Sync from SUSE:SLFO:Main dnsmasq revision 0237bfabcdc9255c5a8966576d9c63f0

Adrian Schröter 2024-05-03 12:06:52 +02:00
commit ec5f7e589c
12 changed files with 2616 additions and 0 deletions

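--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text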

BIN
dnsmasq-2.89.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

16
dnsmasq-2.89.tar.xz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=yXEY
-----END PGP SIGNATURE-----


@ -0,0 +1,54 @@
From eb92fb32b746f2104b0f370b5b295bb8dd4bd5e5 Mon Sep 17 00:00:00 2001
From: Simon Kelley <simon@thekelleys.org.uk>
Date: Tue, 7 Mar 2023 22:07:46 +0000
Subject: [PATCH] Set the default maximum DNS UDP packet size to 1232.
http://www.dnsflagday.net/2020/ refers.
Thanks to Xiang Li for the prompt.
---
CHANGELOG | 9 ++++++++-
man/dnsmasq.8 | 3 ++-
src/config.h | 2 +-
3 files changed, 11 insertions(+), 3 deletions(-)
--- CHANGELOG.orig
+++ CHANGELOG
@@ -11,7 +11,14 @@ version 2.89
for reporting the bug and for his great efforts in chasing
it down.
+ Set the default maximum DNS UDP packet sice to 1232. This
+ has been the recommended value since 2020 because it's the
+ largest value that avoid fragmentation, and fragmentation
+ is just not reliable on the modern internet, especially
+ for IPv6. It's still possible to override this with
+ --edns-packet-max for special circumstances.
+
version 2.88
Fix bug in --dynamic-host when an interface has /16 IPv4
address. Thanks to Mark Dietzer for spotting this.
--- man/dnsmasq.8.orig
+++ man/dnsmasq.8
@@ -183,7 +183,8 @@ to zero completely disables DNS function
.TP
.B \-P, --edns-packet-max=<size>
Specify the largest EDNS.0 UDP packet which is supported by the DNS
-forwarder. Defaults to 4096, which is the RFC5625-recommended size.
+forwarder. Defaults to 1232, which is the recommended size following the
+DNS flag day in 2020. Only increase if you know what you are doing.
.TP
.B \-Q, --query-port=<query_port>
Send outbound DNS queries from, and listen for their replies on, the
--- src/config.h.orig
+++ src/config.h
@@ -19,7 +19,7 @@
#define CHILD_LIFETIME 150 /* secs 'till terminated (RFC1035 suggests > 120s) */
#define TCP_MAX_QUERIES 100 /* Maximum number of queries per incoming TCP connection */
#define TCP_BACKLOG 32 /* kernel backlog limit for TCP connections */
-#define EDNS_PKTSZ 4096 /* default max EDNS.0 UDP packet from RFC5625 */
+#define EDNS_PKTSZ 1232 /* default max EDNS.0 UDP packet from from /dnsflagday.net/2020 */
#define SAFE_PKTSZ 1232 /* "go anywhere" UDP packet size, see https://dnsflagday.net/2020/ */
#define KEYBLOCK_LEN 40 /* choose to minimise fragmentation when storing DNSSEC keys */
#define DNSSEC_WORK 50 /* Max number of queries to validate one question */
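Review bot: Lowering `EDNS_PKTSZ` to 1232 in src/config.h changes only the compiled-in default, so a host whose preserved dnsmasq.conf (the spec marks it `%config(noreplace)`) already sets `edns-packet-max` keeps the larger size after the update. The package changelog is the place to tell administrators to review that option, since nothing in this patch or the spec checks for it. The new comment also reads `from from /dnsflagday.net/2020`, with a doubled word and a truncated URL, where the `SAFE_PKTSZ` line below spells it `https://dnsflagday.net/2020/`, and the CHANGELOG text has `sice` and `that avoid`. If the file is meant to stay byte-identical to the upstream commit named in its `From` line, say so in the patch header rather than correcting it.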

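--- a/dnsmasq-groups.patch
+++ b/dnsmasq-groups.patch
@@ -0,0 +1,16 @@
+--- src/dnsmasq.c.orig
++++ src/dnsmasq.c
+@@ -731,11 +731,10 @@ int main (int argc, char **argv)
+if (!option_bool(OPT_DEBUG) && getuid() == 0)
+{
+int bad_capabilities = 0;
+- gid_t dummy;
+- /* remove all supplementary groups */
++ /* set the supplementary groups of the daemon user */
+if (gp &&
+- (setgroups(0, &dummy) == -1 ||
++ (initgroups(daemon->username, gp->gr_gid) == -1 ||
+setgid(gp->gr_gid) == -1))
+{
+send_event(err_pipe[1], EVENT_GROUP_ERR, errno, daemon->groupname);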
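Review bot: Replacing `setgroups(0, &dummy)` with `initgroups(daemon->username, gp->gr_gid)` means the daemon keeps every supplementary group of its run-as account after dropping root, where the removed code cleared them all. With the `m dnsmasq tftp` line in system-user-dnsmasq.conf that is at least `tftp`, and any group later added to the account is inherited without a code change. The patch file has no description, so the reason for the wider group set is not recorded; a header paragraph plus a comment such as `/* SUSE: keep the daemon user's supplementary groups; upstream drops them all */` would make the deviation visible to the next person rebasing it. The guard shown tests only `gp`, and whether `daemon->username` can be NULL at this point is decided outside the hunk, so confirm that, or fall back with `(daemon->username ? initgroups(daemon->username, gp->gr_gid) : setgroups(0, NULL)) == -1`.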

2026
dnsmasq.changes Normal file

File diff suppressed because it is too large Load Diff

116
dnsmasq.keyring Normal file
View File

@ -0,0 +1,116 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=00xm
-----END PGP PUBLIC KEY BLOCK-----

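--- a/dnsmasq.reg
+++ b/dnsmasq.reg
@@ -0,0 +1,12 @@
+#############################################################################
+#
+# OpenSLP registration file
+#
+# register domain name service (DNS) daemon
+#
+#############################################################################
+service:domain://$HOSTNAME:53,en,65535
+watch-port-udp=53
+description=Domain Name Service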

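--- a/dnsmasq.service
+++ b/dnsmasq.service
@@ -0,0 +1,30 @@
+[Unit]
+Description=DNS caching server.
+After=network.target
+Wants=nss-lookup.target
+Before=nss-lookup.target
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+Type=dbus
+BusName=uk.org.thekelleys.dnsmasq
+ExecStartPre=/usr/sbin/dnsmasq --test
+ExecStart=/usr/sbin/dnsmasq --log-async --enable-dbus --keep-in-foreground
+ExecReload=/bin/kill -HUP $MAINPID
+#### kills logging, so not enabled
+# PrivateDevices=yes
+####
+[Install]
+WantedBy=multi-user.target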
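Review bot: The `[Service]` hardening block sets no `CapabilityBoundingSet=` and no `User=`, so `ExecStartPre=/usr/sbin/dnsmasq --test` and everything the daemon does before its own privilege drop run with the full root capability set. A bounding set limited to what a DNS/DHCP daemon needs would narrow that, for example `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN` as a starting point, to be tested against the DHCP, TFTP and script options actually in use. `PrivateTmp=true` and a `RestrictAddressFamilies=` list are the other directives worth evaluating here. The comment on the disabled `PrivateDevices=yes` says only "kills logging"; naming the logging path and the version it was tested with would let someone re-check it later.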

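--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -0,0 +1,227 @@
+#
+# spec file for package dnsmasq
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150300
+%bcond_without tftp_user_package
+%else
+%bcond_with tftp_user_package
+%endif
+Name: dnsmasq
+Version: 2.89
+Release: 0
+Summary: DNS Forwarder and DHCP Server
+License: GPL-2.0-only OR GPL-3.0-only
+Group: Productivity/Networking/DNS/Servers
+URL: https://thekelleys.org.uk/dnsmasq/
+Source0: https://thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz
+Source1: https://thekelleys.org.uk/%{name}/%{name}-%{version}.tar.xz.asc
+Source2: %{name}.keyring
+Source3: dnsmasq.reg
+Source4: dnsmasq.service
+Source5: rc.dnsmasq-suse
+Source6: system-user-dnsmasq.conf
+Patch0: dnsmasq-groups.patch
+Patch1: dnsmasq-CVE-2023-28450.patch
+BuildRequires: dbus-1-devel
+BuildRequires: dos2unix
+BuildRequires: libidn2-devel
+BuildRequires: libnettle-devel
+BuildRequires: lua-devel
+BuildRequires: pkgconfig
+BuildRequires: pkgconfig(libnetfilter_conntrack)
+BuildRequires: pkgconfig(systemd)
+Provides: dns_daemon
+%if %{with tftp_user_package}
+BuildRequires: sysuser-tools
+Requires(pre): user(tftp)
+%sysusers_requires
+%else
+Requires(pre): %{_sbindir}/useradd
+%endif
+%description
+Dnsmasq provides network infrastructure for small networks: DNS,
+DHCP, router advertisement and network boot.
+The DNS subsystem supprots forwarding of all query types, and caching
+of common record types, DNSSEC included. The DHCP subsystem supports
+DHCPv4, DHCPv6, BOOTP and PXE. RA can be used stand-alone or in
+conjunction with DHCPv6.
+%package utils
+Summary: Utilities for manipulating DHCP server leases
+Group: Productivity/Networking/DNS/Servers
+%description utils
+Utilities that use the standard DHCP protocol to query/remove a DHCP
+server's leases.
+%prep
+%autosetup -p0
+# Remove the executable bit from python example files to
+# avoid unwanted automatic dependencies
+find contrib -name *.py -exec chmod a-x '{}' +
+# Some docs have the DOS line ends
+dos2unix contrib/systemd/dbus_activation
+# SED-FIX-UPSTREAM -- Fix paths
+sed -i -e 's|\(PREFIX *= *\)%{_prefix}/local|\1/usr|;
+s|$(LDFLAGS)|$(CFLAGS) $(LDFLAGS)|' \
+Makefile
+# use lua5.3 instead of lua5.2
+sed -i -e 's|lua5.2|lua%{lua_version}|' Makefile
+# SED-FIX-UPSTREAM -- Fix man page
+sed -i -e 's|The default is "dip",|The default is "dnsmasq",|' \
+man/dnsmasq.8
+# SED-FIX-UPSTREAM -- Fix cachesize, group , user and pid location
+sed -i -e 's|CACHESIZ 150|CACHESIZ 2000|;
+s|CHUSER "nobody"|CHUSER "dnsmasq"|;
+s|CHGRP "dip"|CHGRP "dnsmasq"|;
+s|RUNFILE "/var/run/dnsmasq.pid"|RUNFILE "%{_rundir}/dnsmasq.pid"|' \
+src/config.h
+# Tweaks to the default configuration:
+# - Fix trust-anchor.conf location
+# - Include /etc/dnsmasq.d/*.conf by default
+# - Only answer queries coming from the local network
+sed -i -e '/trust-anchors.conf/c\#conf-file=%{_sysconfdir}/dnsmasq.d/trust-anchors.conf' \
+-e '/conf-dir=.*conf/s/^\#//' \
+-e '0,/^$/{/^$/a \
+# Accept DNS queries only from hosts whose address is on a local\
+# subnet, ie a subnet for which an interface exists on the server.\
+# It is intended to be set as a default on installation, to allow\
+# unconfigured installations to be useful but also safe from being\
+# used for DNS amplification attacks.\
+local-service\
+}' \
+dnsmasq.conf.example
+%build
+mv po/no.po po/nb.po
+export CFLAGS="%{optflags} -std=gnu99 -fPIC -DPIC -fpie"
+export LDFLAGS="-Wl,-z,relro,-z,now -pie"
+# the dnsmasq make system hashes the configuration flags, so we have to supply the
+# same flags for make and make install, else everything gets recompiled
+%define _copts "-DHAVE_DBUS -DHAVE_CONNTRACK -DHAVE_LIBIDN2 -DHAVE_DNSSEC -DHAVE_LUASCRIPT"
+%make_build AWK=gawk all-i18n CFLAGS="$CFLAGS" LDFLAGS="$LDFLAGS" COPTS=%{_copts}
+%if %{with tftp_user_package}
+%sysusers_generate_pre %{SOURCE6} dnsmasq system-user-dnsmasq.conf
+%endif
+%if %{without tftp_user_package}
+%pre
+if ! %{_bindir}/getent group tftp >/dev/null; then
+%{_sbindir}/groupadd -r tftp
+fi
+if ! %{_bindir}/getent passwd tftp >/dev/null; then
+%{_sbindir}/useradd -c "TFTP account" -d /srv/tftpboot -G tftp -g tftp \
+-r -s /bin/false tftp
+fi
+if ! %{_bindir}/getent passwd dnsmasq >/dev/null; then
+%{_sbindir}/useradd -r -d %{_localstatedir}/lib/empty -s /bin/false -c "dnsmasq" -g nogroup -G tftp dnsmasq
+fi
+%else
+%pre -f dnsmasq.pre
+%endif
+%service_add_pre %{name}.service
+%post
+%service_add_post %{name}.service
+# reload dbus after install or upgrade to apply new policies
+if [ -z "${TRANSACTIONAL_UPDATE}" -a -x %{_bindir}/systemctl ]; then
+%{_bindir}/systemctl reload dbus.service 2>/dev/null || :
+fi
+%preun
+%service_del_preun %{name}.service
+%postun
+%service_del_postun %{name}.service
+# reload dbus after uninstall, our policies are gone again
+if [ $1 -eq 0 -a -z "${TRANSACTIONAL_UPDATE}" \
+-a -x %{_bindir}/systemctl ]; then
+%{_bindir}/systemctl reload dbus.service 2>/dev/null || :
+fi
+%install
+make install-i18n DESTDIR=%{buildroot} PREFIX=%{_prefix} AWK=gawk COPTS=%{_copts}
+install -d -m 755 %{buildroot}/%{_sysconfdir}/slp.reg.d
+install -m 644 dnsmasq.conf.example %{buildroot}/%{_sysconfdir}/dnsmasq.conf
+install -m 644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/slp.reg.d/
+install -d 755 %{buildroot}%{_datadir}/dbus-1/system.d/
+install -m 644 dbus/dnsmasq.conf %{buildroot}%{_datadir}/dbus-1/system.d/dnsmasq.conf
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/dnsmasq.service
+%if %{without tftp_user_package}
+install -d -m 0755 %{buildroot}/srv/tftpboot
+%else
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/
+%endif
+ln -sf %{_sbindir}/service %{buildroot}%{_sbindir}/rcdnsmasq
+install -d -m 755 %{buildroot}/%{_sysconfdir}/dnsmasq.d
+install -m 644 trust-anchors.conf %{buildroot}/%{_sysconfdir}/dnsmasq.d/trust-anchors.conf
+# utils subpackage
+mkdir -p %{buildroot}/%{_bindir} %{buildroot}/%{_mandir}/man1
+make -C contrib/lease-tools %{?_smp_mflags}
+install -m 755 contrib/lease-tools/dhcp_release %{buildroot}/%{_bindir}/dhcp_release
+install -m 644 contrib/lease-tools/dhcp_release.1 %{buildroot}/%{_mandir}/man1/dhcp_release.1
+install -m 755 contrib/lease-tools/dhcp_release6 %{buildroot}/%{_bindir}/dhcp_release6
+install -m 644 contrib/lease-tools/dhcp_release6.1 %{buildroot}/%{_mandir}/man1/dhcp_release6.1
+install -m 755 contrib/lease-tools/dhcp_lease_time %{buildroot}/%{_bindir}/dhcp_lease_time
+install -m 644 contrib/lease-tools/dhcp_lease_time.1 %{buildroot}/%{_mandir}/man1/dhcp_lease_time.1
+make -C contrib/lease-tools clean
+rm -rf contrib/Suse
+rm -rf contrib/Solaris10
+rm -rf contrib/dnsmasq_MacOSX-pre10.4
+rm -rf contrib/slackware-dnsmasq
+rm -rf contrib/MacOSX-launchd
+%find_lang %{name} --with-man
+%files -f %{name}.lang
+%license COPYING COPYING-v3
+%doc CHANGELOG FAQ doc.html setup.html dnsmasq.conf.example contrib dbus
+%config(noreplace) %{_sysconfdir}/dnsmasq.conf
+%{_sbindir}/dnsmasq
+%{_sbindir}/rcdnsmasq
+%dir %{_sysconfdir}/slp.reg.d/
+%config %attr(0644,root,root) /%{_sysconfdir}/slp.reg.d/dnsmasq.reg
+%{_mandir}/man8/dnsmasq.8%{?ext_man}
+%{_datadir}/dbus-1/system.d/dnsmasq.conf
+%{_unitdir}/dnsmasq.service
+%dir %{_sysconfdir}/dnsmasq.d
+%config(noreplace) %{_sysconfdir}/dnsmasq.d/trust-anchors.conf
+%if %{without tftp_user_package}
+%dir %attr(0755,tftp,tftp) /srv/tftpboot
+%else
+%{_sysusersdir}/system-user-dnsmasq.conf
+%endif
+%files utils
+%{_bindir}/dhcp_*
+%{_mandir}/man1/dhcp_*
+%changelog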
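Review bot: On the `%{without tftp_user_package}` path the `%pre` script creates the `dnsmasq` user with `-g nogroup` and never creates a `dnsmasq` group, yet `%prep` rewrites `CHGRP` to `"dnsmasq"` in src/config.h, so the compiled-in default group depends on something this spec does not provide on that path (the sysusers path gets the group from the `u dnsmasq` line). Adding `%{_bindir}/getent group dnsmasq >/dev/null || %{_sbindir}/groupadd -r dnsmasq` and switching the `useradd` to `-g dnsmasq` would make both paths agree and keep the daemon out of the shared `nogroup`. Two smaller slips in the same file: `install -d 755 %{buildroot}%{_datadir}/dbus-1/system.d/` is missing `-m`, so it also creates a directory literally named `755`, and `find contrib -name *.py` should quote the pattern as `'*.py'` so the shell cannot expand it before find sees it. `Source5: rc.dnsmasq-suse` is listed but nothing in `%install` installs it; drop the source or note why it is kept.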

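--- a/rc.dnsmasq-suse
+++ b/rc.dnsmasq-suse
@@ -0,0 +1,90 @@
+#! /bin/sh
+#
+# init.d/dnsmasq
+#
+### BEGIN INIT INFO
+# Provides: dnsmasq
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 3 5
+# Default-Stop:
+# Description: Starts internet name service masq caching server (DNS)
+### END INIT INFO
+NAMED_BIN=/usr/sbin/dnsmasq
+NAMED_PID=/var/run/dnsmasq.pid
+NAMED_CONF=/etc/dnsmasq.conf
+if [ ! -x $NAMED_BIN ] ; then
+echo -n "dnsmasq not installed! "
+exit 5
+fi
+. /etc/rc.status
+rc_reset
+case "$1" in
+start)
+if grep "^[^#].*/etc/ppp/" /etc/dnsmasq.conf >/dev/null 2>&1; then
+echo
+echo "Warning! dnsmasq can not read the /etc/ppp directory anymore";
+echo " but /etc/ppp seems to be used in your config";
+echo " use /var/run/ instead like /var/run/dnsmasq-forwarders.conf";
+echo
+fi
+echo -n "Starting name service masq caching server "
+checkproc -p $NAMED_PID $NAMED_BIN
+if [ $? -eq 0 ] ; then
+echo -n "- Warning: dnsmasq already running! "
+else
+[ -e $NAMED_PID ] && echo -n "- Warning: $NAMED_PID exists! "
+fi
+startproc -p $NAMED_PID $NAMED_BIN -u dnsmasq
+rc_status -v
+;;
+stop)
+echo -n "Shutting name service masq caching server "
+checkproc -p $NAMED_PID $NAMED_BIN
+[ $? -ne 0 ] && echo -n "- Warning: dnsmasq not running! "
+killproc -p $NAMED_PID -TERM $NAMED_BIN
+rc_status -v
+;;
+try-restart|force-reload)
+if $0 status ; then
+$0 restart
+else
+rc_reset
+fi
+rc_status
+;;
+restart)
+if checkproc -p $NAMED_PID $NAMED_BIN ; then
+$0 stop
+fi
+$0 start
+rc_status
+;;
+reload)
+echo -n "Reloading name service masq caching server unsupported "
+rc_failed 3
+rc_status -v
+;;
+sighup)
+echo -n "Sending SIGHUP to name service masq caching server "
+killproc -p $NAMED_PID -HUP $NAMED_BIN
+rc_status -v
+;;
+status)
+echo -n "Checking for name service masq caching server "
+checkproc -p $NAMED_PID $NAMED_BIN
+rc_status -v
+;;
+probe)
+test $NAMED_CONF -nt $NAMED_PID && echo reload
+;;
+*)
+echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|sighup|probe}"
+exit 1
+;;
+esac
+rc_exit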
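Review bot: The `start` branch greps the literal path `/etc/dnsmasq.conf` although `NAMED_CONF` is defined above and used by `probe`, so changing the variable would leave the /etc/ppp warning checking a different file; `grep "^[^#].*/etc/ppp/" "$NAMED_CONF"` keeps the two together. The `$NAMED_BIN`, `$NAMED_PID` and `$NAMED_CONF` expansions are unquoted throughout, and the usage string omits the `reload` action that the `case` handles. `NAMED_PID=/var/run/dnsmasq.pid` also differs from the `%{_rundir}/dnsmasq.pid` RUNFILE that the spec compiles in, which matches only where /var/run resolves to the same directory.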

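--- a/system-user-dnsmasq.conf
+++ b/system-user-dnsmasq.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+u dnsmasq - "dnsmasq" /var/lib/empty -
+m dnsmasq tftp - - -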