author | Simon Kelley <simon@thekelleys.org.uk> | 2022-07-19 23:40:50 +0100 |
---|---|---|
committer | Simon Kelley <simon@thekelleys.org.uk> | 2022-07-19 23:40:50 +0100 |
commit | ef6efd69edfc87b7a00aaa3b59d8516ab3947ca1 (patch) | |
tree | a66e54460f20dd4025b21a429f4a7f2e5c2da712 | |
parent | 20b4a4ea5b19f3143add1342dde74a0be2b30a86 (diff) | |
parent | 151d7dc5eaabb38a2a7cb2ace72fe8860f4415ae (diff) | |
download | dnsmasq-ef6efd69edfc87b7a00aaa3b59d8516ab3947ca1.tar.gz |
Merge branch 'master' of ssh://thekelleys.org.uk/var/local/git/dnsmasq
-rw-r--r-- | CHANGELOG | 8 | ||||
-rw-r--r-- | COPYING | 43 | ||||
-rw-r--r-- | man/dnsmasq.8 | 9 | ||||
-rw-r--r-- | src/dhcp-common.c | 11 | ||||
-rw-r--r-- | src/dhcp.c | 2 | ||||
-rw-r--r-- | src/dnsmasq.c | 3 | ||||
-rw-r--r-- | src/dnsmasq.h | 2 | ||||
-rw-r--r-- | src/dnssec.c | 2 | ||||
-rw-r--r-- | src/forward.c | 4 | ||||
-rw-r--r-- | src/netlink.c | 11 | ||||
-rw-r--r-- | src/option.c | 10 | ||||
-rw-r--r-- | src/rfc3315.c | 2 |
12 files changed, 73 insertions, 34 deletions
@@ -58,6 +58,14 @@ version 2.87 Fix write-after-free error in DHCPv6 server code. CVE-2022-0934 refers. + Add the ability to specify destination port in + DHCP-relay mode. This change also removes a previous bug + where --dhcp-alternate-port would affect the port used + to relay _to_ as well as the port being listened on. + The new feature allows configuration to provide bug-for-bug + compatibility, if required. Thanks to Damian Kaczkowski + for the feature suggestion. + version 2.86 Handle DHCPREBIND requests in the DHCPv6 server code. @@ -1,12 +1,12 @@ - GNU GENERAL PUBLIC LICENSE - Version 2, June 1991 + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 - Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. - Preamble + Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public @@ -15,7 +15,7 @@ software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by -the GNU Library General Public License instead.) You can apply it to +the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not 
@@ -55,8 +55,8 @@ patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. - - GNU GENERAL PUBLIC LICENSE + + GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains @@ -110,7 +110,7 @@ above, provided that you also meet all of these conditions: License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) - + These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in @@ -168,7 +168,7 @@ access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. - + 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is @@ -225,7 +225,7 @@ impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. - + 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License 
@@ -255,7 +255,7 @@ make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. - NO WARRANTY + NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN @@ -277,9 +277,9 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it @@ -291,7 +291,7 @@ convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> - Copyright (C) 19yy <name of author> + Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
@@ -303,17 +303,16 @@ the "copyright" line and a pointer to where the full notice is found. MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: - Gnomovision version 69, Copyright (C) 19yy name of author + Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. @@ -336,5 +335,5 @@ necessary. Here is a sample; alter the names: This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the -library. If this is what you want to do, use the GNU Library General +library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index fea89fa..f084757 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -1342,7 +1342,7 @@ DHCP options. This make extra space available in the DHCP packet for options but can, rarely, confuse old or broken clients. This flag forces "simple and safe" behaviour to avoid problems in such a case. .TP -.B --dhcp-relay=<local address>[,<server address>][,<interface] +.B --dhcp-relay=<local address>[,<server address>[#<server port>]][,<interface] Configure dnsmasq to do DHCP relay. The local address is an address allocated to an interface on the host running dnsmasq. All DHCP requests arriving on that interface will we relayed to a remote DHCP @@ -1350,9 +1350,12 @@ server at the server address. It is possible to relay from a single local address to multiple remote servers by using multiple \fB--dhcp-relay\fP configs with the same local address and different server addresses. A server address must be an IP literal address, not a -domain name. If the server address is ommitted, the request will be +domain name. If the server address is omitted, the request will be forwarded by broadcast (IPv4) or multicast (IPv6). In this case the interface -must be given and not be wildcard. +must be given and not be wildcard. The server address may specify a non-standard +port to relay to. If this is used then \fB--dhcp-proxy\fP should likely also be set, +otherwise parts of the DHCP conversation which do not pass through the relay +will be delivered to the wrong port. Access control for DHCP clients has the same rules as for the DHCP server, see \fB--interface\fP, \fB--except-interface\fP, etc. The optional diff --git a/src/dhcp-common.c b/src/dhcp-common.c index 95d41da..ab18342 100644 --- a/src/dhcp-common.c +++ b/src/dhcp-common.c 
@@ -1017,7 +1017,10 @@ void log_relay(int family, struct dhcp_relay *relay) { int broadcast = relay->server.addr4.s_addr == 0; inet_ntop(family, &relay->local, daemon->addrbuff, ADDRSTRLEN); - inet_ntop(family, &relay->server, daemon->namebuff, ADDRSTRLEN); + inet_ntop(family, &relay->server, daemon->namebuff, ADDRSTRLEN); + + if (family == AF_INET && relay->port != DHCP_SERVER_PORT) + sprintf(daemon->namebuff + strlen(daemon->namebuff), "#%u", relay->port); #ifdef HAVE_DHCP6 struct in6_addr multicast; @@ -1025,7 +1028,11 @@ void log_relay(int family, struct dhcp_relay *relay) inet_pton(AF_INET6, ALL_SERVERS, &multicast); if (family == AF_INET6) - broadcast = IN6_ARE_ADDR_EQUAL(&relay->server.addr6, &multicast); + { + broadcast = IN6_ARE_ADDR_EQUAL(&relay->server.addr6, &multicast); + if (relay->port != DHCPV6_SERVER_PORT) + sprintf(daemon->namebuff + strlen(daemon->namebuff), "#%u", relay->port); + } #endif @@ -1121,7 +1121,7 @@ static int relay_upstream4(int iface_index, struct dhcp_packet *mess, size_t sz) to.sa.sa_family = AF_INET; to.in.sin_addr = relay->server.addr4; - to.in.sin_port = htons(daemon->dhcp_server_port); + to.in.sin_port = htons(relay->port); /* Broadcasting to server. */ if (relay->server.addr4.s_addr == 0) diff --git a/src/dnsmasq.c b/src/dnsmasq.c index 7cfb493..858c731 100644 --- a/src/dnsmasq.c +++ b/src/dnsmasq.c @@ -1665,9 +1665,10 @@ static void poll_resolv(int force, int do_reload, time_t now) else { res->logged = 0; - if (force || (statbuf.st_mtime != res->mtime)) + if (force || (statbuf.st_mtime != res->mtime || statbuf.st_ino != res->ino)) { res->mtime = statbuf.st_mtime; + res->ino = statbuf.st_ino; if (difftime(statbuf.st_mtime, last_change) > 0.0) { last_change = statbuf.st_mtime; diff --git a/src/dnsmasq.h b/src/dnsmasq.h index bfc0fd4..a8937ce 100644 --- a/src/dnsmasq.h +++ b/src/dnsmasq.h 
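Review bot: `sprintf(daemon->namebuff + strlen(daemon->namebuff), "#%u", relay->port);` prints `relay->port`, which the dnsmasq.h hunk declares as `int port;`, with a `%u` conversion, and the write is unbounded; the identical line recurs in the IPv6 branch of the next log_relay hunk. The value has already passed the parser's 16-bit check and the prefix written by inet_ntop is at most ADDRSTRLEN long, so this is a format-contract and idiom point rather than an overflow, but both should still be fixed where the line is introduced. I would write `size_t used = strlen(daemon->namebuff); snprintf(daemon->namebuff + used, NAMEBUFF_SIZE_PLACEHOLDER - used, "#%d", relay->port);` with the placeholder replaced by the size namebuff is allocated with, which is not visible in this hunk.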
@@ -665,6 +665,7 @@ struct resolvc { struct resolvc *next; int is_default, logged; time_t mtime; + ino_t ino; char *name; #ifdef HAVE_INOTIFY int wd; /* inotify watch descriptor */ @@ -1084,6 +1085,7 @@ struct dhcp_relay { union all_addr local, server; char *interface; /* Allowable interface for replies from server, and dest for IPv6 multicast */ int iface_index; /* working - interface in which requests arrived, for return */ + int port; /* Port of relay we forward to. */ #ifdef HAVE_SCRIPT struct snoop_record { struct in6_addr client, prefix; diff --git a/src/dnssec.c b/src/dnssec.c index 9965eea..daf679e 100644 --- a/src/dnssec.c +++ b/src/dnssec.c @@ -1851,7 +1851,7 @@ static int zone_status(char *name, int class, char *keyname, time_t now) STAT_NEED_DS need DS to complete validation (name is returned in keyname) daemon->rr_status points to a char array which corressponds to the RRs in the - answer and auth sections. This is set to 1 for each RR which is validated, and 0 for any which aren't. + answer and auth sections. This is set to >1 for each RR which is validated, and 0 for any which aren't. When validating replies to DS records, we're only interested in the NSEC{3} RRs in the auth section. Other RRs in that section missing sigs will not cause am INSECURE reply. We determine this mode diff --git a/src/forward.c b/src/forward.c index c17541b..b522c1f 100644 --- a/src/forward.c +++ b/src/forward.c @@ -527,8 +527,8 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr, } #ifdef HAVE_DNSSEC else - log_query_mysockaddr(F_NOEXTRA | F_DNSSEC, daemon->namebuff, &srv->addr, - "dnssec-retry", (forward->flags & FREC_DNSKEY_QUERY) ? T_DNSKEY : T_DS); + log_query_mysockaddr(F_NOEXTRA | F_DNSSEC | F_SERVER, daemon->namebuff, &srv->addr, + (forward->flags & FREC_DNSKEY_QUERY) ? "dnssec-retry[DNSKEY]" : "dnssec-retry[DS]", 0); #endif srv->queries++; diff --git a/src/netlink.c b/src/netlink.c index da82943..c156cde 100644 --- a/src/netlink.c +++ b/src/netlink.c 
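Review bot: The new `ino_t ino;` member of struct resolvc carries no comment, unlike `wd` two lines below it, and its purpose is only recoverable from the dnsmasq.c hunk that compares it with `statbuf.st_ino`. I would write `ino_t ino;  /* inode seen at the last reload; catches a file replaced by rename whose mtime did not change */`. Where resolvc is allocated, and so what `ino` holds before the first poll, is outside this hunk; presumably the first poll reloads on the mtime mismatch regardless, but that is worth confirming.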
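Review bot: The reworded zone_status comment now says each validated RR's rr_status entry is set to `>1`, but it does not say what the value means, so a reader cannot tell whether anything beyond "non-zero" is significant. If the magnitude matters, state what it encodes; if it does not, `set to a non-zero value for each RR which is validated` reads more clearly than `>1`. While this comment is being touched, the surrounding context lines still carry `corressponds` and `cause am INSECURE`, which could be corrected in the same pass. zone_status's body continues outside the hunk.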
@@ -258,7 +258,16 @@ int iface_enumerate(int family, void *parm, int (*callback)()) while (RTA_OK(rta, len1)) { - if (rta->rta_type == IFA_ADDRESS) + /* + * Important comment: (from if_addr.h) + * IFA_ADDRESS is prefix address, rather than local interface address. + * It makes no difference for normally configured broadcast interfaces, + * but for point-to-point IFA_ADDRESS is DESTINATION address, + * local address is supplied in IFA_LOCAL attribute. + */ + if (rta->rta_type == IFA_LOCAL) + addrp = ((struct in6_addr *)(rta+1)); + else if (rta->rta_type == IFA_ADDRESS && !addrp) addrp = ((struct in6_addr *)(rta+1)); else if (rta->rta_type == IFA_CACHEINFO) { diff --git a/src/option.c b/src/option.c index 39e1179..c5e8cb4 100644 --- a/src/option.c +++ b/src/option.c @@ -4333,6 +4333,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma { if (inet_pton(AF_INET, arg, &new->local)) { + char *hash = split_chr(two, '#'); + + if (!hash || !atoi_check16(hash, &new->port)) + new->port = DHCP_SERVER_PORT; + if (!inet_pton(AF_INET, two, &new->server)) { new->server.addr4.s_addr = 0; @@ -4351,6 +4356,11 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma #ifdef HAVE_DHCP6 else if (inet_pton(AF_INET6, arg, &new->local)) { + char *hash = split_chr(two, '#'); + + if (!hash || !atoi_check16(hash, &new->port)) + new->port = DHCPV6_SERVER_PORT; + if (!inet_pton(AF_INET6, two, &new->server)) { inet_pton(AF_INET6, ALL_SERVERS, &new->server.addr6); diff --git a/src/rfc3315.c b/src/rfc3315.c index e218d26..6533197 100644 --- a/src/rfc3315.c +++ b/src/rfc3315.c @@ -2170,7 +2170,7 @@ int relay_upstream6(int iface_index, ssize_t sz, to.sa.sa_family = AF_INET6; to.in6.sin6_addr = relay->server.addr6; - to.in6.sin6_port = htons(DHCPV6_SERVER_PORT); + to.in6.sin6_port = htons(relay->port); to.in6.sin6_flowinfo = 0; to.in6.sin6_scope_id = 0; |
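Review bot: The two new branches assign the identical expression `addrp = ((struct in6_addr *)(rta+1));`, so the rule being applied (IFA_LOCAL always wins, IFA_ADDRESS only fills in when nothing has been seen yet) is spread over four lines; `if (rta->rta_type == IFA_LOCAL || (rta->rta_type == IFA_ADDRESS && !addrp))` states it once and keeps a single cast. The long comment block could then close with that rule in one sentence, e.g. `/* Prefer IFA_LOCAL; fall back to IFA_ADDRESS only if no IFA_LOCAL is present. */`, instead of leaving the reader to derive it from the conditions. This ordering only works if addrp is reset to NULL before each attribute loop, which happens outside the hunk; presumably it is, otherwise an earlier message's address would suppress IFA_ADDRESS here. iface_enumerate begins and ends outside the hunk.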
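Review bot: `if (!hash || !atoi_check16(hash, &new->port)) new->port = DHCP_SERVER_PORT;` falls back to the default whenever a `#port` suffix is present but fails to parse, so a typo or out-of-range value in the configuration silently relays to the standard port with no diagnostic; the IPv6 branch in the next one_opt hunk has the same shape with DHCPV6_SERVER_PORT. Only the no-suffix case should default, and a suffix that atoi_check16 rejects should fail the option like other malformed values in this parser, e.g. `if (!hash) new->port = DHCP_SERVER_PORT; else if (!atoi_check16(hash, &new->port)) ret_err(_("bad port"));` in both branches. If atoi_check16 admits 0, `#0` would also slip through and is worth excluding explicitly. one_opt's body continues outside the hunk.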