From 3f9ead3eafd1fc8f6beed4c634d8b10322715f3a Mon Sep 17 00:00:00 2001 From: Lienol <23146169+Lienol@users.noreply.github.com> Date: Fri, 5 Jul 2024 16:56:24 +0800 Subject: [PATCH] dnsmasq: Update to 2.90 --- package/network/services/dnsmasq/Makefile | 10 +- .../services/dnsmasq/files/dnsmasq.init | 9 +- ...ous-resource-limit-exceeded-messages.patch | 43 +++++++ ...introduced-in-51471cafa5a4fa44d6fe49.patch | 31 +++++ ...00-remove-old-runtime-kernel-support.patch | 8 +- .../dnsmasq/patches/200-ubus_dns.patch | 106 +++++++++--------- .../patches/911-filter-https+unknown.patch | 45 ++++---- 7 files changed, 161 insertions(+), 91 deletions(-) create mode 100644 package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch create mode 100644 package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 7fd293432a..384c03d7ae 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_UPSTREAM_VERSION:=2.89 +PKG_UPSTREAM_VERSION:=2.90 PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION))) -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz PKG_SOURCE_URL:=https://thekelleys.org.uk/dnsmasq/ -PKG_HASH:=02bd230346cf0b9d5909f5e151df168b2707103785eb616b56685855adebb609 +PKG_HASH:=8e50309bd837bfec9649a812e066c09b6988b73d749b7d293c06c57d46a109e4 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING @@ -24,6 +24,7 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_UPSTR PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 +PKG_BUILD_FLAGS:=lto PKG_ASLR_PIE_REGULAR:=1 PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \ CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6 \ @@ -133,9 +134,6 @@ endef Package/dnsmasq-dhcpv6/conffiles = $(Package/dnsmasq/conffiles) Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles) -TARGET_CFLAGS += -flto -TARGET_LDFLAGS += -flto=jobserver - COPTS = -DHAVE_UBUS -DHAVE_POLL_H \ $(if $(CONFIG_IPV6),,-DNO_IPV6) diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init index 664d16a06d..7c1ebbb0c2 100644 --- a/package/network/services/dnsmasq/files/dnsmasq.init +++ b/package/network/services/dnsmasq/files/dnsmasq.init @@ -557,6 +557,8 @@ dhcp_add() { config_get leasetime "$cfg" leasetime 12h config_get options "$cfg" options config_get_bool dynamicdhcp "$cfg" dynamicdhcp 1 + config_get_bool dynamicdhcpv4 "$cfg" dynamicdhcpv4 $dynamicdhcp + config_get_bool dynamicdhcpv6 "$cfg" dynamicdhcpv6 $dynamicdhcp config_get dhcpv4 "$cfg" dhcpv4 config_get dhcpv6 "$cfg" dhcpv6 @@ -586,12 +588,12 @@ dhcp_add() { # make sure the DHCP range is not empty if [ "$dhcpv4" != "disabled" ] && eval "$(ipcalc.sh "${subnet%%/*}" "$netmask" "$start" "$limit")" ; then - [ "$dynamicdhcp" = "0" ] && END="static" + [ "$dynamicdhcpv4" = "0" ] && END="static" xappend "--dhcp-range=$tags$nettag$START,$END,$NETMASK,$leasetime${options:+ $options}" fi - if [ "$dynamicdhcp" = "0" ] ; then + if [ "$dynamicdhcpv6" = "0" ] ; then dhcp6range="::,static" else dhcp6range="::1000,::ffff" @@ -1215,13 +1217,14 @@ dnsmasq_start() [ ! -e "$logfacility" ] && touch "$logfacility" procd_add_jail_mount_rw "$logfacility" esac + [ -e "$hostsfile" ] && procd_add_jail_mount $hostsfile procd_close_instance config_get_bool dns_redirect "$cfg" dns_redirect 0 config_get dns_port "$cfg" port 53 [ $dns_redirect = 1 ] && { - iptables -t nat -w -A PREROUTING -m comment --comment "Dnsmasq" -p udp --dport 53 -j REDIRECT --to-ports $dns_port + iptables -t nat -w -A PREROUTING -m comment --comment "Dnsmasq" -p udp --dport 53 -j REDIRECT --to-ports $dns_port 2>/dev/null ip6tables -t nat -w -A PREROUTING -m comment --comment "Dnsmasq" -p udp --dport 53 -j REDIRECT --to-ports $dns_port 2>/dev/null } } diff --git a/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch b/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch new file mode 100644 index 0000000000..f25ee20413 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0001-Fix-spurious-resource-limit-exceeded-messages.patch @@ -0,0 +1,43 @@ +From 1ed783b8d7343c42910a61f12a8fc6237eb80417 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Mon, 19 Feb 2024 12:22:43 +0000 +Subject: Fix spurious "resource limit exceeded" messages. + +Replies from upstream with a REFUSED rcode can result in +log messages stating that a resource limit has been exceeded, +which is not the case. + +Thanks to Dominik Derigs and the Pi-hole project for +spotting this. +--- + CHANGELOG | 5 +++++ + src/forward.c | 6 +++--- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -1,3 +1,8 @@ ++version 2.91 ++ Fix spurious "resource limit exceeded messages". Thanks to ++ Dominik Derigs for the bug report. ++ ++ + version 2.90 + Fix reversion in --rev-server introduced in 2.88 which + caused breakage if the prefix length is not exactly divisible +--- a/src/forward.c ++++ b/src/forward.c +@@ -937,10 +937,10 @@ static void dnssec_validate(struct frec + status = dnssec_validate_reply(now, header, plen, daemon->namebuff, daemon->keyname, &forward->class, + !option_bool(OPT_DNSSEC_IGN_NS) && (forward->sentto->flags & SERV_DO_DNSSEC), + NULL, NULL, NULL, &orig->validate_counter); +- } + +- if (STAT_ISEQUAL(status, STAT_ABANDONED)) +- log_resource = 1; ++ if (STAT_ISEQUAL(status, STAT_ABANDONED)) ++ log_resource = 1; ++ } + + /* Can't validate, as we're missing key data. Put this + answer aside, whilst we get that. */ diff --git a/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch b/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch new file mode 100644 index 0000000000..5c50ae8446 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0002-PATCH-Fix-error-introduced-in-51471cafa5a4fa44d6fe49.patch @@ -0,0 +1,31 @@ +From ccff85ad72d2f858d9743d40525128e4f62d41a8 Mon Sep 17 00:00:00 2001 +From: renmingshuai +Date: Wed, 21 Feb 2024 00:24:25 +0000 +Subject: [PATCH] Fix error introduced in + 51471cafa5a4fa44d6fe490885d9910bd72a5907 + +Signed-off-by: renmingshuai +--- + src/dnssec.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -1547,7 +1547,7 @@ static int prove_non_existence_nsec3(str + nsecs[i] = NULL; /* Speculative, will be restored if OK. */ + + if (!(p = skip_name(nsec3p, header, plen, 15))) +- return 0; /* bad packet */ ++ return DNSSEC_FAIL_BADPACKET; /* bad packet */ + + p += 10; /* type, class, TTL, rdlen */ + +@@ -1640,7 +1640,7 @@ static int prove_non_existence_nsec3(str + if (!wildname) + { + if (!(wildcard = strchr(next_closest, '.')) || wildcard == next_closest) +- return 0; ++ return DNSSEC_FAIL_NONSEC; + + wildcard--; + *wildcard = '*'; diff --git a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch index 59b8d02c0e..26c1b463b9 100644 --- a/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch +++ b/package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch @@ -13,7 +13,7 @@ Signed-off-by: Kevin Darbyshire-Bryant --- a/src/dnsmasq.c +++ b/src/dnsmasq.c -@@ -103,10 +103,6 @@ int main (int argc, char **argv) +@@ -105,10 +105,6 @@ int main (int argc, char **argv) read_opts(argc, argv, compile_opts); @@ -26,7 +26,7 @@ Signed-off-by: Kevin Darbyshire-Bryant --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1248,7 +1248,7 @@ extern struct daemon { +@@ -1277,7 +1277,7 @@ extern struct daemon { int inotifyfd; #endif #if defined(HAVE_LINUX_NETWORK) @@ -35,7 +35,7 @@ Signed-off-by: Kevin Darbyshire-Bryant #elif defined(HAVE_BSD_NETWORK) int dhcp_raw_fd, dhcp_icmp_fd, routefd; #endif -@@ -1453,9 +1453,6 @@ int read_write(int fd, unsigned char *pa +@@ -1491,9 +1491,6 @@ int read_write(int fd, unsigned char *pa void close_fds(long max_fd, int spare1, int spare2, int spare3); int wildcard_match(const char* wildcard, const char* match); int wildcard_matchn(const char* wildcard, const char* match, int num); @@ -140,7 +140,7 @@ Signed-off-by: Kevin Darbyshire-Bryant my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno)); --- a/src/util.c +++ b/src/util.c -@@ -855,22 +855,3 @@ int wildcard_matchn(const char* wildcard +@@ -866,22 +866,3 @@ int wildcard_matchn(const char* wildcard return (!num) || (*wildcard == *match); } diff --git a/package/network/services/dnsmasq/patches/200-ubus_dns.patch b/package/network/services/dnsmasq/patches/200-ubus_dns.patch index 8a70bb8bdf..72acbaeba9 100644 --- a/package/network/services/dnsmasq/patches/200-ubus_dns.patch +++ b/package/network/services/dnsmasq/patches/200-ubus_dns.patch @@ -1,6 +1,19 @@ +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -2021,6 +2021,10 @@ static void check_dns_listeners(time_t n + daemon->pipe_to_parent = pipefd[1]; + } + ++#ifdef HAVE_UBUS ++ drop_ubus_listeners(); ++#endif ++ + /* start with no upstream connections. */ + for (s = daemon->servers; s; s = s->next) + s->tcpfd = -1; --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1631,14 +1631,26 @@ void emit_dbus_signal(int action, struct +@@ -1670,14 +1670,26 @@ void emit_dbus_signal(int action, struct /* ubus.c */ #ifdef HAVE_UBUS @@ -11,6 +24,7 @@ void set_ubus_listeners(void); void check_ubus_listeners(void); +void drop_ubus_listeners(void); ++int ubus_dns_notify_has_subscribers(void); +struct blob_buf *ubus_dns_notify_prepare(void); +int ubus_dns_notify(const char *type, ubus_dns_notify_cb cb, void *priv); void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface); @@ -19,14 +33,24 @@ void ubus_event_bcast_connmark_allowlist_resolved(u32 mark, const char *pattern, const char *ip, u32 ttl); # endif +#else -+struct blob_buf; -+static inline struct blob_buf *ubus_dns_notify_prepare(void) ++static inline int ubus_dns_notify_has_subscribers(void) +{ -+ return NULL; ++ return 0; +} #endif /* ipset.c */ +--- a/src/forward.c ++++ b/src/forward.c +@@ -803,7 +803,7 @@ static size_t process_reply(struct dns_h + cache_secure = 0; + } + +- if (daemon->doctors && do_doctor(header, n, daemon->namebuff)) ++ if ((daemon->doctors || ubus_dns_notify_has_subscribers()) && do_doctor(header, n, daemon->namebuff)) + cache_secure = 0; + + /* check_for_bogus_wildcard() does it's own caching, so --- a/src/rfc1035.c +++ b/src/rfc1035.c @@ -13,8 +13,10 @@ @@ -41,7 +65,7 @@ int extract_name(struct dns_header *header, size_t plen, unsigned char **pp, char *name, int isExtract, int extrabytes) -@@ -394,9 +396,64 @@ static int private_net6(struct in6_addr +@@ -384,10 +386,65 @@ static int private_net6(struct in6_addr ((u32 *)a)[0] == htonl(0x20010db8); /* RFC 6303 4.6 */ } @@ -100,14 +124,15 @@ +} +#endif + - static unsigned char *do_doctor(unsigned char *p, int count, struct dns_header *header, size_t qlen, int *doctored) + int do_doctor(struct dns_header *header, size_t qlen, char *namebuff) { + unsigned char *p; - int i, qtype, qclass, rdlen; + int i, qtype, qclass, rdlen, ttl; - - for (i = count; i != 0; i--) - { -@@ -405,7 +462,7 @@ static unsigned char *do_doctor(unsigned + int done = 0; + + if (!(p = skip_questions(header, qlen))) +@@ -404,7 +461,7 @@ int do_doctor(struct dns_header *header, GETSHORT(qtype, p); GETSHORT(qclass, p); @@ -116,50 +141,31 @@ GETSHORT(rdlen, p); if (qclass == C_IN && qtype == T_A) -@@ -416,6 +473,9 @@ static unsigned char *do_doctor(unsigned +@@ -415,6 +472,9 @@ int do_doctor(struct dns_header *header, if (!CHECK_LEN(header, p, qlen, INADDRSZ)) - return 0; + return done; + if (ubus_dns_doctor(daemon->namebuff, ttl, p, AF_INET)) -+ *doctored = 1; ++ header->hb3 &= ~HB3_AA; + /* alignment */ - memcpy(&addr, p, INADDRSZ); + memcpy(&addr.addr4, p, INADDRSZ); -@@ -433,13 +493,22 @@ static unsigned char *do_doctor(unsigned - addr.s_addr &= ~doctor->mask.s_addr; - addr.s_addr |= (doctor->out.s_addr & doctor->mask.s_addr); - /* Since we munged the data, the server it came from is no longer authoritative */ -- header->hb3 &= ~HB3_AA; - *doctored = 1; - memcpy(p, &addr, INADDRSZ); +@@ -444,6 +504,14 @@ int do_doctor(struct dns_header *header, break; } } -- + else if (qclass == C_IN && qtype == T_AAAA) + { + if (!CHECK_LEN(header, p, qlen, IN6ADDRSZ)) + return 0; + + if (ubus_dns_doctor(daemon->namebuff, ttl, p, AF_INET6)) -+ *doctored = 1; ++ header->hb3 &= ~HB3_AA; + } -+ -+ if (*doctored) -+ header->hb3 &= ~HB3_AA; + if (!ADD_RDLEN(header, p, qlen, rdlen)) - return 0; /* bad packet */ - } -@@ -570,7 +639,7 @@ int extract_addresses(struct dns_header - cache_start_insert(); - - /* find_soa is needed for dns_doctor side effects, so don't call it lazily if there are any. */ -- if (daemon->doctors || option_bool(OPT_DNSSEC_VALID)) -+ if (daemon->doctors || option_bool(OPT_DNSSEC_VALID) || ubus_dns_notify_prepare()) - { - searched_soa = 1; - ttl = find_soa(header, qlen, doctored); + return done; /* bad packet */ --- a/src/ubus.c +++ b/src/ubus.c @@ -72,6 +72,13 @@ static struct ubus_object ubus_object = @@ -210,21 +216,24 @@ + return; + + ubus_free(ubus); -+ ubus = NULL; ++ daemon->ubus = NULL; +} + static int ubus_handle_metrics(struct ubus_context *ctx, struct ubus_object *obj, struct ubus_request_data *req, const char *method, struct blob_attr *msg) -@@ -328,6 +354,50 @@ fail: +@@ -328,6 +354,53 @@ fail: } \ } while (0) ++int ubus_dns_notify_has_subscribers(void) ++{ ++ return (daemon->ubus && ubus_dns_object.has_subscribers); ++} ++ +struct blob_buf *ubus_dns_notify_prepare(void) +{ -+ struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; -+ -+ if (!ubus || !ubus_dns_object.has_subscribers) ++ if (!ubus_dns_notify_has_subscribers()) + return NULL; + + blob_buf_init(&b, 0); @@ -267,16 +276,3 @@ void ubus_event_bcast(const char *type, const char *mac, const char *ip, const char *name, const char *interface) { struct ubus_context *ubus = (struct ubus_context *)daemon->ubus; ---- a/src/dnsmasq.c -+++ b/src/dnsmasq.c -@@ -2003,6 +2003,10 @@ static void check_dns_listeners(time_t n - daemon->pipe_to_parent = pipefd[1]; - } - -+#ifdef HAVE_UBUS -+ drop_ubus_listeners(); -+#endif -+ - /* start with no upstream connections. */ - for (s = daemon->servers; s; s = s->next) - s->tcpfd = -1; diff --git a/package/network/services/dnsmasq/patches/911-filter-https+unknown.patch b/package/network/services/dnsmasq/patches/911-filter-https+unknown.patch index 6e3b2e0124..772d6c1b48 100644 --- a/package/network/services/dnsmasq/patches/911-filter-https+unknown.patch +++ b/package/network/services/dnsmasq/patches/911-filter-https+unknown.patch @@ -34,9 +34,9 @@ --- a/src/dnsmasq.h +++ b/src/dnsmasq.h @@ -282,7 +282,9 @@ struct event_desc { - #define OPT_STRIP_MAC 70 - #define OPT_NORR 71 - #define OPT_NO_IDENT 72 + #define OPT_NO_IDENT 70 + #define OPT_CACHE_RR 71 + #define OPT_LOCALHOST_SERVICE 72 -#define OPT_LAST 73 +#define OPT_FILTER_HTTPS 73 +#define OPT_FILTER_UNKNOWN 74 @@ -57,28 +57,28 @@ union all_addr *addr, time_t now, --- a/src/option.c +++ b/src/option.c -@@ -186,6 +186,8 @@ struct myoption { - #define LOPT_STALE_CACHE 377 - #define LOPT_NORR 378 - #define LOPT_NO_IDENT 379 -+#define LOPT_FILTER_HTTPS 380 -+#define LOPT_FILTER_UNKNOWN 381 +@@ -192,6 +192,8 @@ struct myoption { + #define LOPT_NO_DHCP4 383 + #define LOPT_MAX_PROCS 384 + #define LOPT_DNSSEC_LIMITS 385 ++#define LOPT_FILTER_HTTPS 386 ++#define LOPT_FILTER_UNKNOWN 387 #ifdef HAVE_GETOPT_LONG static const struct option opts[] = -@@ -376,6 +378,8 @@ static const struct myoption opts[] = - { "fast-dns-retry", 2, 0, LOPT_FAST_RETRY }, +@@ -388,6 +390,8 @@ static const struct myoption opts[] = { "use-stale-cache", 2, 0 , LOPT_STALE_CACHE }, { "no-ident", 0, 0, LOPT_NO_IDENT }, + { "max-tcp-connections", 1, 0, LOPT_MAX_PROCS }, + { "filter-https", 0, 0, LOPT_FILTER_HTTPS }, + { "filter-unknown", 0, 0, LOPT_FILTER_UNKNOWN }, { NULL, 0, 0, 0 } }; -@@ -573,6 +577,8 @@ static struct { - { LOPT_QUIET_TFTP, OPT_QUIET_TFTP, NULL, gettext_noop("Do not log routine TFTP."), NULL }, - { LOPT_NORR, OPT_NORR, NULL, gettext_noop("Suppress round-robin ordering of DNS records."), NULL }, +@@ -591,6 +595,8 @@ static struct { { LOPT_NO_IDENT, OPT_NO_IDENT, NULL, gettext_noop("Do not add CHAOS TXT records."), NULL }, + { LOPT_CACHE_RR, ARG_DUP, "", gettext_noop("Cache this DNS resource record type."), NULL }, + { LOPT_MAX_PROCS, ARG_ONE, "", gettext_noop("Maximum number of concurrent tcp connections."), NULL }, + { LOPT_FILTER_HTTPS, OPT_FILTER_HTTPS, NULL, gettext_noop("Filter all HTTPS/query type 65 requests."), NULL }, + { LOPT_FILTER_UNKNOWN, OPT_FILTER_UNKNOWN, NULL, gettext_noop("Filter all unknown query types (known are defined in cache.c)."), NULL }, { 0, 0, NULL, NULL, NULL } @@ -86,16 +86,16 @@ --- a/src/rfc1035.c +++ b/src/rfc1035.c -@@ -2149,6 +2149,24 @@ size_t answer_request(struct dns_header +@@ -2316,6 +2316,23 @@ size_t answer_request(struct dns_header } } - + } ++ + //patch to filter https/query type 65 forwards + if (qtype == T_HTTPS && option_bool(OPT_FILTER_HTTPS) ){ + //return a null reply + ans = 1; -+ if (!dryrun) log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL, 0); -+ break; ++ log_query(F_CONFIG | F_IPV4 | F_NEG, name, &addr, NULL, 0); + } + //end of patch + //patch to filter all unknown query types @@ -103,11 +103,10 @@ + if (is_query_type_unknown(qtype) && option_bool(OPT_FILTER_UNKNOWN)) { + //return a null reply + ans = 1; -+ if (!dryrun) log_query(F_CONFIG | F_NEG, name, NULL, NULL, 0); -+ break; ++ log_query(F_CONFIG | F_NEG, name, NULL, NULL, 0); + } + //end of patch + - if (!ans) - return 0; /* failed to answer a question */ - } + + if (!ans) + return 0; /* failed to answer a question */