From 29c1d590ec7f455fbbd929bf115736da5d321d2c Mon Sep 17 00:00:00 2001
From: zyppe <210hcl@gmail.com>
Date: Wed, 7 Feb 2024 22:44:37 +0800
Subject: [PATCH] Initialize for dnsmasq
---
.dnsmasq.metadata | 1 +
.gitignore | 1 +
dnsmasq-2.86.tar.xz.asc | 16 +
dnsmasq-CVE-2022-0934.patch | 179 +++++
dnsmasq-groups.patch | 16 +
dnsmasq-resolv-conf.patch | 31 +
dnsmasq-rpmlintrc | 4 +
dnsmasq.changes | 1345 +++++++++++++++++++++++++++++++++++
dnsmasq.keyring | 116 +++
dnsmasq.reg | 12 +
dnsmasq.service | 30 +
dnsmasq.spec | 221 ++++++
rc.dnsmasq-suse | 90 +++
system-user-dnsmasq.conf | 3 +
14 files changed, 2065 insertions(+)
create mode 100644 .dnsmasq.metadata
create mode 100644 .gitignore
create mode 100644 dnsmasq-2.86.tar.xz.asc
create mode 100644 dnsmasq-CVE-2022-0934.patch
create mode 100644 dnsmasq-groups.patch
create mode 100644 dnsmasq-resolv-conf.patch
create mode 100644 dnsmasq-rpmlintrc
create mode 100644 dnsmasq.changes
create mode 100644 dnsmasq.keyring
create mode 100644 dnsmasq.reg
create mode 100644 dnsmasq.service
create mode 100644 dnsmasq.spec
create mode 100644 rc.dnsmasq-suse
create mode 100644 system-user-dnsmasq.conf
diff --git a/.dnsmasq.metadata b/.dnsmasq.metadata
new file mode 100644
index 0000000..28ecf2f
--- /dev/null
+++ b/.dnsmasq.metadata
@@ -0,0 +1 @@
+a620004c8321f7517d66127a55d543da1d995a9522283e5e16102a7d5484077f dnsmasq-2.86.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fc93faa
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+dnsmasq-2.86.tar.xz
diff --git a/dnsmasq-2.86.tar.xz.asc b/dnsmasq-2.86.tar.xz.asc
new file mode 100644
index 0000000..9d39c31
--- /dev/null
+++ b/dnsmasq-2.86.tar.xz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE1urL1u5GuDQkjRESFc3aauGRNaIFAmE5MDYACgkQFc3aauGR
+NaKtqA//W2QQv/K6l009r6LBQdUxrYwygJ/TXKsZLb6JlpVSCgLJ0FvK95wJnt9S
+YxeTbMogr/Pd2jbZJAnPz2mTxfqZAv1Xob+qaXfn/K772tMyjzgUCIfdsBSRKmUS
+RYxln8NiMwahI8uYLBWLtSPBpaYLiHEp5W+wV6OHu4OGfCG1qyhlem4Hs1UJy2KN
+I6UjLXYJYJBp1UBqsakEuNe4dzUp0v0OI4VYYRUriyTsmptcLFZMUAtdq6EJ9eUX
+0p8zhxWotJCzkZrF/t6Myb8ydudwLkUqICA6a9PTw5o34KxZ2VKWtu6NQoWaT8WK
+5c7gbk/UprlPhKEDMOuGNC5JHSpm+2Fhq8c8PkIn6zPYv0Wvb/M+2DYLjptfbodl
+VHhuzngnneFOdNK+XzPCG37cG1qpzey1mLWtsl5Ji0d1hBLnlk9vl8Hqb5ozLAJC
+rMlhIB85hyt6VAj29Ye3DnObNLRSmfDiN4frptmQssqMqO1+eI2b/8zvrxIByYG+
+HboOt5/gotVavAmZwPfesbpje50PaPVTgFjQjc8BAwXEhFsn98MVRdz7Iwc5xQmG
+upOd+44HC3at+So9+X9ocVofvItuDn7wYVnoZU7LcF5Isnoz3FhRMAusm8EsfJkI
+lQr7vsg5/oUBU2Dr/NCBjbe/cYX4/+BEdnnQkLvG33pF8xTiyAQ=
+=XpGA
+-----END PGP SIGNATURE-----
diff --git a/dnsmasq-CVE-2022-0934.patch b/dnsmasq-CVE-2022-0934.patch
new file mode 100644
index 0000000..1f703d7
--- /dev/null
+++ b/dnsmasq-CVE-2022-0934.patch
@@ -0,0 +1,179 @@
+From 03345ecefeb0d82e3c3a4c28f27c3554f0611b39 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Thu, 31 Mar 2022 21:35:20 +0100
+Subject: [PATCH] Fix write-after-free error in DHCPv6 code. CVE-2022-0934
+ refers.
+
+---
+ CHANGELOG | 3 +++
+ src/rfc3315.c | 48 +++++++++++++++++++++++++++---------------------
+ 2 files changed, 30 insertions(+), 21 deletions(-)
+
+--- CHANGELOG.orig
++++ CHANGELOG
+@@ -1,3 +1,8 @@
++
++ Fix write-after-free error in DHCPv6 server code.
++ CVE-2022-0934 refers.
++
++
+ version 2.86
+ Handle DHCPREBIND requests in the DHCPv6 server code.
+ Thanks to Aichun Li for spotting this omission, and the initial
+--- src/rfc3315.c.orig
++++ src/rfc3315.c
+@@ -33,9 +33,9 @@ struct state {
+ unsigned int mac_len, mac_type;
+ };
+
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now);
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now);
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now);
+ static void log6_opts(int nest, unsigned int xid, void *start_opts, void *end_opts);
+ static void log6_packet(struct state *state, char *type, struct in6_addr *addr, char *string);
+ static void log6_quiet(struct state *state, char *type, struct in6_addr *addr, char *string);
+@@ -104,12 +104,12 @@ unsigned short dhcp6_reply(struct dhcp_c
+ }
+
+ /* This cost me blood to write, it will probably cost you blood to understand - srk.
*/
+-static int dhcp6_maybe_relay(struct state *state, void *inbuff, size_t sz,
++static int dhcp6_maybe_relay(struct state *state, unsigned char *inbuff, size_t sz,
+ struct in6_addr *client_addr, int is_unicast, time_t now)
+ {
+ void *end = inbuff + sz;
+ void *opts = inbuff + 34;
+- int msg_type = *((unsigned char *)inbuff);
++ int msg_type = *inbuff;
+ unsigned char *outmsgtypep;
+ void *opt;
+ struct dhcp_vendor *vendor;
+@@ -259,15 +259,15 @@ static int dhcp6_maybe_relay(struct stat
+ return 1;
+ }
+
+-static int dhcp6_no_relay(struct state *state, int msg_type, void *inbuff, size_t sz, int is_unicast, time_t now)
++static int dhcp6_no_relay(struct state *state, int msg_type, unsigned char *inbuff, size_t sz, int is_unicast, time_t now)
+ {
+ void *opt;
+- int i, o, o1, start_opts;
++ int i, o, o1, start_opts, start_msg;
+ struct dhcp_opt *opt_cfg;
+ struct dhcp_netid *tagif;
+ struct dhcp_config *config = NULL;
+ struct dhcp_netid known_id, iface_id, v6_id;
+- unsigned char *outmsgtypep;
++ unsigned char outmsgtype;
+ struct dhcp_vendor *vendor;
+ struct dhcp_context *context_tmp;
+ struct dhcp_mac *mac_opt;
+@@ -296,12 +296,13 @@ static int dhcp6_no_relay(struct state *
+ v6_id.next = state->tags;
+ state->tags = &v6_id;
+
+- /* copy over transaction-id, and save pointer to message type */
+- if (!(outmsgtypep = put_opt6(inbuff, 4)))
++ start_msg = save_counter(-1);
++ /* copy over transaction-id */
++ if (!put_opt6(inbuff, 4))
+ return 0;
+ start_opts = save_counter(-1);
+- state->xid = outmsgtypep[3] | outmsgtypep[2] << 8 | outmsgtypep[1] << 16;
+-
++ state->xid = inbuff[3] | inbuff[2] << 8 | inbuff[1] << 16;
++
+ /* We're going to be linking tags from all context we use.
+ mark them as unused so we don't link one twice and break the list */
+ for (context_tmp = state->context; context_tmp; context_tmp = context_tmp->current)
+@@ -347,7 +348,7 @@ static int dhcp6_no_relay(struct state *
+ (msg_type == DHCP6REQUEST || msg_type == DHCP6RENEW || msg_type == DHCP6RELEASE || msg_type == DHCP6DECLINE))
+
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ o1 = new_opt6(OPTION6_STATUS_CODE);
+ put_opt6_short(DHCP6USEMULTI);
+ put_opt6_string("Use multicast");
+@@ -619,11 +620,11 @@ static int dhcp6_no_relay(struct state *
+ struct dhcp_netid *solicit_tags;
+ struct dhcp_context *c;
+
+- *outmsgtypep = DHCP6ADVERTISE;
++ outmsgtype = DHCP6ADVERTISE;
+
+ if (opt6_find(state->packet_options, state->end, OPTION6_RAPID_COMMIT, 0))
+ {
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+ o = new_opt6(OPTION6_RAPID_COMMIT);
+ end_opt6(o);
+@@ -809,7 +810,7 @@ static int dhcp6_no_relay(struct state *
+ int start = save_counter(-1);
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ state->lease_allocate = 1;
+
+ log6_quiet(state, "DHCPREQUEST", NULL, ignore ? _("ignored") : NULL);
+@@ -924,7 +925,7 @@ static int dhcp6_no_relay(struct state *
+ int address_assigned = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, msg_type == DHCP6RENEW ? "DHCPRENEW" : "DHCPREBIND", NULL, NULL);
+
+@@ -1057,7 +1058,7 @@ static int dhcp6_no_relay(struct state *
+ int good_addr = 0;
+
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPCONFIRM", NULL, NULL);
+
+@@ -1121,7 +1122,7 @@ static int dhcp6_no_relay(struct state *
+ log6_quiet(state, "DHCPINFORMATION-REQUEST", NULL, ignore ?
_("ignored") : state->hostname);
+ if (ignore)
+ return 0;
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+ tagif = add_options(state, 1);
+ break;
+ }
+@@ -1130,7 +1131,7 @@ static int dhcp6_no_relay(struct state *
+ case DHCP6RELEASE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPRELEASE", NULL, NULL);
+
+@@ -1195,7 +1196,7 @@ static int dhcp6_no_relay(struct state *
+ case DHCP6DECLINE:
+ {
+ /* set reply message type */
+- *outmsgtypep = DHCP6REPLY;
++ outmsgtype = DHCP6REPLY;
+
+ log6_quiet(state, "DHCPDECLINE", NULL, NULL);
+
+@@ -1275,7 +1276,12 @@ static int dhcp6_no_relay(struct state *
+ }
+
+ }
+-
++
++ /* Fill in the message type. Note that we store the offset,
++ not a direct pointer, since the packet memory may have been
++ reallocated. */
++ ((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;
++
+ log_tags(tagif, state->xid);
+ log6_opts(0, state->xid, daemon->outpacket.iov_base + start_opts, daemon->outpacket.iov_base + save_counter(-1));
+
diff --git a/dnsmasq-groups.patch b/dnsmasq-groups.patch
new file mode 100644
index 0000000..96898cc
--- /dev/null
+++ b/dnsmasq-groups.patch
@@ -0,0 +1,16 @@
+--- src/dnsmasq.c.orig
++++ src/dnsmasq.c
+@@ -581,11 +581,10 @@ int main (int argc, char **argv)
+ if (!option_bool(OPT_DEBUG) && getuid() == 0)
+ {
+ int bad_capabilities = 0;
+- gid_t dummy;
+
+- /* remove all supplementary groups */
++ /* set the supplementary groups of the daemon user */
+ if (gp &&
+- (setgroups(0, &dummy) == -1 ||
++ (initgroups(daemon->username, gp->gr_gid) == -1 ||
+ setgid(gp->gr_gid) == -1))
+ {
+ send_event(err_pipe[1], EVENT_GROUP_ERR, errno, daemon->groupname);
diff --git a/dnsmasq-resolv-conf.patch b/dnsmasq-resolv-conf.patch
new file mode 100644
index 0000000..31f0fb7
--- /dev/null
+++ b/dnsmasq-resolv-conf.patch
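Review bot: `unsigned char outmsgtype;` in dhcp6_no_relay is declared without an initializer, and the new final store `((unsigned char *)(daemon->outpacket.iov_base))[start_msg] = outmsgtype;` runs on every path that falls out of the switch, while the hunks only show the branches that assign it; if any message type reaches that store unassigned, the reply's type byte becomes an indeterminate value, where the pre-patch code left the request's own type byte as copied by `put_opt6(inbuff, 4)`. Should such a path exist (most of dhcp6_no_relay's body is outside the hunk), `unsigned char outmsgtype = msg_type;` reproduces the old default, assuming msg_type is the byte dhcp6_maybe_relay reads with `int msg_type = *inbuff;`; building with -Wmaybe-uninitialized will settle whether the concern is real. Separately, none of the three backported patches carries a tagging header tying it to the bug it fixes; a leading `References: bsc#1197872 CVE-2022-0934` line here, with bsc#859298 for dnsmasq-groups.patch and bsc#1192529 for dnsmasq-resolv-conf.patch (numbers as given in dnsmasq.changes), would record why each patch is carried.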
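Review bot: `initgroups(daemon->username, gp->gr_gid)` replaces `setgroups(0, &dummy)`, so the daemon now keeps every supplementary group the dnsmasq account belongs to instead of none; group membership of that account thereby becomes part of the daemon's privilege boundary, which the dnsmasq.changes entry about removing the "nogroup" membership already reflects but the patch itself does not say. The file has no header at all; a line above the first `---`, such as `Initialize the supplementary groups of the dnsmasq user instead of clearing them (bsc#859298); the account's group memberships now define what the daemon can access.`, would make the intent reviewable. The hunk does not show that `daemon->username` is non-NULL whenever `gp` is set, which initgroups() requires; that is presumably ensured by option parsing outside the hunk, but worth confirming since the old setgroups() call had no such dependency. main() continues outside the hunk.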
@@ -0,0 +1,31 @@
+From d290630d31f4517ab26392d00753d1397f9a4114 Mon Sep 17 00:00:00 2001
+From: Simon Kelley
+Date: Wed, 6 Oct 2021 22:31:06 +0100
+Subject: [PATCH] Fix crash after re-reading an empty resolv.conf file.
+
+If dnsmasq re-reads a resolv file, and it's empty, it will
+retry after a delay. In the meantime, the old servers from the
+resolv file have been deleted, but the servers_array doesn't
+get updated, leading to dangling pointers and crashes.
+
+Thanks to Brad Jorsch for finding and analysing this bug.
+
+This problem was introduced in 2.86.
+---
+ src/dnsmasq.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- src/dnsmasq.c.orig
++++ src/dnsmasq.c
+@@ -1668,6 +1668,11 @@ static void poll_resolv(int force, int d
+ }
+ else
+ {
++ /* If we're delaying things, we don't call check_servers(), but
++ reload_servers() may have deleted some servers, rendering the server_array
++ invalid, so just rebuild that here. Once reload_servers() succeeds,
++ we call check_servers() above, which calls build_server_array itself. */
++ build_server_array();
+ latest->mtime = 0;
+ if (!warned)
+ {
diff --git a/dnsmasq-rpmlintrc b/dnsmasq-rpmlintrc
new file mode 100644
index 0000000..9f7a022
--- /dev/null
+++ b/dnsmasq-rpmlintrc
@@ -0,0 +1,4 @@
+# This are example scripts
+addFilter("doc-file-dependency")
+# This is correct user
+addFilter("non-standard-uid")
diff --git a/dnsmasq.changes b/dnsmasq.changes
new file mode 100644
index 0000000..c731267
--- /dev/null
+++ b/dnsmasq.changes
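Review bot: `addFilter("non-standard-uid")` is an unanchored regular expression matched against the whole rpmlint output line, so it silences the check for any uid the package ever ships, not only the dnsmasq account the comment refers to; narrowing it to that user, e.g. `addFilter("non-standard-uid .* dnsmasq")`, keeps the check live for anything added later. The same holds for `addFilter("doc-file-dependency")`, which could name the example-script paths it is meant to cover. The two comments also read awkwardly and do not give the reason; `# These are example scripts shipped as documentation` and `# dnsmasq is the intended user of these files` state it.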
@@ -0,0 +1,1345 @@ +* Tue Apr 5 2022 max@suse.com +- bsc#1197872, CVE-2022-0934, dnsmasq-CVE-2022-0934.patch: + Heap use after free in dhcp6_no_relay +* Thu Nov 18 2021 max@suse.com +- bsc#1192529, dnsmasq-resolv-conf.patch: + Fix a segfault when re-reading an empty resolv.conf +- Remove "nogroup" membership from the dnsmasq user. +* Wed Oct 20 2021 gmbr3@opensuse.org +- Use systemd-sysusers from 15.3 onwards +* Thu Sep 23 2021 max@suse.com +- jsc#SLE-17936: Sync this state from Factory to SLE-15-SP1. +- SLE bugs that got fixed upstream between 2.79 and 2.86, but for + which we need to keep references when syncing: + * bsc#1176076: dnsmasq-servfail.patch + * bsc#1156543: dnsmasq-siocgstamp.patch + * bsc#1138743: dnsmasq-cache-size.patch + * bsc#1076958: CVE-2017-15107, dnsmasq-CVE-2017-15107.patch + * bsc#1180914: Open inotify socket only when used. + * removed dnsmasq-dnspooq.patch +- bsc#1173646, CVE-2020-14312: Set --local-service by default. +* Fri Sep 17 2021 max@suse.com +- Update to 2.86: + * Handle DHCPREBIND requests in the DHCPv6 server code. + * Fix bug which caused dnsmasq to lose track of processes forked + to handle TCP DNS connections under heavy load. + * Major rewrite of the DNS server and domain handling code. This + should be largely transparent, but it drastically improves + performance and reduces memory foot-print when configuring + large numbers of domains. + * Revise resource handling for number of concurrent DNS queries. + * Improve efficiency of DNSSEC. + * Connection track mark based DNS query filtering. + * Allow smaller than 64 prefix lengths in synth-domain, with + caveats. + - -synth-domain=1234:4567::/56,example.com is now valid. + * Make domains generated by --synth-domain appear in replies + when in authoritative mode. + * Ensure CAP_NET_ADMIN capability is available when conntrack + is configured. 
+ * When --dhcp-hostsfile --dhcp-optsfile and --addn-hosts are + given a directory as argument, define the order in which files + within that directory are read (alphabetical order of filename). +* Tue Sep 14 2021 jsegitz@suse.com +- Added hardening to systemd service(s) (bsc#1181400). +* Sun Jun 13 2021 gmbr3@opensuse.org +- Add now working CONFIG parameter to sysusers generator +* Wed Jun 2 2021 gmbr3@opensuse.org +- Change to using systemd-sysusers on TW +* Mon Apr 19 2021 max@suse.com +- Update to 2.85: + * Fix problem with DNS retries in 2.83/2.84. + * Tweak sort order of tags in get-version. + * Avoid treating a --dhcp-host which has an IPv6 address as + eligible for use with DHCPv4 on the grounds that it has + no address, and vice-versa. + * Add --dynamic-host option: A and AAAA records which take their + network part from the network of a local interface. Useful + for routers with dynamically prefixes. + * Teach --bogus-nxdomain and --ignore-address to take an IPv4 + subnet. + * CVE-2021-3448, bsc#1183709: Use random source ports where + possible if source addresses/interfaces in use. + * Change the method of allocation of random source ports for DNS. + * Scale the size of the DNS random-port pool based on the + value of the --dns-forward-max configuration. + * Tweak TFTP code to check sender of all received packets, as + specified in RFC 1350 para 4. +* Mon Feb 8 2021 dmueller@suse.com +- update to 2.84: + * Change HAVE_NETTLEHASH compile-time to HAVE_CRYPTOHASH + * Tidy initialisation in hash_questions.c + * Optimise sort_rrset for the case where the RR type + * Move fd into frec_src +* Wed Jan 27 2021 gmbr3@opensuse.org +- Fix building with lua54 +* Tue Jan 19 2021 max@suse.com +- Update to 2.83: + * bsc#1177077: Fixed DNSpooq vulnerabilities + * Use the values of --min-port and --max-port in outgoing + TCP connections to upstream DNS servers. + * Fix a remote buffer overflow problem in the DNSSEC code. 
+ Any dnsmasq with DNSSEC compiled in and enabled is vulnerable + to this, referenced by CVE-2020-25681, CVE-2020-25682, + CVE-2020-25683 CVE-2020-25687. + * Be sure to only accept UDP DNS query replies at the address + from which the query was originated. This keeps as much + entropy in the {query-ID, random-port} tuple as possible, to + help defeat cache poisoning attacks. Refer: CVE-2020-25684. + * Use the SHA-256 hash function to verify that DNS answers + received are for the questions originally asked. This replaces + the slightly insecure SHA-1 (when compiled with DNSSEC) or + the very insecure CRC32 (otherwise). Refer: CVE-2020-25685 + * Handle multiple identical near simultaneous DNS queries better. + Previously, such queries would all be forwarded independently. + This is, in theory, inefficent but in practise not a problem, + _except_ that is means that an answer for any of the forwarded + queries will be accepted and cached. + An attacker can send a query multiple times, and for each + repeat, another {port, ID} becomes capable of accepting the + answer he is sending in the blind, to random IDs and ports. + The chance of a succesful attack is therefore multiplied by the + number of repeats of the query. The new behaviour detects + repeated queries and merely stores the clients sending repeats + so that when the first query completes, the answer can be sent + to all the clients who asked. Refer: CVE-2020-25686. +* Tue Jul 28 2020 mrey@suse.com +- Update to 2.82: + * Improve behaviour in the face of network interfaces which come + and go and change index. + * Convert hard startup failure on NETLINK_NO_ENOBUFS under + qemu-user to a warning. + * Allow IPv6 addresses ofthe form [::ffff:1.2.3.4] in + - -dhcp-option. + * Fix crash under heavy TCP connection load introduced in 2.81. + * Change default lease time for DHCPv6 to one day. 
+ * Alter calculation of preferred and valid times in router + advertisements, so that these do not have a floor applied of + the lease time in the dhcp-range if this is not explicitly + specified and is merely the default. +- Reformat spec file with spec-cleaner +* Tue May 5 2020 info@paolostivanin.com +- Update to 2.81: + * Improve cache behaviour for TCP connections + * Remove the NO_FORK compile-time option, and support for uclinux + * Fix line-counting when reading /etc/hosts and friends + * Fix bug in DNS non-terminal code, added in 2.80, which could + sometimes cause a NODATA rather than an NXDOMAIN reply. + * Support TCP-fastopen (RFC-7413) on both incoming and + outgoing TCP connections, if supported and enabled in the OS. + * Improve kernel-capability manipulation code under Linux + * Add --shared-network config. This enables allocation of addresses + by the DHCP server in subnets where the server (or relay) does not + have an interface on the network in that subnet. Many thanks to + kamp.de for sponsoring this feature. + * Fix broken contrib/lease_tools/dhcp_lease_time.c. A packet + validation check got borked in commit 2b38e382 and release 2.80. + Thanks to Tomasz Szajner for spotting this. + * Fix compilation against nettle version 3.5 and later. + * Fix spurious DNSSEC validation failures when the auth section + of a reply contains unsigned RRs from a signed zone, + with the exception that NSEC and NSEC3 RRs must always be signed. + Thanks to Tore Anderson for spotting and diagnosing the bug. + * Add --dhcp-ignore-clid. This disables reading of DHCP client + identifier option (option 61), so clients are only identified by + MAC addresses. + * Fix a bug which stopped --dhcp-name-match from working when a hostname + is supplied in --dhcp-host. Thanks to James Feeney for spotting this. + * Fix bug which caused very rarely caused zero-length DHCPv6 packets. + Thanks to Dereck Higgins for spotting this. + * Add --tftp-single-port option. 
+ * Enhance --conf-dir to load files in a deterministic order + * Add filtering by tag of --dhcp-host directives + * Remove DSA signature verification from DNSSEC, as specified in + RFC 8624 + * Add --script-on-renewal option. +- Remove Fix-build-with-libnettle-3.5.patch +- Remove 0001-fix-build-after-y2038-changes-in-glibc.patch +- Remove dnsmasq-CVE-2019-14834.patch +* Sat Nov 30 2019 dimstar@opensuse.org +- Remove redundant %%else without meaning (if/else/else/endif?) +* Wed Nov 13 2019 max@suse.com +- bsc#1154849, CVE-2019-14834, dnsmasq-CVE-2019-14834.patch: + memory leak in the create_helper() function in /src/helper.c +- bsc#1143454: Require user(tftp) instead of creating it ourselves. +- Package contrib/lease-tools/dhcp_release6. +- bsc#1152539: include config files from /etc/dnsmasq.d/*.conf . +* Wed Sep 4 2019 stefan.bruens@rwth-aachen.de +- Add Fix-build-with-libnettle-3.5.patch +* Tue Jul 23 2019 matthias.gerstner@suse.com +- removal of SuSEfirewall2 service, since SuSEfirewall2 has been replaced by + firewalld, see [1]. + [1]: https://lists.opensuse.org/opensuse-factory/2019-01/msg00490.html +* Wed Jul 10 2019 jslaby@suse.com +- add 0001-fix-build-after-y2038-changes-in-glibc.patch +* Tue Jun 11 2019 dimstar@opensuse.org +- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to + shortcut the build queues by allowing usage of systemd-mini +* Fri Feb 22 2019 fbui@suse.com +- Drop use of $FIRST_ARG in .spec + The use of $FIRST_ARG was probably required because of the + %%service_* rpm macros were playing tricks with the shell positional + parameters. This is bad practice and error prones so let's assume + that no macros should do that anymore and hence it's safe to assume + that positional parameters remains unchanged after any rpm macro + call. +* Wed Jan 23 2019 crrodriguez@opensuse.org +- libidn should not be used anymore, switch to libidn2 +* Mon Oct 22 2018 jengelh@inai.de +- Ensure neutrality of descriptions. 
/ Replace description with + new upstream description. +- Do not hide failures from user/group additions. +- Replace old $RPM_* shell vars by macros. +* Sun Oct 21 2018 sean@suspend.net +- Updated to dnsmasq 2.80 + * Add support for RFC 4039 DHCP rapid commit + * Alter the default for dnssec-check-unsigned + * Fix DHCP when --no-ping and --dhcp-sequential-ip are set + * Allow zone transfer in authoritative mode if auth-peer is specified + * FIx missing fatal errors with some malformed options + * Fix crash on startup with a --synth-domain which has no prefix +* Fri Oct 19 2018 cgoll@suse.com +- enabled lua scripting interface (FATE#327143). +* Wed Aug 29 2018 dmueller@suse.com +- add missing prereq on the group to be created (bsc#1106446) +* Mon Jul 16 2018 kukuk@suse.de +- Don't require systemd explicit, fix spec file to handle both + cases correct. In containers we don't have systemd. +- Adjust pre/post install for transactional updates. +- Use %%license instead of %%doc [bsc#1082318] +* Mon Dec 4 2017 idonmez@suse.com +- Update keyring +* Fri Dec 1 2017 cbosdonnat@suse.com +- Get rid of python dependency due to examples. (fate#323526) +* Mon Oct 2 2017 max@suse.com +- Security update to version 2.78: + * bsc#1060354, CVE-2017-14491: 2 byte heap based overflow. + * bsc#1060355, CVE-2017-14492: heap based overflow. + * bsc#1060360, CVE-2017-14493: stack based overflow. + * bsc#1060361, CVE-2017-14494: DHCP - info leak. + * bsc#1060362, CVE-2017-14495: DNS - OOM DoS. + * bsc#1060364, CVE-2017-14496: DNS - DoS Integer underflow. + * Fix DHCP relaying, broken in 2.76 and 2.77. 
+ * For other changes, see + http://www.thekelleys.org.uk/dnsmasq/CHANGELOG +- Obsoleted patches: + * Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch + * Handle-binding-upstream-servers-to-an-interface.patch +* Tue Sep 12 2017 tchvatal@suse.com +- Fix /srv/tftpboot permissions wrt bsc#940608 +* Fri Aug 18 2017 dmueller@suse.com +- reload system dbus to pick up policy change on install (bsc#1054429) +* Wed Jan 4 2017 martin.wilck@suse.com +- Handle binding upstream servers to an interface if interface + is destroyed and recreated (boo#1018160) + Added two patches from upstream: + * added Handle-binding-upstream-servers-to-an-interface.patch + * added Fix-crash-introduced-in-2675f2061525bc954be14988d643.patch +* Wed Aug 3 2016 max@suse.com +- Update to 2.76: + * Include 0.0.0.0/8 in DNS rebind checks. + * Enhance --add-subnet to allow arbitrary subnet addresses. + * Respect the --no-resolv flag in inotify code. Fixes bug + which caused dnsmasq to fail to start if a resolv-file + was a dangling symbolic link, even of --no-resolv set. + * Fix crash when an A or AAAA record is defined locally, + in a hosts file, and an upstream server sends a reply + that the same name is empty (CVE-2015-8899, bsc#983273). + * Fix failure to correctly calculate cache-size when reading a + hosts-file fails. + * Fix wrong answer to simple name query when --domain-needed + set, but no upstream servers configured. + * Return REFUSED when running out of forwarding table slots, + not SERVFAIL. + * Add --max-port configuration. + * Add --script-arp and two new functions for the dhcp-script. + * Extend --add-mac to allow a new encoding of the MAC address + as base64, by configurting --add-mac=base64 + * Add --add-cpe-id option. + * Don't crash with divide-by-zero if an IPv6 dhcp-range is + declared as a whole /64. + (ie xx::0 to xx::ffff:ffff:ffff:ffff) + * Add support for a TTL parameter in --host-record and --cname. + * Add --dhcp-ttl option. + * Add --tftp-mtu option. 
+ * Check return-code of inet_pton() when parsing dhcp-option. + * Fix wrong value for EDNS UDP packet size when using + - -servers-file to define upstream DNS servers. + * Add dhcp_release6 to contrib/lease-tools. +* Thu Jun 16 2016 max@suse.com +- dnsmasq-groups.patch: Initialize the supplementary groups of the + dnsmasq user (bsc#859298). +* Tue Feb 2 2016 mpluskal@suse.com +- Add gpg signature +* Mon Aug 24 2015 stefan.bruens@rwth-aachen.de +- spec file cleanup, get rid of redifinition warnings +* Tue Aug 11 2015 stefan.bruens@rwth-aachen.de +- Update to 2.75, announce message: + Fix reversion on 2.74 which caused 100%% CPU use when a + dhcp-script is configured. Thanks to Adrian Davey for + reporting the bug and testing the fix. +- Update to 2.74, announce message: + Fix reversion in 2.73 where --conf-file would attempt to + read the default file, rather than no file. + Fix inotify code to handle dangling symlinks better and + not SEGV in some circumstances. + DNSSEC fix. In the case of a signed CNAME generated by a + wildcard which pointed to an unsigned domain, the wrong + status would be logged, and some necessary checks omitted. +- Update to 2.73, announce message: + Fix crash at startup when an empty suffix is supplied to + - -conf-dir, also trivial memory leak. Thanks to + Tomas Hozza for spotting this. + Remove floor of 4096 on advertised EDNS0 packet size when + DNSSEC in use, the original rationale for this has long gone. + Thanks to Anders Kaseorg for spotting this. + Use inotify for checking on updates to /etc/resolv.conf and + friends under Linux. This fixes race conditions when the files are + updated rapidly and saves CPU by noy polling. To build + a binary that runs on old Linux kernels without inotify, + use make COPTS=-DNO_INOTIFY + Fix breakage of --domain=,,local - only reverse + queries were intercepted. THis appears to have been broken + since 2.69. Thanks to Josh Stone for finding the bug. 
+ Eliminate IPv6 privacy addresses and deprecated addresses from + the answers given by --interface-name. Note that reverse queries + (ie looking for names, given addresses) are not affected. + Thanks to Michael Gorbach for the suggestion. + Fix crash in DNSSEC code with long RRs. Thanks to Marco Davids + for the bug report. + Add --ignore-address option. Ignore replies to A-record + queries which include the specified address. No error is + generated, dnsmasq simply continues to listen for another + reply. This is useful to defeat blocking strategies which + rely on quickly supplying a forged answer to a DNS + request for certain domains, before the correct answer can + arrive. Thanks to Glen Huang for the patch. + Revisit the part of DNSSEC validation which determines if an + unsigned answer is legit, or is in some part of the DNS + tree which should be signed. Dnsmasq now works from the + DNS root downward looking for the limit of signed + delegations, rather than working bottom up. This is + both more correct, and less likely to trip over broken + nameservers in the unsigned parts of the DNS tree + which don't respond well to DNSSEC queries. + Add --log-queries=extra option, which makes logs easier + to search automatically. + Add --min-cache-ttl option. I've resisted this for a long + time, on the grounds that disbelieving TTLs is never a + good idea, but I've been persuaded that there are + sometimes reasons to do it. (Step forward, GFW). + To avoid misuse, there's a hard limit on the TTL + floor of one hour. Thansk to RinSatsuki for the patch. + Cope with multiple interfaces with the same link-local + address. (IPv6 addresses are scoped, so this is allowed.) + Thanks to Cory Benfield for help with this. + Add --dhcp-hostsdir. This allows addition of new host + configurations to a running dnsmasq instance much more + cheaply than having dnsmasq re-read all its existing + configuration each time. 
+ Don't reply to DHCPv6 SOLICIT messages if we're not
+ configured to do stateful DHCPv6. Thanks to Win King Wan
+ for the patch.
+ Fix broken DNSSEC validation of ECDSA signatures.
+ Add --dnssec-timestamp option, which provides an automatic
+ way to detect when the system time becomes valid after
+ boot on systems without an RTC, whilst allowing DNS
+ queries before the clock is valid so that NTP can run.
+ Thanks to Kevin Darbyshire-Bryant for developing this idea.
+ Add --tftp-no-fail option. Thanks to Stefan Tomanek for
+ the patch.
+ Fix crash caused by looking up servers.bind, CHAOS text
+ record, when more than about five --servers= lines are
+ in the dnsmasq config. This causes memory corruption
+ which causes a crash later. Thanks to Matt Coddington for
+ sterling work chasing this down.
+ Fix crash on receipt of certain malformed DNS requests.
+ Thanks to Nick Sampanis for spotting the problem.
+ Note that this is could allow the dnsmasq process's
+ memory to be read by an attacker under certain
+ circumstances, so it has a CVE, CVE-2015-3294
+ Fix crash in authoritative DNS code, if a .arpa zone
+ is declared as authoritative, and then a PTR query which
+ is not to be treated as authoritative arrived. Normally,
+ directly declaring .arpa zone as authoritative is not
+ done, so this crash wouldn't be seen. Instead the
+ relevant .arpa zone should be specified as a subnet
+ in the auth-zone declaration. Thanks to Johnny S. Lee
+ for the bugreport and initial patch.
+ Fix authoritative DNS code to correctly reply to NS
+ and SOA queries for .arpa zones for which we are
+ declared authoritative by means of a subnet in auth-zone.
+ Previously we provided correct answers to PTR queries
+ in such zones (including NS and SOA) but not direct
+ NS and SOA queries. Thanks to Johnny S. Lee for
+ pointing out the problem.
+ Fix logging of DHCPREPLY which should be suppressed
+ by quiet-dhcp6. Thanks to J. Pablo Abonia for
+ spotting the problem.
+ Try and handle net connections with broken fragmentation
+ that lose large UDP packets. If a server times out,
+ reduce the maximum UDP packet size field in the EDNS0
+ header to 1280 bytes. If it then answers, make that
+ change permanent.
+ Check IPv4-mapped IPv6 addresses when --stop-rebind
+ is active. Thanks to Jordan Milne for spotting this.
+ Allow DHCPv4 options T1 and T2 to be set using --dhcp-option.
+ Thanks to Kevin Benton for patches and work on this.
+ Fix code for DHCPCONFIRM DHCPv6 messages to confirm addresses
+ in the correct subnet, even of not in dynamic address
+ allocation range. Thanks to Steve Hirsch for spotting
+ the problem.
+ Add AddDhcpLease and DeleteDhcpLease DBus methods. Thanks
+ to Nicolas Cavallari for the patch.
+ Allow configuration of router advertisements without the
+ "on-link" bit set. Thanks to Neil Jerram for the patch.
+ Extend --bridge-interface to DHCPv6 and router
+ advertisements. Thanks to Neil Jerram for the patch.
+* Wed Jun 17 2015 crrodriguez@opensuse.org
+- dnsmasq.service: Order Before=nss-lookup.target and
+ Wants=nss-lookup.target as this service may provide
+ name resolution even for the localhost.
+* Mon Apr 20 2015 abergmann@suse.com
+- Move trust-anchors.conf into /etc/dnsmasq.d to be AppArmor conform.
+ (bnc#908137)
+* Tue Jan 6 2015 jslaby@suse.com
+- The change from Wed Dec 24 messed group w/ user IDs. Switch them
+ back and be more careful w/ what is changed.
+* Mon Dec 29 2014 dimstar@opensuse.org
+- Fix symlink of rcFOO to /usr/sbin/service, resolving a dangling
+ symlink lint warning (and remove the same from rpmlintrc).
+* Thu Dec 25 2014 nemysis@gmx.ch
+- Remove from spec group_and_isc.patch, forgotten in previous commit
+* Wed Dec 24 2014 nemysis@gmx.ch
+- Update to 2.72, announce message:
+ Add ra-advrouter mode, for RFC-3775 mobile IPv6 support.
+ Add support for "ipsets" in *BSD, using pf. Thanks to
+ Sven Falempim for the patch.
+ Fix race condition which could lock up dnsmasq when an
+ interface goes down and up rapidly. Thanks to Conrad
+ Kostecki for helping to chase this down.
+ Add DBus methods SetFilterWin2KOption and SetBogusPrivOption
+ Thanks to the Smoothwall project for the patch.
+ Fix failure to build against Nettle-3.0. Thanks to Steven
+ Barth for spotting this and finding the fix.
+ When assigning existing DHCP leases to intefaces by comparing
+ networks, handle the case that two or more interfaces have the
+ same network part, but different prefix lengths (favour the
+ longer prefix length.) Thanks to Lung-Pin Chang for the
+ patch.
+ Add a mode which detects and removes DNS forwarding loops, ie
+ a query sent to an upstream server returns as a new query to
+ dnsmasq, and would therefore be forwarded again, resulting in
+ a query which loops many times before being dropped. Upstream
+ servers which loop back are disabled and this event is logged.
+ Thanks to Smoothwall for their sponsorship of this feature.
+ Extend --conf-dir to allow filtering of files. So
+ - -conf-dir=/etc/dnsmasq.d,\*.conf
+ will load all the files in /etc/dnsmasq.d which end in .conf
+ Fix bug when resulted in NXDOMAIN answers instead of NODATA in
+ some circumstances.
+ Fix bug which caused dnsmasq to become unresponsive if it
+ failed to send packets due to a network interface disappearing.
+ Thanks to Niels Peen for spotting this.
+ Fix problem with --local-service option on big-endian platforms
+ Thanks to Richard Genoud for the patch.
+- Add dnsmasq-rpmlintrc, for false positive scripts and symlink
+- Add BuildRequires for dos2unix
+- Use sed instead of simple patch group_and_isc.patch
+* Sun Nov 9 2014 seife+obs@b1-systems.com
+- fix logging, PrivateDevices=yes kills it (bnc#902511, bnc#904537)
+* Tue Aug 26 2014 dsterba@suse.cz
+- enable DNSSEC
+ - require libnettle
+ - package trust-anchors.conf
+- spec fixes:
+ - define HAVE_ flags on commandline, otherwise 'dnsmasq --version'
+ will not correctly reflect the feature status
+* Fri Aug 22 2014 meissner@suse.com
+- actually build with relro and pie. (bnc#893057)
+* Wed Aug 6 2014 vwallfahrer@suse.com
+- Removed Suse and all other OS/Distribution related subdirs from
+ contrib, so only the rest gets packaged. The subdirs are not
+ necessary anymore (bnc#889028).
+* Tue Aug 5 2014 vwallfahrer@suse.com
+- Removed README.SUSE file, it was to confusing and not necessary (bnc#889972).
+ Information is already present in the upstream documentation.
+- Split up vendor-files.tar.bz2 into single files
+- Comply with systemd packaging guidlines
+* Thu Jun 12 2014 cdenicolo@suse.com
+- license update: GPL-2.0 or GPL-3.0
+ correct license is dual GPL-2.0 or GPL-3.0; please add COPYING-v3-file to
+ RPM.
+* Wed Jun 11 2014 dmueller@suse.com
+- update to 2.71:
+ Subtle change to error handling to help DNSSEC validation
+ when servers fail to provide NODATA answers for
+ non-existent DS records.
+ Tweak code which removes DNSSEC records from answers when
+ not required. Fixes broken answers when additional section
+ has real records in it. Thanks to Marco Davids for the bug
+ report.
+ Fix DNSSEC validation of ANY queries. Thanks to Marco Davids
+ for spotting that too.
+ Fix total DNS failure and 100%% CPU use if cachesize set to zero,
+ regression introduced in 2.69. Thanks to James Hunt and
+ the Ubuntu crowd for assistance in fixing this.
+ Fix crash, introduced in 2.69, on TCP request when dnsmasq
+ compiled with DNSSEC support, but running without DNSSEC
+ enabled. Thanks to Manish Sing for spotting that one.
+ Fix regression which broke ipset functionality. Thanks to
+ Wang Jian for the bug report.
+ Implement dynamic interface discovery on *BSD. This allows
+ the contructor: syntax to be used in dhcp-range for DHCPv6
+ on the BSD platform. Thanks to Matthias Andree for
+ valuable research on how to implement this.
+ Fix infinite loop associated with some --bogus-nxdomain
+ configs. Thanks fogobogo for the bug report.
+ Fix missing RA RDNS option with configuration like
+ - -dhcp-option=option6:23,[::] Thanks to Tsachi Kimeldorfer
+ for spotting the problem.
+ Add [fd00::] and [fe80::] as special addresses in DHCPv6
+ options, analogous to [::]. [fd00::] is replaced with the
+ actual ULA of the interface on the machine running
+ dnsmasq, [fe80::] with the link-local address.
+ Thanks to Tsachi Kimeldorfer for championing this.
+ DNSSEC validation and caching. Dnsmasq needs to be
+ compiled with this enabled, with
+ make dnsmasq COPTS=-DHAVE_DNSSEC
+ this add dependencies on the nettle crypto library and the
+ gmp maths library. It's possible to have these linked
+ statically with
+ make dnsmasq COPTS='-DHAVE_DNSSEC -DHAVE_DNSSEC_STATIC'
+ which bloats the dnsmasq binary, but saves the size of
+ the shared libraries which are much bigger.
+ To enable, DNSSEC, you will need a set of
+ trust-anchors. Now that the TLDs are signed, this can be
+ the keys for the root zone, and for convenience they are
+ included in trust-anchors.conf in the dnsmasq
+ distribution. You should of course check that these are
+ legitimate and up-to-date. So, adding
+ conf-file=/path/to/trust-anchors.conf
+ dnssec
+ to your config is all thats needed to get things
+ working. The upstream nameservers have to be DNSSEC-capable
+ too, of course. Many ISP nameservers aren't, but the
+ Google public nameservers (8.8.8.8 and 8.8.4.4) are.
+ When DNSSEC is configured, dnsmasq validates any queries
+ for domains which are signed. Query results which are
+ bogus are replaced with SERVFAIL replies, and results
+ which are correctly signed have the AD bit set. In
+ addition, and just as importantly, dnsmasq supplies
+ correct DNSSEC information to clients which are doing
+ their own validation, and caches DNSKEY, DS and RRSIG
+ records, which significantly improve the performance of
+ downstream validators. Setting --log-queries will show
+ DNSSEC in action.
+ If a domain is returned from an upstream nameserver without
+ DNSSEC signature, dnsmasq by default trusts this. This
+ means that for unsigned zone (still the majority) there
+ is effectively no cost for having DNSSEC enabled. Of course
+ this allows an attacker to replace a signed record with a
+ false unsigned record. This is addressed by the
+ - -dnssec-check-unsigned flag, which instructs dnsmasq
+ to prove that an unsigned record is legitimate, by finding
+ a secure proof that the zone containing the record is not
+ signed. Doing this has costs (typically one or two extra
+ upstream queries). It also has a nasty failure mode if
+ dnsmasq's upstream nameservers are not DNSSEC capable.
+ Without --dnssec-check-unsigned using such an upstream
+ server will simply result in not queries being validated;
+ with --dnssec-check-unsigned enabled and a
+ DNSSEC-ignorant upstream server, _all_ queries will fail.
+ Note that DNSSEC requires that the local time is valid and
+ accurate, if not then DNSSEC validation will fail. NTP
+ should be running. This presents a problem for routers
+ without a battery-backed clock. To set the time needs NTP
+ to do DNS lookups, but lookups will fail until NTP has run.
+ To address this, there's a flag, --dnssec-no-timecheck
+ which disables the time checks (only) in DNSSEC. When dnsmasq
+ is started and the clock is not synced, this flag should
+ be used. As soon as the clock is synced, SIGHUP dnsmasq.
+ The SIGHUP clears the cache of partially-validated data and
+ resets the no-timecheck flag, so that all DNSSEC checks
+ henceforward will be complete.
+ The development of DNSSEC in dnsmasq was started by
+ Giovanni Bajo, to whom huge thanks are owed. It has been
+ supported by Comcast, whose techfund grant has allowed for
+ an invaluable period of full-time work to get it to
+ a workable state.
+ Add --rev-server. Thanks to Dave Taht for suggesting this.
+ Add --servers-file. Allows dynamic update of upstream servers
+ full access to configuration.
+ Add --local-service. Accept DNS queries only from hosts
+ whose address is on a local subnet, ie a subnet for which
+ an interface exists on the server. This option
+ only has effect if there are no --interface --except-interface,
+ - -listen-address or --auth-server options. It is intended
+ to be set as a default on installation, to allow
+ unconfigured installations to be useful but also safe from
+ being used for DNS amplification attacks.
+ Fix crashes in cache_get_cname_target() when dangling CNAMEs
+ encountered. Thanks to Andy and the rt-n56u project for
+ find this and helping to chase it down.
+ Fix wrong RCODE in authoritative DNS replies to PTR queries. The
+ correct answer was included, but the RCODE was set to NXDOMAIN.
+ Thanks to Craig McQueen for spotting this.
+ Make statistics available as DNS queries in the .bind TLD as
+ well as logging them.
+ Use random addresses for DHCPv6 temporary address
+ allocations, instead of algorithmically determined stable
+ addresses.
+ Fix bug which meant that the DHCPv6 DUID was not available
+ in DHCP script runs during the lifetime of the dnsmasq
+ process which created the DUID de-novo. Once the DUID was
+ created and stored in the lease file and dnsmasq
+ restarted, this bug disappeared.
+ Fix bug introduced in 2.67 which could result in erroneous
+ NXDOMAIN returns to CNAME queries.
+ Fix build failures on MacOS X and openBSD.
+ Allow subnet specifications in --auth-zone to be interface
+ names as well as address literals. This makes it possible
+ to configure authoritative DNS when local address ranges
+ are dynamic and works much better than the previous
+ work-around which exempted contructed DHCP ranges from the
+ IP address filtering. As a consequence, that work-around
+ is removed. Under certain circumstances, this change wil
+ break existing configuration: if you're relying on the
+ contructed-range exception, you need to change --auth-zone
+ to specify the same interface as is used to construct your
+ DHCP ranges, probably with a trailing "/6" like this:
+ - -auth-zone=example.com,eth0/6 to limit the addresses to
+ IPv6 addresses of eth0.
+ Fix problems when advertising deleted IPv6 prefixes. If
+ the prefix is deleted (rather than replaced), it doesn't
+ get advertised with zero preferred time. Thanks to Tsachi
+ for the bug report.
+ Fix segfault with some locally configured CNAMEs. Thanks
+ to Andrew Childs for spotting the problem.
+ Fix memory leak on re-reading /etc/hosts and friends,
+ introduced in 2.67.
+ Check the arrival interface of incoming DNS and TFTP
+ requests via IPv6, even in --bind-interfaces mode. This
+ isn't possible for IPv4 and can generate scary warnings,
+ but as it's always possible for IPv6 (the API always
+ exists) then we should do it always.
+ Tweak the rules on prefix-lengths in --dhcp-range for
+ IPv6. The new rule is that the specified prefix length
+ must be larger than or equal to the prefix length of the
+ corresponding address on the local interface.
+ Fix crash if upstream server returns SERVFAIL when
+ - -conntrack in use. Thanks to Giacomo Tazzari for finding
+ this and supplying the patch.
+ Repair regression in 2.64. That release stopped sending
+ lease-time information in the reply to DHCPINFORM
+ requests, on the correct grounds that it was a standards
+ violation. However, this broke the dnsmasq-specific
+ dhcp_lease_time utility. Now, DHCPINFORM returns
+ lease-time only if it's specifically requested
+ (maintaining standards) and the dhcp_lease_time utility
+ has been taught to ask for it (restoring functionality).
+ Fix --dhcp-match, --dhcp-vendorclass and --dhcp-userclass
+ to work with BOOTP and well as DHCP. Thanks to Peter
+ Korsgaard for spotting the problem.
+ Add --synth-domain. Thanks to Vishvananda Ishaya for
+ suggesting this.
+ Fix failure to compile ipset.c if old kernel headers are
+ in use. Thanks to Eugene Rudoy for pointing this out.
+ Handle IPv4 interface-address labels in Linux. These are
+ often used to emulate the old IP-alias addresses. Before,
+ using --interface=eth0 would service all the addresses of
+ eth0, including ones configured as aliases, which appear
+ in ifconfig as eth0:0. Now, only addresses with the label
+ eth0 are active. This is not backwards compatible: if you
+ want to continue to bind the aliases too, you need to add
+ eg. --interface=eth0:0 to the config.
+ Fix "failed to set SO_BINDTODEVICE on DHCP socket: Socket
+ operation on non-socket" error on startup with
+ configurations which have exactly one --interface option
+ and do RA but _not_ DHCPv6. Thanks to Trever Adams for the
+ bug report.
+ Generalise --interface-name to cope with IPv6 addresses
+ and multiple addresses per interface per address family.
+ Fix option parsing for --dhcp-host, which was generating a
+ spurious error when all seven possible items were
+ included. Thanks to Zhiqiang Wang for the bug report.
+ Remove restriction on prefix-length in --auth-zone. Thanks
+ to Toke Hoiland-Jorgensen for suggesting this.
+ Log when the maximum number of concurrent DNS queries is
+ reached. Thanks to Marcelo Salhab Brogliato for the patch.
+ If wildcards are used in --interface, don't assume that
+ there will only ever be one available interface for DHCP
+ just because there is one at start-up. More may appear, so
+ we can't use SO_BINDTODEVICE. Thanks to Natrio for the bug
+ report.
+ Increase timeout/number of retries in TFTP to accomodate
+ AudioCodes Voice Gateways doing streaming writes to flash.
+ Thanks to Damian Kaczkowski for spotting the problem.
+ Fix crash with empty DHCP string options when adding zero
+ terminator. Thanks to Patrick McLean for the bug report.
+ Allow hostnames to start with a number, as allowed in
+ RFC-1123. Thanks to Kyle Mestery for the patch.
+ Fixes to DHCP FQDN option handling: don't terminate FQDN
+ if domain not known and allow a FQDN option with blank
+ name to request that a FQDN option is returned in the
+ reply. Thanks to Roy Marples for the patch.
+ Make --clear-on-reload apply to setting upstream servers
+ via DBus too.
+ When the address which triggered the construction of an
+ advertised IPv6 prefix disappears, continue to advertise
+ the prefix for up to 2 hours, with the preferred lifetime
+ set to zero. This satisfies RFC 6204 4.3 L-13 and makes
+ things work better if a prefix disappears without being
+ deprecated first. Thanks to Uwe Schindler for persuasively
+ arguing for this.
+ Fix MAC address enumeration on *BSD. Thanks to Brad Smith
+ for the bug report.
+ Support RFC-4242 information-refresh-time options in the
+ reply to DHCPv6 information-request. The lease time of the
+ smallest valid dhcp-range is sent. Thanks to Uwe Schindler
+ for suggesting this.
+ Make --listen-address higher priority than --except-interface
+ in all circumstances. Thanks to Thomas Hood for the bugreport.
+ Provide independent control over which interfaces get TFTP
+ service. If enable-tftp is given a list of interfaces, then TFTP
+ is provided on those. Without the list, the previous behaviour
+ (provide TFTP to the same interfaces we provide DHCP to)
+ is retained. Thanks to Lonnie Abelbeck for the suggestion.
+ Add --dhcp-relay config option. Many thanks to vtsl.net
+ for sponsoring this development.
+ Fix crash with empty tag: in --dhcp-range. Thanks to
+ Kaspar Schleiser for the bug report.
+ Add "baseline" and "bloatcheck" makefile targets, for
+ revealing size changes during development. Thanks to
+ Vladislav Grishenko for the patch.
+ Cope with DHCPv6 clients which send REQUESTs without
+ address options - treat them as SOLICIT with rapid commit.
+ Support identification of clients by MAC address in
+ DHCPv6. When using a relay, the relay must support RFC
+ 6939 for this to work. It always works for directly
+ connected clients. Thanks to Vladislav Grishenko
+ for prompting this feature.
+ Remove the rule for constructed DHCP ranges that the local
+ address must be either the first or last address in the
+ range. This was originally to avoid SLAAC addresses, but
+ we now explicitly autoconfig and privacy addresses instead.
+ Update Polish translation. Thanks to Jan Psota.
+ Fix problem in DHCPv6 vendorclass/userclass matching
+ code. Thanks to Tanguy Bouzeloc for the patch.
+ Update Spanish transalation. Thanks to Vicente Soriano.
+ Add --ra-param option. Thanks to Vladislav Grishenko for
+ inspiration on this.
+ Add --add-subnet configuration, to tell upstream DNS
+ servers where the original client is. Thanks to DNSthingy
+ for sponsoring this feature.
+ Add --quiet-dhcp, --quiet-dhcp6 and --quiet-ra. Thanks to
+ Kevin Darbyshire-Bryant for the initial patch.
+ Allow A/AAAA records created by --interface-name to be the
+ target of --cname. Thanks to Hadmut Danisch for the
+ suggestion.
+ Avoid treating a --dhcp-host which has an IPv6 address
+ as eligable for use with DHCPv4 on the grounds that it has
+ no address, and vice-versa. Thanks to Yury Konovalov for
+ spotting the problem.
+ Do a better job caching dangling CNAMEs. Thanks to Yves
+ Dorfsman for spotting the problem.
+ Add the ability to act as an authoritative DNS
+ server. Dnsmasq can now answer queries from the wider 'net
+ with local data, as long as the correct NS records are set
+ up. Only local data is provided, to avoid creating an open
+ DNS relay. Zone transfer is supported, to allow secondary
+ servers to be configured.
+ Add "constructed DHCP ranges" for DHCPv6. This is intended
+ for IPv6 routers which get prefixes dynamically via prefix
+ delegation. With suitable configuration, stateful DHCPv6
+ and RA can happen automatically as prefixes are delegated
+ and then deprecated, without having to re-write the
+ dnsmasq configuration file or restart the daemon. Thanks to
+ Steven Barth for extensive testing and development work on
+ this idea.
+ Fix crash on startup on Solaris 11. Regression probably
+ introduced in 2.61. Thanks to Geoff Johnstone for the
+ patch.
+ Add code to make behaviour for TCP DNS requests that same
+ as for UDP requests, when a request arrives for an allowed
+ address, but via a banned interface. This change is only
+ active on Linux, since the relevant API is missing (AFAIK)
+ on other platforms. Many thanks to Tomas Hozza for
+ spotting the problem, and doing invaluable discovery of
+ the obscure and undocumented API required for the solution.
+ Don't send the default DHCP option advertising dnsmasq as
+ the local DNS server if dnsmasq is configured to not act
+ as DNS server, or it's configured to a non-standard port.
+ Add DNSMASQ_CIRCUIT_ID, DNSMASQ_SUBCRIBER_ID,
+ DNSMASQ_REMOTE_ID variables to the environment of the
+ lease-change script (and the corresponding Lua). These hold
+ information inserted into the DHCP request by a DHCP relay
+ agent. Thanks to Lakefield Communications for providing a
+ bounty for this addition.
+ Fixed crash, introduced in 2.64, whilst handling DHCPv6
+ information-requests with some common configurations.
+ Thanks to Robert M. Albrecht for the bug report and
+ chasing the problem.
+ Add --ipset option. Thanks to Jason A. Donenfeld for the
+ patch.
+ Don't erroneously reject some option names in --dhcp-match
+ options. Thanks to Benedikt Hochstrasser for the bug report.
+ Allow a trailing '*' wildcard in all interface-name
+ configurations. Thanks to Christian Parpart for the patch.
+ Handle the situation where libc headers define
+ SO_REUSEPORT, but the kernel in use doesn't, to cope with
+ the introduction of this option to Linux. Thanks to Rich
+ Felker for the bug report.
+ Update Polish translation. Thanks to Jan Psota.
+ Fix crash if the configured DHCP lease limit is
+ reached. Regression occurred in 2.61. Thanks to Tsachi for
+ the bug report.
+ Update the French translation. Thanks to Gildas le Nadan.
+* Wed Mar 26 2014 crrodriguez@opensuse.org
+- dnsmasq.service: Set PrivateDevices=yes so we run in a
+ separate namespace with the bare minimum device nodes isolated
+ from the host.
+* Mon Apr 22 2013 meissner@suse.com
+- reintroduced /sbin/rcdnsmasq as /sbin/service link.
+* Sat Apr 20 2013 crrodriguez@opensuse.org
+- Do not order after syslog.target which it is neither
+ required not recommended and currently no longer even exists.
+* Sat Apr 13 2013 coolo@suse.com
+- sync /srv/tftpboot directory attributes with atftp package
+* Wed Apr 3 2013 crrodriguez@opensuse.org
+- remove all sysvinit support
+* Tue Mar 12 2013 vuntz@suse.com
+- Create a utils subpackage to include DHCP lease management utils
+ (that are living in contrib/wrt):
+ + Explicitly build them in %%build and install the files in
+ %%install.
+ + Summary and description of the new subpackage are taken from
+ Fedora.
+* Fri Feb 22 2013 rmilasan@suse.com
+- Install dnsmasq.service accordingly (/usr/lib/systemd for 12.3
+ and up or /lib/systemd for older versions).
+* Fri Dec 14 2012 toganm@opensuse.org
+- Update to version 2.65. For other changes relating to other
+ versions in between please see the CHANGELOG
+ * Fix regression which broke forwarding orgf queries sent via
+ TCP which are not for A and AAAA and which were directed to
+ non-default servers. Thanks to Niax for the bug reportst.
+ Fix failure to build with DHCP support excluded. Thanks to
+ Gustavo Zacarias for the patch.
+ Fix nasty regression in 27.64 which completely broke cacheing.
+- renamed group_and_isc.diff to group_and_isc.patch rebasinp to -p1
+ level as outlined in the documentation at
+ http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines
+* Thu Oct 4 2012 cfarrell@suse.com
+- license update: GPL-2.0
+ Most of the source code files give a choice of either GPL-2.0 or GPL-3.0
+ (not GPL-2.0+). The website states that the COPYING file in the
+ distribution is the official license - in this case it is GPL-2.0. This
+ is consistent with what Fedora state about the package. Accordingly, I^d
+ be ok with License: GPL-2.0 or License: (GPL-2.0 or GPL-3.0) but not
+ License: GPL-2.0+
+* Sun Jun 24 2012 crrodriguez@opensuse.org
+- Update to version 2.62, misc bugfixes
+- Fix CFLAGS/LDFLAGS usage
+- fix the small cache size problem in a different way by tweaking
+ the build config instead.
+* Sat Jun 23 2012 crrodriguez@opensuse.org
+- The default cache size is way too small (150 entries) use a sane
+ default of 2000 as used in *WRT embeeded routers which is still
+ very conservative for a desktop/server machine.
+- use async logging
+* Sun Apr 29 2012 pascal.bleser@opensuse.org
+- update to 2.61:
+ * add ra-names, ra-stateless and slaac keywords for DHCPv6: dnsmasq can now
+ synthesise AAAA records for dual-stack hosts which get IPv6 addresses via
+ SLAAC; it is also now possible to use SLAAC and stateless DHCPv6, and to
+ tell clients to use SLAAC addresses as well as DHCP ones
+ * add --dhcp-duid to allow DUID-EN uids to be used
+ * explicity send DHCPv6 replies to the correct port, instead of relying on
+ clients to send requests with the correct source address, since at least
+ one client in the wild gets this wrong
+ * send a preference value of 255 in DHCPv6 replies when --dhcp-authoritative
+ is in effect: his tells clients not to wait around for other DHCP servers
+ * better logging of DHCPv6 options
+ * add --host-record
+ * invoke the DHCP script with action "tftp" when a TFTP file transfer
+ completes: the size of the file, address to which it was sent and complete
+ pathname are supplied; note that version 2.60 introduced some script
+ incompatibilties associated with DHCPv6, and this is a further change; to
+ be safe, scripts should ignore unknown actions, and if not IPv6-aware,
+ should exit if the environment variable DNSMASQ_IAID is set; the use-case
+ for this is to track netboot/install
+ * update contrib/port-forward/dnsmasq-portforward to reflect the above
+ * set the environment variable DNSMASQ_LOG_DHCP when running the script id
+ - -log-dhcp is in effect, so that script can taylor their logging verbosity
+ * arrange that addresses specified with --listen-address work even if there
+ is no interface carrying the address; this is chiefly useful for IPv4
+ loopback addresses, where any address in 127.0.0.0/8 is a valid loopback
+ address, but normally only 127.0.0.1 appears on the lo interface
+ * fix crash, introduced in 2.60, when a DHCPINFORM is received from a network
+ which has no valid dhcp-range
+ * add a new DHCP lease time keyword, "deprecated" for --dhcp-range: this is
+ only valid for IPv6, and sets the preffered lease time for both DHCP and RA
+ to zero; the effect is that clients can continue to use the address for
+ existing connections, but new connections will use other addresses, if they
+ exist; this makes hitless renumbering at least possible
+ * fix bug in address6_available() which caused DHCPv6 lease aquistion to fail
+ if more than one dhcp-range in use
+ * provide RDNSS and DNSSL data in router advertisements, using the settings
+ provided for DHCP options option6:domain-search and option6:dns-server
+ * don't cache data from non-recursive nameservers, since it may erroneously
+ look like a valid CNAME to a non-exitant name
+ * call SO_BINDTODEVICE on the DHCP socket(s) when doing DHCP on exacly one
+ interface and --bind-interfaces is set; this makes the OpenStack use-case
+ of one dnsmasq per virtual interface work
+ * give correct from-cache answers to explict CNAME queries
+ * add --tftp-lowercase option
+ * ensure that the DBus DhcpLeaseUpdated events are generated when a lease
+ goes through INIT_REBOOT state, even if the dhcp-script is not in use
+* Tue Mar 6 2012 ug@suse.de
+- some dhcp fixes
+- Add Lua integration
+- Set TOS on DHCP sockets
+- Improve start-up speed when reading large hosts files
+- Fix problem if dnsmasq is started without the stdin
+- Allow the TFP server or boot server in --pxe-service
+- Support DHCPv6. Support is there for the sort of things
+ the existing v4 server does, including tags, options,
+ static addresses and relay support
+- Support IPv6 router advertisements
+- Fix long-standing wrinkle with --localise-queries that
+ could result in wrong answers when DNS packets arrive
+ via an interface other than the expected one
+- 2.60
+* Wed Feb 8 2012 ug@suse.de
+- added correct group for tftp
+ (bnc#738905)
+* Mon Feb 6 2012 crrodriguez@opensuse.org
+- Use systemd macros correctly
+- build with PIE and full RELRO.
+* Thu Jan 19 2012 crrodriguez@opensuse.org
+- --enable-dbus must be explicit in systemd unit
+- default user is provided in config file or takes defaults on
+ group_and_isc.diff
+* Wed Jan 18 2012 crrodriguez@opensuse.org
+- dnsmasq has dbus support, use it for systemd service.
+* Fri Nov 25 2011 ug@suse.de
+- removed systemd config for pre-12.1
+* Thu Nov 24 2011 crrodriguez@opensuse.org
+- Must be of type forking and change uid to dnsmasq
+* Thu Nov 24 2011 crrodriguez@opensuse.org
+- Add systemd startup script
+* Thu Oct 20 2011 ug@suse.de
+- dnsmasq still announced itself as 2.59-RC1
+ no other code changes than just the correct version string
+* Tue Oct 18 2011 ug@suse.de
+- fixed binding to IPv6 link-local addresses
+ (regression from 2.58)
+- 2.59
+* Sun Sep 18 2011 jengelh@medozas.de
+- Remove redundant tags/sections from specfile
+ (cf. packaging guidelines)
+- Use %%_smp_mflags for parallel build
+* Fri Aug 26 2011 ug@suse.de
+- Support scope-ids in IPv6 addresses of nameservers from
+ /etc/resolv.conf and in --server options
+- Fix bug which resulted in truncated files and timeouts for
+ some TFTP transfers
+- Allow the TFTP-server address in --dhcp-boot to be a
+ domain-name which is looked up in /etc/hosts
+- Tweak the behaviour of --domain-needed
+- Add support for Linux conntrack connection marking
+- Don't return NXDOMAIN to an AAAA query if we have CNAME
+ which points to an A record only
+- logging fixes
+- many DHCP fixes and features (see Changelog)
+- update to 2.58
+* Wed Mar 2 2011 ug@suse.de
+- Add IPv6 support to the TFTP server
+- Log DNS queries at level LOG_INFO
+- Add --add-mac option
+- some logging fixes
+- Don't complain about strings longer than
+ 255 characters in txt records
+- extended the --domain option
+- Never cache DNS replies which have the 'cd' bit set
+- Add --proxy-dnssec flag
+- Allow a filename of "-" for --conf-file
+- some smaller bugfixes
+- update to 2.57
+* Tue Jun 8 2010 ug@suse.de
+ * Fix crash when /etc/ethers is in use.
+ * Fix crash in netlink_multicast().
+ * Allow the empty domain "." in dhcp domain-search (119)
+ options.
+ * 2.55 (there was no 2.54)
+* Mon Jun 7 2010 ug@suse.de
+ * Fixed bug which caused bad things to happen if a
+ resolv.conf file which exists is subsequently removed
+ * Rationalised the DHCP tag system
+ * Added --tag-if to allow boolean operations on tags
+ * Add broadcast/unicast information to DHCP logging
+ * Allow --dhcp-broadcast to be unconditional
+ * Fixed incorrect behaviour with NOT conditionals in
+ dhcp-options
+ * If we send vendor-class encapsulated options based on the
+ vendor-class supplied by the client, and no explicit
+ vendor-class option is given, echo back the vendor-class
+ from the client.
+ * Fix bug which stopped dnsmasq from matching both a
+ circuitid and a remoteid
+ * Add --dhcp-proxy
+ * Added interface: part to dhcp-range
+ * and a lot more ... checke the CHANGELOG in the package
+ * 2.53
+* Mon Jan 25 2010 ug@suse.de
+ * adds support for RFC 3925 vendor identifying vendor
+ options.
+ * has some minor enhancements to the PXE subsystem and external
+ hooks for tracking DHCP leases.
+ * 2.52
+* Fri Nov 20 2009 ug@suse.de
+ * Add support for internationalised DNS.
+ * Add two more environment variables for lease-change scripts:
+ First, DNSMASQ_SUPPLIED_HOSTNAME; this is set to the hostname
+ supplied by a client, even if the actual hostname used is
+ over-ridden by dhcp-host or dhcp-ignore-names directives.
+ Also DNSMASQ_RELAY_ADDRESS which gives the address of
+ a DHCP relay, if used.
+ * Fix regression which broke echo of relay-agent
+ options. Thanks to Michael Rack for spotting this.
+ * Don't treat option 67 as being interchangeable with
+ dhcp-boot parameters if it's specified as
+ dhcp-option-force.
+ * Make the code to call scripts on lease-change compile-time
+ optional. It can be switched off by editing src/config.h
+ or building with "make COPTS=-DNO_SCRIPT".
+ * Make the TFTP server cope with filenames from Windows/DOS
+ which use '\' as pathname separator. Thanks to Ralf for
+ the patch.
+ * Warn if an IP address is duplicated in /etc/ethers.
+ * Teach --conf-dir to take an option list of file suffices
+ which will be ignored when scanning the directory. Useful
+ for backup files etc. Thanks to Helmut Hullen for the
+ suggestion.
+ * Add new DHCP option named tftpserver-address
+ * Don't do any PXE processing, even for clients with the
+ correct vendorclass, unless at least one pxe-prompt or
+ pxe-service option is given.
+ * Limit the blocksize used for TFTP transfers to a value
+ which avoids packet fragmentation, based on the MTU of the
+ local interface. Many netboot ROMs can't cope with
+ fragmented packets.
+ * Honour dhcp-ignore configuration for PXE and proxy-PXE
+ requests.
+ * 2.51
+* Tue Nov 3 2009 coolo@novell.com
+- updated patches to apply with fuzz=0
+* Tue Sep 1 2009 ug@suse.de
+- Fix security problem which allowed any host permitted to
+ do TFTP to possibly compromise dnsmasq by remote buffer
+ overflow when TFTP enabled.
+- version 2.50
+* Tue Jun 16 2009 ug@suse.de
+- Fix regression in 2.48 which disables the lease-change
+ script
+- version 2.49
+* Fri Jun 5 2009 ug@suse.de
+-Fixed bug which broke binding of servers to physical
+ interfaces when interface names were longer than four
+ characters.
+- Fixed netlink code
+- Don't read included configuration files more than once
+- Mark log messages from the various subsystems in dnsmasq
+- Fix possible infinite DHCP protocol loop when an IP
+ address nailed to a hostname
+- Allow --addn-hosts to take a directory
+- Support --bridge-interface on all platforms
+- Added support for advanced PXE functions
+- Improvements to DHCP logging
+- Added --test command-line switch
+- version 2.48
+* Mon Mar 16 2009 ug@suse.de
+- dbus documentation added
+* Tue Mar 10 2009 ug@suse.de
+- Enable dbus support by jnelson
+* Fri Feb 6 2009 ug@suse.de
+- Handle duplicate address detection on IPv6 more
+ intelligently
+- Add DBus introspection
+- Update Dbus configuration file
+- Support arbitrarily encapsulated DHCP options
+- dhcp-option = encap:175, 190, "iscsi-client0"
+- dhcp-option = encap:175, 191, "iscsi-client0-secret"
+- Enhance --dhcp-match to allow testing of the contents of a
+ client-sent option, as well as its presence
+- No longer complain about blank lines in
+ /etc/ethers
+- Fix binding of servers to physical devices
+- Reply to DHCPINFORM requests even when the supplied ciaddr
+ doesn't fall in any dhcp-range
+- Allow the source address of an alias to be a range
+- version 2.47
+* Tue Nov 11 2008 kukuk@suse.de
+- Add /usr/sbin/useradd to PreReq
+* Fri Sep 12 2008 mrueckert@suse.de
+- fix manpage.diff to actually apply
+- mark files below /etc as config
+- do not install README.SUSE in %%install as %%doc will clean the
+ directory anyway.
+* Fri Sep 12 2008 ug@suse.de
+- user dnsmasq moved to group nogroup (bnc#401648)
+- added README.SUSE
+- added warning to init script when /etc/ppp is in use
+ since it's not readable anymore
+* Tue Aug 19 2008 ug@suse.de
+- init script fixed
+* Mon Aug 11 2008 ug@suse.de
+- Fix crash when unknown client attempts to renew a DHCP
+ lease, problem introduced in version 2.43. Thanks to
+ Carlos Carvalho for help chasing this down.
+- Fix potential crash when a host which doesn't have a lease
+ does DHCPINFORM. Again introduced in 2.43. This bug has
+ never been reported in the wild.
+- Fix crash in netlink code introduced in 2.43. Thanks to
+ Jean Wolter for finding this.
+- Change implementation of min_port to work even if min-port
+ as large.
+- 2.4.45
+* Mon Jul 14 2008 ug@suse.de
+- This release fixes the DNS spoofing vulnerabilities announced in
+ CERT VU#800113. It adds source port randomization for communication with
+ upstream nameservers and replaces the C library PRNG with stronger code. It
+ makes failure to drop root privileges a hard error (previous versions would
+ log the error and continue, running as root.) Other changes include an
+ update to avoid triggering Linux kernel messages about an out-of-date
+ capabilities ABI, support for NAPTR records, and RFC 5107
+ server-id-override.
+- 2.43
+* Thu Jun 19 2008 ug@suse.de
+- running as user dnsmasq now (bnc#401643)
+* Thu Jun 5 2008 ug@suse.de
+ * Add --dhcp-alternate-port option. Thanks to Jan Psota for
+ the suggestion.
+ * Updated Polish translations - thank to Jan Psota.
+ * Provide --dhcp-bridge on all BSD variants.
+ * Define _LARGEFILE_SOURCE which removes an arbitrary 2GB
+ limit on logfiles. Thanks to Paul Chambers for spotting
+ the problem.
+ * Fix RFC3046 agent-id echo code, broken for many
+ releases. Thanks to Jeremy Laine for spotting the problem
+ and providing a patch.
+ * Add --dhcp-scriptuser option.
+ * Support new capability interface on suitable Linux
+ kernels, removes "legacy support in use" messages. Thanks
+ to Jorge Bastos for pointing this out.
+ * Fix subtle bug in cache code which could cause dnsmasq to
+ lock spinning CPU in rare circumstances. Thanks to Alex
+ Chekholko for bug reports and help debugging.
+ * Support netascii transfer mode for TFTP.
+- 2.42
+* Wed Feb 13 2008 ug@suse.de
+- Allow the DNS function to be completely disabled, by
+ setting the port to zero "--port=0"
+- Fix a bug where NXDOMAIN could be returned for a query
+ even if the name's value was known for a different query
+ type.
+- Fixed possible crash bug in DBus IPv6 code
+- Add --dhcp-no-override option
+- Add --tftp-port-range option
+- Add --stop-dns-rebind option
+- Added --all-servers option
+- Add --dhcp-optsfile option
+- Fixed broken --alias functionality
+- Add --dhcp-match flag
+- Added --dhcp-broadcast, to force broadcast replies
+- multiple bugs fixed
+- 2.41
+* Fri Jan 4 2008 crrodriguez@suse.de
+- bzip tarball
+- use find_lang macro.
+* Thu Dec 6 2007 ug@suse.de
+- version 2.40
+- Fix handling of fully-qualified names in --dhcp-host
+- Fixed error in manpage
+- Fixed misaligned memory access which caused problems on
+ Blackfin CPUs
+- lots of new options (see changelog for details)
+* Wed May 2 2007 ug@suse.de
+- version 2.39
+- names like "localhost." in /etc/hosts with trailing period
+ are treated as fully-qualified.
+- Tolerate and ignore spaces around commas in the
+ configuration file in all circumstances
+- /a is no longer a valid escape in quoted strings.
+- Added symbolic DHCP option names +- Overhauled the log code +- --log-facility can now take a file-name +- Added --log-dhcp flag +- Added 127.0.0.0/8 and 169.254.0.0/16 to the address + ranges affected by --bogus-priv +- Fixed failure of TFTP server with --listen-address +- Added --dhcp-circuitid and --dhcp-remoteid for RFC3046 +- Added --dhcp-subscrid for RFC3993 subscriber-id relay +- Corrected garbage-collection +- Allow absolute paths for TFTP transfers even when + - -tftp-root is set, as long as the path matches the root +- Updated translations +- Added --interface-name option +* Thu Mar 15 2007 ug@suse.de +- SuSEFirewall service files fixed and enhanced +* Tue Mar 6 2007 ug@suse.de +- SuSEFirewall service file added +* Tue Feb 13 2007 ug@suse.de +- version 2.38 + Don't send length zero DHCP option 43 and cope with + encapsulated options whose total length exceeds 255 octets + by splitting them into multiple option 43 pieces. + Avoid queries being retried forever when --strict-order is + set and an upstream server returns a SERVFAIL + error. Thanks to Johannes Stezenbach for spotting this. + Fix BOOTP support, broken in version 2.37. + Add example dhcp-options for Etherboot. + Add \e (for ASCII ESCape) to the set of valid escapes + in config-file strings. + Added --dhcp-option-force flag and examples in the + configuration file which use this to control PXELinux. + Added --tftp-no-blocksize option. + Set netid tag "bootp" when BOOTP (rather than DHCP) is in + use. This makes it easy to customise which options are + sent to BOOTP clients. (BOOTP allows only 64 octets for + options, so it can be necessary to trim things.) + Fix rare hang in cache code, a 2.37 regression. This + probably needs an infinite DHCP lease and some bad luck to + trigger. Thanks to Detlef Reichelt for bug reports and + testing. +* Mon Feb 5 2007 ug@suse.de + Add better support for RFC-2855 DHCP-over-firewire and RFC +-4390 DHCP-over-InfiniBand. A good suggestion from Karl Svec. 
+ Some efficiency tweaks to the cache code for very large + /etc/hosts files. Should improve reverse (address->name) + lookups and garbage collection. Thanks to Jan 'RedBully' + Seiffert for input on this. + Fix regression in 2.36 which made bogus-nxdomain + and DNS caching unreliable. Thanks to Dennis DeDonatis + and Jan Seiffert for bug reports. + Make DHCP encapsulated vendor-class options sane. Be + warned that some conceivable existing configurations + using these may break, but they work in a much + simpler and more logical way now. Prepending + "vendor:" to an option encapsulates it + in option 43, and the option is sent only if the + client-supplied vendor-class substring-matches with + the given client-id. Thanks to Dennis DeDonatis for + help with this. + Apply patch from Jan Seiffert to tidy up tftp.c + Add support for overloading the filename and servername + fields in DHCP packet. This gives extra option-space when + these fields are not being used or with a modern client + which supports moving them into options. + Added a LIMITS section to the man-page, with guidance on + maximum numbers of clients, file sizes and tuning. 
+- version 2.37 +* Mon Jan 22 2007 ug@suse.de +- version 2.36 +* Mon Oct 30 2006 ug@suse.de +- version 2.35 +- better performance on parsing huge /etc/hosts files +* Tue Oct 17 2006 ug@suse.de +- version 2.34 +- Tweak network-determination code +- Improve handling of high DNS loads +- Fixed intermittent infinite loop when re-reading + /etc/ethers after SIGHUP +- Provide extra information to the lease-change script +- Run the lease change script as root +- Add contrib/port-forward/* which is a script to set up + port-forwards using the DHCP lease-change script +- Fix unaligned access problem +- Fixed problem with DHCPRELEASE +- Updated French translation +- Upgraded the name hash function in the DNS cache +- Added --clear-on-reload flag +- Treat a nameserver address of 0.0.0.0 as "nothing" +- Added Webmin module in contrib/webmin +* Fri Aug 11 2006 ug@suse.de +- init-script more LSB conform + patch by Matthias Andree +* Mon Aug 7 2006 ug@suse.de +- version 2.33 +- Provide extra information to lease-change script +- Fix breakage with some DHCP relay implementations +- compilation warning fixes +- minor DNS and DHCP fixes and enhancements +* Mon Jun 12 2006 ug@suse.de +- version 2.32 +* Wed May 17 2006 ug@suse.de +- version 2.31 +* Wed Jan 25 2006 mls@suse.de +- converted neededforbuild to BuildRequires +* Mon Jan 23 2006 ug@suse.de +- Fixed crash when attempting to send a DHCP NAK to a host + which believes it has a lease on an unknown network. + That bug was invented in 2.25 +- version 2.26 +* Mon Jan 16 2006 ug@suse.de +- moved dnsmasq.no to dnsmasq.np + see bug #42748 +* Mon Jan 16 2006 ug@suse.de +- version update to 2.25 +* Mon Nov 28 2005 ug@suse.de +- version update to 2.24 +* Mon Oct 17 2005 ug@suse.de +- "-fno-strict-aliasing" now +* Wed Oct 12 2005 ug@suse.de +- version update to 2.23 +* Wed Aug 24 2005 ug@suse.de +- Fix DNS query forwarding for empty queries and forward + queries even when the recursion-desired bit is clear. 
+ This allows "dig +trace" to work + Bug #106717 +* Fri Aug 5 2005 cthiel@suse.de +- update to version 2.22 +* Wed Apr 13 2005 mls@suse.de +- fix slp registration +* Mon Jan 24 2005 ug@suse.de +- version update from 2.19 to 2.20 +- Allow more than one instance of dnsmasq to run on a + machine, each providing DHCP service on a different + interface +- Protect against overlong names and overlong + labels in configuration and from DHCP. +- Fix interesting corner case in CNAME handling. This occurs + when a CNAME has a target which "shadowed" by a name in + /etc/hosts or from DHCP +- Added support for SRV records +- Fixed sign confusion in the vendor-id matching code +- Added the ability to match the netid tag in a + dhcp-range +- Added preference values for MX records +- Added the --localise-queries option. +* Fri Jan 21 2005 ug@suse.de +- version update to 2.19 +- minor fixes in IPV6 and DHCP Code +* Fri Nov 26 2004 ug@suse.de +- version update to 2.18 +- lots of DHCP fixes +- some IPV6 fixes +* Fri Nov 19 2004 ug@suse.de +- SLP support via /etc/slp.reg.d/dnsmasq.reg file added +* Fri Aug 20 2004 ug@suse.de +- version update from 2.11 to 2.13 +- Added extra checks to ensure that DHCP created DNS entries + cannot generate multiple DNS address->name entries. +- Don't set the the filterwin2k option in the example config + file and add warnings that is breaks Kerberos. +- Log types of incoming queries as well as source and domain. +- Log NODATA replies generated as a result of the filterwin2k + option. +* Mon Aug 9 2004 ug@suse.de +- version update from 2.8 to 2.11 +* Tue Jun 1 2004 ug@suse.de +- chgrp to "dialout" and not to "dip" +- backward compatibility turned off +* Mon May 24 2004 ug@suse.de +- added to distribution diff --git a/dnsmasq.keyring b/dnsmasq.keyring new file mode 100644 index 0000000..8135f95 --- /dev/null +++ b/dnsmasq.keyring 
@@ -0,0 +1,116 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFMbjUMBEACsU1Xk8+uu/EsGVJTh9Tn31C2e0ycd0voBVT7cTdtXpzeiNR+o +/zUAi95ds7FiecpZJp1nRO4vNzvaaAPZhFsFVLzZYyIVABgTXsskT88xbZvzb4W5 +KKRWVhoTQxVDgj1+dXLUXULTB6rg02WEhqnix/qf/zFdM9I4/3pRHJn9k+3XKygR +on+nYtljfn3AKBelCo1y28istC6wCncoH11b/qdQtlfxVXaJY4HF27V0MqFFmDMg +cuhOHR7DnhymeDh7GmLfTHJ4LUFG+TecqCjiYhyWcuv2wuSb0EPXUKHJQVViQ8qg +KyPm1ly6uFP0CYdVavO7/oJwKFBIChECrj7BQ4GsImMHeuSzfWno7qy6Fxoxx2+g +0F9cdXWvcxFDGPQsL5vXp8KYNwBrzmijRzQ2ZAnrbG+ilFCkJCbxXcrhzpd4tKwE +0dgcyPL1Ma/lrznhL4ZuOzjVMgLNne7WiPpBNRqI1GoT0pUn6as4pU3En8B+K7zy +MLVfHvI1+iH45fP5bZwYSbXCa85v4+xqljYrzs9giaROEsXe/tsXvuc6JPCcmJXk +CUO3c3QVxqDFt9OYuTHIR8hqehDPLgFgzKqVuoAwMkhTf/zZNGlsy4jvKXQNcZ50 +uD4mWO3e+gykNW/OH+88IoCR0rgjQ6trMLOceZFnrtvxwRL//lMndGCTYQARAQAB +tB1TaW1vbiBLZWxsZXkgPHNya0BkZWJpYW4ub3JnPohGBBARCAAGBQJTIekzAAoJ +ECnhT5k5Gzkoj68AoLY6cFPxNnlydNDCV5iyFSzEl12RAKCl5yuxvzKxW1q7uVcG +CsD9f9Z5/YhGBBARCAAGBQJTL0SDAAoJEBbi9PX8geFZnAsAnAs9JR/9UxY1QnWF +HA2j7uSlQYt1AJ4zM23PcfSyZ9SfzgJJEEVggkMiEIkCHAQQAQgABgUCUyHp8gAK +CRAC0CBFCPsO9xaxD/9IX6DfMxFh5n6o0LebuyWJsk0I90wKJ53TmjBl83qgeF8F +pENzucALqZJ3AUXvqKt3n9tKDYfNHpOniEjL/kzlZcW/iO2b7QpdgqcOMe/Xb3ux +IAsWhgqWbgriWcTtP+omSdz+YaUtZ9abljmNX9B9X1nDG/KRPk6HnHHN42I52+SZ +XikIKT5u3Xm0YPSkgjaf9Mw9V8NUAMuWGtYGsGnuVorKfpDlW8jgaJUGcdKIqwZU +RpfTJS4NjMZlJTZEtokbgE80eqUepJBi+zKjpAc+keDQrq9ZZkWmAU5ceUtgw0n3 +U1L4NfsGqUSJvad1ZCoJjNm2BFQkr8N3obqvZ7rT/kI+focLCpBmvUxF1jq8QlL0 +ul3m4Yg55AVMQMFnbalxQBvbRxk10rUn4GCKV9W4y8sCzZbt8A3Eu0Aexd00K+WS +qvryh0wjwLrDdl3hHpcvi1+hheX16Y4qI3lKIKkr0cck3FIC5fq8feVPJH7+wbWF +rGe27hOfVPbMElGCHYOIq4ksfqGefsXul/V9kRRQT8DpVJ9uan5roJd+f2a+CcXn +VDKUqQUJq5eFXlay6wS1aU0AJ4mMpcGD53wuQDoWYl5wxthnMFN1xo3k7At9dGkC +QKw4NaTaVck2WE6e2ZV9rowsOeWXrhL/eP7XCco4eKF/5zZ7FEzLl5AJQrCpVIkC +HAQQAQgABgUCUy9EqgAKCRBjziC6xJxBSJJ/EAC41IxcJQazTbF0m+dBFzXQeQnG +b/CDtieBVrhZl916rI/a1A6NN1/rk4xIg4Iit+lYc8Oxwl+w/d+NseiMV/HzWImc +WY53HH1qoH0oPXkUPhaGCr4TKTxOI9lQQeJVT1FHw3pP/uYh76VU0noZnWJKTb0P 
+WDr6gznoajHZ3fLRzwWcIrVOzoPWl5GIiIyr6CMZxx1UnKKb/JkjdarMe+6X/9aZ +0QXPCBeqHTfBvHeJBLbNd2/CDIH6AFtWmT7prE4hti6kC9M1dhBX0fPiKZagMWVc +Z1jMIzNvpDIfjpE2B8SUBvxRwKSdCMvCdrACNc8QeCsfrJqu5hH0fUsEvFggcDig +FhAJTGafgCsMs4XqRnrx4zx58HFW7i4C2SWKX1fw1TKeHIj0MNYmhARPnZ6SiO06 +vfU0JccK1SZORhs8TAnEA5EwF/ckQ+XPZusZGBxJtpwkblEThDDaF8olM5BOI2Tg +OkvBisKEsrwK2adFLuMBm2HdTZbsWpzs4V8qzfO6j/ZFFEIbd+M5Vftog6ngKehu ++TQ3FcOES1Skx4/Sjuo9bw53GsXJDdgKjG73iLHVLp1rebXjc66N2aUzQazsBzJ6 +rhs3cWiQvOszFyKg7qzBfOCH1EYLMyRGsHO1aASldB/w9twGWIX6wNXZph6sYE32 +qZs30VffQgoZpadCwokCNwQTAQgAIQUCUyDDdAIbAwULCQgHAwUVCgkICwUWAgMB +AAIeAQIXgAAKCRAVzdpq4ZE1oqFGD/9LkbZFigc1jbZ5zIbmGkGvfniWp1mJhEcp +gKNfb2MMiu1lKULccIvfVyIY5WDrrpoPnHLnhYA9OXHcwVADGBayoVOQgIePrMV0 +V24uYjUh9+9zGRwQrCLo0rl/l07GKH0S1dxDUeyhJRYZGYEqW2+3XDJqIbfsDzSm +PNCyjVvqSvkkt0YyuNbH0+cVEoJ1Q2HmfEhvgd4LlHZDyhMVqKlKmlnCa8DmhwK+ +EyzJgLKITqjxBO3NOqPmYZlp8irLXyHAH1sDafaBwRjV9cNX2TLTwn3wDdUmoAwM +z1jopi/61A0kEglENYaa+NH/UnqfWOo7riXuZNwGVP/F/KlMV+JdXMY34fcSIQMW +k9cpxzhpuOJjwhoK7g/yq8q9578QXv4VR6ndH+LeHDRrm2Ftnih/Ut8unqqDteMJ +nd3YxSK3Ep78WgVBL9y2Qo3CyKY6VSXlshWZokwyrwVS8uLqIGAUzLwsKTYi1nms +Db7mQZqUbPBxYN2mrroD7Pr1/XAV8oNxw6l84nzfzObEKvNZLFtWctNpFJXhWhtm +/AeQBdkYKcMyTrwQt9Q0XMYKUGE05U+oAdtTvgCRJLltqzmt5yMpTPncNmXVoA5Y +vEVdCU6/Gxpn3Aea8ckBmIqxxQY1QFdEr2nvxPNASbkvHDNDr9XUlKQDqjherurK +BIBEiKCMnLQmU2ltb24gS2VsbGV5IDxzaW1vbkB0aGVrZWxsZXlzLm9yZy51az6I +RgQQEQgABgUCUxuNwQAKCRAo/IaaKJuCt0K1AJ9VX7VMWs0ECf4+hyf6d0qGutHy +cgCeMSyQgaaL/XbiUbhPaxdTgWjGQ3iIRgQQEQgABgUCUyHpMwAKCRAp4U+ZORs5 +KMjoAJ463imlnHBKRGUmZ45Z3OwxJx7kvgCePl6vO1lSo/XCdOaPE0UpCsSWJRCI +RgQQEQgABgUCUy9EgwAKCRAW4vT1/IHhWQW1AJ0dyPzHcxuJAbQnnMHj8zLynSkt +UgCfQshlIc2/HKFEbTM2yJR/Re45ui+JAhwEEAEIAAYFAlMh6fIACgkQAtAgRQj7 +Dvch0g//cWB0hAsMJ3jBQDuJxBh8gEJ4b8g8190brWXl9faXPqjpuYi1A/tRFcfP +gL408NN9+8iBzmuZ2SNwqYJgYZo9fEPbxIJrWZ+hDF2kRAr3nbEY1End0OfghdAF +G6NSUKmYVVHWCxGWHL3zYBJipeiKFR8D/JqB/3MQxXOWOhnZRQHicpcpz3Wdy2/e +AxMmvFUHNpkhvC+sumQ1vMn+jPJ6UBu39XMiW/ZTySapR2WhZ6Stg39Q7ziVwfPB 
+UB9alvvsPbiKLM3VowzkhpsDrmsztxjJqX2TyT5B+ZV6BVyjeQTv5f4LxENY7Jqd +eFWRyanXDux0R5LC0C7zQ0Eot2puKJNsZtyp9ja8idStkJlARq1ruArcGm4L4aCh +sa9BgAwkCVZS6kQgvlCKfeydJDrGY/BWI8ANyNVOcPMCYklKsPLvvDgghRpta0ul +0Mv8Gxgz8GYwmZ2jRyAko/M3lxPWJIU39nzLP0vDS0FD8rtYN/yKCBjZ2nRE8xJg +HdNhSZ3FJVKNOcgwHFYPyKsIDPGrSUKhFi2BNEB63Kjlonmggiffn8diocSp0aqS +gF0qL/jNCmA5CFfTkBPioqBs8XZazdmRZm3yCiy2DMB9LMTJICY224T/CoX8QyFK +EpMvYFE8MMq6SVYypF2esjRaUqPjLZ/Dhy9dpy6s8kDjU8Gnq8eJAhwEEAEIAAYF +AlMvRKQACgkQY84gusScQUi4WA//agQcVXsdp8Wr6zFeFXdAIWCWuYiNePDW6g+x +GS57gg1sIvsK6p3zItE6FB5YdS6d+r13dOlvCckhyIgMS9Mw6aurXU+uX+ojk0We +lusbnm8SoKgt5GbMXBM3HmEdXTgipUYUALGe0PQST/2Wn0g/zTptrMXTzp3mJvCA +OEF8Fg1Tmsq1fBTiAwZAS5j4ZtQRjRK3YQgQmLL6mEje4BSQTbM13IjTCbQZl1jc +k7B7TQHiiELsxEYGAgtvy7kziJaHiOs+pjO5lWbj7K2qkWuYhiE7xiOKnkM4k6fs +aiLvGD0KxOu4kDKkmWQsb92oXooiXdOpeBRaRGBIOR+BTA/SVuK752sS8F3PMdf2 +VUEIcpboIXrRPY+6D0GwN+d6MlAggLpHeFIjWLVCzQm2c3ynSghQmo5yHyGPCKjR +rlr5roylYgwJNu2yJSkHsjShMSMfCZK+Fj0ASxZlwpE/o2EDCcf0ekqDcK6WudEq +H00/svuNxqUkOeXtyn35MtEmZPjv5u6Fu4Cj48M4f1Ji7Dm/SDVyd4GEvwg0938A +PlLAAPoF53k9yMoGKn1PHZ5NrpldtICJvKv0kGIsoTDPj2QpCl3h8qHlP0mzu9g1 +isP2bWSP9W/cV67nNRwSif1FzTyUcqByIuHWfwEUP85PN/W3gTJxptALAdctfpXk +5azWTOaJAjoEEwEIACQCGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlMgw44C +GQEACgkQFc3aauGRNaLaZg/+PR41J3P7omGv6XD+TiAXfJQoR5RfzQoeLNUQEnir +/XBulg45203cYHEurchEhSTn2f4WVtFgxJrgId7XGYdf8oIZIjBd82fpwdMwhbfc +v/6iqzWL0+2vaPmBqE7iwDTatI888q5TyXppGe8L5/VjX0aBvmVIPyEE9BFQas+v +v5byUkU542FxPApGsv0W0P1pKabLl0F7ItPFPuaD0+K1kwBrWbuGhBKMV9jGHB4q +dX/21FBczgAf3J9yJ22vm6orCwwhptxde+DSn7vqZNjDtHGrkUWDzKAQBy1g4BmT +l6IoVgYKZXAVBGMtYUjS+80VV+QE9meVqmtX1aJJEnf0/BRdv9CeD46hZArwXwi/ +AWFs300pEfzwcC+9T5xc3jlSdYdWxeQDV7XwK2VCOhxjFqTm+ehP2Gh14Wfpc34j +N9jMJ3OowxzN5iZxGYzkHLFhM+0IKEeWEjxRWOoJgV5PmNvG7IBbzt8O9xo550h7 +JmXZVsfSpkFpzJPy0Puz1JeyH/niCeDwKkhEHXQTk/4O+EODRxruJbwIYGeO2lNf +Pn2Hcb1aHvSclx7GGOYDzI4jN0UcYroJpvHZU+0X2ClpCTAW5IshgHkOkdUQ1c7S ++5zPTeLbW+pxTlbWClA0NYMbSn68//i/DMstyBEwtTWYJLmg5V3HWzRd/6BwKZfD 
+Suu5Ag0EUyDDoQEQAMfQfa2tw3+OJFGMQEzLJSoXYN8/HnZEgKNlcMuYzhheQLgu +/MfcQJ7mnCIdn6xdPaalfLmYx63tM47/NGEM1+MSEvovPiRG0OLxzSgwei9DiGeN +EgsPTLXSZ5EVSXCM1+e9mT1ExT9aGLNnpCd6kIyWIcKCVMot+XC70R9prWLeyKSh +0FAZ0Pwv9i23osJVGOtJjND+WZ0uCeN29ocfN0b64yF4nPRc9IbcmYIDgNU3RybK +2Z/dupbthTisRjHRI3iX3/tiymXF3J0sSvsCluWIJWmyltS3Xyk/wfKVJz6OouiJ +jTj5utXVnCGptCDw+DCcj89vx1N0+0Dhm1cQcNZvXjMbVDTsuU+eVpJbxU6y8N+n +XpAXjEw4jMi3zNpqKtkyv2YpoqY5HhGLybgrY0zwSQOyMNf9lZ5J7znq5gEmiMXn +G9OPEw7PPSvm6QfbHPY/jAOgxsu7Fme7k303D5KkyGkkbzQiYyEtMZvbOMH/uECi +2uHGB72qiGpEYjMtHhihaRCBl+0bY8sH83He690qNQHSdStjaKXcecduE/v5iO0m +OYIHdsEHhKlWsE1GXXVLofBr68UBhYV6/AGXko4Pr+dXLzauN4kALDx6WltFu3qU +voD+uEoLq7IXULMo5Pyd7bO4qGQMKykaXTb5o6dqdu4GzWIUw1fr9kLEmo29ABEB +AAGJAh8EGAEIAAkFAlMgw6ECGwwACgkQFc3aauGRNaIjqA/+PXuaM6JHuudLycmB +0iKAwyB5csOFGpF3b9FgMR68TC4jzi5J5hJZASl0cO/e0ytQsrDUBbH74y+WaA4l +dwBVYr0j/2hqzIjrnGMtgWeHFPLV3sKw8DGuNx1/cOoljJXzi1WWSHIwDvaj3uZ9 +CwHt+4/abR7kdvMcnFhQVA4zuzZWFqpp+CDkkJNVwB9zxtAQwGTGF4cQ0IvTkhCo +6DQhZZVTeyn+nBKxzzWijniWc0LyRsum03MxZ6E7UVIInCTjdXTalnO8wColwIx5 +FV4nTMxdsKKgnIXmLexBdd03bW9TkowWf2C2XfDN+pDS8X3MzO6zAyogqJhAiBFj +nRzkOw0cw1VTL00o8uiWdMeu7OKOKeQbUilMAn4MweKB57mc582kjeGmwdZgWFA4 +BJ2eiH7HwjxiynwMdZwQEBdOTNLbggHk3/mScF8U1KcJhjAFf7Ne+Z0feG/8GgKl +5aj3ucl821+dfpzB79lLo+kmd1qkDyDiUR5yN6P8l8k6IAUJz2KUe0BjtO6VFFw0 +xni05dkrXdfo7IO79ictHmEn+g3QO8ZLUGRwdtZ1cMhTkm7FhH8Bdby0y4Soqluv +Hbri++cC91i1I3a92kHi/8O45rnLhVt+sOfxY1QnSIYh5OFwGMqMCNDTEL7ESiFa +FhSXkmzzVntlyvOBMlgz3IGh2hA= +=00xm +-----END PGP PUBLIC KEY BLOCK----- diff --git a/dnsmasq.reg b/dnsmasq.reg new file mode 100644 index 0000000..7ed31bf --- /dev/null +++ b/dnsmasq.reg @@ -0,0 +1,12 @@ +############################################################################# +# +# OpenSLP registration file +# +# register domain name service (DNS) daemon +# +############################################################################# + +service:domain://$HOSTNAME:53,en,65535 +watch-port-udp=53 +description=Domain Name Service + 
diff --git a/dnsmasq.service b/dnsmasq.service
new file mode 100644
index 0000000..24f9070
--- /dev/null
+++ b/dnsmasq.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=DNS caching server.
+After=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=dbus
+BusName=uk.org.thekelleys.dnsmasq
+ExecStartPre=/usr/sbin/dnsmasq --test
+ExecStart=/usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground
+ExecReload=/bin/kill -HUP $MAINPID
+#### kills logging, so not enabled
+# PrivateDevices=yes
+####
+
+[Install]
+WantedBy=multi-user.target
diff --git a/dnsmasq.spec b/dnsmasq.spec
new file mode 100644
index 0000000..033f612
--- /dev/null
+++ b/dnsmasq.spec
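Review bot: The hardening block in [Service] stops short of a capability bound: dnsmasq starts as root and drops to its service user itself, so until that point the process runs with the full root capability set. Adding `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID` next to `RestrictRealtime=true` would limit a compromised or misconfigured instance to what the daemon keeps after its own privilege drop; confirm the list against the capability set the packaged dnsmasq release retains in its privilege-drop code before enabling it. The `# PrivateDevices=yes` comment would also help the next maintainer if it named what breaks rather than "kills logging" — presumably the private /dev lacking the syslog socket that `--log-async` writes to, but verify.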
@@ -0,0 +1,221 @@
+#
+# spec file for package dnsmasq
+#
+# Copyright (c) 2022-2023 ZhuningOS
+#
+
+
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150300
+%bcond_without tftp_user_package
+%else
+%bcond_with tftp_user_package
+%endif
+Name: dnsmasq
+Version: 2.86
+Release: 150400.14.3
+Summary: DNS Forwarder and DHCP Server
+License: GPL-2.0-only OR GPL-3.0-only
+Group: Productivity/Networking/DNS/Servers
+URL: https://thekelleys.org.uk/dnsmasq/
+Source0: https://thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
+Source1: https://thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz.asc
+Source2: %{name}.keyring
+Source3: dnsmasq.reg
+Source4: dnsmasq.service
+Source5: rc.dnsmasq-suse
+Source6: system-user-dnsmasq.conf
+Source8: %{name}-rpmlintrc
+Patch0: dnsmasq-groups.patch
+Patch1: dnsmasq-resolv-conf.patch
+Patch2: dnsmasq-CVE-2022-0934.patch
+BuildRequires: dbus-1-devel
+BuildRequires: dos2unix
+BuildRequires: libidn2-devel
+BuildRequires: libnettle-devel
+BuildRequires: lua-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(libnetfilter_conntrack)
+BuildRequires: pkgconfig(systemd)
+Requires(pre): group(nogroup)
+Provides: dns_daemon
+%if %{with tftp_user_package}
+BuildRequires: sysuser-tools
+Requires(pre): user(tftp)
+%sysusers_requires
+%else
+Requires(pre): %{_sbindir}/useradd
+%endif
+
+%description
+Dnsmasq provides network infrastructure for small networks: DNS,
+DHCP, router advertisement and network boot.
+
+The DNS subsystem supprots forwarding of all query types, and caching
+of common record types, DNSSEC included. The DHCP subsystem supports
+DHCPv4, DHCPv6, BOOTP and PXE. RA can be used stand-alone or in
+conjunction with DHCPv6.
+
+%package utils
+Summary: Utilities for manipulating DHCP server leases
+Group: Productivity/Networking/DNS/Servers
+
+%description utils
+Utilities that use the standard DHCP protocol to query/remove a DHCP
+server's leases.
+
+%prep
+%setup -q
+%patch0
+%patch1
+%patch2
+
+# Remove the executable bit from python example files to
+# avoid unwanted automatic dependencies
+find contrib -name *.py -exec chmod a-x '{}' +
+
+# Some docs have the DOS line ends
+dos2unix contrib/systemd/dbus_activation
+
+# SED-FIX-UPSTREAM -- Fix paths
+sed -i -e 's|\(PREFIX *= *\)%{_prefix}/local|\1/usr|;
+ s|$(LDFLAGS)|$(CFLAGS) $(LDFLAGS)|' \
+ Makefile
+
+# use lua5.3 instead of lua5.2
+sed -i -e 's|lua5.2|lua%{lua_version}|' Makefile
+
+# SED-FIX-UPSTREAM -- Fix man page
+sed -i -e 's|The default is "dip",|The default is "nogroup",|' \
+ man/dnsmasq.8
+
+# SED-FIX-UPSTREAM -- Fix cachesize, group and user
+sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|;
+ s|CHUSER "nobody"|CHUSER "dnsmasq"|;
+ s|CHGRP "dip"|CHGRP "nogroup"|' \
+ src/config.h
+
+# Tweaks to the default configuration:
+# - Fix trust-anchor.conf location
+# - Include /etc/dnsmasq.d/*.conf by default
+# - Only answer queries coming from the local network
+sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
+ -e '/conf-dir=.*conf/s/^\#//' \
+ -e '0,/^$/{/^$/a \
+# Accept DNS queries only from hosts whose address is on a local\
+# subnet, ie a subnet for which an interface exists on the server.\
+# It is intended to be set as a default on installation, to allow\
+# unconfigured installations to be useful but also safe from being\
+# used for DNS amplification attacks.\
+local-service\
+
+}' \
+ dnsmasq.conf.example
+
+%build
+mv po/no.po po/nb.po
+export CFLAGS="%{optflags} -std=gnu99 -fPIC -DPIC -fpie"
+export LDFLAGS="-Wl,-z,relro,-z,now -pie"
+# the dnsmasq make system hashes the configuration flags, so we have to supply the
+# same flags for make and make install, else everything gets recompiled
+%define _copts "-DHAVE_DBUS -DHAVE_CONNTRACK -DHAVE_LIBIDN2 -DHAVE_DNSSEC -DHAVE_LUASCRIPT"
+%make_build AWK=gawk all-i18n CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" COPTS=%{_copts}
+%if %{with tftp_user_package}
+%sysusers_generate_pre %{SOURCE6} dnsmasq system-user-dnsmasq.conf
+%endif
+
+%if %{without tftp_user_package}
+%pre
+if ! %{_bindir}/getent group tftp >/dev/null; then
+ %{_sbindir}/groupadd -r tftp
+fi
+if ! %{_bindir}/getent passwd tftp >/dev/null; then
+ %{_sbindir}/useradd -c "TFTP account" -d /srv/tftpboot -G tftp -g tftp \
+ -r -s /bin/false tftp
+fi
+if ! %{_bindir}/getent passwd dnsmasq >/dev/null; then
+ %{_sbindir}/useradd -r -d %{_localstatedir}/lib/empty -s /bin/false -c "dnsmasq" -g nogroup -G tftp dnsmasq
+fi
+%else
+
+%pre -f dnsmasq.pre
+%endif
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+# reload dbus after install or upgrade to apply new policies
+if [ -z "${TRANSACTIONAL_UPDATE}" -a -x %{_bindir}/systemctl ]; then
+ %{_bindir}/systemctl reload dbus.service 2>/dev/null || :
+fi
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+# reload dbus after uninstall, our policies are gone again
+if [ $1 -eq 0 -a -z "${TRANSACTIONAL_UPDATE}" \
+ -a -x %{_bindir}/systemctl ]; then
+ %{_bindir}/systemctl reload dbus.service 2>/dev/null || :
+fi
+
+%install
+make install-i18n DESTDIR=%{buildroot} PREFIX=%{_prefix} AWK=gawk COPTS=%{_copts}
+install -d -m 755 %{buildroot}/%{_sysconfdir}/slp.reg.d
+install -m 644 dnsmasq.conf.example %{buildroot}/%{_sysconfdir}/dnsmasq.conf
+install -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/slp.reg.d/
+install -d 755 %{buildroot}%{_sysconfdir}/dbus-1/system.d/
+install -m 644 dbus/dnsmasq.conf %{buildroot}%{_sysconfdir}/dbus-1/system.d/dnsmasq.conf
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dnsmasq.service
+%if %{without tftp_user_package}
+install -d -m 0755 %{buildroot}/srv/tftpboot
+%else
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/
+%endif
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcdnsmasq
+install -d -m 755 %{buildroot}/%{_sysconfdir}/dnsmasq.d
+install -m 644 
trust-anchors.conf %{buildroot}/%{_sysconfdir}/dnsmasq.d/trust-anchors.conf
+
+# utils subpackage
+mkdir -p %{buildroot}/%{_bindir} %{buildroot}/%{_mandir}/man1
+make -C contrib/lease-tools %{?_smp_mflags}
+install -m 755 contrib/lease-tools/dhcp_release %{buildroot}/%{_bindir}/dhcp_release
+install -m 644 contrib/lease-tools/dhcp_release.1 %{buildroot}/%{_mandir}/man1/dhcp_release.1
+install -m 755 contrib/lease-tools/dhcp_release6 %{buildroot}/%{_bindir}/dhcp_release6
+install -m 644 contrib/lease-tools/dhcp_release6.1 %{buildroot}/%{_mandir}/man1/dhcp_release6.1
+install -m 755 contrib/lease-tools/dhcp_lease_time %{buildroot}/%{_bindir}/dhcp_lease_time
+install -m 644 contrib/lease-tools/dhcp_lease_time.1 %{buildroot}/%{_mandir}/man1/dhcp_lease_time.1
+make -C contrib/lease-tools clean
+rm -rf contrib/Suse
+rm -rf contrib/Solaris10
+rm -rf contrib/dnsmasq_MacOSX-pre10.4
+rm -rf contrib/slackware-dnsmasq
+rm -rf contrib/MacOSX-launchd
+
+%find_lang %{name} --with-man
+
+%files -f %{name}.lang
+%license COPYING COPYING-v3
+%doc CHANGELOG FAQ doc.html setup.html dnsmasq.conf.example contrib dbus
+%config(noreplace) %{_sysconfdir}/dnsmasq.conf
+%{_sbindir}/dnsmasq
+%{_sbindir}/rcdnsmasq
+%dir %{_sysconfdir}/slp.reg.d/
+%config %attr(0644,root,root) /%{_sysconfdir}/slp.reg.d/dnsmasq.reg
+%{_mandir}/man8/dnsmasq.8%{?ext_man}
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/dnsmasq.conf
+%{_unitdir}/dnsmasq.service
+%dir %{_sysconfdir}/dnsmasq.d
+%config(noreplace) %{_sysconfdir}/dnsmasq.d/trust-anchors.conf
+%if %{without tftp_user_package}
+%dir %attr(0755,tftp,tftp) /srv/tftpboot
+%else
+%{_sysusersdir}/system-user-dnsmasq.conf
+%endif
+
+%files utils
+%{_bindir}/dhcp_*
+%{_mandir}/man1/dhcp_*
+
+%changelog
diff --git a/rc.dnsmasq-suse b/rc.dnsmasq-suse
new file mode 100644
index 0000000..082a7ba
--- /dev/null
+++ b/rc.dnsmasq-suse
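Review bot: In %install, `install -d 755 %{buildroot}%{_sysconfdir}/dbus-1/system.d/` is missing the `-m` flag, so `755` is taken as a second directory to create (a stray `755` directory appears in the build tree) rather than as a mode; it should read `install -d -m 755 %{buildroot}%{_sysconfdir}/dbus-1/system.d/`, matching the other `install -d -m` lines in the section. In %prep, `find contrib -name *.py` leaves the glob unquoted, so the shell expands it first if any .py file exists in the current directory; write `-name '*.py'`. Source5 (rc.dnsmasq-suse) is declared but nothing in %install or %files references it, so the init script is carried in the source package only; either install it or drop the Source line. The %description also has a typo, "supprots" for "supports".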
@@ -0,0 +1,90 @@
+#! /bin/sh
+#
+# init.d/dnsmasq
+#
+### BEGIN INIT INFO
+# Provides: dnsmasq
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 3 5
+# Default-Stop:
+# Description: Starts internet name service masq caching server (DNS)
+### END INIT INFO
+
+NAMED_BIN=/usr/sbin/dnsmasq
+NAMED_PID=/var/run/dnsmasq.pid
+NAMED_CONF=/etc/dnsmasq.conf
+
+if [ ! -x $NAMED_BIN ] ; then
+ echo -n "dnsmasq not installed! "
+ exit 5
+fi
+
+. /etc/rc.status
+rc_reset
+
+case "$1" in
+ start)
+ if grep "^[^#].*/etc/ppp/" /etc/dnsmasq.conf >/dev/null 2>&1; then
+ echo
+ echo "Warning! dnsmasq can not read the /etc/ppp directory anymore";
+ echo " but /etc/ppp seems to be used in your config";
+ echo " use /var/run/ instead like /var/run/dnsmasq-forwarders.conf";
+ echo
+ fi
+ echo -n "Starting name service masq caching server "
+ checkproc -p $NAMED_PID $NAMED_BIN
+ if [ $? -eq 0 ] ; then
+ echo -n "- Warning: dnsmasq already running! "
+ else
+ [ -e $NAMED_PID ] && echo -n "- Warning: $NAMED_PID exists! "
+ fi
+ startproc -p $NAMED_PID $NAMED_BIN -u dnsmasq
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting name service masq caching server "
+ checkproc -p $NAMED_PID $NAMED_BIN
+ [ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running! 
" + killproc -p $NAMED_PID -TERM $NAMED_BIN + rc_status -v + ;; + try-restart|force-reload) + if $0 status ; then + $0 restart + else + rc_reset + fi + rc_status + ;; + restart) + if checkproc -p $NAMED_PID $NAMED_BIN ; then + $0 stop + fi + $0 start + rc_status + ;; + reload) + echo -n "Reloading name service masq caching server unsupported " + rc_failed 3 + rc_status -v + ;; + sighup) + echo -n "Sending SIGHUP to name service masq caching server " + killproc -p $NAMED_PID -HUP $NAMED_BIN + rc_status -v + ;; + status) + echo -n "Checking for name service masq caching server " + checkproc -p $NAMED_PID $NAMED_BIN + rc_status -v + ;; + probe) + test $NAMED_CONF -nt $NAMED_PID && echo reload + ;; + *) + echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|sighup|probe}" + exit 1 + ;; +esac +rc_exit diff --git a/system-user-dnsmasq.conf b/system-user-dnsmasq.conf new file mode 100644 index 0000000..1c58931 --- /dev/null +++ b/system-user-dnsmasq.conf @@ -0,0 +1,3 @@ +#Type Name ID GECOS Home directory Shell +u dnsmasq - "dnsmasq" /var/lib/empty - +m dnsmasq tftp - - -