pemensik pushed to dnsmasq (master). "Randomize ports"

Notification time stamped 2018-10-25 13:32:54 UTC From 8a0901a90e38fb504c3127b7ec382dbf546fda50 Mon Sep 17 00:00:00 2001 From: Petr Menšík <pemensik(a)redhat.com&gt; Date: Oct 24 2018 16:54:52 +0000 Subject: Randomize ports --- diff --git a/dnsmasq-2.79-randomize-ports.patch b/dnsmasq-2.79-randomize-ports.patch new file mode 100644 index 0000000..e37931b --- /dev/null +++ b/dnsmasq-2.79-randomize-ports.patch @@ -0,0 +1,87 @@ +From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com&gt; +Date: Thu, 9 Aug 2018 18:17:26 +0200 +Subject: [PATCH] Use OS random ports by default + +Unless max-port or min-port is given, let OS allocate random ports for +DNS queries. Randomize similar to --query-port=0, but for each query +separately. Would use port according to system policy. +--- + src/dnsmasq.c | 2 +- + src/network.c | 15 ++++++++++++--- + src/option.c | 4 +++- + 3 files changed, 16 insertions(+), 5 deletions(-) + +diff --git a/src/dnsmasq.c b/src/dnsmasq.c +index 9f6c020..4cd478e 100644 +--- a/src/dnsmasq.c ++++ b/src/dnsmasq.c +@@ -226,7 +226,7 @@ int main (int argc, char **argv) + die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF); + #endif + +- if (daemon->max_port < daemon->min_port) ++ if (daemon->max_port >= 0 && daemon->max_port < daemon->min_port) + die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF); + + now = dnsmasq_time(); +diff --git a/src/network.c b/src/network.c +index 0381513..9747d26 100644 +--- a/src/network.c ++++ b/src/network.c +@@ -1138,18 +1138,27 @@ int random_sock(int family) + if ((fd = socket(family, SOCK_DGRAM, 0)) != -1) + { + union mysockaddr addr; +- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; +- int tries = ports_avail < 30 ? 3 * ports_avail : 100; ++ unsigned short ports_avail = 0; ++ int tries = 100; ++ unsigned short port = 0; + + memset(&addr, 0, sizeof(addr)); + addr.sa.sa_family = family; + ++ if (daemon->max_port >= 0) ++ { ++ ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1; ++ if (ports_avail < 30) ++ tries = 3 * ports_avail; ++ } ++ + /* don't loop forever if all ports in use. */ + + if (fix_fd(fd)) + while(tries--) + { +- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail))); ++ if (ports_avail) ++ port = htons(daemon->min_port + (rand16() % ports_avail)); + + if (family == AF_INET) + { +diff --git a/src/option.c b/src/option.c +index d358d99..b7eaff0 100644 +--- a/src/option.c ++++ b/src/option.c +@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma + case LOPT_MINPORT: /* --min-port */ + if (!atoi_check16(arg, &daemon->min_port)) + ret_err(gen_err); ++ if (daemon->max_port < 0) ++ daemon->max_port = MAX_PORT; + break; + + case LOPT_MAXPORT: /* --max-port */ +@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts) + daemon->soa_refresh = SOA_REFRESH; + daemon->soa_retry = SOA_RETRY; + daemon->soa_expiry = SOA_EXPIRY; +- daemon->max_port = MAX_PORT; ++ daemon->max_port = -1; + daemon->min_port = MIN_PORT; + + #ifndef NO_ID +-- +2.14.4 + diff --git a/dnsmasq.spec b/dnsmasq.spec index f1a5a9f..3319fd7 100644 --- a/dnsmasq.spec +++ b/dnsmasq.spec @@ -13,7 +13,7 @@ Name: dnsmasq Version: 2.79 -Release: 7%{?extraversion:.%{extraversion}}%{?dist} +Release: 8%{?extraversion:.%{extraversion}}%{?dist} Summary: A lightweight DHCP/caching DNS server License: GPLv2 or GPLv3 @@ -26,6 +26,7 @@ Source2: dnsmasq-systemd-sysusers.conf Patch1: dnsmasq-2.77-underflow.patch Patch3: dnsmasq-2.78-fips.patch Patch4: dnsmasq-2.80-dnssec.patch +Patch5: dnsmasq-2.79-randomize-ports.patch # This is workaround to nettle bug #1549190 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190 @@ -63,6 +64,7 @@ server's leases. %patch1 -p1 -b .underflow %patch3 -p1 -b .fips %patch4 -p1 -b .dnssec +%patch5 -p1 -b .ports # use /var/lib/dnsmasq instead of /var/lib/misc for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do @@ -163,6 +165,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf %{_mandir}/man1/dhcp_* %changelog +* Thu Aug 09 2018 Petr Menšík <pemensik(a)redhat.com&gt; - 2.79-8 +- Better randomize ports + * Tue Jul 31 2018 Florian Weimer <fweimer(a)redhat.com&gt; - 2.79-7 - Rebuild with fixed binutils https://src.fedoraproject.org/rpms/dnsmasq/c/8a0901a90e38fb504c3127b7ec38...