From 0247314f7d4b0db1ce3db0971201bfd41e496a54 Mon Sep 17 00:00:00 2001 From: Kevin Darbyshire-Bryant Date: Mon, 6 Feb 2017 21:45:41 +0000 Subject: [PATCH] dnsmasq: bump to dnsmasq v2.77test3 New test release (since test1) includes 2 LEDE patches that are upstream and may be dropped, along with many spelling fixes. Add forthcoming 2017 root zone trust anchor to trust-anchors.conf. Backport 2 patches that just missed test3: Reduce logspam of those domains handled locally 'local addresses only' Implement RFC-6842 (Client-ids in DHCP replies) Compile & run tested Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant --- package/network/services/dnsmasq/Makefile | 4 +- ...ise-queries-apply-to-interface-names.patch | 99 ------------- .../dnsmasq/patches/010-reduce-logging.patch | 83 +++++++++++ .../patches/020-implement-RFC6842.patch | 132 ++++++++++++++++++ .../patches/220-try-all-servers-on-fail.patch | 30 ---- 5 files changed, 217 insertions(+), 131 deletions(-) delete mode 100644 package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch create mode 100644 package/network/services/dnsmasq/patches/010-reduce-logging.patch create mode 100644 package/network/services/dnsmasq/patches/020-implement-RFC6842.patch delete mode 100644 package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 17643a8786..c686e8c7da 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile 
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_VERSION:=2.77test1 +PKG_VERSION:=2.77test3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases -PKG_HASH:=be89f1ab7b5b85dc31a982e73f9e9b8a65da6b9dfbdef30eede5284a8f832105 +PKG_HASH:=a5cd2b78048c0b16a9cbd2486430039c7d91b958c395edf3233cd9ae1a9eb8c1 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch b/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch deleted file mode 100644 index 2a77727a24..0000000000 --- a/package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch +++ /dev/null 
@@ -1,99 +0,0 @@ -From d42d4706bbcce3b5a40ad778a5a356a997db6b34 Mon Sep 17 00:00:00 2001 -From: Simon Kelley -Date: Thu, 2 Feb 2017 16:52:06 +0000 -Subject: [PATCH] Make --localise-queries apply to names from - --interface-name. - ---- - CHANGELOG | 7 +++++++ - man/dnsmasq.8 | 9 +++++---- - src/rfc1035.c | 21 ++++++++++++++++++++- - 3 files changed, 32 insertions(+), 5 deletions(-) - ---- a/CHANGELOG -+++ b/CHANGELOG -@@ -58,6 +58,13 @@ version 2.77 - this is Nominum's. Thanks to Dave Täht for spotting the - bug and assisting in the fix. - -+ Fix the manpage which lied that only the primary address -+ of an interface is used by --interface-name. -+ -+ Make --localise-queries apply to names from --interface-name. -+ Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen -+ for pushing this. -+ - - version 2.76 - Include 0.0.0.0/8 in DNS rebind checks. This range ---- a/man/dnsmasq.8 -+++ b/man/dnsmasq.8 -@@ -289,8 +289,8 @@ option requires non-standard networking - under Linux. On other platforms it falls-back to --bind-interfaces mode. - .TP - .B \-y, --localise-queries --Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was --received. If a name in /etc/hosts has more than one address associated with -+Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was -+received. If a name has more than one address associated with - it, and at least one of those addresses is on the same subnet as the - interface to which the query was sent, then return only the - address(es) on that subnet. This allows for a server to have multiple -@@ -604,7 +604,7 @@ given by the hex data, which may be of t - 012345 or any mixture of these. - .TP - .B --interface-name=,[/4|/6] --Return a DNS record associating the name with the primary address on -+Return DNS records associating the name with the address(es) of - the given interface. 
This flag specifies an A or AAAA record for the given - name in the same way as an /etc/hosts line, except that the address is - not constant, but taken from the given interface. The interface may be -@@ -614,7 +614,8 @@ down, not configured or non-existent, an - matching PTR record is also created, mapping the interface address to - the name. More than one name may be associated with an interface - address by repeating the flag; in that case the first instance is used --for the reverse address-to-name mapping. -+for the reverse address-to-name mapping. Note that a name used in -+--interface-name may not appear in /etc/hosts. - .TP - .B --synth-domain=,
[,] - Create artificial A/AAAA and PTR records for an address range. The ---- a/src/rfc1035.c -+++ b/src/rfc1035.c -@@ -1516,9 +1516,24 @@ size_t answer_request(struct dns_header - if (intr) - { - struct addrlist *addrlist; -- int gotit = 0; -+ int gotit = 0, localise = 0; - - enumerate_interfaces(0); -+ -+ /* See if a putative address is on the network from which we recieved -+ the query, is so we'll filter other answers. */ -+ if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A) -+ for (intr = daemon->int_names; intr; intr = intr->next) -+ if (hostname_isequal(name, intr->name)) -+ for (addrlist = intr->addr; addrlist; addrlist = addrlist->next) -+#ifdef HAVE_IPV6 -+ if (!(addrlist->flags & ADDRLIST_IPV6)) -+#endif -+ if (is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask)) -+ { -+ localise = 1; -+ break; -+ } - - for (intr = daemon->int_names; intr; intr = intr->next) - if (hostname_isequal(name, intr->name)) -@@ -1528,6 +1543,10 @@ size_t answer_request(struct dns_header - if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type) - #endif - { -+ if (localise && -+ !is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask)) -+ continue; -+ - #ifdef HAVE_IPV6 - if (addrlist->flags & ADDRLIST_REVONLY) - continue; diff --git a/package/network/services/dnsmasq/patches/010-reduce-logging.patch b/package/network/services/dnsmasq/patches/010-reduce-logging.patch new file mode 100644 index 0000000000..9141a135a4 --- /dev/null +++ b/package/network/services/dnsmasq/patches/010-reduce-logging.patch 
@@ -0,0 +1,83 @@ +From 3e2496fb16fb78cb95fffdac80f967310a34b1fa Mon Sep 17 00:00:00 2001 +From: Hannu Nyman +Date: Sat, 11 Feb 2017 13:44:08 +0000 +Subject: [PATCH] Decrease the number of individual sites listed in log. + +By default 30 first servers are listed individually to system log, and +then a count of the remaining items. With e.g. a NXDOMAIN based adblock +service, dnsmasq lists 30 unnecessary ad sites every time when dnsmasq +evaluates the list. But the actual nameservers in use are evaluated last +and are not displayed as they get included in the "remaining items" total. + +Handle the "local addresses only" separately and list only a few of them. +Remove the "local addresses only" from the general count. +--- + CHANGELOG | 4 ++++ + src/config.h | 1 + + src/network.c | 9 ++++++++- + 3 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/CHANGELOG b/CHANGELOG +index 788aaf9..f7f5125 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -69,6 +69,10 @@ version 2.77 + servers. Specifically, be prepared to open a new TCP + connection when we want to make multiple queries + but the upstream server accepts fewer queries per connection. ++ ++ Improve logging of upstream servers when there are a lot ++ of "local addresses only" entries. Thanks to Hannu Nyman for ++ the patch. 
+ + + version 2.76 +diff --git a/src/config.h b/src/config.h +index be9cf05..cf527b3 100644 +--- a/src/config.h ++++ b/src/config.h +@@ -27,6 +27,7 @@ + #define FORWARD_TEST 50 /* try all servers every 50 queries */ + #define FORWARD_TIME 20 /* or 20 seconds */ + #define SERVERS_LOGGED 30 /* Only log this many servers when logging state */ ++#define LOCALS_LOGGED 8 /* Only log this many local addresses when logging state */ + #define RANDOM_SOCKS 64 /* max simultaneous random ports */ + #define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */ + #define CACHESIZ 150 /* default cache size */ +diff --git a/src/network.c b/src/network.c +index 770558a..eb41624 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -1438,6 +1438,7 @@ void check_servers(void) + struct server *serv; + struct serverfd *sfd, *tmp, **up; + int port = 0, count; ++ int locals = 0; + + /* interface may be new since startup */ + if (!option_bool(OPT_NOWILD)) +@@ -1541,7 +1542,11 @@ void check_servers(void) + s1 = _("domain"), s2 = serv->domain; + + if (serv->flags & SERV_NO_ADDR) +- my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2); ++ { ++ count--; ++ if (++locals <= LOCALS_LOGGED) ++ my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2); ++ } + else if (serv->flags & SERV_USE_RESOLV) + my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2); + else +@@ -1558,6 +1563,8 @@ void check_servers(void) + } + } + ++ if (locals > LOCALS_LOGGED) ++ my_syslog(LOG_INFO, _("using %d more local addresses"), locals - LOCALS_LOGGED); + if (count - 1 > SERVERS_LOGGED) + my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1); + +-- +1.7.10.4 + diff --git a/package/network/services/dnsmasq/patches/020-implement-RFC6842.patch b/package/network/services/dnsmasq/patches/020-implement-RFC6842.patch new file mode 100644 index 0000000000..905e40b8ca --- /dev/null 
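Review bot: The new `count--` inside the `SERV_NO_ADDR` branch of check_servers changes what `count` represents (nameservers excluding local-only domains), and nothing in the hunk says so; the only hint is the separate `locals` tally. Whatever increments `count` earlier in the loop, and any `SERVERS_LOGGED` cut-off that may precede this branch, is outside the hunk, so it cannot be confirmed here that every local-only entry actually reaches this decrement rather than being folded into the "using %d more nameservers" total — worth checking that the two summary lines stay disjoint. I would add above the branch: `/* local-only domains are tallied in 'locals' and removed from 'count' so the two "using %d more ..." summaries never cover the same entry */`. The enclosing check_servers function starts and ends outside the hunk.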
+++ b/package/network/services/dnsmasq/patches/020-implement-RFC6842.patch 
@@ -0,0 +1,132 @@ +From 88a77a78ad27adc3ed87b7ee603643d26cb896ee Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Sat, 11 Feb 2017 17:02:02 +0000 +Subject: [PATCH] Implement RFC-6842 (Client-ids in DHCP replies.) + +--- + CHANGELOG | 5 ++++- + src/rfc2131.c | 33 ++++++++++++++++++++++----------- + 2 files changed, 26 insertions(+), 12 deletions(-) + +diff --git a/CHANGELOG b/CHANGELOG +index f7f5125..a4ee280 100644 +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -74,7 +74,10 @@ version 2.77 + of "local addresses only" entries. Thanks to Hannu Nyman for + the patch. + +- ++ Implement RFC 6842. Thanks to Reddeiah Raju Konduru for ++ pointing out that this was missing. ++ ++ + version 2.76 + Include 0.0.0.0/8 in DNS rebind checks. This range + translates to hosts on the local network, or, at +diff --git a/src/rfc2131.c b/src/rfc2131.c +index 978c8dc..3e97402 100644 +--- a/src/rfc2131.c ++++ b/src/rfc2131.c +@@ -38,7 +38,7 @@ static void log_packet(char *type, void *addr, unsigned char *ext_mac, + static unsigned char *option_find(struct dhcp_packet *mess, size_t size, int opt_type, int minsize); + static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt, int minsize); + static size_t dhcp_packet_size(struct dhcp_packet *mess, unsigned char *agent_id, unsigned char *real_end); +-static void clear_packet(struct dhcp_packet *mess, unsigned char *end); ++static void clear_packet(struct dhcp_packet *mess, unsigned char *end, unsigned int sz); + static int in_list(unsigned char *list, int opt); + static void do_options(struct dhcp_context *context, + struct dhcp_packet *mess, +@@ -611,7 +611,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + now); + lease_set_interface(lease, int_index, now); + +- clear_packet(mess, end); ++ clear_packet(mess, end, 0); + do_options(context, mess, end, NULL, hostname, get_domain(mess->yiaddr), + netid, subnet_addr, 0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0); + } +@@ -814,7 
+814,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + if (!service || !service->basename || !context) + return 0; + +- clear_packet(mess, end); ++ clear_packet(mess, end, sz); + + mess->yiaddr = mess->ciaddr; + mess->ciaddr.s_addr = 0; +@@ -882,7 +882,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + mess->flags |= htons(0x8000); /* broadcast */ + } + +- clear_packet(mess, end); ++ clear_packet(mess, end, sz); + + /* Redirect EFI clients to port 4011 */ + if (pxearch >= 6) +@@ -1062,7 +1062,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + log_packet("DHCPOFFER" , &mess->yiaddr, emac, emac_len, iface_name, NULL, NULL, mess->xid); + + time = calc_time(context, config, option_find(mess, sz, OPTION_LEASE_TIME, 4)); +- clear_packet(mess, end); ++ clear_packet(mess, end, sz); + option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPOFFER); + option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr)); + option_put(mess, end, OPTION_LEASE_TIME, 4, time); +@@ -1245,7 +1245,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + log_packet("DHCPNAK", &mess->yiaddr, emac, emac_len, iface_name, NULL, message, mess->xid); + + mess->yiaddr.s_addr = 0; +- clear_packet(mess, end); ++ clear_packet(mess, end, sz); + option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPNAK); + option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr)); + option_put_string(mess, end, OPTION_MESSAGE, message, borken_opt); +@@ -1401,7 +1401,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + + log_packet("DHCPACK", &mess->yiaddr, emac, emac_len, iface_name, hostname, NULL, mess->xid); + +- clear_packet(mess, end); ++ clear_packet(mess, end, sz); + option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK); + option_put(mess, end, 
OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr)); + option_put(mess, end, OPTION_LEASE_TIME, 4, time); +@@ -1452,7 +1452,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index, + override = lease->override; + } + +- clear_packet(mess, end); ++ clear_packet(mess, end, sz); + option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK); + option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr)); + +@@ -2180,12 +2180,23 @@ static struct dhcp_opt *pxe_opts(int pxe_arch, struct dhcp_netid *netid, struct + + return ret; + } +- +-static void clear_packet(struct dhcp_packet *mess, unsigned char *end) ++ ++static void clear_packet(struct dhcp_packet *mess, unsigned char *end, unsigned int sz) + { ++ unsigned char *opt; ++ unsigned int clid_tot = 0; ++ ++ /* If sz is non-zero, save any client-id option by copying it as the first ++ option in the new packet */ ++ if (sz != 0 && (opt = option_find(mess, sz, OPTION_CLIENT_ID, 1))) ++ { ++ clid_tot = option_len(opt) + 2u; ++ memmove(&mess->options[0] + sizeof(u32), opt, clid_tot); ++ } ++ + memset(mess->sname, 0, sizeof(mess->sname)); + memset(mess->file, 0, sizeof(mess->file)); +- memset(&mess->options[0] + sizeof(u32), 0, end - (&mess->options[0] + sizeof(u32))); ++ memset(&mess->options[0] + sizeof(u32) + clid_tot, 0, end - (&mess->options[0] + sizeof(u32) + clid_tot)); + mess->siaddr.s_addr = 0; + } + +-- +1.7.10.4 + diff --git a/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch b/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch deleted file mode 100644 index 501eefebb5..0000000000 --- a/package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch +++ /dev/null 
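Review bot: The new client-id preservation in clear_packet moves `option_len(opt) + 2u` bytes, a length taken from the received packet, to the head of the options area without a comment on why that cannot run past `end`; the bound rests entirely on `option_find` having validated the option against `sz`, and that dependency should be written down next to the memmove, e.g. `/* opt was located by option_find within sz bytes of mess, so opt + clid_tot <= end; memmove because the option may already overlap the destination */`. The call sites also read inconsistently: most now pass `sz`, but the one near line 611 passes `0`, which by the new code means the client-id is not carried into that reply — if that is intended, a comment such as `/* sz == 0: do not carry the client-id into this reply */` would save the next reader a trip; I cannot tell from the hunk which reply that site builds. The function comment above clear_packet should also state that the preserved option becomes the first option and the zero fill now starts after it, since the later option_put calls presumably locate free space by scanning from the start of the options. The dhcp_reply fragments shown belong to a function that starts and ends outside the hunk.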
@@ -1,30 +0,0 @@ -From 94a8815892f538b334d640012eebcafc2c7fa284 Mon Sep 17 00:00:00 2001 -From: Martin Wetterwald -Date: Thu, 27 Oct 2016 12:17:03 +0200 -Subject: [PATCH] Consider SERVFAIL as a non-successful response - -Treat Servfail as a recoverable error instead of a hard error. - -A misconfigured dns forwarder upstream can return a Servfail faster than -a correctly configured one. - -In the case of a dnssec misbehaving, it will misbehave on all correctly -configured upstreams. In the case of a normal DNS query, the original -behavior of dnsmasq here was more robust. - ---- - src/forward.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - ---- a/src/forward.c -+++ b/src/forward.c -@@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim - we get a good reply from another server. Kill it when we've - had replies from all to avoid filling the forwarding table when - everything is broken */ -- if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED) -+ if (forward->forwardall == 0 || --forward->forwardall == 1 -+ || (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL)) - { - int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0; -