rpms
/
dnsmasq
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

merge into: rpms:i10cs
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta
...
pull from: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i10cs
rpms:cs10
rpms:i8c
rpms:c8
rpms:i9c
rpms:c9
rpms:i8c-beta
rpms:c8-beta
rpms:i9c-beta
rpms:c9-beta

No commits in common. 'i10cs' and 'c9' have entirely different histories.
i10cs ... c9

22 changed files with 3766 additions and 205 deletions
Show Stats

2
.dnsmasq.metadata
Unescape View File

@ -1 +1 @@
864374a3e573d4997753b34290d50072463570c9 SOURCES/dnsmasq-2.90.tar.xz 256ec628587ab2b20bba3fc2773046dab8f2874c SOURCES/dnsmasq-2.85.tar.xz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/dnsmasq-2.90.tar.xz SOURCES/dnsmasq-2.85.tar.xz

42
SOURCES/dnsmasq-2.77-underflow.patch
Unescape View File

@ -1,18 +1,19 @@
From 6fda9cd7cba519a8aa96b43ebc34cb6c46b3bfe7 Mon Sep 17 00:00:00 2001 From 684bede049a006a0a47ce88f017ada9f73bf4430 Mon Sep 17 00:00:00 2001
From: Doran Moppert <dmoppert@redhat.com> From: Doran Moppert <dmoppert@redhat.com>
Date: Tue, 26 Sep 2017 14:48:20 +0930 Date: Tue, 26 Sep 2017 14:48:20 +0930
Subject: [PATCH] google patch hand-applied Subject: [PATCH] google patch hand-applied
--- ---
src/edns0.c | 10 +++++----- src/edns0.c | 10 +++++-----
src/rfc1035.c | 5 ++++- src/forward.c | 4 ++++
2 files changed, 9 insertions(+), 6 deletions(-) src/rfc1035.c | 3 +++
3 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/edns0.c b/src/edns0.c diff --git a/src/edns0.c b/src/edns0.c
index 598478f..72127e5 100644 index d75d3cc..7d8cf7f 100644
--- a/src/edns0.c --- a/src/edns0.c
+++ b/src/edns0.c +++ b/src/edns0.c
@@ -209,11 +209,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l @@ -212,11 +212,11 @@ size_t add_pseudoheader(struct dns_header *header, size_t plen, unsigned char *l
/* Copy back any options */ /* Copy back any options */
if (buff) if (buff)
{ {
@ -29,22 +30,35 @@ index 598478f..72127e5 100644
memcpy(p, buff, rdlen); memcpy(p, buff, rdlen);
free(buff); free(buff);
p += rdlen; p += rdlen;
diff --git a/src/forward.c b/src/forward.c
index ed9c8f6..77059ed 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -1542,6 +1542,10 @@ void receive_query(struct listener *listen, time_t now)
udp_size = PACKETSZ; /* Sanity check - can't reduce below default. RFC 6891 6.2.3 */
}
+ // Make sure the udp size is not smaller than the incoming message so that we
+ // do not underflow
+ if (udp_size < n) udp_size = n;
+
#ifdef HAVE_AUTH
if (auth_dns)
{
diff --git a/src/rfc1035.c b/src/rfc1035.c diff --git a/src/rfc1035.c b/src/rfc1035.c
index 387d894..7fb1468 100644 index f1edc45..15041cc 100644
--- a/src/rfc1035.c --- a/src/rfc1035.c
+++ b/src/rfc1035.c +++ b/src/rfc1035.c
@@ -1581,7 +1581,10 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen, @@ -1326,6 +1326,9 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
size_t len; size_t len;
int rd_bit = (header->hb3 & HB3_RD); int rd_bit = (header->hb3 & HB3_RD);
int count = 255; /* catch loops */
-
+
+ // Make sure we do not underflow here too. + // Make sure we do not underflow here too.
+ if (qlen > (limit - ((char *)header))) return 0; + if (qlen > (limit - ((char *)header))) return 0;
+ +
if (stale) /* never answer queries with RD unset, to avoid cache snooping. */
*stale = 0; if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 ||
-- --
2.43.0 2.21.1

99
SOURCES/dnsmasq-2.79-server-domain-fixup.patch
Unescape View File

@ -0,0 +1,99 @@
From b027daaa8ef168122a712e5e4ec71642964d8f4d Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Mon, 22 Aug 2022 21:59:42 +0200
Subject: [PATCH] Ensure also server_domains_cleanup is called always
Fixes issue in patch dnsmasq-2.79-server-domain-rh1919894.patch.
When /etc/resolv.conf is changed, dnsmasq reloads used servers. But it
does not call cleanup of server domains in this case. It might cause
serv_domain->last_server to become non-null, but pointing released
server. Ensure it is checked before any cleanup_servers() action always
and from all other places, like dbus setting.
Caused unending loop in forward_query function, rhbz#2106361.
---
src/network.c | 49 +++++++++++++++++++++++++------------------------
1 file changed, 25 insertions(+), 24 deletions(-)
diff --git a/src/network.c b/src/network.c
index 1fa81ff..cf2f2e2 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1511,10 +1511,35 @@ void mark_servers(int flag)
}
}
+static void server_domains_cleanup(void)
+{
+ struct server_domain *sd, *tmp, **up;
+
+ /* unlink and free anything still marked. */
+ for (up = &daemon->server_domains, sd=*up; sd; sd = tmp)
+ {
+ tmp = sd->next;
+ if (sd->flags & SERV_MARK)
+ {
+ *up = sd->next;
+ if (sd->domain)
+ free(sd->domain);
+ free(sd);
+ }
+ else {
+ up = &sd->next;
+ if (sd->last_server && (sd->last_server->flags & SERV_MARK))
+ sd->last_server = NULL;
+ }
+ }
+}
+
void cleanup_servers(void)
{
struct server *serv, *tmp, **up;
+ server_domains_cleanup();
+
/* unlink and free anything still marked. */
for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp)
{
@@ -1537,29 +1562,6 @@ void cleanup_servers(void)
#endif
}
-static void server_domains_cleanup(void)
-{
- struct server_domain *sd, *tmp, **up;
-
- /* unlink and free anything still marked. */
- for (up = &daemon->server_domains, sd=*up; sd; sd = tmp)
- {
- tmp = sd->next;
- if (sd->flags & SERV_MARK)
- {
- *up = sd->next;
- if (sd->domain)
- free(sd->domain);
- free(sd);
- }
- else {
- up = &sd->next;
- if (sd->last_server && (sd->last_server->flags & SERV_MARK))
- sd->last_server = NULL;
- }
- }
-}
-
void add_update_server(int flags,
union mysockaddr *addr,
union mysockaddr *source_addr,
@@ -1849,7 +1851,6 @@ void check_servers(void)
up = &sfd->next;
}
- server_domains_cleanup();
cleanup_servers();
}
--
2.37.2

471
SOURCES/dnsmasq-2.79-server-domain-rh1919894.patch
Unescape View File

@ -0,0 +1,471 @@
From 5747d7b3dffdcd45d4410bb380e466818734cb27 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 19 Apr 2021 13:56:23 +0200
Subject: [PATCH] Use load-balancing also for --server=/domains/
Do not (yet) move servers to server_domain structure. Instead use
separate server_domains to store just last_server and requests count and
time.
Introduces domain information duplicity, but minimizes required changes
to daemon->servers usage.
Optimize server domain record
Set pointer to domain record when struct server is created. When
searching for domain pointer, use this pointer to make it quick.
---
src/dnsmasq.h | 18 +++++++--
src/forward.c | 52 ++++++++++++++++----------
src/network.c | 101 ++++++++++++++++++++++++++++++++++++++++++++++----
src/option.c | 5 +++
4 files changed, 146 insertions(+), 30 deletions(-)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1e21005..b6dcc50 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -559,6 +559,17 @@ struct randfd_list {
struct randfd_list *next;
};
+/* contains domain specific set of servers.
+ * If domain is NULL, just normal servers. */
+struct server_domain {
+ char *domain;
+ struct server *last_server;
+ time_t forwardtime;
+ int forwardcount;
+ unsigned int flags; /* server.flags alternative */
+ struct server_domain *next;
+};
+
struct server {
union mysockaddr addr, source_addr;
char interface[IF_NAMESIZE+1];
@@ -571,6 +582,7 @@ struct server {
#ifdef HAVE_LOOP
u32 uid;
#endif
+ struct server_domain *serv_domain;
struct server *next;
};
@@ -1053,6 +1065,7 @@ extern struct daemon {
struct iname *if_names, *if_addrs, *if_except, *dhcp_except, *auth_peers, *tftp_interfaces;
struct bogus_addr *bogus_addr, *ignore_addr;
struct server *servers;
+ struct server_domain *server_domains;
struct ipsets *ipsets;
int log_fac; /* log facility */
char *log_file; /* optional log file */
@@ -1121,9 +1134,6 @@ extern struct daemon {
struct serverfd *sfds;
struct irec *interfaces;
struct listener *listeners;
- struct server *last_server;
- time_t forwardtime;
- int forwardcount;
struct server *srv_save; /* Used for resend on DoD */
size_t packet_len; /* " " */
int fd_save; /* " " */
@@ -1394,6 +1404,8 @@ int label_exception(int index, int family, union all_addr *addr);
int fix_fd(int fd);
int tcp_interface(int fd, int af);
int set_ipv6pktinfo(int fd);
+struct server_domain *server_domain_find_domain(const char *domain);
+struct server_domain *server_domain_new(struct server *serv);
#ifdef HAVE_DHCP6
void join_multicast(int dienow);
#endif
diff --git a/src/forward.c b/src/forward.c
index 9322b6a..b09dc96 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -107,7 +107,8 @@ int send_from(int fd, int nowild, char *packet, size_t len,
}
static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned int qtype,
- char *qdomain, int *type, char **domain, int *norebind)
+ char *qdomain, int *type, char **domain, int *norebind,
+ struct server_domain **serv_domain)
{
/* If the query ends in the domain in one of our servers, set
@@ -120,6 +121,9 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
unsigned int flags = 0;
static union all_addr zero;
+ if (serv_domain)
+ *serv_domain = NULL;
+
for (serv = daemon->servers; serv; serv=serv->next)
if (qtype == F_DNSSECOK && !(serv->flags & SERV_DO_DNSSEC))
continue;
@@ -187,6 +191,8 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
{
*type = serv->flags & (SERV_HAS_DOMAIN | SERV_USE_RESOLV | SERV_NO_REBIND | SERV_DO_DNSSEC);
*domain = serv->domain;
+ if (serv_domain)
+ *serv_domain = serv->serv_domain;
matchlen = domainlen;
if (serv->flags & SERV_NO_ADDR)
flags = F_NXDOMAIN;
@@ -243,6 +249,8 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
*type = 0; /* use normal servers for this domain */
*domain = NULL;
}
+ if (serv_domain && !*serv_domain)
+ *serv_domain = server_domain_find_domain(*domain);
return flags;
}
@@ -304,6 +312,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
unsigned int flags = 0;
unsigned int fwd_flags = 0;
struct server *start = NULL;
+ struct server_domain *sd = NULL;
void *hash = hash_questions(header, plen, daemon->namebuff);
#ifdef HAVE_DNSSEC
int do_dnssec = 0;
@@ -422,8 +431,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
forward->sentto->failed_queries++;
if (!option_bool(OPT_ORDER) && old_src)
{
+ sd = forward->sentto->serv_domain;
forward->forwardall = 1;
- daemon->last_server = NULL;
+ if (sd)
+ sd->last_server = NULL;
}
type = forward->sentto->flags & SERV_TYPE;
#ifdef HAVE_DNSSEC
@@ -439,8 +450,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
/* new query */
if (gotname)
- flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
-
+ flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind, &sd);
+
#ifdef HAVE_DNSSEC
do_dnssec = type & SERV_DO_DNSSEC;
#endif
@@ -482,18 +493,18 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
always try all the available servers,
otherwise, use the one last known to work. */
- if (type == 0)
+ if (sd)
{
if (option_bool(OPT_ORDER))
start = daemon->servers;
- else if (!(start = daemon->last_server) ||
- daemon->forwardcount++ > FORWARD_TEST ||
- difftime(now, daemon->forwardtime) > FORWARD_TIME)
+ else if (!(start = sd->last_server) ||
+ sd->forwardcount++ > FORWARD_TEST ||
+ difftime(now, sd->forwardtime) > FORWARD_TIME)
{
start = daemon->servers;
forward->forwardall = 1;
- daemon->forwardcount = 0;
- daemon->forwardtime = now;
+ sd->forwardcount = 0;
+ sd->forwardtime = now;
}
}
else
@@ -844,6 +855,7 @@ void reply_query(int fd, time_t now)
size_t nn;
struct server *server;
void *hash;
+ struct server_domain *sd;
/* packet buffer overwritten */
daemon->srv_save = NULL;
@@ -968,7 +980,8 @@ void reply_query(int fd, time_t now)
}
server = forward->sentto;
- if ((forward->sentto->flags & SERV_TYPE) == 0)
+ sd = server->serv_domain;
+ if (sd)
{
if (RCODE(header) == REFUSED)
server = NULL;
@@ -986,7 +999,7 @@ void reply_query(int fd, time_t now)
}
}
if (!option_bool(OPT_ALL_SERVERS))
- daemon->last_server = server;
+ sd->last_server = server;
}
/* We tried resending to this server with a smaller maximum size and got an answer.
@@ -1093,7 +1106,7 @@ void reply_query(int fd, time_t now)
/* Find server to forward to. This will normally be the
same as for the original query, but may be another if
servers for domains are involved. */
- if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL) == 0)
+ if (search_servers(now, NULL, F_DNSSECOK, daemon->keyname, &type, &domain, NULL, &sd) == 0)
{
struct server *start, *new_server = NULL;
start = server = forward->sentto;
@@ -1664,7 +1677,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
/* Find server to forward to. This will normally be the
same as for the original query, but may be another if
servers for domains are involved. */
- if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL) != 0)
+ if (search_servers(now, NULL, F_DNSSECOK, keyname, &type, &domain, NULL, NULL) != 0)
{
new_status = STAT_ABANDONED;
break;
@@ -1944,12 +1957,13 @@ unsigned char *tcp_request(int confd, time_t now,
union all_addr *addrp = NULL;
int type = SERV_DO_DNSSEC;
char *domain = NULL;
+ struct server_domain *sd = NULL;
unsigned char *oph = find_pseudoheader(header, size, NULL, NULL, NULL, NULL);
size = add_edns0_config(header, size, ((unsigned char *) header) + 65536, &peer_addr, now, &check_subnet, &cacheable);
if (gotname)
- flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind);
+ flags = search_servers(now, &addrp, gotname, daemon->namebuff, &type, &domain, &norebind, &sd);
#ifdef HAVE_DNSSEC
if (option_bool(OPT_DNSSEC_VALID) && (type & SERV_DO_DNSSEC))
@@ -1970,10 +1984,10 @@ unsigned char *tcp_request(int confd, time_t now,
type &= ~SERV_DO_DNSSEC;
- if (type != 0 || option_bool(OPT_ORDER) || !daemon->last_server)
+ if (!sd || option_bool(OPT_ORDER) || !sd->last_server)
last_server = daemon->servers;
else
- last_server = daemon->last_server;
+ last_server = sd->last_server;
if (!flags && last_server)
{
@@ -2567,9 +2581,7 @@ void server_gone(struct server *server)
if (daemon->randomsocks[i].refcount != 0 && daemon->randomsocks[i].serv == server)
daemon->randomsocks[i].serv = NULL;
- if (daemon->last_server == server)
- daemon->last_server = NULL;
-
+ /* last_server cleared by server_domains_cleanup */
if (daemon->srv_save == server)
daemon->srv_save = NULL;
}
diff --git a/src/network.c b/src/network.c
index 3600250..1fa81ff 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1537,6 +1537,29 @@ void cleanup_servers(void)
#endif
}
+static void server_domains_cleanup(void)
+{
+ struct server_domain *sd, *tmp, **up;
+
+ /* unlink and free anything still marked. */
+ for (up = &daemon->server_domains, sd=*up; sd; sd = tmp)
+ {
+ tmp = sd->next;
+ if (sd->flags & SERV_MARK)
+ {
+ *up = sd->next;
+ if (sd->domain)
+ free(sd->domain);
+ free(sd);
+ }
+ else {
+ up = &sd->next;
+ if (sd->last_server && (sd->last_server->flags & SERV_MARK))
+ sd->last_server = NULL;
+ }
+ }
+}
+
void add_update_server(int flags,
union mysockaddr *addr,
union mysockaddr *source_addr,
@@ -1616,10 +1639,72 @@ void add_update_server(int flags,
}
}
+static const char *server_get_domain(const struct server *serv)
+{
+ const char *domain = serv->domain;
+
+ if (serv->flags & SERV_HAS_DOMAIN)
+ /* .example.com is valid */
+ while (*domain == '.')
+ domain++;
+
+ return domain;
+}
+
+struct server_domain *server_domain_find_domain(const char *domain)
+{
+ struct server_domain *sd;
+ for (sd = daemon->server_domains; sd; sd = sd->next)
+ if ((!domain && sd->domain == domain) || (domain && sd->domain && hostname_isequal(domain, sd->domain)))
+ return sd;
+ return NULL;
+}
+
+/**< Test structure has already set domain pointer.
+ *
+ * If not, create a new record. */
+struct server_domain *server_domain_new(struct server *serv)
+{
+ struct server_domain *sd;
+
+ if ((sd = whine_malloc(sizeof(struct server_domain))))
+ {
+ const char *domain = server_get_domain(serv);
+
+ /* Ensure all serv->domain values have own record in server_domain.
+ * Add a new record. */
+ if (domain)
+ {
+ size_t len = strlen(domain)+1;
+ sd->domain = whine_malloc(len);
+ if (sd->domain)
+ memcpy(sd->domain, domain, len);
+ }
+ sd->next = daemon->server_domains;
+ serv->serv_domain = sd;
+ daemon->server_domains = sd;
+ }
+ return sd;
+}
+
+/**< Test structure has already set domain pointer.
+ *
+ * If not, create a new record. */
+static void server_domain_check(struct server *serv)
+{
+ struct server_domain *sd = serv->serv_domain;
+
+ if (sd)
+ sd->flags &= (~SERV_MARK); /* found domain, mark active */
+ else
+ server_domain_new(serv);
+}
+
void check_servers(void)
{
struct irec *iface;
struct server *serv;
+ struct server_domain *sd;
struct serverfd *sfd, *tmp, **up;
int port = 0, count;
int locals = 0;
@@ -1632,10 +1717,14 @@ void check_servers(void)
for (sfd = daemon->sfds; sfd; sfd = sfd->next)
sfd->used = sfd->preallocated;
+ for (sd = daemon->server_domains; sd; sd = sd->next)
+ sd->flags |= SERV_MARK;
+
for (count = 0, serv = daemon->servers; serv; serv = serv->next)
{
if (!(serv->flags & (SERV_LITERAL_ADDRESS | SERV_NO_ADDR | SERV_USE_RESOLV | SERV_NO_REBIND)))
{
+
/* Init edns_pktsz for newly created server records. */
if (serv->edns_pktsz == 0)
serv->edns_pktsz = daemon->edns_pktsz;
@@ -1651,12 +1740,8 @@ void check_servers(void)
if (serv->flags & SERV_HAS_DOMAIN)
{
struct ds_config *ds;
- char *domain = serv->domain;
-
- /* .example.com is valid */
- while (*domain == '.')
- domain++;
-
+ const char *domain = server_get_domain(serv);
+
for (ds = daemon->ds; ds; ds = ds->next)
if (ds->name[0] != 0 && hostname_isequal(domain, ds->name))
break;
@@ -1666,7 +1751,6 @@ void check_servers(void)
}
}
#endif
-
port = prettyprint_addr(&serv->addr, daemon->namebuff);
/* 0.0.0.0 is nothing, the stack treats it like 127.0.0.1 */
@@ -1701,6 +1785,8 @@ void check_servers(void)
if (serv->sfd)
serv->sfd->used = 1;
+
+ server_domain_check(serv);
}
if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
@@ -1763,6 +1849,7 @@ void check_servers(void)
up = &sfd->next;
}
+ server_domains_cleanup();
cleanup_servers();
}
diff --git a/src/option.c b/src/option.c
index 6de5914..e4e3182 100644
--- a/src/option.c
+++ b/src/option.c
@@ -928,6 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
p += sprintf(p, "in-addr.arpa");
serv->flags = SERV_HAS_DOMAIN;
+ server_domain_new(serv);
serv->next = daemon->servers;
daemon->servers = serv;
@@ -952,6 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
p += sprintf(p, "ip6.arpa");
serv->flags = SERV_HAS_DOMAIN;
+ server_domain_new(serv);
serv->next = daemon->servers;
daemon->servers = serv;
@@ -2292,6 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
memset(serv, 0, sizeof(struct server));
serv->domain = d;
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
+ server_domain_new(serv);
serv->next = daemon->servers;
daemon->servers = serv;
}
@@ -2335,6 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
memset(serv, 0, sizeof(struct server));
serv->domain = d;
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
+ server_domain_new(serv);
serv->next = daemon->servers;
daemon->servers = serv;
}
@@ -2587,6 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
newlist = serv;
serv->domain = domain;
serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
+ server_domain_new(serv);
arg = end;
if (rebind)
break;
--
2.34.1

39
SOURCES/dnsmasq-2.81-configuration.patch
Unescape View File

@ -1,4 +1,4 @@
From cba77f08dbded8af45de2ee985200b12de7c8d13 Mon Sep 17 00:00:00 2001 From 3a593d133f91c5126105efd03246b3f61f103dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com> From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Tue, 30 Jun 2020 18:06:29 +0200 Date: Tue, 30 Jun 2020 18:06:29 +0200
Subject: [PATCH] Modify upstream configuration to safe defaults Subject: [PATCH] Modify upstream configuration to safe defaults
@ -7,11 +7,11 @@ Most important change would be to listen only on localhost. Default
configuration should not listen to request from remote hosts. Match also configuration should not listen to request from remote hosts. Match also
user and paths to directories shipped in Fedora. user and paths to directories shipped in Fedora.
--- ---
dnsmasq.conf.example | 28 ++++++++++++++++++++++++---- dnsmasq.conf.example | 24 +++++++++++++++++++-----
1 file changed, 24 insertions(+), 4 deletions(-) 1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example
index 0cbf572..6c47c3c 100644 index bf19424..36fba33 100644
--- a/dnsmasq.conf.example --- a/dnsmasq.conf.example
+++ b/dnsmasq.conf.example +++ b/dnsmasq.conf.example
@@ -22,7 +22,7 @@ @@ -22,7 +22,7 @@
@ -23,7 +23,7 @@ index 0cbf572..6c47c3c 100644
#dnssec #dnssec
# Replies which are not DNSSEC signed may be legitimate, because the domain # Replies which are not DNSSEC signed may be legitimate, because the domain
@@ -106,8 +106,8 @@ @@ -96,14 +96,16 @@
# If you want dnsmasq to change uid and gid to something other # If you want dnsmasq to change uid and gid to something other
# than the default, edit the following lines. # than the default, edit the following lines.
@ -34,38 +34,39 @@ index 0cbf572..6c47c3c 100644
# If you want dnsmasq to listen for DHCP and DNS requests only on # If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the # specified interfaces (and the loopback) give the name of the
@@ -124,6 +124,14 @@ # interface (eg eth0) here.
# Repeat the line for more than one interface.
#interface=
+# Listen only on localhost by default
+interface=lo
# Or you can specify which interface _not_ to listen on
#except-interface=
# Or which to listen on by address (remember to include 127.0.0.1 if
@@ -114,6 +116,10 @@
# disable DHCP and TFTP on it. # disable DHCP and TFTP on it.
#no-dhcp-interface= #no-dhcp-interface=
+# Serve DNS and DHCP only to networks directly connected to this machine. +# Serve DNS and DHCP only to networks directly connected to this machine.
+# Any interface= line will override it. +# Any interface= line will override it.
+#local-service +#local-service
+# Accept queries in default configuration only from localhost
+# Comment out following option or explicitly configure interfaces or
+# listen-address
+local-service=host
+ +
# On systems which support it, dnsmasq binds the wildcard address, # On systems which support it, dnsmasq binds the wildcard address,
# even when it is listening on only some interfaces. It then discards # even when it is listening on only some interfaces. It then discards
# requests that it shouldn't reply to. This has the advantage of # requests that it shouldn't reply to. This has the advantage of
@@ -131,7 +139,15 @@ @@ -121,7 +127,11 @@
# want dnsmasq to really bind only the interfaces it is listening on, # want dnsmasq to really bind only the interfaces it is listening on,
# uncomment this option. About the only time you may need this is when # uncomment this option. About the only time you may need this is when
# running another nameserver on the same machine. # running another nameserver on the same machine.
-#bind-interfaces
+# +#
+# To listen only on localhost and do not receive packets on other +# To listen only on localhost and do not receive packets on other
+# interfaces, bind only to lo device. Comment out to bind on single +# interfaces, bind only to lo device. Comment out to bind on single
+# wildcard socket. +# wildcard socket.
#bind-interfaces +bind-interfaces
+# Comment out above line and uncoment following 2 lines.
+# Update interface name, use ip link to get its name.
+#bind-dynamic
+#interface=eno1
# If you don't want dnsmasq to read /etc/hosts, uncomment the # If you don't want dnsmasq to read /etc/hosts, uncomment the
# following line. # following line.
@@ -545,7 +561,7 @@ @@ -535,7 +545,7 @@
# The DHCP server needs somewhere on disk to keep its lease database. # The DHCP server needs somewhere on disk to keep its lease database.
# This defaults to a sane location, but if you want to change it, use # This defaults to a sane location, but if you want to change it, use
# the line below. # the line below.
@ -74,7 +75,7 @@ index 0cbf572..6c47c3c 100644
# Set the DHCP server to authoritative mode. In this mode it will barge in # Set the DHCP server to authoritative mode. In this mode it will barge in
# and take over the lease for any client which broadcasts on the network, # and take over the lease for any client which broadcasts on the network,
@@ -683,7 +699,11 @@ @@ -673,7 +683,11 @@
# Include all files in a directory which end in .conf # Include all files in a directory which end in .conf
#conf-dir=/etc/dnsmasq.d/,*.conf #conf-dir=/etc/dnsmasq.d/,*.conf
@ -87,5 +88,5 @@ index 0cbf572..6c47c3c 100644
#dhcp-ignore-names=tag:wpad-ignore #dhcp-ignore-names=tag:wpad-ignore
+ +
-- --
2.43.0 2.26.2

106
SOURCES/dnsmasq-2.85-domain-blocklist-speedup.patch
Unescape View File

@ -0,0 +1,106 @@
From e046f32d882b6acf2090cbe8830c2dea6279aa8e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 9 Jun 2023 22:11:01 +0200
Subject: [PATCH] Use serv_domain only for regular servers
Do not try to use it for --local=/x/ or --address=/x/#. Some users use
quite long list of blocks, which slows down walking trough domain list
considerably. But searching by server_domain_find_domain is needed only
for normal servers, which may store there last used server and number
of recent forwarded queries. Local addresses overrides store there no
useful information, avoid searching and adding new domains for such
records.
Would also speed up searching servers when blocklists are used, because
only domains of servers are tested.
Resolves: rhbz#2209031
---
src/forward.c | 2 +-
src/option.c | 15 +++++++++------
2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index fffab7a..3d1227b 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -249,7 +249,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
*type = 0; /* use normal servers for this domain */
*domain = NULL;
}
- if (serv_domain && !*serv_domain)
+ if (serv_domain && !*serv_domain && (*type & SERV_HAS_DOMAIN)==0)
*serv_domain = server_domain_find_domain(NULL);
return flags;
}
diff --git a/src/option.c b/src/option.c
index e4e3182..25680c0 100644
--- a/src/option.c
+++ b/src/option.c
@@ -928,7 +928,7 @@ static struct server *add_rev4(struct in_addr addr, int msize)
p += sprintf(p, "in-addr.arpa");
serv->flags = SERV_HAS_DOMAIN;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
@@ -953,7 +953,7 @@ static struct server *add_rev6(struct in6_addr *addr, int msize)
p += sprintf(p, "ip6.arpa");
serv->flags = SERV_HAS_DOMAIN;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
@@ -2294,7 +2294,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
memset(serv, 0, sizeof(struct server));
serv->domain = d;
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
}
@@ -2338,7 +2338,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
memset(serv, 0, sizeof(struct server));
serv->domain = d;
serv->flags = SERV_HAS_DOMAIN | SERV_NO_ADDR;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
serv->next = daemon->servers;
daemon->servers = serv;
}
@@ -2591,7 +2591,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
newlist = serv;
serv->domain = domain;
serv->flags = domain ? SERV_HAS_DOMAIN : SERV_FOR_NODOTS;
- server_domain_new(serv);
+ serv->serv_domain = NULL;
arg = end;
if (rebind)
break;
@@ -2639,6 +2639,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
server_list_free(newlist);
ret_err(err);
}
+ if ((newlist->flags & SERV_LITERAL_ADDRESS)==0)
+ server_domain_new(newlist);
}
serv = newlist;
@@ -2682,7 +2684,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
serv = add_rev6(&addr6, size);
else
ret_err(gen_err);
-
+
+ server_domain_new(serv);
string = parse_server(comma, &serv->addr, &serv->source_addr, serv->interface, &serv->flags);
if (string)
--
2.40.1

50
SOURCES/dnsmasq-2.85-search_servers-rhbz2182342.patch
Unescape View File

@ -0,0 +1,50 @@
From d75a9691edaa2b2efd8b51f2de492c62cb57c629 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 5 May 2023 17:51:56 +0200
Subject: [PATCH] Ensure search_servers domain is set on dnssec
When dnssec validation is enabled the domain variable used when fetching
dnssec key or domain were not properly initialized always. It were read
anyway inside search_servers. Because it is changed only sometime, do
not use its value on the end of function. domain can be NULL only at
that point, use that value right away.
Include also TCP.
---
src/forward.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/forward.c b/src/forward.c
index b09dc96..fffab7a 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -250,7 +250,7 @@ static unsigned int search_servers(time_t now, union all_addr **addrpp, unsigned
*domain = NULL;
}
if (serv_domain && !*serv_domain)
- *serv_domain = server_domain_find_domain(*domain);
+ *serv_domain = server_domain_find_domain(NULL);
return flags;
}
@@ -1097,7 +1097,7 @@ void reply_query(int fd, time_t now)
{
int querytype, fd, type = SERV_DO_DNSSEC;
struct frec *next = new->next;
- char *domain;
+ char *domain = NULL;
*new = *forward; /* copy everything, then overwrite */
new->next = next;
@@ -1633,7 +1633,7 @@ static int tcp_key_recurse(time_t now, int status, struct dns_header *header, si
while (1)
{
int type = SERV_DO_DNSSEC;
- char *domain;
+ char *domain = NULL;
size_t m;
unsigned char c1, c2;
struct server *firstsendto = NULL;
--
2.40.1

83
SOURCES/dnsmasq-2.85-serv_domain-rh2186481-2.patch
Unescape View File

@ -0,0 +1,83 @@
From 4650d0aef20db4b7e129895ffcb93ca4609e6347 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 10 May 2023 12:57:17 +0200
Subject: [PATCH] fixup! Correct releasing of serv_domain
---
src/dnsmasq.h | 2 +-
src/network.c | 20 +++++++++++---------
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index b6dcc50..c62c3d0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1405,7 +1405,7 @@ int fix_fd(int fd);
int tcp_interface(int fd, int af);
int set_ipv6pktinfo(int fd);
struct server_domain *server_domain_find_domain(const char *domain);
-struct server_domain *server_domain_new(struct server *serv);
+void server_domain_new(struct server *serv);
#ifdef HAVE_DHCP6
void join_multicast(int dienow);
#endif
diff --git a/src/network.c b/src/network.c
index 8152cac..e42220c 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1653,6 +1653,7 @@ void add_update_server(int flags,
serv->addr = *addr;
if (source_addr)
serv->source_addr = *source_addr;
+ server_domain_new(serv);
}
}
@@ -1680,14 +1681,20 @@ struct server_domain *server_domain_find_domain(const char *domain)
/**< Test structure has already set domain pointer.
*
* If not, create a new record. */
-struct server_domain *server_domain_new(struct server *serv)
+void server_domain_new(struct server *serv)
{
struct server_domain *sd;
+ const char *domain = server_get_domain(serv);
- if ((sd = whine_malloc(sizeof(struct server_domain))))
+ sd = server_domain_find_domain(domain);
+ if (sd)
{
- const char *domain = server_get_domain(serv);
+ serv->serv_domain = sd;
+ return;
+ }
+ if ((sd = whine_malloc(sizeof(struct server_domain))))
+ {
/* Ensure all serv->domain values have own record in server_domain.
* Add a new record. */
if (domain)
@@ -1701,7 +1708,6 @@ struct server_domain *server_domain_new(struct server *serv)
serv->serv_domain = sd;
daemon->server_domains = sd;
}
- return sd;
}
/**< Test structure has already set domain pointer.
@@ -1714,11 +1720,7 @@ static void server_domain_check(struct server *serv)
if (sd)
sd->flags &= (~SERV_MARK); /* found domain, mark active */
else
- {
- sd = server_domain_find_domain(serv->domain);
- if (!sd)
- server_domain_new(serv);
- }
+ server_domain_new(serv);
}
void check_servers(void)
--
2.40.1

108
SOURCES/dnsmasq-2.85-serv_domain-rh2186481.patch
Unescape View File

@ -0,0 +1,108 @@
From c0e0202736f55195104dad9fec98c20d0d15df21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 21 Apr 2023 17:04:53 +0200
Subject: [PATCH] Correct releasing of serv_domain
In case the server->serv_domain points to domain also when it is not the
last server used, ensure the reference to last_server is always reset.
Some records might reference the server_domain, but cannot ever become
last_server. Such as server=/example.com/#
Correct detection of used server_domains for standard resolvers case.
Mark domain used even in that case, so it is not freed during
resolv.conf reading or other nameservers change.
---
src/network.c | 40 +++++++++++++++++++++++++++++++---------
1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/src/network.c b/src/network.c
index cf2f2e2..8152cac 100644
--- a/src/network.c
+++ b/src/network.c
@@ -1511,7 +1511,18 @@ void mark_servers(int flag)
}
}
-static void server_domains_cleanup(void)
+static void server_domains_pre_cleanup(void)
+{
+ struct server_domain *sd;
+
+ /* reset removed last_server. */
+ for (sd = daemon->server_domains; sd; sd = sd->next)
+ if ((sd->flags & SERV_MARK) == 0 && sd->last_server &&
+ (sd->last_server->flags & SERV_MARK) != 0)
+ sd->last_server = NULL;
+}
+
+static void server_domains_post_cleanup(void)
{
struct server_domain *sd, *tmp, **up;
@@ -1528,8 +1539,6 @@ static void server_domains_cleanup(void)
}
else {
up = &sd->next;
- if (sd->last_server && (sd->last_server->flags & SERV_MARK))
- sd->last_server = NULL;
}
}
}
@@ -1538,7 +1547,7 @@ void cleanup_servers(void)
{
struct server *serv, *tmp, **up;
- server_domains_cleanup();
+ server_domains_pre_cleanup();
/* unlink and free anything still marked. */
for (serv = daemon->servers, up = &daemon->servers; serv; serv = tmp)
@@ -1552,10 +1561,16 @@ void cleanup_servers(void)
free(serv->domain);
free(serv);
}
- else
- up = &serv->next;
+ else
+ {
+ up = &serv->next;
+ if (serv->serv_domain && (serv->serv_domain->flags & SERV_MARK) != 0)
+ serv->serv_domain = NULL;
+ }
}
+ server_domains_post_cleanup();
+
#ifdef HAVE_LOOP
/* Now we have a new set of servers, test for loops. */
loop_send_probes();
@@ -1699,7 +1714,11 @@ static void server_domain_check(struct server *serv)
if (sd)
sd->flags &= (~SERV_MARK); /* found domain, mark active */
else
- server_domain_new(serv);
+ {
+ sd = server_domain_find_domain(serv->domain);
+ if (!sd)
+ server_domain_new(serv);
+ }
}
void check_servers(void)
@@ -1808,8 +1827,11 @@ void check_servers(void)
else if (strlen(serv->domain) == 0)
s1 = _("default"), s2 = "";
else
- s1 = _("domain"), s2 = serv->domain;
-
+ {
+ s1 = _("domain"), s2 = serv->domain;
+ server_domain_check(serv);
+ }
+
if (serv->flags & SERV_NO_ADDR)
{
count--;
--
2.39.2

16
SOURCES/dnsmasq-2.85.tar.xz.asc
Unescape View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmBuGPsACgkQFc3aauGR
NaIg6A//Xfcu62aItiHf/jTeFHUSqHrdqanDqLRWSpgdeKO2adk+s66p5CqVHC8K
JfxPo6eTUj8uX53Idy5oiwUz4d40iiOjfxHs4Nme0ozyIAHGw/Tfwx7/+NV882vi
+rtqhjF83dRsnqIR95FD17tVI+cR0sq6XKzwBtPicjmPt79sQ2UtkBo7I+IS9B5g
o+i21gGYm34EgY6EavveWfGkKgJLz+cF59h4i16lc1eRGNsy5clURDxiJ65Zz0zb
ZARLudEclbFNdoUu/4idmOUhZCGWrqf9o+rQDYW3vN85saxCPbTChqqy1VC6OBnX
VLN3cAJlk1hS5X0HzewhXkOqulzjg81KWRQ8EYATdOQP7u6apv4q87hnmr+uL9E8
0VZ3ECyhH7n6qNXfqNS2Fp3Yp0sm1hgRy+6bu/IgVTPs/Ro22HqTiw5YXZQkPMbe
A4acAep59nIV9dEB5DYF1N0S0P6OcVtUsZAFlGS1cD0owFuI44W/lg8w9xA9gyJv
uqZvZqkQDM8bi9zJ2d7fjf65pjS+7S9ISxDoPHp34lLMB7D/rAuW8GVBkL1KxMWb
sRHIBDKM01CXZeRBlbxAYHlH7s2QehRk/t57ksTmPtT3IAVMSajEG0+1YElUGg8s
2gqLtCLdmB6Lwl4RFripSERvPzYOAsd8DiqDL9wYOECBStUGuEw=
=W3WM
-----END PGP SIGNATURE-----

107
SOURCES/dnsmasq-2.86-alternative-lease.patch
Unescape View File

@ -0,0 +1,107 @@
From 268080fc19990711a1d1e1acd68a50aa2f6cb5fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Fri, 17 Sep 2021 20:12:21 +0200
Subject: [PATCH] Offer alternative DHCPv6 address if requested is taken
In some cases multiple requests might arrive from single DUID. It may
happen just one address is offered to different IAID requests. When
the first request confirms lease, another would be offered alternative
address instead of address in use error.
Includes check on such Rapid commit equivalents and returns NotOnLink
error, required by RFC 8145, if requested address were not on any
supported prefix.
---
src/rfc3315.c | 39 ++++++++++++++++++++++++++++-----------
1 file changed, 28 insertions(+), 11 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 5c2ff97..d1534ad 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -614,7 +614,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
case DHCP6SOLICIT:
{
- int address_assigned = 0;
+ int address_assigned = 0, ia_invalid = 0;
/* tags without all prefix-class tags */
struct dhcp_netid *solicit_tags;
struct dhcp_context *c;
@@ -697,6 +697,8 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
get_context_tag(state, c);
address_assigned = 1;
}
+ else
+ ia_invalid++;
}
/* Suggest configured address(es) */
@@ -782,11 +784,26 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
tagif = add_options(state, 0);
}
else
- {
+ {
+ char *errmsg;
/* no address, return error */
o1 = new_opt6(OPTION6_STATUS_CODE);
- put_opt6_short(DHCP6NOADDRS);
- put_opt6_string(_("no addresses available"));
+ if (state->lease_allocate && ia_invalid)
+ {
+ /* RFC 8415, Section 18.3.2:
+ If any of the prefixes of the included addresses are not
+ appropriate for the link to which the client is connected,
+ the server MUST return the IA to the client with a Status
+ Code option with the value NotOnLink. */
+ put_opt6_short(DHCP6NOTONLINK);
+ errmsg = _("not on link");
+ }
+ else
+ {
+ put_opt6_short(DHCP6NOADDRS);
+ errmsg = _("no addresses available");
+ }
+ put_opt6_string(errmsg);
end_opt6(o1);
/* Some clients will ask repeatedly when we're not giving
@@ -795,7 +812,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
for (c = state->context; c; c = c->current)
if (!(c->flags & CONTEXT_RA_STATELESS))
{
- log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, _("no addresses available"));
+ log6_packet(state, state->lease_allocate ? "DHCPREPLY" : "DHCPADVERTISE", NULL, errmsg);
break;
}
}
@@ -831,7 +848,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
/* If we get a request with an IA_*A without addresses, treat it exactly like
a SOLICT with rapid commit set. */
save_counter(start);
- goto request_no_address;
+ goto request_no_address;
}
o = build_ia(state, &t1cntr);
@@ -861,11 +878,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
}
else if (!check_address(state, &req_addr))
{
- /* Address leased to another DUID/IAID */
- o1 = new_opt6(OPTION6_STATUS_CODE);
- put_opt6_short(DHCP6UNSPEC);
- put_opt6_string(_("address in use"));
- end_opt6(o1);
+ /* Address leased to another DUID/IAID.
+ Find another address for the client, treat it exactly like
+ a SOLICT with rapid commit set. */
+ save_counter(start);
+ goto request_no_address;
}
else
{
--
2.31.1

28
SOURCES/dnsmasq-2.86-dhcpv6-client-arch.patch
Unescape View File

@ -0,0 +1,28 @@
From 4272580bb586180e596e5ed30b68455826acc8c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 22 Sep 2021 14:54:01 +0200
Subject: [PATCH] Add support for option6 names of RFC 5970
Client Network Interface Identifier and Client System Architecture Type
options were not understood by dnsmasq. Add it to supported option
types.
---
src/dhcp-common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/dhcp-common.c b/src/dhcp-common.c
index 36bc38a..528e8e7 100644
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -659,6 +659,8 @@ static const struct opttab_t opttab6[] = {
{ "ntp-server", 56, 0 /* OT_ADDR_LIST | OT_RFC1035_NAME */ },
{ "bootfile-url", 59, OT_NAME },
{ "bootfile-param", 60, OT_CSTRING },
+ { "client-arch", 61, 2 | OT_DEC }, /* RFC 5970 */
+ { "client-interface-id", 62, 1 | OT_DEC }, /* RFC 5970 */
{ NULL, 0, 0 }
};
#endif
--
2.31.1

113
SOURCES/dnsmasq-2.86-tcp-free-fd-rh2188443.patch
Unescape View File

@ -0,0 +1,113 @@
From 32e0e81715f60ca35738818370f5d3aacf9e2d2c Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 9 Apr 2021 16:08:05 +0100
Subject: [PATCH] Fix bug in TCP process handling.
Fix bug which caused dnsmasq to lose track of processes forked
to handle TCP DNS connections under heavy load. The code
checked that at least one free process table slot was
available before listening on TCP sockets, but didn't take
into account that more than one TCP connection could
arrive, so that check was not sufficient to ensure that
there would be slots for all new processes. It compounded
this error by silently failing to store the process when
it did run out of slots. Even when this bug is triggered,
all the right things happen, and answers are still returned.
Only under very exceptional circumstances, does the bug
manifest itself: see
https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q2/014976.html
Thanks to Tijs Van Buggenhout for finding the conditions under
which the bug manifests itself, and then working out
exactly what was going on.
(cherry picked from commit ad90eb075dfeeb1936e8bc0f323fcc23f89364d4)
---
src/dnsmasq.c | 44 +++++++++++++++++++++++++-------------------
1 file changed, 25 insertions(+), 19 deletions(-)
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 979e33d..af9132f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1720,22 +1720,24 @@ static int set_dns_listeners(time_t now)
for (rfl = daemon->rfl_poll; rfl; rfl = rfl->next)
poll_listen(rfl->rfd->fd, POLLIN);
+ /* check to see if we have free tcp process slots. */
+ for (i = MAX_PROCS - 1; i >= 0; i--)
+ if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
+ break;
+
for (listener = daemon->listeners; listener; listener = listener->next)
{
/* only listen for queries if we have resources */
if (listener->fd != -1 && wait == 0)
poll_listen(listener->fd, POLLIN);
- /* death of a child goes through the select loop, so
- we don't need to explicitly arrange to wake up here */
- if (listener->tcpfd != -1)
- for (i = 0; i < MAX_PROCS; i++)
- if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
- {
- poll_listen(listener->tcpfd, POLLIN);
- break;
- }
-
+ /* Only listen for TCP connections when a process slot
+ is available. Death of a child goes through the select loop, so
+ we don't need to explicitly arrange to wake up here,
+ we'll be called again when a slot becomes available. */
+ if (listener->tcpfd != -1 && i >= 0)
+ poll_listen(listener->tcpfd, POLLIN);
+
#ifdef HAVE_TFTP
/* tftp == 0 in single-port mode. */
if (tftp <= daemon->tftp_max && listener->tftpfd != -1)
@@ -1801,7 +1803,16 @@ static void check_dns_listeners(time_t now)
tftp_request(listener, now);
#endif
- if (listener->tcpfd != -1 && poll_check(listener->tcpfd, POLLIN))
+ /* check to see if we have a free tcp process slot.
+ Note that we can't assume that because we had
+ at least one a poll() time, that we still do.
+ There may be more waiting connections after
+ poll() returns then free process slots. */
+ for (i = MAX_PROCS - 1; i >= 0; i--)
+ if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
+ break;
+
+ if (listener->tcpfd != -1 && i >= 0 && poll_check(listener->tcpfd, POLLIN))
{
int confd, client_ok = 1;
struct irec *iface = NULL;
@@ -1891,7 +1902,6 @@ static void check_dns_listeners(time_t now)
close(pipefd[0]);
else
{
- int i;
#ifdef HAVE_LINUX_NETWORK
/* The child process inherits the netlink socket,
which it never uses, but when the parent (us)
@@ -1911,13 +1921,9 @@ static void check_dns_listeners(time_t now)
read_write(pipefd[0], &a, 1, 1);
#endif
- for (i = 0; i < MAX_PROCS; i++)
- if (daemon->tcp_pids[i] == 0 && daemon->tcp_pipes[i] == -1)
- {
- daemon->tcp_pids[i] = p;
- daemon->tcp_pipes[i] = pipefd[0];
- break;
- }
+ /* i holds index of free slot */
+ daemon->tcp_pids[i] = p;
+ daemon->tcp_pipes[i] = pipefd[0];
}
close(confd);
--
2.40.1

172
SOURCES/dnsmasq-2.87-CVE-2022-0934.patch
Unescape View File

@ -0,0 +1,172 @@
From 5d1b75b542f128f757606668a44ce60ebb3c47f0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 31 Mar 2022 21:35:20 +0100
Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
refers.
---
src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
1 file changed, 27 insertions(+), 21 deletions(-)
diff --git a/src/rfc3315.c b/src/rfc3315.c
index fbb6876..d2ebf15 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -33,9 +33,9 @@ struct state {
unsigned int mac_len, mac_type;
};
-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
struct in6_addr *client_addr, int is_unicast, time_t now);
-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
}
/* This cost me blood to write, it will probably cost you blood to understand - srk. */
-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
+static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
struct in6_addr *client_addr, int is_unicast, time_t now)
{
void *end = inbuff + sz;
void *opts = inbuff + 34;
- int msg_type = *((unsigned char *)inbuff);
+ int msg_type = *inbuff;
unsigned char *outmsgtypep;
void *opt;
struct dhcp_vendor *vendor;
@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
return 1;
}
-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
+static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
{
void *opt;
- int i, o, o1, start_opts;
+ int i, o, o1, start_opts, start_msg;
struct dhcp_opt *opt_cfg;
struct dhcp_netid *tagif;
struct dhcp_config *config = NULL;
struct dhcp_netid known_id, iface_id, v6_id;
- unsigned char *outmsgtypep;
+ unsigned char outmsgtype;
struct dhcp_vendor *vendor;
struct dhcp_context *context_tmp;
struct dhcp_mac *mac_opt;
@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
v6_id.next = state->tags;
state->tags = &v6_id;
- /* copy over transaction-id, and save pointer to message type */
- if (!(outmsgtypep = put_opt6(inbuff, 4)))
+ start_msg = save_counter(-1);
+ /* copy over transaction-id */
+ if (!put_opt6(inbuff, 4))
return 0;
start_opts = save_counter(-1);
- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
-
+ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
+
/* We're going to be linking tags from all context we use.
mark them as unused so we don't link one twice and break the list */
for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
(msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
{
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
o1 = new_opt6(OPTION6_STATUS_CODE);
put_opt6_short(DHCP6USEMULTI);
put_opt6_string("Use multicast");
@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
struct dhcp_netid *solicit_tags;
struct dhcp_context *c;
- *outmsgtypep = DHCP6ADVERTISE;
+ outmsgtype = DHCP6ADVERTISE;
if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
{
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
state->lease_allocate = 1;
o = new_opt6(OPTION6_RAPID_COMMIT);
end_opt6(o);
@@ -826,7 +827,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
int start = save_counter(-1);
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
state->lease_allocate = 1;
log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
@@ -938,7 +939,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
case DHCP6RENEW:
{
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPRENEW", NULL, NULL);
@@ -1050,7 +1051,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
int good_addr = 0;
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
@@ -1114,7 +1115,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ? _("ignored") : state->hostname);
if (ignore)
return 0;
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
tagif = add_options(state, 1);
break;
}
@@ -1123,7 +1124,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
case DHCP6RELEASE:
{
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPRELEASE", NULL, NULL);
@@ -1188,7 +1189,7 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
case DHCP6DECLINE:
{
/* set reply message type */
- *outmsgtypep = DHCP6REPLY;
+ outmsgtype = DHCP6REPLY;
log6_quiet(state, "DHCPDECLINE", NULL, NULL);
@@ -1268,7 +1269,12 @@ static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_
}
}
-
+
+ /* Fill in the message type. Note that we store the offset,
+ not a direct pointer, since the packet memory may have been
+ reallocated. */
+ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
+
log_tags(tagif, state->xid);
log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
--
2.39.1

77
SOURCES/dnsmasq-2.87-coverity-forward-cache.patch
Unescape View File

@ -0,0 +1,77 @@
From 2f45670951d2159ebf588e1e4943c0bc9e1cd20b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Wed, 18 Aug 2021 14:59:23 +0200
Subject: [PATCH] Add safety checks to places pointed by Coverity
GCC Analyzer (experimental)
1. dnsmasq-2.85/src/forward.c:0: scope_hint: In function 'allocate_rfd.part.0'
2. dnsmasq-2.85/src/forward.c:2321:18: warning[-Wanalyzer-null-dereference]: dereference of NULL 'rfd'
# 2319| *fdlp = rfl;
# 2320|
# 2321|-> return rfl->rfd->fd;
# 2322| }
# 2323|
1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'log_query'
2. dnsmasq-2.85/src/cache.c:1969:20: warning[-Wanalyzer-null-dereference]: dereference of NULL 'name'
# 1967| source = "cached";
# 1968|
# 1969|-> if (strlen(name) == 0)
# 1970| name = ".";
# 1971|
1. dnsmasq-2.85/src/cache.c:0: scope_hint: In function 'cache_scan_free'
2. dnsmasq-2.85/src/cache.c:436:20: warning[-Wanalyzer-null-argument]: use of NULL 'addr' where non-null expected
40. /usr/include/sys/un.h:37: included_from: Included from here.
41. dnsmasq-2.85/src/dnsmasq.h:101: included_from: Included from here.
42. dnsmasq-2.85/src/cache.c:17: included_from: Included from here.
43. /usr/include/string.h:64:12: note: argument 2 of 'memcmp' must be non-null
# 434| (flags & crecp->flags & F_REVERSE) &&
# 435| (flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
# 436|-> memcmp(&crecp->addr, addr, addrlen) == 0)
# 437| {
# 438| *up = crecp->hash_next;
---
src/cache.c | 4 ++--
src/forward.c | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/cache.c b/src/cache.c
index b3b3c7c..8f97947 100644
--- a/src/cache.c
+++ b/src/cache.c
@@ -483,7 +483,7 @@ static struct crec *cache_scan_free(char *name, union all_addr *addr, unsigned s
else if (!(crecp->flags & (F_HOSTS | F_DHCP | F_CONFIG)) &&
(flags & crecp->flags & F_REVERSE) &&
(flags & crecp->flags & (F_IPV4 | F_IPV6)) &&
- memcmp(&crecp->addr, addr, addrlen) == 0)
+ addr && memcmp(&crecp->addr, addr, addrlen) == 0)
{
*up = crecp->hash_next;
cache_unlink(crecp);
@@ -2067,7 +2067,7 @@ void log_query(unsigned int flags, char *name, union all_addr *addr, char *arg,
else
source = "cached";
- if (strlen(name) == 0)
+ if (name && !name[0])
name = ".";
if (option_bool(OPT_EXTRALOG))
diff --git a/src/forward.c b/src/forward.c
index 434ba77..f3c38d7 100644
--- a/src/forward.c
+++ b/src/forward.c
@@ -2274,7 +2274,7 @@ int allocate_rfd(struct randfd_list **fdlp, struct server *serv)
}
}
- if (j == daemon->numrrand)
+ if (!rfd) /* should be when j == daemon->numrrand */
{
struct randfd_list *rfl_poll;
--
2.41.0

64
SOURCES/dnsmasq-2.87-log-root-writeable.patch
Unescape View File

@ -0,0 +1,64 @@
From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Mon, 10 Jan 2022 12:34:42 +0100
Subject: [PATCH] Add root group writeable flag to log file
Some systems strips even root process capability of writing to different
users file. That include systemd under Fedora. When
log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
is created. But restart then fails, because such log file can be used
only when created new. Existing file cannot be opened by root when
starting, causing fatal error. Avoid that by adding root group writeable flag.
Ensure group is always root when granting write access. If it is
anything else, administrator has to configure correct rights.
(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
---
src/log.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/log.c b/src/log.c
index 1ec3447..bcd6e52 100644
--- a/src/log.c
+++ b/src/log.c
@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
/* If we're running as root and going to change uid later,
change the ownership here so that the file is always owned by
the dnsmasq user. Then logrotate can just copy the owner.
- Failure of the chown call is OK, (for instance when started as non-root) */
- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 &&
- fchown(log_fd, ent_pw->pw_uid, -1) != 0)
- ret = errno;
+ Failure of the chown call is OK, (for instance when started as non-root).
+
+ If we've created a file with group-id root, we also make
+ the file group-writable. This gives processes in the root group
+ write access to the file and avoids the problem that on some systems,
+ once the file is owned by the dnsmasq user, it can't be written
+ whilst dnsmasq is running as root during startup.
+ */
+ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
+ {
+ struct stat ls;
+ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
+ (ls.st_mode & S_IWGRP) == 0)
+ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
+ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+ ret = errno;
+ }
return ret;
}
@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
/* NOTE: umask is set to 022 by the time this gets called */
if (log_file)
- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
else
{
#if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
--
2.40.1

45
SOURCES/dnsmasq-2.89-edns0-size.patch
Unescape View File

@ -0,0 +1,45 @@
From 9d8270be2e2b31437684f2d87add9a28a41f0c75 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
(cherry picked from commit eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5)
---
man/dnsmasq.8 | 3 ++-
src/config.h | 2 +-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index fce580f..4b0b180 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -171,7 +171,8 @@ to zero completely disables DNS function, leaving only DHCP and/or TFTP.
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
diff --git a/src/config.h b/src/config.h
index 8c41943..62b7fa1 100644
--- a/src/config.h
+++ b/src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1280 /* "go anywhere" UDP packet size */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
--
2.39.2

2091
SOURCES/dnsmasq-2.90-CVE-2023-50387-CVE-2023-50868.patch
View File

File diff suppressed because it is too large Load Diff

16
SOURCES/dnsmasq-2.90.tar.xz.asc
Unescape View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmXLc7MACgkQFc3aauGR
NaKwug/7BIZ9TOBB65sR/rBg0JU/4jBG1WQglmEckSkK7NWagXVbjlVVl0F1AUZo
JBaW6qIvFZ9q7OlOB50gpZNC0wvIYRa8bdvicWjktxW/KFC/NZo5iI6DHH0p6LK2
pymMCGyRkAgVc8Yxv3BDTqw70ld4gA8WamNWQsfS14n0VF/abOv/A0x70XkHPdIc
U9ZZX+1/Zn6s08arzUSEAnuR3+SW6Amq6MJKwCT8eVDNvTG35o0+HWAmyo+EjRmo
PdiIa1fmOcY8V80E5Xs2V11kMZeAZymD/GzCUTwW4Q2T7WW3OsMc9KlH35bAhfvI
iiBDbmYqI6AgLi6rIB1X6CKZ5V3VR93nxbSieaocZ145BAukxFOLuBTqjR1jhZt7
63HfbYv3aViwMX2Ggk0XIh/OvIr6dFAsqiD6n+pYKLOVs1nyhXK1UP+J/9BhvJfx
4Dzx38K1iFilyR35tUiRosiZHgEHiZtJJ2u4B+nVENHpcVPG1cZQ92x7b2UDBfL4
wcZ2U4guxdN4iBE7zzCseJNFL7NZ0U476RWEG9NybAnGGlpDY8m5AuQ5nHT0AjV7
d+Fq0EaKr0rfjDk1bjYf88VRW0Khx4Fz5IsmnGw/p+09xBEhQftK+M42FpIbbscx
uZQ5i7CNkMAsft/lUGYEdLcTi5HuDWBtbXjVMLvzFRPz7W9l0J0=
=iZdM
-----END PGP SIGNATURE-----

4
SOURCES/dnsmasq.service
Unescape View File

@ -1,10 +1,6 @@
[Unit] [Unit]
Description=DNS caching server. Description=DNS caching server.
Before=nss-lookup.target
Wants=nss-lookup.target
After=network.target After=network.target
; Use bind-dynamic or uncomment following to listen on non-local IP address
;After=network-online.target
[Service] [Service]
ExecStart=/usr/sbin/dnsmasq ExecStart=/usr/sbin/dnsmasq

236
SPECS/dnsmasq.spec
Unescape View File

@ -1,5 +1,3 @@
%bcond_without i18n
%define testrelease 0 %define testrelease 0
%define releasecandidate 0 %define releasecandidate 0
%if 0%{testrelease} %if 0%{testrelease}
@ -13,23 +11,20 @@
%define _hardened_build 1 %define _hardened_build 1
# path to upstream git repository # path to upstream git repository
%global forgeurl0 git://thekelleys.org.uk/dnsmasq.git %global git_upstream git://thekelleys.org.uk/dnsmasq.git
# tag of selected version # tag of selected version
%global gittag v%{version}%{?extraversion} %global gittag v%{version}%{?extraversion}
# Attempt to prepare source-git with downstream repos # Attempt to prepare source-git with downstream repos
%bcond_with sourcegit %bcond_with sourcegit
Name: dnsmasq Name: dnsmasq
Version: 2.90 Version: 2.85
Release: 4%{?extraversion:.%{extraversion}}%{?dist} Release: 16%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server Summary: A lightweight DHCP/caching DNS server
# SPDX identifiers already License: GPLv2 or GPLv3
License: GPL-2.0-only OR GPL-3.0-only
URL: http://www.thekelleys.org.uk/dnsmasq/ URL: http://www.thekelleys.org.uk/dnsmasq/
VCS: git:%{forgeurl0}
Source0: %{url}%{?extrapath}%{name}-%{version}%{?extraversion}.tar.xz Source0: %{url}%{?extrapath}%{name}-%{version}%{?extraversion}.tar.xz
Source1: %{name}.service Source1: %{name}.service
Source2: dnsmasq-systemd-sysusers.conf Source2: dnsmasq-systemd-sysusers.conf
@ -46,28 +41,57 @@ Patch1: dnsmasq-2.77-underflow.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1852373 # https://bugzilla.redhat.com/show_bug.cgi?id=1852373
Patch2: dnsmasq-2.81-configuration.patch Patch2: dnsmasq-2.81-configuration.patch
Patch3: dnsmasq-2.78-fips.patch Patch3: dnsmasq-2.78-fips.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=1919894
# Similar functionality is implemented since 2.86 in upstream, but introduced
Requires: nettle Patch4: dnsmasq-2.79-server-domain-rh1919894.patch
# https://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2021q3/015640.html
Patch5: dnsmasq-2.86-alternative-lease.patch
Patch6: dnsmasq-2.86-dhcpv6-client-arch.patch
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=03345ecefeb0d82e3c3a4c28f27c3554f0611b39
Patch7: dnsmasq-2.87-CVE-2022-0934.patch
# Downstream only patch; fixes Patch4 change
Patch8: dnsmasq-2.79-server-domain-fixup.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5
Patch9: dnsmasq-2.89-edns0-size.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
# Fixes issue in Patch4
Patch10: dnsmasq-2.85-serv_domain-rh2186481.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2182342
# Another issue in Patch4
Patch11: dnsmasq-2.85-search_servers-rhbz2182342.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
# complements patch10
Patch12: dnsmasq-2.85-serv_domain-rh2186481-2.patch
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
Patch13: dnsmasq-2.87-log-root-writeable.patch
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2209031
# complements patch12
Patch14: dnsmasq-2.85-domain-blocklist-speedup.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=9bbf098a970c9e5fa251939208e25fb21064d1be
Patch15: dnsmasq-2.87-coverity-forward-cache.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;h=ad90eb075dfeeb1936e8bc0f323fcc23f89364d4
Patch16: dnsmasq-2.86-tcp-free-fd-rh2188443.patch
# https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=214a046f47b9f7dd56f5eef3a8678ccbd6e973b7
Patch17: dnsmasq-2.90-CVE-2023-50387-CVE-2023-50868.patch
# This is workaround to nettle bug #1549190
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
Requires: nettle >= 3.4
BuildRequires: dbus-devel BuildRequires: dbus-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: libidn2-devel BuildRequires: libidn2-devel
BuildRequires: pkgconfig(libnetfilter_conntrack)
BuildRequires: nettle-devel BuildRequires: nettle-devel
Buildrequires: gcc Buildrequires: gcc
BuildRequires: gnupg2 BuildRequires: gnupg2
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
%{?systemd_ordering} %{?systemd_requires}
%if %{with sourcegit} %if %{with sourcegit}
BuildRequires: git-core BuildRequires: git-core
%endif %endif
BuildRequires: make BuildRequires: make
%if %{with i18n}
BuildRequires: gettext
%endif
%description %description
Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server. Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server.
@ -76,7 +100,7 @@ It can serve the names of local machines which are not in the global
DNS. The DHCP server integrates with the DNS server and allows machines DNS. The DHCP server integrates with the DNS server and allows machines
with DHCP-allocated addresses to appear in the DNS with names configured with DHCP-allocated addresses to appear in the DNS with names configured
either in each host or in a central configuration file. Dnsmasq supports either in each host or in a central configuration file. Dnsmasq supports
static and dynamic DHCP leases and BOOTP for network booting of disk-less static and dynamic DHCP leases and BOOTP for network booting of diskless
machines. machines.
%package utils %package utils
@ -86,19 +110,6 @@ Summary: Utilities for manipulating DHCP server leases
Utilities that use the standard DHCP protocol to query/remove a DHCP Utilities that use the standard DHCP protocol to query/remove a DHCP
server's leases. server's leases.
%if %{with i18n}
%package langpack
Summary: Translations for few languages
License: LicenseRef-Fedora-Public-Domain AND GPL-2.0-or-later
BuildArch: noarch
Requires: %{name} = %{version}-%{release}
# Will not do separate packages for every single language, those translations are small enough
Supplements: (%{name} = %{version}-%{release} and (langpacks-de or langpacks-es or langpacks-fi or langpacks-fr or langpacks-id or langpacks-it or langpacks-ka or langpacks-no or langpacks-pl or langpacks-pt_BR or langpacks-ro) )
%description langpack
Translations for few languages on dnsmasq.
%endif
%prep %prep
%if 0%{?fedora} %if 0%{?fedora}
@ -112,7 +123,7 @@ Translations for few languages on dnsmasq.
# But using %%setup changes used directories in %%build and %%install # But using %%setup changes used directories in %%build and %%install
rm -rf %{_builddir}/%{name}-%{version}%{?extraversion} rm -rf %{_builddir}/%{name}-%{version}%{?extraversion}
cd %{_builddir} cd %{_builddir}
git clone -b %{gittag} %{forgeurl0} %{name}-%{version}%{?extraversion} git clone -b %{gittag} %{git_upstream} %{name}-%{version}%{?extraversion}
cd %{name}-%{version}%{?extraversion} cd %{name}-%{version}%{?extraversion}
git checkout -b rpmbuild git checkout -b rpmbuild
%else %else
@ -132,17 +143,13 @@ sed -i 's|#define CHGRP "dip"|#define CHGRP "dnsmasq"|' src/config.h
sed -i "s|\(#\s*define RUNFILE\) \"/var/run/dnsmasq.pid\"|\1 \"%{_rundir}/dnsmasq.pid\"|" src/config.h sed -i "s|\(#\s*define RUNFILE\) \"/var/run/dnsmasq.pid\"|\1 \"%{_rundir}/dnsmasq.pid\"|" src/config.h
# optional parts # optional parts
sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC -DHAVE_CONNTRACK|' Makefile sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
%build %build
%make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" \ %make_build CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
%if %{with i18n}
all-i18n
%else
all
%endif
%make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS" %make_build -C contrib/lease-tools CFLAGS="$RPM_OPT_FLAGS" LDFLAGS="$RPM_LD_FLAGS"
%install %install
# normally i'd do 'make install'...it's a bit messy, though # normally i'd do 'make install'...it's a bit messy, though
mkdir -p $RPM_BUILD_ROOT%{_sbindir} \ mkdir -p $RPM_BUILD_ROOT%{_sbindir} \
@ -174,11 +181,6 @@ rm -rf %{buildroot}%{_initrddir}
#install systemd sysuser file #install systemd sysuser file
install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%if %{with i18n}
%make_install PREFIX=/usr install-i18n
%find_lang %{name} --with-man
%endif
%pre %pre
#precreate users so that rpm can install files owned by that user #precreate users so that rpm can install files owned by that user
%sysusers_create_compat %{SOURCE2} %sysusers_create_compat %{SOURCE2}
@ -195,9 +197,11 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%files %files
%doc CHANGELOG FAQ doc.html setup.html dbus/DBus-interface %doc CHANGELOG FAQ doc.html setup.html dbus/DBus-interface
%license COPYING COPYING-v3 %license COPYING COPYING-v3
%defattr(0644,root,dnsmasq,0755)
%config(noreplace) %{_sysconfdir}/dnsmasq.conf %config(noreplace) %{_sysconfdir}/dnsmasq.conf
%dir %{_sysconfdir}/dnsmasq.d %dir %{_sysconfdir}/dnsmasq.d
%dir %attr(0755,root,dnsmasq) %{_var}/lib/dnsmasq %dir %{_var}/lib/dnsmasq
%defattr(-,root,root,-)
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/dnsmasq.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/dnsmasq.conf
%{_unitdir}/%{name}.service %{_unitdir}/%{name}.service
%{_sbindir}/dnsmasq %{_sbindir}/dnsmasq
@ -211,130 +215,62 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}.conf
%{_bindir}/dhcp_* %{_bindir}/dhcp_*
%{_mandir}/man1/dhcp_* %{_mandir}/man1/dhcp_*
%if %{with i18n}
%files langpack -f %{name}.lang
%endif
%changelog %changelog
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.90-4 * Fri Mar 15 2024 Tomas Korbar <tkorbar@redhat.com> - 2.85-16
- Bump release for October 2024 mass rebuild: - Fix CVE 2023-50387 and CVE 2023-50868
Resolves: RHEL-64018 - Resolves: RHEL-25639
- Resolves: RHEL-25675
* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 2.90-3
- Rebuilt for MSVSphere 10
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.90-3
- Bump release for June 2024 mass rebuild
* Thu May 09 2024 Petr Menšík <pemensik@redhat.com> - 2.90-2
- Update SPDX in license tag to use uppercase conjunction
* Tue Feb 13 2024 Petr Menšík <pemensik@redhat.com> - 2.90-1 * Fri Jul 28 2023 Petr Menšík <pemensik@redhat.com> - 2.85-15
- Update to 2.90 (#2264049) - Attempt to use TCP pipe only if a free is available (#2188443)
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.89-9 * Fri Jul 28 2023 Petr Menšík <pemensik@redhat.com> - 2.85-14
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - Backport Coverity fix to hide detected issue (#2156789)
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.89-8 * Thu Jul 20 2023 Petr Menšík <pemensik@redhat.com> - 2.85-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - Rebuild with modified gating settings
* Fri Jan 12 2024 Petr Menšík <pemensik@redhat.com> - 2.89-7 * Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.85-12
- Use local-service=host for initial configuration (#2258062) - Make create logfile writeable by root (#2156789)
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.89-6 * Fri Jun 09 2023 Petr Menšík <pemensik@redhat.com> - 2.85-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - Do not create and search --local and --address=/x/# domains (#2209031)
* Thu Apr 27 2023 Petr Menšík <pemensik@redhat.com> - 2.89-5 * Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.85-10
- Prevent crash on dbus reconnection (#2186468) - Fix also dynamically set resolvers over dbus (#2186481)
* Thu Apr 27 2023 Petr Menšík <pemensik@redhat.com> - 2.89-4 * Fri May 05 2023 Petr Menšík <pemensik@redhat.com> - 2.85-9
- Actually enable localization support in dnsmasq (#2131681) - Properly initialize domain parameter in dnssec mode (#2182342)
* Wed Apr 05 2023 Petr Menšík <pemensik@redhat.com> - 2.89-3 * Fri Apr 21 2023 Petr Menšík <pemensik@redhat.com> - 2.85-8
- Add separate SPDX licenses also to translations - Correct possible crashes when server=/example.net/# is used (#2188712)
- Include localized man pages simpler way, make them noarch
* Mon Apr 03 2023 Petr Menšík <pemensik@redhat.com> - 2.89-2 * Mon Apr 03 2023 Petr Menšík <pemensik@redhat.com> - 2.85-7
- Limit offered EDNS0 size 1232 (CVE-2023-28450) - Limit offered EDNS0 size 1232 (CVE-2023-28450)
* Mon Feb 13 2023 Petr Menšík <pemensik@redhat.com> - 2.89-1 * Thu Jan 26 2023 Petr Menšík <pemensik@redhat.com> - 2.85-6
- Update to 2.89 (#2167121) - Use upstream change for CVE-2022-0934 (#2126586)
* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.88-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Thu Dec 08 2022 Petr Menšík <pemensik@redhat.com> - 2.88-2
- Create dnsmasq-langpack subpackage with translations (#2131681)
* Tue Dec 06 2022 Petr Menšík <pemensik@redhat.com> - 2.88-1
- Update to 2.88 (#2150667)
* Fri Nov 25 2022 Petr Menšík <pemensik@redhat.com> - 2.87-3
- Fix regression removing config statements on DBus change (#2148301)
* Fri Sep 30 2022 Petr Menšík <pemensik@redhat.com> - 2.87-2
- Update License tag to SPDX identifier
* Tue Sep 27 2022 Petr Menšík <pemensik@redhat.com> - 2.87-1
- Update to 2.87 (#2129658)
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.86-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Fri Jul 08 2022 Petr Menšík <pemensik@redhat.com> - 2.86-10
- Do not own configuration by dnsmasq group (#2104973)
* Fri Jun 17 2022 Petr Menšík <pemensik@redhat.com> - 2.86-9
- Do not drop static forwarders on DBus reconfiguration (#2061944)
* Fri Apr 29 2022 Anssi Hannula <anssi.hannula@iki.fi> - 2.86-8
- Enable conntrack support
* Fri Apr 29 2022 Petr Menšík <pemensik@redhat.com> - 2.86-7
- Correct GNU address in license file
* Wed Feb 23 2022 Petr Menšík <pemensik@redhat.com> - 2.86-6
- Fix errors on server reload
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.86-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Sun Jan 16 2022 Petr Menšík <pemensik@redhat.com> - 2.86-4
- Add writeable group flag to log file (#2024166)
* Thu Oct 14 2021 Petr Menšík <pemensik@redhat.com> - 2.86-3
- Rebuild server_array on any server change (#2009975)
- Compare case-insensitive also TCP queries (#2014019)
* Thu Sep 23 2021 Petr Menšík <pemensik@redhat.com> - 2.86-2
- Attempt to fix regression found on recent release (#2006367)
* Thu Sep 09 2021 Petr Menšík <pemensik@redhat.com> - 2.86-1
- Update to 2.86 (#2002475)
- Apply coverity detected issues patches
* Wed Aug 04 2021 Petr Menšík <pemensik@redhat.com> - 2.85-6
- Do not require systemd
* Thu Jul 22 2021 Petr Menšík <pemensik@redhat.com> - 2.85-5 * Mon Aug 22 2022 Petr Menšík <pemensik@redhat.com> - 2.85-5
- Start before nss-lookup.target, hint modification to listen on IP (#1984618) - Prevent endless loop in forward_query (#2120711)
* Thu Jul 22 2021 Petr Menšík <pemensik@redhat.com> - 2.85-4 * Fri Mar 25 2022 Petr Menšík <pemensik@redhat.com> - 2.85-4
- Update lease if hostname is assigned to a new lease (#1978718) - Prevent use after free in dhcp6_no_relay (CVE-2022-0934)
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.85-3 * Thu Jan 27 2022 Petr Menšík <pemensik@redhat.com> - 2.85-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild - Send queries only to best domain-specific server (#2047510)
- Offer alternate DHCPv6 address if requested is already leased (#1998448)
* Thu Apr 08 2021 Petr Menšík <pemensik@redhat.com> - 2.85-2 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.85-2
- Update to 2.85 (#1947198) - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Mar 31 2021 Petr Menšík <pemensik@redhat.com> - 2.85-1.rc2 * Thu Apr 15 2021 Petr Menšík <pemensik@redhat.com> - 2.85-1
- Update to 2.85rc2 (CVE-2021-3448) - Update to 2.85 (#1978728)
- Switch systemd unit to forking, reports error on startup (#1774028) - Switch systemd unit to forking, reports error on startup (#1774028)
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 2.84-2 * Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.84-2
- Rebuilt for updated systemd-rpm-macros - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
See https://pagure.io/fesco/issue/2583.
* Tue Jan 26 2021 Petr Menšík <pemensik@redhat.com> - 2.84-1 * Tue Jan 26 2021 Petr Menšík <pemensik@redhat.com> - 2.84-1
- Update to 2.84 - Update to 2.84

Write Preview
Loading…
Cancel
Save