Merge branch 'unbound' into next
authorMichael Tremer <michael.tremer@ipfire.org>
Thu, 8 Sep 2016 18:50:45 +0000 (19:50 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 8 Sep 2016 18:50:45 +0000 (19:50 +0100)
50 files changed:
config/cron/crontab
config/etc/group
config/etc/passwd
config/rootfiles/common/armv5tel/initscripts
config/rootfiles/common/dnsmasq [deleted file]
config/rootfiles/common/i586/initscripts
config/rootfiles/common/misc-progs
config/rootfiles/common/python-daemon [new file with mode: 0644]
config/rootfiles/common/python-docutils [new file with mode: 0644]
config/rootfiles/common/python-inotify [new file with mode: 0644]
config/rootfiles/common/unbound [new file with mode: 0644]
config/rootfiles/common/x86_64/initscripts
config/unbound/icannbundle.pem [new file with mode: 0644]
config/unbound/root.hints [new file with mode: 0644]
config/unbound/root.key [new file with mode: 0644]
config/unbound/unbound-dhcp-leases-bridge [new file with mode: 0644]
config/unbound/unbound.conf [new file with mode: 0644]
html/cgi-bin/dnsforward.cgi
html/cgi-bin/logs.cgi/log.dat
html/cgi-bin/services.cgi
lfs/initscripts
lfs/python-daemon [new file with mode: 0644]
lfs/python-docutils [new file with mode: 0644]
lfs/python-inotify [new file with mode: 0644]
lfs/unbound [moved from lfs/dnsmasq with 51% similarity]
make.sh
src/initscripts/init.d/dnsmasq [deleted file]
src/initscripts/init.d/network
src/initscripts/init.d/networking/red.down/05-update-dns-forwarders [new file with mode: 0644]
src/initscripts/init.d/networking/red.up/05-update-dns-forwarders [new file with mode: 0644]
src/initscripts/init.d/unbound [new file with mode: 0644]
src/misc-progs/Makefile
src/misc-progs/unboundctrl.c [moved from src/misc-progs/dnsmasqctrl.c with 74% similarity]
src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch [deleted file]
src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch [deleted file]
src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch [deleted file]
src/patches/dnsmasq/003-Check_return_of_expand_always.patch [deleted file]
src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch [deleted file]
src/patches/dnsmasq/005-Manpage_typo.patch [deleted file]
src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch [deleted file]
src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch [deleted file]
src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch [deleted file]
src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch [deleted file]
src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch [deleted file]
src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch [deleted file]
src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch [deleted file]
src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch [deleted file]
src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch [deleted file]
src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch [deleted file]
src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch [deleted file]

index c42c650..c6d8a72 100644 (file)
@@ -67,3 +67,6 @@ HOME=/
 
 # Cleanup the mail spool directory
 %weekly * * /usr/sbin/dma-cleanup-spool
+
+# Update DNS trust anchor
+%daily,random * * @runas(nobody) /usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem
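Review bot: The added job on the last line runs `unbound-anchor` as the shared `nobody` account and has it write `/var/lib/unbound/root.key`, so the DNSSEC trust anchor must be writable by an account that unrelated services may also run under; any other process running as `nobody` could then replace the anchor and undermine validation. The group and passwd hunks in this same commit only remove the `dnsmasq` entries and add no dedicated account for the resolver, so as far as this page shows no unprivileged identity is reserved for this file. Running the job under a dedicated account that owns only `/var/lib/unbound` would narrow that, and the ownership requirement deserves a comment next to the entry, e.g. `# root.key must be writable only by the account this job runs as`. Separately, the unbound rootfiles list ships `etc/unbound/root.key` while this job updates the copy under `/var/lib/unbound`; a comment should say which of the two the daemon actually reads, since unbound.conf is not visible here.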
index 51334aa..e4897db 100644 (file)
@@ -30,7 +30,6 @@ nobody:x:99:
 users:x:100:
 snort:x:101:
 logwatch:x:102:
-dnsmasq:x:103:
 cron:x:104:
 syslogd:x:105:
 klogd:x:106:
index 0c2527c..542e3bf 100644 (file)
@@ -14,7 +14,6 @@ nobody:x:99:99:Nobody:/home/nobody:/bin/false
 postfix:x:100:100::/var/spool/postfix:/bin/false
 snort:x:101:101:ftp:/var/log/snort:/bin/false
 logwatch:x:102:102::/var/log/logwatch:/bin/false
-dnsmasq:x:103:103::/:/bin/false
 cron:x:104:104::/:/bin/false
 syslogd:x:105:105:/var/empty:/bin/false
 klogd:x:106:106:/var/empty:/bin/false
index 29b3290..a429d2c 100644 (file)
@@ -26,7 +26,6 @@ etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
 #etc/rc.d/init.d/dnsdist
-etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/fcron
 #etc/rc.d/init.d/fetchmail
 etc/rc.d/init.d/fireinfo
@@ -76,7 +75,7 @@ etc/rc.d/init.d/networking/green
 etc/rc.d/init.d/networking/orange
 etc/rc.d/init.d/networking/red
 #etc/rc.d/init.d/networking/red.down
-etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.down/10-ipsec
 etc/rc.d/init.d/networking/red.down/10-miniupnpd
 etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -84,7 +83,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/networking/red.down/20-firewall
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
-etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/rootfiles/common/dnsmasq b/config/rootfiles/common/dnsmasq
deleted file mode 100644 (file)
index 1e90012..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-usr/sbin/dnsmasq
-#usr/share/man/man8/dnsmasq.8
index ee5a4ab..2053bd9 100644 (file)
@@ -27,7 +27,6 @@ etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
 #etc/rc.d/init.d/dnsdist
-etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/fcron
 #etc/rc.d/init.d/fetchmail
 etc/rc.d/init.d/fireinfo
@@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green
 etc/rc.d/init.d/networking/orange
 etc/rc.d/init.d/networking/red
 #etc/rc.d/init.d/networking/red.down
-etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.down/10-ipsec
 etc/rc.d/init.d/networking/red.down/10-miniupnpd
 etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/networking/red.down/20-firewall
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
-etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
index 1917884..63a0051 100644 (file)
@@ -5,7 +5,6 @@ usr/local/bin/backupctrl
 usr/local/bin/collectdctrl
 usr/local/bin/ddnsctrl
 usr/local/bin/dhcpctrl
-usr/local/bin/dnsmasqctrl
 usr/local/bin/extrahdctrl
 usr/local/bin/fireinfoctrl
 usr/local/bin/getconntracktable
@@ -33,6 +32,7 @@ usr/local/bin/sshctrl
 usr/local/bin/syslogdctrl
 usr/local/bin/timectrl
 #usr/local/bin/torctrl
+usr/local/bin/unboundctrl
 usr/local/bin/updxlratorctrl
 usr/local/bin/upnpctrl
 usr/local/bin/urlfilterctrl
diff --git a/config/rootfiles/common/python-daemon b/config/rootfiles/common/python-daemon
new file mode 100644 (file)
index 0000000..34d36a4
--- /dev/null
@@ -0,0 +1,19 @@
+#usr/lib/python2.7/site-packages/daemon
+usr/lib/python2.7/site-packages/daemon/__init__.py
+usr/lib/python2.7/site-packages/daemon/__init__.pyc
+usr/lib/python2.7/site-packages/daemon/_metadata.py
+usr/lib/python2.7/site-packages/daemon/_metadata.pyc
+usr/lib/python2.7/site-packages/daemon/daemon.py
+usr/lib/python2.7/site-packages/daemon/daemon.pyc
+usr/lib/python2.7/site-packages/daemon/pidfile.py
+usr/lib/python2.7/site-packages/daemon/pidfile.pyc
+usr/lib/python2.7/site-packages/daemon/runner.py
+usr/lib/python2.7/site-packages/daemon/runner.pyc
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/PKG-INFO
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/SOURCES.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/dependency_links.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/not-zip-safe
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/requires.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/top_level.txt
+#usr/lib/python2.7/site-packages/python_daemon-2.1.1-py2.7.egg-info/version_info.json
diff --git a/config/rootfiles/common/python-docutils b/config/rootfiles/common/python-docutils
new file mode 100644 (file)
index 0000000..45038dd
--- /dev/null
@@ -0,0 +1,320 @@
+#usr/bin/rst2html.py
+#usr/bin/rst2latex.py
+#usr/bin/rst2man.py
+#usr/bin/rst2odt.py
+#usr/bin/rst2odt_prepstyles.py
+#usr/bin/rst2pseudoxml.py
+#usr/bin/rst2s5.py
+#usr/bin/rst2xetex.py
+#usr/bin/rst2xml.py
+#usr/bin/rstpep2html.py
+#usr/lib/python2.7/site-packages/docutils
+#usr/lib/python2.7/site-packages/docutils-0.12-py2.7.egg-info
+#usr/lib/python2.7/site-packages/docutils/__init__.py
+#usr/lib/python2.7/site-packages/docutils/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/_compat.py
+#usr/lib/python2.7/site-packages/docutils/_compat.pyc
+#usr/lib/python2.7/site-packages/docutils/core.py
+#usr/lib/python2.7/site-packages/docutils/core.pyc
+#usr/lib/python2.7/site-packages/docutils/examples.py
+#usr/lib/python2.7/site-packages/docutils/examples.pyc
+#usr/lib/python2.7/site-packages/docutils/frontend.py
+#usr/lib/python2.7/site-packages/docutils/frontend.pyc
+#usr/lib/python2.7/site-packages/docutils/io.py
+#usr/lib/python2.7/site-packages/docutils/io.pyc
+#usr/lib/python2.7/site-packages/docutils/languages
+#usr/lib/python2.7/site-packages/docutils/languages/__init__.py
+#usr/lib/python2.7/site-packages/docutils/languages/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/af.py
+#usr/lib/python2.7/site-packages/docutils/languages/af.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/ca.py
+#usr/lib/python2.7/site-packages/docutils/languages/ca.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/cs.py
+#usr/lib/python2.7/site-packages/docutils/languages/cs.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/da.py
+#usr/lib/python2.7/site-packages/docutils/languages/da.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/de.py
+#usr/lib/python2.7/site-packages/docutils/languages/de.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/en.py
+#usr/lib/python2.7/site-packages/docutils/languages/en.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/eo.py
+#usr/lib/python2.7/site-packages/docutils/languages/eo.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/es.py
+#usr/lib/python2.7/site-packages/docutils/languages/es.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/fi.py
+#usr/lib/python2.7/site-packages/docutils/languages/fi.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/fr.py
+#usr/lib/python2.7/site-packages/docutils/languages/fr.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/gl.py
+#usr/lib/python2.7/site-packages/docutils/languages/gl.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/he.py
+#usr/lib/python2.7/site-packages/docutils/languages/he.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/it.py
+#usr/lib/python2.7/site-packages/docutils/languages/it.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/ja.py
+#usr/lib/python2.7/site-packages/docutils/languages/ja.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/lt.py
+#usr/lib/python2.7/site-packages/docutils/languages/lt.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/nl.py
+#usr/lib/python2.7/site-packages/docutils/languages/nl.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/pl.py
+#usr/lib/python2.7/site-packages/docutils/languages/pl.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/pt_br.py
+#usr/lib/python2.7/site-packages/docutils/languages/pt_br.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/ru.py
+#usr/lib/python2.7/site-packages/docutils/languages/ru.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/sk.py
+#usr/lib/python2.7/site-packages/docutils/languages/sk.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/sv.py
+#usr/lib/python2.7/site-packages/docutils/languages/sv.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.py
+#usr/lib/python2.7/site-packages/docutils/languages/zh_cn.pyc
+#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.py
+#usr/lib/python2.7/site-packages/docutils/languages/zh_tw.pyc
+#usr/lib/python2.7/site-packages/docutils/nodes.py
+#usr/lib/python2.7/site-packages/docutils/nodes.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers
+#usr/lib/python2.7/site-packages/docutils/parsers/__init__.py
+#usr/lib/python2.7/site-packages/docutils/parsers/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/null.py
+#usr/lib/python2.7/site-packages/docutils/parsers/null.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/admonitions.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/body.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/html.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/images.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/misc.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/parts.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/references.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/directives/tables.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/README.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsa.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsb.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsc.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsn.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamso.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isoamsr.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isobox.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr1.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isocyr2.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isodia.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk1.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk2.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk3.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4-wide.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isogrk4.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat1.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isolat2.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk-wide.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomfrk.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf-wide.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomopf.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr-wide.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isomscr.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isonum.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isopub.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/isotech.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlalias.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra-wide.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/mmlextra.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/s5defs.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-lat1.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-special.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/include/xhtml1-symbol.txt
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/af.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ca.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/cs.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/da.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/de.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/en.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/eo.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/es.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fi.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/fr.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/gl.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/he.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/it.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ja.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/lt.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/nl.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pl.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/pt_br.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/ru.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sk.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/sv.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_cn.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/languages/zh_tw.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/roles.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/states.pyc
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.py
+#usr/lib/python2.7/site-packages/docutils/parsers/rst/tableparser.pyc
+#usr/lib/python2.7/site-packages/docutils/readers
+#usr/lib/python2.7/site-packages/docutils/readers/__init__.py
+#usr/lib/python2.7/site-packages/docutils/readers/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/readers/doctree.py
+#usr/lib/python2.7/site-packages/docutils/readers/doctree.pyc
+#usr/lib/python2.7/site-packages/docutils/readers/pep.py
+#usr/lib/python2.7/site-packages/docutils/readers/pep.pyc
+#usr/lib/python2.7/site-packages/docutils/readers/standalone.py
+#usr/lib/python2.7/site-packages/docutils/readers/standalone.pyc
+#usr/lib/python2.7/site-packages/docutils/statemachine.py
+#usr/lib/python2.7/site-packages/docutils/statemachine.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms
+#usr/lib/python2.7/site-packages/docutils/transforms/__init__.py
+#usr/lib/python2.7/site-packages/docutils/transforms/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/components.py
+#usr/lib/python2.7/site-packages/docutils/transforms/components.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.py
+#usr/lib/python2.7/site-packages/docutils/transforms/frontmatter.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/misc.py
+#usr/lib/python2.7/site-packages/docutils/transforms/misc.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/parts.py
+#usr/lib/python2.7/site-packages/docutils/transforms/parts.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/peps.py
+#usr/lib/python2.7/site-packages/docutils/transforms/peps.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/references.py
+#usr/lib/python2.7/site-packages/docutils/transforms/references.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/universal.py
+#usr/lib/python2.7/site-packages/docutils/transforms/universal.pyc
+#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.py
+#usr/lib/python2.7/site-packages/docutils/transforms/writer_aux.pyc
+#usr/lib/python2.7/site-packages/docutils/utils
+#usr/lib/python2.7/site-packages/docutils/utils/__init__.py
+#usr/lib/python2.7/site-packages/docutils/utils/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.py
+#usr/lib/python2.7/site-packages/docutils/utils/code_analyzer.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.py
+#usr/lib/python2.7/site-packages/docutils/utils/error_reporting.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/math
+#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.py
+#usr/lib/python2.7/site-packages/docutils/utils/math/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.py
+#usr/lib/python2.7/site-packages/docutils/utils/math/latex2mathml.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.py
+#usr/lib/python2.7/site-packages/docutils/utils/math/math2html.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.py
+#usr/lib/python2.7/site-packages/docutils/utils/math/tex2unichar.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.py
+#usr/lib/python2.7/site-packages/docutils/utils/math/unichar2tex.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.py
+#usr/lib/python2.7/site-packages/docutils/utils/punctuation_chars.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/roman.py
+#usr/lib/python2.7/site-packages/docutils/utils/roman.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.py
+#usr/lib/python2.7/site-packages/docutils/utils/smartquotes.pyc
+#usr/lib/python2.7/site-packages/docutils/utils/urischemes.py
+#usr/lib/python2.7/site-packages/docutils/utils/urischemes.pyc
+#usr/lib/python2.7/site-packages/docutils/writers
+#usr/lib/python2.7/site-packages/docutils/writers/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.py
+#usr/lib/python2.7/site-packages/docutils/writers/docutils_xml.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/html4css1
+#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/html4css1/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/html4css1/html4css1.css
+#usr/lib/python2.7/site-packages/docutils/writers/html4css1/math.css
+#usr/lib/python2.7/site-packages/docutils/writers/html4css1/template.txt
+#usr/lib/python2.7/site-packages/docutils/writers/latex2e
+#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/latex2e/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/latex2e/default.tex
+#usr/lib/python2.7/site-packages/docutils/writers/latex2e/titlepage.tex
+#usr/lib/python2.7/site-packages/docutils/writers/latex2e/xelatex.tex
+#usr/lib/python2.7/site-packages/docutils/writers/manpage.py
+#usr/lib/python2.7/site-packages/docutils/writers/manpage.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/null.py
+#usr/lib/python2.7/site-packages/docutils/writers/null.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.py
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/pygmentsformatter.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/odf_odt/styles.odt
+#usr/lib/python2.7/site-packages/docutils/writers/pep_html
+#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/pep_html/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/pep_html/pep.css
+#usr/lib/python2.7/site-packages/docutils/writers/pep_html/template.txt
+#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.py
+#usr/lib/python2.7/site-packages/docutils/writers/pseudoxml.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/__init__.pyc
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/README.txt
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/__base__
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/framing.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-black/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/framing.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/big-white/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/blank.gif
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/framing.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/iepngfix.htc
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/opera.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/outline.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/print.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/s5-core.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/default/slides.js
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/__base__
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-black/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/framing.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/medium-white/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/__base__
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-black/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/framing.css
+#usr/lib/python2.7/site-packages/docutils/writers/s5_html/themes/small-white/pretty.css
+#usr/lib/python2.7/site-packages/docutils/writers/xetex
+#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.py
+#usr/lib/python2.7/site-packages/docutils/writers/xetex/__init__.pyc
diff --git a/config/rootfiles/common/python-inotify b/config/rootfiles/common/python-inotify
new file mode 100644 (file)
index 0000000..5fc062a
--- /dev/null
@@ -0,0 +1,20 @@
+#usr/lib/python2.7/site-packages/inotify
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/PKG-INFO
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/SOURCES.txt
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/dependency_links.txt
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/not-zip-safe
+#usr/lib/python2.7/site-packages/inotify-0.2.7-py2.7.egg-info/top_level.txt
+usr/lib/python2.7/site-packages/inotify/__init__.py
+usr/lib/python2.7/site-packages/inotify/__init__.pyc
+usr/lib/python2.7/site-packages/inotify/adapters.py
+usr/lib/python2.7/site-packages/inotify/adapters.pyc
+usr/lib/python2.7/site-packages/inotify/calls.py
+usr/lib/python2.7/site-packages/inotify/calls.pyc
+usr/lib/python2.7/site-packages/inotify/constants.py
+usr/lib/python2.7/site-packages/inotify/constants.pyc
+usr/lib/python2.7/site-packages/inotify/library.py
+usr/lib/python2.7/site-packages/inotify/library.pyc
+#usr/lib/python2.7/site-packages/inotify/resources
+#usr/lib/python2.7/site-packages/inotify/resources/README.rst
+#usr/lib/python2.7/site-packages/inotify/resources/requirements.txt
diff --git a/config/rootfiles/common/unbound b/config/rootfiles/common/unbound
new file mode 100644 (file)
index 0000000..94eeba7
--- /dev/null
@@ -0,0 +1,62 @@
+etc/rc.d/init.d/unbound
+#etc/unbound
+etc/unbound/dhcp-leases.conf
+etc/unbound/forward.conf
+etc/unbound/icannbundle.pem
+etc/unbound/local.d
+etc/unbound/root.hints
+etc/unbound/root.key
+etc/unbound/unbound.conf
+#usr/include/unbound.h
+#usr/lib/libunbound.la
+#usr/lib/libunbound.so
+usr/lib/libunbound.so.2
+usr/lib/libunbound.so.2.4.1
+usr/sbin/unbound
+usr/sbin/unbound-anchor
+usr/sbin/unbound-checkconf
+usr/sbin/unbound-dhcp-leases-bridge
+usr/sbin/unbound-control
+usr/sbin/unbound-control-setup
+usr/sbin/unbound-switch
+usr/sbin/unbound-zone
+#usr/share/man/man1/unbound-host.1
+#usr/share/man/man3/libunbound.3
+#usr/share/man/man3/ub_cancel.3
+#usr/share/man/man3/ub_ctx.3
+#usr/share/man/man3/ub_ctx_add_ta.3
+#usr/share/man/man3/ub_ctx_add_ta_file.3
+#usr/share/man/man3/ub_ctx_async.3
+#usr/share/man/man3/ub_ctx_config.3
+#usr/share/man/man3/ub_ctx_create.3
+#usr/share/man/man3/ub_ctx_data_add.3
+#usr/share/man/man3/ub_ctx_data_remove.3
+#usr/share/man/man3/ub_ctx_debuglevel.3
+#usr/share/man/man3/ub_ctx_debugout.3
+#usr/share/man/man3/ub_ctx_delete.3
+#usr/share/man/man3/ub_ctx_get_option.3
+#usr/share/man/man3/ub_ctx_hosts.3
+#usr/share/man/man3/ub_ctx_print_local_zones.3
+#usr/share/man/man3/ub_ctx_resolvconf.3
+#usr/share/man/man3/ub_ctx_set_fwd.3
+#usr/share/man/man3/ub_ctx_set_option.3
+#usr/share/man/man3/ub_ctx_trustedkeys.3
+#usr/share/man/man3/ub_ctx_zone_add.3
+#usr/share/man/man3/ub_ctx_zone_remove.3
+#usr/share/man/man3/ub_fd.3
+#usr/share/man/man3/ub_poll.3
+#usr/share/man/man3/ub_process.3
+#usr/share/man/man3/ub_resolve.3
+#usr/share/man/man3/ub_resolve_async.3
+#usr/share/man/man3/ub_resolve_free.3
+#usr/share/man/man3/ub_result.3
+#usr/share/man/man3/ub_strerror.3
+#usr/share/man/man3/ub_wait.3
+#usr/share/man/man5/unbound.conf.5
+#usr/share/man/man8/unbound-anchor.8
+#usr/share/man/man8/unbound-checkconf.8
+#usr/share/man/man8/unbound-control-setup.8
+#usr/share/man/man8/unbound-control.8
+#usr/share/man/man8/unbound.8
+var/lib/unbound
+var/lib/unbound/root.key
index ee5a4ab..2053bd9 100644 (file)
@@ -27,7 +27,6 @@ etc/rc.d/init.d/console
 etc/rc.d/init.d/dhcp
 etc/rc.d/init.d/dhcrelay
 #etc/rc.d/init.d/dnsdist
-etc/rc.d/init.d/dnsmasq
 etc/rc.d/init.d/fcron
 #etc/rc.d/init.d/fetchmail
 etc/rc.d/init.d/fireinfo
@@ -78,7 +77,7 @@ etc/rc.d/init.d/networking/green
 etc/rc.d/init.d/networking/orange
 etc/rc.d/init.d/networking/red
 #etc/rc.d/init.d/networking/red.down
-etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.down/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.down/10-ipsec
 etc/rc.d/init.d/networking/red.down/10-miniupnpd
 etc/rc.d/init.d/networking/red.down/10-ovpn
@@ -86,7 +85,7 @@ etc/rc.d/init.d/networking/red.down/10-static-routes
 etc/rc.d/init.d/networking/red.down/20-firewall
 #etc/rc.d/init.d/networking/red.up
 etc/rc.d/init.d/networking/red.up/01-conntrack-cleanup
-etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
+etc/rc.d/init.d/networking/red.up/05-update-dns-forwarders
 etc/rc.d/init.d/networking/red.up/10-miniupnpd
 etc/rc.d/init.d/networking/red.up/10-multicast
 etc/rc.d/init.d/networking/red.up/10-static-routes
diff --git a/config/unbound/icannbundle.pem b/config/unbound/icannbundle.pem
new file mode 100644 (file)
index 0000000..48941de
--- /dev/null
@@ -0,0 +1,317 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 1 (0x1)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+        Validity
+            Not Before: Dec 23 04:19:12 2009 GMT
+            Not After : Dec 18 04:19:12 2029 GMT
+        Subject: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:a0:db:70:b8:4f:34:da:9c:d4:d0:7e:bb:ea:15:
+                    bc:e9:c9:11:2a:1f:61:2f:6a:b9:bd:3f:3d:76:a0:
+                    9a:0a:f7:ee:93:6e:6e:55:53:84:8c:f2:2c:f1:82:
+                    27:c8:0f:9a:cf:52:1b:54:da:28:d2:2c:30:8e:dd:
+                    fb:92:20:33:2d:d6:c8:f1:0e:10:21:88:71:fa:84:
+                    22:4b:5d:47:56:16:7c:9b:9f:5d:c3:11:79:9c:14:
+                    e2:ff:c0:74:ac:dd:39:d7:e0:38:d8:b0:73:aa:fb:
+                    d1:db:84:af:52:22:a8:f6:d5:9b:94:f4:e6:5d:5e:
+                    e8:3f:87:90:0b:c7:1a:77:f5:2e:d3:8f:1a:ce:02:
+                    1d:07:69:21:47:32:da:46:ae:00:4c:b6:a5:a2:9c:
+                    39:c1:c0:4a:f6:d3:1c:ae:d3:6d:bb:c7:18:f0:7e:
+                    ed:f6:80:ce:d0:01:2e:89:de:12:ba:ee:11:cb:a6:
+                    7a:d7:0d:7c:f3:08:8d:72:9d:bf:55:75:13:70:bb:
+                    31:22:4a:cb:e8:c0:aa:a4:09:aa:36:68:40:60:74:
+                    9d:e7:19:81:43:22:52:fe:c9:2b:52:0f:41:13:36:
+                    09:72:65:95:cc:89:ae:6f:56:17:16:34:73:52:a3:
+                    04:ed:bd:88:82:8a:eb:d7:dc:82:52:9c:06:e1:52:
+                    85:41
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Subject Key Identifier: 
+                BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+    Signature Algorithm: sha256WithRSAEncryption
+        0f:f1:e9:82:a2:0a:87:9f:2d:94:60:5a:b2:c0:4b:a1:2f:2b:
+        3b:47:d5:0a:99:86:38:b2:ec:c6:3b:89:e4:6e:07:cf:14:c7:
+        c7:e8:cf:99:8f:aa:30:c3:19:70:b9:e6:6d:d6:3f:c8:68:26:
+        b2:a0:a5:37:42:ca:d8:62:80:d1:a2:5a:48:2e:1f:85:3f:0c:
+        7b:c2:c7:94:11:5f:19:2a:95:ac:a0:3a:03:d8:91:5b:2e:0d:
+        9c:7c:1f:2e:fc:e9:44:e1:16:26:73:1c:45:4a:65:c1:83:4c:
+        90:f3:f2:28:42:df:db:c4:e7:04:12:18:62:43:5e:bc:1f:6c:
+        84:e6:bc:49:32:df:61:d7:99:ee:e4:90:52:7b:0a:c2:91:8a:
+        98:62:66:b1:c8:e0:b7:5a:b5:46:7c:76:71:54:8e:cc:a4:81:
+        5c:19:db:d2:6f:66:b5:bb:2b:ae:6b:c9:74:04:a8:24:de:e8:
+        c5:d3:fc:2c:1c:d7:8f:db:6a:8d:c9:53:be:5d:50:73:ac:cf:
+        1f:93:c0:52:50:5b:a2:4f:fe:ad:65:36:17:46:d1:2d:e5:a2:
+        90:66:05:db:29:4e:5d:50:5d:e3:4f:da:a0:8f:f0:6b:e4:16:
+        70:dd:7f:f3:77:7d:b9:4e:f9:ec:c3:33:02:d7:e9:63:2f:31:
+        e7:40:61:a4
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 2 (0x2)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+        Validity
+            Not Before: Dec 23 04:45:04 2009 GMT
+            Not After : Dec 22 04:45:04 2014 GMT
+        Subject: O=ICANN, CN=ICANN DNSSEC CA/emailAddress=dnssec@icann.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:c0:bf:e2:b4:ee:12:46:36:3b:7c:d2:46:21:64:
+                    5a:93:e1:e3:02:10:25:bb:a5:30:70:19:89:98:7e:
+                    9e:db:8e:0f:ac:c8:48:66:0e:1a:f8:81:e5:2d:3c:
+                    7b:39:39:76:28:8f:ee:0a:a7:dd:64:e9:5f:87:25:
+                    b1:64:e5:59:03:fc:bc:29:3b:63:37:c8:d7:46:9a:
+                    b6:ce:87:55:cd:cf:e2:ab:e9:c7:8a:53:2e:25:87:
+                    b0:98:d6:20:a3:a8:ec:87:b0:39:a3:c4:c5:75:59:
+                    3c:fb:91:03:fa:ee:7f:e9:2b:b6:70:88:69:2c:e6:
+                    f1:4f:fc:d0:47:b4:e9:a0:2c:fa:0c:c3:84:eb:be:
+                    73:5a:bc:16:ed:d0:83:02:2d:eb:6a:21:02:51:70:
+                    29:1e:4f:c9:69:03:9f:91:32:5c:2c:1a:9f:5e:45:
+                    48:2a:50:ee:72:14:ec:17:29:fc:20:95:7d:22:6a:
+                    c6:6f:83:a2:58:8e:b1:64:c8:73:23:54:6c:69:1d:
+                    66:1f:df:f8:4f:24:a1:a8:ae:00:7f:e9:89:41:a6:
+                    e3:88:1d:3a:e1:b3:3a:ef:29:45:32:9b:94:2e:b7:
+                    6c:1e:fe:31:40:13:e1:bd:52:67:d0:d8:c3:3e:03:
+                    84:48:72:9d:bd:8a:48:a0:f2:72:35:b6:03:4b:c6:
+                    e9:05
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+
+            X509v3 Subject Key Identifier: 
+                8F:B2:42:69:C3:9D:E4:3C:FA:13:B9:FF:F2:C0:A4:EF:D8:0F:E8:22
+    Signature Algorithm: sha256WithRSAEncryption
+        4a:78:a2:47:7e:3f:2e:4d:78:68:ab:06:5c:ff:da:01:04:45:
+        92:20:20:88:f3:dc:4e:70:01:9b:cb:f3:13:61:34:04:09:15:
+        d0:be:99:1c:be:fc:97:e9:2d:73:e1:b3:2b:a6:b9:3a:41:33:
+        f3:83:3d:64:1b:64:95:bf:ae:cd:20:df:18:e0:62:8d:fa:9c:
+        f7:d8:a9:3c:25:2b:8e:cf:10:e5:29:b9:af:1a:7f:62:64:75:
+        e7:c6:fd:9b:6d:71:c0:a9:b3:0f:9a:b7:7a:fe:53:04:18:cd:
+        04:06:d9:bf:01:0e:cc:04:84:84:51:a3:e9:06:2a:a3:25:73:
+        4e:8d:62:19:13:25:5b:de:0b:dc:d0:69:01:ca:41:0a:96:13:
+        cf:6a:11:fe:2b:9a:3f:fd:56:3d:73:3d:58:49:c2:71:83:20:
+        23:6d:46:99:6e:37:91:9f:76:2a:9c:b0:69:3f:64:9f:05:bb:
+        38:c8:1e:ca:d8:6c:fd:56:3e:a6:85:a2:53:80:c6:42:b6:79:
+        c6:43:0b:e0:6c:ea:9f:cf:b0:2a:2c:01:50:c3:d8:0f:a0:7e:
+        a1:73:a8:5c:84:27:5b:c9:4b:5a:13:e9:69:25:1c:59:11:d2:
+        01:dc:da:e7:c8:44:34:a2:e4:99:25:b4:c3:23:b5:f8:2d:48:
+        e5:8d:06:73
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 6 (0x6)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+        Validity
+            Not Before: Dec 23 05:21:16 2009 GMT
+            Not After : Dec 22 05:21:16 2014 GMT
+        Subject: O=ICANN, CN=ICANN EMAIL CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:d2:19:1e:22:69:33:f6:a4:d2:76:c5:80:11:75:
+                    8e:d0:e8:6f:bf:89:f8:2a:6a:da:8a:85:28:40:ba:
+                    c5:23:5f:47:ed:72:e2:8e:d3:5c:c8:8a:3a:99:a9:
+                    57:2c:0a:2b:22:f3:54:7b:8b:f7:8c:21:a2:50:01:
+                    4f:8b:af:34:df:72:fc:78:31:d0:1d:eb:bc:9b:e6:
+                    fa:c1:84:d0:05:07:8a:74:53:a5:60:9e:eb:75:9e:
+                    a8:5d:32:c8:02:32:e4:bf:cb:97:9b:7a:fa:2c:f6:
+                    6a:1d:b8:57:ad:e3:03:22:93:d0:f4:4f:a8:b8:01:
+                    db:82:33:98:b6:87:ed:3d:67:40:00:27:2e:d5:95:
+                    d2:ad:36:46:14:c6:17:79:65:7f:65:f3:88:80:65:
+                    7c:22:67:08:23:3c:cf:a5:10:38:72:30:97:92:6f:
+                    20:4a:ba:24:4c:4a:c8:4a:a5:dc:2a:44:a1:29:78:
+                    b4:9f:fe:84:ff:27:5b:3a:72:ea:31:c1:ad:06:22:
+                    d6:44:a0:4a:57:32:9c:f2:46:47:d0:89:6e:20:23:
+                    2c:ea:b0:83:7e:c1:f3:ea:da:dd:e3:63:59:97:21:
+                    fa:1b:11:39:27:cf:82:8b:56:15:d4:36:92:0c:a5:
+                    7e:80:e0:18:c9:50:08:42:0a:df:97:3c:9c:b8:0a:
+                    4d:b1
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+
+            X509v3 Subject Key Identifier: 
+                7B:3F:BA:CE:A1:B3:A6:13:2E:5A:82:84:D4:D2:EA:A5:24:F1:CD:B4
+    Signature Algorithm: sha256WithRSAEncryption
+        50:07:a5:61:39:e4:3b:e3:bc:1c:b4:a7:b2:ab:a1:fb:47:bf:
+        b4:1c:32:ac:3c:46:b0:02:26:2f:16:3e:89:70:e2:87:e9:76:
+        99:61:0b:91:c5:48:7a:e5:aa:24:0b:39:e0:4f:26:03:d4:5b:
+        01:8a:4d:b6:98:cc:16:fa:e2:12:4a:88:b9:53:bb:50:2d:c7:
+        37:b8:a3:82:2d:52:05:3e:46:a7:db:97:82:73:8d:7d:ed:dd:
+        9e:37:73:68:6b:90:cd:62:d8:77:ff:32:53:bb:d3:a1:b9:cb:
+        7d:32:29:70:fb:2e:90:4b:27:12:6d:99:a5:e6:d4:ef:13:32:
+        c1:2f:b5:ae:6e:11:0e:50:56:a4:56:5b:76:b0:c0:99:2e:5a:
+        94:17:ee:2b:c1:b6:9c:8b:68:ac:55:95:31:8c:66:2b:35:43:
+        a5:13:04:1b:50:44:1c:55:7f:4c:d0:1a:50:80:53:45:a8:e3:
+        d3:a8:74:ad:7d:6a:d6:e9:9a:d3:25:7d:83:e2:57:64:1a:94:
+        7e:bc:cb:ef:79:b5:54:6a:f1:b0:c3:81:26:90:e5:40:87:ed:
+        75:7d:83:63:5b:ab:45:c0:34:04:27:e8:d8:12:26:7c:5e:c0:
+        48:b6:33:7d:4b:db:23:8a:f7:13:24:bc:be:7b:74:cb:c4:ed:
+        ed:42:eb:2f
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 3 (0x3)
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: O=ICANN, OU=ICANN Certification Authority, CN=ICANN Root CA, C=US
+        Validity
+            Not Before: Dec 23 05:07:29 2009 GMT
+            Not After : Dec 22 05:07:29 2014 GMT
+        Subject: O=ICANN, CN=ICANN SSL CA
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+            RSA Public Key: (2048 bit)
+                Modulus (2048 bit):
+                    00:dd:c6:ab:bf:7c:66:9d:b3:2b:96:00:14:c7:60:
+                    7a:8d:62:5b:26:4b:30:d7:b3:4c:82:69:c6:4d:4d:
+                    73:f3:d4:91:21:5d:ab:35:f0:c8:04:0e:f4:a3:35:
+                    e2:e1:18:a9:98:12:03:58:f8:9f:eb:77:54:5b:89:
+                    81:26:c9:aa:c2:f4:c9:0c:82:57:2a:5e:05:e9:61:
+                    17:cc:19:18:71:eb:35:83:c1:86:9d:ec:f1:6b:ca:
+                    dd:a1:96:0b:95:d4:e1:0f:9e:24:6f:dc:3c:d0:28:
+                    9e:f2:53:47:2b:a1:ad:32:03:c8:3f:0d:80:80:7d:
+                    f0:02:d2:6e:5a:2c:44:21:9b:09:50:15:3f:a1:3d:
+                    d3:c9:c8:24:e7:ea:4e:92:2f:94:90:2e:de:e7:68:
+                    f6:c6:b3:90:1f:bc:c9:7b:a2:65:d7:11:e9:8b:f0:
+                    3a:5a:b7:17:07:df:69:e3:6e:b9:54:6a:8e:3a:aa:
+                    94:7f:2c:0a:a1:ad:ba:b7:d9:60:62:27:a7:71:40:
+                    3b:8e:b0:84:7b:b8:c8:67:ef:66:ba:3d:ac:c3:85:
+                    e5:86:bb:a7:9c:fd:b6:e1:c0:10:53:3d:d4:7e:1b:
+                    09:e6:9f:22:5c:a7:27:09:7e:27:12:33:fa:df:9b:
+                    20:2f:14:f7:17:c0:e4:1e:07:91:1f:f9:9a:cd:a8:
+                    e2:c5
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement, Certificate Sign, CRL Sign
+            X509v3 Authority Key Identifier: 
+                keyid:BA:52:E9:49:83:24:86:52:2F:C7:99:CD:FC:8D:6B:69:08:4D:C0:50
+
+            X509v3 Subject Key Identifier: 
+                6E:77:A8:40:10:4A:D8:9C:0C:F2:B7:5A:3A:A5:2F:79:4A:61:14:D8
+    Signature Algorithm: sha256WithRSAEncryption
+        18:42:62:df:aa:8e:44:e6:87:10:4d:d9:a6:b2:c3:97:37:43:
+        2e:ce:f3:e0:3c:c2:2f:e1:78:60:41:a9:2b:5d:f4:24:f5:f6:
+        57:a2:08:ec:9c:89:e5:54:50:a8:30:c6:20:e5:8a:c7:8b:bd:
+        fd:98:b6:0c:7d:1a:1f:01:a1:4a:4e:ec:0d:2a:aa:9f:fd:a9:
+        20:0d:b3:5c:0f:36:c0:2c:2b:c6:75:22:29:66:a3:34:bd:93:
+        3d:f6:28:da:90:d5:7e:91:df:d3:06:f6:69:8b:80:9b:a5:34:
+        af:6a:02:5b:e4:52:7d:56:4d:99:6e:fe:e9:d0:36:99:58:d9:
+        af:cd:79:9b:e5:d2:4c:35:90:d3:e0:68:b2:88:2b:18:39:2e:
+        bc:0b:d9:82:84:7f:24:12:92:d2:b9:13:4f:64:bc:46:e1:5c:
+        6a:ed:f7:b0:d4:66:27:25:21:86:b4:3a:5e:19:a3:c7:8b:4b:
+        93:b9:2e:37:e2:6d:8b:46:ee:68:39:21:75:e8:fe:2a:a7:85:
+        fd:68:26:96:bd:dd:f9:f1:fe:99:5f:b4:a4:97:1b:50:18:fa:
+        21:90:54:0c:8b:30:28:94:70:19:34:9e:5c:e1:e5:48:93:af:
+        aa:a3:b4:95:b2:f5:4c:97:50:44:58:97:e1:ff:e7:b2:10:dd:
+        2c:fe:c0:ed
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBdMQ4wDAYDVQQKEwVJQ0FO
+TjEmMCQGA1UECxMdSUNBTk4gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxFjAUBgNV
+BAMTDUlDQU5OIFJvb3QgQ0ExCzAJBgNVBAYTAlVTMB4XDTA5MTIyMzA1MDcyOVoX
+DTE0MTIyMjA1MDcyOVowJzEOMAwGA1UEChMFSUNBTk4xFTATBgNVBAMTDElDQU5O
+IFNTTCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN3Gq798Zp2z
+K5YAFMdgeo1iWyZLMNezTIJpxk1Nc/PUkSFdqzXwyAQO9KM14uEYqZgSA1j4n+t3
+VFuJgSbJqsL0yQyCVypeBelhF8wZGHHrNYPBhp3s8WvK3aGWC5XU4Q+eJG/cPNAo
+nvJTRyuhrTIDyD8NgIB98ALSblosRCGbCVAVP6E908nIJOfqTpIvlJAu3udo9saz
+kB+8yXuiZdcR6YvwOlq3FwffaeNuuVRqjjqqlH8sCqGturfZYGInp3FAO46whHu4
+yGfvZro9rMOF5Ya7p5z9tuHAEFM91H4bCeafIlynJwl+JxIz+t+bIC8U9xfA5B4H
+kR/5ms2o4sUCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
+Af4wHwYDVR0jBBgwFoAUulLpSYMkhlIvx5nN/I1raQhNwFAwHQYDVR0OBBYEFG53
+qEAQSticDPK3WjqlL3lKYRTYMA0GCSqGSIb3DQEBCwUAA4IBAQAYQmLfqo5E5ocQ
+TdmmssOXN0MuzvPgPMIv4XhgQakrXfQk9fZXogjsnInlVFCoMMYg5YrHi739mLYM
+fRofAaFKTuwNKqqf/akgDbNcDzbALCvGdSIpZqM0vZM99ijakNV+kd/TBvZpi4Cb
+pTSvagJb5FJ9Vk2Zbv7p0DaZWNmvzXmb5dJMNZDT4GiyiCsYOS68C9mChH8kEpLS
+uRNPZLxG4Vxq7few1GYnJSGGtDpeGaPHi0uTuS434m2LRu5oOSF16P4qp4X9aCaW
+vd358f6ZX7SklxtQGPohkFQMizAolHAZNJ5c4eVIk6+qo7SVsvVMl1BEWJfh/+ey
+EN0s/sDt
+-----END CERTIFICATE-----
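Review bot: Three of the four certificates added here (the ICANN DNSSEC CA, EMAIL CA and SSL CA) carry `Not After` dates of 22 December 2014, which is before this commit's date in September 2016. Only the self-signed ICANN Root CA (`Not After : Dec 18 04:19:12 2029 GMT`) is still inside its validity period. If `unbound-anchor` is meant to use this bundle when it checks the downloaded root trust anchor, it is worth confirming that the check succeeds with this file and does not depend on the expired intermediates. The file also carries no record of where it was obtained or how it was verified; a line in the commit message or next to the file, such as `# icannbundle.pem: fetched from <SOURCE-URL> on <DATE>, SHA-256 <DIGEST>` (placeholders to be filled in), would let a later reviewer re-check it.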
diff --git a/config/unbound/root.hints b/config/unbound/root.hints
new file mode 100644 (file)
index 0000000..3c82146
--- /dev/null
@@ -0,0 +1,90 @@
+;       This file holds the information on root name servers needed to
+;       initialize cache of Internet domain name servers
+;       (e.g. reference this file in the "cache  .  <file>"
+;       configuration file of BIND domain name servers).
+;
+;       This file is made available by InterNIC 
+;       under anonymous FTP as
+;           file                /domain/named.cache
+;           on server           FTP.INTERNIC.NET
+;       -OR-                    RS.INTERNIC.NET
+;
+;       last update:    March 23, 2016
+;       related version of root zone:   2016032301
+;
+; formerly NS.INTERNIC.NET
+;
+.                        3600000      NS    A.ROOT-SERVERS.NET.
+A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
+A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
+;
+; FORMERLY NS1.ISI.EDU
+;
+.                        3600000      NS    B.ROOT-SERVERS.NET.
+B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
+B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:84::b
+;
+; FORMERLY C.PSI.NET
+;
+.                        3600000      NS    C.ROOT-SERVERS.NET.
+C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
+C.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2::c
+;
+; FORMERLY TERP.UMD.EDU
+;
+.                        3600000      NS    D.ROOT-SERVERS.NET.
+D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
+D.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2d::d
+;
+; FORMERLY NS.NASA.GOV
+;
+.                        3600000      NS    E.ROOT-SERVERS.NET.
+E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
+;
+; FORMERLY NS.ISC.ORG
+;
+.                        3600000      NS    F.ROOT-SERVERS.NET.
+F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
+F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
+;
+; FORMERLY NS.NIC.DDN.MIL
+;
+.                        3600000      NS    G.ROOT-SERVERS.NET.
+G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
+;
+; FORMERLY AOS.ARL.ARMY.MIL
+;
+.                        3600000      NS    H.ROOT-SERVERS.NET.
+H.ROOT-SERVERS.NET.      3600000      A     198.97.190.53
+H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::53
+;
+; FORMERLY NIC.NORDU.NET
+;
+.                        3600000      NS    I.ROOT-SERVERS.NET.
+I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
+I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fe::53
+;
+; OPERATED BY VERISIGN, INC.
+;
+.                        3600000      NS    J.ROOT-SERVERS.NET.
+J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
+J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:c27::2:30
+;
+; OPERATED BY RIPE NCC
+;
+.                        3600000      NS    K.ROOT-SERVERS.NET.
+K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
+K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7fd::1
+;
+; OPERATED BY ICANN
+;
+.                        3600000      NS    L.ROOT-SERVERS.NET.
+L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
+L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:9f::42
+;
+; OPERATED BY WIDE
+;
+.                        3600000      NS    M.ROOT-SERVERS.NET.
+M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
+M.ROOT-SERVERS.NET.      3600000      AAAA  2001:dc3::35
+; End of file
diff --git a/config/unbound/root.key b/config/unbound/root.key
new file mode 100644 (file)
index 0000000..0c36abe
--- /dev/null
@@ -0,0 +1 @@
+.      172800  IN      DNSKEY  257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
diff --git a/config/unbound/unbound-dhcp-leases-bridge b/config/unbound/unbound-dhcp-leases-bridge
new file mode 100644 (file)
index 0000000..61bd5d0
--- /dev/null
@@ -0,0 +1,354 @@
+#!/usr/bin/python
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2016  Michael Tremer                                          #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+import argparse
+import datetime
+import daemon
+import logging
+import logging.handlers
+import re
+import signal
+import subprocess
+
+import inotify.adapters
+
+def setup_logging(loglevel=logging.INFO):
+       log = logging.getLogger("dhcp")
+       log.setLevel(loglevel)
+
+       handler = logging.handlers.SysLogHandler(address="/dev/log", facility="daemon")
+       handler.setLevel(loglevel)
+
+       formatter = logging.Formatter("%(name)s[%(process)d]: %(message)s")
+       handler.setFormatter(formatter)
+
+       log.addHandler(handler)
+
+       return log
+
+log = logging.getLogger("dhcp")
+
+class UnboundDHCPLeasesBridge(object):
+       def __init__(self, dhcp_leases_file, unbound_leases_file):
+               self.leases_file = dhcp_leases_file
+
+               self.unbound = UnboundConfigWriter(unbound_leases_file)
+               self.running = False
+
+       def run(self):
+               log.info("Unbound DHCP Leases Bridge started on %s" % self.leases_file)
+               self.running = True
+
+               # Initially read leases file
+               self.update_dhcp_leases()
+
+               i = inotify.adapters.Inotify([self.leases_file])
+
+               for event in i.event_gen():
+                       # End if we are requested to terminate
+                       if not self.running:
+                               break
+
+                       if event is None:
+                               continue
+
+                       header, type_names, watch_path, filename = event
+
+                       # Update leases after leases file has been modified
+                       if "IN_MODIFY" in type_names:
+                               self.update_dhcp_leases()
+
+               log.info("Unbound DHCP Leases Bridge terminated")
+
+       def update_dhcp_leases(self):
+               log.info("Reading DHCP leases from %s" % self.leases_file)
+
+               leases = DHCPLeases(self.leases_file)
+               self.unbound.update_dhcp_leases(leases)
+
+       def terminate(self):
+               self.running = False
+
+
+class DHCPLeases(object):
+       regex_leaseblock = re.compile(r"lease (?P<ipaddr>\d+\.\d+\.\d+\.\d+) {(?P<config>[\s\S]+?)\n}")
+
+       def __init__(self, path):
+               self.path = path
+
+               self._leases = self._parse()
+
+       def __iter__(self):
+               return iter(self._leases)
+
+       def _parse(self):
+               leases = []
+
+               with open(self.path) as f:
+                       # Read entire leases file
+                       data = f.read()
+
+                       for match in self.regex_leaseblock.finditer(data):
+                               block = match.groupdict()
+
+                               ipaddr = block.get("ipaddr")
+                               config = block.get("config")
+
+                               properties = self._parse_block(config)
+
+                               # Skip any abandoned leases
+                               if not "hardware" in properties:
+                                       continue
+
+                               lease = Lease(ipaddr, properties)
+
+                               # Check if a lease for this Ethernet address already
+                               # exists in the list of known leases. If so replace
+                               # if with the most recent lease
+                               for i, l in enumerate(leases):
+                                       if l.hwaddr == lease.hwaddr:
+                                               leases[i] = max(lease, l)
+                                               break
+
+                               else:
+                                       leases.append(lease)
+
+               return leases
+
+       def _parse_block(self, block):
+               properties = {}
+
+               for line in block.splitlines():
+                       if not line:
+                               continue
+
+                       # Remove trailing ; from line
+                       if line.endswith(";"):
+                               line = line[:-1]
+
+                       # Invalid line if it doesn't end with ;
+                       else:
+                               continue
+
+                       # Remove any leading whitespace
+                       line = line.lstrip()
+
+                       # We skip all options and sets
+                       if line.startswith("option") or line.startswith("set"):
+                               continue
+
+                       # Split by first space
+                       key, val = line.split(" ", 1)
+                       properties[key] = val
+
+               return properties
+
+
+class Lease(object):
+       def __init__(self, ipaddr, properties):
+               self.ipaddr = ipaddr
+               self._properties = properties
+
+       def __repr__(self):
+               return "<%s %s for %s (%s)>" % (self.__class__.__name__,
+                       self.ipaddr, self.hwaddr, self.hostname)
+
+       def __eq__(self, other):
+               return self.ipaddr == other.ipaddr and self.hwaddr == other.hwaddr
+
+       def __gt__(self, other):
+               if not self.ipaddr == other.ipaddr:
+                       return
+
+               if not self.hwaddr == other.hwaddr:
+                       return
+
+               return self.time_starts > other.time_starts
+
+       @property
+       def binding_state(self):
+               state = self._properties.get("binding")
+
+               if state:
+                       state = state.split(" ", 1)
+                       return state[1]
+
+       @property
+       def active(self):
+               return self.binding_state == "active"
+
+       @property
+       def hwaddr(self):
+               hardware = self._properties.get("hardware")
+
+               if not hardware:
+                       return
+
+               ethernet, address = hardware.split(" ", 1)
+
+               return address
+
+       @property
+       def hostname(self):
+               hostname = self._properties.get("client-hostname")
+
+               # Remove any ""
+               if hostname:
+                       hostname = hostname.replace("\"", "")
+
+               return hostname
+
+       @property
+       def domain(self):
+               return "local" # XXX
+
+       @property
+       def fqdn(self):
+               return "%s.%s" % (self.hostname, self.domain)
+
+       @staticmethod
+       def _parse_time(s):
+               return datetime.datetime.strptime(s, "%w %Y/%m/%d %H:%M:%S")
+
+       @property
+       def time_starts(self):
+               starts = self._properties.get("starts")
+
+               if starts:
+                       return self._parse_time(starts)
+
+       @property
+       def time_ends(self):
+               ends = self._properties.get("ends")
+
+               if not ends or ends == "never":
+                       return
+
+               return self._parse_time(ends)
+
+       @property
+       def expired(self):
+               if not self.time_ends:
+                       return self.time_starts > datetime.datetime.utcnow()
+
+               return self.time_starts > datetime.datetime.utcnow() > self.time_ends
+
+       @property
+       def rrset(self):
+               return [
+                       # Forward record
+                       (self.fqdn, "IN A", self.ipaddr),
+
+                       # Reverse record
+                       (self.ipaddr, "IN PTR", self.fqdn),
+               ]
+
+
+class UnboundConfigWriter(object):
+       def __init__(self, path):
+               self.path = path
+
+               self._cached_leases = []
+
+       def update_dhcp_leases(self, leases):
+               # Strip all non-active or expired leases
+               leases = [l for l in leases if l.active and not l.expired]
+
+               # Find any leases that have expired or do not exist any more 
+               removed_leases = [l for l in self._cached_leases if l.expired or l not in leases]
+
+               # Find any leases that have been added
+               new_leases = [l for l in leases if l not in self._cached_leases]
+
+               # End here if nothing has changed
+               if not new_leases and not removed_leases:
+                       return
+
+               self._cached_leases = leases
+
+               # Write out all leases
+               self.write_dhcp_leases(leases)
+
+               # Update unbound about changes
+               for l in removed_leases:
+                       self._control("local_data_remove", l.fqdn)
+
+               for l in new_leases:
+                       for rr in l.rrset:
+                               self._control("local_data", *rr)
+
+
+       def write_dhcp_leases(self, leases):
+               with open(self.path, "w") as f:
+                       for l in leases:
+                               for rr in l.rrset:
+                                       f.write("local-data: \"%s\"\n" % " ".join(rr))
+
+       def _control(self, *args):
+               command = ["unbound-control", "-q"]
+               command.extend(args)
+
+               try:
+                       subprocess.check_call(command)
+
+               # Log any errors
+               except subprocess.CalledProcessError as e:
+                       log.critical("Could not run %s, error code: %s: %s" % (
+                               " ".join(command), e.returncode, e.output))
+
+
+if __name__ == "__main__":
+       parser = argparse.ArgumentParser(description="Bridge for DHCP Leases and Unbound DNS")
+
+       # Daemon Stuff
+       parser.add_argument("--daemon", "-d", action="store_true",
+               help="Launch as daemon in background")
+       parser.add_argument("--verbose", "-v", action="count", help="Be more verbose")
+
+       # Paths
+       parser.add_argument("--dhcp-leases", default="/var/state/dhcp/dhcpd.leases",
+               metavar="PATH", help="Path to the DHCPd leases file")
+       parser.add_argument("--unbound-leases", default="/etc/unbound/dhcp-leases.conf",
+               metavar="PATH", help="Path to the unbound configuration file")
+
+       # Parse command line arguments
+       args = parser.parse_args()
+
+       # Setup logging
+       if args.verbose == 1:
+               loglevel = logging.INFO
+       elif args.verbose >= 2:
+               loglevel = logging.DEBUG
+       else:
+               loglevel = logging.WARN
+
+       setup_logging(loglevel)
+
+       bridge = UnboundDHCPLeasesBridge(args.dhcp_leases, args.unbound_leases)
+
+       ctx = daemon.DaemonContext(detach_process=args.daemon)
+       ctx.signal_map = {
+               signal.SIGHUP  : bridge.update_dhcp_leases,
+               signal.SIGTERM : bridge.terminate,
+       }
+
+       with ctx:
+               bridge.run()
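Review bot: `Lease.hostname` returns the DHCP client's `client-hostname` with only the double quotes removed, and `rrset` puts that value straight into the `local-data:` lines written by `write_dhcp_leases` and into the `unbound-control local_data` arguments. That name is chosen by whichever device requests a lease, so it should be accepted only when it is a single valid DNS label; anything else (whitespace, dots, a missing name) either alters the record that ends up in the included config or, for a lease with no `client-hostname`, publishes `None.local`. I would validate in the `hostname` property, return no records from `rrset` when it is empty, and add `and l.hostname` to the filter at the top of `update_dhcp_leases` so such leases never reach `local_data_remove` either. The fence shows the rewritten property and the guard in `rrset`.

```python
class Lease(object):
	# A single DNS label (RFC 1123): letters, digits, inner hyphens, max. 63 chars
	regex_hostname = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\Z")

	# … unchanged: __init__ through hwaddr …

	@property
	def hostname(self):
		hostname = self._properties.get("client-hostname")
		if not hostname:
			return

		# Remove any ""
		hostname = hostname.replace("\"", "")

		# The name comes from the DHCP client; accept one valid label only
		if self.regex_hostname.match(hostname):
			return hostname

	# … unchanged: domain through expired …

	@property
	def rrset(self):
		# A lease without a usable hostname gets no records
		if not self.hostname:
			return []

		# … unchanged: forward and reverse tuples …
```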
diff --git a/config/unbound/unbound.conf b/config/unbound/unbound.conf
new file mode 100644 (file)
index 0000000..6d8a7f2
--- /dev/null
@@ -0,0 +1,94 @@
+#
+# Unbound configuration file for IPFire
+#
+# The full documentation is available at:
+# https://www.unbound.net/documentation/unbound.conf.html
+#
+
+server:
+       # Common Server Options
+       chroot: ""
+       directory: "/etc/unbound"
+       username: "nobody"
+       port: 53
+       do-ip4: yes
+       do-ip6: no
+       do-udp: yes
+       do-tcp: yes
+       so-reuseport: yes
+       do-not-query-localhost: yes
+
+       # System Tuning
+       include: "/etc/unbound/tuning.conf"
+
+       # Logging Options
+       verbosity: 1
+       use-syslog: yes
+       log-time-ascii: yes
+       log-queries: no
+
+       # Unbound Statistics
+       statistics-interval: 0
+       statistics-cumulative: yes
+       extended-statistics: yes
+
+       # Prefetching
+       prefetch: yes
+       prefetch-key: yes
+
+       # Randomise any cached responses
+       rrset-roundrobin: yes
+
+       # Privacy Options
+       hide-identity: yes
+       hide-version: yes
+       qname-minimisation: yes
+       minimal-responses: yes
+
+       # DNSSEC
+       auto-trust-anchor-file: "/var/lib/unbound/root.key"
+       val-permissive-mode: no
+       val-clean-additional: yes
+       val-log-level: 1
+
+       # Hardening Options
+       harden-glue: yes
+       harden-short-bufsize: no
+       harden-large-queries: yes
+       harden-dnssec-stripped: yes
+       harden-below-nxdomain: yes
+       harden-referral-path: yes
+       harden-algo-downgrade: no
+       use-caps-for-id: no
+
+       # Deny access from everywhere
+       access-control: 0.0.0.0/0 refuse
+
+       # Listen on localhost
+       interface: 127.0.0.1
+       access-control: 127.0.0.0/8 allow
+
+       # Bootstrap root servers
+       root-hints: "/etc/unbound/root.hints"
+
+       # IPFire interface configuration
+       include: "/etc/unbound/interfaces.conf"
+       interface-automatic: no
+
+       # Include DHCP leases
+       include: "/etc/unbound/dhcp-leases.conf"
+
+       # Include any forward zones
+       include: "/etc/unbound/forward.conf"
+
+remote-control:
+       control-enable: yes
+       control-use-cert: yes
+       control-interface: 127.0.0.1
+       server-key-file: "/etc/unbound/unbound_server.key"
+       server-cert-file: "/etc/unbound/unbound_server.pem"
+       control-key-file: "/etc/unbound/unbound_control.key"
+       control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Import any local configurations
+include: "/etc/unbound/local.d/*.conf"
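Review bot: The server block turns the chroot off (`chroot: ""`) and drops privileges to the shared `nobody` account (`username: "nobody"`), so any other process running as `nobody` gets the same access as the resolver to whatever that uid owns. Per the lfs/unbound section of this commit, that includes the DNSSEC trust anchor under /var/lib/unbound. A dedicated unprivileged account would keep that separation; the commit also touches config/etc/passwd and config/etc/group, which are not visible here, so this may only need the value changed in this file and in the `chown`. If both settings are deliberate, a one-line comment above each stating the reason would help the next maintainer. The same goes for `harden-algo-downgrade: no` and `use-caps-for-id: no`, which sit under "Hardening Options" switched off with no explanation.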
index 1afc55f..ee63c6d 100644 (file)
@@ -106,8 +106,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'})
                        $cgiparams{'ID'} = $cgiparams{'EDITING'};
                }
        }
-       # Restart dnsmasq.
-       system('/usr/local/bin/dnsmasqctrl restart >/dev/null');
+       # Restart unbound
+       system('/usr/local/bin/unboundctrl restart >/dev/null');
 }
 
 ###
@@ -124,8 +124,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'})
                unless ($cgiparams{'ID'} eq $id) { print FILE "$line"; }
        }
        close(FILE);
-       # Restart dnsmasq.
-       system('/usr/local/bin/dnsmasqctrl restart >/dev/null');
+       # Restart unbound.
+       system('/usr/local/bin/unboundctrl restart >/dev/null');
 }
 
 ###
@@ -148,8 +148,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'})
                }
        }
        close(FILE);
-       # Restart dnsmasq.
-       system('/usr/local/bin/dnsmasqctrl restart >/dev/null');
+       # Restart unbound.
+       system('/usr/local/bin/unboundctrl restart >/dev/null');
 }
 
 ###
index f954213..82b6aa0 100644 (file)
@@ -52,7 +52,7 @@ my %sections = (
         'ipfire' => '(ipfire: )',
         'red' => '(red:|pppd\[.*\]: |chat\[.*\]|pppoe\[.*\]|pptp\[.*\]|pppoa\[.*\]|pppoa3\[.*\]|pppoeci\[.*\]|ipppd|ipppd\[.*\]|kernel: ippp\d|kernel: isdn.*|ibod\[.*\]|dhcpcd\[.*\]|modem_run\[.*\])',
         'ddns' => '(ddns\[\d+\]:)',
-        'dns' => '(dnsmasq\[.*\]: )',
+        'dns' => '(dnsmasq\[.*\]: |unbound\[.*\]: )',
         'dma' => '(dma\[.*\]: )',
         'dhcp' => '(dhcpd: )',
         'clamav' => '(clamd\[.*\]: |freshclam\[.*\]: )',
index 76bd9ed..64fdbba 100644 (file)
@@ -49,7 +49,7 @@ my %servicenames =(
        $Lang::tr{'dhcp server'} => 'dhcpd',
        $Lang::tr{'web server'} => 'httpd',
        $Lang::tr{'cron server'} => 'fcron',
-       $Lang::tr{'dns proxy server'} => 'dnsmasq',
+       $Lang::tr{'dns proxy server'} => 'unbound',
        $Lang::tr{'logging server'} => 'syslogd',
        $Lang::tr{'kernel logging server'} => 'klogd',
        $Lang::tr{'ntp server'} => 'ntpd',
index e731d7f..5e2cd24 100644 (file)
@@ -185,13 +185,11 @@ $(TARGET) :
        ln -sf ../init.d/wlanclient  /etc/rc.d/rc3.d/S19wlanclient
        ln -sf ../init.d/wlanclient  /etc/rc.d/rc6.d/K82wlanclient
 
-       ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.up/05-RS-dnsmasq
        ln -sf ../../../../../usr/local/bin/snortctrl \
                /etc/rc.d/init.d/networking/red.up/23-RS-snort
        ln -sf ../../../../../usr/local/bin/qosctrl \
                /etc/rc.d/init.d/networking/red.up/24-RS-qos
        ln -sf ../../squid /etc/rc.d/init.d/networking/red.up/27-RS-squid
-       ln -sf ../../dnsmasq /etc/rc.d/init.d/networking/red.down/05-RS-dnsmasq
 
        for i in green blue orange; do \
                ln -sf any /etc/rc.d/init.d/networking/$$i; \
diff --git a/lfs/python-daemon b/lfs/python-daemon
new file mode 100644 (file)
index 0000000..c96ec55
--- /dev/null
@@ -0,0 +1,75 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2011  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 2.1.1
+
+THISAPP    = python-daemon-$(VER)
+DL_FILE    = $(THISAPP).tar.gz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 72e2acf2c3d69c7fa75a6625d06adfd0
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+       @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+       @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+       @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+       @$(PREBUILD)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && python setup.py install --root=/
+       @rm -rf $(DIR_APP)
+       @$(POSTBUILD)
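Review bot: The only integrity pin on the downloaded tarball is `$(DL_FILE)_MD5`, and MD5 does not resist deliberate collisions, so it catches a corrupted download but not a substituted archive on the mirror behind `$(URL_IPFIRE)`. The archive is then unpacked and `python setup.py install --root=/` runs its code during the build, which makes that pin the whole trust decision for this package. The `$(CHECK)` and `$(MD5)` macros come from the included `Config`, outside this page, so it is not visible whether a stronger digest can be checked there. At minimum a comment next to the value recording how it was obtained would help, for example `# checked against the upstream release signature, <date>`. The same applies to lfs/python-docutils, lfs/python-inotify and the new MD5 value in lfs/unbound.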
diff --git a/lfs/python-docutils b/lfs/python-docutils
new file mode 100644 (file)
index 0000000..13f7ef1
--- /dev/null
@@ -0,0 +1,75 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2011  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 0.12
+
+THISAPP    = docutils-$(VER)
+DL_FILE    = $(THISAPP).tar.gz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = 4622263b62c5c771c03502afa3157768
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+       @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+       @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+       @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+       @$(PREBUILD)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && python setup.py install --root=/
+       @rm -rf $(DIR_APP)
+       @$(POSTBUILD)
diff --git a/lfs/python-inotify b/lfs/python-inotify
new file mode 100644 (file)
index 0000000..ea8a960
--- /dev/null
@@ -0,0 +1,75 @@
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2011  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
+
+###############################################################################
+# Definitions
+###############################################################################
+
+include Config
+
+VER        = 0.2.7
+
+THISAPP    = inotify-$(VER)
+DL_FILE    = $(THISAPP).tar.gz
+DL_FROM    = $(URL_IPFIRE)
+DIR_APP    = $(DIR_SRC)/$(THISAPP)
+TARGET     = $(DIR_INFO)/$(THISAPP)
+
+###############################################################################
+# Top-level Rules
+###############################################################################
+
+objects = $(DL_FILE)
+
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+
+$(DL_FILE)_MD5 = ced4c0469f9fd64170d9d907e4aec208
+
+install : $(TARGET)
+
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+
+md5 : $(subst %,%_MD5,$(objects))
+
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+       @$(CHECK)
+
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+       @$(LOAD)
+
+$(subst %,%_MD5,$(objects)) :
+       @$(MD5)
+
+###############################################################################
+# Installation Details
+###############################################################################
+
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+       @$(PREBUILD)
+       @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
+       cd $(DIR_APP) && python setup.py install --root=/
+       @rm -rf $(DIR_APP)
+       @$(POSTBUILD)
similarity index 51%
rename from lfs/dnsmasq
rename to lfs/unbound
index 7a11061..9c85893 100644 (file)
 
 include Config
 
-VER        = 2.76
+VER        = 1.5.9
 
-THISAPP    = dnsmasq-$(VER)
-DL_FILE    = $(THISAPP).tar.xz
+THISAPP    = unbound-$(VER)
+DL_FILE    = $(THISAPP).tar.gz
 DL_FROM    = $(URL_IPFIRE)
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
-# We cannot use INOTIFY because our ISC reader code does not support that
-COPTS      = -DHAVE_ISC_READER -DNO_INOTIFY
-
 ###############################################################################
 # Top-level Rules
 ###############################################################################
@@ -43,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 00f5ee66b4e4b7f14538bf62ae3c9461
+$(DL_FILE)_MD5 = 0cefa62c1690b4db18583db84bff00e3
 
 install : $(TARGET)
 
@@ -73,32 +70,40 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
        @$(PREBUILD)
        @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/005-Manpage_typo.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch
-       cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
-
-       cd $(DIR_APP) && sed -i src/config.h \
-               -e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \
-               -e 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' \
-               -e 's|#define HAVE_DHCP|//#define HAVE_DHCP|g' \
-               -e 's|#define HAVE_DHCP6|//#define HAVE_DHCP6|g' \
-               -e 's|#define HAVE_TFTP|//#define HAVE_TFTP|g'
-
-       cd $(DIR_APP) && make CFLAGS="$(CFLAGS)" COPTS="$(COPTS)" \
-               PREFIX=/usr all install
+       cd $(DIR_APP) && \
+               ./configure \
+                       --prefix=/usr \
+                       --sysconfdir=/etc \
+                       --with-pidfile=/var/run/unbound.pid \
+                       --with-rootkey-file=/var/lib/unbound/root.key \
+                       --disable-static \
+                       --with-libevent
+       cd $(DIR_APP) && make $(MAKETUNING)
+       cd $(DIR_APP) && make install
+
+       # Install configuration
+       install -v -m 644 $(DIR_SRC)/config/unbound/unbound.conf \
+               /etc/unbound/unbound.conf
+       touch /etc/unbound/{dhcp-leases,forward}.conf
+       -mkdir -pv /etc/unbound/local.d
+
+       # Install root hints
+       install -v -m 644 $(DIR_SRC)/config/unbound/root.hints \
+               /etc/unbound/root.hints
+
+       # Install DHCP leases bridge
+       install -v -m 755 $(DIR_SRC)/config/unbound/unbound-dhcp-leases-bridge \
+               /usr/sbin/unbound-dhcp-leases-bridge
+
+       # Install key
+       -mkdir -pv /var/lib/unbound
+       install -v -m 644 $(DIR_SRC)/config/unbound/root.key \
+               /var/lib/unbound/root.key
+       chown -Rv nobody.nobody /var/lib/unbound
+
+       # Ship ICANN's certificates to validate DNS trust anchors
+       install -v -m 644 $(DIR_SRC)/config/unbound/icannbundle.pem \
+               /etc/unbound/icannbundle.pem
+
        @rm -rf $(DIR_APP)
        @$(POSTBUILD)
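Review bot: `touch /etc/unbound/{dhcp-leases,forward}.conf` relies on brace expansion, which only happens when make runs recipes with bash. Under a POSIX sh it creates a single file literally named `{dhcp-leases,forward}.conf`, while unbound.conf includes both real names. Spelling the paths out removes the dependency on the `SHELL` setting, which is not visible here: `touch /etc/unbound/dhcp-leases.conf /etc/unbound/forward.conf`. In the same rule, `chown -Rv nobody.nobody /var/lib/unbound` uses the dot separator that chown accepts only for compatibility; `nobody:nobody` is the documented form.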
diff --git a/make.sh b/make.sh
index 1c832d0..73feacb 100755 (executable)
--- a/make.sh
+++ b/make.sh
@@ -537,7 +537,9 @@ buildipfire() {
   ipfiremake beep
   ipfiremake dvdrtools
   ipfiremake nettle
-  ipfiremake dnsmasq
+  ipfiremake libevent
+  ipfiremake libevent2
+  ipfiremake unbound
   ipfiremake dosfstools
   ipfiremake reiserfsprogs
   ipfiremake xfsprogs
@@ -603,6 +605,9 @@ buildipfire() {
   ipfiremake python-mechanize
   ipfiremake python-feedparser
   ipfiremake python-rssdler
+  ipfiremake python-inotify
+  ipfiremake python-docutils
+  ipfiremake python-daemon
   ipfiremake glib
   ipfiremake GeoIP
   ipfiremake fwhits
@@ -678,8 +683,6 @@ buildipfire() {
   ipfiremake gnump3d
   ipfiremake rsync
   ipfiremake tcpwrapper
-  ipfiremake libevent
-  ipfiremake libevent2
   ipfiremake libtirpc
   ipfiremake rpcbind
   ipfiremake nfs
diff --git a/src/initscripts/init.d/dnsmasq b/src/initscripts/init.d/dnsmasq
deleted file mode 100644 (file)
index 059ffac..0000000
+++ /dev/null
@@ -1,145 +0,0 @@
-#!/bin/sh
-########################################################################
-# Begin $rc_base/init.d/dnsmasq
-#
-# Description : dnsmasq init script
-#
-# Authors     : Michael Tremer - mitch@ipfire.org
-#
-# Version     : 01.00
-#
-# Notes       :
-#
-########################################################################
-
-. /etc/sysconfig/rc
-. ${rc_functions}
-
-CACHE_SIZE=2500
-ENABLE_DNSSEC=1
-SHOW_SRV=1
-TRUST_ANCHOR=".,19036,8,2,49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5"
-TIMESTAMP_FILE="/var/ipfire/dns/dnssec-timestamp"
-
-# Pull custom configuration file
-if [ -e "/etc/sysconfig/dnsmasq" ]; then
-       . /etc/sysconfig/dnsmasq
-fi
-
-function dnssec_args() {
-       local cmdline="--dnssec --dnssec-timestamp ${TIMESTAMP_FILE}"
-
-       if [ -n "${TRUST_ANCHOR}" ]; then
-               cmdline="${cmdline} --trust-anchor=${TRUST_ANCHOR}"
-       fi
-
-       echo "${cmdline}"
-}
-
-function dns_forward_args() {
-       local file="${1}"
-
-       # Do nothing if file is empty.
-       [ -s "${file}" ] || return
-
-       local cmdline
-
-       local enabled zone server remark
-       while IFS="," read -r enabled zone server remark; do
-               # Line must be enabled.
-               [ "${enabled}" = "on" ] || continue
-
-               cmdline="${cmdline} --server=/${zone}/${server}"
-       done < ${file}
-
-       echo "${cmdline}"
-}
-
-function dns_leases_args() {
-       eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
-
-       # If the DHCP server is enabled and DNS Update (RFC2136) is
-       # enabled, too, we won't overlay the internal domain with
-       # the dynamic/static leases.
-
-       if ([ "${ENABLE_GREEN}" = "on" ] || [ "${ENABLE_BLUE}" = "on" ]) \
-                       && [ "${DNS_UPDATE_ENABLED}" = "on" ]; then
-               return
-       fi
-
-       echo "-l /var/state/dhcp/dhcpd.leases"
-}
-
-case "${1}" in
-       start)
-               # kill already running copy of dnsmasq...
-               killproc /usr/sbin/dnsmasq 2>&1 > /dev/null
-
-               boot_mesg "Starting Domain Name Service Proxy..."
-               
-               eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
-               ARGS="$CUSTOM_ARGS"
-               [ "$DOMAIN_NAME_GREEN" != "" ] && ARGS="$ARGS -s $DOMAIN_NAME_GREEN"
-
-               # DHCP configuration
-               ARGS="${ARGS} $(dns_leases_args)"
-
-               echo > /var/ipfire/red/resolv.conf # Clear it
-               if [ -e "/var/ipfire/red/dns1" ]; then
-                   DNS1=$(cat /var/ipfire/red/dns1 2>/dev/null)
-                   if [ ! -z ${DNS1} ]; then
-                       echo "nameserver ${DNS1}" >> /var/ipfire/red/resolv.conf
-                   fi
-               fi
-               if [ -e "/var/ipfire/red/dns2" ]; then
-                   DNS2=$(cat /var/ipfire/red/dns2 2>/dev/null)
-                   if [ ! -z ${DNS2} ]; then
-                       echo "nameserver ${DNS2}" >> /var/ipfire/red/resolv.conf
-                   fi
-               fi
-               [ -e "/var/ipfire/red/active" ] && ARGS="$ARGS -r /var/ipfire/red/resolv.conf"
-       
-               ARGS="$ARGS --domain=`cat /var/ipfire/main/settings |grep DOMAIN |cut -d = -f 2`"
-
-               # Add custom forward dns zones.
-               ARGS="${ARGS} $(dns_forward_args /var/ipfire/dnsforward/config)"
-
-               # Enabled DNSSEC validation
-               if [ "${ENABLE_DNSSEC}" -eq 1 ]; then
-                       ARGS="${ARGS} $(dnssec_args)"
-               fi
-
-               if [ -n "${CACHE_SIZE}" ]; then
-                       ARGS="${ARGS} --cache-size=${CACHE_SIZE}"
-               fi
-
-               loadproc /usr/sbin/dnsmasq ${ARGS}
-               
-               if [ "${SHOW_SRV}" -eq 1 ] && [ "${DNS1}" != "" -o "${DNS2}" != "" ]; then
-                   boot_mesg "Using DNS server(s): ${DNS1} ${DNS2}"
-                   boot_mesg_flush
-               fi
-               ;;
-
-       stop)
-               boot_mesg "Stopping Domain Name Service Proxy..."
-               killproc /usr/sbin/dnsmasq
-               ;;
-
-       restart)
-               ${0} stop
-               sleep 1
-               ${0} start
-               ;;
-
-       status)
-               statusproc /usr/sbin/dnsmasq
-               ;;
-
-       *)
-               echo "Usage: ${0} {start|stop|restart|status}"
-               exit 1
-               ;;
-esac
-
-# End $rc_base/init.d/dnsmasq
index 9182e98..b29ca2c 100644 (file)
 . ${rc_functions}
 eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 
-init_networking() {
-       /etc/rc.d/init.d/dnsmasq start
-}
-
 DO="${1}"
 shift
 
@@ -46,8 +42,6 @@ done
 
 case "${DO}" in
        start)
-               [ "${ALL}" == "1" ] && init_networking
-
                # Starting interfaces...
                # GREEN
                [ "$green" == "1" ] && /etc/rc.d/init.d/networking/green start
@@ -92,9 +86,6 @@ case "${DO}" in
                        fi
                fi
 
-               # Stopping dnsmasq if network all networks shutdown
-               [ "${ALL}" == "1" ] && /etc/rc.d/init.d/dnsmasq stop
-
                exit 0
                ;;
 
diff --git a/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.down/05-update-dns-forwarders
new file mode 100644 (file)
index 0000000..7f35696
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Update DNS forwarders for unbound
+exec /etc/init.d/unbound update-forwarders
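Review bot: This hook is added with mode 100644 although it carries a `#!/bin/bash` line and is meant to run on RED state changes. If the code that walks red.up and red.down runs only files with the execute bit set, the forwarders will never be refreshed when the uplink changes; that code and the install step in lfs/initscripts are outside this page. The hook also calls `/etc/init.d/unbound`, while unboundctrl.c in this commit uses `/etc/rc.d/init.d/unbound`. Using the same path, `exec /etc/rc.d/init.d/unbound update-forwarders`, avoids depending on a compatibility symlink. Both remarks apply equally to the identical file added under red.up.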
diff --git a/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders b/src/initscripts/init.d/networking/red.up/05-update-dns-forwarders
new file mode 100644 (file)
index 0000000..7f35696
--- /dev/null
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+# Update DNS forwarders for unbound
+exec /etc/init.d/unbound update-forwarders
diff --git a/src/initscripts/init.d/unbound b/src/initscripts/init.d/unbound
new file mode 100644 (file)
index 0000000..f3d35cf
--- /dev/null
@@ -0,0 +1,226 @@
+#!/bin/sh
+# Begin $rc_base/init.d/unbound
+
+# Description : Unbound DNS resolver boot script for IPfire
+# Author      : Marcel Lorenz <marcel.lorenz@ipfire.org>
+#
+# Comment     : This init script additional starts the dhcpd watcher daemon
+#               if DNS-Update (RFC2136) in web interface enabled
+
+. /etc/sysconfig/rc
+. ${rc_functions}
+
+USE_FORWARDERS=1
+
+# Load optional configuration
+[ -e "/etc/sysconfig/unbound" ] && . /etc/sysconfig/unbound
+
+function cidr() {
+    local cidr nbits IFS;
+    IFS=. read -r i1 i2 i3 i4 <<< ${1}
+    IFS=. read -r m1 m2 m3 m4 <<< ${2}
+    cidr=$(printf "%d.%d.%d.%d\n" "$((i1 & m1))" "$((i2 & m2))" "$((i3 & m3))" "$((i4 & m4))")
+    nbits=0
+    IFS=.
+    for dec in $2 ; do
+        case $dec in
+            255) let nbits+=8;;
+            254) let nbits+=7;;
+            252) let nbits+=6;;
+            248) let nbits+=5;;
+            240) let nbits+=4;;
+            224) let nbits+=3;;
+            192) let nbits+=2;;
+            128) let nbits+=1;;
+            0);;
+            *) echo "Error: $dec is not recognised"; exit 1
+        esac
+    done
+    echo "${cidr}/${nbits}"
+}
+
+read_name_servers() {
+       local i
+       for i in 1 2; do
+               echo "$(</var/ipfire/red/dns${i})"
+       done | xargs echo
+}
+
+config_header() {
+       echo "# This file is automatically generated and any changes"
+       echo "# will be overwritten. DO NOT EDIT!"
+       echo
+}
+
+update_forwarders() {
+       local forwarders="$(read_name_servers)"
+
+       if [ "${USE_FORWARDERS}" = "1" ] && [ -n "${forwarders}" ]; then
+               boot_mesg "Using Name Server(s): ${forwarders}"
+               boot_mesg_flush
+
+               unbound-control -q forward ${forwarders}
+
+       # If forwarders cannot be used we run in recursor mode
+       else
+               unbound-control -q forward off
+       fi
+}
+
+write_interfaces_conf() {
+       (
+               config_header
+
+               if [ -n "${GREEN_ADDRESS}" ]; then
+                       echo "# GREEN"
+                       echo "interface: ${GREEN_ADDRESS}"
+                       echo "access-control: $(cidr ${GREEN_NETADDRESS} ${GREEN_NETMASK}) allow"
+               fi
+
+               if [ -n "${BLUE_ADDRESS}" ]; then
+                       echo "# BLUE"
+                       echo "interface: ${BLUE_ADDRESS}"
+                       echo "access-control: $(cidr ${BLUE_NETADDRESS} ${BLUE_NETMASK}) allow"
+               fi
+       ) > /etc/unbound/interfaces.conf
+}
+
+write_forward_conf() {
+       (
+               config_header
+
+               local enabled zone server remark
+               while IFS="," read -r enabled zone server remark; do
+                       # Line must be enabled.
+                       [ "${enabled}" = "on" ] || continue
+
+                       echo "forward-zone:"
+                       echo "  name: ${zone}"
+                       echo "  forward-addr: ${server}"
+                       echo
+               done < /var/ipfire/dnsforward/config
+       ) > /etc/unbound/forward.conf
+}
+
+write_tuning_conf() {
+       # https://www.unbound.net/documentation/howto_optimise.html
+
+       # Determine number of online processors
+       local processors=$(getconf _NPROCESSORS_ONLN)
+
+       # Determine number of slabs
+       local slabs=1
+       while [ ${slabs} -lt ${processors} ]; do
+               slabs=$(( ${slabs} * 2 ))
+       done
+
+       # Determine amount of system memory
+       local mem=$(get_memory_amount)
+
+       # In the worst case scenario, unbound can use double the
+       # amount of memory allocated to a cache due to malloc overhead
+
+       # Large systems with more than 2GB of RAM
+       if [ ${mem} -ge 2048 ]; then
+               mem=128
+
+       # Small systems with less than 256MB of RAM
+       elif [ ${mem} -le 256 ]; then
+               mem=8
+
+       # Everything else
+       else
+               mem=32
+       fi
+
+       (
+               config_header
+
+               # We run one thread per processor
+               echo "num-threads: ${processors}"
+
+               # Adjust number of slabs
+               echo "infra-cache-slabs: ${slabs}"
+               echo "key-cache-slabs: ${slabs}"
+               echo "msg-cache-slabs: ${slabs}"
+               echo "rrset-cache-slabs: ${slabs}"
+
+               # Slice up the cache
+               echo "rrset-cache-size: $(( ${mem} / 2 ))m"
+               echo "msg-cache-size: $(( ${mem} / 4 ))m"
+               echo "key-cache-size: $(( ${mem} / 4 ))m"
+       ) > /etc/unbound/tuning.conf
+}
+
+get_memory_amount() {
+       local key val unit
+
+       while read -r key val unit; do
+               case "${key}" in
+                       MemTotal:*)
+                               # Convert to MB
+                               echo "$(( ${val} / 1024 ))"
+                               break
+                               ;;
+               esac
+       done < /proc/meminfo
+}
+
+case "$1" in
+       start)
+               eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+               eval $(/usr/local/bin/readhash /var/ipfire/dhcp/settings)
+
+               # Create control keys at first run
+               if [ ! -r "/etc/unbound/unbound_control.key" ]; then
+                       unbound-control-setup -d /etc/unbound &>/dev/null
+               fi
+
+               # Update configuration files
+               write_tuning_conf
+               write_interfaces_conf
+               write_forward_conf
+
+               boot_mesg "Starting Unbound DNS Proxy..."
+               loadproc /usr/sbin/unbound || exit $?
+
+               # Update any known forwarding name servers
+               update_forwarders
+
+               # Start Unbound DHCP Lease Bridge unless RFC2136 is used
+               if [ "${DNS_UPDATE_ENABLED}" != on ]; then
+                       boot_mesg "Starting Unbound DHCP Leases Bridge..."
+                       loadproc /usr/sbin/unbound-dhcp-leases-bridge -d
+               fi
+               ;;
+
+       stop)
+               boot_mesg "Stopping Unbound DHCP Leases Bridge..."
+               killproc /usr/sbin/unbound-dhcp-leases-bridge
+
+               boot_mesg "Stopping Unbound DNS Proxy..."
+               killproc /usr/sbin/unbound
+               ;;
+
+       restart)
+               $0 stop
+               sleep 1
+               $0 start
+               ;;
+
+       status)
+               statusproc /usr/sbin/unbound
+               statusproc /usr/sbin/unbound-dhcp-leases-bridge
+               ;;
+
+       update-forwarders)
+               update_forwarders
+               ;;
+
+       *)
+               echo "Usage: $0 {start|stop|restart|status|update-forwarders}"
+               exit 1
+               ;;
+esac
+
+# End $rc_base/init.d/unbound
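Review bot: In `cidr()`, the fallback branch `*) echo "Error: $dec is not recognised"; exit 1` prints to stdout, and the function is only ever called as `$(cidr ...)` in `write_interfaces_conf`. The message is therefore captured and written into interfaces.conf as an `access-control: Error: ... allow` line, and the `exit 1` ends only the subshell. An unexpected netmask octet thus yields a broken access-control entry instead of a visible failure. Send the message to stderr and return non-zero, `*) echo "Error: $dec is not recognised" >&2; return 1;;`, and have `write_interfaces_conf` write the `interface:`/`access-control:` pair only when the call succeeds. Separately, the script starts with `#!/bin/sh` but uses `function`, `<<<`, `let`, `$(<file)` and `&>`, so `#!/bin/bash` would state its real requirement.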
index ff775da..08a4e37 100644 (file)
@@ -31,7 +31,7 @@ SUID_PROGS = squidctrl sshctrl ipfirereboot \
        redctrl syslogdctrl extrahdctrl sambactrl upnpctrl \
        smartctrl clamavctrl addonctrl pakfire mpfirectrl wlanapctrl \
        setaliases urlfilterctrl updxlratorctrl fireinfoctrl rebuildroutes \
-       getconntracktable wirelessclient dnsmasqctrl torctrl ddnsctrl
+       getconntracktable wirelessclient torctrl ddnsctrl unboundctrl
 SUID_UPDX = updxsetperms
 
 OBJS = $(patsubst %,%.o,$(PROGS) $(SUID_PROGS))
similarity index 74%
rename from src/misc-progs/dnsmasqctrl.c
rename to src/misc-progs/unboundctrl.c
index 8ac3360..fea81c6 100644 (file)
@@ -19,14 +19,14 @@ int main(int argc, char *argv[]) {
                exit(1);
 
        if (argc < 2) {
-               fprintf(stderr, "\nNo argument given.\n\ndnsmasqctrl (restart)\n\n");
+               fprintf(stderr, "\nNo argument given.\n\nunboundctrl (restart)\n\n");
                exit(1);
        }
 
        if (strcmp(argv[1], "restart") == 0) {
-               safe_system("/etc/rc.d/init.d/dnsmasq restart");
+               safe_system("/etc/rc.d/init.d/unbound restart");
        } else {
-               fprintf(stderr, "\nBad argument given.\n\ndnsmasqctrl (restart)\n\n");
+               fprintf(stderr, "\nBad argument given.\n\nunboundctrl (restart)\n\n");
                exit(1);
        }
 
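Review bot: The result of `safe_system("/etc/rc.d/init.d/unbound restart")` in the `restart` branch is discarded, so a failed resolver restart looks like success to whatever invokes this setuid helper. Unless the part of `main` after this hunk already handles it, I would propagate the status (assuming `safe_system` returns the command's exit status), e.g. `if (safe_system("/etc/rc.d/init.d/unbound restart") != 0) exit(1);`. Accepting only the literal `restart` argument and passing a fixed command string is the right shape for a SUID wrapper; a short comment saying so, such as `/* only fixed commands: never pass argv[] into safe_system() */`, would help keep it that way if more actions are added later. `main` starts before and ends after this hunk.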
diff --git a/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch b/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch
deleted file mode 100644 (file)
index 97b7749..0000000
+++ /dev/null
@@ -1,363 +0,0 @@
---- a/src/cache.c      Wed Dec 16 19:24:12 2015
-+++ b/src/cache.c      Wed Dec 16 19:37:37 2015
-@@ -17,7 +17,7 @@
- #include "dnsmasq.h"
- static struct crec *cache_head = NULL, *cache_tail = NULL, **hash_table = NULL;
--#ifdef HAVE_DHCP
-+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
- static struct crec *dhcp_spare = NULL;
- #endif
- static struct crec *new_chain = NULL;
-@@ -217,6 +217,9 @@
-       crecp->flags &= ~F_BIGNAME;
-     }
-+  if (crecp->flags & F_DHCP)
-+    free(crecp->name.namep);
-+
- #ifdef HAVE_DNSSEC
-   cache_blockdata_free(crecp);
- #endif
-@@ -1138,7 +1141,7 @@
-   
- } 
--#ifdef HAVE_DHCP
-+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
- struct in_addr a_record_from_hosts(char *name, time_t now)
- {
-   struct crec *crecp = NULL;
-@@ -1281,7 +1284,11 @@
-       else
-       crec->ttd = ttd;
-       crec->addr.addr = *host_address;
-+#ifdef HAVE_ISC_READER
-+      crec->name.namep = strdup(host_name);
-+#else
-       crec->name.namep = host_name;
-+#endif
-       crec->uid = next_uid();
-       cache_hash(crec);
---- a/src/dnsmasq.c    Thu Jul 30 20:59:06 2015
-+++ b/src/dnsmasq.c    Wed Dec 16 19:38:32 2015
-@@ -1017,6 +1017,11 @@
-         poll_resolv(0, daemon->last_resolv != 0, now);          
-         daemon->last_resolv = now;
-+
-+#ifdef HAVE_ISC_READER
-+        if (daemon->lease_file && !daemon->dhcp)
-+          load_dhcp(now);
-+#endif
-       }
- #endif
---- a/src/dnsmasq.h    Wed Dec 16 19:24:12 2015
-+++ b/src/dnsmasq.h    Wed Dec 16 19:40:11 2015
-@@ -1516,6 +1516,11 @@
- void poll_listen(int fd, short event);
- int do_poll(int timeout);
-+/* isc.c */
-+#ifdef HAVE_ISC_READER
-+void load_dhcp(time_t now);
-+#endif
-+
- /* rrfilter.c */
- size_t rrfilter(struct dns_header *header, size_t plen, int mode);
- u16 *rrfilter_desc(int type);
- int expand_workspace(unsigned char ***wkspc, int *szp, int new);
--
---- /dev/null  Wed Dec 16 19:48:08 2015
-+++ b/src/isc.c        Wed Dec 16 19:41:35 2015
-@@ -0,0 +1,266 @@
-+/* dnsmasq is Copyright (c) 2014 John Volpe, Simon Kelley and
-+     Michael Tremer
-+
-+  This program is free software; you can redistribute it and/or modify
-+  it under the terms of the GNU General Public License as published by
-+  the Free Software Foundation; version 2 dated June, 1991, or
-+  (at your option) version 3 dated 29 June, 2007.
-+
-+  This program is distributed in the hope that it will be useful,
-+  but WITHOUT ANY WARRANTY; without even the implied warranty of
-+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-+  GNU General Public License for more details.
-+  
-+  You should have received a copy of the GNU General Public License
-+  along with this program.  If not, see <http://www.gnu.org/licenses/>.
-+
-+  Code in this file is based on contributions by John Volpe and
-+  Simon Kelley. Updated for recent versions of dnsmasq by
-+  Michael Tremer.
-+*/
-+
-+
-+#define _GNU_SOURCE
-+
-+#include <assert.h>
-+#include <stdio.h>
-+
-+#include "dnsmasq.h"
-+
-+#ifdef HAVE_ISC_READER
-+#define MAXTOK 50
-+
-+struct isc_dhcp_lease {
-+      char* name;
-+      char* fqdn;
-+      time_t expires;
-+      struct in_addr addr;
-+      struct isc_dhcp_lease* next;
-+};
-+
-+static struct isc_dhcp_lease* dhcp_lease_new(const char* hostname) {
-+      struct isc_dhcp_lease* lease = whine_malloc(sizeof(*lease));
-+       if (!lease)
-+               return NULL;
-+
-+      lease->name = strdup(hostname);
-+      if (daemon->domain_suffix) {
-+               int r = asprintf(&lease->fqdn, "%s.%s", hostname, daemon->domain_suffix);
-+
-+               // Handle OOM
-+               if (r < 0) {
-+                       free(lease);
-+                       return NULL;
-+               }
-+      }
-+      lease->expires = 0;
-+      lease->next = NULL;
-+
-+      return lease;
-+}
-+
-+static void dhcp_lease_free(struct isc_dhcp_lease* lease) {
-+      if (!lease)
-+              return;
-+
-+      if (lease->name)
-+              free(lease->name);
-+      if (lease->fqdn)
-+              free(lease->fqdn);
-+      free(lease);
-+}
-+
-+static int next_token(char* token, int buffsize, FILE* fp) {
-+      int c, count = 0;
-+      char* cp = token;
-+
-+      while ((c = getc(fp)) != EOF) {
-+              if (c == '#') {
-+                      do {
-+                              c = getc(fp);
-+                      } while (c != '\n' && c != EOF);
-+              }
-+
-+              if (c == ' ' || c == '\t' || c == '\n' || c == ';') {
-+                      if (count)
-+                              break;
-+              } else if ((c != '"') && (count < buffsize - 1)) {
-+                      *cp++ = c;
-+                      count++;
-+              }
-+      }
-+
-+      *cp = 0;
-+      return count ? 1 : 0;
-+}
-+
-+static long get_utc_offset() {
-+      time_t t = time(NULL);
-+      struct tm* time_struct = localtime(&t);
-+
-+      return time_struct->tm_gmtoff;
-+}
-+
-+static time_t parse_lease_time(const char* token_date, const char* token_time) {
-+      time_t time = (time_t)(-1);
-+      struct tm lease_time;
-+
-+      if (sscanf(token_date, "%d/%d/%d", &lease_time.tm_year, &lease_time.tm_mon, &lease_time.tm_mday) == 3) {
-+              lease_time.tm_year -= 1900;
-+              lease_time.tm_mon -= 1;
-+
-+              if (sscanf(token_time, "%d:%d:%d", &lease_time.tm_hour, &lease_time.tm_min, &lease_time.tm_sec) == 3) {
-+                      time = mktime(&lease_time) + get_utc_offset();
-+              }
-+      }
-+
-+      return time;
-+}
-+
-+static struct isc_dhcp_lease* find_lease(const char* hostname, struct isc_dhcp_lease* leases) {
-+      struct isc_dhcp_lease* lease = leases;
-+
-+      while (lease) {
-+              if (strcmp(hostname, lease->name) == 0) {
-+                      return lease;
-+              }
-+              lease = lease->next;
-+      }
-+
-+      return NULL;
-+}
-+
-+static off_t lease_file_size = (off_t)0;
-+static ino_t lease_file_inode = (ino_t)0;
-+
-+void load_dhcp(time_t now) {
-+      struct isc_dhcp_lease* leases = NULL;
-+
-+      struct stat statbuf;
-+      if (stat(daemon->lease_file, &statbuf) == -1) {
-+              return;
-+      }
-+
-+      /* Do nothing if the lease file has not changed. */
-+      if ((statbuf.st_size <= lease_file_size) && (statbuf.st_ino == lease_file_inode))
-+              return;
-+
-+      lease_file_size = statbuf.st_size;
-+      lease_file_inode = statbuf.st_ino;
-+
-+      FILE* fp = fopen(daemon->lease_file, "r");
-+      if (!fp) {
-+              my_syslog(LOG_ERR, _("failed to load %s:%s"), daemon->lease_file, strerror(errno));
-+              return;
-+      }
-+
-+      my_syslog(LOG_INFO, _("reading %s"), daemon->lease_file);
-+
-+      char* hostname = daemon->namebuff;
-+      struct in_addr host_address;
-+      time_t time_starts = -1;
-+      time_t time_ends = -1;
-+      int nomem;
-+
-+      char token[MAXTOK];
-+      while ((next_token(token, MAXTOK, fp))) {
-+              if (strcmp(token, "lease") == 0) {
-+                      hostname[0] = '\0';
-+
-+                      if (next_token(token, MAXTOK, fp) && ((host_address.s_addr = inet_addr(token)) != (in_addr_t)-1)) {
-+                              if (next_token(token, MAXTOK, fp) && *token == '{') {
-+                                      while (next_token(token, MAXTOK, fp) && *token != '}') {
-+                                              if ((strcmp(token, "client-hostname") == 0) || (strcmp(token, "hostname") == 0)) {
-+                                                      if (next_token(hostname, MAXDNAME, fp)) {
-+                                                              if (!canonicalise(hostname, &nomem)) {
-+                                                                      *hostname = 0;
-+                                                                      my_syslog(LOG_ERR, _("bad name in %s"), daemon->lease_file);
-+                                                              }
-+                                                      }
-+                                              } else if ((strcmp(token, "starts") == 0) || (strcmp(token, "ends") == 0)) {
-+                                                      char token_date[MAXTOK];
-+                                                      char token_time[MAXTOK];
-+
-+                                                      int is_starts = strcmp(token, "starts") == 0;
-+
-+                                                      // Throw away the weekday and parse the date.
-+                                                      if (next_token(token, MAXTOK, fp) && next_token(token_date, MAXTOK, fp) && next_token(token_time, MAXTOK, fp)) {
-+                                                              time_t time = parse_lease_time(token_date, token_time);
-+
-+                                                              if (is_starts)
-+                                                                      time_starts = time;
-+                                                              else
-+                                                                      time_ends = time;
-+                                                      }
-+                                              }
-+                                      }
-+
-+                                      if (!*hostname)
-+                                              continue;
-+
-+                                      if ((time_starts == -1) || (time_ends == -1))
-+                                              continue;
-+
-+                                      if (difftime(now, time_ends) > 0)
-+                                              continue;
-+
-+                                      char* dot = strchr(hostname, '.');
-+                                      if (dot) {
-+                                              if (!daemon->domain_suffix || hostname_isequal(dot + 1, daemon->domain_suffix)) {
-+                                                      my_syslog(LOG_WARNING,
-+                                                              _("Ignoring DHCP lease for %s because it has an illegal domain part"),
-+                                                              hostname);
-+                                                      continue;
-+                                              }
-+                                              *dot = 0;
-+                                      }
-+
-+                                      // Search for an existing lease in the list
-+                                      // with the given host name and update the data
-+                                      // if needed.
-+                                      struct isc_dhcp_lease* lease = find_lease(hostname, leases);
-+
-+                                      // If no lease already exists, we create a new one
-+                                      // and append it to the list.
-+                                      if (!lease) {
-+                                              lease = dhcp_lease_new(hostname);
-+                                              assert(lease);
-+
-+                                              lease->next = leases;
-+                                              leases = lease;
-+                                      }
-+
-+                                      // Only update more recent leases.
-+                                      if (lease->expires > time_ends)
-+                                              continue;
-+
-+                                      lease->addr = host_address;
-+                                      lease->expires = time_ends;
-+                              }
-+                      }
-+              }
-+      }
-+
-+      fclose(fp);
-+
-+      // Drop all entries.
-+      cache_unhash_dhcp();
-+
-+      while (leases) {
-+              struct isc_dhcp_lease *lease = leases;
-+              leases = lease->next;
-+
-+              if (lease->fqdn) {
-+                      cache_add_dhcp_entry(lease->fqdn, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires);
-+              }
-+
-+              if (lease->name) {
-+                      cache_add_dhcp_entry(lease->name, AF_INET, (struct all_addr*)&lease->addr.s_addr, lease->expires);
-+              }
-+
-+              // Cleanup
-+              dhcp_lease_free(lease);
-+      }
-+}
-+
-+#endif
---- a/src/option.c     Wed Dec 16 19:24:12 2015
-+++ b/src/option.c     Wed Dec 16 19:42:48 2015
-@@ -1771,7 +1771,7 @@
-       ret_err(_("bad MX target"));
-       break;
--#ifdef HAVE_DHCP      
-+#if (defined HAVE_DHCP) || (defined HAVE_ISC_READER)
-     case 'l':  /* --dhcp-leasefile */
-       daemon->lease_file = opt_string_alloc(arg);
-       break;
---- a/Makefile Wed Dec 16 19:24:12 2015
-+++ b/Makefile Wed Dec 16 19:28:45 2015
-@@ -74,7 +74,7 @@
-        helper.o tftp.o log.o conntrack.o dhcp6.o rfc3315.o \
-        dhcp-common.o outpacket.o radv.o slaac.o auth.o ipset.o \
-        domain.o dnssec.o blockdata.o tables.o loop.o inotify.o \
--       poll.o rrfilter.o edns0.o arp.o
-+       poll.o rrfilter.o edns0.o arp.o isc.o
- hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
-        dns-protocol.h radv-protocol.h ip6addr.h
diff --git a/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch b/src/patches/dnsmasq/001-Calculate_length_of_TFTP_error_reply_correctly.patch
deleted file mode 100644 (file)
index 43ac068..0000000
+++ /dev/null
@@ -1,65 +0,0 @@
-From 294d36df4749e01199ab220d44c170e7db2b0c05 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed, 6 Jul 2016 21:30:25 +0100
-Subject: [PATCH] Calculate length of TFTP error reply correctly.
-
----
- CHANGELOG  |   14 ++++++++++++++
- src/tftp.c |    7 +++++--
- 2 files changed, 19 insertions(+), 2 deletions(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 04ff3f0..0559a6f 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -1,3 +1,17 @@
-+version 2.77
-+          Calculate the length of TFTP error reply packet 
-+          correctly. This fixes a problem when the error 
-+          message in a TFTP packet exceeds the arbitrary 
-+          limit of 500 characters. The message was correctly
-+          truncated, but not the packet length, so 
-+          extra data was appended. This is a possible
-+          security risk, since the extra data comes from
-+          a buffer which is also used for DNS, so that
-+          previous DNS queries or replies may be leaked.
-+          Thanks to Mozilla for funding the security audit 
-+          which spotted this bug.
-+
-+
- version 2.76
-             Include 0.0.0.0/8 in DNS rebind checks. This range 
-           translates to hosts on  the local network, or, at 
-diff --git a/src/tftp.c b/src/tftp.c
-index 5e4a32a..3e1b5c5 100644
---- a/src/tftp.c
-+++ b/src/tftp.c
-@@ -652,20 +652,23 @@ static void sanitise(char *buf)
- }
-+#define MAXMESSAGE 500 /* limit to make packet < 512 bytes and definitely smaller than buffer */ 
- static ssize_t tftp_err(int err, char *packet, char *message, char *file)
- {
-   struct errmess {
-     unsigned short op, err;
-     char message[];
-   } *mess = (struct errmess *)packet;
--  ssize_t ret = 4;
-+  ssize_t len, ret = 4;
-   char *errstr = strerror(errno);
-   
-   sanitise(file);
-   mess->op = htons(OP_ERR);
-   mess->err = htons(err);
--  ret += (snprintf(mess->message, 500,  message, file, errstr) + 1);
-+  len = snprintf(mess->message, MAXMESSAGE,  message, file, errstr);
-+  ret += (len < MAXMESSAGE) ? len + 1 : MAXMESSAGE; /* include terminating zero */
-+  
-   my_syslog(MS_TFTP | LOG_ERR, "%s", mess->message);
-   
-   return  ret;
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch b/src/patches/dnsmasq/002-Zero_newly_malloc_ed_memory.patch
deleted file mode 100644 (file)
index b748db8..0000000
+++ /dev/null
@@ -1,36 +0,0 @@
-From d55f81f5fd53b1dfc2c4b3249b542f2d9679e236 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed, 6 Jul 2016 21:33:56 +0100
-Subject: [PATCH] Zero newly malloc'ed memory.
-
----
- src/util.c |    6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/src/util.c b/src/util.c
-index 93b24f5..82443c9 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -248,6 +248,8 @@ void *safe_malloc(size_t size)
-   
-   if (!ret)
-     die(_("could not get memory"), NULL, EC_NOMEM);
-+  else
-+    memset(ret, 0, size);
-      
-   return ret;
- }    
-@@ -266,7 +268,9 @@ void *whine_malloc(size_t size)
-   if (!ret)
-     my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
--
-+  else
-+    memset(ret, 0, size);
-+  
-   return ret;
- }
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/003-Check_return_of_expand_always.patch b/src/patches/dnsmasq/003-Check_return_of_expand_always.patch
deleted file mode 100644 (file)
index a69f4ce..0000000
+++ /dev/null
@@ -1,44 +0,0 @@
-From ce7845bf5429bd2962c9b2e7d75e2659f3b5c1a8 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Wed, 6 Jul 2016 21:42:27 +0100
-Subject: [PATCH] Check return of expand() always.
-
----
- src/radv.c  |    4 +++-
- src/slaac.c |    5 ++++-
- 2 files changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/radv.c b/src/radv.c
-index 749b666..faa0f6d 100644
---- a/src/radv.c
-+++ b/src/radv.c
-@@ -262,7 +262,9 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
-   parm.prio = calc_prio(ra_param);
-   
-   save_counter(0);
--  ra = expand(sizeof(struct ra_packet));
-+  
-+  if (!(ra = expand(sizeof(struct ra_packet))))
-+    return;
-   
-   ra->type = ND_ROUTER_ADVERT;
-   ra->code = 0;
-diff --git a/src/slaac.c b/src/slaac.c
-index 8034805..07b8ba4 100644
---- a/src/slaac.c
-+++ b/src/slaac.c
-@@ -147,7 +147,10 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
-           struct sockaddr_in6 addr;
-  
-           save_counter(0);
--          ping = expand(sizeof(struct ping_packet));
-+
-+          if (!(ping = expand(sizeof(struct ping_packet))))
-+            continue;
-+
-           ping->type = ICMP6_ECHO_REQUEST;
-           ping->code = 0;
-           ping->identifier = ping_id;
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch b/src/patches/dnsmasq/004-Fix_editing_error_on_man_page.patch
deleted file mode 100644 (file)
index f4d0d20..0000000
+++ /dev/null
@@ -1,40 +0,0 @@
-From 5874f3e9222397d82aabd9884d9bf5ce7e4109b0 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Sun, 10 Jul 2016 22:12:08 +0100
-Subject: [PATCH] Fix editing error on man page.
-
-Thanks to Eric Westbrook for spotting this.
----
- man/dnsmasq.8 |    9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index 0521534..bd8c0b3 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -1037,6 +1037,10 @@ is given, then read all the files contained in that directory. The advantage of
- using this option is the same as for --dhcp-hostsfile: the
- dhcp-optsfile will be re-read when dnsmasq receives SIGHUP. Note that
- it is possible to encode the information in a
-+.B --dhcp-boot
-+flag as DHCP options, using the options names bootfile-name,
-+server-ip-address and tftp-server. This allows these to be included
-+in a dhcp-optsfile.
- .TP
- .B --dhcp-hostsdir=<path>
- This is equivalent to dhcp-hostsfile, except for the following. The path MUST be a
-@@ -1048,11 +1052,6 @@ is restarted; ie host records are only added dynamically.
- .TP
- .B --dhcp-optsdir=<path>
- This is equivalent to dhcp-optsfile, with the differences noted for --dhcp-hostsdir.
--.TP
--.B --dhcp-boot
--flag as DHCP options, using the options names bootfile-name,
--server-ip-address and tftp-server. This allows these to be included
--in a dhcp-optsfile.
- .TP 
- .B \-Z, --read-ethers
- Read /etc/ethers for information about hosts for the DHCP server. The
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/005-Manpage_typo.patch b/src/patches/dnsmasq/005-Manpage_typo.patch
deleted file mode 100644 (file)
index 52f16de..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
-From 907efeb2dc712603271093bce8a93c7c3e6fe64d Mon Sep 17 00:00:00 2001
-From: Kristjan Onu <jeixav@gmail.com>
-Date: Sun, 10 Jul 2016 22:37:57 +0100
-Subject: [PATCH] Manpage typo.
-
----
- man/dnsmasq.8 |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index bd8c0b3..ac8d921 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -242,7 +242,7 @@ addresses associated with the interface.
- .B --local-service
- Accept DNS queries only from hosts whose address is on a local subnet,
- ie a subnet for which an interface exists on the server. This option
--only has effect is there are no --interface --except-interface,
-+only has effect if there are no --interface --except-interface,
- --listen-address or --auth-server options. It is intended to be set as
- a default on installation, to allow unconfigured installations to be
- useful but also safe from being used for DNS amplification attacks.
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch b/src/patches/dnsmasq/006-Fix_bad_behaviour_with_some_DHCP_option_arrangements.patch
deleted file mode 100644 (file)
index ec17115..0000000
+++ /dev/null
@@ -1,49 +0,0 @@
-From 591ed1e90503817938ccf5f127e677a8dd48b6d8 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 11 Jul 2016 18:18:42 +0100
-Subject: [PATCH] Fix bad behaviour with some DHCP option arrangements.
-
-The check that there's enough space to store the DHCP agent-id
-at the end of the packet could succeed when it should fail
-if the END option is in either of the oprion-overload areas.
-That could overwrite legit options in the request and cause
-bad behaviour. It's highly unlikely that any sane DHCP client
-would trigger this bug, and it's never been seen, but this
-fixes the problem.
-
-Also fix off-by-one in bounds checking of option processing.
-Worst case scenario on that is a read one byte beyond the
-end off a buffer with a crafted packet, and maybe therefore
-a SIGV crash if the memory after the buffer is not mapped.
-
-Thanks to Timothy Becker for spotting these.
----
- src/rfc2131.c |    5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/src/rfc2131.c b/src/rfc2131.c
-index b7c167e..8b99d4b 100644
---- a/src/rfc2131.c
-+++ b/src/rfc2131.c
-@@ -186,7 +186,8 @@ size_t dhcp_reply(struct dhcp_context *context, char *iface_name, int int_index,
-            be enough free space at the end of the packet to copy the option. */
-         unsigned char *sopt;
-         unsigned int total = option_len(opt) + 2;
--        unsigned char *last_opt = option_find(mess, sz, OPTION_END, 0);
-+        unsigned char *last_opt = option_find1(&mess->options[0] + sizeof(u32), ((unsigned char *)mess) + sz,
-+                                               OPTION_END, 0);
-         if (last_opt && last_opt < end - total)
-           {
-             end -= total;
-@@ -1606,7 +1607,7 @@ static unsigned char *option_find1(unsigned char *p, unsigned char *end, int opt
- {
-   while (1) 
-     {
--      if (p > end)
-+      if (p >= end)
-       return NULL;
-       else if (*p == OPTION_END)
-       return opt == OPTION_END ? p : NULL;
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch b/src/patches/dnsmasq/007-Fix_logic_error_in_Linux_netlink_code.patch
deleted file mode 100644 (file)
index 6a79eac..0000000
+++ /dev/null
@@ -1,55 +0,0 @@
-From 1d07667ac77c55b9de56b1b2c385167e0e0ec27a Mon Sep 17 00:00:00 2001
-From: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
-Date: Mon, 11 Jul 2016 18:36:05 +0100
-Subject: [PATCH] Fix logic error in Linux netlink code.
-
-This could cause dnsmasq to enter a tight loop on systems
-with a very large number of network interfaces.
----
- CHANGELOG     |    6 ++++++
- src/netlink.c |    8 +++++++-
- 2 files changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 0559a6f..59c9c49 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -11,6 +11,12 @@ version 2.77
-           Thanks to Mozilla for funding the security audit 
-           which spotted this bug.
-+          Fix logic error in Linux netlink code. This could
-+          cause dnsmasq to enter a tight loop on systems
-+          with a very large number of network interfaces.
-+          Thanks to Ivan Kokshaysky for the diagnosis and
-+          patch.
-+
- version 2.76
-             Include 0.0.0.0/8 in DNS rebind checks. This range 
-diff --git a/src/netlink.c b/src/netlink.c
-index 049247b..8cd51af 100644
---- a/src/netlink.c
-+++ b/src/netlink.c
-@@ -188,11 +188,17 @@ int iface_enumerate(int family, void *parm, int (*callback)())
-       }
-       for (h = (struct nlmsghdr *)iov.iov_base; NLMSG_OK(h, (size_t)len); h = NLMSG_NEXT(h, len))
--      if (h->nlmsg_seq != seq || h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
-+      if (h->nlmsg_pid != netlink_pid || h->nlmsg_type == NLMSG_ERROR)
-         {
-           /* May be multicast arriving async */
-           nl_async(h);
-         }
-+      else if (h->nlmsg_seq != seq)
-+        {
-+          /* May be part of incomplete response to previous request after
-+             ENOBUFS. Drop it. */
-+          continue;
-+        }
-       else if (h->nlmsg_type == NLMSG_DONE)
-         return callback_ok;
-       else if (h->nlmsg_type == RTM_NEWADDR && family != AF_UNSPEC && family != AF_LOCAL)
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch b/src/patches/dnsmasq/008-Fix_problem_with_--dnssec-timestamp.patch
deleted file mode 100644 (file)
index b32d17a..0000000
+++ /dev/null
@@ -1,93 +0,0 @@
-From 06093a9a845bb597005d892d5d1bc7859933ada4 Mon Sep 17 00:00:00 2001
-From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
-Date: Mon, 11 Jul 2016 21:03:27 +0100
-Subject: [PATCH] Fix problem with --dnssec-timestamp whereby receipt of
- SIGHUP would erroneously engage timestamp checking.
-
----
- CHANGELOG     |    4 ++++
- src/dnsmasq.c |    7 ++++---
- src/dnsmasq.h |    1 +
- src/dnssec.c  |    5 +++--
- 4 files changed, 12 insertions(+), 5 deletions(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 59c9c49..9f1e404 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -17,6 +17,10 @@ version 2.77
-           Thanks to Ivan Kokshaysky for the diagnosis and
-           patch.
-+          Fix problem with --dnssec-timestamp whereby receipt
-+            of SIGHUP would erroneously engage timestamp checking.
-+          Thanks to Kevin Darbyshire-Bryant for this work.
-+      
- version 2.76
-             Include 0.0.0.0/8 in DNS rebind checks. This range 
-diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index 045ec53..a47273f 100644
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -750,7 +750,8 @@ int main (int argc, char **argv)
-       
-       my_syslog(LOG_INFO, _("DNSSEC validation enabled"));
-       
--      if (option_bool(OPT_DNSSEC_TIME))
-+      daemon->dnssec_no_time_check = option_bool(OPT_DNSSEC_TIME);
-+      if (option_bool(OPT_DNSSEC_TIME) && !daemon->back_to_the_future)
-       my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload"));
-       
-       if (rc == 1)
-@@ -1226,10 +1227,10 @@ static void async_event(int pipe, time_t now)
-       {
-       case EVENT_RELOAD:
- #ifdef HAVE_DNSSEC
--      if (option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
-+      if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
-         {
-           my_syslog(LOG_INFO, _("now checking DNSSEC signature timestamps"));
--          reset_option_bool(OPT_DNSSEC_TIME);
-+          daemon->dnssec_no_time_check = 0;
-         } 
- #endif
-       /* fall through */
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 1896a64..be27ae0 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -992,6 +992,7 @@ extern struct daemon {
- #endif
- #ifdef HAVE_DNSSEC
-   struct ds_config *ds;
-+  int dnssec_no_time_check;
-   int back_to_the_future;
-   char *timestamp_file;
- #endif
-diff --git a/src/dnssec.c b/src/dnssec.c
-index 3c77c7d..64358fa 100644
---- a/src/dnssec.c
-+++ b/src/dnssec.c
-@@ -522,15 +522,16 @@ static int check_date_range(u32 date_start, u32 date_end)
-         if (utime(daemon->timestamp_file, NULL) != 0)
-           my_syslog(LOG_ERR, _("failed to update mtime on %s: %s"), daemon->timestamp_file, strerror(errno));
-         
-+        my_syslog(LOG_INFO, _("system time considered valid, now checking DNSSEC signature timestamps."));
-         daemon->back_to_the_future = 1;
--        set_option_bool(OPT_DNSSEC_TIME);
-+        daemon->dnssec_no_time_check = 0;
-         queue_event(EVENT_RELOAD); /* purge cache */
-       } 
-       if (daemon->back_to_the_future == 0)
-       return 1;
-     }
--  else if (option_bool(OPT_DNSSEC_TIME))
-+  else if (daemon->dnssec_no_time_check)
-     return 1;
-   
-   /* We must explicitly check against wanted values, because of SERIAL_UNDEF */
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch b/src/patches/dnsmasq/009-malloc_memset_calloc_for_efficiency.patch
deleted file mode 100644 (file)
index 0300853..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-From d6dce53e08b3a06be16d43e1bf566c6c1988e4a9 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Mon, 11 Jul 2016 21:34:31 +0100
-Subject: [PATCH] malloc(); memset()  -> calloc() for efficiency.
-
----
- src/util.c |   10 +++-------
- 1 file changed, 3 insertions(+), 7 deletions(-)
-
-diff --git a/src/util.c b/src/util.c
-index 82443c9..211690e 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -244,13 +244,11 @@ unsigned char *do_rfc1035_name(unsigned char *p, char *sval)
- /* for use during startup */
- void *safe_malloc(size_t size)
- {
--  void *ret = malloc(size);
-+  void *ret = calloc(1, size);
-   
-   if (!ret)
-     die(_("could not get memory"), NULL, EC_NOMEM);
--  else
--    memset(ret, 0, size);
--     
-+      
-   return ret;
- }    
-@@ -264,12 +262,10 @@ void safe_pipe(int *fd, int read_noblock)
- void *whine_malloc(size_t size)
- {
--  void *ret = malloc(size);
-+  void *ret = calloc(1, size);
-   if (!ret)
-     my_syslog(LOG_ERR, _("failed to allocate %d bytes"), (int) size);
--  else
--    memset(ret, 0, size);
-   
-   return ret;
- }
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch b/src/patches/dnsmasq/010-Zero_packet_buffers_before_building_output_to_reduce_risk_of_information_leakage.patch
deleted file mode 100644 (file)
index a8c10a4..0000000
+++ /dev/null
@@ -1,169 +0,0 @@
-From fa78573778cb23337f67f5d0c9de723169919047 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri, 22 Jul 2016 20:56:01 +0100
-Subject: [PATCH] Zero packet buffers before building output, to reduce risk
- of information leakage.
-
----
- src/auth.c      |    5 +++++
- src/dnsmasq.h   |    1 +
- src/outpacket.c |   10 ++++++++++
- src/radv.c      |    2 +-
- src/rfc1035.c   |    5 +++++
- src/rfc3315.c   |    6 +++---
- src/slaac.c     |    2 +-
- src/tftp.c      |    5 ++++-
- 8 files changed, 30 insertions(+), 6 deletions(-)
-
-diff --git a/src/auth.c b/src/auth.c
-index 198572d..3c5c37f 100644
---- a/src/auth.c
-+++ b/src/auth.c
-@@ -101,6 +101,11 @@ size_t answer_auth(struct dns_header *header, char *limit, size_t qlen, time_t n
-   struct all_addr addr;
-   struct cname *a;
-   
-+  /* Clear buffer beyond request to avoid risk of
-+     information disclosure. */
-+  memset(((char *)header) + qlen, 0, 
-+       (limit - ((char *)header)) - qlen);
-+  
-   if (ntohs(header->qdcount) == 0 || OPCODE(header) != QUERY )
-     return 0;
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index be27ae0..2bda5d0 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -1471,6 +1471,7 @@ void log_relay(int family, struct dhcp_relay *relay);
- /* outpacket.c */
- #ifdef HAVE_DHCP6
- void end_opt6(int container);
-+void reset_counter(void);
- int save_counter(int newval);
- void *expand(size_t headroom);
- int new_opt6(int opt);
-diff --git a/src/outpacket.c b/src/outpacket.c
-index a414efa..2caacd9 100644
---- a/src/outpacket.c
-+++ b/src/outpacket.c
-@@ -29,9 +29,19 @@ void end_opt6(int container)
-    PUTSHORT(len, p);
- }
-+void reset_counter(void)
-+{
-+  /* Clear out buffer when starting from begining */
-+  if (daemon->outpacket.iov_base)
-+    memset(daemon->outpacket.iov_base, 0, daemon->outpacket.iov_len);
-+ 
-+  save_counter(0);
-+}
-+
- int save_counter(int newval)
- {
-   int ret = outpacket_counter;
-+  
-   if (newval != -1)
-     outpacket_counter = newval;
-diff --git a/src/radv.c b/src/radv.c
-index faa0f6d..39c9217 100644
---- a/src/radv.c
-+++ b/src/radv.c
-@@ -261,7 +261,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
-   parm.adv_interval = calc_interval(ra_param);
-   parm.prio = calc_prio(ra_param);
-   
--  save_counter(0);
-+  reset_counter();
-   
-   if (!(ra = expand(sizeof(struct ra_packet))))
-     return;
-diff --git a/src/rfc1035.c b/src/rfc1035.c
-index 24d08c1..9e730a9 100644
---- a/src/rfc1035.c
-+++ b/src/rfc1035.c
-@@ -1209,6 +1209,11 @@ size_t answer_request(struct dns_header *header, char *limit, size_t qlen,
-   int nxdomain = 0, auth = 1, trunc = 0, sec_data = 1;
-   struct mx_srv_record *rec;
-   size_t len;
-+
-+  /* Clear buffer beyond request to avoid risk of
-+     information disclosure. */
-+  memset(((char *)header) + qlen, 0, 
-+       (limit - ((char *)header)) - qlen);
-   
-   if (ntohs(header->ancount) != 0 ||
-       ntohs(header->nscount) != 0 ||
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index 3f4d69c..e1271a1 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -89,7 +89,7 @@ unsigned short dhcp6_reply(struct dhcp_context *context, int interface, char *if
-   for (vendor = daemon->dhcp_vendors; vendor; vendor = vendor->next)
-     vendor->netid.next = &vendor->netid;
-   
--  save_counter(0);
-+  reset_counter();
-   state.context = context;
-   state.interface = interface;
-   state.iface_name = iface_name;
-@@ -2084,7 +2084,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
-   if (hopcount > 32)
-     return;
--  save_counter(0);
-+  reset_counter();
-   if ((header = put_opt6(NULL, 34)))
-     {
-@@ -2161,7 +2161,7 @@ unsigned short relay_reply6(struct sockaddr_in6 *peer, ssize_t sz, char *arrival
-       (!relay->interface || wildcard_match(relay->interface, arrival_interface)))
-       break;
-       
--  save_counter(0);
-+  reset_counter();
-   if (relay)
-     {
-diff --git a/src/slaac.c b/src/slaac.c
-index 07b8ba4..bd6c9b4 100644
---- a/src/slaac.c
-+++ b/src/slaac.c
-@@ -146,7 +146,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
-           struct ping_packet *ping;
-           struct sockaddr_in6 addr;
-  
--          save_counter(0);
-+          reset_counter();
-           if (!(ping = expand(sizeof(struct ping_packet))))
-             continue;
-diff --git a/src/tftp.c b/src/tftp.c
-index 3e1b5c5..618c406 100644
---- a/src/tftp.c
-+++ b/src/tftp.c
-@@ -662,8 +662,9 @@ static ssize_t tftp_err(int err, char *packet, char *message, char *file)
-   ssize_t len, ret = 4;
-   char *errstr = strerror(errno);
-   
-+  memset(packet, 0, daemon->packet_buff_sz);
-   sanitise(file);
--
-+  
-   mess->op = htons(OP_ERR);
-   mess->err = htons(err);
-   len = snprintf(mess->message, MAXMESSAGE,  message, file, errstr);
-@@ -684,6 +685,8 @@ static ssize_t tftp_err_oops(char *packet, char *file)
- /* return -1 for error, zero for done. */
- static ssize_t get_block(char *packet, struct tftp_transfer *transfer)
- {
-+  memset(packet, 0, daemon->packet_buff_sz);
-+  
-   if (transfer->block == 0)
-     {
-       /* send OACK */
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch b/src/patches/dnsmasq/011-Dont_reset_packet_length_on_transmission_in_case_of_retransmission.patch
deleted file mode 100644 (file)
index ab8ba28..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-From 6b1c464d6de3d7d2afc9b53afe78cda6d6e3316f Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri, 22 Jul 2016 20:59:16 +0100
-Subject: [PATCH] Don't reset packet length on transmission, in case of
- retransmission.
-
----
- src/radv.c    |    2 +-
- src/rfc3315.c |    2 +-
- src/slaac.c   |    2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/radv.c b/src/radv.c
-index 39c9217..ffc37f2 100644
---- a/src/radv.c
-+++ b/src/radv.c
-@@ -528,7 +528,7 @@ static void send_ra_alias(time_t now, int iface, char *iface_name, struct in6_ad
-     }
-   
-   while (retry_send(sendto(daemon->icmp6fd, daemon->outpacket.iov_base, 
--                         save_counter(0), 0, (struct sockaddr *)&addr, 
-+                         save_counter(-1), 0, (struct sockaddr *)&addr, 
-                          sizeof(addr))));
-   
- }
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index e1271a1..c7bf46f 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -2127,7 +2127,7 @@ void relay_upstream6(struct dhcp_relay *relay, ssize_t sz,
-               my_syslog(MS_DHCP | LOG_ERR, _("Cannot multicast to DHCPv6 server without correct interface"));
-           }
-               
--        send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(0), &to, &from, 0);
-+        send_from(daemon->dhcp6fd, 0, daemon->outpacket.iov_base, save_counter(-1), &to, &from, 0);
-         
-         if (option_bool(OPT_LOG_OPTS))
-           {
-diff --git a/src/slaac.c b/src/slaac.c
-index bd6c9b4..7ecf127 100644
---- a/src/slaac.c
-+++ b/src/slaac.c
-@@ -164,7 +164,7 @@ time_t periodic_slaac(time_t now, struct dhcp_lease *leases)
-           addr.sin6_port = htons(IPPROTO_ICMPV6);
-           addr.sin6_addr = slaac->addr;
-           
--          if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(0), 0,
-+          if (sendto(daemon->icmp6fd, daemon->outpacket.iov_base, save_counter(-1), 0,
-                      (struct sockaddr *)&addr,  sizeof(addr)) == -1 &&
-               errno == EHOSTUNREACH)
-             slaac->ping_time = 0; /* Give up */ 
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch b/src/patches/dnsmasq/012-Compile-time_check_on_buffer_sizes_for_leasefile_parsing_code.patch
deleted file mode 100644 (file)
index c71f470..0000000
+++ /dev/null
@@ -1,103 +0,0 @@
-From bf4e62c19e619f7edf8d03d58d33a5752f190bfd Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri, 22 Jul 2016 21:37:59 +0100
-Subject: [PATCH] Compile-time check on buffer sizes for leasefile parsing
- code.
-
----
- src/dhcp-common.c   |   16 ++++++++--------
- src/dhcp-protocol.h |    4 ++++
- src/lease.c         |    9 ++++++++-
- src/rfc3315.c       |    2 +-
- 4 files changed, 21 insertions(+), 10 deletions(-)
-
-diff --git a/src/dhcp-common.c b/src/dhcp-common.c
-index 08528e8..ecc752b 100644
---- a/src/dhcp-common.c
-+++ b/src/dhcp-common.c
-@@ -20,11 +20,11 @@
- void dhcp_common_init(void)
- {
--    /* These each hold a DHCP option max size 255
--       and get a terminating zero added */
--  daemon->dhcp_buff = safe_malloc(256);
--  daemon->dhcp_buff2 = safe_malloc(256); 
--  daemon->dhcp_buff3 = safe_malloc(256);
-+  /* These each hold a DHCP option max size 255
-+     and get a terminating zero added */
-+  daemon->dhcp_buff = safe_malloc(DHCP_BUFF_SZ);
-+  daemon->dhcp_buff2 = safe_malloc(DHCP_BUFF_SZ); 
-+  daemon->dhcp_buff3 = safe_malloc(DHCP_BUFF_SZ);
-   
-   /* dhcp_packet is used by v4 and v6, outpacket only by v6 
-      sizeof(struct dhcp_packet) is as good an initial size as any,
-@@ -855,14 +855,14 @@ void log_context(int family, struct dhcp_context *context)
-       if (context->flags & CONTEXT_RA_STATELESS)
-       {
-         if (context->flags & CONTEXT_TEMPLATE)
--          strncpy(daemon->dhcp_buff, context->template_interface, 256);
-+          strncpy(daemon->dhcp_buff, context->template_interface, DHCP_BUFF_SZ);
-         else
-           strcpy(daemon->dhcp_buff, daemon->addrbuff);
-       }
-       else 
- #endif
--      inet_ntop(family, start, daemon->dhcp_buff, 256);
--      inet_ntop(family, end, daemon->dhcp_buff3, 256);
-+      inet_ntop(family, start, daemon->dhcp_buff, DHCP_BUFF_SZ);
-+      inet_ntop(family, end, daemon->dhcp_buff3, DHCP_BUFF_SZ);
-       my_syslog(MS_DHCP | LOG_INFO, 
-               (context->flags & CONTEXT_RA_STATELESS) ? 
-               _("%s stateless on %s%.0s%.0s%s") :
-diff --git a/src/dhcp-protocol.h b/src/dhcp-protocol.h
-index a31d829..0ea449b 100644
---- a/src/dhcp-protocol.h
-+++ b/src/dhcp-protocol.h
-@@ -19,6 +19,10 @@
- #define DHCP_CLIENT_ALTPORT 1068
- #define PXE_PORT 4011
-+/* These each hold a DHCP option max size 255
-+   and get a terminating zero added */
-+#define DHCP_BUFF_SZ 256
-+
- #define BOOTREQUEST              1
- #define BOOTREPLY                2
- #define DHCP_COOKIE              0x63825363
-diff --git a/src/lease.c b/src/lease.c
-index 20cac90..ca62cc5 100644
---- a/src/lease.c
-+++ b/src/lease.c
-@@ -65,7 +65,14 @@ void lease_init(time_t now)
-     }
-   
-   /* client-id max length is 255 which is 255*2 digits + 254 colons 
--     borrow DNS packet buffer which is always larger than 1000 bytes */
-+     borrow DNS packet buffer which is always larger than 1000 bytes 
-+  
-+     Check various buffers are big enough for the code below */
-+
-+#if (DHCP_BUFF_SZ < 255) || (MAXDNAME < 64) || (PACKETSZ+MAXDNAME+RRFIXEDSZ  < 764)
-+# error Buffer size breakage in leasfile parsing. 
-+#endif
-+
-   if (leasestream)
-     while (fscanf(leasestream, "%255s %255s", daemon->dhcp_buff3, daemon->dhcp_buff2) == 2)
-       {
-diff --git a/src/rfc3315.c b/src/rfc3315.c
-index c7bf46f..568b0c8 100644
---- a/src/rfc3315.c
-+++ b/src/rfc3315.c
-@@ -1975,7 +1975,7 @@ static void log6_packet(struct state *state, char *type, struct in6_addr *addr,
-   if (addr)
-     {
--      inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, 255);
-+      inet_ntop(AF_INET6, addr, daemon->dhcp_buff2, DHCP_BUFF_SZ - 1);
-       strcat(daemon->dhcp_buff2, " ");
-     }
-   else
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch b/src/patches/dnsmasq/013-auth-zone_allow_to_exclude_ip_addresses_from_answer.patch
deleted file mode 100644 (file)
index bb5fe5d..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-From 094bfaeb4ff69cae99387bc2ea07ff57632c89f5 Mon Sep 17 00:00:00 2001
-From: Mathias Kresin <dev@kresin.me>
-Date: Sun, 24 Jul 2016 14:15:22 +0100
-Subject: [PATCH] auth-zone: allow to exclude ip addresses from answer.
-
----
- man/dnsmasq.8 |    6 +++++-
- src/auth.c    |   61 ++++++++++++++++++++++++++++++++++++---------------------
- src/dnsmasq.h |    1 +
- src/option.c  |   21 ++++++++++++++++++--
- 4 files changed, 64 insertions(+), 25 deletions(-)
-
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index ac8d921..8910947 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -739,7 +739,7 @@ a return code of SERVFAIL. Note that
- setting this may affect DNS behaviour in bad ways, it is not an
- extra-logging flag and should not be set in production.
- .TP
--.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....]]
-+.B --auth-zone=<domain>[,<subnet>[/<prefix length>][,<subnet>[/<prefix length>].....][,exclude:<subnet>[/<prefix length>]].....]
- Define a DNS zone for which dnsmasq acts as authoritative server. Locally defined DNS records which are in the domain
- will be served. If subnet(s) are given, A and AAAA records must be in one of the
- specified subnets.
-@@ -756,6 +756,10 @@ appear in the zone, but RFC1918 IPv4 addresses which should not.
- Interface-name and address-literal subnet specifications may be used
- freely in the same --auth-zone declaration.
-+It's possible to exclude certain IP addresses from responses. It can be
-+used, to make sure that answers contain only global routeable IP
-+addresses (by excluding loopback, RFC1918 and ULA addresses).
-+
- The subnet(s) are also used to define in-addr.arpa and
- ip6.arpa domains which are served for reverse-DNS queries. If not
- specified, the prefix length defaults to 24 for IPv4 and 64 for IPv6.
-diff --git a/src/auth.c b/src/auth.c
-index 3c5c37f..f1ca2f5 100644
---- a/src/auth.c
-+++ b/src/auth.c
-@@ -18,36 +18,53 @@
- #ifdef HAVE_AUTH
--static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
-+static struct addrlist *find_addrlist(struct addrlist *list, int flag, struct all_addr *addr_u)
- {
--  struct addrlist *subnet;
--
--  for (subnet = zone->subnet; subnet; subnet = subnet->next)
--    {
--      if (!(subnet->flags & ADDRLIST_IPV6))
--      {
--        struct in_addr netmask, addr = addr_u->addr.addr4;
--
--        if (!(flag & F_IPV4))
--          continue;
--        
--        netmask.s_addr = htonl(~(in_addr_t)0 << (32 - subnet->prefixlen));
--        
--        if  (is_same_net(addr, subnet->addr.addr.addr4, netmask))
--          return subnet;
--      }
-+  do {
-+    if (!(list->flags & ADDRLIST_IPV6))
-+      {
-+      struct in_addr netmask, addr = addr_u->addr.addr4;
-+      
-+      if (!(flag & F_IPV4))
-+        continue;
-+      
-+      netmask.s_addr = htonl(~(in_addr_t)0 << (32 - list->prefixlen));
-+      
-+      if  (is_same_net(addr, list->addr.addr.addr4, netmask))
-+        return list;
-+      }
- #ifdef HAVE_IPV6
--      else if (is_same_net6(&(addr_u->addr.addr6), &subnet->addr.addr.addr6, subnet->prefixlen))
--      return subnet;
-+    else if (is_same_net6(&(addr_u->addr.addr6), &list->addr.addr.addr6, list->prefixlen))
-+      return list;
- #endif
--
--    }
-+    
-+  } while ((list = list->next));
-+  
-   return NULL;
- }
-+static struct addrlist *find_subnet(struct auth_zone *zone, int flag, struct all_addr *addr_u)
-+{
-+  if (!zone->subnet)
-+    return NULL;
-+  
-+  return find_addrlist(zone->subnet, flag, addr_u);
-+}
-+
-+static struct addrlist *find_exclude(struct auth_zone *zone, int flag, struct all_addr *addr_u)
-+{
-+  if (!zone->exclude)
-+    return NULL;
-+  
-+  return find_addrlist(zone->exclude, flag, addr_u);
-+}
-+
- static int filter_zone(struct auth_zone *zone, int flag, struct all_addr *addr_u)
- {
--  /* No zones specified, no filter */
-+  if (find_exclude(zone, flag, addr_u))
-+    return 0;
-+
-+  /* No subnets specified, no filter */
-   if (!zone->subnet)
-     return 1;
-   
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 2bda5d0..27385a9 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -340,6 +340,7 @@ struct auth_zone {
-     struct auth_name_list *next;
-   } *interface_names;
-   struct addrlist *subnet;
-+  struct addrlist *exclude;
-   struct auth_zone *next;
- };
-diff --git a/src/option.c b/src/option.c
-index d8c57d6..6cedef3 100644
---- a/src/option.c
-+++ b/src/option.c
-@@ -1906,6 +1906,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
-       new = opt_malloc(sizeof(struct auth_zone));
-       new->domain = opt_string_alloc(arg);
-       new->subnet = NULL;
-+      new->exclude = NULL;
-       new->interface_names = NULL;
-       new->next = daemon->auth_zones;
-       daemon->auth_zones = new;
-@@ -1913,6 +1914,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
-       while ((arg = comma))
-         {
-           int prefixlen = 0;
-+          int is_exclude = 0;
-           char *prefix;
-           struct addrlist *subnet =  NULL;
-           struct all_addr addr;
-@@ -1923,6 +1925,12 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
-           if (prefix && !atoi_check(prefix, &prefixlen))
-             ret_err(gen_err);
-           
-+          if (strstr(arg, "exclude:") == arg)
-+            {
-+                  is_exclude = 1;
-+                  arg = arg+8;
-+            }
-+
-           if (inet_pton(AF_INET, arg, &addr.addr.addr4))
-             {
-               subnet = opt_malloc(sizeof(struct addrlist));
-@@ -1960,8 +1968,17 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
-           if (subnet)
-             {
-               subnet->addr = addr;
--              subnet->next = new->subnet;
--              new->subnet = subnet;
-+
-+              if (is_exclude)
-+                {
-+                  subnet->next = new->exclude;
-+                  new->exclude = subnet;
-+                }
-+              else
-+                {
-+                  subnet->next = new->subnet;
-+                  new->subnet = subnet;
-+                }
-             }
-         }
-       break;
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch b/src/patches/dnsmasq/014-Bump_auth_zone_serial_when_reloading_etc_hosts_and_friends.patch
deleted file mode 100644 (file)
index 054323b..0000000
+++ /dev/null
@@ -1,41 +0,0 @@
-From c8328ecde896575b3cb81cf537747df531f90771 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Fri, 5 Aug 2016 16:54:58 +0100
-Subject: [PATCH] Bump auth zone serial when reloading /etc/hosts and friends.
-
----
- CHANGELOG     |    4 ++++
- src/dnsmasq.c |    2 ++
- 2 files changed, 6 insertions(+)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 9f1e404..4f89799 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -20,6 +20,10 @@ version 2.77
-           Fix problem with --dnssec-timestamp whereby receipt
-             of SIGHUP would erroneously engage timestamp checking.
-           Thanks to Kevin Darbyshire-Bryant for this work.
-+
-+          Bump zone serial on reloading /etc/hosts and friends
-+          when providing authoritative DNS. Thanks to Harrald
-+          Dunkel for spotting this.
-       
- version 2.76
-diff --git a/src/dnsmasq.c b/src/dnsmasq.c
-index a47273f..3580bea 100644
---- a/src/dnsmasq.c
-+++ b/src/dnsmasq.c
-@@ -1226,6 +1226,8 @@ static void async_event(int pipe, time_t now)
-     switch (ev.event)
-       {
-       case EVENT_RELOAD:
-+      daemon->soa_sn++; /* Bump zone serial, as it may have changed. */
-+
- #ifdef HAVE_DNSSEC
-       if (daemon->dnssec_no_time_check && option_bool(OPT_DNSSEC_VALID) && option_bool(OPT_DNSSEC_TIME))
-         {
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch b/src/patches/dnsmasq/015-Handle_v4-mapped_IPv6_addresses_sanely_for_--synth-domain.patch
deleted file mode 100644 (file)
index 7ebef83..0000000
+++ /dev/null
@@ -1,101 +0,0 @@
-From 6d95099c56a926d672e0407d6017fef9714f40c4 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Thu, 11 Aug 2016 23:38:54 +0100
-Subject: [PATCH] Handle v4-mapped IPv6 addresses sanely for --synth-domain.
-
----
- CHANGELOG     |    7 ++++++-
- man/dnsmasq.8 |    2 ++
- src/domain.c  |   34 ++++++++++++++++++++++++----------
- 3 files changed, 32 insertions(+), 11 deletions(-)
-
-diff --git a/CHANGELOG b/CHANGELOG
-index 4f89799..2731cc4 100644
---- a/CHANGELOG
-+++ b/CHANGELOG
-@@ -24,7 +24,12 @@ version 2.77
-           Bump zone serial on reloading /etc/hosts and friends
-           when providing authoritative DNS. Thanks to Harrald
-           Dunkel for spotting this.
--      
-+
-+          Handle v4-mapped IPv6 addresses sanely in --synth-domain.
-+          These have standard representation like ::ffff:1.2.3.4
-+          and are now converted to names like
-+          <prefix>--ffff-1-2-3-4.<domain>
-+
- version 2.76
-             Include 0.0.0.0/8 in DNS rebind checks. This range 
-diff --git a/man/dnsmasq.8 b/man/dnsmasq.8
-index 8910947..91fe672 100644
---- a/man/dnsmasq.8
-+++ b/man/dnsmasq.8
-@@ -619,6 +619,8 @@ but IPv6 addresses may start with '::'
- but DNS labels may not start with '-' so in this case if no prefix is
- configured a zero is added in front of the label. ::1 becomes 0--1.
-+V4 mapped IPv6 addresses, which have a representation like ::ffff:1.2.3.4 are handled specially, and become like 0--ffff-1-2-3-4
-+
- The address range can be of the form
- <ip address>,<ip address> or <ip address>/<netmask>
- .TP
-diff --git a/src/domain.c b/src/domain.c
-index 1dd5027..a007acd 100644
---- a/src/domain.c
-+++ b/src/domain.c
-@@ -77,18 +77,31 @@ int is_name_synthetic(int flags, char *name, struct all_addr *addr)
-       
-       *p = 0; 
-       
--      /* swap . or : for - */
--      for (p = tail; *p; p++)
--      if (*p == '-')
--        {
--          if (prot == AF_INET)
-+ #ifdef HAVE_IPV6
-+      if (prot == AF_INET6 && strstr(tail, "--ffff-") == tail)
-+      {
-+        /* special hack for v4-mapped. */
-+        memcpy(tail, "::ffff:", 7);
-+        for (p = tail + 7; *p; p++)
-+          if (*p == '-')
-             *p = '.';
-+      }
-+      else
-+#endif
-+      {
-+        /* swap . or : for - */
-+        for (p = tail; *p; p++)
-+          if (*p == '-')
-+            {
-+              if (prot == AF_INET)
-+                *p = '.';
- #ifdef HAVE_IPV6
--          else
--            *p = ':';
-+              else
-+                *p = ':';
- #endif
--        }
--      
-+            }
-+      }
-+
-       if (hostname_isequal(c->domain, p+1) && inet_pton(prot, tail, addr))
-       {
-         if (prot == AF_INET)
-@@ -169,8 +182,9 @@ int is_rev_synth(int flag, struct all_addr *addr, char *name)
-          inet_ntop(AF_INET6, &addr->addr.addr6, name+1, ADDRSTRLEN);
-        }
-+       /* V4-mapped have periods.... */
-        for (p = name; *p; p++)
--       if (*p == ':')
-+       if (*p == ':' || *p == '.')
-          *p = '-';
-        strncat(name, ".", MAXDNAME);
--- 
-1.7.10.4
-
diff --git a/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch b/src/patches/dnsmasq/016-Refactor_openBSD_pftables_code_to_remove_blatant_copyright_violation.patch
deleted file mode 100644 (file)
index db27f90..0000000
+++ /dev/null
@@ -1,149 +0,0 @@
-From 396750cef533cf72c7e6a72e47a9c93e2e431cb7 Mon Sep 17 00:00:00 2001
-From: Simon Kelley <simon@thekelleys.org.uk>
-Date: Sat, 13 Aug 2016 22:34:11 +0100
-Subject: [PATCH] Refactor openBSD pftables code to remove blatant copyright
- violation.
-
----
- src/tables.c |   90 +++++++++++++++++++++-------------------------------------
- 1 file changed, 32 insertions(+), 58 deletions(-)
-
-diff --git a/src/tables.c b/src/tables.c
-index aae1252..4fa3487 100644
---- a/src/tables.c
-+++ b/src/tables.c
-@@ -53,52 +53,6 @@ static char *pfr_strerror(int errnum)
-     }
- }
--static int pfr_add_tables(struct pfr_table *tbl, int size, int *nadd, int flags)
--{
--  struct pfioc_table io;
--  
--  if (size < 0 || (size && tbl == NULL)) 
--    {
--      errno = EINVAL;
--      return (-1);
--    }
--  bzero(&io, sizeof io);
--  io.pfrio_flags = flags;
--  io.pfrio_buffer = tbl;
--  io.pfrio_esize = sizeof(*tbl);
--  io.pfrio_size = size;
--  if (ioctl(dev, DIOCRADDTABLES, &io))
--    return (-1);
--  if (nadd != NULL)
--    *nadd = io.pfrio_nadd;
--  return (0);
--}
--
--static int fill_addr(const struct all_addr *ipaddr, int flags, struct pfr_addr* addr) {
--  if ( !addr || !ipaddr)
--    {
--      my_syslog(LOG_ERR, _("error: fill_addr missused"));
--      return -1;
--    }
--  bzero(addr, sizeof(*addr));
--#ifdef HAVE_IPV6
--  if (flags & F_IPV6) 
--    {
--      addr->pfra_af = AF_INET6;
--      addr->pfra_net = 0x80;
--      memcpy(&(addr->pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr));
--    } 
--  else 
--#endif
--    {
--      addr->pfra_af = AF_INET;
--      addr->pfra_net = 0x20;
--      addr->pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr;
--    }
--  return 1;
--}
--
--/*****************************************************************************/
- void ipset_init(void) 
- {
-@@ -111,14 +65,13 @@ void ipset_init(void)
- }
- int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
--                    int flags, int remove)
-+               int flags, int remove)
- {
-   struct pfr_addr addr;
-   struct pfioc_table io;
-   struct pfr_table table;
--  int n = 0, rc = 0;
--  if ( dev == -1 ) 
-+  if (dev == -1) 
-     {
-       my_syslog(LOG_ERR, _("warning: no opened pf devices %s"), pf_device);
-       return -1;
-@@ -126,31 +79,52 @@ int add_to_ipset(const char *setname, const struct all_addr *ipaddr,
-   bzero(&table, sizeof(struct pfr_table));
-   table.pfrt_flags |= PFR_TFLAG_PERSIST;
--  if ( strlen(setname) >= PF_TABLE_NAME_SIZE )
-+  if (strlen(setname) >= PF_TABLE_NAME_SIZE)
-     {
-       my_syslog(LOG_ERR, _("error: cannot use table name %s"), setname);
-       errno = ENAMETOOLONG;
-       return -1;
-     }
-   
--  if ( strlcpy(table.pfrt_name, setname,
--               sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) 
-+  if (strlcpy(table.pfrt_name, setname,
-+            sizeof(table.pfrt_name)) >= sizeof(table.pfrt_name)) 
-     {
-       my_syslog(LOG_ERR, _("error: cannot strlcpy table name %s"), setname);
-       return -1;
-     }
-   
--  if ((rc = pfr_add_tables(&table, 1, &n, 0))) 
-+  bzero(&io, sizeof io);
-+  io.pfrio_flags = 0;
-+  io.pfrio_buffer = &table;
-+  io.pfrio_esize = sizeof(table);
-+  io.pfrio_size = 1;
-+  if (ioctl(dev, DIOCRADDTABLES, &io))
-     {
--      my_syslog(LOG_WARNING, _("warning: pfr_add_tables: %s(%d)"),
--              pfr_strerror(errno),rc);
-+      my_syslog(LOG_WARNING, _("IPset: error:%s"), pfr_strerror(errno));
-+      
-       return -1;
-     }
-+  
-   table.pfrt_flags &= ~PFR_TFLAG_PERSIST;
--  if (n)
-+  if (io.pfrio_nadd)
-     my_syslog(LOG_INFO, _("info: table created"));
--  
--  fill_addr(ipaddr,flags,&addr);
-+ 
-+  bzero(&addr, sizeof(addr));
-+#ifdef HAVE_IPV6
-+  if (flags & F_IPV6) 
-+    {
-+      addr.pfra_af = AF_INET6;
-+      addr.pfra_net = 0x80;
-+      memcpy(&(addr.pfra_ip6addr), &(ipaddr->addr), sizeof(struct in6_addr));
-+    } 
-+  else 
-+#endif
-+    {
-+      addr.pfra_af = AF_INET;
-+      addr.pfra_net = 0x20;
-+      addr.pfra_ip4addr.s_addr = ipaddr->addr.addr4.s_addr;
-+    }
-+
-   bzero(&io, sizeof(io));
-   io.pfrio_flags = 0;
-   io.pfrio_table = table;
--- 
-1.7.10.4
-