From e5f58910c522420511f793e84282343b2e6506a6 Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Tue, 10 Mar 2015 16:21:58 +0100 Subject: [PATCH] dnsmasq: Import more patches from upstream --- lfs/dnsmasq | 2 + ...6-New-version-of-contrib-reverse-dns.patch | 194 +++++++++++++++++ ...estamp-code-to-create-file-later-rem.patch | 202 ++++++++++++++++++ 3 files changed, 398 insertions(+) create mode 100644 src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch create mode 100644 src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch diff --git a/lfs/dnsmasq b/lfs/dnsmasq index c256f75b49..4bb7f9f0d1 100644 --- a/lfs/dnsmasq +++ b/lfs/dnsmasq @@ -128,6 +128,8 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0053-Log-parsing-utils-in-contrib-reverse-dns.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0054-Add-dnssec-timestamp-option-and-facility.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0055-Fix-last-commit-to-not-crash-if-uid-changing-not-con.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch + cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/dnsmasq-Add-support-to-read-ISC-DHCP-lease-file.patch cd $(DIR_APP) && sed -i src/config.h \ -e 's|/\* #define HAVE_IDN \*/|#define HAVE_IDN|g' \ diff --git a/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch new file mode 100644 index 0000000000..9a052152c2 --- /dev/null +++ b/src/patches/dnsmasq/0056-New-version-of-contrib-reverse-dns.patch @@ -0,0 +1,194 @@ +From 4c960fa90a975d20f75a1ecabd217247f1922c8f Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Wed, 4 Mar 2015 20:32:26 +0000 +Subject: [PATCH 56/57] New version of contrib/reverse-dns + +--- + contrib/reverse-dns/README | 22 +++--- + contrib/reverse-dns/reverse_replace.sh | 131 ++++++++++++++++++++++++++++----- + 2 files changed, 125 insertions(+), 28 deletions(-) + +diff --git a/contrib/reverse-dns/README b/contrib/reverse-dns/README +index f87eb77c4c22..2ec4df1f957e 100644 +--- a/contrib/reverse-dns/README ++++ b/contrib/reverse-dns/README +@@ -1,18 +1,18 @@ +-Hi. ++The script reads stdin and replaces all IP addresses with names before ++outputting it again. IPs from private networks are reverse looked up ++via dns. Other IP adresses are searched for in the dnsmasq query log. ++This gives names (CNAMEs if I understand DNS correctly) that are closer ++to the name the client originally asked for then the names obtained by ++reverse lookup. Just run + +-To translate my routers netstat-nat output into names that actually talk +-to me I have started writing to simple shell scripts. They require ++netstat -n -4 | ./reverse_replace.sh ++ ++to see what it does. It needs + + log-queries + log-facility=/var/log/dnsmasq.log + +-to be set. With +- +-netstat-nat -n -4 | reverse_replace.sh +- +-I get retranslated output. +- +-Sincerely, +-Joachim ++in the dnsmasq configuration. + ++The script runs on debian (with ash installed) and on busybox. + +diff --git a/contrib/reverse-dns/reverse_replace.sh b/contrib/reverse-dns/reverse_replace.sh +index a11c164b7f19..5b4aebd71456 100644 +--- a/contrib/reverse-dns/reverse_replace.sh ++++ b/contrib/reverse-dns/reverse_replace.sh +@@ -1,28 +1,125 @@ +-#!/bin/bash +-# $Id: reverse_replace.sh 4 2015-02-17 20:14:59Z jo $ ++#!/bin/ash ++# $Id: reverse_replace.sh 18 2015-03-01 16:12:35Z jo $ + # + # Usage e.g.: netstat -n -4 | reverse_replace.sh + # Parses stdin for IP4 addresses and replaces them +-# with names retrieved by reverse_dns.sh ++# with names retrieved by parsing the dnsmasq log. ++# This currently only gives CNAMEs. But these ++# usually tell ou more than the mones from reverse ++# lookups. ++# ++# This has been tested on debian and asuswrt. Plese ++# report successful tests on other platforms. ++# ++# Author: Joachim Zobel ++# License: Consider this MIT style licensed. You can ++# do as you ike, but you must not remove my name. + # + +-DIR=$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd ) +-DNS=$DIR/reverse_dns.sh ++LOG=/var/log/dnsmasq.log ++MAX_LINES=15000 + +-# sed regex ++# sed regex do match IPs + IP_regex='[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' ++# private IP ranges ++IP_private='\(^127\.\)\|\(^192\.168\.\)\|\(^10\.\)\|\(^172\.1[6-9]\.\)\|\(^172\.2[0-9]\.\)\|\(^172\.3[0-1]\.\)' + +-while read LINE; do +- if grep --quiet $IP_regex <<< "$LINE"; then +- IPs=`sed "s#.*\b\($IP_regex\)\b.*#\1 #g" <<< "$LINE"` +- IPs=($IPs) +- for IP in "${IPs[@]}" +- do +- NAME=`$DNS $IP` +- # echo "$NAME is $IP"; +- LINE="${LINE/$IP/$NAME}" +- done ++####################################################################### ++# Find Commands ++ ++HOST=nslookup ++if type host > /dev/null 2>&1; then ++ # echo "No need for nslookup, host is there" ++ HOST=host ++fi ++ ++####################################################################### ++# Functions ++ ++# Use shell variables for an (IP) lookup table ++create_lookup_table() ++{ ++ # Parse log into lookup table ++ local CMDS="$( tail -"$MAX_LINES" "$LOG" | \ ++ grep " is $IP_regex" | \ ++ sed "s#.* \([^ ]*\) is \($IP_regex\).*#set_val \2 \1;#" )" ++ ++ local IFS=' ++' ++ for CMD in $CMDS ++ do ++ eval $CMD ++ done ++} ++ ++set_val() ++{ ++ local _IP=$(echo $1 | tr . _) ++ local KEY="__IP__$_IP" ++ eval "$KEY"=$2 ++} ++ ++get_val() ++{ ++ local _IP=$(echo $1 | tr . _) ++ local KEY="__IP__$_IP" ++ eval echo -n '${'"$KEY"'}' ++} ++ ++dns_lookup() ++{ ++ local IP=$1 ++ ++ local RTN="$($HOST $IP | \ ++ sed 's#\s\+#\n#g' | \ ++ grep -v '^$' | \ ++ tail -1 | tr -d '\n' | \ ++ sed 's#\.$##')" ++ if echo $RTN | grep -q NXDOMAIN; then ++ echo -n $IP ++ else ++ echo -n "$RTN" ++ fi ++} ++ ++reverse_dns() ++{ ++ local IP=$1 ++ ++ # Skip if it is not an IP ++ if ! echo $IP | grep -q "^$IP_regex$"; then ++ echo -n $IP ++ return ++ fi ++ ++ # Do a dns lookup, if it is a local IP ++ if echo $IP | grep -q $IP_private; then ++ dns_lookup $IP ++ return + fi ++ ++ local NAME="$(get_val $IP)" ++ ++ if [ -z "$NAME" ]; then ++ echo -n $IP ++ else ++ echo -n $NAME ++ fi ++} ++ ++####################################################################### ++# Main ++create_lookup_table ++ ++while read LINE; do ++ for IP in $(echo "$LINE" | \ ++ sed "s#\b\($IP_regex\)\b#\n\1\n#g" | \ ++ grep $IP_regex) ++ do ++ NAME=`reverse_dns $IP ` ++ # echo "$NAME $IP" ++ LINE=`echo "$LINE" | sed "s#$IP#$NAME#" ` ++ done + echo $LINE +-done < /dev/stdin ++done + +-- +2.1.0 + diff --git a/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch new file mode 100644 index 0000000000..df47cd0e3a --- /dev/null +++ b/src/patches/dnsmasq/0057-Tweak-DNSSEC-timestamp-code-to-create-file-later-rem.patch @@ -0,0 +1,202 @@ +From 360f2513ab12a9bf1e262d388dd2ea8a566590a3 Mon Sep 17 00:00:00 2001 +From: Simon Kelley +Date: Sat, 7 Mar 2015 18:28:06 +0000 +Subject: [PATCH 57/57] Tweak DNSSEC timestamp code to create file later, + removing need to chown it. + +--- + man/dnsmasq.8 | 3 ++- + src/dnsmasq.c | 35 ++++++++++++++++++++++------------- + src/dnsmasq.h | 3 ++- + src/dnssec.c | 18 ++++++++++-------- + 4 files changed, 36 insertions(+), 23 deletions(-) + +diff --git a/man/dnsmasq.8 b/man/dnsmasq.8 +index 097e7d75145c..2db780d90987 100644 +--- a/man/dnsmasq.8 ++++ b/man/dnsmasq.8 +@@ -678,7 +678,8 @@ which have not been throughly checked. + Enables an alternative way of checking the validity of the system time for DNSSEC (see --dnssec-no-timecheck). In this case, the + system time is considered to be valid once it becomes later than the timestamp on the specified file. The file is created and + its timestamp set automatically by dnsmasq. The file must be stored on a persistent filesystem, so that it and its mtime are carried +-over system restarts. ++over system restarts. The timestamp file is created after dnsmasq has dropped root, so it must be in a location writable by the ++unprivileged user that dnsmasq runs as. + .TP + .B --proxy-dnssec + Copy the DNSSEC Authenticated Data bit from upstream servers to downstream clients and cache it. This is an +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 9e05c0e31569..f3e5bcffec4f 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -58,9 +58,6 @@ int main (int argc, char **argv) + struct dhcp_context *context; + struct dhcp_relay *relay; + #endif +-#ifdef HAVE_DNSSEC +- int badtime; +-#endif + + #ifdef LOCALEDIR + setlocale(LC_ALL, ""); +@@ -156,10 +153,10 @@ int main (int argc, char **argv) + { + #ifdef HAVE_DNSSEC + if (!daemon->ds) +- die(_("No trust anchors provided for DNSSEC"), NULL, EC_BADCONF); ++ die(_("no trust anchors provided for DNSSEC"), NULL, EC_BADCONF); + + if (daemon->cachesize < CACHESIZ) +- die(_("Cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); ++ die(_("cannot reduce cache size from default when DNSSEC enabled"), NULL, EC_BADCONF); + #else + die(_("DNSSEC not available: set HAVE_DNSSEC in src/config.h"), NULL, EC_BADCONF); + #endif +@@ -172,10 +169,10 @@ int main (int argc, char **argv) + + #ifdef HAVE_CONNTRACK + if (option_bool(OPT_CONNTRACK) && (daemon->query_port != 0 || daemon->osport)) +- die (_("Cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); ++ die (_("cannot use --conntrack AND --query-port"), NULL, EC_BADCONF); + #else + if (option_bool(OPT_CONNTRACK)) +- die(_("Conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF); ++ die(_("conntrack support not available: set HAVE_CONNTRACK in src/config.h"), NULL, EC_BADCONF); + #endif + + #ifdef HAVE_SOLARIS_NETWORK +@@ -195,7 +192,7 @@ int main (int argc, char **argv) + + #ifndef HAVE_LOOP + if (option_bool(OPT_LOOP_DETECT)) +- die(_("Loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); ++ die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); + #endif + + now = dnsmasq_time(); +@@ -373,10 +370,6 @@ int main (int argc, char **argv) + if (baduser) + die(_("unknown user or group: %s"), baduser, EC_BADCONF); + +-#ifdef HAVE_DNSSEC +- badtime = setup_timestamp(ent_pw); +-#endif +- + /* implement group defaults, "dip" if available, or group associated with uid */ + if (!daemon->group_set && !gp) + { +@@ -693,10 +686,23 @@ int main (int argc, char **argv) + #ifdef HAVE_DNSSEC + if (option_bool(OPT_DNSSEC_VALID)) + { ++ int rc; ++ ++ /* Delay creating the timestamp file until here, after we've changed user, so that ++ it has the correct owner to allow updating the mtime later. ++ This means we have to report fatal errors via the pipe. */ ++ if ((rc = setup_timestamp()) == -1) ++ { ++ send_event(err_pipe[1], EVENT_TIME_ERR, errno, daemon->timestamp_file); ++ _exit(0); ++ } ++ + my_syslog(LOG_INFO, _("DNSSEC validation enabled")); ++ + if (option_bool(OPT_DNSSEC_TIME)) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until first cache reload")); +- if (badtime) ++ ++ if (rc == 1) + my_syslog(LOG_INFO, _("DNSSEC signature timestamps not checked until system time valid")); + } + #endif +@@ -1170,6 +1176,9 @@ static void fatal_event(struct event_desc *ev, char *msg) + + case EVENT_TFTP_ERR: + die(_("TFTP directory %s inaccessible: %s"), msg, EC_FILE); ++ ++ case EVENT_TIME_ERR: ++ die(_("cannot create timestamp file %s: %s" ), msg, EC_BADCONF); + } + } + +diff --git a/src/dnsmasq.h b/src/dnsmasq.h +index a451cb4dd03c..fc7259881358 100644 +--- a/src/dnsmasq.h ++++ b/src/dnsmasq.h +@@ -167,6 +167,7 @@ struct event_desc { + #define EVENT_INIT 21 + #define EVENT_NEWADDR 22 + #define EVENT_NEWROUTE 23 ++#define EVENT_TIME_ERR 24 + + /* Exit codes. */ + #define EC_GOOD 0 +@@ -1152,7 +1153,7 @@ int dnssec_chase_cname(time_t now, struct dns_header *header, size_t plen, char + int dnskey_keytag(int alg, int flags, unsigned char *rdata, int rdlen); + size_t filter_rrsigs(struct dns_header *header, size_t plen); + unsigned char* hash_questions(struct dns_header *header, size_t plen, char *name); +-int setup_timestamp(struct passwd *ent_pw); ++int setup_timestamp(void); + + /* util.c */ + void rand_init(void); +diff --git a/src/dnssec.c b/src/dnssec.c +index c60eacf73c6b..ad0d6f072ba2 100644 +--- a/src/dnssec.c ++++ b/src/dnssec.c +@@ -397,18 +397,21 @@ static int serial_compare_32(unsigned long s1, unsigned long s2) + + /* Called at startup. If the timestamp file is configured and exists, put its mtime on + timestamp_time. If it doesn't exist, create it, and set the mtime to 1-1-2015. +- Change the ownership to the user we'll be running as, so that we can update the mtime. ++ return -1 -> Cannot create file. ++ 0 -> not using timestamp, or timestamp exists and is in past. ++ 1 -> timestamp exists and is in future. + */ ++ + static time_t timestamp_time; + static int back_to_the_future; + +-int setup_timestamp(struct passwd *ent_pw) ++int setup_timestamp(void) + { + struct stat statbuf; + + back_to_the_future = 0; + +- if (!option_bool(OPT_DNSSEC_VALID) || !daemon->timestamp_file) ++ if (!daemon->timestamp_file) + return 0; + + if (stat(daemon->timestamp_file, &statbuf) != -1) +@@ -428,7 +431,8 @@ int setup_timestamp(struct passwd *ent_pw) + + if (errno == ENOENT) + { +- int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK, 0666); ++ /* NB. for explanation of O_EXCL flag, see comment on pidfile in dnsmasq.c */ ++ int fd = open(daemon->timestamp_file, O_WRONLY | O_CREAT | O_NONBLOCK | O_EXCL, 0666); + if (fd != -1) + { + struct utimbuf timbuf; +@@ -436,14 +440,12 @@ int setup_timestamp(struct passwd *ent_pw) + close(fd); + + timestamp_time = timbuf.actime = timbuf.modtime = 1420070400; /* 1-1-2015 */ +- if (utime(daemon->timestamp_file, &timbuf) == 0 && +- (!ent_pw || getuid() != 0 || chown(daemon->timestamp_file, ent_pw->pw_uid, -1) == 0)) ++ if (utime(daemon->timestamp_file, &timbuf) == 0) + goto check_and_exit; + } + } + +- die(_("Cannot create timestamp file %s: %s" ), daemon->timestamp_file, EC_BADCONF); +- return 0; ++ return -1; + } + + /* Check whether today/now is between date_start and date_end */ +-- +2.1.0 + -- 2.39.2