Initial commit

package/network/services/dnsmasq/Makefile

@@ -0,0 +1,199 @@
+#
+# Copyright (C) 2006-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dnsmasq
+PKG_UPSTREAM_VERSION:=2.86
+PKG_VERSION:=$(subst test,~~test,$(subst rc,~rc,$(PKG_UPSTREAM_VERSION)))
+PKG_RELEASE:=$(AUTORELEASE)
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_UPSTREAM_VERSION).tar.xz
+PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
+PKG_HASH:=28d52cfc9e2004ac4f85274f52b32e1647b4dbc9761b82e7de1e41c49907eb08
+
+PKG_LICENSE:=GPL-2.0
+PKG_LICENSE_FILES:=COPYING
+PKG_CPE_ID:=cpe:/a:thekelleys:dnsmasq
+
+PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_UPSTREAM_VERSION)
+
+PKG_INSTALL:=1
+PKG_BUILD_PARALLEL:=1
+PKG_ASLR_PIE_REGULAR:=1
+PKG_CONFIG_DEPENDS:= CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6 \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc \
+	CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_tftp
+
+include $(INCLUDE_DIR)/package.mk
+
+define Package/dnsmasq/Default
+  SECTION:=net
+  CATEGORY:=Base system
+  TITLE:=DNS and DHCP server
+  URL:=http://www.thekelleys.org.uk/dnsmasq/
+  DEPENDS:=+libubus
+  USERID:=dnsmasq=453:dnsmasq=453
+endef
+
+define Package/dnsmasq
+$(call Package/dnsmasq/Default)
+  VARIANT:=nodhcpv6
+endef
+
+define Package/dnsmasq-dhcpv6
+$(call Package/dnsmasq/Default)
+  TITLE += (with DHCPv6 support)
+  DEPENDS+=@IPV6
+  VARIANT:=dhcpv6
+  PROVIDES:=dnsmasq
+endef
+
+define Package/dnsmasq-full
+$(call Package/dnsmasq/Default)
+  TITLE += (with DNSSEC, DHCPv6, Auth DNS, IPset, Conntrack, NO_ID enabled by default)
+  DEPENDS+=+PACKAGE_dnsmasq_full_dnssec:libnettle \
+	+PACKAGE_dnsmasq_full_ipset:kmod-ipt-ipset \
+	+PACKAGE_dnsmasq_full_conntrack:libnetfilter-conntrack
+  VARIANT:=full
+  PROVIDES:=dnsmasq
+endef
+
+define Package/dnsmasq/description
+  It is intended to provide coupled DNS and DHCP service to a LAN.
+endef
+
+define Package/dnsmasq-dhcpv6/description
+$(call Package/dnsmasq/description)
+
+This is a variant with DHCPv6 support
+endef
+
+define Package/dnsmasq-full/description
+$(call Package/dnsmasq/description)
+
+This is a fully configurable variant with DHCPv4, DHCPv6, DNSSEC, Authoritative DNS
+and IPset, Conntrack support & NO_ID enabled by default.
+endef
+
+define Package/dnsmasq/conffiles
+/etc/config/dhcp
+/etc/dnsmasq.conf
+/etc/dnsmasq.d/
+endef
+
+define Package/dnsmasq-full/config
+	if PACKAGE_dnsmasq-full
+	config PACKAGE_dnsmasq_full_dhcp
+		bool "Build with DHCP support."
+		default y
+	config PACKAGE_dnsmasq_full_dhcpv6
+		bool "Build with DHCPv6 support."
+		depends on IPV6 && PACKAGE_dnsmasq_full_dhcp
+		default y
+	config PACKAGE_dnsmasq_full_dnssec
+		bool "Build with DNSSEC support."
+		default y
+	config PACKAGE_dnsmasq_full_auth
+		bool "Build with the facility to act as an authoritative DNS server."
+		default y
+	config PACKAGE_dnsmasq_full_ipset
+		bool "Build with IPset support."
+		default y
+	config PACKAGE_dnsmasq_full_conntrack
+		bool "Build with Conntrack support."
+		default y
+	config PACKAGE_dnsmasq_full_noid
+		bool "Build with NO_ID. (hide *.bind pseudo domain)"
+		default y
+	config PACKAGE_dnsmasq_full_broken_rtc
+		bool "Build with HAVE_BROKEN_RTC."
+		default n
+	config PACKAGE_dnsmasq_full_tftp
+		bool "Build with TFTP server support."
+		default y
+	endif
+endef
+
+Package/dnsmasq-dhcpv6/conffiles = $(Package/dnsmasq/conffiles)
+Package/dnsmasq-full/conffiles = $(Package/dnsmasq/conffiles)
+
+TARGET_CFLAGS += -flto
+TARGET_LDFLAGS += -flto=jobserver
+
+COPTS = -DHAVE_UBUS -DHAVE_POLL_H \
+	$(if $(CONFIG_IPV6),,-DNO_IPV6)
+
+ifeq ($(BUILD_VARIANT),nodhcpv6)
+	COPTS += -DNO_DHCP6
+endif
+
+ifeq ($(BUILD_VARIANT),full)
+	COPTS += $(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcp),,-DNO_DHCP) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dhcpv6),,-DNO_DHCP6) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_dnssec),-DHAVE_DNSSEC) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_auth),,-DNO_AUTH) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_ipset),,-DNO_IPSET) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_conntrack),-DHAVE_CONNTRACK,) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_noid),-DNO_ID,) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_broken_rtc),-DHAVE_BROKEN_RTC) \
+		$(if $(CONFIG_PACKAGE_dnsmasq_$(BUILD_VARIANT)_tftp),,-DNO_TFTP)
+	COPTS += $(if $(CONFIG_LIBNETTLE_MINI),-DNO_GMP,)
+else
+	COPTS += -DNO_AUTH -DNO_IPSET -DNO_ID
+endif
+
+MAKE_FLAGS := \
+	$(TARGET_CONFIGURE_OPTS) \
+	CFLAGS="$(TARGET_CFLAGS) $(TARGET_CPPFLAGS)" \
+	LDFLAGS="$(TARGET_LDFLAGS)" \
+	COPTS="$(COPTS)" \
+	PREFIX="/usr"
+
+define Package/dnsmasq/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(CP) $(PKG_INSTALL_DIR)/usr/sbin/dnsmasq $(1)/usr/sbin/
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/dhcp.conf $(1)/etc/config/dhcp
+	$(INSTALL_CONF) ./files/dnsmasq.conf $(1)/etc/dnsmasq.conf
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/dnsmasq.init $(1)/etc/init.d/dnsmasq
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/dhcp
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/neigh
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
+	$(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
+	$(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
+	$(INSTALL_DIR) $(1)/usr/share/dnsmasq
+	$(INSTALL_CONF) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
+	$(INSTALL_CONF) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
+	$(INSTALL_DIR) $(1)/usr/lib/dnsmasq
+	$(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh
+	$(INSTALL_DIR) $(1)/usr/share/acl.d
+	$(INSTALL_DATA) ./files/dnsmasq_acl.json $(1)/usr/share/acl.d/
+	$(INSTALL_DIR) $(1)/etc/uci-defaults
+	$(INSTALL_BIN) ./files/50-dnsmasq-migrate-resolv-conf-auto.sh $(1)/etc/uci-defaults
+endef
+
+Package/dnsmasq-dhcpv6/install = $(Package/dnsmasq/install)
+
+define Package/dnsmasq-full/install
+$(call Package/dnsmasq/install,$(1))
+ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),)
+	$(INSTALL_DIR) $(1)/usr/share/dnsmasq
+	$(INSTALL_CONF) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq
+endif
+endef
+
+$(eval $(call BuildPackage,dnsmasq))
+$(eval $(call BuildPackage,dnsmasq-dhcpv6))
+$(eval $(call BuildPackage,dnsmasq-full))

package/network/services/dnsmasq/files/50-dnsmasq-migrate-resolv-conf-auto.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+[ "$(uci get dhcp.@dnsmasq[0].resolvfile)" = "/tmp/resolv.conf.auto" ] && {
+	uci set dhcp.@dnsmasq[0].resolvfile="/tmp/resolv.conf.d/resolv.conf.auto"
+	uci commit dhcp
+}
+
+exit 0

package/network/services/dnsmasq/files/dhcp-script.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+[ -f "$USER_DHCPSCRIPT" ] && . "$USER_DHCPSCRIPT" "$@"
+
+. /usr/share/libubox/jshn.sh
+
+json_init
+json_add_array env
+hotplugobj=""
+
+case "$1" in
+	add | del | old | arp-add | arp-del)
+		json_add_string "" "MACADDR=$2"
+		json_add_string "" "IPADDR=$3"
+	;;
+esac
+
+case "$1" in
+	add)
+		json_add_string "" "ACTION=add"
+		json_add_string "" "HOSTNAME=$4"
+		hotplugobj="dhcp"
+	;;
+	del)
+		json_add_string "" "ACTION=remove"
+		json_add_string "" "HOSTNAME=$4"
+		hotplugobj="dhcp"
+	;;
+	old)
+		json_add_string "" "ACTION=update"
+		json_add_string "" "HOSTNAME=$4"
+		hotplugobj="dhcp"
+	;;
+	arp-add)
+		json_add_string "" "ACTION=add"
+		hotplugobj="neigh"
+	;;
+	arp-del)
+		json_add_string "" "ACTION=remove"
+		hotplugobj="neigh"
+	;;
+	tftp)
+		json_add_string "" "ACTION=add"
+		json_add_string "" "TFTP_SIZE=$2"
+		json_add_string "" "TFTP_ADDR=$3"
+		json_add_string "" "TFTP_PATH=$4"
+		hotplugobj="tftp"
+	;;
+esac
+
+json_close_array env
+
+[ -n "$hotplugobj" ] && ubus call hotplug.${hotplugobj} call "$(json_dump)"

package/network/services/dnsmasq/files/dhcp.conf

@@ -0,0 +1,33 @@
+config dnsmasq
+	option domainneeded	1
+	option boguspriv	1
+	option filterwin2k	0  # enable for dial on demand
+	option localise_queries	1
+	option rebind_protection 1  # disable if upstream must serve RFC1918 addresses
+	option rebind_localhost 1  # enable for RBL checking and similar services
+	#list rebind_domain example.lan  # whitelist RFC1918 responses for domains
+	option local	'/lan/'
+	option domain	'lan'
+	option expandhosts	1
+	option nonegcache	0
+	option authoritative	1
+	option readethers	1
+	option leasefile	'/tmp/dhcp.leases'
+	option resolvfile	'/tmp/resolv.conf.d/resolv.conf.auto'
+	#list server		'/mycompany.local/1.2.3.4'
+	option nonwildcard	1 # bind to & keep track of interfaces
+	#list interface		br-lan
+	#list notinterface	lo
+	#list bogusnxdomain     '64.94.110.11'
+	option localservice	1  # disable to allow DNS requests from non-local subnets
+	option ednspacket_max	1232
+
+config dhcp lan
+	option interface	lan
+	option start 	100
+	option limit	150
+	option leasetime	12h
+
+config dhcp wan
+	option interface	wan
+	option ignore	1

package/network/services/dnsmasq/files/dhcpbogushostname.conf

@@ -0,0 +1,8 @@
+# dhcpbogushostname.conf included configuration file for dnsmasq
+#
+# includes a list of hostnames that should not be associated with dhcp leases
+# in response to CERT VU#598349
+# file included by default, option dhcpbogushostname 0  to disable
+
+dhcp-name-match=set:dhcp_bogus_hostname,localhost
+dhcp-name-match=set:dhcp_bogus_hostname,wpad

package/network/services/dnsmasq/files/dnsmasq.conf

@@ -0,0 +1,37 @@
+# Change the following lines if you want dnsmasq to serve SRV
+# records.
+# You may add multiple srv-host lines.
+# The fields are <name>,<target>,<port>,<priority>,<weight>
+
+# A SRV record sending LDAP for the example.com domain to
+# ldapserver.example.com port 289
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
+
+# Two SRV records for LDAP, each with different priorities
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
+#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
+
+# A SRV record indicating that there is no LDAP server for the domain
+# example.com
+#srv-host=_ldap._tcp.example.com
+
+# The following line shows how to make dnsmasq serve an arbitrary PTR
+# record. This is useful for DNS-SD.
+# The fields are <name>,<target>
+#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
+
+# Change the following lines to enable dnsmasq to serve TXT records.
+# These are used for things like SPF and zeroconf.
+# The fields are <name>,<text>,<text>...
+
+#Example SPF.
+#txt-record=example.com,"v=spf1 a -all"
+
+#Example zeroconf
+#txt-record=_http._tcp.example.com,name=value,paper=A4
+
+# Provide an alias for a "local" DNS name. Note that this _only_ works
+# for targets which are names from DHCP or /etc/hosts. Give host
+# "bert" another name, bertrand
+# The fields are <cname>,<target>
+#cname=bertand,bert

package/network/services/dnsmasq/files/dnsmasq_acl.json

@@ -0,0 +1,12 @@
+{
+	"user": "dnsmasq",
+	"publish": [ "dnsmasq" ],
+	"access": {
+		"hotplug.dhcp": {
+			"methods": [ "call" ]
+		},
+		"hotplug.neigh": {
+			"methods": [ "call" ]
+		}
+	}
+}

package/network/services/dnsmasq/files/dnsmasqsec.hotplug

@@ -0,0 +1,12 @@
+TIMEVALIDFILE="/var/state/dnsmasqsec"
+
+[ "$ACTION" = "stratum" ] || exit 0
+
+[ -f "$TIMEVALIDFILE" ] || {
+	echo "ntpd says time is valid" >$TIMEVALIDFILE
+	/etc/init.d/dnsmasq enabled && {
+		initscript=dnsmasq
+		. /lib/functions/procd.sh
+		procd_send_signal dnsmasq '*' INT
+	}
+}

package/network/services/dnsmasq/files/rfc6761.conf

@@ -0,0 +1,11 @@
+# RFC6761 included configuration file for dnsmasq
+#
+# includes a list of domains that should not be forwarded to Internet name servers
+# to reduce burden on them, asking questions that they won't know the answer to.
+
+server=/bind/
+server=/invalid/
+server=/local/
+server=/localhost/
+server=/onion/
+server=/test/

package/network/services/dnsmasq/patches/100-remove-old-runtime-kernel-support.patch

@@ -0,0 +1,165 @@
+From 02fbe60e1c7e74d2ba57109575e7bfc238b1b5d4 Mon Sep 17 00:00:00 2001
+From: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+Date: Sun, 5 Apr 2020 17:18:23 +0100
+Subject: [PATCH] drop runtime old kernel support
+
+Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
+---
+ src/dnsmasq.c |  4 ----
+ src/dnsmasq.h |  5 +---
+ src/ipset.c   | 64 ++++-----------------------------------------------
+ src/util.c    | 19 ---------------
+ 4 files changed, 5 insertions(+), 87 deletions(-)
+
+--- a/src/dnsmasq.c
++++ b/src/dnsmasq.c
+@@ -95,10 +95,6 @@ int main (int argc, char **argv)
+   
+   read_opts(argc, argv, compile_opts);
+  
+-#ifdef HAVE_LINUX_NETWORK
+-  daemon->kernel_version = kernel_version();
+-#endif
+-
+   if (daemon->edns_pktsz < PACKETSZ)
+     daemon->edns_pktsz = PACKETSZ;
+ 
+--- a/src/dnsmasq.h
++++ b/src/dnsmasq.h
+@@ -1201,7 +1201,7 @@ extern struct daemon {
+   int inotifyfd;
+ #endif
+ #if defined(HAVE_LINUX_NETWORK)
+-  int netlinkfd, kernel_version;
++  int netlinkfd;
+ #elif defined(HAVE_BSD_NETWORK)
+   int dhcp_raw_fd, dhcp_icmp_fd, routefd;
+ #endif
+@@ -1388,9 +1388,6 @@ int read_write(int fd, unsigned char *pa
+ void close_fds(long max_fd, int spare1, int spare2, int spare3);
+ int wildcard_match(const char* wildcard, const char* match);
+ int wildcard_matchn(const char* wildcard, const char* match, int num);
+-#ifdef HAVE_LINUX_NETWORK
+-int kernel_version(void);
+-#endif
+ 
+ /* log.c */
+ void die(char *message, char *arg1, int exit_code) ATTRIBUTE_NORETURN;
+--- a/src/ipset.c
++++ b/src/ipset.c
+@@ -70,7 +70,7 @@ struct my_nfgenmsg {
+ 
+ #define NL_ALIGN(len) (((len)+3) & ~(3))
+ static const struct sockaddr_nl snl = { .nl_family = AF_NETLINK };
+-static int ipset_sock, old_kernel;
++static int ipset_sock;
+ static char *buffer;
+ 
+ static inline void add_attr(struct nlmsghdr *nlh, uint16_t type, size_t len, const void *data)
+@@ -85,12 +85,7 @@ static inline void add_attr(struct nlmsg
+ 
+ void ipset_init(void)
+ {
+-  old_kernel = (daemon->kernel_version < KERNEL_VERSION(2,6,32));
+-  
+-  if (old_kernel && (ipset_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) != -1)
+-    return;
+-  
+-  if (!old_kernel && 
++  if (
+       (buffer = safe_malloc(BUFF_SZ)) &&
+       (ipset_sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)) != -1 &&
+       (bind(ipset_sock, (struct sockaddr *)&snl, sizeof(snl)) != -1))
+@@ -147,65 +142,14 @@ static int new_add_to_ipset(const char *
+   return errno == 0 ? 0 : -1;
+ }
+ 
+-
+-static int old_add_to_ipset(const char *setname, const union all_addr *ipaddr, int remove)
+-{
+-  socklen_t size;
+-  struct ip_set_req_adt_get {
+-    unsigned op;
+-    unsigned version;
+-    union {
+-      char name[IPSET_MAXNAMELEN];
+-      uint16_t index;
+-    } set;
+-    char typename[IPSET_MAXNAMELEN];
+-  } req_adt_get;
+-  struct ip_set_req_adt {
+-    unsigned op;
+-    uint16_t index;
+-    uint32_t ip;
+-  } req_adt;
+-  
+-  if (strlen(setname) >= sizeof(req_adt_get.set.name)) 
+-    {
+-      errno = ENAMETOOLONG;
+-      return -1;
+-    }
+-  
+-  req_adt_get.op = 0x10;
+-  req_adt_get.version = 3;
+-  strcpy(req_adt_get.set.name, setname);
+-  size = sizeof(req_adt_get);
+-  if (getsockopt(ipset_sock, SOL_IP, 83, &req_adt_get, &size) < 0)
+-    return -1;
+-  req_adt.op = remove ? 0x102 : 0x101;
+-  req_adt.index = req_adt_get.set.index;
+-  req_adt.ip = ntohl(ipaddr->addr4.s_addr);
+-  if (setsockopt(ipset_sock, SOL_IP, 83, &req_adt, sizeof(req_adt)) < 0)
+-    return -1;
+-  
+-  return 0;
+-}
+-
+-
+-
+ int add_to_ipset(const char *setname, const union all_addr *ipaddr, int flags, int remove)
+ {
+   int ret = 0, af = AF_INET;
+ 
+   if (flags & F_IPV6)
+-    {
+       af = AF_INET6;
+-      /* old method only supports IPv4 */
+-      if (old_kernel)
+-	{
+-	  errno = EAFNOSUPPORT ;
+-	  ret = -1;
+-	}
+-    }
+-  
+-  if (ret != -1) 
+-    ret = old_kernel ? old_add_to_ipset(setname, ipaddr, remove) : new_add_to_ipset(setname, ipaddr, af, remove);
++
++  ret = new_add_to_ipset(setname, ipaddr, af, remove);
+ 
+   if (ret == -1)
+      my_syslog(LOG_ERR, _("failed to update ipset %s: %s"), setname, strerror(errno));
+--- a/src/util.c
++++ b/src/util.c
+@@ -796,22 +796,3 @@ int wildcard_matchn(const char* wildcard
+ 
+   return (!num) || (*wildcard == *match);
+ }
+-
+-#ifdef HAVE_LINUX_NETWORK
+-int kernel_version(void)
+-{
+-  struct utsname utsname;
+-  int version;
+-  char *split;
+-  
+-  if (uname(&utsname) < 0)
+-    die(_("failed to find kernel version: %s"), NULL, EC_MISC);
+-  
+-  split = strtok(utsname.release, ".");
+-  version = (split ? atoi(split) : 0);
+-  split = strtok(NULL, ".");
+-  version = version * 256 + (split ? atoi(split) : 0);
+-  split = strtok(NULL, ".");
+-  return version * 256 + (split ? atoi(split) : 0);
+-}
+-#endif