forward->forwardall == 0 || --forward->forwardall == 1
++ || (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
+ {
+ int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
+
More information about the lede-commits
mailing list