dnsmasq: Import more patches from upstream

2026-04-12 20:16:49 +02:00 · 2015-03-10 16:21:58 +01:00
parent 4e341f19b0
commit 61c6e9b71d
3 changed files with 398 additions and 0 deletions
--- a/lfs/dnsmasq
+++ b/lfs/dnsmasq
@@ -128,6 +128,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0053-Log-parsing-utils-in-contrib-reverse-dns.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0054-Add-dnssec-timestamp-option-and-facility.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
+	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
 	cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
 	cd $(DIR_APP) && sed -i src/config.h \
 		-e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
--- a/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
+++ b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch
@@ -0,0 +1,194 @@
+From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 4 Mar 2015 20:32:26 +0000
+Subject: [PATCH 56/57] New version of contrib/reverse-dns
+
+---
+ contrib/reverse-dns/README             |  22 +++---
+ contrib/reverse-dns/reverse_replace.sh | 131 ++++++++++++++++++++++++++++-----
+ 2 files changed, 125 insertions(+), 28 deletions(-)
+
+diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README
+index f87eb77c4c22..2ec4df1f957e 100644
+--- a/contrib/reverse-dns/README
+++ b/contrib/reverse-dns/README
+@@ -1,18 +1,18 @@
+-Hi.
+The script reads stdin and replaces all IP addresses with names before
+outputting it again. IPs from private networks are reverse looked  up
+via dns. Other IP adresses are searched for in the dnsmasq query log.
+This gives names (CNAMEs if I understand DNS correctly) that are closer
+to the name the client originally asked for then the names obtained by
+reverse lookup. Just run
+ 
+-To translate my routers netstat-nat output into names that actually talk
+-to me I have started writing to simple shell scripts. They require 
+netstat -n -4 | ./reverse_replace.sh 
+
+to see what it does. It needs 
+ 
+ log-queries
+ log-facility=/var/log/dnsmasq.log
+ 
+-to be set. With
+-
+-netstat-nat -n -4 | reverse_replace.sh 
+-
+-I get retranslated output.
+-
+-Sincerely,
+-Joachim
+in the dnsmasq configuration.
+ 
+The script runs on debian (with ash installed) and on busybox.
+ 
+diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh
+index a11c164b7f19..5b4aebd71456 100644
+--- a/contrib/reverse-dns/reverse_replace.sh
+++ b/contrib/reverse-dns/reverse_replace.sh
+@@ -1,28 +1,125 @@
+-#!/bin/bash
+-# $Id: reverse_replace.sh 4 2015-02-17 20:14:59Z jo $
+#!/bin/ash
+# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $
+ #
+ # Usage e.g.: netstat -n -4 | reverse_replace.sh 
+ # Parses stdin for IP4 addresses and replaces them 
+-# with names retrieved by reverse_dns.sh
+# with names retrieved by parsing the dnsmasq log.
+# This currently only gives CNAMEs. But these 
+# usually tell ou more than the mones from reverse 
+# lookups. 
+#
+# This has been tested on debian and asuswrt. Plese
+# report successful tests on other platforms.
+#
+# Author: Joachim Zobel <jz-2014@heute-morgen.de>
+# License: Consider this MIT style licensed. You can 
+#   do as you ike, but you must not remove my name.
+ #
+ 
+-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )
+-DNS=$DIR/reverse_dns.sh
+LOG=/var/log/dnsmasq.log
+MAX_LINES=15000
+ 
+-# sed regex
+# sed regex do match IPs
+ IP_regex='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}'
+# private IP ranges
+IP_private='\(^127\.\)\|\(^192\.168\.\)\|\(^10\.\)\|\(^172\.1[6-9]\.\)\|\(^172\.2[0-9]\.\)\|\(^172\.3[0-1]\.\)'
+ 
+-while read LINE; do
+-  if grep --quiet $IP_regex <<< "$LINE"; then
+-    IPs=`sed "s#.*\b\($IP_regex\)\b.*#\1 #g" <<< "$LINE"`
+-    IPs=($IPs)
+-    for IP in "${IPs[@]}"
+-    do
+-      NAME=`$DNS $IP`
+-      # echo "$NAME is $IP";
+-      LINE="${LINE/$IP/$NAME}" 
+-    done
+#######################################################################
+# Find Commands
+  
+HOST=nslookup
+if type host > /dev/null 2>&1; then
+  # echo "No need for nslookup, host is there"
+  HOST=host
+fi
+
+#######################################################################
+# Functions
+
+# Use shell variables for an (IP) lookup table
+create_lookup_table()
+{
+  # Parse log into lookup table
+  local CMDS="$( tail -"$MAX_LINES" "$LOG" | \
+    grep " is $IP_regex" | \
+    sed "s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#" )"
+
+  local IFS='
+'
+  for CMD in $CMDS
+  do
+    eval $CMD
+  done
+}
+
+set_val()
+{
+  local _IP=$(echo $1 | tr . _)
+  local KEY="__IP__$_IP"
+  eval "$KEY"=$2
+}
+
+get_val()
+{
+  local _IP=$(echo $1 | tr . _)
+  local KEY="__IP__$_IP"
+  eval echo -n '${'"$KEY"'}'
+}
+
+dns_lookup()
+{
+  local IP=$1
+
+  local RTN="$($HOST $IP | \
+        sed 's#\s\+#\n#g' | \
+        grep -v '^$' | \
+        tail -1 | tr -d '\n' | \
+        sed 's#\.$##')"
+  if echo $RTN | grep -q NXDOMAIN; then
+    echo -n $IP
+  else
+    echo -n "$RTN"
+  fi     
+}
+
+reverse_dns()
+{
+  local IP=$1
+
+  # Skip if it is not an IP
+  if ! echo $IP | grep -q "^$IP_regex$"; then
+    echo -n $IP
+    return 
+  fi
+    
+  # Do a dns lookup, if it is a local IP
+  if echo $IP | grep -q $IP_private; then
+    dns_lookup $IP
+    return
+   fi
+    
+  local NAME="$(get_val $IP)"
+  
+  if [ -z "$NAME" ]; then
+    echo -n $IP
+  else
+    echo -n $NAME
+  fi
+}
+
+#######################################################################
+# Main
+create_lookup_table
+
+while read LINE; do
+  for IP in $(echo "$LINE" | \
+              sed "s#\b\($IP_regex\)\b#\n\1\n#g" | \
+              grep $IP_regex) 
+  do
+    NAME=`reverse_dns $IP `
+    # echo "$NAME $IP"
+    LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` 
+  done
+   echo $LINE
+-done < /dev/stdin
+done
+ 
+-- 
+2.1.0
+
--- a/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
+++ b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch
@@ -0,0 +1,202 @@
+From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Sat, 7 Mar 2015 18:28:06 +0000
+Subject: [PATCH 57/57] Tweak DNSSEC timestamp code to create file later,
+ removing need to chown it.
+
+---
+ man/dnsmasq.8 |  3 ++-
+ src/dnsmasq.c | 35 ++++++++++++++++++++++-------------
+ src/dnsmasq.h |  3 ++-
+ src/dnssec.c  | 18 ++++++++++--------
+ 4 files changed, 36 insertions(+), 23 deletions(-)
+
+diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
+index 097e7d75145c..2db780d90987 100644
+--- a/man/dnsmasq.8
+++ b/man/dnsmasq.8
+@@ -678,7 +678,8 @@ which have not been throughly checked.
+ Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the 
+ system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and 
+ its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried 
+-over system restarts. 
+over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the 
+unprivileged user that dnsmasq runs as.
+ .TP
+ .B --proxy-dnssec
+ Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it.  This is an 
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 9e05c0e31569..f3e5bcffec4f 100644
+--- a/src/dnsmasq.c
+++ b/src/dnsmasq.c
+@@ -58,9 +58,6 @@ int main (int argc, char **argv)
+   struct dhcp_context *context;
+   struct dhcp_relay *relay;
+ #endif
+-#ifdef HAVE_DNSSEC
+-  int badtime;
+-#endif
+ 
+ #ifdef LOCALEDIR
+   setlocale(LC_ALL, "");
+@@ -156,10 +153,10 @@ int main (int argc, char **argv)
+     {
+ #ifdef HAVE_DNSSEC
+       if (!daemon->ds)
+-	die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
+	die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF);
+       
+       if (daemon->cachesize < CACHESIZ)
+-	die(_("Cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
+	die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF);
+ #else 
+       die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF);
+ #endif
+@@ -172,10 +169,10 @@ int main (int argc, char **argv)
+ 
+ #ifdef HAVE_CONNTRACK
+   if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport))
+-    die (_("Cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); 
+    die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); 
+ #else
+   if (option_bool(OPT_CONNTRACK))
+-    die(_("Conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF);
+    die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF);
+ #endif
+ 
+ #ifdef HAVE_SOLARIS_NETWORK
+@@ -195,7 +192,7 @@ int main (int argc, char **argv)
+ 
+ #ifndef HAVE_LOOP
+   if (option_bool(OPT_LOOP_DETECT))
+-    die(_("Loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
+    die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
+ #endif
+   
+   now = dnsmasq_time();
+@@ -373,10 +370,6 @@ int main (int argc, char **argv)
+   if (baduser)
+     die(_("unknown user or group: %s"), baduser, EC_BADCONF);
+ 
+-#ifdef HAVE_DNSSEC  
+-  badtime = setup_timestamp(ent_pw);
+-#endif
+-
+   /* implement group defaults, "dip" if available, or group associated with uid */
+   if (!daemon->group_set && !gp)
+     {
+@@ -693,10 +686,23 @@ int main (int argc, char **argv)
+ #ifdef HAVE_DNSSEC
+   if (option_bool(OPT_DNSSEC_VALID))
+     {
+      int rc;
+
+      /* Delay creating the timestamp file until here, after we've changed user, so that
+	 it has the correct owner to allow updating the mtime later. 
+	 This means we have to report fatal errors via the pipe. */
+      if ((rc = setup_timestamp()) == -1)
+	{
+	  send_event(err_pipe[1], EVENT_TIME_ERR, errno, daemon->timestamp_file);
+	  _exit(0);
+	}
+      
+       my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
+      
+       if (option_bool(OPT_DNSSEC_TIME))
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
+-      if (badtime)
+      
+      if (rc == 1)
+ 	my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid"));
+     }
+ #endif
+@@ -1170,6 +1176,9 @@ static void fatal_event(struct event_desc *ev, char *msg)
+ 
+     case EVENT_TFTP_ERR:
+       die(_("TFTP directory %s inaccessible: %s"), msg, EC_FILE);
+    
+    case EVENT_TIME_ERR:
+      die(_("cannot create timestamp file %s: %s" ), msg, EC_BADCONF);
+     }
+ }	
+       
+diff --git a/src/dnsmasq.h b/src/dnsmasq.h
+index a451cb4dd03c..fc7259881358 100644
+--- a/src/dnsmasq.h
+++ b/src/dnsmasq.h
+@@ -167,6 +167,7 @@ struct event_desc {
+ #define EVENT_INIT      21
+ #define EVENT_NEWADDR   22
+ #define EVENT_NEWROUTE  23
+#define EVENT_TIME_ERR  24
+ 
+ /* Exit codes. */
+ #define EC_GOOD        0
+@@ -1152,7 +1153,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char
+ int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen);
+ size_t filter_rrsigs(struct dns_header *header, size_t plen);
+ unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name);
+-int setup_timestamp(struct passwd *ent_pw);
+int setup_timestamp(void);
+ 
+ /* util.c */
+ void rand_init(void);
+diff --git a/src/dnssec.c b/src/dnssec.c
+index c60eacf73c6b..ad0d6f072ba2 100644
+--- a/src/dnssec.c
+++ b/src/dnssec.c
+@@ -397,18 +397,21 @@ static int serial_compare_32(unsigned long s1, unsigned long s2)
+ 
+ /* Called at startup. If the timestamp file is configured and exists, put its mtime on
+    timestamp_time. If it doesn't exist, create it, and set the mtime to 1-1-2015.
+-   Change the ownership to the user we'll be running as, so that we can update the mtime.
+   return -1 -> Cannot create file.
+           0 -> not using timestamp, or timestamp exists and is in past.
+           1 -> timestamp exists and is in future.
+ */
+
+ static time_t timestamp_time;
+ static int back_to_the_future;
+ 
+-int setup_timestamp(struct passwd *ent_pw)
+int setup_timestamp(void)
+ {
+   struct stat statbuf;
+   
+   back_to_the_future = 0;
+   
+-  if (!option_bool(OPT_DNSSEC_VALID) || !daemon->timestamp_file)
+  if (!daemon->timestamp_file)
+     return 0;
+   
+   if (stat(daemon->timestamp_file, &statbuf) != -1)
+@@ -428,7 +431,8 @@ int setup_timestamp(struct passwd *ent_pw)
+   
+   if (errno == ENOENT)
+     {
+-      int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK, 0666);
+      /* NB. for explanation of O_EXCL flag, see comment on pidfile in dnsmasq.c */ 
+      int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK | O_EXCL, 0666);
+       if (fd != -1)
+ 	{
+ 	  struct utimbuf timbuf;
+@@ -436,14 +440,12 @@ int setup_timestamp(struct passwd *ent_pw)
+ 	  close(fd);
+ 	  
+ 	  timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */
+-	  if (utime(daemon->timestamp_file, &timbuf) == 0 &&
+-	      (!ent_pw || getuid() != 0 || chown(daemon->timestamp_file, ent_pw->pw_uid, -1) == 0))
+	  if (utime(daemon->timestamp_file, &timbuf) == 0)
+ 	    goto check_and_exit;
+ 	}
+     }
+ 
+-  die(_("Cannot create timestamp file %s: %s" ), daemon->timestamp_file, EC_BADCONF);
+-  return 0;
+  return -1;
+ }
+ 
+ /* Check whether today/now is between date_start and date_end */
+-- 
+2.1.0
+