diff options
12 files changed, 1172 insertions, 8 deletions
diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile index 60ed9ed6fb..7fa61ad04f 100644 --- a/package/network/services/dnsmasq/Makefile +++ b/package/network/services/dnsmasq/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsmasq -PKG_VERSION:=2.79 -PKG_RELEASE:=4 +PKG_VERSION:=2.80test2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/ -PKG_HASH:=78ad74f5ca14fd85a8bac93f764cd9d60b27579e90eabd3687ca7b030e67861f +PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq/test-releases +PKG_HASH:=e731666094699afcbad947f89f7f8afbf92e5ddc3c915459d4936159d81116f0 PKG_LICENSE:=GPL-2.0 PKG_LICENSE_FILES:=COPYING diff --git a/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch new file mode 100644 index 0000000000..0924a92e33 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0001-Be-persistent-with-broken-upstream-DNSSEC-warnings.patch @@ -0,0 +1,26 @@ +From f84e674d8aa2316fea8d2145a40fcef0441e3856 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 4 May 2018 16:29:57 +0100 +Subject: [PATCH 01/10] Be persistent with broken-upstream-DNSSEC warnings. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/dnssec.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -876,12 +876,7 @@ int dnssec_validate_ds(time_t now, struc + + if (rc == STAT_INSECURE) + { +- static int reported = 0; +- if (!reported) +- { +- reported = 1; +- my_syslog(LOG_WARNING, _("Insecure DS reply received, do upstream DNS servers support DNSSEC?")); +- } ++ my_syslog(LOG_WARNING, _("Insecure DS reply received, do upstream DNS servers support DNSSEC?")); + rc = STAT_BOGUS; + } + diff --git a/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch new file mode 100644 index 0000000000..12c405945d --- /dev/null +++ b/package/network/services/dnsmasq/patches/0002-Fix-DHCP-broken-ness-when-no-ping-AND-dhcp-sequentia.patch @@ -0,0 +1,35 @@ +From 0669ee7a69a004ce34fed41e50aa575f8e04427b Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 4 May 2018 16:46:24 +0100 +Subject: [PATCH 02/10] Fix DHCP broken-ness when --no-ping AND + --dhcp-sequential-ip are set. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + CHANGELOG | 3 ++- + src/dhcp.c | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -14,7 +14,8 @@ version 2.80 + when the upstream namesevers do not support DNSSEC, and in this + case no DNSSEC validation at all is occuring. + +- ++ Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip ++ are set. Thanks to Daniel Miess for help with this. + + + version 2.79 +--- a/src/dhcp.c ++++ b/src/dhcp.c +@@ -678,7 +678,7 @@ struct ping_result *do_icmp_ping(time_t + if ((count >= max) || option_bool(OPT_NO_PING) || loopback) + { + /* overloaded, or configured not to check, loopback interface, return "not in use" */ +- dummy.hash = 0; ++ dummy.hash = hash; + return &dummy; + } + else if (icmp_ping(addr)) diff --git a/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch new file mode 100644 index 0000000000..150cd91c6a --- /dev/null +++ b/package/network/services/dnsmasq/patches/0003-Add-logging-for-DNS-error-returns-from-upstream-and-.patch @@ -0,0 +1,184 @@ +From 07ed585c38d8f7c0a18470d2e79cf46ea92ea96a Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 4 May 2018 21:52:22 +0100 +Subject: [PATCH 03/10] Add logging for DNS error returns from upstream and + local configuration. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/cache.c | 13 +++++++++++++ + src/dnsmasq.h | 7 ++++++- + src/forward.c | 25 +++++++++++++++++++------ + src/rfc1035.c | 19 ++++++++++++++----- + 4 files changed, 52 insertions(+), 12 deletions(-) + +--- a/src/cache.c ++++ b/src/cache.c +@@ -1598,6 +1598,19 @@ void log_query(unsigned int flags, char + { + if (flags & F_KEYTAG) + sprintf(daemon->addrbuff, arg, addr->addr.log.keytag, addr->addr.log.algo, addr->addr.log.digest); ++ else if (flags & F_RCODE) ++ { ++ unsigned int rcode = addr->addr.rcode.rcode; ++ ++ if (rcode == SERVFAIL) ++ dest = "SERVFAIL"; ++ else if (rcode == REFUSED) ++ dest = "REFUSED"; ++ else if (rcode == NOTIMP) ++ dest = "not implemented"; ++ else ++ sprintf(daemon->addrbuff, "%u", rcode); ++ } + else + { + #ifdef HAVE_IPV6 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -268,7 +268,11 @@ struct all_addr { + /* for log_query */ + struct { + unsigned short keytag, algo, digest; +- } log; ++ } log; ++ /* for log_query */ ++ struct { ++ unsigned int rcode; ++ } rcode; + /* for cache_insert of DNSKEY, DS */ + struct { + unsigned short class, type; +@@ -459,6 +463,7 @@ struct crec { + #define F_IPSET (1u<<26) + #define F_NOEXTRA (1u<<27) + #define F_SERVFAIL (1u<<28) ++#define F_RCODE (1u<<29) + + /* Values of uid in crecs with F_CONFIG bit set. */ + #define SRC_INTERFACE 0 +--- a/src/forward.c ++++ b/src/forward.c +@@ -563,6 +563,7 @@ static size_t process_reply(struct dns_h + unsigned char *pheader, *sizep; + char **sets = 0; + int munged = 0, is_sign; ++ unsigned int rcode = RCODE(header); + size_t plen; + + (void)ad_reqd; +@@ -593,6 +594,9 @@ static size_t process_reply(struct dns_h + + if ((pheader = find_pseudoheader(header, n, &plen, &sizep, &is_sign, NULL))) + { ++ /* Get extended RCODE. */ ++ rcode |= sizep[2] << 4; ++ + if (check_subnet && !check_source(header, plen, pheader, query_source)) + { + my_syslog(LOG_WARNING, _("discarding DNS reply: subnet option mismatch")); +@@ -641,11 +645,20 @@ static size_t process_reply(struct dns_h + if (!is_sign && !option_bool(OPT_DNSSEC_PROXY)) + header->hb4 &= ~HB4_AD; + +- if (OPCODE(header) != QUERY || (RCODE(header) != NOERROR && RCODE(header) != NXDOMAIN)) ++ if (OPCODE(header) != QUERY) + return resize_packet(header, n, pheader, plen); ++ ++ if (rcode != NOERROR && rcode != NXDOMAIN) ++ { ++ struct all_addr a; ++ a.addr.rcode.rcode = rcode; ++ log_query(F_UPSTREAM | F_RCODE, "error", &a, NULL); ++ ++ return resize_packet(header, n, pheader, plen); ++ } + + /* Complain loudly if the upstream server is non-recursive. */ +- if (!(header->hb4 & HB4_RA) && RCODE(header) == NOERROR && ++ if (!(header->hb4 & HB4_RA) && rcode == NOERROR && + server && !(server->flags & SERV_WARNED_RECURSIVE)) + { + prettyprint_addr(&server->addr, daemon->namebuff); +@@ -654,7 +667,7 @@ static size_t process_reply(struct dns_h + server->flags |= SERV_WARNED_RECURSIVE; + } + +- if (daemon->bogus_addr && RCODE(header) != NXDOMAIN && ++ if (daemon->bogus_addr && rcode != NXDOMAIN && + check_for_bogus_wildcard(header, n, daemon->namebuff, daemon->bogus_addr, now)) + { + munged = 1; +@@ -666,7 +679,7 @@ static size_t process_reply(struct dns_h + { + int doctored = 0; + +- if (RCODE(header) == NXDOMAIN && ++ if (rcode == NXDOMAIN && + extract_request(header, n, daemon->namebuff, NULL) && + check_for_local_domain(daemon->namebuff, now)) + { +@@ -1090,7 +1103,7 @@ void reply_query(int fd, int family, tim + if (status == STAT_BOGUS && extract_request(header, n, daemon->namebuff, NULL)) + domain = daemon->namebuff; + +- log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); ++ log_query(F_SECSTAT, domain, NULL, result); + } + + if (status == STAT_SECURE) +@@ -1948,7 +1961,7 @@ unsigned char *tcp_request(int confd, ti + if (status == STAT_BOGUS && extract_request(header, m, daemon->namebuff, NULL)) + domain = daemon->namebuff; + +- log_query(F_KEYTAG | F_SECSTAT, domain, NULL, result); ++ log_query(F_SECSTAT, domain, NULL, result); + + if (status == STAT_BOGUS) + { +--- a/src/rfc1035.c ++++ b/src/rfc1035.c +@@ -926,12 +926,11 @@ unsigned int extract_request(struct dns_ + return F_QUERY; + } + +- + size_t setup_reply(struct dns_header *header, size_t qlen, + struct all_addr *addrp, unsigned int flags, unsigned long ttl) + { + unsigned char *p; +- ++ + if (!(p = skip_questions(header, qlen))) + return 0; + +@@ -948,7 +947,12 @@ size_t setup_reply(struct dns_header *he + else if (flags == F_NXDOMAIN) + SET_RCODE(header, NXDOMAIN); + else if (flags == F_SERVFAIL) +- SET_RCODE(header, SERVFAIL); ++ { ++ struct all_addr a; ++ a.addr.rcode.rcode = SERVFAIL; ++ log_query(F_CONFIG | F_RCODE, "error", &a, NULL); ++ SET_RCODE(header, SERVFAIL); ++ } + else if (flags == F_IPV4) + { /* we know the address */ + SET_RCODE(header, NOERROR); +@@ -966,8 +970,13 @@ size_t setup_reply(struct dns_header *he + } + #endif + else /* nowhere to forward to */ +- SET_RCODE(header, REFUSED); +- ++ { ++ struct all_addr a; ++ a.addr.rcode.rcode = REFUSED; ++ log_query(F_CONFIG | F_RCODE, "error", &a, NULL); ++ SET_RCODE(header, REFUSED); ++ } ++ + return p - (unsigned char *)header; + } + diff --git a/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch b/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch new file mode 100644 index 0000000000..af4020b50b --- /dev/null +++ b/package/network/services/dnsmasq/patches/0004-Add-packet-dump-debugging-facility.patch @@ -0,0 +1,587 @@ +From 6b17335209639a56f214d011eaed4ebcde8dd276 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Tue, 8 May 2018 18:32:14 +0100 +Subject: [PATCH 04/10] Add packet-dump debugging facility. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + CHANGELOG | 6 ++ + Makefile | 2 +- + bld/Android.mk | 3 +- + man/dnsmasq.8 | 7 ++ + src/config.h | 16 ++++- + src/dnsmasq.c | 16 ++++- + src/dnsmasq.h | 29 +++++++- + src/dump.c | 210 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ + src/forward.c | 37 ++++++++-- + src/option.c | 14 ++++ + 10 files changed, 329 insertions(+), 11 deletions(-) + create mode 100644 src/dump.c + +--- a/CHANGELOG ++++ b/CHANGELOG +@@ -17,6 +17,12 @@ version 2.80 + Fix DHCP broken-ness when --no-ping AND --dhcp-sequential-ip + are set. Thanks to Daniel Miess for help with this. + ++ Add a facilty to store DNS packets sent/recieved in a ++ pcap-format file for later debugging. The file location ++ is given by the --dumpfile option, and a bitmap controlling ++ which packets should be dumped is given by the --dumpmask ++ option. ++ + + version 2.79 + Fix parsing of CNAME arguments, which are confused by extra spaces. +--- a/Makefile ++++ b/Makefile +@@ -76,7 +76,7 @@ objs = cache.o rfc1035.o util.o option.o + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \ +- poll.o rrfilter.o edns0.o arp.o crypto.o ++ poll.o rrfilter.o edns0.o arp.o crypto.o dump.o + + hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h +--- a/bld/Android.mk ++++ b/bld/Android.mk +@@ -10,7 +10,8 @@ LOCAL_SRC_FILES := bpf.c cache.c dbus.c + dhcp6.c rfc3315.c dhcp-common.c outpacket.c \ + radv.c slaac.c auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ +- loop.c inotify.c poll.c rrfilter.c edns0.c arp.c crypto.c ++ loop.c inotify.c poll.c rrfilter.c edns0.c arp.c \ ++ crypto.c dump.c + + LOCAL_MODULE := dnsmasq + +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -647,6 +647,13 @@ V4 mapped IPv6 addresses, which have a r + The address range can be of the form + <ip address>,<ip address> or <ip address>/<netmask> in both forms of the option. + .TP ++.B --dumpfile=<path/to/file> ++Specify the location of a pcap-format file which dnsmasq uses to dump copies of network packets for debugging purposes. If the file exists when dnsmasq starts, it is not deleted; new packets are added to the end. ++.TP ++.B --dumpmask=<mask> ++Specify which types of packets should be added to the dumpfile. The argument should be the OR of the bitmasks for each type of packet to be dumped: it can be specified in hex by preceding the number with 0x in the normal way. Each time a packet is written to the dumpfile, dnsmasq logs the packet sequence and the mask ++representing its type. The current types are: 0x0001 - DNS queries from clients 0x0002 DNS replies to clients 0x0004 - DNS queries to upstream 0x0008 - DNS replies from upstream 0x0010 - queries send upstream for DNSSEC validation 0x0020 - replies to queries for DNSSEC validation 0x0040 - replies to client queries which fail DNSSEC validation 0x0080 replies to queries for DNSSEC validation which fail validation. ++.TP + .B --add-mac[=base64|text] + Add the MAC address of the requestor to DNS queries which are + forwarded upstream. This may be used to DNS filtering by the upstream +--- a/src/config.h ++++ b/src/config.h +@@ -117,6 +117,9 @@ HAVE_AUTH + HAVE_DNSSEC + include DNSSEC validator. + ++HAVE_DUMPFILE ++ include code to dump packets to a libpcap-format file for debugging. ++ + HAVE_LOOP + include functionality to probe for and remove DNS forwarding loops. + +@@ -132,6 +135,7 @@ NO_DHCP6 + NO_SCRIPT + NO_LARGEFILE + NO_AUTH ++NO_DUMPFILE + NO_INOTIFY + these are available to explicitly disable compile time options which would + otherwise be enabled automatically (HAVE_IPV6, >2Gb file sizes) or +@@ -164,6 +168,7 @@ RESOLVFILE + #define HAVE_AUTH + #define HAVE_IPSET + #define HAVE_LOOP ++#define HAVE_DUMPFILE + + /* Build options which require external libraries. + +@@ -363,6 +368,10 @@ HAVE_SOCKADDR_SA_LEN + #undef HAVE_LOOP + #endif + ++#ifdef NO_DUMPFILE ++#undef HAVE_DUMPFILE ++#endif ++ + #if defined (HAVE_LINUX_NETWORK) && !defined(NO_INOTIFY) + #define HAVE_INOTIFY + #endif +@@ -451,8 +460,11 @@ static char *compile_opts = + #ifndef HAVE_INOTIFY + "no-" + #endif +-"inotify"; +- ++"inotify " ++#ifndef HAVE_DUMPFILE ++"no-" ++#endif ++"dumpfile"; + + #endif + +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -366,7 +366,16 @@ int main (int argc, char **argv) + else + daemon->inotifyfd = -1; + #endif +- ++ ++ if (daemon->dump_file) ++#ifdef HAVE_DUMPFILE ++ dump_init(); ++ else ++ daemon->dumpfd = -1; ++#else ++ die(_("Packet dumps not available: set HAVE_DUMP in src/config.h"), NULL, EC_BADCONF); ++#endif ++ + if (option_bool(OPT_DBUS)) + #ifdef HAVE_DBUS + { +@@ -1424,6 +1433,11 @@ static void async_event(int pipe, time_t + + if (daemon->runfile) + unlink(daemon->runfile); ++ ++#ifdef HAVE_DUMPFILE ++ if (daemon->dumpfd != -1) ++ close(daemon->dumpfd); ++#endif + + my_syslog(LOG_INFO, _("exiting on receipt of SIGTERM")); + flush_log(); +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -119,6 +119,9 @@ typedef unsigned long long u64; + #include <net/if_arp.h> + #include <netinet/in_systm.h> + #include <netinet/ip.h> ++#ifdef HAVE_IPV6 ++#include <netinet/ip6.h> ++#endif + #include <netinet/ip_icmp.h> + #include <sys/uio.h> + #include <syslog.h> +@@ -598,6 +601,16 @@ struct hostsfile { + unsigned int index; /* matches to cache entries for logging */ + }; + ++/* packet-dump flags */ ++#define DUMP_QUERY 0x0001 ++#define DUMP_REPLY 0x0002 ++#define DUMP_UP_QUERY 0x0004 ++#define DUMP_UP_REPLY 0x0008 ++#define DUMP_SEC_QUERY 0x0010 ++#define DUMP_SEC_REPLY 0x0020 ++#define DUMP_BOGUS 0x0040 ++#define DUMP_SEC_BOGUS 0x0080 ++ + + /* DNSSEC status values. */ + #define STAT_SECURE 1 +@@ -1020,14 +1033,14 @@ extern struct daemon { + unsigned int duid_enterprise, duid_config_len; + unsigned char *duid_config; + char *dbus_name; ++ char *dump_file; ++ int dump_mask; + unsigned long soa_sn, soa_refresh, soa_retry, soa_expiry; + #ifdef OPTION6_PREFIX_CLASS + struct prefix_class *prefix_classes; + #endif + #ifdef HAVE_DNSSEC + struct ds_config *ds; +- int dnssec_no_time_check; +- int back_to_the_future; + char *timestamp_file; + #endif + +@@ -1040,6 +1053,8 @@ extern struct daemon { + char *workspacename; /* ditto */ + char *rr_status; /* flags for individual RRs */ + int rr_status_sz; ++ int dnssec_no_time_check; ++ int back_to_the_future; + #endif + unsigned int local_answer, queries_forwarded, auth_answer; + struct frec *frec_list; +@@ -1094,6 +1109,10 @@ extern struct daemon { + char *addrbuff; + char *addrbuff2; /* only allocated when OPT_EXTRALOG */ + ++#ifdef HAVE_DUMPFILE ++ /* file for packet dumps. */ ++ int dumpfd; ++#endif + } *daemon; + + /* cache.c */ +@@ -1588,3 +1607,9 @@ int check_source(struct dns_header *head + /* arp.c */ + int find_mac(union mysockaddr *addr, unsigned char *mac, int lazy, time_t now); + int do_arp_script_run(void); ++ ++/* dump.c */ ++#ifdef HAVE_DUMPFILE ++void dump_init(void); ++void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst); ++#endif +--- /dev/null ++++ b/src/dump.c +@@ -0,0 +1,210 @@ ++/* dnsmasq is Copyright (c) 2000-2018 Simon Kelley ++ ++ This program is free software; you can redistribute it and/or modify ++ it under the terms of the GNU General Public License as published by ++ the Free Software Foundation; version 2 dated June, 1991, or ++ (at your option) version 3 dated 29 June, 2007. ++ ++ This program is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ GNU General Public License for more details. ++ ++ You should have received a copy of the GNU General Public License ++ along with this program. If not, see <http://www.gnu.org/licenses/>. ++*/ ++ ++#include "dnsmasq.h" ++ ++#ifdef HAVE_DUMPFILE ++ ++static u32 packet_count; ++ ++/* https://wiki.wireshark.org/Development/LibpcapFileFormat */ ++struct pcap_hdr_s { ++ u32 magic_number; /* magic number */ ++ u16 version_major; /* major version number */ ++ u16 version_minor; /* minor version number */ ++ u32 thiszone; /* GMT to local correction */ ++ u32 sigfigs; /* accuracy of timestamps */ ++ u32 snaplen; /* max length of captured packets, in octets */ ++ u32 network; /* data link type */ ++}; ++ ++struct pcaprec_hdr_s { ++ u32 ts_sec; /* timestamp seconds */ ++ u32 ts_usec; /* timestamp microseconds */ ++ u32 incl_len; /* number of octets of packet saved in file */ ++ u32 orig_len; /* actual length of packet */ ++}; ++ ++ ++void dump_init(void) ++{ ++ struct stat buf; ++ struct pcap_hdr_s header; ++ struct pcaprec_hdr_s pcap_header; ++ ++ packet_count = 0; ++ ++ if (stat(daemon->dump_file, &buf) == -1) ++ { ++ /* doesn't exist, create and add header */ ++ header.magic_number = 0xa1b2c3d4; ++ header.version_major = 2; ++ header.version_minor = 4; ++ header.thiszone = 0; ++ header.sigfigs = 0; ++ header.snaplen = daemon->edns_pktsz + 200; /* slop for IP/UDP headers */ ++ header.network = 101; /* DLT_RAW http://www.tcpdump.org/linktypes.html */ ++ ++ if (errno != ENOENT || ++ (daemon->dumpfd = creat(daemon->dump_file, S_IRUSR | S_IWUSR)) == -1 || ++ !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 0)) ++ die(_("cannot create %s: %s"), daemon->dump_file, EC_FILE); ++ } ++ else if ((daemon->dumpfd = open(daemon->dump_file, O_APPEND | O_RDWR)) == -1 || ++ !read_write(daemon->dumpfd, (void *)&header, sizeof(header), 1) || ++ header.magic_number != 0xa1b2c3d4) ++ die(_("cannot access %s: %s"), daemon->dump_file, EC_FILE); ++ else ++ { ++ /* count existing records */ ++ while (read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 1)) ++ { ++ lseek(daemon->dumpfd, pcap_header.incl_len, SEEK_CUR); ++ packet_count++; ++ } ++ } ++} ++ ++void dump_packet(int mask, void *packet, size_t len, union mysockaddr *src, union mysockaddr *dst) ++{ ++ struct ip ip; ++#ifdef HAVE_IPV6 ++ struct ip6_hdr ip6; ++ int family; ++#endif ++ struct udphdr { ++ u16 uh_sport; /* source port */ ++ u16 uh_dport; /* destination port */ ++ u16 uh_ulen; /* udp length */ ++ u16 uh_sum; /* udp checksum */ ++ } udp; ++ struct pcaprec_hdr_s pcap_header; ++ struct timeval time; ++ u32 i, sum; ++ void *iphdr; ++ size_t ipsz; ++ int rc; ++ ++ if (daemon->dumpfd == -1 || !(mask & daemon->dump_mask)) ++ return; ++ ++ /* So wireshark can Id the packet. */ ++ udp.uh_sport = udp.uh_dport = htons(NAMESERVER_PORT); ++ ++#ifdef HAVE_IPV6 ++ if (src) ++ family = src->sa.sa_family; ++ else ++ family = dst->sa.sa_family; ++ ++ if (family == AF_INET6) ++ { ++ iphdr = &ip6; ++ ipsz = sizeof(ip6); ++ memset(&ip6, 0, sizeof(ip6)); ++ ++ ip6.ip6_vfc = 6 << 4; ++ ip6.ip6_plen = htons(sizeof(struct udphdr) + len); ++ ip6.ip6_nxt = IPPROTO_UDP; ++ ip6.ip6_hops = 64; ++ ++ if (src) ++ { ++ memcpy(&ip6.ip6_src, &src->in6.sin6_addr, IN6ADDRSZ); ++ udp.uh_sport = src->in6.sin6_port; ++ } ++ ++ if (dst) ++ { ++ memcpy(&ip6.ip6_dst, &dst->in6.sin6_addr, IN6ADDRSZ); ++ udp.uh_dport = dst->in6.sin6_port; ++ } ++ ++ /* start UDP checksum */ ++ for (sum = 0, i = 0; i < IN6ADDRSZ; i++) ++ sum += ((u16 *)&ip6.ip6_src)[i]; ++ } ++ else ++#endif ++ { ++ iphdr = &ip; ++ ipsz = sizeof(ip); ++ memset(&ip, 0, sizeof(ip)); ++ ++ ip.ip_v = IPVERSION; ++ ip.ip_hl = sizeof(struct ip) / 4; ++ ip.ip_len = htons(sizeof(struct ip) + sizeof(struct udphdr) + len); ++ ip.ip_ttl = IPDEFTTL; ++ ip.ip_p = IPPROTO_UDP; ++ ++ if (src) ++ { ++ ip.ip_src = src->in.sin_addr; ++ udp.uh_sport = src->in.sin_port; ++ } ++ ++ if (dst) ++ { ++ ip.ip_dst = dst->in.sin_addr; ++ udp.uh_dport = dst->in.sin_port; ++ } ++ ++ ip.ip_sum = 0; ++ for (sum = 0, i = 0; i < sizeof(struct ip) / 2; i++) ++ sum += ((u16 *)&ip)[i]; ++ while (sum >> 16) ++ sum = (sum & 0xffff) + (sum >> 16); ++ ip.ip_sum = (sum == 0xffff) ? sum : ~sum; ++ ++ /* start UDP checksum */ ++ sum = ip.ip_src.s_addr & 0xffff; ++ sum += (ip.ip_src.s_addr >> 16) & 0xffff; ++ sum += ip.ip_dst.s_addr & 0xffff; ++ sum += (ip.ip_dst.s_addr >> 16) & 0xffff; ++ } ++ ++ if (len & 1) ++ ((unsigned char *)packet)[len] = 0; /* for checksum, in case length is odd. */ ++ ++ udp.uh_sum = 0; ++ udp.uh_ulen = htons(sizeof(struct udphdr) + len); ++ sum += htons(IPPROTO_UDP); ++ sum += htons(sizeof(struct udphdr) + len); ++ for (i = 0; i < sizeof(struct udphdr)/2; i++) ++ sum += ((u16 *)&udp)[i]; ++ for (i = 0; i < (len + 1) / 2; i++) ++ sum += ((u16 *)packet)[i]; ++ while (sum >> 16) ++ sum = (sum & 0xffff) + (sum >> 16); ++ udp.uh_sum = (sum == 0xffff) ? sum : ~sum; ++ ++ rc = gettimeofday(&time, NULL); ++ pcap_header.ts_sec = time.tv_sec; ++ pcap_header.ts_usec = time.tv_usec; ++ pcap_header.incl_len = pcap_header.orig_len = ipsz + sizeof(udp) + len; ++ ++ if (rc == -1 || ++ !read_write(daemon->dumpfd, (void *)&pcap_header, sizeof(pcap_header), 0) || ++ !read_write(daemon->dumpfd, iphdr, ipsz, 0) || ++ !read_write(daemon->dumpfd, (void *)&udp, sizeof(udp), 0) || ++ !read_write(daemon->dumpfd, (void *)packet, len, 0)) ++ my_syslog(LOG_ERR, _("failed to write packet dump")); ++ else ++ my_syslog(LOG_INFO, _("dumping UDP packet %u mask 0x%04x"), ++packet_count, mask); ++ ++} ++ ++#endif +--- a/src/forward.c ++++ b/src/forward.c +@@ -508,6 +508,10 @@ static int forward_query(int udpfd, unio + + if (errno == 0) + { ++#ifdef HAVE_DUMPFILE ++ dump_packet(DUMP_UP_QUERY, (void *)header, plen, NULL, &start->addr); ++#endif ++ + /* Keep info in case we want to re-send this packet */ + daemon->srv_save = start; + daemon->packet_len = plen; +@@ -769,7 +773,7 @@ void reply_query(int fd, int family, tim + #endif + + header = (struct dns_header *)daemon->packet; +- ++ + if (n < (int)sizeof(struct dns_header) || !(header->hb3 & HB3_QR)) + return; + +@@ -796,6 +800,12 @@ void reply_query(int fd, int family, tim + if (!(forward = lookup_frec(ntohs(header->id), hash))) + return; + ++#ifdef HAVE_DUMPFILE ++ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY, ++ (void *)header, n, &serveraddr, NULL); ++#endif ++ ++ + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ + daemon->log_display_id = forward->log_id; +@@ -934,6 +944,11 @@ void reply_query(int fd, int family, tim + status = dnssec_validate_reply(now, header, n, daemon->namebuff, daemon->keyname, &forward->class, + !option_bool(OPT_DNSSEC_IGN_NS) && (server->flags & SERV_DO_DNSSEC), + NULL, NULL); ++#ifdef HAVE_DUMPFILE ++ if (status == STAT_BOGUS) ++ dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_BOGUS : DUMP_BOGUS, ++ header, (size_t)n, &serveraddr, NULL); ++#endif + } + + /* Can't validate, as we're missing key data. Put this +@@ -1060,6 +1075,11 @@ void reply_query(int fd, int family, tim + setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(unsigned int)); + } + #endif ++ ++#ifdef HAVE_DUMPFILE ++ dump_packet(DUMP_SEC_QUERY, (void *)header, (size_t)nn, NULL, &server->addr); ++#endif ++ + while (retry_send(sendto(fd, (char *)header, nn, 0, + &server->addr.sa, + sa_len(&server->addr)))); +@@ -1114,8 +1134,8 @@ void reply_query(int fd, int family, tim + bogusanswer = 1; + } + } +-#endif +- ++#endif ++ + /* restore CD bit to the value in the query */ + if (forward->flags & FREC_CHECKING_DISABLED) + header->hb4 |= HB4_CD; +@@ -1141,6 +1161,11 @@ void reply_query(int fd, int family, tim + nn = resize_packet(header, nn, NULL, 0); + } + #endif ++ ++#ifdef HAVE_DUMPFILE ++ dump_packet(DUMP_REPLY, daemon->packet, (size_t)nn, NULL, &forward->source); ++#endif ++ + send_from(forward->fd, option_bool(OPT_NOWILD) || option_bool (OPT_CLEVERBIND), daemon->packet, nn, + &forward->source, &forward->dest, forward->iface); + } +@@ -1394,7 +1419,11 @@ void receive_query(struct listener *list + pass these in global variables - sorry. */ + daemon->log_display_id = ++daemon->log_id; + daemon->log_source_addr = &source_addr; +- ++ ++#ifdef HAVE_DUMPFILE ++ dump_packet(DUMP_QUERY, daemon->packet, (size_t)n, &source_addr, NULL); ++#endif ++ + if (extract_request(header, (size_t)n, daemon->namebuff, &type)) + { + #ifdef HAVE_AUTH +--- a/src/option.c ++++ b/src/option.c +@@ -161,6 +161,8 @@ struct myoption { + #define LOPT_TFTP_MTU 349 + #define LOPT_REPLY_DELAY 350 + #define LOPT_RAPID_COMMIT 351 ++#define LOPT_DUMPFILE 352 ++#define LOPT_DUMPMASK 353 + + #ifdef HAVE_GETOPT_LONG + static const struct option opts[] = +@@ -327,6 +329,8 @@ static const struct myoption opts[] = + { "dhcp-ttl", 1, 0 , LOPT_DHCPTTL }, + { "dhcp-reply-delay", 1, 0, LOPT_REPLY_DELAY }, + { "dhcp-rapid-commit", 0, 0, LOPT_RAPID_COMMIT }, ++ { "dumpfile", 1, 0, LOPT_DUMPFILE }, ++ { "dumpmask", 1, 0, LOPT_DUMPMASK }, + { NULL, 0, 0, 0 } + }; + +@@ -500,6 +504,8 @@ static struct { + { LOPT_DHCPTTL, ARG_ONE, "<ttl>", gettext_noop("Set TTL in DNS responses with DHCP-derived addresses."), NULL }, + { LOPT_REPLY_DELAY, ARG_ONE, "<integer>", gettext_noop("Delay DHCP replies for at least number of seconds."), NULL }, + { LOPT_RAPID_COMMIT, OPT_RAPID_COMMIT, NULL, gettext_noop("Enables DHCPv4 Rapid Commit option."), NULL }, ++ { LOPT_DUMPFILE, ARG_ONE, "<path>", gettext_noop("Path to debug packet dump file"), NULL }, ++ { LOPT_DUMPMASK, ARG_ONE, "<hex>", gettext_noop("Mask which packets to dump"), NULL }, + { 0, 0, NULL, NULL, NULL } + }; + +@@ -1811,6 +1817,14 @@ static int one_opt(int option, char *arg + ret_err(_("bad MX target")); + break; + ++ case LOPT_DUMPFILE: /* --dumpfile */ ++ daemon->dump_file = opt_string_alloc(arg); ++ break; ++ ++ case LOPT_DUMPMASK: /* --dumpmask */ ++ daemon->dump_mask = strtol(arg, NULL, 0); ++ break; ++ + #ifdef HAVE_DHCP + case 'l': /* --dhcp-leasefile */ + daemon->lease_file = opt_string_alloc(arg); diff --git a/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch b/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch new file mode 100644 index 0000000000..d21f9d4320 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0005-Retry-query-to-other-servers-on-receipt-of-SERVFAIL-.patch @@ -0,0 +1,22 @@ +From 34e26e14c5e0fb2d5f05f67858319c9db2058333 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 10 May 2018 20:54:57 +0100 +Subject: [PATCH 05/10] Retry query to other servers on receipt of SERVFAIL + rcode. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/forward.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/forward.c ++++ b/src/forward.c +@@ -817,7 +817,7 @@ void reply_query(int fd, int family, tim + + /* Note: if we send extra options in the EDNS0 header, we can't recreate + the query from the reply. */ +- if (RCODE(header) == REFUSED && ++ if ((RCODE(header) == REFUSED || RCODE(header) == SERVFAIL) && + forward->forwardall == 0 && + !(forward->flags & FREC_HAS_EXTRADATA)) + /* for broken servers, attempt to send to another one. */ diff --git a/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch b/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch new file mode 100644 index 0000000000..b4681af4ff --- /dev/null +++ b/package/network/services/dnsmasq/patches/0006-Handle-query-retry-on-REFUSED-or-SERVFAIL-for-DNSSEC.patch @@ -0,0 +1,87 @@ +From a0088e83640d7d1544127dd668660462e9f78e52 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Thu, 10 May 2018 21:43:14 +0100 +Subject: [PATCH 06/10] Handle query retry on REFUSED or SERVFAIL for + DNSSEC-generated queries. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/forward.c | 46 ++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 40 insertions(+), 6 deletions(-) + +--- a/src/forward.c ++++ b/src/forward.c +@@ -298,9 +298,9 @@ static int forward_query(int udpfd, unio + fd = forward->rfd4->fd; + } + +- while (retry_send( sendto(fd, (char *)header, plen, 0, +- &forward->sentto->addr.sa, +- sa_len(&forward->sentto->addr)))); ++ while (retry_send(sendto(fd, (char *)header, plen, 0, ++ &forward->sentto->addr.sa, ++ sa_len(&forward->sentto->addr)))); + + return 1; + } +@@ -804,8 +804,7 @@ void reply_query(int fd, int family, tim + dump_packet((forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ? DUMP_SEC_REPLY : DUMP_UP_REPLY, + (void *)header, n, &serveraddr, NULL); + #endif +- +- ++ + /* log_query gets called indirectly all over the place, so + pass these in global variables - sorry. */ + daemon->log_display_id = forward->log_id; +@@ -826,6 +825,40 @@ void reply_query(int fd, int family, tim + size_t plen; + int is_sign; + ++ /* For DNSSEC originated queries, just retry the query to the same server. */ ++ if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) ++ { ++ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); ++ plen = forward->stash_len; ++ ++ forward->forwardall = 2; /* only retry once */ ++ ++ if (forward->sentto->addr.sa.sa_family == AF_INET) ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); ++#ifdef HAVE_IPV6 ++ else ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); ++#endif ++ ++ if (forward->sentto->sfd) ++ fd = forward->sentto->sfd->fd; ++ else ++ { ++#ifdef HAVE_IPV6 ++ if (forward->sentto->addr.sa.sa_family == AF_INET6) ++ fd = forward->rfd6->fd; ++ else ++#endif ++ fd = forward->rfd4->fd; ++ } ++ ++ while (retry_send(sendto(fd, (char *)header, plen, 0, ++ &forward->sentto->addr.sa, ++ sa_len(&forward->sentto->addr)))); ++ ++ return; ++ } ++ + /* In strict order mode, there must be a server later in the chain + left to send to, otherwise without the forwardall mechanism, + code further on will cycle around the list forwever if they +@@ -1017,7 +1050,8 @@ void reply_query(int fd, int family, tim + #ifdef HAVE_IPV6 + new->rfd6 = NULL; + #endif +- new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY); ++ new->flags &= ~(FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_HAS_EXTRADATA); ++ new->forwardall = 0; + + new->dependent = forward; /* to find query awaiting new one. */ + forward->blocking_query = new; /* for garbage cleaning */ diff --git a/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch b/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch new file mode 100644 index 0000000000..5756717340 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0007-Retry-SERVFAIL-DNSSEC-queries-to-a-different-server-.patch @@ -0,0 +1,100 @@ +From 1f60a18ea1c64beb8b6cffa0650a2bfad95ac352 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 11 May 2018 16:44:16 +0100 +Subject: [PATCH 07/10] Retry SERVFAIL DNSSEC queries to a different server, if + possible. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/forward.c | 53 ++++++++++++++++++++++++++++++++++++++++++----------- + 1 file changed, 42 insertions(+), 11 deletions(-) + +--- a/src/forward.c ++++ b/src/forward.c +@@ -825,9 +825,12 @@ void reply_query(int fd, int family, tim + size_t plen; + int is_sign; + ++#ifdef HAVE_DNSSEC + /* For DNSSEC originated queries, just retry the query to the same server. */ + if (forward->flags & (FREC_DNSKEY_QUERY | FREC_DS_QUERY)) + { ++ struct server *start; ++ + blockdata_retrieve(forward->stash, forward->stash_len, (void *)header); + plen = forward->stash_len; + +@@ -839,26 +842,54 @@ void reply_query(int fd, int family, tim + else + log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); + #endif +- +- if (forward->sentto->sfd) +- fd = forward->sentto->sfd->fd; ++ ++ start = forward->sentto; ++ ++ /* for non-domain specific servers, see if we can find another to try. */ ++ if ((forward->sentto->flags & SERV_TYPE) == 0) ++ while (1) ++ { ++ if (!(start = start->next)) ++ start = daemon->servers; ++ if (start == forward->sentto) ++ break; ++ ++ if ((start->flags & SERV_TYPE) == 0 && ++ (start->flags & SERV_DO_DNSSEC)) ++ break; ++ } ++ ++ ++ if (start->sfd) ++ fd = start->sfd->fd; + else + { + #ifdef HAVE_IPV6 +- if (forward->sentto->addr.sa.sa_family == AF_INET6) +- fd = forward->rfd6->fd; ++ if (start->addr.sa.sa_family == AF_INET6) ++ { ++ /* may have changed family */ ++ if (!forward->rfd6) ++ forward->rfd6 = allocate_rfd(AF_INET6); ++ fd = forward->rfd6->fd; ++ } + else + #endif +- fd = forward->rfd4->fd; ++ { ++ /* may have changed family */ ++ if (!forward->rfd4) ++ forward->rfd4 = allocate_rfd(AF_INET); ++ fd = forward->rfd4->fd; ++ } + } +- ++ + while (retry_send(sendto(fd, (char *)header, plen, 0, +- &forward->sentto->addr.sa, +- sa_len(&forward->sentto->addr)))); ++ &start->addr.sa, ++ sa_len(&start->addr)))); + + return; + } +- ++#endif ++ + /* In strict order mode, there must be a server later in the chain + left to send to, otherwise without the forwardall mechanism, + code further on will cycle around the list forwever if they +@@ -1024,7 +1055,7 @@ void reply_query(int fd, int family, tim + while (1) + { + if (type == (start->flags & (SERV_TYPE | SERV_DO_DNSSEC)) && +- (type != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && ++ ((type & SERV_TYPE) != SERV_HAS_DOMAIN || hostname_isequal(domain, start->domain)) && + !(start->flags & (SERV_LITERAL_ADDRESS | SERV_LOOP))) + { + new_server = start; diff --git a/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch b/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch new file mode 100644 index 0000000000..d5735a25d5 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0008-Fix-logging-in-previous.patch @@ -0,0 +1,41 @@ +From e27825b0ef1e79ab05b1752c8c838cb43ad39d79 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 11 May 2018 17:20:47 +0100 +Subject: [PATCH 08/10] Fix logging in previous. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/forward.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/src/forward.c ++++ b/src/forward.c +@@ -835,14 +835,6 @@ void reply_query(int fd, int family, tim + plen = forward->stash_len; + + forward->forwardall = 2; /* only retry once */ +- +- if (forward->sentto->addr.sa.sa_family == AF_INET) +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&forward->sentto->addr.in.sin_addr, "dnssec"); +-#ifdef HAVE_IPV6 +- else +- log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&forward->sentto->addr.in6.sin6_addr, "dnssec"); +-#endif +- + start = forward->sentto; + + /* for non-domain specific servers, see if we can find another to try. */ +@@ -886,6 +878,13 @@ void reply_query(int fd, int family, tim + &start->addr.sa, + sa_len(&start->addr)))); + ++ if (start->addr.sa.sa_family == AF_INET) ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV4, "retry", (struct all_addr *)&start->addr.in.sin_addr, "dnssec"); ++#ifdef HAVE_IPV6 ++ else ++ log_query(F_NOEXTRA | F_DNSSEC | F_IPV6, "retry", (struct all_addr *)&start->addr.in6.sin6_addr, "dnssec"); ++#endif ++ + return; + } + #endif diff --git a/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch b/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch new file mode 100644 index 0000000000..0aaec7edf4 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0009-Do-unsolicited-RAs-for-interfaces-which-appear-after.patch @@ -0,0 +1,44 @@ +From 0a496f059c1e9d75c33cce4c1211d58422ba4f62 Mon Sep 17 00:00:00 2001 +From: Maarten de Vries <maarten+dnsmasq@m.de-vri.es> +Date: Fri, 11 May 2018 23:20:58 +0100 +Subject: [PATCH 09/10] Do unsolicited RAs for interfaces which appear after + dnsmasq startup. + +I noticed that dnsmasq often wasn't sending any unsolicited RAs for me. + +This turned out to happen when the interface (a bridge interface) wasn't +created yet at the time dnsmasq started. When dnsmasq is started after +the interface is created, it sends RAs as expected. I assume this also +extends to other types of virtual interfaces that are created after +dnsmasq starts. + +Digging into the source, it seems to be caused by a missing call to +ra_start_unsolicited for non-template contexts in construct_worker from +src/dhcp6.c. The attached patch adds that call, but only if the +interface index or address changed to prevent doing fast RAs for no reason. + +I tested it on my own server and it appears to work as expected. When +the interface is created and configured, dnsmasq does fast RAs for a +while and then settles into slow RAs. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/dhcp6.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/src/dhcp6.c ++++ b/src/dhcp6.c +@@ -647,6 +647,13 @@ static int construct_worker(struct in6_a + is_same_net6(local, &template->start6, template->prefix) && + is_same_net6(local, &template->end6, template->prefix)) + { ++ /* First time found, do fast RA. */ ++ if (template->if_index != if_index || !IN6_ARE_ADDR_EQUAL(&template->local6, local)) ++ { ++ ra_start_unsolicited(param->now, template); ++ param->newone = 1; ++ } ++ + template->if_index = if_index; + template->local6 = *local; + } diff --git a/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch b/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch new file mode 100644 index 0000000000..98df4520a2 --- /dev/null +++ b/package/network/services/dnsmasq/patches/0010-Log-warning-on-very-large-cachesize-config-instead-o.patch @@ -0,0 +1,38 @@ +From 1f1873aadd092a0fab505dd278a484d887ba0ec3 Mon Sep 17 00:00:00 2001 +From: Simon Kelley <simon@thekelleys.org.uk> +Date: Fri, 11 May 2018 23:38:23 +0100 +Subject: [PATCH 10/10] Log warning on very large cachesize config, instead of + truncating it. + +Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> +--- + src/dnsmasq.c | 6 +++++- + src/option.c | 2 -- + 2 files changed, 5 insertions(+), 3 deletions(-) + +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -740,7 +740,11 @@ int main (int argc, char **argv) + else + { + if (daemon->cachesize != 0) +- my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION, daemon->cachesize); ++ { ++ my_syslog(LOG_INFO, _("started, version %s cachesize %d"), VERSION, daemon->cachesize); ++ if (daemon->cachesize > 10000) ++ my_syslog(LOG_WARNING, _("cache size greater than 10000 may cause performance issues, and is unlikely to be useful.")); ++ } + else + my_syslog(LOG_INFO, _("started, version %s cache disabled"), VERSION); + +--- a/src/option.c ++++ b/src/option.c +@@ -2603,8 +2603,6 @@ static int one_opt(int option, char *arg + + if (size < 0) + size = 0; +- else if (size > 10000) +- size = 10000; + + daemon->cachesize = size; + } diff --git a/package/network/services/dnsmasq/patches/240-ubus.patch b/package/network/services/dnsmasq/patches/240-ubus.patch index 415c7a5e4c..5e44f5b61a 100644 --- a/package/network/services/dnsmasq/patches/240-ubus.patch +++ b/package/network/services/dnsmasq/patches/240-ubus.patch @@ -74,7 +74,7 @@ int main (int argc, char **argv) { int bind_fallback = 0; -@@ -928,6 +988,7 @@ int main (int argc, char **argv) +@@ -944,6 +1004,7 @@ int main (int argc, char **argv) set_dbus_listeners(); #endif @@ -82,7 +82,7 @@ #ifdef HAVE_DHCP if (daemon->dhcp || daemon->relay4) { -@@ -1058,6 +1119,8 @@ int main (int argc, char **argv) +@@ -1074,6 +1135,8 @@ int main (int argc, char **argv) check_dbus_listeners(); #endif @@ -104,7 +104,7 @@ mostly_clean : --- a/src/dnsmasq.h +++ b/src/dnsmasq.h -@@ -1415,6 +1415,8 @@ void emit_dbus_signal(int action, struct +@@ -1440,6 +1440,8 @@ void emit_dbus_signal(int action, struct # endif #endif @@ -115,7 +115,7 @@ void ipset_init(void); --- a/src/rfc2131.c +++ b/src/rfc2131.c -@@ -1621,6 +1621,10 @@ static void log_packet(char *type, void +@@ -1636,6 +1636,10 @@ static void log_packet(char *type, void daemon->namebuff, string ? string : "", err ? err : ""); |