hak5/wifipineapple-openwrt
1
0
Fork 0
mirror of https://github.com/hak5/wifipineapple-openwrt.git synced 2025-10-29 16:57:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

dnsmasq: update to dnsmasq 2.77test1

Browse Source 
Bump to dnsmasq 2.77test1 - this includes a number of fixes since 2.76
and allows dropping of 2 LEDE carried patches.

Notable fix in rrfilter code when talking to Nominum's DNS servers
especially with DNSSEC.

A patch to switch dnsmasq back to 'soft fail' for SERVFAIL responses
from dns servers is also included.  This mean dnsmasq tries all
configured servers before giving up.

A 'localise queries' enhancement has also been backported (it will
appear in test2/rc'n') this is especially important if using the
recently imported to LEDE 'use dnsmasq standalone' feature 9525743c

I have been following dnsmasq HEAD ever since 2.76 release.
Compile & Run tested: ar71xx, Archer C7 v2

Tested-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
This commit is contained in:
Kevin Darbyshire-Bryant
2017-08-31 12:32:32 +02:00
committed by Zoltan HERPAI
parent 84da27181f
commit a1b00385a2
7 changed files with 164 additions and 109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
package/network/services/dnsmasq/Makefile
View File

@@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_VERSION:=2.75
PKG_VERSION:=2.77test1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
PKG_MD5SUM:=887236f1ddde6eb57cdb9d01916c9f72
PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases
PKG_MD5SUM:=1e07d46ed3b9b81fa16ceed7f7e92c87
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING

99
package/network/services/dnsmasq/patches/010-localise-queries-apply-to-interface-names.patch Normal file
View File

@@ -0,0 +1,99 @@
From d42d4706bbcce3b5a40ad778a5a356a997db6b34 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 2 Feb 2017 16:52:06 +0000
Subject: [PATCH] Make --localise-queries apply to names from
--interface-name.
---
CHANGELOG | 7 +++++++
man/dnsmasq.8 | 9 +++++----
src/rfc1035.c | 21 ++++++++++++++++++++-
3 files changed, 32 insertions(+), 5 deletions(-)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -58,6 +58,13 @@ version 2.77
this is Nominum's. Thanks to Dave Täht for spotting the
bug and assisting in the fix.
+ Fix the manpage which lied that only the primary address
+ of an interface is used by --interface-name.
+
+ Make --localise-queries apply to names from --interface-name.
+ Thanks to Kevin Darbyshire-Bryant and Eric Luehrsen
+ for pushing this.
+
version 2.76
Include 0.0.0.0/8 in DNS rebind checks. This range
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -289,8 +289,8 @@ option requires non-standard networking
under Linux. On other platforms it falls-back to --bind-interfaces mode.
.TP
.B \-y, --localise-queries
-Return answers to DNS queries from /etc/hosts which depend on the interface over which the query was
-received. If a name in /etc/hosts has more than one address associated with
+Return answers to DNS queries from /etc/hosts and --interface-name which depend on the interface over which the query was
+received. If a name has more than one address associated with
it, and at least one of those addresses is on the same subnet as the
interface to which the query was sent, then return only the
address(es) on that subnet. This allows for a server to have multiple
@@ -604,7 +604,7 @@ given by the hex data, which may be of t
012345 or any mixture of these.
.TP
.B --interface-name=<name>,<interface>[/4|/6]
-Return a DNS record associating the name with the primary address on
+Return DNS records associating the name with the address(es) of
the given interface. This flag specifies an A or AAAA record for the given
name in the same way as an /etc/hosts line, except that the address is
not constant, but taken from the given interface. The interface may be
@@ -614,7 +614,8 @@ down, not configured or non-existent, an
matching PTR record is also created, mapping the interface address to
the name. More than one name may be associated with an interface
address by repeating the flag; in that case the first instance is used
-for the reverse address-to-name mapping.
+for the reverse address-to-name mapping. Note that a name used in
+--interface-name may not appear in /etc/hosts.
.TP
.B --synth-domain=<domain>,<address range>[,<prefix>]
Create artificial A/AAAA and PTR records for an address range. The
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1516,9 +1516,24 @@ size_t answer_request(struct dns_header
if (intr)
{
struct addrlist *addrlist;
- int gotit = 0;
+ int gotit = 0, localise = 0;
enumerate_interfaces(0);
+
+ /* See if a putative address is on the network from which we recieved
+ the query, is so we'll filter other answers. */
+ if (local_addr.s_addr != 0 && option_bool(OPT_LOCALISE) && type == T_A)
+ for (intr = daemon->int_names; intr; intr = intr->next)
+ if (hostname_isequal(name, intr->name))
+ for (addrlist = intr->addr; addrlist; addrlist = addrlist->next)
+#ifdef HAVE_IPV6
+ if (!(addrlist->flags & ADDRLIST_IPV6))
+#endif
+ if (is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
+ {
+ localise = 1;
+ break;
+ }
for (intr = daemon->int_names; intr; intr = intr->next)
if (hostname_isequal(name, intr->name))
@@ -1528,6 +1543,10 @@ size_t answer_request(struct dns_header
if (((addrlist->flags & ADDRLIST_IPV6) ? T_AAAA : T_A) == type)
#endif
{
+ if (localise &&
+ !is_same_net(*((struct in_addr *)&addrlist->addr), local_addr, local_netmask))
+ continue;
+
#ifdef HAVE_IPV6
if (addrlist->flags & ADDRLIST_REVONLY)
continue;

47
package/network/services/dnsmasq/patches/100-fix-dhcp-no-address-warning.patch
View File

@@ -1,47 +0,0 @@
--- a/src/dhcp.c
+++ b/src/dhcp.c
@@ -146,7 +146,7 @@ void dhcp_packet(time_t now, int pxe_fd)
struct iovec iov;
ssize_t sz;
int iface_index = 0, unicast_dest = 0, is_inform = 0;
- struct in_addr iface_addr;
+ struct in_addr iface_addr, *addrp = NULL;
struct iface_param parm;
#ifdef HAVE_LINUX_NETWORK
struct arpreq arp_req;
@@ -275,11 +275,9 @@ void dhcp_packet(time_t now, int pxe_fd)
{
ifr.ifr_addr.sa_family = AF_INET;
if (ioctl(daemon->dhcpfd, SIOCGIFADDR, &ifr) != -1 )
- iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
- else
{
- my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
- return;
+ addrp = &iface_addr;
+ iface_addr = ((struct sockaddr_in *) &ifr.ifr_addr)->sin_addr;
}
for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
@@ -298,7 +296,7 @@ void dhcp_packet(time_t now, int pxe_fd)
parm.relay_local.s_addr = 0;
parm.ind = iface_index;
- if (!iface_check(AF_INET, (struct all_addr *)&iface_addr, ifr.ifr_name, NULL))
+ if (!iface_check(AF_INET, (struct all_addr *)addrp, ifr.ifr_name, NULL))
{
/* If we failed to match the primary address of the interface, see if we've got a --listen-address
for a secondary */
@@ -318,6 +316,12 @@ void dhcp_packet(time_t now, int pxe_fd)
complete_context(match.addr, iface_index, NULL, match.netmask, match.broadcast, &parm);
}
+ if (!addrp)
+ {
+ my_syslog(MS_DHCP | LOG_WARNING, _("DHCP packet received on %s which has no address"), ifr.ifr_name);
+ return;
+ }
+
if (!iface_enumerate(AF_INET, &parm, complete_context))
return;

69
package/network/services/dnsmasq/patches/110-ipset-remove-old-kernel-support.patch
View File

@@ -44,67 +44,22 @@
(buffer = safe_malloc(BUFF_SZ)) &&
(ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
(bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
@@ -168,62 +149,16 @@ static int new_add_to_ipset(const char *
}
-static int old_add_to_ipset(const char *setname, const struct all_addr *ipaddr, int remove)
-{
- socklen_t size;
- struct ip_set_req_adt_get {
- unsigned op;
- unsigned version;
- union {
- char name[IPSET_MAXNAMELEN];
- uint16_t index;
- } set;
- char typename[IPSET_MAXNAMELEN];
- } req_adt_get;
- struct ip_set_req_adt {
- unsigned op;
- uint16_t index;
- uint32_t ip;
- } req_adt;
-
- if (strlen(setname) >= sizeof(req_adt_get.set.name))
- {
- errno = ENAMETOOLONG;
- return -1;
- }
-
- req_adt_get.op = 0x10;
- req_adt_get.version = 3;
- strcpy(req_adt_get.set.name, setname);
- size = sizeof(req_adt_get);
- if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
- return -1;
- req_adt.op = remove ? 0x102 : 0x101;
- req_adt.index = req_adt_get.set.index;
- req_adt.ip = ntohl(ipaddr->addr.addr4.s_addr);
- if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
- return -1;
-
- return 0;
-}
-
-
-
int add_to_ipset(const char *setname, const struct all_addr *ipaddr, int flags, int remove)
{
int af = AF_INET;
#ifdef HAVE_IPV6
@@ -217,17 +198,10 @@ int add_to_ipset(const char *setname, co
if (flags & F_IPV6)
- {
{
af = AF_INET6;
- /* old method only supports IPv4 */
- if (old_kernel)
- return -1;
- }
- {
- errno = EAFNOSUPPORT ;
- ret = -1;
- }
}
#endif
- return old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
+ return new_add_to_ipset(setname, ipaddr, af, remove);
}
- if (ret != -1)
- ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
+ ret = new_add_to_ipset(setname, ipaddr, af, remove);
#endif
if (ret == -1)
my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));

4
package/network/services/dnsmasq/patches/210-dnssec-improve-timestamp-heuristic.patch
View File

@@ -10,7 +10,7 @@ Signed-off-by: Steven Barth <steven@midlink.org>
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -429,17 +429,24 @@ static time_t timestamp_time;
@@ -462,17 +462,24 @@ static time_t timestamp_time;
int setup_timestamp(void)
{
struct stat statbuf;
@@ -36,7 +36,7 @@ Signed-off-by: Steven Barth <steven@midlink.org>
{
/* time already OK, update timestamp, and do key checking from the start. */
if (utime(daemon->timestamp_file, NULL) == -1)
@@ -460,7 +467,7 @@ int setup_timestamp(void)
@@ -493,7 +500,7 @@ int setup_timestamp(void)
close(fd);

30
package/network/services/dnsmasq/patches/220-try-all-servers-on-fail.patch Normal file
View File

@@ -0,0 +1,30 @@
From 94a8815892f538b334d640012eebcafc2c7fa284 Mon Sep 17 00:00:00 2001
From: Martin Wetterwald <martin.wetterwald@corp.ovh.com>
Date: Thu, 27 Oct 2016 12:17:03 +0200
Subject: [PATCH] Consider SERVFAIL as a non-successful response
Treat Servfail as a recoverable error instead of a hard error.
A misconfigured dns forwarder upstream can return a Servfail faster than
a correctly configured one.
In the case of a dnssec misbehaving, it will misbehave on all correctly
configured upstreams. In the case of a normal DNS query, the original
behavior of dnsmasq here was more robust.
---
src/forward.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/src/forward.c
+++ b/src/forward.c
@@ -853,7 +853,8 @@ void reply_query(int fd, int family, tim
we get a good reply from another server. Kill it when we've
had replies from all to avoid filling the forwarding table when
everything is broken */
- if (forward->forwardall == 0 || --forward->forwardall == 1 || RCODE(header) != REFUSED)
+ if (forward->forwardall == 0 || --forward->forwardall == 1
+ || (RCODE(header) != REFUSED && RCODE(header) != SERVFAIL))
{
int check_rebind = 0, no_cache_dnssec = 0, cache_secure = 0, bogusanswer = 0;

18
package/network/services/dnsmasq/patches/230-fix-poll-h-include-warning-on-musl.patch Normal file
View File

@@ -0,0 +1,18 @@
dnsmasq: fix warning with poll.h include on musl
Warning is:
#warning redirecting incorrect #include <sys/poll.h> to <poll.h>
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -82,7 +82,7 @@ typedef unsigned long long u64;
#if defined(HAVE_SOLARIS_NETWORK)
# include <sys/sockio.h>
#endif
-#include <sys/poll.h>
+#include <poll.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <sys/un.h>