git: f727ae28aad8 - main - dns/dnsmasq: pull in three more upstream fixes
Date: Sat, 11 Dec 2021 09:51:52 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=f727ae28aad85b8545ca5e2ee1752c006d63aa47
commit f727ae28aad85b8545ca5e2ee1752c006d63aa47
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2021-12-11 09:48:02 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2021-12-11 09:51:28 +0000
dns/dnsmasq: pull in three more upstream fixes
Cherry-pick these Git commits from the upstream:
--local should behave as --server, not as --address [...]
Fix confusion in DNS retries and --strict-order.
Fix confusion with log-IDs and DNS retries.
loosely prompted by Olivier's
PR: 260331
---
dns/dnsmasq/Makefile | 2 +-
...tch-zg-089a11f3400485f215f5e29c77e41d7730f2c806 | 36 ++++++++
...tch-zg-2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2 | 63 ++++++++++++++
...tch-zg-ed96efd865132dd9aa256c7873c6cdd5e985ee23 | 95 ++++++++++++++++++++++
4 files changed, 195 insertions(+), 1 deletion(-)
diff --git a/dns/dnsmasq/Makefile b/dns/dnsmasq/Makefile
index 844e485854c7..e1e27b455636 100644
--- a/dns/dnsmasq/Makefile
+++ b/dns/dnsmasq/Makefile
@@ -3,7 +3,7 @@
PORTNAME= dnsmasq
DISTVERSION= 2.86
# Leave the PORTREVISION in even if 0 to avoid accidental PORTEPOCH bumps:
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH= 1
CATEGORIES= dns
MASTER_SITES= https://www.thekelleys.org.uk/dnsmasq/ \
diff --git a/dns/dnsmasq/files/patch-zg-089a11f3400485f215f5e29c77e41d7730f2c806 b/dns/dnsmasq/files/patch-zg-089a11f3400485f215f5e29c77e41d7730f2c806
new file mode 100644
index 000000000000..5f9ec816b4b1
--- /dev/null
+++ b/dns/dnsmasq/files/patch-zg-089a11f3400485f215f5e29c77e41d7730f2c806
@@ -0,0 +1,36 @@
+From 089a11f3400485f215f5e29c77e41d7730f2c806 Mon Sep 17 00:00:00 2001
+From: DL6ER <dl6er@dl6er.de>
+Date: Tue, 5 Oct 2021 10:15:21 +0200
+Subject: [PATCH] --local should behave as --server, not as --address according
+ to the man page
+
+Signed-off-by: DL6ER <dl6er@dl6er.de>
+---
+ src/option.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/option.c b/src/option.c
+index 5307f01..dc1efd3 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -2758,7 +2758,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+
+ if (!arg || !*arg)
+ flags = SERV_LITERAL_ADDRESS;
+- else if (option != 'S')
++ else if (option == 'A')
+ {
+ /* # as literal address means return zero address for 4 and 6 */
+ if (strcmp(arg, "#") == 0)
+@@ -2790,7 +2790,7 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ flags &= ~SERV_FOR_NODOTS;
+
+ /* address=/#/ matches the same as without domain */
+- if (option != 'S' && domain[0] == '#' && domain[1] == 0)
++ if (option == 'A' && domain[0] == '#' && domain[1] == 0)
+ domain[0] = 0;
+ }
+
+--
+2.20.1
+
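Review bot: The two rewritten tests in one_opt(), `else if (option == 'A')` and `if (option == 'A' && domain[0] == '#' && domain[1] == 0)`, have no comment saying which options are now deliberately excluded, and the surrounding comments describe only the address case. The switch label that routes options into this code is outside both hunks, so a reader cannot tell from here that --local now takes the --server path. I would add above the first test something like `/* Only --address takes a literal address; --server and --local name an upstream server, as the man page says. */`. Per the patch subject, --local was previously handled like --address, so configurations that relied on that will presumably resolve differently after the upgrade and the change deserves a mention to users of the port.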
diff --git a/dns/dnsmasq/files/patch-zg-2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2 b/dns/dnsmasq/files/patch-zg-2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2
new file mode 100644
index 000000000000..7de1f6d44912
--- /dev/null
+++ b/dns/dnsmasq/files/patch-zg-2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2
@@ -0,0 +1,63 @@
+From 2561f9fe0eb9c0be1df48da1e2bd3d3feaa138c2 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Mon, 27 Sep 2021 22:37:02 +0100
+Subject: [PATCH] Fix confusion in DNS retries and --strict-order.
+
+Behaviour to stop infinite loops when all servers return REFUSED
+was wrongly activated on client retries, resulting in
+incorrect REFUSED replies to client retries.
+
+Thanks to Johannes Stezenbach for finding the problem.
+---
+ src/forward.c | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index b921168..ceecfcd 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -173,7 +173,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ unsigned int gotname = extract_request(header, plen, daemon->namebuff, NULL);
+ void *hash = hash_questions(header, plen, daemon->namebuff);
+ unsigned char *oph = find_pseudoheader(header, plen, NULL, NULL, NULL, NULL);
+- int old_src = 0;
++ int old_src = 0, old_reply = 0;
+ int first, last, start = 0;
+ int subnet, cacheable, forwarded = 0;
+ size_t edns0_len;
+@@ -199,7 +199,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ Similarly FREC_NO_CACHE is never set in flags, so a query which is
+ contigent on a particular source address EDNS0 option will never be matched. */
+ if (forward)
+- old_src = 1;
++ {
++ old_src = 1;
++ old_reply = 1;
++ }
+ else if ((forward = lookup_frec_by_query(hash, fwd_flags,
+ FREC_CHECKING_DISABLED | FREC_AD_QUESTION | FREC_DO_QUESTION |
+ FREC_HAS_PHEADER | FREC_DNSKEY_QUERY | FREC_DS_QUERY | FREC_NO_CACHE)))
+@@ -376,9 +379,18 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ /* In strict order mode, there must be a server later in the list
+ left to send to, otherwise without the forwardall mechanism,
+ code further on will cycle around the list forwever if they
+- all return REFUSED. If at the last, give up. */
++ all return REFUSED. If at the last, give up.
++ Note that we can get here EITHER because a client retried,
++ or an upstream server returned REFUSED. The above only
++ applied in the later case. For client retries,
++ keep tyring the last server.. */
+ if (++start == last)
+- goto reply;
++ {
++ if (old_reply)
++ goto reply;
++ else
++ start--;
++ }
+ }
+ }
+ }
+--
+2.20.1
+
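Review bot: In the strict-order block of forward_query(), the new code increments `start` inside the condition and then undoes it with `start--` for client retries, which is harder to follow than testing before moving the index. A form that never steps `start` past the last server is `if (start + 1 != last) start++; else if (old_reply) goto reply;`, which is equivalent provided nothing after the `reply` label reads `start`; that label is outside the hunk. `old_reply` is only ever set next to `old_src` in the `if (forward)` branch, so its declaration would benefit from a comment such as `/* set when we were entered for an upstream reply, not a client packet */`, which is my reading of the added comment and should be confirmed. In that added comment "later case" should read "latter case".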
diff --git a/dns/dnsmasq/files/patch-zg-ed96efd865132dd9aa256c7873c6cdd5e985ee23 b/dns/dnsmasq/files/patch-zg-ed96efd865132dd9aa256c7873c6cdd5e985ee23
new file mode 100644
index 000000000000..f042376ad019
--- /dev/null
+++ b/dns/dnsmasq/files/patch-zg-ed96efd865132dd9aa256c7873c6cdd5e985ee23
@@ -0,0 +1,95 @@
+From ed96efd865132dd9aa256c7873c6cdd5e985ee23 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 1 Dec 2021 16:34:41 +0000
+Subject: [PATCH] Fix confusion with log-IDs and DNS retries.
+
+The IDs logged when --log-queries=extra is in effect
+can be wrong in three cases.
+
+1) When query is retried in response to a a SERVFAIL or REFUSED
+answer from upstream. In this case the ID of an unrelated query will
+appear in the answer log lines.
+
+2) When the same query arrives from two clients. The query is
+sent upstream once, as designed, and the result returned to both clients,
+as designed, but the reply to the first client gets the log-ID of the
+second query in error.
+
+3) When a query arrives, is sent upstream, and the reply comes back,
+but the transaction is blocked awaiting a DNSSEC query needed to validate
+the reply. If the client retries the query in this state, the blocking
+DNSSEC query will be resent, as designed, but that send will be logged with
+the ID of the original, currently blocked, query.
+
+Thanks to Dominik Derigs for his analysis of this problem.
+---
+ src/forward.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+diff --git a/src/forward.c b/src/forward.c
+index 5c0173c..163da09 100644
+--- a/src/forward.c
++++ b/src/forward.c
+@@ -215,7 +215,11 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ break;
+
+ if (src)
+- old_src = 1;
++ {
++ old_src = 1;
++ /* If a query is retried, use the log_id for the retry when logging the answer. */
++ src->log_id = daemon->log_id;
++ }
+ else
+ {
+ /* Existing query, but from new source, just add this
+@@ -286,6 +290,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ goto reply;
+ /* table full - flags == 0, return REFUSED */
+
++ forward->frec_src.log_id = daemon->log_id;
+ forward->frec_src.source = *udpaddr;
+ forward->frec_src.orig_id = ntohs(header->id);
+ forward->frec_src.dest = *dst_addr;
+@@ -329,7 +334,6 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ }
+ else
+ {
+- /* retry on existing query, from original source. Send to all available servers */
+ #ifdef HAVE_DNSSEC
+ /* If we've already got an answer to this query, but we're awaiting keys for validation,
+ there's no point retrying the query, retry the key query instead...... */
+@@ -340,7 +344,10 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+
+ while (forward->blocking_query)
+ forward = forward->blocking_query;
+-
++
++ /* log_id should match previous DNSSEC query. */
++ daemon->log_display_id = forward->frec_src.log_id;
++
+ blockdata_retrieve(forward->stash, forward->stash_len, (void *)header);
+ plen = forward->stash_len;
+ /* get query for logging. */
+@@ -383,7 +390,7 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ Note that we can get here EITHER because a client retried,
+ or an upstream server returned REFUSED. The above only
+ applied in the later case. For client retries,
+- keep tyring the last server.. */
++ keep trying the last server.. */
+ if (++start == last)
+ {
+ if (old_reply)
+@@ -402,9 +409,6 @@ static int forward_query(int udpfd, union mysockaddr *udpaddr,
+ forward->flags |= FREC_TEST_PKTSZ;
+ }
+
+- /* If a query is retried, use the log_id for the retry when logging the answer. */
+- forward->frec_src.log_id = daemon->log_id;
+-
+ /* We may be resending a DNSSEC query here, for which the below processing is not necessary. */
+ if (!is_dnssec)
+ {
+--
+2.20.1
+
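Review bot: The assignment `daemon->log_display_id = forward->frec_src.log_id;` in the HAVE_DNSSEC branch of forward_query() runs after the `while (forward->blocking_query)` walk, so it takes the ID of the record at the end of the blocking chain. The one-line comment above it says neither that nor whether `log_display_id` is set back for later log lines belonging to the client's own query. These IDs are what an operator uses to tie a query to its answer when reading --log-queries=extra output, so I would spell it out, e.g. `/* forward now points at the blocking DNSSEC query: log the resend under that query's own ID, not the client's. */`. The same patch deletes the comment `retry on existing query, from original source. Send to all available servers` at the top of the `else` branch without replacing it, which leaves that branch undescribed. The rest of forward_query() is outside these hunks, so a reset of `log_display_id` may already exist there.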