From 9acb9eb162ab31ca7d23350c508b207a775da79f Mon Sep 17 00:00:00 2001
From: Seonah Moon
Date: Thu, 7 Apr 2016 14:01:07 +0900
Subject: [PATCH] Update to 2.74

Change-Id: Ic7e94612466be7786c3d2b0724d745c7720e01c9
Signed-off-by: Seonah Moon --- CHANGELOG | 1073 +++++++++++ CMakeLists.txt | 23 +- FAQ | 133 +- Makefile | 174 +- VERSION | 1 + bld/Android.mk | 8 +- bld/bloat-o-meter | 130 ++ bld/get-version | 31 + bld/install-man | 2 +- bld/install-mo | 2 +- bld/pkg-wrapper | 37 +- contrib/conntrack/README | 54 + contrib/dbus-test/dbus-test.py | 43 + contrib/mactable/macscript | 36 + contrib/port-forward/dnsmasq-portforward | 10 + contrib/reverse-dns/README | 18 + contrib/reverse-dns/reverse_replace.sh | 125 ++ contrib/systemd/README | 16 + contrib/systemd/dbus_activation | 57 + contrib/systemd/dnsmasq.service | 12 + contrib/try-all-ns/dnsmasq-2.68-try-all-ns | 29 + contrib/wrt/dhcp_lease_time.1 | 25 + contrib/wrt/dhcp_lease_time.c | 9 +- contrib/wrt/dhcp_release.1 | 37 + contrib/wrt/dhcp_release.c | 11 +- dbus/DBus-interface | 153 +- dnsmasq.conf.example | 121 +- doc.html | 156 +- logo/favicon.ico | Bin 1406 -> 1406 bytes man/dnsmasq.8 | 1081 ++++++++++-- man/es/dnsmasq.8 | 12 +- man/fr/dnsmasq.8 | 1019 +++++++++-- packaging/dnsmasq.spec | 4 +- po/de.po | 1614 ++++++++++++----- po/es.po | 1745 ++++++++++++------ po/fi.po | 1452 +++++++++++---- po/fr.po | 1558 +++++++++++----- po/id.po | 1607 ++++++++++++----- po/it.po | 1452 +++++++++++---- po/no.po | 1529 +++++++++++----- po/pl.po | 2059 +++++++++++++++------- po/pt_BR.po | 1452 +++++++++++---- po/ro.po | 1529 +++++++++++----- setup.html | 2 +- src/auth.c | 829 +++++++++ src/blockdata.c | 151 ++ src/bpf.c | 321 +++- src/cache.c | 964 +++++++--- src/config.h | 397 +++-- src/conntrack.c | 90 + src/dbus.c | 668 +++++-- src/dhcp-common.c | 905 ++++++++++ src/{dhcp_protocol.h => dhcp-protocol.h} | 7 +- src/dhcp.c | 768 ++++---- src/dhcp6-protocol.h | 75 + src/dhcp6.c | 806 +++++++++ src/{dns_protocol.h => dns-protocol.h} | 61 +- src/dnsmasq.c | 1112 ++++++++---- src/dnsmasq.h | 784 +++++++-- src/dnssec.c | 2544 ++++++++++++++++++++++++++ src/domain.c | 232 +++ src/forward.c | 1797 ++++++++++++++++--- src/helper.c | 630 +++++-- 
src/inotify.c | 288 +++ src/ip6addr.h | 34 + src/ipset.c | 229 +++ src/lease.c | 725 +++++++- src/log.c | 41 +- src/loop.c | 117 ++ src/netlink.c | 191 +- src/network.c | 1291 ++++++++++---- src/option.c | 2646 ++++++++++++++++++++-------- src/outpacket.c | 108 ++ src/poll.c | 125 ++ src/radv-protocol.h | 58 + src/radv.c | 976 ++++++++++ src/rfc1035.c | 1242 +++++++++---- src/rfc2131.c | 930 +++++----- src/rfc3315.c | 2183 +++++++++++++++++++++++ src/slaac.c | 209 +++ src/tables.c | 173 ++ src/tftp.c | 252 ++- src/util.c | 279 ++- trust-anchors.conf | 9 + 84 files changed, 36820 insertions(+), 9068 deletions(-) create mode 100644 VERSION create mode 100755 bld/bloat-o-meter create mode 100755 bld/get-version create mode 100644 contrib/conntrack/README create mode 100755 contrib/dbus-test/dbus-test.py create mode 100755 contrib/mactable/macscript create mode 100644 contrib/reverse-dns/README create mode 100644 contrib/reverse-dns/reverse_replace.sh create mode 100644 contrib/systemd/README create mode 100644 contrib/systemd/dbus_activation create mode 100644 contrib/systemd/dnsmasq.service create mode 100644 contrib/try-all-ns/dnsmasq-2.68-try-all-ns create mode 100644 contrib/wrt/dhcp_lease_time.1 create mode 100644 contrib/wrt/dhcp_release.1 create mode 100644 src/auth.c create mode 100644 src/blockdata.c create mode 100644 src/conntrack.c create mode 100644 src/dhcp-common.c rename src/{dhcp_protocol.h => dhcp-protocol.h} (94%) create mode 100644 src/dhcp6-protocol.h create mode 100644 src/dhcp6.c rename src/{dns_protocol.h => dns-protocol.h} (61%) create mode 100644 src/dnssec.c create mode 100644 src/domain.c create mode 100644 src/inotify.c create mode 100644 src/ip6addr.h create mode 100644 src/ipset.c create mode 100644 src/loop.c create mode 100644 src/outpacket.c create mode 100644 src/poll.c create mode 100644 src/radv-protocol.h create mode 100644 src/radv.c create mode 100644 src/rfc3315.c create mode 100644 src/slaac.c create mode 100644 src/tables.c 
create mode 100644 trust-anchors.conf diff --git a/CHANGELOG b/CHANGELOG index fb15e3d..7c621e2 100644 --- a/CHANGELOG +++ b/CHANGELOG 
@@ -1,3 +1,1076 @@ +version 2.74 + Fix reversion in 2.73 where --conf-file would attempt to + read the default file, rather than no file. + + Fix inotify code to handle dangling symlinks better and + not SEGV in some circumstances. + + DNSSEC fix. In the case of a signed CNAME generated by a + wildcard which pointed to an unsigned domain, the wrong + status would be logged, and some necessary checks omitted. + + +version 2.73 + Fix crash at startup when an empty suffix is supplied to + --conf-dir, also trivial memory leak. Thanks to + Tomas Hozza for spotting this. + + Remove floor of 4096 on advertised EDNS0 packet size when + DNSSEC in use, the original rationale for this has long gone. + Thanks to Anders Kaseorg for spotting this. + + Use inotify for checking on updates to /etc/resolv.conf and + friends under Linux. This fixes race conditions when the files are + updated rapidly and saves CPU by noy polling. To build + a binary that runs on old Linux kernels without inotify, + use make COPTS=-DNO_INOTIFY + + Fix breakage of --domain=,,local - only reverse + queries were intercepted. THis appears to have been broken + since 2.69. Thanks to Josh Stone for finding the bug. + + Eliminate IPv6 privacy addresses and deprecated addresses from + the answers given by --interface-name. Note that reverse queries + (ie looking for names, given addresses) are not affected. + Thanks to Michael Gorbach for the suggestion. + + Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids + for the bug report. + + Add --ignore-address option. Ignore replies to A-record + queries which include the specified address. No error is + generated, dnsmasq simply continues to listen for another + reply. This is useful to defeat blocking strategies which + rely on quickly supplying a forged answer to a DNS + request for certain domains, before the correct answer can + arrive. Thanks to Glen Huang for the patch. 
+ + Revisit the part of DNSSEC validation which determines if an + unsigned answer is legit, or is in some part of the DNS + tree which should be signed. Dnsmasq now works from the + DNS root downward looking for the limit of signed + delegations, rather than working bottom up. This is + both more correct, and less likely to trip over broken + nameservers in the unsigned parts of the DNS tree + which don't respond well to DNSSEC queries. + + Add --log-queries=extra option, which makes logs easier + to search automatically. + + Add --min-cache-ttl option. I've resisted this for a long + time, on the grounds that disbelieving TTLs is never a + good idea, but I've been persuaded that there are + sometimes reasons to do it. (Step forward, GFW). + To avoid misuse, there's a hard limit on the TTL + floor of one hour. Thansk to RinSatsuki for the patch. + + Cope with multiple interfaces with the same link-local + address. (IPv6 addresses are scoped, so this is allowed.) + Thanks to Cory Benfield for help with this. + + Add --dhcp-hostsdir. This allows addition of new host + configurations to a running dnsmasq instance much more + cheaply than having dnsmasq re-read all its existing + configuration each time. + + Don't reply to DHCPv6 SOLICIT messages if we're not + configured to do stateful DHCPv6. Thanks to Win King Wan + for the patch. + + Fix broken DNSSEC validation of ECDSA signatures. + + Add --dnssec-timestamp option, which provides an automatic + way to detect when the system time becomes valid after + boot on systems without an RTC, whilst allowing DNS + queries before the clock is valid so that NTP can run. + Thanks to Kevin Darbyshire-Bryant for developing this idea. + + Add --tftp-no-fail option. Thanks to Stefan Tomanek for + the patch. + + Fix crash caused by looking up servers.bind, CHAOS text + record, when more than about five --servers= lines are + in the dnsmasq config. This causes memory corruption + which causes a crash later. 
Thanks to Matt Coddington for + sterling work chasing this down. + + Fix crash on receipt of certain malformed DNS requests. + Thanks to Nick Sampanis for spotting the problem. + Note that this is could allow the dnsmasq process's + memory to be read by an attacker under certain + circumstances, so it has a CVE, CVE-2015-3294 + + Fix crash in authoritative DNS code, if a .arpa zone + is declared as authoritative, and then a PTR query which + is not to be treated as authoritative arrived. Normally, + directly declaring .arpa zone as authoritative is not + done, so this crash wouldn't be seen. Instead the + relevant .arpa zone should be specified as a subnet + in the auth-zone declaration. Thanks to Johnny S. Lee + for the bugreport and initial patch. + + Fix authoritative DNS code to correctly reply to NS + and SOA queries for .arpa zones for which we are + declared authoritative by means of a subnet in auth-zone. + Previously we provided correct answers to PTR queries + in such zones (including NS and SOA) but not direct + NS and SOA queries. Thanks to Johnny S. Lee for + pointing out the problem. + + Fix logging of DHCPREPLY which should be suppressed + by quiet-dhcp6. Thanks to J. Pablo Abonia for + spotting the problem. + + Try and handle net connections with broken fragmentation + that lose large UDP packets. If a server times out, + reduce the maximum UDP packet size field in the EDNS0 + header to 1280 bytes. If it then answers, make that + change permanent. + + Check IPv4-mapped IPv6 addresses when --stop-rebind + is active. Thanks to Jordan Milne for spotting this. + + Allow DHCPv4 options T1 and T2 to be set using --dhcp-option. + Thanks to Kevin Benton for patches and work on this. + + Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses + in the correct subnet, even of not in dynamic address + allocation range. Thanks to Steve Hirsch for spotting + the problem. + + Add AddDhcpLease and DeleteDhcpLease DBus methods. 
Thanks + to Nicolas Cavallari for the patch. + + Allow configuration of router advertisements without the + "on-link" bit set. Thanks to Neil Jerram for the patch. + + Extend --bridge-interface to DHCPv6 and router + advertisements. Thanks to Neil Jerram for the patch. + + +version 2.72 + Add ra-advrouter mode, for RFC-3775 mobile IPv6 support. + + Add support for "ipsets" in *BSD, using pf. Thanks to + Sven Falempim for the patch. + + Fix race condition which could lock up dnsmasq when an + interface goes down and up rapidly. Thanks to Conrad + Kostecki for helping to chase this down. + + Add DBus methods SetFilterWin2KOption and SetBogusPrivOption + Thanks to the Smoothwall project for the patch. + + Fix failure to build against Nettle-3.0. Thanks to Steven + Barth for spotting this and finding the fix. + + When assigning existing DHCP leases to intefaces by comparing + networks, handle the case that two or more interfaces have the + same network part, but different prefix lengths (favour the + longer prefix length.) Thanks to Lung-Pin Chang for the + patch. + + Add a mode which detects and removes DNS forwarding loops, ie + a query sent to an upstream server returns as a new query to + dnsmasq, and would therefore be forwarded again, resulting in + a query which loops many times before being dropped. Upstream + servers which loop back are disabled and this event is logged. + Thanks to Smoothwall for their sponsorship of this feature. + + Extend --conf-dir to allow filtering of files. So + --conf-dir=/etc/dnsmasq.d,\*.conf + will load all the files in /etc/dnsmasq.d which end in .conf + + Fix bug when resulted in NXDOMAIN answers instead of NODATA in + some circumstances. + + Fix bug which caused dnsmasq to become unresponsive if it + failed to send packets due to a network interface disappearing. + Thanks to Niels Peen for spotting this. + + Fix problem with --local-service option on big-endian platforms + Thanks to Richard Genoud for the patch. 
+ + +version 2.71 + Subtle change to error handling to help DNSSEC validation + when servers fail to provide NODATA answers for + non-existent DS records. + + Tweak code which removes DNSSEC records from answers when + not required. Fixes broken answers when additional section + has real records in it. Thanks to Marco Davids for the bug + report. + + Fix DNSSEC validation of ANY queries. Thanks to Marco Davids + for spotting that too. + + Fix total DNS failure and 100% CPU use if cachesize set to zero, + regression introduced in 2.69. Thanks to James Hunt and + the Ubuntu crowd for assistance in fixing this. + + +version 2.70 + Fix crash, introduced in 2.69, on TCP request when dnsmasq + compiled with DNSSEC support, but running without DNSSEC + enabled. Thanks to Manish Sing for spotting that one. + + Fix regression which broke ipset functionality. Thanks to + Wang Jian for the bug report. + + +version 2.69 + Implement dynamic interface discovery on *BSD. This allows + the contructor: syntax to be used in dhcp-range for DHCPv6 + on the BSD platform. Thanks to Matthias Andree for + valuable research on how to implement this. + + Fix infinite loop associated with some --bogus-nxdomain + configs. Thanks fogobogo for the bug report. + + Fix missing RA RDNS option with configuration like + --dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer + for spotting the problem. + + Add [fd00::] and [fe80::] as special addresses in DHCPv6 + options, analogous to [::]. [fd00::] is replaced with the + actual ULA of the interface on the machine running + dnsmasq, [fe80::] with the link-local address. + Thanks to Tsachi Kimeldorfer for championing this. + + DNSSEC validation and caching. Dnsmasq needs to be + compiled with this enabled, with + + make dnsmasq COPTS=-DHAVE_DNSSEC + + this add dependencies on the nettle crypto library and the + gmp maths library. 
It's possible to have these linked + statically with + + make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC' + + which bloats the dnsmasq binary, but saves the size of + the shared libraries which are much bigger. + + To enable, DNSSEC, you will need a set of + trust-anchors. Now that the TLDs are signed, this can be + the keys for the root zone, and for convenience they are + included in trust-anchors.conf in the dnsmasq + distribution. You should of course check that these are + legitimate and up-to-date. So, adding + + conf-file=/path/to/trust-anchors.conf + dnssec + + to your config is all thats needed to get things + working. The upstream nameservers have to be DNSSEC-capable + too, of course. Many ISP nameservers aren't, but the + Google public nameservers (8.8.8.8 and 8.8.4.4) are. + When DNSSEC is configured, dnsmasq validates any queries + for domains which are signed. Query results which are + bogus are replaced with SERVFAIL replies, and results + which are correctly signed have the AD bit set. In + addition, and just as importantly, dnsmasq supplies + correct DNSSEC information to clients which are doing + their own validation, and caches DNSKEY, DS and RRSIG + records, which significantly improve the performance of + downstream validators. Setting --log-queries will show + DNSSEC in action. + + If a domain is returned from an upstream nameserver without + DNSSEC signature, dnsmasq by default trusts this. This + means that for unsigned zone (still the majority) there + is effectively no cost for having DNSSEC enabled. Of course + this allows an attacker to replace a signed record with a + false unsigned record. This is addressed by the + --dnssec-check-unsigned flag, which instructs dnsmasq + to prove that an unsigned record is legitimate, by finding + a secure proof that the zone containing the record is not + signed. Doing this has costs (typically one or two extra + upstream queries). 
It also has a nasty failure mode if + dnsmasq's upstream nameservers are not DNSSEC capable. + Without --dnssec-check-unsigned using such an upstream + server will simply result in not queries being validated; + with --dnssec-check-unsigned enabled and a + DNSSEC-ignorant upstream server, _all_ queries will fail. + + Note that DNSSEC requires that the local time is valid and + accurate, if not then DNSSEC validation will fail. NTP + should be running. This presents a problem for routers + without a battery-backed clock. To set the time needs NTP + to do DNS lookups, but lookups will fail until NTP has run. + To address this, there's a flag, --dnssec-no-timecheck + which disables the time checks (only) in DNSSEC. When dnsmasq + is started and the clock is not synced, this flag should + be used. As soon as the clock is synced, SIGHUP dnsmasq. + The SIGHUP clears the cache of partially-validated data and + resets the no-timecheck flag, so that all DNSSEC checks + henceforward will be complete. + + The development of DNSSEC in dnsmasq was started by + Giovanni Bajo, to whom huge thanks are owed. It has been + supported by Comcast, whose techfund grant has allowed for + an invaluable period of full-time work to get it to + a workable state. + + Add --rev-server. Thanks to Dave Taht for suggesting this. + + Add --servers-file. Allows dynamic update of upstream servers + full access to configuration. + + Add --local-service. Accept DNS queries only from hosts + whose address is on a local subnet, ie a subnet for which + an interface exists on the server. This option + only has effect if there are no --interface --except-interface, + --listen-address or --auth-server options. It is intended + to be set as a default on installation, to allow + unconfigured installations to be useful but also safe from + being used for DNS amplification attacks. + + Fix crashes in cache_get_cname_target() when dangling CNAMEs + encountered. 
Thanks to Andy and the rt-n56u project for + find this and helping to chase it down. + + Fix wrong RCODE in authoritative DNS replies to PTR queries. The + correct answer was included, but the RCODE was set to NXDOMAIN. + Thanks to Craig McQueen for spotting this. + + Make statistics available as DNS queries in the .bind TLD as + well as logging them. + + +version 2.68 + Use random addresses for DHCPv6 temporary address + allocations, instead of algorithmically determined stable + addresses. + + Fix bug which meant that the DHCPv6 DUID was not available + in DHCP script runs during the lifetime of the dnsmasq + process which created the DUID de-novo. Once the DUID was + created and stored in the lease file and dnsmasq + restarted, this bug disappeared. + + Fix bug introduced in 2.67 which could result in erroneous + NXDOMAIN returns to CNAME queries. + + Fix build failures on MacOS X and openBSD. + + Allow subnet specifications in --auth-zone to be interface + names as well as address literals. This makes it possible + to configure authoritative DNS when local address ranges + are dynamic and works much better than the previous + work-around which exempted contructed DHCP ranges from the + IP address filtering. As a consequence, that work-around + is removed. Under certain circumstances, this change wil + break existing configuration: if you're relying on the + contructed-range exception, you need to change --auth-zone + to specify the same interface as is used to construct your + DHCP ranges, probably with a trailing "/6" like this: + --auth-zone=example.com,eth0/6 to limit the addresses to + IPv6 addresses of eth0. + + Fix problems when advertising deleted IPv6 prefixes. If + the prefix is deleted (rather than replaced), it doesn't + get advertised with zero preferred time. Thanks to Tsachi + for the bug report. + + Fix segfault with some locally configured CNAMEs. Thanks + to Andrew Childs for spotting the problem. 
+ + Fix memory leak on re-reading /etc/hosts and friends, + introduced in 2.67. + + Check the arrival interface of incoming DNS and TFTP + requests via IPv6, even in --bind-interfaces mode. This + isn't possible for IPv4 and can generate scary warnings, + but as it's always possible for IPv6 (the API always + exists) then we should do it always. + + Tweak the rules on prefix-lengths in --dhcp-range for + IPv6. The new rule is that the specified prefix length + must be larger than or equal to the prefix length of the + corresponding address on the local interface. + + +version 2.67 + Fix crash if upstream server returns SERVFAIL when + --conntrack in use. Thanks to Giacomo Tazzari for finding + this and supplying the patch. + + Repair regression in 2.64. That release stopped sending + lease-time information in the reply to DHCPINFORM + requests, on the correct grounds that it was a standards + violation. However, this broke the dnsmasq-specific + dhcp_lease_time utility. Now, DHCPINFORM returns + lease-time only if it's specifically requested + (maintaining standards) and the dhcp_lease_time utility + has been taught to ask for it (restoring functionality). + + Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass + to work with BOOTP and well as DHCP. Thanks to Peter + Korsgaard for spotting the problem. + + Add --synth-domain. Thanks to Vishvananda Ishaya for + suggesting this. + + Fix failure to compile ipset.c if old kernel headers are + in use. Thanks to Eugene Rudoy for pointing this out. + + Handle IPv4 interface-address labels in Linux. These are + often used to emulate the old IP-alias addresses. Before, + using --interface=eth0 would service all the addresses of + eth0, including ones configured as aliases, which appear + in ifconfig as eth0:0. Now, only addresses with the label + eth0 are active. This is not backwards compatible: if you + want to continue to bind the aliases too, you need to add + eg. --interface=eth0:0 to the config. 
+ + Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket + operation on non-socket" error on startup with + configurations which have exactly one --interface option + and do RA but _not_ DHCPv6. Thanks to Trever Adams for the + bug report. + + Generalise --interface-name to cope with IPv6 addresses + and multiple addresses per interface per address family. + + Fix option parsing for --dhcp-host, which was generating a + spurious error when all seven possible items were + included. Thanks to Zhiqiang Wang for the bug report. + + Remove restriction on prefix-length in --auth-zone. Thanks + to Toke Hoiland-Jorgensen for suggesting this. + + Log when the maximum number of concurrent DNS queries is + reached. Thanks to Marcelo Salhab Brogliato for the patch. + + If wildcards are used in --interface, don't assume that + there will only ever be one available interface for DHCP + just because there is one at start-up. More may appear, so + we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug + report. + + Increase timeout/number of retries in TFTP to accomodate + AudioCodes Voice Gateways doing streaming writes to flash. + Thanks to Damian Kaczkowski for spotting the problem. + + Fix crash with empty DHCP string options when adding zero + terminator. Thanks to Patrick McLean for the bug report. + + Allow hostnames to start with a number, as allowed in + RFC-1123. Thanks to Kyle Mestery for the patch. + + Fixes to DHCP FQDN option handling: don't terminate FQDN + if domain not known and allow a FQDN option with blank + name to request that a FQDN option is returned in the + reply. Thanks to Roy Marples for the patch. + + Make --clear-on-reload apply to setting upstream servers + via DBus too. + + When the address which triggered the construction of an + advertised IPv6 prefix disappears, continue to advertise + the prefix for up to 2 hours, with the preferred lifetime + set to zero. 
This satisfies RFC 6204 4.3 L-13 and makes + things work better if a prefix disappears without being + deprecated first. Thanks to Uwe Schindler for persuasively + arguing for this. + + Fix MAC address enumeration on *BSD. Thanks to Brad Smith + for the bug report. + + Support RFC-4242 information-refresh-time options in the + reply to DHCPv6 information-request. The lease time of the + smallest valid dhcp-range is sent. Thanks to Uwe Schindler + for suggesting this. + + Make --listen-address higher priority than --except-interface + in all circumstances. Thanks to Thomas Hood for the bugreport. + + Provide independent control over which interfaces get TFTP + service. If enable-tftp is given a list of interfaces, then TFTP + is provided on those. Without the list, the previous behaviour + (provide TFTP to the same interfaces we provide DHCP to) + is retained. Thanks to Lonnie Abelbeck for the suggestion. + + Add --dhcp-relay config option. Many thanks to vtsl.net + for sponsoring this development. + + Fix crash with empty tag: in --dhcp-range. Thanks to + Kaspar Schleiser for the bug report. + + Add "baseline" and "bloatcheck" makefile targets, for + revealing size changes during development. Thanks to + Vladislav Grishenko for the patch. + + Cope with DHCPv6 clients which send REQUESTs without + address options - treat them as SOLICIT with rapid commit. + + Support identification of clients by MAC address in + DHCPv6. When using a relay, the relay must support RFC + 6939 for this to work. It always works for directly + connected clients. Thanks to Vladislav Grishenko + for prompting this feature. + + Remove the rule for constructed DHCP ranges that the local + address must be either the first or last address in the + range. This was originally to avoid SLAAC addresses, but + we now explicitly autoconfig and privacy addresses instead. + + Update Polish translation. Thanks to Jan Psota. + + Fix problem in DHCPv6 vendorclass/userclass matching + code. 
Thanks to Tanguy Bouzeloc for the patch. + + Update Spanish transalation. Thanks to Vicente Soriano. + + Add --ra-param option. Thanks to Vladislav Grishenko for + inspiration on this. + + Add --add-subnet configuration, to tell upstream DNS + servers where the original client is. Thanks to DNSthingy + for sponsoring this feature. + + Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to + Kevin Darbyshire-Bryant for the initial patch. + + Allow A/AAAA records created by --interface-name to be the + target of --cname. Thanks to Hadmut Danisch for the + suggestion. + + Avoid treating a --dhcp-host which has an IPv6 address + as eligable for use with DHCPv4 on the grounds that it has + no address, and vice-versa. Thanks to Yury Konovalov for + spotting the problem. + + Do a better job caching dangling CNAMEs. Thanks to Yves + Dorfsman for spotting the problem. + + +version 2.66 + Add the ability to act as an authoritative DNS + server. Dnsmasq can now answer queries from the wider 'net + with local data, as long as the correct NS records are set + up. Only local data is provided, to avoid creating an open + DNS relay. Zone transfer is supported, to allow secondary + servers to be configured. + + Add "constructed DHCP ranges" for DHCPv6. This is intended + for IPv6 routers which get prefixes dynamically via prefix + delegation. With suitable configuration, stateful DHCPv6 + and RA can happen automatically as prefixes are delegated + and then deprecated, without having to re-write the + dnsmasq configuration file or restart the daemon. Thanks to + Steven Barth for extensive testing and development work on + this idea. + + Fix crash on startup on Solaris 11. Regression probably + introduced in 2.61. Thanks to Geoff Johnstone for the + patch. + + Add code to make behaviour for TCP DNS requests that same + as for UDP requests, when a request arrives for an allowed + address, but via a banned interface. 
This change is only + active on Linux, since the relevant API is missing (AFAIK) + on other platforms. Many thanks to Tomas Hozza for + spotting the problem, and doing invaluable discovery of + the obscure and undocumented API required for the solution. + + Don't send the default DHCP option advertising dnsmasq as + the local DNS server if dnsmasq is configured to not act + as DNS server, or it's configured to a non-standard port. + + Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID, + DNSMASQ_REMOTE_ID variables to the environment of the + lease-change script (and the corresponding Lua). These hold + information inserted into the DHCP request by a DHCP relay + agent. Thanks to Lakefield Communications for providing a + bounty for this addition. + + Fixed crash, introduced in 2.64, whilst handling DHCPv6 + information-requests with some common configurations. + Thanks to Robert M. Albrecht for the bug report and + chasing the problem. + + Add --ipset option. Thanks to Jason A. Donenfeld for the + patch. + + Don't erroneously reject some option names in --dhcp-match + options. Thanks to Benedikt Hochstrasser for the bug report. + + Allow a trailing '*' wildcard in all interface-name + configurations. Thanks to Christian Parpart for the patch. + + Handle the situation where libc headers define + SO_REUSEPORT, but the kernel in use doesn't, to cope with + the introduction of this option to Linux. Thanks to Rich + Felker for the bug report. + + Update Polish translation. Thanks to Jan Psota. + + Fix crash if the configured DHCP lease limit is + reached. Regression occurred in 2.61. Thanks to Tsachi for + the bug report. + + Update the French translation. Thanks to Gildas le Nadan. + + +version 2.65 + Fix regression which broke forwarding of queries sent via + TCP which are not for A and AAAA and which were directed to + non-default servers. Thanks to Niax for the bug report. + + Fix failure to build with DHCP support excluded. Thanks to + Gustavo Zacarias for the patch. 
+ + Fix nasty regression in 2.64 which completely broke cacheing. + + +version 2.64 + Handle DHCP FQDN options with all flag bits zero and + --dhcp-client-update set. Thanks to Bernd Krumbroeck for + spotting the problem. + + Finesse the check for /etc/hosts names which conflict with + DHCP names. Previously a name/address pair in /etc/hosts + which didn't match the name/address of a DHCP lease would + generate a warning. Now that only happesn if there is not + also a match. This allows multiple addresses for a name in + /etc/hosts with one of them assigned via DHCP. + + Fix broken vendor-option processing for BOOTP. Thanks to + Hans-Joachim Baader for the bug report. + + Don't report spurious netlink errors, regression in + 2.63. Thanks to Vladislav Grishenko for the patch. + + Flag DHCP or DHCPv6 in starup logging. Thanks to + Vladislav Grishenko for the patch. + + Add SetServersEx method in DBus interface. Thanks to Dan + Williams for the patch. + + Add SetDomainServers method in DBus interface. Thanks to + Roy Marples for the patch. + + Fix build with later Lua libraries. Thansk to Cristian + Rodriguez for the patch. + + Add --max-cache-ttl option. Thanks to Dennis Kaarsemaker + for the patch. + + Fix breakage of --host-record parsing, resulting in + infinte loop at startup. Regression in 2.63. Thanks to + Haim Gelfenbeyn for spotting this. + + Set SO_REUSEADDRESS and SO_V6ONLY options on the DHCPv6 + socket, this allows multiple instances of dnsmasq on a + single machine, in the same way as for DHCPv4. Thanks to + Gene Czarcinski and Vladislav Grishenko for work on this. + + Fix DHCPv6 to do access control correctly when it's + configured with --listen-address. Thanks to + Gene Czarcinski for sorting this out. + + Add a "wildcard" dhcp-range which works for any IPv6 + subnet, --dhcp-range=::,static Useful for Stateless + DHCPv6. Thanks to Vladislav Grishenko for the patch. 
+ + Don't include lease-time in DHCPACK replies to DHCPINFORM + queries, since RFC-2131 says we shouldn't. Thanks to + Wouter Ibens for pointing this out. + + Makefile tweak to do dependency checking on header files. + Thanks to Johan Peeters for the patch. + + Check interface for outgoing unsolicited router + advertisements, rather than relying on interface address + configuration. Thanks to Gene Czarinski for the patch. + + Handle better attempts to transmit on interfaces which are + still doing DAD, and specifically do not just transmit + without setting source address and interface, since this + can cause very puzzling effects when a router + advertisement goes astray. Thanks again to Gene Czarinski. + + Get RA timers right when there is more than one + dhcp-range on a subnet. + + +version 2.63 + Do duplicate dhcp-host address check in --test mode. + + Check that tftp-root directories are accessible before + start-up. Thanks to Daniel Veillard for the initial patch. + + Allow more than one --tfp-root flag. The per-interface + stuff is pointless without that. + + Add --bind-dynamic. A hybrid mode between the default and + --bind-interfaces which copes with dynamically created + interfaces. + + A couple of fixes to the build system for Android. Thanks + to Metin Kaya for the patches. + + Remove the interface: argument in --dhcp-range, and + the interface argument to --enable-tftp. These were a + still-born attempt to allow automatic isolated + configuration by libvirt, but have never (to my knowledge) + been used, had very strange semantics, and have been + superceded by other mechanisms. + + Fixed bug logging filenames when duplicate dhcp-host + addresses are found. Thanks to John Hanks for the patch. + + Fix regression in 2.61 which broke caching of CNAME + chains. Thanks to Atul Gupta for the bug report. + + Allow the target of a --cname flag to be another --cname. 
+ + Teach DHCPv6 about the RFC 4242 information-refresh-time + option, and add parsing if the minutes, hours and days + format for options. Thanks to Francois-Xavier Le Bail for + the suggestion. + + Allow "w" (for week) as multiplier in lease times, as well + as seconds, minutes, hours and days. Álvaro Gámez Machado + spotted the ommission. + + Update French translation. Thanks to Gildas Le Nadan. + + Allow a DBus service name to be given with --enable-dbus + which overrides the default, + uk.org.thekelleys.dnsmasq. Thanks to Mathieu + Trudel-Lapierre for the patch. + + Set the "prefix on-link" bit in Router + Advertisements. Thanks to Gui Iribarren for the patch. + + +version 2.62 + Update German translation. Thanks to Conrad Kostecki. + + Cope with router-solict packets wich don't have a valid + source address. Thanks to Vladislav Grishenko for the patch. + + Fixed bug which caused missing periodic router + advertisements with some configurations. Thanks to + Vladislav Grishenko for the patch. + + Fixed bug which broke DHCPv6/RA with prefix lengths + which are not divisible by 8. Thanks to Andre Coetzee + for spotting this. + + Fix non-response to router-solicitations when + router-advertisement configured, but DHCPv6 not + configured. Thanks to Marien Zwart for the patch. + + Add --dns-rr, to allow arbitrary DNS resource records. + + Fixed bug which broke RA scheduling when an interface had + two addresses in the same network. Thanks to Jim Bos for + his help nailing this. + +version 2.61 + Re-write interface discovery code on *BSD to use + getifaddrs. This is more portable, more straightforward, + and allows us to find the prefix length for IPv6 + addresses. + + Add ra-names, ra-stateless and slaac keywords for DHCPv6. + Dnsmasq can now synthesise AAAA records for dual-stack + hosts which get IPv6 addresses via SLAAC. It is also now + possible to use SLAAC and stateless DHCPv6, and to + tell clients to use SLAAC addresses as well as DHCP ones. 
+ Thanks to Dave Taht for help with this. + + Add --dhcp-duid to allow DUID-EN uids to be used. + + Explicity send DHCPv6 replies to the correct port, instead + of relying on clients to send requests with the correct + source address, since at least one client in the wild gets + this wrong. Thanks to Conrad Kostecki for help tracking + this down. + + Send a preference value of 255 in DHCPv6 replies when + --dhcp-authoritative is in effect. This tells clients not + to wait around for other DHCP servers. + + Better logging of DHCPv6 options. + + Add --host-record. Thanks to Rob Zwissler for the + suggestion. + + Invoke the DHCP script with action "tftp" when a TFTP file + transfer completes. The size of the file, address to which + it was sent and complete pathname are supplied. Note that + version 2.60 introduced some script incompatibilties + associated with DHCPv6, and this is a further change. To + be safe, scripts should ignore unknown actions, and if + not IPv6-aware, should exit if the environment + variable DNSMASQ_IAID is set. The use-case for this is + to track netboot/install. Suggestion from Shantanu + Gadgil. + + Update contrib/port-forward/dnsmasq-portforward to reflect + the above. + + Set the environment variable DNSMASQ_LOG_DHCP when running + the script id --log-dhcp is in effect, so that script can + taylor their logging verbosity. Suggestion from Malte + Forkel. + + Arrange that addresses specified with --listen-address + work even if there is no interface carrying the + address. This is chiefly useful for IPv4 loopback + addresses, where any address in 127.0.0.0/8 is a valid + loopback address, but normally only 127.0.0.1 appears on + the lo interface. Thanks to Mathieu Trudel-Lapierre for + the idea and initial patch. + + Fix crash, introduced in 2.60, when a DHCPINFORM is + received from a network which has no valid dhcp-range. + Thanks to Stephane Glondu for the bug report. 
+ + Add a new DHCP lease time keyword, "deprecated" for + --dhcp-range. This is only valid for IPv6, and sets the + preffered lease time for both DHCP and RA to zero. The + effect is that clients can continue to use the address + for existing connections, but new connections will use + other addresses, if they exist. This makes hitless + renumbering at least possible. + + Fix bug in address6_available() which caused DHCPv6 lease + aquisition to fail if more than one dhcp-range in use. + + Provide RDNSS and DNSSL data in router advertisements, + using the settings provided for DHCP options + option6:domain-search and option6:dns-server. + + Tweak logo/favicon.ico to add some transparency. Thanks to + SamLT for work on this. + + Don't cache data from non-recursive nameservers, since it + may erroneously look like a valid CNAME to a non-exitant + name. Thanks to Ben Winslow for finding this. + + Call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP + on exactly one interface and --bind-interfaces is set. This + makes the OpenStack use-case of one dnsmasq per virtual + interface work. This is only available on Linux; it's not + supported on other platforms. Thanks to Vishvananda Ishaya + and the OpenStack team for the suggestion. + + Updated French translation. Thanks to Gildas Le Nadan. + + Give correct from-cache answers to explict CNAME queries. + Thanks to Rob Zwissler for spotting this. + + Add --tftp-lowercase option. Thanks to Oliver Rath for the + patch. + + Ensure that the DBus DhcpLeaseUpdated events are generated + when a lease goes through INIT_REBOOT state, even if the + dhcp-script is not in use. Thanks to Antoaneta-Ecaterina + Ene for the patch. + + Fix failure of TFTP over IPv4 on OpenBSD platform. Thanks + to Brad Smith for spotting this. + + +version 2.60 + Fix compilation problem in Mac OS X Lion. Thanks to Olaf + Flebbe for the patch. + + Fix DHCP when using --listen-address with an IP address + which is not the primary address of an interface. 
+ + Add --dhcp-client-update option. + + Add Lua integration. Dnsmasq can now execute a DHCP + lease-change script written in Lua. This needs to be + enabled at compile time by setting HAVE_LUASCRIPT in + src/config.h or running "make COPTS=-DHAVE_LUASCRIPT" + Thanks to Jan-Piet Mens for the idea and proof-of-concept + implementation. + + Tidied src/config.h to distinguish between + platform-dependent compile-time options which are selected + automatically, and builder-selectable compile time + options. Document the latter better, and describe how to + set them from the make command line. + + Tidied up IPPROTO_IP/SOL_IP (and IPv6 equivalent) + confusion. IPPROTO_IP works everywhere now. + + Set TOS on DHCP sockets, this improves things on busy + wireless networks. Thanks to Dave Taht for the patch. + + Determine VERSION automatically based on git magic: + release tags or hash values. + + Improve start-up speed when reading large hosts files + containing many distinct addresses. + + Fix problem if dnsmasq is started without the stdin, + stdout and stderr file descriptors open. This can manifest + itself as 100% CPU use. Thanks to Chris Moore for finding + this. + + Fix shell-scripting bug in bld/pkg-wrapper. Thanks to + Mark Mitchell for the patch. + + Allow the TFP server or boot server in --pxe-service, to + be a domain name instead of an IP address. This allows for + round-robin to multiple servers, in the same way as + --dhcp-boot. A good suggestion from Cristiano Cumer. + + Support BUILDDIR variable in the Makefile. Allows builds + for multiple archs from the same source tree with eg. + make BUILDDIR=linux (relative to dnsmasq tree) + make BUILDDIR=/tmp/openbsd (absolute path) + If BUILDDIR is not set, compilation happens in the src + directory, as before. Suggestion from Mark Mitchell. + + Support DHCPv6. Support is there for the sort of things + the existing v4 server does, including tags, options, + static addresses and relay support. 
Missing is prefix + delegation, which is probably not required in the dnsmasq + niche, and an easy way to accept prefix delegations from + an upstream DHCPv6 server, which is. Future plans include + support for DHCPv6 router option and MAC address option + (to make selecting clients by MAC address work like IPv4). + These will be added as the standards mature. + This code has been tested, but this is the first release, + so don't bet the farm on it just yet. Many thanks to all + testers who have got it this far. + + Support IPv6 router advertisements. This is a + simple-minded implementation, aimed at providing the + vestigial RA needed to go alongside IPv6. Is picks up + configuration from the DHCPv6 conf, and should just need + enabling with --enable-ra. + + Fix long-standing wrinkle with --localise-queries that + could result in wrong answers when DNS packets arrive + via an interface other than the expected one. Thanks to + Lorenzo Milesi and John Hanks for spotting this one. + + Update French translation. Thanks to Gildas Le Nadan. + + Update Polish translation. Thanks to Jan Psota. + + +version 2.59 + Fix regression in 2.58 which caused failure to start up + with some combinations of dnsmasq config and IPv6 kernel + network config. Thanks to Brielle Bruns for the bug + report. + + Improve dnsmasq's behaviour when network interfaces are + still doing duplicate address detection (DAD). Previously, + dnsmasq would wait up to 20 seconds at start-up for the + DAD state to terminate. This is broken for bridge + interfaces on recent Linux kernels, which don't start DAD + until the bridge comes up, and so can take arbitrary + time. The new behaviour lets dnsmasq poll for an arbitrary + time whilst providing service on other interfaces. Thanks + to Stephen Hemminger for pointing out the problem. + + +version 2.58 + Provide a definition of the SA_SIZE macro where it's + missing. Fixes build failure on openBSD. 
+ + Don't include a zero terminator at the end of messages + sent to /dev/log when /dev/log is a datagram socket. + Thanks to Didier Rabound for spotting the problem. + + Add --dhcp-sequential-ip flag, to force allocation of IP + addresses in ascending order. Note that the default + pseudo-random mode is in general better but some + server-deployment applications need this. + + Fix problem where a server-id of 0.0.0.0 is sent to a + client when a dhcp-relay is in use if a client renews a + lease after dnsmasq restart and before any clients on the + subnet get a new lease. Thanks to Mike Ruiz for assistance + in chasing this one down. + + Don't return NXDOMAIN to an AAAA query if we have CNAME + which points to an A record only: NODATA is the correct + reply in this case. Thanks to Tom Fernandes for spotting + the problem. + + Relax the need to supply a netmask in --dhcp-range for + networks which use a DHCP relay. Whilst this is still + desireable, in the absence of a netmask dnsmasq will use + a default based on the class (A, B, or C) of the address. + This should at least remove a cause of mysterious failure + for people using RFC1918 addresses and relays. + + Add support for Linux conntrack connection marking. If + enabled with --conntrack, the connection mark for incoming + DNS queries will be copied to the outgoing connections + used to answer those queries. This allows clever firewall + and accounting stuff. Only available if dnsmasq is + compiled with HAVE_CONNTRACK and adds a dependency on + libnetfilter-conntrack. Thanks to Ed Wildgoose for the + initial idea, testing and sponsorship of this function. + + Provide a sane error message when someone attempts to + match a tag in --dhcp-host. + + Tweak the behaviour of --domain-needed, to avoid problems + with recursive nameservers downstream of dnsmasq. The new + behaviour only stops A and AAAA queries, and returns + NODATA rather than NXDOMAIN replies. 
+ + Efficiency fix for very large DHCP configurations, thanks + to James Gartrell and Mike Ruiz for help with this. + + Allow the TFTP-server address in --dhcp-boot to be a + domain-name which is looked up in /etc/hosts. This can + give multiple IP addresses which are used round-robin, + thus doing TFTP server load-balancing. Thanks to Sushil + Agrawal for the patch. + + When two tagged dhcp-options for a particular option + number are both valid, use the one which is valid without + a tag from the dhcp-range. Allows overriding of the value + of a DHCP option for a particular host as well as + per-network values. So + --dhcp-range=set:interface1,...... + --dhcp-host=set:myhost,..... + --dhcp-option=tag:interface1,option:nis-domain,"domain1" + --dhcp-option=tag:myhost,option:nis-domain,"domain2" + will set the NIS-domain to domain1 for hosts in the range, but + override that to domain2 for a particular host. + + Fix bug which resulted in truncated files and timeouts for + some TFTP transfers. The bug only occurs with netascii + transfers and needs an unfortunate relationship between + file size, blocksize and the number of newlines in the + last block before it manifests itself. Many thanks to + Alkis Georgopoulos for spotting the problem and providing + a comprehensive test-case. + + Fix regression in TFTP server on *BSD platforms introduced + in version 2.56, due to confusion with sockaddr + length. Many thanks to Loic Pefferkorn for finding this. + + Support scope-ids in IPv6 addresses of nameservers from + /etc/resolv.conf and in --server options. Eg + nameserver fe80::202:a412:4512:7bbf%eth0 or + server=fe80::202:a412:4512:7bbf%eth0. Thanks to + Michael Stapelberg for the suggestion. + + Update Polish translation, thanks to Jan Psota. + + Update French translation. Thanks to Gildas Le Nadan. + + version 2.57 Add patches to allow build under Android. diff --git a/CMakeLists.txt b/CMakeLists.txt index aca7e76..39869a9 100644 --- a/CMakeLists.txt 
+++ b/CMakeLists.txt @@ -1,25 +1,40 @@ CMAKE_MINIMUM_REQUIRED(VERSION 2.6) PROJECT(dnsmasq C) -SET(SRCS src/bpf.c +SET(SRCS src/auth.c + src/blockdata.c + src/bpf.c src/cache.c + src/conntrack.c src/dbus.c + src/dhcp6.c src/dhcp.c + src/dhcp-common.c src/dnsmasq.c + src/dnssec.c + src/domain.c src/forward.c src/helper.c + src/inotify.c + src/ipset.c src/lease.c src/log.c + src/loop.c src/netlink.c src/network.c src/option.c + src/outpacket.c + src/poll.c + src/radv.c src/rfc1035.c src/rfc2131.c + src/rfc3315.c + src/slaac.c + src/tables.c src/tftp.c src/util.c ) -SET(VENDOR "samsung") SET(PACKAGE ${PROJECT_NAME}) SET(PKGNAME ${PACKAGE}) SET(PREFIX ${CMAKE_INSTALL_PREFIX}) @@ -40,12 +55,10 @@ FOREACH(flag ${pkgs_CFLAGS}) ENDFOREACH(flag) SET(EXTRA_CFLAGS "${EXTRA_CFLAGS} -fvisibility=hidden") -SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_CFLAGS} -fPIE") +SET(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} ${EXTRA_CFLAGS}") SET(CMAKE_C_FLAGS_DEBUG "-O0 -g") SET(CMAKE_C_FLAGS_RELEASE "-O2") -SET(CMAKE_EXE_LINKER_FLAGS "-Wl,--as-needed -pie") -ADD_DEFINITIONS("-DVENDOR=\"${VENDOR}\"") ADD_DEFINITIONS("-DPACKAGE=\"${PACKAGE}\"") ADD_DEFINITIONS("-DPACKAGE_NAME=\"${PKGNAME}\"") ADD_DEFINITIONS("-DPREFIX=\"${PREFIX}\"") diff --git a/FAQ b/FAQ index a930516..ec71691 100644 --- a/FAQ +++ b/FAQ @@ -22,7 +22,7 @@ A: The high ports that dnsmasq opens are for replies from the upstream now uses a new, randomly selected, port for each query. The old default behaviour (use one port allocated by the OS) is available by setting --query-port=0, and setting the query port to a positive - value is still works. You should think hard and know what you are + value still works. You should think hard and know what you are doing before using either of these options. Q: Why doesn't dnsmasq support DNS queries over TCP? Don't the RFC's specify 
@@ -112,7 +112,7 @@ A: Resolver code sometime does strange things when given names without hostname will fix things. (ie "ping myhost" fails, but "ping myhost." works. The solution is to make sure that all your hosts have a domain set ("domain" in resolv.conf, or set a domain in - your DHCP server, see below fr Windows XP and Mac OS X). + your DHCP server, see below for Windows XP and Mac OS X). Any domain will do, but "localnet" is traditional. Now when you resolve "myhost" the resolver will attempt to look up "myhost.localnet" so you need to have dnsmasq reply to that name. 
@@ -236,53 +236,70 @@ Q: What network types are supported by the DHCP server? A: Ethernet (and 802.11 wireless) are supported on all platforms. On Linux all network types (including FireWire) are supported. -Q: What is this strange "bind-interface" option? - -A: The DNS spec says that the reply to a DNS query must come from the - same address it was sent to. The traditional way to write an UDP - server to do this is to find all of the addresses belonging to the - machine (ie all the interfaces on the machine) and then create a - socket for each interface which is bound to the address of the - interface. Then when a packet is sent to address A, it is received - on the socket bound to address A and when the reply is also sent - via that socket, the source address is set to A by the kernel and - everything works. This is the how dnsmasq works when - "bind-interfaces" is set, with the obvious extension that is misses - out creating sockets for some interfaces depending on the - --interface, --address and --except-interface flags. The - disadvantage of this approach is that it breaks if interfaces don't - exist or are not configured when the daemon starts and does the - socket creation step. In a hotplug-aware world this is a real - problem. - - The alternative approach is to have only one socket, which is bound - to the correct port and the wildcard IP address (0.0.0.0). That - socket will receive _all_ packets sent to port 53, no matter what - destination address they have. This solves the problem of - interfaces which are created or reconfigured after daemon - start-up. To make this work is more complicated because of the - "reply source address" problem. When a UDP packet is sent by a - socket bound to 0.0.0.0 its source address will be set to the - address of one of the machine's interfaces, but which one is not - determined and can vary depending on the OS being run. 
To get round - this it is neccessary to use a scary advanced API to determine the - address to which a query was sent, and force that to be the source - address in the reply. For IPv4 this stuff in non-portable and quite - often not even available (It's different between FreeBSD 5.x and - Linux, for instance, and FreeBSD 4.x, Linux 2.0.x and OpenBSD don't - have it at all.) Hence "bind-interfaces" has to always be available - as a fall back. For IPv6 the API is standard and universally - available. - - It could be argued that if the --interface or --address flags are - used then binding interfaces is more appropriate, but using - wildcard binding means that dnsmasq will quite happily start up - after being told to use interfaces which don't exist, but which are - created later. Wildcard binding breaks the scenario when dnsmasq is - listening on one interface and another server (most probably BIND) - is listening on another. It's not possible for BIND to bind to an - (address,port) pair when dnsmasq has bound (wildcard,port), hence - the ability to explicitly turn off wildcard binding. +Q: What are these strange "bind-interface" and "bind-dynamic" options? + +A: Dnsmasq from v2.63 can operate in one of three different "networking + modes". This is unfortunate as it requires users configuring dnsmasq + to take into account some rather bizzare contraints and select the + mode which best fits the requirements of a particular installation. + The origin of these are deficiencies in the Unix networking + model and APIs and each mode has different advantages and + problems. Just to add to the confusion, not all modes are available on + all platforms (due the to lack of supporting network APIs).To further + add to the confusion, the rules for the DHCP subsystem on dnsmasq are + different to the rules for the DNS and TFTP subsystems. + + The three modes are "wildcard", "bind-interfaces" and "bind-dynamic". 
+ + In "wildcard" mode, dnsmasq binds the wildcard IP address (0.0.0.0 or + ::). This allows it to recieve all the packets sent to the server on + the relevant port. Access control (--interface, --except-interface, + --listen-address, etc) is implemented by dnsmasq: it queries the + kernel to determine the interface on which a packet was recieved and + the address to which it was sent, and applies the configured + rules. Wildcard mode is the default if neither of the other modes are + specified. + + In "bind-interfaces" mode, dnsmasq runs through all the network + interfaces available when it starts, finds the set of IP addresses on + those interfaces, filters that set using the access control + configuration, and then binds the set of IP addresses. Only packets + sent to the allowed addresses are delivered by the kernel to dnsmasq. + + In "bind-dynamic" mode, access control filtering is done both by + binding individual IP addresses, as for bind-interfaces, and by + inspecting individual packets on arrival as for wildcard mode. In + addition, dnsmasq notices when new interfaces appear or new addresses + appear on existing interfaces, and the resulting IP addresses are + bound automatically without having to restart dnsmasq. + + The mode chosen has four different effects: co-existence with other + servers, semantics of --interface access control, effect of new + interfaces, and legality of --interface specifications for + non-existent inferfaces. We will deal with these in order. + + A dnsmasq instance running in wildcard mode precludes a machine from + running a second instance of dnsmasq or any other DNS, TFTP or DHCP + server. Attempts to do so will fail with an "address in use" error. + Dnsmasq running in --bind-interfaces or bind-dynamic mode allow other + instances of dnsmasq or other servers, as long as no two servers are + configured to listen on the same interface address. 
+ + The semantics of --interface varies subtly between wildcard or + bind-dynamic mode and bind-interfaces mode. The situation where this + matters is a request which arrives via one interface (A), but with a + destination address of a second interface (B) and when dnsmasq is + configured to listen only on B. In wildcard or bind-dynamic mode, such + a request will be ignored, in bind-interfaces mode, it will be + accepted. + + The creation of new network interfaces after dnsmasq starts is ignored + by dnsmasq when in --bind-interfaces mode. In wildcard or bind-dynamic + mode, such interfaces are handled normally. + + A --interface specification for a non-existent interface is a fatal + error at start-up when in --bind-interfaces mode, by just generates a + warning in wildcard or bind-dynamic mode. Q: Why doesn't Kerberos work/why can't I get sensible answers to queries for SRV records. @@ -303,7 +320,7 @@ A: Yes, new releases of dnsmasq are always announced through Q: What does the dhcp-authoritative option do? -A: See http://www.isc.org/index.pl?/sw/dhcp/authoritative.php - that's +A: See http://www.isc.org/files/auth.html - that's for the ISC daemon, but the same applies to dnsmasq. Q: Why does my Gentoo box pause for a minute before getting a new @@ -381,7 +398,7 @@ A: Probably the nameserver is an authoritative nameserver for a Q: Does the dnsmasq DHCP server probe addresses before allocating them, as recommended in RFC2131? -A: Yes, dynmaically allocated IP addresses are checked by sending an +A: Yes, dynamically allocated IP addresses are checked by sending an ICMP echo request (ping). If a reply is received, then dnsmasq assumes that the address is in use, and attempts to allocate an different address. The wait for a reply is between two and three 
@@ -467,8 +484,18 @@ A: The DHCP client on windows Vista (and possibly later versions) work). - - +Q: DHCP doesn't work with windows 7 but everything else is fine. + +A: There seems to be a problem if Windows 7 doesn't get a value for + DHCP option 252 in DHCP packets it gets from the server. The + symtoms have beeen variously reported as continual DHCPINFORM + requests in an attempt to get an option-252, or even ignoring DHCP + offers completely (and failing to get an IP address) if there is no + option-252 supplied. DHCP option 252 is for WPAD, WWW Proxy + Auto Detection and if you don't want or need to use that, then + simplest fix seems to be to supply an empty option with: + + dhcp-option=252,"\n" diff --git a/Makefile b/Makefile index 16c69e4..4c87ea9 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -# dnsmasq is Copyright (c) 2000-2011 Simon Kelley +# dnsmasq is Copyright (c) 2000-2015 Simon Kelley # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -13,87 +13,155 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -PREFIX = /usr/local -BINDIR = ${PREFIX}/sbin -MANDIR = ${PREFIX}/share/man -LOCALEDIR = ${PREFIX}/share/locale +# NOTE: Building the i18n targets requires GNU-make -PKG_CONFIG = pkg-config -INSTALL = install -MSGMERGE = msgmerge -MSGFMT = msgfmt -XGETTEXT = xgettext -CFLAGS = -Wall -W -O2 +# Variables you may well want to override. + +PREFIX = /usr/local +BINDIR = $(PREFIX)/sbin +MANDIR = $(PREFIX)/share/man +LOCALEDIR = $(PREFIX)/share/locale +BUILDDIR = $(SRC) +DESTDIR = +CFLAGS = -Wall -W -O2 +LDFLAGS = +COPTS = +RPM_OPT_FLAGS = +LIBS = ################################################################# +# Variables you might want to override. + +PKG_CONFIG = pkg-config +INSTALL = install +MSGMERGE = msgmerge +MSGFMT = msgfmt +XGETTEXT = xgettext + SRC = src -PO = po +PO = po MAN = man -DNSMASQ_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` -DNSMASQ_LIBS= `echo $(COPTS) | ../bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` -IDN_CFLAGS=`echo $(COPTS) | ../bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` -IDN_LIBS= `echo $(COPTS) | ../bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` -SUNOS_LIBS= `if uname | grep SunOS 2>&1 >/dev/null; then echo -lsocket -lnsl -lposix4; fi` +################################################################# -OBJS = cache.o rfc1035.o util.o option.o forward.o network.o \ +# pmake way. (NB no spaces to keep gmake 3.82 happy) +top!=pwd +# GNU make way. 
+top?=$(CURDIR) + +dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --cflags dbus-1` +dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1` +idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn` +idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn` +ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack` +ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack` +lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.1` +lua_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` +nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed` +nettle_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed` +gmp_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp` +sunos_libs = `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi` +version = -DVERSION='\"`$(top)/bld/get-version $(top)`\"' + +sum?=$(shell $(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ') +sum!=$(CC) -DDNSMASQ_COMPILE_OPTS $(COPTS) -E $(top)/$(SRC)/dnsmasq.h | ( md5sum 2>/dev/null || md5 ) | cut -f 1 -d ' ' +copts_conf = .copts_$(sum) + +objs = cache.o rfc1035.o util.o option.o forward.o network.o \ dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o \ - helper.o tftp.o log.o + helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \ + dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \ + domain.o dnssec.o blockdata.o tables.o loop.o inotify.o poll.o + +hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \ + dns-protocol.h radv-protocol.h ip6addr.h + +all : 
$(BUILDDIR) + @cd $(BUILDDIR) && $(MAKE) \ + top="$(top)" \ + build_cflags="$(version) $(dbus_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \ + build_libs="$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \ + -f $(top)/Makefile dnsmasq -all : - @cd $(SRC) && $(MAKE) \ - BUILD_CFLAGS="$(DNSMASQ_CFLAGS) $(IDN_CFLAGS)" \ - BUILD_LIBS="$(DNSMASQ_LIBS) $(IDN_LIBS) $(SUNOS_LIBS)" \ - -f ../Makefile dnsmasq +mostly_clean : + rm -f $(BUILDDIR)/*.mo $(BUILDDIR)/*.pot + rm -f $(BUILDDIR)/.copts_* $(BUILDDIR)/*.o $(BUILDDIR)/dnsmasq.a $(BUILDDIR)/dnsmasq -clean : - rm -f *~ $(SRC)/*.mo contrib/*/*~ */*~ $(SRC)/*.pot - rm -f $(SRC)/*.o $(SRC)/dnsmasq.a $(SRC)/dnsmasq core */core +clean : mostly_clean + rm -f $(BUILDDIR)/dnsmasq_baseline + rm -f core */core + rm -f *~ contrib/*/*~ */*~ install : all install-common install-common : $(INSTALL) -d $(DESTDIR)$(BINDIR) -d $(DESTDIR)$(MANDIR)/man8 $(INSTALL) -m 644 $(MAN)/dnsmasq.8 $(DESTDIR)$(MANDIR)/man8 - $(INSTALL) -m 755 $(SRC)/dnsmasq $(DESTDIR)$(BINDIR) - -all-i18n : - @cd $(SRC) && $(MAKE) \ - I18N=-DLOCALEDIR='\"$(LOCALEDIR)\"' \ - BUILD_CFLAGS="$(DNSMASQ_CFLAGS) `$(PKG_CONFIG) --cflags libidn`" \ - BUILD_LIBS="$(DNSMASQ_LIBS) $(SUNOS_LIBS) `$(PKG_CONFIG) --libs libidn`" \ - -f ../Makefile dnsmasq - @cd $(PO); for f in *.po; do \ - cd ../$(SRC) && $(MAKE) \ - -f ../Makefile $${f%.po}.mo; \ + $(INSTALL) -m 755 $(BUILDDIR)/dnsmasq $(DESTDIR)$(BINDIR) + +all-i18n : $(BUILDDIR) + @cd $(BUILDDIR) && $(MAKE) \ + top="$(top)" \ + i18n=-DLOCALEDIR=\'\"$(LOCALEDIR)\"\' \ + build_cflags="$(version) $(dbus_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags) `$(PKG_CONFIG) --cflags libidn`" \ + build_libs="$(dbus_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs) `$(PKG_CONFIG) --libs libidn`" \ + -f $(top)/Makefile dnsmasq + for f in `cd $(PO); echo *.po`; do \ + cd $(top) && cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile $${f%.po}.mo; \ done 
install-i18n : all-i18n install-common - cd $(SRC); ../bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL) + cd $(BUILDDIR); $(top)/bld/install-mo $(DESTDIR)$(LOCALEDIR) $(INSTALL) cd $(MAN); ../bld/install-man $(DESTDIR)$(MANDIR) $(INSTALL) -merge : - @cd $(SRC) && $(MAKE) -f ../Makefile dnsmasq.pot - @cd $(PO); for f in *.po; do \ - echo -n msgmerge $$f && $(MSGMERGE) --no-wrap -U $$f ../$(SRC)/dnsmasq.pot; \ +merge : + @cd $(BUILDDIR) && $(MAKE) top="$(top)" -f $(top)/Makefile dnsmasq.pot + for f in `cd $(PO); echo *.po`; do \ + echo -n msgmerge $(PO)/$$f && $(MSGMERGE) --no-wrap -U $(PO)/$$f $(BUILDDIR)/dnsmasq.pot; \ done +# Cannonicalise .po file. +%.po : + @cd $(BUILDDIR) && $(MAKE) -f $(top)/Makefile dnsmasq.pot + mv $(PO)/$*.po $(PO)/$*.po.orig && $(MSGMERGE) --no-wrap $(PO)/$*.po.orig $(BUILDDIR)/dnsmasq.pot >$(PO)/$*.po; -# rules below are targets in recusive makes with cwd=$(SRC) +$(BUILDDIR): + mkdir -p $(BUILDDIR) -.c.o: - $(CC) $(CFLAGS) $(COPTS) $(I18N) $(BUILD_CFLAGS) $(RPM_OPT_FLAGS) -c $< +# rules below are helpers for size tracking + +baseline : mostly_clean all + @cd $(BUILDDIR) && \ + mv dnsmasq dnsmasq_baseline + +bloatcheck : $(BUILDDIR)/dnsmasq_baseline mostly_clean all + @cd $(BUILDDIR) && \ + $(top)/bld/bloat-o-meter dnsmasq_baseline dnsmasq; \ + size dnsmasq_baseline dnsmasq + +# rules below are targets in recusive makes with cwd=$(BUILDDIR) -dnsmasq : $(OBJS) - $(CC) $(LDFLAGS) -o $@ $(OBJS) $(BUILD_LIBS) $(LIBS) +$(copts_conf): $(hdrs) + @rm -f *.o .copts_* + @touch $@ + +$(objs:.o=.c) $(hdrs): + ln -s $(top)/$(SRC)/$@ . 
+ +$(objs): $(copts_conf) $(hdrs) + +.c.o: + $(CC) $(CFLAGS) $(COPTS) $(i18n) $(build_cflags) $(RPM_OPT_FLAGS) -c $< -dnsmasq.pot : $(OBJS:.o=.c) dnsmasq.h config.h - $(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(OBJS:.o=.c) +dnsmasq : $(objs) + $(CC) $(LDFLAGS) -o $@ $(objs) $(build_libs) $(LIBS) -%.mo : ../po/%.po dnsmasq.pot - $(MSGMERGE) -o - ../po/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo - +dnsmasq.pot : $(objs:.o=.c) $(hdrs) + $(XGETTEXT) -d dnsmasq --foreign-user --omit-header --keyword=_ -o $@ -i $(objs:.o=.c) +%.mo : $(top)/$(PO)/%.po dnsmasq.pot + $(MSGMERGE) -o - $(top)/$(PO)/$*.po dnsmasq.pot | $(MSGFMT) -o $*.mo - -.PHONY : all clean install install-common all-i18n install-i18n merge +.PHONY : all clean mostly_clean install install-common all-i18n install-i18n merge baseline bloatcheck diff --git a/VERSION b/VERSION new file mode 100644 index 0000000..4b5d0ac --- /dev/null +++ b/VERSION @@ -0,0 +1 @@ + (HEAD, tag: v2.74, origin/master, origin/HEAD, master) diff --git a/bld/Android.mk b/bld/Android.mk index 373a783..5364ee7 100644 --- a/bld/Android.mk +++ b/bld/Android.mk @@ -6,7 +6,11 @@ include $(CLEAR_VARS) LOCAL_SRC_FILES := bpf.c cache.c dbus.c dhcp.c dnsmasq.c \ forward.c helper.c lease.c log.c \ netlink.c network.c option.c rfc1035.c \ - rfc2131.c tftp.c util.c + rfc2131.c tftp.c util.c conntrack.c \ + dhcp6.c rfc3315.c dhcp-common.c outpacket.c \ + radv.c slaac.c auth.c ipset.c domain.c \ + dnssec.c dnssec-openssl.c blockdata.c tables.c \ + loop.c inotify.c poll.c LOCAL_MODULE := dnsmasq @@ -15,4 +19,6 @@ LOCAL_C_INCLUDES := external/dnsmasq/src LOCAL_CFLAGS := -O2 -g -W -Wall -D__ANDROID__ -DNO_IPV6 -DNO_TFTP -DNO_SCRIPT LOCAL_SYSTEM_SHARED_LIBRARIES := libc libcutils +LOCAL_LDLIBS := -L$(SYSROOT)/usr/lib -llog + include $(BUILD_EXECUTABLE) diff --git a/bld/bloat-o-meter b/bld/bloat-o-meter new file mode 100755 index 0000000..6db2a5e --- /dev/null +++ b/bld/bloat-o-meter 
@@ -0,0 +1,130 @@ +#!/usr/bin/env python +# +# Copyright 2004 Matt Mackall +# +# Inspired by perl Bloat-O-Meter (c) 1997 by Andi Kleen +# +# This software may be used and distributed according to the terms +# of the GNU General Public License, incorporated herein by reference. + +import sys, os#, re + +def usage(): + sys.stderr.write("usage: %s [-t] file1 file2\n" % sys.argv[0]) + sys.exit(-1) + +f1, f2 = (None, None) +flag_timing, dashes = (False, False) + +for f in sys.argv[1:]: + if f.startswith("-"): + if f == "--": # sym_args + dashes = True + break + if f == "-t": # timings + flag_timing = True + else: + if not os.path.exists(f): + sys.stderr.write("Error: file '%s' does not exist\n" % f) + usage() + if f1 is None: + f1 = f + elif f2 is None: + f2 = f +if flag_timing: + import time +if f1 is None or f2 is None: + usage() + +sym_args = " ".join(sys.argv[3 + flag_timing + dashes:]) +def getsizes(file): + sym, alias, lut = {}, {}, {} + for l in os.popen("readelf -W -s %s %s" % (sym_args, file)).readlines(): + l = l.strip() + if not (len(l) and l[0].isdigit() and len(l.split()) == 8): + continue + num, value, size, typ, bind, vis, ndx, name = l.split() + if ndx == "UND": continue # skip undefined + if typ in ["SECTION", "FILES"]: continue # skip sections and files + if "." in name: name = "static." + name.split(".")[0] + value = int(value, 16) + size = int(size, 16) if size.startswith('0x') else int(size) + if vis != "DEFAULT" and bind != "GLOBAL": # see if it is an alias + alias[(value, size)] = {"name" : name} + else: + sym[name] = {"addr" : value, "size": size} + lut[(value, size)] = 0 + for addr, sz in iter(alias.keys()): + # If the non-GLOBAL sym has an implementation elsewhere then + # it's an alias, disregard it. + if not (addr, sz) in lut: + # If this non-GLOBAL sym does not have an implementation at + # another address, then treat it as a normal symbol. 
+ sym[alias[(addr, sz)]["name"]] = {"addr" : addr, "size": sz} + for l in os.popen("readelf -W -S " + file).readlines(): + x = l.split() + if len(x)<6: continue + # Should take these into account too! + #if x[1] not in [".text", ".rodata", ".symtab", ".strtab"]: continue + if x[1] not in [".rodata"]: continue + sym[x[1]] = {"addr" : int(x[3], 16), "size" : int(x[5], 16)} + return sym + +if flag_timing: + start_t1 = int(time.time() * 1e9) +old = getsizes(f1) +if flag_timing: + end_t1 = int(time.time() * 1e9) + start_t2 = int(time.time() * 1e9) +new = getsizes(f2) +if flag_timing: + end_t2 = int(time.time() * 1e9) + start_t3 = int(time.time() * 1e9) +grow, shrink, add, remove, up, down = 0, 0, 0, 0, 0, 0 +delta, common = [], {} + +for name in iter(old.keys()): + if name in new: + common[name] = 1 + +for name in old: + if name not in common: + remove += 1 + sz = old[name]["size"] + down += sz + delta.append((-sz, name)) + +for name in new: + if name not in common: + add += 1 + sz = new[name]["size"] + up += sz + delta.append((sz, name)) + +for name in common: + d = new[name].get("size", 0) - old[name].get("size", 0) + if d>0: grow, up = grow+1, up+d + elif d<0: shrink, down = shrink+1, down-d + else: + continue + delta.append((d, name)) + +delta.sort() +delta.reverse() +if flag_timing: + end_t3 = int(time.time() * 1e9) + +print("%-48s %7s %7s %+7s" % ("function", "old", "new", "delta")) +for d, n in delta: + if d: + old_sz = old.get(n, {}).get("size", "-") + new_sz = new.get(n, {}).get("size", "-") + print("%-48s %7s %7s %+7d" % (n, old_sz, new_sz, d)) +print("-"*78) +total="(add/remove: %s/%s grow/shrink: %s/%s up/down: %s/%s)%%sTotal: %s bytes"\ + % (add, remove, grow, shrink, up, -down, up-down) +print(total % (" "*(80-len(total)))) +if flag_timing: + print("\n%d/%d; %d Parse origin/new; processing nsecs" % + (end_t1-start_t1, end_t2-start_t2, end_t3-start_t3)) + print("total nsecs: %d" % (end_t3-start_t1)) 
diff --git a/bld/get-version b/bld/get-version new file mode 100755 index 0000000..5372869 --- /dev/null +++ b/bld/get-version @@ -0,0 +1,31 @@ +#!/bin/sh + +# Determine the version string to build into a binary. +# When building in the git repository, we can use the output +# of "git describe" which gives an unequivocal answer. +# +# Failing that, we use the contents of the VERSION file +# which has a set of references substituted into it by git. +# If we can find one which matches $v[0-9].* then we assume it's +# a version-number tag, else we just use the whole string. +# If there is more than one v[0-9].* tag, sort them and use the +# first. This favours, eg v2.63 over 2.63rc6. + +if which git >/dev/null 2>&1 && \ + ([ -d $1/.git ] || grep '^gitdir:' $1/.git >/dev/null 2>&1); then + cd $1; git describe | sed 's/^v//' +elif grep '\$Format:%d\$' $1/VERSION >/dev/null 2>&1; then +# unsubstituted VERSION, but no git available. + echo UNKNOWN +else + vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]` + + if [ $? -eq 0 ]; then + echo "${vers}" | sort -r | head -n 1 | sed 's/^v//' + else + cat $1/VERSION + fi +fi + +exit 0 + diff --git a/bld/install-man b/bld/install-man index f4cf3dc..420c9b1 100755 --- a/bld/install-man +++ b/bld/install-man @@ -4,6 +4,6 @@ for f in *; do if [ -d $f ]; then $2 -m 755 -d $1/$f/man8 $2 -m 644 $f/dnsmasq.8 $1/$f/man8 - echo installing $1/$f/man8/dnsmasq.8 + echo installing $f/man8/dnsmasq.8 fi done diff --git a/bld/install-mo b/bld/install-mo index d11fa9f..ab54301 100755 --- a/bld/install-mo +++ b/bld/install-mo @@ -3,7 +3,7 @@ for f in *.mo; do $2 -m 755 -d $1/${f%.mo}/LC_MESSAGES $2 -m 644 $f $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo - echo installing $1/${f%.mo}/LC_MESSAGES/dnsmasq.mo + echo installing ${f%.mo}/LC_MESSAGES/dnsmasq.mo done diff --git a/bld/pkg-wrapper b/bld/pkg-wrapper index 4f3b76b..0ddb678 100755 --- a/bld/pkg-wrapper +++ b/bld/pkg-wrapper 
@@ -2,10 +2,39 @@ search=$1 shift +pkg=$1 +shift +op=$1 +shift -if grep "^\#.*define.*$search" config.h 2>&1 >/dev/null || \ - grep $search 2>&1 >/dev/null ; then - exec $* -fi +in=`cat` +if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \ + echo $in | grep $search >/dev/null 2>&1; then +# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP + if [ $op = "--copy" ]; then + if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \ + echo $in | grep $pkg >/dev/null 2>&1; then + pkg="" + else + pkg="$*" + fi + elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ + echo $in | grep ${search}_STATIC >/dev/null 2>&1; then + pkg=`$pkg --static $op $*` + else + pkg=`$pkg $op $*` + fi + + if grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \ + echo $in | grep ${search}_STATIC >/dev/null 2>&1; then + if [ $op = "--libs" ] || [ $op = "--copy" ]; then + echo "-Wl,-Bstatic $pkg -Wl,-Bdynamic" + else + echo "$pkg" + fi + else + echo "$pkg" + fi +fi diff --git a/contrib/conntrack/README b/contrib/conntrack/README new file mode 100644 index 0000000..c0d17aa --- /dev/null +++ b/contrib/conntrack/README 
@@ -0,0 +1,54 @@ +Linux iptables includes that ability to mark individual network packets +with a "firewall mark". Additionally there is a component called +"conntrack" which tries to string sequences of related packets together +into a "connection" (it even relates sequences of UDP and ICMP packets). + There is a related mark for a connection called a "connection mark". +Marks can be copied freely between the firewall and connection marks + +Using these two features it become possible to tag all related traffic +in arbitrary ways, eg authenticated users, traffic from a particular IP, +port, etc. Unfortunately any kind of "proxy" breaks this relationship +because network packets go in one side of the proxy and a completely new +connection comes out of the other side. However, sometimes, we want to +maintain that relationship through the proxy and continue the connection +mark on packets upstream of our proxy + +DNSMasq includes such a feature enabled by the --conntrack +option. This allows, for example, using iptables to mark traffic from +a particular IP, and that mark to be persisted to requests made *by* +DNSMasq. Such a feature could be useful for bandwidth accounting, +captive portals and the like. Note a similar feature has been +implemented in Squid 2.2 + + +As an example consider the following iptables rules: + + +1) iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark +2) iptables -t mangle -A PREROUTING -m mark --mark 0 -s 192.168.111.137 +-j MARK --set-mark 137 +3) iptables -t mangle -A PREROUTING -j CONNMARK --save-mark + +4) iptables -t mangle -A OUTPUT -m mark ! --mark 0 -j CONNMARK --save-mark + +1-3) are all applied to the PREROUTING table and affect all packets +entering the firewall. + +1) copies any existing connection mark into the firewall mark. 2) Checks +the packet not already marked and if not applies an arbitrary mark based +on IP address. 
3) Saves the firewall mark back to the connection mark +(which will persist it across related packets) + +4) is applied to the OUTPUT table, which is where we first see packets +generated locally. DNSMasq will have already copied the firewall mark +from the request, across to the new packet, and so all that remains is +for iptables to copy it to the connection mark so it's persisted across +packets. + +Note: iptables can be quite confusing to the beginner. The following +diagram is extremely helpful in understanding the flows + http://linux-ip.net/nf/nfk-traversal.png +Additionally the following URL contains a useful "starting guide" on +linux connection tracking/marking + http://home.regit.org/netfilter-en/netfilter-connmark/ + diff --git a/contrib/dbus-test/dbus-test.py b/contrib/dbus-test/dbus-test.py new file mode 100755 index 0000000..25d8881 --- /dev/null +++ b/contrib/dbus-test/dbus-test.py 
@@ -0,0 +1,43 @@ +#!/usr/bin/python +import dbus + +bus = dbus.SystemBus() +p = bus.get_object("uk.org.thekelleys.dnsmasq", "/uk/org/thekelleys/dnsmasq") +l = dbus.Interface(p, dbus_interface="uk.org.thekelleys.dnsmasq") + +# The new more flexible SetServersEx method +array = dbus.Array() +array.append(["1.2.3.5"]) +array.append(["1.2.3.4#664", "foobar.com"]) +array.append(["1003:1234:abcd::1%eth0", "eng.mycorp.com", "lab.mycorp.com"]) +print l.SetServersEx(array) + +# Must create a new object for dnsmasq as the introspection gives the wrong +# signature for SetServers (av) while the code only expects a bunch of arguments +# instead of an array of variants +p = bus.get_object("uk.org.thekelleys.dnsmasq", "/uk/org/thekelleys/dnsmasq", introspect=False) +l = dbus.Interface(p, dbus_interface="uk.org.thekelleys.dnsmasq") + +# The previous method; all addresses in machine byte order +print l.SetServers(dbus.UInt32(16909060), # 1.2.3.5 + dbus.UInt32(16909061), # 1.2.3.4 + "foobar.com", + dbus.Byte(0x10), # 1003:1234:abcd::1 + dbus.Byte(0x03), + dbus.Byte(0x12), + dbus.Byte(0x34), + dbus.Byte(0xab), + dbus.Byte(0xcd), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x00), + dbus.Byte(0x01), + "eng.mycorp.com", + "lab.mycorp.com") + diff --git a/contrib/mactable/macscript b/contrib/mactable/macscript new file mode 100755 index 0000000..44a4477 --- /dev/null +++ b/contrib/mactable/macscript 
@@ -0,0 +1,36 @@ +#!/bin/bash + +STATUS_FILE="/tmp/dnsmasq-ip-mac.status" + +# Script for dnsmasq lease-change hook. +# Maintains the above file with a IP address/MAC address pairs, +# one lease per line. Works with IPv4 and IPv6 leases, file is +# atomically updated, so no races for users of the data. + +action="$1" +mac="$2" # IPv4 +ip="$3" + +# ensure it always exists. + +if [ ! -f "$STATUS_FILE" ]; then + touch "$STATUS_FILE" +fi + +if [ -n "$DNSMASQ_IAID" ]; then + mac="$DNSMASQ_MAC" # IPv6 +fi + +# worry about an add or old action when the MAC address is not known: +# leave any old one in place in that case. + +if [ "$action" = "add" -o "$action" = "old" -o "$action" = "del" ]; then + if [ -n "$mac" -o "$action" = "del" ]; then + sed "/^${ip//./\.} / d" "$STATUS_FILE" > "$STATUS_FILE".new + + if [ "$action" = "add" -o "$action" = "old" ]; then + echo "$ip $mac" >> "$STATUS_FILE".new + fi + mv "$STATUS_FILE".new "$STATUS_FILE" # atomic update. + fi +fi diff --git a/contrib/port-forward/dnsmasq-portforward b/contrib/port-forward/dnsmasq-portforward index f9bb857..c2c634f 100755 --- a/contrib/port-forward/dnsmasq-portforward +++ b/contrib/port-forward/dnsmasq-portforward @@ -34,11 +34,21 @@ if [ ${DNSMASQ_OLD_HOSTNAME} ] && [ ${action} = old ] ; then hostname=${DNSMASQ_OLD_HOSTNAME} fi +# IPv6 leases are not our concern. no NAT there! +if [ ${DNSMASQ_IAID} ] ; then + exit 0 +fi + # action init is not relevant, and will only be seen when leasefile-ro is set. if [ ${action} = init ] ; then exit 0 fi +# action tftp is not relevant. +if [ ${action} = tftp ] ; then + exit 0 +fi + if [ ${hostname} ]; then ports=$(sed -n -e "/^${hostname}\ .*/ s/^.* //p" ${PORTSFILE}) diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README new file mode 100644 index 0000000..2ec4df1 --- /dev/null +++ b/contrib/reverse-dns/README 
@@ -0,0 +1,18 @@ +The script reads stdin and replaces all IP addresses with names before +outputting it again. IPs from private networks are reverse looked up +via dns. Other IP adresses are searched for in the dnsmasq query log. +This gives names (CNAMEs if I understand DNS correctly) that are closer +to the name the client originally asked for then the names obtained by +reverse lookup. Just run + +netstat -n -4 | ./reverse_replace.sh + +to see what it does. It needs + +log-queries +log-facility=/var/log/dnsmasq.log + +in the dnsmasq configuration. + +The script runs on debian (with ash installed) and on busybox. + diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh new file mode 100644 index 0000000..5b4aebd --- /dev/null +++ b/contrib/reverse-dns/reverse_replace.sh 
@@ -0,0 +1,125 @@ +#!/bin/ash +# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $ +# +# Usage e.g.: netstat -n -4 | reverse_replace.sh +# Parses stdin for IP4 addresses and replaces them +# with names retrieved by parsing the dnsmasq log. +# This currently only gives CNAMEs. But these +# usually tell ou more than the mones from reverse +# lookups. +# +# This has been tested on debian and asuswrt. Plese +# report successful tests on other platforms. +# +# Author: Joachim Zobel +# License: Consider this MIT style licensed. You can +# do as you ike, but you must not remove my name. +# + +LOG=/var/log/dnsmasq.log +MAX_LINES=15000 + +# sed regex do match IPs +IP_regex='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' +# private IP ranges +IP_private='\(^127\.\)\|\(^192\.168\.\)\|\(^10\.\)\|\(^172\.1[6-9]\.\)\|\(^172\.2[0-9]\.\)\|\(^172\.3[0-1]\.\)' + +####################################################################### +# Find Commands + +HOST=nslookup +if type host > /dev/null 2>&1; then + # echo "No need for nslookup, host is there" + HOST=host +fi + +####################################################################### +# Functions + +# Use shell variables for an (IP) lookup table +create_lookup_table() +{ + # Parse log into lookup table + local CMDS="$( tail -"$MAX_LINES" "$LOG" | \ + grep " is $IP_regex" | \ + sed "s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#" )" + + local IFS=' +' + for CMD in $CMDS + do + eval $CMD + done +} + +set_val() +{ + local _IP=$(echo $1 | tr . _) + local KEY="__IP__$_IP" + eval "$KEY"=$2 +} + +get_val() +{ + local _IP=$(echo $1 | tr . _) + local KEY="__IP__$_IP" + eval echo -n '${'"$KEY"'}' +} + +dns_lookup() +{ + local IP=$1 + + local RTN="$($HOST $IP | \ + sed 's#\s\+#\n#g' | \ + grep -v '^$' | \ + tail -1 | tr -d '\n' | \ + sed 's#\.$##')" + if echo $RTN | grep -q NXDOMAIN; then + echo -n $IP + else + echo -n "$RTN" + fi +} + +reverse_dns() +{ + local IP=$1 + + # Skip if it is not an IP + if ! 
echo $IP | grep -q "^$IP_regex$"; then + echo -n $IP + return + fi + + # Do a dns lookup, if it is a local IP + if echo $IP | grep -q $IP_private; then + dns_lookup $IP + return + fi + + local NAME="$(get_val $IP)" + + if [ -z "$NAME" ]; then + echo -n $IP + else + echo -n $NAME + fi +} + +####################################################################### +# Main +create_lookup_table + +while read LINE; do + for IP in $(echo "$LINE" | \ + sed "s#\b\($IP_regex\)\b#\n\1\n#g" | \ + grep $IP_regex) + do + NAME=`reverse_dns $IP ` + # echo "$NAME $IP" + LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` + done + echo $LINE +done + diff --git a/contrib/systemd/README b/contrib/systemd/README new file mode 100644 index 0000000..c8046c2 --- /dev/null +++ b/contrib/systemd/README @@ -0,0 +1,16 @@ +Hello, + +I created a systemd service file for dnsmasq. +systemd is a sysvinit replacement (see [1] for more information). +One of the goals of systemd is to encourage standardization between different +distributions. This means, while I also submitted a ticket in Debian GNU/Linux, +I would like to ask you to accept this service file as the upstream +distributor, so that other distributions can use the same service file and +don’t have to ship their own. + +Please include this file in your next release (just like in init script). + + +[1] http://en.wikipedia.org/wiki/Systemd + + diff --git a/contrib/systemd/dbus_activation b/contrib/systemd/dbus_activation new file mode 100644 index 0000000..38f0822 --- /dev/null +++ b/contrib/systemd/dbus_activation 
@@ -0,0 +1,57 @@ +To: dnsmasq-discuss@lists.thekelleys.org.uk +From: Alex Elsayed +Date: Tue, 15 May 2012 01:53:54 -0700 +Subject: [Dnsmasq-discuss] [PATCH] Support dbus activation + +Introduce dbus service file and turn dbus on in the systemd +unit. + +Note to packagers: +To add support for dbus activation, you must install the dbus +service file (dbus/uk.org.thekelleys.dnsmasq.service) into +$DATADIR/dbus-1/system-services. + +--- + contrib/systemd/dnsmasq.service | 2 +- + dbus/uk.org.thekelleys.dnsmasq.service | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + create mode 100644 dbus/uk.org.thekelleys.dnsmasq.service + +diff --git a/contrib/systemd/dnsmasq.service +b/contrib/systemd/dnsmasq.service +index a27fe6d..4a784d3 100644 +--- a/contrib/systemd/dnsmasq.service ++++ b/contrib/systemd/dnsmasq.service +@@ -5,7 +5,7 @@ Description=A lightweight DHCP and caching DNS server + Type=dbus + BusName=uk.org.thekelleys.dnsmasq + ExecStartPre=/usr/sbin/dnsmasq --test +-ExecStart=/usr/sbin/dnsmasq -k ++ExecStart=/usr/sbin/dnsmasq -k -1 + ExecReload=/bin/kill -HUP $MAINPID + + [Install] +diff --git a/dbus/uk.org.thekelleys.dnsmasq.service +b/dbus/uk.org.thekelleys.dnsmasq.service +new file mode 100644 +index 0000000..f5fe98d +--- /dev/null ++++ b/dbus/uk.org.thekelleys.dnsmasq.service +@@ -0,0 +1,7 @@ ++[D-BUS Service] ++Name=uk.org.thekelleys.dnsmasq ++Exec=/usr/sbin/dnsmasq -k -1 ++User=root ++SystemdService=dnsmasq.service ++ ++ +-- +1.7.10.2 + + + +_______________________________________________ +Dnsmasq-discuss mailing list +Dnsmasq-discuss@lists.thekelleys.org.uk +http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss + diff --git a/contrib/systemd/dnsmasq.service b/contrib/systemd/dnsmasq.service new file mode 100644 index 0000000..c70b144 --- /dev/null +++ b/contrib/systemd/dnsmasq.service 
@@ -0,0 +1,12 @@ +[Unit] +Description=dnsmasq - A lightweight DHCP and caching DNS server + +[Service] +Type=dbus +BusName=uk.org.thekelleys.dnsmasq +ExecStartPre=/usr/sbin/dnsmasq --test +ExecStart=/usr/sbin/dnsmasq -k +ExecReload=/bin/kill -HUP $MAINPID + +[Install] +WantedBy=multi-user.target diff --git a/contrib/try-all-ns/dnsmasq-2.68-try-all-ns b/contrib/try-all-ns/dnsmasq-2.68-try-all-ns new file mode 100644 index 0000000..66a41f6 --- /dev/null +++ b/contrib/try-all-ns/dnsmasq-2.68-try-all-ns @@ -0,0 +1,29 @@ +From: Jesse Glick +To: dnsmasq-discuss@lists.thekelleys.org.uk +Subject: Re: [Dnsmasq-discuss] Ability to delegate to one server but fall + back to another after NXDOMAIN? + + +On Wed, Jan 15, 2014 at 12:30 PM, Simon Kelley wrote: +> > There's a (very old) patch in contrib/try-all-ns that would make a starting point +This does not apply against trunk, so I tried to rework it. The +following appears to do what I expect: + +diff --git a/src/forward.c b/src/forward.c +index 8167229..76070b5 100644 +--- a/src/forward.c ++++ b/src/forward.c +@@ -610,7 +610,11 @@ void reply_query(int fd, int family, time_t now) + + if ((RCODE(header) == SERVFAIL || RCODE(header) == REFUSED) && + !option_bool(OPT_ORDER) && +- forward->forwardall == 0) ++ forward->forwardall == 0 || ++ /* try each in turn */ ++ RCODE(header) == NXDOMAIN && ++ option_bool(OPT_ORDER) && ++ server->next != NULL) + /* for broken servers, attempt to send to another one. */ + { + unsigned char *pheader; + diff --git a/contrib/wrt/dhcp_lease_time.1 b/contrib/wrt/dhcp_lease_time.1 new file mode 100644 index 0000000..2fa78d3 --- /dev/null +++ b/contrib/wrt/dhcp_lease_time.1 @@ -0,0 +1,25 @@ +.TH DHCP_LEASE_TIME 1 +.SH NAME +dhcp_lease_time \- Query remaining time of a lease on a the local dnsmasq DHCP server. +.SH SYNOPSIS +.B dhcp_lease_time
+.SH "DESCRIPTION" +Send a DHCPINFORM message to a dnsmasq server running on the local host +and print (to stdout) the time remaining in any lease for the given +address. The time is given as string printed to stdout. + +If an error occurs or no lease exists for the given address, +nothing is sent to stdout a message is sent to stderr and a +non-zero error code is returned. + +Requires dnsmasq 2.67 or later and may not work with other DHCP servers. + +The address argument is a dotted-quad IP addresses and mandatory. +.SH LIMITATIONS +Only works with IPv4 addresses and DHCP leases. +.SH SEE ALSO +.BR dnsmasq (8) +.SH AUTHOR +This manual page was written by Simon Kelley . + + diff --git a/contrib/wrt/dhcp_lease_time.c b/contrib/wrt/dhcp_lease_time.c index 2866bb5..b438ef7 100644 --- a/contrib/wrt/dhcp_lease_time.c +++ b/contrib/wrt/dhcp_lease_time.c @@ -20,7 +20,7 @@ nothing is sent to stdout a message is sent to stderr and a non-zero error code is returned. - Requires dnsmasq 2.40 or later. + This version requires dnsmasq 2.67 or later. */ #include @@ -46,6 +46,7 @@ #define OPTION_LEASE_TIME 51 #define OPTION_OVERLOAD 52 #define OPTION_MESSAGE_TYPE 53 +#define OPTION_REQUESTED_OPTIONS 55 #define OPTION_END 255 #define DHCPINFORM 8 #define DHCP_SERVER_PORT 67 @@ -167,6 +168,12 @@ int main(int argc, char **argv) *(p++) = 1; *(p++) = DHCPINFORM; + /* Explicity request the lease time, it won't be sent otherwise: + this is a dnsmasq extension, not standard. */ + *(p++) = OPTION_REQUESTED_OPTIONS; + *(p++) = 1; + *(p++) = OPTION_LEASE_TIME; + *(p++) = OPTION_END; dest.sin_family = AF_INET; diff --git a/contrib/wrt/dhcp_release.1 b/contrib/wrt/dhcp_release.1 new file mode 100644 index 0000000..e71aba0 --- /dev/null +++ b/contrib/wrt/dhcp_release.1 @@ -0,0 +1,37 @@ +.TH DHCP_RELEASE 1 +.SH NAME +dhcp_release \- Release a DHCP lease on a the local dnsmasq DHCP server. +.SH SYNOPSIS +.B dhcp_release
+.SH "DESCRIPTION" +A utility which forces the DHCP server running on this machine to release a +DHCP lease. +.PP +Send a DHCPRELEASE message via the specified interface to tell the +local DHCP server to delete a particular lease. + +The interface argument is the interface in which a DHCP +request _would_ be received if it was coming from the client, +rather than being faked up here. + +The address argument is a dotted-quad IP addresses and mandatory. + +The MAC address is colon separated hex, and is mandatory. It may be +prefixed by an address-type byte followed by -, eg + +10-11:22:33:44:55:66 + +but if the address-type byte is missing it is assumed to be 1, the type +for ethernet. This encoding is the one used in dnsmasq lease files. + +The client-id is optional. If it is "*" then it treated as being missing. +.SH NOTES +MUST be run as root - will fail otherwise. +.SH LIMITATIONS +Only usable on IPv4 DHCP leases. +.SH SEE ALSO +.BR dnsmasq (8) +.SH AUTHOR +This manual page was written by Simon Kelley . + + diff --git a/contrib/wrt/dhcp_release.c b/contrib/wrt/dhcp_release.c index c66d3a0..a51f04b 100644 --- a/contrib/wrt/dhcp_release.c +++ b/contrib/wrt/dhcp_release.c @@ -178,7 +178,7 @@ static int is_same_net(struct in_addr a, struct in_addr b, struct in_addr mask) return (a.s_addr & mask.s_addr) == (b.s_addr & mask.s_addr); } -static struct in_addr find_interface(struct in_addr client, int fd, int index) +static struct in_addr find_interface(struct in_addr client, int fd, unsigned int index) { struct sockaddr_nl addr; struct nlmsghdr *h; @@ -255,10 +255,6 @@ int main(int argc, char **argv) struct ifreq ifr; int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP); int nl = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); - struct iovec iov; - - iov.iov_len = 200; - iov.iov_base = malloc(iov.iov_len); if (argc < 4 || argc > 5) { 
@@ -281,6 +277,11 @@ int main(int argc, char **argv) exit(1); } + if (inet_addr(argv[2]) == INADDR_NONE) + { + perror("invalid ip address"); + exit(1); + } lease.s_addr = inet_addr(argv[2]); server = find_interface(lease, nl, if_nametoindex(argv[1])); diff --git a/dbus/DBus-interface b/dbus/DBus-interface index 8d578ca..2db5c30 100644 --- a/dbus/DBus-interface +++ b/dbus/DBus-interface @@ -19,7 +19,8 @@ and avoids startup races with the provider of nameserver information. Dnsmasq provides one service on the DBus: uk.org.thekelleys.dnsmasq -and a single object: /uk/org/thekelleys/dnsmasq +and a single object: /uk/org/thekelleys/dnsmasq +The name of the service may be changed by giving an argument to --enable-dbus. 1. METHODS ---------- @@ -39,6 +40,14 @@ ClearCache Returns nothing. Clears the domain name cache and re-reads /etc/hosts. The same as sending dnsmasq a HUP signal. +SetFilterWin2KOption +-------------------- +Takes boolean, sets or resets the --filterwin2k option. + +SetBogusPrivOption +------------------ +Takes boolean, sets or resets the --bogus-priv option. + SetServers ---------- Returns nothing. Takes a set of arguments representing the new 
@@ -94,6 +103,148 @@ Each call to SetServers completely replaces the set of servers specified by via the DBus, but it leaves any servers specified via the command line or /etc/dnsmasq.conf or /etc/resolv.conf alone. +SetServersEx +------------ + +This function is more flexible and the SetServers function, in that it can +handle address scoping, port numbers, and is easier for clients to use. + +Returns nothing. Takes a set of arguments representing the new +upstream DNS servers to be used by dnsmasq. All addresses (both IPv4 and IPv6) +are represented as STRINGS. Each server address may be followed by one or more +STRINGS, which are the domains for which the preceding server should be used. + +This function takes an array of STRING arrays, where each inner array represents +a set of DNS servers and domains for which those servers may be used. Each +string represents a list of upstream DNS servers first, and domains second. +Mixing of domains and servers within a the string array is not allowed. + +Examples. + +[ + ["1.2.3.4", "foobar.com"], + ["1003:1234:abcd::1%eth0", "eng.mycorp.com", "lab.mycorp.com"] +] + +is equivalent to + +--server=/foobar.com/1.2.3.4 \ + --server=/eng.mycorp.com/lab.mycorp.com/1003:1234:abcd::1%eth0 + +An IPv4 address of 0.0.0.0 is interpreted as "no address, local only", +so + +[ ["0.0.0.0", "local.domain"] ] + +is equivalent to + +--local=/local.domain/ + + +Each call to SetServersEx completely replaces the set of servers +specified by via the DBus, but it leaves any servers specified via the +command line or /etc/dnsmasq.conf or /etc/resolv.conf alone. + + +SetDomainServers +---------------- + +Yes another variation for setting DNS servers, with the capability of +SetServersEx, but without using arrays of arrays, which are not +sendable with dbus-send. 
The arguments are an array of strings which +are identical to the equivalent arguments --server, so the example +for SetServersEx is represented as + +[ + "/foobar.com/1.2.3.4" + "/eng.mycorp.com/lab.mycorp.com/1003:1234:abcd::1%eth0" +] + +GetLoopServers +-------------- + +(Only available if dnsmasq compiled with HAVE_LOOP) + +Return an array of strings, each string is the IP address of an upstream +server which has been found to loop queries back to this dnsmasq instance, and +it therefore not being used. + +AddDhcpLease +------------ + +Returns nothing. Adds or updates a DHCP or DHCPv6 lease to the internal lease +database, as if a client requested and obtained a lease. + +If a lease for the IPv4 or IPv6 address already exist, it is overwritten. + +Note that this function will trigger the DhcpLeaseAdded or DhcpLeaseUpdated +D-Bus signal and will run the configured DHCP lease script accordingly. + +This function takes many arguments which are the lease parameters: +- A string with the textual representation of the IPv4 or IPv6 address of the + client. + + Examples: + "192.168.1.115" + "1003:1234:abcd::1%eth0" + "2001:db8:abcd::1" + +- A string representing the hardware address of the client, using the same + format as the one used in the lease database. + + Examples: + + "00:23:45:67:89:ab" + "06-00:20:e0:3b:13:af" (token ring) + +- The hostname of the client, as an array of bytes (so there is no problem + with non-ASCII character encoding). May be empty. + + Example (for "hostname.or.fqdn"): + [104, 111, 115, 116, 110, 97, 109, 101, 46, 111, 114, 46, 102, 113, 100, 110] + +- The client identifier (IPv4) or DUID (IPv6) as an array of bytes. May be + empty. + + Examples: + + DHCPv6 DUID: + [0, 3, 0, 1, 0, 35, 69, 103, 137, 171] + DHCPv4 client identifier: + [255, 12, 34, 56, 78, 0, 1, 0, 1, 29, 9, 99, 190, 35, 69, 103, 137, 171] + +- The duration of the lease, in seconds. If the lease is updated, then + the duration replaces the previous duration. 
+ + Example: + + 7200 + +- The IAID (Identity association identifier) of the DHCPv6 lease, as a network + byte-order unsigned integer. For DHCPv4 leases, this must be set to 0. + + Example (for IPv6): + + 203569230 + +- A boolean which, if true, indicates that the DHCPv6 lease is for a temporary + address (IA_TA). If false, the DHCPv6 lease is for a non-temporary address + (IA_NA). For DHCPv4 leases, this must be set to false. + +RemoveDhcpLease +--------------- + +Returns nothing. Removes a DHCP or DHCPv6 lease to the internal lease +database, as if a client sent a release message to abandon a lease. + +This function takes only one parameter: the text representation of the +IPv4 or IPv6 address of the lease to remove. + +Note that this function will trigger the DhcpLeaseRemoved signal and the +configured DHCP lease script will be run with the "del" action. + + + 2. SIGNALS ---------- diff --git a/dnsmasq.conf.example b/dnsmasq.conf.example index 719dcff..590f217 100644 --- a/dnsmasq.conf.example +++ b/dnsmasq.conf.example @@ -4,6 +4,11 @@ # as the long options legal on the command line. See # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details. +# Listen on this specific port instead of the standard DNS port +# (53). Setting this to zero completely disables DNS function, +# leaving only DHCP and/or TFTP. +#port=5353 + # The following two options make you a better netizen, since they # tell dnsmasq to filter out queries which the public DNS cannot # answer, and which load the servers (especially the root servers) 
@@ -15,6 +20,18 @@ # Never forward addresses in the non-routed address spaces. #bogus-priv +# Uncomment these to enable DNSSEC validation and caching: +# (Requires dnsmasq to be built with DNSSEC option.) +#conf-file=%%PREFIX%%/share/dnsmasq/trust-anchors.conf +#dnssec + +# Replies which are not DNSSEC signed may be legitimate, because the domain +# is unsigned, or may be forgeries. Setting this option tells dnsmasq to +# check that an unsigned reply is OK, by finding a secure proof that a DS +# record somewhere between the root and the domain does not exist. +# The cost of setting this is that even queries in unsigned domains will need +# one or more extra DNS queries to verify. +#dnssec-check-unsigned # Uncomment this to filter useless windows-originated DNS requests # which can trigger dial-on-demand links needlessly. @@ -64,6 +81,10 @@ # --address (and --server) work with IPv6 addresses too. #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83 +# Add the IPs of all queries to yahoo.com, google.com, and their +# subdomains to the vpn and search ipsets: +#ipset=/yahoo.com/google.com/vpn,search + # You can control how dnsmasq talks to a server: this forces # queries to 10.1.2.3 to be routed via eth1 # server=10.1.2.3@eth1 
@@ -157,6 +178,44 @@ # an explicit netmask instead. #dhcp-range=192.168.0.0,static +# Enable DHCPv6. Note that the prefix-length does not need to be specified +# and defaults to 64 if missing/ +#dhcp-range=1234::2, 1234::500, 64, 12h + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +#dhcp-range=1234::, ra-only + +# Do Router Advertisements, BUT NOT DHCP for this subnet, also try and +# add names to the DNS for the IPv6 address of SLAAC-configured dual-stack +# hosts. Use the DHCPv4 lease to derive the name, network segment and +# MAC address and assume that the host will also have an +# IPv6 address calculated using the SLAAC alogrithm. +#dhcp-range=1234::, ra-names + +# Do Router Advertisements, BUT NOT DHCP for this subnet. +# Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.) +#dhcp-range=1234::, ra-only, 48h + +# Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA +# so that clients can use SLAAC addresses as well as DHCP ones. +#dhcp-range=1234::2, 1234::500, slaac + +# Do Router Advertisements and stateless DHCP for this subnet. Clients will +# not get addresses from DHCP, but they will get other configuration information. +# They will use SLAAC for addresses. +#dhcp-range=1234::, ra-stateless + +# Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses +# from DHCPv4 leases. +#dhcp-range=1234::, ra-stateless, ra-names + +# Do router advertisements for all subnets where we're doing DHCPv6 +# Unless overriden by ra-stateless, ra-names, et al, the router +# advertisements will have the M and O bits set, so that the clients +# get addresses and configuration from DHCPv6, and the A bit reset, so the +# clients don't use SLAAC addresses. +#enable-ra + # Supply parameters for specified hosts using DHCP. There are lots # of valid alternatives, so we will give examples of each. Note that # IP addresses DO NOT have to be in the range given above, they just 
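Review bot: Comment and example disagree in the ra-only lifetime entry: the comment says "Set the lifetime to 46 hours" but the option line is `#dhcp-range=1234::, ra-only, 48h`; one of the two should change. Three typos in the same hunk: "defaults to 64 if missing/" should end with a full stop, "SLAAC alogrithm" should be "algorithm", and "Unless overriden by ra-stateless" should be "overridden".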
@@ -192,6 +251,13 @@ # the IP address 192.168.0.60 #dhcp-host=id:01:02:02:04,192.168.0.60 +# Always give the Infiniband interface with hardware address +# 80:00:00:48:fe:80:00:00:00:00:00:00:f4:52:14:03:00:28:05:81 the +# ip address 192.168.0.61. The client id is derived from the prefix +# ff:00:00:00:00:00:02:00:00:02:c9:00 and the last 8 pairs of +# hex digits of the hardware address. +#dhcp-host=id:ff:00:00:00:00:00:02:00:00:02:c9:00:f4:52:14:03:00:28:05:81,192.168.0.61 + # Always give the host with client identifier "marjorie" # the IP address 192.168.0.60 #dhcp-host=id:marjorie,192.168.0.60 @@ -219,7 +285,13 @@ # any machine with Ethernet address starting 11:22:33: #dhcp-host=11:22:33:*:*:*,set:red -# Ignore any clients which are specified in dhcp-host lines +# Give a fixed IPv6 address and name to client with +# DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2 +# Note the MAC addresses CANNOT be used to identify DHCPv6 clients. +# Note also the they [] around the IPv6 address are obilgatory. +#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5] + +# Ignore any clients which are not specified in dhcp-host lines # or /etc/ethers. Equivalent to ISC "deny unknown-clients". # This relies on the special "known" tag which is set when # a host is matched. 
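Review bot: Garbled sentence in the DHCPv6 dhcp-host comment: "Note also the they [] around the IPv6 address are obilgatory." should read "Note also that the [] around the IPv6 address are obligatory." The example line `#dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]` also puts spaces after the commas, unlike every other dhcp-host example in the file; dropping them keeps the examples copy-paste consistent.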
@@ -270,6 +342,24 @@ # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5 #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5 +# Send DHCPv6 option. Note [] around IPv6 addresses. +#dhcp-option=option6:dns-server,[1234::77],[1234::88] + +# Send DHCPv6 option for namservers as the machine running +# dnsmasq and another. +#dhcp-option=option6:dns-server,[::],[1234::88] + +# Ask client to poll for option changes every six hours. (RFC4242) +#dhcp-option=option6:information-refresh-time,6h + +# Set option 58 client renewal time (T1). Defaults to half of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T1:1m + +# Set option 59 rebinding time (T2). Defaults to 7/8 of the +# lease time if not specified. (RFC2132) +#dhcp-option=option:T2:2m + # Set the NTP time server address to be the same machine as # is running dnsmasq #dhcp-option=42,0.0.0.0 @@ -304,6 +394,9 @@ #dhcp-option=45,0.0.0.0 # netbios datagram distribution server #dhcp-option=46,8 # netbios node type +# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave. +#dhcp-option=252,"\n" + # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client # probably doesn't support this...... #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com @@ -348,6 +441,9 @@ # external one. (See below for how to enable the TFTP server.) #dhcp-boot=pxelinux.0 +# The same as above, but use custom tftp-server instead machine running dnsmasq +#dhcp-boot=pxelinux,server.name,192.168.1.100 + # Boot for Etherboot gPXE. The idea is to send two different # filenames, the first loads gPXE, and the second tells gPXE what to # load. The dhcp-match sets the gpxe tag for requests from gPXE. 
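Review bot: Inconsistent separator in the T1/T2 examples: `#dhcp-option=option:T1:1m` and `#dhcp-option=option:T2:2m` use a colon between the option name and its value, whereas every other dhcp-option line in this hunk uses a comma (for instance `#dhcp-option=option6:information-refresh-time,6h`). Unless the parser is known to accept the colon form, these should be `option:T1,1m` and `option:T2,2m`. Also a typo: "Send DHCPv6 option for namservers" should be "nameservers".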
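Review bot: Grammar in the new dhcp-boot comment: "The same as above, but use custom tftp-server instead machine running dnsmasq" should read "but use a custom TFTP server instead of the machine running dnsmasq". It would also help to say which of `server.name` and `192.168.1.100` in `#dhcp-boot=pxelinux,server.name,192.168.1.100` is the server name and which the address, since the later example in this file (`#dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3`) uses the same positional form and readers will compare the two.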
@@ -405,6 +501,9 @@ # Set the root directory for files available via FTP. #tftp-root=/var/ftpd +# Do not abort if the tftp-root is unavailable +#tftp-no-fail + # Make the TFTP server more secure: with this set, only files owned by # the user dnsmasq is running as will be send over the net. #tftp-secure @@ -415,13 +514,21 @@ #tftp-no-blocksize # Set the boot file name only when the "red" tag is set. -#dhcp-boot=net:red,pxelinux.red-net +#dhcp-boot=tag:red,pxelinux.red-net # An example of dhcp-boot with an external TFTP server: the name and IP # address of the server are given after the filename. # Can fail with old PXE ROMS. Overridden by --pxe-service. #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3 +# If there are multiple external tftp servers having a same name +# (using /etc/hosts) then that name can be specified as the +# tftp_servername (the third option to dhcp-boot) and in that +# case dnsmasq resolves this name and returns the resultant IP +# addresses in round robin fasion. This facility can be used to +# load balance the tftp load among a set of servers. +#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name + # Set the limit on DHCP leases, the default is 150 #dhcp-lease-max=150 @@ -452,7 +559,7 @@ # If you want to disable negative caching, uncomment this. #no-negcache -# Normally responses which come form /etc/hosts and the DHCP lease +# Normally responses which come from /etc/hosts and the DHCP lease # file have Time-To-Live set as zero, which conventionally means # do not cache further. If you are happy to trade lower load on the # server for potentially stale date, you can set a time-to-live (in 
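Review bot: Name mismatch in the round-robin TFTP comment: the text calls the third dhcp-boot argument "the tftp_servername" while the example line is `#dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name`; pick one spelling. Two more fixes in the same comment: "having a same name" should be "having the same name", and "round robin fasion" should be "fashion".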
@@ -548,6 +655,12 @@ # Log lots of extra information about DHCP transactions. #log-dhcp -# Include a another lot of configuration options. +# Include another lot of configuration options. #conf-file=/etc/dnsmasq.more.conf #conf-dir=/etc/dnsmasq.d + +# Include all the files in a directory except those ending in .bak +#conf-dir=/etc/dnsmasq.d,.bak + +# Include all files in a directory which end in .conf +#conf-dir=/etc/dnsmasq.d/,*.conf diff --git a/doc.html b/doc.html index 0a73083..54f59bb 100644 --- a/doc.html +++ b/doc.html @@ -1,8 +1,7 @@ - Dnsmasq - a DNS forwarder for NAT firewalls. - + Dnsmasq - network services for small networks. + @@ -11,111 +10,88 @@

Dnsmasq

+Dnsmasq provides network infrastructure for small networks: DNS, DHCP, router advertisement and network boot. It is designed to be +lightweight and have a small footprint, suitable for resource constrained routers and firewalls. It has also been widely used +for tethering on smartphones and portable hotspots, and to support virtual networking in virtualisation frameworks. +Supported platforms include Linux (with glibc and uclibc), Android, *BSD, and Mac OS X. Dnsmasq is included in most +Linux distributions and the ports systems of FreeBSD, OpenBSD and NetBSD. Dnsmasq provides full IPv6 support. -Dnsmasq is a lightweight, easy to configure DNS forwarder and DHCP - server. It is designed to provide DNS and, optionally, DHCP, to a - small network. It can serve the names of local machines which are - not in the global DNS. The DHCP server integrates with the DNS - server and allows machines with DHCP-allocated addresses - to appear in the DNS with names configured either in each host or - in a central configuration file. Dnsmasq supports static and dynamic - DHCP leases and BOOTP/TFTP/PXE for network booting of diskless machines.

- Dnsmasq is targeted at home networks using NAT and -connected to the internet via a modem, cable-modem or ADSL -connection but would be a good choice for any smallish network (up to -1000 clients is known to work) where low -resource use and ease of configuration are important. -

-Supported platforms include Linux (with glibc and uclibc), *BSD, -Solaris and Mac OS X. -Dnsmasq is included in at least the following Linux distributions: -Gentoo, Debian, Slackware, Suse, Fedora, -Smoothwall, IP-Cop, floppyfw, Firebox, LEAF, Freesco, fli4l, -CoyoteLinux, Endian Firewall and -Clarkconnect. It is also available as FreeBSD, OpenBSD and NetBSD ports and is used in -Linksys wireless routers (dd-wrt, openwrt and the stock firmware) and the m0n0wall project. +The DNS subsystem provides a local DNS server for the network, with forwarding of all query types to upstream recursive DNS servers and +cacheing of common record types (A, AAAA, CNAME and PTR, also DNSKEY and DS when DNSSEC is enabled). +

+
  • Local DNS names can be defined by reading /etc/hosts, by importing names from the DHCP subsystem, or by configuration of a wide range of useful record types.
  • +
  • Upstream servers can be configured in a variety of convenient ways, including dynamic configuration as these change on moving upstream network. +
  • Authoritative DNS mode allows local DNS names may be exported to zone in the global DNS. Dnsmasq acts as authoritative server for this zone, and also provides +zone transfer to secondaries for the zone, if required.
  • +
  • DNSSEC validation may be performed on DNS replies from upstream nameservers, providing security against spoofing and cache poisoning.
  • +
  • Specified sub-domains can be directed to their own upstream DNS servers, making VPN configuration easy.
  • +
  • Internationalised domain names are supported. +
  • -Dnsmasq provides the following features: +The DHCP subsystem supports DHCPv4, DHCPv6, BOOTP and PXE.

    - -
  • -The DNS configuration of machines behind the firewall is simple and -doesn't depend on the details of the ISP's dns servers -
  • -Clients which try to do DNS lookups while a modem link to the -internet is down will time out immediately. -
  • -
  • -Dnsmasq will serve names from the /etc/hosts file on the firewall -machine: If the names of local machines are there, then they can all -be addressed without having to maintain /etc/hosts on each machine. -
  • -
  • -The integrated DHCP server supports static and dynamic DHCP leases and -multiple networks and IP ranges. It works across BOOTP relays and -supports DHCP options including RFC3397 DNS search lists. -Machines which are configured by DHCP have their names automatically +
  • Both static and dynamic DHCP leases are supported, along with stateless mode in DHCPv6.
  • +
  • The PXE system is a full PXE server, supporting netboot menus and multiple architecture support. It +includes proxy-mode, where the PXE system co-operates with another DHCP server.
  • +
  • There is a built in read-only TFTP server to support netboot.
  • +
  • Machines which are configured by DHCP have their names automatically included in the DNS and the names can specified by each machine or -centrally by associating a name with a MAC address in the dnsmasq -config file. -
  • -
  • -Dnsmasq caches internet addresses (A records and AAAA records) and address-to-name -mappings (PTR records), reducing the load on upstream servers and -improving performance (especially on modem connections). -
  • -
  • -Dnsmasq can be configured to automatically pick up the addresses of -its upstream nameservers from ppp or dhcp configuration. It will -automatically reload this information if it changes. This facility -will be of particular interest to maintainers of Linux firewall -distributions since it allows dns configuration to be made automatic. -
  • -
  • -On IPv6-enabled boxes, dnsmasq can both talk to upstream servers via IPv6 -and offer DNS service via IPv6. On dual-stack (IPv4 and IPv6) boxes it talks -both protocols and can even act as IPv6-to-IPv4 or IPv4-to-IPv6 forwarder. -
  • -
  • -Dnsmasq can be configured to send queries for certain domains to -upstream servers handling only those domains. This makes integration -with private DNS systems easy. -
  • -
  • -Dnsmasq supports MX and SRV records and can be configured to return MX records -for any or all local machines. -
  • +centrally by associating a name with a MAC address or UID in the dnsmasq +configuration file. +
    +

    +The Router Advertisement subsystem provides basic autoconfiguration for IPv6 hosts. It can be used stand-alone or in conjunction with DHCPv6. +

    +
  • The M and O bits are configurable, to control hosts' use of DHCPv6.
  • +
  • Router advertisements can include the RDNSS option.
  • +
  • There is a mode which uses name information from DHCPv4 configuration to provide DNS entries + for autoconfigured IPv6 addresses which would otherwise be anonymous.
  • +

    + +For extra compactness, unused features may be omitted at compile time. + -

    Download.

    +

    Get code.

    - Download dnsmasq here. +Download dnsmasq here. The tarball includes this documentation, source, and manpage. There is also a CHANGELOG and a FAQ. -Dnsmasq is part of the Debian distribution, it can be downloaded from - here or installed using apt. -

    Links.

    -Damien Raude-Morvan has an article in French at http://www.drazzib.com/docs-dnsmasq.html -There is a good article about dnsmasq at http://www.enterprisenetworkingplanet.com/netos/article.php/3377351 -and another at http://www.linux.com/articles/149040 -and Ilya Evseev has an article in Russian about dnsmasq to be found at - -http://ilya-evseev.narod.ru/articles/dnsmasq. Ismael Ull has an -article about dnsmasq in Spanish at http://www.mey-online.com.ar/blog/index.php/archives/guia-rapida-de-dnsmasq +Dnsmasq has a git repository which contains the complete release +history of version 2 and development history from 2.60. You can +browse +the repo, or get a copy using git protocol with the command + +
    git clone git://thekelleys.org.uk/dnsmasq.git 
    +

    License.

    -Dnsmasq is distributed under the GPL. See the file COPYING in the distribution +Dnsmasq is distributed under the GPL, version 2 or version 3 at your discretion. See the files COPYING and COPYING-v3 in the distribution for details.

    Contact.

    There is a dnsmasq mailing list at http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss which should be the -first location for queries, bugreports, suggestions etc. -Dnsmasq was written by Simon Kelley. You can contact me at +https://www.mail-archive.com/dnsmasq-discuss@lists.thekelleys.org.uk/. +You can contact me at simon@thekelleys.org.uk. + +

    Donations.

    +Dnsmasq is mainly written and maintained by Simon Kelley. For most of its life, dnsmasq has been a spare-time project. +These days I'm working on it as my main activity. +I don't have an employer or anyone who pays me regularly to work on dnsmasq. If you'd like to make +a contribution towards my expenses, please use the donation button below. +
    + + + + +
    + + diff --git a/logo/favicon.ico b/logo/favicon.ico index 1c7e8f8e4c84359f85f949eb467b4c526d739c2c..71bc934d4eba58cedf42ade9fc2acbaa9fda9e32 100644 GIT binary patch literal 1406 zcmZQzU<5(|0R|w+!H~hqz#zuJz@P!dKp_SNAO?x!0$Um47}hbQGOS@pV^|BsYZ%gj zbUMRE#$<+djA;z388aBx0P#}Je1@f51q>Ux^B5NM7BkEjC}Ef-R>?3!qK09rOg+O? z*?NX)a&-*bWGfhU%T+L}l&@jv)@Wy#tkc2JW;l^ypLqwv0gDcXR_iGYRra$O4m$KQ z9CGYssCJnHr281k+!rwPxX)!c>^70%u=_-YW1f>43jLQb9P^pNa6Di-!>OR@43~qZ zGGvBsWH=N)hv8)SY=-mUvltR%HZz=yn!|7*b}qw3AYK-~oFP7O7eiIbW`>tV|1N{&w1*7Vvz{>6uX)Shv-LHD*PgEo!H2)$3ZhZ*(GVE6 zA>d3hu(Pv+=z%bt6!^qJB6fB%{DOAQPO@yQ%xt_mrjiWItSsDiP8_VvK)}k%0wh@& zb!gd7}{7+D1z9ITjGgzcoHC9ECP8Ckh39Sj)RbsUt{R7F^rpn%iP*}+U(Pg6x+ zPEl1uOAKVQor8(Fp|O#^u89TIAx?IVb~g4fXOZTi|Nj{nVEFiB28PB)>`~po$iQ%b NnStR0KSDi79{`1Pq%Hse literal 1406 zcmeH^do0xf6vsceQXVP2rmr4(n5QUN(k$1RWd0qEr>oKh%i>-y`m3h^TYO7nb zq)BXaOW2UM)U1ase>DDRi;d|LGy3)T!@o^``ktM~&Ohgz&jFEOMn(ux7ljTO16G0y zEi489)&DKgpER>pS3l;iVG^pu8mdGJUf5+bG@|8=temU11+;k;)6@SIc~(6+R#~*V z7gB0|iI7_#x#(8TGxKEBdS_5{Xi?_W^D6izbwrXYtw4F>6EE$vc|-zL$axo0fyy|A zsi`R@CnxFlFF~z;mWhc8s);A?S|?G_jSLM9an9!+Ew1@w+7!|fTu!@h8D4eYC^1c^ z)4z;rksL==KLg*#&}cMVklw*JrJeZ1rvzm-aor@1{P&~Oh+@fY>Y~Uxn}!&*u#23^ z-Z5IGg>(h0aIPAp#^AItE03@Y4Uy?}q{h|asnPOK;32E+#-X5>Y=Oo7s0XCWpD;Z= zjhFfZw~fv-K0c0CtHq)83nL>VG`r-{*VjjA+Yc^x50dnHn0m8h;r;{~KMxR_)x=wY zLy1{BR~(D+OKGNKc#2AkG}=6hhz_qs8B{|+>nIHk4TM$nAj^18sJ04*T}=+ zyCvd%wk!5H$qY{{Fxl^>zeyrqc2XH9*|BJsaqPiR*_ywazs>Bx5sQ^u7at1Td{B3L sj3UU}J9_mz$AxPnoVOhF3JF*ztZ%Mk=f2a!WqH^}U$cL{X0{Z60uBuLhX4Qo diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 index 511f57f..c8913b5 100644 --- a/man/dnsmasq.8 +++ b/man/dnsmasq.8 
@@ -6,24 +6,31 @@ dnsmasq \- A lightweight DHCP and caching DNS server. .I [OPTION]... .SH "DESCRIPTION" .BR dnsmasq -is a lightweight DNS, TFTP and DHCP server. It is intended to provide +is a lightweight DNS, TFTP, PXE, router advertisement and DHCP server. It is intended to provide coupled DNS and DHCP service to a LAN. .PP Dnsmasq accepts DNS queries and either answers them from a small, local, cache or forwards them to a real, recursive, DNS server. It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers -DNS queries for DHCP configured hosts. +DNS queries for DHCP configured hosts. It can also act as the +authoritative DNS server for one or more domains, allowing local names +to appear in the global DNS. It can be configured to do DNSSEC +validation. .PP The dnsmasq DHCP server supports static address assignments and multiple networks. It automatically sends a sensible default set of DHCP options, and can be configured to send any desired set of DHCP options, including vendor-encapsulated options. It includes a secure, read-only, -TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. +TFTP server to allow net/PXE boot of DHCP hosts and also supports BOOTP. The PXE support is full featured, and includes a proxy mode which supplies PXE information to clients whilst DHCP address allocation is done by another server. .PP -Dnsmasq -supports IPv6 for DNS and TFTP, but not DHCP. +The dnsmasq DHCPv6 server provides the same set of features as the +DHCPv4 server, and in addition, it includes router advertisements and +a neat feature which allows nameing for clients which use DHCPv4 and +stateless autoconfiguration only for IPv6 configuration. There is support for doing address allocation (both DHCPv6 and RA) from subnets which are dynamically delegated via DHCPv6 prefix delegation. +.PP +Dnsmasq is coded with small embedded systems in mind. 
It aims for the smallest possible memory footprint compatible with the supported functions, and allows uneeded functions to be omitted from the compiled binary. .SH OPTIONS Note that in general missing parameters are allowed and switch off functions, for instance "--pid-file" disables writing a PID file. On @@ -43,6 +50,10 @@ Additional hosts file. Read the specified file as well as /etc/hosts. If -h is g only the specified file. This option may be repeated for more than one additional hosts file. If a directory is given, then read all the files contained in that directory. .TP +.B --hostsdir= +Read all the hosts files contained in the directory. New or changed files +are read automatically. See --dhcp-hostsdir for details. +.TP .B \-E, --expand-hosts Add the domain to simple names (without a period) in /etc/hosts in the same way as for DHCP-derived names. Note that this does not @@ -51,7 +62,7 @@ apply to domain names in cnames, PTR records, TXT records etc. .B \-T, --local-ttl=
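Review bot: Two typos in the new DESCRIPTION paragraphs of man/dnsmasq.8: "a neat feature which allows nameing for clients" should be "naming", and "allows uneeded functions to be omitted" should be "unneeded". The sentence starting "There is support for doing address allocation (both DHCPv6 and RA)" is also added without a preceding `.PP`, so it will run on from the previous sentence in the rendered page; check that this is the intended layout.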