[dnsmasq/f19] dnsmasq unit file cleanup
by Tomas Hozza
commit c925f9e48acabceb5418f2ce4d60b3a487edbbee
Author: Tomas Hozza <thozza(a)redhat.com>
Date: Tue Apr 30 17:24:27 2013 +0200
dnsmasq unit file cleanup
- drop forking Type and PIDfile and rather start dnsmasq with "-k" option
- drop After=syslog.target as this is the default
Signed-off-by: Tomas Hozza <thozza(a)redhat.com>
dnsmasq.service | 6 ++----
dnsmasq.spec | 7 ++++++-
2 files changed, 8 insertions(+), 5 deletions(-)
---
diff --git a/dnsmasq.service b/dnsmasq.service
index 8ecb7c8..07fa92e 100644
--- a/dnsmasq.service
+++ b/dnsmasq.service
@@ -1,11 +1,9 @@
[Unit]
Description=DNS caching server.
-After=syslog.target network.target
+After=network.target
[Service]
-Type=forking
-PIDFile=/var/run/dnsmasq.pid
-ExecStart=/usr/sbin/dnsmasq
+ExecStart=/usr/sbin/dnsmasq -k
[Install]
WantedBy=multi-user.target
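Review bot: Removing Type=forking leaves the unit at the default Type=simple, so systemd reports dnsmasq as active the moment it is exec'd, before port 53 is bound; any unit ordered After=dnsmasq.service can therefore race it. That is an acceptable trade for a foreground daemon started with -k, but it deserves a comment above ExecStart so a later editor does not reintroduce PIDFile= without also restoring Type=forking: `# -k keeps dnsmasq in the foreground; Type= is left at its default (simple)`.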
diff --git a/dnsmasq.spec b/dnsmasq.spec
index a49a3e2..f5f41cc 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -11,7 +11,7 @@
Name: dnsmasq
Version: 2.66
-Release: 4%{?extraversion}%{?dist}
+Release: 5%{?extraversion}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
@@ -164,6 +164,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/dhcp_*
%changelog
+* Tue Apr 30 2013 Tomas Hozza <thozza(a)redhat.com> - 2.66-5
+- dnsmasq unit file cleanup
+ - drop forking Type and PIDfile and rather start dnsmasq with "-k" option
+ - drop After syslog.target as this is by default
+
* Thu Apr 25 2013 Tomas Hozza <thozza(a)redhat.com> - 2.66-4
- include several fixes from upstream repo:
- Send TCP DNS messages in one packet
[dnsmasq/f17] dhcp6 support fixes (#867054)
by Tomas Hozza
commit 9a270ea0e2be7cbd027e7ffc7599cb8f8e87fcc2
Author: Tomas Hozza <thozza(a)redhat.com>
Date: Mon Nov 19 10:39:37 2012 +0100
dhcp6 support fixes (#867054)
dnsmasq-2.63-dhcp6-access-control.patch | 91 +++++++++++++++++++++++++++++++
dnsmasq-2.63-ip6-reuseaddr.patch | 36 ++++++++++++
dnsmasq.spec | 12 ++++-
3 files changed, 138 insertions(+), 1 deletions(-)
---
diff --git a/dnsmasq-2.63-dhcp6-access-control.patch b/dnsmasq-2.63-dhcp6-access-control.patch
new file mode 100644
index 0000000..87e900d
--- /dev/null
+++ b/dnsmasq-2.63-dhcp6-access-control.patch
@@ -0,0 +1,91 @@
+diff --git a/src/dhcp6.c b/src/dhcp6.c
+index 718a262..5525ca5 100644
+--- a/src/dhcp6.c
++++ b/src/dhcp6.c
+@@ -21,7 +21,7 @@
+ struct iface_param {
+ struct dhcp_context *current;
+ struct in6_addr fallback;
+- int ind;
++ int ind, addr_match;
+ };
+
+ static int complete_context6(struct in6_addr *local, int prefix,
+@@ -87,7 +87,6 @@ void dhcp6_packet(time_t now)
+ char control6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
+ } control_u;
+ struct sockaddr_in6 from;
+- struct all_addr dest;
+ ssize_t sz;
+ struct ifreq ifr;
+ struct iname *tmp;
+@@ -114,15 +113,15 @@ void dhcp6_packet(time_t now)
+ p.c = CMSG_DATA(cmptr);
+
+ if_index = p.p->ipi6_ifindex;
+- dest.addr.addr6 = p.p->ipi6_addr;
+ }
+
+ if (!indextoname(daemon->dhcp6fd, if_index, ifr.ifr_name))
+ return;
+
+- if (!iface_check(AF_INET6, (struct all_addr *)&dest, ifr.ifr_name))
+- return;
+-
++ for (tmp = daemon->if_except; tmp; tmp = tmp->next)
++ if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
++ return;
++
+ for (tmp = daemon->dhcp_except; tmp; tmp = tmp->next)
+ if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
+ return;
+@@ -136,11 +135,23 @@ void dhcp6_packet(time_t now)
+
+ parm.current = NULL;
+ parm.ind = if_index;
++ parm.addr_match = 0;
+ memset(&parm.fallback, 0, IN6ADDRSZ);
+
+ if (!iface_enumerate(AF_INET6, &parm, complete_context6))
+ return;
+
++ if (daemon->if_names || daemon->if_addrs)
++ {
++
++ for (tmp = daemon->if_names; tmp; tmp = tmp->next)
++ if (tmp->name && (strcmp(tmp->name, ifr.ifr_name) == 0))
++ break;
++
++ if (!tmp && !parm.addr_match)
++ return;
++ }
++
+ lease_prune(NULL, now); /* lose any expired leases */
+
+ port = dhcp6_reply(parm.current, if_index, ifr.ifr_name, &parm.fallback,
+@@ -167,15 +178,23 @@ static int complete_context6(struct in6_addr *local, int prefix,
+ {
+ struct dhcp_context *context;
+ struct iface_param *param = vparam;
+-
++ struct iname *tmp;
++
+ (void)scope; /* warning */
+ (void)dad;
+-
++
+ if (if_index == param->ind &&
+ !IN6_IS_ADDR_LOOPBACK(local) &&
+ !IN6_IS_ADDR_LINKLOCAL(local) &&
+ !IN6_IS_ADDR_MULTICAST(local))
+ {
++ /* if we have --listen-address config, see if the
++ arrival interface has a matching address. */
++ for (tmp = daemon->if_addrs; tmp; tmp = tmp->next)
++ if (tmp->addr.sa.sa_family == AF_INET6 &&
++ IN6_ARE_ADDR_EQUAL(&tmp->addr.in6.sin6_addr, local))
++ param->addr_match = 1;
++
+ /* Determine a globally address on the arrival interface, even
+ if we have no matching dhcp-context, because we're only
+ allocating on remote subnets via relays. This
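Review bot: The replacement for the removed iface_check() call no longer looks at the packet's destination address at all — `dest` and the `ipi6_addr` read are deleted — so with --listen-address configured a DHCPv6 packet is accepted whenever the arrival interface merely carries a matching address, not when the packet was sent to it; complete_context6 additionally skips link-local addresses before its if_addrs loop, so a link-local --listen-address can never set addr_match. If that relaxation is intended it should be stated next to the `if (!tmp && !parm.addr_match)` test, e.g. `/* accept if the interface is named by --interface, or holds a (non link-local) --listen-address; the destination address itself is not checked */`. Both dhcp6_packet and complete_context6 start and end outside this hunk, so the surrounding checks could not be reviewed here.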
diff --git a/dnsmasq-2.63-ip6-reuseaddr.patch b/dnsmasq-2.63-ip6-reuseaddr.patch
new file mode 100644
index 0000000..af2f043
--- /dev/null
+++ b/dnsmasq-2.63-ip6-reuseaddr.patch
@@ -0,0 +1,36 @@
+diff -urp dnsmasq-2.63-orig/src/dhcp6.c dnsmasq-2.63/src/dhcp6.c
+--- dnsmasq-2.63-orig/src/dhcp6.c 2012-08-16 09:04:05.000000000 -0400
++++ dnsmasq-2.63/src/dhcp6.c 2012-11-03 07:55:39.293006824 -0400
+@@ -36,15 +36,31 @@ void dhcp6_init(void)
+ #if defined(IPV6_TCLASS) && defined(IPTOS_CLASS_CS6)
+ int class = IPTOS_CLASS_CS6;
+ #endif
+-
++ int oneopt = 1;
++
+ if ((fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP)) == -1 ||
+ #if defined(IPV6_TCLASS) && defined(IPTOS_CLASS_CS6)
+ setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &class, sizeof(class)) == -1 ||
+ #endif
++ setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &oneopt, sizeof(oneopt)) == -1 ||
+ !fix_fd(fd) ||
+ !set_ipv6pktinfo(fd))
+ die (_("cannot create DHCPv6 socket: %s"), NULL, EC_BADNET);
+
++ /* When bind-interfaces is set, there might be more than one dnmsasq
++ instance binding port 547. That's OK if they serve different networks.
++ Need to set REUSEADDR to make this posible, or REUSEPORT on *BSD. */
++ if (option_bool(OPT_NOWILD) || option_bool(OPT_CLEVERBIND))
++ {
++#ifdef SO_REUSEPORT
++ int rc = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &oneopt, sizeof(oneopt));
++#else
++ int rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &oneopt, sizeof(oneopt));
++#endif
++ if (rc == -1)
++ die(_("failed to set SO_REUSE{ADDR|PORT} on DHCPv6 socket: %s"), NULL, EC_BADNET);
++ }
++
+ memset(&saddr, 0, sizeof(saddr));
+ #ifdef HAVE_SOCKADDR_SA_LEN
+ saddr.sin6_len = sizeof(struct sockaddr_in6);
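Review bot: Setting SO_REUSEADDR (or SO_REUSEPORT) on the DHCPv6 socket lets any other process with the privilege to bind port 547 share the same address and port, and on Linux datagrams may then be delivered to whichever UDP socket bound last; the new comment explains why the option is wanted but not why it is safe. Spell out the precondition it relies on, e.g. `/* Only safe because with bind-interfaces/bind-dynamic this socket is bound to specific addresses below, never the wildcard; a second instance on the same address would receive our traffic. */`, and confirm that the bind that follows this hunk never uses the wildcard on the OPT_NOWILD/OPT_CLEVERBIND path. The unconditional IPV6_V6ONLY setsockopt is a sensible tightening and needs no change. dhcp6_init continues past the end of the hunk.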
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 07d3e60..7360e78 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -11,7 +11,7 @@
Name: dnsmasq
Version: 2.63
-Release: 1%{?extraversion}%{?dist}
+Release: 2%{?extraversion}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
@@ -19,6 +19,10 @@ License: GPLv2
URL: http://www.thekelleys.org.uk/dnsmasq/
Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{version}%{?ex...
Source1: %{name}.service
+
+Patch0: dnsmasq-2.63-ip6-reuseaddr.patch
+Patch1: dnsmasq-2.63-dhcp6-access-control.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: dbus-devel
@@ -52,6 +56,9 @@ query/remove a DHCP server's leases.
%prep
%setup -q -n %{name}-%{version}%{?extraversion}
+%patch0 -p1 -b .ip6_reuseaddr
+%patch1 -p1 -b .dhcp6_access_ctrl
+
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
sed -i 's|/var/lib/misc/dnsmasq.leases|/var/lib/dnsmasq/dnsmasq.leases|g' "$file"
@@ -139,6 +146,9 @@ fi
%{_mandir}/man1/dhcp_*
%changelog
+* Mon Nov 19 2012 Tomas Hozza <thozza(a)redhat.com> - 2.63-2
+- dhcp6 support fixes (#867054)
+
* Sat Aug 23 2012 Douglas Schilling Landgraf <dougsland(a)redhat.com> - 2.63-1
- Use .tar.gz compression, in upstream site there is no .lzma anymore
- New version 2.63
[selinux-policy: 1384/3172] add dnsmasq, bug 1524
by Daniel J Walsh
commit 9e725d8a1a992a2c65dd9982ab73cf46c2aeb02b
Author: Chris PeBenito <cpebenito(a)tresys.com>
Date: Tue Apr 25 14:45:14 2006 +0000
add dnsmasq, bug 1524
refpolicy/Changelog | 1 +
refpolicy/policy/modules/services/dnsmasq.fc | 4 +
refpolicy/policy/modules/services/dnsmasq.if | 1 +
refpolicy/policy/modules/services/dnsmasq.te | 103 ++++++++++++++++++++++++++
4 files changed, 109 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index e7a3afb..db784da 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -44,6 +44,7 @@
courier
dante
dpkg (Erich Schubert)
+ dnsmasq
ethereal
evolution
games
diff --git a/refpolicy/policy/modules/services/dnsmasq.fc b/refpolicy/policy/modules/services/dnsmasq.fc
new file mode 100644
index 0000000..aa52c2c
--- /dev/null
+++ b/refpolicy/policy/modules/services/dnsmasq.fc
@@ -0,0 +1,4 @@
+/usr/sbin/dnsmasq -- gen_context(system_u:object_r:dnsmasq_exec_t,s0)
+
+/var/lib/misc/dnsmasq\.leases -- gen_context(system_u:object_r:dnsmasq_lease_t,s0)
+/var/run/dnsmasq\.pid -- gen_context(system_u:object_r:dnsmasq_var_run_t,s0)
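Review bot: The lease-file context matches only /var/lib/misc/dnsmasq.leases, whereas the Fedora spec elsewhere on this page rewrites the lease path to /var/lib/dnsmasq/dnsmasq.leases in %prep; a distribution doing that would end up with the lease file labelled by its parent directory rather than dnsmasq_lease_t unless it ships its own fc entry. If /var/lib/dnsmasq is meant to be a supported location, add `/var/lib/dnsmasq(/.*)? gen_context(system_u:object_r:dnsmasq_lease_t,s0)` beside the existing line; otherwise a short comment noting the upstream default path is assumed would help downstream packagers.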
diff --git a/refpolicy/policy/modules/services/dnsmasq.if b/refpolicy/policy/modules/services/dnsmasq.if
new file mode 100644
index 0000000..e5b0998
--- /dev/null
+++ b/refpolicy/policy/modules/services/dnsmasq.if
@@ -0,0 +1 @@
+## <summary>dnsmasq DNS forwarder and DHCP server</summary>
diff --git a/refpolicy/policy/modules/services/dnsmasq.te b/refpolicy/policy/modules/services/dnsmasq.te
new file mode 100644
index 0000000..afeb841
--- /dev/null
+++ b/refpolicy/policy/modules/services/dnsmasq.te
@@ -0,0 +1,103 @@
+
+policy_module(dnsmasq,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dnsmasq_t;
+type dnsmasq_exec_t;
+init_daemon_domain(dnsmasq_t,dnsmasq_exec_t)
+
+type dnsmasq_lease_t;
+files_type(dnsmasq_lease_t)
+
+type dnsmasq_var_run_t;
+files_pid_file(dnsmasq_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow dnsmasq_t self:capability { setgid setuid net_bind_service net_raw };
+dontaudit dnsmasq_t self:capability sys_tty_config;
+allow dnsmasq_t self:process signal_perms;
+allow dnsmasq_t self:tcp_socket create_stream_socket_perms;
+allow dnsmasq_t self:udp_socket create_socket_perms;
+allow dnsmasq_t self:packet_socket create_socket_perms;
+allow dnsmasq_t self:rawip_socket create_socket_perms;
+
+# dhcp leases
+allow dnsmasq_t dnsmasq_lease_t:file manage_file_perms;
+files_var_lib_filetrans(dnsmasq_t,dnsmasq_lease_t,file)
+
+allow dnsmasq_t dnsmasq_var_run_t:file create_file_perms;
+allow dnsmasq_t dnsmasq_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(dnsmasq_t,dnsmasq_var_run_t,file)
+
+kernel_read_kernel_sysctls(dnsmasq_t)
+kernel_list_proc(dnsmasq_t)
+kernel_read_proc_symlinks(dnsmasq_t)
+
+corenet_tcp_sendrecv_generic_if(dnsmasq_t)
+corenet_udp_sendrecv_generic_if(dnsmasq_t)
+corenet_raw_sendrecv_generic_if(dnsmasq_t)
+corenet_tcp_sendrecv_all_nodes(dnsmasq_t)
+corenet_udp_sendrecv_all_nodes(dnsmasq_t)
+corenet_raw_sendrecv_all_nodes(dnsmasq_t)
+corenet_tcp_sendrecv_all_ports(dnsmasq_t)
+corenet_udp_sendrecv_all_ports(dnsmasq_t)
+corenet_non_ipsec_sendrecv(dnsmasq_t)
+corenet_tcp_bind_all_nodes(dnsmasq_t)
+corenet_udp_bind_all_nodes(dnsmasq_t)
+corenet_tcp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_dns_port(dnsmasq_t)
+corenet_udp_bind_dhcpd_port(dnsmasq_t)
+
+dev_read_sysfs(dnsmasq_t)
+dev_read_urand(dnsmasq_t)
+
+domain_use_interactive_fds(dnsmasq_t)
+
+# allow access to dnsmasq.conf
+files_read_etc_files(dnsmasq_t)
+
+fs_getattr_all_fs(dnsmasq_t)
+fs_search_auto_mountpoints(dnsmasq_t)
+
+term_dontaudit_use_console(dnsmasq_t)
+
+init_use_fds(dnsmasq_t)
+init_use_script_ptys(dnsmasq_t)
+
+libs_use_ld_so(dnsmasq_t)
+libs_use_shared_libs(dnsmasq_t)
+
+logging_send_syslog_msg(dnsmasq_t)
+
+miscfiles_read_localization(dnsmasq_t)
+
+sysnet_read_config(dnsmasq_t)
+
+userdom_dontaudit_use_unpriv_user_fds(dnsmasq_t)
+userdom_dontaudit_search_sysadm_home_dirs(dnsmasq_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(dnsmasq_t)
+ term_dontaudit_use_generic_ptys(dnsmasq_t)
+ files_dontaudit_read_root_files(dnsmasq_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(dnsmasq_t)
+')
+
+optional_policy(`
+ seutil_sigchld_newrole(dnsmasq_t)
+')
+
+optional_policy(`
+ udev_read_db(dnsmasq_t)
+')
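Review bot: The local-policy block grants `net_raw`, `packet_socket` and `rawip_socket` to dnsmasq_t with no comment, and the corenet rules allow TCP and UDP send/receive on all ports, so a reader cannot tell from the file which dnsmasq behaviour requires each of them. Add a why-comment above `allow dnsmasq_t self:packet_socket create_socket_perms;` such as `# raw/packet sockets: presumably for DHCP replies to clients that have no IP address yet -- confirm against dnsmasq's DHCP code`, and consider whether `corenet_tcp_sendrecv_all_ports`/`corenet_udp_sendrecv_all_ports` can be narrowed to the dns and dhcpd ports once the ports dnsmasq actually uses are confirmed. The `files_var_lib_filetrans` rule assumes the lease file is created directly under a var_lib_t directory; that assumption is worth recording next to it as well.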
[libvirt/f17] Fix conflict with NM launched dnsmasq (bz #886663)
by Cole Robinson
commit d4e5211296a00a0cff32e1a1daaa025002add736
Author: Cole Robinson <crobinso(a)redhat.com>
Date: Sun Dec 16 14:45:50 2012 -0500
Fix conflict with NM launched dnsmasq (bz #886663)
...event-dnsmasq-from-listening-on-localhost.patch | 182 ++++++++++++++++++++
libvirt.spec | 8 +-
2 files changed, 189 insertions(+), 1 deletions(-)
---
diff --git a/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
new file mode 100644
index 0000000..ffc9d63
--- /dev/null
+++ b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
@@ -0,0 +1,182 @@
+From 9eb2b573253626c8c9329140d4ce2043863e417b Mon Sep 17 00:00:00 2001
+Message-Id: <9eb2b573253626c8c9329140d4ce2043863e417b.1355686333.git.crobinso(a)redhat.com>
+From: Laine Stump <laine(a)laine.org>
+Date: Thu, 13 Dec 2012 01:46:40 -0500
+Subject: [PATCH] network: prevent dnsmasq from listening on localhost
+
+This patch resolves the problem reported in:
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=886663
+
+The source of the problem was the fix for CVE 2011-3411:
+
+ https://bugzilla.redhat.com/show_bug.cgi?id=833033
+
+which was originally committed upstream in commit
+753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
+removed the "--except-interface lo" from dnsmasq commandlines when
+--bind-dynamic was used (based on comments in the latter bug).
+
+It turns out that the problem reported in the CVE could be eliminated
+without removing "--except-interface lo", and removing it actually
+caused each instance of dnsmasq to listen on localhost on port 53,
+which created a new problem:
+
+If another instance of dnsmasq using "bind-interfaces" (instead of
+"bind-dynamic") had already been started (or if another instance
+started later used "bind-dynamic"), this wouldn't have any immediately
+visible ill effects, but if you tried to start another dnsmasq
+instance using "bind-interfaces" *after* starting any libvirt
+networks, the new dnsmasq would fail to start, because there was
+already another process listening on port 53.
+
+This patch changes the network driver to *always* add
+"except-interface=lo" to dnsmasq conf files, regardless of whether we use
+bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
+are listening on localhost (and the CVE is still fixed).
+
+The actual code change is miniscule, but must be propogated through all
+of the test files as well.
+
+(This is *not* a cherry-pick of the upstream commit that fixes the bug
+(commit d66eb7866757dd371560c288dc6201fb9348792a), because subsequent
+to the CVE fix, another patch changed the network driver to put
+dnsmasq options in a conf file rather than directly on the dnsmasq
+commandline preserving the same options), so a cherry-pick is just one
+very large conflict.)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index 8010797..6053770 100644
+--- a/src/network/bridge_driver.c
++++ b/src/network/bridge_driver.c
+@@ -510,6 +510,9 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
+ /* *no* conf file */
+ virCommandAddArg(cmd, "--conf-file=");
+
++ /* dnsmasq will *always* listen on localhost unless told otherwise */
++ virCommandAddArgList(cmd, "--except-interface", "lo", NULL);
++
+ if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
+ /* using --bind-dynamic with only --interface (no
+ * --listen-address) prevents dnsmasq from responding to dns
+@@ -523,10 +526,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
+ "--interface", network->def->bridge,
+ NULL);
+ } else {
+- virCommandAddArgList(cmd,
+- "--bind-interfaces",
+- "--except-interface", "lo",
+- NULL);
++ virCommandAddArg(cmd, "--bind-interfaces");
+ /*
+ * --interface does not actually work with dnsmasq < 2.47,
+ * due to DAD for ipv6 addresses on the interface.
+diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
+index d629192..d91c730 100644
+--- a/tests/networkxml2argvdata/isolated-network.argv
++++ b/tests/networkxml2argvdata/isolated-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+ --listen-address 192.168.152.1 \
+ --dhcp-option=3 --no-resolv \
+ --dhcp-range 192.168.152.2,192.168.152.254 \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+index e5143ac..431e987 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+@@ -1,5 +1,5 @@
+ @DNSMASQ@ --strict-order --domain=example.com \
+ --local=/example.com/ --domain-needed \
+ --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
+diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+index c38b954..9c26f32 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+@@ -1,7 +1,7 @@
+ @DNSMASQ@ \
+ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+ --listen-address 192.168.122.1 \
+ --listen-address 192.168.123.1 \
+ --listen-address fc00:db8:ac10:fe01::1 \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+index 311b0d7..ff9c223 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+@@ -1,7 +1,7 @@
+ @DNSMASQ@ \
+ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --srv-host=name.tcp.test-domain-name,.,1024,10,10 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+index cbdf50d..2b133ff 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --txt-record=example,example value \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv
+index 967ca94..1a771d0 100644
+--- a/tests/networkxml2argvdata/nat-network.argv
++++ b/tests/networkxml2argvdata/nat-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+ --dhcp-lease-max=253 --dhcp-no-override \
+diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv
+index bcd6fad..9f8d114 100644
+--- a/tests/networkxml2argvdata/netboot-network.argv
++++ b/tests/networkxml2argvdata/netboot-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order --domain=example.com \
+ --local=/example.com/ --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo --listen-address 192.168.122.1 \
++--except-interface lo --bind-interfaces --listen-address 192.168.122.1 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
+ --dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \
+diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv
+index 8c5ef9b..90a31e2 100644
+--- a/tests/networkxml2argvdata/netboot-proxy-network.argv
++++ b/tests/networkxml2argvdata/netboot-proxy-network.argv
+@@ -1,6 +1,6 @@
+ @DNSMASQ@ --strict-order --domain=example.com \
+ --local=/example.com/ --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+ --listen-address 192.168.122.1 \
+ --dhcp-range 192.168.122.2,192.168.122.254 \
+ --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
+diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv
+index eacdf2d..862013e 100644
+--- a/tests/networkxml2argvdata/routed-network.argv
++++ b/tests/networkxml2argvdata/routed-network.argv
+@@ -1,3 +1,3 @@
+ @DNSMASQ@ --strict-order \
+ --local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr1\
++--except-interface lo --bind-dynamic --interface virbr1\
+--
+1.8.0.2
+
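Review bot: The embedded patch description cites "CVE 2011-3411" as the origin of the problem, while the spec changelog in this same commit cites CVE-2012-3411 for the dnsmasq open-proxy fix; the latter appears to be the intended identifier, so the description line should be corrected before this patch is archived in the package. The description also says the option is now added to dnsmasq conf files, whereas the backported code adds it to argv via `virCommandAddArgList(cmd, "--except-interface", "lo", NULL);`, which is what the updated .argv test expectations reflect; a one-line note that this backport predates the conf-file change would avoid confusion. networkBuildDnsmasqArgv starts and ends outside the hunk.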
diff --git a/libvirt.spec b/libvirt.spec
index 644c407..4d529fa 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -274,7 +274,7 @@
Summary: Library providing a simple virtualization API
Name: libvirt
Version: 0.9.11.8
-Release: 1%{?dist}%{?extra_release}
+Release: 2%{?dist}%{?extra_release}
License: LGPLv2+
Group: Development/Libraries
@@ -297,6 +297,8 @@ Patch4: libvirt-sanlock-readonly-option.patch
# Fix LXC domain startup with selinux=disabled (bz 858104)
# keep: non upstream fix that doesn't apply to git head
Patch5: libvirt-lxc-selinux-context-error.patch
+# Fix conflict with NM launched dnsmasq (bz 886663)
+Patch6: 0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
@@ -769,6 +771,7 @@ of recent versions of Linux (and other OSes).
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%build
%if ! %{with_xen}
@@ -1500,6 +1503,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
%endif
%changelog
+* Sun Dec 16 2012 Cole Robinson <crobinso(a)redhat.com> - 0.9.11.8-2
+- Fix conflict with NM launched dnsmasq (bz #886663)
+
* Sun Dec 09 2012 Cole Robinson <crobinso(a)redhat.com> - 0.9.11.8-1
- Rebased to version 0.9.11.8
- CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309)
pemensik pushed to dnsmasq (master). "Update to 2.77rc2"
by notifications@fedoraproject.org
From 389f40bfd59b1cb9bcb2efd448822ef7da900ccb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
Date: Thu, 11 May 2017 18:05:24 +0200
Subject: Update to 2.77rc2
---
.gitignore | 1 +
dnsmasq-2.76-dns-sleep-resume.patch | 104 -----------------------------
dnsmasq-2.76-libidn2.patch | 128 ------------------------------------
dnsmasq.spec | 30 +++------
sources | 2 +-
5 files changed, 12 insertions(+), 253 deletions(-)
delete mode 100644 dnsmasq-2.76-dns-sleep-resume.patch
delete mode 100644 dnsmasq-2.76-libidn2.patch
diff --git a/.gitignore b/.gitignore
index 2cde38c..bbb4928 100644
--- a/.gitignore
+++ b/.gitignore
@@ -23,3 +23,4 @@ dnsmasq-2.52.tar.lzma
/dnsmasq-2.72.tar.xz
/dnsmasq-2.75.tar.xz
/dnsmasq-2.76.tar.xz
+/dnsmasq-2.77rc2.tar.xz
diff --git a/dnsmasq-2.76-dns-sleep-resume.patch b/dnsmasq-2.76-dns-sleep-resume.patch
deleted file mode 100644
index ef4e920..0000000
--- a/dnsmasq-2.76-dns-sleep-resume.patch
+++ /dev/null
@@ -1,104 +0,0 @@
-diff --git a/src/dnsmasq.h b/src/dnsmasq.h
-index 1896a64..aa5ec84 100644
---- a/src/dnsmasq.h
-+++ b/src/dnsmasq.h
-@@ -487,6 +487,7 @@ struct serverfd {
- int fd;
- union mysockaddr source_addr;
- char interface[IF_NAMESIZE+1];
-+ unsigned int ifindex, used;
- struct serverfd *next;
- };
-
-diff --git a/src/network.c b/src/network.c
-index e7722fd..d87d08f 100644
---- a/src/network.c
-+++ b/src/network.c
-@@ -1204,6 +1204,7 @@ int local_bind(int fd, union mysockaddr *addr, char *intname, int is_tcp)
- static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
- {
- struct serverfd *sfd;
-+ unsigned int ifindex = 0;
- int errsave;
-
- /* when using random ports, servers which would otherwise use
-@@ -1224,11 +1225,15 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
- return NULL;
- #endif
- }
-+
-+ if (intname && strlen(intname) != 0)
-+ ifindex = if_nametoindex(intname); /* index == 0 when not binding to an interface */
-
- /* may have a suitable one already */
- for (sfd = daemon->sfds; sfd; sfd = sfd->next )
- if (sockaddr_isequal(&sfd->source_addr, addr) &&
-- strcmp(intname, sfd->interface) == 0)
-+ strcmp(intname, sfd->interface) == 0 &&
-+ ifindex == sfd->ifindex)
- return sfd;
-
- /* need to make a new one. */
-@@ -1250,11 +1255,13 @@ static struct serverfd *allocate_sfd(union mysockaddr *addr, char *intname)
- errno = errsave;
- return NULL;
- }
--
-+
- strcpy(sfd->interface, intname);
- sfd->source_addr = *addr;
- sfd->next = daemon->sfds;
-+ sfd->ifindex = ifindex;
- daemon->sfds = sfd;
-+
- return sfd;
- }
-
-@@ -1429,12 +1436,16 @@ void check_servers(void)
- {
- struct irec *iface;
- struct server *serv;
-+ struct serverfd *sfd, *tmp, **up;
- int port = 0, count;
-
- /* interface may be new since startup */
- if (!option_bool(OPT_NOWILD))
- enumerate_interfaces(0);
-
-+ for (sfd = daemon->sfds; sfd; sfd = sfd->next)
-+ sfd->used = 0;
-+
- #ifdef HAVE_DNSSEC
- /* Disable DNSSEC validation when using server=/domain/.... servers
- unless there's a configured trust anchor. */
-@@ -1505,6 +1516,9 @@ void check_servers(void)
- serv->flags |= SERV_MARK;
- continue;
- }
-+
-+ if (serv->sfd)
-+ serv->sfd->used = 1;
- }
-
- if (!(serv->flags & SERV_NO_REBIND) && !(serv->flags & SERV_LITERAL_ADDRESS))
-@@ -1547,6 +1561,20 @@ void check_servers(void)
- if (count - 1 > SERVERS_LOGGED)
- my_syslog(LOG_INFO, _("using %d more nameservers"), count - SERVERS_LOGGED - 1);
-
-+ /* Remove unused sfds */
-+ for (sfd = daemon->sfds, up = &daemon->sfds; sfd; sfd = tmp)
-+ {
-+ tmp = sfd->next;
-+ if (!sfd->used)
-+ {
-+ *up = sfd->next;
-+ close(sfd->fd);
-+ free(sfd);
-+ }
-+ else
-+ up = &sfd->next;
-+ }
-+
- cleanup_servers();
- }
-
diff --git a/dnsmasq-2.76-libidn2.patch b/dnsmasq-2.76-libidn2.patch
deleted file mode 100644
index 185ea46..0000000
--- a/dnsmasq-2.76-libidn2.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From 53ba1f8632b1fb09b5bf78e5bc355eebed2bc8b4 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
-Date: Tue, 9 May 2017 18:56:16 +0200
-Subject: [PATCH] Support for libidn2
-
----
- Makefile | 6 ++++--
- src/config.h | 10 +++++++++-
- src/util.c | 19 ++++++++++++++-----
- 3 files changed, 27 insertions(+), 8 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index dd0513b..eacf5d4 100644
---- a/Makefile
-+++ b/Makefile
-@@ -55,6 +55,8 @@ dbus_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG)
- dbus_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DBUS $(PKG_CONFIG) --libs dbus-1`
- idn_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --cflags libidn`
- idn_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_IDN $(PKG_CONFIG) --libs libidn`
-+idn2_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --cflags libidn2`
-+idn2_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LIBIDN2 $(PKG_CONFIG) --libs libidn2`
- ct_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --cflags libnetfilter_conntrack`
- ct_libs = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_CONNTRACK $(PKG_CONFIG) --libs libnetfilter_conntrack`
- lua_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --cflags lua5.1`
-@@ -82,8 +84,8 @@ hdrs = dnsmasq.h config.h dhcp-protocol.h dhcp6-protocol.h \
- all : $(BUILDDIR)
- @cd $(BUILDDIR) && $(MAKE) \
- top="$(top)" \
-- build_cflags="$(version) $(dbus_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
-- build_libs="$(dbus_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
-+ build_cflags="$(version) $(dbus_cflags) $(idn2_cflags) $(idn_cflags) $(ct_cflags) $(lua_cflags) $(nettle_cflags)" \
-+ build_libs="$(dbus_libs) $(idn2_libs) $(idn_libs) $(ct_libs) $(lua_libs) $(sunos_libs) $(nettle_libs) $(gmp_libs)" \
- -f $(top)/Makefile dnsmasq
-
- mostly_clean :
-diff --git a/src/config.h b/src/config.h
-index 80a50e1..c9e24e5 100644
---- a/src/config.h
-+++ b/src/config.h
-@@ -92,11 +92,14 @@ HAVE_DBUS
- servers via DBus.
-
- HAVE_IDN
-- define this if you want international domain name support.
-+ define this if you want international domain name 2003 support.
- NOTE: for backwards compatibility, IDN support is automatically
- included when internationalisation support is built, using the
- *-i18n makefile targets, even if HAVE_IDN is not explicitly set.
-
-+HAVE_LIBIDN2
-+ define this if you want international domain name 2008 support.
-+
- HAVE_CONNTRACK
- define this to include code which propogates conntrack marks from
- incoming DNS queries to the corresponding upstream queries. This adds
-@@ -173,6 +176,7 @@ RESOLVFILE
- /* #define HAVE_LUASCRIPT */
- /* #define HAVE_DBUS */
- /* #define HAVE_IDN */
-+/* #define HAVE_LIBIDN2 */
- /* #define HAVE_CONNTRACK */
- /* #define HAVE_DNSSEC */
-
-@@ -396,6 +400,10 @@ static char *compile_opts =
- "no-"
- #endif
- "IDN "
-+#if !defined(HAVE_LIBIDN2)
-+"no-"
-+#endif
-+"IDN2 "
- #ifndef HAVE_DHCP
- "no-"
- #endif
-diff --git a/src/util.c b/src/util.c
-index 93b24f5..0d3285f 100644
---- a/src/util.c
-+++ b/src/util.c
-@@ -24,7 +24,9 @@
- #include <sys/times.h>
- #endif
-
--#if defined(LOCALEDIR) || defined(HAVE_IDN)
-+#ifdef HAVE_LIBIDN2
-+#include <idn2.h>
-+#elif defined(LOCALEDIR) || defined(HAVE_IDN)
- #include <idna.h>
- #endif
-
-@@ -134,7 +136,7 @@ static int check_name(char *in)
- else if (isascii((unsigned char)c) && iscntrl((unsigned char)c))
- /* iscntrl only gives expected results for ascii */
- return 0;
--#if !defined(LOCALEDIR) && !defined(HAVE_IDN)
-+#if !defined(LOCALEDIR) && !defined(HAVE_IDN) && !defined(HAVE_LIBIDN2)
- else if (!isascii((unsigned char)c))
- return 0;
- #endif
-@@ -184,7 +186,7 @@ int legal_hostname(char *name)
- char *canonicalise(char *in, int *nomem)
- {
- char *ret = NULL;
--#if defined(LOCALEDIR) || defined(HAVE_IDN)
-+#if defined(LOCALEDIR) || defined(HAVE_IDN) || defined(HAVE_LIBIDN2)
- int rc;
- #endif
-
-@@ -194,8 +196,15 @@ char *canonicalise(char *in, int *nomem)
- if (!check_name(in))
- return NULL;
-
--#if defined(LOCALEDIR) || defined(HAVE_IDN)
-- if ((rc = idna_to_ascii_lz(in, &ret, 0)) != IDNA_SUCCESS)
-+#if defined(LOCALEDIR) || defined(HAVE_IDN) || defined(HAVE_LIBIDN2)
-+#ifdef HAVE_LIBIDN2
-+ rc = idn2_to_ascii_lz(in, &ret, IDN2_NONTRANSITIONAL);
-+ if (rc == IDN2_DISALLOWED)
-+ rc = idn2_to_ascii_lz(in, &ret, IDN2_TRANSITIONAL);
-+#else
-+ rc = idna_to_ascii_lz(in, &ret, 0);
-+#endif
-+ if (rc != IDNA_SUCCESS)
- {
- if (ret)
- free(ret);
---
-2.9.3
-
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 86520f5..dcd03fb 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -1,19 +1,19 @@
%define testrelease 0
-%define releasecandidate 0
+%define releasecandidate 2
%if 0%{testrelease}
%define extrapath test-releases/
- %define extraversion test16
+ %define extraversion test%{testrelease}
%endif
%if 0%{releasecandidate}
%define extrapath release-candidates/
- %define extraversion rc1
+ %define extraversion rc%{releasecandidate}
%endif
%define _hardened_build 1
Name: dnsmasq
-Version: 2.76
-Release: 4%{?dist}
+Version: 2.77
+Release: 1%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
Group: System Environment/Daemons
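Review bot: `Release: 1%{?extraversion:.%{extraversion}}%{?dist}` produces 2.77-1.rc2 for this build, and RPM orders 1.rc2 above a plain 1, so the eventual final 2.77-1 would not be treated as an upgrade over the release candidate. Pre-release builds conventionally carry a 0.N prefix, e.g. `Release: 0.1%{?extraversion:.%{extraversion}}%{?dist}`, with the first final release starting at 1; if the current scheme is kept, the final build must start at Release 2 or higher, which is worth a comment next to the line.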
@@ -22,11 +22,6 @@ URL: http://www.thekelleys.org.uk/dnsmasq/
Source0: http://www.thekelleys.org.uk/dnsmasq/%{?extrapath}%{name}-%{version}%{?ex...
Source1: %{name}.service
-# dns not updated after sleep and resume laptop
-# https://bugzilla.redhat.com/show_bug.cgi?id=1367772
-Patch0: dnsmasq-2.76-dns-sleep-resume.patch
-Patch1: dnsmasq-2.76-libidn2.patch
-
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: dbus-devel
@@ -60,8 +55,6 @@ query/remove a DHCP server's leases.
%prep
%setup -q -n %{name}-%{version}%{?extraversion}
-%patch0 -p1
-%patch1 -p1
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -71,14 +64,8 @@ done
# fix the path to the trust anchor
sed -i 's|%%%%PREFIX%%%%|%{_prefix}|' dnsmasq.conf.example
-#enable dbus
-sed -i 's|/\* #define HAVE_DBUS \*/|#define HAVE_DBUS|g' src/config.h
-
-#enable IDN support
-sed -i 's|/\* #define HAVE_LIBIDN2 \*/|#define HAVE_LIBIDN2|g' src/config.h
-
-#enable DNSSEC support
-sed -i 's|/\* #define HAVE_DNSSEC \*/|#define HAVE_DNSSEC|g' src/config.h
+# optional parts
+sed -i 's|^COPTS[[:space:]]*=|\0 -DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC|' Makefile
#enable /etc/dnsmasq.d fix bz 526703, ignore RPM backup files
cat << EOF >> dnsmasq.conf.example
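Review bot: The new `sed` under `# optional parts` silently does nothing if the `COPTS` assignment in the upstream Makefile is ever renamed or reformatted, and the build would then quietly ship without DBus, IDN2 and, more importantly, DNSSEC support; the config.h seds it replaces had the same weakness, but this hunk is where the mechanism changes. A post-check such as `grep -q -- '-DHAVE_DNSSEC' Makefile || exit 1` right after the sed, or passing the flags on the `make` command line as `COPTS="-DHAVE_DBUS -DHAVE_LIBIDN2 -DHAVE_DNSSEC"` instead of editing the file, makes the failure loud. Note also that `\0` in the replacement is a GNU sed extension; `&` is the portable spelling of the whole match.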
@@ -153,6 +140,9 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/dhcp_*
%changelog
+* Thu May 11 2017 Petr Menšík <pemensik(a)redhat.com> - 2.77-1
+- Update to 2.77rc2
+
* Thu May 11 2017 Petr Menšík <pemensik(a)redhat.com>
- Include dhcp_release6 tool and license in utils
- Support for IDN 2008 (#1449150)
diff --git a/sources b/sources
index 8f74da5..6d4d2fa 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-00f5ee66b4e4b7f14538bf62ae3c9461 dnsmasq-2.76.tar.xz
+SHA512 (dnsmasq-2.77rc2.tar.xz) = d9e5c723dd1de33d6d71194855c1987e9f0541f84663f1dc70bfafe2c6010df4acfc1db4969de70b1f0debbb5471bd97ad943e2f9a9ef507725939badab93a91
--
psklenar pushed to dnsmasq (main). "Adding tests to fedora"
by notifications@fedoraproject.org
Notification time stamped 2022-01-19 09:33:37 UTC
From a48d6743da2033af697342832595823e869f312b Mon Sep 17 00:00:00 2001
From: Petr Sklenar <psklenar(a)redhat.com>
Date: Jan 19 2022 09:33:23 +0000
Subject: Adding tests to fedora
---
diff --git a/Sanity/NetworkManager/main.fmf b/Sanity/NetworkManager/main.fmf
new file mode 100644
index 0000000..f96698a
--- /dev/null
+++ b/Sanity/NetworkManager/main.fmf
@@ -0,0 +1,27 @@
+summary: Runs tests from Network Manager related to dnsmasq
+description: ''
+contact: Petr Mensik <pemensik(a)redhat.com>
+component:
+ - dnsmasq
+test: ./runtest.sh
+framework: beakerlib
+recommend:
+ - dnsmasq
+ - git-core
+ - iw
+ - ethtool
+ - wireshark-cli
+ - NetworkManager
+ - NetworkManager-openvpn
+ - NetworkManager-ppp
+ - NetworkManager-pptp
+ - NetworkManager-tui
+ - NetworkManager-team
+ - NetworkManager-wifi
+ - NetworkManager-vpnc
+ - NetworkManager-strongswan
+ - NetworkManager-ppp
+duration: 15m
+extra-summary: /CoreOS/dnsmasq/Sanity/NetworkManager
+extra-task: /CoreOS/dnsmasq/Sanity/NetworkManager
+tier: '1'
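Review bot: `NetworkManager-ppp` is listed twice in `recommend:` (once near the top of the list and again as its last entry); the duplicate is harmless to the resolver but reads like a copy-paste slip, so drop the second one. The same applies to `bind-utils` in `Sanity/dnsmasq-2namespace-dig-check-open-ports/main.fmf` in this commit. In that second file `tag: - Tier2` and `tier: '1'` disagree, and its `extra-summary`/`extra-task` paths say `Regression` while the file lives under `Sanity`; aligning them keeps the test reported consistently.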
diff --git a/Sanity/NetworkManager/runtest.sh b/Sanity/NetworkManager/runtest.sh
new file mode 100755
index 0000000..f4a5a2f
--- /dev/null
+++ b/Sanity/NetworkManager/runtest.sh
@@ -0,0 +1,61 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/dnsmasq/Sanity/NetworkManager
+# Description: Runs tests from Network Manager related to dnsmasq
+# Author: Petr Mensik <pemensik(a)redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2019 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="dnsmasq"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ rlAssertRpm NetworkManager
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlRun "git clone https://github.com/NetworkManager/NetworkManager-ci"
+ rlRun "pushd NetworkManager-ci"
+ rlRun "git log -1" 0 "Show latest commit"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ if [ "$DEBUG" = y ]; then
+ rlLog "Running with full details on output"
+ rlRun "run/osci/run-tests dnsmasq" 0 "Running Network Managers test for dnsmasq"
+ else
+ rlRun "run/osci/run-tests dnsmasq >& $TmpDir/test.log" 0 "Running Network Managers test for dnsmasq"
+ fi
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlBundleLogs Artifacts /tmp/artifacts/*
+ rlFileSubmit test.log
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
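Review bot: The setup phase clones `NetworkManager-ci` at whatever its default branch currently points to and then executes `run/osci/run-tests` from that checkout, so the test runs unpinned third-party code fetched at run time and two runs against the same dnsmasq build can exercise different test code. Pin the checkout, e.g. `rlRun "git -C NetworkManager-ci checkout <PINNED_COMMIT>"` right after the clone, or at minimum add a comment stating that the `git log -1` line is what ties a result to the suite revision. Separately, in the `DEBUG=y` branch nothing writes `$TmpDir/test.log`, so the later `rlFileSubmit test.log` reports a missing file; tee the output in that branch as well or guard the submit.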
diff --git a/Sanity/dnsmasq-2namespace-dig-check-open-ports/main.fmf b/Sanity/dnsmasq-2namespace-dig-check-open-ports/main.fmf
new file mode 100644
index 0000000..f79c2b9
--- /dev/null
+++ b/Sanity/dnsmasq-2namespace-dig-check-open-ports/main.fmf
@@ -0,0 +1,27 @@
+summary: dnsmasq in running in 2 namespaces
+description: |
+ dnsmasq in running in 2 namespaces
+contact: Petr Sklenar <psklenar(a)redhat.com>
+component:
+ - dnsmasq
+test: ./runtest.sh
+framework: beakerlib
+recommend:
+ - dnsmasq
+ - bind-utils
+ - bind
+ - bind-utils
+ - tcpdump
+duration: 25m
+enabled: true
+tag:
+ - NoRHEL4
+ - NoRHEL5
+ - Tier2
+tier: '1'
+adjust:
+ - enabled: false
+ when: distro == rhel-4, rhel-5
+ continue: false
+extra-summary: /CoreOS/dnsmasq/Regression/dnsmasq-2namespace-dig-check-open-ports
+extra-task: /CoreOS/dnsmasq/Regression/dnsmasq-2namespace-dig-check-open-ports
diff --git a/Sanity/dnsmasq-2namespace-dig-check-open-ports/runtest.sh b/Sanity/dnsmasq-2namespace-dig-check-open-ports/runtest.sh
new file mode 100755
index 0000000..ea733d1
--- /dev/null
+++ b/Sanity/dnsmasq-2namespace-dig-check-open-ports/runtest.sh
@@ -0,0 +1,128 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/dnsmasq/Regression/dnsmasq-2namespace-dig-check-open-ports
+# Description: dnsmasq-2namespace-dig-check-open-ports
+# Author: Petr Sklenar <psklenar(a)redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2020 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="dnsmasq"
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+#to debug when running on one machine again and again
+ps aux | grep -ie dnsmasq | awk '{print "kill -9 " $2}'
+ps aux | grep -ie tcpdump | awk '{print "kill -9 " $2}'
+ps aux | grep -ie dig | awk '{print "kill -9 " $2}'
+ rlPhaseEnd
+
+ rlPhaseStartSetup "namespace"
+# TODO: use rlImport kernel/network or move it to separate library
+# Similar code is already prepared for both IPv4 and IPv6
+IPV6_PREFIX=fc7a:5313:5f5a # /48
+ip link add veth0 type veth peer name veth1
+
+ip netns add vnet0
+ip link set veth0 netns vnet0
+ip -n vnet0 addr add 10.0.1.0/24 dev veth0
+ip -n vnet0 addr add $IPV6_PREFIX:1::/64 dev veth0
+ip -n vnet0 link set veth0 up
+ip -n vnet0 link set lo up
+
+ip netns add vnet1
+ip link set veth1 netns vnet1
+ip -n vnet1 addr add 10.0.2.0/24 dev veth1
+ip -n vnet1 addr add $IPV6_PREFIX:2::/64 dev veth1
+ip -n vnet1 link set veth1 up
+ip -n vnet1 link set lo up
+
+ip -n vnet0 route add 10.0.2.0/24 dev veth0
+ip -n vnet0 route add $IPV6_PREFIX:2::/64 dev veth0
+ip -n vnet1 route add 10.0.1.0/24 dev veth1
+ip -n vnet1 route add $IPV6_PREFIX:1::/64 dev veth1
+
+ rlRun "ip netns exec vnet0 ping -c10 10.0.2.0 -c2"
+ rlRun "ip netns exec vnet1 ping -c10 10.0.1.0 -c2"
+ rlRun "ip netns exec vnet0 ping6 -c10 $IPV6_PREFIX:2:: -c2"
+ rlRun "ip netns exec vnet1 ping6 -c10 $IPV6_PREFIX:1:: -c2"
+ rlPhaseEnd
+
+ rlPhaseStartTest "run dnsmasq"
+ echo -n > dnsmasq-auth.log
+ echo -n > dnsmasq-rec.log
+ rlRun "ip netns exec vnet1 dnsmasq --no-daemon --except-interface=lo --listen-address=10.0.2.0 --bind-interfaces --address=/localhost/127.0.0.1 --no-resolv --log-facility=./dnsmasq-auth.log --pid-file=./dnsmasq-auth.pid &"
+ DNSMASQ_AUTH=$!
+ rlRun "ip netns exec vnet0 dnsmasq --no-daemon --except-interface=lo --listen-address=10.0.1.0 --server=10.0.2.0@veth0 --bind-interfaces --no-resolv --log-queries --log-facility=./dnsmasq-rec.log --pid-file=./dnsmasq-rec.pid &"
+ DNSMASQ_REC=$!
+ sleep 5
+ rlRun "ps u $DNSMASQ_AUTH" 0 "Check authoritative server is running"
+ rlRun "ps u $DNSMASQ_REC" 0 "Check recursive server is running"
+ rlRun "ip netns exec vnet0 dig @10.0.2.0 localhost"
+ rlPhaseEnd
+
+ rlPhaseStartTest "tcpdump in vnet0"
+ rlRun "ip netns exec vnet0 tcpdump -w dns.pcap -i veth0 port domain &"
+ sleep 10
+ TCPDUMP_FWD=$!
+ rlRun "pgrep tcpdump"
+
+ rlPhaseEnd
+
+ rlPhaseStartTest "dig from vnet1 to 10.0.1.0 which is vnet0"
+ for H in test{1..20}.localhost; do
+ ip netns exec vnet0 dig +timeout=2 +short @10.0.1.0 $H
+ done
+ sleep 60 # its really needed, aarch64 needs that
+ rlPhaseEnd
+
+ rlPhaseStartTest "count src ports"
+ rlRun "kill $TCPDUMP_FWD" 0 "kill tcpdump"
+ rlRun "wait $TCPDUMP_FWD" 0 "wait until tcpdump stops"
+ rlRun "tcpdump -r dns.pcap -nn &>dns.tcpdump"
+ sleep 5
+ UNIQUE_PORTS=$(gawk -F' ' '{ print $3 }' dns.tcpdump | gawk -F'.' '{ print $5 }' | grep -v 53 | sort|uniq|wc -l)
+ UNIQUE_IDS=$(awk '{print $6}' dns.tcpdump | grep '[0-9]\++' | sort -u | wc -l)
+ rlLog "WE HAVE ${UNIQUE_PORTS} PORT"
+
+ if [ $UNIQUE_PORTS -gt 17 ]; then
+ rlPass "many PORTs"
+ else
+ rlFail "only $UNIQUE_PORTS ports used"
+ fi
+ rlAssertGreater "Check IDs are unique too" "$UNIQUE_IDS" 17
+ [ "$DEBUG" = y ] && PS1="test-debug $PS1" bash -i
+ rlPhaseEnd
+
+
+ rlPhaseStartCleanup "kill all"
+ killall dnsmasq tcpdump
+ ps aux | grep -ie dnsmasq | awk '{print "kill -9 " $2}'
+ ps aux | grep -ie dig | awk '{print "kill -9 " $2}'
+ rlBundleLogs dnsmasq*.log dns.pcap dns.tcpdump
+ rlLog "test end"
+ rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd
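Review bot: The three `ps aux | grep -ie … | awk '{print "kill -9 " $2}'` pipelines in the first setup phase and again in the cleanup phase only print kill commands to stdout and never execute them, so they are no-ops (and the grep would match its own process anyway); `killall`, which the cleanup already uses, does what was intended. The cleanup also never removes the `vnet0`/`vnet1` namespaces created in the `namespace` phase, so on the "again and again" re-run the setup comment mentions, `ip netns add vnet0` fails because the namespace exists; deleting both namespaces tears down the veth pair with them, and running the same `ip netns del` (errors ignored) in the first setup phase protects against an aborted previous run. In the `count src ports` phase, `grep -v 53` drops every source port whose decimal text merely contains `53` (15301, 53xxx, …), undercounting unique ports, so filter on the exact field instead. The port count and the cleanup phase are rewritten below; the rest of the script is unchanged.

```bash
# … unchanged: header, setup, namespace, dnsmasq, tcpdump and dig phases …
    rlPhaseStartTest "count src ports"
        # … unchanged: kill/wait tcpdump, dump pcap to dns.tcpdump …
        UNIQUE_PORTS=$(gawk '{ print $3 }' dns.tcpdump | gawk -F'.' '$5 != "53" { print $5 }' | sort -u | wc -l)
        # … unchanged: UNIQUE_IDS, rlLog and the assertions …
    rlPhaseEnd

    rlPhaseStartCleanup "kill all"
        killall dnsmasq tcpdump dig
        rlRun "ip netns del vnet0" 0 "Remove namespace vnet0 (destroys its veth end)"
        rlRun "ip netns del vnet1" 0 "Remove namespace vnet1 (destroys its veth end)"
        rlBundleLogs dnsmasq*.log dns.pcap dns.tcpdump
        rlLog "test end"
    rlPhaseEnd
```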
diff --git a/main.fmf b/main.fmf
new file mode 100644
index 0000000..41e2fab
--- /dev/null
+++ b/main.fmf
@@ -0,0 +1,2 @@
+# QE owner
+contact: Petr Sklenar <psklenar(a)redhat.com>
pemensik pushed to dnsmasq (master). "Randomize ports"
by notifications@fedoraproject.org
Notification time stamped 2018-10-25 13:32:54 UTC
From 8a0901a90e38fb504c3127b7ec382dbf546fda50 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemensik(a)redhat.com>
Date: Oct 24 2018 16:54:52 +0000
Subject: Randomize ports
---
diff --git a/dnsmasq-2.79-randomize-ports.patch b/dnsmasq-2.79-randomize-ports.patch
new file mode 100644
index 0000000..e37931b
--- /dev/null
+++ b/dnsmasq-2.79-randomize-ports.patch
@@ -0,0 +1,87 @@
+From 6899c5c5b9a32aa2ce0513b5e69356844988c64e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik(a)redhat.com>
+Date: Thu, 9 Aug 2018 18:17:26 +0200
+Subject: [PATCH] Use OS random ports by default
+
+Unless max-port or min-port is given, let OS allocate random ports for
+DNS queries. Randomize similar to --query-port=0, but for each query
+separately. Would use port according to system policy.
+---
+ src/dnsmasq.c | 2 +-
+ src/network.c | 15 ++++++++++++---
+ src/option.c | 4 +++-
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/dnsmasq.c b/src/dnsmasq.c
+index 9f6c020..4cd478e 100644
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -226,7 +226,7 @@ int main (int argc, char **argv)
+ die(_("loop detection not available: set HAVE_LOOP in src/config.h"), NULL, EC_BADCONF);
+ #endif
+
+- if (daemon->max_port < daemon->min_port)
++ if (daemon->max_port >= 0 && daemon->max_port < daemon->min_port)
+ die(_("max_port cannot be smaller than min_port"), NULL, EC_BADCONF);
+
+ now = dnsmasq_time();
+diff --git a/src/network.c b/src/network.c
+index 0381513..9747d26 100644
+--- a/src/network.c
++++ b/src/network.c
+@@ -1138,18 +1138,27 @@ int random_sock(int family)
+ if ((fd = socket(family, SOCK_DGRAM, 0)) != -1)
+ {
+ union mysockaddr addr;
+- unsigned int ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1;
+- int tries = ports_avail < 30 ? 3 * ports_avail : 100;
++ unsigned short ports_avail = 0;
++ int tries = 100;
++ unsigned short port = 0;
+
+ memset(&addr, 0, sizeof(addr));
+ addr.sa.sa_family = family;
+
++ if (daemon->max_port >= 0)
++ {
++ ports_avail = ((unsigned short)daemon->max_port - (unsigned short)daemon->min_port) + 1;
++ if (ports_avail < 30)
++ tries = 3 * ports_avail;
++ }
++
+ /* don't loop forever if all ports in use. */
+
+ if (fix_fd(fd))
+ while(tries--)
+ {
+- unsigned short port = htons(daemon->min_port + (rand16() % ((unsigned short)ports_avail)));
++ if (ports_avail)
++ port = htons(daemon->min_port + (rand16() % ports_avail));
+
+ if (family == AF_INET)
+ {
+diff --git a/src/option.c b/src/option.c
+index d358d99..b7eaff0 100644
+--- a/src/option.c
++++ b/src/option.c
+@@ -2602,6 +2602,8 @@ static int one_opt(int option, char *arg, char *errstr, char *gen_err, int comma
+ case LOPT_MINPORT: /* --min-port */
+ if (!atoi_check16(arg, &daemon->min_port))
+ ret_err(gen_err);
++ if (daemon->max_port < 0)
++ daemon->max_port = MAX_PORT;
+ break;
+
+ case LOPT_MAXPORT: /* --max-port */
+@@ -4678,7 +4680,7 @@ void read_opts(int argc, char **argv, char *compile_opts)
+ daemon->soa_refresh = SOA_REFRESH;
+ daemon->soa_retry = SOA_RETRY;
+ daemon->soa_expiry = SOA_EXPIRY;
+- daemon->max_port = MAX_PORT;
++ daemon->max_port = -1;
+ daemon->min_port = MIN_PORT;
+
+ #ifndef NO_ID
+--
+2.14.4
+
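Review bot: In the `random_sock` hunk of `src/network.c`, narrowing `ports_avail` from `unsigned int` to `unsigned short` means an explicit `--min-port=0 --max-port=65535` (which the new `max_port >= 0 && max_port < min_port` check in `src/dnsmasq.c` accepts) makes `(65535 - 0) + 1` wrap to 0, so `tries` becomes `3 * 0` and the `while(tries--)` bind loop is skipped entirely; the removed line already had a `% 0` problem for that range via its `(unsigned short)ports_avail` cast, but the new variable width makes the no-bind outcome certain. Keeping the original width, `unsigned int ports_avail = 0;`, while leaving the new `if (ports_avail)` guard in place covers the full range with `rand16() % ports_avail`. The rest of `random_sock`, including what happens when the loop does not run, is outside the hunk. One documentation point on the new `max_port = -1` default: letting the kernel choose the source port confines it, on Linux, to the ephemeral range (`net.ipv4.ip_local_port_range`), which is typically a smaller set than `MIN_PORT..MAX_PORT`; a sentence about this in the patch description or in the man page text for `--min-port`/`--max-port` would let operators judge the randomisation they actually get.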
diff --git a/dnsmasq.spec b/dnsmasq.spec
index f1a5a9f..3319fd7 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -13,7 +13,7 @@
Name: dnsmasq
Version: 2.79
-Release: 7%{?extraversion:.%{extraversion}}%{?dist}
+Release: 8%{?extraversion:.%{extraversion}}%{?dist}
Summary: A lightweight DHCP/caching DNS server
License: GPLv2 or GPLv3
@@ -26,6 +26,7 @@ Source2: dnsmasq-systemd-sysusers.conf
Patch1: dnsmasq-2.77-underflow.patch
Patch3: dnsmasq-2.78-fips.patch
Patch4: dnsmasq-2.80-dnssec.patch
+Patch5: dnsmasq-2.79-randomize-ports.patch
# This is workaround to nettle bug #1549190
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -63,6 +64,7 @@ server's leases.
%patch1 -p1 -b .underflow
%patch3 -p1 -b .fips
%patch4 -p1 -b .dnssec
+%patch5 -p1 -b .ports
# use /var/lib/dnsmasq instead of /var/lib/misc
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
@@ -163,6 +165,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
%{_mandir}/man1/dhcp_*
%changelog
+* Thu Aug 09 2018 Petr Menšík <pemensik(a)redhat.com> - 2.79-8
+- Better randomize ports
+
* Tue Jul 31 2018 Florian Weimer <fweimer(a)redhat.com> - 2.79-7
- Rebuild with fixed binutils