Merge branch 'unbound' into next

Michael Tremer
2016-09-08 19:50:45 +01:00
50 changed files with 1801 additions and 1834 deletions


@@ -67,3 +67,6 @@ HOME=/
# Cleanup the mail spool directory
%weekly * * /usr/sbin/dma-cleanup-spool
# Update DNS trust anchor
%daily,random * * @runas(nobody) /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
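Review bot: Running unbound-anchor as `nobody` in the new `%daily,random` entry means `/var/lib/unbound/root.key` has to be writable by that shared account, and probably its directory too if the tool writes through a temporary file. The hunk does not show where that ownership is set. Any other process that runs as `nobody` could then replace the DNSSEC trust anchor, so a dedicated unprivileged account for this job would be a safer choice. I would also add a comment above the entry, for example `# unbound-anchor exits 1 after updating via the certificate bundle; that is not an error`, because its man page documents that exit status and the scheduler may otherwise report the run as failed.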


@@ -30,7 +30,6 @@ nobody:x:99:
users:x:100:
snort:x:101:
logwatch:x:102:
dnsmasq:x:103:
cron:x:104:
syslogd:x:105:
klogd:x:106:


@@ -14,7 +14,6 @@ nobody:x:99:99:Nobody:/home/nobody:/bin/false
postfix:x:100:100::/var/spool/postfix:/bin/false
snort:x:101:101:ftp:/var/log/snort:/bin/false
logwatch:x:102:102::/var/log/logwatch:/bin/false
dnsmasq:x:103:103::/:/bin/false
cron:x:104:104::/:/bin/false
syslogd:x:105:105:/var/empty:/bin/false
klogd:x:106:106:/var/empty:/bin/false


@@ -26,7 +26,6 @@ etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
#etc/rc.d/init.d/dnsdist
etc/rc.d/init.d/dnsmasq
etc/rc.d/init.d/fcron
#etc/rc.d/init.d/fetchmail
etc/rc.d/init.d/fireinfo
@@ -76,7 +75,7 @@ etc/rc.d/init.d/networking/green
etc/rc.d/init.d/networking/orange
etc/rc.d/init.d/networking/red
#etc/rc.d/init.d/networking/red.down
etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
etc/rc.d/init.d/networking/red.down/10-ipsec
etc/rc.d/init.d/networking/red.down/10-miniupnpd
etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -84,7 +83,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
etc/rc.d/init.d/networking/red.down/20-firewall
#etc/rc.d/init.d/networking/red.up
etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes


@@ -1,2 +0,0 @@
usr/sbin/dnsmasq
#usr/share/man/man8/dnsmasq.8


@@ -27,7 +27,6 @@ etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
#etc/rc.d/init.d/dnsdist
etc/rc.d/init.d/dnsmasq
etc/rc.d/init.d/fcron
#etc/rc.d/init.d/fetchmail
etc/rc.d/init.d/fireinfo
@@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green
etc/rc.d/init.d/networking/orange
etc/rc.d/init.d/networking/red
#etc/rc.d/init.d/networking/red.down
etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
etc/rc.d/init.d/networking/red.down/10-ipsec
etc/rc.d/init.d/networking/red.down/10-miniupnpd
etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
etc/rc.d/init.d/networking/red.down/20-firewall
#etc/rc.d/init.d/networking/red.up
etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes


@@ -5,7 +5,6 @@ usr/local/bin/backupctrl
usr/local/bin/collectdctrl
usr/local/bin/ddnsctrl
usr/local/bin/dhcpctrl
usr/local/bin/dnsmasqctrl
usr/local/bin/extrahdctrl
usr/local/bin/fireinfoctrl
usr/local/bin/getconntracktable
@@ -33,6 +32,7 @@ usr/local/bin/sshctrl
usr/local/bin/syslogdctrl
usr/local/bin/timectrl
#usr/local/bin/torctrl
usr/local/bin/unboundctrl
usr/local/bin/updxlratorctrl
usr/local/bin/upnpctrl
usr/local/bin/urlfilterctrl


@@ -0,0 +1,19 @@
#usr/lib/python2.7/site-packages/daemon
usr/lib/python2.7/site-packages/daemon/__init__.py
usr/lib/python2.7/site-packages/daemon/__init__.pyc
usr/lib/python2.7/site-packages/daemon/_metadata.py
usr/lib/python2.7/site-packages/daemon/_metadata.pyc
usr/lib/python2.7/site-packages/daemon/daemon.py
usr/lib/python2.7/site-packages/daemon/daemon.pyc
usr/lib/python2.7/site-packages/daemon/pidfile.py
usr/lib/python2.7/site-packages/daemon/pidfile.pyc
usr/lib/python2.7/site-packages/daemon/runner.py
usr/lib/python2.7/site-packages/daemon/runner.pyc
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/PKG-INFO
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/SOURCES.txt
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/dependency_links.txt
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/not-zip-safe
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/requires.txt
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/top_level.txt
#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/version_info.json


@@ -0,0 +1,320 @@
#usr/bin/rst2html.py
#usr/bin/rst2latex.py
#usr/bin/rst2man.py
#usr/bin/rst2odt.py
#usr/bin/rst2odt_prepstyles.py
#usr/bin/rst2pseudoxml.py
#usr/bin/rst2s5.py
#usr/bin/rst2xetex.py
#usr/bin/rst2xml.py
#usr/bin/rstpep2html.py
#usr/lib/python2.7/site-packages/docutils
#usr/lib/python2.7/site-packages/docutils-0.12-py2.7.egg-info
#usr/lib/python2.7/site-packages/docutils/__init__.py
#usr/lib/python2.7/site-packages/docutils/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/_compat.py
#usr/lib/python2.7/site-packages/docutils/_compat.pyc
#usr/lib/python2.7/site-packages/docutils/core.py
#usr/lib/python2.7/site-packages/docutils/core.pyc
#usr/lib/python2.7/site-packages/docutils/examples.py
#usr/lib/python2.7/site-packages/docutils/examples.pyc
#usr/lib/python2.7/site-packages/docutils/frontend.py
#usr/lib/python2.7/site-packages/docutils/frontend.pyc
#usr/lib/python2.7/site-packages/docutils/io.py
#usr/lib/python2.7/site-packages/docutils/io.pyc
#usr/lib/python2.7/site-packages/docutils/languages
#usr/lib/python2.7/site-packages/docutils/languages/__init__.py
#usr/lib/python2.7/site-packages/docutils/languages/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/languages/af.py
#usr/lib/python2.7/site-packages/docutils/languages/af.pyc
#usr/lib/python2.7/site-packages/docutils/languages/ca.py
#usr/lib/python2.7/site-packages/docutils/languages/ca.pyc
#usr/lib/python2.7/site-packages/docutils/languages/cs.py
#usr/lib/python2.7/site-packages/docutils/languages/cs.pyc
#usr/lib/python2.7/site-packages/docutils/languages/da.py
#usr/lib/python2.7/site-packages/docutils/languages/da.pyc
#usr/lib/python2.7/site-packages/docutils/languages/de.py
#usr/lib/python2.7/site-packages/docutils/languages/de.pyc
#usr/lib/python2.7/site-packages/docutils/languages/en.py
#usr/lib/python2.7/site-packages/docutils/languages/en.pyc
#usr/lib/python2.7/site-packages/docutils/languages/eo.py
#usr/lib/python2.7/site-packages/docutils/languages/eo.pyc
#usr/lib/python2.7/site-packages/docutils/languages/es.py
#usr/lib/python2.7/site-packages/docutils/languages/es.pyc
#usr/lib/python2.7/site-packages/docutils/languages/fi.py
#usr/lib/python2.7/site-packages/docutils/languages/fi.pyc
#usr/lib/python2.7/site-packages/docutils/languages/fr.py
#usr/lib/python2.7/site-packages/docutils/languages/fr.pyc
#usr/lib/python2.7/site-packages/docutils/languages/gl.py
#usr/lib/python2.7/site-packages/docutils/languages/gl.pyc
#usr/lib/python2.7/site-packages/docutils/languages/he.py
#usr/lib/python2.7/site-packages/docutils/languages/he.pyc
#usr/lib/python2.7/site-packages/docutils/languages/it.py
#usr/lib/python2.7/site-packages/docutils/languages/it.pyc
#usr/lib/python2.7/site-packages/docutils/languages/ja.py
#usr/lib/python2.7/site-packages/docutils/languages/ja.pyc
#usr/lib/python2.7/site-packages/docutils/languages/lt.py
#usr/lib/python2.7/site-packages/docutils/languages/lt.pyc
#usr/lib/python2.7/site-packages/docutils/languages/nl.py
#usr/lib/python2.7/site-packages/docutils/languages/nl.pyc
#usr/lib/python2.7/site-packages/docutils/languages/pl.py
#usr/lib/python2.7/site-packages/docutils/languages/pl.pyc
#usr/lib/python2.7/site-packages/docutils/languages/pt_br.py
#usr/lib/python2.7/site-packages/docutils/languages/pt_br.pyc
#usr/lib/python2.7/site-packages/docutils/languages/ru.py
#usr/lib/python2.7/site-packages/docutils/languages/ru.pyc
#usr/lib/python2.7/site-packages/docutils/languages/sk.py
#usr/lib/python2.7/site-packages/docutils/languages/sk.pyc
#usr/lib/python2.7/site-packages/docutils/languages/sv.py
#usr/lib/python2.7/site-packages/docutils/languages/sv.pyc
#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.py
#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.pyc
#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.py
#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.pyc
#usr/lib/python2.7/site-packages/docutils/nodes.py
#usr/lib/python2.7/site-packages/docutils/nodes.pyc
#usr/lib/python2.7/site-packages/docutils/parsers
#usr/lib/python2.7/site-packages/docutils/parsers/__init__.py
#usr/lib/python2.7/site-packages/docutils/parsers/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/null.py
#usr/lib/python2.7/site-packages/docutils/parsers/null.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst
#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/README.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsa.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsb.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsc.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsn.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamso.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsr.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isobox.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr1.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr2.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isodia.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk1.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk2.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk3.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4-wide.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat1.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat2.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk-wide.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf-wide.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr-wide.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isonum.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isopub.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isotech.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlalias.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra-wide.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/s5defs.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-lat1.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-special.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-symbol.txt
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.pyc
#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.py
#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.pyc
#usr/lib/python2.7/site-packages/docutils/readers
#usr/lib/python2.7/site-packages/docutils/readers/__init__.py
#usr/lib/python2.7/site-packages/docutils/readers/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/readers/doctree.py
#usr/lib/python2.7/site-packages/docutils/readers/doctree.pyc
#usr/lib/python2.7/site-packages/docutils/readers/pep.py
#usr/lib/python2.7/site-packages/docutils/readers/pep.pyc
#usr/lib/python2.7/site-packages/docutils/readers/standalone.py
#usr/lib/python2.7/site-packages/docutils/readers/standalone.pyc
#usr/lib/python2.7/site-packages/docutils/statemachine.py
#usr/lib/python2.7/site-packages/docutils/statemachine.pyc
#usr/lib/python2.7/site-packages/docutils/transforms
#usr/lib/python2.7/site-packages/docutils/transforms/__init__.py
#usr/lib/python2.7/site-packages/docutils/transforms/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/components.py
#usr/lib/python2.7/site-packages/docutils/transforms/components.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.py
#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/misc.py
#usr/lib/python2.7/site-packages/docutils/transforms/misc.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/parts.py
#usr/lib/python2.7/site-packages/docutils/transforms/parts.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/peps.py
#usr/lib/python2.7/site-packages/docutils/transforms/peps.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/references.py
#usr/lib/python2.7/site-packages/docutils/transforms/references.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/universal.py
#usr/lib/python2.7/site-packages/docutils/transforms/universal.pyc
#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.py
#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.pyc
#usr/lib/python2.7/site-packages/docutils/utils
#usr/lib/python2.7/site-packages/docutils/utils/__init__.py
#usr/lib/python2.7/site-packages/docutils/utils/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.py
#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.pyc
#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.py
#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.pyc
#usr/lib/python2.7/site-packages/docutils/utils/math
#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.py
#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.py
#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.pyc
#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.py
#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.pyc
#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.py
#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.pyc
#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.py
#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.pyc
#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.py
#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.pyc
#usr/lib/python2.7/site-packages/docutils/utils/roman.py
#usr/lib/python2.7/site-packages/docutils/utils/roman.pyc
#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.py
#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.pyc
#usr/lib/python2.7/site-packages/docutils/utils/urischemes.py
#usr/lib/python2.7/site-packages/docutils/utils/urischemes.pyc
#usr/lib/python2.7/site-packages/docutils/writers
#usr/lib/python2.7/site-packages/docutils/writers/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.py
#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.pyc
#usr/lib/python2.7/site-packages/docutils/writers/html4css1
#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/writers/html4css1/html4css1.css
#usr/lib/python2.7/site-packages/docutils/writers/html4css1/math.css
#usr/lib/python2.7/site-packages/docutils/writers/html4css1/template.txt
#usr/lib/python2.7/site-packages/docutils/writers/latex2e
#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/writers/latex2e/default.tex
#usr/lib/python2.7/site-packages/docutils/writers/latex2e/titlepage.tex
#usr/lib/python2.7/site-packages/docutils/writers/latex2e/xelatex.tex
#usr/lib/python2.7/site-packages/docutils/writers/manpage.py
#usr/lib/python2.7/site-packages/docutils/writers/manpage.pyc
#usr/lib/python2.7/site-packages/docutils/writers/null.py
#usr/lib/python2.7/site-packages/docutils/writers/null.pyc
#usr/lib/python2.7/site-packages/docutils/writers/odf_odt
#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.py
#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.pyc
#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/styles.odt
#usr/lib/python2.7/site-packages/docutils/writers/pep_html
#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/writers/pep_html/pep.css
#usr/lib/python2.7/site-packages/docutils/writers/pep_html/template.txt
#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.py
#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.pyc
#usr/lib/python2.7/site-packages/docutils/writers/s5_html
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.pyc
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/README.txt
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/__base__
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/framing.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/framing.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/blank.gif
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/framing.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/iepngfix.htc
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/opera.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/outline.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/print.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/s5-core.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.js
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/__base__
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/framing.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/__base__
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/framing.css
#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/pretty.css
#usr/lib/python2.7/site-packages/docutils/writers/xetex
#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.py
#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.pyc


@@ -0,0 +1,20 @@
#usr/lib/python2.7/site-packages/inotify
#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info
#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/PKG-INFO
#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/SOURCES.txt
#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/dependency_links.txt
#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/not-zip-safe
#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/top_level.txt
usr/lib/python2.7/site-packages/inotify/__init__.py
usr/lib/python2.7/site-packages/inotify/__init__.pyc
usr/lib/python2.7/site-packages/inotify/adapters.py
usr/lib/python2.7/site-packages/inotify/adapters.pyc
usr/lib/python2.7/site-packages/inotify/calls.py
usr/lib/python2.7/site-packages/inotify/calls.pyc
usr/lib/python2.7/site-packages/inotify/constants.py
usr/lib/python2.7/site-packages/inotify/constants.pyc
usr/lib/python2.7/site-packages/inotify/library.py
usr/lib/python2.7/site-packages/inotify/library.pyc
#usr/lib/python2.7/site-packages/inotify/resources
#usr/lib/python2.7/site-packages/inotify/resources/README.rst
#usr/lib/python2.7/site-packages/inotify/resources/requirements.txt


@@ -0,0 +1,62 @@
etc/rc.d/init.d/unbound
#etc/unbound
etc/unbound/dhcp-leases.conf
etc/unbound/forward.conf
etc/unbound/icannbundle.pem
etc/unbound/local.d
etc/unbound/root.hints
etc/unbound/root.key
etc/unbound/unbound.conf
#usr/include/unbound.h
#usr/lib/libunbound.la
#usr/lib/libunbound.so
usr/lib/libunbound.so.2
usr/lib/libunbound.so.2.4.1
usr/sbin/unbound
usr/sbin/unbound-anchor
usr/sbin/unbound-checkconf
usr/sbin/unbound-dhcp-leases-bridge
usr/sbin/unbound-control
usr/sbin/unbound-control-setup
usr/sbin/unbound-switch
usr/sbin/unbound-zone
#usr/share/man/man1/unbound-host.1
#usr/share/man/man3/libunbound.3
#usr/share/man/man3/ub_cancel.3
#usr/share/man/man3/ub_ctx.3
#usr/share/man/man3/ub_ctx_add_ta.3
#usr/share/man/man3/ub_ctx_add_ta_file.3
#usr/share/man/man3/ub_ctx_async.3
#usr/share/man/man3/ub_ctx_config.3
#usr/share/man/man3/ub_ctx_create.3
#usr/share/man/man3/ub_ctx_data_add.3
#usr/share/man/man3/ub_ctx_data_remove.3
#usr/share/man/man3/ub_ctx_debuglevel.3
#usr/share/man/man3/ub_ctx_debugout.3
#usr/share/man/man3/ub_ctx_delete.3
#usr/share/man/man3/ub_ctx_get_option.3
#usr/share/man/man3/ub_ctx_hosts.3
#usr/share/man/man3/ub_ctx_print_local_zones.3
#usr/share/man/man3/ub_ctx_resolvconf.3
#usr/share/man/man3/ub_ctx_set_fwd.3
#usr/share/man/man3/ub_ctx_set_option.3
#usr/share/man/man3/ub_ctx_trustedkeys.3
#usr/share/man/man3/ub_ctx_zone_add.3
#usr/share/man/man3/ub_ctx_zone_remove.3
#usr/share/man/man3/ub_fd.3
#usr/share/man/man3/ub_poll.3
#usr/share/man/man3/ub_process.3
#usr/share/man/man3/ub_resolve.3
#usr/share/man/man3/ub_resolve_async.3
#usr/share/man/man3/ub_resolve_free.3
#usr/share/man/man3/ub_result.3
#usr/share/man/man3/ub_strerror.3
#usr/share/man/man3/ub_wait.3
#usr/share/man/man5/unbound.conf.5
#usr/share/man/man8/unbound-anchor.8
#usr/share/man/man8/unbound-checkconf.8
#usr/share/man/man8/unbound-control-setup.8
#usr/share/man/man8/unbound-control.8
#usr/share/man/man8/unbound.8
var/lib/unbound
var/lib/unbound/root.key
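Review bot: `root.key` is listed at two paths here, `etc/unbound/root.key` and `var/lib/unbound/root.key`, and the second is runtime state rather than static configuration, since the fcrontab entry in this commit passes `-a /var/lib/unbound/root.key` to unbound-anchor. If this list decides what an update unpacks, a later update would presumably overwrite the refreshed trust anchor with the packaged copy, which can leave DNSSEC validation on a stale key after a root key rollover. Confirm that the update path excludes that file or only seeds it when it is missing. It is also worth stating next to these entries which of the two copies unbound.conf reads, because only the one the scheduled job rewrites stays current.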


@@ -27,7 +27,6 @@ etc/rc.d/init.d/console
etc/rc.d/init.d/dhcp
etc/rc.d/init.d/dhcrelay
#etc/rc.d/init.d/dnsdist
etc/rc.d/init.d/dnsmasq
etc/rc.d/init.d/fcron
#etc/rc.d/init.d/fetchmail
etc/rc.d/init.d/fireinfo
@@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green
etc/rc.d/init.d/networking/orange
etc/rc.d/init.d/networking/red
#etc/rc.d/init.d/networking/red.down
etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
etc/rc.d/init.d/networking/red.down/10-ipsec
etc/rc.d/init.d/networking/red.down/10-miniupnpd
etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
etc/rc.d/init.d/networking/red.down/20-firewall
#etc/rc.d/init.d/networking/red.up
etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
etc/rc.d/init.d/networking/red.up/10-miniupnpd
etc/rc.d/init.d/networking/red.up/10-multicast
etc/rc.d/init.d/networking/red.up/10-static-routes


@@ -0,0 +1,317 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:19:12 2009 GMT
Not After : Dec 18 04:19:12 2029 GMT
Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
85:41
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
Signature Algorithm: sha256WithRSAEncryption
0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
e7:40:61:a4
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA0MTkxMloX
DTI5MTIxODA0MTkxMlowXTEOMAwGA1UEChMFSUNBTk4xJjAkBgNVBAsTHUlDQU5O
IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRYwFAYDVQQDEw1JQ0FOTiBSb290IENB
MQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKDb
cLhPNNqc1NB+u+oVvOnJESofYS9qub0/PXagmgr37pNublVThIzyLPGCJ8gPms9S
G1TaKNIsMI7d+5IgMy3WyPEOECGIcfqEIktdR1YWfJufXcMReZwU4v/AdKzdOdfg
ONiwc6r70duEr1IiqPbVm5T05l1e6D+HkAvHGnf1LtOPGs4CHQdpIUcy2kauAEy2
paKcOcHASvbTHK7TbbvHGPB+7faAztABLoneErruEcumetcNfPMIjXKdv1V1E3C7
MSJKy+jAqqQJqjZoQGB0necZgUMiUv7JK1IPQRM2CXJllcyJrm9WFxY0c1KjBO29
iIKK69fcglKcBuFShUECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8B
Af8EBAMCAf4wHQYDVR0OBBYEFLpS6UmDJIZSL8eZzfyNa2kITcBQMA0GCSqGSIb3
DQEBCwUAA4IBAQAP8emCogqHny2UYFqywEuhLys7R9UKmYY4suzGO4nkbgfPFMfH
6M+Zj6owwxlwueZt1j/IaCayoKU3QsrYYoDRolpILh+FPwx7wseUEV8ZKpWsoDoD
2JFbLg2cfB8u/OlE4RYmcxxFSmXBg0yQ8/IoQt/bxOcEEhhiQ168H2yE5rxJMt9h
15nu5JBSewrCkYqYYmaxyOC3WrVGfHZxVI7MpIFcGdvSb2a1uyuua8l0BKgk3ujF
0/wsHNeP22qNyVO+XVBzrM8fk8BSUFuiT/6tZTYXRtEt5aKQZgXbKU5dUF3jT9qg
j/Br5BZw3X/zd325TvnswzMC1+ljLzHnQGGk
-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 04:45:04 2009 GMT
Not After : Dec 22 04:45:04 2014 GMT
Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64:
5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e:
9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c:
7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25:
b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a:
b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87:
b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59:
3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6:
f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be:
73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70:
29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45:
48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a:
c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d:
66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6:
e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7:
6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03:
84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6:
e9:05
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22
Signature Algorithm: sha256WithRSAEncryption
4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45:
92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15:
d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33:
f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c:
f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75:
e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd:
04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73:
4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13:
cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20:
23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb:
38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79:
c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e:
a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2:
01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48:
e5:8d:06:73
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 6 (0x6)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 05:21:16 2009 GMT
Not After : Dec 22 05:21:16 2014 GMT
Subject: O=ICANN, CN=ICANN EMAIL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
4d:b1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
Signature Algorithm: sha256WithRSAEncryption
50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf:
b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76:
99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b:
01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7:
37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd:
9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb:
7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32:
c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a:
94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43:
a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3:
d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94:
7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed:
75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0:
48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed:
ed:42:eb:2f
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
Validity
Not Before: Dec 23 05:07:29 2009 GMT
Not After : Dec 22 05:07:29 2014 GMT
Subject: O=ICANN, CN=ICANN SSL CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
e2:c5
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
X509v3 Authority Key Identifier:
keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
X509v3 Subject Key Identifier:
6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
Signature Algorithm: sha256WithRSAEncryption
18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43:
2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6:
57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd:
fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9:
20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93:
3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34:
af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9:
af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e:
bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c:
6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b:
93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85:
fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa:
21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af:
aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd:
2c:fe:c0:ed
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

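--- a/config/unbound/root.hints
+++ b/config/unbound/root.hints
@@ -0,0 +1,90 @@
+; This file holds the information on root name servers needed to
+; initialize cache of Internet domain name servers
+; (e.g. reference this file in the "cache . <file>"
+; configuration file of BIND domain name servers).
+;
+; This file is made available by InterNIC
+; under anonymous FTP as
+; file /domain/named.cache
+; on server FTP.INTERNIC.NET
+; -OR- RS.INTERNIC.NET
+;
+; last update: March 23, 2016
+; related version of root zone: 2016032301
+;
+; formerly NS.INTERNIC.NET
+;
+. 3600000 NS A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
+A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+. 3600000 NS B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
+B.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+. 3600000 NS C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
+C.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+. 3600000 NS D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
+D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+. 3600000 NS E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+. 3600000 NS F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
+F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+. 3600000 NS G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+. 3600000 NS H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET. 3600000 A 198.97.190.53
+H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+. 3600000 NS I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
+I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+. 3600000 NS J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
+J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+. 3600000 NS K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
+K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+. 3600000 NS L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
+L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+. 3600000 NS M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
+M.ROOT-SERVERS.NET. 3600000 AAAA 2001:dc3::35
+; End of file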

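--- a/config/unbound/root.key
+++ b/config/unbound/root.key
@@ -0,0 +1 @@
+. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}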


@@ -0,0 +1,354 @@
#!/usr/bin/python
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2016 Michael Tremer #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
import argparse
import datetime
import daemon
import logging
import logging.handlers
import re
import signal
import subprocess
import inotify.adapters
def setup_logging(loglevel=logging.INFO):
log = logging.getLogger("dhcp")
log.setLevel(loglevel)
handler = logging.handlers.SysLogHandler(address="/dev/log", facility="daemon")
handler.setLevel(loglevel)
formatter = logging.Formatter("%(name)s[%(process)d]: %(message)s")
handler.setFormatter(formatter)
log.addHandler(handler)
return log
log = logging.getLogger("dhcp")
class UnboundDHCPLeasesBridge(object):
def __init__(self, dhcp_leases_file, unbound_leases_file):
self.leases_file = dhcp_leases_file
self.unbound = UnboundConfigWriter(unbound_leases_file)
self.running = False
def run(self):
log.info("Unbound DHCP Leases Bridge started on %s" % self.leases_file)
self.running = True
# Initially read leases file
self.update_dhcp_leases()
i = inotify.adapters.Inotify([self.leases_file])
for event in i.event_gen():
# End if we are requested to terminate
if not self.running:
break
if event is None:
continue
header, type_names, watch_path, filename = event
# Update leases after leases file has been modified
if "IN_MODIFY" in type_names:
self.update_dhcp_leases()
log.info("Unbound DHCP Leases Bridge terminated")
def update_dhcp_leases(self):
log.info("Reading DHCP leases from %s" % self.leases_file)
leases = DHCPLeases(self.leases_file)
self.unbound.update_dhcp_leases(leases)
def terminate(self):
self.running = False
class DHCPLeases(object):
regex_leaseblock = re.compile(r"lease (?P<ipaddr>\d+\.\d+\.\d+\.\d+) {(?P<config>[\s\S]+?)\n}")
def __init__(self, path):
self.path = path
self._leases = self._parse()
def __iter__(self):
return iter(self._leases)
def _parse(self):
leases = []
with open(self.path) as f:
# Read entire leases file
data = f.read()
for match in self.regex_leaseblock.finditer(data):
block = match.groupdict()
ipaddr = block.get("ipaddr")
config = block.get("config")
properties = self._parse_block(config)
# Skip any abandoned leases
if not "hardware" in properties:
continue
lease = Lease(ipaddr, properties)
# Check if a lease for this Ethernet address already
# exists in the list of known leases. If so replace
# if with the most recent lease
for i, l in enumerate(leases):
if l.hwaddr == lease.hwaddr:
leases[i] = max(lease, l)
break
else:
leases.append(lease)
return leases
def _parse_block(self, block):
properties = {}
for line in block.splitlines():
if not line:
continue
# Remove trailing ; from line
if line.endswith(";"):
line = line[:-1]
# Invalid line if it doesn't end with ;
else:
continue
# Remove any leading whitespace
line = line.lstrip()
# We skip all options and sets
if line.startswith("option") or line.startswith("set"):
continue
# Split by first space
key, val = line.split(" ", 1)
properties[key] = val
return properties
class Lease(object):
def __init__(self, ipaddr, properties):
self.ipaddr = ipaddr
self._properties = properties
def __repr__(self):
return "<%s %s for %s (%s)>" % (self.__class__.__name__,
self.ipaddr, self.hwaddr, self.hostname)
def __eq__(self, other):
return self.ipaddr == other.ipaddr and self.hwaddr == other.hwaddr
def __gt__(self, other):
if not self.ipaddr == other.ipaddr:
return
if not self.hwaddr == other.hwaddr:
return
return self.time_starts > other.time_starts
@property
def binding_state(self):
state = self._properties.get("binding")
if state:
state = state.split(" ", 1)
return state[1]
@property
def active(self):
return self.binding_state == "active"
@property
def hwaddr(self):
hardware = self._properties.get("hardware")
if not hardware:
return
ethernet, address = hardware.split(" ", 1)
return address
@property
def hostname(self):
hostname = self._properties.get("client-hostname")
# Remove any ""
if hostname:
hostname = hostname.replace("\"", "")
return hostname
@property
def domain(self):
return "local" # XXX
@property
def fqdn(self):
return "%s.%s" % (self.hostname, self.domain)
@staticmethod
def _parse_time(s):
return datetime.datetime.strptime(s, "%w %Y/%m/%d %H:%M:%S")
@property
def time_starts(self):
starts = self._properties.get("starts")
if starts:
return self._parse_time(starts)
@property
def time_ends(self):
ends = self._properties.get("ends")
if not ends or ends == "never":
return
return self._parse_time(ends)
@property
def expired(self):
if not self.time_ends:
return self.time_starts > datetime.datetime.utcnow()
return self.time_starts > datetime.datetime.utcnow() > self.time_ends
@property
def rrset(self):
return [
# Forward record
(self.fqdn, "IN A", self.ipaddr),
# Reverse record
(self.ipaddr, "IN PTR", self.fqdn),
]
class UnboundConfigWriter(object):
def __init__(self, path):
self.path = path
self._cached_leases = []
def update_dhcp_leases(self, leases):
# Strip all non-active or expired leases
leases = [l for l in leases if l.active and not l.expired]
# Find any leases that have expired or do not exist any more
removed_leases = [l for l in self._cached_leases if l.expired or l not in leases]
# Find any leases that have been added
new_leases = [l for l in leases if l not in self._cached_leases]
# End here if nothing has changed
if not new_leases and not removed_leases:
return
self._cached_leases = leases
# Write out all leases
self.write_dhcp_leases(leases)
# Update unbound about changes
for l in removed_leases:
self._control("local_data_remove", l.fqdn)
for l in new_leases:
for rr in l.rrset:
self._control("local_data", *rr)
def write_dhcp_leases(self, leases):
with open(self.path, "w") as f:
for l in leases:
for rr in l.rrset:
f.write("local-data: \"%s\"\n" % " ".join(rr))
def _control(self, *args):
command = ["unbound-control", "-q"]
command.extend(args)
try:
subprocess.check_call(command)
# Log any errors
except subprocess.CalledProcessError as e:
log.critical("Could not run %s, error code: %s: %s" % (
" ".join(command), e.returncode, e.output))
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="Bridge for DHCP Leases and Unbound DNS")
# Daemon Stuff
parser.add_argument("--daemon", "-d", action="store_true",
help="Launch as daemon in background")
parser.add_argument("--verbose", "-v", action="count", help="Be more verbose")
# Paths
parser.add_argument("--dhcp-leases", default="/var/state/dhcp/dhcpd.leases",
metavar="PATH", help="Path to the DHCPd leases file")
parser.add_argument("--unbound-leases", default="/etc/unbound/dhcp-leases.conf",
metavar="PATH", help="Path to the unbound configuration file")
# Parse command line arguments
args = parser.parse_args()
# Setup logging
if args.verbose == 1:
loglevel = logging.INFO
elif args.verbose >= 2:
loglevel = logging.DEBUG
else:
loglevel = logging.WARN
setup_logging(loglevel)
bridge = UnboundDHCPLeasesBridge(args.dhcp_leases, args.unbound_leases)
ctx = daemon.DaemonContext(detach_process=args.daemon)
ctx.signal_map = {
signal.SIGHUP : bridge.update_dhcp_leases,
signal.SIGTERM : bridge.terminate,
}
with ctx:
bridge.run()
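Review bot: The `client-hostname` value is copied from the leases file into resolver records with only the double quotes removed (the `hostname` property), and the resulting `fqdn` feeds both `write_dhcp_leases` and `_control`; that name is presumably chosen by the DHCP client, so it should be validated before it is written anywhere. A lease that carries no `client-hostname` takes the same path, where `"%s.%s" % (self.hostname, self.domain)` produces `None.local`. In `UnboundConfigWriter.update_dhcp_leases` I would keep only leases whose name is a single valid DNS label, e.g. `leases = [l for l in leases if l.active and not l.expired and l.hostname and re.match(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$", l.hostname)]`. With that filter, whitespace or other unexpected characters can never change the `local-data:` line written to the include file or the arguments handed to `unbound-control`.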


@@ -0,0 +1,94 @@
#
# Unbound configuration file for IPFire
#
# The full documentation is available at:
# https://www.unbound.net/documentation/unbound.conf.html
#
server:
# Common Server Options
chroot: ""
directory: "/etc/unbound"
username: "nobody"
port: 53
do-ip4: yes
do-ip6: no
do-udp: yes
do-tcp: yes
so-reuseport: yes
do-not-query-localhost: yes
# System Tuning
include: "/etc/unbound/tuning.conf"
# Logging Options
verbosity: 1
use-syslog: yes
log-time-ascii: yes
log-queries: no
# Unbound Statistics
statistics-interval: 0
statistics-cumulative: yes
extended-statistics: yes
# Prefetching
prefetch: yes
prefetch-key: yes
# Randomise any cached responses
rrset-roundrobin: yes
# Privacy Options
hide-identity: yes
hide-version: yes
qname-minimisation: yes
minimal-responses: yes
# DNSSEC
auto-trust-anchor-file: "/var/lib/unbound/root.key"
val-permissive-mode: no
val-clean-additional: yes
val-log-level: 1
# Hardening Options
harden-glue: yes
harden-short-bufsize: no
harden-large-queries: yes
harden-dnssec-stripped: yes
harden-below-nxdomain: yes
harden-referral-path: yes
harden-algo-downgrade: no
use-caps-for-id: no
# Deny access from everywhere
access-control: 0.0.0.0/0 refuse
# Listen on localhost
interface: 127.0.0.1
access-control: 127.0.0.0/8 allow
# Bootstrap root servers
root-hints: "/etc/unbound/root.hints"
# IPFire interface configuration
include: "/etc/unbound/interfaces.conf"
interface-automatic: no
# Include DHCP leases
include: "/etc/unbound/dhcp-leases.conf"
# Include any forward zones
include: "/etc/unbound/forward.conf"
remote-control:
control-enable: yes
control-use-cert: yes
control-interface: 127.0.0.1
server-key-file: "/etc/unbound/unbound_server.key"
server-cert-file: "/etc/unbound/unbound_server.pem"
control-key-file: "/etc/unbound/unbound_control.key"
control-cert-file: "/etc/unbound/unbound_control.pem"
# Import any local configurations
include: "/etc/unbound/local.d/*.conf"
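Review bot: `username: "nobody"` runs the resolver under an account that is commonly shared with other processes, while `auto-trust-anchor-file: "/var/lib/unbound/root.key"` requires that same account to be able to rewrite the DNSSEC trust anchor; anything else running as nobody could then replace the key the validator trusts. A dedicated service account would keep that file out of reach, e.g. `username: "unbound"` (account name to be chosen) with `/var/lib/unbound` owned by it; the ownership the package sets is not visible here, so confirm it. Separately, `include: "/etc/unbound/local.d/*.conf"` comes after the `remote-control:` clause has been opened, so a local file that does not begin with its own clause would presumably be parsed as part of `remote-control:`. A comment above that line such as `# files in local.d must start with their own clause, e.g. "server:"` would make the expectation explicit.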


@@ -106,8 +106,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
$cgiparams{'ID'} = $cgiparams{'EDITING'};
}
}
# Restart dnsmasq.
system('/usr/local/bin/dnsmasqctrl restart >/dev/null');
# Restart unbound
system('/usr/local/bin/unboundctrl restart >/dev/null');
}
###
@@ -124,8 +124,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
}
close(FILE);
# Restart dnsmasq.
system('/usr/local/bin/dnsmasqctrl restart >/dev/null');
# Restart unbound.
system('/usr/local/bin/unboundctrl restart >/dev/null');
}
###
@@ -148,8 +148,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
}
}
close(FILE);
# Restart dnsmasq.
system('/usr/local/bin/dnsmasqctrl restart >/dev/null');
# Restart unbound.
system('/usr/local/bin/unboundctrl restart >/dev/null');
}
###


@@ -52,7 +52,7 @@ my %sections = (
'ipfire' => '(ipfire: )',
'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
'ddns' => '(ddns\[\d+\]:)',
'dns' => '(dnsmasq\[.*\]: )',
'dns' => '(dnsmasq\[.*\]: |unbound\[.*\]: )',
'dma' => '(dma\[.*\]: )',
'dhcp' => '(dhcpd: )',
'clamav' => '(clamd\[.*\]: |freshclam\[.*\]: )',


@@ -49,7 +49,7 @@ my %servicenames =(
$Lang::tr{'dhcp server'} => 'dhcpd',
$Lang::tr{'web server'} => 'httpd',
$Lang::tr{'cron server'} => 'fcron',
$Lang::tr{'dns proxy server'} => 'dnsmasq',
$Lang::tr{'dns proxy server'} => 'unbound',
$Lang::tr{'logging server'} => 'syslogd',
$Lang::tr{'kernel logging server'} => 'klogd',
$Lang::tr{'ntp server'} => 'ntpd',


@@ -185,13 +185,11 @@ $(TARGET) :
ln -sf ../init.d/wlanclient /etc/rc.d/rc3.d/S19wlanclient
ln -sf ../init.d/wlanclient /etc/rc.d/rc6.d/K82wlanclient
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
ln -sf ../../../../../usr/local/bin/snortctrl \
/etc/rc.d/init.d/networking/red.up/23-RS-snort
ln -sf ../../../../../usr/local/bin/qosctrl \
/etc/rc.d/init.d/networking/red.up/24-RS-qos
ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
for i in green blue orange; do \
ln -sf any /etc/rc.d/init.d/networking/$$i; \

75
lfs/python-daemon Normal file

@@ -0,0 +1,75 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2011 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 2.1.1
THISAPP = python-daemon-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 72e2acf2c3d69c7fa75a6625d06adfd0
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && python setup.py install --root=/
@rm -rf $(DIR_APP)
@$(POSTBUILD)

75
lfs/python-docutils Normal file

@@ -0,0 +1,75 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2011 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 0.12
THISAPP = docutils-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 4622263b62c5c771c03502afa3157768
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && python setup.py install --root=/
@rm -rf $(DIR_APP)
@$(POSTBUILD)

75
lfs/python-inotify Normal file

@@ -0,0 +1,75 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2011 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
###############################################################################
# Definitions
###############################################################################
include Config
VER = 0.2.7
THISAPP = inotify-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
###############################################################################
# Top-level Rules
###############################################################################
objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = ced4c0469f9fd64170d9d907e4aec208
install : $(TARGET)
check : $(patsubst %,$(DIR_CHK)/%,$(objects))
download :$(patsubst %,$(DIR_DL)/%,$(objects))
md5 : $(subst %,%_MD5,$(objects))
###############################################################################
# Downloading, checking, md5sum
###############################################################################
$(patsubst %,$(DIR_CHK)/%,$(objects)) :
@$(CHECK)
$(patsubst %,$(DIR_DL)/%,$(objects)) :
@$(LOAD)
$(subst %,%_MD5,$(objects)) :
@$(MD5)
###############################################################################
# Installation Details
###############################################################################
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && python setup.py install --root=/
@rm -rf $(DIR_APP)
@$(POSTBUILD)
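Review bot: The only integrity pin for the downloaded tarball is `$(DL_FILE)_MD5 = ced4c0469f9fd64170d9d907e4aec208`, and MD5 is not collision-resistant, so it guards against a corrupted download but not against a deliberately substituted archive whose `setup.py` is then executed by `python setup.py install --root=/`. What `$(CHECK)` and `$(LOAD)` actually verify is defined in `Config`, which is not part of this page, so a stronger check may already exist there. If it does not, the recipe should at least record how the digest was obtained, for instance with a comment above the value such as `# MD5 detects corruption only; compare against the upstream release signature or a SHA-256 when updating`. The same applies to the new MD5 value in the unbound recipe further down the page.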


@@ -24,17 +24,14 @@
include Config
VER = 2.76
VER = 1.5.9
THISAPP = dnsmasq-$(VER)
DL_FILE = $(THISAPP).tar.xz
THISAPP = unbound-$(VER)
DL_FILE = $(THISAPP).tar.gz
DL_FROM = $(URL_IPFIRE)
DIR_APP = $(DIR_SRC)/$(THISAPP)
TARGET = $(DIR_INFO)/$(THISAPP)
# We cannot use INOTIFY because our ISC reader code does not support that
COPTS = -DHAVE_ISC_READER -DNO_INOTIFY
###############################################################################
# Top-level Rules
###############################################################################
@@ -43,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
$(DL_FILE)_MD5 = 00f5ee66b4e4b7f14538bf62ae3c9461
$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3
install : $(TARGET)
@@ -73,32 +70,40 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Manpage_typo.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
cd $(DIR_APP) && \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--with-pidfile=/var/run/unbound.pid \
--with-rootkey-file=/var/lib/unbound/root.key \
--disable-static \
--with-libevent
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install
cd $(DIR_APP) && sed -i src/config.h \
-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
-e 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' \
-e 's|#define HAVE_DHCP|//#define HAVE_DHCP|g' \
-e 's|#define HAVE_DHCP6|//#define HAVE_DHCP6|g' \
-e 's|#define HAVE_TFTP|//#define HAVE_TFTP|g'
# Install configuration
install -v -m 644 $(DIR_SRC)/config/unbound/unbound.conf \
/etc/unbound/unbound.conf
touch /etc/unbound/{dhcp-leases,forward}.conf
-mkdir -pv /etc/unbound/local.d
# Install root hints
install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \
/etc/unbound/root.hints
# Install DHCP leases bridge
install -v -m 755 $(DIR_SRC)/config/unbound/unbound-dhcp-leases-bridge \
/usr/sbin/unbound-dhcp-leases-bridge
# Install key
-mkdir -pv /var/lib/unbound
install -v -m 644 $(DIR_SRC)/config/unbound/root.key \
/var/lib/unbound/root.key
chown -Rv nobody.nobody /var/lib/unbound
# Ship ICANN's certificates to validate DNS trust anchors
install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
/etc/unbound/icannbundle.pem
cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" COPTS="$(COPTS)" \
PREFIX=/usr all install
@rm -rf $(DIR_APP)
@$(POSTBUILD)
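Review bot: `chown -Rv nobody.nobody /var/lib/unbound` gives the DNSSEC trust anchor to the shared `nobody` account, so any other service running as `nobody` can rewrite `/var/lib/unbound/root.key` and with it what the resolver accepts as validly signed. A dedicated account for the resolver would keep write access to the anchor with the resolver and its anchor updater; which user unbound itself runs as is set in unbound.conf, which is not shown here, so this needs checking against that file. If the ownership stays as it is, use the colon form, `chown -Rv nobody:nobody /var/lib/unbound`, since the dot separator is a deprecated spelling. The rendered section interleaves the removed dnsmasq lines with the new ones, so the sed on `src/config.h` and the final `make CFLAGS=... COPTS=...` are read here as removed.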


@@ -537,7 +537,9 @@ buildipfire() {
ipfiremake beep
ipfiremake dvdrtools
ipfiremake nettle
ipfiremake dnsmasq
ipfiremake libevent
ipfiremake libevent2
ipfiremake unbound
ipfiremake dosfstools
ipfiremake reiserfsprogs
ipfiremake xfsprogs
@@ -603,6 +605,9 @@ buildipfire() {
ipfiremake python-mechanize
ipfiremake python-feedparser
ipfiremake python-rssdler
ipfiremake python-inotify
ipfiremake python-docutils
ipfiremake python-daemon
ipfiremake glib
ipfiremake GeoIP
ipfiremake fwhits
@@ -678,8 +683,6 @@ buildipfire() {
ipfiremake gnump3d
ipfiremake rsync
ipfiremake tcpwrapper
ipfiremake libevent
ipfiremake libevent2
ipfiremake libtirpc
ipfiremake rpcbind
ipfiremake nfs


@@ -1,145 +0,0 @@
#!/bin/sh
########################################################################
# Begin $rc_base/init.d/dnsmasq
#
# Description : dnsmasq init script
#
# Authors : Michael Tremer - mitch@ipfire.org
#
# Version : 01.00
#
# Notes :
#
########################################################################
. /etc/sysconfig/rc
. ${rc_functions}
CACHE_SIZE=2500
ENABLE_DNSSEC=1
SHOW_SRV=1
TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
TIMESTAMP_FILE="/var/ipfire/dns/dnssec-timestamp"
# Pull custom configuration file
if [ -e "/etc/sysconfig/dnsmasq" ]; then
. /etc/sysconfig/dnsmasq
fi
function dnssec_args() {
local cmdline="--dnssec --dnssec-timestamp ${TIMESTAMP_FILE}"
if [ -n "${TRUST_ANCHOR}" ]; then
cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"
fi
echo "${cmdline}"
}
function dns_forward_args() {
local file="${1}"
# Do nothing if file is empty.
[ -s "${file}" ] || return
local cmdline
local enabled zone server remark
while IFS="," read -r enabled zone server remark; do
# Line must be enabled.
[ "${enabled}" = "on" ] || continue
cmdline="${cmdline} --server=/${zone}/${server}"
done < ${file}
echo "${cmdline}"
}
function dns_leases_args() {
eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
# If the DHCP server is enabled and DNS Update (RFC2136) is
# enabled, too, we won't overlay the internal domain with
# the dynamic/static leases.
if ([ "${ENABLE_GREEN}" = "on" ] || [ "${ENABLE_BLUE}" = "on" ]) \
&& [ "${DNS_UPDATE_ENABLED}" = "on" ]; then
return
fi
echo "-l /var/state/dhcp/dhcpd.leases"
}
case "${1}" in
start)
# kill already running copy of dnsmasq...
killproc /usr/sbin/dnsmasq 2>&1 > /dev/null
boot_mesg "Starting Domain Name Service Proxy..."
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
ARGS="$CUSTOM_ARGS"
[ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN"
# DHCP configuration
ARGS="${ARGS} $(dns_leases_args)"
echo > /var/ipfire/red/resolv.conf # Clear it
if [ -e "/var/ipfire/red/dns1" ]; then
DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
if [ ! -z ${DNS1} ]; then
echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
fi
fi
if [ -e "/var/ipfire/red/dns2" ]; then
DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
if [ ! -z ${DNS2} ]; then
echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
fi
fi
[ -e "/var/ipfire/red/active" ] && ARGS="$ARGS -r /var/ipfire/red/resolv.conf"
ARGS="$ARGS --domain=`cat /var/ipfire/main/settings |grep DOMAIN |cut -d = -f 2`"
# Add custom forward dns zones.
ARGS="${ARGS} $(dns_forward_args /var/ipfire/dnsforward/config)"
# Enabled DNSSEC validation
if [ "${ENABLE_DNSSEC}" -eq 1 ]; then
ARGS="${ARGS} $(dnssec_args)"
fi
if [ -n "${CACHE_SIZE}" ]; then
ARGS="${ARGS} --cache-size=${CACHE_SIZE}"
fi
loadproc /usr/sbin/dnsmasq ${ARGS}
if [ "${SHOW_SRV}" -eq 1 ] && [ "${DNS1}" != "" -o "${DNS2}" != "" ]; then
boot_mesg "Using DNS server(s): ${DNS1} ${DNS2}"
boot_mesg_flush
fi
;;
stop)
boot_mesg "Stopping Domain Name Service Proxy..."
killproc /usr/sbin/dnsmasq
;;
restart)
${0} stop
sleep 1
${0} start
;;
status)
statusproc /usr/sbin/dnsmasq
;;
*)
echo "Usage: ${0} {start|stop|restart|status}"
exit 1
;;
esac
# End $rc_base/init.d/dnsmasq


@@ -16,10 +16,6 @@
. ${rc_functions}
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
init_networking() {
/etc/rc.d/init.d/dnsmasq start
}
DO="${1}"
shift
@@ -46,8 +42,6 @@ done
case "${DO}" in
start)
[ "${ALL}" == "1" ] && init_networking
# Starting interfaces...
# GREEN
[ "$green" == "1" ] && /etc/rc.d/init.d/networking/green start
@@ -92,9 +86,6 @@ case "${DO}" in
fi
fi
# Stopping dnsmasq if network all networks shutdown
[ "${ALL}" == "1" ] && /etc/rc.d/init.d/dnsmasq stop
exit 0
;;


@@ -0,0 +1,4 @@
#!/bin/bash
# Update DNS forwarders for unbound
exec /etc/init.d/unbound update-forwarders


@@ -0,0 +1,4 @@
#!/bin/bash
# Update DNS forwarders for unbound
exec /etc/init.d/unbound update-forwarders


@@ -0,0 +1,226 @@
#!/bin/sh
# Begin $rc_base/init.d/unbound
# Description : Unbound DNS resolver boot script for IPfire
# Author : Marcel Lorenz <marcel.lorenz@ipfire.org>
#
# Comment : This init script additional starts the dhcpd watcher daemon
# if DNS-Update (RFC2136) in web interface enabled
. /etc/sysconfig/rc
. ${rc_functions}
USE_FORWARDERS=1
# Load optional configuration
[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
function cidr() {
local cidr nbits IFS;
IFS=. read -r i1 i2 i3 i4 <<< ${1}
IFS=. read -r m1 m2 m3 m4 <<< ${2}
cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
nbits=0
IFS=.
for dec in $2 ; do
case $dec in
255) let nbits+=8;;
254) let nbits+=7;;
252) let nbits+=6;;
248) let nbits+=5;;
240) let nbits+=4;;
224) let nbits+=3;;
192) let nbits+=2;;
128) let nbits+=1;;
0);;
*) echo "Error: $dec is not recognised"; exit 1
esac
done
echo "${cidr}/${nbits}"
}
read_name_servers() {
local i
for i in 1 2; do
echo "$(</var/ipfire/red/dns${i})"
done | xargs echo
}
config_header() {
echo "# This file is automatically generated and any changes"
echo "# will be overwritten. DO NOT EDIT!"
echo
}
update_forwarders() {
local forwarders="$(read_name_servers)"
if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
boot_mesg "Using Name Server(s): ${forwarders}"
boot_mesg_flush
unbound-control -q forward ${forwarders}
# If forwarders cannot be used we run in recursor mode
else
unbound-control -q forward off
fi
}
write_interfaces_conf() {
(
config_header
if [ -n "${GREEN_ADDRESS}" ]; then
echo "# GREEN"
echo "interface: ${GREEN_ADDRESS}"
echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
fi
if [ -n "${BLUE_ADDRESS}" ]; then
echo "# BLUE"
echo "interface: ${BLUE_ADDRESS}"
echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
fi
) > /etc/unbound/interfaces.conf
}
write_forward_conf() {
(
config_header
local enabled zone server remark
while IFS="," read -r enabled zone server remark; do
# Line must be enabled.
[ "${enabled}" = "on" ] || continue
echo "forward-zone:"
echo " name: ${zone}"
echo " forward-addr: ${server}"
echo
done < /var/ipfire/dnsforward/config
) > /etc/unbound/forward.conf
}
write_tuning_conf() {
# https://www.unbound.net/documentation/howto_optimise.html
# Determine number of online processors
local processors=$(getconf _NPROCESSORS_ONLN)
# Determine number of slabs
local slabs=1
while [ ${slabs} -lt ${processors} ]; do
slabs=$(( ${slabs} * 2 ))
done
# Determine amount of system memory
local mem=$(get_memory_amount)
# In the worst case scenario, unbound can use double the
# amount of memory allocated to a cache due to malloc overhead
# Large systems with more than 2GB of RAM
if [ ${mem} -ge 2048 ]; then
mem=128
# Small systems with less than 256MB of RAM
elif [ ${mem} -le 256 ]; then
mem=8
# Everything else
else
mem=32
fi
(
config_header
# We run one thread per processor
echo "num-threads: ${processors}"
# Adjust number of slabs
echo "infra-cache-slabs: ${slabs}"
echo "key-cache-slabs: ${slabs}"
echo "msg-cache-slabs: ${slabs}"
echo "rrset-cache-slabs: ${slabs}"
# Slice up the cache
echo "rrset-cache-size: $(( ${mem} / 2 ))m"
echo "msg-cache-size: $(( ${mem} / 4 ))m"
echo "key-cache-size: $(( ${mem} / 4 ))m"
) > /etc/unbound/tuning.conf
}
get_memory_amount() {
local key val unit
while read -r key val unit; do
case "${key}" in
MemTotal:*)
# Convert to MB
echo "$(( ${val} / 1024 ))"
break
;;
esac
done < /proc/meminfo
}
case "$1" in
start)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
# Create control keys at first run
if [ ! -r "/etc/unbound/unbound_control.key" ]; then
unbound-control-setup -d /etc/unbound &>/dev/null
fi
# Update configuration files
write_tuning_conf
write_interfaces_conf
write_forward_conf
boot_mesg "Starting Unbound DNS Proxy..."
loadproc /usr/sbin/unbound || exit $?
# Update any known forwarding name servers
update_forwarders
# Start Unbound DHCP Lease Bridge unless RFC2136 is used
if [ "${DNS_UPDATE_ENABLED}" != on ]; then
boot_mesg "Starting Unbound DHCP Leases Bridge..."
loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
fi
;;
stop)
boot_mesg "Stopping Unbound DHCP Leases Bridge..."
killproc /usr/sbin/unbound-dhcp-leases-bridge
boot_mesg "Stopping Unbound DNS Proxy..."
killproc /usr/sbin/unbound
;;
restart)
$0 stop
sleep 1
$0 start
;;
status)
statusproc /usr/sbin/unbound
statusproc /usr/sbin/unbound-dhcp-leases-bridge
;;
update-forwarders)
update_forwarders
;;
*)
echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
exit 1
;;
esac
# End $rc_base/init.d/unbound
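Review bot: In `cidr()` the `*)` branch writes `Error: $dec is not recognised` to stdout and calls `exit 1`, but `cidr` is only invoked inside `$(...)` in `write_interfaces_conf`, so the text is captured and lands in `/etc/unbound/interfaces.conf` as an `access-control:` value while the `exit` ends only the command-substitution subshell. The message should go to stderr and the caller should test the return status before emitting the `interface:` and `access-control:` lines, so a malformed netmask in the ethernet settings cannot yield a broken or unintended ACL entry. The octet table also accepts non-contiguous masks (for example `255.0.255.0` is counted as 16 bits), which is worth rejecting in the same place.

```shell
# in cidr(): report on stderr so the text is not captured by $(...)
		*) echo "Error: $dec is not recognised" >&2; return 1;;
# … unchanged: rest of cidr() …

# in write_interfaces_conf(): GREEN shown, BLUE follows the same pattern
		local green_net
		if [ -n "${GREEN_ADDRESS}" ] && \
			green_net="$(cidr "${GREEN_NETADDRESS}" "${GREEN_NETMASK}")"; then
			echo "# GREEN"
			echo "interface: ${GREEN_ADDRESS}"
			echo "access-control: ${green_net} allow"
		fi
```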


@@ -31,7 +31,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \
smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
getconntracktable wirelessclient dnsmasqctrl torctrl ddnsctrl
getconntracktable wirelessclient torctrl ddnsctrl unboundctrl
SUID_UPDX = updxsetperms
OBJS = $(patsubst %,%.o,$(PROGS) $(SUID_PROGS))


@@ -19,14 +19,14 @@ int main(int argc, char *argv[]) {
exit(1);
if (argc < 2) {
fprintf(stderr, "\nNo argument given.\n\ndnsmasqctrl (restart)\n\n");
fprintf(stderr, "\nNo argument given.\n\nunboundctrl (restart)\n\n");
exit(1);
}
if (strcmp(argv[1], "restart") == 0) {
safe_system("/etc/rc.d/init.d/dnsmasq restart");
safe_system("/etc/rc.d/init.d/unbound restart");
} else {
fprintf(stderr, "\nBad argument given.\n\ndnsmasqctrl (restart)\n\n");
fprintf(stderr, "\nBad argument given.\n\nunboundctrl (restart)\n\n");
exit(1);
}


@@ -1,363 +0,0 @@
--- a/src/cache.c Wed Dec 16 19:24:12 2015
+++ b/src/cache.c Wed Dec 16 19:37:37 2015
@@ -17,7 +17,7 @@
#include "dnsmasq.h"
static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL;
-#ifdef HAVE_DHCP
+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
static struct crec *dhcp_spare = NULL;
#endif
static struct crec *new_chain = NULL;
@@ -217,6 +217,9 @@
crecp->flags &= ~F_BIGNAME;
}
+ if (crecp->flags & F_DHCP)
+ free(crecp->name.namep);
+
#ifdef HAVE_DNSSEC
cache_blockdata_free(crecp);
#endif
@@ -1138,7 +1141,7 @@
}
-#ifdef HAVE_DHCP
+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
struct in_addr a_record_from_hosts(char *name, time_t now)
{
struct crec *crecp = NULL;
@@ -1281,7 +1284,11 @@
else
crec->ttd = ttd;
crec->addr.addr = *host_address;
+#ifdef HAVE_ISC_READER
+ crec->name.namep = strdup(host_name);
+#else
crec->name.namep = host_name;
+#endif
crec->uid = next_uid();
cache_hash(crec);
--- a/src/dnsmasq.c Thu Jul 30 20:59:06 2015
+++ b/src/dnsmasq.c Wed Dec 16 19:38:32 2015
@@ -1017,6 +1017,11 @@
poll_resolv(0, daemon->last_resolv != 0, now);
daemon->last_resolv = now;
+
+#ifdef HAVE_ISC_READER
+ if (daemon->lease_file && !daemon->dhcp)
+ load_dhcp(now);
+#endif
}
#endif
--- a/src/dnsmasq.h Wed Dec 16 19:24:12 2015
+++ b/src/dnsmasq.h Wed Dec 16 19:40:11 2015
@@ -1516,6 +1516,11 @@
void poll_listen(int fd, short event);
int do_poll(int timeout);
+/* isc.c */
+#ifdef HAVE_ISC_READER
+void load_dhcp(time_t now);
+#endif
+
/* rrfilter.c */
size_t rrfilter(struct dns_header *header, size_t plen, int mode);
u16 *rrfilter_desc(int type);
int expand_workspace(unsigned char ***wkspc, int *szp, int new);
-
--- /dev/null Wed Dec 16 19:48:08 2015
+++ b/src/isc.c Wed Dec 16 19:41:35 2015
@@ -0,0 +1,266 @@
+/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and
+ Michael Tremer
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991, or
+ (at your option) version 3 dated 29 June, 2007.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+ Code in this file is based on contributions by John Volpe and
+ Simon Kelley. Updated for recent versions of dnsmasq by
+ Michael Tremer.
+*/
+
+
+#define _GNU_SOURCE
+
+#include <assert.h>
+#include <stdio.h>
+
+#include "dnsmasq.h"
+
+#ifdef HAVE_ISC_READER
+#define MAXTOK 50
+
+struct isc_dhcp_lease {
+ char* name;
+ char* fqdn;
+ time_t expires;
+ struct in_addr addr;
+ struct isc_dhcp_lease* next;
+};
+
+static struct isc_dhcp_lease* dhcp_lease_new(const char* hostname) {
+ struct isc_dhcp_lease* lease = whine_malloc(sizeof(*lease));
+ if (!lease)
+ return NULL;
+
+ lease->name = strdup(hostname);
+ if (daemon->domain_suffix) {
+ int r = asprintf(&lease->fqdn, "%s.%s", hostname, daemon->domain_suffix);
+
+ // Handle OOM
+ if (r < 0) {
+ free(lease);
+ return NULL;
+ }
+ }
+ lease->expires = 0;
+ lease->next = NULL;
+
+ return lease;
+}
+
+static void dhcp_lease_free(struct isc_dhcp_lease* lease) {
+ if (!lease)
+ return;
+
+ if (lease->name)
+ free(lease->name);
+ if (lease->fqdn)
+ free(lease->fqdn);
+ free(lease);
+}
+
+static int next_token(char* token, int buffsize, FILE* fp) {
+ int c, count = 0;
+ char* cp = token;
+
+ while ((c = getc(fp)) != EOF) {
+ if (c == '#') {
+ do {
+ c = getc(fp);
+ } while (c != '\n' && c != EOF);
+ }
+
+ if (c == ' ' || c == '\t' || c == '\n' || c == ';') {
+ if (count)
+ break;
+ } else if ((c != '"') && (count < buffsize - 1)) {
+ *cp++ = c;
+ count++;
+ }
+ }
+
+ *cp = 0;
+ return count ? 1 : 0;
+}
+
+static long get_utc_offset() {
+ time_t t = time(NULL);
+ struct tm* time_struct = localtime(&t);
+
+ return time_struct->tm_gmtoff;
+}
+
+static time_t parse_lease_time(const char* token_date, const char* token_time) {
+ time_t time = (time_t)(-1);
+ struct tm lease_time;
+
+ if (sscanf(token_date, "%d/%d/%d", &lease_time.tm_year, &lease_time.tm_mon, &lease_time.tm_mday) == 3) {
+ lease_time.tm_year -= 1900;
+ lease_time.tm_mon -= 1;
+
+ if (sscanf(token_time, "%d:%d:%d", &lease_time.tm_hour, &lease_time.tm_min, &lease_time.tm_sec) == 3) {
+ time = mktime(&lease_time) + get_utc_offset();
+ }
+ }
+
+ return time;
+}
+
+static struct isc_dhcp_lease* find_lease(const char* hostname, struct isc_dhcp_lease* leases) {
+ struct isc_dhcp_lease* lease = leases;
+
+ while (lease) {
+ if (strcmp(hostname, lease->name) == 0) {
+ return lease;
+ }
+ lease = lease->next;
+ }
+
+ return NULL;
+}
+
+static off_t lease_file_size = (off_t)0;
+static ino_t lease_file_inode = (ino_t)0;
+
+void load_dhcp(time_t now) {
+ struct isc_dhcp_lease* leases = NULL;
+
+ struct stat statbuf;
+ if (stat(daemon->lease_file, &statbuf) == -1) {
+ return;
+ }
+
+ /* Do nothing if the lease file has not changed. */
+ if ((statbuf.st_size <= lease_file_size) && (statbuf.st_ino == lease_file_inode))
+ return;
+
+ lease_file_size = statbuf.st_size;
+ lease_file_inode = statbuf.st_ino;
+
+ FILE* fp = fopen(daemon->lease_file, "r");
+ if (!fp) {
+ my_syslog(LOG_ERR, _("failed to load %s:%s"), daemon->lease_file, strerror(errno));
+ return;
+ }
+
+ my_syslog(LOG_INFO, _("reading %s"), daemon->lease_file);
+
+ char* hostname = daemon->namebuff;
+ struct in_addr host_address;
+ time_t time_starts = -1;
+ time_t time_ends = -1;
+ int nomem;
+
+ char token[MAXTOK];
+ while ((next_token(token, MAXTOK, fp))) {
+ if (strcmp(token, "lease") == 0) {
+ hostname[0] = '\0';
+
+ if (next_token(token, MAXTOK, fp) && ((host_address.s_addr = inet_addr(token)) != (in_addr_t)-1)) {
+ if (next_token(token, MAXTOK, fp) && *token == '{') {
+ while (next_token(token, MAXTOK, fp) && *token != '}') {
+ if ((strcmp(token, "client-hostname") == 0) || (strcmp(token, "hostname") == 0)) {
+ if (next_token(hostname, MAXDNAME, fp)) {
+ if (!canonicalise(hostname, &nomem)) {
+ *hostname = 0;
+ my_syslog(LOG_ERR, _("bad name in %s"), daemon->lease_file);
+ }
+ }
+ } else if ((strcmp(token, "starts") == 0) || (strcmp(token, "ends") == 0)) {
+ char token_date[MAXTOK];
+ char token_time[MAXTOK];
+
+ int is_starts = strcmp(token, "starts") == 0;
+
+ // Throw away the weekday and parse the date.
+ if (next_token(token, MAXTOK, fp) && next_token(token_date, MAXTOK, fp) && next_token(token_time, MAXTOK, fp)) {
+ time_t time = parse_lease_time(token_date, token_time);
+
+ if (is_starts)
+ time_starts = time;
+ else
+ time_ends = time;
+ }
+ }
+ }
+
+ if (!*hostname)
+ continue;
+
+ if ((time_starts == -1) || (time_ends == -1))
+ continue;
+
+ if (difftime(now, time_ends) > 0)
+ continue;
+
+ char* dot = strchr(hostname, '.');
+ if (dot) {
+ if (!daemon->domain_suffix || hostname_isequal(dot + 1, daemon->domain_suffix)) {
+ my_syslog(LOG_WARNING,
+ _("Ignoring DHCP lease for %s because it has an illegal domain part"),
+ hostname);
+ continue;
+ }
+ *dot = 0;
+ }
+
+ // Search for an existing lease in the list
+ // with the given host name and update the data
+ // if needed.
+ struct isc_dhcp_lease* lease = find_lease(hostname, leases);
+
+ // If no lease already exists, we create a new one
+ // and append it to the list.
+ if (!lease) {
+ lease = dhcp_lease_new(hostname);
+ assert(lease);
+
+ lease->next = leases;
+ leases = lease;
+ }
+
+ // Only update more recent leases.
+ if (lease->expires > time_ends)
+ continue;
+
+ lease->addr = host_address;
+ lease->expires = time_ends;
+ }
+ }
+ }
+ }
+
+ fclose(fp);
+
+ // Drop all entries.
+ cache_unhash_dhcp();
+
+ while (leases) {
+ struct isc_dhcp_lease *lease = leases;
+ leases = lease->next;
+
+ if (lease->fqdn) {
+ cache_add_dhcp_entry(lease->fqdn, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires);
+ }
+
+ if (lease->name) {
+ cache_add_dhcp_entry(lease->name, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires);
+ }
+
+ // Cleanup
+ dhcp_lease_free(lease);
+ }
+}
+
+#endif
--- a/src/option.c Wed Dec 16 19:24:12 2015
+++ b/src/option.c Wed Dec 16 19:42:48 2015
@@ -1771,7 +1771,7 @@
ret_err(_("bad MX target"));
break;
-#ifdef HAVE_DHCP
+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
case 'l': /* --dhcp-leasefile */
daemon->lease_file = opt_string_alloc(arg);
break;
--- a/Makefile Wed Dec 16 19:24:12 2015
+++ b/Makefile Wed Dec 16 19:28:45 2015
@@ -74,7 +74,7 @@
helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
- poll.o rrfilter.o edns0.o arp.o
+ poll.o rrfilter.o edns0.o arp.o isc.o
hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
dns-protocol.h radv-protocol.h ip6addr.h


@@ -1,65 +0,0 @@
From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 6 Jul 2016 21:30:25 +0100
Subject: [PATCH] Calculate length of TFTP error reply correctly.
---
CHANGELOG | 14 ++++++++++++++
src/tftp.c | 7 +++++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 04ff3f0..0559a6f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,17 @@
+version 2.77
+ Calculate the length of TFTP error reply packet
+ correctly. This fixes a problem when the error
+ message in a TFTP packet exceeds the arbitrary
+ limit of 500 characters. The message was correctly
+ truncated, but not the packet length, so
+ extra data was appended. This is a possible
+ security risk, since the extra data comes from
+ a buffer which is also used for DNS, so that
+ previous DNS queries or replies may be leaked.
+ Thanks to Mozilla for funding the security audit
+ which spotted this bug.
+
+
version 2.76
Include 0.0.0.0/8 in DNS rebind checks. This range
translates to hosts on the local network, or, at
diff --git a/src/tftp.c b/src/tftp.c
index 5e4a32a..3e1b5c5 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -652,20 +652,23 @@ static void sanitise(char *buf)
}
+#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */
static ssize_t tftp_err(int err, char *packet, char *message, char *file)
{
struct errmess {
unsigned short op, err;
char message[];
} *mess = (struct errmess *)packet;
- ssize_t ret = 4;
+ ssize_t len, ret = 4;
char *errstr = strerror(errno);
sanitise(file);
mess->op = htons(OP_ERR);
mess->err = htons(err);
- ret += (snprintf(mess->message, 500, message, file, errstr) + 1);
+ len = snprintf(mess->message, MAXMESSAGE, message, file, errstr);
+ ret += (len < MAXMESSAGE) ? len + 1 : MAXMESSAGE; /* include terminating zero */
+
my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
return ret;
--
1.7.10.4


@@ -1,36 +0,0 @@
From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 6 Jul 2016 21:33:56 +0100
Subject: [PATCH] Zero newly malloc'ed memory.
---
src/util.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/util.c b/src/util.c
index 93b24f5..82443c9 100644
--- a/src/util.c
+++ b/src/util.c
@@ -248,6 +248,8 @@ void *safe_malloc(size_t size)
if (!ret)
die(_("could not get memory"), NULL, EC_NOMEM);
+ else
+ memset(ret, 0, size);
return ret;
}
@@ -266,7 +268,9 @@ void *whine_malloc(size_t size)
if (!ret)
my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
-
+ else
+ memset(ret, 0, size);
+
return ret;
}
--
1.7.10.4


@@ -1,44 +0,0 @@
From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Wed, 6 Jul 2016 21:42:27 +0100
Subject: [PATCH] Check return of expand() always.
---
src/radv.c | 4 +++-
src/slaac.c | 5 ++++-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/radv.c b/src/radv.c
index 749b666..faa0f6d 100644
--- a/src/radv.c
+++ b/src/radv.c
@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
parm.prio = calc_prio(ra_param);
save_counter(0);
- ra = expand(sizeof(struct ra_packet));
+
+ if (!(ra = expand(sizeof(struct ra_packet))))
+ return;
ra->type = ND_ROUTER_ADVERT;
ra->code = 0;
diff --git a/src/slaac.c b/src/slaac.c
index 8034805..07b8ba4 100644
--- a/src/slaac.c
+++ b/src/slaac.c
@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
struct sockaddr_in6 addr;
save_counter(0);
- ping = expand(sizeof(struct ping_packet));
+
+ if (!(ping = expand(sizeof(struct ping_packet))))
+ continue;
+
ping->type = ICMP6_ECHO_REQUEST;
ping->code = 0;
ping->identifier = ping_id;
--
1.7.10.4


@@ -1,40 +0,0 @@
From 5874f3e9222397d82aabd9884d9bf5ce7e4109b0 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sun, 10 Jul 2016 22:12:08 +0100
Subject: [PATCH] Fix editing error on man page.
Thanks to Eric Westbrook for spotting this.
---
man/dnsmasq.8 | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 0521534..bd8c0b3 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -1037,6 +1037,10 @@ is given, then read all the files contained in that directory. The advantage of
using this option is the same as for --dhcp-hostsfile: the
dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
it is possible to encode the information in a
+.B --dhcp-boot
+flag as DHCP options, using the options names bootfile-name,
+server-ip-address and tftp-server. This allows these to be included
+in a dhcp-optsfile.
.TP
.B --dhcp-hostsdir=<path>
This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
@@ -1048,11 +1052,6 @@ is restarted; ie host records are only added dynamically.
.TP
.B --dhcp-optsdir=<path>
This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
-.TP
-.B --dhcp-boot
-flag as DHCP options, using the options names bootfile-name,
-server-ip-address and tftp-server. This allows these to be included
-in a dhcp-optsfile.
.TP
.B \-Z, --read-ethers
Read /etc/ethers for information about hosts for the DHCP server. The
--
1.7.10.4


@@ -1,25 +0,0 @@
From 907efeb2dc712603271093bce8a93c7c3e6fe64d Mon Sep 17 00:00:00 2001
From: Kristjan Onu <jeixav@gmail.com>
Date: Sun, 10 Jul 2016 22:37:57 +0100
Subject: [PATCH] Manpage typo.
---
man/dnsmasq.8 | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index bd8c0b3..ac8d921 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -242,7 +242,7 @@ addresses associated with the interface.
.B --local-service
Accept DNS queries only from hosts whose address is on a local subnet,
ie a subnet for which an interface exists on the server. This option
-only has effect is there are no --interface --except-interface,
+only has effect if there are no --interface --except-interface,
--listen-address or --auth-server options. It is intended to be set as
a default on installation, to allow unconfigured installations to be
useful but also safe from being used for DNS amplification attacks.
--
1.7.10.4


@@ -1,49 +0,0 @@
From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 11 Jul 2016 18:18:42 +0100
Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements.
The check that there's enough space to store the DHCP agent-id
at the end of the packet could succeed when it should fail
if the END option is in either of the option-overload areas.
That could overwrite legit options in the request and cause
bad behaviour. It's highly unlikely that any sane DHCP client
would trigger this bug, and it's never been seen, but this
fixes the problem.
Also fix off-by-one in bounds checking of option processing.
Worst case scenario on that is a read one byte beyond the
end of a buffer with a crafted packet, and maybe therefore
a SIGSEGV crash if the memory after the buffer is not mapped.
Thanks to Timothy Becker for spotting these.
---
src/rfc2131.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/rfc2131.c b/src/rfc2131.c
index b7c167e..8b99d4b 100644
--- a/src/rfc2131.c
+++ b/src/rfc2131.c
@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
be enough free space at the end of the packet to copy the option. */
unsigned char *sopt;
unsigned int total = option_len(opt) + 2;
- unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0);
+ unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz,
+ OPTION_END, 0);
if (last_opt && last_opt < end - total)
{
end -= total;
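Review bot: The new `option_find1` call needs a comment, because `&mess->options[0] + sizeof(u32)` and `((unsigned char *)mess) + sz` do not say why the search range is restricted. Going by the commit message, the intent is to look for OPTION_END only in the main options field and not in the option-overload areas; the `sizeof(u32)` offset presumably skips the 4-byte magic cookie at the start of the options field. Suggested comment above the call: `/* Search only the main options field (after the cookie); an END inside an overload area must not count as free space. */`. dhcp_reply's body starts and ends outside the hunk, so how `end` is derived cannot be checked here.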
@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
{
while (1)
{
- if (p > end)
+ if (p >= end)
return NULL;
else if (*p == OPTION_END)
return opt == OPTION_END ? p : NULL;
--
1.7.10.4


@@ -1,55 +0,0 @@
From 1d07667ac77c55b9de56b1b2c385167e0e0ec27a Mon Sep 17 00:00:00 2001
From: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Date: Mon, 11 Jul 2016 18:36:05 +0100
Subject: [PATCH] Fix logic error in Linux netlink code.
This could cause dnsmasq to enter a tight loop on systems
with a very large number of network interfaces.
---
CHANGELOG | 6 ++++++
src/netlink.c | 8 +++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 0559a6f..59c9c49 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,12 @@ version 2.77
Thanks to Mozilla for funding the security audit
which spotted this bug.
+ Fix logic error in Linux netlink code. This could
+ cause dnsmasq to enter a tight loop on systems
+ with a very large number of network interfaces.
+ Thanks to Ivan Kokshaysky for the diagnosis and
+ patch.
+
version 2.76
Include 0.0.0.0/8 in DNS rebind checks. This range
diff --git a/src/netlink.c b/src/netlink.c
index 049247b..8cd51af 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int (*callback)())
}
for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
- if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
+ if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
{
/* May be multicast arriving async */
nl_async(h);
}
+ else if (h->nlmsg_seq != seq)
+ {
+ /* May be part of incomplete response to previous request after
+ ENOBUFS. Drop it. */
+ continue;
+ }
else if (h->nlmsg_type == NLMSG_DONE)
return callback_ok;
else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family != AF_LOCAL)
--
1.7.10.4


@@ -1,93 +0,0 @@
From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Date: Mon, 11 Jul 2016 21:03:27 +0100
Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of
SIGHUP would erroneously engage timestamp checking.
---
CHANGELOG | 4 ++++
src/dnsmasq.c | 7 ++++---
src/dnsmasq.h | 1 +
src/dnssec.c | 5 +++--
4 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 59c9c49..9f1e404 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -17,6 +17,10 @@ version 2.77
Thanks to Ivan Kokshaysky for the diagnosis and
patch.
+ Fix problem with --dnssec-timestamp whereby receipt
+ of SIGHUP would erroneously engage timestamp checking.
+ Thanks to Kevin Darbyshire-Bryant for this work.
+
version 2.76
Include 0.0.0.0/8 in DNS rebind checks. This range
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index 045ec53..a47273f 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -750,7 +750,8 @@ int main (int argc, char **argv)
my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
- if (option_bool(OPT_DNSSEC_TIME))
+ daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
+ if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
if (rc == 1)
@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
{
case EVENT_RELOAD:
#ifdef HAVE_DNSSEC
- if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
+ if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
{
my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
- reset_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
}
#endif
/* fall through */
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 1896a64..be27ae0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -992,6 +992,7 @@ extern struct daemon {
#endif
#ifdef HAVE_DNSSEC
struct ds_config *ds;
+ int dnssec_no_time_check;
int back_to_the_future;
char *timestamp_file;
#endif
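Review bot: The new field `dnssec_no_time_check` in struct daemon has no comment, and its sense is the opposite of what a reader expects from a validation flag: non-zero means signature timestamps are not checked. In this patch it is initialised from `option_bool(OPT_DNSSEC_TIME)` in main(), cleared on EVENT_RELOAD and in check_date_range(), and check_date_range() returns 1 early while it is set, so expired signatures presumably pass during that window. Suggested declaration: `int dnssec_no_time_check; /* non-zero: signature timestamps not checked yet; cleared on first reload or once the clock is judged valid */`. The struct definition starts and ends outside the hunk.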
diff --git a/src/dnssec.c b/src/dnssec.c
index 3c77c7d..64358fa 100644
--- a/src/dnssec.c
+++ b/src/dnssec.c
@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
if (utime(daemon->timestamp_file, NULL) != 0)
my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
+ my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
daemon->back_to_the_future = 1;
- set_option_bool(OPT_DNSSEC_TIME);
+ daemon->dnssec_no_time_check = 0;
queue_event(EVENT_RELOAD); /* purge cache */
}
if (daemon->back_to_the_future == 0)
return 1;
}
- else if (option_bool(OPT_DNSSEC_TIME))
+ else if (daemon->dnssec_no_time_check)
return 1;
/* We must explicitly check against wanted values, because of SERIAL_UNDEF */
--
1.7.10.4


@@ -1,46 +0,0 @@
From d6dce53e08b3a06be16d43e1bf566c6c1988e4a9 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Mon, 11 Jul 2016 21:34:31 +0100
Subject: [PATCH] malloc(); memset() -> calloc() for efficiency.
---
src/util.c | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/src/util.c b/src/util.c
index 82443c9..211690e 100644
--- a/src/util.c
+++ b/src/util.c
@@ -244,13 +244,11 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
/* for use during startup */
void *safe_malloc(size_t size)
{
- void *ret = malloc(size);
+ void *ret = calloc(1, size);
if (!ret)
die(_("could not get memory"), NULL, EC_NOMEM);
- else
- memset(ret, 0, size);
-
+
return ret;
}
@@ -264,12 +262,10 @@ void safe_pipe(int *fd, int read_noblock)
void *whine_malloc(size_t size)
{
- void *ret = malloc(size);
+ void *ret = calloc(1, size);
if (!ret)
my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
- else
- memset(ret, 0, size);
return ret;
}
--
1.7.10.4


@@ -1,169 +0,0 @@
From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 22 Jul 2016 20:56:01 +0100
Subject: [PATCH] Zero packet buffers before building output, to reduce risk
of information leakage.
---
src/auth.c | 5 +++++
src/dnsmasq.h | 1 +
src/outpacket.c | 10 ++++++++++
src/radv.c | 2 +-
src/rfc1035.c | 5 +++++
src/rfc3315.c | 6 +++---
src/slaac.c | 2 +-
src/tftp.c | 5 ++++-
8 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/src/auth.c b/src/auth.c
index 198572d..3c5c37f 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
struct all_addr addr;
struct cname *a;
+ /* Clear buffer beyond request to avoid risk of
+ information disclosure. */
+ memset(((char *)header) + qlen, 0,
+ (limit - ((char *)header)) - qlen);
+
if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
return 0;
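Review bot: The length passed to the added `memset` is `(limit - ((char *)header)) - qlen`, which wraps to a very large size_t if qlen is ever greater than the buffer size, and nothing in the hunk establishes `qlen <= limit - (char *)header`. The callers of answer_auth() are not visible here, so this may already be guaranteed; if it is not, a guard before the memset such as `if (qlen > (size_t)(limit - (char *)header)) return 0;` keeps the clear inside the buffer. The same expression is added to answer_request() in src/rfc1035.c in this patch and needs the same check. Both function bodies continue outside their hunks.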
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index be27ae0..2bda5d0 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay);
/* outpacket.c */
#ifdef HAVE_DHCP6
void end_opt6(int container);
+void reset_counter(void);
int save_counter(int newval);
void *expand(size_t headroom);
int new_opt6(int opt);
diff --git a/src/outpacket.c b/src/outpacket.c
index a414efa..2caacd9 100644
--- a/src/outpacket.c
+++ b/src/outpacket.c
@@ -29,9 +29,19 @@ void end_opt6(int container)
PUTSHORT(len, p);
}
+void reset_counter(void)
+{
+ /* Clear out buffer when starting from begining */
+ if (daemon->outpacket.iov_base)
+ memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len);
+
+ save_counter(0);
+}
+
int save_counter(int newval)
{
int ret = outpacket_counter;
+
if (newval != -1)
outpacket_counter = newval;
diff --git a/src/radv.c b/src/radv.c
index faa0f6d..39c9217 100644
--- a/src/radv.c
+++ b/src/radv.c
@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
parm.adv_interval = calc_interval(ra_param);
parm.prio = calc_prio(ra_param);
- save_counter(0);
+ reset_counter();
if (!(ra = expand(sizeof(struct ra_packet))))
return;
diff --git a/src/rfc1035.c b/src/rfc1035.c
index 24d08c1..9e730a9 100644
--- a/src/rfc1035.c
+++ b/src/rfc1035.c
@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
struct mx_srv_record *rec;
size_t len;
+
+ /* Clear buffer beyond request to avoid risk of
+ information disclosure. */
+ memset(((char *)header) + qlen, 0,
+ (limit - ((char *)header)) - qlen);
if (ntohs(header->ancount) != 0 ||
ntohs(header->nscount) != 0 ||
diff --git a/src/rfc3315.c b/src/rfc3315.c
index 3f4d69c..e1271a1 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next)
vendor->netid.next = &vendor->netid;
- save_counter(0);
+ reset_counter();
state.context = context;
state.interface = interface;
state.iface_name = iface_name;
@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
if (hopcount > 32)
return;
- save_counter(0);
+ reset_counter();
if ((header = put_opt6(NULL, 34)))
{
@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival
(!relay->interface || wildcard_match(relay->interface, arrival_interface)))
break;
- save_counter(0);
+ reset_counter();
if (relay)
{
diff --git a/src/slaac.c b/src/slaac.c
index 07b8ba4..bd6c9b4 100644
--- a/src/slaac.c
+++ b/src/slaac.c
@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
struct ping_packet *ping;
struct sockaddr_in6 addr;
- save_counter(0);
+ reset_counter();
if (!(ping = expand(sizeof(struct ping_packet))))
continue;
diff --git a/src/tftp.c b/src/tftp.c
index 3e1b5c5..618c406 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
ssize_t len, ret = 4;
char *errstr = strerror(errno);
+ memset(packet, 0, daemon->packet_buff_sz);
sanitise(file);
-
+
mess->op = htons(OP_ERR);
mess->err = htons(err);
len = snprintf(mess->message, MAXMESSAGE, message, file, errstr);
@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file)
/* return -1 for error, zero for done. */
static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
{
+ memset(packet, 0, daemon->packet_buff_sz);
+
if (transfer->block == 0)
{
/* send OACK */
--
1.7.10.4


@@ -1,54 +0,0 @@
From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 22 Jul 2016 20:59:16 +0100
Subject: [PATCH] Don't reset packet length on transmission, in case of
retransmission.
---
src/radv.c | 2 +-
src/rfc3315.c | 2 +-
src/slaac.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/radv.c b/src/radv.c
index 39c9217..ffc37f2 100644
--- a/src/radv.c
+++ b/src/radv.c
@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
}
while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base,
- save_counter(0), 0, (struct sockaddr *)&addr,
+ save_counter(-1), 0, (struct sockaddr *)&addr,
sizeof(addr))));
}
diff --git a/src/rfc3315.c b/src/rfc3315.c
index e1271a1..c7bf46f 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without correct interface"));
}
- send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0), &to, &from, 0);
+ send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-1), &to, &from, 0);
if (option_bool(OPT_LOG_OPTS))
{
diff --git a/src/slaac.c b/src/slaac.c
index bd6c9b4..7ecf127 100644
--- a/src/slaac.c
+++ b/src/slaac.c
@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
addr.sin6_port = htons(IPPROTO_ICMPV6);
addr.sin6_addr = slaac->addr;
- if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0,
+ if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0,
(struct sockaddr *)&addr, sizeof(addr)) == -1 &&
errno == EHOSTUNREACH)
slaac->ping_time = 0; /* Give up */
--
1.7.10.4


@@ -1,103 +0,0 @@
From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 22 Jul 2016 21:37:59 +0100
Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing
code.
---
src/dhcp-common.c | 16 ++++++++--------
src/dhcp-protocol.h | 4 ++++
src/lease.c | 9 ++++++++-
src/rfc3315.c | 2 +-
4 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/src/dhcp-common.c b/src/dhcp-common.c
index 08528e8..ecc752b 100644
--- a/src/dhcp-common.c
+++ b/src/dhcp-common.c
@@ -20,11 +20,11 @@
void dhcp_common_init(void)
{
- /* These each hold a DHCP option max size 255
- and get a terminating zero added */
- daemon->dhcp_buff = safe_malloc(256);
- daemon->dhcp_buff2 = safe_malloc(256);
- daemon->dhcp_buff3 = safe_malloc(256);
+ /* These each hold a DHCP option max size 255
+ and get a terminating zero added */
+ daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ);
+ daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ);
+ daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ);
/* dhcp_packet is used by v4 and v6, outpacket only by v6
sizeof(struct dhcp_packet) is as good an initial size as any,
@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context)
if (context->flags & CONTEXT_RA_STATELESS)
{
if (context->flags & CONTEXT_TEMPLATE)
- strncpy(daemon->dhcp_buff, context->template_interface, 256);
+ strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
else
strcpy(daemon->dhcp_buff, daemon->addrbuff);
}
else
#endif
- inet_ntop(family, start, daemon->dhcp_buff, 256);
- inet_ntop(family, end, daemon->dhcp_buff3, 256);
+ inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
+ inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
my_syslog(MS_DHCP | LOG_INFO,
(context->flags & CONTEXT_RA_STATELESS) ?
_("%s stateless on %s%.0s%.0s%s") :
diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h
index a31d829..0ea449b 100644
--- a/src/dhcp-protocol.h
+++ b/src/dhcp-protocol.h
@@ -19,6 +19,10 @@
#define DHCP_CLIENT_ALTPORT 1068
#define PXE_PORT 4011
+/* These each hold a DHCP option max size 255
+ and get a terminating zero added */
+#define DHCP_BUFF_SZ 256
+
#define BOOTREQUEST 1
#define BOOTREPLY 2
#define DHCP_COOKIE 0x63825363
diff --git a/src/lease.c b/src/lease.c
index 20cac90..ca62cc5 100644
--- a/src/lease.c
+++ b/src/lease.c
@@ -65,7 +65,14 @@ void lease_init(time_t now)
}
/* client-id max length is 255 which is 255*2 digits + 254 colons
- borrow DNS packet buffer which is always larger than 1000 bytes */
+ borrow DNS packet buffer which is always larger than 1000 bytes
+
+ Check various buffers are big enough for the code below */
+
+#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ < 764)
+# error Buffer size breakage in leasfile parsing.
+#endif
+
if (leasestream)
while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2)
{
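Review bot: The compile-time check accepts `DHCP_BUFF_SZ == 255`, but the `fscanf` directly below reads with `%255s`, which stores up to 255 characters plus a terminating NUL and so needs 256 bytes in `dhcp_buff3` and `dhcp_buff2`. The first condition should read `(DHCP_BUFF_SZ < 256)`. With the value 256 defined in dhcp-protocol.h nothing overflows today, so this only matters if the macro is lowered later, which is exactly the case the check exists to catch. The `#error` text also misspells leasefile as `leasfile`. lease_init's body continues outside the hunk, so the other two conditions cannot be compared with the code they protect.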
diff --git a/src/rfc3315.c b/src/rfc3315.c
index c7bf46f..568b0c8 100644
--- a/src/rfc3315.c
+++ b/src/rfc3315.c
@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
if (addr)
{
- inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255);
+ inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1);
strcat(daemon->dhcp_buff2, " ");
}
else
--
1.7.10.4


@@ -1,184 +0,0 @@
From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001
From: Mathias Kresin <dev@kresin.me>
Date: Sun, 24 Jul 2016 14:15:22 +0100
Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer.
---
man/dnsmasq.8 | 6 +++++-
src/auth.c | 61 ++++++++++++++++++++++++++++++++++++---------------------
src/dnsmasq.h | 1 +
src/option.c | 21 ++++++++++++++++++--
4 files changed, 64 insertions(+), 25 deletions(-)
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index ac8d921..8910947 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that
setting this may affect DNS behaviour in bad ways, it is not an
extra-logging flag and should not be set in production.
.TP
-.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]]
+.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....][,exclude:<subnet>[/<prefix length>]].....]
Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
will be served. If subnet(s) are given, A and AAAA records must be in one of the
specified subnets.
@@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which should not.
Interface-name and address-literal subnet specifications may be used
freely in the same --auth-zone declaration.
+It's possible to exclude certain IP addresses from responses. It can be
+used, to make sure that answers contain only global routeable IP
+addresses (by excluding loopback, RFC1918 and ULA addresses).
+
The subnet(s) are also used to define in-addr.arpa and
ip6.arpa domains which are served for reverse-DNS queries. If not
specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
diff --git a/src/auth.c b/src/auth.c
index 3c5c37f..f1ca2f5 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -18,36 +18,53 @@
#ifdef HAVE_AUTH
-static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u)
{
- struct addrlist *subnet;
-
- for (subnet = zone->subnet; subnet; subnet = subnet->next)
- {
- if (!(subnet->flags & ADDRLIST_IPV6))
- {
- struct in_addr netmask, addr = addr_u->addr.addr4;
-
- if (!(flag & F_IPV4))
- continue;
-
- netmask.s_addr = htonl(~(in_addr_t)0 << (32 - subnet->prefixlen));
-
- if (is_same_net(addr, subnet->addr.addr.addr4, netmask))
- return subnet;
- }
+ do {
+ if (!(list->flags & ADDRLIST_IPV6))
+ {
+ struct in_addr netmask, addr = addr_u->addr.addr4;
+
+ if (!(flag & F_IPV4))
+ continue;
+
+ netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
+
+ if (is_same_net(addr, list->addr.addr.addr4, netmask))
+ return list;
+ }
#ifdef HAVE_IPV6
- else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6, subnet->prefixlen))
- return subnet;
+ else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))
+ return list;
#endif
-
- }
+
+ } while ((list = list->next));
+
return NULL;
}
+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+{
+ if (!zone->subnet)
+ return NULL;
+
+ return find_addrlist(zone->subnet, flag, addr_u);
+}
+
+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u)
+{
+ if (!zone->exclude)
+ return NULL;
+
+ return find_addrlist(zone->exclude, flag, addr_u);
+}
+
static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
{
- /* No zones specified, no filter */
+ if (find_exclude(zone, flag, addr_u))
+ return 0;
+
+ /* No subnets specified, no filter */
if (!zone->subnet)
return 1;
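Review bot: In `find_addrlist` the IPv6 branch `else if (is_same_net6(...))` runs for every IPv6 list entry without testing `flag`, unlike the IPv4 branch, which skips on `!(flag & F_IPV4)`. For an IPv4 lookup this compares `addr_u->addr.addr6`, presumably a union member whose bytes past the IPv4 address are not meaningful, against the entry, and with the new `find_exclude` a spurious match makes `filter_zone` return 0 and drop the record. Suggested change: `else if ((flag & F_IPV6) && is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))`. Separately, `~(in_addr_t)0 << (32 - list->prefixlen)` shifts by the full type width when prefixlen is 0, which is undefined; whether option parsing rejects a zero prefix is not visible here.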
diff --git a/src/dnsmasq.h b/src/dnsmasq.h
index 2bda5d0..27385a9 100644
--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
@@ -340,6 +340,7 @@ struct auth_zone {
struct auth_name_list *next;
} *interface_names;
struct addrlist *subnet;
+ struct addrlist *exclude;
struct auth_zone *next;
};
diff --git a/src/option.c b/src/option.c
index d8c57d6..6cedef3 100644
--- a/src/option.c
+++ b/src/option.c
@@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
new = opt_malloc(sizeof(struct auth_zone));
new->domain = opt_string_alloc(arg);
new->subnet = NULL;
+ new->exclude = NULL;
new->interface_names = NULL;
new->next = daemon->auth_zones;
daemon->auth_zones = new;
@@ -1913,6 +1914,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
while ((arg = comma))
{
int prefixlen = 0;
+ int is_exclude = 0;
char *prefix;
struct addrlist *subnet = NULL;
struct all_addr addr;
@@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
if (prefix && !atoi_check(prefix, &prefixlen))
ret_err(gen_err);
+ if (strstr(arg, "exclude:") == arg)
+ {
+ is_exclude = 1;
+ arg = arg+8;
+ }
+
if (inet_pton(AF_INET, arg, &addr.addr.addr4))
{
subnet = opt_malloc(sizeof(struct addrlist));
@@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
if (subnet)
{
subnet->addr = addr;
- subnet->next = new->subnet;
- new->subnet = subnet;
+
+ if (is_exclude)
+ {
+ subnet->next = new->exclude;
+ new->exclude = subnet;
+ }
+ else
+ {
+ subnet->next = new->subnet;
+ new->subnet = subnet;
+ }
}
}
break;
--
1.7.10.4


@@ -1,41 +0,0 @@
From c8328ecde896575b3cb81cf537747df531f90771 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Fri, 5 Aug 2016 16:54:58 +0100
Subject: [PATCH] Bump auth zone serial when reloading /etc/hosts and friends.
---
CHANGELOG | 4 ++++
src/dnsmasq.c | 2 ++
2 files changed, 6 insertions(+)
diff --git a/CHANGELOG b/CHANGELOG
index 9f1e404..4f89799 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -20,6 +20,10 @@ version 2.77
Fix problem with --dnssec-timestamp whereby receipt
of SIGHUP would erroneously engage timestamp checking.
Thanks to Kevin Darbyshire-Bryant for this work.
+
+ Bump zone serial on reloading /etc/hosts and friends
+ when providing authoritative DNS. Thanks to Harrald
+ Dunkel for spotting this.
version 2.76
diff --git a/src/dnsmasq.c b/src/dnsmasq.c
index a47273f..3580bea 100644
--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
@@ -1226,6 +1226,8 @@ static void async_event(int pipe, time_t now)
switch (ev.event)
{
case EVENT_RELOAD:
+ daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
+
#ifdef HAVE_DNSSEC
if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
{
--
1.7.10.4


@@ -1,101 +0,0 @@
From 6d95099c56a926d672e0407d6017fef9714f40c4 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Thu, 11 Aug 2016 23:38:54 +0100
Subject: [PATCH] Handle v4-mapped IPv6 addresses sanely for --synth-domain.
---
CHANGELOG | 7 ++++++-
man/dnsmasq.8 | 2 ++
src/domain.c | 34 ++++++++++++++++++++++++----------
3 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG b/CHANGELOG
index 4f89799..2731cc4 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -24,7 +24,12 @@ version 2.77
Bump zone serial on reloading /etc/hosts and friends
when providing authoritative DNS. Thanks to Harrald
Dunkel for spotting this.
-
+
+ Handle v4-mapped IPv6 addresses sanely in --synth-domain.
+ These have standard representation like ::ffff:1.2.3.4
+ and are now converted to names like
+ <prefix>--ffff-1-2-3-4.<domain>
+
version 2.76
Include 0.0.0.0/8 in DNS rebind checks. This range
diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
index 8910947..91fe672 100644
--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
@@ -619,6 +619,8 @@ but IPv6 addresses may start with '::'
but DNS labels may not start with '-' so in this case if no prefix is
configured a zero is added in front of the label. ::1 becomes 0--1.
+V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
+
The address range can be of the form
<ip address>,<ip address> or <ip address>/<netmask>
.TP
diff --git a/src/domain.c b/src/domain.c
index 1dd5027..a007acd 100644
--- a/src/domain.c
+++ b/src/domain.c
@@ -77,18 +77,31 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
*p = 0;
- /* swap . or : for - */
- for (p = tail; *p; p++)
- if (*p == '-')
- {
- if (prot == AF_INET)
+ #ifdef HAVE_IPV6
+ if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail)
+ {
+ /* special hack for v4-mapped. */
+ memcpy(tail, "::ffff:", 7);
+ for (p = tail + 7; *p; p++)
+ if (*p == '-')
*p = '.';
+ }
+ else
+#endif
+ {
+ /* swap . or : for - */
+ for (p = tail; *p; p++)
+ if (*p == '-')
+ {
+ if (prot == AF_INET)
+ *p = '.';
#ifdef HAVE_IPV6
- else
- *p = ':';
+ else
+ *p = ':';
#endif
- }
-
+ }
+ }
+
if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
{
if (prot == AF_INET)
@@ -169,8 +182,9 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN);
}
+ /* V4-mapped have periods.... */
for (p = name; *p; p++)
- if (*p == ':')
+ if (*p == ':' || *p == '.')
*p = '-';
strncat(name, ".", MAXDNAME);
--
1.7.10.4


@@ -1,149 +0,0 @@
From 396750cef533cf72c7e6a72e47a9c93e2e431cb7 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Sat, 13 Aug 2016 22:34:11 +0100
Subject: [PATCH] Refactor openBSD pftables code to remove blatant copyright
violation.
---
src/tables.c | 90 +++++++++++++++++++++-------------------------------------
1 file changed, 32 insertions(+), 58 deletions(-)
diff --git a/src/tables.c b/src/tables.c
index aae1252..4fa3487 100644
--- a/src/tables.c
+++ b/src/tables.c
@@ -53,52 +53,6 @@ static char *pfr_strerror(int errnum)
}
}
-static int pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
-{
- struct pfioc_table io;
-
- if (size < 0 || (size && tbl == NULL))
- {
- errno = EINVAL;
- return (-1);
- }
- bzero(&io, sizeof io);
- io.pfrio_flags = flags;
- io.pfrio_buffer = tbl;
- io.pfrio_esize = sizeof(*tbl);
- io.pfrio_size = size;
- if (ioctl(dev, DIOCRADDTABLES, &io))
- return (-1);
- if (nadd != NULL)
- *nadd = io.pfrio_nadd;
- return (0);
-}
-
-static int fill_addr(const struct all_addr *ipaddr, int flags, struct pfr_addr* addr) {
- if ( !addr || !ipaddr)
- {
- my_syslog(LOG_ERR, _("error: fill_addr missused"));
- return -1;
- }
- bzero(addr, sizeof(*addr));
-#ifdef HAVE_IPV6
- if (flags & F_IPV6)
- {
- addr->pfra_af = AF_INET6;
- addr->pfra_net = 0x80;
- memcpy(&(addr->pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr));
- }
- else
-#endif
- {
- addr->pfra_af = AF_INET;
- addr->pfra_net = 0x20;
- addr->pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr;
- }
- return 1;
-}
-
-/*****************************************************************************/
void ipset_init(void)
{
@@ -111,14 +65,13 @@ void ipset_init(void)
}
int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
- int flags, int remove)
+ int flags, int remove)
{
struct pfr_addr addr;
struct pfioc_table io;
struct pfr_table table;
- int n = 0, rc = 0;
- if ( dev == -1 )
+ if (dev == -1)
{
my_syslog(LOG_ERR, _("warning: no opened pf devices %s"), pf_device);
return -1;
@@ -126,31 +79,52 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
bzero(&table, sizeof(struct pfr_table));
table.pfrt_flags |= PFR_TFLAG_PERSIST;
- if ( strlen(setname) >= PF_TABLE_NAME_SIZE )
+ if (strlen(setname) >= PF_TABLE_NAME_SIZE)
{
my_syslog(LOG_ERR, _("error: cannot use table name %s"), setname);
errno = ENAMETOOLONG;
return -1;
}
- if ( strlcpy(table.pfrt_name, setname,
- sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name))
+ if (strlcpy(table.pfrt_name, setname,
+ sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name))
{
my_syslog(LOG_ERR, _("error: cannot strlcpy table name %s"), setname);
return -1;
}
- if ((rc = pfr_add_tables(&table, 1, &n, 0)))
+ bzero(&io, sizeof io);
+ io.pfrio_flags = 0;
+ io.pfrio_buffer = &table;
+ io.pfrio_esize = sizeof(table);
+ io.pfrio_size = 1;
+ if (ioctl(dev, DIOCRADDTABLES, &io))
{
- my_syslog(LOG_WARNING, _("warning: pfr_add_tables: %s(%d)"),
- pfr_strerror(errno),rc);
+ my_syslog(LOG_WARNING, _("IPset: error:%s"), pfr_strerror(errno));
+
return -1;
}
+
table.pfrt_flags &= ~PFR_TFLAG_PERSIST;
- if (n)
+ if (io.pfrio_nadd)
my_syslog(LOG_INFO, _("info: table created"));
-
- fill_addr(ipaddr,flags,&addr);
+
+ bzero(&addr, sizeof(addr));
+#ifdef HAVE_IPV6
+ if (flags & F_IPV6)
+ {
+ addr.pfra_af = AF_INET6;
+ addr.pfra_net = 0x80;
+ memcpy(&(addr.pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr));
+ }
+ else
+#endif
+ {
+ addr.pfra_af = AF_INET;
+ addr.pfra_net = 0x20;
+ addr.pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr;
+ }
+
bzero(&io, sizeof(io));
io.pfrio_flags = 0;
io.pfrio_table = table;
--
1.7.10.4