OpenWrt/Lienol-openwrt
1
0
Fork 0
mirror of https://github.com/Lienol/openwrt synced 2025-01-07 03:06:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

dnsmasq: Update to 2.90

Browse Source
This commit is contained in:
Lienol 2024-07-05 16:56:24 +08:00
parent 6652508292
commit 3f9ead3eaf
7 changed files with 161 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
package/network/services/dnsmasq/Makefile
View File

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
PKG_UPSTREAM_VERSION:=2.89
PKG_UPSTREAM_VERSION:=2.90
PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
PKG_RELEASE:=$(AUTORELEASE)
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/
PKG_HASH:=02bd230346cf0b9d5909f5e151df168b2707103785eb616b56685855adebb609
PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
@ -24,6 +24,7 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_UPSTR
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_BUILD_FLAGS:=lto
PKG_ASLR_PIE_REGULAR:=1
PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6 \
@ -133,9 +134,6 @@ endef
Package/dnsmasq-dhcpv6/conffiles = $(Package/dnsmasq/conffiles)
Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles)
TARGET_CFLAGS += -flto
TARGET_LDFLAGS += -flto=jobserver
COPTS = -DHAVE_UBUS -DHAVE_POLL_H \
$(if $(CONFIG_IPV6),,-DNO_IPV6)

9
package/network/services/dnsmasq/files/dnsmasq.init
View File

@ -557,6 +557,8 @@ dhcp_add() {
config_get leasetime "$cfg" leasetime 12h
config_get options "$cfg" options
config_get_bool dynamicdhcp "$cfg" dynamicdhcp 1
config_get_bool dynamicdhcpv4 "$cfg" dynamicdhcpv4 $dynamicdhcp
config_get_bool dynamicdhcpv6 "$cfg" dynamicdhcpv6 $dynamicdhcp
config_get dhcpv4 "$cfg" dhcpv4
config_get dhcpv6 "$cfg" dhcpv6
@ -586,12 +588,12 @@ dhcp_add() {
# make sure the DHCP range is not empty
if [ "$dhcpv4" != "disabled" ] && eval "$(ipcalc.sh "${subnet%%/*}" "$netmask" "$start" "$limit")" ; then
[ "$dynamicdhcp" = "0" ] && END="static"
[ "$dynamicdhcpv4" = "0" ] && END="static"
xappend "--dhcp-range=$tags$nettag$START,$END,$NETMASK,$leasetime${options:+ $options}"
fi
if [ "$dynamicdhcp" = "0" ] ; then
if [ "$dynamicdhcpv6" = "0" ] ; then
dhcp6range="::,static"
else
dhcp6range="::1000,::ffff"
@ -1215,13 +1217,14 @@ dnsmasq_start()
[ ! -e "$logfacility" ] && touch "$logfacility"
procd_add_jail_mount_rw "$logfacility"
esac
[ -e "$hostsfile" ] && procd_add_jail_mount $hostsfile
procd_close_instance
config_get_bool dns_redirect "$cfg" dns_redirect 0
config_get dns_port "$cfg" port 53
[ $dns_redirect = 1 ] && {
iptables -t nat -w -A PREROUTING -m comment --comment "Dnsmasq" -p udp --dport 53 -j REDIRECT --to-ports $dns_port
iptables -t nat -w -A PREROUTING -m comment --comment "Dnsmasq" -p udp --dport 53 -j REDIRECT --to-ports $dns_port 2>/dev/null
ip6tables -t nat -w -A PREROUTING -m comment --comment "Dnsmasq" -p udp --dport 53 -j REDIRECT --to-ports $dns_port 2>/dev/null
}
}

43
package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch Normal file
View File

@ -0,0 +1,43 @@
From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 19 Feb 2024 12:22:43 +0000
Subject: Fix spurious "resource limit exceeded" messages.
Replies from upstream with a REFUSED rcode can result in
log messages stating that a resource limit has been exceeded,
which is not the case.
Thanks to Dominik Derigs and the Pi-hole project for
spotting this.
---
CHANGELOG | 5 +++++
src/forward.c | 6 +++---
2 files changed, 8 insertions(+), 3 deletions(-)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+version 2.91
+ Fix spurious "resource limit exceeded messages". Thanks to
+ Dominik Derigs for the bug report.
+
+
version 2.90
Fix reversion in --rev-server introduced in 2.88 which
caused breakage if the prefix length is not exactly divisible
--- a/src/forward.c
+++ b/src/forward.c
@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec
status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class,
!option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC),
NULL, NULL, NULL, &orig->validate_counter);
- }
- if (STAT_ISEQUAL(status, STAT_ABANDONED))
- log_resource = 1;
+ if (STAT_ISEQUAL(status, STAT_ABANDONED))
+ log_resource = 1;
+ }
/* Can't validate, as we're missing key data. Put this
answer aside, whilst we get that. */

31
package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch Normal file
View File

@ -0,0 +1,31 @@
From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001
From: renmingshuai <renmingshuai@huawei.com>
Date: Wed, 21 Feb 2024 00:24:25 +0000
Subject: [PATCH] Fix error introduced in
51471cafa5a4fa44d6fe490885d9910bd72a5907
Signed-off-by: renmingshuai <renmingshuai@huawei.com>
---
src/dnssec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(str
nsecs[i] = NULL; /* Speculative, will be restored if OK. */
if (!(p = skip_name(nsec3p, header, plen, 15)))
- return 0; /* bad packet */
+ return DNSSEC_FAIL_BADPACKET; /* bad packet */
p += 10; /* type, class, TTL, rdlen */
@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(str
if (!wildname)
{
if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest)
- return 0;
+ return DNSSEC_FAIL_NONSEC;
wildcard--;
*wildcard = '*';

8
package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch
View File

@ -13,7 +13,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -103,10 +103,6 @@ int main (int argc, char **argv)
@@ -105,10 +105,6 @@ int main (int argc, char **argv)
read_opts(argc, argv, compile_opts);
@ -26,7 +26,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1248,7 +1248,7 @@ extern struct daemon {
@@ -1277,7 +1277,7 @@ extern struct daemon {
int inotifyfd;
#endif
#if defined(HAVE_LINUX_NETWORK)
@ -35,7 +35,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
#elif defined(HAVE_BSD_NETWORK)
int dhcp_raw_fd, dhcp_icmp_fd, routefd;
#endif
@@ -1453,9 +1453,6 @@ int read_write(int fd, unsigned char *pa
@@ -1491,9 +1491,6 @@ int read_write(int fd, unsigned char *pa
void close_fds(long max_fd, int spare1, int spare2, int spare3);
int wildcard_match(const char* wildcard, const char* match);
int wildcard_matchn(const char* wildcard, const char* match, int num);
@ -140,7 +140,7 @@ Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
--- a/src/util.c
+++ b/src/util.c
@@ -855,22 +855,3 @@ int wildcard_matchn(const char* wildcard
@@ -866,22 +866,3 @@ int wildcard_matchn(const char* wildcard
return (!num) || (*wildcard == *match);
}

106
package/network/services/dnsmasq/patches/200-ubus_dns.patch
View File

@ -1,6 +1,19 @@
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -2021,6 +2021,10 @@ static void check_dns_listeners(time_t n
daemon->pipe_to_parent = pipefd[1];
}
+#ifdef HAVE_UBUS
+ drop_ubus_listeners();
+#endif
+
/* start with no upstream connections. */
for (s = daemon->servers; s; s = s->next)
s->tcpfd = -1;
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1631,14 +1631,26 @@ void emit_dbus_signal(int action, struct
@@ -1670,14 +1670,26 @@ void emit_dbus_signal(int action, struct
/* ubus.c */
#ifdef HAVE_UBUS
@ -11,6 +24,7 @@
void set_ubus_listeners(void);
void check_ubus_listeners(void);
+void drop_ubus_listeners(void);
+int ubus_dns_notify_has_subscribers(void);
+struct blob_buf *ubus_dns_notify_prepare(void);
+int ubus_dns_notify(const char *type, ubus_dns_notify_cb cb, void *priv);
void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface);
@ -19,14 +33,24 @@
void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *pattern, const char *ip, u32 ttl);
# endif
+#else
+struct blob_buf;
+static inline struct blob_buf *ubus_dns_notify_prepare(void)
+static inline int ubus_dns_notify_has_subscribers(void)
+{
+ return NULL;
+ return 0;
+}
#endif
/* ipset.c */
--- a/src/forward.c
+++ b/src/forward.c
@@ -803,7 +803,7 @@ static size_t process_reply(struct dns_h
cache_secure = 0;
}
- if (daemon->doctors && do_doctor(header, n, daemon->namebuff))
+ if ((daemon->doctors || ubus_dns_notify_has_subscribers()) && do_doctor(header, n, daemon->namebuff))
cache_secure = 0;
/* check_for_bogus_wildcard() does it's own caching, so
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -13,8 +13,10 @@
@ -41,7 +65,7 @@
int extract_name(struct dns_header *header, size_t plen, unsigned char **pp,
char *name, int isExtract, int extrabytes)
@@ -394,9 +396,64 @@ static int private_net6(struct in6_addr
@@ -384,10 +386,65 @@ static int private_net6(struct in6_addr
((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */
}
@ -100,14 +124,15 @@
+}
+#endif
+
static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, int *doctored)
int do_doctor(struct dns_header *header, size_t qlen, char *namebuff)
{
unsigned char *p;
- int i, qtype, qclass, rdlen;
+ int i, qtype, qclass, rdlen, ttl;
for (i = count; i != 0; i--)
{
@@ -405,7 +462,7 @@ static unsigned char *do_doctor(unsigned
int done = 0;
if (!(p = skip_questions(header, qlen)))
@@ -404,7 +461,7 @@ int do_doctor(struct dns_header *header,
GETSHORT(qtype, p);
GETSHORT(qclass, p);
@ -116,50 +141,31 @@
GETSHORT(rdlen, p);
if (qclass == C_IN && qtype == T_A)
@@ -416,6 +473,9 @@ static unsigned char *do_doctor(unsigned
@@ -415,6 +472,9 @@ int do_doctor(struct dns_header *header,
if (!CHECK_LEN(header, p, qlen, INADDRSZ))
return 0;
return done;
+ if (ubus_dns_doctor(daemon->namebuff, ttl, p, AF_INET))
+ *doctored = 1;
+ header->hb3 &= ~HB3_AA;
+
/* alignment */
memcpy(&addr, p, INADDRSZ);
memcpy(&addr.addr4, p, INADDRSZ);
@@ -433,13 +493,22 @@ static unsigned char *do_doctor(unsigned
addr.s_addr &= ~doctor->mask.s_addr;
addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr);
/* Since we munged the data, the server it came from is no longer authoritative */
- header->hb3 &= ~HB3_AA;
*doctored = 1;
memcpy(p, &addr, INADDRSZ);
@@ -444,6 +504,14 @@ int do_doctor(struct dns_header *header,
break;
}
}
-
+ else if (qclass == C_IN && qtype == T_AAAA)
+ {
+ if (!CHECK_LEN(header, p, qlen, IN6ADDRSZ))
+ return 0;
+
+ if (ubus_dns_doctor(daemon->namebuff, ttl, p, AF_INET6))
+ *doctored = 1;
+ header->hb3 &= ~HB3_AA;
+ }
+
+ if (*doctored)
+ header->hb3 &= ~HB3_AA;
if (!ADD_RDLEN(header, p, qlen, rdlen))
return 0; /* bad packet */
}
@@ -570,7 +639,7 @@ int extract_addresses(struct dns_header
cache_start_insert();
/* find_soa is needed for dns_doctor side effects, so don't call it lazily if there are any. */
- if (daemon->doctors || option_bool(OPT_DNSSEC_VALID))
+ if (daemon->doctors || option_bool(OPT_DNSSEC_VALID) || ubus_dns_notify_prepare())
{
searched_soa = 1;
ttl = find_soa(header, qlen, doctored);
return done; /* bad packet */
--- a/src/ubus.c
+++ b/src/ubus.c
@@ -72,6 +72,13 @@ static struct ubus_object ubus_object =
@ -210,21 +216,24 @@
+ return;
+
+ ubus_free(ubus);
+ ubus = NULL;
+ daemon->ubus = NULL;
+}
+
static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,
struct blob_attr *msg)
@@ -328,6 +354,50 @@ fail:
@@ -328,6 +354,53 @@ fail:
} \
} while (0)
+int ubus_dns_notify_has_subscribers(void)
+{
+ return (daemon->ubus && ubus_dns_object.has_subscribers);
+}
+
+struct blob_buf *ubus_dns_notify_prepare(void)
+{
+ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
+
+ if (!ubus || !ubus_dns_object.has_subscribers)
+ if (!ubus_dns_notify_has_subscribers())
+ return NULL;
+
+ blob_buf_init(&b, 0);
@ -267,16 +276,3 @@
void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface)
{
struct ubus_context *ubus = (struct ubus_context *)daemon->ubus;
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -2003,6 +2003,10 @@ static void check_dns_listeners(time_t n
daemon->pipe_to_parent = pipefd[1];
}
+#ifdef HAVE_UBUS
+ drop_ubus_listeners();
+#endif
+
/* start with no upstream connections. */
for (s = daemon->servers; s; s = s->next)
s->tcpfd = -1;

45
package/network/services/dnsmasq/patches/911-filter-https+unknown.patch
View File

@ -34,9 +34,9 @@
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -282,7 +282,9 @@ struct event_desc {
#define OPT_STRIP_MAC 70
#define OPT_NORR 71
#define OPT_NO_IDENT 72
#define OPT_NO_IDENT 70
#define OPT_CACHE_RR 71
#define OPT_LOCALHOST_SERVICE 72
-#define OPT_LAST 73
+#define OPT_FILTER_HTTPS 73
+#define OPT_FILTER_UNKNOWN 74
@ -57,28 +57,28 @@
union all_addr *addr, time_t now,
--- a/src/option.c
+++ b/src/option.c
@@ -186,6 +186,8 @@ struct myoption {
#define LOPT_STALE_CACHE 377
#define LOPT_NORR 378
#define LOPT_NO_IDENT 379
+#define LOPT_FILTER_HTTPS 380
+#define LOPT_FILTER_UNKNOWN 381
@@ -192,6 +192,8 @@ struct myoption {
#define LOPT_NO_DHCP4 383
#define LOPT_MAX_PROCS 384
#define LOPT_DNSSEC_LIMITS 385
+#define LOPT_FILTER_HTTPS 386
+#define LOPT_FILTER_UNKNOWN 387
#ifdef HAVE_GETOPT_LONG
static const struct option opts[] =
@@ -376,6 +378,8 @@ static const struct myoption opts[] =
{ "fast-dns-retry", 2, 0, LOPT_FAST_RETRY },
@@ -388,6 +390,8 @@ static const struct myoption opts[] =
{ "use-stale-cache", 2, 0 , LOPT_STALE_CACHE },
{ "no-ident", 0, 0, LOPT_NO_IDENT },
{ "max-tcp-connections", 1, 0, LOPT_MAX_PROCS },
+ { "filter-https", 0, 0, LOPT_FILTER_HTTPS },
+ { "filter-unknown", 0, 0, LOPT_FILTER_UNKNOWN },
{ NULL, 0, 0, 0 }
};
@@ -573,6 +577,8 @@ static struct {
{ LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL },
{ LOPT_NORR, OPT_NORR, NULL, gettext_noop("Suppress round-robin ordering of DNS records."), NULL },
@@ -591,6 +595,8 @@ static struct {
{ LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not add CHAOS TXT records."), NULL },
{ LOPT_CACHE_RR, ARG_DUP, "<RR-type>", gettext_noop("Cache this DNS resource record type."), NULL },
{ LOPT_MAX_PROCS, ARG_ONE, "<integer>", gettext_noop("Maximum number of concurrent tcp connections."), NULL },
+ { LOPT_FILTER_HTTPS, OPT_FILTER_HTTPS, NULL, gettext_noop("Filter all HTTPS/query type 65 requests."), NULL },
+ { LOPT_FILTER_UNKNOWN, OPT_FILTER_UNKNOWN, NULL, gettext_noop("Filter all unknown query types (known are defined in cache.c)."), NULL },
{ 0, 0, NULL, NULL, NULL }
@ -86,16 +86,16 @@
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -2149,6 +2149,24 @@ size_t answer_request(struct dns_header
@@ -2316,6 +2316,23 @@ size_t answer_request(struct dns_header
}
}
}
+
+ //patch to filter https/query type 65 forwards
+ if (qtype == T_HTTPS && option_bool(OPT_FILTER_HTTPS) ){
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL, 0);
+ break;
+ log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL, 0);
+ }
+ //end of patch
+ //patch to filter all unknown query types
@ -103,11 +103,10 @@
+ if (is_query_type_unknown(qtype) && option_bool(OPT_FILTER_UNKNOWN)) {
+ //return a null reply
+ ans = 1;
+ if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL, 0);
+ break;
+ log_query(F_CONFIG | F_NEG, name, NULL, NULL, 0);
+ }
+ //end of patch
+
if (!ans)
return 0; /* failed to answer a question */
}
if (!ans)
return 0; /* failed to answer a question */