New test release (since test1) includes 2 LEDE patches that are upstream and may be dropped, along with many spelling fixes. Add forthcoming 2017 root zone trust anchor to trust-anchors.conf. Backport 2 patches that just missed test3: Reduce logspam of those domains handled locally 'local addresses only' Implement RFC-6842 (Client-ids in DHCP replies) Compile & run tested Archer C7 v2 Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>master
Kevin Darbyshire-Bryant
8 years ago
committed by
Hans Dedecker
parent
3ee793f601
commit
0247314f7d
@ -1,99 +0,0 @@ |
||||
From d42d4706bbcce3b5a40ad778a5a356a997db6b34 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Thu, 2 Feb 2017 16:52:06 +0000
|
||||
Subject: [PATCH] Make --localise-queries apply to names from
|
||||
--interface-name.
|
||||
|
||||
---
|
||||
CHANGELOG | 7 +++++++
|
||||
man/dnsmasq.8 | 9 +++++----
|
||||
src/rfc1035.c | 21 ++++++++++++++++++++-
|
||||
3 files changed, 32 insertions(+), 5 deletions(-)
|
||||
|
||||
--- a/CHANGELOG
|
||||
+++ b/CHANGELOG
|
||||
@@ -58,6 +58,13 @@ version 2.77
|
||||
this is Nominum's. Thanks to Dave Täht for spotting the
|
||||
bug and assisting in the fix.
|
||||
|
||||
+ Fix the manpage which lied that only the primary address
|
||||
+ of an interface is used by --interface-name.
|
||||
+
|
||||
+ Make --localise-queries apply to names from --interface-name.
|
||||
+ Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
|
||||
+ for pushing this.
|
||||
+
|
||||
|
||||
version 2.76
|
||||
Include 0.0.0.0/8 in DNS rebind checks. This range
|
||||
--- a/man/dnsmasq.8
|
||||
+++ b/man/dnsmasq.8
|
||||
@@ -289,8 +289,8 @@ option requires non-standard networking
|
||||
under Linux. On other platforms it falls-back to --bind-interfaces mode.
|
||||
.TP
|
||||
.B \-y, --localise-queries
|
||||
-Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
|
||||
-received. If a name in /etc/hosts has more than one address associated with
|
||||
+Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was
|
||||
+received. If a name has more than one address associated with
|
||||
it, and at least one of those addresses is on the same subnet as the
|
||||
interface to which the query was sent, then return only the
|
||||
address(es) on that subnet. This allows for a server to have multiple
|
||||
@@ -604,7 +604,7 @@ given by the hex data, which may be of t
|
||||
012345 or any mixture of these.
|
||||
.TP
|
||||
.B --interface-name=<name>,<interface>[/4|/6]
|
||||
-Return a DNS record associating the name with the primary address on
|
||||
+Return DNS records associating the name with the address(es) of
|
||||
the given interface. This flag specifies an A or AAAA record for the given
|
||||
name in the same way as an /etc/hosts line, except that the address is
|
||||
not constant, but taken from the given interface. The interface may be
|
||||
@@ -614,7 +614,8 @@ down, not configured or non-existent, an
|
||||
matching PTR record is also created, mapping the interface address to
|
||||
the name. More than one name may be associated with an interface
|
||||
address by repeating the flag; in that case the first instance is used
|
||||
-for the reverse address-to-name mapping.
|
||||
+for the reverse address-to-name mapping. Note that a name used in
|
||||
+--interface-name may not appear in /etc/hosts.
|
||||
.TP
|
||||
.B --synth-domain=<domain>,<address range>[,<prefix>]
|
||||
Create artificial A/AAAA and PTR records for an address range. The
|
||||
--- a/src/rfc1035.c
|
||||
+++ b/src/rfc1035.c
|
||||
@@ -1516,9 +1516,24 @@ size_t answer_request(struct dns_header
|
||||
if (intr)
|
||||
{
|
||||
struct addrlist *addrlist;
|
||||
- int gotit = 0;
|
||||
+ int gotit = 0, localise = 0;
|
||||
|
||||
enumerate_interfaces(0);
|
||||
+
|
||||
+ /* See if a putative address is on the network from which we recieved
|
||||
+ the query, is so we'll filter other answers. */
|
||||
+ if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A)
|
||||
+ for (intr = daemon->int_names; intr; intr = intr->next)
|
||||
+ if (hostname_isequal(name, intr->name))
|
||||
+ for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
|
||||
+#ifdef HAVE_IPV6
|
||||
+ if (!(addrlist->flags & ADDRLIST_IPV6))
|
||||
+#endif
|
||||
+ if (is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
|
||||
+ {
|
||||
+ localise = 1;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
for (intr = daemon->int_names; intr; intr = intr->next)
|
||||
if (hostname_isequal(name, intr->name))
|
||||
@@ -1528,6 +1543,10 @@ size_t answer_request(struct dns_header
|
||||
if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
|
||||
#endif
|
||||
{
|
||||
+ if (localise &&
|
||||
+ !is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
|
||||
+ continue;
|
||||
+
|
||||
#ifdef HAVE_IPV6
|
||||
if (addrlist->flags & ADDRLIST_REVONLY)
|
||||
continue;
|
||||
@ -0,0 +1,83 @@ |
||||
From 3e2496fb16fb78cb95fffdac80f967310a34b1fa Mon Sep 17 00:00:00 2001
|
||||
From: Hannu Nyman <hannu.nyman@iki.fi>
|
||||
Date: Sat, 11 Feb 2017 13:44:08 +0000
|
||||
Subject: [PATCH] Decrease the number of individual sites listed in log.
|
||||
|
||||
By default 30 first servers are listed individually to system log, and
|
||||
then a count of the remaining items. With e.g. a NXDOMAIN based adblock
|
||||
service, dnsmasq lists 30 unnecessary ad sites every time when dnsmasq
|
||||
evaluates the list. But the actual nameservers in use are evaluated last
|
||||
and are not displayed as they get included in the "remaining items" total.
|
||||
|
||||
Handle the "local addresses only" separately and list only a few of them.
|
||||
Remove the "local addresses only" from the general count.
|
||||
---
|
||||
CHANGELOG | 4 ++++
|
||||
src/config.h | 1 +
|
||||
src/network.c | 9 ++++++++-
|
||||
3 files changed, 13 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CHANGELOG b/CHANGELOG
|
||||
index 788aaf9..f7f5125 100644
|
||||
--- a/CHANGELOG
|
||||
+++ b/CHANGELOG
|
||||
@@ -69,6 +69,10 @@ version 2.77
|
||||
servers. Specifically, be prepared to open a new TCP
|
||||
connection when we want to make multiple queries
|
||||
but the upstream server accepts fewer queries per connection.
|
||||
+
|
||||
+ Improve logging of upstream servers when there are a lot
|
||||
+ of "local addresses only" entries. Thanks to Hannu Nyman for
|
||||
+ the patch.
|
||||
|
||||
|
||||
version 2.76
|
||||
diff --git a/src/config.h b/src/config.h
|
||||
index be9cf05..cf527b3 100644
|
||||
--- a/src/config.h
|
||||
+++ b/src/config.h
|
||||
@@ -27,6 +27,7 @@
|
||||
#define FORWARD_TEST 50 /* try all servers every 50 queries */
|
||||
#define FORWARD_TIME 20 /* or 20 seconds */
|
||||
#define SERVERS_LOGGED 30 /* Only log this many servers when logging state */
|
||||
+#define LOCALS_LOGGED 8 /* Only log this many local addresses when logging state */
|
||||
#define RANDOM_SOCKS 64 /* max simultaneous random ports */
|
||||
#define LEASE_RETRY 60 /* on error, retry writing leasefile after LEASE_RETRY seconds */
|
||||
#define CACHESIZ 150 /* default cache size */
|
||||
diff --git a/src/network.c b/src/network.c
|
||||
index 770558a..eb41624 100644
|
||||
--- a/src/network.c
|
||||
+++ b/src/network.c
|
||||
@@ -1438,6 +1438,7 @@ void check_servers(void)
|
||||
struct server *serv;
|
||||
struct serverfd *sfd, *tmp, **up;
|
||||
int port = 0, count;
|
||||
+ int locals = 0;
|
||||
|
||||
/* interface may be new since startup */
|
||||
if (!option_bool(OPT_NOWILD))
|
||||
@@ -1541,7 +1542,11 @@ void check_servers(void)
|
||||
s1 = _("domain"), s2 = serv->domain;
|
||||
|
||||
if (serv->flags & SERV_NO_ADDR)
|
||||
- my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2);
|
||||
+ {
|
||||
+ count--;
|
||||
+ if (++locals <= LOCALS_LOGGED)
|
||||
+ my_syslog(LOG_INFO, _("using local addresses only for %s %s"), s1, s2);
|
||||
+ }
|
||||
else if (serv->flags & SERV_USE_RESOLV)
|
||||
my_syslog(LOG_INFO, _("using standard nameservers for %s %s"), s1, s2);
|
||||
else
|
||||
@@ -1558,6 +1563,8 @@ void check_servers(void)
|
||||
}
|
||||
}
|
||||
|
||||
+ if (locals > LOCALS_LOGGED)
|
||||
+ my_syslog(LOG_INFO, _("using %d more local addresses"), locals - LOCALS_LOGGED);
|
||||
if (count - 1 > SERVERS_LOGGED)
|
||||
my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
|
||||
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
@ -0,0 +1,132 @@ |
||||
From 88a77a78ad27adc3ed87b7ee603643d26cb896ee Mon Sep 17 00:00:00 2001
|
||||
From: Simon Kelley <simon@thekelleys.org.uk>
|
||||
Date: Sat, 11 Feb 2017 17:02:02 +0000
|
||||
Subject: [PATCH] Implement RFC-6842 (Client-ids in DHCP replies.)
|
||||
|
||||
---
|
||||
CHANGELOG | 5 ++++-
|
||||
src/rfc2131.c | 33 ++++++++++++++++++++++-----------
|
||||
2 files changed, 26 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/CHANGELOG b/CHANGELOG
|
||||
index f7f5125..a4ee280 100644
|
||||
--- a/CHANGELOG
|
||||
+++ b/CHANGELOG
|
||||
@@ -74,7 +74,10 @@ version 2.77
|
||||
of "local addresses only" entries. Thanks to Hannu Nyman for
|
||||
the patch.
|
||||
|
||||
-
|
||||
+ Implement RFC 6842. Thanks to Reddeiah Raju Konduru for
|
||||
+ pointing out that this was missing.
|
||||
+
|
||||
+
|
||||
version 2.76
|
||||
Include 0.0.0.0/8 in DNS rebind checks. This range
|
||||
translates to hosts on the local network, or, at
|
||||
diff --git a/src/rfc2131.c b/src/rfc2131.c
|
||||
index 978c8dc..3e97402 100644
|
||||
--- a/src/rfc2131.c
|
||||
+++ b/src/rfc2131.c
|
||||
@@ -38,7 +38,7 @@ static void log_packet(char *type, void *addr, unsigned char *ext_mac,
|
||||
static unsigned char *option_find(struct dhcp_packet *mess, size_t size, int opt_type, int minsize);
|
||||
static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt, int minsize);
|
||||
static size_t dhcp_packet_size(struct dhcp_packet *mess, unsigned char *agent_id, unsigned char *real_end);
|
||||
-static void clear_packet(struct dhcp_packet *mess, unsigned char *end);
|
||||
+static void clear_packet(struct dhcp_packet *mess, unsigned char *end, unsigned int sz);
|
||||
static int in_list(unsigned char *list, int opt);
|
||||
static void do_options(struct dhcp_context *context,
|
||||
struct dhcp_packet *mess,
|
||||
@@ -611,7 +611,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
now);
|
||||
lease_set_interface(lease, int_index, now);
|
||||
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, 0);
|
||||
do_options(context, mess, end, NULL, hostname, get_domain(mess->yiaddr),
|
||||
netid, subnet_addr, 0, 0, -1, NULL, vendor_class_len, now, 0xffffffff, 0);
|
||||
}
|
||||
@@ -814,7 +814,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
if (!service || !service->basename || !context)
|
||||
return 0;
|
||||
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, sz);
|
||||
|
||||
mess->yiaddr = mess->ciaddr;
|
||||
mess->ciaddr.s_addr = 0;
|
||||
@@ -882,7 +882,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
mess->flags |= htons(0x8000); /* broadcast */
|
||||
}
|
||||
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, sz);
|
||||
|
||||
/* Redirect EFI clients to port 4011 */
|
||||
if (pxearch >= 6)
|
||||
@@ -1062,7 +1062,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
log_packet("DHCPOFFER" , &mess->yiaddr, emac, emac_len, iface_name, NULL, NULL, mess->xid);
|
||||
|
||||
time = calc_time(context, config, option_find(mess, sz, OPTION_LEASE_TIME, 4));
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, sz);
|
||||
option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPOFFER);
|
||||
option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr));
|
||||
option_put(mess, end, OPTION_LEASE_TIME, 4, time);
|
||||
@@ -1245,7 +1245,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
log_packet("DHCPNAK", &mess->yiaddr, emac, emac_len, iface_name, NULL, message, mess->xid);
|
||||
|
||||
mess->yiaddr.s_addr = 0;
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, sz);
|
||||
option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPNAK);
|
||||
option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr));
|
||||
option_put_string(mess, end, OPTION_MESSAGE, message, borken_opt);
|
||||
@@ -1401,7 +1401,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
|
||||
log_packet("DHCPACK", &mess->yiaddr, emac, emac_len, iface_name, hostname, NULL, mess->xid);
|
||||
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, sz);
|
||||
option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK);
|
||||
option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr));
|
||||
option_put(mess, end, OPTION_LEASE_TIME, 4, time);
|
||||
@@ -1452,7 +1452,7 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
|
||||
override = lease->override;
|
||||
}
|
||||
|
||||
- clear_packet(mess, end);
|
||||
+ clear_packet(mess, end, sz);
|
||||
option_put(mess, end, OPTION_MESSAGE_TYPE, 1, DHCPACK);
|
||||
option_put(mess, end, OPTION_SERVER_IDENTIFIER, INADDRSZ, ntohl(server_id(context, override, fallback).s_addr));
|
||||
|
||||
@@ -2180,12 +2180,23 @@ static struct dhcp_opt *pxe_opts(int pxe_arch, struct dhcp_netid *netid, struct
|
||||
|
||||
return ret;
|
||||
}
|
||||
-
|
||||
-static void clear_packet(struct dhcp_packet *mess, unsigned char *end)
|
||||
+
|
||||
+static void clear_packet(struct dhcp_packet *mess, unsigned char *end, unsigned int sz)
|
||||
{
|
||||
+ unsigned char *opt;
|
||||
+ unsigned int clid_tot = 0;
|
||||
+
|
||||
+ /* If sz is non-zero, save any client-id option by copying it as the first
|
||||
+ option in the new packet */
|
||||
+ if (sz != 0 && (opt = option_find(mess, sz, OPTION_CLIENT_ID, 1)))
|
||||
+ {
|
||||
+ clid_tot = option_len(opt) + 2u;
|
||||
+ memmove(&mess->options[0] + sizeof(u32), opt, clid_tot);
|
||||
+ }
|
||||
+
|
||||
memset(mess->sname, 0, sizeof(mess->sname));
|
||||
memset(mess->file, 0, sizeof(mess->file));
|
||||
- memset(&mess->options[0] + sizeof(u32), 0, end - (&mess->options[0] + sizeof(u32)));
|
||||
+ memset(&mess->options[0] + sizeof(u32) + clid_tot, 0, end - (&mess->options[0] + sizeof(u32) + clid_tot));
|
||||
mess->siaddr.s_addr = 0;
|
||||
}
|
||||
|
||||
--
|
||||
1.7.10.4
|
||||
|
||||
@ -1,30 +0,0 @@ |
||||
From 94a8815892f538b334d640012eebcafc2c7fa284 Mon Sep 17 00:00:00 2001
|
||||
From: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
|
||||
Date: Thu, 27 Oct 2016 12:17:03 +0200
|
||||
Subject: [PATCH] Consider SERVFAIL as a non-successful response
|
||||
|
||||
Treat Servfail as a recoverable error instead of a hard error.
|
||||
|
||||
A misconfigured dns forwarder upstream can return a Servfail faster than
|
||||
a correctly configured one.
|
||||
|
||||
In the case of a dnssec misbehaving, it will misbehave on all correctly
|
||||
configured upstreams. In the case of a normal DNS query, the original
|
||||
behavior of dnsmasq here was more robust.
|
||||
|
||||
---
|
||||
src/forward.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/src/forward.c
|
||||
+++ b/src/forward.c
|
||||
@@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim
|
||||
we get a good reply from another server. Kill it when we've
|
||||
had replies from all to avoid filling the forwarding table when
|
||||
everything is broken */
|
||||
- if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
|
||||
+ if (forward->forwardall == 0 || --forward->forwardall == 1
|
||||
+ || (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
|
||||
{
|
||||
int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;
|
||||
|
||||
Loading…
Reference in new issue